npm - @qodfy/core - Versions diffs - 0.2.7 → 0.2.9 - Mend

@qodfy/core 0.2.7 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +797 -19
package/package.json +3 -2

package/dist/index.js CHANGED Viewed

@@ -124,6 +124,7 @@ var issueIdPrefixes = {
   "api-public-read-route": "api-public-read-route",
   "public-form-missing-abuse-protection": "public-form-missing-abuse-protection",
   "internal-route-missing-protection": "internal-route-missing-protection",
+  "admin-route-missing-authorization": "admin-route-authorization",
   "api-mutation-route-review-auth": "api-mutation-route-review-auth",
   "ai-route-missing-rate-limit": "ai-route-rate-limit",
   "maintainability-large-file": "maintainability-large-file",
@@ -723,7 +724,7 @@ function addWebhookSignatureIssues({
   analysis
 }) {
   for (const handler of analysis.handlers) {
-    if (handler.intent !== "webhook" || handler.hasWebhookVerification) {
+    if (handler.intent !== "webhook" || handler.hasWebhookVerification || handler.hasMethodBlocking) {
       continue;
     }
     addIssue({
@@ -750,6 +751,29 @@ function addApiRouteProtectionIssues({
     if (handler.intent === "webhook") {
       continue;
     }
+    if (handler.hasMethodBlocking) {
+      continue;
+    }
+    const adminPathMatch = getAdminRoutePathMatch(analysis.relativeFile);
+    if (adminPathMatch && handler.hasAuth && !handler.hasAdminAuthorization) {
+      addIssue({
+        ruleId: "admin-route-missing-authorization",
+        category: "security",
+        severity: "warning",
+        confidence: "medium",
+        title: `Admin ${handler.method} handler may be missing admin authorization`,
+        message: `The ${handler.method} handler is authenticated, but this route appears to expose admin, private, or debug functionality and Qodfy could not find a role, staff, or permission check.`,
+        file: analysis.relativeFile,
+        suggestion: "Confirm this route is restricted to admins/staff, or remove it before production if it is only for debugging.",
+        fixPrompt: createAdminAuthorizationFixPrompt(analysis.relativeFile, handler.method),
+        evidence: [
+          { label: "path contains", detail: adminPathMatch },
+          { label: "auth guard detected", detail: `${handler.method} handler` },
+          { label: "no admin/staff/role/permission check detected", detail: `${handler.method} handler` }
+        ],
+        context: handler.evidence
+      });
+    }
     if (handler.intent === "public-read") {
       if (includeLowConfidence) {
         addIssue({
@@ -769,7 +793,7 @@ function addApiRouteProtectionIssues({
       continue;
     }
     if (handler.intent === "public-form") {
-      if (!handler.hasRateLimit && !handler.hasValidation) {
+      if (!(handler.hasValidation && handler.hasRateLimit)) {
         addIssue({
           ruleId: "public-form-missing-abuse-protection",
           category: "api",
@@ -883,7 +907,7 @@ function analyzeApiHandler({
 }) {
   const normalizedFile = relativeFile.toLowerCase();
   const webhookPathMatch = getRoutePathMatch(normalizedFile, ["webhook", "webhooks", "callback"]);
-  const internalPathMatch = getRoutePathMatch(normalizedFile, ["internal", "admin", "cron", "cleanup", "revalidate", "private"]);
+  const internalPathMatch = getRoutePathMatch(normalizedFile, ["internal", "admin", "cron", "cleanup", "revalidate", "private", "debug", "staff", "manager"]);
   const formPathMatch = getRoutePathMatch(normalizedFile, ["contact", "subscribe", "newsletter", "lead", "inquiry"]);
   const sensitivePathMatch = getRoutePathMatch(normalizedFile, [
     "upload",
@@ -919,10 +943,30 @@ function analyzeApiHandler({
   const webhookRouteInfo = getWebhookRouteInfo(relativeFile, handlerContent);
   const webhookProvider = webhookRouteInfo?.provider ?? getWebhookProvider(`${normalizedFile}
 ${handlerContent.toLowerCase()}`);
-  const hasAuth = hasAuthOrSessionCheck(handlerContent);
-  const hasSecretProtection = hasSecretProtectionSignal(handlerContent);
+  const protectionAnalysis = analyzeHandlerProtection({
+    handlerBody: handlerContent,
+    fullFileContent: content
+  });
+  const hasWeakAuthSignal = hasWeakAuthRelatedSignal(handlerContent);
+  const hasStrongProtection = hasStrongProtectionCallBeforeSensitiveWork(
+    handlerContent,
+    protectionAnalysis.sensitiveOperation
+  );
+  const hasAuth = protectionAnalysis.hasAccessControlGuard || hasStrongProtection;
+  const secretProtectionAnalysis = analyzeSecretProtectionGuardBeforeSensitiveWork(
+    handlerContent,
+    content,
+    protectionAnalysis.sensitiveOperation
+  );
+  const hasSecretProtection = secretProtectionAnalysis.hasSecretProtectionGuard;
+  const hasWeakSecretSignal = hasWeakSecretProtectionSignal(handlerContent);
+  const adminAuthorizationAnalysis = analyzeAdminAuthorization(handlerContent);
+  const hasAdminAuthorization = adminAuthorizationAnalysis.hasAdminAuthorization;
   const hasRateLimit = hasRateLimitSignal(handlerContent);
-  const hasValidation = hasValidationSignal(handlerContent);
+  const hasBasicValidation = hasBasicValidationSignal(handlerContent);
+  const hasSchemaValidation = hasSchemaValidationSignal(handlerContent);
+  const hasValidation = hasBasicValidation || hasSchemaValidation;
+  const hasSpamProtection = hasSpamProtectionSignal(handlerContent);
   const hasCacheHeaders = hasCacheHeaderSignal(handlerContent);
   const hasMethodBlocking = hasMethodBlockingSignal(handlerContent);
   const hasWebhookVerification = hasWebhookSignatureVerification(handlerContent, webhookProvider);
@@ -942,7 +986,7 @@ ${handlerContent.toLowerCase()}`);
     evidence.push({ label: "path contains", detail: internalPathMatch });
   } else if (method === "POST" && formPathMatch) {
     intent = "public-form";
-    evidence.push({ label: "path contains", detail: formPathMatch });
+    evidence.push({ label: "public submission endpoint detected", detail: formPathMatch });
   } else if (method === "GET" && publicContentPathMatch && !sensitivePathMatch && !internalPathMatch) {
     intent = "public-read";
     evidence.push({ label: "public read path detected", detail: publicContentPathMatch });
@@ -950,13 +994,43 @@ ${handlerContent.toLowerCase()}`);
     intent = "sensitive-mutation";
     evidence.push({ label: "path contains", detail: sensitivePathMatch });
   }
-  if (hasAuth) {
-    evidence.push({ label: `auth/session check detected in ${method} handler` });
+  if (protectionAnalysis.sensitiveOperation) {
+    evidence.push({
+      label: intent === "public-form" ? `${getPublicFormSideEffectLabel(protectionAnalysis.sensitiveOperation.label)} side effect detected` : `sensitive side effect ${protectionAnalysis.sensitiveOperation.label} detected`,
+      detail: `${method} handler`
+    });
+  }
+  if (protectionAnalysis.inputParsingOperation && intent !== "public-form") {
+    evidence.push({
+      label: `input parsing ${protectionAnalysis.inputParsingOperation.label} detected`,
+      detail: `${method} handler`
+    });
+  }
+  if (intent === "public-form") {
+  } else if (protectionAnalysis.hasAccessControlGuard) {
+    evidence.push(...protectionAnalysis.evidence);
+  } else if (hasStrongProtection) {
+    evidence.push({
+      label: "strong protection call detected before sensitive work",
+      detail: `${method} handler`
+    });
+  } else if (hasWeakAuthSignal) {
+    evidence.push({
+      label: "possible auth-related signal detected",
+      detail: `${method} handler`
+    });
+  } else if (protectionAnalysis.sensitiveOperation) {
+    evidence.push({ label: `no access-control guard detected before sensitive side effect`, detail: `${method} handler` });
   } else {
     evidence.push({ label: `no auth/session check detected in ${method} handler` });
   }
   if (hasSecretProtection) {
-    evidence.push({ label: `secret token check detected in ${method} handler` });
+    evidence.push(...secretProtectionAnalysis.evidence);
+  } else if (hasWeakSecretSignal) {
+    evidence.push({ label: `possible secret/token signal detected`, detail: `${method} handler` });
+  }
+  if (hasAdminAuthorization) {
+    evidence.push(...adminAuthorizationAnalysis.evidence);
   }
   if (intent === "public-form") {
     evidence.push({
@@ -964,7 +1038,11 @@ ${handlerContent.toLowerCase()}`);
       detail: `${method} handler`
     });
     evidence.push({
-      label: hasValidation ? "validation detected" : "no validation detected",
+      label: hasSchemaValidation ? "schema validation detected" : hasBasicValidation ? "basic validation detected" : "no validation detected",
+      detail: `${method} handler`
+    });
+    evidence.push({
+      label: hasSpamProtection ? "spam/bot protection detected" : "no spam/bot protection detected",
       detail: `${method} handler`
     });
   }
@@ -996,13 +1074,23 @@ ${handlerContent.toLowerCase()}`);
     evidence,
     hasAuth,
     hasSecretProtection,
+    hasAdminAuthorization,
     hasRateLimit,
+    hasBasicValidation,
+    hasSchemaValidation,
     hasValidation,
+    hasSpamProtection,
     hasCacheHeaders,
     hasMethodBlocking,
     hasWebhookVerification
   };
 }
+function getPublicFormSideEffectLabel(sideEffectLabel) {
+  if (sideEffectLabel === "send") {
+    return "email/send";
+  }
+  return sideEffectLabel;
+}
 function getHandlerContext(handler, handlers) {
   const context = [];
   for (const otherHandler of handlers) {
@@ -1089,6 +1177,9 @@ function getRoutePathMatch(normalizedFile, terms) {
     return new RegExp(`(^|[\\/._\\[\\]-])${escapedTerm}([\\/._\\[\\]-]|$)`).test(normalizedFile);
   });
 }
+function getAdminRoutePathMatch(relativeFile) {
+  return getRoutePathMatch(relativeFile.toLowerCase(), ["admin", "debug", "private", "staff", "manager"]);
+}
 function getExportedHttpMethods(content) {
   return getExportedRouteHandlers(content).map((handler) => handler.method);
 }
@@ -1097,15 +1188,31 @@ function getExportedRouteHandlers(content) {
   const functionExportPattern = /\bexport\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\s*\(/g;
   const constExportPattern = /\bexport\s+const\s+(GET|POST|PUT|PATCH|DELETE)\s*=/g;
   for (const match of content.matchAll(functionExportPattern)) {
+    if (isCommentedMatch(content, match.index ?? 0)) {
+      continue;
+    }
     handlers.push(extractRouteHandlerBody(content, match.index ?? 0, match[1], "function"));
   }
   for (const match of content.matchAll(constExportPattern)) {
+    if (isCommentedMatch(content, match.index ?? 0)) {
+      continue;
+    }
     handlers.push(extractRouteHandlerBody(content, match.index ?? 0, match[1], "const"));
   }
   return handlers.sort(
     (leftHandler, rightHandler) => getMethodRank(leftHandler.method) - getMethodRank(rightHandler.method)
   );
 }
+function isCommentedMatch(content, matchIndex) {
+  const lineStart = content.lastIndexOf("\n", matchIndex) + 1;
+  const linePrefix = content.slice(lineStart, matchIndex).trim();
+  if (linePrefix.startsWith("//") || linePrefix.startsWith("*")) {
+    return true;
+  }
+  const previousBlockStart = content.lastIndexOf("/*", matchIndex);
+  const previousBlockEnd = content.lastIndexOf("*/", matchIndex);
+  return previousBlockStart !== -1 && previousBlockStart > previousBlockEnd;
+}
 function extractRouteHandlerBody(content, exportIndex, method, exportKind) {
   const nextExportIndex = findNextRouteHandlerExport(content, exportIndex + 1);
   const handlerEnd = nextExportIndex === -1 ? content.length : nextExportIndex;
@@ -1166,6 +1273,33 @@ function findMatchingParen(content, openParenIndex) {
   }
   return -1;
 }
+function getIfStatements(content, startIndex = 0, endIndex = content.length) {
+  const statements = [];
+  const ifPattern = /\bif\s*\(/g;
+  ifPattern.lastIndex = startIndex;
+  let match;
+  while ((match = ifPattern.exec(content)) !== null) {
+    const matchIndex = match.index;
+    if (matchIndex > endIndex) {
+      break;
+    }
+    const openParenIndex = content.indexOf("(", matchIndex);
+    if (openParenIndex === -1 || openParenIndex > endIndex) {
+      continue;
+    }
+    const closeParenIndex = findMatchingParen(content, openParenIndex);
+    if (closeParenIndex === -1 || closeParenIndex > endIndex) {
+      continue;
+    }
+    statements.push({
+      index: matchIndex,
+      condition: content.slice(openParenIndex + 1, closeParenIndex),
+      branchStartIndex: closeParenIndex + 1
+    });
+    ifPattern.lastIndex = closeParenIndex + 1;
+  }
+  return statements;
+}
 function findMatchingBrace(content, openBraceIndex) {
   let depth = 0;
   for (let index = openBraceIndex; index < content.length; index++) {
@@ -1200,21 +1334,641 @@ function getMethodRank(method) {
 function isMutationMethod(method) {
   return method !== "GET";
 }
-function hasAuthOrSessionCheck(content) {
-  const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("auth(") || normalizedContent.includes("getserversession") || normalizedContent.includes("currentuser") || normalizedContent.includes("clerkclient") || normalizedContent.includes("session") || normalizedContent.includes("requireauth") || normalizedContent.includes("requireuser") || normalizedContent.includes("requireadmin") || normalizedContent.includes("verifysession") || normalizedContent.includes("getuser") || normalizedContent.includes("jwt") || normalizedContent.includes("authorization") || normalizedContent.includes("bearer") || normalizedContent.includes("cookies()") || normalizedContent.includes("request.cookies") || normalizedContent.includes("middleware");
+function analyzeHandlerProtection({
+  handlerBody,
+  fullFileContent
+}) {
+  const imports = getImportInfos(fullFileContent);
+  const inputParsingOperation = getFirstInputParsingOperation(handlerBody);
+  const sensitiveOperation = getFirstSensitiveOperation(handlerBody);
+  const localHelpers = getLocalHelperInfos(fullFileContent);
+  const helperAssignments = getHelperAssignments(handlerBody);
+  for (const assignment of helperAssignments) {
+    if (isRawRequestAccessorHelper(assignment.helperName)) {
+      continue;
+    }
+    const localHelper = getLocalHelperInfo(localHelpers, assignment.helperName);
+    if (localHelper && !isLocalProtectionHelper(localHelper.body)) {
+      continue;
+    }
+    if (!isGuardHelperAssignmentNearTop(assignment.index, handlerBody, sensitiveOperation)) {
+      continue;
+    }
+    const guard = findAccessControlGuardForVariable({
+      handlerBody,
+      variableName: assignment.variableName,
+      startIndex: assignment.endIndex
+    });
+    if (!guard) {
+      continue;
+    }
+    if (sensitiveOperation && guard.endIndex > sensitiveOperation.index) {
+      continue;
+    }
+    const importInfo = getImportInfoForHelper(imports, assignment.helperName);
+    const evidence = [
+      { label: "access-control guard detected" },
+      { label: "helper call assigned to variable", detail: assignment.variableName },
+      { label: "guard checks variable", detail: assignment.variableName },
+      { label: guard.returnSignal }
+    ];
+    if (sensitiveOperation) {
+      evidence.push({ label: "guard appears before sensitive operation", detail: sensitiveOperation.label });
+    }
+    if (importInfo?.isProtectionSource) {
+      evidence.push({ label: "helper imported from protection module", detail: importInfo.source });
+    }
+    if (localHelper) {
+      evidence.push({ label: "local protection helper detected", detail: localHelper.name });
+    }
+    return {
+      hasAccessControlGuard: true,
+      evidence,
+      inputParsingOperation,
+      sensitiveOperation
+    };
+  }
+  return {
+    hasAccessControlGuard: false,
+    evidence: [],
+    inputParsingOperation,
+    sensitiveOperation
+  };
 }
-function hasSecretProtectionSignal(content) {
+function getImportInfos(content) {
+  const imports = [];
+  const importPattern = /import\s+(?:type\s+)?([\s\S]*?)\s+from\s+["']([^"']+)["'];?/g;
+  for (const match of content.matchAll(importPattern)) {
+    const importClause = match[1]?.trim();
+    const source = match[2];
+    if (!importClause || !source) {
+      continue;
+    }
+    const isProtectionSource = isProtectionImportSource(source);
+    const namedImportMatch = importClause.match(/\{([\s\S]*?)\}/);
+    if (namedImportMatch?.[1]) {
+      const namedImports = namedImportMatch[1].split(",");
+      for (const namedImport of namedImports) {
+        const parts = namedImport.trim().split(/\s+as\s+/i);
+        const importedName = parts[0]?.trim();
+        const localName = parts[1]?.trim() ?? importedName;
+        if (importedName && localName) {
+          imports.push({
+            localName,
+            importedName,
+            source,
+            isProtectionSource
+          });
+        }
+      }
+    }
+    const clauseBeforeNamedImports = importClause.split("{")[0]?.replace(/,\s*$/, "").trim();
+    if (clauseBeforeNamedImports && !clauseBeforeNamedImports.startsWith("*")) {
+      const defaultImport = clauseBeforeNamedImports.split(",")[0]?.trim();
+      if (defaultImport && /^[A-Za-z_$][\w$]*$/.test(defaultImport)) {
+        imports.push({
+          localName: defaultImport,
+          importedName: "default",
+          source,
+          isProtectionSource
+        });
+      }
+    }
+    const namespaceImportMatch = importClause.match(/\*\s+as\s+([A-Za-z_$][\w$]*)/);
+    if (namespaceImportMatch?.[1]) {
+      imports.push({
+        localName: namespaceImportMatch[1],
+        importedName: "*",
+        source,
+        isProtectionSource
+      });
+    }
+  }
+  return imports;
+}
+function isProtectionImportSource(source) {
+  const normalizedSource = source.toLowerCase();
+  const protectionSourceTerms = [
+    "auth",
+    "session",
+    "sessions",
+    "staff",
+    "permission",
+    "permissions",
+    "access",
+    "access-control",
+    "security",
+    "user",
+    "users"
+  ];
+  return protectionSourceTerms.some((term) => normalizedSource.includes(term));
+}
+function getLocalHelperInfos(content) {
+  return [
+    ...getLocalFunctionDeclarationHelpers(content),
+    ...getLocalConstFunctionHelpers(content)
+  ];
+}
+function getLocalFunctionDeclarationHelpers(content) {
+  const helpers = [];
+  const functionPattern = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g;
+  for (const match of content.matchAll(functionPattern)) {
+    const helperName = match[1];
+    const matchIndex = match.index ?? 0;
+    if (!helperName) {
+      continue;
+    }
+    const openParenIndex = content.indexOf("(", matchIndex);
+    const closeParenIndex = openParenIndex === -1 ? -1 : findMatchingParen(content, openParenIndex);
+    const openBraceIndex = closeParenIndex === -1 ? -1 : content.indexOf("{", closeParenIndex);
+    if (openBraceIndex === -1) {
+      continue;
+    }
+    const closeBraceIndex = findMatchingBrace(content, openBraceIndex);
+    if (closeBraceIndex === -1) {
+      continue;
+    }
+    helpers.push({
+      name: helperName,
+      body: content.slice(openBraceIndex, closeBraceIndex + 1)
+    });
+  }
+  return helpers;
+}
+function getLocalConstFunctionHelpers(content) {
+  const helpers = [];
+  const constFunctionPattern = /\bconst\s+([A-Za-z_$][\w$]*)\s*=\s*(?:async\s+)?(?:function\b|(?:\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>)/g;
+  for (const match of content.matchAll(constFunctionPattern)) {
+    const helperName = match[1];
+    const matchIndex = match.index ?? 0;
+    if (!helperName) {
+      continue;
+    }
+    const equalsIndex = content.indexOf("=", matchIndex);
+    if (equalsIndex === -1) {
+      continue;
+    }
+    const arrowIndex = content.indexOf("=>", equalsIndex);
+    const functionIndex = content.indexOf("function", equalsIndex);
+    const bodyStartSearchIndex = arrowIndex !== -1 && (functionIndex === -1 || arrowIndex < functionIndex) ? arrowIndex + 2 : functionIndex;
+    if (bodyStartSearchIndex === -1) {
+      continue;
+    }
+    let bodyStartIndex = bodyStartSearchIndex;
+    while (/\s/.test(content[bodyStartIndex] ?? "")) {
+      bodyStartIndex++;
+    }
+    if (content[bodyStartIndex] === "{") {
+      const closeBraceIndex = findMatchingBrace(content, bodyStartIndex);
+      if (closeBraceIndex !== -1) {
+        helpers.push({
+          name: helperName,
+          body: content.slice(bodyStartIndex, closeBraceIndex + 1)
+        });
+      }
+      continue;
+    }
+    const expressionEndIndex = findExpressionEnd(content, bodyStartIndex);
+    helpers.push({
+      name: helperName,
+      body: content.slice(bodyStartIndex, expressionEndIndex)
+    });
+  }
+  return helpers;
+}
+function findExpressionEnd(content, startIndex) {
+  const semicolonIndex = content.indexOf(";", startIndex);
+  const newlineIndex = content.indexOf("\n", startIndex);
+  return [semicolonIndex, newlineIndex].filter((candidateIndex) => candidateIndex !== -1).sort((leftIndex, rightIndex) => leftIndex - rightIndex)[0] ?? content.length;
+}
+function getLocalHelperInfo(localHelpers, helperName) {
+  const helperRootName = getHelperRootName(helperName);
+  return localHelpers.find((helper) => helper.name === helperRootName);
+}
+function getHelperRootName(helperName) {
+  return helperName.split(".")[0] ?? helperName;
+}
+function isLocalProtectionHelper(helperBody) {
+  return isSecretValidationExpression(helperBody) || hasStrongAuthProviderSignal(helperBody) || analyzeAdminAuthorization(helperBody).hasAdminAuthorization;
+}
+function hasStrongAuthProviderSignal(content) {
+  return /\bauth\s*\(/i.test(content) || /\bgetServerSession\s*\(/.test(content) || /\bgetSession\s*\(/.test(content) || /\bcurrentUser\s*\(/.test(content) || /\bgetUser\s*\(/.test(content) || /\bauth\.getUser\s*\(/i.test(content);
+}
+function getHelperAssignments(handlerBody) {
+  const assignments = [];
+  const assignmentPattern = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:await\s+)?([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?)\s*\(/g;
+  const destructuredAssignmentPattern = /\b(?:const|let|var)\s*\{([^}]+)\}\s*=\s*(?:await\s+)?([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?)\s*\(/g;
+  for (const match of handlerBody.matchAll(assignmentPattern)) {
+    const variableName = match[1];
+    const helperName = match[2];
+    const index = match.index ?? 0;
+    if (!variableName || !helperName) {
+      continue;
+    }
+    assignments.push({
+      variableName,
+      helperName,
+      index,
+      endIndex: index + match[0].length
+    });
+  }
+  for (const match of handlerBody.matchAll(destructuredAssignmentPattern)) {
+    const destructuredContent = match[1];
+    const helperName = match[2];
+    const index = match.index ?? 0;
+    if (!destructuredContent || !helperName) {
+      continue;
+    }
+    for (const variableName of parseDestructuredBindingNames(destructuredContent)) {
+      assignments.push({
+        variableName,
+        helperName,
+        index,
+        endIndex: index + match[0].length
+      });
+    }
+  }
+  return assignments.sort(
+    (leftAssignment, rightAssignment) => leftAssignment.index - rightAssignment.index
+  );
+}
+function parseDestructuredBindingNames(destructuredContent) {
+  const variableNames = [];
+  for (const part of destructuredContent.split(",")) {
+    const trimmedPart = part.trim();
+    if (!trimmedPart) {
+      continue;
+    }
+    const withoutDefault = trimmedPart.split("=")[0]?.trim() ?? "";
+    const aliasParts = withoutDefault.split(":");
+    const variableName = (aliasParts[1] ?? aliasParts[0])?.trim();
+    if (variableName && /^[A-Za-z_$][\w$]*$/.test(variableName)) {
+      variableNames.push(variableName);
+    }
+  }
+  return variableNames;
+}
+function isRawRequestAccessorHelper(helperName) {
+  const normalizedHelperName = helperName.toLowerCase();
+  const rawAccessorHelpers = [
+    "request.headers.get",
+    "req.headers.get",
+    "headers.get",
+    "request.cookies.get",
+    "req.cookies.get",
+    "request.nexturl.searchparams.get",
+    "req.nexturl.searchparams.get",
+    "searchparams.get",
+    "cookies"
+  ];
+  return rawAccessorHelpers.includes(normalizedHelperName);
+}
+function isGuardHelperAssignmentNearTop(assignmentIndex, handlerBody, sensitiveOperation) {
+  if (sensitiveOperation) {
+    return assignmentIndex < sensitiveOperation.index;
+  }
+  return assignmentIndex < Math.min(1500, handlerBody.length);
+}
+function findAccessControlGuardForVariable({
+  handlerBody,
+  variableName,
+  startIndex
+}) {
+  const guardSearchEnd = Math.min(handlerBody.length, startIndex + 2500);
+  const ifStatements = getIfStatements(handlerBody, startIndex, guardSearchEnd);
+  for (const ifStatement of ifStatements) {
+    if (!doesConditionBlockWhenVariableMissing(ifStatement.condition, variableName)) {
+      continue;
+    }
+    const branch = getIfFailureBranch(handlerBody, ifStatement.branchStartIndex);
+    const returnSignal = getAccessDeniedReturnSignal(branch.text);
+    if (!returnSignal) {
+      continue;
+    }
+    return {
+      endIndex: branch.endIndex,
+      returnSignal
+    };
+  }
+  return null;
+}
+function doesConditionBlockWhenVariableMissing(condition, variableName) {
+  const escapedVariableName = escapeRegExp(variableName);
+  return new RegExp(`!\\s*${escapedVariableName}(?:\\b|\\?\\.|\\.)`).test(condition) || new RegExp(`\\b${escapedVariableName}\\s*(?:={2,3})\\s*(?:null|undefined|false)\\b`).test(condition) || new RegExp(`\\b(?:null|undefined|false)\\s*(?:={2,3})\\s*${escapedVariableName}\\b`).test(condition) || new RegExp(`!\\s*${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*`).test(condition) || new RegExp(`\\b${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*\\s*(?:={2,3})\\s*false\\b`).test(condition) || new RegExp(`\\bfalse\\s*(?:={2,3})\\s*${escapedVariableName}(?:\\?\\.)?\\.[A-Za-z_$][\\w$]*\\b`).test(condition);
+}
+function getIfFailureBranch(handlerBody, branchStartIndex) {
+  let index = branchStartIndex;
+  while (/\s/.test(handlerBody[index] ?? "")) {
+    index++;
+  }
+  if (handlerBody[index] === "{") {
+    const closeBraceIndex = findMatchingBrace(handlerBody, index);
+    if (closeBraceIndex !== -1) {
+      return {
+        text: handlerBody.slice(index, closeBraceIndex + 1),
+        endIndex: closeBraceIndex
+      };
+    }
+  }
+  const semicolonIndex = handlerBody.indexOf(";", index);
+  const newlineIndex = handlerBody.indexOf("\n", index);
+  const branchEndIndex = [semicolonIndex, newlineIndex].filter((candidateIndex) => candidateIndex !== -1).sort((leftIndex, rightIndex) => leftIndex - rightIndex)[0] ?? Math.min(handlerBody.length, index + 300);
+  return {
+    text: handlerBody.slice(index, branchEndIndex + 1),
+    endIndex: branchEndIndex
+  };
+}
+function getAccessDeniedReturnSignal(branchText) {
+  const normalizedBranch = branchText.toLowerCase();
+  if (!normalizedBranch.includes("return") && !normalizedBranch.includes("redirect(")) {
+    return null;
+  }
+  if (/\bstatus\s*:\s*401\b/.test(normalizedBranch) || /\b401\b/.test(normalizedBranch)) {
+    return "guard returns 401";
+  }
+  if (/\bstatus\s*:\s*403\b/.test(normalizedBranch) || /\b403\b/.test(normalizedBranch)) {
+    return "guard returns 403";
+  }
+  if (normalizedBranch.includes("unauthorized")) {
+    return "guard returns Unauthorized";
+  }
+  if (normalizedBranch.includes("forbidden")) {
+    return "guard returns Forbidden";
+  }
+  if (/redirect\s*\(\s*["']\/(?:login|sign-in|signin|auth)/.test(normalizedBranch)) {
+    return "guard redirects to login";
+  }
+  return null;
+}
+function getImportInfoForHelper(imports, helperName) {
+  const helperRootName = getHelperRootName(helperName);
+  return imports.find((importInfo) => importInfo.localName === helperRootName);
+}
+function getFirstInputParsingOperation(handlerBody) {
+  const inputParsingPatterns = [
+    { label: "request.json", pattern: /\brequest\.json\s*\(/i },
+    { label: "request.formData", pattern: /\brequest\.formData\s*\(/i },
+    { label: "request.text", pattern: /\brequest\.text\s*\(/i },
+    { label: "searchParams.get", pattern: /\b(?:request\.nextUrl\.)?searchParams\.get\s*\(/i }
+  ];
+  const matches = [];
+  for (const inputParsingPattern of inputParsingPatterns) {
+    const match = inputParsingPattern.pattern.exec(handlerBody);
+    if (match?.index !== void 0) {
+      matches.push({
+        label: inputParsingPattern.label,
+        index: match.index
+      });
+    }
+  }
+  return matches.sort((leftMatch, rightMatch) => leftMatch.index - rightMatch.index)[0];
+}
+function getFirstSensitiveOperation(handlerBody) {
+  const sensitiveOperationPatterns = [
+    { label: "file.arrayBuffer", pattern: /\b[A-Za-z_$][\w$]*\.arrayBuffer\s*\(/i },
+    { label: "Buffer.from", pattern: /\bBuffer\.from\s*\(/ },
+    { label: "uploadToR2", pattern: /\buploadToR2\s*\(/i },
+    { label: "upload", pattern: /\bupload[A-Za-z0-9_$]*\s*\(/i },
+    { label: "putObject", pattern: /\bputObject\s*\(/i },
+    { label: "revalidatePath", pattern: /\brevalidatePath\s*\(/i },
+    { label: "revalidateTag", pattern: /\brevalidateTag\s*\(/i },
+    { label: "storage", pattern: /\bstorage\b/i },
+    { label: "write", pattern: /\bwrite[A-Za-z0-9_$]*\s*\(/i },
+    { label: "create", pattern: /\bcreate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "update", pattern: /\bupdate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "delete", pattern: /\bdelete[A-Za-z0-9_$]*\s*\(/i },
+    { label: "insert", pattern: /\binsert[A-Za-z0-9_$]*\s*\(/i },
+    { label: "cleanup", pattern: /\bcleanup[A-Za-z0-9_$]*\s*\(/i },
+    { label: "revalidate", pattern: /\brevalidate[A-Za-z0-9_$]*\s*\(/i },
+    { label: "prisma", pattern: /\bprisma\./i },
+    { label: "db", pattern: /\bdb\./i },
+    { label: "checkout", pattern: /\bcheckout\b/i },
+    { label: "payment", pattern: /\bpayment\b/i },
+    { label: "send", pattern: /\bsend[A-Za-z0-9_$]*\s*\(/i },
+    { label: "mutation", pattern: /\bmutation\b/i }
+  ];
+  const matches = [];
+  for (const sensitiveOperationPattern of sensitiveOperationPatterns) {
+    const match = sensitiveOperationPattern.pattern.exec(handlerBody);
+    if (match?.index !== void 0) {
+      if (isBroadMutationOperationLabel(sensitiveOperationPattern.label) && isBenignHelperFunctionCall(match[0] ?? "")) {
+        continue;
+      }
+      matches.push({
+        label: sensitiveOperationPattern.label,
+        index: match.index
+      });
+    }
+  }
+  return matches.sort((leftMatch, rightMatch) => leftMatch.index - rightMatch.index)[0];
+}
+function isBroadMutationOperationLabel(label) {
+  return ["create", "update", "delete", "insert", "write"].includes(label);
+}
+function isBenignHelperFunctionCall(callExpression) {
+  const functionName = callExpression.match(/\b([A-Za-z_$][\w$]*)\s*\(/)?.[1];
+  if (!functionName) {
+    return false;
+  }
+  const normalizedFunctionName = functionName.toLowerCase();
+  return normalizedFunctionName.includes("ratelimit") || normalizedFunctionName.includes("header") || normalizedFunctionName.includes("response");
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function hasWeakAuthRelatedSignal(content) {
+  const normalizedContent = stripStrongProtectionIdentifiers(content).toLowerCase();
+  const weakSignals = [
+    "session",
+    "authorization",
+    "bearer",
+    "cookies()",
+    "request.cookies",
+    "middleware",
+    "getuser",
+    "jwt",
+    "auth(",
+    "getserversession",
+    "currentuser",
+    "clerkclient"
+  ];
+  return weakSignals.some((signal) => normalizedContent.includes(signal));
+}
+function stripStrongProtectionIdentifiers(content) {
+  return content.replace(/\b(?:await\s+)?require(?:Auth|User|Admin)\s*\([^)]*\)/gi, "").replace(/\bauth\.protect\s*\([^)]*\)/gi, "").replace(/\b(?:await\s+)?verifySession\s*\([^)]*\)/gi, "");
+}
+function hasStrongProtectionCallBeforeSensitiveWork(handlerBody, sensitiveOperation) {
+  const protectionCutoffIndex = sensitiveOperation?.index ?? Math.min(2e3, handlerBody.length);
+  const strongProtectionPatterns = [
+    /\b(?:await\s+)?requireAuth\s*\(/gi,
+    /\b(?:await\s+)?requireUser\s*\(/gi,
+    /\b(?:await\s+)?requireAdmin\s*\(/gi,
+    /\bauth\.protect\s*\(/gi,
+    /(?:^|[;{\n]\s*)(?:await\s+)?verifySession\s*\(/gi
+  ];
+  for (const pattern of strongProtectionPatterns) {
+    pattern.lastIndex = 0;
+    for (const match of handlerBody.matchAll(pattern)) {
+      if ((match.index ?? Number.POSITIVE_INFINITY) < protectionCutoffIndex) {
+        return true;
+      }
+    }
+  }
+  return hasAuthGuardRedirectBeforeIndex(handlerBody, protectionCutoffIndex) || hasThrowBasedAuthGuardBeforeIndex(handlerBody, protectionCutoffIndex);
+}
+function hasAuthGuardRedirectBeforeIndex(handlerBody, cutoffIndex) {
+  const redirectPattern = /\bif\s*\(([\s\S]*?)\)\s*(?:return\s+)?redirect\s*\(\s*["']\/(?:login|sign-in|signin|auth)/gi;
+  for (const match of handlerBody.matchAll(redirectPattern)) {
+    const condition = match[1] ?? "";
+    if ((match.index ?? Number.POSITIVE_INFINITY) < cutoffIndex && /\!/.test(condition)) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasThrowBasedAuthGuardBeforeIndex(handlerBody, cutoffIndex) {
+  const throwGuardPattern = /\bif\s*\(([\s\S]*?)\)\s*(?:throw\s+new\s+\w+|throw\s+[^;]*(?:Unauthorized|Forbidden|401|403))/gi;
+  for (const match of handlerBody.matchAll(throwGuardPattern)) {
+    const condition = match[1] ?? "";
+    const guardText = match[0] ?? "";
+    if ((match.index ?? Number.POSITIVE_INFINITY) < cutoffIndex && /\!/.test(condition) && /Unauthorized|Forbidden|401|403/i.test(guardText)) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasWeakSecretProtectionSignal(content) {
   const normalizedContent = content.toLowerCase();
   return /\bprocess\.env\.[A-Za-z0-9_]*SECRET\b/.test(content) || /\bprocess\.env\[['"`][A-Za-z0-9_]*SECRET['"`]\]/.test(content) || normalizedContent.includes("cron_secret") || normalizedContent.includes("revalidate_secret") || normalizedContent.includes("authorization") || normalizedContent.includes("bearer") || normalizedContent.includes("token");
 }
+function analyzeSecretProtectionGuardBeforeSensitiveWork(handlerBody, fullFileContent, sensitiveOperation) {
+  const protectionCutoffIndex = sensitiveOperation?.index ?? Math.min(2e3, handlerBody.length);
+  const ifStatements = getIfStatements(handlerBody, 0, protectionCutoffIndex);
+  const localSecretHelpers = getLocalHelperInfos(fullFileContent).filter(
+    (helper) => isSecretValidationExpression(helper.body)
+  );
+  for (const ifStatement of ifStatements) {
+    const branch = getIfFailureBranch(handlerBody, ifStatement.branchStartIndex);
+    const returnSignal = getAccessDeniedReturnSignal(branch.text);
+    if (!returnSignal) {
+      continue;
+    }
+    if (isSecretTokenGuardCondition(ifStatement.condition)) {
+      const evidence = [
+        { label: "secret-token guard detected before sensitive work" },
+        { label: "secret/token comparison detected", detail: "handler guard condition" },
+        { label: returnSignal }
+      ];
+      if (sensitiveOperation) {
+        evidence.push({
+          label: `secret guard appears before sensitive side effect`,
+          detail: sensitiveOperation.label
+        });
+      }
+      return {
+        hasSecretProtectionGuard: true,
+        evidence
+      };
+    }
+    const localHelper = getLocalSecretHelperCalledInGuard(ifStatement.condition, localSecretHelpers);
+    if (localHelper) {
+      const evidence = [
+        { label: "secret-token guard detected before sensitive work" },
+        { label: "local secret validation helper detected", detail: localHelper.name },
+        { label: returnSignal }
+      ];
+      if (sensitiveOperation) {
+        evidence.push({
+          label: `secret guard appears before sensitive side effect`,
+          detail: sensitiveOperation.label
+        });
+      }
+      return {
+        hasSecretProtectionGuard: true,
+        evidence
+      };
+    }
+  }
+  return {
+    hasSecretProtectionGuard: false,
+    evidence: []
+  };
+}
+function isSecretTokenGuardCondition(condition) {
+  return isSecretValidationExpression(condition);
+}
+function isSecretValidationExpression(expression) {
+  const normalizedExpression = expression.toLowerCase();
+  const hasSecretInput = /\b(?:token|secret|authorization|bearer)\b/i.test(expression) || /\bheaders\.get\s*\(\s*["'][^"']*(?:authorization|secret|token|key)[^"']*["']\s*\)/i.test(expression) || /\bsearchParams\.get\s*\(\s*["'](?:secret|token|key)["']\s*\)/i.test(expression) || /\bcookies?(?:\(\))?\.get\s*\(\s*["'][^"']*(?:secret|token|key|session)[^"']*["']\s*\)/i.test(expression);
+  const hasExpectedSecret = /\bprocess\.env\.[A-Za-z0-9_]*(?:SECRET|TOKEN|KEY)\b/.test(expression) || /\bprocess\.env\[['"`][A-Za-z0-9_]*(?:SECRET|TOKEN|KEY)['"`]\]/.test(expression) || /\b(?:expected|valid|required|cron|revalidate|internal)[A-Za-z0-9_]*(?:Secret|Token|Key)\b/.test(expression) || /\b(?:expected|valid|required|cron|revalidate|internal)[a-z0-9_]*(?:secret|token|key)\b/.test(normalizedExpression);
+  const hasSecretValidationCall = /\b(?:isValid|verify|validate|compare)[A-Za-z0-9_]*(?:Secret|Token|Key)?\s*\(/.test(expression) || /\btimingSafeEqual\s*\(/.test(expression);
+  const hasComparison = /!==|!=|===|==/.test(expression) || /\b(?:timingSafeEqual|compare|verify|isValid|validate)[A-Za-z0-9_]*\s*\(/.test(expression);
+  return hasSecretInput && (hasExpectedSecret || hasSecretValidationCall) && hasComparison;
+}
+function getLocalSecretHelperCalledInGuard(condition, localSecretHelpers) {
+  return localSecretHelpers.find((helper) => {
+    const escapedHelperName = escapeRegExp(helper.name);
+    return new RegExp(`!\\s*(?:await\\s+)?${escapedHelperName}\\s*\\(`).test(condition) || new RegExp(`\\b${escapedHelperName}\\s*\\([^)]*\\)\\s*(?:={2,3})\\s*false\\b`).test(condition) || new RegExp(`\\bfalse\\s*(?:={2,3})\\s*${escapedHelperName}\\s*\\(`).test(condition) || new RegExp(`\\b${escapedHelperName}\\s*\\([^)]*\\)\\s*!={1,2}\\s*true\\b`).test(condition);
+  });
+}
+function analyzeAdminAuthorization(content) {
+  const evidence = [];
+  if (/\brequireAdmin\s*\(/.test(content)) {
+    evidence.push({ label: "admin authorization check detected", detail: "requireAdmin" });
+  }
+  if (/\brequireStaff\s*\(/.test(content)) {
+    evidence.push({ label: "staff authorization check detected", detail: "requireStaff" });
+  }
+  if (/\brequireRole\s*\(/.test(content) || /\brequirePermission\s*\(/.test(content)) {
+    evidence.push({ label: "role/permission check detected", detail: "requireRole/requirePermission" });
+  }
+  if (/\b(?:hasPermission|checkPermission)\s*\(/.test(content)) {
+    evidence.push({ label: "permission check detected", detail: "hasPermission/checkPermission" });
+  }
+  if (/\b(?:isAdmin|isStaff)\b/.test(content)) {
+    evidence.push({ label: "admin/staff flag detected", detail: "isAdmin/isStaff" });
+  }
+  if (/\brole\s*(?:={2,3}|!={1,2})\s*["'](?:ADMIN|admin|STAFF|staff|MANAGER|manager)["']/.test(content)) {
+    evidence.push({ label: "role comparison detected" });
+  }
+  if (/\b(?:allowedRoles|roles)\.includes\s*\(/.test(content) || /\.includes\s*\(\s*(?:user|staff|session|account)\.role\s*\)/.test(content)) {
+    evidence.push({ label: "allowed roles check detected" });
+  }
+  if (hasRoleGuardReturningForbidden(content)) {
+    evidence.push({ label: "role guard returns 403/Forbidden" });
+  }
+  return {
+    hasAdminAuthorization: evidence.length > 0,
+    evidence
+  };
+}
+function hasRoleGuardReturningForbidden(content) {
+  for (const ifStatement of getIfStatements(content)) {
+    if (!/\b(?:role|permission|admin|staff|manager|allowedRoles|isAdmin|isStaff)\b/i.test(ifStatement.condition)) {
+      continue;
+    }
+    const branch = getIfFailureBranch(content, ifStatement.branchStartIndex);
+    if (/\bstatus\s*:\s*403\b|\b403\b|Forbidden/i.test(branch.text)) {
+      return true;
+    }
+  }
+  return false;
+}
 function hasRateLimitSignal(content) {
   const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("ratelimit") || normalizedContent.includes("rate limit") || normalizedContent.includes("limiter") || normalizedContent.includes("upstash") || normalizedContent.includes("throttle");
+  return normalizedContent.includes("ratelimit") || normalizedContent.includes("rate limit") || normalizedContent.includes("limiter") || normalizedContent.includes("upstash") || normalizedContent.includes("throttle") || normalizedContent.includes("too many requests") || /\bstatus\s*:\s*429\b/.test(normalizedContent) || /\b429\b/.test(normalizedContent);
+}
+function hasBasicValidationSignal(content) {
+  const normalizedContent = content.toLowerCase();
+  return /\bif\s*\([^)]*!\s*(?:email|name|message|value|body|payload|input|content|phone|subject)\b/i.test(content) || /\btypeof\s+\w+\s*!==\s*["']string["']/.test(content) || /\btypeof\s+\w+\s*===\s*["']string["']/.test(content) || /\.\s*trim\s*\(/.test(content) || /\.\s*length\b/.test(content) || normalizedContent.includes("validate") || normalizedContent.includes("validation") || normalizedContent.includes("sanitize") || normalizedContent.includes("slugregex") || normalizedContent.includes("isvalid") || /\bstatus\s*:\s*400\b/.test(normalizedContent) && /\b(?:email|name|message|value|body|payload|input|content|phone|subject)\b/.test(normalizedContent);
+}
+function hasSchemaValidationSignal(content) {
+  const normalizedContent = content.toLowerCase();
+  return normalizedContent.includes("safeparse") || /\bparse\s*\(\s*(?:body|payload|input|data|requestbody)\s*\)/i.test(content) || normalizedContent.includes("z.object") || normalizedContent.includes("yup") || normalizedContent.includes("joi") || normalizedContent.includes("valibot") || normalizedContent.includes("arktype");
 }
-function hasValidationSignal(content) {
+function hasSpamProtectionSignal(content) {
   const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("zod") || normalizedContent.includes("schema") || normalizedContent.includes("validate") || normalizedContent.includes("validation") || normalizedContent.includes("sanitize") || normalizedContent.includes("safeparse") || normalizedContent.includes("parse(") || normalizedContent.includes("slugregex") || normalizedContent.includes("isvalid") || normalizedContent.includes("captcha") || normalizedContent.includes("turnstile") || normalizedContent.includes("recaptcha") || normalizedContent.includes("hcaptcha");
+  return normalizedContent.includes("captcha") || normalizedContent.includes("recaptcha") || normalizedContent.includes("hcaptcha") || normalizedContent.includes("turnstile") || normalizedContent.includes("honeypot") || normalizedContent.includes("bot protection");
 }
 function hasCacheHeaderSignal(content) {
   const normalizedContent = content.toLowerCase();
@@ -1392,7 +2146,8 @@ Determine whether the ${method} handler should be protected.
 Instructions:
 - Inspect each exported HTTP handler separately.
 - Do not add authentication to a GET handler if it is intentionally public.
-- If the ${method} handler handles file uploads, private data, storage writes, payments, account changes, or user-specific actions, add the existing project auth/session check to the ${method} handler.
+- If the ${method} handler already has a guard that returns 401/403 before sensitive logic, explain where it happens and do not add duplicate auth.
+- If the ${method} handler handles file uploads, private data, storage writes, payments, account changes, or user-specific actions, add the existing project auth/session check before sensitive logic.
 - Also verify protections such as input validation, file size limits for uploads, storage path safety, and rate limiting where relevant.
 - Do not introduce a new auth provider.
 - Do not refactor unrelated code.
@@ -1513,6 +2268,29 @@ Return:
 - The safest minimal change if protection is missing.
 - Any edge cases I should test.`;
 }
+function createAdminAuthorizationFixPrompt(file, method) {
+  return `Review the API route at ${file}.
+Qodfy detected a possible authorization issue in the ${method} handler.
+Goal:
+Confirm this authenticated handler is restricted to the right admin, staff, role, or permission level.
+Instructions:
+- Inspect each exported HTTP handler separately.
+- Do not add a new auth provider.
+- Do not duplicate authentication if the handler already has a 401/403 guard.
+- Check the existing project pattern for admin, staff, role, or permission checks.
+- If this handler exposes admin, private, staff, manager, or debug functionality, confirm it has an authorization check beyond basic login.
+- If this route is only for debugging, remove it or make sure it cannot run in production.
+- Keep existing response formats unchanged.
+Return:
+- Where authentication currently happens.
+- Whether admin/staff/role/permission authorization exists.
+- The safest minimal change if authorization is missing.
+- Edge cases to test.`;
+}
 function createMissingEnvVariableFixPrompt(variableName, files) {
   return `Update the environment documentation for this project.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@qodfy/core",
-  "version": "0.2.7",
+  "version": "0.2.9",
   "description": "Scanner engine for Qodfy, an open-source launch readiness scanner for AI-built apps.",
   "keywords": [
     "qodfy",
@@ -54,6 +54,7 @@
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts --clean --tsconfig tsconfig.json",
-    "dev": "tsx src/index.ts"
+    "dev": "tsx src/index.ts",
+    "test": "node --import tsx --test src/protection.test.ts"
   }
 }