@undercurrentai/eslint-plugin-ai-guard 2.0.0-beta.3

package/dist/index.js

@@ -0,0 +1,3679 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/rules/error-handling/no-empty-catch.ts
+var import_utils = require("@typescript-eslint/utils");
+var createRule = import_utils.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var noEmptyCatch = createRule({
+  name: "no-empty-catch",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow empty catch blocks. AI tools frequently generate try/catch with empty catch bodies that silently swallow errors, hiding failures in production."
+    },
+    fixable: void 0,
+    hasSuggestions: true,
+    schema: [],
+    messages: {
+      emptyCatch: "Catch block is empty. AI tools frequently generate empty catch blocks that silently swallow errors. Handle the error (log, rethrow, or recover), or add a comment explaining why it is intentionally empty.",
+      addTodoHandler: "Add a minimal placeholder so this catch block is not silently swallowing errors."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CatchClause(node) {
+        if (node.body.body.length === 0) {
+          const sourceCode = context.sourceCode;
+          const comments = sourceCode.getCommentsInside(node.body);
+          if (comments.length > 0) {
+            return;
+          }
+          context.report({
+            node,
+            messageId: "emptyCatch",
+            suggest: [
+              {
+                messageId: "addTodoHandler",
+                fix: (fixer) => fixer.replaceText(node.body, "{ /* TODO: handle error */ }")
+              }
+            ]
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/error-handling/no-broad-exception.ts
+var import_utils2 = require("@typescript-eslint/utils");
+var createRule2 = import_utils2.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var noBroadException = createRule2({
+  name: "no-broad-exception",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["@typescript-eslint/no-explicit-any"],
+    docs: {
+      description: "[DEPRECATED \u2014 partial coverage by `@typescript-eslint/no-explicit-any` plus TypeScript `useUnknownInCatchVariables: true`] Disallow `catch (e: any)` or `catch (e: unknown)` without narrowing. Kept for backwards-compatibility in v2.x; removed in v3.0."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      broadException: "[ai-guard deprecated \u2014 use `@typescript-eslint/no-explicit-any`] Catch parameter has an overly broad type annotation `{{type}}`. Use a specific error type or narrow with `instanceof` checks."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CatchClause(node) {
+        const param = node.param;
+        if (!param) return;
+        if (param.type === import_utils2.AST_NODE_TYPES.Identifier && param.typeAnnotation && param.typeAnnotation.typeAnnotation) {
+          const typeAnnotation = param.typeAnnotation.typeAnnotation;
+          if (typeAnnotation.type === import_utils2.AST_NODE_TYPES.TSAnyKeyword) {
+            context.report({
+              node: param,
+              messageId: "broadException",
+              data: { type: "any" }
+            });
+            return;
+          }
+          if (typeAnnotation.type === import_utils2.AST_NODE_TYPES.TSUnknownKeyword) {
+            const hasNarrowing = checkForNarrowing(node, param.name);
+            if (!hasNarrowing) {
+              context.report({
+                node: param,
+                messageId: "broadException",
+                data: { type: "unknown" }
+              });
+            }
+          }
+        }
+      }
+    };
+  }
+});
+function checkForNarrowing(catchClause, paramName) {
+  const bodyStatements = catchClause.body.body;
+  for (const stmt of bodyStatements) {
+    if (containsInstanceofCheck(stmt, paramName)) {
+      return true;
+    }
+  }
+  return false;
+}
+function containsInstanceofCheck(node, paramName) {
+  if (!node || typeof node !== "object") return false;
+  if (node.type === import_utils2.AST_NODE_TYPES.BinaryExpression && node.operator === "instanceof" && node.left?.type === import_utils2.AST_NODE_TYPES.Identifier && node.left.name === paramName) {
+    return true;
+  }
+  for (const key of Object.keys(node)) {
+    if (key === "parent") continue;
+    const child = node[key];
+    if (Array.isArray(child)) {
+      for (const item of child) {
+        if (containsInstanceofCheck(item, paramName)) return true;
+      }
+    } else if (child && typeof child === "object" && child.type) {
+      if (containsInstanceofCheck(child, paramName)) return true;
+    }
+  }
+  return false;
+}
+
+// src/rules/error-handling/no-catch-log-rethrow.ts
+var import_utils3 = require("@typescript-eslint/utils");
+var createRule3 = import_utils3.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+function isConsoleCallStatement(statement) {
+  if (statement.type !== import_utils3.AST_NODE_TYPES.ExpressionStatement) {
+    return false;
+  }
+  const expression = statement.expression;
+  if (expression.type !== import_utils3.AST_NODE_TYPES.CallExpression) {
+    return false;
+  }
+  if (expression.callee.type !== import_utils3.AST_NODE_TYPES.MemberExpression) {
+    return false;
+  }
+  return expression.callee.object.type === import_utils3.AST_NODE_TYPES.Identifier && expression.callee.object.name === "console" && expression.callee.property.type === import_utils3.AST_NODE_TYPES.Identifier && ["log", "error", "warn", "info", "debug"].includes(expression.callee.property.name);
+}
+function isRethrowOfCatchParam(statement, catchParamName) {
+  return statement.type === import_utils3.AST_NODE_TYPES.ThrowStatement && statement.argument !== null && statement.argument.type === import_utils3.AST_NODE_TYPES.Identifier && statement.argument.name === catchParamName;
+}
+var noCatchLogRethrow = createRule3({
+  name: "no-catch-log-rethrow",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Disallow catch blocks that only log and rethrow the same error. AI tools frequently generate catch-log-rethrow patterns that add noise without recovery or context."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      catchLogRethrow: "This catch block only logs and rethrows the same error. AI tools frequently generate this noisy pattern without adding recovery. Either remove the catch block or add meaningful handling/context."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CatchClause(node) {
+        if (!node.param || node.param.type !== import_utils3.AST_NODE_TYPES.Identifier) {
+          return;
+        }
+        const bodyStatements = node.body.body;
+        if (bodyStatements.length < 2) {
+          return;
+        }
+        const lastStatement = bodyStatements[bodyStatements.length - 1];
+        if (!isRethrowOfCatchParam(lastStatement, node.param.name)) {
+          return;
+        }
+        const leadingStatements = bodyStatements.slice(0, -1);
+        const allConsoleCalls = leadingStatements.every(isConsoleCallStatement);
+        if (allConsoleCalls) {
+          context.report({
+            node,
+            messageId: "catchLogRethrow"
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/error-handling/no-catch-without-use.ts
+var import_utils4 = require("@typescript-eslint/utils");
+var createRule4 = import_utils4.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var noCatchWithoutUse = createRule4({
+  name: "no-catch-without-use",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["@typescript-eslint/no-unused-vars"],
+    docs: {
+      description: '[DEPRECATED \u2014 use `@typescript-eslint/no-unused-vars` with `caughtErrors: "all"`] Disallow catch parameters that are never used. Kept for backwards-compatibility in v2.x; removed in v3.0.'
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      unusedCatchParam: '[ai-guard deprecated \u2014 use `@typescript-eslint/no-unused-vars` with `caughtErrors: "all"`] Catch parameter `{{name}}` is never used.'
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CatchClause(node) {
+        if (!node.param || node.param.type !== import_utils4.AST_NODE_TYPES.Identifier) {
+          return;
+        }
+        const catchParamName = node.param.name;
+        if (catchParamName.startsWith("_")) {
+          return;
+        }
+        const tokens = context.sourceCode.getTokens(node.body);
+        const hasUsage = tokens.some(
+          (token) => token.type === "Identifier" && token.value === catchParamName
+        );
+        if (!hasUsage) {
+          context.report({
+            node: node.param,
+            messageId: "unusedCatchParam",
+            data: { name: catchParamName }
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/async/no-async-array-callback.ts
+var import_utils6 = require("@typescript-eslint/utils");
+
+// src/utils/async-scope.ts
+var import_utils5 = require("@typescript-eslint/utils");
+function isAstNode(value) {
+  return typeof value === "object" && value !== null && "type" in value;
+}
+var FUNCTION_SCOPE_BOUNDARY_TYPES = /* @__PURE__ */ new Set([
+  import_utils5.AST_NODE_TYPES.FunctionDeclaration,
+  import_utils5.AST_NODE_TYPES.FunctionExpression,
+  import_utils5.AST_NODE_TYPES.ArrowFunctionExpression
+]);
+function nodeHasCatchClause(node) {
+  if (node.type === import_utils5.AST_NODE_TYPES.TryStatement && !!node.handler) {
+    return true;
+  }
+  for (const [key, value] of Object.entries(node)) {
+    if (key === "parent") continue;
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (isAstNode(item) && !FUNCTION_SCOPE_BOUNDARY_TYPES.has(item.type) && nodeHasCatchClause(item)) {
+          return true;
+        }
+      }
+      continue;
+    }
+    if (isAstNode(value) && !FUNCTION_SCOPE_BOUNDARY_TYPES.has(value.type) && nodeHasCatchClause(value)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isAsyncFunctionLike(node) {
+  if (!node) return false;
+  if (node.type === import_utils5.AST_NODE_TYPES.FunctionDeclaration) {
+    return node.async;
+  }
+  if (node.type === import_utils5.AST_NODE_TYPES.FunctionExpression || node.type === import_utils5.AST_NODE_TYPES.ArrowFunctionExpression) {
+    return node.async;
+  }
+  if (node.type === import_utils5.AST_NODE_TYPES.VariableDeclarator && node.init && (node.init.type === import_utils5.AST_NODE_TYPES.FunctionExpression || node.init.type === import_utils5.AST_NODE_TYPES.ArrowFunctionExpression)) {
+    return node.init.async;
+  }
+  return false;
+}
+function getAsyncBindingInfo(node) {
+  if (!node) {
+    return { isAsync: false, hasInternalErrorHandling: false };
+  }
+  if (node.type === import_utils5.AST_NODE_TYPES.FunctionDeclaration) {
+    return {
+      isAsync: node.async,
+      hasInternalErrorHandling: node.body ? nodeHasCatchClause(node.body) : false
+    };
+  }
+  if (node.type === import_utils5.AST_NODE_TYPES.FunctionExpression || node.type === import_utils5.AST_NODE_TYPES.ArrowFunctionExpression) {
+    return {
+      isAsync: node.async,
+      hasInternalErrorHandling: node.body.type === import_utils5.AST_NODE_TYPES.BlockStatement ? nodeHasCatchClause(node.body) : false
+    };
+  }
+  if (node.type === import_utils5.AST_NODE_TYPES.VariableDeclarator && node.init && (node.init.type === import_utils5.AST_NODE_TYPES.FunctionExpression || node.init.type === import_utils5.AST_NODE_TYPES.ArrowFunctionExpression)) {
+    return {
+      isAsync: node.init.async,
+      hasInternalErrorHandling: node.init.body.type === import_utils5.AST_NODE_TYPES.BlockStatement ? nodeHasCatchClause(node.init.body) : false
+    };
+  }
+  return { isAsync: false, hasInternalErrorHandling: false };
+}
+function findVariableInScope(scope, name) {
+  const fromMap = scope.set?.get(name);
+  if (fromMap) {
+    return fromMap;
+  }
+  if (scope.variables) {
+    const fromArray = scope.variables.find((v) => v.name === name);
+    if (fromArray) {
+      return fromArray;
+    }
+  }
+  return null;
+}
+function isIdentifierBoundToAsyncFunction(identifier, context) {
+  let scope = context.sourceCode.getScope(identifier);
+  while (scope) {
+    const variable = findVariableInScope(scope, identifier.name);
+    if (variable) {
+      const defs = variable.defs ?? [];
+      for (const def of defs) {
+        const info = getAsyncBindingInfo(def.node);
+        if (info.isAsync) {
+          return info;
+        }
+      }
+      if (defs.length === 0 && isAsyncFunctionLike(variable)) {
+        return getAsyncBindingInfo(variable);
+      }
+      return { isAsync: false, hasInternalErrorHandling: false };
+    }
+    scope = scope.upper;
+  }
+  return { isAsync: false, hasInternalErrorHandling: false };
+}
+
+// src/rules/async/no-async-array-callback.ts
+var createRule5 = import_utils6.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var ARRAY_CALLBACK_METHODS = ["map", "filter", "forEach", "reduce", "flatMap", "find", "findIndex", "some", "every"];
+var PROMISE_COMBINATORS = ["all", "allSettled", "race", "any"];
+var METHODS_ALLOWING_PROMISE_COLLECTION = /* @__PURE__ */ new Set(["map", "flatMap"]);
+function isNode(value) {
+  return typeof value === "object" && value !== null && "type" in value;
+}
+function getChildNodes(node) {
+  const children = [];
+  for (const [key, value] of Object.entries(node)) {
+    if (key === "parent") continue;
+    if (!value) continue;
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (isNode(item)) {
+          children.push(item);
+        }
+      }
+      continue;
+    }
+    if (isNode(value)) {
+      children.push(value);
+    }
+  }
+  return children;
+}
+function isPromiseCombinatorCall(node) {
+  return node.callee.type === import_utils6.AST_NODE_TYPES.MemberExpression && node.callee.object.type === import_utils6.AST_NODE_TYPES.Identifier && node.callee.object.name === "Promise" && node.callee.property.type === import_utils6.AST_NODE_TYPES.Identifier && PROMISE_COMBINATORS.includes(
+    node.callee.property.name
+  );
+}
+function isWrappedInPromiseCombinator(node, context) {
+  const ancestors = context.sourceCode.getAncestors(node);
+  const directParent = node.parent;
+  if (directParent && directParent.type === import_utils6.AST_NODE_TYPES.CallExpression && isPromiseCombinatorCall(directParent)) {
+    return true;
+  }
+  for (let i = ancestors.length - 1; i >= 0; i--) {
+    const ancestor = ancestors[i];
+    if (ancestor.type === import_utils6.AST_NODE_TYPES.CallExpression && isPromiseCombinatorCall(ancestor)) {
+      return true;
+    }
+    if (ancestor.type === import_utils6.AST_NODE_TYPES.CallExpression) {
+      break;
+    }
+  }
+  return false;
+}
+function isIdentifierConsumedByPromiseCombinator(node, identifierName) {
+  let found = false;
+  const visit = (current) => {
+    if (found) return;
+    if (current.type === import_utils6.AST_NODE_TYPES.CallExpression && isPromiseCombinatorCall(current)) {
+      for (const arg of current.arguments) {
+        if (arg.type === import_utils6.AST_NODE_TYPES.Identifier && arg.name === identifierName) {
+          found = true;
+          return;
+        }
+      }
+    }
+    for (const child of getChildNodes(current)) {
+      visit(child);
+      if (found) return;
+    }
+  };
+  visit(node);
+  return found;
+}
+function isAssignedAndConsumedByPromiseCombinator(node) {
+  if (!node.parent || node.parent.type !== import_utils6.AST_NODE_TYPES.VariableDeclarator || node.parent.id.type !== import_utils6.AST_NODE_TYPES.Identifier) {
+    return false;
+  }
+  const variableName = node.parent.id.name;
+  const declaration = node.parent.parent;
+  if (!declaration || declaration.type !== import_utils6.AST_NODE_TYPES.VariableDeclaration) {
+    return false;
+  }
+  let container = declaration.parent;
+  let anchor = declaration;
+  if (container && container.type === import_utils6.AST_NODE_TYPES.ExportNamedDeclaration) {
+    anchor = container;
+    container = container.parent;
+  }
+  if (!container || container.type !== import_utils6.AST_NODE_TYPES.Program && container.type !== import_utils6.AST_NODE_TYPES.BlockStatement) {
+    return false;
+  }
+  const body = container.body;
+  const declarationIndex = body.findIndex((statement) => statement === anchor);
+  if (declarationIndex === -1) {
+    return false;
+  }
+  for (let i = declarationIndex + 1; i < body.length; i++) {
+    const statement = body[i];
+    if (isIdentifierConsumedByPromiseCombinator(statement, variableName)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isAsyncCallback(node, context) {
+  if (node.type === import_utils6.AST_NODE_TYPES.Identifier) {
+    return isIdentifierBoundToAsyncFunction(node, context).isAsync;
+  }
+  return (node.type === import_utils6.AST_NODE_TYPES.FunctionExpression || node.type === import_utils6.AST_NODE_TYPES.ArrowFunctionExpression) && node.async;
+}
+var noAsyncArrayCallback = createRule5({
+  name: "no-async-array-callback",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow async callbacks in array iteration methods (map, filter, forEach, reduce). AI tools generate `array.map(async ...)` which returns `Promise[]` instead of resolved values \u2014 a silent bug."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      asyncArrayCallback: "Async callback passed to Array.{{method}}(). This returns an array of Promises, not resolved values. AI tools frequently generate this pattern. Wrap with `await Promise.all(array.{{method}}(...))` or use a for...of loop."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (node.callee.type !== import_utils6.AST_NODE_TYPES.MemberExpression || node.callee.property.type !== import_utils6.AST_NODE_TYPES.Identifier) {
+          return;
+        }
+        const methodName = node.callee.property.name;
+        if (!ARRAY_CALLBACK_METHODS.includes(
+          methodName
+        )) {
+          return;
+        }
+        const callback = node.arguments[0];
+        if (!callback) {
+          return;
+        }
+        if (isAsyncCallback(callback, context)) {
+          if (isWrappedInPromiseCombinator(node, context)) {
+            return;
+          }
+          if (METHODS_ALLOWING_PROMISE_COLLECTION.has(methodName) && isAssignedAndConsumedByPromiseCombinator(node)) {
+            return;
+          }
+          context.report({
+            node: callback,
+            messageId: "asyncArrayCallback",
+            data: {
+              method: methodName
+            }
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/async/no-floating-promise.ts
+var import_utils7 = require("@typescript-eslint/utils");
+var createRule6 = import_utils7.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var KNOWN_PROMISE_FACTORIES = /* @__PURE__ */ new Set([
+  "fetch"
+]);
+var PROMISE_STATIC_METHODS = /* @__PURE__ */ new Set([
+  "resolve",
+  "reject",
+  "all",
+  "allSettled",
+  "race",
+  "any"
+]);
+function isLocallyAsyncCallee(node, context) {
+  if (node.callee.type === import_utils7.AST_NODE_TYPES.Identifier) {
+    const info = isIdentifierBoundToAsyncFunction(node.callee, context);
+    if (info.isAsync) {
+      return info;
+    }
+  }
+  if ((node.callee.type === import_utils7.AST_NODE_TYPES.FunctionExpression || node.callee.type === import_utils7.AST_NODE_TYPES.ArrowFunctionExpression) && node.callee.async) {
+    return {
+      isAsync: true,
+      hasInternalErrorHandling: node.callee.body.type === import_utils7.AST_NODE_TYPES.BlockStatement ? nodeHasCatchClause(node.callee.body) : false
+    };
+  }
+  return { isAsync: false, hasInternalErrorHandling: false };
+}
+function isKnownPromiseFactoryCall(node) {
+  if (node.callee.type === import_utils7.AST_NODE_TYPES.Identifier) {
+    return KNOWN_PROMISE_FACTORIES.has(node.callee.name);
+  }
+  if (node.callee.type === import_utils7.AST_NODE_TYPES.MemberExpression && node.callee.object.type === import_utils7.AST_NODE_TYPES.Identifier && node.callee.object.name === "Promise" && node.callee.property.type === import_utils7.AST_NODE_TYPES.Identifier) {
+    return PROMISE_STATIC_METHODS.has(node.callee.property.name);
+  }
+  return false;
+}
+function getParserServices(context) {
+  const services = context.sourceCode.parserServices;
+  if (!services || typeof services !== "object") {
+    return null;
+  }
+  return services;
+}
+function isPromiseLikeByTypeInfo(node, context) {
+  const services = getParserServices(context);
+  if (!services?.program || !services.esTreeNodeToTSNodeMap) {
+    return false;
+  }
+  try {
+    const tsNode = services.esTreeNodeToTSNodeMap.get(node);
+    if (!tsNode) {
+      return false;
+    }
+    const checker = services.program.getTypeChecker();
+    const type = checker.getTypeAtLocation(tsNode);
+    if (typeof checker.getPromisedTypeOfPromise === "function") {
+      if (checker.getPromisedTypeOfPromise(type)) {
+        return true;
+      }
+    }
+    const text = checker.typeToString(type).toLowerCase();
+    return text === "promise" || text.includes("promise<") || text.includes("promiselike<") || text.includes("thenable");
+  } catch {
+    return false;
+  }
+}
+function getCallExpression(expression) {
+  if (expression.type === import_utils7.AST_NODE_TYPES.CallExpression) {
+    return expression;
+  }
+  if (expression.type === import_utils7.AST_NODE_TYPES.ChainExpression && expression.expression.type === import_utils7.AST_NODE_TYPES.CallExpression) {
+    return expression.expression;
+  }
+  return null;
+}
+function isExpressionHandled(node) {
+  const expr = node.expression;
+  const callExpr = getCallExpression(expr);
+  if (callExpr) {
+    if (callExpr.callee.type === import_utils7.AST_NODE_TYPES.MemberExpression) {
+      const prop = callExpr.callee.property;
+      if (prop.type === import_utils7.AST_NODE_TYPES.Identifier) {
+        if (prop.name === "then" || prop.name === "catch" || prop.name === "finally") {
+          return true;
+        }
+      }
+    }
+  }
+  if (expr.type === import_utils7.AST_NODE_TYPES.UnaryExpression && expr.operator === "void") {
+    return true;
+  }
+  return false;
+}
+var noFloatingPromise = createRule6({
+  name: "no-floating-promise",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow calling an async function or Promise-returning function without awaiting or handling the result. AI tools frequently generate floating promises where errors disappear silently."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      floatingPromise: "This async call is not awaited, returned, or error-handled (.catch). AI tools frequently generate floating promises, causing errors to be silently lost. Add `await`, `.catch()`, or assign the result."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      // Check ExpressionStatements — standalone call expressions
+      ExpressionStatement(node) {
+        if (node.expression.type === import_utils7.AST_NODE_TYPES.NewExpression && node.expression.callee.type === import_utils7.AST_NODE_TYPES.Identifier && node.expression.callee.name === "Promise") {
+          context.report({
+            node,
+            messageId: "floatingPromise"
+          });
+          return;
+        }
+        if (isExpressionHandled(node)) {
+          return;
+        }
+        const callExpr = getCallExpression(node.expression);
+        if (!callExpr) {
+          return;
+        }
+        const localAsyncInfo = isLocallyAsyncCallee(callExpr, context);
+        if (localAsyncInfo.isAsync && localAsyncInfo.hasInternalErrorHandling) {
+          return;
+        }
+        if (localAsyncInfo.isAsync || isKnownPromiseFactoryCall(callExpr) || isPromiseLikeByTypeInfo(callExpr, context)) {
+          context.report({
+            node,
+            messageId: "floatingPromise"
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/async/no-await-in-loop.ts
+var import_utils8 = require("@typescript-eslint/utils");
+var createRule7 = import_utils8.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var LOOP_TYPES = /* @__PURE__ */ new Set([
+  import_utils8.AST_NODE_TYPES.ForStatement,
+  import_utils8.AST_NODE_TYPES.ForInStatement,
+  import_utils8.AST_NODE_TYPES.ForOfStatement,
+  import_utils8.AST_NODE_TYPES.WhileStatement,
+  import_utils8.AST_NODE_TYPES.DoWhileStatement
+]);
+var SUPPRESSION_REGEX = /ai-guard-disable\s+no-await-in-loop\b/i;
+var RETRY_NAME_REGEX = /(retry|retries|attempt|attempts|fallback|tryagain|recovery)/i;
+var SEQUENTIAL_DEPENDENCY_NAME_REGEX = /(previous|prev|last|carry|accumulator|stateful)/i;
+var ERROR_CODE_HINTS = [
+  "access-denied",
+  "timeout",
+  "rate-limit",
+  "not-found"
+];
+var CONTROL_AWAIT_HINTS = [
+  "sleep",
+  "delay",
+  "wait",
+  "throttle",
+  "ratelimit",
+  "backoff"
+];
+var MUTATION_METHOD_NAMES = /* @__PURE__ */ new Set([
+  "push",
+  "pop",
+  "shift",
+  "unshift",
+  "splice",
+  "set",
+  "add",
+  "delete",
+  "clear"
+]);
+function isFunctionNode(node) {
+  return node.type === import_utils8.AST_NODE_TYPES.FunctionDeclaration || node.type === import_utils8.AST_NODE_TYPES.FunctionExpression || node.type === import_utils8.AST_NODE_TYPES.ArrowFunctionExpression;
+}
+function isNodeLike(value) {
+  return typeof value === "object" && value !== null && "type" in value;
+}
+function walkNode(node, visitor, skipNestedFunctions, isRoot = true) {
+  visitor(node);
+  for (const [key, value] of Object.entries(node)) {
+    if (key === "parent" || !value) continue;
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        if (!isNodeLike(item)) continue;
+        if (skipNestedFunctions && !isRoot && isFunctionNode(item)) continue;
+        walkNode(item, visitor, skipNestedFunctions, false);
+      }
+      continue;
+    }
+    if (!isNodeLike(value)) continue;
+    if (skipNestedFunctions && !isRoot && isFunctionNode(value)) continue;
+    walkNode(value, visitor, skipNestedFunctions, false);
+  }
+}
+function collectPatternNames(pattern, bucket) {
+  if (pattern.type === import_utils8.AST_NODE_TYPES.Identifier) {
+    bucket.add(pattern.name);
+    return;
+  }
+  if (pattern.type === import_utils8.AST_NODE_TYPES.AssignmentPattern) {
+    collectPatternNames(pattern.left, bucket);
+    return;
+  }
+  if (pattern.type === import_utils8.AST_NODE_TYPES.RestElement) {
+    collectPatternNames(pattern.argument, bucket);
+    return;
+  }
+  if (pattern.type === import_utils8.AST_NODE_TYPES.ArrayPattern) {
+    for (const element of pattern.elements) {
+      if (!element) continue;
+      if (element.type === import_utils8.AST_NODE_TYPES.RestElement) {
+        collectPatternNames(element.argument, bucket);
+        continue;
+      }
+      collectPatternNames(element, bucket);
+    }
+    return;
+  }
+  if (pattern.type === import_utils8.AST_NODE_TYPES.ObjectPattern) {
+    for (const prop of pattern.properties) {
+      if (prop.type === import_utils8.AST_NODE_TYPES.RestElement) {
+        collectPatternNames(prop.argument, bucket);
+        continue;
+      }
+      collectPatternNames(prop.value, bucket);
+    }
+  }
+}
+function getLoopNodeName(type) {
+  switch (type) {
+    case import_utils8.AST_NODE_TYPES.ForStatement:
+      return "for loop";
+    case import_utils8.AST_NODE_TYPES.ForInStatement:
+      return "for...in loop";
+    case import_utils8.AST_NODE_TYPES.ForOfStatement:
+      return "for...of loop";
+    case import_utils8.AST_NODE_TYPES.WhileStatement:
+      return "while loop";
+    case import_utils8.AST_NODE_TYPES.DoWhileStatement:
+      return "do...while loop";
+    default:
+      return "loop";
+  }
+}
+function hasSuppressionComment(comments) {
+  return comments.some((comment) => SUPPRESSION_REGEX.test(comment.value));
+}
+function hasFileSuppression(sourceCode) {
+  return hasSuppressionComment(sourceCode.getAllComments());
+}
+function hasLoopSuppression(loopNode, sourceCode) {
+  const commentsBefore = sourceCode.getCommentsBefore(loopNode);
+  if (hasSuppressionComment(commentsBefore)) {
+    return true;
+  }
+  const allComments = sourceCode.getAllComments();
+  const nearComments = allComments.filter((comment) => {
+    if (!comment.range || !loopNode.range) {
+      return false;
+    }
+    const [, commentEnd] = comment.range;
+    const [loopStart] = loopNode.range;
+    return commentEnd <= loopStart && loopStart - commentEnd < 160;
+  });
+  return hasSuppressionComment(nearComments);
+}
+function getCalleeName(callee) {
+  if (callee.type === import_utils8.AST_NODE_TYPES.Identifier) {
+    return callee.name;
+  }
+  if (callee.type === import_utils8.AST_NODE_TYPES.MemberExpression && callee.property.type === import_utils8.AST_NODE_TYPES.Identifier) {
+    return callee.property.name;
+  }
+  return null;
+}
+function getRootIdentifierName(node) {
+  if (node.type === import_utils8.AST_NODE_TYPES.Identifier) {
+    return node.name;
+  }
+  if (node.type === import_utils8.AST_NODE_TYPES.MemberExpression) {
+    return getRootIdentifierName(node.object);
+  }
+  return null;
+}
+function collectLocalBindings(loopNode) {
+  const bindings = /* @__PURE__ */ new Set();
+  if (loopNode.type === import_utils8.AST_NODE_TYPES.ForStatement && loopNode.init?.type === import_utils8.AST_NODE_TYPES.VariableDeclaration) {
+    for (const decl of loopNode.init.declarations) {
+      collectPatternNames(decl.id, bindings);
+    }
+  }
+  if ((loopNode.type === import_utils8.AST_NODE_TYPES.ForOfStatement || loopNode.type === import_utils8.AST_NODE_TYPES.ForInStatement) && loopNode.left.type === import_utils8.AST_NODE_TYPES.VariableDeclaration) {
+    for (const decl of loopNode.left.declarations) {
+      collectPatternNames(decl.id, bindings);
+    }
+  }
+  walkNode(
+    loopNode.body,
+    (node) => {
+      if (node.type === import_utils8.AST_NODE_TYPES.VariableDeclarator) {
+        collectPatternNames(node.id, bindings);
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.FunctionDeclaration && node.id) {
+        bindings.add(node.id.name);
+      }
+    },
+    true
+  );
+  return bindings;
+}
+function collectSiblingStatements(loopNode) {
+  if (!loopNode.parent || loopNode.parent.type !== import_utils8.AST_NODE_TYPES.BlockStatement) {
+    return [];
+  }
+  const siblings = loopNode.parent.body;
+  const idx = siblings.findIndex((stmt) => stmt === loopNode);
+  if (idx === -1) return [];
+  const result = [];
+  if (idx > 0) result.push(siblings[idx - 1]);
+  if (idx < siblings.length - 1) result.push(siblings[idx + 1]);
+  return result;
+}
+function nodeContainsErrorCodeHint(node) {
+  let found = false;
+  walkNode(
+    node,
+    (current) => {
+      if (found) return;
+      if (current.type !== import_utils8.AST_NODE_TYPES.Literal || typeof current.value !== "string") {
+        return;
+      }
+      const lower = current.value.toLowerCase();
+      if (ERROR_CODE_HINTS.some((hint) => lower.includes(hint))) {
+        found = true;
+      }
+    },
+    true
+  );
+  return found;
+}
+function analyzeIntent(loopNode) {
+  if (loopNode.type === import_utils8.AST_NODE_TYPES.ForOfStatement && loopNode.await) {
+    return { isIndependent: false };
+  }
+  const localBindings = collectLocalBindings(loopNode);
+  const siblingStatements = collectSiblingStatements(loopNode);
+  let hasRetryNameHint = false;
+  let hasCounterIncrement = false;
+  let hasEarlyExit = false;
+  let hasCatchContinue = false;
+  let hasErrorCodeHint = false;
+  let hasSequentialDependency = false;
+  let hasControlAwait = false;
+  const checkIdentifierName = (name) => {
+    if (RETRY_NAME_REGEX.test(name)) {
+      hasRetryNameHint = true;
+    }
+    if (SEQUENTIAL_DEPENDENCY_NAME_REGEX.test(name)) {
+      hasSequentialDependency = true;
+    }
+  };
+  walkNode(
+    loopNode,
+    (node) => {
+      if (node.type === import_utils8.AST_NODE_TYPES.Identifier) {
+        checkIdentifierName(node.name);
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.AwaitExpression && node.argument.type === import_utils8.AST_NODE_TYPES.CallExpression) {
+        const calleeName = getCalleeName(node.argument.callee);
+        if (calleeName) {
+          const lower = calleeName.toLowerCase();
+          if (CONTROL_AWAIT_HINTS.some((hint) => lower.includes(hint))) {
+            hasControlAwait = true;
+          }
+        }
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.UpdateExpression) {
+        const target = node.argument;
+        if (target.type === import_utils8.AST_NODE_TYPES.Identifier) {
+          checkIdentifierName(target.name);
+          if (RETRY_NAME_REGEX.test(target.name)) {
+            hasCounterIncrement = true;
+          }
+          if (!localBindings.has(target.name)) {
+            hasSequentialDependency = true;
+          }
+        }
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.AssignmentExpression) {
+        if (node.left.type === import_utils8.AST_NODE_TYPES.Identifier) {
+          checkIdentifierName(node.left.name);
+          if (RETRY_NAME_REGEX.test(node.left.name)) {
+            hasCounterIncrement = true;
+          }
+          if (!localBindings.has(node.left.name)) {
+            hasSequentialDependency = true;
+          }
+        }
+        if (node.left.type === import_utils8.AST_NODE_TYPES.MemberExpression) {
+          const root = getRootIdentifierName(node.left.object);
+          if (root && !localBindings.has(root)) {
+            hasSequentialDependency = true;
+          }
+        }
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.ReturnStatement || node.type === import_utils8.AST_NODE_TYPES.BreakStatement || node.type === import_utils8.AST_NODE_TYPES.ContinueStatement) {
+        hasEarlyExit = true;
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.TryStatement && node.handler) {
+        let catchHasContinue = false;
+        walkNode(
+          node.handler.body,
+          (catchNode) => {
+            if (catchNode.type === import_utils8.AST_NODE_TYPES.ContinueStatement) {
+              catchHasContinue = true;
+            }
+          },
+          true
+        );
+        if (catchHasContinue) {
+          hasCatchContinue = true;
+        }
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.CallExpression) {
+        if (node.callee.type === import_utils8.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils8.AST_NODE_TYPES.Identifier) {
+          const method = node.callee.property.name.toLowerCase();
+          if (MUTATION_METHOD_NAMES.has(method)) {
+            const root = getRootIdentifierName(node.callee.object);
+            if (root && !localBindings.has(root)) {
+              hasSequentialDependency = true;
+            }
+          }
+        }
+      }
+      if (node.type === import_utils8.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+        const lower = node.value.toLowerCase();
+        if (ERROR_CODE_HINTS.some((hint) => lower.includes(hint))) {
+          hasErrorCodeHint = true;
+        }
+      }
+    },
+    true
+  );
+  if (!hasRetryNameHint && siblingStatements.length > 0) {
+    for (const sibling of siblingStatements) {
+      if (nodeContainsErrorCodeHint(sibling)) {
+        hasErrorCodeHint = true;
+      }
+      walkNode(
+        sibling,
+        (node) => {
+          if (node.type === import_utils8.AST_NODE_TYPES.Identifier) {
+            checkIdentifierName(node.name);
+          }
+        },
+        true
+      );
+    }
+  }
+  const hasRetryOrFallbackIntent = hasRetryNameHint || hasCounterIncrement || hasEarlyExit || hasCatchContinue || hasErrorCodeHint || hasSequentialDependency || hasControlAwait;
+  return {
+    isIndependent: !hasRetryOrFallbackIntent
+  };
+}
+function getLoopBodyStatements(loopNode) {
+  return loopNode.body.type === import_utils8.AST_NODE_TYPES.BlockStatement ? loopNode.body.body : [loopNode.body];
+}
+function getForOfParamName(loopNode) {
+  if (loopNode.left.type === import_utils8.AST_NODE_TYPES.Identifier) {
+    return loopNode.left.name;
+  }
+  if (loopNode.left.type === import_utils8.AST_NODE_TYPES.VariableDeclaration) {
+    if (loopNode.left.declarations.length !== 1) return null;
+    const id = loopNode.left.declarations[0].id;
+    if (id.type !== import_utils8.AST_NODE_TYPES.Identifier) return null;
+    return id.name;
+  }
+  return null;
+}
+function buildSafeAutofix(loopNode, awaitNode, sourceCode) {
+  if (!loopNode.parent || loopNode.parent.type !== import_utils8.AST_NODE_TYPES.BlockStatement || !loopNode.parent.parent || !isFunctionNode(loopNode.parent.parent)) {
+    return null;
+  }
+  if (loopNode.type !== import_utils8.AST_NODE_TYPES.ForOfStatement || loopNode.await) {
+    return null;
+  }
+  const loopStatements = getLoopBodyStatements(loopNode);
+  if (loopStatements.length !== 1) {
+    return null;
+  }
+  const onlyStatement = loopStatements[0];
+  if (onlyStatement.type !== import_utils8.AST_NODE_TYPES.ExpressionStatement || onlyStatement.expression.type !== import_utils8.AST_NODE_TYPES.AwaitExpression || onlyStatement.expression !== awaitNode || onlyStatement.expression.argument.type !== import_utils8.AST_NODE_TYPES.CallExpression) {
+    return null;
+  }
+  const paramName = getForOfParamName(loopNode);
+  if (!paramName) {
+    return null;
+  }
+  const iterableText = sourceCode.getText(loopNode.right);
+  const awaitedCallText = sourceCode.getText(onlyStatement.expression.argument);
+  return `const results = await Promise.all(${iterableText}.map(async (${paramName}) => await ${awaitedCallText}));`;
+}
+var noAwaitInLoop = createRule7({
+  name: "no-await-in-loop",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["no-await-in-loop"],
+    docs: {
+      description: "[DEPRECATED \u2014 use ESLint core `no-await-in-loop`] Disallow independent `await` usage inside loops. Kept for backwards-compatibility in v2.x; removed in v3.0."
+    },
+    fixable: "code",
+    schema: [],
+    messages: {
+      awaitInLoop: "[ai-guard deprecated \u2014 use ESLint core `no-await-in-loop`] Unexpected `await` inside a {{loopType}}. AI tools frequently generate sequential awaits in loops, causing O(n) latency. Consider `Promise.all()` for parallel execution."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    if (hasFileSuppression(context.sourceCode)) {
+      return {};
+    }
+    const loopIntentCache = /* @__PURE__ */ new WeakMap();
+    const reportedLoops = /* @__PURE__ */ new WeakSet();
+    const functionBoundary = [];
+    function enterFunction(node) {
+      functionBoundary.push(node);
+    }
+    function exitFunction() {
+      functionBoundary.pop();
+    }
+    return {
+      FunctionDeclaration: enterFunction,
+      FunctionExpression: enterFunction,
+      ArrowFunctionExpression: enterFunction,
+      "FunctionDeclaration:exit": exitFunction,
+      "FunctionExpression:exit": exitFunction,
+      "ArrowFunctionExpression:exit": exitFunction,
+      AwaitExpression(node) {
+        const ancestors = context.sourceCode.getAncestors(node);
+        const currentFunction = functionBoundary[functionBoundary.length - 1];
+        let enclosingLoop = null;
+        for (let i = ancestors.length - 1; i >= 0; i--) {
+          const ancestor = ancestors[i];
+          if (ancestor === currentFunction) {
+            break;
+          }
+          if (LOOP_TYPES.has(ancestor.type)) {
+            enclosingLoop = ancestor;
+            break;
+          }
+        }
+        if (!enclosingLoop) {
+          return;
+        }
+        if (reportedLoops.has(enclosingLoop)) {
+          return;
+        }
+        if (hasLoopSuppression(enclosingLoop, context.sourceCode)) {
+          return;
+        }
+        const intent = loopIntentCache.get(enclosingLoop) ?? analyzeIntent(enclosingLoop);
+        loopIntentCache.set(enclosingLoop, intent);
+        if (!intent.isIndependent) {
+          return;
+        }
+        const fixText = buildSafeAutofix(enclosingLoop, node, context.sourceCode);
+        const loopName = getLoopNodeName(enclosingLoop.type);
+        context.report({
+          node,
+          messageId: "awaitInLoop",
+          data: { loopType: loopName },
+          fix: fixText === null ? void 0 : (fixer) => fixer.replaceText(enclosingLoop, fixText)
+        });
+        reportedLoops.add(enclosingLoop);
+      }
+    };
+  }
+});
+
+// src/rules/async/no-async-without-await.ts
+var import_utils9 = require("@typescript-eslint/utils");
+var createRule8 = import_utils9.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+function containsAwaitExpression(node) {
+  if (node.type === import_utils9.AST_NODE_TYPES.AwaitExpression) {
+    return true;
+  }
+  if (node.type === import_utils9.AST_NODE_TYPES.ForOfStatement && node.await) {
+    return true;
+  }
+  if (node.type === import_utils9.AST_NODE_TYPES.FunctionDeclaration || node.type === import_utils9.AST_NODE_TYPES.FunctionExpression || node.type === import_utils9.AST_NODE_TYPES.ArrowFunctionExpression) {
+    return false;
+  }
+  const entries = Object.entries(node);
+  for (const [key, value] of entries) {
+    if (key === "parent") {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        if (child && typeof child === "object" && "type" in child) {
+          if (containsAwaitExpression(child)) {
+            return true;
+          }
+        }
+      }
+      continue;
+    }
+    if (value && typeof value === "object" && "type" in value) {
+      if (containsAwaitExpression(value)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+var noAsyncWithoutAwait = createRule8({
+  name: "no-async-without-await",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["@typescript-eslint/require-await"],
+    docs: {
+      description: "[DEPRECATED \u2014 use `@typescript-eslint/require-await`] Disallow async functions that never use await. Kept for backwards-compatibility in v2.x; removed in v3.0."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      asyncWithoutAwait: "[ai-guard deprecated \u2014 use `@typescript-eslint/require-await`] Async function does not contain `await`. Remove `async` or add proper await logic."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    function reportIfNeeded(node) {
+      if (!node.async) {
+        return;
+      }
+      if (node.body.type !== import_utils9.AST_NODE_TYPES.BlockStatement) {
+        if (node.body.type !== import_utils9.AST_NODE_TYPES.AwaitExpression) {
+          context.report({
+            node,
+            messageId: "asyncWithoutAwait"
+          });
+        }
+        return;
+      }
+      if (!containsAwaitExpression(node.body)) {
+        context.report({
+          node,
+          messageId: "asyncWithoutAwait"
+        });
+      }
+    }
+    return {
+      FunctionDeclaration: reportIfNeeded,
+      FunctionExpression: reportIfNeeded,
+      ArrowFunctionExpression: reportIfNeeded
+    };
+  }
+});
+
+// src/rules/async/no-redundant-await.ts
+var import_utils10 = require("@typescript-eslint/utils");
+var createRule9 = import_utils10.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+function isInsideTryLikeBlock(returnNode, context) {
+  const ancestors = context.sourceCode.getAncestors(returnNode);
+  for (let i = ancestors.length - 1; i >= 0; i -= 1) {
+    const ancestor = ancestors[i];
+    if (ancestor.type === import_utils10.AST_NODE_TYPES.FunctionDeclaration || ancestor.type === import_utils10.AST_NODE_TYPES.FunctionExpression || ancestor.type === import_utils10.AST_NODE_TYPES.ArrowFunctionExpression) {
+      break;
+    }
+    if (ancestor.type === import_utils10.AST_NODE_TYPES.TryStatement) {
+      return true;
+    }
+  }
+  return false;
+}
+function isInsideAsyncFunction(returnNode, context) {
+  const ancestors = context.sourceCode.getAncestors(returnNode);
+  for (let i = ancestors.length - 1; i >= 0; i -= 1) {
+    const ancestor = ancestors[i];
+    if (ancestor.type === import_utils10.AST_NODE_TYPES.FunctionDeclaration || ancestor.type === import_utils10.AST_NODE_TYPES.FunctionExpression || ancestor.type === import_utils10.AST_NODE_TYPES.ArrowFunctionExpression) {
+      return ancestor.async;
+    }
+  }
+  return false;
+}
+var noRedundantAwait = createRule9({
+  name: "no-redundant-await",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["@typescript-eslint/return-await"],
+    docs: {
+      description: "[DEPRECATED \u2014 use `@typescript-eslint/return-await`] Disallow `return await` in async functions when not inside try/catch/finally. Kept for backwards-compatibility in v2.x; removed in v3.0."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      redundantAwait: "[ai-guard deprecated \u2014 use `@typescript-eslint/return-await`] Redundant `return await` detected. Return the Promise directly unless you need await for try/catch behavior."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      ReturnStatement(node) {
+        if (!node.argument || node.argument.type !== import_utils10.AST_NODE_TYPES.AwaitExpression) {
+          return;
+        }
+        if (!isInsideAsyncFunction(node, context)) {
+          return;
+        }
+        if (isInsideTryLikeBlock(node, context)) {
+          return;
+        }
+        context.report({
+          node: node.argument,
+          messageId: "redundantAwait"
+        });
+      },
+      ArrowFunctionExpression(node) {
+        if (!node.async || node.body.type !== import_utils10.AST_NODE_TYPES.AwaitExpression) {
+          return;
+        }
+        context.report({
+          node: node.body,
+          messageId: "redundantAwait"
+        });
+      }
+    };
+  }
+});
+
+// src/rules/security/no-hardcoded-secret.ts
+var import_utils11 = require("@typescript-eslint/utils");
+var createRule10 = import_utils11.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var SECRET_TOKENS = /* @__PURE__ */ new Set([
+  "secret",
+  "password",
+  "passwd",
+  "apikey",
+  "authtoken",
+  "accesstoken",
+  "privatekey",
+  "clientsecret",
+  "jwtsecret",
+  "encryptionkey",
+  "signingkey"
+]);
+var SECRET_TOKEN_PAIRS = [
+  ["api", "key"],
+  ["auth", "token"],
+  ["access", "token"],
+  ["private", "key"],
+  ["client", "secret"],
+  ["jwt", "secret"],
+  ["encryption", "key"],
+  ["signing", "key"]
+];
+function tokenizeIdentifier(name) {
+  return name.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z])([A-Z][a-z])/g, "$1_$2").split(/[_\-]+/).map((t) => t.toLowerCase()).filter((t) => t.length > 0);
+}
+function isSecretName(name) {
+  const tokens = tokenizeIdentifier(name);
+  for (const t of tokens) {
+    if (SECRET_TOKENS.has(t)) return true;
+  }
+  for (let i = 0; i < tokens.length - 1; i++) {
+    for (const [a, b] of SECRET_TOKEN_PAIRS) {
+      if (tokens[i] === a && tokens[i + 1] === b) return true;
+    }
+  }
+  return false;
+}
+var FALSE_POSITIVE_VALUES = /* @__PURE__ */ new Set([
+  "password",
+  "secret",
+  "token",
+  "key",
+  "api_key",
+  "apikey",
+  "",
+  "undefined",
+  "null",
+  "test",
+  "example",
+  "placeholder",
+  "changeme",
+  "your-api-key",
+  "your-secret",
+  "YOUR_API_KEY",
+  "YOUR_SECRET",
+  "xxx",
+  "TODO"
+]);
+var noHardcodedSecret = createRule10({
+  name: "no-hardcoded-secret",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow hardcoded secrets, API keys, passwords, and tokens in source code. AI tools frequently generate placeholder credentials that get committed to version control, creating security vulnerabilities."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      hardcodedSecret: "Possible hardcoded secret in variable `{{name}}`. AI tools frequently generate placeholder credentials that get committed to version control. Use environment variables (e.g., `process.env.{{envName}}`) instead."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      VariableDeclarator(node) {
+        if (!node.init) return;
+        if (!node.id || node.id.type !== import_utils11.AST_NODE_TYPES.Identifier) return;
+        const varName = node.id.name;
+        if (!isSecretName(varName)) return;
+        const value = getStringValue(node.init);
+        if (value === null) return;
+        if (FALSE_POSITIVE_VALUES.has(value)) return;
+        if (value.length < 8) return;
+        if (isProcessEnvAccess(node.init)) return;
+        context.report({
+          node: node.init,
+          messageId: "hardcodedSecret",
+          data: {
+            name: varName,
+            envName: toEnvVarName(varName)
+          }
+        });
+      },
+      // Also check: obj.secret = 'literal_value' (including quoted / bracket
+      // forms like obj['secret'] = '...', obj["apiKey"] = '...').
+      AssignmentExpression(node) {
+        if (node.left.type !== import_utils11.AST_NODE_TYPES.MemberExpression) return;
+        const propName = getStaticMemberPropertyName(node.left);
+        if (!propName) return;
+        if (!isSecretName(propName)) return;
+        const value = getStringValue(node.right);
+        if (value === null) return;
+        if (FALSE_POSITIVE_VALUES.has(value)) return;
+        if (value.length < 8) return;
+        if (isProcessEnvAccess(node.right)) return;
+        context.report({
+          node: node.right,
+          messageId: "hardcodedSecret",
+          data: {
+            name: propName,
+            envName: toEnvVarName(propName)
+          }
+        });
+      },
+      // Check property assignments in object literals. Accept both bare
+      // Identifier keys `{ secret: 'value' }` and string-Literal keys
+      // `{ 'apiKey': 'sk-...' }` / `{ ["apiKey"]: '...' }`. Prettier / JSON-to-
+      // config codegen routinely quotes keys, and skipping that form lets
+      // placeholder credentials slip into version control.
+      Property(node) {
+        const propName = getStaticObjectPropertyKey(node);
+        if (!propName) return;
+        if (isRuleMetaMessagesProperty(node)) return;
+        if (!isSecretName(propName)) return;
+        const value = getStringValue(node.value);
+        if (value === null) return;
+        if (FALSE_POSITIVE_VALUES.has(value)) return;
+        if (value.length < 8) return;
+        if (isProcessEnvAccess(node.value)) return;
+        context.report({
+          node: node.value,
+          messageId: "hardcodedSecret",
+          data: {
+            name: propName,
+            envName: toEnvVarName(propName)
+          }
+        });
+      }
+    };
+  }
+});
+function getStaticObjectPropertyKey(node) {
+  if (!node.computed && node.key.type === import_utils11.AST_NODE_TYPES.Identifier) {
+    return node.key.name;
+  }
+  if (node.key.type === import_utils11.AST_NODE_TYPES.Literal && typeof node.key.value === "string") {
+    return node.key.value;
+  }
+  return null;
+}
+function getStaticMemberPropertyName(node) {
+  if (!node.computed && node.property.type === import_utils11.AST_NODE_TYPES.Identifier) {
+    return node.property.name;
+  }
+  if (node.property.type === import_utils11.AST_NODE_TYPES.Literal && typeof node.property.value === "string") {
+    return node.property.value;
+  }
+  return null;
+}
+function getStringValue(node) {
+  if (node.type === import_utils11.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return node.value;
+  }
+  if (node.type === import_utils11.AST_NODE_TYPES.TemplateLiteral && node.expressions.length === 0 && node.quasis.length === 1) {
+    return node.quasis[0].value.cooked ?? null;
+  }
+  return null;
+}
+function isRuleMetaMessagesProperty(node) {
+  if (!node.parent || node.parent.type !== import_utils11.AST_NODE_TYPES.ObjectExpression) {
+    return false;
+  }
+  const parentProperty = node.parent.parent;
+  if (!parentProperty || parentProperty.type !== import_utils11.AST_NODE_TYPES.Property) {
+    return false;
+  }
+  return parentProperty.key.type === import_utils11.AST_NODE_TYPES.Identifier && parentProperty.key.name === "messages";
+}
+function isProcessEnvAccess(node) {
+  return node.type === import_utils11.AST_NODE_TYPES.MemberExpression && node.object.type === import_utils11.AST_NODE_TYPES.MemberExpression && node.object.object.type === import_utils11.AST_NODE_TYPES.Identifier && node.object.object.name === "process" && node.object.property.type === import_utils11.AST_NODE_TYPES.Identifier && node.object.property.name === "env";
+}
+function toEnvVarName(name) {
+  return name.replace(/([a-z])([A-Z])/g, "$1_$2").replace(/[-\s]/g, "_").toUpperCase();
+}
+
+// src/rules/security/no-eval-dynamic.ts
+var import_utils12 = require("@typescript-eslint/utils");
+var createRule11 = import_utils12.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var noEvalDynamic = createRule11({
+  name: "no-eval-dynamic",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow `eval()` and `new Function()` with non-literal arguments. AI tools frequently generate dynamic code evaluation patterns that create serious security vulnerabilities including code injection and XSS."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      evalDynamic: "Dangerous use of `{{callee}}` with a dynamic argument. AI tools frequently generate `eval()` or `new Function()` patterns that enable code injection attacks. Use safer alternatives like JSON.parse(), a lookup table, or a sandboxed evaluator.",
+      newFunctionDynamic: "Dangerous use of `new Function()` with a dynamic argument. AI tools frequently generate this pattern which enables arbitrary code execution. Use safer alternatives like a lookup table or pre-defined functions."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (node.callee.type === import_utils12.AST_NODE_TYPES.Identifier && node.callee.name === "eval") {
+          if (node.arguments.length === 0) return;
+          const firstArg = node.arguments[0];
+          if (isLiteral(firstArg)) return;
+          context.report({
+            node,
+            messageId: "evalDynamic",
+            data: { callee: "eval()" }
+          });
+          return;
+        }
+        if (node.callee.type === import_utils12.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils12.AST_NODE_TYPES.Identifier && node.callee.property.name === "eval" && node.callee.object.type === import_utils12.AST_NODE_TYPES.Identifier && (node.callee.object.name === "window" || node.callee.object.name === "globalThis")) {
+          if (node.arguments.length === 0) return;
+          const firstArg = node.arguments[0];
+          if (isLiteral(firstArg)) return;
+          context.report({
+            node,
+            messageId: "evalDynamic",
+            data: { callee: `${node.callee.object.name}.eval()` }
+          });
+          return;
+        }
+        if (isFunctionConstructorCallee(node.callee)) {
+          if (node.arguments.length === 0) return;
+          const allLiteral = node.arguments.every(isLiteral);
+          if (allLiteral) return;
+          context.report({
+            node,
+            messageId: "newFunctionDynamic"
+          });
+        }
+      },
+      NewExpression(node) {
+        if (isFunctionConstructorCallee(node.callee)) {
+          if (node.arguments.length === 0) return;
+          const allLiteral = node.arguments.every(isLiteral);
+          if (allLiteral) return;
+          context.report({
+            node,
+            messageId: "newFunctionDynamic"
+          });
+        }
+      }
+    };
+  }
+});
+function isFunctionConstructorCallee(callee) {
+  if (callee.type === import_utils12.AST_NODE_TYPES.Identifier && callee.name === "Function") {
+    return true;
+  }
+  if (callee.type === import_utils12.AST_NODE_TYPES.MemberExpression && callee.property.type === import_utils12.AST_NODE_TYPES.Identifier && callee.property.name === "Function" && callee.object.type === import_utils12.AST_NODE_TYPES.Identifier && (callee.object.name === "window" || callee.object.name === "globalThis")) {
+    return true;
+  }
+  return false;
+}
+function isLiteral(node) {
+  if (node.type === import_utils12.AST_NODE_TYPES.Literal) return true;
+  if (node.type === import_utils12.AST_NODE_TYPES.TemplateLiteral && node.expressions.length === 0) {
+    return true;
+  }
+  return false;
+}
+
+// src/rules/security/no-sql-string-concat.ts
+var import_utils13 = require("@typescript-eslint/utils");
+var createRule12 = import_utils13.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var SQL_STATEMENT_PATTERN = /\b(select\s+[\s\S]*\s+from|insert\s+into|update\s+\S+\s+set|delete\s+from|drop\s+table|create\s+(table|database)|alter\s+table|truncate\s+table|exec(?:ute)?\s+\S+|union\s+select)\b/i;
+var SQL_SINK_METHODS = /* @__PURE__ */ new Set([
+  "query",
+  "execute",
+  "queryraw",
+  "queryrawunsafe",
+  "executeraw",
+  "executerawunsafe",
+  "raw",
+  "run",
+  "all",
+  "get",
+  "prepare"
+]);
+var SQL_SINK_FUNCTIONS = /* @__PURE__ */ new Set(["query", "execute"]);
+function getIdentifierName(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.Identifier) {
+    return node.name;
+  }
+  return null;
+}
+function isSqlSinkCall(node) {
+  if (node.callee.type === import_utils13.AST_NODE_TYPES.Identifier) {
+    return SQL_SINK_FUNCTIONS.has(node.callee.name.toLowerCase());
+  }
+  if (node.callee.type === import_utils13.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils13.AST_NODE_TYPES.Identifier) {
+    const methodName = node.callee.property.name.toLowerCase().replace(/^\$/, "");
+    return SQL_SINK_METHODS.has(methodName);
+  }
+  return false;
+}
+function resolveExpression(node, variableMap) {
+  const identifier = getIdentifierName(node);
+  if (identifier && variableMap.has(identifier)) {
+    return variableMap.get(identifier);
+  }
+  return node;
+}
+function isDynamicSqlExpression(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.TemplateLiteral) {
+    if (node.expressions.length === 0) {
+      return false;
+    }
+    const staticText = node.quasis.map((q) => q.value.raw).join(" ");
+    return SQL_STATEMENT_PATTERN.test(staticText);
+  }
+  if (node.type === import_utils13.AST_NODE_TYPES.BinaryExpression && node.operator === "+") {
+    const staticText = collectStaticText(node);
+    if (!SQL_STATEMENT_PATTERN.test(staticText)) {
+      return false;
+    }
+    return hasDynamicParts(node);
+  }
+  return false;
+}
+var noSqlStringConcat = createRule12({
+  name: "no-sql-string-concat",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow string concatenation or interpolation with variables in SQL query contexts. AI tools frequently generate SQL queries using template literals or string concatenation with user input, creating SQL injection vulnerabilities."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      sqlStringConcat: 'Potential SQL injection: string concatenation or interpolation detected in a SQL query. AI tools frequently generate this pattern. Use parameterized queries (e.g., `db.query("SELECT * FROM users WHERE id = $1", [id])`) instead.'
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    const variableMap = /* @__PURE__ */ new Map();
+    return {
+      VariableDeclarator(node) {
+        if (node.id.type === import_utils13.AST_NODE_TYPES.Identifier && node.init && node.init.type !== import_utils13.AST_NODE_TYPES.AwaitExpression) {
+          variableMap.set(node.id.name, node.init);
+        }
+      },
+      AssignmentExpression(node) {
+        if (node.left.type === import_utils13.AST_NODE_TYPES.Identifier && node.right.type !== import_utils13.AST_NODE_TYPES.AwaitExpression) {
+          variableMap.set(node.left.name, node.right);
+        }
+      },
+      CallExpression(node) {
+        if (!isSqlSinkCall(node)) {
+          return;
+        }
+        const firstArg = node.arguments[0];
+        if (!firstArg || firstArg.type === import_utils13.AST_NODE_TYPES.SpreadElement) {
+          return;
+        }
+        const resolved = resolveExpression(firstArg, variableMap);
+        if (!isDynamicSqlExpression(resolved)) {
+          return;
+        }
+        context.report({
+          node: firstArg,
+          messageId: "sqlStringConcat"
+        });
+      }
+    };
+  }
+});
+function collectStaticText(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.BinaryExpression && node.operator === "+") {
+    return `${collectStaticText(node.left)} ${collectStaticText(node.right)}`;
+  }
+  if (node.type === import_utils13.AST_NODE_TYPES.TemplateLiteral) {
+    return node.quasis.map((q) => q.value.raw).join(" ");
+  }
+  const literalValue = getStringLiteralValue(node);
+  return literalValue ?? "";
+}
+function hasDynamicParts(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.BinaryExpression && node.operator === "+") {
+    return hasDynamicParts(node.left) || hasDynamicParts(node.right);
+  }
+  return !isStaticString(node);
+}
+function getStringLiteralValue(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return node.value;
+  }
+  return null;
+}
+function isStaticString(node) {
+  if (node.type === import_utils13.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return true;
+  }
+  if (node.type === import_utils13.AST_NODE_TYPES.TemplateLiteral && node.expressions.length === 0) {
+    return true;
+  }
+  return false;
+}
+
+// src/rules/security/no-unsafe-deserialize.ts
+var import_utils14 = require("@typescript-eslint/utils");
+var createRule13 = import_utils14.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var UNTRUSTED_IDENTIFIER_NAMES = [
+  "input",
+  "userInput",
+  "rawBody",
+  "payload",
+  "body",
+  "query",
+  "param",
+  "params",
+  "data",
+  "requestBody"
+];
+var UNTRUSTED_REQUEST_OBJECTS = ["req", "request"];
+var UNTRUSTED_REQUEST_PROPERTIES = ["body", "query", "params", "param"];
+var UNTRUSTED_LOCATION_PROPERTIES = ["hash", "search", "href"];
+var UNTRUSTED_DOCUMENT_PROPERTIES = ["URL", "referrer"];
+function includesName(list, name) {
+  return list.includes(name);
+}
+function isJsonParseCall(node) {
+  return node.callee.type === import_utils14.AST_NODE_TYPES.MemberExpression && node.callee.object.type === import_utils14.AST_NODE_TYPES.Identifier && node.callee.object.name === "JSON" && node.callee.property.type === import_utils14.AST_NODE_TYPES.Identifier && node.callee.property.name === "parse";
+}
+function unwrapCoercion(node) {
+  let current = node;
+  for (let depth = 0; depth < 5; depth += 1) {
+    if (current.type !== import_utils14.AST_NODE_TYPES.CallExpression) {
+      break;
+    }
+    if (current.callee.type === import_utils14.AST_NODE_TYPES.Identifier && current.callee.name === "String" && current.arguments.length === 1 && current.arguments[0].type !== import_utils14.AST_NODE_TYPES.SpreadElement) {
+      current = current.arguments[0];
+      continue;
+    }
+    if (current.callee.type === import_utils14.AST_NODE_TYPES.MemberExpression && current.callee.property.type === import_utils14.AST_NODE_TYPES.Identifier && current.callee.property.name === "toString" && current.arguments.length === 0) {
+      current = current.callee.object;
+      continue;
+    }
+    break;
+  }
+  return current;
+}
+function isUntrustedMemberExpression(node) {
+  if (node.object.type === import_utils14.AST_NODE_TYPES.Identifier && includesName(UNTRUSTED_REQUEST_OBJECTS, node.object.name) && node.property.type === import_utils14.AST_NODE_TYPES.Identifier && includesName(UNTRUSTED_REQUEST_PROPERTIES, node.property.name)) {
+    return true;
+  }
+  if (node.object.type === import_utils14.AST_NODE_TYPES.Identifier && node.object.name === "location" && node.property.type === import_utils14.AST_NODE_TYPES.Identifier && includesName(UNTRUSTED_LOCATION_PROPERTIES, node.property.name)) {
+    return true;
+  }
+  if (node.object.type === import_utils14.AST_NODE_TYPES.MemberExpression && node.object.object.type === import_utils14.AST_NODE_TYPES.Identifier && node.object.object.name === "window" && node.object.property.type === import_utils14.AST_NODE_TYPES.Identifier && node.object.property.name === "location" && node.property.type === import_utils14.AST_NODE_TYPES.Identifier && includesName(UNTRUSTED_LOCATION_PROPERTIES, node.property.name)) {
+    return true;
+  }
+  if (node.object.type === import_utils14.AST_NODE_TYPES.Identifier && node.object.name === "document" && node.property.type === import_utils14.AST_NODE_TYPES.Identifier && includesName(UNTRUSTED_DOCUMENT_PROPERTIES, node.property.name)) {
+    return true;
+  }
+  if (isLikelyUntrustedSource(node.object)) {
+    return true;
+  }
+  return false;
+}
+function isLikelyUntrustedSource(node) {
+  if (node.type === import_utils14.AST_NODE_TYPES.Identifier) {
+    return includesName(UNTRUSTED_IDENTIFIER_NAMES, node.name);
+  }
+  if (node.type === import_utils14.AST_NODE_TYPES.MemberExpression) {
+    return isUntrustedMemberExpression(node);
+  }
+  return false;
+}
+var noUnsafeDeserialize = createRule13({
+  name: "no-unsafe-deserialize",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Disallow JSON.parse() on likely untrusted input without visible validation. AI tools frequently parse request/user payloads directly, which can introduce unsafe deserialization and downstream injection risks."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      unsafeDeserialize: "Potential unsafe deserialization: JSON.parse() is used on likely untrusted input without visible schema validation. AI tools frequently generate this shortcut. Validate input before parsing."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    function resolvesToUntrustedConst(idNode) {
+      let scope = context.sourceCode.getScope(idNode);
+      while (scope) {
+        const variable = scope.variables.find((v) => v.name === idNode.name);
+        if (variable) {
+          if (variable.defs.length !== 1) {
+            return false;
+          }
+          const declNode = variable.defs[0].node;
+          if (declNode.type === import_utils14.AST_NODE_TYPES.VariableDeclarator && declNode.init !== null && declNode.parent.type === import_utils14.AST_NODE_TYPES.VariableDeclaration && declNode.parent.kind === "const") {
+            return isLikelyUntrustedSource(declNode.init);
+          }
+          return false;
+        }
+        scope = scope.upper;
+      }
+      return false;
+    }
+    return {
+      CallExpression(node) {
+        if (!isJsonParseCall(node)) {
+          return;
+        }
+        const rawArg = node.arguments[0];
+        if (!rawArg || rawArg.type === import_utils14.AST_NODE_TYPES.SpreadElement) {
+          return;
+        }
+        const inputArg = unwrapCoercion(rawArg);
+        const flagged = isLikelyUntrustedSource(inputArg) || inputArg.type === import_utils14.AST_NODE_TYPES.Identifier && resolvesToUntrustedConst(inputArg);
+        if (flagged) {
+          context.report({
+            node,
+            messageId: "unsafeDeserialize"
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/security/require-auth-middleware.ts
+var import_utils15 = require("@typescript-eslint/utils");
+var createRule14 = import_utils15.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var HTTP_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "all",
+  "options",
+  "head"
+]);
+var DEFAULT_AUTH_MIDDLEWARE_NAMES = /* @__PURE__ */ new Set([
+  "authenticate",
+  "requireAuth",
+  "isAuthenticated",
+  "verifyToken",
+  "protect",
+  "authorized",
+  "authorize",
+  "isAdmin",
+  "ensureAuthenticated",
+  "ensureLoggedIn",
+  "auth",
+  "authMiddleware",
+  "requireLogin",
+  "checkAuth",
+  "validateToken",
+  "passport.authenticate",
+  "jwt",
+  "requireSession"
+]);
+var PUBLIC_ROUTE_PATTERNS = [
+  /^\/?$/,
+  // '/' root
+  /^\*$/,
+  // '*' SPA fallback
+  /^\/\*$/,
+  // '/*' SPA fallback
+  /^\/health/,
+  // health checks
+  /^\/ping/,
+  // ping
+  /^\/status/,
+  // status
+  /^\/api\/v\d+\/auth/,
+  // auth routes
+  /^\/auth/,
+  // auth routes
+  /^\/login/,
+  // login
+  /^\/register/,
+  // register
+  /^\/signup/,
+  // signup
+  /^\/forgot/,
+  // forgot password
+  /^\/reset/,
+  // reset password
+  /^\/webhook/,
+  // webhooks
+  /^\/public/,
+  // explicitly public
+  /^\/assets/,
+  // static assets
+  /^\/static/,
+  // static files
+  /^\/favicon/,
+  // favicon
+  /^\/robots/,
+  // robots.txt
+  /^\/sitemap/
+  // sitemap
+];
+var requireAuthMiddleware = createRule14({
+  name: "require-auth-middleware",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["require-framework-auth"],
+    docs: {
+      description: "Require authentication middleware on Express/Fastify route definitions. AI tools frequently generate route handlers without auth middleware, creating unprotected endpoints that expose sensitive data or operations."
+    },
+    fixable: void 0,
+    schema: [
+      {
+        type: "object",
+        properties: {
+          authMiddlewareNames: {
+            type: "array",
+            items: { type: "string" },
+            description: "Additional custom middleware names to recognize as authentication middleware."
+          }
+        },
+        additionalProperties: false
+      }
+    ],
+    messages: {
+      missingAuth: "[ai-guard deprecated \u2014 use require-framework-auth] Route `{{method}} {{path}}` appears to have no authentication middleware. Add authentication middleware (e.g., `protect`, `authenticate`) to the handler chain."
+    }
+  },
+  defaultOptions: [{}],
+  create(context, [options]) {
+    const customNames = new Set(options.authMiddlewareNames ?? []);
+    const allAuthNames = /* @__PURE__ */ new Set([...DEFAULT_AUTH_MIDDLEWARE_NAMES, ...customNames]);
+    let hasRouterUseAuth = false;
+    return {
+      CallExpression(node) {
+        if (isRouterUseAuth(node, allAuthNames)) {
+          hasRouterUseAuth = true;
+          return;
+        }
+        if (!isRouteDefinition(node)) return;
+        if (hasRouterUseAuth) return;
+        const callee = node.callee;
+        const method = callee.property.name;
+        const args = node.arguments;
+        if (args.length < 2) return;
+        const pathArg = args[0];
+        const pathStr = getPathString(pathArg);
+        if (pathStr && isPublicRoute(pathStr)) return;
+        const middlewareArgs = args.slice(1, -1);
+        if (middlewareArgs.length === 0 && args.length === 2) {
+          context.report({
+            node,
+            messageId: "missingAuth",
+            data: {
+              method: method.toUpperCase(),
+              path: pathStr || "<dynamic>"
+            }
+          });
+          return;
+        }
+        const hasAuth = middlewareArgs.some((arg) => isAuthMiddleware(arg, allAuthNames));
+        if (!hasAuth) {
+          context.report({
+            node,
+            messageId: "missingAuth",
+            data: {
+              method: method.toUpperCase(),
+              path: pathStr || "<dynamic>"
+            }
+          });
+        }
+      }
+    };
+  }
+});
+function isRouteDefinition(node) {
+  if (node.callee.type !== import_utils15.AST_NODE_TYPES.MemberExpression) return false;
+  if (node.callee.property.type !== import_utils15.AST_NODE_TYPES.Identifier) return false;
+  const methodName = node.callee.property.name;
+  if (!HTTP_METHODS.has(methodName)) return false;
+  const obj = node.callee.object;
+  if (obj.type === import_utils15.AST_NODE_TYPES.Identifier) {
+    const name = obj.name.toLowerCase();
+    return name === "router" || name === "app" || name.includes("router");
+  }
+  if (obj.type === import_utils15.AST_NODE_TYPES.CallExpression) return true;
+  return false;
+}
+function isRouterUseAuth(node, authNames) {
+  if (node.callee.type !== import_utils15.AST_NODE_TYPES.MemberExpression) return false;
+  if (node.callee.property.type !== import_utils15.AST_NODE_TYPES.Identifier) return false;
+  if (node.callee.property.name !== "use") return false;
+  return node.arguments.some((arg) => isAuthMiddleware(arg, authNames));
+}
+function isAuthMiddleware(node, authNames) {
+  if (node.type === import_utils15.AST_NODE_TYPES.Identifier) {
+    return authNames.has(node.name);
+  }
+  if (node.type === import_utils15.AST_NODE_TYPES.CallExpression) {
+    if (node.callee.type === import_utils15.AST_NODE_TYPES.Identifier) {
+      return authNames.has(node.callee.name);
+    }
+    if (node.callee.type === import_utils15.AST_NODE_TYPES.MemberExpression && node.callee.object.type === import_utils15.AST_NODE_TYPES.Identifier && node.callee.property.type === import_utils15.AST_NODE_TYPES.Identifier) {
+      const fullName = `${node.callee.object.name}.${node.callee.property.name}`;
+      return authNames.has(fullName) || authNames.has(node.callee.property.name);
+    }
+  }
+  return false;
+}
+function getPathString(node) {
+  if (node.type === import_utils15.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return node.value;
+  }
+  if (node.type === import_utils15.AST_NODE_TYPES.TemplateLiteral) {
+    if (node.expressions.length === 0 && node.quasis.length === 1) {
+      return node.quasis[0].value.cooked ?? null;
+    }
+    if (node.quasis.length > 0) {
+      return node.quasis[0].value.cooked ?? null;
+    }
+  }
+  return null;
+}
+function isPublicRoute(pathStr) {
+  return PUBLIC_ROUTE_PATTERNS.some((pattern) => pattern.test(pathStr));
+}
+
+// src/rules/security/require-authz-check.ts
+var import_utils16 = require("@typescript-eslint/utils");
+var createRule15 = import_utils16.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var ROUTE_METHODS = ["get", "post", "put", "patch", "delete"];
+var AUTHZ_HELPER_NAMES = [
+  "authorize",
+  "authorise",
+  "checkOwnership",
+  "ensureOwner",
+  "isOwner",
+  "canAccess",
+  "canModify",
+  "hasAccess"
+];
+function isRouteRegistrationCall(node) {
+  if (node.callee.type !== import_utils16.AST_NODE_TYPES.MemberExpression || node.callee.property.type !== import_utils16.AST_NODE_TYPES.Identifier) {
+    return false;
+  }
+  if (!ROUTE_METHODS.includes(node.callee.property.name)) {
+    return false;
+  }
+  const firstArg = node.arguments[0];
+  if (!firstArg) {
+    return false;
+  }
+  return firstArg.type === import_utils16.AST_NODE_TYPES.Literal && typeof firstArg.value === "string" || firstArg.type === import_utils16.AST_NODE_TYPES.TemplateLiteral && firstArg.expressions.length === 0;
+}
+function getStaticPathArg(node) {
+  const firstArg = node.arguments[0];
+  if (!firstArg) return null;
+  if (firstArg.type === import_utils16.AST_NODE_TYPES.Literal && typeof firstArg.value === "string") {
+    return firstArg.value;
+  }
+  if (firstArg.type === import_utils16.AST_NODE_TYPES.TemplateLiteral && firstArg.expressions.length === 0) {
+    return firstArg.quasis[0]?.value.cooked ?? null;
+  }
+  return null;
+}
+function getMemberPath(node) {
+  if (node.type === import_utils16.AST_NODE_TYPES.Identifier) {
+    return [node.name];
+  }
+  if (node.type !== import_utils16.AST_NODE_TYPES.MemberExpression || node.computed) {
+    return null;
+  }
+  const objectPath = getMemberPath(node.object);
+  if (!objectPath) {
+    return null;
+  }
+  if (node.property.type !== import_utils16.AST_NODE_TYPES.Identifier) {
+    return null;
+  }
+  return [...objectPath, node.property.name];
+}
+function hasPathPrefix(path, prefix) {
+  if (!path || path.length < prefix.length) {
+    return false;
+  }
+  for (let i = 0; i < prefix.length; i += 1) {
+    if (path[i] !== prefix[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function isLikelyResourceIdPath(path) {
+  if (!path || path.length < 3) {
+    return false;
+  }
+  if (!hasPathPrefix(path, ["req", "params"]) && !hasPathPrefix(path, ["req", "body"]) && !hasPathPrefix(path, ["req", "query"])) {
+    return false;
+  }
+  const last = path[path.length - 1].toLowerCase();
+  return last === "id" || last.endsWith("id");
+}
+function isReqUserPath(path) {
+  return hasPathPrefix(path, ["req", "user"]);
+}
+function containsAuthorizationHelper(node) {
+  if (node.type === import_utils16.AST_NODE_TYPES.CallExpression && (node.callee.type === import_utils16.AST_NODE_TYPES.Identifier && AUTHZ_HELPER_NAMES.includes(node.callee.name) || node.callee.type === import_utils16.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils16.AST_NODE_TYPES.Identifier && AUTHZ_HELPER_NAMES.includes(node.callee.property.name))) {
+    return true;
+  }
+  const entries = Object.entries(node);
+  for (const [key, value] of entries) {
+    if (key === "parent") continue;
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        if (child && typeof child === "object" && "type" in child) {
+          if (containsAuthorizationHelper(child)) return true;
+        }
+      }
+      continue;
+    }
+    if (value && typeof value === "object" && "type" in value) {
+      if (containsAuthorizationHelper(value)) return true;
+    }
+  }
+  return false;
+}
+function collectBodySignals(node) {
+  let hasResourceIdAccess = false;
+  let hasOwnershipCheck = false;
+  const walk = (current) => {
+    if (current.type === import_utils16.AST_NODE_TYPES.BinaryExpression && ["===", "==", "!==", "!="].includes(current.operator)) {
+      const leftPath = getMemberPath(current.left);
+      const rightPath = getMemberPath(current.right);
+      const leftIsUser = isReqUserPath(leftPath);
+      const rightIsUser = isReqUserPath(rightPath);
+      const leftIsResource = isLikelyResourceIdPath(leftPath);
+      const rightIsResource = isLikelyResourceIdPath(rightPath);
+      if (leftIsUser && rightIsResource || rightIsUser && leftIsResource) {
+        hasOwnershipCheck = true;
+      }
+    }
+    if (current.type === import_utils16.AST_NODE_TYPES.MemberExpression) {
+      const path = getMemberPath(current);
+      if (isLikelyResourceIdPath(path)) {
+        hasResourceIdAccess = true;
+      }
+    }
+    if (containsAuthorizationHelper(current)) {
+      hasOwnershipCheck = true;
+    }
+    const entries = Object.entries(current);
+    for (const [key, value] of entries) {
+      if (key === "parent") continue;
+      if (Array.isArray(value)) {
+        for (const child of value) {
+          if (child && typeof child === "object" && "type" in child) {
+            walk(child);
+          }
+        }
+        continue;
+      }
+      if (value && typeof value === "object" && "type" in value) {
+        walk(value);
+      }
+    }
+  };
+  walk(node);
+  return { hasResourceIdAccess, hasOwnershipCheck };
+}
+var requireAuthzCheck = createRule15({
+  name: "require-authz-check",
+  meta: {
+    type: "suggestion",
+    deprecated: true,
+    replacedBy: ["require-framework-authz"],
+    docs: {
+      description: "Require a visible authorization/ownership check when route handlers access resource identifiers (e.g., req.params.id). AI tools often add auth middleware but forget per-resource authorization checks."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      missingAuthz: "[ai-guard deprecated \u2014 use require-framework-authz] Potential missing authorization check. This handler uses resource identifiers (like req.params.id) but no visible ownership/authorization guard was found."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (!isRouteRegistrationCall(node)) {
+          return;
+        }
+        const routePath = getStaticPathArg(node);
+        const hasRouteIdParam = typeof routePath === "string" && routePath.includes(":");
+        for (const arg of node.arguments) {
+          if (arg.type !== import_utils16.AST_NODE_TYPES.FunctionExpression && arg.type !== import_utils16.AST_NODE_TYPES.ArrowFunctionExpression) {
+            continue;
+          }
+          if (arg.body.type !== import_utils16.AST_NODE_TYPES.BlockStatement) {
+            continue;
+          }
+          const signals = collectBodySignals(arg.body);
+          const isSensitive = hasRouteIdParam && signals.hasResourceIdAccess;
+          if (isSensitive && !signals.hasOwnershipCheck) {
+            context.report({
+              node: arg,
+              messageId: "missingAuthz"
+            });
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/rules/security/require-framework-auth.ts
+var import_utils18 = require("@typescript-eslint/utils");
+
+// src/utils/framework-detectors.ts
+var import_utils17 = require("@typescript-eslint/utils");
+var FRAMEWORK_MODULES = {
+  express: "express",
+  fastify: "fastify",
+  hono: "hono",
+  "@nestjs/common": "nestjs",
+  "@nestjs/core": "nestjs"
+};
+var NEXTJS_ROUTE_PATTERN = /[/\\]app[/\\](.*[/\\])?route\.(ts|tsx|js|jsx)$/;
+function buildImportMap(sourceCode) {
+  const modules = /* @__PURE__ */ new Map();
+  const locals = /* @__PURE__ */ new Map();
+  for (const node of sourceCode.ast.body) {
+    if (node.type !== import_utils17.AST_NODE_TYPES.ImportDeclaration) continue;
+    const mod = node.source.value;
+    if (!modules.has(mod)) {
+      modules.set(mod, /* @__PURE__ */ new Set());
+    }
+    const names = modules.get(mod);
+    for (const spec of node.specifiers) {
+      switch (spec.type) {
+        case import_utils17.AST_NODE_TYPES.ImportDefaultSpecifier:
+          names.add("default");
+          locals.set(spec.local.name, mod);
+          break;
+        case import_utils17.AST_NODE_TYPES.ImportSpecifier:
+          names.add(spec.imported.type === import_utils17.AST_NODE_TYPES.Identifier ? spec.imported.name : spec.imported.value);
+          locals.set(spec.local.name, mod);
+          break;
+        case import_utils17.AST_NODE_TYPES.ImportNamespaceSpecifier:
+          names.add("*");
+          locals.set(spec.local.name, mod);
+          break;
+      }
+    }
+  }
+  return { modules, locals };
+}
+function detectFramework(importMap, filename) {
+  for (const [mod, kind] of Object.entries(FRAMEWORK_MODULES)) {
+    if (importMap.modules.has(mod)) return kind;
+  }
+  if (isNextjsRouteHandler(filename)) return "nextjs-app-router";
+  return "unknown";
+}
+function isNextjsRouteHandler(filename) {
+  return NEXTJS_ROUTE_PATTERN.test(filename);
+}
+function hasImport(importMap, moduleName) {
+  return importMap.modules.has(moduleName);
+}
+function localComesFrom(importMap, localName, moduleName) {
+  return importMap.locals.get(localName) === moduleName;
+}
+function hasDecoratorNamed(node, names) {
+  const decorators = node.decorators;
+  if (!decorators) return false;
+  return decorators.some((d) => {
+    const name = getDecoratorCallName(d);
+    return name !== null && names.has(name);
+  });
+}
+function getDecoratorCallName(decorator) {
+  const expr = decorator.expression;
+  if (expr.type === import_utils17.AST_NODE_TYPES.Identifier) {
+    return expr.name;
+  }
+  if (expr.type === import_utils17.AST_NODE_TYPES.MemberExpression && expr.property.type === import_utils17.AST_NODE_TYPES.Identifier) {
+    return expr.property.name;
+  }
+  if (expr.type === import_utils17.AST_NODE_TYPES.CallExpression) {
+    if (expr.callee.type === import_utils17.AST_NODE_TYPES.Identifier) {
+      return expr.callee.name;
+    }
+    if (expr.callee.type === import_utils17.AST_NODE_TYPES.MemberExpression && expr.callee.property.type === import_utils17.AST_NODE_TYPES.Identifier) {
+      return expr.callee.property.name;
+    }
+  }
+  return null;
+}
+function getMemberPath2(node) {
+  const unwrapped = unwrapTSExpression(node);
+  if (unwrapped.type === import_utils17.AST_NODE_TYPES.Identifier) {
+    return [unwrapped.name];
+  }
+  if (unwrapped.type !== import_utils17.AST_NODE_TYPES.MemberExpression || unwrapped.computed) {
+    return null;
+  }
+  const objectPath = getMemberPath2(unwrapped.object);
+  if (!objectPath) return null;
+  if (unwrapped.property.type !== import_utils17.AST_NODE_TYPES.Identifier) return null;
+  return [...objectPath, unwrapped.property.name];
+}
+function getStaticPropKey(prop) {
+  if (prop.type !== import_utils17.AST_NODE_TYPES.Property) return null;
+  if (prop.key.type === import_utils17.AST_NODE_TYPES.Identifier) return prop.key.name;
+  if (prop.key.type === import_utils17.AST_NODE_TYPES.Literal && typeof prop.key.value === "string") {
+    return prop.key.value;
+  }
+  return null;
+}
+function getPathString2(node) {
+  if (node.type === import_utils17.AST_NODE_TYPES.Literal && typeof node.value === "string") {
+    return node.value;
+  }
+  if (node.type === import_utils17.AST_NODE_TYPES.TemplateLiteral) {
+    if (node.expressions.length === 0 && node.quasis.length === 1) {
+      return node.quasis[0].value.cooked ?? null;
+    }
+    if (node.quasis.length > 0) {
+      const first = node.quasis[0].value.cooked ?? null;
+      if (first === "" || first === "/") return null;
+      return first;
+    }
+  }
+  return null;
+}
+function isCallToName(node, names) {
+  if (node.callee.type === import_utils17.AST_NODE_TYPES.Identifier) {
+    return names.has(node.callee.name);
+  }
+  if (node.callee.type === import_utils17.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils17.AST_NODE_TYPES.Identifier) {
+    if (names.has(node.callee.property.name)) return true;
+    if (node.callee.object.type === import_utils17.AST_NODE_TYPES.Identifier) {
+      return names.has(`${node.callee.object.name}.${node.callee.property.name}`);
+    }
+  }
+  return false;
+}
+function bodyContainsCallTo(body, names) {
+  return walkForCall(body, names);
+}
+var AST_SKIP_KEYS = /* @__PURE__ */ new Set([
+  "parent",
+  "loc",
+  "range",
+  "typeAnnotation",
+  "returnType",
+  "typeParameters",
+  "typeArguments"
+]);
+var STOP_DESCENT_NODE_TYPES = /* @__PURE__ */ new Set([
+  import_utils17.AST_NODE_TYPES.FunctionDeclaration,
+  import_utils17.AST_NODE_TYPES.ClassDeclaration,
+  import_utils17.AST_NODE_TYPES.ClassExpression,
+  import_utils17.AST_NODE_TYPES.MethodDefinition
+]);
+function walkForCall(node, names, seen = /* @__PURE__ */ new WeakSet()) {
+  if (seen.has(node)) return false;
+  seen.add(node);
+  if (node.type === import_utils17.AST_NODE_TYPES.CallExpression && isCallToName(node, names)) {
+    return true;
+  }
+  for (const key of Object.keys(node)) {
+    if (AST_SKIP_KEYS.has(key)) continue;
+    const value = node[key];
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        if (isASTNode(child) && !STOP_DESCENT_NODE_TYPES.has(child.type)) {
+          if (walkForCall(child, names, seen)) return true;
+        }
+      }
+    } else if (isASTNode(value) && !STOP_DESCENT_NODE_TYPES.has(value.type)) {
+      if (walkForCall(value, names, seen)) return true;
+    }
+  }
+  return false;
+}
+function safeCompileRegex(pattern, maxLength = 200) {
+  if (pattern.length > maxLength) return null;
+  if (/\([^)]*[+*]\)[+*?{]/.test(pattern)) return null;
+  if (/\(([^|)]+)\|\1\)[+*]/.test(pattern)) return null;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return null;
+  }
+}
+function unwrapTSExpression(node) {
+  let current = node;
+  while (current.type === import_utils17.AST_NODE_TYPES.TSAsExpression || current.type === import_utils17.AST_NODE_TYPES.TSTypeAssertion || current.type === import_utils17.AST_NODE_TYPES.TSNonNullExpression || current.type === import_utils17.AST_NODE_TYPES.TSSatisfiesExpression) {
+    current = current.expression;
+  }
+  return current;
+}
+function isASTNode(value) {
+  return typeof value === "object" && value !== null && "type" in value && typeof value.type === "string";
+}
+
+// src/rules/security/require-framework-auth.ts
+var createRule16 = import_utils18.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var HTTP_METHODS2 = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "all",
+  "options",
+  "head"
+]);
+var MUTATING_METHODS = /* @__PURE__ */ new Set(["post", "put", "patch", "delete"]);
+var NEXTJS_EXPORT_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE", "GET"]);
+var DEFAULT_AUTH_NAMES = /* @__PURE__ */ new Set([
+  "authenticate",
+  "requireAuth",
+  "isAuthenticated",
+  "verifyToken",
+  "protect",
+  "authorized",
+  "authorize",
+  "isAdmin",
+  "ensureAuthenticated",
+  "ensureLoggedIn",
+  "auth",
+  "authMiddleware",
+  "requireLogin",
+  "checkAuth",
+  "validateToken",
+  "passport.authenticate",
+  "jwt",
+  "requireSession",
+  "clerkMiddleware",
+  "withAuth",
+  "requireAuthentication"
+]);
+var DEFAULT_NEXTJS_AUTH_CALLERS = /* @__PURE__ */ new Set([
+  "auth",
+  "auth.protect",
+  "currentUser",
+  "getServerSession",
+  "getToken",
+  "verifySession",
+  "getUser",
+  "supabase.auth.getUser"
+]);
+var DEFAULT_SKIP_DECORATORS = /* @__PURE__ */ new Set([
+  "Public",
+  "SkipAuth",
+  "AllowAnonymous",
+  "NoAuth"
+]);
+var NESTJS_HTTP_DECORATORS = /* @__PURE__ */ new Set([
+  "Get",
+  "Post",
+  "Put",
+  "Patch",
+  "Delete",
+  "All",
+  "Options",
+  "Head"
+]);
+var NESTJS_MUTATING_DECORATORS = /* @__PURE__ */ new Set(["Post", "Put", "Patch", "Delete"]);
+var DEFAULT_PUBLIC_ROUTE_PATTERNS = [
+  /^\/?$/,
+  /^\*$/,
+  /^\/\*$/,
+  /^\/health(\/|$)/,
+  /^\/healthz(\/|$)/,
+  /^\/ping(\/|$)/,
+  /^\/status(\/|$)/,
+  /^\/api\/v\d+\/auth(\/|$)/,
+  /^\/auth(\/|$)/,
+  /^\/login(\/|$)/,
+  /^\/register(\/|$)/,
+  /^\/signup(\/|$)/,
+  /^\/forgot(\/|$)/,
+  /^\/reset(\/|$)/,
+  /^\/public(\/|$)/,
+  /^\/assets(\/|$)/,
+  /^\/static(\/|$)/,
+  /^\/favicon(\/|$|\.ico$)/,
+  /^\/robots(\/|$|\.txt$)/,
+  /^\/sitemap(\/|$|\.xml$)/,
+  /^\/\.well-known(\/|$)/
+];
+var HONO_AUTH_MODULES = /* @__PURE__ */ new Set([
+  "hono/basic-auth",
+  "hono/bearer-auth",
+  "hono/jwt"
+]);
+var requireFrameworkAuth = createRule16({
+  name: "require-framework-auth",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Require authentication on route handlers across Express, Fastify, Hono, NestJS, and Next.js App Router. Detects missing auth middleware, guards, or imperative auth calls."
+    },
+    fixable: void 0,
+    schema: [
+      {
+        type: "object",
+        properties: {
+          knownAuthCallers: {
+            type: "array",
+            items: { type: "string" },
+            description: "Additional function/middleware names recognized as auth checks."
+          },
+          publicRoutePatterns: {
+            type: "array",
+            items: { type: "string" },
+            description: "Regex patterns for routes that should not require auth."
+          },
+          skipDecorators: {
+            type: "array",
+            items: { type: "string" },
+            description: "NestJS decorator names that mark a handler as public."
+          },
+          assumeGlobalAuth: {
+            type: "boolean",
+            description: "If true, suppresses reports when global auth may exist."
+          },
+          mutatingOnly: {
+            type: "boolean",
+            description: "If true, only check POST/PUT/PATCH/DELETE routes."
+          }
+        },
+        additionalProperties: false
+      }
+    ],
+    messages: {
+      missingAuth: "Route handler `{{method}} {{path}}` has no visible authentication check. Add auth middleware or configure `knownAuthCallers`.",
+      missingAuthNextjs: "Exported `{{method}}` handler in App Router route file has no visible auth call. Add an auth check (e.g., `auth()`, `getServerSession()`) or configure `knownAuthCallers`.",
+      missingAuthNestjs: "Method `{{method}}` in `@Controller` class has no `@UseGuards` decorator. Add `@UseGuards(AuthGuard)` at method or class level, or mark with `@Public()`."
+    }
+  },
+  defaultOptions: [{}],
+  create(context, [options]) {
+    const customAuthNames = new Set(options.knownAuthCallers ?? []);
+    const allAuthNames = /* @__PURE__ */ new Set([...DEFAULT_AUTH_NAMES, ...customAuthNames]);
+    const allNextjsCallers = /* @__PURE__ */ new Set([...DEFAULT_NEXTJS_AUTH_CALLERS, ...customAuthNames]);
+    const skipDecoratorNames = /* @__PURE__ */ new Set([
+      ...DEFAULT_SKIP_DECORATORS,
+      ...options.skipDecorators ?? []
+    ]);
+    const assumeGlobalAuth = options.assumeGlobalAuth ?? false;
+    const mutatingOnly = options.mutatingOnly ?? false;
+    const userPublicPatterns = (options.publicRoutePatterns ?? []).map((p) => safeCompileRegex(p)).filter((r) => r !== null);
+    const allPublicPatterns = [...DEFAULT_PUBLIC_ROUTE_PATTERNS, ...userPublicPatterns];
+    let importMap = null;
+    let framework2 = null;
+    let hasBlanketAuth = false;
+    let hasHonoAuthImport = false;
+    function getImportMap() {
+      if (!importMap) {
+        importMap = buildImportMap(context.sourceCode);
+        framework2 = detectFramework(importMap, context.filename);
+        for (const mod of HONO_AUTH_MODULES) {
+          if (hasImport(importMap, mod)) {
+            hasHonoAuthImport = true;
+            break;
+          }
+        }
+      }
+      return importMap;
+    }
+    function isPublicRoute2(path) {
+      return allPublicPatterns.some((p) => p.test(path));
+    }
+    function isAuthMiddleware2(node) {
+      if (node.type === import_utils18.AST_NODE_TYPES.Identifier) {
+        return allAuthNames.has(node.name);
+      }
+      if (node.type === import_utils18.AST_NODE_TYPES.CallExpression) {
+        return isCallToName(node, allAuthNames);
+      }
+      return false;
+    }
+    function isFastifyRouteReceiver(objNode) {
+      const obj = unwrapTSExpression(objNode);
+      if (obj.type === import_utils18.AST_NODE_TYPES.Identifier) {
+        const name = obj.name.toLowerCase();
+        if (name === "router" || name === "app" || name === "fastify" || name === "server" || name.includes("router")) {
+          return true;
+        }
+        if (importMap) {
+          const sourceMod = importMap.locals.get(obj.name);
+          if (sourceMod === "fastify") return true;
+        }
+        return false;
+      }
+      return obj.type === import_utils18.AST_NODE_TYPES.CallExpression;
+    }
+    function isRouteDefinition2(node) {
+      if (node.callee.type !== import_utils18.AST_NODE_TYPES.MemberExpression) return false;
+      if (node.callee.property.type !== import_utils18.AST_NODE_TYPES.Identifier) return false;
+      const methodName = node.callee.property.name;
+      if (!HTTP_METHODS2.has(methodName)) return false;
+      if (mutatingOnly && !MUTATING_METHODS.has(methodName)) return false;
+      const obj = unwrapTSExpression(node.callee.object);
+      if (obj.type === import_utils18.AST_NODE_TYPES.Identifier) {
+        const name = obj.name.toLowerCase();
+        if (name === "router" || name === "app" || name === "fastify" || name === "server" || name.includes("router")) {
+          return true;
+        }
+        if (importMap) {
+          const sourceMod = importMap.locals.get(obj.name);
+          if (sourceMod && (sourceMod === "express" || sourceMod === "fastify" || sourceMod === "hono")) {
+            return true;
+          }
+        }
+        return false;
+      }
+      if (obj.type === import_utils18.AST_NODE_TYPES.CallExpression) return true;
+      return false;
+    }
+    function checkBlanketAuth(node) {
+      if (node.callee.type !== import_utils18.AST_NODE_TYPES.MemberExpression) return;
+      if (node.callee.property.type !== import_utils18.AST_NODE_TYPES.Identifier) return;
+      const propName = node.callee.property.name;
+      if (propName === "use") {
+        if (node.arguments.some((arg) => isAuthMiddleware2(arg))) {
+          hasBlanketAuth = true;
+        }
+        return;
+      }
+      if (propName === "addHook" && node.arguments.length >= 2) {
+        const hookName = node.arguments[0];
+        if (hookName.type === import_utils18.AST_NODE_TYPES.Literal && typeof hookName.value === "string" && (hookName.value === "preHandler" || hookName.value === "onRequest")) {
+          if (node.arguments.slice(1).some((arg) => isAuthMiddleware2(arg))) {
+            hasBlanketAuth = true;
+          }
+        }
+      }
+    }
+    function checkFastifyRouteOptions(node, _methodName) {
+      for (const arg of node.arguments) {
+        if (arg.type !== import_utils18.AST_NODE_TYPES.ObjectExpression) continue;
+        for (const prop of arg.properties) {
+          const keyName = getStaticPropKey(prop);
+          if (keyName !== "preHandler" && keyName !== "onRequest") continue;
+          const propValue = prop.value;
+          if (propValue.type === import_utils18.AST_NODE_TYPES.ArrayExpression) {
+            if (propValue.elements.some((el) => el && isAuthMiddleware2(el))) {
+              return true;
+            }
+          }
+          if (isAuthMiddleware2(propValue)) return true;
+        }
+      }
+      return false;
+    }
+    function checkHonoOnRoute(node) {
+      const args = node.arguments;
+      if (args.length < 3) return;
+      const methodArg = args[0];
+      let methodLabel = "";
+      let isMutating = false;
+      const recordMethod = (s) => {
+        const lower = s.toLowerCase();
+        if (MUTATING_METHODS.has(lower)) isMutating = true;
+        methodLabel = methodLabel ? `${methodLabel}|${s.toUpperCase()}` : s.toUpperCase();
+      };
+      if (methodArg.type === import_utils18.AST_NODE_TYPES.Literal && typeof methodArg.value === "string") {
+        recordMethod(methodArg.value);
+      } else if (methodArg.type === import_utils18.AST_NODE_TYPES.ArrayExpression) {
+        if (methodArg.elements.length === 0) return;
+        let hasUnknownMethod = false;
+        for (const el of methodArg.elements) {
+          if (el && el.type === import_utils18.AST_NODE_TYPES.Literal && typeof el.value === "string") {
+            recordMethod(el.value);
+          } else if (el) {
+            hasUnknownMethod = true;
+          }
+        }
+        if (hasUnknownMethod) {
+          isMutating = true;
+          methodLabel = methodLabel ? `${methodLabel}|<dynamic>` : "<dynamic>";
+        }
+      } else {
+        isMutating = true;
+        methodLabel = "<dynamic>";
+      }
+      if (mutatingOnly && !isMutating) return;
+      const pathStr = getPathString2(args[1]);
+      if (pathStr && isPublicRoute2(pathStr)) return;
+      const middlewareArgs = args.slice(2, -1);
+      if (middlewareArgs.some((arg) => isAuthMiddleware2(arg))) return;
+      context.report({
+        node,
+        messageId: "missingAuth",
+        data: { method: methodLabel || "ON", path: pathStr || "<dynamic>" }
+      });
+    }
+    function checkExpressHonoRoute(node) {
+      const callee = node.callee;
+      const method = callee.property.name;
+      const args = node.arguments;
+      function getRoutePathFromChain(start) {
+        let current = unwrapTSExpression(start);
+        while (current.type === import_utils18.AST_NODE_TYPES.CallExpression) {
+          if (current.callee.type !== import_utils18.AST_NODE_TYPES.MemberExpression || current.callee.property.type !== import_utils18.AST_NODE_TYPES.Identifier) {
+            return void 0;
+          }
+          const propName = current.callee.property.name;
+          if (propName === "route") {
+            return current.arguments[0] ? getPathString2(current.arguments[0]) : null;
+          }
+          if (!HTTP_METHODS2.has(propName)) return void 0;
+          current = unwrapTSExpression(current.callee.object);
+        }
+        return void 0;
+      }
+      const inheritedPath = getRoutePathFromChain(callee.object);
+      if (inheritedPath !== void 0) {
+        if (inheritedPath && isPublicRoute2(inheritedPath)) return;
+        const middlewareArgs2 = args.slice(0, -1);
+        if (args.length === 0) return;
+        if (args.length === 1) {
+          context.report({
+            node,
+            messageId: "missingAuth",
+            data: { method: method.toUpperCase(), path: inheritedPath || "<dynamic>" }
+          });
+          return;
+        }
+        if (!middlewareArgs2.some((arg) => isAuthMiddleware2(arg))) {
+          context.report({
+            node,
+            messageId: "missingAuth",
+            data: { method: method.toUpperCase(), path: inheritedPath || "<dynamic>" }
+          });
+        }
+        return;
+      }
+      if (args.length < 2) return;
+      const pathStr = getPathString2(args[0]);
+      if (pathStr && isPublicRoute2(pathStr)) return;
+      const middlewareArgs = args.slice(1, -1);
+      if (middlewareArgs.length === 0 && args.length === 2) {
+        if (hasHonoAuthImport) return;
+        context.report({
+          node,
+          messageId: "missingAuth",
+          data: { method: method.toUpperCase(), path: pathStr || "<dynamic>" }
+        });
+        return;
+      }
+      if (!middlewareArgs.some((arg) => isAuthMiddleware2(arg))) {
+        context.report({
+          node,
+          messageId: "missingAuth",
+          data: { method: method.toUpperCase(), path: pathStr || "<dynamic>" }
+        });
+      }
+    }
+    function checkFastifyRoute(node) {
+      const callee = node.callee;
+      const method = callee.property.name;
+      const args = node.arguments;
+      if (args.length < 1) return;
+      if (method === "route") {
+        const optsArg = args[0];
+        if (optsArg.type === import_utils18.AST_NODE_TYPES.ObjectExpression) {
+          let routeMethod = "";
+          let routeUrl = "";
+          for (const prop of optsArg.properties) {
+            const keyName = getStaticPropKey(prop);
+            if (keyName === null) continue;
+            const propValue = prop.value;
+            if (keyName === "method" && propValue.type === import_utils18.AST_NODE_TYPES.Literal) {
+              routeMethod = String(propValue.value).toUpperCase();
+            }
+            if (keyName === "url") {
+              routeUrl = getPathString2(propValue) || "<dynamic>";
+            }
+          }
+          if (routeUrl && isPublicRoute2(routeUrl)) return;
+          if (mutatingOnly && !MUTATING_METHODS.has(routeMethod.toLowerCase())) return;
+          if (!checkFastifyRouteOptions(node, routeMethod)) {
+            context.report({
+              node,
+              messageId: "missingAuth",
+              data: { method: routeMethod || "ROUTE", path: routeUrl || "<dynamic>" }
+            });
+          }
+        }
+        return;
+      }
+      if (args.length < 2) return;
+      const pathStr = getPathString2(args[0]);
+      if (pathStr && isPublicRoute2(pathStr)) return;
+      if (checkFastifyRouteOptions(node, method)) return;
+      const middlewareArgs = args.slice(1, -1);
+      if (middlewareArgs.some((arg) => isAuthMiddleware2(arg))) return;
+      context.report({
+        node,
+        messageId: "missingAuth",
+        data: { method: method.toUpperCase(), path: pathStr || "<dynamic>" }
+      });
+    }
+    return {
+      CallExpression(node) {
+        getImportMap();
+        if (assumeGlobalAuth) return;
+        if (framework2 === "nestjs" || framework2 === "nextjs-app-router") return;
+        checkBlanketAuth(node);
+        if (hasBlanketAuth) return;
+        if (framework2 === "hono" && node.callee.type === import_utils18.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils18.AST_NODE_TYPES.Identifier && node.callee.property.name === "on") {
+          checkHonoOnRoute(node);
+          return;
+        }
+        if (framework2 === "fastify" && node.callee.type === import_utils18.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils18.AST_NODE_TYPES.Identifier && node.callee.property.name === "route" && isFastifyRouteReceiver(node.callee.object)) {
+          checkFastifyRoute(node);
+          return;
+        }
+        if (!isRouteDefinition2(node)) return;
+        if (framework2 === "fastify") {
+          checkFastifyRoute(node);
+        } else {
+          checkExpressHonoRoute(node);
+        }
+      },
+      ClassDeclaration(node) {
+        getImportMap();
+        if (framework2 !== "nestjs") return;
+        if (assumeGlobalAuth) return;
+        if (!hasDecoratorNamed(node, /* @__PURE__ */ new Set(["Controller"]))) return;
+        const classHasGuards = hasDecoratorNamed(node, /* @__PURE__ */ new Set(["UseGuards"]));
+        for (const member of node.body.body) {
+          if (member.type !== import_utils18.AST_NODE_TYPES.MethodDefinition) continue;
+          if (member.kind !== "method") continue;
+          if (member.static) continue;
+          const httpDecorators = member.decorators?.filter((d) => {
+            const name = getDecoratorCallName(d);
+            return name !== null && NESTJS_HTTP_DECORATORS.has(name);
+          }) ?? [];
+          if (httpDecorators.length === 0) continue;
+          const httpDecName = getDecoratorCallName(httpDecorators[0]) ?? "unknown";
+          if (mutatingOnly && !NESTJS_MUTATING_DECORATORS.has(httpDecName)) continue;
+          if (hasDecoratorNamed(member, skipDecoratorNames)) continue;
+          if (classHasGuards) continue;
+          if (hasDecoratorNamed(member, /* @__PURE__ */ new Set(["UseGuards"]))) continue;
+          const methodName = member.key.type === import_utils18.AST_NODE_TYPES.Identifier ? member.key.name : "<computed>";
+          context.report({
+            node: member,
+            messageId: "missingAuthNestjs",
+            data: { method: methodName }
+          });
+        }
+      },
+      ExportNamedDeclaration(node) {
+        getImportMap();
+        if (framework2 !== "nextjs-app-router") return;
+        if (assumeGlobalAuth) return;
+        const decl = node.declaration;
+        if (!decl) return;
+        if (decl.type === import_utils18.AST_NODE_TYPES.FunctionDeclaration && decl.id && NEXTJS_EXPORT_METHODS.has(decl.id.name)) {
+          const method = decl.id.name;
+          if (mutatingOnly && method === "GET") return;
+          if (decl.body && !bodyContainsCallTo(decl.body, allNextjsCallers)) {
+            context.report({
+              node: decl,
+              messageId: "missingAuthNextjs",
+              data: { method }
+            });
+          }
+        }
+        if (decl.type === import_utils18.AST_NODE_TYPES.VariableDeclaration) {
+          for (const declarator of decl.declarations) {
+            if (declarator.id.type === import_utils18.AST_NODE_TYPES.Identifier && NEXTJS_EXPORT_METHODS.has(declarator.id.name) && declarator.init) {
+              const method = declarator.id.name;
+              if (mutatingOnly && method === "GET") continue;
+              const init = declarator.init;
+              if (init.type === import_utils18.AST_NODE_TYPES.ArrowFunctionExpression || init.type === import_utils18.AST_NODE_TYPES.FunctionExpression) {
+                if (!bodyContainsCallTo(init.body, allNextjsCallers)) {
+                  context.report({
+                    node: declarator,
+                    messageId: "missingAuthNextjs",
+                    data: { method }
+                  });
+                }
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/rules/security/require-framework-authz.ts
+var import_utils19 = require("@typescript-eslint/utils");
+var createRule17 = import_utils19.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var ROUTE_METHODS2 = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete"]);
+var DEFAULT_AUTHZ_HELPERS = /* @__PURE__ */ new Set([
+  "authorize",
+  "authorise",
+  "checkOwnership",
+  "ensureOwner",
+  "isOwner",
+  "canAccess",
+  "canModify",
+  "hasAccess",
+  "checkPermission",
+  "checkPermissions"
+]);
+var CASL_METHODS = /* @__PURE__ */ new Set(["can", "cannot", "throwUnlessCan"]);
+var CASL_MODULES = /* @__PURE__ */ new Set(["@casl/ability"]);
+var CASBIN_METHODS = /* @__PURE__ */ new Set(["enforce", "enforceSync"]);
+var CASBIN_MODULES = /* @__PURE__ */ new Set(["casbin"]);
+var CERBOS_METHODS = /* @__PURE__ */ new Set(["checkResource", "checkResources", "isAllowed"]);
+var CERBOS_MODULES = /* @__PURE__ */ new Set(["@cerbos/grpc", "@cerbos/http", "@cerbos/core"]);
+var PERMIT_METHODS = /* @__PURE__ */ new Set(["check"]);
+var PERMIT_MODULES = /* @__PURE__ */ new Set(["permitio"]);
+function isRouteRegistration(node) {
+  if (node.callee.type !== import_utils19.AST_NODE_TYPES.MemberExpression) return false;
+  if (node.callee.property.type !== import_utils19.AST_NODE_TYPES.Identifier) return false;
+  if (!ROUTE_METHODS2.has(node.callee.property.name)) return false;
+  return true;
+}
+function hasPathPrefix2(path, prefix) {
+  if (!path || path.length < prefix.length) return false;
+  for (let i = 0; i < prefix.length; i++) {
+    if (path[i] !== prefix[i]) return false;
+  }
+  return true;
+}
+var REQUEST_NAMES = ["req", "request"];
+var RESOURCE_FIELDS = ["params", "body", "query"];
+function isLikelyResourceIdPath2(path) {
+  if (!path || path.length < 3) return false;
+  let matched = false;
+  for (const reqName of REQUEST_NAMES) {
+    for (const field of RESOURCE_FIELDS) {
+      if (hasPathPrefix2(path, [reqName, field])) {
+        matched = true;
+        break;
+      }
+    }
+    if (matched) break;
+  }
+  if (!matched) return false;
+  const last = path[path.length - 1].toLowerCase();
+  return last === "id" || last.endsWith("id");
+}
+function isReqUserPath2(path) {
+  return hasPathPrefix2(path, ["req", "user"]) || hasPathPrefix2(path, ["request", "user"]);
+}
+var requireFrameworkAuthz = createRule17({
+  name: "require-framework-authz",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Require a visible authorization/ownership check when route handlers access resource identifiers. Supports CASL, Casbin, Cerbos, Permit.io, and custom authz helpers."
+    },
+    fixable: void 0,
+    schema: [
+      {
+        type: "object",
+        properties: {
+          authzHelperNames: {
+            type: "array",
+            items: { type: "string" },
+            description: "Additional function names recognized as authorization checks."
+          }
+        },
+        additionalProperties: false
+      }
+    ],
+    messages: {
+      missingAuthz: "This handler accesses resource identifiers (`{{access}}`) but has no visible authorization check. Add an ownership guard, policy check (CASL, Casbin, Cerbos), or configure `authzHelperNames`."
+    }
+  },
+  defaultOptions: [{}],
+  create(context, [options]) {
+    const customHelpers = new Set(options.authzHelperNames ?? []);
+    const allHelpers = /* @__PURE__ */ new Set([...DEFAULT_AUTHZ_HELPERS, ...customHelpers]);
+    let importMap = null;
+    let hasCasl = false;
+    let hasCasbin = false;
+    let hasCerbos = false;
+    let hasPermit = false;
+    function getImports() {
+      if (importMap) return;
+      importMap = buildImportMap(context.sourceCode);
+      for (const mod of CASL_MODULES) {
+        if (hasImport(importMap, mod)) hasCasl = true;
+      }
+      for (const mod of CASBIN_MODULES) {
+        if (hasImport(importMap, mod)) hasCasbin = true;
+      }
+      for (const mod of CERBOS_MODULES) {
+        if (hasImport(importMap, mod)) hasCerbos = true;
+      }
+      for (const mod of PERMIT_MODULES) {
+        if (hasImport(importMap, mod)) hasPermit = true;
+      }
+    }
+    function hasAuthzCall(body) {
+      return walkForAuthz(body, /* @__PURE__ */ new WeakSet());
+    }
+    function walkForAuthz(node, seen) {
+      if (seen.has(node)) return false;
+      seen.add(node);
+      if (node.type === import_utils19.AST_NODE_TYPES.CallExpression) {
+        if (node.callee.type === import_utils19.AST_NODE_TYPES.Identifier && allHelpers.has(node.callee.name)) {
+          return true;
+        }
+        if (node.callee.type === import_utils19.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils19.AST_NODE_TYPES.Identifier) {
+          const method = node.callee.property.name;
+          if (allHelpers.has(method)) return true;
+          if (hasCasl && CASL_METHODS.has(method)) return true;
+          if (hasCasbin && CASBIN_METHODS.has(method)) return true;
+          if (hasCerbos && CERBOS_METHODS.has(method)) return true;
+          if (hasPermit && PERMIT_METHODS.has(method)) return true;
+        }
+      }
+      if (node.type === import_utils19.AST_NODE_TYPES.BinaryExpression && ["===", "==", "!==", "!="].includes(node.operator)) {
+        const leftPath = getMemberPath2(node.left);
+        const rightPath = getMemberPath2(node.right);
+        const leftIsUser = isReqUserPath2(leftPath);
+        const rightIsUser = isReqUserPath2(rightPath);
+        const leftIsResource = isLikelyResourceIdPath2(leftPath);
+        const rightIsResource = isLikelyResourceIdPath2(rightPath);
+        if (leftIsUser && rightIsResource || rightIsUser && leftIsResource) {
+          return true;
+        }
+      }
+      for (const key of Object.keys(node)) {
+        if (AST_SKIP_KEYS.has(key)) continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+          for (const child of value) {
+            if (isASTNode(child) && !STOP_DESCENT_NODE_TYPES.has(child.type)) {
+              if (walkForAuthz(child, seen)) return true;
+            }
+          }
+        } else if (isASTNode(value) && !STOP_DESCENT_NODE_TYPES.has(value.type)) {
+          if (walkForAuthz(value, seen)) return true;
+        }
+      }
+      return false;
+    }
+    function findResourceAccess(body) {
+      return walkForResourceAccess(body, /* @__PURE__ */ new WeakSet());
+    }
+    function walkForResourceAccess(node, seen) {
+      if (seen.has(node)) return null;
+      seen.add(node);
+      if (node.type === import_utils19.AST_NODE_TYPES.MemberExpression) {
+        const path = getMemberPath2(node);
+        if (isLikelyResourceIdPath2(path)) {
+          return path.join(".");
+        }
+      }
+      if (node.type === import_utils19.AST_NODE_TYPES.VariableDeclarator && node.id.type === import_utils19.AST_NODE_TYPES.ObjectPattern && node.init) {
+        const initPath = getMemberPath2(node.init);
+        if (initPath && initPath.length === 2) {
+          const sourceMatches = REQUEST_NAMES.includes(initPath[0]) && RESOURCE_FIELDS.includes(initPath[1]);
+          if (sourceMatches) {
+            for (const prop of node.id.properties) {
+              if (prop.type !== import_utils19.AST_NODE_TYPES.Property) continue;
+              let sourceKey = null;
+              if (prop.key.type === import_utils19.AST_NODE_TYPES.Identifier) {
+                sourceKey = prop.key.name;
+              } else if (prop.key.type === import_utils19.AST_NODE_TYPES.Literal && typeof prop.key.value === "string") {
+                sourceKey = prop.key.value;
+              }
+              let bindingName = null;
+              if (prop.value.type === import_utils19.AST_NODE_TYPES.Identifier) {
+                bindingName = prop.value.name;
+              } else if (prop.value.type === import_utils19.AST_NODE_TYPES.AssignmentPattern && prop.value.left.type === import_utils19.AST_NODE_TYPES.Identifier) {
+                bindingName = prop.value.left.name;
+              }
+              const isIdLike = (n) => n !== null && (n.toLowerCase() === "id" || n.toLowerCase().endsWith("id"));
+              if (isIdLike(sourceKey) || isIdLike(bindingName)) {
+                const reportKey = sourceKey ?? bindingName ?? "<unknown>";
+                return `${initPath[0]}.${initPath[1]}.${reportKey}`;
+              }
+            }
+          }
+        }
+      }
+      for (const key of Object.keys(node)) {
+        if (AST_SKIP_KEYS.has(key)) continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+          for (const child of value) {
+            if (isASTNode(child) && !STOP_DESCENT_NODE_TYPES.has(child.type)) {
+              const found = walkForResourceAccess(child, seen);
+              if (found) return found;
+            }
+          }
+        } else if (isASTNode(value) && !STOP_DESCENT_NODE_TYPES.has(value.type)) {
+          const found = walkForResourceAccess(value, seen);
+          if (found) return found;
+        }
+      }
+      return null;
+    }
+    return {
+      CallExpression(node) {
+        getImports();
+        if (!isRouteRegistration(node)) return;
+        const routePath = node.arguments[0] ? getPathString2(node.arguments[0]) : null;
+        const hasRouteIdParam = typeof routePath === "string" && routePath.includes(":");
+        for (const arg of node.arguments) {
+          if (arg.type !== import_utils19.AST_NODE_TYPES.FunctionExpression && arg.type !== import_utils19.AST_NODE_TYPES.ArrowFunctionExpression) {
+            continue;
+          }
+          const resourceAccess = findResourceAccess(arg.body);
+          const isSensitive = hasRouteIdParam && resourceAccess !== null;
+          if (isSensitive && !hasAuthzCall(arg.body)) {
+            context.report({
+              node: arg,
+              messageId: "missingAuthz",
+              data: { access: resourceAccess }
+            });
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/rules/security/require-webhook-signature.ts
+var import_utils20 = require("@typescript-eslint/utils");
+var createRule18 = import_utils20.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var HTTP_METHODS3 = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "all"
+]);
+var DEFAULT_WEBHOOK_PATTERNS = [
+  /\/webhook/i,
+  /\/webhooks/i,
+  /\/api\/webhook/i,
+  /\/api\/webhooks/i
+];
+var VERIFICATION_METHODS = /* @__PURE__ */ new Set([
+  "constructEvent",
+  "constructEventAsync",
+  "verify",
+  "timingSafeEqual",
+  "createSlackEventAdapter"
+]);
+var VERIFICATION_CALLERS = /* @__PURE__ */ new Set([
+  "stripe.webhooks.constructEvent",
+  "stripe.webhooks.constructEventAsync",
+  "crypto.timingSafeEqual",
+  "crypto.createHmac"
+]);
+var requireWebhookSignature = createRule18({
+  name: "require-webhook-signature",
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Require signature verification in webhook handlers. Detects Stripe, GitHub, Svix, and Slack patterns. Unverified webhooks allow spoofed payloads."
+    },
+    fixable: void 0,
+    schema: [
+      {
+        type: "object",
+        properties: {
+          webhookRoutePatterns: {
+            type: "array",
+            items: { type: "string" },
+            description: "Additional regex patterns for webhook route paths."
+          },
+          verificationFunctions: {
+            type: "array",
+            items: { type: "string" },
+            description: "Additional function names recognized as signature verification."
+          }
+        },
+        additionalProperties: false
+      }
+    ],
+    messages: {
+      missingWebhookSig: "Webhook handler `{{method}} {{path}}` has no visible signature verification. Verify the payload signature (e.g., `stripe.webhooks.constructEvent()`, `crypto.timingSafeEqual()`) to prevent spoofing."
+    }
+  },
+  defaultOptions: [{}],
+  create(context, [options]) {
+    const userPatterns = (options.webhookRoutePatterns ?? []).map((p) => {
+      const safe = safeCompileRegex(p);
+      if (!safe) return null;
+      return new RegExp(safe.source, "i");
+    }).filter((r) => r !== null);
+    const allPatterns = [...DEFAULT_WEBHOOK_PATTERNS, ...userPatterns];
+    const userVerifyFns = new Set(options.verificationFunctions ?? []);
+    const allVerifyMethods = /* @__PURE__ */ new Set([...VERIFICATION_METHODS, ...userVerifyFns]);
+    const allVerifyCallers = /* @__PURE__ */ new Set([...VERIFICATION_CALLERS, ...userVerifyFns]);
+    let importMap = null;
+    let hasSvix = false;
+    let hasOctokit = false;
+    function getImports() {
+      if (importMap) return;
+      importMap = buildImportMap(context.sourceCode);
+      hasSvix = hasImport(importMap, "svix");
+      hasOctokit = hasImport(importMap, "@octokit/webhooks");
+    }
+    function isWebhookRoute(path) {
+      return allPatterns.some((p) => p.test(path));
+    }
+    function isWebhookFile() {
+      const fn = context.filename.toLowerCase();
+      if (/[/\\]__tests__[/\\]/.test(fn) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(fn) || /[/\\](tests?|fixtures?|mocks?|__mocks__)[/\\]/.test(fn)) {
+        return false;
+      }
+      return fn.includes("webhook");
+    }
+    function handlerHasVerification(body) {
+      return walkForVerification(body, /* @__PURE__ */ new WeakSet());
+    }
+    function walkForVerification(node, seen) {
+      if (seen.has(node)) return false;
+      seen.add(node);
+      if (node.type === import_utils20.AST_NODE_TYPES.CallExpression) {
+        if (node.callee.type === import_utils20.AST_NODE_TYPES.Identifier && allVerifyMethods.has(node.callee.name)) {
+          return true;
+        }
+        if (node.callee.type === import_utils20.AST_NODE_TYPES.MemberExpression && node.callee.property.type === import_utils20.AST_NODE_TYPES.Identifier) {
+          const method = node.callee.property.name;
+          if (allVerifyMethods.has(method)) {
+            if (method === "verify") {
+              return isLocalFromWebhookLib(node.callee.object);
+            }
+            return true;
+          }
+          const path = buildCallPath(node.callee);
+          if (path && allVerifyCallers.has(path)) return true;
+        }
+      }
+      for (const key of Object.keys(node)) {
+        if (AST_SKIP_KEYS.has(key)) continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+          for (const child of value) {
+            if (isASTNode(child) && !STOP_DESCENT_NODE_TYPES.has(child.type)) {
+              if (walkForVerification(child, seen)) return true;
+            }
+          }
+        } else if (isASTNode(value) && !STOP_DESCENT_NODE_TYPES.has(value.type)) {
+          if (walkForVerification(value, seen)) return true;
+        }
+      }
+      return false;
+    }
+    function isLocalFromWebhookLib(node) {
+      if (node.type === import_utils20.AST_NODE_TYPES.Identifier && importMap) {
+        if (localComesFrom(importMap, node.name, "svix") || localComesFrom(importMap, node.name, "@octokit/webhooks")) {
+          return true;
+        }
+      }
+      if (node.type === import_utils20.AST_NODE_TYPES.NewExpression && importMap) {
+        if (node.callee.type === import_utils20.AST_NODE_TYPES.Identifier) {
+          if (localComesFrom(importMap, node.callee.name, "svix") || localComesFrom(importMap, node.callee.name, "@octokit/webhooks")) {
+            return true;
+          }
+        }
+      }
+      if (!hasSvix && !hasOctokit) return false;
+      if (node.type === import_utils20.AST_NODE_TYPES.Identifier) {
+        return isWebhookBindingName(node.name);
+      }
+      if (node.type === import_utils20.AST_NODE_TYPES.MemberExpression && node.property.type === import_utils20.AST_NODE_TYPES.Identifier) {
+        return isWebhookBindingName(node.property.name);
+      }
+      return false;
+    }
+    function isWebhookBindingName(name) {
+      const lower = name.toLowerCase();
+      return lower === "wh" || lower === "webhook" || lower === "webhooks" || lower === "hook" || lower === "svix" || lower === "octokit" || lower.endsWith("webhook") || lower.endsWith("webhooks");
+    }
+    function buildCallPath(node) {
+      const parts = [];
+      let current = node;
+      while (current.type === import_utils20.AST_NODE_TYPES.MemberExpression && current.property.type === import_utils20.AST_NODE_TYPES.Identifier && !current.computed) {
+        parts.unshift(current.property.name);
+        current = current.object;
+      }
+      if (current.type === import_utils20.AST_NODE_TYPES.Identifier) {
+        parts.unshift(current.name);
+        return parts.join(".");
+      }
+      return null;
+    }
+    function getRoutePathFromChain(start) {
+      let current = start;
+      while (current.type === import_utils20.AST_NODE_TYPES.CallExpression) {
+        if (current.callee.type !== import_utils20.AST_NODE_TYPES.MemberExpression || current.callee.property.type !== import_utils20.AST_NODE_TYPES.Identifier) {
+          return void 0;
+        }
+        const propName = current.callee.property.name;
+        if (propName === "route") {
+          return current.arguments[0] ? getPathString2(current.arguments[0]) : null;
+        }
+        if (!HTTP_METHODS3.has(propName)) return void 0;
+        current = current.callee.object;
+      }
+      return void 0;
+    }
+    return {
+      CallExpression(node) {
+        getImports();
+        if (node.callee.type !== import_utils20.AST_NODE_TYPES.MemberExpression) return;
+        if (node.callee.property.type !== import_utils20.AST_NODE_TYPES.Identifier) return;
+        const methodName = node.callee.property.name;
+        if (!HTTP_METHODS3.has(methodName)) return;
+        const args = node.arguments;
+        let pathStr = null;
+        let firstHandlerArgIndex = 1;
+        const inheritedPath = getRoutePathFromChain(node.callee.object);
+        if (inheritedPath !== void 0) {
+          if (args.length < 1) return;
+          pathStr = inheritedPath;
+          firstHandlerArgIndex = 0;
+        } else {
+          if (args.length < 2) return;
+          pathStr = getPathString2(args[0]);
+        }
+        const routeIsWebhook = pathStr ? isWebhookRoute(pathStr) : isWebhookFile();
+        if (!routeIsWebhook) return;
+        for (let i = args.length - 1; i >= firstHandlerArgIndex; i--) {
+          const arg = args[i];
+          if (arg.type === import_utils20.AST_NODE_TYPES.FunctionExpression || arg.type === import_utils20.AST_NODE_TYPES.ArrowFunctionExpression) {
+            if (!handlerHasVerification(arg.body)) {
+              context.report({
+                node,
+                messageId: "missingWebhookSig",
+                data: {
+                  method: methodName.toUpperCase(),
+                  path: pathStr || "<dynamic>"
+                }
+              });
+            }
+            return;
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/rules/quality/no-console-in-handler.ts
+var import_utils21 = require("@typescript-eslint/utils");
+var createRule19 = import_utils21.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+var ROUTE_METHODS3 = [
+  "get",
+  "post",
+  "put",
+  "patch",
+  "delete",
+  "options",
+  "all"
+];
+function isRouteRegistrationCall2(node) {
+  if (node.callee.type !== import_utils21.AST_NODE_TYPES.MemberExpression || node.callee.property.type !== import_utils21.AST_NODE_TYPES.Identifier) {
+    return false;
+  }
+  const methodName = node.callee.property.name;
+  if (!ROUTE_METHODS3.includes(methodName)) {
+    return false;
+  }
+  if (node.arguments.length === 0) {
+    return false;
+  }
+  const firstArg = node.arguments[0];
+  if (firstArg.type === import_utils21.AST_NODE_TYPES.Literal && typeof firstArg.value === "string" && firstArg.value.startsWith("/")) {
+    return true;
+  }
+  if (firstArg.type === import_utils21.AST_NODE_TYPES.TemplateLiteral && firstArg.expressions.length === 0 && firstArg.quasis[0]?.value.raw.startsWith("/")) {
+    return true;
+  }
+  return false;
+}
+function traverseForConsoleCalls(node, onConsoleCall) {
+  if (node.type === import_utils21.AST_NODE_TYPES.CallExpression && node.callee.type === import_utils21.AST_NODE_TYPES.MemberExpression && node.callee.object.type === import_utils21.AST_NODE_TYPES.Identifier && node.callee.object.name === "console" && node.callee.property.type === import_utils21.AST_NODE_TYPES.Identifier) {
+    onConsoleCall(node);
+  }
+  if (node.type === import_utils21.AST_NODE_TYPES.FunctionDeclaration || node.type === import_utils21.AST_NODE_TYPES.FunctionExpression || node.type === import_utils21.AST_NODE_TYPES.ArrowFunctionExpression) {
+    return;
+  }
+  const entries = Object.entries(node);
+  for (const [key, value] of entries) {
+    if (key === "parent") {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        if (child && typeof child === "object" && "type" in child) {
+          traverseForConsoleCalls(child, onConsoleCall);
+        }
+      }
+      continue;
+    }
+    if (value && typeof value === "object" && "type" in value) {
+      traverseForConsoleCalls(value, onConsoleCall);
+    }
+  }
+}
+var noConsoleInHandler = createRule19({
+  name: "no-console-in-handler",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Disallow console logging inside route handlers. AI tools frequently leave debug logs in request handlers, which can leak operational data and create noisy production logs."
+    },
+    fixable: void 0,
+    hasSuggestions: true,
+    schema: [],
+    messages: {
+      noConsoleInHandler: "Avoid console logging inside route handlers. AI tools frequently leave debug statements in handlers. Use structured application logging instead.",
+      removeConsoleCall: "Remove this console statement from the route handler."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (!isRouteRegistrationCall2(node)) {
+          return;
+        }
+        for (const argument of node.arguments) {
+          if (argument.type !== import_utils21.AST_NODE_TYPES.FunctionExpression && argument.type !== import_utils21.AST_NODE_TYPES.ArrowFunctionExpression) {
+            continue;
+          }
+          traverseForConsoleCalls(argument.body, (callNode) => {
+            const parent = callNode.parent;
+            const canSuggestRemoval = parent?.type === import_utils21.AST_NODE_TYPES.ExpressionStatement;
+            context.report({
+              node: callNode,
+              messageId: "noConsoleInHandler",
+              suggest: canSuggestRemoval ? [
+                {
+                  messageId: "removeConsoleCall",
+                  fix: (fixer) => fixer.remove(parent)
+                }
+              ] : void 0
+            });
+          });
+        }
+      }
+    };
+  }
+});
+
+// src/rules/logic/no-duplicate-logic-block.ts
+var import_utils22 = require("@typescript-eslint/utils");
+var createRule20 = import_utils22.ESLintUtils.RuleCreator(
+  (name) => `https://github.com/undercurrentai/eslint-plugin-ai-guard/blob/main/docs/rules/${name}.md`
+);
+function normalizeStatementText(source) {
+  return source.replace(/\s+/g, " ").trim();
+}
+function isLikelyMeaningfulStatement(node, sourceCodeText) {
+  if (node.type === import_utils22.AST_NODE_TYPES.EmptyStatement || node.type === import_utils22.AST_NODE_TYPES.BreakStatement || node.type === import_utils22.AST_NODE_TYPES.ContinueStatement) {
+    return false;
+  }
+  return sourceCodeText.length >= 30;
+}
+var noDuplicateLogicBlock = createRule20({
+  name: "no-duplicate-logic-block",
+  meta: {
+    type: "suggestion",
+    docs: {
+      description: "Disallow consecutive duplicated logic statements. AI tools often copy-paste the same logic block with minimal or no changes, which should usually be extracted or consolidated."
+    },
+    fixable: void 0,
+    schema: [],
+    messages: {
+      duplicateLogic: "Duplicate consecutive logic block detected. AI-generated code often repeats the same block. Consider extracting shared logic into a function or removing duplication."
+    }
+  },
+  defaultOptions: [],
+  create(context) {
+    const checkStatementList = (statements) => {
+      if (statements.length < 2) {
+        return;
+      }
+      for (let i = 0; i < statements.length - 1; i += 1) {
+        const current = statements[i];
+        const next = statements[i + 1];
+        const currentTextRaw = context.sourceCode.getText(current);
+        const nextTextRaw = context.sourceCode.getText(next);
+        if (!isLikelyMeaningfulStatement(current, currentTextRaw)) {
+          continue;
+        }
+        if (!isLikelyMeaningfulStatement(next, nextTextRaw)) {
+          continue;
+        }
+        const currentText = normalizeStatementText(currentTextRaw);
+        const nextText = normalizeStatementText(nextTextRaw);
+        if (currentText === nextText) {
+          context.report({
+            node: next,
+            messageId: "duplicateLogic"
+          });
+        }
+      }
+    };
+    return {
+      Program(node) {
+        checkStatementList(node.body);
+      },
+      BlockStatement(node) {
+        checkStatementList(node.body);
+      }
+    };
+  }
+});
+
+// src/rules/index.ts
+var allRules = {
+  "no-empty-catch": noEmptyCatch,
+  "no-broad-exception": noBroadException,
+  "no-catch-log-rethrow": noCatchLogRethrow,
+  "no-catch-without-use": noCatchWithoutUse,
+  "no-async-array-callback": noAsyncArrayCallback,
+  "no-floating-promise": noFloatingPromise,
+  "no-await-in-loop": noAwaitInLoop,
+  "no-async-without-await": noAsyncWithoutAwait,
+  "no-redundant-await": noRedundantAwait,
+  "no-hardcoded-secret": noHardcodedSecret,
+  "no-eval-dynamic": noEvalDynamic,
+  "no-sql-string-concat": noSqlStringConcat,
+  "no-unsafe-deserialize": noUnsafeDeserialize,
+  "require-auth-middleware": requireAuthMiddleware,
+  "require-authz-check": requireAuthzCheck,
+  "require-framework-auth": requireFrameworkAuth,
+  "require-framework-authz": requireFrameworkAuthz,
+  "require-webhook-signature": requireWebhookSignature,
+  "no-console-in-handler": noConsoleInHandler,
+  "no-duplicate-logic-block": noDuplicateLogicBlock
+};
+
+// src/configs/recommended.ts
+var recommended = {
+  plugins: ["ai-guard"],
+  rules: {
+    // Adoption-first default:
+    // Keep only high-confidence, high-impact rules at error so first run is actionable,
+    // not overwhelming. Context-sensitive rules are warn/off by design.
+    //
+    // v2.0: removed 5 rules that overlap with typescript-eslint / ESLint core.
+    // Those rules remain available in the plugin for backwards compatibility but are
+    // not enabled by default. See docs/guides/compat-config.md and
+    // docs/migration/v1-to-v2.md for the upstream replacements.
+    // Critical (error): low-noise, high-impact correctness/security failures.
+    "ai-guard/no-empty-catch": "error",
+    "ai-guard/no-floating-promise": "error",
+    "ai-guard/no-hardcoded-secret": "error",
+    "ai-guard/no-eval-dynamic": "error",
+    // Important but noisier/context-dependent (warn): useful guidance without blocking.
+    "ai-guard/require-framework-auth": "warn",
+    "ai-guard/no-sql-string-concat": "warn",
+    // Kept as warn in recommended to reduce false positives in mixed codebases.
+    "ai-guard/no-async-array-callback": "warn",
+    // Optional/contextual (off): available for teams via strict/custom configs.
+    "ai-guard/no-console-in-handler": "off",
+    "ai-guard/no-unsafe-deserialize": "warn",
+    "ai-guard/no-catch-log-rethrow": "off",
+    "ai-guard/require-framework-authz": "warn",
+    "ai-guard/require-webhook-signature": "warn",
+    "ai-guard/no-duplicate-logic-block": "off"
+  }
+};
+var recommended_default = recommended;
+
+// src/configs/strict.ts
+var strict = {
+  plugins: ["ai-guard"],
+  rules: {
+    // Strict preset: enforce every active ai-guard rule at error for mature teams
+    // that want maximum coverage and are ready to tune exceptions locally.
+    //
+    // v2.0: 5 deprecated rules removed from strict — users who want them must
+    // opt in explicitly in their own config (they remain available). See
+    // docs/migration/v1-to-v2.md for the upstream replacements.
+    // Error Handling - all at error
+    "ai-guard/no-empty-catch": "error",
+    "ai-guard/no-catch-log-rethrow": "error",
+    // Async - all at error
+    "ai-guard/no-async-array-callback": "error",
+    "ai-guard/no-floating-promise": "error",
+    // Security - all at error
+    "ai-guard/no-hardcoded-secret": "error",
+    "ai-guard/no-eval-dynamic": "error",
+    "ai-guard/no-sql-string-concat": "error",
+    "ai-guard/no-unsafe-deserialize": "error",
+    "ai-guard/require-framework-auth": "error",
+    "ai-guard/require-framework-authz": "error",
+    "ai-guard/require-webhook-signature": "error",
+    // Quality - all at error
+    "ai-guard/no-console-in-handler": "error",
+    "ai-guard/no-duplicate-logic-block": "error"
+  }
+};
+var strict_default = strict;
+
+// src/configs/security.ts
+var security = {
+  plugins: ["ai-guard"],
+  rules: {
+    // Security-only preset:
+    // Error = direct high-risk patterns. Warn = security-relevant but context-sensitive.
+    "ai-guard/no-hardcoded-secret": "error",
+    "ai-guard/no-eval-dynamic": "error",
+    "ai-guard/no-sql-string-concat": "error",
+    "ai-guard/no-unsafe-deserialize": "warn",
+    "ai-guard/require-framework-auth": "warn",
+    "ai-guard/require-framework-authz": "warn",
+    "ai-guard/require-webhook-signature": "warn"
+  }
+};
+var security_default = security;
+
+// src/configs/compat.ts
+var compat = {
+  plugins: ["ai-guard"],
+  rules: {
+    "ai-guard/no-await-in-loop": "off",
+    "ai-guard/no-async-without-await": "off",
+    "ai-guard/no-redundant-await": "off",
+    "ai-guard/no-broad-exception": "off",
+    "ai-guard/no-catch-without-use": "off",
+    "ai-guard/require-auth-middleware": "off",
+    "ai-guard/require-authz-check": "off"
+  }
+};
+var compat_default = compat;
+
+// src/configs/framework.ts
+var framework = {
+  plugins: ["ai-guard"],
+  rules: {
+    "ai-guard/require-framework-auth": "error",
+    "ai-guard/require-framework-authz": "warn",
+    "ai-guard/require-webhook-signature": "error"
+  }
+};
+var framework_default = framework;
+
+// src/index.ts
+var plugin = {
+  meta: {
+    name: "@undercurrentai/eslint-plugin-ai-guard",
+    version: "2.0.0-beta.3"
+  },
+  rules: allRules,
+  configs: {
+    recommended: recommended_default,
+    strict: strict_default,
+    security: security_default,
+    compat: compat_default,
+    framework: framework_default
+  }
+};
+var index_default = plugin;
+// CJS interop: expose the default export as module.exports directly.
+// The `typeof module` guard makes this safe to re-run and no-op under
+// ESM hosts where `module` is not defined.
+if (typeof module !== "undefined" && module.exports && module.exports.default) { module.exports = module.exports.default; }
+//# sourceMappingURL=index.js.map