circle-ir-ai 2.12.2 → 2.12.5

package/CHANGELOG.md

@@ -5,6 +5,147 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.12.5] - 2026-06-19
+
+### Dependencies
+
+- Bump `circle-ir` `3.75.0` → `3.82.0` (picks up the jwt-verify-disabled
+  regex fix landed in 3.77.0 — eliminated all 12 jwt-verify FPs in the
+  top-10 Java OSS harness re-run, -67% on top-10 criticals overall).
+
+### Fixed — LLM verifier rubber-stamping assertion utilities as exploitable sinks (cognium-ai#109)
+
+Top-10 Java OSS harness re-run on `circle-ir@3.80.0` (3.77.0 jwt-verify
+fix landed; -67% on top-10 criticals) surfaced a second class of
+LLM-layer FPs that the static `circle-ir` layer can't catch: the LLM
+verifier (`openai/gpt-4o-mini` via OpenRouter) was returning
+`llm_verified: true, llm_confidence: 0.8` on obvious no-op sinks.
+
+Evidence — three findings on `chinabugotech/hutool`, all from one
+file (`hutool-db/.../DialectRunner.java`):
+
+1. `Assert.notNull(query, "[query] is null !")` flagged as critical
+   sql_injection. Definite FP — pure guard utility, no SQL semantics.
+2. `SqlExecutor.queryAndClosePs(dialect.psForFind(conn, query), rsh)`
+   flagged as sql_injection from a library-API method parameter.
+3. Same as 2 for `psForPage`.
+
+All three returned `llm_confidence: 0.8` — the identical confidence
+value across three independent prompts is a calibration smell that
+the verifier has a "plausible-sounding default" instead of reading
+the sink line. Same pattern seen on `baomidou/mybatis-plus` (ranks
+11-20 harness): 9 critical sql_injection flagged in
+`MybatisPlusInterceptor.java` framework lifecycle hooks
+(`willDoQuery`, `beforeQuery`, `createCacheKey`, `beforePrepare`).
+
+**This release ships fix #1 — sink-shape post-filter for assertion
+utilities.** Drops the candidate before the LLM verifier ever sees
+it; faster, free, and not subject to verifier hallucination.
+
+`src/security-scan/sink-filters.ts` — added a `#109` block to
+`NON_SINK_PATTERNS` covering:
+
+- Spring `org.springframework.util.Assert.*` — `notNull`, `isTrue`,
+  `hasText`, `notEmpty`, `state`, etc.
+- hutool `cn.hutool.core.lang.Assert.*` (same method surface as Spring)
+- Guava `Preconditions.*` (`checkArgument`, `checkNotNull`,
+  `checkState`) and `Verify.*` (`verify`, `verifyNotNull`)
+- `java.util.Objects` guard methods (`requireNonNull` family +
+  `checkIndex` family — but NOT `Objects.toString` / `hash` / `equals`
+  which can be legitimate sinks in template / log contexts)
+- Apache Commons Lang `Validate.*` (`notNull`, `isTrue`, `notBlank`,
+  `matchesPattern`)
+
+Method names are enumerated explicitly (not `\.\w+\(`) to avoid
+over-suppressing user classes that happen to be named `Validate` /
+`Verify` with unrelated APIs.
+
+Applies the suppression across every taint-flow CWE
+(`sql_injection`, `command_injection`, `code_injection`,
+`deserialization`, `xss`, `path_traversal`, `nosql_injection`,
+`ssrf`, `ldap_injection`, `xpath_injection`, `open_redirect`,
+`template_injection`) — implemented by extending the
+`NonSinkPattern.sinkType` field to accept `string | readonly
+string[]` so one regex covers all sink types without 12× duplication.
+
+`isKnownNonSink()` now dispatches via `Array.isArray()`. Public
+API unchanged; only the internal pattern table type widened.
+
+Validated by 8 new vitest cases in `tests/sink-filters.test.ts`
+(`describe('isKnownNonSink — #109 …')`) — full suite 805 pass +
+3 skipped + typecheck + build clean.
+
+Three follow-up fixes from the issue body deferred (tracked in
+cognium-ai#109): (a) sink-name allowlist baked into the verifier
+prompt, (b) library-API source detection (downgrade
+critical → high when source is a public method parameter on an
+infrastructure repo with no entry point), (c) verifier confidence
+calibration audit (`0.8` rubber-stamp).
+
+## [2.12.4] - 2026-06-19
+
+### Dependencies
+
+- Bump `circle-ir` `3.74.0` → `3.75.0`.
+
+Routine upstream sync — picks up the latest static-analysis layer
+(extra inter-procedural taint coverage, additional sink rules). No
+circle-ir-ai source changes; full test suite (797 pass + 3 skipped)
++ typecheck + build clean on 3.75.0.
+
+## [2.12.3] - 2026-06-19
+
+### Added — structural validators for OpenAI / GCP / npm history patterns (REFACTOR-014)
+
+REVIEW-004's 2026-06-18 audit found 1/15 history-scan patterns shipped
+a structural validator (`jwt-token`). The 3 patterns with the highest
+measured FP-risk (`openai-api-key`, `gcp-api-key`, `npm-token`) relied
+on the regex alone. REFACTOR-003's fixture-path LLM gate caught test
+paths, but production-path hits went direct.
+
+This release adds three validators in
+`src/secret-scan/validators.ts` (the module created in REFACTOR-015
+specifically as the landing zone for this work):
+
+```ts
+validateOpenAIKey  — length 51, sk- prefix, NOT sk-ant- prefix
+validateGcpApiKey  — length 39, AIza prefix
+validateNpmToken   — length 40, npm_ prefix, no doubled-underscore
+```
+
+Wired into the corresponding `HISTORY_SCAN_PATTERNS` entries in
+`src/secret-scan/history-patterns.ts`:
+
+| Pattern id | Was | Now |
+|------------|-----|-----|
+| `openai-api-key` | regex only | regex + `validateOpenAIKey` |
+| `gcp-api-key` | regex only | regex + `validateGcpApiKey` |
+| `npm-token` | regex only | regex + `validateNpmToken` |
+
+**No production-path behavior change today.** The existing regexes
+already enforce the lengths, prefixes, and charset constraints — the
+validators codify the intent so future regex edits can't silently
+widen the match set. They also cheaply defend against the
+specifically-called-out hypothetical collisions (Anthropic
+`sk-ant-` short form for openai; doubled-`__` variable names for
+npm).
+
+**Excluded patterns** (REVIEW-004 ranked their collision risk low,
+and validators add per-finding cost): `aws-access-key-id`,
+`github-pat`, `github-oauth`, `github-app-token`,
+`github-user-token`, `github-refresh-token`, `stripe-secret-key`,
+`stripe-publishable-key`, `anthropic-api-key`, `slack-token`,
+`pem-private-key`.
+
+Tests: new `historyPatternValidators (REFACTOR-014)` describe block
+in `tests/secret-scan-llm-gate.test.ts` with 9 cases (3 patterns × 3
+assertions each: positive + collision + length boundary). 52 files /
+**797 pass** + 3 skipped (was 788). typecheck clean.
+
+Pre-existing files in `.specifica/hardcoded-secrets/`: this closes
+REFACTOR-014 (priority: medium) — see `tasks.md` for the audit-trail
+entry.
+
 ## [2.12.2] - 2026-06-19
 
 ### Refactored — extract `validateJwtStructure` to shared utility (REFACTOR-015)

package/dist/secret-scan/history-patterns.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EA8HjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}
+{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAQnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EAiIjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}

package/dist/secret-scan/history-patterns.js

@@ -8,7 +8,7 @@
  * This file intentionally duplicates a minimal subset of patterns to support
  * git history scanning. The authoritative patterns live in circle-ir.
  */
-import { validateJwtStructure } from './validators.js';
+import { validateGcpApiKey, validateJwtStructure, validateNpmToken, validateOpenAIKey, } from './validators.js';
 /**
  * Minimal high-confidence patterns for git history scanning.
  * These mirror circle-ir's ScanSecretsPass provider patterns.
@@ -80,6 +80,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bsk-[A-Za-z0-9]{48}\b/g,
         severity: 'critical',
         category: 'openai',
+        validator: validateOpenAIKey,
     },
     // Anthropic
     {
@@ -104,6 +105,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
         severity: 'critical',
         category: 'gcp',
+        validator: validateGcpApiKey,
     },
     // JWT
     {
@@ -129,6 +131,7 @@ export const HISTORY_SCAN_PATTERNS = [
         pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
         severity: 'critical',
         category: 'npm',
+        validator: validateNpmToken,
     },
 ];
 /**

package/dist/secret-scan/history-patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAYvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAYzB;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,iBAAiB;KAC7B;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,iBAAiB;KAC7B;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,gBAAgB;KAC5B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/secret-scan/validators.d.ts

@@ -25,4 +25,45 @@
  * base64 strings.
  */
 export declare function validateJwtStructure(match: string): boolean;
+/**
+ * Validate an OpenAI API key shape (REFACTOR-014).
+ *
+ * OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
+ * `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
+ * length and charset, but the validator adds three explicit guards:
+ *
+ *   1. Exact length 51 (defense against future regex relaxation).
+ *   2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
+ *      `sk_test_` that might slip past a future pattern split).
+ *   3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
+ *      much longer and have hyphens in the tail; if Anthropic ever
+ *      issued a 51-char short form it would not be an OpenAI key).
+ *
+ * Cheap (4 string ops). Filters vendored-docs example collisions
+ * such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
+ * which match the regex but are obviously placeholders.
+ */
+export declare function validateOpenAIKey(match: string): boolean;
+/**
+ * Validate a Google Cloud API key shape (REFACTOR-014).
+ *
+ * GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
+ * The `history-patterns.ts` regex bound `{35}` already enforces this.
+ * The validator codifies the constant so a future pattern edit
+ * (e.g. broadening to `{30,40}` by mistake) is caught by tests
+ * before shipping, and documents the canonical Google-published
+ * shape.
+ */
+export declare function validateGcpApiKey(match: string): boolean;
+/**
+ * Validate an npm access token shape (REFACTOR-014).
+ *
+ * Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
+ * `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
+ * enforces the tail charset (no `_` in tail). The validator adds an
+ * explicit doubled-underscore guard so a future pattern edit that
+ * relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
+ * matching variable names like `npm__internal_cache_key_42_chars_xx`.
+ */
+export declare function validateNpmToken(match: string): boolean;
 //# sourceMappingURL=validators.d.ts.map

package/dist/secret-scan/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAKxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAIxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQvD"}

package/dist/secret-scan/validators.js

@@ -36,4 +36,70 @@ export function validateJwtStructure(match) {
         return false;
     }
 }
+/**
+ * Validate an OpenAI API key shape (REFACTOR-014).
+ *
+ * OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
+ * `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
+ * length and charset, but the validator adds three explicit guards:
+ *
+ *   1. Exact length 51 (defense against future regex relaxation).
+ *   2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
+ *      `sk_test_` that might slip past a future pattern split).
+ *   3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
+ *      much longer and have hyphens in the tail; if Anthropic ever
+ *      issued a 51-char short form it would not be an OpenAI key).
+ *
+ * Cheap (4 string ops). Filters vendored-docs example collisions
+ * such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
+ * which match the regex but are obviously placeholders.
+ */
+export function validateOpenAIKey(match) {
+    if (match.length !== 51)
+        return false;
+    if (!match.startsWith('sk-'))
+        return false;
+    if (match.startsWith('sk-ant-'))
+        return false;
+    return true;
+}
+/**
+ * Validate a Google Cloud API key shape (REFACTOR-014).
+ *
+ * GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
+ * The `history-patterns.ts` regex bound `{35}` already enforces this.
+ * The validator codifies the constant so a future pattern edit
+ * (e.g. broadening to `{30,40}` by mistake) is caught by tests
+ * before shipping, and documents the canonical Google-published
+ * shape.
+ */
+export function validateGcpApiKey(match) {
+    if (match.length !== 39)
+        return false;
+    if (!match.startsWith('AIza'))
+        return false;
+    return true;
+}
+/**
+ * Validate an npm access token shape (REFACTOR-014).
+ *
+ * Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
+ * `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
+ * enforces the tail charset (no `_` in tail). The validator adds an
+ * explicit doubled-underscore guard so a future pattern edit that
+ * relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
+ * matching variable names like `npm__internal_cache_key_42_chars_xx`.
+ */
+export function validateNpmToken(match) {
+    if (match.length !== 40)
+        return false;
+    if (!match.startsWith('npm_'))
+        return false;
+    // Reject doubled-underscore anywhere in the matched string. Real
+    // tokens have exactly one underscore (the `npm_` separator); a
+    // doubled `__` strongly suggests a variable name or constant.
+    if (match.includes('__'))
+        return false;
+    return true;
+}
 //# sourceMappingURL=validators.js.map

package/dist/secret-scan/validators.js.map

@@ -1 +1 @@
-{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,iEAAiE;IACjE,+DAA+D;IAC/D,8DAA8D;IAC9D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/security-scan/sink-filters.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sink-filters.d.ts","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAwBH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAW1E;AA6BD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAK9E;AAwHD,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC/B,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAOT;AAsBD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAGT;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACnC,OAAO,CAMT"}
+{"version":3,"file":"sink-filters.d.ts","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAwBH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAW1E;AA6BD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAK9E;AAuMD,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC/B,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAUT;AAsBD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAClC,OAAO,CAGT;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACnC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GACnC,OAAO,CAMT"}

package/dist/security-scan/sink-filters.js

@@ -95,6 +95,25 @@ export function isRequireOrImportSink(code) {
         return false;
     return REQUIRE_OR_IMPORT_RE.test(trimmed);
 }
+/**
+ * Sink types where assertion utilities can be mistaken for the sink.
+ * Used by the #109 patterns below. Covers every taint-flow CWE the
+ * LLM verifier was observed to rubber-stamp on hutool / mybatis-plus.
+ */
+const ASSERTION_SINK_TYPES = [
+    'sql_injection',
+    'command_injection',
+    'code_injection',
+    'deserialization',
+    'xss',
+    'path_traversal',
+    'nosql_injection',
+    'ssrf',
+    'ldap_injection',
+    'xpath_injection',
+    'open_redirect',
+    'template_injection',
+];
 const NON_SINK_PATTERNS = [
     // #52 — code_injection
     { pattern: /\bproxyaddr\s*\.\s*compile\b/, sinkType: 'code_injection', ref: '#52' },
@@ -148,6 +167,54 @@ const NON_SINK_PATTERNS = [
     // conventional lowercase `method.invoke(...)` (j.l.r.Method instance)
     // and the uppercase static-reference form.
     { pattern: /\b[Mm]ethod\s*\.\s*invoke\s*\(/, sinkType: 'code_injection', ref: '#93' },
+    // #109 — assertion utilities rubber-stamped by LLM verifier
+    // Evidence: hutool DialectRunner.java line 241
+    //   `Assert.notNull(query, "[query] is null !");`
+    // flagged as critical sql_injection with llm_verified: true,
+    // llm_confidence: 0.8 by gpt-4o-mini. The LLM saw a method named
+    // `find` with a `query` arg + a nearby `SqlExecutor` call and gave a
+    // default-plausible answer without reading the actual sink line.
+    // These methods are pure guard / null-check / state-check utilities
+    // — they cannot interpret SQL, OS shell, JSON, regex, paths, or
+    // templates. Static layer drops them before the LLM verifier ever
+    // sees the candidate. (cognium-ai#109)
+    //
+    // Receivers covered:
+    //   - Spring `org.springframework.util.Assert`
+    //   - hutool `cn.hutool.core.lang.Assert` (same surface as Spring)
+    //   - Guava `com.google.common.base.Preconditions` / `Verify`
+    //   - java.util.Objects guard methods (NOT `Objects.hash` / `equals`
+    //     / `toString` — those can be real sinks in template / log
+    //     contexts; only the `requireNonNull`-family is suppressed)
+    //   - Apache Commons `org.apache.commons.lang3.Validate`
+    //
+    // Method names are enumerated explicitly (not `\.\w+\(`) to avoid
+    // over-suppressing user classes named `Validate` / `Verify` that
+    // happen to expose unrelated APIs.
+    // Spring Assert + hutool Assert (identical method surface).
+    {
+        pattern: /\bAssert\s*\.\s*(?:notNull|isNull|isTrue|isFalse|hasText|hasLength|notEmpty|isAssignable|isInstanceOf|state|doesNotContain|noNullElements)\s*\(/,
+        sinkType: ASSERTION_SINK_TYPES,
+        ref: '#109',
+    },
+    // Guava Preconditions + Verify.
+    {
+        pattern: /\b(?:Preconditions|Verify)\s*\.\s*(?:checkArgument|checkNotNull|checkState|checkPositionIndex|checkPositionIndexes|checkElementIndex|verify|verifyNotNull)\s*\(/,
+        sinkType: ASSERTION_SINK_TYPES,
+        ref: '#109',
+    },
+    // java.util.Objects guard methods (requireNonNull family + index checks).
+    {
+        pattern: /\bObjects\s*\.\s*(?:requireNonNull|requireNonNullElse|requireNonNullElseGet|checkIndex|checkFromIndexSize|checkFromToIndex)\s*\(/,
+        sinkType: ASSERTION_SINK_TYPES,
+        ref: '#109',
+    },
+    // Apache Commons Lang Validate.
+    {
+        pattern: /\bValidate\s*\.\s*(?:notNull|isTrue|notEmpty|notBlank|inclusiveBetween|exclusiveBetween|matchesPattern|validIndex|noNullElements)\s*\(/,
+        sinkType: ASSERTION_SINK_TYPES,
+        ref: '#109',
+    },
 ];
 export function isKnownNonSink(code, sinkType) {
     if (!code || !sinkType)
@@ -155,7 +222,12 @@ export function isKnownNonSink(code, sinkType) {
     const trimmed = code.trim();
     if (!trimmed)
         return false;
-    return NON_SINK_PATTERNS.some((p) => p.sinkType === sinkType && p.pattern.test(trimmed));
+    return NON_SINK_PATTERNS.some((p) => {
+        const matchesType = Array.isArray(p.sinkType)
+            ? p.sinkType.includes(sinkType)
+            : p.sinkType === sinkType;
+        return matchesType && p.pattern.test(trimmed);
+    });
 }
 // ---------------------------------------------------------------------------
 // Fix 4 — nosql_injection on browser-side JS/HTML (#94)

package/dist/security-scan/sink-filters.js.map

@@ -1 +1 @@
-{"version":3,"file":"sink-filters.js","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,6EAA6E;AAC7E,uEAAuE;AACvE,kEAAkE;AAClE,MAAM,cAAc,GAAG,OAAO,CAAC;AAE/B,MAAM,UAAU,iBAAiB,CAAC,IAA+B;IAC/D,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,yDAAyD;IACzD,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,+CAA+C;IAC/C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,sDAAsD;IACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,oBAAoB,GACxB,mEAAmE,CAAC;AAEtE,MAAM,UAAU,qBAAqB,CAAC,IAA+B;IACnE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AA6DD,MAAM,iBAAiB,GAAqB;IAC1C,uBAAuB;IACvB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnF,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7F,mEAAmE;IACnE,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACzF,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACpG,8DAA8D;IAC9D,sEAAsE;IACtE,4DAA4D;IAC5D,mEAAmE;IACnE,EAAE,OAAO,EAAE,+DAA+D,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IAEvH,4DAA4D;IAC5D,+DAA+D;IAC/D,sEAAsE;IACtE,4DAA4D;IAC5D,gEAAgE;IAChE,2CAA2C;IAC3C,oEAAoE;IACpE,yDAAyD;IACzD,qDAAqD;IACrD;QACE,OAAO,EAAE,+FAA+F;QACxG,QAAQ,EAAE,eAAe;QACzB,GAAG,EAAE,KAAK;KACX;IAED,sDAAsD;IACtD,mEAAmE;IACnE,sEAAsE;IACtE,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC3G,2EAA2E;IAC3E,uDAAuD;IACvD,EAAE,OAAO,EAAE,kDAAkD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACxG,qCAAqC;IACrC,EAAE,OAAO,EAAE,oDAAoD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,0DAA0D;IAC1D,EAAE,OAAO,EAAE,6CAA6C,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,4CAA4C;IAC5C,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7G,8DAA8D;IAC9D,oEAAoE;IACpE,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5F,8DAA8D;IAC9D,sEAAsE;IACtE,kDAAkD;IAClD,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5G,8EAA8E;IAC9E,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,6DAA6D;IAC7D,sEAAsE;IACtE,2CAA2C;IAC3C,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;CACtF,CAAC;AAEF,MAAM,UAAU,cAAc,CAC5B,IAA+B,EAC/B,QAAmC;IAEnC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,iBAAiB,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAC1D,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAElF,SAAS,aAAa,CAAC,IAA+B;IACpD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACvB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,QAAmC,EACnC,QAAmC;IAEnC,IAAI,QAAQ,KAAK,iBAAiB;QAAE,OAAO,KAAK,CAAC;IACjD,OAAO,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAmC,EACnC,QAAmC,EACnC,QAAoC;IAEpC,IAAI,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,IAAI,qBAAqB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"sink-filters.js","sourceRoot":"","sources":["../../src/security-scan/sink-filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,6EAA6E;AAC7E,uEAAuE;AACvE,kEAAkE;AAClE,MAAM,cAAc,GAAG,OAAO,CAAC;AAE/B,MAAM,UAAU,iBAAiB,CAAC,IAA+B;IAC/D,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,yDAAyD;IACzD,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,+CAA+C;IAC/C,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,sDAAsD;IACtD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,oBAAoB,GACxB,mEAAmE,CAAC;AAEtE,MAAM,UAAU,qBAAqB,CAAC,IAA+B;IACnE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AAkED;;;;GAIG;AACH,MAAM,oBAAoB,GAAG;IAC3B,eAAe;IACf,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,KAAK;IACL,gBAAgB;IAChB,iBAAiB;IACjB,MAAM;IACN,gBAAgB;IAChB,iBAAiB;IACjB,eAAe;IACf,oBAAoB;CACZ,CAAC;AAEX,MAAM,iBAAiB,GAAqB;IAC1C,uBAAuB;IACvB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnF,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7F,mEAAmE;IACnE,EAAE,OAAO,EAAE,iCAAiC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACzF,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,EAAE,OAAO,EAAE,4CAA4C,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IACpG,8DAA8D;IAC9D,sEAAsE;IACtE,4DAA4D;IAC5D,mEAAmE;IACnE,EAAE,OAAO,EAAE,+DAA+D,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE;IAEvH,4DAA4D;IAC5D,+DAA+D;IAC/D,sEAAsE;IACtE,4DAA4D;IAC5D,gEAAgE;IAChE,2CAA2C;IAC3C,oEAAoE;IACpE,yDAAyD;IACzD,qDAAqD;IACrD;QACE,OAAO,EAAE,+FAA+F;QACxG,QAAQ,EAAE,eAAe;QACzB,GAAG,EAAE,KAAK;KACX;IAED,sDAAsD;IACtD,mEAAmE;IACnE,sEAAsE;IACtE,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC3G,2EAA2E;IAC3E,uDAAuD;IACvD,EAAE,OAAO,EAAE,kDAAkD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACxG,qCAAqC;IACrC,EAAE,OAAO,EAAE,oDAAoD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,0DAA0D;IAC1D,EAAE,OAAO,EAAE,6CAA6C,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IACnG,4CAA4C;IAC5C,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,EAAE,KAAK,EAAE;IAE7G,8DAA8D;IAC9D,oEAAoE;IACpE,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5F,8DAA8D;IAC9D,sEAAsE;IACtE,kDAAkD;IAClD,EAAE,OAAO,EAAE,uDAAuD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC5G,8EAA8E;IAC9E,EAAE,OAAO,EAAE,qDAAqD,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAC1G,6DAA6D;IAC7D,sEAAsE;IACtE,2CAA2C;IAC3C,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,EAAE,KAAK,EAAE;IAErF,4DAA4D;IAC5D,+CAA+C;IAC/C,kDAAkD;IAClD,6DAA6D;IAC7D,iEAAiE;IACjE,qEAAqE;IACrE,iEAAiE;IACjE,oEAAoE;IACpE,gEAAgE;IAChE,kEAAkE;IAClE,uCAAuC;IACvC,EAAE;IACF,qBAAqB;IACrB,+CAA+C;IAC/C,mEAAmE;IACnE,8DAA8D;IAC9D,qEAAqE;IACrE,+DAA+D;IAC/D,gEAAgE;IAChE,yDAAyD;IACzD,EAAE;IACF,kEAAkE;IAClE,iEAAiE;IACjE,mCAAmC;IAEnC,4DAA4D;IAC5D;QACE,OAAO,EACL,iJAAiJ;QACnJ,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,gCAAgC;IAChC;QACE,OAAO,EACL,iKAAiK;QACnK,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,0EAA0E;IAC1E;QACE,OAAO,EACL,kIAAkI;QACpI,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;IACD,gCAAgC;IAChC;QACE,OAAO,EACL,wIAAwI;QAC1I,QAAQ,EAAE,oBAAoB;QAC9B,GAAG,EAAE,MAAM;KACZ;CACF,CAAC;AAEF,MAAM,UAAU,cAAc,CAC5B,IAA+B,EAC/B,QAAmC;IAEnC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;YAC3C,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC5B,OAAO,WAAW,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAElF,SAAS,aAAa,CAAC,IAA+B;IACpD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACvB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,QAAmC,EACnC,QAAmC;IAEnC,IAAI,QAAQ,KAAK,iBAAiB;QAAE,OAAO,KAAK,CAAC;IACjD,OAAO,eAAe,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAmC,EACnC,QAAmC,EACnC,QAAoC;IAEpC,IAAI,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,IAAI,qBAAqB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.12.2",
+  "version": "2.12.5",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -60,6 +60,7 @@
     "benchmark:dvna": "tsx benchmarks/runners/run-dvna.ts --verbose",
     "benchmark:top100": "tsx benchmarks/runners/run-top100-secure.ts",
     "benchmark:top100:setup": "tsx benchmarks/runners/run-top100-secure.ts --setup",
+    "benchmark:secrets": "tsx benchmarks/runners/run-secrets.ts",
     "setup:skills-benchmark": "tsx benchmarks/skills/setup-skills-benchmark.ts",
     "benchmark:skills": "tsx benchmarks/skills/run-skills-benchmark.ts",
     "benchmark:instruction-safety": "tsx benchmarks/instruction-safety/run-benchmark.ts"
@@ -94,7 +95,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "3.74.0",
+    "circle-ir": "3.82.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },