@rigour-labs/core 4.3.1 → 4.3.3

package/dist/gates/context-window-artifacts.js

@@ -36,9 +36,10 @@ export class ContextWindowArtifactsGate extends Gate {
         if (!this.config.enabled)
             return [];
         const failures = [];
+        const scanPatterns = context.patterns || ['**/*.{ts,js,tsx,jsx,py}'];
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/*.test.*', '**/*.spec.*', '**/*.min.*'],
         });
         Logger.info(`Context Window Artifacts: Scanning ${files.length} files`);

package/dist/gates/deprecated-apis.js

@@ -48,9 +48,11 @@ export class DeprecatedApisGate extends Gate {
             return [];
         const failures = [];
         const deprecated = [];
+        const defaultPatterns = ['**/*.{ts,js,tsx,jsx,py,go,cs,java,kt}'];
+        const scanPatterns = context.patterns || defaultPatterns;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py,go,cs,java,kt}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
                 '**/*.test.*', '**/*.spec.*', '**/__tests__/**',
                 '**/.venv/**', '**/venv/**', '**/vendor/**', '**/__pycache__/**',

package/dist/gates/duplication-drift.js

@@ -33,9 +33,10 @@ export class DuplicationDriftGate extends Gate {
             return [];
         const failures = [];
         const functions = [];
+        const scanPatterns = context.patterns || ['**/*.{ts,js,tsx,jsx,py}'];
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/*.test.*', '**/*.spec.*'],
         });
         Logger.info(`Duplication Drift: Scanning ${files.length} files`);

package/dist/gates/frontend-secret-exposure.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Frontend Secret Exposure Gate
+ *
+ * Detects server-side secret keys (Stripe, OpenAI, AWS, etc.) referenced
+ * in frontend-accessible files where they would be bundled into client JS.
+ *
+ * The "vibe-coded startup" attack pattern:
+ *   process.env.STRIPE_SECRET_KEY inside a React component
+ *   → bundled by webpack/Vite → visible in DevTools → $2,500 in fraudulent charges
+ *
+ * Two detection modes:
+ *   1. Env-var name detection: process.env.VARNAME / import.meta.env.VARNAME
+ *      where VARNAME matches secret_env_name_patterns and lacks a safe public prefix.
+ *   2. Literal key detection: actual live API key values embedded in source
+ *      (sk_live_..., sk-proj-..., AKIA..., ghp_..., etc.)
+ *
+ * @since v4.4.0
+ * @see CWE-312 Cleartext Storage of Sensitive Information
+ */
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface FrontendSecretExposureConfig {
+    enabled?: boolean;
+    block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
+    check_process_env?: boolean;
+    check_import_meta_env?: boolean;
+    secret_env_name_patterns?: string[];
+    safe_public_prefixes?: string[];
+    frontend_path_patterns?: string[];
+    server_path_patterns?: string[];
+    allowlist_env_names?: string[];
+}
+export declare class FrontendSecretExposureGate extends Gate {
+    private cfg;
+    private secretNamePatterns;
+    private safePrefixPatterns;
+    private frontendPathPatterns;
+    private serverPathPatterns;
+    constructor(config?: FrontendSecretExposureConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    /** Classify a file path as frontend, server, or ambiguous based on config patterns. */
+    private classifyFile;
+    /** Test/fixture files are excluded — they legitimately contain dummy keys. */
+    private isTestFile;
+    /**
+     * Check whether a var name looks like a server-side secret:
+     * - Matches at least one secret_env_name_pattern
+     * - Does NOT start with a safe public prefix
+     * - Is NOT in the user allowlist
+     */
+    private isSecretVar;
+    /** Scan one file for env-var references and literal key values. */
+    private scanFile;
+    private makeEnvRefExposure;
+    /** Filters out trivial dummy/placeholder text to reduce false positives. */
+    private isDummyValue;
+    private toFailures;
+}

package/dist/gates/frontend-secret-exposure.js

@@ -0,0 +1,354 @@
+/**
+ * Frontend Secret Exposure Gate
+ *
+ * Detects server-side secret keys (Stripe, OpenAI, AWS, etc.) referenced
+ * in frontend-accessible files where they would be bundled into client JS.
+ *
+ * The "vibe-coded startup" attack pattern:
+ *   process.env.STRIPE_SECRET_KEY inside a React component
+ *   → bundled by webpack/Vite → visible in DevTools → $2,500 in fraudulent charges
+ *
+ * Two detection modes:
+ *   1. Env-var name detection: process.env.VARNAME / import.meta.env.VARNAME
+ *      where VARNAME matches secret_env_name_patterns and lacks a safe public prefix.
+ *   2. Literal key detection: actual live API key values embedded in source
+ *      (sk_live_..., sk-proj-..., AKIA..., ghp_..., etc.)
+ *
+ * @since v4.4.0
+ * @see CWE-312 Cleartext Storage of Sensitive Information
+ */
+import { Gate } from './base.js';
+import { FileScanner } from '../utils/scanner.js';
+import { Logger } from '../utils/logger.js';
+import fs from 'fs-extra';
+import path from 'path';
+/**
+ * Literal API key patterns — actual values that are always dangerous in frontend code.
+ * These bypass the env-name heuristic and fire regardless of variable naming.
+ */
+const LITERAL_KEY_PATTERNS = [
+    {
+        label: 'Stripe Live Secret Key',
+        regex: /\bsk_live_[a-zA-Z0-9]{24,}\b/g,
+        severity: 'critical',
+        hint: 'Live Stripe secret key (sk_live_...) exposed in client bundle. ' +
+            'Attackers can charge cards without a frontend. Move to server-side only.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'Stripe Live Restricted Key',
+        regex: /\brk_live_[a-zA-Z0-9]{24,}\b/g,
+        severity: 'critical',
+        hint: 'Live Stripe restricted key (rk_live_...) must never appear in frontend code.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'OpenAI API Key',
+        regex: /\bsk-proj-[a-zA-Z0-9_-]{40,}\b/g,
+        severity: 'critical',
+        hint: 'OpenAI project API key (sk-proj-...) exposed in client bundle. ' +
+            'Attackers can make unlimited API calls at your expense.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'OpenAI Legacy API Key',
+        regex: /\bsk-[a-zA-Z0-9]{48,}\b/g,
+        severity: 'critical',
+        hint: 'OpenAI API key (sk-...) exposed in client bundle. Move to server-side proxy.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'AWS Access Key ID',
+        regex: /\bAKIA[A-Z2-7]{16}\b/g,
+        severity: 'critical',
+        hint: 'AWS Access Key ID exposed in client bundle. This grants AWS API access.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'GitHub Personal Access Token',
+        regex: /\bghp_[a-zA-Z0-9]{36,}\b/g,
+        severity: 'critical',
+        hint: 'GitHub PAT (ghp_...) in frontend code. Grants repo access to anyone who views bundle.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'GitHub Fine-Grained PAT',
+        regex: /\bgithub_pat_[a-zA-Z0-9_]{55,}\b/g,
+        severity: 'critical',
+        hint: 'GitHub fine-grained PAT (github_pat_...) must never appear in frontend code.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'Anthropic API Key',
+        regex: /\bsk-ant-api\d{2}-[a-zA-Z0-9_-]{90,}\b/g,
+        severity: 'critical',
+        hint: 'Anthropic API key exposed in client bundle. Move to a server-side proxy.',
+        cwe: 'CWE-312',
+    },
+    {
+        label: 'SendGrid API Key',
+        regex: /\bSG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{43,}\b/g,
+        severity: 'critical',
+        hint: 'SendGrid API key exposed in client bundle. Attackers can send spam as you.',
+        cwe: 'CWE-312',
+    },
+];
+/** Severity ordering for threshold comparison */
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
+/**
+ * Extracts the env var name from a single-reference line.
+ *   process.env.VARNAME          → "VARNAME"
+ *   process.env["VARNAME"]       → "VARNAME"
+ *   import.meta.env.VARNAME      → "VARNAME"
+ * Returns null if no match.
+ */
+function extractEnvVarName(line, checkProcessEnv, checkImportMetaEnv) {
+    if (checkProcessEnv) {
+        const dot = line.match(/process\.env\.([A-Z][A-Z0-9_]*)/);
+        if (dot)
+            return dot[1];
+        const bracket = line.match(/process\.env\[['"]([A-Z][A-Z0-9_]*)['"]\]/);
+        if (bracket)
+            return bracket[1];
+    }
+    if (checkImportMetaEnv) {
+        const vite = line.match(/import\.meta\.env\.([A-Z_][A-Z0-9_]*)/);
+        if (vite)
+            return vite[1];
+    }
+    return null;
+}
+/**
+ * Finds all var names from destructuring:
+ *   const { STRIPE_SECRET_KEY, OPENAI_KEY } = process.env
+ */
+function extractDestructuredEnvVars(line) {
+    if (!/=\s*process\.env\b/.test(line))
+        return [];
+    const brace = line.match(/\{\s*([^}]+)\s*\}/);
+    if (!brace)
+        return [];
+    return brace[1]
+        .split(',')
+        .map(s => s.split(':')[0].trim()) // handle "SECRET_KEY: renamed"
+        .filter(s => /^[A-Z_][A-Z0-9_]*$/.test(s));
+}
+export class FrontendSecretExposureGate extends Gate {
+    cfg;
+    secretNamePatterns;
+    safePrefixPatterns;
+    frontendPathPatterns;
+    serverPathPatterns;
+    constructor(config = {}) {
+        super('frontend-secret-exposure', 'Frontend Secret Exposure');
+        this.cfg = {
+            enabled: config.enabled ?? true,
+            block_on_severity: config.block_on_severity ?? 'high',
+            check_process_env: config.check_process_env ?? true,
+            check_import_meta_env: config.check_import_meta_env ?? true,
+            secret_env_name_patterns: config.secret_env_name_patterns ?? [
+                '(?:^|_)(?:secret|private)(?:_|$)',
+                '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+                '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+            ],
+            safe_public_prefixes: config.safe_public_prefixes ?? [
+                'NEXT_PUBLIC_', 'VITE_', 'PUBLIC_', 'NUXT_PUBLIC_', 'REACT_APP_',
+            ],
+            frontend_path_patterns: config.frontend_path_patterns ?? [
+                '(^|/)pages/(?!api/)',
+                '(^|/)components/',
+                '(^|/)src/components/',
+                '(^|/)src/views/',
+                '(^|/)src/app/',
+                '(^|/)app/(?!api/)',
+                '(^|/)views/',
+                '(^|/)public/',
+            ],
+            server_path_patterns: config.server_path_patterns ?? [
+                '(^|/)pages/api/',
+                '(^|/)src/pages/api/',
+                '(^|/)app/api/',
+                '(^|/)src/app/api/',
+                '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+            ],
+            allowlist_env_names: config.allowlist_env_names ?? [],
+        };
+        this.secretNamePatterns = this.cfg.secret_env_name_patterns.map(p => new RegExp(p, 'i'));
+        // Escape prefix strings to safe regex literals
+        this.safePrefixPatterns = this.cfg.safe_public_prefixes.map(prefix => new RegExp(`^${prefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`));
+        this.frontendPathPatterns = this.cfg.frontend_path_patterns.map(p => new RegExp(p));
+        this.serverPathPatterns = this.cfg.server_path_patterns.map(p => new RegExp(p));
+    }
+    get provenance() { return 'security'; }
+    async run(context) {
+        if (!this.cfg.enabled)
+            return [];
+        const scanPatterns = context.patterns || ['**/*.{ts,tsx,js,jsx,mjs,cjs,vue,svelte}'];
+        const files = await FileScanner.findFiles({
+            cwd: context.cwd,
+            patterns: scanPatterns,
+            ignore: [
+                ...(context.ignore || []),
+                '**/node_modules/**', '**/dist/**', '**/build/**',
+                '**/.next/**', '**/coverage/**', '**/out/**',
+            ],
+        });
+        // Skip test/fixture files — they routinely use dummy keys
+        const sourceFiles = files.filter(f => !this.isTestFile(f));
+        Logger.info(`Frontend Secret Exposure Gate: scanning ${sourceFiles.length} files`);
+        const exposures = [];
+        for (const file of sourceFiles) {
+            const fileContext = this.classifyFile(file);
+            if (fileContext === 'server')
+                continue;
+            try {
+                const fullPath = path.join(context.cwd, file);
+                const content = await fs.readFile(fullPath, 'utf-8');
+                // Skip files guarded by Next.js server-only import
+                if (/import\s+['"]server-only['"]/.test(content))
+                    continue;
+                this.scanFile(content, file, fileContext, exposures);
+            }
+            catch {
+                // Unreadable — skip silently
+            }
+        }
+        return this.toFailures(exposures);
+    }
+    /** Classify a file path as frontend, server, or ambiguous based on config patterns. */
+    classifyFile(file) {
+        const n = file.replace(/\\/g, '/');
+        // Server paths take priority over frontend paths
+        if (this.serverPathPatterns.some(p => p.test(n)))
+            return 'server';
+        if (this.frontendPathPatterns.some(p => p.test(n)))
+            return 'frontend';
+        return 'ambiguous';
+    }
+    /** Test/fixture files are excluded — they legitimately contain dummy keys. */
+    isTestFile(file) {
+        const n = file.replace(/\\/g, '/');
+        return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(n)
+            || /\/__tests__\//.test(n)
+            || /\/(?:fixtures|mocks|stubs)\//.test(n);
+    }
+    /**
+     * Check whether a var name looks like a server-side secret:
+     * - Matches at least one secret_env_name_pattern
+     * - Does NOT start with a safe public prefix
+     * - Is NOT in the user allowlist
+     */
+    isSecretVar(varName) {
+        if (this.cfg.allowlist_env_names.includes(varName))
+            return false;
+        if (this.safePrefixPatterns.some(p => p.test(varName)))
+            return false;
+        return this.secretNamePatterns.some(p => p.test(varName));
+    }
+    /** Scan one file for env-var references and literal key values. */
+    scanFile(content, file, fileContext, out) {
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const lineNum = i + 1;
+            // Skip comment lines to avoid flagging docs/examples
+            const trimmed = line.trimStart();
+            if (trimmed.startsWith('//') ||
+                trimmed.startsWith('*') ||
+                trimmed.startsWith('#') ||
+                trimmed.startsWith('<!--'))
+                continue;
+            // 1. Env-var name detection (process.env / import.meta.env)
+            if (this.cfg.check_process_env || this.cfg.check_import_meta_env) {
+                const single = extractEnvVarName(line, this.cfg.check_process_env, this.cfg.check_import_meta_env);
+                if (single && this.isSecretVar(single)) {
+                    out.push(this.makeEnvRefExposure(file, lineNum, line, single, fileContext));
+                }
+                // Destructuring: const { STRIPE_SECRET_KEY } = process.env
+                if (this.cfg.check_process_env) {
+                    for (const varName of extractDestructuredEnvVars(line)) {
+                        if (this.isSecretVar(varName)) {
+                            out.push(this.makeEnvRefExposure(file, lineNum, line, varName, fileContext));
+                        }
+                    }
+                }
+            }
+            // 2. Literal API key detection
+            for (const pattern of LITERAL_KEY_PATTERNS) {
+                pattern.regex.lastIndex = 0;
+                let m;
+                while ((m = pattern.regex.exec(line)) !== null) {
+                    // Skip dummy/placeholder values and test-mode keys
+                    if (this.isDummyValue(m[0]))
+                        continue;
+                    if (/(?:sk_test_|pk_test_|_test_|_sandbox_)/i.test(m[0]))
+                        continue;
+                    out.push({
+                        file,
+                        line: lineNum,
+                        lineText: line.trim().slice(0, 80),
+                        varName: m[0].slice(0, 24) + (m[0].length > 24 ? '...' : ''),
+                        kind: 'literal',
+                        serviceLabel: pattern.label,
+                        hint: pattern.hint,
+                        cwe: pattern.cwe,
+                        severity: pattern.severity,
+                        fileContext,
+                    });
+                }
+            }
+        }
+    }
+    makeEnvRefExposure(file, line, lineText, varName, fileContext) {
+        // Definite frontend → critical; ambiguous → high (may be a shared util)
+        const severity = fileContext === 'frontend' ? 'critical' : 'high';
+        return {
+            file,
+            line,
+            lineText: lineText.trim().slice(0, 80),
+            varName,
+            kind: 'env-ref',
+            serviceLabel: 'Secret Env Var',
+            hint: `\`${varName}\` looks like a server-side secret but is referenced in a ` +
+                `client-bundled file. Use an API route (Next.js /api, Remix action, ` +
+                `Nuxt server route) to proxy calls instead of exposing the secret to the browser.`,
+            cwe: 'CWE-312',
+            severity,
+            fileContext,
+        };
+    }
+    /** Filters out trivial dummy/placeholder text to reduce false positives. */
+    isDummyValue(text) {
+        return /(?:example|placeholder|your[_-]|xxx+|dummy|fake|changeme)/i.test(text);
+    }
+    toFailures(exposures) {
+        if (exposures.length === 0)
+            return [];
+        const blockThreshold = SEVERITY_ORDER[this.cfg.block_on_severity];
+        // Deduplicate: same file + line + varName from parallel patterns
+        const seen = new Set();
+        const unique = exposures.filter(e => {
+            const key = `${e.file}:${e.line}:${e.varName}`;
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+        // Sort critical first
+        unique.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+        const failures = [];
+        for (const exp of unique) {
+            if (SEVERITY_ORDER[exp.severity] > blockThreshold)
+                continue;
+            const ctx = exp.fileContext === 'frontend' ? '[definite frontend]' : '[possible frontend]';
+            const kind = exp.kind === 'literal' ? 'literal key' : 'env var ref';
+            failures.push(this.createFailure(`[${exp.cwe}] ${exp.serviceLabel} (${kind}) in ${ctx} file — ` +
+                `\`${exp.varName}\` at line ${exp.line}`, [exp.file], exp.hint, `Security: Frontend Secret Exposure — ${exp.serviceLabel}`, exp.line, exp.line, exp.severity));
+        }
+        if (unique.length > 0 && failures.length === 0) {
+            Logger.info(`Frontend Secret Exposure: ${unique.length} issue(s) below ` +
+                `${this.cfg.block_on_severity} threshold`);
+        }
+        return failures;
+    }
+}

package/dist/gates/frontend-secret-exposure.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/frontend-secret-exposure.test.js

@@ -0,0 +1,95 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('FrontendSecretExposureGate', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'frontend-secret-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('detects process.env secret usage in client-bundled file', async () => {
+        const filePath = path.join(testDir, 'src/components/Checkout.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export function Checkout() {
+                const key = process.env.STRIPE_SECRET_KEY;
+                return <div>{key}</div>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+        expect(failures[0].id).toBe('frontend-secret-exposure');
+        expect(failures[0].files).toContain('src/components/Checkout.tsx');
+    });
+    it('detects import.meta.env secret usage in frontend app path', async () => {
+        const filePath = path.join(testDir, 'src/app/page.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function Page() {
+                return <span>{import.meta.env.OPENAI_API_KEY}</span>;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures.length).toBeGreaterThan(0);
+    });
+    it('does not flag public env prefixes in client files', async () => {
+        const filePath = path.join(testDir, 'components/Header.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const key = process.env.NEXT_PUBLIC_STRIPE_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag server-only API route', async () => {
+        const filePath = path.join(testDir, 'pages/api/charge.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export default function handler() {
+                return process.env.STRIPE_SECRET_KEY;
+            }
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('does not flag .server files', async () => {
+        const filePath = path.join(testDir, 'src/lib/payments.server.ts');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const stripeSecret = process.env.STRIPE_SECRET_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate();
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('respects explicit allowlist env names', async () => {
+        const filePath = path.join(testDir, 'src/views/App.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.INTERNAL_TOKEN_FOR_DOCS;
+        `);
+        const gate = new FrontendSecretExposureGate({
+            allowlist_env_names: ['INTERNAL_TOKEN_FOR_DOCS'],
+        });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+    it('skips when disabled', async () => {
+        const filePath = path.join(testDir, 'src/components/Client.tsx');
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, `
+            export const x = process.env.OPENAI_API_KEY;
+        `);
+        const gate = new FrontendSecretExposureGate({ enabled: false });
+        const failures = await gate.run({ cwd: testDir });
+        expect(failures).toHaveLength(0);
+    });
+});

package/dist/gates/hallucinated-imports.js

@@ -47,9 +47,11 @@ export class HallucinatedImportsGate extends Gate {
             return [];
         const failures = [];
         const hallucinated = [];
+        const defaultPatterns = ['**/*.{ts,js,tsx,jsx,py,go,rb,cs,rs,java,kt}'];
+        const scanPatterns = context.patterns || defaultPatterns;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py,go,rb,cs,rs,java,kt}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
                 '**/examples/**',
                 '**/studio-dist/**', '**/.next/**', '**/coverage/**',

package/dist/gates/inconsistent-error-handling.js

@@ -41,9 +41,10 @@ export class InconsistentErrorHandlingGate extends Gate {
             return [];
         const failures = [];
         const handlers = [];
+        const scanPatterns = context.patterns || ['**/*.{ts,js,tsx,jsx}'];
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/*.test.*', '**/*.spec.*'],
         });
         Logger.info(`Inconsistent Error Handling: Scanning ${files.length} files`);

package/dist/gates/phantom-apis.js

@@ -45,9 +45,11 @@ export class PhantomApisGate extends Gate {
             return [];
         const failures = [];
         const phantoms = [];
+        const defaultPatterns = ['**/*.{ts,js,tsx,jsx,py,go,cs,java,kt}'];
+        const scanPatterns = context.patterns || defaultPatterns;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py,go,cs,java,kt}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
                 '**/*.test.*', '**/*.spec.*', '**/__tests__/**',
                 '**/.venv/**', '**/venv/**', '**/vendor/**', '**/__pycache__/**',

package/dist/gates/promise-safety-helpers.js

@@ -39,7 +39,7 @@ export function extractIndentedBody(content, startIdx) {
 }
 export function isInsideTryBlock(lines, lineIdx) {
     let braceDepth = 0;
-    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
+    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 100); j--) {
         const prevLine = stripStrings(lines[j]);
         for (const ch of prevLine) {
             if (ch === '}')
@@ -56,7 +56,7 @@ export function isInsideTryBlock(lines, lineIdx) {
 }
 export function isInsidePythonTry(lines, lineIdx) {
     const lineIndent = lines[lineIdx].length - lines[lineIdx].trimStart().length;
-    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
+    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 100); j--) {
         const trimmed = lines[j].trim();
         if (trimmed === '')
             continue;
@@ -71,7 +71,7 @@ export function isInsidePythonTry(lines, lineIdx) {
     return false;
 }
 export function isInsideRubyRescue(lines, lineIdx) {
-    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
+    for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 100); j--) {
         const trimmed = lines[j].trim();
         if (trimmed === 'begin')
             return true;
@@ -83,14 +83,14 @@ export function isInsideRubyRescue(lines, lineIdx) {
     return false;
 }
 export function hasCatchAhead(lines, idx) {
-    for (let j = idx; j < Math.min(idx + 10, lines.length); j++) {
+    for (let j = idx; j < Math.min(idx + 50, lines.length); j++) {
         if (/\.catch\s*\(/.test(lines[j]))
             return true;
     }
     return false;
 }
 export function hasStatusCheckAhead(lines, idx) {
-    for (let j = idx; j < Math.min(idx + 10, lines.length); j++) {
+    for (let j = idx; j < Math.min(idx + 50, lines.length); j++) {
         if (/\.\s*ok\b/.test(lines[j]) || /\.status(?:Text)?\b/.test(lines[j]))
             return true;
     }