@aicqtools/guardrail 1.0.0-alpha.2

package/dist/rules-default/prefer-named-imports.js

@@ -0,0 +1,25 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * `import * as X from 'module'` namespace imports prevent tree-shaking and
+ * obscure dependency analysis. Prefer named imports unless the module
+ * genuinely exports many disparate symbols (rare).
+ */
+export default defineRule({
+    id: 'prefer-named-imports',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'info',
+    message: 'Avoid `import * as X` namespace imports; use named imports for tree-shaking.',
+    messageKo: '`import * as X` 네임스페이스 import 지양 — tree-shaking을 위해 named import 권장.',
+    visitors: {
+        import_statement(node, ctx) {
+            const text = ctx.textOf(node);
+            if (/import\s+\*\s+as\s+\w+/.test(text)) {
+                // Allow type-only namespace imports (less impact on bundle)
+                if (/import\s+type\s+\*/.test(text))
+                    return;
+                ctx.report({ node });
+            }
+        },
+    },
+});
+//# sourceMappingURL=prefer-named-imports.js.map

package/dist/rules-default/prefer-named-imports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prefer-named-imports.js","sourceRoot":"","sources":["../../src/rules-default/prefer-named-imports.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;GAIG;AACH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,sBAAsB;IAC1B,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,MAAM;IAChB,OAAO,EAAE,8EAA8E;IACvF,SAAS,EAAE,sEAAsE;IACjF,QAAQ,EAAE;QACR,gBAAgB,CAAC,IAAI,EAAE,GAAG;YACxB,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,4DAA4D;gBAC5D,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,OAAO;gBAC5C,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/preserve-transaction-log.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=preserve-transaction-log.d.ts.map

package/dist/rules-default/preserve-transaction-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"preserve-transaction-log.d.ts","sourceRoot":"","sources":["../../src/rules-default/preserve-transaction-log.ts"],"names":[],"mappings":";AAsBA,wBAWG"}

package/dist/rules-default/preserve-transaction-log.js

@@ -0,0 +1,33 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * PCI DSS § 10: financial transactions must produce an audit trail.
+ * Detect functions named pay/charge/payment/refund that lack any logging
+ * or transaction-table write call in their body.
+ */
+const TX_NAME = /^(pay|charge|payment|refund|cancelRefund|issueRefund|pay\w*|charge\w*|payment\w*|refund\w*)$/;
+const LOG_OR_AUDIT = /\b(logger|auditLog|audit|winston|pino)\.\w+|\bconsole\.(log|info|warn|error)|\b(transactions|payment_log|paymentLogs|auditLogs|tx_log)\b.*\.(insert|create|save|push)/;
+function check(node, ctx) {
+    const name = node.childForFieldName('name');
+    if (!name)
+        return;
+    const fnName = ctx.textOf(name);
+    if (!TX_NAME.test(fnName))
+        return;
+    const text = ctx.textOf(node);
+    if (LOG_OR_AUDIT.test(text))
+        return;
+    ctx.report({ node });
+}
+export default defineRule({
+    id: 'preserve-transaction-log',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'Payment/refund function does not produce an audit log entry (PCI DSS § 10.2 — implement audit logs for all access to cardholder data).',
+    messageKo: '결제/환불 함수에 감사 로그 기록이 없습니다 (PCI DSS § 10.2 — 카드 소지자 데이터 접근에 대한 감사 로그 필수).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/preserve-transaction-log.md',
+    visitors: {
+        function_declaration: check,
+        method_definition: check,
+    },
+});
+//# sourceMappingURL=preserve-transaction-log.js.map

package/dist/rules-default/preserve-transaction-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"preserve-transaction-log.js","sourceRoot":"","sources":["../../src/rules-default/preserve-transaction-log.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;GAIG;AACH,MAAM,OAAO,GAAG,8FAA8F,CAAC;AAC/G,MAAM,YAAY,GAAG,uKAAuK,CAAC;AAE7L,SAAS,KAAK,CAAC,IAAuB,EAAE,GAAgB;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO;IAClC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO;IACpC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,0BAA0B;IAC9B,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,wIAAwI;IACjJ,SAAS,EAAE,yEAAyE;IACpF,IAAI,EAAE,yFAAyF;IAC/F,QAAQ,EAAE;QACR,oBAAoB,EAAE,KAAK;QAC3B,iBAAiB,EAAE,KAAK;KACzB;CACF,CAAC,CAAC"}

package/dist/rules-default/pytest-fixture-naming.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=pytest-fixture-naming.d.ts.map

package/dist/rules-default/pytest-fixture-naming.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pytest-fixture-naming.d.ts","sourceRoot":"","sources":["../../src/rules-default/pytest-fixture-naming.ts"],"names":[],"mappings":";AAgBA,wBAeG"}

package/dist/rules-default/pytest-fixture-naming.js

@@ -0,0 +1,36 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+function hasPytestFixtureDecorator(node, textOf) {
+    // function_definition's parent is decorated_definition when decorated
+    const parent = node.parent;
+    if (!parent || parent.type !== 'decorated_definition')
+        return false;
+    for (let i = 0; i < parent.namedChildCount; i++) {
+        const child = parent.namedChild(i);
+        if (!child || child.type !== 'decorator')
+            continue;
+        const text = textOf(child);
+        if (/@pytest\.fixture\b/.test(text) || /^@fixture\b/.test(text))
+            return true;
+    }
+    return false;
+}
+export default defineRule({
+    id: 'pytest-fixture-naming',
+    language: 'python',
+    severity: 'warning',
+    message: 'pytest fixture should not start with `test_` (it would be collected as a test instead).',
+    messageKo: 'pytest fixture 함수는 `test_`로 시작하면 안 됩니다 (테스트로 인식되어 버립니다).',
+    visitors: {
+        function_definition(node, ctx) {
+            const name = node.childForFieldName('name');
+            if (!name)
+                return;
+            const nameText = ctx.textOf(name);
+            if (!nameText.startsWith('test_'))
+                return;
+            if (hasPytestFixtureDecorator(node, ctx.textOf))
+                ctx.report({ node: name });
+        },
+    },
+});
+//# sourceMappingURL=pytest-fixture-naming.js.map

package/dist/rules-default/pytest-fixture-naming.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pytest-fixture-naming.js","sourceRoot":"","sources":["../../src/rules-default/pytest-fixture-naming.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,SAAS,yBAAyB,CAAC,IAAuB,EAAE,MAAwC;IAClG,sEAAsE;IACtE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,sBAAsB;QAAE,OAAO,KAAK,CAAC;IACpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QACnD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,uBAAuB;IAC3B,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,SAAS;IACnB,OAAO,EAAE,yFAAyF;IAClG,SAAS,EAAE,0DAA0D;IACrE,QAAQ,EAAE;QACR,mBAAmB,CAAC,IAAI,EAAE,GAAG;YAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,OAAO;YAC1C,IAAI,yBAAyB,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9E,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/requests-needs-timeout.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=requests-needs-timeout.d.ts.map

package/dist/rules-default/requests-needs-timeout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requests-needs-timeout.d.ts","sourceRoot":"","sources":["../../src/rules-default/requests-needs-timeout.ts"],"names":[],"mappings":";AAiBA,wBAoBG"}

package/dist/rules-default/requests-needs-timeout.js

@@ -0,0 +1,43 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+const REQUESTS_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'request']);
+function hasTimeoutKwarg(args, textOf) {
+    for (let i = 0; i < args.namedChildCount; i++) {
+        const arg = args.namedChild(i);
+        if (!arg)
+            continue;
+        if (arg.type === 'keyword_argument') {
+            const name = arg.childForFieldName('name');
+            if (name && textOf(name) === 'timeout')
+                return true;
+        }
+    }
+    return false;
+}
+export default defineRule({
+    id: 'requests-needs-timeout',
+    language: 'python',
+    severity: 'error',
+    message: 'requests call missing `timeout=...` — without it the call can hang indefinitely.',
+    messageKo: 'requests 호출에 `timeout=...` 누락 — 무한 대기 위험.',
+    visitors: {
+        call(node, ctx) {
+            const fn = node.childForFieldName('function');
+            if (!fn || fn.type !== 'attribute')
+                return;
+            const obj = fn.childForFieldName('object');
+            const attr = fn.childForFieldName('attribute');
+            if (!obj || !attr)
+                return;
+            if (ctx.textOf(obj) !== 'requests')
+                return;
+            if (!REQUESTS_METHODS.has(ctx.textOf(attr)))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            if (!hasTimeoutKwarg(args, ctx.textOf))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=requests-needs-timeout.js.map

package/dist/rules-default/requests-needs-timeout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"requests-needs-timeout.js","sourceRoot":"","sources":["../../src/rules-default/requests-needs-timeout.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AAE1G,SAAS,eAAe,CAAC,IAAuB,EAAE,MAAwC;IACxF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC/B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,GAAG,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC3C,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,SAAS;gBAAE,OAAO,IAAI,CAAC;QACtD,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,wBAAwB;IAC5B,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,kFAAkF;IAC3F,SAAS,EAAE,2CAA2C;IACtD,QAAQ,EAAE;QACR,IAAI,CAAC,IAAI,EAAE,GAAG;YACZ,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,IAAI,KAAK,WAAW;gBAAE,OAAO;YAC3C,MAAM,GAAG,GAAG,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAC/C,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI;gBAAE,OAAO;YAC1B,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,UAAU;gBAAE,OAAO;YAC3C,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAAE,OAAO;YACpD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/require-idempotency-key.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=require-idempotency-key.d.ts.map

package/dist/rules-default/require-idempotency-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-idempotency-key.d.ts","sourceRoot":"","sources":["../../src/rules-default/require-idempotency-key.ts"],"names":[],"mappings":";AAgBA,wBA2BG"}

package/dist/rules-default/require-idempotency-key.js

@@ -0,0 +1,47 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Payment best practice: charge/pay/refund operations must include an
+ * idempotency key to prevent double-spend on retry. Detect functions whose
+ * name contains `pay` / `charge` / `payment` and which lack an
+ * `idempotencyKey` / `Idempotency-Key` reference in the body.
+ *
+ * Limitation: name-based detection — functions named differently
+ * (`processOrder`, `bill`, etc.) are not flagged.
+ */
+const PAYMENT_NAME = /^(pay|charge|payment|chargePayment|pay\w*|charge\w*|payment\w*|process(Pay|Payment|Charge))$/;
+const IDEMPOTENCY = /\b(idempotency[_-]?key|idempotencyKey|Idempotency-Key)\b/i;
+export default defineRule({
+    id: 'require-idempotency-key',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'Payment function missing an idempotency key — required to prevent double-charge on retry (payment-domain best practice; aligns with PCI DSS § 10.2 audit trail integrity).',
+    messageKo: '결제 함수에 idempotency key 누락 — 재시도 시 중복 청구 방지 필수 (결제 도메인 권장 사항; PCI DSS § 10.2 감사 추적 무결성 정렬).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/require-idempotency-key.md',
+    visitors: {
+        function_declaration(node, ctx) {
+            const name = node.childForFieldName('name');
+            if (!name)
+                return;
+            const fnName = ctx.textOf(name);
+            if (!PAYMENT_NAME.test(fnName))
+                return;
+            const text = ctx.textOf(node);
+            if (IDEMPOTENCY.test(text))
+                return;
+            ctx.report({ node });
+        },
+        method_definition(node, ctx) {
+            const name = node.childForFieldName('name');
+            if (!name)
+                return;
+            const fnName = ctx.textOf(name);
+            if (!PAYMENT_NAME.test(fnName))
+                return;
+            const text = ctx.textOf(node);
+            if (IDEMPOTENCY.test(text))
+                return;
+            ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=require-idempotency-key.js.map

package/dist/rules-default/require-idempotency-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-idempotency-key.js","sourceRoot":"","sources":["../../src/rules-default/require-idempotency-key.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;;;;;GAQG;AACH,MAAM,YAAY,GAAG,8FAA8F,CAAC;AACpH,MAAM,WAAW,GAAG,2DAA2D,CAAC;AAEhF,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,yBAAyB;IAC7B,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,4KAA4K;IACrL,SAAS,EAAE,4FAA4F;IACvG,IAAI,EAAE,wFAAwF;IAC9F,QAAQ,EAAE;QACR,oBAAoB,CAAC,IAAuB,EAAE,GAAgB;YAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO;YACvC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACnC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;QACD,iBAAiB,CAAC,IAAuB,EAAE,GAAgB;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO;YACvC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACnC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/require-tls-1-2-plus.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=require-tls-1-2-plus.d.ts.map

package/dist/rules-default/require-tls-1-2-plus.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-tls-1-2-plus.d.ts","sourceRoot":"","sources":["../../src/rules-default/require-tls-1-2-plus.ts"],"names":[],"mappings":";AAWA,wBAkBG"}

package/dist/rules-default/require-tls-1-2-plus.js

@@ -0,0 +1,30 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * PCI DSS § 4.1: cardholder data in transit must use strong cryptography.
+ * Detect TLS configuration that explicitly allows TLSv1 / TLSv1.1 via
+ * `secureProtocol` or `minVersion` options.
+ */
+const FORBIDDEN_PROTO = /['"`](TLSv1(_method)?|TLSv1\.1|TLSv1_1(_method)?|SSLv\d|SSLv\d_method)['"`]/;
+export default defineRule({
+    id: 'require-tls-1-2-plus',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'TLS configuration allows TLS < 1.2 (PCI DSS § 4.2.1 — strong cryptography for cardholder data in transit).',
+    messageKo: 'TLS 1.2 미만 프로토콜을 허용하는 설정 (PCI DSS § 4.2.1 — 카드 소지자 데이터 전송 시 강한 암호화 필수).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/require-tls-1-2-plus.md',
+    visitors: {
+        pair(node, ctx) {
+            const key = node.childForFieldName('key');
+            const value = node.childForFieldName('value');
+            if (!key || !value)
+                return;
+            const keyText = ctx.textOf(key).replace(/^['"`]|['"`]$/g, '');
+            if (keyText !== 'secureProtocol' && keyText !== 'minVersion')
+                return;
+            const valueText = ctx.textOf(value);
+            if (FORBIDDEN_PROTO.test(valueText))
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=require-tls-1-2-plus.js.map

package/dist/rules-default/require-tls-1-2-plus.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-tls-1-2-plus.js","sourceRoot":"","sources":["../../src/rules-default/require-tls-1-2-plus.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;GAIG;AACH,MAAM,eAAe,GAAG,6EAA6E,CAAC;AAEtG,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,sBAAsB;IAC1B,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,4GAA4G;IACrH,SAAS,EAAE,yEAAyE;IACpF,IAAI,EAAE,qFAAqF;IAC3F,QAAQ,EAAE;QACR,IAAI,CAAC,IAAuB,EAAE,GAAgB;YAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK;gBAAE,OAAO;YAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;YAC9D,IAAI,OAAO,KAAK,gBAAgB,IAAI,OAAO,KAAK,YAAY;gBAAE,OAAO;YACrE,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/rfc5987-korean-filename.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=rfc5987-korean-filename.d.ts.map

package/dist/rules-default/rfc5987-korean-filename.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rfc5987-korean-filename.d.ts","sourceRoot":"","sources":["../../src/rules-default/rfc5987-korean-filename.ts"],"names":[],"mappings":";AAcA,wBAeG"}

package/dist/rules-default/rfc5987-korean-filename.js

@@ -0,0 +1,32 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * `Content-Disposition: attachment; filename="<korean>.csv"` without RFC 5987 encoding
+ * breaks Korean filenames in older browsers (esp. IE11/old Safari). Use
+ * `filename*=UTF-8''<encoded>` form.
+ *
+ * Heuristic: inspect whole call expressions (e.g. `setHeader("Content-Disposition", "...")`)
+ * so multi-arg patterns where the header name and value live in separate strings are caught.
+ */
+const HAS_KOREAN = /[ㄱ-힝]/;
+const HAS_RFC5987 = /filename\*\s*=\s*UTF-8''/i;
+const HAS_CONTENT_DISPOSITION = /Content-Disposition/i;
+export default defineRule({
+    id: 'rfc5987-korean-filename',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'warning',
+    message: 'Content-Disposition with Korean filename should use RFC 5987 (`filename*=UTF-8\'\'...`).',
+    messageKo: '한글 파일명 Content-Disposition은 RFC 5987 인코딩 필요 (`filename*=UTF-8\'\'...`).',
+    visitors: {
+        call_expression(node, ctx) {
+            const text = ctx.textOf(node);
+            if (!HAS_CONTENT_DISPOSITION.test(text))
+                return;
+            if (!HAS_KOREAN.test(text))
+                return;
+            if (HAS_RFC5987.test(text))
+                return;
+            ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=rfc5987-korean-filename.js.map

package/dist/rules-default/rfc5987-korean-filename.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rfc5987-korean-filename.js","sourceRoot":"","sources":["../../src/rules-default/rfc5987-korean-filename.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;;;;GAOG;AACH,MAAM,UAAU,GAAG,OAAO,CAAC;AAC3B,MAAM,WAAW,GAAG,2BAA2B,CAAC;AAChD,MAAM,uBAAuB,GAAG,sBAAsB,CAAC;AAEvD,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,yBAAyB;IAC7B,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,SAAS;IACnB,OAAO,EAAE,0FAA0F;IACnG,SAAS,EAAE,yEAAyE;IACpF,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC9B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YAChD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACnC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO;YACnC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/route-needs-auth.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=route-needs-auth.d.ts.map

package/dist/rules-default/route-needs-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-needs-auth.d.ts","sourceRoot":"","sources":["../../src/rules-default/route-needs-auth.ts"],"names":[],"mappings":";AAkBA,wBA2BG"}

package/dist/rules-default/route-needs-auth.js

@@ -0,0 +1,48 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+const ROUTER_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);
+const AUTH_PATTERN = /auth(enticate)?|requireUser|requireAuth|isAuthenticated/i;
+// Public path patterns that don't require auth
+const PUBLIC_PATH_PATTERN = /^["'`](\/health|\/ping|\/login|\/signup|\/auth\/|\/public\/)/;
+function isRouterCall(callee, textOf) {
+    if (callee.type !== 'member_expression')
+        return false;
+    const obj = callee.childForFieldName('object');
+    const prop = callee.childForFieldName('property');
+    if (!obj || !prop)
+        return false;
+    const objText = textOf(obj);
+    if (objText !== 'router' && objText !== 'app')
+        return false;
+    return ROUTER_METHODS.has(textOf(prop));
+}
+export default defineRule({
+    id: 'route-needs-auth',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'error',
+    message: 'Route is missing an authentication middleware (e.g. `authenticate`, `requireAuth`).',
+    messageKo: '라우트에 인증 미들웨어가 빠졌습니다 (`authenticate` / `requireAuth` 등).',
+    visitors: {
+        call_expression(node, ctx) {
+            const callee = node.childForFieldName('function');
+            if (!callee || !isRouterCall(callee, ctx.textOf))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args || args.namedChildCount < 2)
+                return;
+            const pathArg = args.namedChild(0);
+            if (pathArg && PUBLIC_PATH_PATTERN.test(ctx.textOf(pathArg)))
+                return;
+            let hasAuth = false;
+            for (let i = 1; i < args.namedChildCount; i++) {
+                const arg = args.namedChild(i);
+                if (arg && AUTH_PATTERN.test(ctx.textOf(arg))) {
+                    hasAuth = true;
+                    break;
+                }
+            }
+            if (!hasAuth)
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=route-needs-auth.js.map

package/dist/rules-default/route-needs-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-needs-auth.js","sourceRoot":"","sources":["../../src/rules-default/route-needs-auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC1E,MAAM,YAAY,GAAG,0DAA0D,CAAC;AAChF,+CAA+C;AAC/C,MAAM,mBAAmB,GAAG,8DAA8D,CAAC;AAE3F,SAAS,YAAY,CAAC,MAAyB,EAAE,MAAwC;IACvF,IAAI,MAAM,CAAC,IAAI,KAAK,mBAAmB;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,GAAG,GAAG,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,kBAAkB;IACtB,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,qFAAqF;IAC9F,SAAS,EAAE,yDAAyD;IACpE,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC;gBAAE,OAAO;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,eAAe,GAAG,CAAC;gBAAE,OAAO;YAE9C,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,OAAO,IAAI,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAAE,OAAO;YAErE,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAC/B,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC9C,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM;gBACR,CAAC;YACH,CAAC;YACD,IAAI,CAAC,OAAO;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/route-needs-rate-limit.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=route-needs-rate-limit.d.ts.map

package/dist/rules-default/route-needs-rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-needs-rate-limit.d.ts","sourceRoot":"","sources":["../../src/rules-default/route-needs-rate-limit.ts"],"names":[],"mappings":";AAqBA,wBAuBG"}

package/dist/rules-default/route-needs-rate-limit.js

@@ -0,0 +1,47 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+const ROUTER_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete']);
+const RATE_LIMIT_PATTERN = /rate.?limit/i;
+function isRouterCall(callee, textOf) {
+    if (callee.type !== 'member_expression')
+        return false;
+    const obj = callee.childForFieldName('object');
+    const prop = callee.childForFieldName('property');
+    if (!obj || !prop)
+        return false;
+    const objText = textOf(obj);
+    if (objText !== 'router' && objText !== 'app')
+        return false;
+    return ROUTER_METHODS.has(textOf(prop));
+}
+function argHasRateLimit(arg, textOf) {
+    const text = textOf(arg);
+    return RATE_LIMIT_PATTERN.test(text);
+}
+export default defineRule({
+    id: 'route-needs-rate-limit',
+    language: ['typescript', 'javascript', 'tsx'],
+    severity: 'error',
+    message: 'New route is missing a rate-limit middleware.',
+    messageKo: '새 라우트에 rate-limit 미들웨어가 빠졌습니다.',
+    visitors: {
+        call_expression(node, ctx) {
+            const callee = node.childForFieldName('function');
+            if (!callee || !isRouterCall(callee, ctx.textOf))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            let hasRateLimit = false;
+            for (let i = 0; i < args.namedChildCount; i++) {
+                const arg = args.namedChild(i);
+                if (arg && argHasRateLimit(arg, ctx.textOf)) {
+                    hasRateLimit = true;
+                    break;
+                }
+            }
+            if (!hasRateLimit)
+                ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=route-needs-rate-limit.js.map

package/dist/rules-default/route-needs-rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route-needs-rate-limit.js","sourceRoot":"","sources":["../../src/rules-default/route-needs-rate-limit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC1E,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAE1C,SAAS,YAAY,CAAC,MAAyB,EAAE,MAAwC;IACvF,IAAI,MAAM,CAAC,IAAI,KAAK,mBAAmB;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,GAAG,GAAG,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,eAAe,CAAC,GAAsB,EAAE,MAAwC;IACvF,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,wBAAwB;IAC5B,QAAQ,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;IAC7C,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,+CAA+C;IACxD,SAAS,EAAE,gCAAgC;IAC3C,QAAQ,EAAE;QACR,eAAe,CAAC,IAAI,EAAE,GAAG;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC;gBAAE,OAAO;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,IAAI,YAAY,GAAG,KAAK,CAAC;YACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAC/B,IAAI,GAAG,IAAI,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC5C,YAAY,GAAG,IAAI,CAAC;oBACpB,MAAM;gBACR,CAAC;YACH,CAAC;YACD,IAAI,CAAC,YAAY;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1C,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/separate-refund-permission.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=separate-refund-permission.d.ts.map

package/dist/rules-default/separate-refund-permission.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"separate-refund-permission.d.ts","sourceRoot":"","sources":["../../src/rules-default/separate-refund-permission.ts"],"names":[],"mappings":";AAsBA,wBAWG"}

package/dist/rules-default/separate-refund-permission.js

@@ -0,0 +1,33 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Refund operations are highly privileged — separation of duties requires
+ * a permission check before invoking any refund logic. Detect functions
+ * named `refund*` whose body lacks a permission/role check.
+ */
+const REFUND_NAME = /^(refund|cancelRefund|issueRefund|refund\w*)$/;
+const PERMISSION_CHECK = /\b(req\.user\.role|hasPermission|checkPermission|isAdmin|requireRole|allowedRoles|authGuard|RBAC|canRefund|verifyPermission)\b/i;
+function check(node, ctx) {
+    const name = node.childForFieldName('name');
+    if (!name)
+        return;
+    const fnName = ctx.textOf(name);
+    if (!REFUND_NAME.test(fnName))
+        return;
+    const text = ctx.textOf(node);
+    if (PERMISSION_CHECK.test(text))
+        return;
+    ctx.report({ node });
+}
+export default defineRule({
+    id: 'separate-refund-permission',
+    language: ['typescript', 'tsx'],
+    severity: 'error',
+    message: 'Refund function lacks a permission/role check (PCI DSS § 7.2 — restrict access by business need-to-know; separation of duties).',
+    messageKo: '환불 함수에 권한 체크가 없습니다 (PCI DSS § 7.2 — 업무 필요에 따른 접근 제한; 직무 분리 원칙).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/separate-refund-permission.md',
+    visitors: {
+        function_declaration: check,
+        method_definition: check,
+    },
+});
+//# sourceMappingURL=separate-refund-permission.js.map

package/dist/rules-default/separate-refund-permission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"separate-refund-permission.js","sourceRoot":"","sources":["../../src/rules-default/separate-refund-permission.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;GAIG;AACH,MAAM,WAAW,GAAG,+CAA+C,CAAC;AACpE,MAAM,gBAAgB,GAAG,iIAAiI,CAAC;AAE3J,SAAS,KAAK,CAAC,IAAuB,EAAE,GAAgB;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO;IACtC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO;IACxC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,4BAA4B;IAChC,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,OAAO;IACjB,OAAO,EAAE,iIAAiI;IAC1I,SAAS,EAAE,iEAAiE;IAC5E,IAAI,EAAE,2FAA2F;IACjG,QAAQ,EAAE;QACR,oBAAoB,EAAE,KAAK;QAC3B,iBAAiB,EAAE,KAAK;KACzB;CACF,CAAC,CAAC"}

package/dist/rules-default/track-ai-model-version.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=track-ai-model-version.d.ts.map

package/dist/rules-default/track-ai-model-version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"track-ai-model-version.d.ts","sourceRoot":"","sources":["../../src/rules-default/track-ai-model-version.ts"],"names":[],"mappings":";AAeA,wBAoBG"}

package/dist/rules-default/track-ai-model-version.js

@@ -0,0 +1,37 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * FSC AI guideline: AI inference calls must specify the model name explicitly
+ * so audits can trace which model produced a given decision. Detect calls to
+ * `openai.chat.completions.create()` / `anthropic.messages.create()` whose
+ * argument object lacks a `model:` property.
+ *
+ * Limitation: false negatives when the options object is built elsewhere and
+ * passed in as a variable.
+ */
+const TARGET_FN = /\b(openai\.chat\.completions\.create|anthropic\.messages\.create|openai\.completions\.create)$/;
+export default defineRule({
+    id: 'track-ai-model-version',
+    language: ['typescript', 'tsx'],
+    severity: 'warning',
+    message: 'AI inference call missing explicit `model:` parameter (FSC AI guideline — model governance).',
+    messageKo: 'AI 추론 호출에 `model:` 파라미터가 명시되지 않았습니다 (금감원 AI 가이드라인 — 모델 거버넌스).',
+    docs: 'https://github.com/aicqtools/aicqtools/blob/main/docs/rules/track-ai-model-version.md',
+    visitors: {
+        call_expression(node, ctx) {
+            const fnNode = node.childForFieldName('function');
+            if (!fnNode)
+                return;
+            const fnText = ctx.textOf(fnNode);
+            if (!TARGET_FN.test(fnText))
+                return;
+            const args = node.childForFieldName('arguments');
+            if (!args)
+                return;
+            const argsText = ctx.textOf(args);
+            if (/\bmodel\s*:/.test(argsText))
+                return;
+            ctx.report({ node });
+        },
+    },
+});
+//# sourceMappingURL=track-ai-model-version.js.map

package/dist/rules-default/track-ai-model-version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"track-ai-model-version.js","sourceRoot":"","sources":["../../src/rules-default/track-ai-model-version.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD;;;;;;;;GAQG;AACH,MAAM,SAAS,GAAG,gGAAgG,CAAC;AAEnH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,wBAAwB;IAC5B,QAAQ,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;IAC/B,QAAQ,EAAE,SAAS;IACnB,OAAO,EAAE,8FAA8F;IACvG,SAAS,EAAE,+DAA+D;IAC1E,IAAI,EAAE,uFAAuF;IAC7F,QAAQ,EAAE;QACR,eAAe,CAAC,IAAuB,EAAE,GAAgB;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM;gBAAE,OAAO;YACpB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO;YACpC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO;YACzC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACvB,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/type-hint-required-public.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Public functions (not starting with `_`) should have a return type annotation.
+ * Helps catch type errors and serves as inline documentation.
+ *
+ * Heuristic: looks for `-> Type:` after parameter list. False positives possible
+ * for functions that genuinely have no useful return type, but that's rare.
+ */
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=type-hint-required-public.d.ts.map

package/dist/rules-default/type-hint-required-public.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-hint-required-public.d.ts","sourceRoot":"","sources":["../../src/rules-default/type-hint-required-public.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;;AACH,wBAgBG"}

package/dist/rules-default/type-hint-required-public.js

@@ -0,0 +1,29 @@
+import { defineRule } from '@aicqtools/rule-sdk';
+/**
+ * Public functions (not starting with `_`) should have a return type annotation.
+ * Helps catch type errors and serves as inline documentation.
+ *
+ * Heuristic: looks for `-> Type:` after parameter list. False positives possible
+ * for functions that genuinely have no useful return type, but that's rare.
+ */
+export default defineRule({
+    id: 'type-hint-required-public',
+    language: 'python',
+    severity: 'info',
+    message: 'Public function is missing a return type annotation (`-> Type:`).',
+    messageKo: 'public 함수에 반환 타입 어노테이션 누락 (`-> Type:`).',
+    visitors: {
+        function_definition(node, ctx) {
+            const name = node.childForFieldName('name');
+            if (!name)
+                return;
+            const nameText = ctx.textOf(name);
+            if (nameText.startsWith('_'))
+                return;
+            const returnType = node.childForFieldName('return_type');
+            if (!returnType)
+                ctx.report({ node: name });
+        },
+    },
+});
+//# sourceMappingURL=type-hint-required-public.js.map

package/dist/rules-default/type-hint-required-public.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-hint-required-public.js","sourceRoot":"","sources":["../../src/rules-default/type-hint-required-public.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;;;;;GAMG;AACH,eAAe,UAAU,CAAC;IACxB,EAAE,EAAE,2BAA2B;IAC/B,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,MAAM;IAChB,OAAO,EAAE,mEAAmE;IAC5E,SAAS,EAAE,yCAAyC;IACpD,QAAQ,EAAE;QACR,mBAAmB,CAAC,IAAI,EAAE,GAAG;YAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,OAAO;YACrC,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC;YACzD,IAAI,CAAC,UAAU;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;KACF;CACF,CAAC,CAAC"}

package/dist/rules-default/verify-pg-response.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("@aicqtools/rule-sdk").FunctionRule;
+export default _default;
+//# sourceMappingURL=verify-pg-response.d.ts.map