@delegance/claude-autopilot 5.0.1 → 5.0.3

package/src/core/schema-alignment/types.ts

@@ -1,43 +0,0 @@
-// src/core/schema-alignment/types.ts
-
-export interface SchemaEntity {
-  table: string;
-  column?: string;
-  operation: 'create_table' | 'add_column' | 'drop_column' | 'rename_column' | 'create_type';
-  oldName?: string; // rename_column only: the previous column name
-}
-
-export interface Evidence {
-  file: string;
-  line: number;
-  snippet: string;
-  confidence: 'high' | 'medium' | 'low';
-}
-
-export interface LayerScanResult {
-  entity: SchemaEntity;
-  typeLayer: Evidence | null;
-  apiLayer: Evidence | null;
-  uiLayer: Evidence | null;
-}
-
-export interface AlignmentFinding {
-  entity: SchemaEntity;
-  layer: 'type' | 'api' | 'ui';
-  message: string;
-  file?: string;
-  severity: 'warning' | 'error';
-  confidence: 'high' | 'medium' | 'low';
-}
-
-export interface SchemaAlignmentConfig {
-  enabled?: boolean;
-  migrationGlobs?: string[];
-  layerRoots?: {
-    types?: string[];
-    api?: string[];
-    ui?: string[];
-  };
-  llmCheck?: boolean;
-  severity?: 'warning' | 'error';
-}

package/src/core/shell.ts

@@ -1,48 +0,0 @@
-// src/core/shell.ts
-
-import { execFileSync } from 'node:child_process';
-import { GuardrailError, type ErrorCode } from './errors.ts';
-
-export interface RunOptions {
-  timeout?: number;
-  input?: string;
-  cwd?: string;
-  env?: NodeJS.ProcessEnv;
-}
-
-/** Run a command; return stdout on success, null on any failure. Never throws. */
-export function runSafe(cmd: string, args: string[], options: RunOptions = {}): string | null {
-  try {
-    const result = execFileSync(cmd, args, {
-      encoding: 'utf8',
-      stdio: options.input ? ['pipe', 'pipe', 'pipe'] : ['ignore', 'pipe', 'pipe'],
-      timeout: options.timeout ?? 60000,
-      input: options.input,
-      cwd: options.cwd,
-      env: options.env,
-    });
-    return result.toString();
-  } catch {
-    return null;
-  }
-}
-
-/** Run a command; throw GuardrailError on failure. */
-export function runThrowing(cmd: string, args: string[], options: RunOptions & { errorCode?: ErrorCode; provider?: string } = {}): string {
-  try {
-    return execFileSync(cmd, args, {
-      encoding: 'utf8',
-      stdio: options.input ? ['pipe', 'pipe', 'pipe'] : ['ignore', 'pipe', 'pipe'],
-      timeout: options.timeout ?? 60000,
-      input: options.input,
-      cwd: options.cwd,
-      env: options.env,
-    }).toString();
-  } catch (err) {
-    throw new GuardrailError(`Command failed: ${cmd} ${args.join(' ')}`, {
-      code: options.errorCode ?? 'transient_network',
-      provider: options.provider,
-      details: { cmd, args, cause: err instanceof Error ? err.message : String(err) },
-    });
-  }
-}

package/src/core/static-rules/registry.ts

@@ -1,59 +0,0 @@
-import type { StaticRule } from '../phases/static-rules.ts';
-import type { StaticRuleReference } from '../config/types.ts';
-import { resolveSiblingModule } from '../../cli/_pkg-root.ts';
-
-// Dynamic-import string literals that end in `.ts` are NOT rewritten by tsc's
-// `rewriteRelativeImportExtensions`. resolveSiblingModule swaps `.ts` → `.js`
-// when the caller is itself compiled, so these imports resolve correctly under
-// both source (`tsx`) and compiled (`node dist/...`) layouts.
-const importRule = <T>(ref: string, exportName: string): Promise<StaticRule> =>
-  import(resolveSiblingModule(ref, import.meta.url)).then((m: Record<string, T>) => m[exportName] as unknown as StaticRule);
-
-// Built-in cross-stack rules
-const BUILTIN: Record<string, () => Promise<StaticRule>> = {
-  'hardcoded-secrets':  () => importRule('./rules/hardcoded-secrets.ts', 'hardcodedSecretsRule'),
-  'npm-audit':          () => importRule('./rules/npm-audit.ts', 'npmAuditRule'),
-  'package-lock-sync':  () => importRule('./rules/package-lock-sync.ts', 'packageLockSyncRule'),
-  'console-log':        () => importRule('./rules/console-log.ts', 'consoleLogRule'),
-  'todo-fixme':         () => importRule('./rules/todo-fixme.ts', 'todoFixmeRule'),
-  'large-file':         () => importRule('./rules/large-file.ts', 'largeFileRule'),
-  'missing-tests':      () => importRule('./rules/missing-tests.ts', 'missingTestsRule'),
-  // Security rules
-  'sql-injection':      () => importRule('./rules/sql-injection.ts', 'sqlInjectionRule'),
-  'missing-auth':       () => importRule('./rules/missing-auth.ts', 'missingAuthRule'),
-  'ssrf':               () => importRule('./rules/ssrf.ts', 'ssrfRule'),
-  'insecure-redirect':  () => importRule('./rules/insecure-redirect.ts', 'insecureRedirectRule'),
-  // Brand rules
-  'brand-tokens':       () => importRule('./rules/brand-tokens.ts', 'brandTokensRule'),
-  // Schema alignment
-  'schema-alignment':   () => importRule('./rules/schema-alignment.ts', 'schemaAlignmentRule'),
-};
-
-// Preset-specific rules registered by name
-const PRESET: Record<string, () => Promise<StaticRule>> = {
-  'supabase-rls-bypass':  () => importRule('../../../presets/nextjs-supabase/rules/supabase-rls-bypass.ts', 'supabaseRlsBypassRule'),
-  'go-sql-injection':     () => importRule('../../../presets/go/rules/go-sql-injection.ts', 'goSqlInjectionRule'),
-  'fastapi-missing-auth': () => importRule('../../../presets/python-fastapi/rules/fastapi-missing-auth.ts', 'fastapiMissingAuthRule'),
-  't3-server-only':       () => importRule('../../../presets/t3/rules/t3-server-only.ts', 't3ServerOnlyRule'),
-  'rails-sql-injection':  () => importRule('../../../presets/rails-postgres/rules/rails-sql-injection.ts', 'railsSqlInjectionRule'),
-};
-
-const ALL = { ...BUILTIN, ...PRESET };
-
-export async function loadRulesFromConfig(refs: StaticRuleReference[]): Promise<StaticRule[]> {
-  const rules: StaticRule[] = [];
-  for (const ref of refs) {
-    const name = typeof ref === 'string' ? ref : ref.adapter;
-    const loader = ALL[name];
-    if (loader) {
-      rules.push(await loader());
-    } else {
-      process.stderr.write(`[guardrail] Unknown static rule: "${name}" — skipping\n`);
-    }
-  }
-  return rules;
-}
-
-export function listAvailableRules(): string[] {
-  return Object.keys(ALL);
-}

package/src/core/static-rules/rules/brand-tokens.ts

@@ -1,145 +0,0 @@
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-import { extractTailwindColors } from '../tailwind-extractor.ts';
-
-const UI_EXTS = new Set(['.tsx', '.jsx', '.ts', '.js', '.css', '.scss', '.sass', '.less', '.html', '.vue', '.svelte']);
-const HEX_RE = /#([0-9a-fA-F]{6}|[0-9a-fA-F]{3})\b/g;
-const TAILWIND_ARBITRARY_HEX = /(?:bg|text|border|ring|fill|stroke|from|to|via)-\[#([0-9a-fA-F]{6}|[0-9a-fA-F]{3})\]/g;
-// Matches the hex portion inside a Tailwind arbitrary color bracket so we can strip it before plain HEX_RE scan
-const TAILWIND_ARBITRARY_HEX_STRIP = /(?:bg|text|border|ring|fill|stroke|from|to|via)-\[#[0-9a-fA-F]{3,6}\]/g;
-const FONT_FAMILY_RE = /font-family\s*:\s*([^;}\n]+)/g;
-const CSS_EXTS = new Set(['.css', '.scss', '.sass', '.less']);
-
-function normalizeHex(hex: string): string {
-  const h = hex.toLowerCase();
-  if (h.length === 4) {
-    const r = h[1]!, g = h[2]!, b = h[3]!;
-    return `#${r}${r}${g}${g}${b}${b}`;
-  }
-  return h;
-}
-
-function buildPalette(
-  brandCfg: { colorsFrom?: string; colors?: string[] },
-  cwd: string,
-): Set<string> | null {
-  const hasColorsFrom = !!brandCfg.colorsFrom;
-  const hasColors = Array.isArray(brandCfg.colors) && brandCfg.colors.length > 0;
-  if (!hasColorsFrom && !hasColors) return null;
-
-  const palette = new Set<string>();
-  if (hasColorsFrom) {
-    const cfgPath = path.isAbsolute(brandCfg.colorsFrom!)
-      ? brandCfg.colorsFrom!
-      : path.resolve(cwd, brandCfg.colorsFrom!);
-    for (const c of extractTailwindColors(cfgPath)) palette.add(normalizeHex(c));
-  }
-  for (const c of brandCfg.colors ?? []) palette.add(normalizeHex(c));
-  return palette;
-}
-
-export const brandTokensRule: StaticRule = {
-  name: 'brand-tokens',
-  severity: 'warning',
-
-  async check(touchedFiles: string[], config: Record<string, unknown> = {}): Promise<Finding[]> {
-    const brandCfg = config.brand as
-      | { colorsFrom?: string; colors?: string[]; fonts?: string[] }
-      | undefined;
-
-    if (!brandCfg) return [];
-
-    const cwd = process.cwd();
-    const palette = buildPalette(brandCfg, cwd);
-    const canonicalFonts = brandCfg.fonts?.map(f => f.toLowerCase()) ?? [];
-    const findings: Finding[] = [];
-
-    for (const file of touchedFiles) {
-      const ext = path.extname(file);
-      if (!UI_EXTS.has(ext)) continue;
-
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-
-      const lines = content.split('\n');
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i]!;
-        const trimmed = line.trim();
-        if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) continue;
-
-        if (palette && palette.size > 0) {
-          // Check Tailwind arbitrary color classes first, then scan remaining line for plain hex
-          TAILWIND_ARBITRARY_HEX.lastIndex = 0;
-          let m: RegExpExecArray | null;
-          while ((m = TAILWIND_ARBITRARY_HEX.exec(line)) !== null) {
-            const hex = normalizeHex(`#${m[1]!}`);
-            if (!palette.has(hex)) {
-              findings.push({
-                id: `brand-tokens:tailwind:${file}:${i + 1}`,
-                source: 'static-rules',
-                severity: 'warning',
-                category: 'brand-tokens',
-                file,
-                line: i + 1,
-                message: `Off-brand Tailwind arbitrary color ${hex} is not in the canonical palette`,
-                suggestion: `Replace with a Tailwind token from your brand palette (e.g. bg-primary, text-brand)`,
-                protectedPath: false,
-                createdAt: new Date().toISOString(),
-              });
-            }
-          }
-
-          // Strip Tailwind arbitrary color brackets before plain hex scan to avoid double-reporting
-          const lineWithoutTailwindArbitrary = line.replace(TAILWIND_ARBITRARY_HEX_STRIP, '');
-          HEX_RE.lastIndex = 0;
-          while ((m = HEX_RE.exec(lineWithoutTailwindArbitrary)) !== null) {
-            const hex = normalizeHex(m[0]!);
-            if (!palette.has(hex)) {
-              const palettePreview = [...palette].slice(0, 5).join(', ');
-              findings.push({
-                id: `brand-tokens:${file}:${i + 1}`,
-                source: 'static-rules',
-                severity: 'warning',
-                category: 'brand-tokens',
-                file,
-                line: i + 1,
-                message: `Off-brand color ${hex} is not in the canonical palette`,
-                suggestion: `Use a brand token. Canonical colors: ${palettePreview}${palette.size > 5 ? ` (+${palette.size - 5} more)` : ''}`,
-                protectedPath: false,
-                createdAt: new Date().toISOString(),
-              });
-            }
-          }
-        }
-
-        if (canonicalFonts.length > 0 && CSS_EXTS.has(ext)) {
-          FONT_FAMILY_RE.lastIndex = 0;
-          let fm: RegExpExecArray | null;
-          while ((fm = FONT_FAMILY_RE.exec(line)) !== null) {
-            const declaration = fm[1]!;
-            const declared = declaration.split(',').map(f => f.trim().replace(/['"]/g, '').toLowerCase());
-            const hasCanonical = declared.some(f => canonicalFonts.some(cf => f.includes(cf)));
-            if (!hasCanonical) {
-              findings.push({
-                id: `brand-tokens:font:${file}:${i + 1}`,
-                source: 'static-rules',
-                severity: 'warning',
-                category: 'brand-tokens',
-                file,
-                line: i + 1,
-                message: `Off-brand font-family "${declaration.trim()}" — not in canonical fonts list`,
-                suggestion: `Use one of the canonical fonts: ${canonicalFonts.join(', ')}`,
-                protectedPath: false,
-                createdAt: new Date().toISOString(),
-              });
-            }
-          }
-        }
-      }
-    }
-
-    return findings;
-  },
-};

package/src/core/static-rules/rules/console-log.ts

@@ -1,42 +0,0 @@
-import * as fs from 'node:fs';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-const CONSOLE_CALLS = /\bconsole\.(log|debug|info)\s*\(/;
-const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mts', '.cts', '.mjs', '.cjs']);
-const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
-
-export const consoleLogRule: StaticRule = {
-  name: 'console-log',
-  severity: 'warning',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      const ext = file.slice(file.lastIndexOf('.'));
-      if (!CODE_EXTS.has(ext) || TEST_PATH.test(file)) continue;
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-      const lines = content.split('\n');
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i]!;
-        if (line.trim().startsWith('//')) continue;
-        if (CONSOLE_CALLS.test(line)) {
-          findings.push({
-            id: `console-log:${file}:${i + 1}`,
-            source: 'static-rules',
-            severity: 'warning',
-            category: 'console-log',
-            file,
-            line: i + 1,
-            message: 'console.log/debug/info left in production code',
-            suggestion: 'Remove or replace with a structured logger',
-            protectedPath: false,
-            createdAt: new Date().toISOString(),
-          });
-        }
-      }
-    }
-    return findings;
-  },
-};

package/src/core/static-rules/rules/hardcoded-secrets.ts

@@ -1,83 +0,0 @@
-import * as fs from 'node:fs';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-const SECRET_PATTERNS: { regex: RegExp; label: string }[] = [
-  // Cloud provider keys
-  { regex: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS Access Key ID' },
-  { regex: /\b(?:aws|AWS)_?(?:secret|SECRET)_?(?:key|KEY|access|ACCESS)\s*[:=]\s*['"][A-Za-z0-9/+]{40}['"]/, label: 'AWS Secret Access Key' },
-
-  // LLM / AI providers
-  { regex: /\bsk-ant-[a-zA-Z0-9\-_]{20,}\b/, label: 'Anthropic API key' },
-  { regex: /\bsk-[a-zA-Z0-9]{20,}\b(?!.*placeholder)/, label: 'OpenAI API key' },
-  { regex: /\bgsk_[a-zA-Z0-9]{20,}\b/, label: 'Groq API key' },
-
-  // Payment
-  { regex: /\bsk_live_[a-zA-Z0-9]{24,}\b/, label: 'Stripe secret key (live)' },
-  { regex: /\brk_live_[a-zA-Z0-9]{24,}\b/, label: 'Stripe restricted key (live)' },
-
-  // Source control / CI
-  { regex: /\bghp_[a-zA-Z0-9]{36}\b/, label: 'GitHub personal access token' },
-  { regex: /\bghs_[a-zA-Z0-9]{36}\b/, label: 'GitHub Actions token' },
-  { regex: /\bgithub_pat_[a-zA-Z0-9_]{82}\b/, label: 'GitHub fine-grained PAT' },
-
-  // Communication
-  { regex: /\bSG\.[a-zA-Z0-9\-_]{22,}\.[a-zA-Z0-9\-_]{43,}\b/, label: 'SendGrid API key' },
-  { regex: /\bAC[a-f0-9]{32}\b/, label: 'Twilio Account SID' },
-
-  // Database / BaaS
-  { regex: /\bservice_role\b.*\beyJ[a-zA-Z0-9._-]{100,}\b/, label: 'Supabase service role JWT' },
-  { regex: /\beyJ[a-zA-Z0-9._-]{150,}\b/, label: 'Long JWT (possible service key)' },
-
-  // Generic patterns
-  { regex: /(?:^|[^a-z])(?:password|passwd|pwd)\s*[:=]\s*['"](?!\/)[^'"]{6,}['"]/, label: 'Hardcoded password' },
-  { regex: /(?:api_key|apikey|api-key)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded API key' },
-  { regex: /(?:secret|secret_key|secretkey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded secret' },
-  { regex: /(?:access_token|accesstoken)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded access token' },
-  { regex: /(?:private_key|privatekey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded private key' },
-  { regex: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, label: 'Private key block' },
-];
-
-// Patterns that indicate a placeholder, not a real secret
-const PLACEHOLDER = /(?:your[-_]?|xxx|placeholder|example|test|fake|dummy|changeme|<[^>]+>|process\.env|import\.meta\.env|\$\{)/i;
-const SKIP_EXTS = new Set(['.md', '.txt', '.yaml', '.yml', '.json', '.lock', '.snap']);
-const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
-
-export const hardcodedSecretsRule: StaticRule = {
-  name: 'hardcoded-secrets',
-  severity: 'critical',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      const ext = file.slice(file.lastIndexOf('.'));
-      if (SKIP_EXTS.has(ext) || TEST_PATH.test(file)) continue;
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-      const lines = content.split('\n');
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i]!;
-        if (line.trim().startsWith('//') || line.trim().startsWith('#')) continue;
-        for (const { regex, label } of SECRET_PATTERNS) {
-          const match = line.match(regex);
-          if (match && !PLACEHOLDER.test(match[0])) {
-            findings.push({
-              id: `hardcoded-secrets:${file}:${i + 1}`,
-              source: 'static-rules',
-              severity: 'critical',
-              category: 'hardcoded-secrets',
-              file,
-              line: i + 1,
-              message: `${label} appears hardcoded`,
-              suggestion: 'Move to environment variable and load via process.env',
-              protectedPath: false,
-              createdAt: new Date().toISOString(),
-            });
-            break;
-          }
-        }
-      }
-    }
-    return findings;
-  },
-};

package/src/core/static-rules/rules/insecure-redirect.ts

@@ -1,67 +0,0 @@
-import * as fs from 'node:fs';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-// Redirect calls in Next.js / Express / Node
-const REDIRECT_CALL = /(?:\bredirect\s*\(|NextResponse\.redirect\s*\(|res\.redirect\s*\(|router\.push\s*\()/;
-
-// User-controlled input sources
-const USER_INPUT_SOURCES = /(?:req\.|request\.|params\.|query\.|body\.|searchParams\.|headers\.|getParam|getQuery|getSearchParam)/;
-
-// Template interpolation of user input into redirect target
-const TAINTED_REDIRECT_TEMPLATE = /`[^`]*\$\{[^}]*(?:url|redirect|return|next|callback|target|to|from|path|href|location)[^}]*\}`/i;
-const TAINTED_REDIRECT_VAR       = /(?:url|redirect|returnUrl|returnTo|next|callbackUrl|target|to|from|path|href|location)\b/;
-
-const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mts', '.cts', '.mjs', '.cjs']);
-const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
-
-export const insecureRedirectRule: StaticRule = {
-  name: 'insecure-redirect',
-  severity: 'warning',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      const ext = file.slice(file.lastIndexOf('.'));
-      if (!CODE_EXTS.has(ext) || TEST_PATH.test(file)) continue;
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-      const lines = content.split('\n');
-
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i]!;
-        if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
-
-        if (!REDIRECT_CALL.test(line)) continue;
-
-        // Check if the redirect target is user-controlled
-        const hasTaint = TAINTED_REDIRECT_TEMPLATE.test(line) || USER_INPUT_SOURCES.test(line);
-        if (!hasTaint) {
-          // Check if a variable with a suspicious name is passed
-          const argStr = line.replace(REDIRECT_CALL, '');
-          const hasRedirectVar = TAINTED_REDIRECT_VAR.test(line) && !/['"`]/.test(argStr);
-          if (!hasRedirectVar) continue;
-        }
-
-        // Skip if there's obvious validation nearby (startsWith, URL constructor, allowlist)
-        const context = lines.slice(Math.max(0, i - 5), i + 1).join('\n');
-        const hasValidation = /(?:startsWith\s*\(\s*['"]\/|new\s+URL|allowedRedirects|trustedOrigins|encodeURIComponent)/.test(context);
-        if (hasValidation) continue;
-
-        findings.push({
-          id: `insecure-redirect:${file}:${i + 1}`,
-          source: 'static-rules',
-          severity: 'warning',
-          category: 'insecure-redirect',
-          file,
-          line: i + 1,
-          message: 'Possible open redirect: redirect target may be user-controlled',
-          suggestion: 'Validate redirect targets — allow only relative paths (startsWith("/")) or an explicit allowlist of trusted origins',
-          protectedPath: false,
-          createdAt: new Date().toISOString(),
-        });
-      }
-    }
-    return findings;
-  },
-};

package/src/core/static-rules/rules/large-file.ts

@@ -1,37 +0,0 @@
-import * as fs from 'node:fs';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-const DEFAULT_THRESHOLD = 500;
-const SKIP_EXTS = new Set(['.lock', '.snap', '.map', '.min.js', '.min.css']);
-
-export const largeFileRule: StaticRule = {
-  name: 'large-file',
-  severity: 'note',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const threshold = parseInt(process.env.AUTOPILOT_LARGE_FILE_LINES ?? '', 10) || DEFAULT_THRESHOLD;
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      const ext = file.slice(file.lastIndexOf('.'));
-      if (SKIP_EXTS.has(ext)) continue;
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-      const lines = content.split('\n').length;
-      if (lines > threshold) {
-        findings.push({
-          id: `large-file:${file}`,
-          source: 'static-rules',
-          severity: 'note',
-          category: 'large-file',
-          file,
-          message: `File is ${lines} lines (threshold: ${threshold})`,
-          suggestion: 'Consider splitting into smaller, focused modules',
-          protectedPath: false,
-          createdAt: new Date().toISOString(),
-        });
-      }
-    }
-    return findings;
-  },
-};

package/src/core/static-rules/rules/missing-auth.ts

@@ -1,70 +0,0 @@
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-// Next.js App Router API routes and pages with data mutations
-const API_ROUTE_PATTERN = /(?:app[/\\]api[/\\].*route\.[tj]sx?|pages[/\\]api[/\\].*\.[tj]sx?)$/;
-
-// Auth function signatures — any of these indicate auth is checked
-const AUTH_PATTERNS = [
-  /getServerSession\s*\(/,
-  /\bauth\s*\(\s*\)/,           // next-auth v5 auth()
-  /createServerSupabase\s*\(/,
-  /createServerClient\s*\(/,
-  /getSession\s*\(/,
-  /verifyToken\s*\(/,
-  /authenticate\s*\(/,
-  /requireAuth\s*\(/,
-  /currentUser\s*\(/,
-  /withAuth\s*\(/,
-  /checkAuth\s*\(/,
-  /isAuthenticated\s*\(/,
-  /useServerSession\s*\(/,
-  /jwtVerify\s*\(/,
-  /verify\s*\(.*token/i,
-  /clerkClient/,
-  /getAuth\s*\(/,               // Clerk
-  /session\s*\.\s*user/,
-  /req\s*\.\s*user\b/,
-];
-
-// Mutation handler exports — GET-only routes are less critical
-const MUTATION_EXPORT = /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\b/;
-const MUTATION_HANDLER = /(?:POST|PUT|PATCH|DELETE)\s*\(/;
-
-export const missingAuthRule: StaticRule = {
-  name: 'missing-auth',
-  severity: 'critical',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      if (!API_ROUTE_PATTERN.test(file)) continue;
-      let content: string;
-      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
-
-      // Only flag mutation handlers
-      if (!MUTATION_EXPORT.test(content) && !MUTATION_HANDLER.test(content)) continue;
-
-      // Check if any auth pattern is present in the file
-      const hasAuth = AUTH_PATTERNS.some(p => p.test(content));
-      if (hasAuth) continue;
-
-      const rel = path.basename(file);
-      findings.push({
-        id: `missing-auth:${file}:1`,
-        source: 'static-rules',
-        severity: 'critical',
-        category: 'missing-auth',
-        file,
-        line: 1,
-        message: `API route ${rel} has mutation handlers (POST/PUT/PATCH/DELETE) with no visible auth check`,
-        suggestion: 'Add authentication: call getServerSession(), auth(), or equivalent before processing the request body',
-        protectedPath: false,
-        createdAt: new Date().toISOString(),
-      });
-    }
-    return findings;
-  },
-};

package/src/core/static-rules/rules/missing-tests.ts

@@ -1,57 +0,0 @@
-import * as fs from 'node:fs';
-import * as path from 'node:path';
-import type { StaticRule } from '../../phases/static-rules.ts';
-import type { Finding } from '../../findings/types.ts';
-
-const SOURCE_DIRS = ['src/', 'app/', 'lib/', 'utils/'];
-const SOURCE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx']);
-const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
-const INDEX_FILE = /(?:^|[/\\])index\.[tj]sx?$/;
-
-function isSourceFile(f: string): boolean {
-  const ext = f.slice(f.lastIndexOf('.'));
-  return SOURCE_EXTS.has(ext) && !TEST_PATH.test(f) && SOURCE_DIRS.some(d => f.startsWith(d));
-}
-
-function hasTestCounterpart(file: string, touchedFiles: Set<string>): boolean {
-  const base = file.replace(/\.[tj]sx?$/, '');
-  const candidates = [
-    `${base}.test.ts`, `${base}.test.tsx`, `${base}.test.js`,
-    `${base}.spec.ts`, `${base}.spec.tsx`, `${base}.spec.js`,
-  ];
-  const dir = path.dirname(file);
-  const name = path.basename(base);
-  candidates.push(
-    `${dir}/__tests__/${name}.test.ts`,
-    `${dir}/__tests__/${name}.test.tsx`,
-    `${dir}/__tests__/${name}.test.js`,
-  );
-  return candidates.some(c => touchedFiles.has(c) || fs.existsSync(c));
-}
-
-export const missingTestsRule: StaticRule = {
-  name: 'missing-tests',
-  severity: 'note',
-
-  async check(touchedFiles: string[]): Promise<Finding[]> {
-    const touched = new Set(touchedFiles);
-    const findings: Finding[] = [];
-    for (const file of touchedFiles) {
-      if (!isSourceFile(file) || INDEX_FILE.test(file)) continue;
-      if (!hasTestCounterpart(file, touched)) {
-        findings.push({
-          id: `missing-tests:${file}`,
-          source: 'static-rules',
-          severity: 'note',
-          category: 'missing-tests',
-          file,
-          message: 'No test file found for this changed source file',
-          suggestion: `Add tests at ${file.replace(/\.[tj]sx?$/, '.test.ts')}`,
-          protectedPath: false,
-          createdAt: new Date().toISOString(),
-        });
-      }
-    }
-    return findings;
-  },
-};