@kevinrabun/judges 2.3.0 → 3.0.1

package/dist/evaluators/framework-safety.js

@@ -0,0 +1,424 @@
+import { getLineNumbers, getLangFamily } from "./shared.js";
+/**
+ * Framework-specific deep safety rules.
+ *
+ * Detects misuse patterns unique to popular frameworks that generic rules miss:
+ * - React: hook violations, unsafe lifecycle, XSS via dangerouslySetInnerHTML
+ * - Express/Koa/Fastify: middleware ordering, body-parser pitfalls, error middleware
+ * - Next.js: SSR data leaks, getServerSideProps security, API route exposure
+ * - Angular: bypassSecurityTrust, template injection, zone.js anti-patterns
+ * - Vue: v-html without sanitization, computed vs watch misuse
+ */
+export function analyzeFrameworkSafety(code, language) {
+    const findings = [];
+    const lines = code.split("\n");
+    let ruleNum = 1;
+    const prefix = "FW";
+    const lang = getLangFamily(language);
+    if (lang !== "javascript" && lang !== "typescript")
+        return findings;
+    // ── React Hook Violations ────────────────────────────────────────────────
+    // Conditional hook call — breaks Rules of Hooks
+    const conditionalHookLines = [];
+    let inConditional = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (/\bif\s*\(|\bswitch\s*\(|\?\s*$/.test(line))
+            inConditional++;
+        if (inConditional > 0 &&
+            /\buse(?:State|Effect|Memo|Callback|Ref|Context|Reducer|LayoutEffect|ImperativeHandle|DebugValue)\s*\(/i.test(line)) {
+            conditionalHookLines.push(i + 1);
+        }
+        if (/^\s*\}/.test(line) && inConditional > 0)
+            inConditional--;
+    }
+    if (conditionalHookLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "React hook called conditionally — Rules of Hooks violation",
+            description: "Hooks must be called at the top level of a React component/custom hook, never inside conditions, loops, or nested functions. Conditional hooks cause stale state and render crashes.",
+            lineNumbers: conditionalHookLines,
+            recommendation: "Move hook calls to the top level of the component. Use the hook's value conditionally instead of calling the hook conditionally.",
+            reference: "React Rules of Hooks — https://react.dev/reference/rules/rules-of-hooks",
+            suggestedFix: "Move the hook call outside the if block: const [value, setValue] = useState(initial); then use value conditionally.",
+            confidence: 0.9,
+        });
+    }
+    // Hook inside loop
+    const hookInLoopLines = [];
+    let inLoop = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (/\bfor\s*\(|\bwhile\s*\(|\.forEach\s*\(|\.map\s*\(/.test(line))
+            inLoop++;
+        if (inLoop > 0 && /\buse(?:State|Effect|Memo|Callback|Ref|Context|Reducer)\s*\(/i.test(line)) {
+            hookInLoopLines.push(i + 1);
+        }
+        if (/^\s*\}/.test(line) && inLoop > 0)
+            inLoop--;
+    }
+    if (hookInLoopLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "React hook called inside a loop — Rules of Hooks violation",
+            description: "Hooks must not be called inside loops. The number of hook calls must be the same on every render. Looped hooks cause unpredictable state corruption.",
+            lineNumbers: hookInLoopLines,
+            recommendation: "Extract the looped logic into a child component that uses its own hooks, or restructure to call hooks at the top level with array state.",
+            reference: "React Rules of Hooks — https://react.dev/reference/rules/rules-of-hooks",
+            confidence: 0.9,
+        });
+    }
+    // useEffect with missing cleanup for subscriptions/timers
+    const effectNoCleanupLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (/\buseEffect\s*\(\s*\(\s*\)\s*=>\s*\{/.test(lines[i])) {
+            const effectBody = lines.slice(i, Math.min(lines.length, i + 20)).join("\n");
+            const hasSubscription = /addEventListener|subscribe|setInterval|setTimeout|\.on\(|\.listen\(|socket\.|EventSource|WebSocket/.test(effectBody);
+            const hasCleanup = /return\s*\(\s*\)\s*=>|return\s*\(\)\s*=>|return\s+function|removeEventListener|unsubscribe|clearInterval|clearTimeout|\.off\(|\.close\(/.test(effectBody);
+            if (hasSubscription && !hasCleanup) {
+                effectNoCleanupLines.push(i + 1);
+            }
+        }
+    }
+    if (effectNoCleanupLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "useEffect subscribes without cleanup — memory leak risk",
+            description: "useEffect sets up event listeners, timers, or subscriptions but does not return a cleanup function. On unmount or re-render, old subscriptions accumulate, causing memory leaks.",
+            lineNumbers: effectNoCleanupLines,
+            recommendation: "Return a cleanup function from useEffect that removes listeners/clears timers: return () => { window.removeEventListener('resize', handler); };",
+            reference: "React useEffect cleanup — https://react.dev/reference/react/useEffect",
+            suggestedFix: "Add cleanup: useEffect(() => { const id = setInterval(fn, 1000); return () => clearInterval(id); }, []);",
+            confidence: 0.85,
+        });
+    }
+    // useEffect with object/array literal as dependency → infinite re-render
+    const effectObjDepLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (/\buseEffect\s*\(/.test(lines[i]) || /\buseMemo\s*\(/.test(lines[i]) || /\buseCallback\s*\(/.test(lines[i])) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 5)).join(" ");
+            // Matches dep arrays containing inline object/array literals: [{ ... }] or [[ ... ]]
+            if (/\],\s*\[(?:[^\]]*\{[^}]*\}|[^\]]*\[[^\]]*\])/.test(ctx)) {
+                effectObjDepLines.push(i + 1);
+            }
+        }
+    }
+    if (effectObjDepLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "Inline object/array in hook dependency array — infinite re-render",
+            description: "Object or array literals in useEffect/useMemo/useCallback dependency arrays create new references every render, causing the hook to fire on every render cycle.",
+            lineNumbers: effectObjDepLines,
+            recommendation: "Extract the object/array to a useMemo or define it outside the component. Compare by primitive values or use a stable reference.",
+            reference: "React hook dependency array — https://react.dev/reference/react/useEffect",
+            confidence: 0.8,
+        });
+    }
+    // setState in useEffect without dependency guard → infinite loop
+    const setStateInEffectLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (/\buseEffect\s*\(\s*\(\s*\)\s*=>\s*\{/.test(lines[i])) {
+            const effectCtx = lines.slice(i, Math.min(lines.length, i + 15)).join("\n");
+            const hasSetState = /\bset\w+\s*\(/.test(effectCtx);
+            const hasDeps = /\],\s*\[/.test(effectCtx) || /\}\s*,\s*\[\s*\]/.test(effectCtx);
+            if (hasSetState && !hasDeps) {
+                setStateInEffectLines.push(i + 1);
+            }
+        }
+    }
+    if (setStateInEffectLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "setState in useEffect without dependency array — potential infinite loop",
+            description: "Calling setState inside a useEffect with no dependency array causes the component to re-render, which re-runs the effect, which calls setState again — infinite loop.",
+            lineNumbers: setStateInEffectLines,
+            recommendation: "Add a dependency array to useEffect. Use an empty array [] for mount-only effects, or specify the values that should trigger re-run.",
+            reference: "React useEffect — https://react.dev/reference/react/useEffect",
+            confidence: 0.8,
+        });
+    }
+    // ── Express/Koa/Fastify Middleware Rules ─────────────────────────────────
+    // Error-handling middleware position (Express error middleware must be last)
+    const expressErrorMwLines = [];
+    const hasExpressApp = /\bexpress\s*\(\s*\)|require\s*\(\s*["']express["']\s*\)|from\s+["']express["']/i.test(code);
+    if (hasExpressApp) {
+        let lastErrorMw = -1;
+        let hasRouteAfterErrorMw = false;
+        for (let i = 0; i < lines.length; i++) {
+            // Express error middleware: app.use((err, req, res, next) => {})
+            if (/app\.use\s*\(\s*(?:function\s*\(\s*err|(?:\(\s*err\s*,\s*req\s*,\s*res\s*,\s*next\s*\))|(?:\(\s*error\s*,\s*req\s*,\s*res\s*,\s*next\s*\)))/i.test(lines[i])) {
+                lastErrorMw = i;
+            }
+            // Route registered after error middleware
+            if (lastErrorMw >= 0 && i > lastErrorMw && /app\.(?:get|post|put|patch|delete|all)\s*\(\s*["']/i.test(lines[i])) {
+                hasRouteAfterErrorMw = true;
+                expressErrorMwLines.push(i + 1);
+            }
+        }
+        if (hasRouteAfterErrorMw && lastErrorMw >= 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Express error middleware registered before routes",
+                description: "Express error-handling middleware (4-parameter function) is registered before route handlers. Routes added after it won't have their errors caught, leading to unhandled rejections.",
+                lineNumbers: [lastErrorMw + 1, ...expressErrorMwLines],
+                recommendation: "Move error-handling middleware to after all route registrations: first register all routes, then app.use(errorHandler).",
+                reference: "Express Error Handling — https://expressjs.com/en/guide/error-handling.html",
+                suggestedFix: "Move app.use((err, req, res, next) => { ... }) to the very end, after all app.get/post/put/delete routes.",
+                confidence: 0.9,
+            });
+        }
+        // CORS before auth middleware (information leak)
+        let corsLine = -1;
+        let authLine = -1;
+        for (let i = 0; i < lines.length; i++) {
+            if (/app\.use\s*\(\s*cors\s*\(/i.test(lines[i]) && corsLine < 0)
+                corsLine = i;
+            if (/app\.use\s*\(.*(?:passport|auth|jwt|bearer|session)\b/i.test(lines[i]) && authLine < 0)
+                authLine = i;
+        }
+        // Body parser without size limit
+        const bodyParserNoLimitLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            if (/(?:express\.json|bodyParser\.json|express\.urlencoded|bodyParser\.urlencoded)\s*\(\s*\)/i.test(lines[i])) {
+                bodyParserNoLimitLines.push(i + 1);
+            }
+        }
+        if (bodyParserNoLimitLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "medium",
+                title: "Express body parser without size limit — DoS risk",
+                description: "Body parser middleware is configured without a payload size limit. Attackers can send extremely large request bodies to exhaust server memory.",
+                lineNumbers: bodyParserNoLimitLines,
+                recommendation: "Set a limit: express.json({ limit: '1mb' }) or express.urlencoded({ limit: '1mb', extended: true }).",
+                reference: "Express Body Parser — https://expressjs.com/en/api.html#express.json",
+                suggestedFix: "Add limit: app.use(express.json({ limit: '1mb' }));",
+                confidence: 0.9,
+            });
+        }
+        // Express static serving from project root
+        const staticRootLines = getLineNumbers(code, /express\.static\s*\(\s*(?:__dirname|["']\.\/?["']|["']\.\.\/?\/?["']|process\.cwd\(\))\s*\)/gi);
+        if (staticRootLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Express.static serves project root or parent — file exposure risk",
+                description: "express.static is configured to serve the project root directory. This exposes source code, .env files, package.json, and other sensitive files to the internet.",
+                lineNumbers: staticRootLines,
+                recommendation: "Serve a dedicated directory: express.static(path.join(__dirname, 'public')). Never serve the project root.",
+                reference: "Express Static Files — https://expressjs.com/en/starter/static-files.html",
+                suggestedFix: "Change to: app.use(express.static(path.join(__dirname, 'public')));",
+                confidence: 0.95,
+            });
+        }
+        // Missing helmet() or security headers middleware
+        const hasHelmet = /helmet\s*\(|require\s*\(\s*["']helmet["']\)|from\s+["']helmet["']/i.test(code);
+        const hasRoutes = /app\.(?:get|post|put|patch|delete)\s*\(\s*["']/i.test(code);
+        if (!hasHelmet && hasRoutes) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "medium",
+                title: "Express app without helmet() — missing security headers",
+                description: "No security headers middleware (helmet) detected in Express app. Without it, responses lack X-Content-Type-Options, X-Frame-Options, CSP, and other defensive headers.",
+                lineNumbers: [1],
+                recommendation: "Install and use helmet: npm install helmet, then app.use(helmet()). This sets 11 security headers with sensible defaults.",
+                reference: "Helmet.js — https://helmetjs.github.io/",
+                suggestedFix: "Add: import helmet from 'helmet'; app.use(helmet());",
+                confidence: 0.8,
+            });
+        }
+        // Trust proxy not set when behind reverse proxy
+        const hasTrustProxy = /app\.set\s*\(\s*["']trust proxy["']|trustProxy|trust_proxy/i.test(code);
+        const hasRateLimit = /rateLimit|rate-limit|express-rate-limit/i.test(code);
+        const hasProxy = /nginx|reverse.?proxy|load.?balanc|X-Forwarded/i.test(code);
+        if (!hasTrustProxy && (hasRateLimit || hasProxy)) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "medium",
+                title: "Express 'trust proxy' not configured behind reverse proxy",
+                description: "Rate limiting and IP-based security won't work correctly behind a reverse proxy without 'trust proxy'. All requests appear from 127.0.0.1, making per-IP rate limiting ineffective.",
+                lineNumbers: [1],
+                recommendation: "Set app.set('trust proxy', 1) when behind one proxy, or 'trust proxy' to the number of proxies in the chain.",
+                reference: "Express trust proxy — https://expressjs.com/en/guide/behind-proxies.html",
+                confidence: 0.75,
+            });
+        }
+    }
+    // ── Next.js SSR Security ────────────────────────────────────────────────
+    // getServerSideProps leaking secrets to client
+    const gssp = /export\s+(?:async\s+)?function\s+getServerSideProps|getStaticProps/;
+    if (gssp.test(code)) {
+        const serverPropLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            if (gssp.test(lines[i])) {
+                const fnBody = lines.slice(i, Math.min(lines.length, i + 30)).join("\n");
+                // Checks if secrets/env vars are returned in props without filtering
+                if (/process\.env\.\w+/.test(fnBody) && /return\s*\{[^}]*props\s*:/i.test(fnBody)) {
+                    const propReturn = fnBody.match(/props\s*:\s*\{([^}]*)\}/);
+                    if (propReturn && /process\.env|secret|key|token|password|api_key/i.test(propReturn[1])) {
+                        serverPropLines.push(i + 1);
+                    }
+                }
+            }
+        }
+        if (serverPropLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Next.js getServerSideProps leaks secrets to client props",
+                description: "Server-side environment variables or secrets are passed directly in getServerSideProps/getStaticProps return props. These values are serialized into the page HTML and visible to anyone.",
+                lineNumbers: serverPropLines,
+                recommendation: "Never pass secrets, API keys, or sensitive env vars in props. Use them server-side only and return sanitized results.",
+                reference: "Next.js Data Fetching — https://nextjs.org/docs/basic-features/data-fetching",
+                suggestedFix: "Use secrets server-side only: const data = await fetch(url, { headers: { Authorization: process.env.API_KEY } }); return { props: { data } };",
+                confidence: 0.9,
+            });
+        }
+    }
+    // Next.js API routes without authentication checks
+    const nextApiRoutePattern = /export\s+(?:default\s+)?(?:async\s+)?function\s+handler|export\s+(?:default\s+)?(?:async\s+)?\(\s*req\s*(?::\s*\w+)?\s*,\s*res\s*(?::\s*\w+)?\s*\)/;
+    const isNextApiRoute = /pages\/api\/|app\/api\//i.test(language) ||
+        (nextApiRoutePattern.test(code) && /NextApiRequest|NextRequest/i.test(code));
+    if (isNextApiRoute) {
+        const hasAuthCheck = /getSession|getServerSession|getToken|auth\(\)|withAuth|requireAuth|session\?\.user|req\.headers\.authorization|Bearer/i.test(code);
+        if (!hasAuthCheck) {
+            const handlerLine = lines.findIndex((l) => nextApiRoutePattern.test(l));
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Next.js API route without authentication check",
+                description: "API route handler does not check for user session, auth token, or authorization. This endpoint is publicly accessible to anyone who knows the URL.",
+                lineNumbers: [Math.max(1, handlerLine + 1)],
+                recommendation: "Add authentication: const session = await getServerSession(req, res, authOptions); if (!session) return res.status(401).json({ error: 'Unauthorized' });",
+                reference: "Next.js API Routes Auth — https://nextjs.org/docs/authentication",
+                suggestedFix: "Add auth guard: if (!req.headers.authorization) return res.status(401).json({ error: 'Unauthorized' });",
+                confidence: 0.8,
+            });
+        }
+    }
+    // ── Angular Security ──────────────────────────────────────────────────────
+    // bypassSecurityTrustHtml/Url/ResourceUrl/Style/Script
+    const bypassLines = getLineNumbers(code, /bypassSecurityTrust(?:Html|Url|ResourceUrl|Style|Script)\s*\(/gi);
+    if (bypassLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "critical",
+            title: "Angular DomSanitizer bypass — XSS risk",
+            description: "bypassSecurityTrustHtml/Url/Script explicitly disables Angular's built-in XSS protection. If the input contains user-controlled data, this creates a direct XSS vulnerability.",
+            lineNumbers: bypassLines,
+            recommendation: "Avoid bypassing the sanitizer. If you must render dynamic HTML, sanitize it first with DOMPurify or validate against a strict whitelist. Document why the bypass is necessary.",
+            reference: "Angular Security — https://angular.io/guide/security",
+            suggestedFix: "Use DOMPurify before bypass: this.sanitizer.bypassSecurityTrustHtml(DOMPurify.sanitize(userHtml));",
+            confidence: 0.95,
+        });
+    }
+    // ── Vue Security ──────────────────────────────────────────────────────────
+    // v-html with dynamic data
+    const vHtmlLines = getLineNumbers(code, /v-html\s*=\s*["'](?!\s*$)/gi);
+    if (vHtmlLines.length > 0) {
+        const hasVueSanitize = /DOMPurify|sanitize|xss|purify/i.test(code);
+        if (!hasVueSanitize) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Vue v-html without sanitization — XSS vulnerability",
+                description: "v-html renders raw HTML content. If the data source includes user input, this is a direct XSS vector. Unlike interpolation ({{ }}), v-html does not escape content.",
+                lineNumbers: vHtmlLines,
+                recommendation: "Sanitize with DOMPurify before using v-html, or use text interpolation {{ }} wherever possible. Consider vue-sanitize or vue-dompurify-html.",
+                reference: "Vue Security — https://vuejs.org/guide/best-practices/security.html",
+                suggestedFix: 'Sanitize: computed: { safeHtml() { return DOMPurify.sanitize(this.rawHtml); } } and use v-html="safeHtml".',
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── General Framework Patterns ────────────────────────────────────────────
+    // Inline arrow functions in JSX event handlers (re-render performance)
+    const inlineHandlerLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (/\bon\w+=\{(?:\(\)\s*=>|\(\w+\)\s*=>|function\s*\()/.test(lines[i])) {
+            inlineHandlerLines.push(i + 1);
+        }
+    }
+    if (inlineHandlerLines.length > 3) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "Excessive inline arrow functions in JSX event handlers",
+            description: `${inlineHandlerLines.length} inline arrow functions in JSX event handlers detected. Each creates a new function on every render, preventing React.memo optimizations on child components.`,
+            lineNumbers: inlineHandlerLines.slice(0, 5),
+            recommendation: "Extract handlers using useCallback or define methods outside JSX: const handleClick = useCallback(() => { ... }, [deps]);",
+            reference: "React Performance — https://react.dev/reference/react/useCallback",
+            confidence: 0.75,
+        });
+    }
+    // React key prop using array index in dynamic lists
+    const keyIndexLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (/key\s*=\s*\{\s*(?:index|i|idx|key)\s*\}/.test(lines[i]) &&
+            /\.map\s*\(/.test(lines[Math.max(0, i - 5)] + lines.slice(Math.max(0, i - 5), i).join(" "))) {
+            keyIndexLines.push(i + 1);
+        }
+    }
+    if (keyIndexLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "React key prop using array index — may cause render bugs",
+            description: "Using array index as React key causes issues when items are reordered, added, or removed. React associates state with wrong components, leading to subtle UI bugs.",
+            lineNumbers: keyIndexLines,
+            recommendation: "Use a stable unique identifier as key: key={item.id} instead of key={index}. If items have no natural id, generate one during data creation.",
+            reference: "React Keys — https://react.dev/learn/rendering-lists#keeping-list-items-in-order-with-key",
+            confidence: 0.8,
+        });
+    }
+    // React state mutation instead of immutable update
+    const stateMutationLines = [];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Detect patterns like: state.items.push(...), state.count++, state.obj.field = ...
+        if (/\bstate\.\w+\.(?:push|pop|shift|unshift|splice|sort|reverse)\s*\(/.test(line) ||
+            /\bstate\.\w+\s*(?:\+\+|--)/.test(line) ||
+            /\bstate\.\w+\.\w+\s*=\s*/.test(line)) {
+            stateMutationLines.push(i + 1);
+        }
+    }
+    if (stateMutationLines.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "Direct state mutation instead of immutable update",
+            description: "State object is mutated directly (push, splice, assignment). React/Redux won't detect the change, causing stale renders and bugs. State updates must be immutable.",
+            lineNumbers: stateMutationLines,
+            recommendation: "Use immutable patterns: setState(prev => ({ ...prev, items: [...prev.items, newItem] })) or use immer/structuredClone for complex updates.",
+            reference: "React Updating State — https://react.dev/learn/updating-objects-in-state",
+            suggestedFix: "Replace state.items.push(x) with setItems(prev => [...prev, x]); or use immer: produce(state, draft => { draft.items.push(x); });",
+            confidence: 0.85,
+        });
+    }
+    // dangerouslySetInnerHTML without sanitization
+    const dangerousHtmlLines = getLineNumbers(code, /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi);
+    if (dangerousHtmlLines.length > 0) {
+        const hasSanitizer = /DOMPurify|sanitize|purify|xss|sanitizeHtml/i.test(code);
+        if (!hasSanitizer) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "dangerouslySetInnerHTML without DOMPurify — XSS vulnerability",
+                description: "dangerouslySetInnerHTML injects raw HTML without any sanitization detected in scope. This is a direct XSS vector if the data includes user input.",
+                lineNumbers: dangerousHtmlLines,
+                recommendation: "Always sanitize with DOMPurify: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}. Better yet, use a Markdown renderer or React component tree instead of raw HTML.",
+                reference: "React DOM Elements — https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html",
+                suggestedFix: "Add DOMPurify: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(htmlContent) }}",
+                confidence: 0.95,
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=framework-safety.js.map

package/dist/evaluators/framework-safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"framework-safety.js","sourceRoot":"","sources":["../../src/evaluators/framework-safety.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5D;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY,EAAE,QAAgB;IACnE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,YAAY;QAAE,OAAO,QAAQ,CAAC;IAEpE,4EAA4E;IAE5E,gDAAgD;IAChD,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAC1C,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,aAAa,EAAE,CAAC;QACjE,IACE,aAAa,GAAG,CAAC;YACjB,wGAAwG,CAAC,IAAI,CAC3G,IAAI,CACL,EACD,CAAC;YACD,oBAAoB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,GAAG,CAAC;YAAE,aAAa,EAAE,CAAC;IAChE,CAAC;IACD,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,4DAA4D;YACnE,WAAW,EACT,sLAAsL;YACxL,WAAW,EAAE,oBAAoB;YACjC,cAAc,EACZ,kIAAkI;YACpI,SAAS,EAAE,yEAAyE;YACpF,YAAY,EACV,qHAAqH;YACvH,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,mDAAmD,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,MAAM,EAAE,CAAC;QAC7E,IAAI,MAAM,GAAG,CAAC,IAAI,+DAA+D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7F,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,MAAM,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,4DAA4D;YACnE,WAAW,EACT,sJAAsJ;YACxJ,WAAW,EAAE,eAAe;YAC5B,cAAc,EACZ,0IAA0I;YAC5I,SAAS,EAAE,yEAAyE;YACpF,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,0DAA0D;IAC1D,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7E,MAAM,eAAe,GACnB,oGAAoG,CAAC,IAAI,CACvG,UAAU,CACX,CAAC;YACJ,MAAM,UAAU,GACd,yIAAyI,CAAC,IAAI,CAC5I,UAAU,CACX,CAAC;YACJ,IAAI,eAAe,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnC,oBAAoB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,yDAAyD;YAChE,WAAW,EACT,kLAAkL;YACpL,WAAW,EAAE,oBAAoB;YACjC,cAAc,EACZ,iJAAiJ;YACnJ,SAAS,EAAE,uEAAuE;YAClF,YAAY,EACV,0GAA0G;YAC5G,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,yEAAyE;IACzE,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAChH,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpE,qFAAqF;YACrF,IAAI,8CAA8C,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7D,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,mEAAmE;YAC1E,WAAW,EACT,iKAAiK;YACnK,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,kIAAkI;YACpI,SAAS,EAAE,2EAA2E;YACtF,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,iEAAiE;IACjE,MAAM,qBAAqB,GAAa,EAAE,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5E,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACjF,IAAI,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC5B,qBAAqB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0EAA0E;YACjF,WAAW,EACT,uKAAuK;YACzK,WAAW,EAAE,qBAAqB;YAClC,cAAc,EACZ,sIAAsI;YACxI,SAAS,EAAE,+DAA+D;YAC1E,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,4EAA4E;IAE5E,6EAA6E;IAC7E,MAAM,mBAAmB,GAAa,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,iFAAiF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnH,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;QACrB,IAAI,oBAAoB,GAAG,KAAK,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,iEAAiE;YACjE,IACE,8IAA8I,CAAC,IAAI,CACjJ,KAAK,CAAC,CAAC,CAAC,CACT,EACD,CAAC;gBACD,WAAW,GAAG,CAAC,CAAC;YAClB,CAAC;YACD,0CAA0C;YAC1C,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,GAAG,WAAW,IAAI,qDAAqD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChH,oBAAoB,GAAG,IAAI,CAAC;gBAC5B,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QACD,IAAI,oBAAoB,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,mDAAmD;gBAC1D,WAAW,EACT,sLAAsL;gBACxL,WAAW,EAAE,CAAC,WAAW,GAAG,CAAC,EAAE,GAAG,mBAAmB,CAAC;gBACtD,cAAc,EACZ,yHAAyH;gBAC3H,SAAS,EAAE,6EAA6E;gBACxF,YAAY,EACV,2GAA2G;gBAC7G,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;QAClB,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;QAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC;gBAAE,QAAQ,GAAG,CAAC,CAAC;YAC9E,IAAI,wDAAwD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC;gBAAE,QAAQ,GAAG,CAAC,CAAC;QAC5G,CAAC;QAED,iCAAiC;QACjC,MAAM,sBAAsB,GAAa,EAAE,CAAC;QAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,0FAA0F,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,sBAAsB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QACD,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,mDAAmD;gBAC1D,WAAW,EACT,gJAAgJ;gBAClJ,WAAW,EAAE,sBAAsB;gBACnC,cAAc,EACZ,sGAAsG;gBACxG,SAAS,EAAE,sEAAsE;gBACjF,YAAY,EAAE,qDAAqD;gBACnE,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;QAED,2CAA2C;QAC3C,MAAM,eAAe,GAAG,cAAc,CACpC,IAAI,EACJ,+FAA+F,CAChG,CAAC;QACF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,mEAAmE;gBAC1E,WAAW,EACT,kKAAkK;gBACpK,WAAW,EAAE,eAAe;gBAC5B,cAAc,EACZ,4GAA4G;gBAC9G,SAAS,EAAE,2EAA2E;gBACtF,YAAY,EAAE,qEAAqE;gBACnF,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,MAAM,SAAS,GAAG,oEAAoE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClG,MAAM,SAAS,GAAG,iDAAiD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,yDAAyD;gBAChE,WAAW,EACT,wKAAwK;gBAC1K,WAAW,EAAE,CAAC,CAAC,CAAC;gBAChB,cAAc,EACZ,2HAA2H;gBAC7H,SAAS,EAAE,yCAAyC;gBACpD,YAAY,EAAE,sDAAsD;gBACpE,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,MAAM,aAAa,GAAG,6DAA6D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/F,MAAM,YAAY,GAAG,0CAA0C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3E,MAAM,QAAQ,GAAG,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,2DAA2D;gBAClE,WAAW,EACT,qLAAqL;gBACvL,WAAW,EAAE,CAAC,CAAC,CAAC;gBAChB,cAAc,EACZ,8GAA8G;gBAChH,SAAS,EAAE,0EAA0E;gBACrF,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAE3E,+CAA+C;IAC/C,MAAM,IAAI,GAAG,oEAAoE,CAAC;IAClF,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpB,MAAM,eAAe,GAAa,EAAE,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzE,qEAAqE;gBACrE,IAAI,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClF,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;oBAC3D,IAAI,UAAU,IAAI,iDAAiD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBACxF,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC9B,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,0DAA0D;gBACjE,WAAW,EACT,2LAA2L;gBAC7L,WAAW,EAAE,eAAe;gBAC5B,cAAc,EACZ,uHAAuH;gBACzH,SAAS,EAAE,8EAA8E;gBACzF,YAAY,EACV,+IAA+I;gBACjJ,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,MAAM,mBAAmB,GACvB,oJAAoJ,CAAC;IACvJ,MAAM,cAAc,GAClB,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzC,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/E,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,YAAY,GAChB,wHAAwH,CAAC,IAAI,CAC3H,IAAI,CACL,CAAC;QACJ,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACxE,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,gDAAgD;gBACvD,WAAW,EACT,oJAAoJ;gBACtJ,WAAW,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,CAAC,CAAC,CAAC;gBAC3C,cAAc,EACZ,0JAA0J;gBAC5J,SAAS,EAAE,kEAAkE;gBAC7E,YAAY,EACV,yGAAyG;gBAC3G,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6EAA6E;IAE7E,uDAAuD;IACvD,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,iEAAiE,CAAC,CAAC;IAC5G,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EACT,gLAAgL;YAClL,WAAW,EAAE,WAAW;YACxB,cAAc,EACZ,gLAAgL;YAClL,SAAS,EAAE,sDAAsD;YACjE,YAAY,EACV,oGAAoG;YACtG,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,6EAA6E;IAE7E,2BAA2B;IAC3B,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,EAAE,6BAA6B,CAAC,CAAC;IACvE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,cAAc,GAAG,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,qDAAqD;gBAC5D,WAAW,EACT,qKAAqK;gBACvK,WAAW,EAAE,UAAU;gBACvB,cAAc,EACZ,8IAA8I;gBAChJ,SAAS,EAAE,qEAAqE;gBAChF,YAAY,EACV,4GAA4G;gBAC9G,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6EAA6E;IAE7E,uEAAuE;IACvE,MAAM,kBAAkB,GAAa,EAAE,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,oDAAoD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,wDAAwD;YAC/D,WAAW,EAAE,GAAG,kBAAkB,CAAC,MAAM,+JAA+J;YACxM,WAAW,EAAE,kBAAkB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YAC3C,cAAc,EACZ,2HAA2H;YAC7H,SAAS,EAAE,mEAAmE;YAC9E,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IACpD,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IACE,yCAAyC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACxD,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAC3F,CAAC;YACD,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,0DAA0D;YACjE,WAAW,EACT,oKAAoK;YACtK,WAAW,EAAE,aAAa;YAC1B,cAAc,EACZ,8IAA8I;YAChJ,SAAS,EAAE,2FAA2F;YACtG,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,MAAM,kBAAkB,GAAa,EAAE,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,oFAAoF;QACpF,IACE,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC;YAC9E,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC;YACvC,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,EACrC,CAAC;YACD,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,mDAAmD;YAC1D,WAAW,EACT,oKAAoK;YACtK,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EACZ,4IAA4I;YAC9I,SAAS,EAAE,0EAA0E;YACrF,YAAY,EACV,mIAAmI;YACrI,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,EAAE,sDAAsD,CAAC,CAAC;IACxG,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,YAAY,GAAG,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9E,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,+DAA+D;gBACtE,WAAW,EACT,mJAAmJ;gBACrJ,WAAW,EAAE,kBAAkB;gBAC/B,cAAc,EACZ,kLAAkL;gBACpL,SAAS,EACP,iHAAiH;gBACnH,YAAY,EAAE,sFAAsF;gBACpG,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/index.d.ts

@@ -1,10 +1,24 @@
-import { JudgeDefinition, JudgeEvaluation, TribunalVerdict, ProjectVerdict, DiffVerdict, DependencyVerdict, AppBuilderWorkflowResult, MustFixGateOptions } from "../types.js";
+import type { JudgeDefinition, JudgeEvaluation, TribunalVerdict, ProjectVerdict, DiffVerdict, Finding, MustFixGateOptions, JudgesConfig } from "../types.js";
+import type { CodeStructure } from "../ast/types.js";
+import type { TaintFlow } from "../ast/taint-tracker.js";
 import { formatVerdictAsMarkdown, formatEvaluationAsMarkdown } from "./shared.js";
 export interface EvaluationOptions {
     includeAstFindings?: boolean;
     minConfidence?: number;
     mustFixGate?: MustFixGateOptions;
+    /** Optional file path — used for file-type gating to suppress absence-based rules on non-server files */
+    filePath?: string;
+    /** Optional config for rule/judge/severity filtering (.judgesrc) */
+    config?: JudgesConfig;
+    /** @internal — pre-computed AST structure for the file (set by evaluateWithTribunal) */
+    _astCache?: CodeStructure;
+    /** @internal — pre-computed taint flows for the file (set by evaluateWithTribunal) */
+    _taintFlows?: TaintFlow[];
 }
+/**
+ * Filter findings based on inline suppression comments in the source code.
+ */
+export declare function applyInlineSuppressions(findings: Finding[], code: string): Finding[];
 /**
  * Run a single judge against the provided code.
  */
@@ -13,10 +27,6 @@ export declare function evaluateWithJudge(judge: JudgeDefinition, code: string,
  * Run the full tribunal — all judges evaluate the code.
  */
 export declare function evaluateWithTribunal(code: string, language: string, context?: string, options?: EvaluationOptions): TribunalVerdict;
-/**
- * Evaluate multiple files as a project. Runs the full tribunal on each file,
- * then detects cross-file architectural issues.
- */
 export declare function evaluateProject(files: Array<{
     path: string;
     content: string;
@@ -27,24 +37,10 @@ export declare function evaluateProject(files: Array<{
  * new code but filters findings to only those affecting changed line ranges.
  */
 export declare function evaluateDiff(code: string, language: string, changedLines: number[], context?: string, options?: EvaluationOptions): DiffVerdict;
-/**
- * Parse a manifest file and analyze dependencies for supply-chain risks.
- */
-export declare function analyzeDependencies(manifest: string, manifestType: string): DependencyVerdict;
-export declare function runAppBuilderWorkflow(params: {
-    code?: string;
-    language?: string;
-    files?: Array<{
-        path: string;
-        content: string;
-        language: string;
-    }>;
-    changedLines?: number[];
-    context?: string;
-    includeAstFindings?: boolean;
-    minConfidence?: number;
-    maxFindings?: number;
-    maxTasks?: number;
-}): AppBuilderWorkflowResult;
+export { analyzeDependencies } from "./dependencies.js";
+import { runAppBuilderWorkflow as _runAppBuilderWorkflow } from "./app-builder.js";
+export declare function runAppBuilderWorkflow(params: Parameters<typeof _runAppBuilderWorkflow>[1]): ReturnType<typeof _runAppBuilderWorkflow>;
 export { formatVerdictAsMarkdown, formatEvaluationAsMarkdown };
+export { enrichWithPatches } from "../patches/index.js";
+export { crossEvaluatorDedup } from "../dedup.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/evaluators/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/evaluators/index.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,eAAe,EACf,eAAe,EACf,eAAe,EACf,cAAc,EACd,WAAW,EACX,iBAAiB,EAKjB,wBAAwB,EAGxB,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAIrB,OAAO,EAKL,uBAAuB,EACvB,0BAA0B,EAC3B,MAAM,aAAa,CAAC;AAwCrB,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAoJD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,eAAe,EACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,eAAe,CAyHjB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,eAAe,CA6CjB;AAID;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,EACjE,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,cAAc,CAwHhB;AAID;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EAAE,EACtB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,WAAW,CAqBb;AAID;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,iBAAiB,CA0OnB;AAkGD,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,wBAAwB,CAwG3B;AAID,OAAO,EAAE,uBAAuB,EAAE,0BAA0B,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/evaluators/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,eAAe,EACf,cAAc,EACd,WAAW,EACX,OAAO,EAEP,kBAAkB,EAElB,YAAY,EACb,MAAM,aAAa,CAAC;AAIrB,OAAO,KAAK,EAAE,aAAa,EAAgB,MAAM,iBAAiB,CAAC;AACnE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,EAKL,uBAAuB,EACvB,0BAA0B,EAI3B,MAAM,aAAa,CAAC;AAqBrB,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC,yGAAyG;IACzG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,wFAAwF;IACxF,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,sFAAsF;IACtF,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;CAC3B;AAoOD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,EAAE,CAwCpF;AAcD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,eAAe,EACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,eAAe,CAwCjB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,eAAe,CA8CjB;AAMD,wBAAgB,eAAe,CAC7B,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,EACjE,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,cAAc,CAGhB;AAID;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EAAE,EACtB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,WAAW,CAqBb;AAGD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAIxD,OAAO,EAAE,qBAAqB,IAAI,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAKnF,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,GACnD,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAE3C;AAID,OAAO,EAAE,uBAAuB,EAAE,0BAA0B,EAAE,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}