agentic-qe 3.6.7 → 3.6.9

package/v3/dist/domains/security-compliance/services/security-auditor.js

@@ -1,56 +1,27 @@
 /**
  * Agentic QE v3 - Security Auditor Service
- * Provides comprehensive security audit functionality
+ * Orchestrator that delegates to focused modules for scanning and reporting.
+ *
+ * Extracted modules:
+ *   - security-auditor-types.ts: Types, interfaces, config, HTTP client
+ *   - security-auditor-sast.ts: Static Application Security Testing
+ *   - security-auditor-dast.ts: Dynamic Application Security Testing
+ *   - security-auditor-secrets.ts: Secret/credential detection
+ *   - security-auditor-reports.ts: Risk calculation, posture, recommendations
  */
 import { v4 as uuidv4 } from 'uuid';
 import * as fs from 'fs/promises';
 import * as path from 'path';
 import { ok, err } from '../../../shared/types/index.js';
-async function httpPost(url, body) {
-    const response = await fetch(url, {
-        method: 'POST',
-        headers: {
-            'Content-Type': 'application/json',
-        },
-        body: JSON.stringify(body),
-    });
-    const data = await response.json();
-    return {
-        ok: response.ok,
-        status: response.status,
-        data,
-    };
-}
-async function httpGet(url) {
-    const response = await fetch(url, {
-        method: 'GET',
-        headers: {
-            'Accept': 'application/json',
-        },
-    });
-    const data = await response.json();
-    return {
-        ok: response.ok,
-        status: response.status,
-        data,
-    };
-}
-const DEFAULT_CONFIG = {
-    secretPatterns: [
-        /(?:api[_-]?key|apikey)['":\s]*['"=]?\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi,
-        /(?:password|passwd|pwd)['":\s]*['"=]?\s*['"]?([^\s'"]{8,})['"]?/gi,
-        /(?:secret|token)['":\s]*['"=]?\s*['"]?([a-zA-Z0-9_\-]{16,})['"]?/gi,
-        /(?:aws[_-]?access[_-]?key|aws[_-]?secret)['":\s]*['"=]?\s*['"]?([A-Z0-9]{20,})['"]?/gi,
-        /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi,
-        /ghp_[a-zA-Z0-9]{36}/g, // GitHub personal access token
-        /gho_[a-zA-Z0-9]{36}/g, // GitHub OAuth access token
-        /sk-[a-zA-Z0-9]{48}/g, // OpenAI API key
-    ],
-    excludePatterns: ['node_modules', 'dist', 'build', '.git', '*.test.*', '*.spec.*'],
-    maxFileSizeKb: 1024,
-    enableHistoricalAnalysis: true,
-    riskThreshold: 0.7,
-};
+import { toError } from '../../../shared/error-utils.js';
+import { safeJsonParse } from '../../../shared/safe-json.js';
+export { DEFAULT_CONFIG, httpPost, httpGet } from './security-auditor-types.js';
+import { DEFAULT_CONFIG, httpPost, httpGet } from './security-auditor-types.js';
+// Import extracted modules
+import { performSASTScan } from './security-auditor-sast.js';
+import { performDASTScan } from './security-auditor-dast.js';
+import { scanFileForSecrets } from './security-auditor-secrets.js';
+import { calculateOverallRisk, generateRecommendations, countBySeverity, countOpenVulnerabilities, calculateTrend, calculatePostureScore, generatePostureRecommendations, determinePriorityBucket, } from './security-auditor-reports.js';
 // ============================================================================
 // Security Auditor Service Implementation
 // ============================================================================
@@ -64,9 +35,6 @@ export class SecurityAuditorService {
     // ==========================================================================
     // IDependencySecurityService Implementation
     // ==========================================================================
-    /**
-     * Scan dependencies for vulnerabilities
-     */
     async scanDependencies(manifestPath) {
         try {
             const manifest = manifestPath.value;
@@ -76,60 +44,37 @@ export class SecurityAuditorService {
             }
             const vulnerabilities = [];
             const outdatedPackages = [];
-            // Parse dependencies from manifest file
             const dependencies = await this.parseDependencies(manifest, ecosystem);
             for (const dep of dependencies) {
-                // Check for known vulnerabilities
                 const vulns = await this.checkDependencyVulnerabilities(dep, ecosystem);
                 vulnerabilities.push(...vulns);
-                // Check for outdated packages
                 const outdated = await this.checkOutdated(dep);
                 if (outdated) {
                     outdatedPackages.push(outdated);
                 }
             }
             const summary = this.createDependencySummary(vulnerabilities, dependencies.length);
-            // Store results
-            await this.memory.set(`security:deps:${manifestPath.filename}`, { vulnerabilities, outdatedPackages, summary }, { namespace: 'security-compliance', ttl: 86400 } // 24 hours
-            );
-            return ok({
-                vulnerabilities,
-                outdatedPackages,
-                summary,
-            });
+            await this.memory.set(`security:deps:${manifestPath.filename}`, { vulnerabilities, outdatedPackages, summary }, { namespace: 'security-compliance', ttl: 86400 });
+            return ok({ vulnerabilities, outdatedPackages, summary });
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
-    /**
-     * Check specific package for security issues
-     */
     async checkPackage(name, version, ecosystem) {
         try {
-            // Query OSV vulnerability database
             const vulnerabilities = await this.queryVulnerabilityDatabase(name, version, ecosystem);
             const latestVersion = await this.getLatestVersion(name, ecosystem);
             const isDeprecated = await this.checkDeprecation(name, ecosystem);
-            return ok({
-                name,
-                version,
-                vulnerabilities,
-                latestVersion,
-                isDeprecated,
-            });
+            return ok({ name, version, vulnerabilities, latestVersion, isDeprecated });
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
-    /**
-     * Get upgrade recommendations for vulnerabilities
-     */
     async getUpgradeRecommendations(vulnerabilities) {
         try {
             const recommendations = [];
-            // Group vulnerabilities by package
             const byPackage = new Map();
             for (const vuln of vulnerabilities) {
                 const dep = vuln.location.dependency;
@@ -140,7 +85,6 @@ export class SecurityAuditorService {
                     byPackage.set(key, existing);
                 }
             }
-            // Generate recommendations for each package
             for (const [key, vulns] of byPackage) {
                 const [ecosystem, name] = key.split(':');
                 const currentVersion = vulns[0].location.dependency?.version || 'unknown';
@@ -156,20 +100,16 @@ export class SecurityAuditorService {
                     breakingChanges: this.hasBreakingChanges(currentVersion, latestVersion),
                 });
             }
-            // Sort by number of vulnerabilities fixed
             recommendations.sort((a, b) => b.fixesVulnerabilities.length - a.fixesVulnerabilities.length);
             return ok(recommendations);
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
     // ==========================================================================
-    // Audit Functionality
+    // Audit Functionality (delegates to extracted modules)
     // ==========================================================================
-    /**
-     * Run comprehensive security audit
-     */
     async runAudit(options) {
         const auditId = uuidv4();
         const timestamp = new Date();
@@ -178,28 +118,20 @@ export class SecurityAuditorService {
             let dastResults;
             let dependencyResults;
             let secretScanResults;
-            // Note: Actual SAST/DAST scanning would be delegated to SecurityScannerService
-            // This is orchestration-level code that combines results
             if (options.includeSAST) {
-                // SAST scanning delegated to SecurityScannerService
-                sastResults = await this.performSASTScan();
+                sastResults = await performSASTScan((dir) => this.findSourceFiles(dir), (fp) => this.shouldExclude(fp));
             }
             if (options.includeDAST && options.targetUrl) {
-                // DAST scanning delegated to SecurityScannerService
-                dastResults = await this.performDASTScan(options.targetUrl);
+                dastResults = await performDASTScan(options.targetUrl);
             }
             if (options.includeDependencies) {
-                // Scan package manifests for vulnerabilities
                 dependencyResults = await this.performDependencyScan();
             }
             if (options.includeSecrets) {
-                // Scan source files for secrets
                 secretScanResults = await this.performSecretScan();
             }
-            // Calculate overall risk score
-            const overallRiskScore = this.calculateOverallRisk(sastResults, dastResults, dependencyResults, secretScanResults);
-            // Generate recommendations
-            const recommendations = this.generateRecommendations(sastResults, dastResults, dependencyResults, secretScanResults);
+            const overallRiskScore = calculateOverallRisk(sastResults, dastResults, dependencyResults, secretScanResults);
+            const recommendations = generateRecommendations(sastResults, dastResults, dependencyResults, secretScanResults);
             const report = {
                 auditId,
                 timestamp,
@@ -210,59 +142,42 @@ export class SecurityAuditorService {
                 overallRiskScore,
                 recommendations,
             };
-            // Store audit report
             await this.memory.set(`security:audit:${auditId}`, report, { namespace: 'security-compliance', persist: true });
             return ok(report);
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
-    /**
-     * Scan for secrets in code
-     */
     async scanSecrets(files) {
         try {
             const secretsFound = [];
             let filesScanned = 0;
             for (const file of files) {
-                // Skip excluded patterns
                 if (this.shouldExclude(file.value)) {
                     continue;
                 }
                 filesScanned++;
-                // Read and scan file for secrets using regex patterns
-                const secrets = await this.scanFileForSecrets(file);
+                const secrets = await scanFileForSecrets(file);
                 secretsFound.push(...secrets);
             }
-            return ok({
-                secretsFound,
-                filesScanned,
-            });
+            return ok({ secretsFound, filesScanned });
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
-    /**
-     * Get security posture summary
-     */
     async getSecurityPosture() {
         try {
-            // Get historical audit data
             const audits = await this.getRecentAudits();
-            // Calculate metrics
             const latestAudit = audits[0];
             const previousAudit = audits[1];
-            const criticalIssues = this.countBySeverity(latestAudit, 'critical');
-            const highIssues = this.countBySeverity(latestAudit, 'high');
-            const openVulnerabilities = this.countOpenVulnerabilities(latestAudit);
-            // Calculate trend
-            const trend = this.calculateTrend(latestAudit, previousAudit);
-            // Calculate overall score (0-100)
-            const overallScore = this.calculatePostureScore(criticalIssues, highIssues, openVulnerabilities);
-            // Generate recommendations
-            const recommendations = this.generatePostureRecommendations(criticalIssues, highIssues, overallScore);
+            const criticalIssues = countBySeverity(latestAudit, 'critical');
+            const highIssues = countBySeverity(latestAudit, 'high');
+            const openVulnerabilities = countOpenVulnerabilities(latestAudit);
+            const trend = calculateTrend(latestAudit, previousAudit);
+            const overallScore = calculatePostureScore(criticalIssues, highIssues, openVulnerabilities);
+            const recommendations = generatePostureRecommendations(criticalIssues, highIssues, overallScore);
             return ok({
                 overallScore,
                 trend,
@@ -276,12 +191,9 @@ export class SecurityAuditorService {
             });
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
-    /**
-     * Triage vulnerabilities by priority
-     */
     async triageVulnerabilities(vulnerabilities) {
         try {
             const triaged = {
@@ -292,10 +204,9 @@ export class SecurityAuditorService {
                 accepted: [],
             };
             for (const vuln of vulnerabilities) {
-                const bucket = this.determinePriorityBucket(vuln);
+                const bucket = determinePriorityBucket(vuln);
                 triaged[bucket].push(vuln);
             }
-            // Sort each bucket by severity
             const severityOrder = ['critical', 'high', 'medium', 'low', 'informational'];
             for (const bucket of Object.values(triaged)) {
                 bucket.sort((a, b) => severityOrder.indexOf(a.severity) - severityOrder.indexOf(b.severity));
@@ -303,11 +214,11 @@ export class SecurityAuditorService {
             return ok(triaged);
         }
         catch (error) {
-            return err(error instanceof Error ? error : new Error(String(error)));
+            return err(toError(error));
         }
     }
     // ==========================================================================
-    // Private Helper Methods
+    // Dependency Analysis Helpers
     // ==========================================================================
     detectEcosystem(manifest) {
         if (manifest.includes('package.json'))
@@ -326,33 +237,26 @@ export class SecurityAuditorService {
         const dependencies = [];
         try {
             if (ecosystem === 'npm') {
-                // Read and parse package.json
                 const content = await fs.readFile(manifest, 'utf-8');
-                const packageJson = JSON.parse(content);
-                // Collect all dependency types
+                const packageJson = safeJsonParse(content);
                 const allDeps = {
                     ...packageJson.dependencies,
                     ...packageJson.devDependencies,
                     ...packageJson.peerDependencies,
                     ...packageJson.optionalDependencies,
                 };
-                // Convert to DependencyInfo array
                 for (const [name, versionSpec] of Object.entries(allDeps)) {
-                    // Clean version specifiers (^, ~, >=, etc.)
                     const version = this.cleanVersionSpec(versionSpec);
                     dependencies.push({ name, version, ecosystem: 'npm' });
                 }
             }
             else if (ecosystem === 'pip') {
-                // Parse requirements.txt or Pipfile
                 const content = await fs.readFile(manifest, 'utf-8');
                 const lines = content.split('\n');
                 for (const line of lines) {
                     const trimmed = line.trim();
-                    // Skip comments and empty lines
                     if (!trimmed || trimmed.startsWith('#'))
                         continue;
-                    // Parse package==version or package>=version patterns
                     const match = trimmed.match(/^([a-zA-Z0-9_-]+)(?:[=<>~!]+(.+))?$/);
                     if (match) {
                         dependencies.push({
@@ -363,32 +267,21 @@ export class SecurityAuditorService {
                     }
                 }
             }
-            // Additional ecosystems (maven, cargo, nuget) would be implemented similarly
         }
         catch (error) {
-            // If file reading fails, return empty array rather than throwing
             console.error(`Failed to parse dependencies from ${manifest}:`, error);
         }
         return dependencies;
     }
-    /**
-     * Clean version specifier to extract actual version
-     */
     cleanVersionSpec(versionSpec) {
-        // Remove leading specifiers like ^, ~, >=, <=, >, <, =
         return versionSpec.replace(/^[\^~>=<]+/, '').trim();
     }
     async checkDependencyVulnerabilities(dep, ecosystem) {
         const vulnerabilities = [];
         try {
-            // Map ecosystem to OSV ecosystem name
             const osvEcosystem = this.mapToOSVEcosystem(ecosystem);
-            // Query OSV API for vulnerabilities
             const osvQuery = {
-                package: {
-                    name: dep.name,
-                    ecosystem: osvEcosystem,
-                },
+                package: { name: dep.name, ecosystem: osvEcosystem },
                 version: dep.version,
             };
             const response = await httpPost('https://api.osv.dev/v1/query', osvQuery);
@@ -400,14 +293,10 @@ export class SecurityAuditorService {
             }
         }
         catch (error) {
-            // Log error but don't fail the entire scan
             console.error(`Failed to check vulnerabilities for ${dep.name}@${dep.version}:`, error);
         }
         return vulnerabilities;
     }
-    /**
-     * Map internal ecosystem to OSV ecosystem name
-     */
     mapToOSVEcosystem(ecosystem) {
         const ecosystemMap = {
             npm: 'npm',
@@ -418,17 +307,10 @@ export class SecurityAuditorService {
         };
         return ecosystemMap[ecosystem];
     }
-    /**
-     * Map OSV vulnerability to our Vulnerability type
-     */
     mapOSVVulnerability(osvVuln, dep) {
-        // Extract CVE ID from aliases
         const cveId = osvVuln.aliases?.find((alias) => alias.startsWith('CVE-'));
-        // Determine severity from OSV severity scores
         const severity = this.mapOSVSeverity(osvVuln.severity);
-        // Extract fixed version from affected ranges
         const fixedVersion = this.extractFixedVersion(osvVuln);
-        // Build references list
         const references = osvVuln.references?.map((ref) => ref.url) || [];
         const location = {
             file: 'package.json',
@@ -454,14 +336,10 @@ export class SecurityAuditorService {
             references,
         };
     }
-    /**
-     * Map OSV severity to our severity levels
-     */
     mapOSVSeverity(severityScores) {
         if (!severityScores || severityScores.length === 0) {
-            return 'medium'; // Default to medium if no severity info
+            return 'medium';
         }
-        // Find CVSS score
         const cvssScore = severityScores.find((s) => s.type === 'CVSS_V3' || s.type === 'CVSS_V2');
         if (cvssScore) {
             const score = parseFloat(cvssScore.score);
@@ -476,9 +354,6 @@ export class SecurityAuditorService {
         }
         return 'medium';
     }
-    /**
-     * Extract fixed version from OSV vulnerability data
-     */
     extractFixedVersion(osvVuln) {
         if (!osvVuln.affected)
             return undefined;
@@ -496,43 +371,29 @@ export class SecurityAuditorService {
         }
         return undefined;
     }
-    /**
-     * Categorize vulnerability based on OSV data
-     */
     categorizeVulnerability(osvVuln) {
         const summary = (osvVuln.summary || '').toLowerCase();
         const details = (osvVuln.details || '').toLowerCase();
         const combined = `${summary} ${details}`;
-        // Check for common vulnerability patterns
-        if (combined.includes('injection') || combined.includes('sql')) {
+        if (combined.includes('injection') || combined.includes('sql'))
             return 'injection';
-        }
-        if (combined.includes('xss') || combined.includes('cross-site scripting')) {
+        if (combined.includes('xss') || combined.includes('cross-site scripting'))
             return 'xss';
-        }
-        if (combined.includes('authentication') || combined.includes('auth bypass')) {
+        if (combined.includes('authentication') || combined.includes('auth bypass'))
             return 'broken-auth';
-        }
-        if (combined.includes('sensitive data') || combined.includes('exposure')) {
+        if (combined.includes('sensitive data') || combined.includes('exposure'))
             return 'sensitive-data';
-        }
-        if (combined.includes('xxe') || combined.includes('xml external')) {
+        if (combined.includes('xxe') || combined.includes('xml external'))
             return 'xxe';
-        }
-        if (combined.includes('access control') || combined.includes('authorization')) {
+        if (combined.includes('access control') || combined.includes('authorization'))
             return 'access-control';
-        }
-        if (combined.includes('deseriali')) {
+        if (combined.includes('deseriali'))
             return 'insecure-deserialization';
-        }
-        if (combined.includes('prototype pollution') || combined.includes('dependency')) {
+        if (combined.includes('prototype pollution') || combined.includes('dependency'))
             return 'vulnerable-components';
-        }
-        // Default to vulnerable-components for dependency vulnerabilities
         return 'vulnerable-components';
     }
     async checkOutdated(dep) {
-        // Check if package is outdated by comparing with latest version from registry
         const latestVersion = await this.getLatestVersion(dep.name, dep.ecosystem);
         if (latestVersion !== dep.version) {
             return {
@@ -545,27 +406,23 @@ export class SecurityAuditorService {
         return null;
     }
     async queryVulnerabilityDatabase(name, version, ecosystem) {
-        // Query OSV API for vulnerabilities
         const dep = { name, version, ecosystem };
         return this.checkDependencyVulnerabilities(dep, ecosystem);
     }
     async getLatestVersion(name, ecosystem) {
         try {
             if (ecosystem === 'npm') {
-                // Query npm registry for latest version
                 const response = await httpGet(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
                 if (response.ok && response.data.version) {
                     return response.data.version;
                 }
             }
             else if (ecosystem === 'pip') {
-                // Query PyPI for latest version
                 const response = await httpGet(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
                 if (response.ok && response.data.info?.version) {
                     return response.data.info.version;
                 }
             }
-            // Additional registries (Maven, NuGet, Cargo) would be implemented similarly
         }
         catch (error) {
             console.error(`Failed to get latest version for ${name}:`, error);
@@ -575,13 +432,11 @@ export class SecurityAuditorService {
     async checkDeprecation(name, ecosystem) {
         try {
             if (ecosystem === 'npm') {
-                // Query npm registry for deprecation notice
                 const response = await httpGet(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
                 if (response.ok && response.data.deprecated) {
                     return true;
                 }
             }
-            // Additional registries would be implemented similarly
         }
         catch (error) {
             console.error(`Failed to check deprecation for ${name}:`, error);
@@ -603,12 +458,7 @@ export class SecurityAuditorService {
         return latestMajor > currentMajor;
     }
     createDependencySummary(vulnerabilities, totalDeps) {
-        // Count vulnerabilities by severity
-        let critical = 0;
-        let high = 0;
-        let medium = 0;
-        let low = 0;
-        let informational = 0;
+        let critical = 0, high = 0, medium = 0, low = 0, informational = 0;
         for (const vuln of vulnerabilities) {
             switch (vuln.severity) {
                 case 'critical':
@@ -628,16 +478,11 @@ export class SecurityAuditorService {
                     break;
             }
         }
-        return {
-            critical,
-            high,
-            medium,
-            low,
-            informational,
-            totalFiles: totalDeps,
-            scanDurationMs: 0,
-        };
+        return { critical, high, medium, low, informational, totalFiles: totalDeps, scanDurationMs: 0 };
     }
+    // ==========================================================================
+    // File & Scan Helpers
+    // ==========================================================================
     shouldExclude(filePath) {
         return this.config.excludePatterns.some((pattern) => {
             if (pattern.startsWith('*')) {
@@ -646,789 +491,16 @@ export class SecurityAuditorService {
             return filePath.includes(pattern);
         });
     }
-    async scanFileForSecrets(file) {
-        const secrets = [];
-        try {
-            // Read the file content
-            const content = await fs.readFile(file.value, 'utf-8');
-            const lines = content.split('\n');
-            // Comprehensive secret detection patterns
-            const secretPatterns = [
-                // AWS Keys
-                {
-                    name: 'AWS Access Key ID',
-                    type: 'api-key',
-                    regex: /AKIA[0-9A-Z]{16}/g,
-                },
-                {
-                    name: 'AWS Secret Access Key',
-                    type: 'api-key',
-                    regex: /(?:aws[_-]?secret[_-]?access[_-]?key|AWS_SECRET_ACCESS_KEY)['"]?\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi,
-                    entropyThreshold: 4.0,
-                },
-                // GitHub Tokens
-                {
-                    name: 'GitHub Personal Access Token',
-                    type: 'token',
-                    regex: /ghp_[A-Za-z0-9]{36}/g,
-                },
-                {
-                    name: 'GitHub OAuth Access Token',
-                    type: 'token',
-                    regex: /gho_[A-Za-z0-9]{36}/g,
-                },
-                {
-                    name: 'GitHub App Token',
-                    type: 'token',
-                    regex: /(?:ghu|ghs)_[A-Za-z0-9]{36}/g,
-                },
-                // Generic API Keys
-                {
-                    name: 'Generic API Key',
-                    type: 'api-key',
-                    regex: /(?:api[_-]?key|apikey|api_secret)['"]?\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]?/gi,
-                    entropyThreshold: 3.5,
-                },
-                // OpenAI API Key
-                {
-                    name: 'OpenAI API Key',
-                    type: 'api-key',
-                    regex: /sk-[A-Za-z0-9]{48}/g,
-                },
-                // Stripe Keys
-                {
-                    name: 'Stripe Secret Key',
-                    type: 'api-key',
-                    regex: /sk_live_[A-Za-z0-9]{24,}/g,
-                },
-                {
-                    name: 'Stripe Publishable Key',
-                    type: 'api-key',
-                    regex: /pk_live_[A-Za-z0-9]{24,}/g,
-                },
-                // Private Keys
-                {
-                    name: 'RSA Private Key',
-                    type: 'private-key',
-                    regex: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi,
-                },
-                {
-                    name: 'PGP Private Key',
-                    type: 'private-key',
-                    regex: /-----BEGIN\s+PGP\s+PRIVATE\s+KEY\s+BLOCK-----/gi,
-                },
-                {
-                    name: 'SSH Private Key',
-                    type: 'private-key',
-                    regex: /-----BEGIN\s+(?:OPENSSH|DSA|EC)?\s*PRIVATE\s+KEY-----/gi,
-                },
-                // Passwords
-                {
-                    name: 'Password Assignment',
-                    type: 'password',
-                    regex: /(?:password|passwd|pwd|secret)['"]?\s*[:=]\s*['"]([^'"\s]{8,})['"]?/gi,
-                    entropyThreshold: 3.0,
-                },
-                // Database Connection Strings
-                {
-                    name: 'Database Connection String',
-                    type: 'password',
-                    regex: /(?:mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@[^\s'"]+/gi,
-                },
-                // JWT Tokens
-                {
-                    name: 'JWT Token',
-                    type: 'token',
-                    regex: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/g,
-                    entropyThreshold: 4.0,
-                },
-                // Slack Tokens
-                {
-                    name: 'Slack Token',
-                    type: 'token',
-                    regex: /xox[baprs]-[A-Za-z0-9-]{10,}/g,
-                },
-                // Google API Key
-                {
-                    name: 'Google API Key',
-                    type: 'api-key',
-                    regex: /AIza[A-Za-z0-9_-]{35}/g,
-                },
-                // Twilio
-                {
-                    name: 'Twilio API Key',
-                    type: 'api-key',
-                    regex: /SK[A-Za-z0-9]{32}/g,
-                },
-                // SendGrid
-                {
-                    name: 'SendGrid API Key',
-                    type: 'api-key',
-                    regex: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g,
-                },
-                // Certificates
-                {
-                    name: 'X.509 Certificate',
-                    type: 'certificate',
-                    regex: /-----BEGIN\s+CERTIFICATE-----/gi,
-                },
-            ];
-            // Scan each line for secrets
-            for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
-                const line = lines[lineIndex];
-                const lineNumber = lineIndex + 1;
-                for (const pattern of secretPatterns) {
-                    // Reset regex lastIndex for global patterns
-                    pattern.regex.lastIndex = 0;
-                    let match;
-                    while ((match = pattern.regex.exec(line)) !== null) {
-                        const matchedValue = match[1] || match[0];
-                        // Calculate entropy if threshold is specified
-                        const entropy = this.calculateEntropy(matchedValue);
-                        // Skip low-entropy matches if threshold is specified
-                        if (pattern.entropyThreshold && entropy < pattern.entropyThreshold) {
-                            continue;
-                        }
-                        // Create masked snippet (show context but mask the actual secret)
-                        const snippet = this.createMaskedSnippet(line, match.index, matchedValue.length);
-                        const location = {
-                            file: file.value,
-                            line: lineNumber,
-                            column: match.index + 1,
-                            snippet,
-                        };
-                        secrets.push({
-                            type: pattern.type,
-                            location,
-                            entropy,
-                            isValid: this.validateSecret(pattern.type, matchedValue),
-                        });
-                    }
-                }
-            }
-        }
-        catch (error) {
-            // File reading error - skip this file
-            console.error(`Failed to scan file for secrets: ${file.value}`, error);
-        }
-        return secrets;
-    }
-    /**
-     * Calculate Shannon entropy of a string
-     */
-    calculateEntropy(str) {
-        if (!str || str.length === 0)
-            return 0;
-        const charFrequency = {};
-        for (const char of str) {
-            charFrequency[char] = (charFrequency[char] || 0) + 1;
-        }
-        let entropy = 0;
-        const len = str.length;
-        for (const char in charFrequency) {
-            const probability = charFrequency[char] / len;
-            entropy -= probability * Math.log2(probability);
-        }
-        return entropy;
-    }
-    /**
-     * Create a masked snippet for display
-     */
-    createMaskedSnippet(line, matchIndex, matchLength) {
-        const contextBefore = 20;
-        const contextAfter = 10;
-        const start = Math.max(0, matchIndex - contextBefore);
-        const end = Math.min(line.length, matchIndex + matchLength + contextAfter);
-        let snippet = line.substring(start, end);
-        // Mask the secret value (show first 4 and last 4 characters)
-        const secretStart = matchIndex - start;
-        const secretInSnippet = snippet.substring(secretStart, secretStart + matchLength);
-        if (secretInSnippet.length > 8) {
-            const masked = secretInSnippet.substring(0, 4) + '...' + secretInSnippet.substring(secretInSnippet.length - 4);
-            snippet = snippet.substring(0, secretStart) + masked + snippet.substring(secretStart + matchLength);
-        }
-        if (start > 0)
-            snippet = '...' + snippet;
-        if (end < line.length)
-            snippet = snippet + '...';
-        return snippet;
-    }
-    /**
-     * Validate if a detected secret is likely valid (basic validation)
-     */
-    validateSecret(type, value) {
-        // Basic validation - in production, could do more sophisticated checks
-        switch (type) {
-            case 'api-key':
-                // Check minimum length and character variety
-                return value.length >= 20 && /[a-z]/.test(value) && /[A-Z0-9]/.test(value);
-            case 'token':
-                return value.length >= 20;
-            case 'password':
-                // Likely not a placeholder password
-                return !['password', 'secret', 'changeme', '12345678', 'qwerty'].includes(value.toLowerCase());
-            case 'private-key':
-                return true; // Private key headers are already specific
-            case 'certificate':
-                return true;
-            default:
-                return true;
-        }
-    }
-    /**
-     * Perform SAST scan using AST-based analysis for JavaScript/TypeScript
-     * Scans for common vulnerability patterns: XSS, SQL injection, command injection, path traversal
-     */
-    async performSASTScan() {
-        const scanId = uuidv4();
-        const startTime = Date.now();
-        const vulnerabilities = [];
-        let filesScanned = 0;
-        let linesScanned = 0;
-        try {
-            // Find source files to scan
-            const sourceFiles = await this.findSourceFiles(process.cwd());
-            // Define vulnerability patterns for AST-like analysis
-            const vulnerabilityPatterns = [
-                // SQL Injection patterns
-                {
-                    id: 'sqli-concat',
-                    pattern: /(?:query|execute|exec|run)\s*\(\s*(?:['"`].*?\s*\+|`[^`]*\$\{)/gi,
-                    title: 'SQL Injection via String Concatenation',
-                    description: 'SQL query constructed using string concatenation with potentially untrusted input',
-                    severity: 'critical',
-                    category: 'injection',
-                    remediation: 'Use parameterized queries or prepared statements',
-                    fixExample: 'db.query("SELECT * FROM users WHERE id = $1", [userId])',
-                    cweId: 'CWE-89',
-                },
-                // XSS patterns
-                {
-                    id: 'xss-innerhtml',
-                    pattern: /\.innerHTML\s*=\s*(?!['"`])/g,
-                    title: 'XSS via innerHTML Assignment',
-                    description: 'Direct innerHTML assignment with potentially unsanitized content',
-                    severity: 'high',
-                    category: 'xss',
-                    remediation: 'Use textContent for text, or sanitize HTML with DOMPurify',
-                    fixExample: 'element.textContent = userInput;',
-                    cweId: 'CWE-79',
-                },
-                {
-                    id: 'xss-document-write',
-                    pattern: /document\.write\s*\([^)]+\)/g,
-                    title: 'XSS via document.write',
-                    description: 'document.write() can execute scripts from untrusted data',
-                    severity: 'high',
-                    category: 'xss',
-                    remediation: 'Avoid document.write(); use DOM manipulation methods',
-                    cweId: 'CWE-79',
-                },
-                {
-                    id: 'xss-eval',
-                    pattern: /(?<!\.)\beval\s*\([^)]+\)/g,
-                    title: 'Code Injection via eval()',
-                    description: 'eval() executes arbitrary code and is a major security risk',
-                    severity: 'critical',
-                    category: 'xss',
-                    remediation: 'Never use eval(); use JSON.parse() for JSON data',
-                    fixExample: 'JSON.parse(jsonString)',
-                    cweId: 'CWE-95',
-                },
-                {
-                    id: 'xss-dangerous-react',
-                    pattern: /dangerouslySetInnerHTML\s*=\s*\{/g,
-                    title: 'React dangerouslySetInnerHTML Usage',
-                    description: 'dangerouslySetInnerHTML bypasses React XSS protections',
-                    severity: 'medium',
-                    category: 'xss',
-                    remediation: 'Sanitize HTML content with DOMPurify before use',
-                    fixExample: 'dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}',
-                    cweId: 'CWE-79',
-                },
-                // Command Injection patterns
-                {
-                    id: 'cmd-injection-exec',
-                    pattern: /(?:child_process\.)?exec\s*\(\s*(?:[^,)]*\s*\+|`[^`]*\$\{)/g,
-                    title: 'Command Injection via exec()',
-                    description: 'Shell command execution with unsanitized input',
-                    severity: 'critical',
-                    category: 'injection',
-                    remediation: 'Use execFile() with argument array instead of exec()',
-                    fixExample: 'execFile("command", [arg1, arg2], callback)',
-                    cweId: 'CWE-78',
-                },
-                {
-                    id: 'cmd-injection-spawn-shell',
-                    pattern: /spawn\s*\([^)]+,\s*\{[^}]*shell\s*:\s*true/g,
-                    title: 'Dangerous Shell Option in spawn()',
-                    description: 'spawn() with shell: true can enable command injection',
-                    severity: 'high',
-                    category: 'injection',
-                    remediation: 'Avoid shell: true option; use direct command execution',
-                    cweId: 'CWE-78',
-                },
-                // Path Traversal patterns
-                {
-                    id: 'path-traversal-readfile',
-                    pattern: /(?:readFile|readFileSync)\s*\([^)]*\+/g,
-                    title: 'Path Traversal via File Read',
-                    description: 'File read operation with concatenated path may allow directory traversal',
-                    severity: 'high',
-                    category: 'access-control',
-                    remediation: 'Validate and sanitize file paths; use path.resolve() and check against base directory',
-                    fixExample: 'const safePath = path.resolve(baseDir, path.basename(userInput))',
-                    cweId: 'CWE-22',
-                },
-                {
-                    id: 'path-traversal-writefile',
-                    pattern: /(?:writeFile|writeFileSync)\s*\([^)]*\+/g,
-                    title: 'Path Traversal via File Write',
-                    description: 'File write operation with concatenated path may allow directory traversal',
-                    severity: 'high',
-                    category: 'access-control',
-                    remediation: 'Validate file paths before writing; ensure path is within allowed directory',
-                    cweId: 'CWE-22',
-                },
-                // Hardcoded secrets
-                {
-                    id: 'secret-private-key',
-                    pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
-                    title: 'Private Key Detected in Source',
-                    description: 'Private key found in source code',
-                    severity: 'critical',
-                    category: 'sensitive-data',
-                    remediation: 'Store private keys in secure key management systems, not in code',
-                    cweId: 'CWE-798',
-                },
-                // Insecure configurations
-                {
-                    id: 'config-tls-disabled',
-                    pattern: /rejectUnauthorized\s*:\s*false/g,
-                    title: 'TLS Certificate Validation Disabled',
-                    description: 'Disabling TLS certificate validation exposes to MITM attacks',
-                    severity: 'high',
-                    category: 'security-misconfiguration',
-                    remediation: 'Always enable TLS certificate validation in production',
-                    cweId: 'CWE-295',
-                },
-                {
-                    id: 'config-cors-wildcard',
-                    pattern: /cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/gi,
-                    title: 'Permissive CORS Configuration',
-                    description: 'CORS allows all origins (*) which may expose sensitive data',
-                    severity: 'medium',
-                    category: 'security-misconfiguration',
-                    remediation: 'Restrict CORS to specific trusted origins',
-                    fixExample: 'cors({ origin: ["https://trusted-domain.com"] })',
-                    cweId: 'CWE-942',
-                },
-            ];
-            for (const filePath of sourceFiles) {
-                if (this.shouldExclude(filePath)) {
-                    continue;
-                }
-                // Only scan JS/TS files
-                const ext = path.extname(filePath).toLowerCase();
-                if (!['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'].includes(ext)) {
-                    continue;
-                }
-                try {
-                    const content = await fs.readFile(filePath, 'utf-8');
-                    const lines = content.split('\n');
-                    filesScanned++;
-                    linesScanned += lines.length;
-                    // Check each vulnerability pattern
-                    for (const vulnPattern of vulnerabilityPatterns) {
-                        // Reset regex state
-                        vulnPattern.pattern.lastIndex = 0;
-                        let match;
-                        while ((match = vulnPattern.pattern.exec(content)) !== null) {
-                            // Calculate line and column
-                            const beforeMatch = content.substring(0, match.index);
-                            const linesBefore = beforeMatch.split('\n');
-                            const lineNumber = linesBefore.length;
-                            const column = linesBefore[linesBefore.length - 1].length + 1;
-                            // Check if in comment
-                            const currentLine = lines[lineNumber - 1] || '';
-                            if (currentLine.trimStart().startsWith('//') || currentLine.trimStart().startsWith('*')) {
-                                continue;
-                            }
-                            // Check for nosec annotation
-                            if (currentLine.includes('// nosec') || currentLine.includes('// security-ignore')) {
-                                continue;
-                            }
-                            // Extract snippet with context
-                            const startLine = Math.max(0, lineNumber - 2);
-                            const endLine = Math.min(lines.length, lineNumber + 1);
-                            const snippet = lines.slice(startLine, endLine).join('\n');
-                            const location = {
-                                file: filePath,
-                                line: lineNumber,
-                                column,
-                                snippet,
-                            };
-                            const remediation = {
-                                description: vulnPattern.remediation,
-                                fixExample: vulnPattern.fixExample,
-                                estimatedEffort: vulnPattern.severity === 'critical' ? 'moderate' : 'minor',
-                                automatable: vulnPattern.severity === 'low' || vulnPattern.severity === 'medium',
-                            };
-                            vulnerabilities.push({
-                                id: uuidv4(),
-                                cveId: undefined,
-                                title: vulnPattern.title,
-                                description: `${vulnPattern.description} [${vulnPattern.cweId}]`,
-                                severity: vulnPattern.severity,
-                                category: vulnPattern.category,
-                                location,
-                                remediation,
-                                references: [
-                                    `https://cwe.mitre.org/data/definitions/${vulnPattern.cweId.replace('CWE-', '')}.html`,
-                                ],
-                            });
-                        }
-                    }
-                }
-                catch {
-                    // Skip files that can't be read
-                }
-            }
-        }
-        catch (error) {
-            console.error('SAST scan failed:', error);
-        }
-        const scanDurationMs = Date.now() - startTime;
-        // Calculate summary
-        let critical = 0, high = 0, medium = 0, low = 0, informational = 0;
-        for (const vuln of vulnerabilities) {
-            switch (vuln.severity) {
-                case 'critical':
-                    critical++;
-                    break;
-                case 'high':
-                    high++;
-                    break;
-                case 'medium':
-                    medium++;
-                    break;
-                case 'low':
-                    low++;
-                    break;
-                case 'informational':
-                    informational++;
-                    break;
-            }
-        }
-        return {
-            scanId,
-            vulnerabilities,
-            summary: {
-                critical,
-                high,
-                medium,
-                low,
-                informational,
-                totalFiles: filesScanned,
-                scanDurationMs,
-            },
-            coverage: {
-                filesScanned,
-                linesScanned,
-                rulesApplied: 12, // Number of vulnerability patterns
-            },
-        };
-    }
-    /**
-     * Perform DAST scan using HTTP requests to test for vulnerabilities
-     * Tests for common web vulnerabilities: XSS, SQL injection, security headers, etc.
-     */
-    async performDASTScan(targetUrl) {
-        const scanId = uuidv4();
-        const startTime = Date.now();
-        const vulnerabilities = [];
-        let crawledUrls = 0;
-        try {
-            // Validate URL
-            let parsedUrl;
-            try {
-                parsedUrl = new URL(targetUrl);
-            }
-            catch {
-                return {
-                    scanId,
-                    targetUrl,
-                    vulnerabilities: [{
-                            id: uuidv4(),
-                            title: 'Invalid Target URL',
-                            description: 'The provided target URL is not valid',
-                            severity: 'informational',
-                            category: 'security-misconfiguration',
-                            location: { file: targetUrl },
-                            remediation: { description: 'Provide a valid URL', estimatedEffort: 'trivial', automatable: false },
-                            references: [],
-                        }],
-                    summary: { critical: 0, high: 0, medium: 0, low: 0, informational: 1, totalFiles: 0, scanDurationMs: Date.now() - startTime },
-                    crawledUrls: 0,
-                };
-            }
-            // Perform HTTP request to check security headers and response characteristics
-            const controller = new AbortController();
-            const timeoutId = setTimeout(() => controller.abort(), 30000); // 30s timeout
-            try {
-                const response = await fetch(targetUrl, {
-                    method: 'GET',
-                    headers: {
-                        'User-Agent': 'AgenticQE-SecurityScanner/3.0',
-                        'Accept': 'text/html,application/json,*/*',
-                    },
-                    signal: controller.signal,
-                    redirect: 'follow',
-                });
-                clearTimeout(timeoutId);
-                crawledUrls = 1;
-                // Check security headers
-                const headers = response.headers;
-                // Check for missing security headers
-                const securityHeaderChecks = [
-                    {
-                        header: 'strict-transport-security',
-                        title: 'Missing HTTP Strict Transport Security (HSTS)',
-                        description: 'HSTS header is missing, allowing downgrade attacks',
-                        severity: 'medium',
-                        remediation: 'Add Strict-Transport-Security header with appropriate max-age',
-                    },
-                    {
-                        header: 'x-content-type-options',
-                        title: 'Missing X-Content-Type-Options Header',
-                        description: 'X-Content-Type-Options header is missing, allowing MIME sniffing attacks',
-                        severity: 'low',
-                        remediation: 'Add X-Content-Type-Options: nosniff header',
-                    },
-                    {
-                        header: 'x-frame-options',
-                        title: 'Missing X-Frame-Options Header',
-                        description: 'X-Frame-Options header is missing, allowing clickjacking attacks',
-                        severity: 'medium',
-                        remediation: 'Add X-Frame-Options: DENY or SAMEORIGIN header',
-                    },
-                    {
-                        header: 'content-security-policy',
-                        title: 'Missing Content Security Policy',
-                        description: 'CSP header is missing, increasing XSS attack surface',
-                        severity: 'medium',
-                        remediation: 'Implement a Content-Security-Policy header',
-                    },
-                    {
-                        header: 'x-xss-protection',
-                        title: 'Missing X-XSS-Protection Header',
-                        description: 'X-XSS-Protection header is missing (legacy XSS filter)',
-                        severity: 'low',
-                        remediation: 'Add X-XSS-Protection: 1; mode=block header',
-                    },
-                ];
-                for (const check of securityHeaderChecks) {
-                    if (!headers.get(check.header)) {
-                        vulnerabilities.push({
-                            id: uuidv4(),
-                            title: check.title,
-                            description: check.description,
-                            severity: check.severity,
-                            category: 'security-misconfiguration',
-                            location: {
-                                file: targetUrl,
-                                snippet: `Response Headers: ${check.header} not present`,
-                            },
-                            remediation: {
-                                description: check.remediation,
-                                estimatedEffort: 'minor',
-                                automatable: true,
-                            },
-                            references: [
-                                'https://owasp.org/www-project-secure-headers/',
-                            ],
-                        });
-                    }
-                }
-                // Check for insecure cookies
-                const cookies = headers.get('set-cookie');
-                if (cookies) {
-                    if (!cookies.toLowerCase().includes('secure')) {
-                        vulnerabilities.push({
-                            id: uuidv4(),
-                            title: 'Cookie Without Secure Flag',
-                            description: 'Session cookie is set without the Secure flag',
-                            severity: 'medium',
-                            category: 'sensitive-data',
-                            location: { file: targetUrl, snippet: `Set-Cookie: ${cookies.substring(0, 50)}...` },
-                            remediation: { description: 'Add Secure flag to cookies', estimatedEffort: 'trivial', automatable: true },
-                            references: ['https://owasp.org/www-community/controls/SecureCookieAttribute'],
-                        });
-                    }
-                    if (!cookies.toLowerCase().includes('httponly')) {
-                        vulnerabilities.push({
-                            id: uuidv4(),
-                            title: 'Cookie Without HttpOnly Flag',
-                            description: 'Session cookie is set without the HttpOnly flag, making it accessible to JavaScript',
-                            severity: 'medium',
-                            category: 'sensitive-data',
-                            location: { file: targetUrl, snippet: `Set-Cookie: ${cookies.substring(0, 50)}...` },
-                            remediation: { description: 'Add HttpOnly flag to session cookies', estimatedEffort: 'trivial', automatable: true },
-                            references: ['https://owasp.org/www-community/HttpOnly'],
-                        });
-                    }
-                    if (!cookies.toLowerCase().includes('samesite')) {
-                        vulnerabilities.push({
-                            id: uuidv4(),
-                            title: 'Cookie Without SameSite Attribute',
-                            description: 'Cookie is set without the SameSite attribute, potentially vulnerable to CSRF',
-                            severity: 'low',
-                            category: 'broken-auth',
-                            location: { file: targetUrl, snippet: `Set-Cookie: ${cookies.substring(0, 50)}...` },
-                            remediation: { description: 'Add SameSite=Strict or SameSite=Lax to cookies', estimatedEffort: 'trivial', automatable: true },
-                            references: ['https://owasp.org/www-community/SameSite'],
-                        });
-                    }
-                }
-                // Check for server information disclosure
-                const server = headers.get('server');
-                if (server && /[0-9]+\.[0-9]+/.test(server)) {
-                    vulnerabilities.push({
-                        id: uuidv4(),
-                        title: 'Server Version Disclosure',
-                        description: `Server header reveals version information: ${server}`,
-                        severity: 'low',
-                        category: 'security-misconfiguration',
-                        location: { file: targetUrl, snippet: `Server: ${server}` },
-                        remediation: { description: 'Remove or obfuscate server version information', estimatedEffort: 'trivial', automatable: true },
-                        references: ['https://owasp.org/www-project-web-security-testing-guide/'],
-                    });
-                }
-                // Check for HTTPS
-                if (parsedUrl.protocol === 'http:') {
-                    vulnerabilities.push({
-                        id: uuidv4(),
-                        title: 'Insecure HTTP Protocol',
-                        description: 'Target is using HTTP instead of HTTPS, exposing data in transit',
-                        severity: 'high',
-                        category: 'sensitive-data',
-                        location: { file: targetUrl },
-                        remediation: { description: 'Use HTTPS with valid TLS certificate', estimatedEffort: 'moderate', automatable: false },
-                        references: ['https://owasp.org/www-project-web-security-testing-guide/'],
-                    });
-                }
-                // Try common test endpoints for additional checks
-                const testEndpoints = [
-                    { path: '/.git/config', vuln: 'Git Repository Exposed', severity: 'high' },
-                    { path: '/.env', vuln: 'Environment File Exposed', severity: 'critical' },
-                    { path: '/phpinfo.php', vuln: 'PHP Info Exposed', severity: 'medium' },
-                    { path: '/wp-config.php.bak', vuln: 'WordPress Config Backup Exposed', severity: 'critical' },
-                ];
-                for (const endpoint of testEndpoints) {
-                    try {
-                        const testUrl = new URL(endpoint.path, parsedUrl.origin).toString();
-                        const testResponse = await fetch(testUrl, {
-                            method: 'GET',
-                            signal: AbortSignal.timeout(5000),
-                        });
-                        if (testResponse.ok && testResponse.status === 200) {
-                            const text = await testResponse.text();
-                            // Verify it's actually the sensitive content, not a custom 404
-                            if (text.length > 10 && !text.toLowerCase().includes('not found')) {
-                                crawledUrls++;
-                                vulnerabilities.push({
-                                    id: uuidv4(),
-                                    title: endpoint.vuln,
-                                    description: `Sensitive file found at ${endpoint.path}`,
-                                    severity: endpoint.severity,
-                                    category: 'sensitive-data',
-                                    location: { file: testUrl },
-                                    remediation: { description: 'Remove or restrict access to sensitive files', estimatedEffort: 'trivial', automatable: true },
-                                    references: ['https://owasp.org/www-project-web-security-testing-guide/'],
-                                });
-                            }
-                        }
-                    }
-                    catch {
-                        // Endpoint not accessible, which is expected/good
-                    }
-                }
-            }
-            catch (fetchError) {
-                clearTimeout(timeoutId);
-                const errorMessage = fetchError instanceof Error ? fetchError.message : String(fetchError);
-                // Network errors might indicate issues
-                if (errorMessage.includes('certificate') || errorMessage.includes('SSL') || errorMessage.includes('TLS')) {
-                    vulnerabilities.push({
-                        id: uuidv4(),
-                        title: 'TLS/SSL Certificate Issue',
-                        description: `Certificate error: ${errorMessage}`,
-                        severity: 'high',
-                        category: 'security-misconfiguration',
-                        location: { file: targetUrl },
-                        remediation: { description: 'Fix TLS certificate configuration', estimatedEffort: 'moderate', automatable: false },
-                        references: ['https://owasp.org/www-project-web-security-testing-guide/'],
-                    });
-                }
-            }
-        }
-        catch (error) {
-            console.error('DAST scan failed:', error);
-        }
-        const scanDurationMs = Date.now() - startTime;
-        // Calculate summary
-        let critical = 0, high = 0, medium = 0, low = 0, informational = 0;
-        for (const vuln of vulnerabilities) {
-            switch (vuln.severity) {
-                case 'critical':
-                    critical++;
-                    break;
-                case 'high':
-                    high++;
-                    break;
-                case 'medium':
-                    medium++;
-                    break;
-                case 'low':
-                    low++;
-                    break;
-                case 'informational':
-                    informational++;
-                    break;
-            }
-        }
-        return {
-            scanId,
-            targetUrl,
-            vulnerabilities,
-            summary: {
-                critical,
-                high,
-                medium,
-                low,
-                informational,
-                totalFiles: 1,
-                scanDurationMs,
-            },
-            crawledUrls,
-        };
-    }
-    /**
-     * Perform dependency scan using OSV API
-     */
     async performDependencyScan() {
         const startTime = Date.now();
         const vulnerabilities = [];
         const outdatedPackages = [];
         try {
-            // Look for package.json in current working directory
             const manifestPath = path.join(process.cwd(), 'package.json');
             const dependencies = await this.parseDependencies(manifestPath, 'npm');
             for (const dep of dependencies) {
-                // Check for vulnerabilities via OSV API
                 const vulns = await this.checkDependencyVulnerabilities(dep, dep.ecosystem);
                 vulnerabilities.push(...vulns);
-                // Check for outdated packages
                 const outdated = await this.checkOutdated(dep);
                 if (outdated) {
                     outdatedPackages.push(outdated);
@@ -1436,14 +508,7 @@ export class SecurityAuditorService {
             }
             const scanDurationMs = Date.now() - startTime;
             const baseSummary = this.createDependencySummary(vulnerabilities, dependencies.length);
-            return {
-                vulnerabilities,
-                outdatedPackages,
-                summary: {
-                    ...baseSummary,
-                    scanDurationMs,
-                },
-            };
+            return { vulnerabilities, outdatedPackages, summary: { ...baseSummary, scanDurationMs } };
         }
         catch (error) {
             console.error('Dependency scan failed:', error);
@@ -1451,25 +516,16 @@ export class SecurityAuditorService {
                 vulnerabilities: [],
                 outdatedPackages: [],
                 summary: {
-                    critical: 0,
-                    high: 0,
-                    medium: 0,
-                    low: 0,
-                    informational: 0,
-                    totalFiles: 0,
-                    scanDurationMs: Date.now() - startTime,
+                    critical: 0, high: 0, medium: 0, low: 0, informational: 0,
+                    totalFiles: 0, scanDurationMs: Date.now() - startTime,
                 },
             };
         }
     }
-    /**
-     * Perform secret scan on source files
-     */
     async performSecretScan() {
         const secretsFound = [];
         let filesScanned = 0;
         try {
-            // Get list of source files to scan
             const sourceFiles = await this.findSourceFiles(process.cwd());
             for (const filePath of sourceFiles) {
                 if (this.shouldExclude(filePath)) {
@@ -1477,28 +533,21 @@ export class SecurityAuditorService {
                 }
                 filesScanned++;
                 const filePathObj = { value: filePath };
-                const secrets = await this.scanFileForSecrets(filePathObj);
+                const secrets = await scanFileForSecrets(filePathObj);
                 secretsFound.push(...secrets);
             }
         }
         catch (error) {
             console.error('Secret scan failed:', error);
         }
-        return {
-            secretsFound,
-            filesScanned,
-        };
+        return { secretsFound, filesScanned };
     }
-    /**
-     * Find source files in a directory (recursively)
-     */
     async findSourceFiles(dir, files = []) {
         const sourceExtensions = ['.ts', '.js', '.tsx', '.jsx', '.json', '.env', '.yaml', '.yml', '.config'];
         try {
             const entries = await fs.readdir(dir, { withFileTypes: true });
             for (const entry of entries) {
                 const fullPath = path.join(dir, entry.name);
-                // Skip excluded directories
                 if (this.shouldExclude(fullPath)) {
                     continue;
                 }
@@ -1514,87 +563,14 @@ export class SecurityAuditorService {
             }
         }
         catch (error) {
-            // Non-critical: permission errors when reading directories are expected
             console.debug('[SecurityAuditor] Directory read error:', error instanceof Error ? error.message : error);
         }
         return files;
     }
-    calculateOverallRisk(sast, dast, deps, secrets) {
-        let riskValue = 0;
-        let weights = 0;
-        if (sast) {
-            riskValue +=
-                this.calculateScanRisk(sast.summary) * 0.35;
-            weights += 0.35;
-        }
-        if (dast) {
-            riskValue +=
-                this.calculateScanRisk(dast.summary) * 0.25;
-            weights += 0.25;
-        }
-        if (deps) {
-            riskValue +=
-                this.calculateScanRisk(deps.summary) * 0.25;
-            weights += 0.25;
-        }
-        if (secrets) {
-            const secretRisk = secrets.secretsFound.length > 0 ? 0.9 : 0.1;
-            riskValue += secretRisk * 0.15;
-            weights += 0.15;
-        }
-        const normalizedRisk = weights > 0 ? riskValue / weights : 0;
-        // Return RiskScore-compatible object
-        return {
-            value: Math.min(1, normalizedRisk),
-            percentage: normalizedRisk * 100,
-            level: normalizedRisk >= 0.8 ? 'critical' :
-                normalizedRisk >= 0.6 ? 'high' :
-                    normalizedRisk >= 0.3 ? 'medium' : 'low',
-        };
-    }
-    calculateScanRisk(summary) {
-        const weights = {
-            critical: 1.0,
-            high: 0.7,
-            medium: 0.4,
-            low: 0.1,
-            informational: 0.02,
-        };
-        const totalIssues = summary.critical +
-            summary.high +
-            summary.medium +
-            summary.low +
-            summary.informational;
-        if (totalIssues === 0)
-            return 0;
-        const weightedSum = summary.critical * weights.critical +
-            summary.high * weights.high +
-            summary.medium * weights.medium +
-            summary.low * weights.low +
-            summary.informational * weights.informational;
-        return Math.min(1, weightedSum / 10);
-    }
-    generateRecommendations(sast, dast, deps, secrets) {
-        const recommendations = [];
-        if (sast && sast.summary.critical > 0) {
-            recommendations.push(`Address ${sast.summary.critical} critical vulnerabilities found in static analysis`);
-        }
-        if (dast && dast.summary.high > 0) {
-            recommendations.push(`Fix ${dast.summary.high} high-severity issues found in dynamic testing`);
-        }
-        if (deps && deps.outdatedPackages.length > 5) {
-            recommendations.push(`Update ${deps.outdatedPackages.length} outdated dependencies`);
-        }
-        if (secrets && secrets.secretsFound.length > 0) {
-            recommendations.push(`Remove ${secrets.secretsFound.length} exposed secrets and rotate credentials`);
-        }
-        if (recommendations.length === 0) {
-            recommendations.push('Security posture is good. Continue regular scanning.');
-        }
-        return recommendations;
-    }
+    // ==========================================================================
+    // Historical Analysis Helpers
+    // ==========================================================================
     async getRecentAudits() {
-        // Query recent audits from memory storage
         const keys = await this.memory.search('security:audit:*', 10);
         const audits = [];
         for (const key of keys) {
@@ -1605,87 +581,19 @@ export class SecurityAuditorService {
         }
         return audits.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
     }
-    countBySeverity(audit, severity) {
-        if (!audit)
-            return 0;
-        let count = 0;
-        if (audit.sastResults)
-            count += audit.sastResults.summary[severity];
-        if (audit.dastResults)
-            count += audit.dastResults.summary[severity];
-        if (audit.dependencyResults)
-            count += audit.dependencyResults.summary[severity];
-        return count;
-    }
-    countOpenVulnerabilities(audit) {
-        if (!audit)
-            return 0;
-        let count = 0;
-        if (audit.sastResults)
-            count += audit.sastResults.vulnerabilities.length;
-        if (audit.dastResults)
-            count += audit.dastResults.vulnerabilities.length;
-        if (audit.dependencyResults)
-            count += audit.dependencyResults.vulnerabilities.length;
-        return count;
-    }
-    calculateTrend(latest, previous) {
-        if (!latest || !previous)
-            return 'stable';
-        const latestScore = this.countOpenVulnerabilities(latest);
-        const previousScore = this.countOpenVulnerabilities(previous);
-        if (latestScore < previousScore * 0.9)
-            return 'improving';
-        if (latestScore > previousScore * 1.1)
-            return 'declining';
-        return 'stable';
-    }
-    calculatePostureScore(critical, high, open) {
-        // Start at 100, deduct points for issues
-        let score = 100;
-        score -= critical * 20;
-        score -= high * 10;
-        score -= open * 2;
-        return Math.max(0, Math.min(100, score));
-    }
-    generatePostureRecommendations(critical, high, score) {
-        const recommendations = [];
-        if (critical > 0) {
-            recommendations.push('Immediately address all critical vulnerabilities');
-        }
-        if (high > 3) {
-            recommendations.push('Prioritize fixing high-severity issues');
-        }
-        if (score < 50) {
-            recommendations.push('Consider a comprehensive security review');
-            recommendations.push('Implement automated security scanning in CI/CD');
-        }
-        if (score >= 80) {
-            recommendations.push('Maintain current security practices');
-            recommendations.push('Consider penetration testing for deeper analysis');
-        }
-        return recommendations;
-    }
-    /**
-     * Count vulnerabilities resolved in the last week
-     * Calculates by comparing consecutive audit reports
-     */
     async countResolvedLastWeek() {
         try {
             const audits = await this.getRecentAudits();
             if (audits.length < 2)
                 return 0;
             const oneWeekAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000);
-            // Find audits from this week
             const recentAudits = audits.filter((audit) => new Date(audit.timestamp) >= oneWeekAgo);
             if (recentAudits.length < 2)
                 return 0;
-            // Compare vulnerability counts between first and last audit of the week
             const oldest = recentAudits[recentAudits.length - 1];
             const newest = recentAudits[0];
-            const oldCount = this.countOpenVulnerabilities(oldest);
-            const newCount = this.countOpenVulnerabilities(newest);
-            // Resolved = old count - new count (if positive)
+            const oldCount = countOpenVulnerabilities(oldest);
+            const newCount = countOpenVulnerabilities(newest);
             return Math.max(0, oldCount - newCount);
         }
         catch (error) {
@@ -1693,22 +601,16 @@ export class SecurityAuditorService {
             return 0;
         }
     }
-    /**
-     * Calculate average resolution time from historical audit data
-     */
     async calculateAverageResolutionTime() {
         try {
             const audits = await this.getRecentAudits();
             if (audits.length < 2)
-                return 72; // Default to 72 hours
-            // Track vulnerabilities across audits to calculate resolution time
+                return 72;
             const vulnFirstSeen = new Map();
             const resolutionTimes = [];
-            // Process audits from oldest to newest
             const sortedAudits = [...audits].reverse();
             for (const audit of sortedAudits) {
                 const currentVulnIds = new Set();
-                // Collect all vulnerability IDs in this audit
                 if (audit.sastResults) {
                     audit.sastResults.vulnerabilities.forEach((v) => currentVulnIds.add(v.id));
                 }
@@ -1718,13 +620,11 @@ export class SecurityAuditorService {
                 if (audit.dependencyResults) {
                     audit.dependencyResults.vulnerabilities.forEach((v) => currentVulnIds.add(v.id));
                 }
-                // Track new vulnerabilities
                 for (const vulnId of currentVulnIds) {
                     if (!vulnFirstSeen.has(vulnId)) {
                         vulnFirstSeen.set(vulnId, audit.timestamp);
                     }
                 }
-                // Check for resolved vulnerabilities
                 for (const [vulnId, firstSeen] of vulnFirstSeen) {
                     if (!currentVulnIds.has(vulnId)) {
                         const resolutionTime = (audit.timestamp.getTime() - firstSeen.getTime()) / (1000 * 60 * 60);
@@ -1734,31 +634,14 @@ export class SecurityAuditorService {
                 }
             }
             if (resolutionTimes.length === 0)
-                return 72; // Default
-            // Calculate average
+                return 72;
             const sum = resolutionTimes.reduce((acc, time) => acc + time, 0);
             return Math.round(sum / resolutionTimes.length);
         }
         catch (error) {
             console.error('Failed to calculate average resolution time:', error);
-            return 72; // Default to 72 hours
-        }
-    }
-    determinePriorityBucket(vuln) {
-        const effort = vuln.remediation.estimatedEffort;
-        if (vuln.severity === 'critical') {
-            return 'immediate';
-        }
-        if (vuln.severity === 'high') {
-            return effort === 'trivial' || effort === 'minor' ? 'immediate' : 'shortTerm';
-        }
-        if (vuln.severity === 'medium') {
-            return effort === 'major' ? 'longTerm' : 'mediumTerm';
-        }
-        if (vuln.severity === 'low' || vuln.severity === 'informational') {
-            return 'longTerm';
+            return 72;
         }
-        return 'accepted';
     }
 }
 //# sourceMappingURL=security-auditor.js.map