ferret-scan 2.1.1 → 2.2.0

package/CHANGELOG.md

@@ -16,6 +16,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - REST API for third-party integrations
 - SIEM/SOAR integrations
 
+## [2.2.0] - 2026-04-23
+
+### Security
+- **Bounded content cache**: Replaced unbounded `Map` with `BoundedContentCache` (256 MB aggregate cap, 10,000 entry limit, 1 MB per-file cap with LRU eviction) to prevent OOM on large repos
+- **Quarantine hardening**: Quarantine directory created with mode `0700` (owner-only) on POSIX; permissions verified after creation with a warning if loose; disk-space pre-checked via `statfsSync` before any quarantine operation
+- **BUILTIN_FIXES startup validation**: All 9 built-in remediation patterns validated by `compileSafePattern` at module load time — a bad pattern fails fast at startup rather than at first use
+- **Hybrid AST deadline**: `analyzeFile` now enforces both a per-code-block cap (default 500 ms, `maxBlockMs`) and a file-scoped total cap (default 2 s, `maxMs`). A single hostile markdown block can no longer starve all subsequent blocks of their analysis budget
+- **ReDoS prevention hardened**: `compileSafePattern` updated to screen alternation-inside-quantified-groups patterns; `globToRegex` escapes all regex metacharacters and anchors patterns; all correlation and AST pattern execution runs through `runBounded`
+- **`statfsSync` bigint safety**: Explicit `Number()` coercion in `hasSufficientDiskSpace` guards against future `{ bigint: true }` call-sites
+- **`ignoreComments` regex fix**: Alternation order corrected (longest-first: `ignore-next-line`, `ignore-line`, `ignore`) so `ferret-ignore-next-line` is no longer mis-parsed as `ferret-ignore`
+
+### Added
+- **JSON schema sync**: `src/schemas/ferret-config.schema.json` now generated from the runtime zod schema via `npm run schema:generate`; CI enforces drift detection with `npm run schema:check`
+- **Coverage thresholds**: Per-module Jest coverage thresholds for `safeRegex`, `glob`, `contentCache`, `Fixer`, `Quarantine`, `AstAnalyzer`, all four reporters, `WatchMode`, and `policyEnforcement` — silent regressions now fail CI
+- **CI benchmark regression detection**: `scripts/bench-compare.mjs` compares benchmark results against the cached main-branch baseline and fails PRs that regress by >20%
+
+### Tests
+- **673 tests** across 39 test suites (was 244 tests)
+- New unit tests: `AstAnalyzer`, `ConsoleReporter`, `HtmlReporter`, `SarifReporter`, `WatchMode`, `contentCache`, `safeRegex`, `glob`, `Fixer`, `Quarantine`, `ignoreComments`, `mcpValidator`, `policyEnforcement`, `cliOptions`
+- New integration tests: `remediation` (scan→fix→rescan, quarantine→restore, dry-run, backup round-trip) and `cli` (subprocess exit-code contract for `--version`, `--help`, scan, SARIF output)
+- HtmlReporter XSS escape verified: `<script>` in finding values renders as `&lt;script&gt;`
+- SarifReporter validates SARIF 2.1.0 shape, severity mapping, rule deduplication, and location encoding
+
 ## [2.1.0] - 2026-02-16
 
 ### Added

package/bin/ferret.js

@@ -267,7 +267,7 @@ program
       // Apply baseline filtering if enabled
       if (!options.ignoreBaseline) {
         const baselinePath = options.baseline || getDefaultBaselinePath(config.paths);
-        const baseline = loadBaseline(baselinePath);
+        const baseline = await loadBaseline(baselinePath);
         if (baseline) {
           console.log(`📋 Applying baseline from: ${baselinePath}`);
           result = filterAgainstBaseline(result, baseline);
@@ -514,7 +514,7 @@ baselineCmd
       const baselinePath = options.output || getDefaultBaselinePath(config.paths);
       const baseline = createBaseline(result, options.description);
 
-      saveBaseline(baseline, baselinePath);
+      await saveBaseline(baseline, baselinePath);
       console.log(`✅ Created baseline with ${baseline.findings.length} findings`);
       console.log(`📋 Baseline saved to: ${baselinePath}`);
 
@@ -528,10 +528,10 @@ baselineCmd
   .command('show')
   .description('Show baseline information')
   .argument('[file]', 'Baseline file path (defaults to .ferret-baseline.json)')
-  .action((file) => {
+  .action(async (file) => {
     try {
       const baselinePath = file || getDefaultBaselinePath([process.cwd()]);
-      const baseline = loadBaseline(baselinePath);
+      const baseline = await loadBaseline(baselinePath);
 
       if (!baseline) {
         console.error(`No baseline found at: ${baselinePath}`);
@@ -578,7 +578,7 @@ baselineCmd
   .action(async (file, options) => {
     try {
       const baselinePath = file || getDefaultBaselinePath([process.cwd()]);
-      const baseline = loadBaseline(baselinePath);
+      const baseline = await loadBaseline(baselinePath);
 
       if (!baseline) {
         console.error(`No baseline found at: ${baselinePath}`);

package/dist/analyzers/AstAnalyzer.d.ts

@@ -6,7 +6,11 @@ import type { SemanticFinding, DiscoveredFile, Rule } from '../types.js';
 /**
  * Analyze a single file for semantic patterns
  */
-export declare function analyzeFile(file: DiscoveredFile, content: string, rules: Rule[]): Promise<SemanticFinding[]>;
+export declare function analyzeFile(file: DiscoveredFile, content: string, rules: Rule[], opts?: {
+    maxMs?: number;
+    maxNodes?: number;
+    maxBlockMs?: number;
+}): Promise<SemanticFinding[]>;
 /**
  * Check if semantic analysis should be performed
  */

package/dist/analyzers/AstAnalyzer.js

@@ -133,11 +133,19 @@ function extractSemanticContext(tsLib, sourceFile) {
     return context;
 }
 /**
- * Find security patterns in AST
+ * Find security patterns in AST, with optional time and node-count guards.
  */
-function findSecurityPatterns(tsLib, sourceFile, patterns) {
+function findSecurityPatterns(tsLib, sourceFile, patterns, opts) {
     const matches = [];
+    let nodeCount = 0;
+    const deadline = opts?.deadline;
+    const maxNodes = opts?.maxNodes ?? 50_000;
     function visit(node) {
+        nodeCount++;
+        if (nodeCount > maxNodes)
+            return;
+        if (deadline !== undefined && Date.now() > deadline)
+            return;
         for (const pattern of patterns) {
             const match = matchSemanticPattern(tsLib, node, pattern, sourceFile);
             if (match) {
@@ -277,8 +285,11 @@ function createContextLines(sourceFile, node, contextLines = 3) {
 /**
  * Analyze a single file for semantic patterns
  */
-export async function analyzeFile(file, content, rules) {
+export async function analyzeFile(file, content, rules, opts) {
     const findings = [];
+    const maxMs = opts?.maxMs ?? 2000;
+    const maxNodes = opts?.maxNodes ?? 50_000;
+    const perBlockMs = Math.min(maxMs, opts?.maxBlockMs ?? 500);
     try {
         // Get rules with semantic patterns
         const semanticRules = rules.filter(rule => rule.semanticPatterns && rule.semanticPatterns.length > 0);
@@ -296,16 +307,26 @@ export async function analyzeFile(file, content, rules) {
             // Analyze the entire file for TypeScript/JavaScript files
             codeBlocksToAnalyze = [{ code: content, language: file.type, line: 1 }];
         }
+        const fileDeadline = Date.now() + maxMs;
         // Analyze each code block
         for (const codeBlock of codeBlocksToAnalyze) {
+            if (Date.now() > fileDeadline) {
+                logger.warn(`AST analysis file deadline (${maxMs}ms) reached for ${file.relativePath}; skipping remaining code blocks`);
+                break;
+            }
             try {
                 const sourceFile = createAST(tsLib, codeBlock.code, `${file.relativePath}_block_${codeBlock.line}.${codeBlock.language}`);
                 const semanticContext = extractSemanticContext(tsLib, sourceFile);
+                // Per-block deadline: min of (remaining file budget, per-block cap).
+                const blockDeadline = Math.min(fileDeadline, Date.now() + perBlockMs);
                 // Check each semantic rule
                 for (const rule of semanticRules) {
                     if (!rule.semanticPatterns)
                         continue;
-                    const patternMatches = findSecurityPatterns(tsLib, sourceFile, rule.semanticPatterns);
+                    const patternMatches = findSecurityPatterns(tsLib, sourceFile, rule.semanticPatterns, {
+                        deadline: blockDeadline,
+                        maxNodes,
+                    });
                     for (const match of patternMatches) {
                         const position = getPositionFromNode(match.node, sourceFile);
                         const astNodeInfo = createASTNodeInfo(tsLib, match.node, sourceFile);

package/dist/features/ignoreComments.js

@@ -8,16 +8,16 @@ import logger from '../utils/logger.js';
  */
 const COMMENT_PATTERNS = {
     default: [
-        /\/\/\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
-        /\/\*\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^*]+))?\s*\*\//gi,
-        /#\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
+        /\/\/\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
+        /\/\*\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^*]+))?\s*\*\//gi,
+        /#\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
     ],
     html: [
         // Non-greedy capture so rule ids like "INJ-001" (with hyphens) work correctly.
-        /<!--\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+(.+?))?\s*-->/gi,
+        /<!--\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+(.+?))?\s*-->/gi,
     ],
     sql: [
-        /--\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
+        /--\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
     ],
 };
 /**

package/dist/features/policyEnforcement.js

@@ -6,6 +6,7 @@
 import { readFileSync, existsSync, writeFileSync } from 'node:fs';
 import { resolve } from 'node:path';
 import { z } from 'zod';
+import { globToRegex } from '../utils/glob.js';
 import logger from '../utils/logger.js';
 /**
  * Policy rule schema
@@ -161,7 +162,7 @@ function findingMatchesConditions(finding, conditions) {
     if (conditions.ruleIds && conditions.ruleIds.length > 0) {
         const matchesRule = conditions.ruleIds.some(id => {
             if (id.includes('*')) {
-                const pattern = new RegExp('^' + id.replace(/\*/g, '.*') + '$');
+                const pattern = globToRegex(id, { pathLike: false });
                 return pattern.test(finding.ruleId);
             }
             return finding.ruleId === id;
@@ -184,7 +185,7 @@ function findingMatchesConditions(finding, conditions) {
     // Check file patterns
     if (conditions.filePatterns && conditions.filePatterns.length > 0) {
         const matchesFile = conditions.filePatterns.some(pattern => {
-            const regex = new RegExp(pattern.replace(/\*/g, '.*'));
+            const regex = globToRegex(pattern, { pathLike: true });
             return regex.test(finding.file) || regex.test(finding.relativePath);
         });
         if (!matchesFile)

package/dist/remediation/Fixer.js

@@ -7,6 +7,7 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync, statS
 import { resolve, dirname, basename } from 'node:path';
 import logger from '../utils/logger.js';
 import { validatePathWithinBase, sanitizeFilename, isPathWithinBase } from '../utils/pathSecurity.js';
+import { compileSafePattern, safeMatch, safeTest } from '../utils/safeRegex.js';
 /**
  * Default remediation options
  */
@@ -99,6 +100,13 @@ const BUILTIN_FIXES = [
         automatic: false
     }
 ];
+// Fail fast at module load if any built-in pattern is rejected by the safe-regex gate.
+// This catches contributor mistakes at startup rather than silently at fix-application time.
+for (const fix of BUILTIN_FIXES) {
+    if (!compileSafePattern(fix.pattern)) {
+        throw new Error(`Fixer startup: BUILTIN_FIXES pattern rejected by compileSafePattern: ${fix.description} (${fix.pattern})`);
+    }
+}
 /**
  * Create backup of file before modification
  */
@@ -125,34 +133,55 @@ function applyFix(content, fix, _finding) {
     try {
         switch (fix.type) {
             case 'replace': {
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const originalLineCount = content.split('\n').length;
                 const replacement = fix.replacement ?? '';
+                // Use safe bounded matching to find replacements
+                const matchResult = safeMatch(fix.pattern, content, 'gi');
+                if (!matchResult) {
+                    logger.warn(`Safe match failed for pattern: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
+                if (matchResult.truncated) {
+                    logger.warn(`Fix pattern execution truncated for safety: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
+                // Apply replacement safely
                 newContent = content.replace(regex, replacement);
                 const newLineCount = newContent.split('\n').length;
-                linesModified = Math.abs(newLineCount - originalLineCount);
-                // Count actual replacements
-                const matches = content.match(regex);
-                if (matches) {
-                    linesModified = Math.max(linesModified, matches.length);
-                }
+                linesModified = Math.max(Math.abs(newLineCount - originalLineCount), matchResult.matches.length);
                 break;
             }
             case 'remove': {
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const lines = content.split('\n');
-                const filteredLines = lines.filter(line => !regex.test(line));
+                const filteredLines = lines.filter(line => {
+                    const isMatch = safeTest(fix.pattern, line, 'i');
+                    return !isMatch;
+                });
                 newContent = filteredLines.join('\n');
                 linesModified = lines.length - filteredLines.length;
                 break;
             }
             case 'quarantine': {
-                // For quarantine, we comment out the problematic lines
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const lines = content.split('\n');
                 for (let i = 0; i < lines.length; i++) {
                     const line = lines[i] ?? '';
-                    if (regex.test(line)) {
+                    const isMatch = safeTest(fix.pattern, line, 'i');
+                    if (isMatch) {
                         lines[i] = `# QUARANTINED: ${line}`;
                         linesModified++;
                     }
@@ -191,25 +220,22 @@ function findApplicableFixes(finding) {
     }
     // Check built-in fixes
     for (const fix of BUILTIN_FIXES) {
-        try {
-            const regex = new RegExp(fix.pattern, 'i');
-            // Check if fix pattern matches the finding
-            if (regex.test(finding.match) || regex.test(finding.context.map(c => c.content).join('\n'))) {
-                applicableFixes.push(fix);
-            }
-            // Check by rule category
-            if (finding.category === 'credentials' && fix.description.includes('credential')) {
-                applicableFixes.push(fix);
-            }
-            if (finding.category === 'injection' && fix.description.includes('jailbreak')) {
-                applicableFixes.push(fix);
-            }
-            if (finding.category === 'permissions' && fix.description.includes('permission')) {
-                applicableFixes.push(fix);
-            }
+        // Use safe pattern matching
+        const matchesDirectly = safeTest(fix.pattern, finding.match, 'i');
+        const contextText = finding.context.map(c => c.content).join('\n');
+        const matchesContext = safeTest(fix.pattern, contextText, 'i');
+        if (matchesDirectly || matchesContext) {
+            applicableFixes.push(fix);
+        }
+        // Check by rule category
+        if (finding.category === 'credentials' && fix.description.includes('credential')) {
+            applicableFixes.push(fix);
+        }
+        if (finding.category === 'injection' && fix.description.includes('jailbreak')) {
+            applicableFixes.push(fix);
         }
-        catch {
-            logger.warn(`Invalid fix pattern: ${fix.pattern}`);
+        if (finding.category === 'permissions' && fix.description.includes('permission')) {
+            applicableFixes.push(fix);
         }
     }
     // Remove duplicates

package/dist/remediation/Quarantine.js

@@ -2,11 +2,49 @@
  * Quarantine System - Safely isolate suspicious files and content
  * Provides reversible quarantine operations with audit trails
  */
-import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync, unlinkSync, statSync } from 'node:fs';
+import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync, unlinkSync, statSync, statfsSync } from 'node:fs';
 import { resolve, dirname, basename } from 'node:path';
 import { createHash } from 'node:crypto';
 import logger from '../utils/logger.js';
 import { validatePathWithinBase, isPathWithinBase } from '../utils/pathSecurity.js';
+/**
+ * Create a quarantine-grade directory with restrictive permissions (0700 on POSIX).
+ * On Windows, Node silently ignores the mode argument — permissions are managed by
+ * the OS ACL instead.
+ */
+function ensureSecureDir(dir) {
+    // 0o700 = owner-only rwx; harmlessly ignored on Windows
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+    // Verify no group/other bits leaked through (e.g. pre-existing dir with loose perms).
+    // stat().mode & 0o077 !== 0 means at least one g/o bit is set.
+    if (process.platform !== 'win32') {
+        const mode = statSync(dir).mode;
+        if ((mode & 0o077) !== 0) {
+            logger.warn(`Quarantine directory ${dir} has loose permissions (mode ${(mode & 0o777).toString(8)}); secrets may be readable by other users`);
+        }
+    }
+}
+/**
+ * Check whether the quarantine directory has sufficient free space for a file of the given size.
+ * Refuses if the file is ≥50% of remaining disk space to prevent filling the disk.
+ * Returns true (allow) when statfsSync is unavailable (older Node / Windows).
+ */
+function hasSufficientDiskSpace(dir, requiredBytes) {
+    try {
+        // statfsSync is available in Node ≥18.15.0 on POSIX; falls through on Windows.
+        const stats = statfsSync(dir);
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-conversion -- guards against a future { bigint: true } call-site; safe up to ~9 PB
+        const freeBytes = Number(stats.bavail) * Number(stats.bsize);
+        if (requiredBytes >= freeBytes * 0.5) {
+            logger.warn(`Insufficient disk space for quarantine: need ${requiredBytes} bytes, ${freeBytes} available`);
+            return false;
+        }
+    }
+    catch {
+        // statfsSync unavailable — skip the check rather than failing the quarantine.
+    }
+    return true;
+}
 /**
  * Default quarantine options
  */
@@ -66,8 +104,8 @@ export function loadQuarantineDatabase(quarantineDir) {
  */
 export function saveQuarantineDatabase(db, quarantineDir) {
     try {
-        // Ensure directory exists
-        mkdirSync(quarantineDir, { recursive: true });
+        // Ensure directory exists with secure permissions
+        ensureSecureDir(quarantineDir);
         // Update stats and metadata
         db.lastUpdated = new Date().toISOString();
         db.stats = calculateQuarantineStats(db.entries);
@@ -139,8 +177,13 @@ export function quarantineFile(filePath, findings, reason, options = {}) {
         const fileName = basename(filePath);
         const quarantineFileName = `${id}_${fileName}`;
         const quarantinePath = resolve(config.quarantineDir, 'files', quarantineFileName);
-        // Ensure quarantine directory exists
-        mkdirSync(dirname(quarantinePath), { recursive: true });
+        // Ensure quarantine directory exists with secure permissions
+        ensureSecureDir(dirname(quarantinePath));
+        // Refuse quarantine if disk space is critically low
+        if (!hasSufficientDiskSpace(dirname(quarantinePath), stats.size)) {
+            logger.error(`Quarantine aborted for ${filePath}: insufficient disk space`);
+            return null;
+        }
         // Copy file to quarantine
         copyFileSync(filePath, quarantinePath);
         // Calculate metadata
@@ -321,6 +364,13 @@ export function checkQuarantineHealth(quarantineDir = DEFAULT_OPTIONS.quarantine
     if (!existsSync(quarantineFilesDir)) {
         issues.push('Quarantine files directory missing');
     }
+    // Check directory permissions (POSIX only)
+    if (process.platform !== 'win32' && existsSync(quarantineDir)) {
+        const mode = statSync(quarantineDir).mode;
+        if ((mode & 0o077) !== 0) {
+            issues.push(`Quarantine directory has loose permissions (mode ${(mode & 0o777).toString(8)}); run chmod 700 ${quarantineDir}`);
+        }
+    }
     return {
         healthy: issues.length === 0,
         issues,

package/dist/rules/ai-specific.js

@@ -29,9 +29,9 @@ export const aiSpecificRules = [
         severity: 'HIGH',
         description: 'Detects attempts to make Claude impersonate other entities',
         patterns: [
-            /pretend\s+(to\s+be|you\s+are)\s+.*(anthropic|openai|google|microsoft)/gi,
+            /pretend\s+(to\s+be|you\s+are)\s+[^\n]{0,100}(anthropic|openai|google|microsoft)/gi,
             /you\s+are\s+(now\s+)?(an?\s+)?(anthropic|openai)\s+(employee|staff|system)/gi,
-            /impersonate\s+.*(admin|moderator|system|support)/gi,
+            /impersonate\s+[^\n]{0,100}(admin|moderator|system|support)/gi,
         ],
         fileTypes: ['md'],
         components: ['skill', 'agent', 'ai-config-md'],
@@ -82,8 +82,8 @@ export const aiSpecificRules = [
         severity: 'HIGH',
         description: 'Detects setup for multi-step attacks that unfold over time',
         patterns: [
-            /on\s+the\s+next\s+(message|turn|response)\s+.*(execute|attack|inject|exfiltrate)/gi,
-            /when\s+the\s+user\s+says\s+.*(trigger|activate|execute)\s+.*(attack|payload|exploit)/gi,
+            /on\s+the\s+next\s+(message|turn|response)\s+[^\n]{0,100}(execute|attack|inject|exfiltrate)/gi,
+            /when\s+the\s+user\s+says\s+[^\n]{0,100}(trigger|activate|execute)[^\n]{0,100}(attack|payload|exploit)/gi,
             /wait\s+for\s+(signal|trigger|command)\s+to\s+(attack|execute|inject)/gi,
             /phase\s+\d+\s*:\s*(attack|exploit|inject|exfiltrate|payload)/gi,
             /step\s+\d+\s*:\s*(gain|escalate|exfiltrate|compromise)/gi,
@@ -118,7 +118,7 @@ export const aiSpecificRules = [
         severity: 'MEDIUM',
         description: 'Detects attempts to manipulate output formatting for injection',
         patterns: [
-            /output\s+.*(json|xml|html)\s+without\s+(escaping|validation)/gi,
+            /output\s+[^\n]{0,100}(json|xml|html)\s+without\s+(escaping|validation)/gi,
             /include\s+(raw|unescaped)\s+(html|script|code)/gi,
             /respond\s+with\s+raw\s+/gi,
         ],
@@ -167,8 +167,8 @@ export const aiSpecificRules = [
         severity: 'CRITICAL',
         description: 'Detects patterns that set up indirect prompt injection',
         patterns: [
-            /when\s+you\s+(read|see|find)\s+.*(execute|run|follow)/gi,
-            /if\s+.*(file|url|content)\s+contains.*then\s+(do|execute|run)/gi,
+            /when\s+you\s+(read|see|find)\s+[^\n]{0,100}(execute|run|follow)/gi,
+            /if\s+[^\n]{0,100}(file|url|content)\s+contains[^\n]{0,100}then\s+(do|execute|run)/gi,
             /follow\s+instructions\s+(in|from)\s+(the|any)\s+(file|url|content)/gi,
         ],
         fileTypes: ['md'],
@@ -184,7 +184,7 @@ export const aiSpecificRules = [
         severity: 'HIGH',
         description: 'Detects instructions to abuse AI CLI tools',
         patterns: [
-            /use\s+(bash|write|edit)\s+tool\s+to.*(delete|remove|destroy)/gi,
+            /use\s+(bash|write|edit)\s+tool\s+to[^\n]{0,100}(delete|remove|destroy)/gi,
             /execute\s+(arbitrary|any)\s+(commands?|code)/gi,
             /bypass\s+tool\s+(restrictions|limits|permissions)/gi,
         ],
@@ -215,6 +215,27 @@ export const aiSpecificRules = [
             'https://owasp.org/www-project-top-10-for-large-language-model-applications/',
         ],
         enabled: true,
+        // Mirror INJ-003 semantic context suppression: a skill that discusses,
+        // documents, detects, or provides examples of these techniques is not
+        // itself a jailbreak attempt.
+        excludePatterns: [
+            // Line discusses detection/blocking rather than deployment
+            /\b(detect|catch|flag|block|prevent|scan\s+for|identify|reject|report)\b[^\n]{0,80}(jailbreak|DAN|bypass)/gi,
+            /\b(jailbreak|DAN|bypass)\b[^\n]{0,80}\b(detect|catch|flag|block|prevent|found|identified)/gi,
+            // Term appears inside a quoted string
+            /["'][^"'\n]{0,120}\b(jailbreak|DAN)\b[^"'\n]{0,120}["']/gi,
+            // Scanner rule-ID reference on the same line
+            /\[(?:INJ|AI|SEC|CRED)-\d+\]/gi,
+            // Markdown example label
+            /^\s*\*\*(?:Input|Output|Example|Finding|Result)\*\*\s*:/i,
+        ],
+        excludeContext: [
+            /\b(security\s+(rule|finding|scan|check|gate|scanner|score)|ferret.?scan|scan\s+result)/gi,
+            /\b(example\s+of|this\s+detects|used\s+to\s+(bypass|attack)|common\s+(attack|technique)|known\s+(jailbreak|attack))/gi,
+            /\b(security\s+scanner|vulnerability\s+scanner|threat\s+detect|scan\s+for\s+(injection|jailbreak))/gi,
+            /^\s*##\s+Example/im,
+            /publication\s+blocked/gi,
+        ],
     },
     {
         id: 'AI-011',

package/dist/rules/backdoors.js

@@ -32,10 +32,10 @@ export const backdoorRules = [
         patterns: [
             /\/bin\/(ba)?sh\s+-i/gi,
             /bash\s+-i\s+>&/gi,
-            /nc\s+.*-e\s+\/bin/gi,
-            /python.*socket.*connect/gi,
-            /perl.*socket.*INET/gi,
-            /ruby.*TCPSocket/gi,
+            /nc\s+[^\n]{0,100}-e\s+\/bin/gi,
+            /python[^\n]{0,100}socket[^\n]{0,100}connect/gi,
+            /perl[^\n]{0,100}socket[^\n]{0,100}INET/gi,
+            /ruby[^\n]{0,100}TCPSocket/gi,
         ],
         fileTypes: ['sh', 'bash', 'zsh', 'md'],
         components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
@@ -50,10 +50,10 @@ export const backdoorRules = [
         severity: 'CRITICAL',
         description: 'Detects patterns that download and execute remote code',
         patterns: [
-            /curl\s+.*\|\s*(ba)?sh/gi,
-            /wget\s+.*\|\s*(ba)?sh/gi,
-            /curl\s+.*\|\s*python/gi,
-            /wget\s+.*-O\s*-\s*\|\s*(ba)?sh/gi,
+            /curl\s+[^\n]{0,200}\|\s*(ba)?sh/gi,
+            /wget\s+[^\n]{0,200}\|\s*(ba)?sh/gi,
+            /curl\s+[^\n]{0,200}\|\s*python/gi,
+            /wget\s+[^\n]{0,100}-O\s*-\s*\|\s*(ba)?sh/gi,
         ],
         fileTypes: ['sh', 'bash', 'zsh', 'md'],
         components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
@@ -71,7 +71,7 @@ export const backdoorRules = [
             />\s*\/etc\//gi,
             />\s*~\/\.(bash|zsh|profile)/gi,
             /tee\s+\/etc\//gi,
-            /echo.*>>\s*~\/\.(bash|zsh)/gi,
+            /echo[^\n]{0,200}>>\s*~\/\.(bash|zsh)/gi,
         ],
         fileTypes: ['sh', 'bash', 'zsh', 'md'],
         components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
@@ -104,7 +104,7 @@ export const backdoorRules = [
         severity: 'MEDIUM',
         description: 'Detects creation of background processes or daemons',
         patterns: [
-            /nohup\s+.*&/gi,
+            /nohup\s+[^\n]{0,200}&/gi,
             /disown/gi,
             /setsid/gi,
             /&\s*$/gm,
@@ -122,8 +122,8 @@ export const backdoorRules = [
         severity: 'CRITICAL',
         description: 'Detects execution of base64 or otherwise encoded commands',
         patterns: [
-            /echo\s+.*\|\s*base64\s+-d\s*\|\s*(ba)?sh/gi,
-            /base64\s+-d.*\|\s*(ba)?sh/gi,
+            /echo\s+[^\n]{0,200}\|\s*base64\s+-d\s*\|\s*(ba)?sh/gi,
+            /base64\s+-d[^\n]{0,100}\|\s*(ba)?sh/gi,
             /python\s+-c\s+['"]import\s+base64/gi,
         ],
         fileTypes: ['sh', 'bash', 'zsh', 'md'],

package/dist/rules/correlationRules.js

@@ -22,7 +22,7 @@ export const correlationRules = [
             {
                 id: 'CORR-001-A',
                 description: 'Credential access followed by network transmission',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'SECRET|TOKEN|API_KEY|getenv|process\\.env',
                     'fetch|axios|XMLHttpRequest|curl|wget|request'
@@ -50,7 +50,7 @@ export const correlationRules = [
             {
                 id: 'CORR-002-A',
                 description: 'Permission escalation with startup persistence',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'chmod|chown|setuid|sudo|defaultMode.*dontAsk',
                     'startup|onload|autostart|service.*enable|systemctl.*enable'
@@ -131,7 +131,7 @@ export const correlationRules = [
             {
                 id: 'CORR-005-A',
                 description: 'AI safeguard bypass with data harvesting',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'ignore.*previous.*instruction|forget.*safeguard|bypass.*filter',
                     'conversation.*history|user.*data|personal.*information|collect.*data'
@@ -158,7 +158,7 @@ export const correlationRules = [
             {
                 id: 'CORR-006-A',
                 description: 'Package installation with network communication',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'npm.*install|pip.*install|wget.*http|curl.*http|git.*clone',
                     'http://|https://|fetch\\(|axios|request\\(|XMLHttpRequest'
@@ -186,7 +186,7 @@ export const correlationRules = [
             {
                 id: 'CORR-007-A',
                 description: 'File access with network transmission',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'readFile|writeFile|fs\\.|glob|find.*-name',
                     'fetch\\(|axios|post|put|XMLHttpRequest'
@@ -213,7 +213,7 @@ export const correlationRules = [
             {
                 id: 'CORR-008-A',
                 description: 'Authentication bypass with privileged access',
-                filePatterns: ['*'],
+                filePatterns: [],
                 contentPatterns: [
                     'auth.*bypass|no.*auth|skip.*login|admin.*access',
                     'sudo|root|administrator|privileged|elevated'

package/dist/rules/index.d.ts

@@ -33,6 +33,7 @@ export declare function getRuleById(id: string): Rule | undefined;
  * Get enabled rules only
  */
 export declare function getEnabledRules(): Rule[];
+export declare function clearRuleCache(): void;
 /**
  * Get rules for scanning with filters applied
  */

package/dist/rules/index.js

@@ -59,10 +59,18 @@ export function getRuleById(id) {
 export function getEnabledRules() {
     return ALL_RULES.filter(rule => rule.enabled);
 }
+const scanRuleCache = new Map();
+export function clearRuleCache() {
+    scanRuleCache.clear();
+}
 /**
  * Get rules for scanning with filters applied
  */
 export function getRulesForScan(categories, severities) {
+    const key = `${[...categories].sort().join(',')}::${[...severities].sort().join(',')}`;
+    const cached = scanRuleCache.get(key);
+    if (cached)
+        return cached;
     const rules = ALL_RULES.filter(rule => {
         if (!rule.enabled)
             return false;
@@ -72,7 +80,8 @@ export function getRulesForScan(categories, severities) {
             return false;
         return true;
     });
-    logger.debug(`Loaded ${rules.length} rules for scan`);
+    scanRuleCache.set(key, rules);
+    logger.debug(`Loaded ${rules.length} rules for scan (cached)`);
     return rules;
 }
 /**