@quantracode/vibecheck 0.3.3 → 0.4.1

package/dist/index.js

@@ -10,7 +10,7 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 import { Command } from "commander";
 
 // src/commands/scan.ts
-import path8 from "path";
+import path9 from "path";
 
 // ../schema/dist/schemas/claim.js
 import { z } from "zod";
@@ -296,189 +296,301 @@ var SupplyChainInfoSchema = z5.object({
   })
 });
 
-// ../schema/dist/schemas/artifact.js
+// ../schema/dist/schemas/custom-rule.js
 import { z as z6 } from "zod";
+var FileTypeSchema = z6.enum([
+  "ts",
+  "tsx",
+  "js",
+  "jsx",
+  "json",
+  "env",
+  "yaml",
+  "yml",
+  "md",
+  "config",
+  "any"
+]);
+var MatchConditionSchema = z6.object({
+  /** String or regex pattern to search for */
+  contains: z6.string().optional(),
+  /** Pattern that should NOT be present (for checking missing security controls) */
+  not_contains: z6.string().optional(),
+  /** Regex pattern to match (advanced) */
+  regex: z6.string().optional(),
+  /** Require the match to be case-sensitive (default: false) */
+  case_sensitive: z6.boolean().optional().default(false),
+  /** Require ALL conditions to match (default: true for contains, false for not_contains) */
+  all_must_match: z6.boolean().optional()
+});
+var FileFilterSchema = z6.object({
+  /** File types to include (e.g., ["ts", "js"]) */
+  file_type: z6.array(FileTypeSchema).optional(),
+  /** Glob patterns to include */
+  include: z6.array(z6.string()).optional(),
+  /** Glob patterns to exclude */
+  exclude: z6.array(z6.string()).optional(),
+  /** Only match files in specific directories */
+  directories: z6.array(z6.string()).optional()
+});
+var ContextConditionSchema = z6.object({
+  /** Match only in specific function/handler types */
+  in_function: z6.array(z6.enum([
+    "GET",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "route_handler",
+    "middleware",
+    "any"
+  ])).optional(),
+  /** Require presence of imports */
+  requires_import: z6.array(z6.string()).optional(),
+  /** Exclude if imports are present */
+  excludes_import: z6.array(z6.string()).optional(),
+  /** Only match if file contains certain keywords */
+  file_contains: z6.array(z6.string()).optional(),
+  /** Only match if file does NOT contain certain keywords */
+  file_not_contains: z6.array(z6.string()).optional()
+});
+var CustomRuleSchema = z6.object({
+  /** Unique rule identifier (e.g., "VC-CUSTOM-001" or "MY-RULE-001") */
+  id: z6.string().regex(/^[A-Z]+-[A-Z]+-\d{3,}$/, {
+    message: "Rule ID must match pattern XXX-XXX-000 (e.g., VC-CUSTOM-001)"
+  }),
+  /** Rule version for tracking updates */
+  version: z6.string().optional().default("1.0.0"),
+  /** Severity level */
+  severity: SeveritySchema,
+  /** Confidence score (0.0 - 1.0) */
+  confidence: z6.number().min(0).max(1).default(0.8),
+  /** Category */
+  category: CategorySchema,
+  /** Human-readable title */
+  title: z6.string().min(1),
+  /** Detailed description of the security issue */
+  description: z6.string().min(1),
+  /** File filters to limit where the rule applies */
+  files: FileFilterSchema.optional(),
+  /** Match conditions - what to look for */
+  match: MatchConditionSchema,
+  /** Context conditions for more sophisticated matching */
+  context: ContextConditionSchema.optional(),
+  /** Recommended fix explanation */
+  recommended_fix: z6.string(),
+  /** Optional code patch in unified diff format */
+  patch: z6.string().optional(),
+  /** Reference links */
+  links: z6.object({
+    owasp: z6.string().url().optional(),
+    cwe: z6.string().url().optional(),
+    documentation: z6.string().url().optional()
+  }).optional(),
+  /** Optional metadata */
+  metadata: z6.object({
+    /** Author of the rule */
+    author: z6.string().optional(),
+    /** Tags for categorization */
+    tags: z6.array(z6.string()).optional(),
+    /** Creation date */
+    created: z6.string().optional(),
+    /** Last updated date */
+    updated: z6.string().optional()
+  }).optional(),
+  /** Whether the rule is enabled (default: true) */
+  enabled: z6.boolean().optional().default(true)
+});
+var CustomRuleCollectionSchema = z6.object({
+  /** Schema version */
+  schema_version: z6.string().optional().default("1.0"),
+  /** Array of rules */
+  rules: z6.array(CustomRuleSchema)
+});
+
+// ../schema/dist/schemas/artifact.js
+import { z as z7 } from "zod";
 var ARTIFACT_VERSION = "0.3";
 var SUPPORTED_VERSIONS = ["0.1", "0.2", "0.3"];
-var ArtifactVersionSchema = z6.enum(SUPPORTED_VERSIONS);
-var ToolInfoSchema = z6.object({
-  name: z6.string(),
-  version: z6.string()
+var ArtifactVersionSchema = z7.enum(SUPPORTED_VERSIONS);
+var ToolInfoSchema = z7.object({
+  name: z7.string(),
+  version: z7.string()
 });
-var GitInfoSchema = z6.object({
-  branch: z6.string().optional(),
-  commit: z6.string().optional(),
-  remoteUrl: z6.string().optional(),
-  isDirty: z6.boolean().optional()
+var GitInfoSchema = z7.object({
+  branch: z7.string().optional(),
+  commit: z7.string().optional(),
+  remoteUrl: z7.string().optional(),
+  isDirty: z7.boolean().optional()
 });
-var RepoInfoSchema = z6.object({
-  name: z6.string(),
-  rootPathHash: z6.string(),
+var RepoInfoSchema = z7.object({
+  name: z7.string(),
+  rootPathHash: z7.string(),
   git: GitInfoSchema.optional()
 });
-var SeverityCountsSchema = z6.object({
-  critical: z6.number().int().nonnegative(),
-  high: z6.number().int().nonnegative(),
-  medium: z6.number().int().nonnegative(),
-  low: z6.number().int().nonnegative(),
-  info: z6.number().int().nonnegative()
+var SeverityCountsSchema = z7.object({
+  critical: z7.number().int().nonnegative(),
+  high: z7.number().int().nonnegative(),
+  medium: z7.number().int().nonnegative(),
+  low: z7.number().int().nonnegative(),
+  info: z7.number().int().nonnegative()
 });
-var CategoryCountsSchema = z6.object({
-  auth: z6.number().int().nonnegative(),
-  validation: z6.number().int().nonnegative(),
-  middleware: z6.number().int().nonnegative(),
-  secrets: z6.number().int().nonnegative(),
-  injection: z6.number().int().nonnegative(),
-  privacy: z6.number().int().nonnegative(),
-  config: z6.number().int().nonnegative(),
-  network: z6.number().int().nonnegative(),
-  crypto: z6.number().int().nonnegative(),
-  uploads: z6.number().int().nonnegative(),
-  hallucinations: z6.number().int().nonnegative(),
-  abuse: z6.number().int().nonnegative(),
+var CategoryCountsSchema = z7.object({
+  auth: z7.number().int().nonnegative(),
+  validation: z7.number().int().nonnegative(),
+  middleware: z7.number().int().nonnegative(),
+  secrets: z7.number().int().nonnegative(),
+  injection: z7.number().int().nonnegative(),
+  privacy: z7.number().int().nonnegative(),
+  config: z7.number().int().nonnegative(),
+  network: z7.number().int().nonnegative(),
+  crypto: z7.number().int().nonnegative(),
+  uploads: z7.number().int().nonnegative(),
+  hallucinations: z7.number().int().nonnegative(),
+  abuse: z7.number().int().nonnegative(),
   // Phase 4 categories
-  correlation: z6.number().int().nonnegative(),
-  authorization: z6.number().int().nonnegative(),
-  lifecycle: z6.number().int().nonnegative(),
-  "supply-chain": z6.number().int().nonnegative(),
-  other: z6.number().int().nonnegative()
+  correlation: z7.number().int().nonnegative(),
+  authorization: z7.number().int().nonnegative(),
+  lifecycle: z7.number().int().nonnegative(),
+  "supply-chain": z7.number().int().nonnegative(),
+  other: z7.number().int().nonnegative()
 });
-var SummarySchema = z6.object({
-  totalFindings: z6.number().int().nonnegative(),
+var SummarySchema = z7.object({
+  totalFindings: z7.number().int().nonnegative(),
   bySeverity: SeverityCountsSchema,
   byCategory: CategoryCountsSchema
 });
-var RouteEntrySchema = z6.object({
-  routeId: z6.string(),
-  method: z6.string(),
-  path: z6.string(),
-  handler: z6.string().optional(),
-  file: z6.string(),
-  startLine: z6.number().int().positive().optional(),
-  endLine: z6.number().int().positive().optional(),
-  handlerSymbol: z6.string().optional(),
+var RouteEntrySchema = z7.object({
+  routeId: z7.string(),
+  method: z7.string(),
+  path: z7.string(),
+  handler: z7.string().optional(),
+  file: z7.string(),
+  startLine: z7.number().int().positive().optional(),
+  endLine: z7.number().int().positive().optional(),
+  handlerSymbol: z7.string().optional(),
   // Deprecated: for backward compat with 0.1
-  line: z6.number().int().positive().optional(),
-  middleware: z6.array(z6.string()).optional()
+  line: z7.number().int().positive().optional(),
+  middleware: z7.array(z7.string()).optional()
 });
-var MiddlewareCoverageEntrySchema = z6.object({
-  routeId: z6.string(),
-  covered: z6.boolean(),
-  reason: z6.string().optional()
+var MiddlewareCoverageEntrySchema = z7.object({
+  routeId: z7.string(),
+  covered: z7.boolean(),
+  reason: z7.string().optional()
 });
-var MiddlewareEntrySchema = z6.object({
-  name: z6.string().optional(),
-  file: z6.string(),
-  line: z6.number().int().positive().optional(),
-  matcher: z6.array(z6.string()).optional(),
-  appliesTo: z6.array(z6.string()).optional()
+var MiddlewareEntrySchema = z7.object({
+  name: z7.string().optional(),
+  file: z7.string(),
+  line: z7.number().int().positive().optional(),
+  matcher: z7.array(z7.string()).optional(),
+  appliesTo: z7.array(z7.string()).optional()
 });
-var MiddlewareMapSchema = z6.object({
-  middlewareFile: z6.string().optional(),
-  matcher: z6.array(z6.string()),
-  coverage: z6.array(MiddlewareCoverageEntrySchema)
+var MiddlewareMapSchema = z7.object({
+  middlewareFile: z7.string().optional(),
+  matcher: z7.array(z7.string()),
+  coverage: z7.array(MiddlewareCoverageEntrySchema)
 });
-var IntentEntrySchema = z6.object({
-  intentId: z6.string(),
+var IntentEntrySchema = z7.object({
+  intentId: z7.string(),
   type: ClaimTypeSchema,
   scope: ClaimScopeSchema,
-  targetRouteId: z6.string().optional(),
+  targetRouteId: z7.string().optional(),
   source: ClaimSourceSchema,
-  location: z6.object({
-    file: z6.string(),
-    startLine: z6.number().int().positive(),
-    endLine: z6.number().int().positive()
+  location: z7.object({
+    file: z7.string(),
+    startLine: z7.number().int().positive(),
+    endLine: z7.number().int().positive()
   }),
   strength: ClaimStrengthSchema,
-  textEvidence: z6.string()
+  textEvidence: z7.string()
 });
-var IntentMapSchema = z6.object({
-  intents: z6.array(IntentEntrySchema)
+var IntentMapSchema = z7.object({
+  intents: z7.array(IntentEntrySchema)
 });
-var RouteMapSchema = z6.object({
-  routes: z6.array(RouteEntrySchema)
+var RouteMapSchema = z7.object({
+  routes: z7.array(RouteEntrySchema)
 });
-var CoverageMetricsSchema = z6.object({
-  authCoverage: z6.object({
-    totalStateChanging: z6.number().int().nonnegative(),
-    protectedCount: z6.number().int().nonnegative(),
-    unprotectedCount: z6.number().int().nonnegative()
+var CoverageMetricsSchema = z7.object({
+  authCoverage: z7.object({
+    totalStateChanging: z7.number().int().nonnegative(),
+    protectedCount: z7.number().int().nonnegative(),
+    unprotectedCount: z7.number().int().nonnegative()
   }).optional(),
-  validationCoverage: z6.object({
-    totalStateChanging: z6.number().int().nonnegative(),
-    validatedCount: z6.number().int().nonnegative()
+  validationCoverage: z7.object({
+    totalStateChanging: z7.number().int().nonnegative(),
+    validatedCount: z7.number().int().nonnegative()
   }).optional(),
-  middlewareCoverage: z6.object({
-    totalApiRoutes: z6.number().int().nonnegative(),
-    coveredApiRoutes: z6.number().int().nonnegative()
+  middlewareCoverage: z7.object({
+    totalApiRoutes: z7.number().int().nonnegative(),
+    coveredApiRoutes: z7.number().int().nonnegative()
   }).optional()
 });
-var MetricsSchema = z6.object({
-  filesScanned: z6.number().int().nonnegative(),
-  linesOfCode: z6.number().int().nonnegative(),
-  scanDurationMs: z6.number().nonnegative(),
-  rulesExecuted: z6.number().int().nonnegative()
+var MetricsSchema = z7.object({
+  filesScanned: z7.number().int().nonnegative(),
+  linesOfCode: z7.number().int().nonnegative(),
+  scanDurationMs: z7.number().nonnegative(),
+  rulesExecuted: z7.number().int().nonnegative()
 }).merge(CoverageMetricsSchema);
-var CIMetadataSchema = z6.object({
+var CIMetadataSchema = z7.object({
   /** Security score (0-100) */
-  securityScore: z6.number().int().min(0).max(100),
+  securityScore: z7.number().int().min(0).max(100),
   /** Overall status for CI badge */
-  status: z6.enum(["pass", "warn", "fail"]),
+  status: z7.enum(["pass", "warn", "fail"]),
   /** Badge generation timestamp */
-  badgeGeneratedAt: z6.string().datetime().optional(),
+  badgeGeneratedAt: z7.string().datetime().optional(),
   /** SHA-256 hash for determinism certification */
-  artifactHash: z6.string().optional(),
+  artifactHash: z7.string().optional(),
   /** Whether artifact passed determinism certification */
-  deterministicCertified: z6.boolean().optional()
+  deterministicCertified: z7.boolean().optional()
 });
-var CorrelationSummarySchema = z6.object({
+var CorrelationSummarySchema = z7.object({
   /** Total number of correlation findings generated */
-  totalCorrelations: z6.number().int().nonnegative(),
+  totalCorrelations: z7.number().int().nonnegative(),
   /** Count by correlation pattern */
-  byPattern: z6.record(z6.string(), z6.number().int().nonnegative()),
+  byPattern: z7.record(z7.string(), z7.number().int().nonnegative()),
   /** Correlation pass duration in ms */
-  correlationDurationMs: z6.number().nonnegative().optional()
+  correlationDurationMs: z7.number().nonnegative().optional()
 });
-var GraphNodeSchema = z6.object({
-  id: z6.string(),
-  type: z6.enum(["route", "middleware", "finding", "intent", "function"]),
-  label: z6.string(),
-  file: z6.string().optional(),
-  line: z6.number().int().positive().optional(),
-  metadata: z6.record(z6.string(), z6.unknown()).optional()
+var GraphNodeSchema = z7.object({
+  id: z7.string(),
+  type: z7.enum(["route", "middleware", "finding", "intent", "function"]),
+  label: z7.string(),
+  file: z7.string().optional(),
+  line: z7.number().int().positive().optional(),
+  metadata: z7.record(z7.string(), z7.unknown()).optional()
 });
-var GraphEdgeSchema = z6.object({
-  source: z6.string(),
-  target: z6.string(),
-  type: z6.enum(["calls", "protects", "validates", "correlates", "references"]),
-  label: z6.string().optional()
+var GraphEdgeSchema = z7.object({
+  source: z7.string(),
+  target: z7.string(),
+  type: z7.enum(["calls", "protects", "validates", "correlates", "references"]),
+  label: z7.string().optional()
 });
-var ProofTraceGraphSchema = z6.object({
-  nodes: z6.array(GraphNodeSchema),
-  edges: z6.array(GraphEdgeSchema)
+var ProofTraceGraphSchema = z7.object({
+  nodes: z7.array(GraphNodeSchema),
+  edges: z7.array(GraphEdgeSchema)
 });
-var ScanArtifactSchema = z6.object({
+var ScanArtifactSchema = z7.object({
   artifactVersion: ArtifactVersionSchema,
-  generatedAt: z6.string().datetime(),
+  generatedAt: z7.string().datetime(),
   tool: ToolInfoSchema,
   repo: RepoInfoSchema.optional(),
   summary: SummarySchema,
-  findings: z6.array(FindingSchema),
+  findings: z7.array(FindingSchema),
   // Phase 3: Enhanced maps
-  routeMap: z6.union([
-    z6.array(RouteEntrySchema),
+  routeMap: z7.union([
+    z7.array(RouteEntrySchema),
     // Legacy format (0.1)
     RouteMapSchema
     // New format (0.2)
   ]).optional(),
-  middlewareMap: z6.union([
-    z6.array(MiddlewareEntrySchema),
+  middlewareMap: z7.union([
+    z7.array(MiddlewareEntrySchema),
     // Legacy format (0.1)
     MiddlewareMapSchema
     // New format (0.2)
   ]).optional(),
   intentMap: IntentMapSchema.optional(),
-  proofTraces: z6.record(z6.string(), ProofTraceSchema).optional(),
+  proofTraces: z7.record(z7.string(), ProofTraceSchema).optional(),
   metrics: MetricsSchema.optional(),
   // Phase 4: Supply chain analysis
   supplyChainInfo: SupplyChainInfoSchema.optional(),
@@ -547,7 +659,7 @@ function validateArtifact(json) {
 }
 
 // src/constants.ts
-var CLI_VERSION = "0.3.2";
+var CLI_VERSION = "0.4.1";
 
 // src/utils/file-utils.ts
 import fs from "fs";
@@ -656,6 +768,601 @@ function getRepoName(cwd) {
   return path2.basename(cwd);
 }
 
+// src/utils/apply-patches.ts
+import { readFile, writeFile } from "fs/promises";
+import { existsSync } from "fs";
+import path3 from "path";
+import readline from "readline";
+function isUnifiedDiff(patch) {
+  const lines = patch.trim().split("\n");
+  return lines.some(
+    (line) => line.startsWith("--- ") || line.startsWith("+++ ") || line.startsWith("@@ ")
+  );
+}
+async function applyUnifiedDiff(filePath, patch, baseDir) {
+  try {
+    const absolutePath = path3.isAbsolute(filePath) ? filePath : path3.resolve(baseDir, filePath);
+    if (!existsSync(absolutePath)) {
+      return {
+        success: false,
+        error: `File not found: ${filePath}`
+      };
+    }
+    const content = await readFile(absolutePath, "utf-8");
+    const lines = content.split("\n");
+    const patchLines = patch.split("\n");
+    let currentLine = 0;
+    let inHunk = false;
+    let hunkStartLine = 0;
+    const newLines = [];
+    for (const patchLine of patchLines) {
+      if (patchLine.startsWith("--- ") || patchLine.startsWith("+++ ")) {
+        continue;
+      }
+      if (patchLine.startsWith("@@ ")) {
+        const match = patchLine.match(/@@ -(\d+),?\d* \+(\d+),?\d* @@/);
+        if (match) {
+          hunkStartLine = parseInt(match[1], 10) - 1;
+          while (currentLine < hunkStartLine) {
+            newLines.push(lines[currentLine]);
+            currentLine++;
+          }
+          inHunk = true;
+        }
+        continue;
+      }
+      if (inHunk) {
+        if (patchLine.startsWith("-")) {
+          currentLine++;
+        } else if (patchLine.startsWith("+")) {
+          newLines.push(patchLine.slice(1));
+        } else if (patchLine.startsWith(" ")) {
+          const contextLine = patchLine.slice(1);
+          if (lines[currentLine] !== contextLine) {
+            return {
+              success: false,
+              error: `Patch context mismatch at line ${currentLine + 1}. Expected: "${contextLine}", found: "${lines[currentLine]}"`
+            };
+          }
+          newLines.push(lines[currentLine]);
+          currentLine++;
+        }
+      }
+    }
+    while (currentLine < lines.length) {
+      newLines.push(lines[currentLine]);
+      currentLine++;
+    }
+    await writeFile(absolutePath, newLines.join("\n"), "utf-8");
+    return { success: true };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+async function promptConfirmation(message) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve3) => {
+    rl.question(`${message} (y/N): `, (answer) => {
+      rl.close();
+      resolve3(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+    });
+  });
+}
+async function applyPatches(findings, baseDir, options = {}) {
+  const results = [];
+  const patchableFindings = findings.filter(
+    (f) => f.remediation?.patch && f.remediation.patch.trim().length > 0
+  );
+  if (patchableFindings.length === 0) {
+    return {
+      totalPatchable: 0,
+      applied: 0,
+      failed: 0,
+      skipped: 0,
+      results: []
+    };
+  }
+  console.log(`
+Found ${patchableFindings.length} finding(s) with patches.
+`);
+  for (const finding of patchableFindings) {
+    const patch = finding.remediation.patch;
+    const firstEvidence = finding.evidence[0];
+    if (!firstEvidence) {
+      results.push({
+        findingId: finding.id,
+        file: "unknown",
+        success: false,
+        error: "No evidence found to determine target file",
+        patch
+      });
+      continue;
+    }
+    const targetFile = firstEvidence.file;
+    if (!isUnifiedDiff(patch)) {
+      results.push({
+        findingId: finding.id,
+        file: targetFile,
+        success: false,
+        error: "Patch is not in unified diff format. Only standard git-style diffs are supported.",
+        patch
+      });
+      continue;
+    }
+    console.log(`\x1B[36m[${finding.ruleId}]\x1B[0m ${finding.title}`);
+    console.log(`  File: ${targetFile}`);
+    console.log(`  Severity: \x1B[33m${finding.severity.toUpperCase()}\x1B[0m`);
+    console.log(`  Description: ${finding.description.slice(0, 100)}${finding.description.length > 100 ? "..." : ""}`);
+    console.log(`
+  Patch preview:`);
+    const patchLines = patch.split("\n").slice(0, 15);
+    for (const line of patchLines) {
+      if (line.startsWith("+")) {
+        console.log(`    \x1B[32m${line}\x1B[0m`);
+      } else if (line.startsWith("-")) {
+        console.log(`    \x1B[31m${line}\x1B[0m`);
+      } else {
+        console.log(`    ${line}`);
+      }
+    }
+    if (patch.split("\n").length > 15) {
+      console.log(`    \x1B[90m... (${patch.split("\n").length - 15} more lines)\x1B[0m`);
+    }
+    console.log("");
+    if (options.dryRun) {
+      console.log(`  \x1B[90m[DRY RUN] Would apply patch to ${targetFile}\x1B[0m
+`);
+      results.push({
+        findingId: finding.id,
+        file: targetFile,
+        success: true,
+        patch
+      });
+      continue;
+    }
+    let shouldApply = options.force ?? false;
+    if (!options.force) {
+      shouldApply = await promptConfirmation("  Apply this patch?");
+    }
+    if (!shouldApply) {
+      console.log(`  \x1B[90mSkipped\x1B[0m
+`);
+      results.push({
+        findingId: finding.id,
+        file: targetFile,
+        success: false,
+        error: "User declined",
+        patch
+      });
+      continue;
+    }
+    const result = await applyUnifiedDiff(targetFile, patch, baseDir);
+    if (result.success) {
+      console.log(`  \x1B[32m\u2713 Patch applied successfully\x1B[0m
+`);
+      results.push({
+        findingId: finding.id,
+        file: targetFile,
+        success: true,
+        patch
+      });
+    } else {
+      console.log(`  \x1B[31m\u2717 Failed to apply patch: ${result.error}\x1B[0m
+`);
+      results.push({
+        findingId: finding.id,
+        file: targetFile,
+        success: false,
+        error: result.error,
+        patch
+      });
+    }
+  }
+  const applied = results.filter((r) => r.success).length;
+  const failed = results.filter((r) => !r.success && r.error !== "User declined").length;
+  const skipped = results.filter((r) => r.error === "User declined").length;
+  return {
+    totalPatchable: patchableFindings.length,
+    applied,
+    failed,
+    skipped,
+    results
+  };
+}
+
+// src/utils/custom-rules-loader.ts
+import { readFileSync as readFileSync2, statSync, readdirSync } from "fs";
+import { join, extname } from "path";
+import { parse as parseYAML } from "yaml";
+function loadRuleFile(filePath) {
+  try {
+    const content = readFileSync2(filePath, "utf-8");
+    const parsed = parseYAML(content);
+    const collectionResult = CustomRuleCollectionSchema.safeParse(parsed);
+    if (collectionResult.success) {
+      return collectionResult.data.rules.filter((rule) => rule.enabled !== false);
+    }
+    const ruleResult = CustomRuleSchema.safeParse(parsed);
+    if (ruleResult.success) {
+      return ruleResult.data.enabled !== false ? [ruleResult.data] : [];
+    }
+    throw new Error(
+      `Invalid rule format in ${filePath}:
+${collectionResult.error?.message || ruleResult.error?.message}`
+    );
+  } catch (error) {
+    if (error instanceof Error) {
+      throw new Error(`Failed to load rule file ${filePath}: ${error.message}`);
+    }
+    throw error;
+  }
+}
+function loadRulesFromDirectory(dirPath) {
+  const rules = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  try {
+    const stat = statSync(dirPath);
+    if (stat.isFile()) {
+      const fileRules = loadRuleFile(dirPath);
+      for (const rule of fileRules) {
+        if (seenIds.has(rule.id)) {
+          console.warn(
+            `\x1B[33mWarning: Duplicate rule ID "${rule.id}" found, skipping duplicate\x1B[0m`
+          );
+          continue;
+        }
+        seenIds.add(rule.id);
+        rules.push(rule);
+      }
+      return rules;
+    }
+    const files = readdirSync(dirPath);
+    for (const file of files) {
+      const ext = extname(file).toLowerCase();
+      if (![".yaml", ".yml"].includes(ext)) {
+        continue;
+      }
+      const filePath = join(dirPath, file);
+      try {
+        const fileRules = loadRuleFile(filePath);
+        for (const rule of fileRules) {
+          if (seenIds.has(rule.id)) {
+            console.warn(
+              `\x1B[33mWarning: Duplicate rule ID "${rule.id}" in ${file}, skipping duplicate\x1B[0m`
+            );
+            continue;
+          }
+          seenIds.add(rule.id);
+          rules.push(rule);
+        }
+      } catch (error) {
+        console.error(
+          `\x1B[31mError loading ${file}: ${error instanceof Error ? error.message : String(error)}\x1B[0m`
+        );
+      }
+    }
+    return rules;
+  } catch (error) {
+    throw new Error(
+      `Failed to load rules from ${dirPath}: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+function validateCustomRules(rules) {
+  const valid = [];
+  const errors = [];
+  for (const rule of rules) {
+    try {
+      if (!rule.match.contains && !rule.match.not_contains && !rule.match.regex) {
+        errors.push({
+          ruleId: rule.id,
+          error: "Rule must have at least one match condition (contains, not_contains, or regex)"
+        });
+        continue;
+      }
+      if (rule.match.regex) {
+        try {
+          new RegExp(rule.match.regex);
+        } catch (e) {
+          errors.push({
+            ruleId: rule.id,
+            error: `Invalid regex pattern: ${rule.match.regex}`
+          });
+          continue;
+        }
+      }
+      if (rule.files?.file_type && rule.files.file_type.length === 0) {
+        errors.push({
+          ruleId: rule.id,
+          error: "file_type array cannot be empty"
+        });
+        continue;
+      }
+      valid.push(rule);
+    } catch (error) {
+      errors.push({
+        ruleId: rule.id,
+        error: error instanceof Error ? error.message : String(error)
+      });
+    }
+  }
+  return { valid, errors };
+}
+function printRulesSummary(rules) {
+  if (rules.length === 0) {
+    console.log("  No custom rules loaded");
+    return;
+  }
+  console.log(`  Loaded ${rules.length} custom rule(s):`);
+  const byCategory = /* @__PURE__ */ new Map();
+  for (const rule of rules) {
+    const existing = byCategory.get(rule.category) || [];
+    existing.push(rule);
+    byCategory.set(rule.category, existing);
+  }
+  for (const [category, categoryRules] of byCategory) {
+    console.log(`    \x1B[36m${category}\x1B[0m: ${categoryRules.length} rule(s)`);
+    for (const rule of categoryRules) {
+      const severityColor = rule.severity === "critical" || rule.severity === "high" ? "\x1B[31m" : rule.severity === "medium" ? "\x1B[33m" : "\x1B[36m";
+      console.log(
+        `      [${rule.id}] ${rule.title} (${severityColor}${rule.severity.toUpperCase()}\x1B[0m)`
+      );
+    }
+  }
+}
+
+// src/scanners/custom-rule-engine.ts
+import { readFileSync as readFileSync3 } from "fs";
+import { basename, extname as extname2 } from "path";
+import micromatch from "micromatch";
+function matchesFileFilter(filePath, filter) {
+  if (!filter) {
+    return true;
+  }
+  const ext = extname2(filePath).slice(1).toLowerCase();
+  const fileName = basename(filePath);
+  if (filter.file_type && filter.file_type.length > 0) {
+    const hasAny = filter.file_type.includes("any");
+    if (!hasAny) {
+      const matchesType = filter.file_type.some((type) => {
+        if (type === "config") {
+          return /\.(config|rc)\.(js|ts|json|yaml|yml)$/.test(fileName) || /^\..*rc$/.test(fileName);
+        }
+        if (type === "env") {
+          return /^\.env/.test(fileName);
+        }
+        return ext === type || type === "tsx" && ext === "ts" || type === "jsx" && ext === "js";
+      });
+      if (!matchesType) {
+        return false;
+      }
+    }
+  }
+  if (filter.include && filter.include.length > 0) {
+    if (!micromatch.isMatch(filePath, filter.include)) {
+      return false;
+    }
+  }
+  if (filter.exclude && filter.exclude.length > 0) {
+    if (micromatch.isMatch(filePath, filter.exclude)) {
+      return false;
+    }
+  }
+  if (filter.directories && filter.directories.length > 0) {
+    const matchesDir = filter.directories.some((dir) => {
+      const normalizedDir = dir.replace(/\\/g, "/");
+      const normalizedPath = filePath.replace(/\\/g, "/");
+      return normalizedPath.includes(normalizedDir);
+    });
+    if (!matchesDir) {
+      return false;
+    }
+  }
+  return true;
+}
+function matchesContent(content, match, caseSensitive = false) {
+  const lines = content.split("\n");
+  const matchedLines = [];
+  let snippet;
+  const normalize = (str) => caseSensitive ? str : str.toLowerCase();
+  if (match.contains) {
+    const searchTerm = normalize(match.contains);
+    let found = false;
+    for (let i = 0; i < lines.length; i++) {
+      if (normalize(lines[i]).includes(searchTerm)) {
+        matchedLines.push(i + 1);
+        if (!snippet) {
+          snippet = lines[i].trim();
+        }
+        found = true;
+        if (!match.all_must_match) {
+          break;
+        }
+      }
+    }
+    if (!found) {
+      return { matches: false, matchedLines: [] };
+    }
+  }
+  if (match.not_contains) {
+    const searchTerm = normalize(match.not_contains);
+    const defaultAllMatch = match.all_must_match ?? true;
+    for (let i = 0; i < lines.length; i++) {
+      if (normalize(lines[i]).includes(searchTerm)) {
+        if (defaultAllMatch) {
+          return { matches: false, matchedLines: [] };
+        }
+      }
+    }
+    if (matchedLines.length === 0) {
+      matchedLines.push(1);
+      snippet = lines[0]?.trim() || "";
+    }
+  }
+  if (match.regex) {
+    try {
+      const flags = caseSensitive ? "g" : "gi";
+      const regex = new RegExp(match.regex, flags);
+      let found = false;
+      for (let i = 0; i < lines.length; i++) {
+        if (regex.test(lines[i])) {
+          matchedLines.push(i + 1);
+          if (!snippet) {
+            snippet = lines[i].trim();
+          }
+          found = true;
+          if (!match.all_must_match) {
+            break;
+          }
+        }
+      }
+      if (!found) {
+        return { matches: false, matchedLines: [] };
+      }
+    } catch (e) {
+      console.error(`Invalid regex: ${match.regex}`);
+      return { matches: false, matchedLines: [] };
+    }
+  }
+  return {
+    matches: matchedLines.length > 0,
+    matchedLines,
+    snippet
+  };
+}
+function matchesContext(content, sourceFile, context, helpers) {
+  if (!context) {
+    return true;
+  }
+  const normalizeContent = content.toLowerCase();
+  if (context.requires_import && context.requires_import.length > 0) {
+    const hasAllRequiredImports = context.requires_import.every((imp) => {
+      return normalizeContent.includes(`from "${imp}"`) || normalizeContent.includes(`from '${imp}'`) || normalizeContent.includes(`require("${imp}")`) || normalizeContent.includes(`require('${imp}')`);
+    });
+    if (!hasAllRequiredImports) {
+      return false;
+    }
+  }
+  if (context.excludes_import && context.excludes_import.length > 0) {
+    const hasExcludedImport = context.excludes_import.some((imp) => {
+      return normalizeContent.includes(`from "${imp}"`) || normalizeContent.includes(`from '${imp}'`) || normalizeContent.includes(`require("${imp}")`) || normalizeContent.includes(`require('${imp}')`);
+    });
+    if (hasExcludedImport) {
+      return false;
+    }
+  }
+  if (context.file_contains && context.file_contains.length > 0) {
+    const hasAll = context.file_contains.every(
+      (term) => normalizeContent.includes(term.toLowerCase())
+    );
+    if (!hasAll) {
+      return false;
+    }
+  }
+  if (context.file_not_contains && context.file_not_contains.length > 0) {
+    const hasAny = context.file_not_contains.some(
+      (term) => normalizeContent.includes(term.toLowerCase())
+    );
+    if (hasAny) {
+      return false;
+    }
+  }
+  if (context.in_function && context.in_function.length > 0 && sourceFile) {
+    try {
+      const handlers = helpers.findRouteHandlers(sourceFile);
+      if (handlers.length === 0) {
+        return false;
+      }
+      const hasMatchingHandler = handlers.some((handler) => {
+        return context.in_function?.includes(handler.method) || context.in_function?.includes("route_handler") || context.in_function?.includes("any");
+      });
+      if (!hasMatchingHandler) {
+        return false;
+      }
+    } catch (e) {
+    }
+  }
+  return true;
+}
+function createScannerFromRule(rule) {
+  return async (context) => {
+    const { repoRoot, fileIndex, helpers } = context;
+    const findings = [];
+    let filesToScan = fileIndex.allSourceFiles;
+    filesToScan = filesToScan.filter(
+      (relPath) => matchesFileFilter(relPath, rule.files)
+    );
+    for (const relPath of filesToScan) {
+      const absPath = resolvePath(repoRoot, relPath);
+      try {
+        const content = readFileSync3(absPath, "utf-8");
+        let sourceFile = null;
+        if (/\.(ts|tsx|js|jsx)$/.test(relPath)) {
+          sourceFile = helpers.parseFile(absPath);
+        }
+        if (!matchesContext(content, sourceFile, rule.context, helpers)) {
+          continue;
+        }
+        const matchResult = matchesContent(
+          content,
+          rule.match,
+          rule.match.case_sensitive
+        );
+        if (!matchResult.matches) {
+          continue;
+        }
+        const evidence = matchResult.matchedLines.slice(0, 3).map((lineNum) => ({
+          file: relPath,
+          startLine: lineNum,
+          endLine: lineNum,
+          snippet: matchResult.snippet || content.split("\n")[lineNum - 1]?.trim() || "",
+          label: `Match found`
+        }));
+        const fingerprint = generateFingerprint({
+          ruleId: rule.id,
+          file: relPath,
+          line: matchResult.matchedLines[0] || 1,
+          snippet: matchResult.snippet || ""
+        });
+        const finding = {
+          id: generateFindingId({
+            ruleId: rule.id,
+            file: relPath,
+            symbol: matchResult.snippet || "",
+            startLine: matchResult.matchedLines[0] || 1
+          }),
+          ruleId: rule.id,
+          title: rule.title,
+          description: rule.description,
+          severity: rule.severity,
+          confidence: rule.confidence,
+          category: rule.category,
+          evidence,
+          remediation: {
+            recommendedFix: rule.recommended_fix,
+            patch: rule.patch
+          },
+          links: rule.links,
+          fingerprint
+        };
+        findings.push(finding);
+      } catch (error) {
+        continue;
+      }
+    }
+    return findings;
+  };
+}
+function createScannersFromRules(rules) {
+  return rules.map(createScannerFromRule);
+}
+
 // src/scanners/types.ts
 var SEVERITY_ORDER = {
   critical: 4,
@@ -1626,6 +2333,61 @@ async function buildScanContext(repoRoot, options = {}) {
   };
 }
 
+// src/scanners/helpers/patch-generator.ts
+import { readFileSync as readFileSync4 } from "fs";
+function generateFunctionStartPatch(repoRoot, relPath, functionStartLine, codeToInsert, contextLines = 3) {
+  try {
+    const absPath = resolvePath(repoRoot, relPath);
+    const content = readFileSync4(absPath, "utf-8");
+    const lines = content.split("\n");
+    let bodyStartLine = functionStartLine;
+    for (let i = functionStartLine - 1; i < lines.length; i++) {
+      if (lines[i].includes("{")) {
+        bodyStartLine = i + 1;
+        break;
+      }
+    }
+    const contextBefore = lines.slice(
+      Math.max(0, bodyStartLine - contextLines),
+      bodyStartLine
+    );
+    const contextAfter = lines.slice(
+      bodyStartLine,
+      Math.min(lines.length, bodyStartLine + contextLines)
+    );
+    const firstLineAfterBrace = lines[bodyStartLine];
+    const indentation = firstLineAfterBrace?.match(/^(\s*)/)?.[1] || "  ";
+    const insertLines = codeToInsert.split("\n").map((line) => {
+      if (line.trim() === "") return "";
+      return indentation + line;
+    });
+    const oldStartLine = bodyStartLine - contextBefore.length + 1;
+    const oldLineCount = contextBefore.length + contextAfter.length;
+    const newLineCount = oldLineCount + insertLines.length;
+    const diffLines = [];
+    diffLines.push(`--- a/${relPath.replace(/\\/g, "/")}`);
+    diffLines.push(`+++ b/${relPath.replace(/\\/g, "/")}`);
+    diffLines.push(
+      `@@ -${oldStartLine},${oldLineCount} +${oldStartLine},${newLineCount} @@`
+    );
+    for (const line of contextBefore) {
+      diffLines.push(" " + line);
+    }
+    for (const line of insertLines) {
+      diffLines.push("+" + line);
+    }
+    if (contextAfter.length > 0 && contextAfter[0].trim() !== "") {
+      diffLines.push("+");
+    }
+    for (const line of contextAfter) {
+      diffLines.push(" " + line);
+    }
+    return diffLines.join("\n");
+  } catch (error) {
+    return "";
+  }
+}
+
 // src/scanners/auth/unprotected-api-route.ts
 var RULE_ID = "VC-AUTH-001";
 var STATE_CHANGING_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
@@ -1689,6 +2451,19 @@ async function scanUnprotectedApiRoutes(context) {
         route: routePath
       });
       const sinkOperations = sinks.map((s) => `${s.kind}.${s.operation}`).join(", ");
+      const authCheckCode = `const session = await getServerSession(authOptions);
+if (!session) {
+  return new Response(JSON.stringify({ error: "Unauthorized" }), {
+    status: 401,
+    headers: { "Content-Type": "application/json" }
+  });
+}`;
+      const patch = generateFunctionStartPatch(
+        repoRoot,
+        relPath,
+        handler.startLine,
+        authCheckCode
+      );
       findings.push({
         id: generateFindingId({
           ruleId: RULE_ID,
@@ -1704,14 +2479,8 @@ async function scanUnprotectedApiRoutes(context) {
         evidence,
         remediation: {
           recommendedFix: `Add authentication to the ${handler.method} handler. Check for a valid session using getServerSession(), auth(), or similar before performing database operations.`,
-          patch: `// Add at the start of your handler:
-const session = await getServerSession(authOptions);
-if (!session) {
-  return new Response(JSON.stringify({ error: "Unauthorized" }), {
-    status: 401,
-    headers: { "Content-Type": "application/json" }
-  });
-}`
+          patch: patch || void 0
+          // Only include patch if generation succeeded
         },
         links: {
           owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
@@ -1814,19 +2583,8 @@ async function scanMiddlewareGap(context) {
         description: `This Next.js project uses next-auth but has no middleware.ts file. API routes (${fileIndex.apiRouteFiles.length} found) may lack server-side authentication enforcement. While next-auth provides session management, middleware is recommended for edge-level protection.`,
         evidence,
         remediation: {
-          recommendedFix: "Create a middleware.ts file that checks authentication for protected routes. See: https://next-auth.js.org/configuration/nextjs#middleware",
-          patch: `// middleware.ts
-import { withAuth } from "next-auth/middleware";
-
-export default withAuth({
-  callbacks: {
-    authorized: ({ token }) => !!token,
-  },
-});
-
-export const config = {
-  matcher: ["/api/:path*", "/dashboard/:path*"],
-};`
+          recommendedFix: "Create a middleware.ts file that checks authentication for protected routes. Use next-auth's withAuth helper with a matcher config for /api/:path* and other protected routes. See: https://next-auth.js.org/configuration/nextjs#middleware"
+          // No patch for file creation - apply-patches only handles modifications to existing files
         },
         links: {
           owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -1888,6 +2646,7 @@ export const config = {
       evidence,
       remediation: {
         recommendedFix: `Update the middleware matcher to include API routes. Example: matcher: ['/((?!_next/static|_next/image|favicon.ico).*)', '/api/:path*']`
+        // No patch for middleware matcher updates - requires understanding the full matcher pattern and what should be included/excluded
       },
       links: {
         owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -1949,14 +2708,8 @@ async function scanIgnoredValidation(context) {
             category: "validation",
             evidence,
             remediation: {
-              recommendedFix: `Assign the validation result to a variable and use the validated data instead of the raw input.`,
-              patch: usage.library === "zod" ? `// Instead of:
-schema.parse(data);
-
-// Do:
-const validatedData = schema.parse(data);
-// Use validatedData for all subsequent operations` : `// Assign and use the validated result
-const validatedData = await schema.validate(data);`
+              recommendedFix: `Assign the validation result to a variable and use the validated data instead of the raw input. For Zod: const validatedData = schema.parse(data). For Yup/Joi: const validatedData = await schema.validate(data). Then use validatedData for all operations.`
+              // No patch for validation fixes - requires knowing actual variable names and how to replace raw body usage
             },
             links: {
               cwe: "https://cwe.mitre.org/data/definitions/20.html"
@@ -2080,35 +2833,8 @@ async function scanClientSideOnlyValidation(context) {
         category: "validation",
         evidence,
         remediation: {
-          recommendedFix: `Add server-side validation using the same schema. Consider sharing schemas between frontend and backend.`,
-          patch: `// Share your Zod schema between frontend and backend:
-// lib/schemas/user.ts
-import { z } from "zod";
-
-export const createUserSchema = z.object({
-  name: z.string().min(1),
-  email: z.string().email(),
-});
-
-// In your API route:
-import { createUserSchema } from "@/lib/schemas/user";
-
-export async function POST(request: Request) {
-  const body = await request.json();
-
-  // Server-side validation
-  const result = createUserSchema.safeParse(body);
-  if (!result.success) {
-    return Response.json(
-      { error: result.error.flatten() },
-      { status: 400 }
-    );
-  }
-
-  // Use validated data
-  const { name, email } = result.data;
-  // ...
-}`
+          recommendedFix: `Add server-side validation using the same schema. Consider sharing schemas between frontend and backend. Example with Zod: const result = schema.safeParse(body); if (!result.success) return Response.json({ error: result.error }, { status: 400 }); then use result.data for validated values.`
+          // No patch for validation addition - requires knowing the validation schema structure and which fields to validate
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/20.html",
@@ -2178,12 +2904,8 @@ async function scanSensitiveLogging(context) {
         category: "privacy",
         evidence,
         remediation: {
-          recommendedFix: `Remove sensitive data from log statements. Only log non-sensitive identifiers like user IDs, timestamps, or action types.`,
-          patch: `// Instead of:
-console.log("Login:", { email, password });
-
-// Do:
-console.log("Login attempt:", { email, timestamp: Date.now() });`
+          recommendedFix: `Remove sensitive data from log statements. Only log non-sensitive identifiers like user IDs, timestamps, or action types. Never log passwords, tokens, auth headers, secrets, or API keys.`
+          // No patch for sensitive logging - requires understanding which data is needed for debugging vs which should be redacted
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/532.html",
@@ -2260,20 +2982,8 @@ async function scanOverBroadResponse(context) {
           category: "privacy",
           evidence,
           remediation: {
-            recommendedFix: `Use Prisma's \`select\` clause to explicitly choose which fields to return. Never expose password hashes, tokens, or other sensitive data in API responses.`,
-            patch: `// Instead of:
-const users = await prisma.${query.model.toLowerCase()}.${query.operation}();
-
-// Use select to return only needed fields:
-const users = await prisma.${query.model.toLowerCase()}.${query.operation}({
-  select: {
-    id: true,
-    name: true,
-    email: true,
-    createdAt: true,
-    // Explicitly omit: password, passwordHash, tokens, etc.
-  },
-});`
+            recommendedFix: `Use Prisma's \`select\` clause to explicitly choose which fields to return. Never expose password hashes, tokens, or other sensitive data in API responses. Example: prisma.user.findMany({ select: { id: true, name: true, email: true } }) - only include fields the API consumer needs.`
+            // No patch for over-broad responses - requires understanding which fields are needed by the API consumer
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/359.html",
@@ -2371,17 +3081,8 @@ async function scanDebugFlags(context) {
         category: "config",
         evidence,
         remediation: {
-          recommendedFix: `Ensure debug flags are only enabled in development. Use environment variables or NODE_ENV checks.`,
-          patch: `// Guard debug flags with environment check:
-const isDev = process.env.NODE_ENV === 'development';
-
-module.exports = {
-  // Only enable in development
-  ...(isDev && { debug: true }),
-
-  // Or use environment variable:
-  debug: process.env.DEBUG === 'true',
-};`
+          recommendedFix: `Ensure debug flags are only enabled in development. Use environment variables or NODE_ENV checks. Example: ...(process.env.NODE_ENV === 'development' && { debug: true }) or debug: process.env.DEBUG === 'true'.`
+          // No patch for debug flag fixes - requires understanding config structure and which flags to guard
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/489.html",
@@ -2631,30 +3332,8 @@ async function scanSsrfProneFetch(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Validate and sanitize the URL before use. Use an allowlist of permitted domains or URL patterns. Never allow requests to internal networks, localhost, or cloud metadata endpoints.`,
-            patch: `// Validate URL before fetching
-const url = new URL(userProvidedUrl);
-
-// Check against allowlist
-const allowedHosts = ["api.example.com", "cdn.example.com"];
-if (!allowedHosts.includes(url.hostname)) {
-  throw new Error("URL not allowed");
-}
-
-// Block internal addresses
-const blockedPatterns = [
-  /^localhost$/i,
-  /^127\\.\\d+\\.\\d+\\.\\d+$/,
-  /^10\\.\\d+\\.\\d+\\.\\d+$/,
-  /^172\\.(1[6-9]|2[0-9]|3[0-1])\\.\\d+\\.\\d+$/,
-  /^192\\.168\\.\\d+\\.\\d+$/,
-  /^169\\.254\\.169\\.254$/, // AWS metadata
-];
-if (blockedPatterns.some(p => p.test(url.hostname))) {
-  throw new Error("URL not allowed");
-}
-
-const response = await fetch(url.toString());`
+            recommendedFix: `Validate and sanitize the URL before use. Use an allowlist of permitted domains or URL patterns. Block requests to internal networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x), localhost (127.x.x.x), and cloud metadata endpoints (169.254.169.254). Parse with new URL() and validate url.hostname.`
+            // No patch for SSRF validation - requires defining application-specific allowlist of permitted domains
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/918.html",
@@ -2713,22 +3392,8 @@ async function scanOpenRedirect(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Validate the redirect URL against an allowlist of permitted paths or domains. Never redirect to arbitrary user-provided URLs without validation.`,
-            patch: `// Validate redirect URL before use
-const allowedPaths = ['/dashboard', '/profile', '/settings'];
-const redirectUrl = searchParams.get('next') || '/';
-
-// Option 1: Only allow relative paths
-if (!redirectUrl.startsWith('/') || redirectUrl.startsWith('//')) {
-  return NextResponse.redirect(new URL('/', request.url));
-}
-
-// Option 2: Allowlist check
-if (!allowedPaths.some(path => redirectUrl.startsWith(path))) {
-  return NextResponse.redirect(new URL('/', request.url));
-}
-
-return NextResponse.redirect(new URL(redirectUrl, request.url));`
+            recommendedFix: `Validate the redirect URL against an allowlist of permitted paths or domains. Never redirect to arbitrary user-provided URLs without validation. Options: (1) Only allow relative paths: check !url.startsWith('/') || url.startsWith('//'), (2) Use allowlist: check allowedPaths.some(path => url.startsWith(path)).`
+            // No patch for redirect validation - requires defining application-specific allowlist of permitted paths/domains
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/601.html",
@@ -2786,26 +3451,8 @@ async function scanCorsMisconfiguration(context) {
         category: "network",
         evidence,
         remediation: {
-          recommendedFix: `When using credentials, you must specify explicit allowed origins instead of "*". Use an allowlist of trusted domains.`,
-          patch: `// Instead of:
-// cors({ origin: "*", credentials: true })
-
-// Use an allowlist:
-const allowedOrigins = [
-  'https://app.example.com',
-  'https://admin.example.com',
-];
-
-app.use(cors({
-  origin: (origin, callback) => {
-    if (!origin || allowedOrigins.includes(origin)) {
-      callback(null, true);
-    } else {
-      callback(new Error('Not allowed by CORS'));
-    }
-  },
-  credentials: true,
-}));`
+          recommendedFix: `When using credentials, you must specify explicit allowed origins instead of "*". Use an allowlist of trusted domains. Example: cors({ origin: (origin, callback) => { if (allowedOrigins.includes(origin)) callback(null, true); else callback(new Error('Not allowed')); }, credentials: true })`
+          // No patch for CORS fixes - requires defining application-specific allowlist of trusted origins
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/942.html",
@@ -2862,28 +3509,8 @@ async function scanMissingTimeout(context) {
           category: "network",
           evidence,
           remediation: {
-            recommendedFix: `Add a timeout to prevent indefinite hangs. For fetch, use AbortController; for axios, use the timeout option.`,
-            patch: `// For fetch, use AbortController:
-const controller = new AbortController();
-const timeoutId = setTimeout(() => controller.abort(), 5000);
-
-try {
-  const response = await fetch(url, {
-    signal: controller.signal,
-  });
-  clearTimeout(timeoutId);
-  return response;
-} catch (error) {
-  if (error.name === 'AbortError') {
-    throw new Error('Request timed out');
-  }
-  throw error;
-}
-
-// For axios:
-const response = await axios.get(url, {
-  timeout: 5000,
-});`
+            recommendedFix: `Add a timeout to prevent indefinite hangs. For fetch, use AbortController with setTimeout(() => controller.abort(), 5000) and handle AbortError. For axios, add timeout: 5000 to options. Choose timeout duration based on expected response times.`
+            // No patch for timeout fixes - implementation varies by method (fetch vs axios) and requires choosing appropriate timeout duration
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/400.html"
@@ -3153,19 +3780,8 @@ async function scanNextAuthNotEnforced(context) {
       category: "auth",
       evidence,
       remediation: {
-        recommendedFix: "Add authentication middleware or explicit auth checks to API routes. See https://next-auth.js.org/configuration/nextjs",
-        patch: `// middleware.ts
-import { withAuth } from "next-auth/middleware";
-
-export default withAuth({
-  callbacks: {
-    authorized: ({ token }) => !!token,
-  },
-});
-
-export const config = {
-  matcher: ["/api/:path*"],
-};`
+        recommendedFix: "Add authentication middleware or explicit auth checks to API routes. Create middleware.ts using next-auth's withAuth helper with matcher for /api/:path*. See https://next-auth.js.org/configuration/nextjs"
+        // No patch for file creation - apply-patches only handles modifications to existing files
       },
       links: {
         owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
@@ -3257,33 +3873,8 @@ async function scanMissingRateLimit(context) {
         category: "middleware",
         evidence,
         remediation: {
-          recommendedFix: `Add rate limiting to protect against abuse. Consider using @upstash/ratelimit for serverless, or express-rate-limit for Express apps.`,
-          patch: `// Using @upstash/ratelimit with Vercel KV:
-import { Ratelimit } from "@upstash/ratelimit";
-import { kv } from "@vercel/kv";
-
-const ratelimit = new Ratelimit({
-  redis: kv,
-  limiter: Ratelimit.slidingWindow(10, "60 s"), // 10 requests per minute
-});
-
-export async function POST(request: Request) {
-  const ip = request.headers.get("x-forwarded-for") ?? "127.0.0.1";
-  const { success, limit, reset, remaining } = await ratelimit.limit(ip);
-
-  if (!success) {
-    return new Response("Too Many Requests", {
-      status: 429,
-      headers: {
-        "X-RateLimit-Limit": limit.toString(),
-        "X-RateLimit-Remaining": remaining.toString(),
-        "X-RateLimit-Reset": reset.toString(),
-      },
-    });
-  }
-
-  // ... rest of handler
-}`
+          recommendedFix: `Add rate limiting to protect against abuse. For serverless: use @upstash/ratelimit with Ratelimit.slidingWindow(10, "60 s") and check success before proceeding. For Express: use express-rate-limit middleware. Limit by IP address or user ID.`
+          // No patch for rate limiting - implementation varies by infrastructure (serverless vs traditional) and requires setup (Redis connection, identifier strategy)
         },
         links: {
           owasp: "https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html",
@@ -3345,21 +3936,8 @@ async function scanMathRandomTokens(context) {
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: `Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values.`,
-          patch: `import { randomBytes, randomUUID } from 'crypto';
-
-// For tokens/keys (hex string):
-const token = randomBytes(32).toString('hex');
-
-// For session IDs (URL-safe base64):
-const sessionId = randomBytes(24).toString('base64url');
-
-// For UUIDs:
-const id = randomUUID();
-
-// For numbers in a range (e.g., 6-digit code):
-const code = randomBytes(4).readUInt32BE() % 1000000;
-const resetCode = code.toString().padStart(6, '0');`
+          recommendedFix: `Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values. For tokens/keys: randomBytes(32).toString('hex'). For session IDs: randomBytes(24).toString('base64url'). For UUIDs: randomUUID(). For numeric codes: randomBytes(4).readUInt32BE() % range.`
+          // No patch for crypto random fixes - the correct replacement depends on the specific use case
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/338.html",
@@ -3414,26 +3992,8 @@ async function scanJwtDecodeUnverified(context) {
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: `Use jwt.verify() instead of jwt.decode() to ensure the token signature is valid.`,
-          patch: `import jwt from 'jsonwebtoken';
-
-// WRONG - doesn't verify signature:
-// const payload = jwt.decode(token);
-
-// CORRECT - verifies signature:
-try {
-  const payload = jwt.verify(token, process.env.JWT_SECRET);
-  // Token is valid, payload can be trusted
-} catch (error) {
-  // Token is invalid or expired
-  throw new Error('Invalid token');
-}
-
-// If you need to read claims before verification (e.g., to get kid for key lookup):
-const header = jwt.decode(token, { complete: true })?.header;
-const kid = header?.kid;
-// ... look up the correct key ...
-const payload = jwt.verify(token, key); // MUST verify before trusting`
+          recommendedFix: `Use jwt.verify() instead of jwt.decode() to ensure the token signature is valid. Example: jwt.verify(token, process.env.JWT_SECRET) with proper error handling. If you need to read claims before verification (e.g., to get kid for key lookup), decode the header first, look up the correct key, then verify with that key.`
+          // No patch for JWT fixes - requires knowing secret location and error handling context
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/347.html",
@@ -3474,30 +4034,19 @@ async function scanWeakHashing(context) {
       });
       let title;
       let description;
-      let patch;
+      let recommendedFix;
       if (usage.algorithm.startsWith("bcrypt")) {
         title = "Bcrypt with insufficient salt rounds";
         description = `Bcrypt is configured with low salt rounds (${usage.algorithm}). The cost factor should be at least 10 (ideally 12+) to provide adequate protection against brute-force attacks. Lower values make password cracking significantly faster.`;
-        patch = `import bcrypt from 'bcrypt';
-
-// Use at least 10 salt rounds (12 recommended):
-const SALT_ROUNDS = 12;
-
-const hashedPassword = await bcrypt.hash(password, SALT_ROUNDS);`;
+        recommendedFix = "Increase bcrypt salt rounds to at least 10 (12 recommended): await bcrypt.hash(password, 12)";
       } else if (usage.algorithm === "md5" || usage.algorithm === "sha1") {
         title = `Weak hash algorithm (${usage.algorithm.toUpperCase()}) ${usage.isPasswordContext ? "for password" : "detected"}`;
         description = `${usage.algorithm.toUpperCase()} is cryptographically broken and should not be used for security purposes${usage.isPasswordContext ? ", especially for passwords" : ""}. MD5 can be brute-forced or attacked with rainbow tables in seconds. SHA1 has known collision vulnerabilities.`;
-        patch = `// For passwords, use bcrypt or argon2:
-import bcrypt from 'bcrypt';
-const hashedPassword = await bcrypt.hash(password, 12);
-
-// For non-password hashing (integrity checks, etc.):
-import { createHash } from 'crypto';
-const hash = createHash('sha256').update(data).digest('hex');`;
+        recommendedFix = usage.isPasswordContext ? "For passwords, use bcrypt: await bcrypt.hash(password, 12)" : "For non-password hashing, use SHA-256: createHash('sha256').update(data).digest('hex')";
       } else {
         title = `Weak cryptographic configuration: ${usage.algorithm}`;
         description = `The cryptographic configuration "${usage.algorithm}" is considered weak and should be updated to current standards.`;
-        patch = `// Use modern, secure algorithms and configurations`;
+        recommendedFix = "Use modern, secure algorithms and configurations";
       }
       findings.push({
         id: generateFindingId({
@@ -3514,8 +4063,8 @@ const hash = createHash('sha256').update(data).digest('hex');`;
         category: "crypto",
         evidence,
         remediation: {
-          recommendedFix: usage.isPasswordContext ? "Use bcrypt with at least 10 salt rounds, or argon2id for new applications." : "Use SHA-256 or stronger for integrity checks. For passwords, use bcrypt or argon2.",
-          patch
+          recommendedFix
+          // No patch for crypto changes - too context-dependent
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/328.html",
@@ -3582,36 +4131,8 @@ async function scanMissingUploadConstraints(context) {
           category: "uploads",
           evidence,
           remediation: {
-            recommendedFix: `Add both size limits and file type validation to your upload handler.`,
-            patch: upload.uploadMethod === "multer" ? `// For multer, add limits and fileFilter:
-const upload = multer({
-  limits: {
-    fileSize: 5 * 1024 * 1024, // 5MB limit
-    files: 1, // Single file
-  },
-  fileFilter: (req, file, cb) => {
-    const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-    if (allowedTypes.includes(file.mimetype)) {
-      cb(null, true);
-    } else {
-      cb(new Error('Invalid file type'));
-    }
-  },
-});` : `// For Next.js formData, validate the file:
-const formData = await request.formData();
-const file = formData.get('file') as File;
-
-// Check file size
-const MAX_SIZE = 5 * 1024 * 1024; // 5MB
-if (file.size > MAX_SIZE) {
-  return Response.json({ error: 'File too large' }, { status: 400 });
-}
-
-// Check file type
-const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
-if (!allowedTypes.includes(file.type)) {
-  return Response.json({ error: 'Invalid file type' }, { status: 400 });
-}`
+            recommendedFix: `Add both size limits and file type validation to your upload handler. For multer: add limits.fileSize and fileFilter callback. For Next.js formData: check file.size and file.type. Define allowed MIME types based on your use case (images, documents, etc.) and appropriate size limits.`
+            // No patch for upload constraints - requires knowing appropriate size limits and allowed file types for the specific use case
           },
           links: {
             cwe: "https://cwe.mitre.org/data/definitions/434.html",
@@ -3668,29 +4189,8 @@ async function scanPublicUploadPath(context) {
         category: "uploads",
         evidence,
         remediation: {
-          recommendedFix: `Store uploads outside the public directory and serve them through a controlled API endpoint. Always sanitize and generate safe filenames.`,
-          patch: `// DON'T: Write directly to public folder
-// fs.writeFile(path.join('public', filename), buffer);
-
-// DO: Store outside public with generated names
-import { randomUUID } from 'crypto';
-import path from 'path';
-
-// Generate safe filename
-const ext = path.extname(originalFilename).toLowerCase();
-const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'];
-if (!allowedExtensions.includes(ext)) {
-  throw new Error('Invalid file extension');
-}
-
-const safeFilename = \`\${randomUUID()}\${ext}\`;
-const uploadPath = path.join(process.cwd(), 'uploads', safeFilename);
-
-// Write to non-public directory
-await fs.writeFile(uploadPath, buffer);
-
-// Serve through API route:
-// GET /api/files/[id] -> Stream file from uploads directory`
+          recommendedFix: `Store uploads outside the public directory and serve them through a controlled API endpoint. Always sanitize and generate safe filenames using randomUUID() + validated extension. Store in a non-public directory (e.g., uploads/) and serve through an API route that handles authorization and content-type headers.`
+          // No patch for upload path fixes - requires restructuring file handling, creating API routes, and implementing authorization logic
         },
         links: {
           cwe: "https://cwe.mitre.org/data/definitions/434.html",
@@ -4048,59 +4548,25 @@ function generateDescription(match, missing, costMultiplier, routePath) {
   return `This endpoint (${routePath}) performs ${categoryDescriptions[match.category]}. Without proper controls, attackers can abuse this endpoint causing significant financial damage or service degradation. Estimated cost amplification: ${costMultiplier}x per request. Missing enforcement: ${missingText}.`;
 }
 function generateRemediation(category, missing) {
-  const patches = [];
+  const recommendations = [];
   if (missing.includes("auth")) {
-    patches.push(`// Add authentication
-const session = await getServerSession(authOptions);
-if (!session) {
-  return Response.json({ error: "Unauthorized" }, { status: 401 });
-}`);
+    recommendations.push("authentication (e.g., getServerSession with 401 for unauthorized)");
   }
   if (missing.includes("rate_limit")) {
-    patches.push(`// Add rate limiting
-import { Ratelimit } from "@upstash/ratelimit";
-const ratelimit = new Ratelimit({
-  redis: kv,
-  limiter: Ratelimit.slidingWindow(10, "60 s"),
-});
-const { success } = await ratelimit.limit(userId);
-if (!success) {
-  return Response.json({ error: "Rate limit exceeded" }, { status: 429 });
-}`);
+    recommendations.push("rate limiting (e.g., @upstash/ratelimit with sliding window)");
   }
   if (missing.includes("request_size_limit")) {
-    patches.push(`// Add request size limit
-const body = await request.json();
-const size = JSON.stringify(body).length;
-if (size > 100 * 1024) { // 100KB limit
-  return Response.json({ error: "Request too large" }, { status: 413 });
-}`);
+    recommendations.push("request size limits (check JSON.stringify(body).length, reject if > threshold)");
   }
   if (missing.includes("timeout")) {
-    patches.push(`// Add timeout
-const controller = new AbortController();
-const timeout = setTimeout(() => controller.abort(), 30000); // 30s timeout
-try {
-  const result = await expensiveOperation({ signal: controller.signal });
-} finally {
-  clearTimeout(timeout);
-}`);
+    recommendations.push("timeout enforcement (use AbortController with setTimeout)");
   }
   if (missing.includes("input_validation")) {
-    patches.push(`// Add input validation
-import { z } from "zod";
-const schema = z.object({
-  prompt: z.string().max(4000),
-  model: z.enum(["gpt-4", "gpt-3.5-turbo"]),
-});
-const { success, data } = schema.safeParse(body);
-if (!success) {
-  return Response.json({ error: "Invalid input" }, { status: 400 });
-}`);
+    recommendations.push("input validation (use Zod/Yup to validate and limit input size)");
   }
   return {
-    recommendedFix: `Add the following enforcement controls to protect against compute abuse: ${missing.map((m) => m.replace(/_/g, " ")).join(", ")}.`,
-    patch: patches.join("\n\n")
+    recommendedFix: `Add the following enforcement controls to protect against compute abuse: ${recommendations.join("; ")}.`
+    // No patch for compute abuse fixes - each requires different implementation based on the specific operation and infrastructure
   };
 }
 
@@ -6333,7 +6799,7 @@ var supplyChainPack = {
 
 // src/phase3/proof-trace-builder.ts
 import crypto3 from "crypto";
-import path3 from "path";
+import path4 from "path";
 import { SyntaxKind as SyntaxKind2 } from "ts-morph";
 var MAX_TRACE_DEPTH = 2;
 function generateRouteId(routePath, method, file) {
@@ -6362,7 +6828,7 @@ function extractRoutePath6(routePart) {
 function buildRouteMap(ctx) {
   const routes = [];
   for (const routeFile of ctx.fileIndex.routeFiles) {
-    const absolutePath = path3.join(ctx.repoRoot, routeFile);
+    const absolutePath = path4.join(ctx.repoRoot, routeFile);
     const sourceFile = ctx.helpers.parseFile(absolutePath);
     if (!sourceFile) continue;
     const handlers = ctx.helpers.findRouteHandlers(sourceFile);
@@ -6387,7 +6853,7 @@ function buildMiddlewareMap(ctx) {
   if (!ctx.fileIndex.middlewareFile) {
     return middlewareList;
   }
-  const absolutePath = path3.join(ctx.repoRoot, ctx.fileIndex.middlewareFile);
+  const absolutePath = path4.join(ctx.repoRoot, ctx.fileIndex.middlewareFile);
   const sourceFile = ctx.helpers.parseFile(absolutePath);
   if (!sourceFile) return middlewareList;
   const relPath = ctx.fileIndex.middlewareFile.replace(/\\/g, "/");
@@ -6447,7 +6913,7 @@ function buildProofTrace(ctx, route) {
   let authProven = false;
   let validationProven = false;
   const sourceFile = ctx.helpers.parseFile(
-    path3.join(ctx.repoRoot, route.file)
+    path4.join(ctx.repoRoot, route.file)
   );
   if (!sourceFile) {
     return {
@@ -6534,13 +7000,13 @@ function buildProofTrace(ctx, route) {
 }
 function getLocalImports(sourceFile, repoRoot, currentFile) {
   const imports = [];
-  const currentDir = path3.dirname(path3.join(repoRoot, currentFile));
+  const currentDir = path4.dirname(path4.join(repoRoot, currentFile));
   for (const importDecl of sourceFile.getImportDeclarations()) {
     const moduleSpecifier = importDecl.getModuleSpecifierValue();
     if (!moduleSpecifier.startsWith(".")) {
       continue;
     }
-    let absolutePath = path3.resolve(currentDir, moduleSpecifier);
+    let absolutePath = path4.resolve(currentDir, moduleSpecifier);
     const extensions = [".ts", ".tsx", ".js", ".jsx"];
     let resolved = false;
     for (const ext of extensions) {
@@ -6556,7 +7022,7 @@ function getLocalImports(sourceFile, repoRoot, currentFile) {
     }
     if (!resolved) {
       for (const ext of extensions) {
-        const indexPath = path3.join(absolutePath, `index${ext}`);
+        const indexPath = path4.join(absolutePath, `index${ext}`);
         try {
           if (sourceFile.getProject().getSourceFile(indexPath)) {
             absolutePath = indexPath;
@@ -6596,7 +7062,7 @@ function traceImportedModule(ctx, importInfo, depth, needAuth, needValidation) {
   if (!sourceFile) {
     return result;
   }
-  const relPath = path3.relative(ctx.repoRoot, importInfo.absolutePath).replace(/\\/g, "/");
+  const relPath = path4.relative(ctx.repoRoot, importInfo.absolutePath).replace(/\\/g, "/");
   if (needAuth) {
     sourceFile.forEachDescendant((node) => {
       if (result.authProven) return;
@@ -6701,7 +7167,7 @@ function buildAllProofTraces(ctx, routes) {
 
 // src/phase3/intent-miner.ts
 import crypto4 from "crypto";
-import path4 from "path";
+import path5 from "path";
 import { SyntaxKind as SyntaxKind3 } from "ts-morph";
 var INTENT_PATTERNS = [
   // Auth patterns
@@ -6740,7 +7206,7 @@ function generateIntentId(type, file, line, evidence) {
 function mineIntentClaims(ctx, sourceFile, routes) {
   const claims = [];
   const filePath = sourceFile.getFilePath();
-  const relPath = path4.relative(ctx.repoRoot, filePath).replace(/\\/g, "/");
+  const relPath = path5.relative(ctx.repoRoot, filePath).replace(/\\/g, "/");
   claims.push(...mineFromComments(sourceFile, relPath, routes));
   claims.push(...mineFromImports(sourceFile, relPath));
   claims.push(...mineFromIdentifiers(sourceFile, relPath, routes));
@@ -6912,7 +7378,7 @@ function truncateEvidence(text) {
 function mineAllIntentClaims(ctx, routes) {
   const allClaims = [];
   for (const file of ctx.fileIndex.allSourceFiles) {
-    const absolutePath = path4.join(ctx.repoRoot, file);
+    const absolutePath = path5.join(ctx.repoRoot, file);
     const sourceFile = ctx.helpers.parseFile(absolutePath);
     if (!sourceFile) continue;
     const claims = mineIntentClaims(ctx, sourceFile, routes);
@@ -7212,7 +7678,7 @@ function generateFingerprint3(route) {
 
 // src/phase3/scanners/validation-claimed-missing.ts
 import crypto7 from "crypto";
-import path5 from "path";
+import path6 from "path";
 var RULE_ID34 = "VC-HALL-012";
 async function scanValidationClaimedMissing(ctx) {
   const findings = [];
@@ -7229,7 +7695,7 @@ async function scanValidationClaimedMissing(ctx) {
     claimsByFile.set(claim.location.file, existing);
   }
   for (const [file, claims] of claimsByFile) {
-    const sourceFile = ctx.helpers.parseFile(path5.join(ctx.repoRoot, file));
+    const sourceFile = ctx.helpers.parseFile(path6.join(ctx.repoRoot, file));
     if (!sourceFile) continue;
     const fileRoutes = routes.filter((r) => r.file === file);
     const handlers = ctx.helpers.findRouteHandlers(sourceFile);
@@ -7357,7 +7823,7 @@ function checkUnusedValidationImports(ctx, routes, claims) {
   );
   for (const claim of importClaims) {
     const sourceFile = ctx.helpers.parseFile(
-      path5.join(ctx.repoRoot, claim.location.file)
+      path6.join(ctx.repoRoot, claim.location.file)
     );
     if (!sourceFile) continue;
     const hasSchemas = ctx.helpers.hasValidationSchemas(sourceFile);
@@ -7398,7 +7864,7 @@ function generateFingerprint4(route, issueType) {
 
 // src/phase3/scanners/auth-by-ui-server-gap.ts
 import crypto8 from "crypto";
-import path6 from "path";
+import path7 from "path";
 var RULE_ID35 = "VC-AUTH-010";
 var CLIENT_AUTH_PATTERNS = [
   // React/Next.js session hooks
@@ -7439,7 +7905,7 @@ async function scanAuthByUiServerGap(ctx) {
     const sourceFile = ctx.helpers.parseFile(componentFile);
     if (!sourceFile) continue;
     const fullText = sourceFile.getFullText();
-    const relPath = path6.relative(ctx.repoRoot, componentFile).replace(/\\/g, "/");
+    const relPath = path7.relative(ctx.repoRoot, componentFile).replace(/\\/g, "/");
     const hasClientAuth = CLIENT_AUTH_PATTERNS.some((p) => p.test(fullText));
     if (!hasClientAuth) continue;
     const apiCalls = findApiCalls(fullText, relPath, sourceFile);
@@ -8210,7 +8676,7 @@ function sarifToJson(sarif, pretty = true) {
 }
 
 // src/utils/progress.ts
-import path7 from "path";
+import path8 from "path";
 var ANSI = {
   reset: "\x1B[0m",
   bold: "\x1B[1m",
@@ -8285,7 +8751,7 @@ var ScanProgress = class {
     const packNum = `[${String(this.currentPack + 1).padStart(2)}/${this.packs.length}]`;
     const filePercent = this.totalFiles > 0 ? Math.min(Math.round(this.filesProcessed / this.totalFiles * 100), 100) : 0;
     const progressBar = createProgressBar(this.filesProcessed, this.totalFiles, 20);
-    const fileName = this.currentFile ? path7.basename(this.currentFile) : "";
+    const fileName = this.currentFile ? path8.basename(this.currentFile) : "";
     const truncatedFile = truncateEnd(fileName, 28);
     const statusText = `${ANSI.dim}${truncatedFile}${ANSI.reset} ${ANSI.cyan}${String(filePercent).padStart(3)}%${ANSI.reset}`;
     const packName = truncateEnd(pack.name, 32);
@@ -8362,13 +8828,13 @@ function normalizePath(p) {
 }
 function getOutputPath(basePath, format, targetDir) {
   let outputPath = basePath;
-  if (!path8.isAbsolute(outputPath)) {
+  if (!path9.isAbsolute(outputPath)) {
     outputPath = resolvePath(targetDir, outputPath);
   }
-  const ext = path8.extname(outputPath);
+  const ext = path9.extname(outputPath);
   if (!ext) {
     const filename = format === "sarif" ? "vibecheck-scan.sarif" : "vibecheck-scan.json";
-    outputPath = path8.join(outputPath, filename);
+    outputPath = path9.join(outputPath, filename);
   } else if (format === "sarif" && ext === ".json") {
     outputPath = outputPath.replace(/\.json$/, ".sarif");
   } else if (format === "json" && ext === ".sarif") {
@@ -8376,11 +8842,19 @@ function getOutputPath(basePath, format, targetDir) {
   }
   return outputPath;
 }
-async function runScannersWithProgress(baseContext, totalFiles) {
+async function runScannersWithProgress(baseContext, totalFiles, customScanners = []) {
   const allFindings = [];
   const seenFingerprints = /* @__PURE__ */ new Set();
+  const packs = [...ALL_SCANNER_PACKS];
+  if (customScanners.length > 0) {
+    packs.push({
+      id: "custom",
+      name: "Custom Rules",
+      scanners: customScanners
+    });
+  }
   const progress = new ScanProgress(
-    ALL_SCANNER_PACKS.map((pack) => ({
+    packs.map((pack) => ({
       id: pack.id,
       name: pack.name,
       scannerCount: pack.scanners.length
@@ -8405,8 +8879,8 @@ async function runScannersWithProgress(baseContext, totalFiles) {
     prismaSchemaInfo: baseContext.prismaSchemaInfo
   });
   progress.start();
-  for (let packIndex = 0; packIndex < ALL_SCANNER_PACKS.length; packIndex++) {
-    const pack = ALL_SCANNER_PACKS[packIndex];
+  for (let packIndex = 0; packIndex < packs.length; packIndex++) {
+    const pack = packs[packIndex];
     progress.startPack(packIndex);
     for (let scannerIndex = 0; scannerIndex < pack.scanners.length; scannerIndex++) {
       const scanner = pack.scanners[scannerIndex];
@@ -8588,7 +9062,31 @@ async function executeScan(targetDir, options) {
   console.log(`\x1B[90m   \u251C\u2500 API routes: ${initialContext.fileIndex.apiRouteFiles.length}\x1B[0m`);
   console.log(`\x1B[90m   \u251C\u2500 Config files: ${initialContext.fileIndex.configFiles.length}\x1B[0m`);
   console.log(`\x1B[90m   \u2514\u2500 Framework: ${initialContext.repoMeta.framework}\x1B[0m`);
-  const findings = await runScannersWithProgress(initialContext, totalFiles);
+  let customScanners = [];
+  if (options.rules) {
+    const rulesSpinner = new Spinner("Loading custom rules");
+    rulesSpinner.start();
+    try {
+      const customRules = loadRulesFromDirectory(options.rules);
+      const validation = validateCustomRules(customRules);
+      if (validation.errors.length > 0) {
+        rulesSpinner.fail("Failed to validate custom rules");
+        console.error("\n\x1B[31mCustom rule validation errors:\x1B[0m");
+        for (const error of validation.errors) {
+          console.error(`  [${error.ruleId}] ${error.error}`);
+        }
+        return 1;
+      }
+      customScanners = createScannersFromRules(validation.valid);
+      rulesSpinner.succeed(`Loaded ${validation.valid.length} custom rule(s)`);
+      printRulesSummary(validation.valid);
+    } catch (error) {
+      rulesSpinner.fail("Failed to load custom rules");
+      console.error(`\x1B[31m${error instanceof Error ? error.message : String(error)}\x1B[0m`);
+      return 1;
+    }
+  }
+  const findings = await runScannersWithProgress(initialContext, totalFiles, customScanners);
   const endTime = Date.now();
   const scanDurationMs = endTime - startTime;
   let phase3Data;
@@ -8712,13 +9210,13 @@ async function executeScan(targetDir, options) {
   const outputFiles = [];
   if (format === "json" || format === "both") {
     const jsonPath = getOutputPath(options.out, "json", absoluteTarget);
-    ensureDir(path8.dirname(jsonPath));
+    ensureDir(path9.dirname(jsonPath));
     writeFileSync(jsonPath, JSON.stringify(artifact, null, 2));
     outputFiles.push(jsonPath);
   }
   if (format === "sarif" || format === "both") {
     const sarifPath = getOutputPath(options.out, "sarif", absoluteTarget);
-    ensureDir(path8.dirname(sarifPath));
+    ensureDir(path9.dirname(sarifPath));
     const sarifLog = toSarif(artifact);
     writeFileSync(sarifPath, sarifToJson(sarifLog));
     outputFiles.push(sarifPath);
@@ -8730,6 +9228,39 @@ async function executeScan(targetDir, options) {
     }
   }
   printSummary(artifact, options);
+  if (options.applyFixes) {
+    console.log("\n" + "=".repeat(60));
+    console.log("Applying Patches");
+    console.log("=".repeat(60));
+    const patchSummary = await applyPatches(
+      artifact.findings,
+      absoluteTarget,
+      {
+        force: options.force,
+        dryRun: false
+      }
+    );
+    console.log("\n" + "-".repeat(60));
+    console.log("Patch Summary");
+    console.log("-".repeat(60));
+    console.log(`Total patchable findings: ${patchSummary.totalPatchable}`);
+    console.log(`\x1B[32mSuccessfully applied: ${patchSummary.applied}\x1B[0m`);
+    if (patchSummary.failed > 0) {
+      console.log(`\x1B[31mFailed: ${patchSummary.failed}\x1B[0m`);
+    }
+    if (patchSummary.skipped > 0) {
+      console.log(`\x1B[90mSkipped: ${patchSummary.skipped}\x1B[0m`);
+    }
+    if (patchSummary.failed > 0) {
+      console.log("\nFailed patches:");
+      for (const result of patchSummary.results) {
+        if (!result.success && result.error !== "User declined") {
+          console.log(`  \x1B[31m\u2717\x1B[0m ${result.file}: ${result.error}`);
+        }
+      }
+    }
+    console.log("");
+  }
   if (shouldFail(findings, failOn)) {
     console.log(
       `\x1B[31mFailing: Found findings with severity >= ${failOn}\x1B[0m`
@@ -8748,7 +9279,7 @@ function registerScanCommand(program2) {
   ).option(
     "-o, --out <path>",
     "Output file or directory path",
-    path8.join(DEFAULT_OUTPUT_DIR, DEFAULT_OUTPUT_FILE)
+    path9.join(DEFAULT_OUTPUT_DIR, DEFAULT_OUTPUT_FILE)
   ).option(
     "-f, --format <format>",
     "Output format: json, sarif, or both",
@@ -8783,6 +9314,15 @@ function registerScanCommand(program2) {
   ).option(
     "--no-emit-traces",
     "Exclude proof traces from output"
+  ).option(
+    "--apply-fixes",
+    "Apply patches from findings after scan (requires confirmation unless --force is used)"
+  ).option(
+    "--force",
+    "Skip confirmation prompts when applying patches (use with --apply-fixes)"
+  ).option(
+    "-r, --rules <path>",
+    "Path to directory containing custom YAML rules or a single YAML rule file"
   ).addHelpText(
     "after",
     `
@@ -8805,6 +9345,10 @@ Examples:
   $ vibecheck scan --include-tests              Include test files
   $ vibecheck scan --no-emit-intents            Skip intent mining
   $ vibecheck scan --no-emit-traces             Skip proof trace building
+  $ vibecheck scan --apply-fixes                Apply patches from findings (with confirmation)
+  $ vibecheck scan --apply-fixes --force        Apply patches without confirmation prompts
+  $ vibecheck scan --rules ./custom-rules       Load custom YAML rules from directory
+  $ vibecheck scan -r my-rule.yaml              Load a single custom YAML rule file
 
 Windows-safe output paths:
   $ vibecheck scan --out vibecheck-scan.json    Relative path (recommended)
@@ -8830,7 +9374,10 @@ Default excludes:
       emitTraces: cmdOptions.emitTraces !== false,
       // default true
       exclude: cmdOptions.exclude,
-      includeTests: Boolean(cmdOptions.includeTests)
+      includeTests: Boolean(cmdOptions.includeTests),
+      applyFixes: Boolean(cmdOptions.applyFixes),
+      force: Boolean(cmdOptions.force),
+      rules: cmdOptions.rules
     };
     const exitCode = await executeScan(targetDir, options);
     process.exit(exitCode);
@@ -9351,7 +9898,7 @@ function registerDemoArtifactCommand(program2) {
 }
 
 // src/commands/intent.ts
-import path9 from "path";
+import path10 from "path";
 async function executeIntent(targetDir, options) {
   const absoluteTarget = resolvePath(targetDir);
   console.log(`Mining intent map: ${absoluteTarget}`);
@@ -9386,7 +9933,7 @@ Completed in ${endTime - startTime}ms`);
     options.repoName
   );
   let outputPath = options.out;
-  if (!path9.isAbsolute(outputPath)) {
+  if (!path10.isAbsolute(outputPath)) {
     outputPath = resolvePath(absoluteTarget, outputPath);
   }
   if (options.format === "json") {
@@ -9512,63 +10059,63 @@ function registerIntentCommand(program2) {
 }
 
 // src/commands/evaluate.ts
-import path10 from "path";
+import path11 from "path";
 
 // ../policy/dist/schemas/waiver.js
-import { z as z7 } from "zod";
-var WaiverMatchSchema = z7.object({
+import { z as z8 } from "zod";
+var WaiverMatchSchema = z8.object({
   /** Exact fingerprint match */
-  fingerprint: z7.string().optional(),
+  fingerprint: z8.string().optional(),
   /** Rule ID (exact or prefix like "VC-AUTH-*") */
-  ruleId: z7.string().optional(),
+  ruleId: z8.string().optional(),
   /** Path glob pattern for evidence file matching */
-  pathPattern: z7.string().optional()
+  pathPattern: z8.string().optional()
 });
-var WaiverSchema = z7.object({
+var WaiverSchema = z8.object({
   /** Unique waiver ID */
-  id: z7.string(),
+  id: z8.string(),
   /** Match criteria */
   match: WaiverMatchSchema.refine((m) => m.fingerprint || m.ruleId, { message: "Waiver must specify fingerprint or ruleId" }),
   /** Justification for the waiver */
-  reason: z7.string().min(1),
+  reason: z8.string().min(1),
   /** Who created this waiver */
-  createdBy: z7.string().min(1),
+  createdBy: z8.string().min(1),
   /** When the waiver was created */
-  createdAt: z7.string().datetime(),
+  createdAt: z8.string().datetime(),
   /** Optional expiration date */
-  expiresAt: z7.string().datetime().optional(),
+  expiresAt: z8.string().datetime().optional(),
   /** Optional ticket/issue reference */
-  ticketRef: z7.string().optional()
+  ticketRef: z8.string().optional()
 });
-var WaiversFileSchema = z7.object({
+var WaiversFileSchema = z8.object({
   /** Schema version */
-  version: z7.literal("0.1"),
+  version: z8.literal("0.1"),
   /** List of waivers */
-  waivers: z7.array(WaiverSchema)
+  waivers: z8.array(WaiverSchema)
 });
 
 // ../policy/dist/schemas/policy-config.js
-import { z as z8 } from "zod";
-var ProfileNameSchema = z8.enum(["startup", "strict", "compliance-lite"]);
-var ThresholdsSchema = z8.object({
+import { z as z9 } from "zod";
+var ProfileNameSchema = z9.enum(["startup", "strict", "compliance-lite"]);
+var ThresholdsSchema = z9.object({
   /** Minimum severity to trigger FAIL status */
   failOnSeverity: SeveritySchema.default("high"),
   /** Minimum severity to trigger WARN status */
   warnOnSeverity: SeveritySchema.default("medium"),
   /** Minimum confidence (0-1) for a finding to trigger FAIL */
-  minConfidenceForFail: z8.number().min(0).max(1).default(0.7),
+  minConfidenceForFail: z9.number().min(0).max(1).default(0.7),
   /** Minimum confidence (0-1) for a finding to trigger WARN */
-  minConfidenceForWarn: z8.number().min(0).max(1).default(0.5),
+  minConfidenceForWarn: z9.number().min(0).max(1).default(0.5),
   /** Special lower confidence threshold for critical findings */
-  minConfidenceCritical: z8.number().min(0).max(1).default(0.5),
+  minConfidenceCritical: z9.number().min(0).max(1).default(0.5),
   /** Maximum number of findings before auto-fail (0 = unlimited) */
-  maxFindings: z8.number().int().min(0).default(0),
+  maxFindings: z9.number().int().min(0).default(0),
   /** Maximum number of critical findings before auto-fail (0 = unlimited) */
-  maxCritical: z8.number().int().min(0).default(0),
+  maxCritical: z9.number().int().min(0).default(0),
   /** Maximum number of high findings before auto-fail (0 = unlimited) */
-  maxHigh: z8.number().int().min(0).default(0)
+  maxHigh: z9.number().int().min(0).default(0)
 });
-var OverrideActionSchema = z8.enum([
+var OverrideActionSchema = z9.enum([
   "ignore",
   // Skip this finding entirely
   "downgrade",
@@ -9580,62 +10127,62 @@ var OverrideActionSchema = z8.enum([
   "fail"
   // Always fail on this
 ]);
-var OverrideSchema = z8.object({
+var OverrideSchema = z9.object({
   /** Rule ID pattern (exact or prefix like "VC-AUTH-*") */
-  ruleId: z8.string().optional(),
+  ruleId: z9.string().optional(),
   /** Category to match */
   category: CategorySchema.optional(),
   /** Path pattern for evidence file matching (glob-like) */
-  pathPattern: z8.string().optional(),
+  pathPattern: z9.string().optional(),
   /** Action to take when matched */
   action: OverrideActionSchema,
   /** Override severity when action is downgrade/upgrade */
   severity: SeveritySchema.optional(),
   /** Comment explaining the override */
-  comment: z8.string().optional()
+  comment: z9.string().optional()
 });
-var RegressionPolicySchema = z8.object({
+var RegressionPolicySchema = z9.object({
   /** Fail on any new high/critical findings */
-  failOnNewHighCritical: z8.boolean().default(true),
+  failOnNewHighCritical: z9.boolean().default(true),
   /** Fail on any severity regression (e.g., medium became high) */
-  failOnSeverityRegression: z8.boolean().default(false),
+  failOnSeverityRegression: z9.boolean().default(false),
   /** Fail on net increase in findings */
-  failOnNetIncrease: z8.boolean().default(false),
+  failOnNetIncrease: z9.boolean().default(false),
   /** Warn on any new findings */
-  warnOnNewFindings: z8.boolean().default(true),
+  warnOnNewFindings: z9.boolean().default(true),
   /** Fail on protection removed from routes (auth/validation coverage decreased) */
-  failOnProtectionRemoved: z8.boolean().default(false),
+  failOnProtectionRemoved: z9.boolean().default(false),
   /** Warn on protection removed from routes */
-  warnOnProtectionRemoved: z8.boolean().default(true),
+  warnOnProtectionRemoved: z9.boolean().default(true),
   /** Fail on any semantic regression (coverage decrease, severity group increase) */
-  failOnSemanticRegression: z8.boolean().default(false)
+  failOnSemanticRegression: z9.boolean().default(false)
 });
-var PolicyConfigSchema = z8.object({
+var PolicyConfigSchema = z9.object({
   /** Profile name for presets */
   profile: ProfileNameSchema.optional(),
   /** Threshold configuration */
   thresholds: ThresholdsSchema.default({}),
   /** Override rules */
-  overrides: z8.array(OverrideSchema).default([]),
+  overrides: z9.array(OverrideSchema).default([]),
   /** Regression policy */
   regression: RegressionPolicySchema.default({})
 });
-var ConfigFileSchema = z8.object({
+var ConfigFileSchema = z9.object({
   /** Policy configuration */
   policy: PolicyConfigSchema.optional(),
   /** Path to waivers file */
-  waiversPath: z8.string().optional()
+  waiversPath: z9.string().optional()
 });
 
 // ../policy/dist/schemas/policy-report.js
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 var POLICY_REPORT_VERSION = "0.1";
-var PolicyStatusSchema = z9.enum(["pass", "warn", "fail"]);
-var PolicyReasonSchema = z9.object({
+var PolicyStatusSchema = z10.enum(["pass", "warn", "fail"]);
+var PolicyReasonSchema = z10.object({
   /** The status this reason contributes to */
   status: PolicyStatusSchema,
   /** Machine-readable reason code */
-  code: z9.enum([
+  code: z10.enum([
     "severity_threshold",
     "confidence_threshold",
     "count_threshold",
@@ -9651,47 +10198,47 @@ var PolicyReasonSchema = z9.object({
     "semantic_regression"
   ]),
   /** Human-readable description */
-  message: z9.string(),
+  message: z10.string(),
   /** Optional finding IDs that triggered this */
-  findingIds: z9.array(z9.string()).optional(),
+  findingIds: z10.array(z10.string()).optional(),
   /** Optional details */
-  details: z9.record(z9.unknown()).optional()
+  details: z10.record(z10.unknown()).optional()
 });
-var PolicySummaryCountsSchema = z9.object({
+var PolicySummaryCountsSchema = z10.object({
   /** Total findings after filtering */
-  total: z9.number().int(),
+  total: z10.number().int(),
   /** By severity */
-  bySeverity: z9.object({
-    critical: z9.number().int(),
-    high: z9.number().int(),
-    medium: z9.number().int(),
-    low: z9.number().int(),
-    info: z9.number().int()
+  bySeverity: z10.object({
+    critical: z10.number().int(),
+    high: z10.number().int(),
+    medium: z10.number().int(),
+    low: z10.number().int(),
+    info: z10.number().int()
   }),
   /** By category */
-  byCategory: z9.record(CategorySchema, z9.number().int()),
+  byCategory: z10.record(CategorySchema, z10.number().int()),
   /** Count of waived findings */
-  waived: z9.number().int(),
+  waived: z10.number().int(),
   /** Count of ignored by override */
-  ignored: z9.number().int()
+  ignored: z10.number().int()
 });
-var ProtectionRegressionSchema = z9.object({
+var ProtectionRegressionSchema = z10.object({
   /** Route identifier (e.g., "/api/users:POST") */
-  routeId: z9.string(),
+  routeId: z10.string(),
   /** File containing the route */
-  file: z9.string(),
+  file: z10.string(),
   /** HTTP method */
-  method: z9.string(),
+  method: z10.string(),
   /** Type of protection that was removed */
-  protectionType: z9.enum(["auth", "validation", "rate-limit", "middleware"]),
+  protectionType: z10.enum(["auth", "validation", "rate-limit", "middleware"]),
   /** Description of what changed */
-  description: z9.string(),
+  description: z10.string(),
   /** Related finding fingerprints */
-  relatedFingerprints: z9.array(z9.string()).optional()
+  relatedFingerprints: z10.array(z10.string()).optional()
 });
-var SemanticRegressionSchema = z9.object({
+var SemanticRegressionSchema = z10.object({
   /** Type of semantic regression */
-  type: z9.enum([
+  type: z10.enum([
     "protection_removed",
     // Auth/validation removed from route
     "coverage_decreased",
@@ -9702,68 +10249,68 @@ var SemanticRegressionSchema = z9.object({
   /** Severity of this regression */
   severity: SeveritySchema,
   /** Human-readable description */
-  description: z9.string(),
+  description: z10.string(),
   /** Route or fingerprint group affected */
-  affectedId: z9.string(),
+  affectedId: z10.string(),
   /** Detailed evidence */
-  details: z9.record(z9.unknown()).optional()
+  details: z10.record(z10.unknown()).optional()
 });
-var RegressionSummarySchema = z9.object({
+var RegressionSummarySchema = z10.object({
   /** Baseline artifact path or identifier */
-  baselineId: z9.string(),
+  baselineId: z10.string(),
   /** When baseline was generated */
-  baselineGeneratedAt: z9.string(),
+  baselineGeneratedAt: z10.string(),
   /** New findings (not in baseline) */
-  newFindings: z9.array(z9.object({
-    findingId: z9.string(),
-    fingerprint: z9.string(),
+  newFindings: z10.array(z10.object({
+    findingId: z10.string(),
+    fingerprint: z10.string(),
     severity: SeveritySchema,
-    ruleId: z9.string(),
-    title: z9.string()
+    ruleId: z10.string(),
+    title: z10.string()
   })),
   /** Resolved findings (in baseline but not current) */
-  resolvedFindings: z9.array(z9.object({
-    fingerprint: z9.string(),
+  resolvedFindings: z10.array(z10.object({
+    fingerprint: z10.string(),
     severity: SeveritySchema,
-    ruleId: z9.string(),
-    title: z9.string()
+    ruleId: z10.string(),
+    title: z10.string()
   })),
   /** Persisting findings (in both) */
-  persistingCount: z9.number().int(),
+  persistingCount: z10.number().int(),
   /** Severity regressions (same fingerprint but higher severity) */
-  severityRegressions: z9.array(z9.object({
-    fingerprint: z9.string(),
-    ruleId: z9.string(),
+  severityRegressions: z10.array(z10.object({
+    fingerprint: z10.string(),
+    ruleId: z10.string(),
     previousSeverity: SeveritySchema,
     currentSeverity: SeveritySchema,
-    title: z9.string()
+    title: z10.string()
   })),
   /** Net change in finding count */
-  netChange: z9.number().int(),
+  netChange: z10.number().int(),
   /** Protection regressions (auth/validation removed from routes) */
-  protectionRegressions: z9.array(ProtectionRegressionSchema).optional(),
+  protectionRegressions: z10.array(ProtectionRegressionSchema).optional(),
   /** Semantic regressions (abstract security property degradations) */
-  semanticRegressions: z9.array(SemanticRegressionSchema).optional()
+  semanticRegressions: z10.array(SemanticRegressionSchema).optional()
 });
-var WaivedFindingSchema = z9.object({
+var WaivedFindingSchema = z10.object({
   /** The finding that was waived */
-  finding: z9.object({
-    id: z9.string(),
-    fingerprint: z9.string(),
-    ruleId: z9.string(),
+  finding: z10.object({
+    id: z10.string(),
+    fingerprint: z10.string(),
+    ruleId: z10.string(),
     severity: SeveritySchema,
-    title: z9.string()
+    title: z10.string()
   }),
   /** The waiver that matched */
   waiver: WaiverSchema,
   /** Whether waiver is expired */
-  expired: z9.boolean()
+  expired: z10.boolean()
 });
-var PolicyReportSchema = z9.object({
+var PolicyReportSchema = z10.object({
   /** Report schema version */
-  policyVersion: z9.literal(POLICY_REPORT_VERSION),
+  policyVersion: z10.literal(POLICY_REPORT_VERSION),
   /** When evaluation was performed */
-  evaluatedAt: z9.string().datetime(),
+  evaluatedAt: z10.string().datetime(),
   /** Profile name used */
   profileName: ProfileNameSchema.nullable(),
   /** Final status */
@@ -9771,36 +10318,36 @@ var PolicyReportSchema = z9.object({
   /** Thresholds applied */
   thresholds: ThresholdsSchema,
   /** Overrides applied */
-  overrides: z9.array(OverrideSchema),
+  overrides: z10.array(OverrideSchema),
   /** Regression policy applied */
   regressionPolicy: RegressionPolicySchema,
   /** Summary counts */
   summary: PolicySummaryCountsSchema,
   /** Reasons for the status */
-  reasons: z9.array(PolicyReasonSchema),
+  reasons: z10.array(PolicyReasonSchema),
   /** Regression summary (if baseline provided) */
   regression: RegressionSummarySchema.optional(),
   /** Waived findings */
-  waivedFindings: z9.array(WaivedFindingSchema),
+  waivedFindings: z10.array(WaivedFindingSchema),
   /** Active (non-waived, non-ignored) findings included in evaluation */
-  activeFindings: z9.array(z9.object({
-    id: z9.string(),
-    fingerprint: z9.string(),
-    ruleId: z9.string(),
+  activeFindings: z10.array(z10.object({
+    id: z10.string(),
+    fingerprint: z10.string(),
+    ruleId: z10.string(),
     severity: SeveritySchema,
     originalSeverity: SeveritySchema.optional(),
-    confidence: z9.number(),
-    title: z9.string(),
+    confidence: z10.number(),
+    title: z10.string(),
     category: CategorySchema,
-    evidencePaths: z9.array(z9.string())
+    evidencePaths: z10.array(z10.string())
   })),
   /** Recommended exit code (0 = pass/warn, 1 = fail) */
-  exitCode: z9.union([z9.literal(0), z9.literal(1)]),
+  exitCode: z10.union([z10.literal(0), z10.literal(1)]),
   /** Source artifact info */
-  artifact: z9.object({
-    path: z9.string().optional(),
-    generatedAt: z9.string(),
-    repoName: z9.string().optional()
+  artifact: z10.object({
+    path: z10.string().optional(),
+    generatedAt: z10.string(),
+    repoName: z10.string().optional()
   })
 });
 
@@ -9928,7 +10475,7 @@ var PROFILE_DESCRIPTIONS = {
 };
 
 // ../policy/dist/waivers.js
-import micromatch from "micromatch";
+import micromatch2 from "micromatch";
 function matchRuleId(ruleId, pattern) {
   if (pattern.endsWith("*")) {
     const prefix = pattern.slice(0, -1);
@@ -9937,7 +10484,7 @@ function matchRuleId(ruleId, pattern) {
   return ruleId === pattern;
 }
 function matchPathPattern(evidencePaths, pattern) {
-  return evidencePaths.some((path14) => micromatch.isMatch(path14, pattern));
+  return evidencePaths.some((path15) => micromatch2.isMatch(path15, pattern));
 }
 function isWaiverExpired(waiver, now = /* @__PURE__ */ new Date()) {
   if (!waiver.expiresAt) {
@@ -10748,7 +11295,7 @@ async function executeEvaluate(options) {
   });
   if (options.out) {
     const outPath = resolvePath(options.out);
-    ensureDir(path10.dirname(outPath));
+    ensureDir(path11.dirname(outPath));
     writeFileSync(outPath, JSON.stringify(report, null, 2));
     if (!options.quiet) {
       console.log(`Policy report written to: ${outPath}`);
@@ -10826,7 +11373,7 @@ Examples:
 }
 
 // src/commands/waivers.ts
-import path11 from "path";
+import path12 from "path";
 var DEFAULT_WAIVERS_FILE = "vibecheck-waivers.json";
 function loadWaiversFile(filepath) {
   const absolutePath = resolvePath(filepath);
@@ -10846,7 +11393,7 @@ function loadWaiversFile(filepath) {
 }
 function saveWaiversFile(filepath, file) {
   const absolutePath = resolvePath(filepath);
-  ensureDir(path11.dirname(absolutePath));
+  ensureDir(path12.dirname(absolutePath));
   writeFileSync(absolutePath, JSON.stringify(file, null, 2));
 }
 function executeWaiversInit(filepath, force) {
@@ -11019,13 +11566,13 @@ Examples:
 }
 
 // src/commands/view.ts
-import { existsSync as existsSync3 } from "fs";
-import { resolve as resolve2, join as join3 } from "path";
+import { existsSync as existsSync4 } from "fs";
+import { resolve as resolve2, join as join4 } from "path";
 
 // src/utils/static-server.ts
 import { createServer } from "http";
-import { existsSync, readFileSync as readFileSync2, statSync, readdirSync } from "fs";
-import { join, extname } from "path";
+import { existsSync as existsSync2, readFileSync as readFileSync5, statSync as statSync2, readdirSync as readdirSync2 } from "fs";
+import { join as join2, extname as extname3 } from "path";
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript; charset=utf-8",
@@ -11050,7 +11597,7 @@ var MIME_TYPES = {
   ".map": "application/json"
 };
 function getMimeType(filePath) {
-  const ext = extname(filePath).toLowerCase();
+  const ext = extname3(filePath).toLowerCase();
   return MIME_TYPES[ext] || "application/octet-stream";
 }
 function resolveFilePath(staticDir, urlPath) {
@@ -11064,49 +11611,49 @@ function resolveFilePath(staticDir, urlPath) {
   if (queryIndex !== -1) {
     decodedPath = decodedPath.substring(0, queryIndex);
   }
-  let filePath = join(staticDir, decodedPath === "/" ? "index.html" : decodedPath);
-  const normalizedPath = join(filePath);
+  let filePath = join2(staticDir, decodedPath === "/" ? "index.html" : decodedPath);
+  const normalizedPath = join2(filePath);
   if (!normalizedPath.startsWith(staticDir)) {
     return null;
   }
-  if (existsSync(filePath)) {
-    const stat = statSync(filePath);
+  if (existsSync2(filePath)) {
+    const stat = statSync2(filePath);
     if (stat.isDirectory()) {
-      filePath = join(filePath, "index.html");
-      if (!existsSync(filePath)) {
+      filePath = join2(filePath, "index.html");
+      if (!existsSync2(filePath)) {
         return null;
       }
     }
     return filePath;
   }
-  if (existsSync(filePath + ".html")) {
+  if (existsSync2(filePath + ".html")) {
     return filePath + ".html";
   }
   const segments = decodedPath.split("/").filter(Boolean);
   if (segments.length >= 2) {
     const parentPath = segments.slice(0, -1).join("/");
-    const parentDir = join(staticDir, parentPath);
-    if (existsSync(parentDir) && statSync(parentDir).isDirectory()) {
+    const parentDir = join2(staticDir, parentPath);
+    if (existsSync2(parentDir) && statSync2(parentDir).isDirectory()) {
       try {
-        const files = readdirSync(parentDir);
+        const files = readdirSync2(parentDir);
         const htmlFile = files.find((f) => f.endsWith(".html"));
         if (htmlFile) {
-          return join(parentDir, htmlFile);
+          return join2(parentDir, htmlFile);
         }
       } catch {
       }
     }
-    const parentHtml = join(staticDir, parentPath + ".html");
-    if (existsSync(parentHtml)) {
+    const parentHtml = join2(staticDir, parentPath + ".html");
+    if (existsSync2(parentHtml)) {
       return parentHtml;
     }
-    const parentIndexHtml = join(staticDir, parentPath, "index.html");
-    if (existsSync(parentIndexHtml)) {
+    const parentIndexHtml = join2(staticDir, parentPath, "index.html");
+    if (existsSync2(parentIndexHtml)) {
       return parentIndexHtml;
     }
   }
-  const indexPath = join(staticDir, "index.html");
-  if (existsSync(indexPath)) {
+  const indexPath = join2(staticDir, "index.html");
+  if (existsSync2(indexPath)) {
     return indexPath;
   }
   return null;
@@ -11120,7 +11667,7 @@ function handleRequest(staticDir, req, res) {
     return;
   }
   try {
-    const content = readFileSync2(filePath);
+    const content = readFileSync5(filePath);
     const contentType = getMimeType(filePath);
     res.writeHead(200, {
       "Content-Type": contentType,
@@ -11140,9 +11687,9 @@ async function startStaticServer(options) {
     const server = createServer((req, res) => {
       const urlPath = req.url || "/";
       if (urlPath === "/__vibecheck__/artifact" || urlPath === "/__vibecheck__/artifact.json") {
-        if (artifactPath && existsSync(artifactPath)) {
+        if (artifactPath && existsSync2(artifactPath)) {
           try {
-            const content = readFileSync2(artifactPath);
+            const content = readFileSync5(artifactPath);
             res.writeHead(200, {
               "Content-Type": "application/json",
               "Content-Length": content.length,
@@ -11222,22 +11769,22 @@ function isPortAvailable(port) {
 }
 
 // src/utils/viewer-cache.ts
-import { existsSync as existsSync2, mkdirSync, writeFileSync as writeFileSync3, readFileSync as readFileSync3, rmSync } from "fs";
-import { join as join2 } from "path";
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync3, readFileSync as readFileSync6, rmSync } from "fs";
+import { join as join3 } from "path";
 import { homedir } from "os";
 import { execSync as execSync2 } from "child_process";
 import { extract } from "tar";
-var CACHE_DIR = join2(homedir(), ".vibecheck");
-var VIEWER_DIR = join2(CACHE_DIR, "viewer");
-var VIEWER_DIST_DIR = join2(VIEWER_DIR, "dist");
-var VERSION_FILE = join2(VIEWER_DIR, ".version");
+var CACHE_DIR = join3(homedir(), ".vibecheck");
+var VIEWER_DIR = join3(CACHE_DIR, "viewer");
+var VIEWER_DIST_DIR = join3(VIEWER_DIR, "dist");
+var VERSION_FILE = join3(VIEWER_DIR, ".version");
 var VIEWER_PACKAGE = "@quantracode/vibecheck-viewer";
 function getInstalledVersion() {
-  if (!existsSync2(VERSION_FILE)) {
+  if (!existsSync3(VERSION_FILE)) {
     return null;
   }
   try {
-    return readFileSync3(VERSION_FILE, "utf-8").trim();
+    return readFileSync6(VERSION_FILE, "utf-8").trim();
   } catch {
     return null;
   }
@@ -11266,7 +11813,7 @@ async function downloadPackage(version) {
       stdio: ["pipe", "pipe", "pipe"]
     }
   ).trim();
-  if (existsSync2(VIEWER_DIR)) {
+  if (existsSync3(VIEWER_DIR)) {
     rmSync(VIEWER_DIR, { recursive: true, force: true });
   }
   mkdirSync(VIEWER_DIR, { recursive: true });
@@ -11274,7 +11821,7 @@ async function downloadPackage(version) {
   if (!response.ok) {
     throw new Error(`Failed to download viewer: ${response.statusText}`);
   }
-  const tarPath = join2(CACHE_DIR, "viewer.tgz");
+  const tarPath = join3(CACHE_DIR, "viewer.tgz");
   const buffer = Buffer.from(await response.arrayBuffer());
   writeFileSync3(tarPath, buffer);
   await extract({
@@ -11292,7 +11839,7 @@ async function ensureViewer(forceUpdate = false) {
   try {
     latestVersion = await getLatestVersion();
   } catch (error) {
-    if (installedVersion && existsSync2(join2(VIEWER_DIST_DIR, "index.html"))) {
+    if (installedVersion && existsSync3(join3(VIEWER_DIST_DIR, "index.html"))) {
       return {
         path: VIEWER_DIST_DIR,
         version: installedVersion
@@ -11300,7 +11847,7 @@ async function ensureViewer(forceUpdate = false) {
     }
     throw error;
   }
-  const needsUpdate = forceUpdate || !installedVersion || installedVersion !== latestVersion || !existsSync2(join2(VIEWER_DIST_DIR, "index.html"));
+  const needsUpdate = forceUpdate || !installedVersion || installedVersion !== latestVersion || !existsSync3(join3(VIEWER_DIST_DIR, "index.html"));
   if (needsUpdate) {
     console.log(
       installedVersion ? `Updating viewer from ${installedVersion} to ${latestVersion}...` : `Installing viewer v${latestVersion}...`
@@ -11315,7 +11862,7 @@ async function ensureViewer(forceUpdate = false) {
   };
 }
 function clearViewerCache() {
-  if (existsSync2(VIEWER_DIR)) {
+  if (existsSync3(VIEWER_DIR)) {
     rmSync(VIEWER_DIR, { recursive: true, force: true });
     console.log("Viewer cache cleared.");
   } else {
@@ -11425,7 +11972,7 @@ Check your network connection and try again.`);
 `);
     process.exit(1);
   }
-  if (!existsSync3(join3(viewerInfo.path, "index.html"))) {
+  if (!existsSync4(join4(viewerInfo.path, "index.html"))) {
     console.error(`\x1B[31mError: Viewer files not found.\x1B[0m`);
     console.error(`Try reinstalling: vibecheck view --update
 `);
@@ -11434,7 +11981,7 @@ Check your network connection and try again.`);
   let artifactPath;
   if (options.artifact) {
     artifactPath = resolve2(options.artifact);
-    if (!existsSync3(artifactPath)) {
+    if (!existsSync4(artifactPath)) {
       console.log(
         `\x1B[33mWarning: Artifact file not found: ${options.artifact}\x1B[0m
 `
@@ -11450,7 +11997,7 @@ Check your network connection and try again.`);
     ];
     for (const p of commonPaths) {
       const fullPath = resolve2(p);
-      if (existsSync3(fullPath)) {
+      if (existsSync4(fullPath)) {
         artifactPath = fullPath;
         console.log(`\x1B[90mAuto-detected artifact: ${p}\x1B[0m`);
         break;
@@ -11515,11 +12062,11 @@ Workflow:
 }
 
 // src/commands/license.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync2, unlinkSync } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync2, unlinkSync } from "fs";
 import { homedir as homedir2 } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 import chalk from "chalk";
-import readline from "readline";
+import readline2 from "readline";
 
 // ../license/dist/types.js
 var PLAN_FEATURES = {
@@ -11733,17 +12280,17 @@ function inspectLicense(licenseKey) {
 }
 
 // src/commands/license.ts
-var CONFIG_DIR = join4(homedir2(), ".vibecheck");
-var LICENSE_FILE = join4(CONFIG_DIR, "license.key");
+var CONFIG_DIR = join5(homedir2(), ".vibecheck");
+var LICENSE_FILE = join5(CONFIG_DIR, "license.key");
 function ensureConfigDir() {
-  if (!existsSync4(CONFIG_DIR)) {
+  if (!existsSync5(CONFIG_DIR)) {
     mkdirSync2(CONFIG_DIR, { recursive: true });
   }
 }
 function getStoredLicenseKey() {
   try {
-    if (existsSync4(LICENSE_FILE)) {
-      return readFileSync4(LICENSE_FILE, "utf-8").trim();
+    if (existsSync5(LICENSE_FILE)) {
+      return readFileSync7(LICENSE_FILE, "utf-8").trim();
     }
   } catch {
   }
@@ -11755,7 +12302,7 @@ function storeLicenseKey(licenseKey) {
 }
 function clearLicenseKey() {
   try {
-    if (existsSync4(LICENSE_FILE)) {
+    if (existsSync5(LICENSE_FILE)) {
       unlinkSync(LICENSE_FILE);
       return true;
     }
@@ -11764,7 +12311,7 @@ function clearLicenseKey() {
   return false;
 }
 function promptInput(question) {
-  const rl = readline.createInterface({
+  const rl = readline2.createInterface({
     input: process.stdin,
     output: process.stdout
   });
@@ -11935,11 +12482,11 @@ async function createLicenseAction(options) {
   }
   let privateKey;
   if (options.key) {
-    if (!existsSync4(options.key)) {
+    if (!existsSync5(options.key)) {
       console.error(chalk.red(`Error: Key file not found: ${options.key}`));
       process.exit(1);
     }
-    privateKey = readFileSync4(options.key, "utf-8").trim();
+    privateKey = readFileSync7(options.key, "utf-8").trim();
   } else if (process.env[options.keyEnv]) {
     privateKey = process.env[options.keyEnv];
   }
@@ -12111,7 +12658,7 @@ async function keygenAction() {
 }
 
 // src/commands/verify-determinism.ts
-import path12 from "path";
+import path13 from "path";
 import crypto9 from "crypto";
 function normalizeArtifact(artifact) {
   const normalized = JSON.parse(JSON.stringify(artifact));
@@ -12371,8 +12918,8 @@ async function executeVerifyDeterminism(targetDir, options) {
   printCertificate(certificate, verbose);
   if (out) {
     const outPath = resolvePath(out);
-    ensureDir(path12.dirname(outPath));
-    const certPath = outPath.endsWith(".json") ? outPath : path12.join(outPath, "determinism-cert.json");
+    ensureDir(path13.dirname(outPath));
+    const certPath = outPath.endsWith(".json") ? outPath : path13.join(outPath, "determinism-cert.json");
     writeFileSync(certPath, JSON.stringify(certificate, null, 2));
     console.log(`Certificate written to: ${certPath}
 `);
@@ -12418,7 +12965,7 @@ What it does:
 }
 
 // src/commands/badge.ts
-import path13 from "path";
+import path14 from "path";
 var COLORS = {
   brightgreen: "#4c1",
   green: "#97ca00",
@@ -12653,7 +13200,7 @@ async function executeBadge(options) {
   const writtenFiles = [];
   for (const badge of badges) {
     const svg = generateSvgBadge(badge, style);
-    const filePath = path13.join(absoluteOutPath, badge.filename);
+    const filePath = path14.join(absoluteOutPath, badge.filename);
     writeFileSync(filePath, svg);
     writtenFiles.push(filePath);
     console.log(`  \x1B[32m\u2713\x1B[0m ${badge.filename} (${badge.label}: ${badge.message})`);
@@ -12662,8 +13209,8 @@ async function executeBadge(options) {
 \x1B[32m${writtenFiles.length} badges generated\x1B[0m
 `);
   console.log(`\x1B[90mUsage in README.md:\x1B[0m`);
-  console.log(`  ![VibeCheck Status](${path13.basename(absoluteOutPath)}/vibecheck-status.svg)`);
-  console.log(`  ![VibeCheck Score](${path13.basename(absoluteOutPath)}/vibecheck-score.svg)
+  console.log(`  ![VibeCheck Status](${path14.basename(absoluteOutPath)}/vibecheck-status.svg)`);
+  console.log(`  ![VibeCheck Score](${path14.basename(absoluteOutPath)}/vibecheck-score.svg)
 `);
   return 0;
 }