npm - @fourteensystems/prodcheck - Versions diffs - 0.3.0 - Mend

@fourteensystems/prodcheck 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/README.md +252 -0
package/bin/prodcheck.mjs +2 -0
package/dist/cli/commands/baseline.d.ts +7 -0
package/dist/cli/commands/baseline.d.ts.map +1 -0
package/dist/cli/commands/baseline.js +22 -0
package/dist/cli/commands/baseline.js.map +1 -0
package/dist/cli/commands/ci.d.ts +14 -0
package/dist/cli/commands/ci.d.ts.map +1 -0
package/dist/cli/commands/ci.js +104 -0
package/dist/cli/commands/ci.js.map +1 -0
package/dist/cli/commands/explain.d.ts +2 -0
package/dist/cli/commands/explain.d.ts.map +1 -0
package/dist/cli/commands/explain.js +20 -0
package/dist/cli/commands/explain.js.map +1 -0
package/dist/cli/commands/init.d.ts +7 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +127 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/rules.d.ts +2 -0
package/dist/cli/commands/rules.d.ts.map +1 -0
package/dist/cli/commands/rules.js +13 -0
package/dist/cli/commands/rules.js.map +1 -0
package/dist/cli/commands/scan.d.ts +10 -0
package/dist/cli/commands/scan.d.ts.map +1 -0
package/dist/cli/commands/scan.js +65 -0
package/dist/cli/commands/scan.js.map +1 -0
package/dist/cli/commands/waive.d.ts +8 -0
package/dist/cli/commands/waive.d.ts.map +1 -0
package/dist/cli/commands/waive.js +34 -0
package/dist/cli/commands/waive.js.map +1 -0
package/dist/cli/index.d.ts +2 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +64 -0
package/dist/cli/index.js.map +1 -0
package/dist/engine/baseline.d.ts +11 -0
package/dist/engine/baseline.d.ts.map +1 -0
package/dist/engine/baseline.js +39 -0
package/dist/engine/baseline.js.map +1 -0
package/dist/engine/baseline.test.d.ts +2 -0
package/dist/engine/baseline.test.d.ts.map +1 -0
package/dist/engine/baseline.test.js +135 -0
package/dist/engine/baseline.test.js.map +1 -0
package/dist/engine/config.d.ts +8 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +134 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/config.test.d.ts +2 -0
package/dist/engine/config.test.d.ts.map +1 -0
package/dist/engine/config.test.js +107 -0
package/dist/engine/config.test.js.map +1 -0
package/dist/engine/extensions/load.d.ts +11 -0
package/dist/engine/extensions/load.d.ts.map +1 -0
package/dist/engine/extensions/load.js +26 -0
package/dist/engine/extensions/load.js.map +1 -0
package/dist/engine/extensions/registry.d.ts +5 -0
package/dist/engine/extensions/registry.d.ts.map +1 -0
package/dist/engine/extensions/registry.js +11 -0
package/dist/engine/extensions/registry.js.map +1 -0
package/dist/engine/extensions/types.d.ts +51 -0
package/dist/engine/extensions/types.d.ts.map +1 -0
package/dist/engine/extensions/types.js +2 -0
package/dist/engine/extensions/types.js.map +1 -0
package/dist/engine/license.d.ts +40 -0
package/dist/engine/license.d.ts.map +1 -0
package/dist/engine/license.js +104 -0
package/dist/engine/license.js.map +1 -0
package/dist/engine/report.d.ts +5 -0
package/dist/engine/report.d.ts.map +1 -0
package/dist/engine/report.js +115 -0
package/dist/engine/report.js.map +1 -0
package/dist/engine/run.d.ts +11 -0
package/dist/engine/run.d.ts.map +1 -0
package/dist/engine/run.js +105 -0
package/dist/engine/run.js.map +1 -0
package/dist/engine/sarif.d.ts +3 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +58 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sarif.test.d.ts +2 -0
package/dist/engine/sarif.test.d.ts.map +1 -0
package/dist/engine/sarif.test.js +152 -0
package/dist/engine/sarif.test.js.map +1 -0
package/dist/engine/score.d.ts +13 -0
package/dist/engine/score.d.ts.map +1 -0
package/dist/engine/score.js +116 -0
package/dist/engine/score.js.map +1 -0
package/dist/engine/score.test.d.ts +2 -0
package/dist/engine/score.test.d.ts.map +1 -0
package/dist/engine/score.test.js +227 -0
package/dist/engine/score.test.js.map +1 -0
package/dist/engine/types.d.ts +123 -0
package/dist/engine/types.d.ts.map +1 -0
package/dist/engine/types.js +2 -0
package/dist/engine/types.js.map +1 -0
package/dist/engine/version.d.ts +5 -0
package/dist/engine/version.d.ts.map +1 -0
package/dist/engine/version.js +15 -0
package/dist/engine/version.js.map +1 -0
package/dist/engine/waivers.d.ts +9 -0
package/dist/engine/waivers.d.ts.map +1 -0
package/dist/engine/waivers.js +55 -0
package/dist/engine/waivers.js.map +1 -0
package/dist/engine/waivers.test.d.ts +2 -0
package/dist/engine/waivers.test.d.ts.map +1 -0
package/dist/engine/waivers.test.js +147 -0
package/dist/engine/waivers.test.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +12 -0
package/dist/index.js.map +1 -0
package/dist/next/deps.d.ts +4 -0
package/dist/next/deps.d.ts.map +1 -0
package/dist/next/deps.js +118 -0
package/dist/next/deps.js.map +1 -0
package/dist/next/deps.test.d.ts +2 -0
package/dist/next/deps.test.d.ts.map +1 -0
package/dist/next/deps.test.js +249 -0
package/dist/next/deps.test.js.map +1 -0
package/dist/next/detect.d.ts +10 -0
package/dist/next/detect.d.ts.map +1 -0
package/dist/next/detect.js +57 -0
package/dist/next/detect.js.map +1 -0
package/dist/next/detect.test.d.ts +2 -0
package/dist/next/detect.test.d.ts.map +1 -0
package/dist/next/detect.test.js +74 -0
package/dist/next/detect.test.js.map +1 -0
package/dist/next/index.d.ts +5 -0
package/dist/next/index.d.ts.map +1 -0
package/dist/next/index.js +59 -0
package/dist/next/index.js.map +1 -0
package/dist/next/middleware.d.ts +3 -0
package/dist/next/middleware.d.ts.map +1 -0
package/dist/next/middleware.js +48 -0
package/dist/next/middleware.js.map +1 -0
package/dist/next/middleware.test.d.ts +2 -0
package/dist/next/middleware.test.d.ts.map +1 -0
package/dist/next/middleware.test.js +203 -0
package/dist/next/middleware.test.js.map +1 -0
package/dist/next/routes.d.ts +10 -0
package/dist/next/routes.d.ts.map +1 -0
package/dist/next/routes.js +172 -0
package/dist/next/routes.js.map +1 -0
package/dist/next/routes.test.d.ts +2 -0
package/dist/next/routes.test.d.ts.map +1 -0
package/dist/next/routes.test.js +175 -0
package/dist/next/routes.test.js.map +1 -0
package/dist/next/server-actions.d.ts +4 -0
package/dist/next/server-actions.d.ts.map +1 -0
package/dist/next/server-actions.js +107 -0
package/dist/next/server-actions.js.map +1 -0
package/dist/next/server-actions.test.d.ts +2 -0
package/dist/next/server-actions.test.d.ts.map +1 -0
package/dist/next/server-actions.test.js +138 -0
package/dist/next/server-actions.test.js.map +1 -0
package/dist/next/trpc.d.ts +3 -0
package/dist/next/trpc.d.ts.map +1 -0
package/dist/next/trpc.js +312 -0
package/dist/next/trpc.js.map +1 -0
package/dist/next/types.d.ts +144 -0
package/dist/next/types.d.ts.map +1 -0
package/dist/next/types.js +2 -0
package/dist/next/types.js.map +1 -0
package/dist/next/wrappers.d.ts +10 -0
package/dist/next/wrappers.d.ts.map +1 -0
package/dist/next/wrappers.js +536 -0
package/dist/next/wrappers.js.map +1 -0
package/dist/next/wrappers.test.d.ts +2 -0
package/dist/next/wrappers.test.d.ts.map +1 -0
package/dist/next/wrappers.test.js +361 -0
package/dist/next/wrappers.test.js.map +1 -0
package/dist/rules/auth-boundary-missing.d.ts +5 -0
package/dist/rules/auth-boundary-missing.d.ts.map +1 -0
package/dist/rules/auth-boundary-missing.js +463 -0
package/dist/rules/auth-boundary-missing.js.map +1 -0
package/dist/rules/auth-boundary-missing.test.d.ts +2 -0
package/dist/rules/auth-boundary-missing.test.d.ts.map +1 -0
package/dist/rules/auth-boundary-missing.test.js +492 -0
package/dist/rules/auth-boundary-missing.test.js.map +1 -0
package/dist/rules/index.d.ts +12 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +95 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/input-validation-missing.d.ts +5 -0
package/dist/rules/input-validation-missing.d.ts.map +1 -0
package/dist/rules/input-validation-missing.js +272 -0
package/dist/rules/input-validation-missing.js.map +1 -0
package/dist/rules/input-validation-missing.test.d.ts +2 -0
package/dist/rules/input-validation-missing.test.d.ts.map +1 -0
package/dist/rules/input-validation-missing.test.js +449 -0
package/dist/rules/input-validation-missing.test.js.map +1 -0
package/dist/rules/rate-limit-missing.d.ts +5 -0
package/dist/rules/rate-limit-missing.d.ts.map +1 -0
package/dist/rules/rate-limit-missing.js +316 -0
package/dist/rules/rate-limit-missing.js.map +1 -0
package/dist/rules/rate-limit-missing.test.d.ts +2 -0
package/dist/rules/rate-limit-missing.test.d.ts.map +1 -0
package/dist/rules/rate-limit-missing.test.js +381 -0
package/dist/rules/rate-limit-missing.test.js.map +1 -0
package/dist/rules/tenancy-scope-missing.d.ts +5 -0
package/dist/rules/tenancy-scope-missing.d.ts.map +1 -0
package/dist/rules/tenancy-scope-missing.js +149 -0
package/dist/rules/tenancy-scope-missing.js.map +1 -0
package/dist/rules/wrapper-unrecognized.d.ts +5 -0
package/dist/rules/wrapper-unrecognized.d.ts.map +1 -0
package/dist/rules/wrapper-unrecognized.js +81 -0
package/dist/rules/wrapper-unrecognized.js.map +1 -0
package/dist/util/hof.d.ts +22 -0
package/dist/util/hof.d.ts.map +1 -0
package/dist/util/hof.js +99 -0
package/dist/util/hof.js.map +1 -0
package/dist/util/hof.test.d.ts +2 -0
package/dist/util/hof.test.d.ts.map +1 -0
package/dist/util/hof.test.js +79 -0
package/dist/util/hof.test.js.map +1 -0
package/dist/util/monorepo.d.ts +6 -0
package/dist/util/monorepo.d.ts.map +1 -0
package/dist/util/monorepo.js +29 -0
package/dist/util/monorepo.js.map +1 -0
package/dist/util/outbound-fetch.d.ts +14 -0
package/dist/util/outbound-fetch.d.ts.map +1 -0
package/dist/util/outbound-fetch.js +59 -0
package/dist/util/outbound-fetch.js.map +1 -0
package/dist/util/outbound-fetch.test.d.ts +2 -0
package/dist/util/outbound-fetch.test.d.ts.map +1 -0
package/dist/util/outbound-fetch.test.js +83 -0
package/dist/util/outbound-fetch.test.js.map +1 -0
package/dist/util/paths.d.ts +6 -0
package/dist/util/paths.d.ts.map +1 -0
package/dist/util/paths.js +18 -0
package/dist/util/paths.js.map +1 -0
package/dist/util/resolve.d.ts +30 -0
package/dist/util/resolve.d.ts.map +1 -0
package/dist/util/resolve.js +306 -0
package/dist/util/resolve.js.map +1 -0
package/dist/util/resolve.test.d.ts +2 -0
package/dist/util/resolve.test.d.ts.map +1 -0
package/dist/util/resolve.test.js +186 -0
package/dist/util/resolve.test.js.map +1 -0
package/package.json +56 -0

package/dist/rules/auth-boundary-missing.js ADDED Viewed

@@ -0,0 +1,463 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { isAllowlisted } from "../util/paths.js";
+export const RULE_ID = "AUTH-BOUNDARY-MISSING";
+const SEVERITY_RANK = { critical: 4, high: 3, med: 2, low: 1 };
+function severityFromConfidence(confidence, maxSeverity) {
+    const max = maxSeverity;
+    const maxRank = SEVERITY_RANK[max] ?? 4;
+    // high confidence → use max severity (typically critical)
+    // med confidence → cap at high
+    const computed = confidence === "high" ? max : "high";
+    const computedRank = SEVERITY_RANK[computed] ?? 3;
+    return computedRank > maxRank ? max : computed;
+}
+export function run(index, config) {
+    const findings = [];
+    const maxSeverity = config.rules[RULE_ID]?.severity ?? "critical";
+    const authAllowlist = config.hints.auth.allowlistPaths;
+    // Check mutation route handlers
+    for (const route of index.routes.mutationRoutes) {
+        if (route.publicIntent)
+            continue; // Auth absence is intentional — structured suppression
+        if (isAllowlisted(route.file, authAllowlist))
+            continue;
+        const result = checkRoute(route, index, config);
+        if (result) {
+            const pathname = route.pathname ?? route.file;
+            const isWebhook = /webhook/i.test(pathname);
+            findings.push({
+                ruleId: RULE_ID,
+                severity: severityFromConfidence(result.confidence, maxSeverity),
+                confidence: result.confidence,
+                message: isWebhook
+                    ? `Webhook endpoint processes payloads without signature verification`
+                    : `Route handler performs mutations without a recognized auth boundary`,
+                file: route.file,
+                line: result.line,
+                snippet: result.snippet,
+                evidence: result.evidence,
+                confidenceRationale: result.confidenceRationale,
+                remediation: isWebhook
+                    ? [
+                        "Verify the provider's webhook signature before processing the payload",
+                        "Examples: Stripe `constructEvent()`, GitHub HMAC, Google Pub/Sub JWT, Slack `verifyRequest()`",
+                        "Use `crypto.timingSafeEqual()` for HMAC comparisons to prevent timing attacks",
+                    ]
+                    : [
+                        "Add an auth check at the top of the handler (e.g., `const session = await auth()`)",
+                        "Ensure middleware.ts protects this route segment",
+                        "If using a custom auth wrapper, add it to hints.auth.functions in prodcheck.config.json",
+                    ],
+                tags: isWebhook
+                    ? ["auth", "webhook", "server"]
+                    : ["auth", "server"],
+            });
+        }
+    }
+    // Check mutation server actions (deduplicate by file since auth check is file-level)
+    const seenActionFiles = new Set();
+    for (const action of index.serverActions.mutationActions) {
+        if (seenActionFiles.has(action.file))
+            continue;
+        seenActionFiles.add(action.file);
+        if (isAllowlisted(action.file, authAllowlist))
+            continue;
+        const result = checkServerAction(action, index, config);
+        if (result) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity: severityFromConfidence(result.confidence, maxSeverity),
+                confidence: result.confidence,
+                message: `Server action performs mutations without a recognized auth boundary`,
+                file: action.file,
+                line: result.line,
+                snippet: result.snippet,
+                evidence: result.evidence,
+                confidenceRationale: result.confidenceRationale,
+                remediation: [
+                    "Add an auth check at the top of the server action",
+                    "If using a custom auth wrapper, add it to hints.auth.functions in prodcheck.config.json",
+                ],
+                tags: ["auth", "server-action"],
+            });
+        }
+    }
+    // Check tRPC mutation procedures
+    for (const proc of index.trpc.mutationProcedures) {
+        if (proc.procedureType === "protected")
+            continue;
+        if (isAllowlisted(proc.file, authAllowlist))
+            continue;
+        const confidence = proc.procedureType === "public" ? "high" : "med";
+        findings.push({
+            ruleId: RULE_ID,
+            severity: severityFromConfidence(confidence, maxSeverity),
+            confidence,
+            message: `tRPC mutation "${proc.name}" uses ${proc.procedureType}Procedure without auth boundary`,
+            file: proc.file,
+            line: proc.line,
+            evidence: [`${proc.procedureType}Procedure.mutation()`, ...proc.signals.mutationDetails],
+            confidenceRationale: proc.procedureType === "public"
+                ? "High: public tRPC mutation with no auth boundary"
+                : "Medium: unrecognized procedure type (may have auth middleware)",
+            remediation: [
+                "Use protectedProcedure instead of publicProcedure for mutations",
+                "Add auth middleware to the procedure chain: publicProcedure.use(authMiddleware).mutation(...)",
+                "If this mutation is intentionally public, add a waiver with reason",
+            ],
+            tags: ["auth", "trpc"],
+        });
+    }
+    return findings;
+}
+function checkRoute(route, index, config) {
+    // Use ProtectionSummary if available (computed during index building)
+    if (route.protection) {
+        if (route.protection.auth.satisfied)
+            return null;
+        // If wrapper introspection deferred this to WRAPPER-UNRECOGNIZED, don't emit per-route finding
+        if (route.protection.auth.unverifiedWrappers.length > 0)
+            return null;
+    }
+    const src = readSource(index.rootDir, route.file);
+    if (!src)
+        return null;
+    // Check for built-in auth patterns (webhook signatures, cron keys, etc.)
+    // These are always checked regardless of ProtectionSummary
+    if (hasBuiltInAuthPattern(src))
+        return null;
+    // No auth found — determine confidence
+    const evidence = [...route.signals.mutationDetails];
+    evidence.push(`No auth function calls matched: ${config.hints.auth.functions.join(", ")}`);
+    evidence.push("No middleware auth covering this route");
+    let confidence = "high";
+    let confidenceRationale = "High: mutation evidence + no auth calls + no middleware coverage";
+    // Downgrade if we see any function calls that could be custom auth
+    if (hasPossibleCustomAuth(src)) {
+        confidence = "med";
+        confidenceRationale = "Medium: mutation evidence present but possible custom auth wrapper detected (not in hints)";
+        evidence.push("possible custom auth wrapper detected (not in hints)");
+    }
+    // Exempt callback/OAuth/OIDC/SSO/SCIM paths — public by protocol design.
+    // The OAuth flow itself (state/PKCE/nonce) IS the auth boundary.
+    const pathname = route.pathname ?? route.file;
+    if (isCallbackPath(pathname)) {
+        return null;
+    }
+    // Find the line of the first mutation evidence for precise reporting
+    const line = findFirstMutationLine(src, route.signals);
+    return { confidence, confidenceRationale, line, evidence };
+}
+function checkServerAction(action, index, config) {
+    const src = readSource(index.rootDir, action.file);
+    if (!src)
+        return null;
+    if (hasAuthCall(src, config.hints.auth.functions))
+        return null;
+    if (hasBuiltInAuthPattern(src))
+        return null;
+    const evidence = [...action.signals.mutationDetails];
+    evidence.push(`No auth function calls matched: ${config.hints.auth.functions.join(", ")}`);
+    let confidence = "high";
+    let confidenceRationale = "High: server action with mutation evidence + no auth calls";
+    if (hasPossibleCustomAuth(src)) {
+        confidence = "med";
+        confidenceRationale = "Medium: mutation evidence present but possible custom auth wrapper detected (not in hints)";
+        evidence.push("possible custom auth wrapper detected (not in hints)");
+    }
+    const line = findFirstMutationLine(src, action.signals);
+    return { confidence, confidenceRationale, line, evidence };
+}
+function hasAuthCall(src, authFunctions) {
+    for (const fn of authFunctions) {
+        const pattern = new RegExp(`\\b${escapeRegex(fn)}\\s*\\(`, "m");
+        if (pattern.test(src))
+            return true;
+    }
+    return false;
+}
+/**
+ * Built-in auth patterns that don't need to be in hints.
+ * These are common enough to detect automatically.
+ */
+function hasBuiltInAuthPattern(src) {
+    // Stripe webhook signature verification
+    if (/stripe\.webhooks\.constructEvent\s*\(/m.test(src))
+        return true;
+    // WorkOS webhook signature verification
+    if (/workos\.webhooks\.constructEvent\s*\(/m.test(src))
+        return true;
+    // Vercel/QStash cron signature verification
+    if (/verifyVercelSignature\s*\(/m.test(src))
+        return true;
+    if (/verifyQstashSignature\s*\(/m.test(src))
+        return true;
+    // HMAC webhook signature verification (crypto.createHmac + comparison)
+    if (/createHmac\s*\(/.test(src) && /signature/i.test(src))
+        return true;
+    // Cron API key / secret env var check
+    if (/process\.env\.CRON_(?:API_KEY|SECRET)/m.test(src))
+        return true;
+    // Shared secret header verification (common webhook pattern)
+    if (/process\.env\.\w+SECRET\b/.test(src) && /headers\.get\s*\(/m.test(src))
+        return true;
+    // Supabase auth boundary — call-based, not import-based.
+    if (/\.auth\.getUser\s*\(/.test(src))
+        return true;
+    if (/\.auth\.getSession\s*\(/.test(src))
+        return true;
+    // --- Framework wrappers with built-in request signing ---
+    // Upstash Workflow serve() — verifies request signatures automatically
+    if (hasFrameworkServe(src, "@upstash/workflow"))
+        return true;
+    // Inngest serve() — verifies signing key on incoming requests
+    if (hasFrameworkServe(src, "inngest"))
+        return true;
+    // --- Webhook verification libraries (import + call) ---
+    // Svix webhook verification (used by Clerk, etc.)
+    if (hasImportAndCall(src, "svix", /\.verify\s*\(/))
+        return true;
+    // Octokit/GitHub webhook verification
+    if (hasImportAndCall(src, "@octokit/webhooks", /\.verify\s*\(/))
+        return true;
+    // --- Contextual webhook auth patterns ---
+    // timingSafeEqual used with request-derived data + early 401/403
+    if (hasWebhookTokenVerification(src))
+        return true;
+    // --- JWT verification (jose / jsonwebtoken) ---
+    // jose: jwtVerify() with token from headers/cookies + early deny
+    if (hasImportAndCall(src, "jose", /jwtVerify\s*\(/))
+        return true;
+    // jsonwebtoken: jwt.verify() / verify() with token from headers/cookies
+    if (hasImportAndCall(src, "jsonwebtoken", /\.verify\s*\(/))
+        return true;
+    // --- DB-backed API token lookup + early deny ---
+    if (hasDbTokenLookup(src))
+        return true;
+    // --- Auth-guard return: header/token/secret check → early 401/403 before mutation ---
+    if (hasAuthGuardReturn(src))
+        return true;
+    // --- Inline auth guard: common auth function name + null check + early return/throw ---
+    if (hasInlineAuthGuard(src))
+        return true;
+    return false;
+}
+/**
+ * Detect framework `serve()` wrappers that have built-in request signing.
+ * Checks both the import source and the serve() call in the source.
+ */
+function hasFrameworkServe(src, packagePrefix) {
+    const importPattern = new RegExp(`from\\s+["']${escapeRegex(packagePrefix)}[^"']*["']`);
+    if (!importPattern.test(src))
+        return false;
+    return /\bserve\s*[<(]/.test(src);
+}
+/**
+ * Detect a known verification library by import source + method call.
+ */
+function hasImportAndCall(src, packageName, callPattern) {
+    const importPattern = new RegExp(`from\\s+["']${escapeRegex(packageName)}[^"']*["']`);
+    if (!importPattern.test(src))
+        return false;
+    return callPattern.test(src);
+}
+/**
+ * Detect webhook token verification: timingSafeEqual used with
+ * request-derived data (headers/params/body) and early 401/403 on mismatch.
+ *
+ * NOT a blanket "any timingSafeEqual = auth" — requires:
+ * 1. timingSafeEqual call present
+ * 2. Reads from request (headers, searchParams, or body)
+ * 3. Returns 401 or 403 on failure
+ */
+function hasWebhookTokenVerification(src) {
+    if (!/timingSafeEqual\s*\(/.test(src))
+        return false;
+    const readsRequest = /headers\.get\s*\(/.test(src)
+        || /searchParams\.get\s*\(/.test(src)
+        || /request\.json\s*\(/.test(src)
+        || /req\.json\s*\(/.test(src);
+    if (!readsRequest)
+        return false;
+    // Accept explicit 401/403 or any throw (many apps throw custom errors)
+    return /status:\s*40[13]\b/.test(src) || /\(\s*40[13]\s*\)/.test(src) || /\bthrow\s+new\b/.test(src);
+}
+/**
+ * Detect DB-backed token lookup with early deny.
+ *
+ * Pattern: reads token from request (header, body, params) → looks it up in DB → returns 401/403 if missing.
+ * Common in B2B SaaS for API key authentication, password reset flows, etc.
+ *
+ * Requires all three:
+ * 1. Reads from request (headers, searchParams, body, or route params)
+ * 2. DB lookup on a token/key-like table (prisma.apiToken, prisma.apiKey, etc.)
+ * 3. Returns 401 or 403
+ */
+function hasDbTokenLookup(src) {
+    // DB lookup on a token/key-like table
+    const hasTokenLookup = /\.(apiToken|apiKey|token|accessToken|api_key|access_token|passwordResetToken|verificationToken|resetToken)\.(findUnique|findFirst|findMany)\s*\(/i.test(src);
+    if (!hasTokenLookup)
+        return false;
+    // Accept explicit 401/403, or any throw (custom error classes like DubApiError)
+    // Route handlers always read from the request, so token lookup + deny is sufficient
+    return /status:\s*40[13]\b/.test(src) || /\(\s*40[13]\s*\)/.test(src) || /\bthrow\s+new\b/.test(src);
+}
+/**
+ * Detect auth-guard return patterns: an early 401/403 return whose guarding
+ * condition references an auth signal, occurring BEFORE mutation evidence.
+ *
+ * We require ALL of:
+ * 1. A return/throw producing 401 or 403
+ * 2. The surrounding context references an auth-related signal
+ * 3. The guard occurs before the first mutation evidence in the file
+ *
+ * Auth signals (the condition must reference at least one):
+ * - headers.get(...) with auth-related header names
+ * - Variables named token, apiKey, signature, secret, session, user, auth
+ * - Comparison against process.env.* or config values
+ *
+ * This intentionally does NOT match:
+ * - Feature flag checks (if (!enabled) return 403)
+ * - Plan gating (if (!isPro) return 403)
+ * - CSRF/bot checks without auth signals
+ * - 401/403 returns AFTER mutation code (error handling, not guards)
+ */
+function hasAuthGuardReturn(src) {
+    // Must have a 401 or 403 status somewhere
+    if (!/status:\s*40[13]\b/.test(src) && !/\(\s*40[13]\s*\)/.test(src))
+        return false;
+    const lines = src.split("\n");
+    // Find the first mutation evidence line
+    const firstMutationLine = findFirstMutationLineIndex(lines);
+    // Find lines with 401/403 returns and check nearby context for auth signals
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (!/40[13]/.test(line))
+            continue;
+        if (!/status|Response|NextResponse|return|throw/i.test(line))
+            continue;
+        // Guard must occur before mutation evidence (or if no mutation found, accept it)
+        if (firstMutationLine !== undefined && i >= firstMutationLine)
+            continue;
+        // Look at the surrounding context (up to 10 lines before the 401/403)
+        const contextStart = Math.max(0, i - 10);
+        const context = lines.slice(contextStart, i + 1).join("\n");
+        if (hasAuthSignalInContext(context))
+            return true;
+    }
+    return false;
+}
+/**
+ * Detect inline auth guards using common auth function name patterns + null check.
+ *
+ * Matches function calls like getCurrentUser(), getUser(), requireSession(), checkAuth(), etc.
+ * followed by a null/falsy check within 15 lines, with an early return/throw in the guard body.
+ *
+ * This catches auth patterns that aren't in hints (custom function names).
+ */
+const AUTH_FN_PATTERN = /\b(?:get|require|check|validate|verify|ensure|load|fetch|update)\w*(?:User|Session|Auth|Account|Identity|Token)\s*\(/i;
+function hasInlineAuthGuard(src) {
+    if (!AUTH_FN_PATTERN.test(src))
+        return false;
+    const lines = src.split("\n");
+    // Find lines with auth function calls
+    for (let i = 0; i < lines.length; i++) {
+        if (!AUTH_FN_PATTERN.test(lines[i]))
+            continue;
+        // Look for a null/falsy check within 15 lines after the call
+        const searchEnd = Math.min(lines.length, i + 15);
+        for (let j = i; j < searchEnd; j++) {
+            const line = lines[j];
+            // Check for if (!variable) or if (variable == null) patterns
+            if (!/if\s*\(\s*!|\s*==\s*null|\s*===\s*null/.test(line))
+                continue;
+            // Check subsequent lines (the guard body) for throw/return/redirect
+            const guardEnd = Math.min(lines.length, j + 5);
+            const guardBody = lines.slice(j, guardEnd).join("\n");
+            if (/\bthrow\b|\breturn\b|\bredirect\b|NextResponse\.redirect|NextResponse\.json/.test(guardBody)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/** Find the 0-based line index of the first mutation evidence in source lines. */
+function findFirstMutationLineIndex(lines) {
+    for (let i = 0; i < lines.length; i++) {
+        if (/\.(create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/.test(lines[i])) {
+            return i;
+        }
+        if (/stripe\.\w+\.(create|update|del)\s*\(/.test(lines[i])) {
+            return i;
+        }
+    }
+    return undefined;
+}
+/**
+ * Auth signals that distinguish real auth guards from feature flags / plan gating.
+ */
+const AUTH_SIGNAL_PATTERNS = [
+    // Header reads with auth-related names
+    /headers\.get\s*\(\s*["'](?:authorization|x-api-key|x-webhook-secret|x-signature|x-hub-signature)/i,
+    // Any custom header read + secret/token/key comparison
+    /headers\.get\s*\([^)]+\)[\s\S]{0,100}(?:secret|token|key|signature)\b/i,
+    // Variable names that imply auth context
+    /\b(?:const|let|var)\s+(?:token|apiKey|api_key|signature|webhookSecret|webhook_secret|headerValue)\b/i,
+    // Comparison against env vars (secret/key/token)
+    /process\.env\.\w*(?:SECRET|TOKEN|KEY|API_KEY|WEBHOOK)\w*/i,
+    // Authorization / Bearer token patterns
+    /\bauthorization\b/i,
+    /\bbearer\b/i,
+    // Known verification function names in the condition
+    /\b(?:verify|validate|check)\w*(?:Token|Signature|Auth|Secret|Key)\s*\(/i,
+];
+/**
+ * Check if a code context (a few lines around a 401/403 return)
+ * contains at least one auth signal, distinguishing it from
+ * feature-flag / plan-gating returns.
+ */
+function hasAuthSignalInContext(context) {
+    return AUTH_SIGNAL_PATTERNS.some((pattern) => pattern.test(context));
+}
+/**
+ * Detect callback/OAuth/OIDC paths that are typically public by protocol design.
+ * These get downgraded (not allowlisted) — they should still rely on
+ * framework validation (state/PKCE) but are not auth-boundary issues.
+ */
+function isCallbackPath(pathname) {
+    return /\/(callback|oauth|oidc|sso|scim)(\/|$)/i.test(pathname);
+}
+function hasPossibleCustomAuth(src) {
+    if (/\b(verify|check|require|validate|ensure|guard|protect|get|fetch|load)\w*(Token|Auth|Session|User|Access|Secret|Signature|Permission)\s*\(/i.test(src)) {
+        return true;
+    }
+    if (/headers?\S*\.get\s*\(\s*["']authorization["']\s*\)/i.test(src)) {
+        return true;
+    }
+    return false;
+}
+function findFirstMutationLine(src, signals) {
+    const lines = src.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        if (/\.(create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/.test(lines[i])) {
+            return i + 1;
+        }
+        if (/stripe\.\w+\.(create|update|del)\s*\(/.test(lines[i])) {
+            return i + 1;
+        }
+    }
+    return undefined;
+}
+function readSource(rootDir, file) {
+    try {
+        return readFileSync(path.join(rootDir, file), "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+//# sourceMappingURL=auth-boundary-missing.js.map

package/dist/rules/auth-boundary-missing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-boundary-missing.js","sourceRoot":"","sources":["../../src/rules/auth-boundary-missing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,CAAC,MAAM,OAAO,GAAG,uBAAuB,CAAC;AAE/C,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAEvF,SAAS,sBAAsB,CAAC,UAAsB,EAAE,WAAmB;IACzE,MAAM,GAAG,GAAG,WAAuB,CAAC;IACpC,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxC,0DAA0D;IAC1D,+BAA+B;IAC/B,MAAM,QAAQ,GAAa,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;IAChE,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,UAAU,CAAC;IAElE,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC;IAEvD,gCAAgC;IAChC,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,YAAY;YAAE,SAAS,CAAC,uDAAuD;QACzF,IAAI,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QACvD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC;YAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,sBAAsB,CAAC,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC;gBAChE,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,SAAS;oBAChB,CAAC,CAAC,oEAAoE;oBACtE,CAAC,CAAC,qEAAqE;gBACzE,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,WAAW,EAAE,SAAS;oBACpB,CAAC,CAAC;wBACE,uEAAuE;wBACvE,+FAA+F;wBAC/F,+EAA+E;qBAChF;oBACH,CAAC,CAAC;wBACE,oFAAoF;wBACpF,kDAAkD;wBAClD,yFAAyF;qBAC1F;gBACL,IAAI,EAAE,SAAS;oBACb,CAAC,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;oBAC/B,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qFAAqF;IACrF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,eAAe,EAAE,CAAC;QACzD,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;YAAE,SAAS;QAC/C,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QACxD,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACxD,IAAI,MAAM,EAAE,CAAC;YACX,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,sBAAsB,CAAC,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC;gBAChE,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,qEAAqE;gBAC9E,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,WAAW,EAAE;oBACX,mDAAmD;oBACnD,yFAAyF;iBAC1F;gBACD,IAAI,EAAE,CAAC,MAAM,EAAE,eAAe,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjD,IAAI,IAAI,CAAC,aAAa,KAAK,WAAW;YAAE,SAAS;QACjD,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QAEtD,MAAM,UAAU,GAAe,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QAChF,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,sBAAsB,CAAC,UAAU,EAAE,WAAW,CAAC;YACzD,UAAU;YACV,OAAO,EAAE,kBAAkB,IAAI,CAAC,IAAI,UAAU,IAAI,CAAC,aAAa,iCAAiC;YACjG,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,sBAAsB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC;YACxF,mBAAmB,EAAE,IAAI,CAAC,aAAa,KAAK,QAAQ;gBAClD,CAAC,CAAC,kDAAkD;gBACpD,CAAC,CAAC,gEAAgE;YACpE,WAAW,EAAE;gBACX,iEAAiE;gBACjE,+FAA+F;gBAC/F,oEAAoE;aACrE;YACD,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;SACvB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAUD,SAAS,UAAU,CACjB,KAAgB,EAChB,KAAgB,EAChB,MAAuB;IAEvB,sEAAsE;IACtE,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEjD,+FAA+F;QAC/F,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACvE,CAAC;IAED,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,yEAAyE;IACzE,2DAA2D;IAC3D,IAAI,qBAAqB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,uCAAuC;IACvC,MAAM,QAAQ,GAAa,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9D,QAAQ,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,QAAQ,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACxD,IAAI,UAAU,GAAe,MAAM,CAAC;IACpC,IAAI,mBAAmB,GAAG,kEAAkE,CAAC;IAE7F,mEAAmE;IACnE,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,4FAA4F,CAAC;QACnH,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACxE,CAAC;IAED,yEAAyE;IACzE,iEAAiE;IACjE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC;IAC9C,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qEAAqE;IACrE,MAAM,IAAI,GAAG,qBAAqB,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEvD,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAwB,EACxB,KAAgB,EAChB,MAAuB;IAEvB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,qBAAqB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,MAAM,QAAQ,GAAa,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC/D,QAAQ,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,IAAI,UAAU,GAAe,MAAM,CAAC;IACpC,IAAI,mBAAmB,GAAG,4DAA4D,CAAC;IAEvF,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,4FAA4F,CAAC;QACnH,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAExD,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,aAAuB;IACvD,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,MAAM,WAAW,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAChE,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACrC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,GAAW;IACxC,wCAAwC;IACxC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,wCAAwC;IACxC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,4CAA4C;IAC5C,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzD,uEAAuE;IACvE,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,sCAAsC;IACtC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,6DAA6D;IAC7D,IAAI,2BAA2B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzF,yDAAyD;IACzD,IAAI,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,2DAA2D;IAE3D,uEAAuE;IACvE,IAAI,iBAAiB,CAAC,GAAG,EAAE,mBAAmB,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,8DAA8D;IAC9D,IAAI,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnD,yDAAyD;IAEzD,kDAAkD;IAClD,IAAI,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhE,sCAAsC;IACtC,IAAI,gBAAgB,CAAC,GAAG,EAAE,mBAAmB,EAAE,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7E,2CAA2C;IAE3C,iEAAiE;IACjE,IAAI,2BAA2B,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAElD,iDAAiD;IAEjD,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,gBAAgB,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjE,wEAAwE;IACxE,IAAI,gBAAgB,CAAC,GAAG,EAAE,cAAc,EAAE,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IAExE,kDAAkD;IAClD,IAAI,gBAAgB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvC,uFAAuF;IACvF,IAAI,kBAAkB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzC,yFAAyF;IACzF,IAAI,kBAAkB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,GAAW,EAAE,aAAqB;IAC3D,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,eAAe,WAAW,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IACxF,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,OAAO,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAW,EAAE,WAAmB,EAAE,WAAmB;IAC7E,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,eAAe,WAAW,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IACtF,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,OAAO,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,2BAA2B,CAAC,GAAW;IAC9C,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACpD,MAAM,YAAY,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;WAC7C,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC;WAClC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC;WAC9B,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAChC,uEAAuE;IACvE,OAAO,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvG,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,sCAAsC;IACtC,MAAM,cAAc,GAAG,mJAAmJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrL,IAAI,CAAC,cAAc;QAAE,OAAO,KAAK,CAAC;IAClC,gFAAgF;IAChF,oFAAoF;IACpF,OAAO,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvG,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,0CAA0C;IAC1C,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnF,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9B,wCAAwC;IACxC,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC;IAE5D,4EAA4E;IAC5E,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QACnC,IAAI,CAAC,4CAA4C,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAEvE,iFAAiF;QACjF,IAAI,iBAAiB,KAAK,SAAS,IAAI,CAAC,IAAI,iBAAiB;YAAE,SAAS;QAExE,sEAAsE;QACtE,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE5D,IAAI,sBAAsB,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,eAAe,GAAG,uHAAuH,CAAC;AAEhJ,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9B,sCAAsC;IACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,SAAS;QAE9C,6DAA6D;QAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,6DAA6D;YAC7D,IAAI,CAAC,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnE,oEAAoE;YACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,IAAI,6EAA6E,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClG,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,kFAAkF;AAClF,SAAS,0BAA0B,CAAC,KAAe;IACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,uEAAuE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,OAAO,CAAC,CAAC;QACX,CAAC;QACD,IAAI,uCAAuC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,oBAAoB,GAAa;IACrC,uCAAuC;IACvC,mGAAmG;IACnG,uDAAuD;IACvD,wEAAwE;IACxE,yCAAyC;IACzC,sGAAsG;IACtG,iDAAiD;IACjD,2DAA2D;IAC3D,wCAAwC;IACxC,oBAAoB;IACpB,aAAa;IACb,qDAAqD;IACrD,yEAAyE;CAC1E,CAAC;AAEF;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,OAAe;IAC7C,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AACvE,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,QAAgB;IACtC,OAAO,yCAAyC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,IAAI,4IAA4I,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3J,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,qDAAqD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW,EAAE,OAAsC;IAChF,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,uEAAuE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,OAAO,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;QACD,IAAI,uCAAuC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC"}

package/dist/rules/auth-boundary-missing.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=auth-boundary-missing.test.d.ts.map

package/dist/rules/auth-boundary-missing.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth-boundary-missing.test.d.ts","sourceRoot":"","sources":["../../src/rules/auth-boundary-missing.test.ts"],"names":[],"mappings":""}