@empline/preflight 1.0.20

package/dist/checks/security/env-value-leakage.js

@@ -0,0 +1,285 @@
+#!/usr/bin/env tsx
+"use strict";
+/**
+ * Preflight: Env value leakage (outside .env files)
+ *
+ * Goal:
+ * - Catch env-variable *values* (especially secrets) being stored in non-.env files
+ *   like .ts/.tsx/.js/.json configs, or docs with accidental real keys.
+ *
+ * How:
+ * - Load the env-var names from .env.example (source of truth).
+ * - Scan non-env files for patterns like `OPENAI_API_KEY = "..."` or `OPENAI_API_KEY: "..."`.
+ * - Block only when the value looks like a real secret (sk-..., pk_live..., ghp_..., AKIA...).
+ * - Warn for non-secret values (to keep signal high and avoid breaking existing patterns).
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tags = exports.description = exports.blocking = exports.category = exports.name = exports.id = void 0;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const glob_1 = require("glob");
+const console_chars_1 = require("../../utils/console-chars");
+const glob_patterns_1 = require("../../shared/glob-patterns");
+const universal_progress_reporter_1 = require("../system/universal-progress-reporter");
+const findings_writer_1 = require("../../utils/findings-writer");
+// Check metadata
+exports.id = "security/env-value-leakage";
+exports.name = "Env Value Leakage";
+exports.category = "security";
+exports.blocking = true;
+exports.description = "Preflight: Env value leakage (outside .env files)";
+exports.tags = ["security"];
+const EXCLUDED = (0, glob_patterns_1.extendExcludes)(glob_patterns_1.STANDARD_EXCLUDES, [
+    "**/build/**",
+    "**/out/**",
+    "**/.turbo/**",
+    "**/test-results/**",
+    "**/playwright-report/**",
+    "**/backups/**",
+    "**/reports/**",
+]);
+function isEnvFile(rel) {
+    const base = node_path_1.default.posix.basename(rel);
+    return base === ".env" || base === ".env.local" || base.startsWith(".env.");
+}
+function readEnvExampleKeys() {
+    const envExamplePath = node_path_1.default.join(process.cwd(), ".env.example");
+    if (!node_fs_1.default.existsSync(envExamplePath))
+        return [];
+    const text = node_fs_1.default.readFileSync(envExamplePath, "utf8");
+    const keys = new Set();
+    for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const match = trimmed.match(/^([A-Z][A-Z0-9_]+)\s*=/);
+        if (match?.[1])
+            keys.add(match[1]);
+    }
+    return [...keys].sort();
+}
+function looksLikeRealSecret(value) {
+    const v = value.trim();
+    // Common secret formats
+    if (/^sk-[A-Za-z0-9]{20,}$/.test(v))
+        return true; // OpenAI
+    if (/^pk_live_[A-Za-z0-9]{16,}$/.test(v))
+        return true; // Stripe publishable (live)
+    if (/^sk_live_[A-Za-z0-9]{16,}$/.test(v))
+        return true; // Stripe secret (live)
+    if (/^rk_live_[A-Za-z0-9]{16,}$/.test(v))
+        return true; // Stripe restricted (live)
+    if (/^ghp_[A-Za-z0-9]{30,}$/.test(v))
+        return true; // GitHub token
+    if (/^AKIA[0-9A-Z]{16}$/.test(v))
+        return true; // AWS access key
+    // Generic "looks like token" heuristic (high entropy-ish)
+    if (/^[A-Za-z0-9+/_=-]{40,}$/.test(v))
+        return true;
+    return false;
+}
+function looksLikePlaceholder(value) {
+    const v = value.trim().toLowerCase();
+    return (v === "" ||
+        v.includes("...") ||
+        v.includes("your-") ||
+        v.includes("placeholder") ||
+        v.includes("example") ||
+        v.includes("changeme") ||
+        v.includes("replace") ||
+        v.includes("<") ||
+        v.includes(">") ||
+        v === "true" ||
+        v === "false");
+}
+function looksLikeRegexFragment(value) {
+    // Avoid flagging regex snippets embedded in code (common in env-file parsing/replacing scripts).
+    // Example false positives: DATABASE_URL="[^"]+" etc.
+    const v = value.trim();
+    return v.includes("[^") || v.includes("\\b") || v.includes("\\s");
+}
+function escapeRegExp(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function isBenignPublicEnvAssignment(key, value) {
+    // NEXT_PUBLIC_* values are intentionally public and are sometimes defined in config.
+    // We still want to block if someone accidentally pastes a real secret into a public var.
+    return key.startsWith("NEXT_PUBLIC_") && !looksLikeRealSecret(value);
+}
+function scanFile(file, keys) {
+    const rel = file.replace(/\\/g, "/");
+    const isMarkdown = rel.endsWith(".md");
+    const content = node_fs_1.default.readFileSync(file, "utf8");
+    const lines = content.split("\n");
+    const findings = [];
+    // Build one regex that matches any key to keep it fast.
+    // Matches `KEY = "value"`, `KEY: "value"`, `KEY="value"` (single or double quotes).
+    const keyAlternation = keys.map(escapeRegExp).join("|");
+    const pattern = new RegExp(
+    // Avoid matching inside string/template literals (common source of false positives).
+    // Node 24 supports fixed-length negative lookbehind.
+    `(?<!["'\\\`])\\b(${keyAlternation})\\b\\s*(?:[:=])\\s*(["'])([^"']{1,500})\\2`, "g");
+    for (let i = 0; i < lines.length; i += 1) {
+        const line = lines[i] ?? "";
+        // Skip obvious comments to reduce noise
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("#"))
+            continue;
+        let m;
+        pattern.lastIndex = 0;
+        // eslint-disable-next-line no-cond-assign
+        while ((m = pattern.exec(line))) {
+            const key = m[1] ?? "";
+            const rawValue = m[3] ?? "";
+            // Best-effort column range for the value portion.
+            // ESLint/SARIF are 1-based columns.
+            const matchText = m[0] ?? "";
+            const matchStartIdx = typeof m.index === "number" ? m.index : -1;
+            const valueOffsetInMatch = rawValue ? matchText.indexOf(rawValue) : -1;
+            const valueStartIdxInLine = matchStartIdx >= 0 && valueOffsetInMatch >= 0
+                ? matchStartIdx + valueOffsetInMatch
+                : matchStartIdx;
+            const startColumn = valueStartIdxInLine >= 0 ? valueStartIdxInLine + 1 : undefined;
+            const endColumn = typeof startColumn === "number" && rawValue
+                ? startColumn + Math.max(0, rawValue.length)
+                : undefined;
+            if (!key)
+                continue;
+            if (looksLikePlaceholder(rawValue))
+                continue;
+            if (looksLikeRegexFragment(rawValue))
+                continue;
+            // If our "value" contains code, it's almost certainly a regex false-positive.
+            if (rawValue.includes("process.env") || rawValue.includes("process."))
+                continue;
+            if (isBenignPublicEnvAssignment(key, rawValue))
+                continue;
+            const severity = looksLikeRealSecret(rawValue) ? "error" : "warning";
+            // Docs can (and should) contain illustrative env snippets; only block if it
+            // looks like someone pasted a real secret into documentation.
+            if (isMarkdown && severity === "warning")
+                continue;
+            findings.push({
+                file: rel,
+                line: i + 1,
+                startColumn,
+                endColumn,
+                key,
+                severity,
+                message: severity === "error"
+                    ? "Env var value looks like a real secret outside .env files"
+                    : "Env var value appears set outside .env files",
+            });
+        }
+    }
+    return findings;
+}
+function parseArgs(argv) {
+    const args = new Map();
+    for (const raw of argv) {
+        if (!raw.startsWith("--"))
+            continue;
+        const [k, ...rest] = raw.slice(2).split("=");
+        const key = k.trim();
+        const value = rest.join("=");
+        if (!key)
+            continue;
+        args.set(key, value.length ? value : true);
+    }
+    const reportPath = typeof args.get("report") === "string" ? String(args.get("report")) : null;
+    const filterPrefix = typeof args.get("filterPrefix") === "string" ? String(args.get("filterPrefix")) : null;
+    return { reportPath, filterPrefix };
+}
+function ensureParentDir(filePath) {
+    const dir = node_path_1.default.dirname(filePath);
+    node_fs_1.default.mkdirSync(dir, { recursive: true });
+}
+async function main() {
+    const reporter = (0, universal_progress_reporter_1.createUniversalProgressReporter)(node_path_1.default.basename(__filename, ".ts"));
+    const { reportPath, filterPrefix } = parseArgs(process.argv.slice(2));
+    const keys = readEnvExampleKeys();
+    if (keys.length === 0) {
+        console.log(`${console_chars_1.emoji.warning}  Preflight: env value leakage skipped (no keys found in .env.example)`);
+        process.exit(0);
+    }
+    const files = await (0, glob_1.glob)(["**/*.{ts,tsx,js,jsx,cjs,mjs,json,md,yml,yaml}"], {
+        nodir: true,
+        ignore: EXCLUDED,
+        windowsPathsNoEscape: true,
+    });
+    const candidates = files
+        .map((f) => f.replace(/\\/g, "/"))
+        .filter((f) => !isEnvFile(f))
+        // allow the templates/examples to contain example values
+        .filter((f) => !f.endsWith(".env.example"))
+        .filter((f) => !f.startsWith("docs/env-templates/"));
+    const findings = [];
+    for (const file of candidates) {
+        try {
+            findings.push(...scanFile(file, keys));
+        }
+        catch {
+            // ignore unreadable files
+        }
+    }
+    const errors = findings.filter((f) => f.severity === "error");
+    const warnings = findings.filter((f) => f.severity === "warning");
+    const filteredFindings = filterPrefix
+        ? findings.filter((f) => f.file.startsWith(filterPrefix.replace(/\\/g, "/")))
+        : findings;
+    (0, findings_writer_1.writeFindings)(filteredFindings.map((f) => ({
+        severity: f.severity,
+        message: `${f.message} (${f.key})`,
+        file: f.file,
+        range: {
+            startLine: f.line,
+            startColumn: f.startColumn,
+            endLine: f.line,
+            endColumn: f.endColumn,
+        },
+        code: "env-value-leakage",
+    })));
+    if (reportPath) {
+        const report = {
+            summary: {
+                total: filteredFindings.length,
+                errors: filteredFindings.filter((f) => f.severity === "error").length,
+                warnings: filteredFindings.filter((f) => f.severity === "warning").length,
+            },
+            findings: filteredFindings,
+        };
+        ensureParentDir(reportPath);
+        node_fs_1.default.writeFileSync(reportPath, JSON.stringify(report, null, 2) + "\n", "utf8");
+    }
+    if (findings.length === 0) {
+        console.log(`${console_chars_1.emoji.success} Preflight: No env var values detected outside .env files`);
+        process.exit(0);
+    }
+    console.log(`${console_chars_1.emoji.warning}  Preflight: Potential env var values detected outside .env files`);
+    if (errors.length > 0) {
+        console.log(`\n${console_chars_1.emoji.error} Blocking (possible real secrets): ${errors.length}`);
+        for (const f of errors.slice(0, 25)) {
+            console.log(`  - ${f.file}:${f.line}  (${f.key})`);
+        }
+        if (errors.length > 25)
+            console.log(`  ...and ${errors.length - 25} more`);
+    }
+    if (warnings.length > 0) {
+        console.log(`\n${console_chars_1.emoji.warning}  Warning (review): ${warnings.length}`);
+        for (const f of warnings.slice(0, 25)) {
+            console.log(`  - ${f.file}:${f.line}  (${f.key})`);
+        }
+        if (warnings.length > 25)
+            console.log(`  ...and ${warnings.length - 25} more`);
+    }
+    console.log("\nGuidance:");
+    console.log("  - Store values in .env.* files or your secret manager.");
+    console.log("  - Keep code using process.env / server-side env helpers.");
+    console.log("  - For docs, use placeholders (e.g. 'your-api-key-here').");
+    process.exit(errors.length > 0 ? 1 : 0);
+}
+void main();
+//# sourceMappingURL=env-value-leakage.js.map

package/dist/checks/security/env-value-leakage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-value-leakage.js","sourceRoot":"","sources":["../../../src/checks/security/env-value-leakage.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;GAYG;;;;;;AAEH,sDAAyB;AACzB,0DAA6B;AAE7B,+BAA4B;AAE5B,6DAAkD;AAClD,8DAA+E;AAC/E,uFAAwF;AACxF,iEAA4D;AAG5D,iBAAiB;AACJ,QAAA,EAAE,GAAG,4BAA4B,CAAC;AAClC,QAAA,IAAI,GAAG,mBAAmB,CAAC;AAC3B,QAAA,QAAQ,GAAG,UAAU,CAAC;AACtB,QAAA,QAAQ,GAAG,IAAI,CAAC;AAChB,QAAA,WAAW,GAAG,mDAAmD,CAAC;AAClE,QAAA,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;AAuBjC,MAAM,QAAQ,GAAG,IAAA,8BAAc,EAAC,iCAAiB,EAAE;IACjD,aAAa;IACb,WAAW;IACX,cAAc;IACd,oBAAoB;IACpB,yBAAyB;IACzB,eAAe;IACf,eAAe;CAChB,CAAC,CAAC;AAEH,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,IAAI,GAAG,mBAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACtC,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,cAAc,GAAG,mBAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;IAChE,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9C,MAAM,IAAI,GAAG,iBAAE,CAAC,YAAY,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC;YAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAEvB,wBAAwB;IACxB,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,SAAS;IAC3D,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,4BAA4B;IACnF,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,uBAAuB;IAC9E,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2BAA2B;IAClF,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,eAAe;IAClE,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;IAEhE,0DAA0D;IAC1D,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,CACL,CAAC,KAAK,EAAE;QACR,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACjB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;QACnB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QACtB,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QACf,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QACf,CAAC,KAAK,MAAM;QACZ,CAAC,KAAK,OAAO,CACd,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,iGAAiG;IACjG,qDAAqD;IACrD,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACvB,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,2BAA2B,CAAC,GAAW,EAAE,KAAa;IAC7D,qFAAqF;IACrF,yFAAyF;IACzF,OAAO,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,IAAc;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,iBAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,wDAAwD;IACxD,oFAAoF;IACpF,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,IAAI,MAAM;IACxB,qFAAqF;IACrF,qDAAqD;IACrD,oBAAoB,cAAc,6CAA6C,EAC/E,GAAG,CACJ,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAE7F,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,0CAA0C;QAC1C,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAE5B,kDAAkD;YAClD,oCAAoC;YACpC,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjE,MAAM,kBAAkB,GAAG,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACvE,MAAM,mBAAmB,GACvB,aAAa,IAAI,CAAC,IAAI,kBAAkB,IAAI,CAAC;gBAC3C,CAAC,CAAC,aAAa,GAAG,kBAAkB;gBACpC,CAAC,CAAC,aAAa,CAAC;YACpB,MAAM,WAAW,GAAG,mBAAmB,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACnF,MAAM,SAAS,GACb,OAAO,WAAW,KAAK,QAAQ,IAAI,QAAQ;gBACzC,CAAC,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC;gBAC5C,CAAC,CAAC,SAAS,CAAC;YAEhB,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,IAAI,oBAAoB,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC7C,IAAI,sBAAsB,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE/C,8EAA8E;YAC9E,IAAI,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAAE,SAAS;YAEhF,IAAI,2BAA2B,CAAC,GAAG,EAAE,QAAQ,CAAC;gBAAE,SAAS;YAEzD,MAAM,QAAQ,GAAoB,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;YAEtF,4EAA4E;YAC5E,8DAA8D;YAC9D,IAAI,UAAU,IAAI,QAAQ,KAAK,SAAS;gBAAE,SAAS;YAEnD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,GAAG;gBACT,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,WAAW;gBACX,SAAS;gBACT,GAAG;gBACH,QAAQ;gBACR,OAAO,EACL,QAAQ,KAAK,OAAO;oBAClB,CAAC,CAAC,2DAA2D;oBAC7D,CAAC,CAAC,8CAA8C;aACrD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAA4B,CAAC;IACjD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QACpC,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9F,MAAM,YAAY,GAChB,OAAO,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzF,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,GAAG,GAAG,mBAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,iBAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,QAAQ,GAAG,IAAA,6DAA+B,EAAC,mBAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;IACnF,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAElC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CACT,GAAG,qBAAK,CAAC,OAAO,wEAAwE,CACzF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,IAAA,WAAI,EAAC,CAAC,+CAA+C,CAAC,EAAE;QAC1E,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,QAAQ;QAChB,oBAAoB,EAAE,IAAI;KAC3B,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;SACjC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAC7B,yDAAyD;SACxD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;SAC1C,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEvD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAElE,MAAM,gBAAgB,GAAG,YAAY;QACnC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7E,CAAC,CAAC,QAAQ,CAAC;IAEb,IAAA,+BAAa,EACX,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3B,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,OAAO,EAAE,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,GAAG,GAAG;QAClC,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE;YACL,SAAS,EAAE,CAAC,CAAC,IAAI;YACjB,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,OAAO,EAAE,CAAC,CAAC,IAAI;YACf,SAAS,EAAE,CAAC,CAAC,SAAS;SACvB;QACD,IAAI,EAAE,mBAAmB;KAC1B,CAAC,CAAC,CACJ,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAW;YACrB,OAAO,EAAE;gBACP,KAAK,EAAE,gBAAgB,CAAC,MAAM;gBAC9B,MAAM,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM;gBACrE,QAAQ,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,MAAM;aAC1E;YACD,QAAQ,EAAE,gBAAgB;SAC3B,CAAC;QACF,eAAe,CAAC,UAAU,CAAC,CAAC;QAC5B,iBAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,GAAG,qBAAK,CAAC,OAAO,2DAA2D,CAAC,CAAC;QACzF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,qBAAK,CAAC,OAAO,mEAAmE,CAAC,CAAC;IAEjG,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,KAAK,qBAAK,CAAC,KAAK,sCAAsC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACnF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,qBAAK,CAAC,OAAO,uBAAuB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,CAAC,GAAG,CAAC,YAAY,QAAQ,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;IACjF,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3B,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;IAE1E,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,KAAK,IAAI,EAAE,CAAC"}

package/dist/checks/security/no-tracked-env-files.d.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env tsx
+/**
+ * Preflight: Disallow tracked .env files
+ *
+ * Goal:
+ * - Prevent committing real environment files (e.g. .env, .env.local) that can contain secrets.
+ * - Allow templates/examples under docs/env-templates and *.example/*.template.
+ *
+ * This is intentionally a git-aware check (tracked files only). Developers may keep local
+ * .env files untracked; that's fine.
+ */
+export declare const id = "security/no-tracked-env-files";
+export declare const name = "No Tracked Env Files";
+export declare const category = "security";
+export declare const blocking = true;
+export declare const description = "Preflight: Disallow tracked .env files";
+export declare const tags: string[];
+//# sourceMappingURL=no-tracked-env-files.d.ts.map

package/dist/checks/security/no-tracked-env-files.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-tracked-env-files.d.ts","sourceRoot":"","sources":["../../../src/checks/security/no-tracked-env-files.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AAWH,eAAO,MAAM,EAAE,kCAAkC,CAAC;AAClD,eAAO,MAAM,IAAI,yBAAyB,CAAC;AAC3C,eAAO,MAAM,QAAQ,aAAa,CAAC;AACnC,eAAO,MAAM,QAAQ,OAAO,CAAC;AAC7B,eAAO,MAAM,WAAW,2CAA2C,CAAC;AACpE,eAAO,MAAM,IAAI,UAAe,CAAC"}

package/dist/checks/security/no-tracked-env-files.js

@@ -0,0 +1,247 @@
+#!/usr/bin/env tsx
+"use strict";
+/**
+ * Preflight: Disallow tracked .env files
+ *
+ * Goal:
+ * - Prevent committing real environment files (e.g. .env, .env.local) that can contain secrets.
+ * - Allow templates/examples under docs/env-templates and *.example/*.template.
+ *
+ * This is intentionally a git-aware check (tracked files only). Developers may keep local
+ * .env files untracked; that's fine.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tags = exports.description = exports.blocking = exports.category = exports.name = exports.id = void 0;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const console_chars_1 = require("../../utils/console-chars");
+const findings_writer_1 = require("../../utils/findings-writer");
+// Check metadata
+exports.id = "security/no-tracked-env-files";
+exports.name = "No Tracked Env Files";
+exports.category = "security";
+exports.blocking = true;
+exports.description = "Preflight: Disallow tracked .env files";
+exports.tags = ["security"];
+function runGitLsFiles() {
+    const result = (0, node_child_process_1.spawnSync)("git", ["ls-files", "-z"], {
+        encoding: "utf8",
+        windowsHide: true,
+    });
+    if (result.status !== 0) {
+        // If git isn't available, fail safe (blocking) because this check is only meaningful in a repo.
+        // eslint-disable-next-line no-console
+        console.error(`${console_chars_1.emoji.error} Preflight: unable to run "git ls-files" (is git available?)`);
+        process.exit(1);
+    }
+    const raw = String(result.stdout ?? "");
+    if (!raw)
+        return [];
+    return raw
+        .split("\0")
+        .map((s) => s.trim())
+        .filter(Boolean)
+        .map((p) => p.replace(/\\/g, "/"));
+}
+function isEnvLikeFile(relPath) {
+    const base = node_path_1.default.posix.basename(relPath);
+    return base === ".env" || base.startsWith(".env.") || base === ".env.local";
+}
+function isHighRiskEnvFile(relPath) {
+    const base = node_path_1.default.posix.basename(relPath);
+    // These are commonly used as real secret-bearing files.
+    if (base === ".env")
+        return true;
+    if (base === ".env.local")
+        return true;
+    if (/^\.env\..*\.local$/i.test(base))
+        return true;
+    // Local/ephemeral env artifacts that should never be tracked.
+    if (base === ".env.vercel.local")
+        return true;
+    // Vercel CLI export artifacts (often contain real secrets).
+    if (base === ".env.vercel-prod")
+        return true;
+    if (base === ".env.preview")
+        return true;
+    if (base === ".env.playwright")
+        return true;
+    return false;
+}
+function isAllowedEnvTemplate(relPath) {
+    const normalized = relPath.replace(/\\/g, "/");
+    // This repo intentionally tracks certain environment files.
+    // These are treated as allowed so the preflight doesn't nag.
+    if (normalized === ".env.development" ||
+        normalized === ".env.production" ||
+        normalized === ".env.test" ||
+        false) {
+        return true;
+    }
+    // Allow docs templates/examples
+    if (normalized.startsWith("docs/env-templates/"))
+        return true;
+    // Allow example/template files in root (and elsewhere)
+    if (normalized.endsWith(".example"))
+        return true;
+    if (normalized.endsWith(".template"))
+        return true;
+    if (normalized.endsWith(".sample"))
+        return true;
+    return false;
+}
+function looksLikePlaceholder(value) {
+    const v = value.trim().toLowerCase();
+    return (v === "" ||
+        v.includes("dev-secret") ||
+        v.includes("your-") ||
+        v.includes("placeholder") ||
+        v.includes("example") ||
+        v.includes("changeme") ||
+        v.includes("replace") ||
+        v.includes("...") ||
+        v.includes("<") ||
+        v.includes(">"));
+}
+function looksLikeRealSecret(value) {
+    const v = value.trim();
+    // Common secret formats
+    if (/^sk-[A-Za-z0-9]{20,}$/.test(v))
+        return true; // OpenAI
+    if (/^sk_live_[A-Za-z0-9]{16,}$/.test(v))
+        return true; // Stripe secret (live)
+    if (/^rk_live_[A-Za-z0-9]{16,}$/.test(v))
+        return true; // Stripe restricted (live)
+    if (/^ghp_[A-Za-z0-9]{30,}$/.test(v))
+        return true; // GitHub token
+    if (/^AKIA[0-9A-Z]{16}$/.test(v))
+        return true; // AWS access key
+    // Generic high-entropy-ish token
+    if (/^[A-Za-z0-9+/_=-]{40,}$/.test(v))
+        return true;
+    return false;
+}
+function scanTrackedEnvTemplateForSecrets(relPath) {
+    const normalized = relPath.replace(/\\/g, "/");
+    const abs = node_path_1.default.join(process.cwd(), normalized);
+    if (!node_fs_1.default.existsSync(abs))
+        return [];
+    const text = node_fs_1.default.readFileSync(abs, "utf8");
+    const findings = [];
+    const lines = text.split("\n");
+    for (let i = 0; i < lines.length; i += 1) {
+        const raw = lines[i] ?? "";
+        const trimmed = raw.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        // Parse KEY=VALUE (allow quotes)
+        const m = trimmed.match(/^([A-Z][A-Z0-9_]+)\s*=\s*(.*)$/);
+        if (!m)
+            continue;
+        const key = m[1] ?? "";
+        let value = (m[2] ?? "").trim();
+        // Strip surrounding quotes
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (!value)
+            continue;
+        if (looksLikePlaceholder(value))
+            continue;
+        if (looksLikeRealSecret(value)) {
+            findings.push({ file: normalized, line: i + 1, key });
+        }
+    }
+    return findings;
+}
+function main() {
+    const files = runGitLsFiles();
+    const offenders = files.filter((f) => isEnvLikeFile(f) && !isAllowedEnvTemplate(f));
+    const missingOnDisk = offenders.filter((rel) => {
+        const abs = node_path_1.default.join(process.cwd(), rel);
+        return !node_fs_1.default.existsSync(abs);
+    });
+    const presentOnDisk = offenders.filter((rel) => !missingOnDisk.includes(rel));
+    // Even if a tracked env file is "allowed" (template), it must not contain real secrets.
+    const allowedEnvTemplates = files.filter((f) => isEnvLikeFile(f) && isAllowedEnvTemplate(f));
+    const secretFindings = allowedEnvTemplates.flatMap(scanTrackedEnvTemplateForSecrets);
+    (0, findings_writer_1.writeFindings)([
+        ...secretFindings.map((f) => ({
+            severity: "error",
+            message: `Tracked env template contains secret-looking value (${f.key})`,
+            file: f.file,
+            range: { startLine: f.line },
+            code: "env-template-secret",
+        })),
+        ...offenders.map((f) => ({
+            severity: (isHighRiskEnvFile(f) ? "error" : "warning"),
+            message: isHighRiskEnvFile(f) ? "High-risk tracked env file" : "Tracked env file (review)",
+            file: f,
+            code: "tracked-env-file",
+        })),
+    ]);
+    if (secretFindings.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`${console_chars_1.emoji.error} Preflight: Tracked env templates contain secret-looking values`);
+        for (const f of secretFindings) {
+            // eslint-disable-next-line no-console
+            console.log(`  - ${f.file}:${f.line} (${f.key})`);
+        }
+        // eslint-disable-next-line no-console
+        console.log("\nFix:");
+        // eslint-disable-next-line no-console
+        console.log("  - Replace real secrets with placeholders in tracked env templates.");
+        // eslint-disable-next-line no-console
+        console.log("  - Put real values only in untracked .env.local or your secret manager.");
+        process.exit(1);
+    }
+    if (offenders.length === 0) {
+        // eslint-disable-next-line no-console
+        console.log(`${console_chars_1.emoji.success} Preflight: No tracked .env files`);
+        process.exit(0);
+    }
+    const errors = offenders.filter(isHighRiskEnvFile);
+    const warnings = offenders.filter((f) => !isHighRiskEnvFile(f));
+    // eslint-disable-next-line no-console
+    console.log(`${console_chars_1.emoji.warning}  Preflight: Tracked .env files detected`);
+    if (missingOnDisk.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log("\n🧹 Note: Some files are already deleted locally but still tracked by git:");
+        for (const f of missingOnDisk) {
+            // eslint-disable-next-line no-console
+            console.log(`  - ${f}`);
+        }
+    }
+    if (errors.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`\n${console_chars_1.emoji.error} Blocking (high risk):`);
+        for (const f of errors) {
+            // eslint-disable-next-line no-console
+            console.log(`  - ${f}`);
+        }
+    }
+    if (warnings.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`\n${console_chars_1.emoji.warning}  Warning (review):`);
+        for (const f of warnings) {
+            // eslint-disable-next-line no-console
+            console.log(`  - ${f}`);
+        }
+    }
+    // eslint-disable-next-line no-console
+    console.log("\nFix:");
+    // eslint-disable-next-line no-console
+    console.log("  - Remove secret-bearing env files from git and keep them untracked.");
+    // eslint-disable-next-line no-console
+    console.log("  - If you already deleted the file locally, run: git rm --cached <file> (and commit).");
+    // eslint-disable-next-line no-console
+    console.log("  - Use .env.example / docs/env-templates/*.template for documentation.");
+    process.exit(errors.length > 0 ? 1 : 0);
+}
+main();
+//# sourceMappingURL=no-tracked-env-files.js.map

package/dist/checks/security/no-tracked-env-files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-tracked-env-files.js","sourceRoot":"","sources":["../../../src/checks/security/no-tracked-env-files.ts"],"names":[],"mappings":";;AACA;;;;;;;;;GASG;;;;;;AAEH,2DAA+C;AAC/C,sDAAyB;AACzB,0DAA6B;AAE7B,6DAAkD;AAClD,iEAA4D;AAG5D,iBAAiB;AACJ,QAAA,EAAE,GAAG,+BAA+B,CAAC;AACrC,QAAA,IAAI,GAAG,sBAAsB,CAAC;AAC9B,QAAA,QAAQ,GAAG,UAAU,CAAC;AACtB,QAAA,QAAQ,GAAG,IAAI,CAAC;AAChB,QAAA,WAAW,GAAG,wCAAwC,CAAC;AACvD,QAAA,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;AAEjC,SAAS,aAAa;IACpB,MAAM,MAAM,GAAG,IAAA,8BAAS,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE;QAClD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,gGAAgG;QAChG,sCAAsC;QACtC,OAAO,CAAC,KAAK,CAAC,GAAG,qBAAK,CAAC,KAAK,8DAA8D,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO,GAAG;SACP,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,IAAI,GAAG,mBAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1C,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,KAAK,YAAY,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,IAAI,GAAG,mBAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAE1C,wDAAwD;IACxD,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAElD,8DAA8D;IAC9D,IAAI,IAAI,KAAK,mBAAmB;QAAE,OAAO,IAAI,CAAC;IAC9C,4DAA4D;IAC5D,IAAI,IAAI,KAAK,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,IAAI,CAAC;IAE5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAE/C,4DAA4D;IAC5D,6DAA6D;IAC7D,IACE,UAAU,KAAK,kBAAkB;QACjC,UAAU,KAAK,iBAAiB;QAChC,UAAU,KAAK,WAAW;QAC1B,KAAK,EACL,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,IAAI,UAAU,CAAC,UAAU,CAAC,qBAAqB,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9D,uDAAuD;IACvD,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,CACL,CAAC,KAAK,EAAE;QACR,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC;QACxB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;QACnB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QACtB,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QACrB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACjB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QACf,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAChB,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAEvB,wBAAwB;IACxB,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,SAAS;IAC3D,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,uBAAuB;IAC9E,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2BAA2B;IAClF,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,eAAe;IAClE,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;IAEhE,iCAAiC;IACjC,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gCAAgC,CACvC,OAAe;IAEf,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,mBAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACjD,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAEnC,MAAM,IAAI,GAAG,iBAAE,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAuD,EAAE,CAAC;IAExE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,iCAAiC;QACjC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAC1D,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAEhC,2BAA2B;QAC3B,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,oBAAoB,CAAC,KAAK,CAAC;YAAE,SAAS;QAE1C,IAAI,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,IAAI;IACX,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpF,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAC7C,MAAM,GAAG,GAAG,mBAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAC1C,OAAO,CAAC,iBAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9E,wFAAwF;IACxF,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7F,MAAM,cAAc,GAAG,mBAAmB,CAAC,OAAO,CAAC,gCAAgC,CAAC,CAAC;IAErF,IAAA,+BAAa,EAAC;QACZ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC5B,QAAQ,EAAE,OAAgB;YAC1B,OAAO,EAAE,uDAAuD,CAAC,CAAC,GAAG,GAAG;YACxE,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE;YAC5B,IAAI,EAAE,qBAAqB;SAC5B,CAAC,CAAC;QACH,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACvB,QAAQ,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAwB;YAC7E,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,2BAA2B;YAC1F,IAAI,EAAE,CAAC;YACP,IAAI,EAAE,kBAAkB;SACzB,CAAC,CAAC;KACJ,CAAC,CAAC;IAEH,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,GAAG,qBAAK,CAAC,KAAK,iEAAiE,CAAC,CAAC;QAC7F,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAC/B,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;QACpD,CAAC;QACD,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtB,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACpF,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;QACxF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,GAAG,qBAAK,CAAC,OAAO,mCAAmC,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhE,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,GAAG,qBAAK,CAAC,OAAO,0CAA0C,CAAC,CAAC;IAExE,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;QAC3F,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9B,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,KAAK,qBAAK,CAAC,KAAK,wBAAwB,CAAC,CAAC;QACtD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,KAAK,qBAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;QACrD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;IACrF,sCAAsC;IACtC,OAAO,CAAC,GAAG,CACT,wFAAwF,CACzF,CAAC;IACF,sCAAsC;IACtC,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;IAEvF,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,IAAI,EAAE,CAAC"}

package/dist/checks/security/open-redirect-prevention.d.ts

@@ -0,0 +1,19 @@
+#!/usr/bin/env tsx
+/**
+ * Open Redirect Prevention Preflight (BLOCKING)
+ *
+ * Goal: prevent redirect/router navigation using user-controlled URLs
+ * (callbackUrl/returnTo/next/redirect) without validation.
+ *
+ * Heuristic (fast + low false positives):
+ * - Taint variables assigned from searchParams.get("callbackUrl"|"returnTo"|"next"|"redirect"...)
+ * - Flag redirect()/router.push()/router.replace() using tainted variables or direct searchParams.get(...) usage
+ *   unless wrapped in a known safe helper (e.g. getAuthRedirectUrl/validateRedirectUrl) or obviously internal.
+ */
+export declare const id = "security/open-redirect-prevention";
+export declare const name = "Open Redirect Prevention";
+export declare const category = "security";
+export declare const blocking = true;
+export declare const description = "Open Redirect Prevention Preflight (BLOCKING)";
+export declare const tags: string[];
+//# sourceMappingURL=open-redirect-prevention.d.ts.map

package/dist/checks/security/open-redirect-prevention.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"open-redirect-prevention.d.ts","sourceRoot":"","sources":["../../../src/checks/security/open-redirect-prevention.ts"],"names":[],"mappings":";AACA;;;;;;;;;;GAUG;AAYH,eAAO,MAAM,EAAE,sCAAsC,CAAC;AACtD,eAAO,MAAM,IAAI,6BAA6B,CAAC;AAC/C,eAAO,MAAM,QAAQ,aAAa,CAAC;AACnC,eAAO,MAAM,QAAQ,OAAO,CAAC;AAC7B,eAAO,MAAM,WAAW,kDAAkD,CAAC;AAC3E,eAAO,MAAM,IAAI,UAAe,CAAC"}