@aicqtools/guardrail 1.0.0-alpha.2

package/dist/rules-default/index.js

@@ -0,0 +1,138 @@
+import { readFile, readdir } from 'node:fs/promises';
+import { dirname, extname, join, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+import { parseYamlRule } from '../matcher/yaml-rule.js';
+// Phase 0 (TalkUp 사례 + 기본)
+import noConsoleLog from './no-console-log.js';
+import noIdOverwrite from './no-id-overwrite.js';
+import routeNeedsRateLimit from './route-needs-rate-limit.js';
+import controllerNeedsAsyncWrapper from './controller-needs-async-wrapper.js';
+import fkNeedsOnDelete from './fk-needs-on-delete.js';
+import apiResponseShape from './api-response-shape.js';
+// S3.A — TS 글로벌 추가 (function-style)
+import noBareThrow from './no-bare-throw.js';
+import noEmptyCatch from './no-empty-catch.js';
+import noProcessEnvLeak from './no-process-env-leak.js';
+import routeNeedsAuth from './route-needs-auth.js';
+import noMagicNumber from './no-magic-number.js';
+import noDefaultExportFromLibs from './no-default-export-from-libs.js';
+import preferConstArray from './prefer-const-array.js';
+import noBooleanTrap from './no-boolean-trap.js';
+import preferNamedImports from './prefer-named-imports.js';
+import noJsonbCircular from './no-jsonb-circular.js';
+// S3.B — Python 글로벌 (function-style; YAML은 자동 로드됨)
+import requestsNeedsTimeout from './requests-needs-timeout.js';
+import noShellTrue from './no-shell-true.js';
+import noFstringSql from './no-fstring-sql.js';
+import noMutableDefaultArg from './no-mutable-default-arg.js';
+import noBareExcept from './no-bare-except.js';
+import typeHintRequiredPublic from './type-hint-required-public.js';
+import asyncAwaitConsistency from './async-await-consistency.js';
+import pytestFixtureNaming from './pytest-fixture-naming.js';
+// K1 — 한국 IT 컨벤션 (Phase 1a 베타)
+import camelcaseMigrationColumn from './camelcase-migration-column.js';
+import enforceUtf8Encoding from './enforce-utf8-encoding.js';
+import explicitKstTimezone from './explicit-kst-timezone.js';
+import wonFormatThousands from './won-format-thousands.js';
+import rfc5987KoreanFilename from './rfc5987-korean-filename.js';
+import naverKakaoOauthWebview from './naver-kakao-oauth-webview.js';
+import koreanCommentEncoding from './korean-comment-encoding.js';
+// K2 — 한국 도메인 컴플라이언스 (Phase 1b 베타)
+// 금감원 AI 가이드라인 (5)
+import auditLogAiDecision from './audit-log-ai-decision.js';
+import maskPiiInAiPrompt from './mask-pii-in-ai-prompt.js';
+import trackAiModelVersion from './track-ai-model-version.js';
+import humanOversightCheckpoint from './human-oversight-checkpoint.js';
+import aiExplainabilityMetadata from './ai-explainability-metadata.js';
+// PCI DSS (8)
+import noPlainCardNumber from './no-plain-card-number.js';
+import noCvvLogging from './no-cvv-logging.js';
+import requireTls12Plus from './require-tls-1-2-plus.js';
+import verifyPgResponse from './verify-pg-response.js';
+import requireIdempotencyKey from './require-idempotency-key.js';
+import separateRefundPermission from './separate-refund-permission.js';
+import preserveTransactionLog from './preserve-transaction-log.js';
+import maskCardNumber from './mask-card-number.js';
+export const builtinFunctionRules = [
+    // Phase 0
+    noConsoleLog,
+    noIdOverwrite,
+    routeNeedsRateLimit,
+    controllerNeedsAsyncWrapper,
+    fkNeedsOnDelete,
+    apiResponseShape,
+    // S3.A TS 글로벌
+    noBareThrow,
+    noEmptyCatch,
+    noProcessEnvLeak,
+    routeNeedsAuth,
+    noMagicNumber,
+    noDefaultExportFromLibs,
+    preferConstArray,
+    noBooleanTrap,
+    preferNamedImports,
+    noJsonbCircular,
+    // S3.B Python 글로벌
+    requestsNeedsTimeout,
+    noShellTrue,
+    noFstringSql,
+    noMutableDefaultArg,
+    noBareExcept,
+    typeHintRequiredPublic,
+    asyncAwaitConsistency,
+    pytestFixtureNaming,
+    // K1 한국 IT 컨벤션
+    camelcaseMigrationColumn,
+    enforceUtf8Encoding,
+    explicitKstTimezone,
+    wonFormatThousands,
+    rfc5987KoreanFilename,
+    naverKakaoOauthWebview,
+    koreanCommentEncoding,
+    // K2 금감원 AI 가이드라인
+    auditLogAiDecision,
+    maskPiiInAiPrompt,
+    trackAiModelVersion,
+    humanOversightCheckpoint,
+    aiExplainabilityMetadata,
+    // K2 PCI DSS
+    noPlainCardNumber,
+    noCvvLogging,
+    requireTls12Plus,
+    verifyPgResponse,
+    requireIdempotencyKey,
+    separateRefundPermission,
+    preserveTransactionLog,
+    maskCardNumber,
+];
+export async function loadBuiltinYamlRules() {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    const entries = await readdir(dir);
+    const rules = [];
+    for (const entry of entries) {
+        if (extname(entry) === '.yaml' || extname(entry) === '.yml') {
+            const content = await readFile(join(dir, entry), 'utf-8');
+            rules.push(parseYamlRule(content));
+        }
+    }
+    return rules;
+}
+export async function loadAllBuiltinRules() {
+    const yaml = await loadBuiltinYamlRules();
+    return [...builtinFunctionRules, ...yaml];
+}
+export async function loadFunctionRulesFromDir(dir) {
+    const absDir = resolve(dir);
+    const entries = await readdir(absDir);
+    const rules = [];
+    for (const entry of entries) {
+        if (extname(entry) === '.ts' || extname(entry) === '.js' || extname(entry) === '.mjs') {
+            const url = pathToFileURL(join(absDir, entry)).href;
+            const mod = (await import(url));
+            if (mod.default)
+                rules.push(mod.default);
+        }
+    }
+    return rules;
+}
+//# sourceMappingURL=index.js.map

package/dist/rules-default/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules-default/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,2BAA2B;AAC3B,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,aAAa,MAAM,sBAAsB,CAAC;AACjD,OAAO,mBAAmB,MAAM,6BAA6B,CAAC;AAC9D,OAAO,2BAA2B,MAAM,qCAAqC,CAAC;AAC9E,OAAO,eAAe,MAAM,yBAAyB,CAAC;AACtD,OAAO,gBAAgB,MAAM,yBAAyB,CAAC;AAEvD,oCAAoC;AACpC,OAAO,WAAW,MAAM,oBAAoB,CAAC;AAC7C,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,gBAAgB,MAAM,0BAA0B,CAAC;AACxD,OAAO,cAAc,MAAM,uBAAuB,CAAC;AACnD,OAAO,aAAa,MAAM,sBAAsB,CAAC;AACjD,OAAO,uBAAuB,MAAM,kCAAkC,CAAC;AACvE,OAAO,gBAAgB,MAAM,yBAAyB,CAAC;AACvD,OAAO,aAAa,MAAM,sBAAsB,CAAC;AACjD,OAAO,kBAAkB,MAAM,2BAA2B,CAAC;AAC3D,OAAO,eAAe,MAAM,wBAAwB,CAAC;AAErD,mDAAmD;AACnD,OAAO,oBAAoB,MAAM,6BAA6B,CAAC;AAC/D,OAAO,WAAW,MAAM,oBAAoB,CAAC;AAC7C,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,mBAAmB,MAAM,6BAA6B,CAAC;AAC9D,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,sBAAsB,MAAM,gCAAgC,CAAC;AACpE,OAAO,qBAAqB,MAAM,8BAA8B,CAAC;AACjE,OAAO,mBAAmB,MAAM,4BAA4B,CAAC;AAE7D,+BAA+B;AAC/B,OAAO,wBAAwB,MAAM,iCAAiC,CAAC;AACvE,OAAO,mBAAmB,MAAM,4BAA4B,CAAC;AAC7D,OAAO,mBAAmB,MAAM,4BAA4B,CAAC;AAC7D,OAAO,kBAAkB,MAAM,2BAA2B,CAAC;AAC3D,OAAO,qBAAqB,MAAM,8BAA8B,CAAC;AACjE,OAAO,sBAAsB,MAAM,gCAAgC,CAAC;AACpE,OAAO,qBAAqB,MAAM,8BAA8B,CAAC;AAEjE,mCAAmC;AACnC,mBAAmB;AACnB,OAAO,kBAAkB,MAAM,4BAA4B,CAAC;AAC5D,OAAO,iBAAiB,MAAM,4BAA4B,CAAC;AAC3D,OAAO,mBAAmB,MAAM,6BAA6B,CAAC;AAC9D,OAAO,wBAAwB,MAAM,iCAAiC,CAAC;AACvE,OAAO,wBAAwB,MAAM,iCAAiC,CAAC;AACvE,cAAc;AACd,OAAO,iBAAiB,MAAM,2BAA2B,CAAC;AAC1D,OAAO,YAAY,MAAM,qBAAqB,CAAC;AAC/C,OAAO,gBAAgB,MAAM,2BAA2B,CAAC;AACzD,OAAO,gBAAgB,MAAM,yBAAyB,CAAC;AACvD,OAAO,qBAAqB,MAAM,8BAA8B,CAAC;AACjE,OAAO,wBAAwB,MAAM,iCAAiC,CAAC;AACvE,OAAO,sBAAsB,MAAM,+BAA+B,CAAC;AACnE,OAAO,cAAc,MAAM,uBAAuB,CAAC;AAEnD,MAAM,CAAC,MAAM,oBAAoB,GAAoB;IACnD,UAAU;IACV,YAAY;IACZ,aAAa;IACb,mBAAmB;IACnB,2BAA2B;IAC3B,eAAe;IACf,gBAAgB;IAChB,cAAc;IACd,WAAW;IACX,YAAY;IACZ,gBAAgB;IAChB,cAAc;IACd,aAAa;IACb,uBAAuB;IACvB,gBAAgB;IAChB,aAAa;IACb,kBAAkB;IAClB,eAAe;IACf,kBAAkB;IAClB,oBAAoB;IACpB,WAAW;IACX,YAAY;IACZ,mBAAmB;IACnB,YAAY;IACZ,sBAAsB;IACtB,qBAAqB;IACrB,mBAAmB;IACnB,eAAe;IACf,wBAAwB;IACxB,mBAAmB;IACnB,mBAAmB;IACnB,kBAAkB;IAClB,qBAAqB;IACrB,sBAAsB;IACtB,qBAAqB;IACrB,kBAAkB;IAClB,kBAAkB;IAClB,iBAAiB;IACjB,mBAAmB;IACnB,wBAAwB;IACxB,wBAAwB;IACxB,aAAa;IACb,iBAAiB;IACjB,YAAY;IACZ,gBAAgB;IAChB,gBAAgB;IAChB,qBAAqB;IACrB,wBAAwB;IACxB,sBAAsB;IACtB,cAAc;CACf,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,KAAK,GAAW,EAAE,CAAC;IACzB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,OAAO,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC;YAC1D,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,IAAI,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC1C,OAAO,CAAC,GAAG,oBAAoB,EAAE,GAAG,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,GAAW;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,KAAK,GAAW,EAAE,CAAC;IACzB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YACtF,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YACpD,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,CAAuB,CAAC;YACtD,IAAI,GAAG,CAAC,OAAO;gBAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/rules-default/korean-comment-encoding.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=korean-comment-encoding.d.ts.map

package/dist/rules-default/korean-comment-encoding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"korean-comment-encoding.d.ts","sourceRoot":"","sources":["../../src/rules-default/korean-comment-encoding.ts"],"names":[],"mappings":";AAeA,wBAYG"}

package/dist/rules-default/korean-comment-encoding.js

@@ -0,0 +1,28 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Detect mojibake (broken Korean) in comments — typical sign of EUC-KR / CP949
+ * source forced through a UTF-8 decoder.
+ *
+ * Heuristic: looks for runs of `�` or characters in the CJK Compatibility
+ * range that are very rare in well-formed Korean comments. False positives
+ * possible if the file legitimately uses these chars (e.g. Japanese mixed text).
+ *
+ * Known limitation: this rule is intentionally heuristic. v1.5 will use a proper
+ * encoding detection lib (e.g. chardet) at the file-loader level.
+ */
+const MOJIBAKE_PATTERN = /[�]{1,}|[㈠-㉃]{2,}|[豈-﫿]{3,}/;
+export default defineRule({
+    id: 'korean-comment-encoding',
+    language: ['typescript', 'javascript', 'tsx', 'python'],
+    severity: 'info',
+    message: 'Comment contains potential mojibake — file may have encoding issues.',
+    messageKo: '주석에 깨진 한글로 보이는 패턴이 있습니다 — 파일 인코딩을 확인하세요.',
+    visitors: {
+        comment(node, ctx) {
+            const text = ctx.textOf(node);
+            if (MOJIBAKE_PATTERN.test(text))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=korean-comment-encoding.js.map

package/dist/rules-default/korean-comment-encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"korean-comment-encoding.js","sourceRoot":"","sources":["../../src/rules-default/korean-comment-encoding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;;;;;;;GAUG;AACH,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;AAEvD,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,yBAAyB;IAC7B,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,CAAC;IACvD,QAAQ,EAAE,MAAM;IAChB,OAAO,EAAE,sEAAsE;IAC/E,SAAS,EAAE,0CAA0C;IACrD,QAAQ,EAAE;QACR,OAAO,CAAC,IAAI,EAAE,GAAG;YACf,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/mask-card-number.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=mask-card-number.d.ts.map

package/dist/rules-default/mask-card-number.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-card-number.d.ts","sourceRoot":"","sources":["../../src/rules-default/mask-card-number.ts"],"names":[],"mappings":";AAaA,wBA2BG"}

package/dist/rules-default/mask-card-number.js

@@ -0,0 +1,45 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * PCI DSS § 3.3: when a PAN is displayed it must be masked. Detect raw
+ * `cardNumber` / `card_number` references inside `JSON.stringify(...)`,
+ * template literals, or string concatenations without an accompanying
+ * mask helper (`mask`, `redact`, `truncate`).
+ */
+const CARD_VAR = /\b(cardNumber|card_number|pan)\b/;
+const MASK_HELPER = /\b(mask|redact|truncate|last4|maskCard)\w*\(/;
+export default defineRule({
+    id: 'mask-card-number',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'Card number is rendered without masking (PCI DSS § 3.4.1 — PAN must be masked when displayed; max first 6 + last 4).',
+    messageKo: '카드번호가 마스킹 없이 표시됩니다 (PCI DSS § 3.4.1 — PAN 표시 시 마스킹 필수; 최대 앞 6자리 + 뒷 4자리).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/mask-card-number.md',
+    visitors: {
+        template_string(node, ctx) {
+            const text = ctx.textOf(node);
+            if (!CARD_VAR.test(text))
+                return;
+            if (MASK_HELPER.test(text))
+                return;
+            ctx.report({ node });
+        },
+        call_expression(node, ctx) {
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                return;
+            const fnText = ctx.textOf(fn);
+            if (fnText !== 'JSON.stringify')
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            const argsText = ctx.textOf(args);
+            if (!CARD_VAR.test(argsText))
+                return;
+            if (MASK_HELPER.test(argsText))
+                return;
+            ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=mask-card-number.js.map

package/dist/rules-default/mask-card-number.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-card-number.js","sourceRoot":"","sources":["../../src/rules-default/mask-card-number.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;;GAKG;AACH,MAAM,QAAQ,GAAG,kCAAkC,CAAC;AACpD,MAAM,WAAW,GAAG,8CAA8C,CAAC;AAEnE,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,kBAAkB;IACtB,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,sHAAsH;IAC/H,SAAS,EAAE,2EAA2E;IACtF,IAAI,EAAE,iFAAiF;IACvF,QAAQ,EAAE;QACR,eAAe,CAAC,IAAuB,EAAE,GAAgB;YACvD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACjC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACnC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;QACD,eAAe,CAAC,IAAuB,EAAE,GAAgB;YACvD,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE;gBAAE,OAAO;YAChB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC9B,IAAI,MAAM,KAAK,gBAAgB;gBAAE,OAAO;YACxC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO;YACrC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO;YACvC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/mask-pii-in-ai-prompt.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=mask-pii-in-ai-prompt.d.ts.map

package/dist/rules-default/mask-pii-in-ai-prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-pii-in-ai-prompt.d.ts","sourceRoot":"","sources":["../../src/rules-default/mask-pii-in-ai-prompt.ts"],"names":[],"mappings":";AAqBA,wBAmBG"}

package/dist/rules-default/mask-pii-in-ai-prompt.js

@@ -0,0 +1,41 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * FSC AI guideline: personal information (RRN, card number) must be masked
+ * before being passed to AI providers. Detect literal Korean RRN patterns
+ * (\d{6}-\d{7}) or 16-digit card numbers in string/template arguments of
+ * AI SDK calls.
+ *
+ * Limitation: false negatives if PII enters via interpolated variables;
+ * false positives if a legitimate test fixture contains a digit run.
+ */
+const RRN_PATTERN = /\b\d{6}-\d{7}\b/;
+const CARD_PATTERN = /\b(?:\d[ -]?){15,16}\b/;
+const AI_CALL = /\b(openai|anthropic|aiClient)\.\w+/;
+function inspectArgsString(text) {
+    return RRN_PATTERN.test(text) || CARD_PATTERN.test(text);
+}
+export default defineRule({
+    id: 'mask-pii-in-ai-prompt',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'AI prompt contains unmasked PII (Korean RRN or card number) — mask before sending (FSC AI guideline — privacy protection).',
+    messageKo: 'AI 프롬프트에 마스킹되지 않은 개인정보(주민번호/카드번호)가 포함되어 있습니다 — AI 호출 전 마스킹 필수 (금감원 AI 가이드라인 — 개인정보 보호).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/mask-pii-in-ai-prompt.md',
+    visitors: {
+        call_expression(node, ctx) {
+            const fnNode = node.childForFieldName('function');
+            if (!fnNode)
+                return;
+            const fnText = ctx.textOf(fnNode);
+            if (!AI_CALL.test(fnText))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            const argsText = ctx.textOf(args);
+            if (inspectArgsString(argsText))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=mask-pii-in-ai-prompt.js.map

package/dist/rules-default/mask-pii-in-ai-prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-pii-in-ai-prompt.js","sourceRoot":"","sources":["../../src/rules-default/mask-pii-in-ai-prompt.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;;;;;GAQG;AACH,MAAM,WAAW,GAAG,iBAAiB,CAAC;AACtC,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAC9C,MAAM,OAAO,GAAG,oCAAoC,CAAC;AAErD,SAAS,iBAAiB,CAAC,IAAY;IACrC,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3D,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,uBAAuB;IAC3B,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,4HAA4H;IACrI,SAAS,EAAE,yFAAyF;IACpG,IAAI,EAAE,sFAAsF;IAC5F,QAAQ,EAAE;QACR,eAAe,CAAC,IAAuB,EAAE,GAAgB;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM;gBAAE,OAAO;YACpB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,iBAAiB,CAAC,QAAQ,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/naver-kakao-oauth-webview.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=naver-kakao-oauth-webview.d.ts.map

package/dist/rules-default/naver-kakao-oauth-webview.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"naver-kakao-oauth-webview.d.ts","sourceRoot":"","sources":["../../src/rules-default/naver-kakao-oauth-webview.ts"],"names":[],"mappings":";AAkBA,wBAoBG"}

package/dist/rules-default/naver-kakao-oauth-webview.js

@@ -0,0 +1,40 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Capacitor's `Browser.open()` opens an external Chrome Custom Tab on Android — but
+ * Naver/Kakao OAuth callbacks may not return to the in-app session correctly.
+ * Best practice (per soanjang's brain rule): use WebView-internal web flow instead.
+ *
+ * Known limitation: false positives if `Browser.open()` is used for non-OAuth URLs.
+ * v1.0 PoC accepts this in exchange for catching the common Capacitor mis-pattern.
+ */
+const KAKAO_NAVER_PATTERN = /(kakao|naver)/i;
+function nthArgText(args, idx, textOf) {
+    const arg = args.namedChild(idx);
+    return arg ? textOf(arg) : null;
+}
+export default defineRule({
+    id: 'naver-kakao-oauth-webview',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'warning',
+    message: 'Capacitor Browser.open() with Kakao/Naver OAuth URL — use in-WebView web flow for callback continuity.',
+    messageKo: 'Capacitor Browser.open()으로 카카오/네이버 OAuth URL — 콜백 연속성을 위해 WebView 내 웹 플로우 권장.',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/naver-kakao-oauth-webview.md',
+    visitors: {
+        call_expression(node, ctx) {
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                return;
+            // Match `Browser.open(...)` exactly
+            if (ctx.textOf(fn) !== 'Browser.open')
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args || args.namedChildCount === 0)
+                return;
+            // Argument is usually an options object containing { url: '...' }
+            const optsText = nthArgText(args, 0, ctx.textOf) ?? '';
+            if (KAKAO_NAVER_PATTERN.test(optsText))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=naver-kakao-oauth-webview.js.map

package/dist/rules-default/naver-kakao-oauth-webview.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"naver-kakao-oauth-webview.js","sourceRoot":"","sources":["../../src/rules-default/naver-kakao-oauth-webview.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;;;;GAOG;AACH,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAE7C,SAAS,UAAU,CAAC,IAAuB,EAAE,GAAW,EAAE,MAAwC;IAChG,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClC,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,2BAA2B;IAC/B,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,SAAS;IACnB,OAAO,EAAE,wGAAwG;IACjH,SAAS,EAAE,+EAA+E;IAC1F,IAAI,EAAE,0FAA0F;IAChG,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE;gBAAE,OAAO;YAChB,oCAAoC;YACpC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,cAAc;gBAAE,OAAO;YAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,eAAe,KAAK,CAAC;gBAAE,OAAO;YAChD,kEAAkE;YAClE,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACvD,IAAI,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-bare-except.d.ts

@@ -0,0 +1,7 @@
+/**
+ * `except:` (no exception type) catches everything including SystemExit and KeyboardInterrupt.
+ * Always specify the exception class(es) to catch.
+ */
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-bare-except.d.ts.map

package/dist/rules-default/no-bare-except.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-bare-except.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-bare-except.ts"],"names":[],"mappings":"AAEA;;;GAGG;;AACH,wBAgBG"}

package/dist/rules-default/no-bare-except.js

@@ -0,0 +1,23 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * `except:` (no exception type) catches everything including SystemExit and KeyboardInterrupt.
+ * Always specify the exception class(es) to catch.
+ */
+export default defineRule({
+    id: 'no-bare-except',
+    language: 'python',
+    severity: 'error',
+    message: 'Bare `except:` catches SystemExit/KeyboardInterrupt — specify exception type(s).',
+    messageKo: 'bare `except:`는 SystemExit/KeyboardInterrupt까지 잡습니다 — 예외 타입을 명시하세요.',
+    visitors: {
+        except_clause(node, ctx) {
+            // tree-sitter-python's except_clause: `except [exception_type [as name]]: body`
+            // Bare except has no type specifier between `except` and `:`.
+            const text = ctx.textOf(node).split('\n')[0] ?? '';
+            if (/^\s*except\s*:/.test(text)) {
+                ctx.report({ node });
+            }
+        },
+    },
+});
+//# sourceMappingURL=no-bare-except.js.map

package/dist/rules-default/no-bare-except.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-bare-except.js","sourceRoot":"","sources":["../../src/rules-default/no-bare-except.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;GAGG;AACH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,gBAAgB;IACpB,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,kFAAkF;IAC3F,SAAS,EAAE,qEAAqE;IAChF,QAAQ,EAAE;QACR,aAAa,CAAC,IAAI,EAAE,GAAG;YACrB,gFAAgF;YAChF,8DAA8D;YAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-bare-throw.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Forbids `throw <non-Error>` (e.g. `throw "msg"`, `throw 42`, `throw {x:1}`).
+ * Errors should always be Error instances or its subclasses for stack-trace + instanceof checks.
+ */
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-bare-throw.d.ts.map

package/dist/rules-default/no-bare-throw.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-bare-throw.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-bare-throw.ts"],"names":[],"mappings":"AAEA;;;GAGG;;AACH,wBAyBG"}

package/dist/rules-default/no-bare-throw.js

@@ -0,0 +1,32 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Forbids `throw <non-Error>` (e.g. `throw "msg"`, `throw 42`, `throw {x:1}`).
+ * Errors should always be Error instances or its subclasses for stack-trace + instanceof checks.
+ */
+export default defineRule({
+    id: 'no-bare-throw',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'error',
+    message: 'Throw an Error instance, not a raw value (string/number/object).',
+    messageKo: 'raw 값 대신 Error 인스턴스를 throw 하세요 (스택 트레이스 + instanceof 검사 가능).',
+    visitors: {
+        throw_statement(node, ctx) {
+            const expr = node.namedChild(0);
+            if (!expr)
+                return;
+            // Allow: new Error(...), new <SomethingError>(...), call expressions, identifiers (assume Error var)
+            if (expr.type === 'new_expression' || expr.type === 'identifier' || expr.type === 'call_expression')
+                return;
+            // Flag: string_literal, number, true/false, object literal
+            if (expr.type === 'string' ||
+                expr.type === 'template_string' ||
+                expr.type === 'number' ||
+                expr.type === 'true' ||
+                expr.type === 'false' ||
+                expr.type === 'object') {
+                ctx.report({ node });
+            }
+        },
+    },
+});
+//# sourceMappingURL=no-bare-throw.js.map

package/dist/rules-default/no-bare-throw.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-bare-throw.js","sourceRoot":"","sources":["../../src/rules-default/no-bare-throw.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;GAGG;AACH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,eAAe;IACnB,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,kEAAkE;IAC3E,SAAS,EAAE,8DAA8D;IACzE,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,qGAAqG;YACrG,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAAE,OAAO;YAC5G,2DAA2D;YAC3D,IACE,IAAI,CAAC,IAAI,KAAK,QAAQ;gBACtB,IAAI,CAAC,IAAI,KAAK,iBAAiB;gBAC/B,IAAI,CAAC,IAAI,KAAK,QAAQ;gBACtB,IAAI,CAAC,IAAI,KAAK,MAAM;gBACpB,IAAI,CAAC,IAAI,KAAK,OAAO;gBACrB,IAAI,CAAC,IAAI,KAAK,QAAQ,EACtB,CAAC;gBACD,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-boolean-trap.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Functions with a single boolean argument force callers to write
+ * `doThing(true)` whose meaning is unclear at the call site. Use an
+ * options object instead (e.g. `doThing({ silent: true })`).
+ */
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-boolean-trap.d.ts.map

package/dist/rules-default/no-boolean-trap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-boolean-trap.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-boolean-trap.ts"],"names":[],"mappings":"AAEA;;;;GAIG;;AACH,wBAqBG"}

package/dist/rules-default/no-boolean-trap.js

@@ -0,0 +1,33 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Functions with a single boolean argument force callers to write
+ * `doThing(true)` whose meaning is unclear at the call site. Use an
+ * options object instead (e.g. `doThing({ silent: true })`).
+ */
+export default defineRule({
+    id: 'no-boolean-trap',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'info',
+    message: 'Boolean-only function argument is opaque at call sites — prefer an options object.',
+    messageKo: '함수 인자에 boolean 단독은 호출부에서 의미가 불분명합니다 — 옵션 객체를 권장합니다.',
+    visitors: {
+        function_declaration(node, ctx) {
+            const params = node.childForFieldName('parameters');
+            if (!params)
+                return;
+            if (params.namedChildCount !== 1)
+                return;
+            const onlyParam = params.namedChild(0);
+            if (!onlyParam)
+                return;
+            const text = ctx.textOf(onlyParam);
+            // Skip object/array type literals (e.g. `opts: { silent: boolean }`)
+            if (text.includes('{') || text.includes('['))
+                return;
+            if (/:\s*boolean(\s|$|=)/.test(text)) {
+                ctx.report({ node: onlyParam });
+            }
+        },
+    },
+});
+//# sourceMappingURL=no-boolean-trap.js.map

package/dist/rules-default/no-boolean-trap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-boolean-trap.js","sourceRoot":"","sources":["../../src/rules-default/no-boolean-trap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;GAIG;AACH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,iBAAiB;IACrB,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,MAAM;IAChB,OAAO,EAAE,oFAAoF;IAC7F,SAAS,EAAE,qDAAqD;IAChE,QAAQ,EAAE;QACR,oBAAoB,CAAC,IAAI,EAAE,GAAG;YAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;YACpD,IAAI,CAAC,MAAM;gBAAE,OAAO;YACpB,IAAI,MAAM,CAAC,eAAe,KAAK,CAAC;gBAAE,OAAO;YACzC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACvC,IAAI,CAAC,SAAS;gBAAE,OAAO;YACvB,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACnC,qEAAqE;YACrE,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAO;YACrD,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-console-log.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-console-log.d.ts.map

package/dist/rules-default/no-console-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-console-log.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-console-log.ts"],"names":[],"mappings":";AAEA,wBAcG"}

package/dist/rules-default/no-console-log.js

@@ -0,0 +1,19 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+export default defineRule({
+    id: 'no-console-log',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'warning',
+    message: 'Avoid console.log in production code.',
+    messageKo: '운영 코드에서 console.log 사용을 피하세요.',
+    visitors: {
+        call_expression(node, ctx) {
+            const fn = node.childForFieldName('function');
+            if (!fn)
+                return;
+            const text = ctx.textOf(fn);
+            if (text === 'console.log')
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=no-console-log.js.map

package/dist/rules-default/no-console-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-console-log.js","sourceRoot":"","sources":["../../src/rules-default/no-console-log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,gBAAgB;IACpB,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,SAAS;IACnB,OAAO,EAAE,uCAAuC;IAChD,SAAS,EAAE,+BAA+B;IAC1C,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE;gBAAE,OAAO;YAChB,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC5B,IAAI,IAAI,KAAK,aAAa;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-cvv-logging.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-cvv-logging.d.ts.map

package/dist/rules-default/no-cvv-logging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-cvv-logging.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-cvv-logging.ts"],"names":[],"mappings":";AAeA,wBAmBG"}

package/dist/rules-default/no-cvv-logging.js

@@ -0,0 +1,36 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * PCI DSS § 3.2: CVV/CVC must never be persisted or logged. Detect
+ * `console.log` / `logger.*` / `winston.*` / `pino.*` calls whose
+ * arguments reference a `cvv` / `cvc` identifier.
+ *
+ * Limitation: false positive when a variable is named `cvc` for unrelated
+ * reasons.
+ */
+const LOGGER_FN = /^(console\.(log|info|warn|error|debug)|(logger|winston|pino|log)\.\w+)$/;
+const CVV_PATTERN = /\b(cvv|cvc|cvv2|cardSecurityCode)\b/i;
+export default defineRule({
+    id: 'no-cvv-logging',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'CVV/CVC must not appear in log output (PCI DSS § 3.3.1 — sensitive authentication data must not be stored after authorization).',
+    messageKo: 'CVV/CVC를 로그에 기록할 수 없습니다 (PCI DSS § 3.3.1 — 인증 후 민감 인증 데이터 저장 금지).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/no-cvv-logging.md',
+    visitors: {
+        call_expression(node, ctx) {
+            const fnNode = node.childForFieldName('function');
+            if (!fnNode)
+                return;
+            const fnText = ctx.textOf(fnNode);
+            if (!LOGGER_FN.test(fnText))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            const argsText = ctx.textOf(args);
+            if (CVV_PATTERN.test(argsText))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=no-cvv-logging.js.map

package/dist/rules-default/no-cvv-logging.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-cvv-logging.js","sourceRoot":"","sources":["../../src/rules-default/no-cvv-logging.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;;;;GAOG;AACH,MAAM,SAAS,GAAG,yEAAyE,CAAC;AAC5F,MAAM,WAAW,GAAG,sCAAsC,CAAC;AAE3D,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,gBAAgB;IACpB,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,iIAAiI;IAC1I,SAAS,EAAE,mEAAmE;IAC9E,IAAI,EAAE,+EAA+E;IACrF,QAAQ,EAAE;QACR,eAAe,CAAC,IAAuB,EAAE,GAAgB;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM;gBAAE,OAAO;YACpB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO;YACpC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/no-default-export-from-libs.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Inside a `libs/` or `packages/` directory, prefer named exports for tree-shaking
+ * and clearer intent. `export default` makes refactoring/renaming harder across consumers.
+ */
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=no-default-export-from-libs.d.ts.map

package/dist/rules-default/no-default-export-from-libs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-default-export-from-libs.d.ts","sourceRoot":"","sources":["../../src/rules-default/no-default-export-from-libs.ts"],"names":[],"mappings":"AAEA;;;GAGG;;AACH,wBAgBG"}

package/dist/rules-default/no-default-export-from-libs.js

@@ -0,0 +1,24 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Inside a `libs/` or `packages/` directory, prefer named exports for tree-shaking
+ * and clearer intent. `export default` makes refactoring/renaming harder across consumers.
+ */
+export default defineRule({
+    id: 'no-default-export-from-libs',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'warning',
+    message: 'Use named exports from libraries (default exports hinder tree-shaking and renames).',
+    messageKo: '라이브러리는 named export를 사용하세요 (default export는 tree-shaking·이름 변경에 불리).',
+    visitors: {
+        export_statement(node, ctx) {
+            // Only flag `export default ...` patterns inside lib/package directories
+            if (!/(^|[/\\])(libs?|packages)[/\\]/.test(ctx.filePath))
+                return;
+            const text = ctx.textOf(node);
+            if (text.startsWith('export default ')) {
+                ctx.report({ node });
+            }
+        },
+    },
+});
+//# sourceMappingURL=no-default-export-from-libs.js.map