@guardrail-ai/rules 0.1.0

package/dist/overly-broad-catch.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const overlyBroadCatchRule: Rule;
+export default overlyBroadCatchRule;
+//# sourceMappingURL=overly-broad-catch.d.ts.map

package/dist/overly-broad-catch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"overly-broad-catch.d.ts","sourceRoot":"","sources":["../src/overly-broad-catch.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAEvE,QAAA,MAAM,oBAAoB,EAAE,IA+C3B,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/dist/overly-broad-catch.js

@@ -0,0 +1,48 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const overlyBroadCatchRule = {
+    id: 'ai-codegen/overly-broad-catch',
+    name: 'Overly Broad Catch',
+    description: 'Detects catch blocks that only log errors without proper handling or rethrowing',
+    severity: 'warning',
+    category: 'ai-codegen',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CatchClause(path) {
+                const body = path.node.body.body;
+                // Empty catch — already handled by dead-code rule
+                if (body.length === 0)
+                    return;
+                // Only a single console.log/console.error statement
+                if (body.length === 1) {
+                    const stmt = body[0];
+                    if (stmt.type === 'ExpressionStatement' &&
+                        stmt.expression.type === 'CallExpression' &&
+                        stmt.expression.callee.type === 'MemberExpression' &&
+                        stmt.expression.callee.object.type === 'Identifier' &&
+                        stmt.expression.callee.object.name === 'console') {
+                        violations.push({
+                            ruleId: 'ai-codegen/overly-broad-catch',
+                            severity: 'warning',
+                            message: 'Catch block only logs the error without proper handling. Consider rethrowing, returning an error state, or implementing recovery logic.',
+                            location: {
+                                file: filePath,
+                                line: path.node.loc?.start.line ?? 0,
+                                column: path.node.loc?.start.column ?? 0,
+                            },
+                        });
+                    }
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = overlyBroadCatchRule;
+//# sourceMappingURL=overly-broad-catch.js.map

package/dist/overly-broad-catch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"overly-broad-catch.js","sourceRoot":"","sources":["../src/overly-broad-catch.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,oBAAoB,GAAS;IACjC,EAAE,EAAE,+BAA+B;IACnC,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EACT,iFAAiF;IACnF,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,YAAY;IAEtB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,WAAW,CAAC,IAAI;gBACd,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAEjC,kDAAkD;gBAClD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAE9B,oDAAoD;gBACpD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBACrB,IACE,IAAI,CAAC,IAAI,KAAK,qBAAqB;wBACnC,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,gBAAgB;wBACzC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;wBAClD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;wBACnD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS,EAChD,CAAC;wBACD,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,+BAA+B;4BACvC,QAAQ,EAAE,SAAS;4BACnB,OAAO,EACL,yIAAyI;4BAC3I,QAAQ,EAAE;gCACR,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;gCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;6BACzC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,oBAAoB,CAAC"}

package/dist/placeholder-code.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const placeholderCodeRule: Rule;
+export default placeholderCodeRule;
+//# sourceMappingURL=placeholder-code.d.ts.map

package/dist/placeholder-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"placeholder-code.d.ts","sourceRoot":"","sources":["../src/placeholder-code.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAUvE,QAAA,MAAM,mBAAmB,EAAE,IAmD1B,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/dist/placeholder-code.js

@@ -0,0 +1,58 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const COMMENT_PATTERNS = /\b(TODO|FIXME|HACK|PLACEHOLDER|XXX|TEMP|implement\s*(this|later|here)|add\s*(logic|code|implementation)\s*here|replace\s*(this|with)|your[_\s-]*(code|logic|implementation)\s*here)\b/i;
+const STRING_PATTERNS = /^(placeholder|example\.com|your[_-]api[_-]key[_-]here|your[_-].*[_-]here|test123|lorem\s*ipsum|foo|bar|baz|changeme|replace[_-]me)$/i;
+const URL_PATTERNS = /^https?:\/\/example\.(com|org|net)/;
+const placeholderCodeRule = {
+    id: 'ai-codegen/placeholder-code',
+    name: 'Placeholder Code',
+    description: 'Detects TODO/FIXME comments, placeholder strings, and example.com URLs left by AI generators',
+    severity: 'warning',
+    category: 'ai-codegen',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        // Check comments
+        if (ast.comments) {
+            for (const comment of ast.comments) {
+                if (COMMENT_PATTERNS.test(comment.value)) {
+                    violations.push({
+                        ruleId: 'ai-codegen/placeholder-code',
+                        severity: 'warning',
+                        message: `Placeholder comment found: "${comment.value.trim().substring(0, 60)}..."`,
+                        location: {
+                            file: filePath,
+                            line: comment.loc?.start.line ?? 0,
+                            column: comment.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            }
+        }
+        // Check string literals
+        (0, traverse_1.default)(ast, {
+            StringLiteral(path) {
+                const val = path.node.value;
+                if (STRING_PATTERNS.test(val) || URL_PATTERNS.test(val)) {
+                    violations.push({
+                        ruleId: 'ai-codegen/placeholder-code',
+                        severity: 'warning',
+                        message: `Placeholder string "${val.substring(0, 40)}" — likely needs to be replaced with real values.`,
+                        location: {
+                            file: filePath,
+                            line: path.node.loc?.start.line ?? 0,
+                            column: path.node.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = placeholderCodeRule;
+//# sourceMappingURL=placeholder-code.js.map

package/dist/placeholder-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"placeholder-code.js","sourceRoot":"","sources":["../src/placeholder-code.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,gBAAgB,GACpB,wLAAwL,CAAC;AAE3L,MAAM,eAAe,GACnB,sIAAsI,CAAC;AAEzI,MAAM,YAAY,GAAG,oCAAoC,CAAC;AAE1D,MAAM,mBAAmB,GAAS;IAChC,EAAE,EAAE,6BAA6B;IACjC,IAAI,EAAE,kBAAkB;IACxB,WAAW,EACT,8FAA8F;IAChG,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,YAAY;IAEtB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,iBAAiB;QACjB,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjB,KAAK,MAAM,OAAO,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACnC,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzC,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,6BAA6B;wBACrC,QAAQ,EAAE,SAAS;wBACnB,OAAO,EAAE,+BAA+B,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;wBACnF,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BAClC,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACvC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,aAAa,CAAC,IAAI;gBAChB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;gBAC5B,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxD,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,6BAA6B;wBACrC,QAAQ,EAAE,SAAS;wBACnB,OAAO,EAAE,uBAAuB,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,mDAAmD;wBACvG,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,mBAAmB,CAAC"}

package/dist/promise-without-catch.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const promiseWithoutCatchRule: Rule;
+export default promiseWithoutCatchRule;
+//# sourceMappingURL=promise-without-catch.d.ts.map

package/dist/promise-without-catch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"promise-without-catch.d.ts","sourceRoot":"","sources":["../src/promise-without-catch.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAEvE,QAAA,MAAM,uBAAuB,EAAE,IA8E9B,CAAC;AAEF,eAAe,uBAAuB,CAAC"}

package/dist/promise-without-catch.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const promiseWithoutCatchRule = {
+    id: 'ai-codegen/promise-without-catch',
+    name: 'Promise Without Catch',
+    description: 'Detects .then() chains without a .catch() handler',
+    severity: 'warning',
+    category: 'ai-codegen',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CallExpression(path) {
+                const callee = path.node.callee;
+                // Look for .then() calls
+                if (callee.type !== 'MemberExpression' ||
+                    callee.property.type !== 'Identifier' ||
+                    callee.property.name !== 'then') {
+                    return;
+                }
+                // Walk up the chain to see if there's a .catch() anywhere
+                let current = path.parentPath;
+                let hasCatch = false;
+                // Check if this .then() is itself chained with .catch()
+                while (current) {
+                    if (current.isCallExpression() &&
+                        current.node.callee.type === 'MemberExpression' &&
+                        current.node.callee.property.type === 'Identifier' &&
+                        current.node.callee.property.name === 'catch') {
+                        hasCatch = true;
+                        break;
+                    }
+                    // If the parent is a member expression accessing .then/.catch/.finally, keep walking
+                    if (current.isMemberExpression() &&
+                        current.parentPath?.isCallExpression()) {
+                        current = current.parentPath;
+                        continue;
+                    }
+                    break;
+                }
+                // Also check if the .then() is inside a try block
+                if (!hasCatch) {
+                    for (const anc of path.getAncestry()) {
+                        if (anc.isTryStatement()) {
+                            hasCatch = true;
+                            break;
+                        }
+                    }
+                }
+                if (!hasCatch) {
+                    violations.push({
+                        ruleId: 'ai-codegen/promise-without-catch',
+                        severity: 'warning',
+                        message: '.then() chain without .catch() handler. Add error handling to prevent unhandled rejections.',
+                        location: {
+                            file: filePath,
+                            line: path.node.loc?.start.line ?? 0,
+                            column: path.node.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = promiseWithoutCatchRule;
+//# sourceMappingURL=promise-without-catch.js.map

package/dist/promise-without-catch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"promise-without-catch.js","sourceRoot":"","sources":["../src/promise-without-catch.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,uBAAuB,GAAS;IACpC,EAAE,EAAE,kCAAkC;IACtC,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EAAE,mDAAmD;IAChE,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,YAAY;IAEtB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;gBAEhC,yBAAyB;gBACzB,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,EAC/B,CAAC;oBACD,OAAO;gBACT,CAAC;gBAED,0DAA0D;gBAC1D,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC;gBAC9B,IAAI,QAAQ,GAAG,KAAK,CAAC;gBAErB,wDAAwD;gBACxD,OAAO,OAAO,EAAE,CAAC;oBACf,IACE,OAAO,CAAC,gBAAgB,EAAE;wBAC1B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;wBAC/C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wBAClD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,EAC7C,CAAC;wBACD,QAAQ,GAAG,IAAI,CAAC;wBAChB,MAAM;oBACR,CAAC;oBACD,qFAAqF;oBACrF,IACE,OAAO,CAAC,kBAAkB,EAAE;wBAC5B,OAAO,CAAC,UAAU,EAAE,gBAAgB,EAAE,EACtC,CAAC;wBACD,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC;wBAC7B,SAAS;oBACX,CAAC;oBACD,MAAM;gBACR,CAAC;gBAED,kDAAkD;gBAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;wBACrC,IAAI,GAAG,CAAC,cAAc,EAAE,EAAE,CAAC;4BACzB,QAAQ,GAAG,IAAI,CAAC;4BAChB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,kCAAkC;wBAC1C,QAAQ,EAAE,SAAS;wBACnB,OAAO,EACL,6FAA6F;wBAC/F,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,uBAAuB,CAAC"}

package/dist/sql-injection.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const sqlInjectionRule: Rule;
+export default sqlInjectionRule;
+//# sourceMappingURL=sql-injection.d.ts.map

package/dist/sql-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection.d.ts","sourceRoot":"","sources":["../src/sql-injection.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAwFvE,QAAA,MAAM,gBAAgB,EAAE,IA0CvB,CAAC;AAEF,eAAe,gBAAgB,CAAC"}

package/dist/sql-injection.js

@@ -0,0 +1,108 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+/**
+ * Detects SQL injection vulnerabilities from string concatenation
+ * or template literals used in database query calls.
+ *
+ * Catches patterns like:
+ *   db.query("SELECT * FROM users WHERE id = " + userId)
+ *   db.query(`SELECT * FROM users WHERE id = ${userId}`)
+ *   connection.execute("DELETE FROM " + table)
+ */
+const SQL_KEYWORDS = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC|EXECUTE|UNION|WHERE|FROM|INTO|VALUES|SET|TABLE|DATABASE)\b/i;
+const QUERY_METHOD_NAMES = new Set([
+    'query',
+    'execute',
+    'exec',
+    'raw',
+    'rawQuery',
+    'prepare',
+    'run',
+]);
+function containsSqlKeyword(value) {
+    return SQL_KEYWORDS.test(value);
+}
+function isQueryCall(path) {
+    const callee = path.node.callee;
+    // db.query(...)
+    if (callee.type === 'MemberExpression' &&
+        callee.property.type === 'Identifier' &&
+        QUERY_METHOD_NAMES.has(callee.property.name)) {
+        return true;
+    }
+    // query(...)
+    if (callee.type === 'Identifier' &&
+        QUERY_METHOD_NAMES.has(callee.name)) {
+        return true;
+    }
+    return false;
+}
+function hasDynamicParts(node) {
+    // Template literal with expressions
+    if (node.type === 'TemplateLiteral' &&
+        node.expressions.length > 0) {
+        return true;
+    }
+    // String concatenation with non-literal
+    if (node.type === 'BinaryExpression' &&
+        node.operator === '+') {
+        return true;
+    }
+    return false;
+}
+function extractStaticSqlParts(node) {
+    if (node.type === 'StringLiteral') {
+        return node.value;
+    }
+    if (node.type === 'TemplateLiteral') {
+        return node.quasis.map((q) => q.value.raw).join('');
+    }
+    if (node.type === 'BinaryExpression' && node.operator === '+') {
+        return (extractStaticSqlParts(node.left) +
+            extractStaticSqlParts(node.right));
+    }
+    return '';
+}
+const sqlInjectionRule = {
+    id: 'security/sql-injection',
+    name: 'SQL Injection',
+    description: 'Detects potential SQL injection from string concatenation or template literals in database queries',
+    severity: 'critical',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CallExpression(path) {
+                if (!isQueryCall(path))
+                    return;
+                const args = path.node.arguments;
+                if (args.length === 0)
+                    return;
+                const firstArg = args[0];
+                if (firstArg.type === 'SpreadElement')
+                    return;
+                const staticSql = extractStaticSqlParts(firstArg);
+                if (containsSqlKeyword(staticSql) && hasDynamicParts(firstArg)) {
+                    violations.push({
+                        ruleId: 'security/sql-injection',
+                        severity: 'critical',
+                        message: 'Potential SQL injection: dynamic values in SQL query string. Use parameterized queries instead.',
+                        location: {
+                            file: filePath,
+                            line: firstArg.loc?.start.line ?? 0,
+                            column: firstArg.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = sqlInjectionRule;
+//# sourceMappingURL=sql-injection.js.map

package/dist/sql-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection.js","sourceRoot":"","sources":["../src/sql-injection.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAIvC;;;;;;;;GAQG;AAEH,MAAM,YAAY,GAChB,mHAAmH,CAAC;AAEtH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,OAAO;IACP,SAAS;IACT,MAAM;IACN,KAAK;IACL,UAAU;IACV,SAAS;IACT,KAAK;CACN,CAAC,CAAC;AAEH,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,WAAW,CAAC,IAAS;IAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IAEhC,gBAAgB;IAChB,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;QAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;QACrC,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAC5C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa;IACb,IACE,MAAM,CAAC,IAAI,KAAK,YAAY;QAC5B,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EACnC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,oCAAoC;IACpC,IACE,IAAI,CAAC,IAAI,KAAK,iBAAiB;QAC/B,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,IACE,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAChC,IAAI,CAAC,QAAQ,KAAK,GAAG,EACrB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QAC9D,OAAO,CACL,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;YAChC,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAClC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,gBAAgB,GAAS;IAC7B,EAAE,EAAE,wBAAwB;IAC5B,IAAI,EAAE,eAAe;IACrB,WAAW,EACT,oGAAoG;IACtG,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;oBAAE,OAAO;gBAE/B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAE9B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,QAAQ,CAAC,IAAI,KAAK,eAAe;oBAAE,OAAO;gBAE9C,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;gBAElD,IAAI,kBAAkB,CAAC,SAAS,CAAC,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/D,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,wBAAwB;wBAChC,QAAQ,EAAE,UAAU;wBACpB,OAAO,EACL,iGAAiG;wBACnG,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACnC,MAAM,EAAE,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACxC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,gBAAgB,CAAC"}

package/dist/unsafe-regex.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const unsafeRegexRule: Rule;
+export default unsafeRegexRule;
+//# sourceMappingURL=unsafe-regex.d.ts.map

package/dist/unsafe-regex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-regex.d.ts","sourceRoot":"","sources":["../src/unsafe-regex.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAgBvE,QAAA,MAAM,eAAe,EAAE,IA4DtB,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/unsafe-regex.js

@@ -0,0 +1,75 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+/**
+ * Detects regex patterns vulnerable to ReDoS (Regular Expression Denial of Service).
+ * Flags patterns with nested quantifiers like (a+)+ or (a|b|c)* that cause exponential backtracking.
+ */
+const REDOS_PATTERNS = [
+    /\(.+\+\)\+/, // (x+)+
+    /\(.+\*\)\*/, // (x*)*
+    /\(.+\+\)\*/, // (x+)*
+    /\(.+\*\)\+/, // (x*)+
+    /\(.+\{.+\}\)\+/, // (x{n})+
+    /\(.+\{.+\}\)\*/, // (x{n})*
+];
+const unsafeRegexRule = {
+    id: 'security/unsafe-regex',
+    name: 'Unsafe Regex',
+    description: 'Detects regex patterns vulnerable to ReDoS (catastrophic backtracking)',
+    severity: 'high',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            RegExpLiteral(path) {
+                const pattern = path.node.pattern;
+                for (const redos of REDOS_PATTERNS) {
+                    if (redos.test(pattern)) {
+                        violations.push({
+                            ruleId: 'security/unsafe-regex',
+                            severity: 'high',
+                            message: `Regex "/${pattern}/" is vulnerable to ReDoS. Simplify the pattern or add input length limits.`,
+                            location: {
+                                file: filePath,
+                                line: path.node.loc?.start.line ?? 0,
+                                column: path.node.loc?.start.column ?? 0,
+                            },
+                        });
+                        break;
+                    }
+                }
+            },
+            NewExpression(path) {
+                if (path.node.callee.type === 'Identifier' &&
+                    path.node.callee.name === 'RegExp' &&
+                    path.node.arguments.length > 0 &&
+                    path.node.arguments[0].type === 'StringLiteral') {
+                    const pattern = path.node.arguments[0].value;
+                    for (const redos of REDOS_PATTERNS) {
+                        if (redos.test(pattern)) {
+                            violations.push({
+                                ruleId: 'security/unsafe-regex',
+                                severity: 'high',
+                                message: `Regex pattern "${pattern}" is vulnerable to ReDoS. Simplify the pattern or add input length limits.`,
+                                location: {
+                                    file: filePath,
+                                    line: path.node.loc?.start.line ?? 0,
+                                    column: path.node.loc?.start.column ?? 0,
+                                },
+                            });
+                            break;
+                        }
+                    }
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = unsafeRegexRule;
+//# sourceMappingURL=unsafe-regex.js.map

package/dist/unsafe-regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-regex.js","sourceRoot":"","sources":["../src/unsafe-regex.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC;;;GAGG;AAEH,MAAM,cAAc,GAAG;IACrB,YAAY,EAAM,QAAQ;IAC1B,YAAY,EAAM,QAAQ;IAC1B,YAAY,EAAM,QAAQ;IAC1B,YAAY,EAAM,QAAQ;IAC1B,gBAAgB,EAAE,UAAU;IAC5B,gBAAgB,EAAE,UAAU;CAC7B,CAAC;AAEF,MAAM,eAAe,GAAS;IAC5B,EAAE,EAAE,uBAAuB;IAC3B,IAAI,EAAE,cAAc;IACpB,WAAW,EAAE,wEAAwE;IACrF,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,aAAa,CAAC,IAAI;gBAChB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;gBAClC,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;oBACnC,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxB,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,uBAAuB;4BAC/B,QAAQ,EAAE,MAAM;4BAChB,OAAO,EAAE,WAAW,OAAO,6EAA6E;4BACxG,QAAQ,EAAE;gCACR,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;gCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;6BACzC;yBACF,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,aAAa,CAAC,IAAI;gBAChB,IACE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACtC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ;oBAClC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;oBAC9B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,EAC/C,CAAC;oBACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;oBAC7C,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;wBACnC,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;4BACxB,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,uBAAuB;gCAC/B,QAAQ,EAAE,MAAM;gCAChB,OAAO,EAAE,kBAAkB,OAAO,4EAA4E;gCAC9G,QAAQ,EAAE;oCACR,IAAI,EAAE,QAAQ;oCACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iCACzC;6BACF,CAAC,CAAC;4BACH,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,eAAe,CAAC"}

package/dist/unused-imports.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const unusedImportsRule: Rule;
+export default unusedImportsRule;
+//# sourceMappingURL=unused-imports.d.ts.map

package/dist/unused-imports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unused-imports.d.ts","sourceRoot":"","sources":["../src/unused-imports.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAEvE,QAAA,MAAM,iBAAiB,EAAE,IAmDxB,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/unused-imports.js

@@ -0,0 +1,56 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const unusedImportsRule = {
+    id: 'ai-codegen/unused-imports',
+    name: 'Unused Imports',
+    description: 'Detects imported identifiers that are never referenced in the file',
+    severity: 'warning',
+    category: 'ai-codegen',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            ImportDeclaration(path) {
+                for (const specifier of path.node.specifiers) {
+                    const localName = specifier.local.name;
+                    const binding = path.scope.getBinding(localName);
+                    if (binding && binding.references === 0) {
+                        violations.push({
+                            ruleId: 'ai-codegen/unused-imports',
+                            severity: 'warning',
+                            message: `"${localName}" is imported but never used.`,
+                            location: {
+                                file: filePath,
+                                line: specifier.loc?.start.line ?? 0,
+                                column: specifier.loc?.start.column ?? 0,
+                            },
+                            fix: path.node.specifiers.length === 1
+                                ? {
+                                    description: `Remove unused import of "${localName}"`,
+                                    range: {
+                                        start: {
+                                            line: path.node.loc?.start.line ?? 0,
+                                            column: path.node.loc?.start.column ?? 0,
+                                        },
+                                        end: {
+                                            line: path.node.loc?.end.line ?? 0,
+                                            column: path.node.loc?.end.column ?? 0,
+                                        },
+                                    },
+                                    replacement: '',
+                                }
+                                : undefined,
+                        });
+                    }
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = unusedImportsRule;
+//# sourceMappingURL=unused-imports.js.map

package/dist/unused-imports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unused-imports.js","sourceRoot":"","sources":["../src/unused-imports.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,iBAAiB,GAAS;IAC9B,EAAE,EAAE,2BAA2B;IAC/B,IAAI,EAAE,gBAAgB;IACtB,WAAW,EAAE,oEAAoE;IACjF,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,YAAY;IAEtB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,iBAAiB,CAAC,IAAI;gBACpB,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC;oBACvC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;oBAEjD,IAAI,OAAO,IAAI,OAAO,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;wBACxC,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,2BAA2B;4BACnC,QAAQ,EAAE,SAAS;4BACnB,OAAO,EAAE,IAAI,SAAS,+BAA+B;4BACrD,QAAQ,EAAE;gCACR,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;gCACpC,MAAM,EAAE,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;6BACzC;4BACD,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC;gCACpC,CAAC,CAAC;oCACE,WAAW,EAAE,4BAA4B,SAAS,GAAG;oCACrD,KAAK,EAAE;wCACL,KAAK,EAAE;4CACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4CACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yCACzC;wCACD,GAAG,EAAE;4CACH,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC;4CAClC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,IAAI,CAAC;yCACvC;qCACF;oCACD,WAAW,EAAE,EAAE;iCAChB;gCACH,CAAC,CAAC,SAAS;yBACd,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,iBAAiB,CAAC"}

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@guardrail-ai/rules",
+  "version": "0.1.0",
+  "description": "Built-in detection rules for Guardrail (19 rules across security, performance, quality, and AI-codegen)",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": ["dist", "README.md"],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Manavarya09/Guardrail.git",
+    "directory": "packages/rules"
+  },
+  "homepage": "https://github.com/Manavarya09/Guardrail",
+  "bugs": "https://github.com/Manavarya09/Guardrail/issues",
+  "keywords": ["guardrail", "security-rules", "ai-codegen", "static-analysis"],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@guardrail-ai/core": "^0.1.0",
+    "@babel/traverse": "^7.23.6",
+    "@babel/types": "^7.23.6"
+  },
+  "devDependencies": {
+    "@types/babel__traverse": "^7.20.4"
+  },
+  "license": "MIT"
+}