@sfdxy/mule-lint 1.20.0 → 1.22.0

package/dist/src/rules/operations/UnusedVariableRule.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnusedVariableRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * HYG-005: Unused Variable
+ *
+ * Detects variables that are set in a flow but never referenced later
+ * in the same flow. This is a common code smell that indicates dead code
+ * or incomplete refactoring.
+ *
+ * Checks for set-variable elements whose variableName is not referenced
+ * by any subsequent expression in the same flow via `vars.variableName`
+ * or `#[vars.variableName]` patterns.
+ *
+ * Note: This is a best-effort heuristic — variables consumed outside the
+ * flow (via flow-ref caller, for example) cannot be detected.
+ */
+class UnusedVariableRule extends BaseRule_1.BaseRule {
+    id = 'HYG-005';
+    name = 'Unused Variable';
+    description = 'Variables set in a flow should be referenced within the same flow';
+    severity = 'info';
+    category = 'operations';
+    issueType = 'code-smell';
+    /** Well-known variables that are always considered "used" (consumed by connectors/listeners) */
+    WELL_KNOWN_VARS = new Set([
+        'httpStatus',
+        'outboundHeaders',
+        'statusCode',
+        'correlationId',
+    ]);
+    validate(doc, _context) {
+        const issues = [];
+        const flows = this.select('//mule:flow | //mule:sub-flow', doc);
+        for (const flow of flows) {
+            const flowName = this.getAttribute(flow, 'name') ?? '';
+            // Collect all set-variable declarations in this flow
+            const setVars = this.select('.//*[local-name()="set-variable"]', flow);
+            const variables = [];
+            for (const setVar of setVars) {
+                const varName = this.getAttribute(setVar, 'variableName');
+                if (varName && !this.WELL_KNOWN_VARS.has(varName)) {
+                    variables.push({ name: varName, node: setVar });
+                }
+            }
+            if (variables.length === 0) {
+                continue;
+            }
+            // Get the full text content of the flow to search for references
+            const flowText = this.serializeNode(flow);
+            for (const { name, node } of variables) {
+                // Check for common reference patterns:
+                // vars.name, vars['name'], vars["name"], vars.name
+                const patterns = [`vars.${name}`, `vars['${name}']`, `vars["${name}"]`, `#[vars.${name}]`];
+                const isReferenced = patterns.some((pattern) => {
+                    // Count occurrences — must appear beyond just the set-variable itself
+                    const regex = new RegExp(this.escapeRegex(pattern), 'g');
+                    const matches = flowText.match(regex);
+                    return matches !== null && matches.length > 0;
+                });
+                if (!isReferenced) {
+                    issues.push(this.createIssue(node, `Variable "${name}" is set in flow "${flowName}" but never referenced within the same flow`, {
+                        suggestion: `Remove the unused variable or verify it is consumed by a downstream flow via flow-ref`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+    serializeNode(node) {
+        // Get all text content and attribute values from the node subtree
+        const parts = [];
+        this.collectTextContent(node, parts);
+        return parts.join(' ');
+    }
+    collectTextContent(node, parts) {
+        if (node.nodeType === 3 /* TEXT_NODE */) {
+            parts.push(node.textContent ?? '');
+        }
+        else if (node.nodeType === 1 /* ELEMENT_NODE */) {
+            // Include attribute values (expressions live in attributes)
+            const element = node;
+            if (element.attributes) {
+                for (let i = 0; i < element.attributes.length; i++) {
+                    parts.push(element.attributes[i].value);
+                }
+            }
+            // Recurse into children
+            const children = node.childNodes;
+            if (children) {
+                for (let i = 0; i < children.length; i++) {
+                    this.collectTextContent(children[i], parts);
+                }
+            }
+        }
+    }
+    escapeRegex(str) {
+        return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+}
+exports.UnusedVariableRule = UnusedVariableRule;
+//# sourceMappingURL=UnusedVariableRule.js.map

package/dist/src/rules/operations/UnusedVariableRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"UnusedVariableRule.js","sourceRoot":"","sources":["../../../../src/rules/operations/UnusedVariableRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;GAaG;AACH,MAAa,kBAAmB,SAAQ,mBAAQ;IAC9C,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,iBAAiB,CAAC;IACzB,WAAW,GAAG,mEAAmE,CAAC;IAClF,QAAQ,GAAG,MAAe,CAAC;IAC3B,QAAQ,GAAG,YAAqB,CAAC;IACjC,SAAS,GAAc,YAAY,CAAC;IAEpC,gGAAgG;IAC/E,eAAe,GAAG,IAAI,GAAG,CAAC;QACzC,YAAY;QACZ,iBAAiB;QACjB,YAAY;QACZ,eAAe;KAChB,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;YAEvD,qDAAqD;YACrD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,IAAI,CAAC,CAAC;YACvE,MAAM,SAAS,GAAwC,EAAE,CAAC;YAE1D,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC1D,IAAI,OAAO,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBAClD,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;gBAClD,CAAC;YACH,CAAC;YAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3B,SAAS;YACX,CAAC;YAED,iEAAiE;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAE1C,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,CAAC;gBACvC,uCAAuC;gBACvC,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,CAAC,QAAQ,IAAI,EAAE,EAAE,SAAS,IAAI,IAAI,EAAE,SAAS,IAAI,IAAI,EAAE,UAAU,IAAI,GAAG,CAAC,CAAC;gBAE3F,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;oBAC7C,sEAAsE;oBACtE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;oBACzD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBACtC,OAAO,OAAO,KAAK,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;gBAChD,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,IAAI,EACJ,aAAa,IAAI,qBAAqB,QAAQ,6CAA6C,EAC3F;wBACE,UAAU,EAAE,uFAAuF;qBACpG,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,aAAa,CAAC,IAAU;QAC9B,kEAAkE;QAClE,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAEO,kBAAkB,CAAC,IAAU,EAAE,KAAe;QACpD,IAAI,IAAI,CAAC,QAAQ,KAAK,CAAC,CAAC,eAAe,EAAE,CAAC;YACxC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,CAAC,CAAC,kBAAkB,EAAE,CAAC;YAClD,4DAA4D;YAC5D,MAAM,OAAO,GAAG,IAA0B,CAAC;YAC3C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACnD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;YACD,wBAAwB;YACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC;YACjC,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACzC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC9C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,GAAW;QAC7B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;CACF;AAtGD,gDAsGC"}

package/dist/src/rules/performance/ListenerReconnectForeverRule.d.ts

@@ -0,0 +1,28 @@
+import { ValidationContext, Issue } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * RES-002: Listener Reconnect-Forever
+ *
+ * HTTP listener-config elements should use reconnect-forever rather than
+ * bounded reconnect strategies. Unlike outbound connectors where bounded
+ * retries make sense, the listener is the application's entry point — if
+ * it can't bind to the port, the app should keep trying indefinitely.
+ *
+ * Real-world accelerator pattern:
+ *   <http:listener-config>
+ *     <http:listener-connection host="0.0.0.0" port="${http.port}">
+ *       <reconnection>
+ *         <reconnect-forever frequency="5000" />
+ *       </reconnection>
+ *     </http:listener-connection>
+ *   </http:listener-config>
+ */
+export declare class ListenerReconnectForeverRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "warning";
+    category: "performance";
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=ListenerReconnectForeverRule.d.ts.map

package/dist/src/rules/performance/ListenerReconnectForeverRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ListenerReconnectForeverRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ListenerReconnectForeverRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,4BAA6B,SAAQ,QAAQ;IACxD,EAAE,SAAa;IACf,IAAI,SAAgC;IACpC,WAAW,SAAsE;IACjF,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CA2C9D"}

package/dist/src/rules/performance/ListenerReconnectForeverRule.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ListenerReconnectForeverRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * RES-002: Listener Reconnect-Forever
+ *
+ * HTTP listener-config elements should use reconnect-forever rather than
+ * bounded reconnect strategies. Unlike outbound connectors where bounded
+ * retries make sense, the listener is the application's entry point — if
+ * it can't bind to the port, the app should keep trying indefinitely.
+ *
+ * Real-world accelerator pattern:
+ *   <http:listener-config>
+ *     <http:listener-connection host="0.0.0.0" port="${http.port}">
+ *       <reconnection>
+ *         <reconnect-forever frequency="5000" />
+ *       </reconnection>
+ *     </http:listener-connection>
+ *   </http:listener-config>
+ */
+class ListenerReconnectForeverRule extends BaseRule_1.BaseRule {
+    id = 'RES-002';
+    name = 'Listener Reconnect-Forever';
+    description = 'HTTP listener-config should use reconnect-forever for resilience';
+    severity = 'warning';
+    category = 'performance';
+    validate(doc, _context) {
+        const issues = [];
+        const listenerConfigs = this.select('//*[local-name()="listener-config"]', doc);
+        for (const config of listenerConfigs) {
+            const name = this.getNameAttribute(config) ?? 'HTTP Listener';
+            // Check if reconnect-forever exists anywhere inside the config
+            const hasReconnectForever = this.exists('.//*[local-name()="reconnect-forever"]', config);
+            if (hasReconnectForever) {
+                continue; // Good — has reconnect-forever
+            }
+            // Check if there's a bounded reconnect (which is suboptimal for listeners)
+            const hasBoundedReconnect = this.exists('.//*[local-name()="reconnect"]', config) ||
+                this.exists('.//*[local-name()="reconnection"]', config);
+            if (hasBoundedReconnect) {
+                issues.push(this.createIssue(config, `Listener config "${name}" uses bounded reconnect instead of reconnect-forever`, {
+                    suggestion: 'Replace <reconnect count="..." .../> with <reconnect-forever frequency="5000" /> for HTTP listeners — the app should keep trying to bind',
+                }));
+            }
+            else {
+                issues.push(this.createIssue(config, `Listener config "${name}" has no reconnection strategy`, {
+                    suggestion: 'Add <reconnection><reconnect-forever frequency="5000" /></reconnection> inside the listener-connection element',
+                }));
+            }
+        }
+        return issues;
+    }
+}
+exports.ListenerReconnectForeverRule = ListenerReconnectForeverRule;
+//# sourceMappingURL=ListenerReconnectForeverRule.js.map

package/dist/src/rules/performance/ListenerReconnectForeverRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ListenerReconnectForeverRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ListenerReconnectForeverRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,4BAA6B,SAAQ,mBAAQ;IACxD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,4BAA4B,CAAC;IACpC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;QAEhF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,eAAe,CAAC;YAE9D,+DAA+D;YAC/D,MAAM,mBAAmB,GAAG,IAAI,CAAC,MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;YAE1F,IAAI,mBAAmB,EAAE,CAAC;gBACxB,SAAS,CAAC,+BAA+B;YAC3C,CAAC;YAED,2EAA2E;YAC3E,MAAM,mBAAmB,GACvB,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC;gBACrD,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;YAE3D,IAAI,mBAAmB,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,oBAAoB,IAAI,uDAAuD,EAC/E;oBACE,UAAU,EACR,0IAA0I;iBAC7I,CACF,CACF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,oBAAoB,IAAI,gCAAgC,EAAE;oBACjF,UAAU,EACR,gHAAgH;iBACnH,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAlDD,oEAkDC"}

package/dist/src/rules/performance/ReconnectionStrategyRule.d.ts

@@ -5,12 +5,14 @@ import { BaseRule } from '../base/BaseRule';
  *
  * Connectors should have reconnection strategies configured for resilience.
  *
+ * Enhanced to differentiate listener vs request configs:
+ * - Listeners (inbound): recommend `reconnect-forever` (service must stay alive)
+ * - Requests (outbound): recommend bounded `reconnect count="3"` (fail fast for callers)
+ *
  * Per the Mule HTTP connector XSD, `<reconnection>` is a child element of
  * `<http:request-connection>`, NOT a direct child of `<http:request-config>`.
- * Placing `<reconnection>` directly under `<http:request-config>` causes a
- * SAXParseException at build time. The rule uses a descendant search (`.//*`)
- * to correctly resolve reconnection elements at any depth, including the valid
- * `http:request-config > http:request-connection > reconnection` nesting.
+ * The rule uses a descendant search (`.//*`) to correctly resolve reconnection
+ * elements at any depth.
  */
 export declare class ReconnectionStrategyRule extends BaseRule {
     id: string;
@@ -19,5 +21,6 @@ export declare class ReconnectionStrategyRule extends BaseRule {
     severity: "warning";
     category: "performance";
     validate(doc: Document, _context: ValidationContext): Issue[];
+    private hasAnyReconnection;
 }
 //# sourceMappingURL=ReconnectionStrategyRule.d.ts.map

package/dist/src/rules/performance/ReconnectionStrategyRule.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ReconnectionStrategyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;GAWG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA+D;IAC1E,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAkE9D"}
+{"version":3,"file":"ReconnectionStrategyRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;GAaG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAa;IACf,IAAI,SAA2B;IAC/B,WAAW,SAA+D;IAC1E,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,aAAa,CAAU;IAElC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IAkG7D,OAAO,CAAC,kBAAkB;CAO3B"}

package/dist/src/rules/performance/ReconnectionStrategyRule.js

@@ -7,12 +7,14 @@ const BaseRule_1 = require("../base/BaseRule");
  *
  * Connectors should have reconnection strategies configured for resilience.
  *
+ * Enhanced to differentiate listener vs request configs:
+ * - Listeners (inbound): recommend `reconnect-forever` (service must stay alive)
+ * - Requests (outbound): recommend bounded `reconnect count="3"` (fail fast for callers)
+ *
  * Per the Mule HTTP connector XSD, `<reconnection>` is a child element of
  * `<http:request-connection>`, NOT a direct child of `<http:request-config>`.
- * Placing `<reconnection>` directly under `<http:request-config>` causes a
- * SAXParseException at build time. The rule uses a descendant search (`.//*`)
- * to correctly resolve reconnection elements at any depth, including the valid
- * `http:request-config > http:request-connection > reconnection` nesting.
+ * The rule uses a descendant search (`.//*`) to correctly resolve reconnection
+ * elements at any depth.
  */
 class ReconnectionStrategyRule extends BaseRule_1.BaseRule {
     id = 'RES-001';
@@ -22,52 +24,70 @@ class ReconnectionStrategyRule extends BaseRule_1.BaseRule {
     category = 'performance';
     validate(doc, _context) {
         const issues = [];
-        // Specific connector configurations that benefit from reconnection strategies
-        // Using more specific patterns to avoid false positives on generic "config" elements
-        const connectorConfigs = [
+        // Listener configs (inbound) — recommend reconnect-forever
+        const listenerConfigs = [{ pattern: 'listener-config', name: 'HTTP Listener' }];
+        for (const connector of listenerConfigs) {
+            const configs = this.select(`//*[local-name()="${connector.pattern}"]`, doc);
+            for (const config of configs) {
+                const hasReconnection = this.hasAnyReconnection(config);
+                if (!hasReconnection) {
+                    const name = this.getNameAttribute(config) ?? connector.name;
+                    issues.push(this.createIssue(config, `${connector.name} config "${name}" has no reconnection strategy`, {
+                        suggestion: 'Add <reconnection><reconnect-forever frequency="5000"/></reconnection> for listener configs — the service should always attempt to reconnect',
+                    }));
+                }
+            }
+        }
+        // Request/outbound configs — recommend bounded reconnect
+        const requestConfigs = [
             { pattern: 'request-config', name: 'HTTP Request' },
-            { pattern: 'listener-config', name: 'HTTP Listener' },
             { pattern: 'jms-config', name: 'JMS' },
             { pattern: 'amqp-config', name: 'AMQP' },
             { pattern: 'sftp-config', name: 'SFTP' },
             { pattern: 'ftp-config', name: 'FTP' },
             { pattern: 'vm-config', name: 'VM' },
         ];
-        for (const connector of connectorConfigs) {
+        for (const connector of requestConfigs) {
             const configs = this.select(`//*[local-name()="${connector.pattern}"]`, doc);
             for (const config of configs) {
-                // Use descendant search (.//*) so that reconnection elements nested anywhere
-                // inside the config element are detected. This handles the XSD-correct pattern:
-                //   <http:request-config>
-                //     <http:request-connection>
-                //       <reconnection>...</reconnection>   ← correct per HTTP connector XSD
-                //     </http:request-connection>
-                //   </http:request-config>
-                const hasReconnection = this.exists('.//*[local-name()="reconnection"]', config) ||
-                    this.exists('.//*[local-name()="reconnect"]', config) ||
-                    this.exists('.//*[local-name()="reconnect-forever"]', config);
+                const hasReconnection = this.hasAnyReconnection(config);
                 if (!hasReconnection) {
                     const name = this.getNameAttribute(config) ?? connector.name;
                     issues.push(this.createIssue(config, `${connector.name} config "${name}" has no reconnection strategy`, {
-                        suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside <http:request-connection> for HTTP connectors',
+                        suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the connection element for outbound connectors',
                     }));
                 }
             }
         }
-        // Database configs specifically - check for db namespace
+        // Database configs — check for db namespace
         const dbConfigs = this.select('//*[local-name()="config" and starts-with(name(), "db:")]', doc);
         for (const config of dbConfigs) {
-            const hasReconnection = this.exists('.//*[local-name()="reconnection"]', config) ||
-                this.exists('.//*[local-name()="reconnect"]', config);
+            const hasReconnection = this.hasAnyReconnection(config);
             if (!hasReconnection) {
                 const name = this.getNameAttribute(config) ?? 'Database';
                 issues.push(this.createIssue(config, `Database config "${name}" has no reconnection strategy`, {
-                    suggestion: 'Add <reconnection> inside the connection element',
+                    suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the connection element',
+                }));
+            }
+        }
+        // Salesforce configs — check for sfdc-config
+        const sfdcConfigs = this.select('//*[local-name()="sfdc-config" or local-name()="config" and starts-with(name(), "salesforce:")]', doc);
+        for (const config of sfdcConfigs) {
+            const hasReconnection = this.hasAnyReconnection(config);
+            if (!hasReconnection) {
+                const name = this.getNameAttribute(config) ?? 'Salesforce';
+                issues.push(this.createIssue(config, `Salesforce config "${name}" has no reconnection strategy`, {
+                    suggestion: 'Add <reconnection><reconnect count="3" frequency="2000"/></reconnection> inside the Salesforce connection element',
                 }));
             }
         }
         return issues;
     }
+    hasAnyReconnection(config) {
+        return (this.exists('.//*[local-name()="reconnection"]', config) ||
+            this.exists('.//*[local-name()="reconnect"]', config) ||
+            this.exists('.//*[local-name()="reconnect-forever"]', config));
+    }
 }
 exports.ReconnectionStrategyRule = ReconnectionStrategyRule;
 //# sourceMappingURL=ReconnectionStrategyRule.js.map

package/dist/src/rules/performance/ReconnectionStrategyRule.js.map

@@ -1 +1 @@
-{"version":3,"file":"ReconnectionStrategyRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;GAWG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2DAA2D,CAAC;IAC1E,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,8EAA8E;QAC9E,qFAAqF;QACrF,MAAM,gBAAgB,GAAG;YACvB,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,cAAc,EAAE;YACnD,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,eAAe,EAAE;YACrD,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;SACrC,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,6EAA6E;gBAC7E,gFAAgF;gBAChF,0BAA0B;gBAC1B,gCAAgC;gBAChC,4EAA4E;gBAC5E,iCAAiC;gBACjC,2BAA2B;gBAC3B,MAAM,eAAe,GACnB,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC;oBACxD,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC;oBACrD,IAAI,CAAC,MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;gBAEhE,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,EACR,+HAA+H;qBAClI,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,2DAA2D,EAAE,GAAG,CAAC,CAAC;QAChG,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,MAAM,eAAe,GACnB,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC;gBACxD,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;gBACzD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,oBAAoB,IAAI,gCAAgC,EAAE;oBACjF,UAAU,EAAE,kDAAkD;iBAC/D,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAzED,4DAyEC"}
+{"version":3,"file":"ReconnectionStrategyRule.js","sourceRoot":"","sources":["../../../../src/rules/performance/ReconnectionStrategyRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;GAaG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2DAA2D,CAAC;IAC1E,QAAQ,GAAG,SAAkB,CAAC;IAC9B,QAAQ,GAAG,aAAsB,CAAC;IAElC,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,2DAA2D;QAC3D,MAAM,eAAe,GAAG,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC;QAEhF,KAAK,MAAM,SAAS,IAAI,eAAe,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;gBAExD,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,EACR,8IAA8I;qBACjJ,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,MAAM,cAAc,GAAG;YACrB,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,cAAc,EAAE;YACnD,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE;YACxC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE;YACtC,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;SACrC,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,qBAAqB,SAAS,CAAC,OAAO,IAAI,EAAE,GAAG,CAAC,CAAC;YAE7E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;gBAExD,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC;oBAC7D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,MAAM,EACN,GAAG,SAAS,CAAC,IAAI,YAAY,IAAI,gCAAgC,EACjE;wBACE,UAAU,EACR,gIAAgI;qBACnI,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,2DAA2D,EAAE,GAAG,CAAC,CAAC;QAChG,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;gBACzD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,oBAAoB,IAAI,gCAAgC,EAAE;oBACjF,UAAU,EACR,wGAAwG;iBAC3G,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6CAA6C;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAC7B,iGAAiG,EACjG,GAAG,CACJ,CAAC;QACF,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;YACjC,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAExD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC;gBAC3D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,sBAAsB,IAAI,gCAAgC,EAAE;oBACnF,UAAU,EACR,mHAAmH;iBACtH,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,MAAY;QACrC,OAAO,CACL,IAAI,CAAC,MAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,gCAAgC,EAAE,MAAM,CAAC;YACrD,IAAI,CAAC,MAAM,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAC9D,CAAC;IACJ,CAAC;CACF;AAhHD,4DAgHC"}

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.d.ts

@@ -0,0 +1,36 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-007: Connector Credentials Secured
+ *
+ * Salesforce, NetSuite, Database, and other connector configurations must
+ * use `${secure::...}` (not plain `${...}`) for credential attributes.
+ *
+ * Plain property placeholders like `${sf.password}` store the value in
+ * clear text in property files.  The `${secure::...}` prefix ensures the
+ * value is read from an encrypted secure properties file.
+ *
+ * Covered connectors and attributes:
+ *   - Salesforce: username, password, securityToken, consumerKey, consumerSecret
+ *   - NetSuite: consumerKey, consumerSecret, tokenId, tokenSecret
+ *   - Database: password, user (when not using connection URL)
+ *   - HTTP Basic Auth: username, password
+ *   - SMTP: password
+ */
+export declare class ConnectorCredentialsSecuredRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "error";
+    category: "security";
+    issueType: IssueType;
+    /**
+     * Map of element local-name patterns to their sensitive attributes.
+     * We match on local-name() to be namespace-agnostic.
+     */
+    private readonly CONNECTOR_SENSITIVE_ATTRS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+    private findSensitiveAttrs;
+    private extractPropertyName;
+}
+//# sourceMappingURL=ConnectorCredentialsSecuredRule.d.ts.map

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConnectorCredentialsSecuredRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/ConnectorCredentialsSecuredRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,+BAAgC,SAAQ,QAAQ;IAC3D,EAAE,SAAa;IACf,IAAI,SAAmC;IACvC,WAAW,SAAsE;IACjF,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CA+BxC;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA4D7D,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,mBAAmB;CAI5B"}

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js

@@ -0,0 +1,124 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConnectorCredentialsSecuredRule = void 0;
+const BaseRule_1 = require("../base/BaseRule");
+/**
+ * SEC-007: Connector Credentials Secured
+ *
+ * Salesforce, NetSuite, Database, and other connector configurations must
+ * use `${secure::...}` (not plain `${...}`) for credential attributes.
+ *
+ * Plain property placeholders like `${sf.password}` store the value in
+ * clear text in property files.  The `${secure::...}` prefix ensures the
+ * value is read from an encrypted secure properties file.
+ *
+ * Covered connectors and attributes:
+ *   - Salesforce: username, password, securityToken, consumerKey, consumerSecret
+ *   - NetSuite: consumerKey, consumerSecret, tokenId, tokenSecret
+ *   - Database: password, user (when not using connection URL)
+ *   - HTTP Basic Auth: username, password
+ *   - SMTP: password
+ */
+class ConnectorCredentialsSecuredRule extends BaseRule_1.BaseRule {
+    id = 'SEC-007';
+    name = 'Connector Credentials Secured';
+    description = 'Connector credentials must use ${secure::} property placeholders';
+    severity = 'error';
+    category = 'security';
+    issueType = 'vulnerability';
+    /**
+     * Map of element local-name patterns to their sensitive attributes.
+     * We match on local-name() to be namespace-agnostic.
+     */
+    CONNECTOR_SENSITIVE_ATTRS = {
+        // Salesforce connector
+        'sfdc-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'salesforce-config': ['username', 'password', 'securityToken', 'consumerKey', 'consumerSecret'],
+        'basic-connection': [
+            'username',
+            'password',
+            'securityToken',
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        'oauth-user-pass-connection': ['consumerKey', 'consumerSecret'],
+        'oauth-jwt-connection': ['consumerKey', 'keyStorePath', 'storePassword'],
+        // NetSuite connector (token-based)
+        'token-based-authentication-connection': [
+            'consumerKey',
+            'consumerSecret',
+            'tokenId',
+            'tokenSecret',
+        ],
+        // Database connector
+        'derby-connection': ['password'],
+        'generic-connection': ['password'],
+        'my-sql-connection': ['password'],
+        'mssql-connection': ['password'],
+        'oracle-connection': ['password'],
+        'data-source-connection': ['password'],
+        // SMTP
+        'smtps-connection': ['password'],
+    };
+    validate(doc, _context) {
+        const issues = [];
+        const allElements = doc.getElementsByTagName('*');
+        for (let i = 0; i < allElements.length; i++) {
+            const element = allElements[i];
+            const localName = element.localName;
+            const sensitiveAttrs = this.findSensitiveAttrs(localName);
+            if (!sensitiveAttrs) {
+                continue;
+            }
+            for (const attrName of sensitiveAttrs) {
+                const value = element.getAttribute(attrName);
+                if (!value || value.trim() === '') {
+                    continue;
+                }
+                // Skip DataWeave expressions — they're computed at runtime
+                if (value.startsWith('#[')) {
+                    continue;
+                }
+                // Must use ${secure::...} — plain ${...} is not sufficient
+                if (value.includes('${') && !value.includes('${secure::')) {
+                    issues.push(this.createIssue(element, `Credential "${attrName}" uses plain property placeholder — must use \${secure::} for encryption`, {
+                        suggestion: `Replace ${value} with \${secure::${this.extractPropertyName(value)}}`,
+                    }));
+                }
+                // Hardcoded value — no placeholder at all
+                if (!value.includes('${') && !value.startsWith('#[')) {
+                    // Ignore booleans and numbers
+                    if (value === 'true' || value === 'false' || !isNaN(Number(value))) {
+                        continue;
+                    }
+                    issues.push(this.createIssue(element, `Credential "${attrName}" is hardcoded — must use \${secure::} property placeholder`, {
+                        severity: 'error',
+                        suggestion: `Use \${secure::${localName}.${attrName}} instead of the hardcoded value`,
+                    }));
+                }
+            }
+        }
+        return issues;
+    }
+    findSensitiveAttrs(localName) {
+        // Exact match first
+        if (this.CONNECTOR_SENSITIVE_ATTRS[localName]) {
+            return this.CONNECTOR_SENSITIVE_ATTRS[localName];
+        }
+        // Partial match for compound names
+        for (const [key, attrs] of Object.entries(this.CONNECTOR_SENSITIVE_ATTRS)) {
+            if (localName.includes(key)) {
+                return attrs;
+            }
+        }
+        return undefined;
+    }
+    extractPropertyName(placeholder) {
+        const match = /\$\{([^}]+)\}/.exec(placeholder);
+        return match ? match[1] : placeholder;
+    }
+}
+exports.ConnectorCredentialsSecuredRule = ConnectorCredentialsSecuredRule;
+//# sourceMappingURL=ConnectorCredentialsSecuredRule.js.map

package/dist/src/rules/security/ConnectorCredentialsSecuredRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ConnectorCredentialsSecuredRule.js","sourceRoot":"","sources":["../../../../src/rules/security/ConnectorCredentialsSecuredRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAa,+BAAgC,SAAQ,mBAAQ;IAC3D,EAAE,GAAG,SAAS,CAAC;IACf,IAAI,GAAG,+BAA+B,CAAC;IACvC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEvC;;;OAGG;IACc,yBAAyB,GAA6B;QACrE,uBAAuB;QACvB,aAAa,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QACzF,mBAAmB,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,aAAa,EAAE,gBAAgB,CAAC;QAC/F,kBAAkB,EAAE;YAClB,UAAU;YACV,UAAU;YACV,eAAe;YACf,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,4BAA4B,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;QAC/D,sBAAsB,EAAE,CAAC,aAAa,EAAE,cAAc,EAAE,eAAe,CAAC;QACxE,mCAAmC;QACnC,uCAAuC,EAAE;YACvC,aAAa;YACb,gBAAgB;YAChB,SAAS;YACT,aAAa;SACd;QACD,qBAAqB;QACrB,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,oBAAoB,EAAE,CAAC,UAAU,CAAC;QAClC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,kBAAkB,EAAE,CAAC,UAAU,CAAC;QAChC,mBAAmB,EAAE,CAAC,UAAU,CAAC;QACjC,wBAAwB,EAAE,CAAC,UAAU,CAAC;QACtC,OAAO;QACP,kBAAkB,EAAE,CAAC,UAAU,CAAC;KACjC,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YAEpC,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;gBAC7C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;oBAClC,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,2DAA2D;gBAC3D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,0EAA0E,EACjG;wBACE,UAAU,EAAE,WAAW,KAAK,oBAAoB,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,GAAG;qBACnF,CACF,CACF,CAAC;gBACJ,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrD,8BAA8B;oBAC9B,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;wBACnE,SAAS;oBACX,CAAC;oBACD,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,eAAe,QAAQ,6DAA6D,EACpF;wBACE,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,kBAAkB,SAAS,IAAI,QAAQ,kCAAkC;qBACtF,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,kBAAkB,CAAC,SAAiB;QAC1C,oBAAoB;QACpB,IAAI,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;QACnD,CAAC;QACD,mCAAmC;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC1E,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,mBAAmB,CAAC,WAAmB;QAC7C,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IACxC,CAAC;CACF;AA3HD,0EA2HC"}

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts

@@ -4,6 +4,10 @@ import { BaseRule } from '../base/BaseRule';
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 export declare class HardcodedCredentialsRule extends BaseRule {
     id: string;

package/dist/src/rules/security/HardcodedCredentialsRule.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;GAIG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAU9B;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}
+{"version":3,"file":"HardcodedCredentialsRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IACpD,EAAE,SAAc;IAChB,IAAI,SAA2B;IAC/B,WAAW,SAA+E;IAC1F,QAAQ,EAAG,OAAO,CAAU;IAC5B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAqB9B;IAEF,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;IA+B7D,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,WAAW;CAoBpB"}

package/dist/src/rules/security/HardcodedCredentialsRule.js

@@ -6,6 +6,10 @@ const BaseRule_1 = require("../base/BaseRule");
  * MULE-201: Hardcoded Credentials
  *
  * Passwords and secrets should use secure property placeholders.
+ *
+ * Enhanced to cover Salesforce connector-specific sensitive attributes
+ * (consumerKey, storePassword, tokenId, tokenSecret) and NetSuite
+ * OAuth attributes (consumerSecret, tokenKey, tokenSecret).
  */
 class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
     id = 'MULE-201';
@@ -24,6 +28,17 @@ class HardcodedCredentialsRule extends BaseRule_1.BaseRule {
         'token',
         'accessToken',
         'privateKey',
+        // Salesforce connector attrs
+        'consumerKey',
+        'consumerSecret',
+        'storePassword',
+        'tokenId',
+        'tokenSecret',
+        // NetSuite OAuth attrs
+        'tokenKey',
+        // Keystore/truststore
+        'keyPassword',
+        'keystorePassword',
     ];
     validate(doc, _context) {
         const issues = [];

package/dist/src/rules/security/HardcodedCredentialsRule.js.map

@@ -1 +1 @@
-{"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;GAIG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;KACb,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AA3ED,4DA2EC"}
+{"version":3,"file":"HardcodedCredentialsRule.js","sourceRoot":"","sources":["../../../../src/rules/security/HardcodedCredentialsRule.ts"],"names":[],"mappings":";;;AACA,+CAA4C;AAE5C;;;;;;;;GAQG;AACH,MAAa,wBAAyB,SAAQ,mBAAQ;IACpD,EAAE,GAAG,UAAU,CAAC;IAChB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,2EAA2E,CAAC;IAC1F,QAAQ,GAAG,OAAgB,CAAC;IAC5B,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAc,eAAe,CAAC;IAEtB,eAAe,GAAG;QACjC,UAAU;QACV,QAAQ;QACR,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,OAAO;QACP,aAAa;QACb,YAAY;QACZ,6BAA6B;QAC7B,aAAa;QACb,gBAAgB;QAChB,eAAe;QACf,SAAS;QACT,aAAa;QACb,uBAAuB;QACvB,UAAU;QACV,sBAAsB;QACtB,aAAa;QACb,kBAAkB;KACnB,CAAC;IAEF,QAAQ,CAAC,GAAa,EAAE,QAA2B;QACjD,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAElD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC;YAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBAEzB,yCAAyC;gBACzC,IAAI,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnE,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,WAAW,CACd,OAAO,EACP,aAAa,IAAI,CAAC,IAAI,0CAA0C,EAChE;wBACE,UAAU,EAAE,kBAAkB,IAAI,CAAC,IAAI,8BAA8B;qBACtE,CACF,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,oBAAoB,CAAC,QAAgB;QAC3C,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,WAAW,CAAC,KAAa;QAC/B,iCAAiC;QACjC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,yDAAyD;QACzD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAtFD,4DAsFC"}

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts

@@ -0,0 +1,25 @@
+import { ValidationContext, Issue, IssueType } from '../../types';
+import { BaseRule } from '../base/BaseRule';
+/**
+ * SEC-010: Secure Properties Encryption Algorithm
+ *
+ * When `<secure-properties:config>` specifies an encryption algorithm, it
+ * should use a strong algorithm (AES, Blowfish) and not a weak or
+ * deprecated one (DES, RC2, RC4).
+ *
+ * Also validates that when secure properties are used, the `encrypt`
+ * element exists (i.e., properties are actually encrypted, not just
+ * marked as "secure" with no encryption).
+ */
+export declare class SecurePropertiesEncryptionRule extends BaseRule {
+    id: string;
+    name: string;
+    description: string;
+    severity: "warning";
+    category: "security";
+    issueType: IssueType;
+    private readonly WEAK_ALGORITHMS;
+    private readonly STRONG_ALGORITHMS;
+    validate(doc: Document, _context: ValidationContext): Issue[];
+}
+//# sourceMappingURL=SecurePropertiesEncryptionRule.d.ts.map

package/dist/src/rules/security/SecurePropertiesEncryptionRule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurePropertiesEncryptionRule.d.ts","sourceRoot":"","sources":["../../../../src/rules/security/SecurePropertiesEncryptionRule.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;;;;;GAUG;AACH,qBAAa,8BAA+B,SAAQ,QAAQ;IAC1D,EAAE,SAAa;IACf,IAAI,SAAkC;IACtC,WAAW,SAA6D;IACxE,QAAQ,EAAG,SAAS,CAAU;IAC9B,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,SAAS,CAAmB;IAEvC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAmC;IACnE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAuB;IAEzD,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,GAAG,KAAK,EAAE;CAsD9D"}