circle-ir-ai 1.1.0

package/dist/llm/enrichment.js

@@ -0,0 +1,312 @@
+/**
+ * LLM Enrichment Engine (Phase 1)
+ *
+ * Uses LLM to discover:
+ * - Taint sources beyond YAML patterns
+ * - Taint sinks beyond YAML patterns
+ * - Class/method roles (controller, service, repository)
+ * - Virtual call resolution
+ *
+ * Supports language-aware prompts for Java, Python, JavaScript/TypeScript, and Rust.
+ */
+import { getAxLLMClient } from './ax-client.js';
+import { getLanguageContext, generateSourceDiscoveryPrompt, generateSinkDiscoveryPrompt, generateRoleClassificationPrompt, } from './language-context.js';
+// ============================================================================
+// Prompt Templates
+// ============================================================================
+const ROLE_CLASSIFICATION_PROMPT = `You are a security expert analyzing Java code.
+Classify the role of this class based on its name, methods, and annotations.
+
+Class: {className}
+Methods: {methodNames}
+Annotations: {annotations}
+Imports: {imports}
+
+Respond in JSON format:
+{
+  "role": "controller" | "service" | "repository" | "utility" | "entity" | "unknown",
+  "confidence": 0.0-1.0,
+  "reasoning": "explanation",
+  "indicators": ["list", "of", "indicators"]
+}`;
+// Note: This prompt is a fallback. The engine uses generateSourceDiscoveryPrompt() from language-context.ts
+const SOURCE_DISCOVERY_PROMPT = `You are a security expert analyzing code for taint sources.
+Find user-controlled input sources NOT already identified.
+
+Method code:
+\`\`\`
+{methodCode}
+\`\`\`
+
+Method: {methodName}
+Class role: {classRole}
+Already identified sources: {existingSources}
+
+## SEMANTIC CATEGORIES OF SOURCES (reason about data origin, not method names):
+
+**1. Network Input** - Data from HTTP/network requests
+**2. File/Stream Input** - Data read from external sources
+**3. Database Input** - Query results that may contain user data
+**4. Environment Input** - Config that could be attacker-controlled
+**5. Inter-Process Input** - Data from other processes/services
+
+KEY QUESTION: Does this data originate from OUTSIDE the application's trust boundary?
+
+## WHAT TO IGNORE:
+- Constants, literals, hardcoded strings
+- Internal configuration values
+- Data constructed entirely within the application
+
+Respond in JSON format:
+{
+  "additionalSources": [
+    {
+      "line": number,
+      "variable": "variable name",
+      "type": "http_param | http_body | http_header | http_cookie | http_path | io_input | env_input | db_input",
+      "confidence": 0.0-1.0,
+      "reasoning": "explanation"
+    }
+  ]
+}`;
+// Note: This prompt is a fallback. The engine uses generateSinkDiscoveryPrompt() from language-context.ts
+const SINK_DISCOVERY_PROMPT = `You are a security expert analyzing code for security sinks.
+Find dangerous operations NOT already identified.
+
+Method code:
+\`\`\`
+{methodCode}
+\`\`\`
+
+Method: {methodName}
+Method calls: {methodCalls}
+Already identified sinks: {existingSinks}
+
+## SEMANTIC CATEGORIES OF SINKS (reason about EFFECT, not method names):
+
+**1. Data Query Execution** (CWE-89, CWE-943) - Operations that execute queries
+**2. System Command Execution** (CWE-78) - Operations that run system commands
+**3. Output Rendering** (CWE-79) - Operations that render content to users
+**4. File System Operations** (CWE-22) - Operations that access file paths
+**5. Code Evaluation** (CWE-94) - Operations that interpret data as code
+**6. Deserialization** (CWE-502) - Operations that reconstruct objects from data
+**7. Directory/Query Injection** (CWE-90, CWE-643) - LDAP/XPath queries
+**8. Network Requests** (CWE-918) - Operations with user-controlled URLs
+
+KEY REASONING:
+1. What EFFECT does this operation have?
+2. Can EXTERNAL DATA influence that effect?
+3. Is there SANITIZATION that makes it safe?
+
+## WHAT TO IGNORE:
+- Logging operations
+- Parameterized/bound operations (data separate from structure)
+- Internal method calls with no dangerous effects
+
+Respond in JSON format:
+{
+  "additionalSinks": [
+    {
+      "line": number,
+      "method": "operation description",
+      "type": "sql_injection | command_injection | xss | path_traversal | code_injection | deserialization | ldap_injection | xpath_injection | ssrf",
+      "cwe": "CWE-XX",
+      "argPositions": [0],
+      "confidence": 0.0-1.0,
+      "reasoning": "explanation"
+    }
+  ]
+}`;
+// ============================================================================
+// Enrichment Engine
+// ============================================================================
+export class EnrichmentEngine {
+    client;
+    config;
+    language;
+    constructor(client, language = 'java') {
+        this.client = client || getAxLLMClient();
+        this.config = this.client.getEnrichmentConfig();
+        this.language = language;
+    }
+    /**
+     * Set the language for enrichment (affects prompts)
+     */
+    setLanguage(language) {
+        this.language = language;
+    }
+    /**
+     * Get the current language context
+     */
+    getLanguageContext() {
+        return getLanguageContext(this.language);
+    }
+    /**
+     * Classify the role of a class
+     */
+    async classifyRole(className, methods, annotations, imports) {
+        if (!this.config.enableRoleClassification) {
+            return undefined;
+        }
+        try {
+            // Use language-aware prompt
+            const prompt = generateRoleClassificationPrompt(this.language);
+            const result = await this.client.classifyRoleWithPrompt(prompt, {
+                className,
+                methodNames: methods.map(m => m.name).join(', '),
+                annotations: annotations.join(', ') || 'none',
+                imports: imports.slice(0, 20).join(', '),
+            });
+            if (result && result.confidence >= this.config.confidenceThreshold) {
+                return result;
+            }
+        }
+        catch (error) {
+            console.error('Role classification failed:', error);
+        }
+        return undefined;
+    }
+    /**
+     * Discover additional taint sources in a method
+     */
+    async discoverSources(methodCode, methodName, classRole, existingSources) {
+        try {
+            // Use language-aware prompt
+            const prompt = generateSourceDiscoveryPrompt(this.language);
+            const result = await this.client.discoverSourcesWithPrompt(prompt, {
+                methodCode,
+                methodName,
+                classRole,
+                existingSources: existingSources.map(s => `${s.type}:${s.line}`).join(', ') || 'none',
+            });
+            if (result) {
+                return result.filter((s) => s.confidence >= this.config.confidenceThreshold);
+            }
+        }
+        catch (error) {
+            console.error('Source discovery failed:', error);
+        }
+        return [];
+    }
+    /**
+     * Discover additional taint sinks in a method
+     */
+    async discoverSinks(methodCode, methodName, methodCalls, existingSinks) {
+        try {
+            // Use language-aware prompt
+            const prompt = generateSinkDiscoveryPrompt(this.language);
+            const result = await this.client.discoverSinksWithPrompt(prompt, {
+                methodCode,
+                methodName,
+                methodCalls: methodCalls.map(c => `${c.receiver || ''}.${c.method_name}()`).join(', '),
+                existingSinks: existingSinks.map(s => `${s.type}:${s.line}`).join(', ') || 'none',
+            });
+            if (result) {
+                return result.filter((s) => s.confidence >= this.config.confidenceThreshold);
+            }
+        }
+        catch (error) {
+            console.error('Sink discovery failed:', error);
+        }
+        return [];
+    }
+    /**
+     * Resolve virtual/interface method calls to implementations
+     */
+    async resolveVirtualCall(callExpression, interfaceType, availableImplementations, context) {
+        if (!this.config.enableVirtualDispatch) {
+            return undefined;
+        }
+        try {
+            const result = await this.client.resolveVirtualCall({
+                callExpression,
+                interfaceType,
+                availableImplementations: availableImplementations.join(', '),
+                context,
+            });
+            if (result && result.confidence >= this.config.confidenceThreshold) {
+                return {
+                    callLine: 0,
+                    interfaceType,
+                    resolvedImplementation: result.resolvedImplementation,
+                    confidence: result.confidence,
+                    reasoning: result.reasoning,
+                };
+            }
+        }
+        catch (error) {
+            console.error('Virtual call resolution failed:', error);
+        }
+        return undefined;
+    }
+    /**
+     * Enrich a complete type (class/interface)
+     */
+    async enrichType(type, sourceCode, imports, existingSources, existingSinks) {
+        const result = {
+            additionalSources: [],
+            additionalSinks: [],
+            virtualCallResolutions: [],
+            enrichedAt: new Date().toISOString(),
+            modelUsed: this.client.getPhaseConfig('enrichment').model,
+        };
+        // Classify role
+        result.role = await this.classifyRole(type.name, type.methods, type.annotations, imports);
+        // Process methods in batches
+        const methodBatches = this.batchMethods(type.methods);
+        for (const batch of methodBatches) {
+            for (const method of batch) {
+                // Extract method code from source
+                const methodCode = this.extractMethodCode(sourceCode, method);
+                if (!methodCode)
+                    continue;
+                // Discover sources and sinks in parallel for each method
+                const [sources, sinks] = await Promise.all([
+                    this.discoverSources(methodCode, method.name, result.role?.role || 'unknown', existingSources),
+                    this.discoverSinks(methodCode, method.name, [], // No call info available at this level
+                    existingSinks),
+                ]);
+                result.additionalSources.push(...sources);
+                result.additionalSinks.push(...sinks);
+            }
+        }
+        return result;
+    }
+    /**
+     * Batch methods for efficient LLM calls
+     */
+    batchMethods(methods) {
+        const batches = [];
+        for (let i = 0; i < methods.length; i += this.config.maxMethodsPerRequest) {
+            batches.push(methods.slice(i, i + this.config.maxMethodsPerRequest));
+        }
+        return batches;
+    }
+    /**
+     * Extract method code from source
+     */
+    extractMethodCode(sourceCode, method) {
+        const lines = sourceCode.split('\n');
+        if (method.start_line <= 0 || method.end_line > lines.length) {
+            return undefined;
+        }
+        return lines.slice(method.start_line - 1, method.end_line).join('\n');
+    }
+}
+// ============================================================================
+// Convenience Functions
+// ============================================================================
+/**
+ * Get a new enrichment engine instance for a specific language
+ * Always creates a fresh instance for per-request isolation
+ */
+export function getEnrichmentEngine(language = 'java', client) {
+    return new EnrichmentEngine(client, language);
+}
+/**
+ * Enrich a type with LLM-discovered sources/sinks
+ */
+export async function enrichType(type, sourceCode, imports, existingSources, existingSinks, language = 'java') {
+    return getEnrichmentEngine(language).enrichType(type, sourceCode, imports, existingSources, existingSinks);
+}
+//# sourceMappingURL=enrichment.js.map

package/dist/llm/enrichment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enrichment.js","sourceRoot":"","sources":["../../src/llm/enrichment.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAoB,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,kBAAkB,EAClB,6BAA6B,EAC7B,2BAA2B,EAC3B,gCAAgC,GACjC,MAAM,uBAAuB,CAAC;AA+D/B,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,0BAA0B,GAAG;;;;;;;;;;;;;;EAcjC,CAAC;AAEH,4GAA4G;AAC5G,MAAM,uBAAuB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsC9B,CAAC;AAEH,0GAA0G;AAC1G,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8C5B,CAAC;AAEH,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAc;IACpB,MAAM,CAMZ;IACM,QAAQ,CAAoB;IAEpC,YAAY,MAAoB,EAAE,WAA8B,MAAM;QACpE,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,cAAc,EAAE,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;QAChD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,QAA2B;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,SAAiB,EACjB,OAAqB,EACrB,WAAqB,EACrB,OAAiB;QAEjB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAC1C,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,4BAA4B;YAC5B,MAAM,MAAM,GAAG,gCAAgC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,MAAM,EAAE;gBAC9D,SAAS;gBACT,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;gBAC7C,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aACzC,CAAC,CAAC;YAEH,IAAI,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;gBACnE,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,UAAkB,EAClB,UAAkB,EAClB,SAAiB,EACjB,eAA8B;QAE9B,IAAI,CAAC;YACH,4BAA4B;YAC5B,MAAM,MAAM,GAAG,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,yBAAyB,CAAC,MAAM,EAAE;gBACjE,UAAU;gBACV,UAAU;gBACV,SAAS;gBACT,eAAe,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;aACtF,CAAC,CAAC;YAEH,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC,MAAM,CAClB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,CACvD,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,UAAkB,EAClB,UAAkB,EAClB,WAAuB,EACvB,aAA0B;QAE1B,IAAI,CAAC;YACH,4BAA4B;YAC5B,MAAM,MAAM,GAAG,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,uBAAuB,CAAC,MAAM,EAAE;gBAC/D,UAAU;gBACV,UAAU;gBACV,WAAW,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,EAAE,IAAI,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBACtF,aAAa,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;aAClF,CAAC,CAAC;YAEH,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC,MAAM,CAClB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,CACvD,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,cAAsB,EACtB,aAAqB,EACrB,wBAAkC,EAClC,OAAe;QAEf,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAAC;YACvC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;gBAClD,cAAc;gBACd,aAAa;gBACb,wBAAwB,EAAE,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC7D,OAAO;aACR,CAAC,CAAC;YAEH,IAAI,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;gBACnE,OAAO;oBACL,QAAQ,EAAE,CAAC;oBACX,aAAa;oBACb,sBAAsB,EAAE,MAAM,CAAC,sBAAsB;oBACrD,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;iBAC5B,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,IAAc,EACd,UAAkB,EAClB,OAAiB,EACjB,eAA8B,EAC9B,aAA0B;QAE1B,MAAM,MAAM,GAAqB;YAC/B,iBAAiB,EAAE,EAAE;YACrB,eAAe,EAAE,EAAE;YACnB,sBAAsB,EAAE,EAAE;YAC1B,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC,KAAK;SAC1D,CAAC;QAEF,gBAAgB;QAChB,MAAM,CAAC,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CACnC,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,WAAW,EAChB,OAAO,CACR,CAAC;QAEF,6BAA6B;QAC7B,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEtD,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,KAAK,EAAE,CAAC;gBAC3B,kCAAkC;gBAClC,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBAC9D,IAAI,CAAC,UAAU;oBAAE,SAAS;gBAE1B,yDAAyD;gBACzD,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;oBACzC,IAAI,CAAC,eAAe,CAClB,UAAU,EACV,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,SAAS,EAC9B,eAAe,CAChB;oBACD,IAAI,CAAC,aAAa,CAChB,UAAU,EACV,MAAM,CAAC,IAAI,EACX,EAAE,EAAE,uCAAuC;oBAC3C,aAAa,CACd;iBACF,CAAC,CAAC;gBACH,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;gBAC1C,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,OAAqB;QACxC,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAC1E,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,UAAkB,EAAE,MAAkB;QAC9D,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,IAAI,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YAC7D,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;CACF;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAA8B,MAAM,EAAE,MAAoB;IAC5F,OAAO,IAAI,gBAAgB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAc,EACd,UAAkB,EAClB,OAAiB,EACjB,eAA8B,EAC9B,aAA0B,EAC1B,WAA8B,MAAM;IAEpC,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC,UAAU,CAC7C,IAAI,EACJ,UAAU,EACV,OAAO,EACP,eAAe,EACf,aAAa,CACd,CAAC;AACJ,CAAC"}

package/dist/llm/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * LLM Integration Module
+ *
+ * Provides LLM-based enrichment and verification capabilities.
+ */
+export { defaultLLMConfig, createLLMConfig, validateLLMConfig, type LLMConfig, type PhaseConfig } from './config.js';
+export { AxLLMClient, getAxLLMClient, enrichmentSignature, verificationSignature, listIndexSignature, correlatedPredicateSignature, crossFileTaintSignature, roleClassificationSignature, sourceDiscoverySignature, sinkDiscoverySignature, virtualCallResolutionSignature, patternVerificationSignature, } from './ax-client.js';
+export { EnrichmentEngine, getEnrichmentEngine, enrichType, type EnrichmentResult, type RoleClassificationResult, type DiscoveredSource, type DiscoveredSink, type VirtualCallResolution, } from './enrichment.js';
+export { VerificationEngine, getVerificationEngine, verifyTaintPath, verifyTaintPathsBatch, verifyVulnerability, type VerificationResult, type VerificationInput, type VerificationVerdict, type Exploitability, type BatchVerificationInput, type BatchVerificationResult, } from './verification.js';
+export { DiscoveryEngine, getDiscoveryEngine, discoverVulnerabilities, discoveryResultsToFindings, type DiscoveryResult, type DiscoveredVulnerability, type DiscoveryOptions, } from './discovery.js';
+export { getLanguageContext, generateSourceDiscoveryPrompt, generateSinkDiscoveryPrompt, generateRoleClassificationPrompt, getCWEGuidance, type LanguageContext, type SourcePattern, type SinkPattern, } from './language-context.js';
+export { sanitizeCodeForPrompt, sanitizeListForPrompt, sanitizeObjectForPrompt, wrapUserCode, formatSystemPrompt, formatCodeBlock, getModelPromptConfig, detectModelFamily, isInputSafe, logInjectionAttempt, type ModelFamily, type ModelPromptConfig, } from './prompt-security.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/llm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/llm/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,iBAAiB,EAAE,KAAK,SAAS,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAGrH,OAAO,EACL,WAAW,EACX,cAAc,EAEd,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,wBAAwB,EACxB,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,EACV,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAC7B,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,qBAAqB,GAC3B,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,eAAe,EACf,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,EAC1B,KAAK,eAAe,EACpB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,GACtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,kBAAkB,EAClB,6BAA6B,EAC7B,2BAA2B,EAC3B,gCAAgC,EAChC,cAAc,EACd,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,WAAW,GACjB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,KAAK,WAAW,EAChB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC"}

package/dist/llm/index.js

@@ -0,0 +1,22 @@
+/**
+ * LLM Integration Module
+ *
+ * Provides LLM-based enrichment and verification capabilities.
+ */
+// Configuration
+export { defaultLLMConfig, createLLMConfig, validateLLMConfig } from './config.js';
+// New Ax-LLM client (DSPy-style with typed signatures)
+export { AxLLMClient, getAxLLMClient, 
+// Signatures
+enrichmentSignature, verificationSignature, listIndexSignature, correlatedPredicateSignature, crossFileTaintSignature, roleClassificationSignature, sourceDiscoverySignature, sinkDiscoverySignature, virtualCallResolutionSignature, patternVerificationSignature, } from './ax-client.js';
+// Enrichment (Phase 1)
+export { EnrichmentEngine, getEnrichmentEngine, enrichType, } from './enrichment.js';
+// Verification (Phase 2)
+export { VerificationEngine, getVerificationEngine, verifyTaintPath, verifyTaintPathsBatch, verifyVulnerability, } from './verification.js';
+// Discovery Mode (for methods with no static findings)
+export { DiscoveryEngine, getDiscoveryEngine, discoverVulnerabilities, discoveryResultsToFindings, } from './discovery.js';
+// Language-Aware Prompts (for multi-language support)
+export { getLanguageContext, generateSourceDiscoveryPrompt, generateSinkDiscoveryPrompt, generateRoleClassificationPrompt, getCWEGuidance, } from './language-context.js';
+// Prompt Security (for robustness against prompt injection)
+export { sanitizeCodeForPrompt, sanitizeListForPrompt, sanitizeObjectForPrompt, wrapUserCode, formatSystemPrompt, formatCodeBlock, getModelPromptConfig, detectModelFamily, isInputSafe, logInjectionAttempt, } from './prompt-security.js';
+//# sourceMappingURL=index.js.map

package/dist/llm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/llm/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,gBAAgB;AAChB,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,iBAAiB,EAAoC,MAAM,aAAa,CAAC;AAErH,uDAAuD;AACvD,OAAO,EACL,WAAW,EACX,cAAc;AACd,aAAa;AACb,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,wBAAwB,EACxB,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,gBAAgB,CAAC;AAExB,uBAAuB;AACvB,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,GAMX,MAAM,iBAAiB,CAAC;AAEzB,yBAAyB;AACzB,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,GAOpB,MAAM,mBAAmB,CAAC;AAE3B,uDAAuD;AACvD,OAAO,EACL,eAAe,EACf,kBAAkB,EAClB,uBAAuB,EACvB,0BAA0B,GAI3B,MAAM,gBAAgB,CAAC;AAExB,sDAAsD;AACtD,OAAO,EACL,kBAAkB,EAClB,6BAA6B,EAC7B,2BAA2B,EAC3B,gCAAgC,EAChC,cAAc,GAIf,MAAM,uBAAuB,CAAC;AAE/B,4DAA4D;AAC5D,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,eAAe,EACf,oBAAoB,EACpB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,GAGpB,MAAM,sBAAsB,CAAC"}

package/dist/llm/language-context.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Language-Specific Context for LLM Prompts
+ *
+ * Provides language-aware examples, patterns, and guidance for
+ * enrichment and verification across Java, Python, JavaScript/TypeScript, and Rust.
+ */
+import type { SupportedLanguage } from 'circle-ir';
+export interface LanguageContext {
+    /** Display name for prompts */
+    name: string;
+    /** Code fence language identifier */
+    codeFence: string;
+    /** Common web frameworks */
+    frameworks: string[];
+    /** HTTP source patterns */
+    httpSources: SourcePattern[];
+    /** Common sanitizers by CWE */
+    sanitizers: Record<string, string[]>;
+    /** Sink patterns by CWE */
+    sinkPatterns: Record<string, SinkPattern[]>;
+    /** Example source discovery code */
+    sourceExamples: string;
+    /** Example sink discovery code */
+    sinkExamples: string;
+}
+export interface SourcePattern {
+    pattern: string;
+    type: string;
+    description: string;
+}
+export interface SinkPattern {
+    pattern: string;
+    safe: string;
+    description: string;
+}
+/**
+ * Get the language context for a supported language
+ */
+export declare function getLanguageContext(language: SupportedLanguage): LanguageContext;
+/**
+ * Generate source discovery prompt for a specific language
+ *
+ * Uses semantic-guided prompts that focus on security concepts rather than
+ * specific API patterns. This allows the LLM to reason about data flow
+ * semantics and discover sources in unfamiliar frameworks or custom code.
+ */
+export declare function generateSourceDiscoveryPrompt(language: SupportedLanguage): string;
+/**
+ * Generate sink discovery prompt for a specific language
+ *
+ * Uses semantic-guided prompts that focus on what operations DO
+ * rather than specific API names. This allows the LLM to discover
+ * dangerous operations in unfamiliar frameworks or custom code.
+ */
+export declare function generateSinkDiscoveryPrompt(language: SupportedLanguage): string;
+/**
+ * Generate role classification prompt for a specific language
+ */
+export declare function generateRoleClassificationPrompt(language: SupportedLanguage): string;
+/**
+ * Get CWE-specific verification guidance for a language
+ */
+export declare function getCWEGuidance(language: SupportedLanguage, cwe: string): string;
+//# sourceMappingURL=language-context.d.ts.map

package/dist/llm/language-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"language-context.d.ts","sourceRoot":"","sources":["../../src/llm/language-context.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAMnD,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,2BAA2B;IAC3B,WAAW,EAAE,aAAa,EAAE,CAAC;IAC7B,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACrC,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IAC5C,oCAAoC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AA8QD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,eAAe,CAE/E;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CAiEjF;AAED;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CA4F/E;AAED;;GAEG;AACH,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CA6BpF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAkB/E"}