@quantracode/vibecheck 0.2.2 → 0.3.0

package/dist/index.js

@@ -101,6 +101,15 @@ var CategorySchema = z4.enum([
   "uploads",
   "hallucinations",
   "abuse",
+  // Phase 4 categories
+  "correlation",
+  // Cross-pack correlation findings
+  "authorization",
+  // Role/ownership/privilege checks
+  "lifecycle",
+  // Create/update/delete symmetry
+  "supply-chain",
+  // Package.json/lockfile analysis
   "other"
 ]);
 var AbuseRiskSchema = z4.enum([
@@ -143,6 +152,40 @@ var AbuseClassificationSchema = z4.object({
   /** Heuristic confidence */
   confidence: z4.number().min(0).max(1)
 });
+var CorrelationPatternSchema = z4.enum([
+  // PR #1 patterns
+  "auth_without_validation",
+  // Route has auth but no input validation
+  "middleware_bypass",
+  // Middleware exists but route not covered
+  "secret_in_unprotected",
+  // Secret used in unprotected endpoint
+  "validation_without_auth",
+  // Input validated but no auth on state-changing
+  "create_update_asymmetry",
+  // CREATE validates, UPDATE doesn't
+  "ownership_without_auth",
+  // Ownership check but no auth check
+  // PR #2 patterns
+  "middleware_upload_gap",
+  // Upload endpoint not covered by middleware
+  "network_auth_leak",
+  // Token forwarded to SSRF-prone fetch
+  "privacy_auth_context",
+  // Sensitive logging in authenticated context
+  "crypto_auth_gate",
+  // jwt.decode() on auth gate path
+  "hallucination_coverage_gap"
+  // Comment claims protection, proof trace disagrees
+]);
+var CorrelationDataSchema = z4.object({
+  /** IDs of related findings that form this correlation */
+  relatedFindingIds: z4.array(z4.string()),
+  /** The correlation pattern detected */
+  pattern: CorrelationPatternSchema,
+  /** Brief explanation of the correlation */
+  explanation: z4.string()
+});
 var RemediationSchema = z4.object({
   recommendedFix: z4.string(),
   patch: z4.string().optional()
@@ -168,150 +211,283 @@ var FindingSchema = z4.object({
   links: ReferenceLinksSchema.optional(),
   fingerprint: z4.string(),
   /** Optional compute abuse classification */
-  abuseClassification: AbuseClassificationSchema.optional()
+  abuseClassification: AbuseClassificationSchema.optional(),
+  /** Optional correlation data for cross-pack findings (Phase 4) */
+  correlationData: CorrelationDataSchema.optional(),
+  /** References to related finding IDs/fingerprints (Phase 4) */
+  relatedFindings: z4.array(z4.string()).optional()
 });
 
-// ../schema/dist/schemas/artifact.js
+// ../schema/dist/schemas/supply-chain.js
 import { z as z5 } from "zod";
-var ARTIFACT_VERSION = "0.2";
-var SUPPORTED_VERSIONS = ["0.1", "0.2"];
-var ArtifactVersionSchema = z5.enum(SUPPORTED_VERSIONS);
-var ToolInfoSchema = z5.object({
+var DependencyRiskIndicatorSchema = z5.enum([
+  "unpinned_version",
+  // Uses ^ or ~ instead of exact version
+  "git_dependency",
+  // Uses git:// or github: URL
+  "postinstall_script",
+  // Has postinstall lifecycle hook
+  "preinstall_script",
+  // Has preinstall lifecycle hook
+  "file_dependency",
+  // Uses file: protocol
+  "link_dependency",
+  // Uses link: protocol
+  "deprecated_package"
+  // Package marked as deprecated in package.json
+]);
+var DependencyInfoSchema = z5.object({
+  /** Package name */
   name: z5.string(),
-  version: z5.string()
+  /** Declared version or range */
+  declaredVersion: z5.string(),
+  /** Resolved version from lockfile (if available) */
+  resolvedVersion: z5.string().optional(),
+  /** Whether this is a devDependency */
+  isDev: z5.boolean(),
+  /** Risk indicators found */
+  riskIndicators: z5.array(DependencyRiskIndicatorSchema),
+  /** Has lifecycle scripts */
+  hasLifecycleScripts: z5.boolean()
 });
-var GitInfoSchema = z5.object({
-  branch: z5.string().optional(),
-  commit: z5.string().optional(),
-  remoteUrl: z5.string().optional(),
-  isDirty: z5.boolean().optional()
+var LockfileInfoSchema = z5.object({
+  /** Lockfile type detected */
+  type: z5.enum(["npm", "pnpm", "yarn", "yarn-berry", "bun", "none"]),
+  /** Lockfile path relative to repo root */
+  path: z5.string().optional(),
+  /** Whether lockfile exists */
+  exists: z5.boolean(),
+  /** SHA-256 hash of lockfile content for integrity tracking */
+  contentHash: z5.string().optional(),
+  /** Total number of resolved dependencies */
+  totalDependencies: z5.number().int().nonnegative().optional()
 });
-var RepoInfoSchema = z5.object({
-  name: z5.string(),
-  rootPathHash: z5.string(),
+var PackageJsonInfoSchema = z5.object({
+  /** Path relative to repo root */
+  path: z5.string(),
+  /** Package name */
+  name: z5.string().optional(),
+  /** Package version */
+  version: z5.string().optional(),
+  /** Number of production dependencies */
+  dependencyCount: z5.number().int().nonnegative(),
+  /** Number of dev dependencies */
+  devDependencyCount: z5.number().int().nonnegative(),
+  /** Whether engines field is specified */
+  hasEngines: z5.boolean(),
+  /** Whether package-lock is disabled */
+  packageLockDisabled: z5.boolean()
+});
+var SupplyChainInfoSchema = z5.object({
+  /** Analysis timestamp */
+  analyzedAt: z5.string().datetime(),
+  /** Package.json info */
+  packageJson: PackageJsonInfoSchema,
+  /** Lockfile info */
+  lockfile: LockfileInfoSchema,
+  /** Dependencies with risk indicators (limited to those with issues) */
+  riskyDependencies: z5.array(DependencyInfoSchema),
+  /** Summary counts */
+  summary: z5.object({
+    totalDependencies: z5.number().int().nonnegative(),
+    unpinnedCount: z5.number().int().nonnegative(),
+    gitDependencyCount: z5.number().int().nonnegative(),
+    lifecycleScriptCount: z5.number().int().nonnegative()
+  })
+});
+
+// ../schema/dist/schemas/artifact.js
+import { z as z6 } from "zod";
+var ARTIFACT_VERSION = "0.3";
+var SUPPORTED_VERSIONS = ["0.1", "0.2", "0.3"];
+var ArtifactVersionSchema = z6.enum(SUPPORTED_VERSIONS);
+var ToolInfoSchema = z6.object({
+  name: z6.string(),
+  version: z6.string()
+});
+var GitInfoSchema = z6.object({
+  branch: z6.string().optional(),
+  commit: z6.string().optional(),
+  remoteUrl: z6.string().optional(),
+  isDirty: z6.boolean().optional()
+});
+var RepoInfoSchema = z6.object({
+  name: z6.string(),
+  rootPathHash: z6.string(),
   git: GitInfoSchema.optional()
 });
-var SeverityCountsSchema = z5.object({
-  critical: z5.number().int().nonnegative(),
-  high: z5.number().int().nonnegative(),
-  medium: z5.number().int().nonnegative(),
-  low: z5.number().int().nonnegative(),
-  info: z5.number().int().nonnegative()
+var SeverityCountsSchema = z6.object({
+  critical: z6.number().int().nonnegative(),
+  high: z6.number().int().nonnegative(),
+  medium: z6.number().int().nonnegative(),
+  low: z6.number().int().nonnegative(),
+  info: z6.number().int().nonnegative()
 });
-var CategoryCountsSchema = z5.object({
-  auth: z5.number().int().nonnegative(),
-  validation: z5.number().int().nonnegative(),
-  middleware: z5.number().int().nonnegative(),
-  secrets: z5.number().int().nonnegative(),
-  injection: z5.number().int().nonnegative(),
-  privacy: z5.number().int().nonnegative(),
-  config: z5.number().int().nonnegative(),
-  network: z5.number().int().nonnegative(),
-  crypto: z5.number().int().nonnegative(),
-  uploads: z5.number().int().nonnegative(),
-  hallucinations: z5.number().int().nonnegative(),
-  abuse: z5.number().int().nonnegative(),
-  other: z5.number().int().nonnegative()
+var CategoryCountsSchema = z6.object({
+  auth: z6.number().int().nonnegative(),
+  validation: z6.number().int().nonnegative(),
+  middleware: z6.number().int().nonnegative(),
+  secrets: z6.number().int().nonnegative(),
+  injection: z6.number().int().nonnegative(),
+  privacy: z6.number().int().nonnegative(),
+  config: z6.number().int().nonnegative(),
+  network: z6.number().int().nonnegative(),
+  crypto: z6.number().int().nonnegative(),
+  uploads: z6.number().int().nonnegative(),
+  hallucinations: z6.number().int().nonnegative(),
+  abuse: z6.number().int().nonnegative(),
+  // Phase 4 categories
+  correlation: z6.number().int().nonnegative(),
+  authorization: z6.number().int().nonnegative(),
+  lifecycle: z6.number().int().nonnegative(),
+  "supply-chain": z6.number().int().nonnegative(),
+  other: z6.number().int().nonnegative()
 });
-var SummarySchema = z5.object({
-  totalFindings: z5.number().int().nonnegative(),
+var SummarySchema = z6.object({
+  totalFindings: z6.number().int().nonnegative(),
   bySeverity: SeverityCountsSchema,
   byCategory: CategoryCountsSchema
 });
-var RouteEntrySchema = z5.object({
-  routeId: z5.string(),
-  method: z5.string(),
-  path: z5.string(),
-  handler: z5.string().optional(),
-  file: z5.string(),
-  startLine: z5.number().int().positive().optional(),
-  endLine: z5.number().int().positive().optional(),
-  handlerSymbol: z5.string().optional(),
+var RouteEntrySchema = z6.object({
+  routeId: z6.string(),
+  method: z6.string(),
+  path: z6.string(),
+  handler: z6.string().optional(),
+  file: z6.string(),
+  startLine: z6.number().int().positive().optional(),
+  endLine: z6.number().int().positive().optional(),
+  handlerSymbol: z6.string().optional(),
   // Deprecated: for backward compat with 0.1
-  line: z5.number().int().positive().optional(),
-  middleware: z5.array(z5.string()).optional()
+  line: z6.number().int().positive().optional(),
+  middleware: z6.array(z6.string()).optional()
 });
-var MiddlewareCoverageEntrySchema = z5.object({
-  routeId: z5.string(),
-  covered: z5.boolean(),
-  reason: z5.string().optional()
+var MiddlewareCoverageEntrySchema = z6.object({
+  routeId: z6.string(),
+  covered: z6.boolean(),
+  reason: z6.string().optional()
 });
-var MiddlewareEntrySchema = z5.object({
-  name: z5.string().optional(),
-  file: z5.string(),
-  line: z5.number().int().positive().optional(),
-  matcher: z5.array(z5.string()).optional(),
-  appliesTo: z5.array(z5.string()).optional()
+var MiddlewareEntrySchema = z6.object({
+  name: z6.string().optional(),
+  file: z6.string(),
+  line: z6.number().int().positive().optional(),
+  matcher: z6.array(z6.string()).optional(),
+  appliesTo: z6.array(z6.string()).optional()
 });
-var MiddlewareMapSchema = z5.object({
-  middlewareFile: z5.string().optional(),
-  matcher: z5.array(z5.string()),
-  coverage: z5.array(MiddlewareCoverageEntrySchema)
+var MiddlewareMapSchema = z6.object({
+  middlewareFile: z6.string().optional(),
+  matcher: z6.array(z6.string()),
+  coverage: z6.array(MiddlewareCoverageEntrySchema)
 });
-var IntentEntrySchema = z5.object({
-  intentId: z5.string(),
+var IntentEntrySchema = z6.object({
+  intentId: z6.string(),
   type: ClaimTypeSchema,
   scope: ClaimScopeSchema,
-  targetRouteId: z5.string().optional(),
+  targetRouteId: z6.string().optional(),
   source: ClaimSourceSchema,
-  location: z5.object({
-    file: z5.string(),
-    startLine: z5.number().int().positive(),
-    endLine: z5.number().int().positive()
+  location: z6.object({
+    file: z6.string(),
+    startLine: z6.number().int().positive(),
+    endLine: z6.number().int().positive()
   }),
   strength: ClaimStrengthSchema,
-  textEvidence: z5.string()
+  textEvidence: z6.string()
 });
-var IntentMapSchema = z5.object({
-  intents: z5.array(IntentEntrySchema)
+var IntentMapSchema = z6.object({
+  intents: z6.array(IntentEntrySchema)
 });
-var RouteMapSchema = z5.object({
-  routes: z5.array(RouteEntrySchema)
+var RouteMapSchema = z6.object({
+  routes: z6.array(RouteEntrySchema)
 });
-var CoverageMetricsSchema = z5.object({
-  authCoverage: z5.object({
-    totalStateChanging: z5.number().int().nonnegative(),
-    protectedCount: z5.number().int().nonnegative(),
-    unprotectedCount: z5.number().int().nonnegative()
+var CoverageMetricsSchema = z6.object({
+  authCoverage: z6.object({
+    totalStateChanging: z6.number().int().nonnegative(),
+    protectedCount: z6.number().int().nonnegative(),
+    unprotectedCount: z6.number().int().nonnegative()
   }).optional(),
-  validationCoverage: z5.object({
-    totalStateChanging: z5.number().int().nonnegative(),
-    validatedCount: z5.number().int().nonnegative()
+  validationCoverage: z6.object({
+    totalStateChanging: z6.number().int().nonnegative(),
+    validatedCount: z6.number().int().nonnegative()
   }).optional(),
-  middlewareCoverage: z5.object({
-    totalApiRoutes: z5.number().int().nonnegative(),
-    coveredApiRoutes: z5.number().int().nonnegative()
+  middlewareCoverage: z6.object({
+    totalApiRoutes: z6.number().int().nonnegative(),
+    coveredApiRoutes: z6.number().int().nonnegative()
   }).optional()
 });
-var MetricsSchema = z5.object({
-  filesScanned: z5.number().int().nonnegative(),
-  linesOfCode: z5.number().int().nonnegative(),
-  scanDurationMs: z5.number().nonnegative(),
-  rulesExecuted: z5.number().int().nonnegative()
+var MetricsSchema = z6.object({
+  filesScanned: z6.number().int().nonnegative(),
+  linesOfCode: z6.number().int().nonnegative(),
+  scanDurationMs: z6.number().nonnegative(),
+  rulesExecuted: z6.number().int().nonnegative()
 }).merge(CoverageMetricsSchema);
-var ScanArtifactSchema = z5.object({
+var CIMetadataSchema = z6.object({
+  /** Security score (0-100) */
+  securityScore: z6.number().int().min(0).max(100),
+  /** Overall status for CI badge */
+  status: z6.enum(["pass", "warn", "fail"]),
+  /** Badge generation timestamp */
+  badgeGeneratedAt: z6.string().datetime().optional(),
+  /** SHA-256 hash for determinism certification */
+  artifactHash: z6.string().optional(),
+  /** Whether artifact passed determinism certification */
+  deterministicCertified: z6.boolean().optional()
+});
+var CorrelationSummarySchema = z6.object({
+  /** Total number of correlation findings generated */
+  totalCorrelations: z6.number().int().nonnegative(),
+  /** Count by correlation pattern */
+  byPattern: z6.record(z6.string(), z6.number().int().nonnegative()),
+  /** Correlation pass duration in ms */
+  correlationDurationMs: z6.number().nonnegative().optional()
+});
+var GraphNodeSchema = z6.object({
+  id: z6.string(),
+  type: z6.enum(["route", "middleware", "finding", "intent", "function"]),
+  label: z6.string(),
+  file: z6.string().optional(),
+  line: z6.number().int().positive().optional(),
+  metadata: z6.record(z6.string(), z6.unknown()).optional()
+});
+var GraphEdgeSchema = z6.object({
+  source: z6.string(),
+  target: z6.string(),
+  type: z6.enum(["calls", "protects", "validates", "correlates", "references"]),
+  label: z6.string().optional()
+});
+var ProofTraceGraphSchema = z6.object({
+  nodes: z6.array(GraphNodeSchema),
+  edges: z6.array(GraphEdgeSchema)
+});
+var ScanArtifactSchema = z6.object({
   artifactVersion: ArtifactVersionSchema,
-  generatedAt: z5.string().datetime(),
+  generatedAt: z6.string().datetime(),
   tool: ToolInfoSchema,
   repo: RepoInfoSchema.optional(),
   summary: SummarySchema,
-  findings: z5.array(FindingSchema),
+  findings: z6.array(FindingSchema),
   // Phase 3: Enhanced maps
-  routeMap: z5.union([
-    z5.array(RouteEntrySchema),
+  routeMap: z6.union([
+    z6.array(RouteEntrySchema),
     // Legacy format (0.1)
     RouteMapSchema
     // New format (0.2)
   ]).optional(),
-  middlewareMap: z5.union([
-    z5.array(MiddlewareEntrySchema),
+  middlewareMap: z6.union([
+    z6.array(MiddlewareEntrySchema),
     // Legacy format (0.1)
     MiddlewareMapSchema
     // New format (0.2)
   ]).optional(),
   intentMap: IntentMapSchema.optional(),
-  proofTraces: z5.record(z5.string(), ProofTraceSchema).optional(),
-  metrics: MetricsSchema.optional()
+  proofTraces: z6.record(z6.string(), ProofTraceSchema).optional(),
+  metrics: MetricsSchema.optional(),
+  // Phase 4: Supply chain analysis
+  supplyChainInfo: SupplyChainInfoSchema.optional(),
+  // Phase 4: CI badge metadata
+  ciMetadata: CIMetadataSchema.optional(),
+  // Phase 4: Correlation summary
+  correlationSummary: CorrelationSummarySchema.optional(),
+  // Phase 4: Proof trace graph for visualization
+  graph: ProofTraceGraphSchema.optional()
 });
 function computeSummary(findings) {
   const bySeverity = {
@@ -334,6 +510,11 @@ function computeSummary(findings) {
     uploads: 0,
     hallucinations: 0,
     abuse: 0,
+    // Phase 4 categories
+    correlation: 0,
+    authorization: 0,
+    lifecycle: 0,
+    "supply-chain": 0,
     other: 0
   };
   for (const finding of findings) {
@@ -365,6 +546,9 @@ function validateArtifact(json) {
   return result.data;
 }
 
+// src/constants.ts
+var CLI_VERSION = "0.2.3";
+
 // src/utils/file-utils.ts
 import fs from "fs";
 import path from "path";
@@ -3927,165 +4111,2385 @@ var abusePack = {
   scanners: [scanComputeAbuse]
 };
 
-// src/phase3/proof-trace-builder.ts
-import crypto3 from "crypto";
-import path3 from "path";
-import { SyntaxKind as SyntaxKind2 } from "ts-morph";
-var MAX_TRACE_DEPTH = 2;
-function generateRouteId(routePath, method, file) {
-  const normalized = `${method}:${routePath}:${file}`.toLowerCase();
-  return crypto3.createHash("sha256").update(normalized).digest("hex").slice(0, 12);
-}
-function filePathToRoutePath(filePath) {
+// src/scanners/authorization/admin-route-no-role-guard.ts
+var RULE_ID20 = "VC-AUTHZ-001";
+var ADMIN_PATH_PATTERNS = [
+  /\/admin\//i,
+  /\/admin$/i,
+  /\/administrator/i,
+  /\/superuser/i,
+  /\/staff\//i,
+  /\/internal\//i,
+  /\/management\//i,
+  /\/backoffice/i
+];
+var ADMIN_FUNCTION_PATTERNS = [
+  /admin/i,
+  /superuser/i,
+  /moderator/i,
+  /staff/i
+];
+var AUTH_CHECK_PATTERNS2 = [
+  "getServerSession",
+  "getSession",
+  "auth",
+  "requireAuth",
+  "withAuth",
+  "verifyJwt",
+  "verifyToken",
+  "authenticate",
+  "isAuthenticated",
+  "checkAuth",
+  "validateSession",
+  "getToken"
+];
+var ROLE_CHECK_PATTERNS = [
+  // Direct role checks
+  /session\.user\.role\s*[!=]==?\s*["'](admin|moderator|staff|superuser)["']/i,
+  /user\.role\s*[!=]==?\s*["'](admin|moderator|staff|superuser)["']/i,
+  /\.role\s*[!=]==?\s*["'](admin|moderator|staff|superuser)["']/i,
+  /\.isAdmin/i,
+  /\.is_admin/i,
+  // Role includes check: .includes(session.user.role) or ["admin", "mod"].includes(role)
+  /\.includes\s*\(\s*session\.user\.role\s*\)/i,
+  /\[.*["']admin["'].*\]\.includes\s*\(/i,
+  // Role checking functions
+  /checkRole\s*\(/i,
+  /hasRole\s*\(/i,
+  /isRole\s*\(/i,
+  /requireRole\s*\(/i,
+  /authorizeRole\s*\(/i,
+  /verifyRole\s*\(/i,
+  /assertRole\s*\(/i,
+  // Admin check functions
+  /requireAdmin/i,
+  /isAdmin\s*\(/i,
+  /checkAdmin/i,
+  /assertAdmin/i,
+  /adminOnly/i,
+  // Permission checks
+  /hasPermission\s*\(/i,
+  /checkPermission\s*\(/i,
+  /requirePermission\s*\(/i,
+  /can\s*\(\s*["']admin/i,
+  /abilities\./i,
+  /permissions\./i,
+  // RBAC/ABAC libraries
+  /casl/i,
+  /accesscontrol/i,
+  /rbac/i
+];
+function extractRoutePath2(filePath) {
   const normalized = filePath.replace(/\\/g, "/");
-  const appIndex = normalized.indexOf("/app/");
-  if (appIndex === -1) {
-    const appIndexAlt = normalized.indexOf("app/");
-    if (appIndexAlt === 0) {
-      return extractRoutePath2(normalized.slice(4));
-    }
-    return "/";
+  const match = normalized.match(/(?:app|src\/app)(\/api\/[^/]+(?:\/[^/]+)*?)\/route\.[tj]sx?$/);
+  if (match) {
+    return match[1];
   }
-  return extractRoutePath2(normalized.slice(appIndex + 5));
+  return normalized;
 }
-function extractRoutePath2(routePart) {
-  const withoutRoute = routePart.replace(/\/route\.(ts|tsx|js|jsx)$/, "");
-  if (withoutRoute === "" || withoutRoute === "api") {
-    return withoutRoute === "" ? "/" : "/api";
-  }
-  return "/" + withoutRoute;
+function isAdminPath(routePath) {
+  return ADMIN_PATH_PATTERNS.some((pattern) => pattern.test(routePath));
 }
-function buildRouteMap(ctx) {
-  const routes = [];
-  for (const routeFile of ctx.fileIndex.routeFiles) {
-    const absolutePath = path3.join(ctx.repoRoot, routeFile);
-    const sourceFile = ctx.helpers.parseFile(absolutePath);
+function isAdminHandler(handlerName) {
+  return ADMIN_FUNCTION_PATTERNS.some((pattern) => pattern.test(handlerName));
+}
+function hasAuthCheck(handlerText) {
+  return AUTH_CHECK_PATTERNS2.some((pattern) => handlerText.includes(pattern));
+}
+function hasRoleCheck(handlerText) {
+  return ROLE_CHECK_PATTERNS.some((pattern) => pattern.test(handlerText));
+}
+async function scanAdminRouteNoRoleGuard(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
     if (!sourceFile) continue;
-    const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-    const relPath = routeFile.replace(/\\/g, "/");
-    const routePath = filePathToRoutePath(relPath);
+    const routePath = extractRoutePath2(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
     for (const handler of handlers) {
-      const routeId = generateRouteId(routePath, handler.method, relPath);
-      routes.push({
-        routeId,
-        method: handler.method,
-        path: routePath,
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      const pathIsAdmin = isAdminPath(routePath);
+      const handlerIsAdmin = isAdminHandler(handler.exportName);
+      if (!pathIsAdmin && !handlerIsAdmin) {
+        continue;
+      }
+      if (!hasAuthCheck(handlerText)) {
+        continue;
+      }
+      if (hasRoleCheck(handlerText)) {
+        continue;
+      }
+      const evidence = [
+        {
+          file: relPath,
+          startLine: handler.startLine,
+          endLine: handler.endLine,
+          snippet: handlerText.slice(0, 300) + (handlerText.length > 300 ? "..." : ""),
+          label: `Admin ${handler.method} handler with auth but no role guard`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID20,
         file: relPath,
-        startLine: handler.startLine,
-        endLine: handler.endLine
+        symbol: handler.method,
+        route: routePath
       });
-    }
-  }
-  return routes;
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID20,
+          file: relPath,
+          symbol: handler.method
+        }),
+        ruleId: RULE_ID20,
+        title: `Admin route ${routePath} has auth but no role guard`,
+        description: `The ${handler.method} handler at ${routePath} has authentication checks (verifying user identity) but lacks role-based authorization (verifying admin privileges). Any authenticated user could potentially access this admin functionality. Authentication proves WHO you are; authorization proves WHAT you can do.`,
+        severity: "high",
+        confidence: 0.8,
+        category: "authorization",
+        evidence,
+        remediation: {
+          recommendedFix: `Add a role check after authentication. Example:
+
+const session = await getServerSession();
+if (!session) {
+  return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
-function buildMiddlewareMap(ctx) {
-  const middlewareList = [];
-  if (!ctx.fileIndex.middlewareFile) {
-    return middlewareList;
-  }
-  const absolutePath = path3.join(ctx.repoRoot, ctx.fileIndex.middlewareFile);
-  const sourceFile = ctx.helpers.parseFile(absolutePath);
-  if (!sourceFile) return middlewareList;
-  const relPath = ctx.fileIndex.middlewareFile.replace(/\\/g, "/");
-  const matchers = extractMiddlewareMatchers(sourceFile);
-  const protectsApi = matchers.some(
-    (m) => m.includes("/api") || m.includes("/(api)") || m === "/(.*)"
-  );
-  let startLine = 1;
-  sourceFile.forEachDescendant((node) => {
-    if (node.getKind() === SyntaxKind2.VariableDeclaration && node.getText().includes("config")) {
-      startLine = node.getStartLineNumber();
-    }
-  });
-  middlewareList.push({
-    file: relPath,
-    matchers,
-    protectsApi,
-    startLine
-  });
-  return middlewareList;
+if (session.user.role !== "admin") {
+  return Response.json({ error: "Forbidden" }, { status: 403 });
 }
-function extractMiddlewareMatchers(sourceFile) {
-  const matchers = [];
-  sourceFile.forEachDescendant((node) => {
-    if (node.getKind() === SyntaxKind2.PropertyAssignment) {
-      const text = node.getText();
-      if (text.startsWith("matcher")) {
-        node.forEachDescendant((child) => {
-          if (child.getKind() === SyntaxKind2.StringLiteral) {
-            const value = child.getText().replace(/['"]/g, "");
-            matchers.push(value);
-          }
-        });
-      }
+
+Consider using a role-based access control library like CASL or accesscontrol.`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+          cwe: "https://cwe.mitre.org/data/definitions/285.html"
+        },
+        fingerprint
+      });
     }
-  });
-  return matchers;
+  }
+  return findings;
 }
-function isRouteCoveredByMiddleware(routePath, matchers) {
-  for (const matcher of matchers) {
-    const pattern = matcher.replace(/\*/g, ".*").replace(/\/:path\*/g, "/.*").replace(/\(([^)]+)\)/g, "(?:$1)");
-    try {
-      const regex = new RegExp(`^${pattern}`);
-      if (regex.test(routePath)) {
-        return true;
-      }
-    } catch {
-      if (routePath.startsWith(matcher.replace(/\/:path\*$/, ""))) {
-        return true;
-      }
-    }
+
+// src/scanners/authorization/ownership-check-missing.ts
+var RULE_ID21 = "VC-AUTHZ-002";
+var USER_ID_PARAMS = [
+  "userId",
+  "user_id",
+  "userid",
+  "ownerId",
+  "owner_id",
+  "authorId",
+  "author_id",
+  "creatorId",
+  "creator_id",
+  "accountId",
+  "account_id",
+  "memberId",
+  "member_id",
+  "profileId",
+  "profile_id"
+];
+var OWNERSHIP_CHECK_PATTERNS = [
+  // Direct equality: userId === session.user.id
+  /(?:userId|user_id|ownerId|owner_id|authorId)\s*===?\s*session\.user\.id/i,
+  /session\.user\.id\s*===?\s*(?:userId|user_id|ownerId|owner_id|authorId)/i,
+  // Inequality check for ownership: userId !== session.user.id
+  /(?:userId|user_id|ownerId|owner_id|authorId)\s*!==?\s*session\.user\.id/i,
+  /session\.user\.id\s*!==?\s*(?:userId|user_id|ownerId|owner_id|authorId)/i,
+  // Function-based checks
+  /isOwner\s*\(/i,
+  /checkOwnership\s*\(/i,
+  /verifyOwnership\s*\(/i,
+  /canAccess\s*\(/i,
+  /belongsTo\s*\(/i,
+  /ownedBy\s*\(/i,
+  // Prisma where clause with session user
+  /where\s*:\s*\{[^}]*(?:userId|user_id|ownerId|authorId)\s*:\s*session\.user\.id/i,
+  /where\s*:\s*\{[^}]*userId\s*:\s*user\.id/i,
+  // Combined auth + resource check
+  /\.findFirst\s*\([^)]*where\s*:\s*\{[^}]*AND/i,
+  // Finding resource by session user (safe pattern for ownership)
+  /authorId\s*:\s*session\.user\.id/i,
+  /ownerId\s*:\s*session\.user\.id/i,
+  /userId\s*:\s*session\.user\.id/i,
+  /creatorId\s*:\s*session\.user\.id/i,
+  // Role-based authorization (admin/moderator can access any resource)
+  /session\.user\.role\s*[!=]==?\s*["']admin["']/i,
+  /\.role\s*[!=]==?\s*["']admin["']/i,
+  /\.includes\s*\(\s*session\.user\.role\s*\)/i,
+  /\[.*["']admin["'].*\]\.includes/i
+];
+var DANGEROUS_OPS_PATTERNS = [
+  /prisma\.\w+\.update/i,
+  /prisma\.\w+\.delete/i,
+  /prisma\.\w+\.upsert/i,
+  /\.update\s*\(/i,
+  /\.delete\s*\(/i,
+  /\.destroy\s*\(/i,
+  /\.remove\s*\(/i,
+  /db\.\w+\.update/i,
+  /db\.\w+\.delete/i
+];
+function extractRoutePath3(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/(?:app|src\/app)(\/api\/[^/]+(?:\/[^/]+)*?)\/route\.[tj]sx?$/);
+  if (match) {
+    return match[1];
   }
-  return false;
+  return normalized;
 }
-function buildProofTrace(ctx, route) {
-  const steps = [];
-  let authProven = false;
-  let validationProven = false;
-  const sourceFile = ctx.helpers.parseFile(
-    path3.join(ctx.repoRoot, route.file)
-  );
-  if (!sourceFile) {
-    return {
-      routeId: route.routeId,
-      authProven: false,
-      validationProven: false,
-      middlewareCovered: false,
-      steps: []
-    };
+function extractsUserId(handlerText) {
+  const hasBodyExtraction = /(?:await\s+)?(?:request\.json|req\.body)\s*\(\s*\)|\.json\s*\(\s*\)/.test(handlerText);
+  if (!hasBodyExtraction) {
+    return { found: false };
   }
-  const handlers = ctx.helpers.findRouteHandlers(sourceFile);
-  const handler = handlers.find((h) => h.method === route.method);
-  if (!handler) {
-    return {
-      routeId: route.routeId,
-      authProven: false,
-      validationProven: false,
-      middlewareCovered: false,
-      steps: []
-    };
+  for (const param of USER_ID_PARAMS) {
+    const pattern = new RegExp(`\\{[^}]*\\b${param}\\b[^}]*\\}\\s*=\\s*(?:await\\s+)?`, "i");
+    if (pattern.test(handlerText)) {
+      const match = handlerText.match(pattern);
+      return {
+        found: true,
+        param,
+        snippet: match?.[0] || param
+      };
+    }
   }
-  if (ctx.helpers.containsAuthCheck(handler.functionNode)) {
-    authProven = true;
-    steps.push({
-      file: route.file,
-      line: handler.startLine,
-      snippet: truncateSnippet(handler.functionNode.getText(), 100),
-      label: "Auth check found in handler"
-    });
+  for (const param of USER_ID_PARAMS) {
+    const directPattern = new RegExp(`(?:body|data|payload)\\.${param}\\b`, "i");
+    if (directPattern.test(handlerText)) {
+      const match = handlerText.match(directPattern);
+      return {
+        found: true,
+        param,
+        snippet: match?.[0] || param
+      };
+    }
   }
-  const validationUsage = ctx.helpers.findValidationUsage(handler.functionNode);
-  if (validationUsage.length > 0 && validationUsage.some((v) => v.resultUsed)) {
-    validationProven = true;
-    steps.push({
-      file: route.file,
-      line: validationUsage[0].line,
-      snippet: truncateSnippet(ctx.helpers.getNodeText(validationUsage[0].node), 100),
-      label: "Validation found in handler"
-    });
+  return { found: false };
+}
+function hasOwnershipCheck(handlerText) {
+  return OWNERSHIP_CHECK_PATTERNS.some((pattern) => pattern.test(handlerText));
+}
+function hasDangerousOps(handlerText) {
+  return DANGEROUS_OPS_PATTERNS.some((pattern) => pattern.test(handlerText));
+}
+function hasSessionAccess(handlerText) {
+  return /session\.user|getServerSession|auth\(\)|currentUser|req\.user/i.test(handlerText);
+}
+async function scanOwnershipCheckMissing(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
   }
-  if (!authProven || !validationProven) {
-    const importedModules = getLocalImports(sourceFile, ctx.repoRoot, route.file);
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const routePath = extractRoutePath3(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    for (const handler of handlers) {
+      if (!["POST", "PUT", "PATCH", "DELETE"].includes(handler.method)) {
+        continue;
+      }
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      const userIdExtraction = extractsUserId(handlerText);
+      if (!userIdExtraction.found) {
+        continue;
+      }
+      if (!hasDangerousOps(handlerText)) {
+        continue;
+      }
+      if (!hasSessionAccess(handlerText)) {
+        continue;
+      }
+      if (hasOwnershipCheck(handlerText)) {
+        continue;
+      }
+      const evidence = [
+        {
+          file: relPath,
+          startLine: handler.startLine,
+          endLine: handler.endLine,
+          snippet: handlerText.slice(0, 400) + (handlerText.length > 400 ? "..." : ""),
+          label: `${handler.method} handler extracts ${userIdExtraction.param} without ownership check`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID21,
+        file: relPath,
+        symbol: handler.method,
+        route: routePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID21,
+          file: relPath,
+          symbol: handler.method
+        }),
+        ruleId: RULE_ID21,
+        title: `Missing ownership check for ${userIdExtraction.param} in ${routePath}`,
+        description: `The ${handler.method} handler at ${routePath} extracts '${userIdExtraction.param}' from the request and performs database operations, but never verifies that this ID belongs to the authenticated user. An attacker could modify or delete another user's resources by supplying a different user ID. This is an Insecure Direct Object Reference (IDOR) vulnerability.`,
+        severity: "critical",
+        confidence: 0.75,
+        category: "authorization",
+        evidence,
+        remediation: {
+          recommendedFix: `Verify that the requested resource belongs to the authenticated user:
+
+// Option 1: Compare IDs explicitly
+if (userId !== session.user.id) {
+  return Response.json({ error: "Forbidden" }, { status: 403 });
+}
+
+// Option 2: Include ownership in the database query
+const resource = await prisma.post.findFirst({
+  where: { id: postId, authorId: session.user.id }
+});
+if (!resource) {
+  return Response.json({ error: "Not found" }, { status: 404 });
+}`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+          cwe: "https://cwe.mitre.org/data/definitions/639.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/authorization/role-declared-not-enforced.ts
+var RULE_ID22 = "VC-AUTHZ-003";
+var ROLE_DECLARATION_PATTERNS = [
+  // Type unions: type Role = "admin" | "user"
+  /type\s+Role\s*=\s*["'][^"']+["']\s*\|/i,
+  // Enum: enum Role { Admin, User }
+  /enum\s+Role\s*\{/i,
+  // Const object: const ROLES = { ADMIN: "admin", ... }
+  /const\s+ROLES?\s*=\s*\{/i,
+  // Role array: const roles = ["admin", "user"]
+  /const\s+roles?\s*=\s*\[/i,
+  // Interface with role: interface User { role: "admin" | "user" }
+  /role\s*:\s*["'][^"']+["']\s*\|/i
+];
+var ROLE_VALUES = [
+  "admin",
+  "administrator",
+  "superuser",
+  "moderator",
+  "editor",
+  "manager",
+  "staff",
+  "user",
+  "guest",
+  "viewer",
+  "member"
+];
+var ROLE_CHECK_PATTERNS2 = [
+  // Direct role comparison with session
+  /session\.user\.role\s*[!=]==?\s*["'](admin|moderator|staff|manager|user)["']/i,
+  /\.role\s*[!=]==?\s*["'](admin|moderator|staff|manager|user)["']/i,
+  /["'](admin|moderator|staff|manager)["']\s*[!=]==?\s*\.role/i,
+  // Role existence check: if (!session.user.role) or if (session.user.role)
+  /!\s*session\.user\.role\b/i,
+  /if\s*\(\s*session\.user\.role\b/i,
+  // Role includes/has methods
+  /\.role\s*===?\s*\w+\.ADMIN/i,
+  /hasRole\s*\(/i,
+  /checkRole\s*\(/i,
+  /isRole\s*\(/i,
+  /requireRole\s*\(/i,
+  /roles?\.\s*includes\s*\(/i,
+  /\[.*["']admin["'].*\]\.includes\s*\(.*session\.user\.role/i,
+  /\.includes\s*\(\s*session\.user\.role\s*\)/i,
+  // Admin checks
+  /\.isAdmin/i,
+  /isAdmin\s*\(/i,
+  /requireAdmin/i,
+  /adminOnly/i,
+  // RBAC libraries
+  /can\s*\(\s*["']/i,
+  /abilities\./i,
+  /casl/i,
+  /accesscontrol/i
+];
+var AUTH_PATTERNS = [
+  "getServerSession",
+  "getSession",
+  "auth(",
+  "session.user",
+  "currentUser"
+];
+function findRoleDeclarations(context) {
+  const declarations = [];
+  const { repoRoot, fileIndex, helpers } = context;
+  const typeFiles = fileIndex.allSourceFiles.filter(
+    (f) => f.includes("/types/") || f.includes("/types.") || f.includes("/constants") || f.includes("/config") || f.includes("/auth") || f.includes("/lib/")
+  );
+  for (const relPath of typeFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const text = sourceFile.getFullText();
+    for (const pattern of ROLE_DECLARATION_PATTERNS) {
+      const match = text.match(pattern);
+      if (match) {
+        const rolesFound = ROLE_VALUES.filter(
+          (role) => new RegExp(`["']${role}["']`, "i").test(text)
+        );
+        if (rolesFound.length > 1) {
+          const pos = match.index || 0;
+          const line = sourceFile.getLineAndColumnAtPos(pos).line;
+          declarations.push({
+            file: relPath,
+            line,
+            snippet: match[0].slice(0, 100),
+            roles: rolesFound
+          });
+          break;
+        }
+      }
+    }
+    const typeAliases = sourceFile.getTypeAliases();
+    for (const typeAlias of typeAliases) {
+      const name = typeAlias.getName();
+      if (/^role$/i.test(name)) {
+        const typeText = typeAlias.getText();
+        const rolesFound = ROLE_VALUES.filter(
+          (role) => new RegExp(`["']${role}["']`, "i").test(typeText)
+        );
+        if (rolesFound.length > 1) {
+          declarations.push({
+            file: relPath,
+            line: typeAlias.getStartLineNumber(),
+            snippet: typeText.slice(0, 100),
+            roles: rolesFound
+          });
+        }
+      }
+    }
+    const enums = sourceFile.getEnums();
+    for (const enumDecl of enums) {
+      const name = enumDecl.getName();
+      if (/^role$/i.test(name)) {
+        const members = enumDecl.getMembers().map((m) => m.getName().toLowerCase());
+        const matchingRoles = members.filter(
+          (m) => ROLE_VALUES.some((r) => m.includes(r))
+        );
+        if (matchingRoles.length > 1) {
+          declarations.push({
+            file: relPath,
+            line: enumDecl.getStartLineNumber(),
+            snippet: enumDecl.getText().slice(0, 100),
+            roles: matchingRoles
+          });
+        }
+      }
+    }
+  }
+  return declarations;
+}
+function hasRoleEnforcement(handlerText) {
+  return ROLE_CHECK_PATTERNS2.some((pattern) => pattern.test(handlerText));
+}
+function hasAuthAccess(handlerText) {
+  return AUTH_PATTERNS.some((pattern) => handlerText.includes(pattern));
+}
+function extractRoutePath4(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/(?:app|src\/app)(\/api\/[^/]+(?:\/[^/]+)*?)\/route\.[tj]sx?$/);
+  if (match) {
+    return match[1];
+  }
+  return normalized;
+}
+async function scanRoleDeclaredNotEnforced(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  const roleDeclarations = findRoleDeclarations(context);
+  if (roleDeclarations.length === 0) {
+    return findings;
+  }
+  const routesWithoutEnforcement = [];
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const routePath = extractRoutePath4(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    for (const handler of handlers) {
+      if (!["POST", "PUT", "PATCH", "DELETE"].includes(handler.method)) {
+        continue;
+      }
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      if (!hasAuthAccess(handlerText)) {
+        continue;
+      }
+      if (hasRoleEnforcement(handlerText)) {
+        continue;
+      }
+      routesWithoutEnforcement.push({
+        file: relPath,
+        routePath,
+        method: handler.method,
+        startLine: handler.startLine,
+        endLine: handler.endLine,
+        snippet: handlerText.slice(0, 300) + (handlerText.length > 300 ? "..." : "")
+      });
+    }
+  }
+  if (routesWithoutEnforcement.length > 0 && roleDeclarations.length > 0) {
+    const routesToFlag = routesWithoutEnforcement.slice(0, 5);
+    for (const route of routesToFlag) {
+      const roleDecl = roleDeclarations[0];
+      const evidence = [
+        {
+          file: roleDecl.file,
+          startLine: roleDecl.line,
+          endLine: roleDecl.line,
+          snippet: roleDecl.snippet,
+          label: `Role types defined: ${roleDecl.roles.join(", ")}`
+        },
+        {
+          file: route.file,
+          startLine: route.startLine,
+          endLine: route.endLine,
+          snippet: route.snippet,
+          label: `${route.method} handler without role check`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID22,
+        file: route.file,
+        symbol: route.method,
+        route: route.routePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID22,
+          file: route.file,
+          symbol: route.method
+        }),
+        ruleId: RULE_ID22,
+        title: `Roles defined but not enforced in ${route.routePath}`,
+        description: `The codebase defines role types (${roleDecl.roles.join(", ")}) in ${roleDecl.file}, suggesting role-based access control is intended. However, the ${route.method} handler at ${route.routePath} has authentication but doesn't check the user's role. This may indicate incomplete RBAC implementation.`,
+        severity: "medium",
+        confidence: 0.7,
+        category: "authorization",
+        evidence,
+        remediation: {
+          recommendedFix: `Add role checking to the handler. Since roles are already defined in your codebase, implement enforcement:
+
+const session = await getServerSession();
+if (!session) {
+  return Response.json({ error: "Unauthorized" }, { status: 401 });
+}
+if (!["admin", "moderator"].includes(session.user.role)) {
+  return Response.json({ error: "Forbidden" }, { status: 403 });
+}
+
+Consider creating a reusable middleware or higher-order function for role checks.`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+          cwe: "https://cwe.mitre.org/data/definitions/862.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/authorization/trusted-client-id.ts
+var RULE_ID23 = "VC-AUTHZ-004";
+var UNTRUSTED_ID_PARAMS = [
+  "userId",
+  "user_id",
+  "userid",
+  "ownerId",
+  "owner_id",
+  "authorId",
+  "author_id",
+  "creatorId",
+  "creator_id",
+  "tenantId",
+  "tenant_id",
+  "organizationId",
+  "organization_id",
+  "orgId",
+  "org_id",
+  "teamId",
+  "team_id",
+  "companyId",
+  "company_id",
+  "accountId",
+  "account_id"
+];
+function usesSafeSessionIdInWrite(handlerText) {
+  const codeOnly = handlerText.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+  const safePatterns = [
+    // authorId: session.user.id or userId: session.user.id
+    /(?:authorId|ownerId|creatorId|userId|tenantId|organizationId)\s*:\s*session\.user\.id/i,
+    // Using currentUser.id
+    /(?:authorId|ownerId|creatorId|userId)\s*:\s*currentUser\.id/i,
+    // Using user.id from validated context
+    /(?:authorId|ownerId|creatorId|userId)\s*:\s*user\.id/i
+  ];
+  return safePatterns.some((p) => p.test(codeOnly));
+}
+var WRITE_OP_PATTERNS = [
+  /\.create\s*\(/i,
+  /\.insert\s*\(/i,
+  /\.upsert\s*\(/i,
+  /\.createMany\s*\(/i
+];
+function extractRoutePath5(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/(?:app|src\/app)(\/api\/[^/]+(?:\/[^/]+)*?)\/route\.[tj]sx?$/);
+  if (match) {
+    return match[1];
+  }
+  return normalized;
+}
+function extractsUntrustedId(handlerText) {
+  const hasBodyExtraction = /(?:await\s+)?(?:request\.json|req\.body)\s*\(\s*\)|\.json\s*\(\s*\)/.test(handlerText);
+  if (!hasBodyExtraction) {
+    return { found: false };
+  }
+  for (const param of UNTRUSTED_ID_PARAMS) {
+    const destructurePattern = new RegExp(`\\{[^}]*\\b${param}\\b[^}]*\\}\\s*=`, "i");
+    const directPattern = new RegExp(`(?:body|data|payload)\\.${param}\\b`, "i");
+    if (destructurePattern.test(handlerText) || directPattern.test(handlerText)) {
+      return { found: true, param };
+    }
+  }
+  return { found: false };
+}
+function usesClientIdInWrite(handlerText, param) {
+  const hasWriteOp = WRITE_OP_PATTERNS.some((p) => p.test(handlerText));
+  if (!hasWriteOp) {
+    return { found: false };
+  }
+  const directUsePattern = new RegExp(
+    `(?:authorId|ownerId|creatorId|userId|tenantId|organizationId)\\s*:\\s*${param}(?:\\s*,|\\s*})`,
+    "i"
+  );
+  if (directUsePattern.test(handlerText)) {
+    const match = handlerText.match(directUsePattern);
+    return { found: true, snippet: match?.[0]?.replace(/[,}]$/, "").trim() };
+  }
+  const multilinePattern = new RegExp(
+    `(?:authorId|ownerId|creatorId|userId|tenantId|organizationId)\\s*:\\s*${param}\\b`,
+    "i"
+  );
+  if (multilinePattern.test(handlerText)) {
+    const contextPattern = new RegExp(
+      `(?:authorId|ownerId|creatorId|userId)\\s*:\\s*${param}\\s*(?:,|//|$)`,
+      "im"
+    );
+    if (contextPattern.test(handlerText)) {
+      const match = handlerText.match(multilinePattern);
+      return { found: true, snippet: match?.[0]?.trim() };
+    }
+  }
+  const bodyUsePattern = new RegExp(
+    `(?:authorId|ownerId|creatorId|userId|tenantId|organizationId)\\s*:\\s*(?:body|data|payload)\\.${param}`,
+    "i"
+  );
+  if (bodyUsePattern.test(handlerText)) {
+    const match = handlerText.match(bodyUsePattern);
+    return { found: true, snippet: match?.[0] };
+  }
+  const spreadPattern = /\{\s*\.\.\.(?:body|data|payload|json)/i;
+  if (spreadPattern.test(handlerText)) {
+    if (!SAFE_ID_PATTERNS.some((p) => p.test(handlerText))) {
+      return { found: true, snippet: "spreading request data without overriding user ID" };
+    }
+  }
+  return { found: false };
+}
+function usesSafeSessionId(handlerText) {
+  return usesSafeSessionIdInWrite(handlerText);
+}
+async function scanTrustedClientId(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const routePath = extractRoutePath5(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    for (const handler of handlers) {
+      if (handler.method !== "POST") {
+        continue;
+      }
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      const hasWriteOp = WRITE_OP_PATTERNS.some((p) => p.test(handlerText));
+      if (!hasWriteOp) {
+        continue;
+      }
+      const extraction = extractsUntrustedId(handlerText);
+      if (!extraction.found) {
+        continue;
+      }
+      const writeUsage = usesClientIdInWrite(handlerText, extraction.param);
+      if (!writeUsage.found) {
+        continue;
+      }
+      if (usesSafeSessionId(handlerText)) {
+        continue;
+      }
+      const evidence = [
+        {
+          file: relPath,
+          startLine: handler.startLine,
+          endLine: handler.endLine,
+          snippet: handlerText.slice(0, 400) + (handlerText.length > 400 ? "..." : ""),
+          label: `POST handler uses client-provided ${extraction.param} for write: ${writeUsage.snippet}`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID23,
+        file: relPath,
+        symbol: handler.method,
+        route: routePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID23,
+          file: relPath,
+          symbol: handler.method
+        }),
+        ruleId: RULE_ID23,
+        title: `Server trusts client-provided ${extraction.param} in ${routePath}`,
+        description: `The POST handler at ${routePath} extracts '${extraction.param}' from the request body and uses it directly in a write operation (${writeUsage.snippet}). An attacker can impersonate any user by supplying a different ID in the request body. User and tenant IDs for write operations must always come from the authenticated session, never from client input.`,
+        severity: "critical",
+        confidence: 0.85,
+        category: "authorization",
+        evidence,
+        remediation: {
+          recommendedFix: `Always derive user/tenant IDs from the authenticated session:
+
+// UNSAFE - trusting client input
+const { userId, content } = await request.json();
+await prisma.post.create({ data: { content, authorId: userId } });
+
+// SAFE - using session
+const session = await getServerSession();
+const { content } = await request.json();
+await prisma.post.create({ data: { content, authorId: session.user.id } });
+
+Never accept user/tenant identifiers from client-controlled input.`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+          cwe: "https://cwe.mitre.org/data/definitions/639.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/authorization/index.ts
+var authorizationPack = {
+  id: "authorization",
+  name: "Authorization Semantics",
+  scanners: [
+    scanAdminRouteNoRoleGuard,
+    scanOwnershipCheckMissing,
+    scanRoleDeclaredNotEnforced,
+    scanTrustedClientId
+  ]
+};
+
+// src/scanners/lifecycle/create-update-asymmetry.ts
+var RULE_ID24 = "VC-LIFE-001";
+function extractEntityName(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/\/api\/([a-z]+(?:-[a-z]+)*)/i);
+  if (match) {
+    return match[1].toLowerCase();
+  }
+  return null;
+}
+function getBasePath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  return normalized.replace(/\/\[[^\]]+\]/g, "").replace(/\/route\.[tj]sx?$/, "");
+}
+function hasAuthCheck2(handlerText) {
+  const authPatterns = [
+    /getServerSession\s*\(/,
+    /auth\s*\(\)/,
+    /requireAuth\s*\(/,
+    /checkAuth\s*\(/,
+    /isAuthenticated/,
+    /session\s*\?\./,
+    /!session\b/,
+    /session\s*===?\s*null/,
+    /currentUser/,
+    /req\.user/,
+    /middleware.*auth/i,
+    /withAuth\s*\(/,
+    /protectedRoute/i,
+    /AuthGuard/
+  ];
+  return authPatterns.some((pattern) => pattern.test(handlerText));
+}
+async function scanCreateUpdateAsymmetry(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  const entityGroups = /* @__PURE__ */ new Map();
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const entityName = extractEntityName(relPath);
+    if (!entityName) continue;
+    const basePath = getBasePath(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    for (const handler of handlers) {
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      const hasAuth = hasAuthCheck2(handlerText);
+      const groupKey = entityName;
+      if (!entityGroups.has(groupKey)) {
+        entityGroups.set(groupKey, {
+          entityName,
+          basePath,
+          handlers: []
+        });
+      }
+      entityGroups.get(groupKey).handlers.push({
+        method: handler.method,
+        file: relPath,
+        handler,
+        hasAuth,
+        handlerText
+      });
+    }
+  }
+  for (const [entityKey, group] of entityGroups) {
+    const protectedCreates = group.handlers.filter(
+      (h) => h.method === "POST" && h.hasAuth
+    );
+    if (protectedCreates.length === 0) continue;
+    const unprotectedUpdates = group.handlers.filter(
+      (h) => (h.method === "PUT" || h.method === "PATCH") && !h.hasAuth
+    );
+    for (const unprotected of unprotectedUpdates) {
+      const protectedExample = protectedCreates[0];
+      const evidence = [
+        {
+          file: protectedExample.file,
+          startLine: protectedExample.handler.startLine,
+          endLine: Math.min(protectedExample.handler.startLine + 10, protectedExample.handler.endLine),
+          snippet: protectedExample.handlerText.slice(0, 300) + "...",
+          label: `Protected POST handler (creates ${group.entityName})`
+        },
+        {
+          file: unprotected.file,
+          startLine: unprotected.handler.startLine,
+          endLine: Math.min(unprotected.handler.startLine + 10, unprotected.handler.endLine),
+          snippet: unprotected.handlerText.slice(0, 300) + "...",
+          label: `Unprotected ${unprotected.method} handler (updates ${group.entityName})`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID24,
+        file: unprotected.file,
+        symbol: unprotected.method,
+        route: group.basePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID24,
+          file: unprotected.file,
+          symbol: unprotected.method
+        }),
+        ruleId: RULE_ID24,
+        title: `Create-update asymmetry for ${group.entityName}: POST protected but ${unprotected.method} is not`,
+        description: `The POST handler for '${group.entityName}' requires authentication, but the ${unprotected.method} handler that modifies the same entity type does not have equivalent protection. This creates a lifecycle vulnerability where authenticated creation can be bypassed by unauthenticated modification. An attacker could modify ${group.entityName} records without proper authorization.`,
+        severity: "high",
+        confidence: 0.85,
+        category: "lifecycle",
+        evidence,
+        remediation: {
+          recommendedFix: `Add authentication checks to the ${unprotected.method} handler:
+
+export async function ${unprotected.method}(request: Request) {
+  const session = await getServerSession();
+  if (!session) {
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  // ... rest of handler
+}
+
+Ensure all state-changing operations on '${group.entityName}' have consistent auth requirements.`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+          cwe: "https://cwe.mitre.org/data/definitions/862.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/lifecycle/validation-schema-drift.ts
+var RULE_ID25 = "VC-LIFE-002";
+var VALIDATION_PATTERNS = [
+  { pattern: /\.parse\s*\(/, library: "zod" },
+  { pattern: /\.safeParse\s*\(/, library: "zod" },
+  { pattern: /\.parseAsync\s*\(/, library: "zod" },
+  { pattern: /z\.\w+\(\)/, library: "zod" },
+  { pattern: /yup\.object\s*\(/, library: "yup" },
+  { pattern: /\.validate\s*\(/, library: "yup/joi" },
+  { pattern: /\.validateSync\s*\(/, library: "yup" },
+  { pattern: /Joi\.object\s*\(/, library: "joi" },
+  { pattern: /schema\.validate\s*\(/, library: "joi" },
+  { pattern: /valibot\./i, library: "valibot" },
+  { pattern: /v\.\w+\(\)/, library: "valibot" },
+  { pattern: /ajv\.compile\s*\(/, library: "ajv" },
+  { pattern: /validate\s*\(\s*body/, library: "custom" },
+  { pattern: /validateBody\s*\(/, library: "custom" },
+  { pattern: /validateRequest\s*\(/, library: "custom" }
+];
+function extractEntityName2(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/\/api\/([a-z]+(?:-[a-z]+)*)/i);
+  if (match) {
+    return match[1].toLowerCase();
+  }
+  return null;
+}
+function getBasePath2(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  return normalized.replace(/\/\[[^\]]+\]/g, "").replace(/\/route\.[tj]sx?$/, "");
+}
+function detectValidation(handlerText) {
+  for (const { pattern, library } of VALIDATION_PATTERNS) {
+    if (pattern.test(handlerText)) {
+      return { hasValidation: true, library };
+    }
+  }
+  return { hasValidation: false };
+}
+function readsRequestBody(handlerText) {
+  return /request\.json\s*\(\)|req\.body|formData\s*\(\)|\.text\s*\(\)/.test(handlerText);
+}
+async function scanValidationSchemaDrift(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  const entityGroups = /* @__PURE__ */ new Map();
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const entityName = extractEntityName2(relPath);
+    if (!entityName) continue;
+    const basePath = getBasePath2(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    for (const handler of handlers) {
+      if (!["POST", "PUT", "PATCH"].includes(handler.method)) continue;
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      if (!readsRequestBody(handlerText)) continue;
+      const { hasValidation, library } = detectValidation(handlerText);
+      const groupKey = entityName;
+      if (!entityGroups.has(groupKey)) {
+        entityGroups.set(groupKey, {
+          entityName,
+          basePath,
+          handlers: []
+        });
+      }
+      entityGroups.get(groupKey).handlers.push({
+        method: handler.method,
+        file: relPath,
+        handler,
+        hasValidation,
+        validationLibrary: library,
+        handlerText
+      });
+    }
+  }
+  for (const [entityKey, group] of entityGroups) {
+    const validatedCreates = group.handlers.filter(
+      (h) => h.method === "POST" && h.hasValidation
+    );
+    if (validatedCreates.length === 0) continue;
+    const unvalidatedUpdates = group.handlers.filter(
+      (h) => (h.method === "PUT" || h.method === "PATCH") && !h.hasValidation
+    );
+    for (const unvalidated of unvalidatedUpdates) {
+      const validatedExample = validatedCreates[0];
+      const evidence = [
+        {
+          file: validatedExample.file,
+          startLine: validatedExample.handler.startLine,
+          endLine: Math.min(validatedExample.handler.startLine + 15, validatedExample.handler.endLine),
+          snippet: validatedExample.handlerText.slice(0, 350) + "...",
+          label: `Validated POST handler using ${validatedExample.validationLibrary || "validation"}`
+        },
+        {
+          file: unvalidated.file,
+          startLine: unvalidated.handler.startLine,
+          endLine: Math.min(unvalidated.handler.startLine + 15, unvalidated.handler.endLine),
+          snippet: unvalidated.handlerText.slice(0, 350) + "...",
+          label: `Unvalidated ${unvalidated.method} handler - reads body without schema validation`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID25,
+        file: unvalidated.file,
+        symbol: unvalidated.method,
+        route: group.basePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID25,
+          file: unvalidated.file,
+          symbol: unvalidated.method
+        }),
+        ruleId: RULE_ID25,
+        title: `Validation schema drift for ${group.entityName}: POST validated but ${unvalidated.method} is not`,
+        description: `The POST handler for '${group.entityName}' validates input using ${validatedExample.validationLibrary || "schema validation"}, but the ${unvalidated.method} handler accepts unvalidated request body. This "schema drift" means validation rules applied during creation can be bypassed during updates. Attackers could inject malformed data, exceed field limits, or introduce invalid state through the update endpoint.`,
+        severity: "medium",
+        confidence: 0.8,
+        category: "lifecycle",
+        evidence,
+        remediation: {
+          recommendedFix: `Apply consistent validation to the ${unvalidated.method} handler:
+
+// If using Zod:
+const updateSchema = ${group.entityName}Schema.partial(); // Allow partial updates
+
+export async function ${unvalidated.method}(request: Request) {
+  const body = await request.json();
+  const validated = updateSchema.parse(body);
+  // Use validated data
+}
+
+Consider creating a shared schema or using .partial() for update operations.`
+        },
+        links: {
+          owasp: "https://owasp.org/Top10/A03_2021-Injection/",
+          cwe: "https://cwe.mitre.org/data/definitions/20.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/lifecycle/delete-rate-limit-gap.ts
+var RULE_ID26 = "VC-LIFE-003";
+var RATE_LIMIT_PATTERNS = [
+  // Wrapper functions
+  { pattern: /withRateLimit\s*\(/, type: "wrapper" },
+  { pattern: /rateLimit\s*\(/, type: "wrapper" },
+  { pattern: /rateLimiter\s*\(/, type: "wrapper" },
+  { pattern: /throttle\s*\(/, type: "wrapper" },
+  // Import-based detection
+  { pattern: /import.*(?:rateLimit|RateLimiter).*from/, type: "import" },
+  { pattern: /import.*upstash.*ratelimit/i, type: "upstash" },
+  { pattern: /import.*@upstash\/ratelimit/i, type: "upstash" },
+  // Direct library usage
+  { pattern: /Ratelimit\s*\(/, type: "upstash" },
+  { pattern: /new\s+RateLimiter\s*\(/, type: "custom" },
+  { pattern: /limiter\.limit\s*\(/, type: "custom" },
+  { pattern: /rateLimiter\.check\s*\(/, type: "custom" },
+  // Redis-based rate limiting
+  { pattern: /redis\.incr\s*\(.*rate/i, type: "redis" },
+  { pattern: /INCR.*:ratelimit/i, type: "redis" },
+  // Comment/identifier hints
+  { pattern: /@rateLimit/i, type: "decorator" },
+  { pattern: /RateLimited/i, type: "decorator" },
+  // Middleware patterns
+  { pattern: /app\.use\s*\(\s*rateLimit/i, type: "middleware" },
+  { pattern: /limiter\s*=.*sliding.*window/i, type: "custom" }
+];
+function extractEntityName3(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = normalized.match(/\/api\/([a-z]+(?:-[a-z]+)*)/i);
+  if (match) {
+    return match[1].toLowerCase();
+  }
+  return null;
+}
+function getBasePath3(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  return normalized.replace(/\/\[[^\]]+\]/g, "").replace(/\/route\.[tj]sx?$/, "");
+}
+function detectRateLimit(handlerText, fullFileText) {
+  for (const { pattern, type } of RATE_LIMIT_PATTERNS) {
+    if (pattern.test(handlerText)) {
+      return { hasRateLimit: true, type };
+    }
+  }
+  const filePatterns = [
+    /import.*(?:rateLimit|RateLimiter).*from/i,
+    /const\s+(?:rateLimit|limiter)\s*=/i,
+    /withRateLimit/
+  ];
+  for (const pattern of filePatterns) {
+    if (pattern.test(fullFileText)) {
+      if (/withRateLimit\s*\(/.test(handlerText) || /limiter\./.test(handlerText)) {
+        return { hasRateLimit: true, type: "file-level" };
+      }
+    }
+  }
+  return { hasRateLimit: false };
+}
+function hasDestructiveOps(handlerText) {
+  return /\.delete\s*\(|\.destroy\s*\(|\.remove\s*\(|prisma\.\w+\.delete|deleteMany\s*\(/i.test(handlerText);
+}
+async function scanDeleteRateLimitGap(context) {
+  const { repoRoot, fileIndex, helpers, repoMeta } = context;
+  const findings = [];
+  if (repoMeta.framework !== "next") {
+    return findings;
+  }
+  const entityGroups = /* @__PURE__ */ new Map();
+  for (const relPath of fileIndex.apiRouteFiles) {
+    const absPath = resolvePath(repoRoot, relPath);
+    const sourceFile = helpers.parseFile(absPath);
+    if (!sourceFile) continue;
+    const entityName = extractEntityName3(relPath);
+    if (!entityName) continue;
+    const basePath = getBasePath3(relPath);
+    const handlers = helpers.findRouteHandlers(sourceFile);
+    const fullFileText = sourceFile.getFullText();
+    for (const handler of handlers) {
+      if (!["POST", "PUT", "PATCH", "DELETE"].includes(handler.method)) continue;
+      const handlerText = helpers.getNodeText(handler.functionNode);
+      const { hasRateLimit, type } = detectRateLimit(handlerText, fullFileText);
+      const groupKey = entityName;
+      if (!entityGroups.has(groupKey)) {
+        entityGroups.set(groupKey, {
+          entityName,
+          basePath,
+          handlers: []
+        });
+      }
+      entityGroups.get(groupKey).handlers.push({
+        method: handler.method,
+        file: relPath,
+        handler,
+        hasRateLimit,
+        rateLimitType: type,
+        handlerText,
+        fullFileText
+      });
+    }
+  }
+  for (const [entityKey, group] of entityGroups) {
+    const rateLimitedHandlers = group.handlers.filter(
+      (h) => h.method !== "DELETE" && h.hasRateLimit
+    );
+    if (rateLimitedHandlers.length === 0) continue;
+    const unprotectedDeletes = group.handlers.filter(
+      (h) => h.method === "DELETE" && !h.hasRateLimit && hasDestructiveOps(h.handlerText)
+    );
+    for (const unprotected of unprotectedDeletes) {
+      const rateLimitedExample = rateLimitedHandlers[0];
+      const evidence = [
+        {
+          file: rateLimitedExample.file,
+          startLine: rateLimitedExample.handler.startLine,
+          endLine: Math.min(rateLimitedExample.handler.startLine + 10, rateLimitedExample.handler.endLine),
+          snippet: rateLimitedExample.handlerText.slice(0, 250) + "...",
+          label: `Rate-limited ${rateLimitedExample.method} handler (${rateLimitedExample.rateLimitType || "rate limit"})`
+        },
+        {
+          file: unprotected.file,
+          startLine: unprotected.handler.startLine,
+          endLine: Math.min(unprotected.handler.startLine + 10, unprotected.handler.endLine),
+          snippet: unprotected.handlerText.slice(0, 250) + "...",
+          label: `DELETE handler without rate limiting - enables mass deletion`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: RULE_ID26,
+        file: unprotected.file,
+        symbol: "DELETE",
+        route: group.basePath
+      });
+      findings.push({
+        id: generateFindingId({
+          ruleId: RULE_ID26,
+          file: unprotected.file,
+          symbol: "DELETE"
+        }),
+        ruleId: RULE_ID26,
+        title: `Delete rate limit gap for ${group.entityName}: other methods rate-limited but DELETE is not`,
+        description: `The ${rateLimitedExample.method} handler for '${group.entityName}' has rate limiting, but the DELETE handler does not. This asymmetry allows attackers to rapidly delete resources without throttling. A malicious actor could enumerate IDs and mass-delete ${group.entityName} records, causing data loss that would be prevented on other operations.`,
+        severity: "medium",
+        confidence: 0.75,
+        category: "lifecycle",
+        evidence,
+        remediation: {
+          recommendedFix: `Apply rate limiting to the DELETE handler:
+
+// Using the same rate limiter as other endpoints:
+export const DELETE = withRateLimit(async (request: Request) => {
+  // ... delete logic
+});
+
+// Or with Upstash:
+import { Ratelimit } from "@upstash/ratelimit";
+const ratelimit = new Ratelimit({ redis, limiter: Ratelimit.slidingWindow(10, "1 m") });
+
+export async function DELETE(request: Request) {
+  const { success } = await ratelimit.limit(userId);
+  if (!success) return Response.json({ error: "Too many requests" }, { status: 429 });
+  // ... delete logic
+}`
+        },
+        links: {
+          owasp: "https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/",
+          cwe: "https://cwe.mitre.org/data/definitions/770.html"
+        },
+        fingerprint
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanners/lifecycle/index.ts
+var lifecyclePack = {
+  id: "lifecycle",
+  name: "Lifecycle Security Invariants",
+  scanners: [
+    scanCreateUpdateAsymmetry,
+    scanValidationSchemaDrift,
+    scanDeleteRateLimitGap
+  ]
+};
+
+// src/scanners/supply-chain/lockfile-parser.ts
+import * as YAML from "yaml";
+function parsePackageJson(repoRoot) {
+  const pkgPath = resolvePath(repoRoot, "package.json");
+  const content = readFileSync(pkgPath);
+  if (!content) return null;
+  try {
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+function parsePnpmLock(content) {
+  const packages = /* @__PURE__ */ new Map();
+  try {
+    const parsed = YAML.parse(content);
+    const pkgs = parsed.packages || {};
+    for (const [key, value] of Object.entries(pkgs)) {
+      if (!value || typeof value !== "object") continue;
+      const pkgData = value;
+      const match = key.match(/^\/?(@?[^@]+)@(.+)$/);
+      if (!match) continue;
+      const [, name, version] = match;
+      packages.set(name, {
+        name,
+        version,
+        hasInstallScripts: Boolean(pkgData.hasInstallScript || pkgData.requiresBuild),
+        dependencies: pkgData.dependencies
+      });
+    }
+  } catch {
+  }
+  return packages;
+}
+function parseYarnLock(content) {
+  const packages = /* @__PURE__ */ new Map();
+  try {
+    const entries = content.split(/\n(?=[@\w"])/);
+    for (const entry of entries) {
+      if (!entry.trim()) continue;
+      const headerMatch = entry.match(/^"?(@?[^@\s"]+)@[^":\n]+/);
+      if (!headerMatch) continue;
+      const name = headerMatch[1];
+      const versionMatch = entry.match(/\n\s+version\s+"([^"]+)"/);
+      const version = versionMatch ? versionMatch[1] : "unknown";
+      packages.set(name, {
+        name,
+        version,
+        hasInstallScripts: false
+        // yarn.lock v1 doesn't include this
+      });
+    }
+  } catch {
+  }
+  return packages;
+}
+function parseNpmLock(content) {
+  const packages = /* @__PURE__ */ new Map();
+  try {
+    const parsed = JSON.parse(content);
+    const pkgs = parsed.packages || {};
+    const deps = parsed.dependencies || {};
+    for (const [key, value] of Object.entries(pkgs)) {
+      if (!key || key === "") continue;
+      if (!value || typeof value !== "object") continue;
+      const pkgData = value;
+      const name = key.replace(/^node_modules\//, "").replace(/^.*node_modules\//, "");
+      if (!name) continue;
+      packages.set(name, {
+        name,
+        version: pkgData.version || "unknown",
+        hasInstallScripts: Boolean(pkgData.hasInstallScript),
+        scripts: pkgData.scripts
+      });
+    }
+    for (const [name, value] of Object.entries(deps)) {
+      if (!value || typeof value !== "object") continue;
+      if (packages.has(name)) continue;
+      const pkgData = value;
+      packages.set(name, {
+        name,
+        version: pkgData.version || "unknown",
+        hasInstallScripts: Boolean(pkgData.hasInstallScript)
+      });
+    }
+  } catch {
+  }
+  return packages;
+}
+function parseLockfile(repoRoot) {
+  const pkg = parsePackageJson(repoRoot);
+  const directDependencies = /* @__PURE__ */ new Set();
+  if (pkg) {
+    for (const name of Object.keys(pkg.dependencies || {})) {
+      directDependencies.add(name);
+    }
+    for (const name of Object.keys(pkg.devDependencies || {})) {
+      directDependencies.add(name);
+    }
+  }
+  const pnpmPath = resolvePath(repoRoot, "pnpm-lock.yaml");
+  if (fileExists(pnpmPath)) {
+    const content = readFileSync(pnpmPath);
+    if (content) {
+      return {
+        type: "pnpm",
+        path: pnpmPath,
+        packages: parsePnpmLock(content),
+        directDependencies
+      };
+    }
+  }
+  const yarnPath = resolvePath(repoRoot, "yarn.lock");
+  if (fileExists(yarnPath)) {
+    const content = readFileSync(yarnPath);
+    if (content) {
+      return {
+        type: "yarn",
+        path: yarnPath,
+        packages: parseYarnLock(content),
+        directDependencies
+      };
+    }
+  }
+  const npmPath = resolvePath(repoRoot, "package-lock.json");
+  if (fileExists(npmPath)) {
+    const content = readFileSync(npmPath);
+    if (content) {
+      return {
+        type: "npm",
+        path: npmPath,
+        packages: parseNpmLock(content),
+        directDependencies
+      };
+    }
+  }
+  return {
+    type: "none",
+    path: null,
+    packages: /* @__PURE__ */ new Map(),
+    directDependencies
+  };
+}
+function isVersionRange(version) {
+  if (version.startsWith("workspace:")) return false;
+  if (version.startsWith("file:") || version.startsWith("git") || version.includes("://")) {
+    return false;
+  }
+  const rangeIndicators = /[\^~><*x|]|\s-\s/;
+  return rangeIndicators.test(version);
+}
+function getVersionRangeType(version) {
+  if (version.startsWith("^")) return "caret (^) - allows minor updates";
+  if (version.startsWith("~")) return "tilde (~) - allows patch updates";
+  if (version.includes("||")) return "OR range - multiple versions";
+  if (version === "*" || version === "x") return "wildcard - any version";
+  if (version.includes(">") || version.includes("<")) return "comparison range";
+  return "range";
+}
+
+// src/scanners/supply-chain/security-critical-packages.ts
+var SECURITY_CRITICAL_PACKAGES = [
+  // Authentication
+  { name: "next-auth", category: "auth", reason: "Authentication framework" },
+  { name: "@auth/core", category: "auth", reason: "Auth.js core" },
+  { name: "@auth/prisma-adapter", category: "auth", reason: "Auth.js Prisma adapter" },
+  { name: "passport", category: "auth", reason: "Authentication middleware" },
+  { name: "passport-local", category: "auth", reason: "Local authentication strategy" },
+  { name: "passport-jwt", category: "auth", reason: "JWT authentication strategy" },
+  { name: "passport-oauth2", category: "auth", reason: "OAuth2 authentication" },
+  { name: "@clerk/nextjs", category: "auth", reason: "Clerk authentication" },
+  { name: "@supabase/auth-helpers-nextjs", category: "auth", reason: "Supabase auth" },
+  { name: "firebase-admin", category: "auth", reason: "Firebase Admin SDK with auth" },
+  { name: "@okta/okta-auth-js", category: "auth", reason: "Okta authentication" },
+  { name: "auth0", category: "auth", reason: "Auth0 SDK" },
+  { name: "@auth0/nextjs-auth0", category: "auth", reason: "Auth0 Next.js SDK" },
+  { name: "lucia", category: "auth", reason: "Modern authentication library" },
+  { name: "better-auth", category: "auth", reason: "Authentication library" },
+  // Cryptography
+  { name: "bcrypt", category: "crypto", reason: "Password hashing" },
+  { name: "bcryptjs", category: "crypto", reason: "Password hashing (JS)" },
+  { name: "argon2", category: "crypto", reason: "Password hashing (Argon2)" },
+  { name: "scrypt", category: "crypto", reason: "Password hashing (scrypt)" },
+  { name: "jsonwebtoken", category: "crypto", reason: "JWT signing/verification" },
+  { name: "jose", category: "crypto", reason: "JWT/JWS/JWE implementation" },
+  { name: "crypto-js", category: "crypto", reason: "Cryptographic operations" },
+  { name: "node-forge", category: "crypto", reason: "Cryptographic toolkit" },
+  { name: "tweetnacl", category: "crypto", reason: "Cryptographic library" },
+  { name: "sodium-native", category: "crypto", reason: "libsodium bindings" },
+  { name: "libsodium-wrappers", category: "crypto", reason: "libsodium for JS" },
+  // Session management
+  { name: "express-session", category: "session", reason: "Session middleware" },
+  { name: "cookie-session", category: "session", reason: "Cookie-based sessions" },
+  { name: "iron-session", category: "session", reason: "Encrypted sessions" },
+  { name: "connect-redis", category: "session", reason: "Redis session store" },
+  { name: "connect-mongo", category: "session", reason: "MongoDB session store" },
+  // Validation
+  { name: "zod", category: "validation", reason: "Schema validation" },
+  { name: "yup", category: "validation", reason: "Schema validation" },
+  { name: "joi", category: "validation", reason: "Schema validation" },
+  { name: "ajv", category: "validation", reason: "JSON Schema validation" },
+  { name: "validator", category: "validation", reason: "String validation" },
+  { name: "express-validator", category: "validation", reason: "Express validation" },
+  { name: "class-validator", category: "validation", reason: "Class-based validation" },
+  // Security-sensitive network
+  { name: "helmet", category: "network", reason: "Security headers" },
+  { name: "cors", category: "network", reason: "CORS configuration" },
+  { name: "csurf", category: "network", reason: "CSRF protection" },
+  { name: "express-rate-limit", category: "network", reason: "Rate limiting" },
+  { name: "@upstash/ratelimit", category: "network", reason: "Rate limiting" },
+  { name: "rate-limiter-flexible", category: "network", reason: "Rate limiting" },
+  { name: "hpp", category: "network", reason: "HTTP Parameter Pollution protection" }
+];
+var SECURITY_CRITICAL_MAP = new Map(
+  SECURITY_CRITICAL_PACKAGES.map((pkg) => [pkg.name, pkg])
+);
+function isSecurityCritical(name) {
+  return SECURITY_CRITICAL_MAP.get(name);
+}
+var AUTH_LIBRARY_GROUPS = {
+  nextAuth: ["next-auth", "@auth/core"],
+  clerk: ["@clerk/nextjs", "@clerk/clerk-js"],
+  supabase: ["@supabase/auth-helpers-nextjs", "@supabase/supabase-js"],
+  firebase: ["firebase-admin", "firebase"],
+  auth0: ["auth0", "@auth0/nextjs-auth0", "@auth0/auth0-spa-js"],
+  okta: ["@okta/okta-auth-js", "@okta/okta-react"],
+  passport: ["passport"],
+  lucia: ["lucia"],
+  jwt: ["jsonwebtoken", "jose"],
+  betterAuth: ["better-auth"]
+};
+function detectAuthLibraries(dependencies) {
+  const detected = [];
+  for (const [group, packages] of Object.entries(AUTH_LIBRARY_GROUPS)) {
+    if (packages.some((pkg) => pkg in dependencies)) {
+      detected.push(group);
+    }
+  }
+  return detected;
+}
+var SUSPICIOUS_SCRIPT_PATTERNS = [
+  { pattern: /curl\s+.*\s*\|\s*(bash|sh)/i, reason: "Remote script execution" },
+  { pattern: /wget\s+.*\s*\|\s*(bash|sh)/i, reason: "Remote script execution" },
+  { pattern: /\beval\s*\(/i, reason: "Dynamic code execution" },
+  { pattern: /base64\s+(-d|--decode)/i, reason: "Base64 decoding (possible obfuscation)" },
+  { pattern: /\$\(.*\)/i, reason: "Command substitution" },
+  { pattern: /`.*`/i, reason: "Command substitution (backticks)" },
+  { pattern: /powershell/i, reason: "PowerShell execution" },
+  { pattern: /\.exe\b/i, reason: "Windows executable reference" },
+  { pattern: /\/etc\/passwd/i, reason: "System file access" },
+  { pattern: /\/etc\/shadow/i, reason: "System file access" },
+  { pattern: /ssh.*@/i, reason: "SSH connection attempt" },
+  { pattern: /rm\s+-rf\s+\//i, reason: "Destructive command" },
+  { pattern: /nc\s+-.*\d+/i, reason: "Netcat usage (potential backdoor)" },
+  { pattern: /ncat/i, reason: "Ncat usage (potential backdoor)" },
+  { pattern: /reverse.*shell/i, reason: "Reverse shell reference" },
+  { pattern: /crypto.*wallet/i, reason: "Cryptocurrency reference" },
+  { pattern: /bitcoin|ethereum|monero/i, reason: "Cryptocurrency reference" },
+  { pattern: /keylog/i, reason: "Keylogger reference" },
+  { pattern: /exfiltrat/i, reason: "Data exfiltration reference" },
+  { pattern: /hidden|stealth/i, reason: "Stealth behavior reference" },
+  { pattern: /process\.env\.[A-Z_]+.*https?:\/\//i, reason: "Env var with URL (potential C2)" }
+];
+function findSuspiciousPatterns(script) {
+  const found = [];
+  for (const { pattern, reason } of SUSPICIOUS_SCRIPT_PATTERNS) {
+    if (pattern.test(script)) {
+      found.push({ pattern: pattern.source, reason });
+    }
+  }
+  return found;
+}
+
+// src/scanners/supply-chain/postinstall-scripts.ts
+var RULE_ID27 = "VC-SUP-001";
+var INSTALL_SCRIPT_KEYS = [
+  "preinstall",
+  "install",
+  "postinstall",
+  "prepare"
+];
+async function scanPostinstallScripts(context) {
+  const { repoRoot } = context;
+  const findings = [];
+  const pkg = parsePackageJson(repoRoot);
+  if (!pkg || !pkg.scripts) {
+    return findings;
+  }
+  for (const scriptKey of INSTALL_SCRIPT_KEYS) {
+    const script = pkg.scripts[scriptKey];
+    if (!script) continue;
+    const suspicious = findSuspiciousPatterns(script);
+    let severity = "low";
+    let description = `The package.json contains a \`${scriptKey}\` script that runs during \`npm install\`. `;
+    if (suspicious.length > 0) {
+      severity = "high";
+      description += `The script contains suspicious patterns:
+`;
+      for (const { reason } of suspicious) {
+        description += `- ${reason}
+`;
+      }
+    } else if (script.includes("node") || script.includes("npx")) {
+      severity = "medium";
+      description += `The script executes Node.js code which could perform arbitrary operations.`;
+    } else {
+      description += `While often legitimate, install scripts can be exploited for supply chain attacks. Review the script content.`;
+    }
+    const fingerprint = generateFingerprint({
+      ruleId: RULE_ID27,
+      file: "package.json",
+      symbol: scriptKey
+    });
+    findings.push({
+      id: generateFindingId({
+        ruleId: RULE_ID27,
+        file: "package.json",
+        symbol: scriptKey
+      }),
+      severity,
+      confidence: suspicious.length > 0 ? 0.9 : 0.7,
+      category: "supply-chain",
+      ruleId: RULE_ID27,
+      title: `Install script detected: ${scriptKey}`,
+      description,
+      evidence: [
+        {
+          file: "package.json",
+          startLine: 1,
+          endLine: 1,
+          snippet: `"${scriptKey}": "${script.length > 100 ? script.slice(0, 100) + "..." : script}"`,
+          context: "Install script definition"
+        }
+      ],
+      remediation: {
+        recommendedFix: suspicious.length > 0 ? `Review and remove suspicious patterns from the ${scriptKey} script. Consider whether this script is necessary.` : `Review the ${scriptKey} script to ensure it performs only necessary build operations. Consider using --ignore-scripts flag in CI environments.`
+      },
+      links: {
+        cwe: "https://cwe.mitre.org/data/definitions/829.html"
+      },
+      fingerprint
+    });
+  }
+  return findings;
+}
+
+// src/scanners/supply-chain/version-ranges.ts
+var RULE_ID28 = "VC-SUP-002";
+async function scanVersionRanges(context) {
+  const { repoRoot } = context;
+  const findings = [];
+  const pkg = parsePackageJson(repoRoot);
+  if (!pkg) {
+    return findings;
+  }
+  const allDeps = {
+    ...pkg.dependencies,
+    ...pkg.devDependencies
+  };
+  for (const [name, version] of Object.entries(allDeps)) {
+    const criticalInfo = isSecurityCritical(name);
+    if (!criticalInfo) continue;
+    if (!isVersionRange(version)) continue;
+    const rangeType = getVersionRangeType(version);
+    const isDevDep = name in (pkg.devDependencies || {});
+    let severity = "medium";
+    if (criticalInfo.category === "auth" || criticalInfo.category === "crypto") {
+      severity = "high";
+    }
+    if (isDevDep) {
+      severity = severity === "high" ? "medium" : "low";
+    }
+    const fingerprint = generateFingerprint({
+      ruleId: RULE_ID28,
+      file: "package.json",
+      symbol: name
+    });
+    findings.push({
+      id: generateFindingId({
+        ruleId: RULE_ID28,
+        file: "package.json",
+        symbol: name
+      }),
+      severity,
+      confidence: 0.85,
+      category: "supply-chain",
+      ruleId: RULE_ID28,
+      title: `Unpinned security-critical dependency: ${name}`,
+      description: `The ${criticalInfo.category} package \`${name}\` uses a version range (\`${version}\`) instead of a pinned version. This is a ${rangeType}. Version ranges allow automatic updates that could introduce breaking changes or supply chain attacks. Security-critical packages should use exact versions with lockfile commitment.`,
+      evidence: [
+        {
+          file: "package.json",
+          startLine: 1,
+          endLine: 1,
+          snippet: `"${name}": "${version}"`,
+          context: `${isDevDep ? "devDependencies" : "dependencies"} - ${criticalInfo.reason}`
+        }
+      ],
+      remediation: {
+        recommendedFix: `Pin ${name} to an exact version (e.g., "1.2.3" instead of "${version}"). Ensure your lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) is committed to version control. Use automated dependency update tools (Dependabot, Renovate) to receive controlled updates.`
+      },
+      links: {
+        cwe: "https://cwe.mitre.org/data/definitions/829.html"
+      },
+      fingerprint
+    });
+  }
+  return findings;
+}
+
+// src/scanners/supply-chain/deprecated-packages.ts
+var DEPRECATED_PACKAGES = [
+  // Security-critical deprecations
+  {
+    name: "request",
+    reason: "Deprecated since 2020, no security patches",
+    replacement: "node-fetch, axios, or got",
+    severity: "high"
+  },
+  {
+    name: "request-promise",
+    reason: "Deprecated, depends on deprecated request",
+    replacement: "node-fetch, axios, or got",
+    severity: "high"
+  },
+  {
+    name: "request-promise-native",
+    reason: "Deprecated, depends on deprecated request",
+    replacement: "node-fetch, axios, or got",
+    severity: "high"
+  },
+  {
+    name: "node-uuid",
+    reason: "Deprecated, renamed to uuid",
+    replacement: "uuid",
+    severity: "low"
+  },
+  {
+    name: "bcrypt-nodejs",
+    reason: "Unmaintained, security concerns",
+    replacement: "bcrypt or bcryptjs",
+    severity: "high",
+    advisory: "Multiple known vulnerabilities"
+  },
+  {
+    name: "cryptiles",
+    reason: "Deprecated due to timing attack vulnerabilities",
+    replacement: "@hapi/cryptiles",
+    severity: "critical",
+    advisory: "CVE-2018-1000620"
+  },
+  {
+    name: "hoek",
+    reason: "Prototype pollution vulnerability",
+    replacement: "@hapi/hoek >= 6.0.0",
+    severity: "critical",
+    advisory: "CVE-2018-3728"
+  },
+  {
+    name: "lodash",
+    reason: "Versions < 4.17.21 have prototype pollution vulnerabilities",
+    severity: "medium",
+    advisory: "CVE-2021-23337, CVE-2020-8203"
+  },
+  {
+    name: "minimist",
+    reason: "Versions < 1.2.6 have prototype pollution",
+    severity: "medium",
+    advisory: "CVE-2021-44906"
+  },
+  {
+    name: "qs",
+    reason: "Versions < 6.10.3 have prototype pollution",
+    severity: "medium",
+    advisory: "CVE-2022-24999"
+  },
+  {
+    name: "ua-parser-js",
+    reason: "Versions < 0.7.33 or 0.8.x/1.0.x compromised",
+    severity: "critical",
+    advisory: "Supply chain attack (malware)"
+  },
+  {
+    name: "event-stream",
+    reason: "Versions 3.3.6 contained malware targeting bitcoin wallets",
+    severity: "critical",
+    advisory: "Supply chain attack (bitcoin theft)"
+  },
+  {
+    name: "flatmap-stream",
+    reason: "Contained malicious code, part of event-stream attack",
+    severity: "critical",
+    advisory: "Supply chain attack"
+  },
+  {
+    name: "coa",
+    reason: "Versions 2.0.3+ briefly compromised",
+    severity: "high",
+    advisory: "Supply chain attack"
+  },
+  {
+    name: "rc",
+    reason: "Versions 1.2.9, 1.3.0, 2.3.9 briefly compromised",
+    severity: "high",
+    advisory: "Supply chain attack"
+  },
+  {
+    name: "colors",
+    reason: "Versions 1.4.1+ contain intentional sabotage code",
+    replacement: "chalk or ansi-colors",
+    severity: "high",
+    advisory: "Protestware"
+  },
+  {
+    name: "faker",
+    reason: "Versions 6.6.6+ contain intentional sabotage code",
+    replacement: "@faker-js/faker",
+    severity: "high",
+    advisory: "Protestware"
+  },
+  {
+    name: "node-ipc",
+    reason: "Versions 10.1.1-10.1.2 contained destructive code",
+    severity: "critical",
+    advisory: "Protestware/malware targeting Russia/Belarus"
+  },
+  {
+    name: "merge",
+    reason: "Prototype pollution in all versions",
+    replacement: "lodash.merge or Object spread",
+    severity: "medium",
+    advisory: "CVE-2018-16469"
+  },
+  {
+    name: "deep-extend",
+    reason: "Versions < 0.6.0 have prototype pollution",
+    severity: "high",
+    advisory: "CVE-2018-3750"
+  },
+  {
+    name: "mixin-deep",
+    reason: "Versions < 1.3.2 have prototype pollution",
+    severity: "high",
+    advisory: "CVE-2019-10746"
+  },
+  {
+    name: "set-value",
+    reason: "Versions < 4.0.0 have prototype pollution",
+    severity: "high",
+    advisory: "CVE-2021-23440"
+  },
+  // Authentication/crypto deprecations
+  {
+    name: "passport-local-mongoose",
+    reason: "Outdated, use @passport-js/passport-local-mongoose",
+    severity: "low"
+  },
+  {
+    name: "jwt-simple",
+    reason: "Algorithm confusion vulnerability possible",
+    replacement: "jsonwebtoken with explicit algorithms",
+    severity: "high"
+  },
+  {
+    name: "cookie-session",
+    reason: "Consider express-session for sensitive data",
+    severity: "low"
+  },
+  // Other security-relevant deprecations
+  {
+    name: "marked",
+    reason: "Versions < 4.0.10 have ReDoS and XSS vulnerabilities",
+    severity: "medium",
+    advisory: "Multiple CVEs"
+  },
+  {
+    name: "serialize-javascript",
+    reason: "Versions < 3.1.0 have XSS vulnerability",
+    severity: "high",
+    advisory: "CVE-2020-7660"
+  },
+  {
+    name: "sanitize-html",
+    reason: "Versions < 2.7.1 have XSS bypass vulnerabilities",
+    severity: "high",
+    advisory: "Multiple CVEs"
+  },
+  {
+    name: "tar",
+    reason: "Versions < 6.1.11 have path traversal vulnerabilities",
+    severity: "high",
+    advisory: "CVE-2021-37701, CVE-2021-37712"
+  },
+  {
+    name: "decompress",
+    reason: "Arbitrary file write via path traversal",
+    severity: "critical",
+    advisory: "CVE-2020-12265"
+  },
+  {
+    name: "unzip",
+    reason: "Arbitrary file write via path traversal",
+    replacement: "unzipper or yauzl",
+    severity: "critical"
+  },
+  {
+    name: "adm-zip",
+    reason: "Versions < 0.5.2 have path traversal",
+    severity: "high",
+    advisory: "CVE-2018-1002204"
+  },
+  {
+    name: "xmldom",
+    reason: "Versions < 0.7.5 have XXE and other vulnerabilities",
+    replacement: "@xmldom/xmldom",
+    severity: "high"
+  },
+  {
+    name: "xml2js",
+    reason: "Prototype pollution in some versions",
+    severity: "medium"
+  }
+];
+var DEPRECATED_PACKAGES_MAP = new Map(
+  DEPRECATED_PACKAGES.map((pkg) => [pkg.name, pkg])
+);
+function isDeprecated(name) {
+  return DEPRECATED_PACKAGES_MAP.get(name);
+}
+
+// src/scanners/supply-chain/deprecated-packages-scanner.ts
+var RULE_ID29 = "VC-SUP-003";
+async function scanDeprecatedPackages(context) {
+  const { repoRoot } = context;
+  const findings = [];
+  const pkg = parsePackageJson(repoRoot);
+  if (!pkg) {
+    return findings;
+  }
+  const allDeps = {
+    ...pkg.dependencies,
+    ...pkg.devDependencies
+  };
+  for (const [name, version] of Object.entries(allDeps)) {
+    const deprecation = isDeprecated(name);
+    if (!deprecation) continue;
+    const isDevDep = name in (pkg.devDependencies || {});
+    let severity = deprecation.severity;
+    if (isDevDep && severity !== "critical") {
+      severity = severity === "high" ? "medium" : "low";
+    }
+    let description = `The package \`${name}\` (${version}) is deprecated or has known vulnerabilities. `;
+    description += `Reason: ${deprecation.reason}. `;
+    if (deprecation.advisory) {
+      description += `Advisory: ${deprecation.advisory}. `;
+    }
+    if (deprecation.replacement) {
+      description += `Consider replacing with: ${deprecation.replacement}.`;
+    }
+    const fingerprint = generateFingerprint({
+      ruleId: RULE_ID29,
+      file: "package.json",
+      symbol: name
+    });
+    findings.push({
+      id: generateFindingId({
+        ruleId: RULE_ID29,
+        file: "package.json",
+        symbol: name
+      }),
+      severity,
+      confidence: 0.95,
+      category: "supply-chain",
+      ruleId: RULE_ID29,
+      title: `Deprecated/vulnerable package: ${name}`,
+      description,
+      evidence: [
+        {
+          file: "package.json",
+          startLine: 1,
+          endLine: 1,
+          snippet: `"${name}": "${version}"`,
+          context: isDevDep ? "devDependencies" : "dependencies"
+        }
+      ],
+      remediation: {
+        recommendedFix: deprecation.replacement ? `Replace ${name} with ${deprecation.replacement}. Remove ${name} from your dependencies and install the replacement.` : `Remove or update ${name} to a secure version. Check npm for the latest secure version or alternative packages.`
+      },
+      links: {
+        cwe: "https://cwe.mitre.org/data/definitions/1104.html"
+      },
+      fingerprint
+    });
+  }
+  return findings;
+}
+
+// src/scanners/supply-chain/multiple-auth-systems.ts
+var RULE_ID30 = "VC-SUP-004";
+function getGroupName(group) {
+  const names = {
+    nextAuth: "NextAuth.js / Auth.js",
+    clerk: "Clerk",
+    supabase: "Supabase Auth",
+    firebase: "Firebase Auth",
+    auth0: "Auth0",
+    okta: "Okta",
+    passport: "Passport.js",
+    lucia: "Lucia",
+    jwt: "Custom JWT (jsonwebtoken/jose)",
+    betterAuth: "Better Auth"
+  };
+  return names[group] || group;
+}
+function areCompatible(groups) {
+  const nonJwt = groups.filter((g) => g !== "jwt");
+  if (nonJwt.length <= 1) return true;
+  return false;
+}
+async function scanMultipleAuthSystems(context) {
+  const { repoRoot } = context;
+  const findings = [];
+  const pkg = parsePackageJson(repoRoot);
+  if (!pkg) {
+    return findings;
+  }
+  const allDeps = {
+    ...pkg.dependencies,
+    ...pkg.devDependencies
+  };
+  const detectedGroups = detectAuthLibraries(allDeps);
+  if (detectedGroups.length < 2) {
+    return findings;
+  }
+  if (areCompatible(detectedGroups)) {
+    return findings;
+  }
+  const groupPackages = {};
+  for (const group of detectedGroups) {
+    const packages = AUTH_LIBRARY_GROUPS[group].filter((pkg2) => pkg2 in allDeps);
+    if (packages.length > 0) {
+      groupPackages[group] = packages;
+    }
+  }
+  const groupNames = detectedGroups.map(getGroupName);
+  let description = `Multiple authentication systems detected: ${groupNames.join(", ")}. Having multiple auth libraries can lead to:
+- Confusion about which system is enforcing authentication
+- Incomplete migration leaving some routes unprotected
+- Conflicting session/token handling
+
+Detected packages:
+`;
+  for (const [group, packages] of Object.entries(groupPackages)) {
+    description += `- ${getGroupName(group)}: ${packages.join(", ")}
+`;
+  }
+  const evidenceItems = [];
+  for (const [group, packages] of Object.entries(groupPackages)) {
+    for (const pkgName of packages) {
+      evidenceItems.push({
+        file: "package.json",
+        startLine: 1,
+        endLine: 1,
+        snippet: `"${pkgName}": "${allDeps[pkgName]}"`,
+        context: `${getGroupName(group)} authentication library`
+      });
+    }
+  }
+  const fingerprint = generateFingerprint({
+    ruleId: RULE_ID30,
+    file: "package.json",
+    symbol: detectedGroups.sort().join(",")
+  });
+  findings.push({
+    id: generateFindingId({
+      ruleId: RULE_ID30,
+      file: "package.json",
+      symbol: "multiple-auth"
+    }),
+    severity: "medium",
+    confidence: 0.75,
+    category: "supply-chain",
+    ruleId: RULE_ID30,
+    title: `Multiple authentication systems detected`,
+    description,
+    evidence: evidenceItems.slice(0, 5),
+    // Limit evidence items
+    remediation: {
+      recommendedFix: `Consolidate to a single authentication system. If migrating, ensure the old system is fully removed after migration. If both are intentionally used (e.g., different auth for different parts of the app), document this clearly and ensure no authentication gaps exist.`
+    },
+    links: {
+      cwe: "https://cwe.mitre.org/data/definitions/287.html"
+    },
+    fingerprint
+  });
+  return findings;
+}
+
+// src/scanners/supply-chain/suspicious-scripts.ts
+var RULE_ID31 = "VC-SUP-005";
+var KNOWN_SAFE_INSTALL_SCRIPTS = /* @__PURE__ */ new Set([
+  // Native addons that need compilation
+  "bcrypt",
+  "argon2",
+  "sharp",
+  "canvas",
+  "node-sass",
+  "sqlite3",
+  "better-sqlite3",
+  "node-gyp",
+  "fsevents",
+  "esbuild",
+  "@swc/core",
+  "turbo",
+  // Prisma
+  "prisma",
+  "@prisma/client",
+  "@prisma/engines",
+  // Playwright/Puppeteer (browser downloads)
+  "playwright",
+  "playwright-core",
+  "puppeteer",
+  "puppeteer-core",
+  // Electron
+  "electron",
+  "electron-builder",
+  // Husky/lint-staged (git hooks)
+  "husky",
+  "lefthook",
+  // Other build tools
+  "node-pre-gyp",
+  "@mapbox/node-pre-gyp",
+  "prebuild-install"
+]);
+async function scanSuspiciousScripts(context) {
+  const { repoRoot } = context;
+  const findings = [];
+  const lockfile = parseLockfile(repoRoot);
+  if (lockfile.type === "none") {
+    return findings;
+  }
+  for (const [name, pkg] of lockfile.packages) {
+    if (!pkg.hasInstallScripts) continue;
+    if (KNOWN_SAFE_INSTALL_SCRIPTS.has(name)) continue;
+    const isDirect = lockfile.directDependencies.has(name);
+    let suspicious = [];
+    let scriptContent = "";
+    if (pkg.scripts) {
+      const scripts = [
+        pkg.scripts.preinstall,
+        pkg.scripts.install,
+        pkg.scripts.postinstall,
+        pkg.scripts.prepare
+      ].filter(Boolean);
+      scriptContent = scripts.join("\n");
+      suspicious = findSuspiciousPatterns(scriptContent);
+    }
+    let severity = "low";
+    let confidence = 0.6;
+    if (suspicious.length > 0) {
+      severity = "high";
+      confidence = 0.9;
+    } else if (isDirect) {
+      severity = "medium";
+      confidence = 0.7;
+    }
+    let description = `The dependency \`${name}@${pkg.version}\` has install scripts that run during \`npm install\`. `;
+    if (suspicious.length > 0) {
+      description += `Suspicious patterns detected:
+`;
+      for (const { reason } of suspicious) {
+        description += `- ${reason}
+`;
+      }
+    } else {
+      description += `While install scripts are sometimes legitimate, they are also a common supply chain attack vector. Review the package to ensure the install script is necessary and safe.`;
+    }
+    const fingerprint = generateFingerprint({
+      ruleId: RULE_ID31,
+      file: lockfile.path || "lockfile",
+      symbol: name
+    });
+    findings.push({
+      id: generateFindingId({
+        ruleId: RULE_ID31,
+        file: lockfile.path || "lockfile",
+        symbol: name
+      }),
+      severity,
+      confidence,
+      category: "supply-chain",
+      ruleId: RULE_ID31,
+      title: `Dependency with install scripts: ${name}`,
+      description,
+      evidence: [
+        {
+          file: lockfile.path || "lockfile",
+          startLine: 1,
+          endLine: 1,
+          snippet: `${name}@${pkg.version} (hasInstallScripts: true)`,
+          context: isDirect ? "Direct dependency" : "Transitive dependency"
+        },
+        ...scriptContent ? [
+          {
+            file: `node_modules/${name}/package.json`,
+            startLine: 1,
+            endLine: 1,
+            snippet: scriptContent.length > 200 ? scriptContent.slice(0, 200) + "..." : scriptContent,
+            context: "Install script content"
+          }
+        ] : []
+      ],
+      remediation: {
+        recommendedFix: suspicious.length > 0 ? `Immediately review ${name} for malicious behavior. Consider removing the package or using --ignore-scripts during install.` : `Review ${name}'s install scripts to ensure they are safe. Consider using \`npm install --ignore-scripts\` in CI and running scripts explicitly after audit.`
+      },
+      links: {
+        cwe: "https://cwe.mitre.org/data/definitions/829.html"
+      },
+      fingerprint
+    });
+  }
+  return findings;
+}
+
+// src/scanners/supply-chain/index.ts
+var supplyChainPack = {
+  id: "supply-chain",
+  name: "Supply Chain Security",
+  scanners: [
+    scanPostinstallScripts,
+    scanVersionRanges,
+    scanDeprecatedPackages,
+    scanMultipleAuthSystems,
+    scanSuspiciousScripts
+  ]
+};
+
+// src/phase3/proof-trace-builder.ts
+import crypto3 from "crypto";
+import path3 from "path";
+import { SyntaxKind as SyntaxKind2 } from "ts-morph";
+var MAX_TRACE_DEPTH = 2;
+function generateRouteId(routePath, method, file) {
+  const normalized = `${method}:${routePath}:${file}`.toLowerCase();
+  return crypto3.createHash("sha256").update(normalized).digest("hex").slice(0, 12);
+}
+function filePathToRoutePath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const appIndex = normalized.indexOf("/app/");
+  if (appIndex === -1) {
+    const appIndexAlt = normalized.indexOf("app/");
+    if (appIndexAlt === 0) {
+      return extractRoutePath6(normalized.slice(4));
+    }
+    return "/";
+  }
+  return extractRoutePath6(normalized.slice(appIndex + 5));
+}
+function extractRoutePath6(routePart) {
+  const withoutRoute = routePart.replace(/\/route\.(ts|tsx|js|jsx)$/, "");
+  if (withoutRoute === "" || withoutRoute === "api") {
+    return withoutRoute === "" ? "/" : "/api";
+  }
+  return "/" + withoutRoute;
+}
+function buildRouteMap(ctx) {
+  const routes = [];
+  for (const routeFile of ctx.fileIndex.routeFiles) {
+    const absolutePath = path3.join(ctx.repoRoot, routeFile);
+    const sourceFile = ctx.helpers.parseFile(absolutePath);
+    if (!sourceFile) continue;
+    const handlers = ctx.helpers.findRouteHandlers(sourceFile);
+    const relPath = routeFile.replace(/\\/g, "/");
+    const routePath = filePathToRoutePath(relPath);
+    for (const handler of handlers) {
+      const routeId = generateRouteId(routePath, handler.method, relPath);
+      routes.push({
+        routeId,
+        method: handler.method,
+        path: routePath,
+        file: relPath,
+        startLine: handler.startLine,
+        endLine: handler.endLine
+      });
+    }
+  }
+  return routes;
+}
+function buildMiddlewareMap(ctx) {
+  const middlewareList = [];
+  if (!ctx.fileIndex.middlewareFile) {
+    return middlewareList;
+  }
+  const absolutePath = path3.join(ctx.repoRoot, ctx.fileIndex.middlewareFile);
+  const sourceFile = ctx.helpers.parseFile(absolutePath);
+  if (!sourceFile) return middlewareList;
+  const relPath = ctx.fileIndex.middlewareFile.replace(/\\/g, "/");
+  const matchers = extractMiddlewareMatchers(sourceFile);
+  const protectsApi = matchers.some(
+    (m) => m.includes("/api") || m.includes("/(api)") || m === "/(.*)"
+  );
+  let startLine = 1;
+  sourceFile.forEachDescendant((node) => {
+    if (node.getKind() === SyntaxKind2.VariableDeclaration && node.getText().includes("config")) {
+      startLine = node.getStartLineNumber();
+    }
+  });
+  middlewareList.push({
+    file: relPath,
+    matchers,
+    protectsApi,
+    startLine
+  });
+  return middlewareList;
+}
+function extractMiddlewareMatchers(sourceFile) {
+  const matchers = [];
+  sourceFile.forEachDescendant((node) => {
+    if (node.getKind() === SyntaxKind2.PropertyAssignment) {
+      const text = node.getText();
+      if (text.startsWith("matcher")) {
+        node.forEachDescendant((child) => {
+          if (child.getKind() === SyntaxKind2.StringLiteral) {
+            const value = child.getText().replace(/['"]/g, "");
+            matchers.push(value);
+          }
+        });
+      }
+    }
+  });
+  return matchers;
+}
+function isRouteCoveredByMiddleware(routePath, matchers) {
+  for (const matcher of matchers) {
+    const pattern = matcher.replace(/\*/g, ".*").replace(/\/:path\*/g, "/.*").replace(/\(([^)]+)\)/g, "(?:$1)");
+    try {
+      const regex = new RegExp(`^${pattern}`);
+      if (regex.test(routePath)) {
+        return true;
+      }
+    } catch {
+      if (routePath.startsWith(matcher.replace(/\/:path\*$/, ""))) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function buildProofTrace(ctx, route) {
+  const steps = [];
+  let authProven = false;
+  let validationProven = false;
+  const sourceFile = ctx.helpers.parseFile(
+    path3.join(ctx.repoRoot, route.file)
+  );
+  if (!sourceFile) {
+    return {
+      routeId: route.routeId,
+      authProven: false,
+      validationProven: false,
+      middlewareCovered: false,
+      steps: []
+    };
+  }
+  const handlers = ctx.helpers.findRouteHandlers(sourceFile);
+  const handler = handlers.find((h) => h.method === route.method);
+  if (!handler) {
+    return {
+      routeId: route.routeId,
+      authProven: false,
+      validationProven: false,
+      middlewareCovered: false,
+      steps: []
+    };
+  }
+  if (ctx.helpers.containsAuthCheck(handler.functionNode)) {
+    authProven = true;
+    steps.push({
+      file: route.file,
+      line: handler.startLine,
+      snippet: truncateSnippet(handler.functionNode.getText(), 100),
+      label: "Auth check found in handler"
+    });
+  }
+  const validationUsage = ctx.helpers.findValidationUsage(handler.functionNode);
+  if (validationUsage.length > 0 && validationUsage.some((v) => v.resultUsed)) {
+    validationProven = true;
+    steps.push({
+      file: route.file,
+      line: validationUsage[0].line,
+      snippet: truncateSnippet(ctx.helpers.getNodeText(validationUsage[0].node), 100),
+      label: "Validation found in handler"
+    });
+  }
+  if (!authProven || !validationProven) {
+    const importedModules = getLocalImports(sourceFile, ctx.repoRoot, route.file);
     for (const importInfo of importedModules) {
       if (authProven && validationProven) break;
       const traceResult = traceImportedModule(
@@ -4526,7 +6930,7 @@ function mineAllIntentClaims(ctx, routes) {
 
 // src/phase3/scanners/comment-claim-unproven.ts
 import crypto5 from "crypto";
-var RULE_ID20 = "VC-HALL-010";
+var RULE_ID32 = "VC-HALL-010";
 async function scanCommentClaimUnproven(ctx) {
   const findings = [];
   const routes = buildRouteMap(ctx);
@@ -4542,7 +6946,7 @@ async function scanCommentClaimUnproven(ctx) {
       severity: "medium",
       confidence: 0.75,
       category: "hallucinations",
-      ruleId: RULE_ID20,
+      ruleId: RULE_ID32,
       title: `Comment claims ${formatClaimType(claim.type)} but implementation doesn't prove it`,
       description: generateDescription2(claim, route, trace),
       evidence: [
@@ -4658,13 +7062,13 @@ function generateFindingId2(claim) {
   return `f-${crypto5.randomUUID().slice(0, 8)}`;
 }
 function generateFingerprint2(claim) {
-  const data = `${RULE_ID20}:${claim.location.file}:${claim.location.startLine}:${claim.type}`;
+  const data = `${RULE_ID32}:${claim.location.file}:${claim.location.startLine}:${claim.type}`;
   return `sha256:${crypto5.createHash("sha256").update(data).digest("hex")}`;
 }
 
 // src/phase3/scanners/middleware-assumed-not-matching.ts
 import crypto6 from "crypto";
-var RULE_ID21 = "VC-HALL-011";
+var RULE_ID33 = "VC-HALL-011";
 var MIDDLEWARE_EXPECTATION_SIGNALS = [
   // Comments
   /middleware.*protect/i,
@@ -4695,7 +7099,7 @@ async function scanMiddlewareAssumedNotMatching(ctx) {
         severity: "high",
         confidence: 0.7,
         category: "hallucinations",
-        ruleId: RULE_ID21,
+        ruleId: RULE_ID33,
         title: `Route ${route.method} ${route.path} expects middleware but is not covered`,
         description: generateDescription3(route, middlewareMap[0], expectsMiddleware.reason),
         evidence: [
@@ -4802,14 +7206,14 @@ function generateFindingId3(route) {
   return `f-${crypto6.randomUUID().slice(0, 8)}`;
 }
 function generateFingerprint3(route) {
-  const data = `${RULE_ID21}:${route.file}:${route.method}:${route.path}`;
+  const data = `${RULE_ID33}:${route.file}:${route.method}:${route.path}`;
   return `sha256:${crypto6.createHash("sha256").update(data).digest("hex")}`;
 }
 
 // src/phase3/scanners/validation-claimed-missing.ts
 import crypto7 from "crypto";
 import path5 from "path";
-var RULE_ID22 = "VC-HALL-012";
+var RULE_ID34 = "VC-HALL-012";
 async function scanValidationClaimedMissing(ctx) {
   const findings = [];
   const routes = buildRouteMap(ctx);
@@ -4912,7 +7316,7 @@ function createFinding(route, claim, issueType, description, additionalEvidence)
     severity: "medium",
     confidence: 0.8,
     category: "hallucinations",
-    ruleId: RULE_ID22,
+    ruleId: RULE_ID34,
     title: generateTitle(route, issueType),
     description,
     evidence,
@@ -4965,7 +7369,7 @@ function checkUnusedValidationImports(ctx, routes, claims) {
           severity: "medium",
           confidence: 0.7,
           category: "hallucinations",
-          ruleId: RULE_ID22,
+          ruleId: RULE_ID34,
           title: `Validation library imported but no schemas defined in ${claim.location.file}`,
           description: "A validation library is imported suggesting validation intent, but no validation schemas are defined in the file. This could be dead code or incomplete implementation.",
           evidence: [
@@ -4980,7 +7384,7 @@ function checkUnusedValidationImports(ctx, routes, claims) {
           remediation: {
             recommendedFix: "Define validation schemas using the imported library, or remove the unused import."
           },
-          fingerprint: `sha256:${crypto7.createHash("sha256").update(`${RULE_ID22}:${claim.location.file}:import_unused`).digest("hex")}`
+          fingerprint: `sha256:${crypto7.createHash("sha256").update(`${RULE_ID34}:${claim.location.file}:import_unused`).digest("hex")}`
         });
       }
     }
@@ -4988,14 +7392,14 @@ function checkUnusedValidationImports(ctx, routes, claims) {
   return findings;
 }
 function generateFingerprint4(route, issueType) {
-  const data = `${RULE_ID22}:${route.file}:${route.method}:${issueType}`;
+  const data = `${RULE_ID34}:${route.file}:${route.method}:${issueType}`;
   return `sha256:${crypto7.createHash("sha256").update(data).digest("hex")}`;
 }
 
 // src/phase3/scanners/auth-by-ui-server-gap.ts
 import crypto8 from "crypto";
 import path6 from "path";
-var RULE_ID23 = "VC-AUTH-010";
+var RULE_ID35 = "VC-AUTH-010";
 var CLIENT_AUTH_PATTERNS = [
   // React/Next.js session hooks
   /\buseSession\s*\(/,
@@ -5053,7 +7457,7 @@ async function scanAuthByUiServerGap(ctx) {
           severity: "critical",
           confidence: 0.85,
           category: "auth",
-          ruleId: RULE_ID23,
+          ruleId: RULE_ID35,
           title: `Client-side auth with unprotected server endpoint ${matchingUnprotected.method} ${matchingUnprotected.path}`,
           description: generateDescription4(
             relPath,
@@ -5184,7 +7588,7 @@ if (!session) {
 Client-side auth checks are for UX only and must never be the sole protection mechanism.`;
 }
 function generateFingerprint5(componentFile, route) {
-  const data = `${RULE_ID23}:${componentFile}:${route.file}:${route.method}`;
+  const data = `${RULE_ID35}:${componentFile}:${route.file}:${route.method}`;
   return `sha256:${crypto8.createHash("sha256").update(data).digest("hex")}`;
 }
 
@@ -5216,12 +7620,452 @@ var ALL_SCANNER_PACKS = [
   cryptoPack,
   uploadsPack,
   abusePack,
+  authorizationPack,
+  lifecyclePack,
+  supplyChainPack,
   // Phase 3 packs
   hallucinationsPack2,
   authPackPhase3
 ];
 var ALL_SCANNERS = ALL_SCANNER_PACKS.flatMap((pack) => pack.scanners);
 
+// src/phase4/correlator.ts
+function detectAuthWithoutValidation(ctx) {
+  const correlatedFindings = [];
+  const findingsByFile = /* @__PURE__ */ new Map();
+  for (const finding of ctx.findings) {
+    const file = finding.evidence[0]?.file;
+    if (file) {
+      const existing = findingsByFile.get(file) || [];
+      existing.push(finding);
+      findingsByFile.set(file, existing);
+    }
+  }
+  const routes = ctx.routeMap?.routes || [];
+  const stateChangingMethods = ["POST", "PUT", "PATCH", "DELETE"];
+  for (const route of routes) {
+    if (!stateChangingMethods.includes(route.method)) continue;
+    const fileFindings = findingsByFile.get(route.file) || [];
+    const authFindings = fileFindings.filter((f) => f.category === "auth");
+    const validationFindings = fileFindings.filter((f) => f.category === "validation");
+    if (authFindings.length > 0 && validationFindings.length === 0) {
+      const relatedIds = authFindings.map((f) => f.fingerprint);
+      const evidence = [
+        {
+          file: route.file,
+          startLine: route.startLine || 1,
+          endLine: route.endLine || 1,
+          label: `${route.method} ${route.path} - auth present, validation missing`
+        },
+        ...authFindings[0].evidence
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: "VC-CORR-001",
+        file: route.file,
+        route: route.routeId,
+        symbol: "auth_validation_gap"
+      });
+      correlatedFindings.push({
+        id: generateFindingId({
+          ruleId: "VC-CORR-001",
+          file: route.file,
+          symbol: route.routeId
+        }),
+        severity: "medium",
+        confidence: 0.75,
+        category: "correlation",
+        ruleId: "VC-CORR-001",
+        title: "Auth Check Without Input Validation",
+        description: `The ${route.method} ${route.path} endpoint has authentication checks but appears to be missing server-side input validation. Authenticated users can still submit malicious input. Related findings: ${relatedIds.join(", ")}`,
+        evidence,
+        remediation: {
+          recommendedFix: `Add input validation using Zod, Yup, or Joi to validate request body/params before processing. Authentication prevents unauthorized access, but validation prevents malformed data.`
+        },
+        fingerprint,
+        correlationData: {
+          relatedFindingIds: relatedIds,
+          pattern: "auth_without_validation",
+          explanation: `Route ${route.routeId} has auth checks (findings: ${relatedIds.length}) but no validation evidence.`
+        },
+        relatedFindings: relatedIds
+      });
+    }
+  }
+  return correlatedFindings;
+}
+function detectMiddlewareUploadGap(ctx) {
+  const correlatedFindings = [];
+  if (!ctx.middlewareMap) return correlatedFindings;
+  const middlewareMap = ctx.middlewareMap;
+  const uncoveredRoutes = middlewareMap.coverage?.filter((c) => !c.covered) || [];
+  const uploadFindings = ctx.findings.filter(
+    (f) => f.ruleId.startsWith("VC-UPL") || f.category === "uploads"
+  );
+  for (const uncovered of uncoveredRoutes) {
+    const relatedUploads = uploadFindings.filter(
+      (f) => f.evidence.some((e) => e.file.includes(uncovered.routeId) || uncovered.routeId.includes(e.file.replace(/\\/g, "/")))
+    );
+    if (relatedUploads.length > 0) {
+      const relatedIds = relatedUploads.map((f) => f.fingerprint);
+      const evidence = [
+        {
+          file: relatedUploads[0].evidence[0]?.file || uncovered.routeId,
+          startLine: relatedUploads[0].evidence[0]?.startLine || 1,
+          endLine: relatedUploads[0].evidence[0]?.endLine || 1,
+          label: `Upload endpoint not protected by middleware`
+        }
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: "VC-CORR-002",
+        file: uncovered.routeId,
+        symbol: "middleware_upload_gap"
+      });
+      correlatedFindings.push({
+        id: generateFindingId({
+          ruleId: "VC-CORR-002",
+          file: uncovered.routeId,
+          symbol: "upload"
+        }),
+        severity: "high",
+        confidence: 0.8,
+        category: "correlation",
+        ruleId: "VC-CORR-002",
+        title: "Upload Endpoint Not Protected by Middleware",
+        description: `File upload endpoint at ${uncovered.routeId} is not covered by the global middleware. Upload endpoints without rate limiting or auth middleware are vulnerable to abuse. Related upload findings: ${relatedIds.join(", ")}`,
+        evidence,
+        remediation: {
+          recommendedFix: `Extend middleware matcher to cover this upload endpoint, or add explicit rate limiting and auth checks in the handler. Consider: matcher: ['/((?!api/upload).*)'] to ensure coverage.`
+        },
+        fingerprint,
+        correlationData: {
+          relatedFindingIds: relatedIds,
+          pattern: "middleware_upload_gap",
+          explanation: `Upload route ${uncovered.routeId} bypasses middleware (${uncovered.reason || "not in matcher"}).`
+        },
+        relatedFindings: relatedIds
+      });
+    }
+  }
+  return correlatedFindings;
+}
+function detectNetworkAuthLeak(ctx) {
+  const correlatedFindings = [];
+  const networkFindings = ctx.findings.filter(
+    (f) => f.ruleId.startsWith("VC-NET") || f.category === "network"
+  );
+  const authFindings = ctx.findings.filter(
+    (f) => f.category === "auth" || f.category === "secrets"
+  );
+  const networkByFile = /* @__PURE__ */ new Map();
+  for (const f of networkFindings) {
+    const file = f.evidence[0]?.file;
+    if (file) {
+      const existing = networkByFile.get(file) || [];
+      existing.push(f);
+      networkByFile.set(file, existing);
+    }
+  }
+  const authByFile = /* @__PURE__ */ new Map();
+  for (const f of authFindings) {
+    const file = f.evidence[0]?.file;
+    if (file) {
+      const existing = authByFile.get(file) || [];
+      existing.push(f);
+      authByFile.set(file, existing);
+    }
+  }
+  for (const [file, netFindings] of networkByFile) {
+    const fileAuthFindings = authByFile.get(file) || [];
+    const ssrfFindings = netFindings.filter(
+      (f) => f.ruleId === "VC-NET-001" || f.title.toLowerCase().includes("ssrf")
+    );
+    if (ssrfFindings.length > 0 && fileAuthFindings.length > 0) {
+      const relatedIds = [...ssrfFindings, ...fileAuthFindings].map((f) => f.fingerprint);
+      const evidence = [
+        ...ssrfFindings[0].evidence,
+        ...fileAuthFindings[0]?.evidence || []
+      ];
+      const fingerprint = generateFingerprint({
+        ruleId: "VC-CORR-003",
+        file,
+        symbol: "network_auth_leak"
+      });
+      correlatedFindings.push({
+        id: generateFindingId({
+          ruleId: "VC-CORR-003",
+          file,
+          symbol: "ssrf_token"
+        }),
+        severity: "critical",
+        confidence: 0.7,
+        category: "correlation",
+        ruleId: "VC-CORR-003",
+        title: "Token May Be Forwarded to User-Controlled URL",
+        description: `File ${file} has both SSRF-prone fetch calls and authentication/token handling. Tokens or session data may be inadvertently forwarded to attacker-controlled servers. Related findings: ${relatedIds.join(", ")}`,
+        evidence,
+        remediation: {
+          recommendedFix: `Never forward auth tokens to user-controlled URLs. Use an allowlist for external requests. Strip sensitive headers before forwarding requests. Consider using a separate HTTP client without default auth headers for user-provided URLs.`
+        },
+        fingerprint,
+        correlationData: {
+          relatedFindingIds: relatedIds,
+          pattern: "network_auth_leak",
+          explanation: `File has SSRF vulnerability and handles auth tokens - risk of token exfiltration.`
+        },
+        relatedFindings: relatedIds
+      });
+    }
+  }
+  return correlatedFindings;
+}
+function detectPrivacyLoggingInAuth(ctx) {
+  const correlatedFindings = [];
+  const privacyFindings = ctx.findings.filter(
+    (f) => f.ruleId.startsWith("VC-PRIV") || f.category === "privacy"
+  );
+  const apiRouteFiles = new Set(
+    (ctx.routeMap?.routes || []).map((r) => r.file)
+  );
+  for (const privacyFinding of privacyFindings) {
+    const file = privacyFinding.evidence[0]?.file;
+    if (!file) continue;
+    const isApiRoute = apiRouteFiles.has(file) || file.includes("/api/") || file.includes("route.ts") || file.includes("route.js");
+    if (isApiRoute) {
+      const relatedIds = [privacyFinding.fingerprint];
+      const evidence = [...privacyFinding.evidence];
+      const fingerprint = generateFingerprint({
+        ruleId: "VC-CORR-004",
+        file,
+        symbol: "privacy_auth_context",
+        startLine: privacyFinding.evidence[0]?.startLine
+      });
+      correlatedFindings.push({
+        id: generateFindingId({
+          ruleId: "VC-CORR-004",
+          file,
+          symbol: "sensitive_log_api",
+          startLine: privacyFinding.evidence[0]?.startLine
+        }),
+        severity: "high",
+        confidence: 0.8,
+        category: "correlation",
+        ruleId: "VC-CORR-004",
+        title: "Sensitive Logging in Authenticated API Context",
+        description: `Sensitive data logging in ${file} occurs in an API route context. This increases impact as authenticated user data (tokens, sessions, PII) may be exposed in logs. Related finding: ${privacyFinding.fingerprint}`,
+        evidence,
+        remediation: {
+          recommendedFix: `Remove sensitive data from logs in API routes. Log only non-sensitive identifiers (user ID, request ID, timestamps). Use structured logging with explicit field allowlists.`
+        },
+        fingerprint,
+        correlationData: {
+          relatedFindingIds: relatedIds,
+          pattern: "privacy_auth_context",
+          explanation: `Privacy finding in API route context increases data exposure risk.`
+        },
+        relatedFindings: relatedIds
+      });
+    }
+  }
+  return correlatedFindings;
+}
+function detectCryptoAuthGate(ctx) {
+  const correlatedFindings = [];
+  const jwtFindings = ctx.findings.filter(
+    (f) => f.ruleId === "VC-CRYPTO-002" || f.title.toLowerCase().includes("jwt") && f.title.toLowerCase().includes("decode")
+  );
+  const apiRouteFiles = new Set(
+    (ctx.routeMap?.routes || []).map((r) => r.file)
+  );
+  for (const jwtFinding of jwtFindings) {
+    const file = jwtFinding.evidence[0]?.file;
+    if (!file) continue;
+    const isAuthContext = apiRouteFiles.has(file) || file.includes("/api/") || file.includes("auth") || file.includes("middleware") || file.includes("session");
+    if (isAuthContext) {
+      const relatedIds = [jwtFinding.fingerprint];
+      const evidence = [...jwtFinding.evidence];
+      const fingerprint = generateFingerprint({
+        ruleId: "VC-CORR-005",
+        file,
+        symbol: "jwt_auth_gate",
+        startLine: jwtFinding.evidence[0]?.startLine
+      });
+      correlatedFindings.push({
+        id: generateFindingId({
+          ruleId: "VC-CORR-005",
+          file,
+          symbol: "jwt_gate",
+          startLine: jwtFinding.evidence[0]?.startLine
+        }),
+        severity: "critical",
+        confidence: 0.85,
+        category: "correlation",
+        ruleId: "VC-CORR-005",
+        title: "JWT Decode Without Verify on Auth Gate Path",
+        description: `jwt.decode() without verification is used in ${file}, which appears to be an authentication/authorization gate. This allows attackers to forge JWT tokens and bypass auth entirely. Related finding: ${jwtFinding.fingerprint}`,
+        evidence,
+        remediation: {
+          recommendedFix: `Replace jwt.decode() with jwt.verify() in auth gate paths. Never trust JWT claims without signature verification. If you need to read claims before verification (e.g., to get 'kid'), verify immediately after.`
+        },
+        fingerprint,
+        correlationData: {
+          relatedFindingIds: relatedIds,
+          pattern: "crypto_auth_gate",
+          explanation: `JWT decode without verify in auth gate path allows token forgery.`
+        },
+        relatedFindings: relatedIds
+      });
+    }
+  }
+  return correlatedFindings;
+}
+function detectHallucinationCoverageGap(ctx) {
+  const correlatedFindings = [];
+  const hallFindings = ctx.findings.filter(
+    (f) => f.ruleId.startsWith("VC-HALL") || f.category === "hallucinations"
+  );
+  const proofTraces = ctx.proofTraces || {};
+  for (const hallFinding of hallFindings) {
+    const file = hallFinding.evidence[0]?.file;
+    if (!file) continue;
+    const fileRoutes = (ctx.routeMap?.routes || []).filter((r) => r.file === file);
+    for (const route of fileRoutes) {
+      const trace = proofTraces[route.routeId];
+      if (trace && trace.summary.includes("No protection proven")) {
+        const relatedIds = [hallFinding.fingerprint];
+        const evidence = [
+          ...hallFinding.evidence,
+          {
+            file: route.file,
+            startLine: route.startLine || 1,
+            endLine: route.endLine || 1,
+            label: `Route ${route.method} ${route.path} - proof trace shows no protection`
+          }
+        ];
+        const fingerprint = generateFingerprint({
+          ruleId: "VC-CORR-006",
+          file,
+          route: route.routeId,
+          symbol: "hallucination_coverage"
+        });
+        correlatedFindings.push({
+          id: generateFindingId({
+            ruleId: "VC-CORR-006",
+            file,
+            symbol: route.routeId
+          }),
+          severity: "high",
+          confidence: 0.8,
+          category: "correlation",
+          ruleId: "VC-CORR-006",
+          title: "Security Claim Contradicts Proof Trace",
+          description: `Comments or imports in ${file} claim security protection, but the proof trace for ${route.method} ${route.path} shows no actual protection. This is a dangerous hallucination that creates false confidence. Related finding: ${hallFinding.fingerprint}`,
+          evidence,
+          remediation: {
+            recommendedFix: `Either implement the claimed security control (auth check, validation, etc.) or remove misleading comments/imports. Proof traces require actual runtime checks to prove protection.`
+          },
+          fingerprint,
+          correlationData: {
+            relatedFindingIds: relatedIds,
+            pattern: "hallucination_coverage_gap",
+            explanation: `Hallucination finding + proof trace gap = false security confidence.`
+          },
+          relatedFindings: relatedIds
+        });
+      }
+    }
+  }
+  return correlatedFindings;
+}
+function buildGraph(ctx, correlatedFindings) {
+  const nodes = [];
+  const edges = [];
+  const nodeIds = /* @__PURE__ */ new Set();
+  if (ctx.routeMap?.routes) {
+    for (const route of ctx.routeMap.routes) {
+      if (!nodeIds.has(route.routeId)) {
+        nodes.push({
+          id: route.routeId,
+          type: "route",
+          label: `${route.method} ${route.path}`,
+          file: route.file,
+          line: route.startLine
+        });
+        nodeIds.add(route.routeId);
+      }
+    }
+  }
+  for (const finding of [...ctx.findings, ...correlatedFindings]) {
+    const nodeId = `finding-${finding.fingerprint.slice(0, 16)}`;
+    if (!nodeIds.has(nodeId)) {
+      nodes.push({
+        id: nodeId,
+        type: "finding",
+        label: finding.title,
+        file: finding.evidence[0]?.file,
+        line: finding.evidence[0]?.startLine,
+        metadata: { severity: finding.severity, category: finding.category }
+      });
+      nodeIds.add(nodeId);
+    }
+    if (finding.relatedFindings) {
+      for (const relatedId of finding.relatedFindings) {
+        const relatedNodeId = `finding-${relatedId.slice(0, 16)}`;
+        edges.push({
+          source: nodeId,
+          target: relatedNodeId,
+          type: "correlates",
+          label: finding.correlationData?.pattern
+        });
+      }
+    }
+  }
+  return { nodes, edges };
+}
+function runCorrelationPass(ctx) {
+  const startTime = Date.now();
+  const correlatedFindings = [
+    ...detectAuthWithoutValidation(ctx),
+    ...detectMiddlewareUploadGap(ctx),
+    ...detectNetworkAuthLeak(ctx),
+    ...detectPrivacyLoggingInAuth(ctx),
+    ...detectCryptoAuthGate(ctx),
+    ...detectHallucinationCoverageGap(ctx)
+  ];
+  correlatedFindings.sort((a, b) => {
+    const ruleCompare = a.ruleId.localeCompare(b.ruleId);
+    if (ruleCompare !== 0) return ruleCompare;
+    const fileA = a.evidence[0]?.file || "";
+    const fileB = b.evidence[0]?.file || "";
+    const fileCompare = fileA.localeCompare(fileB);
+    if (fileCompare !== 0) return fileCompare;
+    const lineA = a.evidence[0]?.startLine || 0;
+    const lineB = b.evidence[0]?.startLine || 0;
+    return lineA - lineB;
+  });
+  const byPattern = {};
+  for (const finding of correlatedFindings) {
+    const pattern = finding.correlationData?.pattern;
+    if (pattern) {
+      byPattern[pattern] = (byPattern[pattern] || 0) + 1;
+    }
+  }
+  const allFindings = [...ctx.findings, ...correlatedFindings];
+  const graph = buildGraph(ctx, correlatedFindings);
+  const correlationSummary = {
+    totalCorrelations: correlatedFindings.length,
+    byPattern,
+    correlationDurationMs: Date.now() - startTime
+  };
+  return {
+    findings: allFindings,
+    correlationSummary,
+    graph
+  };
+}
+function shouldRunCorrelation(findings) {
+  return findings.length > 0;
+}
+
 // src/utils/sarif-formatter.ts
 function severityToSarifLevel(severity) {
   switch (severity) {
@@ -5587,8 +8431,9 @@ async function runScannersWithProgress(baseContext, totalFiles) {
   progress.stop();
   return allFindings;
 }
-function createArtifact(findings, targetDir, fileCount, repoName, metrics, phase3Data) {
-  const summary = computeSummary(findings);
+function createArtifact(findings, targetDir, fileCount, repoName, metrics, phase3Data, correlationResult) {
+  const finalFindings = correlationResult?.findings ?? findings;
+  const summary = computeSummary(finalFindings);
   const gitInfo = getGitInfo(targetDir);
   const name = repoName ?? getRepoName(targetDir);
   const artifact = {
@@ -5596,7 +8441,7 @@ function createArtifact(findings, targetDir, fileCount, repoName, metrics, phase
     generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     tool: {
       name: "vibecheck",
-      version: "0.0.1"
+      version: CLI_VERSION
     },
     repo: {
       name,
@@ -5604,7 +8449,7 @@ function createArtifact(findings, targetDir, fileCount, repoName, metrics, phase
       git: gitInfo
     },
     summary,
-    findings
+    findings: finalFindings
   };
   if (metrics) {
     artifact.metrics = {
@@ -5627,6 +8472,10 @@ function createArtifact(findings, targetDir, fileCount, repoName, metrics, phase
       };
     }
   }
+  if (correlationResult) {
+    artifact.correlationSummary = correlationResult.correlationSummary;
+    artifact.graph = correlationResult.graph;
+  }
   return artifact;
 }
 function formatSeverity(severity) {
@@ -5823,6 +8672,24 @@ async function executeScan(targetDir, options) {
     intentSpinner.succeed(`Built Phase 3 data (${parts.join(", ")})`);
     console.log(`\x1B[90m   \u2514\u2500 Auth coverage: ${Math.round(coverageRaw.authCoverage * 100)}%\x1B[0m`);
   }
+  let correlationResult;
+  if (shouldRunCorrelation(findings)) {
+    const correlationSpinner = new Spinner("Running Phase 4 correlation pass");
+    correlationSpinner.start();
+    correlationResult = runCorrelationPass({
+      findings,
+      routeMap: phase3Data?.routeMap,
+      middlewareMap: phase3Data?.middlewareMap,
+      proofTraces: phase3Data?.proofTraces,
+      intentMap: phase3Data?.intentMap
+    });
+    const correlationCount = correlationResult.correlationSummary.totalCorrelations;
+    if (correlationCount > 0) {
+      correlationSpinner.succeed(`Phase 4 correlation: ${correlationCount} pattern(s) detected`);
+    } else {
+      correlationSpinner.succeed("Phase 4 correlation: no patterns detected");
+    }
+  }
   const artifact = createArtifact(
     findings,
     absoluteTarget,
@@ -5832,7 +8699,8 @@ async function executeScan(targetDir, options) {
       filesScanned: initialContext.fileIndex.allSourceFiles.length,
       scanDurationMs
     },
-    phase3Data
+    phase3Data,
+    correlationResult
   );
   try {
     validateArtifact(artifact);
@@ -6647,60 +9515,60 @@ function registerIntentCommand(program2) {
 import path10 from "path";
 
 // ../policy/dist/schemas/waiver.js
-import { z as z6 } from "zod";
-var WaiverMatchSchema = z6.object({
+import { z as z7 } from "zod";
+var WaiverMatchSchema = z7.object({
   /** Exact fingerprint match */
-  fingerprint: z6.string().optional(),
+  fingerprint: z7.string().optional(),
   /** Rule ID (exact or prefix like "VC-AUTH-*") */
-  ruleId: z6.string().optional(),
+  ruleId: z7.string().optional(),
   /** Path glob pattern for evidence file matching */
-  pathPattern: z6.string().optional()
+  pathPattern: z7.string().optional()
 });
-var WaiverSchema = z6.object({
+var WaiverSchema = z7.object({
   /** Unique waiver ID */
-  id: z6.string(),
+  id: z7.string(),
   /** Match criteria */
   match: WaiverMatchSchema.refine((m) => m.fingerprint || m.ruleId, { message: "Waiver must specify fingerprint or ruleId" }),
   /** Justification for the waiver */
-  reason: z6.string().min(1),
+  reason: z7.string().min(1),
   /** Who created this waiver */
-  createdBy: z6.string().min(1),
+  createdBy: z7.string().min(1),
   /** When the waiver was created */
-  createdAt: z6.string().datetime(),
+  createdAt: z7.string().datetime(),
   /** Optional expiration date */
-  expiresAt: z6.string().datetime().optional(),
+  expiresAt: z7.string().datetime().optional(),
   /** Optional ticket/issue reference */
-  ticketRef: z6.string().optional()
+  ticketRef: z7.string().optional()
 });
-var WaiversFileSchema = z6.object({
+var WaiversFileSchema = z7.object({
   /** Schema version */
-  version: z6.literal("0.1"),
+  version: z7.literal("0.1"),
   /** List of waivers */
-  waivers: z6.array(WaiverSchema)
+  waivers: z7.array(WaiverSchema)
 });
 
 // ../policy/dist/schemas/policy-config.js
-import { z as z7 } from "zod";
-var ProfileNameSchema = z7.enum(["startup", "strict", "compliance-lite"]);
-var ThresholdsSchema = z7.object({
+import { z as z8 } from "zod";
+var ProfileNameSchema = z8.enum(["startup", "strict", "compliance-lite"]);
+var ThresholdsSchema = z8.object({
   /** Minimum severity to trigger FAIL status */
   failOnSeverity: SeveritySchema.default("high"),
   /** Minimum severity to trigger WARN status */
   warnOnSeverity: SeveritySchema.default("medium"),
   /** Minimum confidence (0-1) for a finding to trigger FAIL */
-  minConfidenceForFail: z7.number().min(0).max(1).default(0.7),
+  minConfidenceForFail: z8.number().min(0).max(1).default(0.7),
   /** Minimum confidence (0-1) for a finding to trigger WARN */
-  minConfidenceForWarn: z7.number().min(0).max(1).default(0.5),
+  minConfidenceForWarn: z8.number().min(0).max(1).default(0.5),
   /** Special lower confidence threshold for critical findings */
-  minConfidenceCritical: z7.number().min(0).max(1).default(0.5),
+  minConfidenceCritical: z8.number().min(0).max(1).default(0.5),
   /** Maximum number of findings before auto-fail (0 = unlimited) */
-  maxFindings: z7.number().int().min(0).default(0),
+  maxFindings: z8.number().int().min(0).default(0),
   /** Maximum number of critical findings before auto-fail (0 = unlimited) */
-  maxCritical: z7.number().int().min(0).default(0),
+  maxCritical: z8.number().int().min(0).default(0),
   /** Maximum number of high findings before auto-fail (0 = unlimited) */
-  maxHigh: z7.number().int().min(0).default(0)
+  maxHigh: z8.number().int().min(0).default(0)
 });
-var OverrideActionSchema = z7.enum([
+var OverrideActionSchema = z8.enum([
   "ignore",
   // Skip this finding entirely
   "downgrade",
@@ -6712,56 +9580,62 @@ var OverrideActionSchema = z7.enum([
   "fail"
   // Always fail on this
 ]);
-var OverrideSchema = z7.object({
+var OverrideSchema = z8.object({
   /** Rule ID pattern (exact or prefix like "VC-AUTH-*") */
-  ruleId: z7.string().optional(),
+  ruleId: z8.string().optional(),
   /** Category to match */
   category: CategorySchema.optional(),
   /** Path pattern for evidence file matching (glob-like) */
-  pathPattern: z7.string().optional(),
+  pathPattern: z8.string().optional(),
   /** Action to take when matched */
   action: OverrideActionSchema,
   /** Override severity when action is downgrade/upgrade */
   severity: SeveritySchema.optional(),
   /** Comment explaining the override */
-  comment: z7.string().optional()
+  comment: z8.string().optional()
 });
-var RegressionPolicySchema = z7.object({
+var RegressionPolicySchema = z8.object({
   /** Fail on any new high/critical findings */
-  failOnNewHighCritical: z7.boolean().default(true),
+  failOnNewHighCritical: z8.boolean().default(true),
   /** Fail on any severity regression (e.g., medium became high) */
-  failOnSeverityRegression: z7.boolean().default(false),
+  failOnSeverityRegression: z8.boolean().default(false),
   /** Fail on net increase in findings */
-  failOnNetIncrease: z7.boolean().default(false),
+  failOnNetIncrease: z8.boolean().default(false),
   /** Warn on any new findings */
-  warnOnNewFindings: z7.boolean().default(true)
+  warnOnNewFindings: z8.boolean().default(true),
+  /** Fail on protection removed from routes (auth/validation coverage decreased) */
+  failOnProtectionRemoved: z8.boolean().default(false),
+  /** Warn on protection removed from routes */
+  warnOnProtectionRemoved: z8.boolean().default(true),
+  /** Fail on any semantic regression (coverage decrease, severity group increase) */
+  failOnSemanticRegression: z8.boolean().default(false)
 });
-var PolicyConfigSchema = z7.object({
+var PolicyConfigSchema = z8.object({
   /** Profile name for presets */
   profile: ProfileNameSchema.optional(),
   /** Threshold configuration */
   thresholds: ThresholdsSchema.default({}),
   /** Override rules */
-  overrides: z7.array(OverrideSchema).default([]),
+  overrides: z8.array(OverrideSchema).default([]),
   /** Regression policy */
   regression: RegressionPolicySchema.default({})
 });
-var ConfigFileSchema = z7.object({
+var ConfigFileSchema = z8.object({
   /** Policy configuration */
   policy: PolicyConfigSchema.optional(),
   /** Path to waivers file */
-  waiversPath: z7.string().optional()
+  waiversPath: z8.string().optional()
 });
 
 // ../policy/dist/schemas/policy-report.js
-import { z as z8 } from "zod";
+import { z as z9 } from "zod";
 var POLICY_REPORT_VERSION = "0.1";
-var PolicyStatusSchema = z8.enum(["pass", "warn", "fail"]);
-var PolicyReasonSchema = z8.object({
+var PolicyStatusSchema = z9.enum(["pass", "warn", "fail"]);
+var PolicyReasonSchema = z9.object({
   /** The status this reason contributes to */
   status: PolicyStatusSchema,
   /** Machine-readable reason code */
-  code: z8.enum([
+  code: z9.enum([
     "severity_threshold",
     "confidence_threshold",
     "count_threshold",
@@ -6769,85 +9643,127 @@ var PolicyReasonSchema = z8.object({
     "severity_regression",
     "net_increase",
     "override_fail",
-    "no_issues"
+    "no_issues",
+    // Semantic regression codes
+    "protection_removed",
+    "coverage_decreased",
+    "severity_group_increase",
+    "semantic_regression"
   ]),
   /** Human-readable description */
-  message: z8.string(),
+  message: z9.string(),
   /** Optional finding IDs that triggered this */
-  findingIds: z8.array(z8.string()).optional(),
+  findingIds: z9.array(z9.string()).optional(),
   /** Optional details */
-  details: z8.record(z8.unknown()).optional()
+  details: z9.record(z9.unknown()).optional()
 });
-var PolicySummaryCountsSchema = z8.object({
+var PolicySummaryCountsSchema = z9.object({
   /** Total findings after filtering */
-  total: z8.number().int(),
+  total: z9.number().int(),
   /** By severity */
-  bySeverity: z8.object({
-    critical: z8.number().int(),
-    high: z8.number().int(),
-    medium: z8.number().int(),
-    low: z8.number().int(),
-    info: z8.number().int()
+  bySeverity: z9.object({
+    critical: z9.number().int(),
+    high: z9.number().int(),
+    medium: z9.number().int(),
+    low: z9.number().int(),
+    info: z9.number().int()
   }),
   /** By category */
-  byCategory: z8.record(CategorySchema, z8.number().int()),
+  byCategory: z9.record(CategorySchema, z9.number().int()),
   /** Count of waived findings */
-  waived: z8.number().int(),
+  waived: z9.number().int(),
   /** Count of ignored by override */
-  ignored: z8.number().int()
+  ignored: z9.number().int()
+});
+var ProtectionRegressionSchema = z9.object({
+  /** Route identifier (e.g., "/api/users:POST") */
+  routeId: z9.string(),
+  /** File containing the route */
+  file: z9.string(),
+  /** HTTP method */
+  method: z9.string(),
+  /** Type of protection that was removed */
+  protectionType: z9.enum(["auth", "validation", "rate-limit", "middleware"]),
+  /** Description of what changed */
+  description: z9.string(),
+  /** Related finding fingerprints */
+  relatedFingerprints: z9.array(z9.string()).optional()
+});
+var SemanticRegressionSchema = z9.object({
+  /** Type of semantic regression */
+  type: z9.enum([
+    "protection_removed",
+    // Auth/validation removed from route
+    "coverage_decreased",
+    // Fewer routes protected
+    "severity_group_increase"
+    // Multiple findings in same group got worse
+  ]),
+  /** Severity of this regression */
+  severity: SeveritySchema,
+  /** Human-readable description */
+  description: z9.string(),
+  /** Route or fingerprint group affected */
+  affectedId: z9.string(),
+  /** Detailed evidence */
+  details: z9.record(z9.unknown()).optional()
 });
-var RegressionSummarySchema = z8.object({
+var RegressionSummarySchema = z9.object({
   /** Baseline artifact path or identifier */
-  baselineId: z8.string(),
+  baselineId: z9.string(),
   /** When baseline was generated */
-  baselineGeneratedAt: z8.string(),
+  baselineGeneratedAt: z9.string(),
   /** New findings (not in baseline) */
-  newFindings: z8.array(z8.object({
-    findingId: z8.string(),
-    fingerprint: z8.string(),
+  newFindings: z9.array(z9.object({
+    findingId: z9.string(),
+    fingerprint: z9.string(),
     severity: SeveritySchema,
-    ruleId: z8.string(),
-    title: z8.string()
+    ruleId: z9.string(),
+    title: z9.string()
   })),
   /** Resolved findings (in baseline but not current) */
-  resolvedFindings: z8.array(z8.object({
-    fingerprint: z8.string(),
+  resolvedFindings: z9.array(z9.object({
+    fingerprint: z9.string(),
     severity: SeveritySchema,
-    ruleId: z8.string(),
-    title: z8.string()
+    ruleId: z9.string(),
+    title: z9.string()
   })),
   /** Persisting findings (in both) */
-  persistingCount: z8.number().int(),
+  persistingCount: z9.number().int(),
   /** Severity regressions (same fingerprint but higher severity) */
-  severityRegressions: z8.array(z8.object({
-    fingerprint: z8.string(),
-    ruleId: z8.string(),
+  severityRegressions: z9.array(z9.object({
+    fingerprint: z9.string(),
+    ruleId: z9.string(),
     previousSeverity: SeveritySchema,
     currentSeverity: SeveritySchema,
-    title: z8.string()
+    title: z9.string()
   })),
   /** Net change in finding count */
-  netChange: z8.number().int()
+  netChange: z9.number().int(),
+  /** Protection regressions (auth/validation removed from routes) */
+  protectionRegressions: z9.array(ProtectionRegressionSchema).optional(),
+  /** Semantic regressions (abstract security property degradations) */
+  semanticRegressions: z9.array(SemanticRegressionSchema).optional()
 });
-var WaivedFindingSchema = z8.object({
+var WaivedFindingSchema = z9.object({
   /** The finding that was waived */
-  finding: z8.object({
-    id: z8.string(),
-    fingerprint: z8.string(),
-    ruleId: z8.string(),
+  finding: z9.object({
+    id: z9.string(),
+    fingerprint: z9.string(),
+    ruleId: z9.string(),
     severity: SeveritySchema,
-    title: z8.string()
+    title: z9.string()
   }),
   /** The waiver that matched */
   waiver: WaiverSchema,
   /** Whether waiver is expired */
-  expired: z8.boolean()
+  expired: z9.boolean()
 });
-var PolicyReportSchema = z8.object({
+var PolicyReportSchema = z9.object({
   /** Report schema version */
-  policyVersion: z8.literal(POLICY_REPORT_VERSION),
+  policyVersion: z9.literal(POLICY_REPORT_VERSION),
   /** When evaluation was performed */
-  evaluatedAt: z8.string().datetime(),
+  evaluatedAt: z9.string().datetime(),
   /** Profile name used */
   profileName: ProfileNameSchema.nullable(),
   /** Final status */
@@ -6855,36 +9771,36 @@ var PolicyReportSchema = z8.object({
   /** Thresholds applied */
   thresholds: ThresholdsSchema,
   /** Overrides applied */
-  overrides: z8.array(OverrideSchema),
+  overrides: z9.array(OverrideSchema),
   /** Regression policy applied */
   regressionPolicy: RegressionPolicySchema,
   /** Summary counts */
   summary: PolicySummaryCountsSchema,
   /** Reasons for the status */
-  reasons: z8.array(PolicyReasonSchema),
+  reasons: z9.array(PolicyReasonSchema),
   /** Regression summary (if baseline provided) */
   regression: RegressionSummarySchema.optional(),
   /** Waived findings */
-  waivedFindings: z8.array(WaivedFindingSchema),
+  waivedFindings: z9.array(WaivedFindingSchema),
   /** Active (non-waived, non-ignored) findings included in evaluation */
-  activeFindings: z8.array(z8.object({
-    id: z8.string(),
-    fingerprint: z8.string(),
-    ruleId: z8.string(),
+  activeFindings: z9.array(z9.object({
+    id: z9.string(),
+    fingerprint: z9.string(),
+    ruleId: z9.string(),
     severity: SeveritySchema,
     originalSeverity: SeveritySchema.optional(),
-    confidence: z8.number(),
-    title: z8.string(),
+    confidence: z9.number(),
+    title: z9.string(),
     category: CategorySchema,
-    evidencePaths: z8.array(z8.string())
+    evidencePaths: z9.array(z9.string())
   })),
   /** Recommended exit code (0 = pass/warn, 1 = fail) */
-  exitCode: z8.union([z8.literal(0), z8.literal(1)]),
+  exitCode: z9.union([z9.literal(0), z9.literal(1)]),
   /** Source artifact info */
-  artifact: z8.object({
-    path: z8.string().optional(),
-    generatedAt: z8.string(),
-    repoName: z8.string().optional()
+  artifact: z9.object({
+    path: z9.string().optional(),
+    generatedAt: z9.string(),
+    repoName: z9.string().optional()
   })
 });
 
@@ -6930,7 +9846,10 @@ var STARTUP_REGRESSION = {
   failOnNewHighCritical: true,
   failOnSeverityRegression: false,
   failOnNetIncrease: false,
-  warnOnNewFindings: true
+  warnOnNewFindings: true,
+  failOnProtectionRemoved: false,
+  warnOnProtectionRemoved: true,
+  failOnSemanticRegression: false
 };
 var STARTUP_PROFILE = {
   profile: "startup",
@@ -6952,7 +9871,10 @@ var STRICT_REGRESSION = {
   failOnNewHighCritical: true,
   failOnSeverityRegression: true,
   failOnNetIncrease: false,
-  warnOnNewFindings: true
+  warnOnNewFindings: true,
+  failOnProtectionRemoved: true,
+  warnOnProtectionRemoved: true,
+  failOnSemanticRegression: false
 };
 var STRICT_PROFILE = {
   profile: "strict",
@@ -6974,7 +9896,10 @@ var COMPLIANCE_LITE_REGRESSION = {
   failOnNewHighCritical: true,
   failOnSeverityRegression: true,
   failOnNetIncrease: true,
-  warnOnNewFindings: true
+  warnOnNewFindings: true,
+  failOnProtectionRemoved: true,
+  warnOnProtectionRemoved: true,
+  failOnSemanticRegression: true
 };
 var COMPLIANCE_LITE_PROFILE = {
   profile: "compliance-lite",
@@ -7012,7 +9937,7 @@ function matchRuleId(ruleId, pattern) {
   return ruleId === pattern;
 }
 function matchPathPattern(evidencePaths, pattern) {
-  return evidencePaths.some((path12) => micromatch.isMatch(path12, pattern));
+  return evidencePaths.some((path14) => micromatch.isMatch(path14, pattern));
 }
 function isWaiverExpired(waiver, now = /* @__PURE__ */ new Date()) {
   if (!waiver.expiresAt) {
@@ -7113,6 +10038,44 @@ function removeWaiver(file, waiverId) {
 }
 
 // ../policy/dist/regression.js
+var PROTECTION_RULE_MAPPING = {
+  "VC-AUTH": "auth",
+  "VC-VAL": "validation",
+  "VC-RATE": "rate-limit",
+  "VC-MW": "middleware",
+  "VC-LIFE-001": "auth",
+  "VC-LIFE-002": "validation",
+  "VC-LIFE-003": "rate-limit"
+};
+function extractRouteId(finding) {
+  if (finding.evidence.length === 0)
+    return null;
+  const file = finding.evidence[0].file;
+  const methodMatch = finding.title.match(/\b(GET|POST|PUT|PATCH|DELETE)\b/);
+  const method = methodMatch ? methodMatch[1] : "UNKNOWN";
+  return `${file}:${method}`;
+}
+function getProtectionType(ruleId) {
+  for (const [prefix, type] of Object.entries(PROTECTION_RULE_MAPPING)) {
+    if (ruleId.startsWith(prefix)) {
+      return type;
+    }
+  }
+  return null;
+}
+function groupByRoute(findings) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const routeId = extractRouteId(finding);
+    if (!routeId)
+      continue;
+    if (!groups.has(routeId)) {
+      groups.set(routeId, []);
+    }
+    groups.get(routeId).push(finding);
+  }
+  return groups;
+}
 function buildFingerprintIndex(findings) {
   const index = /* @__PURE__ */ new Map();
   for (const finding of findings) {
@@ -7167,6 +10130,8 @@ function computeRegression(current, baseline) {
     }
   }
   const netChange = current.findings.length - baseline.findings.length;
+  const protectionRegressions = detectProtectionRegressions(current, baseline);
+  const semanticRegressions = detectSemanticRegressions(current, baseline);
   return {
     baselineId: baseline.repo?.name ?? "unknown",
     baselineGeneratedAt: baseline.generatedAt,
@@ -7174,7 +10139,9 @@ function computeRegression(current, baseline) {
     resolvedFindings,
     persistingCount,
     severityRegressions,
-    netChange
+    netChange,
+    protectionRegressions: protectionRegressions.length > 0 ? protectionRegressions : void 0,
+    semanticRegressions: semanticRegressions.length > 0 ? semanticRegressions : void 0
   };
 }
 function hasNewHighCritical(regression) {
@@ -7189,6 +10156,107 @@ function hasSeverityRegressions(regression) {
 function hasNetIncrease(regression) {
   return regression.netChange > 0;
 }
+function detectProtectionRegressions(current, baseline) {
+  const regressions = [];
+  const baselineByRoute = groupByRoute(baseline.findings);
+  const currentByRoute = groupByRoute(current.findings);
+  for (const [routeId, currentFindings] of currentByRoute) {
+    const baselineFindings = baselineByRoute.get(routeId) || [];
+    for (const finding of currentFindings) {
+      const protectionType = getProtectionType(finding.ruleId);
+      if (!protectionType)
+        continue;
+      const hadSimilarFinding = baselineFindings.some((bf) => bf.ruleId === finding.ruleId || bf.fingerprint === finding.fingerprint);
+      if (!hadSimilarFinding) {
+        const [file, method] = routeId.split(":");
+        regressions.push({
+          routeId,
+          file,
+          method,
+          protectionType,
+          description: `New ${protectionType} issue detected: ${finding.title}`,
+          relatedFingerprints: [finding.fingerprint]
+        });
+      }
+    }
+  }
+  return regressions;
+}
+function detectSemanticRegressions(current, baseline) {
+  const regressions = [];
+  const protectionRegressions = detectProtectionRegressions(current, baseline);
+  for (const pr of protectionRegressions) {
+    regressions.push({
+      type: "protection_removed",
+      severity: "high",
+      description: pr.description,
+      affectedId: pr.routeId,
+      details: { protectionType: pr.protectionType, file: pr.file, method: pr.method }
+    });
+  }
+  const baselineRoutes = new Set(groupByRoute(baseline.findings).keys());
+  const currentRoutes = new Set(groupByRoute(current.findings).keys());
+  const newlyUnprotectedRoutes = [];
+  for (const route of currentRoutes) {
+    if (!baselineRoutes.has(route)) {
+      newlyUnprotectedRoutes.push(route);
+    }
+  }
+  if (newlyUnprotectedRoutes.length > 0 && baseline.findings.length > 0) {
+    const coverageIncrease = newlyUnprotectedRoutes.length / Math.max(baselineRoutes.size, 1);
+    if (coverageIncrease > 0.1) {
+      regressions.push({
+        type: "coverage_decreased",
+        severity: "medium",
+        description: `${newlyUnprotectedRoutes.length} new routes have security findings (coverage decreased)`,
+        affectedId: "coverage",
+        details: {
+          previousRouteCount: baselineRoutes.size,
+          currentRouteCount: currentRoutes.size,
+          newlyAffectedRoutes: newlyUnprotectedRoutes.slice(0, 5)
+          // Limit to 5 for readability
+        }
+      });
+    }
+  }
+  const currentIndex = buildFingerprintIndex(current.findings);
+  const baselineIndex = buildFingerprintIndex(baseline.findings);
+  const baselineBySeverity = /* @__PURE__ */ new Map();
+  const currentBySeverity = /* @__PURE__ */ new Map();
+  for (const finding of baseline.findings) {
+    const key = finding.ruleId.replace(/-\d+$/, "");
+    const current2 = baselineBySeverity.get(key) || 0;
+    baselineBySeverity.set(key, Math.max(current2, SEVERITY_ORDER2[finding.severity]));
+  }
+  for (const finding of current.findings) {
+    const key = finding.ruleId.replace(/-\d+$/, "");
+    const curr = currentBySeverity.get(key) || 0;
+    currentBySeverity.set(key, Math.max(curr, SEVERITY_ORDER2[finding.severity]));
+  }
+  for (const [rulePrefix, currentMax] of currentBySeverity) {
+    const baselineMax = baselineBySeverity.get(rulePrefix) || 0;
+    if (currentMax > baselineMax && currentMax >= SEVERITY_ORDER2.high) {
+      const severityName = Object.entries(SEVERITY_ORDER2).find(([, v]) => v === currentMax)?.[0];
+      regressions.push({
+        type: "severity_group_increase",
+        severity: severityName,
+        description: `${rulePrefix} findings have increased to ${severityName} severity`,
+        affectedId: rulePrefix,
+        details: {
+          previousMaxSeverity: baselineMax,
+          currentMaxSeverity: currentMax
+        }
+      });
+    }
+  }
+  return regressions;
+}
+function hasProtectionRegressions(regression) {
+  return (regression.protectionRegressions?.length ?? 0) > 0;
+}
+function hasSemanticRegressions(regression) {
+  return (regression.semanticRegressions?.length ?? 0) > 0;
+}
 
 // ../policy/dist/evaluator.js
 function applyOverrides(finding, overrides) {
@@ -7257,6 +10325,11 @@ function computeSummaryCounts(processed, waivedFindings) {
     uploads: 0,
     hallucinations: 0,
     abuse: 0,
+    // Phase 4 categories
+    correlation: 0,
+    authorization: 0,
+    lifecycle: 0,
+    "supply-chain": 0,
     other: 0
   };
   for (const p of active) {
@@ -7400,6 +10473,52 @@ function evaluateRegression(regression, policy) {
       findingIds: regression.newFindings.map((f) => f.findingId)
     });
   }
+  if (hasProtectionRegressions(regression)) {
+    const protectionRegs = regression.protectionRegressions || [];
+    if (policy.failOnProtectionRemoved) {
+      status = "fail";
+      reasons.push({
+        status: "fail",
+        code: "protection_removed",
+        message: `${protectionRegs.length} route(s) lost protection coverage`,
+        details: {
+          regressions: protectionRegs.map((r) => ({
+            route: r.routeId,
+            protectionType: r.protectionType
+          }))
+        }
+      });
+    } else if (policy.warnOnProtectionRemoved && status === "pass") {
+      status = "warn";
+      reasons.push({
+        status: "warn",
+        code: "protection_removed",
+        message: `${protectionRegs.length} route(s) may have lost protection`,
+        details: {
+          regressions: protectionRegs.map((r) => ({
+            route: r.routeId,
+            protectionType: r.protectionType
+          }))
+        }
+      });
+    }
+  }
+  if (policy.failOnSemanticRegression && hasSemanticRegressions(regression)) {
+    const semanticRegs = regression.semanticRegressions || [];
+    status = "fail";
+    reasons.push({
+      status: "fail",
+      code: "semantic_regression",
+      message: `${semanticRegs.length} semantic regression(s) detected`,
+      details: {
+        regressions: semanticRegs.map((r) => ({
+          type: r.type,
+          severity: r.severity,
+          description: r.description
+        }))
+      }
+    });
+  }
   return { status, reasons };
 }
 function mergeStatus(a, b) {
@@ -8411,22 +11530,11 @@ var PLAN_FEATURES = {
     "abuse_classification",
     "architecture_maps",
     "signed_export"
-  ],
-  enterprise: [
-    "baseline",
-    "policy_customization",
-    "abuse_classification",
-    "architecture_maps",
-    "signed_export",
-    "sso",
-    "audit_logs",
-    "custom_rules"
   ]
 };
 var PLAN_NAMES = {
   free: "Free",
-  pro: "Pro",
-  enterprise: "Enterprise"
+  pro: "Pro"
 };
 function isDemoLicense(licenseId) {
   return licenseId.startsWith("demo-") || licenseId.startsWith("trial-");
@@ -8466,7 +11574,7 @@ function parseLicenseKey(licenseKey) {
     const [payloadB64, signature] = parts;
     const payloadJson = atob(payloadB64);
     const payload = JSON.parse(payloadJson);
-    if (!payload.id || !payload.plan || !payload.email || !payload.issuedAt) {
+    if (!payload.id || !payload.plan || !payload.issuedAt) {
       return null;
     }
     return { payload, signature };
@@ -8572,10 +11680,10 @@ function createLicense(options, privateKeyB64) {
     plan: options.plan,
     name: options.name,
     email: options.email,
+    customerId: options.customerId,
     issuedAt: now.toISOString(),
     expiresAt: options.expiresAt?.toISOString() ?? null,
-    features: allFeatures,
-    ...options.seats && { seats: options.seats }
+    features: allFeatures
   };
   const payloadJson = JSON.stringify(payload);
   const payloadB64 = Buffer.from(payloadJson).toString("base64");
@@ -9002,9 +12110,597 @@ async function keygenAction() {
   console.log();
 }
 
+// src/commands/verify-determinism.ts
+import path12 from "path";
+import crypto9 from "crypto";
+function normalizeArtifact(artifact) {
+  const normalized = JSON.parse(JSON.stringify(artifact));
+  normalized.generatedAt = "NORMALIZED";
+  if (normalized.metrics) {
+    normalized.metrics.scanDurationMs = 0;
+  }
+  if (normalized.findings) {
+    normalized.findings.sort((a, b) => a.fingerprint.localeCompare(b.fingerprint));
+  }
+  if (normalized.routeMap?.routes) {
+    normalized.routeMap.routes.sort((a, b) => a.routeId.localeCompare(b.routeId));
+  }
+  if (normalized.intentMap?.intents) {
+    normalized.intentMap.intents.sort((a, b) => a.intentId.localeCompare(b.intentId));
+  }
+  if (normalized.middlewareMap?.coverage) {
+    normalized.middlewareMap.coverage.sort((a, b) => a.routeId.localeCompare(b.routeId));
+  }
+  if (normalized.proofTraces) {
+    const sortedTraces = {};
+    for (const key of Object.keys(normalized.proofTraces).sort()) {
+      sortedTraces[key] = normalized.proofTraces[key];
+    }
+    normalized.proofTraces = sortedTraces;
+  }
+  return normalized;
+}
+function hashContent(content) {
+  return crypto9.createHash("sha256").update(content).digest("hex");
+}
+async function runScannersQuietly(context) {
+  const allFindings = [];
+  const seenFingerprints = /* @__PURE__ */ new Set();
+  for (const pack of ALL_SCANNER_PACKS) {
+    for (const scanner of pack.scanners) {
+      try {
+        const findings = await scanner(context);
+        for (const finding of findings) {
+          if (!seenFingerprints.has(finding.fingerprint)) {
+            seenFingerprints.add(finding.fingerprint);
+            allFindings.push(finding);
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  return allFindings;
+}
+function createArtifact2(findings, targetDir, durationMs, filesScanned) {
+  const summary = computeSummary(findings);
+  const gitInfo = getGitInfo(targetDir);
+  const name = getRepoName(targetDir);
+  return {
+    artifactVersion: ARTIFACT_VERSION,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: {
+      name: "vibecheck",
+      version: CLI_VERSION
+    },
+    repo: {
+      name,
+      rootPathHash: hashPath(targetDir),
+      git: gitInfo
+    },
+    summary,
+    findings,
+    metrics: {
+      filesScanned,
+      linesOfCode: 0,
+      scanDurationMs: durationMs,
+      rulesExecuted: ALL_SCANNERS.length
+    }
+  };
+}
+async function runScan(targetDir, runNumber, includeSarif) {
+  const startTime = Date.now();
+  const context = await buildScanContext(targetDir);
+  const findings = await runScannersQuietly(context);
+  const endTime = Date.now();
+  const durationMs = endTime - startTime;
+  const artifact = createArtifact2(
+    findings,
+    targetDir,
+    durationMs,
+    context.fileIndex.allSourceFiles.length
+  );
+  const normalizedArtifact = normalizeArtifact(artifact);
+  const jsonContent = JSON.stringify(normalizedArtifact, null, 2);
+  const jsonHash = hashContent(jsonContent);
+  const result = {
+    runNumber,
+    artifact,
+    jsonHash,
+    jsonContent,
+    durationMs
+  };
+  if (includeSarif) {
+    const sarifLog = toSarif(normalizedArtifact);
+    const sarifContent = sarifToJson(sarifLog);
+    result.sarifHash = hashContent(sarifContent);
+    result.sarifContent = sarifContent;
+  }
+  return result;
+}
+function compareRuns(run1, run2) {
+  const differences = [];
+  const jsonMatch = run1.jsonHash === run2.jsonHash;
+  let sarifMatch = true;
+  if (!jsonMatch) {
+    const json1 = JSON.parse(run1.jsonContent);
+    const json2 = JSON.parse(run2.jsonContent);
+    if (json1.summary?.totalFindings !== json2.summary?.totalFindings) {
+      differences.push(
+        `Finding count differs: run${run1.runNumber}=${json1.summary?.totalFindings}, run${run2.runNumber}=${json2.summary?.totalFindings}`
+      );
+    }
+    const fp1 = new Set((json1.findings || []).map((f) => f.fingerprint));
+    const fp2 = new Set((json2.findings || []).map((f) => f.fingerprint));
+    const onlyIn1 = [...fp1].filter((fp) => !fp2.has(fp));
+    const onlyIn2 = [...fp2].filter((fp) => !fp1.has(fp));
+    if (onlyIn1.length > 0) {
+      differences.push(`Fingerprints only in run${run1.runNumber}: ${onlyIn1.slice(0, 3).join(", ")}${onlyIn1.length > 3 ? "..." : ""}`);
+    }
+    if (onlyIn2.length > 0) {
+      differences.push(`Fingerprints only in run${run2.runNumber}: ${onlyIn2.slice(0, 3).join(", ")}${onlyIn2.length > 3 ? "..." : ""}`);
+    }
+    const routes1 = json1.routeMap?.routes?.length ?? 0;
+    const routes2 = json2.routeMap?.routes?.length ?? 0;
+    if (routes1 !== routes2) {
+      differences.push(`Route count differs: run${run1.runNumber}=${routes1}, run${run2.runNumber}=${routes2}`);
+    }
+  }
+  if (run1.sarifHash && run2.sarifHash) {
+    sarifMatch = run1.sarifHash === run2.sarifHash;
+    if (!sarifMatch) {
+      differences.push("SARIF output differs between runs");
+    }
+  }
+  return { jsonMatch, sarifMatch, differences };
+}
+function generateCertificate(targetDir, results, comparisons) {
+  const allJsonMatch = comparisons.every((c) => c.jsonMatch);
+  const allSarifMatch = comparisons.every((c) => c.sarifMatch);
+  const allDifferences = comparisons.flatMap((c) => c.differences);
+  return {
+    certified: allJsonMatch && allSarifMatch,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    targetPath: targetDir,
+    targetPathHash: hashPath(targetDir),
+    runs: results.length,
+    cliVersion: CLI_VERSION,
+    artifactVersion: ARTIFACT_VERSION,
+    totalFindings: results[0]?.artifact.summary.totalFindings ?? 0,
+    jsonHashes: results.map((r) => r.jsonHash),
+    sarifHashes: results[0]?.sarifHash ? results.map((r) => r.sarifHash) : void 0,
+    comparisonDetails: {
+      allJsonMatch,
+      allSarifMatch,
+      differences: allDifferences
+    },
+    runDurations: results.map((r) => r.durationMs)
+  };
+}
+function printCertificate(cert, verbose) {
+  const green = "\x1B[32m";
+  const red = "\x1B[31m";
+  const yellow = "\x1B[33m";
+  const cyan = "\x1B[36m";
+  const reset = "\x1B[0m";
+  const bold = "\x1B[1m";
+  console.log("\n" + "\u2550".repeat(70));
+  console.log(`${bold}DETERMINISM VERIFICATION REPORT${reset}`);
+  console.log("\u2550".repeat(70));
+  console.log(`
+${cyan}Target:${reset} ${cert.targetPath}`);
+  console.log(`${cyan}Runs:${reset} ${cert.runs}`);
+  console.log(`${cyan}CLI Version:${reset} ${cert.cliVersion}`);
+  console.log(`${cyan}Total Findings:${reset} ${cert.totalFindings}`);
+  console.log(`
+${bold}Run Durations:${reset}`);
+  for (let i = 0; i < cert.runDurations.length; i++) {
+    console.log(`  Run ${i + 1}: ${cert.runDurations[i]}ms`);
+  }
+  const avgDuration = Math.round(cert.runDurations.reduce((a, b) => a + b, 0) / cert.runDurations.length);
+  console.log(`  Average: ${avgDuration}ms`);
+  console.log(`
+${bold}JSON Output Hashes:${reset}`);
+  for (let i = 0; i < cert.jsonHashes.length; i++) {
+    const hash = cert.jsonHashes[i];
+    const match = i === 0 || hash === cert.jsonHashes[0];
+    const icon = match ? `${green}\u2713${reset}` : `${red}\u2717${reset}`;
+    console.log(`  Run ${i + 1}: ${hash.slice(0, 16)}... ${icon}`);
+  }
+  if (cert.sarifHashes) {
+    console.log(`
+${bold}SARIF Output Hashes:${reset}`);
+    for (let i = 0; i < cert.sarifHashes.length; i++) {
+      const hash = cert.sarifHashes[i];
+      const match = i === 0 || hash === cert.sarifHashes[0];
+      const icon = match ? `${green}\u2713${reset}` : `${red}\u2717${reset}`;
+      console.log(`  Run ${i + 1}: ${hash.slice(0, 16)}... ${icon}`);
+    }
+  }
+  if (cert.comparisonDetails.differences.length > 0 && verbose) {
+    console.log(`
+${bold}${yellow}Differences Detected:${reset}`);
+    for (const diff of cert.comparisonDetails.differences) {
+      console.log(`  ${red}\u2022${reset} ${diff}`);
+    }
+  }
+  console.log("\n" + "\u2500".repeat(70));
+  if (cert.certified) {
+    console.log(`${bold}${green}\u2713 DETERMINISM CERTIFIED${reset}`);
+    console.log(`${green}All ${cert.runs} runs produced identical output.${reset}`);
+  } else {
+    console.log(`${bold}${red}\u2717 DETERMINISM VERIFICATION FAILED${reset}`);
+    console.log(`${red}Output differs between runs. See differences above.${reset}`);
+  }
+  console.log("\u2500".repeat(70) + "\n");
+}
+async function executeVerifyDeterminism(targetDir, options) {
+  const absoluteTarget = resolvePath(targetDir);
+  const { runs, sarif, out, verbose } = options;
+  if (runs < 2) {
+    console.error("\x1B[31mError: --runs must be at least 2\x1B[0m");
+    return 1;
+  }
+  console.log(`
+\x1B[36m\x1B[1mVibeCheck Determinism Verification\x1B[0m`);
+  console.log(`\x1B[90mTarget: ${absoluteTarget}\x1B[0m`);
+  console.log(`\x1B[90mRuns: ${runs}${sarif ? " (including SARIF)" : ""}\x1B[0m
+`);
+  const results = [];
+  for (let i = 1; i <= runs; i++) {
+    const spinner2 = new Spinner(`Running scan ${i}/${runs}`);
+    spinner2.start();
+    try {
+      const result = await runScan(absoluteTarget, i, sarif);
+      results.push(result);
+      spinner2.succeed(`Run ${i}/${runs} complete (${result.durationMs}ms, ${result.artifact.summary.totalFindings} findings)`);
+    } catch (error) {
+      spinner2.fail(`Run ${i}/${runs} failed: ${error instanceof Error ? error.message : String(error)}`);
+      return 1;
+    }
+  }
+  const spinner = new Spinner("Comparing outputs");
+  spinner.start();
+  const comparisons = [];
+  for (let i = 1; i < results.length; i++) {
+    const comparison = compareRuns(results[0], results[i]);
+    comparisons.push(comparison);
+  }
+  spinner.succeed("Comparison complete");
+  const certificate = generateCertificate(absoluteTarget, results, comparisons);
+  printCertificate(certificate, verbose);
+  if (out) {
+    const outPath = resolvePath(out);
+    ensureDir(path12.dirname(outPath));
+    const certPath = outPath.endsWith(".json") ? outPath : path12.join(outPath, "determinism-cert.json");
+    writeFileSync(certPath, JSON.stringify(certificate, null, 2));
+    console.log(`Certificate written to: ${certPath}
+`);
+  }
+  return certificate.certified ? 0 : 1;
+}
+function registerVerifyDeterminismCommand(program2) {
+  program2.command("verify-determinism [target]").description("Verify scan output is deterministic across multiple runs").option(
+    "-n, --runs <number>",
+    "Number of runs to perform",
+    (v) => parseInt(v, 10),
+    3
+  ).option("--sarif", "Include SARIF output in verification").option("-o, --out <path>", "Output path for certificate JSON").option("-v, --verbose", "Show detailed differences").addHelpText(
+    "after",
+    `
+Examples:
+  $ vibecheck verify-determinism                     Verify current directory with 3 runs
+  $ vibecheck verify-determinism ./my-app            Verify specific directory
+  $ vibecheck verify-determinism --runs 5            Run 5 verification passes
+  $ vibecheck verify-determinism --sarif             Include SARIF in verification
+  $ vibecheck verify-determinism -o ./cert.json      Write certificate to file
+  $ vibecheck verify-determinism -v                  Show detailed differences on failure
+
+What it does:
+  1. Runs the scanner N times on the target directory
+  2. Normalizes output (removes timestamps, sorts arrays)
+  3. Computes SHA-256 hash of each output
+  4. Compares hashes to verify determinism
+  5. Generates a certification report
+  6. Exits 0 if deterministic, 1 if not
+`
+  ).action(async (positionalTarget, cmdOptions) => {
+    const targetDir = positionalTarget ?? process.cwd();
+    const options = {
+      runs: cmdOptions.runs,
+      sarif: Boolean(cmdOptions.sarif),
+      out: cmdOptions.out,
+      verbose: Boolean(cmdOptions.verbose)
+    };
+    const exitCode = await executeVerifyDeterminism(targetDir, options);
+    process.exit(exitCode);
+  });
+}
+
+// src/commands/badge.ts
+import path13 from "path";
+var COLORS = {
+  brightgreen: "#4c1",
+  green: "#97ca00",
+  yellow: "#dfb317",
+  orange: "#fe7d37",
+  red: "#e05d44",
+  blue: "#007ec6",
+  gray: "#555"
+};
+function textWidth(text) {
+  let width = 0;
+  for (const char of text) {
+    if ("1iltfj".includes(char)) {
+      width += 4;
+    } else if ("MWmw".includes(char)) {
+      width += 9;
+    } else if ("ABCDEFGHIJKLNOPQRSTUVXYZ".includes(char)) {
+      width += 7;
+    } else {
+      width += 6;
+    }
+  }
+  return width;
+}
+function generateSvgBadge(data, style) {
+  const { label, message, color } = data;
+  const labelWidth = textWidth(label) + 10;
+  const messageWidth = textWidth(message) + 10;
+  const totalWidth = labelWidth + messageWidth;
+  const height = 20;
+  const labelX = labelWidth / 2;
+  const messageX = labelWidth + messageWidth / 2;
+  const colorHex = COLORS[color];
+  const labelColor = "#555";
+  const radius = style === "flat" ? 3 : 0;
+  const svg = `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="${height}" role="img" aria-label="${label}: ${message}">
+  <title>${label}: ${message}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r">
+    <rect width="${totalWidth}" height="${height}" rx="${radius}" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${labelWidth}" height="${height}" fill="${labelColor}"/>
+    <rect x="${labelWidth}" width="${messageWidth}" height="${height}" fill="${colorHex}"/>
+    <rect width="${totalWidth}" height="${height}" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="11">
+    <text x="${labelX}" y="14" fill="#010101" fill-opacity=".3">${escapeXml(label)}</text>
+    <text x="${labelX}" y="13" fill="#fff">${escapeXml(label)}</text>
+    <text x="${messageX}" y="14" fill="#010101" fill-opacity=".3">${escapeXml(message)}</text>
+    <text x="${messageX}" y="13" fill="#fff">${escapeXml(message)}</text>
+  </g>
+</svg>`;
+  return svg;
+}
+function escapeXml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function generateScanStatusBadge(artifact) {
+  const { summary } = artifact;
+  const hasCritical = summary.bySeverity.critical > 0;
+  const hasHigh = summary.bySeverity.high > 0;
+  let message;
+  let color;
+  if (hasCritical) {
+    message = "CRITICAL";
+    color = "red";
+  } else if (hasHigh) {
+    message = "HIGH";
+    color = "orange";
+  } else if (summary.totalFindings > 0) {
+    message = "PASS";
+    color = "yellow";
+  } else {
+    message = "PASS";
+    color = "brightgreen";
+  }
+  return {
+    label: "vibecheck",
+    message,
+    color,
+    filename: "vibecheck-status.svg"
+  };
+}
+function generateFindingsCountBadge(artifact) {
+  const { summary } = artifact;
+  const count = summary.totalFindings;
+  let color;
+  if (count === 0) {
+    color = "brightgreen";
+  } else if (summary.bySeverity.critical > 0) {
+    color = "red";
+  } else if (summary.bySeverity.high > 0) {
+    color = "orange";
+  } else if (summary.bySeverity.medium > 0) {
+    color = "yellow";
+  } else {
+    color = "green";
+  }
+  return {
+    label: "findings",
+    message: count.toString(),
+    color,
+    filename: "vibecheck-findings.svg"
+  };
+}
+function generateCoverageBadge(artifact) {
+  const metrics = artifact.metrics;
+  if (!metrics?.authCoverage) {
+    return null;
+  }
+  const { totalStateChanging, protectedCount } = metrics.authCoverage;
+  if (totalStateChanging === 0) {
+    return null;
+  }
+  const percentage = Math.round(protectedCount / totalStateChanging * 100);
+  let color;
+  if (percentage >= 90) {
+    color = "brightgreen";
+  } else if (percentage >= 70) {
+    color = "green";
+  } else if (percentage >= 50) {
+    color = "yellow";
+  } else if (percentage >= 30) {
+    color = "orange";
+  } else {
+    color = "red";
+  }
+  return {
+    label: "auth coverage",
+    message: `${percentage}%`,
+    color,
+    filename: "vibecheck-coverage.svg"
+  };
+}
+function generateSeverityBadge(artifact) {
+  const { summary } = artifact;
+  const parts = [];
+  if (summary.bySeverity.critical > 0) {
+    parts.push(`${summary.bySeverity.critical}C`);
+  }
+  if (summary.bySeverity.high > 0) {
+    parts.push(`${summary.bySeverity.high}H`);
+  }
+  if (summary.bySeverity.medium > 0) {
+    parts.push(`${summary.bySeverity.medium}M`);
+  }
+  if (summary.bySeverity.low > 0) {
+    parts.push(`${summary.bySeverity.low}L`);
+  }
+  const message = parts.length > 0 ? parts.join(" ") : "clean";
+  let color;
+  if (summary.bySeverity.critical > 0) {
+    color = "red";
+  } else if (summary.bySeverity.high > 0) {
+    color = "orange";
+  } else if (summary.bySeverity.medium > 0) {
+    color = "yellow";
+  } else if (summary.bySeverity.low > 0) {
+    color = "green";
+  } else {
+    color = "brightgreen";
+  }
+  return {
+    label: "severity",
+    message,
+    color,
+    filename: "vibecheck-severity.svg"
+  };
+}
+function generateScoreBadge(artifact) {
+  const { summary } = artifact;
+  const score = Math.max(
+    0,
+    100 - (summary.bySeverity.critical * 25 + summary.bySeverity.high * 10 + summary.bySeverity.medium * 3 + summary.bySeverity.low * 1)
+  );
+  let color;
+  if (score >= 90) {
+    color = "brightgreen";
+  } else if (score >= 70) {
+    color = "green";
+  } else if (score >= 50) {
+    color = "yellow";
+  } else if (score >= 30) {
+    color = "orange";
+  } else {
+    color = "red";
+  }
+  return {
+    label: "security score",
+    message: `${score}/100`,
+    color,
+    filename: "vibecheck-score.svg"
+  };
+}
+async function executeBadge(options) {
+  const { artifact: artifactPath, out, style } = options;
+  const absoluteArtifactPath = resolvePath(artifactPath);
+  const content = readFileSync(absoluteArtifactPath);
+  if (!content) {
+    console.error(`\x1B[31mError: Cannot read artifact file: ${absoluteArtifactPath}\x1B[0m`);
+    return 1;
+  }
+  let artifact;
+  try {
+    const json = JSON.parse(content);
+    artifact = validateArtifact(json);
+  } catch (error) {
+    console.error(`\x1B[31mError: Invalid artifact file: ${error instanceof Error ? error.message : String(error)}\x1B[0m`);
+    return 1;
+  }
+  const absoluteOutPath = resolvePath(out);
+  ensureDir(absoluteOutPath);
+  console.log(`
+\x1B[36m\x1B[1mVibeCheck Badge Generator\x1B[0m`);
+  console.log(`\x1B[90mArtifact: ${absoluteArtifactPath}\x1B[0m`);
+  console.log(`\x1B[90mOutput: ${absoluteOutPath}\x1B[0m
+`);
+  const badges = [
+    generateScanStatusBadge(artifact),
+    generateFindingsCountBadge(artifact),
+    generateSeverityBadge(artifact),
+    generateScoreBadge(artifact)
+  ];
+  const coverageBadge = generateCoverageBadge(artifact);
+  if (coverageBadge) {
+    badges.push(coverageBadge);
+  }
+  const writtenFiles = [];
+  for (const badge of badges) {
+    const svg = generateSvgBadge(badge, style);
+    const filePath = path13.join(absoluteOutPath, badge.filename);
+    writeFileSync(filePath, svg);
+    writtenFiles.push(filePath);
+    console.log(`  \x1B[32m\u2713\x1B[0m ${badge.filename} (${badge.label}: ${badge.message})`);
+  }
+  console.log(`
+\x1B[32m${writtenFiles.length} badges generated\x1B[0m
+`);
+  console.log(`\x1B[90mUsage in README.md:\x1B[0m`);
+  console.log(`  ![VibeCheck Status](${path13.basename(absoluteOutPath)}/vibecheck-status.svg)`);
+  console.log(`  ![VibeCheck Score](${path13.basename(absoluteOutPath)}/vibecheck-score.svg)
+`);
+  return 0;
+}
+function registerBadgeCommand(program2) {
+  program2.command("badge").description("Generate static SVG badges from scan artifact").requiredOption("-a, --artifact <file>", "Input artifact JSON file").option("-o, --out <dir>", "Output directory for badges", "./badges").option("--style <style>", "Badge style: flat, flat-square", "flat").addHelpText(
+    "after",
+    `
+Examples:
+  $ vibecheck badge --artifact scan.json               Generate badges in ./badges
+  $ vibecheck badge -a scan.json -o ./docs/badges      Custom output directory
+  $ vibecheck badge -a scan.json --style flat-square   Flat-square style
+
+Generated badges:
+  vibecheck-status.svg   - PASS/FAIL status based on critical/high findings
+  vibecheck-findings.svg - Total findings count
+  vibecheck-severity.svg - Severity breakdown (e.g., "2C 5H 10M")
+  vibecheck-score.svg    - Security score (0-100)
+  vibecheck-coverage.svg - Auth coverage percentage (if available)
+
+Usage in README:
+  ![VibeCheck Status](./badges/vibecheck-status.svg)
+  ![Security Score](./badges/vibecheck-score.svg)
+`
+  ).action(async (cmdOptions) => {
+    const options = {
+      artifact: cmdOptions.artifact,
+      out: cmdOptions.out,
+      style: cmdOptions.style ?? "flat"
+    };
+    const exitCode = await executeBadge(options);
+    process.exit(exitCode);
+  });
+}
+
 // src/index.ts
 var program = new Command();
-program.name("vibecheck").description("Security scanner for modern web applications").version("0.0.1");
+program.name("vibecheck").description("Security scanner for modern web applications").version(CLI_VERSION);
 registerScanCommand(program);
 registerExplainCommand(program);
 registerDemoArtifactCommand(program);
@@ -9013,4 +12709,9 @@ registerEvaluateCommand(program);
 registerWaiversCommand(program);
 registerViewCommand(program);
 registerLicenseCommand(program);
+registerVerifyDeterminismCommand(program);
+registerBadgeCommand(program);
 program.parse();
+export {
+  CLI_VERSION
+};