@triedotdev/mcp 1.0.0

package/dist/chunk-MR755QGT.js

@@ -0,0 +1,927 @@
+import {
+  AhoCorasick
+} from "./chunk-6NLHFIYA.js";
+
+// src/trie/vulnerability-signatures.ts
+var ALWAYS_EXCLUDED_FILES = [
+  /vulnerability-signatures\.[jt]s$/,
+  // CRITICAL: Never scan ourselves!
+  /vibe-code-signatures\.[jt]s$/,
+  // Never scan signature files
+  /package-lock\.json$/,
+  // Lock files
+  /yarn\.lock$/,
+  /pnpm-lock\.yaml$/,
+  /node_modules\//,
+  // Dependencies
+  /\.d\.ts$/,
+  // Type definitions
+  /\.min\.[jt]s$/,
+  // Minified files
+  /dist\//,
+  // Build output
+  /build\//
+];
+var EXCLUDED_FILE_PATTERNS = [
+  /\.test\.[jt]sx?$/,
+  // Test files
+  /\.spec\.[jt]sx?$/,
+  // Spec files
+  /__tests__\//,
+  // Test directories
+  /\/test\//,
+  // test/ directory
+  /\/tests\//,
+  // tests/ directory
+  /\.stories\.[jt]sx?$/,
+  // Storybook files
+  /\.config\.[jt]s$/,
+  // Config files
+  /example/i,
+  // Example files
+  /demo/i,
+  // Demo files
+  /fixture/i,
+  // Test fixtures
+  /mock/i
+  // Mock files
+];
+function shouldAlwaysExcludeFile(filePath) {
+  return ALWAYS_EXCLUDED_FILES.some((pattern) => pattern.test(filePath));
+}
+function shouldExcludeFile(filePath, patternCategory) {
+  if (shouldAlwaysExcludeFile(filePath)) {
+    return true;
+  }
+  if (patternCategory === "secrets" || patternCategory === "exposed-secrets") {
+    return false;
+  }
+  return EXCLUDED_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
+}
+var SQL_CONTEXT_KEYWORDS = [
+  "SELECT",
+  "INSERT",
+  "UPDATE",
+  "DELETE",
+  "FROM",
+  "WHERE",
+  "JOIN",
+  "query",
+  "execute",
+  "sql",
+  "prisma",
+  "knex",
+  "sequelize",
+  "createQueryBuilder",
+  "rawQuery",
+  ".raw("
+];
+function isInSQLContext(line, surroundingLines) {
+  const allContent = [line, ...surroundingLines].join(" ").toLowerCase();
+  return SQL_CONTEXT_KEYWORDS.some(
+    (keyword) => allContent.includes(keyword.toLowerCase())
+  );
+}
+var VULNERABILITY_PATTERNS = [
+  // ============================================
+  // CRITICAL: Injection vulnerabilities
+  // ============================================
+  {
+    pattern: "eval(",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "injection",
+      description: "eval() can execute arbitrary code - potential RCE",
+      cwe: "CWE-95",
+      fix: "Use safer alternatives like JSON.parse() or a sandboxed interpreter"
+    }
+  },
+  {
+    pattern: "new Function(",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "injection",
+      description: "new Function() can execute arbitrary code",
+      cwe: "CWE-95",
+      fix: "Avoid dynamic function creation from user input"
+    }
+  },
+  {
+    pattern: "exec(",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "injection",
+      description: "Command execution - potential command injection",
+      cwe: "CWE-78",
+      fix: "Use parameterized commands and validate/sanitize all inputs"
+    }
+  },
+  {
+    pattern: "execSync(",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "injection",
+      description: "Synchronous command execution - potential injection",
+      cwe: "CWE-78",
+      fix: "Use spawn with argument arrays instead of shell strings"
+    }
+  },
+  {
+    pattern: "spawn(",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "injection",
+      description: "Process spawn - verify inputs are sanitized",
+      cwe: "CWE-78",
+      fix: "Use shell: false and pass arguments as array"
+    }
+  },
+  {
+    pattern: "child_process",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "injection",
+      description: "Child process module - review for command injection",
+      cwe: "CWE-78",
+      fix: "Validate all inputs passed to child processes"
+    }
+  },
+  // ============================================
+  // CRITICAL: SQL Injection patterns
+  // NOTE: ${} is NOT flagged here - we check SQL context in isFalsePositive
+  // ============================================
+  {
+    pattern: "SELECT * FROM",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "sql-injection",
+      description: "Raw SQL query detected - verify parameterization",
+      cwe: "CWE-89",
+      fix: "Use ORM or parameterized queries"
+    }
+  },
+  {
+    pattern: "INSERT INTO",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "sql-injection",
+      description: "Raw SQL INSERT - verify parameterization",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries"
+    }
+  },
+  {
+    pattern: "DELETE FROM",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "sql-injection",
+      description: "Raw SQL DELETE - verify parameterization",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries"
+    }
+  },
+  {
+    pattern: ".raw(`",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "sql-injection",
+      description: "Raw query with template literal - high injection risk",
+      cwe: "CWE-89",
+      fix: "Avoid raw queries with interpolation or use proper escaping"
+    }
+  },
+  {
+    pattern: ".raw('",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "sql-injection",
+      description: "Raw query method - verify for injection risk",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries instead of raw SQL"
+    }
+  },
+  {
+    pattern: '.raw("',
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "sql-injection",
+      description: "Raw query method - verify for injection risk",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries instead of raw SQL"
+    }
+  },
+  {
+    pattern: "`SELECT",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "sql-injection",
+      description: "SQL in template literal - check for injection",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries with placeholders"
+    }
+  },
+  {
+    pattern: "`INSERT",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "sql-injection",
+      description: "SQL INSERT in template literal - check for injection",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries with placeholders"
+    }
+  },
+  {
+    pattern: "`UPDATE",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "sql-injection",
+      description: "SQL UPDATE in template literal - check for injection",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries with placeholders"
+    }
+  },
+  {
+    pattern: "`DELETE",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "sql-injection",
+      description: "SQL DELETE in template literal - check for injection",
+      cwe: "CWE-89",
+      fix: "Use parameterized queries with placeholders"
+    }
+  },
+  // ============================================
+  // CRITICAL: XSS vulnerabilities
+  // ============================================
+  {
+    pattern: "innerHTML",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "innerHTML can inject malicious scripts",
+      cwe: "CWE-79",
+      fix: "Use textContent or sanitize HTML with DOMPurify"
+    }
+  },
+  {
+    pattern: "outerHTML",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "outerHTML can inject malicious scripts",
+      cwe: "CWE-79",
+      fix: "Avoid outerHTML with user input"
+    }
+  },
+  {
+    pattern: "document.write",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "document.write can inject malicious content",
+      cwe: "CWE-79",
+      fix: "Use DOM methods like createElement instead"
+    }
+  },
+  {
+    pattern: "dangerouslySetInnerHTML",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "React dangerouslySetInnerHTML - XSS risk",
+      cwe: "CWE-79",
+      fix: "Sanitize with DOMPurify before using"
+    }
+  },
+  {
+    pattern: "v-html",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "Vue v-html directive - XSS risk",
+      cwe: "CWE-79",
+      fix: "Sanitize content or use v-text"
+    }
+  },
+  {
+    pattern: "[innerHTML]",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "xss",
+      description: "Angular innerHTML binding - XSS risk",
+      cwe: "CWE-79",
+      fix: "Use Angular DomSanitizer"
+    }
+  },
+  // ============================================
+  // CRITICAL: Hardcoded secrets
+  // More specific patterns to reduce false positives
+  // ============================================
+  {
+    pattern: "password = '",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded password in string",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: 'password = "',
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded password in string",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: "password: '",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded password in config",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: 'password: "',
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded password in config",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: "api_key = '",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded API key",
+      cwe: "CWE-798",
+      fix: "Use environment variables"
+    }
+  },
+  {
+    pattern: 'api_key = "',
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded API key",
+      cwe: "CWE-798",
+      fix: "Use environment variables"
+    }
+  },
+  {
+    pattern: "apiKey: '",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded API key in config",
+      cwe: "CWE-798",
+      fix: "Use environment variables"
+    }
+  },
+  {
+    pattern: 'apiKey: "',
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded API key in config",
+      cwe: "CWE-798",
+      fix: "Use environment variables"
+    }
+  },
+  {
+    pattern: "secret = '",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded secret",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: 'secret = "',
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "Hardcoded secret",
+      cwe: "CWE-798",
+      fix: "Use environment variables or secret management"
+    }
+  },
+  {
+    pattern: "AWS_SECRET_ACCESS_KEY=",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "secrets",
+      description: "AWS secret key assignment",
+      cwe: "CWE-798",
+      fix: "Use IAM roles or AWS Secrets Manager"
+    }
+  },
+  {
+    pattern: "'Bearer ",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "secrets",
+      description: "Hardcoded bearer token in string",
+      cwe: "CWE-798",
+      fix: "Use environment variables for tokens"
+    }
+  },
+  {
+    pattern: '"Bearer ',
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "secrets",
+      description: "Hardcoded bearer token in string",
+      cwe: "CWE-798",
+      fix: "Use environment variables for tokens"
+    }
+  },
+  // ============================================
+  // SERIOUS: Authentication issues
+  // ============================================
+  {
+    pattern: "password ==",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "auth",
+      description: "Plain text password comparison",
+      cwe: "CWE-256",
+      fix: "Use bcrypt.compare() or similar secure comparison"
+    }
+  },
+  {
+    pattern: "password ===",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "auth",
+      description: "Plain text password comparison",
+      cwe: "CWE-256",
+      fix: "Use bcrypt.compare() or similar secure comparison"
+    }
+  },
+  {
+    pattern: "MD5(",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "crypto",
+      description: "MD5 is cryptographically broken",
+      cwe: "CWE-328",
+      fix: "Use SHA-256 or bcrypt for passwords"
+    }
+  },
+  {
+    pattern: "md5(",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "crypto",
+      description: "MD5 is cryptographically broken",
+      cwe: "CWE-328",
+      fix: "Use SHA-256 or bcrypt for passwords"
+    }
+  },
+  {
+    pattern: "SHA1(",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "crypto",
+      description: "SHA1 is deprecated for security use",
+      cwe: "CWE-328",
+      fix: "Use SHA-256 or stronger"
+    }
+  },
+  {
+    pattern: "sha1(",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "crypto",
+      description: "SHA1 is deprecated for security use",
+      cwe: "CWE-328",
+      fix: "Use SHA-256 or stronger"
+    }
+  },
+  {
+    pattern: "Math.random()",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "crypto",
+      description: "Math.random() is not cryptographically secure",
+      cwe: "CWE-338",
+      fix: "Use crypto.randomBytes() or crypto.getRandomValues()"
+    }
+  },
+  // ============================================
+  // SERIOUS: Insecure configurations
+  // ============================================
+  {
+    pattern: "cors: true",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "config",
+      description: "CORS enabled - verify origin restrictions",
+      cwe: "CWE-942",
+      fix: "Specify allowed origins explicitly"
+    }
+  },
+  {
+    pattern: "origin: '*'",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "config",
+      description: "CORS allows all origins",
+      cwe: "CWE-942",
+      fix: "Restrict to specific trusted origins"
+    }
+  },
+  {
+    pattern: 'origin: "*"',
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "config",
+      description: "CORS allows all origins",
+      cwe: "CWE-942",
+      fix: "Restrict to specific trusted origins"
+    }
+  },
+  {
+    pattern: "secure: false",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "config",
+      description: "Insecure cookie/connection setting",
+      cwe: "CWE-614",
+      fix: "Set secure: true in production"
+    }
+  },
+  {
+    pattern: "httpOnly: false",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "config",
+      description: "Cookie accessible to JavaScript",
+      cwe: "CWE-1004",
+      fix: "Set httpOnly: true to prevent XSS cookie theft"
+    }
+  },
+  {
+    pattern: "rejectUnauthorized: false",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "config",
+      description: "TLS certificate validation disabled",
+      cwe: "CWE-295",
+      fix: "Enable certificate validation in production"
+    }
+  },
+  {
+    pattern: "NODE_TLS_REJECT_UNAUTHORIZED",
+    metadata: {
+      type: "vulnerability",
+      severity: "critical",
+      category: "config",
+      description: "TLS validation may be disabled",
+      cwe: "CWE-295",
+      fix: "Never disable TLS validation in production"
+    }
+  },
+  // ============================================
+  // MODERATE: Common bugs and issues
+  // ============================================
+  {
+    pattern: ".forEach(async",
+    metadata: {
+      type: "vulnerability",
+      severity: "serious",
+      category: "async",
+      description: "async forEach does not await - unexpected behavior",
+      cwe: "CWE-703",
+      fix: "Use for...of loop or Promise.all(arr.map())"
+    }
+  },
+  {
+    pattern: "JSON.parse(",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "error-handling",
+      description: "JSON.parse can throw - needs try/catch",
+      cwe: "CWE-755",
+      fix: "Wrap in try/catch block"
+    }
+  },
+  {
+    pattern: "atob(",
+    metadata: {
+      type: "vulnerability",
+      severity: "low",
+      category: "encoding",
+      description: "atob can throw on invalid input",
+      cwe: "CWE-755",
+      fix: "Wrap in try/catch and validate input"
+    }
+  },
+  // ============================================
+  // Privacy & Compliance patterns
+  // ============================================
+  {
+    pattern: "console.log(",
+    metadata: {
+      type: "vulnerability",
+      severity: "low",
+      category: "logging",
+      description: "Console logging - may leak sensitive data",
+      cwe: "CWE-532",
+      fix: "Remove or replace with proper logging in production"
+    }
+  },
+  {
+    pattern: "localStorage.setItem",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "storage",
+      description: "localStorage is accessible to XSS attacks",
+      cwe: "CWE-922",
+      fix: "Avoid storing sensitive data in localStorage"
+    }
+  },
+  {
+    pattern: "sessionStorage.setItem",
+    metadata: {
+      type: "vulnerability",
+      severity: "moderate",
+      category: "storage",
+      description: "sessionStorage is accessible to XSS attacks",
+      cwe: "CWE-922",
+      fix: "Avoid storing sensitive data in sessionStorage"
+    }
+  }
+];
+var vulnerabilityTrie = null;
+function getVulnerabilityTrie() {
+  if (!vulnerabilityTrie) {
+    vulnerabilityTrie = new AhoCorasick();
+    for (const { pattern, metadata } of VULNERABILITY_PATTERNS) {
+      vulnerabilityTrie.addPattern(pattern, metadata, metadata);
+    }
+    vulnerabilityTrie.build();
+    console.error(`   \u{1F527} Loaded ${VULNERABILITY_PATTERNS.length} vulnerability signatures into trie`);
+  }
+  return vulnerabilityTrie;
+}
+function scanForVulnerabilities(code, filePath) {
+  if (shouldAlwaysExcludeFile(filePath)) {
+    return [];
+  }
+  const trie = getVulnerabilityTrie();
+  const rawMatches = trie.search(code);
+  const lines = code.split("\n");
+  const matches = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const match of rawMatches) {
+    const key = `${match.line}:${match.pattern}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    const meta = match.metadata;
+    if (shouldExcludeFile(filePath, meta.category || "")) continue;
+    if (isFalsePositive(code, match, filePath, lines)) continue;
+    const vulnMatch = {
+      pattern: match.pattern,
+      line: match.line,
+      column: match.column,
+      severity: meta.severity,
+      category: meta.category || "unknown",
+      description: meta.description || "",
+      fix: meta.fix || ""
+    };
+    if (meta.cwe !== void 0) {
+      vulnMatch.cwe = meta.cwe;
+    }
+    matches.push(vulnMatch);
+  }
+  return matches;
+}
+function getSurroundingLines(lines, lineNum, range = 3) {
+  const start = Math.max(0, lineNum - range - 1);
+  const end = Math.min(lines.length, lineNum + range);
+  return lines.slice(start, end);
+}
+function isFalsePositive(_code, match, filePath, lines) {
+  const line = lines[match.line - 1] || "";
+  const trimmedLine = line.trim();
+  const pattern = match.pattern;
+  const category = match.metadata?.category || "";
+  if (filePath.includes("signature") || filePath.includes("patterns") || filePath.includes("rules")) {
+    if (/pattern\s*[:=]/.test(line)) {
+      return true;
+    }
+  }
+  if (/^\s*(pattern|regex|rule|signature)\s*[:=]/.test(trimmedLine)) {
+    return true;
+  }
+  if (isTestFile(filePath)) {
+    if (category === "secrets") {
+      if (/test|mock|fake|dummy|example|fixture|sample|placeholder/i.test(line)) {
+        return true;
+      }
+      if (/'[a-z_]*password[a-z_0-9]*'|"[a-z_]*password[a-z_0-9]*"|'[a-z_]*secret[a-z_0-9]*'|"[a-z_]*secret[a-z_0-9]*"/i.test(line)) {
+        return true;
+      }
+      if (/sk-[a-z0-9]{10,20}"|'sk-[a-z0-9]{10,20}'|api[_-]?key.*['"][a-z0-9_-]{5,30}['"]/i.test(line)) {
+        return true;
+      }
+    }
+    return true;
+  }
+  if (trimmedLine.startsWith("//") || trimmedLine.startsWith("*") || trimmedLine.startsWith("/*") || trimmedLine.startsWith("#") || trimmedLine.startsWith("<!--")) {
+    return true;
+  }
+  if (/^\s*\*\s/.test(line) || /@(param|returns|example|description|see|link)/i.test(line)) {
+    return true;
+  }
+  if (/^\s*(description|fix|message|help|hint|reason|why)\s*[:=]/.test(trimmedLine)) {
+    return true;
+  }
+  if (/^\s*(interface|type|export\s+interface|export\s+type)\s/.test(line)) {
+    return true;
+  }
+  if (/:\s*(string|number|boolean|any|unknown|null|undefined|void)\s*(;|,|\)|$)/.test(line)) {
+    return true;
+  }
+  if (/^\s*\w+\s*\??\s*:\s*(string|number|boolean|any)/.test(trimmedLine)) {
+    return true;
+  }
+  if (/process\.env|import\.meta\.env|getenv|os\.environ|Deno\.env|\.env\.|config\.\w+|settings\.\w+/.test(line)) {
+    return true;
+  }
+  if (filePath.endsWith("package-lock.json") || filePath.endsWith("yarn.lock") || filePath.endsWith("pnpm-lock.yaml") || filePath.includes("node_modules/")) {
+    return true;
+  }
+  if (/^\s*(severity|category|type|level|priority|cwe|owasp)\s*:\s*['"]/.test(trimmedLine)) {
+    return true;
+  }
+  if (category === "sql-injection") {
+    const surroundingLines = getSurroundingLines(lines, match.line);
+    if (!isInSQLContext(line, surroundingLines)) {
+      return true;
+    }
+  }
+  if (category === "secrets" || category === "auth") {
+    if (/\(\s*[^)]*\w+\s*:\s*(string|any)/.test(line)) {
+      return true;
+    }
+    if (/\{\s*\w*password\w*\s*(,|\}|:)/.test(line) && !/'|"|`/.test(line.split(/password/i)[1] || "")) {
+      return true;
+    }
+    if (/=\s*(process\.env|config\.|options\.|settings\.|env\.)/.test(line)) {
+      return true;
+    }
+    if (/password\s*[=:](?!\s*['"`])/.test(line)) {
+      return true;
+    }
+    if (/password\s*=\s*\w+(\.|$)/.test(line) && !/'|"|`/.test(line)) {
+      return true;
+    }
+    if (/error|message|log|warn|info|debug|throw|new Error/i.test(line)) {
+      return true;
+    }
+    if (/regex|RegExp|\/.*password.*\//i.test(line)) {
+      return true;
+    }
+  }
+  if (category === "logging") {
+    if (pattern === "console.error(" || pattern === "console.warn(") {
+      return true;
+    }
+    if (/catch|error|err\b/.test(line)) {
+      return true;
+    }
+  }
+  if (category === "config") {
+    if (/secure:\s*true/.test(line) || /httpOnly:\s*true/.test(line)) {
+      return true;
+    }
+    if (/NODE_ENV|process\.env|production|development/.test(line)) {
+      return true;
+    }
+    if (/if\s*\(|ternary|\?.*:/.test(line)) {
+      return true;
+    }
+  }
+  if (category === "crypto") {
+    if (/checksum|hash.*file|etag|cache.*key|fingerprint|integrity|content.*hash/i.test(line)) {
+      return true;
+    }
+    if (pattern === "Math.random()") {
+      if (!/token|secret|password|key|auth|session|csrf|nonce/i.test(line)) {
+        return true;
+      }
+    }
+  }
+  if (category === "async") {
+    if (/\/\/.*intentional|\/\/.*fire.?and.?forget|\/\/.*parallel/i.test(line)) {
+      return true;
+    }
+  }
+  if (/password.*length|validate.*password|check.*password|verify.*password|is.*valid/i.test(line)) {
+    return true;
+  }
+  if (/bcrypt|argon|scrypt|pbkdf|compare.*hash|hash.*compare|verify.*hash/i.test(line)) {
+    return true;
+  }
+  if (/z\.|yup\.|joi\.|schema|validation|validator/i.test(line)) {
+    return true;
+  }
+  if (/^\s*(import|require|from)\s/.test(trimmedLine)) {
+    return true;
+  }
+  if (/example|demo|sample|tutorial|readme/i.test(filePath)) {
+    return true;
+  }
+  return false;
+}
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || /__tests__\//.test(filePath) || /test\//.test(filePath) || /tests\//.test(filePath) || /\.stories\.[jt]sx?$/.test(filePath);
+}
+function getVulnerabilityStats() {
+  const byCategory = {};
+  const bySeverity = {};
+  for (const { metadata } of VULNERABILITY_PATTERNS) {
+    const cat = metadata.category || "unknown";
+    const sev = metadata.severity || "unknown";
+    byCategory[cat] = (byCategory[cat] || 0) + 1;
+    bySeverity[sev] = (bySeverity[sev] || 0) + 1;
+  }
+  return {
+    total: VULNERABILITY_PATTERNS.length,
+    byCategory,
+    bySeverity
+  };
+}
+
+export {
+  shouldAlwaysExcludeFile,
+  shouldExcludeFile,
+  getVulnerabilityTrie,
+  scanForVulnerabilities,
+  getVulnerabilityStats
+};
+//# sourceMappingURL=chunk-MR755QGT.js.map