@etalon/core 1.0.0

package/dist/index.js

@@ -0,0 +1,3051 @@
+import {
+  GDPR_RULE_MAP,
+  enrichWithGdpr,
+  loadCustomRules,
+  scanWithCustomRules
+} from "./chunk-C6WLBWUY.js";
+
+// src/vendor-registry.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+
+// src/domain-utils.ts
+function extractDomain(url) {
+  try {
+    if (url.startsWith("data:") || url.startsWith("blob:") || url.startsWith("about:")) {
+      return null;
+    }
+    const parsed = new URL(url);
+    return parsed.hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function getParentDomains(domain) {
+  const parts = domain.split(".");
+  const parents = [];
+  for (let i = 1; i < parts.length - 1; i++) {
+    parents.push(parts.slice(i).join("."));
+  }
+  return parents;
+}
+function isFirstParty(requestDomain, siteDomain) {
+  const reqLower = requestDomain.toLowerCase();
+  const siteLower = siteDomain.toLowerCase();
+  if (reqLower === siteLower) return true;
+  if (reqLower.endsWith("." + siteLower)) return true;
+  return false;
+}
+function normalizeUrl(url) {
+  let normalized = url.trim();
+  if (!normalized.match(/^https?:\/\//i)) {
+    normalized = "https://" + normalized;
+  }
+  return normalized;
+}
+
+// src/vendor-registry.ts
+var VendorRegistry = class _VendorRegistry {
+  vendors = [];
+  categories = [];
+  domainMap = /* @__PURE__ */ new Map();
+  version = "";
+  lastUpdated = "";
+  /**
+   * Load the vendor database from a JSON file.
+   * If no path is provided, loads the bundled vendors.json.
+   */
+  static load(path) {
+    const registry = new _VendorRegistry();
+    const filePath = path ?? _VendorRegistry.defaultPath();
+    const raw = readFileSync(filePath, "utf-8");
+    const db = JSON.parse(raw);
+    registry.version = db.version;
+    registry.lastUpdated = db.last_updated;
+    registry.vendors = db.vendors;
+    registry.categories = db.categories;
+    for (const vendor of db.vendors) {
+      for (const domain of vendor.domains) {
+        registry.domainMap.set(domain.toLowerCase(), vendor);
+      }
+    }
+    return registry;
+  }
+  /**
+   * Load from an in-memory VendorDatabase object (useful for testing).
+   */
+  static fromDatabase(db) {
+    const registry = new _VendorRegistry();
+    registry.version = db.version;
+    registry.lastUpdated = db.last_updated;
+    registry.vendors = db.vendors;
+    registry.categories = db.categories;
+    for (const vendor of db.vendors) {
+      for (const domain of vendor.domains) {
+        registry.domainMap.set(domain.toLowerCase(), vendor);
+      }
+    }
+    return registry;
+  }
+  /**
+   * Look up a vendor by domain.
+   * Tries exact match first, then walks up parent domains.
+   * 
+   * @param domainOrUrl - A domain (e.g. "ssl.google-analytics.com") or full URL
+   * @returns The matched Vendor, or null if not found
+   */
+  lookupDomain(domainOrUrl) {
+    let domain;
+    if (domainOrUrl.includes("://")) {
+      const extracted = extractDomain(domainOrUrl);
+      if (!extracted) return null;
+      domain = extracted;
+    } else {
+      domain = domainOrUrl.toLowerCase();
+    }
+    const exact = this.domainMap.get(domain);
+    if (exact) return exact;
+    const parents = getParentDomains(domain);
+    for (const parent of parents) {
+      const match = this.domainMap.get(parent);
+      if (match) return match;
+    }
+    return null;
+  }
+  /**
+   * Get all vendors in a specific category.
+   */
+  getByCategory(category) {
+    return this.vendors.filter((v) => v.category === category);
+  }
+  /**
+   * Get all GDPR-compliant vendors.
+   */
+  getCompliant() {
+    return this.vendors.filter((v) => v.gdpr_compliant);
+  }
+  /**
+   * Get all available categories.
+   */
+  getCategories() {
+    return [...this.categories];
+  }
+  /**
+   * Search vendors by name or company (case-insensitive substring match).
+   */
+  search(query) {
+    const q = query.toLowerCase();
+    return this.vendors.filter(
+      (v) => v.name.toLowerCase().includes(q) || v.company.toLowerCase().includes(q) || v.id.toLowerCase().includes(q)
+    );
+  }
+  /**
+   * Get all vendors.
+   */
+  getAllVendors() {
+    return [...this.vendors];
+  }
+  /**
+   * Get a vendor by its ID.
+   */
+  getById(id) {
+    return this.vendors.find((v) => v.id === id) ?? null;
+  }
+  /**
+   * Get registry metadata.
+   */
+  getMetadata() {
+    return {
+      version: this.version,
+      lastUpdated: this.lastUpdated,
+      vendorCount: this.vendors.length,
+      categoryCount: this.categories.length,
+      domainCount: this.domainMap.size
+    };
+  }
+  /**
+   * Default path to the bundled vendors.json file.
+   */
+  static defaultPath() {
+    const currentDir = dirname(fileURLToPath(import.meta.url));
+    return join(currentDir, "..", "..", "..", "data", "vendors.json");
+  }
+};
+
+// src/audit/index.ts
+import { readFileSync as readFileSync10, existsSync as existsSync5 } from "fs";
+import { join as join5, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// src/audit/stack-detector.ts
+import { existsSync, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+function detectStack(directory) {
+  const languages = [];
+  let framework = "none";
+  let orm = "none";
+  let packageManager = "unknown";
+  const detectedFiles = [];
+  const packageJsonPath = join2(directory, "package.json");
+  if (existsSync(packageJsonPath)) {
+    languages.push("javascript");
+    detectedFiles.push("package.json");
+    if (existsSync(join2(directory, "pnpm-lock.yaml"))) {
+      packageManager = "pnpm";
+    } else if (existsSync(join2(directory, "yarn.lock"))) {
+      packageManager = "yarn";
+    } else {
+      packageManager = "npm";
+    }
+    if (existsSync(join2(directory, "tsconfig.json")) || existsSync(join2(directory, "tsconfig.base.json"))) {
+      if (!languages.includes("typescript")) languages.push("typescript");
+      detectedFiles.push("tsconfig.json");
+    }
+    try {
+      const pkg = JSON.parse(readFileSync2(packageJsonPath, "utf-8"));
+      const allDeps = {
+        ...pkg.dependencies,
+        ...pkg.devDependencies
+      };
+      if (allDeps["next"]) {
+        framework = "nextjs";
+        detectedFiles.push("next.config.*");
+      } else if (allDeps["nuxt"] || allDeps["nuxt3"]) {
+        framework = "nuxt";
+      } else if (allDeps["@sveltejs/kit"] || allDeps["svelte"]) {
+        framework = "svelte";
+      } else if (allDeps["fastify"]) {
+        framework = "fastify";
+      } else if (allDeps["express"]) {
+        framework = "express";
+      }
+      if (allDeps["prisma"] || allDeps["@prisma/client"]) {
+        orm = "prisma";
+      } else if (allDeps["typeorm"]) {
+        orm = "typeorm";
+      } else if (allDeps["drizzle-orm"]) {
+        orm = "drizzle";
+      } else if (allDeps["sequelize"]) {
+        orm = "sequelize";
+      }
+    } catch {
+    }
+  }
+  const pyprojectPath = join2(directory, "pyproject.toml");
+  const requirementsPath = join2(directory, "requirements.txt");
+  const pipfilePath = join2(directory, "Pipfile");
+  if (existsSync(pyprojectPath) || existsSync(requirementsPath) || existsSync(pipfilePath)) {
+    if (!languages.includes("python")) languages.push("python");
+    if (existsSync(pyprojectPath)) {
+      detectedFiles.push("pyproject.toml");
+      packageManager = "poetry";
+    } else if (existsSync(requirementsPath)) {
+      detectedFiles.push("requirements.txt");
+      packageManager = "pip";
+    }
+    const pyDeps = readPythonDeps(directory);
+    if (pyDeps.has("django")) {
+      framework = "django";
+      orm = "django-orm";
+    } else if (pyDeps.has("fastapi")) {
+      framework = "fastapi";
+    } else if (pyDeps.has("flask")) {
+      framework = "flask";
+    }
+    if (pyDeps.has("sqlalchemy") || pyDeps.has("flask-sqlalchemy")) {
+      orm = "sqlalchemy";
+    }
+    if (existsSync(join2(directory, "manage.py"))) {
+      framework = "django";
+      orm = "django-orm";
+      detectedFiles.push("manage.py");
+    }
+  }
+  const cargoPath = join2(directory, "Cargo.toml");
+  if (existsSync(cargoPath)) {
+    if (!languages.includes("rust")) languages.push("rust");
+    detectedFiles.push("Cargo.toml");
+    packageManager = "cargo";
+    try {
+      const cargoContent = readFileSync2(cargoPath, "utf-8");
+      if (cargoContent.includes("actix-web")) {
+        framework = "actix";
+      } else if (cargoContent.includes("axum")) {
+        framework = "axum";
+      } else if (cargoContent.includes("rocket")) {
+        framework = "rocket";
+      }
+      if (cargoContent.includes("diesel")) {
+        orm = "diesel";
+      } else if (cargoContent.includes("sea-orm")) {
+        orm = "sea-orm";
+      }
+    } catch {
+    }
+  }
+  if (languages.length === 0) {
+    languages.push("unknown");
+  }
+  return {
+    languages,
+    framework,
+    orm,
+    packageManager,
+    detectedFiles
+  };
+}
+function readPythonDeps(directory) {
+  const deps = /* @__PURE__ */ new Set();
+  const reqPath = join2(directory, "requirements.txt");
+  if (existsSync(reqPath)) {
+    const content = readFileSync2(reqPath, "utf-8");
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (trimmed && !trimmed.startsWith("#") && !trimmed.startsWith("-")) {
+        const name = trimmed.split(/[=><~![\s]/)[0].toLowerCase();
+        if (name) deps.add(name);
+      }
+    }
+  }
+  const pyprojectPath = join2(directory, "pyproject.toml");
+  if (existsSync(pyprojectPath)) {
+    const content = readFileSync2(pyprojectPath, "utf-8");
+    const matches = content.matchAll(/["']([a-zA-Z0-9_-]+)["']/g);
+    for (const match of matches) {
+      deps.add(match[1].toLowerCase());
+    }
+  }
+  return deps;
+}
+
+// src/audit/code-scanner.ts
+import { readFileSync as readFileSync3 } from "fs";
+import { basename, relative, extname } from "path";
+var CODE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".js",
+  ".jsx",
+  ".ts",
+  ".tsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".pyw",
+  ".rs",
+  ".html",
+  ".htm",
+  ".ejs",
+  ".hbs",
+  ".pug",
+  ".jinja",
+  ".jinja2",
+  ".j2",
+  ".vue",
+  ".svelte",
+  ".astro",
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development"
+]);
+var IGNORE_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".next",
+  "__pycache__",
+  ".git",
+  "dist",
+  "build",
+  "target",
+  ".venv",
+  "venv",
+  "env",
+  ".tox",
+  ".mypy_cache",
+  "vendor",
+  ".cargo",
+  "coverage",
+  ".turbo"
+]);
+function scanCode(files, baseDir, stack, patterns) {
+  const findings = [];
+  findings.push(...scanPackageManifest(baseDir, stack, patterns));
+  for (const filePath of files) {
+    if (!shouldScanFile(filePath)) continue;
+    try {
+      const content = readFileSync3(filePath, "utf-8");
+      const relPath = relative(baseDir, filePath);
+      const ext = extname(filePath).toLowerCase();
+      if (basename(filePath).startsWith(".env")) {
+        findings.push(...scanEnvFile(content, relPath, patterns));
+        continue;
+      }
+      if ([".html", ".htm", ".ejs", ".hbs", ".pug", ".jinja", ".jinja2", ".j2"].includes(ext)) {
+        findings.push(...scanHtmlFile(content, relPath, patterns));
+      }
+      if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".vue", ".svelte", ".astro"].includes(ext)) {
+        findings.push(...scanJsFile(content, relPath, patterns));
+        findings.push(...scanCookieUsage(content, relPath));
+        findings.push(...scanLocalStorage(content, relPath));
+      }
+      if ([".py", ".pyw"].includes(ext)) {
+        findings.push(...scanPythonFile(content, relPath, patterns));
+      }
+      if (ext === ".rs") {
+        findings.push(...scanRustFile(content, relPath, patterns));
+      }
+      findings.push(...scanForHtmlPatterns(content, relPath, patterns));
+    } catch {
+    }
+  }
+  return deduplicateFindings(findings);
+}
+function shouldScanFile(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  const name = basename(filePath);
+  if (name.startsWith(".env")) return true;
+  if (!CODE_EXTENSIONS.has(ext)) return false;
+  const parts = filePath.split("/");
+  for (const part of parts) {
+    if (IGNORE_DIRS.has(part)) return false;
+  }
+  return true;
+}
+function scanPackageManifest(baseDir, stack, patterns) {
+  const findings = [];
+  if (stack.languages.includes("javascript") || stack.languages.includes("typescript")) {
+    try {
+      const pkg = JSON.parse(readFileSync3(`${baseDir}/package.json`, "utf-8"));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      for (const dep of Object.keys(allDeps)) {
+        const match = patterns.npm[dep];
+        if (match) {
+          findings.push({
+            id: `code-tracker-dep-${dep}`,
+            category: "code",
+            severity: match.severity,
+            title: `Tracker SDK dependency: ${dep}`,
+            message: `Package "${dep}" is a known tracker SDK (vendor: ${match.vendorId}). Ensure it is loaded behind a consent mechanism.`,
+            file: "package.json",
+            vendorId: match.vendorId,
+            rule: "tracker-dependency"
+          });
+        }
+      }
+    } catch {
+    }
+  }
+  if (stack.languages.includes("python")) {
+    for (const reqFile of ["requirements.txt", "pyproject.toml"]) {
+      try {
+        const content = readFileSync3(`${baseDir}/${reqFile}`, "utf-8");
+        for (const [pkg, match] of Object.entries(patterns.pypi)) {
+          if (content.toLowerCase().includes(pkg.toLowerCase())) {
+            findings.push({
+              id: `code-tracker-dep-${pkg}`,
+              category: "code",
+              severity: match.severity,
+              title: `Tracker SDK dependency: ${pkg}`,
+              message: `Python package "${pkg}" is a known tracker SDK (vendor: ${match.vendorId}). Ensure it has proper consent handling.`,
+              file: reqFile,
+              vendorId: match.vendorId,
+              rule: "tracker-dependency"
+            });
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  if (stack.languages.includes("rust")) {
+    try {
+      const content = readFileSync3(`${baseDir}/Cargo.toml`, "utf-8");
+      for (const [crate, match] of Object.entries(patterns.cargo)) {
+        if (content.includes(crate)) {
+          findings.push({
+            id: `code-tracker-dep-${crate}`,
+            category: "code",
+            severity: match.severity,
+            title: `Tracker SDK dependency: ${crate}`,
+            message: `Cargo crate "${crate}" is a known tracker SDK (vendor: ${match.vendorId}).`,
+            file: "Cargo.toml",
+            vendorId: match.vendorId,
+            rule: "tracker-dependency"
+          });
+        }
+      }
+    } catch {
+    }
+  }
+  return findings;
+}
+function scanEnvFile(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith("#")) continue;
+    const eqIndex = line.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = line.slice(0, eqIndex).trim();
+    const match = patterns.envVars[key];
+    if (match) {
+      findings.push({
+        id: `code-env-tracker-${key}`,
+        category: "code",
+        severity: match.severity,
+        title: `Tracker env variable: ${key}`,
+        message: `Environment variable "${key}" configures ${match.vendorId}. Document this third-party in your privacy policy.`,
+        file: filePath,
+        line: i + 1,
+        vendorId: match.vendorId,
+        rule: "tracker-env-var"
+      });
+    }
+  }
+  return findings;
+}
+function scanHtmlFile(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    for (const hp of patterns.htmlPatterns) {
+      if (lines[i].includes(hp.pattern)) {
+        findings.push({
+          id: `code-html-tracker-${hp.vendorId}-${filePath}`,
+          category: "code",
+          severity: hp.severity,
+          title: `Hardcoded tracking pixel: ${hp.vendorId}`,
+          message: `Found "${hp.pattern}" loaded directly in HTML. This should be gated behind user consent.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: hp.vendorId,
+          rule: "hardcoded-tracker"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanForHtmlPatterns(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    for (const hp of patterns.htmlPatterns) {
+      if (lines[i].includes(hp.pattern)) {
+        findings.push({
+          id: `code-inline-tracker-${hp.vendorId}-${filePath}-${i}`,
+          category: "code",
+          severity: hp.severity,
+          title: `Inline tracking script: ${hp.vendorId}`,
+          message: `Found "${hp.pattern}" in source. Ensure this is loaded conditionally behind consent.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: hp.vendorId,
+          rule: "inline-tracker"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanJsFile(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const importMatch = line.match(/(?:from\s+['"]|require\s*\(\s*['"])([^'"]+)['"]/);
+    if (importMatch) {
+      const pkg = importMatch[1];
+      const match = patterns.npm[pkg];
+      if (match) {
+        findings.push({
+          id: `code-import-${match.vendorId}-${filePath}-${i}`,
+          category: "code",
+          severity: match.severity,
+          title: `Tracker SDK import: ${pkg}`,
+          message: `Importing "${pkg}" (${match.vendorId}). Ensure this is initialized only after user consent.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: match.vendorId,
+          rule: "tracker-import"
+        });
+      }
+    }
+    for (const ip of patterns.importPatterns) {
+      if (ip.language === "javascript" && line.includes(ip.pattern)) {
+        findings.push({
+          id: `code-pattern-${ip.vendorId}-${filePath}-${i}`,
+          category: "code",
+          severity: ip.severity,
+          title: `Tracker API usage: ${ip.vendorId}`,
+          message: `Found "${ip.pattern}" usage. Ensure proper consent before tracking.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: ip.vendorId,
+          rule: "tracker-api-call"
+        });
+      }
+    }
+    const urlMatch = line.match(/(?:fetch|axios\.\w+|http\.get|http\.post)\s*\(\s*['"`]([^'"`]+)['"`]/);
+    if (urlMatch) {
+      const url = urlMatch[1];
+      for (const hp of patterns.htmlPatterns) {
+        if (url.includes(hp.pattern)) {
+          findings.push({
+            id: `code-fetch-${hp.vendorId}-${filePath}-${i}`,
+            category: "code",
+            severity: hp.severity,
+            title: `HTTP call to tracker: ${hp.vendorId}`,
+            message: `Direct HTTP request to "${url}" detected.`,
+            file: filePath,
+            line: i + 1,
+            vendorId: hp.vendorId,
+            rule: "tracker-http-call"
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+function scanCookieUsage(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.includes("document.cookie") && line.includes("=") && !line.includes("===") && !line.includes("!==")) {
+      const contextStart = Math.max(0, i - 10);
+      const context = lines.slice(contextStart, i).join("\n").toLowerCase();
+      const hasConsentGuard = context.includes("consent") || context.includes("cookie_accepted") || context.includes("gdpr");
+      if (!hasConsentGuard) {
+        findings.push({
+          id: `code-cookie-no-consent-${filePath}-${i}`,
+          category: "code",
+          severity: "high",
+          title: "Cookie write without consent check",
+          message: "Writing to document.cookie without an apparent consent guard. GDPR requires user consent before setting non-essential cookies.",
+          file: filePath,
+          line: i + 1,
+          rule: "cookie-no-consent",
+          fix: 'Gate cookie writes behind a consent check, e.g. `if (hasConsent("analytics")) { document.cookie = ... }`'
+        });
+      }
+    }
+    if (line.includes("res.cookie(") || line.includes("response.set_cookie(")) {
+      if (!content.includes("httpOnly") && !content.includes("HttpOnly") && !content.includes("httponly")) {
+        findings.push({
+          id: `code-cookie-insecure-${filePath}-${i}`,
+          category: "code",
+          severity: "medium",
+          title: "Cookie set without HttpOnly flag",
+          message: "Setting a cookie without explicit HttpOnly flag. Consider adding httpOnly: true for security.",
+          file: filePath,
+          line: i + 1,
+          rule: "cookie-insecure"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanLocalStorage(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  const piiKeys = ["email", "phone", "name", "address", "user", "token", "password", "ssn", "dob", "birth"];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].toLowerCase();
+    if (line.includes("localstorage.setitem") || line.includes("sessionstorage.setitem")) {
+      const keyMatch = lines[i].match(/(?:localStorage|sessionStorage)\.setItem\s*\(\s*['"]([^'"]+)['"]/i);
+      if (keyMatch) {
+        const key = keyMatch[1].toLowerCase();
+        for (const piiKey of piiKeys) {
+          if (key.includes(piiKey)) {
+            findings.push({
+              id: `code-storage-pii-${filePath}-${i}`,
+              category: "code",
+              severity: "medium",
+              title: `PII stored in browser storage: "${keyMatch[1]}"`,
+              message: `Storing potentially sensitive data ("${keyMatch[1]}") in browser storage. Consider using HttpOnly cookies or server-side sessions instead.`,
+              file: filePath,
+              line: i + 1,
+              rule: "storage-pii"
+            });
+            break;
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+function scanPythonFile(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const importMatch = line.match(/(?:from\s+(\S+)\s+import|^import\s+(\S+))/);
+    if (importMatch) {
+      const pkg = (importMatch[1] || importMatch[2]).split(".")[0].toLowerCase();
+      for (const [pyPkg, match] of Object.entries(patterns.pypi)) {
+        if (pkg === pyPkg.toLowerCase().replace(/-/g, "_") || pkg === pyPkg.toLowerCase().replace(/-/g, "")) {
+          findings.push({
+            id: `code-python-import-${match.vendorId}-${filePath}-${i}`,
+            category: "code",
+            severity: match.severity,
+            title: `Tracker SDK import: ${pyPkg}`,
+            message: `Python import of "${pkg}" (${match.vendorId}). Ensure proper consent handling.`,
+            file: filePath,
+            line: i + 1,
+            vendorId: match.vendorId,
+            rule: "tracker-import"
+          });
+        }
+      }
+    }
+    for (const ip of patterns.importPatterns) {
+      if (ip.language === "python" && line.includes(ip.pattern)) {
+        findings.push({
+          id: `code-python-pattern-${ip.vendorId}-${filePath}-${i}`,
+          category: "code",
+          severity: ip.severity,
+          title: `Tracker usage: ${ip.vendorId}`,
+          message: `Found "${ip.pattern}" in Python source.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: ip.vendorId,
+          rule: "tracker-api-call"
+        });
+      }
+    }
+    if (line.includes("'analytical'") || line.includes("'django_analytical'")) {
+      findings.push({
+        id: `code-django-analytical-${filePath}-${i}`,
+        category: "code",
+        severity: "medium",
+        title: "Django Analytical middleware",
+        message: `django-analytical is installed. Review which analytics services are configured and ensure consent is collected.`,
+        file: filePath,
+        line: i + 1,
+        rule: "tracker-middleware"
+      });
+    }
+  }
+  return findings;
+}
+function scanRustFile(content, filePath, patterns) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const useMatch = line.match(/^\s*use\s+(\w+)/);
+    if (useMatch) {
+      const crate = useMatch[1].toLowerCase();
+      for (const [cargo, match] of Object.entries(patterns.cargo)) {
+        if (crate === cargo.toLowerCase().replace(/-/g, "_")) {
+          findings.push({
+            id: `code-rust-use-${match.vendorId}-${filePath}-${i}`,
+            category: "code",
+            severity: match.severity,
+            title: `Tracker crate usage: ${cargo}`,
+            message: `Using crate "${cargo}" (${match.vendorId}).`,
+            file: filePath,
+            line: i + 1,
+            vendorId: match.vendorId,
+            rule: "tracker-import"
+          });
+        }
+      }
+    }
+    for (const ip of patterns.importPatterns) {
+      if (ip.language === "rust" && line.includes(ip.pattern)) {
+        findings.push({
+          id: `code-rust-pattern-${ip.vendorId}-${filePath}-${i}`,
+          category: "code",
+          severity: ip.severity,
+          title: `Tracker usage: ${ip.vendorId}`,
+          message: `Found "${ip.pattern}" in Rust source.`,
+          file: filePath,
+          line: i + 1,
+          vendorId: ip.vendorId,
+          rule: "tracker-api-call"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function deduplicateFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    const key = `${f.rule}:${f.vendorId}:${f.file}:${f.line ?? ""}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// src/audit/schema-scanner.ts
+import { readFileSync as readFileSync4 } from "fs";
+import { relative as relative2 } from "path";
+var PII_PATTERNS = [
+  // Direct identifiers
+  { pattern: "email", piiType: "email address", severity: "high", recommendation: "Hash or encrypt email addresses at rest" },
+  { pattern: "e_mail", piiType: "email address", severity: "high", recommendation: "Hash or encrypt email addresses at rest" },
+  { pattern: "phone", piiType: "phone number", severity: "high", recommendation: "Encrypt phone numbers and limit access" },
+  { pattern: "telephone", piiType: "phone number", severity: "high", recommendation: "Encrypt phone numbers and limit access" },
+  { pattern: "mobile", piiType: "phone number", severity: "high", recommendation: "Encrypt phone numbers and limit access" },
+  { pattern: "ssn", piiType: "social security number", severity: "critical", recommendation: "Never store SSN in plaintext \u2014 hash or use tokenization" },
+  { pattern: "social_security", piiType: "social security number", severity: "critical", recommendation: "Never store SSN in plaintext \u2014 hash or use tokenization" },
+  { pattern: "national_id", piiType: "national ID", severity: "critical", recommendation: "Encrypt national ID numbers" },
+  { pattern: "passport", piiType: "passport number", severity: "critical", recommendation: "Encrypt passport numbers" },
+  { pattern: "drivers_license", piiType: "drivers license", severity: "critical", recommendation: "Encrypt license numbers" },
+  { pattern: "tax_id", piiType: "tax ID", severity: "critical", recommendation: "Encrypt tax identification numbers" },
+  // Names
+  { pattern: "first_name", piiType: "personal name", severity: "medium", recommendation: "Consider whether full names need to be stored" },
+  { pattern: "last_name", piiType: "personal name", severity: "medium", recommendation: "Consider whether full names need to be stored" },
+  { pattern: "full_name", piiType: "personal name", severity: "medium", recommendation: "Consider whether full names need to be stored" },
+  { pattern: "display_name", piiType: "personal name", severity: "low", recommendation: "Display names are PII \u2014 document in privacy policy" },
+  // Location
+  { pattern: "address", piiType: "physical address", severity: "high", recommendation: "Encrypt addresses and limit retention" },
+  { pattern: "street", piiType: "physical address", severity: "high", recommendation: "Encrypt addresses" },
+  { pattern: "zip_code", piiType: "location data", severity: "medium", recommendation: "Truncate zip codes for analytics (first 3 digits)" },
+  { pattern: "postal_code", piiType: "location data", severity: "medium", recommendation: "Truncate postal codes" },
+  { pattern: "latitude", piiType: "geolocation", severity: "high", recommendation: "Reduce precision for analytics, encrypt for storage" },
+  { pattern: "longitude", piiType: "geolocation", severity: "high", recommendation: "Reduce precision for analytics" },
+  { pattern: "geolocation", piiType: "geolocation", severity: "high", recommendation: "Reduce precision and encrypt" },
+  // Network identifiers
+  { pattern: "ip_address", piiType: "IP address", severity: "high", recommendation: "Anonymize IP addresses (zero last octet) or hash them" },
+  { pattern: "ip_addr", piiType: "IP address", severity: "high", recommendation: "Anonymize IP addresses" },
+  { pattern: "client_ip", piiType: "IP address", severity: "high", recommendation: "Anonymize IP addresses" },
+  { pattern: "remote_addr", piiType: "IP address", severity: "high", recommendation: "Anonymize IP addresses" },
+  { pattern: "user_agent", piiType: "browser fingerprint", severity: "medium", recommendation: "Consider truncating user agent strings" },
+  { pattern: "device_id", piiType: "device identifier", severity: "high", recommendation: "Hash device IDs" },
+  { pattern: "fingerprint", piiType: "browser fingerprint", severity: "high", recommendation: "Avoid storing browser fingerprints" },
+  { pattern: "mac_address", piiType: "hardware identifier", severity: "high", recommendation: "Hash MAC addresses" },
+  // Date of birth / age
+  { pattern: "date_of_birth", piiType: "date of birth", severity: "high", recommendation: "Store only age or year of birth if possible" },
+  { pattern: "dob", piiType: "date of birth", severity: "high", recommendation: "Store only age or year of birth if possible" },
+  { pattern: "birth_date", piiType: "date of birth", severity: "high", recommendation: "Store only age or year of birth" },
+  // Financial
+  { pattern: "credit_card", piiType: "payment card", severity: "critical", recommendation: "Never store credit card numbers \u2014 use tokenization (Stripe, etc.)" },
+  { pattern: "card_number", piiType: "payment card", severity: "critical", recommendation: "Never store card numbers \u2014 use a payment processor" },
+  { pattern: "bank_account", piiType: "bank account", severity: "critical", recommendation: "Encrypt bank details, use payment processor tokenization" },
+  { pattern: "iban", piiType: "bank identifier", severity: "critical", recommendation: "Encrypt IBAN numbers" },
+  // Passwords / secrets
+  { pattern: "password", piiType: "credential", severity: "critical", recommendation: "Passwords must be hashed (bcrypt/argon2), never stored in plaintext" },
+  { pattern: "secret", piiType: "credential", severity: "high", recommendation: "Secrets should be hashed or encrypted" }
+];
+function scanSchemas(files, baseDir, stack) {
+  const findings = [];
+  for (const filePath of files) {
+    try {
+      const content = readFileSync4(filePath, "utf-8");
+      const relPath = relative2(baseDir, filePath);
+      if (filePath.endsWith(".prisma")) {
+        findings.push(...scanPrismaSchema(content, relPath));
+        continue;
+      }
+      if (filePath.endsWith(".sql")) {
+        findings.push(...scanSqlFile(content, relPath));
+        continue;
+      }
+      if (filePath.endsWith("models.py")) {
+        findings.push(...scanDjangoModels(content, relPath));
+        continue;
+      }
+      if (stack.orm === "sqlalchemy" && filePath.endsWith(".py")) {
+        if (content.includes("Column(") || content.includes("mapped_column(")) {
+          findings.push(...scanSqlAlchemyModels(content, relPath));
+        }
+        continue;
+      }
+      if (stack.orm === "typeorm" && (filePath.endsWith(".ts") || filePath.endsWith(".js"))) {
+        if (content.includes("@Entity(") || content.includes("@Column(")) {
+          findings.push(...scanTypeOrmEntities(content, relPath));
+        }
+        continue;
+      }
+      if (filePath.endsWith(".rs") && content.includes("table!")) {
+        findings.push(...scanDieselSchema(content, relPath));
+        continue;
+      }
+    } catch {
+    }
+  }
+  return findings;
+}
+function scanPrismaSchema(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentModel = "";
+  let modelHasTimestamp = false;
+  let modelHasPii = false;
+  let modelStartLine = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    const modelMatch = line.match(/^model\s+(\w+)\s*\{/);
+    if (modelMatch) {
+      if (currentModel && modelHasPii && !modelHasTimestamp) {
+        findings.push(createRetentionFinding(filePath, modelStartLine, currentModel));
+      }
+      currentModel = modelMatch[1];
+      modelStartLine = i + 1;
+      modelHasTimestamp = false;
+      modelHasPii = false;
+      continue;
+    }
+    if (currentModel && line === "}") {
+      if (modelHasPii && !modelHasTimestamp) {
+        findings.push(createRetentionFinding(filePath, modelStartLine, currentModel));
+      }
+      currentModel = "";
+      continue;
+    }
+    if (!currentModel) continue;
+    const fieldMatch = line.match(/^\s*(\w+)\s+/);
+    if (fieldMatch) {
+      const fieldName = fieldMatch[1].toLowerCase();
+      checkPiiField(fieldName, filePath, i + 1, currentModel, findings);
+      if (isPiiField(fieldName)) modelHasPii = true;
+    }
+    if (line.includes("deletedAt") || line.includes("deleted_at") || line.includes("expiresAt") || line.includes("expires_at") || line.includes("archivedAt")) {
+      modelHasTimestamp = true;
+    }
+  }
+  return findings;
+}
+function scanSqlFile(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentTable = "";
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const tableMatch = line.match(/CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?["`]?(\w+)["`]?/i);
+    if (tableMatch) {
+      currentTable = tableMatch[1];
+      continue;
+    }
+    if (currentTable) {
+      const colMatch = line.match(/^\s*["`]?(\w+)["`]?\s+(VARCHAR|TEXT|CHAR|INTEGER|INT|BIGINT|INET|CIDR|UUID|JSONB?|TIMESTAMP)/i);
+      if (colMatch) {
+        const colName = colMatch[1].toLowerCase();
+        checkPiiField(colName, filePath, i + 1, currentTable, findings);
+      }
+    }
+    if (line.includes(");")) {
+      currentTable = "";
+    }
+  }
+  return findings;
+}
+function scanDjangoModels(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentModel = "";
+  const djangoPiiFields = {
+    "EmailField": { piiType: "email address", severity: "high" },
+    "GenericIPAddressField": { piiType: "IP address", severity: "high" },
+    "IPAddressField": { piiType: "IP address", severity: "high" }
+  };
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const classMatch = line.match(/^class\s+(\w+)\s*\(.*Model.*\)/);
+    if (classMatch) {
+      currentModel = classMatch[1];
+      continue;
+    }
+    if (!currentModel) continue;
+    for (const [fieldType, pii] of Object.entries(djangoPiiFields)) {
+      if (line.includes(fieldType)) {
+        findings.push({
+          id: `schema-django-pii-type-${filePath}-${i}`,
+          category: "schema",
+          severity: pii.severity,
+          title: `PII field type: ${fieldType} in ${currentModel}`,
+          message: `Django ${fieldType} stores ${pii.piiType}. Ensure GDPR compliance measures are in place.`,
+          file: filePath,
+          line: i + 1,
+          rule: "pii-field-type"
+        });
+      }
+    }
+    const fieldNameMatch = line.match(/^\s+(\w+)\s*=\s*models\.\w+Field/);
+    if (fieldNameMatch) {
+      const fieldName = fieldNameMatch[1].toLowerCase();
+      checkPiiField(fieldName, filePath, i + 1, currentModel, findings);
+    }
+    if (/^class\s/.test(line) && !line.includes("Model")) {
+      currentModel = "";
+    }
+  }
+  return findings;
+}
+function scanSqlAlchemyModels(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentModel = "";
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const classMatch = line.match(/^class\s+(\w+)\s*\(/);
+    if (classMatch) {
+      currentModel = classMatch[1];
+      continue;
+    }
+    if (!currentModel) continue;
+    const colMatch = line.match(/(?:Column|mapped_column)\s*\(\s*['"]?(\w+)['"]?/);
+    if (colMatch) {
+      const colName = colMatch[1].toLowerCase();
+      checkPiiField(colName, filePath, i + 1, currentModel, findings);
+    }
+    const attrMatch = line.match(/^\s+(\w+)\s*=\s*(?:Column|mapped_column)/);
+    if (attrMatch) {
+      const attrName = attrMatch[1].toLowerCase();
+      checkPiiField(attrName, filePath, i + 1, currentModel, findings);
+    }
+  }
+  return findings;
+}
+function scanTypeOrmEntities(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentEntity = "";
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const entityMatch = line.match(/class\s+(\w+)/);
+    if (entityMatch && content.slice(0, lines.slice(0, i).join("\n").length).includes("@Entity(")) {
+      currentEntity = entityMatch[1];
+    }
+    if (!currentEntity) continue;
+    const colMatch = line.match(/^\s+(\w+)\s*[?!]?\s*:\s*/);
+    if (colMatch && i > 0 && lines[i - 1].includes("@Column")) {
+      const colName = colMatch[1].toLowerCase();
+      checkPiiField(colName, filePath, i + 1, currentEntity, findings);
+    }
+  }
+  return findings;
+}
+function scanDieselSchema(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  let currentTable = "";
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const tableMatch = line.match(/^\s*(\w+)\s*\(/);
+    if (tableMatch && content.slice(0, lines.slice(0, i).join("\n").length).includes("table!")) {
+      currentTable = tableMatch[1];
+      continue;
+    }
+    if (currentTable) {
+      const colMatch = line.match(/^\s+(\w+)\s*->/);
+      if (colMatch) {
+        const colName = colMatch[1].toLowerCase();
+        checkPiiField(colName, filePath, i + 1, currentTable, findings);
+      }
+    }
+    if (line.trim() === "}") {
+      currentTable = "";
+    }
+  }
+  return findings;
+}
+function checkPiiField(fieldName, filePath, line, context, findings) {
+  const normalized = fieldName.toLowerCase().replace(/[_-]/g, "");
+  for (const pii of PII_PATTERNS) {
+    const piiNorm = pii.pattern.replace(/[_-]/g, "");
+    if (normalized.includes(piiNorm)) {
+      findings.push({
+        id: `schema-pii-${pii.pattern}-${filePath}-${line}`,
+        category: "schema",
+        severity: pii.severity,
+        title: `PII column "${fieldName}" in ${context}`,
+        message: `Column "${fieldName}" likely stores ${pii.piiType}. ${pii.recommendation}`,
+        file: filePath,
+        line,
+        rule: "pii-column",
+        fix: pii.recommendation
+      });
+      return;
+    }
+  }
+}
+function isPiiField(name) {
+  const norm = name.toLowerCase().replace(/[_-]/g, "");
+  return PII_PATTERNS.some((p) => norm.includes(p.pattern.replace(/[_-]/g, "")));
+}
+function createRetentionFinding(filePath, line, model) {
+  return {
+    id: `schema-no-retention-${model}-${filePath}`,
+    category: "schema",
+    severity: "medium",
+    title: `No retention policy for ${model}`,
+    message: `Model "${model}" contains PII but has no soft-delete (deleted_at) or expiry (expires_at) column. GDPR requires data retention limits.`,
+    file: filePath,
+    line,
+    rule: "no-retention-policy",
+    fix: "Add a deleted_at/expires_at timestamp column and implement a data retention cleanup job."
+  };
+}
+
+// src/audit/config-scanner.ts
+import { readFileSync as readFileSync5, existsSync as existsSync3 } from "fs";
+import { join as join3, relative as relative3 } from "path";
+function scanConfigs(files, baseDir, stack) {
+  const findings = [];
+  findings.push(...scanFrameworkConfig(baseDir, stack));
+  for (const filePath of files) {
+    try {
+      const content = readFileSync5(filePath, "utf-8");
+      const relPath = relative3(baseDir, filePath);
+      findings.push(...scanCookieConfig(content, relPath, stack));
+      findings.push(...scanCorsConfig(content, relPath));
+      findings.push(...scanCspConfig(content, relPath));
+      findings.push(...scanLoggingConfig(content, relPath));
+    } catch {
+    }
+  }
+  return findings;
+}
+function scanFrameworkConfig(baseDir, stack) {
+  const findings = [];
+  switch (stack.framework) {
+    case "nextjs":
+      findings.push(...scanNextjsConfig(baseDir));
+      break;
+    case "django":
+      findings.push(...scanDjangoConfig(baseDir));
+      break;
+    case "express":
+    case "fastify":
+      findings.push(...scanExpressConfig(baseDir));
+      break;
+    case "flask":
+      findings.push(...scanFlaskConfig(baseDir));
+      break;
+  }
+  return findings;
+}
+function scanNextjsConfig(baseDir) {
+  const findings = [];
+  for (const ext of [".js", ".ts", ".mjs"]) {
+    const configPath = join3(baseDir, `next.config${ext}`);
+    if (!existsSync3(configPath)) continue;
+    const content = readFileSync5(configPath, "utf-8");
+    if (!content.includes("headers") || !content.includes("Content-Security-Policy")) {
+      findings.push({
+        id: "config-nextjs-no-csp",
+        category: "config",
+        severity: "medium",
+        title: "No Content-Security-Policy in Next.js config",
+        message: "next.config does not set CSP headers. A CSP helps prevent unauthorized tracker injection via XSS.",
+        file: `next.config${ext}`,
+        rule: "missing-csp",
+        fix: "Add security headers in next.config.js headers() function."
+      });
+    }
+    if (content.includes("google-analytics.com") || content.includes("googletagmanager.com")) {
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        if (lines[i].includes("google-analytics.com") || lines[i].includes("googletagmanager.com")) {
+          findings.push({
+            id: `config-nextjs-proxy-analytics-${i}`,
+            category: "config",
+            severity: "high",
+            title: "Analytics proxy in Next.js rewrites",
+            message: "Proxying analytics through Next.js rewrites can circumvent ad blockers but may violate GDPR transparency requirements.",
+            file: `next.config${ext}`,
+            line: i + 1,
+            vendorId: "google-analytics",
+            rule: "analytics-proxy"
+          });
+        }
+      }
+    }
+  }
+  const appFiles = ["src/pages/_app.tsx", "src/pages/_app.jsx", "src/app/layout.tsx", "src/app/layout.jsx", "pages/_app.tsx", "pages/_app.jsx", "app/layout.tsx", "app/layout.jsx"];
+  for (const appFile of appFiles) {
+    const appPath = join3(baseDir, appFile);
+    if (!existsSync3(appPath)) continue;
+    const content = readFileSync5(appPath, "utf-8");
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].includes("GoogleAnalytics") || lines[i].includes("GoogleTagManager") || lines[i].includes("next/script") && lines[i].includes("gtag")) {
+        const contextStart = Math.max(0, i - 5);
+        const context = lines.slice(contextStart, i + 3).join("\n").toLowerCase();
+        if (!context.includes("consent") && !context.includes("cookie") && !context.includes("gdpr")) {
+          findings.push({
+            id: `config-nextjs-unconditional-tracker-${appFile}-${i}`,
+            category: "config",
+            severity: "high",
+            title: "Tracker loaded unconditionally in app layout",
+            message: `Analytics/tracking script loaded without consent check in ${appFile}. GDPR requires consent before non-essential tracking.`,
+            file: appFile,
+            line: i + 1,
+            rule: "unconditional-tracker",
+            fix: "Wrap tracker initialization in a consent check."
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+function scanDjangoConfig(baseDir) {
+  const findings = [];
+  const settingsPaths = ["settings.py", "settings/base.py", "settings/production.py", "config/settings.py"];
+  for (const settingsFile of settingsPaths) {
+    const settingsPath = join3(baseDir, settingsFile);
+    if (!existsSync3(settingsPath)) continue;
+    const content = readFileSync5(settingsPath, "utf-8");
+    const lines = content.split("\n");
+    if (!content.includes("SESSION_COOKIE_SECURE") || content.includes("SESSION_COOKIE_SECURE = False")) {
+      findings.push({
+        id: `config-django-session-insecure-${settingsFile}`,
+        category: "config",
+        severity: "high",
+        title: "Django session cookie not marked Secure",
+        message: "SESSION_COOKIE_SECURE should be True in production to prevent session hijacking over HTTP.",
+        file: settingsFile,
+        rule: "cookie-insecure",
+        fix: "Set SESSION_COOKIE_SECURE = True"
+      });
+    }
+    if (content.includes("CSRF_COOKIE_HTTPONLY = False")) {
+      findings.push({
+        id: `config-django-csrf-httponly-${settingsFile}`,
+        category: "config",
+        severity: "medium",
+        title: "Django CSRF cookie HttpOnly disabled",
+        message: "CSRF_COOKIE_HTTPONLY = False exposes the CSRF token to JavaScript.",
+        file: settingsFile,
+        rule: "cookie-insecure"
+      });
+    }
+    if (!content.includes("SESSION_COOKIE_SAMESITE") || content.includes("SESSION_COOKIE_SAMESITE = 'None'") || content.includes("SESSION_COOKIE_SAMESITE = None")) {
+      findings.push({
+        id: `config-django-samesite-${settingsFile}`,
+        category: "config",
+        severity: "medium",
+        title: "Django session cookie SameSite not set",
+        message: 'SESSION_COOKIE_SAMESITE should be "Lax" or "Strict" to prevent CSRF and limit third-party cookie sharing.',
+        file: settingsFile,
+        rule: "cookie-samesite",
+        fix: "Set SESSION_COOKIE_SAMESITE = 'Lax'"
+      });
+    }
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].match(/^\s*DEBUG\s*=\s*True/)) {
+        findings.push({
+          id: `config-django-debug-${settingsFile}`,
+          category: "config",
+          severity: "high",
+          title: "Django DEBUG = True",
+          message: "DEBUG mode enabled \u2014 this leaks detailed error info including PII in stack traces to users.",
+          file: settingsFile,
+          line: i + 1,
+          rule: "debug-mode"
+        });
+      }
+    }
+    if (!content.includes("SECURE_SSL_REDIRECT") || content.includes("SECURE_SSL_REDIRECT = False")) {
+      findings.push({
+        id: `config-django-no-ssl-${settingsFile}`,
+        category: "config",
+        severity: "medium",
+        title: "Django SSL redirect not enabled",
+        message: "SECURE_SSL_REDIRECT should be True to enforce HTTPS.",
+        file: settingsFile,
+        rule: "no-ssl"
+      });
+    }
+  }
+  return findings;
+}
+function scanExpressConfig(baseDir) {
+  const findings = [];
+  try {
+    const pkg = JSON.parse(readFileSync5(join3(baseDir, "package.json"), "utf-8"));
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    if (!allDeps["helmet"]) {
+      findings.push({
+        id: "config-express-no-helmet",
+        category: "config",
+        severity: "medium",
+        title: "Express app missing Helmet",
+        message: "Helmet sets security headers (CSP, X-Frame-Options, etc.) that help prevent tracker injection via XSS.",
+        file: "package.json",
+        rule: "missing-security-headers",
+        fix: "npm install helmet && app.use(helmet())"
+      });
+    }
+  } catch {
+  }
+  return findings;
+}
+function scanFlaskConfig(baseDir) {
+  const findings = [];
+  const configFiles = ["config.py", "app.py", "settings.py"];
+  for (const configFile of configFiles) {
+    const configPath = join3(baseDir, configFile);
+    if (!existsSync3(configPath)) continue;
+    const content = readFileSync5(configPath, "utf-8");
+    const lines = content.split("\n");
+    if (content.includes("SESSION_COOKIE_SECURE") && content.includes("False")) {
+      findings.push({
+        id: `config-flask-session-insecure-${configFile}`,
+        category: "config",
+        severity: "high",
+        title: "Flask session cookie not secure",
+        message: "SESSION_COOKIE_SECURE should be True in production.",
+        file: configFile,
+        rule: "cookie-insecure"
+      });
+    }
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].match(/DEBUG\s*=\s*True/) || lines[i].includes("app.run(debug=True)")) {
+        findings.push({
+          id: `config-flask-debug-${configFile}-${i}`,
+          category: "config",
+          severity: "high",
+          title: "Flask debug mode enabled",
+          message: "Debug mode leaks stack traces and PII to users.",
+          file: configFile,
+          line: i + 1,
+          rule: "debug-mode"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanCookieConfig(content, filePath, stack) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.includes("cookie:") && i + 5 < lines.length) {
+      const cookieBlock = lines.slice(i, i + 8).join("\n");
+      if (!cookieBlock.includes("secure")) {
+        findings.push({
+          id: `config-cookie-no-secure-${filePath}-${i}`,
+          category: "config",
+          severity: "high",
+          title: "Cookie missing Secure flag",
+          message: "Cookie configuration does not set secure: true. Cookies will be sent over HTTP.",
+          file: filePath,
+          line: i + 1,
+          rule: "cookie-insecure",
+          fix: "Add secure: true to cookie options"
+        });
+      }
+      if (!cookieBlock.includes("sameSite") && !cookieBlock.includes("same_site")) {
+        findings.push({
+          id: `config-cookie-no-samesite-${filePath}-${i}`,
+          category: "config",
+          severity: "medium",
+          title: "Cookie missing SameSite attribute",
+          message: 'Cookie does not set SameSite attribute. Set to "Lax" or "Strict" to prevent CSRF.',
+          file: filePath,
+          line: i + 1,
+          rule: "cookie-samesite",
+          fix: "Add sameSite: 'lax' to cookie options"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanCorsConfig(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.includes("origin: '*'") || line.includes('origin: "*"') || line.includes("origin: true") || line.includes("CORS_ALLOW_ALL_ORIGINS") && line.includes("True") || line.includes("Access-Control-Allow-Origin") && line.includes("*")) {
+      findings.push({
+        id: `config-cors-wildcard-${filePath}-${i}`,
+        category: "config",
+        severity: "medium",
+        title: "CORS wildcard origin",
+        message: "CORS is configured to allow all origins. This can expose user data to any domain.",
+        file: filePath,
+        line: i + 1,
+        rule: "cors-wildcard",
+        fix: "Restrict CORS to specific trusted origins."
+      });
+    }
+    if (line.includes("credentials") && line.includes("true")) {
+      const block = lines.slice(Math.max(0, i - 5), i + 5).join("\n");
+      if (block.includes("'*'") || block.includes('"*"')) {
+        findings.push({
+          id: `config-cors-credentials-wildcard-${filePath}-${i}`,
+          category: "config",
+          severity: "high",
+          title: "CORS credentials with wildcard origin",
+          message: "CORS allows credentials with wildcard origin \u2014 this is a security vulnerability.",
+          file: filePath,
+          line: i + 1,
+          rule: "cors-credentials-wildcard"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanCspConfig(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.includes("Content-Security-Policy") || line.includes("contentSecurityPolicy")) {
+      const cspBlock = lines.slice(i, Math.min(lines.length, i + 10)).join("\n");
+      if (cspBlock.includes("'unsafe-inline'")) {
+        findings.push({
+          id: `config-csp-unsafe-inline-${filePath}-${i}`,
+          category: "config",
+          severity: "medium",
+          title: "CSP allows 'unsafe-inline'",
+          message: "Content-Security-Policy uses 'unsafe-inline' which allows injected tracker scripts to execute.",
+          file: filePath,
+          line: i + 1,
+          rule: "csp-unsafe-inline"
+        });
+      }
+      if (cspBlock.includes("'unsafe-eval'")) {
+        findings.push({
+          id: `config-csp-unsafe-eval-${filePath}-${i}`,
+          category: "config",
+          severity: "high",
+          title: "CSP allows 'unsafe-eval'",
+          message: "Content-Security-Policy uses 'unsafe-eval' which enables arbitrary script execution.",
+          file: filePath,
+          line: i + 1,
+          rule: "csp-unsafe-eval"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanLoggingConfig(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  const piiLogPatterns = [
+    /console\.log\(.*(?:email|password|token|ssn|phone|ip_address)/i,
+    /logger\.\w+\(.*(?:email|password|token|ssn|phone)/i,
+    /logging\.\w+\(.*(?:email|password|token|ssn|phone)/i,
+    /print\(.*(?:email|password|token|ssn|phone)/i,
+    /log::\w+!\(.*(?:email|password|token|ssn|phone)/i
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    for (const pattern of piiLogPatterns) {
+      if (pattern.test(lines[i])) {
+        findings.push({
+          id: `config-log-pii-${filePath}-${i}`,
+          category: "config",
+          severity: "medium",
+          title: "Logging potentially sensitive data",
+          message: "Log statement appears to include PII (email, password, token, etc.). Avoid logging sensitive data.",
+          file: filePath,
+          line: i + 1,
+          rule: "logging-pii",
+          fix: "Remove PII from log statements or mask sensitive values."
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+
+// src/audit/server-tracker-scanner.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { relative as relative4, extname as extname2 } from "path";
+var TRACKER_ENDPOINTS = [
+  { pattern: /https?:\/\/www\.google-analytics\.com\/collect/g, vendor: "Google Analytics", vendorId: "google-analytics" },
+  { pattern: /https?:\/\/www\.google-analytics\.com\/g\/collect/g, vendor: "Google Analytics 4", vendorId: "google-analytics" },
+  { pattern: /https?:\/\/graph\.facebook\.com\/[^'"`\s]*\/events/g, vendor: "Facebook Conversions API", vendorId: "facebook-pixel" },
+  { pattern: /https?:\/\/api\.segment\.(io|com)/g, vendor: "Segment", vendorId: "segment" },
+  { pattern: /https?:\/\/api\.mixpanel\.com/g, vendor: "Mixpanel", vendorId: "mixpanel" },
+  { pattern: /https?:\/\/api2?\.amplitude\.com/g, vendor: "Amplitude", vendorId: "amplitude" },
+  { pattern: /https?:\/\/analytics\.tiktok\.com/g, vendor: "TikTok Pixel", vendorId: "tiktok" },
+  { pattern: /https?:\/\/tr\.snapchat\.com/g, vendor: "Snapchat", vendorId: "snapchat" },
+  { pattern: /https?:\/\/ct\.pinterest\.com/g, vendor: "Pinterest Tag", vendorId: "pinterest" },
+  { pattern: /https?:\/\/bat\.bing\.com/g, vendor: "Microsoft UET", vendorId: "bing" },
+  { pattern: /https?:\/\/app\.posthog\.com\/capture/g, vendor: "PostHog", vendorId: "posthog" },
+  { pattern: /https?:\/\/events\.launchdarkly\.com/g, vendor: "LaunchDarkly", vendorId: "launchdarkly" }
+];
+var TRACKER_DOMAINS = [
+  "google-analytics.com",
+  "googletagmanager.com",
+  "graph.facebook.com",
+  "api.segment.io",
+  "api.segment.com",
+  "api.mixpanel.com",
+  "api.amplitude.com",
+  "api2.amplitude.com",
+  "analytics.tiktok.com",
+  "tr.snapchat.com",
+  "ct.pinterest.com",
+  "bat.bing.com",
+  "app.posthog.com",
+  "events.launchdarkly.com"
+];
+var SERVER_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".js",
+  ".ts",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".rs",
+  ".rb",
+  ".go",
+  ".java",
+  ".php"
+]);
+function scanServerTracking(files, baseDir, _stack) {
+  const findings = [];
+  for (const filePath of files) {
+    const ext = extname2(filePath);
+    if (!SERVER_EXTENSIONS.has(ext)) continue;
+    let content;
+    try {
+      content = readFileSync6(filePath, "utf-8");
+    } catch {
+      continue;
+    }
+    const relPath = relative4(baseDir, filePath);
+    const lines = content.split("\n");
+    findings.push(...scanTrackerUrls(lines, relPath));
+    findings.push(...scanHttpCalls(lines, relPath));
+  }
+  return deduplicateByKey(findings);
+}
+function scanTrackerUrls(lines, filePath) {
+  const findings = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const endpoint of TRACKER_ENDPOINTS) {
+      endpoint.pattern.lastIndex = 0;
+      if (endpoint.pattern.test(line)) {
+        findings.push({
+          id: `code-server-tracking-${filePath}-${i}`,
+          category: "code",
+          severity: "high",
+          title: `Server-side tracking: ${endpoint.vendor}`,
+          message: `Server-side API call to ${endpoint.vendor} detected. This bypasses browser privacy controls (ad blockers, consent banners).`,
+          file: filePath,
+          line: i + 1,
+          vendorId: endpoint.vendorId,
+          rule: "server-side-tracking",
+          fix: "Ensure explicit user consent before sending data. Consider a server-side consent check or privacy-friendly alternative."
+        });
+      }
+    }
+  }
+  return findings;
+}
+var HTTP_CALL_PATTERNS = [
+  // JS/TS: fetch, axios, got, node-fetch
+  /fetch\s*\(\s*['"`]([^'"`]+)['"`]/g,
+  /axios\.(get|post|put|patch)\s*\(\s*['"`]([^'"`]+)['"`]/g,
+  /got\.(get|post|put|patch)\s*\(\s*['"`]([^'"`]+)['"`]/g,
+  // Python: requests, httpx, urllib
+  /requests?\.(get|post|put|patch)\s*\(\s*['"`]([^'"`]+)['"`]/g,
+  /httpx\.(get|post|put|patch)\s*\(\s*['"`]([^'"`]+)['"`]/g,
+  // Rust: reqwest
+  /\.(?:get|post|put|patch)\s*\(\s*"([^"]+)"/g,
+  // Generic URL in string assignment
+  /(?:url|endpoint|api_url|base_url)\s*=\s*['"`]([^'"`]+)['"`]/gi
+];
+function scanHttpCalls(lines, filePath) {
+  const findings = [];
+  const fullContent = lines.join("\n");
+  for (const pattern of HTTP_CALL_PATTERNS) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(fullContent)) !== null) {
+      const url = match[2] ?? match[1];
+      if (!url) continue;
+      const matchedDomain = TRACKER_DOMAINS.find((d) => url.includes(d));
+      if (!matchedDomain) continue;
+      const lineNumber = fullContent.substring(0, match.index).split("\n").length;
+      findings.push({
+        id: `code-server-http-${filePath}-${lineNumber}`,
+        category: "code",
+        severity: "high",
+        title: `HTTP call to tracker domain: ${matchedDomain}`,
+        message: `Server-side HTTP request to ${matchedDomain} detected. This sends tracking data without user visibility.`,
+        file: filePath,
+        line: lineNumber,
+        rule: "server-side-tracking",
+        fix: "Verify user consent before sending data. Use a privacy proxy or first-party endpoint instead."
+      });
+    }
+  }
+  return findings;
+}
+function deduplicateByKey(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    const key = `${f.file}:${f.line}:${f.rule}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// src/audit/cname-cloaking-scanner.ts
+import { readFileSync as readFileSync7 } from "fs";
+import { basename as basename2, relative as relative5, extname as extname3 } from "path";
+var CNAME_TRACKER_DOMAINS = [
+  // Adobe / Omniture
+  { domain: "omtrdc.net", vendor: "Adobe Analytics", vendorId: "adobe-analytics" },
+  { domain: "2o7.net", vendor: "Adobe Analytics", vendorId: "adobe-analytics" },
+  { domain: "sc.omtrdc.net", vendor: "Adobe Analytics", vendorId: "adobe-analytics" },
+  // Eulerian
+  { domain: "eulerian.net", vendor: "Eulerian", vendorId: "eulerian" },
+  // Criteo
+  { domain: "dnsdelegation.io", vendor: "Criteo", vendorId: "criteo" },
+  { domain: "criteo.com", vendor: "Criteo", vendorId: "criteo" },
+  // AT Internet / Piano
+  { domain: "xiti.com", vendor: "AT Internet", vendorId: "at-internet" },
+  { domain: "ati-host.net", vendor: "AT Internet", vendorId: "at-internet" },
+  // Segment
+  { domain: "cdn.segment.com", vendor: "Segment", vendorId: "segment" },
+  { domain: "api.segment.io", vendor: "Segment", vendorId: "segment" },
+  // Mixpanel
+  { domain: "cdn.mxpnl.com", vendor: "Mixpanel", vendorId: "mixpanel" },
+  { domain: "api-js.mixpanel.com", vendor: "Mixpanel", vendorId: "mixpanel" },
+  // Google Tag Manager server-side
+  { domain: "googletagmanager.com", vendor: "Google Tag Manager", vendorId: "google-tag-manager" },
+  { domain: "analytics.google.com", vendor: "Google Analytics", vendorId: "google-analytics" },
+  // Amplitude
+  { domain: "cdn.amplitude.com", vendor: "Amplitude", vendorId: "amplitude" },
+  { domain: "api.amplitude.com", vendor: "Amplitude", vendorId: "amplitude" },
+  // PostHog
+  { domain: "app.posthog.com", vendor: "PostHog", vendorId: "posthog" },
+  // Hubspot
+  { domain: "js.hs-scripts.com", vendor: "HubSpot", vendorId: "hubspot" },
+  { domain: "track.hubspot.com", vendor: "HubSpot", vendorId: "hubspot" },
+  // Plausible (self-hosted proxy patterns)
+  { domain: "plausible.io", vendor: "Plausible", vendorId: "plausible" },
+  // Facebook / Meta
+  { domain: "connect.facebook.net", vendor: "Facebook", vendorId: "facebook-pixel" },
+  { domain: "graph.facebook.com", vendor: "Facebook", vendorId: "facebook-pixel" },
+  // TikTok
+  { domain: "analytics.tiktok.com", vendor: "TikTok", vendorId: "tiktok" }
+];
+var DNS_CONFIG_FILES = /* @__PURE__ */ new Set([
+  "cloudflare.json",
+  "dns-records.json",
+  "vercel.json",
+  "netlify.toml",
+  "_redirects",
+  "_headers"
+]);
+var IAC_EXTENSIONS = /* @__PURE__ */ new Set([".tf", ".json", ".yml", ".yaml", ".toml"]);
+var PROXY_CONFIG_FILES = /* @__PURE__ */ new Set(["nginx.conf", "httpd.conf", ".htaccess"]);
+var NEXTJS_CONFIG = /* @__PURE__ */ new Set(["next.config.js", "next.config.mjs", "next.config.ts"]);
+function scanCnameCloaking(files, baseDir, stack) {
+  const findings = [];
+  for (const filePath of files) {
+    const name = basename2(filePath);
+    const ext = extname3(filePath);
+    let content;
+    try {
+      content = readFileSync7(filePath, "utf-8");
+    } catch {
+      continue;
+    }
+    const relPath = relative5(baseDir, filePath);
+    if (DNS_CONFIG_FILES.has(name)) {
+      findings.push(...scanDnsConfig(content, relPath, name));
+    }
+    if (IAC_EXTENSIONS.has(ext) && isInfraFile(filePath, content)) {
+      findings.push(...scanIacFile(content, relPath, name));
+    }
+    if (PROXY_CONFIG_FILES.has(name) || name.endsWith(".conf")) {
+      findings.push(...scanProxyConfig(content, relPath));
+    }
+    if (NEXTJS_CONFIG.has(name) || name === "vercel.json") {
+      findings.push(...scanNextjsRewrites(content, relPath));
+    }
+    if ((ext === ".js" || ext === ".ts" || ext === ".mjs") && isServerFile(name)) {
+      findings.push(...scanExpressProxy(content, relPath));
+    }
+  }
+  return dedup(findings);
+}
+function scanDnsConfig(content, filePath, fileName) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].toLowerCase();
+    if (!line.includes("cname")) continue;
+    for (const tracker of CNAME_TRACKER_DOMAINS) {
+      if (line.includes(tracker.domain.toLowerCase())) {
+        findings.push(makeFinding(
+          filePath,
+          i + 1,
+          tracker,
+          `CNAME record pointing to ${tracker.vendor} (${tracker.domain}). This cloaks third-party tracking behind a first-party domain, bypassing ad blockers and consent mechanisms.`
+        ));
+      }
+    }
+  }
+  return findings;
+}
+function isInfraFile(filePath, content) {
+  if (filePath.endsWith(".tf")) return true;
+  if (content.includes("AWSTemplateFormatVersion") || content.includes("AWS::")) return true;
+  if (content.includes("pulumi")) return true;
+  if (content.includes("route53") || content.includes("dns_record") || content.includes("cloudflare_record")) return true;
+  return false;
+}
+function scanIacFile(content, filePath, fileName) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].toLowerCase();
+    const isCnameContext = line.includes("cname") || line.includes('"type"') && lines.slice(Math.max(0, i - 3), i + 3).join(" ").toLowerCase().includes("cname");
+    if (!isCnameContext) continue;
+    const contextWindow = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 5)).join("\n").toLowerCase();
+    for (const tracker of CNAME_TRACKER_DOMAINS) {
+      if (contextWindow.includes(tracker.domain.toLowerCase())) {
+        findings.push(makeFinding(
+          filePath,
+          i + 1,
+          tracker,
+          `Infrastructure-as-code CNAME record to ${tracker.vendor} (${tracker.domain}). This creates a DNS-level proxy to a third-party tracker.`
+        ));
+      }
+    }
+  }
+  return findings;
+}
+function scanProxyConfig(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  const proxyPatterns = [
+    /proxy_pass\s+https?:\/\/([^\s;]+)/gi,
+    /ProxyPass\s+\S+\s+https?:\/\/([^\s]+)/gi,
+    /upstream\s+\w+\s*{[^}]*server\s+([^\s;]+)/gi
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of proxyPatterns) {
+      pattern.lastIndex = 0;
+      const match = pattern.exec(line);
+      if (!match) continue;
+      const target = match[1].toLowerCase();
+      for (const tracker of CNAME_TRACKER_DOMAINS) {
+        if (target.includes(tracker.domain.toLowerCase())) {
+          findings.push(makeFinding(
+            filePath,
+            i + 1,
+            tracker,
+            `Reverse proxy to ${tracker.vendor} (${tracker.domain}). Proxying tracker requests through your server makes them appear first-party.`
+          ));
+        }
+      }
+    }
+  }
+  return findings;
+}
+function scanNextjsRewrites(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  const rewritePattern = /(?:destination|dest|to)\s*[:=]\s*['"`](https?:\/\/[^'"`]+)['"`]/gi;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    rewritePattern.lastIndex = 0;
+    let match;
+    while ((match = rewritePattern.exec(line)) !== null) {
+      const url = match[1].toLowerCase();
+      for (const tracker of CNAME_TRACKER_DOMAINS) {
+        if (url.includes(tracker.domain.toLowerCase())) {
+          findings.push(makeFinding(
+            filePath,
+            i + 1,
+            tracker,
+            `Rewrite/redirect rule proxying to ${tracker.vendor} (${tracker.domain}). This makes tracker requests appear first-party to the browser.`
+          ));
+        }
+      }
+    }
+  }
+  const fullContent = content.toLowerCase();
+  for (const tracker of CNAME_TRACKER_DOMAINS) {
+    if (fullContent.includes(tracker.domain.toLowerCase()) && (fullContent.includes("rewrites") || fullContent.includes("redirects"))) {
+      for (let i = 0; i < lines.length; i++) {
+        if (lines[i].toLowerCase().includes(tracker.domain.toLowerCase())) {
+          findings.push(makeFinding(
+            filePath,
+            i + 1,
+            tracker,
+            `Next.js/Vercel config references ${tracker.vendor} (${tracker.domain}) in a rewrites/redirects context. This proxies tracker traffic through your domain.`
+          ));
+        }
+      }
+    }
+  }
+  return findings;
+}
+function isServerFile(name) {
+  const serverNames = ["server", "app", "proxy", "middleware", "api"];
+  const lower = name.toLowerCase();
+  return serverNames.some((s) => lower.includes(s));
+}
+function scanExpressProxy(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  const proxyPatterns = [
+    /(?:target|changeOrigin|router)\s*[:=]\s*['"`](https?:\/\/[^'"`]+)['"`]/gi,
+    /createProxyMiddleware\s*\(\s*(?:['"`]([^'"`]+)['"`]|{[^}]*target\s*:\s*['"`]([^'"`]+)['"`])/gi,
+    /httpProxy\.createServer\s*\(\s*{[^}]*target\s*:\s*['"`](https?:\/\/[^'"`]+)['"`]/gi
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of proxyPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(line)) !== null) {
+        const url = (match[2] ?? match[1] ?? "").toLowerCase();
+        if (!url) continue;
+        for (const tracker of CNAME_TRACKER_DOMAINS) {
+          if (url.includes(tracker.domain.toLowerCase())) {
+            findings.push(makeFinding(
+              filePath,
+              i + 1,
+              tracker,
+              `Express/Node proxy middleware forwarding to ${tracker.vendor} (${tracker.domain}). This cloaks third-party tracking as first-party traffic.`
+            ));
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}
+function makeFinding(file, line, tracker, message) {
+  return {
+    id: `code-cname-cloaking-${file}-${line}`,
+    category: "code",
+    severity: "critical",
+    title: `CNAME cloaking: ${tracker.vendor}`,
+    message,
+    file,
+    line,
+    vendorId: tracker.vendorId,
+    rule: "cname-cloaking",
+    fix: "Remove the CNAME/proxy that cloaks third-party tracking. Use a consent-gated client-side integration instead, or disclose the proxy in your privacy policy."
+  };
+}
+function dedup(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    const key = `${f.file}:${f.line}:${f.vendorId}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// src/audit/git-blame.ts
+import { execSync } from "child_process";
+function isGitRepo(cwd) {
+  try {
+    execSync("git rev-parse --git-dir", {
+      stdio: "ignore",
+      cwd
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getBlameForLine(filePath, lineNumber, cwd) {
+  try {
+    const output = execSync(
+      `git blame -L ${lineNumber},${lineNumber} --porcelain "${filePath}"`,
+      { encoding: "utf-8", cwd }
+    );
+    const lines = output.split("\n");
+    const commit = lines[0]?.split(" ")[0] ?? "";
+    const author = lines.find((l) => l.startsWith("author "))?.substring(7) ?? "Unknown";
+    const email = lines.find((l) => l.startsWith("author-mail "))?.substring(12).replace(/[<>]/g, "") ?? "";
+    const timestamp = lines.find((l) => l.startsWith("author-time "))?.substring(12) ?? "";
+    const summary = lines.find((l) => l.startsWith("summary "))?.substring(8) ?? "";
+    const date = timestamp ? new Date(parseInt(timestamp, 10) * 1e3).toISOString() : "";
+    return { author, email, date, commit, commitMessage: summary };
+  } catch {
+    return null;
+  }
+}
+function enrichFindings(findings, cwd) {
+  if (!isGitRepo(cwd)) return findings;
+  return findings.map((finding) => {
+    if (!finding.line) return finding;
+    const blame = getBlameForLine(finding.file, finding.line, cwd);
+    if (!blame) return finding;
+    return { ...finding, blame };
+  });
+}
+function groupByAuthor(findings) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    if (!finding.blame) continue;
+    const { author } = finding.blame;
+    const list = grouped.get(author) ?? [];
+    list.push(finding);
+    grouped.set(author, list);
+  }
+  return grouped;
+}
+
+// src/audit/scoring.ts
+var SEVERITY_WEIGHTS = {
+  critical: 25,
+  high: 10,
+  medium: 3,
+  low: 1,
+  info: 0
+};
+function gradeFromScore(score) {
+  if (score >= 90) return "A";
+  if (score >= 75) return "B";
+  if (score >= 60) return "C";
+  if (score >= 40) return "D";
+  return "F";
+}
+function calculateScore(report) {
+  const breakdown = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  for (const finding of report.findings) {
+    breakdown[finding.severity]++;
+  }
+  let penalty = 0;
+  for (const [severity, count] of Object.entries(breakdown)) {
+    penalty += SEVERITY_WEIGHTS[severity] * count;
+  }
+  const score = Math.max(0, 100 - penalty);
+  const grade = gradeFromScore(score);
+  return { score, grade, breakdown };
+}
+function gradeColor(grade) {
+  switch (grade) {
+    case "A":
+      return "#4caf50";
+    // green
+    case "B":
+      return "#8bc34a";
+    // light green
+    case "C":
+      return "#ff9800";
+    // orange
+    case "D":
+      return "#ff5722";
+    // deep orange
+    case "F":
+      return "#f44336";
+  }
+}
+
+// src/audit/sarif-formatter.ts
+function formatAuditSarif(report) {
+  const sarif = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "ETALON",
+            version: report.meta.etalonVersion,
+            informationUri: "https://github.com/NMA-vc/etalon",
+            rules: generateRules(report.findings)
+          }
+        },
+        results: generateResults(report.findings)
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+function toSarifLevel(severity) {
+  switch (severity) {
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
+    case "low":
+    case "info":
+    default:
+      return "note";
+  }
+}
+var RULE_DESCRIPTIONS = {
+  "tracker-dependency": "Third-party tracking SDK detected in dependencies",
+  "tracker-import": "Tracker SDK import found in source code",
+  "tracker-api-call": "Call to a tracker API function detected",
+  "tracker-env-var": "Tracker-related environment variable detected",
+  "hardcoded-tracker": "Hardcoded tracking pixel or script found",
+  "cookie-no-consent": "Cookie written without consent check",
+  "storage-pii": "PII stored in localStorage or sessionStorage",
+  "pii-column": "Potential PII stored in database column",
+  "no-retention-policy": "Database table with PII lacks a retention policy",
+  "pii-no-encryption": "PII column without encryption hint",
+  "cookie-insecure": "Cookie missing Secure flag",
+  "cookie-httponly": "Cookie missing HttpOnly flag",
+  "cookie-samesite": "Cookie missing SameSite attribute",
+  "cors-wildcard": "Overly permissive CORS configuration",
+  "cors-credentials-wildcard": "CORS credentials allowed with wildcard origin",
+  "missing-csp": "Missing Content-Security-Policy header",
+  "csp-unsafe-inline": "CSP allows 'unsafe-inline'",
+  "csp-unsafe-eval": "CSP allows 'unsafe-eval'",
+  "debug-mode": "Debug mode enabled in production",
+  "logging-pii": "PII detected in logging statements",
+  "inline-tracker": "Inline tracking script reference detected",
+  "server-side-tracking": "Server-side call to a tracking service endpoint",
+  "cname-cloaking": "CNAME cloaking detected \u2014 third-party tracker hidden behind first-party domain"
+};
+function generateRules(findings) {
+  const uniqueRules = new Set(findings.map((f) => f.rule));
+  return Array.from(uniqueRules).map((rule) => ({
+    id: rule,
+    shortDescription: {
+      text: RULE_DESCRIPTIONS[rule] ?? rule.replace(/[-_]/g, " ")
+    },
+    helpUri: `https://github.com/NMA-vc/etalon/blob/main/docs/rules/${rule}.md`,
+    defaultConfiguration: {
+      level: toSarifLevel(
+        findings.find((f) => f.rule === rule)?.severity ?? "info"
+      )
+    }
+  }));
+}
+function generateResults(findings) {
+  return findings.map((finding) => ({
+    ruleId: finding.rule,
+    level: toSarifLevel(finding.severity),
+    message: { text: finding.message },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: { uri: finding.file },
+          region: {
+            startLine: finding.line ?? 1,
+            startColumn: finding.column ?? 1
+          }
+        }
+      }
+    ],
+    ...finding.fix && {
+      fixes: [
+        {
+          description: { text: finding.fix }
+        }
+      ]
+    },
+    properties: {
+      category: finding.category,
+      severity: finding.severity,
+      ...finding.vendorId && { vendorId: finding.vendorId }
+    }
+  }));
+}
+
+// src/audit/diff-analyzer.ts
+function diffReports(current, baseline) {
+  const makeKey = (f) => `${f.rule}::${f.file}::${f.line ?? 0}::${f.message}`;
+  const baselineKeys = new Set(baseline.findings.map(makeKey));
+  const currentKeys = new Set(current.findings.map(makeKey));
+  const added = [];
+  const unchanged = [];
+  for (const finding of current.findings) {
+    if (baselineKeys.has(makeKey(finding))) {
+      unchanged.push(finding);
+    } else {
+      added.push(finding);
+    }
+  }
+  const removed = baseline.findings.filter((f) => !currentKeys.has(makeKey(f)));
+  return { added, removed, unchanged };
+}
+function shouldBlock(diff, threshold) {
+  const order = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4
+  };
+  const minLevel = order[threshold] ?? 0;
+  return diff.added.some((f) => (order[f.severity] ?? 0) >= minLevel);
+}
+
+// src/audit/badge.ts
+function generateBadgeSvg(score) {
+  const color = gradeColor(score.grade);
+  const label = "ETALON";
+  const value = `${score.grade} (${score.score})`;
+  const labelWidth = 50;
+  const valueWidth = 55;
+  const totalWidth = labelWidth + valueWidth;
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="20" role="img" aria-label="${label}: ${value}">
+  <title>${label}: ${value}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r"><rect width="${totalWidth}" height="20" rx="3" fill="#fff"/></clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${labelWidth}" height="20" fill="#555"/>
+    <rect x="${labelWidth}" width="${valueWidth}" height="20" fill="${color}"/>
+    <rect width="${totalWidth}" height="20" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="11">
+    <text x="${labelWidth / 2}" y="14">${label}</text>
+    <text x="${labelWidth + valueWidth / 2}" y="14">${value}</text>
+  </g>
+</svg>`;
+}
+function badgeUrl(grade, score) {
+  const color = grade === "A" ? "brightgreen" : grade === "B" ? "green" : grade === "C" ? "orange" : grade === "D" ? "red" : "critical";
+  return `https://img.shields.io/badge/ETALON-${grade}%20(${score}%2F100)-${color}?style=flat-square&logo=data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMCIgaGVpZ2h0PSIyMCI+PHJlY3Qgd2lkdGg9IjIwIiBoZWlnaHQ9IjIwIiByeD0iMyIgZmlsbD0iIzNCODJGNiIvPjx0ZXh0IHg9IjEwIiB5PSIxNSIgZm9udC1zaXplPSIxNCIgZmlsbD0iI2ZmZiIgdGV4dC1hbmNob3I9Im1pZGRsZSIgZm9udC1mYW1pbHk9InNhbnMtc2VyaWYiIGZvbnQtd2VpZ2h0PSJib2xkIj5FPC90ZXh0Pjwvc3ZnPg==`;
+}
+function badgeMarkdown(grade, score) {
+  return `[![ETALON Privacy Score](${badgeUrl(grade, score)})](https://etalon.nma.vc)`;
+}
+
+// src/audit/auto-fixer.ts
+import { readFileSync as readFileSync8, writeFileSync } from "fs";
+var FIXERS = {
+  "cookie-samesite": fixCookieSameSite,
+  "cookie-insecure": fixCookieSecure,
+  "csp-unsafe-eval": fixCspUnsafeEval,
+  "cors-credentials-wildcard": fixCorsCredentials
+};
+function fixCookieSameSite(finding, content) {
+  const lines = content.split("\n");
+  const line = finding.line ? lines[finding.line - 1] : null;
+  if (!line) return null;
+  if (line.includes("Set-Cookie") || line.toLowerCase().includes("cookie")) {
+    const patched = line.includes(";") ? line.replace(/;([^;]*)$/, "; SameSite=Lax;$1") : line.replace(/(["'`])$/, "; SameSite=Lax$1");
+    if (patched !== line) {
+      return {
+        file: finding.file,
+        line: finding.line,
+        rule: finding.rule,
+        oldContent: line,
+        newContent: patched,
+        description: "Add SameSite=Lax to cookie"
+      };
+    }
+  }
+  return null;
+}
+function fixCookieSecure(finding, content) {
+  const lines = content.split("\n");
+  const line = finding.line ? lines[finding.line - 1] : null;
+  if (!line) return null;
+  if ((line.includes("Set-Cookie") || line.toLowerCase().includes("cookie")) && !line.includes("Secure")) {
+    const patched = line.includes(";") ? line.replace(/;([^;]*)$/, "; Secure;$1") : line.replace(/(["'`])$/, "; Secure$1");
+    if (patched !== line) {
+      return {
+        file: finding.file,
+        line: finding.line,
+        rule: finding.rule,
+        oldContent: line,
+        newContent: patched,
+        description: "Add Secure flag to cookie"
+      };
+    }
+  }
+  return null;
+}
+function fixCspUnsafeEval(finding, content) {
+  const lines = content.split("\n");
+  const line = finding.line ? lines[finding.line - 1] : null;
+  if (!line) return null;
+  if (line.includes("'unsafe-eval'")) {
+    return {
+      file: finding.file,
+      line: finding.line,
+      rule: finding.rule,
+      oldContent: line,
+      newContent: line.replace(/'unsafe-eval'\s*/g, ""),
+      description: "Remove 'unsafe-eval' from CSP"
+    };
+  }
+  return null;
+}
+function fixCorsCredentials(finding, content) {
+  const lines = content.split("\n");
+  const line = finding.line ? lines[finding.line - 1] : null;
+  if (!line) return null;
+  if (line.includes("'*'") || line.includes('"*"')) {
+    return {
+      file: finding.file,
+      line: finding.line,
+      rule: finding.rule,
+      oldContent: line,
+      newContent: line.replace(/(['"])\*\1/, `$1https://yourdomain.com$1 /* TODO: replace with actual origin */`),
+      description: "Replace CORS wildcard with specific origin (needs manual review)"
+    };
+  }
+  return null;
+}
+function generatePatches(findings, baseDir) {
+  const patches = [];
+  const fileCache = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const fixer = FIXERS[finding.rule];
+    if (!fixer) continue;
+    const filePath = `${baseDir}/${finding.file}`;
+    let content = fileCache.get(filePath);
+    if (content === void 0) {
+      try {
+        content = readFileSync8(filePath, "utf-8");
+        fileCache.set(filePath, content);
+      } catch {
+        continue;
+      }
+    }
+    const patch = fixer(finding, content);
+    if (patch) patches.push(patch);
+  }
+  return patches;
+}
+function applyPatches(patches, baseDir) {
+  const fileEdits = /* @__PURE__ */ new Map();
+  for (const patch of patches) {
+    const file = `${baseDir}/${patch.file}`;
+    if (!fileEdits.has(file)) fileEdits.set(file, /* @__PURE__ */ new Map());
+    fileEdits.get(file).set(patch.line, patch.newContent);
+  }
+  let applied = 0;
+  for (const [file, edits] of fileEdits) {
+    try {
+      const content = readFileSync8(file, "utf-8");
+      const lines = content.split("\n");
+      for (const [lineNum, newContent] of edits) {
+        lines[lineNum - 1] = newContent;
+        applied++;
+      }
+      writeFileSync(file, lines.join("\n"), "utf-8");
+    } catch {
+    }
+  }
+  return applied;
+}
+function fixableRules() {
+  return Object.keys(FIXERS);
+}
+
+// src/audit/data-flow-analyzer.ts
+import { readFileSync as readFileSync9 } from "fs";
+import { join as join4, extname as extname4 } from "path";
+var PII_PATTERNS2 = [
+  { regex: /\b(email|e[_-]?mail)\b/i, piiType: "email" },
+  { regex: /\b(phone|tel|mobile|phone[_-]?number)\b/i, piiType: "phone" },
+  { regex: /\b(name|first[_-]?name|last[_-]?name|full[_-]?name|user[_-]?name)\b/i, piiType: "name" },
+  { regex: /\b(address|street|city|zip[_-]?code|postal)\b/i, piiType: "address" },
+  { regex: /\b(ssn|social[_-]?security|national[_-]?id)\b/i, piiType: "national-id" },
+  { regex: /\b(credit[_-]?card|card[_-]?number|cvv|ccn)\b/i, piiType: "payment" },
+  { regex: /\b(date[_-]?of[_-]?birth|dob|birth[_-]?date)\b/i, piiType: "date-of-birth" },
+  { regex: /\b(ip[_-]?address|ip[_-]?addr)\b/i, piiType: "ip-address" },
+  { regex: /\b(password|passwd|pwd)\b/i, piiType: "password" }
+];
+var SOURCE_PATTERNS = [
+  // Form fields / input elements
+  { regex: /(?:input|TextField|TextInput).*(?:name|type|id)\s*[=:]\s*['"`]([^'"`]+)/i, type: "form-input" },
+  // Request body / params
+  { regex: /req\.body\.(\w+)/i, type: "request-body" },
+  { regex: /request\.form\[['"](\w+)['"]\]/i, type: "request-form" },
+  { regex: /params\[['"](\w+)['"]\]/i, type: "request-params" },
+  // Destructured body
+  { regex: /const\s*\{[^}]*\}\s*=\s*req\.body/i, type: "destructured-body" }
+];
+var STORAGE_PATTERNS = [
+  // Database columns
+  { regex: /(?:column|field|Column)\s*\(\s*['"](\w+)['"]/i, type: "db-column" },
+  { regex: /(?:CREATE\s+TABLE|ALTER\s+TABLE).*?\b(\w+)\b.*?(?:VARCHAR|TEXT|INT)/i, type: "sql-column" },
+  // Prisma/Drizzle schema
+  { regex: /(\w+)\s+String/i, type: "orm-field" },
+  // localStorage / cookies
+  { regex: /localStorage\.setItem\s*\(\s*['"]([^'"]+)['"]/i, type: "local-storage" },
+  { regex: /document\.cookie\s*=\s*['"`](\w+)/i, type: "cookie" },
+  // Redis / cache
+  { regex: /(?:redis|cache)\.set\s*\(\s*['"]([^'"]+)['"]/i, type: "cache" }
+];
+var SINK_PATTERNS = [
+  // Tracker SDKs
+  { regex: /(?:analytics|gtag|fbq|segment|mixpanel|amplitude)\s*\.\s*(?:track|identify|page|send)\s*\(/i, type: "tracker-sdk" },
+  // HTTP calls to external
+  { regex: /(?:fetch|axios|got|request)\s*\(\s*['"`](https?:\/\/[^'"`]+)/i, type: "http-external" },
+  // Logging
+  { regex: /(?:console\.log|logger\.\w+|winston\.\w+)\s*\(/i, type: "logging" },
+  // Email sending
+  { regex: /(?:sendMail|sendEmail|transport\.send|ses\.send)/i, type: "email-send" },
+  // Webhook / API push
+  { regex: /(?:webhook|callbackUrl|postback)\s*[=:]/i, type: "webhook" }
+];
+var SCANNABLE_EXTS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".rb",
+  ".go",
+  ".java",
+  ".rs",
+  ".vue",
+  ".svelte",
+  ".prisma",
+  ".sql"
+]);
+function analyzeDataFlow(files, directory) {
+  const nodes = [];
+  const nodeIndex = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    if (!SCANNABLE_EXTS.has(extname4(file))) continue;
+    let content;
+    try {
+      content = readFileSync9(join4(directory, file), "utf-8");
+    } catch {
+      continue;
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      for (const pii of PII_PATTERNS2) {
+        if (!pii.regex.test(line)) continue;
+        for (const src of SOURCE_PATTERNS) {
+          if (src.regex.test(line)) {
+            const key = `source:${pii.piiType}:${file}:${i + 1}`;
+            if (!nodeIndex.has(key)) {
+              nodeIndex.set(key, nodes.length);
+              nodes.push({
+                type: "source",
+                label: `User Input (${pii.piiType})`,
+                file,
+                line: i + 1,
+                piiType: pii.piiType,
+                detail: src.type
+              });
+            }
+          }
+        }
+        for (const store of STORAGE_PATTERNS) {
+          if (store.regex.test(line)) {
+            const key = `storage:${pii.piiType}:${file}:${i + 1}`;
+            if (!nodeIndex.has(key)) {
+              nodeIndex.set(key, nodes.length);
+              nodes.push({
+                type: "storage",
+                label: `Storage (${pii.piiType})`,
+                file,
+                line: i + 1,
+                piiType: pii.piiType,
+                detail: store.type
+              });
+            }
+          }
+        }
+        for (const sink of SINK_PATTERNS) {
+          if (sink.regex.test(line)) {
+            const key = `sink:${pii.piiType}:${file}:${i + 1}`;
+            if (!nodeIndex.has(key)) {
+              nodeIndex.set(key, nodes.length);
+              nodes.push({
+                type: "sink",
+                label: `Sink (${pii.piiType})`,
+                file,
+                line: i + 1,
+                piiType: pii.piiType,
+                detail: sink.type
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  const edges = [];
+  const byPii = /* @__PURE__ */ new Map();
+  for (const [key, idx] of nodeIndex) {
+    const [type, piiType] = key.split(":");
+    if (!byPii.has(piiType)) byPii.set(piiType, { sources: [], storage: [], sinks: [] });
+    const group = byPii.get(piiType);
+    if (type === "source") group.sources.push(idx);
+    else if (type === "storage") group.storage.push(idx);
+    else if (type === "sink") group.sinks.push(idx);
+  }
+  for (const [, group] of byPii) {
+    for (const src of group.sources) {
+      for (const sto of group.storage) {
+        edges.push({ from: src, to: sto, label: "stores" });
+      }
+    }
+    for (const sto of group.storage) {
+      for (const sink of group.sinks) {
+        edges.push({ from: sto, to: sink, label: "sends" });
+      }
+    }
+    if (group.storage.length === 0) {
+      for (const src of group.sources) {
+        for (const sink of group.sinks) {
+          edges.push({ from: src, to: sink, label: "direct" });
+        }
+      }
+    }
+  }
+  return { nodes, edges };
+}
+var NODE_SHAPES = {
+  source: ["([", "])"],
+  // stadium shape
+  storage: ["[(", ")]"],
+  // cylinder
+  sink: ["[[", "]]"]
+  // rectangle
+};
+function toMermaid(flow) {
+  if (flow.nodes.length === 0) return "graph LR\n  empty[No PII data flows detected]";
+  const lines = ["graph LR"];
+  for (let i = 0; i < flow.nodes.length; i++) {
+    const node = flow.nodes[i];
+    const [open, close] = NODE_SHAPES[node.type];
+    const label = `${node.label}\\n${node.file}:${node.line}`;
+    lines.push(`  n${i}${open}"${label}"${close}`);
+  }
+  for (const edge of flow.edges) {
+    const label = edge.label ? `|${edge.label}|` : "";
+    lines.push(`  n${edge.from} -->${label} n${edge.to}`);
+  }
+  lines.push("  classDef source fill:#4caf50,stroke:#2e7d32,color:#fff");
+  lines.push("  classDef storage fill:#2196f3,stroke:#1565c0,color:#fff");
+  lines.push("  classDef sink fill:#f44336,stroke:#c62828,color:#fff");
+  const sources = flow.nodes.map((n, i) => n.type === "source" ? `n${i}` : "").filter(Boolean);
+  const storage = flow.nodes.map((n, i) => n.type === "storage" ? `n${i}` : "").filter(Boolean);
+  const sinks = flow.nodes.map((n, i) => n.type === "sink" ? `n${i}` : "").filter(Boolean);
+  if (sources.length) lines.push(`  class ${sources.join(",")} source`);
+  if (storage.length) lines.push(`  class ${storage.join(",")} storage`);
+  if (sinks.length) lines.push(`  class ${sinks.join(",")} sink`);
+  return lines.join("\n");
+}
+function toTextSummary(flow) {
+  if (flow.nodes.length === 0) return "No PII data flows detected.";
+  const lines = [];
+  lines.push("PII Data Flow Analysis");
+  lines.push("\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n");
+  const byPii = /* @__PURE__ */ new Map();
+  for (const node of flow.nodes) {
+    if (!byPii.has(node.piiType)) byPii.set(node.piiType, []);
+    byPii.get(node.piiType).push(node);
+  }
+  for (const [piiType, piiNodes] of byPii) {
+    lines.push(`\u{1F4CC} ${piiType.toUpperCase()}`);
+    lines.push("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    const sources = piiNodes.filter((n) => n.type === "source");
+    const storage = piiNodes.filter((n) => n.type === "storage");
+    const sinks = piiNodes.filter((n) => n.type === "sink");
+    if (sources.length) {
+      lines.push("  Sources (user input):");
+      for (const s of sources) lines.push(`    \u2192 ${s.detail} at ${s.file}:${s.line}`);
+    }
+    if (storage.length) {
+      lines.push("  Storage:");
+      for (const s of storage) lines.push(`    \u{1F4BE} ${s.detail} at ${s.file}:${s.line}`);
+    }
+    if (sinks.length) {
+      lines.push("  Sinks (data exits):");
+      for (const s of sinks) lines.push(`    \u2B06\uFE0F  ${s.detail} at ${s.file}:${s.line}`);
+    }
+    lines.push("");
+  }
+  lines.push(`Total: ${flow.nodes.length} nodes, ${flow.edges.length} data flows`);
+  return lines.join("\n");
+}
+
+// src/audit/policy-generator.ts
+var CATEGORY_LABELS = {
+  analytics: "Website Analytics",
+  advertising: "Advertising & Conversion Tracking",
+  social: "Social Media Integration",
+  tag_manager: "Tag Management",
+  heatmaps: "Heatmap & Session Recording",
+  ab_testing: "A/B Testing",
+  error_tracking: "Error Monitoring",
+  chat: "Live Chat & Customer Support",
+  video: "Video Embedding",
+  cdn: "Content Delivery",
+  payments: "Payment Processing",
+  consent: "Cookie Consent Management",
+  security: "Security",
+  fonts: "Web Fonts",
+  other: "Third-Party Services"
+};
+var CATEGORY_PURPOSES = {
+  analytics: "to understand how visitors interact with our website, including page views, session duration, and user behavior",
+  advertising: "for advertising, retargeting, and conversion tracking to measure the effectiveness of our marketing campaigns",
+  social: "to enable social media sharing, login, and integration features",
+  tag_manager: "to manage third-party scripts and tags on our website",
+  heatmaps: "to record user interactions such as clicks, scrolls, and mouse movements for improving user experience",
+  ab_testing: "to test different versions of our website and optimize the user experience",
+  error_tracking: "to monitor and diagnose technical errors and improve website reliability",
+  chat: "to provide live chat and customer support functionality",
+  video: "to embed and deliver video content",
+  cdn: "for content delivery and performance optimization",
+  payments: "to process payments securely",
+  consent: "to manage cookie consent preferences",
+  security: "for security monitoring and fraud prevention",
+  fonts: "to deliver custom web fonts",
+  other: "for various operational purposes"
+};
+var PII_LABELS = {
+  email: "Email addresses",
+  ip: "IP addresses",
+  name: "Names",
+  phone: "Phone numbers",
+  address: "Physical addresses",
+  ssn: "Government identification numbers",
+  "credit-card": "Payment card information",
+  "date-of-birth": "Date of birth",
+  password: "Passwords (hashed)",
+  geolocation: "Geolocation data",
+  "device-id": "Device identifiers",
+  cookie: "Cookies and tracking identifiers"
+};
+function mergeVendors(codeVendorIds, networkVendorIds, registry) {
+  const allIds = /* @__PURE__ */ new Set([...codeVendorIds, ...networkVendorIds]);
+  const entries = [];
+  for (const id of allIds) {
+    const vendor = registry.getById(id);
+    if (!vendor) continue;
+    const skipCategories = ["cdn", "consent", "security", "fonts"];
+    if (skipCategories.includes(vendor.category)) continue;
+    const inCode = codeVendorIds.has(id);
+    const inNetwork = networkVendorIds.has(id);
+    entries.push({
+      vendorId: vendor.id,
+      vendorName: vendor.name,
+      company: vendor.company,
+      category: vendor.category,
+      purpose: vendor.purpose,
+      dataCollected: vendor.data_collected,
+      privacyPolicyUrl: vendor.privacy_policy,
+      dpaUrl: vendor.dpa_url,
+      retentionPeriod: vendor.retention_period,
+      gdprCompliant: vendor.gdpr_compliant,
+      source: inCode && inNetwork ? "both" : inCode ? "code" : "network"
+    });
+  }
+  const categoryOrder = {
+    advertising: 0,
+    social: 1,
+    analytics: 2,
+    heatmaps: 3,
+    ab_testing: 4,
+    tag_manager: 5,
+    error_tracking: 6,
+    chat: 7,
+    video: 8,
+    payments: 9,
+    other: 10
+  };
+  entries.sort((a, b) => (categoryOrder[a.category] ?? 10) - (categoryOrder[b.category] ?? 10));
+  return entries;
+}
+function extractPiiTypes(dataFlow) {
+  if (!dataFlow) return [];
+  const types = /* @__PURE__ */ new Set();
+  for (const node of dataFlow.nodes) {
+    if (node.piiType) {
+      types.add(node.piiType);
+    }
+  }
+  return Array.from(types);
+}
+function extractCodeVendorIds(audit) {
+  if (!audit) return /* @__PURE__ */ new Set();
+  const ids = /* @__PURE__ */ new Set();
+  for (const finding of audit.findings) {
+    if (finding.vendorId) {
+      ids.add(finding.vendorId);
+    }
+  }
+  return ids;
+}
+function generateIntroSection(input) {
+  const date = (/* @__PURE__ */ new Date()).toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric"
+  });
+  return {
+    id: "introduction",
+    title: "Introduction & Data Controller",
+    content: [
+      `This privacy policy explains how **${input.companyName}** ("we", "us", "our") collects, uses, and protects your personal data when you use our website${input.siteUrl ? ` (${input.siteUrl})` : ""} and services.`,
+      "",
+      `**Data Controller:** ${input.companyName}`,
+      `**Contact:** ${input.companyEmail}`,
+      input.companyCountry ? `**Jurisdiction:** ${input.companyCountry}` : "",
+      "",
+      `*Last updated: ${date}*`
+    ].filter(Boolean).join("\n")
+  };
+}
+function generateDataCollectionSection(piiTypes) {
+  if (piiTypes.length === 0) {
+    return {
+      id: "data-collection",
+      title: "Data We Collect",
+      content: "We collect standard usage data such as IP addresses, browser type, and pages visited when you use our website."
+    };
+  }
+  const items = piiTypes.map((t) => {
+    const label = PII_LABELS[t] ?? t;
+    return `- ${label}`;
+  });
+  return {
+    id: "data-collection",
+    title: "Data We Collect",
+    content: [
+      "We collect the following categories of personal data:",
+      "",
+      ...items,
+      "",
+      "Additionally, we automatically collect standard usage data such as IP addresses, browser type, device information, and pages visited."
+    ].join("\n")
+  };
+}
+function generateThirdPartiesSection(vendors) {
+  if (vendors.length === 0) {
+    return {
+      id: "third-parties",
+      title: "Third-Party Services",
+      content: "We do not currently use third-party tracking or analytics services on our website."
+    };
+  }
+  const groups = /* @__PURE__ */ new Map();
+  for (const v of vendors) {
+    const existing = groups.get(v.category) ?? [];
+    existing.push(v);
+    groups.set(v.category, existing);
+  }
+  const parts = [
+    "We use the following third-party services:",
+    ""
+  ];
+  for (const [category, categoryVendors] of groups) {
+    const label = CATEGORY_LABELS[category] ?? category;
+    parts.push(`### ${label}`);
+    parts.push("");
+    for (const v of categoryVendors) {
+      let snippet = `**${v.vendorName}**`;
+      if (v.company && v.company !== v.vendorName) {
+        snippet += ` (provided by ${v.company})`;
+      }
+      const purposeText = CATEGORY_PURPOSES[v.category] ?? v.purpose;
+      snippet += ` \u2014 We use this service ${purposeText}.`;
+      if (v.dataCollected.length > 0) {
+        snippet += ` This service may collect: ${v.dataCollected.join(", ")}.`;
+      }
+      if (v.retentionPeriod) {
+        snippet += ` Data retention: ${v.retentionPeriod}.`;
+      }
+      if (v.privacyPolicyUrl) {
+        snippet += ` [Privacy Policy](${v.privacyPolicyUrl})`;
+      }
+      parts.push(snippet);
+      parts.push("");
+    }
+  }
+  return {
+    id: "third-parties",
+    title: "Third-Party Services",
+    content: parts.join("\n")
+  };
+}
+function generateCookiesSection(vendors) {
+  const cookieVendors = vendors.filter(
+    (v) => ["analytics", "advertising", "social", "heatmaps", "ab_testing", "tag_manager"].includes(v.category)
+  );
+  if (cookieVendors.length === 0) {
+    return {
+      id: "cookies",
+      title: "Cookies & Tracking Technologies",
+      content: [
+        "We use essential cookies required for the basic functioning of our website. These cookies do not require consent under GDPR as they are strictly necessary.",
+        "",
+        "We do not use analytics or advertising cookies."
+      ].join("\n")
+    };
+  }
+  const rows = cookieVendors.map((v) => {
+    const cat = CATEGORY_LABELS[v.category] ?? v.category;
+    const data = v.dataCollected.length > 0 ? v.dataCollected.slice(0, 3).join(", ") : "Usage data";
+    const retention = v.retentionPeriod ?? "See provider policy";
+    return `| ${v.vendorName} | ${cat} | ${data} | ${retention} |`;
+  });
+  return {
+    id: "cookies",
+    title: "Cookies & Tracking Technologies",
+    content: [
+      "We use cookies and similar tracking technologies on our website. Below is a summary of the cookies set by third-party services:",
+      "",
+      "| Provider | Category | Data Collected | Retention |",
+      "|----------|----------|----------------|-----------|",
+      ...rows,
+      "",
+      "**Essential cookies** required for basic website functionality do not require consent. All other cookies require your explicit consent before being set.",
+      "",
+      "You can manage your cookie preferences at any time through your browser settings or our cookie consent banner."
+    ].join("\n")
+  };
+}
+function generateDataTransferSection(vendors) {
+  const nonCompliant = vendors.filter((v) => !v.gdprCompliant);
+  if (nonCompliant.length === 0) {
+    return {
+      id: "data-transfers",
+      title: "International Data Transfers",
+      content: "All third-party services we use are GDPR-compliant and process data within the EU/EEA or under appropriate safeguards (such as Standard Contractual Clauses)."
+    };
+  }
+  const lines = nonCompliant.map((v) => {
+    let line = `- **${v.vendorName}** (${v.company})`;
+    if (v.dpaUrl) {
+      line += ` \u2014 [Data Processing Agreement](${v.dpaUrl})`;
+    }
+    return line;
+  });
+  return {
+    id: "data-transfers",
+    title: "International Data Transfers",
+    content: [
+      "Some of our third-party service providers may process data outside the EU/EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions.",
+      "",
+      "The following services may transfer data internationally:",
+      "",
+      ...lines
+    ].join("\n")
+  };
+}
+function generateRetentionSection(vendors) {
+  const withRetention = vendors.filter((v) => v.retentionPeriod);
+  return {
+    id: "data-retention",
+    title: "Data Retention",
+    content: [
+      "We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.",
+      "",
+      ...withRetention.length > 0 ? [
+        "Retention periods for third-party services:",
+        "",
+        ...withRetention.map((v) => `- **${v.vendorName}**: ${v.retentionPeriod}`),
+        ""
+      ] : [],
+      "When data is no longer needed, it is securely deleted or anonymized."
+    ].join("\n")
+  };
+}
+function generateRightsSection() {
+  return {
+    id: "your-rights",
+    title: "Your Rights Under GDPR",
+    content: [
+      "Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:",
+      "",
+      "- **Right of Access** (Art. 15) \u2014 You can request a copy of the personal data we hold about you.",
+      "- **Right to Rectification** (Art. 16) \u2014 You can request correction of inaccurate or incomplete data.",
+      '- **Right to Erasure** (Art. 17) \u2014 You can request deletion of your personal data ("right to be forgotten").',
+      "- **Right to Restrict Processing** (Art. 18) \u2014 You can request that we limit how we use your data.",
+      "- **Right to Data Portability** (Art. 20) \u2014 You can request your data in a structured, machine-readable format.",
+      "- **Right to Object** (Art. 21) \u2014 You can object to processing based on legitimate interests or direct marketing.",
+      "- **Right to Withdraw Consent** (Art. 7(3)) \u2014 You can withdraw consent at any time without affecting prior processing.",
+      "",
+      "To exercise any of these rights, please contact us using the information provided above."
+    ].join("\n")
+  };
+}
+function generateContactSection(input) {
+  return {
+    id: "contact",
+    title: "Contact & Data Protection Officer",
+    content: [
+      `For any privacy-related questions or to exercise your rights, please contact:`,
+      "",
+      `**${input.companyName}**`,
+      `Email: ${input.companyEmail}`,
+      "",
+      "If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement."
+    ].join("\n")
+  };
+}
+function generatePolicy(opts) {
+  const registry = VendorRegistry.load();
+  const codeVendorIds = extractCodeVendorIds(opts.audit);
+  const networkIds = opts.networkVendorIds ?? /* @__PURE__ */ new Set();
+  const piiTypes = extractPiiTypes(opts.dataFlow);
+  const vendors = mergeVendors(codeVendorIds, networkIds, registry);
+  const sources = [];
+  if (opts.audit) sources.push("code-audit");
+  if (opts.networkVendorIds) sources.push("network-scan");
+  if (opts.dataFlow) sources.push("data-flow-analysis");
+  const sections = [
+    generateIntroSection(opts.input),
+    generateDataCollectionSection(piiTypes),
+    generateThirdPartiesSection(vendors),
+    generateCookiesSection(vendors),
+    generateDataTransferSection(vendors),
+    generateRetentionSection(vendors),
+    generateRightsSection(),
+    generateContactSection(opts.input)
+  ];
+  const fullText = assemblePolicy(opts.input, sections);
+  return {
+    sections,
+    vendors,
+    piiTypes,
+    fullText,
+    meta: {
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      etalonVersion: "1.0.0",
+      sources
+    }
+  };
+}
+function assemblePolicy(input, sections) {
+  const lines = [
+    `# Privacy Policy \u2014 ${input.companyName}`,
+    ""
+  ];
+  for (let i = 0; i < sections.length; i++) {
+    const section = sections[i];
+    lines.push(`## ${i + 1}. ${section.title}`);
+    lines.push("");
+    lines.push(section.content);
+    lines.push("");
+    lines.push("---");
+    lines.push("");
+  }
+  lines.push("");
+  lines.push("> **Disclaimer:** This privacy policy was auto-generated by [ETALON](https://etalon.dev) based on an automated scan of the website and codebase. It should be reviewed by a qualified legal professional before publication. ETALON does not provide legal advice.");
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/audit/index.ts
+import { readdirSync } from "fs";
+function findPatternsFile() {
+  const currentDir = dirname2(fileURLToPath2(import.meta.url));
+  let dir = currentDir;
+  for (let i = 0; i < 6; i++) {
+    const candidate = join5(dir, "data", "tracker-patterns.json");
+    if (existsSync5(candidate)) return candidate;
+    dir = dirname2(dir);
+  }
+  return null;
+}
+async function auditProject(directory, options = {}) {
+  const startTime = Date.now();
+  const stack = detectStack(directory);
+  let patterns;
+  const patternsPath = findPatternsFile();
+  if (patternsPath) {
+    patterns = JSON.parse(readFileSync10(patternsPath, "utf-8"));
+  } else {
+    patterns = { npm: {}, pypi: {}, cargo: {}, envVars: {}, htmlPatterns: [], importPatterns: [] };
+  }
+  const allFiles = collectFiles(directory);
+  const codeFindings = scanCode(allFiles, directory, stack, patterns);
+  const schemaFindings = scanSchemas(allFiles, directory, stack);
+  const configFindings = scanConfigs(allFiles, directory, stack);
+  const serverFindings = scanServerTracking(allFiles, directory, stack);
+  const cnameFindings = scanCnameCloaking(allFiles, directory, stack);
+  const { loadCustomRules: loadCustomRules2, scanWithCustomRules: scanWithCustomRules2 } = await import("./plugin-loader-TQ2IIQED.js");
+  const customRules = loadCustomRules2(directory);
+  const customFindings = scanWithCustomRules2(allFiles, directory, customRules);
+  let findings = [...codeFindings, ...schemaFindings, ...configFindings, ...serverFindings, ...cnameFindings, ...customFindings];
+  if (options.severity) {
+    const minLevel = severityLevel(options.severity);
+    findings = findings.filter((f) => severityLevel(f.severity) >= minLevel);
+  }
+  findings.sort((a, b) => severityLevel(b.severity) - severityLevel(a.severity));
+  if (options.includeBlame) {
+    findings = enrichFindings(findings, directory);
+  }
+  findings = enrichWithGdpr(findings);
+  const summary = summarizeFindings(findings);
+  const recommendations = generateRecommendations(findings, stack);
+  const durationMs = Date.now() - startTime;
+  const report = {
+    meta: {
+      etalonVersion: "1.0.0",
+      auditDate: (/* @__PURE__ */ new Date()).toISOString(),
+      auditDurationMs: durationMs,
+      directory,
+      stack
+    },
+    summary,
+    findings,
+    recommendations
+  };
+  report.score = calculateScore(report);
+  return report;
+}
+var IGNORE_DIRS2 = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".next",
+  ".nuxt",
+  "__pycache__",
+  ".git",
+  "dist",
+  "build",
+  "target",
+  ".venv",
+  "venv",
+  "env",
+  ".tox",
+  ".mypy_cache",
+  "vendor",
+  ".cargo",
+  "coverage",
+  ".turbo",
+  ".svelte-kit",
+  ".vercel",
+  ".output"
+]);
+function collectFiles(dir, maxDepth = 8) {
+  const files = [];
+  function walk(currentDir, depth) {
+    if (depth > maxDepth) return;
+    let entries;
+    try {
+      entries = readdirSync(currentDir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.name.startsWith(".") && entry.name !== ".env" && !entry.name.startsWith(".env.")) continue;
+      const fullPath = join5(currentDir, entry.name);
+      if (entry.isDirectory()) {
+        if (!IGNORE_DIRS2.has(entry.name)) {
+          walk(fullPath, depth + 1);
+        }
+      } else if (entry.isFile()) {
+        files.push(fullPath);
+      }
+    }
+  }
+  walk(dir, 0);
+  return files;
+}
+function severityLevel(severity) {
+  switch (severity) {
+    case "critical":
+      return 5;
+    case "high":
+      return 4;
+    case "medium":
+      return 3;
+    case "low":
+      return 2;
+    case "info":
+      return 1;
+    default:
+      return 0;
+  }
+}
+function summarizeFindings(findings) {
+  return {
+    totalFindings: findings.length,
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length,
+    info: findings.filter((f) => f.severity === "info").length,
+    trackerSdksFound: new Set(findings.filter((f) => f.category === "code" && f.vendorId).map((f) => f.vendorId)).size,
+    piiColumnsFound: findings.filter((f) => f.rule === "pii-column").length,
+    configIssues: findings.filter((f) => f.category === "config").length
+  };
+}
+function generateRecommendations(findings, _stack) {
+  const recs = [];
+  const trackerCount = new Set(findings.filter((f) => f.category === "code" && f.vendorId).map((f) => f.vendorId)).size;
+  if (trackerCount > 0) {
+    recs.push(`Found ${trackerCount} third-party tracker SDK(s) in your codebase. Ensure each is documented in your privacy policy and loaded only after user consent.`);
+  }
+  const piiCount = findings.filter((f) => f.rule === "pii-column").length;
+  if (piiCount > 0) {
+    recs.push(`Found ${piiCount} PII column(s) in your database schemas. Review each for encryption, anonymization, and retention policies.`);
+  }
+  const criticalCount = findings.filter((f) => f.severity === "critical").length;
+  if (criticalCount > 0) {
+    recs.push(`${criticalCount} critical finding(s) need immediate attention \u2014 these represent serious privacy or security risks.`);
+  }
+  const cookieIssues = findings.filter((f) => f.rule.startsWith("cookie-"));
+  if (cookieIssues.length > 0) {
+    recs.push(`${cookieIssues.length} cookie configuration issue(s) found. Set Secure, HttpOnly, and SameSite flags on all cookies.`);
+  }
+  const noRetention = findings.filter((f) => f.rule === "no-retention-policy");
+  if (noRetention.length > 0) {
+    recs.push(`${noRetention.length} database table(s) with PII lack retention policies. Add deleted_at/expires_at columns and implement cleanup jobs.`);
+  }
+  if (findings.some((f) => f.rule === "missing-csp")) {
+    recs.push("Add a Content-Security-Policy header to prevent unauthorized tracker injection via XSS.");
+  }
+  if (recs.length === 0) {
+    recs.push("No significant GDPR compliance issues found. Keep it up! \u{1F389}");
+  }
+  return recs;
+}
+export {
+  GDPR_RULE_MAP,
+  VendorRegistry,
+  analyzeDataFlow,
+  applyPatches,
+  auditProject,
+  badgeMarkdown,
+  badgeUrl,
+  calculateScore,
+  detectStack,
+  diffReports,
+  enrichFindings,
+  enrichWithGdpr,
+  extractDomain,
+  fixableRules,
+  formatAuditSarif,
+  generateBadgeSvg,
+  generatePatches,
+  generatePolicy,
+  getBlameForLine,
+  getParentDomains,
+  gradeColor,
+  groupByAuthor,
+  isFirstParty,
+  isGitRepo,
+  loadCustomRules,
+  normalizeUrl,
+  scanCnameCloaking,
+  scanCode,
+  scanConfigs,
+  scanSchemas,
+  scanServerTracking,
+  scanWithCustomRules,
+  shouldBlock,
+  toMermaid,
+  toTextSummary
+};