@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js

@@ -1,10 +1,6 @@
 /**
  * Hardcoded Secrets Engine
- * Enhanced with:
- * - Shannon entropy analysis for high-entropy string detection
- * - More comprehensive secret patterns (50+ patterns)
- * - Better false positive detection (env vars, comments, placeholders)
- * - Context-aware detection
+ * Detects API keys, tokens, passwords, and private keys in code.
  */
 
 const { getAST, parseCode } = require("./ast-cache");
@@ -12,118 +8,22 @@ const traverse = require("@babel/traverse").default;
 const t = require("@babel/types");
 const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
 
-/**
- * Calculate Shannon entropy of a string
- * Higher entropy = more random = more likely to be a secret
- */
-function calculateEntropy(str) {
-  if (!str || str.length === 0) return 0;
-  
-  const len = str.length;
-  const frequencies = {};
-  
-  for (const char of str) {
-    frequencies[char] = (frequencies[char] || 0) + 1;
-  }
-  
-  let entropy = 0;
-  for (const count of Object.values(frequencies)) {
-    const p = count / len;
-    entropy -= p * Math.log2(p);
-  }
-  
-  return entropy;
-}
-
-/**
- * Entropy thresholds for secret detection
- * Based on analysis of real secrets vs normal strings
- */
-const ENTROPY_THRESHOLDS = {
-  HIGH: 4.5,      // Likely a secret (API keys, tokens)
-  MEDIUM: 3.5,    // Possibly a secret, needs context
-  LOW: 2.5,       // Unlikely to be a secret
-};
-
-/**
- * Check if a string has high entropy (looks random)
- */
-function hasHighEntropy(str, minLength = 16) {
-  if (!str || str.length < minLength) return false;
-  
-  const entropy = calculateEntropy(str);
-  const entropyPerChar = entropy; // Shannon entropy is already normalized
-  
-  // Longer strings should have proportionally higher entropy
-  const lengthFactor = Math.min(str.length / 32, 1.5);
-  const adjustedThreshold = ENTROPY_THRESHOLDS.HIGH / lengthFactor;
-  
-  return entropy >= adjustedThreshold;
-}
-
 // Enhanced patterns with more comprehensive detection
 const SECRET_PATTERNS = [
-  // Cloud Provider Keys
-  { name: "AWS Access Key ID", pattern: /AKIA[0-9A-Z]{16}/, severity: "BLOCK", confidence: "high" },
-  { name: "AWS Secret Access Key", pattern: /(?<![A-Za-z0-9/+])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/, severity: "BLOCK", confidence: "med", requiresEntropy: true },
-  { name: "AWS Session Token", pattern: /FwoGZXIvYXdzE/, severity: "BLOCK", confidence: "high" },
-  { name: "Google API Key", pattern: /AIza[0-9A-Za-z\-_]{35}/, severity: "BLOCK", confidence: "high" },
-  { name: "Google OAuth Token", pattern: /ya29\.[0-9A-Za-z\-_]+/, severity: "BLOCK", confidence: "high" },
-  { name: "Azure Storage Key", pattern: /(?:[A-Za-z0-9+/]{86}==)/, severity: "BLOCK", confidence: "med", requiresEntropy: true },
-  
-  // Version Control
-  { name: "GitHub Personal Access Token", pattern: /ghp_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
-  { name: "GitHub OAuth Token", pattern: /gho_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
-  { name: "GitHub App Token", pattern: /ghu_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
-  { name: "GitHub Refresh Token", pattern: /ghr_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
-  { name: "GitLab Token", pattern: /glpat-[0-9a-zA-Z\-_]{20,}/, severity: "BLOCK", confidence: "high" },
-  { name: "Bitbucket Token", pattern: /ATBB[0-9a-zA-Z]{32}/, severity: "BLOCK", confidence: "high" },
-  
-  // Payment Processors
-  { name: "Stripe Live Key", pattern: /sk_live_[0-9a-zA-Z]{24,}/, severity: "BLOCK", confidence: "high" },
-  { name: "Stripe Test Key", pattern: /sk_test_[0-9a-zA-Z]{24,}/, severity: "WARN", confidence: "high" },
-  { name: "Stripe Publishable Key", pattern: /pk_(live|test)_[0-9a-zA-Z]{24,}/, severity: "INFO", confidence: "high" },
-  { name: "PayPal Access Token", pattern: /access_token\$[a-zA-Z0-9]{16}\$[a-zA-Z0-9]{64}/, severity: "BLOCK", confidence: "high" },
-  { name: "Square Access Token", pattern: /sq0atp-[0-9A-Za-z\-_]{22}/, severity: "BLOCK", confidence: "high" },
-  
-  // Communication Services
-  { name: "Slack Bot Token", pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/, severity: "BLOCK", confidence: "high" },
-  { name: "Slack User Token", pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/, severity: "BLOCK", confidence: "high" },
-  { name: "Slack Webhook URL", pattern: /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/, severity: "BLOCK", confidence: "high" },
-  { name: "Twilio API Key", pattern: /SK[0-9a-fA-F]{32}/, severity: "BLOCK", confidence: "high" },
-  { name: "Twilio Auth Token", pattern: /(?<![a-zA-Z0-9])[a-f0-9]{32}(?![a-zA-Z0-9])/, severity: "WARN", confidence: "low", requiresContext: true },
-  { name: "SendGrid API Key", pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, severity: "BLOCK", confidence: "high" },
-  { name: "Mailchimp API Key", pattern: /[a-f0-9]{32}-us[0-9]{1,2}/, severity: "BLOCK", confidence: "high" },
-  
-  // Database Connection Strings
-  { name: "MongoDB Connection String", pattern: /mongodb(\+srv)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
-  { name: "PostgreSQL Connection String", pattern: /postgres(ql)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
-  { name: "MySQL Connection String", pattern: /mysql:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
-  { name: "Redis Connection String", pattern: /redis(s)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
-  
-  // Auth Tokens
-  { name: "JWT Token", pattern: /eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/, severity: "WARN", confidence: "high" },
-  { name: "Bearer Token", pattern: /Bearer\s+[a-zA-Z0-9\-_\.]{20,}/i, severity: "WARN", confidence: "med" },
-  
-  // Private Keys
-  { name: "RSA Private Key", pattern: /-----BEGIN RSA PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
-  { name: "EC Private Key", pattern: /-----BEGIN EC PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
-  { name: "Private Key", pattern: /-----BEGIN PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
-  { name: "OpenSSH Private Key", pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
-  { name: "PGP Private Key", pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/, severity: "BLOCK", confidence: "high" },
-  
-  // API Keys (Generic but with prefixes)
-  { name: "Heroku API Key", pattern: /[h|H]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/, severity: "BLOCK", confidence: "high" },
-  { name: "NPM Token", pattern: /npm_[a-zA-Z0-9]{36}/, severity: "BLOCK", confidence: "high" },
-  { name: "PyPI Token", pattern: /pypi-[a-zA-Z0-9]{38,}/, severity: "BLOCK", confidence: "high" },
-  { name: "Docker Hub Token", pattern: /dckr_pat_[a-zA-Z0-9_-]{42,}/, severity: "BLOCK", confidence: "high" },
-  
-  // Credentials
-  { name: "Password Assignment", pattern: /(?:password|passwd|pwd|secret|credential)\s*[:=]\s*['"][^'"]{8,}['"]/i, severity: "WARN", confidence: "med", requiresContext: true },
-  { name: "Basic Auth", pattern: /Basic\s+[a-zA-Z0-9+/=]{20,}/, severity: "WARN", confidence: "med" },
-  
-  // High Entropy Generic (last resort)
-  { name: "High Entropy String", pattern: /[a-zA-Z0-9]{32,}/, severity: "INFO", confidence: "low", requiresEntropy: true },
+  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: "AWS Secret Key", pattern: /[0-9a-zA-Z/+]{40}/ },
+  { name: "GitHub Token", pattern: /ghp_[0-9a-zA-Z]{36}/ },
+  { name: "GitLab Token", pattern: /glpat-[0-9a-zA-Z\-_]{20,}/ },
+  { name: "Slack Token", pattern: /xox[baprs]-[0-9a-zA-Z]{10,48}/ },
+  { name: "Stripe Key", pattern: /sk_(live|test)_[0-9a-zA-Z]{24,}/ },
+  { name: "Generic API Key", pattern: /[a-zA-Z0-9]{32,}/ },
+  { name: "JWT Token", pattern: /eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/ },
+  { name: "Private Key", pattern: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ },
+  { name: "Database URL", pattern: /(mongodb|postgresql|mysql):\/\/[^\\s]+/ },
+  { name: "Password", pattern: /(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i },
+  { name: "Bearer Token", pattern: /Bearer\s+[a-zA-Z0-9\-_\.]+/i },
+  { name: "OAuth Token", pattern: /ya29\.[0-9A-Za-z\-_]+/ },
+  { name: "Twilio Key", pattern: /SK[0-9a-fA-F]{32}/ },
 ];
 
 function getContext(code, start, length = 80) {
@@ -132,14 +32,10 @@ function getContext(code, start, length = 80) {
   return code.slice(contextStart, contextEnd).replace(/\n/g, " ").trim();
 }
 
-/**
- * Check if value matches common placeholder patterns
- */
-function isPlaceholder(value) {
+function isLikelyFalsePositive(value) {
+  // Exclude obvious placeholders
   const placeholders = [
     "YOUR_API_KEY",
-    "YOUR_SECRET",
-    "YOUR_TOKEN",
     "API_KEY_HERE",
     "REPLACE_ME",
     "CHANGE_ME",
@@ -147,122 +43,15 @@ function isPlaceholder(value) {
     "TODO",
     "EXAMPLE",
     "SAMPLE",
+    "TEST",
     "DUMMY",
-    "FAKE",
-    "MOCK",
-    "TEST_KEY",
-    "DEV_KEY",
-    "PLACEHOLDER",
-    "XXX",
-    "XXXXXXXX",
-    "12345",
-    "123456789",
-    "abcdef",
-    "0000000",
   ];
   const upper = String(value).toUpperCase();
-  return placeholders.some((p) => upper.includes(p)) ||
-         /^[0-9]+$/.test(value) || // All numbers
-         /^[a-z]+$/.test(value) || // All lowercase letters
-         /^[A-Z]+$/.test(value) || // All uppercase letters
-         /^(.)\1+$/.test(value);   // Repeated characters
-}
-
-/**
- * Check if value is an environment variable reference
- */
-function isEnvVarReference(value, code, position) {
-  // Direct env reference
-  if (/process\.env\./i.test(value)) return true;
-  if (/import\.meta\.env\./i.test(value)) return true;
-  
-  // Check surrounding code for env reference
-  const start = Math.max(0, position - 50);
-  const end = Math.min(code.length, position + value.length + 50);
-  const context = code.slice(start, end);
-  
-  return /process\.env\s*\[?\s*['"]/i.test(context) ||
-         /import\.meta\.env/i.test(context) ||
-         /getenv\s*\(/i.test(context);
-}
-
-/**
- * Check if value is in a safe context
- */
-function isInSafeContext(path, code) {
-  // Check if in a type annotation
-  const parent = path.parentPath;
-  if (parent?.isTypeAnnotation?.() || parent?.isTSTypeAnnotation?.()) {
-    return true;
-  }
-  
-  // Check if it's a key name (object property key)
-  if (parent?.isObjectProperty?.() && parent.node.key === path.node) {
-    return true;
-  }
-  
-  // Check if it's importing from a config/env file
-  const importParent = path.findParent(p => p.isImportDeclaration());
-  if (importParent) return true;
-  
-  // Check variable name for env/config indicators
-  if (parent?.isVariableDeclarator?.()) {
-    const varName = parent.node.id?.name || "";
-    if (/env|config|settings|options/i.test(varName)) {
-      return true;
-    }
-  }
-  
-  return false;
-}
-
-function isLikelyFalsePositive(value, path, code, position) {
-  // Basic placeholder check
-  if (isPlaceholder(value)) return true;
-  
-  // Environment variable reference
-  if (isEnvVarReference(value, code, position)) return true;
-  
-  // Check for common non-secret patterns
-  // URLs without credentials
-  if (/^https?:\/\/(?!.*:.*@)[^\s]+$/.test(value)) return true;
-  
-  // Common hash algorithms output
-  if (/^[a-f0-9]{32}$/.test(value) && /md5|hash/i.test(code.slice(Math.max(0, position - 100), position))) {
-    return true;
-  }
-  
-  // File paths
-  if (/^[./]|^[a-zA-Z]:\\/.test(value)) return true;
-  
-  // Base64 encoded common strings
-  const decoded = tryBase64Decode(value);
-  if (decoded && (isPlaceholder(decoded) || decoded.length < 8)) return true;
-  
-  // Skip if it's a safe context
-  if (path && isInSafeContext(path, code)) return true;
-  
-  return false;
-}
-
-/**
- * Try to decode base64
- */
-function tryBase64Decode(str) {
-  try {
-    if (!/^[A-Za-z0-9+/]+=*$/.test(str)) return null;
-    const decoded = Buffer.from(str, "base64").toString("utf8");
-    // Check if decoded is printable ASCII
-    if (/^[\x20-\x7E]+$/.test(decoded)) return decoded;
-    return null;
-  } catch {
-    return null;
-  }
+  return placeholders.some((p) => upper.includes(p));
 }
 
 function analyzeHardcodedSecrets(code, filePath) {
   const findings = [];
-  const foundSecrets = new Set(); // Avoid duplicate reports
 
   if (shouldExcludeFile(filePath)) return findings;
   if (isTestContext(code, filePath)) return findings;
@@ -273,121 +62,69 @@ function analyzeHardcodedSecrets(code, filePath) {
 
   const lines = code.split("\n");
 
-  function checkValue(value, path, position) {
-    if (!value || value.length < 12) return;
-    if (isLikelyFalsePositive(value, path, code, position)) return;
-    
-    // Create a unique key to avoid duplicates
-    const valueKey = `${position}:${value.substring(0, 20)}`;
-    if (foundSecrets.has(valueKey)) return;
-
-    for (const secretPattern of SECRET_PATTERNS) {
-      const match = value.match(secretPattern.pattern);
-      if (!match) continue;
-      
-      // For patterns that require high entropy, verify
-      if (secretPattern.requiresEntropy) {
-        const matchedValue = match[0];
-        if (!hasHighEntropy(matchedValue)) continue;
-      }
-      
-      // For patterns requiring context, check variable names
-      if (secretPattern.requiresContext) {
-        const context = getContext(code, position, 100);
-        const hasSecretContext = /(?:api_?key|secret|token|password|credential|auth)/i.test(context);
-        if (!hasSecretContext) continue;
-      }
-
-      const loc = path.node.loc?.start;
-      if (!loc) continue;
-
-      const line = loc.line;
-      const contextStr = getContext(code, position);
-      
-      // Mask the actual secret value in output
-      const maskedValue = maskSecret(match[0]);
-      
-      foundSecrets.add(valueKey);
-
-      findings.push({
-        type: "hardcoded_secret",
-        severity: secretPattern.severity || "BLOCK",
-        category: "Security",
-        file: filePath,
-        line,
-        column: loc.column,
-        title: `Hardcoded ${secretPattern.name} detected`,
-        message: `Found potential ${secretPattern.name} in code. Move to environment variables or secret manager.`,
-        codeSnippet: lines[line - 1]?.trim(),
-        evidence: `Detected pattern: ${maskedValue}`,
-        confidence: secretPattern.confidence || "high",
-        fixHint: `Replace with process.env.${suggestEnvVarName(secretPattern.name)}`,
-      });
-      
-      // Only report the first matching pattern per value
-      break;
-    }
-  }
-
   // Check string literals for secrets
   traverse(ast, {
     StringLiteral(path) {
       const value = path.node.value;
-      const position = path.node.start || 0;
-      checkValue(value, path, position);
+      if (!value || value.length < 12) return;
+      if (isLikelyFalsePositive(value)) return;
+
+      for (const secretPattern of SECRET_PATTERNS) {
+        const match = value.match(secretPattern.pattern);
+        if (!match) continue;
+
+        const loc = path.node.loc?.start;
+        if (!loc) continue;
+
+        const line = loc.line;
+        const context = getContext(code, path.node.start || 0);
+
+        findings.push({
+          type: "hardcoded_secret",
+          severity: "BLOCK",
+          category: "Security",
+          file: filePath,
+          line,
+          column: loc.column,
+          title: `Hardcoded ${secretPattern.name} detected`,
+          message: `Found potential ${secretPattern.name} in string literal. Move to environment variables or secret manager.`,
+          codeSnippet: lines[line - 1]?.trim(),
+          evidence: context,
+          confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
+        });
+      }
     },
 
     TemplateLiteral(path) {
-      // Template literals may contain secrets in raw strings
+      // Template literals may contain secrets in raw strings (rare), but catch if a quasi looks like a token.
       for (const quasi of path.node.quasis || []) {
         const value = quasi.value?.cooked || "";
-        const position = quasi.start || path.node.start || 0;
-        checkValue(value, { node: quasi, parentPath: path }, position);
-      }
-    },
-    
-    // Also check object property values with secret-looking keys
-    ObjectProperty(path) {
-      const key = path.node.key;
-      const value = path.node.value;
-      
-      // Check if key suggests a secret
-      let keyName = "";
-      if (t.isIdentifier(key)) {
-        keyName = key.name;
-      } else if (t.isStringLiteral(key)) {
-        keyName = key.value;
-      }
-      
-      const isSecretKey = /(?:api_?key|secret|token|password|credential|auth_?token|private_?key)/i.test(keyName);
-      
-      if (isSecretKey && t.isStringLiteral(value)) {
-        const strValue = value.value;
-        if (strValue && strValue.length >= 8 && !isPlaceholder(strValue)) {
-          const position = value.start || 0;
-          
-          // Check entropy for generic values
-          if (hasHighEntropy(strValue, 8)) {
-            const loc = value.loc?.start;
-            if (loc && !foundSecrets.has(`${position}:${strValue.substring(0, 20)}`)) {
-              foundSecrets.add(`${position}:${strValue.substring(0, 20)}`);
-              
-              findings.push({
-                type: "hardcoded_secret",
-                severity: "WARN",
-                category: "Security",
-                file: filePath,
-                line: loc.line,
-                column: loc.column,
-                title: `Potential secret in '${keyName}' property`,
-                message: `High-entropy value in secret-looking property '${keyName}'. Consider using environment variables.`,
-                codeSnippet: lines[loc.line - 1]?.trim(),
-                evidence: `Property: ${keyName} = ${maskSecret(strValue)}`,
-                confidence: "med",
-                fixHint: `Replace with process.env.${keyName.toUpperCase()}`,
-              });
-            }
-          }
+        if (!value || value.length < 12) continue;
+        if (isLikelyFalsePositive(value)) continue;
+
+        for (const secretPattern of SECRET_PATTERNS) {
+          const match = value.match(secretPattern.pattern);
+          if (!match) continue;
+
+          const loc = quasi.loc?.start || path.node.loc?.start;
+          if (!loc) continue;
+
+          const line = loc.line;
+          const context = getContext(code, quasi.start || path.node.start || 0);
+
+          findings.push({
+            type: "hardcoded_secret",
+            severity: "BLOCK",
+            category: "Security",
+            file: filePath,
+            line,
+            column: loc.column,
+            title: `Hardcoded ${secretPattern.name} detected`,
+            message: `Found potential ${secretPattern.name} in template literal. Move to environment variables or secret manager.`,
+            codeSnippet: lines[line - 1]?.trim(),
+            evidence: context,
+            confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
+          });
         }
       }
     },
@@ -396,44 +133,7 @@ function analyzeHardcodedSecrets(code, filePath) {
   return findings;
 }
 
-/**
- * Mask a secret value for safe display
- */
-function maskSecret(value) {
-  if (!value || value.length < 8) return "***";
-  
-  const visibleStart = Math.min(4, Math.floor(value.length / 4));
-  const visibleEnd = Math.min(4, Math.floor(value.length / 4));
-  
-  return value.substring(0, visibleStart) + 
-         "*".repeat(Math.max(4, value.length - visibleStart - visibleEnd)) + 
-         value.substring(value.length - visibleEnd);
-}
-
-/**
- * Suggest an environment variable name
- */
-function suggestEnvVarName(secretType) {
-  const mapping = {
-    "AWS Access Key ID": "AWS_ACCESS_KEY_ID",
-    "AWS Secret Access Key": "AWS_SECRET_ACCESS_KEY",
-    "GitHub Personal Access Token": "GITHUB_TOKEN",
-    "Stripe Live Key": "STRIPE_SECRET_KEY",
-    "Stripe Test Key": "STRIPE_TEST_KEY",
-    "Database URL": "DATABASE_URL",
-    "MongoDB Connection String": "MONGODB_URI",
-    "PostgreSQL Connection String": "DATABASE_URL",
-    "JWT Token": "JWT_SECRET",
-    "Slack Bot Token": "SLACK_BOT_TOKEN",
-    "SendGrid API Key": "SENDGRID_API_KEY",
-  };
-  
-  return mapping[secretType] || secretType.toUpperCase().replace(/\s+/g, "_");
-}
-
 module.exports = {
   analyzeHardcodedSecrets,
-  calculateEntropy,
-  hasHighEntropy,
   parseCode,
 };

package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js

@@ -0,0 +1,140 @@
+/**
+ * Mock Data Engine
+ * Detects mock, fake, or placeholder data in production code.
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+// Enhanced mock data patterns
+const MOCK_PATTERNS = [
+  { pattern: /mock/i, type: "mock_reference", message: "Mock reference found" },
+  { pattern: /fake/i, type: "fake_data", message: "Fake data reference found" },
+  { pattern: /dummy/i, type: "dummy_data", message: "Dummy data reference found" },
+  { pattern: /test.*data/i, type: "test_data", message: "Test data reference found" },
+  { pattern: /lorem ipsum/i, type: "lorem_ipsum", message: "Lorem ipsum placeholder found" },
+  { pattern: /todo|fixme/i, type: "todo_fixme", message: "TODO/FIXME found in code" },
+  { pattern: /placeholder/i, type: "placeholder", message: "Placeholder reference found" },
+  { pattern: /example/i, type: "example_data", message: "Example reference found" },
+  { pattern: /sample/i, type: "sample_data", message: "Sample data reference found" },
+  { pattern: /hardcode/i, type: "hardcoded", message: "Hardcoded data reference found" },
+];
+
+// Common mock data values
+const MOCK_VALUES = [
+  "test",
+  "demo",
+  "example",
+  "sample",
+  "placeholder",
+  "lorem",
+  "ipsum",
+  "foo",
+  "bar",
+  "baz",
+  "mock",
+  "fake",
+  "dummy",
+  "12345",
+  "password",
+  "admin",
+  "user",
+];
+
+function analyzeMockData(code, filePath) {
+  const findings = [];
+
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "mock-data")) return findings;
+
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Check string literals for mock data
+  traverse(ast, {
+    StringLiteral(path) {
+      const value = path.node.value;
+      if (!value || value.length < 2) return;
+
+      // Check for common mock values (case-insensitive)
+      const lower = value.toLowerCase();
+      if (MOCK_VALUES.includes(lower)) {
+        const loc = path.node.loc?.start;
+        if (!loc) return;
+
+        findings.push({
+          type: "mock_value",
+          severity: "INFO",
+          category: "CodeQuality",
+          file: filePath,
+          line: loc.line,
+          column: loc.column,
+          title: "Potential mock value in string literal",
+          message: `String literal "${value}" looks like mock/placeholder data.`,
+          codeSnippet: lines[loc.line - 1]?.trim(),
+          confidence: "low",
+        });
+      }
+
+      // Check for mock patterns
+      for (const mockPattern of MOCK_PATTERNS) {
+        if (mockPattern.pattern.test(value)) {
+          const loc = path.node.loc?.start;
+          if (!loc) continue;
+
+          findings.push({
+            type: mockPattern.type,
+            severity: mockPattern.type === "todo_fixme" ? "WARN" : "INFO",
+            category: "CodeQuality",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: mockPattern.message,
+            message: `Found "${mockPattern.pattern}" in string literal: "${value}"`,
+            codeSnippet: lines[loc.line - 1]?.trim(),
+            confidence: "low",
+          });
+        }
+      }
+    },
+
+    Identifier(path) {
+      const name = path.node.name;
+      if (!name) return;
+
+      // Check for mock patterns in variable names (avoid huge noise: only longer names)
+      if (name.length < 5) return;
+
+      for (const mockPattern of MOCK_PATTERNS) {
+        if (mockPattern.pattern.test(name)) {
+          const loc = path.node.loc?.start;
+          if (!loc) continue;
+
+          findings.push({
+            type: mockPattern.type,
+            severity: mockPattern.type === "todo_fixme" ? "WARN" : "INFO",
+            category: "CodeQuality",
+            file: filePath,
+            line: loc.line,
+            column: loc.column,
+            title: `Mock-like identifier: ${name}`,
+            message: `Identifier name suggests mock/placeholder data: "${name}"`,
+            codeSnippet: lines[loc.line - 1]?.trim(),
+            confidence: "low",
+          });
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeMockData,
+  parseCode,
+};