@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/dangerous-functions.ts

@@ -1,1940 +0,0 @@
-/**
- * Layer 2: Dangerous Function Call Analysis
- * Detects usage of dangerous functions that can lead to security vulnerabilities
- */
-
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import {
-  isComment,
-  isTestOrMockFile,
-  isScannerOrFixtureFile,
-  isSeedOrDataGenFile,
-  isEducationalVulnerabilityFile,
-} from '../utils/context-helpers'
-
-/**
- * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
- * Returns true if this is a child_process exec call that should be flagged
- */
-function isChildProcessExec(content: string, lineContent: string): boolean {
-  // Check for child_process import
-  const hasChildProcessImport = 
-    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
-    /from\s+['"]child_process['"]/.test(content) ||
-    /import\s+.*child_process/.test(content) ||
-    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
-    /from\s+['"]node:child_process['"]/.test(content)
-
-  // If no child_process import, this is likely RegExp.exec or similar
-  if (!hasChildProcessImport) {
-    return false
-  }
-
-  // Check if this specific line is RegExp.exec pattern
-  // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
-  const isRegExpExec = 
-    /\.\s*exec\s*\(/.test(lineContent) &&  // Method call on an object
-    !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')) // Not a standalone exec()
-
-  // Also check for common RegExp patterns
-  const isRegExpPattern = 
-    /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) ||  // /pattern/.exec()
-    /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) ||  // new RegExp().exec()
-    /regex\.exec\s*\(/i.test(lineContent) ||  // regex.exec()
-    /pattern\.exec\s*\(/i.test(lineContent) ||  // pattern.exec()
-    /match\.exec\s*\(/i.test(lineContent) ||  // match.exec()
-    /re\.exec\s*\(/i.test(lineContent)  // re.exec()
-
-  if (isRegExpExec || isRegExpPattern) {
-    return false
-  }
-
-  // Check if exec is imported/destructured from child_process
-  const execImported = 
-    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(content) ||
-    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(content) ||
-    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(content) ||
-    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(content)
-
-  // If exec is directly imported from child_process, standalone exec() is dangerous
-  if (execImported && /\bexec\s*\(/.test(lineContent)) {
-    return true
-  }
-
-  // Check for child_process.exec() pattern
-  if (/child_process\.exec\s*\(/.test(lineContent) || 
-      /cp\.exec\s*\(/.test(lineContent) ||
-      /childProcess\.exec\s*\(/.test(lineContent)) {
-    return true
-  }
-
-  // If we have child_process import but can't determine usage, be conservative
-  // Only flag if it looks like a standalone exec() call
-  return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent)
-}
-
-/**
- * Check if schema validation is applied near a JSON.parse call
- * Looks for zod, yup, joi, or similar validation patterns
- */
-function hasSchemaValidationNearby(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const start = Math.max(0, lineNumber - 5)
-  const end = Math.min(lines.length, lineNumber + 10)
-  const context = lines.slice(start, end).join('\n')
-
-  const schemaValidationPatterns = [
-    // Zod patterns
-    /z\.(object|string|number|array|boolean)\s*\(/i,
-    /\.parse\s*\(/i,
-    /\.safeParse\s*\(/i,
-    /schema\.parse/i,
-    /Schema\.parse/i,
-    // Yup patterns
-    /yup\.(object|string|number|array|boolean)\s*\(/i,
-    /\.validate\s*\(/i,
-    /\.validateSync\s*\(/i,
-    // Joi patterns
-    /Joi\.(object|string|number|array|boolean)\s*\(/i,
-    /\.validateAsync\s*\(/i,
-    // Valibot patterns
-    /v\.(object|string|number|array|boolean)\s*\(/i,
-    // AJV patterns
-    /ajv\.compile/i,
-    /validate\s*\(\s*schema/i,
-    // TypeBox patterns
-    /Type\.(Object|String|Number|Array|Boolean)\s*\(/i,
-    // Generic validation patterns
-    /validateSchema/i,
-    /schemaValidator/i,
-    /parseAndValidate/i,
-  ]
-
-  return schemaValidationPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if path traversal protection is in place
- * Looks for common sanitization patterns that prevent directory traversal attacks
- */
-function hasPathTraversalProtection(context: string, lineContent: string): boolean {
-  const protectionPatterns = [
-    // Path normalization with base directory check
-    /path\.resolve\s*\([^)]+\).*\.startsWith\s*\(/i,
-    /\.startsWith\s*\([^)]*(?:baseDir|basePath|rootDir|uploadDir|allowedDir)/i,
-    // Explicit ".." rejection
-    /\.includes\s*\(\s*['"`]\.\.['"`]\s*\)/i,
-    /\.indexOf\s*\(\s*['"`]\.\.['"`]\s*\)/i,
-    /['"`]\.\.['"`].*(?:throw|reject|return|error)/i,
-    // Path sanitization libraries
-    /sanitizePath|sanitizeFilename|sanitize-filename/i,
-    /path-sanitizer|secure-path/i,
-    // Explicit path validation
-    /validatePath|isValidPath|checkPath|verifyPath/i,
-    /isPathAllowed|isAllowedPath|pathIsAllowed/i,
-    // Normalize and check pattern
-    /path\.normalize\s*\([^)]+\).*(?:startsWith|includes|indexOf)/i,
-    // Regex validation for safe characters only
-    /\/\^?\[a-zA-Z0-9_\-\.\\\/\]\+\$?\//,  // Only alphanumeric, dash, underscore, dot
-    // Allowlist/whitelist patterns
-    /allowedExtensions|allowedTypes|whitelist/i,
-    /\.endsWith\s*\(\s*['"`]\.\w+['"`]\s*\)/i,  // Extension check
-    // Path.basename to strip directory
-    /path\.basename\s*\(/i,
-    // Zod/validation for filename patterns
-    /z\.string\s*\(\s*\)\.regex\s*\(/i,
-  ]
-
-  return protectionPatterns.some(p => p.test(context) || p.test(lineContent))
-}
-
-/**
- * Check if spawn/execFile/execSync is from child_process
- */
-function isChildProcessSpawn(content: string, lineContent: string): boolean {
-  // Check for child_process import
-  const hasChildProcessImport = 
-    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
-    /from\s+['"]child_process['"]/.test(content) ||
-    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
-    /from\s+['"]node:child_process['"]/.test(content)
-
-  if (!hasChildProcessImport) {
-    return false
-  }
-
-  // These functions are always from child_process when that module is imported
-  return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(lineContent)
-}
-
-/**
- * Check if a line is inside a try-catch block
- * Looks for enclosing try { ... } catch pattern
- */
-function isInsideTryCatch(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-
-  // Track brace depth and whether we're in a try block
-  let tryDepth = 0
-  let inTryBlock = false
-  let braceStack: Array<'try' | 'other'> = []
-
-  // Scan from start to the target line
-  for (let i = 0; i < lineNumber && i < lines.length; i++) {
-    const line = lines[i]
-
-    // Check for try keyword (not in a comment)
-    if (/\btry\s*\{/.test(line) && !isComment(line)) {
-      inTryBlock = true
-      tryDepth++
-      // Count opening braces on this line
-      const openBraces = (line.match(/\{/g) || []).length
-      const closeBraces = (line.match(/\}/g) || []).length
-      for (let j = 0; j < openBraces - closeBraces; j++) {
-        braceStack.push('try')
-      }
-    } else if (/\bcatch\s*\(/.test(line) && !isComment(line)) {
-      // Entering catch block - still protected
-      // Don't decrement tryDepth yet
-    } else if (/\bfinally\s*\{/.test(line) && !isComment(line)) {
-      // Entering finally block - still protected
-    } else {
-      // Track regular braces
-      const openBraces = (line.match(/\{/g) || []).length
-      const closeBraces = (line.match(/\}/g) || []).length
-
-      for (let j = 0; j < openBraces; j++) {
-        braceStack.push(inTryBlock && tryDepth > 0 ? 'try' : 'other')
-      }
-
-      for (let j = 0; j < closeBraces; j++) {
-        const popped = braceStack.pop()
-        if (popped === 'try') {
-          tryDepth--
-          if (tryDepth === 0) {
-            inTryBlock = false
-          }
-        }
-      }
-    }
-  }
-
-  return tryDepth > 0
-}
-
-/**
- * Simpler heuristic: check if there's a try-catch in the same function scope
- * Looks for try { before the line and } catch after, within reasonable bounds
- */
-function hasTryCatchNearby(content: string, lineNumber: number, windowSize: number = 20): boolean {
-  const lines = content.split('\n')
-  const startLine = Math.max(0, lineNumber - windowSize)
-  const endLine = Math.min(lines.length, lineNumber + windowSize)
-
-  // Look backward for 'try {'
-  let foundTry = false
-  for (let i = lineNumber - 1; i >= startLine; i--) {
-    const line = lines[i]
-    if (/\btry\s*\{/.test(line) && !isComment(line)) {
-      foundTry = true
-      break
-    }
-    // Stop if we hit a function boundary
-    if (/\b(function|async function|=>|class)\b/.test(line) && /\{/.test(line)) {
-      break
-    }
-  }
-
-  if (!foundTry) return false
-
-  // Look forward for '} catch'
-  for (let i = lineNumber; i < endLine; i++) {
-    const line = lines[i]
-    if (/\}\s*catch\s*\(/.test(line) && !isComment(line)) {
-      return true
-    }
-    // Stop if we hit another function boundary
-    if (i > lineNumber && /\b(function|async function|class)\b/.test(line) && /\{/.test(line)) {
-      break
-    }
-  }
-
-  return false
-}
-
-/**
- * JSON.parse source classification
- * Determines if the input is user-controlled or internal data
- */
-type JSONParseSource = 'user_input' | 'local_storage' | 'database' | 'config' | 'migration' | 'internal' | 'test_fixture' | 'ui_state' | 'unknown'
-
-/**
- * Check if file path indicates a low-risk context for JSON.parse
- */
-function isLowRiskJSONParseFile(filePath: string): JSONParseSource | null {
-  // Test/mock files - skip or info only
-  if (isTestOrMockFile(filePath)) {
-    return 'test_fixture'
-  }
-
-  // Settings/preferences components - internal UI state
-  if (/\/(components|pages)\/(settings|preferences|config)/i.test(filePath)) {
-    return 'ui_state'
-  }
-
-  // Provider/context files - typically storing state in localStorage
-  if (/Provider\.(ts|tsx|js|jsx)$/i.test(filePath)) {
-    return 'ui_state'
-  }
-
-  // Modal/Dialog components - typically internal state
-  if (/(Modal|Dialog|Settings|Preferences)\.(ts|tsx|js|jsx)$/i.test(filePath)) {
-    return 'ui_state'
-  }
-
-  // __mocks__ directory
-  if (/__mocks__/i.test(filePath)) {
-    return 'test_fixture'
-  }
-
-  // fixtures directory
-  if (/\/(fixtures?|stubs?|mocks?)\//i.test(filePath)) {
-    return 'test_fixture'
-  }
-
-  // scripts/tools directories (internal tooling)
-  if (/\/(scripts?|tools?|cli)\//i.test(filePath)) {
-    return 'internal'
-  }
-
-  // Migration files
-  if (/migration/i.test(filePath)) {
-    return 'migration'
-  }
-
-  // Config files
-  if (/\/(config|settings|constants)\.(ts|js)/i.test(filePath)) {
-    return 'config'
-  }
-
-  return null
-}
-
-/**
- * Check if JSON.parse is parsing a trusted SDK response
- * These are well-defined responses from known APIs and are safe to parse
- */
-function isTrustedSDKResponse(lineContent: string, content: string): boolean {
-  const trustedPatterns = [
-    // OpenAI SDK responses
-    /JSON\.parse\s*\(\s*(?:response|completion|result|message)\.(?:content|text|data)/i,
-    /JSON\.parse\s*\(\s*(?:openai|anthropic|client)\./i,
-    // Fetch response.json() result (already parsed by fetch)
-    /JSON\.parse\s*\(\s*await\s+.*\.json\s*\(\s*\)\s*\)/i,
-    // SDK method results
-    /JSON\.parse\s*\(\s*(?:result|response)\.(?:choices|content|data|body)\[/i,
-    // AI SDK streaming results
-    /JSON\.parse\s*\(\s*(?:chunk|delta|part)\.(?:content|text)/i,
-  ]
-  
-  if (trustedPatterns.some(p => p.test(lineContent))) {
-    return true
-  }
-  
-  // Check surrounding context for SDK usage
-  const sdkContextPatterns = [
-    /openai\..*\.create/i,
-    /anthropic\..*\.create/i,
-    /\.chat\.completions/i,
-    /\.messages\.create/i,
-  ]
-  
-  return sdkContextPatterns.some(p => p.test(content))
-}
-
-function classifyJSONParseSource(lineContent: string, filePath: string): JSONParseSource {
-  // First check file path for low-risk contexts
-  const fileBasedSource = isLowRiskJSONParseFile(filePath)
-  if (fileBasedSource) {
-    return fileBasedSource
-  }
-
-  // User input - potentially dangerous
-  const userInputPatterns = [
-    /JSON\.parse\s*\(\s*(req|request)\.(body|query|params)/i,
-    /JSON\.parse\s*\(\s*event\.(body|queryStringParameters)/i,  // AWS Lambda
-    /JSON\.parse\s*\(\s*ctx\.(request|body|query)/i,            // Koa
-    /JSON\.parse\s*\(\s*(input|userInput|rawInput|payload)/i,
-    /JSON\.parse\s*\(\s*body\b/i,  // Generic 'body' often means request body
-  ]
-  if (userInputPatterns.some(p => p.test(lineContent))) {
-    return 'user_input'
-  }
-
-  // localStorage/sessionStorage - client-side storage
-  const storagePatterns = [
-    /JSON\.parse\s*\(\s*localStorage\.getItem/i,
-    /JSON\.parse\s*\(\s*sessionStorage\.getItem/i,
-    /JSON\.parse\s*\(\s*window\.localStorage/i,
-    /JSON\.parse\s*\(\s*storage\.get/i,
-    /JSON\.parse\s*\(\s*saved\b/i,  // Common pattern: const saved = localStorage.getItem(...); JSON.parse(saved)
-    /JSON\.parse\s*\(\s*stored\b/i,
-  ]
-  if (storagePatterns.some(p => p.test(lineContent))) {
-    return 'local_storage'
-  }
-
-  // Database results - internal data
-  const databasePatterns = [
-    /JSON\.parse\s*\(\s*(row|result|record|doc|document)\./i,
-    /JSON\.parse\s*\(\s*\w+\.(data|json|metadata|embedding)\)/i,
-    /JSON\.parse\s*\(\s*\w+\[['"]?\w+['"]?\]\.(data|json|embedding)/i,
-    /JSON\.parse\s*\(\s*item\.\w+\)/i,  // ORM iteration: items.map(item => JSON.parse(item.field))
-    /JSON\.parse\s*\(\s*\w+\.content\)/i,  // Parsing content field from DB
-  ]
-  if (databasePatterns.some(p => p.test(lineContent))) {
-    return 'database'
-  }
-
-  // Editor state, internal caches, UI state
-  const internalPatterns = [
-    /JSON\.parse\s*\(\s*(state|cache|stored|saved|cached)/i,
-    /JSON\.parse\s*\(\s*this\.(state|cache|data)/i,
-    /JSON\.parse\s*\(\s*\w+State\)/i,
-    /JSON\.parse\s*\(\s*editorState/i,
-    /JSON\.parse\s*\(\s*parsed\b/i,  // JSON.parse(parsed) - likely already validated
-    /JSON\.parse\s*\(\s*settings\b/i,  // Settings data
-    /JSON\.parse\s*\(\s*preferences\b/i,
-  ]
-  if (internalPatterns.some(p => p.test(lineContent))) {
-    return 'internal'
-  }
-
-  // Node content in editor apps (e.g., noda-os nodes have JSON content)
-  if (/JSON\.parse\s*\(\s*(node|note|document|entry)\.(content|body|data)\)/i.test(lineContent)) {
-    return 'database'
-  }
-
-  return 'unknown'
-}
-
-interface DangerousFunctionPattern {
-  name: string
-  pattern: RegExp
-  severity: VulnerabilitySeverity
-  description: string
-  suggestedFix: string
-  languages?: string[] // Optional: restrict to specific languages
-}
-
-const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[] = [
-  // Code execution
-  {
-    name: 'eval() usage',
-    pattern: /\beval\s*\(/gi,
-    severity: 'critical',
-    description: 'eval() executes arbitrary code and is a major security risk',
-    suggestedFix: 'Use JSON.parse() for JSON data, or refactor to avoid dynamic code execution',
-  },
-  {
-    name: 'Function constructor',
-    pattern: /new\s+Function\s*\(/gi,
-    severity: 'critical',
-    description: 'Function constructor can execute arbitrary code like eval()',
-    suggestedFix: 'Refactor to use static functions or safe alternatives',
-  },
-  {
-    name: 'setTimeout/setInterval with string',
-    pattern: /set(Timeout|Interval)\s*\(\s*['"`]/gi,
-    severity: 'high',
-    description: 'setTimeout/setInterval with string argument acts like eval()',
-    suggestedFix: 'Pass a function reference instead of a string',
-  },
-  
-  // Command injection
-  {
-    name: 'child_process exec',
-    pattern: /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/gi,
-    severity: 'high',
-    description: 'Shell command execution can lead to command injection',
-    suggestedFix: 'Validate and sanitize all inputs, prefer execFile over exec',
-  },
-  {
-    name: 'os.system/subprocess (Python)',
-    pattern: /\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(/gi,
-    severity: 'high',
-    description: 'Shell command execution can lead to command injection',
-    suggestedFix: 'Use subprocess with shell=False and pass arguments as a list',
-    languages: ['py'],
-  },
-  
-  // SQL injection risks
-  {
-    name: 'Raw SQL query construction',
-    pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
-    severity: 'critical',
-    description: 'String concatenation in SQL queries can lead to SQL injection',
-    suggestedFix: 'Use parameterized queries or prepared statements',
-  },
-  {
-    name: 'SQL template literal',
-    pattern: /`SELECT.*FROM.*WHERE.*\$\{|`INSERT.*INTO.*VALUES.*\$\{|`UPDATE.*SET.*\$\{|`DELETE.*FROM.*WHERE.*\$\{/gi,
-    severity: 'critical',
-    description: 'Template literals in SQL queries can lead to SQL injection',
-    suggestedFix: 'Use parameterized queries with placeholders (?, $1, etc.)',
-  },
-  
-  // XSS risks
-  {
-    name: 'innerHTML assignment',
-    pattern: /\.innerHTML\s*=|\.outerHTML\s*=/gi,
-    severity: 'high',
-    description: 'Direct innerHTML assignment can lead to XSS vulnerabilities',
-    suggestedFix: 'Use textContent for text, or sanitize HTML with DOMPurify',
-  },
-  {
-    name: 'document.write',
-    pattern: /document\.write\s*\(/gi,
-    severity: 'high',
-    description: 'document.write can introduce XSS vulnerabilities',
-    suggestedFix: 'Use DOM manipulation methods instead',
-  },
-  {
-    name: 'dangerouslySetInnerHTML',
-    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
-    severity: 'high',
-    description: 'dangerouslySetInnerHTML can lead to XSS if content is not sanitized',
-    suggestedFix: 'Sanitize HTML content with DOMPurify before rendering',
-  },
-  
-  // Deserialization
-  {
-    name: 'Unsafe deserialization',
-    pattern: /\b(pickle\.loads?|yaml\.load\s*\((?!.*Loader)|unserialize|Marshal\.load)\s*\(/gi,
-    severity: 'critical',
-    description: 'Unsafe deserialization can lead to remote code execution',
-    suggestedFix: 'Use safe loaders (yaml.safe_load) or validate input before deserializing',
-  },
-  // Note: JSON.parse is handled specially with source-aware severity - see below
-  // Note: request.json() is NOT a dangerous function - see schema validation rules
-  
-  // File system risks
-  {
-    name: 'Dynamic file path',
-    pattern: /\b(readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\(\s*[^'"]/gi,
-    severity: 'medium',
-    description: 'Dynamic file paths can lead to path traversal attacks',
-    suggestedFix: 'Validate and sanitize file paths, use path.resolve with a base directory',
-  },
-  {
-    name: 'Path traversal risk',
-    pattern: /path\.(join|resolve)\s*\([^)]*req\.(params|query|body)/gi,
-    severity: 'high',
-    description: 'User input in file paths can lead to path traversal attacks',
-    suggestedFix: 'Validate paths and ensure they stay within allowed directories',
-  },
-  
-  // Crypto weaknesses
-  {
-    name: 'Math.random for security',
-    pattern: /Math\.random\s*\(\s*\)/gi,
-    severity: 'medium',
-    description: 'Math.random() is not cryptographically secure',
-    suggestedFix: 'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive operations',
-  },
-  
-  // Regex DoS
-  {
-    name: 'Potentially unsafe regex',
-    pattern: /new\s+RegExp\s*\(\s*[^'"]/gi,
-    severity: 'medium',
-    description: 'Dynamic regex construction can lead to ReDoS attacks',
-    suggestedFix: 'Validate regex patterns and consider using safe-regex library',
-  },
-  
-  // Prototype pollution
-  {
-    name: 'Object.assign with user input',
-    pattern: /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(req\.|request\.|body|params|query)/gi,
-    severity: 'high',
-    description: 'Object.assign with user input can lead to prototype pollution',
-    suggestedFix: 'Validate and sanitize input, or use a safe merge function',
-  },
-  {
-    name: 'Spread operator with user input',
-    pattern: /\{\s*\.\.\.req\.(body|params|query)|\.\.\.request\.(body|params|query)/gi,
-    severity: 'medium',
-    description: 'Spreading user input can lead to mass assignment vulnerabilities',
-    suggestedFix: 'Explicitly pick allowed properties instead of spreading all input',
-  },
-]
-
-// Check if file matches language filter
-function matchesLanguage(filePath: string, languages?: string[]): boolean {
-  if (!languages || languages.length === 0) return true
-
-  const ext = filePath.split('.').pop()?.toLowerCase() || ''
-  return languages.some(lang => {
-    if (lang === 'py') return ext === 'py'
-    if (lang === 'js') return ['js', 'jsx', 'mjs', 'cjs'].includes(ext)
-    if (lang === 'ts') return ['ts', 'tsx'].includes(ext)
-    return ext === lang
-  })
-}
-
-// Check if innerHTML/dangerouslySetInnerHTML uses static content only
-function isStaticHTMLContent(lineContent: string, content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-
-  // Get surrounding context (5 lines before and after)
-  const contextStart = Math.max(0, lineNumber - 6)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-
-  // Static HTML indicators - string literals only
-  const staticIndicators = [
-    /innerHTML\s*=\s*['"`][^'"`]*['"`]/,                    // innerHTML = "static string"
-    /innerHTML\s*=\s*`[^$]*`/,                              // innerHTML = `static template without ${}`
-    /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*['"`]/, // React static string
-  ]
-
-  // Dynamic content indicators (red flags)
-  const dynamicIndicators = [
-    /\$\{[^}]+\}/,           // Template interpolation ${...}
-    /innerHTML\s*=.*\+/,     // String concatenation with +
-    /innerHTML\s*\+=\s*/,    // Append operation
-    /\breq\.|\.params|\.query|\.body/,  // User input (req.params, req.query, req.body)
-    /\bprops\./,             // Component props
-    /\bstate\./,             // Component state
-    /\.value\b/,             // Input value
-    /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*[^'"`]/, // React dynamic
-  ]
-
-  const isStatic = staticIndicators.some(p => p.test(lineContent))
-  const isDynamic = dynamicIndicators.some(p => p.test(context))
-
-  return isStatic && !isDynamic
-}
-
-/**
- * Check if eval/exec/Function has only static literal inputs (no user data)
- * Static inputs like eval('({ mode: "production" })') are low risk
- */
-function hasOnlyStaticInputs(lineContent: string, content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  
-  // Check if the argument to eval/exec/Function is a string literal only
-  const staticPatterns = [
-    /eval\s*\(\s*['"`][^'"`$]*['"`]\s*\)/,           // eval('static string')
-    /eval\s*\(\s*`[^$`]*`\s*\)/,                     // eval(`static template without ${}`)
-    /new\s+Function\s*\(\s*['"`][^'"`$]*['"`]\s*\)/, // new Function('static')
-    /execSync\s*\(\s*['"`][^'"`$]*['"`]\s*\)/,       // execSync('static command')
-    /exec\s*\(\s*['"`][^'"`$]*['"`]/,                // exec('static command'
-  ]
-  
-  if (staticPatterns.some(p => p.test(lineContent))) {
-    return true
-  }
-  
-  // Check surrounding context for user input flowing in
-  const userInputIndicators = [
-    /\$\{/,                    // Template interpolation
-    /\+\s*\w+/,                // String concatenation with variable
-    /req\.|request\.|body\.|params\.|query\./i,  // Request data
-    /user[Ii]nput|userCode|userCommand/,         // User input variables
-    /args\[|argv\[/,           // Command line args
-  ]
-  
-  const contextStart = Math.max(0, lineNumber - 3)
-  const contextEnd = Math.min(lines.length, lineNumber + 1)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-  
-  // If no user input indicators found, likely static
-  return !userInputIndicators.some(p => p.test(context))
-}
-
-/**
- * Check if SQL query uses whitelist validation pattern
- * e.g., columns validated against allowedColumns array before use
- */
-function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 15)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-  
-  // Whitelist/allowlist validation patterns
-  const whitelistPatterns = [
-    /allowed\w*\s*=\s*\[/i,              // allowedColumns = [...]
-    /whitelist\w*\s*=\s*\[/i,            // whitelistFields = [...]
-    /valid\w*\s*=\s*\[/i,                // validColumns = [...]
-    /\.filter\s*\([^)]*\.includes\s*\(/i, // .filter(c => allowed.includes(c))
-    /\.includes\s*\([^)]*\)/i,           // allowedColumns.includes(col)
-    /\.every\s*\([^)]*\.includes/i,      // columns.every(c => allowed.includes(c))
-    /if\s*\(\s*!.*\.includes/i,          // if (!allowed.includes(...))
-  ]
-  
-  return whitelistPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if dangerouslySetInnerHTML is used with DOMPurify sanitization
- */
-function hasDOMPurifySanitization(lineContent: string, content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 10)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-  
-  // DOMPurify sanitization patterns
-  const sanitizationPatterns = [
-    /DOMPurify\.sanitize/i,
-    /sanitize\s*\(/i,
-    /purify\s*\(/i,
-    /xss\s*\(/i,
-    /clean\s*\(/i,
-    /sanitizeHtml/i,
-    /escapeHtml/i,
-    /sanitized/i,
-    /purified/i,
-  ]
-  
-  return sanitizationPatterns.some(p => p.test(context))
-}
-
-/**
- * Check if data flows to an LLM prompt rather than a DOM sink
- * LLM prompts are NOT XSS - they're prompt injection (different risk profile)
- */
-function isLLMPromptContext(lineContent: string, content: string, filePath: string): boolean {
-  // File path indicators of AI/LLM code
-  const aiFilePatterns = [
-    /\/(ai|llm|chat|openai|anthropic|gpt|claude)\//i,
-    /\/(assistants?|agents?|prompts?)\//i,
-    /(chat|ai|llm|prompt|assistant).*\.(ts|js|tsx|jsx)$/i,
-  ]
-
-  if (aiFilePatterns.some(p => p.test(filePath))) {
-    return true
-  }
-
-  // Content patterns suggesting LLM API usage
-  const llmApiPatterns = [
-    /\.create\s*\(\s*\{[^}]*messages\s*:/i,          // OpenAI/Anthropic SDK
-    /openai|anthropic|claude|gpt-4|gpt-3/i,         // AI service mentions
-    /\bprompt\s*[=:+]/i,                             // prompt assignment
-    /\bsystemPrompt|userPrompt|assistantPrompt/i,    // Prompt variables
-    /completion|chat\.create|messages\.create/i,     // API calls
-    /\bmessages\s*:\s*\[/i,                          // Messages array
-    /role:\s*['"`](user|assistant|system)['"`]/i,    // Message roles
-  ]
-
-  // Check the line and surrounding context
-  const lines = content.split('\n')
-  const lineIndex = lines.findIndex(l => l === lineContent || l.includes(lineContent.trim()))
-  const startLine = Math.max(0, lineIndex - 10)
-  const endLine = Math.min(lines.length, lineIndex + 10)
-  const context = lines.slice(startLine, endLine).join('\n')
-
-  return llmApiPatterns.some(p => p.test(lineContent) || p.test(context))
-}
-
-/**
- * Check if this is a static bootstrap script (e.g., localStorage theme reader)
- * These are very low risk even with dangerouslySetInnerHTML
- */
-function isStaticBootstrapScript(_lineContent: string, content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 10)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-
-  // Bootstrap script indicators (reading from localStorage, setting attributes)
-  const bootstrapPatterns = [
-    /localStorage\.getItem/i,
-    /document\.documentElement\.setAttribute/i,
-    /data-(theme|font|mode)/i,
-    /classList\.(add|remove|toggle)/i,
-    /\.dataset\./i,
-  ]
-
-  // Dangerous patterns that disqualify as safe bootstrap
-  const dangerousPatterns = [
-    /\$\{.*\}/,                    // Template interpolation
-    /\+\s*[a-zA-Z]/,               // String concatenation with variable
-    /innerHTML\s*=\s*[a-zA-Z]/,    // innerHTML set to variable directly
-    /fetch\s*\(/,                  // Network requests
-    /\.(query|params|body)/,       // User input
-    /location\.(search|hash)/,     // URL parameters
-    /document\.cookie/,            // Cookie access
-  ]
-
-  const hasBootstrapPatterns = bootstrapPatterns.some(p => p.test(context))
-  const hasDangerousPatterns = dangerousPatterns.some(p => p.test(context))
-
-  return hasBootstrapPatterns && !hasDangerousPatterns
-}
-
-/**
- * Check if Math.random() is used for cosmetic/UI purposes (not security)
- * Cosmetic uses: CSS values, animations, UI variations, demo data
- * Security uses: tokens, IDs, cryptographic operations, session management
- */
-function isCosmeticMathRandom(lineContent: string, content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-  
-  // Check the line itself for cosmetic indicators
-  const cosmeticLinePatterns = [
-    // CSS/style values
-    /['"`]\s*\$\{.*Math\.random.*\}\s*%['"`]/,           // `${Math.random() * 40 + 50}%`
-    /Math\.random.*\s*\+\s*['"`]%['"`]/,                 // Math.random() * 40 + '%'
-    /Math\.random.*\)\s*\*\s*\d+\s*\+\s*\d+\s*\}\s*%/,   // }) * 40 + 50}%
-    /return\s+`.*Math\.random.*%`/,                      // return `${...}%`
-    /width:\s*['"`].*Math\.random/i,                     // width: `${Math.random()...}%`
-    /height:\s*['"`].*Math\.random/i,                    // height: `${Math.random()...}%`
-    /opacity:\s*['"`]?.*Math\.random/i,                  // opacity: Math.random()
-    /transform:\s*['"`]?.*Math\.random/i,                // transform: translate(...)
-    /rotate\(.*Math\.random/i,                           // rotate(Math.random() * 360)
-    /translate\(.*Math\.random/i,                        // translate(Math.random() * 100)
-    /scale\(.*Math\.random/i,                            // scale(Math.random() * 2)
-    // Color/animation values
-    /rgba?\(.*Math\.random/i,                            // rgb(Math.random() * 255, ...)
-    /hsl\(.*Math\.random/i,                              // hsl(Math.random() * 360, ...)
-    /Math\.random.*\*\s*360/,                            // Math.random() * 360 (degrees/hue)
-    /Math\.random.*\*\s*255/,                            // Math.random() * 255 (RGB values)
-    // Array/list randomization for UI
-    /Math\.floor\(Math\.random.*\.length\)/,             // Math.floor(Math.random() * array.length)
-    /\[Math\.floor\(Math\.random/,                       // array[Math.floor(Math.random()...)]
-    // Demo/placeholder data
-    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bpx\b/i,        // Math.random() * 100 + 50 + 'px'
-    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bms\b/i,        // Math.random() * 1000 + 500 + 'ms'
-    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bs\b/i,         // Math.random() * 5 + 2 + 's'
-    // NOTE: toString patterns removed - now handled by analyzeToStringPattern()
-    // which provides more granular severity classification (info/low/medium/high)
-    // based on truncation length and context
-  ]
-  
-  if (cosmeticLinePatterns.some(p => p.test(lineContent))) {
-    return true
-  }
-  
-  // Check surrounding context (5 lines before and after)
-  const contextStart = Math.max(0, lineNumber - 5)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
-  
-  // Context indicators of cosmetic use
-  const cosmeticContextPatterns = [
-    // UI component files - REMOVED, let severity classification handle these
-    // Style-related variables/functions
-    /\b(style|styles|css|className|animation|transition)/i,
-    /\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
-    // Demo/example data
-    /\b(demo|example|placeholder|mock|fake|sample|test)Data/i,
-    /\b(random|shuffle|pick|choose).*\b(color|item|element|option)/i,
-    // Animation/timing
-    /setTimeout.*Math\.random/i,
-    /setInterval.*Math\.random/i,
-    /delay.*Math\.random/i,
-    /duration.*Math\.random/i,
-    // UI state variations
-    /\b(variant|theme|layout|position).*Math\.random/i,
-    // NOTE: Removed UI identifier patterns (key, id, tempId, etc.) - these should be
-    // classified with info/low severity by the severity classification logic, not skipped entirely
-  ]
-  
-  if (cosmeticContextPatterns.some(p => p.test(context))) {
-    return true
-  }
-  
-  // Security-sensitive patterns that override cosmetic detection
-  const securityPatterns = [
-    /\b(token|secret|key|password|credential|signature)/i,
-    /\b(auth|crypto|encrypt|decrypt|hash)/i,
-    /\b(session|nonce|salt)\b/i,
-    /Math\.random.*\*\s*1e\d+/,      // Math.random() * 1e16 (large numbers for IDs)
-  ]
-  
-  if (securityPatterns.some(p => p.test(lineContent) || p.test(context))) {
-    return false  // Not cosmetic - this is security-sensitive
-  }
-  
-  // Check for .toString(36) WITHOUT substring/slice/substr (security token pattern)
-  // If it has substring/slice/substr, it's already caught by cosmeticLinePatterns above
-  const hasToString36WithoutTruncation = /Math\.random\(\)\.toString\(36\)/.test(lineContent) &&
-    !/\.(substring|substr|slice)\(/.test(lineContent)
-  
-  const hasToString16WithoutTruncation = /Math\.random\(\)\.toString\(16\)/.test(lineContent) &&
-    !/\.(substring|substr|slice)\(/.test(lineContent)
-  
-  if (hasToString36WithoutTruncation || hasToString16WithoutTruncation) {
-    return false  // Full-length toString() without truncation - likely security token
-  }
-  
-  return false  // Default to flagging if unclear
-}
-
-/**
- * Extract function context where Math.random() is being called
- * Looks backwards from the current line to find enclosing function name
- * Returns lowercase function name or null if not found
- */
-function extractFunctionContext(content: string, lineNumber: number): string | null {
-  const lines = content.split('\n')
-  const start = Math.max(0, lineNumber - 20)  // Increased from 10 to 20 for nested callbacks
-
-  // Look backwards for function declaration
-  for (let i = lineNumber; i >= start; i--) {
-    const line = lines[i]
-
-    // Skip anonymous arrow functions in callbacks (e.g., .map((x) => ...), .replace(/x/g, (c) => ...))
-    // These are not the function context we're looking for
-    // Look for pattern: .methodName(..., (param) => or .methodName(...(param) =>
-    const hasMethodCallWithArrowCallback = /\.\w+\(.*\([^)]*\)\s*=>/.test(line)
-    if (hasMethodCallWithArrowCallback) {
-      continue  // Skip this line and keep looking
-    }
-
-    // Match various function declaration patterns
-    // 1. function functionName
-    // 2. export function functionName
-    // 3. const/let functionName = function
-    // 4. const/let functionName = (arrow function)
-    // 5. export const functionName =
-
-    // Traditional function declaration (handles TypeScript type annotations)
-    // Matches: function name(...), export function name(...), function name<T>(...), etc.
-    const funcDeclMatch = line.match(/(?:export\s+)?(?:async\s+)?function\s+(\w+)/i)
-    if (funcDeclMatch) {
-      return funcDeclMatch[1].toLowerCase()
-    }
-
-    // Function expression assignment (const foo = function...)
-    const funcExprMatch = line.match(/(?:export\s+)?(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?function/i)
-    if (funcExprMatch) {
-      return funcExprMatch[1].toLowerCase()
-    }
-
-    // Arrow function assignment - require => to be present on the same line
-    // This prevents matching "const r = (Math.random()..." as an arrow function
-    if (line.includes('=>')) {
-      const arrowFuncMatch = line.match(/(?:export\s+)?(?:const|let|var)\s+(\w+)\s*=/i)
-      if (arrowFuncMatch) {
-        return arrowFuncMatch[1].toLowerCase()
-      }
-    }
-  }
-  return null
-}
-
-/**
- * Classify function intent based on function name
- * Used to determine if Math.random() usage is legitimate
- */
-function classifyFunctionIntent(functionName: string | null): 'uuid' | 'captcha' | 'demo' | 'security' | 'unknown' {
-  if (!functionName) return 'unknown'
-
-  const lower = functionName.toLowerCase()
-
-  // UUID/ID generation (UI correlation, not security)
-  // Check for specific UUID patterns and generic ID generation functions
-  const uuidPatterns = ['uuid', 'guid', 'uniqueid', 'correlationid']
-  const idGenerationPatterns = /^(generate|create|make|build)(id|identifier)$/i
-  if (uuidPatterns.some(p => lower.includes(p)) || idGenerationPatterns.test(lower)) {
-    return 'uuid'
-  }
-
-  // CAPTCHA/puzzle generation (legitimate non-security)
-  const captchaPatterns = ['captcha', 'puzzle', 'mathproblem']
-  // Also check for 'challenge' but only if not in security context
-  if (captchaPatterns.some(p => lower.includes(p))) return 'captcha'
-  if (lower.includes('challenge') && !lower.includes('auth')) return 'captcha'
-
-  // Demo/seed/fixture data
-  const demoPatterns = ['seed', 'fixture', 'demo', 'mock', 'fake']
-  if (demoPatterns.some(p => lower.includes(p))) return 'demo'
-
-  // Security-sensitive (check this after id generation to avoid false positives)
-  const securityPatterns = ['token', 'secret', 'key', 'password', 'credential', 'signature']
-  // Also match generate/create + security term combinations
-  const securityFunctionPattern = /^(generate|create|make)(token|secret|key|session|password|credential)/i
-  if (securityPatterns.some(p => lower.includes(p)) || securityFunctionPattern.test(lower)) {
-    return 'security'
-  }
-
-  return 'unknown'
-}
-
-/**
- * Analyze toString() pattern in Math.random() usage
- * Determines intent based on base and truncation length
- */
-function analyzeToStringPattern(lineContent: string): {
-  hasToString: boolean
-  base: number | null
-  isTruncated: boolean
-  truncationLength: number | null
-  intent: 'short-ui-id' | 'business-id' | 'full-token' | 'unknown'
-} {
-  const toString36Match = lineContent.match(/Math\.random\(\)\.toString\(36\)/)
-  const toString16Match = lineContent.match(/Math\.random\(\)\.toString\(16\)/)
-
-  if (!toString36Match && !toString16Match) {
-    return { hasToString: false, base: null, isTruncated: false, truncationLength: null, intent: 'unknown' }
-  }
-
-  const base = toString36Match ? 36 : 16
-
-  // Check for truncation methods
-  const substringMatch = lineContent.match(/\.substring\((\d+)(?:,\s*(\d+))?\)/)
-  const sliceMatch = lineContent.match(/\.slice\((\d+)(?:,\s*(\d+))?\)/)
-  const substrMatch = lineContent.match(/\.substr\((\d+)(?:,\s*(\d+))?\)/)
-
-  const truncMatch = substringMatch || sliceMatch || substrMatch
-
-  if (!truncMatch) {
-    return { hasToString: true, base, isTruncated: false, truncationLength: null, intent: 'full-token' }
-  }
-
-  // Calculate truncation length
-  const start = parseInt(truncMatch[1])
-  const end = truncMatch[2] ? parseInt(truncMatch[2]) : null
-  const length = end ? (end - start) : null
-
-  // Classify intent by length
-  // Short (2-9 chars): UI correlation IDs, React keys
-  // Medium (10-15 chars): Business IDs, order numbers
-  if (length && length <= 9) {
-    return { hasToString: true, base, isTruncated: true, truncationLength: length, intent: 'short-ui-id' }
-  } else if (length && length <= 15) {
-    return { hasToString: true, base, isTruncated: true, truncationLength: length, intent: 'business-id' }
-  } else {
-    return { hasToString: true, base, isTruncated: true, truncationLength: length, intent: 'business-id' }
-  }
-}
-
-/**
- * Extract variable name from Math.random() assignment
- * Examples:
- *   const token = Math.random() -> "token"
- *   const businessId = Math.random().toString(36) -> "businessId"
- *   return Math.random() -> null (no variable)
- */
-function extractMathRandomVariableName(lineContent: string): string | null {
-  // const/let/var variableName = Math.random...
-  const assignmentMatch = lineContent.match(/(?:const|let|var)\s+(\w+)\s*=.*Math\.random/)
-  if (assignmentMatch) return assignmentMatch[1]
-
-  // object.property = Math.random...
-  const propertyMatch = lineContent.match(/(\w+)\s*[:=]\s*Math\.random/)
-  if (propertyMatch) return propertyMatch[1]
-
-  // function parameter default: functionName(param = Math.random())
-  const paramMatch = lineContent.match(/(\w+)\s*=\s*Math\.random/)
-  if (paramMatch) return paramMatch[1]
-
-  return null // No variable name found
-}
-
-/**
- * Classify variable name security risk based on naming patterns
- *
- * High risk: Security-sensitive names (token, secret, key, etc.)
- * Medium risk: Unclear context
- * Low risk: Non-security names (id, businessId, orderId, etc.)
- */
-function classifyVariableNameRisk(varName: string | null): 'high' | 'medium' | 'low' {
-  if (!varName) return 'medium' // Unknown usage, moderate risk
-
-  const lower = varName.toLowerCase()
-
-  // High risk: security-sensitive variable names
-  const highRiskPatterns = [
-    'token', 'secret', 'key', 'password', 'credential',
-    'signature', 'salt', 'nonce', 'session', 'csrf',
-    'auth', 'apikey', 'accesstoken', 'refreshtoken',
-    'jwt', 'bearer', 'oauth', 'sessionid'
-  ]
-  if (highRiskPatterns.some(p => lower.includes(p))) {
-    return 'high'
-  }
-
-  // Low risk: clearly non-security contexts
-  const lowRiskPatterns = [
-    // Business identifiers
-    'id', 'uid', 'guid', 'business', 'order', 'invoice',
-    'customer', 'user', 'product', 'item', 'transaction',
-    'request', 'reference', 'tracking', 'confirmation',
-    // Test/demo data
-    'test', 'mock', 'demo', 'sample', 'example', 'fixture',
-    'random', 'temp', 'temporary', 'generated', 'dummy',
-    // UI identifiers
-    'toast', 'notification', 'element', 'component', 'widget',
-    'modal', 'dialog', 'popup', 'unique', 'react',
-    // Non-security randomness usage (backoff/sampling/experiments)
-    'jitter', 'retry', 'backoff', 'delay', 'timeout', 'latency',
-    'sample', 'sampling', 'probability', 'chance', 'rollout',
-    'experiment', 'abtest', 'cohort', 'bucket', 'variant'
-  ]
-  if (lowRiskPatterns.some(p => lower.includes(p))) {
-    return 'low'
-  }
-
-  return 'medium' // Unclear context, moderate risk
-}
-
-/**
- * Analyze surrounding code context for security signals
- * Returns context type and description for severity classification
- */
-function analyzeMathRandomContext(
-  content: string,
-  filePath: string,
-  lineNumber: number
-): {
-  inSecurityContext: boolean
-  inTestContext: boolean
-  inUIContext: boolean
-  inBusinessLogicContext: boolean
-  contextDescription: string
-} {
-  const lines = content.split('\n')
-  const start = Math.max(0, lineNumber - 10)
-  const end = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(start, end).join('\n')
-
-  // Security context indicators (functions, imports, comments)
-  const securityPatterns = [
-    /\b(generate|create)(Token|Secret|Key|Password|Nonce|Salt|Session|Signature)/i,
-    /\b(auth|crypto|encrypt|decrypt|hash|sign)\b/i,
-    /function\s+.*(?:token|secret|key|auth|crypto)/i,
-    /\bimport.*(?:crypto|jsonwebtoken|bcrypt|argon2|jose)/i,
-    /\/\*.*(?:security|authentication|cryptograph|authorization)/i,
-    /\/\/.*(?:security|auth|crypto|token|secret)/i,
-  ]
-  const inSecurityContext = securityPatterns.some(p => p.test(context))
-
-  // Test context
-  const testFilePatterns = /\.(test|spec)\.(ts|tsx|js|jsx)$/i
-  const testContextPatterns = [
-    /\b(describe|it|test|expect|mock|jest|vitest|mocha|chai)\b/i,
-    /\b(beforeEach|afterEach|beforeAll|afterAll)\b/i,
-    /\b(fixture|stub|spy)\b/i,
-  ]
-  const inTestContext = testFilePatterns.test(filePath) ||
-    testContextPatterns.some(p => p.test(context))
-
-  // UI/cosmetic context (reuse existing logic)
-  const lineContent = lines[lineNumber]
-  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber)
-
-  // Business logic context (non-security ID generation)
-  // Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
-  const businessLogicPatterns = [
-    /\b(business|order|invoice|customer|product|transaction)Id\b/i,
-    /\b(reference|tracking|confirmation)Number\b/i,
-    /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
-    /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
-  ]
-  const inBusinessLogicContext = businessLogicPatterns.some(p => p.test(context)) &&
-    !inSecurityContext
-
-  // Determine context description
-  let contextDescription = 'unknown context'
-  if (inSecurityContext) {
-    contextDescription = 'security-sensitive function'
-  } else if (inTestContext) {
-    contextDescription = 'test/mock data generation'
-  } else if (inUIContext) {
-    contextDescription = 'UI/cosmetic usage'
-  } else if (inBusinessLogicContext) {
-    contextDescription = 'non-security usage'
-  }
-
-  return {
-    inSecurityContext,
-    inTestContext,
-    inUIContext,
-    inBusinessLogicContext,
-    contextDescription,
-  }
-}
-
-export function detectDangerousFunctions(
-  content: string,
-  filePath: string
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  // Skip scanner/fixture files to avoid self-detection
-  if (isScannerOrFixtureFile(filePath)) {
-    return vulnerabilities
-  }
-
-  const lines = content.split('\n')
-  const isTestFile = isTestOrMockFile(filePath)
-
-  lines.forEach((line, index) => {
-    // Skip comment lines
-    if (isComment(line)) return
-
-    for (const funcPattern of DANGEROUS_FUNCTIONS) {
-      // Check language filter
-      if (!matchesLanguage(filePath, funcPattern.languages)) continue
-
-      const regex = new RegExp(funcPattern.pattern.source, funcPattern.pattern.flags)
-
-      if (regex.test(line)) {
-        // Special handling for innerHTML patterns
-        if (funcPattern.name === 'innerHTML assignment' ||
-            funcPattern.name === 'dangerouslySetInnerHTML') {
-
-          // Check if this uses static content only
-          if (isStaticHTMLContent(line, content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (static content)',
-              description: 'Static HTML assignment detected. Generally safe for hardcoded content, but consider using textContent for plain text or proper DOM methods for dynamic content.',
-              suggestedFix: 'If this is plain text, use textContent instead. If HTML must be used, ensure it is static and does not come from user input.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break // Only report once per line
-          }
-          
-          // Check if DOMPurify or similar sanitization is used
-          if (hasDOMPurifySanitization(line, content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (sanitized)',
-              description: 'HTML is sanitized before rendering (DOMPurify or similar detected). This is the recommended pattern for rendering user-generated HTML.',
-              suggestedFix: 'Ensure DOMPurify is configured correctly and kept up to date.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break // Only report once per line
-          }
-
-          // Check if this is a static bootstrap script (e.g., theme/font loader)
-          if (isStaticBootstrapScript(line, content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (static bootstrap script)',
-              description: 'This appears to be a static bootstrap script (e.g., reading localStorage for theme/font preferences). Low risk as no untrusted data is interpolated into the HTML/JS.',
-              suggestedFix: 'Verify no user-controlled data is interpolated into the script content.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break // Only report once per line
-          }
-
-          // Check if this is in LLM prompt context (not XSS - it's prompt injection)
-          if (isLLMPromptContext(line, content, filePath)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-prompt-injection`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'ai_pattern',
-              title: 'Potential prompt injection risk',
-              description: 'User content is being used in an LLM prompt context. This is NOT XSS (the content goes to an AI, not a DOM). However, untrusted content in prompts may lead to prompt injection attacks.',
-              suggestedFix: 'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break // Only report once per line
-          }
-
-          // Dynamic content - full severity, needs AI validation
-          let severity = funcPattern.severity
-          if (isTestFile) {
-            severity = 'low'
-          }
-
-          vulnerabilities.push({
-            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-            filePath,
-            lineNumber: index + 1,
-            lineContent: line.trim(),
-            severity,
-            category: 'dangerous_function',
-            title: funcPattern.name,
-            description: funcPattern.description + ' This appears to use dynamic content which increases XSS risk.' + (isTestFile ? ' (in test file)' : ''),
-            suggestedFix: funcPattern.suggestedFix,
-            confidence: isTestFile ? 'low' : 'high',
-            layer: 2,
-            requiresAIValidation: true,  // Dynamic HTML needs validation
-          })
-          break // Only report once per line
-        }
-
-        // Note: JSON.parse is now handled by standalone detectJSONParseSafe() function
-        // which provides better source-aware severity classification
-
-        // Special handling for eval and Function constructor
-        if (funcPattern.name === 'eval() usage' || funcPattern.name === 'Function constructor') {
-          // Suppress entirely in test files - test files legitimately test eval behavior
-          if (isTestFile) {
-            break // Skip reporting entirely
-          }
-
-          // Check if eval is inside a test assertion (expect(), test(), it(), describe())
-          const testAssertionPattern = /\b(expect|test|it|describe)\s*\(/
-          if (testAssertionPattern.test(line)) {
-            break // Skip reporting - this is testing eval behavior
-          }
-
-          // Check if inputs are static literals (low risk)
-          if (hasOnlyStaticInputs(line, content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (static input)',
-              description: 'eval/Function with static string literal input. Lower risk than dynamic input, but consider refactoring to avoid eval entirely.',
-              suggestedFix: 'Consider using JSON.parse() for JSON data or refactoring to avoid eval.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break
-          }
-
-          vulnerabilities.push({
-            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-            filePath,
-            lineNumber: index + 1,
-            lineContent: line.trim(),
-            severity: funcPattern.severity,
-            category: 'dangerous_function',
-            title: funcPattern.name,
-            description: funcPattern.description,
-            suggestedFix: funcPattern.suggestedFix,
-            confidence: 'high',
-            layer: 2,
-            requiresAIValidation: true,  // Code execution patterns need validation
-          })
-          break
-        }
-
-        // Special handling for child_process exec - verify it's not RegExp.exec
-        if (funcPattern.name === 'child_process exec') {
-          // First check if this is actually from child_process (not RegExp.exec)
-          const isExecMatch = /\bexec\s*\(/.test(line)
-          const isOtherMatch = /\b(execSync|spawn|spawnSync|execFile)\s*\(/.test(line)
-          
-          if (isExecMatch && !isOtherMatch) {
-            // This matched 'exec(' - verify it's from child_process
-            if (!isChildProcessExec(content, line)) {
-              // This is RegExp.exec or similar - skip
-              break
-            }
-          } else if (isOtherMatch) {
-            // This matched spawn/execSync/etc - verify child_process import
-            if (!isChildProcessSpawn(content, line)) {
-              // No child_process import - skip
-              break
-            }
-          }
-
-          if (hasOnlyStaticInputs(line, content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (static command)',
-              description: 'exec/execSync with hardcoded command. Lower risk than dynamic commands, but ensure command does not change based on user input.',
-              suggestedFix: 'If command is truly static, this is generally acceptable. For dynamic commands, validate and sanitize inputs.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break
-          }
-        }
-        
-        // Special handling for SQL patterns - check for whitelist validation
-        if (funcPattern.name === 'Raw SQL query construction' || funcPattern.name === 'SQL template literal') {
-          if (hasSQLWhitelistValidation(content, index)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (whitelist validated)',
-              description: 'SQL query with dynamic content, but whitelist/allowlist validation detected. This is a safer pattern that limits injection risk.',
-              suggestedFix: 'Ensure the whitelist is comprehensive and cannot be bypassed. Consider using parameterized queries for additional safety.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break
-          }
-        }
-
-        // Special handling for Dynamic file path - skip for utility files
-        // Utility functions designed to work with file paths are expected to take path parameters
-        if (funcPattern.name === 'Dynamic file path') {
-          // Skip for utility/lib/helper files - these are internal functions, not API handlers
-          const isUtilityFile = /\/(utils?|lib|helpers?|services?|modules?)\//i.test(filePath)
-          // Skip if function name suggests it's designed for file operations
-          const isFileOperationFunction = /\b(checksum|hash|digest|fingerprint|read|write|load|save|get|set|copy|move|delete)File/i.test(content.slice(Math.max(0, index - 200), index + 100))
-          
-          // Skip CLI command files - these take paths from command-line args (controlled inputs)
-          const isCLIFile = /\/(cli|commands?|bin)\//i.test(filePath) || 
-                           /\/src\/(index|main|cli)\.(ts|js)$/i.test(filePath)
-          
-          // Skip GitHub Action files - these process repo files (controlled environment)
-          const isGitHubAction = /github-action/i.test(filePath) || 
-                                /action\.(ts|js|yml|yaml)$/i.test(filePath)
-
-          // Check for schema validation patterns in the surrounding context
-          // Zod, Yup, Joi, or regex validation on the input
-          const contextWindow = content.slice(Math.max(0, content.indexOf(line) - 500), content.indexOf(line) + line.length)
-          const hasSchemaValidation = /z\.(string|object)\s*\(\s*\)\.regex\s*\(/i.test(contextWindow) ||
-            /z\.enum\s*\(/i.test(contextWindow) ||
-            /\.regex\s*\(\s*\/.*\/\s*\)/i.test(contextWindow) ||  // .regex(/.../)
-            /\.match\s*\(\s*\/.*\/\s*\)/i.test(contextWindow) ||   // .match(/.../)
-            /\.(schema|validate)\s*\(/i.test(contextWindow) ||
-            /joi\./i.test(contextWindow) ||
-            /yup\./i.test(contextWindow)
-
-          // Check for path sanitization patterns
-          const hasPathSanitization = hasPathTraversalProtection(contextWindow, line)
-
-          if (isUtilityFile || isFileOperationFunction || isTestFile || isCLIFile || isGitHubAction || hasSchemaValidation || hasPathSanitization) {
-            // Skip entirely for utility functions or when schema validation is present
-            break
-          }
-        }
-
-        // Special handling for Path traversal risk - check for sanitization
-        if (funcPattern.name === 'Path traversal risk') {
-          const contextWindow = content.slice(Math.max(0, content.indexOf(line) - 500), content.indexOf(line) + line.length + 200)
-          
-          // Check for path sanitization patterns
-          if (hasPathTraversalProtection(contextWindow, line)) {
-            vulnerabilities.push({
-              id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-              filePath,
-              lineNumber: index + 1,
-              lineContent: line.trim(),
-              severity: 'info',
-              category: 'dangerous_function',
-              title: funcPattern.name + ' (sanitized)',
-              description: 'User input in file path, but path traversal protection detected. Verify sanitization is comprehensive.',
-              suggestedFix: 'Ensure path.resolve() result is checked against base directory and ".." sequences are rejected.',
-              confidence: 'low',
-              layer: 2,
-            })
-            break
-          }
-        }
-
-        // Special handling for Math.random() - enhanced context-aware severity classification
-        if (funcPattern.name === 'Math.random for security') {
-          // Phase 1: File-level exclusions (skip entirely)
-          if (isSeedOrDataGenFile(filePath)) {
-            break  // Skip seed/data generation files entirely
-          }
-
-          if (isEducationalVulnerabilityFile(filePath)) {
-            break  // Skip intentional vulnerability examples
-          }
-
-          // Phase 2: Context analysis
-          const varName = extractMathRandomVariableName(line)
-          const nameRisk = classifyVariableNameRisk(varName)
-          const context = analyzeMathRandomContext(content, filePath, index)
-          const functionName = extractFunctionContext(content, index)
-          const functionIntent = classifyFunctionIntent(functionName)
-          const toStringPattern = analyzeToStringPattern(line)
-
-          // Phase 3: Skip cosmetic/UI uses
-          if (context.inUIContext) {
-            break  // Already working
-          }
-
-          // Phase 4: Skip UUID/CAPTCHA generation functions
-          if (functionIntent === 'uuid' || functionIntent === 'captcha') {
-            break  // Legitimate non-security uses
-          }
-
-          // Phase 5: Determine severity
-          let severity: VulnerabilitySeverity = 'medium'
-          let confidence: 'high' | 'medium' | 'low' = 'medium'
-          let explanation = ''
-          let description = funcPattern.description
-          let suggestedFix = funcPattern.suggestedFix
-
-          // Test context - INFO
-          if (context.inTestContext) {
-            severity = 'info'
-            confidence = 'low'
-            explanation = ' (test data generation)'
-            description = 'Math.random() used in test context for generating mock data. Not security-critical, but consider crypto.randomUUID() for better uniqueness in tests.'
-            suggestedFix = 'Consider crypto.randomUUID() for test data uniqueness, though Math.random() is acceptable in tests'
-          }
-          // Seed/demo function context - INFO
-          else if (functionIntent === 'demo') {
-            severity = 'info'
-            confidence = 'low'
-            explanation = ' (seed/demo data generation)'
-            description = 'Math.random() used for generating fixture/seed data. Not security-critical in development contexts.'
-            suggestedFix = 'Acceptable for seed data. Use crypto.randomUUID() if uniqueness guarantees needed.'
-          }
-          // Short UI ID pattern - INFO (check before variable name to avoid false positives)
-          // e.g., "const key = Math.random().toString(36).substring(2, 9)" is a UI ID, not a security key
-          else if (toStringPattern.intent === 'short-ui-id') {
-            severity = 'info'
-            confidence = 'low'
-            explanation = ' (UI correlation ID)'
-            description = 'Math.random() used for short UI correlation IDs. Not security-critical, but collisions possible in high-volume scenarios.'
-            suggestedFix = 'For UI correlation, crypto.randomUUID() provides better uniqueness guarantees'
-          }
-          // Security context - HIGH
-          else if (nameRisk === 'high' || context.inSecurityContext || functionIntent === 'security') {
-            severity = 'high'
-            confidence = 'high'
-            explanation = ' (security-sensitive context)'
-            description = 'Math.random() is NOT cryptographically secure and MUST NOT be used for tokens, keys, passwords, or session IDs. This can lead to predictable values that attackers can exploit.'
-            suggestedFix = 'Replace with crypto.randomBytes() or crypto.randomUUID() for security-sensitive operations'
-          }
-          // Business/non-security pattern - LOW
-          else if (nameRisk === 'low' || context.inBusinessLogicContext || toStringPattern.intent === 'business-id') {
-            severity = 'low'
-            confidence = 'low'
-            explanation = ' (non-security usage)'
-            description = 'Math.random() is being used for non-security purposes (business IDs, sampling, jitter/backoff, experiments). While not critical, Math.random() can produce collisions or bias in high-volume scenarios.'
-            suggestedFix = 'Use crypto.randomUUID() for uniqueness-sensitive IDs. For sampling/backoff, consider a seeded PRNG if determinism is needed.'
-          }
-          // Unknown context - MEDIUM
-          else {
-            severity = 'medium'
-            confidence = 'medium'
-            explanation = ' (unclear context)'
-            description = 'Math.random() is being used. Verify this is not for security-critical purposes like tokens, session IDs, or cryptographic operations.'
-            suggestedFix = 'If used for security, replace with crypto.randomBytes(). For unique IDs, use crypto.randomUUID()'
-          }
-
-          // Update title with context
-          const title = `Math.random() in ${context.contextDescription}${explanation}`
-
-          vulnerabilities.push({
-            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-            filePath,
-            lineNumber: index + 1,
-            lineContent: line.trim(),
-            severity,
-            category: 'dangerous_function',
-            title,
-            description,
-            suggestedFix,
-            confidence,
-            layer: 2,
-          })
-          break // Only report once per line
-        }
-
-        // Standard handling for all other patterns
-        let severity = funcPattern.severity
-        let confidence: 'high' | 'medium' | 'low' = 'high'
-
-        if (isTestFile) {
-          if (severity === 'critical') {
-            severity = 'medium'
-          } else if (severity === 'high') {
-            severity = 'low'
-          } else {
-            severity = 'info'
-          }
-          confidence = 'low'
-        }
-
-        vulnerabilities.push({
-          id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
-          filePath,
-          lineNumber: index + 1,
-          lineContent: line.trim(),
-          severity,
-          category: 'dangerous_function',
-          title: funcPattern.name,
-          description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
-          suggestedFix: funcPattern.suggestedFix,
-          confidence,
-          layer: 2,
-        })
-        break // Only report once per line
-      }
-    }
-  })
-
-  // Additional standalone checks (not in DANGEROUS_FUNCTIONS array)
-  
-  // JSON.parse source-aware detection
-  detectJSONParseSafe(content, filePath, isTestFile, vulnerabilities)
-  
-  // request.json() / req.json() schema validation suggestion
-  detectRequestJsonValidation(content, filePath, isTestFile, vulnerabilities)
-
-  return vulnerabilities
-}
-
-/**
- * Detect JSON.parse usage with source-aware severity
- * Much smarter than simple pattern matching - considers try/catch and data source
- */
-function detectJSONParseSafe(
-  content: string,
-  filePath: string,
-  isTestFile: boolean,
-  vulnerabilities: Vulnerability[]
-): void {
-  const lines = content.split('\n')
-  const jsonParsePattern = /JSON\.parse\s*\(/gi
-
-  // Track instances per file to aggregate noisy patterns
-  const instances: { lineNumber: number; lineContent: string; source: JSONParseSource }[] = []
-
-  lines.forEach((line, index) => {
-    if (isComment(line)) return
-
-    jsonParsePattern.lastIndex = 0
-    if (!jsonParsePattern.test(line)) return
-
-    const jsonSource = classifyJSONParseSource(line, filePath)
-
-    // Skip migration files entirely - they're internal tooling
-    if (jsonSource === 'migration') return
-
-    // Skip test fixtures entirely - they're intentionally parsing test data
-    if (jsonSource === 'test_fixture') return
-
-    // Skip trusted SDK responses - these are well-defined and safe to parse
-    if (isTrustedSDKResponse(line, content)) return
-
-    // Check if JSON.parse is inside a try-catch block
-    const insideTryCatch = isInsideTryCatch(content, index) || hasTryCatchNearby(content, index)
-
-    // Check if schema validation is applied after JSON.parse
-    const hasSchemaValidation = hasSchemaValidationNearby(content, index)
-
-    // If inside try-catch with safe source, suppress entirely - this is perfectly fine
-    if (insideTryCatch && ['local_storage', 'database', 'config', 'internal', 'ui_state'].includes(jsonSource)) {
-      return
-    }
-
-    // If schema validation is present, this is properly handled
-    if (hasSchemaValidation) {
-      return
-    }
-
-    // UI state (settings, providers, modals) - very low risk, aggregate or skip
-    if (jsonSource === 'ui_state') {
-      // Only track for aggregation, don't report individually
-      instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource })
-      return
-    }
-
-    // Determine severity based on source and error handling
-    let severity: VulnerabilitySeverity
-    let description: string
-    let suggestedFix: string
-    let confidence: 'high' | 'medium' | 'low' = 'medium'
-
-    if (insideTryCatch) {
-      // Already has error handling
-      switch (jsonSource) {
-        case 'user_input':
-          severity = 'low'
-          description = 'JSON.parse on user input is wrapped in try-catch. Consider adding schema validation (zod/yup) to validate the parsed structure.'
-          suggestedFix = 'Add schema validation after parsing: const validated = schema.parse(JSON.parse(input))'
-          confidence = 'low'
-          break
-        default:
-          // With try-catch and non-user source, this is fine - don't report
-          return
-      }
-    } else {
-      // No try-catch
-      switch (jsonSource) {
-        case 'user_input':
-          severity = 'medium'
-          description = 'JSON.parse on user input without schema validation. Malformed input will crash; malicious input may have unexpected shape.'
-          suggestedFix = 'Use a schema validation library (zod, yup, joi): try { const data = schema.parse(JSON.parse(body)) } catch (e) { return 400 }'
-          confidence = 'high'
-          break
-        case 'local_storage':
-          severity = 'info'
-          description = 'JSON.parse on localStorage data. Consider adding try-catch for robustness against corrupted data.'
-          suggestedFix = 'Wrap in try-catch to handle corrupted localStorage gracefully.'
-          confidence = 'low'
-          break
-        case 'database':
-          // Database content parsing is very common and low-risk
-          instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource })
-          return // Will be aggregated below
-        case 'config':
-        case 'internal':
-          severity = 'info'
-          description = `JSON.parse on ${jsonSource.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.`
-          suggestedFix = 'Consider adding try-catch for robustness.'
-          confidence = 'low'
-          break
-        default:
-          // Unknown source - track for potential aggregation
-          instances.push({ lineNumber: index + 1, lineContent: line.trim(), source: jsonSource })
-          return // Will be evaluated below based on aggregation
-      }
-    }
-
-    // Downgrade test files
-    if (isTestFile) {
-      severity = 'info'
-      confidence = 'low'
-      description += ' (in test file)'
-    }
-
-    vulnerabilities.push({
-      id: `json-parse-${filePath}-${index + 1}`,
-      filePath,
-      lineNumber: index + 1,
-      lineContent: line.trim(),
-      severity,
-      category: 'dangerous_function',
-      title: 'JSON.parse usage',
-      description,
-      suggestedFix,
-      confidence,
-      layer: 2,
-    })
-  })
-
-  // Aggregate low-risk JSON.parse instances if there are many
-  if (instances.length >= 3) {
-    // Create single aggregated finding instead of N individual findings
-    const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5)
-    const moreText = instances.length > 5 ? `... (${instances.length} total)` : ''
-
-    vulnerabilities.push({
-      id: `json-parse-aggregated-${filePath}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: `${instances.length} instances across this file`,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: `JSON.parse usage (${instances.length} instances)`,
-      description: `JSON.parse detected. Consider adding error handling and schema validation if parsing user input.${isTestFile ? ' (in test file)' : ''}\n\nFound ${instances.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
-      suggestedFix: 'Add try-catch for error handling. If parsing user input, add schema validation.',
-      confidence: 'low',
-      layer: 2,
-    })
-  } else if (instances.length > 0 && instances.length < 3) {
-    // Report individually for small counts
-    for (const instance of instances) {
-      vulnerabilities.push({
-        id: `json-parse-${filePath}-${instance.lineNumber}`,
-        filePath,
-        lineNumber: instance.lineNumber,
-        lineContent: instance.lineContent,
-        severity: 'info',
-        category: 'dangerous_function',
-        title: 'JSON.parse usage',
-        description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
-        suggestedFix: 'Consider adding try-catch for robustness.',
-        confidence: 'low',
-        layer: 2,
-      })
-    }
-  }
-}
-
-/**
- * Check if this file appears to have form/input validation elsewhere
- * (manual checks on body fields, type guards, etc.)
- */
-function hasManualValidation(content: string): boolean {
-  const manualValidationPatterns = [
-    // Type checking / type guards
-    /typeof\s+\w+\s*[!=]==?\s*['"](?:string|number|boolean|object)['"]|Array\.isArray\s*\(/i,
-    // Field existence checks followed by throws/returns
-    /if\s*\(\s*!(?:body|data|input)\.\w+\s*\)\s*\{?\s*(throw|return)/i,
-    // Property access with type assertion comments or inline validation
-    /\b(body|data|input)\s*as\s+\w+/i,  // Type assertion
-    // Manual validation with error handling
-    /if\s*\(\s*![\w.]+\s*\|\|\s*typeof\s+[\w.]+/i,
-    // Using type predicates
-    /is\w+\s*\([\w.]+\)/i,  // isFoo(bar) pattern
-  ]
-
-  return manualValidationPatterns.some(p => p.test(content))
-}
-
-/**
- * Check if route has throwing auth helper (getCurrentUserId, requireAuth, etc.)
- * Routes with throwing auth helpers are already protected
- */
-function hasThrowingAuthHelper(content: string): boolean {
-  const throwingAuthPatterns = [
-    /\bgetCurrentUserId\s*\(/i,
-    /\brequireAuth\s*\(/i,
-    /\bensureAuth\s*\(/i,
-    /\bauth\s*\(\s*\)\s*\.protect\s*\(/i,  // Clerk: auth().protect()
-    /\bcurrentUser\s*\(\s*\)/i,  // Clerk: currentUser()
-    /\bgetServerSession\s*\([^)]*\)/i,  // NextAuth
-    /\bauth\s*\(\s*\)/i,  // Generic auth() call
-    /\bcheckAuth\s*\(/i,
-    /\bverifyAuth\s*\(/i,
-    /\bvalidateAuth\s*\(/i,
-    /\bassertAuth\s*\(/i,
-    /\bgetAuth\s*\(/i,
-    /\brequireUser\s*\(/i,
-    /\bgetUser\s*\(\s*\)/i,  // supabase.auth.getUser()
-    /const\s+\{\s*user\s*\}\s*=\s*await/i,  // Destructuring pattern
-  ]
-  return throwingAuthPatterns.some(p => p.test(content))
-}
-
-/**
- * Detect request.json() / req.json() and suggest schema validation
- * This is NOT a dangerous function - it's a prompt for best practices
- */
-function detectRequestJsonValidation(
-  content: string,
-  filePath: string,
-  isTestFile: boolean,
-  vulnerabilities: Vulnerability[]
-): void {
-  // Only check API route files
-  if (!/\/(api|routes?|handlers?|controllers?)\//i.test(filePath) &&
-      !/route\.(ts|js)$/i.test(filePath)) {
-    return
-  }
-
-  // Skip if route has throwing auth helper - these are already protected routes
-  // and the schema validation suggestion is lower priority
-  if (hasThrowingAuthHelper(content)) {
-    return
-  }
-
-  const lines = content.split('\n')
-  // Matches: request.json(), req.json(), await request.json(), etc.
-  const requestJsonPattern = /\b(request|req)\.json\s*\(\s*\)/gi
-
-  // Check if file has schema validation (library-based)
-  const hasSchemaLibrary = /\b(zod|yup|joi|ajv|superstruct|valibot|typebox)\b/i.test(content) ||
-                           /\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(/i.test(content)
-
-  // If file has schema library validation, don't report
-  if (hasSchemaLibrary) return
-
-  // Check for manual validation patterns (less robust but still indicates intent)
-  const hasManualCheck = hasManualValidation(content)
-
-  // Track instances for potential aggregation
-  const instances: { lineNumber: number; lineContent: string }[] = []
-
-  lines.forEach((line, index) => {
-    if (isComment(line)) return
-
-    requestJsonPattern.lastIndex = 0
-    if (!requestJsonPattern.test(line)) return
-
-    // Check if there's validation nearby (within 10 lines after)
-    const startCheck = index
-    const endCheck = Math.min(lines.length, index + 10)
-    const nearbyContent = lines.slice(startCheck, endCheck).join('\n')
-
-    // If there's validation in the nearby lines, skip
-    if (/\.parse\s*\(|\.validate\s*\(|\.safeParse\s*\(|schema\./i.test(nearbyContent)) {
-      return
-    }
-
-    // If manual validation is present, skip individual reporting but track for aggregate
-    if (hasManualCheck) {
-      instances.push({ lineNumber: index + 1, lineContent: line.trim() })
-      return
-    }
-
-    if (isTestFile) {
-      return // Don't report in test files
-    }
-
-    instances.push({ lineNumber: index + 1, lineContent: line.trim() })
-  })
-
-  // Don't report if no instances found
-  if (instances.length === 0) return
-
-  // If manual validation exists, create a single info-level note
-  if (hasManualCheck && instances.length > 0) {
-    vulnerabilities.push({
-      id: `request-json-manual-${filePath}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: instances[0].lineContent,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: 'Request body with manual validation',
-      description: `API endpoint parses request body with manual validation patterns detected. Consider using a schema library (zod, yup) for more robust type-safe validation.`,
-      suggestedFix: 'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
-      confidence: 'low',
-      layer: 2,
-    })
-    return
-  }
-
-  // Aggregate if multiple instances without validation
-  if (instances.length >= 2) {
-    const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5)
-    vulnerabilities.push({
-      id: `request-json-aggregated-${filePath}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: `${instances.length} instances`,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: `Request body without schema validation (${instances.length} instances)`,
-      description: `API endpoint parses request body without visible schema validation at lines: ${lineNumbers.join(', ')}. Consider validating the shape of incoming data.`,
-      suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
-      confidence: 'low',
-      layer: 2,
-    })
-  } else {
-    // Single instance
-    vulnerabilities.push({
-      id: `request-json-${filePath}-${instances[0].lineNumber}`,
-      filePath,
-      lineNumber: instances[0].lineNumber,
-      lineContent: instances[0].lineContent,
-      severity: 'info',
-      category: 'dangerous_function',
-      title: 'Request body without schema validation',
-      description: 'API endpoint parses request body without visible schema validation. Consider validating the shape of incoming data.',
-      suggestedFix: 'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
-      confidence: 'low',
-      layer: 2,
-    })
-  }
-}