@kevinrabun/judges 1.2.0 → 1.3.0

package/README.md

@@ -1,6 +1,6 @@
 # Judges Panel
 
-An MCP (Model Context Protocol) server that provides a panel of **18 specialized judges** to evaluate AI-generated code — acting as an independent quality gate regardless of which project is being reviewed.
+An MCP (Model Context Protocol) server that provides a panel of **30 specialized judges** to evaluate AI-generated code — acting as an independent quality gate regardless of which project is being reviewed.
 
 [![CI](https://github.com/KevinRabun/judges/actions/workflows/ci.yml/badge.svg)](https://github.com/KevinRabun/judges/actions/workflows/ci.yml)
 [![npm](https://img.shields.io/npm/v/@kevinrabun/judges)](https://www.npmjs.com/package/@kevinrabun/judges)
@@ -21,7 +21,7 @@ npm run build
 
 ### 2. Try the Demo
 
-Run the included demo to see all 18 judges evaluate a purposely flawed API server:
+Run the included demo to see all 30 judges evaluate a purposely flawed API server:
 
 ```bash
 npm run demo
@@ -41,7 +41,7 @@ This evaluates [`examples/sample-vulnerable-api.ts`](examples/sample-vulnerable-
   Critical Issues : 15
   High Issues     : 17
   Total Findings  : 83
-  Judges Run      : 18
+  Judges Run      : 30
 
   Per-Judge Breakdown:
   ────────────────────────────────────────────────────────────────
@@ -63,6 +63,18 @@ This evaluates [`examples/sample-vulnerable-api.ts`](examples/sample-vulnerable-
   ⚠️  Judge Dependency Health        90/100    1 finding(s)
   ❌ Judge Concurrency               44/100    4 finding(s)
   ❌ Judge Ethics & Bias             65/100    2 finding(s)
+  ❌ Judge Maintainability           52/100    4 finding(s)
+  ❌ Judge Error Handling            27/100    3 finding(s)
+  ❌ Judge Authentication             0/100    4 finding(s)
+  ❌ Judge Database                   0/100    5 finding(s)
+  ❌ Judge Caching                   62/100    3 finding(s)
+  ❌ Judge Configuration Mgmt         0/100    3 finding(s)
+  ⚠️  Judge Backwards Compat         80/100    2 finding(s)
+  ⚠️  Judge Portability              72/100    2 finding(s)
+  ❌ Judge UX                        52/100    4 finding(s)
+  ❌ Judge Logging Privacy            0/100    4 finding(s)
+  ❌ Judge Rate Limiting             27/100    4 finding(s)
+  ⚠️  Judge CI/CD                    80/100    2 finding(s)
 ```
 
 ### 3. Run the Tests
@@ -71,7 +83,7 @@ This evaluates [`examples/sample-vulnerable-api.ts`](examples/sample-vulnerable-
 npm test
 ```
 
-Runs 184 automated tests covering all 18 judges, markdown formatters, and edge cases.
+Runs automated tests covering all 30 judges, markdown formatters, and edge cases.
 
 ### 4. Connect to Your Editor
 
@@ -135,6 +147,18 @@ Then use `judges` as the command in your MCP config (no `args` needed).
 | **Dependency Health** | Dependency Management | `DEPS-` | Version pinning, deprecated packages, supply chain |
 | **Concurrency** | Concurrency & Async Safety | `CONC-` | Race conditions, unbounded parallelism, missing await |
 | **Ethics & Bias** | Ethics & Bias | `ETHICS-` | Demographic logic, dark patterns, inclusive language |
+| **Maintainability** | Code Maintainability & Technical Debt | `MAINT-` | Any types, magic numbers, deep nesting, dead code, file length |
+| **Error Handling** | Error Handling & Fault Tolerance | `ERR-` | Empty catch blocks, missing error handlers, swallowed errors |
+| **Authentication** | Authentication & Authorization | `AUTH-` | Hardcoded creds, missing auth middleware, token in query params |
+| **Database** | Database Design & Query Efficiency | `DB-` | SQL injection, N+1 queries, connection pooling, transactions |
+| **Caching** | Caching Strategy & Data Freshness | `CACHE-` | Unbounded caches, missing TTL, no HTTP cache headers |
+| **Configuration Mgmt** | Configuration & Secrets Management | `CFG-` | Hardcoded secrets, missing env vars, config validation |
+| **Backwards Compat** | Backwards Compatibility & Versioning | `COMPAT-` | API versioning, breaking changes, response consistency |
+| **Portability** | Platform Portability & Vendor Independence | `PORTA-` | OS-specific paths, vendor lock-in, hardcoded hosts |
+| **UX** | User Experience & Interface Quality | `UX-` | Loading states, error messages, pagination, destructive actions |
+| **Logging Privacy** | Logging Privacy & Data Redaction | `LOGPRIV-` | PII in logs, token logging, structured logging, redaction |
+| **Rate Limiting** | Rate Limiting & Throttling | `RATE-` | Missing rate limits, unbounded queries, backoff strategy |
+| **CI/CD** | CI/CD Pipeline & Deployment Safety | `CICD-` | Test infrastructure, lint config, Docker tags, build scripts |
 
 ---
 
@@ -173,7 +197,7 @@ When your AI coding assistant connects to multiple MCP servers, each one contrib
 
 | Layer | What It Does | Example Servers |
 |-------|-------------|-----------------|
-| **Judges Panel** | 18-judge quality gate — security patterns, cost, scalability, a11y, compliance, ethics | This server |
+| **Judges Panel** | 30-judge quality gate — security patterns, cost, scalability, a11y, compliance, ethics | This server |
 | **AST Analysis** | Deep structural analysis — data flow, complexity metrics, dead code, type tracking | Tree-sitter, Semgrep, SonarQube MCP servers |
 | **CVE / SBOM** | Vulnerability scanning against live databases — known CVEs, license risks, supply chain | OSV, Snyk, Trivy, Grype MCP servers |
 | **Linting** | Language-specific style and correctness rules | ESLint, Ruff, Clippy MCP servers |
@@ -209,7 +233,7 @@ Each server returns structured findings. The AI synthesizes everything into a si
 List all available judges with their domains and descriptions.
 
 ### `evaluate_code`
-Submit code to the **full judges panel**. All 18 judges evaluate independently and return a combined verdict.
+Submit code to the **full judges panel**. All 30 judges evaluate independently and return a combined verdict.
 
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
@@ -229,7 +253,7 @@ Submit code to a **specific judge** for targeted review.
 
 #### Judge IDs
 
-`data-security` · `cybersecurity` · `cost-effectiveness` · `scalability` · `cloud-readiness` · `software-practices` · `accessibility` · `api-design` · `reliability` · `observability` · `performance` · `compliance` · `testing` · `documentation` · `internationalization` · `dependency-health` · `concurrency` · `ethics-bias`
+`data-security` · `cybersecurity` · `cost-effectiveness` · `scalability` · `cloud-readiness` · `software-practices` · `accessibility` · `api-design` · `reliability` · `observability` · `performance` · `compliance` · `testing` · `documentation` · `internationalization` · `dependency-health` · `concurrency` · `ethics-bias` · `maintainability` · `error-handling` · `authentication` · `database` · `caching` · `configuration-management` · `backwards-compatibility` · `portability` · `ux` · `logging-privacy` · `rate-limiting` · `ci-cd`
 
 ---
 
@@ -257,7 +281,19 @@ Each judge has a corresponding prompt for LLM-powered deep analysis:
 | `judge-dependency-health` | Deep dependency health review |
 | `judge-concurrency` | Deep concurrency & async safety review |
 | `judge-ethics-bias` | Deep ethics & bias review |
-| `full-tribunal` | All 18 judges in a single prompt |
+| `judge-maintainability` | Deep maintainability & tech debt review |
+| `judge-error-handling` | Deep error handling review |
+| `judge-authentication` | Deep authentication & authorization review |
+| `judge-database` | Deep database design & query review |
+| `judge-caching` | Deep caching strategy review |
+| `judge-configuration-management` | Deep configuration & secrets review |
+| `judge-backwards-compatibility` | Deep backwards compatibility review |
+| `judge-portability` | Deep platform portability review |
+| `judge-ux` | Deep user experience review |
+| `judge-logging-privacy` | Deep logging privacy review |
+| `judge-rate-limiting` | Deep rate limiting review |
+| `judge-ci-cd` | Deep CI/CD pipeline review |
+| `full-tribunal` | All 30 judges in a single prompt |
 
 ---
 
@@ -278,7 +314,7 @@ Each judge scores the code from **0 to 100**:
 - **WARNING** — Any high finding, any medium finding, or score < 80
 - **PASS** — Score ≥ 80 with no critical, high, or medium findings
 
-The **overall tribunal score** is the average of all 18 judges. The overall verdict fails if **any** judge fails.
+The **overall tribunal score** is the average of all 30 judges. The overall verdict fails if **any** judge fails.
 
 ---
 
@@ -292,12 +328,12 @@ judges/
 │   ├── evaluators/           # Pattern-based analysis engine for each judge
 │   │   ├── index.ts          # evaluateWithJudge(), evaluateWithTribunal()
 │   │   ├── shared.ts         # Scoring, verdict logic, markdown formatters
-│   │   └── *.ts              # One analyzer per judge (18 files)
+│   │   └── *.ts              # One analyzer per judge (30 files)
 │   └── judges/               # Judge definitions (id, name, domain, system prompt)
 │       ├── index.ts          # JUDGES array, getJudge(), getJudgeSummaries()
-│       └── *.ts              # One definition per judge (18 files)
+│       └── *.ts              # One definition per judge (30 files)
 ├── examples/
-│   ├── sample-vulnerable-api.ts  # Intentionally flawed code (triggers all 18 judges)
+│   ├── sample-vulnerable-api.ts  # Intentionally flawed code (triggers all 30 judges)
 │   └── demo.ts                   # Run: npm run demo
 ├── tests/
 │   └── judges.test.ts            # Run: npm test (184 tests)
@@ -315,7 +351,7 @@ judges/
 |---------|-------------|
 | `npm run build` | Compile TypeScript to `dist/` |
 | `npm run dev` | Watch mode — recompile on save |
-| `npm test` | Run the full test suite (184 tests) |
+| `npm test` | Run the full test suite |
 | `npm run demo` | Run the sample tribunal demo |
 | `npm start` | Start the MCP server |
 | `npm run clean` | Remove `dist/` |

package/dist/evaluators/authentication.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from "../types.js";
+export declare function analyzeAuthentication(code: string, language: string): Finding[];
+//# sourceMappingURL=authentication.d.ts.map

package/dist/evaluators/authentication.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authentication.d.ts","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtC,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA4G/E"}

package/dist/evaluators/authentication.js

@@ -0,0 +1,103 @@
+import { getLineNumbers } from "./shared.js";
+export function analyzeAuthentication(code, language) {
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "AUTH";
+    // Hardcoded credentials
+    const credentialPattern = /(?:password|passwd|pwd|secret|api_?key|apikey|token|auth_?token)\s*[:=]\s*["'`][^"'`]{3,}/gi;
+    const credentialLines = getLineNumbers(code, credentialPattern);
+    if (credentialLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "Hardcoded credentials in source code",
+            description: `Found ${credentialLines.length} instance(s) of what appears to be hardcoded credentials. Credentials in source code are exposed in version control and cannot be rotated without redeployment.`,
+            lineNumbers: credentialLines,
+            recommendation: "Use environment variables or a secrets manager (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Never commit credentials to version control.",
+            reference: "OWASP: Credential Management / CWE-798",
+        });
+    }
+    // No auth middleware on routes
+    const hasRoutes = /app\.(get|post|put|delete|patch)\s*\(\s*["'`]/gi.test(code);
+    const hasAuthMiddleware = /(?:authenticate|authorize|requireAuth|ensureAuth|isAuthenticated|verifyToken|passport\.authenticate|jwt\.verify|auth\(\)|protect|guard|requireLogin)/gi.test(code);
+    if (hasRoutes && !hasAuthMiddleware && code.split("\n").length > 20) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "API routes without authentication middleware",
+            description: "API endpoints are defined without any visible authentication middleware. Any client can access these endpoints without proving their identity.",
+            recommendation: "Apply authentication middleware to routes that require it. Use app.use(authMiddleware) for global protection or per-route middleware for selective protection.",
+            reference: "OWASP API Security Top 10: API2 — Broken Authentication",
+        });
+    }
+    // Token in query parameters
+    const tokenQueryPattern = /req\.query\.(?:token|api_?key|auth|secret|password|access_token)/gi;
+    const tokenQueryLines = getLineNumbers(code, tokenQueryPattern);
+    if (tokenQueryLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "Sensitive tokens passed in query parameters",
+            description: "Authentication tokens or API keys are read from query parameters. Query params appear in server logs, browser history, referrer headers, and proxy logs.",
+            lineNumbers: tokenQueryLines,
+            recommendation: "Pass tokens in the Authorization header (Bearer scheme) or in httpOnly cookies. Never use query parameters for sensitive credentials.",
+            reference: "OWASP: Transport Layer Security / RFC 6750",
+        });
+    }
+    // Weak password hashing
+    const weakHashPattern = /createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\)|(?:md5|sha1)\s*\(/gi;
+    const weakHashLines = getLineNumbers(code, weakHashPattern);
+    if (weakHashLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "Weak hashing algorithm for credentials",
+            description: "MD5, SHA1, or SHA256 are fast hash algorithms unsuitable for password storage. They can be brute-forced at billions of hashes per second.",
+            lineNumbers: weakHashLines,
+            recommendation: "Use bcrypt, scrypt, or Argon2 for password hashing. These algorithms are intentionally slow and include salt by default.",
+            reference: "OWASP Password Storage Cheat Sheet / NIST 800-63b",
+        });
+    }
+    // No RBAC / authorization checks
+    const hasRoleCheck = /role|permission|isAdmin|isOwner|canAccess|authorize|requiredRole|hasPermission|checkPermission/gi.test(code);
+    if (hasRoutes && !hasRoleCheck && code.split("\n").length > 40) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "No authorization / role-based access control detected",
+            description: "No role or permission checks found. Without authorization, any authenticated user could access any resource, including admin functions.",
+            recommendation: "Implement role-based access control (RBAC) or attribute-based access control (ABAC). Check permissions at each endpoint or resource access.",
+            reference: "OWASP API Security Top 10: API5 — Broken Function Level Authorization",
+        });
+    }
+    // JWT without verification
+    const hasJwt = /jwt|jsonwebtoken|jose/gi.test(code);
+    const hasJwtVerify = /jwt\.verify|jwtVerify|verifyToken|jose\.jwtVerify/gi.test(code);
+    const hasJwtSign = /jwt\.sign|jwtSign|signToken/gi.test(code);
+    if (hasJwt && hasJwtSign && !hasJwtVerify) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "JWT tokens signed but never verified",
+            description: "JWT tokens are being created but no verification logic is visible. Tokens could be tampered with or forged without the server detecting it.",
+            recommendation: "Always verify JWT tokens on every request: check signature, expiration (exp), issuer (iss), and audience (aud).",
+            reference: "RFC 7519: JWT / OWASP JWT Cheat Sheet",
+        });
+    }
+    // Disabled TLS / certificate validation
+    const tlsDisabledPattern = /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["'`]?0|rejectUnauthorized\s*:\s*false|verify\s*=\s*False|InsecureSkipVerify\s*:\s*true/gi;
+    const tlsLines = getLineNumbers(code, tlsDisabledPattern);
+    if (tlsLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "TLS certificate validation disabled",
+            description: "TLS certificate verification is disabled, allowing man-in-the-middle attacks. Authentication credentials sent over this connection can be intercepted.",
+            lineNumbers: tlsLines,
+            recommendation: "Never disable TLS verification in production. Fix certificate issues properly. Use CA bundles for self-signed certs in development only.",
+            reference: "CWE-295: Improper Certificate Validation",
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=authentication.js.map

package/dist/evaluators/authentication.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authentication.js","sourceRoot":"","sources":["../../src/evaluators/authentication.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,qBAAqB,CAAC,IAAY,EAAE,QAAgB;IAClE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,CAAC;IAEtB,wBAAwB;IACxB,MAAM,iBAAiB,GAAG,6FAA6F,CAAC;IACxH,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,SAAS,eAAe,CAAC,MAAM,iKAAiK;YAC7M,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,sJAAsJ;YACtK,SAAS,EAAE,wCAAwC;SACpD,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,iDAAiD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,MAAM,iBAAiB,GAAG,wJAAwJ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9L,IAAI,SAAS,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,gJAAgJ;YAC7J,cAAc,EAAE,gKAAgK;YAChL,SAAS,EAAE,yDAAyD;SACrE,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAC5B,MAAM,iBAAiB,GAAG,oEAAoE,CAAC;IAC/F,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,6CAA6C;YACpD,WAAW,EAAE,0JAA0J;YACvK,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,uIAAuI;YACvJ,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,eAAe,GAAG,uEAAuE,CAAC;IAChG,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAC5D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,2IAA2I;YACxJ,WAAW,EAAE,aAAa;YAC1B,cAAc,EAAE,0HAA0H;YAC1I,SAAS,EAAE,mDAAmD;SAC/D,CAAC,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,MAAM,YAAY,GAAG,kGAAkG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnI,IAAI,SAAS,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,uDAAuD;YAC9D,WAAW,EAAE,yIAAyI;YACtJ,cAAc,EAAE,6IAA6I;YAC7J,SAAS,EAAE,uEAAuE;SACnF,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAC3B,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9D,IAAI,MAAM,IAAI,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,6IAA6I;YAC1J,cAAc,EAAE,iHAAiH;YACjI,SAAS,EAAE,uCAAuC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,kBAAkB,GAAG,8HAA8H,CAAC;IAC1J,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAC1D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,wJAAwJ;YACrK,WAAW,EAAE,QAAQ;YACrB,cAAc,EAAE,0IAA0I;YAC1J,SAAS,EAAE,0CAA0C;SACtD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/backwards-compatibility.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from "../types.js";
+export declare function analyzeBackwardsCompatibility(code: string, language: string): Finding[];
+//# sourceMappingURL=backwards-compatibility.d.ts.map

package/dist/evaluators/backwards-compatibility.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backwards-compatibility.d.ts","sourceRoot":"","sources":["../../src/evaluators/backwards-compatibility.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtC,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA+EvF"}

package/dist/evaluators/backwards-compatibility.js

@@ -0,0 +1,76 @@
+import { getLineNumbers } from "./shared.js";
+export function analyzeBackwardsCompatibility(code, language) {
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "COMPAT";
+    // No API versioning
+    const hasApiRoutes = /app\.(get|post|put|delete|patch)\s*\(\s*["'`]\/api\//gi.test(code);
+    const hasVersioning = /\/api\/v\d|\/v\d\/|api-version|x-api-version|accept-version/gi.test(code);
+    if (hasApiRoutes && !hasVersioning) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "API endpoints without versioning",
+            description: "API routes are defined under /api/ without a version prefix (e.g., /api/v1/). Without versioning, any changes to the API risk breaking existing consumers.",
+            recommendation: "Add version prefixes to API routes: /api/v1/users. This allows old and new versions to coexist during migration. Use URL, header, or query param versioning.",
+            reference: "API Versioning Best Practices / RESTful API Design",
+        });
+    }
+    // Deprecated API indicators without deprecation headers
+    const hasDeprecated = /deprecated|@deprecated|obsolete|legacy/gi.test(code);
+    const hasDeprecationHeader = /Deprecation|Sunset|X-Deprecated/gi.test(code);
+    if (hasDeprecated && !hasDeprecationHeader) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "Deprecated code without API deprecation headers",
+            description: "Code is marked as deprecated in comments or annotations but no HTTP deprecation headers (Deprecation, Sunset) are set. API consumers won't know features are being retired.",
+            recommendation: "Set HTTP Deprecation and Sunset headers on deprecated endpoints. Document alternatives. Communicate timeline to consumers.",
+            reference: "RFC 8594: The Sunset HTTP Header / API Lifecycle Management",
+        });
+    }
+    // Direct field deletion in response objects
+    const deleteFieldPattern = /delete\s+\w+\.\w+/gi;
+    const deleteLines = getLineNumbers(code, deleteFieldPattern);
+    if (deleteLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "Field deletion could break consumers",
+            description: "Fields are deleted from objects before sending responses. If this is an API response, removing previously available fields is a breaking change.",
+            lineNumbers: deleteLines,
+            recommendation: "Instead of deleting fields, use a response DTO/mapper that explicitly selects which fields to include. Version the API when removing fields.",
+            reference: "Backwards-Compatible API Evolution",
+        });
+    }
+    // Response type changes (sending different structures)
+    const mixedResponsePattern = /res\.json\s*\(\s*(?:\{|\[)/g;
+    const responseLines = getLineNumbers(code, /res\.json\s*\(/g);
+    if (responseLines.length > 2) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "info",
+            title: "Multiple response formats — verify contract consistency",
+            description: `Found ${responseLines.length} response points. Verify that all endpoints follow a consistent response envelope (e.g., { data, error, meta }). Inconsistent response shapes are a compatibility hazard.`,
+            lineNumbers: responseLines.slice(0, 5),
+            recommendation: "Use a consistent response envelope across all endpoints. Define response schemas (OpenAPI/Swagger) to enforce contracts.",
+            reference: "API Contract Design / JSON:API Specification",
+        });
+    }
+    // No semver in package version
+    const packageVersionPattern = /"version"\s*:\s*"(?:0\.0\.|[^"]*-alpha|[^"]*-beta)/gi;
+    const packageVersionLines = getLineNumbers(code, packageVersionPattern);
+    if (packageVersionLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "info",
+            title: "Pre-release version — backwards compatibility expectations unclear",
+            description: "Package version indicates a pre-release or 0.x version. Consumers may not know what compatibility guarantees exist.",
+            lineNumbers: packageVersionLines,
+            recommendation: "Document backwards compatibility policy. Use semver: major bumps for breaking changes, minor for features, patch for fixes.",
+            reference: "Semantic Versioning (semver.org)",
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=backwards-compatibility.js.map

package/dist/evaluators/backwards-compatibility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"backwards-compatibility.js","sourceRoot":"","sources":["../../src/evaluators/backwards-compatibility.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,6BAA6B,CAAC,IAAY,EAAE,QAAgB;IAC1E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,QAAQ,CAAC;IAExB,oBAAoB;IACpB,MAAM,YAAY,GAAG,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzF,MAAM,aAAa,GAAG,+DAA+D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjG,IAAI,YAAY,IAAI,CAAC,aAAa,EAAE,CAAC;QACnC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,kCAAkC;YACzC,WAAW,EAAE,4JAA4J;YACzK,cAAc,EAAE,8JAA8J;YAC9K,SAAS,EAAE,oDAAoD;SAChE,CAAC,CAAC;IACL,CAAC;IAED,wDAAwD;IACxD,MAAM,aAAa,GAAG,0CAA0C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,MAAM,oBAAoB,GAAG,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,IAAI,aAAa,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC3C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,iDAAiD;YACxD,WAAW,EAAE,6KAA6K;YAC1L,cAAc,EAAE,4HAA4H;YAC5I,SAAS,EAAE,6DAA6D;SACzE,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;IACjD,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAC7D,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,kJAAkJ;YAC/J,WAAW,EAAE,WAAW;YACxB,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,oCAAoC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,MAAM,oBAAoB,GAAG,6BAA6B,CAAC;IAC3D,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAC9D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,yDAAyD;YAChE,WAAW,EAAE,SAAS,aAAa,CAAC,MAAM,2KAA2K;YACrN,WAAW,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACtC,cAAc,EAAE,0HAA0H;YAC1I,SAAS,EAAE,8CAA8C;SAC1D,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,qBAAqB,GAAG,sDAAsD,CAAC;IACrF,MAAM,mBAAmB,GAAG,cAAc,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;IACxE,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,oEAAoE;YAC3E,WAAW,EAAE,qHAAqH;YAClI,WAAW,EAAE,mBAAmB;YAChC,cAAc,EAAE,6HAA6H;YAC7I,SAAS,EAAE,kCAAkC;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/caching.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from "../types.js";
+export declare function analyzeCaching(code: string, language: string): Finding[];
+//# sourceMappingURL=caching.d.ts.map

package/dist/evaluators/caching.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"caching.d.ts","sourceRoot":"","sources":["../../src/evaluators/caching.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtC,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAiFxE"}

package/dist/evaluators/caching.js

@@ -0,0 +1,78 @@
+import { getLineNumbers } from "./shared.js";
+export function analyzeCaching(code, language) {
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "CACHE";
+    // Unbounded in-memory cache
+    const inMemoryCachePattern = /(?:const|let|var)\s+\w*[Cc]ache\w*\s*[:=]\s*(?:new\s+Map|\{\}|\[\])/gi;
+    const inMemoryCacheLines = getLineNumbers(code, inMemoryCachePattern);
+    if (inMemoryCacheLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Unbounded in-memory cache detected",
+            description: "In-memory cache without size limits or eviction policy. This will grow indefinitely and eventually cause out-of-memory errors under production load.",
+            lineNumbers: inMemoryCacheLines,
+            recommendation: "Use a bounded cache with an eviction policy (LRU, TTL). Consider libraries like lru-cache, node-cache, or a distributed cache (Redis, Memcached) for multi-instance deployments.",
+            reference: "Caching Best Practices / LRU Cache Pattern",
+        });
+    }
+    // No caching for expensive operations
+    const hasDbQueries = /(?:db\.|query|find|findOne|findMany|execute|select)\s*\(/gi.test(code);
+    const hasFetch = /fetch\s*\(|axios\.|http\.get|request\s*\(/gi.test(code);
+    const hasCaching = /cache|Cache|redis|memcache|lru|ttl|stale|expires|ETag|If-None-Match|If-Modified-Since/gi.test(code);
+    if ((hasDbQueries || hasFetch) && !hasCaching && code.split("\n").length > 40) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "No caching strategy for expensive operations",
+            description: "Code performs database queries or external API calls without any caching layer. Every request triggers a full backend operation even for data that rarely changes.",
+            recommendation: "Implement cache-aside (lazy loading) for read-heavy operations. Use Redis or Memcached for shared caching. Set appropriate TTLs based on data freshness requirements.",
+            reference: "Cache-Aside Pattern / AWS Caching Best Practices",
+        });
+    }
+    // No HTTP caching headers
+    const hasHttpResponse = /res\.(json|send|render|set|header)\s*\(/gi.test(code);
+    const hasCacheHeaders = /Cache-Control|ETag|Last-Modified|Expires|max-age|s-maxage|must-revalidate|no-cache|no-store/gi.test(code);
+    if (hasHttpResponse && !hasCacheHeaders && code.split("\n").length > 20) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "No HTTP caching headers set",
+            description: "HTTP responses are sent without Cache-Control, ETag, or Last-Modified headers. Clients and CDNs cannot cache responses, increasing server load and latency.",
+            recommendation: "Set appropriate Cache-Control headers for static and semi-static responses. Use ETags for conditional requests. Configure CDN caching rules.",
+            reference: "RFC 7234: HTTP Caching / MDN Cache-Control",
+        });
+    }
+    // Cache without invalidation strategy
+    const cacheSetPattern = /cache\.set|cache\.put|setCache|redis\.set|\.setex|memcache\.set/gi;
+    const cacheSetLines = getLineNumbers(code, cacheSetPattern);
+    const hasInvalidation = /cache\.del|cache\.delete|cache\.invalidate|cache\.clear|cache\.flush|redis\.del|cache\.remove|bust.*cache/gi.test(code);
+    if (cacheSetLines.length > 0 && !hasInvalidation) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Cache writes without invalidation strategy",
+            description: "Data is cached but no invalidation logic is visible. Stale cache entries will serve outdated data indefinitely unless TTLs are set.",
+            lineNumbers: cacheSetLines,
+            recommendation: "Implement cache invalidation when underlying data changes. Use TTLs as a safety net. Consider write-through or write-behind patterns for consistency.",
+            reference: "Cache Invalidation Strategies",
+        });
+    }
+    // Global mutable object used as cache
+    const globalMutableCachePattern = /(?:let|var)\s+\w*[Cc]ache\w*\s*[:=]\s*\{\}/gi;
+    const globalCacheLines = getLineNumbers(code, globalMutableCachePattern);
+    if (globalCacheLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Mutable global object used as cache",
+            description: "A mutable global object ({}) is used as a cache. This pattern has no TTL, no eviction, no size limit, doesn't work across instances, and is prone to memory leaks.",
+            lineNumbers: globalCacheLines,
+            recommendation: "Replace with a proper caching library (node-cache, lru-cache) or a distributed cache (Redis). These provide TTL, eviction policies, and memory limits.",
+            reference: "In-Memory Caching Best Practices",
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=caching.js.map

package/dist/evaluators/caching.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caching.js","sourceRoot":"","sources":["../../src/evaluators/caching.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,cAAc,CAAC,IAAY,EAAE,QAAgB;IAC3D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,OAAO,CAAC;IAEvB,4BAA4B;IAC5B,MAAM,oBAAoB,GAAG,uEAAuE,CAAC;IACrG,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;IACtE,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,oCAAoC;YAC3C,WAAW,EAAE,sJAAsJ;YACnK,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EAAE,kLAAkL;YAClM,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,4DAA4D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7F,MAAM,QAAQ,GAAG,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,yFAAyF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxH,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC9E,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,oKAAoK;YACjL,cAAc,EAAE,uKAAuK;YACvL,SAAS,EAAE,kDAAkD;SAC9D,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,eAAe,GAAG,2CAA2C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,MAAM,eAAe,GAAG,+FAA+F,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnI,IAAI,eAAe,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,6BAA6B;YACpC,WAAW,EAAE,6JAA6J;YAC1K,cAAc,EAAE,8IAA8I;YAC9J,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,eAAe,GAAG,mEAAmE,CAAC;IAC5F,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAC5D,MAAM,eAAe,GAAG,6GAA6G,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjJ,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QACjD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,4CAA4C;YACnD,WAAW,EAAE,qIAAqI;YAClJ,WAAW,EAAE,aAAa;YAC1B,cAAc,EAAE,uJAAuJ;YACvK,SAAS,EAAE,+BAA+B;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,yBAAyB,GAAG,8CAA8C,CAAC;IACjF,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,yBAAyB,CAAC,CAAC;IACzE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,oKAAoK;YACjL,WAAW,EAAE,gBAAgB;YAC7B,cAAc,EAAE,wJAAwJ;YACxK,SAAS,EAAE,kCAAkC;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/ci-cd.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from "../types.js";
+export declare function analyzeCiCd(code: string, language: string): Finding[];
+//# sourceMappingURL=ci-cd.d.ts.map

package/dist/evaluators/ci-cd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-cd.d.ts","sourceRoot":"","sources":["../../src/evaluators/ci-cd.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtC,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA6FrE"}

package/dist/evaluators/ci-cd.js

@@ -0,0 +1,89 @@
+import { getLineNumbers } from "./shared.js";
+export function analyzeCiCd(code, language) {
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "CICD";
+    // No test script
+    const hasTestScript = /["']test["']\s*:\s*["'][^"']+["']/gi.test(code) ||
+        /describe\s*\(|it\s*\(|test\s*\(|@Test|def\s+test_|unittest|pytest|jest|mocha|vitest/gi.test(code);
+    const isSourceCode = /(?:function|class|const|let|var|import|export|def |public\s+class)/gi.test(code);
+    if (isSourceCode && !hasTestScript && code.split("\n").length > 40) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "No test infrastructure detected",
+            description: "Source code without any testing framework, test scripts, or test functions. CI pipelines need tests to provide value — without them, CI is just 'continuous building.'",
+            recommendation: "Add a test framework (Jest, Vitest, pytest, JUnit). Write tests alongside code. Configure test scripts in package.json or equivalent.",
+            reference: "Continuous Integration Best Practices",
+        });
+    }
+    // No lint configuration
+    const hasLint = /eslint|prettier|tslint|stylelint|rubocop|pylint|flake8|black|rustfmt|clippy|biome/gi.test(code);
+    if (isSourceCode && !hasLint && code.split("\n").length > 40) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "No linting/formatting configuration detected",
+            description: "No linter or formatter configuration found. Without automated code quality checks, inconsistent code style and common mistakes slip through.",
+            recommendation: "Configure ESLint + Prettier (JS/TS), Black + Ruff (Python), or equivalent tools. Add lint scripts and run them in CI.",
+            reference: "CI/CD Pipeline Best Practices",
+        });
+    }
+    // process.exit in application code (not test/script)
+    const processExitPattern = /process\.exit\s*\(\s*[01]\s*\)/gi;
+    const processExitLines = getLineNumbers(code, processExitPattern);
+    if (processExitLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "process.exit() hinders graceful CI/CD lifecycle",
+            description: `Found ${processExitLines.length} process.exit() call(s). Hard exits prevent proper shutdown, skip cleanup hooks, and can cause deployment health checks to fail.`,
+            lineNumbers: processExitLines,
+            recommendation: "Use proper error propagation instead of process.exit(). In production, handle SIGTERM gracefully. Let the runtime manage process lifecycle.",
+            reference: "12-Factor App: Disposability / Kubernetes Pod Lifecycle",
+        });
+    }
+    // @ts-nocheck or type-checking disabled
+    const tsNoCheckPattern = /@ts-nocheck|@ts-ignore|eslint-disable|tslint:disable|# type: ignore|# noqa/gi;
+    const tsNoCheckLines = getLineNumbers(code, tsNoCheckPattern);
+    if (tsNoCheckLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Static analysis suppression comments detected",
+            description: `Found ${tsNoCheckLines.length} instance(s) of disabled type checking or linting. Suppression comments defeat the purpose of static analysis in CI.`,
+            lineNumbers: tsNoCheckLines,
+            recommendation: "Fix the underlying issues instead of suppressing them. If suppression is necessary, add a comment explaining why and create a tracking issue to resolve it.",
+            reference: "TypeScript / ESLint Best Practices",
+        });
+    }
+    // No build script
+    const hasBuildScript = /["']build["']\s*:\s*["']/gi.test(code) ||
+        /tsc|webpack|vite|rollup|esbuild|babel|make\s+build|gradle\s+build|mvn\s+package/gi.test(code);
+    if (isSourceCode && !hasBuildScript && code.split("\n").length > 40) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "info",
+            title: "No build script detected",
+            description: "No build script or build tool configuration found. CI pipelines need reproducible builds. Without a build script, builds rely on manual or undocumented steps.",
+            recommendation: "Define build scripts in package.json, Makefile, or equivalent. Ensure builds are reproducible from a clean checkout.",
+            reference: "Reproducible Builds / CI/CD Best Practices",
+        });
+    }
+    // Docker image using :latest tag
+    const latestTagPattern = /FROM\s+\w+(?:\/\w+)*:latest|image:\s*\w+:latest/gi;
+    const latestTagLines = getLineNumbers(code, latestTagPattern);
+    if (latestTagLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Docker image using :latest tag",
+            description: "Docker images reference :latest tag, which is mutable and makes builds non-reproducible. The same tag can point to different images over time.",
+            lineNumbers: latestTagLines,
+            recommendation: "Pin Docker images to specific versions or SHA digests: FROM node:20.11.0-alpine or FROM node@sha256:abc123...",
+            reference: "Docker Best Practices / Supply Chain Security",
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=ci-cd.js.map

package/dist/evaluators/ci-cd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-cd.js","sourceRoot":"","sources":["../../src/evaluators/ci-cd.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,QAAgB;IACxD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,MAAM,CAAC;IAEtB,iBAAiB;IACjB,MAAM,aAAa,GAAG,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC;QACpE,uFAAuF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrG,MAAM,YAAY,GAAG,sEAAsE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvG,IAAI,YAAY,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACnE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,iCAAiC;YACxC,WAAW,EAAE,wKAAwK;YACrL,cAAc,EAAE,uIAAuI;YACvJ,SAAS,EAAE,uCAAuC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,OAAO,GAAG,qFAAqF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjH,IAAI,YAAY,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,8IAA8I;YAC3J,cAAc,EAAE,uHAAuH;YACvI,SAAS,EAAE,+BAA+B;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,qDAAqD;IACrD,MAAM,kBAAkB,GAAG,kCAAkC,CAAC;IAC9D,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAClE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,iDAAiD;YACxD,WAAW,EAAE,SAAS,gBAAgB,CAAC,MAAM,kIAAkI;YAC/K,WAAW,EAAE,gBAAgB;YAC7B,cAAc,EAAE,6IAA6I;YAC7J,SAAS,EAAE,yDAAyD;SACrE,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,gBAAgB,GAAG,8EAA8E,CAAC;IACxG,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;IAC9D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,+CAA+C;YACtD,WAAW,EAAE,SAAS,cAAc,CAAC,MAAM,sHAAsH;YACjK,WAAW,EAAE,cAAc;YAC3B,cAAc,EAAE,6JAA6J;YAC7K,SAAS,EAAE,oCAAoC;SAChD,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,cAAc,GAAG,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5D,mFAAmF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjG,IAAI,YAAY,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0BAA0B;YACjC,WAAW,EAAE,gKAAgK;YAC7K,cAAc,EAAE,sHAAsH;YACtI,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,MAAM,gBAAgB,GAAG,mDAAmD,CAAC;IAC7E,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;IAC9D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,gCAAgC;YACvC,WAAW,EAAE,gJAAgJ;YAC7J,WAAW,EAAE,cAAc;YAC3B,cAAc,EAAE,+GAA+G;YAC/H,SAAS,EAAE,+CAA+C;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/configuration-management.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from "../types.js";
+export declare function analyzeConfigurationManagement(code: string, language: string): Finding[];
+//# sourceMappingURL=configuration-management.d.ts.map

package/dist/evaluators/configuration-management.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configuration-management.d.ts","sourceRoot":"","sources":["../../src/evaluators/configuration-management.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtC,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA+ExF"}