@triedotdev/mcp 1.0.92 → 1.0.93

Files changed (34) hide show
  1. package/dist/{chunk-FK3DUQ5T.js → chunk-5Z7O66DE.js} +56 -5
  2. package/dist/chunk-5Z7O66DE.js.map +1 -0
  3. package/dist/{chunk-5DQLHWTT.js → chunk-BG2BHWCC.js} +65 -18
  4. package/dist/chunk-BG2BHWCC.js.map +1 -0
  5. package/dist/{chunk-R6YM6YSV.js → chunk-CUXXRM3T.js} +2 -2
  6. package/dist/{chunk-P6XMIUD7.js → chunk-F55XBLIA.js} +3 -3
  7. package/dist/{chunk-76Q5DMYV.js → chunk-IOUOVBJZ.js} +21 -5
  8. package/dist/chunk-IOUOVBJZ.js.map +1 -0
  9. package/dist/{chunk-IYMJTY27.js → chunk-LVVG2DMW.js} +61 -6
  10. package/dist/{chunk-IYMJTY27.js.map → chunk-LVVG2DMW.js.map} +1 -1
  11. package/dist/{chunk-PSVRO76R.js → chunk-MZI46HQT.js} +2 -2
  12. package/dist/{chunk-3HDWOSLX.js → chunk-R6AUYN3R.js} +88 -34
  13. package/dist/{chunk-3HDWOSLX.js.map → chunk-R6AUYN3R.js.map} +1 -1
  14. package/dist/{chunk-ZOKQJZKN.js → chunk-YTJXD664.js} +6 -6
  15. package/dist/cli/main.js +7 -7
  16. package/dist/cli/yolo-daemon.js +8 -8
  17. package/dist/{git-5WJHCMNO.js → git-PZV3BBYI.js} +2 -2
  18. package/dist/{guardian-agent-IXG3YWFP.js → guardian-agent-ZHJXLBOU.js} +5 -5
  19. package/dist/index.js +12 -12
  20. package/dist/{vibe-code-signatures-MHFK5KXF.js → vibe-code-signatures-K4UIWKJZ.js} +2 -2
  21. package/dist/{vulnerability-signatures-DRIYDFG3.js → vulnerability-signatures-ZKVLMBRG.js} +2 -2
  22. package/dist/workers/agent-worker.js +2 -2
  23. package/package.json +1 -1
  24. package/dist/chunk-5DQLHWTT.js.map +0 -1
  25. package/dist/chunk-76Q5DMYV.js.map +0 -1
  26. package/dist/chunk-FK3DUQ5T.js.map +0 -1
  27. /package/dist/{chunk-R6YM6YSV.js.map → chunk-CUXXRM3T.js.map} +0 -0
  28. /package/dist/{chunk-P6XMIUD7.js.map → chunk-F55XBLIA.js.map} +0 -0
  29. /package/dist/{chunk-PSVRO76R.js.map → chunk-MZI46HQT.js.map} +0 -0
  30. /package/dist/{chunk-ZOKQJZKN.js.map → chunk-YTJXD664.js.map} +0 -0
  31. /package/dist/{git-5WJHCMNO.js.map → git-PZV3BBYI.js.map} +0 -0
  32. /package/dist/{guardian-agent-IXG3YWFP.js.map → guardian-agent-ZHJXLBOU.js.map} +0 -0
  33. /package/dist/{vibe-code-signatures-MHFK5KXF.js.map → vibe-code-signatures-K4UIWKJZ.js.map} +0 -0
  34. /package/dist/{vulnerability-signatures-DRIYDFG3.js.map → vulnerability-signatures-ZKVLMBRG.js.map} +0 -0
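--- a/package/dist/chunk-FK3DUQ5T.js
+++ b/package/dist/chunk-5Z7O66DE.js
@@ -11,19 +11,39 @@ var ALWAYS_EXCLUDED_FILES = [
  // CRITICAL: Never scan ourselves!
  /vibe-code-signatures\.[jt]s$/,
  // Never scan signature files
+ /legal\.[jt]s$/,
+ // Legal skill contains detection patterns
+ /security-scanner\.[jt]s$/,
+ // Security scanner contains patterns
+ /agent-smith\.[jt]s$/,
+ // Agent Smith contains patterns
+ /security\.[jt]s$/,
+ // Security skill
+ /privacy\.[jt]s$/,
+ // Privacy skill
+ /soc2\.[jt]s$/,
+ // SOC2 skill
+ /skills[\/\\]built-in[\/\\]/,
+ // Never scan Trie's own skill implementations
+ /skills[\/\\].*\.[jt]s$/,
+ // Never scan any skills directory
+ /trie-agents?[\/\\]src[\/\\]/,
+ // Never scan Trie's source when installed as dependency
+ /trie-agents?[\/\\]dist[\/\\]/,
+ // Never scan Trie's dist when installed
  /package-lock\.json$/,
  // Lock files
  /yarn\.lock$/,
  /pnpm-lock\.yaml$/,
- /node_modules\//,
+ /node_modules[\/\\]/,
  // Dependencies
  /\.d\.ts$/,
  // Type definitions
  /\.min\.[jt]s$/,
  // Minified files
- /dist\//,
+ /dist[\/\\]/,
  // Build output
- /build\//
+ /build[\/\\]/
  ];
  var EXCLUDED_FILE_PATTERNS = [
  /\.test\.[jt]sx?$/,
@@ -50,7 +70,38 @@ var EXCLUDED_FILE_PATTERNS = [
  // Mock files
  ];
  function shouldAlwaysExcludeFile(filePath) {
- return ALWAYS_EXCLUDED_FILES.some((pattern) => pattern.test(filePath));
+ const normalizedPath = filePath.replace(/\\/g, "/");
+ if (ALWAYS_EXCLUDED_FILES.some((pattern) => pattern.test(normalizedPath))) {
+ return true;
+ }
+ if (normalizedPath.includes("trie") && normalizedPath.includes("/src/")) {
+ return true;
+ }
+ const fileName = normalizedPath.split("/").pop() || "";
+ const TRIE_SCANNER_FILES = [
+ "vulnerability-signatures.ts",
+ "vulnerability-signatures.js",
+ "vibe-code-signatures.ts",
+ "vibe-code-signatures.js",
+ "legal.ts",
+ "legal.js",
+ "security-scanner.ts",
+ "security-scanner.js",
+ "agent-smith.ts",
+ "agent-smith.js",
+ "security.ts",
+ "security.js",
+ "privacy.ts",
+ "privacy.js",
+ "soc2.ts",
+ "soc2.js"
+ ];
+ if (TRIE_SCANNER_FILES.includes(fileName)) {
+ if (normalizedPath.includes("/skills/") || normalizedPath.includes("/trie/")) {
+ return true;
+ }
+ }
+ return false;
  }
  function shouldExcludeFile(filePath, patternCategory) {
  if (shouldAlwaysExcludeFile(filePath)) {
@@ -929,4 +980,4 @@ export {
  scanForVulnerabilities,
  getVulnerabilityStats
  };
- //# sourceMappingURL=chunk-FK3DUQ5T.js.map
+ //# sourceMappingURL=chunk-5Z7O66DE.js.map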
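Review bot: The new exclusions in `shouldAlwaysExcludeFile` are wide enough to skip user code silently, which shows up as scanner false negatives: `normalizedPath.includes("trie") && normalizedPath.includes("/src/")` is a substring test, so a project path that merely contains those letters (a directory named `retriever` or `entries`, say) is never scanned. The unanchored entries `/security\.[jt]s$/`, `/privacy\.[jt]s$/`, `/legal\.[jt]s$/`, `/soc2\.[jt]s$/` and `/skills[\/\\].*\.[jt]s$/` added to `ALWAYS_EXCLUDED_FILES` also match a user's own `security.js` or `skills/` tree, and because they return true first, the `/skills/`-or-`/trie/` guard on `TRIE_SCANNER_FILES` never narrows anything. I would drop the bare filename regexes and the substring test, keep `/trie-agents?[\/\\]src[\/\\]/`, `/trie-agents?[\/\\]dist[\/\\]/` and the guarded filename list, and add a comment above the array such as `// Excluded paths produce no findings; keep every entry scoped to Trie's own install path`. The opening lines of `ALWAYS_EXCLUDED_FILES` are outside the hunk, so the entry for the scanner's own signature file is not visible here.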
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/trie/vulnerability-signatures.ts"],"sourcesContent":["/**\n * Vulnerability Signature Database\n * \n * Pre-indexed security patterns using Aho-Corasick for O(n + z) scanning\n * where n = file size, z = number of matches.\n * \n * This is MUCH faster than running 100+ regex patterns on every file.\n * \n * IMPROVEMENTS (v2):\n * - Context-aware pattern matching to reduce false positives\n * - File path exclusions for test/lock files\n * - SQL injection detection only in SQL contexts\n * - Better secret detection avoiding package names/URLs\n */\n\nimport { AhoCorasick, PatternMetadata } from './trie.js';\nimport { isInteractiveMode } from '../utils/progress.js';\n\nexport interface VulnerabilityMatch {\n pattern: string;\n line: number;\n column: number;\n severity: 'critical' | 'serious' | 'moderate' | 'low';\n category: string;\n description: string;\n cwe?: string;\n fix: string;\n}\n\n/**\n * Files/patterns to ALWAYS exclude from scanning (never any false positives from these)\n */\nconst ALWAYS_EXCLUDED_FILES = [\n /vulnerability-signatures\\.[jt]s$/, // CRITICAL: Never scan ourselves!\n /vibe-code-signatures\\.[jt]s$/, // Never scan signature files\n /legal\\.[jt]s$/, // Legal skill contains detection patterns\n /security-scanner\\.[jt]s$/, // Security scanner contains patterns\n /agent-smith\\.[jt]s$/, // Agent Smith contains patterns\n /security\\.[jt]s$/, // Security skill\n /privacy\\.[jt]s$/, // Privacy skill\n /soc2\\.[jt]s$/, // SOC2 skill\n /skills[\\/\\\\]built-in[\\/\\\\]/, // Never scan Trie's own skill implementations\n /skills[\\/\\\\].*\\.[jt]s$/, // Never scan any skills directory\n /trie-agents?[\\/\\\\]src[\\/\\\\]/, // Never scan Trie's source when installed as dependency\n /trie-agents?[\\/\\\\]dist[\\/\\\\]/, // Never scan Trie's dist when installed\n /package-lock\\.json$/, // Lock files\n /yarn\\.lock$/,\n /pnpm-lock\\.yaml$/,\n /node_modules[\\/\\\\]/, // Dependencies\n /\\.d\\.ts$/, // Type 
definitions\n /\\.min\\.[jt]s$/, // Minified files\n /dist[\\/\\\\]/, // Build output\n /build[\\/\\\\]/,\n];\n\n/**\n * Files to exclude from non-critical checks (test files, examples, etc.)\n */\nconst EXCLUDED_FILE_PATTERNS = [\n /\\.test\\.[jt]sx?$/, // Test files\n /\\.spec\\.[jt]sx?$/, // Spec files\n /__tests__\\//, // Test directories\n /\\/test\\//, // test/ directory\n /\\/tests\\//, // tests/ directory\n /\\.stories\\.[jt]sx?$/, // Storybook files\n /\\.config\\.[jt]s$/, // Config files\n /example/i, // Example files\n /demo/i, // Demo files\n /fixture/i, // Test fixtures\n /mock/i, // Mock files\n];\n\n/**\n * Check if a file should be completely excluded from scanning\n */\nexport function shouldAlwaysExcludeFile(filePath: string): boolean {\n // Normalize path to use forward slashes for consistent matching\n const normalizedPath = filePath.replace(/\\\\/g, '/');\n \n // Check against exclusion patterns\n if (ALWAYS_EXCLUDED_FILES.some(pattern => pattern.test(normalizedPath))) {\n return true;\n }\n \n // Also exclude files in Trie's source directories (handles both installed and development)\n if (normalizedPath.includes('trie') && normalizedPath.includes('/src/')) {\n return true;\n }\n \n // Exclude specific Trie scanner/skill files by filename (regardless of path)\n const fileName = normalizedPath.split('/').pop() || '';\n const TRIE_SCANNER_FILES = [\n 'vulnerability-signatures.ts', 'vulnerability-signatures.js',\n 'vibe-code-signatures.ts', 'vibe-code-signatures.js',\n 'legal.ts', 'legal.js',\n 'security-scanner.ts', 'security-scanner.js',\n 'agent-smith.ts', 'agent-smith.js',\n 'security.ts', 'security.js',\n 'privacy.ts', 'privacy.js',\n 'soc2.ts', 'soc2.js',\n ];\n if (TRIE_SCANNER_FILES.includes(fileName)) {\n // Only exclude if it looks like it's in a skills/trie directory\n if (normalizedPath.includes('/skills/') || normalizedPath.includes('/trie/')) {\n return true;\n }\n }\n \n return false;\n}\n\n/**\n * Check if a file should be 
excluded from certain checks\n */\nexport function shouldExcludeFile(filePath: string, patternCategory: string): boolean {\n // CRITICAL: Always exclude signature files - never flag ourselves!\n if (shouldAlwaysExcludeFile(filePath)) {\n return true;\n }\n \n // For secrets in test files, we need extra context checking (done elsewhere)\n // Don't auto-exclude test files for secrets here, let isFalsePositive handle it\n if (patternCategory === 'secrets' || patternCategory === 'exposed-secrets') {\n return false;\n }\n \n // Exclude certain file types from non-critical checks\n return EXCLUDED_FILE_PATTERNS.some(pattern => pattern.test(filePath));\n}\n\n/**\n * SQL-related keywords that indicate a SQL context\n */\nconst SQL_CONTEXT_KEYWORDS = [\n 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'FROM', 'WHERE', 'JOIN',\n 'query', 'execute', 'sql', 'prisma', 'knex', 'sequelize',\n 'createQueryBuilder', 'rawQuery', '.raw('\n];\n\n/**\n * Check if a line is in a SQL context\n */\nfunction isInSQLContext(line: string, surroundingLines: string[]): boolean {\n const allContent = [line, ...surroundingLines].join(' ').toLowerCase();\n return SQL_CONTEXT_KEYWORDS.some(keyword => \n allContent.includes(keyword.toLowerCase())\n );\n}\n\n/**\n * Security vulnerability patterns organized by category\n */\nconst VULNERABILITY_PATTERNS: Array<{\n pattern: string;\n metadata: PatternMetadata;\n}> = [\n // ============================================\n // CRITICAL: Injection vulnerabilities\n // ============================================\n {\n pattern: 'eval(',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'injection',\n description: 'eval() can execute arbitrary code - potential RCE',\n cwe: 'CWE-95',\n fix: 'Use safer alternatives like JSON.parse() or a sandboxed interpreter',\n },\n },\n {\n pattern: 'new Function(',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'injection',\n description: 'new Function() can execute arbitrary 
code',\n cwe: 'CWE-95',\n fix: 'Avoid dynamic function creation from user input',\n },\n },\n {\n pattern: 'exec(',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'injection',\n description: 'Command execution - potential command injection',\n cwe: 'CWE-78',\n fix: 'Use parameterized commands and validate/sanitize all inputs',\n },\n },\n {\n pattern: 'execSync(',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'injection',\n description: 'Synchronous command execution - potential injection',\n cwe: 'CWE-78',\n fix: 'Use spawn with argument arrays instead of shell strings',\n },\n },\n {\n pattern: 'spawn(',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'injection',\n description: 'Process spawn - verify inputs are sanitized',\n cwe: 'CWE-78',\n fix: 'Use shell: false and pass arguments as array',\n },\n },\n {\n pattern: 'child_process',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'injection',\n description: 'Child process module - review for command injection',\n cwe: 'CWE-78',\n fix: 'Validate all inputs passed to child processes',\n },\n },\n\n // ============================================\n // CRITICAL: SQL Injection patterns\n // NOTE: ${} is NOT flagged here - we check SQL context in isFalsePositive\n // ============================================\n {\n pattern: 'SELECT * FROM',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'sql-injection',\n description: 'Raw SQL query detected - verify parameterization',\n cwe: 'CWE-89',\n fix: 'Use ORM or parameterized queries',\n },\n },\n {\n pattern: 'INSERT INTO',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'sql-injection',\n description: 'Raw SQL INSERT - verify parameterization',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries',\n },\n },\n {\n pattern: 'DELETE FROM',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n 
category: 'sql-injection',\n description: 'Raw SQL DELETE - verify parameterization',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries',\n },\n },\n {\n pattern: '.raw(`',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'sql-injection',\n description: 'Raw query with template literal - high injection risk',\n cwe: 'CWE-89',\n fix: 'Avoid raw queries with interpolation or use proper escaping',\n },\n },\n {\n pattern: \".raw('\",\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'sql-injection',\n description: 'Raw query method - verify for injection risk',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries instead of raw SQL',\n },\n },\n {\n pattern: '.raw(\"',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'sql-injection',\n description: 'Raw query method - verify for injection risk',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries instead of raw SQL',\n },\n },\n {\n pattern: '`SELECT',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'sql-injection',\n description: 'SQL in template literal - check for injection',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries with placeholders',\n },\n },\n {\n pattern: '`INSERT',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'sql-injection',\n description: 'SQL INSERT in template literal - check for injection',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries with placeholders',\n },\n },\n {\n pattern: '`UPDATE',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'sql-injection',\n description: 'SQL UPDATE in template literal - check for injection',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries with placeholders',\n },\n },\n {\n pattern: '`DELETE',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'sql-injection',\n description: 'SQL DELETE in template literal - check for injection',\n cwe: 'CWE-89',\n fix: 'Use parameterized queries 
with placeholders',\n },\n },\n\n // ============================================\n // CRITICAL: XSS vulnerabilities\n // ============================================\n {\n pattern: 'innerHTML',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'innerHTML can inject malicious scripts',\n cwe: 'CWE-79',\n fix: 'Use textContent or sanitize HTML with DOMPurify',\n },\n },\n {\n pattern: 'outerHTML',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'outerHTML can inject malicious scripts',\n cwe: 'CWE-79',\n fix: 'Avoid outerHTML with user input',\n },\n },\n {\n pattern: 'document.write',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'document.write can inject malicious content',\n cwe: 'CWE-79',\n fix: 'Use DOM methods like createElement instead',\n },\n },\n {\n pattern: 'dangerouslySetInnerHTML',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'React dangerouslySetInnerHTML - XSS risk',\n cwe: 'CWE-79',\n fix: 'Sanitize with DOMPurify before using',\n },\n },\n {\n pattern: 'v-html',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'Vue v-html directive - XSS risk',\n cwe: 'CWE-79',\n fix: 'Sanitize content or use v-text',\n },\n },\n {\n pattern: '[innerHTML]',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'xss',\n description: 'Angular innerHTML binding - XSS risk',\n cwe: 'CWE-79',\n fix: 'Use Angular DomSanitizer',\n },\n },\n\n // ============================================\n // CRITICAL: Hardcoded secrets\n // More specific patterns to reduce false positives\n // ============================================\n {\n pattern: \"password = '\",\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded password in string',\n cwe: 'CWE-798',\n fix: 
'Use environment variables or secret management',\n },\n },\n {\n pattern: 'password = \"',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded password in string',\n cwe: 'CWE-798',\n fix: 'Use environment variables or secret management',\n },\n },\n {\n pattern: \"password: '\",\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded password in config',\n cwe: 'CWE-798',\n fix: 'Use environment variables or secret management',\n },\n },\n {\n pattern: 'password: \"',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded password in config',\n cwe: 'CWE-798',\n fix: 'Use environment variables or secret management',\n },\n },\n {\n pattern: \"api_key = '\",\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded API key',\n cwe: 'CWE-798',\n fix: 'Use environment variables',\n },\n },\n {\n pattern: 'api_key = \"',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded API key',\n cwe: 'CWE-798',\n fix: 'Use environment variables',\n },\n },\n {\n pattern: \"apiKey: '\",\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded API key in config',\n cwe: 'CWE-798',\n fix: 'Use environment variables',\n },\n },\n {\n pattern: 'apiKey: \"',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded API key in config',\n cwe: 'CWE-798',\n fix: 'Use environment variables',\n },\n },\n {\n pattern: \"secret = '\",\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded secret',\n cwe: 'CWE-798',\n fix: 'Use environment variables or secret management',\n },\n },\n {\n pattern: 'secret = \"',\n metadata: {\n type: 
'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'Hardcoded secret',\n cwe: 'CWE-798',\n fix: 'Use environment variables or secret management',\n },\n },\n {\n pattern: 'AWS_SECRET_ACCESS_KEY=',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'secrets',\n description: 'AWS secret key assignment',\n cwe: 'CWE-798',\n fix: 'Use IAM roles or AWS Secrets Manager',\n },\n },\n {\n pattern: \"'Bearer \",\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'secrets',\n description: 'Hardcoded bearer token in string',\n cwe: 'CWE-798',\n fix: 'Use environment variables for tokens',\n },\n },\n {\n pattern: '\"Bearer ',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'secrets',\n description: 'Hardcoded bearer token in string',\n cwe: 'CWE-798',\n fix: 'Use environment variables for tokens',\n },\n },\n\n // ============================================\n // SERIOUS: Authentication issues\n // ============================================\n {\n pattern: 'password ==',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'auth',\n description: 'Plain text password comparison',\n cwe: 'CWE-256',\n fix: 'Use bcrypt.compare() or similar secure comparison',\n },\n },\n {\n pattern: 'password ===',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'auth',\n description: 'Plain text password comparison',\n cwe: 'CWE-256',\n fix: 'Use bcrypt.compare() or similar secure comparison',\n },\n },\n {\n pattern: 'MD5(',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'crypto',\n description: 'MD5 is cryptographically broken',\n cwe: 'CWE-328',\n fix: 'Use SHA-256 or bcrypt for passwords',\n },\n },\n {\n pattern: 'md5(',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'crypto',\n description: 'MD5 is cryptographically broken',\n cwe: 'CWE-328',\n fix: 'Use SHA-256 or bcrypt for 
passwords',\n },\n },\n {\n pattern: 'SHA1(',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'crypto',\n description: 'SHA1 is deprecated for security use',\n cwe: 'CWE-328',\n fix: 'Use SHA-256 or stronger',\n },\n },\n {\n pattern: 'sha1(',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'crypto',\n description: 'SHA1 is deprecated for security use',\n cwe: 'CWE-328',\n fix: 'Use SHA-256 or stronger',\n },\n },\n {\n pattern: 'Math.random()',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'crypto',\n description: 'Math.random() is not cryptographically secure',\n cwe: 'CWE-338',\n fix: 'Use crypto.randomBytes() or crypto.getRandomValues()',\n },\n },\n\n // ============================================\n // SERIOUS: Insecure configurations\n // ============================================\n {\n pattern: 'cors: true',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'config',\n description: 'CORS enabled - verify origin restrictions',\n cwe: 'CWE-942',\n fix: 'Specify allowed origins explicitly',\n },\n },\n {\n pattern: \"origin: '*'\",\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'config',\n description: 'CORS allows all origins',\n cwe: 'CWE-942',\n fix: 'Restrict to specific trusted origins',\n },\n },\n {\n pattern: 'origin: \"*\"',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'config',\n description: 'CORS allows all origins',\n cwe: 'CWE-942',\n fix: 'Restrict to specific trusted origins',\n },\n },\n {\n pattern: 'secure: false',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'config',\n description: 'Insecure cookie/connection setting',\n cwe: 'CWE-614',\n fix: 'Set secure: true in production',\n },\n },\n {\n pattern: 'httpOnly: false',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'config',\n description: 'Cookie accessible to 
JavaScript',\n cwe: 'CWE-1004',\n fix: 'Set httpOnly: true to prevent XSS cookie theft',\n },\n },\n {\n pattern: 'rejectUnauthorized: false',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'config',\n description: 'TLS certificate validation disabled',\n cwe: 'CWE-295',\n fix: 'Enable certificate validation in production',\n },\n },\n {\n pattern: 'NODE_TLS_REJECT_UNAUTHORIZED',\n metadata: {\n type: 'vulnerability',\n severity: 'critical',\n category: 'config',\n description: 'TLS validation may be disabled',\n cwe: 'CWE-295',\n fix: 'Never disable TLS validation in production',\n },\n },\n\n // ============================================\n // MODERATE: Common bugs and issues\n // ============================================\n {\n pattern: '.forEach(async',\n metadata: {\n type: 'vulnerability',\n severity: 'serious',\n category: 'async',\n description: 'async forEach does not await - unexpected behavior',\n cwe: 'CWE-703',\n fix: 'Use for...of loop or Promise.all(arr.map())',\n },\n },\n {\n pattern: 'JSON.parse(',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'error-handling',\n description: 'JSON.parse can throw - needs try/catch',\n cwe: 'CWE-755',\n fix: 'Wrap in try/catch block',\n },\n },\n {\n pattern: 'atob(',\n metadata: {\n type: 'vulnerability',\n severity: 'low',\n category: 'encoding',\n description: 'atob can throw on invalid input',\n cwe: 'CWE-755',\n fix: 'Wrap in try/catch and validate input',\n },\n },\n\n // ============================================\n // Privacy & Compliance patterns\n // ============================================\n {\n pattern: 'console.log(',\n metadata: {\n type: 'vulnerability',\n severity: 'low',\n category: 'logging',\n description: 'Console logging - may leak sensitive data',\n cwe: 'CWE-532',\n fix: 'Remove or replace with proper logging in production',\n },\n },\n {\n pattern: 'localStorage.setItem',\n metadata: {\n type: 'vulnerability',\n severity: 
'moderate',\n category: 'storage',\n description: 'localStorage is accessible to XSS attacks',\n cwe: 'CWE-922',\n fix: 'Avoid storing sensitive data in localStorage',\n },\n },\n {\n pattern: 'sessionStorage.setItem',\n metadata: {\n type: 'vulnerability',\n severity: 'moderate',\n category: 'storage',\n description: 'sessionStorage is accessible to XSS attacks',\n cwe: 'CWE-922',\n fix: 'Avoid storing sensitive data in sessionStorage',\n },\n },\n];\n\n/**\n * Build the vulnerability signature trie\n * Called once at startup, then O(1) access\n */\nlet vulnerabilityTrie: AhoCorasick<PatternMetadata> | null = null;\n\nexport function getVulnerabilityTrie(): AhoCorasick<PatternMetadata> {\n if (!vulnerabilityTrie) {\n vulnerabilityTrie = new AhoCorasick<PatternMetadata>();\n \n for (const { pattern, metadata } of VULNERABILITY_PATTERNS) {\n vulnerabilityTrie.addPattern(pattern, metadata, metadata);\n }\n \n vulnerabilityTrie.build();\n if (!isInteractiveMode()) {\n console.error(` Loaded ${VULNERABILITY_PATTERNS.length} vulnerability signatures into trie`);\n }\n }\n \n return vulnerabilityTrie;\n}\n\n/**\n * Scan code for vulnerabilities using the trie\n * O(n + z) where n = code length, z = number of matches\n */\nexport function scanForVulnerabilities(code: string, filePath: string): VulnerabilityMatch[] {\n // CRITICAL: Skip files that should never be scanned\n if (shouldAlwaysExcludeFile(filePath)) {\n return [];\n }\n \n const trie = getVulnerabilityTrie();\n const rawMatches = trie.search(code);\n const lines = code.split('\\n');\n \n // Deduplicate and filter false positives\n const matches: VulnerabilityMatch[] = [];\n const seen = new Set<string>();\n \n for (const match of rawMatches) {\n // Create unique key for deduplication\n const key = `${match.line}:${match.pattern}`;\n if (seen.has(key)) continue;\n seen.add(key);\n \n const meta = match.metadata!;\n \n // Check file exclusions\n if (shouldExcludeFile(filePath, meta.category || '')) continue;\n \n 
// Filter out false positives\n if (isFalsePositive(code, match, filePath, lines)) continue;\n \n const vulnMatch: VulnerabilityMatch = {\n pattern: match.pattern,\n line: match.line,\n column: match.column,\n severity: meta.severity as any,\n category: meta.category || 'unknown',\n description: meta.description || '',\n fix: meta.fix || '',\n };\n if (meta.cwe !== undefined) {\n vulnMatch.cwe = meta.cwe;\n }\n matches.push(vulnMatch);\n }\n \n return matches;\n}\n\n/**\n * Get surrounding lines for context analysis\n */\nfunction getSurroundingLines(lines: string[], lineNum: number, range: number = 3): string[] {\n const start = Math.max(0, lineNum - range - 1);\n const end = Math.min(lines.length, lineNum + range);\n return lines.slice(start, end);\n}\n\n/**\n * Filter out common false positives with enhanced context awareness\n */\nfunction isFalsePositive(_code: string, match: any, filePath: string, lines: string[]): boolean {\n const line = lines[match.line - 1] || '';\n const trimmedLine = line.trim();\n const pattern = match.pattern;\n const category = match.metadata?.category || '';\n \n // ============================================\n // CRITICAL: Skip signature/pattern definition files\n // ============================================\n if (filePath.includes('signature') || \n filePath.includes('patterns') ||\n filePath.includes('rules')) {\n // If the line contains 'pattern:' or 'pattern =' it's a definition, not a vulnerability\n if (/pattern\\s*[:=]/.test(line)) {\n return true;\n }\n }\n \n // Skip if line is a pattern string definition (in any file)\n // e.g., pattern: \"password = '\", or { pattern: 'secret' }\n if (/^\\s*(pattern|regex|rule|signature)\\s*[:=]/.test(trimmedLine)) {\n return true;\n }\n \n // ============================================\n // CRITICAL: Skip test files entirely for most patterns\n // ============================================\n if (isTestFile(filePath)) {\n // Test files can have intentional bad code for testing 
detection\n // Only flag REAL secrets (actual API keys that look real)\n if (category === 'secrets') {\n // Skip if it's clearly test/mock data\n if (/test|mock|fake|dummy|example|fixture|sample|placeholder/i.test(line)) {\n return true;\n }\n // Skip generic fake values like \"password123\", \"secret_test\", etc.\n if (/'[a-z_]*password[a-z_0-9]*'|\"[a-z_]*password[a-z_0-9]*\"|'[a-z_]*secret[a-z_0-9]*'|\"[a-z_]*secret[a-z_0-9]*\"/i.test(line)) {\n return true;\n }\n // Skip obviously fake API keys (short or with placeholder patterns)\n if (/sk-[a-z0-9]{10,20}\"|'sk-[a-z0-9]{10,20}'|api[_-]?key.*['\"][a-z0-9_-]{5,30}['\"]/i.test(line)) {\n return true;\n }\n }\n // For non-secrets, skip all test file findings\n return true;\n }\n \n // ============================================\n // SKIP: Comments and documentation\n // ============================================\n if (trimmedLine.startsWith('//') || \n trimmedLine.startsWith('*') || \n trimmedLine.startsWith('/*') ||\n trimmedLine.startsWith('#') ||\n trimmedLine.startsWith('<!--')) {\n return true;\n }\n \n // Skip JSDoc and documentation blocks\n if (/^\\s*\\*\\s/.test(line) || /@(param|returns|example|description|see|link)/i.test(line)) {\n return true;\n }\n \n // Skip description/fix/metadata strings (common in config objects)\n if (/^\\s*(description|fix|message|help|hint|reason|why)\\s*[:=]/.test(trimmedLine)) {\n return true;\n }\n \n // ============================================\n // SKIP: Type definitions and interfaces\n // ============================================\n if (/^\\s*(interface|type|export\\s+interface|export\\s+type)\\s/.test(line)) {\n return true;\n }\n \n // Skip TypeScript type annotations (e.g., password: string)\n if (/:\\s*(string|number|boolean|any|unknown|null|undefined|void)\\s*(;|,|\\)|$)/.test(line)) {\n return true;\n }\n \n // Skip interface/type property definitions\n if (/^\\s*\\w+\\s*\\??\\s*:\\s*(string|number|boolean|any)/.test(trimmedLine)) {\n return true;\n }\n 
\n // ============================================\n // SKIP: Environment variable reads (not hardcoded)\n // ============================================\n if (/process\\.env|import\\.meta\\.env|getenv|os\\.environ|Deno\\.env|\\.env\\.|config\\.\\w+|settings\\.\\w+/.test(line)) {\n return true;\n }\n \n // ============================================\n // SKIP: Lock files and package metadata\n // ============================================\n if (filePath.endsWith('package-lock.json') || \n filePath.endsWith('yarn.lock') ||\n filePath.endsWith('pnpm-lock.yaml') ||\n filePath.includes('node_modules/')) {\n return true;\n }\n \n // ============================================\n // SKIP: String in object definition (metadata, not code)\n // ============================================\n // Lines like: severity: 'critical', or category: 'secrets'\n if (/^\\s*(severity|category|type|level|priority|cwe|owasp)\\s*:\\s*['\"]/.test(trimmedLine)) {\n return true;\n }\n \n // ============================================\n // Category-specific false positive detection\n // ============================================\n \n // SQL Injection: Only flag in SQL contexts\n if (category === 'sql-injection') {\n const surroundingLines = getSurroundingLines(lines, match.line);\n if (!isInSQLContext(line, surroundingLines)) {\n return true;\n }\n }\n \n // Secrets: Very strict detection to avoid false positives\n if (category === 'secrets' || category === 'auth') {\n // Skip function parameters (function foo(password: string))\n if (/\\(\\s*[^)]*\\w+\\s*:\\s*(string|any)/.test(line)) {\n return true;\n }\n // Skip object destructuring ({ password })\n if (/\\{\\s*\\w*password\\w*\\s*(,|\\}|:)/.test(line) && !/'|\"|`/.test(line.split(/password/i)[1] || '')) {\n return true;\n }\n // Skip when reading from env or config\n if (/=\\s*(process\\.env|config\\.|options\\.|settings\\.|env\\.)/.test(line)) {\n return true;\n }\n // Skip variable declarations without string literals\n if 
(/password\\s*[=:](?!\\s*['\"`])/.test(line)) {\n return true;\n }\n // Skip if it's reading from another variable\n if (/password\\s*=\\s*\\w+(\\.|$)/.test(line) && !/'|\"|`/.test(line)) {\n return true;\n }\n // Skip error messages and logging about passwords\n if (/error|message|log|warn|info|debug|throw|new Error/i.test(line)) {\n return true;\n }\n // Skip regex patterns for password validation\n if (/regex|RegExp|\\/.*password.*\\//i.test(line)) {\n return true;\n }\n }\n \n // Logging: Skip in development/debug contexts\n if (category === 'logging') {\n // console.error is often intentional\n if (pattern === 'console.error(' || pattern === 'console.warn(') {\n return true;\n }\n // Skip if in catch block (error logging)\n if (/catch|error|err\\b/.test(line)) {\n return true;\n }\n }\n \n // Config patterns: Skip legitimate security config\n if (category === 'config') {\n // Skip when setting secure values\n if (/secure:\\s*true/.test(line) || /httpOnly:\\s*true/.test(line)) {\n return true;\n }\n // Skip environment-based config\n if (/NODE_ENV|process\\.env|production|development/.test(line)) {\n return true;\n }\n // Skip conditional configs\n if (/if\\s*\\(|ternary|\\?.*:/.test(line)) {\n return true;\n }\n }\n \n // Crypto: Skip in contexts where weak crypto is acceptable\n if (category === 'crypto') {\n // MD5/SHA1 for non-security purposes (checksums, cache keys)\n if (/checksum|hash.*file|etag|cache.*key|fingerprint|integrity|content.*hash/i.test(line)) {\n return true;\n }\n // Math.random for non-crypto purposes (UI, games, etc.)\n if (pattern === 'Math.random()') {\n // Only flag if in security context\n if (!/token|secret|password|key|auth|session|csrf|nonce/i.test(line)) {\n return true;\n }\n }\n }\n \n // Async: forEach async is sometimes intentional\n if (category === 'async') {\n // Skip if there's a comment indicating it's intentional\n if (/\\/\\/.*intentional|\\/\\/.*fire.?and.?forget|\\/\\/.*parallel/i.test(line)) {\n return true;\n }\n 
}\n \n // ============================================\n // SKIP: Validation/check patterns (not vulnerabilities)\n // ============================================\n // Skip password validation logic\n if (/password.*length|validate.*password|check.*password|verify.*password|is.*valid/i.test(line)) {\n return true;\n }\n \n // Skip comparison against hashed values\n if (/bcrypt|argon|scrypt|pbkdf|compare.*hash|hash.*compare|verify.*hash/i.test(line)) {\n return true;\n }\n \n // Skip schema definitions (Zod, Yup, etc.)\n if (/z\\.|yup\\.|joi\\.|schema|validation|validator/i.test(line)) {\n return true;\n }\n \n // ============================================\n // SKIP: Imports and requires\n // ============================================\n if (/^\\s*(import|require|from)\\s/.test(trimmedLine)) {\n return true;\n }\n \n // ============================================\n // SKIP: Example/Demo files\n // ============================================\n if (/example|demo|sample|tutorial|readme/i.test(filePath)) {\n return true;\n }\n \n return false;\n}\n\n/**\n * Check if file is a test file\n */\nfunction isTestFile(filePath: string): boolean {\n return /\\.(test|spec)\\.[jt]sx?$/.test(filePath) ||\n /__tests__\\//.test(filePath) ||\n /test\\//.test(filePath) ||\n /tests\\//.test(filePath) ||\n /\\.stories\\.[jt]sx?$/.test(filePath);\n}\n\n/**\n * Get vulnerability statistics\n */\nexport function getVulnerabilityStats(): { total: number; byCategory: Record<string, number>; bySeverity: Record<string, number> } {\n const byCategory: Record<string, number> = {};\n const bySeverity: Record<string, number> = {};\n \n for (const { metadata } of VULNERABILITY_PATTERNS) {\n const cat = metadata.category || 'unknown';\n const sev = metadata.severity || 'unknown';\n byCategory[cat] = (byCategory[cat] || 0) + 1;\n bySeverity[sev] = (bySeverity[sev] || 0) + 1;\n }\n \n return {\n total: VULNERABILITY_PATTERNS.length,\n byCategory,\n bySeverity,\n 
};\n}\n\n"],"mappings":";;;;;;;;AAgCA,IAAM,wBAAwB;AAAA,EAC5B;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AACF;AAKA,IAAM,yBAAyB;AAAA,EAC7B;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF;AAKO,SAAS,wBAAwB,UAA2B;AAEjE,QAAM,iBAAiB,SAAS,QAAQ,OAAO,GAAG;AAGlD,MAAI,sBAAsB,KAAK,aAAW,QAAQ,KAAK,cAAc,CAAC,GAAG;AACvE,WAAO;AAAA,EACT;AAGA,MAAI,eAAe,SAAS,MAAM,KAAK,eAAe,SAAS,OAAO,GAAG;AACvE,WAAO;AAAA,EACT;AAGA,QAAM,WAAW,eAAe,MAAM,GAAG,EAAE,IAAI,KAAK;AACpD,QAAM,qBAAqB;AAAA,IACzB;AAAA,IAA+B;AAAA,IAC/B;AAAA,IAA2B;AAAA,IAC3B;AAAA,IAAY;AAAA,IACZ;AAAA,IAAuB;AAAA,IACvB;AAAA,IAAkB;AAAA,IAClB;AAAA,IAAe;AAAA,IACf;AAAA,IAAc;AAAA,IACd;AAAA,IAAW;AAAA,EACb;AACA,MAAI,mBAAmB,SAAS,QAAQ,GAAG;AAEzC,QAAI,eAAe,SAAS,UAAU,KAAK,eAAe,SAAS,QAAQ,GAAG;AAC5E,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,kBAAkB,UAAkB,iBAAkC;AAEpF,MAAI,wBAAwB,QAAQ,GAAG;AACrC,WAAO;AAAA,EACT;AAIA,MAAI,oBAAoB,aAAa,oBAAoB,mBAAmB;AAC1E,WAAO;AAAA,EACT;AAGA,SAAO,uBAAuB,KAAK,aAAW,QAAQ,KAAK,QAAQ,CAAC;AACtE;AAKA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EAAU;AAAA,EAAU;AAAA,EAAU;AAAA,EAAU;AAAA,EAAQ;AAAA,EAAS;AAAA,EACzD;AAAA,EAAS;AAAA,EAAW;AAAA,EAAO;AAAA,EAAU;AAAA,EAAQ;AAAA,EAC7C;AAAA,EAAsB;AAAA,EAAY;AACpC;AAKA,SAAS,eAAe,MAAc,kBAAqC;AACzE,QAAM,aAAa,CAAC,MAAM,GAAG,gBAAgB,EAAE,KAAK,GAAG,EAAE,YAAY;AACrE,SAAO,qBAAqB;AAAA,IAAK,aAC/B,WAAW,SAAS,QAAQ,YAAY,CAAC;AAAA,EAC3C;AACF;AAKA,IAAM,yBAGD;AAAA;AAAA;AAAA;AAAA,EAIH;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SA
AS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MA
AM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UA
AU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AA
AA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU;AAAA,MACV,aAAa;AAAA,MA
Cb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AACF;AAMA,IAAI,oBAAyD;AAEtD,SAAS,uBAAqD;AACnE,MAAI,CAAC,mBAAmB;AACtB,wBAAoB,IAAI,YAA6B;AAErD,eAAW,EAAE,SAAS,SAAS,KAAK,wBAAwB;AAC1D,wBAAkB,WAAW,SAAS,UAAU,QAAQ;AAAA,IAC1D;AAEA,sBAAkB,MAAM;AACxB,QAAI,CAAC,kBAAkB,GAAG;AACxB,cAAQ,MAAM,aAAa,uBAAuB,MAAM,qCAAqC;AAAA,IAC/F;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,uBAAuB,MAAc,UAAwC;AAE3F,MAAI,wBAAwB,QAAQ,GAAG;AACrC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,OAAO,qBAAqB;AAClC,QAAM,aAAa,KAAK,OAAO,IAAI;AACnC,QAAM,QAAQ,KAAK,MAAM,IAAI;AAG7B,QAAM,UAAgC,CAAC;AACvC,QAAM,OAAO,oBAAI,IAAY;AAE7B,aAAW,SAAS,YAAY;AAE9B,UAAM,MAAM,GAAG,MAAM,IAAI,IAAI,MAAM,OAAO;AAC1C,QAAI,KAAK,IAAI,GAAG,EAAG;AACnB,SAAK,IAAI,GAAG;AAEZ,UAAM,OAAO,MAAM;AAGnB,QAAI,kBAAkB,UAAU,KAAK,YAAY,EAAE,EAAG;AAGtD,QAAI,gBAAgB,MAAM,OAAO,UAAU,KAAK,EAAG;AAEnD,UAAM,YAAgC;AAAA,MACpC,SAAS,MAAM;AAAA,MACf,MAAM,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,UAAU,KAAK;AAAA,MACf,UAAU,KAAK,YAAY;AAAA,MAC3B,aAAa,KAAK,eAAe;AAAA,MACjC,KAAK,KAAK,OAAO;AAAA,IACnB;AACA,QAAI,KAAK,QAAQ,QAAW;AAC1B,gBAAU,MAAM,KAAK;AAAA,IACvB;AACA,YAAQ,KAAK,SAAS;AAAA,EACxB;AAEA,SAAO;AACT;AAKA,SAAS,oBAAoB,OAAiB,SAAiB,QAAgB,GAAa;AAC1F,QAAM,QAAQ,KAAK,IAAI,GAAG,UAAU,QAAQ,CAAC;AAC7C,QAAM,MAAM,KAAK,IAAI,MAAM,QAAQ,UAAU,KAAK;AAClD,SAAO,MAAM,MAAM,OAAO,GAAG;AAC/B;AAKA,SAAS,gBAAgB,OAAe,OAAY,UAAkB,OAA0B;AAC9F,QAAM,OAAO,MAAM,MAAM,OAAO,CAAC,KAAK;AACtC,QAAM,cAAc,KAAK,KAAK;AAC9B,QAAM,UAAU,MAAM;AACtB,QAAM,WAAW,MAAM,UAAU,YAAY;AAK7C,MAAI,SAAS,SAAS,WAAW,KAC7B,SAAS,SAAS,UAAU,KAC5B,SAAS,SAAS,OAAO,GAAG;AAE9B,QAAI,iBAAiB,KAAK,IAAI,GAAG;AAC/B,aAAO;AAAA,IACT;AAAA,EACF;AAIA,MAAI,4CAA4C,KAAK,WAAW,GAAG;AACjE,WAAO;AAAA,EACT;AAKA,MAAI,WAAW,QAAQ,GAAG;AAGxB,QAAI,aAAa,WAAW;AAE1B,UAAI,2DAA2D,KAAK,IAAI,GAAG;AACzE,eAAO;AAAA,MACT;AAEA,UAAI,+GAA+G,KAAK,IAAI,GAAG;AAC7H,eAAO;AAAA,MACT;AAEA,UAAI,kFAAkF,KAAK,IAAI,GAAG;AAChG,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAKA,MAAI,YAAY,WAAW,IAAI,KAC3B,YAAY,WAAW,GAAG,KAC1B,YAAY,WAAW,IAAI,KAC3B,YAAY,WAAW,GAAG,KAC1B,YAAY,WAAW,MAAM,GAAG;AAClC,WAAO;AAAA,EACT;AAGA,MAAI,WAAW,KAAK,IAAI,KAAK,iDAAiD,KAAK,IAAI,GA
AG;AACxF,WAAO;AAAA,EACT;AAGA,MAAI,4DAA4D,KAAK,WAAW,GAAG;AACjF,WAAO;AAAA,EACT;AAKA,MAAI,0DAA0D,KAAK,IAAI,GAAG;AACxE,WAAO;AAAA,EACT;AAGA,MAAI,2EAA2E,KAAK,IAAI,GAAG;AACzF,WAAO;AAAA,EACT;AAGA,MAAI,kDAAkD,KAAK,WAAW,GAAG;AACvE,WAAO;AAAA,EACT;AAKA,MAAI,gGAAgG,KAAK,IAAI,GAAG;AAC9G,WAAO;AAAA,EACT;AAKA,MAAI,SAAS,SAAS,mBAAmB,KACrC,SAAS,SAAS,WAAW,KAC7B,SAAS,SAAS,gBAAgB,KAClC,SAAS,SAAS,eAAe,GAAG;AACtC,WAAO;AAAA,EACT;AAMA,MAAI,mEAAmE,KAAK,WAAW,GAAG;AACxF,WAAO;AAAA,EACT;AAOA,MAAI,aAAa,iBAAiB;AAChC,UAAM,mBAAmB,oBAAoB,OAAO,MAAM,IAAI;AAC9D,QAAI,CAAC,eAAe,MAAM,gBAAgB,GAAG;AAC3C,aAAO;AAAA,IACT;AAAA,EACF;AAGA,MAAI,aAAa,aAAa,aAAa,QAAQ;AAEjD,QAAI,mCAAmC,KAAK,IAAI,GAAG;AACjD,aAAO;AAAA,IACT;AAEA,QAAI,iCAAiC,KAAK,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,MAAM,WAAW,EAAE,CAAC,KAAK,EAAE,GAAG;AAClG,aAAO;AAAA,IACT;AAEA,QAAI,yDAAyD,KAAK,IAAI,GAAG;AACvE,aAAO;AAAA,IACT;AAEA,QAAI,8BAA8B,KAAK,IAAI,GAAG;AAC5C,aAAO;AAAA,IACT;AAEA,QAAI,2BAA2B,KAAK,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,GAAG;AAChE,aAAO;AAAA,IACT;AAEA,QAAI,qDAAqD,KAAK,IAAI,GAAG;AACnE,aAAO;AAAA,IACT;AAEA,QAAI,iCAAiC,KAAK,IAAI,GAAG;AAC/C,aAAO;AAAA,IACT;AAAA,EACF;AAGA,MAAI,aAAa,WAAW;AAE1B,QAAI,YAAY,oBAAoB,YAAY,iBAAiB;AAC/D,aAAO;AAAA,IACT;AAEA,QAAI,oBAAoB,KAAK,IAAI,GAAG;AAClC,aAAO;AAAA,IACT;AAAA,EACF;AAGA,MAAI,aAAa,UAAU;AAEzB,QAAI,iBAAiB,KAAK,IAAI,KAAK,mBAAmB,KAAK,IAAI,GAAG;AAChE,aAAO;AAAA,IACT;AAEA,QAAI,+CAA+C,KAAK,IAAI,GAAG;AAC7D,aAAO;AAAA,IACT;AAEA,QAAI,wBAAwB,KAAK,IAAI,GAAG;AACtC,aAAO;AAAA,IACT;AAAA,EACF;AAGA,MAAI,aAAa,UAAU;AAEzB,QAAI,2EAA2E,KAAK,IAAI,GAAG;AACzF,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,iBAAiB;AAE/B,UAAI,CAAC,qDAAqD,KAAK,IAAI,GAAG;AACpE,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAGA,MAAI,aAAa,SAAS;AAExB,QAAI,4DAA4D,KAAK,IAAI,GAAG;AAC1E,aAAO;AAAA,IACT;AAAA,EACF;AAMA,MAAI,kFAAkF,KAAK,IAAI,GAAG;AAChG,WAAO;AAAA,EACT;AAGA,MAAI,sEAAsE,KAAK,IAAI,GAAG;AACpF,WAAO;AAAA,EACT;AAGA,MAAI,+CAA+C,KAAK,IAAI,GAAG;AAC7D,WAAO;AAAA,EACT;AAKA,MAAI,8BAA8B,KAAK,WAAW,GAAG;AACnD,WAAO;AAAA,EACT;AAKA,MAAI,uCAAuC,KAAK,QAAQ,GAAG;AACzD,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKA,SAAS,WAAW,UAA2B;AAC7C,
SAAO,0BAA0B,KAAK,QAAQ,KACvC,cAAc,KAAK,QAAQ,KAC3B,SAAS,KAAK,QAAQ,KACtB,UAAU,KAAK,QAAQ,KACvB,sBAAsB,KAAK,QAAQ;AAC5C;AAKO,SAAS,wBAAmH;AACjI,QAAM,aAAqC,CAAC;AAC5C,QAAM,aAAqC,CAAC;AAE5C,aAAW,EAAE,SAAS,KAAK,wBAAwB;AACjD,UAAM,MAAM,SAAS,YAAY;AACjC,UAAM,MAAM,SAAS,YAAY;AACjC,eAAW,GAAG,KAAK,WAAW,GAAG,KAAK,KAAK;AAC3C,eAAW,GAAG,KAAK,WAAW,GAAG,KAAK,KAAK;AAAA,EAC7C;AAEA,SAAO;AAAA,IACL,OAAO,uBAAuB;AAAA,IAC9B;AAAA,IACA;AAAA,EACF;AACF;","names":[]}
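--- a/package/dist/chunk-5DQLHWTT.js
+++ b/package/dist/chunk-BG2BHWCC.js
@@ -17,7 +17,7 @@ import {
  checkFileLevelIssues,
  getVibeCodeTrie,
  scanForVibeCodeIssues
- } from "./chunk-IYMJTY27.js";
+ } from "./chunk-LVVG2DMW.js";
  import {
  AgentSmithSkill,
  BaseSkill,
@@ -4358,6 +4358,9 @@ var LegalSkill = class extends BaseSkill {
  async analyzeFiles(files, _context) {
  const issues = [];
  for (const file of files) {
+ if (this.shouldExcludeTrieFile(file)) {
+ continue;
+ }
  try {
  const content = await this.readFile(file);
  issues.push(...this.checkLicenseCompliance(content, file));
@@ -4922,12 +4925,22 @@ var LegalSkill = class extends BaseSkill {
  if (/\bno\s+credit\s+card\s+required\b/i.test(line)) {
  continue;
  }
- const isCardDataCodeSignal = (
- // Typical variable / object-key names in code (high-signal)
- /\b(cardNumber|card_number|cvv|cvc|pan|expMonth|expYear|expiry|expiration|cardholder(Name)?|billingZip|postalCode)\b/i.test(line) || // HTML/JSX form fields collecting card data (high-signal)
- /<input\b[^>]*(name|id|autoComplete)\s*=\s*["'{][^"'}]*(cc-number|cc-csc|cc-exp|card(number)?|cvv|cvc)[^"'}]*["'}][^>]*>/i.test(line) || // Server-side request body / params containing card fields (high-signal)
- /\b(req|request)\.(body|query|params)\.[a-z0-9_]*(card|cvv|cvc|pan|exp)[a-z0-9_]*\b/i.test(line)
+ const hasExplicitCardDataField = (
+ // Explicit card number / CVV / CVC (very high signal)
+ /\b(cardNumber|card_number|card[-_]?num|ccNumber|cc_number)\b/i.test(line) || /\b(cvv|cvc|securityCode|security_code|cardCode|card_code)\b/i.test(line) || // PAN (Primary Account Number) - very high signal
+ /\bpan\b/i.test(line) && /\b(card|payment|credit|debit)\b/i.test(line)
+ );
+ const hasCardExpiryInPaymentContext = (
+ // Expiry only counts if combined with payment-related terms
+ /\b(expMonth|expYear|exp_month|exp_year|cardExp|card_exp)\b/i.test(line) || /\b(expiry|expiration)\b/i.test(line) && /\b(card|payment|credit|billing)\b/i.test(line)
+ );
+ const hasCardHolderData = (
+ // Cardholder name is high signal
+ /\b(cardholderName|cardholder_name|cardHolder|card_holder)\b/i.test(line)
  );
+ const isCardDataCodeSignal = hasExplicitCardDataField || hasCardExpiryInPaymentContext || hasCardHolderData || // HTML/JSX form fields collecting card data (high-signal, very specific autocomplete values)
+ /<input\b[^>]*(autoComplete|autocomplete)\s*=\s*["'{](cc-number|cc-csc|cc-exp)[^"'}]*["'}][^>]*>/i.test(line) || // Server-side request body containing explicit card fields
+ /\b(req|request)\.(body|query|params)\.(cardNumber|cvv|cvc|ccNumber)\b/i.test(line);
  const isLowSignalCardMention = /\bcredit\s*card\b/i.test(line) || /\bcard\s*number\b/i.test(line);
  if (!isCardDataCodeSignal) {
  if (isLowSignalCardMention) continue;
@@ -5043,10 +5056,9 @@ var LegalSkill = class extends BaseSkill {
  }
  }
  const testimonialIndicator = /\btestimonial(s)?\b/i;
- const reviewIndicator = /\b(review(s)?|rating(s)?|feedback)\b/i;
- const fakeIndicator = /\b(fake|synthetic)\b/i;
- const generatedIndicator = /\b(generated|ai[-\s]?generated|generated\s+by\s+ai)\b/i;
- const engineeringReviewContext = /\b(code\s+review|pr\s+review|profile\s+review|review\s+agent|reviewer|super-reviewer|trie_super_reviewer)\b/i;
+ const fakeTestimonialPattern = /\b(fake|synthetic|generated|fabricated)\s+(testimonial|review|rating|feedback)s?\b/i;
+ const testimonialGenerationPattern = /\b(generate|create|make)\s+(fake|synthetic)?\s*(testimonial|review|rating)s?\b/i;
+ const engineeringContext = /\b(code\s+review|pr\s+review|pull\s+request|profile\s+review|review\s+agent|reviewer|super-reviewer|trie|scout|ai[-\s]?generated\s+code|generated\s+(by\s+)?(ai|claude|gpt|llm|copilot)|code\s+generation|content\s+generation)\b/i;
  for (let i = 0; i < lines.length; i++) {
  const line = lines[i];
  const trimmed = line.trim();
@@ -5056,13 +5068,13 @@ var LegalSkill = class extends BaseSkill {
  const start = Math.max(0, i - 2);
  const end = Math.min(lines.length, i + 3);
  const window = lines.slice(start, end).join("\n");
- const hasTestimonial = testimonialIndicator.test(window);
- const hasReview = reviewIndicator.test(window);
- const hasFake = fakeIndicator.test(window) || generatedIndicator.test(window);
- if (!hasFake) continue;
- if (engineeringReviewContext.test(window)) continue;
- if (!isLikelyMarketingFile && !hasTestimonial) continue;
- if (!(hasTestimonial || hasReview)) continue;
+ if (engineeringContext.test(window)) continue;
+ const hasFakeTestimonial = fakeTestimonialPattern.test(window);
+ const hasTestimonialGeneration = testimonialGenerationPattern.test(window);
+ const hasTestimonialWithFake = testimonialIndicator.test(window) && /\b(fake|synthetic|fabricated|made[-\s]?up)\b/i.test(window);
+ if (!hasFakeTestimonial && !hasTestimonialGeneration && !(isLikelyMarketingFile && hasTestimonialWithFake)) {
+ continue;
+ }
  issues.push(this.createIssue(
  this.generateIssueId(),
  "critical",
@@ -5376,6 +5388,41 @@ var LegalSkill = class extends BaseSkill {
  }
  return issues;
  }
+ /**
+ * Check if a file is part of Trie's own codebase (to prevent self-detection false positives)
+ */
+ shouldExcludeTrieFile(filePath) {
+ const normalizedPath = filePath.replace(/\\/g, "/");
+ if (normalizedPath.includes("trie") && normalizedPath.includes("/src/")) {
+ return true;
+ }
+ if (normalizedPath.includes("/skills/")) {
+ return true;
+ }
+ if (normalizedPath.includes("/trie/")) {
+ return true;
+ }
+ const fileName = normalizedPath.split("/").pop() || "";
+ const TRIE_SCANNER_FILES = [
+ "vulnerability-signatures.ts",
+ "vulnerability-signatures.js",
+ "vibe-code-signatures.ts",
+ "vibe-code-signatures.js",
+ "legal.ts",
+ "legal.js",
+ "security-scanner.ts",
+ "security-scanner.js",
+ "agent-smith.ts",
+ "agent-smith.js",
+ "security.ts",
+ "security.js",
+ "privacy.ts",
+ "privacy.js",
+ "soc2.ts",
+ "soc2.js"
+ ];
+ return TRIE_SCANNER_FILES.includes(fileName);
+ }
  };
  
  // src/skills/built-in/test.ts
@@ -10829,4 +10876,4 @@ export {
  CustomSkill,
  getSkillRegistry
  };
- //# sourceMappingURL=chunk-5DQLHWTT.js.map
+ //# sourceMappingURL=chunk-BG2BHWCC.js.map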
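Review bot: `shouldExcludeTrieFile` decides by substring and bare file name, so it excludes files of the project being scanned as well as Trie's own sources. `normalizedPath.includes("trie")` is true for a path such as `app/src/countries/checkout.ts` (made-up example), `/skills/` and `/trie/` are ordinary directory names, and every `security.ts`, `privacy.js`, `legal.ts` or `soc2.js` matches `TRIE_SCANNER_FILES` wherever it lives. With the new `continue` in `analyzeFiles` (whose body runs on outside the hunk) such files skip `checkLicenseCompliance` and whatever other checks follow in that loop, and nothing in the output records that they were skipped. I would tie the exclusion to the scanner's own package root rather than to names and require both conditions, e.g. `return inTriePackage && TRIE_SCANNER_FILES.includes(fileName);` where `inTriePackage` is a path-prefix test against that root, and log each skipped file. The widened `engineeringContext` alternation (`trie`, `scout`, `content\s+generation`) now runs before the testimonial patterns and suppresses that finding in the same name-based way, so it deserves the same narrowing.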