@saiteja1123/mcp-server 1.1.3 → 1.1.5

package/src/project-bindings.mjs

@@ -0,0 +1,215 @@
+import fs from 'fs/promises';
+import path from 'path';
+
+import {
+  listProjects,
+  upsertProject,
+  normalizeLockedRoot,
+  verifyInstallBinding,
+} from './api-scan.mjs';
+import { createLock, isRuntimeCompatibleLock } from './lock.mjs';
+
+const bindingCache = new Map();
+let projectsCache = { at: 0, projects: [] };
+const PROJECTS_CACHE_MS = 30_000;
+
+function cacheKey(normalizedRoot) {
+  return normalizeLockedRoot(normalizedRoot);
+}
+
+export function findProjectForPath(projects, targetPath) {
+  const norm = normalizeLockedRoot(targetPath);
+  if (!norm) return null;
+  let best = null;
+  let bestLen = -1;
+  for (const project of projects) {
+    const hint = normalizeLockedRoot(project.lockedRootHint || '');
+    if (!hint) continue;
+    if (norm === hint || norm.startsWith(`${hint}/`)) {
+      if (hint.length > bestLen) {
+        best = project;
+        bestLen = hint.length;
+      }
+    }
+  }
+  return best;
+}
+
+export async function inferProjectRoot(targetPath) {
+  let dir = path.resolve(targetPath);
+  try {
+    const stat = await fs.stat(dir);
+    if (stat.isFile()) dir = path.dirname(dir);
+  } catch {
+    dir = path.resolve(targetPath);
+  }
+
+  let current = dir;
+  for (let depth = 0; depth < 24; depth += 1) {
+    try {
+      await fs.access(path.join(current, '.git'));
+      return current;
+    } catch {
+      // continue walking up
+    }
+    const parent = path.dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+  return dir;
+}
+
+async function refreshProjects(authToken) {
+  const now = Date.now();
+  if (now - projectsCache.at < PROJECTS_CACHE_MS && projectsCache.projects.length) {
+    return projectsCache.projects;
+  }
+  const res = await listProjects({ authToken });
+  if (!res.ok || !res.json?.success) {
+    throw new Error(res.json?.error || res.error || 'Unable to list projects');
+  }
+  projectsCache = {
+    at: now,
+    projects: res.json.data?.projects || [],
+  };
+  return projectsCache.projects;
+}
+
+export function invalidateProjectsListCache() {
+  projectsCache = { at: 0, projects: [] };
+}
+
+async function writeServerLock(projectRoot, { installToken, lockedRootHash, account = 'server' }) {
+  await createLock({
+    rootPath: projectRoot,
+    account,
+    installToken,
+    lockedRootHash,
+    source: 'server',
+  });
+}
+
+/**
+ * Register or refresh a project binding and cache install credentials for scans.
+ */
+export async function ensureProjectBinding({
+  lockedRootPath,
+  name,
+  projectId,
+  authToken,
+  apiBase,
+} = {}) {
+  const resolvedRoot = path.resolve(lockedRootPath);
+  const res = await upsertProject({
+    lockedRootPath: resolvedRoot,
+    name,
+    projectId,
+    authToken,
+  });
+  if (!res.ok || !res.json?.success) {
+    return {
+      ok: false,
+      code: 'PROJECT_UPSERT_FAILED',
+      message: res.json?.error || res.error || `Project upsert failed (${res.status || 'unknown'})`,
+    };
+  }
+
+  const bind = res.json.data?.bind || {};
+  const project = res.json.data?.project || {};
+  const installToken = bind.installToken;
+  const lockedRootHash = bind.lockedRootHash;
+  if (!installToken || !lockedRootHash) {
+    return { ok: false, code: 'PROJECT_BIND_INCOMPLETE', message: 'Server did not return install credentials' };
+  }
+
+  await writeServerLock(resolvedRoot, { installToken, lockedRootHash });
+  const verify = await verifyInstallBinding({ installToken, lockedRootHash, apiBase });
+  if (!verify.ok || !verify.json?.success) {
+    return {
+      ok: false,
+      code: verify.json?.code || 'SERVER_BINDING_INVALID',
+      message: verify.json?.error || verify.error || 'Unable to verify project binding',
+    };
+  }
+
+  const entry = {
+    projectRoot: resolvedRoot,
+    normalizedRoot: normalizeLockedRoot(resolvedRoot),
+    installToken,
+    lockedRootHash,
+    projectHash: bind.projectHash || project.projectHash || null,
+    projectId: project.id || bind.projectId || null,
+    lock: {
+      source: 'server',
+      installToken,
+      lockedRootHash,
+      rootHash: lockedRootHash,
+      boundRoot: resolvedRoot,
+    },
+  };
+  bindingCache.set(cacheKey(resolvedRoot), entry);
+  projectsCache.at = 0;
+  return { ok: true, ...entry, action: res.json.data?.action || 'upserted' };
+}
+
+/**
+ * Resolve install credentials for a scan path in universal (account-wide) mode.
+ * Creates or updates the project when no matching binding exists.
+ */
+export async function resolveBindingForScanPath({
+  requestedPath,
+  authToken,
+  apiBase,
+  autoUpsert = true,
+} = {}) {
+  const target = path.resolve(requestedPath);
+  const cached = [...bindingCache.values()].find((entry) => {
+    const root = path.resolve(entry.projectRoot);
+    return target.startsWith(root + path.sep) || target === root;
+  });
+  if (cached) return { ok: true, ...cached, resolvedRoot: target };
+
+  let projects = [];
+  try {
+    projects = await refreshProjects(authToken);
+  } catch (err) {
+    if (!autoUpsert) {
+      return { ok: false, code: 'PROJECT_LIST_FAILED', message: err.message };
+    }
+  }
+
+  const matched = findProjectForPath(projects, target);
+  if (matched?.lockedRootHint) {
+    return ensureProjectBinding({
+      lockedRootPath: matched.lockedRootHint,
+      projectId: matched.id,
+      authToken,
+      apiBase,
+    });
+  }
+
+  if (!autoUpsert) {
+    return {
+      ok: false,
+      code: 'PROJECT_NOT_REGISTERED',
+      message:
+        `No project registered for "${target}". ` +
+        'Run projectUpsert with the codebase root before scanning.',
+    };
+  }
+
+  const inferredRoot = await inferProjectRoot(target);
+  return ensureProjectBinding({
+    lockedRootPath: inferredRoot,
+    authToken,
+    apiBase,
+  });
+}
+
+export function getCachedBinding(projectRoot) {
+  return bindingCache.get(cacheKey(projectRoot)) || null;
+}
+
+export function isRuntimeCompatibleBinding(lock) {
+  return isRuntimeCompatibleLock(lock);
+}

package/src/rule-engine/index.js

@@ -1,9 +1,10 @@
 /**
  * rule-engine/index.js
  * Bundled inline - no external @vibesecur/rule-engine dep needed.
- * This allows `npx @vibesecur/mcp-server` to work standalone.
+ * This allows `npx @saiteja1123/mcp-server` to work standalone.
  */
 export { JS_RULES, PY_RULES, CHECKLIST } from './rules.js';
+export { getRuleEngineMetadata } from './metadata.js';
+export { calculateScore, getGrade, getVerdict } from './score.js';
 export { localScan } from './localScan.js';
 export { buildClaudePrompt } from './prompt.js';
-export { calculateScore, getGrade, getVerdict } from './score.js';

package/src/rule-engine/localScan.js

@@ -1,7 +1,9 @@
 import crypto from 'crypto';
 import { JS_RULES, PY_RULES, CHECKLIST } from './rules.js';
 import { calculateScore, getGrade, getVerdict } from './score.js';
+import { getRuleEngineMetadata } from './metadata.js';
 
+// ── Main Local Scan ──────────────────────────────────────────────────────────
 export function localScan(code, lang = 'js') {
   const rules = lang === 'py'
     ? PY_RULES
@@ -10,34 +12,60 @@ export function localScan(code, lang = 'js') {
       : JS_RULES;
 
   const findings = [];
+  const lines = code.split('\n');
 
   for (const rule of rules) {
     const matches = [...code.matchAll(rule.re)];
     for (const match of matches) {
-      if (rule.id === 'A003' && /expiresIn|['"]exp['"]|,\s*exp\s*:/.test(match[0])) continue;
+      // A003 can over-match valid jwt.sign() calls. Skip when expiry is present.
+      if (rule.id === 'A003') {
+        const matchedCall = String(match[0] || '');
+        if (/expiresIn\s*:|exp\s*:/i.test(matchedCall)) {
+          continue;
+        }
+      }
 
       const lineNumber = code.substring(0, match.index).split('\n').length;
+
+      if (rule.cat === 'XSS' || rule.cat === 'Path Traversal' || rule.cat === 'SSRF') {
+        const matchedLine = (lines[lineNumber - 1] || '').trimStart();
+        if (matchedLine.startsWith('//') || matchedLine.startsWith('*') || matchedLine.startsWith('/*')) {
+          continue;
+        }
+      }
+
+      if (rule.cat === 'Path Traversal') {
+        const matchedLine = lines[lineNumber - 1] || '';
+        if (rule.id === 'PT002' && /\bres\.sendFile\s*\(/.test(matchedLine)) {
+          continue;
+        }
+        if (rule.id === 'PT004' && /\bpath\.normalize\s*\(/.test(matchedLine)) {
+          continue;
+        }
+      }
       const snippet = match[0].substring(0, 80) + (match[0].length > 80 ? '...' : '');
       findings.push({
-        ruleId: rule.id,
-        ruleName: rule.name,
-        severity: rule.sev,
-        category: rule.cat,
+        ruleId:      rule.id,
+        ruleName:    rule.name,
+        severity:    rule.sev,
+        category:    rule.cat,
         lineNumber,
+        endLineNumber: lineNumber,
         snippet,
-        fix: rule.fix,
+        snippetPreview: snippet,
+        fix:         rule.fix,
       });
     }
   }
 
-  const score = calculateScore(findings);
-  const grade = getGrade(score);
-  const verdict = getVerdict(score);
-  const codeHash = crypto.createHash('sha256').update(code).digest('hex');
+  const score     = calculateScore(findings);
+  const grade     = getGrade(score);
+  const verdict   = getVerdict(score);
+  const codeHash  = crypto.createHash('sha256').update(code).digest('hex');
 
-  const checklist = CHECKLIST.map((cl) => ({
+  const checklist = CHECKLIST.map(cl => ({
     ...cl,
-    pass: !cl.ruleIds.some((rid) => findings.find((f) => f.ruleId === rid)),
+    pass: !cl.ruleIds.some(rid => findings.find(f => f.ruleId === rid)),
   }));
 
   return {
@@ -49,6 +77,7 @@ export function localScan(code, lang = 'js') {
     codeHash,
     linesAnalysed: code.split('\n').length,
     engine: 'local',
+    engineMetadata: getRuleEngineMetadata('mcp-bundled'),
     summary: `Local engine found ${findings.length} issue${findings.length !== 1 ? 's' : ''}. ${
       findings.length === 0
         ? 'No common vibe coding vulnerabilities detected.'

package/src/rule-engine/metadata.js

@@ -0,0 +1,20 @@
+import { CHECKLIST, JS_RULES, PY_RULES } from './rules.js';
+
+export const RULE_ENGINE_NAME = 'vibesecur-rule-engine';
+export const RULE_ENGINE_PACKAGE = '@saiteja1123/rule-engine';
+export const RULE_ENGINE_VERSION = '1.0.1';
+
+export function getRuleEngineMetadata(surface = 'mcp-bundled') {
+  return {
+    name: RULE_ENGINE_NAME,
+    packageName: RULE_ENGINE_PACKAGE,
+    version: RULE_ENGINE_VERSION,
+    surface,
+    counts: {
+      javascript: JS_RULES.length,
+      python: PY_RULES.length,
+      deterministic: JS_RULES.length + PY_RULES.length,
+      checklist: CHECKLIST.length,
+    },
+  };
+}

package/src/rule-engine/prompt.js

@@ -1,11 +1,12 @@
+// ── Claude AI Prompt Builder ─────────────────────────────────────────────────
 export function buildClaudePrompt(code, platform, mode, lang) {
   const isSupabase = mode === 'supabase' || code.toLowerCase().includes('supabase');
-  const isPython = lang === 'py' || code.includes('import os') || code.includes('def ');
-  const deepMode = mode === 'deep' ? 'DEEP MODE: find subtle and complex issues.' : '';
-  const sbMode = isSupabase ? 'Focus especially on Supabase RLS policies and service key exposure.' : '';
+  const isPython   = lang === 'py' || code.includes('import os') || code.includes('def ');
+  const deepMode   = mode === 'deep' ? 'DEEP MODE: find subtle and complex issues.' : '';
+  const sbMode     = isSupabase ? 'Focus especially on Supabase RLS policies and service key exposure.' : '';
 
   return `You are Vibesecur, an expert AI security scanner for AI-generated code. Analyse this ${lang.toUpperCase()} code from ${platform}.
-Return ONLY valid JSON - no markdown, no explanation, no backticks.
+Return ONLY valid JSON — no markdown, no explanation, no backticks.
 
 \`\`\`${lang}
 ${code.substring(0, 8000)}
@@ -24,7 +25,7 @@ Return exactly this JSON structure:
       "severity": "<critical|high|medium|low>",
       "lineNumber": <integer or null>,
       "category": "<Secrets|Auth|Injection|CORS|RLS|Exposure|Python|SSRF>",
-      "description": "<what was found - be specific>",
+      "description": "<what was found — be specific>",
       "fix": "<exact actionable code fix>"
     }
   ],

package/src/rule-engine/rules.js

@@ -1,51 +1,79 @@
+// ── Rule Definitions ────────────────────────────────────────────────────────
 export const JS_RULES = [
-  { id: 'S001', name: 'Hardcoded API Key', sev: 'critical', re: /api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9_\-]{16,}['"]/gi, fix: 'Move to .env: process.env.API_KEY', cat: 'Secrets' },
-  { id: 'S002', name: 'Hardcoded Password', sev: 'critical', re: /password\s*[:=]\s*['"][^'"]{4,}['"]/gi, fix: 'Use env var: process.env.PASSWORD', cat: 'Secrets' },
-  { id: 'S003', name: 'JWT Secret Hardcoded', sev: 'critical', re: /jwt[_-]?secret\s*[:=]\s*['"][^'"]{6,}['"]/gi, fix: 'Move to .env: JWT_SECRET=...', cat: 'Secrets' },
-  { id: 'S004', name: 'Database URL Exposed', sev: 'critical', re: /(mongodb|mysql|postgres|supabase):\/\/[^\s'"]{8,}/gi, fix: 'Move to .env: DATABASE_URL=...', cat: 'Secrets' },
-  { id: 'S005', name: 'AWS Access Key', sev: 'critical', re: /AKIA[0-9A-Z]{16}/g, fix: 'Rotate immediately. Use IAM roles.', cat: 'Secrets' },
-  { id: 'S006', name: 'Stripe Key Exposed', sev: 'critical', re: /(sk_live|sk_test)_[a-zA-Z0-9]{20,}/g, fix: 'Move to .env: STRIPE_SECRET_KEY=...', cat: 'Secrets' },
-  { id: 'S007', name: 'Private Key in Code', sev: 'critical', re: /-----BEGIN[A-Z ]*PRIVATE KEY-----/g, fix: 'Never commit private keys. Use a secrets manager.', cat: 'Secrets' },
-  { id: 'A001', name: 'MD5 Password Hashing', sev: 'critical', re: /md5\s*\(/gi, fix: 'Use bcrypt: await bcrypt.hash(password, 12)', cat: 'Auth' },
-  { id: 'A002', name: 'SHA1 Password Hashing', sev: 'critical', re: /sha1\s*\(/gi, fix: 'Use bcrypt or argon2 for passwords', cat: 'Auth' },
-  { id: 'A003', name: 'JWT Without Expiry', sev: 'critical', re: /jwt\.sign\s*\([^)]{0,200}\)/g, fix: 'Add: { expiresIn: "1h" }', cat: 'Auth' },
-  { id: 'A004', name: 'eval() Usage', sev: 'critical', re: /\beval\s*\(/g, fix: 'Never use eval() - arbitrary code execution', cat: 'Injection' },
-  { id: 'A005', name: 'SQL Injection Risk', sev: 'critical', re: /(SELECT|INSERT|UPDATE|DELETE)[^;`]{0,120}(\+\s*(req\.|user\.)|\$\{(req\.|user\.))/gi, fix: 'Use parameterized queries: db.query("?", [val])', cat: 'Injection' },
-  { id: 'A006', name: 'Wildcard CORS', sev: 'critical', re: /origin\s*:\s*['"]\*['"]/gi, fix: 'cors({ origin: process.env.ALLOWED_ORIGIN })', cat: 'CORS' },
-  { id: 'A007', name: 'Missing Rate Limit', sev: 'high', re: /app\.(post|put)\s*\(['"]\/(login|auth|register)/gi, fix: 'Add rateLimit({ windowMs:900000, max:5 }) middleware', cat: 'Auth' },
-  { id: 'RLS1', name: 'Supabase - Missing RLS', sev: 'critical', re: /supabase\.from\(['"`][^'"`]+['"`]\)\.(select|insert|update|delete)/gi, fix: 'ENABLE ROW LEVEL SECURITY on this table', cat: 'RLS' },
-  { id: 'RLS2', name: 'Supabase Service Key FE', sev: 'critical', re: /service_role|supabase_service/gi, fix: 'Service key must be server-side only - never in browser', cat: 'RLS' },
-  { id: 'RLS3', name: 'Firebase Open Rules', sev: 'critical', re: /allow read, write:\s*if true/gi, fix: 'Restrict: allow read if request.auth != null', cat: 'RLS' },
-  { id: 'E001', name: 'Credentials in Logs', sev: 'high', re: /console\.log\(.*?(password|token|secret|key)/gi, fix: 'Remove console.log with sensitive data', cat: 'Exposure' },
-  { id: 'E002', name: 'Debug Mode On', sev: 'high', re: /debug\s*[:=]\s*true/gi, fix: 'Set debug: false in production', cat: 'Exposure' },
-  { id: 'E003', name: 'Stack Trace Exposed', sev: 'high', re: /res\.(send|json)\(.*?err\.(stack|message)/gi, fix: 'return { error: "Server error" } only', cat: 'Exposure' },
-  { id: 'E004', name: 'TODO Security Note', sev: 'medium', re: /\/\/\s*(TODO|FIXME).*?(auth|security|password|token)/gi, fix: 'Resolve all security TODOs before deploy', cat: 'Exposure' },
-  { id: 'E005', name: 'Sensitive GET Params', sev: 'medium', re: /\?.*?(token|password|secret|key)=/gi, fix: 'Use POST body - never sensitive data in URL params', cat: 'Exposure' },
+  // Secrets
+  { id:'S001', name:'Hardcoded API Key',        sev:'critical', re:/api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9_\-]{16,}['"]/gi,           fix:'Move to .env: process.env.API_KEY',                   cat:'Secrets' },
+  { id:'S002', name:'Hardcoded Password',       sev:'critical', re:/password\s*[:=]\s*['"][^'"]{4,}['"]/gi,                          fix:'Use env var: process.env.PASSWORD',                   cat:'Secrets' },
+  { id:'S003', name:'JWT Secret Hardcoded',     sev:'critical', re:/jwt[_-]?secret\s*[:=]\s*['"][^'"]{6,}['"]/gi,                   fix:'Move to .env: JWT_SECRET=...',                        cat:'Secrets' },
+  { id:'S004', name:'Database URL Exposed',     sev:'critical', re:/(mongodb|mysql|postgres|supabase):\/\/[^\s'"]{8,}/gi,            fix:'Move to .env: DATABASE_URL=...',                      cat:'Secrets' },
+  { id:'S005', name:'AWS Access Key',           sev:'critical', re:/AKIA[0-9A-Z]{16}/g,                                             fix:'Rotate immediately. Use IAM roles.',                  cat:'Secrets' },
+  { id:'S006', name:'Stripe Key Exposed',       sev:'critical', re:/(sk_live|sk_test)_[a-zA-Z0-9]{20,}/g,                           fix:'Move to .env: STRIPE_SECRET_KEY=...',                 cat:'Secrets' },
+  { id:'S007', name:'Private Key in Code',      sev:'critical', re:/-----BEGIN[A-Z ]*PRIVATE KEY-----/g,                            fix:'Never commit private keys. Use a secrets manager.',   cat:'Secrets' },
+  { id:'S008', name:'Stripe Key via Concatenation', sev:'critical', re:/\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*['"`]sk_(?:live|test)_['"`]\s*;[\s\S]{0,240}?\b[A-Za-z_$][\w$]*\s*=\s*\1\s*\+\s*[A-Za-z_$][\w$]*/g, fix:'Do not split secrets in source. Move the full Stripe key to server-side environment storage.', cat:'Secrets' },
+  // Auth
+  { id:'A001', name:'MD5 Password Hashing',     sev:'critical', re:/md5\s*\(/gi,                                                    fix:'Use bcrypt: await bcrypt.hash(password, 12)',          cat:'Auth'    },
+  { id:'A002', name:'SHA1 Password Hashing',    sev:'critical', re:/sha1\s*\(/gi,                                                   fix:'Use bcrypt or argon2 for passwords',                  cat:'Auth'    },
+  { id:'A003', name:'JWT Without Expiry',       sev:'critical', re:/jwt\.sign\s*\([^)]{0,200}\)/g,                                  fix:'Add: { expiresIn: "1h" }',                            cat:'Auth'    },
+  { id:'A004', name:'eval() Usage',             sev:'critical', re:/\beval\s*\(/g,                                                  fix:'Never use eval() — arbitrary code execution',         cat:'Injection'},
+  { id:'A005', name:'SQL Injection Risk',       sev:'critical', re:/(SELECT|INSERT|UPDATE|DELETE)[^;]{0,140}(\+\s*(req\.|user\.)|\$\{\s*(req|user)\.)/gi,  fix:'Use parameterized queries: db.query("?", [val])',      cat:'Injection'},
+  { id:'A006', name:'Wildcard CORS',            sev:'critical', re:/origin\s*:\s*['"]\*['"]/gi,                                     fix:'cors({ origin: process.env.ALLOWED_ORIGIN })',        cat:'CORS'    },
+  { id:'A007', name:'Missing Rate Limit',       sev:'high',     re:/app\.(post|put)\s*\(['"]\/(login|auth|register)/gi,             fix:'Add rateLimit({ windowMs:900000, max:5 }) middleware', cat:'Auth'    },
+  { id:'A013', name:'eval via concatenated name', sev:'critical', re:/\b(?:window|globalThis|global)\s*\[\s*[A-Za-z_$][\w$]*\s*\+\s*[A-Za-z_$][\w$]*\s*\]/g, fix:'Never invoke dynamic globals built from strings; use explicit allowlisted functions.', cat:'Injection'},
+  { id:'A014', name:'SQL keyword via concatenation', sev:'critical', re:/['"`]SEL['"`]\s*\+\s*['"`]ECT['"`]/gi, fix:'Avoid assembling SQL keywords or queries through string concatenation; use parameterized query builders.', cat:'Injection'},
+  // RLS / Firebase
+  { id:'RLS1', name:'Supabase — Missing RLS',   sev:'critical', re:/supabase\.from\(['"`][^'"`]+['"`]\)\.(select|insert|update|delete)/gi, fix:'ENABLE ROW LEVEL SECURITY on this table',     cat:'RLS'     },
+  { id:'RLS2', name:'Supabase Service Key FE',  sev:'critical', re:/service_role|supabase_service/gi,                              fix:'Service key must be server-side only — never in browser',cat:'RLS'  },
+  { id:'RLS3', name:'Firebase Open Rules',      sev:'critical', re:/allow read, write:\s*if true/gi,                               fix:'Restrict: allow read if request.auth != null',         cat:'RLS'     },
+  // Exposure
+  { id:'E001', name:'Credentials in Logs',      sev:'high',     re:/console\.log\(.*?(password|token|secret|key)/gi,               fix:'Remove console.log with sensitive data',               cat:'Exposure'},
+  { id:'E002', name:'Debug Mode On',            sev:'high',     re:/debug\s*[:=]\s*true/gi,                                         fix:'Set debug: false in production',                      cat:'Exposure'},
+  { id:'E003', name:'Stack Trace Exposed',      sev:'high',     re:/res\.(send|json)\(.*?err\.(stack|message)/gi,                   fix:'return { error: "Server error" } only',               cat:'Exposure'},
+  { id:'E004', name:'TODO Security Note',       sev:'medium',   re:/\/\/\s*(TODO|FIXME).*?(auth|security|password|token)/gi,       fix:'Resolve all security TODOs before deploy',            cat:'Exposure'},
+  { id:'E005', name:'Sensitive GET Params',     sev:'medium',   re:/\?.*?(token|password|secret|key)=/gi,                          fix:'Use POST body — never sensitive data in URL params',   cat:'Exposure'},
+  // XSS / DOM injection
+  { id:'XSS01', name:'innerHTML/outerHTML Assignment', sev:'high', re:/\.(innerHTML|outerHTML)\s*[+]?=/g, fix:'Use textContent or a sanitization library (DOMPurify) instead of innerHTML', cat:'XSS'},
+  { id:'XSS02', name:'document.write Usage', sev:'high', re:/document\.write(?:ln)?\s*\(/g, fix:'Never use document.write; use DOM APIs (createElement, appendChild)', cat:'XSS'},
+  { id:'XSS03', name:'dangerouslySetInnerHTML', sev:'high', re:/dangerouslySetInnerHTML/g, fix:'Sanitize HTML with DOMPurify before using dangerouslySetInnerHTML', cat:'XSS'},
+  { id:'XSS04', name:'jQuery .html() Injection', sev:'medium', re:/\.html\s*\(\s*[^)]+\)/g, fix:'Use .text() for user data, or sanitize before .html()', cat:'XSS'},
+  { id:'XSS05', name:'insertAdjacentHTML Usage', sev:'high', re:/\.insertAdjacentHTML\s*\(/g, fix:'Sanitize HTML content before insertAdjacentHTML, or use insertAdjacentText', cat:'XSS'},
+  // Path Traversal
+  { id:'PT001', name:'fs.readFile with Request Path', sev:'critical', re:/\bfs(?:\.promises)?\.(?:readFile|readFileSync)\s*\(\s*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$]*/g, fix:'Validate file names against an allowlist and resolve inside a fixed root before reading', cat:'Path Traversal'},
+  { id:'PT002', name:'path.join/resolve with Request Path', sev:'high', re:/\bpath\.(?:join|resolve)\s*\([^)]*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$][^)]*\)/g, fix:'Use a fixed root plus allowlisted or basename-normalized file names', cat:'Path Traversal'},
+  { id:'PT003', name:'sendFile with Request Path', sev:'high', re:/\bres\.sendFile\s*\(\s*path\.(?:join|resolve)\s*\([^)]*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$][^)]*\)/g, fix:'Serve only allowlisted files from a configured root directory', cat:'Path Traversal'},
+  { id:'PT004', name:'Archive Extraction Path Join', sev:'high', re:/\bpath\.(?:join|resolve)\s*\([^)]*\b(?:entry|file|zipEntry|archiveEntry)\.(?:path|fileName|filename|name)\b[^)]*\)/g, fix:'Normalize extraction targets and reject paths outside the destination root', cat:'Path Traversal'},
+  // SSRF
+  { id:'SSRF01', name:'fetch with Request URL', sev:'high', re:/\bfetch\s*\(\s*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$]*/g, fix:'Validate URL host against an allowlist before fetching', cat:'SSRF'},
+  { id:'SSRF02', name:'HTTP Client with Request URL', sev:'high', re:/\b(?:axios\.(?:get|post|put|patch|delete|request)|got|request(?:\.(?:get|post|put|patch|delete))?)\s*\(\s*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$]*/g, fix:'Allowlist destination hosts before making outbound HTTP requests', cat:'SSRF'},
+  { id:'SSRF03', name:'http/https Request with Request URL', sev:'high', re:/\bhttps?\.(?:get|request)\s*\(\s*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$]*/g, fix:'Allowlist destination hosts before making server-side HTTP requests', cat:'SSRF'},
+  { id:'SSRF04', name:'URL Constructor with Request Input', sev:'medium', re:/\bnew\s+URL\s*\(\s*(?:req|request)\.(?:query|params|body)\.[A-Za-z_$][\w$]*/g, fix:'Validate URL host and protocol immediately after construction', cat:'SSRF'},
+  { id:'SSRF05', name:'Cloud Metadata Endpoint Request', sev:'critical', re:/\b(?:fetch|got|request|axios\.(?:get|post|put|patch|delete|request)|https?\.(?:get|request))\s*\(\s*['"`]https?:\/\/(?:169\.254\.169\.254|metadata\.google\.internal)\b/g, fix:'Block cloud metadata endpoints and private network targets from server-side fetches', cat:'SSRF'},
 ];
 
 export const PY_RULES = [
-  { id: 'P001', name: 'Python eval()', sev: 'critical', re: /\beval\s*\(/g, fix: 'Never use eval() - arbitrary code execution', cat: 'Injection' },
-  { id: 'P002', name: 'Python pickle.loads()', sev: 'critical', re: /pickle\.loads?\s*\(/g, fix: 'Never unpickle untrusted data - use JSON', cat: 'Injection' },
-  { id: 'P003', name: 'Python SQL Concatenation', sev: 'critical', re: /cursor\.execute\s*\([^)]*%\s*|f"SELECT.*\{/gi, fix: 'Use parameterized queries: cursor.execute("?", (v,))', cat: 'Injection' },
-  { id: 'P004', name: 'Python Hardcoded Secret', sev: 'critical', re: /(password|api_key|secret|token)\s*=\s*['"][^'"]{6,}['"]/gi, fix: 'Use os.environ.get("SECRET")', cat: 'Secrets' },
-  { id: 'P005', name: 'Python subprocess shell', sev: 'high', re: /subprocess\.[^(]+\([^)]*shell\s*=\s*True/gi, fix: 'Avoid shell=True - use list args', cat: 'Injection' },
-  { id: 'P006', name: 'Python MD5 Passwords', sev: 'critical', re: /hashlib\.(md5|sha1)/gi, fix: 'Use bcrypt or argon2-cffi for passwords', cat: 'Auth' },
-  { id: 'P007', name: 'Python DEBUG=True', sev: 'high', re: /DEBUG\s*=\s*True/g, fix: 'Set DEBUG=False in production settings', cat: 'Exposure' },
-  { id: 'P008', name: 'Python Open Redirect', sev: 'medium', re: /redirect\s*\([^)]*request\.(args|form|params)/gi, fix: 'Validate redirect URLs against allowlist', cat: 'Auth' },
-  { id: 'P009', name: 'Python SSRF Risk', sev: 'high', re: /requests\.(get|post)\s*\([^)]*request\./gi, fix: 'Validate and allowlist URLs before fetching', cat: 'SSRF' },
+  { id:'P001', name:'Python eval()',            sev:'critical', re:/\beval\s*\(/g,                                                   fix:'Never use eval() — arbitrary code execution',         cat:'Injection'},
+  { id:'P002', name:'Python pickle.loads()',    sev:'critical', re:/pickle\.loads?\s*\(/g,                                          fix:'Never unpickle untrusted data — use JSON',            cat:'Injection'},
+  { id:'P003', name:'Python SQL Concatenation', sev:'critical', re:/cursor\.execute\s*\([^)]*%\s*|f"SELECT.*\{/gi,                  fix:'Use parameterized queries: cursor.execute("?", (v,))', cat:'Injection'},
+  { id:'P004', name:'Python Hardcoded Secret',  sev:'critical', re:/(password|api_key|secret|token)\s*=\s*['"][^'"]{6,}['"]/gi,    fix:'Use os.environ.get("SECRET")',                        cat:'Secrets' },
+  { id:'P005', name:'Python subprocess shell',  sev:'high',     re:/subprocess\.[^(]+\([^)]*shell\s*=\s*True/gi,                   fix:'Avoid shell=True — use list args',                    cat:'Injection'},
+  { id:'P006', name:'Python MD5 Passwords',     sev:'critical', re:/hashlib\.(md5|sha1)/gi,                                         fix:'Use bcrypt or argon2-cffi for passwords',             cat:'Auth'    },
+  { id:'P007', name:'Python DEBUG=True',        sev:'high',     re:/DEBUG\s*=\s*True/g,                                             fix:'Set DEBUG=False in production settings',              cat:'Exposure'},
+  { id:'P008', name:'Python Open Redirect',     sev:'medium',   re:/(?:redirect\s*\([^)]*(?:request|[A-Za-z_]\w*)\.(?:args|form|params)(?:\.get\s*\([^)]*\)|\.[A-Za-z_]\w*)|([A-Za-z_]\w*)\s*=\s*(?:request|[A-Za-z_]\w*)\.(?:args|form|params)\.get\s*\([^)]*\)[\s\S]{0,240}?redirect\s*\(\s*\1\b)/gi, fix:'Validate redirect URLs against allowlist', cat:'Auth' },
+  { id:'P009', name:'Python SSRF Risk',         sev:'high',     re:/(?:([A-Za-z_]\w*)\s*=\s*(?:request|[A-Za-z_]\w*)\.(?:args|form|params)\.get\s*\([^)]*\)[\s\S]{0,240}?requests\.(?:get|post)\s*\(\s*\1\b|requests\.(?:get|post)\s*\(\s*(?:request|[A-Za-z_]\w*)\.(?:args|form|params)(?:\.get\s*\([^)]*\)|\.[A-Za-z_]\w*))/gi, fix:'Validate and allowlist URLs before fetching', cat:'SSRF' },
 ];
 
 export const CHECKLIST = [
-  { id: 'CL01', item: 'No API keys hardcoded', critical: true, ruleIds: ['S001', 'S002', 'S003', 'S005', 'S006', 'P004'] },
-  { id: 'CL02', item: '.env in .gitignore', critical: true, ruleIds: [] },
-  { id: 'CL03', item: 'bcrypt/argon2 for passwords', critical: true, ruleIds: ['A001', 'A002', 'P006'] },
-  { id: 'CL04', item: 'JWT expiry set', critical: true, ruleIds: ['A003'] },
-  { id: 'CL05', item: 'Rate limiting on auth routes', critical: true, ruleIds: ['A007'] },
-  { id: 'CL06', item: 'CORS restricted', critical: true, ruleIds: ['A006'] },
-  { id: 'CL07', item: 'No SQL injection patterns', critical: true, ruleIds: ['A005', 'P003'] },
-  { id: 'CL08', item: 'Supabase RLS enabled', critical: true, ruleIds: ['RLS1', 'RLS2'] },
-  { id: 'CL09', item: 'Firebase rules restricted', critical: false, ruleIds: ['RLS3'] },
-  { id: 'CL10', item: 'No stack traces exposed', critical: false, ruleIds: ['E003'] },
-  { id: 'CL11', item: 'eval() not used', critical: true, ruleIds: ['A004', 'P001', 'P002'] },
-  { id: 'CL12', item: 'No debug mode in production', critical: false, ruleIds: ['E002', 'P007'] },
+  { id:'CL01', item:'No API keys hardcoded',          critical:true,  ruleIds:['S001','S002','S003','S005','S006','S008','P004'] },
+  { id:'CL02', item:'.env in .gitignore',             critical:true,  ruleIds:[] },
+  { id:'CL03', item:'bcrypt/argon2 for passwords',    critical:true,  ruleIds:['A001','A002','P006'] },
+  { id:'CL04', item:'JWT expiry set',                 critical:true,  ruleIds:['A003'] },
+  { id:'CL05', item:'Rate limiting on auth routes',   critical:true,  ruleIds:['A007'] },
+  { id:'CL06', item:'CORS restricted',                critical:true,  ruleIds:['A006'] },
+  { id:'CL07', item:'No SQL injection patterns',      critical:true,  ruleIds:['A005','A014','P003'] },
+  { id:'CL08', item:'Supabase RLS enabled',           critical:true,  ruleIds:['RLS1','RLS2'] },
+  { id:'CL09', item:'Firebase rules restricted',      critical:false, ruleIds:['RLS3'] },
+  { id:'CL10', item:'No stack traces exposed',        critical:false, ruleIds:['E003'] },
+  { id:'CL11', item:'eval() not used',                critical:true,  ruleIds:['A004','A013','P001','P002'] },
+  { id:'CL12', item:'No debug mode in production',    critical:false, ruleIds:['E002','P007'] },
+  { id:'CL13', item:'No XSS / DOM injection sinks',   critical:true,  ruleIds:['XSS01','XSS02','XSS03','XSS04','XSS05'] },
+  { id:'CL14', item:'No path traversal file access',  critical:true,  ruleIds:['PT001','PT002','PT003','PT004'] },
+  { id:'CL15', item:'No obvious SSRF network sinks',  critical:true,  ruleIds:['SSRF01','SSRF02','SSRF03','SSRF04','SSRF05'] },
 ];

package/src/rule-engine/score.js

@@ -1,8 +1,9 @@
+// ── Score Calculation ────────────────────────────────────────────────────────
 export function calculateScore(findings) {
   const WEIGHTS = { critical: 20, high: 10, medium: 5, low: 2 };
   let score = 100;
   for (const f of findings) score -= (WEIGHTS[f.severity] || 2);
-  const cats = new Set(findings.map((f) => f.category));
+  const cats = new Set(findings.map(f => f.category));
   if (cats.size >= 4) score -= 5;
   return Math.max(0, Math.min(100, Math.round(score)));
 }
@@ -16,7 +17,7 @@ export function getGrade(score) {
 }
 
 export function getVerdict(score) {
-  if (score >= 80) return 'Safe to Deploy';
-  if (score >= 60) return 'Review Before Deploy';
-  return 'Critical Issues - Do Not Ship';
+  if (score >= 80) return '✅ Safe to Deploy';
+  if (score >= 60) return '⚠️ Review Before Deploy';
+  return '🚫 Critical Issues — Do Not Ship';
 }