@qodfy/core 0.2.6 → 0.2.8

package/dist/index.d.ts

@@ -20,6 +20,7 @@ type Issue = {
     suggestion?: string;
     fixPrompt?: string;
     evidence?: IssueEvidence[];
+    context?: IssueEvidence[];
 };
 type ScanReport = {
     projectPath: string;

package/dist/index.js

@@ -354,18 +354,10 @@ async function scanProject(input) {
       relativeFile,
       content
     }) : null;
-    if (runWebhookChecks && apiRouteAnalysis?.intent === "webhook" && !apiRouteAnalysis.hasWebhookVerification) {
-      addIssue({
-        ruleId: "webhook-missing-signature-verification",
-        category: "webhook",
-        severity: apiRouteAnalysis.confidence === "high" ? "critical" : "warning",
-        confidence: apiRouteAnalysis.confidence,
-        title: "Webhook route may be missing signature verification",
-        message: "This webhook route appears to handle external events, but Qodfy could not find signature verification before the event is handled.",
-        file: relativeFile,
-        suggestion: getWebhookSignatureSuggestion(apiRouteAnalysis.webhookProvider),
-        fixPrompt: createWebhookSignatureFixPrompt(relativeFile),
-        evidence: apiRouteAnalysis.evidence
+    if (runWebhookChecks && apiRouteAnalysis) {
+      addWebhookSignatureIssues({
+        addIssue,
+        analysis: apiRouteAnalysis
       });
     }
     if (runSecurityChecks) {
@@ -726,95 +718,125 @@ function isApiRoute(filePath) {
   const sourceFileExtension = "(?:ts|tsx|js|jsx|mts|cts|mjs|cjs)";
   return new RegExp(`/app/api(?:/.+)?/route\\.${sourceFileExtension}$`).test(normalizedFile) || new RegExp(`/pages/api/.+\\.${sourceFileExtension}$`).test(normalizedFile);
 }
+function addWebhookSignatureIssues({
+  addIssue,
+  analysis
+}) {
+  for (const handler of analysis.handlers) {
+    if (handler.intent !== "webhook" || handler.hasWebhookVerification) {
+      continue;
+    }
+    addIssue({
+      ruleId: "webhook-missing-signature-verification",
+      category: "webhook",
+      severity: handler.confidence === "high" ? "critical" : "warning",
+      confidence: handler.confidence,
+      title: `Webhook ${handler.method} handler may be missing signature verification`,
+      message: `The ${handler.method} handler in this route appears to handle external events, but Qodfy could not find signature verification before the event is handled.`,
+      file: analysis.relativeFile,
+      suggestion: getWebhookSignatureSuggestion(analysis.webhookProvider),
+      fixPrompt: createWebhookSignatureFixPrompt(analysis.relativeFile, handler.method),
+      evidence: handler.evidence,
+      context: handler.context
+    });
+  }
+}
 function addApiRouteProtectionIssues({
   addIssue,
   includeLowConfidence,
   analysis
 }) {
-  if (analysis.intent === "webhook") {
-    return;
-  }
-  if (analysis.intent === "public-read") {
-    if (includeLowConfidence) {
-      addIssue({
-        ruleId: "api-public-read-route",
-        category: "api",
-        severity: "info",
-        confidence: analysis.confidence,
-        title: "Public read API route detected",
-        message: "This route appears intentionally public. Authentication may not be required.",
-        file: analysis.relativeFile,
-        suggestion: "Verify that it only exposes public or published data and has appropriate validation, caching, and abuse protection.",
-        fixPrompt: createPublicReadRouteFixPrompt(analysis.relativeFile),
-        evidence: analysis.evidence
-      });
+  for (const handler of analysis.handlers) {
+    if (handler.intent === "webhook") {
+      continue;
     }
-    return;
-  }
-  if (analysis.intent === "public-form") {
-    if (!analysis.hasRateLimit && !analysis.hasValidation) {
-      addIssue({
-        ruleId: "public-form-missing-abuse-protection",
-        category: "api",
-        severity: "warning",
-        confidence: analysis.confidence,
-        title: "Public form route may be missing abuse protection",
-        message: "This route appears to accept public submissions. Consider adding rate limiting, validation, or spam protection.",
-        file: analysis.relativeFile,
-        suggestion: "Check for rate limiting, validation, captcha, Turnstile, reCAPTCHA, hCaptcha, or another spam protection pattern.",
-        fixPrompt: createPublicFormProtectionFixPrompt(analysis.relativeFile),
-        evidence: analysis.evidence
-      });
+    if (handler.intent === "public-read") {
+      if (includeLowConfidence) {
+        addIssue({
+          ruleId: "api-public-read-route",
+          category: "api",
+          severity: "info",
+          confidence: handler.confidence,
+          title: `Public ${handler.method} handler detected`,
+          message: `The ${handler.method} handler in this route appears intentionally public. Authentication may not be required.`,
+          file: analysis.relativeFile,
+          suggestion: "Verify that it only exposes public or published data and has appropriate validation, caching, and abuse protection.",
+          fixPrompt: createPublicReadRouteFixPrompt(analysis.relativeFile, handler.method),
+          evidence: handler.evidence,
+          context: handler.context
+        });
+      }
+      continue;
     }
-    return;
-  }
-  if (analysis.intent === "internal") {
-    if (!analysis.hasAuth && !analysis.hasSecretProtection) {
-      addIssue({
-        ruleId: "internal-route-missing-protection",
-        category: "security",
-        severity: "warning",
-        confidence: analysis.confidence,
-        title: "Internal API route may be missing protection",
-        message: "This route appears internal or operational. Confirm it is protected by auth, a secret token, or server-only access.",
-        file: analysis.relativeFile,
-        suggestion: "Use the project's existing auth pattern or a secret token check for operational routes such as cron, cleanup, or revalidation.",
-        fixPrompt: createInternalRouteProtectionFixPrompt(analysis.relativeFile),
-        evidence: analysis.evidence
-      });
+    if (handler.intent === "public-form") {
+      if (!handler.hasRateLimit && !handler.hasValidation) {
+        addIssue({
+          ruleId: "public-form-missing-abuse-protection",
+          category: "api",
+          severity: "warning",
+          confidence: handler.confidence,
+          title: `Public form ${handler.method} handler may be missing abuse protection`,
+          message: `The ${handler.method} handler in this route appears to accept public submissions. Consider adding rate limiting, validation, or spam protection.`,
+          file: analysis.relativeFile,
+          suggestion: "Check for rate limiting, validation, captcha, Turnstile, reCAPTCHA, hCaptcha, or another spam protection pattern.",
+          fixPrompt: createPublicFormProtectionFixPrompt(analysis.relativeFile, handler.method),
+          evidence: handler.evidence,
+          context: handler.context
+        });
+      }
+      continue;
     }
-    return;
-  }
-  if (analysis.intent === "sensitive-mutation") {
-    if (!analysis.hasAuth) {
+    if (handler.intent === "internal") {
+      if (!handler.hasAuth && !handler.hasSecretProtection) {
+        addIssue({
+          ruleId: "internal-route-missing-protection",
+          category: "security",
+          severity: "warning",
+          confidence: handler.confidence,
+          title: `Internal ${handler.method} handler may be missing protection`,
+          message: `The ${handler.method} handler in this route appears internal or operational. Confirm it is protected by auth, a secret token, or server-only access.`,
+          file: analysis.relativeFile,
+          suggestion: "Use the project's existing auth pattern or a secret token check for operational handlers such as cron, cleanup, or revalidation.",
+          fixPrompt: createInternalRouteProtectionFixPrompt(analysis.relativeFile, handler.method),
+          evidence: handler.evidence,
+          context: handler.context
+        });
+      }
+      continue;
+    }
+    if (handler.intent === "sensitive-mutation") {
+      if (!handler.hasAuth) {
+        addIssue({
+          ruleId: "sensitive-api-route-missing-auth",
+          category: "security",
+          severity: "warning",
+          confidence: handler.confidence,
+          title: getSensitiveHandlerTitle(handler),
+          message: `The ${handler.method} handler in this route appears to handle uploads or sensitive operations. Confirm it is protected before launch.`,
+          file: analysis.relativeFile,
+          suggestion: "Review the existing project auth/session pattern and apply it if this handler processes private data, uploads, payments, or account changes.",
+          fixPrompt: createApiAuthFixPrompt(analysis.relativeFile, handler.method, handler.intent),
+          evidence: handler.evidence,
+          context: handler.context
+        });
+      }
+      continue;
+    }
+    if (handler.authExpected === "review" && !handler.hasAuth) {
       addIssue({
-        ruleId: "sensitive-api-route-missing-auth",
-        category: "security",
+        ruleId: "api-mutation-route-review-auth",
+        category: "api",
         severity: "warning",
-        confidence: analysis.confidence,
-        title: "Sensitive API route may be missing authentication",
-        message: "This route appears to handle user-specific or sensitive operations. Confirm it is protected before launch.",
+        confidence: handler.confidence,
+        title: "API mutation handler should be reviewed for authentication",
+        message: `The ${handler.method} handler mutates data or handles requests, but Qodfy could not determine whether authentication is required.`,
         file: analysis.relativeFile,
-        suggestion: "Review the existing project auth/session pattern and apply it if this route handles private data, uploads, payments, or account changes.",
-        fixPrompt: createApiAuthFixPrompt(analysis.relativeFile),
-        evidence: analysis.evidence
+        suggestion: "Confirm the handler is intentionally public, or add the existing project auth/session check before handling private data.",
+        fixPrompt: createApiAuthFixPrompt(analysis.relativeFile, handler.method, handler.intent),
+        evidence: handler.evidence,
+        context: handler.context
       });
     }
-    return;
-  }
-  if (analysis.authExpected === "review" && !analysis.hasAuth) {
-    addIssue({
-      ruleId: "api-mutation-route-review-auth",
-      category: "api",
-      severity: "warning",
-      confidence: analysis.confidence,
-      title: "API mutation route should be reviewed for authentication",
-      message: "This route mutates data or handles requests, but Qodfy could not determine whether authentication is required.",
-      file: analysis.relativeFile,
-      suggestion: "Confirm the route is intentionally public, or add the existing project auth/session check before handling private data.",
-      fixPrompt: createApiAuthFixPrompt(analysis.relativeFile),
-      evidence: analysis.evidence
-    });
   }
 }
 function analyzeApiRoute({
@@ -822,25 +844,44 @@ function analyzeApiRoute({
   relativeFile,
   content
 }) {
-  const normalizedFile = relativeFile.toLowerCase();
-  const methods = getRouteHttpMethods(content);
-  const evidence = [];
-  const webhookRouteInfo = getWebhookRouteInfo(relativeFile, content);
-  const hasAuth = hasAuthOrSessionCheck(content);
-  const hasSecretProtection = hasSecretProtectionSignal(content);
-  const hasRateLimit = hasRateLimitSignal(content);
-  const hasValidation = hasValidationSignal(content);
-  const hasCacheHeaders = hasCacheHeaderSignal(content);
-  const hasMethodBlocking = hasMethodBlockingSignal(content);
-  const webhookProvider = webhookRouteInfo?.provider ?? "unknown";
-  const hasWebhookVerification = hasWebhookSignatureVerification(content, webhookProvider);
-  if (methods.length > 0) {
-    for (const method of methods) {
-      evidence.push({ label: "exports", detail: method });
-    }
-  } else {
-    evidence.push({ label: "no exported HTTP method detected" });
+  const exportedHandlers = getExportedRouteHandlers(content);
+  const handlersToAnalyze = exportedHandlers.length > 0 ? exportedHandlers : getRouteHttpMethods(content).map((method) => ({
+    method,
+    body: content,
+    usedFallbackBody: true
+  }));
+  const handlers = handlersToAnalyze.map(
+    (handler) => analyzeApiHandler({
+      relativeFile,
+      content,
+      method: handler.method,
+      body: handler.body,
+      usedFallbackBody: handler.usedFallbackBody
+    })
+  );
+  for (const handler of handlers) {
+    handler.context = getHandlerContext(handler, handlers);
   }
+  const methods = handlers.map((handler) => handler.method);
+  const webhookProvider = getRouteWebhookProvider(handlers, relativeFile, content);
+  return {
+    file,
+    relativeFile,
+    methods,
+    handlers,
+    routeIntent: getRouteIntent(handlers),
+    evidence: methods.map((method) => ({ label: "exports", detail: method })),
+    webhookProvider
+  };
+}
+function analyzeApiHandler({
+  relativeFile,
+  content,
+  method,
+  body,
+  usedFallbackBody
+}) {
+  const normalizedFile = relativeFile.toLowerCase();
   const webhookPathMatch = getRoutePathMatch(normalizedFile, ["webhook", "webhooks", "callback"]);
   const internalPathMatch = getRoutePathMatch(normalizedFile, ["internal", "admin", "cron", "cleanup", "revalidate", "private"]);
   const formPathMatch = getRoutePathMatch(normalizedFile, ["contact", "subscribe", "newsletter", "lead", "inquiry"]);
@@ -874,7 +915,35 @@ function analyzeApiRoute({
     "sitemap",
     "rss"
   ]);
+  const handlerContent = body || content;
+  const webhookRouteInfo = getWebhookRouteInfo(relativeFile, handlerContent);
+  const webhookProvider = webhookRouteInfo?.provider ?? getWebhookProvider(`${normalizedFile}
+${handlerContent.toLowerCase()}`);
+  const protectionAnalysis = analyzeHandlerProtection({
+    handlerBody: handlerContent,
+    fullFileContent: content
+  });
+  const hasWeakAuthSignal = hasWeakAuthRelatedSignal(handlerContent);
+  const hasStrongProtection = hasStrongProtectionCallBeforeSensitiveWork(
+    handlerContent,
+    protectionAnalysis.sensitiveOperation
+  );
+  const hasAuth = protectionAnalysis.hasAccessControlGuard || hasStrongProtection;
+  const hasSecretProtection = hasSecretProtectionGuardBeforeSensitiveWork(
+    handlerContent,
+    protectionAnalysis.sensitiveOperation
+  );
+  const hasWeakSecretSignal = hasWeakSecretProtectionSignal(handlerContent);
+  const hasRateLimit = hasRateLimitSignal(handlerContent);
+  const hasValidation = hasValidationSignal(handlerContent);
+  const hasCacheHeaders = hasCacheHeaderSignal(handlerContent);
+  const hasMethodBlocking = hasMethodBlockingSignal(handlerContent);
+  const hasWebhookVerification = hasWebhookSignatureVerification(handlerContent, webhookProvider);
+  const evidence = [{ label: "exports", detail: method }];
   let intent = "unknown";
+  if (usedFallbackBody) {
+    evidence.push({ label: "handler body extraction fallback", detail: "using full file" });
+  }
   if (webhookRouteInfo || webhookPathMatch) {
     intent = "webhook";
     evidence.push({
@@ -884,54 +953,79 @@ function analyzeApiRoute({
   } else if (internalPathMatch) {
     intent = "internal";
     evidence.push({ label: "path contains", detail: internalPathMatch });
-  } else if (formPathMatch) {
+  } else if (method === "POST" && formPathMatch) {
     intent = "public-form";
     evidence.push({ label: "path contains", detail: formPathMatch });
-  } else if (hasMutationMethod(methods) && sensitivePathMatch) {
+  } else if (method === "GET" && publicContentPathMatch && !sensitivePathMatch && !internalPathMatch) {
+    intent = "public-read";
+    evidence.push({ label: "public read path detected", detail: publicContentPathMatch });
+  } else if (isMutationMethod(method) && sensitivePathMatch && !hasMethodBlocking) {
     intent = "sensitive-mutation";
     evidence.push({ label: "path contains", detail: sensitivePathMatch });
-  } else if (methods.includes("GET") && publicContentPathMatch && !sensitivePathMatch && !internalPathMatch) {
-    intent = "public-read";
-    evidence.push({ label: "public content route detected", detail: publicContentPathMatch });
   }
-  if (hasAuth) {
-    evidence.push({ label: "auth/session check detected" });
+  if (protectionAnalysis.sensitiveOperation) {
+    evidence.push({
+      label: `sensitive operation ${protectionAnalysis.sensitiveOperation.label} detected`,
+      detail: `${method} handler`
+    });
+  }
+  if (protectionAnalysis.hasAccessControlGuard) {
+    evidence.push(...protectionAnalysis.evidence);
+  } else if (hasStrongProtection) {
+    evidence.push({
+      label: "strong protection call detected before sensitive work",
+      detail: `${method} handler`
+    });
+  } else if (hasWeakAuthSignal) {
+    evidence.push({
+      label: "possible auth-related signal detected",
+      detail: `${method} handler`
+    });
+  } else if (protectionAnalysis.sensitiveOperation) {
+    evidence.push({ label: `no access-control guard detected before sensitive operation`, detail: `${method} handler` });
   } else {
-    evidence.push({ label: "no auth/session check detected" });
+    evidence.push({ label: `no auth/session check detected in ${method} handler` });
   }
   if (hasSecretProtection) {
-    evidence.push({ label: "secret token check detected" });
-  }
-  if (hasRateLimit) {
-    evidence.push({ label: "rate limit detected" });
-  } else if (intent === "public-form") {
-    evidence.push({ label: "no rate limit detected" });
+    evidence.push({ label: `secret-token guard detected before sensitive work`, detail: `${method} handler` });
+  } else if (hasWeakSecretSignal) {
+    evidence.push({ label: `possible secret/token signal detected`, detail: `${method} handler` });
   }
-  if (hasValidation) {
-    evidence.push({ label: "validation detected" });
-  } else if (intent === "public-form") {
-    evidence.push({ label: "no validation detected" });
+  if (intent === "public-form") {
+    evidence.push({
+      label: hasRateLimit ? "rate limit detected" : "no rate limit detected",
+      detail: `${method} handler`
+    });
+    evidence.push({
+      label: hasValidation ? "validation detected" : "no validation detected",
+      detail: `${method} handler`
+    });
   }
-  if (hasCacheHeaders) {
-    evidence.push({ label: "cache/public-read safety signal detected" });
+  if (intent === "public-read") {
+    if (hasRateLimit) {
+      evidence.push({ label: "rate limit detected", detail: `${method} handler` });
+    }
+    if (hasValidation) {
+      evidence.push({ label: "validation detected", detail: `${method} handler` });
+    }
+    if (hasCacheHeaders) {
+      evidence.push({ label: "cache/public-read safety signal detected", detail: `${method} handler` });
+    }
   }
   if (hasMethodBlocking) {
-    evidence.push({ label: "method blocking detected" });
+    evidence.push({ label: "method blocking detected", detail: `${method} handler` });
   }
   if (intent === "webhook") {
-    if (hasWebhookVerification) {
-      evidence.push({ label: "webhook signature verification detected" });
-    } else {
-      evidence.push({ label: "no webhook signature verification detected" });
-    }
+    evidence.push({
+      label: hasWebhookVerification ? "webhook signature verification detected" : "no webhook signature verification detected",
+      detail: `${method} handler`
+    });
   }
   return {
-    file,
-    relativeFile,
-    methods,
+    method,
     intent,
-    authExpected: getAuthExpectation(intent, methods),
-    confidence: getApiRouteConfidence(intent, methods, webhookRouteInfo),
+    authExpected: getHandlerAuthExpectation(intent, method, hasMethodBlocking),
+    confidence: getApiHandlerConfidence(intent, method, webhookRouteInfo, hasMethodBlocking),
     evidence,
     hasAuth,
     hasSecretProtection,
@@ -939,31 +1033,89 @@ function analyzeApiRoute({
     hasValidation,
     hasCacheHeaders,
     hasMethodBlocking,
-    hasWebhookVerification,
-    webhookProvider
+    hasWebhookVerification
   };
 }
-function getAuthExpectation(intent, methods) {
+function getHandlerContext(handler, handlers) {
+  const context = [];
+  for (const otherHandler of handlers) {
+    if (otherHandler.method === handler.method) {
+      continue;
+    }
+    context.push({ label: "route also exports", detail: otherHandler.method });
+    if (otherHandler.intent === "public-read") {
+      context.push({ label: "public read handler detected", detail: otherHandler.method });
+    }
+    if (otherHandler.hasCacheHeaders) {
+      context.push({ label: "cache/public-read safety signal detected", detail: `${otherHandler.method} handler` });
+    }
+    if (otherHandler.hasMethodBlocking) {
+      context.push({ label: "method blocking detected", detail: `${otherHandler.method} handler` });
+    }
+  }
+  return context.length > 0 ? context : void 0;
+}
+function getRouteIntent(handlers) {
+  const intentPriority = [
+    "webhook",
+    "internal",
+    "sensitive-mutation",
+    "public-form",
+    "public-read",
+    "unknown"
+  ];
+  return intentPriority.find(
+    (intent) => handlers.some((handler) => handler.intent === intent)
+  ) ?? "unknown";
+}
+function getRouteWebhookProvider(handlers, relativeFile, content) {
+  const routeWebhookInfo = getWebhookRouteInfo(relativeFile, content);
+  if (routeWebhookInfo?.provider && routeWebhookInfo.provider !== "unknown") {
+    return routeWebhookInfo.provider;
+  }
+  const webhookHandler = handlers.find((handler) => handler.intent === "webhook");
+  if (!webhookHandler) {
+    return "unknown";
+  }
+  const providerFromEvidence = webhookHandler.evidence.find(
+    (item) => item.label === "webhook content detected" && item.detail && item.detail !== "unknown"
+  );
+  return providerFromEvidence?.detail ?? "unknown";
+}
+function getHandlerAuthExpectation(intent, method, hasMethodBlocking) {
+  if (hasMethodBlocking || intent === "public-read" || intent === "public-form" || intent === "webhook") {
+    return false;
+  }
   if (intent === "internal" || intent === "sensitive-mutation") {
     return true;
   }
-  if (intent === "unknown" && hasMutationMethod(methods)) {
+  if (isMutationMethod(method)) {
     return "review";
   }
   return false;
 }
-function getApiRouteConfidence(intent, methods, webhookRouteInfo) {
+function getApiHandlerConfidence(intent, method, webhookRouteInfo, hasMethodBlocking) {
+  if (hasMethodBlocking) {
+    return "low";
+  }
   if (intent === "sensitive-mutation" || intent === "internal") {
     return "high";
   }
   if (intent === "webhook") {
     return webhookRouteInfo?.confidence === "high" ? "high" : "medium";
   }
-  if (intent === "public-form" || intent === "unknown" && hasMutationMethod(methods)) {
+  if (intent === "public-form" || intent === "unknown" && isMutationMethod(method)) {
     return "medium";
   }
   return "low";
 }
+function getSensitiveHandlerTitle(handler) {
+  const pathSignal = handler.evidence.find((item) => item.label === "path contains")?.detail;
+  if (handler.method === "POST" && pathSignal === "upload") {
+    return "Upload POST handler may be missing authentication";
+  }
+  return `Sensitive ${handler.method} handler may be missing authentication`;
+}
 function getRoutePathMatch(normalizedFile, terms) {
   return terms.find((term) => {
     const escapedTerm = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
@@ -971,16 +1123,123 @@ function getRoutePathMatch(normalizedFile, terms) {
   });
 }
 function getExportedHttpMethods(content) {
-  const methods = /* @__PURE__ */ new Set();
-  const functionExportPattern = /\bexport\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/g;
-  const constExportPattern = /\bexport\s+const\s+(GET|POST|PUT|PATCH|DELETE)\b/g;
+  return getExportedRouteHandlers(content).map((handler) => handler.method);
+}
+function getExportedRouteHandlers(content) {
+  const handlers = [];
+  const functionExportPattern = /\bexport\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\s*\(/g;
+  const constExportPattern = /\bexport\s+const\s+(GET|POST|PUT|PATCH|DELETE)\s*=/g;
   for (const match of content.matchAll(functionExportPattern)) {
-    methods.add(match[1]);
+    handlers.push(extractRouteHandlerBody(content, match.index ?? 0, match[1], "function"));
   }
   for (const match of content.matchAll(constExportPattern)) {
-    methods.add(match[1]);
+    handlers.push(extractRouteHandlerBody(content, match.index ?? 0, match[1], "const"));
   }
-  return [...methods];
+  return handlers.sort(
+    (leftHandler, rightHandler) => getMethodRank(leftHandler.method) - getMethodRank(rightHandler.method)
+  );
+}
+function extractRouteHandlerBody(content, exportIndex, method, exportKind) {
+  const nextExportIndex = findNextRouteHandlerExport(content, exportIndex + 1);
+  const handlerEnd = nextExportIndex === -1 ? content.length : nextExportIndex;
+  const openBraceIndex = getRouteHandlerBodyOpenBrace(content, exportIndex, handlerEnd, exportKind);
+  if (openBraceIndex !== -1 && openBraceIndex < handlerEnd) {
+    const closeBraceIndex = findMatchingBrace(content, openBraceIndex);
+    if (closeBraceIndex !== -1) {
+      return {
+        method,
+        body: content.slice(openBraceIndex, closeBraceIndex + 1),
+        usedFallbackBody: false
+      };
+    }
+  }
+  return {
+    method,
+    body: content.slice(exportIndex, handlerEnd),
+    usedFallbackBody: true
+  };
+}
+function getRouteHandlerBodyOpenBrace(content, exportIndex, handlerEnd, exportKind) {
+  if (exportKind === "function") {
+    const openParenIndex = content.indexOf("(", exportIndex);
+    if (openParenIndex !== -1 && openParenIndex < handlerEnd) {
+      const closeParenIndex = findMatchingParen(content, openParenIndex);
+      if (closeParenIndex !== -1 && closeParenIndex < handlerEnd) {
+        return content.indexOf("{", closeParenIndex);
+      }
+    }
+  }
+  const equalsIndex = content.indexOf("=", exportIndex);
+  if (equalsIndex !== -1 && equalsIndex < handlerEnd) {
+    const arrowIndex = content.indexOf("=>", equalsIndex);
+    if (arrowIndex !== -1 && arrowIndex < handlerEnd) {
+      return content.indexOf("{", arrowIndex);
+    }
+  }
+  return content.indexOf("{", exportIndex);
+}
+function findNextRouteHandlerExport(content, startIndex) {
+  const nextExportPattern = /\bexport\s+(?:async\s+)?(?:function|const)\s+(GET|POST|PUT|PATCH|DELETE)\b/g;
+  nextExportPattern.lastIndex = startIndex;
+  const match = nextExportPattern.exec(content);
+  return match?.index ?? -1;
+}
+function findMatchingParen(content, openParenIndex) {
+  let depth = 0;
+  for (let index = openParenIndex; index < content.length; index++) {
+    const character = content[index];
+    if (character === "(") {
+      depth++;
+    } else if (character === ")") {
+      depth--;
+      if (depth === 0) {
+        return index;
+      }
+    }
+  }
+  return -1;
+}
+function getIfStatements(content, startIndex = 0, endIndex = content.length) {
+  const statements = [];
+  const ifPattern = /\bif\s*\(/g;
+  ifPattern.lastIndex = startIndex;
+  let match;
+  while ((match = ifPattern.exec(content)) !== null) {
+    const matchIndex = match.index;
+    if (matchIndex > endIndex) {
+      break;
+    }
+    const openParenIndex = content.indexOf("(", matchIndex);
+    if (openParenIndex === -1 || openParenIndex > endIndex) {
+      continue;
+    }
+    const closeParenIndex = findMatchingParen(content, openParenIndex);
+    if (closeParenIndex === -1 || closeParenIndex > endIndex) {
+      continue;
+    }
+    statements.push({
+      index: matchIndex,
+      condition: content.slice(openParenIndex + 1, closeParenIndex),
+      branchStartIndex: closeParenIndex + 1
+    });
+    ifPattern.lastIndex = closeParenIndex + 1;
+  }
+  return statements;
+}
+function findMatchingBrace(content, openBraceIndex) {
+  let depth = 0;
+  for (let index = openBraceIndex; index < content.length; index++) {
+    const character = content[index];
+    if (character === "{") {
+      depth++;
+    } else if (character === "}") {
+      depth--;
+      if (depth === 0) {
+        return index;
+      }
+    }
+  }
+  return -1;
 }
 function getRouteHttpMethods(content) {
   const methods = new Set(getExportedHttpMethods(content));
@@ -994,19 +1253,372 @@ function getRouteHttpMethods(content) {
   }
   return [...methods];
 }
-function hasMutationMethod(methods) {
-  return ["POST", "PUT", "PATCH", "DELETE"].some(
-    (method) => methods.includes(method)
-  );
+function getMethodRank(method) {
+  const methodOrder = ["GET", "POST", "PUT", "PATCH", "DELETE"];
+  return methodOrder.indexOf(method);
 }
-function hasAuthOrSessionCheck(content) {
-  const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("auth(") || normalizedContent.includes("getserversession") || normalizedContent.includes("currentuser") || normalizedContent.includes("clerkclient") || normalizedContent.includes("session") || normalizedContent.includes("requireauth") || normalizedContent.includes("requireuser") || normalizedContent.includes("requireadmin") || normalizedContent.includes("verifysession") || normalizedContent.includes("getuser") || normalizedContent.includes("jwt") || normalizedContent.includes("authorization") || normalizedContent.includes("bearer") || normalizedContent.includes("cookies()") || normalizedContent.includes("request.cookies") || normalizedContent.includes("middleware");
+function isMutationMethod(method) {
+  return method !== "GET";
+}
+function analyzeHandlerProtection({
+  handlerBody,
+  fullFileContent
+}) {
+  const imports = getImportInfos(fullFileContent);
+  const sensitiveOperation = getFirstSensitiveOperation(handlerBody);
+  const helperAssignments = getHelperAssignments(handlerBody);
+  for (const assignment of helperAssignments) {
+    if (isRawRequestAccessorHelper(assignment.helperName)) {
+      continue;
+    }
+    if (!isGuardHelperAssignmentNearTop(assignment.index, handlerBody, sensitiveOperation)) {
+      continue;
+    }
+    const guard = findAccessControlGuardForVariable({
+      handlerBody,
+      variableName: assignment.variableName,
+      startIndex: assignment.endIndex
+    });
+    if (!guard) {
+      continue;
+    }
+    if (sensitiveOperation && guard.endIndex > sensitiveOperation.index) {
+      continue;
+    }
+    const importInfo = getImportInfoForHelper(imports, assignment.helperName);
+    const evidence = [
+      { label: "access-control guard detected" },
+      { label: "helper call assigned to variable", detail: assignment.variableName },
+      { label: "guard checks variable", detail: assignment.variableName },
+      { label: guard.returnSignal }
+    ];
+    if (sensitiveOperation) {
+      evidence.push({ label: "guard appears before sensitive operation", detail: sensitiveOperation.label });
+    }
+    if (importInfo?.isProtectionSource) {
+      evidence.push({ label: "helper imported from protection module", detail: importInfo.source });
+    }
+    return {
+      hasAccessControlGuard: true,
+      evidence,
+      sensitiveOperation
+    };
+  }
+  return {
+    hasAccessControlGuard: false,
+    evidence: [],
+    sensitiveOperation
+  };
+}
+function getImportInfos(content) {
+  const imports = [];
+  const importPattern = /import\s+(?:type\s+)?([\s\S]*?)\s+from\s+["']([^"']+)["'];?/g;
+  for (const match of content.matchAll(importPattern)) {
+    const importClause = match[1]?.trim();
+    const source = match[2];
+    if (!importClause || !source) {
+      continue;
+    }
+    const isProtectionSource = isProtectionImportSource(source);
+    const namedImportMatch = importClause.match(/\{([\s\S]*?)\}/);
+    if (namedImportMatch?.[1]) {
+      const namedImports = namedImportMatch[1].split(",");
+      for (const namedImport of namedImports) {
+        const parts = namedImport.trim().split(/\s+as\s+/i);
+        const importedName = parts[0]?.trim();
+        const localName = parts[1]?.trim() ?? importedName;
+        if (importedName && localName) {
+          imports.push({
+            localName,
+            importedName,
+            source,
+            isProtectionSource
+          });
+        }
+      }
+    }
+    const clauseBeforeNamedImports = importClause.split("{")[0]?.replace(/,\s*$/, "").trim();
+    if (clauseBeforeNamedImports && !clauseBeforeNamedImports.startsWith("*")) {
+      const defaultImport = clauseBeforeNamedImports.split(",")[0]?.trim();
+      if (defaultImport && /^[A-Za-z_$][\w$]*$/.test(defaultImport)) {
+        imports.push({
+          localName: defaultImport,
+          importedName: "default",
+          source,
+          isProtectionSource
+        });
+      }
+    }
+    const namespaceImportMatch = importClause.match(/\*\s+as\s+([A-Za-z_$][\w$]*)/);
+    if (namespaceImportMatch?.[1]) {
+      imports.push({
+        localName: namespaceImportMatch[1],
+        importedName: "*",
+        source,
+        isProtectionSource
+      });
+    }
+  }
+  return imports;
+}
+function isProtectionImportSource(source) {
+  const normalizedSource = source.toLowerCase();
+  const protectionSourceTerms = [
+    "auth",
+    "session",
+    "sessions",
+    "staff",
+    "permission",
+    "permissions",
+    "access",
+    "access-control",
+    "security",
+    "user",
+    "users"
+  ];
+  return protectionSourceTerms.some((term) => normalizedSource.includes(term));
+}
+function getHelperAssignments(handlerBody) {
+  const assignments = [];
+  const assignmentPattern = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:await\s+)?([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?)\s*\(/g;
+  for (const match of handlerBody.matchAll(assignmentPattern)) {
+    const variableName = match[1];
+    const helperName = match[2];
+    const index = match.index ?? 0;
+    if (!variableName || !helperName) {
+      continue;
+    }
+    assignments.push({
+      variableName,
+      helperName,
+      index,
+      endIndex: index + match[0].length
+    });
+  }
+  return assignments;
+}
+function isRawRequestAccessorHelper(helperName) {
+  const normalizedHelperName = helperName.toLowerCase();
+  const rawAccessorHelpers = [
+    "request.headers.get",
+    "req.headers.get",
+    "headers.get",
+    "request.cookies.get",
+    "req.cookies.get",
+    "request.nexturl.searchparams.get",
+    "req.nexturl.searchparams.get",
+    "searchparams.get",
+    "cookies"
+  ];
+  return rawAccessorHelpers.includes(normalizedHelperName);
+}
+function isGuardHelperAssignmentNearTop(assignmentIndex, handlerBody, sensitiveOperation) {
+  if (sensitiveOperation) {
+    return assignmentIndex < sensitiveOperation.index;
+  }
+  return assignmentIndex < Math.min(1500, handlerBody.length);
+}
+function findAccessControlGuardForVariable({
+  handlerBody,
+  variableName,
+  startIndex
+}) {
+  const guardSearchEnd = Math.min(handlerBody.length, startIndex + 2500);
+  const ifStatements = getIfStatements(handlerBody, startIndex, guardSearchEnd);
+  for (const ifStatement of ifStatements) {
+    if (!doesConditionBlockWhenVariableMissing(ifStatement.condition, variableName)) {
+      continue;
+    }
+    const branch = getIfFailureBranch(handlerBody, ifStatement.branchStartIndex);
+    const returnSignal = getAccessDeniedReturnSignal(branch.text);
+    if (!returnSignal) {
+      continue;
+    }
+    return {
+      endIndex: branch.endIndex,
+      returnSignal
+    };
+  }
+  return null;
 }
-function hasSecretProtectionSignal(content) {
+function doesConditionBlockWhenVariableMissing(condition, variableName) {
+  const escapedVariableName = escapeRegExp(variableName);
+  return new RegExp(`!\\s*${escapedVariableName}(?:\\b|\\?\\.|\\.)`).test(condition) || new RegExp(`\\b${escapedVariableName}\\s*(?:={2,3})\\s*(?:null|undefined|false)\\b`).test(condition) || new RegExp(`\\b(?:null|undefined|false)\\s*(?:={2,3})\\s*${escapedVariableName}\\b`).test(condition) || new RegExp(`!\\s*${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*`).test(condition) || new RegExp(`\\b${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*\\s*(?:={2,3})\\s*false\\b`).test(condition) || new RegExp(`\\bfalse\\s*(?:={2,3})\\s*${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*\\b`).test(condition);
+}
+function getIfFailureBranch(handlerBody, branchStartIndex) {
+  let index = branchStartIndex;
+  while (/\s/.test(handlerBody[index] ?? "")) {
+    index++;
+  }
+  if (handlerBody[index] === "{") {
+    const closeBraceIndex = findMatchingBrace(handlerBody, index);
+    if (closeBraceIndex !== -1) {
+      return {
+        text: handlerBody.slice(index, closeBraceIndex + 1),
+        endIndex: closeBraceIndex
+      };
+    }
+  }
+  const semicolonIndex = handlerBody.indexOf(";", index);
+  const newlineIndex = handlerBody.indexOf("\n", index);
+  const branchEndIndex = [semicolonIndex, newlineIndex].filter((candidateIndex) => candidateIndex !== -1).sort((leftIndex, rightIndex) => leftIndex - rightIndex)[0] ?? Math.min(handlerBody.length, index + 300);
+  return {
+    text: handlerBody.slice(index, branchEndIndex + 1),
+    endIndex: branchEndIndex
+  };
+}
+function getAccessDeniedReturnSignal(branchText) {
+  const normalizedBranch = branchText.toLowerCase();
+  if (!normalizedBranch.includes("return") && !normalizedBranch.includes("redirect(")) {
+    return null;
+  }
+  if (/\bstatus\s*:\s*401\b/.test(normalizedBranch) || /\b401\b/.test(normalizedBranch)) {
+    return "guard returns 401";
+  }
+  if (/\bstatus\s*:\s*403\b/.test(normalizedBranch) || /\b403\b/.test(normalizedBranch)) {
+    return "guard returns 403";
+  }
+  if (normalizedBranch.includes("unauthorized")) {
+    return "guard returns Unauthorized";
+  }
+  if (normalizedBranch.includes("forbidden")) {
+    return "guard returns Forbidden";
+  }
+  if (/redirect\s*\(\s*["']\/(?:login|sign-in|signin|auth)/.test(normalizedBranch)) {
+    return "guard redirects to login";
+  }
+  return null;
+}
+function getImportInfoForHelper(imports, helperName) {
+  const helperRootName = helperName.split(".")[0];
+  return imports.find((importInfo) => importInfo.localName === helperRootName);
+}
+function getFirstSensitiveOperation(handlerBody) {
+  const sensitiveOperationPatterns = [
+    { label: "request.formData", pattern: /\brequest\.formData\s*\(/i },
+    { label: "request.json", pattern: /\brequest\.json\s*\(/i },
+    { label: "file.arrayBuffer", pattern: /\b[A-Za-z_$][\w$]*\.arrayBuffer\s*\(/i },
+    { label: "Buffer.from", pattern: /\bBuffer\.from\s*\(/ },
+    { label: "uploadToR2", pattern: /\buploadToR2\s*\(/i },
+    { label: "upload", pattern: /\bupload[A-Za-z0-9_$]*\s*\(/i },
+    { label: "putObject", pattern: /\bputObject\s*\(/i },
+    { label: "storage", pattern: /\bstorage\b/i },
+    { label: "write", pattern: /\bwrite[A-Za-z0-9_$]*\s*\(/i },
+    { label: "create", pattern: /\bcreate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "update", pattern: /\bupdate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "delete", pattern: /\bdelete[A-Za-z0-9_$]*\s*\(/i },
+    { label: "insert", pattern: /\binsert[A-Za-z0-9_$]*\s*\(/i },
+    { label: "cleanup", pattern: /\bcleanup[A-Za-z0-9_$]*\s*\(/i },
+    { label: "revalidate", pattern: /\brevalidate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "prisma", pattern: /\bprisma\./i },
+    { label: "db", pattern: /\bdb\./i },
+    { label: "checkout", pattern: /\bcheckout\b/i },
+    { label: "payment", pattern: /\bpayment\b/i },
+    { label: "send", pattern: /\bsend[A-Za-z0-9_$]*\s*\(/i },
+    { label: "mutation", pattern: /\bmutation\b/i }
+  ];
+  const matches = [];
+  for (const sensitiveOperationPattern of sensitiveOperationPatterns) {
+    const match = sensitiveOperationPattern.pattern.exec(handlerBody);
+    if (match?.index !== void 0) {
+      matches.push({
+        label: sensitiveOperationPattern.label,
+        index: match.index
+      });
+    }
+  }
+  return matches.sort((leftMatch, rightMatch) => leftMatch.index - rightMatch.index)[0];
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function hasWeakAuthRelatedSignal(content) {
+  const normalizedContent = stripStrongProtectionIdentifiers(content).toLowerCase();
+  const weakSignals = [
+    "session",
+    "authorization",
+    "bearer",
+    "cookies()",
+    "request.cookies",
+    "middleware",
+    "getuser",
+    "jwt",
+    "auth(",
+    "getserversession",
+    "currentuser",
+    "clerkclient"
+  ];
+  return weakSignals.some((signal) => normalizedContent.includes(signal));
+}
+function stripStrongProtectionIdentifiers(content) {
+  return content.replace(/\b(?:await\s+)?require(?:Auth|User|Admin)\s*\([^)]*\)/gi, "").replace(/\bauth\.protect\s*\([^)]*\)/gi, "").replace(/\b(?:await\s+)?verifySession\s*\([^)]*\)/gi, "");
+}
+function hasStrongProtectionCallBeforeSensitiveWork(handlerBody, sensitiveOperation) {
+  const protectionCutoffIndex = sensitiveOperation?.index ?? Math.min(2e3, handlerBody.length);
+  const strongProtectionPatterns = [
+    /\b(?:await\s+)?requireAuth\s*\(/gi,
+    /\b(?:await\s+)?requireUser\s*\(/gi,
+    /\b(?:await\s+)?requireAdmin\s*\(/gi,
+    /\bauth\.protect\s*\(/gi,
+    /(?:^|[;{\n]\s*)(?:await\s+)?verifySession\s*\(/gi
+  ];
+  for (const pattern of strongProtectionPatterns) {
+    pattern.lastIndex = 0;
+    for (const match of handlerBody.matchAll(pattern)) {
+      if ((match.index ?? Number.POSITIVE_INFINITY) < protectionCutoffIndex) {
+        return true;
+      }
+    }
+  }
+  return hasAuthGuardRedirectBeforeIndex(handlerBody, protectionCutoffIndex) || hasThrowBasedAuthGuardBeforeIndex(handlerBody, protectionCutoffIndex);
+}
+function hasAuthGuardRedirectBeforeIndex(handlerBody, cutoffIndex) {
+  const redirectPattern = /\bif\s*\(([\s\S]*?)\)\s*(?:return\s+)?redirect\s*\(\s*["']\/(?:login|sign-in|signin|auth)/gi;
+  for (const match of handlerBody.matchAll(redirectPattern)) {
+    const condition = match[1] ?? "";
+    if ((match.index ?? Number.POSITIVE_INFINITY) < cutoffIndex && /\!/.test(condition)) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasThrowBasedAuthGuardBeforeIndex(handlerBody, cutoffIndex) {
+  const throwGuardPattern = /\bif\s*\(([\s\S]*?)\)\s*(?:throw\s+new\s+\w+|throw\s+[^;]*(?:Unauthorized|Forbidden|401|403))/gi;
+  for (const match of handlerBody.matchAll(throwGuardPattern)) {
+    const condition = match[1] ?? "";
+    const guardText = match[0] ?? "";
+    if ((match.index ?? Number.POSITIVE_INFINITY) < cutoffIndex && /\!/.test(condition) && /Unauthorized|Forbidden|401|403/i.test(guardText)) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasWeakSecretProtectionSignal(content) {
   const normalizedContent = content.toLowerCase();
   return /\bprocess\.env\.[A-Za-z0-9_]*SECRET\b/.test(content) || /\bprocess\.env\[['"`][A-Za-z0-9_]*SECRET['"`]\]/.test(content) || normalizedContent.includes("cron_secret") || normalizedContent.includes("revalidate_secret") || normalizedContent.includes("authorization") || normalizedContent.includes("bearer") || normalizedContent.includes("token");
 }
+function hasSecretProtectionGuardBeforeSensitiveWork(handlerBody, sensitiveOperation) {
+  const protectionCutoffIndex = sensitiveOperation?.index ?? Math.min(2e3, handlerBody.length);
+  const ifStatements = getIfStatements(handlerBody, 0, protectionCutoffIndex);
+  for (const ifStatement of ifStatements) {
+    if (!isSecretTokenGuardCondition(ifStatement.condition)) {
+      continue;
+    }
+    const branch = getIfFailureBranch(handlerBody, ifStatement.branchStartIndex);
+    if (getAccessDeniedReturnSignal(branch.text)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isSecretTokenGuardCondition(condition) {
+  const normalizedCondition = condition.toLowerCase();
+  const hasSecretInput = /\b(?:token|secret|authorization|bearer)\b/i.test(condition) || /\bheaders\.get\s*\(\s*["'][^"']*(?:authorization|secret|token|key)[^"']*["']\s*\)/i.test(condition) || /\bsearchParams\.get\s*\(\s*["'](?:secret|token|key)["']\s*\)/i.test(condition);
+  const hasExpectedSecret = /\bprocess\.env\.[A-Za-z0-9_]*(?:SECRET|TOKEN|KEY)\b/.test(condition) || /\b(?:expected|valid|required|cron|revalidate)[A-Za-z0-9_]*(?:Secret|Token|Key)\b/.test(condition) || /\b(?:expected|valid|required|cron|revalidate)[a-z0-9_]*(?:secret|token|key)\b/.test(normalizedCondition);
+  const hasSecretValidationCall = /\b(?:isValid|verify|validate|compare)[A-Za-z0-9_]*(?:Secret|Token|Key)?\s*\(/.test(condition) || /\btimingSafeEqual\s*\(/.test(condition);
+  const hasComparison = /!==|!=|===|==/.test(condition) || /\b(?:timingSafeEqual|compare|verify|isValid|validate)[A-Za-z0-9_]*\s*\(/.test(condition);
+  return hasSecretInput && (hasExpectedSecret || hasSecretValidationCall) && hasComparison;
+}
 function hasRateLimitSignal(content) {
   const normalizedContent = content.toLowerCase();
   return normalizedContent.includes("ratelimit") || normalizedContent.includes("rate limit") || normalizedContent.includes("limiter") || normalizedContent.includes("upstash") || normalizedContent.includes("throttle");
@@ -1017,7 +1629,7 @@ function hasValidationSignal(content) {
 }
 function hasCacheHeaderSignal(content) {
   const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("cache-control") || normalizedContent.includes("s-maxage") || normalizedContent.includes("stale-while-revalidate") || normalizedContent.includes("public") || normalizedContent.includes("published") || normalizedContent.includes("status");
+  return normalizedContent.includes("cache-control") || normalizedContent.includes("s-maxage") || normalizedContent.includes("stale-while-revalidate") || normalizedContent.includes("public") || normalizedContent.includes("published");
 }
 function hasMethodBlockingSignal(content) {
   const normalizedContent = content.toLowerCase();
@@ -1179,7 +1791,54 @@ function getLargeFileIssueCopy(kind) {
     suggestion: "Review whether this file mixes unrelated responsibilities. If so, split it into smaller modules while preserving behavior."
   };
 }
-function createApiAuthFixPrompt(file) {
+function createApiAuthFixPrompt(file, method, intent = "unknown") {
+  if (method && intent === "sensitive-mutation") {
+    return `Review the API route at ${file}.
+
+Qodfy detected a possible issue in the ${method} handler.
+
+Goal:
+Determine whether the ${method} handler should be protected.
+
+Instructions:
+- Inspect each exported HTTP handler separately.
+- Do not add authentication to a GET handler if it is intentionally public.
+- If the ${method} handler already has a guard that returns 401/403 before sensitive logic, explain where it happens and do not add duplicate auth.
+- If the ${method} handler handles file uploads, private data, storage writes, payments, account changes, or user-specific actions, add the existing project auth/session check before sensitive logic.
+- Also verify protections such as input validation, file size limits for uploads, storage path safety, and rate limiting where relevant.
+- Do not introduce a new auth provider.
+- Do not refactor unrelated code.
+- Keep existing response formats unchanged.
+- If the ${method} handler is intentionally public, add a short comment explaining why and confirm abuse protection exists.
+
+Return:
+- Whether each handler is public or protected.
+- Whether the ${method} handler should be protected.
+- The safest code change.
+- Edge cases to test.`;
+  }
+  if (method && intent === "unknown") {
+    return `Review the API route at ${file}.
+
+Qodfy detected a mutation handler that should be reviewed: ${method}.
+
+Goal:
+Determine whether the ${method} handler should be public or protected.
+
+Instructions:
+- Inspect each exported HTTP handler separately.
+- Check what data the ${method} handler reads, writes, or returns.
+- If it handles private data, user-specific data, writes, uploads, or admin actions, add the existing project auth/session check.
+- If it is intentionally public, document why and confirm validation and abuse protection exist.
+- Do not introduce a new auth provider.
+- Do not refactor unrelated code.
+- Keep existing response formats unchanged.
+
+Return:
+- Whether the ${method} handler should be protected.
+- The safest code change, if any.
+- Edge cases to test.`;
+  }
   return `Review the API route at ${file}.
 
 Goal:
@@ -1198,34 +1857,40 @@ Return:
 - The updated code.
 - Any edge cases I should test.`;
 }
-function createPublicReadRouteFixPrompt(file) {
+function createPublicReadRouteFixPrompt(file, method = "GET") {
   return `Review the public read API route at ${file}.
 
+Qodfy detected this as a likely public ${method} handler.
+
 Goal:
-Verify that this route is safe to remain public.
+Verify that the ${method} handler is safe to remain public.
 
 Instructions:
-- Confirm it only exposes published, public, or non-sensitive data.
+- Inspect each exported HTTP handler separately.
+- Confirm the ${method} handler only exposes published, public, or non-sensitive data.
 - Check that route params and query values are validated or sanitized.
 - Check for appropriate cache headers where useful.
 - Check for abuse protection if the route can be called heavily.
-- Do not add user authentication unless the route should be private.
+- Do not add user authentication to the ${method} handler unless it should be private.
 - Do not refactor unrelated code.
 
 Return:
-- Whether this route appears intentionally public.
+- Whether the ${method} handler appears intentionally public.
 - Any low-risk safety improvements.
 - Any edge cases I should test.`;
 }
-function createPublicFormProtectionFixPrompt(file) {
+function createPublicFormProtectionFixPrompt(file, method = "POST") {
   return `Review the public form API route at ${file}.
 
+Qodfy detected this as a likely public ${method} handler.
+
 Goal:
 Verify validation, rate limiting, and spam protection.
 
 Instructions:
-- Confirm submitted input is validated before it is used.
-- Check for rate limiting or another abuse protection pattern.
+- Inspect each exported HTTP handler separately.
+- Confirm submitted input in the ${method} handler is validated before it is used.
+- Check for rate limiting or another abuse protection pattern on the ${method} handler.
 - Check whether captcha, Turnstile, reCAPTCHA, or hCaptcha is appropriate.
 - Do not add user authentication unless the form should be private.
 - Do not introduce a new service unless necessary.
@@ -1236,18 +1901,24 @@ Return:
 - The safest minimal change if protection is missing.
 - Any edge cases I should test.`;
 }
-function createInternalRouteProtectionFixPrompt(file) {
+function createInternalRouteProtectionFixPrompt(file, method) {
+  const handlerLine = method ? `
+Qodfy detected this as a likely internal ${method} handler.
+` : "";
+  const handlerReference = method ? `the ${method} handler` : "the route";
   return `Review the internal API route at ${file}.
+${handlerLine}
 
 Goal:
 Confirm this operational route is protected before launch.
 
 Instructions:
-- Check whether the route is protected by existing auth, a secret token, or server-only access.
+- Inspect each exported HTTP handler separately.
+- Check whether ${handlerReference} is protected by existing auth, a secret token, or server-only access.
 - For cron, cleanup, revalidation, or admin routes, prefer the existing project protection pattern.
 - Do not introduce a new auth provider.
 - Do not change route behavior unless protection is missing.
-- If the route is intentionally reachable, add a short comment explaining the protection boundary.
+- If ${handlerReference} is intentionally reachable, add a short comment explaining the protection boundary.
 
 Return:
 - Whether protection already exists.
@@ -1301,7 +1972,7 @@ Create a safe refactor plan without changing behavior.
 
 Instructions:
 - Identify the main responsibilities inside this module.
-- Check whether the file mixes unrelated concerns such as data fetching, filtering, mapping, sorting, constants, types, validation, or business rules.
+- Check whether the module mixes unrelated concerns such as data access, filtering, mapping, sorting, constants, types, validation, or business rules.
 - Suggest smaller TypeScript modules that could be extracted safely.
 - Do not rewrite the whole file at once.
 - Do not change business logic.
@@ -1467,8 +2138,13 @@ Return:
 - The updated code.
 - Any environment variables required.`;
 }
-function createWebhookSignatureFixPrompt(file) {
+function createWebhookSignatureFixPrompt(file, method) {
+  const handlerLine = method ? `
+Qodfy detected a possible issue in the ${method} webhook handler.
+` : "";
+  const handlerReference = method ? `the ${method} handler` : "the webhook route";
   return `Review the webhook API route at ${file}.
+${handlerLine}
 
 Goal:
 Verify that webhook signature validation happens before the event is handled.
@@ -1476,7 +2152,8 @@ Verify that webhook signature validation happens before the event is handled.
 Instructions:
 - Detect which provider this webhook belongs to based on imports, headers, and environment variables.
 - Use the provider's existing verification pattern if already present.
-- Do not process the webhook event before verification unless required by the provider.
+- Verify that ${handlerReference} validates the provider signature before processing the event unless the provider requires a different order.
+- Do not add user authentication unless the webhook provider requires it.
 - Do not introduce unrelated changes.
 - If verification already exists, explain where it happens.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qodfy/core",
-  "version": "0.2.6",
+  "version": "0.2.8",
   "description": "Scanner engine for Qodfy, an open-source launch readiness scanner for AI-built apps.",
   "keywords": [
     "qodfy",
@@ -54,6 +54,7 @@
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts --clean --tsconfig tsconfig.json",
-    "dev": "tsx src/index.ts"
+    "dev": "tsx src/index.ts",
+    "test": "node --import tsx --test src/protection.test.ts"
   }
 }