npm - hackmyagent - Versions diffs - 0.16.0 → 0.16.2 - Mend

hackmyagent 0.16.0 → 0.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist/.integrity-manifest.json +1 -1
package/dist/arp/intelligence/nanomind-l1.d.ts +30 -0
package/dist/arp/intelligence/nanomind-l1.d.ts.map +1 -1
package/dist/arp/intelligence/nanomind-l1.js +115 -0
package/dist/arp/intelligence/nanomind-l1.js.map +1 -1
package/dist/cli.js +220 -19
package/dist/cli.js.map +1 -1
package/dist/hardening/scanner.d.ts.map +1 -1
package/dist/hardening/scanner.js +148 -7
package/dist/hardening/scanner.js.map +1 -1
package/dist/hardening/taxonomy.d.ts +2 -0
package/dist/hardening/taxonomy.d.ts.map +1 -1
package/dist/hardening/taxonomy.js +5 -0
package/dist/hardening/taxonomy.js.map +1 -1
package/dist/nanomind-core/analyzers/credential-analyzer.js +12 -3
package/dist/nanomind-core/analyzers/credential-analyzer.js.map +1 -1
package/dist/nanomind-core/analyzers/stego-analyzer.d.ts +30 -0
package/dist/nanomind-core/analyzers/stego-analyzer.d.ts.map +1 -0
package/dist/nanomind-core/analyzers/stego-analyzer.js +533 -0
package/dist/nanomind-core/analyzers/stego-analyzer.js.map +1 -0
package/dist/nanomind-core/daemon-lifecycle.d.ts +28 -0
package/dist/nanomind-core/daemon-lifecycle.d.ts.map +1 -0
package/dist/nanomind-core/daemon-lifecycle.js +142 -0
package/dist/nanomind-core/daemon-lifecycle.js.map +1 -0
package/dist/nanomind-core/inference/tme-classifier.d.ts +3 -2
package/dist/nanomind-core/inference/tme-classifier.d.ts.map +1 -1
package/dist/nanomind-core/inference/tme-classifier.js +26 -16
package/dist/nanomind-core/inference/tme-classifier.js.map +1 -1
package/dist/nanomind-core/orchestrate.d.ts.map +1 -1
package/dist/nanomind-core/orchestrate.js +11 -1
package/dist/nanomind-core/orchestrate.js.map +1 -1
package/dist/nanomind-core/scanner-bridge.d.ts.map +1 -1
package/dist/nanomind-core/scanner-bridge.js +6 -0
package/dist/nanomind-core/scanner-bridge.js.map +1 -1
package/dist/plugins/credvault.d.ts.map +1 -1
package/dist/plugins/credvault.js +25 -0
package/dist/plugins/credvault.js.map +1 -1
package/dist/semantic/nanomind-enhancer.d.ts.map +1 -1
package/dist/semantic/nanomind-enhancer.js +206 -0
package/dist/semantic/nanomind-enhancer.js.map +1 -1
package/dist/telemetry/nanomind-feedback.d.ts +43 -0
package/dist/telemetry/nanomind-feedback.d.ts.map +1 -0
package/dist/telemetry/nanomind-feedback.js +104 -0
package/dist/telemetry/nanomind-feedback.js.map +1 -0
package/dist/telemetry/nanomind-telemetry.d.ts +48 -0
package/dist/telemetry/nanomind-telemetry.d.ts.map +1 -0
package/dist/telemetry/nanomind-telemetry.js +123 -0
package/dist/telemetry/nanomind-telemetry.js.map +1 -0
package/package.json +1 -1

package/dist/hardening/scanner.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAY,WAAW,EAAE,MAAM,kBAAkB,CAAC;AA4G3F,0CAA0C;AAC1C,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;OAKG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;~~AAoID~~,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CA2BlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAM7B;;;OAGG;YACW,aAAa;IAwB3B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAa3B;;;OAGG;IACG,oBAAoB,CACxB,QAAQ,EAAE,eAAe,EAAE,EAC3B,SAAS,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,GAC/B,OAAO,CAAC,eAAe,EAAE,CAAC;IAgB7B;;OAEG;IACH,OAAO,CAAC,aAAa;IASf,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YA+ZvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,WAAW,GAAG,OAAO;YAe/D,uBAAuB;YA4GvB,aAAa;YAiDb,cAAc;YAiGd,oBAAoB;YAyDpB,gBAAgB;YAgJhB,oBAAoB;YAkFpB,gBAAgB;YA8IhB,mBAAmB;YA8EnB,iBAAiB;YA0CjB,iBAAiB;YAiEjB,wBAAwB;YA6FxB,wBAAwB;YAqExB,wBAAwB;YAyHxB,oBAAoB;YAmHpB,uBAAuB;YA4IvB,iBAAiB;YAkHjB,oBAAoB;YA0HpB,mBAAmB;YAqGnB,gBAAgB;YAwIhB,oBAAoB;YAwIpB,gBAAgB;YA6HhB,qBAAqB;YAmHrB,eAAe;IAqI7B;;OAEG;YACW,mBAAmB;IAkHjC;;OAEG;YACW,oBAAoB;IAqKlC;;OAEG;YACW,iBAAiB;IAgJ/B;;OAEG;YACW,oBAAoB;IA4IlC;;OAEG;YACW,eAAe;IAyJ7B;;OAEG;YACW,eAAe;IA2I7B;;OAEG;YACW,eAAe;IA6G7B;;OAEG;YACW,mBAAmB;IAuHjC,cAAc,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG;QAC3C,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB;IAmBD;;OAEG;YACW,YAAY;IAmE1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;~~IA6pBjC~~;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IAkMpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAgWlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IAsXjC;;OAEG;YACW,wBAAwB;IAqPtC;;OAEG;YACW,gBAAgB;IAoK9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IAoKlC;;;OAGG;YACW,iBAAiB;IAiI/B;;;OAGG;YACW,kBAAkB;IAkFhC;;;OAGG;YACW,aAAa;IA0F3B;;OAEG;YACW,gBAAgB;IAiE9B;;;;OAIG;YACW,yBAAyB;~~IA0WvC~~;;;;;OAKG;YACW,qBAAqB;IAqnBnC;;;;OAIG;YACW,gBAAgB;IA2G9B;;;;OAIG;YACW,mBAAmB;IAmKjC;;;;OAIG;YACW,gBAAgB;IAkF9B;;;OAGG;YACW,iBAAiB;IA+C/B;;;;OAIG;YACW,yBAAyB;IA6FvC;;;OAGG;YACW,kBAAkB;IA8ChC;;;OAGG;YACW,mBAAmB;IA4CjC;;;OAGG;YACW,6BAA6B;IAiD3C;;;OAGG;YACW,oBAAoB;IA4ClC;;;OAGG;YACW,WAAW;IA4DzB;;;OAGG;YACW,aAAa;IAgD3B;;;OAGG;YACW,oBAAoB;IA6ClC;;;OAGG;YACW,YAAY;IAmD1B;;;OAGG;YACW,qBAAqB;IA+DnC;;;;OAIG;YACW,oBAAoB;IAyHlC;;;OAGG;YACW,iBAAiB;IA+F/B;;;OAGG;YACW,4BAA4B;IAqD1C;;;OAGG;YACW,8BAA8B;IAgE5C;;;;OAIG;YACW,qBAAqB;IAgBnC,+DAA+D;YACjD,YAAY;CA+B3B"}
1	+ {"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAY,WAAW,EAAE,MAAM,kBAAkB,CAAC;AA4G3F,0CAA0C;AAC1C,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;OAKG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAwOD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CA2BlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAM7B;;;OAGG;YACW,aAAa;IAwB3B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAa3B;;;OAGG;IACG,oBAAoB,CACxB,QAAQ,EAAE,eAAe,EAAE,EAC3B,SAAS,EAAE,MAAM,EACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,GAC/B,OAAO,CAAC,eAAe,EAAE,CAAC;IAgB7B;;OAEG;IACH,OAAO,CAAC,aAAa;IASf,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YA+ZvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,WAAW,GAAG,OAAO;YAe/D,uBAAuB;YA4GvB,aAAa;YAiDb,cAAc;YAiGd,oBAAoB;YAyDpB,gBAAgB;YAgJhB,oBAAoB;YAkFpB,gBAAgB;YA8IhB,mBAAmB;YA8EnB,iBAAiB;YA0CjB,iBAAiB;YAiEjB,wBAAwB;YA6FxB,wBAAwB;YAqExB,wBAAwB;YAyHxB,oBAAoB;YAmHpB,uBAAuB;YA4IvB,iBAAiB;YAkHjB,oBAAoB;YA0HpB,mBAAmB;YAqGnB,gBAAgB;YAwIhB,oBAAoB;YAwIpB,gBAAgB;YA6HhB,qBAAqB;YAmHrB,eAAe;IAqI7B;;OAEG;YACW,mBAAmB;IAkHjC;;OAEG;YACW,oBAAoB;IAqKlC;;OAEG;YACW,iBAAiB;IAgJ/B;;OAEG;YACW,oBAAoB;IA4IlC;;OAEG;YACW,eAAe;IAyJ7B;;OAEG;YACW,eAAe;IA2I7B;;OAEG;YACW,eAAe;IA6G7B;;OAEG;YACW,mBAAmB;IAuHjC,cAAc,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG;QAC3C,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;KAClB;IAmBD;;OAEG;YACW,YAAY;IAmE1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IA8qBjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IAkMpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAgWlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IAsXjC;;OAEG;YACW,wBAAwB;IAqPtC;;OAEG;YACW,gBAAgB;IAoK9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IAoKlC;;;OAGG;YACW,iBAAiB;IAiI/B;;;OAGG;YACW,kBAAkB;IAkFhC;;;OAGG;YACW,aAAa;IA0F3B;;OAEG;YACW,gBAAgB;IAiE9B;;;;OAIG;YACW,yBAAyB;IAqYvC;;;;;OAKG;YACW,qBAAqB;IAqnBnC;;;;OAIG;YACW,gBAAgB;IA2G9B;;;;OAIG;YACW,mBAAmB;IAmKjC;;;;OAIG;YACW,gBAAgB;IAkF9B;;;OAGG;YACW,iBAAiB;IA+C/B;;;;OAIG;YACW,yBAAyB;IA6FvC;;;OAGG;YACW,kBAAkB;IA8ChC;;;OAGG;YACW,mBAAmB;IA4CjC;;;OAGG;YACW,6BAA6B;IAiD3C;;;OAGG;YACW,oBAAoB;IA4ClC;;;OAGG;YACW,WAAW;IA4DzB;;;OAGG;YACW,aAAa;IAgD3B;;;OAGG;YACW,oBAAoB;IA6ClC;;;OAGG;YACW,YAAY;IAmD1B;;;OAGG;YACW,qBAAqB;IA+DnC;;;;OAIG;YACW,oBAAoB;IAyHlC;;;OAGG;YACW,iBAAiB;IA+F/B;;;OAGG;YACW,4BAA4B;IAqD1C;;;OAGG;YACW,8BAA8B;IAgE5C;;;;OAIG;YACW,qBAAqB;IAgBnC,+DAA+D;YACjD,YAAY;CA+B3B"}

package/dist/hardening/scanner.js CHANGED Viewed

@@ -172,7 +172,9 @@ const SKILL_CREDENTIAL_ACCESS_PATTERNS = [
     /wallet.*\.json/gi,
     /seed.*phrase/gi,
     /private.*key/gi,
-    /\.env/gi,
+    // Match .env as a standalone file reference, not as part of process.env or documentation
+    // like ".env.example in sync" or "set in .env.local"
+    /(?:^|[\s"'`(])\.env(?:\.local|\.production|\.development)?(?:[\s"'`)]|$)/gi,
     /credentials\.json/gi,
 ];
 const SKILL_EXFILTRATION_PATTERNS = [
@@ -246,6 +248,101 @@ function shellEscape(s) {
     // Wrap in single quotes and escape embedded single quotes: ' -> '\''
     return "'" + s.replace(/'/g, "'\\''") + "'";
 }
+/**
+ * Check if a variation selector at position i in rawBuffer is a legitimate
+ * emoji presentation selector (U+FE0F following an emoji base character).
+ *
+ * Emoji base characters that commonly precede FE0F:
+ * - Keycap digits/symbols: 0-9, #, * (encoded as single ASCII bytes)
+ * - BMP symbols: U+2600-27BF range (encoded as 3-byte UTF-8: E2 XX XX or E2 XX XX)
+ * - SMP emoji: U+1F300-1FAFF (encoded as 4-byte UTF-8: F0 9F XX XX)
+ */
+function isEmojiVariationSelector(buf, vsStart) {
+    // Walk backward to find the preceding character
+    // The variation selector is at vsStart (3 bytes: EF B8 8F)
+    // We need to check what character precedes it
+    if (vsStart === 0)
+        return false;
+    // Check for 4-byte SMP emoji before (F0 9F XX XX) — most common case
+    if (vsStart >= 4) {
+        const b0 = buf[vsStart - 4];
+        const b1 = buf[vsStart - 3];
+        if (b0 === 0xF0 && b1 === 0x9F)
+            return true; // U+1F000-1FFFF (emoji range)
+    }
+    // Check for 3-byte BMP symbol before (E2 XX XX) — symbols like warning, gear, etc.
+    if (vsStart >= 3) {
+        const b0 = buf[vsStart - 3];
+        const b1 = buf[vsStart - 2];
+        if (b0 === 0xE2) {
+            // U+2600-27BF: Misc Symbols, Dingbats (E2 98 80 through E2 9E BF)
+            if (b1 >= 0x98 && b1 <= 0x9E)
+                return true;
+            // U+2300-23FF: Misc Technical (E2 8C 80 through E2 8F BF) — includes hourglass, etc.
+            if (b1 >= 0x8C && b1 <= 0x8F)
+                return true;
+        }
+        // U+2700-27BF also encoded as E2 9C XX - E2 9E XX
+        if (b0 === 0xE2 && b1 >= 0x9C && b1 <= 0x9E)
+            return true;
+    }
+    // Check for 1-byte ASCII keycap base: #, *, 0-9
+    if (vsStart >= 1) {
+        const prev = buf[vsStart - 1];
+        if (prev === 0x23 || prev === 0x2A)
+            return true; // # or *
+        if (prev >= 0x30 && prev <= 0x39)
+            return true; // 0-9
+    }
+    return false;
+}
+/**
+ * Check if a Cyrillic character at position ci in chars[] is in a Cyrillic
+ * text context (legitimate i18n) rather than mixed into a Latin word (attack).
+ *
+ * Looks at a window of nearby characters. If the neighborhood contains
+ * mostly Cyrillic or other non-Latin chars, it's i18n. If surrounded by
+ * Latin chars, it's a homoglyph attack.
+ */
+function isCyrillicInCyrillicContext(chars, ci) {
+    // Look at a window of 10 chars in each direction
+    const windowSize = 10;
+    const start = Math.max(0, ci - windowSize);
+    const end = Math.min(chars.length, ci + windowSize + 1);
+    let latinCount = 0;
+    let cyrillicCount = 0;
+    for (let j = start; j < end; j++) {
+        if (j === ci)
+            continue;
+        const cp = chars[j].codePointAt(0);
+        // Latin letter
+        if ((cp >= 0x41 && cp <= 0x5A) || (cp >= 0x61 && cp <= 0x7A)) {
+            latinCount++;
+        }
+        // Any Cyrillic (U+0400-052F)
+        if (cp >= 0x0400 && cp <= 0x052F) {
+            cyrillicCount++;
+        }
+    }
+    // If there are at least 3 other Cyrillic chars nearby, this is i18n text
+    // (translations, i18n badges, etc. always have multiple Cyrillic chars together)
+    if (cyrillicCount >= 3)
+        return true;
+    // If the immediate neighbors are both Latin, this is a homoglyph attack
+    const prevLatin = ci > 0 && (() => {
+        const cp = chars[ci - 1].codePointAt(0);
+        return (cp >= 0x41 && cp <= 0x5A) || (cp >= 0x61 && cp <= 0x7A);
+    })();
+    const nextLatin = ci < chars.length - 1 && (() => {
+        const cp = chars[ci + 1].codePointAt(0);
+        return (cp >= 0x41 && cp <= 0x5A) || (cp >= 0x61 && cp <= 0x7A);
+    })();
+    if (prevLatin && nextLatin)
+        return false; // Sandwiched in Latin = attack
+    // Ambiguous case: not enough context. If there are ANY other Cyrillic
+    // chars nearby, give benefit of the doubt (i18n).
+    return cyrillicCount > 0;
+}
 class HardeningScanner {
     constructor() {
         this.cliName = 'hackmyagent';
@@ -4330,17 +4427,35 @@ dist/
                 await fs.writeFile(skillFile, content);
             }
             // SKILL-005: Credential File Access
+            // Only flag as CRITICAL inside frontmatter (capabilities section).
+            // Body text often describes credential handling in documentation,
+            // which is informational, not an actual access pattern.
+            let inSkill005Frontmatter = false;
+            let skill005FrontmatterDelimiters = 0;
             for (let i = 0; i < lines.length; i++) {
+                const trimmed = lines[i].trim();
+                if (trimmed === '---') {
+                    skill005FrontmatterDelimiters++;
+                    inSkill005Frontmatter = skill005FrontmatterDelimiters === 1;
+                    if (skill005FrontmatterDelimiters >= 2)
+                        inSkill005Frontmatter = false;
+                    continue;
+                }
                 const line = lines[i];
                 for (const pattern of SKILL_CREDENTIAL_ACCESS_PATTERNS) {
                     pattern.lastIndex = 0;
                     if (pattern.test(line)) {
+                        // Frontmatter = actual capability declaration (CRITICAL)
+                        // Body = still suspicious but lower severity (MEDIUM)
+                        const severity = inSkill005Frontmatter ? 'critical' : 'medium';
                         findings.push({
                             checkId: 'SKILL-005',
                             name: 'Credential File Access',
-                            description: 'Skill attempts to access credential or sensitive configuration files',
+                            description: inSkill005Frontmatter
+                                ? 'Skill declares access to credential or sensitive configuration files'
+                                : 'Skill body mentions credential file patterns',
                             category: 'skill',
-                            severity: 'critical',
+                            severity,
                             passed: false,
                             message: `Credential file access pattern detected: "${line.trim().substring(0, 80)}..."`,
                             file: relativePath,
@@ -6872,13 +6987,19 @@ dist/
                     currentLine++;
                     continue;
                 }
-                // Variation selectors: EF B8 80-8F
+                // Variation selectors: EF B8 80-8F (U+FE00-FE0F)
+                // Skip U+FE0F (EF B8 8F) when preceded by an emoji base character,
+                // as it's the standard emoji presentation selector (not steganography).
                 if (rawBuffer[i] === 0xEF &&
                     i + 2 < rawBuffer.length &&
                     rawBuffer[i + 1] === 0xB8 &&
                     rawBuffer[i + 2] >= 0x80 &&
                     rawBuffer[i + 2] <= 0x8F) {
-                    if (!hasVariationSelectors) {
+                    // Check if this is an emoji presentation selector (FE0F after emoji base)
+                    if (rawBuffer[i + 2] === 0x8F && isEmojiVariationSelector(rawBuffer, i)) {
+                        // Legitimate emoji — skip
+                    }
+                    else if (!hasVariationSelectors) {
                         hasVariationSelectors = true;
                         variationSelectorLine = currentLine;
                     }
@@ -7129,17 +7250,37 @@ dist/
             let homoglyphChar = '';
             const contentForHomoglyph = content || rawBuffer.toString('utf-8');
             const homoglyphLines = contentForHomoglyph.split('\n');
+            // Track markdown code fences: homoglyphs inside ```...``` blocks in .md files
+            // are documentation examples, not executable code — skip them.
+            const isMarkdown = relativePath.endsWith('.md') || relativePath.endsWith('.txt');
+            let inCodeFence = false;
             for (let lineIdx = 0; lineIdx < homoglyphLines.length; lineIdx++) {
                 const line = homoglyphLines[lineIdx];
                 if (line.length > MAX_LINE_LENGTH)
                     continue;
+                // Track code fence boundaries in markdown files
+                if (isMarkdown && line.trimStart().startsWith('```')) {
+                    inCodeFence = !inCodeFence;
+                    continue;
+                }
+                // Skip lines inside markdown code fences (documentation examples)
+                if (isMarkdown && inCodeFence)
+                    continue;
                 // Skip comment lines
                 const trimmed = line.trimStart();
                 if (trimmed.startsWith('//') || trimmed.startsWith('#') || trimmed.startsWith('*'))
                     continue;
-                for (const ch of line) {
-                    const cp = ch.codePointAt(0);
+                const chars = [...line];
+                for (let ci = 0; ci < chars.length; ci++) {
+                    const cp = chars[ci].codePointAt(0);
                     if (homoglyphCodepoints.has(cp)) {
+                        // Check if this Cyrillic char is in a Cyrillic text block (i18n)
+                        // vs mixed into a Latin word (homoglyph attack).
+                        // Look at neighboring characters: if surrounded by other Cyrillic
+                        // or non-Latin chars, it's legitimate i18n text.
+                        if (isCyrillicInCyrillicContext(chars, ci)) {
+                            continue; // Legitimate i18n — skip
+                        }
                         homoglyphFound = true;
                         homoglyphLine = lineIdx + 1;
                         homoglyphChar = `U+${cp.toString(16).toUpperCase().padStart(4, '0')}`;