@sfdxy/mule-lint 1.20.0 → 1.21.0

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConnectorCredentialsSecuredRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-007: Connector Credentials Secured
+ *
+ * Salesforce, NetSuite, Database, and other connector configurations must
+ * use `${secure::...}` (not plain `${...}`) for credential attributes.
+ *
+ * Plain property placeholders like `${sf.password}` store the value in
+ * clear text in property files.  The `${secure::...}` prefix ensures the
+ * value is read from an encrypted secure properties file.
+ *
+ * Covered connectors and attributes:
+ *   - Salesforce: username, password, securityToken, consumerKey, consumerSecret
+ *   - NetSuite: consumerKey, consumerSecret, tokenId, tokenSecret
+ *   - Database: password, user (when not using connection URL)
+ *   - HTTP Basic Auth: username, password
+ *   - SMTP: password
+ */
+class ConnectorCredentialsSecuredRule extends BaseRule_1.BaseRule {
+    id = 'SEC-007';
+    name = 'Connector Credentials Secured';
+    description = 'Connector credentials must use ${secure::} property placeholders';
+    severity = 'error';
+    category = 'security';
+    issueType = 'vulnerability';
+    /**
+     * Map of element local-name patterns to their sensitive attributes.
+     * We match on local-name() to be namespace-agnostic.
+     */
+    CONNECTOR_SENSITIVE_ATTRS = {
+        // Salesforce connector
+        'sfdc-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'salesforce-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'basic-connection': [
+            'username',
+            'password',
+            'securityToken',
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        'oauth-user-pass-connection': ['consumerKey', 'consumerSecret'],
+        'oauth-jwt-connection': ['consumerKey', 'keyStorePath', 'storePassword'],
+        // NetSuite connector (token-based)
+        'token-based-authentication-connection': [
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        // Database connector
+        'derby-connection': ['password'],
+        'generic-connection': ['password'],
+        'my-sql-connection': ['password'],
+        'mssql-connection': ['password'],
+        'oracle-connection': ['password'],
+        'data-source-connection': ['password'],
+        // SMTP
+        'smtps-connection': ['password'],
+    };
+    validate(doc, _context) {
+        const issues = [];
+        const allElements = doc.getElementsByTagName('*');
+        for (let i = 0; i < allElements.length; i++) {
+            const element = allElements[i];
+            const localName = element.localName;
+            const sensitiveAttrs = this.findSensitiveAttrs(localName);
+            if (!sensitiveAttrs) {
+                continue;
+            }
+            for (const attrName of sensitiveAttrs) {
+                const value = element.getAttribute(attrName);
+                if (!value || value.trim() === '') {
+                    continue;
+                }
+                // Skip DataWeave expressions — they're computed at runtime
+                if (value.startsWith('#[')) {
+                    continue;
+                }
+                // Must use ${secure::...} — plain ${...} is not sufficient
+                if (value.includes('${') && !value.includes('${secure::')) {
+                    issues.push(this.createIssue(element, `Credential "${attrName}" uses plain property placeholder — must use \${secure::} for encryption`, {
+                        suggestion: `Replace ${value} with \${secure::${this.extractPropertyName(value)}}`,
+                    }));
+                }
+                // Hardcoded value — no placeholder at all
+                if (!value.includes('${') && !value.startsWith('#[')) {
+                    // Ignore booleans and numbers
+                    if (value === 'true' || value === 'false' || !isNaN(Number(value))) {
+                        continue;
+                    }
+                    issues.push(this.createIssue(element, `Credential "${attrName}" is hardcoded — must use \${secure::} property placeholder`, {
+                        severity: 'error',
+                        suggestion: `Use \${secure::${localName}.${attrName}} instead of the hardcoded value`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+    findSensitiveAttrs(localName) {
+        // Exact match first
+        if (this.CONNECTOR_SENSITIVE_ATTRS[localName]) {
+            return this.CONNECTOR_SENSITIVE_ATTRS[localName];
+        }
+        // Partial match for compound names
+        for (const [key, attrs] of Object.entries(this.CONNECTOR_SENSITIVE_ATTRS)) {
+            if (localName.includes(key)) {
+                return attrs;
+            }
+        }
+        return undefined;
+    }
+    extractPropertyName(placeholder) {
+        const match = /\$\{([^}]+)\}/.exec(placeholder);
+        return match ? match[1] : placeholder;
+    }
+}
+exports.ConnectorCredentialsSecuredRule = ConnectorCredentialsSecuredRule;
+//# sourceMappingURL=ConnectorCredentialsSecuredRule.js.map

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConnectorCredentialsSecuredRule.js","sourceRoot":"","sources":["../../../../src/rules/security/ConnectorCredentialsSecuredRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,+BAAgC,SAAQ,mBAAQ;IAC3D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,+BAA+B,CAAC;IACvC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEvC;;;OAGG;IACc,yBAAyB,GAA6B;QACrE,uBAAuB;QACvB,aAAa,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QACzF,mBAAmB,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QAC/F,kBAAkB,EAAE;YAClB,UAAU;YACV,UAAU;YACV,eAAe;YACf,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,4BAA4B,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;QAC/D,sBAAsB,EAAE,CAAC,aAAa,EAAE,cAAc,EAAE,eAAe,CAAC;QACxE,mCAAmC;QACnC,uCAAuC,EAAE;YACvC,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,qBAAqB;QACrB,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,oBAAoB,EAAE,CAAC,UAAU,CAAC;QAClC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,wBAAwB,EAAE,CAAC,UAAU,CAAC;QACtC,OAAO;QACP,kBAAkB,EAAE,CAAC,UAAU,CAAC;KACjC,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YAEpC,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;gBAC7C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;oBAClC,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,0EAA0E,EACjG;wBACE,UAAU,EAAE,WAAW,KAAK,oBAAoB,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,GAAG;qBACnF,CACF,CACF,CAAC;gBACJ,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,8BAA8B;oBAC9B,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;wBACnE,SAAS;oBACX,CAAC;oBACD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,6DAA6D,EACpF;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,kBAAkB,SAAS,IAAI,QAAQ,kCAAkC;qBACtF,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,SAAiB;QAC1C,oBAAoB;QACpB,IAAI,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;QACnD,CAAC;QACD,mCAAmC;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC1E,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,mBAAmB,CAAC,WAAmB;QAC7C,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IACxC,CAAC;CACF;AA3HD,0EA2HC"}

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts

@@ -4,6 +4,10 @@ import { BaseRule } from '../base/BaseRule';
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 export declare class HardcodedCredentialsRule extends BaseRule {
     id: string;

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;GAIG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAU9B;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}
+{"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAqB9B;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}

package/dist/src/rules/security/HardcodedCredentialsRule.js

@@ -6,6 +6,10 @@ const BaseRule_1 = require("../base/BaseRule");
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
     id = 'MULE-201';
@@ -24,6 +28,17 @@ class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
         'token',
         'accessToken',
         'privateKey',
+        // Salesforce connector attrs
+        'consumerKey',
+        'consumerSecret',
+        'storePassword',
+        'tokenId',
+        'tokenSecret',
+        // NetSuite OAuth attrs
+        'tokenKey',
+        // Keystore/truststore
+        'keyPassword',
+        'keystorePassword',
     ];
     validate(doc, _context) {
         const issues = [];

package/dist/src/rules/security/HardcodedCredentialsRule.js.map

@@ -1 +1 @@
-{"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;GAIG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;KACb,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AA3ED,4DA2EC"}
+{"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;GAQG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;QACZ,6BAA6B;QAC7B,aAAa;QACb,gBAAgB;QAChB,eAAe;QACf,SAAS;QACT,aAAa;QACb,uBAAuB;QACvB,UAAU;QACV,sBAAsB;QACtB,aAAa;QACb,kBAAkB;KACnB,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAtFD,4DAsFC"}

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts

@@ -0,0 +1,25 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-010: Secure Properties Encryption Algorithm
+ *
+ * When `<secure-properties:config>` specifies an encryption algorithm, it
+ * should use a strong algorithm (AES, Blowfish) and not a weak or
+ * deprecated one (DES, RC2, RC4).
+ *
+ * Also validates that when secure properties are used, the `encrypt`
+ * element exists (i.e., properties are actually encrypted, not just
+ * marked as "secure" with no encryption).
+ */
+export declare class SecurePropertiesEncryptionRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "warning";
+    category: "security";
+    issueType: IssueType;
+    private readonly WEAK_ALGORITHMS;
+    private readonly STRONG_ALGORITHMS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=SecurePropertiesEncryptionRule.d.ts.map

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurePropertiesEncryptionRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesEncryptionRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,8BAA+B,SAAQ,QAAQ;IAC1D,EAAE,SAAa;IACf,IAAI,SAAkC;IACtC,WAAW,SAA6D;IACxE,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAmC;IACnE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAuB;IAEzD,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAsD9D"}

package/dist/src/rules/security/SecurePropertiesEncryptionRule.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurePropertiesEncryptionRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-010: Secure Properties Encryption Algorithm
+ *
+ * When `<secure-properties:config>` specifies an encryption algorithm, it
+ * should use a strong algorithm (AES, Blowfish) and not a weak or
+ * deprecated one (DES, RC2, RC4).
+ *
+ * Also validates that when secure properties are used, the `encrypt`
+ * element exists (i.e., properties are actually encrypted, not just
+ * marked as "secure" with no encryption).
+ */
+class SecurePropertiesEncryptionRule extends BaseRule_1.BaseRule {
+    id = 'SEC-010';
+    name = 'Secure Properties Encryption';
+    description = 'Secure properties must use strong encryption algorithms';
+    severity = 'warning';
+    category = 'security';
+    issueType = 'vulnerability';
+    WEAK_ALGORITHMS = ['DES', 'DESede', 'RC2', 'RC4'];
+    STRONG_ALGORITHMS = ['AES', 'Blowfish'];
+    validate(doc, _context) {
+        const issues = [];
+        // Match secure-properties:config or secure-configuration-properties
+        const secureConfigs = this.select('//*[local-name()="config" and contains(namespace-uri(), "secure-properties")] | ' +
+            '//*[local-name()="secure-configuration-properties"]', doc);
+        for (const config of secureConfigs) {
+            // Check for encrypt element presence
+            const encryptElements = this.select('.//*[local-name()="encrypt"]', config);
+            if (encryptElements.length === 0) {
+                const docName = this.getDocName(config) ?? 'Secure Properties Config';
+                issues.push(this.createIssue(config, `"${docName}" has no <encrypt> element — properties may not be encrypted`, {
+                    severity: 'warning',
+                    suggestion: 'Add <secure-properties:encrypt algorithm="AES" mode="CBC"/> to enable encryption',
+                }));
+                continue;
+            }
+            // Check encryption algorithm
+            for (const encrypt of encryptElements) {
+                const algorithm = this.getAttribute(encrypt, 'algorithm');
+                if (!algorithm) {
+                    continue;
+                }
+                if (this.WEAK_ALGORITHMS.includes(algorithm)) {
+                    issues.push(this.createIssue(encrypt, `Weak encryption algorithm "${algorithm}" — use ${this.STRONG_ALGORITHMS.join(' or ')} instead`, {
+                        severity: 'error',
+                        suggestion: `Replace algorithm="${algorithm}" with algorithm="AES"`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+}
+exports.SecurePropertiesEncryptionRule = SecurePropertiesEncryptionRule;
+//# sourceMappingURL=SecurePropertiesEncryptionRule.js.map

package/dist/src/rules/security/SecurePropertiesEncryptionRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurePropertiesEncryptionRule.js","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesEncryptionRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;GAUG;AACH,MAAa,8BAA+B,SAAQ,mBAAQ;IAC1D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,8BAA8B,CAAC;IACtC,WAAW,GAAG,yDAAyD,CAAC;IACxE,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAClD,iBAAiB,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEzD,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,oEAAoE;QACpE,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAC/B,kFAAkF;YAChF,qDAAqD,EACvD,GAAG,CACJ,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;YACnC,qCAAqC;YACrC,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,MAAkB,CAAC,CAAC;YAExF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,0BAA0B,CAAC;gBACtE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,IAAI,OAAO,8DAA8D,EACzE;oBACE,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,kFAAkF;iBACrF,CACF,CACF,CAAC;gBACF,SAAS;YACX,CAAC;YAED,6BAA6B;YAC7B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;gBAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,SAAS;gBACX,CAAC;gBAED,IAAI,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC7C,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,8BAA8B,SAAS,WAAW,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAC/F;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,sBAAsB,SAAS,wBAAwB;qBACpE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAjED,wEAiEC"}

package/dist/src/rules/security/SecurePropertiesKeyRule.d.ts

@@ -0,0 +1,23 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-008: Secure Properties Key Configuration
+ *
+ * The `<secure-properties:config>` element's `key` attribute must use a
+ * property placeholder (`${...}`) — never a hardcoded encryption key.
+ *
+ * A hardcoded key in the XML defeats the purpose of encryption because
+ * anyone with access to the source code can decrypt all secure properties.
+ * The key should be injected via a system property or environment variable
+ * at deployment time (e.g., `-Dsecure.key=...` in the Mule runtime args).
+ */
+export declare class SecurePropertiesKeyRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "error";
+    category: "security";
+    issueType: IssueType;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=SecurePropertiesKeyRule.d.ts.map

package/dist/src/rules/security/SecurePropertiesKeyRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurePropertiesKeyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesKeyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,uBAAwB,SAAQ,QAAQ;IACnD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA4D;IACvE,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAkC9D"}

package/dist/src/rules/security/SecurePropertiesKeyRule.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurePropertiesKeyRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-008: Secure Properties Key Configuration
+ *
+ * The `<secure-properties:config>` element's `key` attribute must use a
+ * property placeholder (`${...}`) — never a hardcoded encryption key.
+ *
+ * A hardcoded key in the XML defeats the purpose of encryption because
+ * anyone with access to the source code can decrypt all secure properties.
+ * The key should be injected via a system property or environment variable
+ * at deployment time (e.g., `-Dsecure.key=...` in the Mule runtime args).
+ */
+class SecurePropertiesKeyRule extends BaseRule_1.BaseRule {
+    id = 'SEC-008';
+    name = 'Secure Properties Key';
+    description = 'Secure properties encryption key must not be hardcoded';
+    severity = 'error';
+    category = 'security';
+    issueType = 'vulnerability';
+    validate(doc, _context) {
+        const issues = [];
+        // Match secure-properties:config or secure-configuration-properties
+        const secureConfigs = this.select('//*[local-name()="config" and contains(namespace-uri(), "secure-properties")] | ' +
+            '//*[local-name()="secure-configuration-properties"]', doc);
+        for (const config of secureConfigs) {
+            const key = this.getAttribute(config, 'key');
+            if (!key) {
+                continue;
+            }
+            // Key must be a property placeholder
+            if (!key.includes('${')) {
+                const docName = this.getDocName(config) ?? 'Secure Properties Config';
+                issues.push(this.createIssue(config, `"${docName}" has hardcoded encryption key — defeats the purpose of property encryption`, {
+                    suggestion: 'Use a property placeholder: key="${secure.key}" and inject via -Dsecure.key=... at runtime',
+                }));
+            }
+        }
+        return issues;
+    }
+}
+exports.SecurePropertiesKeyRule = SecurePropertiesKeyRule;
+//# sourceMappingURL=SecurePropertiesKeyRule.js.map

package/dist/src/rules/security/SecurePropertiesKeyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurePropertiesKeyRule.js","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesKeyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;GAUG;AACH,MAAa,uBAAwB,SAAQ,mBAAQ;IACnD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,wDAAwD,CAAC;IACvE,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEvC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,oEAAoE;QACpE,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAC/B,kFAAkF;YAChF,qDAAqD,EACvD,GAAG,CACJ,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;YACnC,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,SAAS;YACX,CAAC;YAED,qCAAqC;YACrC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,0BAA0B,CAAC;gBACtE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,IAAI,OAAO,6EAA6E,EACxF;oBACE,UAAU,EACR,4FAA4F;iBAC/F,CACF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AA1CD,0DA0CC"}

package/dist/src/rules/security/TlsKeystorePasswordRule.d.ts

@@ -0,0 +1,25 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-009: TLS Keystore/Truststore Passwords Secured
+ *
+ * TLS context keystore and truststore passwords must use secure property
+ * placeholders (`${secure::...}`) rather than plain-text placeholders or
+ * hardcoded values.
+ *
+ * These passwords protect the private keys and certificates used for
+ * mutual TLS (mTLS) authentication.  Leaking them enables impersonation
+ * attacks and man-in-the-middle interception.
+ */
+export declare class TlsKeystorePasswordRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "error";
+    category: "security";
+    issueType: IssueType;
+    private readonly PASSWORD_ATTRS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+    private extractPropName;
+}
+//# sourceMappingURL=TlsKeystorePasswordRule.d.ts.map

package/dist/src/rules/security/TlsKeystorePasswordRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TlsKeystorePasswordRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/TlsKeystorePasswordRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,uBAAwB,SAAQ,QAAQ;IACnD,EAAE,SAAa;IACf,IAAI,SAAmC;IACvC,WAAW,SAAyE;IACpF,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA+B;IAE9D,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IAoD7D,OAAO,CAAC,eAAe;CAIxB"}

package/dist/src/rules/security/TlsKeystorePasswordRule.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TlsKeystorePasswordRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-009: TLS Keystore/Truststore Passwords Secured
+ *
+ * TLS context keystore and truststore passwords must use secure property
+ * placeholders (`${secure::...}`) rather than plain-text placeholders or
+ * hardcoded values.
+ *
+ * These passwords protect the private keys and certificates used for
+ * mutual TLS (mTLS) authentication.  Leaking them enables impersonation
+ * attacks and man-in-the-middle interception.
+ */
+class TlsKeystorePasswordRule extends BaseRule_1.BaseRule {
+    id = 'SEC-009';
+    name = 'TLS Keystore Password Secured';
+    description = 'TLS keystore/truststore passwords must use ${secure::} placeholders';
+    severity = 'error';
+    category = 'security';
+    issueType = 'vulnerability';
+    PASSWORD_ATTRS = ['password', 'keyPassword'];
+    validate(doc, _context) {
+        const issues = [];
+        // Select all key-store and trust-store elements
+        const stores = this.select('//*[local-name()="key-store" or local-name()="trust-store"]', doc);
+        for (const store of stores) {
+            for (const attrName of this.PASSWORD_ATTRS) {
+                const value = this.getAttribute(store, attrName);
+                if (!value || value.trim() === '') {
+                    continue;
+                }
+                // DataWeave expressions are OK
+                if (value.startsWith('#[')) {
+                    continue;
+                }
+                // Must use ${secure::...}
+                if (value.includes('${') && !value.includes('${secure::')) {
+                    const storeName = store.localName;
+                    issues.push(this.createIssue(store, `TLS ${storeName} "${attrName}" uses plain property placeholder — must use \${secure::}`, {
+                        suggestion: `Replace ${value} with \${secure::${this.extractPropName(value)}}`,
+                    }));
+                }
+                // Hardcoded value
+                if (!value.includes('${') && !value.startsWith('#[')) {
+                    const storeName = store.localName;
+                    issues.push(this.createIssue(store, `TLS ${storeName} "${attrName}" is hardcoded — must use \${secure::} placeholder`, {
+                        severity: 'error',
+                        suggestion: `Use \${secure::tls.${storeName}.${attrName}} instead of the hardcoded value`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+    extractPropName(placeholder) {
+        const match = /\$\{([^}]+)\}/.exec(placeholder);
+        return match ? match[1] : placeholder;
+    }
+}
+exports.TlsKeystorePasswordRule = TlsKeystorePasswordRule;
+//# sourceMappingURL=TlsKeystorePasswordRule.js.map

package/dist/src/rules/security/TlsKeystorePasswordRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TlsKeystorePasswordRule.js","sourceRoot":"","sources":["../../../../src/rules/security/TlsKeystorePasswordRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;GAUG;AACH,MAAa,uBAAwB,SAAQ,mBAAQ;IACnD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,+BAA+B,CAAC;IACvC,WAAW,GAAG,qEAAqE,CAAC;IACpF,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,cAAc,GAAG,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAE9D,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,gDAAgD;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,6DAA6D,EAAE,GAAG,CAAC,CAAC;QAE/F,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACjD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;oBAClC,SAAS;gBACX,CAAC;gBAED,+BAA+B;gBAC/B,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,0BAA0B;gBAC1B,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC1D,MAAM,SAAS,GAAI,KAAiB,CAAC,SAAS,CAAC;oBAC/C,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,KAAK,EACL,OAAO,SAAS,KAAK,QAAQ,2DAA2D,EACxF;wBACE,UAAU,EAAE,WAAW,KAAK,oBAAoB,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG;qBAC/E,CACF,CACF,CAAC;gBACJ,CAAC;gBAED,kBAAkB;gBAClB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,MAAM,SAAS,GAAI,KAAiB,CAAC,SAAS,CAAC;oBAC/C,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,KAAK,EACL,OAAO,SAAS,KAAK,QAAQ,oDAAoD,EACjF;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,sBAAsB,SAAS,IAAI,QAAQ,kCAAkC;qBAC1F,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,eAAe,CAAC,WAAmB;QACzC,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IACxC,CAAC;CACF;AAlED,0DAkEC"}

package/dist/src/rules/standards/ApikitRouteVariableConsistencyRule.d.ts

@@ -0,0 +1,26 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * STD-001: APIKit Route Variable Consistency
+ *
+ * In APIKit projects, implementation flows (get:\resource:config, etc.)
+ * should follow a consistent pattern for setting response variables.
+ * For example, if some flows set httpStatus but others don't, this
+ * inconsistency can lead to unexpected HTTP responses.
+ *
+ * This rule flags APIKit implementation flows that deviate from the
+ * most common pattern in the file (e.g., if 4/5 flows set httpStatus
+ * but one doesn't, the outlier is flagged).
+ */
+export declare class ApikitRouteVariableConsistencyRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "info";
+    category: "standards";
+    issueType: IssueType;
+    /** Pattern for APIKit-generated flow names */
+    private readonly APIKIT_FLOW_PATTERN;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=ApikitRouteVariableConsistencyRule.d.ts.map

package/dist/src/rules/standards/ApikitRouteVariableConsistencyRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApikitRouteVariableConsistencyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/standards/ApikitRouteVariableConsistencyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;GAWG;AACH,qBAAa,kCAAmC,SAAQ,QAAQ;IAC9D,EAAE,SAAa;IACf,IAAI,SAAuC;IAC3C,WAAW,SAC8E;IACzF,QAAQ,EAAG,MAAM,CAAU;IAC3B,QAAQ,EAAG,WAAW,CAAU;IAChC,SAAS,EAAE,SAAS,CAAgB;IAEpC,8CAA8C;IAC9C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAkD;IAEtF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAoD9D"}

package/dist/src/rules/standards/ApikitRouteVariableConsistencyRule.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApikitRouteVariableConsistencyRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * STD-001: APIKit Route Variable Consistency
+ *
+ * In APIKit projects, implementation flows (get:\resource:config, etc.)
+ * should follow a consistent pattern for setting response variables.
+ * For example, if some flows set httpStatus but others don't, this
+ * inconsistency can lead to unexpected HTTP responses.
+ *
+ * This rule flags APIKit implementation flows that deviate from the
+ * most common pattern in the file (e.g., if 4/5 flows set httpStatus
+ * but one doesn't, the outlier is flagged).
+ */
+class ApikitRouteVariableConsistencyRule extends BaseRule_1.BaseRule {
+    id = 'STD-001';
+    name = 'APIKit Route Variable Consistency';
+    description = 'APIKit implementation flows should follow consistent patterns for response variables';
+    severity = 'info';
+    category = 'standards';
+    issueType = 'code-smell';
+    /** Pattern for APIKit-generated flow names */
+    APIKIT_FLOW_PATTERN = /^(get|post|put|patch|delete|head|options):\\/;
+    validate(doc, _context) {
+        const issues = [];
+        const flows = this.select('//mule:flow', doc);
+        // Collect APIKit implementation flows
+        const apikitFlows = [];
+        for (const flow of flows) {
+            const flowName = this.getAttribute(flow, 'name') ?? '';
+            if (!this.APIKIT_FLOW_PATTERN.test(flowName)) {
+                continue;
+            }
+            const setsHttpStatus = this.exists('.//*[local-name()="set-variable" and @variableName="httpStatus"]', flow);
+            apikitFlows.push({ name: flowName, node: flow, setsHttpStatus });
+        }
+        // Need at least 3 flows to detect a meaningful pattern
+        if (apikitFlows.length < 3) {
+            return issues;
+        }
+        // Determine the majority pattern
+        const withStatus = apikitFlows.filter((f) => f.setsHttpStatus).length;
+        const withoutStatus = apikitFlows.length - withStatus;
+        // Only flag if there's a clear majority (>60%) and at least one outlier
+        if (withStatus > withoutStatus && withoutStatus > 0 && withStatus / apikitFlows.length > 0.6) {
+            // Majority sets httpStatus — flag those that don't
+            for (const flow of apikitFlows) {
+                if (!flow.setsHttpStatus) {
+                    issues.push(this.createIssue(flow.node, `APIKit flow "${flow.name}" does not set httpStatus, but ${withStatus}/${apikitFlows.length} other flows do`, {
+                        suggestion: 'Add a set-variable for httpStatus to maintain consistency across all APIKit implementation flows',
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+}
+exports.ApikitRouteVariableConsistencyRule = ApikitRouteVariableConsistencyRule;
+//# sourceMappingURL=ApikitRouteVariableConsistencyRule.js.map

package/dist/src/rules/standards/ApikitRouteVariableConsistencyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ApikitRouteVariableConsistencyRule.js","sourceRoot":"","sources":["../../../../src/rules/standards/ApikitRouteVariableConsistencyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;GAWG;AACH,MAAa,kCAAmC,SAAQ,mBAAQ;IAC9D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,mCAAmC,CAAC;IAC3C,WAAW,GACT,sFAAsF,CAAC;IACzF,QAAQ,GAAG,MAAe,CAAC;IAC3B,QAAQ,GAAG,WAAoB,CAAC;IAChC,SAAS,GAAc,YAAY,CAAC;IAEpC,8CAA8C;IAC7B,mBAAmB,GAAG,8CAA8C,CAAC;IAEtF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;QAE9C,sCAAsC;QACtC,MAAM,WAAW,GAAiE,EAAE,CAAC;QAErF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;YACvD,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7C,SAAS;YACX,CAAC;YAED,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAChC,kEAAkE,EAClE,IAAI,CACL,CAAC;YAEF,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,uDAAuD;QACvD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,iCAAiC;QACjC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;QACtE,MAAM,aAAa,GAAG,WAAW,CAAC,MAAM,GAAG,UAAU,CAAC;QAEtD,wEAAwE;QACxE,IAAI,UAAU,GAAG,aAAa,IAAI,aAAa,GAAG,CAAC,IAAI,UAAU,GAAG,WAAW,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC7F,mDAAmD;YACnD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;gBAC/B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;oBACzB,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,IAAI,CAAC,IAAI,EACT,gBAAgB,IAAI,CAAC,IAAI,kCAAkC,UAAU,IAAI,WAAW,CAAC,MAAM,iBAAiB,EAC5G;wBACE,UAAU,EACR,kGAAkG;qBACrG,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAhED,gFAgEC"}

package/dist/src/rules/standards/ConfigPropertiesOrderingRule.d.ts

@@ -0,0 +1,34 @@
+import { ValidationContext, Issue } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * CFG-001: Configuration Properties Ordering
+ *
+ * Mule configuration-properties elements should be loaded in the correct
+ * order: global defaults first, then environment-specific overrides, then
+ * secure properties. This ensures predictable property resolution (Mule
+ * uses last-wins for overlapping keys).
+ *
+ * Expected ordering pattern:
+ *   1. config/global.yaml (or common.yaml, defaults.yaml)
+ *   2. config/${mule.env}.yaml (environment-specific)
+ *   3. secure-properties:config (encrypted secrets)
+ *   4. entity-config/*.yaml (optional, additive)
+ *
+ * This rule flags when env-specific properties appear before global
+ * defaults, which would cause globals to override env-specific values.
+ */
+export declare class ConfigPropertiesOrderingRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "info";
+    category: "standards";
+    /** Patterns that identify global/default property files */
+    private readonly GLOBAL_PATTERNS;
+    /** Patterns that identify env-specific property files */
+    private readonly ENV_PATTERNS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+    private isGlobalFile;
+    private isEnvSpecificFile;
+}
+//# sourceMappingURL=ConfigPropertiesOrderingRule.d.ts.map

package/dist/src/rules/standards/ConfigPropertiesOrderingRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConfigPropertiesOrderingRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/standards/ConfigPropertiesOrderingRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,4BAA6B,SAAQ,QAAQ;IACxD,EAAE,SAAa;IACf,IAAI,SAAuC;IAC3C,WAAW,SACwF;IACnG,QAAQ,EAAG,MAAM,CAAU;IAC3B,QAAQ,EAAG,WAAW,CAAU;IAEhC,2DAA2D;IAC3D,OAAO,CAAC,QAAQ,CAAC,eAAe,CAO9B;IAEF,yDAAyD;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoD;IAEjF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA6C7D,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,iBAAiB;CAG1B"}