npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/suppression/__tests__/inline-parser.test.ts ADDED Viewed

@@ -0,0 +1,212 @@
+/**
+ * Inline Suppression Parser Tests
+ */
+import {
+  parseInlineSuppressions,
+  isLineSuppressed,
+  extractSuppressionReasons,
+  generateSuppressionComment,
+} from '../inline-parser'
+describe('Inline Suppression Parser', () => {
+  describe('parseInlineSuppressions', () => {
+    it('should parse next-line suppression comments', () => {
+      const content = `
+const x = 1;
+// oculum-ignore-next-line: false positive
+const secret = "abc123";
+const y = 2;
+`
+      const suppressions = parseInlineSuppressions(content)
+      // Line 4 (const secret) should be suppressed by line 3's comment
+      expect(suppressions.has(4)).toBe(true)
+      expect(suppressions.get(4)?.reason).toBe('false positive')
+      expect(suppressions.get(4)?.type).toBe('next-line')
+    })
+    it('should parse same-line suppression comments', () => {
+      const content = `
+const x = 1;
+const secret = "abc123"; // oculum-ignore: known safe
+const y = 2;
+`
+      const suppressions = parseInlineSuppressions(content)
+      // Line 3 should be suppressed
+      expect(suppressions.has(3)).toBe(true)
+      expect(suppressions.get(3)?.reason).toBe('known safe')
+      expect(suppressions.get(3)?.type).toBe('same-line')
+    })
+    it('should parse block suppressions', () => {
+      const content = `
+const x = 1;
+/* oculum-ignore-block: legacy code */
+const secret1 = "abc";
+const secret2 = "def";
+/* oculum-ignore-block-end */
+const y = 2;
+`
+      const suppressions = parseInlineSuppressions(content)
+      // Lines 4 and 5 should be suppressed by the block
+      expect(suppressions.has(4)).toBe(true)
+      expect(suppressions.has(5)).toBe(true)
+      expect(suppressions.get(4)?.reason).toBe('legacy code')
+      expect(suppressions.get(5)?.reason).toBe('legacy code')
+      // Lines before and after block should not be suppressed
+      expect(suppressions.has(2)).toBe(false)
+      expect(suppressions.has(7)).toBe(false)
+    })
+    it('should parse rule-specific suppressions', () => {
+      const content = `
+// oculum-ignore-next-line [hardcoded_secret]: test data
+const secret = "test123";
+`
+      const suppressions = parseInlineSuppressions(content)
+      expect(suppressions.has(3)).toBe(true)
+      expect(suppressions.get(3)?.ruleId).toBe('hardcoded_secret')
+      expect(suppressions.get(3)?.reason).toBe('test data')
+    })
+    it('should support Python-style comments (#)', () => {
+      const content = `
+x = 1
+# oculum-ignore-next-line: test data
+secret = "abc123"
+`
+      const suppressions = parseInlineSuppressions(content)
+      expect(suppressions.has(4)).toBe(true)
+      expect(suppressions.get(4)?.reason).toBe('test data')
+    })
+    it('should support SQL-style comments (--)', () => {
+      const content = `
+SELECT 1;
+-- oculum-ignore-next-line: intentional
+SELECT password FROM users;
+`
+      const suppressions = parseInlineSuppressions(content)
+      expect(suppressions.has(4)).toBe(true)
+      expect(suppressions.get(4)?.reason).toBe('intentional')
+    })
+    it('should handle empty files', () => {
+      const suppressions = parseInlineSuppressions('')
+      expect(suppressions.size).toBe(0)
+    })
+    it('should not match partial oculum-ignore patterns', () => {
+      const content = `
+// This is not oculum-ignore but mentions it
+const x = "oculum-ignore";
+`
+      const suppressions = parseInlineSuppressions(content)
+      expect(suppressions.size).toBe(0)
+    })
+  })
+  describe('isLineSuppressed', () => {
+    it('should return suppression for suppressed line', () => {
+      const content = `
+// oculum-ignore-next-line: reason
+const x = 1;
+`
+      const suppressions = parseInlineSuppressions(content)
+      const result = isLineSuppressed(suppressions, 3)
+      expect(result).not.toBeNull()
+      expect(result?.reason).toBe('reason')
+    })
+    it('should return null for non-suppressed line', () => {
+      const content = `
+// oculum-ignore-next-line: reason
+const x = 1;
+const y = 2;
+`
+      const suppressions = parseInlineSuppressions(content)
+      const result = isLineSuppressed(suppressions, 4)
+      expect(result).toBeNull()
+    })
+    it('should respect rule-specific suppressions', () => {
+      const content = `
+// oculum-ignore-next-line [hardcoded_secret]: reason
+const x = 1;
+`
+      const suppressions = parseInlineSuppressions(content)
+      // Should match hardcoded_secret
+      expect(isLineSuppressed(suppressions, 3, 'hardcoded_secret')).not.toBeNull()
+      // Should not match other categories
+      expect(isLineSuppressed(suppressions, 3, 'high_entropy_string')).toBeNull()
+      // Should match if no category specified
+      expect(isLineSuppressed(suppressions, 3)).not.toBeNull()
+    })
+  })
+  describe('extractSuppressionReasons', () => {
+    it('should extract all unique suppression reasons', () => {
+      const content = `
+// oculum-ignore-next-line: reason 1
+const a = 1;
+// oculum-ignore-next-line: reason 2
+const b = 2;
+`
+      const reasons = extractSuppressionReasons(content)
+      expect(reasons).toHaveLength(2)
+      expect(reasons.map(r => r.reason)).toContain('reason 1')
+      expect(reasons.map(r => r.reason)).toContain('reason 2')
+    })
+    it('should not duplicate block suppression reasons', () => {
+      const content = `
+/* oculum-ignore-block: block reason */
+const a = 1;
+const b = 2;
+/* oculum-ignore-block-end */
+`
+      const reasons = extractSuppressionReasons(content)
+      // Should only have one entry for the block, not one per line
+      expect(reasons).toHaveLength(1)
+      expect(reasons[0].reason).toBe('block reason')
+    })
+  })
+  describe('generateSuppressionComment', () => {
+    it('should generate next-line comment', () => {
+      const comment = generateSuppressionComment('false positive')
+      expect(comment).toBe('// oculum-ignore-next-line: false positive')
+    })
+    it('should generate same-line comment', () => {
+      const comment = generateSuppressionComment('known safe', { type: 'same-line' })
+      expect(comment).toBe('// oculum-ignore: known safe')
+    })
+    it('should generate comment with rule ID', () => {
+      const comment = generateSuppressionComment('test data', { ruleId: 'hardcoded_secret' })
+      expect(comment).toBe('// oculum-ignore-next-line [hardcoded_secret]: test data')
+    })
+    it('should support different comment styles', () => {
+      expect(generateSuppressionComment('reason', { commentStyle: '#' }))
+        .toBe('# oculum-ignore-next-line: reason')
+      expect(generateSuppressionComment('reason', { commentStyle: '--' }))
+        .toBe('-- oculum-ignore-next-line: reason')
+    })
+  })
+})

package/src/suppression/__tests__/manager.test.ts ADDED Viewed

@@ -0,0 +1,415 @@
+/**
+ * SuppressionManager Tests
+ */
+import { SuppressionManager } from '../manager'
+import type { SuppressionConfig } from '../types'
+import type { Vulnerability, ScanFile } from '../../types'
+describe('SuppressionManager', () => {
+  // Helper to create a mock vulnerability
+  function createVulnerability(overrides: Partial<Vulnerability> = {}): Vulnerability {
+    return {
+      id: 'test-1',
+      filePath: 'src/index.ts',
+      lineNumber: 10,
+      lineContent: 'const secret = "api_key_12345"',
+      severity: 'high',
+      category: 'hardcoded_secret',
+      title: 'Hardcoded Secret',
+      description: 'Found a hardcoded secret',
+      confidence: 'high',
+      layer: 1,
+      ...overrides,
+    }
+  }
+  // Helper to create a mock scan file
+  function createScanFile(overrides: Partial<ScanFile> = {}): ScanFile {
+    return {
+      path: 'src/index.ts',
+      content: 'const secret = "api_key_12345";',
+      language: 'typescript',
+      size: 100,
+      ...overrides,
+    }
+  }
+  describe('constructor', () => {
+    it('should accept a pre-loaded config', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'test',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({
+        projectPath: '/fake/path',
+        config,
+      })
+      expect(manager.hasSuppressions()).toBe(true)
+      expect(manager.getAllSuppressions().rules).toHaveLength(1)
+    })
+    it('should return default config when path has no config file', () => {
+      const manager = new SuppressionManager({
+        projectPath: '/nonexistent/path',
+      })
+      expect(manager.hasSuppressions()).toBe(false)
+      expect(manager.getConfigPath()).toBeUndefined()
+    })
+  })
+  describe('isPathIgnored', () => {
+    it('should match simple patterns', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        ignore: ['**/*.test.ts', 'node_modules/**'],
+      }
+      const manager = new SuppressionManager({
+        projectPath: '/fake',
+        config,
+      })
+      expect(manager.isPathIgnored('src/utils.test.ts')).toBe(true)
+      expect(manager.isPathIgnored('node_modules/lodash/index.js')).toBe(true)
+      expect(manager.isPathIgnored('src/index.ts')).toBe(false)
+    })
+    it('should return false when no ignore patterns', () => {
+      const manager = new SuppressionManager({
+        projectPath: '/fake',
+        config: { version: 1 },
+      })
+      expect(manager.isPathIgnored('anything.ts')).toBe(false)
+    })
+  })
+  describe('isFindingSuppressed', () => {
+    it('should suppress by inline comment', () => {
+      const config: SuppressionConfig = { version: 1 }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      // Line 4 should be suppressed (line 3 has the comment)
+      const finding = createVulnerability({ lineNumber: 4 })
+      const fileContent = `const x = 1;
+const y = 2;
+// oculum-ignore-next-line: false positive
+const secret = "api_key_12345";
+`
+      const result = manager.isFindingSuppressed(finding, fileContent)
+      expect(result.suppressed).toBe(true)
+      expect(result.match?.type).toBe('inline')
+      expect(result.match?.reason).toBe('false positive')
+    })
+    it('should suppress by config finding hash', () => {
+      const finding = createVulnerability()
+      // First get the hash
+      const tempManager = new SuppressionManager({
+        projectPath: '/fake',
+        config: { version: 1 },
+      })
+      const { hash } = tempManager.isFindingSuppressed(finding)
+      // Now create a manager with that hash suppressed
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          findings: [{
+            hash,
+            file: 'src/index.ts',
+            reason: 'suppressed by hash',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const result = manager.isFindingSuppressed(finding)
+      expect(result.suppressed).toBe(true)
+      expect(result.match?.type).toBe('config-finding')
+      expect(result.match?.reason).toBe('suppressed by hash')
+    })
+    it('should suppress by config rule', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'all hardcoded secrets suppressed',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const finding = createVulnerability()
+      const result = manager.isFindingSuppressed(finding)
+      expect(result.suppressed).toBe(true)
+      expect(result.match?.type).toBe('config-rule')
+      expect(result.match?.reason).toBe('all hardcoded secrets suppressed')
+    })
+    it('should respect rule path restrictions', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'only in tests',
+            paths: ['**/*.test.ts'],
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const testFinding = createVulnerability({ filePath: 'src/utils.test.ts' })
+      const srcFinding = createVulnerability({ filePath: 'src/index.ts' })
+      expect(manager.isFindingSuppressed(testFinding).suppressed).toBe(true)
+      expect(manager.isFindingSuppressed(srcFinding).suppressed).toBe(false)
+    })
+    it('should handle expired suppressions', () => {
+      const finding = createVulnerability()
+      const tempManager = new SuppressionManager({
+        projectPath: '/fake',
+        config: { version: 1 },
+      })
+      const { hash } = tempManager.isFindingSuppressed(finding)
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          findings: [{
+            hash,
+            file: 'src/index.ts',
+            reason: 'expired suppression',
+            expires: '2020-01-01', // Already expired
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const result = manager.isFindingSuppressed(finding)
+      expect(result.suppressed).toBe(false)
+      expect(result.match?.expired).toBe(true)
+    })
+    it('should prioritize inline over config', () => {
+      // Line 4 is the secret line, line 3 has the comment
+      const finding = createVulnerability({ lineNumber: 4 })
+      const tempManager = new SuppressionManager({
+        projectPath: '/fake',
+        config: { version: 1 },
+      })
+      const { hash } = tempManager.isFindingSuppressed(finding)
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          findings: [{
+            hash,
+            file: 'src/index.ts',
+            reason: 'config reason',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const fileContent = `const x = 1;
+const y = 2;
+// oculum-ignore-next-line: inline reason
+const secret = "api_key_12345";
+`
+      const result = manager.isFindingSuppressed(finding, fileContent)
+      // Should be suppressed by inline (higher priority)
+      expect(result.suppressed).toBe(true)
+      expect(result.match?.type).toBe('inline')
+      expect(result.match?.reason).toBe('inline reason')
+    })
+  })
+  describe('applySuppressions', () => {
+    it('should filter suppressed findings', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'suppress all secrets',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const findings = [
+        createVulnerability({ id: '1', category: 'hardcoded_secret' }),
+        createVulnerability({ id: '2', category: 'high_entropy_string' }),
+        createVulnerability({ id: '3', category: 'hardcoded_secret' }),
+      ]
+      const files = [createScanFile()]
+      const result = manager.applySuppressions(findings, files)
+      expect(result.findings).toHaveLength(1)
+      expect(result.findings[0].category).toBe('high_entropy_string')
+      expect(result.suppressed).toHaveLength(2)
+      expect(result.stats.configRuleSuppressed).toBe(2)
+    })
+    it('should include suppression details in result', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'test reason',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const finding = createVulnerability()
+      const files = [createScanFile()]
+      const result = manager.applySuppressions([finding], files)
+      expect(result.suppressed).toHaveLength(1)
+      expect(result.suppressed[0].suppression.reason).toBe('test reason')
+      expect(result.suppressed[0].suppression.type).toBe('config-rule')
+      expect(result.suppressed[0].vulnerability.filePath).toBe(finding.filePath)
+    })
+    it('should track expired suppressions count', () => {
+      const finding = createVulnerability()
+      const tempManager = new SuppressionManager({
+        projectPath: '/fake',
+        config: { version: 1 },
+      })
+      const { hash } = tempManager.isFindingSuppressed(finding)
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          findings: [{
+            hash,
+            file: 'src/index.ts',
+            reason: 'expired',
+            expires: '2020-01-01',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const files = [createScanFile()]
+      const result = manager.applySuppressions([finding], files)
+      expect(result.findings).toHaveLength(1) // Not suppressed because expired
+      expect(result.expiredSuppressions).toBe(1)
+      expect(result.stats.expired).toBe(1)
+    })
+    it('should correctly count by suppression type', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [{
+            category: 'hardcoded_secret',
+            reason: 'rule suppression',
+          }],
+        },
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      // Create a finding that will be suppressed by inline (line 4 - after the comment on line 3)
+      const inlineFinding = createVulnerability({
+        id: '1',
+        category: 'high_entropy_string',
+        lineNumber: 4,
+        lineContent: 'const entropy = "abcdef123456";',
+      })
+      // Create a finding that will be suppressed by rule (line 5)
+      const ruleFinding = createVulnerability({
+        id: '2',
+        category: 'hardcoded_secret',
+        lineNumber: 5,
+        lineContent: 'const secret = "api_key";',
+      })
+      // Create a finding that won't be suppressed (line 6)
+      const passedFinding = createVulnerability({
+        id: '3',
+        category: 'sql_injection',
+        lineNumber: 6,
+        lineContent: 'const query = "SELECT * FROM users";',
+      })
+      const findings = [inlineFinding, ruleFinding, passedFinding]
+      const fileContent = `const x = 1;
+const y = 2;
+// oculum-ignore-next-line: inline reason
+const entropy = "abcdef123456";
+const secret = "api_key";
+const query = "SELECT * FROM users";
+`
+      const files = [createScanFile({ content: fileContent })]
+      const result = manager.applySuppressions(findings, files)
+      expect(result.findings).toHaveLength(1)
+      expect(result.stats.inlineSuppressed).toBe(1)
+      expect(result.stats.configRuleSuppressed).toBe(1)
+    })
+  })
+  describe('getSummary', () => {
+    it('should return accurate summary', () => {
+      const config: SuppressionConfig = {
+        version: 1,
+        suppressions: {
+          rules: [
+            { category: 'hardcoded_secret', reason: 'r1' },
+            { category: 'high_entropy_string', reason: 'r2' },
+          ],
+          findings: [
+            { hash: 'abc123def4567890', file: 'a.ts', reason: 'f1' },
+          ],
+        },
+        ignore: ['*.test.ts', '*.spec.ts'],
+      }
+      const manager = new SuppressionManager({ projectPath: '/fake', config })
+      const summary = manager.getSummary()
+      expect(summary.ruleCount).toBe(2)
+      expect(summary.findingCount).toBe(1)
+      expect(summary.ignorePatternCount).toBe(2)
+      expect(summary.hasErrors).toBe(false)
+    })
+  })
+})