@quantracode/vibecheck 0.0.1

package/dist/commands/waivers.js

@@ -0,0 +1,249 @@
+import path from "node:path";
+import { readFileSync, fileExists, resolvePath, writeFileSync, ensureDir, } from "../utils/file-utils.js";
+import { createEmptyWaiversFile, createWaiver, addWaiver, removeWaiver, WaiversFileSchema, } from "@vibecheck/policy";
+const DEFAULT_WAIVERS_FILE = "vibecheck-waivers.json";
+/**
+ * Load waivers file from path
+ */
+function loadWaiversFile(filepath) {
+    const absolutePath = resolvePath(filepath);
+    if (!fileExists(absolutePath)) {
+        throw new Error(`Waivers file not found: ${filepath}`);
+    }
+    const content = readFileSync(absolutePath);
+    if (!content) {
+        throw new Error(`Failed to read waivers file: ${filepath}`);
+    }
+    const data = JSON.parse(content);
+    const result = WaiversFileSchema.safeParse(data);
+    if (!result.success) {
+        throw new Error(`Invalid waivers file: ${result.error.message}`);
+    }
+    return result.data;
+}
+/**
+ * Save waivers file to path
+ */
+function saveWaiversFile(filepath, file) {
+    const absolutePath = resolvePath(filepath);
+    ensureDir(path.dirname(absolutePath));
+    writeFileSync(absolutePath, JSON.stringify(file, null, 2));
+}
+/**
+ * Initialize a new waivers file
+ */
+export function executeWaiversInit(filepath, force) {
+    const absolutePath = resolvePath(filepath);
+    if (fileExists(absolutePath) && !force) {
+        console.error(`\x1b[31mError: Waivers file already exists: ${absolutePath}\x1b[0m`);
+        console.error("Use --force to overwrite");
+        return 1;
+    }
+    const emptyFile = createEmptyWaiversFile();
+    saveWaiversFile(filepath, emptyFile);
+    console.log(`Created waivers file: ${absolutePath}`);
+    return 0;
+}
+/**
+ * Add a waiver to the file
+ */
+export function executeWaiversAdd(filepath, options) {
+    // Validate options
+    if (!options.fingerprint && !options.ruleId) {
+        console.error("\x1b[31mError: Must specify either --fingerprint or --ruleId\x1b[0m");
+        return 1;
+    }
+    if (options.fingerprint && options.ruleId) {
+        console.error("\x1b[31mError: Cannot specify both --fingerprint and --ruleId\x1b[0m");
+        return 1;
+    }
+    // Validate expiry date if provided
+    if (options.expiresAt) {
+        const date = new Date(options.expiresAt);
+        if (isNaN(date.getTime())) {
+            console.error(`\x1b[31mError: Invalid expiry date: ${options.expiresAt}\x1b[0m`);
+            return 1;
+        }
+        if (date <= new Date()) {
+            console.error("\x1b[31mError: Expiry date must be in the future\x1b[0m");
+            return 1;
+        }
+    }
+    // Load or create waivers file
+    let file;
+    const absolutePath = resolvePath(filepath);
+    if (fileExists(absolutePath)) {
+        file = loadWaiversFile(filepath);
+    }
+    else {
+        console.log("Creating new waivers file...");
+        file = createEmptyWaiversFile();
+    }
+    // Create waiver
+    const waiver = createWaiver({
+        fingerprint: options.fingerprint,
+        ruleId: options.ruleId,
+        pathPattern: options.pathPattern,
+        reason: options.reason,
+        createdBy: options.createdBy,
+        expiresAt: options.expiresAt ? new Date(options.expiresAt).toISOString() : undefined,
+        ticketRef: options.ticketRef,
+    });
+    // Add to file
+    const updated = addWaiver(file, waiver);
+    saveWaiversFile(filepath, updated);
+    console.log(`Added waiver: ${waiver.id}`);
+    if (options.fingerprint) {
+        console.log(`  Fingerprint: ${options.fingerprint}`);
+    }
+    else {
+        console.log(`  Rule ID: ${options.ruleId}`);
+        if (options.pathPattern) {
+            console.log(`  Path pattern: ${options.pathPattern}`);
+        }
+    }
+    console.log(`  Reason: ${options.reason}`);
+    console.log(`  Created by: ${options.createdBy}`);
+    if (options.expiresAt) {
+        console.log(`  Expires: ${options.expiresAt}`);
+    }
+    if (options.ticketRef) {
+        console.log(`  Ticket: ${options.ticketRef}`);
+    }
+    return 0;
+}
+/**
+ * List waivers in the file
+ */
+export function executeWaiversList(filepath, verbose) {
+    const file = loadWaiversFile(filepath);
+    if (file.waivers.length === 0) {
+        console.log("No waivers in file");
+        return 0;
+    }
+    console.log(`Found ${file.waivers.length} waiver(s):\n`);
+    for (const waiver of file.waivers) {
+        const isExpired = waiver.expiresAt && new Date(waiver.expiresAt) < new Date();
+        const expiredNote = isExpired ? " \x1b[31m[EXPIRED]\x1b[0m" : "";
+        console.log(`ID: ${waiver.id}${expiredNote}`);
+        if (waiver.match.fingerprint) {
+            console.log(`  Match: fingerprint = ${waiver.match.fingerprint}`);
+        }
+        else {
+            console.log(`  Match: ruleId = ${waiver.match.ruleId}`);
+            if (waiver.match.pathPattern) {
+                console.log(`         pathPattern = ${waiver.match.pathPattern}`);
+            }
+        }
+        console.log(`  Reason: ${waiver.reason}`);
+        if (verbose) {
+            console.log(`  Created by: ${waiver.createdBy}`);
+            console.log(`  Created at: ${waiver.createdAt}`);
+            if (waiver.expiresAt) {
+                console.log(`  Expires at: ${waiver.expiresAt}`);
+            }
+            if (waiver.ticketRef) {
+                console.log(`  Ticket: ${waiver.ticketRef}`);
+            }
+        }
+        console.log("");
+    }
+    return 0;
+}
+/**
+ * Remove a waiver from the file
+ */
+export function executeWaiversRemove(filepath, waiverId) {
+    const file = loadWaiversFile(filepath);
+    // Check if waiver exists
+    const exists = file.waivers.some((w) => w.id === waiverId);
+    if (!exists) {
+        console.error(`\x1b[31mError: Waiver not found: ${waiverId}\x1b[0m`);
+        return 1;
+    }
+    const updated = removeWaiver(file, waiverId);
+    saveWaiversFile(filepath, updated);
+    console.log(`Removed waiver: ${waiverId}`);
+    return 0;
+}
+/**
+ * Register waivers command with subcommands
+ */
+export function registerWaiversCommand(program) {
+    const waiversCmd = program
+        .command("waivers")
+        .description("Manage policy waivers");
+    // waivers init
+    waiversCmd
+        .command("init [path]")
+        .description("Initialize a new waivers file")
+        .option("-f, --force", "Overwrite existing file")
+        .action((pathArg, cmdOptions) => {
+        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
+        const exitCode = executeWaiversInit(filepath, Boolean(cmdOptions.force));
+        process.exit(exitCode);
+    });
+    // waivers add
+    waiversCmd
+        .command("add [path]")
+        .description("Add a waiver to the file")
+        .option("--fingerprint <sha256>", "Match by finding fingerprint")
+        .option("--rule-id <id>", "Match by rule ID (supports wildcards like VC-AUTH-*)")
+        .option("--path-pattern <glob>", "Additional path pattern for rule ID match")
+        .requiredOption("-r, --reason <text>", "Justification for the waiver")
+        .requiredOption("--created-by <email>", "Who is creating this waiver")
+        .option("--expires <date>", "Expiration date (ISO format)")
+        .option("--ticket <ref>", "Reference to ticket/issue")
+        .addHelpText("after", `
+Examples:
+  $ vibecheck waivers add --fingerprint sha256:abc123 -r "False positive" --created-by dev@example.com
+  $ vibecheck waivers add --rule-id VC-AUTH-001 -r "Accepted risk" --created-by dev@example.com
+  $ vibecheck waivers add --rule-id "VC-VAL-*" --path-pattern "src/legacy/**" -r "Legacy code" --created-by dev@example.com
+  $ vibecheck waivers add --fingerprint sha256:xyz --expires 2025-12-31 -r "Temporary" --created-by dev@example.com
+  $ vibecheck waivers add ./custom-waivers.json --fingerprint sha256:abc -r "Custom file" --created-by dev@example.com
+`)
+        .action((pathArg, cmdOptions) => {
+        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
+        const exitCode = executeWaiversAdd(filepath, {
+            fingerprint: cmdOptions.fingerprint,
+            ruleId: cmdOptions.ruleId,
+            pathPattern: cmdOptions.pathPattern,
+            reason: cmdOptions.reason,
+            createdBy: cmdOptions.createdBy,
+            expiresAt: cmdOptions.expires,
+            ticketRef: cmdOptions.ticket,
+        });
+        process.exit(exitCode);
+    });
+    // waivers list
+    waiversCmd
+        .command("list [path]")
+        .description("List waivers in the file")
+        .option("-v, --verbose", "Show all waiver details")
+        .action((pathArg, cmdOptions) => {
+        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
+        try {
+            const exitCode = executeWaiversList(filepath, Boolean(cmdOptions.verbose));
+            process.exit(exitCode);
+        }
+        catch (error) {
+            console.error(`\x1b[31mError: ${error instanceof Error ? error.message : String(error)}\x1b[0m`);
+            process.exit(1);
+        }
+    });
+    // waivers remove
+    waiversCmd
+        .command("remove <waiverId> [path]")
+        .description("Remove a waiver from the file")
+        .action((waiverId, pathArg) => {
+        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
+        try {
+            const exitCode = executeWaiversRemove(filepath, waiverId);
+            process.exit(exitCode);
+        }
+        catch (error) {
+            console.error(`\x1b[31mError: ${error instanceof Error ? error.message : String(error)}\x1b[0m`);
+            process.exit(1);
+        }
+    });
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { registerScanCommand, registerExplainCommand, registerDemoArtifactCommand, registerIntentCommand, registerEvaluateCommand, registerWaiversCommand, } from "./commands/index.js";
+const program = new Command();
+program
+    .name("vibecheck")
+    .description("Security scanner for modern web applications")
+    .version("0.0.1");
+// Register commands
+registerScanCommand(program);
+registerExplainCommand(program);
+registerDemoArtifactCommand(program);
+registerIntentCommand(program);
+registerEvaluateCommand(program);
+registerWaiversCommand(program);
+// Parse arguments
+program.parse();

package/dist/phase3/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Phase 3: Hallucination Detection Engine
+ *
+ * Cross-file proof traces, intent claim mining, and hallucination detection.
+ * All deterministic, local-only.
+ */
+export { generateRouteId, filePathToRoutePath, buildRouteMap, buildMiddlewareMap, isRouteCoveredByMiddleware, buildProofTrace, buildAllProofTraces, calculateCoverage, } from "./proof-trace-builder.js";
+export { generateIntentId, mineIntentClaims, mineAllIntentClaims, findClaimsForRoute, findUnprovenClaims, } from "./intent-miner.js";
+export { phase3Scanners, hallucinationsPack, authPackPhase3, scanCommentClaimUnproven, scanMiddlewareAssumedNotMatching, scanValidationClaimedMissing, scanAuthByUiServerGap, } from "./scanners/index.js";
+export type { RouteInfo, MiddlewareInfo, IntentClaim, IntentClaimType, IntentClaimSource, IntentClaimScope, IntentClaimStrength, ProofTrace, ProofTraceStep, CoverageMetrics, Phase3Context, } from "../scanners/types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/phase3/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/phase3/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,kBAAkB,EAClB,0BAA0B,EAC1B,eAAe,EACf,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,wBAAwB,EACxB,gCAAgC,EAChC,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAG7B,YAAY,EACV,SAAS,EACT,cAAc,EACd,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,EACV,cAAc,EACd,eAAe,EACf,aAAa,GACd,MAAM,sBAAsB,CAAC"}

package/dist/phase3/index.js

@@ -0,0 +1,12 @@
+/**
+ * Phase 3: Hallucination Detection Engine
+ *
+ * Cross-file proof traces, intent claim mining, and hallucination detection.
+ * All deterministic, local-only.
+ */
+// Proof trace builder
+export { generateRouteId, filePathToRoutePath, buildRouteMap, buildMiddlewareMap, isRouteCoveredByMiddleware, buildProofTrace, buildAllProofTraces, calculateCoverage, } from "./proof-trace-builder.js";
+// Intent claim miner
+export { generateIntentId, mineIntentClaims, mineAllIntentClaims, findClaimsForRoute, findUnprovenClaims, } from "./intent-miner.js";
+// Scanners
+export { phase3Scanners, hallucinationsPack, authPackPhase3, scanCommentClaimUnproven, scanMiddlewareAssumedNotMatching, scanValidationClaimedMissing, scanAuthByUiServerGap, } from "./scanners/index.js";

package/dist/phase3/intent-miner.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Phase 3: Intent Claim Miner
+ *
+ * Parses comments, identifiers, imports, and config for security claims.
+ * Deterministic, local-only.
+ */
+import { type SourceFile } from "ts-morph";
+import type { ScanContext, IntentClaim, IntentClaimType, RouteInfo } from "../scanners/types.js";
+/**
+ * Generate a stable intent ID
+ */
+export declare function generateIntentId(type: IntentClaimType, file: string, line: number, evidence: string): string;
+/**
+ * Mine intent claims from a source file
+ */
+export declare function mineIntentClaims(ctx: ScanContext, sourceFile: SourceFile, routes: RouteInfo[]): IntentClaim[];
+/**
+ * Mine all intent claims from scan context
+ */
+export declare function mineAllIntentClaims(ctx: ScanContext, routes: RouteInfo[]): IntentClaim[];
+/**
+ * Find claims that target a specific route
+ */
+export declare function findClaimsForRoute(claims: IntentClaim[], routeId: string): IntentClaim[];
+/**
+ * Find unproven claims (claims without corresponding proof)
+ */
+export declare function findUnprovenClaims(claims: IntentClaim[], proofTraces: Map<string, {
+    authProven: boolean;
+    validationProven: boolean;
+}>): IntentClaim[];
+//# sourceMappingURL=intent-miner.d.ts.map

package/dist/phase3/intent-miner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"intent-miner.d.ts","sourceRoot":"","sources":["../../src/phase3/intent-miner.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAc,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AACvD,OAAO,KAAK,EACV,WAAW,EACX,WAAW,EACX,eAAe,EAIf,SAAS,EACV,MAAM,sBAAsB,CAAC;AAkD9B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,eAAe,EACrB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,MAAM,CAGR;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,WAAW,EAChB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,SAAS,EAAE,GAClB,WAAW,EAAE,CAef;AA6PD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,SAAS,EAAE,GAClB,WAAW,EAAE,CAuBf;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,WAAW,EAAE,EACrB,OAAO,EAAE,MAAM,GACd,WAAW,EAAE,CAIf;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,WAAW,EAAE,EACrB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,OAAO,CAAA;CAAE,CAAC,GAC3E,WAAW,EAAE,CAqBf"}

package/dist/phase3/intent-miner.js

@@ -0,0 +1,323 @@
+/**
+ * Phase 3: Intent Claim Miner
+ *
+ * Parses comments, identifiers, imports, and config for security claims.
+ * Deterministic, local-only.
+ */
+import crypto from "node:crypto";
+import path from "node:path";
+import { SyntaxKind } from "ts-morph";
+/**
+ * Patterns for detecting security intent claims
+ */
+const INTENT_PATTERNS = [
+    // Auth patterns
+    { pattern: /\b(auth|authenticate|authorized|protected|secured)\b/i, type: "AUTH_ENFORCED", strength: "strong" },
+    { pattern: /\brequires?\s*(auth|login|session)\b/i, type: "AUTH_ENFORCED", strength: "strong" },
+    { pattern: /\b(getServerSession|useSession|withAuth|requireAuth)\b/, type: "AUTH_ENFORCED", strength: "medium" },
+    // Validation patterns
+    { pattern: /\b(validat(e|ed|ion|or)|sanitiz(e|ed))\b/i, type: "INPUT_VALIDATED", strength: "strong" },
+    { pattern: /\b(schema|zod|yup|joi)\b/i, type: "INPUT_VALIDATED", strength: "medium" },
+    { pattern: /\.parse\(|\.validate\(|\.safeParse\(/, type: "INPUT_VALIDATED", strength: "medium" },
+    // CSRF patterns
+    { pattern: /\b(csrf|xsrf|cross.?site)\b/i, type: "CSRF_ENABLED", strength: "strong" },
+    // Rate limiting patterns
+    { pattern: /\b(rate.?limit|throttl|limit.?rate)\b/i, type: "RATE_LIMITED", strength: "strong" },
+    // Encryption patterns
+    { pattern: /\b(encrypt|cipher|aes|rsa)\b/i, type: "ENCRYPTED_AT_REST", strength: "medium" },
+    // Middleware patterns
+    { pattern: /\b(middleware|intercept|guard)\b/i, type: "MIDDLEWARE_PROTECTED", strength: "medium" },
+];
+/**
+ * Security-related import patterns
+ */
+const SECURITY_IMPORTS = [
+    { module: /^next-auth/, type: "AUTH_ENFORCED" },
+    { module: /^@auth\//, type: "AUTH_ENFORCED" },
+    { module: /^passport/, type: "AUTH_ENFORCED" },
+    { module: /^zod$/, type: "INPUT_VALIDATED" },
+    { module: /^yup$/, type: "INPUT_VALIDATED" },
+    { module: /^joi$/, type: "INPUT_VALIDATED" },
+    { module: /^csurf$/, type: "CSRF_ENABLED" },
+    { module: /^express-rate-limit$/, type: "RATE_LIMITED" },
+    { module: /^rate-limiter-flexible$/, type: "RATE_LIMITED" },
+    { module: /^helmet$/, type: "MIDDLEWARE_PROTECTED" },
+];
+/**
+ * Generate a stable intent ID
+ */
+export function generateIntentId(type, file, line, evidence) {
+    const normalized = `${type}:${file}:${line}:${evidence.slice(0, 50)}`.toLowerCase();
+    return crypto.createHash("sha256").update(normalized).digest("hex").slice(0, 12);
+}
+/**
+ * Mine intent claims from a source file
+ */
+export function mineIntentClaims(ctx, sourceFile, routes) {
+    const claims = [];
+    const filePath = sourceFile.getFilePath();
+    const relPath = path.relative(ctx.repoRoot, filePath).replace(/\\/g, "/");
+    // Mine from comments
+    claims.push(...mineFromComments(sourceFile, relPath, routes));
+    // Mine from imports
+    claims.push(...mineFromImports(sourceFile, relPath));
+    // Mine from identifiers (function names, variable names)
+    claims.push(...mineFromIdentifiers(sourceFile, relPath, routes));
+    return claims;
+}
+/**
+ * Mine claims from code comments
+ */
+function mineFromComments(sourceFile, relPath, routes) {
+    const claims = [];
+    // Get all comments in the file
+    const leadingComments = [];
+    sourceFile.forEachDescendant((node) => {
+        const nodeComments = node.getLeadingCommentRanges();
+        for (const comment of nodeComments) {
+            leadingComments.push({
+                text: comment.getText(),
+                line: sourceFile.getLineAndColumnAtPos(comment.getPos()).line,
+            });
+        }
+    });
+    // Also get file-level comments
+    const fullText = sourceFile.getFullText();
+    const commentMatches = fullText.matchAll(/\/\*\*?[\s\S]*?\*\/|\/\/[^\n]*/g);
+    for (const match of commentMatches) {
+        const line = sourceFile.getLineAndColumnAtPos(match.index || 0).line;
+        // Avoid duplicates
+        if (!leadingComments.some((c) => c.line === line)) {
+            leadingComments.push({ text: match[0], line });
+        }
+    }
+    for (const { text, line } of leadingComments) {
+        for (const { pattern, type, strength } of INTENT_PATTERNS) {
+            if (pattern.test(text)) {
+                // Determine scope based on comment context
+                const scope = determineCommentScope(text, relPath);
+                // Try to find associated route
+                const targetRouteId = findAssociatedRoute(relPath, line, routes);
+                claims.push({
+                    intentId: generateIntentId(type, relPath, line, text),
+                    type,
+                    scope,
+                    targetRouteId,
+                    source: "comment",
+                    location: {
+                        file: relPath,
+                        startLine: line,
+                        endLine: line,
+                    },
+                    strength,
+                    textEvidence: truncateEvidence(text),
+                });
+                break; // One claim per comment
+            }
+        }
+    }
+    return claims;
+}
+/**
+ * Mine claims from import statements
+ */
+function mineFromImports(sourceFile, relPath) {
+    const claims = [];
+    for (const importDecl of sourceFile.getImportDeclarations()) {
+        const moduleSpecifier = importDecl.getModuleSpecifierValue();
+        const line = importDecl.getStartLineNumber();
+        for (const { module, type } of SECURITY_IMPORTS) {
+            if (module.test(moduleSpecifier)) {
+                claims.push({
+                    intentId: generateIntentId(type, relPath, line, moduleSpecifier),
+                    type,
+                    scope: "module",
+                    source: "import",
+                    location: {
+                        file: relPath,
+                        startLine: line,
+                        endLine: line,
+                    },
+                    strength: "medium",
+                    textEvidence: `import from "${moduleSpecifier}"`,
+                });
+                break;
+            }
+        }
+    }
+    return claims;
+}
+/**
+ * Mine claims from function and variable identifiers
+ */
+function mineFromIdentifiers(sourceFile, relPath, routes) {
+    const claims = [];
+    // Function declarations
+    for (const func of sourceFile.getFunctions()) {
+        const name = func.getName() || "";
+        const line = func.getStartLineNumber();
+        for (const { pattern, type, strength } of INTENT_PATTERNS) {
+            if (pattern.test(name)) {
+                const targetRouteId = findAssociatedRoute(relPath, line, routes);
+                claims.push({
+                    intentId: generateIntentId(type, relPath, line, name),
+                    type,
+                    scope: "route",
+                    targetRouteId,
+                    source: "identifier",
+                    location: {
+                        file: relPath,
+                        startLine: line,
+                        endLine: func.getEndLineNumber(),
+                    },
+                    strength,
+                    textEvidence: `function ${name}`,
+                });
+                break;
+            }
+        }
+    }
+    // Variable declarations with security-related names
+    sourceFile.forEachDescendant((node) => {
+        if (node.getKind() === SyntaxKind.VariableDeclaration) {
+            const text = node.getText();
+            const name = text.split("=")[0].trim();
+            const line = node.getStartLineNumber();
+            for (const { pattern, type, strength } of INTENT_PATTERNS) {
+                if (pattern.test(name)) {
+                    claims.push({
+                        intentId: generateIntentId(type, relPath, line, name),
+                        type,
+                        scope: "route",
+                        source: "identifier",
+                        location: {
+                            file: relPath,
+                            startLine: line,
+                            endLine: line,
+                        },
+                        strength,
+                        textEvidence: `variable: ${truncateEvidence(name)}`,
+                    });
+                    break;
+                }
+            }
+        }
+    });
+    return claims;
+}
+/**
+ * Determine the scope of a comment-based claim
+ */
+function determineCommentScope(text, filePath) {
+    const lowerText = text.toLowerCase();
+    // Module-level indicators (file or function scope maps to module)
+    if (lowerText.includes("@file") ||
+        lowerText.includes("this file") ||
+        lowerText.includes("this module")) {
+        return "module";
+    }
+    // Route-level indicators
+    if (lowerText.includes("this route") ||
+        lowerText.includes("this endpoint") ||
+        lowerText.includes("this handler")) {
+        return "route";
+    }
+    // Global indicators
+    if (lowerText.includes("all routes") ||
+        lowerText.includes("every request") ||
+        lowerText.includes("globally")) {
+        return "global";
+    }
+    // Default to route scope for comments near handlers
+    return "route";
+}
+/**
+ * Find an associated route for a given file and line
+ */
+function findAssociatedRoute(filePath, line, routes) {
+    // Find routes in the same file
+    const fileRoutes = routes.filter((r) => r.file === filePath);
+    if (fileRoutes.length === 0) {
+        return undefined;
+    }
+    // If only one route, associate with it
+    if (fileRoutes.length === 1) {
+        return fileRoutes[0].routeId;
+    }
+    // Find the closest route that starts after or contains this line
+    for (const route of fileRoutes) {
+        if (line >= route.startLine && line <= route.endLine) {
+            return route.routeId;
+        }
+    }
+    // Find the closest route that starts after this line
+    const afterRoutes = fileRoutes.filter((r) => r.startLine > line);
+    if (afterRoutes.length > 0) {
+        return afterRoutes.sort((a, b) => a.startLine - b.startLine)[0].routeId;
+    }
+    return undefined;
+}
+/**
+ * Truncate evidence text
+ */
+function truncateEvidence(text) {
+    const cleaned = text.replace(/\s+/g, " ").trim();
+    if (cleaned.length <= 100) {
+        return cleaned;
+    }
+    return cleaned.slice(0, 97) + "...";
+}
+/**
+ * Mine all intent claims from scan context
+ */
+export function mineAllIntentClaims(ctx, routes) {
+    const allClaims = [];
+    // Mine from all source files
+    for (const file of ctx.fileIndex.allSourceFiles) {
+        // allSourceFiles are relative paths, resolve to absolute for parseFile
+        const absolutePath = path.join(ctx.repoRoot, file);
+        const sourceFile = ctx.helpers.parseFile(absolutePath);
+        if (!sourceFile)
+            continue;
+        const claims = mineIntentClaims(ctx, sourceFile, routes);
+        allClaims.push(...claims);
+    }
+    // Deduplicate by intentId
+    const seen = new Set();
+    return allClaims.filter((claim) => {
+        if (seen.has(claim.intentId)) {
+            return false;
+        }
+        seen.add(claim.intentId);
+        return true;
+    });
+}
+/**
+ * Find claims that target a specific route
+ */
+export function findClaimsForRoute(claims, routeId) {
+    return claims.filter((c) => c.targetRouteId === routeId || c.scope === "global" || c.scope === "module");
+}
+/**
+ * Find unproven claims (claims without corresponding proof)
+ */
+export function findUnprovenClaims(claims, proofTraces) {
+    const unproven = [];
+    for (const claim of claims) {
+        if (!claim.targetRouteId)
+            continue;
+        const proof = proofTraces.get(claim.targetRouteId);
+        if (!proof) {
+            unproven.push(claim);
+            continue;
+        }
+        // Check if the claim type matches the proof
+        if (claim.type === "AUTH_ENFORCED" && !proof.authProven) {
+            unproven.push(claim);
+        }
+        else if (claim.type === "INPUT_VALIDATED" && !proof.validationProven) {
+            unproven.push(claim);
+        }
+    }
+    return unproven;
+}