npm - @fourteensystems/prodcheck - Versions diffs - 0.3.0 - Mend

@fourteensystems/prodcheck 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/README.md +252 -0
package/bin/prodcheck.mjs +2 -0
package/dist/cli/commands/baseline.d.ts +7 -0
package/dist/cli/commands/baseline.d.ts.map +1 -0
package/dist/cli/commands/baseline.js +22 -0
package/dist/cli/commands/baseline.js.map +1 -0
package/dist/cli/commands/ci.d.ts +14 -0
package/dist/cli/commands/ci.d.ts.map +1 -0
package/dist/cli/commands/ci.js +104 -0
package/dist/cli/commands/ci.js.map +1 -0
package/dist/cli/commands/explain.d.ts +2 -0
package/dist/cli/commands/explain.d.ts.map +1 -0
package/dist/cli/commands/explain.js +20 -0
package/dist/cli/commands/explain.js.map +1 -0
package/dist/cli/commands/init.d.ts +7 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +127 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/rules.d.ts +2 -0
package/dist/cli/commands/rules.d.ts.map +1 -0
package/dist/cli/commands/rules.js +13 -0
package/dist/cli/commands/rules.js.map +1 -0
package/dist/cli/commands/scan.d.ts +10 -0
package/dist/cli/commands/scan.d.ts.map +1 -0
package/dist/cli/commands/scan.js +65 -0
package/dist/cli/commands/scan.js.map +1 -0
package/dist/cli/commands/waive.d.ts +8 -0
package/dist/cli/commands/waive.d.ts.map +1 -0
package/dist/cli/commands/waive.js +34 -0
package/dist/cli/commands/waive.js.map +1 -0
package/dist/cli/index.d.ts +2 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +64 -0
package/dist/cli/index.js.map +1 -0
package/dist/engine/baseline.d.ts +11 -0
package/dist/engine/baseline.d.ts.map +1 -0
package/dist/engine/baseline.js +39 -0
package/dist/engine/baseline.js.map +1 -0
package/dist/engine/baseline.test.d.ts +2 -0
package/dist/engine/baseline.test.d.ts.map +1 -0
package/dist/engine/baseline.test.js +135 -0
package/dist/engine/baseline.test.js.map +1 -0
package/dist/engine/config.d.ts +8 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +134 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/config.test.d.ts +2 -0
package/dist/engine/config.test.d.ts.map +1 -0
package/dist/engine/config.test.js +107 -0
package/dist/engine/config.test.js.map +1 -0
package/dist/engine/extensions/load.d.ts +11 -0
package/dist/engine/extensions/load.d.ts.map +1 -0
package/dist/engine/extensions/load.js +26 -0
package/dist/engine/extensions/load.js.map +1 -0
package/dist/engine/extensions/registry.d.ts +5 -0
package/dist/engine/extensions/registry.d.ts.map +1 -0
package/dist/engine/extensions/registry.js +11 -0
package/dist/engine/extensions/registry.js.map +1 -0
package/dist/engine/extensions/types.d.ts +51 -0
package/dist/engine/extensions/types.d.ts.map +1 -0
package/dist/engine/extensions/types.js +2 -0
package/dist/engine/extensions/types.js.map +1 -0
package/dist/engine/license.d.ts +40 -0
package/dist/engine/license.d.ts.map +1 -0
package/dist/engine/license.js +104 -0
package/dist/engine/license.js.map +1 -0
package/dist/engine/report.d.ts +5 -0
package/dist/engine/report.d.ts.map +1 -0
package/dist/engine/report.js +115 -0
package/dist/engine/report.js.map +1 -0
package/dist/engine/run.d.ts +11 -0
package/dist/engine/run.d.ts.map +1 -0
package/dist/engine/run.js +105 -0
package/dist/engine/run.js.map +1 -0
package/dist/engine/sarif.d.ts +3 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +58 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sarif.test.d.ts +2 -0
package/dist/engine/sarif.test.d.ts.map +1 -0
package/dist/engine/sarif.test.js +152 -0
package/dist/engine/sarif.test.js.map +1 -0
package/dist/engine/score.d.ts +13 -0
package/dist/engine/score.d.ts.map +1 -0
package/dist/engine/score.js +116 -0
package/dist/engine/score.js.map +1 -0
package/dist/engine/score.test.d.ts +2 -0
package/dist/engine/score.test.d.ts.map +1 -0
package/dist/engine/score.test.js +227 -0
package/dist/engine/score.test.js.map +1 -0
package/dist/engine/types.d.ts +123 -0
package/dist/engine/types.d.ts.map +1 -0
package/dist/engine/types.js +2 -0
package/dist/engine/types.js.map +1 -0
package/dist/engine/version.d.ts +5 -0
package/dist/engine/version.d.ts.map +1 -0
package/dist/engine/version.js +15 -0
package/dist/engine/version.js.map +1 -0
package/dist/engine/waivers.d.ts +9 -0
package/dist/engine/waivers.d.ts.map +1 -0
package/dist/engine/waivers.js +55 -0
package/dist/engine/waivers.js.map +1 -0
package/dist/engine/waivers.test.d.ts +2 -0
package/dist/engine/waivers.test.d.ts.map +1 -0
package/dist/engine/waivers.test.js +147 -0
package/dist/engine/waivers.test.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +12 -0
package/dist/index.js.map +1 -0
package/dist/next/deps.d.ts +4 -0
package/dist/next/deps.d.ts.map +1 -0
package/dist/next/deps.js +118 -0
package/dist/next/deps.js.map +1 -0
package/dist/next/deps.test.d.ts +2 -0
package/dist/next/deps.test.d.ts.map +1 -0
package/dist/next/deps.test.js +249 -0
package/dist/next/deps.test.js.map +1 -0
package/dist/next/detect.d.ts +10 -0
package/dist/next/detect.d.ts.map +1 -0
package/dist/next/detect.js +57 -0
package/dist/next/detect.js.map +1 -0
package/dist/next/detect.test.d.ts +2 -0
package/dist/next/detect.test.d.ts.map +1 -0
package/dist/next/detect.test.js +74 -0
package/dist/next/detect.test.js.map +1 -0
package/dist/next/index.d.ts +5 -0
package/dist/next/index.d.ts.map +1 -0
package/dist/next/index.js +59 -0
package/dist/next/index.js.map +1 -0
package/dist/next/middleware.d.ts +3 -0
package/dist/next/middleware.d.ts.map +1 -0
package/dist/next/middleware.js +48 -0
package/dist/next/middleware.js.map +1 -0
package/dist/next/middleware.test.d.ts +2 -0
package/dist/next/middleware.test.d.ts.map +1 -0
package/dist/next/middleware.test.js +203 -0
package/dist/next/middleware.test.js.map +1 -0
package/dist/next/routes.d.ts +10 -0
package/dist/next/routes.d.ts.map +1 -0
package/dist/next/routes.js +172 -0
package/dist/next/routes.js.map +1 -0
package/dist/next/routes.test.d.ts +2 -0
package/dist/next/routes.test.d.ts.map +1 -0
package/dist/next/routes.test.js +175 -0
package/dist/next/routes.test.js.map +1 -0
package/dist/next/server-actions.d.ts +4 -0
package/dist/next/server-actions.d.ts.map +1 -0
package/dist/next/server-actions.js +107 -0
package/dist/next/server-actions.js.map +1 -0
package/dist/next/server-actions.test.d.ts +2 -0
package/dist/next/server-actions.test.d.ts.map +1 -0
package/dist/next/server-actions.test.js +138 -0
package/dist/next/server-actions.test.js.map +1 -0
package/dist/next/trpc.d.ts +3 -0
package/dist/next/trpc.d.ts.map +1 -0
package/dist/next/trpc.js +312 -0
package/dist/next/trpc.js.map +1 -0
package/dist/next/types.d.ts +144 -0
package/dist/next/types.d.ts.map +1 -0
package/dist/next/types.js +2 -0
package/dist/next/types.js.map +1 -0
package/dist/next/wrappers.d.ts +10 -0
package/dist/next/wrappers.d.ts.map +1 -0
package/dist/next/wrappers.js +536 -0
package/dist/next/wrappers.js.map +1 -0
package/dist/next/wrappers.test.d.ts +2 -0
package/dist/next/wrappers.test.d.ts.map +1 -0
package/dist/next/wrappers.test.js +361 -0
package/dist/next/wrappers.test.js.map +1 -0
package/dist/rules/auth-boundary-missing.d.ts +5 -0
package/dist/rules/auth-boundary-missing.d.ts.map +1 -0
package/dist/rules/auth-boundary-missing.js +463 -0
package/dist/rules/auth-boundary-missing.js.map +1 -0
package/dist/rules/auth-boundary-missing.test.d.ts +2 -0
package/dist/rules/auth-boundary-missing.test.d.ts.map +1 -0
package/dist/rules/auth-boundary-missing.test.js +492 -0
package/dist/rules/auth-boundary-missing.test.js.map +1 -0
package/dist/rules/index.d.ts +12 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +95 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/input-validation-missing.d.ts +5 -0
package/dist/rules/input-validation-missing.d.ts.map +1 -0
package/dist/rules/input-validation-missing.js +272 -0
package/dist/rules/input-validation-missing.js.map +1 -0
package/dist/rules/input-validation-missing.test.d.ts +2 -0
package/dist/rules/input-validation-missing.test.d.ts.map +1 -0
package/dist/rules/input-validation-missing.test.js +449 -0
package/dist/rules/input-validation-missing.test.js.map +1 -0
package/dist/rules/rate-limit-missing.d.ts +5 -0
package/dist/rules/rate-limit-missing.d.ts.map +1 -0
package/dist/rules/rate-limit-missing.js +316 -0
package/dist/rules/rate-limit-missing.js.map +1 -0
package/dist/rules/rate-limit-missing.test.d.ts +2 -0
package/dist/rules/rate-limit-missing.test.d.ts.map +1 -0
package/dist/rules/rate-limit-missing.test.js +381 -0
package/dist/rules/rate-limit-missing.test.js.map +1 -0
package/dist/rules/tenancy-scope-missing.d.ts +5 -0
package/dist/rules/tenancy-scope-missing.d.ts.map +1 -0
package/dist/rules/tenancy-scope-missing.js +149 -0
package/dist/rules/tenancy-scope-missing.js.map +1 -0
package/dist/rules/wrapper-unrecognized.d.ts +5 -0
package/dist/rules/wrapper-unrecognized.d.ts.map +1 -0
package/dist/rules/wrapper-unrecognized.js +81 -0
package/dist/rules/wrapper-unrecognized.js.map +1 -0
package/dist/util/hof.d.ts +22 -0
package/dist/util/hof.d.ts.map +1 -0
package/dist/util/hof.js +99 -0
package/dist/util/hof.js.map +1 -0
package/dist/util/hof.test.d.ts +2 -0
package/dist/util/hof.test.d.ts.map +1 -0
package/dist/util/hof.test.js +79 -0
package/dist/util/hof.test.js.map +1 -0
package/dist/util/monorepo.d.ts +6 -0
package/dist/util/monorepo.d.ts.map +1 -0
package/dist/util/monorepo.js +29 -0
package/dist/util/monorepo.js.map +1 -0
package/dist/util/outbound-fetch.d.ts +14 -0
package/dist/util/outbound-fetch.d.ts.map +1 -0
package/dist/util/outbound-fetch.js +59 -0
package/dist/util/outbound-fetch.js.map +1 -0
package/dist/util/outbound-fetch.test.d.ts +2 -0
package/dist/util/outbound-fetch.test.d.ts.map +1 -0
package/dist/util/outbound-fetch.test.js +83 -0
package/dist/util/outbound-fetch.test.js.map +1 -0
package/dist/util/paths.d.ts +6 -0
package/dist/util/paths.d.ts.map +1 -0
package/dist/util/paths.js +18 -0
package/dist/util/paths.js.map +1 -0
package/dist/util/resolve.d.ts +30 -0
package/dist/util/resolve.d.ts.map +1 -0
package/dist/util/resolve.js +306 -0
package/dist/util/resolve.js.map +1 -0
package/dist/util/resolve.test.d.ts +2 -0
package/dist/util/resolve.test.d.ts.map +1 -0
package/dist/util/resolve.test.js +186 -0
package/dist/util/resolve.test.js.map +1 -0
package/package.json +56 -0

package/README.md ADDED Viewed

@@ -0,0 +1,252 @@
+# Prodcheck
+Static analysis guardrail for Next.js SaaS — flags unprotected routes, missing rate limiting, and SSRF surfaces.
+Prodcheck statically analyzes your Next.js App Router codebase and flags mutation endpoints missing auth boundaries, rate limiting, or tenant scoping. It understands your stack — Auth.js, Clerk, Supabase, tRPC, Prisma — resolves your wrapper implementations, and stays quiet when protections are in place.
+Zero config for most projects. Prodcheck auto-detects your auth library, rate limiter, ORM, middleware, tsconfig path aliases, and HOF wrappers. No manual hints needed unless you're doing something exotic.
+## Quick Start
+```bash
+npx @fourteensystems/prodcheck init
+```
+Detects your framework and dependencies, generates a config, and runs your first scan.
+```
+  Prodcheck 0.3.0
+  Detected: next-app-router · next-auth · prisma · upstash-ratelimit · middleware.ts
+  Score: 85 PASS
+```
+## Usage
+```bash
+# Scan and print report
+prodcheck
+# Only run specific rules
+prodcheck scan --only AUTH-BOUNDARY-MISSING,RATE-LIMIT-MISSING
+# Exclude paths
+prodcheck scan --exclude "app/api/internal/**"
+# JSON or SARIF output
+prodcheck scan --format json
+prodcheck scan --format sarif --output report.sarif
+# CI mode (fail on critical findings)
+prodcheck ci --fail-on critical --min-confidence high
+# Save baseline for regression detection
+prodcheck baseline --write
+# Waive a finding
+prodcheck waive RATE-LIMIT-MISSING --file app/api/foo/route.ts --reason "Handled by Cloudflare WAF"
+# List rules
+prodcheck rules
+# Explain a rule
+prodcheck explain AUTH-BOUNDARY-MISSING
+```
+## What It Detects
+### Rules
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| AUTH-BOUNDARY-MISSING | critical | Mutation endpoints without auth checks |
+| RATE-LIMIT-MISSING | critical | Public API routes without rate limiting |
+| TENANCY-SCOPE-MISSING | critical | Prisma queries without tenant scoping |
+| INPUT-VALIDATION-MISSING | med | Mutation endpoints accepting input without schema validation |
+| WRAPPER-UNRECOGNIZED | high | HOF wrappers that couldn't be verified for auth/rate-limit enforcement |
+| PUBLIC-INTENT-MISSING-REASON | med | `prodcheck:public-intent` directives missing a required reason |
+### Auth-Aware Rate Limiting
+Prodcheck suppresses RATE-LIMIT-MISSING findings on routes with **strongly enforced auth** — where the auth call is proven to throw/return on failure (e.g., `if (!session) throw new Error(401)`). Routes with weak or optional auth (call present but no enforcement) are still flagged.
+This means authenticated routes behind `withWorkspace()`, `protectedProcedure`, or `requireAuth()` with verified enforcement won't produce rate-limit noise. Public routes and weakly-authed routes still get full RL findings.
+### `prodcheck:public-intent` Annotation
+For routes that are **intentionally public** (no auth by design), add a directive:
+```ts
+// prodcheck:public-intent reason="Public URL health checker"
+export async function GET(request: Request) { ... }
+```
+This tells Prodcheck:
+- **AUTH-BOUNDARY-MISSING** is suppressed (auth absence is intentional)
+- **RATE-LIMIT-MISSING** severity is floored at HIGH (public by design = rate limiting mandatory)
+- If the route performs outbound fetch with user-influenced URLs, severity escalates to CRITICAL with `ssrf-surface` tag
+- **INPUT-VALIDATION-MISSING** severity is bumped (public + unvalidated = higher exposure)
+Missing or empty `reason` produces a `PUBLIC-INTENT-MISSING-REASON` finding and the directive is ignored.
+### Wrapper Introspection
+The dominant pattern in real-world Next.js codebases is HOF wrappers:
+```ts
+export const POST = withWorkspace(async (req) => {
+  await prisma.user.create({ data: { name: "test" } });
+  return Response.json({});
+});
+```
+Prodcheck doesn't just detect the wrapper name — it **follows the import, reads the implementation, and verifies enforcement**:
+1. **Resolve**: follows `import { withWorkspace } from "@/lib/auth"` through tsconfig path aliases (`@/lib/*` → `lib/*`), barrel re-exports (`index.ts` → `export * from "./workspace"`), up to 5 hops with cycle detection
+2. **Analyze**: parses the wrapper body with TypeScript AST to find auth/rate-limit calls
+3. **Verify enforcement**: checks that the call result is used in a conditional (`if (!session) throw`) — calling `getSession()` without checking the result is NOT an auth boundary
+4. **Built-in patterns**: recognizes webhook signature verification (`stripe.webhooks.constructEvent`, `verifyVercelSignature`, `verifyQstashSignature`, HMAC + `timingSafeEqual`) as auth enforcement
+5. **Apply**: routes using a verified wrapper are automatically cleared, no hints needed
+When a wrapper can't be resolved (npm package) or enforcement can't be proven, Prodcheck emits a single grouped `WRAPPER-UNRECOGNIZED` finding instead of N identical per-route alerts.
+### Stack Support
+Prodcheck auto-detects your stack and adjusts detection accordingly:
+| Stack | What Prodcheck understands |
+|-------|---------------------------|
+| **Auth.js / NextAuth** | `auth()`, `getServerSession()`, `withAuth()`, middleware auth |
+| **Clerk** | `auth()`, `currentUser()`, `clerkMiddleware()` |
+| **Supabase** | `.auth.getUser()`, `.auth.getSession()` (call-based, not import-based) |
+| **Kinde** | `getKindeServerSession()` |
+| **WorkOS / AuthKit** | `withAuth()`, `getUser()`, `authkitMiddleware()` |
+| **Better Auth** | `auth()` |
+| **Lucia** | `validateRequest()`, `validateSession()` |
+| **Auth0** | `getSession()`, `withApiAuthRequired()` |
+| **iron-session** | `getIronSession()` |
+| **Firebase Auth** | `verifyIdToken()`, `getTokens()`, `verifySessionCookie()` |
+| **tRPC** | `protectedProcedure` vs `publicProcedure`, `.mutation()` surfaces |
+| **Prisma** | `.create()`, `.update()`, `.delete()` as mutation evidence, tenant scoping |
+| **Drizzle** | Detected but gracefully degraded (tenancy rule skips) |
+| **Upstash** | `Ratelimit`, `ratelimit.limit()` as rate-limit evidence |
+| **Arcjet** | `fixedWindow()`, `slidingWindow()`, `tokenBucket()` |
+| **Unkey** | `withUnkey()`, `verifyKey()` |
+| **Zod / Valibot / Yup** | Schema validation in mutation handlers (INPUT-VALIDATION-MISSING) |
+| **Webhook signatures** | Stripe, WorkOS, Vercel cron, QStash signature verification as auth |
+### What It Skips
+- Webhook routes (any path containing `webhook`) — exempt from rate-limit
+- Cron routes (`/api/cron/*`) — exempt from rate-limit
+- Framework-managed routes (NextAuth catch-all, OAuth/SAML endpoints, callbacks, OG images) — exempt from rate-limit
+- OAuth/OIDC/SSO/SCIM callback paths — exempt from auth (public by protocol design)
+- `GET`-only route handlers — not mutation surfaces
+- Routes covered by `middleware.ts` auth — no double-flagging
+- Routes wrapped by verified HOF wrappers (`withWorkspace(handler)` where auth+RL enforcement is proven)
+- DB-backed token lookups with deny on failure (password reset tokens, API keys)
+- Inline auth guards (`getCurrentUser()` + null check + throw/return)
+- **Strongly authenticated routes** — RL findings suppressed when auth is enforced (proven throw/return on failure)
+- Login/signin endpoints get critical severity for missing rate limiting (brute-force risk)
+- Public file upload endpoints get critical severity for missing rate limiting (storage abuse risk)
+### Rate Limit Detection
+Prodcheck recognizes rate limiting through multiple patterns:
+- **Package imports**: `@upstash/ratelimit`, `rate-limiter-flexible`, `@arcjet/next`, `@unkey/ratelimit`
+- **Method calls**: `ratelimit.limit()`, `rl.limit()`, `limiter.limit()`, `rateLimiter.limit()`
+- **General function pattern**: any function with `rateLimit`, `ratelimit`, or `rate_limit` in the name — catches `ratelimitOrThrow()`, `checkRateLimit()`, `rateLimitMiddleware()`, etc.
+- **Wrapper introspection**: follows imports and verifies RL calls in wrapper bodies
+See [PATTERNS.md](../../PATTERNS.md) for full detection logic.
+## Scoring
+Prodcheck computes a 0-100 security score. Each finding deducts points based on severity **and** confidence:
+| | high confidence | med confidence | low confidence |
+|---|---|---|---|
+| **critical** | -15 | -3.75 | -1.5 |
+| **high** | -6 | -1.5 | -0.6 |
+| **med** | -3 | -0.75 | -0.3 |
+| **low** | -1 | -0.25 | -0.1 |
+A single rule can deduct at most 35 points (preventing one noisy rule from tanking the score).
+| Score | Status | Meaning |
+|-------|--------|---------|
+| 80-100 | PASS | Healthy — no critical gaps |
+| 50-79 | WARN | Issues to address |
+| 0-49 | FAIL | Critical gaps in protection |
+## Confidence Levels
+Every finding has a confidence level:
+- **high** — strong evidence (e.g., `publicProcedure.mutation()` with `prisma.create`)
+- **med** — likely but uncertain (e.g., unrecognized procedure type)
+- **low** — possible issue, may be false positive
+Use `--min-confidence` in CI to control noise:
+```bash
+prodcheck ci --min-confidence high
+```
+## Monorepos
+Prodcheck must be run from the Next.js app directory (the one with `package.json` and `app/`). In a monorepo like Turborepo or pnpm workspaces:
+```bash
+cd apps/web && npx @fourteensystems/prodcheck scan
+```
+Prodcheck automatically reads dependencies from both the app's `package.json` and the workspace root, and checks for `middleware.ts` at both levels. tsconfig `extends` chains (e.g., `"extends": "tsconfig/nextjs.json"`) and monorepo path aliases are resolved automatically.
+## Configuration
+Most teams do not need to configure Prodcheck. Run `prodcheck init` and commit the generated config.
+With wrapper introspection, Prodcheck resolves and analyzes your custom wrappers automatically. Hints are only needed for edge cases where the wrapper can't be resolved (e.g., auth handled by an API gateway, rate limiting at the CDN edge).
+For advanced use cases, create `prodcheck.config.json`:
+```json
+{
+  "framework": "next-app-router",
+  "include": ["app/**", "src/**"],
+  "exclude": ["**/*.test.*", "**/*.spec.*"],
+  "ci": {
+    "failOn": "critical",
+    "minConfidence": "high",
+    "minScore": 70,
+    "maxNewCritical": 0
+  },
+  "hints": {
+    "auth": {
+      "functions": ["auth", "getServerSession", "currentUser"],
+      "middlewareFiles": ["middleware.ts"],
+      "allowlistPaths": ["app/api/public/**"]
+    },
+    "rateLimit": {
+      "wrappers": ["rateLimit", "withRateLimit"],
+      "allowlistPaths": ["app/api/webhooks/**"]
+    },
+    "tenancy": {
+      "orgFieldNames": ["orgId", "tenantId", "workspaceId"]
+    }
+  }
+}
+```
+### Hints
+Hints are the "hard allow" escape hatch. Add function names when Prodcheck can't verify protection automatically:
+- **Wrapper introspection handles most cases** — if your wrapper calls `getSession()` and throws on failure, Prodcheck detects this without hints
+- **Unresolvable wrappers** (npm packages, API gateway auth) need hints: add to `hints.auth.functions` or `hints.rateLimit.wrappers`
+- **CDN/edge rate limiting** (Cloudflare, Vercel) is invisible to static analysis — use waivers or allowlist paths
+## License
+MIT

package/bin/prodcheck.mjs ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ #!/usr/bin/env node
2	+ import "../dist/cli/index.js";

package/dist/cli/commands/baseline.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+interface BaselineOptions {
+    write?: boolean;
+    output?: string;
+}
+export declare function cmdBaseline(opts: BaselineOptions): Promise<void>;
+export {};
+//# sourceMappingURL=baseline.d.ts.map

package/dist/cli/commands/baseline.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"baseline.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/baseline.ts"],"names":[],"mappings":"AAIA,UAAU,eAAe;IACvB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBtE"}

package/dist/cli/commands/baseline.js ADDED Viewed

@@ -0,0 +1,22 @@
+import pc from "picocolors";
+import { runScan } from "../../engine/run.js";
+import { writeBaseline } from "../../engine/baseline.js";
+export async function cmdBaseline(opts) {
+    if (!opts.write) {
+        console.log(pc.dim("  Use --write to save a baseline snapshot."));
+        console.log(pc.dim("  Example: prodcheck baseline --write"));
+        return;
+    }
+    try {
+        const rootDir = process.cwd();
+        const result = await runScan({ rootDir });
+        const dest = writeBaseline(rootDir, result, opts.output);
+        console.log(pc.green(`  Baseline written to ${dest}`));
+        console.log(pc.dim(`  Score: ${result.score} | Findings: ${result.findings.length}`));
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=baseline.js.map

package/dist/cli/commands/baseline.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"baseline.js","sourceRoot":"","sources":["../../../src/cli/commands/baseline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAOzD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAEzD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,KAAK,gBAAgB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACxF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/ci.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+interface CiOptions {
+    failOn: string;
+    minConfidence: string;
+    minScore: string;
+    baseline?: string;
+    maxNewCritical: string;
+    maxNewHigh?: string;
+    format: string;
+    output?: string;
+    preview?: boolean;
+}
+export declare function cmdCi(opts: CiOptions): Promise<void>;
+export {};
+//# sourceMappingURL=ci.d.ts.map

package/dist/cli/commands/ci.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ci.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/ci.ts"],"names":[],"mappings":"AAUA,UAAU,SAAS;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,KAAK,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CA+G1D"}

package/dist/cli/commands/ci.js ADDED Viewed

@@ -0,0 +1,104 @@
+import { writeFileSync } from "node:fs";
+import pc from "picocolors";
+import { runScan } from "../../engine/run.js";
+import { formatPretty, formatJson } from "../../engine/report.js";
+import { formatSarif } from "../../engine/sarif.js";
+import { loadBaseline, diffBaseline } from "../../engine/baseline.js";
+import { confidenceLevel, severityLevel, parseConfidence, parseSeverity, parseIntOrThrow } from "../../engine/score.js";
+import { loadConfigIfExists } from "../../engine/config.js";
+import { requireProLicense } from "../../engine/license.js";
+export async function cmdCi(opts) {
+    try {
+        const rootDir = process.cwd();
+        // --preview runs a free, non-blocking scan (no enforcement, no exit code)
+        if (!opts.preview) {
+            const config = loadConfigIfExists(rootDir);
+            requireProLicense(config?.license?.key);
+        }
+        const result = await runScan({ rootDir });
+        const minConf = parseConfidence(opts.minConfidence ?? "high");
+        const failOnSeverity = parseSeverity(opts.failOn ?? "critical");
+        const minScore = parseIntOrThrow(opts.minScore ?? "70", "min-score");
+        const maxNewCritical = parseIntOrThrow(opts.maxNewCritical ?? "0", "max-new-critical");
+        const maxNewHigh = opts.maxNewHigh !== undefined ? parseIntOrThrow(opts.maxNewHigh, "max-new-high") : undefined;
+        // Filter findings by confidence for failure evaluation
+        const gatedFindings = result.findings.filter((f) => confidenceLevel(f.confidence) >= confidenceLevel(minConf));
+        // Check baseline
+        let diff;
+        if (opts.baseline) {
+            const baseline = loadBaseline(opts.baseline);
+            if (baseline) {
+                diff = diffBaseline(baseline, result);
+            }
+        }
+        // Output report
+        let output;
+        switch (opts.format) {
+            case "json":
+                output = formatJson(result);
+                break;
+            case "sarif":
+                output = formatSarif(result);
+                break;
+            default:
+                output = formatPretty(result, diff);
+        }
+        if (opts.output) {
+            writeFileSync(opts.output, output);
+        }
+        console.log(output);
+        // --preview: print summary and exit without enforcement
+        if (opts.preview) {
+            console.log(pc.dim("\n  Preview mode — no enforcement applied."));
+            console.log(pc.dim("  Upgrade to Pro for CI enforcement: https://fourteensystems.com/prodcheck#pricing\n"));
+            return;
+        }
+        // Evaluate gates
+        const failures = [];
+        // Score gate
+        if (result.score < minScore) {
+            failures.push(`Score ${result.score} is below minimum ${minScore}`);
+        }
+        // Severity gate: any findings at or above fail-on severity with sufficient confidence
+        const failingSeverities = gatedFindings.filter((f) => severityLevel(f.severity) >= severityLevel(failOnSeverity));
+        if (failingSeverities.length > 0) {
+            failures.push(`${failingSeverities.length} finding(s) at ${failOnSeverity} or above (${minConf}+ confidence)`);
+        }
+        // New findings gate (baseline)
+        if (diff) {
+            const newCritical = diff.newFindings.filter((f) => f.severity === "critical").length;
+            const newHigh = diff.newFindings.filter((f) => f.severity === "high").length;
+            if (newCritical > maxNewCritical) {
+                failures.push(`${newCritical} new critical finding(s) exceeds max ${maxNewCritical}`);
+            }
+            if (maxNewHigh !== undefined && newHigh > maxNewHigh) {
+                failures.push(`${newHigh} new high finding(s) exceeds max ${maxNewHigh}`);
+            }
+        }
+        if (failures.length > 0) {
+            console.log(pc.red("\n  CI FAILED:"));
+            for (const f of failures) {
+                console.log(pc.red(`    - ${f}`));
+            }
+            // Show specific rule IDs + files that triggered the failure
+            if (failingSeverities.length > 0) {
+                console.log("");
+                console.log(pc.dim("  Failing findings:"));
+                for (const f of failingSeverities) {
+                    const loc = f.line ? `:${f.line}` : "";
+                    console.log(`    ${pc.red(f.ruleId)} ${pc.dim(`(${f.severity})`)} ${pc.dim(f.file + loc)}`);
+                }
+            }
+            console.log("");
+            process.exit(1);
+        }
+        else {
+            console.log(pc.green("\n  CI PASSED\n"));
+        }
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=ci.js.map

package/dist/cli/commands/ci.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ci.js","sourceRoot":"","sources":["../../../src/cli/commands/ci.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxH,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAc5D,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,IAAe;IACzC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAE9B,0EAA0E;QAC1E,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAC3C,iBAAiB,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,aAAa,IAAI,MAAM,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC,CAAC;QAChE,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACvF,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEhH,uDAAuD;QACvD,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CACjE,CAAC;QAEF,iBAAiB;QACjB,IAAI,IAAI,CAAC;QACT,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,MAAc,CAAC;QACnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC5B,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC7B,MAAM;YACR;gBACE,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,wDAAwD;QACxD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAC,CAAC;YAC5G,OAAO;QACT,CAAC;QAED,iBAAiB;QACjB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,aAAa;QACb,IAAI,MAAM,CAAC,KAAK,GAAG,QAAQ,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,SAAS,MAAM,CAAC,KAAK,qBAAqB,QAAQ,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,sFAAsF;QACtF,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,cAAc,CAAC,CAClE,CAAC;QACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,MAAM,kBAAkB,cAAc,cAAc,OAAO,eAAe,CAAC,CAAC;QACjH,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;YACrF,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;YAE7E,IAAI,WAAW,GAAG,cAAc,EAAE,CAAC;gBACjC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,wCAAwC,cAAc,EAAE,CAAC,CAAC;YACxF,CAAC;YACD,IAAI,UAAU,KAAK,SAAS,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,OAAO,oCAAoC,UAAU,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACtC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;YACpC,CAAC;YAED,4DAA4D;YAC5D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAC3C,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;oBAClC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC9F,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/explain.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare function cmdExplain(ruleId: string): Promise<void>;
2	+ //# sourceMappingURL=explain.d.ts.map

package/dist/cli/commands/explain.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/explain.ts"],"names":[],"mappings":"AAGA,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoB9D"}

package/dist/cli/commands/explain.js ADDED Viewed

@@ -0,0 +1,20 @@
+import pc from "picocolors";
+import { RULE_REGISTRY } from "../../rules/index.js";
+export async function cmdExplain(ruleId) {
+    const rule = RULE_REGISTRY.find((r) => r.id === ruleId || r.id === ruleId.toUpperCase());
+    if (!rule) {
+        console.error(pc.red(`  Unknown rule: ${ruleId}`));
+        console.error(pc.dim(`  Run \`prodcheck rules\` to see available rules.`));
+        process.exit(1);
+    }
+    console.log(`\n  ${pc.bold(rule.id)}`);
+    console.log(`  ${rule.name}`);
+    console.log(`  Default severity: ${rule.defaultSeverity}`);
+    console.log("");
+    console.log(`  ${rule.description}`);
+    console.log("");
+    console.log(`  ${pc.dim("How it works:")}`);
+    console.log(`  ${rule.docs}`);
+    console.log("");
+}
+//# sourceMappingURL=explain.js.map

package/dist/cli/commands/explain.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"explain.js","sourceRoot":"","sources":["../../../src/cli/commands/explain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,IAAI,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,WAAW,EAAE,CACxD,CAAC;IAEF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/cli/commands/init.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+interface InitOptions {
+    force?: boolean;
+    dryRun?: boolean;
+}
+export declare function cmdInit(opts: InitOptions): Promise<void>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/cli/commands/init.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AASA,UAAU,WAAW;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAiH9D"}

package/dist/cli/commands/init.js ADDED Viewed

@@ -0,0 +1,127 @@
+import pc from "picocolors";
+import { findConfigFile, writeDefaultConfig } from "../../engine/config.js";
+import { runScan } from "../../engine/run.js";
+import { scoreStatus } from "../../engine/score.js";
+import { readDeps } from "../../next/deps.js";
+import { detectNextAppRouter } from "../../next/detect.js";
+import { existsSync } from "node:fs";
+import path from "node:path";
+export async function cmdInit(opts) {
+    const rootDir = process.cwd();
+    // 1. Detect framework
+    const det = detectNextAppRouter(rootDir);
+    if (!det.ok) {
+        console.error(pc.red(`\n  Prodcheck v1 requires a Next.js App Router project.`));
+        console.error(pc.dim(`  Reason: ${det.reason}`));
+        console.error(pc.dim(`  Make sure you're in the project root with package.json and app/ directory.\n`));
+        process.exit(1);
+    }
+    console.log(pc.green("  Detected Next.js App Router"));
+    // 2. Detect dependencies and print what we found
+    const deps = readDeps(rootDir);
+    const detected = ["next-app-router"];
+    if (deps.hasNextAuth)
+        detected.push("next-auth");
+    if (deps.hasClerk)
+        detected.push("clerk");
+    if (deps.hasSupabase)
+        detected.push("supabase");
+    if (deps.hasPrisma)
+        detected.push("prisma");
+    if (deps.hasDrizzle)
+        detected.push("drizzle");
+    if (deps.hasTrpc)
+        detected.push("trpc");
+    if (deps.hasUpstashRatelimit)
+        detected.push("upstash-ratelimit");
+    // Check for middleware
+    const hasMiddleware = existsSync(path.join(rootDir, "middleware.ts"))
+        || existsSync(path.join(rootDir, "middleware.js"))
+        || existsSync(path.join(rootDir, "src/middleware.ts"))
+        || existsSync(path.join(rootDir, "src/middleware.js"));
+    if (hasMiddleware)
+        detected.push("middleware.ts");
+    console.log(pc.green(`  Detected: ${detected.join(" · ")}`));
+    // 3. Write config (idempotent)
+    const existingConfig = findConfigFile(rootDir);
+    if (existingConfig && !opts.force) {
+        console.log(pc.dim(`  Found existing config → skipping generation (${path.basename(existingConfig)})`));
+    }
+    else if (opts.dryRun) {
+        console.log(pc.dim("  Would create prodcheck.config.json (--dry-run)"));
+    }
+    else {
+        writeDefaultConfig(rootDir, { force: Boolean(opts.force) });
+        console.log(pc.green("  Created prodcheck.config.json"));
+    }
+    // 4. Run scan
+    console.log(pc.dim("\n  Running scan..."));
+    try {
+        const result = await runScan({ rootDir });
+        const status = scoreStatus(result.score);
+        const scoreColor = status === "PASS" ? pc.green : status === "WARN" ? pc.yellow : pc.red;
+        console.log(`\n  Prodcheck Score: ${scoreColor(String(result.score))} ${scoreColor(status)}`);
+        if (result.findings.length === 0) {
+            console.log(pc.green("  No findings — looking good!"));
+        }
+        else {
+            // Show top 5 findings
+            const top = result.findings.slice(0, 5);
+            for (const f of top) {
+                const loc = f.line ? `:${f.line}` : "";
+                const conf = pc.dim(`(${f.confidence})`);
+                console.log(`  ${pc.red(f.ruleId)} ${conf} ${pc.dim(f.file + loc)}`);
+            }
+            if (result.findings.length > 5) {
+                console.log(pc.dim(`  ... and ${result.findings.length - 5} more`));
+            }
+        }
+        // Wrapper suggestions
+        const wrapperFindings = result.findings.filter((f) => f.ruleId === "WRAPPER-UNRECOGNIZED");
+        if (wrapperFindings.length > 0) {
+            console.log(pc.yellow("\n  Wrapper hints needed:"));
+            for (const f of wrapperFindings) {
+                const nameMatch = f.message.match(/Wrapper "(\w+)"/);
+                if (!nameMatch)
+                    continue;
+                const name = nameMatch[1];
+                // Determine suggestion based on evidence
+                const hasAuth = f.evidence.some((e) => e.startsWith("Auth call detected:"));
+                const hasRL = f.evidence.some((e) => e.startsWith("Rate-limit call detected:"));
+                const isUnresolved = f.message.includes("could not be resolved");
+                const isUnverified = f.message.includes("enforcement not proven");
+                if (isUnresolved) {
+                    console.log(pc.dim(`    ${name} — wraps routes but could not be resolved`));
+                    console.log(pc.dim(`      If auth:       add "${name}" to hints.auth.functions`));
+                    console.log(pc.dim(`      If rate limit:  add "${name}" to hints.rateLimit.wrappers`));
+                }
+                else if (isUnverified) {
+                    if (hasAuth && !hasRL) {
+                        console.log(pc.dim(`    ${name} — calls auth but enforcement not proven`));
+                        console.log(pc.dim(`      Verify wrapper or add "${name}" to hints.auth.functions`));
+                    }
+                    else if (hasRL && !hasAuth) {
+                        console.log(pc.dim(`    ${name} — calls rate limiter but enforcement not proven`));
+                        console.log(pc.dim(`      Verify wrapper or add "${name}" to hints.rateLimit.wrappers`));
+                    }
+                    else {
+                        console.log(pc.dim(`    ${name} — missing protections`));
+                        console.log(pc.dim(`      If auth:       add "${name}" to hints.auth.functions`));
+                        console.log(pc.dim(`      If rate limit:  add "${name}" to hints.rateLimit.wrappers`));
+                    }
+                }
+            }
+        }
+        // Next steps
+        console.log(pc.dim("\n  Next:"));
+        console.log(pc.dim("    prodcheck baseline --write     Save current state as baseline"));
+        console.log(pc.dim("    prodcheck explain <RULE>        Learn about a specific rule"));
+        console.log(pc.dim("    prodcheck ci                    Run in CI mode"));
+        console.log("");
+    }
+    catch (err) {
+        console.error(pc.red(`  Scan failed: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAwB,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAiB;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE9B,sBAAsB;IACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC,CAAC;QACxG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAEvD,iDAAiD;IACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAa,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,IAAI,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,mBAAmB;QAAE,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAChE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;WACnD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACzD,IAAI,aAAa;QAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAElD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7D,+BAA+B;IAC/B,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1G,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,kBAAkB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,cAAc;IACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9F,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,sBAAsB;YACtB,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,sBAAsB,CAAC,CAAC;QAC3F,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACpD,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;gBACrD,IAAI,CAAC,SAAS;oBAAE,SAAS;gBACzB,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBAE1B,yCAAyC;gBACzC,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAC5E,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC,CAAC;gBAChF,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAAC;gBACjE,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC;gBAElE,IAAI,YAAY,EAAE,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,2CAA2C,CAAC,CAAC,CAAC;oBAC5E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,6BAA6B,IAAI,2BAA2B,CAAC,CAAC,CAAC;oBAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,8BAA8B,IAAI,+BAA+B,CAAC,CAAC,CAAC;gBACzF,CAAC;qBAAM,IAAI,YAAY,EAAE,CAAC;oBACxB,IAAI,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,0CAA0C,CAAC,CAAC,CAAC;wBAC3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gCAAgC,IAAI,2BAA2B,CAAC,CAAC,CAAC;oBACvF,CAAC;yBAAM,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;wBAC7B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,kDAAkD,CAAC,CAAC,CAAC;wBACnF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gCAAgC,IAAI,+BAA+B,CAAC,CAAC,CAAC;oBAC3F,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,wBAAwB,CAAC,CAAC,CAAC;wBACzD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,6BAA6B,IAAI,2BAA2B,CAAC,CAAC,CAAC;wBAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,8BAA8B,IAAI,+BAA+B,CAAC,CAAC,CAAC;oBACzF,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa;QACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/rules.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare function cmdRules(): Promise<void>;
2	+ //# sourceMappingURL=rules.d.ts.map

package/dist/cli/commands/rules.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/rules.ts"],"names":[],"mappings":"AAGA,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAW9C"}

package/dist/cli/commands/rules.js ADDED Viewed

@@ -0,0 +1,13 @@
+import pc from "picocolors";
+import { RULE_REGISTRY } from "../../rules/index.js";
+export async function cmdRules() {
+    console.log("\n  Prodcheck Rules (v1)\n");
+    for (const rule of RULE_REGISTRY) {
+        const severityColor = rule.defaultSeverity === "critical" ? pc.red : pc.yellow;
+        console.log(`  ${pc.bold(rule.id)} ${severityColor(`[${rule.defaultSeverity}]`)}`);
+        console.log(`  ${pc.dim(rule.description)}`);
+        console.log("");
+    }
+    console.log(pc.dim("  Run `prodcheck explain <RULE>` for full details.\n"));
+}
+//# sourceMappingURL=rules.js.map

package/dist/cli/commands/rules.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rules.js","sourceRoot":"","sources":["../../../src/cli/commands/rules.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC;QAC/E,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,aAAa,CAAC,IAAI,IAAI,CAAC,eAAe,GAAG,CAAC,EAAE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC,CAAC;AAC9E,CAAC"}