@runa-ai/runa-cli 0.6.0 → 0.7.1

package/dist/{vuln-checker-2QXGN5YT.js → vuln-checker-EJJTNDNE.js}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { createRequire } from 'module';
-import { CLI_VERSION } from './chunk-GOGRLQNP.js';
+import { CLI_VERSION } from './chunk-AFY3TX4I.js';
 import { init_esm_shims } from './chunk-VRXHCR5K.js';
 import { glob } from 'glob';
 import { exec } from 'child_process';
@@ -499,6 +499,10 @@ var TENANT_ISOLATION_PATTERNS = [
   /\(\s*auth\.jwt\s*\(\)\s*->>?\s*['"][^'"]+['"]\s*\)\s*::/i
 ];
 var SYSTEM_TABLE_PATTERNS = ["_", "schema_migrations", "drizzle_migrations"];
+var SUPABASE_STORAGE_TABLES = ["storage.objects", "storage.buckets"];
+function isStorageTable(tableName) {
+  return SUPABASE_STORAGE_TABLES.includes(tableName.toLowerCase());
+}
 function isPgTableCall(callExpr) {
   const expression = callExpr.getExpression();
   if (Node.isIdentifier(expression)) {
@@ -753,6 +757,15 @@ function checkTableForIssues(table, tablesWithPolicies, policies) {
   const fullTableName = `${table.schema}.${table.name}`;
   if (isSystemTable(table.name)) return findings;
   if (!tablesWithPolicies.has(fullTableName)) {
+    if (isStorageTable(fullTableName)) {
+      findings.push({
+        ...createMissingRLSFinding(table, fullTableName),
+        severity: "medium",
+        description: `Storage table "${fullTableName}" \u2014 Supabase provides default storage policies. Custom RLS may still be needed.`,
+        confidence: 0.4
+      });
+      return findings;
+    }
     findings.push(createMissingRLSFinding(table, fullTableName));
     return findings;
   }
@@ -775,7 +788,17 @@ var RLSAnalyzer = class {
     const tableFindings = tables.flatMap(
       (table) => checkTableForIssues(table, tablesWithPolicies, policies)
     );
-    const policyFindings = policies.filter(isPermissivePolicy).map(createPermissiveFinding);
+    const policyFindings = policies.filter(isPermissivePolicy).map((policy) => {
+      if (isStorageTable(policy.table) && /SELECT/i.test(policy.operation)) {
+        return {
+          ...createPermissiveFinding(policy),
+          severity: "info",
+          description: `Policy "${policy.name}" on "${policy.table}" allows public SELECT. This is common for public file downloads. Verify this is intentional.`,
+          confidence: 0.3
+        };
+      }
+      return createPermissiveFinding(policy);
+    });
     return [...tableFindings, ...policyFindings];
   }
 };
@@ -784,6 +807,7 @@ var RLSAnalyzer = class {
 init_esm_shims();
 var MAX_LINE_LENGTH = 2e3;
 var MAX_FILE_SIZE = 1024 * 1024;
+var SECRET_SCAN_SKIPPED_RULE_ID = "secret/scan-skipped";
 var SECRET_PATTERNS = [
   // AWS
   {
@@ -1483,6 +1507,52 @@ function createBase64SecretFinding(line, lineNumber, filePath, base64Match, secr
     confidence: 0.85
   };
 }
+function createSkippedLineScanFinding(filePath, firstLineNumber, skippedLineCount) {
+  return {
+    ruleId: SECRET_SCAN_SKIPPED_RULE_ID,
+    severity: "low",
+    title: "Secret Scan Partially Skipped",
+    description: `Secret scan skipped ${skippedLineCount} overlong line(s) exceeding ${MAX_LINE_LENGTH} characters.`,
+    location: {
+      file: filePath,
+      line: firstLineNumber,
+      column: 0
+    },
+    fix: {
+      description: "Split minified or generated content so the scanner can inspect each line safely"
+    },
+    metadata: {
+      skippedLineCount,
+      maxLineLength: MAX_LINE_LENGTH
+    },
+    cweId: CWE.HARDCODED_CREDENTIALS,
+    owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+    confidence: 1
+  };
+}
+function createSkippedFileScanFinding(filePath, sizeBytes) {
+  return {
+    ruleId: SECRET_SCAN_SKIPPED_RULE_ID,
+    severity: "low",
+    title: "Secret Scan Skipped Large File",
+    description: `Secret scan skipped a file larger than ${MAX_FILE_SIZE} bytes.`,
+    location: {
+      file: filePath,
+      line: 1,
+      column: 0
+    },
+    fix: {
+      description: "Reduce file size or split generated artifacts so secret scanning can inspect the content"
+    },
+    metadata: {
+      sizeBytes,
+      maxFileSize: MAX_FILE_SIZE
+    },
+    cweId: CWE.HARDCODED_CREDENTIALS,
+    owaspCategory: OWASP_2021.CRYPTO_FAILURES,
+    confidence: 1
+  };
+}
 function collectBase64SecretFindings(line, lineNumber, filePath) {
   const findings = [];
   for (const base64Match of line.matchAll(BASE64_SECRET_PATTERN)) {
@@ -1508,15 +1578,26 @@ function scanLineForSecrets(line, lineNumber, filePath) {
 async function scanFileForSecrets(filePath) {
   const stats = await fs.stat(filePath);
   if (stats.size > MAX_FILE_SIZE) {
-    return [];
+    return [createSkippedFileScanFinding(filePath, stats.size)];
   }
   const content = await fs.readFile(filePath, "utf-8");
   const lines = content.split("\n");
   const findings = [];
+  let skippedLineCount = 0;
+  let firstSkippedLineNumber = null;
   for (let i = 0; i < lines.length; i++) {
-    const lineFindings = scanLineForSecrets(lines[i], i + 1, filePath);
+    const lineNumber = i + 1;
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      skippedLineCount += 1;
+      firstSkippedLineNumber ??= lineNumber;
+      continue;
+    }
+    const lineFindings = scanLineForSecrets(lines[i], lineNumber, filePath);
     findings.push(...lineFindings);
   }
+  if (firstSkippedLineNumber !== null) {
+    findings.push(createSkippedLineScanFinding(filePath, firstSkippedLineNumber, skippedLineCount));
+  }
   const multiLineFindings = scanMultiLineSecrets(content, filePath);
   findings.push(...multiLineFindings);
   return findings;
@@ -1700,10 +1781,10 @@ function hasUserInputInterpolation(text) {
     for (const expr of interpolations) {
       const innerExpr = expr.slice(2, -1).trim();
       if (/^\d+$/.test(innerExpr)) continue;
+      if (SAFE_VARIABLE_PATTERNS.some((p) => p.test(text))) continue;
       if (USER_INPUT_PATTERNS.some((p) => p.test(innerExpr))) {
         return true;
       }
-      if (SAFE_VARIABLE_PATTERNS.some((p) => p.test(text))) ;
     }
     return false;
   }
@@ -1720,6 +1801,116 @@ function hasArrayBasedSqlBuilding(text) {
   ];
   return arrayBuildPatterns.some((p) => p.test(text));
 }
+function buildDefinitionPositionsFromNodes(nodes) {
+  return new Set(nodes.map((node) => `${node.getSourceFile().getFilePath()}:${node.getPos()}`));
+}
+function hasDefinitionMatch(node, definitionPositions) {
+  if (!Node.isIdentifier(node)) return false;
+  const nodeDefinitions = node.getDefinitions().map((definition) => definition.getNode());
+  return nodeDefinitions.some(
+    (definitionNode) => definitionPositions.has(
+      `${definitionNode.getSourceFile().getFilePath()}:${definitionNode.getPos()}`
+    )
+  );
+}
+function buildJoinedArrayBuilderRisk(node, sourceFile) {
+  const joinTarget = getIdentifierFromJoinCall(node);
+  if (!joinTarget) return null;
+  const scopeNode = node.getFirstAncestor((ancestor) => Node.isBlock(ancestor) || Node.isSourceFile(ancestor)) ?? sourceFile;
+  if (isDynamicArrayPushInScope(scopeNode.getText(), joinTarget.getText())) {
+    return {
+      confidence: 0.6,
+      description: "SQL query variable may be built dynamically from array concatenation."
+    };
+  }
+  const arrayDefinitionPositions = getDefinitionPositions(joinTarget);
+  if (arrayDefinitionPositions.size === 0) return null;
+  if (hasDynamicPushArgumentFromDefinition(
+    sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression),
+    arrayDefinitionPositions
+  )) {
+    return {
+      confidence: 0.6,
+      description: "SQL query variable may be built dynamically from array concatenation."
+    };
+  }
+  return null;
+}
+function getIdentifierFromJoinCall(node) {
+  if (!Node.isCallExpression(node)) return null;
+  const expression = node.getExpression();
+  if (!Node.isPropertyAccessExpression(expression) || expression.getName() !== "join") return null;
+  const joinTarget = expression.getExpression();
+  return Node.isIdentifier(joinTarget) ? joinTarget : null;
+}
+function isDynamicArrayPushInScope(scopedText, arrayName) {
+  return hasDynamicArrayPush(scopedText, arrayName);
+}
+function getDefinitionPositions(identifier) {
+  return buildDefinitionPositionsFromNodes(
+    identifier.getDefinitions().map((definition) => definition.getNode()).filter((node) => node !== void 0)
+  );
+}
+function hasDynamicPushArgumentFromDefinition(callExpressions, definitionPositions) {
+  for (const call of callExpressions) {
+    const pushExpression = call.getExpression();
+    if (!Node.isPropertyAccessExpression(pushExpression) || pushExpression.getName() !== "push") {
+      continue;
+    }
+    const pushTarget = pushExpression.getExpression();
+    if (!Node.isIdentifier(pushTarget) || !hasDefinitionMatch(pushTarget, definitionPositions)) {
+      continue;
+    }
+    const pushArg = call.getArguments()[0];
+    if (!pushArg) continue;
+    if ((Node.isTemplateExpression(pushArg) || Node.isBinaryExpression(pushArg)) && hasUserInputInterpolation(pushArg.getText())) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasDynamicArrayPush(scopedText, arrayName) {
+  return new RegExp(`\\b${arrayName}\\.push\\s*\\(\\s*\`[^\\\`]*\\$\\{`, "m").test(scopedText) || new RegExp(`\\b${arrayName}\\.push\\s*\\(\\s*['"][^'"]*['"]\\s*\\+`, "m").test(scopedText);
+}
+function collectIdentifierDefinitionRisk(definitionNode, sourceFile) {
+  if (!Node.isVariableDeclaration(definitionNode)) return null;
+  const initializer = definitionNode.getInitializer();
+  if (!initializer) return null;
+  const risk = classifyDynamicSqlNode(initializer);
+  if (risk) return risk;
+  return buildJoinedArrayBuilderRisk(initializer, sourceFile);
+}
+function detectAssignmentRisk(sourceFile, identifierName, definitionPositions) {
+  for (const expression of sourceFile.getDescendantsOfKind(SyntaxKind.BinaryExpression)) {
+    if (expression.getOperatorToken().getKind() !== SyntaxKind.EqualsToken) continue;
+    const left = expression.getLeft();
+    if (!Node.isIdentifier(left) || left.getText() !== identifierName) continue;
+    if (!hasDefinitionMatch(left, definitionPositions)) continue;
+    const risk = classifyDynamicSqlNode(expression.getRight());
+    if (risk) return risk;
+    const joinRisk = buildJoinedArrayBuilderRisk(expression.getRight(), sourceFile);
+    if (joinRisk) return joinRisk;
+  }
+  return null;
+}
+function detectIdentifierJoinPattern(firstArg, identifierName, sourceFile) {
+  const scopeNode = firstArg.getFirstAncestor(
+    (ancestor) => Node.isBlock(ancestor) || Node.isSourceFile(ancestor)
+  ) ?? sourceFile;
+  const scopedText = scopeNode.getText();
+  const identifierJoinPattern = new RegExp(
+    `(?:const|let|var)\\s+${identifierName}\\s*=\\s*(\\w+)\\.join\\s*\\(`,
+    "m"
+  );
+  const joinMatch = scopedText.match(identifierJoinPattern);
+  if (!joinMatch?.[1]) return null;
+  const arrayName = joinMatch[1];
+  if (!hasDynamicArrayPush(scopedText, arrayName)) return null;
+  return {
+    confidence: 0.6,
+    description: "SQL query variable may be built dynamically from array concatenation."
+  };
+}
 function isDynamicQueryBuilder(text) {
   const builderPatterns = [
     /buildQuery\s*\(/i,
@@ -1731,6 +1922,183 @@ function isDynamicQueryBuilder(text) {
   ];
   return builderPatterns.some((p) => p.test(text));
 }
+var SQL_EXECUTION_METHODS = ["query", "execute", "raw", "unsafe", "sql", "runQuery"];
+var DB_CALLER_PATTERN = /\b(?:db|client|pool|connection|knex|prisma|drizzle|supabase|pg|postgres|conn|database)\b/i;
+var SQL_SAFE_PATTERNS = [/^sql`/, /^sql\.raw\(sql`/, /\$\d+/, /\?/, /:[\w]+/];
+var CLIENT_FILE_PATTERNS = [/\/hooks\//i, /\/components\//i, /use[A-Z]\w*\.tsx?$/];
+var ROUTE_METHODS = [
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "app.get",
+  "app.post",
+  "app.put",
+  "app.patch",
+  "app.delete",
+  "router.get",
+  "router.post"
+];
+var AUTH_MIDDLEWARE_PATTERNS = [
+  /\bauth(?:enticate)?(?:Middleware)?\b/i,
+  /\bisAuthenticated\b/i,
+  /\brequireAuth\b/i,
+  /\bprotect(?:ed)?(?:Route)?\b/i,
+  /\bverify(?:Token|JWT|Session)\b/i,
+  /\bcheck(?:Auth|Token|Session)\b/i,
+  /\bguard\b/i,
+  /\bmiddleware\(/i,
+  /\buse\s*\(\s*auth/i
+];
+var PUBLIC_ROUTE_PATTERNS = [
+  /\/public\//i,
+  /\/health(?:check)?(?:\/|$)/i,
+  /\/(?:login|logout|signin|signout)(?:\/|$)/i,
+  /\/(?:signup|register)(?:\/|$)/i,
+  /\/(?:forgot|reset)-?password/i,
+  /\/callback(?:\/|$)/i,
+  /\/webhook(?:s)?(?:\/|$)/i,
+  /\/api\/v\d+\/public\//i,
+  /\/\.well-known\//i,
+  /\/robots\.txt/i,
+  /\/favicon/i,
+  /\/status(?:\/|$)/i,
+  /\/ping(?:\/|$)/i,
+  /\/version(?:\/|$)/i
+];
+function isSqlExecutionCall(expressionText) {
+  const isSqlMethod = SQL_EXECUTION_METHODS.some(
+    (method) => expressionText.endsWith(`.${method}`) || expressionText === method
+  );
+  const isDbExec = expressionText.endsWith(".exec") && DB_CALLER_PATTERN.test(expressionText);
+  return isSqlMethod || isDbExec;
+}
+function isSafeSqlArgument(argText) {
+  return SQL_SAFE_PATTERNS.some((pattern) => pattern.test(argText));
+}
+function classifyDynamicSqlNode(node) {
+  const text = node.getText();
+  if (Node.isTemplateExpression(node) && hasUserInputInterpolation(text)) {
+    return {
+      confidence: 0.9,
+      description: "Template literal with user input in SQL query."
+    };
+  }
+  if (Node.isBinaryExpression(node) && hasUserInputInterpolation(text)) {
+    return {
+      confidence: 0.85,
+      description: "String concatenation with user input in SQL query."
+    };
+  }
+  if (isDynamicQueryBuilder(text)) {
+    return {
+      confidence: 0.7,
+      description: "SQL query built by function that may use string concatenation."
+    };
+  }
+  if (hasArrayBasedSqlBuilding(text)) {
+    return {
+      confidence: 0.6,
+      description: "SQL query variable may be built dynamically from array concatenation."
+    };
+  }
+  return null;
+}
+function findIdentifierSqlConstruction(firstArg) {
+  if (!Node.isIdentifier(firstArg)) return null;
+  const identifierName = firstArg.getText();
+  const definitionNodes = firstArg.getDefinitions().map((definition) => definition.getNode()).filter((node) => node !== void 0);
+  const sourceFile = firstArg.getSourceFile();
+  const definitionPositions = buildDefinitionPositionsFromNodes(definitionNodes);
+  for (const definitionNode of definitionNodes) {
+    const risk = collectIdentifierDefinitionRisk(definitionNode, sourceFile);
+    if (risk) return risk;
+  }
+  const assignmentRisk = detectAssignmentRisk(sourceFile, identifierName, definitionPositions);
+  if (assignmentRisk) return assignmentRisk;
+  const directMatchRisk = detectIdentifierJoinPattern(firstArg, identifierName, sourceFile);
+  if (directMatchRisk) {
+    return directMatchRisk;
+  }
+  return null;
+}
+function evaluateSqlInjectionRisk(firstArg) {
+  const argText = firstArg.getText();
+  if (isSafeSqlArgument(argText)) {
+    return { isDangerous: false, confidence: 0, description: "" };
+  }
+  const directRisk = classifyDynamicSqlNode(firstArg);
+  if (directRisk) {
+    return {
+      isDangerous: true,
+      confidence: directRisk.confidence,
+      description: directRisk.description
+    };
+  }
+  const identifierRisk = findIdentifierSqlConstruction(firstArg);
+  if (identifierRisk) {
+    return {
+      isDangerous: true,
+      confidence: identifierRisk.confidence,
+      description: identifierRisk.description
+    };
+  }
+  return { isDangerous: false, confidence: 0, description: "" };
+}
+function isClientSideRouteFile(filePath) {
+  return CLIENT_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+}
+function isRouteMethodCall(expressionText) {
+  return ROUTE_METHODS.some(
+    (method) => expressionText === method || expressionText.endsWith(`.${method.split(".").pop()}`)
+  );
+}
+function hasHookOrEventWrapper(node) {
+  let current = node.getParent();
+  let depth = 0;
+  while (current && depth < 10) {
+    if (Node.isCallExpression(current)) {
+      const callee = current.getExpression().getText();
+      if (/^use[A-Z]/.test(callee)) return true;
+    }
+    if (Node.isPropertyAssignment(current)) {
+      const name = current.getName();
+      if (/^on[A-Z]/.test(name)) return true;
+    }
+    current = current.getParent();
+    depth += 1;
+  }
+  return false;
+}
+function hasAuthMiddlewareArg(args) {
+  const middlewareArgs = args.slice(1, -1);
+  return middlewareArgs.some((arg) => {
+    const argText = arg.getText();
+    return AUTH_MIDDLEWARE_PATTERNS.some((pattern) => pattern.test(argText));
+  });
+}
+function hasInlineAuthCheck(lastArg, fullText) {
+  const handlerText = lastArg.getText();
+  const handlerPatterns = [
+    /headers\.authorization/i,
+    /getToken\s*\(/i,
+    /session\./i,
+    /req\.user\b/i,
+    /ctx\.(?:user|auth|session)\b/i,
+    /throw.*(?:Unauthorized|401)/i
+  ];
+  return handlerPatterns.some((pattern) => pattern.test(handlerText)) || AUTH_MIDDLEWARE_PATTERNS.some((pattern) => pattern.test(fullText));
+}
+function isPublicRoute(fullText) {
+  return PUBLIC_ROUTE_PATTERNS.some((pattern) => pattern.test(fullText));
+}
+function buildAuthConfidence(expressionText, fullText) {
+  let confidence = 0.4;
+  if (/\/(?:api|admin|user|account|setting|profile)/i.test(fullText)) confidence = 0.6;
+  if (/\.(post|put|patch|delete)\s*\(/i.test(expressionText)) confidence += 0.1;
+  return confidence;
+}
 var TS_RULES = [
   // SQL Injection Detection
   {
@@ -1740,77 +2108,27 @@ var TS_RULES = [
       if (!Node.isCallExpression(node)) return null;
       const expression = node.getExpression();
       const expressionText = expression.getText();
-      const sqlMethods = ["query", "execute", "raw", "unsafe", "exec", "sql", "runQuery"];
-      const isSqlMethod = sqlMethods.some(
-        (m) => expressionText.endsWith(`.${m}`) || expressionText === m
-      );
-      if (!isSqlMethod) return null;
+      if (!isSqlExecutionCall(expressionText)) return null;
       const args = node.getArguments();
       if (args.length === 0) return null;
       const firstArg = args[0];
-      const argText = firstArg.getText();
-      const safePatterns = [
-        /^sql`/,
-        // Tagged template literal (Drizzle)
-        /^sql\.raw\(sql`/,
-        // sql.raw(sql`...`) is parameterized
-        /\$\d+/,
-        // Positional parameters ($1, $2)
-        /\?/,
-        // Question mark parameters
-        /:[\w]+/
-        // Named parameters (:name)
-      ];
-      if (safePatterns.some((p) => p.test(argText))) {
-        return null;
-      }
-      let isDangerous = false;
-      let confidence = 0.8;
-      let description = "String interpolation in SQL query detected.";
-      if (Node.isTemplateExpression(firstArg)) {
-        if (hasUserInputInterpolation(argText)) {
-          isDangerous = true;
-          confidence = 0.9;
-          description = "Template literal with user input in SQL query.";
-        }
-      }
-      if (Node.isBinaryExpression(firstArg) && hasUserInputInterpolation(argText)) {
-        isDangerous = true;
-        confidence = 0.85;
-        description = "String concatenation with user input in SQL query.";
-      }
-      if (Node.isIdentifier(firstArg)) {
-        const sourceFile = node.getSourceFile();
-        const fileText = sourceFile.getText();
-        if (hasArrayBasedSqlBuilding(fileText)) {
-          isDangerous = true;
-          confidence = 0.6;
-          description = "SQL query variable may be built dynamically from array concatenation.";
-        }
-      }
-      if (Node.isCallExpression(firstArg) && isDynamicQueryBuilder(argText)) {
-        isDangerous = true;
-        confidence = 0.7;
-        description = "SQL query built by function that may use string concatenation.";
-      }
-      if (isDangerous) {
-        return {
-          ruleId: "injection/sql",
-          severity: "critical",
-          title: "Potential SQL Injection",
-          description: `${description} Use parameterized queries to prevent SQL injection.`,
-          location: getLocation(node, context.filePath),
-          snippet: getSnippet(node),
-          fix: {
-            description: "Use parameterized queries or Drizzle ORM",
-            replacement: "Use db.select().from(table).where(eq(column, value))"
-          },
-          cweId: CWE.SQL_INJECTION,
-          owaspCategory: OWASP_2021.INJECTION,
-          confidence
-        };
-      }
-      return null;
+      const risk = evaluateSqlInjectionRisk(firstArg);
+      if (!risk.isDangerous) return null;
+      return {
+        ruleId: "injection/sql",
+        severity: "critical",
+        title: "Potential SQL Injection",
+        description: `${risk.description} Use parameterized queries to prevent SQL injection.`,
+        location: getLocation(node, context.filePath),
+        snippet: getSnippet(node),
+        fix: {
+          description: "Use parameterized queries or Drizzle ORM",
+          replacement: "Use db.select().from(table).where(eq(column, value))"
+        },
+        cweId: CWE.SQL_INJECTION,
+        owaspCategory: OWASP_2021.INJECTION,
+        confidence: risk.confidence
+      };
     }
   },
   // XSS Detection
@@ -1851,6 +2169,17 @@ var TS_RULES = [
     id: "injection/command",
     name: "Command Injection",
     detect: (node, context) => {
+      const NON_RUNTIME_PATH_PATTERNS = [
+        /\/scripts\//i,
+        /\/tools\//i,
+        /\/bin\//i,
+        /\.config\./i,
+        /\/__tests__\//i,
+        /\.test\./i,
+        /\.spec\./i,
+        /\/migrations?\//i,
+        /\/seeds?\//i
+      ];
       if (!Node.isCallExpression(node)) return null;
       const expression = node.getExpression();
       const expressionText = expression.getText();
@@ -1870,9 +2199,10 @@ var TS_RULES = [
       if (args.length === 0) return null;
       const firstArg = args[0];
       if (Node.isTemplateExpression(firstArg) || Node.isBinaryExpression(firstArg)) {
+        const isNonRuntime = NON_RUNTIME_PATH_PATTERNS.some((p) => p.test(context.filePath));
         return {
           ruleId: "injection/command",
-          severity: "critical",
+          severity: isNonRuntime ? "medium" : "critical",
           title: "Potential Command Injection",
           description: "User input in command execution detected. Use parameterized commands or input validation.",
           location: getLocation(node, context.filePath),
@@ -1882,7 +2212,7 @@ var TS_RULES = [
           },
           cweId: CWE.COMMAND_INJECTION,
           owaspCategory: OWASP_2021.INJECTION,
-          confidence: 0.7
+          confidence: isNonRuntime ? 0.5 : 0.7
         };
       }
       return null;
@@ -1926,78 +2256,21 @@ var TS_RULES = [
     name: "Missing Authentication Check",
     detect: (node, context) => {
       if (!Node.isCallExpression(node)) return null;
+      if (isClientSideRouteFile(context.filePath)) return null;
       const expression = node.getExpression();
       const expressionText = expression.getText();
-      const routeMethods = [
-        "get",
-        "post",
-        "put",
-        "patch",
-        "delete",
-        "app.get",
-        "app.post",
-        "app.put",
-        "app.patch",
-        "app.delete",
-        "router.get",
-        "router.post"
-      ];
-      const isRoute = routeMethods.some(
-        (m) => expressionText === m || expressionText.endsWith(`.${m.split(".").pop()}`)
-      );
-      if (!isRoute) return null;
+      if (!isRouteMethodCall(expressionText)) return null;
+      if (hasHookOrEventWrapper(node)) return null;
       const args = node.getArguments();
       if (args.length < 2) return null;
       const fullText = node.getText();
-      const authMiddlewarePatterns = [
-        /\bauth(?:enticate)?(?:Middleware)?\b/i,
-        /\bisAuthenticated\b/i,
-        /\brequireAuth\b/i,
-        /\bprotect(?:ed)?(?:Route)?\b/i,
-        /\bverify(?:Token|JWT|Session)\b/i,
-        /\bcheck(?:Auth|Token|Session)\b/i,
-        /\bguard\b/i,
-        /\bmiddleware\(/i,
-        /\buse\s*\(\s*auth/i
-      ];
-      const middlewareArgs = args.slice(1, -1);
-      const hasAuthMiddleware = middlewareArgs.some((arg) => {
-        const argText = arg.getText();
-        return authMiddlewarePatterns.some((p) => p.test(argText));
-      });
+      const hasAuthMiddleware = hasAuthMiddlewareArg(args);
       const lastArg = args[args.length - 1];
-      const handlerText = lastArg?.getText() || "";
-      const hasInlineAuthCheck = /headers\.authorization/i.test(handlerText) || /getToken\s*\(/i.test(handlerText) || /session\./i.test(handlerText) || /req\.user\b/i.test(handlerText) || /ctx\.(?:user|auth|session)\b/i.test(handlerText) || /throw.*(?:Unauthorized|401)/i.test(handlerText);
-      const hasAuthInFullText = authMiddlewarePatterns.some((p) => p.test(fullText));
-      const hasAuth = hasAuthMiddleware || hasInlineAuthCheck || hasAuthInFullText;
-      const publicRoutePatterns = [
-        /\/public\//i,
-        /\/health(?:check)?(?:\/|$)/i,
-        /\/(?:login|logout|signin|signout)(?:\/|$)/i,
-        /\/(?:signup|register)(?:\/|$)/i,
-        /\/(?:forgot|reset)-?password/i,
-        /\/callback(?:\/|$)/i,
-        // OAuth callbacks
-        /\/webhook(?:s)?(?:\/|$)/i,
-        // Webhooks often have their own auth
-        /\/api\/v\d+\/public\//i,
-        /\/\.well-known\//i,
-        // OpenID discovery, etc.
-        /\/robots\.txt/i,
-        /\/favicon/i,
-        /\/status(?:\/|$)/i,
-        /\/ping(?:\/|$)/i,
-        /\/version(?:\/|$)/i
-      ];
-      const isPublic = publicRoutePatterns.some((p) => p.test(fullText));
+      const inlineAuthDetected = hasInlineAuthCheck(lastArg, fullText);
+      const hasAuth = hasAuthMiddleware || inlineAuthDetected;
+      const isPublic = isPublicRoute(fullText);
       if (!hasAuth && !isPublic) {
-        let confidence = 0.4;
-        if (/\/(?:api|admin|user|account|setting|profile)/i.test(fullText)) {
-          confidence = 0.6;
-        }
-        if (/\.(post|put|patch|delete)\s*\(/i.test(expressionText)) {
-          confidence += 0.1;
-        }
+        const confidence = buildAuthConfidence(expressionText, fullText);
         return {
           ruleId: "auth/missing-check",
           severity: "medium",

package/dist/{watch-UCDVOQAH.js → watch-PNTKZYFB.js}

@@ -284,7 +284,7 @@ function validateSqlSchema(content, errors, warnings) {
 var riskDetectorLoader = null;
 function loadRiskDetectorModule() {
   if (!riskDetectorLoader) {
-    riskDetectorLoader = import('./risk-detector-BXUY2WKS.js').then((module) => ({
+    riskDetectorLoader = import('./risk-detector-4U6ZJ2G5.js').then((module) => ({
       detectSchemaRisks: module.detectSchemaRisks
     })).catch((error) => {
       riskDetectorLoader = null;