@apiposture/cli 1.0.1

package/dist/output/terminal-formatter.js

@@ -0,0 +1,82 @@
+import { AccessibilityHelper } from './accessibility-helper.js';
+import { getScanSummary } from '../core/models/scan-result.js';
+import { Severity, severityOrder } from '../core/models/severity.js';
+import { formatSourceLocation } from '../core/models/source-location.js';
+export class TerminalFormatter {
+    name = 'terminal';
+    helper;
+    constructor(options = {}) {
+        this.helper = new AccessibilityHelper({
+            noColor: options.noColor,
+            noIcons: options.noIcons,
+        });
+    }
+    format(result) {
+        const lines = [];
+        const summary = getScanSummary(result);
+        // Header
+        lines.push('');
+        lines.push(this.helper.bold('ApiPosture Security Scan Results'));
+        lines.push(this.helper.dim('='.repeat(50)));
+        lines.push('');
+        // Scan info
+        lines.push(`Project: ${this.helper.cyan(result.projectPath)}`);
+        lines.push(`Files scanned: ${result.filesScanned}`);
+        lines.push(`Endpoints found: ${summary.totalEndpoints}`);
+        lines.push(`Scan duration: ${result.scanDurationMs}ms`);
+        lines.push('');
+        // Findings summary
+        if (summary.totalFindings === 0) {
+            lines.push(this.helper.green(`${this.helper.checkmark()} No security findings detected!`));
+        }
+        else {
+            lines.push(this.helper.bold('Findings Summary:'));
+            lines.push(this.formatFindingsSummary(summary.findingsBySeverity));
+            lines.push('');
+            // Findings details
+            lines.push(this.helper.bold('Findings Details:'));
+            lines.push(this.helper.dim('-'.repeat(50)));
+            const activeFindings = result.findings.filter((f) => !f.suppressed);
+            const sortedFindings = this.sortFindingsBySeverity(activeFindings);
+            for (const finding of sortedFindings) {
+                lines.push(this.formatFinding(finding));
+            }
+        }
+        // Suppressed findings
+        if (summary.suppressedFindings > 0) {
+            lines.push('');
+            lines.push(this.helper.dim(`(${summary.suppressedFindings} findings suppressed)`));
+        }
+        lines.push('');
+        return lines.join('\n');
+    }
+    formatFindingsSummary(bySeverity) {
+        const parts = [];
+        for (const severity of Object.values(Severity).reverse()) {
+            const count = bySeverity[severity];
+            if (count > 0) {
+                const icon = this.helper.severityIcon(severity);
+                const text = this.helper.severityColor(severity, `${severity}: ${count}`);
+                parts.push(`  ${icon} ${text}`);
+            }
+        }
+        return parts.join('\n');
+    }
+    formatFinding(finding) {
+        const lines = [];
+        const icon = this.helper.severityIcon(finding.severity);
+        const severityText = this.helper.severityColor(finding.severity, finding.severity.toUpperCase());
+        lines.push('');
+        lines.push(`${icon} ${this.helper.bold(finding.ruleId)}: ${finding.ruleName}`);
+        lines.push(`   Severity: ${severityText}`);
+        lines.push(`   Endpoint: ${this.helper.cyan(`${finding.endpoint.method} ${finding.endpoint.route}`)}`);
+        lines.push(`   Location: ${this.helper.dim(formatSourceLocation(finding.location))}`);
+        lines.push(`   Message: ${finding.message}`);
+        lines.push(`   ${this.helper.dim('Recommendation:')} ${finding.recommendation}`);
+        return lines.join('\n');
+    }
+    sortFindingsBySeverity(findings) {
+        return [...findings].sort((a, b) => severityOrder[b.severity] - severityOrder[a.severity]);
+    }
+}
+//# sourceMappingURL=terminal-formatter.js.map

package/dist/rules/consistency/controller-action-conflict.d.ts

@@ -0,0 +1,19 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP003: Controller/action authorization conflict
+ *
+ * Detects when a method-level @Public decorator overrides class-level
+ * @UseGuards. This can indicate a security misconfiguration where
+ * developers may not realize the method is bypassing controller auth.
+ */
+export declare class ControllerActionConflict implements SecurityRule {
+    readonly id = "AP003";
+    readonly name = "Controller/action authorization conflict";
+    readonly description = "Method-level public marker overrides class-level authentication guards";
+    readonly severity = Severity.Medium;
+    evaluate(endpoint: Endpoint): Finding[];
+}
+//# sourceMappingURL=controller-action-conflict.d.ts.map

package/dist/rules/consistency/controller-action-conflict.js

@@ -0,0 +1,40 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { EndpointType } from '../../core/models/endpoint-type.js';
+/**
+ * AP003: Controller/action authorization conflict
+ *
+ * Detects when a method-level @Public decorator overrides class-level
+ * @UseGuards. This can indicate a security misconfiguration where
+ * developers may not realize the method is bypassing controller auth.
+ */
+export class ControllerActionConflict {
+    id = 'AP003';
+    name = 'Controller/action authorization conflict';
+    description = 'Method-level public marker overrides class-level authentication guards';
+    severity = Severity.Medium;
+    evaluate(endpoint) {
+        const findings = [];
+        // This rule primarily applies to NestJS decorator patterns
+        if (endpoint.type !== EndpointType.NestJS) {
+            return findings;
+        }
+        const auth = endpoint.authorization;
+        // Detect conflict: both authenticated (from class) and explicitly public (from method)
+        if (auth.isAuthenticated && auth.isExplicitlyPublic) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} has @Public overriding class-level guards`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: 'This endpoint has @Public decorator that overrides class-level @UseGuards. ' +
+                    'Ensure this is intentional. If the endpoint should be public, consider ' +
+                    'documenting why. If not, remove the @Public decorator.',
+            }));
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=controller-action-conflict.js.map

package/dist/rules/consistency/missing-auth-on-writes.d.ts

@@ -0,0 +1,21 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP004: Missing authentication on write operations
+ *
+ * Detects write operations (POST, PUT, DELETE, PATCH) that have no
+ * authentication and no explicit public marker. This is the most
+ * dangerous scenario: an unprotected write endpoint that may have
+ * been accidentally left open.
+ */
+export declare class MissingAuthOnWrites implements SecurityRule {
+    readonly id = "AP004";
+    readonly name = "Missing authentication on write operations";
+    readonly description = "Write operation has no authentication and no explicit public marker";
+    readonly severity = Severity.Critical;
+    evaluate(endpoint: Endpoint): Finding[];
+    private getRecommendation;
+}
+//# sourceMappingURL=missing-auth-on-writes.d.ts.map

package/dist/rules/consistency/missing-auth-on-writes.js

@@ -0,0 +1,59 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityClassification } from '../../core/models/security-classification.js';
+import { isWriteMethod } from '../../core/models/http-method.js';
+/**
+ * AP004: Missing authentication on write operations
+ *
+ * Detects write operations (POST, PUT, DELETE, PATCH) that have no
+ * authentication and no explicit public marker. This is the most
+ * dangerous scenario: an unprotected write endpoint that may have
+ * been accidentally left open.
+ */
+export class MissingAuthOnWrites {
+    id = 'AP004';
+    name = 'Missing authentication on write operations';
+    description = 'Write operation has no authentication and no explicit public marker';
+    severity = Severity.Critical;
+    evaluate(endpoint) {
+        const findings = [];
+        const auth = endpoint.authorization;
+        // Flag if:
+        // 1. It's a write method
+        // 2. No authentication
+        // 3. No explicit public marker (so it's accidentally open, not intentionally)
+        if (isWriteMethod(endpoint.method) &&
+            auth.classification === SecurityClassification.Public &&
+            !auth.isAuthenticated &&
+            !auth.isExplicitlyPublic) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} is an unprotected write operation`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: this.getRecommendation(endpoint),
+            }));
+        }
+        return findings;
+    }
+    getRecommendation(endpoint) {
+        switch (endpoint.type) {
+            case 'express':
+                return ('CRITICAL: Add authentication middleware immediately. ' +
+                    'Example: router.post("/path", passport.authenticate("jwt"), handler)');
+            case 'nestjs':
+                return ('CRITICAL: Add @UseGuards(AuthGuard) decorator immediately. ' +
+                    'If this endpoint must be public, add @Public() to make intent explicit.');
+            case 'fastify':
+                return ('CRITICAL: Add authentication via preHandler hook. ' +
+                    'Example: { preHandler: [fastify.authenticate] }');
+            case 'koa':
+                return 'CRITICAL: Add authentication middleware before the route handler.';
+            default:
+                return 'CRITICAL: Add authentication to this write endpoint immediately.';
+        }
+    }
+}
+//# sourceMappingURL=missing-auth-on-writes.js.map

package/dist/rules/exposure/allow-anonymous-on-write.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP002: AllowAnonymous on write operation
+ *
+ * Detects write operations (POST, PUT, DELETE, PATCH) that have been
+ * explicitly marked as public. Write operations should typically require
+ * authentication to prevent unauthorized data modification.
+ */
+export declare class AllowAnonymousOnWrite implements SecurityRule {
+    readonly id = "AP002";
+    readonly name = "AllowAnonymous on write operation";
+    readonly description = "Write operation (POST/PUT/DELETE/PATCH) is explicitly marked as public";
+    readonly severity = Severity.High;
+    evaluate(endpoint: Endpoint): Finding[];
+    private getRecommendation;
+}
+//# sourceMappingURL=allow-anonymous-on-write.d.ts.map

package/dist/rules/exposure/allow-anonymous-on-write.js

@@ -0,0 +1,42 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { isWriteMethod } from '../../core/models/http-method.js';
+/**
+ * AP002: AllowAnonymous on write operation
+ *
+ * Detects write operations (POST, PUT, DELETE, PATCH) that have been
+ * explicitly marked as public. Write operations should typically require
+ * authentication to prevent unauthorized data modification.
+ */
+export class AllowAnonymousOnWrite {
+    id = 'AP002';
+    name = 'AllowAnonymous on write operation';
+    description = 'Write operation (POST/PUT/DELETE/PATCH) is explicitly marked as public';
+    severity = Severity.High;
+    evaluate(endpoint) {
+        const findings = [];
+        const auth = endpoint.authorization;
+        // Only flag if:
+        // 1. It's a write method
+        // 2. It's explicitly marked as public (intentional)
+        if (isWriteMethod(endpoint.method) && auth.isExplicitlyPublic) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} is a write operation explicitly marked as public`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: this.getRecommendation(endpoint),
+            }));
+        }
+        return findings;
+    }
+    getRecommendation(endpoint) {
+        return (`Write operations like ${endpoint.method} typically require authentication. ` +
+            'If public access is truly needed (e.g., user registration, contact form), ' +
+            'consider adding rate limiting and input validation. ' +
+            'Otherwise, remove the public marker and add authentication.');
+    }
+}
+//# sourceMappingURL=allow-anonymous-on-write.js.map

package/dist/rules/exposure/public-without-explicit-intent.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP001: Public without explicit intent
+ *
+ * Detects endpoints that are publicly accessible without an explicit
+ * @Public decorator or allowAnonymous middleware. This catches endpoints
+ * that may be accidentally exposed due to missing authentication.
+ */
+export declare class PublicWithoutExplicitIntent implements SecurityRule {
+    readonly id = "AP001";
+    readonly name = "Public without explicit intent";
+    readonly description = "Endpoint is publicly accessible without explicit @Public or allowAnonymous marker";
+    readonly severity = Severity.High;
+    evaluate(endpoint: Endpoint): Finding[];
+    private getRecommendation;
+}
+//# sourceMappingURL=public-without-explicit-intent.d.ts.map

package/dist/rules/exposure/public-without-explicit-intent.js

@@ -0,0 +1,58 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityClassification } from '../../core/models/security-classification.js';
+/**
+ * AP001: Public without explicit intent
+ *
+ * Detects endpoints that are publicly accessible without an explicit
+ * @Public decorator or allowAnonymous middleware. This catches endpoints
+ * that may be accidentally exposed due to missing authentication.
+ */
+export class PublicWithoutExplicitIntent {
+    id = 'AP001';
+    name = 'Public without explicit intent';
+    description = 'Endpoint is publicly accessible without explicit @Public or allowAnonymous marker';
+    severity = Severity.High;
+    evaluate(endpoint) {
+        const findings = [];
+        const auth = endpoint.authorization;
+        // Only flag if:
+        // 1. Endpoint is classified as public
+        // 2. No explicit public marker
+        // 3. No authentication middleware
+        if (auth.classification === SecurityClassification.Public &&
+            !auth.isExplicitlyPublic &&
+            !auth.isAuthenticated &&
+            auth.guardNames.length === 0) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} is publicly accessible without explicit intent`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: this.getRecommendation(endpoint),
+            }));
+        }
+        return findings;
+    }
+    getRecommendation(endpoint) {
+        switch (endpoint.type) {
+            case 'express':
+                return ('Add authentication middleware (e.g., passport.authenticate) or ' +
+                    'mark as explicitly public with allowAnonymous middleware if intentional.');
+            case 'nestjs':
+                return ('Add @UseGuards(AuthGuard) to require authentication, or ' +
+                    'add @Public() decorator if public access is intentional.');
+            case 'fastify':
+                return ('Add preHandler hook for authentication or ' +
+                    'mark as explicitly public if intentional.');
+            case 'koa':
+                return ('Add authentication middleware or ' +
+                    'mark as explicitly public if intentional.');
+            default:
+                return 'Add authentication or mark as explicitly public if intentional.';
+        }
+    }
+}
+//# sourceMappingURL=public-without-explicit-intent.js.map

package/dist/rules/index.d.ts

@@ -0,0 +1,11 @@
+export * from './rule-interface.js';
+export * from './rule-engine.js';
+export * from './exposure/public-without-explicit-intent.js';
+export * from './exposure/allow-anonymous-on-write.js';
+export * from './consistency/controller-action-conflict.js';
+export * from './consistency/missing-auth-on-writes.js';
+export * from './privilege/excessive-role-access.js';
+export * from './privilege/weak-role-naming.js';
+export * from './surface/sensitive-route-keywords.js';
+export * from './surface/unprotected-endpoint.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/index.js

@@ -0,0 +1,11 @@
+export * from './rule-interface.js';
+export * from './rule-engine.js';
+export * from './exposure/public-without-explicit-intent.js';
+export * from './exposure/allow-anonymous-on-write.js';
+export * from './consistency/controller-action-conflict.js';
+export * from './consistency/missing-auth-on-writes.js';
+export * from './privilege/excessive-role-access.js';
+export * from './privilege/weak-role-naming.js';
+export * from './surface/sensitive-route-keywords.js';
+export * from './surface/unprotected-endpoint.js';
+//# sourceMappingURL=index.js.map

package/dist/rules/privilege/excessive-role-access.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP005: Excessive role access
+ *
+ * Detects endpoints that allow too many roles (>3 by default).
+ * This may indicate overly permissive access control or a need
+ * for refactoring the authorization model.
+ */
+export declare class ExcessiveRoleAccess implements SecurityRule {
+    readonly id = "AP005";
+    readonly name = "Excessive role access";
+    readonly description = "Endpoint allows more than 3 roles";
+    readonly severity = Severity.Low;
+    private readonly maxRoles;
+    evaluate(endpoint: Endpoint): Finding[];
+}
+//# sourceMappingURL=excessive-role-access.d.ts.map

package/dist/rules/privilege/excessive-role-access.js

@@ -0,0 +1,36 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+/**
+ * AP005: Excessive role access
+ *
+ * Detects endpoints that allow too many roles (>3 by default).
+ * This may indicate overly permissive access control or a need
+ * for refactoring the authorization model.
+ */
+export class ExcessiveRoleAccess {
+    id = 'AP005';
+    name = 'Excessive role access';
+    description = 'Endpoint allows more than 3 roles';
+    severity = Severity.Low;
+    maxRoles = 3;
+    evaluate(endpoint) {
+        const findings = [];
+        const roles = endpoint.authorization.roles;
+        if (roles.length > this.maxRoles) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} allows ${roles.length} roles: ${roles.join(', ')}`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: `This endpoint allows ${roles.length} different roles which may indicate ` +
+                    'overly permissive access. Consider: (1) Creating a permission-based system ' +
+                    'instead of role-based, (2) Creating role hierarchies, or (3) Using policies ' +
+                    'to combine related access patterns.',
+            }));
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=excessive-role-access.js.map

package/dist/rules/privilege/weak-role-naming.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP006: Weak role naming
+ *
+ * Detects generic or weak role names that don't clearly define
+ * the access level or purpose. Examples: 'User', 'Admin', 'Guest'.
+ * More specific names like 'billing-admin' or 'content-editor' are preferred.
+ */
+export declare class WeakRoleNaming implements SecurityRule {
+    readonly id = "AP006";
+    readonly name = "Weak role naming";
+    readonly description = "Role names are too generic or weak";
+    readonly severity = Severity.Low;
+    private readonly weakPatterns;
+    evaluate(endpoint: Endpoint): Finding[];
+}
+//# sourceMappingURL=weak-role-naming.d.ts.map

package/dist/rules/privilege/weak-role-naming.js

@@ -0,0 +1,50 @@
+import { createFinding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+/**
+ * AP006: Weak role naming
+ *
+ * Detects generic or weak role names that don't clearly define
+ * the access level or purpose. Examples: 'User', 'Admin', 'Guest'.
+ * More specific names like 'billing-admin' or 'content-editor' are preferred.
+ */
+export class WeakRoleNaming {
+    id = 'AP006';
+    name = 'Weak role naming';
+    description = 'Role names are too generic or weak';
+    severity = Severity.Low;
+    weakPatterns = [
+        /^user$/i,
+        /^admin$/i,
+        /^guest$/i,
+        /^member$/i,
+        /^moderator$/i,
+        /^manager$/i,
+        /^superuser$/i,
+        /^root$/i,
+        /^default$/i,
+        /^basic$/i,
+        /^standard$/i,
+        /^premium$/i,
+        /^vip$/i,
+    ];
+    evaluate(endpoint) {
+        const findings = [];
+        const roles = endpoint.authorization.roles;
+        const weakRoles = roles.filter((role) => this.weakPatterns.some((pattern) => pattern.test(role)));
+        if (weakRoles.length > 0) {
+            findings.push(createFinding({
+                ruleId: this.id,
+                ruleName: this.name,
+                severity: this.severity,
+                message: `${endpoint.method} ${endpoint.route} uses generic role names: ${weakRoles.join(', ')}`,
+                endpoint,
+                location: endpoint.location,
+                recommendation: 'Consider using more descriptive role names that indicate specific permissions ' +
+                    `or responsibilities. Instead of "${weakRoles[0]}", consider names like ` +
+                    '"billing-admin", "content-editor", "inventory-manager", or "read-only-analyst".',
+            }));
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=weak-role-naming.js.map

package/dist/rules/rule-engine.d.ts

@@ -0,0 +1,15 @@
+import { Endpoint } from '../core/models/endpoint.js';
+import { Finding } from '../core/models/finding.js';
+import { SecurityRule, RuleConfig } from './rule-interface.js';
+export interface RuleEngineConfig {
+    rules?: Record<string, RuleConfig>;
+}
+export declare class RuleEngine {
+    private rules;
+    constructor(config?: RuleEngineConfig);
+    private initializeRules;
+    evaluate(endpoints: Endpoint[]): Finding[];
+    getRules(): SecurityRule[];
+    getRuleById(id: string): SecurityRule | undefined;
+}
+//# sourceMappingURL=rule-engine.d.ts.map

package/dist/rules/rule-engine.js

@@ -0,0 +1,52 @@
+// Import all rules
+import { PublicWithoutExplicitIntent } from './exposure/public-without-explicit-intent.js';
+import { AllowAnonymousOnWrite } from './exposure/allow-anonymous-on-write.js';
+import { ControllerActionConflict } from './consistency/controller-action-conflict.js';
+import { MissingAuthOnWrites } from './consistency/missing-auth-on-writes.js';
+import { ExcessiveRoleAccess } from './privilege/excessive-role-access.js';
+import { WeakRoleNaming } from './privilege/weak-role-naming.js';
+import { SensitiveRouteKeywords } from './surface/sensitive-route-keywords.js';
+import { UnprotectedEndpoint } from './surface/unprotected-endpoint.js';
+export class RuleEngine {
+    rules = [];
+    constructor(config) {
+        this.initializeRules(config);
+    }
+    initializeRules(config) {
+        const allRules = [
+            new PublicWithoutExplicitIntent(),
+            new AllowAnonymousOnWrite(),
+            new ControllerActionConflict(),
+            new MissingAuthOnWrites(),
+            new ExcessiveRoleAccess(),
+            new WeakRoleNaming(),
+            new SensitiveRouteKeywords(),
+            new UnprotectedEndpoint(),
+        ];
+        // Filter and configure rules based on config
+        for (const rule of allRules) {
+            const ruleConfig = config?.rules?.[rule.id];
+            if (ruleConfig?.enabled === false) {
+                continue;
+            }
+            this.rules.push(rule);
+        }
+    }
+    evaluate(endpoints) {
+        const findings = [];
+        for (const endpoint of endpoints) {
+            for (const rule of this.rules) {
+                const ruleFindings = rule.evaluate(endpoint);
+                findings.push(...ruleFindings);
+            }
+        }
+        return findings;
+    }
+    getRules() {
+        return [...this.rules];
+    }
+    getRuleById(id) {
+        return this.rules.find((r) => r.id === id);
+    }
+}
+//# sourceMappingURL=rule-engine.js.map

package/dist/rules/rule-interface.d.ts

@@ -0,0 +1,16 @@
+import { Endpoint } from '../core/models/endpoint.js';
+import { Finding } from '../core/models/finding.js';
+import { Severity } from '../core/models/severity.js';
+export interface SecurityRule {
+    readonly id: string;
+    readonly name: string;
+    readonly description: string;
+    readonly severity: Severity;
+    evaluate(endpoint: Endpoint): Finding[];
+}
+export interface RuleConfig {
+    enabled: boolean;
+    severity?: Severity;
+    options?: Record<string, unknown>;
+}
+//# sourceMappingURL=rule-interface.d.ts.map

package/dist/rules/rule-interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=rule-interface.js.map

package/dist/rules/surface/sensitive-route-keywords.d.ts

@@ -0,0 +1,20 @@
+import { Endpoint } from '../../core/models/endpoint.js';
+import { Finding } from '../../core/models/finding.js';
+import { Severity } from '../../core/models/severity.js';
+import { SecurityRule } from '../rule-interface.js';
+/**
+ * AP007: Sensitive route keywords
+ *
+ * Detects publicly accessible routes that contain sensitive keywords
+ * like 'admin', 'debug', 'internal', 'export', etc. These routes
+ * typically should not be publicly accessible.
+ */
+export declare class SensitiveRouteKeywords implements SecurityRule {
+    readonly id = "AP007";
+    readonly name = "Sensitive route keywords";
+    readonly description = "Public route contains sensitive keywords";
+    readonly severity = Severity.Medium;
+    private readonly sensitiveKeywords;
+    evaluate(endpoint: Endpoint): Finding[];
+}
+//# sourceMappingURL=sensitive-route-keywords.d.ts.map