@runa-ai/runa-cli 0.5.71 → 0.6.0

package/dist/vuln-checker-2QXGN5YT.js

@@ -0,0 +1,2950 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { CLI_VERSION } from './chunk-GOGRLQNP.js';
+import { init_esm_shims } from './chunk-VRXHCR5K.js';
+import { glob } from 'glob';
+import { exec } from 'child_process';
+import fs from 'fs/promises';
+import path2 from 'path';
+import { promisify } from 'util';
+import { Project, Node, SyntaxKind } from 'ts-morph';
+import yaml from 'js-yaml';
+import 'fs';
+import { minimatch } from 'minimatch';
+
+createRequire(import.meta.url);
+
+// src/internal/vuln-checker/index.ts
+init_esm_shims();
+
+// src/internal/vuln-checker/analyzers/dependency-analyzer.ts
+init_esm_shims();
+
+// src/internal/vuln-checker/constants.ts
+init_esm_shims();
+var OWASP_2021 = {
+  /** A01:2021 - Broken Access Control */
+  BROKEN_ACCESS_CONTROL: "A01:2021",
+  /** A02:2021 - Cryptographic Failures */
+  CRYPTO_FAILURES: "A02:2021",
+  /** A03:2021 - Injection */
+  INJECTION: "A03:2021",
+  /** A06:2021 - Vulnerable and Outdated Components */
+  VULNERABLE_COMPONENTS: "A06:2021",
+  /** A07:2021 - Identification and Authentication Failures */
+  AUTH_FAILURES: "A07:2021",
+  /** A08:2021 - Software and Data Integrity Failures */
+  INTEGRITY_FAILURES: "A08:2021",
+  /** A09:2021 - Security Logging and Monitoring Failures */
+  LOGGING_FAILURES: "A09:2021"};
+var CWE = {
+  /** CWE-78: OS Command Injection */
+  COMMAND_INJECTION: "CWE-78",
+  /** CWE-79: Cross-site Scripting (XSS) */
+  XSS: "CWE-79",
+  /** CWE-89: SQL Injection */
+  SQL_INJECTION: "CWE-89",
+  /** CWE-95: Eval Injection */
+  EVAL_INJECTION: "CWE-95",
+  /** CWE-284: Improper Access Control */
+  IMPROPER_ACCESS_CONTROL: "CWE-284",
+  /** CWE-306: Missing Authentication */
+  MISSING_AUTH: "CWE-306",
+  /** CWE-321: Use of Hard-coded Cryptographic Key */
+  HARDCODED_CRYPTO_KEY: "CWE-321",
+  /** CWE-330: Use of Insufficiently Random Values */
+  WEAK_RANDOM: "CWE-330",
+  /** CWE-532: Insertion of Sensitive Information into Log File */
+  SENSITIVE_LOG: "CWE-532",
+  /** CWE-798: Use of Hard-coded Credentials */
+  HARDCODED_CREDENTIALS: "CWE-798",
+  /** CWE-1104: Use of Unmaintained Third Party Components */
+  UNMAINTAINED_COMPONENTS: "CWE-1104",
+  /** CWE-494: Download of Code Without Integrity Check */
+  UNTRUSTED_DOWNLOAD: "CWE-494"
+};
+var SEVERITY_SCORE = {
+  critical: 10,
+  high: 8,
+  medium: 5,
+  low: 3,
+  info: 1
+};
+var TOOL = {
+  NAME: "runa-vuln-checker",
+  VERSION: CLI_VERSION,
+  REPO_URL: "https://github.com/r06-dev/runa"
+};
+
+// src/internal/vuln-checker/analyzers/dependency-analyzer.ts
+var execAsync = promisify(exec);
+function levenshteinDistance(a, b) {
+  const matrix = [];
+  for (let i = 0; i <= a.length; i++) {
+    matrix[i] = [i];
+  }
+  for (let j = 0; j <= b.length; j++) {
+    matrix[0][j] = j;
+  }
+  for (let i = 1; i <= a.length; i++) {
+    for (let j = 1; j <= b.length; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      matrix[i][j] = Math.min(
+        matrix[i - 1][j] + 1,
+        // deletion
+        matrix[i][j - 1] + 1,
+        // insertion
+        matrix[i - 1][j - 1] + cost
+        // substitution
+      );
+    }
+  }
+  return matrix[a.length][b.length];
+}
+var POPULAR_PACKAGES = [
+  // Web frameworks
+  "express",
+  "fastify",
+  "koa",
+  "hono",
+  "next",
+  "nuxt",
+  // React ecosystem
+  "react",
+  "react-dom",
+  "react-router",
+  "redux",
+  "zustand",
+  // Vue ecosystem
+  "vue",
+  "vuex",
+  "pinia",
+  // Utilities
+  "lodash",
+  "underscore",
+  "ramda",
+  "axios",
+  "node-fetch",
+  "got",
+  "moment",
+  "dayjs",
+  "date-fns",
+  // Build tools
+  "webpack",
+  "vite",
+  "esbuild",
+  "rollup",
+  "parcel",
+  "turbo",
+  // Testing
+  "jest",
+  "mocha",
+  "vitest",
+  "playwright",
+  "cypress",
+  // Type/schema
+  "typescript",
+  "zod",
+  "yup",
+  "joi",
+  // Database
+  "mongoose",
+  "sequelize",
+  "prisma",
+  "drizzle-orm",
+  "knex",
+  // CLI
+  "commander",
+  "yargs",
+  "inquirer",
+  "chalk",
+  "ora",
+  // Config
+  "dotenv",
+  "config",
+  "convict",
+  // Security
+  "jsonwebtoken",
+  "bcrypt",
+  "helmet",
+  "cors",
+  // Other popular
+  "uuid",
+  "nanoid",
+  "debug",
+  "winston",
+  "pino",
+  "socket.io",
+  "graphql",
+  "apollo-server"
+];
+var KNOWN_TYPOSQUATS = {
+  // lodash variants
+  lodsh: "lodash",
+  loadash: "lodash",
+  lodahs: "lodash",
+  "lodash-js": "lodash",
+  // express variants
+  expres: "express",
+  expresss: "express",
+  exress: "express",
+  // react variants
+  reakt: "react",
+  reactt: "react",
+  raect: "react",
+  // axios variants
+  axois: "axios",
+  axioss: "axios",
+  axio: "axios",
+  // moment variants
+  momnet: "moment",
+  momet: "moment",
+  momment: "moment",
+  // commander variants
+  comander: "commander",
+  comandr: "commander",
+  // mongoose variants
+  mongose: "mongoose",
+  mongoos: "mongoose",
+  // dotenv variants
+  dotenve: "dotenv",
+  // webpack variants
+  webpck: "webpack",
+  weback: "webpack",
+  // typescript variants
+  typescrip: "typescript",
+  typescrit: "typescript",
+  // npm variants
+  npmm: "npm"
+};
+function mapSeverity(npmSeverity) {
+  switch (npmSeverity) {
+    case "critical":
+      return "critical";
+    case "high":
+      return "high";
+    case "moderate":
+      return "medium";
+    case "low":
+      return "low";
+    default:
+      return "info";
+  }
+}
+function extractVulnDetails(pkgName, vuln) {
+  let title = `Vulnerable dependency: ${pkgName}`;
+  let description = `Package ${pkgName} has known vulnerabilities.`;
+  let cveUrl;
+  if (Array.isArray(vuln.via)) {
+    for (const via of vuln.via) {
+      if (typeof via === "object" && "title" in via) {
+        title = via.title;
+        description = `${via.title} in ${pkgName}`;
+        cveUrl = via.url;
+        break;
+      }
+    }
+  }
+  return { title, description, cveUrl };
+}
+function buildFixDescription(vuln) {
+  if (!vuln.fixAvailable || typeof vuln.fixAvailable !== "object") {
+    return "Update to a patched version";
+  }
+  const fix = vuln.fixAvailable;
+  let desc = `Update to ${fix.name}@${fix.version}`;
+  if (fix.isSemVerMajor) {
+    desc += " (major version update required)";
+  }
+  return desc;
+}
+function createVulnFinding(pkgName, vuln, packageJsonPath) {
+  const severity = mapSeverity(vuln.severity);
+  const { title, description, cveUrl } = extractVulnDetails(pkgName, vuln);
+  const depType = vuln.isDirect ? " (direct dependency)" : " (transitive dependency)";
+  return {
+    ruleId: "dependency/cve",
+    severity,
+    title,
+    description: `${description}${depType}`,
+    location: { file: packageJsonPath, line: 1, column: 1 },
+    fix: { description: buildFixDescription(vuln) },
+    metadata: {
+      package: pkgName,
+      range: vuln.range,
+      isDirect: vuln.isDirect,
+      url: cveUrl
+    },
+    cweId: CWE.UNMAINTAINED_COMPONENTS,
+    owaspCategory: OWASP_2021.VULNERABLE_COMPONENTS,
+    confidence: 0.95
+  };
+}
+function createKnownTyposquatFinding(depName, legitimate, packageJsonPath) {
+  return {
+    ruleId: "dependency/typosquat",
+    severity: "high",
+    title: "Known Typosquatting Package",
+    description: `Package "${depName}" is a known typosquatting attempt of "${legitimate}"`,
+    location: { file: packageJsonPath, line: 1, column: 1 },
+    fix: { description: `Replace with the legitimate package "${legitimate}"` },
+    metadata: { suspicious: depName, legitimate },
+    cweId: CWE.UNTRUSTED_DOWNLOAD,
+    owaspCategory: OWASP_2021.INTEGRITY_FAILURES,
+    confidence: 0.95
+  };
+}
+function createSimilarityTyposquatFinding(depName, popular, distance, packageJsonPath) {
+  return {
+    ruleId: "dependency/typosquat",
+    severity: "medium",
+    title: "Potential Typosquatting Package",
+    description: `Package "${depName}" is very similar to popular package "${popular}" (distance: ${distance})`,
+    location: { file: packageJsonPath, line: 1, column: 1 },
+    fix: { description: `Verify this is the correct package. Did you mean "${popular}"?` },
+    metadata: { suspicious: depName, legitimate: popular, levenshteinDistance: distance },
+    cweId: CWE.UNTRUSTED_DOWNLOAD,
+    owaspCategory: OWASP_2021.INTEGRITY_FAILURES,
+    confidence: 0.6
+  };
+}
+function isLikelyPackageVariant(name, baseName) {
+  return name.startsWith(`${baseName}-`) || name.endsWith(`-${baseName}`) || name.includes(`${baseName}-`) || name.includes(`-${baseName}`);
+}
+function getMaxTyposquatDistance(length) {
+  if (length <= 4) return 1;
+  if (length <= 8) return 2;
+  return 3;
+}
+function checkTyposquat(depName, packageJsonPath) {
+  const nameWithoutScope = depName.replace(/^@[^/]+\//, "").toLowerCase();
+  const knownLegitimate = KNOWN_TYPOSQUATS[nameWithoutScope];
+  if (knownLegitimate) {
+    return createKnownTyposquatFinding(depName, knownLegitimate, packageJsonPath);
+  }
+  for (const popular of POPULAR_PACKAGES) {
+    if (nameWithoutScope === popular.toLowerCase()) continue;
+    const maxDistance = getMaxTyposquatDistance(popular.length);
+    const distance = levenshteinDistance(nameWithoutScope, popular.toLowerCase());
+    if (distance > 0 && distance <= maxDistance && !isLikelyPackageVariant(nameWithoutScope, popular)) {
+      return createSimilarityTyposquatFinding(depName, popular, distance, packageJsonPath);
+    }
+  }
+  return null;
+}
+var SUSPICIOUS_NAME_PATTERNS = [
+  // Single character variants (e.g., "lodash-a", "react-x")
+  {
+    pattern: /^[^@].*-[a-zA-Z]$/,
+    description: "Single letter suffix",
+    confidence: 0.5
+  },
+  // Random number suffix (e.g., "express-123", "react-42")
+  // But not version-like (e.g., "es6-promise" is OK)
+  {
+    pattern: /-[0-9]{2,}$/,
+    description: "Random number suffix",
+    confidence: 0.4
+  },
+  // Single letter prefix (e.g., "a-lodash", "x-react")
+  {
+    pattern: /^[a-zA-Z]-[a-zA-Z]{2,}/,
+    description: "Single letter prefix",
+    confidence: 0.5
+  },
+  // Homoglyph characters (common attack vector)
+  {
+    pattern: /[а-яА-Я]/,
+    // Cyrillic characters that look like Latin
+    description: "Contains non-ASCII characters that may be homoglyphs",
+    confidence: 0.9
+  },
+  // Very short scoped packages (e.g., "@x/y")
+  {
+    pattern: /^@[a-zA-Z]\/[a-zA-Z]$/,
+    description: "Very short scoped package name",
+    confidence: 0.6
+  },
+  // Package names that look like they're trying to impersonate orgs
+  {
+    pattern: /^(?:react|vue|angular|node|npm|yarn|pnpm|vercel|next|nuxt)-(?:official|org|team|core|dev)$/i,
+    description: "Potentially impersonating official package",
+    confidence: 0.7
+  }
+];
+function checkSuspiciousName(depName, packageJsonPath) {
+  for (const { pattern, description, confidence } of SUSPICIOUS_NAME_PATTERNS) {
+    if (pattern.test(depName)) {
+      return {
+        ruleId: "dependency/suspicious",
+        severity: confidence >= 0.7 ? "high" : "medium",
+        title: "Suspicious Package Name",
+        description: `Package "${depName}" has a suspicious naming pattern: ${description}`,
+        location: { file: packageJsonPath, line: 1, column: 1 },
+        fix: { description: "Verify this package is legitimate before using" },
+        metadata: { package: depName, reason: description },
+        cweId: CWE.UNTRUSTED_DOWNLOAD,
+        owaspCategory: OWASP_2021.INTEGRITY_FAILURES,
+        confidence
+      };
+    }
+  }
+  return null;
+}
+var DependencyAnalyzer = class {
+  name = "DependencyAnalyzer";
+  categories = ["dependency"];
+  async analyze(options) {
+    const packageJsonPath = path2.join(options.rootDir, "package.json");
+    try {
+      await fs.access(packageJsonPath);
+    } catch {
+      return [];
+    }
+    const auditFindings = await this.runNpmAudit(options.rootDir, packageJsonPath);
+    const typosquatFindings = await this.checkTyposquatting(packageJsonPath);
+    return [...auditFindings, ...typosquatFindings];
+  }
+  async runNpmAudit(rootDir, packageJsonPath) {
+    try {
+      const stdout = await this.executeNpmAudit(rootDir);
+      const auditResult = JSON.parse(stdout);
+      return Object.entries(auditResult.vulnerabilities).map(
+        ([pkgName, vuln]) => createVulnFinding(pkgName, vuln, packageJsonPath)
+      );
+    } catch {
+      return [];
+    }
+  }
+  async executeNpmAudit(rootDir) {
+    try {
+      const { stdout } = await execAsync("npm audit --json", { cwd: rootDir });
+      return stdout;
+    } catch (error) {
+      const execError = error;
+      if (execError.stdout) {
+        return execError.stdout;
+      }
+      throw error;
+    }
+  }
+  async checkTyposquatting(packageJsonPath) {
+    try {
+      const content = await fs.readFile(packageJsonPath, "utf-8");
+      const packageJson = JSON.parse(content);
+      const allDeps = {
+        ...packageJson.dependencies || {},
+        ...packageJson.devDependencies || {}
+      };
+      const findings = [];
+      for (const depName of Object.keys(allDeps)) {
+        const typosquatFinding = checkTyposquat(depName, packageJsonPath);
+        if (typosquatFinding) findings.push(typosquatFinding);
+        const suspiciousFinding = checkSuspiciousName(depName, packageJsonPath);
+        if (suspiciousFinding) findings.push(suspiciousFinding);
+      }
+      return findings;
+    } catch {
+      return [];
+    }
+  }
+};
+
+// src/internal/vuln-checker/analyzers/rls-analyzer.ts
+init_esm_shims();
+var TENANT_COLUMN_PATTERNS = [
+  "tenant_id",
+  "client_id",
+  "org_id",
+  "organization_id",
+  "scope_id",
+  "account_id",
+  "workspace_id",
+  "team_id",
+  "company_id"
+];
+var TENANT_ISOLATION_PATTERNS = [
+  // Direct comparisons with tenant columns (various formats)
+  // Handles: tenant_id = (auth.jwt() ->> 'tenant_id')::uuid
+  // Handles: client_id = auth.jwt()->>'client_id'
+  // Handles: scope_id = current_setting('app.scope_id')
+  /(?:tenant_id|client_id|org_id|organization_id|scope_id|account_id|workspace_id|team_id|company_id)\s*=\s*.*(?:jwt|auth|current_setting)/i,
+  // Schema-qualified column comparisons
+  // Handles: accounts.clients.tenant_id = ...
+  /[\w]+\.[\w]+\.(?:tenant_id|client_id|org_id|scope_id)\s*=\s*.*(?:jwt|auth)/i,
+  // Helper function patterns (common naming conventions)
+  // Handles: get_current_tenant(), get_my_tenant_id(), current_tenant_id(), etc.
+  /(?:get_)?(?:current_|my_)?(?:tenant|client|org|scope|account)(?:_id)?\s*\(\)/i,
+  // Supabase auth functions
+  /auth\.uid\s*\(\)/i,
+  /auth\.jwt\s*\(\)/i,
+  /auth\.role\s*\(\)/i,
+  // IN clause with tenant subquery
+  // Handles: tenant_id IN (SELECT id FROM get_user_tenants())
+  /(?:tenant_id|client_id|org_id|scope_id)\s+IN\s*\(/i,
+  // EXISTS with tenant check
+  // Handles: EXISTS (SELECT 1 FROM ... WHERE tenant_id = ...)
+  /EXISTS\s*\(\s*SELECT.*(?:tenant_id|client_id|scope_id)/i,
+  // CTE reference patterns
+  // Handles: WITH tenant AS (...) ... WHERE tenant_id = tenant.id
+  /WITH\s+(?:tenant|current_tenant|user_tenant)/i,
+  // PostgreSQL current_setting for tenant context
+  // Handles: current_setting('app.tenant_id', true)
+  /current_setting\s*\(\s*['"](?:app\.|rls\.)?(?:tenant|client|org|scope)/i,
+  // Request header / session patterns (some frameworks)
+  // Handles: request.header('x-tenant-id')
+  /request\.(?:header|cookie|session)\s*\(\s*['"].*(?:tenant|client|org)/i,
+  // Type-casted JWT claim extraction
+  // Handles: ((auth.jwt() ->> 'tenant_id')::uuid)
+  /\(\s*auth\.jwt\s*\(\)\s*->>?\s*['"][^'"]+['"]\s*\)\s*::/i
+];
+var SYSTEM_TABLE_PATTERNS = ["_", "schema_migrations", "drizzle_migrations"];
+function isPgTableCall(callExpr) {
+  const expression = callExpr.getExpression();
+  if (Node.isIdentifier(expression)) {
+    const name = expression.getText();
+    return name === "pgTable" || name === "table";
+  }
+  if (Node.isPropertyAccessExpression(expression)) {
+    const propName = expression.getName();
+    return propName === "table";
+  }
+  return false;
+}
+function extractTableName(callExpr) {
+  const args = callExpr.getArguments();
+  if (args.length === 0) return null;
+  const firstArg = args[0];
+  if (Node.isStringLiteral(firstArg)) {
+    return firstArg.getLiteralValue();
+  }
+  return null;
+}
+function resolveSchemaFromDeclaration(sourceFile, schemaVarName) {
+  for (const decl of sourceFile.getVariableDeclarations()) {
+    if (decl.getName() !== schemaVarName) continue;
+    const init = decl.getInitializer();
+    if (!init || !Node.isCallExpression(init)) continue;
+    const callee = init.getExpression();
+    if (!Node.isIdentifier(callee) || callee.getText() !== "pgSchema") continue;
+    const schemaArgs = init.getArguments();
+    if (schemaArgs.length > 0 && Node.isStringLiteral(schemaArgs[0])) {
+      return schemaArgs[0].getLiteralValue();
+    }
+  }
+  return null;
+}
+function extractSchemaName(callExpr) {
+  const expression = callExpr.getExpression();
+  if (!Node.isPropertyAccessExpression(expression)) {
+    return "public";
+  }
+  const object = expression.getExpression();
+  if (!Node.isIdentifier(object)) {
+    return "public";
+  }
+  const schemaVarName = object.getText();
+  const sourceFile = callExpr.getSourceFile();
+  return resolveSchemaFromDeclaration(sourceFile, schemaVarName) ?? "public";
+}
+function isTenantColumnMatch(propName, initText) {
+  for (const tenantPattern of TENANT_COLUMN_PATTERNS) {
+    const matchesByName = propName === tenantPattern || propName.endsWith("Id");
+    const matchesByText = initText.includes(`'${tenantPattern}'`) || initText.includes(`"${tenantPattern}"`);
+    if (!matchesByName && !matchesByText) continue;
+    if (initText.includes("uuid(") && initText.includes(tenantPattern)) {
+      return propName;
+    }
+  }
+  return null;
+}
+function extractTenantColumnFromTable(callExpr) {
+  const args = callExpr.getArguments();
+  if (args.length < 2) return { hasTenantColumn: false };
+  const columnsArg = args[1];
+  if (!Node.isObjectLiteralExpression(columnsArg)) return { hasTenantColumn: false };
+  for (const prop of columnsArg.getProperties()) {
+    if (!Node.isPropertyAssignment(prop)) continue;
+    const propName = prop.getName();
+    const initializer = prop.getInitializer();
+    if (!initializer) continue;
+    const matchedName = isTenantColumnMatch(propName, initializer.getText());
+    if (matchedName) {
+      return { hasTenantColumn: true, tenantColumnName: matchedName };
+    }
+  }
+  return { hasTenantColumn: false };
+}
+function parseSchemaFileAST(sourceFile, filePath) {
+  const tables = [];
+  for (const varDecl of sourceFile.getVariableDeclarations()) {
+    const parent = varDecl.getParent()?.getParent();
+    if (!parent) continue;
+    const isExported = Node.isVariableStatement(parent) && parent.getModifiers()?.some((m) => m.getKind() === SyntaxKind.ExportKeyword);
+    if (!isExported) continue;
+    const initializer = varDecl.getInitializer();
+    if (!initializer || !Node.isCallExpression(initializer)) continue;
+    if (!isPgTableCall(initializer)) continue;
+    const tableName = extractTableName(initializer);
+    if (!tableName) continue;
+    const schemaName = extractSchemaName(initializer);
+    const { hasTenantColumn, tenantColumnName } = extractTenantColumnFromTable(initializer);
+    tables.push({
+      name: tableName,
+      schema: schemaName,
+      file: filePath,
+      line: varDecl.getStartLineNumber(),
+      hasRLS: false,
+      hasTenantColumn,
+      tenantColumnName
+    });
+  }
+  return tables;
+}
+async function parseSchemaFiles(rootDir) {
+  const schemaFiles = await glob(["**/schema/*.ts", "**/schema/**/*.ts"], {
+    cwd: rootDir,
+    ignore: ["**/node_modules/**", "**/dist/**", "**/*.test.ts", "**/*.spec.ts"],
+    absolute: true
+  });
+  const project = new Project({
+    skipAddingFilesFromTsConfig: true,
+    skipFileDependencyResolution: true
+  });
+  const tables = [];
+  for (const filePath of schemaFiles) {
+    try {
+      const sourceFile = project.addSourceFileAtPath(filePath);
+      const fileTables = parseSchemaFileAST(sourceFile, filePath);
+      tables.push(...fileTables);
+    } catch {
+    }
+  }
+  return tables;
+}
+function getLineNumber(content, matchIndex) {
+  return content.substring(0, matchIndex).split("\n").length;
+}
+function findPolicyMatches(content) {
+  const policyRegex = /CREATE\s+POLICY\s+(?:IF\s+NOT\s+EXISTS\s+)?["']?(\w+)["']?\s+ON\s+(?:["']?(\w+)["']?\.)?["']?(\w+)["']?\s+(?:FOR\s+(SELECT|INSERT|UPDATE|DELETE|ALL)\s+)?/gi;
+  const matches = [];
+  let match = policyRegex.exec(content);
+  while (match !== null) {
+    matches.push(match);
+    match = policyRegex.exec(content);
+  }
+  return matches;
+}
+function extractPolicyClauses(content, matchIndex) {
+  const remainder = content.substring(matchIndex);
+  const usingMatch = remainder.match(/USING\s*\(([\s\S]*?)(?:\)\s*(?:WITH\s+CHECK|;)|$)/i);
+  const using = usingMatch ? usingMatch[1].trim() : void 0;
+  const withCheckMatch = remainder.match(/WITH\s+CHECK\s*\(([\s\S]*?)\)\s*;/i);
+  const withCheck = withCheckMatch ? withCheckMatch[1].trim() : void 0;
+  return { using, withCheck };
+}
+function createPolicyFromMatch(match, content, filePath) {
+  const { using, withCheck } = extractPolicyClauses(content, match.index);
+  return {
+    name: match[1],
+    table: `${match[2] || "public"}.${match[3]}`,
+    operation: match[4]?.toUpperCase() || "ALL",
+    using,
+    withCheck,
+    file: filePath,
+    line: getLineNumber(content, match.index)
+  };
+}
+async function parseSqlFileForPolicies(filePath) {
+  const content = await fs.readFile(filePath, "utf-8");
+  const matches = findPolicyMatches(content);
+  return matches.map((match) => createPolicyFromMatch(match, content, filePath));
+}
+async function parseRLSPolicies(rootDir) {
+  const sqlFiles = await glob(["**/sql/**/*.sql", "**/rls/**/*.sql", "**/schemas/**/*.sql"], {
+    cwd: rootDir,
+    ignore: ["**/node_modules/**", "**/dist/**"],
+    absolute: true
+  });
+  const policies = [];
+  for (const filePath of sqlFiles) {
+    try {
+      const filePolicies = await parseSqlFileForPolicies(filePath);
+      policies.push(...filePolicies);
+    } catch {
+    }
+  }
+  return policies;
+}
+function normalizeClause(clause) {
+  return clause.replace(/--[^\n]*/g, " ").replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\s+/g, " ").trim();
+}
+function hasTenantIsolation(policy) {
+  const usingClause = normalizeClause(policy.using || "");
+  const withCheckClause = normalizeClause(policy.withCheck || "");
+  const hasUsingIsolation = TENANT_ISOLATION_PATTERNS.some((pattern) => pattern.test(usingClause));
+  if (policy.operation === "SELECT") {
+    return hasUsingIsolation;
+  }
+  if (policy.operation === "INSERT") {
+    const hasWithCheckIsolation = TENANT_ISOLATION_PATTERNS.some(
+      (pattern) => pattern.test(withCheckClause)
+    );
+    return hasWithCheckIsolation || hasUsingIsolation;
+  }
+  return hasUsingIsolation;
+}
+function isSystemTable(tableName) {
+  return SYSTEM_TABLE_PATTERNS.some(
+    (pattern) => pattern === "_" ? tableName.startsWith("_") : tableName === pattern
+  );
+}
+function createMissingRLSFinding(table, fullTableName) {
+  return {
+    ruleId: "rls/missing-policy",
+    severity: "critical",
+    title: "Missing RLS Policy",
+    description: `Table "${fullTableName}" does not have Row Level Security enabled. All data is accessible without restrictions.`,
+    location: { file: table.file, line: table.line, column: 1 },
+    fix: {
+      description: `Enable RLS and create policies for table "${fullTableName}"`,
+      replacement: `ALTER TABLE ${fullTableName} ENABLE ROW LEVEL SECURITY;
+CREATE POLICY tenant_isolation ON ${fullTableName} USING (tenant_id = auth.jwt() ->> 'tenant_id');`
+    },
+    cweId: CWE.IMPROPER_ACCESS_CONTROL,
+    owaspCategory: OWASP_2021.BROKEN_ACCESS_CONTROL,
+    confidence: 0.9
+  };
+}
+function createWeakTenantFinding(table, fullTableName) {
+  return {
+    ruleId: "rls/weak-tenant",
+    severity: "high",
+    title: "Weak Tenant Isolation",
+    description: `Table "${fullTableName}" has a tenant column (${table.tenantColumnName}) but RLS policies don't enforce tenant isolation.`,
+    location: { file: table.file, line: table.line, column: 1 },
+    fix: {
+      description: "Add tenant isolation to RLS policy USING clause",
+      replacement: `USING (${table.tenantColumnName} = (auth.jwt() ->> 'tenant_id')::uuid)`
+    },
+    cweId: CWE.IMPROPER_ACCESS_CONTROL,
+    owaspCategory: OWASP_2021.BROKEN_ACCESS_CONTROL,
+    confidence: 0.8
+  };
+}
+function createPermissiveFinding(policy) {
+  return {
+    ruleId: "rls/permissive",
+    severity: "high",
+    title: "Overly Permissive RLS Policy",
+    description: `Policy "${policy.name}" on "${policy.table}" allows unrestricted access (USING true or empty).`,
+    location: { file: policy.file, line: policy.line, column: 1 },
+    fix: { description: "Add proper restrictions to the USING clause" },
+    cweId: CWE.IMPROPER_ACCESS_CONTROL,
+    owaspCategory: OWASP_2021.BROKEN_ACCESS_CONTROL,
+    confidence: 0.95
+  };
+}
+function isPermissivePolicy(policy) {
+  return policy.using === "true" || policy.using === "1=1" || policy.using === "";
+}
+function checkTableForIssues(table, tablesWithPolicies, policies) {
+  const findings = [];
+  const fullTableName = `${table.schema}.${table.name}`;
+  if (isSystemTable(table.name)) return findings;
+  if (!tablesWithPolicies.has(fullTableName)) {
+    findings.push(createMissingRLSFinding(table, fullTableName));
+    return findings;
+  }
+  if (table.hasTenantColumn) {
+    const tablePolicies = policies.filter((p) => p.table === fullTableName);
+    const hasIsolation = tablePolicies.some(hasTenantIsolation);
+    if (!hasIsolation && tablePolicies.length > 0) {
+      findings.push(createWeakTenantFinding(table, fullTableName));
+    }
+  }
+  return findings;
+}
+var RLSAnalyzer = class {
+  name = "RLSAnalyzer";
+  categories = ["rls"];
+  async analyze(options) {
+    const tables = await parseSchemaFiles(options.rootDir);
+    const policies = await parseRLSPolicies(options.rootDir);
+    const tablesWithPolicies = new Set(policies.map((p) => p.table));
+    const tableFindings = tables.flatMap(
+      (table) => checkTableForIssues(table, tablesWithPolicies, policies)
+    );
+    const policyFindings = policies.filter(isPermissivePolicy).map(createPermissiveFinding);
+    return [...tableFindings, ...policyFindings];
+  }
+};
+
+// src/internal/vuln-checker/analyzers/secret-analyzer.ts
+init_esm_shims();
+var MAX_LINE_LENGTH = 2e3;
+var MAX_FILE_SIZE = 1024 * 1024;
+var SECRET_PATTERNS = [
+  // AWS
+  {
+    id: "aws-access-key",
+    name: "AWS Access Key",
+    // AWS Access Key IDs always start with AKIA (user) or ASIA (temporary)
+    pattern: /(?:AKIA|ASIA)[0-9A-Z]{16}/g,
+    severity: "critical",
+    description: "AWS Access Key ID detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "aws-secret-key",
+    name: "AWS Secret Key",
+    // AWS Secret Keys are 40 chars, but we require context clues to reduce false positives
+    // Look for assignment context: aws_secret, secret_key, AWS_SECRET, etc.
+    // SECURITY (Issue #463): Simplified pattern to avoid nested quantifiers
+    // Changed from nested optional groups to explicit alternation
+    pattern: /(?:aws_secret|aws-secret|awssecret|secret_key|secret-key|secretkey|secret_access_key|AWS_SECRET)\s{0,5}[:=]\s{0,5}['"]?([A-Za-z0-9/+=]{40})['"]?/gi,
+    severity: "critical",
+    description: "AWS Secret Access Key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // GitHub
+  {
+    id: "github-token",
+    name: "GitHub Token",
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /gh[pousr]_[A-Za-z0-9_]{36,100}/g,
+    severity: "critical",
+    description: "GitHub Personal Access Token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "github-oauth",
+    name: "GitHub OAuth",
+    pattern: /gho_[A-Za-z0-9]{36}/g,
+    severity: "critical",
+    description: "GitHub OAuth Token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Google / Gemini
+  {
+    id: "google-api-key",
+    name: "Google / Gemini API Key",
+    pattern: /AIza[0-9A-Za-z\-_]{35}/g,
+    severity: "critical",
+    description: "Google API Key detected (used by Gemini, Vertex AI, Maps, etc.)",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "google-oauth",
+    name: "Google OAuth",
+    pattern: /[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com/g,
+    severity: "high",
+    description: "Google OAuth Client ID detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Stripe
+  {
+    id: "stripe-secret",
+    name: "Stripe Secret Key",
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /sk_live_[0-9a-zA-Z]{24,100}/g,
+    severity: "critical",
+    description: "Stripe Live Secret Key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "stripe-test",
+    name: "Stripe Test Key",
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /sk_test_[0-9a-zA-Z]{24,100}/g,
+    severity: "medium",
+    description: "Stripe Test Secret Key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Supabase
+  {
+    id: "supabase-service-role",
+    name: "Supabase Service Role Key",
+    // Supabase JWT: header.payload.signature
+    // Header: {"alg":"HS256","typ":"JWT"} (fixed)
+    // Payload prefix: {"iss":"supabase","ref": (24 bytes, 3-byte aligned = stable base64url)
+    // Service role marker: role":"service_role" = cm9sZSI6InNlcnZpY2Vfcm9sZSI (stable)
+    // Variable content between prefix and marker covers the encoded project ref
+    pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6[A-Za-z0-9_-]+cm9sZSI6InNlcnZpY2Vfcm9sZSI[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+/g,
+    severity: "critical",
+    description: "Supabase Service Role Key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Private Keys
+  // NOTE: Patterns are split to avoid triggering publish-safety checks when bundled
+  {
+    id: "private-key-rsa",
+    name: "RSA Private Key",
+    pattern: new RegExp("-----BEGIN RSA PRIVATE KEY-----", "g"),
+    severity: "critical",
+    description: "RSA Private Key detected",
+    cweId: CWE.HARDCODED_CRYPTO_KEY
+  },
+  {
+    id: "private-key-openssh",
+    name: "OpenSSH Private Key",
+    pattern: new RegExp("-----BEGIN OPENSSH PRIVATE KEY-----", "g"),
+    severity: "critical",
+    description: "OpenSSH Private Key detected",
+    cweId: CWE.HARDCODED_CRYPTO_KEY
+  },
+  {
+    id: "private-key-ec",
+    name: "EC Private Key",
+    pattern: new RegExp("-----BEGIN EC PRIVATE KEY-----", "g"),
+    severity: "critical",
+    description: "EC Private Key detected",
+    cweId: CWE.HARDCODED_CRYPTO_KEY
+  },
+  // Generic patterns
+  // SECURITY (Issue #463): All generic patterns use bounded quantifiers to prevent ReDoS
+  {
+    id: "password-assignment",
+    name: "Password Assignment",
+    // Limited whitespace to max 5 chars, limited value length to max 200 chars
+    pattern: /(?:password|passwd|pwd)\s{0,5}[:=]\s{0,5}['"][^'"]{8,200}['"]/gi,
+    severity: "high",
+    description: "Hardcoded password detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "api-key-assignment",
+    name: "API Key Assignment",
+    // Explicit alternation instead of nested optional groups
+    pattern: /(?:api_key|api-key|apikey)\s{0,5}[:=]\s{0,5}['"][^'"]{16,200}['"]/gi,
+    severity: "high",
+    description: "Hardcoded API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "secret-assignment",
+    name: "Secret Assignment",
+    pattern: /(?:secret|token)\s{0,5}[:=]\s{0,5}['"][^'"]{16,200}['"]/gi,
+    severity: "high",
+    description: "Hardcoded secret/token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Connection strings
+  {
+    id: "database-url",
+    name: "Database Connection String",
+    // Require actual credentials (not user:password placeholder patterns)
+    // Exclude common placeholder usernames: user, username, admin, root with simple passwords
+    // SECURITY (Issue #463): Bounded character classes to prevent ReDoS
+    // Limited each segment to max 200 chars
+    pattern: /(?:postgresql|mysql|mongodb|redis):\/\/(?!(?:user|username|admin|root):(?:password|pass|secret)@)[^\s'"]{1,200}:[^\s'"]{1,200}@[^\s'"]{1,200}/gi,
+    severity: "critical",
+    description: "Database connection string with credentials detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // JWT - Lower severity because JWTs in code are often:
+  // 1. Test tokens with known secrets
+  // 2. Example tokens from documentation
+  // 3. Expired tokens used for testing
+  //
+  // Pattern notes:
+  // - Header (eyJ...): Base64-encoded {"alg":...,"typ":"JWT"}
+  // - Payload (eyJ...): Base64-encoded claims
+  // - Signature: Variable length (32-512+ chars depending on algorithm)
+  //   HS256: ~43 chars, RS256: ~342 chars, ES256: ~86 chars
+  {
+    id: "jwt-token",
+    name: "JWT Token",
+    // Improved: Require minimum signature length of 20 chars to reduce false positives
+    // from partial JWT-like strings in code
+    // SECURITY (Issue #463): Bounded quantifiers to prevent ReDoS
+    pattern: /eyJ[A-Za-z0-9_-]{10,500}\.eyJ[A-Za-z0-9_-]{10,1000}\.[A-Za-z0-9_-]{20,600}/g,
+    severity: "low",
+    // Changed from medium - often false positive
+    description: "JWT token detected (verify if production token)",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Slack
+  {
+    id: "slack-token",
+    name: "Slack Token",
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /xox[baprs]-[0-9A-Za-z-]{10,100}/g,
+    severity: "high",
+    description: "Slack token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Discord
+  {
+    id: "discord-token",
+    name: "Discord Token",
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /[MN][A-Za-z\d]{23,100}\.[\w-]{6}\.[\w-]{27}/g,
+    severity: "high",
+    description: "Discord bot token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // SendGrid
+  {
+    id: "sendgrid-api-key",
+    name: "SendGrid API Key",
+    pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g,
+    severity: "high",
+    description: "SendGrid API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Twilio
+  {
+    id: "twilio-api-key",
+    name: "Twilio API Key",
+    pattern: /SK[a-f0-9]{32}/g,
+    severity: "high",
+    description: "Twilio API Key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Mailchimp
+  // Format: {32-char-hex}-us{datacenter}
+  // Datacenter can be 1-3 digits (us1 through us999 for future-proofing)
+  {
+    id: "mailchimp-api-key",
+    name: "Mailchimp API Key",
+    pattern: /[a-f0-9]{32}-us[0-9]{1,3}/g,
+    severity: "high",
+    description: "Mailchimp API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // npm
+  {
+    id: "npm-token",
+    name: "npm Token",
+    pattern: /npm_[A-Za-z0-9]{36}/g,
+    severity: "high",
+    description: "npm access token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // Vercel
+  {
+    id: "vercel-token",
+    name: "Vercel Token",
+    pattern: /vercel_[A-Za-z0-9]{24}/g,
+    severity: "high",
+    description: "Vercel token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  // AI Service API Keys (2024-2026 patterns)
+  // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  {
+    id: "openai-api-key",
+    name: "OpenAI API Key",
+    // Format: sk-{48+ alphanumeric chars} (real keys are typically 51 chars)
+    // SECURITY: Bounded quantifier to prevent ReDoS
+    pattern: /sk-[a-zA-Z0-9]{48,200}/g,
+    severity: "critical",
+    description: "OpenAI API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "openai-project-key",
+    name: "OpenAI Project Key",
+    // Format: sk-proj-{48+ alphanumeric/dash/underscore chars}
+    // SECURITY: Bounded quantifier to prevent ReDoS
+    pattern: /sk-proj-[a-zA-Z0-9_-]{48,200}/g,
+    severity: "critical",
+    description: "OpenAI Project API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "anthropic-api-key",
+    name: "Anthropic API Key",
+    // Format: sk-ant-api03-{base64-like string}
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /sk-ant-api\d{2}-[A-Za-z0-9_-]{40,200}/g,
+    severity: "critical",
+    description: "Anthropic (Claude) API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "cohere-api-key",
+    name: "Cohere API Key",
+    // Format: varies, but often starts with identifiable prefix
+    // SECURITY (Issue #463): Explicit alternation instead of nested optional groups
+    pattern: /(?:cohere_api_key|cohere-api-key|cohere_key|cohere-key|coherekey|COHERE_API_KEY|COHERE_KEY)\s{0,5}[:=]\s{0,5}['"][A-Za-z0-9]{40,200}['"]/g,
+    severity: "high",
+    description: "Cohere API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "mistral-api-key",
+    name: "Mistral API Key",
+    // Mistral keys have specific format
+    // SECURITY (Issue #463): Explicit alternation instead of nested optional groups
+    pattern: /(?:mistral_api_key|mistral-api-key|mistral_key|mistral-key|mistralkey|MISTRAL_API_KEY|MISTRAL_KEY)\s{0,5}[:=]\s{0,5}['"][A-Za-z0-9]{32,200}['"]/g,
+    severity: "high",
+    description: "Mistral AI API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "openrouter-api-key",
+    name: "OpenRouter API Key",
+    // Format: sk-or-v1-{64 chars}
+    pattern: /sk-or-v1-[A-Za-z0-9]{64}/g,
+    severity: "critical",
+    description: "OpenRouter API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "replicate-api-key",
+    name: "Replicate API Key",
+    // Format: r8_...
+    pattern: /r8_[A-Za-z0-9]{40}/g,
+    severity: "high",
+    description: "Replicate API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "huggingface-token",
+    name: "HuggingFace Token",
+    // Format: hf_...
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /hf_[A-Za-z0-9]{34,100}/g,
+    severity: "high",
+    description: "HuggingFace API token detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "groq-api-key",
+    name: "Groq API Key",
+    // Format: gsk_...
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /gsk_[A-Za-z0-9]{52,100}/g,
+    severity: "critical",
+    description: "Groq API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "together-api-key",
+    name: "Together AI API Key",
+    // Context-based detection
+    // SECURITY (Issue #463): Explicit alternation instead of nested optional groups
+    pattern: /(?:together_api_key|together-api-key|together_key|together-key|togetherkey|TOGETHER_API_KEY|TOGETHER_KEY)\s{0,5}[:=]\s{0,5}['"][A-Za-z0-9]{64,200}['"]/g,
+    severity: "high",
+    description: "Together AI API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  },
+  {
+    id: "fireworks-api-key",
+    name: "Fireworks AI API Key",
+    // Format: fw_...
+    // SECURITY (Issue #463): Bounded quantifier to prevent ReDoS
+    pattern: /fw_[A-Za-z0-9]{40,100}/g,
+    severity: "high",
+    description: "Fireworks AI API key detected",
+    cweId: CWE.HARDCODED_CREDENTIALS
+  }
+];
+var BASE64_SECRET_INDICATORS = [
+  "sk-",
+  // OpenAI, Stripe
+  "ghp_",
+  // GitHub PAT
+  "gho_",
+  // GitHub OAuth
+  "AKIA",
+  // AWS Access Key
+  "eyJ",
+  // JWT (already base64, double-encoded)
+  "vercel_",
+  // Vercel
+  "sbp_"
+  // Supabase
+];
+function checkBase64ForSecrets(base64String) {
+  try {
+    if (!/^[A-Za-z0-9+/]+=*$/.test(base64String)) {
+      return { found: false };
+    }
+    if (base64String.length < 20) {
+      return { found: false };
+    }
+    const decoded = Buffer.from(base64String, "base64").toString("utf-8");
+    for (const indicator of BASE64_SECRET_INDICATORS) {
+      if (decoded.startsWith(indicator)) {
+        const secretType = getSecretTypeFromIndicator(indicator);
+        return { found: true, secretType };
+      }
+    }
+    return { found: false };
+  } catch {
+    return { found: false };
+  }
+}
+function getSecretTypeFromIndicator(indicator) {
+  const indicatorMap = {
+    "sk-": "OpenAI/Stripe API key",
+    ghp_: "GitHub Personal Access Token",
+    gho_: "GitHub OAuth Token",
+    AKIA: "AWS Access Key",
+    eyJ: "JWT Token",
+    vercel_: "Vercel Token",
+    sbp_: "Supabase Token"
+  };
+  return indicatorMap[indicator] ?? "Unknown secret type";
+}
+var EXCLUDED_PATTERNS = [
+  /\.env\.example$/,
+  /\.env\.sample$/,
+  /\.env\.template$/,
+  /node_modules/,
+  /\.git\//,
+  /dist\//,
+  /\.next\//,
+  /coverage\//,
+  /\.lock$/,
+  /lock\.json$/,
+  /\.test\./,
+  /\.spec\./,
+  /__tests__/,
+  /fixtures/,
+  /mocks/
+];
+function isCommentLine(line) {
+  const trimmed = line.trim();
+  return trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*") || trimmed.startsWith("<!--") || trimmed.startsWith("--");
+}
+function isInDocumentationContext(line) {
+  const lineLower = line.toLowerCase();
+  const docPatterns = [
+    "format:",
+    "example:",
+    "e.g.",
+    "e.g:",
+    "i.e.",
+    "sample:",
+    "template:",
+    "pattern:",
+    "@example",
+    "@param",
+    "@returns",
+    "@see",
+    "usage:",
+    "syntax:",
+    "like:",
+    "such as",
+    "documentation",
+    "readme",
+    "docs/"
+  ];
+  return docPatterns.some((p) => lineLower.includes(p));
+}
+function isInCodeExample(line) {
+  const trimmed = line.trim();
+  if (trimmed.startsWith("```") || trimmed.startsWith("~~~")) {
+    return true;
+  }
+  const exampleIndicators = [
+    "const example",
+    "let example",
+    "var example",
+    "// example",
+    "# example",
+    "example =",
+    "example:"
+  ];
+  return exampleIndicators.some((p) => line.toLowerCase().includes(p));
+}
+function calculateEntropy(str) {
+  if (str.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const char of str) {
+    freq.set(char, (freq.get(char) || 0) + 1);
+  }
+  let entropy = 0;
+  const counts = Array.from(freq.values());
+  for (const count of counts) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function looksLikePlaceholder(match) {
+  if (match.length > 500) {
+    return false;
+  }
+  const matchLower = match.toLowerCase();
+  const placeholders = [
+    "your_",
+    "your-",
+    "yourkeyhere",
+    "your_key",
+    "replace_",
+    "replace-",
+    "replaceme",
+    "xxx",
+    "yyy",
+    "zzz",
+    "placeholder",
+    "example",
+    "sample",
+    "test",
+    "demo",
+    "fake",
+    "mock",
+    "dummy",
+    "todo",
+    "fixme",
+    "changeme",
+    "<your",
+    "[your",
+    "{your",
+    "****",
+    "....",
+    "----"
+  ];
+  if (placeholders.some((p) => matchLower.includes(p))) {
+    return true;
+  }
+  if (match.length >= 8) {
+    const uniqueChars = new Set(match).size;
+    const uniqueRatio = uniqueChars / match.length;
+    if (uniqueRatio < 0.15) {
+      return true;
+    }
+  }
+  if (/^[a-z]+$/.test(match) || /^[A-Z]+$/.test(match) || /^[0-9]+$/.test(match)) {
+    return true;
+  }
+  return false;
+}
+function isCodeDefinitionContext(lineLower) {
+  const codePatterns = [
+    "type ",
+    "interface ",
+    ": string",
+    "z.string()",
+    "zod.",
+    ".parse(",
+    "regexp",
+    "regex",
+    "/g,",
+    "/gi,"
+  ];
+  return codePatterns.some((p) => lineLower.includes(p));
+}
+function isTestContext(lineLower) {
+  const testPatterns = ["expect(", "assert", "should."];
+  return testPatterns.some((p) => lineLower.includes(p));
+}
+function isEnvReference(lineLower) {
+  const envPatterns = ["process.env", "env.", "getenv"];
+  return envPatterns.some((p) => lineLower.includes(p));
+}
+function isLikelyFalsePositive(line, match, patternId) {
+  const lineLower = line.toLowerCase();
+  if (isCommentLine(line)) return true;
+  if (isInDocumentationContext(line)) return true;
+  if (isInCodeExample(line)) return true;
+  if (isEnvReference(lineLower)) return true;
+  if (looksLikePlaceholder(match)) return true;
+  if (isCodeDefinitionContext(lineLower)) return true;
+  if (isTestContext(lineLower)) return true;
+  if (patternId === "aws-secret-key" && calculateEntropy(match) < 3.5) {
+    return true;
+  }
+  return false;
+}
+function maskSecret(secret) {
+  if (secret.length > 10) {
+    return `${secret.substring(0, 5)}...${secret.substring(secret.length - 3)}`;
+  }
+  return "***";
+}
+function calculateConfidence(pattern) {
+  const highConfidencePatterns = [
+    "aws-access-key",
+    // AKIA/ASIA prefix is unique to AWS
+    "github-token",
+    // ghp_/gho_/etc prefix is unique
+    "github-oauth",
+    "openai-api-key",
+    // sk- prefix with length constraint
+    "openai-project-key",
+    // sk-proj- prefix is unique
+    "anthropic-api-key",
+    // sk-ant-api prefix is unique
+    "google-api-key",
+    // AIza prefix is unique to Google (Gemini, Vertex AI, etc.)
+    "stripe-secret",
+    // sk_live_ prefix is unique
+    "stripe-test",
+    // sk_test_ prefix is unique
+    "sendgrid-api-key",
+    // SG. prefix is unique
+    "npm-token",
+    // npm_ prefix is unique
+    "vercel-token",
+    // vercel_ prefix is unique
+    "private-key-rsa",
+    // BEGIN RSA PRIVATE KEY is unique
+    "private-key-openssh",
+    "private-key-ec",
+    "slack-token"
+    // xox prefix is unique
+  ];
+  if (highConfidencePatterns.includes(pattern.id)) {
+    return 0.95;
+  }
+  const mediumConfidencePatterns = [
+    "google-oauth",
+    "database-url",
+    // Has structure but could be example
+    "aws-secret-key"
+    // Requires context clues
+  ];
+  if (mediumConfidencePatterns.includes(pattern.id)) {
+    return 0.7;
+  }
+  return 0.5;
+}
+function createSecretFinding(pattern, filePath, lineNumber, line, match) {
+  const matchText = match[0];
+  const maskedSecret = maskSecret(matchText);
+  const confidence = calculateConfidence(pattern);
+  return {
+    ruleId: `secret/${pattern.id}`,
+    severity: pattern.severity,
+    title: pattern.name,
+    description: `${pattern.description}. Value: ${maskedSecret}`,
+    location: {
+      file: filePath,
+      line: lineNumber,
+      column: match.index
+    },
+    snippet: {
+      text: line.length > 100 ? `${line.substring(0, 100)}...` : line,
+      highlightStart: match.index,
+      highlightEnd: match.index + matchText.length
+    },
+    fix: {
+      description: "Move secret to environment variable",
+      replacement: `process.env.${pattern.id.toUpperCase().replace(/-/g, "_")}`
+    },
+    cweId: pattern.cweId,
+    owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+    confidence
+  };
+}
+function findPatternMatches(pattern, line) {
+  pattern.pattern.lastIndex = 0;
+  const matches = [];
+  let match = pattern.pattern.exec(line);
+  while (match !== null) {
+    matches.push(match);
+    match = pattern.pattern.exec(line);
+  }
+  return matches;
+}
+function collectPatternSecretFindings(line, lineNumber, filePath) {
+  const findings = [];
+  for (const pattern of SECRET_PATTERNS) {
+    const matches = findPatternMatches(pattern, line);
+    for (const match of matches) {
+      if (isLikelyFalsePositive(line, match[0], pattern.id)) continue;
+      findings.push(createSecretFinding(pattern, filePath, lineNumber, line, match));
+    }
+  }
+  return findings;
+}
+var BASE64_SECRET_PATTERN = /['"`]([A-Za-z0-9+/]{40,500}=*)['"`]/g;
+function createBase64SecretFinding(line, lineNumber, filePath, base64Match, secretType) {
+  const start = base64Match.index ?? 0;
+  const fullMatch = base64Match[0] ?? "";
+  return {
+    ruleId: "secret/base64-encoded",
+    severity: "high",
+    title: "Base64-Encoded Secret",
+    description: `Base64-encoded secret detected. Type: ${secretType}`,
+    location: {
+      file: filePath,
+      line: lineNumber,
+      column: start
+    },
+    snippet: {
+      text: line.length > 100 ? `${line.substring(0, 100)}...` : line,
+      highlightStart: start,
+      highlightEnd: start + fullMatch.length
+    },
+    fix: {
+      description: "Remove encoded secret and use environment variable",
+      replacement: "process.env.SECRET_KEY"
+    },
+    cweId: CWE.HARDCODED_CREDENTIALS,
+    owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+    confidence: 0.85
+  };
+}
+function collectBase64SecretFindings(line, lineNumber, filePath) {
+  const findings = [];
+  for (const base64Match of line.matchAll(BASE64_SECRET_PATTERN)) {
+    const base64String = base64Match[1];
+    if (!base64String) continue;
+    const result = checkBase64ForSecrets(base64String);
+    if (!result.found) continue;
+    if (isLikelyFalsePositive(line, base64String, "base64-secret")) continue;
+    const secretType = result.secretType ?? "Unknown secret";
+    findings.push(createBase64SecretFinding(line, lineNumber, filePath, base64Match, secretType));
+  }
+  return findings;
+}
+function scanLineForSecrets(line, lineNumber, filePath) {
+  if (line.length > MAX_LINE_LENGTH) {
+    return [];
+  }
+  return [
+    ...collectPatternSecretFindings(line, lineNumber, filePath),
+    ...collectBase64SecretFindings(line, lineNumber, filePath)
+  ];
+}
+async function scanFileForSecrets(filePath) {
+  const stats = await fs.stat(filePath);
+  if (stats.size > MAX_FILE_SIZE) {
+    return [];
+  }
+  const content = await fs.readFile(filePath, "utf-8");
+  const lines = content.split("\n");
+  const findings = [];
+  for (let i = 0; i < lines.length; i++) {
+    const lineFindings = scanLineForSecrets(lines[i], i + 1, filePath);
+    findings.push(...lineFindings);
+  }
+  const multiLineFindings = scanMultiLineSecrets(content, filePath);
+  findings.push(...multiLineFindings);
+  return findings;
+}
+var MULTILINE_PATTERNS = [
+  {
+    id: "private-key-block",
+    name: "Private Key Block",
+    startPattern: new RegExp(
+      "-----BEGIN\\s+(?:RSA\\s+|EC\\s+|DSA\\s+|OPENSSH\\s+)?PRIVATE\\s+KEY-----"
+    ),
+    endPattern: new RegExp(
+      "-----END\\s+(?:RSA\\s+|EC\\s+|DSA\\s+|OPENSSH\\s+)?PRIVATE\\s+KEY-----"
+    ),
+    severity: "critical",
+    description: "Private key block detected"
+  },
+  {
+    id: "pgp-private-key-block",
+    name: "PGP Private Key Block",
+    startPattern: new RegExp("-----BEGIN\\s+PGP\\s+PRIVATE\\s+KEY\\s+BLOCK-----"),
+    endPattern: new RegExp("-----END\\s+PGP\\s+PRIVATE\\s+KEY\\s+BLOCK-----"),
+    severity: "critical",
+    description: "PGP private key block detected"
+  },
+  {
+    id: "certificate-block",
+    name: "Certificate Block",
+    startPattern: /-----BEGIN\s+CERTIFICATE-----/,
+    endPattern: /-----END\s+CERTIFICATE-----/,
+    severity: "medium",
+    description: "Certificate block detected (verify if private)"
+  }
+];
+function scanMultiLineSecrets(content, filePath) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (const pattern of MULTILINE_PATTERNS) {
+    let startLine = -1;
+    let endLine = -1;
+    for (let i = 0; i < lines.length; i++) {
+      if (startLine === -1 && pattern.startPattern.test(lines[i])) {
+        startLine = i;
+      } else if (startLine !== -1 && pattern.endPattern.test(lines[i])) {
+        endLine = i;
+        const blockContent = lines.slice(startLine, endLine + 1).join("\n");
+        if (isMultiLineFalsePositive(blockContent, lines, startLine)) {
+          startLine = -1;
+          endLine = -1;
+          continue;
+        }
+        findings.push({
+          ruleId: `secret/${pattern.id}`,
+          severity: pattern.severity,
+          title: pattern.name,
+          description: `${pattern.description} (${endLine - startLine + 1} lines)`,
+          location: {
+            file: filePath,
+            line: startLine + 1,
+            column: 0
+          },
+          snippet: {
+            text: `${lines[startLine].substring(0, 60)}...`,
+            highlightStart: 0,
+            highlightEnd: lines[startLine].length
+          },
+          fix: {
+            description: "Remove private key and use environment variable or secret manager",
+            replacement: "process.env.PRIVATE_KEY"
+          },
+          cweId: CWE.HARDCODED_CRYPTO_KEY,
+          owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+          confidence: 0.9
+        });
+        startLine = -1;
+        endLine = -1;
+      }
+    }
+  }
+  return findings;
+}
+function isMultiLineFalsePositive(blockContent, lines, startLine) {
+  const contentLower = blockContent.toLowerCase();
+  if (/placeholder|example|sample|test|demo|fake|mock|dummy/.test(contentLower)) {
+    return true;
+  }
+  const blockLines = blockContent.split("\n");
+  if (blockLines.length <= 3) {
+    return true;
+  }
+  if (startLine > 0) {
+    const prevLine = lines[startLine - 1].toLowerCase();
+    if (prevLine.includes("example") || prevLine.includes("template") || prevLine.includes("placeholder") || prevLine.includes("format:") || prevLine.trim().startsWith("//")) {
+      return true;
+    }
+  }
+  return false;
+}
+var SecretAnalyzer = class {
+  name = "SecretAnalyzer";
+  categories = ["secret"];
+  async analyze(options) {
+    const files = await this.getFilesToScan(options);
+    const findings = [];
+    for (const filePath of files) {
+      if (this.isExcluded(filePath)) continue;
+      try {
+        const fileFindings = await scanFileForSecrets(filePath);
+        findings.push(...fileFindings);
+      } catch {
+      }
+    }
+    return findings;
+  }
+  async getFilesToScan(options) {
+    return glob(
+      ["**/*.ts", "**/*.tsx", "**/*.js", "**/*.json", "**/*.yml", "**/*.yaml", "**/*.env*"],
+      {
+        cwd: options.rootDir,
+        ignore: options.exclude || ["**/node_modules/**", "**/dist/**"],
+        absolute: true,
+        dot: true
+      }
+    );
+  }
+  isExcluded(filePath) {
+    return EXCLUDED_PATTERNS.some((pattern) => pattern.test(filePath));
+  }
+};
+
+// src/internal/vuln-checker/analyzers/typescript-analyzer.ts
+init_esm_shims();
+function getLocation(node, filePath) {
+  const startLine = node.getStartLineNumber();
+  const startCol = node.getStartLinePos();
+  const endLine = node.getEndLineNumber();
+  return {
+    file: filePath,
+    line: startLine,
+    column: startCol,
+    endLine
+  };
+}
+function getSnippet(node) {
+  const text = node.getText();
+  return {
+    text: text.length > 200 ? `${text.substring(0, 200)}...` : text
+  };
+}
+var USER_INPUT_PATTERNS = [
+  /\breq(?:uest)?\.(?:params|query|body|headers|cookies)/i,
+  /\bparams\./i,
+  /\bquery\./i,
+  /\bbody\./i,
+  /\buser(?:Input|Data|Id)?\b/i,
+  /\binput\b/i,
+  /\bargs?\b/i,
+  /\bdata\./i,
+  /\bctx\.(?:params|query|body)/i
+  // Koa/Hono context
+];
+var SAFE_VARIABLE_PATTERNS = [
+  /\.parse\s*\(/,
+  // Zod .parse() result
+  /\.safeParse\s*\(/,
+  // Zod .safeParse() result
+  /validated\w*/i,
+  // validatedInput, validatedData
+  /sanitized\w*/i,
+  // sanitizedInput
+  /parsed\w*/i,
+  // parsedBody, parsedParams
+  /\bconst\s+\w+\s*:\s*(string|number|boolean)\b/i
+  // Typed constants
+];
+function hasUserInputInterpolation(text) {
+  if (USER_INPUT_PATTERNS.some((p) => p.test(text))) return true;
+  if (text.includes("${")) {
+    const interpolations = text.match(/\$\{([^}]+)\}/g);
+    if (!interpolations) return false;
+    for (const expr of interpolations) {
+      const innerExpr = expr.slice(2, -1).trim();
+      if (/^\d+$/.test(innerExpr)) continue;
+      if (USER_INPUT_PATTERNS.some((p) => p.test(innerExpr))) {
+        return true;
+      }
+      if (SAFE_VARIABLE_PATTERNS.some((p) => p.test(text))) ;
+    }
+    return false;
+  }
+  return false;
+}
+function hasArrayBasedSqlBuilding(text) {
+  const arrayBuildPatterns = [
+    /\.push\s*\(\s*`[^`]*\$\{/i,
+    // conditions.push(`field = ${value}`)
+    /\.push\s*\(\s*['"][^'"]*\s*\+/i,
+    // conditions.push('field = ' + value)
+    /\.join\s*\(\s*['"](?:\s*AND\s*|\s*OR\s*|\s*,\s*)['"]\s*\)/i
+    // .join(' AND ')
+  ];
+  return arrayBuildPatterns.some((p) => p.test(text));
+}
+function isDynamicQueryBuilder(text) {
+  const builderPatterns = [
+    /buildQuery\s*\(/i,
+    /buildSql\s*\(/i,
+    /createQuery\s*\(/i,
+    /makeQuery\s*\(/i,
+    /generateSql\s*\(/i,
+    /formatQuery\s*\(/i
+  ];
+  return builderPatterns.some((p) => p.test(text));
+}
+var TS_RULES = [
+  // SQL Injection Detection
+  {
+    id: "injection/sql",
+    name: "SQL Injection",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      const sqlMethods = ["query", "execute", "raw", "unsafe", "exec", "sql", "runQuery"];
+      const isSqlMethod = sqlMethods.some(
+        (m) => expressionText.endsWith(`.${m}`) || expressionText === m
+      );
+      if (!isSqlMethod) return null;
+      const args = node.getArguments();
+      if (args.length === 0) return null;
+      const firstArg = args[0];
+      const argText = firstArg.getText();
+      const safePatterns = [
+        /^sql`/,
+        // Tagged template literal (Drizzle)
+        /^sql\.raw\(sql`/,
+        // sql.raw(sql`...`) is parameterized
+        /\$\d+/,
+        // Positional parameters ($1, $2)
+        /\?/,
+        // Question mark parameters
+        /:[\w]+/
+        // Named parameters (:name)
+      ];
+      if (safePatterns.some((p) => p.test(argText))) {
+        return null;
+      }
+      let isDangerous = false;
+      let confidence = 0.8;
+      let description = "String interpolation in SQL query detected.";
+      if (Node.isTemplateExpression(firstArg)) {
+        if (hasUserInputInterpolation(argText)) {
+          isDangerous = true;
+          confidence = 0.9;
+          description = "Template literal with user input in SQL query.";
+        }
+      }
+      if (Node.isBinaryExpression(firstArg) && hasUserInputInterpolation(argText)) {
+        isDangerous = true;
+        confidence = 0.85;
+        description = "String concatenation with user input in SQL query.";
+      }
+      if (Node.isIdentifier(firstArg)) {
+        const sourceFile = node.getSourceFile();
+        const fileText = sourceFile.getText();
+        if (hasArrayBasedSqlBuilding(fileText)) {
+          isDangerous = true;
+          confidence = 0.6;
+          description = "SQL query variable may be built dynamically from array concatenation.";
+        }
+      }
+      if (Node.isCallExpression(firstArg) && isDynamicQueryBuilder(argText)) {
+        isDangerous = true;
+        confidence = 0.7;
+        description = "SQL query built by function that may use string concatenation.";
+      }
+      if (isDangerous) {
+        return {
+          ruleId: "injection/sql",
+          severity: "critical",
+          title: "Potential SQL Injection",
+          description: `${description} Use parameterized queries to prevent SQL injection.`,
+          location: getLocation(node, context.filePath),
+          snippet: getSnippet(node),
+          fix: {
+            description: "Use parameterized queries or Drizzle ORM",
+            replacement: "Use db.select().from(table).where(eq(column, value))"
+          },
+          cweId: CWE.SQL_INJECTION,
+          owaspCategory: OWASP_2021.INJECTION,
+          confidence
+        };
+      }
+      return null;
+    }
+  },
+  // XSS Detection
+  {
+    id: "injection/xss",
+    name: "Cross-Site Scripting (XSS)",
+    detect: (node, context) => {
+      if (!Node.isJsxAttribute(node)) return null;
+      const nameNode = node.getNameNode();
+      const name = nameNode.getText();
+      if (name !== "dangerouslySetInnerHTML") return null;
+      const initializer = node.getInitializer();
+      if (initializer) {
+        const text = initializer.getText();
+        if (text.includes("DOMPurify") || text.includes("sanitize") || text.includes("escape")) {
+          return null;
+        }
+      }
+      return {
+        ruleId: "injection/xss",
+        severity: "high",
+        title: "Potential XSS Vulnerability",
+        description: "dangerouslySetInnerHTML used without sanitization. Use DOMPurify or similar library.",
+        location: getLocation(node, context.filePath),
+        snippet: getSnippet(node),
+        fix: {
+          description: "Sanitize HTML before rendering",
+          replacement: "dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}"
+        },
+        cweId: CWE.XSS,
+        owaspCategory: OWASP_2021.INJECTION,
+        confidence: 0.9
+      };
+    }
+  },
+  // Command Injection Detection
+  {
+    id: "injection/command",
+    name: "Command Injection",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      const dangerousMethods = [
+        "exec",
+        "execSync",
+        "spawn",
+        "spawnSync",
+        "execFile",
+        "execFileSync"
+      ];
+      const isDangerous = dangerousMethods.some(
+        (m) => expressionText === m || expressionText.endsWith(`.${m}`)
+      );
+      if (!isDangerous) return null;
+      const args = node.getArguments();
+      if (args.length === 0) return null;
+      const firstArg = args[0];
+      if (Node.isTemplateExpression(firstArg) || Node.isBinaryExpression(firstArg)) {
+        return {
+          ruleId: "injection/command",
+          severity: "critical",
+          title: "Potential Command Injection",
+          description: "User input in command execution detected. Use parameterized commands or input validation.",
+          location: getLocation(node, context.filePath),
+          snippet: getSnippet(node),
+          fix: {
+            description: "Use spawn with array arguments instead of exec with string"
+          },
+          cweId: CWE.COMMAND_INJECTION,
+          owaspCategory: OWASP_2021.INJECTION,
+          confidence: 0.7
+        };
+      }
+      return null;
+    }
+  },
+  // Insecure Eval Detection
+  {
+    id: "injection/eval",
+    name: "Insecure Eval Usage",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      const evalFunctions = ["eval", "Function", "setTimeout", "setInterval"];
+      if (!evalFunctions.includes(expressionText)) return null;
+      if (expressionText === "setTimeout" || expressionText === "setInterval") {
+        const args = node.getArguments();
+        if (args.length > 0 && !Node.isStringLiteral(args[0])) {
+          return null;
+        }
+      }
+      return {
+        ruleId: "injection/eval",
+        severity: "high",
+        title: "Insecure Eval Usage",
+        description: `${expressionText} can execute arbitrary code. Avoid using eval-like functions.`,
+        location: getLocation(node, context.filePath),
+        snippet: getSnippet(node),
+        fix: {
+          description: "Use safer alternatives like JSON.parse or explicit logic"
+        },
+        cweId: CWE.EVAL_INJECTION,
+        owaspCategory: OWASP_2021.INJECTION,
+        confidence: 0.85
+      };
+    }
+  },
+  // Missing Auth Check Detection
+  {
+    id: "auth/missing-check",
+    name: "Missing Authentication Check",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      const routeMethods = [
+        "get",
+        "post",
+        "put",
+        "patch",
+        "delete",
+        "app.get",
+        "app.post",
+        "app.put",
+        "app.patch",
+        "app.delete",
+        "router.get",
+        "router.post"
+      ];
+      const isRoute = routeMethods.some(
+        (m) => expressionText === m || expressionText.endsWith(`.${m.split(".").pop()}`)
+      );
+      if (!isRoute) return null;
+      const args = node.getArguments();
+      if (args.length < 2) return null;
+      const fullText = node.getText();
+      const authMiddlewarePatterns = [
+        /\bauth(?:enticate)?(?:Middleware)?\b/i,
+        /\bisAuthenticated\b/i,
+        /\brequireAuth\b/i,
+        /\bprotect(?:ed)?(?:Route)?\b/i,
+        /\bverify(?:Token|JWT|Session)\b/i,
+        /\bcheck(?:Auth|Token|Session)\b/i,
+        /\bguard\b/i,
+        /\bmiddleware\(/i,
+        /\buse\s*\(\s*auth/i
+      ];
+      const middlewareArgs = args.slice(1, -1);
+      const hasAuthMiddleware = middlewareArgs.some((arg) => {
+        const argText = arg.getText();
+        return authMiddlewarePatterns.some((p) => p.test(argText));
+      });
+      const lastArg = args[args.length - 1];
+      const handlerText = lastArg?.getText() || "";
+      const hasInlineAuthCheck = /headers\.authorization/i.test(handlerText) || /getToken\s*\(/i.test(handlerText) || /session\./i.test(handlerText) || /req\.user\b/i.test(handlerText) || /ctx\.(?:user|auth|session)\b/i.test(handlerText) || /throw.*(?:Unauthorized|401)/i.test(handlerText);
+      const hasAuthInFullText = authMiddlewarePatterns.some((p) => p.test(fullText));
+      const hasAuth = hasAuthMiddleware || hasInlineAuthCheck || hasAuthInFullText;
+      const publicRoutePatterns = [
+        /\/public\//i,
+        /\/health(?:check)?(?:\/|$)/i,
+        /\/(?:login|logout|signin|signout)(?:\/|$)/i,
+        /\/(?:signup|register)(?:\/|$)/i,
+        /\/(?:forgot|reset)-?password/i,
+        /\/callback(?:\/|$)/i,
+        // OAuth callbacks
+        /\/webhook(?:s)?(?:\/|$)/i,
+        // Webhooks often have their own auth
+        /\/api\/v\d+\/public\//i,
+        /\/\.well-known\//i,
+        // OpenID discovery, etc.
+        /\/robots\.txt/i,
+        /\/favicon/i,
+        /\/status(?:\/|$)/i,
+        /\/ping(?:\/|$)/i,
+        /\/version(?:\/|$)/i
+      ];
+      const isPublic = publicRoutePatterns.some((p) => p.test(fullText));
+      if (!hasAuth && !isPublic) {
+        let confidence = 0.4;
+        if (/\/(?:api|admin|user|account|setting|profile)/i.test(fullText)) {
+          confidence = 0.6;
+        }
+        if (/\.(post|put|patch|delete)\s*\(/i.test(expressionText)) {
+          confidence += 0.1;
+        }
+        return {
+          ruleId: "auth/missing-check",
+          severity: "medium",
+          title: "Potentially Missing Authentication",
+          description: "Route handler may be missing authentication middleware. Verify if this endpoint should be protected.",
+          location: getLocation(node, context.filePath),
+          snippet: getSnippet(node),
+          fix: {
+            description: "Add authentication middleware to protected routes"
+          },
+          cweId: CWE.MISSING_AUTH,
+          owaspCategory: OWASP_2021.AUTH_FAILURES,
+          confidence
+        };
+      }
+      return null;
+    }
+  },
+  // Sensitive Data Logging Detection
+  {
+    id: "secret/logging",
+    name: "Sensitive Data Logging",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      const logMethods = [
+        "console.log",
+        "console.info",
+        "console.debug",
+        "console.warn",
+        "console.error",
+        "logger.log",
+        "logger.info",
+        "logger.debug"
+      ];
+      if (!logMethods.includes(expressionText)) return null;
+      const args = node.getArguments();
+      for (const arg of args) {
+        const text = arg.getText().toLowerCase();
+        const sensitivePatterns = [
+          "password",
+          "secret",
+          "token",
+          "apikey",
+          "api_key",
+          "authorization",
+          "bearer",
+          "credential",
+          "private"
+        ];
+        if (sensitivePatterns.some((p) => text.includes(p))) {
+          return {
+            ruleId: "secret/logging",
+            severity: "high",
+            title: "Sensitive Data in Logs",
+            description: "Logging statement may contain sensitive data.",
+            location: getLocation(node, context.filePath),
+            snippet: getSnippet(node),
+            fix: {
+              description: "Remove sensitive data from log statements or redact"
+            },
+            cweId: CWE.SENSITIVE_LOG,
+            owaspCategory: OWASP_2021.LOGGING_FAILURES,
+            confidence: 0.7
+          };
+        }
+      }
+      return null;
+    }
+  },
+  // Insecure Randomness Detection
+  {
+    id: "crypto/weak-random",
+    name: "Insecure Randomness",
+    detect: (node, context) => {
+      if (!Node.isCallExpression(node)) return null;
+      const expression = node.getExpression();
+      const expressionText = expression.getText();
+      if (expressionText !== "Math.random") return null;
+      const parent = node.getParent();
+      const grandparent = parent?.getParent();
+      const contextText = (grandparent?.getText() || parent?.getText() || "").toLowerCase();
+      const securityContexts = [
+        "token",
+        "secret",
+        "password",
+        "session",
+        "id",
+        "key",
+        "nonce",
+        "salt"
+      ];
+      if (securityContexts.some((c) => contextText.includes(c))) {
+        return {
+          ruleId: "crypto/weak-random",
+          severity: "medium",
+          title: "Insecure Randomness for Security Context",
+          description: "Math.random() is not cryptographically secure. Use crypto.randomBytes() or crypto.randomUUID().",
+          location: getLocation(node, context.filePath),
+          snippet: getSnippet(node),
+          fix: {
+            description: "Use crypto.randomBytes() or crypto.randomUUID()",
+            replacement: "crypto.randomUUID() or crypto.randomBytes(32).toString('hex')"
+          },
+          cweId: CWE.WEAK_RANDOM,
+          owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+          confidence: 0.6
+        };
+      }
+      return null;
+    }
+  }
+];
+var TypeScriptAnalyzer = class {
+  name = "TypeScriptAnalyzer";
+  categories = ["injection", "auth", "crypto", "secret"];
+  async analyze(options) {
+    const findings = [];
+    const files = await glob(["**/*.ts", "**/*.tsx"], {
+      cwd: options.rootDir,
+      ignore: options.exclude || ["**/node_modules/**", "**/dist/**"],
+      absolute: true
+    });
+    const project = new Project({
+      skipAddingFilesFromTsConfig: true,
+      compilerOptions: {
+        allowJs: true,
+        checkJs: false,
+        noEmit: true,
+        skipLibCheck: true
+      }
+    });
+    for (const filePath of files) {
+      try {
+        const sourceFile = project.addSourceFileAtPath(filePath);
+        const context = { filePath, project };
+        sourceFile.forEachDescendant((node) => {
+          for (const rule of TS_RULES) {
+            const finding = rule.detect(node, context);
+            if (finding) {
+              findings.push(finding);
+            }
+          }
+        });
+        project.removeSourceFile(sourceFile);
+      } catch {
+      }
+    }
+    return findings;
+  }
+};
+
+// src/internal/vuln-checker/config/loader.ts
+init_esm_shims();
+
+// src/internal/vuln-checker/security/path-validation.ts
+init_esm_shims();
+function containsPathTraversal(inputPath) {
+  const normalized = path2.normalize(inputPath);
+  if (normalized.includes("..")) return true;
+  if (inputPath.includes("\0")) return true;
+  return false;
+}
+function isPathWithinBoundary(filePath, boundaryDir) {
+  try {
+    const resolvedFile = path2.resolve(filePath);
+    const resolvedBoundary = path2.resolve(boundaryDir);
+    const relative = path2.relative(resolvedBoundary, resolvedFile);
+    return !relative.startsWith("..") && !path2.isAbsolute(relative);
+  } catch {
+    return false;
+  }
+}
+function resolvePathWithinBoundary(inputPath, boundaryDir) {
+  if (containsPathTraversal(inputPath)) {
+    throw new Error(`Path contains traversal patterns: ${inputPath}`);
+  }
+  const resolvedPath = path2.isAbsolute(inputPath) ? inputPath : path2.resolve(boundaryDir, inputPath);
+  if (!isPathWithinBoundary(resolvedPath, boundaryDir)) {
+    throw new Error(`Path is outside allowed boundary: ${inputPath}`);
+  }
+  return resolvedPath;
+}
+function filterPathsWithinBoundary(files, boundaryDir) {
+  const resolvedBoundary = path2.resolve(boundaryDir);
+  return files.filter((file) => isPathWithinBoundary(file, resolvedBoundary));
+}
+function validateGlobPatterns(patterns) {
+  for (const pattern of patterns) {
+    if (containsPathTraversal(pattern)) {
+      throw new Error(`Glob pattern contains path traversal: ${pattern}`);
+    }
+  }
+}
+
+// src/internal/vuln-checker/config/loader.ts
+async function loadConfig(configPath, rootDir) {
+  const fullPath = resolvePathWithinBoundary(configPath, rootDir);
+  try {
+    const content = await fs.readFile(fullPath, "utf-8");
+    if (fullPath.endsWith(".yml") || fullPath.endsWith(".yaml")) {
+      return yaml.load(content, { schema: yaml.JSON_SCHEMA });
+    }
+    return JSON.parse(content);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return { version: 1 };
+    }
+    throw error;
+  }
+}
+async function loadIgnores(ignorePath, rootDir) {
+  const fullPath = resolvePathWithinBoundary(ignorePath, rootDir);
+  try {
+    const content = await fs.readFile(fullPath, "utf-8");
+    let parsed;
+    if (fullPath.endsWith(".yml") || fullPath.endsWith(".yaml")) {
+      parsed = yaml.load(content, { schema: yaml.JSON_SCHEMA });
+    } else {
+      parsed = JSON.parse(content);
+    }
+    const ignores = parsed?.ignores || [];
+    const now = /* @__PURE__ */ new Date();
+    return ignores.filter((ignore) => {
+      if (!ignore.expires) return true;
+      const expiresDate = new Date(ignore.expires);
+      return expiresDate > now;
+    });
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+}
+
+// src/internal/vuln-checker/ignore/matcher.ts
+init_esm_shims();
+function normalizePath(filePath) {
+  const normalized = path2.normalize(filePath);
+  return normalized.replace(/\\/g, "/");
+}
+function normalizeRuleId(ruleId) {
+  return ruleId.toLowerCase().replace(/_/g, "-");
+}
+function matchIgnoreRule(rule, finding) {
+  if (rule.rule !== "*") {
+    const normalizedRule = normalizeRuleId(rule.rule);
+    const normalizedFinding = normalizeRuleId(finding.ruleId);
+    if (normalizedRule !== normalizedFinding) {
+      return false;
+    }
+  }
+  if (rule.path) {
+    const normalizedPath = normalizePath(finding.location.file);
+    const normalizedPattern = normalizePath(rule.path);
+    if (!minimatch(normalizedPath, normalizedPattern, { nocase: true })) {
+      return false;
+    }
+  }
+  return true;
+}
+var RULE_ID_PATTERN = "[a-zA-Z0-9\\-_\\/\\*]+";
+function createAnnotationPatterns() {
+  const commentPrefixes = [
+    "\\/\\/",
+    // JS single-line: //
+    "\\/\\*\\s*",
+    // JS block: /*
+    "#",
+    // Shell/YAML/SQL: #
+    "--"
+    // SQL: --
+  ].join("|");
+  const basePattern = (type) => new RegExp(
+    `(?:${commentPrefixes})\\s*@vuln-ignore${type}:(${RULE_ID_PATTERN})(?:\\s*-\\s*(.+?))?(?:\\s*\\*\\/)?$`,
+    "i"
+  );
+  return {
+    line: basePattern(""),
+    nextLine: basePattern("-next-line"),
+    file: basePattern("-file")
+  };
+}
+var ANNOTATION_PATTERNS = createAnnotationPatterns();
+async function parseInlineAnnotations(filePath) {
+  const annotations = [];
+  try {
+    const content = await fs.readFile(filePath, "utf-8");
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+      const fileMatch = line.match(ANNOTATION_PATTERNS.file);
+      if (fileMatch) {
+        annotations.push({
+          // Normalize rule ID for consistent matching
+          ruleId: normalizeRuleId(fileMatch[1]),
+          reason: fileMatch[2]?.trim(),
+          scope: "file",
+          line: lineNumber
+        });
+        continue;
+      }
+      const nextLineMatch = line.match(ANNOTATION_PATTERNS.nextLine);
+      if (nextLineMatch) {
+        annotations.push({
+          ruleId: normalizeRuleId(nextLineMatch[1]),
+          reason: nextLineMatch[2]?.trim(),
+          scope: "next-line",
+          line: lineNumber
+        });
+        continue;
+      }
+      const lineMatch = line.match(ANNOTATION_PATTERNS.line);
+      if (lineMatch) {
+        annotations.push({
+          ruleId: normalizeRuleId(lineMatch[1]),
+          reason: lineMatch[2]?.trim(),
+          scope: "line",
+          line: lineNumber
+        });
+      }
+    }
+  } catch {
+  }
+  return annotations;
+}
+
+// src/internal/vuln-checker/reporters/console-reporter.ts
+init_esm_shims();
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  red: "\x1B[31m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m",
+  white: "\x1B[37m",
+  bgRed: "\x1B[41m"};
+function getSeverityColor(severity) {
+  switch (severity) {
+    case "critical":
+      return COLORS.bgRed + COLORS.white;
+    case "high":
+      return COLORS.red;
+    case "medium":
+      return COLORS.yellow;
+    case "low":
+      return COLORS.cyan;
+    case "info":
+      return COLORS.blue;
+  }
+}
+function formatSeverity(severity) {
+  const color = getSeverityColor(severity);
+  const label = severity.toUpperCase().padEnd(8);
+  return `${color}${label}${COLORS.reset}`;
+}
+function formatFinding(finding, index) {
+  const lines = [];
+  lines.push(`
+${COLORS.bold}${index}. ${finding.title}${COLORS.reset}`);
+  lines.push(
+    `   ${formatSeverity(finding.severity)} ${COLORS.dim}${finding.ruleId}${COLORS.reset}`
+  );
+  const shortPath = finding.location.file.split("/").slice(-3).join("/");
+  lines.push(
+    `   ${COLORS.cyan}${shortPath}:${finding.location.line}:${finding.location.column}${COLORS.reset}`
+  );
+  lines.push(`   ${finding.description}`);
+  if (finding.snippet) {
+    lines.push(`   ${COLORS.dim}\u2502${COLORS.reset}`);
+    const snippetLines = finding.snippet.text.split("\n");
+    for (const snippetLine of snippetLines.slice(0, 3)) {
+      lines.push(`   ${COLORS.dim}\u2502${COLORS.reset} ${snippetLine}`);
+    }
+    if (snippetLines.length > 3) {
+      lines.push(`   ${COLORS.dim}\u2502 ... (${snippetLines.length - 3} more lines)${COLORS.reset}`);
+    }
+  }
+  if (finding.fix) {
+    lines.push(`   ${COLORS.green}Fix:${COLORS.reset} ${finding.fix.description}`);
+  }
+  return lines.join("\n");
+}
+var ConsoleReporter = class {
+  name = "console";
+  format(result) {
+    const lines = [];
+    lines.push(
+      `
+${COLORS.bold}${COLORS.magenta}\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550${COLORS.reset}`
+    );
+    lines.push(
+      `${COLORS.bold}${COLORS.magenta}                    VULNERABILITY SCAN RESULTS                   ${COLORS.reset}`
+    );
+    lines.push(
+      `${COLORS.bold}${COLORS.magenta}\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550${COLORS.reset}
+`
+    );
+    lines.push(`${COLORS.bold}Summary${COLORS.reset}`);
+    lines.push(`${"\u2500".repeat(40)}`);
+    if (result.summary.critical > 0) {
+      lines.push(`  ${formatSeverity("critical")} ${result.summary.critical}`);
+    }
+    if (result.summary.high > 0) {
+      lines.push(`  ${formatSeverity("high")} ${result.summary.high}`);
+    }
+    if (result.summary.medium > 0) {
+      lines.push(`  ${formatSeverity("medium")} ${result.summary.medium}`);
+    }
+    if (result.summary.low > 0) {
+      lines.push(`  ${formatSeverity("low")} ${result.summary.low}`);
+    }
+    if (result.summary.info > 0) {
+      lines.push(`  ${formatSeverity("info")} ${result.summary.info}`);
+    }
+    lines.push(`${"\u2500".repeat(40)}`);
+    lines.push(`  ${COLORS.bold}Total:${COLORS.reset} ${result.summary.total} findings`);
+    if (result.summary.ignored > 0) {
+      lines.push(`  ${COLORS.dim}Ignored: ${result.summary.ignored}${COLORS.reset}`);
+    }
+    lines.push(
+      `  ${COLORS.dim}Scanned ${result.metadata.filesScanned} files in ${result.metadata.duration}ms${COLORS.reset}`
+    );
+    if (result.findings.length > 0) {
+      lines.push(`
+${COLORS.bold}Findings${COLORS.reset}`);
+      lines.push(`${"\u2500".repeat(40)}`);
+      const sorted = [...result.findings].sort((a, b) => {
+        const order = ["critical", "high", "medium", "low", "info"];
+        return order.indexOf(a.severity) - order.indexOf(b.severity);
+      });
+      let index = 1;
+      for (const finding of sorted) {
+        lines.push(formatFinding(finding, index));
+        index++;
+      }
+    } else {
+      lines.push(`
+${COLORS.green}${COLORS.bold}\u2713 No vulnerabilities found!${COLORS.reset}`);
+    }
+    lines.push(`
+${COLORS.dim}${"\u2500".repeat(40)}${COLORS.reset}`);
+    lines.push(`${COLORS.dim}${TOOL.NAME} v${TOOL.VERSION}${COLORS.reset}
+`);
+    return lines.join("\n");
+  }
+};
+
+// src/internal/vuln-checker/reporters/json-reporter.ts
+init_esm_shims();
+var JsonReporter = class {
+  name = "json";
+  format(result) {
+    return JSON.stringify(result, null, 2);
+  }
+};
+
+// src/internal/vuln-checker/reporters/markdown-reporter.ts
+init_esm_shims();
+function escapeMarkdown(text) {
+  let escaped = text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  escaped = escaped.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\*/g, "\\*").replace(/_/g, "\\_").replace(/\{/g, "\\{").replace(/\}/g, "\\}").replace(/\[/g, "\\[").replace(/\]/g, "\\]").replace(/\(/g, "\\(").replace(/\)/g, "\\)").replace(/#/g, "\\#").replace(/\+/g, "\\+").replace(/-/g, "\\-").replace(/\./g, "\\.").replace(/!/g, "\\!").replace(/\|/g, "\\|");
+  return escaped;
+}
+function sanitizeCodeBlock(text) {
+  return text.replace(/```/g, "\\`\\`\\`");
+}
+var SEVERITY_EMOJI = {
+  critical: "\u{1F534}",
+  high: "\u{1F7E0}",
+  medium: "\u{1F7E1}",
+  low: "\u{1F7E2}",
+  info: "\u{1F535}"
+};
+var SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+function groupByCategory(findings) {
+  const byCategory = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const category = finding.ruleId.split("/")[0];
+    const existing = byCategory.get(category) || [];
+    existing.push(finding);
+    byCategory.set(category, existing);
+  }
+  return byCategory;
+}
+function sortBySeverity(findings) {
+  return [...findings].sort(
+    (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity)
+  );
+}
+function formatFilePath(filePath) {
+  return filePath.split("/").slice(-3).join("/");
+}
+function formatMetadata(finding) {
+  const lines = [];
+  if (finding.cweId) {
+    lines.push(`- **CWE**: ${finding.cweId}`);
+  }
+  if (finding.owaspCategory) {
+    lines.push(`- **OWASP**: ${finding.owaspCategory}`);
+  }
+  return lines;
+}
+function formatSnippet(finding) {
+  if (!finding.snippet) return [];
+  return ["```", sanitizeCodeBlock(finding.snippet.text), "```\n"];
+}
+function formatFix(finding) {
+  if (!finding.fix) return [];
+  const lines = [`**Fix**: ${escapeMarkdown(finding.fix.description)}
+`];
+  if (finding.fix.replacement) {
+    lines.push("```", sanitizeCodeBlock(finding.fix.replacement), "```\n");
+  }
+  return lines;
+}
+function formatFinding2(finding) {
+  const emoji = SEVERITY_EMOJI[finding.severity];
+  const location = `${formatFilePath(finding.location.file)}:${finding.location.line}`;
+  const safeTitle = escapeMarkdown(finding.title);
+  const safeDescription = escapeMarkdown(finding.description);
+  return [
+    `#### ${emoji} ${safeTitle}
+`,
+    `- **Severity**: ${finding.severity}`,
+    `- **Location**: \`${location}\``,
+    `- **Rule**: \`${finding.ruleId}\``,
+    ...formatMetadata(finding),
+    `
+${safeDescription}
+`,
+    ...formatSnippet(finding),
+    ...formatFix(finding),
+    "---\n"
+  ];
+}
+function formatCategorySection(category, findings) {
+  const title = category.charAt(0).toUpperCase() + category.slice(1);
+  const sorted = sortBySeverity(findings);
+  return [`
+### ${title}
+`, ...sorted.flatMap(formatFinding2)];
+}
+function formatFindingsByCategory(findings) {
+  const byCategory = groupByCategory(findings);
+  const sections = Array.from(byCategory.entries()).flatMap(
+    ([category, categoryFindings]) => formatCategorySection(category, categoryFindings)
+  );
+  return sections.join("\n");
+}
+var MarkdownReporter = class {
+  name = "markdown";
+  format(result) {
+    const lines = [];
+    lines.push("# Security Vulnerability Report\n");
+    lines.push(`Generated: ${result.timestamp}
+`);
+    lines.push("## Summary\n");
+    lines.push("| Severity | Count |");
+    lines.push("|----------|-------|");
+    lines.push(`| \u{1F534} Critical | ${result.summary.critical} |`);
+    lines.push(`| \u{1F7E0} High | ${result.summary.high} |`);
+    lines.push(`| \u{1F7E1} Medium | ${result.summary.medium} |`);
+    lines.push(`| \u{1F7E2} Low | ${result.summary.low} |`);
+    lines.push(`| \u{1F535} Info | ${result.summary.info} |`);
+    lines.push(`| **Total** | **${result.summary.total}** |`);
+    lines.push(`| Ignored | ${result.summary.ignored} |
+`);
+    lines.push("## Scan Details\n");
+    lines.push(`- **Duration**: ${result.metadata.duration}ms`);
+    lines.push(`- **Files Scanned**: ${result.metadata.filesScanned}`);
+    lines.push(`- **Root Directory**: ${result.metadata.rootDir}
+`);
+    if (result.findings.length > 0) {
+      lines.push("## Findings\n");
+      lines.push(formatFindingsByCategory(result.findings));
+    } else {
+      lines.push("## Findings\n");
+      lines.push("No vulnerabilities found! \u{1F389}\n");
+    }
+    if (result.ignoredFindings && result.ignoredFindings.length > 0) {
+      lines.push("## Ignored Findings\n");
+      lines.push("The following findings were ignored based on configuration:\n");
+      for (const finding of result.ignoredFindings) {
+        const emoji = SEVERITY_EMOJI[finding.severity];
+        const safeTitle = escapeMarkdown(finding.title);
+        lines.push(
+          `- ${emoji} **${safeTitle}** at \`${finding.location.file}:${finding.location.line}\``
+        );
+      }
+      lines.push("");
+    }
+    lines.push("---");
+    lines.push(`*Generated by [${TOOL.NAME}](${TOOL.REPO_URL})*`);
+    return lines.join("\n");
+  }
+};
+
+// src/internal/vuln-checker/reporters/sarif-reporter.ts
+init_esm_shims();
+function mapToSarifLevel(severity) {
+  switch (severity) {
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
+    case "low":
+      return "note";
+    case "info":
+      return "none";
+  }
+}
+function buildRule(finding) {
+  return {
+    id: finding.ruleId,
+    name: finding.title,
+    shortDescription: {
+      text: finding.title
+    },
+    fullDescription: {
+      text: finding.description
+    },
+    help: {
+      text: finding.fix?.description || "No fix available",
+      markdown: finding.fix?.description || "No fix available"
+    },
+    properties: {
+      tags: [finding.cweId, finding.owaspCategory].filter(Boolean),
+      precision: "medium",
+      "security-severity": severityToScore(finding.severity).toString()
+    }
+  };
+}
+function severityToScore(severity) {
+  return SEVERITY_SCORE[severity] ?? 1;
+}
+function buildResult(finding) {
+  return {
+    ruleId: finding.ruleId,
+    level: mapToSarifLevel(finding.severity),
+    message: {
+      text: finding.description
+    },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: finding.location.file,
+            uriBaseId: "%SRCROOT%"
+          },
+          region: {
+            startLine: finding.location.line,
+            startColumn: finding.location.column,
+            endLine: finding.location.endLine || finding.location.line,
+            snippet: finding.snippet ? {
+              text: finding.snippet.text
+            } : void 0
+          }
+        }
+      }
+    ],
+    fixes: finding.fix ? [
+      {
+        description: {
+          text: finding.fix.description
+        },
+        artifactChanges: finding.fix.replacement ? [
+          {
+            artifactLocation: {
+              uri: finding.location.file
+            },
+            replacements: [
+              {
+                deletedRegion: {
+                  startLine: finding.location.line,
+                  startColumn: finding.location.column
+                },
+                insertedContent: {
+                  text: finding.fix.replacement
+                }
+              }
+            ]
+          }
+        ] : []
+      }
+    ] : void 0,
+    properties: {
+      confidence: finding.confidence,
+      cweId: finding.cweId,
+      owaspCategory: finding.owaspCategory
+    }
+  };
+}
+var SarifReporter = class {
+  name = "sarif";
+  format(result) {
+    const rulesMap = /* @__PURE__ */ new Map();
+    for (const finding of result.findings) {
+      if (!rulesMap.has(finding.ruleId)) {
+        rulesMap.set(finding.ruleId, buildRule(finding));
+      }
+    }
+    const sarif = {
+      $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+      version: "2.1.0",
+      runs: [
+        {
+          tool: {
+            driver: {
+              name: TOOL.NAME,
+              version: TOOL.VERSION,
+              informationUri: TOOL.REPO_URL,
+              rules: Array.from(rulesMap.values())
+            }
+          },
+          results: result.findings.map(buildResult),
+          invocations: [
+            {
+              executionSuccessful: true,
+              endTimeUtc: result.timestamp
+            }
+          ]
+        }
+      ]
+    };
+    return JSON.stringify(sarif, null, 2);
+  }
+};
+
+// src/internal/vuln-checker/types.ts
+init_esm_shims();
+
+// src/internal/vuln-checker/index.ts
+var SEVERITY_ORDER2 = {
+  critical: 5,
+  high: 4,
+  medium: 3,
+  low: 2,
+  info: 1
+};
+async function buildInlineAnnotationsMap(files) {
+  const inlineAnnotations = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    const annotations = await parseInlineAnnotations(file);
+    if (annotations.length === 0) continue;
+    const lineRules = buildLineRulesSet(annotations);
+    inlineAnnotations.set(file, lineRules);
+  }
+  return inlineAnnotations;
+}
+function buildLineRulesSet(annotations) {
+  const lineRules = /* @__PURE__ */ new Set();
+  for (const ann of annotations) {
+    const key = getAnnotationKey(ann);
+    if (key) lineRules.add(key);
+  }
+  return lineRules;
+}
+function getAnnotationKey(ann) {
+  if (ann.scope === "line" || ann.scope === "next-line") {
+    const targetLine = ann.scope === "next-line" ? ann.line + 1 : ann.line;
+    return `${targetLine}:${ann.ruleId}`;
+  }
+  if (ann.scope === "file") {
+    return `file:${ann.ruleId}`;
+  }
+  return null;
+}
+function isIgnoredByAnnotation(finding, fileAnnotations) {
+  if (!fileAnnotations) return false;
+  return fileAnnotations.has(`${finding.location.line}:${finding.ruleId}`) || fileAnnotations.has(`${finding.location.line}:*`) || fileAnnotations.has(`file:${finding.ruleId}`) || fileAnnotations.has("file:*");
+}
+function buildSummary(findings, ignoredCount) {
+  return {
+    total: findings.length,
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length,
+    info: findings.filter((f) => f.severity === "info").length,
+    ignored: ignoredCount
+  };
+}
+var VulnChecker = class {
+  options;
+  config;
+  ignores;
+  analyzers;
+  reporters;
+  errors = [];
+  constructor(options) {
+    this.options = {
+      rootDir: options.rootDir,
+      configFile: options.configFile || ".vuln-checker.yml",
+      ignoreFile: options.ignoreFile || ".vuln-ignore.yml",
+      categories: options.categories || [
+        "injection",
+        "auth",
+        "crypto",
+        "secret",
+        "config",
+        "rls",
+        "dependency",
+        "design"
+      ],
+      minSeverity: options.minSeverity || "low",
+      format: options.format || "console",
+      showIgnored: options.showIgnored || false,
+      include: options.include || ["**/*.ts", "**/*.tsx", "**/*.sql"],
+      exclude: options.exclude || [
+        "**/node_modules/**",
+        "**/dist/**",
+        "**/.next/**",
+        "**/coverage/**"
+      ]
+    };
+    this.config = { version: 1 };
+    this.ignores = [];
+    this.analyzers = [
+      new TypeScriptAnalyzer(),
+      new SecretAnalyzer(),
+      new DependencyAnalyzer(),
+      new RLSAnalyzer()
+    ];
+    this.reporters = /* @__PURE__ */ new Map([
+      ["json", new JsonReporter()],
+      ["sarif", new SarifReporter()],
+      ["markdown", new MarkdownReporter()],
+      ["console", new ConsoleReporter()]
+    ]);
+  }
+  async init() {
+    this.config = await loadConfig(this.options.configFile, this.options.rootDir);
+    this.ignores = await loadIgnores(this.options.ignoreFile, this.options.rootDir);
+    if (this.config.ignores) {
+      this.ignores.push(...this.config.ignores);
+    }
+  }
+  async scan() {
+    await this.init();
+    const startTime = Date.now();
+    const files = await this.getFiles();
+    const inlineAnnotations = await buildInlineAnnotationsMap(files);
+    const { findings, ignoredFindings } = await this.runAnalyzers(inlineAnnotations);
+    findings.sort((a, b) => SEVERITY_ORDER2[b.severity] - SEVERITY_ORDER2[a.severity]);
+    const result = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      summary: buildSummary(findings, ignoredFindings.length),
+      findings,
+      metadata: {
+        duration: Date.now() - startTime,
+        filesScanned: files.length,
+        rulesEvaluated: this.analyzers.reduce((acc, a) => acc + a.categories.length * 10, 0),
+        rootDir: this.options.rootDir
+      }
+    };
+    if (this.options.showIgnored) {
+      result.ignoredFindings = ignoredFindings;
+    }
+    return result;
+  }
+  async getFiles() {
+    validateGlobPatterns(this.options.include);
+    if (this.options.exclude) {
+      validateGlobPatterns(this.options.exclude);
+    }
+    const files = await glob(this.options.include, {
+      cwd: this.options.rootDir,
+      ignore: this.options.exclude,
+      absolute: true
+    });
+    return filterPathsWithinBoundary(files, this.options.rootDir);
+  }
+  async runAnalyzers(inlineAnnotations) {
+    const findings = [];
+    const ignoredFindings = [];
+    const analyzerOptions = {
+      rootDir: this.options.rootDir,
+      include: this.options.include,
+      exclude: this.options.exclude,
+      ignores: this.ignores
+    };
+    for (const analyzer of this.analyzers) {
+      if (!this.shouldRunAnalyzer(analyzer)) continue;
+      try {
+        const result = await analyzer.analyze(analyzerOptions);
+        this.classifyFindings(result, inlineAnnotations, findings, ignoredFindings);
+      } catch (error) {
+        this.errors.push({ analyzer: analyzer.name, error });
+      }
+    }
+    return { findings, ignoredFindings };
+  }
+  shouldRunAnalyzer(analyzer) {
+    return analyzer.categories.some((cat) => this.options.categories.includes(cat));
+  }
+  classifyFindings(analyzerFindings, inlineAnnotations, findings, ignoredFindings) {
+    for (const finding of analyzerFindings) {
+      if (!this.meetsMinSeverity(finding)) continue;
+      const isIgnored = this.isFindingIgnored(finding, inlineAnnotations);
+      if (isIgnored) {
+        ignoredFindings.push(finding);
+      } else {
+        findings.push(finding);
+      }
+    }
+  }
+  meetsMinSeverity(finding) {
+    return SEVERITY_ORDER2[finding.severity] >= SEVERITY_ORDER2[this.options.minSeverity];
+  }
+  isFindingIgnored(finding, inlineAnnotations) {
+    const isGloballyIgnored = this.ignores.some((ignore) => matchIgnoreRule(ignore, finding));
+    const fileAnnotations = inlineAnnotations.get(finding.location.file);
+    const isInlineIgnored = isIgnoredByAnnotation(finding, fileAnnotations);
+    return isGloballyIgnored || isInlineIgnored;
+  }
+  format(result) {
+    const reporter = this.reporters.get(this.options.format);
+    if (!reporter) {
+      throw new Error(`Unknown format: ${this.options.format}`);
+    }
+    return reporter.format(result);
+  }
+  async run() {
+    const result = await this.scan();
+    return this.format(result);
+  }
+  getExitCode(result, failOn = "high") {
+    const threshold = SEVERITY_ORDER2[failOn];
+    if (result.summary.critical > 0 && SEVERITY_ORDER2.critical >= threshold) return 1;
+    if (result.summary.high > 0 && SEVERITY_ORDER2.high >= threshold) return 1;
+    if (result.summary.medium > 0 && SEVERITY_ORDER2.medium >= threshold) return 1;
+    if (result.summary.low > 0 && SEVERITY_ORDER2.low >= threshold) return 1;
+    return 0;
+  }
+  /** Get errors that occurred during scanning */
+  getErrors() {
+    return this.errors;
+  }
+};
+
+export { VulnChecker };