@indicated/vibeguard 1.0.0

package/dist/scanner/rules/definitions.js

@@ -0,0 +1,584 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.securityRules = void 0;
+exports.getRuleById = getRuleById;
+exports.getRulesBySeverity = getRulesBySeverity;
+exports.securityRules = [
+    // CRITICAL
+    {
+        id: 'hardcoded-secret',
+        name: 'Hardcoded API Key/Secret',
+        description: 'Hardcoded secrets can be extracted from source code and used maliciously',
+        severity: 'critical',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /(['"`])(?:sk-[a-zA-Z0-9]{20,})\1/,
+            /(['"`])(?:api[_-]?key|apikey|secret[_-]?key|secretkey|password|passwd|pwd)\s*[=:]\s*\1[^'"`\n]{8,}\1/i,
+            /(['"`])(?:ghp_[a-zA-Z0-9]{36})\1/,
+            /(['"`])(?:xox[baprs]-[a-zA-Z0-9-]{10,})\1/,
+            /(['"`])(?:AKIA[0-9A-Z]{16})\1/,
+            /(['"`])(?:eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*)\1/,
+        ],
+        fix: 'Move secrets to environment variables and use process.env',
+    },
+    {
+        id: 'sql-injection',
+        name: 'SQL Injection Vulnerability',
+        description: 'User input directly concatenated into SQL queries can allow attackers to execute arbitrary SQL',
+        severity: 'critical',
+        languages: ['javascript', 'typescript', 'python'],
+        astMatcher: 'sql-injection',
+        fix: 'Use parameterized queries or prepared statements',
+    },
+    {
+        id: 'eval-usage',
+        name: 'Dangerous eval() Usage',
+        description: 'eval() with dynamic input can execute arbitrary code',
+        severity: 'critical',
+        languages: ['javascript', 'typescript', 'python'],
+        astMatcher: 'eval-usage',
+        fix: 'Avoid eval() entirely or use safer alternatives like JSON.parse()',
+    },
+    {
+        id: 'command-injection',
+        name: 'Command Injection Vulnerability',
+        description: 'User input passed to shell commands can allow arbitrary command execution',
+        severity: 'critical',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /child_process.*exec\s*\([^)]*\$\{/,
+            /child_process.*exec\s*\([^)]*\+/,
+            /exec\s*\(\s*['"`][^'"`]*\$\{/,
+            /execSync\s*\(\s*['"`][^'"`]*\$\{/,
+            /spawn\s*\(\s*['"`][^'"`]*\$\{/,
+            /subprocess\.(?:call|run|Popen)\s*\([^)]*(?:shell\s*=\s*True|f['"`])/,
+            /os\.system\s*\(\s*f?['"`]/,
+            /os\.popen\s*\(\s*f?['"`]/,
+        ],
+        fix: 'Never pass user input to shell commands. Use parameterized APIs or escape input properly',
+    },
+    {
+        id: 'insecure-deserialization',
+        name: 'Insecure Deserialization',
+        description: 'Deserializing untrusted data can lead to remote code execution',
+        severity: 'critical',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /pickle\.loads?\s*\(/,
+            /yaml\.(?:load|unsafe_load)\s*\([^)]*(?!Loader)/,
+            /eval\s*\(\s*JSON\.parse/,
+            /serialize-javascript/,
+            /node-serialize/,
+            /unserialize\s*\(/,
+        ],
+        fix: 'Use safe deserialization methods. For Python use yaml.safe_load(). Avoid pickle with untrusted data',
+    },
+    // HIGH
+    {
+        id: 'missing-auth-route',
+        name: 'Missing Authentication on API Route',
+        description: 'API routes without authentication checks can be accessed by anyone',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        astMatcher: 'missing-auth',
+        fix: 'Add authentication middleware or check session/token at route start',
+    },
+    {
+        id: 'xss-innerhtml',
+        name: 'XSS via innerHTML/dangerouslySetInnerHTML',
+        description: 'Setting innerHTML with user data can execute malicious scripts',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        astMatcher: 'xss-innerhtml',
+        fix: 'Use textContent instead of innerHTML, or sanitize with DOMPurify',
+    },
+    {
+        id: 'secrets-localstorage',
+        name: 'Secrets in localStorage/sessionStorage',
+        description: 'Storing sensitive data in browser storage exposes it to XSS attacks',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /localStorage\.setItem\s*\(\s*['"`](?:token|jwt|auth|session|api[_-]?key|secret|password|credential)/i,
+            /sessionStorage\.setItem\s*\(\s*['"`](?:token|jwt|auth|session|api[_-]?key|secret|password|credential)/i,
+        ],
+        fix: 'Use httpOnly cookies for sensitive tokens, or encrypt before storage',
+    },
+    {
+        id: 'supabase-no-rls',
+        name: 'Supabase Without RLS',
+        description: 'Direct table access without Row Level Security allows unauthorized data access',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /\.from\s*\(\s*['"`][^'"`]+['"`]\s*\)\.(?:select|insert|update|delete)/,
+        ],
+        astMatcher: 'supabase-no-rls',
+        fix: 'Enable Row Level Security on Supabase tables and add policies',
+    },
+    {
+        id: 'firebase-no-rules',
+        name: 'Firebase Without Security Rules',
+        description: 'Firebase operations without proper security rules can expose data',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /firestore\(\)\.collection\s*\(\s*['"`][^'"`]+['"`]\s*\)/,
+            /firebase\.database\(\)\.ref\s*\(/,
+        ],
+        fix: 'Implement Firebase Security Rules to restrict access',
+    },
+    {
+        id: 'idor-vulnerability',
+        name: 'Potential IDOR Vulnerability',
+        description: 'Direct object references without ownership check allow unauthorized access',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        astMatcher: 'idor',
+        fix: 'Always verify the requesting user owns or has access to the resource',
+    },
+    {
+        id: 'path-traversal',
+        name: 'Path Traversal Vulnerability',
+        description: 'User input in file paths can allow access to arbitrary files',
+        severity: 'high',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /(?:readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\([^)]*(?:req\.|params\.|query\.|body\.|\$\{)/,
+            /path\.(?:join|resolve)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/,
+            /open\s*\(\s*(?:f['"`]|request\.|params\[)/,
+            /\.sendFile\s*\([^)]*(?:req\.|params\.|query\.)/,
+            /res\.download\s*\([^)]*(?:req\.|params\.|query\.)/,
+        ],
+        fix: 'Validate and sanitize file paths. Use path.basename() and check against allowed directories',
+    },
+    {
+        id: 'ssrf-vulnerability',
+        name: 'Server-Side Request Forgery (SSRF)',
+        description: 'User-controlled URLs can be used to access internal services',
+        severity: 'high',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /(?:fetch|axios\.get|axios\.post|request|got|node-fetch)\s*\([^)]*(?:req\.|params\.|query\.|body\.|\$\{)/,
+            /requests\.(?:get|post|put|delete)\s*\([^)]*(?:request\.|params\[|f['"`])/,
+            /urllib\.request\.urlopen\s*\([^)]*(?:request\.|f['"`])/,
+            /http\.request\s*\([^)]*(?:req\.|params\.)/,
+        ],
+        fix: 'Validate and whitelist allowed URLs/domains. Block internal IP ranges (10.x, 172.16.x, 192.168.x, 127.x)',
+    },
+    {
+        id: 'open-redirect',
+        name: 'Open Redirect Vulnerability',
+        description: 'Redirecting to user-supplied URLs can be used for phishing attacks',
+        severity: 'high',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /res\.redirect\s*\([^)]*(?:req\.|params\.|query\.|body\.)/,
+            /response\.redirect\s*\([^)]*(?:req\.|params\.|query\.)/,
+            /window\.location\s*=\s*(?:params|query|searchParams)/,
+            /location\.href\s*=\s*(?:params|query|searchParams)/,
+            /redirect\s*\(\s*request\.(?:GET|POST|args)/,
+            /HttpResponseRedirect\s*\([^)]*request\./,
+        ],
+        fix: 'Validate redirect URLs against a whitelist of allowed domains',
+    },
+    {
+        id: 'insecure-cookie',
+        name: 'Insecure Cookie Configuration',
+        description: 'Cookies without security flags are vulnerable to theft and CSRF',
+        severity: 'high',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /^\s*res\.cookie\s*\(\s*['"`](?:token|session|auth|jwt)[^'"]*['"`]\s*,\s*\w+\s*\)/im,
+            /^\s*document\.cookie\s*=\s*['"`](?:token|session|auth|jwt)\s*=/im,
+            /^\s*response\.set_cookie\s*\(\s*['"`](?:token|session|auth)[^'"]*['"`]\s*,[^)]*\)(?![^)]*httponly)/im,
+        ],
+        fix: 'Set httpOnly, secure, and sameSite flags on sensitive cookies. Note: httpOnly can only be set server-side',
+    },
+    {
+        id: 'missing-csrf',
+        name: 'Missing CSRF Protection',
+        description: 'Forms without CSRF tokens can be exploited by malicious sites',
+        severity: 'high',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /<form[^>]+method\s*=\s*['"`]post['"`][^>]*>(?![^<]{0,200}csrf)/i,
+            /@app\.route\s*\([^)]+methods\s*=\s*\[[^\]]*['"`]POST['"`][^\]]*\]\s*\)\s*\ndef\s+\w+/,
+        ],
+        fix: 'Implement CSRF tokens using csurf (Express) or Django/Flask CSRF middleware',
+    },
+    // MEDIUM
+    {
+        id: 'permissive-cors',
+        name: 'Permissive CORS Configuration',
+        description: 'Allowing all origins can enable CSRF attacks from any website',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /Access-Control-Allow-Origin['"`:]\s*['"`]\*['"`]/,
+            /cors\(\s*\{\s*origin\s*:\s*['"`]\*['"`]/,
+            /cors\(\s*\)/,
+        ],
+        fix: 'Restrict CORS to specific trusted origins',
+    },
+    {
+        id: 'http-not-https',
+        name: 'HTTP Instead of HTTPS',
+        description: 'Unencrypted HTTP connections can be intercepted',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /['"`]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"`]+['"`]/,
+        ],
+        fix: 'Use HTTPS for all external connections',
+    },
+    {
+        id: 'weak-password',
+        name: 'Weak Password Requirements',
+        description: 'Password validation that allows weak passwords',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /password\.length\s*(?:>=?|>)\s*[1-5](?!\d)/,
+            /len\(password\)\s*(?:>=?|>)\s*[1-5](?!\d)/,
+            /minLength\s*:\s*[1-5](?!\d)/,
+        ],
+        fix: 'Require minimum 8 characters with complexity requirements',
+    },
+    {
+        id: 'hardcoded-ip',
+        name: 'Hardcoded IP Address',
+        description: 'Hardcoded IP addresses make configuration inflexible and may expose internal infrastructure',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /['"`](?:10\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`]/,
+            /['"`](?:172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})['"`]/,
+            /['"`](?:192\.168\.\d{1,3}\.\d{1,3})['"`]/,
+            /['"`](?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`](?!.*(?:localhost|example|test|0\.0\.0\.0|127\.0\.0\.1))/,
+        ],
+        fix: 'Use environment variables or configuration files for IP addresses',
+    },
+    {
+        id: 'xxe-vulnerability',
+        name: 'XML External Entity (XXE) Injection',
+        description: 'XML parsers with external entities enabled can leak files or perform SSRF',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /xml2js/,
+            /DOMParser\s*\(\s*\)/,
+            /parseXML/,
+            /etree\.parse\s*\(/,
+            /xml\.etree\.ElementTree/,
+            /minidom\.parse/,
+            /lxml\.etree/,
+            /XMLReader/,
+        ],
+        fix: 'Disable external entities and DTDs in XML parser configuration',
+    },
+    {
+        id: 'jwt-none-algorithm',
+        name: 'JWT None Algorithm Vulnerability',
+        description: 'Accepting "none" algorithm in JWT allows token forgery',
+        severity: 'medium',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /algorithms\s*:\s*\[[^\]]*['"`]none['"`]/i,
+            /algorithm\s*=\s*['"`]none['"`]/i,
+            /verify\s*:\s*false/,
+            /ignoreExpiration\s*:\s*true/,
+        ],
+        fix: 'Always specify allowed algorithms explicitly and never include "none"',
+    },
+    // LOW
+    {
+        id: 'verbose-errors',
+        name: 'Verbose Error Messages to Client',
+        description: 'Detailed error messages can leak implementation details to attackers',
+        severity: 'low',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /res\.(?:json|send)\s*\(\s*(?:err|error)(?:\.message|\.stack)?/,
+            /\.status\s*\(\s*500\s*\)\.(?:json|send)\s*\(\s*\{[^}]*(?:error|message)\s*:\s*(?:err|error)/,
+        ],
+        fix: 'Return generic error messages to clients, log details server-side',
+    },
+    {
+        id: 'missing-rate-limit',
+        name: 'Missing Rate Limiting',
+        description: 'Auth endpoints without rate limiting are vulnerable to brute force attacks',
+        severity: 'low',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /app\.post\s*\(\s*['"`]\/(?:login|signin|auth\/login|api\/login)['"`]\s*,\s*(?:async\s*)?\(/,
+            /app\.post\s*\(\s*['"`]\/(?:register|signup|auth\/register)['"`]\s*,\s*(?:async\s*)?\(/,
+            /app\.post\s*\(\s*['"`]\/(?:forgot-password|reset-password|password\/reset)['"`]\s*,\s*(?:async\s*)?\(/,
+        ],
+        astMatcher: 'missing-rate-limit',
+        fix: 'Add rate limiting middleware (e.g., express-rate-limit)',
+    },
+    {
+        id: 'console-log-sensitive',
+        name: 'Logging Sensitive Data',
+        description: 'Logging sensitive information can expose it in log files',
+        severity: 'low',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /console\.log\s*\(\s*(?:password|secret|apiKey|token|credential|accessToken|refreshToken)\s*[,)]/i,
+            /console\.log\s*\([^)]*,\s*(?:password|secret|apiKey|token|credential)\s*[,)]/i,
+            /print\s*\(\s*(?:password|secret|api_key|token|credential)\s*[,)]/i,
+            /print\s*\(\s*f?['"`][^'"]*\{(?:password|secret|token|credential)\}/i,
+            /logger\.(?:info|debug|log)\s*\(\s*(?:password|secret|token|credential)\s*[,)]/i,
+        ],
+        fix: 'Remove or mask sensitive data before logging',
+    },
+    {
+        id: 'debug-mode-enabled',
+        name: 'Debug Mode Enabled in Production',
+        description: 'Debug mode can expose sensitive information and stack traces',
+        severity: 'low',
+        languages: ['javascript', 'typescript', 'python'],
+        patterns: [
+            /DEBUG\s*=\s*True/,
+            /debug\s*:\s*true/,
+            /NODE_ENV.*development/,
+            /\.enableDebug\s*\(\s*true\s*\)/,
+        ],
+        fix: 'Disable debug mode in production environments',
+    },
+    {
+        id: 'prototype-pollution',
+        name: 'Potential Prototype Pollution',
+        description: 'Merging user input into objects can allow prototype pollution attacks',
+        severity: 'low',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /Object\.assign\s*\(\s*\{\}\s*,[^)]*(?:req\.|body\.|params\.|query\.)/,
+            /\{\s*\.\.\.(?:req|body|params|query)/,
+            /lodash\.merge\s*\([^)]*(?:req\.|body\.)/,
+            /deepmerge\s*\([^)]*(?:req\.|body\.)/,
+        ],
+        fix: 'Validate and sanitize user input before merging. Use Object.create(null) for dictionaries',
+    },
+    // ============================================
+    // FRAMEWORK-SPECIFIC RULES
+    // ============================================
+    // --- Next.js ---
+    {
+        id: 'nextjs-exposed-server-action',
+        name: 'Next.js Server Action Without Auth',
+        description: 'Server actions are public endpoints and need authentication checks',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /['"`]use server['"`]\s*;?\s*(?:export\s+)?(?:async\s+)?function\s+\w+\s*\([^)]*\)\s*\{(?![^}]*(?:auth|session|getServerSession|currentUser))/,
+        ],
+        fix: 'Add authentication check at the start of server actions using getServerSession() or similar',
+    },
+    {
+        id: 'nextjs-api-route-no-auth',
+        name: 'Next.js API Route Without Auth Check',
+        description: 'API routes in Next.js are public by default and need explicit auth',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /export\s+(?:default\s+)?(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?![^}]{0,500}(?:getServerSession|auth|getToken|verifyToken|currentUser))/,
+        ],
+        fix: 'Add authentication check using getServerSession() from next-auth or similar',
+    },
+    {
+        id: 'nextjs-dangerouslySetInnerHTML',
+        name: 'Next.js dangerouslySetInnerHTML with User Data',
+        description: 'Using dangerouslySetInnerHTML with dynamic data can cause XSS',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?!['"`])/,
+        ],
+        fix: 'Sanitize HTML using DOMPurify or similar before using dangerouslySetInnerHTML',
+    },
+    {
+        id: 'nextjs-exposed-env',
+        name: 'Next.js Private Env Exposed to Client',
+        description: 'Environment variables without NEXT_PUBLIC_ prefix should not be in client code',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /['"`]use client['"`][\s\S]*process\.env\.(?!NEXT_PUBLIC_)[A-Z_]+/,
+        ],
+        fix: 'Use NEXT_PUBLIC_ prefix for client-side env vars, or access server env in API routes only',
+    },
+    // --- Django ---
+    {
+        id: 'django-debug-true',
+        name: 'Django DEBUG=True in Production',
+        description: 'Debug mode exposes sensitive information and should never be enabled in production',
+        severity: 'critical',
+        languages: ['python'],
+        patterns: [
+            /DEBUG\s*=\s*True/,
+        ],
+        fix: 'Set DEBUG=False in production and use environment variables',
+    },
+    {
+        id: 'django-secret-key-exposed',
+        name: 'Django SECRET_KEY Hardcoded',
+        description: 'Hardcoded SECRET_KEY can be extracted and used to forge sessions',
+        severity: 'critical',
+        languages: ['python'],
+        patterns: [
+            /SECRET_KEY\s*=\s*['"`][^'"`]{20,}['"`]/,
+        ],
+        fix: 'Load SECRET_KEY from environment variable: os.environ.get("SECRET_KEY")',
+    },
+    {
+        id: 'django-raw-sql',
+        name: 'Django Raw SQL Query',
+        description: 'Raw SQL queries with string formatting are vulnerable to SQL injection',
+        severity: 'critical',
+        languages: ['python'],
+        patterns: [
+            /\.raw\s*\(\s*f['"`]/,
+            /\.raw\s*\(\s*['"`][^'"`]*%s/,
+            /\.extra\s*\(\s*where\s*=\s*\[/,
+            /cursor\.execute\s*\(\s*f['"`]/,
+        ],
+        fix: 'Use parameterized queries with %s placeholders and params tuple',
+    },
+    {
+        id: 'django-no-csrf-exempt',
+        name: 'Django CSRF Exemption',
+        description: 'Disabling CSRF protection exposes the endpoint to cross-site attacks',
+        severity: 'high',
+        languages: ['python'],
+        patterns: [
+            /@csrf_exempt/,
+        ],
+        fix: 'Remove @csrf_exempt and implement proper CSRF handling, or use API tokens for non-browser clients',
+    },
+    {
+        id: 'django-allowed-hosts-all',
+        name: 'Django ALLOWED_HOSTS Wildcard',
+        description: 'Allowing all hosts can enable host header attacks',
+        severity: 'medium',
+        languages: ['python'],
+        patterns: [
+            /ALLOWED_HOSTS\s*=\s*\[\s*['"`]\*['"`]\s*\]/,
+        ],
+        fix: 'Specify explicit allowed hosts: ALLOWED_HOSTS = ["example.com", "www.example.com"]',
+    },
+    // --- FastAPI ---
+    {
+        id: 'fastapi-no-auth-dependency',
+        name: 'FastAPI Endpoint Without Auth Dependency',
+        description: 'Sensitive endpoints should use Depends() for authentication',
+        severity: 'high',
+        languages: ['python'],
+        patterns: [
+            /@app\.(?:post|put|delete|patch)\s*\(\s*['"`]\/(?:admin|user|account|settings)[^'"]*['"`]\s*\)\s*\n(?:async\s+)?def\s+\w+\s*\([^)]*\)(?![^:]*Depends)/,
+        ],
+        fix: 'Add authentication dependency: async def endpoint(user: User = Depends(get_current_user))',
+    },
+    {
+        id: 'fastapi-cors-all-origins',
+        name: 'FastAPI CORS Allow All Origins',
+        description: 'Allowing all origins with credentials enabled is a security risk',
+        severity: 'medium',
+        languages: ['python'],
+        patterns: [
+            /add_middleware\s*\(\s*CORSMiddleware[^)]*allow_origins\s*=\s*\[\s*['"`]\*['"`]\s*\]/,
+        ],
+        fix: 'Specify allowed origins explicitly instead of using wildcard',
+    },
+    // --- NestJS ---
+    {
+        id: 'nestjs-no-auth-guard',
+        name: 'NestJS Controller Without Auth Guard',
+        description: 'Controllers handling sensitive data should use authentication guards',
+        severity: 'high',
+        languages: ['typescript'],
+        patterns: [
+            /@Controller\s*\(\s*['"`](?:admin|user|account|settings|payment)[^'"]*['"`]\s*\)\s*\nexport\s+class\s+\w+(?![^{]*@UseGuards)/,
+        ],
+        fix: 'Add @UseGuards(AuthGuard) decorator to the controller or specific routes',
+    },
+    {
+        id: 'nestjs-exposed-internal-exception',
+        name: 'NestJS Internal Exception Exposed',
+        description: 'Throwing raw errors exposes internal details to clients',
+        severity: 'low',
+        languages: ['typescript'],
+        patterns: [
+            /throw\s+new\s+(?:Error|InternalServerErrorException)\s*\(\s*(?:err|error)\.message/,
+        ],
+        fix: 'Use HttpException with generic message, log details internally',
+    },
+    // --- React (general) ---
+    {
+        id: 'react-href-javascript',
+        name: 'React href with javascript: Protocol',
+        description: 'javascript: URLs in href can execute arbitrary code',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /href\s*=\s*\{[^}]*['"`]javascript:/,
+            /href\s*=\s*['"`]javascript:/,
+        ],
+        fix: 'Never use javascript: URLs. Use onClick handlers instead',
+    },
+    {
+        id: 'react-url-state-injection',
+        name: 'React URL Parameters in Dangerous Context',
+        description: 'URL parameters used in dangerous contexts can cause XSS',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /useSearchParams\s*\(\s*\)[\s\S]*dangerouslySetInnerHTML/,
+            /searchParams\.get\s*\([^)]+\)[\s\S]*innerHTML/,
+        ],
+        fix: 'Sanitize URL parameters before using in dangerous contexts',
+    },
+    // --- Express.js ---
+    {
+        id: 'express-helmet-missing',
+        name: 'Express Missing Security Headers (Helmet)',
+        description: 'Express apps should use Helmet for security headers',
+        severity: 'medium',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /express\s*\(\s*\)(?![^;]*helmet)/,
+        ],
+        fix: 'Add Helmet middleware: app.use(helmet())',
+    },
+    {
+        id: 'express-body-parser-limit',
+        name: 'Express Body Parser Without Size Limit',
+        description: 'Unlimited body size can lead to denial of service attacks',
+        severity: 'medium',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /express\.json\s*\(\s*\)/,
+            /bodyParser\.json\s*\(\s*\)/,
+        ],
+        fix: 'Set a body size limit: express.json({ limit: "10kb" })',
+    },
+    {
+        id: 'express-session-insecure',
+        name: 'Express Session Insecure Configuration',
+        description: 'Session cookies should be secure and httpOnly',
+        severity: 'high',
+        languages: ['javascript', 'typescript'],
+        patterns: [
+            /session\s*\(\s*\{[^}]*secret\s*:[^}]*\}\s*\)(?![^)]*(?:secure|httpOnly))/,
+        ],
+        fix: 'Configure session with secure options: { cookie: { secure: true, httpOnly: true, sameSite: "strict" } }',
+    },
+];
+function getRuleById(id) {
+    return exports.securityRules.find(rule => rule.id === id);
+}
+function getRulesBySeverity(severity) {
+    return exports.securityRules.filter(rule => rule.severity === severity);
+}
+//# sourceMappingURL=definitions.js.map

package/dist/scanner/rules/definitions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"definitions.js","sourceRoot":"","sources":["../../../src/scanner/rules/definitions.ts"],"names":[],"mappings":";;;AAykBA,kCAEC;AAED,gDAEC;AA7kBY,QAAA,aAAa,GAAmB;IAC3C,WAAW;IACX;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,0BAA0B;QAChC,WAAW,EAAE,0EAA0E;QACvF,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,kCAAkC;YAClC,uGAAuG;YACvG,kCAAkC;YAClC,2CAA2C;YAC3C,+BAA+B;YAC/B,mEAAmE;SACpE;QACD,GAAG,EAAE,2DAA2D;KACjE;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,6BAA6B;QACnC,WAAW,EAAE,gGAAgG;QAC7G,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,UAAU,EAAE,eAAe;QAC3B,GAAG,EAAE,kDAAkD;KACxD;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,sDAAsD;QACnE,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,UAAU,EAAE,YAAY;QACxB,GAAG,EAAE,mEAAmE;KACzE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,2EAA2E;QACxF,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,mCAAmC;YACnC,iCAAiC;YACjC,8BAA8B;YAC9B,kCAAkC;YAClC,+BAA+B;YAC/B,qEAAqE;YACrE,2BAA2B;YAC3B,0BAA0B;SAC3B;QACD,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,0BAA0B;QAChC,WAAW,EAAE,gEAAgE;QAC7E,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,qBAAqB;YACrB,gDAAgD;YAChD,yBAAyB;YACzB,sBAAsB;YACtB,gBAAgB;YAChB,kBAAkB;SACnB;QACD,GAAG,EAAE,qGAAqG;KAC3G;IAED,OAAO;IACP;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,oEAAoE;QACjF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,UAAU,EAAE,cAAc;QAC1B,GAAG,EAAE,qEAAqE;KAC3E;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,2CAA2C;QACjD,WAAW,EAAE,gEAAgE;QAC7E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,UAAU,EAAE,eAAe;QAC3B,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,wCAAwC;QAC9C,WAAW,EAAE,qEAAqE;QAClF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,sGAAsG;YACtG,wGAAwG;SACzG;QACD,GAAG,EAAE,sEAAsE;KAC5E;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,gFAAgF;QAC7F,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,uEAAuE;SACxE;QACD,UAAU,EAAE,iBAAiB;QAC7B,GAAG,EAAE,+DAA+D;KACrE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,mEAAmE;QAChF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,yDAAyD;YACzD,kCAAkC;SACnC;QACD,GAAG,EAAE,sDAAsD;KAC5D;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,4EAA4E;QACzF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,UAAU,EAAE,MAAM;QAClB,GAAG,EAAE,sEAAsE;KAC5E;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,sIAAsI;YACtI,mEAAmE;YACnE,2CAA2C;YAC3C,gDAAgD;YAChD,mDAAmD;SACpD;QACD,GAAG,EAAE,6FAA6F;KACnG;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,oCAAoC;QAC1C,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,yGAAyG;YACzG,0EAA0E;YAC1E,wDAAwD;YACxD,2CAA2C;SAC5C;QACD,GAAG,EAAE,0GAA0G;KAChH;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,6BAA6B;QACnC,WAAW,EAAE,oEAAoE;QACjF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,0DAA0D;YAC1D,wDAAwD;YACxD,sDAAsD;YACtD,oDAAoD;YACpD,4CAA4C;YAC5C,yCAAyC;SAC1C;QACD,GAAG,EAAE,+DAA+D;KACrE;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,iEAAiE;QAC9E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,oFAAoF;YACpF,kEAAkE;YAClE,sGAAsG;SACvG;QACD,GAAG,EAAE,2GAA2G;KACjH;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,iEAAiE;YACjE,sFAAsF;SACvF;QACD,GAAG,EAAE,6EAA6E;KACnF;IAED,SAAS;IACT;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,kDAAkD;YAClD,yCAAyC;YACzC,aAAa;SACd;QACD,GAAG,EAAE,2CAA2C;KACjD;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,iDAAiD;QAC9D,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,iEAAiE;SAClE;QACD,GAAG,EAAE,wCAAwC;KAC9C;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,gDAAgD;QAC7D,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,4CAA4C;YAC5C,2CAA2C;YAC3C,6BAA6B;SAC9B;QACD,GAAG,EAAE,2DAA2D;KACjE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,6FAA6F;QAC1G,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,6CAA6C;YAC7C,2DAA2D;YAC3D,0CAA0C;YAC1C,0GAA0G;SAC3G;QACD,GAAG,EAAE,mEAAmE;KACzE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,2EAA2E;QACxF,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,QAAQ;YACR,qBAAqB;YACrB,UAAU;YACV,mBAAmB;YACnB,yBAAyB;YACzB,gBAAgB;YAChB,aAAa;YACb,WAAW;SACZ;QACD,GAAG,EAAE,gEAAgE;KACtE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,kCAAkC;QACxC,WAAW,EAAE,wDAAwD;QACrE,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,0CAA0C;YAC1C,iCAAiC;YACjC,oBAAoB;YACpB,6BAA6B;SAC9B;QACD,GAAG,EAAE,uEAAuE;KAC7E;IAED,MAAM;IACN;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,kCAAkC;QACxC,WAAW,EAAE,sEAAsE;QACnF,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,+DAA+D;YAC/D,6FAA6F;SAC9F;QACD,GAAG,EAAE,mEAAmE;KACzE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,4EAA4E;QACzF,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,4FAA4F;YAC5F,uFAAuF;YACvF,uGAAuG;SACxG;QACD,UAAU,EAAE,oBAAoB;QAChC,GAAG,EAAE,yDAAyD;KAC/D;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,kGAAkG;YAClG,+EAA+E;YAC/E,mEAAmE;YACnE,qEAAqE;YACrE,gFAAgF;SACjF;QACD,GAAG,EAAE,8CAA8C;KACpD;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,kCAAkC;QACxC,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,QAAQ,EAAE;YACR,kBAAkB;YAClB,kBAAkB;YAClB,uBAAuB;YACvB,gCAAgC;SACjC;QACD,GAAG,EAAE,+CAA+C;KACrD;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,uEAAuE;QACpF,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,sEAAsE;YACtE,sCAAsC;YACtC,yCAAyC;YACzC,qCAAqC;SACtC;QACD,GAAG,EAAE,2FAA2F;KACjG;IAED,+CAA+C;IAC/C,2BAA2B;IAC3B,+CAA+C;IAE/C,kBAAkB;IAClB;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,oCAAoC;QAC1C,WAAW,EAAE,oEAAoE;QACjF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,8IAA8I;SAC/I;QACD,GAAG,EAAE,6FAA6F;KACnG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,sCAAsC;QAC5C,WAAW,EAAE,oEAAoE;QACjF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,yKAAyK;SAC1K;QACD,GAAG,EAAE,6EAA6E;KACnF;IACD;QACE,EAAE,EAAE,gCAAgC;QACpC,IAAI,EAAE,gDAAgD;QACtD,WAAW,EAAE,+DAA+D;QAC5E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,gEAAgE;SACjE;QACD,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,uCAAuC;QAC7C,WAAW,EAAE,gFAAgF;QAC7F,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,kEAAkE;SACnE;QACD,GAAG,EAAE,2FAA2F;KACjG;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,oFAAoF;QACjG,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,kBAAkB;SACnB;QACD,GAAG,EAAE,6DAA6D;KACnE;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,6BAA6B;QACnC,WAAW,EAAE,kEAAkE;QAC/E,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,wCAAwC;SACzC;QACD,GAAG,EAAE,yEAAyE;KAC/E;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,wEAAwE;QACrF,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,qBAAqB;YACrB,6BAA6B;YAC7B,+BAA+B;YAC/B,+BAA+B;SAChC;QACD,GAAG,EAAE,iEAAiE;KACvE;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,sEAAsE;QACnF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,cAAc;SACf;QACD,GAAG,EAAE,mGAAmG;KACzG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,4CAA4C;SAC7C;QACD,GAAG,EAAE,oFAAoF;KAC1F;IAED,kBAAkB;IAClB;QACE,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,0CAA0C;QAChD,WAAW,EAAE,6DAA6D;QAC1E,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,sJAAsJ;SACvJ;QACD,GAAG,EAAE,2FAA2F;KACjG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,kEAAkE;QAC/E,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,QAAQ,EAAE;YACR,qFAAqF;SACtF;QACD,GAAG,EAAE,8DAA8D;KACpE;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sCAAsC;QAC5C,WAAW,EAAE,sEAAsE;QACnF,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,CAAC;QACzB,QAAQ,EAAE;YACR,6HAA6H;SAC9H;QACD,GAAG,EAAE,0EAA0E;KAChF;IACD;QACE,EAAE,EAAE,mCAAmC;QACvC,IAAI,EAAE,mCAAmC;QACzC,WAAW,EAAE,yDAAyD;QACtE,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,YAAY,CAAC;QACzB,QAAQ,EAAE;YACR,oFAAoF;SACrF;QACD,GAAG,EAAE,gEAAgE;KACtE;IAED,0BAA0B;IAC1B;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,sCAAsC;QAC5C,WAAW,EAAE,qDAAqD;QAClE,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,oCAAoC;YACpC,6BAA6B;SAC9B;QACD,GAAG,EAAE,0DAA0D;KAChE;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,2CAA2C;QACjD,WAAW,EAAE,yDAAyD;QACtE,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,yDAAyD;YACzD,+CAA+C;SAChD;QACD,GAAG,EAAE,4DAA4D;KAClE;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,2CAA2C;QACjD,WAAW,EAAE,qDAAqD;QAClE,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,kCAAkC;SACnC;QACD,GAAG,EAAE,0CAA0C;KAChD;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,wCAAwC;QAC9C,WAAW,EAAE,2DAA2D;QACxE,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,yBAAyB;YACzB,4BAA4B;SAC7B;QACD,GAAG,EAAE,wDAAwD;KAC9D;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,wCAAwC;QAC9C,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE;YACR,0EAA0E;SAC3E;QACD,GAAG,EAAE,yGAAyG;KAC/G;CACF,CAAC;AAEF,SAAgB,WAAW,CAAC,EAAU;IACpC,OAAO,qBAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,SAAgB,kBAAkB,CAAC,QAAgB;IACjD,OAAO,qBAAa,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAClE,CAAC"}

package/dist/scanner/rules/loader.d.ts

@@ -0,0 +1,8 @@
+import { SecurityRule } from '../../types';
+export declare function loadRules(licenseKey?: string): Promise<SecurityRule[]>;
+export declare function filterRules(rules: SecurityRule[], options: {
+    enabled?: string[];
+    disabled?: string[];
+    languages?: string[];
+}): SecurityRule[];
+//# sourceMappingURL=loader.d.ts.map

package/dist/scanner/rules/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../src/scanner/rules/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAK3C,wBAAsB,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CA0B5E;AAED,wBAAgB,WAAW,CACzB,KAAK,EAAE,YAAY,EAAE,EACrB,OAAO,EAAE;IACP,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,GACA,YAAY,EAAE,CAkBhB"}

package/dist/scanner/rules/loader.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadRules = loadRules;
+exports.filterRules = filterRules;
+const definitions_1 = require("./definitions");
+const API_BASE_URL = process.env.VIBEGUARD_API_URL || 'https://api.vibeguard.dev';
+async function loadRules(licenseKey) {
+    // For now, use local rules
+    // In production, this would fetch from the API
+    if (process.env.VIBEGUARD_OFFLINE === 'true' || !licenseKey) {
+        return definitions_1.securityRules;
+    }
+    try {
+        const response = await fetch(`${API_BASE_URL}/v1/rules`, {
+            headers: {
+                'Authorization': `Bearer ${licenseKey}`,
+                'Content-Type': 'application/json',
+            },
+        });
+        if (!response.ok) {
+            // Fall back to local rules if API fails
+            return definitions_1.securityRules;
+        }
+        const data = (await response.json());
+        return data.rules || definitions_1.securityRules;
+    }
+    catch {
+        // Fall back to local rules on network error
+        return definitions_1.securityRules;
+    }
+}
+function filterRules(rules, options) {
+    let filtered = [...rules];
+    if (options.enabled && options.enabled.length > 0) {
+        filtered = filtered.filter(rule => options.enabled.includes(rule.id));
+    }
+    if (options.disabled && options.disabled.length > 0) {
+        filtered = filtered.filter(rule => !options.disabled.includes(rule.id));
+    }
+    if (options.languages && options.languages.length > 0) {
+        filtered = filtered.filter(rule => rule.languages.some(lang => options.languages.includes(lang)));
+    }
+    return filtered;
+}
+//# sourceMappingURL=loader.js.map