@fourteensystems/shipguard 0.1.0 → 0.2.1

package/dist/rules/rate-limit-missing.test.js

@@ -0,0 +1,325 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import path from "node:path";
+import { run } from "./rate-limit-missing.js";
+/* ------------------------------------------------------------------ */
+/*  Helpers                                                            */
+/* ------------------------------------------------------------------ */
+const NO_SIGNALS = {
+    hasMutationEvidence: false,
+    hasDbWriteEvidence: false,
+    hasStripeWriteEvidence: false,
+    mutationDetails: [],
+};
+const MUTATION_SIGNALS = {
+    hasMutationEvidence: true,
+    hasDbWriteEvidence: true,
+    hasStripeWriteEvidence: false,
+    mutationDetails: ["prisma.create"],
+};
+function protectionSummary(opts) {
+    return {
+        auth: {
+            satisfied: opts.authSatisfied ?? false,
+            enforced: false,
+            sources: opts.authSatisfied ? ["direct"] : [],
+            details: [],
+            unverifiedWrappers: [],
+        },
+        rateLimit: {
+            satisfied: opts.rlSatisfied ?? false,
+            enforced: false,
+            sources: [],
+            details: [],
+            unverifiedWrappers: opts.unverifiedWrappers ?? [],
+        },
+    };
+}
+let tmpDir;
+beforeEach(() => {
+    tmpDir = path.join("/tmp", `shipguard-rl-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tmpDir, { recursive: true });
+});
+afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+});
+/** Create a route file on disk and return a NextRoute pointing to it */
+function createRoute(relPath, source, overrides = {}) {
+    const fullPath = path.join(tmpDir, relPath);
+    mkdirSync(path.dirname(fullPath), { recursive: true });
+    writeFileSync(fullPath, source);
+    const pathname = "/" + relPath
+        .replace(/\/route\.(ts|tsx|js|jsx)$/, "")
+        .replace(/^app\//, "");
+    return {
+        kind: "route-handler",
+        file: relPath,
+        isApi: pathname.startsWith("/api/") || pathname === "/api",
+        isPublic: true,
+        pathname,
+        signals: NO_SIGNALS,
+        protection: protectionSummary({}),
+        ...overrides,
+    };
+}
+function makeIndex(routes) {
+    return {
+        version: 1,
+        framework: "next-app-router",
+        rootDir: tmpDir,
+        deps: {
+            hasNextAuth: false, hasClerk: false, hasSupabase: false,
+            hasKinde: false, hasWorkOS: false, hasBetterAuth: false,
+            hasLucia: false, hasAuth0: false, hasIronSession: false,
+            hasFirebaseAuth: false, hasUpstashRatelimit: false, hasArcjet: false,
+            hasUnkey: false, hasPrisma: false, hasDrizzle: false, hasTrpc: false,
+        },
+        hints: {
+            auth: { functions: ["auth"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        middleware: { authLikely: false, rateLimitLikely: false, matcherPatterns: [] },
+        wrappers: { wrappers: new Map() },
+        routes: { all: routes, mutationRoutes: routes.filter(r => r.signals.hasMutationEvidence) },
+        serverActions: { all: [], mutationActions: [] },
+        trpc: { detected: false, procedures: [], mutationProcedures: [] },
+    };
+}
+function makeConfig(overrides = {}) {
+    return {
+        framework: "next-app-router",
+        include: ["app/**"],
+        exclude: [],
+        ci: { failOn: "critical", minConfidence: "high", minScore: 70, maxNewCritical: 0 },
+        scoring: { start: 100, penalties: { critical: 25, high: 10, med: 3, low: 1 } },
+        hints: {
+            auth: { functions: ["auth"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        rules: { "RATE-LIMIT-MISSING": { severity: "critical" } },
+        waiversFile: "shipguard.waivers.json",
+        ...overrides,
+    };
+}
+const BASIC_HANDLER = `export async function GET(request: Request) { return Response.json({ ok: true }); }`;
+const MUTATION_HANDLER = `export async function POST(request: Request) {
+  const body = await request.json();
+  await prisma.user.create({ data: body });
+  return Response.json({ ok: true });
+}`;
+const BODY_HANDLER = `export async function POST(request: Request) {
+  const body = await request.json();
+  return Response.json({ received: true });
+}`;
+/* ------------------------------------------------------------------ */
+/*  Framework-managed exemptions                                       */
+/* ------------------------------------------------------------------ */
+describe("framework-managed route exemptions", () => {
+    const config = makeConfig();
+    it("exempts NextAuth catch-all route", () => {
+        const route = createRoute("app/api/auth/[...nextauth]/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts NextAuth with different param name", () => {
+        const route = createRoute("app/api/auth/[...params]/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts OAuth token endpoint", () => {
+        const route = createRoute("app/api/oauth/token/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts SAML callback route", () => {
+        const route = createRoute("app/api/auth/saml/callback/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts callback routes from external services", () => {
+        const route = createRoute("app/api/callback/stripe/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts nested callback routes", () => {
+        const route = createRoute("app/api/slack/callback/route.ts", BASIC_HANDLER, {
+            pathname: "/api/slack/callback",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts OG image routes", () => {
+        const route = createRoute("app/api/og/analytics/route.tsx", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts terminal OG path", () => {
+        const route = createRoute("app/api/og/route.tsx", BASIC_HANDLER, {
+            pathname: "/api/og",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT exempt regular API routes", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER);
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Improved webhook detection                                         */
+/* ------------------------------------------------------------------ */
+describe("webhook path detection", () => {
+    const config = makeConfig();
+    it("exempts /webhook path", () => {
+        const route = createRoute("app/api/webhook/route.ts", BASIC_HANDLER, {
+            pathname: "/api/webhook",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts compound webhook path like /stripe-webhook", () => {
+        const route = createRoute("app/api/billing/stripe-webhook/route.ts", BASIC_HANDLER, {
+            pathname: "/api/billing/stripe-webhook",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts /webhooks/stripe nested path", () => {
+        const route = createRoute("app/api/webhooks/stripe/route.ts", BASIC_HANDLER, {
+            pathname: "/api/webhooks/stripe",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Existing exemptions still work                                     */
+/* ------------------------------------------------------------------ */
+describe("existing exemptions", () => {
+    const config = makeConfig();
+    it("exempts health check routes", () => {
+        const route = createRoute("app/api/health/route.ts", BASIC_HANDLER, {
+            pathname: "/api/health",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts cron routes", () => {
+        const route = createRoute("app/api/cron/daily/route.ts", BASIC_HANDLER, {
+            pathname: "/api/cron/daily",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("skips non-API routes", () => {
+        const route = createRoute("app/dashboard/route.ts", BASIC_HANDLER, {
+            pathname: "/dashboard",
+            isApi: false,
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("skips routes with rate-limit protection satisfied", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ rlSatisfied: true }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("defers to WRAPPER-UNRECOGNIZED for unverified wrappers", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ unverifiedWrappers: ["withCustom"] }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Auth-aware severity: public routes (unchanged behavior)            */
+/* ------------------------------------------------------------------ */
+describe("severity: public routes (no auth)", () => {
+    const config = makeConfig();
+    it("public mutation route → critical/high", () => {
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("critical");
+        expect(findings[0].confidence).toBe("high");
+    });
+    it("public body-parsing route → high/high", () => {
+        const route = createRoute("app/api/upload/route.ts", BODY_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("high");
+        expect(findings[0].confidence).toBe("high");
+    });
+    it("public GET-only route → med/med", () => {
+        const route = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("med");
+        expect(findings[0].confidence).toBe("med");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Auth-aware severity: authed routes (new behavior)                  */
+/* ------------------------------------------------------------------ */
+describe("severity: authenticated routes", () => {
+    const config = makeConfig();
+    it("authed mutation route → med/med (downgraded from critical)", () => {
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: true }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("med");
+        expect(findings[0].confidence).toBe("med");
+        expect(findings[0].evidence).toContain("route has auth boundary — rate limiting is secondary defense");
+    });
+    it("authed body-parsing route → low/low (downgraded from high)", () => {
+        const route = createRoute("app/api/upload/route.ts", BODY_HANDLER, {
+            protection: protectionSummary({ authSatisfied: true }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("low");
+        expect(findings[0].confidence).toBe("low");
+    });
+    it("authed GET-only route → low/low (downgraded from med)", () => {
+        const route = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: true }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("low");
+        expect(findings[0].confidence).toBe("low");
+        expect(findings[0].evidence).toContain("route has auth boundary — rate limiting is secondary defense");
+    });
+    it("authed route gets different message and remediation than public", () => {
+        const authedRoute = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: true }),
+        });
+        const publicRoute = createRoute("app/api/other/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const authedFindings = run(makeIndex([authedRoute]), config);
+        const publicFindings = run(makeIndex([publicRoute]), config);
+        expect(authedFindings[0].message).toContain("Authenticated");
+        expect(publicFindings[0].message).toContain("Public");
+        expect(authedFindings[0].remediation).not.toEqual(publicFindings[0].remediation);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Severity cap                                                       */
+/* ------------------------------------------------------------------ */
+describe("severity cap", () => {
+    it("caps severity at rule max from config", () => {
+        const config = makeConfig({
+            rules: { "RATE-LIMIT-MISSING": { severity: "high" } },
+        });
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        // Would be critical but capped to high
+        expect(findings[0].severity).toBe("high");
+    });
+});
+//# sourceMappingURL=rate-limit-missing.test.js.map

package/dist/rules/rate-limit-missing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-missing.test.js","sourceRoot":"","sources":["../../src/rules/rate-limit-missing.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAW,MAAM,yBAAyB,CAAC;AAIvD,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,MAAM,UAAU,GAAG;IACjB,mBAAmB,EAAE,KAAK;IAC1B,kBAAkB,EAAE,KAAK;IACzB,sBAAsB,EAAE,KAAK;IAC7B,eAAe,EAAE,EAAc;CAChC,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,mBAAmB,EAAE,IAAI;IACzB,kBAAkB,EAAE,IAAI;IACxB,sBAAsB,EAAE,KAAK;IAC7B,eAAe,EAAE,CAAC,eAAe,CAAC;CACnC,CAAC;AAEF,SAAS,iBAAiB,CAAC,IAI1B;IACC,OAAO;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,IAAI,CAAC,aAAa,IAAI,KAAK;YACtC,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YAC7C,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,EAAE;SACvB;QACD,SAAS,EAAE;YACT,SAAS,EAAE,IAAI,CAAC,WAAW,IAAI,KAAK;YACpC,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI,EAAE;SAClD;KACF,CAAC;AACJ,CAAC;AAED,IAAI,MAAc,CAAC;AAEnB,UAAU,CAAC,GAAG,EAAE;IACd,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrG,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,SAAS,WAAW,CAClB,OAAe,EACf,MAAc,EACd,YAAgC,EAAE;IAElC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEhC,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO;SAC3B,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC;SACxC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAEzB,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,MAAM;QAC1D,QAAQ,EAAE,IAAI;QACd,QAAQ;QACR,OAAO,EAAE,UAAU;QACnB,UAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACjC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,MAAmB;IACpC,OAAO;QACL,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK;YACvD,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK;YACpE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;SACrE;QACD,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YACtE,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE;QAC9E,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE;QACjC,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QAC1F,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE;QAC/C,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,YAAsC,EAAE;IAC1D,OAAO;QACL,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,CAAC;QACnB,OAAO,EAAE,EAAE;QACX,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;QAClF,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;QAC9E,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YACtE,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,KAAK,EAAE,EAAE,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE;QACzD,WAAW,EAAE,wBAAwB;QACrC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,MAAM,aAAa,GAAG,qFAAqF,CAAC;AAC5G,MAAM,gBAAgB,GAAG;;;;EAIvB,CAAC;AACH,MAAM,YAAY,GAAG;;;EAGnB,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,qCAAqC,EAAE,aAAa,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,WAAW,CAAC,mCAAmC,EAAE,aAAa,CAAC,CAAC;QAC9E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,WAAW,CAAC,8BAA8B,EAAE,aAAa,CAAC,CAAC;QACzE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,WAAW,CAAC,qCAAqC,EAAE,aAAa,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE,aAAa,CAAC,CAAC;QAC7E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,KAAK,GAAG,WAAW,CAAC,iCAAiC,EAAE,aAAa,EAAE;YAC1E,QAAQ,EAAE,qBAAqB;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,WAAW,CAAC,gCAAgC,EAAE,aAAa,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,KAAK,GAAG,WAAW,CAAC,sBAAsB,EAAE,aAAa,EAAE;YAC/D,QAAQ,EAAE,SAAS;SACpB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE,aAAa,EAAE;YACnE,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,WAAW,CAAC,yCAAyC,EAAE,aAAa,EAAE;YAClF,QAAQ,EAAE,6BAA6B;SACxC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE,aAAa,EAAE;YAC3E,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,aAAa,EAAE;YAClE,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,KAAK,GAAG,WAAW,CAAC,6BAA6B,EAAE,aAAa,EAAE;YACtE,QAAQ,EAAE,iBAAiB;SAC5B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;SACrD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,YAAY,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YAChE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;SACvD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,8DAA8D,CAAC,CAAC;IACzG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,YAAY,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;SACvD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YAChE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;SACvD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,8DAA8D,CAAC,CAAC;IACzG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,WAAW,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YACtE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;SACvD,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACvE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QAEH,MAAM,cAAc,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QAE7D,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAC7D,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,MAAM,GAAG,UAAU,CAAC;YACxB,KAAK,EAAE,EAAE,oBAAoB,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE;SACtD,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,uCAAuC;QACvC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/rules/wrapper-unrecognized.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ShipguardConfig } from "../engine/types.js";
+export declare const RULE_ID = "WRAPPER-UNRECOGNIZED";
+export declare function run(index: NextIndex, config: ShipguardConfig): Finding[];
+//# sourceMappingURL=wrapper-unrecognized.d.ts.map

package/dist/rules/wrapper-unrecognized.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapper-unrecognized.d.ts","sourceRoot":"","sources":["../../src/rules/wrapper-unrecognized.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAGnE,eAAO,MAAM,OAAO,yBAAyB,CAAC;AAU9C,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAiFxE"}

package/dist/rules/wrapper-unrecognized.js

@@ -0,0 +1,76 @@
+export const RULE_ID = "WRAPPER-UNRECOGNIZED";
+const SEVERITY_RANK = { critical: 4, high: 3, med: 2, low: 1 };
+function capSeverity(computed, max) {
+    const maxRank = SEVERITY_RANK[max] ?? 4;
+    const computedRank = SEVERITY_RANK[computed] ?? 2;
+    return computedRank > maxRank ? max : computed;
+}
+export function run(index, config) {
+    const findings = [];
+    const maxSeverity = config.rules[RULE_ID]?.severity ?? "high";
+    for (const [name, wrapper] of index.wrappers.wrappers) {
+        // Skip fully resolved wrappers where both auth AND rate-limit are enforced
+        if (wrapper.resolved && wrapper.evidence.authEnforced && wrapper.evidence.rateLimitEnforced) {
+            continue;
+        }
+        // Determine what this wrapper WOULD have triggered
+        const wouldTrigger = [];
+        // Check if any wrapped routes are mutation routes (need auth)
+        const mutationFileSet = new Set(index.routes.mutationRoutes.map((r) => r.file));
+        const wrappedMutationFiles = wrapper.usageFiles.filter((f) => mutationFileSet.has(f));
+        if (wrappedMutationFiles.length > 0) {
+            if (!wrapper.resolved || !wrapper.evidence.authEnforced) {
+                wouldTrigger.push("AUTH-BOUNDARY-MISSING");
+            }
+        }
+        // Check if any wrapped routes are API routes (need rate limiting)
+        const apiFileSet = new Set(index.routes.all.filter((r) => r.isApi).map((r) => r.file));
+        const wrappedApiFiles = wrapper.usageFiles.filter((f) => apiFileSet.has(f));
+        if (wrappedApiFiles.length > 0) {
+            if (!wrapper.resolved || !wrapper.evidence.rateLimitEnforced) {
+                wouldTrigger.push("RATE-LIMIT-MISSING");
+            }
+        }
+        if (wouldTrigger.length === 0)
+            continue;
+        // Severity = high if wrapping mutation routes, med otherwise
+        const computedSeverity = wrappedMutationFiles.length > 0 ? "high" : "med";
+        const status = !wrapper.resolved
+            ? "could not be resolved"
+            : wrapper.evidence.authCallPresent && !wrapper.evidence.authEnforced
+                ? "calls auth but enforcement not proven"
+                : wrapper.evidence.rateLimitCallPresent && !wrapper.evidence.rateLimitEnforced
+                    ? "calls rate limiter but enforcement not proven"
+                    : "missing protections";
+        const evidence = [
+            `${name}() wraps ${wrapper.usageCount} route handler(s) (${wrapper.mutationRouteCount} mutation)`,
+            `Would have triggered: ${wouldTrigger.join(", ")}`,
+            `Top routes: ${wrapper.usageFiles.slice(0, 5).join(", ")}${wrapper.usageCount > 5 ? ` (+${wrapper.usageCount - 5} more)` : ""}`,
+        ];
+        if (wrapper.evidence.authCallPresent) {
+            evidence.push(`Auth call detected: ${wrapper.evidence.authDetails.join(", ")}`);
+        }
+        if (wrapper.evidence.rateLimitCallPresent) {
+            evidence.push(`Rate-limit call detected: ${wrapper.evidence.rateLimitDetails.join(", ")}`);
+        }
+        findings.push({
+            ruleId: RULE_ID,
+            severity: capSeverity(computedSeverity, maxSeverity),
+            confidence: "high",
+            message: `Wrapper "${name}" wraps ${wrapper.usageCount} handler(s); ${status}`,
+            file: wrapper.usageFiles[0],
+            evidence,
+            confidenceRationale: "High: wrapper usage is certain, but protection cannot be verified",
+            remediation: [
+                `If ${name} enforces auth: add "${name}" to hints.auth.functions`,
+                `If ${name} enforces rate limiting: add "${name}" to hints.rateLimit.wrappers`,
+                ...(wrapper.definitionFile
+                    ? [`Verify wrapper implementation at ${wrapper.definitionFile}`]
+                    : [`Wrapper definition could not be found — check import paths`]),
+            ],
+            tags: ["wrapper", "config"],
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=wrapper-unrecognized.js.map

package/dist/rules/wrapper-unrecognized.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapper-unrecognized.js","sourceRoot":"","sources":["../../src/rules/wrapper-unrecognized.ts"],"names":[],"mappings":"AAIA,MAAM,CAAC,MAAM,OAAO,GAAG,sBAAsB,CAAC;AAE9C,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAEvF,SAAS,WAAW,CAAC,QAAkB,EAAE,GAAW;IAClD,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,YAAY,GAAG,OAAO,CAAC,CAAC,CAAE,GAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,MAAM,CAAC;IAE9D,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtD,2EAA2E;QAC3E,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;YAC5F,SAAS;QACX,CAAC;QAED,mDAAmD;QACnD,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,8DAA8D;QAC9D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAChF,MAAM,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEtF,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;gBACxD,YAAY,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,MAAM,UAAU,GAAG,IAAI,GAAG,CACxB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC3D,CAAC;QACF,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;gBAC7D,YAAY,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAExC,6DAA6D;QAC7D,MAAM,gBAAgB,GAAa,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QAEpF,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ;YAC9B,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAClE,CAAC,CAAC,uCAAuC;gBACzC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB;oBAC5E,CAAC,CAAC,+CAA+C;oBACjD,CAAC,CAAC,qBAAqB,CAAC;QAE9B,MAAM,QAAQ,GAAa;YACzB,GAAG,IAAI,YAAY,OAAO,CAAC,UAAU,sBAAsB,OAAO,CAAC,kBAAkB,YAAY;YACjG,yBAAyB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAClD,eAAe,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,UAAU,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;SAChI,CAAC;QAEF,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC,uBAAuB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC;YAC1C,QAAQ,CAAC,IAAI,CAAC,6BAA6B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7F,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,WAAW,CAAC,gBAAgB,EAAE,WAAW,CAAC;YACpD,UAAU,EAAE,MAAM;YAClB,OAAO,EAAE,YAAY,IAAI,WAAW,OAAO,CAAC,UAAU,gBAAgB,MAAM,EAAE;YAC9E,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;YAC3B,QAAQ;YACR,mBAAmB,EAAE,mEAAmE;YACxF,WAAW,EAAE;gBACX,MAAM,IAAI,wBAAwB,IAAI,2BAA2B;gBACjE,MAAM,IAAI,iCAAiC,IAAI,+BAA+B;gBAC9E,GAAG,CAAC,OAAO,CAAC,cAAc;oBACxB,CAAC,CAAC,CAAC,oCAAoC,OAAO,CAAC,cAAc,EAAE,CAAC;oBAChE,CAAC,CAAC,CAAC,4DAA4D,CAAC,CAAC;aACpE;YACD,IAAI,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/util/hof.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Shared Higher-Order Function (HOF) detection utilities.
+ * Used by wrapper analysis and rules.
+ */
+/**
+ * Extract the ordered chain of HOF wrapper names from route source.
+ * E.g., `export const POST = withWorkspace(withErrorBoundary(handler))` → ["withWorkspace", "withErrorBoundary"]
+ * E.g., `export default withAuth(handler)` → ["withAuth"]
+ * Returns empty array if no HOF wrapper detected.
+ */
+export declare function extractHofWrapperChain(src: string): string[];
+/**
+ * Check if route source is exported via a specific known function (HOF pattern).
+ * E.g., `export const POST = withAuth(handler)` with functionName="withAuth" → true
+ */
+export declare function isWrappedByFunction(src: string, functionName: string): boolean;
+/**
+ * Find the import source for a given identifier in the source.
+ * Returns the module specifier or undefined if not imported (same-file definition).
+ */
+export declare function findImportSource(src: string, identifierName: string): string | undefined;
+//# sourceMappingURL=hof.d.ts.map

package/dist/util/hof.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hof.d.ts","sourceRoot":"","sources":["../../src/util/hof.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAsB5D;AA2CD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAY9E;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAoBxF"}

package/dist/util/hof.js

@@ -0,0 +1,99 @@
+/**
+ * Shared Higher-Order Function (HOF) detection utilities.
+ * Used by wrapper analysis and rules.
+ */
+const HTTP_METHODS = "GET|POST|PUT|PATCH|DELETE";
+/**
+ * Extract the ordered chain of HOF wrapper names from route source.
+ * E.g., `export const POST = withWorkspace(withErrorBoundary(handler))` → ["withWorkspace", "withErrorBoundary"]
+ * E.g., `export default withAuth(handler)` → ["withAuth"]
+ * Returns empty array if no HOF wrapper detected.
+ */
+export function extractHofWrapperChain(src) {
+    const chains = [];
+    // Pattern 1: export const METHOD = wrapper(...)
+    const constPattern = new RegExp(`export\\s+(?:const|let|var)\\s+(?:${HTTP_METHODS})\\s*=\\s*(.+)`, "gm");
+    for (const m of src.matchAll(constPattern)) {
+        chains.push(...extractCallChain(m[1]));
+    }
+    // Pattern 2: export default wrapper(...)
+    const defaultPattern = /export\s+default\s+([a-zA-Z_]\w*)\s*\(/gm;
+    for (const m of src.matchAll(defaultPattern)) {
+        // Only add if not already captured
+        if (!chains.includes(m[1])) {
+            chains.push(m[1]);
+        }
+    }
+    return [...new Set(chains)];
+}
+/**
+ * Extract function names from a call chain expression.
+ * E.g., "withWorkspace(withErrorBoundary(handler))" → ["withWorkspace", "withErrorBoundary"]
+ * E.g., "withAuth(async (req) => { ... })" → ["withAuth"]
+ *
+ * Only extracts the leading nested call chain — stops at the first
+ * non-wrapper token (e.g., `async`, handler body) to avoid picking
+ * up identifiers deep inside the handler.
+ */
+function extractCallChain(expr) {
+    const names = [];
+    let pos = 0;
+    while (pos < expr.length) {
+        // Skip whitespace
+        while (pos < expr.length && /\s/.test(expr[pos]))
+            pos++;
+        // Try to match identifier(
+        const remaining = expr.slice(pos);
+        const match = remaining.match(/^([a-zA-Z_]\w*)\s*\(/);
+        if (!match)
+            break;
+        const name = match[1];
+        if (SKIP_IDENTIFIERS.has(name))
+            break; // Not a wrapper, stop
+        names.push(name);
+        pos += match[0].length;
+    }
+    return names;
+}
+const SKIP_IDENTIFIERS = new Set([
+    "async", "await", "function", "return", "new", "typeof", "void",
+    "if", "else", "for", "while", "switch", "case", "try", "catch",
+    "throw", "const", "let", "var", "class", "import", "export",
+    "console", "Error", "Promise", "Array", "Object", "String", "Number",
+    "Boolean", "JSON", "Math", "Date", "RegExp", "Map", "Set",
+    "Response", "Request", "Headers", "NextResponse", "NextRequest",
+]);
+/**
+ * Check if route source is exported via a specific known function (HOF pattern).
+ * E.g., `export const POST = withAuth(handler)` with functionName="withAuth" → true
+ */
+export function isWrappedByFunction(src, functionName) {
+    const escaped = functionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    // export const METHOD = fn(...)
+    const hofPattern = new RegExp(`export\\s+(?:const|let|var)\\s+(?:${HTTP_METHODS})\\s*=\\s*${escaped}\\s*\\(`, "m");
+    if (hofPattern.test(src))
+        return true;
+    // export default fn(...)
+    const defaultPattern = new RegExp(`export\\s+default\\s+${escaped}\\s*\\(`, "m");
+    return defaultPattern.test(src);
+}
+/**
+ * Find the import source for a given identifier in the source.
+ * Returns the module specifier or undefined if not imported (same-file definition).
+ */
+export function findImportSource(src, identifierName) {
+    const escaped = identifierName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    // Named import: import { name } from "source" or import { other as name } from "source"
+    const namedPattern = new RegExp(`import\\s*\\{[^}]*\\b(?:${escaped}|\\w+\\s+as\\s+${escaped})\\b[^}]*\\}\\s*from\\s*["']([^"']+)["']`);
+    const namedMatch = src.match(namedPattern);
+    if (namedMatch)
+        return namedMatch[1];
+    // Default import: import name from "source"
+    const defaultPattern = new RegExp(`import\\s+${escaped}\\s+from\\s*["']([^"']+)["']`);
+    const defaultMatch = src.match(defaultPattern);
+    if (defaultMatch)
+        return defaultMatch[1];
+    // Namespace import + property access won't match here — that's fine for v1
+    return undefined;
+}
+//# sourceMappingURL=hof.js.map

package/dist/util/hof.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hof.js","sourceRoot":"","sources":["../../src/util/hof.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,YAAY,GAAG,2BAA2B,CAAC;AAEjD;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,GAAW;IAChD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,gDAAgD;IAChD,MAAM,YAAY,GAAG,IAAI,MAAM,CAC7B,qCAAqC,YAAY,gBAAgB,EACjE,IAAI,CACL,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,yCAAyC;IACzC,MAAM,cAAc,GAAG,0CAA0C,CAAC;IAClE,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC7C,mCAAmC;QACnC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,GAAG,GAAG,CAAC,CAAC;IAEZ,OAAO,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,kBAAkB;QAClB,OAAO,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAAE,GAAG,EAAE,CAAC;QAExD,2BAA2B;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtD,IAAI,CAAC,KAAK;YAAE,MAAM;QAElB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,MAAM,CAAC,sBAAsB;QAE7D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACzB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM;IAC/D,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO;IAC9D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ;IAC3D,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IACpE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK;IACzD,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa;CAChE,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,YAAoB;IACnE,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IACpE,gCAAgC;IAChC,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,qCAAqC,YAAY,aAAa,OAAO,SAAS,EAC9E,GAAG,CACJ,CAAC;IACF,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,yBAAyB;IACzB,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,wBAAwB,OAAO,SAAS,EAAE,GAAG,CAAC,CAAC;IACjF,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW,EAAE,cAAsB;IAClE,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IAEtE,wFAAwF;IACxF,MAAM,YAAY,GAAG,IAAI,MAAM,CAC7B,2BAA2B,OAAO,kBAAkB,OAAO,0CAA0C,CACtG,CAAC;IACF,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAC3C,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;IAErC,4CAA4C;IAC5C,MAAM,cAAc,GAAG,IAAI,MAAM,CAC/B,aAAa,OAAO,8BAA8B,CACnD,CAAC;IACF,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/C,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IAEzC,2EAA2E;IAE3E,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/util/hof.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=hof.test.d.ts.map

package/dist/util/hof.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hof.test.d.ts","sourceRoot":"","sources":["../../src/util/hof.test.ts"],"names":[],"mappings":""}