@fourteensystems/shipguard 0.1.0

package/dist/rules/auth-boundary-missing.js

@@ -0,0 +1,278 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { isAllowlisted } from "../util/paths.js";
+export const RULE_ID = "AUTH-BOUNDARY-MISSING";
+export function run(index, config) {
+    const findings = [];
+    const severity = config.rules[RULE_ID]?.severity ?? "critical";
+    const authAllowlist = config.hints.auth.allowlistPaths;
+    // Check mutation route handlers
+    for (const route of index.routes.mutationRoutes) {
+        if (isAllowlisted(route.file, authAllowlist))
+            continue;
+        const result = checkRoute(route, index, config);
+        if (result) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity,
+                confidence: result.confidence,
+                message: `Route handler performs mutations without a recognized auth boundary`,
+                file: route.file,
+                line: result.line,
+                snippet: result.snippet,
+                evidence: result.evidence,
+                confidenceRationale: result.confidenceRationale,
+                remediation: [
+                    "Add an auth check at the top of the handler (e.g., `const session = await auth()`)",
+                    "Ensure middleware.ts protects this route segment",
+                    "If using a custom auth wrapper, add it to hints.auth.functions in shipguard.config.json",
+                ],
+                tags: ["auth", "server"],
+            });
+        }
+    }
+    // Check mutation server actions (deduplicate by file since auth check is file-level)
+    const seenActionFiles = new Set();
+    for (const action of index.serverActions.mutationActions) {
+        if (seenActionFiles.has(action.file))
+            continue;
+        seenActionFiles.add(action.file);
+        if (isAllowlisted(action.file, authAllowlist))
+            continue;
+        const result = checkServerAction(action, index, config);
+        if (result) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity,
+                confidence: result.confidence,
+                message: `Server action performs mutations without a recognized auth boundary`,
+                file: action.file,
+                line: result.line,
+                snippet: result.snippet,
+                evidence: result.evidence,
+                confidenceRationale: result.confidenceRationale,
+                remediation: [
+                    "Add an auth check at the top of the server action",
+                    "If using a custom auth wrapper, add it to hints.auth.functions in shipguard.config.json",
+                ],
+                tags: ["auth", "server-action"],
+            });
+        }
+    }
+    // Check tRPC mutation procedures
+    for (const proc of index.trpc.mutationProcedures) {
+        if (proc.procedureType === "protected")
+            continue;
+        if (isAllowlisted(proc.file, authAllowlist))
+            continue;
+        const confidence = proc.procedureType === "public" ? "high" : "med";
+        findings.push({
+            ruleId: RULE_ID,
+            severity,
+            confidence,
+            message: `tRPC mutation "${proc.name}" uses ${proc.procedureType}Procedure without auth boundary`,
+            file: proc.file,
+            line: proc.line,
+            evidence: [`${proc.procedureType}Procedure.mutation()`, ...proc.signals.mutationDetails],
+            confidenceRationale: proc.procedureType === "public"
+                ? "High: public tRPC mutation with no auth boundary"
+                : "Medium: unrecognized procedure type (may have auth middleware)",
+            remediation: [
+                "Use protectedProcedure instead of publicProcedure for mutations",
+                "Add auth middleware to the procedure chain: publicProcedure.use(authMiddleware).mutation(...)",
+                "If this mutation is intentionally public, add a waiver with reason",
+            ],
+            tags: ["auth", "trpc"],
+        });
+    }
+    return findings;
+}
+function checkRoute(route, index, config) {
+    const src = readSource(index.rootDir, route.file);
+    if (!src)
+        return null;
+    // Check if auth boundary exists (call inside handler body)
+    if (hasAuthCall(src, config.hints.auth.functions))
+        return null;
+    // Check if handler is wrapped by a known auth function (HOF pattern)
+    if (isWrappedByAuthFunction(src, config.hints.auth.functions))
+        return null;
+    // Check if middleware covers this route
+    if (isProtectedByMiddleware(route, index))
+        return null;
+    // Check for built-in auth patterns (webhook signatures, cron keys, etc.)
+    if (hasBuiltInAuthPattern(src))
+        return null;
+    // No auth found — determine confidence
+    const evidence = [...route.signals.mutationDetails];
+    evidence.push(`No auth function calls matched: ${config.hints.auth.functions.join(", ")}`);
+    evidence.push("No middleware auth covering this route");
+    let confidence = "high";
+    let confidenceRationale = "High: mutation evidence + no auth calls + no middleware coverage";
+    // Downgrade if we see any function calls that could be custom auth
+    if (hasPossibleCustomAuth(src)) {
+        confidence = "med";
+        confidenceRationale = "Medium: mutation evidence present but possible custom auth wrapper detected (not in hints)";
+        evidence.push("possible custom auth wrapper detected (not in hints)");
+    }
+    // Downgrade if handler is exported via HOF wrapper (unknown function)
+    if (isWrappedByUnknownFunction(src)) {
+        confidence = "med";
+        confidenceRationale = "Medium: handler is wrapped by a higher-order function (may contain auth)";
+        evidence.push("handler exported via HOF wrapper (may contain auth)");
+    }
+    // Find the line of the first mutation evidence for precise reporting
+    const line = findFirstMutationLine(src, route.signals);
+    return { confidence, confidenceRationale, line, evidence };
+}
+function checkServerAction(action, index, config) {
+    const src = readSource(index.rootDir, action.file);
+    if (!src)
+        return null;
+    if (hasAuthCall(src, config.hints.auth.functions))
+        return null;
+    if (hasBuiltInAuthPattern(src))
+        return null;
+    const evidence = [...action.signals.mutationDetails];
+    evidence.push(`No auth function calls matched: ${config.hints.auth.functions.join(", ")}`);
+    let confidence = "high";
+    let confidenceRationale = "High: server action with mutation evidence + no auth calls";
+    if (hasPossibleCustomAuth(src)) {
+        confidence = "med";
+        confidenceRationale = "Medium: mutation evidence present but possible custom auth wrapper detected (not in hints)";
+        evidence.push("possible custom auth wrapper detected (not in hints)");
+    }
+    const line = findFirstMutationLine(src, action.signals);
+    return { confidence, confidenceRationale, line, evidence };
+}
+function hasAuthCall(src, authFunctions) {
+    for (const fn of authFunctions) {
+        // Match: fn(), await fn(), const x = fn(), const x = await fn()
+        const pattern = new RegExp(`\\b${escapeRegex(fn)}\\s*\\(`, "m");
+        if (pattern.test(src))
+            return true;
+    }
+    return false;
+}
+/**
+ * Detect Higher-Order Function (HOF) auth wrapper pattern.
+ * E.g.: export const GET = withWorkspace(async ({ workspace }) => { ... })
+ *       export const POST = withSession(handler)
+ *       export default withAuth(handler)
+ */
+function isWrappedByAuthFunction(src, authFunctions) {
+    for (const fn of authFunctions) {
+        const escaped = escapeRegex(fn);
+        // export const METHOD = fn(...) or export { fn as METHOD }
+        const hofPattern = new RegExp(`export\\s+(?:const|let|var)\\s+(?:GET|POST|PUT|PATCH|DELETE)\\s*=\\s*${escaped}\\s*\\(`, "m");
+        if (hofPattern.test(src))
+            return true;
+        // export default fn(...)
+        const defaultPattern = new RegExp(`export\\s+default\\s+${escaped}\\s*\\(`, "m");
+        if (defaultPattern.test(src))
+            return true;
+    }
+    return false;
+}
+/**
+ * Detect if handler is exported via any HOF wrapper (unknown function name).
+ * Used to downgrade confidence when we see the wrapping pattern but don't know the function.
+ */
+function isWrappedByUnknownFunction(src) {
+    return /export\s+(?:const|let|var)\s+(?:GET|POST|PUT|PATCH|DELETE)\s*=\s*[a-zA-Z_]\w*\s*\(/m.test(src);
+}
+/**
+ * Built-in auth patterns that don't need to be in hints.
+ * These are common enough to detect automatically.
+ */
+function hasBuiltInAuthPattern(src) {
+    // Stripe webhook signature verification
+    if (/stripe\.webhooks\.constructEvent\s*\(/m.test(src))
+        return true;
+    // Vercel/QStash cron signature verification
+    if (/verifyVercelSignature\s*\(/m.test(src))
+        return true;
+    if (/verifyQstashSignature\s*\(/m.test(src))
+        return true;
+    // HMAC webhook signature verification (crypto.createHmac + comparison)
+    if (/createHmac\s*\(/.test(src) && /signature/i.test(src))
+        return true;
+    // Cron API key / secret env var check
+    if (/process\.env\.CRON_(?:API_KEY|SECRET)/m.test(src))
+        return true;
+    // Shared secret header verification (common webhook pattern)
+    if (/process\.env\.\w+SECRET\b/.test(src) && /headers\.get\s*\(/m.test(src))
+        return true;
+    // Supabase auth boundary — call-based, not import-based.
+    // Client creation (createServerClient, etc.) is NOT an auth boundary.
+    // Only .auth.getUser() / .auth.getSession() counts.
+    if (/\.auth\.getUser\s*\(/.test(src))
+        return true;
+    if (/\.auth\.getSession\s*\(/.test(src))
+        return true;
+    return false;
+}
+function isProtectedByMiddleware(route, index) {
+    if (!index.middleware.authLikely)
+        return false;
+    // If middleware has no matcher, it applies to all routes
+    if (index.middleware.matcherPatterns.length === 0)
+        return true;
+    // Check if any matcher pattern covers this route
+    const pathname = route.pathname ?? "";
+    for (const pattern of index.middleware.matcherPatterns) {
+        if (pathnameMatchesMatcher(pathname, pattern))
+            return true;
+    }
+    return false;
+}
+function pathnameMatchesMatcher(pathname, matcher) {
+    // Simple matcher check: does the matcher pattern cover this path?
+    // Next.js matchers use a regex-like syntax; for v1, do prefix matching
+    if (matcher.endsWith("/:path*")) {
+        const prefix = matcher.replace("/:path*", "");
+        return pathname.startsWith(prefix);
+    }
+    if (matcher.endsWith("(.*)")) {
+        const prefix = matcher.replace("(.*)", "");
+        return pathname.startsWith(prefix);
+    }
+    return pathname === matcher || pathname.startsWith(matcher + "/");
+}
+function hasPossibleCustomAuth(src) {
+    // Heuristic: looks for patterns like `verifyToken(`, `checkAuth(`, `requireAuth(`
+    // that could be custom auth wrappers we don't know about.
+    // Allow intermediate words: verifyUnsubscribeToken, checkUserAccessLevel, etc.
+    if (/\b(verify|check|require|validate|ensure|guard|protect)\w*(Token|Auth|Session|User|Access|Secret|Signature|Permission)\s*\(/i.test(src)) {
+        return true;
+    }
+    // Direct Authorization header reading is likely auth
+    if (/headers?\S*\.get\s*\(\s*["']authorization["']\s*\)/i.test(src)) {
+        return true;
+    }
+    return false;
+}
+function findFirstMutationLine(src, signals) {
+    const lines = src.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        if (/\.(create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/.test(lines[i])) {
+            return i + 1;
+        }
+        if (/stripe\.\w+\.(create|update|del)\s*\(/.test(lines[i])) {
+            return i + 1;
+        }
+    }
+    return undefined;
+}
+function readSource(rootDir, file) {
+    try {
+        return readFileSync(path.join(rootDir, file), "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+//# sourceMappingURL=auth-boundary-missing.js.map

package/dist/rules/auth-boundary-missing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-boundary-missing.js","sourceRoot":"","sources":["../../src/rules/auth-boundary-missing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,CAAC,MAAM,OAAO,GAAG,uBAAuB,CAAC;AAE/C,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,UAAU,CAAC;IAE/D,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC;IAEvD,gCAAgC;IAChC,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAChD,IAAI,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QACvD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,MAAM,EAAE,CAAC;YACX,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ;gBACR,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,qEAAqE;gBAC9E,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,WAAW,EAAE;oBACX,oFAAoF;oBACpF,kDAAkD;oBAClD,yFAAyF;iBAC1F;gBACD,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qFAAqF;IACrF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,eAAe,EAAE,CAAC;QACzD,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;YAAE,SAAS;QAC/C,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QACxD,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACxD,IAAI,MAAM,EAAE,CAAC;YACX,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ;gBACR,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,qEAAqE;gBAC9E,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,WAAW,EAAE;oBACX,mDAAmD;oBACnD,yFAAyF;iBAC1F;gBACD,IAAI,EAAE,CAAC,MAAM,EAAE,eAAe,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjD,IAAI,IAAI,CAAC,aAAa,KAAK,WAAW;YAAE,SAAS;QACjD,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC;YAAE,SAAS;QAEtD,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QACpE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,OAAO;YACf,QAAQ;YACR,UAAU;YACV,OAAO,EAAE,kBAAkB,IAAI,CAAC,IAAI,UAAU,IAAI,CAAC,aAAa,iCAAiC;YACjG,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,sBAAsB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC;YACxF,mBAAmB,EAAE,IAAI,CAAC,aAAa,KAAK,QAAQ;gBAClD,CAAC,CAAC,kDAAkD;gBACpD,CAAC,CAAC,gEAAgE;YACpE,WAAW,EAAE;gBACX,iEAAiE;gBACjE,+FAA+F;gBAC/F,oEAAoE;aACrE;YACD,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;SACvB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAUD,SAAS,UAAU,CACjB,KAAgB,EAChB,KAAgB,EAChB,MAAuB;IAEvB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/D,qEAAqE;IACrE,IAAI,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3E,wCAAwC;IACxC,IAAI,uBAAuB,CAAC,KAAK,EAAE,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,yEAAyE;IACzE,IAAI,qBAAqB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,uCAAuC;IACvC,MAAM,QAAQ,GAAa,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9D,QAAQ,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,QAAQ,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACxD,IAAI,UAAU,GAAe,MAAM,CAAC;IACpC,IAAI,mBAAmB,GAAG,kEAAkE,CAAC;IAE7F,mEAAmE;IACnE,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,4FAA4F,CAAC;QACnH,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACxE,CAAC;IAED,sEAAsE;IACtE,IAAI,0BAA0B,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,0EAA0E,CAAC;QACjG,QAAQ,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IACvE,CAAC;IAED,qEAAqE;IACrE,MAAM,IAAI,GAAG,qBAAqB,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEvD,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAwB,EACxB,KAAgB,EAChB,MAAuB;IAEvB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,qBAAqB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,MAAM,QAAQ,GAAa,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC/D,QAAQ,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,IAAI,UAAU,GAAe,MAAM,CAAC;IACpC,IAAI,mBAAmB,GAAG,4DAA4D,CAAC;IAEvF,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,4FAA4F,CAAC;QACnH,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAExD,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,aAAuB;IACvD,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,gEAAgE;QAChE,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,MAAM,WAAW,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAChE,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACrC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,GAAW,EAAE,aAAuB;IACnE,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,2DAA2D;QAC3D,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,wEAAwE,OAAO,SAAS,EACxF,GAAG,CACJ,CAAC;QACF,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,yBAAyB;QACzB,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,wBAAwB,OAAO,SAAS,EAAE,GAAG,CAAC,CAAC;QACjF,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,qFAAqF,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzG,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,GAAW;IACxC,wCAAwC;IACxC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,4CAA4C;IAC5C,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzD,uEAAuE;IACvE,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,sCAAsC;IACtC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,6DAA6D;IAC7D,IAAI,2BAA2B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzF,yDAAyD;IACzD,sEAAsE;IACtE,oDAAoD;IACpD,IAAI,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAgB,EAAE,KAAgB;IACjE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAE/C,yDAAyD;IACzD,IAAI,KAAK,CAAC,UAAU,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/D,iDAAiD;IACjD,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;QACvD,IAAI,sBAAsB,CAAC,QAAQ,EAAE,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAgB,EAAE,OAAe;IAC/D,kEAAkE;IAClE,uEAAuE;IACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC3C,OAAO,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,kFAAkF;IAClF,0DAA0D;IAC1D,+EAA+E;IAC/E,IAAI,6HAA6H,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5I,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qDAAqD;IACrD,IAAI,qDAAqD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW,EAAE,OAAsC;IAChF,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,uEAAuE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,OAAO,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;QACD,IAAI,uCAAuC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC"}

package/dist/rules/index.d.ts

@@ -0,0 +1,12 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ShipguardConfig } from "../engine/types.js";
+export interface RuleMeta {
+    id: string;
+    name: string;
+    description: string;
+    defaultSeverity: string;
+    docs: string;
+}
+export declare const RULE_REGISTRY: RuleMeta[];
+export declare function runAllRules(index: NextIndex, config: ShipguardConfig): Finding[];
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAKnE,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,eAAO,MAAM,aAAa,EAAE,QAAQ,EAsBnC,CAAC;AAEF,wBAAgB,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAehF"}

package/dist/rules/index.js

@@ -0,0 +1,41 @@
+import * as authBoundary from "./auth-boundary-missing.js";
+import * as rateLimit from "./rate-limit-missing.js";
+import * as tenancyScope from "./tenancy-scope-missing.js";
+export const RULE_REGISTRY = [
+    {
+        id: "AUTH-BOUNDARY-MISSING",
+        name: "Auth Boundary Missing",
+        description: "Flags server-side mutation endpoints that lack a recognized authentication boundary.",
+        defaultSeverity: "critical",
+        docs: "Shipguard checks for calls to known auth functions (auth(), getServerSession(), currentUser(), etc.) in route handlers and server actions that perform database writes or Stripe operations. Configure additional auth function names in hints.auth.functions.",
+    },
+    {
+        id: "RATE-LIMIT-MISSING",
+        name: "Rate Limit Missing",
+        description: "Flags public API routes without recognized rate limiting.",
+        defaultSeverity: "critical",
+        docs: "Shipguard checks for calls to known rate limiting wrappers (@upstash/ratelimit, rate-limiter-flexible, etc.) in API route handlers. If rate limiting is handled at the edge (Cloudflare WAF, Vercel), add a waiver. Configure custom wrappers in hints.rateLimit.wrappers.",
+    },
+    {
+        id: "TENANCY-SCOPE-MISSING",
+        name: "Tenancy Scope Missing",
+        description: "Flags Prisma queries on tenant-owned models that lack tenant field in the where clause.",
+        defaultSeverity: "critical",
+        docs: "Shipguard checks that Prisma queries include a tenant scoping field (orgId, tenantId, workspaceId) in their where clause. Only runs when Prisma is detected and the schema contains tenant fields. Configure field names in hints.tenancy.orgFieldNames.",
+    },
+];
+export function runAllRules(index, config) {
+    const findings = [];
+    // Only run rules that are configured (all 3 are on by default)
+    if (config.rules["AUTH-BOUNDARY-MISSING"]) {
+        findings.push(...authBoundary.run(index, config));
+    }
+    if (config.rules["RATE-LIMIT-MISSING"]) {
+        findings.push(...rateLimit.run(index, config));
+    }
+    if (config.rules["TENANCY-SCOPE-MISSING"]) {
+        findings.push(...tenancyScope.run(index, config));
+    }
+    return findings;
+}
+//# sourceMappingURL=index.js.map

package/dist/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,YAAY,MAAM,4BAA4B,CAAC;AAC3D,OAAO,KAAK,SAAS,MAAM,yBAAyB,CAAC;AACrD,OAAO,KAAK,YAAY,MAAM,4BAA4B,CAAC;AAU3D,MAAM,CAAC,MAAM,aAAa,GAAe;IACvC;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,sFAAsF;QACnG,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,gQAAgQ;KACvQ;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2DAA2D;QACxE,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,4QAA4Q;KACnR;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,yFAAyF;QACtG,eAAe,EAAE,UAAU;QAC3B,IAAI,EAAE,0PAA0P;KACjQ;CACF,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,KAAgB,EAAE,MAAuB;IACnE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,+DAA+D;IAC/D,IAAI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACvC,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/rules/rate-limit-missing.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ShipguardConfig } from "../engine/types.js";
+export declare const RULE_ID = "RATE-LIMIT-MISSING";
+export declare function run(index: NextIndex, config: ShipguardConfig): Finding[];
+//# sourceMappingURL=rate-limit-missing.d.ts.map

package/dist/rules/rate-limit-missing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-missing.d.ts","sourceRoot":"","sources":["../../src/rules/rate-limit-missing.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAa,MAAM,kBAAkB,CAAC;AAC7D,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAInE,eAAO,MAAM,OAAO,uBAAuB,CAAC;AAyB5C,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAkExE"}

package/dist/rules/rate-limit-missing.js

@@ -0,0 +1,230 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { isAllowlisted } from "../util/paths.js";
+export const RULE_ID = "RATE-LIMIT-MISSING";
+/**
+ * Paths commonly excluded from rate limiting.
+ * Health checks, static assets, internal probes, cron/task routes.
+ */
+const EXEMPT_PATH_PATTERNS = [
+    /\/health$/,
+    /\/ping$/,
+    /\/ready$/,
+    /\/live$/,
+    /\/_next\//,
+    /\/cron\//, // Cron routes are server-to-server
+    /\/tasks\//, // Task/job routes are server-to-server
+];
+/**
+ * Webhook path patterns — rate limiting is inappropriate for inbound webhooks.
+ * The calling service controls the call rate, and rejecting would miss events.
+ */
+const WEBHOOK_PATH_PATTERNS = [
+    /\/webhooks?\//, // /webhook/ or /webhooks/
+    /\/webhooks?$/, // /webhook or /webhooks (terminal)
+];
+export function run(index, config) {
+    const findings = [];
+    const severity = config.rules[RULE_ID]?.severity ?? "critical";
+    for (const route of index.routes.all) {
+        // Only check API routes
+        if (!route.isApi)
+            continue;
+        // Skip exempt paths and user allowlisted paths
+        if (isExemptPath(route.pathname))
+            continue;
+        if (isAllowlisted(route.file, config.hints.rateLimit.allowlistPaths))
+            continue;
+        // Skip tRPC proxy routes — rate limiting is checked at the procedure level
+        if (index.trpc.detected && route.file === index.trpc.proxyFile)
+            continue;
+        const result = checkRoute(route, index, config);
+        if (result) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity,
+                confidence: result.confidence,
+                message: `Public API route has no recognized rate limiting`,
+                file: route.file,
+                line: result.line,
+                snippet: result.snippet,
+                evidence: result.evidence,
+                confidenceRationale: result.confidenceRationale,
+                remediation: [
+                    "Add rate limiting middleware or wrapper to this route",
+                    "If using @upstash/ratelimit, wrap the handler with a rate limit check",
+                    "If rate limiting is handled at the edge (Cloudflare, Vercel), add a waiver with reason",
+                    "Add custom wrapper names to hints.rateLimit.wrappers in config",
+                ],
+                tags: ["rate-limit", "server"],
+            });
+        }
+    }
+    // Check tRPC public mutation procedures
+    for (const proc of index.trpc.mutationProcedures) {
+        if (proc.procedureType === "protected")
+            continue;
+        if (isAllowlisted(proc.file, config.hints.rateLimit.allowlistPaths))
+            continue;
+        // Check if the procedure's file has rate limit calls
+        const src = readSource(index.rootDir, proc.file);
+        if (src && hasRateLimitCall(src, config.hints.rateLimit.wrappers))
+            continue;
+        findings.push({
+            ruleId: RULE_ID,
+            severity,
+            confidence: "med",
+            message: `tRPC public mutation "${proc.name}" has no recognized rate limiting`,
+            file: proc.file,
+            line: proc.line,
+            evidence: [`${proc.procedureType}Procedure.mutation() without rate limit wrapper`],
+            confidenceRationale: "Medium: tRPC rate limiting may be handled at middleware or procedure level (not detected)",
+            remediation: [
+                "Add rate limiting middleware to the procedure chain",
+                "If rate limiting is handled at the tRPC middleware level, add a waiver with reason",
+                "If rate limiting is at the edge (Cloudflare, Vercel), add a waiver",
+            ],
+            tags: ["rate-limit", "trpc"],
+        });
+    }
+    return findings;
+}
+function checkRoute(route, index, config) {
+    const src = readSource(index.rootDir, route.file);
+    if (!src)
+        return null;
+    // Check for known rate limit wrappers (call inside handler body)
+    if (hasRateLimitCall(src, config.hints.rateLimit.wrappers))
+        return null;
+    // Check if handler is wrapped by a known rate-limit function (HOF pattern)
+    if (isWrappedByKnownFunction(src, config.hints.rateLimit.wrappers))
+        return null;
+    // Check if middleware handles rate limiting for this route
+    if (index.middleware.rateLimitLikely)
+        return null;
+    // Routes with webhook signature verification don't need rate limiting
+    if (hasWebhookSignatureAuth(src))
+        return null;
+    if (isWebhookPath(route.pathname))
+        return null;
+    // Routes with cron key auth are server-to-server (no rate limiting needed)
+    if (hasCronKeyAuth(src))
+        return null;
+    // No rate limiting found
+    const evidence = [];
+    evidence.push(`No rate limit wrapper calls matched: ${config.hints.rateLimit.wrappers.join(", ")}`);
+    evidence.push("No middleware-level rate limiting detected");
+    let confidence;
+    let confidenceRationale;
+    if (route.signals.hasMutationEvidence || route.signals.hasDbWriteEvidence) {
+        confidence = "high";
+        confidenceRationale = "High: mutation route without rate limiting (higher abuse risk)";
+        evidence.push("route performs mutations (higher abuse risk)");
+        evidence.push(...route.signals.mutationDetails);
+    }
+    else if (hasBodyParsing(src)) {
+        confidence = "high";
+        confidenceRationale = "High: route reads request body without rate limiting";
+        evidence.push("route reads request body");
+    }
+    else {
+        confidence = "med";
+        confidenceRationale = "Medium: public API route without rate limiting (GET-only, lower risk)";
+        evidence.push("public API route without rate limiting");
+    }
+    // Downgrade if handler is exported via unknown HOF wrapper (may contain rate limiting)
+    if (isWrappedByUnknownFunction(src)) {
+        if (confidence === "high") {
+            confidence = "med";
+            confidenceRationale = "Medium: handler is wrapped by a higher-order function (may contain rate limiting)";
+        }
+        evidence.push("handler exported via HOF wrapper (may contain rate limiting)");
+    }
+    return { confidence, confidenceRationale, evidence };
+}
+function hasRateLimitCall(src, wrappers) {
+    for (const wrapper of wrappers) {
+        const pattern = new RegExp(`\\b${escapeRegex(wrapper)}\\s*[.(]`, "m");
+        if (pattern.test(src))
+            return true;
+    }
+    // Also check for common rate limit import patterns
+    if (/@upstash\/ratelimit/.test(src))
+        return true;
+    if (/rate-limiter-flexible/.test(src))
+        return true;
+    if (/@arcjet\/next/.test(src))
+        return true;
+    if (/@unkey\/ratelimit/.test(src))
+        return true;
+    return false;
+}
+/**
+ * Check if handler is wrapped by a known function (HOF pattern).
+ * E.g.: export const GET = withWorkspace(async () => { ... })
+ */
+function isWrappedByKnownFunction(src, functions) {
+    for (const fn of functions) {
+        const escaped = escapeRegex(fn);
+        const hofPattern = new RegExp(`export\\s+(?:const|let|var)\\s+(?:GET|POST|PUT|PATCH|DELETE)\\s*=\\s*${escaped}\\s*\\(`, "m");
+        if (hofPattern.test(src))
+            return true;
+        const defaultPattern = new RegExp(`export\\s+default\\s+${escaped}\\s*\\(`, "m");
+        if (defaultPattern.test(src))
+            return true;
+    }
+    return false;
+}
+/**
+ * Detect if handler is exported via any HOF wrapper (unknown function name).
+ */
+function isWrappedByUnknownFunction(src) {
+    return /export\s+(?:const|let|var)\s+(?:GET|POST|PUT|PATCH|DELETE)\s*=\s*[a-zA-Z_]\w*\s*\(/m.test(src);
+}
+/**
+ * Webhook signature verification — these routes don't need rate limiting.
+ */
+function hasWebhookSignatureAuth(src) {
+    if (/stripe\.webhooks\.constructEvent\s*\(/m.test(src))
+        return true;
+    if (/verifyQstashSignature\s*\(/m.test(src))
+        return true;
+    if (/createHmac\s*\(/.test(src) && /signature/i.test(src))
+        return true;
+    return false;
+}
+/**
+ * Cron routes protected by API key are server-to-server.
+ */
+function hasCronKeyAuth(src) {
+    if (/process\.env\.CRON_(?:API_KEY|SECRET)/m.test(src))
+        return true;
+    if (/verifyVercelSignature\s*\(/m.test(src))
+        return true;
+    return false;
+}
+function isWebhookPath(pathname) {
+    if (!pathname)
+        return false;
+    return WEBHOOK_PATH_PATTERNS.some((p) => p.test(pathname));
+}
+function hasBodyParsing(src) {
+    return /request\.json\s*\(|request\.formData\s*\(|req\.body/.test(src);
+}
+function isExemptPath(pathname) {
+    if (!pathname)
+        return false;
+    return EXEMPT_PATH_PATTERNS.some((p) => p.test(pathname));
+}
+function readSource(rootDir, file) {
+    try {
+        return readFileSync(path.join(rootDir, file), "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+//# sourceMappingURL=rate-limit-missing.js.map

package/dist/rules/rate-limit-missing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-missing.js","sourceRoot":"","sources":["../../src/rules/rate-limit-missing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,CAAC,MAAM,OAAO,GAAG,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,oBAAoB,GAAG;IAC3B,WAAW;IACX,SAAS;IACT,UAAU;IACV,SAAS;IACT,WAAW;IACX,UAAU,EAAK,mCAAmC;IAClD,WAAW,EAAI,uCAAuC;CACvD,CAAC;AAEF;;;GAGG;AACH,MAAM,qBAAqB,GAAG;IAC5B,eAAe,EAAI,0BAA0B;IAC7C,cAAc,EAAK,mCAAmC;CACvD,CAAC;AAEF,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,UAAU,CAAC;IAE/D,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACrC,wBAAwB;QACxB,IAAI,CAAC,KAAK,CAAC,KAAK;YAAE,SAAS;QAE3B,+CAA+C;QAC/C,IAAI,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC;YAAE,SAAS;QAC3C,IAAI,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,cAAc,CAAC;YAAE,SAAS;QAE/E,2EAA2E;QAC3E,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,SAAS;YAAE,SAAS;QAEzE,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,MAAM,EAAE,CAAC;YACX,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ;gBACR,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,kDAAkD;gBAC3D,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,WAAW,EAAE;oBACX,uDAAuD;oBACvD,uEAAuE;oBACvE,wFAAwF;oBACxF,gEAAgE;iBACjE;gBACD,IAAI,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjD,IAAI,IAAI,CAAC,aAAa,KAAK,WAAW;YAAE,SAAS;QACjD,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,cAAc,CAAC;YAAE,SAAS;QAE9E,qDAAqD;QACrD,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,GAAG,IAAI,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE5E,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,OAAO;YACf,QAAQ;YACR,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE,yBAAyB,IAAI,CAAC,IAAI,mCAAmC;YAC9E,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,iDAAiD,CAAC;YAClF,mBAAmB,EAAE,2FAA2F;YAChH,WAAW,EAAE;gBACX,qDAAqD;gBACrD,oFAAoF;gBACpF,oEAAoE;aACrE;YACD,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAUD,SAAS,UAAU,CACjB,KAAgB,EAChB,KAAgB,EAChB,MAAuB;IAEvB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,iEAAiE;IACjE,IAAI,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAExE,2EAA2E;IAC3E,IAAI,wBAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhF,2DAA2D;IAC3D,IAAI,KAAK,CAAC,UAAU,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAElD,sEAAsE;IACtE,IAAI,uBAAuB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,2EAA2E;IAC3E,IAAI,cAAc,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAErC,yBAAyB;IACzB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,wCAAwC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpG,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;IAC5D,IAAI,UAAsB,CAAC;IAC3B,IAAI,mBAA2B,CAAC;IAEhC,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,IAAI,KAAK,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC1E,UAAU,GAAG,MAAM,CAAC;QACpB,mBAAmB,GAAG,gEAAgE,CAAC;QACvF,QAAQ,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,UAAU,GAAG,MAAM,CAAC;QACpB,mBAAmB,GAAG,sDAAsD,CAAC;QAC7E,QAAQ,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,KAAK,CAAC;QACnB,mBAAmB,GAAG,uEAAuE,CAAC;QAC9F,QAAQ,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IAC1D,CAAC;IAED,uFAAuF;IACvF,IAAI,0BAA0B,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC1B,UAAU,GAAG,KAAK,CAAC;YACnB,mBAAmB,GAAG,mFAAmF,CAAC;QAC5G,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAChF,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,QAAQ,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,QAAkB;IACvD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACtE,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACrC,CAAC;IAED,mDAAmD;IACnD,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,wBAAwB,CAAC,GAAW,EAAE,SAAmB;IAChE,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,wEAAwE,OAAO,SAAS,EACxF,GAAG,CACJ,CAAC;QACF,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,MAAM,cAAc,GAAG,IAAI,MAAM,CAAC,wBAAwB,OAAO,SAAS,EAAE,GAAG,CAAC,CAAC;QACjF,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,qFAAqF,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzG,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,GAAW;IAC1C,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,QAAiB;IACtC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,qDAAqD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,YAAY,CAAC,QAAiB;IACrC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC"}

package/dist/rules/tenancy-scope-missing.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ShipguardConfig } from "../engine/types.js";
+export declare const RULE_ID = "TENANCY-SCOPE-MISSING";
+export declare function run(index: NextIndex, config: ShipguardConfig): Finding[];
+//# sourceMappingURL=tenancy-scope-missing.d.ts.map

package/dist/rules/tenancy-scope-missing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenancy-scope-missing.d.ts","sourceRoot":"","sources":["../../src/rules/tenancy-scope-missing.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAGnE,eAAO,MAAM,OAAO,0BAA0B,CAAC;AAY/C,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAkDxE"}