codehere 0.1.0 → 0.3.0

package/dist/infrastructure/security/enhanced-security-gate.js

@@ -0,0 +1,151 @@
+/**
+ * Infrastructure: Enhanced Security Gate
+ * Comprehensive security validation combining all security scanners
+ *
+ * Research-Driven Security:
+ * - AI SAST Scanner (existing) - 45% of AI code has flaws
+ * - License Scanner - 35% license contamination risk
+ * - Provider Bias Detector - Vendor lock-in prevention
+ * - Uncertainty Quantifier - Hallucination risk
+ *
+ * All checks must pass before code generation/editing
+ */
+import { getSecurityScanCache } from '../cache/security-scan-cache.js';
+/**
+ * Enhanced Security Gate
+ * Orchestrates all security scanners
+ */
+export class EnhancedSecurityGate {
+    sastScanner;
+    licenseScanner;
+    providerBiasDetector;
+    uncertaintyQuantifier;
+    scanCache = getSecurityScanCache();
+    constructor(sastScanner, licenseScanner, providerBiasDetector, uncertaintyQuantifier) {
+        this.sastScanner = sastScanner;
+        this.licenseScanner = licenseScanner;
+        this.providerBiasDetector = providerBiasDetector;
+        this.uncertaintyQuantifier = uncertaintyQuantifier;
+    }
+    /**
+     * Comprehensive security scan
+     * PERFORMANCE OPTIMIZATION: Parallelizes independent scans for ~3x speedup
+     */
+    async scan(filepath, code, instruction, context) {
+        const errors = [];
+        const warnings = [];
+        // PERFORMANCE: Check cache first (bypasses expensive scans for unchanged files)
+        const cachedResults = this.scanCache.get(filepath, code);
+        if (cachedResults) {
+            // Return cached results (skip expensive scans)
+            const passed = cachedResults.sast.passed && cachedResults.license.passed;
+            if (!cachedResults.sast.passed) {
+                errors.push(`Security vulnerabilities: ${cachedResults.sast.criticalCount} critical, ${cachedResults.sast.highCount} high`);
+            }
+            if (!cachedResults.license.passed) {
+                errors.push(`License conflicts: ${cachedResults.license.criticalCount} critical issues`);
+            }
+            if (!cachedResults.providerBias.passed) {
+                warnings.push(`Provider bias detected: ${cachedResults.providerBias.criticalCount} critical issues`);
+            }
+            // Still run uncertainty quantification if needed (it's fast and context-dependent)
+            let uncertainty;
+            if (this.uncertaintyQuantifier && context?.query && code) {
+                uncertainty = await this.uncertaintyQuantifier.quantifyUncertainty(context.query, code, { chunks: context.chunks }).catch(() => undefined);
+                if (uncertainty?.isHallucinationRisk) {
+                    warnings.push(`High epistemic uncertainty detected: Possible hallucination risk`);
+                }
+            }
+            return {
+                passed: errors.length === 0,
+                sast: cachedResults.sast,
+                license: cachedResults.license,
+                providerBias: cachedResults.providerBias,
+                uncertainty,
+                errors,
+                warnings,
+            };
+        }
+        // PERFORMANCE: Parallelize independent scans (SAST, License, Provider Bias)
+        // These scans are independent and can run concurrently
+        const scanPromises = [
+            // 1. Fast security check on instruction (if provided)
+            instruction
+                ? this.sastScanner.scanInstruction(instruction).catch(err => {
+                    console.warn(`[EnhancedSecurityGate] Instruction scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                    return null;
+                })
+                : Promise.resolve(null),
+            // 2. SAST scan on code
+            this.sastScanner.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] SAST scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0, highCount: 0 };
+            }),
+            // 3. License scan
+            this.licenseScanner.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] License scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0 };
+            }),
+            // 4. Provider bias detection
+            this.providerBiasDetector.scan(filepath, code).catch(err => {
+                console.warn(`[EnhancedSecurityGate] Provider bias scan failed: ${err instanceof Error ? err.message : String(err)}`);
+                return { passed: true, findings: [], criticalCount: 0 };
+            }),
+        ];
+        // Execute all scans in parallel
+        const [instructionSast, sast, license, providerBias] = await Promise.all(scanPromises);
+        // Process results
+        if (instructionSast && !instructionSast.passed) {
+            errors.push(`Security vulnerabilities in instruction: ${instructionSast.findings.length} findings`);
+        }
+        if (!sast.passed) {
+            errors.push(`Security vulnerabilities: ${sast.criticalCount} critical, ${sast.highCount} high`);
+        }
+        if (!license.passed) {
+            errors.push(`License conflicts: ${license.criticalCount} critical issues`);
+        }
+        if (!providerBias.passed) {
+            warnings.push(`Provider bias detected: ${providerBias.criticalCount} critical issues`);
+            // Provider bias is a warning, not blocking (unless policy enforces)
+        }
+        // 5. Uncertainty quantification (runs after parallel scans, depends on context)
+        // This is independent but typically faster, so can run in parallel with scans if needed
+        let uncertainty;
+        if (this.uncertaintyQuantifier && context?.query && code) {
+            uncertainty = await this.uncertaintyQuantifier.quantifyUncertainty(context.query, code, { chunks: context.chunks }).catch(err => {
+                console.warn(`[EnhancedSecurityGate] Uncertainty quantification failed: ${err instanceof Error ? err.message : String(err)}`);
+                return undefined;
+            });
+            if (uncertainty?.isHallucinationRisk) {
+                warnings.push(`High epistemic uncertainty detected: Possible hallucination risk`);
+            }
+        }
+        const passed = errors.length === 0; // Only fail on critical errors
+        // Cache results for future use (performance optimization)
+        this.scanCache.set(filepath, code, sast, license, providerBias);
+        return {
+            passed,
+            sast,
+            license,
+            providerBias,
+            uncertainty,
+            errors,
+            warnings,
+        };
+    }
+    /**
+     * Fast pre-check on instruction (before expensive operations)
+     */
+    async fastCheck(instruction) {
+        const findings = [];
+        const sastResult = await this.sastScanner.scanInstruction(instruction);
+        if (sastResult && !sastResult.passed) {
+            findings.push(...sastResult.findings.map(f => `${f.severity}: ${f.description}`));
+        }
+        return {
+            allowed: findings.length === 0,
+            findings,
+        };
+    }
+}
+//# sourceMappingURL=enhanced-security-gate.js.map

package/dist/infrastructure/security/enhanced-security-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enhanced-security-gate.js","sourceRoot":"","sources":["../../../src/infrastructure/security/enhanced-security-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AAYvE;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAIrB;IACA;IACA;IACA;IANF,SAAS,GAAG,oBAAoB,EAAE,CAAC;IAE3C,YACU,WAA0B,EAC1B,cAA8B,EAC9B,oBAA0C,EAC1C,qBAA6C;QAH7C,gBAAW,GAAX,WAAW,CAAe;QAC1B,mBAAc,GAAd,cAAc,CAAgB;QAC9B,yBAAoB,GAApB,oBAAoB,CAAsB;QAC1C,0BAAqB,GAArB,qBAAqB,CAAwB;IACpD,CAAC;IAEJ;;;OAGG;IACH,KAAK,CAAC,IAAI,CACR,QAAgB,EAChB,IAAY,EACZ,WAAoB,EACpB,OAA4C;QAE5C,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,gFAAgF;QAChF,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzD,IAAI,aAAa,EAAE,CAAC;YAClB,+CAA+C;YAC/C,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,IAAI,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC;YAEzE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC/B,MAAM,CAAC,IAAI,CAAC,6BAA6B,aAAa,CAAC,IAAI,CAAC,aAAa,cAAc,aAAa,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,CAAC;YAC9H,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC,sBAAsB,aAAa,CAAC,OAAO,CAAC,aAAa,kBAAkB,CAAC,CAAC;YAC3F,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC,2BAA2B,aAAa,CAAC,YAAY,CAAC,aAAa,kBAAkB,CAAC,CAAC;YACvG,CAAC;YAED,mFAAmF;YACnF,IAAI,WAA0C,CAAC;YAC/C,IAAI,IAAI,CAAC,qBAAqB,IAAI,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,CAAC;gBACzD,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAChE,OAAO,CAAC,KAAK,EACb,IAAI,EACJ,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAC3B,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAEzB,IAAI,WAAW,EAAE,mBAAmB,EAAE,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;gBAC3B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,WAAW;gBACX,MAAM;gBACN,QAAQ;aACT,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,uDAAuD;QACvD,MAAM,YAAY,GAAmB;YACnC,sDAAsD;YACtD,WAAW;gBACT,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;oBACxD,OAAO,CAAC,IAAI,CAAC,mDAAmD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBACpH,OAAO,IAAI,CAAC;gBACd,CAAC,CAAC;gBACJ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;YAEzB,uBAAuB;YACvB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBAChD,OAAO,CAAC,IAAI,CAAC,4CAA4C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC7G,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;YACxE,CAAC,CAAC;YAEF,kBAAkB;YAClB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACnD,OAAO,CAAC,IAAI,CAAC,+CAA+C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChH,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;YAC1D,CAAC,CAAC;YAEF,6BAA6B;YAC7B,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACzD,OAAO,CAAC,IAAI,CAAC,qDAAqD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACtH,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;YAC1D,CAAC,CAAC;SACH,CAAC;QAEF,gCAAgC;QAChC,MAAM,CAAC,eAAe,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAEvF,kBAAkB;QAClB,IAAI,eAAe,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,4CAA4C,eAAe,CAAC,QAAQ,CAAC,MAAM,WAAW,CAAC,CAAC;QACtG,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,6BAA6B,IAAI,CAAC,aAAa,cAAc,IAAI,CAAC,SAAS,OAAO,CAAC,CAAC;QAClG,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,aAAa,kBAAkB,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,2BAA2B,YAAY,CAAC,aAAa,kBAAkB,CAAC,CAAC;YACvF,oEAAoE;QACtE,CAAC;QAED,gFAAgF;QAChF,wFAAwF;QACxF,IAAI,WAA0C,CAAC;QAC/C,IAAI,IAAI,CAAC,qBAAqB,IAAI,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,CAAC;YACzD,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,mBAAmB,CAChE,OAAO,CAAC,KAAK,EACb,IAAI,EACJ,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAC3B,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;gBACZ,OAAO,CAAC,IAAI,CAAC,6DAA6D,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC9H,OAAO,SAAS,CAAC;YACnB,CAAC,CAAC,CAAC;YAEH,IAAI,WAAW,EAAE,mBAAmB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,+BAA+B;QAEnE,0DAA0D;QAC1D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAEhE,OAAO;YACL,MAAM;YACN,IAAI;YACJ,OAAO;YACP,YAAY;YACZ,WAAW;YACX,MAAM;YACN,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,WAAmB;QACjC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACvE,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,OAAO;YACL,OAAO,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;YAC9B,QAAQ;SACT,CAAC;IACJ,CAAC;CACF"}

package/dist/infrastructure/security/input-validator.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Infrastructure: Input Validator
+ * Enterprise-grade input validation and sanitization
+ *
+ * Clean Architecture: Infrastructure Layer
+ * Security: Prevents injection attacks, validates user input
+ */
+export interface ValidationResult {
+    valid: boolean;
+    errors: string[];
+    sanitized?: string;
+}
+/**
+ * Validate file path to prevent directory traversal
+ */
+export declare function validateFilePath(filepath: string): ValidationResult;
+/**
+ * Validate query string to prevent injection
+ */
+export declare function validateQuery(query: string): ValidationResult;
+/**
+ * Validate API key format
+ */
+export declare function validateAPIKey(apiKey: string): ValidationResult;
+/**
+ * Validate file content before processing
+ */
+export declare function validateFileContent(content: string, maxSize?: number): ValidationResult;
+/**
+ * Sanitize user input for logging (prevent sensitive data leakage)
+ */
+export declare function sanitizeForLogging(input: string): string;
+//# sourceMappingURL=input-validator.d.ts.map

package/dist/infrastructure/security/input-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-validator.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/input-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,gBAAgB,CAuCnE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CA4C7D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CA2B/D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,MAAyB,GAAG,gBAAgB,CAkBzG;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmBxD"}

package/dist/infrastructure/security/input-validator.js

@@ -0,0 +1,152 @@
+/**
+ * Infrastructure: Input Validator
+ * Enterprise-grade input validation and sanitization
+ *
+ * Clean Architecture: Infrastructure Layer
+ * Security: Prevents injection attacks, validates user input
+ */
+/**
+ * Validate file path to prevent directory traversal
+ */
+export function validateFilePath(filepath) {
+    const errors = [];
+    // Check for directory traversal attempts
+    if (filepath.includes('..') || filepath.includes('~')) {
+        errors.push('Directory traversal detected in file path');
+    }
+    // Check for absolute paths (should be relative)
+    if (filepath.startsWith('/') || /^[A-Z]:\\/.test(filepath)) {
+        errors.push('Absolute paths not allowed');
+    }
+    // Check for null bytes
+    if (filepath.includes('\0')) {
+        errors.push('Null bytes not allowed in file path');
+    }
+    // Check for dangerous characters
+    const dangerousChars = /[<>:"|?*\x00-\x1f]/;
+    if (dangerousChars.test(filepath)) {
+        errors.push('Invalid characters in file path');
+    }
+    // Sanitize path
+    let sanitized = filepath
+        .replace(/\.\./g, '') // Remove ..
+        .replace(/~/g, '') // Remove ~
+        .replace(/\0/g, '') // Remove null bytes
+        .replace(/[<>:"|?*\x00-\x1f]/g, '_'); // Replace dangerous chars
+    // Normalize path separators
+    sanitized = sanitized.replace(/\\/g, '/');
+    return {
+        valid: errors.length === 0,
+        errors,
+        sanitized: errors.length > 0 ? sanitized : undefined,
+    };
+}
+/**
+ * Validate query string to prevent injection
+ */
+export function validateQuery(query) {
+    const errors = [];
+    // Check for null bytes
+    if (query.includes('\0')) {
+        errors.push('Null bytes not allowed in query');
+    }
+    // Check for command injection patterns
+    const commandInjectionPatterns = [
+        /[;&|`$(){}[\]]/, // Shell metacharacters
+        /<script/i, // XSS attempts
+        /javascript:/i, // JavaScript protocol
+        /on\w+\s*=/i, // Event handlers
+    ];
+    for (const pattern of commandInjectionPatterns) {
+        if (pattern.test(query)) {
+            errors.push('Potentially dangerous characters detected in query');
+            break;
+        }
+    }
+    // Sanitize query
+    let sanitized = query
+        .replace(/\0/g, '') // Remove null bytes
+        .replace(/[;&|`$(){}[\]]/g, '') // Remove shell metacharacters
+        .replace(/<script/gi, '&lt;script') // Escape script tags
+        .replace(/javascript:/gi, '') // Remove javascript protocol
+        .replace(/on\w+\s*=/gi, ''); // Remove event handlers
+    // Trim and limit length
+    sanitized = sanitized.trim();
+    const MAX_QUERY_LENGTH = 10000; // Reasonable limit
+    if (sanitized.length > MAX_QUERY_LENGTH) {
+        errors.push(`Query exceeds maximum length of ${MAX_QUERY_LENGTH} characters`);
+        sanitized = sanitized.substring(0, MAX_QUERY_LENGTH);
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+        sanitized: errors.length > 0 ? sanitized : undefined,
+    };
+}
+/**
+ * Validate API key format
+ */
+export function validateAPIKey(apiKey) {
+    const errors = [];
+    if (!apiKey || apiKey.trim().length === 0) {
+        errors.push('API key is required');
+    }
+    // Check minimum length
+    if (apiKey.length < 10) {
+        errors.push('API key is too short');
+    }
+    // Check for null bytes
+    if (apiKey.includes('\0')) {
+        errors.push('Null bytes not allowed in API key');
+    }
+    // Check for whitespace (API keys shouldn't have spaces)
+    if (apiKey !== apiKey.trim()) {
+        errors.push('API key should not have leading or trailing whitespace');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+        sanitized: errors.length > 0 ? apiKey.trim() : undefined,
+    };
+}
+/**
+ * Validate file content before processing
+ */
+export function validateFileContent(content, maxSize = 10 * 1024 * 1024) {
+    const errors = [];
+    // Check size
+    const sizeInBytes = new Blob([content]).size;
+    if (sizeInBytes > maxSize) {
+        errors.push(`File content exceeds maximum size of ${maxSize} bytes`);
+    }
+    // Check for null bytes (shouldn't be in text files)
+    if (content.includes('\0')) {
+        errors.push('Null bytes detected in file content');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Sanitize user input for logging (prevent sensitive data leakage)
+ */
+export function sanitizeForLogging(input) {
+    // Remove potential secrets (API keys, tokens, etc.)
+    let sanitized = input
+        // Remove API keys (Cohere format: alphanumeric, 40+ chars)
+        .replace(/[A-Za-z0-9]{40,}/g, '[REDACTED]')
+        // Remove email addresses
+        .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, '[EMAIL_REDACTED]')
+        // Remove potential tokens
+        .replace(/token[=:]\s*[A-Za-z0-9_-]+/gi, 'token=[REDACTED]')
+        .replace(/password[=:]\s*[^\s]+/gi, 'password=[REDACTED]')
+        .replace(/secret[=:]\s*[^\s]+/gi, 'secret=[REDACTED]');
+    // Limit length for logging
+    const MAX_LOG_LENGTH = 1000;
+    if (sanitized.length > MAX_LOG_LENGTH) {
+        sanitized = sanitized.substring(0, MAX_LOG_LENGTH) + '...[TRUNCATED]';
+    }
+    return sanitized;
+}
+//# sourceMappingURL=input-validator.js.map

package/dist/infrastructure/security/input-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-validator.js","sourceRoot":"","sources":["../../../src/infrastructure/security/input-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,yCAAyC;IACzC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC3D,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC5C,CAAC;IAED,uBAAuB;IACvB,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACrD,CAAC;IAED,iCAAiC;IACjC,MAAM,cAAc,GAAG,oBAAoB,CAAC;IAC5C,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IACjD,CAAC;IAED,gBAAgB;IAChB,IAAI,SAAS,GAAG,QAAQ;SACrB,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,YAAY;SACjC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW;SAC7B,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,oBAAoB;SACvC,OAAO,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC,CAAC,0BAA0B;IAElE,4BAA4B;IAC5B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAE1C,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,SAAS,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACrD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,uBAAuB;IACvB,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IACjD,CAAC;IAED,uCAAuC;IACvC,MAAM,wBAAwB,GAAG;QAC/B,gBAAgB,EAAE,uBAAuB;QACzC,UAAU,EAAE,eAAe;QAC3B,cAAc,EAAE,sBAAsB;QACtC,YAAY,EAAE,iBAAiB;KAChC,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,wBAAwB,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YAClE,MAAM;QACR,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,SAAS,GAAG,KAAK;SAClB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,oBAAoB;SACvC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,8BAA8B;SAC7D,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,qBAAqB;SACxD,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,6BAA6B;SAC1D,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;IAEvD,wBAAwB;IACxB,SAAS,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IAC7B,MAAM,gBAAgB,GAAG,KAAK,CAAC,CAAC,mBAAmB;IACnD,IAAI,SAAS,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,mCAAmC,gBAAgB,aAAa,CAAC,CAAC;QAC9E,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC;IACvD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,SAAS,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KACrD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACrC,CAAC;IAED,uBAAuB;IACvB,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACtC,CAAC;IAED,uBAAuB;IACvB,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,wDAAwD;IACxD,IAAI,MAAM,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;IACxE,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,SAAS,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS;KACzD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,UAAkB,EAAE,GAAG,IAAI,GAAG,IAAI;IACrF,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,aAAa;IACb,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7C,IAAI,WAAW,GAAG,OAAO,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,wCAAwC,OAAO,QAAQ,CAAC,CAAC;IACvE,CAAC;IAED,oDAAoD;IACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACrD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,oDAAoD;IACpD,IAAI,SAAS,GAAG,KAAK;QACnB,2DAA2D;SAC1D,OAAO,CAAC,mBAAmB,EAAE,YAAY,CAAC;QAC3C,yBAAyB;SACxB,OAAO,CAAC,iDAAiD,EAAE,kBAAkB,CAAC;QAC/E,0BAA0B;SACzB,OAAO,CAAC,8BAA8B,EAAE,kBAAkB,CAAC;SAC3D,OAAO,CAAC,yBAAyB,EAAE,qBAAqB,CAAC;SACzD,OAAO,CAAC,uBAAuB,EAAE,mBAAmB,CAAC,CAAC;IAEzD,2BAA2B;IAC3B,MAAM,cAAc,GAAG,IAAI,CAAC;IAC5B,IAAI,SAAS,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QACtC,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,GAAG,gBAAgB,CAAC;IACxE,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/infrastructure/security/license-scanner.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Infrastructure: License Scanner
+ * Detects license contamination in AI-generated code
+ *
+ * Research Finding: 35% of AI-generated code contains license irregularities
+ * Critical for preventing IP contamination and legal liability
+ *
+ * Based on research: AI Ethics for Coding Assistants
+ * - GPL/MIT/Apache conflicts are common
+ * - Automated detection prevents legal liability
+ * - Must integrate into CI/CD pipeline
+ */
+export interface LicenseFinding {
+    license: string;
+    filepath: string;
+    line?: number;
+    conflictType: 'incompatible' | 'missing' | 'ambiguous';
+    description: string;
+    recommendation: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+}
+export interface LicenseScanResult {
+    findings: LicenseFinding[];
+    totalFindings: number;
+    criticalCount: number;
+    passed: boolean;
+    licenseSummary: Record<string, number>;
+}
+/**
+ * License Scanner
+ * Scans code for license headers and detects conflicts
+ */
+export declare class LicenseScanner {
+    /**
+     * Scan code for license information
+     */
+    scan(filepath: string, code: string): Promise<LicenseScanResult>;
+    /**
+     * Detect license headers in code
+     */
+    private detectLicenseHeaders;
+    /**
+     * Check if code has open-source patterns (might need license)
+     */
+    private hasOpenSourcePatterns;
+    /**
+     * Detect ambiguous license statements
+     */
+    private detectAmbiguousLicenses;
+    /**
+     * Check if code has explicit license statement
+     */
+    private hasExplicitLicense;
+}
+//# sourceMappingURL=license-scanner.d.ts.map

package/dist/infrastructure/security/license-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license-scanner.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/license-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,cAAc,GAAG,SAAS,GAAG,WAAW,CAAC;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CAClD;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAsBD;;;GAGG;AACH,qBAAa,cAAc;IACzB;;OAEG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAsEtE;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA0B5B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAc7B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAe/B;;OAEG;IACH,OAAO,CAAC,kBAAkB;CAW3B"}

package/dist/infrastructure/security/license-scanner.js

@@ -0,0 +1,167 @@
+/**
+ * Infrastructure: License Scanner
+ * Detects license contamination in AI-generated code
+ *
+ * Research Finding: 35% of AI-generated code contains license irregularities
+ * Critical for preventing IP contamination and legal liability
+ *
+ * Based on research: AI Ethics for Coding Assistants
+ * - GPL/MIT/Apache conflicts are common
+ * - Automated detection prevents legal liability
+ * - Must integrate into CI/CD pipeline
+ */
+/**
+ * License Compatibility Matrix
+ * Based on common open-source license compatibility rules
+ */
+const LICENSE_COMPATIBILITY = {
+    // GPL is incompatible with most proprietary licenses
+    'GPL-2.0': ['proprietary', 'Apache-2.0'], // GPL-2.0 incompatible with Apache-2.0
+    'GPL-3.0': ['proprietary', 'Apache-2.0'],
+    // MIT is permissive and compatible with most
+    'MIT': [], // MIT is compatible with everything
+    // Apache-2.0 is compatible with most except GPL-2.0
+    'Apache-2.0': ['GPL-2.0'],
+    // BSD is permissive
+    'BSD-2-Clause': [],
+    'BSD-3-Clause': [],
+};
+/**
+ * License Scanner
+ * Scans code for license headers and detects conflicts
+ */
+export class LicenseScanner {
+    /**
+     * Scan code for license information
+     */
+    async scan(filepath, code) {
+        const findings = [];
+        const detectedLicenses = new Set();
+        // 1. Detect license headers in code
+        const licenseHeaders = this.detectLicenseHeaders(code);
+        // 2. Check for license conflicts
+        for (const detectedLicense of licenseHeaders) {
+            detectedLicenses.add(detectedLicense);
+            // Check compatibility with other detected licenses
+            for (const otherLicense of licenseHeaders) {
+                if (detectedLicense !== otherLicense) {
+                    const incompatibilities = LICENSE_COMPATIBILITY[detectedLicense] || [];
+                    if (incompatibilities.includes(otherLicense)) {
+                        findings.push({
+                            license: detectedLicense,
+                            filepath,
+                            conflictType: 'incompatible',
+                            description: `License conflict: ${detectedLicense} is incompatible with ${otherLicense}`,
+                            recommendation: `Remove one of the conflicting licenses or use a compatible license`,
+                            severity: 'critical',
+                        });
+                    }
+                }
+            }
+        }
+        // 3. Check for missing licenses in generated code
+        // If code appears to use open-source patterns but has no license, warn
+        if (licenseHeaders.length === 0 && this.hasOpenSourcePatterns(code)) {
+            findings.push({
+                license: 'unknown',
+                filepath,
+                conflictType: 'missing',
+                description: 'Generated code may contain open-source patterns but no license header detected',
+                recommendation: 'Add appropriate license header or clarify license status',
+                severity: 'medium',
+            });
+        }
+        // 4. Check for ambiguous license statements
+        const ambiguousLicenses = this.detectAmbiguousLicenses(code);
+        for (const ambiguous of ambiguousLicenses) {
+            findings.push({
+                license: ambiguous,
+                filepath,
+                conflictType: 'ambiguous',
+                description: `Ambiguous license statement detected: ${ambiguous}`,
+                recommendation: 'Clarify license type explicitly',
+                severity: 'low',
+            });
+        }
+        const criticalCount = findings.filter(f => f.severity === 'critical').length;
+        const licenseSummary = {};
+        detectedLicenses.forEach(license => {
+            licenseSummary[license] = (licenseSummary[license] || 0) + 1;
+        });
+        return {
+            findings,
+            totalFindings: findings.length,
+            criticalCount,
+            passed: criticalCount === 0,
+            licenseSummary,
+        };
+    }
+    /**
+     * Detect license headers in code
+     */
+    detectLicenseHeaders(code) {
+        const licenses = [];
+        const upperCode = code.toUpperCase();
+        // Common license patterns
+        const patterns = [
+            { pattern: /GPL.*?v?[23]/i, license: 'GPL-3.0' },
+            { pattern: /GNU.*?GENERAL.*?PUBLIC.*?LICENSE/i, license: 'GPL-3.0' },
+            { pattern: /MIT.*?LICENSE/i, license: 'MIT' },
+            { pattern: /THE.*?MIT.*?LICENSE/i, license: 'MIT' },
+            { pattern: /APACHE.*?LICENSE.*?v?2/i, license: 'Apache-2.0' },
+            { pattern: /BSD.*?LICENSE/i, license: 'BSD-3-Clause' },
+            { pattern: /BSD.*?2.*?CLAUSE/i, license: 'BSD-2-Clause' },
+            { pattern: /ISC.*?LICENSE/i, license: 'ISC' },
+            { pattern: /PROPRIETARY/i, license: 'proprietary' },
+        ];
+        for (const { pattern, license } of patterns) {
+            if (pattern.test(code)) {
+                licenses.push(license);
+            }
+        }
+        return [...new Set(licenses)]; // Remove duplicates
+    }
+    /**
+     * Check if code has open-source patterns (might need license)
+     */
+    hasOpenSourcePatterns(code) {
+        // Patterns that suggest open-source code
+        const patterns = [
+            /copyright/i,
+            /license/i,
+            /github\.com/i,
+            /npm/i,
+            /import.*from.*['"]/i,
+            /require\(/i,
+        ];
+        return patterns.some(pattern => pattern.test(code));
+    }
+    /**
+     * Detect ambiguous license statements
+     */
+    detectAmbiguousLicenses(code) {
+        const ambiguous = [];
+        // Ambiguous patterns
+        if (/open.*?source/i.test(code) && !this.hasExplicitLicense(code)) {
+            ambiguous.push('open-source (unclear)');
+        }
+        if (/free.*?software/i.test(code) && !this.hasExplicitLicense(code)) {
+            ambiguous.push('free software (unclear)');
+        }
+        return ambiguous;
+    }
+    /**
+     * Check if code has explicit license statement
+     */
+    hasExplicitLicense(code) {
+        const explicitPatterns = [
+            /MIT/i,
+            /GPL/i,
+            /Apache/i,
+            /BSD/i,
+            /LICENSE.*?FILE/i,
+        ];
+        return explicitPatterns.some(pattern => pattern.test(code));
+    }
+}
+//# sourceMappingURL=license-scanner.js.map

package/dist/infrastructure/security/license-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"license-scanner.js","sourceRoot":"","sources":["../../../src/infrastructure/security/license-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAoBH;;;GAGG;AACH,MAAM,qBAAqB,GAA6B;IACtD,qDAAqD;IACrD,SAAS,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC,EAAE,uCAAuC;IACjF,SAAS,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC;IAExC,6CAA6C;IAC7C,KAAK,EAAE,EAAE,EAAE,oCAAoC;IAE/C,oDAAoD;IACpD,YAAY,EAAE,CAAC,SAAS,CAAC;IAEzB,oBAAoB;IACpB,cAAc,EAAE,EAAE;IAClB,cAAc,EAAE,EAAE;CACnB,CAAC;AAEF;;;GAGG;AACH,MAAM,OAAO,cAAc;IACzB;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,IAAY;QACvC,MAAM,QAAQ,GAAqB,EAAE,CAAC;QACtC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE3C,oCAAoC;QACpC,MAAM,cAAc,GAAG,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAEvD,iCAAiC;QACjC,KAAK,MAAM,eAAe,IAAI,cAAc,EAAE,CAAC;YAC7C,gBAAgB,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAEtC,mDAAmD;YACnD,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;gBAC1C,IAAI,eAAe,KAAK,YAAY,EAAE,CAAC;oBACrC,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;oBACvE,IAAI,iBAAiB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;wBAC7C,QAAQ,CAAC,IAAI,CAAC;4BACZ,OAAO,EAAE,eAAe;4BACxB,QAAQ;4BACR,YAAY,EAAE,cAAc;4BAC5B,WAAW,EAAE,qBAAqB,eAAe,yBAAyB,YAAY,EAAE;4BACxF,cAAc,EAAE,oEAAoE;4BACpF,QAAQ,EAAE,UAAU;yBACrB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,uEAAuE;QACvE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;YACpE,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,SAAS;gBAClB,QAAQ;gBACR,YAAY,EAAE,SAAS;gBACvB,WAAW,EAAE,gFAAgF;gBAC7F,cAAc,EAAE,0DAA0D;gBAC1E,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,MAAM,iBAAiB,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;QAC7D,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,SAAS;gBAClB,QAAQ;gBACR,YAAY,EAAE,WAAW;gBACzB,WAAW,EAAE,yCAAyC,SAAS,EAAE;gBACjE,cAAc,EAAE,iCAAiC;gBACjD,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;QAC7E,MAAM,cAAc,GAA2B,EAAE,CAAC;QAClD,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;YACjC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,QAAQ;YACR,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,aAAa;YACb,MAAM,EAAE,aAAa,KAAK,CAAC;YAC3B,cAAc;SACf,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,IAAY;QACvC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAErC,0BAA0B;QAC1B,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE;YAChD,EAAE,OAAO,EAAE,mCAAmC,EAAE,OAAO,EAAE,SAAS,EAAE;YACpE,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE;YAC7C,EAAE,OAAO,EAAE,sBAAsB,EAAE,OAAO,EAAE,KAAK,EAAE;YACnD,EAAE,OAAO,EAAE,yBAAyB,EAAE,OAAO,EAAE,YAAY,EAAE;YAC7D,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,cAAc,EAAE;YACtD,EAAE,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,cAAc,EAAE;YACzD,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE;YAC7C,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE;SACpD,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,oBAAoB;IACrD,CAAC;IAED;;OAEG;IACK,qBAAqB,CAAC,IAAY;QACxC,yCAAyC;QACzC,MAAM,QAAQ,GAAG;YACf,YAAY;YACZ,UAAU;YACV,cAAc;YACd,MAAM;YACN,qBAAqB;YACrB,YAAY;SACb,CAAC;QAEF,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,uBAAuB,CAAC,IAAY;QAC1C,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,qBAAqB;QACrB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClE,SAAS,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;YACpE,SAAS,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAY;QACrC,MAAM,gBAAgB,GAAG;YACvB,MAAM;YACN,MAAM;YACN,SAAS;YACT,MAAM;YACN,iBAAiB;SAClB,CAAC;QAEF,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/dist/infrastructure/security/provider-bias-detector.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Infrastructure: Provider Bias Detector
+ * Detects vendor-specific SDK/API usage that creates vendor lock-in
+ *
+ * Research Finding: LLMs systematically favor Google/Amazon services
+ * This creates structural vendor lock-in and violates neutrality
+ *
+ * Based on research: AI Ethics for Coding Assistants
+ * - Provider bias detected in LLM outputs
+ * - Creates vendor lock-in risk
+ * - Must audit and enforce vendor neutrality
+ */
+export interface ProviderBiasFinding {
+    provider: string;
+    service: string;
+    filepath: string;
+    line?: number;
+    description: string;
+    recommendation: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+}
+export interface ProviderBiasResult {
+    findings: ProviderBiasFinding[];
+    totalFindings: number;
+    criticalCount: number;
+    providerSummary: Record<string, number>;
+    passed: boolean;
+}
+/**
+ * Provider Bias Detector
+ * Scans code for provider-specific dependencies and flags vendor lock-in risks
+ */
+export declare class ProviderBiasDetector {
+    private allowedProviders?;
+    constructor(allowedProviders?: string[]);
+    /**
+     * Scan code for provider bias
+     */
+    scan(filepath: string, code: string): Promise<ProviderBiasResult>;
+    /**
+     * Detect provider-specific services in code
+     */
+    private detectProviders;
+    /**
+     * Detect hardcoded service endpoints/configurations
+     */
+    private detectHardcodedServices;
+    /**
+     * Set allowed providers (enforces vendor neutrality policy)
+     */
+    setAllowedProviders(providers: string[]): void;
+}
+//# sourceMappingURL=provider-bias-detector.d.ts.map

package/dist/infrastructure/security/provider-bias-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-bias-detector.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/security/provider-bias-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CAClD;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,MAAM,EAAE,OAAO,CAAC;CACjB;AA0CD;;;GAGG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,gBAAgB,CAAC,CAAW;gBAExB,gBAAgB,CAAC,EAAE,MAAM,EAAE;IAIvC;;OAEG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoEvE;;OAEG;IACH,OAAO,CAAC,eAAe;IAevB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmB/B;;OAEG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI;CAG/C"}