@jigyasudham/veto 0.8.0

package/dist/council/lead-developer.js

@@ -0,0 +1,108 @@
+const BLOCK_RULES = [
+    {
+        pattern: /\bmd5\b/i,
+        reason: 'MD5 is cryptographically broken since 2008. Rainbow tables crack it instantly.',
+        recommendation: 'Use bcrypt (cost 12) for passwords. Use SHA-256 for checksums only.',
+    },
+    {
+        pattern: /\bsha-?1\b/i,
+        reason: 'SHA-1 collision attacks are practical since 2017. Deprecated for all security use.',
+        recommendation: 'Use SHA-256 or SHA-3. For passwords use bcrypt/argon2.',
+    },
+    {
+        pattern: /\b(des|3des|triple.?des)\b/i,
+        reason: 'DES/3DES is broken. Brute-forceable in hours.',
+        recommendation: 'Use AES-256-GCM for symmetric encryption.',
+    },
+    {
+        pattern: /\brc4\b/i,
+        reason: 'RC4 is broken — biased keystream, practical attacks exist.',
+        recommendation: 'Use ChaCha20-Poly1305 or AES-256-GCM.',
+    },
+    {
+        pattern: /\beval\s*\(/i,
+        reason: 'eval() enables arbitrary code execution from user input.',
+        recommendation: 'Remove eval(). Use JSON.parse() for data, redesign for logic.',
+    },
+    {
+        pattern: /\bnew\s+Function\s*\(/i,
+        reason: 'new Function() is eval() in disguise. Same arbitrary execution risk.',
+        recommendation: 'Never construct functions from strings. Redesign the logic.',
+    },
+    {
+        pattern: /hardcod.{0,20}(password|secret|key|token|credential)/i,
+        reason: 'Hardcoded credentials ship to version control and get leaked.',
+        recommendation: 'Move to environment variables. Use dotenv locally, vault in prod.',
+    },
+    {
+        pattern: /(password|secret|api.?key|token).{0,20}hardcod/i,
+        reason: 'Hardcoded credentials in source is a critical vulnerability.',
+        recommendation: 'Use process.env.VAR_NAME. Never commit secrets.',
+    },
+    {
+        pattern: /disable.{0,15}(ssl|tls|cert(?:ificate)?(?:.?verif)?)/i,
+        reason: 'Disabling SSL/TLS validation exposes all traffic to MITM attacks.',
+        recommendation: 'Fix the certificate properly. Never disable validation in production.',
+    },
+    {
+        pattern: /cors.{0,15}['"]\s*\*\s*['"]/i,
+        reason: 'CORS wildcard (*) allows any origin to read API responses.',
+        recommendation: 'Specify exact allowed origins: ["https://yourdomain.com"].',
+    },
+    {
+        pattern: /innerHTML\s*=\s*.*(req\b|input\b|param|user|body)/i,
+        reason: 'Setting innerHTML from user data enables stored XSS attacks.',
+        recommendation: 'Use textContent for text. Sanitize with DOMPurify if HTML is needed.',
+    },
+    {
+        pattern: /no.{0,10}input.{0,10}(valid|sanitiz)/i,
+        reason: 'Explicitly skipping input validation is the root cause of most injections.',
+        recommendation: 'Validate all external input at the boundary with zod/joi schemas.',
+    },
+];
+const WARN_RULES = [
+    { pattern: /\bjquery\b/i, concern: 'jQuery in 2025 adds 30KB for what native DOM provides for free.' },
+    { pattern: /\bvar\s+[a-zA-Z_$]/i, concern: 'var has function-scope hoisting. Use const (default) or let.' },
+    { pattern: /catch\s*\([^)]*\)\s*\{\s*(\/\/[^\n]*)?\s*\}/i, concern: 'Empty catch silently swallows errors.' },
+    { pattern: /console\.(log|debug)\b/i, concern: 'console.log in production leaks internal state. Use structured logging.' },
+    { pattern: /\/\/\s*(todo|fixme|hack|xxx)\b/i, concern: 'Unresolved TODO/FIXME — resolve before shipping.' },
+    { pattern: /:\s*any\b/i, concern: 'TypeScript any disables type safety. Use unknown or a proper type.' },
+    { pattern: /\b(xdescribe|xit|xtest|\.skip)\b/i, concern: 'Skipped tests hide regressions. Fix or delete them.' },
+    { pattern: /Math\.random\(\)/i, concern: 'Math.random() is not cryptographically secure. Use crypto.randomBytes().' },
+];
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format code|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no security or quality concerns.', concerns: [] };
+    }
+    const blocks = [];
+    const concerns = [];
+    for (const rule of BLOCK_RULES) {
+        if (rule.pattern.test(task)) {
+            blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
+        }
+    }
+    for (const rule of WARN_RULES) {
+        if (rule.pattern.test(task)) {
+            concerns.push(rule.concern);
+        }
+    }
+    if (blocks.length > 0) {
+        return {
+            verdict: 'block',
+            reason: blocks[0].reason,
+            concerns: [...blocks.slice(1).map(b => b.reason), ...concerns],
+            recommendation: blocks.map(b => b.recommendation).join(' | '),
+        };
+    }
+    if (concerns.length > 0) {
+        return {
+            verdict: 'warn',
+            reason: `${concerns.length} code quality issue${concerns.length > 1 ? 's' : ''} detected.`,
+            concerns,
+            recommendation: 'Address quality concerns before shipping to production.',
+        };
+    }
+    return { verdict: 'approve', reason: 'No security or quality violations detected.', concerns: [] };
+}
+//# sourceMappingURL=lead-developer.js.map

package/dist/council/legal-compliance.js

@@ -0,0 +1,142 @@
+const BLOCK_RULES = [
+    {
+        pattern: /\b(gpl|gnu.?general.?public.?license)\b/i,
+        reason: 'GPL code in a non-GPL project creates license contamination — entire project must become GPL.',
+        recommendation: 'Audit all dependencies with license-checker. Replace GPL deps with MIT/Apache/BSD alternatives.',
+    },
+    {
+        pattern: /\bagpl\b/i,
+        reason: 'AGPL requires open-sourcing any server code users interact with over a network.',
+        recommendation: 'Either make your code AGPL, obtain a commercial license, or replace the AGPL dependency.',
+    },
+    {
+        pattern: /collect.{0,40}(personal|pii|email|phone|address).{0,40}no.{0,20}consent/i,
+        reason: 'Collecting personal data without consent violates GDPR Article 6 and CCPA — fines up to 4% global revenue.',
+        recommendation: 'Add explicit consent collection before gathering PII. Document legal basis (contract, consent, legitimate interest).',
+    },
+    {
+        pattern: /\b(hipaa|phi|protected.?health|health.?record)\b/i,
+        reason: 'Health data (PHI) requires HIPAA-compliant infrastructure, signed BAAs, and mandatory audit logging.',
+        recommendation: 'Use a HIPAA-compliant cloud provider. Sign Business Associate Agreements. Encrypt PHI at rest and in transit.',
+    },
+    {
+        pattern: /collect.{0,30}(children|child|minor|under.{0,5}1[23])/i,
+        reason: 'Collecting data from under-13s without verifiable parental consent violates COPPA (US) and GDPR.',
+        recommendation: 'Add age gate. Obtain verifiable parental consent. Consult legal counsel before proceeding.',
+    },
+    {
+        pattern: /store.{0,30}(credit.?card|card.?number|\bpan\b|\bcvv\b|\bcvc\b)/i,
+        reason: 'Storing raw card data requires PCI-DSS Level 1 compliance — years of audits and millions in infrastructure.',
+        recommendation: "Never store raw card data. Use Stripe/Braintree tokenization. Your PCI scope drops to SAQ-A.",
+    },
+    {
+        pattern: /scrape.{0,30}(facebook|twitter|linkedin|instagram|google|youtube|amazon)/i,
+        reason: 'Scraping major platforms violates their ToS and has led to multi-million dollar lawsuits (hiQ v. LinkedIn).',
+        recommendation: 'Use official APIs only. Review ToS data-use clauses. Seek legal opinion if data has commercial value.',
+    },
+    {
+        pattern: /train.{0,40}(model|ai|ml|llm).{0,40}(user.?data|customer.?data|without.{0,15}consent)/i,
+        reason: 'Training AI/ML on user data without consent violates GDPR and the ToS of most data platforms.',
+        recommendation: 'Obtain explicit opt-in consent for ML training use. Provide opt-out. Document data flows in privacy policy.',
+    },
+    {
+        pattern: /\b(biometric|facial.?recogni|fingerprint).{0,30}(store|collect|process)\b/i,
+        reason: 'Biometric data has strict consent laws: BIPA (Illinois), GDPR Article 9, TX/WA state laws.',
+        recommendation: 'Obtain explicit written consent. Check state/country-specific laws. Consider if biometrics are necessary at all.',
+    },
+    {
+        pattern: /\bccpa\b.{0,30}(ignore|skip|bypass|not.{0,10}(apply|need))/i,
+        reason: 'CCPA applies to any business serving California residents above certain thresholds — not opt-in.',
+        recommendation: 'Add "Do Not Sell My Personal Information" link. Honor opt-out requests within 15 days.',
+    },
+];
+const WARN_RULES = [
+    {
+        pattern: /no.{0,25}privacy.?policy/i,
+        concern: 'Collecting any user data without a privacy policy violates GDPR, CCPA, and most app store guidelines.',
+        recommendation: 'Draft a privacy policy covering: what you collect, why, how long, who you share with, user rights.',
+    },
+    {
+        pattern: /log.{0,25}(email|ip.?address|phone|full.?name|ssn)|(email|phone|full.?name|ssn).{0,25}(log|plaintext|plain.?text)/i,
+        concern: 'Logging PII creates data retention liability and complicates right-to-erasure compliance.',
+        recommendation: 'Pseudonymize PII in logs (hash emails, truncate IPs). Set log retention to 30-90 days maximum.',
+    },
+    {
+        pattern: /no.{0,20}(delete|erasure|right.?to.?delete|data.?removal|forget)/i,
+        concern: 'GDPR Article 17 mandates honoring right-to-erasure requests within 30 days.',
+        recommendation: 'Build user data deletion endpoint. Cascade to backups. Document deletion confirmation process.',
+    },
+    {
+        pattern: /open.?source|npm.{0,20}install|pip.{0,20}install|composer|cargo.{0,20}add/i,
+        concern: 'New dependencies may carry GPL/AGPL licenses that contaminate your project license.',
+        recommendation: 'Run license-checker or FOSSA after adding deps. Block GPL/AGPL in CI for proprietary projects.',
+    },
+    {
+        pattern: /cookie|tracking|analytics|pixel|beacon/i,
+        concern: 'Cookies and tracking pixels require consent banners for EU/UK users (ePrivacy Directive + GDPR).',
+        recommendation: 'Integrate consent management platform (Cookiebot, OneTrust) for EU users.',
+    },
+    {
+        pattern: /third.?party.{0,30}(share|send|forward|transmit).{0,30}(user|personal|customer)/i,
+        concern: 'Sharing personal data with third parties requires disclosure in privacy policy and may need consent.',
+        recommendation: 'List all third-party data recipients in privacy policy. Sign Data Processing Agreements (DPAs).',
+    },
+    {
+        pattern: /retain.{0,30}(forever|indefinitely|no.?limit|no.?expiry)|store.{0,30}forever/i,
+        concern: 'Retaining personal data indefinitely violates GDPR storage limitation principle (Article 5(1)(e)).',
+        recommendation: 'Define retention periods per data type. Auto-delete or anonymize after the period expires.',
+    },
+    {
+        pattern: /\b(trademark|patent|copyright)\b/i,
+        concern: 'IP risk flagged — verify you have rights to use and distribute this.',
+        recommendation: 'Confirm licensing rights. Consult an IP attorney if building on patented methods or using third-party branding.',
+    },
+    {
+        pattern: /\b(gdpr|data.?protection)\b.{0,30}(ignore|bypass|skip|not.{0,10}(apply|worry))/i,
+        concern: "GDPR applies to any service used by EU residents regardless of where you're based.",
+        recommendation: 'Conduct a GDPR compliance review. Appoint a Data Protection Officer if required.',
+    },
+    {
+        pattern: /export.{0,20}(encryption|crypto|cipher).{0,20}(us|usa|america|international)/i,
+        concern: 'Exporting encryption software may require US export license (EAR/ECCN classification).',
+        recommendation: 'Check ECCN classification for your encryption strength. File annual self-classification if needed.',
+    },
+];
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no legal concerns.', concerns: [] };
+    }
+    const blocks = [];
+    const concerns = [];
+    const recommendations = [];
+    for (const rule of BLOCK_RULES) {
+        if (rule.pattern.test(task)) {
+            blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
+        }
+    }
+    for (const rule of WARN_RULES) {
+        if (rule.pattern.test(task)) {
+            concerns.push(rule.concern);
+            recommendations.push(rule.recommendation);
+        }
+    }
+    if (blocks.length > 0) {
+        return {
+            verdict: 'block',
+            reason: blocks[0].reason,
+            concerns: blocks.slice(1).map(b => b.reason),
+            recommendation: blocks.map(b => b.recommendation).join(' | '),
+        };
+    }
+    if (concerns.length > 0) {
+        return {
+            verdict: 'warn',
+            reason: `${concerns.length} legal or compliance concern${concerns.length > 1 ? 's' : ''} — review before shipping.`,
+            concerns,
+            recommendation: recommendations[0],
+        };
+    }
+    return { verdict: 'approve', reason: 'No legal or compliance issues detected.', concerns: [] };
+}
+//# sourceMappingURL=legal-compliance.js.map

package/dist/council/product-manager.js

@@ -0,0 +1,92 @@
+const BLOCK_RULES = [
+    {
+        pattern: /rewrite.{0,20}from.{0,10}scratch/i,
+        reason: 'Rewriting from scratch abandons working code and delays users by months.',
+        recommendation: 'Incremental refactor using Strangler Fig. Split only when bottleneck is proven.',
+    },
+    {
+        pattern: /build.{0,20}(our own|custom).{0,20}(framework|orm|database|auth.?system|message.?queue)/i,
+        reason: 'Building custom infrastructure has a 12+ month cost before it provides value.',
+        recommendation: 'Use battle-tested existing solutions. Build what differentiates you, not plumbing.',
+    },
+];
+const WARN_RULES = [
+    {
+        pattern: /\bmicroservice/i,
+        concern: 'Microservices add 10x operational complexity. Justified only at Netflix/Amazon scale.',
+        recommendation: 'Start modular monolith. Extract services only when a specific bottleneck demands it.',
+    },
+    {
+        pattern: /enterprise.{0,20}(grade|pattern|architecture|solution)/i,
+        concern: 'Enterprise patterns optimize for 10,000-person orgs, not fast-moving products.',
+        recommendation: 'Ship the simple version. Add enterprise complexity when customers pay for it.',
+    },
+    {
+        pattern: /future.{0,20}proof|build.{0,20}for.{0,20}(scale|growth|million)/i,
+        concern: 'Optimizing for imaginary future scale delays value to users you have today.',
+        recommendation: "YAGNI. Build for 10x current scale, not 1000x. You'll know when you need more.",
+    },
+    {
+        pattern: /\bperfect\b|\bflawless\b|fully.{0,10}generic|completely.{0,10}flexible/i,
+        concern: 'Perfect is the enemy of shipped. What is the minimum version that solves the problem?',
+        recommendation: 'Define a specific "done" criterion. Timebox perfection work to 20% of total.',
+    },
+    {
+        pattern: /build.{0,20}(framework|platform|engine|layer|system)\b.{0,20}first/i,
+        concern: 'Building infrastructure before product delays user value. Products fund platforms.',
+        recommendation: 'Build product features. Extract the framework only when the pattern is proven.',
+    },
+    {
+        pattern: /abstrac|generic.{0,20}(solution|framework|wrapper|handler)/i,
+        concern: 'Premature abstraction bets on requirements that may never come.',
+        recommendation: 'Three concrete implementations before extracting an abstraction.',
+    },
+    {
+        pattern: /add.{0,20}feature.{0,30}(not.{0,10}ask|nobody.{0,10}request|just.{0,10}in.{0,10}case)/i,
+        concern: 'Building unrequested features is scope creep. Validate demand first.',
+        recommendation: 'Ship what was asked. Add features after user feedback confirms demand.',
+    },
+    {
+        pattern: /v2|v3|version\s+[23]/i,
+        concern: 'Designing v2/v3 before v1 ships is a classic focus trap.',
+        recommendation: 'Ship v1. Learn from real users. Then plan v2 with real data.',
+    },
+];
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no product concerns.', concerns: [] };
+    }
+    const blocks = [];
+    const concerns = [];
+    const recommendations = [];
+    for (const rule of BLOCK_RULES) {
+        if (rule.pattern.test(task)) {
+            blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
+        }
+    }
+    for (const rule of WARN_RULES) {
+        if (rule.pattern.test(task)) {
+            concerns.push(rule.concern);
+            recommendations.push(rule.recommendation);
+        }
+    }
+    if (blocks.length > 0) {
+        return {
+            verdict: 'block',
+            reason: blocks[0].reason,
+            concerns: blocks.slice(1).map(b => b.reason),
+            recommendation: blocks.map(b => b.recommendation).join(' | '),
+        };
+    }
+    if (concerns.length > 0) {
+        return {
+            verdict: 'warn',
+            reason: `${concerns.length} product risk${concerns.length > 1 ? 's' : ''} — scope or complexity concern.`,
+            concerns,
+            recommendation: recommendations[0],
+        };
+    }
+    return { verdict: 'approve', reason: 'Reasonable scope. Ship it.', concerns: [] };
+}
+//# sourceMappingURL=product-manager.js.map

package/dist/council/security.js

@@ -0,0 +1,162 @@
+const BLOCK_RULES = [
+    {
+        pattern: /(no.{0,25}rate.?limit|(auth|login|password|signin|otp|2fa|token|reset).{0,50}no.{0,20}rate.?limit|no.{0,25}rate.?limit.{0,50}(auth|login|password|signin|otp|2fa))/i,
+        reason: 'Auth endpoint without rate limiting is wide open to brute-force and credential stuffing.',
+        recommendation: 'Rate limit: 5 attempts / 15 min / IP. Exponential backoff. Lock account after 10 failures.',
+    },
+    {
+        pattern: /jwt.{0,35}(no|without|missing).{0,20}expir|token.{0,20}never.{0,15}expir/i,
+        reason: 'JWTs without expiry are permanent access tokens — a stolen token never becomes invalid.',
+        recommendation: 'Set JWT exp to 15 min. Issue refresh tokens in httpOnly, Secure, SameSite=Strict cookies.',
+    },
+    {
+        pattern: /localStorage.{0,30}(token|jwt|session|auth|secret)|(token|jwt|session|auth|secret).{0,30}localStorage/i,
+        reason: 'Tokens in localStorage are readable by any script — XSS vulnerability gives full account takeover.',
+        recommendation: 'Store tokens only in httpOnly Secure SameSite=Strict cookies. Never localStorage.',
+    },
+    {
+        pattern: /no.{0,20}csrf|skip.{0,20}csrf|disable.{0,20}csrf|without.{0,20}csrf/i,
+        reason: 'Missing CSRF protection enables cross-site request forgery — attackers can act as authenticated users.',
+        recommendation: 'Use CSRF tokens for form submissions. Set SameSite=Strict on session cookies as baseline.',
+    },
+    {
+        pattern: /run.{0,20}(as\s+)?root|user\s+root.{0,20}(docker|container|image)/i,
+        reason: 'Running containers as root means any exploit has full host access.',
+        recommendation: 'Add `USER 1001` in Dockerfile. Use rootless containers. Drop all capabilities.',
+    },
+    {
+        pattern: /admin.{0,35}(route|endpoint|panel|api).{0,35}(no|without|skip|missing).{0,20}auth/i,
+        reason: 'Admin routes without authentication check expose privileged operations to any unauthenticated caller.',
+        recommendation: 'Guard all admin routes with both authentication AND role/permission authorization check.',
+    },
+    {
+        pattern: /\b(mass.?assign|accept.{0,20}(all|any).{0,20}(field|body|param|input))\b/i,
+        reason: 'Mass assignment lets attackers inject internal fields (isAdmin: true) through the request body.',
+        recommendation: 'Whitelist allowed fields explicitly. Never spread req.body into DB operations.',
+    },
+    {
+        pattern: /\.\.\/|\.\.\\|path.{0,20}traversal|(file|path).{0,20}(user|input|param).{0,20}(read|open|access)/i,
+        reason: 'Path traversal vulnerability — attacker can read arbitrary server files by manipulating path input.',
+        recommendation: 'Use path.resolve() and verify result starts with your allowed base directory.',
+    },
+    {
+        pattern: /deserializ.{0,30}(user|external|untrusted|input)/i,
+        reason: 'Deserializing untrusted data enables remote code execution via gadget chains.',
+        recommendation: 'Never deserialize untrusted data. Use JSON.parse() with schema validation (zod).',
+    },
+    {
+        pattern: /xml.{0,30}(user|input|external).{0,30}(parse|process)/i,
+        reason: 'Parsing user-supplied XML without XXE protection enables XML External Entity injection.',
+        recommendation: 'Disable external entity processing in your XML parser. Prefer JSON over XML for APIs.',
+    },
+    {
+        pattern: /\bshell\b.{0,30}(user|input|param)|exec\s*\(.{0,30}(req\.|input|param)/i,
+        reason: 'Passing user input to shell commands enables OS command injection — full server compromise.',
+        recommendation: 'Use execFile() with args as array. Never concatenate user input into shell commands.',
+    },
+    {
+        pattern: /no.{0,20}(auth|authentication|authorization).{0,30}(internal|service.?to.?service|microservice)/i,
+        reason: 'Service-to-service calls without auth allows any internal service to impersonate another.',
+        recommendation: 'Use mutual TLS or service tokens for internal API calls. Never trust internal network alone.',
+    },
+];
+const WARN_RULES = [
+    {
+        pattern: /no.{0,25}(content.?security.?policy|\bcsp\b)/i,
+        concern: 'Missing Content-Security-Policy header — no browser-level XSS mitigation.',
+        recommendation: "Set CSP: default-src 'self'; script-src 'self'. Use helmet.js for Express.",
+    },
+    {
+        pattern: /verbose.{0,20}error|stack.?trace.{0,25}(user|client|return|response|send)/i,
+        concern: 'Verbose error messages expose file paths, library versions, and stack traces to attackers.',
+        recommendation: 'Log full errors server-side only. Return generic messages to clients.',
+    },
+    {
+        pattern: /no.{0,20}(audit|security).{0,15}log/i,
+        concern: 'No security audit log — impossible to detect or investigate breaches after the fact.',
+        recommendation: 'Log: auth events, admin actions, data exports, permission denials, with IP + user + timestamp.',
+    },
+    {
+        pattern: /no.{0,20}(dependency|package|npm|pip).{0,20}(audit|scan|update)/i,
+        concern: 'Unaudited dependencies may contain known CVEs actively exploited in the wild.',
+        recommendation: 'Run npm audit / snyk in CI pipeline. Block builds with critical severity CVEs.',
+    },
+    {
+        pattern: /no.{0,20}(payload|body|request).{0,20}(size|limit|max)/i,
+        concern: 'No payload size limit — attackers can exhaust server memory with large request bodies.',
+        recommendation: 'Set body size limit (1MB JSON, 10MB uploads). Return 413 on excess. Use streaming for large files.',
+    },
+    {
+        pattern: /\bregex\b.{0,30}(user|input|param|untrusted)/i,
+        concern: 'Complex regex on user input can cause ReDoS — catastrophic backtracking is a DoS vector.',
+        recommendation: 'Test regex with ReDoS checker (vuln-regex-detector). Set match timeout for user input.',
+    },
+    {
+        pattern: /server.?version|x-powered-by|expose.{0,20}(version|framework)/i,
+        concern: 'Disclosing server/framework version in headers helps attackers target known CVEs.',
+        recommendation: 'Remove X-Powered-By. Set Server: header to empty string. Use helmet.js.',
+    },
+    {
+        pattern: /upload.{0,30}(any|all|every).{0,20}(type|extension|format|file)/i,
+        concern: 'Accepting any file type enables upload of malicious executables or web shells.',
+        recommendation: 'Whitelist allowed MIME types. Validate magic bytes (not extension). Scan with ClamAV.',
+    },
+    {
+        pattern: /\bidor\b|direct.{0,20}object.{0,20}ref|user.?id.{0,20}(param|query|url|path)/i,
+        concern: 'Potential IDOR — user can access other users\' resources by changing an ID in the request.',
+        recommendation: 'Always verify ownership: resource.userId === req.user.id before returning/mutating.',
+    },
+    {
+        pattern: /compare.{0,20}(secret|token|hash|hmac|signature|password).{0,20}===|===.{0,20}(secret|token|hmac)/i,
+        concern: 'String === comparison of secrets is vulnerable to timing attacks.',
+        recommendation: 'Use crypto.timingSafeEqual() for all secret and HMAC comparisons.',
+    },
+    {
+        pattern: /no.{0,20}hsts|http.{0,20}(only|no.?https)/i,
+        concern: 'Without HSTS, browsers may connect over HTTP — credentials can be intercepted.',
+        recommendation: 'Set HSTS: max-age=31536000; includeSubDomains; preload. Redirect all HTTP to HTTPS.',
+    },
+    {
+        pattern: /secret.{0,20}(env|environment|config).{0,20}(log|print|console|output)/i,
+        concern: 'Logging secrets or config values leaks credentials to anyone with log access.',
+        recommendation: 'Never log secrets. Redact sensitive fields in structured logs. Audit log pipelines.',
+    },
+];
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no security concerns.', concerns: [] };
+    }
+    const blocks = [];
+    const concerns = [];
+    const recommendations = [];
+    for (const rule of BLOCK_RULES) {
+        if (rule.pattern.test(task)) {
+            blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
+        }
+    }
+    for (const rule of WARN_RULES) {
+        if (rule.pattern.test(task)) {
+            concerns.push(rule.concern);
+            recommendations.push(rule.recommendation);
+        }
+    }
+    if (blocks.length > 0) {
+        return {
+            verdict: 'block',
+            reason: blocks[0].reason,
+            concerns: blocks.slice(1).map(b => b.reason),
+            recommendation: blocks.map(b => b.recommendation).join(' | '),
+        };
+    }
+    if (concerns.length > 0) {
+        return {
+            verdict: 'warn',
+            reason: `${concerns.length} security concern${concerns.length > 1 ? 's' : ''} — threat model flagged issues.`,
+            concerns,
+            recommendation: recommendations[0],
+        };
+    }
+    return { verdict: 'approve', reason: 'No security threats identified in threat model.', concerns: [] };
+}
+//# sourceMappingURL=security.js.map

package/dist/council/system-architect.js

@@ -0,0 +1,122 @@
+const BLOCK_RULES = [
+    {
+        pattern: /\bdrop\s+table\b/i,
+        reason: 'DROP TABLE is irreversible. No rollback possible after execution.',
+        recommendation: 'Write a down-migration. Verify backup. Test on staging. Run in maintenance window.',
+    },
+    {
+        pattern: /\btruncate\b/i,
+        reason: 'TRUNCATE deletes all rows instantly — no transaction, no rollback.',
+        recommendation: 'Use DELETE with WHERE in a transaction. Backup first. Verify on staging.',
+    },
+    {
+        pattern: /\bdelete\s+from\b(?!.*where)/i,
+        reason: 'DELETE without WHERE clause wipes the entire table.',
+        recommendation: 'Always add a WHERE clause. Wrap in transaction. Test on staging.',
+    },
+    {
+        pattern: /sqlite.{0,50}(concurrent|multi.?user|high.?traffic|production|scale)/i,
+        reason: 'SQLite serializes writes — breaks at >10 concurrent writers.',
+        recommendation: 'Use PostgreSQL for multi-user or high-traffic applications.',
+    },
+    {
+        pattern: /(payment|billing|charge|transfer|transaction).{0,40}no.{0,15}(transaction|rollback|atomic)/i,
+        reason: 'Financial operations without database transactions risk data inconsistency.',
+        recommendation: 'Wrap all financial mutations in explicit BEGIN/COMMIT/ROLLBACK transactions.',
+    },
+    {
+        pattern: /store.{0,20}(password|credit.?card|ssn|social.?security).{0,20}plain/i,
+        reason: 'Storing sensitive data in plaintext is a catastrophic data breach risk.',
+        recommendation: 'Hash passwords (bcrypt). Encrypt PII at rest (AES-256). Never store raw card data.',
+    },
+];
+const WARN_RULES = [
+    {
+        pattern: /select\s+\*/i,
+        concern: 'SELECT * fetches all columns — wasted memory and network on large tables.',
+        recommendation: 'Select only needed columns explicitly.',
+    },
+    {
+        pattern: /\bfor\b.{0,80}(query|select|db\.|\.find|\.get|fetch)/i,
+        concern: 'Query inside a loop creates N+1 problem — DB gets hammered at scale.',
+        recommendation: 'Batch the query outside the loop using IN clause or JOIN.',
+    },
+    {
+        pattern: /no.{0,15}index\b/i,
+        concern: 'Missing index on search/filter columns causes full table scans.',
+        recommendation: 'Add indexes on FK columns and any WHERE/ORDER BY columns.',
+    },
+    {
+        pattern: /synchronous|blocking.{0,20}(i\/o|read|write|call)/i,
+        concern: 'Synchronous I/O blocks the Node.js event loop under concurrent load.',
+        recommendation: 'Use async/await with fs.promises, not fs.readFileSync.',
+    },
+    {
+        pattern: /no.{0,15}cache\b/i,
+        concern: 'No caching on repeated reads hammers the database unnecessarily.',
+        recommendation: 'Cache hot read paths with Redis or in-memory TTL cache.',
+    },
+    {
+        pattern: /no.{0,15}(timeout|time.?out)\b/i,
+        concern: 'External calls without timeout hang indefinitely when the dependency fails.',
+        recommendation: 'Set explicit timeouts (3-5s for APIs). Add retry with exponential backoff.',
+    },
+    {
+        pattern: /single.{0,25}(point|server|node|instance).{0,25}(fail|crash|down)/i,
+        concern: 'Single point of failure with no redundancy — one crash = full outage.',
+        recommendation: 'Add health checks. Consider redundancy or graceful degradation.',
+    },
+    {
+        pattern: /no.{0,15}(migration|schema.?version)/i,
+        concern: 'Database changes without versioned migrations cannot be safely rolled back.',
+        recommendation: 'Use a migration tool (Knex, Prisma migrate, Flyway).',
+    },
+    {
+        pattern: /global\s+(state|variable|singleton)/i,
+        concern: 'Global mutable state causes unpredictable behavior under concurrent requests.',
+        recommendation: 'Scope state to request context. Use dependency injection.',
+    },
+    {
+        pattern: /\bregex\b.{0,30}(user.?input|unvalidated|untrusted)/i,
+        concern: 'Complex regex on untrusted input can cause ReDoS (catastrophic backtracking).',
+        recommendation: 'Use simple regex patterns. Set timeout on regex evaluation for user input.',
+    },
+];
+const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
+export function analyze(task) {
+    if (TRIVIAL.test(task.trim())) {
+        return { verdict: 'approve', reason: 'Trivial change — no architectural concerns.', concerns: [] };
+    }
+    const blocks = [];
+    const concerns = [];
+    const recommendations = [];
+    for (const rule of BLOCK_RULES) {
+        if (rule.pattern.test(task)) {
+            blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
+        }
+    }
+    for (const rule of WARN_RULES) {
+        if (rule.pattern.test(task)) {
+            concerns.push(rule.concern);
+            recommendations.push(rule.recommendation);
+        }
+    }
+    if (blocks.length > 0) {
+        return {
+            verdict: 'block',
+            reason: blocks[0].reason,
+            concerns: blocks.slice(1).map(b => b.reason),
+            recommendation: blocks.map(b => b.recommendation).join(' | '),
+        };
+    }
+    if (concerns.length > 0) {
+        return {
+            verdict: 'warn',
+            reason: `${concerns.length} structural concern${concerns.length > 1 ? 's' : ''} — review before building.`,
+            concerns,
+            recommendation: recommendations[0],
+        };
+    }
+    return { verdict: 'approve', reason: 'Architecture looks sound. No structural concerns.', concerns: [] };
+}
+//# sourceMappingURL=system-architect.js.map

package/dist/council/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map