@rigour-labs/core 4.3.1 → 4.3.3

package/dist/gates/promise-safety.js

@@ -36,9 +36,10 @@ export class PromiseSafetyGate extends Gate {
             return [];
         const violations = [];
         const allPatterns = Object.values(LANG_GLOBS).flat();
+        const scanPatterns = context.patterns || allPatterns;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: allPatterns,
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
                 '**/*.test.*', '**/*.spec.*', '**/vendor/**', '**/__pycache__/**',
                 '**/bin/Debug/**', '**/bin/Release/**', '**/obj/**', '**/venv/**', '**/.venv/**'],
@@ -87,7 +88,7 @@ export class PromiseSafetyGate extends Gate {
             if (!/\.then\s*\(/.test(line))
                 continue;
             let hasCatch = false;
-            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+            for (let j = i; j < Math.min(i + 50, lines.length); j++) {
                 const lookahead = this.sanitizeLine(lines[j]);
                 if (/\.catch\s*\(/.test(lookahead)) {
                     hasCatch = true;
@@ -209,7 +210,7 @@ export class PromiseSafetyGate extends Gate {
             if (!httpPatterns.test(lines[i]) || isInsidePythonTry(lines, i))
                 continue;
             let hasCheck = false;
-            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+            for (let j = i; j < Math.min(i + 50, lines.length); j++) {
                 if (/raise_for_status|status_code/.test(lines[j])) {
                     hasCheck = true;
                     break;
@@ -317,7 +318,7 @@ export class PromiseSafetyGate extends Gate {
         for (let i = 0; i < lines.length; i++) {
             if (/\.(?:GetAsync|PostAsync|SendAsync)\s*\(/.test(lines[i]) && !isInsideTryBlock(lines, i)) {
                 let hasCheck = false;
-                for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+                for (let j = i; j < Math.min(i + 50, lines.length); j++) {
                     if (/EnsureSuccess|IsSuccessStatusCode|StatusCode/.test(lines[j])) {
                         hasCheck = true;
                         break;

package/dist/gates/runner.js

@@ -15,6 +15,7 @@ import { RetryLoopBreakerGate } from './retry-loop-breaker.js';
 import { AgentTeamGate } from './agent-team.js';
 import { CheckpointGate } from './checkpoint.js';
 import { SecurityPatternsGate } from './security-patterns.js';
+import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
 import { DuplicationDriftGate } from './duplication-drift.js';
 import { HallucinatedImportsGate } from './hallucinated-imports.js';
 import { InconsistentErrorHandlingGate } from './inconsistent-error-handling.js';
@@ -67,6 +68,9 @@ export class GateRunner {
         if (this.config.gates.security?.enabled !== false) {
             this.gates.push(new SecurityPatternsGate(this.config.gates.security));
         }
+        if (this.config.gates.frontend_secret_exposure?.enabled !== false) {
+            this.gates.push(new FrontendSecretExposureGate(this.config.gates.frontend_secret_exposure));
+        }
         // v2.16+ AI-Native Drift Detection Gates (enabled by default)
         if (this.config.gates.duplication_drift?.enabled !== false) {
             this.gates.push(new DuplicationDriftGate(this.config.gates.duplication_drift));
@@ -195,13 +199,13 @@ export class GateRunner {
                 }
                 const isLocalDeepExecution = !deepOptions.apiKey || (deepOptions.provider || '').toLowerCase() === 'local';
                 const deepTier = isLocalDeepExecution
-                    ? (deepOptions.pro ? 'pro' : 'deep')
+                    ? (deepOptions.pro ? 'deep' : 'lite')
                     : 'cloud';
                 deepStats = {
                     enabled: true,
                     tier: deepTier,
                     model: isLocalDeepExecution
-                        ? (deepOptions.pro ? 'Qwen2.5-Coder-1.5B' : 'Qwen2.5-Coder-0.5B')
+                        ? (deepOptions.pro ? 'Qwen2.5-Coder-1.5B' : 'Qwen3.5-0.8B')
                         : (deepOptions.modelName || deepOptions.provider || 'cloud'),
                     total_ms: Date.now() - deepSetupStart,
                     findings_count: deepFailures.length,

package/dist/gates/runner.test.js

@@ -25,7 +25,7 @@ describe('GateRunner deep stats execution mode', () => {
             },
         });
     }
-    it('reports local deep tier when provider=local even with apiKey', async () => {
+    it('reports local lite tier when provider=local even with apiKey', async () => {
         vi.spyOn(DeepAnalysisGate.prototype, 'run').mockResolvedValue([]);
         const runner = createRunner();
         const report = await runner.run(testDir, undefined, {
@@ -34,10 +34,10 @@ describe('GateRunner deep stats execution mode', () => {
             provider: 'local',
             pro: false,
         });
-        expect(report.stats.deep?.tier).toBe('deep');
-        expect(report.stats.deep?.model).toBe('Qwen2.5-Coder-0.5B');
+        expect(report.stats.deep?.tier).toBe('lite');
+        expect(report.stats.deep?.model).toBe('Qwen3.5-0.8B');
     });
-    it('reports local pro tier when provider=local and pro=true', async () => {
+    it('reports local deep tier when provider=local and pro=true', async () => {
         vi.spyOn(DeepAnalysisGate.prototype, 'run').mockResolvedValue([]);
         const runner = createRunner();
         const report = await runner.run(testDir, undefined, {
@@ -46,7 +46,7 @@ describe('GateRunner deep stats execution mode', () => {
             provider: 'local',
             pro: true,
         });
-        expect(report.stats.deep?.tier).toBe('pro');
+        expect(report.stats.deep?.tier).toBe('deep');
         expect(report.stats.deep?.model).toBe('Qwen2.5-Coder-1.5B');
     });
     it('reports cloud tier/model for cloud providers', async () => {

package/dist/gates/security-patterns.js

@@ -251,9 +251,10 @@ export class SecurityPatternsGate extends Gate {
         }
         const failures = [];
         const vulnerabilities = [];
+        const scanPatterns = context.patterns || ['**/*.{ts,js,tsx,jsx,py,java,go}'];
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: ['**/*.{ts,js,tsx,jsx,py,java,go}'],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**', '**/.next/**', '**/coverage/**'],
         });
         const scanFiles = files.filter(file => !this.shouldSkipSecurityFile(file));

package/dist/gates/side-effect-analysis.js

@@ -73,9 +73,10 @@ export class SideEffectAnalysisGate extends Gate {
         if (!this.cfg.enabled)
             return [];
         const violations = [];
+        const scanPatterns = context.patterns || FILE_GLOBS;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: FILE_GLOBS,
+            patterns: scanPatterns,
             ignore: [
                 ...(context.ignore || []),
                 '**/node_modules/**', '**/dist/**', '**/build/**',

package/dist/gates/test-quality.js

@@ -50,16 +50,18 @@ export class TestQualityGate extends Gate {
             return [];
         const failures = [];
         const issues = [];
+        const defaultPatterns = [
+            '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}',
+            '**/__tests__/**/*.{ts,js,tsx,jsx}',
+            '**/test_*.py', '**/*_test.py', '**/tests/**/*.py',
+            '**/*_test.go',
+            '**/*Test.java', '**/*Tests.java', '**/src/test/**/*.java',
+            '**/*Test.kt', '**/*Tests.kt', '**/src/test/**/*.kt',
+        ];
+        const scanPatterns = context.patterns || defaultPatterns;
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
-            patterns: [
-                '**/*.test.{ts,js,tsx,jsx}', '**/*.spec.{ts,js,tsx,jsx}',
-                '**/__tests__/**/*.{ts,js,tsx,jsx}',
-                '**/test_*.py', '**/*_test.py', '**/tests/**/*.py',
-                '**/*_test.go',
-                '**/*Test.java', '**/*Tests.java', '**/src/test/**/*.java',
-                '**/*Test.kt', '**/*Tests.kt', '**/src/test/**/*.kt',
-            ],
+            patterns: scanPatterns,
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
                 '**/.venv/**', '**/venv/**', '**/vendor/**',
                 '**/target/**', '**/.gradle/**', '**/out/**'],

package/dist/index.d.ts

@@ -7,6 +7,7 @@ export * from './types/fix-packet.js';
 export { Gate, GateContext } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export { SideEffectAnalysisGate } from './gates/side-effect-analysis.js';
+export { FrontendSecretExposureGate } from './gates/frontend-secret-exposure.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
 export * from './hooks/index.js';

package/dist/index.js

@@ -7,6 +7,7 @@ export * from './types/fix-packet.js';
 export { Gate } from './gates/base.js';
 export { RetryLoopBreakerGate } from './gates/retry-loop-breaker.js';
 export { SideEffectAnalysisGate } from './gates/side-effect-analysis.js';
+export { FrontendSecretExposureGate } from './gates/frontend-secret-exposure.js';
 export * from './utils/logger.js';
 export * from './services/score-history.js';
 export * from './hooks/index.js';

package/dist/inference/index.js

@@ -18,6 +18,8 @@ export function createProvider(options) {
         });
     }
     // Default: local sidecar
-    const tier = options.pro ? 'pro' : 'deep';
+    // deep = Qwen2.5-Coder-1.5B (full power, company-hosted)
+    // lite = Qwen3.5-0.8B (lightweight, default CLI sidecar)
+    const tier = options.pro ? 'deep' : 'lite';
     return new SidecarProvider(tier);
 }

package/dist/inference/sidecar-provider.js

@@ -27,7 +27,7 @@ export class SidecarProvider {
     modelPath = null;
     tier;
     threads;
-    constructor(tier = 'deep', threads = 4) {
+    constructor(tier = 'lite', threads = 4) {
         this.tier = tier;
         this.threads = threads;
     }

package/dist/inference/types.d.ts

@@ -60,8 +60,12 @@ export interface DeepAnalysisResult {
 }
 /**
  * Available model tiers.
+ *
+ * - deep: Qwen2.5-Coder-1.5B fine-tuned — full power, company-hosted
+ * - lite: Qwen3.5-0.8B fine-tuned — lightweight, ships as default CLI sidecar
+ * - legacy: Qwen2.5-Coder-0.5B fine-tuned — previous default, reproducibility
  */
-export type ModelTier = 'deep' | 'pro';
+export type ModelTier = 'deep' | 'lite' | 'legacy';
 /**
  * Model info for download/caching.
  */

package/dist/inference/types.js

@@ -8,20 +8,28 @@ export const MODEL_VERSION = '1';
 export const MODELS = {
     deep: {
         tier: 'deep',
-        name: 'Rigour-Deep-v1 (Qwen2.5-Coder-0.5B fine-tuned)',
+        name: 'Rigour-Deep-v1 (Qwen2.5-Coder-1.5B fine-tuned)',
         filename: `rigour-deep-v${MODEL_VERSION}-q4_k_m.gguf`,
         url: `https://huggingface.co/rigour-labs/rigour-deep-v1-gguf/resolve/main/rigour-deep-v${MODEL_VERSION}-q4_k_m.gguf`,
-        sizeBytes: 350_000_000,
-        sizeHuman: '350MB',
-    },
-    pro: {
-        tier: 'pro',
-        name: 'Rigour-Pro-v1 (Qwen2.5-Coder-1.5B fine-tuned)',
-        filename: `rigour-pro-v${MODEL_VERSION}-q4_k_m.gguf`,
-        url: `https://huggingface.co/rigour-labs/rigour-pro-v1-gguf/resolve/main/rigour-pro-v${MODEL_VERSION}-q4_k_m.gguf`,
         sizeBytes: 900_000_000,
         sizeHuman: '900MB',
     },
+    lite: {
+        tier: 'lite',
+        name: 'Rigour-Lite-v1 (Qwen3.5-0.8B fine-tuned)',
+        filename: `rigour-lite-v${MODEL_VERSION}-q4_k_m.gguf`,
+        url: `https://huggingface.co/rigour-labs/rigour-lite-v1-gguf/resolve/main/rigour-lite-v${MODEL_VERSION}-q4_k_m.gguf`,
+        sizeBytes: 500_000_000,
+        sizeHuman: '500MB',
+    },
+    legacy: {
+        tier: 'legacy',
+        name: 'Rigour-Legacy-v1 (Qwen2.5-Coder-0.5B fine-tuned)',
+        filename: `rigour-legacy-v${MODEL_VERSION}-q4_k_m.gguf`,
+        url: `https://huggingface.co/rigour-labs/rigour-legacy-v1-gguf/resolve/main/rigour-legacy-v${MODEL_VERSION}-q4_k_m.gguf`,
+        sizeBytes: 350_000_000,
+        sizeHuman: '350MB',
+    },
 };
 /**
  * Fallback stock models — used when fine-tuned model is not yet
@@ -30,18 +38,26 @@ export const MODELS = {
 export const FALLBACK_MODELS = {
     deep: {
         tier: 'deep',
-        name: 'Qwen2.5-Coder-0.5B-Instruct (stock)',
-        filename: 'qwen2.5-coder-0.5b-instruct-q4_k_m.gguf',
-        url: 'https://huggingface.co/Qwen/Qwen2.5-Coder-0.5B-Instruct-GGUF/resolve/main/qwen2.5-coder-0.5b-instruct-q4_k_m.gguf',
-        sizeBytes: 350_000_000,
-        sizeHuman: '350MB',
-    },
-    pro: {
-        tier: 'pro',
         name: 'Qwen2.5-Coder-1.5B-Instruct (stock)',
         filename: 'qwen2.5-coder-1.5b-instruct-q4_k_m.gguf',
         url: 'https://huggingface.co/Qwen/Qwen2.5-Coder-1.5B-Instruct-GGUF/resolve/main/qwen2.5-coder-1.5b-instruct-q4_k_m.gguf',
         sizeBytes: 900_000_000,
         sizeHuman: '900MB',
     },
+    lite: {
+        tier: 'lite',
+        name: 'Qwen3.5-0.8B (stock)',
+        filename: 'qwen3.5-0.8b-q4_k_m.gguf',
+        url: 'https://huggingface.co/Qwen/Qwen3.5-0.8B-GGUF/resolve/main/qwen3.5-0.8b-q4_k_m.gguf',
+        sizeBytes: 500_000_000,
+        sizeHuman: '500MB',
+    },
+    legacy: {
+        tier: 'legacy',
+        name: 'Qwen2.5-Coder-0.5B-Instruct (stock)',
+        filename: 'qwen2.5-coder-0.5b-instruct-q4_k_m.gguf',
+        url: 'https://huggingface.co/Qwen/Qwen2.5-Coder-0.5B-Instruct-GGUF/resolve/main/qwen2.5-coder-0.5b-instruct-q4_k_m.gguf',
+        sizeBytes: 350_000_000,
+        sizeHuman: '350MB',
+    },
 };

package/dist/templates/universal-config.js

@@ -72,6 +72,36 @@ export const UNIVERSAL_CONFIG = {
             command_injection: true,
             block_on_severity: 'high',
         },
+        frontend_secret_exposure: {
+            enabled: true,
+            block_on_severity: 'high',
+            check_process_env: true,
+            check_import_meta_env: true,
+            secret_env_name_patterns: [
+                '(?:^|_)(?:secret|private)(?:_|$)',
+                '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+                '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+            ],
+            safe_public_prefixes: ['NEXT_PUBLIC_', 'VITE_', 'PUBLIC_', 'NUXT_PUBLIC_', 'REACT_APP_'],
+            frontend_path_patterns: [
+                '(^|/)pages/(?!api/)',
+                '(^|/)components/',
+                '(^|/)src/components/',
+                '(^|/)src/views/',
+                '(^|/)src/app/',
+                '(^|/)app/(?!api/)',
+                '(^|/)views/',
+                '(^|/)public/',
+            ],
+            server_path_patterns: [
+                '(^|/)pages/api/',
+                '(^|/)src/pages/api/',
+                '(^|/)app/api/',
+                '(^|/)src/app/api/',
+                '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+            ],
+            allowlist_env_names: [],
+        },
         adaptive: {
             enabled: false,
             base_coverage_threshold: 80,

package/dist/types/index.d.ts

@@ -213,6 +213,37 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection?: boolean | undefined;
         block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
     }>>>;
+    frontend_secret_exposure: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        block_on_severity: z.ZodDefault<z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low"]>>>;
+        check_process_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        check_import_meta_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+        secret_env_name_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        safe_public_prefixes: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        frontend_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        server_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        allowlist_env_names: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        block_on_severity: "critical" | "high" | "medium" | "low";
+        check_process_env: boolean;
+        check_import_meta_env: boolean;
+        secret_env_name_patterns: string[];
+        safe_public_prefixes: string[];
+        frontend_path_patterns: string[];
+        server_path_patterns: string[];
+        allowlist_env_names: string[];
+    }, {
+        enabled?: boolean | undefined;
+        block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+        check_process_env?: boolean | undefined;
+        check_import_meta_env?: boolean | undefined;
+        secret_env_name_patterns?: string[] | undefined;
+        safe_public_prefixes?: string[] | undefined;
+        frontend_path_patterns?: string[] | undefined;
+        server_path_patterns?: string[] | undefined;
+        allowlist_env_names?: string[] | undefined;
+    }>>>;
     adaptive: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
         base_coverage_threshold: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
@@ -674,6 +705,17 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection: boolean;
         block_on_severity: "critical" | "high" | "medium" | "low";
     };
+    frontend_secret_exposure: {
+        enabled: boolean;
+        block_on_severity: "critical" | "high" | "medium" | "low";
+        check_process_env: boolean;
+        check_import_meta_env: boolean;
+        secret_env_name_patterns: string[];
+        safe_public_prefixes: string[];
+        frontend_path_patterns: string[];
+        server_path_patterns: string[];
+        allowlist_env_names: string[];
+    };
     adaptive: {
         enabled: boolean;
         base_coverage_threshold: number;
@@ -874,6 +916,17 @@ export declare const GatesSchema: z.ZodObject<{
         command_injection?: boolean | undefined;
         block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
     } | undefined;
+    frontend_secret_exposure?: {
+        enabled?: boolean | undefined;
+        block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+        check_process_env?: boolean | undefined;
+        check_import_meta_env?: boolean | undefined;
+        secret_env_name_patterns?: string[] | undefined;
+        safe_public_prefixes?: string[] | undefined;
+        frontend_path_patterns?: string[] | undefined;
+        server_path_patterns?: string[] | undefined;
+        allowlist_env_names?: string[] | undefined;
+    } | undefined;
     adaptive?: {
         enabled?: boolean | undefined;
         base_coverage_threshold?: number | undefined;
@@ -1245,6 +1298,37 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         }>>>;
+        frontend_secret_exposure: z.ZodDefault<z.ZodOptional<z.ZodObject<{
+            enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            block_on_severity: z.ZodDefault<z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low"]>>>;
+            check_process_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            check_import_meta_env: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+            secret_env_name_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            safe_public_prefixes: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            frontend_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            server_path_patterns: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+            allowlist_env_names: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        }, "strip", z.ZodTypeAny, {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        }, {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        }>>>;
         adaptive: z.ZodDefault<z.ZodOptional<z.ZodObject<{
             enabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
             base_coverage_threshold: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
@@ -1706,6 +1790,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection: boolean;
             block_on_severity: "critical" | "high" | "medium" | "low";
         };
+        frontend_secret_exposure: {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        };
         adaptive: {
             enabled: boolean;
             base_coverage_threshold: number;
@@ -1906,6 +2001,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         } | undefined;
+        frontend_secret_exposure?: {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        } | undefined;
         adaptive?: {
             enabled?: boolean | undefined;
             base_coverage_threshold?: number | undefined;
@@ -2148,6 +2254,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection: boolean;
             block_on_severity: "critical" | "high" | "medium" | "low";
         };
+        frontend_secret_exposure: {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        };
         adaptive: {
             enabled: boolean;
             base_coverage_threshold: number;
@@ -2374,6 +2491,17 @@ export declare const ConfigSchema: z.ZodObject<{
             command_injection?: boolean | undefined;
             block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
         } | undefined;
+        frontend_secret_exposure?: {
+            enabled?: boolean | undefined;
+            block_on_severity?: "critical" | "high" | "medium" | "low" | undefined;
+            check_process_env?: boolean | undefined;
+            check_import_meta_env?: boolean | undefined;
+            secret_env_name_patterns?: string[] | undefined;
+            safe_public_prefixes?: string[] | undefined;
+            frontend_path_patterns?: string[] | undefined;
+            server_path_patterns?: string[] | undefined;
+            allowlist_env_names?: string[] | undefined;
+        } | undefined;
         adaptive?: {
             enabled?: boolean | undefined;
             base_coverage_threshold?: number | undefined;
@@ -2620,7 +2748,7 @@ export declare const ReportSchema: z.ZodObject<{
         }>>;
         deep: z.ZodOptional<z.ZodObject<{
             enabled: z.ZodBoolean;
-            tier: z.ZodOptional<z.ZodEnum<["deep", "pro", "cloud"]>>;
+            tier: z.ZodOptional<z.ZodEnum<["deep", "lite", "legacy", "cloud"]>>;
             model: z.ZodOptional<z.ZodString>;
             total_ms: z.ZodOptional<z.ZodNumber>;
             files_analyzed: z.ZodOptional<z.ZodNumber>;
@@ -2628,7 +2756,7 @@ export declare const ReportSchema: z.ZodObject<{
             findings_verified: z.ZodOptional<z.ZodNumber>;
         }, "strip", z.ZodTypeAny, {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;
@@ -2636,7 +2764,7 @@ export declare const ReportSchema: z.ZodObject<{
             findings_verified?: number | undefined;
         }, {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;
@@ -2647,7 +2775,7 @@ export declare const ReportSchema: z.ZodObject<{
         duration_ms: number;
         deep?: {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;
@@ -2670,7 +2798,7 @@ export declare const ReportSchema: z.ZodObject<{
         duration_ms: number;
         deep?: {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;
@@ -2695,7 +2823,7 @@ export declare const ReportSchema: z.ZodObject<{
         duration_ms: number;
         deep?: {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;
@@ -2737,7 +2865,7 @@ export declare const ReportSchema: z.ZodObject<{
         duration_ms: number;
         deep?: {
             enabled: boolean;
-            tier?: "deep" | "pro" | "cloud" | undefined;
+            tier?: "deep" | "lite" | "legacy" | "cloud" | undefined;
             model?: string | undefined;
             total_ms?: number | undefined;
             files_analyzed?: number | undefined;

package/dist/types/index.js

@@ -95,6 +95,42 @@ export const GatesSchema = z.object({
         command_injection: z.boolean().optional().default(true),
         block_on_severity: z.enum(['critical', 'high', 'medium', 'low']).optional().default('high'),
     }).optional().default({}),
+    frontend_secret_exposure: z.object({
+        enabled: z.boolean().optional().default(true),
+        block_on_severity: z.enum(['critical', 'high', 'medium', 'low']).optional().default('high'),
+        check_process_env: z.boolean().optional().default(true),
+        check_import_meta_env: z.boolean().optional().default(true),
+        secret_env_name_patterns: z.array(z.string()).optional().default([
+            '(?:^|_)(?:secret|private)(?:_|$)',
+            '(?:^|_)(?:token|api[_-]?key|access[_-]?key|client[_-]?secret|signing|webhook)(?:_|$)',
+            '(?:^|_)(?:db[_-]?url|database[_-]?url|connection[_-]?string)(?:_|$)',
+        ]),
+        safe_public_prefixes: z.array(z.string()).optional().default([
+            'NEXT_PUBLIC_',
+            'VITE_',
+            'PUBLIC_',
+            'NUXT_PUBLIC_',
+            'REACT_APP_',
+        ]),
+        frontend_path_patterns: z.array(z.string()).optional().default([
+            '(^|/)pages/(?!api/)',
+            '(^|/)components/',
+            '(^|/)src/components/',
+            '(^|/)src/views/',
+            '(^|/)src/app/',
+            '(^|/)app/(?!api/)',
+            '(^|/)views/',
+            '(^|/)public/',
+        ]),
+        server_path_patterns: z.array(z.string()).optional().default([
+            '(^|/)pages/api/',
+            '(^|/)src/pages/api/',
+            '(^|/)app/api/',
+            '(^|/)src/app/api/',
+            '\\.server\\.(?:ts|tsx|js|jsx|mjs|cjs)$',
+        ]),
+        allowlist_env_names: z.array(z.string()).optional().default([]),
+    }).optional().default({}),
     adaptive: z.object({
         enabled: z.boolean().optional().default(false),
         base_coverage_threshold: z.number().optional().default(80),
@@ -347,7 +383,7 @@ export const ReportSchema = z.object({
         }).optional(),
         deep: z.object({
             enabled: z.boolean(),
-            tier: z.enum(['deep', 'pro', 'cloud']).optional(),
+            tier: z.enum(['deep', 'lite', 'legacy', 'cloud']).optional(),
             model: z.string().optional(),
             total_ms: z.number().optional(),
             files_analyzed: z.number().optional(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "4.3.1",
+  "version": "4.3.3",
   "description": "Deterministic quality gate engine for AI-generated code. AST analysis, drift detection, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -59,11 +59,11 @@
     "@xenova/transformers": "^2.17.2",
     "better-sqlite3": "^11.0.0",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "4.3.1",
-    "@rigour-labs/brain-darwin-x64": "4.3.1",
-    "@rigour-labs/brain-linux-arm64": "4.3.1",
-    "@rigour-labs/brain-win-x64": "4.3.1",
-    "@rigour-labs/brain-linux-x64": "4.3.1"
+    "@rigour-labs/brain-darwin-arm64": "4.3.3",
+    "@rigour-labs/brain-linux-arm64": "4.3.3",
+    "@rigour-labs/brain-darwin-x64": "4.3.3",
+    "@rigour-labs/brain-win-x64": "4.3.3",
+    "@rigour-labs/brain-linux-x64": "4.3.3"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.12",