@kevinrabun/judges 3.48.0 → 3.50.0

package/dist/commands/api-audit.js

@@ -0,0 +1,360 @@
+/**
+ * API audit — security audit for REST/GraphQL API endpoints.
+ * Detects missing rate limiting, CORS misconfig, unauthenticated routes,
+ * input validation gaps, and overly permissive responses.
+ *
+ * All analysis local.
+ */
+import { existsSync, readFileSync, readdirSync } from "fs";
+import { join, extname } from "path";
+// ─── Framework detectors ────────────────────────────────────────────────────
+const FRAMEWORK_DETECTORS = [
+    {
+        name: "express",
+        routePattern: /(?:app|router)\.(get|post|put|patch|delete|all|use)\s*\(\s*["'`]([^"'`]+)["'`]/gi,
+        extractEndpoint: (m) => ({ method: m[1].toUpperCase(), path: m[2] }),
+    },
+    {
+        name: "fastify",
+        routePattern: /(?:fastify|server|app)\.(get|post|put|patch|delete)\s*\(\s*["'`]([^"'`]+)["'`]/gi,
+        extractEndpoint: (m) => ({ method: m[1].toUpperCase(), path: m[2] }),
+    },
+    {
+        name: "flask",
+        routePattern: /@(?:app|blueprint)\.route\s*\(\s*["']([^"']+)["'](?:.*methods\s*=\s*\[([^\]]+)\])?/gi,
+        extractEndpoint: (m) => ({ method: m[2] ? m[2].replace(/['"]/g, "") : "GET", path: m[1] }),
+    },
+    {
+        name: "spring",
+        routePattern: /@(?:Get|Post|Put|Patch|Delete|Request)Mapping\s*\(\s*(?:value\s*=\s*)?["']([^"']+)["']/gi,
+        extractEndpoint: (m) => {
+            const methodMatch = m[0].match(/@(Get|Post|Put|Patch|Delete|Request)Mapping/i);
+            return { method: methodMatch ? methodMatch[1].toUpperCase() : "ANY", path: m[1] };
+        },
+    },
+    {
+        name: "django",
+        routePattern: /path\s*\(\s*["']([^"']+)["']/gi,
+        extractEndpoint: (m) => ({ method: "ANY", path: m[1] }),
+    },
+];
+const API_RULES = [
+    {
+        id: "no-rate-limiting",
+        severity: "high",
+        check: (content, _lines, endpoints) => {
+            if (endpoints.length === 0)
+                return [];
+            const hasRateLimit = /(?:rate[-_]?limit|rateLimit|throttle|express-rate-limit|@nestjs\/throttler|slowDown)/i.test(content);
+            if (!hasRateLimit) {
+                return [
+                    {
+                        file: "",
+                        line: 1,
+                        ruleId: "no-rate-limiting",
+                        severity: "high",
+                        message: "No rate limiting detected — API vulnerable to abuse",
+                        recommendation: "Add rate limiting middleware (e.g., express-rate-limit)",
+                    },
+                ];
+            }
+            return [];
+        },
+    },
+    {
+        id: "cors-wildcard",
+        severity: "high",
+        check: (_content, lines) => {
+            const issues = [];
+            for (let i = 0; i < lines.length; i++) {
+                if (/cors\s*\(\s*\)|origin:\s*['"]?\*['"]?|Access-Control-Allow-Origin.*\*/i.test(lines[i])) {
+                    issues.push({
+                        file: "",
+                        line: i + 1,
+                        ruleId: "cors-wildcard",
+                        severity: "high",
+                        message: "CORS allows all origins (wildcard *)",
+                        recommendation: "Restrict CORS to specific trusted domains",
+                    });
+                }
+            }
+            return issues;
+        },
+    },
+    {
+        id: "unauthenticated-endpoint",
+        severity: "medium",
+        check: (content, lines, endpoints) => {
+            if (endpoints.length === 0)
+                return [];
+            const hasAuthMiddleware = /(?:passport|jwt|auth(?:enticate|orize)|bearer|keycloak|oauth|session)/i.test(content);
+            if (!hasAuthMiddleware) {
+                return [
+                    {
+                        file: "",
+                        line: 1,
+                        ruleId: "unauthenticated-endpoint",
+                        severity: "medium",
+                        message: `${endpoints.length} endpoints found with no authentication middleware detected`,
+                        recommendation: "Add authentication middleware (JWT, session, OAuth)",
+                    },
+                ];
+            }
+            // Check individual routes missing auth
+            const issues = [];
+            for (const ep of endpoints) {
+                const lineContent = lines[ep.line - 1] || "";
+                const nextContent = lines[ep.line] || "";
+                if (!/auth|protect|guard|session/i.test(lineContent) && !/auth|protect|guard|session/i.test(nextContent)) {
+                    if (!/health|ping|status|public|login|register|signup|webhook|callback/i.test(ep.path)) {
+                        issues.push({
+                            file: ep.file,
+                            line: ep.line,
+                            ruleId: "unauthenticated-endpoint",
+                            severity: "medium",
+                            message: `Endpoint ${ep.method} ${ep.path} may lack authentication`,
+                            recommendation: "Add authentication middleware to this route",
+                            endpoint: `${ep.method} ${ep.path}`,
+                        });
+                    }
+                }
+            }
+            return issues;
+        },
+    },
+    {
+        id: "no-input-validation",
+        severity: "high",
+        check: (content, _lines, endpoints) => {
+            if (endpoints.length === 0)
+                return [];
+            const hasValidation = /(?:joi|yup|zod|celebrate|express-validator|class-validator|@IsString|@IsNumber|validation)/i.test(content);
+            if (!hasValidation) {
+                return [
+                    {
+                        file: "",
+                        line: 1,
+                        ruleId: "no-input-validation",
+                        severity: "high",
+                        message: "No input validation library detected — vulnerable to injection",
+                        recommendation: "Use a validation library (Zod, Joi, express-validator)",
+                    },
+                ];
+            }
+            return [];
+        },
+    },
+    {
+        id: "sensitive-data-response",
+        severity: "high",
+        check: (_content, lines) => {
+            const issues = [];
+            for (let i = 0; i < lines.length; i++) {
+                if (/(?:res\.json|res\.send|response\.json|jsonify)\s*\(.*(?:password|secret|token|ssn|credit_?card)/i.test(lines[i])) {
+                    issues.push({
+                        file: "",
+                        line: i + 1,
+                        ruleId: "sensitive-data-response",
+                        severity: "high",
+                        message: "Potentially sensitive data in API response",
+                        recommendation: "Sanitize response objects — remove sensitive fields before sending",
+                    });
+                }
+            }
+            return issues;
+        },
+    },
+    {
+        id: "helmet-missing",
+        severity: "medium",
+        check: (content, _lines, endpoints) => {
+            if (endpoints.length === 0)
+                return [];
+            const isExpress = /require\s*\(\s*["']express["']\)|from\s+["']express["']/i.test(content);
+            if (isExpress && !/helmet/i.test(content)) {
+                return [
+                    {
+                        file: "",
+                        line: 1,
+                        ruleId: "helmet-missing",
+                        severity: "medium",
+                        message: "Express app without Helmet — missing security headers",
+                        recommendation: "Add helmet middleware for security headers",
+                    },
+                ];
+            }
+            return [];
+        },
+    },
+    {
+        id: "sql-in-route",
+        severity: "critical",
+        check: (_content, lines) => {
+            const issues = [];
+            for (let i = 0; i < lines.length; i++) {
+                if (/(?:query|execute)\s*\(\s*[`"']?\s*(?:SELECT|INSERT|UPDATE|DELETE).*\$\{|(?:req\.(?:body|params|query))/i.test(lines[i])) {
+                    issues.push({
+                        file: "",
+                        line: i + 1,
+                        ruleId: "sql-in-route",
+                        severity: "critical",
+                        message: "Potential SQL injection — user input in query string",
+                        recommendation: "Use parameterized queries or an ORM",
+                    });
+                }
+            }
+            return issues;
+        },
+    },
+];
+// ─── Scanner ────────────────────────────────────────────────────────────────
+const SKIP_DIRS = new Set(["node_modules", ".git", "dist", "build", "coverage"]);
+const CODE_EXTS = new Set([".ts", ".js", ".py", ".java", ".cs", ".go", ".rb", ".php"]);
+function collectFiles(dir) {
+    const result = [];
+    function walk(d) {
+        let entries;
+        try {
+            entries = readdirSync(d);
+        }
+        catch {
+            return;
+        }
+        for (const name of entries) {
+            if (SKIP_DIRS.has(name) || name.startsWith("."))
+                continue;
+            const full = join(d, name);
+            try {
+                const sub = readdirSync(full);
+                void sub;
+                walk(full);
+            }
+            catch {
+                if (CODE_EXTS.has(extname(name).toLowerCase()))
+                    result.push(full);
+            }
+        }
+    }
+    walk(dir);
+    return result;
+}
+function extractEndpoints(filePath, content) {
+    const endpoints = [];
+    const lines = content.split("\n");
+    for (const detector of FRAMEWORK_DETECTORS) {
+        detector.routePattern.lastIndex = 0;
+        let m;
+        while ((m = detector.routePattern.exec(content)) !== null) {
+            const ep = detector.extractEndpoint(m);
+            const offset = content.substring(0, m.index).split("\n").length;
+            endpoints.push({ file: filePath, line: offset, method: ep.method, path: ep.path, framework: detector.name });
+        }
+        void lines;
+    }
+    return endpoints;
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+export function runApiAudit(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges api-audit — Security audit for REST/GraphQL API endpoints
+
+Usage:
+  judges api-audit [dir]
+  judges api-audit src/ --severity critical,high
+
+Options:
+  --severity <levels>   Filter by severity (comma-separated)
+  --endpoints           List discovered API endpoints only
+  --rules               List all API audit rules
+  --format json         JSON output
+  --help, -h            Show this help
+
+Frameworks: Express, Fastify, Flask, Spring, Django
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    if (argv.includes("--rules")) {
+        const rules = API_RULES.map(({ check: _c, ...rest }) => rest);
+        if (format === "json") {
+            console.log(JSON.stringify(rules, null, 2));
+        }
+        else {
+            console.log(`\n  API Audit Rules (${rules.length})\n  ──────────────────────────`);
+            for (const r of rules)
+                console.log(`    [${r.severity.toUpperCase().padEnd(8)}] ${r.id}`);
+            console.log("");
+        }
+        return;
+    }
+    const target = argv.find((a) => !a.startsWith("--") && !argv[argv.indexOf(a) - 1]?.startsWith("--")) || ".";
+    const sevFilter = argv.find((_a, i) => argv[i - 1] === "--severity");
+    if (!existsSync(target)) {
+        console.error(`  Path not found: ${target}`);
+        return;
+    }
+    const files = collectFiles(target);
+    const allEndpoints = [];
+    let allIssues = [];
+    for (const file of files) {
+        let content;
+        try {
+            content = readFileSync(file, "utf-8");
+        }
+        catch {
+            continue;
+        }
+        const endpoints = extractEndpoints(file, content);
+        allEndpoints.push(...endpoints);
+        const lines = content.split("\n");
+        for (const rule of API_RULES) {
+            const issues = rule.check(content, lines, endpoints);
+            for (const issue of issues) {
+                issue.file = issue.file || file;
+                allIssues.push(issue);
+            }
+        }
+    }
+    if (argv.includes("--endpoints")) {
+        if (format === "json") {
+            console.log(JSON.stringify(allEndpoints, null, 2));
+        }
+        else {
+            console.log(`\n  Discovered API Endpoints (${allEndpoints.length})\n  ──────────────────────────`);
+            for (const ep of allEndpoints) {
+                console.log(`    ${ep.method.padEnd(7)} ${ep.path.padEnd(30)} [${ep.framework}] ${ep.file}:${ep.line}`);
+            }
+            console.log("");
+        }
+        return;
+    }
+    if (sevFilter) {
+        const allowed = sevFilter.split(",");
+        allIssues = allIssues.filter((i) => allowed.includes(i.severity));
+    }
+    if (format === "json") {
+        console.log(JSON.stringify({ endpoints: allEndpoints, issues: allIssues, scannedFiles: files.length, timestamp: new Date().toISOString() }, null, 2));
+    }
+    else {
+        console.log(`\n  API Security Audit — ${files.length} files scanned`);
+        console.log(`  Endpoints: ${allEndpoints.length} | Issues: ${allIssues.length}\n  ──────────────────────────`);
+        if (allIssues.length === 0) {
+            console.log(`    ✅ No API security issues detected\n`);
+            return;
+        }
+        for (const sev of ["critical", "high", "medium", "low"]) {
+            const items = allIssues.filter((i) => i.severity === sev);
+            if (items.length === 0)
+                continue;
+            console.log(`\n    ${sev.toUpperCase()} (${items.length})`);
+            for (const issue of items) {
+                console.log(`      ${issue.file}:${issue.line} — ${issue.ruleId}`);
+                console.log(`        ${issue.message}`);
+                console.log(`        → ${issue.recommendation}`);
+            }
+        }
+        console.log("");
+    }
+}
+//# sourceMappingURL=api-audit.js.map

package/dist/commands/api-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-audit.js","sourceRoot":"","sources":["../../src/commands/api-audit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AA4BrC,+EAA+E;AAE/E,MAAM,mBAAmB,GAAwB;IAC/C;QACE,IAAI,EAAE,SAAS;QACf,YAAY,EAAE,kFAAkF;QAChG,eAAe,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KACrE;IACD;QACE,IAAI,EAAE,SAAS;QACf,YAAY,EAAE,kFAAkF;QAChG,eAAe,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KACrE;IACD;QACE,IAAI,EAAE,OAAO;QACb,YAAY,EAAE,sFAAsF;QACpG,eAAe,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3F;IACD;QACE,IAAI,EAAE,QAAQ;QACd,YAAY,EAAE,0FAA0F;QACxG,eAAe,EAAE,CAAC,CAAC,EAAE,EAAE;YACrB,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;YAC/E,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACpF,CAAC;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,YAAY,EAAE,gCAAgC;QAC9C,eAAe,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KACxD;CACF,CAAC;AAUF,MAAM,SAAS,GAAc;IAC3B;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE;YACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;YACtC,MAAM,YAAY,GAAG,uFAAuF,CAAC,IAAI,CAC/G,OAAO,CACR,CAAC;YACF,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;oBACL;wBACE,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC;wBACP,MAAM,EAAE,kBAAkB;wBAC1B,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,qDAAqD;wBAC9D,cAAc,EAAE,yDAAyD;qBAC1E;iBACF,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;KACF;IACD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,EAAE;YACzB,MAAM,MAAM,GAAe,EAAE,CAAC;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,wEAAwE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5F,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,eAAe;wBACvB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,sCAAsC;wBAC/C,cAAc,EAAE,2CAA2C;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;KACF;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACnC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;YACtC,MAAM,iBAAiB,GAAG,wEAAwE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,OAAO;oBACL;wBACE,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC;wBACP,MAAM,EAAE,0BAA0B;wBAClC,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,GAAG,SAAS,CAAC,MAAM,6DAA6D;wBACzF,cAAc,EAAE,qDAAqD;qBACtE;iBACF,CAAC;YACJ,CAAC;YACD,uCAAuC;YACvC,MAAM,MAAM,GAAe,EAAE,CAAC;YAC9B,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;gBAC3B,MAAM,WAAW,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,MAAM,WAAW,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACzC,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACzG,IAAI,CAAC,mEAAmE,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvF,MAAM,CAAC,IAAI,CAAC;4BACV,IAAI,EAAE,EAAE,CAAC,IAAI;4BACb,IAAI,EAAE,EAAE,CAAC,IAAI;4BACb,MAAM,EAAE,0BAA0B;4BAClC,QAAQ,EAAE,QAAQ;4BAClB,OAAO,EAAE,YAAY,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,0BAA0B;4BACnE,cAAc,EAAE,6CAA6C;4BAC7D,QAAQ,EAAE,GAAG,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,EAAE;yBACpC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;KACF;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE;YACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;YACtC,MAAM,aAAa,GACjB,6FAA6F,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9G,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO;oBACL;wBACE,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC;wBACP,MAAM,EAAE,qBAAqB;wBAC7B,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,gEAAgE;wBACzE,cAAc,EAAE,wDAAwD;qBACzE;iBACF,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;KACF;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,EAAE;YACzB,MAAM,MAAM,GAAe,EAAE,CAAC;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IACE,kGAAkG,CAAC,IAAI,CACrG,KAAK,CAAC,CAAC,CAAC,CACT,EACD,CAAC;oBACD,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,yBAAyB;wBACjC,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,4CAA4C;wBACrD,cAAc,EAAE,oEAAoE;qBACrF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;KACF;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE;YACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,0DAA0D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3F,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,OAAO;oBACL;wBACE,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC;wBACP,MAAM,EAAE,gBAAgB;wBACxB,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,uDAAuD;wBAChE,cAAc,EAAE,4CAA4C;qBAC7D;iBACF,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;KACF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,EAAE;YACzB,MAAM,MAAM,GAAe,EAAE,CAAC;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IACE,yGAAyG,CAAC,IAAI,CAC5G,KAAK,CAAC,CAAC,CAAC,CACT,EACD,CAAC;oBACD,MAAM,CAAC,IAAI,CAAC;wBACV,IAAI,EAAE,EAAE;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,cAAc;wBACtB,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,sDAAsD;wBAC/D,cAAc,EAAE,qCAAqC;qBACtD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;KACF;CACF,CAAC;AAEF,+EAA+E;AAE/E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;AACjF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAEvF,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,SAAS,IAAI,CAAC,CAAS;QACrB,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,WAAW,CAAC,CAAC,CAAwB,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC9B,KAAK,GAAG,CAAC;gBACT,IAAI,CAAC,IAAI,CAAC,CAAC;YACb,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;oBAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB,EAAE,OAAe;IACzD,MAAM,SAAS,GAAkB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,MAAM,QAAQ,IAAI,mBAAmB,EAAE,CAAC;QAC3C,QAAQ,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;QACpC,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAChE,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/G,CAAC;QACD,KAAK,KAAK,CAAC;IACb,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,WAAW,CAAC,IAAc;IACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;CAef,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAE1F,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC9D,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,MAAM,iCAAiC,CAAC,CAAC;YACnF,KAAK,MAAM,CAAC,IAAI,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC;IACpH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,YAAY,CAAC,CAAC;IAErF,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,qBAAqB,MAAM,EAAE,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,IAAI,SAAS,GAAe,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,YAAY,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,CAAC;QAEhC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;YACrD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC;gBAChC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,iCAAiC,YAAY,CAAC,MAAM,iCAAiC,CAAC,CAAC;YACnG,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,SAAS,KAAK,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1G,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAC/G,IAAI,EACJ,CAAC,CACF,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,CAAC,MAAM,gBAAgB,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,gBAAgB,YAAY,CAAC,MAAM,cAAc,SAAS,CAAC,MAAM,gCAAgC,CAAC,CAAC;QAE/G,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;YAC1D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACjC,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAC5D,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/commands/compliance-map.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Compliance map — map findings to multiple compliance frameworks
+ * (HIPAA, SOC2, PCI-DSS, ISO 27001, NIST 800-53).
+ *
+ * Produces a unified cross-walk matrix with gap analysis.
+ * All analysis local — no data leaves the machine.
+ */
+export declare function runComplianceMap(argv: string[]): void;
+//# sourceMappingURL=compliance-map.d.ts.map

package/dist/commands/compliance-map.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compliance-map.d.ts","sourceRoot":"","sources":["../../src/commands/compliance-map.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA+RH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CA0IrD"}