ghostpatch 1.0.0

package/src/detectors/pathtraversal.ts

@@ -0,0 +1,89 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'PATH-TRAVERSAL-FS', name: 'Path Traversal (File System)', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|appendFile|unlink|unlinkSync|open|openSync|access|accessSync)\s*\(\s*(?:req\.|request\.|input|user|param|query|body|path\.join\s*\([^)]*req)/i,
+    description: 'File operation with user-controlled path — directory traversal risk.',
+    remediation: 'Validate paths. Use path.resolve() and verify against a base directory.',
+  },
+  {
+    id: 'PATH-TRAVERSAL-PY', name: 'Path Traversal (Python)', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:open|os\.path\.join|pathlib\.Path|shutil\.copy|os\.rename)\s*\(\s*(?:request\.|input|user_|flask\.request|args\.get|form\.get)/i,
+    description: 'File operation with user-controlled path in Python.',
+    remediation: 'Use os.path.realpath() and verify against base directory.',
+  },
+  {
+    id: 'PATH-TRAVERSAL-JAVA', name: 'Path Traversal (Java)', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:new\s+File|Paths\.get|FileInputStream|FileOutputStream)\s*\(\s*(?:request\.getParameter|servletRequest|param|input)/i,
+    description: 'File operation with user-controlled path in Java.',
+    remediation: 'Canonicalize path and verify it starts with the expected base directory.',
+  },
+  {
+    id: 'PATH-ZIP-SLIP', name: 'Zip Slip Vulnerability', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:extractAll|extract\s*\(|unzip|ZipFile|tar\.extractall|tar\.extract|decompress|gunzip)\s*\(/i,
+    antiPattern: /(?:validatePath|sanitize|startsWith|normalize|realpath|abspath|canonical)/i,
+    description: 'Archive extraction without path validation — Zip Slip vulnerability.',
+    remediation: 'Validate extracted paths stay within intended directory.',
+  },
+  {
+    id: 'PATH-DOT-DOT', name: 'Directory Traversal Sequence', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:\.\.\/|\.\.\\|%2e%2e%2f|%2e%2e\/|\.\.%2f|%2e%2e%5c)/i,
+    antiPattern: /(?:import|require|from\s+['"]|test|spec|relative)/,
+    description: 'Directory traversal sequence detected.',
+    remediation: 'Reject input containing ".." path sequences.',
+  },
+  {
+    id: 'PATH-SEND-FILE', name: 'Unsafe File Serving', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-22',
+    pattern: /(?:sendFile|send_file|download|serveFile)\s*\(\s*(?:req\.|request\.|path\.join\s*\([^)]*(?:req|param|query))/i,
+    description: 'File sent to client based on user input.',
+    remediation: 'Validate file paths and restrict to safe directories.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 3);
+          const ce = Math.min(lines.length, i + 4);
+          if (pat.antiPattern.test(lines.slice(cs, ce).join('\n'))) continue;
+        }
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id, title: pat.name, description: pat.description,
+          severity: pat.severity, confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A01',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}

package/src/detectors/prototype.ts

@@ -0,0 +1,77 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'PROTO-MERGE', name: 'Prototype Pollution via Deep Merge', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-1321',
+    pattern: /(?:Object\.assign|_\.merge|_\.extend|_\.defaultsDeep|deepmerge|deep-extend|merge-deep|lodash\.merge)\s*\(/,
+    antiPattern: /(?:Object\.create\(null\)|hasOwnProperty|__proto__|prototype|constructor.*check)/i,
+    description: 'Deep merge may allow prototype pollution.',
+    remediation: 'Validate input keys. Reject __proto__, constructor, and prototype.',
+  },
+  {
+    id: 'PROTO-BRACKET', name: 'Dynamic Property Assignment', severity: Severity.MEDIUM, confidence: 'low' as const,
+    cwe: 'CWE-1321',
+    pattern: /\w+\s*\[\s*(?:key|prop|name|field|attr|k|p|property)\s*\]\s*=\s*(?!undefined|null|false|true|0|''|"")/,
+    antiPattern: /(?:hasOwnProperty|Object\.keys|Object\.entries|whitelist|allowlist|sanitize|__proto__|prototype|constructor)/i,
+    description: 'Dynamic property assignment without prototype pollution guard.',
+    remediation: 'Check key is not __proto__, constructor, or prototype before assignment.',
+  },
+  {
+    id: 'PROTO-JSON-PARSE', name: 'JSON.parse Without Prototype Check', severity: Severity.LOW, confidence: 'low' as const,
+    cwe: 'CWE-1321',
+    pattern: /JSON\.parse\s*\(\s*(?:req\.|request\.|body|input|user|data)/i,
+    antiPattern: /(?:reviver|filter|sanitize|validate|schema)/i,
+    description: 'JSON.parse of user input may contain __proto__ keys.',
+    remediation: 'Use a JSON reviver to strip __proto__ keys, or validate input schema.',
+  },
+  {
+    id: 'PROTO-RECURSIVE', name: 'Recursive Object Copy', severity: Severity.MEDIUM, confidence: 'low' as const,
+    cwe: 'CWE-1321',
+    pattern: /function\s+(?:deep[Cc]opy|deep[Cc]lone|deep[Mm]erge|extend|assign[Dd]eep)\s*\(/,
+    antiPattern: /(?:__proto__|prototype|constructor|hasOwnProperty|Object\.create\(null\))/i,
+    description: 'Custom deep copy/merge may be vulnerable to prototype pollution.',
+    remediation: 'Add checks for __proto__, constructor, and prototype in recursive operations.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  if (!['javascript', 'typescript'].includes(language)) return findings;
+
+  const lines = content.split('\n');
+  for (const pat of PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 5);
+          const ce = Math.min(lines.length, i + 6);
+          if (pat.antiPattern.test(lines.slice(cs, ce).join('\n'))) continue;
+        }
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id, title: pat.name, description: pat.description,
+          severity: pat.severity, confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A03',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = (start + i === index) ? '>' : ' ';
+    return `${marker} ${lineNum} | ${l}`;
+  }).join('\n');
+}

package/src/detectors/secrets.ts

@@ -0,0 +1,138 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'SEC-AWS-KEY', name: 'AWS Access Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /(?:AKIA|ASIA)[A-Z0-9]{16}/,
+    antiPattern: /(?:example|sample|test|fake|dummy|placeholder|xxx|EXAMPLE)/i,
+    description: 'AWS access key ID found.', remediation: 'Rotate key immediately. Use IAM roles or env vars.',
+  },
+  {
+    id: 'SEC-AWS-SECRET', name: 'AWS Secret Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /(?:aws_secret|AWS_SECRET)\w*\s*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/,
+    description: 'AWS secret access key found.', remediation: 'Rotate immediately. Use AWS Secrets Manager.',
+  },
+  {
+    id: 'SEC-GITHUB-TOKEN', name: 'GitHub Token', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}/,
+    description: 'GitHub personal access token found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-GOOGLE-KEY', name: 'Google API Key', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /AIza[A-Za-z0-9_\\-]{35}/,
+    description: 'Google API key found.', remediation: 'Rotate and restrict key scope. Use env vars.',
+  },
+  {
+    id: 'SEC-SLACK-TOKEN', name: 'Slack Token', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /xox[bpors]-[A-Za-z0-9\-]{10,}/,
+    description: 'Slack API token found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-STRIPE-KEY', name: 'Stripe API Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{20,}/,
+    description: 'Stripe API key found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-PRIVATE-KEY', name: 'Private Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-321', pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/,
+    description: 'Private key embedded in source.', remediation: 'Remove from source. Use key management service.',
+  },
+  {
+    id: 'SEC-GENERIC-API-KEY', name: 'Generic API Key', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-798', pattern: /(?:api[-_]?key|apikey|API[-_]?KEY)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/i,
+    antiPattern: /(?:example|sample|test|fake|dummy|placeholder|xxx|your_|process\.env|os\.environ|config\.|env\[)/i,
+    description: 'Hardcoded API key found.', remediation: 'Store API keys in env vars or secrets manager.',
+  },
+  {
+    id: 'SEC-GENERIC-SECRET', name: 'Generic Secret/Password', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-798', pattern: /(?:secret|token|password|passwd|credentials?)\s*[:=]\s*['"][a-zA-Z0-9!@#$%^&*()\-_+=]{12,}['"]/i,
+    antiPattern: /(?:example|sample|test|fake|dummy|placeholder|xxx|your_|process\.env|os\.environ|config\.|env\[|<|TODO|CHANGE|REPLACE|type|interface|const\s+\w+:\s*string)/i,
+    description: 'Potential hardcoded secret.', remediation: 'Use env vars or secrets manager.',
+  },
+  {
+    id: 'SEC-DB-CONN-STRING', name: 'Database Connection String', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /['"](?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|mssql|redis|amqp):\/\/[^:]+:[^@]+@[^'"]+['"]/i,
+    antiPattern: /(?:localhost|127\.0\.0\.1|example\.com|process\.env|os\.environ)/i,
+    description: 'Database connection string with credentials.', remediation: 'Use env vars for connection strings.',
+  },
+  {
+    id: 'SEC-SENDGRID', name: 'SendGrid API Key', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /SG\.[A-Za-z0-9_\-]{22}\.[A-Za-z0-9_\-]{43}/,
+    description: 'SendGrid API key found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-TWILIO', name: 'Twilio Credentials', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-798', pattern: /(?:AC[a-z0-9]{32}|SK[a-z0-9]{32})/,
+    description: 'Twilio Account SID or API key found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-FIREBASE', name: 'Firebase Config Exposed', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-798', pattern: /(?:firebase|FIREBASE).*(?:apiKey|authDomain|databaseURL)\s*[:=]\s*['"]/i,
+    description: 'Firebase configuration in source.', remediation: 'Use env vars. Secure with Firebase Security Rules.',
+  },
+  {
+    id: 'SEC-HARDCODED-DB-PASS', name: 'Hardcoded Database Password', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /(?:(?:db|database|mysql|postgres|mongo|redis)[-_.]?(?:password|passwd|pass|pwd))\s*[:=]\s*['"][^'"]{4,}['"]/i,
+    antiPattern: /(?:process\.env|os\.environ|config\.|env\[|example|sample|test|your_|placeholder)/i,
+    description: 'Database password hardcoded.', remediation: 'Use env vars or secrets manager.',
+  },
+  {
+    id: 'SEC-OPENAI-KEY', name: 'OpenAI API Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /sk-[A-Za-z0-9]{32,}/,
+    antiPattern: /(?:example|sample|test|fake|placeholder|xxx)/i,
+    description: 'OpenAI API key found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+  {
+    id: 'SEC-ANTHROPIC-KEY', name: 'Anthropic API Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-798', pattern: /sk-ant-[A-Za-z0-9\-]{32,}/,
+    description: 'Anthropic API key found.', remediation: 'Rotate immediately. Use env vars.',
+  },
+];
+
+// All languages — secrets can appear anywhere
+const ALL_LANGS = ['javascript', 'typescript', 'python', 'java', 'go', 'rust', 'c', 'cpp', 'csharp', 'php', 'ruby', 'swift', 'kotlin', 'shell', 'sql'];
+
+export function detect(content: string, filePath: string, _language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern && pat.antiPattern.test(line)) continue;
+
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id,
+          title: pat.name,
+          description: pat.description,
+          severity: pat.severity,
+          confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A02',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+export function detectSecretsOnly(content: string, filePath: string): Finding[] {
+  return detect(content, filePath, 'generic');
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}

package/src/detectors/ssrf.ts

@@ -0,0 +1,77 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'SSRF-USER-URL', name: 'SSRF via User-Controlled URL', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-918',
+    pattern: /(?:fetch|axios|http\.get|https\.get|request|urllib|requests\.(?:get|post|put|delete|head)|HttpClient|http\.NewRequest)\s*\(\s*(?:req\.|request\.|input|user|param|query|body|args)/i,
+    description: 'HTTP request URL from user input — SSRF risk.',
+    remediation: 'Validate URLs against an allowlist. Block internal/private IP ranges.',
+  },
+  {
+    id: 'SSRF-URL-PARAM', name: 'URL From Query Parameter', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-918',
+    pattern: /(?:url|uri|endpoint|target|destination|redirect|callback|webhook)\s*[:=]\s*(?:req\.query|req\.params|request\.args|request\.GET|params\[)/i,
+    description: 'URL taken from query parameter.',
+    remediation: 'Validate URL scheme, host, and resolved IP. Use allowlist.',
+  },
+  {
+    id: 'SSRF-IMAGE-FETCH', name: 'Image/File Fetch from URL', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-918',
+    pattern: /(?:download|fetch|grab|load|import)(?:Image|File|URL|Resource|Content)\s*\(\s*(?:url|uri|src|href|link)/i,
+    antiPattern: /(?:allowlist|whitelist|validateUrl|isAllowed|checkUrl|blockPrivate|isExternal)/i,
+    description: 'File/image download from variable URL.',
+    remediation: 'Validate URL and block internal IP ranges before fetching.',
+  },
+  {
+    id: 'SSRF-WEBHOOK', name: 'Webhook URL from User', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-918',
+    pattern: /(?:webhook|callback|notify)(?:Url|URL|_url|Uri|URI)\s*[:=]\s*(?:req\.|request\.|body\.|input|user)/i,
+    description: 'Webhook URL from user input — can probe internal services.',
+    remediation: 'Validate webhook URLs. Block private IP ranges and localhost.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+  const backendLangs = ['javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp', 'kotlin'];
+
+  if (!backendLangs.includes(language)) return findings;
+
+  for (const pat of PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 3);
+          const ce = Math.min(lines.length, i + 4);
+          if (pat.antiPattern.test(lines.slice(cs, ce).join('\n'))) continue;
+        }
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id, title: pat.name, description: pat.description,
+          severity: pat.severity, confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A10',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}

package/src/detectors/zeroday.ts

@@ -0,0 +1,93 @@
+import { Finding, Severity, AIFinding } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+export interface AIProvider {
+  name: string;
+  analyze(code: string, context: string): Promise<AIFinding[]>;
+  isAvailable(): boolean;
+}
+
+const SUSPICIOUS_PATTERNS = [
+  { pattern: /(?:setTimeout|setInterval)\s*\(\s*\w+\s*,\s*0\s*\)/, reason: 'Potential race condition with zero-delay timer' },
+  { pattern: /(?:await|async).*(?:parallel|all|race).*(?:db|database|write|update|delete|remove)/i, reason: 'Concurrent database operations may cause race conditions' },
+  { pattern: /if\s*\(\s*!?\s*(?:req|request)\.(?:user|session|auth)\s*\)\s*\{?\s*(?:return|throw|next)?[^}]*\}?\s*(?:\/\/|$)/i, reason: 'Authentication check may have bypass logic' },
+  { pattern: /(?:try\s*\{[^}]*(?:throw|error|reject)[^}]*\}\s*catch\s*\(\s*\w+\s*\)\s*\{[^}]*\})/i, reason: 'Error handling may silently swallow security exceptions' },
+  { pattern: /(?:\.then\s*\([^)]*\)\s*\.catch\s*\(\s*(?:\(\s*\)\s*=>|function\s*\(\s*\))\s*\{?\s*\}?\s*\))/i, reason: 'Empty catch handler silences errors' },
+  { pattern: /(?:Object\.keys|for\s*\(\s*(?:let|var|const)\s+\w+\s+(?:in|of)\s+).*(?:req\.|request\.|body|query|params)/i, reason: 'Iterating over user input keys without validation' },
+  { pattern: /(?:async\s+function|=>\s*\{)(?:(?!(?:try|catch|finally)).)*(?:await\s+)(?:(?!(?:try|catch|finally)).)*$/im, reason: 'Async function without error handling' },
+  { pattern: /(?:password|secret|token|key).*(?:===?|!==?|==).*(?:undefined|null|''|"")/i, reason: 'Null/empty check on credential may allow bypass' },
+];
+
+export function detectSuspiciousPatterns(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const { pattern, reason } of SUSPICIOUS_PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      if (pattern.test(lines[i])) {
+        findings.push({
+          id: `ZDAY-PATTERN-${filePath}:${i + 1}`,
+          ruleId: 'ZDAY-SUSPICIOUS',
+          title: 'Suspicious Pattern (AI Analysis Recommended)',
+          description: reason,
+          severity: Severity.LOW,
+          confidence: 'low',
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: 'CWE-691',
+          remediation: 'Enable AI analysis (--ai) for deeper investigation of this pattern.',
+          fingerprint: generateFingerprint('ZDAY', filePath, lines[i].trim()),
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+export async function analyzeWithAI(
+  code: string,
+  filePath: string,
+  language: string,
+  provider: AIProvider
+): Promise<Finding[]> {
+  if (!provider.isAvailable()) return [];
+
+  try {
+    const context = `File: ${filePath}\nLanguage: ${language}\n\nAnalyze this code for security vulnerabilities including:\n- Logic bugs that could lead to authorization bypass\n- Race conditions in concurrent operations\n- Business logic vulnerabilities\n- Novel attack vectors not caught by pattern matching\n- Time-of-check-to-time-of-use (TOCTOU) issues\n- Integer overflow/underflow\n- Null pointer dereference\n- Information leakage`;
+
+    const aiFindings = await provider.analyze(code, context);
+
+    return aiFindings.map((af, index) => ({
+      id: `ZDAY-AI-${filePath}:${index}`,
+      ruleId: 'ZDAY-AI',
+      title: af.title,
+      description: af.description,
+      severity: af.severity,
+      confidence: af.confidence,
+      filePath,
+      line: af.line || 1,
+      codeSnippet: code.split('\n').slice(
+        Math.max(0, (af.line || 1) - 3),
+        (af.line || 1) + 2
+      ).join('\n'),
+      cwe: af.cwe,
+      owasp: 'A04',
+      remediation: af.remediation,
+      aiEnhanced: true,
+      fingerprint: generateFingerprint('ZDAY-AI', filePath, af.title),
+    }));
+  } catch {
+    return [];
+  }
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = (start + i === index) ? '>' : ' ';
+    return `${marker} ${lineNum} | ${l}`;
+  }).join('\n');
+}

package/src/index.ts

@@ -0,0 +1,24 @@
+// GhostPatch — AI-Powered Security Vulnerability Scanner
+// Library API
+
+export { scan, scanFile, scanWithAI } from './core/scanner';
+export { generateReport, reportJSON, reportSARIF, reportHTML, reportTerminal } from './core/reporter';
+export {
+  Finding,
+  AIFinding,
+  ScanResult,
+  ScanSummary,
+  ScanOptions,
+  Rule,
+  GhostPatchConfig,
+  Severity,
+  SEVERITY_ORDER,
+  meetsMinSeverity,
+  severityFromString,
+} from './core/severity';
+export { ALL_RULES, getRulesForLanguage, getRuleById, getRulesByOwasp, getRulesBySeverity, getEnabledRules } from './core/rules';
+export { getAvailableProvider, AIProvider } from './ai/provider';
+export { loadConfig, getDefaultConfig } from './utils/config';
+export { detectLanguage, isSupportedFile, SUPPORTED_LANGUAGES } from './utils/languages';
+export { generateFingerprint, deduplicateFindings } from './utils/fingerprint';
+export { startMCPServer } from './mcp/server';