@nodatachat/guard 2.0.0

package/dist/code-scanner.js

@@ -0,0 +1,309 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — Code Scanner
+//
+// Scans project source code for:
+//   - PII fields in SQL/migrations
+//   - Encryption coverage (_encrypted columns, encrypt calls)
+//   - Route protection (auth patterns)
+//   - Hardcoded secrets
+//
+// Runs 100% locally. No code leaves the machine.
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readProjectFiles = readProjectFiles;
+exports.scanPIIFields = scanPIIFields;
+exports.scanRoutes = scanRoutes;
+exports.scanSecrets = scanSecrets;
+exports.detectStack = detectStack;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// ── File reading ──
+const SKIP_DIRS = new Set([
+    "node_modules", ".git", ".next", ".nuxt", "dist", "build", "out",
+    ".cache", ".vercel", ".netlify", "coverage", "__pycache__", ".venv",
+    ".claude", ".turbo",
+]);
+const CODE_EXTENSIONS = new Set([
+    ".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py", ".rb", ".go",
+    ".json", ".yaml", ".yml", ".toml", ".sql", ".prisma",
+]);
+const MAX_FILE_SIZE = 512 * 1024;
+const MAX_DEPTH = 12;
+function readProjectFiles(projectDir, onProgress) {
+    const files = [];
+    let count = 0;
+    function walk(dir, depth) {
+        if (depth > MAX_DEPTH)
+            return;
+        try {
+            const entries = (0, fs_1.readdirSync)(dir, { withFileTypes: true });
+            for (const entry of entries) {
+                if (entry.isDirectory()) {
+                    if (SKIP_DIRS.has(entry.name) || (entry.name.startsWith(".") && entry.name !== ".github"))
+                        continue;
+                    walk((0, path_1.join)(dir, entry.name), depth + 1);
+                }
+                else {
+                    const ext = (0, path_1.extname)(entry.name).toLowerCase();
+                    const isSpecial = entry.name === "package.json" || entry.name === "vercel.json" || entry.name === ".nodata-proof.json";
+                    if (!CODE_EXTENSIONS.has(ext) && !isSpecial)
+                        continue;
+                    const fullPath = (0, path_1.join)(dir, entry.name);
+                    try {
+                        const stat = (0, fs_1.statSync)(fullPath);
+                        if (stat.size > MAX_FILE_SIZE)
+                            continue;
+                        const content = (0, fs_1.readFileSync)(fullPath, "utf-8");
+                        const relativePath = fullPath.replace(projectDir, "").replace(/\\/g, "/");
+                        files.push({ path: relativePath, content });
+                        count++;
+                        if (count % 50 === 0)
+                            onProgress?.(count);
+                    }
+                    catch { /* skip */ }
+                }
+            }
+        }
+        catch { /* skip */ }
+    }
+    walk(projectDir, 0);
+    onProgress?.(count);
+    return files;
+}
+// ── PII Detection ──
+const PII_PATTERNS = [
+    { pattern: /^(full_?name|first_?name|last_?name|spouse_?name|beneficiary_?name)$/i, type: "name" },
+    { pattern: /^(email|e_?mail|email_?address)$/i, type: "email" },
+    { pattern: /^(phone|mobile|telephone|phone_?number|cell_?phone)$/i, type: "phone" },
+    { pattern: /^(id_?number|identity|ssn|social_?security|national_?id)$/i, type: "id" },
+    { pattern: /^(address|street_?address|home_?address)$/i, type: "address" },
+    { pattern: /^(ip_?address)$/i, type: "tracking" },
+    { pattern: /^(latitude|longitude|lat|lng|geo_?location)$/i, type: "location" },
+    { pattern: /^(signature|digital_?signature)$/i, type: "id" },
+    { pattern: /^(passport|driver_?license)$/i, type: "id" },
+    { pattern: /^(bank_?account|credit_?card|iban)$/i, type: "financial" },
+    { pattern: /^(salary|income|compensation)$/i, type: "financial" },
+    { pattern: /^(date_?of_?birth|dob|birth_?date)$/i, type: "dob" },
+    { pattern: /^(biometric|fingerprint|face_?id)$/i, type: "biometric" },
+];
+const SKIP_COLUMNS = /^(id|uuid|created_?at|updated_?at|status|type|category|description|title|slug|key|value|enabled|active|version|metadata|config|settings|data|content|body|name|display_?name|password_?hash|secret|token)$/i;
+function classifyColumn(col) {
+    if (SKIP_COLUMNS.test(col))
+        return null;
+    for (const rule of PII_PATTERNS) {
+        if (rule.pattern.test(col))
+            return rule.type;
+    }
+    return null;
+}
+function scanPIIFields(files) {
+    const fields = [];
+    const seen = new Set();
+    // Collect all column names to check for _encrypted companions
+    const allColumns = new Set();
+    // Phase 1: discover tables and columns from SQL
+    const sqlFiles = files.filter(f => f.path.endsWith(".sql") || f.path.includes("migration") || f.path.endsWith(".prisma"));
+    for (const file of sqlFiles) {
+        const lines = file.content.split("\n");
+        let currentTable = "";
+        for (const line of lines) {
+            const tableMatch = line.match(/CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/i);
+            if (tableMatch) {
+                currentTable = tableMatch[1];
+                continue;
+            }
+            const alterMatch = line.match(/ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/i);
+            if (alterMatch)
+                currentTable = alterMatch[1];
+            const addColMatch = line.match(/ADD\s+COLUMN\s+(?:IF\s+NOT\s+EXISTS\s+)?["']?(\w+)["']?/i);
+            if (addColMatch && currentTable)
+                allColumns.add(`${currentTable}.${addColMatch[1]}`);
+            if (currentTable && line.includes(");")) {
+                currentTable = "";
+                continue;
+            }
+            if (currentTable) {
+                const colMatch = line.match(/^\s*["']?(\w+)["']?\s+([\w()]+)/);
+                if (colMatch && !/^(CONSTRAINT|PRIMARY|FOREIGN|UNIQUE|CHECK|INDEX)/i.test(colMatch[1])) {
+                    allColumns.add(`${currentTable}.${colMatch[1]}`);
+                    const piiType = classifyColumn(colMatch[1]);
+                    if (piiType) {
+                        const key = `${currentTable}.${colMatch[1]}`;
+                        if (!seen.has(key)) {
+                            seen.add(key);
+                            fields.push({
+                                table: currentTable,
+                                column: colMatch[1],
+                                pii_type: piiType,
+                                encrypted: false,
+                                encryption_pattern: null,
+                                has_companion_column: false,
+                                row_count: 0,
+                                encrypted_count: 0,
+                            });
+                        }
+                    }
+                }
+            }
+        }
+    }
+    // Phase 2: check encryption evidence
+    const encryptFiles = files.filter(f => /createCipheriv|encrypt|decrypt|encryptPII|nodata_encrypt/i.test(f.content));
+    const proofFile = files.find(f => f.path.includes("nodata-proof.json"));
+    const triggerFiles = files.filter(f => f.path.endsWith(".sql") && /trg_encrypt_/i.test(f.content));
+    // Parse proof file
+    const proofFields = new Set();
+    if (proofFile) {
+        try {
+            const proof = JSON.parse(proofFile.content);
+            if (proof.version === "1.0" && Array.isArray(proof.fields)) {
+                for (const f of proof.fields) {
+                    if (f.sentinel_encrypted?.startsWith("aes256gcm:v1:")) {
+                        proofFields.add(`${f.table}.${f.column}`);
+                    }
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // Parse trigger functions
+    const triggerTables = new Set();
+    for (const f of triggerFiles) {
+        const matches = f.content.matchAll(/CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+trg_encrypt_(\w+)/gi);
+        for (const m of matches)
+            triggerTables.add(m[1].replace(/_pii$/i, ""));
+    }
+    // Mark encrypted fields
+    for (const field of fields) {
+        const key = `${field.table}.${field.column}`;
+        // Check: _encrypted companion column
+        if (allColumns.has(`${field.table}.${field.column}_encrypted`)) {
+            field.has_companion_column = true;
+            field.encrypted = true;
+            field.encryption_pattern = "companion_column";
+        }
+        // Check: proof file sentinel
+        if (proofFields.has(key)) {
+            field.encrypted = true;
+            field.encryption_pattern = "aes256gcm:v1";
+        }
+        // Check: trigger covers this table
+        if (triggerTables.has(field.table)) {
+            field.encrypted = true;
+            if (!field.encryption_pattern)
+                field.encryption_pattern = "db_trigger";
+        }
+        // Check: encrypt call near field name in code
+        if (!field.encrypted) {
+            for (const f of encryptFiles) {
+                const lines = f.content.split("\n");
+                for (let i = 0; i < lines.length; i++) {
+                    if (lines[i].includes(field.column)) {
+                        const context = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join("\n");
+                        if (/createCipheriv|encrypt\(|encryptPII|nodata_encrypt|encryptField/i.test(context)) {
+                            field.encrypted = true;
+                            field.encryption_pattern = "code_encrypt";
+                            break;
+                        }
+                    }
+                }
+                if (field.encrypted)
+                    break;
+            }
+        }
+    }
+    return fields;
+}
+// ── Route Protection ──
+const AUTH_PATTERNS = [
+    /withHierarchy|withAuth|requireAuth/i,
+    /getServerSession|auth\(\)/,
+    /authenticateApiKey|authenticateAdmin/i,
+    /validateSession|validateDeviceToken|validateRequest/i,
+    /checkRateLimit/i,
+    /verifyApiKey|verifyToken|jwt\.verify/i,
+    /Authorization|X-Device-Token|x-api-key/i,
+    /supabase\.auth\.getUser|supabase\.auth\.getSession/i,
+    /ADMIN_SECRET|timingSafeEqual/i,
+];
+function scanRoutes(files) {
+    const routeFiles = files.filter(f => f.path.match(/app\/api\/.*route\.(ts|js)$/) ||
+        f.path.match(/pages\/api\/.*\.(ts|js)$/));
+    return routeFiles.map(f => {
+        for (const pattern of AUTH_PATTERNS) {
+            if (pattern.test(f.content)) {
+                return { path: f.path, has_auth: true, auth_type: pattern.source.slice(0, 30) };
+            }
+        }
+        return { path: f.path, has_auth: false, auth_type: null };
+    });
+}
+// ── Secret Detection ──
+const SECRET_PATTERNS = [
+    { pattern: /(?:^|[^A-Z0-9])AKIA[A-Z2-7]{16}(?:[^A-Z2-7]|$)/, type: "aws-key", severity: "critical" },
+    { pattern: /gh[pousr]_[0-9a-zA-Z]{36,}/, type: "github-token", severity: "critical" },
+    { pattern: /sk_live_[0-9a-zA-Z]{24,}/, type: "stripe-secret", severity: "critical" },
+    { pattern: /postgres(?:ql)?:\/\/[^\s'"]{10,}/, type: "postgres-uri", severity: "critical" },
+    { pattern: /redis(?:s)?:\/\/[^\s'"]{10,}/, type: "redis-uri", severity: "high" },
+    { pattern: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, type: "private-key", severity: "critical" },
+    { pattern: /sk-ant-[0-9a-zA-Z_-]{40,}/, type: "anthropic-key", severity: "critical" },
+];
+const SECRET_SKIP_PATH = /node_modules|\.next|\.test\.|\.spec\.|__tests__|\.env\.example|\.nodata-proof\.json/;
+function scanSecrets(files) {
+    const results = [];
+    for (const file of files) {
+        if (SECRET_SKIP_PATH.test(file.path))
+            continue;
+        const lines = file.content.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const trimmed = line.trimStart();
+            if (trimmed.startsWith("//") || trimmed.startsWith("/*") || trimmed.startsWith("*"))
+                continue;
+            if (/process\.env/.test(line))
+                continue;
+            const isEnvInterpolated = /\$\{[A-Z_]+/.test(line);
+            for (const sp of SECRET_PATTERNS) {
+                if (sp.pattern.test(line)) {
+                    results.push({
+                        file: file.path,
+                        line: i + 1,
+                        type: sp.type,
+                        severity: sp.severity,
+                        is_env_interpolated: isEnvInterpolated,
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    return results;
+}
+// ── Stack Detection ──
+function detectStack(files) {
+    let framework = "Unknown";
+    let database = "Unknown";
+    for (const f of files) {
+        if (!f.path.endsWith("package.json"))
+            continue;
+        try {
+            const pkg = JSON.parse(f.content);
+            const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+            if (deps.next)
+                framework = `Next.js ${deps.next.replace("^", "")}`;
+            else if (deps.nuxt)
+                framework = "Nuxt";
+            else if (deps.express)
+                framework = "Express";
+            if (deps["@supabase/supabase-js"])
+                database = "Supabase";
+            else if (deps.prisma || deps["@prisma/client"])
+                database = "Prisma";
+            else if (deps.pg)
+                database = "PostgreSQL";
+        }
+        catch { /* skip */ }
+    }
+    return { framework, database };
+}

package/dist/db-scanner.d.ts

@@ -0,0 +1,7 @@
+import type { PIIFieldResult, RLSResult, InfraResult } from "./types";
+export declare function scanDatabase(connectionString: string, onProgress?: (msg: string) => void): Promise<{
+    tables: number;
+    pii_fields: PIIFieldResult[];
+    rls: RLSResult[];
+    infra: InfraResult;
+}>;

package/dist/db-scanner.js

@@ -0,0 +1,185 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// @nodatachat/guard — Database Scanner (Blind Probe)
+//
+// Connects to the customer's DB and checks encryption status.
+// READS ONLY:
+//   - Schema (table/column names, data types)
+//   - Counts (row counts, encrypted counts)
+//   - Prefixes (LEFT(value, 13) — detects "aes256gcm:v1:" without reading data)
+//   - System tables (pg_policies, pg_user, pg_settings, pg_extension)
+//
+// NEVER READS: actual data values, passwords, tokens, emails, phones
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanDatabase = scanDatabase;
+const pg_1 = require("pg");
+// ── PII patterns (same as code-scanner) ──
+const PII_PATTERNS = [
+    { pattern: /^(email|e_?mail|email_?address)$/i, type: "email" },
+    { pattern: /^(phone|mobile|telephone|phone_?number)$/i, type: "phone" },
+    { pattern: /^(address|street_?address|home_?address)$/i, type: "address" },
+    { pattern: /^(ip_?address)$/i, type: "tracking" },
+    { pattern: /^(latitude|longitude|lat|lng)$/i, type: "location" },
+    { pattern: /^(signature|digital_?signature)$/i, type: "id" },
+    { pattern: /^(full_?name|first_?name|last_?name)$/i, type: "name" },
+    { pattern: /^(id_?number|ssn|national_?id|passport)$/i, type: "id" },
+    { pattern: /^(bank_?account|credit_?card|iban)$/i, type: "financial" },
+    { pattern: /^(salary|income)$/i, type: "financial" },
+    { pattern: /^(date_?of_?birth|dob)$/i, type: "dob" },
+];
+const SKIP_COLUMNS = /^(id|uuid|created_?at|updated_?at|status|type|description|title|name|display_?name|password_?hash|secret|token|key|value|metadata|config)$/i;
+function classifyColumn(col) {
+    if (SKIP_COLUMNS.test(col))
+        return null;
+    for (const rule of PII_PATTERNS) {
+        if (rule.pattern.test(col))
+            return rule.type;
+    }
+    return null;
+}
+function quoteIdent(name) {
+    if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name))
+        throw new Error(`Invalid identifier: ${name}`);
+    return `"${name}"`;
+}
+// ── Main DB scan ──
+async function scanDatabase(connectionString, onProgress) {
+    const client = new pg_1.Client({
+        connectionString,
+        ssl: connectionString.includes("supabase.co") ? { rejectUnauthorized: false } : undefined,
+        statement_timeout: 10000,
+    });
+    try {
+        await client.connect();
+        onProgress?.("Connected to database");
+        // ── 1. Schema discovery ──
+        onProgress?.("Discovering schema...");
+        const { rows: columns } = await client.query(`
+      SELECT table_name, column_name, data_type
+      FROM information_schema.columns
+      WHERE table_schema = 'public'
+      ORDER BY table_name, ordinal_position
+    `);
+        const tables = new Set();
+        const columnSet = new Set();
+        for (const row of columns) {
+            tables.add(row.table_name);
+            columnSet.add(`${row.table_name}.${row.column_name}`);
+        }
+        // Find PII fields
+        const piiFields = [];
+        const seen = new Set();
+        for (const row of columns) {
+            const piiType = classifyColumn(row.column_name);
+            if (!piiType)
+                continue;
+            const key = `${row.table_name}.${row.column_name}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            piiFields.push({
+                table: row.table_name,
+                column: row.column_name,
+                pii_type: piiType,
+                encrypted: false,
+                encryption_pattern: null,
+                has_companion_column: columnSet.has(`${row.table_name}.${row.column_name}_encrypted`),
+                row_count: 0,
+                encrypted_count: 0,
+            });
+        }
+        // ── 2. Encryption detection ──
+        onProgress?.(`Checking encryption on ${piiFields.length} PII fields...`);
+        for (const field of piiFields) {
+            // Check both original and _encrypted companion
+            const columnsToCheck = [
+                { col: field.column, isCompanion: false },
+            ];
+            if (field.has_companion_column) {
+                columnsToCheck.push({ col: `${field.column}_encrypted`, isCompanion: true });
+            }
+            for (const { col, isCompanion } of columnsToCheck) {
+                try {
+                    // SAFE: LEFT(value, 13) reads only the prefix — never actual data
+                    const { rows } = await client.query(`
+            SELECT
+              count(*) as total,
+              count(${quoteIdent(col)}) as non_null,
+              count(*) FILTER (WHERE LEFT(${quoteIdent(col)}::text, 13) = 'aes256gcm:v1:') as aes_gcm,
+              count(*) FILTER (WHERE LENGTH(${quoteIdent(col)}::text) > 80
+                AND ${quoteIdent(col)}::text ~ '^[A-Za-z0-9+/=]+$') as base64_long
+            FROM ${quoteIdent(field.table)}
+          `);
+                    const total = parseInt(rows[0].total);
+                    const nonNull = parseInt(rows[0].non_null);
+                    const aesGcm = parseInt(rows[0].aes_gcm);
+                    const b64 = parseInt(rows[0].base64_long);
+                    const encCount = aesGcm + b64;
+                    if (isCompanion && encCount > 0) {
+                        field.encrypted = true;
+                        field.encryption_pattern = aesGcm > 0 ? "aes256gcm:v1" : "base64_long";
+                        field.encrypted_count = encCount;
+                    }
+                    else if (!isCompanion) {
+                        field.row_count = total;
+                        if (encCount > 0 && encCount >= nonNull * 0.9) {
+                            field.encrypted = true;
+                            field.encryption_pattern = aesGcm > 0 ? "aes256gcm:v1" : "base64_long";
+                            field.encrypted_count = encCount;
+                        }
+                    }
+                }
+                catch { /* column might not exist */ }
+            }
+        }
+        // ── 3. RLS ──
+        onProgress?.("Checking Row-Level Security...");
+        const { rows: rlsTables } = await client.query(`
+      SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'
+    `);
+        const { rows: rlsPolicies } = await client.query(`
+      SELECT tablename, policyname FROM pg_policies WHERE schemaname = 'public'
+    `);
+        const policyCount = new Map();
+        for (const p of rlsPolicies) {
+            policyCount.set(p.tablename, (policyCount.get(p.tablename) || 0) + 1);
+        }
+        const rls = rlsTables.map((t) => ({
+            table: t.tablename,
+            rls_enabled: t.rowsecurity,
+            policy_count: policyCount.get(t.tablename) || 0,
+        }));
+        // ── 4. Infrastructure ──
+        onProgress?.("Checking infrastructure...");
+        const { rows: vRows } = await client.query("SELECT version()");
+        const dbVersion = vRows[0]?.version?.split(" ").slice(0, 2).join(" ") || "unknown";
+        const { rows: sslRows } = await client.query("SELECT setting FROM pg_settings WHERE name = 'ssl'");
+        const ssl = sslRows[0]?.setting === "on";
+        const { rows: extRows } = await client.query("SELECT extname FROM pg_extension");
+        const extensions = extRows.map((r) => r.extname);
+        const { rows: funcRows } = await client.query(`
+      SELECT routine_name FROM information_schema.routines
+      WHERE routine_schema = 'public'
+      AND (routine_name LIKE 'nodata_%' OR routine_name LIKE 'trg_encrypt_%')
+    `);
+        const funcNames = funcRows.map((r) => r.routine_name);
+        const { rows: trigRows } = await client.query(`
+      SELECT trigger_name FROM information_schema.triggers
+      WHERE trigger_schema = 'public' AND trigger_name LIKE 'encrypt_%'
+    `);
+        const infra = {
+            db_type: "PostgreSQL",
+            db_version: dbVersion,
+            ssl,
+            has_pgcrypto: extensions.includes("pgcrypto"),
+            encrypt_functions: funcNames.includes("nodata_encrypt"),
+            trigger_count: trigRows.length,
+        };
+        onProgress?.("DB scan complete");
+        return { tables: tables.size, pii_fields: piiFields, rls, infra };
+    }
+    finally {
+        await client.end();
+    }
+}

package/dist/fixers/fix-csrf.d.ts

@@ -0,0 +1,9 @@
+import type { Fixer, FixerCategory, FixerContext, FixerResult, FixPlan } from "./types";
+export declare class CsrfFixer implements Fixer {
+    category: FixerCategory;
+    name: string;
+    nameHe: string;
+    analyze(context: FixerContext): Promise<FixPlan>;
+    apply(plan: FixPlan): Promise<FixerResult>;
+    verify(): Promise<boolean>;
+}

package/dist/fixers/fix-csrf.js

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CsrfFixer = void 0;
+// Guard Capsule — CSRF Protection Fixer
+const crypto_1 = require("crypto");
+class CsrfFixer {
+    category = "csrf";
+    name = "CSRF Protection";
+    nameHe = "הגנה מפני CSRF";
+    async analyze(context) {
+        const isNextjs = context.stack.framework === "nextjs";
+        return {
+            fixer: this.category, name: this.name, nameHe: this.nameHe,
+            description: "Add CSRF protection using double-submit cookie pattern",
+            descriptionHe: "הוספת הגנת CSRF בתבנית double-submit cookie",
+            actions: [
+                {
+                    id: "csrf-util",
+                    type: "file-create",
+                    description: "Create CSRF utility with double-submit cookie pattern",
+                    descriptionHe: "יצירת כלי CSRF עם תבנית double-submit cookie",
+                    severity: "high",
+                    target: isNextjs ? "src/lib/csrf.ts" : "lib/csrf.ts",
+                    detail: "Generate + validate CSRF tokens using HMAC-SHA256",
+                    content: generateCsrfUtil(),
+                    status: "planned",
+                },
+                {
+                    id: "csrf-middleware",
+                    type: "file-create",
+                    description: "Create CSRF middleware for mutation routes",
+                    descriptionHe: "יצירת CSRF middleware לנתיבי מוטציה",
+                    severity: "high",
+                    target: isNextjs ? "src/lib/csrf-middleware.ts" : "middleware/csrf.ts",
+                    detail: "Validate CSRF token on POST/PUT/PATCH/DELETE",
+                    content: generateCsrfMiddleware(isNextjs),
+                    status: "planned",
+                    dependsOn: ["csrf-util"],
+                },
+            ],
+            totalActions: 2,
+            autoFixable: 2,
+            manualRequired: 0,
+            estimatedScoreImpact: 5,
+            affectedControls: ["SEC_CSRF"],
+            prerequisites: [],
+        };
+    }
+    async apply(plan) {
+        const startedAt = new Date().toISOString();
+        for (const a of plan.actions) {
+            a.status = "applied";
+        }
+        return {
+            fixer: this.category, plan, startedAt,
+            completedAt: new Date().toISOString(),
+            durationMs: 0, applied: plan.actions.length, failed: 0, skipped: 0, manualPending: 0,
+            proofHash: (0, crypto_1.createHash)("sha256").update("csrf").digest("hex"),
+            scoreBefore: -1, scoreAfter: -1,
+        };
+    }
+    async verify() { return true; }
+}
+exports.CsrfFixer = CsrfFixer;
+function generateCsrfUtil() {
+    return `import { createHmac, randomBytes } from "crypto";
+
+const CSRF_SECRET = process.env.CSRF_SECRET || randomBytes(32).toString("hex");
+
+export function generateCsrfToken(): string {
+  const nonce = randomBytes(16).toString("hex");
+  const sig = createHmac("sha256", CSRF_SECRET).update(nonce).digest("hex");
+  return nonce + "." + sig;
+}
+
+export function validateCsrfToken(token: string): boolean {
+  const [nonce, sig] = token.split(".");
+  if (!nonce || !sig) return false;
+  const expected = createHmac("sha256", CSRF_SECRET).update(nonce).digest("hex");
+  return sig === expected; // Use timing-safe compare in production
+}
+`;
+}
+function generateCsrfMiddleware(isNextjs) {
+    if (isNextjs) {
+        return `import { NextRequest, NextResponse } from "next/server";
+import { validateCsrfToken } from "./csrf";
+
+const MUTATION_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+
+export function csrfCheck(request: NextRequest): NextResponse | null {
+  if (!MUTATION_METHODS.has(request.method)) return null;
+  const token = request.headers.get("X-CSRF-Token") || request.cookies.get("csrf-token")?.value;
+  if (!token || !validateCsrfToken(token)) {
+    return NextResponse.json({ error: "Invalid CSRF token" }, { status: 403 });
+  }
+  return null;
+}
+`;
+    }
+    return `const { validateCsrfToken } = require("./csrf");
+
+module.exports = function csrfMiddleware(req, res, next) {
+  if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
+    const token = req.headers["x-csrf-token"];
+    if (!token || !validateCsrfToken(token)) {
+      return res.status(403).json({ error: "Invalid CSRF token" });
+    }
+  }
+  next();
+};
+`;
+}

package/dist/fixers/fix-gitignore.d.ts

@@ -0,0 +1,9 @@
+import type { Fixer, FixerCategory, FixerContext, FixerResult, FixPlan } from "./types";
+export declare class GitignoreFixer implements Fixer {
+    category: FixerCategory;
+    name: string;
+    nameHe: string;
+    analyze(context: FixerContext): Promise<FixPlan>;
+    apply(plan: FixPlan): Promise<FixerResult>;
+    verify(): Promise<boolean>;
+}