@kevinrabun/judges 3.53.0 → 3.55.0

package/dist/commands/rollback-safety.js

@@ -0,0 +1,192 @@
+/**
+ * Rollback safety — detect changes that are unsafe or impossible to roll back.
+ */
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join, extname } from "path";
+// ─── File Collection ────────────────────────────────────────────────────────
+const CODE_EXTS = new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".java", ".go", ".rs", ".sql", ".yaml", ".yml"]);
+function collectFiles(dir, max = 300) {
+    const files = [];
+    function walk(d) {
+        if (files.length >= max)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(d);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (files.length >= max)
+                return;
+            if (e.startsWith(".") || e === "node_modules" || e === "dist" || e === "build")
+                continue;
+            const full = join(d, e);
+            try {
+                if (statSync(full).isDirectory())
+                    walk(full);
+                else if (CODE_EXTS.has(extname(full)))
+                    files.push(full);
+            }
+            catch {
+                /* skip */
+            }
+        }
+    }
+    walk(dir);
+    return files;
+}
+// ─── Analysis ───────────────────────────────────────────────────────────────
+const RISK_PATTERNS = [
+    {
+        pattern: /DROP\s+TABLE/i,
+        risk: "Destructive migration",
+        severity: "critical",
+        detail: "Drops entire table — data unrecoverable without backup",
+    },
+    {
+        pattern: /DROP\s+COLUMN/i,
+        risk: "Column removal",
+        severity: "critical",
+        detail: "Dropped column data lost — add deprecation period first",
+    },
+    {
+        pattern: /ALTER\s+TABLE.*RENAME/i,
+        risk: "Table/column rename",
+        severity: "high",
+        detail: "Rename breaks old queries — use alias during transition",
+    },
+    {
+        pattern: /TRUNCATE\s+/i,
+        risk: "Table truncation",
+        severity: "critical",
+        detail: "Removes all rows — cannot undo without backup",
+    },
+    {
+        pattern: /DELETE\s+FROM\s+\w+\s*(?:;|$)/im,
+        risk: "Mass delete",
+        severity: "high",
+        detail: "Delete without WHERE — removes all rows",
+    },
+    {
+        pattern: /ALTER\s+TYPE|CHANGE\s+COLUMN.*\bTYPE\b/i,
+        risk: "Column type change",
+        severity: "high",
+        detail: "Type narrowing can lose data silently",
+    },
+    {
+        pattern: /removeField|removeColumn|dropIndex/i,
+        risk: "ORM schema removal",
+        severity: "high",
+        detail: "Field/index removal in ORM migration — deploy new code first",
+    },
+    {
+        pattern: /\.destroy\(\)|\.deleteMany\(\{?\s*\}?\)|\.remove\(\{?\s*\}?\)/i,
+        risk: "Bulk data deletion",
+        severity: "high",
+        detail: "Bulk delete in application code — ensure filters are correct",
+    },
+    {
+        pattern: /(?:api|endpoint|route).*(?:removed|deprecated|deleted)/i,
+        risk: "API endpoint removal",
+        severity: "high",
+        detail: "Removing endpoints breaks consumers — deprecate first",
+    },
+    {
+        pattern: /(?:encryption|crypto).*(?:changed|migrated|switched)/i,
+        risk: "Encryption scheme change",
+        severity: "critical",
+        detail: "Changing encryption makes old data unreadable — migrate gradually",
+    },
+    {
+        pattern: /(?:partition|shard).*(?:key|strategy).*(?:change|update)/i,
+        risk: "Partition key change",
+        severity: "critical",
+        detail: "Partition key change requires full data re-distribution",
+    },
+    {
+        pattern: /irreversible|no.?rollback|one.?way/i,
+        risk: "Explicit irreversibility marker",
+        severity: "high",
+        detail: "Code explicitly marked as irreversible",
+    },
+];
+function analyzeFile(filepath) {
+    const risks = [];
+    let content;
+    try {
+        content = readFileSync(filepath, "utf-8");
+    }
+    catch {
+        return risks;
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const rp of RISK_PATTERNS) {
+            if (rp.pattern.test(line)) {
+                risks.push({ file: filepath, line: i + 1, risk: rp.risk, severity: rp.severity, detail: rp.detail });
+            }
+        }
+    }
+    return risks;
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+export function runRollbackSafety(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges rollback-safety — Detect changes unsafe or impossible to roll back
+
+Usage:
+  judges rollback-safety [dir]
+  judges rollback-safety migrations/ --format json
+
+Options:
+  [dir]                 Directory to scan (default: .)
+  --format json         JSON output
+  --help, -h            Show this help
+
+Detects: destructive DB migrations, bulk deletes, API removals, encryption changes,
+partition key changes, and code explicitly marked irreversible.
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    const dir = argv.find((a) => !a.startsWith("-") && argv.indexOf(a) > 0) || ".";
+    const files = collectFiles(dir);
+    const risks = [];
+    for (const f of files)
+        risks.push(...analyzeFile(f));
+    risks.sort((a, b) => {
+        const order = { critical: 0, high: 1, medium: 2 };
+        return order[a.severity] - order[b.severity];
+    });
+    const critCount = risks.filter((r) => r.severity === "critical").length;
+    const highCount = risks.filter((r) => r.severity === "high").length;
+    const score = risks.length === 0 ? 100 : Math.max(0, 100 - critCount * 25 - highCount * 10);
+    if (format === "json") {
+        console.log(JSON.stringify({
+            risks,
+            score,
+            summary: { critical: critCount, high: highCount, total: risks.length },
+            timestamp: new Date().toISOString(),
+        }, null, 2));
+    }
+    else {
+        const badge = critCount > 0 ? "🚫 UNSAFE" : highCount > 0 ? "⚠️  CAUTION" : "✅ SAFE";
+        console.log(`\n  Rollback Safety: ${badge} (score ${score}/100)\n  ─────────────────────────`);
+        if (risks.length === 0) {
+            console.log("    No rollback risks detected.\n");
+            return;
+        }
+        for (const r of risks) {
+            const icon = r.severity === "critical" ? "🚫" : r.severity === "high" ? "🔴" : "🟡";
+            console.log(`    ${icon} [${r.severity.toUpperCase()}] ${r.risk}`);
+            console.log(`        ${r.file}:${r.line}`);
+            console.log(`        ${r.detail}`);
+        }
+        console.log(`\n    Total: ${risks.length} risks | Critical: ${critCount} | High: ${highCount} | Score: ${score}/100\n`);
+    }
+}
+//# sourceMappingURL=rollback-safety.js.map

package/dist/commands/rollback-safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rollback-safety.js","sourceRoot":"","sources":["../../src/commands/rollback-safety.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAYrC,+EAA+E;AAE/E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAEjH,SAAS,YAAY,CAAC,GAAW,EAAE,GAAG,GAAG,GAAG;IAC1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,SAAS,IAAI,CAAC,CAAS;QACrB,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;YAAE,OAAO;QAChC,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,WAAW,CAAC,CAAC,CAAwB,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;gBAAE,OAAO;YAChC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,cAAc,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,OAAO;gBAAE,SAAS;YACzF,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC;gBACH,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE;oBAAE,IAAI,CAAC,IAAI,CAAC,CAAC;qBACxC,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1D,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAE/E,MAAM,aAAa,GAAkG;IACnH;QACE,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,wBAAwB;QACjC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,cAAc;QACvB,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,+CAA+C;KACxD;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,yCAAyC;KAClD;IACD;QACE,OAAO,EAAE,yCAAyC;QAClD,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,uCAAuC;KAChD;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,8DAA8D;KACvE;IACD;QACE,OAAO,EAAE,gEAAgE;QACzE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,8DAA8D;KACvE;IACD;QACE,OAAO,EAAE,yDAAyD;QAClE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,uDAAuD;KAChE;IACD;QACE,OAAO,EAAE,uDAAuD;QAChE,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,mEAAmE;KAC5E;IACD;QACE,OAAO,EAAE,2DAA2D;QACpE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,wCAAwC;KACjD;CACF,CAAC;AAEF,SAAS,WAAW,CAAC,QAAgB;IACnC,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;YACvG,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,iBAAiB,CAAC,IAAc;IAC9C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;CAcf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAC1F,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;IAE/E,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAErD,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAClB,MAAM,KAAK,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IACxE,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACpE,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,SAAS,GAAG,EAAE,GAAG,SAAS,GAAG,EAAE,CAAC,CAAC;IAE5F,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;YACE,KAAK;YACL,KAAK;YACL,OAAO,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE;YACtE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC;QACrF,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,WAAW,KAAK,oCAAoC,CAAC,CAAC;QAE/F,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;YACjD,OAAO;QACT,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,CAAC,GAAG,CACT,gBAAgB,KAAK,CAAC,MAAM,sBAAsB,SAAS,YAAY,SAAS,aAAa,KAAK,QAAQ,CAC3G,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/commands/secret-age.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Secret age — detect credentials with no rotation policy, hardcoded expiry,
+ * missing vault references, and shared service-account credentials.
+ */
+export declare function runSecretAge(argv: string[]): void;
+//# sourceMappingURL=secret-age.d.ts.map

package/dist/commands/secret-age.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-age.d.ts","sourceRoot":"","sources":["../../src/commands/secret-age.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAkLH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAiEjD"}

package/dist/commands/secret-age.js

@@ -0,0 +1,215 @@
+/**
+ * Secret age — detect credentials with no rotation policy, hardcoded expiry,
+ * missing vault references, and shared service-account credentials.
+ */
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join, extname } from "path";
+// ─── File Collection ────────────────────────────────────────────────────────
+const SCAN_EXTS = new Set([
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".py",
+    ".java",
+    ".go",
+    ".rs",
+    ".yaml",
+    ".yml",
+    ".json",
+    ".env",
+    ".toml",
+    ".cfg",
+    ".ini",
+    ".xml",
+]);
+function collectFiles(dir, max = 400) {
+    const files = [];
+    function walk(d) {
+        if (files.length >= max)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(d);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (files.length >= max)
+                return;
+            if (e.startsWith(".") || e === "node_modules" || e === "dist" || e === "build")
+                continue;
+            const full = join(d, e);
+            try {
+                if (statSync(full).isDirectory())
+                    walk(full);
+                else if (SCAN_EXTS.has(extname(full)))
+                    files.push(full);
+            }
+            catch {
+                /* skip */
+            }
+        }
+    }
+    walk(dir);
+    return files;
+}
+// ─── Patterns ───────────────────────────────────────────────────────────────
+const SECRET_PATTERNS = [
+    {
+        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"][A-Za-z0-9]{16,}['"]/i,
+        finding: "Hardcoded API key",
+        severity: "critical",
+        recommendation: "Move to vault or environment variable",
+    },
+    {
+        pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/i,
+        finding: "Hardcoded password",
+        severity: "critical",
+        recommendation: "Use a secrets manager",
+    },
+    {
+        pattern: /(?:secret|token)\s*[:=]\s*['"][A-Za-z0-9+/=]{16,}['"]/i,
+        finding: "Hardcoded secret/token",
+        severity: "critical",
+        recommendation: "Store in vault (AWS SSM, Azure Key Vault, HashiCorp Vault)",
+    },
+    {
+        pattern: /(?:private[_-]?key|privateKey)\s*[:=]\s*['"`]-----BEGIN/i,
+        finding: "Embedded private key",
+        severity: "critical",
+        recommendation: "Store private keys in a secure key store",
+    },
+    {
+        pattern: /(?:connection[_-]?string|connStr)\s*[:=]\s*['"][^'"]{20,}['"]/i,
+        finding: "Hardcoded connection string",
+        severity: "high",
+        recommendation: "Reference from vault; use managed identity where possible",
+    },
+    {
+        pattern: /expires?\s*[:=]\s*['"]?\d{4}[-/]\d{2}[-/]\d{2}/i,
+        finding: "Hardcoded expiry date",
+        severity: "medium",
+        recommendation: "Implement dynamic rotation; avoid static expiry",
+    },
+    {
+        pattern: /rotation|rotate.*(?:never|disabled|false)/i,
+        finding: "Rotation disabled",
+        severity: "high",
+        recommendation: "Enable automatic credential rotation",
+    },
+    {
+        pattern: /(?:aws_access_key_id|aws_secret_access_key)\s*[:=]\s*['"][A-Z0-9]{16,}['"]/i,
+        finding: "AWS credentials in source",
+        severity: "critical",
+        recommendation: "Use IAM roles or environment credentials",
+    },
+    {
+        pattern: /(?:GOOGLE_APPLICATION_CREDENTIALS|gcp_credentials)\s*[:=]\s*['"][^'"]+['"]/i,
+        finding: "GCP credentials in source",
+        severity: "high",
+        recommendation: "Use workload identity or service account key file outside repo",
+    },
+    {
+        pattern: /(?:shared|common)[_-]?(?:service)?[_-]?(?:account|credential|key)/i,
+        finding: "Shared service credentials",
+        severity: "high",
+        recommendation: "Use per-environment, per-service credentials",
+    },
+];
+function analyzeFile(filepath) {
+    const findings = [];
+    let content;
+    try {
+        content = readFileSync(filepath, "utf-8");
+    }
+    catch {
+        return findings;
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        // Skip comments
+        if (/^\s*(?:\/\/|#|\/\*|\*)/.test(line))
+            continue;
+        for (const sp of SECRET_PATTERNS) {
+            if (sp.pattern.test(line)) {
+                findings.push({
+                    file: filepath,
+                    line: i + 1,
+                    finding: sp.finding,
+                    severity: sp.severity,
+                    recommendation: sp.recommendation,
+                });
+            }
+        }
+    }
+    // Check for vault integration
+    const hasVaultRef = /vault|keyVault|ssm|secretsmanager|VAULT_ADDR|SecretClient/i.test(content);
+    const hasSecrets = findings.length > 0;
+    if (hasSecrets && !hasVaultRef) {
+        findings.push({
+            file: filepath,
+            line: 1,
+            finding: "No vault integration detected",
+            severity: "medium",
+            recommendation: "Add a secrets manager reference for credential lifecycle management",
+        });
+    }
+    return findings;
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+export function runSecretAge(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges secret-age — Credential lifecycle and rotation analysis
+
+Usage:
+  judges secret-age [dir]
+  judges secret-age src/ --format json
+
+Options:
+  [dir]                 Directory to scan (default: .)
+  --format json         JSON output
+  --help, -h            Show this help
+
+Detects: hardcoded API keys, passwords, tokens, private keys, connection strings,
+disabled rotation, hardcoded expiry, shared credentials, missing vault integration.
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    const dir = argv.find((a) => !a.startsWith("-") && argv.indexOf(a) > 0) || ".";
+    const files = collectFiles(dir);
+    const allFindings = [];
+    for (const f of files)
+        allFindings.push(...analyzeFile(f));
+    const critCount = allFindings.filter((f) => f.severity === "critical").length;
+    const highCount = allFindings.filter((f) => f.severity === "high").length;
+    const score = allFindings.length === 0 ? 100 : Math.max(0, 100 - critCount * 20 - highCount * 10);
+    if (format === "json") {
+        console.log(JSON.stringify({
+            findings: allFindings,
+            score,
+            summary: { critical: critCount, high: highCount, total: allFindings.length },
+            timestamp: new Date().toISOString(),
+        }, null, 2));
+    }
+    else {
+        const badge = critCount > 0 ? "🚫 EXPOSED" : highCount > 0 ? "⚠️  AT RISK" : allFindings.length > 0 ? "🟡 REVIEW" : "✅ CLEAN";
+        console.log(`\n  Secret Age Analysis: ${badge} (${score}/100)\n  ─────────────────────────────`);
+        if (allFindings.length === 0) {
+            console.log("    No credential lifecycle issues detected.\n");
+            return;
+        }
+        for (const f of allFindings) {
+            const icon = f.severity === "critical" ? "🚫" : f.severity === "high" ? "🔴" : "🟡";
+            console.log(`    ${icon} [${f.severity.toUpperCase()}] ${f.finding}`);
+            console.log(`        ${f.file}:${f.line}`);
+            console.log(`        → ${f.recommendation}`);
+        }
+        console.log(`\n    Total: ${allFindings.length} | Critical: ${critCount} | High: ${highCount} | Score: ${score}/100\n`);
+    }
+}
+//# sourceMappingURL=secret-age.js.map

package/dist/commands/secret-age.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-age.js","sourceRoot":"","sources":["../../src/commands/secret-age.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAYrC,+EAA+E;AAE/E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,KAAK;IACL,MAAM;IACN,KAAK;IACL,MAAM;IACN,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,SAAS,YAAY,CAAC,GAAW,EAAE,GAAG,GAAG,GAAG;IAC1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,SAAS,IAAI,CAAC,CAAS;QACrB,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;YAAE,OAAO;QAChC,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,WAAW,CAAC,CAAC,CAAwB,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;gBAAE,OAAO;YAChC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,cAAc,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,OAAO;gBAAE,SAAS;YACzF,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC;gBACH,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE;oBAAE,IAAI,CAAC,IAAI,CAAC,CAAC;qBACxC,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1D,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAE/E,MAAM,eAAe,GAKf;IACJ;QACE,OAAO,EAAE,2DAA2D;QACpE,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,cAAc,EAAE,uCAAuC;KACxD;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,OAAO,EAAE,oBAAoB;QAC7B,QAAQ,EAAE,UAAU;QACpB,cAAc,EAAE,uBAAuB;KACxC;IACD;QACE,OAAO,EAAE,wDAAwD;QACjE,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,UAAU;QACpB,cAAc,EAAE,4DAA4D;KAC7E;IACD;QACE,OAAO,EAAE,0DAA0D;QACnE,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,cAAc,EAAE,0CAA0C;KAC3D;IACD;QACE,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,6BAA6B;QACtC,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,2DAA2D;KAC5E;IACD;QACE,OAAO,EAAE,iDAAiD;QAC1D,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,QAAQ;QAClB,cAAc,EAAE,iDAAiD;KAClE;IACD;QACE,OAAO,EAAE,4CAA4C;QACrD,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,sCAAsC;KACvD;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,cAAc,EAAE,0CAA0C;KAC3D;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,gEAAgE;KACjF;IACD;QACE,OAAO,EAAE,oEAAoE;QAC7E,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,8CAA8C;KAC/D;CACF,CAAC;AAEF,SAAS,WAAW,CAAC,QAAgB;IACnC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,gBAAgB;QAChB,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAElD,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;YACjC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,OAAO,EAAE,EAAE,CAAC,OAAO;oBACnB,QAAQ,EAAE,EAAE,CAAC,QAAQ;oBACrB,cAAc,EAAE,EAAE,CAAC,cAAc;iBAClC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,WAAW,GAAG,4DAA4D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/F,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACvC,IAAI,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,+BAA+B;YACxC,QAAQ,EAAE,QAAQ;YAClB,cAAc,EAAE,qEAAqE;SACtF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,YAAY,CAAC,IAAc;IACzC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;CAcf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAC1F,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC;IAE/E,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,WAAW,GAAoB,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,WAAW,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAC9E,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,SAAS,GAAG,EAAE,GAAG,SAAS,GAAG,EAAE,CAAC,CAAC;IAElG,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;YACE,QAAQ,EAAE,WAAW;YACrB,KAAK;YACL,OAAO,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE;YAC5E,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GACT,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;QAClH,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,KAAK,KAAK,wCAAwC,CAAC,CAAC;QAEjG,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACtE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,CAAC,GAAG,CACT,gBAAgB,WAAW,CAAC,MAAM,gBAAgB,SAAS,YAAY,SAAS,aAAa,KAAK,QAAQ,CAC3G,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/commands/snippet-eval.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Snippet eval — evaluate a code snippet from stdin or a string
+ * argument without needing a file, with instant formatted output.
+ *
+ * Zero-friction entry point for evaluating AI-generated code snippets.
+ */
+export declare function runSnippetEval(argv: string[]): void;
+//# sourceMappingURL=snippet-eval.d.ts.map

package/dist/commands/snippet-eval.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snippet-eval.d.ts","sourceRoot":"","sources":["../../src/commands/snippet-eval.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAkJH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAwGnD"}