npm - @sfdxy/mule-lint - Versions diffs - 1.19.0 → 1.21.0 - Mend

@sfdxy/mule-lint 1.19.0 → 1.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/dist/src/rules/performance/ListenerReconnectForeverRule.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import { ValidationContext, Issue } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * RES-002: Listener Reconnect-Forever
+ *
+ * HTTP listener-config elements should use reconnect-forever rather than
+ * bounded reconnect strategies. Unlike outbound connectors where bounded
+ * retries make sense, the listener is the application's entry point — if
+ * it can't bind to the port, the app should keep trying indefinitely.
+ *
+ * Real-world accelerator pattern:
+ *   <http:listener-config>
+ *     <http:listener-connection host="0.0.0.0" port="${http.port}">
+ *       <reconnection>
+ *         <reconnect-forever frequency="5000" />
+ *       </reconnection>
+ *     </http:listener-connection>
+ *   </http:listener-config>
+ */
+export declare class ListenerReconnectForeverRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "warning";
+    category: "performance";
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=ListenerReconnectForeverRule.d.ts.map

package/dist/src/rules/performance/ListenerReconnectForeverRule.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ListenerReconnectForeverRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ListenerReconnectForeverRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,4BAA6B,SAAQ,QAAQ;IACxD,EAAE,SAAa;IACf,IAAI,SAAgC;IACpC,WAAW,SAAsE;IACjF,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CA2C9D"}

package/dist/src/rules/performance/ListenerReconnectForeverRule.js ADDED Viewed

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ListenerReconnectForeverRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * RES-002: Listener Reconnect-Forever
+ *
+ * HTTP listener-config elements should use reconnect-forever rather than
+ * bounded reconnect strategies. Unlike outbound connectors where bounded
+ * retries make sense, the listener is the application's entry point — if
+ * it can't bind to the port, the app should keep trying indefinitely.
+ *
+ * Real-world accelerator pattern:
+ *   <http:listener-config>
+ *     <http:listener-connection host="0.0.0.0" port="${http.port}">
+ *       <reconnection>
+ *         <reconnect-forever frequency="5000" />
+ *       </reconnection>
+ *     </http:listener-connection>
+ *   </http:listener-config>
+ */
+class ListenerReconnectForeverRule extends BaseRule_1.BaseRule {
+    id = 'RES-002';
+    name = 'Listener Reconnect-Forever';
+    description = 'HTTP listener-config should use reconnect-forever for resilience';
+    severity = 'warning';
+    category = 'performance';
+    validate(doc, _context) {
+        const issues = [];
+        const listenerConfigs = this.select('//*[local-name()="listener-config"]', doc);
+        for (const config of listenerConfigs) {
+            const name = this.getNameAttribute(config) ?? 'HTTP Listener';
+            // Check if reconnect-forever exists anywhere inside the config
+            const hasReconnectForever = this.exists('.//*[local-name()="reconnect-forever"]', config);
+            if (hasReconnectForever) {
+                continue; // Good — has reconnect-forever
+            }
+            // Check if there's a bounded reconnect (which is suboptimal for listeners)
+            const hasBoundedReconnect = this.exists('.//*[local-name()="reconnect"]', config) ||
+                this.exists('.//*[local-name()="reconnection"]', config);
+            if (hasBoundedReconnect) {
+                issues.push(this.createIssue(config, `Listener config "${name}" uses bounded reconnect instead of reconnect-forever`, {
+                    suggestion: 'Replace <reconnect count="..." .../> with <reconnect-forever frequency="5000" /> for HTTP listeners — the app should keep trying to bind',
+                }));
+            }
+            else {
+                issues.push(this.createIssue(config, `Listener config "${name}" has no reconnection strategy`, {
+                    suggestion: 'Add <reconnection><reconnect-forever frequency="5000" /></reconnection> inside the listener-connection element',
+                }));
+            }
+        }
+        return issues;
+    }
+}
+exports.ListenerReconnectForeverRule = ListenerReconnectForeverRule;
+//# sourceMappingURL=ListenerReconnectForeverRule.js.map

package/dist/src/rules/performance/ListenerReconnectForeverRule.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ListenerReconnectForeverRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ListenerReconnectForeverRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,4BAA6B,SAAQ,mBAAQ;IACxD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,4BAA4B,CAAC;IACpC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;QAEhF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,eAAe,CAAC;YAE9D,+DAA+D;YAC/D,MAAM,mBAAmB,GAAG,IAAI,CAAC,MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;YAE1F,IAAI,mBAAmB,EAAE,CAAC;gBACxB,SAAS,CAAC,+BAA+B;YAC3C,CAAC;YAED,2EAA2E;YAC3E,MAAM,mBAAmB,GACvB,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC;gBACrD,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;YAE3D,IAAI,mBAAmB,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,oBAAoB,IAAI,uDAAuD,EAC/E;oBACE,UAAU,EACR,0IAA0I;iBAC7I,CACF,CACF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,oBAAoB,IAAI,gCAAgC,EAAE;oBACjF,UAAU,EACR,gHAAgH;iBACnH,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAlDD,oEAkDC"}

package/dist/src/rules/performance/ReconnectionStrategyRule.d.ts CHANGED Viewed

@@ -4,6 +4,15 @@ import { BaseRule } from '../base/BaseRule';
  * RES-001: Reconnection Strategy
  *
  * Connectors should have reconnection strategies configured for resilience.
+ *
+ * Enhanced to differentiate listener vs request configs:
+ * - Listeners (inbound): recommend `reconnect-forever` (service must stay alive)
+ * - Requests (outbound): recommend bounded `reconnect count="3"` (fail fast for callers)
+ *
+ * Per the Mule HTTP connector XSD, `<reconnection>` is a child element of
+ * `<http:request-connection>`, NOT a direct child of `<http:request-config>`.
+ * The rule uses a descendant search (`.//*`) to correctly resolve reconnection
+ * elements at any depth.
  */
 export declare class ReconnectionStrategyRule extends BaseRule {
     id: string;
@@ -12,5 +21,6 @@ export declare class ReconnectionStrategyRule extends BaseRule {
     severity: "warning";
     category: "performance";
     validate(doc: Document, _context: ValidationContext): Issue[];
+    private hasAnyReconnection;
 }
 //# sourceMappingURL=ReconnectionStrategyRule.d.ts.map

package/dist/src/rules/performance/ReconnectionStrategyRule.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ReconnectionStrategyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C~~;;;;GAIG~~;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA+D;IAC1E,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;~~CA2D9D~~"}
1	+ {"version":3,"file":"ReconnectionStrategyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;GAaG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA+D;IAC1E,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IAkG7D,OAAO,CAAC,kBAAkB;CAO3B"}

package/dist/src/rules/performance/ReconnectionStrategyRule.js CHANGED Viewed

@@ -6,6 +6,15 @@ const BaseRule_1 = require("../base/BaseRule");
  * RES-001: Reconnection Strategy
  *
  * Connectors should have reconnection strategies configured for resilience.
+ *
+ * Enhanced to differentiate listener vs request configs:
+ * - Listeners (inbound): recommend `reconnect-forever` (service must stay alive)
+ * - Requests (outbound): recommend bounded `reconnect count="3"` (fail fast for callers)
+ *
+ * Per the Mule HTTP connector XSD, `<reconnection>` is a child element of
+ * `<http:request-connection>`, NOT a direct child of `<http:request-config>`.
+ * The rule uses a descendant search (`.//*`) to correctly resolve reconnection
+ * elements at any depth.
  */
 class ReconnectionStrategyRule extends BaseRule_1.BaseRule {
     id = 'RES-001';
@@ -15,46 +24,70 @@ class ReconnectionStrategyRule extends BaseRule_1.BaseRule {
     category = 'performance';
     validate(doc, _context) {
         const issues = [];
-        // Specific connector configurations that benefit from reconnection strategies
-        // Using more specific patterns to avoid false positives on generic "config" elements
-        const connectorConfigs = [
+        // Listener configs (inbound) — recommend reconnect-forever
+        const listenerConfigs = [{ pattern: 'listener-config', name: 'HTTP Listener' }];
+        for (const connector of listenerConfigs) {
+            const configs = this.select(`//*[local-name()="${connector.pattern}"]`, doc);
+            for (const config of configs) {
+                const hasReconnection = this.hasAnyReconnection(config);
+                if (!hasReconnection) {
+                    const name = this.getNameAttribute(config) ?? connector.name;
+                    issues.push(this.createIssue(config, `${connector.name} config "${name}" has no reconnection strategy`, {
+                        suggestion: 'Add <reconnection><reconnect-forever frequency="5000"/></reconnection> for listener configs — the service should always attempt to reconnect',
+                    }));
+                }
+            }
+        }
+        // Request/outbound configs — recommend bounded reconnect
+        const requestConfigs = [
             { pattern: 'request-config', name: 'HTTP Request' },
-            { pattern: 'listener-config', name: 'HTTP Listener' },
             { pattern: 'jms-config', name: 'JMS' },
             { pattern: 'amqp-config', name: 'AMQP' },
             { pattern: 'sftp-config', name: 'SFTP' },
             { pattern: 'ftp-config', name: 'FTP' },
             { pattern: 'vm-config', name: 'VM' },
         ];
-        for (const connector of connectorConfigs) {
+        for (const connector of requestConfigs) {
             const configs = this.select(`//*[local-name()="${connector.pattern}"]`, doc);
             for (const config of configs) {
-                // Check for reconnection or reconnect child elements
-                const hasReconnection = this.exists('.//*[local-name()="reconnection"]', config) ||
-                    this.exists('.//*[local-name()="reconnect"]', config) ||
-                    this.exists('.//*[local-name()="reconnect-forever"]', config);
+                const hasReconnection = this.hasAnyReconnection(config);
                 if (!hasReconnection) {
                     const name = this.getNameAttribute(config) ?? connector.name;
                     issues.push(this.createIssue(config, `${connector.name} config "${name}" has no reconnection strategy`, {
-                        suggestion: 'Add <reconnection> or <reconnect-forever> for resilience',
+                        suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the connection element for outbound connectors',
                     }));
                 }
             }
         }
-        // Database configs specifically - check for db namespace
+        // Database configs — check for db namespace
         const dbConfigs = this.select('//*[local-name()="config" and starts-with(name(), "db:")]', doc);
         for (const config of dbConfigs) {
-            const hasReconnection = this.exists('.//*[local-name()="reconnection"]', config) ||
-                this.exists('.//*[local-name()="reconnect"]', config);
+            const hasReconnection = this.hasAnyReconnection(config);
             if (!hasReconnection) {
                 const name = this.getNameAttribute(config) ?? 'Database';
                 issues.push(this.createIssue(config, `Database config "${name}" has no reconnection strategy`, {
-                    suggestion: 'Add <reconnection> inside the connection element',
+                    suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the connection element',
+                }));
+            }
+        }
+        // Salesforce configs — check for sfdc-config
+        const sfdcConfigs = this.select('//*[local-name()="sfdc-config" or local-name()="config" and starts-with(name(), "salesforce:")]', doc);
+        for (const config of sfdcConfigs) {
+            const hasReconnection = this.hasAnyReconnection(config);
+            if (!hasReconnection) {
+                const name = this.getNameAttribute(config) ?? 'Salesforce';
+                issues.push(this.createIssue(config, `Salesforce config "${name}" has no reconnection strategy`, {
+                    suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the Salesforce connection element',
                 }));
             }
         }
         return issues;
     }
+    hasAnyReconnection(config) {
+        return (this.exists('.//*[local-name()="reconnection"]', config) ||
+            this.exists('.//*[local-name()="reconnect"]', config) ||
+            this.exists('.//*[local-name()="reconnect-forever"]', config));
+    }
 }
 exports.ReconnectionStrategyRule = ReconnectionStrategyRule;
 //# sourceMappingURL=ReconnectionStrategyRule.js.map

package/dist/src/rules/performance/ReconnectionStrategyRule.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ReconnectionStrategyRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C~~;;;;GAIG~~;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2DAA2D,CAAC;IAC1E,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,~~8EAA8E~~;~~QAC9E~~,~~qFAAqF;QACrF,~~MAAM,~~gBAAgB~~,GAAG;~~YACvB~~,EAAE,OAAO,EAAE,~~gBAAgB~~,EAAE,IAAI,EAAE,cAAc,~~EAAE~~;~~YACnD~~,EAAE,OAAO,EAAE,~~iBAAiB~~,EAAE,IAAI,EAAE,~~eAAe~~,EAAE;~~YACrD~~,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;SACrC,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,~~gBAAgB~~,EAAE,CAAC;~~YACzC~~,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,~~qDAAqD;gBACrD,~~MAAM,eAAe,~~GACnB~~,IAAI,CAAC,~~MAAM~~,CAAC,~~mCAAmC,EAAE,~~MAAM,CAAC~~;oBACxD~~,~~IAAI,~~CAAC~~,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC~~;~~oBACrD~~,IAAI,CAAC,~~MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;gBAEhE,IAAI,CAAC,~~eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,~~EAAE~~,~~0DAA0D~~;~~qBACvE~~,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,~~yDAAyD~~;~~QACzD~~,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,2DAA2D,EAAE,GAAG,CAAC,CAAC;QAChG,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,MAAM,eAAe,~~GACnB~~,IAAI,CAAC,MAAM,CAAC,~~mCAAmC~~,EAAE,MAAM,CAAC~~;gBACxD~~,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,~~UAAU~~,CAAC;~~gBACzD~~,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,~~oBAAoB~~,IAAI,gCAAgC,EAAE;~~oBACjF~~,UAAU,~~EAAE~~,~~kDAAkD~~;~~iBAC/D~~,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;~~AAlED~~,~~4DAkEC~~"}
1	+ {"version":3,"file":"ReconnectionStrategyRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;GAaG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2DAA2D,CAAC;IAC1E,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,2DAA2D;QAC3D,MAAM,eAAe,GAAG,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC;QAEhF,KAAK,MAAM,SAAS,IAAI,eAAe,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;gBAExD,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,EACR,8IAA8I;qBACjJ,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,MAAM,cAAc,GAAG;YACrB,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,cAAc,EAAE;YACnD,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;SACrC,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;gBAExD,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,EACR,gIAAgI;qBACnI,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,2DAA2D,EAAE,GAAG,CAAC,CAAC;QAChG,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;gBACzD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,oBAAoB,IAAI,gCAAgC,EAAE;oBACjF,UAAU,EACR,wGAAwG;iBAC3G,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6CAA6C;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAC7B,iGAAiG,EACjG,GAAG,CACJ,CAAC;QACF,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;YACjC,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC;gBAC3D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,sBAAsB,IAAI,gCAAgC,EAAE;oBACnF,UAAU,EACR,mHAAmH;iBACtH,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,MAAY;QACrC,OAAO,CACL,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC;YACrD,IAAI,CAAC,MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAC9D,CAAC;IACJ,CAAC;CACF;AAhHD,4DAgHC"}

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-007: Connector Credentials Secured
+ *
+ * Salesforce, NetSuite, Database, and other connector configurations must
+ * use `${secure::...}` (not plain `${...}`) for credential attributes.
+ *
+ * Plain property placeholders like `${sf.password}` store the value in
+ * clear text in property files.  The `${secure::...}` prefix ensures the
+ * value is read from an encrypted secure properties file.
+ *
+ * Covered connectors and attributes:
+ *   - Salesforce: username, password, securityToken, consumerKey, consumerSecret
+ *   - NetSuite: consumerKey, consumerSecret, tokenId, tokenSecret
+ *   - Database: password, user (when not using connection URL)
+ *   - HTTP Basic Auth: username, password
+ *   - SMTP: password
+ */
+export declare class ConnectorCredentialsSecuredRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "error";
+    category: "security";
+    issueType: IssueType;
+    /**
+     * Map of element local-name patterns to their sensitive attributes.
+     * We match on local-name() to be namespace-agnostic.
+     */
+    private readonly CONNECTOR_SENSITIVE_ATTRS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+    private findSensitiveAttrs;
+    private extractPropertyName;
+}
+//# sourceMappingURL=ConnectorCredentialsSecuredRule.d.ts.map

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ConnectorCredentialsSecuredRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/ConnectorCredentialsSecuredRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,+BAAgC,SAAQ,QAAQ;IAC3D,EAAE,SAAa;IACf,IAAI,SAAmC;IACvC,WAAW,SAAsE;IACjF,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CA+BxC;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA4D7D,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,mBAAmB;CAI5B"}

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js ADDED Viewed

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConnectorCredentialsSecuredRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-007: Connector Credentials Secured
+ *
+ * Salesforce, NetSuite, Database, and other connector configurations must
+ * use `${secure::...}` (not plain `${...}`) for credential attributes.
+ *
+ * Plain property placeholders like `${sf.password}` store the value in
+ * clear text in property files.  The `${secure::...}` prefix ensures the
+ * value is read from an encrypted secure properties file.
+ *
+ * Covered connectors and attributes:
+ *   - Salesforce: username, password, securityToken, consumerKey, consumerSecret
+ *   - NetSuite: consumerKey, consumerSecret, tokenId, tokenSecret
+ *   - Database: password, user (when not using connection URL)
+ *   - HTTP Basic Auth: username, password
+ *   - SMTP: password
+ */
+class ConnectorCredentialsSecuredRule extends BaseRule_1.BaseRule {
+    id = 'SEC-007';
+    name = 'Connector Credentials Secured';
+    description = 'Connector credentials must use ${secure::} property placeholders';
+    severity = 'error';
+    category = 'security';
+    issueType = 'vulnerability';
+    /**
+     * Map of element local-name patterns to their sensitive attributes.
+     * We match on local-name() to be namespace-agnostic.
+     */
+    CONNECTOR_SENSITIVE_ATTRS = {
+        // Salesforce connector
+        'sfdc-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'salesforce-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'basic-connection': [
+            'username',
+            'password',
+            'securityToken',
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        'oauth-user-pass-connection': ['consumerKey', 'consumerSecret'],
+        'oauth-jwt-connection': ['consumerKey', 'keyStorePath', 'storePassword'],
+        // NetSuite connector (token-based)
+        'token-based-authentication-connection': [
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        // Database connector
+        'derby-connection': ['password'],
+        'generic-connection': ['password'],
+        'my-sql-connection': ['password'],
+        'mssql-connection': ['password'],
+        'oracle-connection': ['password'],
+        'data-source-connection': ['password'],
+        // SMTP
+        'smtps-connection': ['password'],
+    };
+    validate(doc, _context) {
+        const issues = [];
+        const allElements = doc.getElementsByTagName('*');
+        for (let i = 0; i < allElements.length; i++) {
+            const element = allElements[i];
+            const localName = element.localName;
+            const sensitiveAttrs = this.findSensitiveAttrs(localName);
+            if (!sensitiveAttrs) {
+                continue;
+            }
+            for (const attrName of sensitiveAttrs) {
+                const value = element.getAttribute(attrName);
+                if (!value || value.trim() === '') {
+                    continue;
+                }
+                // Skip DataWeave expressions — they're computed at runtime
+                if (value.startsWith('#[')) {
+                    continue;
+                }
+                // Must use ${secure::...} — plain ${...} is not sufficient
+                if (value.includes('${') && !value.includes('${secure::')) {
+                    issues.push(this.createIssue(element, `Credential "${attrName}" uses plain property placeholder — must use \${secure::} for encryption`, {
+                        suggestion: `Replace ${value} with \${secure::${this.extractPropertyName(value)}}`,
+                    }));
+                }
+                // Hardcoded value — no placeholder at all
+                if (!value.includes('${') && !value.startsWith('#[')) {
+                    // Ignore booleans and numbers
+                    if (value === 'true' || value === 'false' || !isNaN(Number(value))) {
+                        continue;
+                    }
+                    issues.push(this.createIssue(element, `Credential "${attrName}" is hardcoded — must use \${secure::} property placeholder`, {
+                        severity: 'error',
+                        suggestion: `Use \${secure::${localName}.${attrName}} instead of the hardcoded value`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+    findSensitiveAttrs(localName) {
+        // Exact match first
+        if (this.CONNECTOR_SENSITIVE_ATTRS[localName]) {
+            return this.CONNECTOR_SENSITIVE_ATTRS[localName];
+        }
+        // Partial match for compound names
+        for (const [key, attrs] of Object.entries(this.CONNECTOR_SENSITIVE_ATTRS)) {
+            if (localName.includes(key)) {
+                return attrs;
+            }
+        }
+        return undefined;
+    }
+    extractPropertyName(placeholder) {
+        const match = /\$\{([^}]+)\}/.exec(placeholder);
+        return match ? match[1] : placeholder;
+    }
+}
+exports.ConnectorCredentialsSecuredRule = ConnectorCredentialsSecuredRule;
+//# sourceMappingURL=ConnectorCredentialsSecuredRule.js.map

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ConnectorCredentialsSecuredRule.js","sourceRoot":"","sources":["../../../../src/rules/security/ConnectorCredentialsSecuredRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,+BAAgC,SAAQ,mBAAQ;IAC3D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,+BAA+B,CAAC;IACvC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEvC;;;OAGG;IACc,yBAAyB,GAA6B;QACrE,uBAAuB;QACvB,aAAa,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QACzF,mBAAmB,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QAC/F,kBAAkB,EAAE;YAClB,UAAU;YACV,UAAU;YACV,eAAe;YACf,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,4BAA4B,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;QAC/D,sBAAsB,EAAE,CAAC,aAAa,EAAE,cAAc,EAAE,eAAe,CAAC;QACxE,mCAAmC;QACnC,uCAAuC,EAAE;YACvC,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,qBAAqB;QACrB,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,oBAAoB,EAAE,CAAC,UAAU,CAAC;QAClC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,wBAAwB,EAAE,CAAC,UAAU,CAAC;QACtC,OAAO;QACP,kBAAkB,EAAE,CAAC,UAAU,CAAC;KACjC,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YAEpC,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;gBAC7C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;oBAClC,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,0EAA0E,EACjG;wBACE,UAAU,EAAE,WAAW,KAAK,oBAAoB,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,GAAG;qBACnF,CACF,CACF,CAAC;gBACJ,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,8BAA8B;oBAC9B,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;wBACnE,SAAS;oBACX,CAAC;oBACD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,6DAA6D,EACpF;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,kBAAkB,SAAS,IAAI,QAAQ,kCAAkC;qBACtF,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,SAAiB;QAC1C,oBAAoB;QACpB,IAAI,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;QACnD,CAAC;QACD,mCAAmC;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC1E,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,mBAAmB,CAAC,WAAmB;QAC7C,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IACxC,CAAC;CACF;AA3HD,0EA2HC"}

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts CHANGED Viewed

@@ -4,6 +4,10 @@ import { BaseRule } from '../base/BaseRule';
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 export declare class HardcodedCredentialsRule extends BaseRule {
     id: string;

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C~~;;;;GAIG~~;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,~~CAU9B~~;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}
1	+ {"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAqB9B;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}

package/dist/src/rules/security/HardcodedCredentialsRule.js CHANGED Viewed

@@ -6,6 +6,10 @@ const BaseRule_1 = require("../base/BaseRule");
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
     id = 'MULE-201';
@@ -24,6 +28,17 @@ class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
         'token',
         'accessToken',
         'privateKey',
+        // Salesforce connector attrs
+        'consumerKey',
+        'consumerSecret',
+        'storePassword',
+        'tokenId',
+        'tokenSecret',
+        // NetSuite OAuth attrs
+        'tokenKey',
+        // Keystore/truststore
+        'keyPassword',
+        'keystorePassword',
     ];
     validate(doc, _context) {
         const issues = [];

package/dist/src/rules/security/HardcodedCredentialsRule.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C~~;;;;GAIG~~;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;~~KACb~~,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;~~AA3ED~~,~~4DA2EC~~"}
1	+ {"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;GAQG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;QACZ,6BAA6B;QAC7B,aAAa;QACb,gBAAgB;QAChB,eAAe;QACf,SAAS;QACT,aAAa;QACb,uBAAuB;QACvB,UAAU;QACV,sBAAsB;QACtB,aAAa;QACb,kBAAkB;KACnB,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAtFD,4DAsFC"}

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-010: Secure Properties Encryption Algorithm
+ *
+ * When `<secure-properties:config>` specifies an encryption algorithm, it
+ * should use a strong algorithm (AES, Blowfish) and not a weak or
+ * deprecated one (DES, RC2, RC4).
+ *
+ * Also validates that when secure properties are used, the `encrypt`
+ * element exists (i.e., properties are actually encrypted, not just
+ * marked as "secure" with no encryption).
+ */
+export declare class SecurePropertiesEncryptionRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "warning";
+    category: "security";
+    issueType: IssueType;
+    private readonly WEAK_ALGORITHMS;
+    private readonly STRONG_ALGORITHMS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=SecurePropertiesEncryptionRule.d.ts.map

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SecurePropertiesEncryptionRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesEncryptionRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,8BAA+B,SAAQ,QAAQ;IAC1D,EAAE,SAAa;IACf,IAAI,SAAkC;IACtC,WAAW,SAA6D;IACxE,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAmC;IACnE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAuB;IAEzD,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAsD9D"}

package/dist/src/rules/security/SecurePropertiesEncryptionRule.js ADDED Viewed

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurePropertiesEncryptionRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-010: Secure Properties Encryption Algorithm
+ *
+ * When `<secure-properties:config>` specifies an encryption algorithm, it
+ * should use a strong algorithm (AES, Blowfish) and not a weak or
+ * deprecated one (DES, RC2, RC4).
+ *
+ * Also validates that when secure properties are used, the `encrypt`
+ * element exists (i.e., properties are actually encrypted, not just
+ * marked as "secure" with no encryption).
+ */
+class SecurePropertiesEncryptionRule extends BaseRule_1.BaseRule {
+    id = 'SEC-010';
+    name = 'Secure Properties Encryption';
+    description = 'Secure properties must use strong encryption algorithms';
+    severity = 'warning';
+    category = 'security';
+    issueType = 'vulnerability';
+    WEAK_ALGORITHMS = ['DES', 'DESede', 'RC2', 'RC4'];
+    STRONG_ALGORITHMS = ['AES', 'Blowfish'];
+    validate(doc, _context) {
+        const issues = [];
+        // Match secure-properties:config or secure-configuration-properties
+        const secureConfigs = this.select('//*[local-name()="config" and contains(namespace-uri(), "secure-properties")] | ' +
+            '//*[local-name()="secure-configuration-properties"]', doc);
+        for (const config of secureConfigs) {
+            // Check for encrypt element presence
+            const encryptElements = this.select('.//*[local-name()="encrypt"]', config);
+            if (encryptElements.length === 0) {
+                const docName = this.getDocName(config) ?? 'Secure Properties Config';
+                issues.push(this.createIssue(config, `"${docName}" has no <encrypt> element — properties may not be encrypted`, {
+                    severity: 'warning',
+                    suggestion: 'Add <secure-properties:encrypt algorithm="AES" mode="CBC"/> to enable encryption',
+                }));
+                continue;
+            }
+            // Check encryption algorithm
+            for (const encrypt of encryptElements) {
+                const algorithm = this.getAttribute(encrypt, 'algorithm');
+                if (!algorithm) {
+                    continue;
+                }
+                if (this.WEAK_ALGORITHMS.includes(algorithm)) {
+                    issues.push(this.createIssue(encrypt, `Weak encryption algorithm "${algorithm}" — use ${this.STRONG_ALGORITHMS.join(' or ')} instead`, {
+                        severity: 'error',
+                        suggestion: `Replace algorithm="${algorithm}" with algorithm="AES"`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+}
+exports.SecurePropertiesEncryptionRule = SecurePropertiesEncryptionRule;
+//# sourceMappingURL=SecurePropertiesEncryptionRule.js.map

package/dist/src/rules/security/SecurePropertiesEncryptionRule.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SecurePropertiesEncryptionRule.js","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesEncryptionRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;GAUG;AACH,MAAa,8BAA+B,SAAQ,mBAAQ;IAC1D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,8BAA8B,CAAC;IACtC,WAAW,GAAG,yDAAyD,CAAC;IACxE,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAClD,iBAAiB,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEzD,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,oEAAoE;QACpE,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAC/B,kFAAkF;YAChF,qDAAqD,EACvD,GAAG,CACJ,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;YACnC,qCAAqC;YACrC,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,MAAkB,CAAC,CAAC;YAExF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,0BAA0B,CAAC;gBACtE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,IAAI,OAAO,8DAA8D,EACzE;oBACE,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,kFAAkF;iBACrF,CACF,CACF,CAAC;gBACF,SAAS;YACX,CAAC;YAED,6BAA6B;YAC7B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;gBAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,SAAS;gBACX,CAAC;gBAED,IAAI,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC7C,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,8BAA8B,SAAS,WAAW,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAC/F;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,sBAAsB,SAAS,wBAAwB;qBACpE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAjED,wEAiEC"}

package/dist/src/rules/security/SecurePropertiesKeyRule.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-008: Secure Properties Key Configuration
+ *
+ * The `<secure-properties:config>` element's `key` attribute must use a
+ * property placeholder (`${...}`) — never a hardcoded encryption key.
+ *
+ * A hardcoded key in the XML defeats the purpose of encryption because
+ * anyone with access to the source code can decrypt all secure properties.
+ * The key should be injected via a system property or environment variable
+ * at deployment time (e.g., `-Dsecure.key=...` in the Mule runtime args).
+ */
+export declare class SecurePropertiesKeyRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "error";
+    category: "security";
+    issueType: IssueType;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=SecurePropertiesKeyRule.d.ts.map

package/dist/src/rules/security/SecurePropertiesKeyRule.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SecurePropertiesKeyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesKeyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,uBAAwB,SAAQ,QAAQ;IACnD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA4D;IACvE,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAkC9D"}