@rigour-labs/core 4.3.1 → 4.3.2

package/dist/gates/frontend-secret-exposure.d.ts

@@ -0,0 +1,27 @@
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface FrontendSecretExposureConfig {
+    enabled?: boolean;
+    block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
+    check_process_env?: boolean;
+    check_import_meta_env?: boolean;
+    secret_env_name_patterns?: string[];
+    safe_public_prefixes?: string[];
+    frontend_path_patterns?: string[];
+    server_path_patterns?: string[];
+    allowlist_env_names?: string[];
+}
+export declare class FrontendSecretExposureGate extends Gate {
+    private config;
+    private severityOrder;
+    constructor(config?: FrontendSecretExposureConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    private shouldSkipFile;
+    private isClientBundled;
+    private isServerOnlyContent;
+    private findEnvExposures;
+    private collectMatches;
+    private isSecretLikeEnvName;
+    private matchesAnyPattern;
+}

package/dist/gates/frontend-secret-exposure.js

@@ -0,0 +1,174 @@
+import { Gate } from './base.js';
+import { FileScanner } from '../utils/scanner.js';
+import { Logger } from '../utils/logger.js';
+import fs from 'fs-extra';
+import path from 'path';
+const DEFAULT_SECRET_ENV_NAME_PATTERNS = [
+    '(?:^|_)(?:secret|private)(?:_|$)',
+    '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+    '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+];
+const DEFAULT_SAFE_PUBLIC_PREFIXES = [
+    'NEXT_PUBLIC_',
+    'VITE_',
+    'PUBLIC_',
+    'NUXT_PUBLIC_',
+    'REACT_APP_',
+];
+const DEFAULT_FRONTEND_PATH_PATTERNS = [
+    '(^|/)pages/(?!api/)',
+    '(^|/)components/',
+    '(^|/)src/components/',
+    '(^|/)src/views/',
+    '(^|/)src/app/',
+    '(^|/)app/(?!api/)',
+    '(^|/)views/',
+    '(^|/)public/',
+];
+const DEFAULT_SERVER_PATH_PATTERNS = [
+    '(^|/)pages/api/',
+    '(^|/)src/pages/api/',
+    '(^|/)app/api/',
+    '(^|/)src/app/api/',
+    '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+];
+export class FrontendSecretExposureGate extends Gate {
+    config;
+    severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    constructor(config = {}) {
+        super('frontend-secret-exposure', 'Frontend Secret Exposure Detection');
+        this.config = {
+            enabled: config.enabled ?? true,
+            block_on_severity: config.block_on_severity ?? 'high',
+            check_process_env: config.check_process_env ?? true,
+            check_import_meta_env: config.check_import_meta_env ?? true,
+            secret_env_name_patterns: config.secret_env_name_patterns ?? DEFAULT_SECRET_ENV_NAME_PATTERNS,
+            safe_public_prefixes: config.safe_public_prefixes ?? DEFAULT_SAFE_PUBLIC_PREFIXES,
+            frontend_path_patterns: config.frontend_path_patterns ?? DEFAULT_FRONTEND_PATH_PATTERNS,
+            server_path_patterns: config.server_path_patterns ?? DEFAULT_SERVER_PATH_PATTERNS,
+            allowlist_env_names: config.allowlist_env_names ?? [],
+        };
+    }
+    get provenance() { return 'security'; }
+    async run(context) {
+        if (!this.config.enabled)
+            return [];
+        const files = await FileScanner.findFiles({
+            cwd: context.cwd,
+            patterns: ['**/*.{ts,tsx,js,jsx,mjs,cjs}'],
+            ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**', '**/.next/**', '**/coverage/**'],
+        });
+        const scanFiles = files.filter(file => !this.shouldSkipFile(file));
+        const findings = [];
+        Logger.info(`Frontend Secret Exposure Gate: Scanning ${scanFiles.length} files`);
+        for (const file of scanFiles) {
+            const fullPath = path.join(context.cwd, file);
+            let content = '';
+            try {
+                content = await fs.readFile(fullPath, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            if (!this.isClientBundled(file, content))
+                continue;
+            findings.push(...this.findEnvExposures(file, content));
+        }
+        findings.sort((a, b) => this.severityOrder[a.severity] - this.severityOrder[b.severity]);
+        const threshold = this.severityOrder[this.config.block_on_severity];
+        return findings
+            .filter(f => this.severityOrder[f.severity] <= threshold)
+            .map(f => this.createFailure(`Potential frontend secret exposure: ${f.source}.${f.envVar} is referenced in client-bundled code.`, [f.file], 'Move secret usage to server-only code (API route/server action) and expose only public-safe values.', 'Security: Frontend Secret Exposure', f.line, f.line, f.severity));
+    }
+    shouldSkipFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        if (/\.(test|spec)\.(?:ts|tsx|js|jsx|mjs|cjs)$/i.test(normalized))
+            return true;
+        if (/\/(?:__tests__|tests|test|__test__|e2e|fixtures|mocks)\//.test(`/${normalized}`))
+            return true;
+        if (/\/(?:examples|studio-dist)\//.test(`/${normalized}`))
+            return true;
+        return false;
+    }
+    isClientBundled(file, content) {
+        const normalized = file.replace(/\\/g, '/');
+        if (this.matchesAnyPattern(normalized, this.config.server_path_patterns))
+            return false;
+        if (this.isServerOnlyContent(content))
+            return false;
+        if (/^\s*['"]use client['"]\s*;?/m.test(content))
+            return true;
+        if (this.matchesAnyPattern(normalized, this.config.frontend_path_patterns))
+            return true;
+        return false;
+    }
+    isServerOnlyContent(content) {
+        if (/from\s+['"]server-only['"]/.test(content))
+            return true;
+        if (/import\s+['"]server-only['"]/.test(content))
+            return true;
+        if (/export\s+async\s+function\s+getServerSideProps\s*\(/.test(content))
+            return true;
+        if (/export\s+async\s+function\s+getStaticProps\s*\(/.test(content))
+            return true;
+        if (/['"]use server['"]/.test(content))
+            return true;
+        return false;
+    }
+    findEnvExposures(file, content) {
+        const findings = [];
+        if (this.config.check_process_env) {
+            const processEnvRegex = /process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
+            findings.push(...this.collectMatches(file, content, processEnvRegex, 'process.env'));
+        }
+        if (this.config.check_import_meta_env) {
+            const importMetaRegex = /import\.meta\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
+            findings.push(...this.collectMatches(file, content, importMetaRegex, 'import.meta.env'));
+        }
+        return findings;
+    }
+    collectMatches(file, content, regex, source) {
+        const matches = [];
+        const scanRegex = new RegExp(regex.source, 'g');
+        for (const match of content.matchAll(scanRegex)) {
+            const envVar = match[1];
+            if (!this.isSecretLikeEnvName(envVar))
+                continue;
+            const startIndex = match.index ?? 0;
+            const beforeMatch = content.slice(0, startIndex);
+            const line = beforeMatch.split('\n').length;
+            matches.push({
+                file,
+                line,
+                envVar,
+                source,
+                severity: 'high',
+            });
+        }
+        return matches;
+    }
+    isSecretLikeEnvName(envVar) {
+        if (this.config.allowlist_env_names.includes(envVar))
+            return false;
+        if (this.config.safe_public_prefixes.some(prefix => envVar.startsWith(prefix)))
+            return false;
+        return this.config.secret_env_name_patterns.some(pattern => {
+            try {
+                return new RegExp(pattern, 'i').test(envVar);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    matchesAnyPattern(value, patterns) {
+        return patterns.some(pattern => {
+            try {
+                return new RegExp(pattern, 'i').test(value);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+}

package/dist/gates/frontend-secret-exposure.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/frontend-secret-exposure.test.js

@@ -0,0 +1,95 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('FrontendSecretExposureGate', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'frontend-secret-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('detects process.env secret usage in client-bundled file', async () => {
+        const filePath = path.join(testDir, 'src/components/Checkout.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export function Checkout() {
+                const key = process.env.STRIPE_SECRET_KEY;
+                return <div>{key}</div>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+        expect(failures[0].id).toBe('frontend-secret-exposure');
+        expect(failures[0].files).toContain('src/components/Checkout.tsx');
+    });
+    it('detects import.meta.env secret usage in frontend app path', async () => {
+        const filePath = path.join(testDir, 'src/app/page.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function Page() {
+                return <span>{import.meta.env.OPENAI_API_KEY}</span>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+    });
+    it('does not flag public env prefixes in client files', async () => {
+        const filePath = path.join(testDir, 'components/Header.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const key = process.env.NEXT_PUBLIC_STRIPE_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag server-only API route', async () => {
+        const filePath = path.join(testDir, 'pages/api/charge.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function handler() {
+                return process.env.STRIPE_SECRET_KEY;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag .server files', async () => {
+        const filePath = path.join(testDir, 'src/lib/payments.server.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const stripeSecret = process.env.STRIPE_SECRET_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('respects explicit allowlist env names', async () => {
+        const filePath = path.join(testDir, 'src/views/App.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.INTERNAL_TOKEN_FOR_DOCS;
+        `);
+        const gate = new FrontendSecretExposureGate({
+            allowlist_env_names: ['INTERNAL_TOKEN_FOR_DOCS'],
+        });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('skips when disabled', async () => {
+        const filePath = path.join(testDir, 'src/components/Client.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.OPENAI_API_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate({ enabled: false });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+});

package/dist/gates/runner.js

@@ -15,6 +15,7 @@ import { RetryLoopBreakerGate } from './retry-loop-breaker.js';
 import { AgentTeamGate } from './agent-team.js';
 import { CheckpointGate } from './checkpoint.js';
 import { SecurityPatternsGate } from './security-patterns.js';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
 import { DuplicationDriftGate } from './duplication-drift.js';
 import { HallucinatedImportsGate } from './hallucinated-imports.js';
 import { InconsistentErrorHandlingGate } from './inconsistent-error-handling.js';
@@ -67,6 +68,9 @@ export class GateRunner {
         if (this.config.gates.security?.enabled !== false) {
             this.gates.push(new SecurityPatternsGate(this.config.gates.security));
         }
+        if (this.config.gates.frontend_secret_exposure?.enabled !== false) {
+            this.gates.push(new FrontendSecretExposureGate(this.config.gates.frontend_secret_exposure));
+        }
         // v2.16+ AI-Native Drift Detection Gates (enabled by default)
         if (this.config.gates.duplication_drift?.enabled !== false) {
             this.gates.push(new DuplicationDriftGate(this.config.gates.duplication_drift));

package/dist/index.d.ts

@@ -7,6 +7,7 @@ export * from './types/fix-packet.js';
 export { Gate, GateContext } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export { SideEffectAnalysisGate } from './gates/side-effect-analysis.js';
+export { FrontendSecretExposureGate } from './gates/frontend-secret-exposure.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
 export * from './hooks/index.js';

package/dist/index.js

@@ -7,6 +7,7 @@ export * from './types/fix-packet.js';
 export { Gate } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export { SideEffectAnalysisGate } from './gates/side-effect-analysis.js';
+export { FrontendSecretExposureGate } from './gates/frontend-secret-exposure.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
 export * from './hooks/index.js';

package/dist/templates/universal-config.js

@@ -72,6 +72,36 @@ export const UNIVERSAL_CONFIG = {
             command_injection: true,
             block_on_severity: 'high',
         },
+        frontend_secret_exposure: {
+            enabled: true,
+            block_on_severity: 'high',
+            check_process_env: true,
+            check_import_meta_env: true,
+            secret_env_name_patterns: [
+                '(?:^|_)(?:secret|private)(?:_|$)',
+                '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+                '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+            ],
+            safe_public_prefixes: ['NEXT_PUBLIC_', 'VITE_', 'PUBLIC_', 'NUXT_PUBLIC_', 'REACT_APP_'],
+            frontend_path_patterns: [
+                '(^|/)pages/(?!api/)',
+                '(^|/)components/',
+                '(^|/)src/components/',
+                '(^|/)src/views/',
+                '(^|/)src/app/',
+                '(^|/)app/(?!api/)',
+                '(^|/)views/',
+                '(^|/)public/',
+            ],
+            server_path_patterns: [
+                '(^|/)pages/api/',
+                '(^|/)src/pages/api/',
+                '(^|/)app/api/',
+                '(^|/)src/app/api/',
+                '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+            ],
+            allowlist_env_names: [],
+        },
         adaptive: {
             enabled: false,
             base_coverage_threshold: 80,

package/dist/types/index.d.ts

@@ -213,6 +213,37 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection?: boolean | undefined;
         block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
     }>>>;
+    frontend_secret_exposure: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        block_on_severity: z.ZodDefault<z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low"]>>>;
+        check_process_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        check_import_meta_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        secret_env_name_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        safe_public_prefixes: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        frontend_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        server_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        allowlist_env_names: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        block_on_severity: "critical" | "high" | "medium" | "low";
+        check_process_env: boolean;
+        check_import_meta_env: boolean;
+        secret_env_name_patterns: string[];
+        safe_public_prefixes: string[];
+        frontend_path_patterns: string[];
+        server_path_patterns: string[];
+        allowlist_env_names: string[];
+    }, {
+        enabled?: boolean | undefined;
+        block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+        check_process_env?: boolean | undefined;
+        check_import_meta_env?: boolean | undefined;
+        secret_env_name_patterns?: string[] | undefined;
+        safe_public_prefixes?: string[] | undefined;
+        frontend_path_patterns?: string[] | undefined;
+        server_path_patterns?: string[] | undefined;
+        allowlist_env_names?: string[] | undefined;
+    }>>>;
     adaptive: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
         base_coverage_threshold: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
@@ -674,6 +705,17 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection: boolean;
         block_on_severity: "critical" | "high" | "medium" | "low";
     };
+    frontend_secret_exposure: {
+        enabled: boolean;
+        block_on_severity: "critical" | "high" | "medium" | "low";
+        check_process_env: boolean;
+        check_import_meta_env: boolean;
+        secret_env_name_patterns: string[];
+        safe_public_prefixes: string[];
+        frontend_path_patterns: string[];
+        server_path_patterns: string[];
+        allowlist_env_names: string[];
+    };
     adaptive: {
         enabled: boolean;
         base_coverage_threshold: number;
@@ -874,6 +916,17 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection?: boolean | undefined;
         block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
     } | undefined;
+    frontend_secret_exposure?: {
+        enabled?: boolean | undefined;
+        block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+        check_process_env?: boolean | undefined;
+        check_import_meta_env?: boolean | undefined;
+        secret_env_name_patterns?: string[] | undefined;
+        safe_public_prefixes?: string[] | undefined;
+        frontend_path_patterns?: string[] | undefined;
+        server_path_patterns?: string[] | undefined;
+        allowlist_env_names?: string[] | undefined;
+    } | undefined;
     adaptive?: {
         enabled?: boolean | undefined;
         base_coverage_threshold?: number | undefined;
@@ -1245,6 +1298,37 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         }>>>;
+        frontend_secret_exposure: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+            enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            block_on_severity: z.ZodDefault<z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low"]>>>;
+            check_process_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            check_import_meta_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            secret_env_name_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            safe_public_prefixes: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            frontend_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            server_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            allowlist_env_names: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        }, "strip", z.ZodTypeAny, {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        }, {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        }>>>;
         adaptive: z.ZodDefault<z.ZodOptional<z.ZodObject<{
             enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
             base_coverage_threshold: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
@@ -1706,6 +1790,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection: boolean;
             block_on_severity: "critical" | "high" | "medium" | "low";
         };
+        frontend_secret_exposure: {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        };
         adaptive: {
             enabled: boolean;
             base_coverage_threshold: number;
@@ -1906,6 +2001,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         } | undefined;
+        frontend_secret_exposure?: {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        } | undefined;
         adaptive?: {
             enabled?: boolean | undefined;
             base_coverage_threshold?: number | undefined;
@@ -2148,6 +2254,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection: boolean;
             block_on_severity: "critical" | "high" | "medium" | "low";
         };
+        frontend_secret_exposure: {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        };
         adaptive: {
             enabled: boolean;
             base_coverage_threshold: number;
@@ -2374,6 +2491,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         } | undefined;
+        frontend_secret_exposure?: {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        } | undefined;
         adaptive?: {
             enabled?: boolean | undefined;
             base_coverage_threshold?: number | undefined;

package/dist/types/index.js

@@ -95,6 +95,42 @@ export const GatesSchema = z.object({
         command_injection: z.boolean().optional().default(true),
         block_on_severity: z.enum(['critical', 'high', 'medium', 'low']).optional().default('high'),
     }).optional().default({}),
+    frontend_secret_exposure: z.object({
+        enabled: z.boolean().optional().default(true),
+        block_on_severity: z.enum(['critical', 'high', 'medium', 'low']).optional().default('high'),
+        check_process_env: z.boolean().optional().default(true),
+        check_import_meta_env: z.boolean().optional().default(true),
+        secret_env_name_patterns: z.array(z.string()).optional().default([
+            '(?:^|_)(?:secret|private)(?:_|$)',
+            '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+            '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+        ]),
+        safe_public_prefixes: z.array(z.string()).optional().default([
+            'NEXT_PUBLIC_',
+            'VITE_',
+            'PUBLIC_',
+            'NUXT_PUBLIC_',
+            'REACT_APP_',
+        ]),
+        frontend_path_patterns: z.array(z.string()).optional().default([
+            '(^|/)pages/(?!api/)',
+            '(^|/)components/',
+            '(^|/)src/components/',
+            '(^|/)src/views/',
+            '(^|/)src/app/',
+            '(^|/)app/(?!api/)',
+            '(^|/)views/',
+            '(^|/)public/',
+        ]),
+        server_path_patterns: z.array(z.string()).optional().default([
+            '(^|/)pages/api/',
+            '(^|/)src/pages/api/',
+            '(^|/)app/api/',
+            '(^|/)src/app/api/',
+            '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+        ]),
+        allowlist_env_names: z.array(z.string()).optional().default([]),
+    }).optional().default({}),
     adaptive: z.object({
         enabled: z.boolean().optional().default(false),
         base_coverage_threshold: z.number().optional().default(80),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "4.3.1",
+  "version": "4.3.2",
   "description": "Deterministic quality gate engine for AI-generated code. AST analysis, drift detection, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -59,11 +59,11 @@
     "@xenova/transformers": "^2.17.2",
     "better-sqlite3": "^11.0.0",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "4.3.1",
-    "@rigour-labs/brain-darwin-x64": "4.3.1",
-    "@rigour-labs/brain-linux-arm64": "4.3.1",
-    "@rigour-labs/brain-win-x64": "4.3.1",
-    "@rigour-labs/brain-linux-x64": "4.3.1"
+    "@rigour-labs/brain-darwin-arm64": "4.3.2",
+    "@rigour-labs/brain-linux-arm64": "4.3.2",
+    "@rigour-labs/brain-darwin-x64": "4.3.2",
+    "@rigour-labs/brain-win-x64": "4.3.2",
+    "@rigour-labs/brain-linux-x64": "4.3.2"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.12",