@kernlang/review 3.1.8 → 3.2.3

package/dist/rules/react-hooks.js

@@ -0,0 +1,380 @@
+/**
+ * React hooks correctness — Wave 2 net-new rules.
+ *
+ * Intentionally conservative: each rule only fires when the pattern is
+ * unambiguous. eslint-plugin-react-hooks is the authority for exhaustive
+ * correctness; this layer catches the common footguns with high precision.
+ */
+import { Node, SyntaxKind } from 'ts-morph';
+import { finding, nodeSpan } from './utils.js';
+const EFFECT_HOOKS = new Set(['useEffect', 'useLayoutEffect']);
+const MEMO_HOOKS = new Set(['useMemo', 'useCallback']);
+const REACT_HOOK_NAMES = new Set([
+    'useState',
+    'useEffect',
+    'useLayoutEffect',
+    'useRef',
+    'useCallback',
+    'useMemo',
+    'useReducer',
+    'useContext',
+    'useTransition',
+    'useDeferredValue',
+    'useImperativeHandle',
+    'useSyncExternalStore',
+    'useId',
+    'useDebugValue',
+]);
+const GLOBAL_NAMES = new Set([
+    'console',
+    'window',
+    'document',
+    'globalThis',
+    'process',
+    'Math',
+    'Date',
+    'JSON',
+    'Object',
+    'Array',
+    'String',
+    'Number',
+    'Boolean',
+    'Symbol',
+    'Promise',
+    'Error',
+    'TypeError',
+    'RangeError',
+    'RegExp',
+    'Map',
+    'Set',
+    'WeakMap',
+    'WeakSet',
+    'Proxy',
+    'Reflect',
+    'setTimeout',
+    'setInterval',
+    'clearTimeout',
+    'clearInterval',
+    'requestAnimationFrame',
+    'cancelAnimationFrame',
+    'queueMicrotask',
+    'structuredClone',
+    'fetch',
+    'URL',
+    'URLSearchParams',
+    'localStorage',
+    'sessionStorage',
+    'navigator',
+    'history',
+    'location',
+    'alert',
+    'confirm',
+    'prompt',
+    'undefined',
+    'null',
+    'true',
+    'false',
+    'NaN',
+    'Infinity',
+    'React',
+]);
+/**
+ * Collect "stable" identifier names inside the enclosing function:
+ *   - setters from `const [x, setX] = useState(...)`
+ *   - dispatch from `const [state, dispatch] = useReducer(...)`
+ *   - refs from `const foo = useRef(...)`
+ *
+ * These are guaranteed stable across renders and don't need to appear
+ * in dependency arrays.
+ */
+function collectStableNames(root) {
+    const setters = new Set();
+    const refs = new Set();
+    for (const decl of root.getDescendantsOfKind(SyntaxKind.VariableDeclaration)) {
+        const init = decl.getInitializer();
+        if (!init || !Node.isCallExpression(init))
+            continue;
+        const callee = init.getExpression().getText();
+        const calleeName = callee.includes('.') ? callee.split('.').pop() : callee;
+        const nameNode = decl.getNameNode();
+        if (calleeName === 'useState' || calleeName === 'useReducer') {
+            // Destructured tuple: const [state, setter] = useState(...)
+            if (Node.isArrayBindingPattern(nameNode)) {
+                const elements = nameNode.getElements();
+                if (elements.length >= 2) {
+                    const second = elements[1];
+                    if (Node.isBindingElement(second)) {
+                        setters.add(second.getNameNode().getText());
+                    }
+                }
+            }
+        }
+        else if (calleeName === 'useRef') {
+            if (Node.isIdentifier(nameNode)) {
+                refs.add(nameNode.getText());
+            }
+        }
+    }
+    return { setters, refs };
+}
+/** Extract identifiers from a deps array literal — returns names only. */
+function extractDepNames(depsExpr) {
+    const names = new Set();
+    if (!Node.isArrayLiteralExpression(depsExpr))
+        return names;
+    for (const el of depsExpr.getElements()) {
+        if (Node.isIdentifier(el)) {
+            names.add(el.getText());
+        }
+        else if (Node.isPropertyAccessExpression(el)) {
+            // Capture the root: `foo.bar.baz` → `foo`
+            let cur = el;
+            while (Node.isPropertyAccessExpression(cur)) {
+                cur = cur.getExpression();
+            }
+            if (Node.isIdentifier(cur))
+                names.add(cur.getText());
+            names.add(el.getText()); // also allow exact match
+        }
+    }
+    return names;
+}
+// ── Rule: exhaustive-deps ────────────────────────────────────────────────
+function exhaustiveDeps(ctx) {
+    const findings = [];
+    for (const call of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+        const calleeText = call.getExpression().getText();
+        const calleeName = calleeText.includes('.') ? calleeText.split('.').pop() : calleeText;
+        const isEffect = EFFECT_HOOKS.has(calleeName);
+        const isMemo = MEMO_HOOKS.has(calleeName);
+        if (!isEffect && !isMemo)
+            continue;
+        const args = call.getArguments();
+        if (args.length < 2)
+            continue; // handled by missing-memo-deps
+        const fnArg = args[0];
+        const depsArg = args[1];
+        if (!Node.isArrayLiteralExpression(depsArg))
+            continue;
+        if (!Node.isArrowFunction(fnArg) && !Node.isFunctionExpression(fnArg))
+            continue;
+        // Find enclosing React component function to collect stable names
+        const enclosingFn = call.getFirstAncestorByKind(SyntaxKind.FunctionDeclaration) ||
+            call.getFirstAncestorByKind(SyntaxKind.ArrowFunction) ||
+            call.getFirstAncestorByKind(SyntaxKind.FunctionExpression);
+        if (!enclosingFn)
+            continue;
+        const { setters, refs } = collectStableNames(enclosingFn);
+        const depNames = extractDepNames(depsArg);
+        const body = fnArg.getBody();
+        if (!body)
+            continue;
+        // Collect identifiers defined INSIDE the hook body itself — they are local.
+        // Must cover: const x = ..., const { a, b } = obj, const [x, y] = arr.
+        const locallyDeclared = new Set();
+        for (const decl of body.getDescendantsOfKind(SyntaxKind.VariableDeclaration)) {
+            const nameNode = decl.getNameNode();
+            if (Node.isIdentifier(nameNode)) {
+                locallyDeclared.add(nameNode.getText());
+            }
+            else if (Node.isObjectBindingPattern(nameNode) || Node.isArrayBindingPattern(nameNode)) {
+                for (const el of nameNode.getDescendantsOfKind(SyntaxKind.BindingElement)) {
+                    const n = el.getNameNode();
+                    if (Node.isIdentifier(n))
+                        locallyDeclared.add(n.getText());
+                }
+            }
+        }
+        for (const param of fnArg.getParameters()) {
+            locallyDeclared.add(param.getName());
+        }
+        const missing = new Set();
+        for (const id of body.getDescendantsOfKind(SyntaxKind.Identifier)) {
+            const name = id.getText();
+            if (GLOBAL_NAMES.has(name))
+                continue;
+            if (REACT_HOOK_NAMES.has(name))
+                continue;
+            if (setters.has(name))
+                continue;
+            if (refs.has(name))
+                continue;
+            if (locallyDeclared.has(name))
+                continue;
+            if (depNames.has(name))
+                continue;
+            // Skip identifiers that are the property name in a PropertyAccessExpression
+            // (we only care about the root object, which is the expression side)
+            const parent = id.getParent();
+            if (parent && Node.isPropertyAccessExpression(parent) && parent.getNameNode() === id)
+                continue;
+            // Skip property assignment keys (but NOT shorthand — shorthand IS a read of the identifier)
+            if (parent && Node.isPropertyAssignment(parent) && parent.getNameNode() === id)
+                continue;
+            // Note: shorthand property assignments like `{ userId }` inside a hook body
+            // ARE reads of `userId` and must be checked — do NOT skip them.
+            // Skip import specifiers / binding elements (declarations, not references)
+            if (parent && (Node.isImportSpecifier(parent) || Node.isBindingElement(parent)))
+                continue;
+            // Skip type references
+            if (parent && Node.isTypeReference(parent))
+                continue;
+            // Skip function/variable declaration names
+            if (parent && Node.isVariableDeclaration(parent) && parent.getNameNode() === id)
+                continue;
+            if (parent && Node.isFunctionDeclaration(parent) && parent.getNameNode() === id)
+                continue;
+            if (parent && Node.isParameterDeclaration(parent))
+                continue;
+            // Check if it's defined outside the enclosing function (import, module-level)
+            const sym = id.getSymbol();
+            if (!sym)
+                continue;
+            const decls = sym.getDeclarations();
+            if (decls.length === 0)
+                continue;
+            let definedInEnclosing = false;
+            for (const d of decls) {
+                const ancestor = d.getFirstAncestor((a) => a === enclosingFn);
+                if (ancestor) {
+                    definedInEnclosing = true;
+                    break;
+                }
+            }
+            if (!definedInEnclosing)
+                continue;
+            missing.add(name);
+        }
+        if (missing.size > 0) {
+            const hookName = calleeName;
+            const names = [...missing].sort().join(', ');
+            // Autofix: rebuild the dependency array to include the missing names.
+            // Preserve existing deps in their original order, then append missing
+            // in sorted order. Marked as "review before applying" because adding
+            // deps can introduce render loops when a dep is a non-memoized object.
+            const existingTexts = depsArg.getElements().map((e) => e.getText());
+            const missingSorted = [...missing].sort();
+            const newDepsText = `[${[...existingTexts, ...missingSorted].join(', ')}]`;
+            findings.push(finding('exhaustive-deps', 'warning', 'bug', `${hookName} references ${names} but ${missing.size === 1 ? 'it is' : 'they are'} missing from the dependency array — will use stale ${missing.size === 1 ? 'value' : 'values'} across renders`, ctx.filePath, depsArg.getStartLineNumber(), 1, {
+                suggestion: `Add ${names} to the dependency array, or move ${missing.size === 1 ? 'it' : 'them'} out of the enclosing closure`,
+                autofix: {
+                    type: 'replace',
+                    span: nodeSpan(depsArg, ctx.filePath),
+                    replacement: newDepsText,
+                    description: `Add ${names} to the dependency array — REVIEW before applying: adding a non-memoized object/function dep can trigger a render loop`,
+                },
+            }));
+        }
+    }
+    return findings;
+}
+// ── Rule: ref-in-deps ────────────────────────────────────────────────────
+// A ref created with useRef() is stable across renders — putting it in a
+// dependency array is pointless noise and usually indicates a misunderstanding.
+function refInDeps(ctx) {
+    const findings = [];
+    for (const call of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+        const calleeText = call.getExpression().getText();
+        const calleeName = calleeText.includes('.') ? calleeText.split('.').pop() : calleeText;
+        if (!EFFECT_HOOKS.has(calleeName) && !MEMO_HOOKS.has(calleeName))
+            continue;
+        const args = call.getArguments();
+        if (args.length < 2)
+            continue;
+        const depsArg = args[1];
+        if (!Node.isArrayLiteralExpression(depsArg))
+            continue;
+        const enclosingFn = call.getFirstAncestorByKind(SyntaxKind.FunctionDeclaration) ||
+            call.getFirstAncestorByKind(SyntaxKind.ArrowFunction) ||
+            call.getFirstAncestorByKind(SyntaxKind.FunctionExpression);
+        if (!enclosingFn)
+            continue;
+        const { refs } = collectStableNames(enclosingFn);
+        // Collect the ref names present in the deps array, then emit one finding
+        // per ref with an autofix that rewrites the deps array without ANY of the
+        // refs. That way applying the first autofix also resolves the others,
+        // and we avoid emitting stale "remove X" fixes after the user accepted one.
+        const depElements = depsArg.getElements();
+        const refElementsInDeps = depElements.filter((el) => Node.isIdentifier(el) && refs.has(el.getText()));
+        if (refElementsInDeps.length === 0)
+            continue;
+        const refNamesInDeps = new Set(refElementsInDeps.map((e) => e.getText()));
+        const filteredElements = depElements.filter((el) => !(Node.isIdentifier(el) && refNamesInDeps.has(el.getText())));
+        const newDepsText = `[${filteredElements.map((e) => e.getText()).join(', ')}]`;
+        for (const el of refElementsInDeps) {
+            findings.push(finding('ref-in-deps', 'warning', 'pattern', `'${el.getText()}' is a ref from useRef — refs are stable across renders, so including them in a dependency array has no effect`, ctx.filePath, el.getStartLineNumber(), 1, {
+                suggestion: `Remove '${el.getText()}' from the dependency array. If you want to react to ref.current changes, you need a different pattern (state or a callback ref).`,
+                autofix: {
+                    type: 'replace',
+                    span: nodeSpan(depsArg, ctx.filePath),
+                    replacement: newDepsText,
+                    description: `Remove ref(s) from the dependency array`,
+                },
+            }));
+        }
+    }
+    return findings;
+}
+// ── Rule: state-derived-from-props ───────────────────────────────────────
+// `const [x, setX] = useState(props.y)` — classic stale-state antipattern.
+// The state is initialized from props once, then drifts if props.y changes.
+function stateDerivedFromProps(ctx) {
+    const findings = [];
+    for (const call of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+        const calleeText = call.getExpression().getText();
+        const calleeName = calleeText.includes('.') ? calleeText.split('.').pop() : calleeText;
+        if (calleeName !== 'useState')
+            continue;
+        const args = call.getArguments();
+        if (args.length === 0)
+            continue;
+        const initArg = args[0];
+        // Pattern A: useState(props.y) / useState(props.y.z)
+        // Pattern B: useState(someProp) where someProp is a destructured prop
+        let flagged = false;
+        let label = '';
+        if (Node.isPropertyAccessExpression(initArg)) {
+            let root = initArg;
+            while (Node.isPropertyAccessExpression(root)) {
+                root = root.getExpression();
+            }
+            if (Node.isIdentifier(root) && root.getText() === 'props') {
+                flagged = true;
+                label = initArg.getText();
+            }
+        }
+        else if (Node.isIdentifier(initArg)) {
+            // Check if this identifier is a destructured prop
+            const name = initArg.getText();
+            const enclosingFn = call.getFirstAncestorByKind(SyntaxKind.FunctionDeclaration) ||
+                call.getFirstAncestorByKind(SyntaxKind.ArrowFunction) ||
+                call.getFirstAncestorByKind(SyntaxKind.FunctionExpression);
+            if (enclosingFn) {
+                const params = enclosingFn.getParameters();
+                // Component signature: `function Foo({ y, z })` — first param is an object binding pattern
+                if (params.length > 0) {
+                    const firstParam = params[0];
+                    const paramName = firstParam.getNameNode();
+                    if (Node.isObjectBindingPattern(paramName)) {
+                        for (const el of paramName.getElements()) {
+                            if (el.getName() === name) {
+                                flagged = true;
+                                label = `destructured prop '${name}'`;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        if (flagged) {
+            findings.push(finding('state-derived-from-props', 'warning', 'bug', `useState initialized from ${label} — state will not update when the prop changes, causing stale UI`, ctx.filePath, call.getStartLineNumber(), 1, {
+                suggestion: 'Use the prop directly, derive with useMemo, or use a key prop on the parent to force remount when the source changes',
+            }));
+        }
+    }
+    return findings;
+}
+// ── Exported React Hooks Rules ───────────────────────────────────────────
+export const reactHooksRules = [exhaustiveDeps, refInDeps, stateDerivedFromProps];
+//# sourceMappingURL=react-hooks.js.map

package/dist/rules/react-hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"react-hooks.js","sourceRoot":"","sources":["../../src/rules/react-hooks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE5C,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE/C,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAC/D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;AAEvD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,UAAU;IACV,WAAW;IACX,iBAAiB;IACjB,QAAQ;IACR,aAAa;IACb,SAAS;IACT,YAAY;IACZ,YAAY;IACZ,eAAe;IACf,kBAAkB;IAClB,qBAAqB;IACrB,sBAAsB;IACtB,OAAO;IACP,eAAe;CAChB,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IAC3B,SAAS;IACT,QAAQ;IACR,UAAU;IACV,YAAY;IACZ,SAAS;IACT,MAAM;IACN,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,SAAS;IACT,OAAO;IACP,WAAW;IACX,YAAY;IACZ,QAAQ;IACR,KAAK;IACL,KAAK;IACL,SAAS;IACT,SAAS;IACT,OAAO;IACP,SAAS;IACT,YAAY;IACZ,aAAa;IACb,cAAc;IACd,eAAe;IACf,uBAAuB;IACvB,sBAAsB;IACtB,gBAAgB;IAChB,iBAAiB;IACjB,OAAO;IACP,KAAK;IACL,iBAAiB;IACjB,cAAc;IACd,gBAAgB;IAChB,WAAW;IACX,SAAS;IACT,UAAU;IACV,OAAO;IACP,SAAS;IACT,QAAQ;IACR,WAAW;IACX,MAAM;IACN,MAAM;IACN,OAAO;IACP,KAAK;IACL,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,IAAU;IACpC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;YAAE,SAAS;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAE3E,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAEpC,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;YAC7D,4DAA4D;YAC5D,IAAI,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzC,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACxC,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBACzB,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;oBAC3B,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;wBAClC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC9C,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,0EAA0E;AAC1E,SAAS,eAAe,CAAC,QAAc;IACrC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3D,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1B,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,IAAI,CAAC,0BAA0B,CAAC,EAAE,CAAC,EAAE,CAAC;YAC/C,0CAA0C;YAC1C,IAAI,GAAG,GAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5C,GAAG,GAAG,GAAG,CAAC,aAAa,EAAE,CAAC;YAC5B,CAAC;YACD,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC;gBAAE,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,yBAAyB;QACpD,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAE5E,SAAS,cAAc,CAAC,GAAgB;IACtC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClF,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,UAAU,CAAC;QAExF,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM;YAAE,SAAS;QAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS,CAAC,+BAA+B;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC;YAAE,SAAS;QACtD,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC;YAAE,SAAS;QAEhF,kEAAkE;QAClE,MAAM,WAAW,GACf,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,mBAAmB,CAAC;YAC3D,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,aAAa,CAAC;YACrD,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW;YAAE,SAAS;QAE3B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAE1C,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,4EAA4E;QAC5E,uEAAuE;QACvE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC7E,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1C,CAAC;iBAAM,IAAI,IAAI,CAAC,sBAAsB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzF,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC1E,MAAM,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;oBAC3B,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;wBAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;QACH,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,aAAa,EAAE,EAAE,CAAC;YAC1C,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAElC,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAClE,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;YAE1B,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrC,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACzC,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAChC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC7B,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACxC,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEjC,4EAA4E;YAC5E,qEAAqE;YACrE,MAAM,MAAM,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;YAC9B,IAAI,MAAM,IAAI,IAAI,CAAC,0BAA0B,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE;gBAAE,SAAS;YAC/F,4FAA4F;YAC5F,IAAI,MAAM,IAAI,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE;gBAAE,SAAS;YACzF,4EAA4E;YAC5E,gEAAgE;YAChE,2EAA2E;YAC3E,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;gBAAE,SAAS;YAC1F,uBAAuB;YACvB,IAAI,MAAM,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,SAAS;YACrD,2CAA2C;YAC3C,IAAI,MAAM,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE;gBAAE,SAAS;YAC1F,IAAI,MAAM,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,EAAE;gBAAE,SAAS;YAC1F,IAAI,MAAM,IAAI,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE5D,8EAA8E;YAC9E,MAAM,GAAG,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;YAC3B,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,MAAM,KAAK,GAAG,GAAG,CAAC,eAAe,EAAE,CAAC;YACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEjC,IAAI,kBAAkB,GAAG,KAAK,CAAC;YAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,MAAM,QAAQ,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC;gBAC9D,IAAI,QAAQ,EAAE,CAAC;oBACb,kBAAkB,GAAG,IAAI,CAAC;oBAC1B,MAAM;gBACR,CAAC;YACH,CAAC;YACD,IAAI,CAAC,kBAAkB;gBAAE,SAAS;YAElC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,UAAU,CAAC;YAC5B,MAAM,KAAK,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7C,sEAAsE;YACtE,sEAAsE;YACtE,qEAAqE;YACrE,uEAAuE;YACvE,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACpE,MAAM,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,aAAa,EAAE,GAAG,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3E,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,iBAAiB,EACjB,SAAS,EACT,KAAK,EACL,GAAG,QAAQ,eAAe,KAAK,QAAQ,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,uDAAuD,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,iBAAiB,EAC/L,GAAG,CAAC,QAAQ,EACZ,OAAO,CAAC,kBAAkB,EAAE,EAC5B,CAAC,EACD;gBACE,UAAU,EAAE,OAAO,KAAK,qCAAqC,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,+BAA+B;gBAC9H,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,IAAI,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;oBACrC,WAAW,EAAE,WAAW;oBACxB,WAAW,EAAE,OAAO,KAAK,wHAAwH;iBAClJ;aACF,CACF,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAC5E,yEAAyE;AACzE,gFAAgF;AAEhF,SAAS,SAAS,CAAC,GAAgB;IACjC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClF,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,UAAU,CAAC;QAExF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,SAAS;QAE3E,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC;YAAE,SAAS;QAEtD,MAAM,WAAW,GACf,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,mBAAmB,CAAC;YAC3D,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,aAAa,CAAC;YACrD,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW;YAAE,SAAS;QAE3B,MAAM,EAAE,IAAI,EAAE,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAEjD,yEAAyE;QACzE,0EAA0E;QAC1E,sEAAsE;QACtE,4EAA4E;QAC5E,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACtG,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAE7C,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,gBAAgB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAClH,MAAM,WAAW,GAAG,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAE/E,KAAK,MAAM,EAAE,IAAI,iBAAiB,EAAE,CAAC;YACnC,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,aAAa,EACb,SAAS,EACT,SAAS,EACT,IAAI,EAAE,CAAC,OAAO,EAAE,gHAAgH,EAChI,GAAG,CAAC,QAAQ,EACZ,EAAE,CAAC,kBAAkB,EAAE,EACvB,CAAC,EACD;gBACE,UAAU,EAAE,WAAW,EAAE,CAAC,OAAO,EAAE,mIAAmI;gBACtK,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,IAAI,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;oBACrC,WAAW,EAAE,WAAW;oBACxB,WAAW,EAAE,yCAAyC;iBACvD;aACF,CACF,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAC5E,2EAA2E;AAC3E,4EAA4E;AAE5E,SAAS,qBAAqB,CAAC,GAAgB;IAC7C,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClF,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAClD,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,UAAU,CAAC;QACxF,IAAI,UAAU,KAAK,UAAU;YAAE,SAAS;QAExC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAExB,qDAAqD;QACrD,sEAAsE;QACtE,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,KAAK,GAAG,EAAE,CAAC;QAEf,IAAI,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7C,IAAI,IAAI,GAAS,OAAO,CAAC;YACzB,OAAO,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YAC9B,CAAC;YACD,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,OAAO,EAAE,CAAC;gBAC1D,OAAO,GAAG,IAAI,CAAC;gBACf,KAAK,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,kDAAkD;YAClD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,WAAW,GACf,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,mBAAmB,CAAC;gBAC3D,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,aAAa,CAAC;gBACrD,IAAI,CAAC,sBAAsB,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;YAC7D,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC3C,2FAA2F;gBAC3F,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;oBAC7B,MAAM,SAAS,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;oBAC3C,IAAI,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC3C,KAAK,MAAM,EAAE,IAAI,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC;4BACzC,IAAI,EAAE,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC;gCAC1B,OAAO,GAAG,IAAI,CAAC;gCACf,KAAK,GAAG,sBAAsB,IAAI,GAAG,CAAC;gCACtC,MAAM;4BACR,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,0BAA0B,EAC1B,SAAS,EACT,KAAK,EACL,6BAA6B,KAAK,kEAAkE,EACpG,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD;gBACE,UAAU,EACR,sHAAsH;aACzH,CACF,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAE5E,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,cAAc,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC"}

package/dist/rules/security-v5.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Security v5 — XSS attribute surface, javascript: URLs, crypto misuse.
+ *
+ * Note: ssrf-fetch and sql-string-concat are handled automatically by the
+ * shared taint engine via new sinks registered in taint-types.ts (Wave 0).
+ * This file holds only the rules that can't be expressed as a sink category.
+ */
+import type { ReviewFinding, RuleContext } from '../types.js';
+declare function xssHrefJavascript(ctx: RuleContext): ReviewFinding[];
+export declare const securityV5Rules: (typeof xssHrefJavascript)[];
+export {};

package/dist/rules/security-v5.js

@@ -0,0 +1,200 @@
+/**
+ * Security v5 — XSS attribute surface, javascript: URLs, crypto misuse.
+ *
+ * Note: ssrf-fetch and sql-string-concat are handled automatically by the
+ * shared taint engine via new sinks registered in taint-types.ts (Wave 0).
+ * This file holds only the rules that can't be expressed as a sink category.
+ */
+import { Node, SyntaxKind } from 'ts-morph';
+import { finding, nodeSpan } from './utils.js';
+// ── Rule: xss-href-javascript ────────────────────────────────────────────
+// JSX href / src attribute set to a string starting with `javascript:`,
+// or to an expression whose value can be traced to a literal javascript: URL.
+function xssHrefJavascript(ctx) {
+    const findings = [];
+    for (const attr of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.JsxAttribute)) {
+        const name = attr.getNameNode().getText();
+        if (name !== 'href' && name !== 'src' && name !== 'action' && name !== 'formAction')
+            continue;
+        const init = attr.getInitializer();
+        if (!init)
+            continue;
+        // Literal string attribute: href="javascript:alert(1)"
+        // Autofix: replace the string literal with "#". That's the standard
+        // "inert link" marker — safe default, user can change to a real URL later.
+        if (Node.isStringLiteral(init)) {
+            const value = init.getLiteralValue();
+            if (/^\s*javascript:/i.test(value)) {
+                findings.push(finding('xss-href-javascript', 'error', 'bug', `${name} uses a javascript: URL — executes arbitrary script on click`, ctx.filePath, attr.getStartLineNumber(), 1, {
+                    suggestion: 'Replace javascript: URL with an onClick handler or a safe href',
+                    autofix: {
+                        type: 'replace',
+                        span: nodeSpan(init, ctx.filePath),
+                        replacement: '"#"',
+                        description: 'Replace javascript: URL with inert "#" — wire an onClick handler for real behavior',
+                    },
+                }));
+            }
+            continue;
+        }
+        // Expression attribute: href={someVar} — flag when the expression is a
+        // template literal or string literal starting with javascript:
+        if (Node.isJsxExpression(init)) {
+            const expr = init.getExpression();
+            if (!expr)
+                continue;
+            if (Node.isStringLiteral(expr)) {
+                if (/^\s*javascript:/i.test(expr.getLiteralValue())) {
+                    findings.push(finding('xss-href-javascript', 'error', 'bug', `${name} uses a javascript: URL — executes arbitrary script on click`, ctx.filePath, attr.getStartLineNumber(), 1, {
+                        suggestion: 'Replace javascript: URL with an onClick handler or a safe href',
+                        autofix: {
+                            type: 'replace',
+                            span: nodeSpan(expr, ctx.filePath),
+                            replacement: '"#"',
+                            description: 'Replace javascript: URL with inert "#"',
+                        },
+                    }));
+                }
+            }
+            else if (Node.isTemplateExpression(expr) || Node.isNoSubstitutionTemplateLiteral(expr)) {
+                const text = expr.getText();
+                if (/^[`'"]\s*javascript:/i.test(text)) {
+                    findings.push(finding('xss-href-javascript', 'error', 'bug', `${name} is a template literal starting with javascript: — executes arbitrary script on click`, ctx.filePath, attr.getStartLineNumber(), 1, { suggestion: 'Replace javascript: URL with an onClick handler or a safe href' }));
+                }
+            }
+        }
+    }
+    return findings;
+}
+// ── Rule: crypto-iv-reuse ────────────────────────────────────────────────
+// createCipheriv(algo, key, iv) with a literal/constant IV.
+// A reused IV on GCM is catastrophic; on CBC it's merely broken.
+function isLiteralOrConstant(node) {
+    if (!node)
+        return false;
+    if (Node.isStringLiteral(node))
+        return true;
+    if (Node.isNumericLiteral(node))
+        return true;
+    if (Node.isNoSubstitutionTemplateLiteral(node))
+        return true;
+    // Buffer.from("constant"), Buffer.from([1,2,3]), Buffer.alloc(16)
+    if (Node.isCallExpression(node)) {
+        const callee = node.getExpression().getText();
+        if (callee === 'Buffer.from' || callee === 'Buffer.alloc') {
+            const arg = node.getArguments()[0];
+            if (!arg)
+                return false;
+            // Buffer.alloc(16) — all zeros, always unsafe
+            if (callee === 'Buffer.alloc' && Node.isNumericLiteral(arg))
+                return true;
+            if (Node.isStringLiteral(arg))
+                return true;
+            if (Node.isNumericLiteral(arg))
+                return true;
+            if (Node.isArrayLiteralExpression(arg)) {
+                return arg.getElements().every((el) => Node.isNumericLiteral(el));
+            }
+        }
+    }
+    return false;
+}
+/** Resolve a variable reference to its initializer if it is a top-level const. */
+function resolveConstInitializer(node) {
+    if (!Node.isIdentifier(node))
+        return undefined;
+    const decls = node.getSymbol()?.getDeclarations() ?? [];
+    for (const d of decls) {
+        if (Node.isVariableDeclaration(d)) {
+            // Must be a `const` declaration
+            const statement = d.getVariableStatement();
+            if (statement && statement.getDeclarationKind() === 'const') {
+                return d.getInitializer();
+            }
+        }
+    }
+    return undefined;
+}
+function cryptoIvReuse(ctx) {
+    const findings = [];
+    for (const call of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+        const callee = call.getExpression().getText();
+        if (callee !== 'createCipheriv' && callee !== 'crypto.createCipheriv')
+            continue;
+        const args = call.getArguments();
+        if (args.length < 3)
+            continue;
+        const ivArg = args[2];
+        let unsafe = isLiteralOrConstant(ivArg);
+        let reason = 'IV is a compile-time constant';
+        if (!unsafe && Node.isIdentifier(ivArg)) {
+            const init = resolveConstInitializer(ivArg);
+            if (init && isLiteralOrConstant(init)) {
+                unsafe = true;
+                reason = `IV resolves to constant '${ivArg.getText()}' (declared as const with a literal initializer)`;
+            }
+        }
+        if (unsafe) {
+            findings.push(finding('crypto-iv-reuse', 'error', 'bug', `createCipheriv called with a constant IV — ${reason}. Reusing an IV on AES-GCM leaks the key stream; on CBC it enables chosen-plaintext attacks.`, ctx.filePath, call.getStartLineNumber(), 1, {
+                suggestion: 'Generate a fresh IV per encryption: `const iv = crypto.randomBytes(ivLength)` and prepend it to the ciphertext for decryption',
+            }));
+        }
+    }
+    return findings;
+}
+// ── Rule: crypto-weak-kdf ────────────────────────────────────────────────
+// pbkdf2(password, salt, iterations, keylen, digest) with iterations below
+// the current OWASP minimum (600_000 for SHA-256 as of 2023, 210_000 for
+// SHA-512). We use 100_000 as a hard floor to avoid flagging historical
+// but still-passing callers; anything lower is indefensible.
+const PBKDF2_MIN_ITERATIONS = 100_000;
+function cryptoWeakKdf(ctx) {
+    const findings = [];
+    for (const call of ctx.sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+        const callee = call.getExpression().getText();
+        if (callee !== 'pbkdf2' &&
+            callee !== 'pbkdf2Sync' &&
+            callee !== 'crypto.pbkdf2' &&
+            callee !== 'crypto.pbkdf2Sync') {
+            continue;
+        }
+        const args = call.getArguments();
+        if (args.length < 3)
+            continue;
+        const iterArg = args[2];
+        let iterations;
+        if (Node.isNumericLiteral(iterArg)) {
+            iterations = Number(iterArg.getLiteralValue());
+        }
+        else if (Node.isIdentifier(iterArg)) {
+            const init = resolveConstInitializer(iterArg);
+            if (init && Node.isNumericLiteral(init)) {
+                iterations = Number(init.getLiteralValue());
+            }
+        }
+        if (iterations !== undefined && iterations < PBKDF2_MIN_ITERATIONS) {
+            // Autofix: replace the iterations literal with 600_000 (OWASP 2023 min
+            // for SHA-256). Only when the arg is a direct literal — don't try to
+            // rewrite a referenced constant, that requires resolving and patching
+            // the declaration.
+            const canAutofix = Node.isNumericLiteral(iterArg);
+            findings.push(finding('crypto-weak-kdf', 'error', 'bug', `pbkdf2 called with only ${iterations} iterations — well below the OWASP minimum (600,000 for SHA-256, 210,000 for SHA-512). This key derivation can be brute-forced.`, ctx.filePath, call.getStartLineNumber(), 1, {
+                suggestion: 'Use argon2id via `argon2` or increase iterations to at least 600,000 for SHA-256 / 210,000 for SHA-512',
+                ...(canAutofix
+                    ? {
+                        autofix: {
+                            type: 'replace',
+                            span: nodeSpan(iterArg, ctx.filePath),
+                            replacement: '600_000',
+                            description: 'Bump iteration count to 600,000 (OWASP 2023 minimum for SHA-256)',
+                        },
+                    }
+                    : {}),
+            }));
+        }
+    }
+    return findings;
+}
+// ── Exported Security v5 Rules ───────────────────────────────────────────
+export const securityV5Rules = [xssHrefJavascript, cryptoIvReuse, cryptoWeakKdf];
+//# sourceMappingURL=security-v5.js.map

package/dist/rules/security-v5.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-v5.js","sourceRoot":"","sources":["../../src/rules/security-v5.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE5C,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE/C,4EAA4E;AAC5E,wEAAwE;AACxE,8EAA8E;AAE9E,SAAS,iBAAiB,CAAC,GAAgB;IACzC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChF,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,EAAE,CAAC;QAC1C,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,YAAY;YAAE,SAAS;QAE9F,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,uDAAuD;QACvD,oEAAoE;QACpE,2EAA2E;QAC3E,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YACrC,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnC,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,qBAAqB,EACrB,OAAO,EACP,KAAK,EACL,GAAG,IAAI,8DAA8D,EACrE,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD;oBACE,UAAU,EAAE,gEAAgE;oBAC5E,OAAO,EAAE;wBACP,IAAI,EAAE,SAAS;wBACf,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC;wBAClC,WAAW,EAAE,KAAK;wBAClB,WAAW,EAAE,oFAAoF;qBAClG;iBACF,CACF,CACF,CAAC;YACJ,CAAC;YACD,SAAS;QACX,CAAC;QAED,uEAAuE;QACvE,+DAA+D;QAC/D,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,CAAC;oBACpD,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,qBAAqB,EACrB,OAAO,EACP,KAAK,EACL,GAAG,IAAI,8DAA8D,EACrE,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD;wBACE,UAAU,EAAE,gEAAgE;wBAC5E,OAAO,EAAE;4BACP,IAAI,EAAE,SAAS;4BACf,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC;4BAClC,WAAW,EAAE,KAAK;4BAClB,WAAW,EAAE,wCAAwC;yBACtD;qBACF,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC5B,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,qBAAqB,EACrB,OAAO,EACP,KAAK,EACL,GAAG,IAAI,uFAAuF,EAC9F,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD,EAAE,UAAU,EAAE,gEAAgE,EAAE,CACjF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAC5E,4DAA4D;AAC5D,iEAAiE;AAEjE,SAAS,mBAAmB,CAAC,IAAsB;IACjD,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,kEAAkE;IAClE,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAC9C,IAAI,MAAM,KAAK,aAAa,IAAI,MAAM,KAAK,cAAc,EAAE,CAAC;YAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,GAAG;gBAAE,OAAO,KAAK,CAAC;YACvB,8CAA8C;YAC9C,IAAI,MAAM,KAAK,cAAc,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YACzE,IAAI,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC3C,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC5C,IAAI,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,kFAAkF;AAClF,SAAS,uBAAuB,CAAC,IAAU;IACzC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;IACxD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,gCAAgC;YAChC,MAAM,SAAS,GAAG,CAAC,CAAC,oBAAoB,EAAE,CAAC;YAC3C,IAAI,SAAS,IAAI,SAAS,CAAC,kBAAkB,EAAE,KAAK,OAAO,EAAE,CAAC;gBAC5D,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,aAAa,CAAC,GAAgB;IACrC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAC9C,IAAI,MAAM,KAAK,gBAAgB,IAAI,MAAM,KAAK,uBAAuB;YAAE,SAAS;QAEhF,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,MAAM,GAAG,+BAA+B,CAAC;QAE7C,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,IAAI,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,IAAI,CAAC;gBACd,MAAM,GAAG,4BAA4B,KAAK,CAAC,OAAO,EAAE,kDAAkD,CAAC;YACzG,CAAC;QACH,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,iBAAiB,EACjB,OAAO,EACP,KAAK,EACL,8CAA8C,MAAM,8FAA8F,EAClJ,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD;gBACE,UAAU,EACR,+HAA+H;aAClI,CACF,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAC5E,2EAA2E;AAC3E,yEAAyE;AACzE,wEAAwE;AACxE,6DAA6D;AAE7D,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAEtC,SAAS,aAAa,CAAC,GAAgB;IACrC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAC9C,IACE,MAAM,KAAK,QAAQ;YACnB,MAAM,KAAK,YAAY;YACvB,MAAM,KAAK,eAAe;YAC1B,MAAM,KAAK,mBAAmB,EAC9B,CAAC;YACD,SAAS;QACX,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAExB,IAAI,UAA8B,CAAC;QAEnC,IAAI,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACjD,CAAC;aAAM,IAAI,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,IAAI,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,GAAG,qBAAqB,EAAE,CAAC;YACnE,uEAAuE;YACvE,qEAAqE;YACrE,sEAAsE;YACtE,mBAAmB;YACnB,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAClD,QAAQ,CAAC,IAAI,CACX,OAAO,CACL,iBAAiB,EACjB,OAAO,EACP,KAAK,EACL,2BAA2B,UAAU,iIAAiI,EACtK,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,kBAAkB,EAAE,EACzB,CAAC,EACD;gBACE,UAAU,EACR,wGAAwG;gBAC1G,GAAG,CAAC,UAAU;oBACZ,CAAC,CAAC;wBACE,OAAO,EAAE;4BACP,IAAI,EAAE,SAAkB;4BACxB,IAAI,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC;4BACrC,WAAW,EAAE,SAAS;4BACtB,WAAW,EAAE,kEAAkE;yBAChF;qBACF;oBACH,CAAC,CAAC,EAAE,CAAC;aACR,CACF,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4EAA4E;AAE5E,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,iBAAiB,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC"}

package/dist/rules/utils.d.ts

@@ -2,6 +2,22 @@
  * Shared helpers for review rules — eliminates duplication of span() and finding()
  * across base.ts, react.ts, nextjs.ts, express.ts, security.ts, vue.ts, dead-logic.ts.
  */
+import type { Node } from 'ts-morph';
 import type { ReviewFinding, SourceSpan } from '../types.js';
 export declare function span(file: string, line: number, col?: number, endLine?: number, endCol?: number): SourceSpan;
+/**
+ * Compute a precise SourceSpan for a ts-morph Node, using 1-based line/column.
+ * Used by autofix rules that need character-accurate replacement coordinates.
+ */
+export declare function nodeSpan(node: Node, file: string): SourceSpan;
+/**
+ * Compute a SourceSpan for the insertion point immediately before a node.
+ * For use with FixAction.type === 'insert-before'.
+ */
+export declare function insertBeforeSpan(node: Node, file: string): SourceSpan;
+/**
+ * Compute a SourceSpan for the insertion point immediately after a node.
+ * For use with FixAction.type === 'insert-after'.
+ */
+export declare function insertAfterSpan(node: Node, file: string): SourceSpan;
 export declare function finding(ruleId: string, severity: 'error' | 'warning' | 'info', category: ReviewFinding['category'], message: string, file: string, line: number, col?: number, extra?: Partial<ReviewFinding>): ReviewFinding;