@rigour-labs/core 3.0.0 → 3.0.2

package/dist/gates/hallucinated-imports.d.ts

@@ -46,10 +46,26 @@ export declare class HallucinatedImportsGate extends Gate {
     private isNodeBuiltin;
     private isPythonStdlib;
     /**
-     * Check Go imports — verify relative/project package paths exist
-     * Go stdlib packages are skipped; only project-relative imports are checked
+     * Check Go imports — verify project-relative package paths exist.
+     *
+     * Strategy:
+     *  1. Skip Go standard library (comprehensive list of 150+ packages)
+     *  2. Skip external modules (any path containing a dot → domain name)
+     *  3. Parse go.mod for the project module path
+     *  4. Only flag imports that match the project module prefix but don't resolve
+     *
+     * @since v3.0.1 — fixed false positives on Go stdlib (encoding/json, net/http, etc.)
      */
     private checkGoImports;
+    /**
+     * Comprehensive Go standard library package list.
+     * Includes all packages from Go 1.22+ (latest stable).
+     * Go stdlib is identified by having NO dots in the import path.
+     * We maintain an explicit list for packages with slashes (e.g. encoding/json).
+     *
+     * @since v3.0.1
+     */
+    private isGoStdlib;
     /**
      * Check Ruby imports — verify require_relative paths exist
      */

package/dist/gates/hallucinated-imports.js

@@ -295,12 +295,31 @@ export class HallucinatedImportsGate extends Gate {
         return stdlibs.has(topLevel);
     }
     /**
-     * Check Go imports — verify relative/project package paths exist
-     * Go stdlib packages are skipped; only project-relative imports are checked
+     * Check Go imports — verify project-relative package paths exist.
+     *
+     * Strategy:
+     *  1. Skip Go standard library (comprehensive list of 150+ packages)
+     *  2. Skip external modules (any path containing a dot → domain name)
+     *  3. Parse go.mod for the project module path
+     *  4. Only flag imports that match the project module prefix but don't resolve
+     *
+     * @since v3.0.1 — fixed false positives on Go stdlib (encoding/json, net/http, etc.)
      */
     checkGoImports(content, file, cwd, projectFiles, hallucinated) {
         const lines = content.split('\n');
         let inImportBlock = false;
+        // Try to read go.mod for the module path
+        const goModPath = path.join(cwd, 'go.mod');
+        let modulePath = null;
+        try {
+            if (fs.pathExistsSync(goModPath)) {
+                const goMod = fs.readFileSync(goModPath, 'utf-8');
+                const moduleMatch = goMod.match(/^module\s+(\S+)/m);
+                if (moduleMatch)
+                    modulePath = moduleMatch[1];
+            }
+        }
+        catch { /* no go.mod — skip project-relative checks entirely */ }
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i].trim();
             // Detect import block: import ( ... )
@@ -312,30 +331,136 @@ export class HallucinatedImportsGate extends Gate {
                 inImportBlock = false;
                 continue;
             }
-            // Single import: import "path"
-            const singleMatch = line.match(/^import\s+"([^"]+)"/);
-            const blockMatch = inImportBlock ? line.match(/^\s*"([^"]+)"/) : null;
+            // Single import: import "path"  or  import alias "path"
+            const singleMatch = line.match(/^import\s+(?:\w+\s+)?"([^"]+)"/);
+            const blockMatch = inImportBlock ? line.match(/^\s*(?:\w+\s+)?"([^"]+)"/) : null;
             const importPath = singleMatch?.[1] || blockMatch?.[1];
             if (!importPath)
                 continue;
-            // Skip Go stdlib (no dots in path = stdlib or well-known)
-            if (!importPath.includes('.') && !importPath.includes('/'))
+            // 1. Skip Go standard library — comprehensive list
+            if (this.isGoStdlib(importPath))
                 continue;
-            // Project-relative imports (contain module path from go.mod)
-            // We only flag imports that look like project paths but don't resolve
-            if (importPath.includes('/') && !importPath.startsWith('github.com') && !importPath.startsWith('golang.org')) {
-                // Check if the path maps to a directory in the project
-                const dirPath = importPath.split('/').slice(-2).join('/');
-                const hasMatchingFile = [...projectFiles].some(f => f.includes(dirPath));
+            // 2. If we have a module path, check project-relative imports FIRST
+            //    (project imports like github.com/myorg/project/pkg also have dots)
+            if (modulePath && importPath.startsWith(modulePath + '/')) {
+                const relPath = importPath.slice(modulePath.length + 1);
+                const hasMatchingFile = [...projectFiles].some(f => f.endsWith('.go') && f.startsWith(relPath));
                 if (!hasMatchingFile) {
                     hallucinated.push({
                         file, line: i + 1, importPath, type: 'go',
-                        reason: `Go import '${importPath}' — package path not found in project`,
+                        reason: `Go import '${importPath}' — package directory '${relPath}' not found in project`,
                     });
                 }
+                continue;
             }
+            // 3. Skip external modules — any import containing a dot is a domain
+            //    e.g. github.com/*, google.golang.org/*, go.uber.org/*
+            if (importPath.includes('.'))
+                continue;
+            // 4. No dots, no go.mod match, not stdlib → likely an internal package
+            //    without go.mod context we can't verify, so skip to avoid false positives
         }
     }
+    /**
+     * Comprehensive Go standard library package list.
+     * Includes all packages from Go 1.22+ (latest stable).
+     * Go stdlib is identified by having NO dots in the import path.
+     * We maintain an explicit list for packages with slashes (e.g. encoding/json).
+     *
+     * @since v3.0.1
+     */
+    isGoStdlib(importPath) {
+        // Fast check: single-segment packages are always stdlib if no dots
+        if (!importPath.includes('/') && !importPath.includes('.'))
+            return true;
+        // Check the full path against known stdlib packages with sub-paths
+        const topLevel = importPath.split('/')[0];
+        // All Go stdlib top-level packages (including those with sub-packages)
+        const stdlibTopLevel = new Set([
+            // Single-word packages
+            'archive', 'bufio', 'builtin', 'bytes', 'cmp', 'compress',
+            'container', 'context', 'crypto', 'database', 'debug',
+            'embed', 'encoding', 'errors', 'expvar', 'flag', 'fmt',
+            'go', 'hash', 'html', 'image', 'index', 'io', 'iter',
+            'log', 'maps', 'math', 'mime', 'net', 'os', 'path',
+            'plugin', 'reflect', 'regexp', 'runtime', 'slices', 'sort',
+            'strconv', 'strings', 'structs', 'sync', 'syscall',
+            'testing', 'text', 'time', 'unicode', 'unique', 'unsafe',
+            // Internal packages (used by stdlib, sometimes by tools)
+            'internal', 'vendor',
+        ]);
+        if (stdlibTopLevel.has(topLevel))
+            return true;
+        // Explicit full-path list for maximum safety — covers all Go 1.22 stdlib paths
+        // This catches any edge case the top-level check might miss
+        const knownStdlibPaths = new Set([
+            // archive/*
+            'archive/tar', 'archive/zip',
+            // compress/*
+            'compress/bzip2', 'compress/flate', 'compress/gzip', 'compress/lzw', 'compress/zlib',
+            // container/*
+            'container/heap', 'container/list', 'container/ring',
+            // crypto/*
+            'crypto/aes', 'crypto/cipher', 'crypto/des', 'crypto/dsa',
+            'crypto/ecdh', 'crypto/ecdsa', 'crypto/ed25519', 'crypto/elliptic',
+            'crypto/hmac', 'crypto/md5', 'crypto/rand', 'crypto/rc4',
+            'crypto/rsa', 'crypto/sha1', 'crypto/sha256', 'crypto/sha512',
+            'crypto/subtle', 'crypto/tls', 'crypto/x509', 'crypto/x509/pkix',
+            // database/*
+            'database/sql', 'database/sql/driver',
+            // debug/*
+            'debug/buildinfo', 'debug/dwarf', 'debug/elf', 'debug/gosym',
+            'debug/macho', 'debug/pe', 'debug/plan9obj',
+            // encoding/*
+            'encoding/ascii85', 'encoding/asn1', 'encoding/base32', 'encoding/base64',
+            'encoding/binary', 'encoding/csv', 'encoding/gob', 'encoding/hex',
+            'encoding/json', 'encoding/pem', 'encoding/xml',
+            // go/*
+            'go/ast', 'go/build', 'go/build/constraint', 'go/constant',
+            'go/doc', 'go/doc/comment', 'go/format', 'go/importer',
+            'go/parser', 'go/printer', 'go/scanner', 'go/token', 'go/types', 'go/version',
+            // hash/*
+            'hash/adler32', 'hash/crc32', 'hash/crc64', 'hash/fnv', 'hash/maphash',
+            // html/*
+            'html/template',
+            // image/*
+            'image/color', 'image/color/palette', 'image/draw',
+            'image/gif', 'image/jpeg', 'image/png',
+            // index/*
+            'index/suffixarray',
+            // io/*
+            'io/fs', 'io/ioutil',
+            // log/*
+            'log/slog', 'log/syslog',
+            // math/*
+            'math/big', 'math/bits', 'math/cmplx', 'math/rand', 'math/rand/v2',
+            // mime/*
+            'mime/multipart', 'mime/quotedprintable',
+            // net/*
+            'net/http', 'net/http/cgi', 'net/http/cookiejar', 'net/http/fcgi',
+            'net/http/httptest', 'net/http/httptrace', 'net/http/httputil',
+            'net/http/pprof', 'net/mail', 'net/netip', 'net/rpc',
+            'net/rpc/jsonrpc', 'net/smtp', 'net/textproto', 'net/url',
+            // os/*
+            'os/exec', 'os/signal', 'os/user',
+            // path/*
+            'path/filepath',
+            // regexp/*
+            'regexp/syntax',
+            // runtime/*
+            'runtime/cgo', 'runtime/coverage', 'runtime/debug', 'runtime/metrics',
+            'runtime/pprof', 'runtime/race', 'runtime/trace',
+            // sync/*
+            'sync/atomic',
+            // testing/*
+            'testing/fstest', 'testing/iotest', 'testing/quick', 'testing/slogtest',
+            // text/*
+            'text/scanner', 'text/tabwriter', 'text/template', 'text/template/parse',
+            // unicode/*
+            'unicode/utf16', 'unicode/utf8',
+        ]);
+        return knownStdlibPaths.has(importPath);
+    }
     /**
      * Check Ruby imports — verify require_relative paths exist
      */

package/dist/gates/hallucinated-imports.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/hallucinated-imports.test.js

@@ -0,0 +1,288 @@
+/**
+ * Hallucinated Imports Gate — Go Standard Library False Positive Regression Tests
+ *
+ * Tests the fix for https://github.com/rigour-labs/rigour/issues/XXX
+ * Previously, Go stdlib packages with slashes (encoding/json, net/http, etc.)
+ * were flagged as hallucinated imports because the gate only recognized
+ * single-word stdlib packages (fmt, os, io).
+ *
+ * @since v3.0.1
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { HallucinatedImportsGate } from './hallucinated-imports.js';
+// fs-extra is mocked via module-level mock fns above
+// Mock fs-extra — vi.hoisted ensures these are available when vi.mock runs (hoisted)
+const { mockPathExists, mockPathExistsSync, mockReadFile, mockReadFileSync, mockReadJson } = vi.hoisted(() => ({
+    mockPathExists: vi.fn(),
+    mockPathExistsSync: vi.fn(),
+    mockReadFile: vi.fn(),
+    mockReadFileSync: vi.fn(),
+    mockReadJson: vi.fn(),
+}));
+vi.mock('fs-extra', () => {
+    const mock = {
+        pathExists: mockPathExists,
+        pathExistsSync: mockPathExistsSync,
+        readFile: mockReadFile,
+        readFileSync: mockReadFileSync,
+        readJson: mockReadJson,
+    };
+    return {
+        ...mock,
+        default: mock,
+    };
+});
+// Mock FileScanner
+vi.mock('../utils/scanner.js', () => ({
+    FileScanner: {
+        findFiles: vi.fn().mockResolvedValue([]),
+    },
+}));
+import { FileScanner } from '../utils/scanner.js';
+describe('HallucinatedImportsGate — Go stdlib false positives', () => {
+    let gate;
+    const testCwd = '/tmp/test-go-project';
+    const context = {
+        cwd: testCwd,
+        ignore: [],
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        gate = new HallucinatedImportsGate({ enabled: true });
+    });
+    /**
+     * This is the exact scenario from PicoClaw — Go stdlib packages with slashes
+     * were being flagged as hallucinated. These are ALL real Go stdlib packages.
+     */
+    it('should NOT flag Go standard library packages as hallucinated (PicoClaw regression)', async () => {
+        const goFileContent = `package main
+
+import (
+    "encoding/json"
+    "path/filepath"
+    "net/http"
+    "crypto/rand"
+    "crypto/sha256"
+    "encoding/base64"
+    "os/exec"
+    "os/signal"
+    "net/url"
+    "fmt"
+    "io"
+    "os"
+    "strings"
+    "context"
+    "sync"
+    "time"
+    "log"
+    "errors"
+    "io/ioutil"
+    "io/fs"
+    "math/rand"
+    "regexp"
+    "strconv"
+    "bytes"
+    "bufio"
+    "sort"
+    "testing"
+    "net/http/httptest"
+    "database/sql"
+    "html/template"
+    "text/template"
+    "archive/zip"
+    "compress/gzip"
+    "runtime/debug"
+)
+
+func main() {}
+`;
+        const goFile = 'main.go';
+        FileScanner.findFiles.mockResolvedValue([goFile]);
+        mockReadFile.mockResolvedValue(goFileContent);
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(false); // no go.mod
+        const failures = await gate.run(context);
+        // ZERO failures — every import above is a real Go stdlib package
+        expect(failures).toHaveLength(0);
+    });
+    it('should NOT flag external module imports (github.com, etc.)', async () => {
+        const goFileContent = `package main
+
+import (
+    "github.com/gin-gonic/gin"
+    "github.com/stretchr/testify/assert"
+    "google.golang.org/grpc"
+    "go.uber.org/zap"
+    "golang.org/x/crypto/bcrypt"
+)
+
+func main() {}
+`;
+        FileScanner.findFiles.mockResolvedValue(['main.go']);
+        mockReadFile.mockResolvedValue(goFileContent);
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+    it('should flag project-relative imports that do not resolve (with go.mod)', async () => {
+        const goMod = `module github.com/myorg/myproject
+
+go 1.22
+`;
+        const goFileContent = `package main
+
+import (
+    "fmt"
+    "github.com/myorg/myproject/pkg/realmodule"
+    "github.com/myorg/myproject/pkg/doesnotexist"
+)
+
+func main() {}
+`;
+        FileScanner.findFiles.mockResolvedValue(['cmd/main.go', 'pkg/realmodule/handler.go']);
+        mockReadFile.mockImplementation(async (filePath) => {
+            if (filePath.includes('handler.go'))
+                return 'package realmodule\n\nimport "fmt"\n\nfunc Handler() {}\n';
+            return goFileContent;
+        });
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(true); // go.mod exists
+        mockReadFileSync.mockReturnValue(goMod);
+        const failures = await gate.run(context);
+        // Should flag doesnotexist but NOT realmodule
+        expect(failures).toHaveLength(1);
+        expect(failures[0].details).toContain('doesnotexist');
+        expect(failures[0].details).not.toContain('realmodule');
+    });
+    it('should NOT flag anything when no go.mod exists and imports have no dots', async () => {
+        // Without go.mod, we can't determine the project module path,
+        // so we skip project-relative checks to avoid false positives
+        const goFileContent = `package main
+
+import (
+    "fmt"
+    "net/http"
+    "internal/custom"
+)
+
+func main() {}
+`;
+        FileScanner.findFiles.mockResolvedValue(['main.go']);
+        mockReadFile.mockResolvedValue(goFileContent);
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+    it('should handle single-line imports', async () => {
+        const goFileContent = `package main
+
+import "fmt"
+import "encoding/json"
+import "net/http"
+
+func main() {}
+`;
+        FileScanner.findFiles.mockResolvedValue(['main.go']);
+        mockReadFile.mockResolvedValue(goFileContent);
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+    it('should handle aliased imports', async () => {
+        const goFileContent = `package main
+
+import (
+    "fmt"
+    mrand "math/rand"
+    _ "net/http/pprof"
+    . "os"
+)
+
+func main() {}
+`;
+        FileScanner.findFiles.mockResolvedValue(['main.go']);
+        mockReadFile.mockResolvedValue(goFileContent);
+        mockPathExists.mockResolvedValue(false);
+        mockPathExistsSync.mockReturnValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+});
+describe('HallucinatedImportsGate — Python stdlib coverage', () => {
+    let gate;
+    const testCwd = '/tmp/test-py-project';
+    const context = {
+        cwd: testCwd,
+        ignore: [],
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        gate = new HallucinatedImportsGate({ enabled: true });
+    });
+    it('should NOT flag Python standard library imports', async () => {
+        const pyContent = `
+import os
+import sys
+import json
+import hashlib
+import pathlib
+import subprocess
+import argparse
+import typing
+import dataclasses
+import functools
+import itertools
+import collections
+import datetime
+import re
+import math
+import random
+import threading
+import asyncio
+from os.path import join, exists
+from collections import defaultdict
+from typing import List, Optional
+from urllib.parse import urlparse
+`;
+        FileScanner.findFiles.mockResolvedValue(['main.py']);
+        mockReadFile.mockResolvedValue(pyContent);
+        mockPathExists.mockResolvedValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+});
+describe('HallucinatedImportsGate — JS/TS Node builtins', () => {
+    let gate;
+    const testCwd = '/tmp/test-node-project';
+    const context = {
+        cwd: testCwd,
+        ignore: [],
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        gate = new HallucinatedImportsGate({ enabled: true });
+    });
+    it('should NOT flag Node.js built-in modules', async () => {
+        const jsContent = `
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+import http from 'http';
+import https from 'https';
+import url from 'url';
+import os from 'os';
+import stream from 'stream';
+import util from 'util';
+import { readFile } from 'node:fs';
+import { join } from 'node:path';
+`;
+        FileScanner.findFiles.mockResolvedValue(['index.ts']);
+        mockReadFile.mockResolvedValue(jsContent);
+        mockPathExists.mockResolvedValue(false);
+        const failures = await gate.run(context);
+        expect(failures).toHaveLength(0);
+    });
+});

package/dist/gates/security-patterns-owasp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/security-patterns-owasp.test.js

@@ -0,0 +1,171 @@
+/**
+ * Tests for OWASP-aligned security patterns added in v3.0.0.
+ * Covers: ReDoS, overly permissive code, unsafe output, missing input validation.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { SecurityPatternsGate, checkSecurityPatterns } from './security-patterns.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('SecurityPatternsGate — OWASP extended patterns', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'owasp-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    describe('ReDoS detection (OWASP #7)', () => {
+        it('should detect dynamic regex from user input', async () => {
+            const filePath = path.join(testDir, 'search.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+                const matches = text.match(pattern);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should detect nested quantifiers', async () => {
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /(?:a+)+b/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'redos')).toBe(true);
+        });
+        it('should allow safe regex patterns', async () => {
+            const filePath = path.join(testDir, 'safe-regex.ts');
+            fs.writeFileSync(filePath, `
+                const re = /^[a-z]+$/;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'redos')).toHaveLength(0);
+        });
+    });
+    describe('Overly Permissive Code (OWASP #9)', () => {
+        it('should detect CORS wildcard origin', async () => {
+            const filePath = path.join(testDir, 'server.ts');
+            fs.writeFileSync(filePath, `
+                import cors from 'cors';
+                app.use(cors({ origin: '*' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect CORS origin true', async () => {
+            const filePath = path.join(testDir, 'server2.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: true }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect 0.0.0.0 binding', async () => {
+            const filePath = path.join(testDir, 'listen.ts');
+            fs.writeFileSync(filePath, `
+                app.listen(3000, '0.0.0.0');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect chmod 777', async () => {
+            const filePath = path.join(testDir, 'perms.ts');
+            fs.writeFileSync(filePath, `
+                fs.chmod('/tmp/data', 0o777);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should detect wildcard CORS header', async () => {
+            const filePath = path.join(testDir, 'headers.ts');
+            fs.writeFileSync(filePath, `
+                res.setHeader('Access-Control-Allow-Origin', '*');
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'overly_permissive')).toBe(true);
+        });
+        it('should allow specific CORS origin', async () => {
+            const filePath = path.join(testDir, 'safe-cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: 'https://myapp.com' }));
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'overly_permissive')).toHaveLength(0);
+        });
+    });
+    describe('Unsafe Output Handling (OWASP #6)', () => {
+        it('should detect response reflecting user input', async () => {
+            const filePath = path.join(testDir, 'handler.ts');
+            fs.writeFileSync(filePath, `
+                app.get('/echo', (req, res) => {
+                    res.send(req.query.msg);
+                });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should detect eval with user input', async () => {
+            const filePath = path.join(testDir, 'eval.ts');
+            fs.writeFileSync(filePath, `
+                eval(req.body.code);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'unsafe_output')).toBe(true);
+        });
+        it('should allow safe response patterns', async () => {
+            const filePath = path.join(testDir, 'safe-res.ts');
+            fs.writeFileSync(filePath, `
+                res.json({ status: 'ok', data: processedData });
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'unsafe_output')).toHaveLength(0);
+        });
+    });
+    describe('Missing Input Validation (OWASP #8)', () => {
+        it('should detect JSON.parse on raw body', async () => {
+            const filePath = path.join(testDir, 'parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(req.body);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should detect "as any" type assertion', async () => {
+            const filePath = path.join(testDir, 'assert.ts');
+            fs.writeFileSync(filePath, `
+                const user = payload as any;
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'missing_input_validation')).toBe(true);
+        });
+        it('should allow validated JSON parse', async () => {
+            const filePath = path.join(testDir, 'safe-parse.ts');
+            fs.writeFileSync(filePath, `
+                const data = JSON.parse(rawString);
+                const validated = schema.parse(data);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.filter(v => v.type === 'missing_input_validation')).toHaveLength(0);
+        });
+    });
+    describe('config toggles for new patterns', () => {
+        it('should disable redos when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, redos: false });
+            const filePath = path.join(testDir, 'regex.ts');
+            fs.writeFileSync(filePath, `
+                const pattern = new RegExp(req.query.search);
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('ReDoS') || f.title?.includes('regex'))).toHaveLength(0);
+        });
+        it('should disable overly_permissive when configured', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true, overly_permissive: false });
+            const filePath = path.join(testDir, 'cors.ts');
+            fs.writeFileSync(filePath, `
+                app.use(cors({ origin: '*' }));
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.filter(f => f.title?.includes('CORS') || f.title?.includes('permissive'))).toHaveLength(0);
+        });
+    });
+});