@lbroth/rothunter 1.0.0-rc.1

package/dist/detector-registry.js

@@ -0,0 +1,74 @@
+/**
+ * Single source of truth for detector IDs.
+ *
+ * Anything that lists every detector (the server's settings UI, the CLI
+ * `--detectors` flag validation, future detector documentation) imports
+ * from here. Previously the server/index.ts hardcoded a parallel list
+ * that drifted when new detectors were wired into rothunter.ts.
+ *
+ * To register a new detector:
+ *   1. Add its id below.
+ *   2. Import + invoke it from rothunter.ts.
+ *   3. (Optional) Tag it as `singleWorkspaceOnly` if it can't run when
+ *      multi-workspace-scanner is active — see the `MULTI_WORKSPACE_*`
+ *      sets below for the current split.
+ */
+export const DETECTOR_IDS = [
+    // Always-on (symbol/graph-only)
+    'duplicate-type',
+    'duplicate-function',
+    'dead-module',
+    'dead-export',
+    'dead-api',
+    'long-function',
+    'deep-nesting',
+    'public-any',
+    'hot-hub-file',
+    // Single-workspace only (file-walking, git, or ts-morph Project-bound)
+    'dead-handler',
+    'mutation',
+    'race-condition',
+    'shared-db-write',
+    'api-race',
+    'bad-config',
+    'silent-catch',
+    'skip-tests',
+    'long-file',
+    'console-log-prod',
+    'magic-numbers',
+    'mutable-globals',
+    'unused-deps',
+    'similar-functions',
+    'todo-comments',
+];
+/**
+ * Detectors that need real workspace-root-relative file paths or git
+ * access on a single workspace. Multi-workspace mode skips these because
+ * multi-workspace-scanner prefixes paths with the workspace name (see
+ * the warn-log in rothunter.ts run()).
+ */
+export const MULTI_WORKSPACE_SKIPPED = new Set([
+    'dead-handler',
+    'mutation',
+    'race-condition',
+    'shared-db-write',
+    'api-race',
+    'bad-config',
+    'silent-catch',
+    'skip-tests',
+    'long-file',
+    'console-log-prod',
+    'magic-numbers',
+    'mutable-globals',
+    'unused-deps',
+    'similar-functions',
+    'todo-comments',
+]);
+/**
+ * Cross-repo detector: only runs in multi-workspace mode (its whole
+ * purpose is to flag exported symbols that nobody imports across
+ * workspace boundaries — in single-workspace mode dead-export already
+ * covers that ground).
+ */
+export const MULTI_WORKSPACE_ONLY = new Set(['dead-api']);
+//# sourceMappingURL=detector-registry.js.map

package/dist/detector-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector-registry.js","sourceRoot":"","sources":["../src/detector-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,gCAAgC;IAChC,gBAAgB;IAChB,oBAAoB;IACpB,aAAa;IACb,aAAa;IACb,UAAU;IACV,eAAe;IACf,cAAc;IACd,YAAY;IACZ,cAAc;IACd,uEAAuE;IACvE,cAAc;IACd,UAAU;IACV,gBAAgB;IAChB,iBAAiB;IACjB,UAAU;IACV,YAAY;IACZ,cAAc;IACd,YAAY;IACZ,WAAW;IACX,kBAAkB;IAClB,eAAe;IACf,iBAAiB;IACjB,aAAa;IACb,mBAAmB;IACnB,eAAe;CACP,CAAC;AAIX;;;;;GAKG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAa;IACzD,cAAc;IACd,UAAU;IACV,gBAAgB;IAChB,iBAAiB;IACjB,UAAU;IACV,YAAY;IACZ,cAAc;IACd,YAAY;IACZ,WAAW;IACX,kBAAkB;IAClB,eAAe;IACf,iBAAiB;IACjB,aAAa;IACb,mBAAmB;IACnB,eAAe;CAChB,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAa,CAAC,UAAU,CAAC,CAAC,CAAC"}

package/dist/detectors/api-race.d.ts

@@ -0,0 +1,6 @@
+import type { Finding } from '../types.js';
+import type { FileWalkingDetectorInput } from '../types/detector-input.js';
+export interface ApiRaceDetectorInput extends FileWalkingDetectorInput {
+}
+export declare function detectApiRaces(input: ApiRaceDetectorInput): Finding[];
+//# sourceMappingURL=api-race.d.ts.map

package/dist/detectors/api-race.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-race.d.ts","sourceRoot":"","sources":["../../src/detectors/api-race.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAE3E,MAAM,WAAW,oBAAqB,SAAQ,wBAAwB;CAAG;AAiBzE,wBAAgB,cAAc,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,EAAE,CAwFrE"}

package/dist/detectors/api-race.js

@@ -0,0 +1,222 @@
+import * as path from 'node:path';
+import { Project, SyntaxKind } from 'ts-morph';
+import { stableHash } from '../utils/hash.js';
+import { trimSnippet, trimEnclosingSource } from '../utils/snippet.js';
+// Indexes PUT/PATCH/POST/DELETE calls by (method, normalized path); flags
+// clusters touched by ≥2 caller files. Clients: fetch, axios, got, ky,
+// superagent. GET excluded. Path interpolations + numeric segments → `:param`.
+export function detectApiRaces(input) {
+    let project;
+    if (input.project) {
+        project = input.project;
+    }
+    else {
+        project = new Project({
+            skipAddingFilesFromTsConfig: true,
+            skipFileDependencyResolution: true,
+        });
+        for (const rel of input.files) {
+            project.addSourceFileAtPathIfExists(path.join(input.workspaceRoot, rel));
+        }
+    }
+    const calls = [];
+    for (const sf of project.getSourceFiles()) {
+        const relativeFile = path.relative(input.workspaceRoot, sf.getFilePath());
+        for (const call of sf.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+            const matched = matchHttpClient(call);
+            if (!matched)
+                continue;
+            const enclosing = findEnclosingFunction(call);
+            const enclosingSource = enclosing
+                ? trimEnclosingSource(enclosing.getText())
+                : trimSnippet(call.getText());
+            const enclosingName = enclosing?.getName?.() ?? undefined;
+            calls.push({
+                method: matched.method,
+                pathPattern: matched.pathPattern,
+                file: relativeFile,
+                line: call.getStartLineNumber(),
+                endLine: call.getEndLineNumber(),
+                snippet: trimSnippet(call.getText()),
+                enclosingName,
+                enclosingSource,
+                client: matched.client,
+            });
+        }
+    }
+    const byKey = new Map();
+    for (const c of calls) {
+        const key = `${c.method} ${c.pathPattern}`;
+        const list = byKey.get(key) ?? [];
+        list.push(c);
+        byKey.set(key, list);
+    }
+    const findings = [];
+    for (const [key, list] of byKey) {
+        const distinctFiles = new Set(list.map((c) => c.file));
+        if (distinctFiles.size < 2)
+            continue;
+        const clients = [...new Set(list.map((c) => c.client))];
+        const exampleFiles = [...distinctFiles].slice(0, 6).join(', ');
+        findings.push({
+            detectorId: 'api-race',
+            severity: 'medium',
+            confidence: 0.65,
+            layer: 1,
+            title: `Shared API write: \`${key}\` called from ${distinctFiles.size} files (${list.length} call sites, clients: ${clients.join('+')})`,
+            description: [
+                `Multiple functions issue mutating HTTP calls against \`${key}\`.`,
+                `If any two of these can execute concurrently (browser + worker, two services, a job that retries while the user hits PATCH), the server may see two writes against the same resource — lost update if the server has no optimistic-locking version.`,
+                ``,
+                `Locations:`,
+                ...list.map((c) => `- ${c.file}:${c.line} (${c.client}) \`${c.snippet}\``),
+                ``,
+                `Files involved: ${exampleFiles}${distinctFiles.size > 6 ? ', …' : ''}`,
+            ].join('\n'),
+            evidence: list.slice(0, 8).map((c) => ({
+                file: c.file,
+                range: { startLine: c.line, endLine: c.endLine },
+                snippet: c.enclosingSource,
+                note: JSON.stringify({
+                    method: c.method,
+                    pathPattern: c.pathPattern,
+                    client: c.client,
+                    enclosingName: c.enclosingName ?? '',
+                }),
+            })),
+            suggestion: 'Add an `If-Match` / version-aware update on the server, single-flight the client calls, or merge the duplicated callers into one. If the calls are guaranteed serialised by a queue, document the synchronisation and mark this finding as a false positive.',
+            fingerprint: `api-race:${stableHash(key)}`,
+        });
+    }
+    return findings;
+}
+const FETCH_LIKE = new Set(['fetch']);
+const HTTP_CLIENTS = new Set(['axios', 'got', 'ky', 'superagent', 'request', 'apiClient', 'http']);
+const WRITE_VERBS = new Set(['put', 'patch', 'post', 'delete']);
+function matchHttpClient(call) {
+    const callee = call.getExpression();
+    // fetch(url, { method: 'PUT', ... })
+    if (callee.getKind() === SyntaxKind.Identifier && FETCH_LIKE.has(callee.getText())) {
+        const args = call.getArguments();
+        if (args.length < 2)
+            return null;
+        const url = extractUrlLiteral(args[0]);
+        if (!url)
+            return null;
+        const method = extractFetchMethod(args[1]);
+        if (!method || method === 'GET')
+            return null;
+        return { method, pathPattern: normalisePath(url), client: 'fetch' };
+    }
+    // axios/got/ky/superagent/...method(url, ...)
+    if (callee.getKind() === SyntaxKind.PropertyAccessExpression) {
+        const pa = callee.asKindOrThrow(SyntaxKind.PropertyAccessExpression);
+        const verb = pa.getName().toLowerCase();
+        if (!WRITE_VERBS.has(verb))
+            return null;
+        const head = pa.getExpression();
+        if (head.getKind() !== SyntaxKind.Identifier)
+            return null;
+        const clientName = head.getText();
+        if (!HTTP_CLIENTS.has(clientName))
+            return null;
+        const args = call.getArguments();
+        if (args.length === 0)
+            return null;
+        const url = extractUrlLiteral(args[0]);
+        if (!url)
+            return null;
+        return { method: verb.toUpperCase(), pathPattern: normalisePath(url), client: clientName };
+    }
+    // axios({ url, method: 'put' })
+    if (callee.getKind() === SyntaxKind.Identifier && callee.getText() === 'axios') {
+        const args = call.getArguments();
+        if (args.length === 0)
+            return null;
+        const obj = args[0];
+        if (obj.getKind() !== SyntaxKind.ObjectLiteralExpression)
+            return null;
+        const urlNode = pickObjectProperty(obj, 'url');
+        const methodNode = pickObjectProperty(obj, 'method');
+        if (!urlNode || !methodNode)
+            return null;
+        const url = extractUrlLiteral(urlNode);
+        const method = extractStringFromNode(methodNode);
+        if (!url || !method)
+            return null;
+        const upper = method.toUpperCase();
+        if (upper === 'GET' || !WRITE_VERBS.has(upper.toLowerCase()))
+            return null;
+        return { method: upper, pathPattern: normalisePath(url), client: 'axios' };
+    }
+    return null;
+}
+function extractUrlLiteral(node) {
+    const strLit = node.asKind(SyntaxKind.StringLiteral) ?? node.asKind(SyntaxKind.NoSubstitutionTemplateLiteral);
+    if (strLit)
+        return strLit.getLiteralText();
+    if (node.getKind() === SyntaxKind.TemplateExpression) {
+        // Reconstruct path with `:param` placeholders for each interpolation.
+        const text = node.getText();
+        return text
+            .slice(1, -1) // strip the backticks
+            .replace(/\$\{[^}]+\}/g, ':param');
+    }
+    return null;
+}
+function extractFetchMethod(optsNode) {
+    if (optsNode.getKind() !== SyntaxKind.ObjectLiteralExpression)
+        return null;
+    const methodInit = pickObjectProperty(optsNode, 'method');
+    if (!methodInit)
+        return null;
+    const m = extractStringFromNode(methodInit);
+    return m ? m.toUpperCase() : null;
+}
+function extractStringFromNode(node) {
+    const lit = node.asKind(SyntaxKind.StringLiteral) ?? node.asKind(SyntaxKind.NoSubstitutionTemplateLiteral);
+    return lit ? lit.getLiteralText() : null;
+}
+/**
+ * Normalise a raw URL string into a comparable path pattern:
+ *   - Strip protocol/host (`https://api.example.com/users/123` → `/users/123`)
+ *   - Replace numeric segments with `:id`
+ *   - Replace `:param` interpolation markers (already placed by extractor)
+ *   - Trim trailing slash
+ */
+function normalisePath(raw) {
+    let s = raw;
+    s = s.replace(/^https?:\/\/[^/]+/, '');
+    s = s.replace(/\?.*$/, ''); // drop query string
+    s = s.replace(/\/+\d+(?=\/|$)/g, '/:id');
+    s = s.replace(/\/+/g, '/');
+    if (s.length > 1 && s.endsWith('/'))
+        s = s.slice(0, -1);
+    if (!s.startsWith('/'))
+        s = `/${s}`;
+    return s;
+}
+function pickObjectProperty(obj, name) {
+    const olit = obj.asKind(SyntaxKind.ObjectLiteralExpression);
+    if (!olit)
+        return null;
+    const prop = olit.getProperty(name);
+    if (!prop || prop.getKind() !== SyntaxKind.PropertyAssignment)
+        return null;
+    return prop.getInitializer() ?? null;
+}
+function findEnclosingFunction(node) {
+    let cur = node.getParent();
+    while (cur) {
+        const k = cur.getKind();
+        if (k === SyntaxKind.FunctionDeclaration ||
+            k === SyntaxKind.MethodDeclaration ||
+            k === SyntaxKind.ArrowFunction ||
+            k === SyntaxKind.FunctionExpression) {
+            return cur;
+        }
+        cur = cur.getParent();
+    }
+    return null;
+}
+//# sourceMappingURL=api-race.js.map

package/dist/detectors/api-race.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-race.js","sourceRoot":"","sources":["../../src/detectors/api-race.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAkC,MAAM,UAAU,CAAC;AAE/E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAiBvE,0EAA0E;AAC1E,uEAAuE;AACvE,+EAA+E;AAC/E,MAAM,UAAU,cAAc,CAAC,KAA2B;IACxD,IAAI,OAAgB,CAAC;IACrB,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,IAAI,OAAO,CAAC;YACpB,2BAA2B,EAAE,IAAI;YACjC,4BAA4B,EAAE,IAAI;SACnC,CAAC,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAC9B,OAAO,CAAC,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAmB,EAAE,CAAC;IACjC,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1E,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACtE,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;YAC9C,MAAM,eAAe,GAAG,SAAS;gBAC/B,CAAC,CAAC,mBAAmB,CAAE,SAAmC,CAAC,OAAO,EAAE,CAAC;gBACrE,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAChC,MAAM,aAAa,GAChB,SAA2D,EAAE,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;YACzF,KAAK,CAAC,IAAI,CAAC;gBACT,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;gBAC/B,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE;gBAChC,OAAO,EAAE,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACpC,aAAa;gBACb,eAAe;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAChD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;QAChC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC;YAAE,SAAS;QAErC,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACxD,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE/D,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,UAAU;YACtB,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,uBAAuB,GAAG,kBAAkB,aAAa,CAAC,IAAI,WAAW,IAAI,CAAC,MAAM,yBAAyB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG;YACxI,WAAW,EAAE;gBACX,0DAA0D,GAAG,KAAK;gBAClE,qPAAqP;gBACrP,EAAE;gBACF,YAAY;gBACZ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC;gBAC1E,EAAE;gBACF,mBAAmB,YAAY,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;aACxE,CAAC,IAAI,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE;gBAChD,OAAO,EAAE,CAAC,CAAC,eAAe;gBAC1B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,EAAE;iBACrC,CAAC;aACH,CAAC,CAAC;YACH,UAAU,EACR,8PAA8P;YAChQ,WAAW,EAAE,YAAY,UAAU,CAAC,GAAG,CAAC,EAAE;SAC3C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAQD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AACtC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;AACnG,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEhE,SAAS,eAAe,CAAC,IAAoB;IAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAEpC,qCAAqC;IACrC,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,UAAU,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QACnF,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,GAAG,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;QACxC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACtE,CAAC;IAED,8CAA8C;IAC9C,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,wBAAwB,EAAE,CAAC;QAC7D,MAAM,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,wBAAwB,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;QACxC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,MAAM,IAAI,GAAG,EAAE,CAAC,aAAa,EAAE,CAAC;QAChC,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,GAAG,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAE,CAAC,CAAC;QACxC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,EAAE,WAAW,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC7F,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,UAAU,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,OAAO,EAAE,CAAC;QAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,IAAI,GAAG,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,uBAAuB;YAAE,OAAO,IAAI,CAAC;QACtE,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAW,EAAE,KAAK,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,kBAAkB,CAAC,GAAW,EAAE,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QACzC,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,IAAI,KAAK,KAAK,KAAK,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1E,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7E,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAU;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IAC9G,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,cAAc,EAAE,CAAC;IAC3C,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,kBAAkB,EAAE,CAAC;QACrD,sEAAsE;QACtE,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC5B,OAAO,IAAI;aACR,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,sBAAsB;aACnC,OAAO,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAc;IACxC,IAAI,QAAQ,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,uBAAuB;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,CAAC,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5C,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAU;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IAC3G,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC,GAAG,GAAG,CAAC;IACZ,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;IACvC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAChD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxD,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IACpC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAS,EAAE,IAAY;IACjD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAC3E,OAAQ,IAA+C,CAAC,cAAc,EAAE,IAAI,IAAI,CAAC;AACnF,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAU;IACvC,IAAI,GAAG,GAAqB,IAAI,CAAC,SAAS,EAAE,CAAC;IAC7C,OAAO,GAAG,EAAE,CAAC;QACX,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QACxB,IACE,CAAC,KAAK,UAAU,CAAC,mBAAmB;YACpC,CAAC,KAAK,UAAU,CAAC,iBAAiB;YAClC,CAAC,KAAK,UAAU,CAAC,aAAa;YAC9B,CAAC,KAAK,UAAU,CAAC,kBAAkB,EACnC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC;IACxB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/detectors/bad-config.d.ts

@@ -0,0 +1,6 @@
+import type { Finding } from '../types.js';
+import type { FileWalkingDetectorInput } from '../types/detector-input.js';
+export interface BadConfigDetectorInput extends FileWalkingDetectorInput {
+}
+export declare function detectBadConfig(input: BadConfigDetectorInput): Finding[];
+//# sourceMappingURL=bad-config.d.ts.map

package/dist/detectors/bad-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bad-config.d.ts","sourceRoot":"","sources":["../../src/detectors/bad-config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC;AAE3E,MAAM,WAAW,sBAAuB,SAAQ,wBAAwB;CAAG;AAK3E,wBAAgB,eAAe,CAAC,KAAK,EAAE,sBAAsB,GAAG,OAAO,EAAE,CAgCxE"}