@fourteensystems/prodcheck 0.3.0

package/dist/rules/auth-boundary-missing.test.js

@@ -0,0 +1,492 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import path from "node:path";
+import { run } from "./auth-boundary-missing.js";
+/* ------------------------------------------------------------------ */
+/*  Helpers                                                            */
+/* ------------------------------------------------------------------ */
+const MUTATION_SIGNALS = {
+    hasMutationEvidence: true,
+    hasDbWriteEvidence: true,
+    hasStripeWriteEvidence: false,
+    mutationDetails: ["prisma.create"],
+};
+function protectionSummary(opts) {
+    return {
+        auth: {
+            satisfied: opts.authSatisfied ?? false,
+            enforced: false,
+            sources: opts.authSatisfied ? ["direct"] : [],
+            details: [],
+            unverifiedWrappers: opts.unverifiedWrappers ?? [],
+        },
+        rateLimit: {
+            satisfied: false,
+            enforced: false,
+            sources: [],
+            details: [],
+            unverifiedWrappers: [],
+        },
+    };
+}
+let tmpDir;
+beforeEach(() => {
+    tmpDir = path.join("/tmp", `prodcheck-auth-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tmpDir, { recursive: true });
+});
+afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+});
+function createRoute(relPath, source, overrides = {}) {
+    const fullPath = path.join(tmpDir, relPath);
+    mkdirSync(path.dirname(fullPath), { recursive: true });
+    writeFileSync(fullPath, source);
+    const pathname = "/" + relPath
+        .replace(/\/route\.(ts|tsx|js|jsx)$/, "")
+        .replace(/^app\//, "");
+    return {
+        kind: "route-handler",
+        file: relPath,
+        isApi: pathname.startsWith("/api/") || pathname === "/api",
+        isPublic: true,
+        pathname,
+        signals: MUTATION_SIGNALS,
+        protection: protectionSummary({}),
+        ...overrides,
+    };
+}
+function makeIndex(routes) {
+    return {
+        version: 1,
+        framework: "next-app-router",
+        rootDir: tmpDir,
+        deps: {
+            hasNextAuth: false, hasClerk: false, hasSupabase: false,
+            hasKinde: false, hasWorkOS: false, hasBetterAuth: false,
+            hasLucia: false, hasAuth0: false, hasIronSession: false,
+            hasFirebaseAuth: false, hasUpstashRatelimit: false, hasArcjet: false,
+            hasUnkey: false, hasPrisma: false, hasDrizzle: false, hasTrpc: false,
+        },
+        hints: {
+            auth: { functions: ["auth", "getServerSession"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        middleware: { authLikely: false, rateLimitLikely: false, matcherPatterns: [] },
+        wrappers: { wrappers: new Map() },
+        routes: { all: routes, mutationRoutes: routes },
+        serverActions: { all: [], mutationActions: [] },
+        trpc: { detected: false, procedures: [], mutationProcedures: [] },
+    };
+}
+function makeConfig(overrides = {}) {
+    return {
+        framework: "next-app-router",
+        include: ["app/**"],
+        exclude: [],
+        ci: { failOn: "critical", minConfidence: "high", minScore: 70, maxNewCritical: 0 },
+        scoring: { start: 100, penalties: { critical: 25, high: 10, med: 3, low: 1 } },
+        hints: {
+            auth: { functions: ["auth", "getServerSession"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        rules: { "AUTH-BOUNDARY-MISSING": { severity: "critical" } },
+        waiversFile: "prodcheck.waivers.json",
+        ...overrides,
+    };
+}
+const config = makeConfig();
+/* ------------------------------------------------------------------ */
+/*  1. Upstash Workflow serve() — should suppress finding              */
+/* ------------------------------------------------------------------ */
+describe("Upstash Workflow serve() recognition", () => {
+    it("suppresses finding for @upstash/workflow serve()", () => {
+        const route = createRoute("app/api/workflows/process/route.ts", `
+import { serve } from "@upstash/workflow/nextjs";
+import { MemoryExtractionExecutor } from "@/server/services/memory";
+
+export const { POST } = serve(async (context) => {
+  const executor = await MemoryExtractionExecutor.create();
+  await prisma.memory.create({ data: { userId: "test" } });
+  return { done: true };
+});
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("suppresses finding for serve with generic type param", () => {
+        const route = createRoute("app/api/workflows/extract/route.ts", `
+import { serve } from "@upstash/workflow/nextjs";
+
+export const { POST } = serve<PayloadInput>(async (context) => {
+  await prisma.topic.create({ data: context.requestPayload });
+});
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT suppress for serve() from unknown package", () => {
+        const route = createRoute("app/api/unknown/route.ts", `
+import { serve } from "some-other-package";
+
+export const { POST } = serve(async (context) => {
+  await prisma.user.create({ data: { name: "test" } });
+});
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  1b. Inngest serve() — should suppress finding                     */
+/* ------------------------------------------------------------------ */
+describe("Inngest serve() recognition", () => {
+    it("suppresses finding for inngest/next serve()", () => {
+        const route = createRoute("app/api/inngest/route.ts", `
+import { serve } from "inngest/next";
+import { inngest } from "@/inngest/client";
+
+export const { GET, POST, PUT } = serve({ client: inngest, functions: [myFn] });
+`);
+        // No mutation signals in this source, override to force mutation
+        const routeWithMutation = createRoute("app/api/inngest/route.ts", `
+import { serve } from "inngest/next";
+import { inngest } from "@/inngest/client";
+
+export const { POST } = serve({ client: inngest, functions: [myFn] });
+// hypothetical mutation
+await prisma.job.create({ data: {} });
+`);
+        expect(run(makeIndex([routeWithMutation]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  2. Svix webhook verification — should suppress finding             */
+/* ------------------------------------------------------------------ */
+describe("Svix webhook verification", () => {
+    it("suppresses finding for svix Webhook.verify()", () => {
+        const route = createRoute("app/api/webhooks/clerk/route.ts", `
+import { Webhook } from "svix";
+
+export async function POST(req: Request) {
+  const body = await req.text();
+  const wh = new Webhook(process.env.CLERK_WEBHOOK_SECRET!);
+  const payload = wh.verify(body, Object.fromEntries(req.headers));
+  await prisma.user.create({ data: payload });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  3. timingSafeEqual — contextual webhook verification               */
+/* ------------------------------------------------------------------ */
+describe("timingSafeEqual webhook verification", () => {
+    it("suppresses when timingSafeEqual + headers.get + 401", () => {
+        const route = createRoute("app/api/webhooks/video/route.ts", `
+import { timingSafeEqual } from "node:crypto";
+
+export const POST = async (req: Request) => {
+  const url = new URL(req.url);
+  const token = url.searchParams.get("token");
+  const expected = metadata?.webhookToken;
+  if (!expected || !token || !timingSafeEqual(Buffer.from(token), Buffer.from(expected))) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  await prisma.asyncTask.update({ where: { id }, data: { status: "success" } });
+  return NextResponse.json({ success: true });
+};
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT suppress timingSafeEqual without request-derived data", () => {
+        const route = createRoute("app/api/compare/route.ts", `
+import { timingSafeEqual } from "node:crypto";
+
+export const POST = async (req: Request) => {
+  // timingSafeEqual used for non-auth comparison
+  const match = timingSafeEqual(Buffer.from("a"), Buffer.from("b"));
+  await prisma.user.create({ data: { name: "test" } });
+  return Response.json({ match });
+};
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  4. Auth-guard return detection (safe version)                      */
+/* ------------------------------------------------------------------ */
+describe("auth-guard return detection", () => {
+    it("suppresses for x-api-key header check + env comparison + 401 before mutation", () => {
+        const route = createRoute("app/api/internal/route.ts", `
+export async function POST(req: Request) {
+  const apiKey = req.headers.get("x-api-key");
+  if (apiKey !== process.env.API_KEY) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  await prisma.job.create({ data: { type: "sync" } });
+  return NextResponse.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("suppresses for authorization header + Bearer token check + 403", () => {
+        const route = createRoute("app/api/protected/route.ts", `
+export async function POST(req: Request) {
+  const authorization = req.headers.get("authorization");
+  if (!authorization?.startsWith("Bearer ")) {
+    return new Response("Forbidden", { status: 403 });
+  }
+  await prisma.user.update({ where: { id }, data: body });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT suppress for feature flag check + 403", () => {
+        const route = createRoute("app/api/gated/route.ts", `
+export async function POST(req: Request) {
+  const enabled = await isFeatureEnabled("new-flow");
+  if (!enabled) {
+    return NextResponse.json({ error: "Not available" }, { status: 403 });
+  }
+  await prisma.user.create({ data: { name: "test" } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+    it("does NOT suppress for plan gating + 403", () => {
+        const route = createRoute("app/api/billing/route.ts", `
+export async function POST(req: Request) {
+  const isPro = await checkPlan(userId);
+  if (!isPro) {
+    return NextResponse.json({ error: "Upgrade required" }, { status: 403 });
+  }
+  await prisma.subscription.create({ data: { userId } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+    it("does NOT suppress for 401/403 AFTER mutation (error handling, not guard)", () => {
+        const route = createRoute("app/api/late-check/route.ts", `
+export async function POST(req: Request) {
+  await prisma.audit.create({ data: { action: "attempt" } });
+  const token = req.headers.get("authorization");
+  if (!token) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+    it("suppresses for webhook header secret verification + 403", () => {
+        const route = createRoute("app/api/webhooks/memory/route.ts", `
+export const POST = async (req: Request) => {
+  const { webhook } = parseConfig();
+  if (webhook.headers && Object.keys(webhook.headers).length > 0) {
+    for (const [key, value] of Object.entries(webhook.headers)) {
+      const headerValue = req.headers.get(key);
+      if (headerValue !== value) {
+        return NextResponse.json(
+          { error: "Unauthorized" },
+          { status: 403 },
+        );
+      }
+    }
+  }
+  const executor = await MemoryExtractionExecutor.create();
+  const result = await executor.runDirect(params);
+  return NextResponse.json({ result }, { status: 200 });
+};
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  5. JWT verification (jose / jsonwebtoken)                          */
+/* ------------------------------------------------------------------ */
+describe("JWT verification", () => {
+    it("suppresses for jose jwtVerify()", () => {
+        const route = createRoute("app/api/secure/route.ts", `
+import { jwtVerify } from "jose";
+
+export async function POST(req: Request) {
+  const token = req.headers.get("authorization")?.split(" ")[1];
+  const { payload } = await jwtVerify(token, secret);
+  await prisma.action.create({ data: { userId: payload.sub } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("suppresses for jsonwebtoken verify()", () => {
+        const route = createRoute("app/api/jwt/route.ts", `
+import jwt from "jsonwebtoken";
+
+export async function POST(req: Request) {
+  const token = req.headers.get("authorization")?.split(" ")[1];
+  const decoded = jwt.verify(token, process.env.JWT_SECRET!);
+  await prisma.user.update({ where: { id: decoded.sub }, data: { lastSeen: new Date() } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT suppress for verify() without jsonwebtoken import", () => {
+        const route = createRoute("app/api/fake-verify/route.ts", `
+import { verify } from "./my-utils";
+
+export async function POST(req: Request) {
+  verify(someData);
+  await prisma.user.create({ data: { name: "test" } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(1);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  6. DB-backed API token lookup                                      */
+/* ------------------------------------------------------------------ */
+describe("DB-backed API token lookup", () => {
+    it("suppresses for header + prisma.apiKey.findUnique + 401", () => {
+        const route = createRoute("app/api/external/route.ts", `
+export async function POST(req: Request) {
+  const key = req.headers.get("x-api-key");
+  if (!key) return NextResponse.json({ error: "Missing key" }, { status: 401 });
+  const apiKey = await prisma.apiKey.findUnique({ where: { key } });
+  if (!apiKey) return NextResponse.json({ error: "Invalid key" }, { status: 403 });
+  await prisma.event.create({ data: { source: "api", keyId: apiKey.id } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("suppresses for header + prisma.apiToken.findFirst + 403", () => {
+        const route = createRoute("app/api/integration/route.ts", `
+export async function POST(req: Request) {
+  const token = req.headers.get("authorization")?.replace("Bearer ", "");
+  const apiToken = await prisma.apiToken.findFirst({ where: { token, active: true } });
+  if (!apiToken) {
+    return new Response("Forbidden", { status: 403 });
+  }
+  await prisma.webhook.create({ data: { tokenId: apiToken.id } });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  7. Callback path downgrade                                         */
+/* ------------------------------------------------------------------ */
+describe("callback path exemption", () => {
+    it("exempts /oidc/callback — public by protocol design", () => {
+        const route = createRoute("app/oidc/callback/desktop/route.ts", `
+export const GET = async (req: Request) => {
+  const code = new URL(req.url).searchParams.get("code");
+  const state = new URL(req.url).searchParams.get("state");
+  await prisma.oauthHandoff.create({ client: "desktop", id: state, payload: { code } });
+  return NextResponse.redirect(successUrl);
+};
+`, { pathname: "/oidc/callback/desktop" });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(0);
+    });
+    it("exempts /oauth/callback — public by protocol design", () => {
+        const route = createRoute("app/api/oauth/callback/route.ts", `
+export async function GET(req: Request) {
+  const code = new URL(req.url).searchParams.get("code");
+  await prisma.session.create({ data: { code } });
+  return Response.redirect("/dashboard");
+}
+`, { pathname: "/api/oauth/callback" });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(0);
+    });
+    it("does NOT downgrade regular API routes", () => {
+        const route = createRoute("app/api/users/route.ts", `
+export async function POST(req: Request) {
+  const body = await req.json();
+  await prisma.user.create({ data: body });
+  return Response.json({ ok: true });
+}
+`);
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].confidence).toBe("high");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  8. Existing patterns still work                                    */
+/* ------------------------------------------------------------------ */
+describe("existing patterns still work", () => {
+    it("suppresses for Stripe constructEvent", () => {
+        const route = createRoute("app/api/webhooks/stripe/route.ts", `
+export async function POST(req: Request) {
+  const sig = req.headers.get("stripe-signature");
+  const event = stripe.webhooks.constructEvent(body, sig, secret);
+  await prisma.payment.create({ data: event.data });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("suppresses for Supabase .auth.getUser()", () => {
+        const route = createRoute("app/api/posts/route.ts", `
+export async function POST(req: Request) {
+  const { data: { user } } = await supabase.auth.getUser();
+  if (!user) return Response.json({ error: "Unauthorized" }, { status: 401 });
+  await supabase.from("posts").insert({ title: "test", author: user.id });
+  return Response.json({ ok: true });
+}
+`);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("flags unprotected mutation route", () => {
+        const route = createRoute("app/api/unprotected/route.ts", `
+export async function POST(req: Request) {
+  const body = await req.json();
+  await prisma.user.create({ data: body });
+  return Response.json({ ok: true });
+}
+`);
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].ruleId).toBe("AUTH-BOUNDARY-MISSING");
+        expect(findings[0].severity).toBe("critical");
+        expect(findings[0].confidence).toBe("high");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  9. public-intent suppression                                       */
+/* ------------------------------------------------------------------ */
+describe("public-intent auth suppression", () => {
+    it("suppresses AUTH finding when public-intent has valid reason", () => {
+        const route = createRoute("app/api/checker/route.ts", `
+// prodcheck:public-intent reason="Public URL health checker"
+export async function POST(req: Request) {
+  const body = await req.json();
+  await prisma.check.create({ data: body });
+  return Response.json({ ok: true });
+}
+`, { publicIntent: { reason: "Public URL health checker", line: 1 } });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT suppress AUTH finding when publicIntent is absent (malformed)", () => {
+        const route = createRoute("app/api/checker/route.ts", `
+// prodcheck:public-intent
+export async function POST(req: Request) {
+  const body = await req.json();
+  await prisma.check.create({ data: body });
+  return Response.json({ ok: true });
+}
+`, { malformedPublicIntent: { line: 1, raw: "// prodcheck:public-intent" } });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].ruleId).toBe("AUTH-BOUNDARY-MISSING");
+    });
+});
+//# sourceMappingURL=auth-boundary-missing.test.js.map

package/dist/rules/auth-boundary-missing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-boundary-missing.test.js","sourceRoot":"","sources":["../../src/rules/auth-boundary-missing.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAW,MAAM,4BAA4B,CAAC;AAI1D,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,MAAM,gBAAgB,GAAG;IACvB,mBAAmB,EAAE,IAAI;IACzB,kBAAkB,EAAE,IAAI;IACxB,sBAAsB,EAAE,KAAK;IAC7B,eAAe,EAAE,CAAC,eAAe,CAAC;CACnC,CAAC;AAEF,SAAS,iBAAiB,CAAC,IAG1B;IACC,OAAO;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,IAAI,CAAC,aAAa,IAAI,KAAK;YACtC,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YAC7C,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI,EAAE;SAClD;QACD,SAAS,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,EAAE;SACvB;KACF,CAAC;AACJ,CAAC;AAED,IAAI,MAAc,CAAC;AAEnB,UAAU,CAAC,GAAG,EAAE;IACd,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACvG,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,SAAS,WAAW,CAClB,OAAe,EACf,MAAc,EACd,YAAgC,EAAE;IAElC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEhC,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO;SAC3B,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC;SACxC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAEzB,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,MAAM;QAC1D,QAAQ,EAAE,IAAI;QACd,QAAQ;QACR,OAAO,EAAE,gBAAgB;QACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACjC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,MAAmB;IACpC,OAAO;QACL,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK;YACvD,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK;YACpE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;SACrE;QACD,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,kBAAkB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1F,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE;QAC9E,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE;QACjC,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE;QAC/C,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE;QAC/C,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,YAAsC,EAAE;IAC1D,OAAO;QACL,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,CAAC;QACnB,OAAO,EAAE,EAAE;QACX,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;QAClF,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;QAC9E,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,kBAAkB,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1F,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,KAAK,EAAE,EAAE,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE;QAC5D,WAAW,EAAE,wBAAwB;QACrC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;AAE5B,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;IACpD,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,KAAK,GAAG,WAAW,CAAC,oCAAoC,EAAE;;;;;;;;;CASnE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,KAAK,GAAG,WAAW,CAAC,oCAAoC,EAAE;;;;;;CAMnE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;CAMzD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,wEAAwE;AACxE,wEAAwE;AAExE,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;CAKzD,CAAC,CAAC;QACC,iEAAiE;QACjE,MAAM,iBAAiB,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;;CAOrE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,KAAK,GAAG,WAAW,CAAC,iCAAiC,EAAE;;;;;;;;;;CAUhE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;IACpD,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,KAAK,GAAG,WAAW,CAAC,iCAAiC,EAAE;;;;;;;;;;;;;CAahE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;;;;CASzD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,KAAK,GAAG,WAAW,CAAC,2BAA2B,EAAE;;;;;;;;;CAS1D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,KAAK,GAAG,WAAW,CAAC,4BAA4B,EAAE;;;;;;;;;CAS3D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE;;;;;;;;;CASvD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;;;;CASzD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,KAAK,GAAG,WAAW,CAAC,6BAA6B,EAAE;;;;;;;;;CAS5D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE;;;;;;;;;;;;;;;;;;CAkBjE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE;;;;;;;;;CASxD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,sBAAsB,EAAE;;;;;;;;;CASrD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,KAAK,GAAG,WAAW,CAAC,8BAA8B,EAAE;;;;;;;;CAQ7D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,KAAK,GAAG,WAAW,CAAC,2BAA2B,EAAE;;;;;;;;;CAS1D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,KAAK,GAAG,WAAW,CAAC,8BAA8B,EAAE;;;;;;;;;;CAU7D,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,WAAW,CAAC,oCAAoC,EAAE;;;;;;;CAOnE,EAAE,EAAE,QAAQ,EAAE,wBAAwB,EAAE,CAAC,CAAC;QAEvC,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,KAAK,GAAG,WAAW,CAAC,iCAAiC,EAAE;;;;;;CAMhE,EAAE,EAAE,QAAQ,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAEpC,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE;;;;;;CAMvD,CAAC,CAAC;QAEC,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE;;;;;;;CAOjE,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE;;;;;;;CAOvD,CAAC,CAAC;QACC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,8BAA8B,EAAE;;;;;;CAM7D,CAAC,CAAC;QACC,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;;CAOzD,EAAE,EAAE,YAAY,EAAE,EAAE,MAAM,EAAE,2BAA2B,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE;;;;;;;CAOzD,EAAE,EAAE,qBAAqB,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,4BAA4B,EAAE,EAAE,CAAC,CAAC;QAC1E,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/rules/index.d.ts

@@ -0,0 +1,12 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ProdcheckConfig } from "../engine/types.js";
+export interface RuleMeta {
+    id: string;
+    name: string;
+    description: string;
+    defaultSeverity: string;
+    docs: string;
+}
+export declare const RULE_REGISTRY: RuleMeta[];
+export declare function runAllRules(index: NextIndex, config: ProdcheckConfig): Finding[];
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAOnE,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,aAAa,EAAE,QAAQ,EA2CnC,CAAC;AAEF,wBAAgB,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CA+ChF"}

package/dist/rules/index.js

@@ -0,0 +1,95 @@
+import * as authBoundary from "./auth-boundary-missing.js";
+import * as rateLimit from "./rate-limit-missing.js";
+import * as tenancyScope from "./tenancy-scope-missing.js";
+import * as wrapperUnrecognized from "./wrapper-unrecognized.js";
+import * as inputValidation from "./input-validation-missing.js";
+export const RULE_REGISTRY = [
+    {
+        id: "AUTH-BOUNDARY-MISSING",
+        name: "Auth Boundary Missing",
+        description: "Flags server-side mutation endpoints that lack a recognized authentication boundary.",
+        defaultSeverity: "critical",
+        docs: "Prodcheck checks for calls to known auth functions (auth(), getServerSession(), currentUser(), etc.) in route handlers and server actions that perform database writes or Stripe operations. Configure additional auth function names in hints.auth.functions.",
+    },
+    {
+        id: "RATE-LIMIT-MISSING",
+        name: "Rate Limit Missing",
+        description: "Flags public API routes without recognized rate limiting.",
+        defaultSeverity: "critical",
+        docs: "Prodcheck checks for calls to known rate limiting wrappers (@upstash/ratelimit, rate-limiter-flexible, etc.) in API route handlers. If rate limiting is handled at the edge (Cloudflare WAF, Vercel), add a waiver. Configure custom wrappers in hints.rateLimit.wrappers.",
+    },
+    {
+        id: "TENANCY-SCOPE-MISSING",
+        name: "Tenancy Scope Missing",
+        description: "Flags Prisma queries on tenant-owned models that lack tenant field in the where clause.",
+        defaultSeverity: "critical",
+        docs: "Prodcheck checks that Prisma queries include a tenant scoping field (orgId, tenantId, workspaceId) in their where clause. Only runs when Prisma is detected and the schema contains tenant fields. Configure field names in hints.tenancy.orgFieldNames.",
+    },
+    {
+        id: "INPUT-VALIDATION-MISSING",
+        name: "Input Validation Missing",
+        description: "Flags endpoints that read user input and perform writes without schema validation.",
+        defaultSeverity: "high",
+        docs: "Prodcheck checks that endpoints reading request.json(), formData(), or req.body validate input through a schema library (zod, valibot, yup, joi) before passing data to database writes or payment operations. Only flags when both body reading and writes are detected without validation.",
+    },
+    {
+        id: "WRAPPER-UNRECOGNIZED",
+        name: "Wrapper Unrecognized",
+        description: "Flags HOF wrappers that could not be analyzed for auth or rate-limit enforcement.",
+        defaultSeverity: "high",
+        docs: "Prodcheck resolves and analyzes HOF wrapper implementations to detect auth and rate-limit enforcement. When a wrapper cannot be resolved or its enforcement cannot be verified, this rule emits a single grouped finding. Add the wrapper name to hints.auth.functions or hints.rateLimit.wrappers to suppress.",
+    },
+    {
+        id: "PUBLIC-INTENT-MISSING-REASON",
+        name: "Public Intent Missing Reason",
+        description: "Flags prodcheck:public-intent directives that lack a required reason string.",
+        defaultSeverity: "med",
+        docs: "The prodcheck:public-intent directive requires a reason for auditability. Without a reason, the directive is ignored and AUTH findings are NOT suppressed. Format: // prodcheck:public-intent reason=\"description\"",
+    },
+];
+export function runAllRules(index, config) {
+    const findings = [];
+    // Only run rules that are configured (all 3 are on by default)
+    if (config.rules["AUTH-BOUNDARY-MISSING"]) {
+        findings.push(...authBoundary.run(index, config));
+    }
+    if (config.rules["RATE-LIMIT-MISSING"]) {
+        findings.push(...rateLimit.run(index, config));
+    }
+    if (config.rules["TENANCY-SCOPE-MISSING"]) {
+        findings.push(...tenancyScope.run(index, config));
+    }
+    if (config.rules["INPUT-VALIDATION-MISSING"]) {
+        findings.push(...inputValidation.run(index, config));
+    }
+    // WRAPPER-UNRECOGNIZED is always enabled unless explicitly configured out
+    if (config.rules["WRAPPER-UNRECOGNIZED"] !== undefined ? config.rules["WRAPPER-UNRECOGNIZED"] : true) {
+        findings.push(...wrapperUnrecognized.run(index, config));
+    }
+    // PUBLIC-INTENT-MISSING-REASON: flag malformed directives
+    for (const route of index.routes.all) {
+        if (route.malformedPublicIntent) {
+            findings.push({
+                ruleId: "PUBLIC-INTENT-MISSING-REASON",
+                severity: "med",
+                confidence: "high",
+                message: "prodcheck:public-intent requires a reason for auditability",
+                file: route.file,
+                line: route.malformedPublicIntent.line,
+                snippet: route.malformedPublicIntent.raw,
+                evidence: [
+                    "Directive found without valid reason=\"...\" — treated as not public-intent",
+                    "AUTH findings are NOT suppressed and RL severity is NOT floored",
+                ],
+                confidenceRationale: "High: directive syntax is deterministic",
+                remediation: [
+                    'Add a reason: // prodcheck:public-intent reason="Public URL health checker"',
+                    "Without a reason, the directive is ignored for all rule behavior",
+                ],
+                tags: ["misconfig", "public-intent"],
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=index.js.map

package/dist/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,YAAY,MAAM,4BAA4B,CAAC;AAC3D,OAAO,KAAK,SAAS,MAAM,yBAAyB,CAAC;AACrD,OAAO,KAAK,YAAY,MAAM,4BAA4B,CAAC;AAC3D,OAAO,KAAK,mBAAmB,MAAM,2BAA2B,CAAC;AACjE,OAAO,KAAK,eAAe,MAAM,+BAA+B,CAAC;AAUjE,MAAM,CAAC,MAAM,aAAa,GAAe;IACvC;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,sFAAsF;QACnG,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,gQAAgQ;KACvQ;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2DAA2D;QACxE,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,4QAA4Q;KACnR;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,yFAAyF;QACtG,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,0PAA0P;KACjQ;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,0BAA0B;QAChC,WAAW,EAAE,oFAAoF;QACjG,eAAe,EAAE,MAAM;QACvB,IAAI,EAAE,8RAA8R;KACrS;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,mFAAmF;QAChG,eAAe,EAAE,MAAM;QACvB,IAAI,EAAE,iTAAiT;KACxT;IACD;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,8EAA8E;QAC3F,eAAe,EAAE,KAAK;QACtB,IAAI,EAAE,sNAAsN;KAC7N;CACF,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,KAAgB,EAAE,MAAuB;IACnE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,+DAA+D;IAC/D,IAAI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACvC,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,0EAA0E;IAC1E,IAAI,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACrG,QAAQ,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,0DAA0D;IAC1D,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACrC,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,8BAA8B;gBACtC,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,4DAA4D;gBACrE,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,qBAAqB,CAAC,IAAI;gBACtC,OAAO,EAAE,KAAK,CAAC,qBAAqB,CAAC,GAAG;gBACxC,QAAQ,EAAE;oBACR,6EAA6E;oBAC7E,iEAAiE;iBAClE;gBACD,mBAAmB,EAAE,yCAAyC;gBAC9D,WAAW,EAAE;oBACX,6EAA6E;oBAC7E,kEAAkE;iBACnE;gBACD,IAAI,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/rules/input-validation-missing.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ProdcheckConfig } from "../engine/types.js";
+export declare const RULE_ID = "INPUT-VALIDATION-MISSING";
+export declare function run(index: NextIndex, config: ProdcheckConfig): Finding[];
+//# sourceMappingURL=input-validation-missing.d.ts.map

package/dist/rules/input-validation-missing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-validation-missing.d.ts","sourceRoot":"","sources":["../../src/rules/input-validation-missing.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAA+B,MAAM,kBAAkB,CAAC;AAC/E,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAInE,eAAO,MAAM,OAAO,6BAA6B,CAAC;AAqBlD,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CA8ExE"}