@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/scanners/unused-security-imports.js

@@ -1,206 +0,0 @@
-import { readFileSync, resolvePath } from "../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../utils/fingerprint.js";
-const RULE_ID = "VC-HALL-001";
-const SECURITY_LIBS = [
-    {
-        name: "zod",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "yup",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "joi",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "helmet",
-        category: "middleware",
-        severity: "medium",
-        description: "Security headers middleware",
-    },
-    {
-        name: "cors",
-        category: "middleware",
-        severity: "low",
-        description: "CORS middleware",
-    },
-    {
-        name: "csurf",
-        category: "middleware",
-        severity: "medium",
-        description: "CSRF protection middleware",
-    },
-];
-/**
- * Find imports of security libraries in a file
- *
- * Limitations:
- * - Uses regex, may match imports in comments
- * - Does not handle dynamic imports: import('zod')
- * - Does not track re-exports
- */
-export function findSecurityImports(content, libraries) {
-    const imports = [];
-    const lines = content.split("\n");
-    const libPattern = libraries.join("|");
-    // Match: import X from 'lib' / import { x, y } from 'lib' / import * as X from 'lib'
-    const importRegex = new RegExp(`^\\s*import\\s+(?:([\\w]+)|\\{([^}]+)\\}|\\*\\s+as\\s+([\\w]+))\\s+from\\s+['"](?:${libPattern})['"]`, "gm");
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        importRegex.lastIndex = 0;
-        for (const lib of libraries) {
-            // Check each library pattern
-            const patterns = [
-                // import X from 'lib'
-                new RegExp(`^\\s*import\\s+(\\w+)\\s+from\\s+['"]${lib}['"]`),
-                // import { x, y } from 'lib'
-                new RegExp(`^\\s*import\\s+\\{([^}]+)\\}\\s+from\\s+['"]${lib}['"]`),
-                // import * as X from 'lib'
-                new RegExp(`^\\s*import\\s+\\*\\s+as\\s+(\\w+)\\s+from\\s+['"]${lib}['"]`),
-                // import X, { y } from 'lib'
-                new RegExp(`^\\s*import\\s+(\\w+)\\s*,\\s*\\{([^}]+)\\}\\s+from\\s+['"]${lib}['"]`),
-            ];
-            for (let p = 0; p < patterns.length; p++) {
-                const match = line.match(patterns[p]);
-                if (match) {
-                    const importedNames = [];
-                    let isDefaultImport = false;
-                    let isNamespaceImport = false;
-                    if (p === 0) {
-                        // Default import
-                        importedNames.push(match[1]);
-                        isDefaultImport = true;
-                    }
-                    else if (p === 1) {
-                        // Named imports
-                        const names = match[1].split(",").map((n) => n.trim().split(/\s+as\s+/)[0].trim());
-                        importedNames.push(...names.filter(Boolean));
-                    }
-                    else if (p === 2) {
-                        // Namespace import
-                        importedNames.push(match[1]);
-                        isNamespaceImport = true;
-                    }
-                    else if (p === 3) {
-                        // Default + named
-                        importedNames.push(match[1]);
-                        isDefaultImport = true;
-                        const names = match[2].split(",").map((n) => n.trim().split(/\s+as\s+/)[0].trim());
-                        importedNames.push(...names.filter(Boolean));
-                    }
-                    imports.push({
-                        library: lib,
-                        importedNames,
-                        line: i + 1,
-                        snippet: line.trim(),
-                        isDefaultImport,
-                        isNamespaceImport,
-                    });
-                    break;
-                }
-            }
-        }
-    }
-    return imports;
-}
-/**
- * Check if any imported identifiers are used after the import line
- */
-export function checkIdentifierUsage(content, importLine, identifiers, isNamespaceImport) {
-    const lines = content.split("\n");
-    const afterImport = lines.slice(importLine).join("\n");
-    return identifiers.map((id) => {
-        // For namespace imports, check for namespace.something
-        if (isNamespaceImport) {
-            const namespaceRegex = new RegExp(`\\b${id}\\s*\\.`, "g");
-            return { identifier: id, used: namespaceRegex.test(afterImport) };
-        }
-        // For regular imports, check for identifier usage
-        // Match the identifier as a word boundary, not just as part of another word
-        const usageRegex = new RegExp(`\\b${id}\\b`, "g");
-        const matches = afterImport.match(usageRegex);
-        // If found at least once, it's used (the import line itself is excluded)
-        return { identifier: id, used: matches !== null && matches.length > 0 };
-    });
-}
-/**
- * Unused Security Imports Scanner
- *
- * Detects when security libraries are imported but not used
- */
-export async function scanUnusedSecurityImports(context) {
-    const { targetDir, sourceFiles } = context;
-    const findings = [];
-    const libNames = SECURITY_LIBS.map((l) => l.name);
-    for (const relFile of sourceFiles) {
-        const absPath = resolvePath(targetDir, relFile);
-        const content = readFileSync(absPath);
-        if (!content)
-            continue;
-        const imports = findSecurityImports(content, libNames);
-        for (const imp of imports) {
-            const libInfo = SECURITY_LIBS.find((l) => l.name === imp.library);
-            if (!libInfo)
-                continue;
-            const usageResults = checkIdentifierUsage(content, imp.line, imp.importedNames, imp.isNamespaceImport);
-            const unusedIdentifiers = usageResults
-                .filter((r) => !r.used)
-                .map((r) => r.identifier);
-            if (unusedIdentifiers.length === 0)
-                continue;
-            // All imported identifiers are unused
-            const allUnused = unusedIdentifiers.length === imp.importedNames.length;
-            const evidence = [
-                {
-                    file: relFile,
-                    startLine: imp.line,
-                    endLine: imp.line,
-                    snippet: imp.snippet,
-                    label: allUnused
-                        ? `Unused import of ${imp.library}`
-                        : `Partially unused import: ${unusedIdentifiers.join(", ")}`,
-                },
-            ];
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relFile,
-                symbol: imp.library,
-                startLine: imp.line,
-            });
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relFile,
-                    symbol: imp.library,
-                    startLine: imp.line,
-                }),
-                severity: libInfo.severity,
-                confidence: allUnused ? 0.9 : 0.75,
-                category: libInfo.category,
-                ruleId: RULE_ID,
-                title: allUnused
-                    ? `Imported ${libInfo.description.toLowerCase()} "${imp.library}" is not used`
-                    : `Partially unused import from "${imp.library}"`,
-                description: allUnused
-                    ? `The security library "${imp.library}" is imported but none of its exports are used. This may indicate incomplete implementation of ${libInfo.category} functionality.`
-                    : `Some exports from "${imp.library}" (${unusedIdentifiers.join(", ")}) are imported but not used. This may indicate incomplete implementation.`,
-                evidence,
-                remediation: {
-                    recommendedFix: allUnused
-                        ? `Either implement ${libInfo.category} using "${imp.library}" or remove the unused import.`
-                        : `Remove unused imports (${unusedIdentifiers.join(", ")}) or implement their usage.`,
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}

package/dist/scanners/uploads/index.d.ts

@@ -1,5 +0,0 @@
-import type { ScannerPack } from "../types.js";
-export declare const uploadsPack: ScannerPack;
-export { scanMissingUploadConstraints } from "./missing-constraints.js";
-export { scanPublicUploadPath } from "./public-path.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/scanners/uploads/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/uploads/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C,eAAO,MAAM,WAAW,EAAE,WAIzB,CAAC;AAEF,OAAO,EAAE,4BAA4B,EAAE,MAAM,0BAA0B,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/scanners/uploads/index.js

@@ -1,9 +0,0 @@
-import { scanMissingUploadConstraints } from "./missing-constraints.js";
-import { scanPublicUploadPath } from "./public-path.js";
-export const uploadsPack = {
-    id: "uploads",
-    name: "File Upload Security",
-    scanners: [scanMissingUploadConstraints, scanPublicUploadPath],
-};
-export { scanMissingUploadConstraints } from "./missing-constraints.js";
-export { scanPublicUploadPath } from "./public-path.js";

package/dist/scanners/uploads/missing-constraints.d.ts

@@ -1,15 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-UP-001: File upload without size/type constraints
- *
- * Targets:
- * - multer usage without limits/fileFilter
- * - formidable/busboy without size checks
- * - Next.js route handlers reading formData and accepting file without checking type/size
- *
- * Precision:
- * - Only flag if a file is accepted AND there is no check of file.size, file.type, or limits
- */
-export declare function scanMissingUploadConstraints(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=missing-constraints.d.ts.map

package/dist/scanners/uploads/missing-constraints.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"missing-constraints.d.ts","sourceRoot":"","sources":["../../../src/scanners/uploads/missing-constraints.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;;;;;GAUG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAoG3F"}

package/dist/scanners/uploads/missing-constraints.js

@@ -1,109 +0,0 @@
-import { resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-UP-001";
-/**
- * VC-UP-001: File upload without size/type constraints
- *
- * Targets:
- * - multer usage without limits/fileFilter
- * - formidable/busboy without size checks
- * - Next.js route handlers reading formData and accepting file without checking type/size
- *
- * Precision:
- * - Only flag if a file is accepted AND there is no check of file.size, file.type, or limits
- */
-export async function scanMissingUploadConstraints(context) {
-    const { repoRoot, fileIndex, helpers } = context;
-    const findings = [];
-    // Scan API route files
-    for (const relPath of fileIndex.apiRouteFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        const handlers = helpers.findRouteHandlers(sourceFile);
-        for (const handler of handlers) {
-            const uploadHandlers = helpers.findFileUploadHandlers(handler.functionNode);
-            for (const upload of uploadHandlers) {
-                // Only flag if missing both size and type checks
-                if (upload.hasSizeCheck && upload.hasTypeCheck)
-                    continue;
-                const missingChecks = [];
-                if (!upload.hasSizeCheck)
-                    missingChecks.push("size limit");
-                if (!upload.hasTypeCheck)
-                    missingChecks.push("type validation");
-                const evidence = [
-                    {
-                        file: relPath,
-                        startLine: upload.line,
-                        endLine: upload.line,
-                        snippet: upload.snippet,
-                        label: `File upload via ${upload.uploadMethod} without ${missingChecks.join(" or ")}`,
-                    },
-                ];
-                const fingerprint = generateFingerprint({
-                    ruleId: RULE_ID,
-                    file: relPath,
-                    symbol: upload.uploadMethod,
-                    startLine: upload.line,
-                });
-                findings.push({
-                    id: generateFindingId({
-                        ruleId: RULE_ID,
-                        file: relPath,
-                        symbol: upload.uploadMethod,
-                        startLine: upload.line,
-                    }),
-                    ruleId: RULE_ID,
-                    title: `File upload missing ${missingChecks.join(" and ")}`,
-                    description: `This file upload handler using ${upload.uploadMethod} lacks ${missingChecks.join(" and ")}. Without size limits, attackers can upload extremely large files causing denial of service. Without type validation, attackers may upload malicious executables, scripts, or unexpected content types.`,
-                    severity: "high",
-                    confidence: 0.8,
-                    category: "uploads",
-                    evidence,
-                    remediation: {
-                        recommendedFix: `Add both size limits and file type validation to your upload handler.`,
-                        patch: upload.uploadMethod === "multer"
-                            ? `// For multer, add limits and fileFilter:
-const upload = multer({
-  limits: {
-    fileSize: 5 * 1024 * 1024, // 5MB limit
-    files: 1, // Single file
-  },
-  fileFilter: (req, file, cb) => {
-    const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-    if (allowedTypes.includes(file.mimetype)) {
-      cb(null, true);
-    } else {
-      cb(new Error('Invalid file type'));
-    }
-  },
-});`
-                            : `// For Next.js formData, validate the file:
-const formData = await request.formData();
-const file = formData.get('file') as File;
-
-// Check file size
-const MAX_SIZE = 5 * 1024 * 1024; // 5MB
-if (file.size > MAX_SIZE) {
-  return Response.json({ error: 'File too large' }, { status: 400 });
-}
-
-// Check file type
-const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-if (!allowedTypes.includes(file.type)) {
-  return Response.json({ error: 'Invalid file type' }, { status: 400 });
-}`,
-                    },
-                    links: {
-                        cwe: "https://cwe.mitre.org/data/definitions/434.html",
-                        owasp: "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html",
-                    },
-                    fingerprint,
-                });
-            }
-        }
-    }
-    return findings;
-}

package/dist/scanners/uploads/public-path.d.ts

@@ -1,11 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-UP-002: Upload served from public path
- *
- * Detect:
- * - Writing uploaded file to `public/` or `static/` directories
- * - Or referencing user-supplied filenames in public URL generation
- */
-export declare function scanPublicUploadPath(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=public-path.d.ts.map

package/dist/scanners/uploads/public-path.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"public-path.d.ts","sourceRoot":"","sources":["../../../src/scanners/uploads/public-path.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAmFnF"}

package/dist/scanners/uploads/public-path.js

@@ -1,87 +0,0 @@
-import { resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-UP-002";
-/**
- * VC-UP-002: Upload served from public path
- *
- * Detect:
- * - Writing uploaded file to `public/` or `static/` directories
- * - Or referencing user-supplied filenames in public URL generation
- */
-export async function scanPublicUploadPath(context) {
-    const { repoRoot, fileIndex, helpers } = context;
-    const findings = [];
-    for (const relPath of fileIndex.allSourceFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        const publicWrites = helpers.findPublicFileWrites(sourceFile);
-        for (const write of publicWrites) {
-            if (!write.isPublicDir)
-                continue;
-            const evidence = [
-                {
-                    file: relPath,
-                    startLine: write.line,
-                    endLine: write.line,
-                    snippet: write.snippet,
-                    label: `File written to public path${write.usesUserFilename ? " with user-supplied filename" : ""}`,
-                },
-            ];
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relPath,
-                symbol: "public-write",
-                startLine: write.line,
-            });
-            const severity = write.usesUserFilename ? "high" : "medium";
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relPath,
-                    symbol: "public-write",
-                    startLine: write.line,
-                }),
-                ruleId: RULE_ID,
-                title: `Uploaded file written to public directory${write.usesUserFilename ? " with user filename" : ""}`,
-                description: `Files are being written to a publicly accessible directory (${write.writePath}).${write.usesUserFilename ? " The filename appears to come from user input, which could allow path traversal attacks or filename-based exploits." : ""} Publicly accessible uploads can be directly accessed by anyone and may be executed by the server if not properly configured.`,
-                severity,
-                confidence: 0.85,
-                category: "uploads",
-                evidence,
-                remediation: {
-                    recommendedFix: `Store uploads outside the public directory and serve them through a controlled API endpoint. Always sanitize and generate safe filenames.`,
-                    patch: `// DON'T: Write directly to public folder
-// fs.writeFile(path.join('public', filename), buffer);
-
-// DO: Store outside public with generated names
-import { randomUUID } from 'crypto';
-import path from 'path';
-
-// Generate safe filename
-const ext = path.extname(originalFilename).toLowerCase();
-const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'];
-if (!allowedExtensions.includes(ext)) {
-  throw new Error('Invalid file extension');
-}
-
-const safeFilename = \`\${randomUUID()}\${ext}\`;
-const uploadPath = path.join(process.cwd(), 'uploads', safeFilename);
-
-// Write to non-public directory
-await fs.writeFile(uploadPath, buffer);
-
-// Serve through API route:
-// GET /api/files/[id] -> Stream file from uploads directory`,
-                },
-                links: {
-                    cwe: "https://cwe.mitre.org/data/definitions/434.html",
-                    owasp: "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html",
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}

package/dist/scanners/validation/client-side-only.d.ts

@@ -1,14 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-VAL-002: Client-side-only validation
- *
- * Detects if validation libraries (zod/yup/joi) are used in frontend components
- * but API route handlers accept raw input without validation.
- *
- * Precision rule:
- * - Only flag if there exists at least one validation schema used in frontend
- * - AND at least one API route file exists that uses req.json without validation
- */
-export declare function scanClientSideOnlyValidation(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=client-side-only.d.ts.map

package/dist/scanners/validation/client-side-only.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"client-side-only.d.ts","sourceRoot":"","sources":["../../../src/scanners/validation/client-side-only.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;;;;GASG;AACH,wBAAsB,4BAA4B,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAyI3F"}

package/dist/scanners/validation/client-side-only.js

@@ -1,140 +0,0 @@
-import { resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-VAL-002";
-/**
- * VC-VAL-002: Client-side-only validation
- *
- * Detects if validation libraries (zod/yup/joi) are used in frontend components
- * but API route handlers accept raw input without validation.
- *
- * Precision rule:
- * - Only flag if there exists at least one validation schema used in frontend
- * - AND at least one API route file exists that uses req.json without validation
- */
-export async function scanClientSideOnlyValidation(context) {
-    const { repoRoot, fileIndex, helpers } = context;
-    const findings = [];
-    // Find frontend files with validation
-    const frontendFilesWithValidation = [];
-    for (const relPath of fileIndex.allSourceFiles) {
-        // Check if it's a frontend file (components, pages, but NOT api routes)
-        const isFrontend = (relPath.includes("/components/") ||
-            relPath.includes("\\components\\") ||
-            relPath.includes("/app/") ||
-            relPath.includes("\\app\\")) &&
-            !relPath.includes("/api/") &&
-            !relPath.includes("\\api\\") &&
-            (relPath.endsWith(".tsx") || relPath.endsWith(".jsx"));
-        if (!isFrontend)
-            continue;
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        if (helpers.hasValidationSchemas(sourceFile)) {
-            frontendFilesWithValidation.push(relPath);
-        }
-    }
-    // If no frontend validation found, skip
-    if (frontendFilesWithValidation.length === 0) {
-        return findings;
-    }
-    // Check API routes for missing server-side validation
-    for (const relPath of fileIndex.apiRouteFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        const handlers = helpers.findRouteHandlers(sourceFile);
-        const fileHasValidation = helpers.hasValidationSchemas(sourceFile);
-        for (const handler of handlers) {
-            // Only check POST/PUT/PATCH handlers that accept body
-            if (!["POST", "PUT", "PATCH"].includes(handler.method))
-                continue;
-            const handlerText = helpers.getNodeText(handler.functionNode);
-            // Check if handler reads request body
-            const readsBody = /\.json\s*\(\s*\)|\.body\b|await\s+request\.json\s*\(\s*\)/.test(handlerText);
-            if (!readsBody)
-                continue;
-            // Check if handler has validation
-            const validationUsages = helpers.findValidationUsage(handler.functionNode);
-            const hasValidation = validationUsages.length > 0 || fileHasValidation;
-            if (hasValidation)
-                continue;
-            const evidence = [
-                {
-                    file: relPath,
-                    startLine: handler.startLine,
-                    endLine: handler.endLine,
-                    snippet: handlerText.slice(0, 200) + "...",
-                    label: `${handler.method} handler accepts request body without server-side validation`,
-                },
-                {
-                    file: frontendFilesWithValidation[0],
-                    startLine: 1,
-                    endLine: 1,
-                    snippet: `Validation schema found in frontend component`,
-                    label: "Frontend validation exists but server validation missing",
-                },
-            ];
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relPath,
-                symbol: handler.method,
-                startLine: handler.startLine,
-            });
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relPath,
-                    symbol: handler.method,
-                    startLine: handler.startLine,
-                }),
-                ruleId: RULE_ID,
-                title: `Client-side-only validation on ${handler.method} endpoint`,
-                description: `This API endpoint accepts request body data without server-side validation, while validation schemas exist in frontend components. Client-side validation can be easily bypassed - attackers can send requests directly to your API. Always validate input on the server.`,
-                severity: "medium",
-                confidence: 0.7,
-                category: "validation",
-                evidence,
-                remediation: {
-                    recommendedFix: `Add server-side validation using the same schema. Consider sharing schemas between frontend and backend.`,
-                    patch: `// Share your Zod schema between frontend and backend:
-// lib/schemas/user.ts
-import { z } from "zod";
-
-export const createUserSchema = z.object({
-  name: z.string().min(1),
-  email: z.string().email(),
-});
-
-// In your API route:
-import { createUserSchema } from "@/lib/schemas/user";
-
-export async function POST(request: Request) {
-  const body = await request.json();
-
-  // Server-side validation
-  const result = createUserSchema.safeParse(body);
-  if (!result.success) {
-    return Response.json(
-      { error: result.error.flatten() },
-      { status: 400 }
-    );
-  }
-
-  // Use validated data
-  const { name, email } = result.data;
-  // ...
-}`,
-                },
-                links: {
-                    cwe: "https://cwe.mitre.org/data/definitions/20.html",
-                    owasp: "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html",
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}

package/dist/scanners/validation/ignored-validation.d.ts

@@ -1,12 +0,0 @@
-import type { Finding } from "@vibecheck/schema";
-import type { ScanContext } from "../types.js";
-/**
- * VC-VAL-001: Validation defined but output ignored
- *
- * Detects when zod/yup/joi validation is performed but:
- * - The validated result is not assigned to a variable
- * - The validated result is assigned but never referenced
- * - Raw request body is used after validation
- */
-export declare function scanIgnoredValidation(context: ScanContext): Promise<Finding[]>;
-//# sourceMappingURL=ignored-validation.d.ts.map

package/dist/scanners/validation/ignored-validation.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ignored-validation.d.ts","sourceRoot":"","sources":["../../../src/scanners/validation/ignored-validation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM/C;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAqHpF"}