npm - @elytrasec/engine - Versions diffs - 0.3.2 → 0.4.1 - Mend

@elytrasec/engine 0.3.2 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -2957,12 +2957,43 @@ var securityRules = [
     title: "Hardcoded secret or credential",
     description: "A string that looks like a password, API key, or token is hardcoded in source code.",
     suggestion: "Move the secret to an environment variable or a secrets manager. Rotate the exposed credential immediately.",
-    pattern: /(?:password|secret|api_key|apikey|api_secret|token|auth_token|private_key|client_secret)\s*[:=]\s*["'](?!changeme|password|your-|<|TODO|xxx|test|example|placeholder|REPLACE)[^"']{8,}["']/i,
+    // `token` removed from the keyword list — too ambiguous in crypto context (tokenAddress,
+    // token0, token1, tokenContract, tokenFactory all match and are public addresses, not secrets).
+    // `auth_token`, `accessToken`, `bearerToken`, `jwt_token` etc. remain via specific patterns below.
+    pattern: /(?:password|secret|apikey|api_key|api_secret|auth[_-]?token|access[_-]?token|bearer[_-]?token|jwt[_-]?secret|private[_-]?key|client_secret)\s*[:=]\s*["'](?!changeme|password|your-|<|TODO|xxx|test|example|placeholder|REPLACE|0x[0-9a-fA-F]{40}["'])[^"']{8,}["']/i,
     severity: "critical",
     category: "security",
     confidence: "medium",
     languages: ALL
   },
+  {
+    // Crypto-native: a raw 32-byte (64-hex) value assigned to a *private*-key-shaped name.
+    // Wallet/contract addresses (40 hex) are public — never flag those.
+    // Hashes / UIDs / merkle roots (64 hex) on a `*Hash`, `*Uid`, `*Root` LHS are public — don't flag.
+    // Only flag when the LHS specifically suggests a SIGNING KEY.
+    id: "cp-sec-private-key-hex",
+    title: "Hardcoded EVM private key",
+    description: "A 64-character hex value is assigned to a variable whose name implies it's a signing key. If real, this is a wallet private key \u2014 anyone who reads the source can drain the wallet.",
+    suggestion: "Move to an environment variable, KMS, or hardware wallet immediately. Rotate the key (transfer all assets to a new wallet and never use this key again).",
+    pattern: /\b(?:private[_-]?key|signing[_-]?key|wallet[_-]?key|signer[_-]?key|deployer[_-]?key|mnemonic[_-]?seed|raw[_-]?key|eas_private_key|x402_wallet_key)\s*[:=]\s*["']?0x[0-9a-fA-F]{64}["']?/i,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: ALL
+  },
+  {
+    // BIP-39 seed phrase — 12 or 24 lowercase English words in a row.
+    // Any leak of these = full wallet compromise. Targets the common assignment pattern.
+    id: "cp-sec-mnemonic-phrase",
+    title: "Hardcoded BIP-39 mnemonic / seed phrase",
+    description: "A string with 12 or 24 lowercase words looks like a BIP-39 mnemonic. A leaked seed phrase compromises the entire HD wallet and every account derived from it.",
+    suggestion: "Never store mnemonics in source. Use a secure secret manager. If exposed, immediately transfer all assets out of every derived account, never reuse the seed.",
+    pattern: /(?:mnemonic|seed[_-]?phrase|secret[_-]?phrase|backup[_-]?phrase)\s*[:=]\s*["'](?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}["']/i,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: ALL
+  },
   {
     id: "cp-sec-hardcoded-ip",
     title: "Hardcoded IP address",
@@ -3074,7 +3105,7 @@ var securityRules = [
     title: "Form without CSRF protection",
     description: "HTML form with method=POST but no visible CSRF token field. This may be vulnerable to cross-site request forgery.",
     suggestion: "Add a hidden CSRF token field to the form or use a framework-provided CSRF middleware.",
-    pattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
+    multilinePattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
     severity: "medium",
     category: "security",
     confidence: "low",
@@ -3130,7 +3161,7 @@ var securityRules = [
     title: "XML parsing without entity restriction (XXE)",
     description: "XML parsers that allow external entities can be exploited to read local files or perform SSRF.",
     suggestion: "Disable external entity processing: set noent: false, or use defusedxml in Python.",
-    pattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
+    multilinePattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3180,7 +3211,7 @@ var securityRules = [
     title: "Mass assignment via spread of user input",
     description: "Spreading req.body directly into a database create/update allows attackers to set arbitrary fields (e.g. isAdmin).",
     suggestion: "Explicitly pick allowed fields instead of spreading the entire request body.",
-    pattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
+    multilinePattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3247,7 +3278,7 @@ var securityRules = [
     title: "Cookie set without security flags",
     description: "Cookies set without Secure, HttpOnly, or SameSite flags are vulnerable to interception and XSS theft.",
     suggestion: "Set cookies with { secure: true, httpOnly: true, sameSite: 'strict' } flags.",
-    pattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
+    multilinePattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
     severity: "medium",
     category: "security",
     confidence: "medium",
@@ -3275,7 +3306,7 @@ var securityRules = [
     title: "CORS credentials with wildcard origin",
     description: "Enabling credentials with a wildcard or reflected origin allows any site to make authenticated cross-origin requests.",
     suggestion: "When using credentials: true, specify explicit trusted origins instead of '*' or reflecting the Origin header.",
-    pattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
+    multilinePattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
     severity: "high",
     category: "security",
     confidence: "high",
@@ -3309,13 +3340,13 @@ var securityRules = [
 var solidityRules2 = [
   {
     id: "cp-sol-reentrancy",
-    title: "Potential reentrancy \u2014 external call before state update",
-    description: "An external call (call, send, transfer) appears before a state variable assignment. An attacker contract can re-enter before state is updated.",
-    suggestion: "Follow the checks-effects-interactions pattern: update state before making external calls. Consider using ReentrancyGuard.",
-    pattern: /\.(?:call|send|transfer)\s*[\({]/,
-    severity: "critical",
+    title: "Potential reentrancy \u2014 review external call sequencing",
+    description: "An external call via `.call{value:...}` is present. The classic reentrancy pattern requires the call to occur BEFORE a state update \u2014 a same-line regex can't verify the order across multiple lines, so this is flagged for manual or AI review. `.send` and `.transfer` are intentionally not flagged because their 2300-gas stipend prevents reentrancy except in pathological cases (post-EIP-1884 gas changes).",
+    suggestion: "Follow checks-effects-interactions: update state before external calls. Or use OpenZeppelin's ReentrancyGuard. Confirm by reading the surrounding function or running AI deep-review.",
+    pattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}/,
+    severity: "high",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3399,12 +3430,12 @@ var solidityRules2 = [
   {
     id: "cp-sol-assembly",
     title: "Inline assembly usage",
-    description: "Inline assembly bypasses Solidity's safety checks (overflow, type-safety). Bugs are easy to introduce and hard to audit.",
-    suggestion: "Use Solidity builtins where possible. If assembly is required, document it thoroughly and add extensive tests.",
+    description: "Inline assembly bypasses Solidity's safety checks. Routine in production DeFi for gas optimization (transient storage, packed structs, math) \u2014 flagged informationally so reviewers can verify the assembly block is justified.",
+    suggestion: "Confirm the assembly block is necessary and audited. Document the storage slots / opcodes used.",
     pattern: /\bassembly\s*\{/,
-    severity: "medium",
-    category: "security",
-    confidence: "high",
+    severity: "info",
+    category: "solidity",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3421,11 +3452,11 @@ var solidityRules2 = [
   {
     id: "cp-sol-unchecked-math",
     title: "Unchecked arithmetic block",
-    description: "The `unchecked` block disables overflow/underflow checks. This is dangerous unless you have proven the values cannot overflow.",
-    suggestion: "Only use unchecked blocks when overflow is mathematically impossible. Add comments explaining the safety invariant.",
+    description: "`unchecked` disables Solidity 0.8+ overflow checks. Usually intentional for gas savings on loop counters and proven-safe math, but worth confirming each block has a documented invariant.",
+    suggestion: "Add a comment explaining why overflow is impossible in this block. Consider whether the gas savings justify the risk.",
     pattern: /unchecked\s*\{/,
-    severity: "medium",
-    category: "security",
+    severity: "low",
+    category: "solidity",
     confidence: "low",
     languages: SOL
   },
@@ -3446,7 +3477,7 @@ var solidityRules2 = [
     title: "balanceOf used for pricing without flash loan guards",
     description: "Using balanceOf() for pricing calculations is vulnerable to flash loan manipulation.",
     suggestion: "Use time-weighted average prices (TWAP) or Chainlink oracles instead of spot balanceOf for pricing.",
-    pattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
+    multilinePattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3455,25 +3486,25 @@ var solidityRules2 = [
   {
     id: "cp-sol-storage-collision",
     title: "delegatecall with state variables \u2014 storage collision risk",
-    description: "Using delegatecall in a contract with state variables can cause storage layout collisions with the implementation contract.",
+    description: "Using delegatecall in a contract with state variables can cause storage layout collisions with the implementation contract. Common in proxy patterns where it's intentional \u2014 verify EIP-1967 storage slots are used. High false-positive rate on standard proxy implementations.",
     suggestion: "Use EIP-1967 proxy pattern with standardized storage slots, or ensure identical storage layouts.",
     pattern: /delegatecall\s*\(/,
     multilinePattern: /(?:uint|int|address|mapping|bytes|string|bool)\s+(?:public|private|internal)?\s*\w+[\s\S]{0,2000}delegatecall\s*\(/g,
-    severity: "high",
+    severity: "medium",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
     id: "cp-sol-missing-event",
     title: "State change without event emission",
-    description: "State-changing functions should emit events for off-chain indexing and transparency.",
-    suggestion: "Add an event emission after state changes for important variables.",
+    description: "State-changing functions should emit events for off-chain indexing. Best practice for indexers and UI, not a security vulnerability \u2014 flagged informationally.",
+    suggestion: "Add an event emission after state changes if downstream indexers / UI need to track them.",
     pattern: /(?!)/,
     // never matches per-line; use multiline only
     multilinePattern: /function\s+\w+\s*\([^)]*\)\s*(?:external|public)[^{]*\{(?:(?!emit\s)[\s\S]){1,500}\w+\s*=[^=]/g,
-    severity: "medium",
-    category: "security",
+    severity: "info",
+    category: "quality",
     confidence: "low",
     languages: SOL
   }
@@ -3506,7 +3537,7 @@ var javaRules = [
     title: "XPath injection via string concatenation",
     description: "Building XPath queries with string concatenation allows injection attacks.",
     suggestion: "Use XPath parameterization via XPathExpression or sanitize input.",
-    pattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
+    multilinePattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3900,7 +3931,7 @@ var performanceRules = [
     title: "Potential N+1 query \u2014 database call inside a loop",
     description: "A database query inside a loop makes N separate round-trips instead of 1 batch query. This causes severe performance degradation at scale.",
     suggestion: "Batch the queries: collect all IDs first, then execute a single WHERE IN query.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
     severity: "high",
     category: "performance",
     confidence: "medium",
@@ -3911,7 +3942,7 @@ var performanceRules = [
     title: "Nested iteration \u2014 Array search inside a loop",
     description: "Using Array.find/filter/some/indexOf inside a loop is O(n*m). Use a Map or Set for O(n) lookups.",
     suggestion: "Build a Map or Set from the inner array before the loop, then use .get()/.has() for O(1) lookup.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3934,7 +3965,7 @@ var performanceRules = [
     title: "RegExp construction inside a loop",
     description: "Creating a new RegExp object on every iteration is wasteful. Regex compilation is expensive.",
     suggestion: "Move the RegExp construction outside the loop and reuse the compiled pattern.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3945,7 +3976,7 @@ var performanceRules = [
     title: "JSON.parse inside a loop",
     description: "Parsing JSON inside a loop is CPU-intensive. If the same data is re-parsed, cache the result.",
     suggestion: "Parse the JSON once before the loop and reuse the result, or use streaming JSON parsing for large datasets.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3956,7 +3987,7 @@ var performanceRules = [
     title: "Sequential await inside a loop",
     description: "Using await inside a loop executes async operations sequentially. Independent operations can run in parallel with Promise.all.",
     suggestion: "Collect promises in an array and use Promise.all() or Promise.allSettled() for parallel execution.",
-    pattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
+    multilinePattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
     severity: "low",
     category: "performance",
     confidence: "low",
@@ -4615,12 +4646,12 @@ var eip7702Rules = [
   {
     id: "cp-sol-7702-unguarded-init",
     title: "EIP-7702 delegation: unguarded initializer",
-    description: "Contracts used as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership of the delegated account.",
-    suggestion: "Add an `initializer` modifier (OpenZeppelin) or an `initialized` flag checked at the top of every init function. Ensure no init path is callable twice.",
+    description: "Contracts intended as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership. The pattern also matches generic proxy initializers, which usually ARE guarded (just not by an `initializer` keyword on the same line), so confirm whether this contract is actually a 7702 target before treating as critical.",
+    suggestion: "If this is a 7702 delegation target: add `initializer` modifier (OpenZeppelin) or a boolean guard. For regular proxies, confirm the initializer is gated by the proxy factory.",
     pattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)(?!\s+\w*[Ii]nitializer)/,
-    severity: "critical",
+    severity: "high",
     category: "solidity",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -4688,7 +4719,7 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: BalanceDelta returned without settle/take",
     description: "Hooks that return a modified `BalanceDelta` must ensure the delta is fully consumed (settled or taken) within the same unlock cycle. An unconsumed delta causes `CurrencyNotSettled` revert; partial consumption can silently strand tokens.",
     suggestion: "Ensure `poolManager.settle()` or `poolManager.take()` is called for both currency0 and currency1 before returning from the unlock callback.",
-    pattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
+    multilinePattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4699,7 +4730,7 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: overly broad hook permissions",
     description: "Hook permissions are set at deployment via the address bit-flags and cannot be changed. Requesting permissions you don't need (e.g. `BEFORE_SWAP_RETURNS_DELTA` when you never return a delta) increases attack surface and gas costs for every pool interaction.",
     suggestion: "Return only the minimum required `Hooks.Permissions` from `getHookPermissions()`. Audit each permission flag against your actual callback implementations.",
-    pattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
+    multilinePattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
     severity: "medium",
     category: "solidity",
     confidence: "low",
@@ -4717,9 +4748,337 @@ var uniswapV4Rules = [
     languages: SOL
   }
 ];
+var hackReplayRules = [
+  /* ── Curve Finance ($73M, July 2023) ────────────────────────── */
+  /*  Root cause: Vyper compiler versions 0.2.15, 0.2.16, 0.3.0    */
+  /*  generated broken reentrancy locks — the malloc-style storage  */
+  /*  slot for the lock was not reused correctly across functions. */
+  {
+    id: "cp-hack-curve-vyper-version",
+    title: "Curve hack pattern \u2014 Vyper compiler version with broken reentrancy lock",
+    description: "This file declares Vyper 0.2.15, 0.2.16, or 0.3.0 \u2014 the exact compiler versions that mis-generated reentrancy locks and enabled the July 2023 Curve Finance exploit ($73M across multiple pools). The bug is in the compiler, not your source code: any @nonreentrant guard in these versions is silently bypassable.",
+    suggestion: "Upgrade to Vyper >= 0.3.1 (lock fix landed in 0.3.1) and redeploy any affected pools. If you cannot redeploy, pause all reentrancy-sensitive functions and migrate liquidity.",
+    pattern: /#\s*@version\s+0\.(?:2\.1[56]|3\.0)(?:\s|$)/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "high",
+    languages: [".vy"]
+  },
+  /* ── Euler Finance ($197M, March 2023) ──────────────────────── */
+  /*  Root cause: donateToReserves() allowed an attacker to push    */
+  /*  their own account into an artificially unhealthy state,       */
+  /*  then self-liquidate at a discount via the liquidation flow.   */
+  {
+    id: "cp-hack-euler-donate-self-liquidation",
+    title: "Euler hack pattern \u2014 donate function reachable from liquidation path",
+    description: "A donate/donateTo* function in a lending or vault context can be weaponized to artificially worsen the caller's health factor, then trigger self-liquidation at a profit. This is the exact vector that drained $197M from Euler Finance in March 2023.",
+    suggestion: "Either remove the donate function, or (a) require donations to come from accounts with no active borrows, (b) recompute health AFTER the donation as if the donated assets remained the donor's, and (c) prevent same-block liquidation of the donor.",
+    pattern: /function\s+donate[A-Za-z]*\s*\(/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Radiant Capital ($53M, October 2024) ───────────────────── */
+  /*  Root cause: 3-of-11 multisig members signed a malicious      */
+  /*  transferOwnership tx (their UI was tampered by malware).      */
+  /*  A two-step transferOwnership + timelock would have given the */
+  /*  team a chance to notice and abort.                            */
+  {
+    id: "cp-hack-radiant-immediate-ownership-transfer",
+    title: "Radiant hack pattern \u2014 single-step ownership transfer (no Ownable2Step)",
+    description: "transferOwnership is implemented as a single-call function \u2014 the new owner takes effect immediately. This is the same pattern the Radiant Capital ($53M, Oct 2024) attackers exploited after compromising a multisig signer's UI: ownership flipped before anyone could react. A two-step or timelocked pattern would have created a defensive window.",
+    suggestion: "Inherit from OpenZeppelin Ownable2Step (requires acceptOwnership from the new owner) AND gate it behind a timelock for production deployments. Never let a single signature transfer ownership atomically.",
+    multilinePattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── zkSync Airdrop ($5M, April 2025) ───────────────────────── */
+  /*  Root cause: sweepUnclaimed() admin-only function with no      */
+  /*  timelock or multisig gate — when the admin key was            */
+  /*  compromised, attacker minted 111M ZK in a single tx.          */
+  /*  Pattern targets the unambiguous red-flag names. We do NOT     */
+  /*  flag plain `mint` since regular token contracts use it with   */
+  /*  proper guards — single-line regex can't verify a timelock     */
+  /*  check on the next line, so we stay conservative.              */
+  {
+    id: "cp-hack-zksync-admin-sweep-no-timelock",
+    title: "zkSync hack pattern \u2014 admin-only sweep/drain/rescue function",
+    description: "An admin-gated function with a name like sweep*, drain*, rescue*, emergencyWithdraw*, forceMint*, adminMint* is the exact category of function the zkSync airdrop attacker exploited (April 2025, $5M loss). Even with a timelock check inside, these functions are high-value targets \u2014 a compromised admin key bypasses everything. The pattern is reviewed manually because a same-line regex cannot verify whether a timelock guard is enforced.",
+    suggestion: "Audit this function carefully: (a) is it gated by a TimelockController contract address check, not just an onlyOwner modifier? (b) is the action bounded (max amount per call, per epoch)? (c) is there an N-of-M multisig requirement at the modifier level? If any answer is no, add it before mainnet.",
+    pattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Bybit ($1.46B, February 2025) ──────────────────────────── */
+  /*  Root cause: Safe{Wallet}'s frontend bundle on S3 was modified */
+  /*  to display a legit tx while signing a malicious one to        */
+  /*  hardware wallets. This is a CI/CD + frontend integrity issue. */
+  {
+    id: "cp-hack-bybit-unpinned-action-checkout",
+    title: "Bybit hack pattern \u2014 unpinned GitHub Action handling deploy/release",
+    description: "A workflow that deploys frontend bundles or release artifacts uses a third-party action pinned to a mutable ref (@main, @master, or a version tag instead of a commit SHA). This is the supply-chain vector behind the $1.46B Bybit hack (Feb 2025): the deploy pipeline trusts a moving target. An attacker that compromises the action's repo can swap your build output.",
+    suggestion: "Pin every third-party action to a full 40-char commit SHA (e.g. `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`). Use Dependabot or Renovate to keep SHAs up to date with review.",
+    pattern: /uses:\s+(?!actions\/)[^\s]+@(?:main|master|v\d+(?:\.\d+)*)\s*$/m,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: [],
+    pathPattern: /\.github\/workflows\/.*\.ya?ml$/
+  },
+  /* ── Beanstalk ($182M, April 2022) ──────────────────────────── */
+  /*  Root cause: governance proposal could call arbitrary code in   */
+  /*  the same transaction it was submitted/voted-on, with voting   */
+  /*  power based on token balance at proposal time. Attacker flash- */
+  /*  loaned BEAN, voted YES on a self-draining proposal, executed  */
+  /*  immediately. No timelock between vote and execution.          */
+  {
+    id: "cp-hack-beanstalk-instant-governance",
+    title: "Beanstalk hack pattern \u2014 governance execute() with no timelock between vote and call",
+    description: "A governance contract exposes an execute() / executeProposal() / propose() function callable in the same block as voting. This is the exact $182M Beanstalk vector (April 2022): an attacker flash-loaned the governance token, voted yes on a self-draining proposal, and called execute() in the same transaction. A timelock between successful vote and execution would have made the flash-loan economically pointless.",
+    suggestion: "Add a queue/execute split: successful proposals enter a TimelockController with a minimum delay (24-48h is standard). Require execute() to verify block.timestamp >= queuedAt + delay. Never let voting power, proposal acceptance, and code execution happen atomically.",
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Multichain ($126M, July 2023) ──────────────────────────── */
+  /*  Root cause: bridge admin private keys controlled by a single  */
+  /*  person (CEO). When that person was detained, funds were       */
+  /*  withdrawn from MPC-controlled addresses. Single key controls  */
+  /*  bridge withdraw / unlock = single point of failure.            */
+  {
+    id: "cp-hack-multichain-single-admin-bridge",
+    title: "Multichain hack pattern \u2014 bridge withdraw/unlock gated by single owner role",
+    description: "A bridge function (withdraw, unlock, releaseTo, claim, mintBridged) is gated only by onlyOwner or a single-address admin check. This was the structural failure behind the $126M Multichain collapse (July 2023): the CEO's MPC key controlled bridge outflows, and when he was detained, attackers (or insiders) drained the bridge. Bridge withdraw functions are the highest-value attack surface in crypto and must be multi-party.",
+    suggestion: "Require a multi-sig (Safe / Gnosis), a multi-party MPC (TSS), or an N-of-M validator set before any bridge outflow. Never let a single private key sign a withdraw of bridged assets. Add per-asset and per-block outflow caps as a defense-in-depth limit.",
+    multilinePattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Ronin Bridge ($625M, March 2022) ───────────────────────── */
+  /*  Root cause: 5-of-9 validator set with 4 validators run by    */
+  /*  Sky Mavis + 1 by Axie DAO. Attacker compromised the 4 Sky    */
+  /*  Mavis keys and the Axie DAO had previously granted Sky Mavis */
+  /*  signing rights "temporarily" but never revoked → 5/9 reached. */
+  /*  Detection: low signature threshold relative to validator set. */
+  {
+    id: "cp-hack-ronin-low-validator-threshold",
+    title: "Ronin hack pattern \u2014 bridge validator threshold \u2264 5/9 or hardcoded low quorum",
+    description: "A bridge contract uses a hardcoded signature threshold of 4, 5, or 6 \u2014 the same range that allowed the $625M Ronin bridge hack (March 2022). Sky Mavis ran 4 of 9 validators; combined with one improperly-revoked delegated key, the attacker hit the 5/9 threshold from a single team's compromise. A higher threshold (7-of-9, 8-of-11) makes single-team compromise insufficient.",
+    suggestion: "Audit your validator threshold against the social/operational concentration of validator operators. Aim for \u2265 70% threshold (e.g. 7-of-9, 11-of-15). Periodically rotate delegated signing rights and verify revocations actually happen. Set up monitoring for validator-set changes.",
+    pattern: /(?:signatureThreshold|requiredSignatures|threshold|quorum|VALIDATOR_THRESHOLD)\s*[=:]\s*(?:uint(?:8|16|32|256)\s*\(\s*)?[4-6]\b/i,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Cream Finance ($130M, October 2021) ────────────────────── */
+  /*  Root cause: oracle manipulated via flash-loaned yUSD vault    */
+  /*  shares. Collateral price computed from spot share supply,     */
+  /*  inflatable via flash loan → borrow against inflated value →   */
+  /*  drain. Detection: spot-balance arithmetic in pricing without  */
+  /*  TWAP / Chainlink fallback.                                    */
+  {
+    id: "cp-hack-cream-spot-share-pricing",
+    title: "Cream hack pattern \u2014 collateral price computed from spot vault share supply",
+    description: "A function computes a token/share price by dividing total assets by spot totalSupply (or balanceOf this). The $130M Cream hack (Oct 2021) exploited exactly this on yUSDVault: flash-loan inflated the share supply during a single tx, the price oracle read the manipulated value, and the attacker borrowed massively against fictitious collateral. Spot supply/balance ratios are flash-loan-attackable.",
+    suggestion: "Use Chainlink price feeds with staleness checks, a TWAP from a deep Uniswap V3 pool, or external collateral-pricing oracles. Never compute price from same-block totalSupply or balanceOf.",
+    pattern: /(?:totalSupply|balanceOf)\s*\([^)]*\)\s*[*/]\s*\w+|\w+\s*[*/]\s*(?:totalSupply|balanceOf)\s*\(/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Wormhole ($325M, February 2022) ────────────────────────── */
+  /*  Root cause: signature verification path used a stub guardian  */
+  /*  set lookup that didn't validate the set hash. Attacker forged */
+  /*  a guardian signature against an empty set, which the contract */
+  /*  accepted because the set comparison was wrong. Detection:     */
+  /*  ecrecover or signature-set membership without strict hash      */
+  /*  equality of the validator set.                                */
+  {
+    id: "cp-hack-wormhole-unchecked-signature-set",
+    title: "Wormhole hack pattern \u2014 guardian/validator signature accepted without strict set verification",
+    description: "A function verifies a signature against a validator/guardian set but does not strictly check that the set hash matches the expected current set (or compares against a default/empty value). The $325M Wormhole hack (Feb 2022) exploited a stub `verify_signatures` path that accepted forged signatures because the validator set comparison was missing/insecure. ecrecover-based signature schemes need every validator set rotation tracked by an explicit hash check.",
+    suggestion: "Verify the signed message includes a strict hash of the current validator set. Reject signatures where the recovered signer is not in the active set. Never use `default!()` or zero-initialized guardian arrays in signature paths.",
+    multilinePattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Nomad Bridge ($190M, August 2022) ──────────────────────── */
+  /*  Root cause: an upgrade initialized the trusted-root mapping   */
+  /*  with 0x00. Any message with a 0-bytes proof became 'proven'. */
+  /*  Anyone could replay arbitrary messages against the bridge.    */
+  /*  Detection: trusted-root / merkle-root mapping reads or writes */
+  /*  that don't reject zero values.                                */
+  {
+    id: "cp-hack-nomad-zero-root-acceptance",
+    title: "Nomad hack pattern \u2014 trusted/merkle root lookup accepts zero hash as valid",
+    description: "A function reads a value from a merkle-root or trusted-root mapping and treats any non-revert response as valid, including the zero default. The $190M Nomad bridge hack (Aug 2022) was caused by an upgrade that initialized the root mapping to zero \u2014 every message proof of zero became 'valid', and the entire bridge was drained by 300+ copy-paste attackers within hours.",
+    suggestion: "Always `require(root != bytes32(0))` before treating a stored root/hash as a valid proof anchor. Apply the same check to any zero-value default in upgrade-initialized storage.",
+    pattern: /(?:roots|messages|acceptableRoot|trustedRoot|merkleRoot)\s*\[[^\]]+\]\s*(?:==\s*(?:true|0x01)|!=\s*0x00\b)(?!\s*&&\s*\w+\s*!=\s*(?:bytes32\(0\)|0x0+))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Mango Markets ($114M, October 2022) ────────────────────── */
+  /*  Root cause: oracle was a thinly-traded spot AMM price.        */
+  /*  Attacker pumped MNGO token via CEX wash trades, then borrowed */
+  /*  $114M against inflated collateral. Detection: pricing pulled  */
+  /*  from a single low-liquidity source with no sanity bounds.     */
+  {
+    id: "cp-hack-mango-single-source-oracle",
+    title: "Mango hack pattern \u2014 oracle uses single price source without bounds",
+    description: "A pricing function reads from a single oracle source (one Uniswap pool, one CEX feed, one Chainlink aggregator) without sanity bounds or a secondary source. The $114M Mango Markets hack (Oct 2022) was a textbook oracle-manipulation attack: the attacker pumped MNGO price ~10\xD7 via CEX trades, the oracle dutifully reported it, and Mango let them borrow $114M against the now-inflated collateral.",
+    suggestion: "Use at least two independent oracle sources for any collateral pricing. Apply a circuit breaker (max % change per block, deviation from TWAP). For long-tail tokens, cap borrowable collateral or require multi-source confirmation.",
+    // Tightened: require the call to appear in a function whose name implies
+    // lending / collateral / liquidation context (the actual hack surface).
+    // Plain DEX pool internals like Uniswap getReserves are not at risk.
+    multilinePattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
+    severity: "medium",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  }
+];
+var rugSurfaceRules = [
+  {
+    id: "cp-rug-owner-can-mint",
+    title: "Owner can mint tokens",
+    description: "A mint function is gated by onlyOwner (or similar single-address modifier). Owner can dilute holders at will. Verify whether this is intentional (e.g. emissions schedule) or unrestricted.",
+    suggestion: "Hard-cap max supply, route mints through a timelock + multisig, or renounce ownership after initial mint.",
+    pattern: /function\s+(?:_?mint|mintTo|airdrop)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMinter)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-pause",
+    title: "Owner can pause transfers",
+    description: "Owner can call _pause() or set a paused flag \u2014 halting all transfers. Useful for emergencies, dangerous if the owner is an EOA without timelock.",
+    suggestion: "Move pause behind multisig + timelock. Document expected pause scenarios. Consider auto-unpause after N blocks.",
+    pattern: /function\s+(?:pause|setPaused|_pause|emergencyPause)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-blacklist",
+    title: "Owner can blacklist addresses",
+    description: "Owner can prevent specific addresses from transferring. Honeypot pattern when combined with no transfer-tax limit or a hidden blacklist mapping.",
+    suggestion: "Either remove the blacklist entirely (rely on protocol-level sanctions), or gate it behind a multisig + timelock with public allowlist process.",
+    pattern: /(?:blacklist|denylist|isBlocked|blocked)\s*\[\s*\w+\s*\]\s*=\s*(?:true|1)|function\s+(?:blacklist|setBlacklist|addToBlacklist|block(?:Address|User|Account))\s*\(/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-change-fees",
+    title: "Owner can change transfer fees",
+    description: "A setFee / updateFee / setTax function gated by onlyOwner. Owner can spike fees to 99% effectively stopping trading.",
+    suggestion: "Cap maximum fee in the contract (e.g. require new fee <= 10%). Combine with a timelock so changes are observable in advance.",
+    pattern: /function\s+(?:setFee|setTax|setBuyFee|setSellFee|setTransferFee|updateFee|updateTax|setFees)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-change-router",
+    title: "Owner can swap router or pair",
+    description: "A setRouter / setPair / setSwapRouter function gated by onlyOwner. Owner can redirect liquidity to an attacker-controlled router and drain trades.",
+    suggestion: "Make router / pair immutable. If upgrades are needed, gate behind multisig + 7-day timelock with clear public announcement.",
+    pattern: /function\s+(?:setRouter|setPair|setSwapRouter|updateRouter|setUniswapRouter|setSwapPair)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-sweep",
+    title: "Owner can sweep ETH or ERC20 from contract",
+    description: 'Owner can call a sweep / rescue / withdraw / recover function that drains arbitrary tokens or ETH from the contract. Often labelled "rescue stuck funds" \u2014 but the same path drains user-owned balances.',
+    suggestion: "Restrict to specific tokens that should never be in the contract. Exclude the protocol's own LP token / treasury. Behind multisig + timelock.",
+    pattern: /function\s+(?:rescueTokens|rescueERC20|sweepTokens|sweep|sweepERC20|recoverTokens|recoverERC20|withdrawStuck|withdrawTokens|emergencyWithdraw|emergencyRescue)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "critical",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-upgrade",
+    title: "Proxy upgrade gated by single owner",
+    description: "An _upgradeTo / upgradeTo function is callable by onlyOwner (UUPS pattern). The implementation contract can be swapped to attacker code unilaterally.",
+    suggestion: "Route upgrades through a TimelockController owned by a multisig. Publish the new implementation address before the timelock expires.",
+    pattern: /function\s+(?:_upgradeTo|upgradeTo|upgradeToAndCall|_authorizeUpgrade)\s*\([^)]*\)\s*(?:external|public|internal|virtual\s+override)?(?:[^{]*?)(?:onlyOwner|onlyAdmin)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-role-self-grant",
+    title: "Role admin can grant itself any role",
+    description: "DEFAULT_ADMIN_ROLE or a self-managed role can call grantRole() on itself or on other privileged roles. Single admin compromise = full takeover.",
+    suggestion: "Use AccessControlEnumerable + revoke admin's ability to manage its own role. Move sensitive roles to a separate multisig.",
+    pattern: /_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-no-renounce-evidence",
+    title: "Renounceable ownership without evidence of renunciation",
+    description: "Contract inherits Ownable / OwnableUpgradeable but the constructor / initializer doesn't transfer ownership to a known-safe address (zero, multisig, timelock). Owner power may still be active.",
+    suggestion: "Either renounce ownership in the constructor (acceptably for fully-immutable contracts), or transfer to a multisig. Document this explicitly.",
+    multilinePattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "low",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-max-wallet-or-tx",
+    title: "Trading restrictions (max wallet / max tx)",
+    description: "Contract enforces maxWallet, maxTransactionAmount, or similar caps. Common in memecoin templates \u2014 verify the cap can't be set to 0 or 1 wei (effectively halting trading).",
+    suggestion: "Ensure max-cap setters have a minimum floor (e.g. 0.1% of supply). Combine with timelock for changes after launch.",
+    pattern: /(?:maxWallet|maxTransactionAmount|maxTx|maxWalletAmount|_maxWallet|_maxTx)\s*[:=]/i,
+    severity: "low",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-hidden-modifier",
+    title: "Privileged modifier without visible role check in body",
+    description: "A modifier name doesn't suggest privilege (e.g. `lock`, `safe`, `nonReentrant`-shaped names) but its body restricts access. Auditors miss these; users assume the function is open.",
+    suggestion: "Rename modifier to make privilege explicit (e.g. `onlyOperator`). Or move check inline so reviewers see it in the function body.",
+    multilinePattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "low",
+    languages: SOL
+  }
+];
 var ALL_RULES2 = [
   ...securityRules,
   ...solidityRules2,
+  ...rugSurfaceRules,
   ...javaRules,
   ...rubyRules,
   ...phpRules,
@@ -4730,7 +5089,8 @@ var ALL_RULES2 = [
   ...iacRules,
   ...eip7702Rules,
   ...tstoreRules,
-  ...uniswapV4Rules
+  ...uniswapV4Rules,
+  ...hackReplayRules
 ];
 // src/static/pattern-scanner.ts
@@ -4782,9 +5142,13 @@ function isJsxFile(filePath) {
 function isScriptDir(filePath) {
   return /(?:^|\/)(?:scripts|build|tools|infra)\//i.test(filePath);
 }
+function isVendorFile(filePath) {
+  return /(?:^|\/)(?:node_modules|@openzeppelin|@uniswap|@aave|@chainlink|solmate|solady|lib|vendor|dependencies|forge-std|ds-test)(?:\/|@)/i.test(filePath);
+}
 function isFalsePositive(ctx) {
   if (isDocsFile(ctx.filePath)) return true;
-  if (ctx.rule.id !== "cp-qual-todo-fixme" && isCommentLine(ctx.line)) return true;
+  if (isVendorFile(ctx.filePath)) return true;
+  if (ctx.rule.id !== "cp-qual-todo-fixme" && ctx.rule.category !== "hack-replay" && isCommentLine(ctx.line)) return true;
   if (isImportLine(ctx.line) && /(?:http-no-tls|hardcoded-ip|hardcoded-secret)/.test(ctx.rule.id)) return true;
   if (isConfigFile(ctx.filePath) && ctx.rule.category === "security") return true;
   const trimmed = ctx.line.trim();
@@ -4802,6 +5166,11 @@ function isFalsePositive(ctx) {
       if (/process\.env\b/.test(ctx.line)) return true;
     }
   }
+  if (ctx.rule.id === "cp-sec-hardcoded-secret") {
+    if (/=\s*["']?0x[0-9a-fA-F]{40}["']?/.test(ctx.line)) return true;
+    if (/\b(?:address|token0?|token1|tokenAddress|contractAddress|pool|router|factory|vault|recipient|payTo|treasury|owner|admin|operator|signer|delegate|merkleRoot|root|domain|salt|chainId|deadline|attestation|uid|schema)\b\s*[:=]/i.test(ctx.line)) return true;
+    if (/\b(?:hash|sha|keccak|merkle|root|uid|tx|proof|signature|sig|domain|salt|nonce|attestation|commitment)\w*\s*[:=]\s*["']?0x[0-9a-fA-F]{64}/i.test(ctx.line)) return true;
+  }
   return false;
 }
 function adjustSeverityForContext(severity, filePath) {
@@ -4939,7 +5308,7 @@ ${lines[i]}`,
       }
     }
   }
-  if (lines.length > 8) {
+  if (lines.length > 8 && !SOL2.includes(ext)) {
     const WINDOW = 4;
     const blockMap = /* @__PURE__ */ new Map();
     for (let i = 0; i <= lines.length - WINDOW; i++) {
@@ -5026,6 +5395,7 @@ function scanFile(relPath, content, rules, changedRanges) {
   const applicableRules = rules.filter((r) => ruleAppliesToFile(r, relPath));
   if (applicableRules.length === 0) return findings;
   for (const rule of applicableRules) {
+    if (!rule.pattern) continue;
     for (let i = 0; i < lines.length; i++) {
       const lineNumber = i + 1;
       const line = lines[i];
@@ -5057,8 +5427,10 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
     rule.multilinePattern.lastIndex = 0;
+    const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;
     while ((match = rule.multilinePattern.exec(content)) !== null) {
+      const breakAfter = !isGlobal;
       const textBefore = content.slice(0, match.index);
       const startLine = textBefore.split("\n").length;
       const matchLines = match[0].split("\n").length;
@@ -5084,6 +5456,7 @@ function scanFile(relPath, content, rules, changedRanges) {
       if (match[0].length === 0) {
         rule.multilinePattern.lastIndex++;
       }
+      if (breakAfter) break;
     }
   }
   if (rules.some((r) => r.category === "code-cleaning")) {