@guardrail-ai/rules 0.1.0

package/dist/__tests__/advanced-rules.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=advanced-rules.test.d.ts.map

package/dist/__tests__/advanced-rules.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"advanced-rules.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/advanced-rules.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/advanced-rules.test.js

@@ -0,0 +1,59 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const unsafe_regex_js_1 = __importDefault(require("../unsafe-regex.js"));
+const no_eval_js_1 = __importDefault(require("../no-eval.js"));
+const no_secrets_in_logs_js_1 = __importDefault(require("../no-secrets-in-logs.js"));
+function detect(rule, source, file = 'test.js') {
+    const ast = (0, core_1.parseSource)(source, file);
+    return rule.detect({ filePath: file, source, ast });
+}
+(0, vitest_1.describe)('security/unsafe-regex', () => {
+    (0, vitest_1.it)('detects ReDoS patterns', () => {
+        const v = detect(unsafe_regex_js_1.default, 'const re = /(a+)+$/;');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+        (0, vitest_1.expect)(v[0].ruleId).toBe('security/unsafe-regex');
+    });
+    (0, vitest_1.it)('detects ReDoS in new RegExp', () => {
+        const v = detect(unsafe_regex_js_1.default, 'const re = new RegExp("(a+)+");');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores safe regex', () => {
+        const v = detect(unsafe_regex_js_1.default, 'const re = /^[a-z]+$/;');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('security/no-eval', () => {
+    (0, vitest_1.it)('detects eval()', () => {
+        const v = detect(no_eval_js_1.default, 'eval("console.log(1)");');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+        (0, vitest_1.expect)(v[0].severity).toBe('critical');
+    });
+    (0, vitest_1.it)('detects new Function()', () => {
+        const v = detect(no_eval_js_1.default, 'const fn = new Function("return 1");');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores safe code', () => {
+        const v = detect(no_eval_js_1.default, 'const x = JSON.parse("{}");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('security/no-secrets-in-logs', () => {
+    (0, vitest_1.it)('detects sensitive variable in console.log', () => {
+        const v = detect(no_secrets_in_logs_js_1.default, 'console.log(password);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('detects sensitive property in console.log', () => {
+        const v = detect(no_secrets_in_logs_js_1.default, 'console.log(user.secretKey);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores non-sensitive logging', () => {
+        const v = detect(no_secrets_in_logs_js_1.default, 'console.log(username);');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=advanced-rules.test.js.map

package/dist/__tests__/advanced-rules.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"advanced-rules.test.js","sourceRoot":"","sources":["../../src/__tests__/advanced-rules.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,yEAA6C;AAC7C,+DAAmC;AACnC,qFAAuD;AAEvD,SAAS,MAAM,CAAC,IAAS,EAAE,MAAc,EAAE,IAAI,GAAG,SAAS;IACzD,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACtC,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AACtD,CAAC;AAED,IAAA,iBAAQ,EAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,yBAAW,EAAE,sBAAsB,CAAC,CAAC;QACtD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,yBAAW,EAAE,iCAAiC,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,GAAG,MAAM,CAAC,yBAAW,EAAE,wBAAwB,CAAC,CAAC;QACxD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,IAAA,WAAE,EAAC,gBAAgB,EAAE,GAAG,EAAE;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,oBAAM,EAAE,yBAAyB,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,oBAAM,EAAE,sCAAsC,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,oBAAM,EAAE,6BAA6B,CAAC,CAAC;QACxD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,MAAM,CAAC,+BAAe,EAAE,wBAAwB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,MAAM,CAAC,+BAAe,EAAE,8BAA8B,CAAC,CAAC;QAClE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,+BAAe,EAAE,wBAAwB,CAAC,CAAC;QAC5D,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/dead-code.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=dead-code.test.d.ts.map

package/dist/__tests__/dead-code.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-code.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/dead-code.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/dead-code.test.js

@@ -0,0 +1,66 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const dead_code_js_1 = __importDefault(require("../dead-code.js"));
+function detect(source) {
+    const ast = (0, core_1.parseSource)(source, 'test.js');
+    return dead_code_js_1.default.detect({ filePath: 'test.js', source, ast });
+}
+(0, vitest_1.describe)('quality/dead-code', () => {
+    (0, vitest_1.it)('detects unreachable code after return', () => {
+        const v = detect(`
+function foo() {
+  return 1;
+  console.log("dead");
+}
+foo();
+`);
+        (0, vitest_1.expect)(v.some((x) => x.message.includes('Unreachable'))).toBe(true);
+    });
+    (0, vitest_1.it)('detects unreachable code after throw', () => {
+        const v = detect(`
+function foo() {
+  throw new Error("x");
+  console.log("dead");
+}
+foo();
+`);
+        (0, vitest_1.expect)(v.some((x) => x.message.includes('Unreachable'))).toBe(true);
+    });
+    (0, vitest_1.it)('detects empty catch block', () => {
+        const v = detect(`
+try { x(); } catch (e) {}
+`);
+        (0, vitest_1.expect)(v.some((x) => x.message.includes('Empty catch'))).toBe(true);
+    });
+    (0, vitest_1.it)('allows catch block with comment', () => {
+        const v = detect(`
+try { x(); } catch (e) { /* intentionally empty */ }
+`);
+        (0, vitest_1.expect)(v.filter((x) => x.message.includes('Empty catch'))).toHaveLength(0);
+    });
+    (0, vitest_1.it)('detects unused function', () => {
+        const v = detect(`
+function unused() { return 1; }
+`);
+        (0, vitest_1.expect)(v.some((x) => x.message.includes('never used'))).toBe(true);
+    });
+    (0, vitest_1.it)('does not flag exported functions', () => {
+        const v = detect(`
+export function used() { return 1; }
+`);
+        (0, vitest_1.expect)(v.filter((x) => x.message.includes('never used'))).toHaveLength(0);
+    });
+    (0, vitest_1.it)('does not flag called functions', () => {
+        const v = detect(`
+function helper() { return 1; }
+helper();
+`);
+        (0, vitest_1.expect)(v.filter((x) => x.message.includes('never used'))).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=dead-code.test.js.map

package/dist/__tests__/dead-code.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-code.test.js","sourceRoot":"","sources":["../../src/__tests__/dead-code.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,mEAAmC;AAEnC,SAAS,MAAM,CAAC,MAAc;IAC5B,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,OAAO,sBAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,IAAA,iBAAQ,EAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;CAMpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;CAMpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC;;CAEpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,MAAM,CAAC;;CAEpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC;;CAEpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,GAAG,MAAM,CAAC;;CAEpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,GAAG,MAAM,CAAC;;;CAGpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/duplicate-logic.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=duplicate-logic.test.d.ts.map

package/dist/__tests__/duplicate-logic.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"duplicate-logic.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/duplicate-logic.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/duplicate-logic.test.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const duplicate_logic_js_1 = __importDefault(require("../duplicate-logic.js"));
+function detect(source) {
+    const ast = (0, core_1.parseSource)(source, 'test.js');
+    return duplicate_logic_js_1.default.detect({ filePath: 'test.js', source, ast });
+}
+(0, vitest_1.describe)('quality/duplicate-logic', () => {
+    (0, vitest_1.it)('detects identical function bodies', () => {
+        const v = detect(`
+function calcA(amount) {
+  const rate = 0.15;
+  const base = amount * rate;
+  const surcharge = base > 1000 ? base * 0.05 : 0;
+  return base + surcharge;
+}
+function calcB(amount) {
+  const rate = 0.15;
+  const base = amount * rate;
+  const surcharge = base > 1000 ? base * 0.05 : 0;
+  return base + surcharge;
+}
+`);
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+        (0, vitest_1.expect)(v[0].ruleId).toBe('quality/duplicate-logic');
+    });
+    (0, vitest_1.it)('does not flag different function bodies', () => {
+        const v = detect(`
+function add(a, b) { return a + b; }
+function sub(a, b) { return a - b; }
+`);
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores small functions', () => {
+        const v = detect(`
+function a() { return 1; }
+function b() { return 1; }
+`);
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=duplicate-logic.test.js.map

package/dist/__tests__/duplicate-logic.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"duplicate-logic.test.js","sourceRoot":"","sources":["../../src/__tests__/duplicate-logic.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,+EAAyC;AAEzC,SAAS,MAAM,CAAC,MAAc;IAC5B,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,OAAO,4BAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,IAAA,iBAAQ,EAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;;;;;CAapB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,MAAM,CAAC;;;CAGpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC;;;CAGpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/hardcoded-api-key.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=hardcoded-api-key.test.d.ts.map

package/dist/__tests__/hardcoded-api-key.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardcoded-api-key.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/hardcoded-api-key.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/hardcoded-api-key.test.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const hardcoded_api_key_js_1 = __importDefault(require("../hardcoded-api-key.js"));
+function detect(source) {
+    const ast = (0, core_1.parseSource)(source, 'test.js');
+    return hardcoded_api_key_js_1.default.detect({ filePath: 'test.js', source, ast });
+}
+(0, vitest_1.describe)('security/hardcoded-api-key', () => {
+    (0, vitest_1.it)('detects hardcoded API key in variable', () => {
+        const v = detect('const API_KEY = "sk-abc12345678901234567890123456789";');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+        (0, vitest_1.expect)(v[0].ruleId).toBe('security/hardcoded-api-key');
+    });
+    (0, vitest_1.it)('detects hardcoded password', () => {
+        const v = detect('const password = "super-secret-password-123";');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('detects hardcoded token in object property', () => {
+        const v = detect('const cfg = { secret_token: "abcdefghijklmnop" };');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('detects JWT-like string literal', () => {
+        const v = detect('fetch("/api", { headers: { Authorization: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc123def456" } });');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('ignores short strings', () => {
+        const v = detect('const password = "short";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores env variable usage', () => {
+        const v = detect('const apiKey = process.env.API_KEY;');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores non-suspicious variable names', () => {
+        const v = detect('const greeting = "hello world and some extra text";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=hardcoded-api-key.test.js.map

package/dist/__tests__/hardcoded-api-key.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardcoded-api-key.test.js","sourceRoot":"","sources":["../../src/__tests__/hardcoded-api-key.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,mFAA2C;AAE3C,SAAS,MAAM,CAAC,MAAc;IAC5B,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,OAAO,8BAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,IAAA,iBAAQ,EAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,wDAAwD,CAAC,CAAC;QAC3E,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,MAAM,CAAC,+CAA+C,CAAC,CAAC;QAClE,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CAAC,GAAG,MAAM,CAAC,mDAAmD,CAAC,CAAC;QACtE,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,GAAG,MAAM,CAAC,iHAAiH,CAAC,CAAC;QACpI,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,2BAA2B,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC;QACxD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,qDAAqD,CAAC,CAAC;QACxE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/inefficient-loop.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=inefficient-loop.test.d.ts.map

package/dist/__tests__/inefficient-loop.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inefficient-loop.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/inefficient-loop.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/inefficient-loop.test.js

@@ -0,0 +1,49 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const inefficient_loop_js_1 = __importDefault(require("../inefficient-loop.js"));
+function detect(source) {
+    const ast = (0, core_1.parseSource)(source, 'test.js');
+    return inefficient_loop_js_1.default.detect({ filePath: 'test.js', source, ast });
+}
+(0, vitest_1.describe)('performance/inefficient-loop', () => {
+    (0, vitest_1.it)('detects uncached array length', () => {
+        const src = 'var arr = [1,2,3]; for (var i = 0; i < arr.length; i++) { console.log(arr[i]); }';
+        const v = detect(src);
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+        (0, vitest_1.expect)(v[0].ruleId).toBe('performance/inefficient-loop');
+    });
+    (0, vitest_1.it)('ignores cached array length', () => {
+        const src = 'var arr = [1,2,3]; var len = arr.length; for (var i = 0; i < len; i++) { console.log(arr[i]); }';
+        const v = detect(src);
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('detects sequential await in loop', () => {
+        const v = detect(`
+async function f(urls) {
+  for (const url of urls) {
+    await fetch(url);
+  }
+}
+f([]);
+`);
+        (0, vitest_1.expect)(v.some((x) => x.message.includes('Sequential await'))).toBe(true);
+    });
+    (0, vitest_1.it)('ignores await in nested function inside loop', () => {
+        const v = detect(`
+async function f(items) {
+  for (const item of items) {
+    const handler = async () => { await process(item); };
+    handler();
+  }
+}
+f([]);
+`);
+        (0, vitest_1.expect)(v.filter((x) => x.message.includes('Sequential await'))).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=inefficient-loop.test.js.map

package/dist/__tests__/inefficient-loop.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inefficient-loop.test.js","sourceRoot":"","sources":["../../src/__tests__/inefficient-loop.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,iFAA0C;AAE1C,SAAS,MAAM,CAAC,MAAc;IAC5B,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,OAAO,6BAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,IAAA,iBAAQ,EAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,kFAAkF,CAAC;QAC/F,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,GAAG,GAAG,iGAAiG,CAAC;QAC9G,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;CAOpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;CAQpB,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/new-rules.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=new-rules.test.d.ts.map

package/dist/__tests__/new-rules.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"new-rules.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/new-rules.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/new-rules.test.js

@@ -0,0 +1,193 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const hallucinated_import_js_1 = __importDefault(require("../hallucinated-import.js"));
+const placeholder_code_js_1 = __importDefault(require("../placeholder-code.js"));
+const hardcoded_localhost_js_1 = __importDefault(require("../hardcoded-localhost.js"));
+const console_log_spam_js_1 = __importDefault(require("../console-log-spam.js"));
+const overly_broad_catch_js_1 = __importDefault(require("../overly-broad-catch.js"));
+const unused_imports_js_1 = __importDefault(require("../unused-imports.js"));
+const any_type_abuse_js_1 = __importDefault(require("../any-type-abuse.js"));
+const fetch_without_error_handling_js_1 = __importDefault(require("../fetch-without-error-handling.js"));
+const promise_without_catch_js_1 = __importDefault(require("../promise-without-catch.js"));
+const magic_numbers_js_1 = __importDefault(require("../magic-numbers.js"));
+const insecure_cors_js_1 = __importDefault(require("../insecure-cors.js"));
+const env_var_leak_js_1 = __importDefault(require("../env-var-leak.js"));
+const no_rate_limiting_js_1 = __importDefault(require("../no-rate-limiting.js"));
+const n_plus_one_query_js_1 = __importDefault(require("../n-plus-one-query.js"));
+function detect(rule, source, file = 'test.js') {
+    const ast = (0, core_1.parseSource)(source, file);
+    return rule.detect({ filePath: file, source, ast });
+}
+// --- AI-Codegen Rules ---
+(0, vitest_1.describe)('ai-codegen/hallucinated-import', () => {
+    (0, vitest_1.it)('detects known hallucinated package', () => {
+        const v = detect(hallucinated_import_js_1.default, 'import { foo } from "validation-utils";');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('ignores real packages', () => {
+        const v = detect(hallucinated_import_js_1.default, 'import express from "express";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores relative imports', () => {
+        const v = detect(hallucinated_import_js_1.default, 'import { foo } from "./utils";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/placeholder-code', () => {
+    (0, vitest_1.it)('detects TODO comments', () => {
+        const v = detect(placeholder_code_js_1.default, '// TODO: implement this');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('detects example.com URLs', () => {
+        const v = detect(placeholder_code_js_1.default, 'const url = "https://example.com/api";');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('ignores normal strings', () => {
+        const v = detect(placeholder_code_js_1.default, 'const name = "production-api.myapp.com";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/hardcoded-localhost', () => {
+    (0, vitest_1.it)('detects localhost URL', () => {
+        const v = detect(hardcoded_localhost_js_1.default, 'const url = "http://localhost:3000/api";');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('detects 127.0.0.1', () => {
+        const v = detect(hardcoded_localhost_js_1.default, 'fetch("http://127.0.0.1:8080");');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores production URLs', () => {
+        const v = detect(hardcoded_localhost_js_1.default, 'const url = "https://api.myapp.com";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/console-log-spam', () => {
+    (0, vitest_1.it)('detects console.log', () => {
+        const v = detect(console_log_spam_js_1.default, 'console.log("test");');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+        (0, vitest_1.expect)(v[0].fix).toBeDefined();
+    });
+    (0, vitest_1.it)('ignores console.error', () => {
+        const v = detect(console_log_spam_js_1.default, 'console.error("critical failure");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores console.warn', () => {
+        const v = detect(console_log_spam_js_1.default, 'console.warn("deprecated");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/overly-broad-catch', () => {
+    (0, vitest_1.it)('detects catch with only console.log', () => {
+        const v = detect(overly_broad_catch_js_1.default, 'try { x(); } catch (e) { console.log(e); }');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores catch with rethrow', () => {
+        const v = detect(overly_broad_catch_js_1.default, 'try { x(); } catch (e) { console.log(e); throw e; }');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/unused-imports', () => {
+    (0, vitest_1.it)('detects unused import', () => {
+        const v = detect(unused_imports_js_1.default, 'import { unused } from "mod"; const x = 1;');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores used import', () => {
+        const v = detect(unused_imports_js_1.default, 'import { used } from "mod"; used();');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/any-type-abuse', () => {
+    (0, vitest_1.it)('detects : any in TS files', () => {
+        const v = detect(any_type_abuse_js_1.default, 'const x: any = 1;', 'test.ts');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('skips JS files', () => {
+        const v = detect(any_type_abuse_js_1.default, 'const x = 1;', 'test.js');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/fetch-without-error-handling', () => {
+    (0, vitest_1.it)('detects unhandled fetch', () => {
+        const v = detect(fetch_without_error_handling_js_1.default, 'async function f() { const r = await fetch("/api"); }');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('ignores fetch in try/catch', () => {
+        const v = detect(fetch_without_error_handling_js_1.default, 'async function f() { try { await fetch("/api"); } catch(e) { throw e; } }');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/promise-without-catch', () => {
+    (0, vitest_1.it)('detects .then without .catch', () => {
+        const v = detect(promise_without_catch_js_1.default, 'fetch("/api").then(r => r.json());');
+        (0, vitest_1.expect)(v.length).toBeGreaterThanOrEqual(1);
+    });
+    (0, vitest_1.it)('ignores .then with .catch', () => {
+        const v = detect(promise_without_catch_js_1.default, 'fetch("/api").then(r => r.json()).catch(e => console.error(e));');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('ai-codegen/magic-numbers', () => {
+    (0, vitest_1.it)('detects magic numbers', () => {
+        const v = detect(magic_numbers_js_1.default, 'const result = value * 3.14159;');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores 0 and 1', () => {
+        const v = detect(magic_numbers_js_1.default, 'const x = arr[0]; const y = x + 1;');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+// --- Security Rules ---
+(0, vitest_1.describe)('security/insecure-cors', () => {
+    (0, vitest_1.it)('detects cors() with no args', () => {
+        const v = detect(insecure_cors_js_1.default, 'app.use(cors());');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('detects cors({ origin: "*" })', () => {
+        const v = detect(insecure_cors_js_1.default, 'app.use(cors({ origin: "*" }));');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores cors with specific origin', () => {
+        const v = detect(insecure_cors_js_1.default, 'app.use(cors({ origin: "https://myapp.com" }));');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('security/env-var-leak', () => {
+    (0, vitest_1.it)('detects process.env in console.log', () => {
+        const v = detect(env_var_leak_js_1.default, 'console.log(process.env.SECRET);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores non-env console.log', () => {
+        const v = detect(env_var_leak_js_1.default, 'console.log("hello");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('security/no-rate-limiting', () => {
+    (0, vitest_1.it)('detects express without rate limiting', () => {
+        const v = detect(no_rate_limiting_js_1.default, 'import express from "express"; const app = express();');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('passes when rate limiting is present', () => {
+        const v = detect(no_rate_limiting_js_1.default, 'import express from "express"; import rateLimit from "express-rate-limit";');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+(0, vitest_1.describe)('performance/n-plus-one-query', () => {
+    (0, vitest_1.it)('detects query inside loop', () => {
+        const v = detect(n_plus_one_query_js_1.default, `
+for (const id of ids) {
+  db.query("SELECT * FROM posts WHERE user_id = ?", [id]);
+}
+`);
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores query outside loop', () => {
+        const v = detect(n_plus_one_query_js_1.default, 'db.query("SELECT * FROM posts");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=new-rules.test.js.map

package/dist/__tests__/new-rules.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"new-rules.test.js","sourceRoot":"","sources":["../../src/__tests__/new-rules.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AAEjD,uFAA2D;AAC3D,iFAAqD;AACrD,uFAA2D;AAC3D,iFAAoD;AACpD,qFAAwD;AACxD,6EAAiD;AACjD,6EAAgD;AAChD,yGAA2E;AAC3E,2FAA8D;AAC9D,2EAA+C;AAC/C,2EAA+C;AAC/C,yEAA4C;AAC5C,iFAAoD;AACpD,iFAAmD;AAEnD,SAAS,MAAM,CAAC,IAAS,EAAE,MAAc,EAAE,IAAI,GAAG,SAAS;IACzD,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACtC,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AACtD,CAAC;AAED,2BAA2B;AAE3B,IAAA,iBAAQ,EAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,yCAAyC,CAAC,CAAC;QAChF,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,gCAAgC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,gCAAgC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAe,EAAE,yBAAyB,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAe,EAAE,wCAAwC,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAe,EAAE,0CAA0C,CAAC,CAAC;QAC9E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,0CAA0C,CAAC,CAAC;QACjF,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,iCAAiC,CAAC,CAAC;QACxE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC,gCAAkB,EAAE,sCAAsC,CAAC,CAAC;QAC7E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,IAAA,WAAE,EAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAc,EAAE,sBAAsB,CAAC,CAAC;QACzD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAc,EAAE,oCAAoC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAc,EAAE,6BAA6B,CAAC,CAAC;QAChE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,GAAG,MAAM,CAAC,+BAAgB,EAAE,4CAA4C,CAAC,CAAC;QACjF,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,MAAM,CAAC,+BAAgB,EAAE,qDAAqD,CAAC,CAAC;QAC1F,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,2BAAa,EAAE,4CAA4C,CAAC,CAAC;QAC9E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,GAAG,MAAM,CAAC,2BAAa,EAAE,qCAAqC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAA,WAAE,EAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,2BAAY,EAAE,mBAAmB,EAAE,SAAS,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gBAAgB,EAAE,GAAG,EAAE;QACxB,MAAM,CAAC,GAAG,MAAM,CAAC,2BAAY,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;QAC1D,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,yCAAyC,EAAE,GAAG,EAAE;IACvD,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,MAAM,CAAC,yCAAyB,EAAE,uDAAuD,CAAC,CAAC;QACrG,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,MAAM,CAAC,yCAAyB,EAAE,2EAA2E,CAAC,CAAC;QACzH,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,kCAAkC,EAAE,GAAG,EAAE;IAChD,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,GAAG,MAAM,CAAC,kCAAmB,EAAE,oCAAoC,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,CAAC,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,kCAAmB,EAAE,iEAAiE,CAAC,CAAC;QACzG,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,IAAA,WAAE,EAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,0BAAY,EAAE,iCAAiC,CAAC,CAAC;QAClE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iBAAiB,EAAE,GAAG,EAAE;QACzB,MAAM,CAAC,GAAG,MAAM,CAAC,0BAAY,EAAE,oCAAoC,CAAC,CAAC;QACrE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,yBAAyB;AAEzB,IAAA,iBAAQ,EAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,0BAAY,EAAE,kBAAkB,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,0BAAY,EAAE,iCAAiC,CAAC,CAAC;QAClE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,0BAAY,EAAE,iDAAiD,CAAC,CAAC;QAClF,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,yBAAU,EAAE,kCAAkC,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,yBAAU,EAAE,uBAAuB,CAAC,CAAC;QACtD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAc,EAAE,uDAAuD,CAAC,CAAC;QAC1F,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAc,EAAE,4EAA4E,CAAC,CAAC;QAC/G,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAA,WAAE,EAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAa,EAAE;;;;CAInC,CAAC,CAAC;QACC,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,MAAM,CAAC,6BAAa,EAAE,kCAAkC,CAAC,CAAC;QACpE,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/sql-injection.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sql-injection.test.d.ts.map

package/dist/__tests__/sql-injection.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/sql-injection.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/sql-injection.test.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const core_1 = require("@guardrail-ai/core");
+const sql_injection_js_1 = __importDefault(require("../sql-injection.js"));
+function detect(source) {
+    const ast = (0, core_1.parseSource)(source, 'test.js');
+    return sql_injection_js_1.default.detect({ filePath: 'test.js', source, ast });
+}
+(0, vitest_1.describe)('security/sql-injection', () => {
+    (0, vitest_1.it)('detects string concatenation in query', () => {
+        const v = detect('db.query("SELECT * FROM users WHERE id = " + userId);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+        (0, vitest_1.expect)(v[0].ruleId).toBe('security/sql-injection');
+    });
+    (0, vitest_1.it)('detects template literal in query', () => {
+        const v = detect('db.query(`SELECT * FROM users WHERE id = ${userId}`);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('detects execute method', () => {
+        const v = detect('conn.execute("DELETE FROM users WHERE name = " + name);');
+        (0, vitest_1.expect)(v).toHaveLength(1);
+    });
+    (0, vitest_1.it)('ignores parameterized queries', () => {
+        const v = detect('db.query("SELECT * FROM users WHERE id = $1", [userId]);');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores static string queries', () => {
+        const v = detect('db.query("SELECT * FROM users");');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+    (0, vitest_1.it)('ignores non-SQL method calls', () => {
+        const v = detect('console.log("SELECT * FROM " + table);');
+        (0, vitest_1.expect)(v).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=sql-injection.test.js.map

package/dist/__tests__/sql-injection.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection.test.js","sourceRoot":"","sources":["../../src/__tests__/sql-injection.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,6CAAiD;AACjD,2EAAuC;AAEvC,SAAS,MAAM,CAAC,MAAc;IAC5B,MAAM,GAAG,GAAG,IAAA,kBAAW,EAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC3C,OAAO,0BAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,IAAA,iBAAQ,EAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,CAAC,uDAAuD,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,uDAAuD,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC,yDAAyD,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,0DAA0D,CAAC,CAAC;QAC7E,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,kCAAkC,CAAC,CAAC;QACrD,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,GAAG,MAAM,CAAC,wCAAwC,CAAC,CAAC;QAC3D,IAAA,eAAM,EAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/any-type-abuse.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const anyTypeAbuseRule: Rule;
+export default anyTypeAbuseRule;
+//# sourceMappingURL=any-type-abuse.d.ts.map

package/dist/any-type-abuse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"any-type-abuse.d.ts","sourceRoot":"","sources":["../src/any-type-abuse.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAEvE,QAAA,MAAM,gBAAgB,EAAE,IAiCvB,CAAC;AAEF,eAAe,gBAAgB,CAAC"}