@vibecodiq/cli 0.2.0 → 0.4.0

package/dist/index.js

@@ -1,4327 +1,19 @@
 #!/usr/bin/env node
-
-// src/scanner.ts
-import path2 from "path";
-
-// src/lib/grep.ts
-async function grepFiles(ctx, pattern, globs) {
-  const matches = [];
-  let filesToSearch = ctx.files;
-  if (globs && globs.length > 0) {
-    filesToSearch = filesToSearch.filter(
-      (f) => globs.some((g) => matchGlob(f, g))
-    );
-  }
-  for (const file of filesToSearch) {
-    let content;
-    try {
-      content = await ctx.readFile(file);
-    } catch {
-      continue;
-    }
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      if (pattern.test(lines[i])) {
-        matches.push({ file, line: i + 1, content: lines[i].trim() });
-      }
-    }
-  }
-  return matches;
-}
-function matchGlob(filePath, glob) {
-  if (glob.startsWith("!")) {
-    return !matchGlob(filePath, glob.slice(1));
-  }
-  if (glob.startsWith("**/")) {
-    const suffix = glob.slice(3);
-    return filePath.includes(suffix);
-  }
-  if (glob.endsWith("/**")) {
-    const prefix = glob.slice(0, -3);
-    return filePath.startsWith(prefix);
-  }
-  if (glob.includes("*")) {
-    const regex = new RegExp("^" + glob.replace(/\*/g, ".*") + "$");
-    return regex.test(filePath);
-  }
-  return filePath === glob || filePath.startsWith(glob + "/");
-}
-function isClientFile(file) {
-  return file.startsWith("src/") || file.startsWith("components/") || file.startsWith("app/") || file.startsWith("pages/") || file.includes("/components/") || file.includes("/hooks/") || file.includes("/contexts/");
-}
-function isServerFile(file) {
-  return file.includes("/api/") || file.includes("route.ts") || file.includes("route.js") || file.includes("server/") || file.includes("actions.ts") || file.includes("actions.js");
-}
-function isMigrationFile(file) {
-  return file.includes("migration") || file.includes("supabase/") || file.endsWith(".sql");
-}
-function isEnvFile(file) {
-  const base = file.split("/").pop() || "";
-  return base.startsWith(".env");
-}
-
-// src/checks/auth-01.ts
-var AUTH_01 = {
-  id: "AUTH-01",
-  name: "service_role key not in client code",
-  module: "auth",
-  priority: "P0",
-  aliases: ["ADM-17"],
-  description: "service_role bypasses all RLS \u2014 must never appear in client-side code or NEXT_PUBLIC_ vars",
-  async run(ctx) {
-    const pattern = /service_role|SERVICE_ROLE|SUPABASE_SERVICE_ROLE|sb_secret_/i;
-    const matches = await ctx.grepFiles(pattern);
-    const clientMatches = matches.filter((m) => {
-      if (m.content.includes("NEXT_PUBLIC_")) return true;
-      if (m.file.includes("use client")) return false;
-      if (isClientFile(m.file) && !m.file.includes("/api/") && !m.file.includes("route.")) return true;
-      return false;
-    });
-    const nextPublicMatches = matches.filter(
-      (m) => m.content.includes("NEXT_PUBLIC_") && /service_role|SERVICE_ROLE/i.test(m.content)
-    );
-    const allBad = [...clientMatches, ...nextPublicMatches];
-    const unique = [...new Map(allBad.map((m) => [`${m.file}:${m.line}`, m])).values()];
-    if (unique.length > 0) {
-      return {
-        result: "FAIL",
-        message: `service_role key found in client-accessible code (${unique.length} location${unique.length > 1 ? "s" : ""})`,
-        evidence: unique.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    const serverMatches = matches.filter(
-      (m) => !m.content.startsWith("//") && !m.content.startsWith("#") && !m.content.startsWith("*")
-    );
-    if (serverMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "service_role key found only in server-side code"
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No service_role references found \u2014 Supabase may not be used"
-    };
-  }
-};
-
-// src/checks/auth-02.ts
-var AUTH_02 = {
-  id: "AUTH-02",
-  name: "RLS enabled on all tables",
-  module: "auth",
-  priority: "P0",
-  description: "Every table must have Row Level Security enabled. Without RLS, anon key = full DB access.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    if (sqlFiles.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No SQL migration files found"
-      };
-    }
-    const createTablePattern = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi;
-    const rlsPattern = /ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
-    const systemTables = /* @__PURE__ */ new Set(["schema_migrations", "_prisma_migrations", "migrations"]);
-    const allTables = /* @__PURE__ */ new Set();
-    const rlsEnabledTables = /* @__PURE__ */ new Set();
-    for (const file of sqlFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      let match;
-      const createRegex = new RegExp(createTablePattern.source, "gi");
-      while ((match = createRegex.exec(content)) !== null) {
-        const tableName = match[1].toLowerCase();
-        if (!systemTables.has(tableName)) {
-          allTables.add(tableName);
-        }
-      }
-      const rlsRegex = new RegExp(rlsPattern.source, "gi");
-      while ((match = rlsRegex.exec(content)) !== null) {
-        rlsEnabledTables.add(match[1].toLowerCase());
-      }
-    }
-    if (allTables.size === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No CREATE TABLE statements found in migrations"
-      };
-    }
-    const unprotected = [...allTables].filter((t) => !rlsEnabledTables.has(t));
-    if (unprotected.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} table${unprotected.length > 1 ? "s" : ""} without RLS (of ${allTables.size} total)`,
-        evidence: unprotected.map((t) => `Table "${t}" \u2014 missing ENABLE ROW LEVEL SECURITY`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${allTables.size} tables have RLS enabled`
-    };
-  }
-};
-
-// src/checks/auth-03.ts
-var AUTH_03 = {
-  id: "AUTH-03",
-  name: "RLS policies have WITH CHECK",
-  module: "auth",
-  priority: "P0",
-  description: "INSERT/UPDATE policies need WITH CHECK clause. USING alone lets users insert data owned by others.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    if (sqlFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No SQL migration files found" };
-    }
-    const tautologyIssues = [];
-    const missingWithCheck = [];
-    for (const file of sqlFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      const policyRegex = /CREATE\s+POLICY\s+"?(\w+)"?\s+ON\s+(?:public\.)?(\w+)\s+(?:AS\s+\w+\s+)?FOR\s+(INSERT|UPDATE|ALL)\b([\s\S]*?)(?=CREATE\s+POLICY|$)/gi;
-      let match;
-      while ((match = policyRegex.exec(content)) !== null) {
-        const policyName = match[1];
-        const table = match[2];
-        const action = match[3].toUpperCase();
-        const body = match[4];
-        if (action === "INSERT" || action === "UPDATE" || action === "ALL") {
-          if (/WITH\s+CHECK\s*\(\s*true\s*\)/i.test(body)) {
-            tautologyIssues.push(`${file}: policy "${policyName}" on ${table} \u2014 WITH CHECK (true) is permissive`);
-          } else if (!/WITH\s+CHECK/i.test(body)) {
-            missingWithCheck.push(`${file}: policy "${policyName}" on ${table} (${action}) \u2014 missing WITH CHECK`);
-          }
-        }
-      }
-    }
-    const allIssues = [...tautologyIssues, ...missingWithCheck];
-    if (allIssues.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${allIssues.length} RLS policy issue${allIssues.length > 1 ? "s" : ""} found`,
-        evidence: allIssues.slice(0, 5)
-      };
-    }
-    const anyPolicy = sqlFiles.some((f) => {
-      try {
-        const c = ctx.files.includes(f) ? f : "";
-        return /CREATE\s+POLICY/i.test(c);
-      } catch {
-        return false;
-      }
-    });
-    const policyMatches = await ctx.grepFiles(/CREATE\s+POLICY/i);
-    if (policyMatches.length === 0) {
-      return { result: "UNKNOWN", message: "No RLS policies found in migrations" };
-    }
-    return {
-      result: "PASS",
-      message: "All INSERT/UPDATE RLS policies have proper WITH CHECK clauses"
-    };
-  }
-};
-
-// src/checks/auth-04.ts
-var AUTH_04 = {
-  id: "AUTH-04",
-  name: "Server-side auth on protected routes",
-  module: "auth",
-  priority: "P0",
-  description: "Every protected API route/server action must verify auth server-side. Middleware-only auth is bypassable (CVE-2025-29927).",
-  async run(ctx) {
-    const routeFiles = ctx.files.filter(
-      (f) => (f.includes("route.") || f.includes("actions.")) && isServerFile(f)
-    );
-    if (routeFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No API route handlers found" };
-    }
-    const authPatterns = /getUser|getSession|auth\(\)|verifyToken|requireAuth|requireAdmin|checkPermission|requireRole|currentUser|validateSession/i;
-    const publicRoutePatterns = /webhook|health|status|public|og|sitemap|robots|favicon|_next/i;
-    const unprotected = [];
-    for (const file of routeFiles) {
-      if (publicRoutePatterns.test(file)) continue;
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (!authPatterns.test(content)) {
-        unprotected.push(file);
-      }
-    }
-    if (unprotected.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} API route${unprotected.length > 1 ? "s" : ""} without server-side auth check`,
-        evidence: unprotected.slice(0, 5).map((f) => `${f} \u2014 no auth verification detected`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${routeFiles.length} API routes have server-side auth checks`
-    };
-  }
-};
-
-// src/checks/auth-05.ts
-var AUTH_05 = {
-  id: "AUTH-05",
-  name: "No secrets with NEXT_PUBLIC_ prefix",
-  module: "auth",
-  priority: "P0",
-  description: "NEXT_PUBLIC_ vars are bundled in the browser. Secrets must never use this prefix.",
-  async run(ctx) {
-    const dangerousPatterns = [
-      /NEXT_PUBLIC_.*SERVICE_ROLE/i,
-      /NEXT_PUBLIC_.*SECRET/i,
-      /NEXT_PUBLIC_.*DATABASE_URL/i,
-      /NEXT_PUBLIC_.*DB_URL/i,
-      /NEXT_PUBLIC_.*PRIVATE/i,
-      /NEXT_PUBLIC_.*PASSWORD/i,
-      /NEXT_PUBLIC_.*JWT_SECRET/i,
-      /VITE_.*SERVICE_ROLE/i,
-      /VITE_.*SECRET_KEY/i,
-      /VITE_.*DATABASE_URL/i,
-      /EXPO_PUBLIC_.*SERVICE_ROLE/i,
-      /EXPO_PUBLIC_.*SECRET/i
-    ];
-    const envFiles = ctx.files.filter(isEnvFile);
-    const allMatches = [];
-    for (const file of envFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      const lines = content.split("\n");
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i].trim();
-        if (line.startsWith("#") || !line) continue;
-        for (const pattern of dangerousPatterns) {
-          if (pattern.test(line)) {
-            allMatches.push({ file, line: i + 1, content: line.split("=")[0] });
-            break;
-          }
-        }
-      }
-    }
-    if (allMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Secret keys exposed via public prefix (${allMatches.length} found)`,
-        evidence: allMatches.map((m) => `${m.file}:${m.line} \u2192 ${m.content}`)
-      };
-    }
-    if (envFiles.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No .env files found to check"
-      };
-    }
-    return {
-      result: "PASS",
-      message: "No secrets found with NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ prefix"
-    };
-  }
-};
-
-// src/checks/auth-06.ts
-var AUTH_06 = {
-  id: "AUTH-06",
-  name: "Protected routes redirect unauthenticated users",
-  module: "auth",
-  priority: "P1",
-  description: "Middleware or route guard must redirect unauthenticated users to /login for protected pages.",
-  async run(ctx) {
-    const middlewareFile = ctx.files.find((f) => /^middleware\.(ts|js)$/.test(f));
-    if (!middlewareFile) {
-      const layoutGuards = await ctx.grepFiles(/redirect.*login|redirect.*auth|redirect.*sign/i);
-      if (layoutGuards.length > 0) {
-        return { result: "PASS", message: "Route guards with login redirect detected" };
-      }
-      return {
-        result: "FAIL",
-        message: "No middleware.ts and no route guards found \u2014 unauthenticated users can access protected pages",
-        evidence: ["Missing: middleware.ts or per-page auth redirect"]
-      };
-    }
-    let content;
-    try {
-      content = await ctx.readFile(middlewareFile);
-    } catch {
-      return { result: "UNKNOWN", message: "Could not read middleware file" };
-    }
-    if (/redirect.*login|redirect.*auth|NextResponse.*redirect/i.test(content)) {
-      return { result: "PASS", message: "Middleware redirects unauthenticated users to login" };
-    }
-    return {
-      result: "FAIL",
-      message: "Middleware exists but no login redirect detected",
-      evidence: [`${middlewareFile} \u2014 no redirect to /login or /auth`]
-    };
-  }
-};
-
-// src/checks/auth-07.ts
-var AUTH_07 = {
-  id: "AUTH-07",
-  name: "Session tokens in httpOnly cookies",
-  module: "auth",
-  priority: "P2",
-  description: "Tokens in localStorage are accessible via XSS. httpOnly cookies prevent JavaScript access to session tokens.",
-  async run(ctx) {
-    const localStorageToken = /localStorage.*(?:token|session|jwt|access_token)|sessionStorage.*(?:token|session|jwt)/i;
-    const httpOnly = /httpOnly|cookie.*session|supabase.*ssr|@supabase\/ssr/i;
-    const badMatches = await ctx.grepFiles(localStorageToken);
-    const goodMatches = await ctx.grepFiles(httpOnly);
-    const realBad = badMatches.filter((m) => !m.content.trimStart().startsWith("//"));
-    if (realBad.length > 0 && goodMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: `Session tokens stored in localStorage (${realBad.length} location${realBad.length > 1 ? "s" : ""})`,
-        evidence: realBad.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (goodMatches.length > 0) {
-      return { result: "PASS", message: "httpOnly cookies or @supabase/ssr detected for session management" };
-    }
-    return { result: "UNKNOWN", message: "No explicit token storage pattern detected" };
-  }
-};
-
-// src/checks/auth-08.ts
-var AUTH_08 = {
-  id: "AUTH-08",
-  name: "Password hashing (if custom auth)",
-  module: "auth",
-  priority: "P0",
-  description: "Passwords must be hashed with bcrypt/argon2/scrypt. N/A if using Supabase Auth (handles hashing internally).",
-  async run(ctx) {
-    const supabaseAuth = /supabase|@supabase|createBrowserClient|createServerClient/i;
-    const supabaseMatches = await ctx.grepFiles(supabaseAuth);
-    if (supabaseMatches.length > 0) {
-      return { result: "N/A", message: "Supabase Auth handles password hashing internally (bcrypt/Argon2)" };
-    }
-    const hashPatterns = /bcrypt|argon2|scrypt|pbkdf2/i;
-    const plaintext = /password.*=.*req\.body|password.*=.*body\.|plaintext|md5.*password|sha1.*password/i;
-    const hashMatches = await ctx.grepFiles(hashPatterns);
-    const plaintextMatches = await ctx.grepFiles(plaintext);
-    if (plaintextMatches.length > 0 && hashMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: "Password handling without secure hashing detected",
-        evidence: plaintextMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (hashMatches.length > 0) {
-      return { result: "PASS", message: "Secure password hashing detected (bcrypt/argon2/scrypt)" };
-    }
-    return { result: "UNKNOWN", message: "No custom auth password handling detected" };
-  }
-};
-
-// src/checks/auth-09.ts
-var AUTH_09 = {
-  id: "AUTH-09",
-  name: "Rate limiting on auth endpoints",
-  module: "auth",
-  priority: "P1",
-  description: "Login/register endpoints without rate limiting are vulnerable to brute force attacks.",
-  async run(ctx) {
-    const authFiles = ctx.files.filter((f) => /auth|login|register|sign/i.test(f));
-    const rateLimitPattern = /rateLimit|rate.limit|throttle|limiter|too.many.requests|429|upstash/i;
-    if (authFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No auth endpoint files found" };
-    }
-    const matches = await ctx.grepFiles(rateLimitPattern, authFiles);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected on auth endpoints" };
-    }
-    const globalMatches = await ctx.grepFiles(rateLimitPattern);
-    if (globalMatches.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected in codebase (verify it covers auth endpoints)" };
-    }
-    const supabaseAuth = await ctx.grepFiles(/supabase.*auth|@supabase/i);
-    if (supabaseAuth.length > 0) {
-      return { result: "PASS", message: "Supabase Auth has built-in rate limiting for auth endpoints" };
-    }
-    return {
-      result: "FAIL",
-      message: "No rate limiting found on auth endpoints",
-      evidence: ["Missing: rate limiting middleware on login/register routes"]
-    };
-  }
-};
-
-// src/checks/auth-10.ts
-var AUTH_10 = {
-  id: "AUTH-10",
-  name: "Profile sync trigger with safe search_path",
-  module: "auth",
-  priority: "P1",
-  description: "handle_new_user() trigger must use SECURITY DEFINER with restricted search_path to prevent privilege escalation.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    if (sqlFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No SQL migration files found" };
-    }
-    const triggerPattern = /handle_new_user|on_auth_user_created|AFTER\s+INSERT\s+ON\s+auth\.users/i;
-    const securityDefiner = /SECURITY\s+DEFINER/i;
-    const searchPath = /search_path|SET\s+search_path/i;
-    const triggerMatches = await ctx.grepFiles(triggerPattern);
-    if (triggerMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: "No profile sync trigger found (handle_new_user or equivalent)",
-        evidence: ["Missing trigger: new auth.users rows won't sync to profiles table"]
-      };
-    }
-    for (const file of sqlFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (triggerPattern.test(content)) {
-        const hasDefiner = securityDefiner.test(content);
-        const hasSearchPath = searchPath.test(content);
-        if (hasDefiner && !hasSearchPath) {
-          return {
-            result: "FAIL",
-            message: "Profile trigger uses SECURITY DEFINER without restricted search_path",
-            evidence: [`${file} \u2014 SECURITY DEFINER without SET search_path = '' (privilege escalation risk)`]
-          };
-        }
-        if (hasDefiner && hasSearchPath) {
-          return {
-            result: "PASS",
-            message: "Profile sync trigger found with SECURITY DEFINER and restricted search_path"
-          };
-        }
-        return {
-          result: "PASS",
-          message: "Profile sync trigger found"
-        };
-      }
-    }
-    return {
-      result: "PASS",
-      message: "Profile sync trigger detected"
-    };
-  }
-};
-
-// src/checks/auth-11.ts
-var AUTH_11 = {
-  id: "AUTH-11",
-  name: "Client/server auth separation",
-  module: "auth",
-  priority: "P0",
-  description: "Separate Supabase clients for browser and server. One shared client leaks service_role to browser or uses anon key on server.",
-  async run(ctx) {
-    const browserClient = /createBrowserClient|createClient.*browser/i;
-    const serverClient = /createServerClient|createClient.*server/i;
-    const genericClient = /createClient\s*\(/;
-    const browserMatches = await ctx.grepFiles(browserClient);
-    const serverMatches = await ctx.grepFiles(serverClient);
-    const genericMatches = await ctx.grepFiles(genericClient);
-    if (browserMatches.length > 0 && serverMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Separate browser and server Supabase clients detected"
-      };
-    }
-    if (browserMatches.length > 0 || serverMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Dedicated Supabase client pattern detected (@supabase/ssr)"
-      };
-    }
-    if (genericMatches.length > 0) {
-      const supabaseGeneric = genericMatches.filter((m) => /supabase|createClient/.test(m.content));
-      if (supabaseGeneric.length > 0) {
-        return {
-          result: "FAIL",
-          message: "Single generic createClient() used \u2014 no client/server separation",
-          evidence: supabaseGeneric.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-        };
-      }
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No Supabase client initialization found"
-    };
-  }
-};
-
-// src/checks/auth-12.ts
-var AUTH_12 = {
-  id: "AUTH-12",
-  name: "Auth environment variables present",
-  module: "auth",
-  priority: "P2",
-  description: "Missing auth env vars = hardcoded keys or broken auth in production.",
-  async run(ctx) {
-    const envFiles = ctx.files.filter(isEnvFile);
-    if (envFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No .env files found" };
-    }
-    const requiredVars = ["SUPABASE_URL", "SUPABASE_ANON_KEY"];
-    const found = [];
-    for (const file of envFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      for (const v of requiredVars) {
-        if (content.includes(v) && !found.includes(v)) found.push(v);
-      }
-    }
-    const supabaseRef = await ctx.grepFiles(/supabase/i);
-    if (supabaseRef.length === 0) {
-      return { result: "UNKNOWN", message: "No Supabase references found" };
-    }
-    const missing = requiredVars.filter((v) => !found.includes(v));
-    if (missing.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Missing auth env vars: ${missing.join(", ")}`,
-        evidence: missing.map((v) => `${v} not found in any .env file`)
-      };
-    }
-    return { result: "PASS", message: "Auth environment variables configured" };
-  }
-};
-
-// src/checks/auth-13.ts
-var AUTH_13 = {
-  id: "AUTH-13",
-  name: "getUser() not getSession() for server-side auth",
-  module: "auth",
-  priority: "P0",
-  description: "getSession() reads JWT without server verification. Use getUser() for auth decisions.",
-  async run(ctx) {
-    const getSessionPattern = /\.auth\.getSession\s*\(/;
-    const getUserPattern = /\.auth\.getUser\s*\(/;
-    const sessionMatches = await ctx.grepFiles(getSessionPattern);
-    const userMatches = await ctx.grepFiles(getUserPattern);
-    const serverSessionUsage = sessionMatches.filter((m) => isServerFile(m.file));
-    const serverUserUsage = userMatches.filter((m) => isServerFile(m.file));
-    if (serverSessionUsage.length > 0 && serverUserUsage.length === 0) {
-      return {
-        result: "FAIL",
-        message: `Server-side code uses getSession() without getUser() (${serverSessionUsage.length} location${serverSessionUsage.length > 1 ? "s" : ""})`,
-        evidence: serverSessionUsage.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (serverSessionUsage.length > 0 && serverUserUsage.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Server code uses both getSession() and getUser() \u2014 getSession() in server context is insecure`,
-        evidence: serverSessionUsage.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (serverUserUsage.length > 0) {
-      return {
-        result: "PASS",
-        message: "Server-side auth uses getUser() for verification"
-      };
-    }
-    if (sessionMatches.length === 0 && userMatches.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No getSession/getUser calls found \u2014 Supabase Auth may not be used"
-      };
-    }
-    return {
-      result: "PASS",
-      message: "getSession() used only in client code (acceptable for UI state)"
-    };
-  }
-};
-
-// src/checks/auth-14.ts
-var AUTH_14 = {
-  id: "AUTH-14",
-  name: "No eval() or dangerouslySetInnerHTML with user data",
-  module: "auth",
-  priority: "P0",
-  description: "eval() and dangerouslySetInnerHTML enable XSS attacks \u2014 session theft and account takeover.",
-  async run(ctx) {
-    const evalPattern = /\beval\s*\(/;
-    const innerHtmlPattern = /dangerouslySetInnerHTML/;
-    const evalMatches = await ctx.grepFiles(evalPattern);
-    const innerHtmlMatches = await ctx.grepFiles(innerHtmlPattern);
-    const dangerousEval = evalMatches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (m.file.includes("node_modules")) return false;
-      return true;
-    });
-    const dangerousHtml = innerHtmlMatches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.file.includes("node_modules")) return false;
-      return true;
-    });
-    const allDangerous = [...dangerousEval, ...dangerousHtml];
-    if (allDangerous.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Unsafe code patterns found (${dangerousEval.length} eval, ${dangerousHtml.length} dangerouslySetInnerHTML)`,
-        evidence: allDangerous.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: "No eval() or dangerouslySetInnerHTML found"
-    };
-  }
-};
-
-// src/checks/auth-15.ts
-var AUTH_15 = {
-  id: "AUTH-15",
-  name: "CORS configuration",
-  module: "auth",
-  priority: "P2",
-  description: "Access-Control-Allow-Origin: * with credentials allows any website to read auth cookies and data.",
-  async run(ctx) {
-    const wildcardCors = /Access-Control-Allow-Origin.*\*|cors.*origin.*\*|origin:\s*['"]?\*/i;
-    const credentialsCors = /credentials.*true|allowCredentials|Access-Control-Allow-Credentials/i;
-    const wildcardMatches = await ctx.grepFiles(wildcardCors);
-    const credMatches = await ctx.grepFiles(credentialsCors);
-    if (wildcardMatches.length > 0 && credMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "CORS wildcard (*) used with credentials \u2014 any website can read auth data",
-        evidence: wildcardMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (wildcardMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "CORS wildcard (*) detected \u2014 consider restricting to specific origins",
-        evidence: wildcardMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return { result: "PASS", message: "No dangerous CORS wildcard configuration detected" };
-  }
-};
-
-// src/checks/auth-16.ts
-var AUTH_16 = {
-  id: "AUTH-16",
-  name: "Token/session expiration configured",
-  module: "auth",
-  priority: "P2",
-  description: "Infinite sessions mean a stolen token works forever. Configure JWT expiration and session timeouts.",
-  async run(ctx) {
-    const expiryPatterns = /expiresIn|maxAge|session.*expir|jwt.*expir|SESSION_EXPIRY|JWT_EXPIRY|token.*expir/i;
-    const matches = await ctx.grepFiles(expiryPatterns);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Token/session expiration configured" };
-    }
-    const supabaseRef = await ctx.grepFiles(/supabase/i);
-    if (supabaseRef.length > 0) {
-      return { result: "PASS", message: "Supabase Auth has default JWT expiry (3600s)" };
-    }
-    return {
-      result: "FAIL",
-      message: "No token/session expiration configuration found",
-      evidence: ["Missing: expiresIn, maxAge, or session expiry configuration"]
-    };
-  }
-};
-
-// src/checks/auth-17.ts
-var AUTH_17 = {
-  id: "AUTH-17",
-  name: "Storage bucket RLS",
-  module: "auth",
-  priority: "P0",
-  description: "Supabase storage buckets must have RLS on storage.objects. Without it, all files are publicly accessible.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    if (sqlFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No SQL migration files found" };
-    }
-    const storageBucket = /storage\.buckets|create.*bucket|INSERT.*storage\.buckets/i;
-    const storageRls = /storage\.objects.*ENABLE.*ROW.*LEVEL|RLS.*storage\.objects|POLICY.*storage\.objects/i;
-    const bucketMatches = await ctx.grepFiles(storageBucket, sqlFiles);
-    const rlsMatches = await ctx.grepFiles(storageRls, sqlFiles);
-    if (bucketMatches.length === 0) {
-      const codeStorageRef = await ctx.grepFiles(/supabase.*storage|storage\.from\(/i);
-      if (codeStorageRef.length === 0) {
-        return { result: "N/A", message: "No Supabase storage usage detected" };
-      }
-      return {
-        result: "UNKNOWN",
-        message: "Storage used in code but no bucket creation in migrations"
-      };
-    }
-    if (rlsMatches.length > 0) {
-      return { result: "PASS", message: "Storage bucket RLS policies detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "Storage buckets created without RLS on storage.objects \u2014 files may be publicly accessible",
-      evidence: bucketMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/auth-18.ts
-var AUTH_18 = {
-  id: "AUTH-18",
-  name: "RBAC in app_metadata not user_metadata",
-  module: "auth",
-  priority: "P0",
-  description: "Roles in user_metadata are user-editable. Use app_metadata for RBAC (server-only).",
-  async run(ctx) {
-    const userMetaRole = /user_meta_?data.*role|raw_user_meta_?data.*role|user\.user_metadata.*role/i;
-    const appMetaRole = /app_meta_?data.*role|user\.app_metadata.*role/i;
-    const updateUserMeta = /updateUser\s*\(\s*\{[\s\S]*?data\s*:\s*\{[\s\S]*?role/;
-    const userMetaMatches = await ctx.grepFiles(userMetaRole);
-    const appMetaMatches = await ctx.grepFiles(appMetaRole);
-    const selfAssignMatches = await ctx.grepFiles(updateUserMeta);
-    if (userMetaMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Role stored in user_metadata (user-editable) \u2014 ${userMetaMatches.length} location${userMetaMatches.length > 1 ? "s" : ""}`,
-        evidence: userMetaMatches.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (selfAssignMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Role set via updateUser() data field (user-editable user_metadata)",
-        evidence: selfAssignMatches.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (appMetaMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Role stored in app_metadata (server-only, not user-editable)"
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No role/RBAC references found in codebase"
-    };
-  }
-};
-
-// src/checks/auth-19.ts
-var AUTH_19 = {
-  id: "AUTH-19",
-  name: "Multi-tenancy data isolation",
-  module: "auth",
-  priority: "P1",
-  description: "RLS policies must include tenant_id or organization_id to prevent cross-tenant data access.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    const tenantPattern = /tenant_id|organization_id|org_id|team_id|workspace_id/i;
-    const schemaMatches = await ctx.grepFiles(tenantPattern, sqlFiles.length > 0 ? sqlFiles : void 0);
-    const codeMatches = await ctx.grepFiles(tenantPattern);
-    if (schemaMatches.length === 0 && codeMatches.length === 0) {
-      return { result: "N/A", message: "No multi-tenancy pattern detected (single-tenant app)" };
-    }
-    const rlsPolicyTenant = await ctx.grepFiles(/POLICY[\s\S]*?tenant_id|POLICY[\s\S]*?org_id|POLICY[\s\S]*?organization_id/i, sqlFiles);
-    if (rlsPolicyTenant.length > 0) {
-      return { result: "PASS", message: "RLS policies include tenant isolation" };
-    }
-    return {
-      result: "FAIL",
-      message: "Multi-tenant schema detected but RLS policies don't include tenant_id filtering",
-      evidence: ["Tenant columns exist but RLS policies may allow cross-tenant data access"]
-    };
-  }
-};
-
-// src/checks/auth-20.ts
-var AUTH_20 = {
-  id: "AUTH-20",
-  name: "OAuth domain restriction",
-  module: "auth",
-  priority: "P1",
-  description: "Social login (Google, GitHub) should restrict allowed email domains to prevent unauthorized access.",
-  async run(ctx) {
-    const oauthPattern = /signInWithOAuth|signIn.*provider|google|github.*login|oauth/i;
-    const domainRestriction = /allowedDomain|domain.*restrict|email.*domain|hd=|hosted_domain/i;
-    const oauthMatches = await ctx.grepFiles(oauthPattern);
-    if (oauthMatches.length === 0) {
-      return { result: "N/A", message: "No OAuth/social login detected" };
-    }
-    const domainMatches = await ctx.grepFiles(domainRestriction);
-    if (domainMatches.length > 0) {
-      return { result: "PASS", message: "OAuth domain restriction detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "OAuth login enabled without domain restriction \u2014 any Google/GitHub account can sign in",
-      evidence: oauthMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/auth-21.ts
-var AUTH_21 = {
-  id: "AUTH-21",
-  name: "Force dynamic on auth routes",
-  module: "auth",
-  priority: "P1",
-  description: "Auth routes must use force-dynamic to prevent ISR cache serving wrong user data.",
-  async run(ctx) {
-    const authRouteFiles = ctx.files.filter(
-      (f) => /auth|login|register|signup|sign-in|sign-up/i.test(f) && (f.includes("page.") || f.includes("route.")) && (f.endsWith(".ts") || f.endsWith(".tsx") || f.endsWith(".js") || f.endsWith(".jsx"))
-    );
-    if (authRouteFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No auth route/page files found" };
-    }
-    const dynamicExport = /export\s+const\s+dynamic\s*=\s*['"]force-dynamic['"]/;
-    const noStore = /unstable_noStore|noStore|revalidate\s*=\s*0/;
-    const missingDynamic = [];
-    for (const file of authRouteFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (!dynamicExport.test(content) && !noStore.test(content)) {
-        if (file.includes("page.")) {
-          missingDynamic.push(file);
-        }
-      }
-    }
-    if (missingDynamic.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${missingDynamic.length} auth page${missingDynamic.length > 1 ? "s" : ""} without force-dynamic \u2014 may serve cached auth state`,
-        evidence: missingDynamic.slice(0, 5).map((f) => `${f} \u2014 missing export const dynamic = 'force-dynamic'`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Auth routes use force-dynamic or equivalent"
-    };
-  }
-};
-
-// src/checks/auth-22.ts
-var AUTH_22 = {
-  id: "AUTH-22",
-  name: "CSRF protection on Route Handlers",
-  module: "auth",
-  priority: "P2",
-  description: "Server Actions have built-in CSRF protection (Next.js 14+). Route Handlers do NOT \u2014 they need explicit CSRF tokens or SameSite cookies.",
-  async run(ctx) {
-    const routeHandlers = ctx.files.filter((f) => /route\.(ts|js)$/i.test(f));
-    if (routeHandlers.length === 0) {
-      return { result: "UNKNOWN", message: "No Route Handler files found" };
-    }
-    const mutationHandlers = [];
-    for (const file of routeHandlers) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (/export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)/i.test(content)) {
-        mutationHandlers.push(file);
-      }
-    }
-    if (mutationHandlers.length === 0) {
-      return { result: "PASS", message: "No mutation Route Handlers found (only GET)" };
-    }
-    const csrfPatterns = /csrf|csurf|csrfToken|SameSite|x-csrf|anti.?forgery/i;
-    const csrfMatches = await ctx.grepFiles(csrfPatterns);
-    if (csrfMatches.length > 0) {
-      return { result: "PASS", message: "CSRF protection detected" };
-    }
-    const serverActions = await ctx.grepFiles(/["']use server["']/i);
-    if (serverActions.length > 0 && mutationHandlers.length <= 2) {
-      return { result: "PASS", message: "Mutations use Server Actions (built-in CSRF protection)" };
-    }
-    return {
-      result: "FAIL",
-      message: `${mutationHandlers.length} mutation Route Handler${mutationHandlers.length > 1 ? "s" : ""} without CSRF protection`,
-      evidence: mutationHandlers.slice(0, 3).map((f) => `${f} \u2014 POST/PUT/PATCH/DELETE without CSRF token`)
-    };
-  }
-};
-
-// src/checks/auth-23.ts
-var AUTH_23 = {
-  id: "AUTH-23",
-  name: "Email verification required",
-  module: "auth",
-  priority: "P2",
-  description: "Without email verification, anyone can sign up with any email \u2014 spam accounts and impersonation.",
-  async run(ctx) {
-    const emailVerifyPattern = /email_confirmed_at|emailConfirmed|verifyEmail|confirmEmail|email.*verif|verification.*email/i;
-    const matches = await ctx.grepFiles(emailVerifyPattern);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Email verification check detected" };
-    }
-    const supabaseRef = await ctx.grepFiles(/supabase/i);
-    if (supabaseRef.length > 0) {
-      return { result: "PASS", message: "Supabase Auth has configurable email verification (check dashboard settings)" };
-    }
-    return {
-      result: "FAIL",
-      message: "No email verification enforcement found",
-      evidence: ["Missing: email_confirmed_at check or equivalent verification flow"]
-    };
-  }
-};
-
-// src/checks/auth-24.ts
-var AUTH_24 = {
-  id: "AUTH-24",
-  name: "Account enumeration prevention",
-  module: "auth",
-  priority: "P2",
-  description: "Login/register error messages must not reveal whether an email exists. Consistent messages prevent user enumeration.",
-  async run(ctx) {
-    const enumPatterns = /email.*not.*found|user.*not.*found|no.*account.*with|email.*already.*registered|email.*already.*exists|account.*already.*exists/i;
-    const matches = await ctx.grepFiles(enumPatterns);
-    const codeMatches = matches.filter((m) => !m.content.trimStart().startsWith("//") && !m.content.trimStart().startsWith("*"));
-    if (codeMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Account enumeration possible \u2014 error messages reveal email existence (${codeMatches.length} location${codeMatches.length > 1 ? "s" : ""})`,
-        evidence: codeMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return { result: "PASS", message: "No account enumeration patterns detected in error messages" };
-  }
-};
-
-// src/checks/auth-25.ts
-var AUTH_25 = {
-  id: "AUTH-25",
-  name: "Refresh token reuse detection",
-  module: "auth",
-  priority: "P2",
-  description: "Token rotation prevents stolen refresh tokens from being reused. Supabase supports this via config.",
-  async run(ctx) {
-    const rotationPattern = /token.*rotation|refresh.*token.*reuse|reuse.*detection|GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL/i;
-    const matches = await ctx.grepFiles(rotationPattern);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Refresh token rotation/reuse detection configured" };
-    }
-    const supabaseRef = await ctx.grepFiles(/supabase/i);
-    if (supabaseRef.length > 0) {
-      return { result: "PASS", message: "Supabase Auth has built-in refresh token rotation (check dashboard config)" };
-    }
-    return { result: "UNKNOWN", message: "No refresh token configuration detected" };
-  }
-};
-
-// src/checks/auth-26.ts
-var AUTH_26 = {
-  id: "AUTH-26",
-  name: "Sign-out revokes server session",
-  module: "auth",
-  priority: "P2",
-  description: "Sign-out must revoke the server session (scope: 'global'), not just clear client cookies.",
-  async run(ctx) {
-    const signOutPattern = /signOut|sign_out|logout|log_out/i;
-    const globalScope = /scope.*global|global.*scope/i;
-    const signOutMatches = await ctx.grepFiles(signOutPattern);
-    if (signOutMatches.length === 0) {
-      return { result: "UNKNOWN", message: "No sign-out implementation found" };
-    }
-    const globalMatches = await ctx.grepFiles(globalScope);
-    if (globalMatches.length > 0) {
-      return { result: "PASS", message: "Sign-out uses global scope (revokes all sessions)" };
-    }
-    return {
-      result: "FAIL",
-      message: "Sign-out found but no global scope \u2014 sessions may persist on other devices",
-      evidence: signOutMatches.slice(0, 2).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/auth-27.ts
-var AUTH_27 = {
-  id: "AUTH-27",
-  name: "Email link poisoning mitigation",
-  module: "auth",
-  priority: "P2",
-  description: "SITE_URL and REDIRECT_ALLOW_LIST must be configured to prevent email link redirect attacks.",
-  async run(ctx) {
-    const siteUrlPattern = /SITE_URL|GOTRUE_SITE_URL/i;
-    const redirectAllowPattern = /REDIRECT_ALLOW_LIST|ADDITIONAL_REDIRECT_URLS|redirect.*allow/i;
-    const siteUrlMatches = await ctx.grepFiles(siteUrlPattern);
-    const redirectMatches = await ctx.grepFiles(redirectAllowPattern);
-    if (siteUrlMatches.length > 0 && redirectMatches.length > 0) {
-      return { result: "PASS", message: "SITE_URL and REDIRECT_ALLOW_LIST configured" };
-    }
-    if (siteUrlMatches.length > 0) {
-      return { result: "PASS", message: "SITE_URL configured (check REDIRECT_ALLOW_LIST in Supabase dashboard)" };
-    }
-    const supabaseRef = await ctx.grepFiles(/supabase/i);
-    if (supabaseRef.length === 0) {
-      return { result: "N/A", message: "No Supabase usage detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "No SITE_URL or REDIRECT_ALLOW_LIST found \u2014 email magic links may redirect to attacker domains",
-      evidence: ["Missing: SITE_URL and REDIRECT_ALLOW_LIST in env configuration"]
-    };
-  }
-};
-
-// src/checks/auth-28.ts
-var AUTH_28 = {
-  id: "AUTH-28",
-  name: "Realtime presence authorization",
-  module: "auth",
-  priority: "P2",
-  description: "Supabase Realtime Presence channels must have authorization. Without it, any user can see who's online.",
-  async run(ctx) {
-    const realtimePattern = /realtime|presence|channel.*subscribe|supabase.*channel/i;
-    const matches = await ctx.grepFiles(realtimePattern);
-    if (matches.length === 0) {
-      return { result: "N/A", message: "No Supabase Realtime/Presence usage detected" };
-    }
-    const authInRealtime = /authorized|RLS.*realtime|realtime.*auth|channel.*auth/i;
-    const authMatches = await ctx.grepFiles(authInRealtime);
-    if (authMatches.length > 0) {
-      return { result: "PASS", message: "Realtime channel authorization detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "Realtime/Presence channels found without authorization",
-      evidence: matches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/bil-01.ts
-var BIL_01 = {
-  id: "BIL-01",
-  name: "Stripe secret key not in client code",
-  module: "billing",
-  priority: "P0",
-  description: "sk_live_/sk_test_ in client code = full Stripe API access for any visitor",
-  async run(ctx) {
-    const hardcodedPattern = /sk_live_[a-zA-Z0-9]{20,}|sk_test_[a-zA-Z0-9]{20,}/;
-    const envRefPattern = /STRIPE_SECRET|NEXT_PUBLIC_.*STRIPE.*SECRET|VITE_.*STRIPE.*SECRET/i;
-    const hardcodedMatches = await ctx.grepFiles(hardcodedPattern);
-    const hardcodedInCode = hardcodedMatches.filter(
-      (m) => !isEnvFile(m.file) && !m.content.trimStart().startsWith("#") && !m.content.trimStart().startsWith("//")
-    );
-    if (hardcodedInCode.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Hardcoded Stripe secret key found in source code (${hardcodedInCode.length} location${hardcodedInCode.length > 1 ? "s" : ""})`,
-        evidence: hardcodedInCode.map((m) => `${m.file}:${m.line} \u2192 sk_***_[REDACTED]`)
-      };
-    }
-    const envRefMatches = await ctx.grepFiles(envRefPattern);
-    const publicPrefix = envRefMatches.filter(
-      (m) => /NEXT_PUBLIC_|VITE_|EXPO_PUBLIC_/i.test(m.content) && /STRIPE.*SECRET/i.test(m.content)
-    );
-    if (publicPrefix.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Stripe secret key exposed via NEXT_PUBLIC_/VITE_ prefix",
-        evidence: publicPrefix.map((m) => `${m.file}:${m.line} \u2192 ${m.content.split("=")[0]}`)
-      };
-    }
-    const clientUsage = envRefMatches.filter(
-      (m) => isClientFile(m.file) && /STRIPE_SECRET/i.test(m.content) && !m.file.includes("/api/") && !m.file.includes("route.")
-    );
-    if (clientUsage.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Stripe secret key referenced in client-side file",
-        evidence: clientUsage.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    const anyStripeRef = envRefMatches.filter((m) => /STRIPE_SECRET/i.test(m.content));
-    if (anyStripeRef.length > 0) {
-      return {
-        result: "PASS",
-        message: "Stripe secret key found only in server-side/env files"
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No Stripe secret key references found \u2014 Stripe may not be used"
-    };
-  }
-};
-
-// src/checks/bil-02.ts
-var BIL_02 = {
-  id: "BIL-02",
-  name: "Webhook signature verification",
-  module: "billing",
-  priority: "P0",
-  aliases: ["ADM-15"],
-  description: "Stripe webhook handler must verify signature via constructEvent(). Without it, anyone can send fake webhooks.",
-  async run(ctx) {
-    const webhookFilePattern = /webhook/i;
-    const webhookFiles = ctx.files.filter((f) => webhookFilePattern.test(f));
-    if (webhookFiles.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No webhook handler files found"
-      };
-    }
-    const constructEventPattern = /constructEvent|constructEventAsync|webhooks\.construct/;
-    const signaturePattern = /stripe-signature|Stripe-Signature|STRIPE_WEBHOOK_SECRET|webhook.*secret/i;
-    const constructMatches = await ctx.grepFiles(constructEventPattern, webhookFiles);
-    const signatureMatches = await ctx.grepFiles(signaturePattern, webhookFiles);
-    if (constructMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Webhook handler uses constructEvent() for signature verification"
-      };
-    }
-    if (signatureMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Webhook handler references signature verification"
-      };
-    }
-    const stripeInWebhook = await ctx.grepFiles(/stripe|Stripe/, webhookFiles);
-    if (stripeInWebhook.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Stripe webhook handler found WITHOUT signature verification",
-        evidence: webhookFiles.map((f) => `${f} \u2014 no constructEvent() or signature check`)
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "Webhook files found but no Stripe references \u2014 may not be Stripe webhooks"
-    };
-  }
-};
-
-// src/checks/bil-03.ts
-var BIL_03 = {
-  id: "BIL-03",
-  name: "Raw body preservation in webhook",
-  module: "billing",
-  priority: "P0",
-  description: "Webhook signature verification requires raw request body. req.json() breaks it \u2014 use req.text() or bodyParser: false.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter((f) => /webhook/i.test(f));
-    if (webhookFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No webhook handler files found" };
-    }
-    const rawBodyPatterns = /request\.text\(\)|req\.text\(\)|bodyParser\s*:\s*false|getRawBody|raw\s*:\s*true|rawBody/;
-    const badBodyPatterns = /request\.json\(\)|req\.body(?!\s*Parser)|JSON\.parse/;
-    const rawMatches = await ctx.grepFiles(rawBodyPatterns, webhookFiles);
-    const badMatches = await ctx.grepFiles(badBodyPatterns, webhookFiles);
-    if (rawMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Webhook handler preserves raw body for signature verification"
-      };
-    }
-    const stripeInWebhook = await ctx.grepFiles(/stripe|constructEvent/i, webhookFiles);
-    if (stripeInWebhook.length === 0) {
-      return { result: "UNKNOWN", message: "Webhook files found but no Stripe references" };
-    }
-    if (badMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Webhook handler uses req.json()/req.body instead of raw body \u2014 signature verification will fail",
-        evidence: badMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return {
-      result: "FAIL",
-      message: "Stripe webhook handler found but no raw body preservation detected",
-      evidence: webhookFiles.map((f) => `${f} \u2014 missing request.text() or bodyParser: false`)
-    };
-  }
-};
-
-// src/checks/bil-04.ts
-var BIL_04 = {
-  id: "BIL-04",
-  name: "Idempotent webhook processing",
-  module: "billing",
-  priority: "P1",
-  description: "Stripe retries webhooks by design. Without idempotency checks, duplicate credits and double subscriptions occur.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter((f) => /webhook/i.test(f));
-    if (webhookFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No webhook handler files found" };
-    }
-    const idempotencyPatterns = /event\.id|event_id|idempoten|UNIQUE.*event|duplicate.*check|processed.*events|already.*processed/i;
-    const matches = await ctx.grepFiles(idempotencyPatterns, webhookFiles);
-    const stripeRef = await ctx.grepFiles(/stripe|constructEvent/i, webhookFiles);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe webhook handler found" };
-    }
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Webhook idempotency check detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "Stripe webhook handler has no idempotency check \u2014 duplicate processing possible",
-      evidence: ["No event.id tracking or duplicate check in webhook handler"]
-    };
-  }
-};
-
-// src/checks/bil-05.ts
-var BIL_05 = {
-  id: "BIL-05",
-  name: "Subscription state machine",
-  module: "billing",
-  priority: "P1",
-  description: "Stripe has 8 subscription states. Handling only active/canceled causes access issues for past_due, trialing, incomplete, unpaid.",
-  async run(ctx) {
-    const fullStates = /past_due|trialing|incomplete|unpaid/i;
-    const basicStates = /active|canceled/i;
-    const matches = await ctx.grepFiles(fullStates);
-    const basicMatches = await ctx.grepFiles(basicStates);
-    if (matches.length >= 2) {
-      return { result: "PASS", message: "Multiple subscription states handled beyond active/canceled" };
-    }
-    if (basicMatches.length > 0 && matches.length === 0) {
-      return {
-        result: "FAIL",
-        message: "Only active/canceled states handled \u2014 missing past_due, trialing, incomplete, unpaid",
-        evidence: ["Subscription state machine is incomplete \u2014 users may lose access incorrectly"]
-      };
-    }
-    const stripeRef = await ctx.grepFiles(/subscription|stripe/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No subscription handling found" };
-    }
-    return {
-      result: "FAIL",
-      message: "Subscription code found but no explicit state handling",
-      evidence: ["Missing: past_due, trialing, incomplete, unpaid state handling"]
-    };
-  }
-};
-
-// src/checks/bil-06.ts
-var BIL_06 = {
-  id: "BIL-06",
-  name: "Entitlement/plan limit checking",
-  module: "billing",
-  priority: "P1",
-  description: "Stripe doesn't track usage limits. Without app-side entitlement checks, free users access paid features.",
-  async run(ctx) {
-    const patterns = /checkPlan|checkEntitle|planLimit|featureGate|subscription.*check|plan.*limit|canAccess|hasFeature|isSubscribed|entitlement/i;
-    const matches = await ctx.grepFiles(patterns);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Entitlement/plan limit checking detected" };
-    }
-    const stripeRef = await ctx.grepFiles(/subscription|stripe.*plan|pricing/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No subscription/pricing code found" };
-    }
-    return {
-      result: "FAIL",
-      message: "Subscription code exists but no entitlement/plan limit checks found",
-      evidence: ["Missing: checkPlanLimit, checkEntitlement, featureGate, or equivalent"]
-    };
-  }
-};
-
-// src/checks/bil-07.ts
-var BIL_07 = {
-  id: "BIL-07",
-  name: "Customer \u2194 User sync",
-  module: "billing",
-  priority: "P1",
-  description: "Every user must map to exactly one Stripe customer. Missing sync = orphaned customers, broken subscription lookups.",
-  async run(ctx) {
-    const schemaPattern = /stripe_customer_id|stripeCustomerId|customer_id.*stripe/i;
-    const createCustomerPattern = /customers\.create|createCustomer|stripe.*customer/i;
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    const schemaMatches = await ctx.grepFiles(schemaPattern, sqlFiles.length > 0 ? sqlFiles : void 0);
-    const codeMatches = await ctx.grepFiles(createCustomerPattern);
-    if (schemaMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "stripe_customer_id found in database schema \u2014 user-customer sync exists"
-      };
-    }
-    if (codeMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Stripe customer creation found in code"
-      };
-    }
-    const stripeRef = await ctx.grepFiles(/stripe/i);
-    if (stripeRef.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Stripe is used but no stripe_customer_id in schema and no customer creation logic",
-        evidence: ["Missing: stripe_customer_id column in users/profiles table"]
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No Stripe references found"
-    };
-  }
-};
-
-// src/checks/bil-08.ts
-var BIL_08 = {
-  id: "BIL-08",
-  name: "Webhook returns 200 for unknown events",
-  module: "billing",
-  priority: "P1",
-  description: "Returning 400/500 for unhandled events triggers Stripe retry loops and eventual endpoint deactivation.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter((f) => /webhook/i.test(f));
-    if (webhookFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No webhook handler files found" };
-    }
-    const badDefault = /else\s*\{[\s\S]*?(?:return.*(?:4\d\d|5\d\d)|throw|NextResponse.*(?:4\d\d|5\d\d))/i;
-    const goodDefault = /default\s*:[\s\S]*?(?:200|ok|return\s+new\s+Response)/i;
-    const badMatches = await ctx.grepFiles(badDefault, webhookFiles);
-    const goodMatches = await ctx.grepFiles(goodDefault, webhookFiles);
-    if (badMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Webhook handler returns error for unknown events \u2014 will trigger Stripe retry loop",
-        evidence: badMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (goodMatches.length > 0) {
-      return { result: "PASS", message: "Webhook handler returns 200 for unhandled events" };
-    }
-    return { result: "UNKNOWN", message: "Could not determine webhook default response behavior" };
-  }
-};
-
-// src/checks/bil-09.ts
-var BIL_09 = {
-  id: "BIL-09",
-  name: "No client-side billing state as source of truth",
-  module: "billing",
-  priority: "P1",
-  description: "Subscription state in localStorage/React state can be manipulated. Server must be source of truth.",
-  async run(ctx) {
-    const clientStatePatterns = /localStorage.*(?:subscription|plan|billing)|sessionStorage.*(?:subscription|plan)|useState.*(?:subscription|isPro|isPaid|plan)/i;
-    const matches = await ctx.grepFiles(clientStatePatterns);
-    const clientMatches = matches.filter((m) => isClientFile(m.file));
-    if (clientMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Client-side billing state found (${clientMatches.length} location${clientMatches.length > 1 ? "s" : ""})`,
-        evidence: clientMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return { result: "PASS", message: "No client-side billing state as source of truth detected" };
-  }
-};
-
-// src/checks/bil-10.ts
-var BIL_10 = {
-  id: "BIL-10",
-  name: "Reconciliation mechanism",
-  module: "billing",
-  priority: "P2",
-  description: "Even good webhook handling drifts 1-2x/month. A reconciliation job comparing Stripe vs DB prevents silent revenue loss.",
-  async run(ctx) {
-    const patterns = /reconcil|sync.*stripe|stripe.*sync|cron.*billing|billing.*cron|verify.*subscription|subscription.*verify/i;
-    const filePattern = ctx.files.filter((f) => /reconcil/i.test(f));
-    const grepMatches = await ctx.grepFiles(patterns);
-    if (filePattern.length > 0 || grepMatches.length > 0) {
-      return { result: "PASS", message: "Reconciliation mechanism detected" };
-    }
-    const stripeRef = await ctx.grepFiles(/stripe/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe references found" };
-    }
-    return {
-      result: "FAIL",
-      message: "No billing reconciliation mechanism found",
-      evidence: ["Missing: reconciliation script/job to compare Stripe state vs DB state"]
-    };
-  }
-};
-
-// src/checks/bil-11.ts
-var BIL_11 = {
-  id: "BIL-11",
-  name: "Cancellation handling",
-  module: "billing",
-  priority: "P1",
-  description: "Explicit cancel flow: server-side cancellation + webhook processing + DB update + access revocation.",
-  async run(ctx) {
-    const cancelPatterns = /cancel.*subscription|subscription.*cancel|customer\.subscription\.deleted|cancelAt|cancel_at_period_end/i;
-    const matches = await ctx.grepFiles(cancelPatterns);
-    if (matches.length >= 2) {
-      return { result: "PASS", message: "Cancellation handling detected in multiple locations" };
-    }
-    if (matches.length === 1) {
-      return { result: "PASS", message: "Cancellation handling detected" };
-    }
-    const stripeRef = await ctx.grepFiles(/subscription|stripe/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No subscription code found" };
-    }
-    return {
-      result: "FAIL",
-      message: "No cancellation handling found \u2014 users may retain access after canceling or be charged after canceling",
-      evidence: ["Missing: cancel subscription flow, subscription.deleted webhook handler"]
-    };
-  }
-};
-
-// src/checks/bil-12.ts
-var BIL_12 = {
-  id: "BIL-12",
-  name: "Stripe env vars configured",
-  module: "billing",
-  priority: "P2",
-  description: "Missing Stripe env vars = billing won't work in production or keys get hardcoded.",
-  async run(ctx) {
-    const envFiles = ctx.files.filter(isEnvFile);
-    if (envFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No .env files found" };
-    }
-    const requiredVars = ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET", "STRIPE_PUBLISHABLE_KEY"];
-    const found = [];
-    const missing = [];
-    for (const file of envFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      for (const v of requiredVars) {
-        if (content.includes(v) && !found.includes(v)) found.push(v);
-      }
-    }
-    for (const v of requiredVars) {
-      if (!found.includes(v)) missing.push(v);
-    }
-    const stripeRef = await ctx.grepFiles(/stripe/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe references found" };
-    }
-    if (missing.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Missing Stripe env vars: ${missing.join(", ")}`,
-        evidence: missing.map((v) => `${v} not found in any .env file`)
-      };
-    }
-    return { result: "PASS", message: "All required Stripe env vars configured" };
-  }
-};
-
-// src/checks/bil-13.ts
-var BIL_13 = {
-  id: "BIL-13",
-  name: "Error handling in payment flows",
-  module: "billing",
-  priority: "P2",
-  description: "Missing error handling around Stripe API calls = white screen on payment failure, no diagnostics.",
-  async run(ctx) {
-    const stripeApiCall = /stripe\.\w+\.\w+\(|checkout\.sessions\.create|subscriptions\.create|customers\.create/i;
-    const errorHandling = /try\s*\{|\.catch\s*\(|catch\s*\(/;
-    const apiFiles = ctx.files.filter((f) => /api|route|action|server/i.test(f));
-    const stripeMatches = await ctx.grepFiles(stripeApiCall, apiFiles.length > 0 ? apiFiles : void 0);
-    if (stripeMatches.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe API calls found" };
-    }
-    const errorMatches = await ctx.grepFiles(errorHandling, apiFiles.length > 0 ? apiFiles : void 0);
-    if (errorMatches.length > 0) {
-      return { result: "PASS", message: "Error handling found in payment flow files" };
-    }
-    return {
-      result: "FAIL",
-      message: "Stripe API calls found without error handling",
-      evidence: stripeMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/bil-14.ts
-var BIL_14 = {
-  id: "BIL-14",
-  name: "Checkout flow is server-initiated",
-  module: "billing",
-  priority: "P0",
-  description: "Checkout session must be created on the server. Client-side creation requires secret key in browser.",
-  async run(ctx) {
-    const checkoutPattern = /checkout\.sessions\.create|createCheckoutSession/;
-    const matches = await ctx.grepFiles(checkoutPattern);
-    if (matches.length === 0) {
-      return { result: "UNKNOWN", message: "No Checkout session creation found" };
-    }
-    const clientSide = matches.filter((m) => isClientFile(m.file) && !isServerFile(m.file));
-    for (const m of clientSide) {
-      let content;
-      try {
-        content = await ctx.readFile(m.file);
-      } catch {
-        continue;
-      }
-      if (/["']use client["']/.test(content)) {
-        return {
-          result: "FAIL",
-          message: "Checkout session created in client component \u2014 secret key required in browser",
-          evidence: [`${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`]
-        };
-      }
-    }
-    const serverSide = matches.filter((m) => isServerFile(m.file));
-    if (serverSide.length > 0) {
-      return { result: "PASS", message: "Checkout session created server-side" };
-    }
-    return { result: "PASS", message: "Checkout session creation found (not in client component)" };
-  }
-};
-
-// src/checks/bil-15.ts
-var BIL_15 = {
-  id: "BIL-15",
-  name: "Stripe Price ID tampering prevention",
-  module: "billing",
-  priority: "P0",
-  description: "Price ID from client request must be validated server-side against an allowlist. Client can send any price_id.",
-  async run(ctx) {
-    const checkoutPattern = /checkout\.sessions\.create|createCheckoutSession/;
-    const checkoutMatches = await ctx.grepFiles(checkoutPattern);
-    if (checkoutMatches.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe Checkout session creation found" };
-    }
-    const priceFromRequest = /req\.body.*price|req\.json.*price|request\.json.*price|body\.price|priceId|price_id/i;
-    const priceValidation = /allowedPrices|ALLOWED_PRICES|validPrices|PRICE_IDS|priceWhitelist|priceLookup|PLANS\[|plans\[|PRICES\[|prices\./i;
-    const requestPriceMatches = await ctx.grepFiles(priceFromRequest);
-    const validationMatches = await ctx.grepFiles(priceValidation);
-    if (requestPriceMatches.length > 0 && validationMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: "Price ID accepted from client without server-side validation",
-        evidence: requestPriceMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (validationMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Price ID validation/allowlist detected"
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Checkout session creation found with no client price input detected"
-    };
-  }
-};
-
-// src/checks/bil-16.ts
-var BIL_16 = {
-  id: "BIL-16",
-  name: "Never fulfill on success_url",
-  module: "billing",
-  priority: "P0",
-  description: "Fulfillment (DB writes, access grants) must happen via webhook, not on the success redirect page.",
-  async run(ctx) {
-    const successPagePatterns = [
-      /success/i,
-      /thank/i,
-      /payment.*confirm/i
-    ];
-    const successPages = ctx.files.filter((f) => {
-      const isPage = f.includes("page.") || f.includes("index.");
-      return isPage && successPagePatterns.some((p) => p.test(f));
-    });
-    if (successPages.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No success/thank-you pages found"
-      };
-    }
-    const fulfillmentPatterns = /\.insert\(|\.update\(|\.upsert\(|createSubscription|grantAccess|activateUser|fulfillOrder|UPDATE.*SET|INSERT.*INTO/i;
-    const dangerousMatches = [];
-    for (const file of successPages) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      const lines = content.split("\n");
-      for (let i = 0; i < lines.length; i++) {
-        if (fulfillmentPatterns.test(lines[i])) {
-          dangerousMatches.push({ file, line: i + 1, content: lines[i].trim() });
-        }
-      }
-    }
-    if (dangerousMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Fulfillment logic found in success page (${dangerousMatches.length} location${dangerousMatches.length > 1 ? "s" : ""}) \u2014 must use webhook instead`,
-        evidence: dangerousMatches.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Success pages contain no fulfillment logic"
-    };
-  }
-};
-
-// src/checks/bil-17.ts
-var BIL_17 = {
-  id: "BIL-17",
-  name: "PCI raw card data safety",
-  module: "billing",
-  priority: "P0",
-  description: "Raw card numbers, CVV, expiration must never touch your server. Use Stripe Elements or Checkout.",
-  async run(ctx) {
-    const rawCardPatterns = /card\s*\[\s*number\s*\]|cardNumber|card_number|cvv|cvc|expiry.*month|card.*expir/i;
-    const inputPatterns = /<input[^>]*(?:card|cvv|cvc|expir)/i;
-    const stripeElements = /CardElement|PaymentElement|useStripe|useElements|@stripe\/react-stripe-js|stripe\.elements/i;
-    const rawCardMatches = await ctx.grepFiles(rawCardPatterns);
-    const inputMatches = await ctx.grepFiles(inputPatterns);
-    const codeMatches = [...rawCardMatches, ...inputMatches].filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (m.content.trimStart().startsWith("#")) return false;
-      if (m.file.includes("test") || m.file.includes("spec")) return false;
-      if (m.file.includes(".md")) return false;
-      return true;
-    });
-    const elementsMatches = await ctx.grepFiles(stripeElements);
-    if (codeMatches.length > 0 && elementsMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: `Raw card data handling detected without Stripe Elements (${codeMatches.length} location${codeMatches.length > 1 ? "s" : ""})`,
-        evidence: codeMatches.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (elementsMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "Stripe Elements/Checkout detected \u2014 card data handled by Stripe"
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No card data handling or Stripe Elements detected"
-    };
-  }
-};
-
-// src/checks/bil-18.ts
-var BIL_18 = {
-  id: "BIL-18",
-  name: "Refund/dispute handling",
-  module: "billing",
-  priority: "P1",
-  description: "Webhook must handle charge.refunded and charge.dispute.created to revoke access and update billing state.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter((f) => /webhook/i.test(f));
-    if (webhookFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No webhook handler files found" };
-    }
-    const refundPattern = /charge\.refunded|refund/i;
-    const disputePattern = /charge\.dispute|dispute/i;
-    const refundMatches = await ctx.grepFiles(refundPattern, webhookFiles);
-    const disputeMatches = await ctx.grepFiles(disputePattern, webhookFiles);
-    if (refundMatches.length > 0 && disputeMatches.length > 0) {
-      return { result: "PASS", message: "Both refund and dispute handling detected in webhook" };
-    }
-    if (refundMatches.length > 0 || disputeMatches.length > 0) {
-      return { result: "PASS", message: "Partial refund/dispute handling detected" };
-    }
-    const stripeRef = await ctx.grepFiles(/stripe/i, webhookFiles);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe webhook handler found" };
-    }
-    return {
-      result: "FAIL",
-      message: "No refund or dispute handling in webhook \u2014 access may persist after refund",
-      evidence: ["Missing: charge.refunded and charge.dispute.created event handlers"]
-    };
-  }
-};
-
-// src/checks/bil-19.ts
-var BIL_19 = {
-  id: "BIL-19",
-  name: "Stripe API version pinning",
-  module: "billing",
-  priority: "P2",
-  description: "Pin Stripe API version to avoid breaking changes from automatic upgrades.",
-  async run(ctx) {
-    const versionPattern = /apiVersion|api_version/i;
-    const matches = await ctx.grepFiles(versionPattern);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Stripe API version pinning detected" };
-    }
-    const stripeInit = await ctx.grepFiles(/new\s+Stripe\s*\(|Stripe\s*\(/i);
-    if (stripeInit.length === 0) {
-      return { result: "UNKNOWN", message: "No Stripe initialization found" };
-    }
-    return {
-      result: "FAIL",
-      message: "Stripe initialized without explicit API version \u2014 may break on Stripe upgrades",
-      evidence: stripeInit.slice(0, 2).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/bil-20.ts
-var BIL_20 = {
-  id: "BIL-20",
-  name: "Portal session auth",
-  module: "billing",
-  priority: "P1",
-  description: "Billing portal session must use customer ID from authenticated user, not from client request.",
-  async run(ctx) {
-    const portalPattern = /billingPortal|billing_portal|customer_portal/i;
-    const matches = await ctx.grepFiles(portalPattern);
-    if (matches.length === 0) {
-      return { result: "UNKNOWN", message: "No billing portal usage found" };
-    }
-    const authBeforePortal = /getUser|getSession|auth\(\)|requireAuth/i;
-    const portalFiles = [...new Set(matches.map((m) => m.file))];
-    const authMatches = await ctx.grepFiles(authBeforePortal, portalFiles);
-    if (authMatches.length > 0) {
-      return { result: "PASS", message: "Billing portal session created with authenticated customer ID" };
-    }
-    return {
-      result: "FAIL",
-      message: "Billing portal session created without verifying authenticated user",
-      evidence: matches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/bil-21.ts
-var BIL_21 = {
-  id: "BIL-21",
-  name: "Webhook event coverage",
-  module: "billing",
-  priority: "P1",
-  description: "Webhook handler must process at minimum 3 core subscription events. Missing events = state drift.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter((f) => /webhook/i.test(f));
-    if (webhookFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No webhook handler files found" };
-    }
-    const coreEvents = [
-      { pattern: /checkout\.session\.completed/i, name: "checkout.session.completed" },
-      { pattern: /customer\.subscription\.updated/i, name: "customer.subscription.updated" },
-      { pattern: /customer\.subscription\.deleted/i, name: "customer.subscription.deleted" },
-      { pattern: /invoice\.payment_succeeded/i, name: "invoice.payment_succeeded" },
-      { pattern: /invoice\.payment_failed/i, name: "invoice.payment_failed" }
-    ];
-    const foundEvents = [];
-    const missingEvents = [];
-    for (const event of coreEvents) {
-      const matches = await ctx.grepFiles(event.pattern, webhookFiles);
-      if (matches.length > 0) {
-        foundEvents.push(event.name);
-      } else {
-        missingEvents.push(event.name);
-      }
-    }
-    if (foundEvents.length === 0) {
-      const stripeRef = await ctx.grepFiles(/stripe/i, webhookFiles);
-      if (stripeRef.length === 0) {
-        return { result: "UNKNOWN", message: "Webhook files found but no Stripe event handling" };
-      }
-      return {
-        result: "FAIL",
-        message: "Stripe webhook handler found but no subscription events handled",
-        evidence: ["Missing: checkout.session.completed, subscription.updated, subscription.deleted"]
-      };
-    }
-    if (foundEvents.length < 3) {
-      return {
-        result: "FAIL",
-        message: `Only ${foundEvents.length}/5 core webhook events handled`,
-        evidence: [
-          `Handled: ${foundEvents.join(", ")}`,
-          `Missing: ${missingEvents.join(", ")}`
-        ]
-      };
-    }
-    return {
-      result: "PASS",
-      message: `${foundEvents.length}/5 core webhook events handled`
-    };
-  }
-};
-
-// src/checks/bil-22.ts
-var BIL_22 = {
-  id: "BIL-22",
-  name: "Trial period handling",
-  module: "billing",
-  priority: "P2",
-  description: "If trials are offered, handle trial_will_end webhook and trial-to-paid conversion properly.",
-  async run(ctx) {
-    const trialPattern = /trial_period_days|trial_end|trialing|trial_will_end|trialDays/i;
-    const matches = await ctx.grepFiles(trialPattern);
-    if (matches.length >= 2) {
-      return { result: "PASS", message: "Trial period handling detected" };
-    }
-    if (matches.length === 1) {
-      return { result: "PASS", message: "Trial reference found (verify trial_will_end webhook is handled)" };
-    }
-    const stripeRef = await ctx.grepFiles(/subscription|stripe/i);
-    if (stripeRef.length === 0) {
-      return { result: "UNKNOWN", message: "No subscription code found" };
-    }
-    return { result: "N/A", message: "No trial period usage detected" };
-  }
-};
-
-// src/checks/bil-23.ts
-var BIL_23 = {
-  id: "BIL-23",
-  name: "Card testing protection",
-  module: "billing",
-  priority: "P2",
-  description: "Rate limiting on payment endpoints prevents card testing attacks (automated validation of stolen cards).",
-  async run(ctx) {
-    const paymentFiles = ctx.files.filter((f) => /checkout|payment|billing|subscribe/i.test(f));
-    if (paymentFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No payment endpoint files found" };
-    }
-    const rateLimitPattern = /rateLimit|rate.limit|throttle|limiter|too.many.requests|429|upstash/i;
-    const matches = await ctx.grepFiles(rateLimitPattern, paymentFiles);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected on payment endpoints" };
-    }
-    const globalRateLimit = await ctx.grepFiles(rateLimitPattern);
-    if (globalRateLimit.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected in codebase (verify it covers payment endpoints)" };
-    }
-    return {
-      result: "FAIL",
-      message: "No rate limiting found on payment endpoints \u2014 vulnerable to card testing",
-      evidence: ["Missing: rate limiting middleware on checkout/payment routes"]
-    };
-  }
-};
-
-// src/checks/bil-24.ts
-var BIL_24 = {
-  id: "BIL-24",
-  name: "Metered billing usage reporting",
-  module: "billing",
-  priority: "P2",
-  description: "If using metered pricing, usage must be reported to Stripe. Missing reporting = customers never billed for usage.",
-  async run(ctx) {
-    const meteredPattern = /metered|usage_type|usageRecord|usage.*report|createUsageRecord|meter/i;
-    const matches = await ctx.grepFiles(meteredPattern);
-    if (matches.length >= 2) {
-      return { result: "PASS", message: "Metered billing usage reporting detected" };
-    }
-    if (matches.length === 1) {
-      return { result: "PASS", message: "Metered billing reference found" };
-    }
-    return { result: "N/A", message: "No metered billing usage detected" };
-  }
-};
-
-// src/checks/adm-01.ts
-var ADM_01 = {
-  id: "ADM-01",
-  name: "Admin endpoints have server-side auth",
-  module: "admin",
-  priority: "P0",
-  description: "Every /admin or /api/admin endpoint must verify admin role server-side. Server Actions are public POST endpoints.",
-  async run(ctx) {
-    const adminRoutes = ctx.files.filter(
-      (f) => /api\/admin|app\/api\/admin/i.test(f) && (f.endsWith(".ts") || f.endsWith(".js"))
-    );
-    if (adminRoutes.length === 0) {
-      return { result: "UNKNOWN", message: "No admin API route handlers found" };
-    }
-    const adminAuthPatterns = /requireAdmin|role.*admin|isAdmin|checkPermission|requireRole|app_metadata.*admin|admin.*guard/i;
-    const unprotected = [];
-    for (const file of adminRoutes) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (!adminAuthPatterns.test(content)) {
-        unprotected.push(file);
-      }
-    }
-    if (unprotected.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} admin API route${unprotected.length > 1 ? "s" : ""} without admin role verification`,
-        evidence: unprotected.slice(0, 5).map((f) => `${f} \u2014 no admin role check detected`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${adminRoutes.length} admin API routes have admin role verification`
-    };
-  }
-};
-
-// src/checks/adm-02.ts
-var ADM_02 = {
-  id: "ADM-02",
-  name: "Admin routes not accessible without auth",
-  module: "admin",
-  priority: "P0",
-  description: "Admin pages and API must return 401/403 without valid admin token. Middleware alone is insufficient (CVE-2025-29927).",
-  async run(ctx) {
-    const adminPages = ctx.files.filter(
-      (f) => /app\/admin\/.*page\.|pages\/admin\//i.test(f)
-    );
-    if (adminPages.length === 0) {
-      return { result: "UNKNOWN", message: "No admin pages found" };
-    }
-    const authGuardPatterns = /getUser|getSession|requireAuth|requireAdmin|redirect.*login|redirect.*auth|middleware|auth\(\)|checkPermission/i;
-    const unprotected = [];
-    for (const file of adminPages) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (!authGuardPatterns.test(content)) {
-        unprotected.push(file);
-      }
-    }
-    const hasMiddleware = ctx.files.some((f) => /middleware\.(ts|js)$/i.test(f));
-    let middlewareCoversAdmin = false;
-    if (hasMiddleware) {
-      const mwFile = ctx.files.find((f) => /middleware\.(ts|js)$/i.test(f));
-      if (mwFile) {
-        try {
-          const content = await ctx.readFile(mwFile);
-          middlewareCoversAdmin = /admin/i.test(content);
-        } catch {
-        }
-      }
-    }
-    if (unprotected.length > 0 && !middlewareCoversAdmin) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} admin page${unprotected.length > 1 ? "s" : ""} without auth guard (no middleware coverage either)`,
-        evidence: unprotected.slice(0, 5).map((f) => `${f} \u2014 no auth guard detected`)
-      };
-    }
-    if (unprotected.length > 0 && middlewareCoversAdmin) {
-      return {
-        result: "PASS",
-        message: `Admin pages protected via middleware (${adminPages.length} pages). Note: add per-route auth for defense-in-depth.`
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${adminPages.length} admin pages have auth guards`
-    };
-  }
-};
-
-// src/checks/adm-03.ts
-var ADM_03 = {
-  id: "ADM-03",
-  name: "No client-side-only role checks",
-  module: "admin",
-  priority: "P1",
-  description: "Role checks in JSX ({isAdmin && <Panel/>}) without server-side enforcement are bypassable via dev tools.",
-  async run(ctx) {
-    const clientRolePattern = /isAdmin|is_admin|role.*admin|admin.*role/i;
-    const serverRolePattern = /requireAdmin|requireRole|checkPermission|app_metadata.*admin/i;
-    const clientMatches = await ctx.grepFiles(clientRolePattern);
-    const clientOnly = clientMatches.filter((m) => isClientFile(m.file) && !isServerFile(m.file));
-    if (clientOnly.length === 0) {
-      return { result: "PASS", message: "No client-side-only role checks detected" };
-    }
-    const serverMatches = await ctx.grepFiles(serverRolePattern);
-    if (serverMatches.length > 0) {
-      return { result: "PASS", message: "Client-side role checks backed by server-side enforcement" };
-    }
-    return {
-      result: "FAIL",
-      message: `Client-side role checks found without server-side enforcement (${clientOnly.length} location${clientOnly.length > 1 ? "s" : ""})`,
-      evidence: clientOnly.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/adm-04.ts
-var ADM_04 = {
-  id: "ADM-04",
-  name: "Audit log for admin actions",
-  module: "admin",
-  priority: "P1",
-  description: "Admin operations (delete user, change role, modify data) must be logged. Required for SOC 2 compliance.",
-  async run(ctx) {
-    const codePattern = /audit.*log|admin.*log|action.*log|createAuditEntry|logAdminAction|activity.*log/i;
-    const schemaPattern = /audit_log|admin_log|activity_log/i;
-    const codeMatches = await ctx.grepFiles(codePattern);
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    const schemaMatches = await ctx.grepFiles(schemaPattern, sqlFiles.length > 0 ? sqlFiles : void 0);
-    if (codeMatches.length > 0 || schemaMatches.length > 0) {
-      return { result: "PASS", message: "Audit logging detected for admin actions" };
-    }
-    const adminRef = await ctx.grepFiles(/admin/i);
-    if (adminRef.length === 0) {
-      return { result: "UNKNOWN", message: "No admin functionality detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "No audit logging found for admin actions",
-      evidence: ["Missing: audit_log table or logAdminAction function"]
-    };
-  }
-};
-
-// src/checks/adm-05.ts
-var ADM_05 = {
-  id: "ADM-05",
-  name: "RBAC beyond binary admin",
-  module: "admin",
-  priority: "P2",
-  description: "Binary admin/user model means every admin can do everything. Granular roles limit blast radius.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    const rbacPattern = /RBAC|permission|capability|role.*check|roles.*table|user_roles/i;
-    const binaryPattern = /isAdmin|is_admin|boolean.*admin/i;
-    const rbacMatches = await ctx.grepFiles(rbacPattern);
-    const schemaRoles = await ctx.grepFiles(/role.*enum|roles.*table|permissions.*table/i, sqlFiles.length > 0 ? sqlFiles : void 0);
-    if (rbacMatches.length > 0 || schemaRoles.length > 0) {
-      return { result: "PASS", message: "RBAC or granular permissions model detected" };
-    }
-    const binaryMatches = await ctx.grepFiles(binaryPattern);
-    if (binaryMatches.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Binary admin model (isAdmin boolean) \u2014 no granular permissions",
-        evidence: binaryMatches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return { result: "UNKNOWN", message: "No admin role model detected" };
-  }
-};
-
-// src/checks/adm-06.ts
-var ADM_06 = {
-  id: "ADM-06",
-  name: "Safe impersonation (if exists)",
-  module: "admin",
-  priority: "P1",
-  description: "If admin can 'login as user', the action must be logged with admin ID preserved. Replacing admin session = invisible abuse.",
-  async run(ctx) {
-    const impersonatePattern = /impersonat|loginAs|actAs|switchUser|act_as|login_as/i;
-    const matches = await ctx.grepFiles(impersonatePattern);
-    if (matches.length === 0) {
-      return { result: "N/A", message: "No impersonation functionality detected" };
-    }
-    const auditPattern = /audit|log.*admin|admin.*log|logAction|track/i;
-    const auditMatches = await ctx.grepFiles(auditPattern);
-    if (auditMatches.length > 0) {
-      return { result: "PASS", message: "Impersonation exists with audit logging" };
-    }
-    return {
-      result: "FAIL",
-      message: "Impersonation found without audit logging \u2014 admin actions will appear as user actions",
-      evidence: matches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/adm-07.ts
-var ADM_07 = {
-  id: "ADM-07",
-  name: "UUIDs not sequential IDs",
-  module: "admin",
-  priority: "P1",
-  description: "Sequential integer IDs enable enumeration attacks (IDOR). Use UUIDs for all user-facing primary keys.",
-  async run(ctx) {
-    const sqlFiles = ctx.files.filter(isMigrationFile);
-    if (sqlFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No SQL migration files found" };
-    }
-    const serialPattern = /(?:SERIAL|BIGSERIAL|INTEGER\s+PRIMARY\s+KEY\s+(?:AUTO_INCREMENT|GENERATED))/i;
-    const uuidPattern = /UUID\s+(?:PRIMARY\s+KEY\s+)?DEFAULT\s+(?:gen_random_uuid|uuid_generate)/i;
-    const serialMatches = await ctx.grepFiles(serialPattern, sqlFiles);
-    const uuidMatches = await ctx.grepFiles(uuidPattern, sqlFiles);
-    const realSerialIssues = serialMatches.filter((m) => {
-      if (/migration|schema_migration|_prisma/i.test(m.content)) return false;
-      return true;
-    });
-    if (realSerialIssues.length > 0 && uuidMatches.length === 0) {
-      return {
-        result: "FAIL",
-        message: `Sequential IDs found without UUID usage (${realSerialIssues.length} table${realSerialIssues.length > 1 ? "s" : ""})`,
-        evidence: realSerialIssues.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (uuidMatches.length > 0) {
-      return {
-        result: "PASS",
-        message: "UUID primary keys detected in schema"
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No primary key definitions found in migrations"
-    };
-  }
-};
-
-// src/checks/adm-08.ts
-var ADM_08 = {
-  id: "ADM-08",
-  name: "No unprotected debug/admin routes",
-  module: "admin",
-  priority: "P0",
-  description: "Debug, internal, and admin routes must have auth guards. Hidden URLs are not security.",
-  async run(ctx) {
-    const suspiciousRoutes = [
-      /app\/admin\//,
-      /pages\/admin\//,
-      /app\/internal\//,
-      /app\/debug\//,
-      /api\/admin\//,
-      /api\/debug\//,
-      /api\/internal\//,
-      /api\/graphql/,
-      /api\/seed/,
-      /api\/reset/,
-      /api\/test/
-    ];
-    const foundRoutes = ctx.files.filter(
-      (f) => suspiciousRoutes.some((p) => p.test(f))
-    );
-    if (foundRoutes.length === 0) {
-      return {
-        result: "PASS",
-        message: "No admin/debug/internal routes detected"
-      };
-    }
-    const authPatterns = /requireAdmin|requireAuth|getUser|getSession|verifyToken|isAdmin|checkPermission|requireRole|auth\(\)|middleware/i;
-    const unprotected = [];
-    for (const file of foundRoutes) {
-      if (!file.endsWith(".ts") && !file.endsWith(".tsx") && !file.endsWith(".js") && !file.endsWith(".jsx")) continue;
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (!authPatterns.test(content)) {
-        unprotected.push(file);
-      }
-    }
-    if (unprotected.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} admin/debug route${unprotected.length > 1 ? "s" : ""} without auth check`,
-        evidence: unprotected.map((f) => `${f} \u2014 no auth guard detected`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${foundRoutes.length} admin/debug routes have auth checks`
-    };
-  }
-};
-
-// src/checks/adm-09.ts
-var ADM_09 = {
-  id: "ADM-09",
-  name: "Destructive ops require extra authorization",
-  module: "admin",
-  priority: "P2",
-  description: "Bulk delete, data wipe, billing override should require confirmation step or elevated permission.",
-  async run(ctx) {
-    const destructivePattern = /deleteAll|bulkDelete|wipeData|truncate|DROP\s+TABLE|removeAll|destroyAll|purge/i;
-    const confirmPattern = /confirm|double.*auth|re.?authenticate|verification.*step|two.*step/i;
-    const destructiveMatches = await ctx.grepFiles(destructivePattern);
-    const adminDestructive = destructiveMatches.filter((m) => /admin/i.test(m.file));
-    if (adminDestructive.length === 0) {
-      return { result: "N/A", message: "No bulk destructive admin operations detected" };
-    }
-    const confirmMatches = await ctx.grepFiles(confirmPattern);
-    if (confirmMatches.length > 0) {
-      return { result: "PASS", message: "Confirmation/extra auth detected for destructive operations" };
-    }
-    return {
-      result: "FAIL",
-      message: "Destructive admin operations without extra authorization",
-      evidence: adminDestructive.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/adm-10.ts
-var ADM_10 = {
-  id: "ADM-10",
-  name: "Admin code separated from user app",
-  module: "admin",
-  priority: "P2",
-  description: "Admin code in separate directories prevents user app bugs from affecting admin, and vice versa.",
-  async run(ctx) {
-    const adminDir = ctx.files.some((f) => /^app\/admin\/|^domains\/admin\/|^src\/admin\//i.test(f));
-    const adminScattered = ctx.files.filter((f) => /admin/i.test(f) && !/(app|domains|src)\/admin\//i.test(f));
-    if (adminDir) {
-      return { result: "PASS", message: "Admin code in dedicated directory (app/admin/ or domains/admin/)" };
-    }
-    if (adminScattered.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Admin code scattered across user-facing directories",
-        evidence: adminScattered.slice(0, 5).map((f) => f)
-      };
-    }
-    return { result: "N/A", message: "No admin code detected" };
-  }
-};
-
-// src/checks/adm-11.ts
-var ADM_11 = {
-  id: "ADM-11",
-  name: "No hardcoded admin credentials",
-  module: "admin",
-  priority: "P0",
-  description: "Hardcoded admin passwords, tokens, or emails in source code = anyone with repo access is admin",
-  async run(ctx) {
-    const patterns = [
-      /admin.*password\s*[:=]\s*["']/i,
-      /admin.*token\s*[:=]\s*["']/i,
-      /admin.*secret\s*[:=]\s*["']/i,
-      /password\s*[:=]\s*["'](?:admin|password|123456|secret)/i,
-      /DEFAULT_ADMIN_PASSWORD/i,
-      /ADMIN_PASSWORD\s*[:=]/i,
-      /seed.*admin.*password/i
-    ];
-    const allMatches = [];
-    for (const pattern of patterns) {
-      const matches = await ctx.grepFiles(pattern);
-      const codeMatches = matches.filter((m) => {
-        if (isEnvFile(m.file)) return false;
-        if (m.content.trimStart().startsWith("//")) return false;
-        if (m.content.trimStart().startsWith("#")) return false;
-        if (m.content.trimStart().startsWith("*")) return false;
-        if (m.file.includes("test") || m.file.includes("spec")) return false;
-        return true;
-      });
-      allMatches.push(...codeMatches);
-    }
-    const unique = [...new Map(allMatches.map((m) => [`${m.file}:${m.line}`, m])).values()];
-    if (unique.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Hardcoded admin credentials found (${unique.length} location${unique.length > 1 ? "s" : ""})`,
-        evidence: unique.map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 80).replace(/["'][^"']{8,}["']/g, '"[REDACTED]"')}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: "No hardcoded admin credentials found in source code"
-    };
-  }
-};
-
-// src/checks/adm-12.ts
-var ADM_12 = {
-  id: "ADM-12",
-  name: "Admin error handling",
-  module: "admin",
-  priority: "P2",
-  description: "Admin API errors must not leak stack traces, SQL queries, or internal schema details.",
-  async run(ctx) {
-    const adminFiles = ctx.files.filter((f) => /admin.*route|api.*admin/i.test(f));
-    if (adminFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No admin API routes found" };
-    }
-    const errorHandling = /try\s*\{|\.catch\s*\(|catch\s*\(/;
-    const leakPatterns = /stack|trace|SQL|query.*error|\.message/i;
-    let hasErrorHandling = false;
-    const leaks = [];
-    for (const file of adminFiles) {
-      let content;
-      try {
-        content = await ctx.readFile(file);
-      } catch {
-        continue;
-      }
-      if (errorHandling.test(content)) hasErrorHandling = true;
-      const lines = content.split("\n");
-      for (let i = 0; i < lines.length; i++) {
-        if (/error\.stack|error\.message|err\.stack|JSON\.stringify.*error/i.test(lines[i])) {
-          leaks.push({ file, line: i + 1, content: lines[i].trim() });
-        }
-      }
-    }
-    if (leaks.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Admin API may leak error details (stack traces, error messages)",
-        evidence: leaks.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    if (!hasErrorHandling) {
-      return {
-        result: "FAIL",
-        message: "No error handling in admin API routes",
-        evidence: adminFiles.slice(0, 3).map((f) => `${f} \u2014 no try/catch`)
-      };
-    }
-    return { result: "PASS", message: "Admin error handling present without obvious information leaks" };
-  }
-};
-
-// src/checks/adm-13.ts
-var ADM_13 = {
-  id: "ADM-13",
-  name: "MFA requirement for admin roles",
-  module: "admin",
-  priority: "P0",
-  description: "Admin auth must require MFA/AAL2. Compromised admin password without MFA = total takeover.",
-  async run(ctx) {
-    const mfaPatterns = /mfa|aal2|getAuthenticatorAssuranceLevel|totp|authenticator|multi.?factor|two.?factor/i;
-    const adminFiles = ctx.files.filter((f) => /admin/i.test(f));
-    if (adminFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No admin files found" };
-    }
-    const mfaInAdmin = await ctx.grepFiles(mfaPatterns, adminFiles);
-    const mfaGlobal = await ctx.grepFiles(mfaPatterns);
-    if (mfaInAdmin.length > 0) {
-      return {
-        result: "PASS",
-        message: "MFA/AAL2 enforcement detected in admin code"
-      };
-    }
-    if (mfaGlobal.length > 0) {
-      return {
-        result: "PASS",
-        message: "MFA implementation detected in codebase (verify it covers admin routes)"
-      };
-    }
-    return {
-      result: "FAIL",
-      message: "No MFA/AAL2 enforcement found for admin roles",
-      evidence: ["No references to mfa, aal2, totp, or authenticator in admin code"]
-    };
-  }
-};
-
-// src/checks/adm-14.ts
-var ADM_14 = {
-  id: "ADM-14",
-  name: "Rate limiting on admin endpoints",
-  module: "admin",
-  priority: "P1",
-  description: "Admin API endpoints without rate limiting are vulnerable to brute force and DoS attacks.",
-  async run(ctx) {
-    const adminFiles = ctx.files.filter((f) => /api.*admin|admin.*route/i.test(f));
-    if (adminFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No admin API endpoints found" };
-    }
-    const rateLimitPattern = /rateLimit|rate.limit|throttle|limiter|upstash|redis.*limit|too.many.requests|429/i;
-    const matches = await ctx.grepFiles(rateLimitPattern, adminFiles);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected on admin endpoints" };
-    }
-    const globalMatches = await ctx.grepFiles(rateLimitPattern);
-    if (globalMatches.length > 0) {
-      return { result: "PASS", message: "Rate limiting detected in codebase (verify it covers admin endpoints)" };
-    }
-    return {
-      result: "FAIL",
-      message: "No rate limiting found on admin endpoints",
-      evidence: ["Missing: rate limiting middleware on admin API routes"]
-    };
-  }
-};
-
-// src/checks/adm-16.ts
-var ADM_16 = {
-  id: "ADM-16",
-  name: "Separate admin session timeouts",
-  module: "admin",
-  priority: "P1",
-  description: "Admin sessions should have shorter timeouts than user sessions to limit session hijacking window.",
-  async run(ctx) {
-    const sessionDiffPattern = /admin.*timeout|admin.*expir|admin.*maxAge|admin.*session.*duration|session.*admin.*short/i;
-    const matches = await ctx.grepFiles(sessionDiffPattern);
-    if (matches.length > 0) {
-      return { result: "PASS", message: "Differentiated admin session timeout detected" };
-    }
-    const adminRef = await ctx.grepFiles(/admin/i);
-    if (adminRef.length === 0) {
-      return { result: "UNKNOWN", message: "No admin functionality detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "No separate admin session timeout \u2014 admin sessions use same duration as user sessions",
-      evidence: ["Missing: shorter session timeout for admin roles"]
-    };
-  }
-};
-
-// src/checks/adm-18.ts
-var ADM_18 = {
-  id: "ADM-18",
-  name: "Admin action notification/alerting",
-  module: "admin",
-  priority: "P2",
-  description: "Critical admin actions should trigger notifications (Slack, email) so compromised admin accounts are detected quickly.",
-  async run(ctx) {
-    const notifyPattern = /slack.*webhook|sendSlack|sendEmail.*admin|notify.*admin|alert.*admin|admin.*notify|admin.*alert|webhook.*notify/i;
-    const adminFiles = ctx.files.filter((f) => /admin/i.test(f));
-    if (adminFiles.length === 0) {
-      return { result: "UNKNOWN", message: "No admin functionality detected" };
-    }
-    const matches = await ctx.grepFiles(notifyPattern, adminFiles);
-    const globalMatches = await ctx.grepFiles(notifyPattern);
-    if (matches.length > 0 || globalMatches.length > 0) {
-      return { result: "PASS", message: "Admin action notifications/alerting detected" };
-    }
-    return {
-      result: "FAIL",
-      message: "No notification/alerting for admin actions \u2014 compromised admin goes undetected",
-      evidence: ["Missing: Slack webhook, email alert, or notification for critical admin actions"]
-    };
-  }
-};
-
-// src/checks/adm-19.ts
-var ADM_19 = {
-  id: "ADM-19",
-  name: "CSRF protection for admin mutations",
-  module: "admin",
-  priority: "P1",
-  description: "Admin mutation endpoints need CSRF protection. If victim is admin, CSRF compromises entire app.",
-  async run(ctx) {
-    const adminRoutes = ctx.files.filter((f) => /admin.*route\.(ts|js)$|api.*admin/i.test(f));
-    if (adminRoutes.length === 0) {
-      return { result: "UNKNOWN", message: "No admin route handlers found" };
-    }
-    const csrfPattern = /csrf|csurf|csrfToken|SameSite|x-csrf|anti.?forgery/i;
-    const csrfMatches = await ctx.grepFiles(csrfPattern);
-    if (csrfMatches.length > 0) {
-      return { result: "PASS", message: "CSRF protection detected" };
-    }
-    const serverActions = await ctx.grepFiles(/["']use server["']/i);
-    if (serverActions.length > 0) {
-      return { result: "PASS", message: "Server Actions used (built-in CSRF protection in Next.js 14+)" };
-    }
-    return {
-      result: "FAIL",
-      message: "No CSRF protection on admin mutation routes",
-      evidence: adminRoutes.slice(0, 3).map((f) => `${f} \u2014 no CSRF token or SameSite cookie`)
-    };
-  }
-};
-
-// src/checks/adm-20.ts
-var ADM_20 = {
-  id: "ADM-20",
-  name: "Data export controls",
-  module: "admin",
-  priority: "P1",
-  description: "Admin bulk export/download must have authorization and logging. Compromised admin can exfiltrate all user data.",
-  async run(ctx) {
-    const exportPattern = /export.*csv|downloadCSV|bulk.*fetch|dump.*data|export.*users|export.*data/i;
-    const matches = await ctx.grepFiles(exportPattern);
-    if (matches.length === 0) {
-      return { result: "N/A", message: "No bulk data export functionality detected" };
-    }
-    const authPattern = /requireAdmin|requireAuth|getUser|checkPermission/i;
-    const logPattern = /audit|log.*export|log.*download/i;
-    const exportFiles = [...new Set(matches.map((m) => m.file))];
-    const authMatches = await ctx.grepFiles(authPattern, exportFiles);
-    const logMatches = await ctx.grepFiles(logPattern, exportFiles);
-    if (authMatches.length > 0 && logMatches.length > 0) {
-      return { result: "PASS", message: "Data export has auth and logging" };
-    }
-    if (authMatches.length > 0) {
-      return { result: "PASS", message: "Data export has auth (consider adding export logging)" };
-    }
-    return {
-      result: "FAIL",
-      message: "Data export without auth/logging \u2014 PII exfiltration risk",
-      evidence: matches.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-    };
-  }
-};
-
-// src/checks/adm-21.ts
-var ADM_21 = {
-  id: "ADM-21",
-  name: "Admin provisioning control",
-  module: "admin",
-  priority: "P1",
-  description: "Admin role must not be self-assignable. AI tools often generate 'isFirstUser \u2192 admin' or open role selection on signup.",
-  async run(ctx) {
-    const selfAssignPatterns = /role\s*=\s*['"]admin['"]|isFirstUser|first.*user.*admin|role.*select|self.*assign.*admin/i;
-    const signupFiles = ctx.files.filter((f) => /signup|register|onboard/i.test(f));
-    const allMatches = await ctx.grepFiles(selfAssignPatterns);
-    const signupMatches = signupFiles.length > 0 ? await ctx.grepFiles(selfAssignPatterns, signupFiles) : [];
-    const dangerous = [...signupMatches, ...allMatches.filter((m) => /signup|register|onboard/i.test(m.file))];
-    const unique = [...new Map(dangerous.map((m) => [`${m.file}:${m.line}`, m])).values()];
-    if (unique.length > 0) {
-      return {
-        result: "FAIL",
-        message: "Self-assign admin pattern detected in signup/onboarding flow",
-        evidence: unique.slice(0, 3).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 120)}`)
-      };
-    }
-    return { result: "PASS", message: "No self-assign admin pattern detected in signup flow" };
-  }
-};
-
-// src/checks/drift-auth-01.ts
-var AUTH_DIRS = ["/auth/", "middleware.ts", "middleware.js", "/domains/auth/"];
-var AUTH_PATTERNS = /\b(getUser|createServerClient|supabase\.auth|currentUser|clerkMiddleware|useUser|getServerSession|useSession|authOptions|getSession)\b/;
-function isAuthDir(file) {
-  return AUTH_DIRS.some((d) => file.includes(d));
-}
-function isIgnored(file) {
-  return file.includes("node_modules") || file.includes(".next/") || file.includes("test") || file.includes("spec") || file.includes(".d.ts") || file.includes("types.ts") || file.includes("types.js");
-}
-var DRIFT_AUTH_01 = {
-  id: "DRIFT-AUTH-01",
-  name: "Auth logic spreading outside auth directory",
-  module: "auth",
-  priority: "P1",
-  category: "drift",
-  description: "Auth patterns (getUser, createServerClient, etc.) found outside auth directories indicate module boundary drift.",
-  async run(ctx) {
-    const matches = await ctx.grepFiles(AUTH_PATTERNS);
-    const outsideAuth = matches.filter((m) => {
-      if (isIgnored(m.file)) return false;
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (isAuthDir(m.file)) return false;
-      return true;
-    });
-    if (outsideAuth.length > 3) {
-      return {
-        result: "FAIL",
-        message: `Auth logic found in ${outsideAuth.length} locations outside auth directories \u2014 module boundary is leaking`,
-        evidence: outsideAuth.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    if (outsideAuth.length > 0) {
-      return {
-        result: "PASS",
-        message: `Minor auth references outside auth dir (${outsideAuth.length}) \u2014 within acceptable range`
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Auth logic is contained within auth directories"
-    };
-  }
-};
-
-// src/checks/drift-auth-02.ts
-var MIDDLEWARE_AUTH_PATTERN = /\b(getUser|createServerClient|supabase\.auth|currentUser|clerkMiddleware|auth\(\)|getServerSession|NextAuth)\b/;
-var DRIFT_AUTH_02 = {
-  id: "DRIFT-AUTH-02",
-  name: "Duplicate auth middleware files",
-  module: "auth",
-  priority: "P1",
-  category: "drift",
-  description: "Multiple middleware files with auth logic indicate fragmented auth \u2014 a common AI generation pattern.",
-  async run(ctx) {
-    const middlewareFiles = ctx.files.filter(
-      (f) => (f.includes("middleware.ts") || f.includes("middleware.js")) && !f.includes("node_modules") && !f.includes(".next/")
-    );
-    const authMiddleware = [];
-    for (const file of middlewareFiles) {
-      try {
-        const content = await ctx.readFile(file);
-        if (MIDDLEWARE_AUTH_PATTERN.test(content)) {
-          authMiddleware.push(file);
-        }
-      } catch {
-        continue;
-      }
-    }
-    if (authMiddleware.length > 1) {
-      return {
-        result: "FAIL",
-        message: `${authMiddleware.length} middleware files contain auth logic \u2014 auth should have a single entry point`,
-        evidence: authMiddleware.map((f) => f)
-      };
-    }
-    if (authMiddleware.length === 1) {
-      return {
-        result: "PASS",
-        message: `Single auth middleware found: ${authMiddleware[0]}`
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No middleware with auth logic found"
-    };
-  }
-};
-
-// src/checks/drift-auth-03.ts
-var AUTH_CHECK_PATTERN = /\b(getUser|createServerClient|supabase\.auth|currentUser|auth\(\)|getServerSession|requireAuth|withAuth|isAuthenticated)\b/;
-var DRIFT_AUTH_03 = {
-  id: "DRIFT-AUTH-03",
-  name: "New API routes without auth checks",
-  module: "auth",
-  priority: "P0",
-  category: "drift",
-  description: "API route handlers without auth verification \u2014 any visitor can call unprotected endpoints.",
-  async run(ctx) {
-    const apiRoutes = ctx.files.filter(
-      (f) => f.includes("/api/") && (f.endsWith("route.ts") || f.endsWith("route.js")) && !f.includes("node_modules") && !f.includes(".next/") && !f.includes("/api/auth/") && !f.includes("/api/webhook") && !f.includes("/api/health") && !f.includes("/api/public")
-    );
-    if (apiRoutes.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No API route files found"
-      };
-    }
-    const unprotected = [];
-    for (const file of apiRoutes) {
-      try {
-        const content = await ctx.readFile(file);
-        if (!AUTH_CHECK_PATTERN.test(content)) {
-          unprotected.push(file);
-        }
-      } catch {
-        continue;
-      }
-    }
-    if (unprotected.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unprotected.length} of ${apiRoutes.length} API routes have no auth verification`,
-        evidence: unprotected.slice(0, 5).map((f) => f)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${apiRoutes.length} API routes have auth checks`
-    };
-  }
-};
-
-// src/checks/drift-auth-04.ts
-var CLIENT_ROLE_PATTERN = /\b(isAdmin|role\s*===?\s*['"`]admin['"`]|user\.role|userRole|hasRole)\b/;
-var SERVER_ROLE_PATTERN = /\b(getUser|createServerClient|supabase\.auth|currentUser|getServerSession|requireAdmin|checkAdmin)\b/;
-var DRIFT_AUTH_04 = {
-  id: "DRIFT-AUTH-04",
-  name: "Client-side auth bypass \u2014 role check without server verification",
-  module: "auth",
-  priority: "P1",
-  category: "drift",
-  description: "Role checks in JSX/client code without server-side verification \u2014 UI-only gates can be bypassed.",
-  async run(ctx) {
-    const clientRoleMatches = await ctx.grepFiles(CLIENT_ROLE_PATTERN);
-    const clientOnly = clientRoleMatches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.file.includes("node_modules")) return false;
-      if (m.file.includes(".next/")) return false;
-      return isClientFile(m.file);
-    });
-    if (clientOnly.length === 0) {
-      return {
-        result: "PASS",
-        message: "No client-side role checks found"
-      };
-    }
-    const serverRoleMatches = await ctx.grepFiles(SERVER_ROLE_PATTERN, ["**/api/**", "**/server/**", "**/actions.*"]);
-    const hasServerVerification = serverRoleMatches.some((m) => !m.file.includes("node_modules"));
-    if (clientOnly.length > 0 && !hasServerVerification) {
-      return {
-        result: "FAIL",
-        message: `${clientOnly.length} client-side role checks found but no server-side role verification \u2014 admin UI can be bypassed`,
-        evidence: clientOnly.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `Client-side role checks (${clientOnly.length}) backed by server-side verification`
-    };
-  }
-};
-
-// src/checks/drift-auth-05.ts
-var LOCALSTORAGE_AUTH_PATTERN = /localStorage\.(getItem|setItem|removeItem)\s*\(\s*['"`](token|jwt|session|auth|access_token|refresh_token|user)/;
-var DRIFT_AUTH_05 = {
-  id: "DRIFT-AUTH-05",
-  name: "Auth tokens stored in localStorage",
-  module: "auth",
-  priority: "P1",
-  category: "drift",
-  description: "localStorage for auth tokens is vulnerable to XSS \u2014 use httpOnly cookies or secure session management.",
-  async run(ctx) {
-    const matches = await ctx.grepFiles(LOCALSTORAGE_AUTH_PATTERN);
-    const relevant = matches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.file.includes("node_modules")) return false;
-      if (m.file.includes(".next/")) return false;
-      return true;
-    });
-    if (relevant.length > 0) {
-      return {
-        result: "FAIL",
-        message: `Auth tokens stored in localStorage (${relevant.length} location${relevant.length > 1 ? "s" : ""}) \u2014 vulnerable to XSS`,
-        evidence: relevant.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: "No localStorage auth token usage found"
-    };
-  }
-};
-
-// src/checks/drift-bil-01.ts
-var BILLING_DIRS = ["/billing/", "/stripe/", "/webhook/", "/payment/", "/subscription/", "/domains/billing/"];
-var BILLING_PATTERNS = /\b(stripe|Stripe|createCheckout|price_id|priceId|subscription_id|subscriptionId|checkout\.sessions|customer\.subscriptions)\b/;
-function isBillingDir(file) {
-  return BILLING_DIRS.some((d) => file.includes(d));
-}
-function isIgnored2(file) {
-  return file.includes("node_modules") || file.includes(".next/") || file.includes("test") || file.includes("spec") || file.includes(".d.ts") || file.includes("types.ts") || file.includes("types.js") || file.includes("package.json") || file.includes("package-lock") || file.includes("pnpm-lock") || file.includes(".env");
-}
-var DRIFT_BIL_01 = {
-  id: "DRIFT-BIL-01",
-  name: "Billing logic spreading outside billing directory",
-  module: "billing",
-  priority: "P1",
-  category: "drift",
-  description: "Stripe/payment imports outside billing directories indicate module boundary drift.",
-  async run(ctx) {
-    const matches = await ctx.grepFiles(BILLING_PATTERNS);
-    const outsideBilling = matches.filter((m) => {
-      if (isIgnored2(m.file)) return false;
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (m.content.trimStart().startsWith("#")) return false;
-      if (isBillingDir(m.file)) return false;
-      return true;
-    });
-    if (outsideBilling.length > 3) {
-      return {
-        result: "FAIL",
-        message: `Billing/Stripe logic found in ${outsideBilling.length} locations outside billing directories \u2014 module boundary is leaking`,
-        evidence: outsideBilling.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    if (outsideBilling.length > 0) {
-      return {
-        result: "PASS",
-        message: `Minor billing references outside billing dir (${outsideBilling.length}) \u2014 within acceptable range`
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Billing logic is contained within billing directories"
-    };
-  }
-};
-
-// src/checks/drift-bil-02.ts
-var WEBHOOK_ROUTE_PATTERN = /\b(webhook|stripe.*event|event\.type|constructEvent)\b/i;
-var DRIFT_BIL_02 = {
-  id: "DRIFT-BIL-02",
-  name: "Duplicate webhook handler endpoints",
-  module: "billing",
-  priority: "P0",
-  category: "drift",
-  description: "Multiple webhook endpoints create race conditions and duplicate event processing.",
-  async run(ctx) {
-    const webhookFiles = ctx.files.filter(
-      (f) => !f.includes("node_modules") && !f.includes(".next/") && !f.includes("test") && (f.includes("webhook") || f.includes("stripe")) && (f.endsWith(".ts") || f.endsWith(".js") || f.endsWith(".py"))
-    );
-    const confirmedWebhookHandlers = [];
-    for (const file of webhookFiles) {
-      try {
-        const content = await ctx.readFile(file);
-        if (WEBHOOK_ROUTE_PATTERN.test(content)) {
-          confirmedWebhookHandlers.push(file);
-        }
-      } catch {
-        continue;
-      }
-    }
-    if (confirmedWebhookHandlers.length > 1) {
-      return {
-        result: "FAIL",
-        message: `${confirmedWebhookHandlers.length} webhook handler files found \u2014 should be exactly 1`,
-        evidence: confirmedWebhookHandlers
-      };
-    }
-    if (confirmedWebhookHandlers.length === 1) {
-      return {
-        result: "PASS",
-        message: `Single webhook handler: ${confirmedWebhookHandlers[0]}`
-      };
-    }
-    return {
-      result: "UNKNOWN",
-      message: "No webhook handler files found \u2014 Stripe webhooks may not be configured"
-    };
-  }
-};
-
-// src/checks/drift-bil-03.ts
-var CLIENT_SUB_PATTERN = /\b(subscription|plan|isPro|isFreeTier|isPaid|currentPlan|userPlan|hasSubscription)\b/;
-var DRIFT_BIL_03 = {
-  id: "DRIFT-BIL-03",
-  name: "Client-side subscription check without server verification",
-  module: "billing",
-  priority: "P1",
-  category: "drift",
-  description: "Plan/subscription checks in client code without server-side verification \u2014 users can bypass paywalls.",
-  async run(ctx) {
-    const clientMatches = await ctx.grepFiles(CLIENT_SUB_PATTERN);
-    const clientSubs = clientMatches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.file.includes("node_modules")) return false;
-      if (m.file.includes(".next/")) return false;
-      if (m.file.includes("test")) return false;
-      if (m.file.includes("types")) return false;
-      return isClientFile(m.file) && !m.file.includes("/api/");
-    });
-    if (clientSubs.length === 0) {
-      return {
-        result: "PASS",
-        message: "No client-side subscription checks found"
-      };
-    }
-    const serverSubMatches = await ctx.grepFiles(
-      /\b(subscription|check.*plan|check.*limit|entitlement|getSubscription)\b/i,
-      ["**/api/**", "**/server/**", "**/actions.*", "**/billing/**"]
-    );
-    const hasServerCheck = serverSubMatches.some((m) => !m.file.includes("node_modules"));
-    if (clientSubs.length > 0 && !hasServerCheck) {
-      return {
-        result: "FAIL",
-        message: `${clientSubs.length} client-side subscription checks but no server-side plan verification \u2014 paywall can be bypassed`,
-        evidence: clientSubs.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `Client-side subscription checks (${clientSubs.length}) backed by server-side verification`
-    };
-  }
-};
-
-// src/checks/drift-bil-04.ts
-var HARDCODED_PRICE_PATTERN = /(?:price|amount|cost|fee)\s*[:=]\s*(\d{2,}(?:\.\d{2})?|['"`]\$?\d+)/i;
-var HARDCODED_CENTS_PATTERN = /(?:amount|price|unit_amount)\s*[:=]\s*\d{3,}/;
-var DRIFT_BIL_04 = {
-  id: "DRIFT-BIL-04",
-  name: "Hardcoded prices instead of plan configuration",
-  module: "billing",
-  priority: "P2",
-  category: "drift",
-  description: "Hardcoded dollar amounts or price values should come from plan configuration or Stripe metadata.",
-  async run(ctx) {
-    const priceMatches = await ctx.grepFiles(HARDCODED_PRICE_PATTERN);
-    const centsMatches = await ctx.grepFiles(HARDCODED_CENTS_PATTERN);
-    const allMatches = [...priceMatches, ...centsMatches];
-    const relevant = allMatches.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (m.file.includes("node_modules")) return false;
-      if (m.file.includes(".next/")) return false;
-      if (m.file.includes("test")) return false;
-      if (m.file.includes("package.json")) return false;
-      if (m.file.includes(".lock")) return false;
-      if (m.file.includes(".css")) return false;
-      if (m.file.includes("migration")) return false;
-      return true;
-    });
-    if (relevant.length > 3) {
-      return {
-        result: "FAIL",
-        message: `${relevant.length} hardcoded price/amount values found \u2014 prices should come from plan config or Stripe`,
-        evidence: relevant.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    if (relevant.length > 0) {
-      return {
-        result: "PASS",
-        message: `Minor hardcoded amounts found (${relevant.length}) \u2014 review recommended`
-      };
-    }
-    return {
-      result: "PASS",
-      message: "No hardcoded price values detected"
-    };
-  }
-};
-
-// src/checks/drift-bil-05.ts
-var FEATURE_GATE_PATTERN = /\b(canAccess|hasFeature|featureEnabled|isEnabled|featureFlag|canUse)\b/;
-var BILLING_CHECK_PATTERN = /\b(checkLimit|checkSubscription|checkPlan|entitlement|billingGuard|requirePlan|checkQuota)\b/;
-var DRIFT_BIL_05 = {
-  id: "DRIFT-BIL-05",
-  name: "Feature access without billing verification",
-  module: "billing",
-  priority: "P2",
-  category: "drift",
-  description: "New features with access gates but no billing/entitlement check \u2014 free users can access paid features.",
-  async run(ctx) {
-    const featureGates = await ctx.grepFiles(FEATURE_GATE_PATTERN);
-    const relevant = featureGates.filter((m) => {
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.file.includes("node_modules")) return false;
-      if (m.file.includes(".next/")) return false;
-      if (m.file.includes("test")) return false;
-      return true;
-    });
-    if (relevant.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No feature gate patterns found \u2014 may not use feature flags"
-      };
-    }
-    const billingChecks = await ctx.grepFiles(BILLING_CHECK_PATTERN);
-    const hasBillingVerification = billingChecks.some(
-      (m) => !m.file.includes("node_modules") && !m.file.includes(".next/")
-    );
-    if (relevant.length > 0 && !hasBillingVerification) {
-      return {
-        result: "FAIL",
-        message: `${relevant.length} feature gate(s) found but no billing/entitlement verification \u2014 paid features may be accessible for free`,
-        evidence: relevant.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `Feature gates (${relevant.length}) backed by billing verification`
-    };
-  }
-};
-
-// src/checks/drift-adm-01.ts
-var ADMIN_DIRS = ["/admin/", "/domains/admin/"];
-var ADMIN_PATTERNS = /\b(isAdmin|requireAdmin|checkAdmin|adminGuard|role\s*===?\s*['"`]admin['"`]|user_role|superAdmin|isSuperAdmin)\b/;
-function isAdminDir(file) {
-  return ADMIN_DIRS.some((d) => file.includes(d));
-}
-function isIgnored3(file) {
-  return file.includes("node_modules") || file.includes(".next/") || file.includes("test") || file.includes("spec") || file.includes(".d.ts") || file.includes("types.ts") || file.includes("types.js") || file.includes("migration") || file.includes(".sql");
-}
-var DRIFT_ADM_01 = {
-  id: "DRIFT-ADM-01",
-  name: "Admin logic spreading outside admin directory",
-  module: "admin",
-  priority: "P1",
-  category: "drift",
-  description: "Admin permission patterns found outside admin directories indicate module boundary drift.",
-  async run(ctx) {
-    const matches = await ctx.grepFiles(ADMIN_PATTERNS);
-    const outsideAdmin = matches.filter((m) => {
-      if (isIgnored3(m.file)) return false;
-      if (m.content.trimStart().startsWith("//")) return false;
-      if (m.content.trimStart().startsWith("*")) return false;
-      if (isAdminDir(m.file)) return false;
-      return true;
-    });
-    if (outsideAdmin.length > 3) {
-      return {
-        result: "FAIL",
-        message: `Admin logic found in ${outsideAdmin.length} locations outside admin directories \u2014 module boundary is leaking`,
-        evidence: outsideAdmin.slice(0, 5).map((m) => `${m.file}:${m.line} \u2192 ${m.content.substring(0, 100)}`)
-      };
-    }
-    if (outsideAdmin.length > 0) {
-      return {
-        result: "PASS",
-        message: `Minor admin references outside admin dir (${outsideAdmin.length}) \u2014 within acceptable range`
-      };
-    }
-    return {
-      result: "PASS",
-      message: "Admin logic is contained within admin directories"
-    };
-  }
-};
-
-// src/checks/drift-adm-02.ts
-var ADMIN_GUARD_PATTERN = /\b(requireAdmin|checkAdmin|adminGuard|isAdmin|role\s*===?\s*['"`]admin['"`]|isSuperAdmin)\b/;
-var DRIFT_ADM_02 = {
-  id: "DRIFT-ADM-02",
-  name: "New admin routes without permission guards",
-  module: "admin",
-  priority: "P0",
-  category: "drift",
-  description: "Admin route handlers without permission checks \u2014 any authenticated user can access admin features.",
-  async run(ctx) {
-    const adminRoutes = ctx.files.filter(
-      (f) => f.includes("/admin/") && !f.includes("node_modules") && !f.includes(".next/") && !f.includes("test") && (f.endsWith("route.ts") || f.endsWith("route.js") || f.endsWith("page.tsx") || f.endsWith("page.jsx") || f.endsWith("page.ts"))
-    );
-    if (adminRoutes.length === 0) {
-      return {
-        result: "UNKNOWN",
-        message: "No admin route files found"
-      };
-    }
-    const unguarded = [];
-    for (const file of adminRoutes) {
-      try {
-        const content = await ctx.readFile(file);
-        if (!ADMIN_GUARD_PATTERN.test(content)) {
-          unguarded.push(file);
-        }
-      } catch {
-        continue;
-      }
-    }
-    if (unguarded.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unguarded.length} of ${adminRoutes.length} admin routes have no permission guard`,
-        evidence: unguarded.slice(0, 5).map((f) => f)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${adminRoutes.length} admin routes have permission guards`
-    };
-  }
-};
-
-// src/checks/drift-adm-03.ts
-var AUDIT_LOG_PATTERN = /\b(logAuditEvent|auditLog|audit_log|createAuditEntry|logAdminAction|insertAuditLog)\b/;
-var ADMIN_MUTATION_PATTERN = /\b(DELETE|PUT|PATCH|POST)\b/;
-var DRIFT_ADM_03 = {
-  id: "DRIFT-ADM-03",
-  name: "Admin mutations without audit logging",
-  module: "admin",
-  priority: "P1",
-  category: "drift",
-  description: "Admin mutation endpoints (POST/PUT/DELETE) without audit log calls \u2014 no trail of admin actions.",
-  async run(ctx) {
-    const adminApiRoutes = ctx.files.filter(
-      (f) => f.includes("/admin/") && f.includes("/api/") && !f.includes("node_modules") && !f.includes(".next/") && !f.includes("test") && (f.endsWith("route.ts") || f.endsWith("route.js"))
-    );
-    if (adminApiRoutes.length === 0) {
-      const adminActions = ctx.files.filter(
-        (f) => f.includes("/admin/") && !f.includes("node_modules") && !f.includes(".next/") && (f.includes("action") || f.includes("service") || f.includes("handler")) && (f.endsWith(".ts") || f.endsWith(".js") || f.endsWith(".py"))
-      );
-      if (adminActions.length === 0) {
-        return {
-          result: "UNKNOWN",
-          message: "No admin API routes or action files found"
-        };
-      }
-      const unlogged2 = [];
-      for (const file of adminActions) {
-        try {
-          const content = await ctx.readFile(file);
-          if (ADMIN_MUTATION_PATTERN.test(content) && !AUDIT_LOG_PATTERN.test(content)) {
-            unlogged2.push(file);
-          }
-        } catch {
-          continue;
-        }
-      }
-      if (unlogged2.length > 0) {
-        return {
-          result: "FAIL",
-          message: `${unlogged2.length} admin action file(s) with mutations but no audit logging`,
-          evidence: unlogged2.slice(0, 5)
-        };
-      }
-      return {
-        result: "PASS",
-        message: `Admin action files have audit logging`
-      };
-    }
-    const unlogged = [];
-    for (const file of adminApiRoutes) {
-      try {
-        const content = await ctx.readFile(file);
-        if (ADMIN_MUTATION_PATTERN.test(content) && !AUDIT_LOG_PATTERN.test(content)) {
-          unlogged.push(file);
-        }
-      } catch {
-        continue;
-      }
-    }
-    if (unlogged.length > 0) {
-      return {
-        result: "FAIL",
-        message: `${unlogged.length} of ${adminApiRoutes.length} admin API routes have mutations without audit logging`,
-        evidence: unlogged.slice(0, 5)
-      };
-    }
-    return {
-      result: "PASS",
-      message: `All ${adminApiRoutes.length} admin API routes have audit logging`
-    };
-  }
-};
-
-// src/checks/registry.ts
-var ALL_CHECKS = [
-  // Auth checks (28)
-  AUTH_01,
-  AUTH_02,
-  AUTH_03,
-  AUTH_04,
-  AUTH_05,
-  AUTH_06,
-  AUTH_07,
-  AUTH_08,
-  AUTH_09,
-  AUTH_10,
-  AUTH_11,
-  AUTH_12,
-  AUTH_13,
-  AUTH_14,
-  AUTH_15,
-  AUTH_16,
-  AUTH_17,
-  AUTH_18,
-  AUTH_19,
-  AUTH_20,
-  AUTH_21,
-  AUTH_22,
-  AUTH_23,
-  AUTH_24,
-  AUTH_25,
-  AUTH_26,
-  AUTH_27,
-  AUTH_28,
-  // Billing checks (24)
-  BIL_01,
-  BIL_02,
-  BIL_03,
-  BIL_04,
-  BIL_05,
-  BIL_06,
-  BIL_07,
-  BIL_08,
-  BIL_09,
-  BIL_10,
-  BIL_11,
-  BIL_12,
-  BIL_13,
-  BIL_14,
-  BIL_15,
-  BIL_16,
-  BIL_17,
-  BIL_18,
-  BIL_19,
-  BIL_20,
-  BIL_21,
-  BIL_22,
-  BIL_23,
-  BIL_24,
-  // Admin checks (19 unique + 2 aliases = 21 total)
-  ADM_01,
-  ADM_02,
-  ADM_03,
-  ADM_04,
-  ADM_05,
-  ADM_06,
-  ADM_07,
-  ADM_08,
-  ADM_09,
-  ADM_10,
-  ADM_11,
-  ADM_12,
-  ADM_13,
-  ADM_14,
-  ADM_16,
-  ADM_18,
-  ADM_19,
-  ADM_20,
-  ADM_21,
-  // Drift checks (13) — module boundary detection
-  DRIFT_AUTH_01,
-  DRIFT_AUTH_02,
-  DRIFT_AUTH_03,
-  DRIFT_AUTH_04,
-  DRIFT_AUTH_05,
-  DRIFT_BIL_01,
-  DRIFT_BIL_02,
-  DRIFT_BIL_03,
-  DRIFT_BIL_04,
-  DRIFT_BIL_05,
-  DRIFT_ADM_01,
-  DRIFT_ADM_02,
-  DRIFT_ADM_03
-];
-
-// src/lib/files.ts
-import fs from "fs/promises";
-import path from "path";
-var IGNORE_DIRS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  ".next",
-  "dist",
-  "build",
-  ".vercel",
-  ".turbo",
-  "coverage",
-  ".nyc_output",
-  "__pycache__",
-  ".svelte-kit"
-]);
-var CODE_EXTENSIONS = /* @__PURE__ */ new Set([
-  ".ts",
-  ".tsx",
-  ".js",
-  ".jsx",
-  ".mjs",
-  ".cjs",
-  ".sql",
-  ".env",
-  ".env.local",
-  ".env.example"
-]);
-async function listFiles(rootDir) {
-  const results = [];
-  await walk(rootDir, rootDir, results);
-  return results;
-}
-async function walk(dir, rootDir, results) {
-  let entries;
-  try {
-    entries = await fs.readdir(dir, { withFileTypes: true });
-  } catch {
-    return;
-  }
-  for (const entry of entries) {
-    if (entry.name.startsWith(".") && entry.name !== ".env" && entry.name !== ".env.local" && entry.name !== ".env.example") {
-      if (entry.isDirectory()) continue;
-    }
-    if (entry.isDirectory()) {
-      if (IGNORE_DIRS.has(entry.name)) continue;
-      await walk(path.join(dir, entry.name), rootDir, results);
-    } else {
-      const ext = path.extname(entry.name);
-      const basename = entry.name;
-      if (CODE_EXTENSIONS.has(ext) || CODE_EXTENSIONS.has(basename)) {
-        results.push(path.relative(rootDir, path.join(dir, entry.name)));
-      }
-    }
-  }
-}
-async function readFile(rootDir, filePath) {
-  const fullPath = path.resolve(rootDir, filePath);
-  return fs.readFile(fullPath, "utf-8");
-}
-
-// src/scanner.ts
-async function runScan(targetDir) {
-  const rootDir = path2.resolve(targetDir);
-  const files = await listFiles(rootDir);
-  const ctx = {
-    rootDir,
-    files,
-    readFile: (filePath) => readFile(rootDir, filePath),
-    grepFiles: (pattern, globs) => grepFiles({ rootDir, files, readFile: (f) => readFile(rootDir, f) }, pattern, globs)
-  };
-  const results = [];
-  for (const check of ALL_CHECKS) {
-    try {
-      const output = await check.run(ctx);
-      results.push({
-        id: check.id,
-        name: check.name,
-        module: check.module,
-        priority: check.priority,
-        category: check.category,
-        result: output.result,
-        message: output.message,
-        evidence: output.evidence
-      });
-    } catch (err) {
-      results.push({
-        id: check.id,
-        name: check.name,
-        module: check.module,
-        priority: check.priority,
-        category: check.category,
-        result: "UNKNOWN",
-        message: `Check failed with error: ${err instanceof Error ? err.message : String(err)}`
-      });
-    }
-  }
-  const projectName = path2.basename(rootDir);
-  const safetyResults = results.filter((r) => r.category !== "drift");
-  const driftResults = results.filter((r) => r.category === "drift");
-  return {
-    project: projectName,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    checks: results,
-    summary: {
-      billing: computeModuleScore(safetyResults, "billing"),
-      auth: computeModuleScore(safetyResults, "auth"),
-      admin: computeModuleScore(safetyResults, "admin")
-    },
-    drift: {
-      billing: computeModuleScore(driftResults, "billing"),
-      auth: computeModuleScore(driftResults, "auth"),
-      admin: computeModuleScore(driftResults, "admin")
-    }
-  };
-}
-function computeModuleScore(results, module) {
-  const moduleChecks = results.filter((r) => r.module === module);
-  const applicable = moduleChecks.filter((r) => r.result !== "N/A");
-  const passed = applicable.filter((r) => r.result === "PASS").length;
-  const failed = applicable.filter((r) => r.result === "FAIL").length;
-  const total = applicable.length;
-  const score = total > 0 ? Math.round(passed / total * 10) : 0;
-  return { passed, failed, total, score };
-}
-
-// src/lib/output.ts
-var RESET = "\x1B[0m";
-var BOLD = "\x1B[1m";
-var DIM = "\x1B[2m";
-var RED = "\x1B[31m";
-var GREEN = "\x1B[32m";
-var YELLOW = "\x1B[33m";
-var CYAN = "\x1B[36m";
-var WHITE = "\x1B[37m";
-var BG_RED = "\x1B[41m";
-var BG_YELLOW = "\x1B[43m";
-function resultIcon(result) {
-  switch (result) {
-    case "PASS":
-      return `${GREEN}\u2713${RESET}`;
-    case "FAIL":
-      return `${RED}\u2717${RESET}`;
-    case "UNKNOWN":
-      return `${YELLOW}?${RESET}`;
-    case "N/A":
-      return `${DIM}\u2014${RESET}`;
-    default:
-      return " ";
-  }
-}
-function priorityTag(priority) {
-  switch (priority) {
-    case "P0":
-      return `${BG_RED}${WHITE}${BOLD} P0 ${RESET}`;
-    case "P1":
-      return `${BG_YELLOW}${WHITE}${BOLD} P1 ${RESET}`;
-    case "P2":
-      return `${DIM} P2 ${RESET}`;
-    default:
-      return ` ${priority} `;
-  }
-}
-function scoreBar(score) {
-  const filled = score.score;
-  const empty = 10 - filled;
-  const color = filled >= 7 ? GREEN : filled >= 4 ? YELLOW : RED;
-  return `${color}${"\u2588".repeat(filled)}${DIM}${"\u2591".repeat(empty)}${RESET}  ${filled}/10`;
-}
-function scoreLabel(score) {
-  if (score >= 8) return `${GREEN}GOOD${RESET}`;
-  if (score >= 5) return `${YELLOW}HIGH${RESET}`;
-  return `${RED}CRITICAL${RESET}`;
-}
-function printReport(report) {
-  const w = process.stdout.write.bind(process.stdout);
-  const log = (s) => w(s + "\n");
-  log("");
-  log(`${BOLD}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557${RESET}`);
-  log(`${BOLD}\u2551        VIBECODIQ \u2014 PRODUCTION SAFETY SCAN           \u2551${RESET}`);
-  log(`${BOLD}\u2551        Project: ${report.project.padEnd(37)}\u2551${RESET}`);
-  log(`${BOLD}\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D${RESET}`);
-  log("");
-  const modules = [
-    { key: "billing", label: "Billing Safety", score: report.summary.billing },
-    { key: "auth", label: "Auth Safety", score: report.summary.auth },
-    { key: "admin", label: "Admin Safety", score: report.summary.admin }
-  ];
-  for (const mod of modules) {
-    log(`  ${BOLD}${mod.label.padEnd(20)}${RESET} ${scoreBar(mod.score)}  ${scoreLabel(mod.score.score)}`);
-  }
-  if (report.drift) {
-    log("");
-    log(`${DIM}${"\u2500".repeat(60)}${RESET}`);
-    log("");
-    log(`${BOLD}${CYAN}  MODULE BOUNDARY (DRIFT DETECTION)${RESET}`);
-    log("");
-    const driftModules = [
-      { key: "auth", label: "Auth Boundary", score: report.drift.auth },
-      { key: "billing", label: "Billing Boundary", score: report.drift.billing },
-      { key: "admin", label: "Admin Boundary", score: report.drift.admin }
-    ];
-    for (const mod of driftModules) {
-      log(`  ${BOLD}${mod.label.padEnd(20)}${RESET} ${scoreBar(mod.score)}  ${scoreLabel(mod.score.score)}`);
-    }
-  }
-  log("");
-  log(`${DIM}${"\u2500".repeat(60)}${RESET}`);
-  const safetyChecks = report.checks.filter((c) => c.category !== "drift");
-  const driftChecks = report.checks.filter((c) => c.category === "drift");
-  const failedChecks = safetyChecks.filter((c) => c.result === "FAIL");
-  const passedChecks = safetyChecks.filter((c) => c.result === "PASS");
-  const unknownChecks = safetyChecks.filter((c) => c.result === "UNKNOWN");
-  if (failedChecks.length > 0) {
-    log("");
-    log(`${RED}${BOLD}  FAILED CHECKS (${failedChecks.length})${RESET}`);
-    log("");
-    for (const check of failedChecks) {
-      log(`  ${resultIcon(check.result)} ${priorityTag(check.priority)} ${BOLD}${check.id}${RESET} ${check.name}`);
-      log(`    ${DIM}${check.message}${RESET}`);
-      if (check.evidence) {
-        for (const e of check.evidence.slice(0, 3)) {
-          log(`    ${DIM}\u2192 ${e}${RESET}`);
-        }
-        if (check.evidence.length > 3) {
-          log(`    ${DIM}  ... and ${check.evidence.length - 3} more${RESET}`);
-        }
-      }
-      log("");
-    }
-  }
-  if (passedChecks.length > 0) {
-    log(`${GREEN}${BOLD}  PASSED CHECKS (${passedChecks.length})${RESET}`);
-    log("");
-    for (const check of passedChecks) {
-      log(`  ${resultIcon(check.result)} ${DIM}${check.id}${RESET} ${check.name}`);
-    }
-    log("");
-  }
-  if (unknownChecks.length > 0) {
-    log(`${YELLOW}${BOLD}  UNKNOWN (${unknownChecks.length})${RESET}`);
-    log("");
-    for (const check of unknownChecks) {
-      log(`  ${resultIcon(check.result)} ${DIM}${check.id}${RESET} ${check.name} \u2014 ${DIM}${check.message}${RESET}`);
-    }
-    log("");
-  }
-  const driftFailed = driftChecks.filter((c) => c.result === "FAIL");
-  const driftPassed = driftChecks.filter((c) => c.result === "PASS");
-  const driftUnknown = driftChecks.filter((c) => c.result === "UNKNOWN");
-  if (driftChecks.length > 0) {
-    log(`${DIM}${"\u2500".repeat(60)}${RESET}`);
-    log("");
-    log(`${CYAN}${BOLD}  DRIFT DETECTION (${driftChecks.length} checks)${RESET}`);
-    if (driftFailed.length > 0) {
-      log("");
-      for (const check of driftFailed) {
-        log(`  ${resultIcon(check.result)} ${priorityTag(check.priority)} ${BOLD}${check.id}${RESET} ${check.name}`);
-        log(`    ${DIM}${check.message}${RESET}`);
-        if (check.evidence) {
-          for (const e of check.evidence.slice(0, 3)) {
-            log(`    ${DIM}\u2192 ${e}${RESET}`);
-          }
-          if (check.evidence.length > 3) {
-            log(`    ${DIM}  ... and ${check.evidence.length - 3} more${RESET}`);
-          }
-        }
-        log("");
-      }
-    }
-    if (driftPassed.length > 0) {
-      for (const check of driftPassed) {
-        log(`  ${resultIcon(check.result)} ${DIM}${check.id}${RESET} ${check.name}`);
-      }
-      log("");
-    }
-    if (driftUnknown.length > 0) {
-      for (const check of driftUnknown) {
-        log(`  ${resultIcon(check.result)} ${DIM}${check.id}${RESET} ${check.name} \u2014 ${DIM}${check.message}${RESET}`);
-      }
-      log("");
-    }
-  }
-  log(`${DIM}${"\u2500".repeat(60)}${RESET}`);
-  const totalFailed = failedChecks.length;
-  const totalPassed = passedChecks.length;
-  const safetyTotal = safetyChecks.length;
-  const driftTotal = driftChecks.length;
-  log("");
-  log(`  ${BOLD}Safety:${RESET} ${totalPassed}/${safetyTotal} passed, ${totalFailed} failed, ${unknownChecks.length} unknown`);
-  if (driftTotal > 0) {
-    log(`  ${BOLD}Drift:${RESET}  ${driftPassed.length}/${driftTotal} passed, ${driftFailed.length} failed, ${driftUnknown.length} unknown`);
-  }
-  log("");
-  if (totalFailed > 0) {
-    log(`  ${YELLOW}Fix the ${RED}${BOLD}${totalFailed} failed${RESET}${YELLOW} check${totalFailed > 1 ? "s" : ""} before going to production.${RESET}`);
-    log(`  ${DIM}Learn more: https://asastandard.org/checks${RESET}`);
-  } else {
-    log(`  ${GREEN}${BOLD}All checks passed.${RESET}`);
-  }
-  log("");
-}
-function printJson(report) {
-  console.log(JSON.stringify(report, null, 2));
-}
-
-// src/commands/guard-init.ts
-import fs2 from "fs";
-import path3 from "path";
-
-// src/templates/check-structure.ts
-var CHECK_STRUCTURE_SCRIPT = [
-  "#!/bin/bash",
-  "# ASA Structure Check \u2014 validates Slice Architecture rules",
-  "# Run: npx @vibecodiq/cli guard check (or ./check-structure.sh)",
-  "",
-  "set -e",
-  "",
-  'RULES_FILE=".asa/rules/architecture.md"',
-  "ERRORS=0",
-  "WARNINGS=0",
-  "",
-  'echo "\u{1F50D} ASA Structure Check \u2014 validating architecture rules..."',
-  'echo "   Rules: $RULES_FILE"',
-  'echo ""',
-  "",
-  "fail() {",
-  '  echo "\u274C FAIL: $1"',
-  '  echo "   \u2192 $2"',
-  '  echo "   \u2192 Fix: see $RULES_FILE"',
-  '  echo ""',
-  "  ERRORS=$((ERRORS + 1))",
-  "}",
-  "",
-  "warn() {",
-  '  echo "\u26A0\uFE0F  WARN: $1"',
-  '  echo "   \u2192 $2"',
-  '  echo ""',
-  "  WARNINGS=$((WARNINGS + 1))",
-  "}",
-  "",
-  "pass() {",
-  '  echo "\u2705 PASS: $1"',
-  "}",
-  "",
-  "# CHECK 1: Business logic in src/domains/",
-  'echo "--- Check 1: Business logic in src/domains/ ---"',
-  "",
-  'BIZ_IN_PAGES=$(grep -rl "supabase\\.\\(from\\|auth\\|rpc\\|storage\\)" src/pages/ 2>/dev/null || true)',
-  'if [ -n "$BIZ_IN_PAGES" ]; then',
-  "  for f in $BIZ_IN_PAGES; do",
-  '    fail "Business logic in page file: $f" \\',
-  '         "Supabase calls must be in src/domains/, not in pages."',
-  "  done",
-  "else",
-  '  pass "No business logic found in src/pages/"',
-  "fi",
-  "",
-  'if [ -d "src/components" ]; then',
-  '  BIZ_IN_COMPONENTS=$(grep -rl "supabase\\.\\(from\\|auth\\|rpc\\|storage\\)" src/components/ 2>/dev/null || true)',
-  '  if [ -n "$BIZ_IN_COMPONENTS" ]; then',
-  "    for f in $BIZ_IN_COMPONENTS; do",
-  '      fail "Business logic in component file: $f" \\',
-  '           "Supabase calls must be in src/domains/, not in components/."',
-  "    done",
-  "  else",
-  '    pass "No business logic found in src/components/"',
-  "  fi",
-  "fi",
-  "",
-  "# CHECK 2: src/domains/ directory exists",
-  'echo ""',
-  'echo "--- Check 2: src/domains/ directory exists ---"',
-  "",
-  'TS_FILES=$(find src/ -name "*.ts" -o -name "*.tsx" | grep -v "node_modules" | grep -v "vite-env" | wc -l)',
-  "",
-  'if [ "$TS_FILES" -gt 5 ]; then',
-  '  if [ -d "src/domains" ]; then',
-  '    pass "src/domains/ directory exists"',
-  "    DOMAIN_COUNT=$(find src/domains -mindepth 1 -maxdepth 1 -type d | wc -l)",
-  '    if [ "$DOMAIN_COUNT" -gt 0 ]; then',
-  '      pass "Found $DOMAIN_COUNT domain(s) in src/domains/"',
-  "    else",
-  '      warn "src/domains/ exists but is empty" \\',
-  '           "Add domain folders like src/domains/auth/, src/domains/tasks/"',
-  "    fi",
-  "  else",
-  '    fail "src/domains/ directory missing" \\',
-  '         "Business logic must be in src/domains/<domain>/<slice>/."',
-  "  fi",
-  "else",
-  '  pass "Project is small ($TS_FILES files) \u2014 src/domains/ not yet required"',
-  "fi",
-  "",
-  "# CHECK 3: No cross-domain imports",
-  'echo ""',
-  'echo "--- Check 3: No cross-domain imports ---"',
-  "",
-  'if [ -d "src/domains" ]; then',
-  "  CROSS_DOMAIN_VIOLATIONS=0",
-  "  for domain_dir in src/domains/*/; do",
-  '    [ ! -d "$domain_dir" ] && continue',
-  '    domain_name=$(basename "$domain_dir")',
-  '    OTHER_DOMAINS=$(find src/domains -mindepth 1 -maxdepth 1 -type d ! -name "$domain_name" -exec basename {} \\;)',
-  "    for other in $OTHER_DOMAINS; do",
-  '      VIOLATIONS=$(grep -rn "from.*domains/$other\\|import.*domains/$other" "$domain_dir" 2>/dev/null || true)',
-  '      if [ -n "$VIOLATIONS" ]; then',
-  "        while IFS= read -r line; do",
-  '          fail "Cross-domain import in $domain_name \u2192 $other" "$line"',
-  '        done <<< "$VIOLATIONS"',
-  "        CROSS_DOMAIN_VIOLATIONS=$((CROSS_DOMAIN_VIOLATIONS + 1))",
-  "      fi",
-  "    done",
-  "  done",
-  '  [ "$CROSS_DOMAIN_VIOLATIONS" -eq 0 ] && pass "No cross-domain imports detected"',
-  "else",
-  '  pass "No domains yet \u2014 cross-domain check skipped"',
-  "fi",
-  "",
-  "# CHECK 4: Pages are thin wrappers",
-  'echo ""',
-  'echo "--- Check 4: Pages are thin wrappers ---"',
-  "",
-  'if [ -d "src/pages" ]; then',
-  "  for page in src/pages/*.tsx; do",
-  '    [ ! -f "$page" ] && continue',
-  '    PAGE_LINES=$(wc -l < "$page")',
-  '    if [ "$PAGE_LINES" -gt 80 ]; then',
-  '      fail "Page too large: $page ($PAGE_LINES lines)" \\',
-  '           "Pages should be <80 lines. Move logic to src/domains/."',
-  "    fi",
-  "  done",
-  '  pass "Page thin wrapper check complete"',
-  "fi",
-  "",
-  "# CHECK 5: shared/ has no business logic",
-  'echo ""',
-  'echo "--- Check 5: shared/ has no business logic ---"',
-  "",
-  'if [ -d "src/shared" ]; then',
-  '  BIZ_IN_SHARED=$(grep -rln "TaskList\\|TaskForm\\|PricingCard\\|AdminUser\\|LoginForm\\|RegisterForm" src/shared/ 2>/dev/null || true)',
-  '  if [ -n "$BIZ_IN_SHARED" ]; then',
-  "    for f in $BIZ_IN_SHARED; do",
-  '      fail "Business component in shared/: $f" \\',
-  '           "Domain-specific components belong in src/domains/."',
-  "    done",
-  "  else",
-  '    pass "No business logic found in src/shared/"',
-  "  fi",
-  "else",
-  '  pass "src/shared/ not yet created \u2014 check skipped"',
-  "fi",
-  "",
-  "# RESULTS",
-  'echo ""',
-  'echo "=========================================="',
-  'if [ "$ERRORS" -gt 0 ]; then',
-  '  echo "\u274C ASA STRUCTURE CHECK FAILED"',
-  '  echo "   $ERRORS error(s), $WARNINGS warning(s)"',
-  '  echo "   Read the architecture rules: $RULES_FILE"',
-  '  echo "=========================================="',
-  "  exit 1",
-  "else",
-  '  echo "\u2705 ASA STRUCTURE CHECK PASSED"',
-  '  echo "   0 errors, $WARNINGS warning(s)"',
-  '  echo "=========================================="',
-  "  exit 0",
-  "fi",
-  ""
-].join("\n");
-
-// src/templates/index.ts
-var ARCHITECTURE_RULES = [
-  "# ASA Architecture Rules",
-  "",
-  "This project follows the ASA Slice Architecture. All code in this repository",
-  "MUST follow these rules. CI checks will fail if rules are violated.",
-  "",
-  "---",
-  "",
-  "## Rule 1: Business logic goes in `src/domains/`",
-  "",
-  "All business logic MUST be organized in domain folders:",
-  "",
-  "```",
-  "src/domains/",
-  "\u251C\u2500\u2500 auth/           # Authentication and authorization",
-  "\u251C\u2500\u2500 billing/        # Payments and subscriptions",
-  "\u2514\u2500\u2500 admin/          # Admin panel and user management",
-  "```",
-  "",
-  "Each domain contains **slices** \u2014 self-contained features:",
-  "",
-  "```",
-  "src/domains/<domain>/<slice>/",
-  "\u251C\u2500\u2500 <Component>.tsx     # React component (UI)",
-  "\u251C\u2500\u2500 use<Action>.ts      # React hook (data fetching / mutations)",
-  "\u2514\u2500\u2500 types.ts            # Types (optional)",
-  "```",
-  "",
-  "### What is a Slice?",
-  "",
-  "One slice = one user action. Examples:",
-  "",
-  "| Domain | Slice | What it does |",
-  "|--------|-------|-------------|",
-  "| `auth` | `login` | User logs in |",
-  "| `auth` | `register` | User creates account |",
-  "| `billing` | `subscribe` | User subscribes to a plan |",
-  "| `billing` | `check-limits` | Check if user hit plan limits |",
-  "| `admin` | `user-list` | Admin sees all users |",
-  "",
-  "---",
-  "",
-  "## Rule 2: Pages are thin wrappers",
-  "",
-  "Page files MUST be thin wrappers that import from `src/domains/`.",
-  "Pages contain NO business logic \u2014 only layout and composition.",
-  "Maximum 80 lines per page file.",
-  "",
-  "---",
-  "",
-  "## Rule 3: Shared infrastructure goes in `src/shared/`",
-  "",
-  "Database clients, auth helpers, and external service configs go in `src/shared/`:",
-  "",
-  "```",
-  "src/shared/",
-  "\u251C\u2500\u2500 db/",
-  "\u2502   \u2514\u2500\u2500 supabase-client.ts",
-  "\u251C\u2500\u2500 auth/",
-  "\u2502   \u251C\u2500\u2500 AuthGuard.tsx",
-  "\u2502   \u2514\u2500\u2500 useCurrentUser.ts",
-  "\u2514\u2500\u2500 billing/",
-  "    \u2514\u2500\u2500 stripe-client.ts",
-  "```",
-  "",
-  "---",
-  "",
-  "## Rule 4: No cross-domain imports",
-  "",
-  "A file in one domain MUST NOT import from another domain.",
-  "Use `src/shared/` for cross-domain communication.",
-  "",
-  "---",
-  "",
-  "## Rule 5: File naming conventions",
-  "",
-  "| Type | Pattern | Example |",
-  "|------|---------|---------|",
-  "| Component | `PascalCase.tsx` | `LoginForm.tsx` |",
-  "| Hook | `use<Action>.ts` | `useLogin.ts` |",
-  "| Types | `types.ts` | `types.ts` |",
-  "| Page | `page.tsx` | `page.tsx` |",
-  "| Shared utility | `camelCase.ts` | `supabase-client.ts` |",
-  "",
-  "---",
-  "",
-  "**If CI fails, restructure your code to follow these rules.**",
-  ""
-].join("\n");
-var ASA_GUARD_WORKFLOW = [
-  "name: ASA Structure Check",
-  "",
-  "on:",
-  "  push:",
-  "    branches: [main]",
-  "    paths-ignore:",
-  "      - '.asa/logs/**'",
-  "  pull_request:",
-  "    branches: [main]",
-  "",
-  "permissions:",
-  "  contents: write",
-  "",
-  "jobs:",
-  "  asa-structure-check:",
-  "    name: ASA Architecture Validation",
-  "    runs-on: ubuntu-latest",
-  "",
-  "    steps:",
-  "      - name: Checkout code",
-  "        uses: actions/checkout@v4",
-  "        with:",
-  "          fetch-depth: 0",
-  "",
-  "      - name: Run ASA structure check",
-  "        id: check",
-  "        run: |",
-  "          chmod +x check-structure.sh",
-  "          ./check-structure.sh 2>&1 | tee /tmp/check_output.txt || true",
-  '          if grep -q "ASA STRUCTURE CHECK FAILED" /tmp/check_output.txt; then',
-  '            echo "check_failed=true" >> "$GITHUB_OUTPUT"',
-  "          else",
-  '            echo "check_failed=false" >> "$GITHUB_OUTPUT"',
-  "          fi",
-  "",
-  "      - name: Fail if architecture check failed",
-  "        if: steps.check.outputs.check_failed == 'true'",
-  "        run: |",
-  '          echo ""',
-  '          echo "\u274C ASA Architecture Check FAILED."',
-  '          echo "   See output above for details."',
-  '          echo "   Fix violations and push again."',
-  "          exit 1",
-  ""
-].join("\n");
-
-// src/commands/guard-init.ts
-var CYAN2 = "\x1B[36m";
-var GREEN2 = "\x1B[32m";
-var YELLOW2 = "\x1B[33m";
-var BOLD2 = "\x1B[1m";
-var DIM2 = "\x1B[2m";
-var RESET2 = "\x1B[0m";
-async function guardInit(targetDir, isPro) {
-  const root = path3.resolve(targetDir);
-  if (isPro) {
-    console.log("");
-    console.log(`  ${YELLOW2}\u26A1 guard init --pro requires a Vibecodiq Pro license.${RESET2}`);
-    console.log(`  ${DIM2}   Get yours at: https://vibecodiq.com/guard${RESET2}`);
-    console.log(`  ${DIM2}   Run: npx @vibecodiq/cli login${RESET2}`);
-    console.log("");
-    process.exit(1);
-  }
-  console.log("");
-  console.log(`  ${CYAN2}\u{1F6E1}\uFE0F  Initializing ASA Guard in ${root}${RESET2}`);
-  console.log("");
-  const files = [
-    {
-      path: ".asa/rules/architecture.md",
-      content: ARCHITECTURE_RULES
-    },
-    {
-      path: ".github/workflows/asa-guard.yml",
-      content: ASA_GUARD_WORKFLOW
-    },
-    {
-      path: "check-structure.sh",
-      content: CHECK_STRUCTURE_SCRIPT,
-      executable: true
-    }
-  ];
-  let created = 0;
-  let skipped = 0;
-  for (const file of files) {
-    const fullPath = path3.join(root, file.path);
-    const dir = path3.dirname(fullPath);
-    if (!fs2.existsSync(dir)) {
-      fs2.mkdirSync(dir, { recursive: true });
-    }
-    if (fs2.existsSync(fullPath)) {
-      console.log(`  ${YELLOW2}\u23ED  ${file.path}${RESET2} ${DIM2}(already exists)${RESET2}`);
-      skipped++;
-    } else {
-      fs2.writeFileSync(fullPath, file.content, "utf-8");
-      if (file.executable) {
-        fs2.chmodSync(fullPath, 493);
-      }
-      console.log(`  ${GREEN2}\u2713  ${file.path}${RESET2}`);
-      created++;
-    }
-  }
-  console.log("");
-  console.log(`  ${BOLD2}Done:${RESET2} ${created} file${created !== 1 ? "s" : ""} created, ${skipped} skipped.`);
-  console.log("");
-  console.log(`  ${BOLD2}Next steps:${RESET2}`);
-  console.log(`  ${DIM2}1.${RESET2} Commit the new files: ${DIM2}git add -A && git commit -m "chore: add ASA Guard"${RESET2}`);
-  console.log(`  ${DIM2}2.${RESET2} Push to GitHub \u2014 CI will run architecture checks on every PR`);
-  console.log(`  ${DIM2}3.${RESET2} Run locally: ${DIM2}npx @vibecodiq/cli guard check${RESET2}`);
-  console.log("");
-  console.log(`  ${DIM2}Learn more: https://asastandard.org/checks/methodology${RESET2}`);
-  console.log("");
-}
-
-// src/commands/guard-check.ts
-import fs3 from "fs";
-import path4 from "path";
-var CYAN3 = "\x1B[36m";
-var GREEN3 = "\x1B[32m";
-var YELLOW3 = "\x1B[33m";
-var RED2 = "\x1B[31m";
-var BOLD3 = "\x1B[1m";
-var DIM3 = "\x1B[2m";
-var RESET3 = "\x1B[0m";
-async function guardCheck(targetDir, isPro) {
-  const root = path4.resolve(targetDir);
-  if (isPro) {
-    console.log("");
-    console.log(`  ${YELLOW3}\u26A1 guard check --pro requires a Vibecodiq Pro license.${RESET3}`);
-    console.log(`  ${DIM3}   Get yours at: https://vibecodiq.com/guard${RESET3}`);
-    console.log(`  ${DIM3}   Run: npx @vibecodiq/cli login${RESET3}`);
-    console.log("");
-    process.exit(1);
-  }
-  console.log("");
-  console.log(`  ${CYAN3}\u{1F6E1}\uFE0F  ASA Guard \u2014 Architecture Check${RESET3}`);
-  console.log(`  ${DIM3}   Target: ${root}${RESET3}`);
-  console.log("");
-  const results = [];
-  const srcDir = findSrcDir(root);
-  results.push(await checkBusinessLogicInDomains(root, srcDir));
-  results.push(await checkDomainsExist(root, srcDir));
-  results.push(await checkNoCrossDomainImports(root, srcDir));
-  results.push(await checkThinPages(root, srcDir));
-  results.push(await checkSharedNoBusinessLogic(root, srcDir));
-  let errors = 0;
-  let warnings = 0;
-  let passed = 0;
-  for (const r of results) {
-    const icon = r.status === "PASS" ? `${GREEN3}\u2705${RESET3}` : r.status === "FAIL" ? `${RED2}\u274C${RESET3}` : r.status === "WARN" ? `${YELLOW3}\u26A0\uFE0F${RESET3}` : `${DIM3}\u23ED${RESET3}`;
-    console.log(`  ${icon} ${r.name}`);
-    if (r.status !== "PASS" && r.status !== "SKIP") {
-      console.log(`     ${DIM3}${r.message}${RESET3}`);
-      if (r.evidence) {
-        for (const e of r.evidence.slice(0, 3)) {
-          console.log(`     ${DIM3}\u2192 ${e}${RESET3}`);
-        }
-      }
-    }
-    if (r.status === "FAIL") errors++;
-    else if (r.status === "WARN") warnings++;
-    else if (r.status === "PASS") passed++;
-  }
-  console.log("");
-  if (errors > 0) {
-    console.log(`  ${RED2}${BOLD3}\u274C ASA GUARD CHECK FAILED${RESET3} \u2014 ${errors} error${errors > 1 ? "s" : ""}, ${warnings} warning${warnings > 1 ? "s" : ""}`);
-    console.log(`  ${DIM3}   Fix violations and run again.${RESET3}`);
-    console.log(`  ${DIM3}   Rules: .asa/rules/architecture.md${RESET3}`);
-  } else {
-    console.log(`  ${GREEN3}${BOLD3}\u2705 ASA GUARD CHECK PASSED${RESET3} \u2014 ${passed} passed, ${warnings} warning${warnings > 1 ? "s" : ""}`);
-  }
-  console.log("");
-  process.exit(errors > 0 ? 1 : 0);
-}
-function findSrcDir(root) {
-  if (fs3.existsSync(path4.join(root, "src"))) return "src";
-  if (fs3.existsSync(path4.join(root, "app"))) return "app";
-  return null;
-}
-function getAllFiles(dir, ext) {
-  const results = [];
-  if (!fs3.existsSync(dir)) return results;
-  const entries = fs3.readdirSync(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    const full = path4.join(dir, entry.name);
-    if (entry.name === "node_modules" || entry.name === ".git") continue;
-    if (entry.isDirectory()) {
-      results.push(...getAllFiles(full, ext));
-    } else if (ext.some((e) => entry.name.endsWith(e))) {
-      results.push(full);
-    }
-  }
-  return results;
-}
-async function checkBusinessLogicInDomains(root, srcDir) {
-  const name = "Business logic in domains/";
-  if (!srcDir) return { name, status: "SKIP", message: "No src/ directory found" };
-  const pagesDir = path4.join(root, srcDir, "pages");
-  const componentsDir = path4.join(root, srcDir, "components");
-  const violations = [];
-  const bizPattern = /supabase\.(from|auth|rpc|storage)\b/;
-  for (const dir of [pagesDir, componentsDir]) {
-    if (!fs3.existsSync(dir)) continue;
-    const files = getAllFiles(dir, [".ts", ".tsx", ".js", ".jsx"]);
-    for (const file of files) {
-      const content = fs3.readFileSync(file, "utf-8");
-      if (bizPattern.test(content)) {
-        violations.push(path4.relative(root, file));
-      }
-    }
-  }
-  if (violations.length > 0) {
-    return {
-      name,
-      status: "FAIL",
-      message: `Supabase calls found in pages/components (${violations.length} file${violations.length > 1 ? "s" : ""})`,
-      evidence: violations
-    };
-  }
-  return { name, status: "PASS", message: "" };
-}
-async function checkDomainsExist(root, srcDir) {
-  const name = "domains/ directory exists";
-  if (!srcDir) return { name, status: "SKIP", message: "No src/ directory found" };
-  const domainsDir = path4.join(root, srcDir, "domains");
-  const tsFiles = getAllFiles(path4.join(root, srcDir), [".ts", ".tsx"]);
-  if (tsFiles.length <= 5) {
-    return { name, status: "PASS", message: "Project is small \u2014 domains/ not yet required" };
-  }
-  if (!fs3.existsSync(domainsDir)) {
-    return {
-      name,
-      status: "FAIL",
-      message: `${tsFiles.length} files in ${srcDir}/ but no domains/ directory`,
-      evidence: ["Create src/domains/<domain>/<slice>/ for business logic"]
-    };
-  }
-  const domains = fs3.readdirSync(domainsDir, { withFileTypes: true }).filter((d) => d.isDirectory());
-  if (domains.length === 0) {
-    return { name, status: "WARN", message: "domains/ exists but is empty" };
-  }
-  return { name, status: "PASS", message: `${domains.length} domain${domains.length > 1 ? "s" : ""} found` };
-}
-async function checkNoCrossDomainImports(root, srcDir) {
-  const name = "No cross-domain imports";
-  if (!srcDir) return { name, status: "SKIP", message: "No src/ directory found" };
-  const domainsDir = path4.join(root, srcDir, "domains");
-  if (!fs3.existsSync(domainsDir)) {
-    return { name, status: "PASS", message: "No domains yet" };
-  }
-  const domains = fs3.readdirSync(domainsDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name);
-  const violations = [];
-  for (const domain of domains) {
-    const domainPath = path4.join(domainsDir, domain);
-    const files = getAllFiles(domainPath, [".ts", ".tsx", ".js", ".jsx"]);
-    const otherDomains = domains.filter((d) => d !== domain);
-    for (const file of files) {
-      const content = fs3.readFileSync(file, "utf-8");
-      for (const other of otherDomains) {
-        const importPattern = new RegExp(`from.*domains/${other}|import.*domains/${other}`);
-        if (importPattern.test(content)) {
-          violations.push(`${path4.relative(root, file)} \u2192 imports from ${other}/`);
-        }
-      }
-    }
-  }
-  if (violations.length > 0) {
-    return {
-      name,
-      status: "FAIL",
-      message: `${violations.length} cross-domain import${violations.length > 1 ? "s" : ""} found`,
-      evidence: violations
-    };
-  }
-  return { name, status: "PASS", message: "" };
-}
-async function checkThinPages(root, srcDir) {
-  const name = "Pages are thin wrappers";
-  if (!srcDir) return { name, status: "SKIP", message: "No src/ directory found" };
-  const pagesDir = path4.join(root, srcDir, "pages");
-  if (!fs3.existsSync(pagesDir)) {
-    return { name, status: "PASS", message: "No pages/ directory (Next.js App Router or no pages)" };
-  }
-  const files = getAllFiles(pagesDir, [".tsx", ".jsx"]);
-  const fat = [];
-  for (const file of files) {
-    const content = fs3.readFileSync(file, "utf-8");
-    const lines = content.split("\n").length;
-    if (lines > 80) {
-      fat.push(`${path4.relative(root, file)} (${lines} lines)`);
-    }
-  }
-  if (fat.length > 0) {
-    return {
-      name,
-      status: "FAIL",
-      message: `${fat.length} page${fat.length > 1 ? "s" : ""} over 80 lines`,
-      evidence: fat
-    };
-  }
-  return { name, status: "PASS", message: "" };
-}
-async function checkSharedNoBusinessLogic(root, srcDir) {
-  const name = "shared/ has no business logic";
-  if (!srcDir) return { name, status: "SKIP", message: "No src/ directory found" };
-  const sharedDir = path4.join(root, srcDir, "shared");
-  if (!fs3.existsSync(sharedDir)) {
-    return { name, status: "PASS", message: "No shared/ directory yet" };
-  }
-  const bizNames = /TaskList|TaskForm|PricingCard|AdminUser|LoginForm|RegisterForm/;
-  const files = getAllFiles(sharedDir, [".ts", ".tsx", ".js", ".jsx"]);
-  const violations = [];
-  for (const file of files) {
-    const content = fs3.readFileSync(file, "utf-8");
-    if (bizNames.test(content)) {
-      violations.push(path4.relative(root, file));
-    }
-  }
-  if (violations.length > 0) {
-    return {
-      name,
-      status: "FAIL",
-      message: `Business components found in shared/ (${violations.length} file${violations.length > 1 ? "s" : ""})`,
-      evidence: violations
-    };
-  }
-  return { name, status: "PASS", message: "" };
-}
-
-// src/commands/guard-upgrade.ts
-import fs4 from "fs";
-import path5 from "path";
-var GREEN4 = "\x1B[32m";
-var YELLOW4 = "\x1B[33m";
-var CYAN4 = "\x1B[36m";
-var BOLD4 = "\x1B[1m";
-var DIM4 = "\x1B[2m";
-var RESET4 = "\x1B[0m";
-async function guardUpgrade(targetDir) {
-  const root = path5.resolve(targetDir);
-  console.log("");
-  console.log(`  ${CYAN4}\u{1F504} Upgrading ASA Guard rules...${RESET4}`);
-  console.log("");
-  const files = [
-    { path: ".asa/rules/architecture.md", content: ARCHITECTURE_RULES },
-    { path: ".github/workflows/asa-guard.yml", content: ASA_GUARD_WORKFLOW },
-    { path: "check-structure.sh", content: CHECK_STRUCTURE_SCRIPT, executable: true }
-  ];
-  let updated = 0;
-  for (const file of files) {
-    const fullPath = path5.join(root, file.path);
-    if (!fs4.existsSync(fullPath)) {
-      console.log(`  ${YELLOW4}\u23ED  ${file.path}${RESET4} ${DIM4}(not found \u2014 run guard init first)${RESET4}`);
-      continue;
-    }
-    const existing = fs4.readFileSync(fullPath, "utf-8");
-    if (existing === file.content) {
-      console.log(`  ${DIM4}\u2713  ${file.path} (already up to date)${RESET4}`);
-      continue;
-    }
-    fs4.writeFileSync(fullPath, file.content, "utf-8");
-    if (file.executable) fs4.chmodSync(fullPath, 493);
-    console.log(`  ${GREEN4}\u2713  ${file.path}${RESET4} ${BOLD4}updated${RESET4}`);
-    updated++;
-  }
-  console.log("");
-  if (updated > 0) {
-    console.log(`  ${BOLD4}${updated} file${updated > 1 ? "s" : ""} updated.${RESET4} Commit the changes.`);
-  } else {
-    console.log(`  ${DIM4}All rules are already up to date.${RESET4}`);
-  }
-  console.log("");
-}
-
-// src/index.ts
-var VERSION = "0.2.0";
-var BOLD5 = "\x1B[1m";
-var DIM5 = "\x1B[2m";
-var CYAN5 = "\x1B[36m";
-var YELLOW5 = "\x1B[33m";
-var RESET5 = "\x1B[0m";
-var args = process.argv.slice(2);
-var command = args[0];
-var subcommand = args[1];
-function getPath(args2) {
-  for (const a of args2.slice(1)) {
-    if (!a.startsWith("-")) return a;
-  }
-  return ".";
-}
-function hasFlag(flag) {
-  return args.includes(flag);
-}
-function proStub(feature) {
-  console.log("");
-  console.log(`  ${YELLOW5}\u26A1 ${feature} requires a Vibecodiq Pro license.${RESET5}`);
-  console.log("");
-  console.log(`  ${DIM5}  Get yours at: https://vibecodiq.com/pricing${RESET5}`);
-  console.log(`  ${DIM5}  Then run:     npx @vibecodiq/cli login${RESET5}`);
-  console.log("");
-  process.exit(1);
-}
-if (command === "scan") {
-  if (hasFlag("--fix")) {
-    proStub("scan --fix (AI fix prompts)");
-  }
-  if (hasFlag("--full")) {
-    proStub("scan --full (full audit mode)");
-  }
-  const targetDir = getPath(args);
-  const jsonOutput = hasFlag("--json");
-  if (!jsonOutput) {
-    console.log("");
-    console.log(`  ${CYAN5}\u23F3 Scanning project...${RESET5}`);
-  }
-  const report = await runScan(targetDir);
-  if (jsonOutput) {
-    printJson(report);
-  } else {
-    printReport(report);
-  }
-  const hasFails = report.checks.some((c) => c.result === "FAIL");
-  process.exit(hasFails ? 1 : 0);
-} else if (command === "guard") {
-  if (subcommand === "init") {
-    const targetDir = getPath(args.slice(1));
-    const isPro = hasFlag("--pro");
-    await guardInit(targetDir, isPro);
-  } else if (subcommand === "check") {
-    const targetDir = getPath(args.slice(1));
-    const isPro = hasFlag("--pro");
-    await guardCheck(targetDir, isPro);
-  } else if (subcommand === "upgrade") {
-    const targetDir = getPath(args.slice(1));
-    await guardUpgrade(targetDir);
-  } else {
-    console.log("");
-    console.log(`  ${BOLD5}@vibecodiq/cli guard${RESET5} \u2014 Architecture rules & CI enforcement`);
-    console.log("");
-    console.log(`  ${BOLD5}Commands:${RESET5}`);
-    console.log(`    guard init              Install ASA rules + CI into your repo`);
-    console.log(`    guard init --pro        + connect to Vibecodiq API ${DIM5}(Pro)${RESET5}`);
-    console.log(`    guard check             Run 5 architecture checks locally`);
-    console.log(`    guard check --pro       Run full checks via remote API ${DIM5}(Pro)${RESET5}`);
-    console.log(`    guard upgrade           Upgrade rules to latest version`);
-    console.log("");
-    console.log(`  ${DIM5}Learn more: https://vibecodiq.com/guard${RESET5}`);
-    console.log("");
-  }
-} else if (command === "login") {
-  proStub("login (Pro authentication)");
-} else if (command === "logout") {
-  proStub("logout (Pro authentication)");
-} else if (command === "--version" || command === "-v") {
-  console.log(`@vibecodiq/cli v${VERSION}`);
-} else {
-  console.log("");
-  console.log(`  ${BOLD5}@vibecodiq/cli${RESET5} v${VERSION} \u2014 Production safety for AI-built apps`);
-  console.log("");
-  console.log(`  ${BOLD5}Scan${RESET5} ${DIM5}(check what you already have)${RESET5}`);
-  console.log(`    scan [path]             Run 71 safety checks ${DIM5}(Free)${RESET5}`);
-  console.log(`    scan --json             JSON output for CI pipelines`);
-  console.log(`    scan --fix              AI fix prompts for failures ${DIM5}(Pro)${RESET5}`);
-  console.log(`    scan --full             Full audit with Trust Score ${DIM5}(Pro)${RESET5}`);
-  console.log("");
-  console.log(`  ${BOLD5}Guard${RESET5} ${DIM5}(build safely from day one)${RESET5}`);
-  console.log(`    guard init              Install ASA rules + CI ${DIM5}(Free)${RESET5}`);
-  console.log(`    guard check             Run 5 architecture checks ${DIM5}(Free)${RESET5}`);
-  console.log(`    guard check --pro       Full architecture + safety ${DIM5}(Pro)${RESET5}`);
-  console.log(`    guard upgrade           Upgrade rules to latest`);
-  console.log("");
-  console.log(`  ${BOLD5}Account${RESET5}`);
-  console.log(`    login                   Authenticate for Pro features`);
-  console.log(`    logout                  Sign out`);
-  console.log(`    --version               Show version`);
-  console.log("");
-  console.log(`  ${DIM5}Docs:    https://asastandard.org/checks${RESET5}`);
-  console.log(`  ${DIM5}Pricing: https://vibecodiq.com/pricing${RESET5}`);
-  console.log("");
-}
+import{createHash as Hs}from"crypto";import Si from"path";var pe={id:"ARCH-01",name:"Business logic in domains/",module:"architecture",layer:"L1",priority:"P0",description:"Supabase/DB calls in pages or components indicate business logic outside domains/",fixCost:250,fixSize:"L",async run(e){let t=/supabase\.(from|auth|rpc|storage)\b|\.from\(\s*['"`]/,n=[],i=e.files.filter(s=>(s.includes("/pages/")||s.includes("/app/"))&&!s.includes("/api/")&&!s.includes("route.")&&!s.includes("layout.")&&!s.includes("globals.")&&(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx"))),r=e.files.filter(s=>s.includes("/components/")&&(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx")));for(let s of[...i,...r]){let o;try{o=await e.readFile(s)}catch{continue}t.test(o)&&n.push(s)}return n.length>0?{result:"FAIL",message:`Supabase/DB calls found in pages/components (${n.length} file${n.length>1?"s":""})`,evidence:n.slice(0,5)}:{result:"PASS",message:"No business logic detected in pages/components"}}};var fe={id:"ARCH-02",name:"domains/ directory exists",module:"architecture",layer:"L1",priority:"P0",description:"Projects with >5 source files need a domains/ directory for organized business logic",fixCost:250,fixSize:"L",async run(e){let t=e.files.filter(r=>(r.endsWith(".ts")||r.endsWith(".tsx")||r.endsWith(".js")||r.endsWith(".jsx"))&&!r.includes("node_modules"));if(t.length<=5)return{result:"PASS",message:"Project is small \u2014 domains/ not yet required"};if(!e.files.some(r=>r.includes("domains/")||r.includes("src/domains/")))return{result:"FAIL",message:`${t.length} source files but no domains/ directory`,evidence:["Create domains/<domain>/<slice>/ for business logic"]};let i=new Set;for(let r of e.files){let s=r.match(/(?:src\/)?domains\/([^/]+)\//);s&&i.add(s[1])}return i.size===0?{result:"FAIL",message:"domains/ exists but is empty"}:{result:"PASS",message:`${i.size} domain${i.size>1?"s":""} found`}}};var me={id:"ARCH-03",name:"No cross-domain imports",module:"architecture",layer:"L1",priority:"P1",description:"Files in one domain must not import from another domain \u2014 use shared/ for cross-domain communication",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(r=>r.includes("domains/"));if(t.length===0)return{result:"PASS",message:"No domains/ directory yet"};let n=new Set;for(let r of t){let s=r.match(/(?:src\/)?domains\/([^/]+)\//);s&&n.add(s[1])}let i=[];for(let r of t){if(!r.endsWith(".ts")&&!r.endsWith(".tsx")&&!r.endsWith(".js")&&!r.endsWith(".jsx"))continue;let s=r.match(/(?:src\/)?domains\/([^/]+)\//)?.[1];if(!s)continue;let o;try{o=await e.readFile(r)}catch{continue}for(let a of n){if(a===s)continue;new RegExp(`from.*domains/${a}|import.*domains/${a}`).test(o)&&i.push(`${r} \u2192 imports from ${a}/`)}}return i.length>0?{result:"FAIL",message:`${i.length} cross-domain import${i.length>1?"s":""} found`,evidence:i.slice(0,5)}:{result:"PASS",message:"No cross-domain imports detected"}}};var ge={id:"ARCH-04",name:"Pages are thin wrappers",module:"architecture",layer:"L1",priority:"P1",description:"Page files should be thin wrappers (<80 lines) that compose domain components",fixCost:250,fixSize:"L",async run(e){let t=e.files.filter(i=>(i.includes("/pages/")||i.match(/app\/.*\/page\.(ts|tsx|js|jsx)$/))&&(i.endsWith(".tsx")||i.endsWith(".jsx")));if(t.length===0)return{result:"PASS",message:"No page files found"};let n=[];for(let i of t){let r;try{r=await e.readFile(i)}catch{continue}let s=r.split(`
+`).length;s>80&&n.push(`${i} (${s} lines)`)}return n.length>0?{result:"FAIL",message:`${n.length} page${n.length>1?"s":""} over 80 lines \u2014 extract logic to domains/`,evidence:n.slice(0,5)}:{result:"PASS",message:`All ${t.length} pages are thin wrappers`}}};var he={id:"ARCH-05",name:"shared/ has no business logic",module:"architecture",layer:"L1",priority:"P1",description:"shared/ should contain only infrastructure (DB clients, auth helpers) \u2014 not domain-specific components",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>(s.includes("shared/")||s.includes("src/shared/"))&&(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx")));if(t.length===0)return{result:"PASS",message:"No shared/ directory yet"};let n=/supabase\.(from|rpc)\(|\.insert\(|\.update\(|\.delete\(|\.select\(/,i=/TaskList|TaskForm|PricingCard|AdminUser|LoginForm|RegisterForm|InvoiceTable|OrderList|ProductCard/,r=[];for(let s of t){let o;try{o=await e.readFile(s)}catch{continue}i.test(o)?r.push(`${s} \u2014 business component name detected`):n.test(o)&&!s.includes("/db/")&&!s.includes("/auth/")&&!s.includes("/billing/")&&r.push(`${s} \u2014 direct DB operations outside infrastructure`)}return r.length>0?{result:"FAIL",message:`Business logic found in shared/ (${r.length} file${r.length>1?"s":""})`,evidence:r.slice(0,5)}:{result:"PASS",message:`shared/ contains only infrastructure (${t.length} files)`}}};async function Se(e,t,n){let i=[],r=e.files;n&&n.length>0&&(r=r.filter(s=>n.some(o=>ye(s,o))));for(let s of r){let o;try{o=await e.readFile(s)}catch{continue}let a=o.split(`
+`);for(let c=0;c<a.length;c++)t.test(a[c])&&i.push({file:s,line:c+1,content:a[c].trim()})}return i}function ye(e,t){if(t.startsWith("!"))return!ye(e,t.slice(1));if(t.startsWith("**/")){let n=t.slice(3);return e.includes(n)}if(t.endsWith("/**")){let n=t.slice(0,-3);return e.startsWith(n)}return t.includes("*")?new RegExp("^"+t.replace(/\*/g,".*")+"$").test(e):e===t||e.startsWith(t+"/")}function v(e){return e.startsWith("src/")||e.startsWith("components/")||e.startsWith("app/")||e.startsWith("pages/")||e.includes("/components/")||e.includes("/hooks/")||e.includes("/contexts/")}function w(e){return e.includes("/api/")||e.includes("route.ts")||e.includes("route.js")||e.includes("server/")||e.includes("actions.ts")||e.includes("actions.js")}function b(e){return e.includes("migration")||e.includes("supabase/")||e.endsWith(".sql")}function E(e){return(e.split("/").pop()||"").startsWith(".env")}var Ae={id:"AUTH-01",name:"service_role key not in client code",module:"auth",layer:"L2",priority:"P0",aliases:["ADM-17"],description:"service_role bypasses all RLS \u2014 must never appear in client-side code or NEXT_PUBLIC_ vars",fixCost:100,fixSize:"M",async run(e){let t=/service_role|SERVICE_ROLE|SUPABASE_SERVICE_ROLE|sb_secret_/i,n=await e.grepFiles(t),i=n.filter(c=>c.content.includes("NEXT_PUBLIC_")?!0:c.file.includes("use client")?!1:!!(v(c.file)&&!c.file.includes("/api/")&&!c.file.includes("route."))),r=n.filter(c=>c.content.includes("NEXT_PUBLIC_")&&/service_role|SERVICE_ROLE/i.test(c.content)),s=[...i,...r],o=[...new Map(s.map(c=>[`${c.file}:${c.line}`,c])).values()];return o.length>0?{result:"FAIL",message:`service_role key found in client-accessible code (${o.length} location${o.length>1?"s":""})`,evidence:o.map(c=>`${c.file}:${c.line} \u2192 ${c.content.substring(0,120)}`)}:n.filter(c=>!c.content.startsWith("//")&&!c.content.startsWith("#")&&!c.content.startsWith("*")).length>0?{result:"PASS",message:"service_role key found only in server-side code"}:{result:"UNKNOWN",message:"No service_role references found \u2014 Supabase may not be used"}}};var be={id:"AUTH-02",name:"RLS enabled on all tables",module:"auth",layer:"L2",priority:"P0",description:"Every table must have Row Level Security enabled. Without RLS, anon key = full DB access.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b);if(t.length===0)return{result:"UNKNOWN",message:"No SQL migration files found"};let n=/CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi,i=/ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi,r=new Set(["schema_migrations","_prisma_migrations","migrations"]),s=new Set,o=new Set;for(let c of t){let l;try{l=await e.readFile(c)}catch{continue}let p,f=new RegExp(n.source,"gi");for(;(p=f.exec(l))!==null;){let A=p[1].toLowerCase();r.has(A)||s.add(A)}let S=new RegExp(i.source,"gi");for(;(p=S.exec(l))!==null;)o.add(p[1].toLowerCase())}if(s.size===0)return{result:"UNKNOWN",message:"No CREATE TABLE statements found in migrations"};let a=[...s].filter(c=>!o.has(c));return a.length>0?{result:"FAIL",message:`${a.length} table${a.length>1?"s":""} without RLS (of ${s.size} total)`,evidence:a.map(c=>`Table "${c}" \u2014 missing ENABLE ROW LEVEL SECURITY`)}:{result:"PASS",message:`All ${s.size} tables have RLS enabled`}}};var $e={id:"AUTH-03",name:"RLS policies have WITH CHECK",module:"auth",layer:"L2",priority:"P0",description:"INSERT/UPDATE policies need WITH CHECK clause. USING alone lets users insert data owned by others.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b);if(t.length===0)return{result:"UNKNOWN",message:"No SQL migration files found"};let n=[],i=[];for(let a of t){let c;try{c=await e.readFile(a)}catch{continue}let l=/CREATE\s+POLICY\s+"?(\w+)"?\s+ON\s+(?:public\.)?(\w+)\s+(?:AS\s+\w+\s+)?FOR\s+(INSERT|UPDATE|ALL)\b([\s\S]*?)(?=CREATE\s+POLICY|$)/gi,p;for(;(p=l.exec(c))!==null;){let f=p[1],S=p[2],A=p[3].toUpperCase(),P=p[4];(A==="INSERT"||A==="UPDATE"||A==="ALL")&&(/WITH\s+CHECK\s*\(\s*true\s*\)/i.test(P)?n.push(`${a}: policy "${f}" on ${S} \u2014 WITH CHECK (true) is permissive`):/WITH\s+CHECK/i.test(P)||i.push(`${a}: policy "${f}" on ${S} (${A}) \u2014 missing WITH CHECK`))}}let r=[...n,...i];if(r.length>0)return{result:"FAIL",message:`${r.length} RLS policy issue${r.length>1?"s":""} found`,evidence:r.slice(0,5)};let s=t.some(a=>{try{let c=e.files.includes(a)?a:"";return/CREATE\s+POLICY/i.test(c)}catch{return!1}});return(await e.grepFiles(/CREATE\s+POLICY/i)).length===0?{result:"UNKNOWN",message:"No RLS policies found in migrations"}:{result:"PASS",message:"All INSERT/UPDATE RLS policies have proper WITH CHECK clauses"}}};var ve={id:"AUTH-04",name:"Server-side auth on protected routes",module:"auth",layer:"L2",priority:"P0",description:"Every protected API route/server action must verify auth server-side. Middleware-only auth is bypassable (CVE-2025-29927).",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>(s.includes("route.")||s.includes("actions."))&&w(s));if(t.length===0)return{result:"UNKNOWN",message:"No API route handlers found"};let n=/getUser|getSession|auth\(\)|verifyToken|requireAuth|requireAdmin|checkPermission|requireRole|currentUser|validateSession/i,i=/webhook|health|status|public|og|sitemap|robots|favicon|_next/i,r=[];for(let s of t){if(i.test(s))continue;let o;try{o=await e.readFile(s)}catch{continue}n.test(o)||r.push(s)}return r.length>0?{result:"FAIL",message:`${r.length} API route${r.length>1?"s":""} without server-side auth check`,evidence:r.slice(0,5).map(s=>`${s} \u2014 no auth verification detected`)}:{result:"PASS",message:`All ${t.length} API routes have server-side auth checks`}}};var Ce={id:"AUTH-05",name:"No secrets with NEXT_PUBLIC_ prefix",module:"auth",layer:"L2",priority:"P0",description:"NEXT_PUBLIC_ vars are bundled in the browser. Secrets must never use this prefix.",fixCost:100,fixSize:"M",async run(e){let t=[/NEXT_PUBLIC_.*SERVICE_ROLE/i,/NEXT_PUBLIC_.*SECRET/i,/NEXT_PUBLIC_.*DATABASE_URL/i,/NEXT_PUBLIC_.*DB_URL/i,/NEXT_PUBLIC_.*PRIVATE/i,/NEXT_PUBLIC_.*PASSWORD/i,/NEXT_PUBLIC_.*JWT_SECRET/i,/VITE_.*SERVICE_ROLE/i,/VITE_.*SECRET_KEY/i,/VITE_.*DATABASE_URL/i,/EXPO_PUBLIC_.*SERVICE_ROLE/i,/EXPO_PUBLIC_.*SECRET/i],n=e.files.filter(E),i=[];for(let r of n){let s;try{s=await e.readFile(r)}catch{continue}let o=s.split(`
+`);for(let a=0;a<o.length;a++){let c=o[a].trim();if(!(c.startsWith("#")||!c)){for(let l of t)if(l.test(c)){i.push({file:r,line:a+1,content:c.split("=")[0]});break}}}}return i.length>0?{result:"FAIL",message:`Secret keys exposed via public prefix (${i.length} found)`,evidence:i.map(r=>`${r.file}:${r.line} \u2192 ${r.content}`)}:n.length===0?{result:"UNKNOWN",message:"No .env files found to check"}:{result:"PASS",message:"No secrets found with NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ prefix"}}};var _e={id:"AUTH-06",name:"Protected routes redirect unauthenticated users",module:"auth",layer:"L2",priority:"P1",description:"Middleware or route guard must redirect unauthenticated users to /login for protected pages.",fixCost:100,fixSize:"M",async run(e){let t=e.files.find(i=>/^middleware\.(ts|js)$/.test(i));if(!t)return(await e.grepFiles(/redirect.*login|redirect.*auth|redirect.*sign/i)).length>0?{result:"PASS",message:"Route guards with login redirect detected"}:{result:"FAIL",message:"No middleware.ts and no route guards found \u2014 unauthenticated users can access protected pages",evidence:["Missing: middleware.ts or per-page auth redirect"]};let n;try{n=await e.readFile(t)}catch{return{result:"UNKNOWN",message:"Could not read middleware file"}}return/redirect.*login|redirect.*auth|NextResponse.*redirect/i.test(n)?{result:"PASS",message:"Middleware redirects unauthenticated users to login"}:{result:"FAIL",message:"Middleware exists but no login redirect detected",evidence:[`${t} \u2014 no redirect to /login or /auth`]}}};var ke={id:"AUTH-07",name:"Session tokens in httpOnly cookies",module:"auth",layer:"L2",priority:"P2",description:"Tokens in localStorage are accessible via XSS. httpOnly cookies prevent JavaScript access to session tokens.",fixCost:100,fixSize:"M",async run(e){let t=/localStorage.*(?:token|session|jwt|access_token)|sessionStorage.*(?:token|session|jwt)/i,n=/httpOnly|cookie.*session|supabase.*ssr|@supabase\/ssr/i,i=await e.grepFiles(t),r=await e.grepFiles(n),s=i.filter(o=>!o.content.trimStart().startsWith("//"));return s.length>0&&r.length===0?{result:"FAIL",message:`Session tokens stored in localStorage (${s.length} location${s.length>1?"s":""})`,evidence:s.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}:r.length>0?{result:"PASS",message:"httpOnly cookies or @supabase/ssr detected for session management"}:{result:"UNKNOWN",message:"No explicit token storage pattern detected"}}};var Ie={id:"AUTH-08",name:"Password hashing (if custom auth)",module:"auth",layer:"L2",priority:"P0",description:"Passwords must be hashed with bcrypt/argon2/scrypt. N/A if using Supabase Auth (handles hashing internally).",fixCost:100,fixSize:"M",async run(e){let t=/supabase|@supabase|createBrowserClient|createServerClient/i;if((await e.grepFiles(t)).length>0)return{result:"N/A",message:"Supabase Auth handles password hashing internally (bcrypt/Argon2)"};let i=/bcrypt|argon2|scrypt|pbkdf2/i,r=/password.*=.*req\.body|password.*=.*body\.|plaintext|md5.*password|sha1.*password/i,s=await e.grepFiles(i),o=await e.grepFiles(r);return o.length>0&&s.length===0?{result:"FAIL",message:"Password handling without secure hashing detected",evidence:o.slice(0,3).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:s.length>0?{result:"PASS",message:"Secure password hashing detected (bcrypt/argon2/scrypt)"}:{result:"UNKNOWN",message:"No custom auth password handling detected"}}};var Pe={id:"AUTH-09",name:"Rate limiting on auth endpoints",module:"auth",layer:"L2",priority:"P1",description:"Login/register endpoints without rate limiting are vulnerable to brute force attacks.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>/auth|login|register|sign/i.test(o)),n=/rateLimit|rate.limit|throttle|limiter|too.many.requests|429|upstash/i;return t.length===0?{result:"UNKNOWN",message:"No auth endpoint files found"}:(await e.grepFiles(n,t)).length>0?{result:"PASS",message:"Rate limiting detected on auth endpoints"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Rate limiting detected in codebase (verify it covers auth endpoints)"}:(await e.grepFiles(/supabase.*auth|@supabase/i)).length>0?{result:"PASS",message:"Supabase Auth has built-in rate limiting for auth endpoints"}:{result:"FAIL",message:"No rate limiting found on auth endpoints",evidence:["Missing: rate limiting middleware on login/register routes"]}}};var we={id:"AUTH-10",name:"Profile sync trigger with safe search_path",module:"auth",layer:"L2",priority:"P1",description:"handle_new_user() trigger must use SECURITY DEFINER with restricted search_path to prevent privilege escalation.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b);if(t.length===0)return{result:"UNKNOWN",message:"No SQL migration files found"};let n=/handle_new_user|on_auth_user_created|AFTER\s+INSERT\s+ON\s+auth\.users/i,i=/SECURITY\s+DEFINER/i,r=/search_path|SET\s+search_path/i;if((await e.grepFiles(n)).length===0)return{result:"FAIL",message:"No profile sync trigger found (handle_new_user or equivalent)",evidence:["Missing trigger: new auth.users rows won't sync to profiles table"]};for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}if(n.test(a)){let c=i.test(a),l=r.test(a);return c&&!l?{result:"FAIL",message:"Profile trigger uses SECURITY DEFINER without restricted search_path",evidence:[`${o} \u2014 SECURITY DEFINER without SET search_path = '' (privilege escalation risk)`]}:c&&l?{result:"PASS",message:"Profile sync trigger found with SECURITY DEFINER and restricted search_path"}:{result:"PASS",message:"Profile sync trigger found"}}}return{result:"PASS",message:"Profile sync trigger detected"}}};var Le={id:"AUTH-11",name:"Client/server auth separation",module:"auth",layer:"L2",priority:"P0",description:"Separate Supabase clients for browser and server. One shared client leaks service_role to browser or uses anon key on server.",fixCost:100,fixSize:"M",async run(e){let t=/createBrowserClient|createClient.*browser/i,n=/createServerClient|createClient.*server/i,i=/createClient\s*\(/,r=await e.grepFiles(t),s=await e.grepFiles(n),o=await e.grepFiles(i);if(r.length>0&&s.length>0)return{result:"PASS",message:"Separate browser and server Supabase clients detected"};if(r.length>0||s.length>0)return{result:"PASS",message:"Dedicated Supabase client pattern detected (@supabase/ssr)"};if(o.length>0){let a=o.filter(c=>/supabase|createClient/.test(c.content));if(a.length>0)return{result:"FAIL",message:"Single generic createClient() used \u2014 no client/server separation",evidence:a.slice(0,3).map(c=>`${c.file}:${c.line} \u2192 ${c.content.substring(0,120)}`)}}return{result:"UNKNOWN",message:"No Supabase client initialization found"}}};var Ne={id:"AUTH-12",name:"Auth environment variables present",module:"auth",layer:"L2",priority:"P2",description:"Missing auth env vars = hardcoded keys or broken auth in production.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(E);if(t.length===0)return{result:"UNKNOWN",message:"No .env files found"};let n=["SUPABASE_URL","SUPABASE_ANON_KEY"],i=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}for(let c of n)a.includes(c)&&!i.includes(c)&&i.push(c)}if((await e.grepFiles(/supabase/i)).length===0)return{result:"UNKNOWN",message:"No Supabase references found"};let s=n.filter(o=>!i.includes(o));return s.length>0?{result:"FAIL",message:`Missing auth env vars: ${s.join(", ")}`,evidence:s.map(o=>`${o} not found in any .env file`)}:{result:"PASS",message:"Auth environment variables configured"}}};var Re={id:"AUTH-13",name:"getUser() not getSession() for server-side auth",module:"auth",layer:"L2",priority:"P0",description:"getSession() reads JWT without server verification. Use getUser() for auth decisions.",fixCost:100,fixSize:"M",async run(e){let t=/\.auth\.getSession\s*\(/,n=/\.auth\.getUser\s*\(/,i=await e.grepFiles(t),r=await e.grepFiles(n);if(i.length===0&&r.length===0)return{result:"UNKNOWN",message:"No getSession/getUser calls found \u2014 Supabase Auth may not be used"};let s=i.filter(l=>w(l.file)),o=r.filter(l=>w(l.file));if(s.length>0&&o.length===0)return{result:"FAIL",message:`Server-side code uses getSession() without getUser() (${s.length} location${s.length>1?"s":""})`,evidence:s.map(l=>`${l.file}:${l.line} \u2192 ${l.content.substring(0,120)}`)};if(s.length>0&&o.length>0)return{result:"FAIL",message:"Server code uses both getSession() and getUser() \u2014 getSession() in server context is insecure",evidence:s.map(l=>`${l.file}:${l.line} \u2192 ${l.content.substring(0,120)}`)};let a=i.filter(l=>!w(l.file)&&!/supabase\/functions\//i.test(l.file)),c=r.filter(l=>!w(l.file)&&!/supabase\/functions\//i.test(l.file));return a.length>0&&c.length===0&&o.length===0?{result:"FAIL",message:`Client code uses getSession() (${a.length} location${a.length>1?"s":""}) but getUser() never called \u2014 auth relies on unverified JWT`,evidence:a.slice(0,3).map(l=>`${l.file}:${l.line} \u2192 ${l.content.substring(0,120)}`)}:o.length>0||c.length>0?{result:"PASS",message:"Auth uses getUser() for verification"}:{result:"PASS",message:"getUser() is used for auth verification"}}};var Ee={id:"AUTH-14",name:"No eval() or dangerouslySetInnerHTML with user data",module:"auth",layer:"L2",priority:"P0",description:"eval() and dangerouslySetInnerHTML enable XSS attacks \u2014 session theft and account takeover.",fixCost:100,fixSize:"M",async run(e){let t=/\beval\s*\(/,n=/dangerouslySetInnerHTML/,i=await e.grepFiles(t),r=await e.grepFiles(n),s=i.filter(c=>!(c.content.trimStart().startsWith("//")||c.content.trimStart().startsWith("*")||c.file.includes("node_modules"))),o=r.filter(c=>!(c.content.trimStart().startsWith("//")||c.file.includes("node_modules"))),a=[...s,...o];return a.length>0?{result:"FAIL",message:`Unsafe code patterns found (${s.length} eval, ${o.length} dangerouslySetInnerHTML)`,evidence:a.slice(0,5).map(c=>`${c.file}:${c.line} \u2192 ${c.content.substring(0,120)}`)}:{result:"PASS",message:"No eval() or dangerouslySetInnerHTML found"}}};var Fe={id:"AUTH-15",name:"CORS configuration",module:"auth",layer:"L2",priority:"P2",description:"Access-Control-Allow-Origin: * with credentials allows any website to read auth cookies and data.",fixCost:100,fixSize:"M",async run(e){let t=/Access-Control-Allow-Origin.*\*|cors.*origin.*\*|origin:\s*['"]?\*/i,n=/credentials.*true|allowCredentials|Access-Control-Allow-Credentials/i,i=await e.grepFiles(t),r=await e.grepFiles(n);return i.length>0&&r.length>0?{result:"FAIL",message:"CORS wildcard (*) used with credentials \u2014 any website can read auth data",evidence:i.slice(0,3).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}:i.length>0?{result:"FAIL",message:"CORS wildcard (*) detected \u2014 consider restricting to specific origins",evidence:i.slice(0,3).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}:{result:"PASS",message:"No dangerous CORS wildcard configuration detected"}}};var Te={id:"AUTH-16",name:"Token/session expiration configured",module:"auth",layer:"L2",priority:"P2",description:"Infinite sessions mean a stolen token works forever. Configure JWT expiration and session timeouts.",fixCost:100,fixSize:"M",async run(e){let t=/expiresIn|maxAge|session.*expir|jwt.*expir|SESSION_EXPIRY|JWT_EXPIRY|token.*expir/i;return(await e.grepFiles(t)).length>0?{result:"PASS",message:"Token/session expiration configured"}:(await e.grepFiles(/supabase/i)).length>0?{result:"PASS",message:"Supabase Auth has default JWT expiry (3600s)"}:{result:"FAIL",message:"No token/session expiration configuration found",evidence:["Missing: expiresIn, maxAge, or session expiry configuration"]}}};var xe={id:"AUTH-17",name:"Storage bucket RLS",module:"auth",layer:"L2",priority:"P0",description:"Supabase storage buckets must have RLS on storage.objects. Without it, all files are publicly accessible.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b);if(t.length===0)return{result:"UNKNOWN",message:"No SQL migration files found"};let n=/storage\.buckets|create.*bucket|INSERT.*storage\.buckets/i,i=/storage\.objects.*ENABLE.*ROW.*LEVEL|RLS.*storage\.objects|POLICY.*storage\.objects/i,r=await e.grepFiles(n,t),s=await e.grepFiles(i,t);return r.length===0?(await e.grepFiles(/supabase.*storage|storage\.from\(/i)).length===0?{result:"N/A",message:"No Supabase storage usage detected"}:{result:"UNKNOWN",message:"Storage used in code but no bucket creation in migrations"}:s.length>0?{result:"PASS",message:"Storage bucket RLS policies detected"}:{result:"FAIL",message:"Storage buckets created without RLS on storage.objects \u2014 files may be publicly accessible",evidence:r.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}}};var De={id:"AUTH-18",name:"RBAC in app_metadata not user_metadata",module:"auth",layer:"L2",priority:"P0",description:"Roles in user_metadata are user-editable. Use app_metadata for RBAC (server-only).",fixCost:100,fixSize:"M",async run(e){let t=/user_meta_?data.*role|raw_user_meta_?data.*role|user\.user_metadata.*role/i,n=/app_meta_?data.*role|user\.app_metadata.*role/i,i=/updateUser\s*\(\s*\{[\s\S]*?data\s*:\s*\{[\s\S]*?role/,r=await e.grepFiles(t),s=await e.grepFiles(n),o=await e.grepFiles(i);return r.length>0?{result:"FAIL",message:`Role stored in user_metadata (user-editable) \u2014 ${r.length} location${r.length>1?"s":""}`,evidence:r.map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:o.length>0?{result:"FAIL",message:"Role set via updateUser() data field (user-editable user_metadata)",evidence:o.map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:s.length>0?{result:"PASS",message:"Role stored in app_metadata (server-only, not user-editable)"}:{result:"UNKNOWN",message:"No role/RBAC references found in codebase"}}};var Ue={id:"AUTH-19",name:"Multi-tenancy data isolation",module:"auth",layer:"L2",priority:"P1",description:"RLS policies must include tenant_id or organization_id to prevent cross-tenant data access.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b),n=/tenant_id|organization_id|org_id|team_id|workspace_id/i,i=await e.grepFiles(n,t.length>0?t:void 0),r=await e.grepFiles(n);return i.length===0&&r.length===0?{result:"N/A",message:"No multi-tenancy pattern detected (single-tenant app)"}:(await e.grepFiles(/POLICY[\s\S]*?tenant_id|POLICY[\s\S]*?org_id|POLICY[\s\S]*?organization_id/i,t)).length>0?{result:"PASS",message:"RLS policies include tenant isolation"}:{result:"FAIL",message:"Multi-tenant schema detected but RLS policies don't include tenant_id filtering",evidence:["Tenant columns exist but RLS policies may allow cross-tenant data access"]}}};var Me={id:"AUTH-20",name:"OAuth domain restriction",module:"auth",layer:"L2",priority:"P1",description:"Social login (Google, GitHub) should restrict allowed email domains to prevent unauthorized access.",fixCost:100,fixSize:"M",async run(e){let t=/signInWithOAuth|signIn.*provider|google|github.*login|oauth/i,n=/allowedDomain|domain.*restrict|email.*domain|hd=|hosted_domain/i,i=await e.grepFiles(t);return i.length===0?{result:"N/A",message:"No OAuth/social login detected"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"OAuth domain restriction detected"}:{result:"FAIL",message:"OAuth login enabled without domain restriction \u2014 any Google/GitHub account can sign in",evidence:i.slice(0,3).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}}};var Oe={id:"AUTH-21",name:"Force dynamic on auth routes",module:"auth",layer:"L2",priority:"P1",description:"Auth routes must use force-dynamic to prevent ISR cache serving wrong user data.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/auth|login|register|signup|sign-in|sign-up/i.test(s)&&(s.includes("page.")||s.includes("route."))&&(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx")));if(t.length===0)return{result:"UNKNOWN",message:"No auth route/page files found"};let n=/export\s+const\s+dynamic\s*=\s*['"]force-dynamic['"]/,i=/unstable_noStore|noStore|revalidate\s*=\s*0/,r=[];for(let s of t){let o;try{o=await e.readFile(s)}catch{continue}!n.test(o)&&!i.test(o)&&s.includes("page.")&&r.push(s)}return r.length>0?{result:"FAIL",message:`${r.length} auth page${r.length>1?"s":""} without force-dynamic \u2014 may serve cached auth state`,evidence:r.slice(0,5).map(s=>`${s} \u2014 missing export const dynamic = 'force-dynamic'`)}:{result:"PASS",message:"Auth routes use force-dynamic or equivalent"}}};var We={id:"AUTH-22",name:"CSRF protection on Route Handlers",module:"auth",layer:"L2",priority:"P2",description:"Server Actions have built-in CSRF protection (Next.js 14+). Route Handlers do NOT \u2014 they need explicit CSRF tokens or SameSite cookies.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>/route\.(ts|js)$/i.test(o));if(t.length===0)return{result:"UNKNOWN",message:"No Route Handler files found"};let n=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}/export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)/i.test(a)&&n.push(o)}if(n.length===0)return{result:"PASS",message:"No mutation Route Handlers found (only GET)"};let i=/csrf|csurf|csrfToken|SameSite|x-csrf|anti.?forgery/i;return(await e.grepFiles(i)).length>0?{result:"PASS",message:"CSRF protection detected"}:(await e.grepFiles(/["']use server["']/i)).length>0&&n.length<=2?{result:"PASS",message:"Mutations use Server Actions (built-in CSRF protection)"}:{result:"FAIL",message:`${n.length} mutation Route Handler${n.length>1?"s":""} without CSRF protection`,evidence:n.slice(0,3).map(o=>`${o} \u2014 POST/PUT/PATCH/DELETE without CSRF token`)}}};var je={id:"AUTH-23",name:"Email verification required",module:"auth",layer:"L2",priority:"P2",description:"Without email verification, anyone can sign up with any email \u2014 spam accounts and impersonation.",fixCost:100,fixSize:"M",async run(e){let t=/email_confirmed_at|emailConfirmed|verifyEmail|confirmEmail|email.*verif|verification.*email/i;return(await e.grepFiles(t)).length>0?{result:"PASS",message:"Email verification check detected"}:(await e.grepFiles(/supabase/i)).length>0?{result:"PASS",message:"Supabase Auth has configurable email verification (check dashboard settings)"}:{result:"FAIL",message:"No email verification enforcement found",evidence:["Missing: email_confirmed_at check or equivalent verification flow"]}}};var Be={id:"AUTH-24",name:"Account enumeration prevention",module:"auth",layer:"L2",priority:"P2",description:"Login/register error messages must not reveal whether an email exists. Consistent messages prevent user enumeration.",fixCost:100,fixSize:"M",async run(e){let t=/email.*not.*found|user.*not.*found|no.*account.*with|email.*already.*registered|email.*already.*exists|account.*already.*exists/i,i=(await e.grepFiles(t)).filter(r=>!r.content.trimStart().startsWith("//")&&!r.content.trimStart().startsWith("*"));return i.length>0?{result:"FAIL",message:`Account enumeration possible \u2014 error messages reveal email existence (${i.length} location${i.length>1?"s":""})`,evidence:i.slice(0,3).map(r=>`${r.file}:${r.line} \u2192 ${r.content.substring(0,120)}`)}:{result:"PASS",message:"No account enumeration patterns detected in error messages"}}};var He={id:"AUTH-25",name:"Refresh token reuse detection",module:"auth",layer:"L2",priority:"P2",description:"Token rotation prevents stolen refresh tokens from being reused. Supabase supports this via config.",fixCost:100,fixSize:"M",async run(e){let t=/token.*rotation|refresh.*token.*reuse|reuse.*detection|GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL/i;return(await e.grepFiles(t)).length>0?{result:"PASS",message:"Refresh token rotation/reuse detection configured"}:(await e.grepFiles(/supabase/i)).length>0?{result:"PASS",message:"Supabase Auth has built-in refresh token rotation (check dashboard config)"}:{result:"UNKNOWN",message:"No refresh token configuration detected"}}};var ze={id:"AUTH-26",name:"Sign-out revokes server session",module:"auth",layer:"L2",priority:"P2",description:"Sign-out must revoke the server session (scope: 'global'), not just clear client cookies.",fixCost:100,fixSize:"M",async run(e){let t=/signOut|sign_out|logout|log_out/i,n=/scope.*global|global.*scope/i,i=await e.grepFiles(t);return i.length===0?{result:"UNKNOWN",message:"No sign-out implementation found"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Sign-out uses global scope (revokes all sessions)"}:{result:"FAIL",message:"Sign-out found but no global scope \u2014 sessions may persist on other devices",evidence:i.slice(0,2).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}}};var qe={id:"AUTH-27",name:"Email link poisoning mitigation",module:"auth",layer:"L2",priority:"P2",description:"SITE_URL and REDIRECT_ALLOW_LIST must be configured to prevent email link redirect attacks.",fixCost:100,fixSize:"M",async run(e){let t=/SITE_URL|GOTRUE_SITE_URL/i,n=/REDIRECT_ALLOW_LIST|ADDITIONAL_REDIRECT_URLS|redirect.*allow/i,i=await e.grepFiles(t),r=await e.grepFiles(n);return i.length>0&&r.length>0?{result:"PASS",message:"SITE_URL and REDIRECT_ALLOW_LIST configured"}:i.length>0?{result:"PASS",message:"SITE_URL configured (check REDIRECT_ALLOW_LIST in Supabase dashboard)"}:(await e.grepFiles(/supabase/i)).length===0?{result:"N/A",message:"No Supabase usage detected"}:{result:"FAIL",message:"No SITE_URL or REDIRECT_ALLOW_LIST found \u2014 email magic links may redirect to attacker domains",evidence:["Missing: SITE_URL and REDIRECT_ALLOW_LIST in env configuration"]}}};var Ke={id:"AUTH-28",name:"Realtime presence authorization",module:"auth",layer:"L2",priority:"P2",description:"Supabase Realtime Presence channels must have authorization. Without it, any user can see who's online.",fixCost:100,fixSize:"M",async run(e){let t=/realtime|presence|channel.*subscribe|supabase.*channel/i,n=await e.grepFiles(t);if(n.length===0)return{result:"N/A",message:"No Supabase Realtime/Presence usage detected"};let i=/authorized|RLS.*realtime|realtime.*auth|channel.*auth/i;return(await e.grepFiles(i)).length>0?{result:"PASS",message:"Realtime channel authorization detected"}:{result:"FAIL",message:"Realtime/Presence channels found without authorization",evidence:n.slice(0,3).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}}};var Ge={id:"BIL-01",name:"Stripe secret key not in client code",module:"billing",layer:"L2",priority:"P0",description:"sk_live_/sk_test_ in client code = full Stripe API access for any visitor",fixCost:100,fixSize:"M",async run(e){let t=/sk_live_[a-zA-Z0-9]{20,}|sk_test_[a-zA-Z0-9]{20,}/,n=/STRIPE_SECRET|NEXT_PUBLIC_.*STRIPE.*SECRET|VITE_.*STRIPE.*SECRET/i,r=(await e.grepFiles(t)).filter(l=>!E(l.file)&&!l.content.trimStart().startsWith("#")&&!l.content.trimStart().startsWith("//"));if(r.length>0)return{result:"FAIL",message:`Hardcoded Stripe secret key found in source code (${r.length} location${r.length>1?"s":""})`,evidence:r.map(l=>`${l.file}:${l.line} \u2192 sk_***_[REDACTED]`)};let s=await e.grepFiles(n),o=s.filter(l=>/NEXT_PUBLIC_|VITE_|EXPO_PUBLIC_/i.test(l.content)&&/STRIPE.*SECRET/i.test(l.content));if(o.length>0)return{result:"FAIL",message:"Stripe secret key exposed via NEXT_PUBLIC_/VITE_ prefix",evidence:o.map(l=>`${l.file}:${l.line} \u2192 ${l.content.split("=")[0]}`)};let a=s.filter(l=>v(l.file)&&/STRIPE_SECRET/i.test(l.content)&&!l.file.includes("/api/")&&!l.file.includes("route."));return a.length>0?{result:"FAIL",message:"Stripe secret key referenced in client-side file",evidence:a.map(l=>`${l.file}:${l.line} \u2192 ${l.content.substring(0,120)}`)}:s.filter(l=>/STRIPE_SECRET/i.test(l.content)).length>0?{result:"PASS",message:"Stripe secret key found only in server-side/env files"}:{result:"UNKNOWN",message:"No Stripe secret key references found \u2014 Stripe may not be used"}}};var Ve={id:"BIL-02",name:"Webhook signature verification",module:"billing",layer:"L2",priority:"P0",aliases:["ADM-15"],description:"Stripe webhook handler must verify signature via constructEvent(). Without it, anyone can send fake webhooks.",fixCost:100,fixSize:"M",async run(e){let t=/webhook/i,n=e.files.filter(c=>t.test(c));if(n.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let i=/constructEvent|constructEventAsync|webhooks\.construct/,r=/stripe-signature|Stripe-Signature|STRIPE_WEBHOOK_SECRET|webhook.*secret/i,s=await e.grepFiles(i,n),o=await e.grepFiles(r,n);if(s.length>0){for(let c of n){let l;try{l=await e.readFile(c)}catch{continue}let p=/constructEvent|constructEventAsync|webhooks\.construct/.test(l),f=/JSON\.parse\s*\(.*body/i.test(l),S=/if\s*\(\s*(?:webhook_?[Ss]ecret|STRIPE_WEBHOOK_SECRET|secret)/i.test(l)||/if\s*\(\s*!?\s*webhook_?[Ss]ecret/i.test(l);if(p&&f&&S)return{result:"FAIL",message:"Webhook signature verification is conditional \u2014 JSON.parse fallback bypasses constructEvent() when secret is missing",evidence:[`${c} \u2014 constructEvent() inside conditional, JSON.parse(body) fallback allows unverified webhooks`]}}return{result:"PASS",message:"Webhook handler uses constructEvent() for signature verification"}}return o.length>0?{result:"PASS",message:"Webhook handler references signature verification"}:(await e.grepFiles(/stripe|Stripe/,n)).length>0?{result:"FAIL",message:"Stripe webhook handler found WITHOUT signature verification",evidence:n.map(c=>`${c} \u2014 no constructEvent() or signature check`)}:{result:"UNKNOWN",message:"Webhook files found but no Stripe references \u2014 may not be Stripe webhooks"}}};var Ye={id:"BIL-03",name:"Raw body preservation in webhook",module:"billing",layer:"L2",priority:"P0",description:"Webhook signature verification requires raw request body. req.json() breaks it \u2014 use req.text() or bodyParser: false.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(a=>/webhook/i.test(a));if(t.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let n=/request\.text\(\)|req\.text\(\)|bodyParser\s*:\s*false|getRawBody|raw\s*:\s*true|rawBody/,i=/request\.json\(\)|req\.body(?!\s*Parser)|JSON\.parse/,r=await e.grepFiles(n,t),s=await e.grepFiles(i,t);return r.length>0?{result:"PASS",message:"Webhook handler preserves raw body for signature verification"}:(await e.grepFiles(/stripe|constructEvent/i,t)).length===0?{result:"UNKNOWN",message:"Webhook files found but no Stripe references"}:s.length>0?{result:"FAIL",message:"Webhook handler uses req.json()/req.body instead of raw body \u2014 signature verification will fail",evidence:s.slice(0,3).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:{result:"FAIL",message:"Stripe webhook handler found but no raw body preservation detected",evidence:t.map(a=>`${a} \u2014 missing request.text() or bodyParser: false`)}}};var Xe={id:"BIL-04",name:"Idempotent webhook processing",module:"billing",layer:"L2",priority:"P1",description:"Stripe retries webhooks by design. Without idempotency checks, duplicate credits and double subscriptions occur.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/webhook/i.test(s));if(t.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let n=/event\.id|event_id|idempoten|UNIQUE.*event|duplicate.*check|processed.*events|already.*processed/i,i=await e.grepFiles(n,t);return(await e.grepFiles(/stripe|constructEvent/i,t)).length===0?{result:"UNKNOWN",message:"No Stripe webhook handler found"}:i.length>0?{result:"PASS",message:"Webhook idempotency check detected"}:{result:"FAIL",message:"Stripe webhook handler has no idempotency check \u2014 duplicate processing possible",evidence:["No event.id tracking or duplicate check in webhook handler"]}}};var Qe={id:"BIL-05",name:"Subscription state machine",module:"billing",layer:"L2",priority:"P1",description:"Stripe has 8 subscription states. Handling only active/canceled causes access issues for past_due, trialing, incomplete, unpaid.",fixCost:100,fixSize:"M",async run(e){let t=/past_due|trialing|incomplete|unpaid/i,n=/active|canceled/i,i=await e.grepFiles(t),r=await e.grepFiles(n);return i.length>=2?{result:"PASS",message:"Multiple subscription states handled beyond active/canceled"}:r.length>0&&i.length===0?{result:"FAIL",message:"Only active/canceled states handled \u2014 missing past_due, trialing, incomplete, unpaid",evidence:["Subscription state machine is incomplete \u2014 users may lose access incorrectly"]}:(await e.grepFiles(/subscription|stripe/i)).length===0?{result:"UNKNOWN",message:"No subscription handling found"}:{result:"FAIL",message:"Subscription code found but no explicit state handling",evidence:["Missing: past_due, trialing, incomplete, unpaid state handling"]}}};var Je={id:"BIL-06",name:"Entitlement/plan limit checking",module:"billing",layer:"L2",priority:"P1",description:"Stripe doesn't track usage limits. Without app-side entitlement checks, free users access paid features.",fixCost:100,fixSize:"M",async run(e){let t=/checkPlan|checkEntitle|planLimit|featureGate|subscription.*check|plan.*limit|canAccess|hasFeature|isSubscribed|entitlement/i;return(await e.grepFiles(t)).length>0?{result:"PASS",message:"Entitlement/plan limit checking detected"}:(await e.grepFiles(/subscription|stripe.*plan|pricing/i)).length===0?{result:"UNKNOWN",message:"No subscription/pricing code found"}:{result:"FAIL",message:"Subscription code exists but no entitlement/plan limit checks found",evidence:["Missing: checkPlanLimit, checkEntitlement, featureGate, or equivalent"]}}};var Ze={id:"BIL-07",name:"Customer \u2194 User sync",module:"billing",layer:"L2",priority:"P1",description:"Every user must map to exactly one Stripe customer. Missing sync = orphaned customers, broken subscription lookups.",fixCost:100,fixSize:"M",async run(e){let t=/stripe_customer_id|stripeCustomerId|customer_id.*stripe/i,n=/customers\.create|createCustomer|stripe.*customer/i,i=e.files.filter(b),r=await e.grepFiles(t,i.length>0?i:void 0),s=await e.grepFiles(n);return r.length>0?{result:"PASS",message:"stripe_customer_id found in database schema \u2014 user-customer sync exists"}:s.length>0?{result:"PASS",message:"Stripe customer creation found in code"}:(await e.grepFiles(/stripe/i)).length>0?{result:"FAIL",message:"Stripe is used but no stripe_customer_id in schema and no customer creation logic",evidence:["Missing: stripe_customer_id column in users/profiles table"]}:{result:"UNKNOWN",message:"No Stripe references found"}}};var et={id:"BIL-08",name:"Webhook returns 200 for unknown events",module:"billing",layer:"L2",priority:"P1",description:"Returning 400/500 for unhandled events triggers Stripe retry loops and eventual endpoint deactivation.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>/webhook/i.test(o));if(t.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let n=/else\s*\{[\s\S]*?(?:return.*(?:4\d\d|5\d\d)|throw|NextResponse.*(?:4\d\d|5\d\d))/i,i=/default\s*:[\s\S]*?(?:200|ok|return\s+new\s+Response)/i,r=await e.grepFiles(n,t),s=await e.grepFiles(i,t);return r.length>0?{result:"FAIL",message:"Webhook handler returns error for unknown events \u2014 will trigger Stripe retry loop",evidence:r.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}:s.length>0?{result:"PASS",message:"Webhook handler returns 200 for unhandled events"}:{result:"UNKNOWN",message:"Could not determine webhook default response behavior"}}};var tt={id:"BIL-09",name:"No client-side billing state as source of truth",module:"billing",layer:"L2",priority:"P1",description:"Subscription state in localStorage/React state can be manipulated. Server must be source of truth.",fixCost:100,fixSize:"M",async run(e){let t=[],n=/localStorage.*(?:subscription|plan|billing)|sessionStorage.*(?:subscription|plan)|useState.*(?:subscription|isPro|isPaid|plan)/i,r=(await e.grepFiles(n)).filter(p=>v(p.file));for(let p of r)t.push(`${p.file}:${p.line} \u2192 ${p.content.substring(0,120)}`);let s=/\.from\s*\(\s*['"](?:subscriptions|plans|credits|billing)['"]\s*\)\s*\.\s*select/i,a=(await e.grepFiles(s)).filter(p=>v(p.file));for(let p of a)t.push(`${p.file}:${p.line} \u2192 ${p.content.substring(0,120)}`);let c=/(?:useSubscription|useBilling|usePlan)\b/,l=e.files.filter(p=>c.test(p)||/hook/i.test(p));for(let p of l){let f;try{f=await e.readFile(p)}catch{continue}let S=/from\s*\(\s*['"](?:subscriptions|plans|credits)['"]\s*\)/.test(f),A=/isPro|isPaid|plan\s*===|plan\s*!==|plan\s*==|plan\s*!=/.test(f);S&&A&&t.push(`${p} \u2192 Client hook reads billing table and derives plan/isPro locally`)}return t.length>0?{result:"FAIL",message:`Client-side billing state as source of truth (${t.length} location${t.length>1?"s":""})`,evidence:t.slice(0,5)}:{result:"PASS",message:"No client-side billing state as source of truth detected"}}};var it={id:"BIL-10",name:"Reconciliation mechanism",module:"billing",layer:"L2",priority:"P2",description:"Even good webhook handling drifts 1-2x/month. A reconciliation job comparing Stripe vs DB prevents silent revenue loss.",fixCost:100,fixSize:"M",async run(e){let t=/reconcil|sync.*stripe|stripe.*sync|cron.*billing|billing.*cron|verify.*subscription|subscription.*verify/i,n=e.files.filter(s=>/reconcil/i.test(s)),i=await e.grepFiles(t);return n.length>0||i.length>0?{result:"PASS",message:"Reconciliation mechanism detected"}:(await e.grepFiles(/stripe/i)).length===0?{result:"UNKNOWN",message:"No Stripe references found"}:{result:"FAIL",message:"No billing reconciliation mechanism found",evidence:["Missing: reconciliation script/job to compare Stripe state vs DB state"]}}};var st={id:"BIL-11",name:"Cancellation handling",module:"billing",layer:"L2",priority:"P1",description:"Explicit cancel flow: server-side cancellation + webhook processing + DB update + access revocation.",fixCost:100,fixSize:"M",async run(e){let t=/cancel.*subscription|subscription.*cancel|customer\.subscription\.deleted|cancelAt|cancel_at_period_end/i,n=await e.grepFiles(t);return n.length>=2?{result:"PASS",message:"Cancellation handling detected in multiple locations"}:n.length===1?{result:"PASS",message:"Cancellation handling detected"}:(await e.grepFiles(/subscription|stripe/i)).length===0?{result:"UNKNOWN",message:"No subscription code found"}:{result:"FAIL",message:"No cancellation handling found \u2014 users may retain access after canceling or be charged after canceling",evidence:["Missing: cancel subscription flow, subscription.deleted webhook handler"]}}};var nt={id:"BIL-12",name:"Stripe env vars configured",module:"billing",layer:"L2",priority:"P2",description:"Missing Stripe env vars = billing won't work in production or keys get hardcoded.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(E);if(t.length===0)return{result:"UNKNOWN",message:"No .env files found"};let n=["STRIPE_SECRET_KEY","STRIPE_WEBHOOK_SECRET","STRIPE_PUBLISHABLE_KEY"],i=[],r=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}for(let c of n)a.includes(c)&&!i.includes(c)&&i.push(c)}for(let o of n)i.includes(o)||r.push(o);return(await e.grepFiles(/stripe/i)).length===0?{result:"UNKNOWN",message:"No Stripe references found"}:r.length>0?{result:"FAIL",message:`Missing Stripe env vars: ${r.join(", ")}`,evidence:r.map(o=>`${o} not found in any .env file`)}:{result:"PASS",message:"All required Stripe env vars configured"}}};var rt={id:"BIL-13",name:"Error handling in payment flows",module:"billing",layer:"L2",priority:"P2",description:"Missing error handling around Stripe API calls = white screen on payment failure, no diagnostics.",fixCost:100,fixSize:"M",async run(e){let t=/stripe\.\w+\.\w+\(|checkout\.sessions\.create|subscriptions\.create|customers\.create/i,n=/try\s*\{|\.catch\s*\(|catch\s*\(/,i=e.files.filter(o=>/api|route|action|server/i.test(o)),r=await e.grepFiles(t,i.length>0?i:void 0);return r.length===0?{result:"UNKNOWN",message:"No Stripe API calls found"}:(await e.grepFiles(n,i.length>0?i:void 0)).length>0?{result:"PASS",message:"Error handling found in payment flow files"}:{result:"FAIL",message:"Stripe API calls found without error handling",evidence:r.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}}};var ot={id:"BIL-14",name:"Checkout flow is server-initiated",module:"billing",layer:"L2",priority:"P0",description:"Checkout session must be created on the server. Client-side creation requires secret key in browser.",fixCost:100,fixSize:"M",async run(e){let t=/checkout\.sessions\.create|createCheckoutSession/,n=await e.grepFiles(t);if(n.length===0)return{result:"UNKNOWN",message:"No Checkout session creation found"};let i=n.filter(s=>v(s.file)&&!w(s.file));for(let s of i){let o;try{o=await e.readFile(s.file)}catch{continue}if(/["']use client["']/.test(o))return{result:"FAIL",message:"Checkout session created in client component \u2014 secret key required in browser",evidence:[`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`]}}return n.filter(s=>w(s.file)).length>0?{result:"PASS",message:"Checkout session created server-side"}:{result:"PASS",message:"Checkout session creation found (not in client component)"}}};var at={id:"BIL-15",name:"Stripe Price ID tampering prevention",module:"billing",layer:"L2",priority:"P0",description:"Price ID from client request must be validated server-side against an allowlist. Client can send any price_id.",fixCost:100,fixSize:"M",async run(e){let t=/checkout\.sessions\.create|createCheckoutSession/;if((await e.grepFiles(t)).length===0)return{result:"UNKNOWN",message:"No Stripe Checkout session creation found"};let i=/req\.body.*price|req\.json.*price|request\.json.*price|body\.price|priceId|price_id/i,r=/allowedPrices|ALLOWED_PRICES|validPrices|PRICE_IDS|priceWhitelist|priceLookup|PLANS\[|plans\[|PRICES\[|prices\./i,s=await e.grepFiles(i),o=await e.grepFiles(r);return s.length>0&&o.length===0?{result:"FAIL",message:"Price ID accepted from client without server-side validation",evidence:s.slice(0,3).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:o.length>0?{result:"PASS",message:"Price ID validation/allowlist detected"}:{result:"PASS",message:"Checkout session creation found with no client price input detected"}}};var ct={id:"BIL-16",name:"Never fulfill on success_url",module:"billing",layer:"L2",priority:"P0",description:"Fulfillment (DB writes, access grants) must happen via webhook, not on the success redirect page.",fixCost:100,fixSize:"M",async run(e){let t=[/success/i,/thank/i,/payment.*confirm/i],n=e.files.filter(s=>(s.includes("page.")||s.includes("index."))&&t.some(a=>a.test(s)));if(n.length===0)return{result:"UNKNOWN",message:"No success/thank-you pages found"};let i=/\.insert\(|\.update\(|\.upsert\(|createSubscription|grantAccess|activateUser|fulfillOrder|UPDATE.*SET|INSERT.*INTO/i,r=[];for(let s of n){let o;try{o=await e.readFile(s)}catch{continue}let a=o.split(`
+`);for(let c=0;c<a.length;c++)i.test(a[c])&&r.push({file:s,line:c+1,content:a[c].trim()})}return r.length>0?{result:"FAIL",message:`Fulfillment logic found in success page (${r.length} location${r.length>1?"s":""}) \u2014 must use webhook instead`,evidence:r.map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}:{result:"PASS",message:"Success pages contain no fulfillment logic"}}};var lt={id:"BIL-17",name:"PCI raw card data safety",module:"billing",layer:"L2",priority:"P0",description:"Raw card numbers, CVV, expiration must never touch your server. Use Stripe Elements or Checkout.",fixCost:100,fixSize:"M",async run(e){let t=/card\s*\[\s*number\s*\]|cardNumber|card_number|cvv|cvc|expiry.*month|card.*expir/i,n=/<input[^>]*(?:card|cvv|cvc|expir)/i,i=/CardElement|PaymentElement|useStripe|useElements|@stripe\/react-stripe-js|stripe\.elements/i,r=await e.grepFiles(t),s=await e.grepFiles(n),o=[...r,...s].filter(c=>!(c.content.trimStart().startsWith("//")||c.content.trimStart().startsWith("*")||c.content.trimStart().startsWith("#")||c.file.includes("test")||c.file.includes("spec")||c.file.includes(".md"))),a=await e.grepFiles(i);return o.length>0&&a.length===0?{result:"FAIL",message:`Raw card data handling detected without Stripe Elements (${o.length} location${o.length>1?"s":""})`,evidence:o.slice(0,5).map(c=>`${c.file}:${c.line} \u2192 ${c.content.substring(0,120)}`)}:a.length>0?{result:"PASS",message:"Stripe Elements/Checkout detected \u2014 card data handled by Stripe"}:{result:"UNKNOWN",message:"No card data handling or Stripe Elements detected"}}};var ut={id:"BIL-18",name:"Refund/dispute handling",module:"billing",layer:"L2",priority:"P1",description:"Webhook must handle charge.refunded and charge.dispute.created to revoke access and update billing state.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(a=>/webhook/i.test(a));if(t.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let n=/charge\.refunded|refund/i,i=/charge\.dispute|dispute/i,r=await e.grepFiles(n,t),s=await e.grepFiles(i,t);return r.length>0&&s.length>0?{result:"PASS",message:"Both refund and dispute handling detected in webhook"}:r.length>0||s.length>0?{result:"PASS",message:"Partial refund/dispute handling detected"}:(await e.grepFiles(/stripe/i,t)).length===0?{result:"UNKNOWN",message:"No Stripe webhook handler found"}:{result:"FAIL",message:"No refund or dispute handling in webhook \u2014 access may persist after refund",evidence:["Missing: charge.refunded and charge.dispute.created event handlers"]}}};var dt={id:"BIL-19",name:"Stripe API version pinning",module:"billing",layer:"L2",priority:"P2",description:"Pin Stripe API version to avoid breaking changes from automatic upgrades.",fixCost:100,fixSize:"M",async run(e){let t=/apiVersion|api_version/i;if((await e.grepFiles(t)).length>0)return{result:"PASS",message:"Stripe API version pinning detected"};let i=await e.grepFiles(/new\s+Stripe\s*\(|Stripe\s*\(/i);return i.length===0?{result:"UNKNOWN",message:"No Stripe initialization found"}:{result:"FAIL",message:"Stripe initialized without explicit API version \u2014 may break on Stripe upgrades",evidence:i.slice(0,2).map(r=>`${r.file}:${r.line} \u2192 ${r.content.substring(0,120)}`)}}};var pt={id:"BIL-20",name:"Portal session auth",module:"billing",layer:"L2",priority:"P1",description:"Billing portal session must use customer ID from authenticated user, not from client request.",fixCost:100,fixSize:"M",async run(e){let t=/billingPortal|billing_portal|customer_portal/i,n=await e.grepFiles(t);if(n.length===0)return{result:"UNKNOWN",message:"No billing portal usage found"};let i=/getUser|getSession|auth\(\)|requireAuth/i,r=[...new Set(n.map(o=>o.file))];return(await e.grepFiles(i,r)).length>0?{result:"PASS",message:"Billing portal session created with authenticated customer ID"}:{result:"FAIL",message:"Billing portal session created without verifying authenticated user",evidence:n.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}}};var ft={id:"BIL-21",name:"Webhook event coverage",module:"billing",layer:"L2",priority:"P1",description:"Webhook handler must process at minimum 3 core subscription events. Missing events = state drift.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/webhook/i.test(s));if(t.length===0)return{result:"UNKNOWN",message:"No webhook handler files found"};let n=[{pattern:/checkout\.session\.completed/i,name:"checkout.session.completed"},{pattern:/customer\.subscription\.updated/i,name:"customer.subscription.updated"},{pattern:/customer\.subscription\.deleted/i,name:"customer.subscription.deleted"},{pattern:/invoice\.payment_succeeded/i,name:"invoice.payment_succeeded"},{pattern:/invoice\.payment_failed/i,name:"invoice.payment_failed"}],i=[],r=[];for(let s of n)(await e.grepFiles(s.pattern,t)).length>0?i.push(s.name):r.push(s.name);return i.length===0?(await e.grepFiles(/stripe/i,t)).length===0?{result:"UNKNOWN",message:"Webhook files found but no Stripe event handling"}:{result:"FAIL",message:"Stripe webhook handler found but no subscription events handled",evidence:["Missing: checkout.session.completed, subscription.updated, subscription.deleted"]}:i.length<3?{result:"FAIL",message:`Only ${i.length}/5 core webhook events handled`,evidence:[`Handled: ${i.join(", ")}`,`Missing: ${r.join(", ")}`]}:{result:"PASS",message:`${i.length}/5 core webhook events handled`}}};var mt={id:"BIL-22",name:"Trial period handling",module:"billing",layer:"L2",priority:"P2",description:"If trials are offered, handle trial_will_end webhook and trial-to-paid conversion properly.",fixCost:100,fixSize:"M",async run(e){let t=/trial_period_days|trial_end|trialing|trial_will_end|trialDays/i,n=await e.grepFiles(t);return n.length>=2?{result:"PASS",message:"Trial period handling detected"}:n.length===1?{result:"PASS",message:"Trial reference found (verify trial_will_end webhook is handled)"}:(await e.grepFiles(/subscription|stripe/i)).length===0?{result:"UNKNOWN",message:"No subscription code found"}:{result:"N/A",message:"No trial period usage detected"}}};var gt={id:"BIL-23",name:"Card testing protection",module:"billing",layer:"L2",priority:"P2",description:"Rate limiting on payment endpoints prevents card testing attacks (automated validation of stolen cards).",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/checkout|payment|billing|subscribe/i.test(s));if(t.length===0)return{result:"UNKNOWN",message:"No payment endpoint files found"};let n=/rateLimit|rate.limit|throttle|limiter|too.many.requests|429|upstash/i;return(await e.grepFiles(n,t)).length>0?{result:"PASS",message:"Rate limiting detected on payment endpoints"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Rate limiting detected in codebase (verify it covers payment endpoints)"}:{result:"FAIL",message:"No rate limiting found on payment endpoints \u2014 vulnerable to card testing",evidence:["Missing: rate limiting middleware on checkout/payment routes"]}}};var ht={id:"BIL-24",name:"Metered billing usage reporting",module:"billing",layer:"L2",priority:"P2",description:"If using metered pricing, usage must be reported to Stripe. Missing reporting = customers never billed for usage.",fixCost:100,fixSize:"M",async run(e){let t=/metered|usage_type|usageRecord|usage.*report|createUsageRecord|meter/i,n=await e.grepFiles(t);return n.length>=2?{result:"PASS",message:"Metered billing usage reporting detected"}:n.length===1?{result:"PASS",message:"Metered billing reference found"}:{result:"N/A",message:"No metered billing usage detected"}}};var St={id:"BIL-25",name:"Subscription table user-writable",module:"billing",layer:"L2",priority:"P0",description:"RLS policies on billing tables (subscriptions, plans, credits) must not allow authenticated users to UPDATE or INSERT plan/status columns. User-writable billing state enables subscription fraud (Free \u2192 Pro without payment).",fixCost:250,fixSize:"L",async run(e){let t=["subscriptions","plans","credits","billing"],n=/create\s+table\s+(?:public\.)?(subscriptions|plans|credits|billing)/i,i=e.files.filter(l=>/\.sql$/i.test(l)||/supabase.*migration/i.test(l)),r=await e.grepFiles(n,i.length>0?i:void 0);if(r.length===0){let l=await e.grepFiles(n);if(l.length===0)return{result:"PASS",message:"No billing tables (subscriptions/plans/credits) found"};r.push(...l)}let s=new Set(r.map(l=>{let p=l.content.match(/(?:public\.)?(subscriptions|plans|credits|billing)/i);return p?p[1].toLowerCase():null}).filter(Boolean)),o=[];for(let l of s)for(let p of i.length>0?i:e.files.filter(f=>/\.sql$/i.test(f))){let f;try{f=await e.readFile(p)}catch{continue}let S=new RegExp(`create\\s+policy[^;]*?on\\s+(?:public\\.)?${l}\\s+for\\s+(update|insert|all)`,"gis"),A;for(;(A=S.exec(f))!==null;){let P=Math.max(0,A.index),F=f.substring(P,f.indexOf(";",A.index)+1||P+500),d=/auth\.uid\(\)/i.test(F),y=/with\s+check\s*\([^)]*(?:false|service_role|is_admin)/i.test(F);if(d&&!y){let q=f.substring(0,A.index).split(`
+`).length,Mi=A[1].toUpperCase();o.push(`${p}:${q} \u2192 RLS ${Mi} policy on ${l} allows user writes (auth.uid() = user_id)`)}}}if(o.length>0)return{result:"FAIL",message:`Billing table${s.size>1?"s":""} (${[...s].join(", ")}) allow user writes via RLS \u2014 subscription fraud risk`,evidence:o.slice(0,5)};let a=/\.from\s*\(\s*['"](?:subscriptions|plans|credits|billing)['"]\s*\)\s*\.\s*(?:update|insert|upsert)/i,c=await e.grepFiles(a);return c.length>0?{result:"FAIL",message:`Client-side writes to billing table detected (${c.length} location${c.length>1?"s":""})`,evidence:c.slice(0,3).map(l=>`${l.file}:${l.line} \u2192 ${l.content.substring(0,120)}`)}:{result:"PASS",message:"No user-writable billing tables detected"}}};var yt={id:"ADM-01",name:"Admin endpoints have server-side auth",module:"admin",layer:"L2",priority:"P0",description:"Every /admin or /api/admin endpoint must verify admin role server-side. Server Actions are public POST endpoints.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(r=>/api\/admin|app\/api\/admin/i.test(r)&&(r.endsWith(".ts")||r.endsWith(".js")));if(t.length===0)return{result:"UNKNOWN",message:"No admin API route handlers found"};let n=/requireAdmin|role.*admin|isAdmin|checkPermission|requireRole|app_metadata.*admin|admin.*guard/i,i=[];for(let r of t){let s;try{s=await e.readFile(r)}catch{continue}n.test(s)||i.push(r)}return i.length>0?{result:"FAIL",message:`${i.length} admin API route${i.length>1?"s":""} without admin role verification`,evidence:i.slice(0,5).map(r=>`${r} \u2014 no admin role check detected`)}:{result:"PASS",message:`All ${t.length} admin API routes have admin role verification`}}};var At={id:"ADM-02",name:"Admin routes not accessible without auth",module:"admin",layer:"L2",priority:"P0",description:"Admin pages and API must return 401/403 without valid admin token. Middleware alone is insufficient (CVE-2025-29927).",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>/app\/admin\/.*page\.|pages\/admin\//i.test(o)||/(?:pages|views|routes)\/Admin[A-Z][^/]*\.(tsx|ts|jsx|js)$/.test(o)||/(?:pages|views|routes)\/admin-[^/]*\.(tsx|ts|jsx|js)$/.test(o));if(t.length===0)return{result:"UNKNOWN",message:"No admin pages found"};let n=/getUser|getSession|requireAuth|requireAdmin|redirect.*login|redirect.*auth|middleware|auth\(\)|checkPermission/i,i=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}n.test(a)||i.push(o)}let r=e.files.some(o=>/middleware\.(ts|js)$/i.test(o)),s=!1;if(r){let o=e.files.find(a=>/middleware\.(ts|js)$/i.test(a));if(o)try{let a=await e.readFile(o);s=/admin/i.test(a)}catch{}}return i.length>0&&!s?{result:"FAIL",message:`${i.length} admin page${i.length>1?"s":""} without auth guard (no middleware coverage either)`,evidence:i.slice(0,5).map(o=>`${o} \u2014 no auth guard detected`)}:i.length>0&&s?{result:"PASS",message:`Admin pages protected via middleware (${t.length} pages). Note: add per-route auth for defense-in-depth.`}:{result:"PASS",message:`All ${t.length} admin pages have auth guards`}}};var bt={id:"ADM-03",name:"No client-side-only role checks",module:"admin",layer:"L2",priority:"P1",description:"Role checks in JSX ({isAdmin && <Panel/>}) without server-side enforcement are bypassable via dev tools.",fixCost:100,fixSize:"M",async run(e){let t=/isAdmin|is_admin|role.*admin|admin.*role/i,n=/requireAdmin|requireRole|checkPermission|app_metadata.*admin/i,r=(await e.grepFiles(t)).filter(o=>v(o.file)&&!w(o.file));return r.length===0?{result:"PASS",message:"No client-side-only role checks detected"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Client-side role checks backed by server-side enforcement"}:{result:"FAIL",message:`Client-side role checks found without server-side enforcement (${r.length} location${r.length>1?"s":""})`,evidence:r.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}}};var $t={id:"ADM-04",name:"Audit log for admin actions",module:"admin",layer:"L2",priority:"P1",description:"Admin operations (delete user, change role, modify data) must be logged. Required for SOC 2 compliance.",fixCost:100,fixSize:"M",async run(e){let t=/audit.*log|admin.*log|action.*log|createAuditEntry|logAdminAction|activity.*log/i,n=/audit_log|admin_log|activity_log/i,i=await e.grepFiles(t),r=e.files.filter(b),s=await e.grepFiles(n,r.length>0?r:void 0);return i.length>0||s.length>0?{result:"PASS",message:"Audit logging detected for admin actions"}:(await e.grepFiles(/admin/i)).length===0?{result:"UNKNOWN",message:"No admin functionality detected"}:{result:"FAIL",message:"No audit logging found for admin actions",evidence:["Missing: audit_log table or logAdminAction function"]}}};var vt={id:"ADM-05",name:"RBAC beyond binary admin",module:"admin",layer:"L2",priority:"P2",description:"Binary admin/user model means every admin can do everything. Granular roles limit blast radius.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b),n=/RBAC|permission|capability|role.*check|roles.*table|user_roles/i,i=/isAdmin|is_admin|boolean.*admin/i,r=await e.grepFiles(n),s=await e.grepFiles(/role.*enum|roles.*table|permissions.*table/i,t.length>0?t:void 0);if(r.length>0||s.length>0)return{result:"PASS",message:"RBAC or granular permissions model detected"};let o=await e.grepFiles(i);return o.length>0?{result:"FAIL",message:"Binary admin model (isAdmin boolean) \u2014 no granular permissions",evidence:o.slice(0,3).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:{result:"UNKNOWN",message:"No admin role model detected"}}};var Ct={id:"ADM-06",name:"Safe impersonation (if exists)",module:"admin",layer:"L2",priority:"P1",description:"If admin can 'login as user', the action must be logged with admin ID preserved. Replacing admin session = invisible abuse.",fixCost:100,fixSize:"M",async run(e){let t=/impersonat|loginAs|actAs|switchUser|act_as|login_as/i,n=await e.grepFiles(t);if(n.length===0)return{result:"N/A",message:"No impersonation functionality detected"};let i=/audit|log.*admin|admin.*log|logAction|track/i;return(await e.grepFiles(i)).length>0?{result:"PASS",message:"Impersonation exists with audit logging"}:{result:"FAIL",message:"Impersonation found without audit logging \u2014 admin actions will appear as user actions",evidence:n.slice(0,3).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,120)}`)}}};var _t={id:"ADM-07",name:"UUIDs not sequential IDs",module:"admin",layer:"L2",priority:"P1",description:"Sequential integer IDs enable enumeration attacks (IDOR). Use UUIDs for all user-facing primary keys.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(b);if(t.length===0)return{result:"UNKNOWN",message:"No SQL migration files found"};let n=/(?:SERIAL|BIGSERIAL|INTEGER\s+PRIMARY\s+KEY\s+(?:AUTO_INCREMENT|GENERATED))/i,i=/UUID\s+(?:PRIMARY\s+KEY\s+)?DEFAULT\s+(?:gen_random_uuid|uuid_generate)/i,r=await e.grepFiles(n,t),s=await e.grepFiles(i,t),o=r.filter(a=>!/migration|schema_migration|_prisma/i.test(a.content));return o.length>0&&s.length===0?{result:"FAIL",message:`Sequential IDs found without UUID usage (${o.length} table${o.length>1?"s":""})`,evidence:o.slice(0,5).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:s.length>0?{result:"PASS",message:"UUID primary keys detected in schema"}:{result:"UNKNOWN",message:"No primary key definitions found in migrations"}}};var kt={id:"ADM-08",name:"No unprotected debug/admin routes",module:"admin",layer:"L2",priority:"P0",description:"Debug, internal, and admin routes must have auth guards. Hidden URLs are not security.",fixCost:100,fixSize:"M",async run(e){let t=[/app\/admin\//,/pages\/admin\//,/app\/internal\//,/app\/debug\//,/api\/admin\//,/api\/debug\//,/api\/internal\//,/api\/graphql/,/api\/seed/,/api\/reset/,/api\/test/,/supabase\/functions\/.*(?:seed|admin|debug|reset|test)/],n=e.files.filter(s=>t.some(o=>o.test(s)));if(n.length===0)return{result:"PASS",message:"No admin/debug/internal routes detected"};let i=/requireAdmin|requireAuth|getUser|getSession|verifyToken|isAdmin|checkPermission|requireRole|auth\(\)|middleware/i,r=[];for(let s of n){if(!s.endsWith(".ts")&&!s.endsWith(".tsx")&&!s.endsWith(".js")&&!s.endsWith(".jsx"))continue;let o;try{o=await e.readFile(s)}catch{continue}i.test(o)||r.push(s)}return r.length>0?{result:"FAIL",message:`${r.length} admin/debug route${r.length>1?"s":""} without auth check`,evidence:r.map(s=>`${s} \u2014 no auth guard detected`)}:{result:"PASS",message:`All ${n.length} admin/debug routes have auth checks`}}};var It={id:"ADM-09",name:"Destructive ops require extra authorization",module:"admin",layer:"L2",priority:"P2",description:"Bulk delete, data wipe, billing override should require confirmation step or elevated permission.",fixCost:100,fixSize:"M",async run(e){let t=/deleteAll|bulkDelete|wipeData|truncate|DROP\s+TABLE|removeAll|destroyAll|purge/i,n=/confirm|double.*auth|re.?authenticate|verification.*step|two.*step/i,r=(await e.grepFiles(t)).filter(o=>/admin/i.test(o.file));return r.length===0?{result:"N/A",message:"No bulk destructive admin operations detected"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Confirmation/extra auth detected for destructive operations"}:{result:"FAIL",message:"Destructive admin operations without extra authorization",evidence:r.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}}};var Pt={id:"ADM-10",name:"Admin code separated from user app",module:"admin",layer:"L2",priority:"P2",description:"Admin code in separate directories prevents user app bugs from affecting admin, and vice versa.",fixCost:100,fixSize:"M",async run(e){let t=e.files.some(i=>/^app\/admin\/|^domains\/admin\/|^src\/admin\//i.test(i)),n=e.files.filter(i=>/admin/i.test(i)&&!/(app|domains|src)\/admin\//i.test(i));return t?{result:"PASS",message:"Admin code in dedicated directory (app/admin/ or domains/admin/)"}:n.length>0?{result:"FAIL",message:"Admin code scattered across user-facing directories",evidence:n.slice(0,5).map(i=>i)}:{result:"N/A",message:"No admin code detected"}}};var wt={id:"ADM-11",name:"No hardcoded admin credentials",module:"admin",layer:"L2",priority:"P0",description:"Hardcoded admin passwords, tokens, or emails in source code = anyone with repo access is admin",fixCost:100,fixSize:"M",async run(e){let t=[/admin.*password\s*[:=]\s*["']/i,/admin.*token\s*[:=]\s*["']/i,/admin.*secret\s*[:=]\s*["']/i,/password\s*[:=]\s*["'](?:admin|password|123456|secret)/i,/DEFAULT_ADMIN_PASSWORD/i,/ADMIN_PASSWORD\s*[:=]/i,/seed.*admin.*password/i],n=[];for(let r of t){let o=(await e.grepFiles(r)).filter(a=>!(E(a.file)||a.content.trimStart().startsWith("//")||a.content.trimStart().startsWith("#")||a.content.trimStart().startsWith("*")||a.file.includes("test")||a.file.includes("spec")));n.push(...o)}let i=[...new Map(n.map(r=>[`${r.file}:${r.line}`,r])).values()];return i.length>0?{result:"FAIL",message:`Hardcoded admin credentials found (${i.length} location${i.length>1?"s":""})`,evidence:i.map(r=>`${r.file}:${r.line} \u2192 ${r.content.substring(0,80).replace(/["'][^"']{8,}["']/g,'"[REDACTED]"')}`)}:{result:"PASS",message:"No hardcoded admin credentials found in source code"}}};var Lt={id:"ADM-12",name:"Admin error handling",module:"admin",layer:"L2",priority:"P2",description:"Admin API errors must not leak stack traces, SQL queries, or internal schema details.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>/admin.*route|api.*admin/i.test(o));if(t.length===0)return{result:"UNKNOWN",message:"No admin API routes found"};let n=/try\s*\{|\.catch\s*\(|catch\s*\(/,i=/stack|trace|SQL|query.*error|\.message/i,r=!1,s=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}n.test(a)&&(r=!0);let c=a.split(`
+`);for(let l=0;l<c.length;l++)/error\.stack|error\.message|err\.stack|JSON\.stringify.*error/i.test(c[l])&&s.push({file:o,line:l+1,content:c[l].trim()})}return s.length>0?{result:"FAIL",message:"Admin API may leak error details (stack traces, error messages)",evidence:s.slice(0,3).map(o=>`${o.file}:${o.line} \u2192 ${o.content.substring(0,120)}`)}:r?{result:"PASS",message:"Admin error handling present without obvious information leaks"}:{result:"FAIL",message:"No error handling in admin API routes",evidence:t.slice(0,3).map(o=>`${o} \u2014 no try/catch`)}}};var Nt={id:"ADM-13",name:"MFA requirement for admin roles",module:"admin",layer:"L2",priority:"P0",description:"Admin auth must require MFA/AAL2. Compromised admin password without MFA = total takeover.",fixCost:100,fixSize:"M",async run(e){let t=/mfa|aal2|getAuthenticatorAssuranceLevel|totp|authenticator|multi.?factor|two.?factor/i,n=e.files.filter(s=>/admin/i.test(s));if(n.length===0)return{result:"UNKNOWN",message:"No admin files found"};let i=await e.grepFiles(t,n),r=await e.grepFiles(t);return i.length>0?{result:"PASS",message:"MFA/AAL2 enforcement detected in admin code"}:r.length>0?{result:"PASS",message:"MFA implementation detected in codebase (verify it covers admin routes)"}:{result:"FAIL",message:"No MFA/AAL2 enforcement found for admin roles",evidence:["No references to mfa, aal2, totp, or authenticator in admin code"]}}};var Rt={id:"ADM-14",name:"Rate limiting on admin endpoints",module:"admin",layer:"L2",priority:"P1",description:"Admin API endpoints without rate limiting are vulnerable to brute force and DoS attacks.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/api.*admin|admin.*route/i.test(s));if(t.length===0)return{result:"UNKNOWN",message:"No admin API endpoints found"};let n=/rateLimit|rate.limit|throttle|limiter|upstash|redis.*limit|too.many.requests|429/i;return(await e.grepFiles(n,t)).length>0?{result:"PASS",message:"Rate limiting detected on admin endpoints"}:(await e.grepFiles(n)).length>0?{result:"PASS",message:"Rate limiting detected in codebase (verify it covers admin endpoints)"}:{result:"FAIL",message:"No rate limiting found on admin endpoints",evidence:["Missing: rate limiting middleware on admin API routes"]}}};var Et={id:"ADM-16",name:"Separate admin session timeouts",module:"admin",layer:"L2",priority:"P1",description:"Admin sessions should have shorter timeouts than user sessions to limit session hijacking window.",fixCost:100,fixSize:"M",async run(e){let t=/admin.*timeout|admin.*expir|admin.*maxAge|admin.*session.*duration|session.*admin.*short/i;return(await e.grepFiles(t)).length>0?{result:"PASS",message:"Differentiated admin session timeout detected"}:(await e.grepFiles(/admin/i)).length===0?{result:"UNKNOWN",message:"No admin functionality detected"}:{result:"FAIL",message:"No separate admin session timeout \u2014 admin sessions use same duration as user sessions",evidence:["Missing: shorter session timeout for admin roles"]}}};var Ft={id:"ADM-18",name:"Admin action notification/alerting",module:"admin",layer:"L2",priority:"P2",description:"Critical admin actions should trigger notifications (Slack, email) so compromised admin accounts are detected quickly.",fixCost:100,fixSize:"M",async run(e){let t=/slack.*webhook|sendSlack|sendEmail.*admin|notify.*admin|alert.*admin|admin.*notify|admin.*alert|webhook.*notify/i,n=e.files.filter(s=>/admin/i.test(s));if(n.length===0)return{result:"UNKNOWN",message:"No admin functionality detected"};let i=await e.grepFiles(t,n),r=await e.grepFiles(t);return i.length>0||r.length>0?{result:"PASS",message:"Admin action notifications/alerting detected"}:{result:"FAIL",message:"No notification/alerting for admin actions \u2014 compromised admin goes undetected",evidence:["Missing: Slack webhook, email alert, or notification for critical admin actions"]}}};var Tt={id:"ADM-19",name:"CSRF protection for admin mutations",module:"admin",layer:"L2",priority:"P1",description:"Admin mutation endpoints need CSRF protection. If victim is admin, CSRF compromises entire app.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>/admin.*route\.(ts|js)$|api.*admin/i.test(s));if(t.length===0)return{result:"UNKNOWN",message:"No admin route handlers found"};let n=/csrf|csurf|csrfToken|SameSite|x-csrf|anti.?forgery/i;return(await e.grepFiles(n)).length>0?{result:"PASS",message:"CSRF protection detected"}:(await e.grepFiles(/["']use server["']/i)).length>0?{result:"PASS",message:"Server Actions used (built-in CSRF protection in Next.js 14+)"}:{result:"FAIL",message:"No CSRF protection on admin mutation routes",evidence:t.slice(0,3).map(s=>`${s} \u2014 no CSRF token or SameSite cookie`)}}};var xt={id:"ADM-20",name:"Data export controls",module:"admin",layer:"L2",priority:"P1",description:"Admin bulk export/download must have authorization and logging. Compromised admin can exfiltrate all user data.",fixCost:100,fixSize:"M",async run(e){let t=/export.*csv|downloadCSV|bulk.*fetch|dump.*data|export.*users|export.*data/i,n=await e.grepFiles(t);if(n.length===0)return{result:"N/A",message:"No bulk data export functionality detected"};let i=/requireAdmin|requireAuth|getUser|checkPermission/i,r=/audit|log.*export|log.*download/i,s=[...new Set(n.map(c=>c.file))],o=await e.grepFiles(i,s),a=await e.grepFiles(r,s);return o.length>0&&a.length>0?{result:"PASS",message:"Data export has auth and logging"}:o.length>0?{result:"PASS",message:"Data export has auth (consider adding export logging)"}:{result:"FAIL",message:"Data export without auth/logging \u2014 PII exfiltration risk",evidence:n.slice(0,3).map(c=>`${c.file}:${c.line} \u2192 ${c.content.substring(0,120)}`)}}};var Dt={id:"ADM-21",name:"Admin provisioning control",module:"admin",layer:"L2",priority:"P1",description:"Admin role must not be self-assignable. AI tools often generate 'isFirstUser \u2192 admin' or open role selection on signup.",fixCost:100,fixSize:"M",async run(e){let t=/role\s*=\s*['"]admin['"]|isFirstUser|first.*user.*admin|role.*select|self.*assign.*admin/i,n=e.files.filter(a=>/signup|register|onboard/i.test(a)),i=await e.grepFiles(t),s=[...n.length>0?await e.grepFiles(t,n):[],...i.filter(a=>/signup|register|onboard/i.test(a.file))],o=[...new Map(s.map(a=>[`${a.file}:${a.line}`,a])).values()];return o.length>0?{result:"FAIL",message:"Self-assign admin pattern detected in signup/onboarding flow",evidence:o.slice(0,3).map(a=>`${a.file}:${a.line} \u2192 ${a.content.substring(0,120)}`)}:{result:"PASS",message:"No self-assign admin pattern detected in signup flow"}}};var Ut={id:"ADM-22",name:"Edge Function authentication",module:"admin",layer:"L2",priority:"P0",description:"Supabase Edge Functions must verify the Authorization header or user session. Unprotected Edge Functions can be called by anyone with the public anon key, enabling privilege escalation (e.g. seed-admin).",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(r=>/supabase\/functions\/[^/]+\/index\.(ts|js)$/i.test(r));if(t.length===0)return{result:"PASS",message:"No Supabase Edge Functions found"};let n=/auth\.getUser|authorization.*header|req\.headers\.get\s*\(\s*['"]authorization['"]\)|verifyJWT|supabaseClient\.auth|createClient.*serviceRole/i,i=[];for(let r of t){let s=await e.readFile(r);n.test(s)||i.push(r)}return i.length>0?{result:"FAIL",message:`${i.length} Edge Function${i.length>1?"s":""} without auth verification`,evidence:i.slice(0,5).map(r=>`${r} \u2192 No Authorization header check or auth.getUser() call`)}:{result:"PASS",message:`All ${t.length} Edge Functions have auth checks`}}};var Oi=["/auth/","middleware.ts","middleware.js","/domains/auth/"],Wi=/\b(getUser|createServerClient|supabase\.auth|currentUser|clerkMiddleware|useUser|getServerSession|useSession|authOptions|getSession)\b/;function ji(e){return Oi.some(t=>e.includes(t))}function Bi(e){return e.includes("node_modules")||e.includes(".next/")||e.includes("test")||e.includes("spec")||e.includes(".d.ts")||e.includes("types.ts")||e.includes("types.js")}var Mt={id:"DRIFT-AUTH-01",name:"Auth logic spreading outside auth directory",module:"auth",layer:"L2",priority:"P1",category:"drift",description:"Auth patterns (getUser, createServerClient, etc.) found outside auth directories indicate module boundary drift.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(Wi)).filter(i=>!(Bi(i.file)||i.content.trimStart().startsWith("//")||i.content.trimStart().startsWith("*")||ji(i.file)));return n.length>3?{result:"FAIL",message:`Auth logic found in ${n.length} locations outside auth directories \u2014 module boundary is leaking`,evidence:n.slice(0,5).map(i=>`${i.file}:${i.line} \u2192 ${i.content.substring(0,100)}`)}:n.length>0?{result:"PASS",message:`Minor auth references outside auth dir (${n.length}) \u2014 within acceptable range`}:{result:"PASS",message:"Auth logic is contained within auth directories"}}};var Hi=/\b(getUser|createServerClient|supabase\.auth|currentUser|clerkMiddleware|auth\(\)|getServerSession|NextAuth)\b/,Ot={id:"DRIFT-AUTH-02",name:"Duplicate auth middleware files",module:"auth",layer:"L2",priority:"P1",category:"drift",description:"Multiple middleware files with auth logic indicate fragmented auth \u2014 a common AI generation pattern.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(i=>(i.includes("middleware.ts")||i.includes("middleware.js"))&&!i.includes("node_modules")&&!i.includes(".next/")),n=[];for(let i of t)try{let r=await e.readFile(i);Hi.test(r)&&n.push(i)}catch{continue}return n.length>1?{result:"FAIL",message:`${n.length} middleware files contain auth logic \u2014 auth should have a single entry point`,evidence:n.map(i=>i)}:n.length===1?{result:"PASS",message:`Single auth middleware found: ${n[0]}`}:{result:"UNKNOWN",message:"No middleware with auth logic found"}}};var zi=/\b(getUser|createServerClient|supabase\.auth|currentUser|auth\(\)|getServerSession|requireAuth|withAuth|isAuthenticated)\b/,Wt={id:"DRIFT-AUTH-03",name:"New API routes without auth checks",module:"auth",layer:"L2",priority:"P0",category:"drift",description:"API route handlers without auth verification \u2014 any visitor can call unprotected endpoints.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(i=>i.includes("/api/")&&(i.endsWith("route.ts")||i.endsWith("route.js"))&&!i.includes("node_modules")&&!i.includes(".next/")&&!i.includes("/api/auth/")&&!i.includes("/api/webhook")&&!i.includes("/api/health")&&!i.includes("/api/public"));if(t.length===0)return{result:"UNKNOWN",message:"No API route files found"};let n=[];for(let i of t)try{let r=await e.readFile(i);zi.test(r)||n.push(i)}catch{continue}return n.length>0?{result:"FAIL",message:`${n.length} of ${t.length} API routes have no auth verification`,evidence:n.slice(0,5).map(i=>i)}:{result:"PASS",message:`All ${t.length} API routes have auth checks`}}};var qi=/\b(isAdmin|role\s*===?\s*['"`]admin['"`]|user\.role|userRole|hasRole)\b/,Ki=/\b(getUser|createServerClient|supabase\.auth|currentUser|getServerSession|requireAdmin|checkAdmin)\b/,jt={id:"DRIFT-AUTH-04",name:"Client-side auth bypass \u2014 role check without server verification",module:"auth",layer:"L2",priority:"P1",category:"drift",description:"Role checks in JSX/client code without server-side verification \u2014 UI-only gates can be bypassed.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(qi)).filter(s=>s.content.trimStart().startsWith("//")||s.file.includes("node_modules")||s.file.includes(".next/")?!1:v(s.file));if(n.length===0)return{result:"PASS",message:"No client-side role checks found"};let r=(await e.grepFiles(Ki,["**/api/**","**/server/**","**/actions.*"])).some(s=>!s.file.includes("node_modules"));return n.length>0&&!r?{result:"FAIL",message:`${n.length} client-side role checks found but no server-side role verification \u2014 admin UI can be bypassed`,evidence:n.slice(0,5).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,100)}`)}:{result:"PASS",message:`Client-side role checks (${n.length}) backed by server-side verification`}}};var Gi=/localStorage\.(getItem|setItem|removeItem)\s*\(\s*['"`](token|jwt|session|auth|access_token|refresh_token|user)/,Bt={id:"DRIFT-AUTH-05",name:"Auth tokens stored in localStorage",module:"auth",layer:"L2",priority:"P1",category:"drift",description:"localStorage for auth tokens is vulnerable to XSS \u2014 use httpOnly cookies or secure session management.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(Gi)).filter(i=>!(i.content.trimStart().startsWith("//")||i.file.includes("node_modules")||i.file.includes(".next/")));return n.length>0?{result:"FAIL",message:`Auth tokens stored in localStorage (${n.length} location${n.length>1?"s":""}) \u2014 vulnerable to XSS`,evidence:n.slice(0,5).map(i=>`${i.file}:${i.line} \u2192 ${i.content.substring(0,100)}`)}:{result:"PASS",message:"No localStorage auth token usage found"}}};var Vi=["/billing/","/stripe/","/webhook/","/payment/","/subscription/","/domains/billing/"],Yi=/\b(stripe|Stripe|createCheckout|price_id|priceId|subscription_id|subscriptionId|checkout\.sessions|customer\.subscriptions)\b/;function Xi(e){return Vi.some(t=>e.includes(t))}function Qi(e){return e.includes("node_modules")||e.includes(".next/")||e.includes("test")||e.includes("spec")||e.includes(".d.ts")||e.includes("types.ts")||e.includes("types.js")||e.includes("package.json")||e.includes("package-lock")||e.includes("pnpm-lock")||e.includes(".env")}var Ht={id:"DRIFT-BIL-01",name:"Billing logic spreading outside billing directory",module:"billing",layer:"L2",priority:"P1",category:"drift",description:"Stripe/payment imports outside billing directories indicate module boundary drift.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(Yi)).filter(i=>!(Qi(i.file)||i.content.trimStart().startsWith("//")||i.content.trimStart().startsWith("*")||i.content.trimStart().startsWith("#")||Xi(i.file)));return n.length>3?{result:"FAIL",message:`Billing/Stripe logic found in ${n.length} locations outside billing directories \u2014 module boundary is leaking`,evidence:n.slice(0,5).map(i=>`${i.file}:${i.line} \u2192 ${i.content.substring(0,100)}`)}:n.length>0?{result:"PASS",message:`Minor billing references outside billing dir (${n.length}) \u2014 within acceptable range`}:{result:"PASS",message:"Billing logic is contained within billing directories"}}};var Ji=/\b(webhook|stripe.*event|event\.type|constructEvent)\b/i,zt={id:"DRIFT-BIL-02",name:"Duplicate webhook handler endpoints",module:"billing",layer:"L2",priority:"P0",category:"drift",description:"Multiple webhook endpoints create race conditions and duplicate event processing.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(i=>!i.includes("node_modules")&&!i.includes(".next/")&&!i.includes("test")&&(i.includes("webhook")||i.includes("stripe"))&&(i.endsWith(".ts")||i.endsWith(".js")||i.endsWith(".py"))),n=[];for(let i of t)try{let r=await e.readFile(i);Ji.test(r)&&n.push(i)}catch{continue}return n.length>1?{result:"FAIL",message:`${n.length} webhook handler files found \u2014 should be exactly 1`,evidence:n}:n.length===1?{result:"PASS",message:`Single webhook handler: ${n[0]}`}:{result:"UNKNOWN",message:"No webhook handler files found \u2014 Stripe webhooks may not be configured"}}};var Zi=/\b(subscription|plan|isPro|isFreeTier|isPaid|currentPlan|userPlan|hasSubscription)\b/,qt={id:"DRIFT-BIL-03",name:"Client-side subscription check without server verification",module:"billing",layer:"L2",priority:"P1",category:"drift",description:"Plan/subscription checks in client code without server-side verification \u2014 users can bypass paywalls.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(Zi)).filter(s=>s.content.trimStart().startsWith("//")||s.file.includes("node_modules")||s.file.includes(".next/")||s.file.includes("test")||s.file.includes("types")?!1:v(s.file)&&!s.file.includes("/api/"));if(n.length===0)return{result:"PASS",message:"No client-side subscription checks found"};let r=(await e.grepFiles(/\b(subscription|check.*plan|check.*limit|entitlement|getSubscription)\b/i,["**/api/**","**/server/**","**/actions.*","**/billing/**"])).some(s=>!s.file.includes("node_modules"));return n.length>0&&!r?{result:"FAIL",message:`${n.length} client-side subscription checks but no server-side plan verification \u2014 paywall can be bypassed`,evidence:n.slice(0,5).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,100)}`)}:{result:"PASS",message:`Client-side subscription checks (${n.length}) backed by server-side verification`}}};var es=/(?:price|amount|cost|fee)\s*[:=]\s*(\d{2,}(?:\.\d{2})?|['"`]\$?\d+)/i,ts=/(?:amount|price|unit_amount)\s*[:=]\s*\d{3,}/,Kt={id:"DRIFT-BIL-04",name:"Hardcoded prices instead of plan configuration",module:"billing",layer:"L2",priority:"P2",category:"drift",description:"Hardcoded dollar amounts or price values should come from plan configuration or Stripe metadata.",fixCost:100,fixSize:"M",async run(e){let t=await e.grepFiles(es),n=await e.grepFiles(ts),r=[...t,...n].filter(s=>!(s.content.trimStart().startsWith("//")||s.content.trimStart().startsWith("*")||s.file.includes("node_modules")||s.file.includes(".next/")||s.file.includes("test")||s.file.includes("package.json")||s.file.includes(".lock")||s.file.includes(".css")||s.file.includes("migration")));return r.length>3?{result:"FAIL",message:`${r.length} hardcoded price/amount values found \u2014 prices should come from plan config or Stripe`,evidence:r.slice(0,5).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,100)}`)}:r.length>0?{result:"PASS",message:`Minor hardcoded amounts found (${r.length}) \u2014 review recommended`}:{result:"PASS",message:"No hardcoded price values detected"}}};var is=/\b(canAccess|hasFeature|featureEnabled|isEnabled|featureFlag|canUse)\b/,ss=/\b(checkLimit|checkSubscription|checkPlan|entitlement|billingGuard|requirePlan|checkQuota)\b/,Gt={id:"DRIFT-BIL-05",name:"Feature access without billing verification",module:"billing",layer:"L2",priority:"P2",category:"drift",description:"New features with access gates but no billing/entitlement check \u2014 free users can access paid features.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(is)).filter(s=>!(s.content.trimStart().startsWith("//")||s.file.includes("node_modules")||s.file.includes(".next/")||s.file.includes("test")));if(n.length===0)return{result:"UNKNOWN",message:"No feature gate patterns found \u2014 may not use feature flags"};let r=(await e.grepFiles(ss)).some(s=>!s.file.includes("node_modules")&&!s.file.includes(".next/"));return n.length>0&&!r?{result:"FAIL",message:`${n.length} feature gate(s) found but no billing/entitlement verification \u2014 paid features may be accessible for free`,evidence:n.slice(0,5).map(s=>`${s.file}:${s.line} \u2192 ${s.content.substring(0,100)}`)}:{result:"PASS",message:`Feature gates (${n.length}) backed by billing verification`}}};var ns=["/admin/","/domains/admin/"],rs=/\b(isAdmin|requireAdmin|checkAdmin|adminGuard|role\s*===?\s*['"`]admin['"`]|user_role|superAdmin|isSuperAdmin)\b/;function os(e){return ns.some(t=>e.includes(t))}function as(e){return e.includes("node_modules")||e.includes(".next/")||e.includes("test")||e.includes("spec")||e.includes(".d.ts")||e.includes("types.ts")||e.includes("types.js")||e.includes("migration")||e.includes(".sql")}var Vt={id:"DRIFT-ADM-01",name:"Admin logic spreading outside admin directory",module:"admin",layer:"L2",priority:"P1",category:"drift",description:"Admin permission patterns found outside admin directories indicate module boundary drift.",fixCost:100,fixSize:"M",async run(e){let n=(await e.grepFiles(rs)).filter(i=>!(as(i.file)||i.content.trimStart().startsWith("//")||i.content.trimStart().startsWith("*")||os(i.file)));return n.length>3?{result:"FAIL",message:`Admin logic found in ${n.length} locations outside admin directories \u2014 module boundary is leaking`,evidence:n.slice(0,5).map(i=>`${i.file}:${i.line} \u2192 ${i.content.substring(0,100)}`)}:n.length>0?{result:"PASS",message:`Minor admin references outside admin dir (${n.length}) \u2014 within acceptable range`}:{result:"PASS",message:"Admin logic is contained within admin directories"}}};var cs=/\b(requireAdmin|checkAdmin|adminGuard|isAdmin|role\s*===?\s*['"`]admin['"`]|isSuperAdmin)\b/,Yt={id:"DRIFT-ADM-02",name:"New admin routes without permission guards",module:"admin",layer:"L2",priority:"P0",category:"drift",description:"Admin route handlers without permission checks \u2014 any authenticated user can access admin features.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(i=>i.includes("/admin/")&&!i.includes("node_modules")&&!i.includes(".next/")&&!i.includes("test")&&(i.endsWith("route.ts")||i.endsWith("route.js")||i.endsWith("page.tsx")||i.endsWith("page.jsx")||i.endsWith("page.ts")));if(t.length===0)return{result:"UNKNOWN",message:"No admin route files found"};let n=[];for(let i of t)try{let r=await e.readFile(i);cs.test(r)||n.push(i)}catch{continue}return n.length>0?{result:"FAIL",message:`${n.length} of ${t.length} admin routes have no permission guard`,evidence:n.slice(0,5).map(i=>i)}:{result:"PASS",message:`All ${t.length} admin routes have permission guards`}}};var Xt=/\b(logAuditEvent|auditLog|audit_log|createAuditEntry|logAdminAction|insertAuditLog)\b/,Qt=/\b(DELETE|PUT|PATCH|POST)\b/,Jt={id:"DRIFT-ADM-03",name:"Admin mutations without audit logging",module:"admin",layer:"L2",priority:"P1",category:"drift",description:"Admin mutation endpoints (POST/PUT/DELETE) without audit log calls \u2014 no trail of admin actions.",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(i=>i.includes("/admin/")&&i.includes("/api/")&&!i.includes("node_modules")&&!i.includes(".next/")&&!i.includes("test")&&(i.endsWith("route.ts")||i.endsWith("route.js")));if(t.length===0){let i=e.files.filter(s=>s.includes("/admin/")&&!s.includes("node_modules")&&!s.includes(".next/")&&(s.includes("action")||s.includes("service")||s.includes("handler"))&&(s.endsWith(".ts")||s.endsWith(".js")||s.endsWith(".py")));if(i.length===0)return{result:"UNKNOWN",message:"No admin API routes or action files found"};let r=[];for(let s of i)try{let o=await e.readFile(s);Qt.test(o)&&!Xt.test(o)&&r.push(s)}catch{continue}return r.length>0?{result:"FAIL",message:`${r.length} admin action file(s) with mutations but no audit logging`,evidence:r.slice(0,5)}:{result:"PASS",message:"Admin action files have audit logging"}}let n=[];for(let i of t)try{let r=await e.readFile(i);Qt.test(r)&&!Xt.test(r)&&n.push(i)}catch{continue}return n.length>0?{result:"FAIL",message:`${n.length} of ${t.length} admin API routes have mutations without audit logging`,evidence:n.slice(0,5)}:{result:"PASS",message:`All ${t.length} admin API routes have audit logging`}}};var Zt={id:"ENV-01",name:".env.example exists",module:"foundation",layer:"L3",priority:"P1",description:"Project should have .env.example documenting required environment variables",fixCost:50,fixSize:"S",async run(e){return e.files.some(i=>i===".env.example"||i.endsWith("/.env.example"))?{result:"PASS",message:".env.example found"}:e.files.some(i=>i===".env"||i===".env.local"||i.endsWith("/.env")||i.endsWith("/.env.local"))?{result:"FAIL",message:"Project uses .env files but has no .env.example for documentation",evidence:["Create .env.example listing all required vars (without secret values)"]}:{result:"UNKNOWN",message:"No .env files found \u2014 project may not use environment variables"}}};var ei={id:"ENV-02",name:"No secrets in committed .env",module:"foundation",layer:"L3",priority:"P0",description:"Committed .env files must not contain actual secret values \u2014 only .env.example with placeholders",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>{let o=s.split("/").pop()||"";return(o===".env"||o===".env.local"||o===".env.production")&&!o.includes("example")});if(t.length===0)return{result:"PASS",message:"No committed .env files found"};let n=/^[A-Z_]+=(?:sk_live_|sk_test_|whsec_|sbp_|eyJ|ghp_|gho_|AKIA|supabase.*service_role)/m,i=/^[A-Z_]+=.{20,}/m,r=[];for(let s of t){let o;try{o=await e.readFile(s)}catch{continue}if(n.test(o))r.push(`${s} \u2014 contains secret key patterns`);else if(i.test(o)){let a=o.split(`
+`).filter(c=>/^[A-Z_]+=.{20,}/.test(c)&&!c.startsWith("#")&&!c.includes("your_")&&!c.includes("xxx"));a.length>2&&r.push(`${s} \u2014 appears to contain real values (${a.length} long values)`)}}return r.length>0?{result:"FAIL",message:`Secrets found in committed .env file${r.length>1?"s":""}`,evidence:r}:{result:"FAIL",message:`.env file${t.length>1?"s":""} committed to git \u2014 should be in .gitignore`,evidence:t.map(s=>`${s} \u2014 add to .gitignore`)}}};var ti={id:"CFG-01",name:"TypeScript strict mode",module:"foundation",layer:"L3",priority:"P1",description:"tsconfig.json should have strict: true to catch type errors at build time",fixCost:250,fixSize:"L",async run(e){let t;try{t=await e.readFile("tsconfig.json")}catch{return{result:"UNKNOWN",message:"No tsconfig.json found \u2014 project may not use TypeScript"}}return/"strict"\s*:\s*true/.test(t)?{result:"PASS",message:"TypeScript strict mode is enabled"}:/"strict"\s*:\s*false/.test(t)?{result:"FAIL",message:"TypeScript strict mode is explicitly disabled",evidence:['tsconfig.json \u2014 set "strict": true']}:{result:"FAIL",message:"TypeScript strict mode not configured (defaults to false)",evidence:['tsconfig.json \u2014 add "strict": true to compilerOptions']}}};var ii={id:"ERR-01",name:"Global error boundary exists",module:"foundation",layer:"L3",priority:"P1",description:"React apps should have a top-level error boundary to prevent full white-screen crashes",fixCost:100,fixSize:"M",async run(e){if(e.files.filter(i=>i.endsWith(".tsx")||i.endsWith(".jsx")).length===0)return{result:"UNKNOWN",message:"No React files found"};let n=/ErrorBoundary|componentDidCatch|getDerivedStateFromError|error\.tsx|error\.jsx/;for(let i of e.files){if(!i.endsWith(".ts")&&!i.endsWith(".tsx")&&!i.endsWith(".js")&&!i.endsWith(".jsx"))continue;let r;try{r=await e.readFile(i)}catch{continue}if(n.test(r))return{result:"PASS",message:`Error boundary found in ${i}`}}return{result:"FAIL",message:"No error boundary component found \u2014 unhandled errors will crash the entire app",evidence:["Add an ErrorBoundary component wrapping your app root or use Next.js error.tsx"]}}};var si={id:"ERR-03",name:"Unhandled promise rejection handling",module:"foundation",layer:"L3",priority:"P1",description:"Application should handle unhandled promise rejections to prevent silent failures",fixCost:50,fixSize:"S",async run(e){let t=e.files.filter(r=>(r.includes("/api/")||r.includes("route.ts")||r.includes("route.js")||r.includes("actions.ts")||r.includes("actions.js"))&&(r.endsWith(".ts")||r.endsWith(".js")));if(t.length===0)return{result:"UNKNOWN",message:"No API routes or server actions found"};let n=/try\s*\{/,i=[];for(let r of t){let s;try{s=await e.readFile(r)}catch{continue}/async\s+function|async\s*\(/.test(s)&&!n.test(s)&&i.push(r)}return i.length>0?{result:"FAIL",message:`${i.length} async API route${i.length>1?"s":""} without try/catch error handling`,evidence:i.slice(0,5).map(r=>`${r} \u2014 add try/catch around async operations`)}:{result:"PASS",message:`All ${t.length} API routes have error handling`}}};var ni={id:"SCH-01",name:"Database migrations exist",module:"schema",layer:"L4",priority:"P1",description:"Project should have migration files (Supabase, Prisma, or Drizzle) for reproducible schema changes",fixCost:100,fixSize:"M",async run(e){let t=[/supabase\/migrations\//,/prisma\/migrations\//,/drizzle\/migrations\//,/migrations\/.*\.sql$/,/schema\.prisma$/],n=e.files.filter(o=>t.some(a=>a.test(o)));if(n.length>0)return{result:"PASS",message:`${n.length} migration file${n.length>1?"s":""} found`};let i=e.files.some(o=>o.includes("supabase")||o.includes("@supabase")),r=e.files.some(o=>o.includes("prisma")),s=e.files.some(o=>o.includes("drizzle"));return i||r||s?{result:"FAIL",message:"Database ORM/client detected but no migration files found",evidence:["Create migration files to track schema changes reproducibly"]}:{result:"UNKNOWN",message:"No database usage detected"}}};var ri={id:"SCH-02",name:"No raw SQL in application code",module:"schema",layer:"L4",priority:"P2",description:"Inline SQL in route handlers/components instead of ORM/query builder is fragile and injection-prone",fixCost:250,fixSize:"L",async run(e){let t=e.files.filter(r=>!r.includes("migration")&&!r.endsWith(".sql")&&!r.includes("seed")&&!r.includes("supabase/")&&!r.includes("prisma/")&&!r.includes("drizzle/")&&(r.endsWith(".ts")||r.endsWith(".tsx")||r.endsWith(".js")||r.endsWith(".jsx"))),n=/\b(SELECT|INSERT INTO|UPDATE\s+\w+\s+SET|DELETE FROM|CREATE TABLE|ALTER TABLE|DROP TABLE)\b/,i=[];for(let r of t){let s;try{s=await e.readFile(r)}catch{continue}let o=s.split(`
+`);for(let a=0;a<o.length;a++){let c=o[a].trim();c.startsWith("//")||c.startsWith("*")||c.startsWith("#")||n.test(c)&&i.push(`${r}:${a+1} \u2192 ${c.substring(0,100)}`)}}return i.length>0?{result:"FAIL",message:`Raw SQL found in ${i.length} location${i.length>1?"s":""} in application code`,evidence:i.slice(0,5)}:{result:"PASS",message:"No raw SQL detected in application code"}}};var oi={id:"SCH-04",name:"Soft delete pattern consistency",module:"schema",layer:"L4",priority:"P2",description:"If soft delete is used, all delete operations should use the same pattern (deleted_at column)",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx"))&&!s.includes("node_modules")),n=!1,i=!1,r=[];for(let s of t){let o;try{o=await e.readFile(s)}catch{continue}/deleted_at|deletedAt|is_deleted|isDeleted|soft.?delete/i.test(o)&&(n=!0),/\.delete\(\)|\.remove\(\)|DELETE FROM/i.test(o)&&!o.includes("deleted_at")&&(i=!0,r.push(s))}return!n&&!i?{result:"UNKNOWN",message:"No delete operations detected"}:n&&i?{result:"FAIL",message:"Mixed soft delete and hard delete patterns \u2014 inconsistent data deletion strategy",evidence:r.slice(0,5).map(s=>`${s} \u2014 uses hard delete while project has soft delete pattern`)}:n?{result:"PASS",message:"Consistent soft delete pattern used"}:{result:"PASS",message:"Consistent hard delete pattern (no soft delete used)"}}};var ai={id:"SCH-09",name:"N+1 query pattern detection",module:"schema",layer:"L4",priority:"P2",description:"Detects fetch-list-then-fetch-each-item patterns that cause performance collapse under load",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(o=>(o.endsWith(".ts")||o.endsWith(".tsx")||o.endsWith(".js")||o.endsWith(".jsx"))&&!o.includes("node_modules")&&!o.includes("migration")),n=/\.(from|select)\(.*\)(?:(?!\.single\(\)).)*$/,i=/for\s*\(.*\)\s*\{[^}]*(?:\.from\(|\.select\(|\.rpc\(|supabase\.|fetch\()/s,r=/\.map\(\s*(?:async\s*)?\([^)]*\)\s*=>\s*(?:{[^}]*)?(?:\.from\(|\.select\(|\.rpc\(|supabase\.|fetch\()/s,s=[];for(let o of t){let a;try{a=await e.readFile(o)}catch{continue}i.test(a)?s.push(`${o} \u2014 DB/API call inside for loop`):r.test(a)&&s.push(`${o} \u2014 DB/API call inside .map()`)}return s.length>0?{result:"FAIL",message:`N+1 query pattern detected in ${s.length} file${s.length>1?"s":""}`,evidence:s.slice(0,5)}:{result:"PASS",message:"No N+1 query patterns detected"}}};var ci={id:"SCH-10",name:"Unbounded query guard",module:"schema",layer:"L4",priority:"P2",description:"Queries without LIMIT/pagination can exhaust memory under real data volumes",fixCost:100,fixSize:"M",async run(e){let t=e.files.filter(s=>(s.endsWith(".ts")||s.endsWith(".tsx")||s.endsWith(".js")||s.endsWith(".jsx"))&&!s.includes("node_modules")&&!s.includes("migration")&&!s.includes("seed")),n=/\.from\(['"`]\w+['"`]\)\s*\.select\(/,i=/\.limit\(|\.range\(|\.single\(|\.maybeSingle\(|\.eq\(.*id|pagination|paginate|page\s*[=:]/i,r=[];for(let s of t){let o;try{o=await e.readFile(s)}catch{continue}n.test(o)&&!i.test(o)&&r.push(`${s} \u2014 .from().select() without .limit()/.range()/.single()`)}return r.length>0?{result:"FAIL",message:`Unbounded queries found in ${r.length} file${r.length>1?"s":""}`,evidence:r.slice(0,5)}:{result:"PASS",message:"All queries appear to have bounds (limit/range/single)"}}};var ls=new Set(["ARCH-01","ARCH-02","ARCH-03","ARCH-04","ARCH-05","AUTH-01","AUTH-02","AUTH-03","AUTH-05","AUTH-06","AUTH-11","AUTH-13","AUTH-14","BIL-01","BIL-02","BIL-03","BIL-04","BIL-09","BIL-14","BIL-16","BIL-17","ADM-01","ADM-02","ADM-08","ADM-11","ENV-01","ENV-02","CFG-01","ERR-01"]),ui=[pe,fe,me,ge,he,Ae,be,$e,ve,Ce,_e,ke,Ie,Pe,we,Le,Ne,Re,Ee,Fe,Te,xe,De,Ue,Me,Oe,We,je,Be,He,ze,qe,Ke,Ge,Ve,Ye,Xe,Qe,Je,Ze,et,tt,it,st,nt,rt,ot,at,ct,lt,ut,dt,pt,ft,mt,gt,ht,St,yt,At,bt,$t,vt,Ct,_t,kt,It,Pt,wt,Lt,Nt,Rt,Et,Ft,Tt,xt,Dt,Ut,Mt,Ot,Wt,jt,Bt,Ht,zt,qt,Kt,Gt,Vt,Yt,Jt,Zt,ei,ti,ii,si,ni,ri,oi,ai,ci],li={"AUTH-01":"supabase","AUTH-02":"supabase","AUTH-03":"supabase","AUTH-10":"supabase","AUTH-11":"supabase","AUTH-13":"supabase","AUTH-17":"supabase","AUTH-18":"supabase","AUTH-27":"supabase","AUTH-28":"supabase","BIL-01":"stripe","BIL-02":"stripe","BIL-03":"stripe","BIL-05":"stripe","BIL-12":"stripe","BIL-15":"stripe","BIL-19":"stripe","BIL-20":"stripe","BIL-22":"stripe"};for(let e of ui)e.phase=ls.has(e.id)?1:2,li[e.id]&&(e.vendor=li[e.id]);var di=ui;import fi from"fs/promises";import K from"path";var us=new Set(["node_modules",".git",".next","dist","build",".vercel",".turbo","coverage",".nyc_output","__pycache__",".svelte-kit"]),pi=new Set([".ts",".tsx",".js",".jsx",".mjs",".cjs",".sql",".env",".env.local",".env.example"]);async function mi(e){let t=[];return await gi(e,e,t),t}async function gi(e,t,n){let i;try{i=await fi.readdir(e,{withFileTypes:!0})}catch{return}for(let r of i)if(!(r.name.startsWith(".")&&r.name!==".env"&&r.name!==".env.local"&&r.name!==".env.example"&&r.isDirectory()))if(r.isDirectory()){if(us.has(r.name))continue;await gi(K.join(e,r.name),t,n)}else{let s=K.extname(r.name),o=r.name;(pi.has(s)||pi.has(o))&&n.push(K.relative(t,K.join(e,r.name)))}}async function Y(e,t){let n=K.resolve(e,t);return fi.readFile(n,"utf-8")}import ds from"fs/promises";import ps from"path";async function hi(e,t,n){let i={hasStripe:!1,hasSupabase:!1,detectedVendors:[]},r=ps.join(e,"package.json");try{let s=await ds.readFile(r,"utf-8"),o=JSON.parse(s),a={...o.dependencies,...o.devDependencies};(a.stripe||a["@stripe/stripe-js"]||a["@stripe/react-stripe-js"])&&(i.hasStripe=!0),(a["@supabase/supabase-js"]||a["@supabase/ssr"]||a["@supabase/auth-helpers-nextjs"])&&(i.hasSupabase=!0)}catch{}if((!i.hasStripe||!i.hasSupabase)&&t&&n){let s=/from\s+["']stripe["']|new\s+Stripe\s*\(|stripe[_-]webhook|STRIPE_SECRET|loadStripe\s*\(/,o=/from\s+["']@supabase|createClient\s*\(|SUPABASE_URL|supabase\.auth\.|supabase\.from\s*\(/,a=t.filter(f=>f.endsWith(".ts")||f.endsWith(".tsx")||f.endsWith(".js")||f.endsWith(".jsx")),c=a.filter(f=>/stripe|billing|payment|webhook|checkout|supabase|auth/i.test(f)),l=a.filter(f=>!/stripe|billing|payment|webhook|checkout|supabase|auth/i.test(f)),p=[...c,...l.slice(0,30)];for(let f of p){if(i.hasStripe&&i.hasSupabase)break;try{let S=await n(f);!i.hasStripe&&s.test(S)&&(i.hasStripe=!0),!i.hasSupabase&&o.test(S)&&(i.hasSupabase=!0)}catch{continue}}}return i.hasStripe&&i.detectedVendors.push("stripe"),i.hasSupabase&&i.detectedVendors.push("supabase"),i}var fs={L1:"Architecture",L2:"Safety",L3:"Foundation",L4:"Schema"},X=class{evaluate(t,n,i){let r=this.computeLayerScores(t);return{project:i,timestamp:new Date().toISOString(),mode:n,checks:t,layers:r}}computeLayerScores(t){let n={},i=new Set;for(let r of t)i.add(r.layer);for(let r of i){let o=t.filter(f=>f.layer===r).filter(f=>f.result!=="N/A"&&f.result!=="UNKNOWN"&&f.result!=="NOT_APPLICABLE"),a=o.filter(f=>f.result==="PASS").length,c=o.filter(f=>f.result==="FAIL").length,l=o.length,p=l>0?Math.round(a/l*10):0;n[r]={name:fs[r]??r,passed:a,failed:c,total:l,score:p}}return n}};var ms={"trust-score":["L2","L3","L4"],architecture:["L1"],all:["L1","L2","L3","L4"]};async function yi(e,t={}){let{mode:n="trust-score",engine:i=new X,allChecks:r=!1,disabledChecks:s}=t,o=Si.resolve(e),a=await mi(o),c=ms[n],p=await hi(o,a,d=>Y(o,d)),f={rootDir:o,files:a,fingerprint:p,readFile:d=>Y(o,d),grepFiles:(d,y)=>Se({rootDir:o,files:a,readFile:q=>Y(o,q)},d,y)},S=s??gs(),A=di.filter(d=>c.includes(d.layer)&&(r||d.phase===1)),P=[];for(let d of A)if(!S.has(d.id)){if(hs(d,p)){P.push({id:d.id,name:d.name,module:d.module,layer:d.layer,priority:d.priority,category:d.category,result:"NOT_APPLICABLE",message:Ss(d)});continue}try{let y=await d.run(f);P.push({id:d.id,name:d.name,module:d.module,layer:d.layer,priority:d.priority,category:d.category,result:y.result,message:y.message,evidence:y.evidence,shadow:d.shadow})}catch(y){P.push({id:d.id,name:d.name,module:d.module,layer:d.layer,priority:d.priority,category:d.category,result:"UNKNOWN",message:`Check failed with error: ${y instanceof Error?y.message:String(y)}`,shadow:d.shadow})}}let F=Si.basename(o);return i.evaluate(P,n,F)}function gs(){let e=process.env.VIBECODIQ_DISABLED_CHECKS||"";return e.trim()?new Set(e.split(",").map(t=>t.trim().toUpperCase()).filter(Boolean)):new Set}function hs(e,t){return e.vendor==="stripe"&&!t.hasStripe||e.vendor==="supabase"&&!t.hasSupabase}function Ss(e){return e.vendor==="stripe"?"No Stripe integration detected \u2014 check not applicable":e.vendor==="supabase"?"No Supabase integration detected \u2014 check not applicable":"Prerequisite not detected \u2014 check not applicable"}var u="\x1B[0m",g="\x1B[1m",m="\x1B[2m",I="\x1B[31m",C="\x1B[32m",R="\x1B[33m",ne="\x1B[36m",Q="\x1B[37m",ys="\x1B[41m";var As="\x1B[43m";function T(e){switch(e){case"PASS":return`${C}\u2713${u}`;case"FAIL":return`${I}\u2717${u}`;case"REVIEW":return`${R}\u26A0${u}`;case"UNKNOWN":return`${R}?${u}`;case"NOT_APPLICABLE":return`${m}\u25CB${u}`;case"N/A":return`${m}\u2014${u}`;default:return" "}}function $i(e){switch(e){case"P0":return`${ys}${Q}${g} P0 ${u}`;case"P1":return`${As}${Q}${g} P1 ${u}`;case"P2":return`${m} P2 ${u}`;default:return` ${e} `}}function vi(e){let t=e.score,n=10-t;return`${t>=7?C:t>=4?R:I}${"\u2588".repeat(t)}${m}${"\u2591".repeat(n)}${u} ${t}/10`}var Ci={"trust-score":"SAFETY SCAN",architecture:"ARCHITECTURE SCAN",all:"FULL SCAN"};function bs(e,t,n){return e>0?{icon:"\u{1F534}",text:"NOT READY FOR PRODUCTION",color:I}:t>0?{icon:"\u{1F7E1}",text:"NEEDS ATTENTION",color:R}:n>0?{icon:"\u26AA",text:"MINOR ISSUES",color:m}:{icon:"\u{1F7E2}",text:"READY FOR PRODUCTION",color:C}}function J(e){let t=d=>process.stdout.write(d+`
+`),n=Ci[e.mode]??"SCAN",i=e.checks.filter(d=>!d.shadow),r=i.filter(d=>d.result==="FAIL"),s=i.filter(d=>d.result==="PASS"),o=i.filter(d=>d.result==="UNKNOWN"),a=i.filter(d=>d.result==="NOT_APPLICABLE"),c=i.filter(d=>d.result==="REVIEW"),l=r.filter(d=>d.priority==="P0"),p=r.filter(d=>d.priority==="P1"),f=r.filter(d=>d.priority!=="P0"&&d.priority!=="P1"),S=bs(l.length,p.length,f.length);if(t(""),t(`${g}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557${u}`),t(`${g}\u2551  VIBECODIQ \u2014 ${n.padEnd(43)}\u2551${u}`),t(`${g}\u2551  Project: ${e.project.padEnd(46)}\u2551${u}`),t(`${g}\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D${u}`),t(""),t(`  ${S.icon} ${g}${S.color}${S.text}${u}`),r.length>0){let d=[];l.length>0&&d.push(`${I}${l.length} critical${u}`),p.length>0&&d.push(`${R}${p.length} important${u}`),f.length>0&&d.push(`${m}${f.length} quality${u}`),t(`     ${r.length} issues found (${d.join(", ")})`)}t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t("");let A=["L1","L2","L3","L4"];for(let d of A){let y=e.layers[d];if(!y)continue;let q=`${d} ${y.name}`;t(`  ${g}${q.padEnd(22)}${u} ${vi(y)}  ${y.passed}/${y.total} pass  ${y.failed>0?`${I}${y.failed} fail${u}`:`${C}0 fail${u}`}`)}if(l.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`  \u{1F534} ${I}${g}TIER 1 \u2014 Launch Blockers (${l.length})${u}`);for(let d of l)if(t(""),t(`  ${T(d.result)} ${$i(d.priority)} ${g}${d.id}${u} ${d.name}`),t(`    ${m}${d.message}${u}`),d.evidence){for(let y of d.evidence.slice(0,3))t(`    ${m}\u2192 ${y}${u}`);d.evidence.length>3&&t(`    ${m}  ... and ${d.evidence.length-3} more${u}`)}}if(p.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`  \u{1F7E1} ${R}${g}TIER 2 \u2014 Important Issues (${p.length})${u}`),t("");for(let d of p)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${u}${d.name}`);t(""),t(`  ${ne}\u2192 npx @vibecodiq/cli scan --fix${u}  ${m}for details + AI fix prompts${u}`)}if(f.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`  \u26AA ${m}${g}TIER 3 \u2014 Quality & Drift (${f.length})${u}`),t("");for(let d of f)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${d.name}${u}`)}if(s.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`${C}${g}  PASSED (${s.length})${u}`),t("");for(let d of s)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${u}${d.name}`)}if(c.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`${R}${g}  MANUAL REVIEW (${c.length})${u} ${m}\u2014 pattern detected, needs verification${u}`),t("");for(let d of c)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${u}${d.name}`)}if(o.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`${R}${g}  UNKNOWN (${o.length})${u} ${m}\u2014 could not determine${u}`),t("");for(let d of o)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${d.name}${u}`)}if(a.length>0){t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t(""),t(`${m}${g}  NOT APPLICABLE (${a.length})${u} ${m}\u2014 vendor/feature not detected in project${u}`),t("");for(let d of a)t(`  ${T(d.result)} ${m}${d.id.padEnd(16)}${d.name}${u}`)}t(""),t(`${m}${"\u2500".repeat(62)}${u}`),t("");let P=e.checks.length,F=[`${C}${s.length} pass${u}`,r.length>0?`${I}${r.length} fail${u}`:`${C}0 fail${u}`];c.length>0&&F.push(`${R}${c.length} review${u}`),o.length>0&&F.push(`${o.length} unknown`),a.length>0&&F.push(`${m}${a.length} n/a${u}`),t(`  ${g}Total:${u} ${P} checks \u2014 ${F.join(", ")}`),r.length>0?(t(""),t(`  ${ne}${g}npx @vibecodiq/cli scan --fix${u}  ${m}Trust Score + fix cost + AI fix prompts (Pro)${u}`)):t(`  ${C}${g}All checks passed.${u}`),ki()}function Z(e){console.log(JSON.stringify(e,null,2))}var Ai="\x1B[35m";function bi(e){switch(e){case"A":return C;case"B":return C;case"C":return R;case"D":return I;case"F":return I;default:return Q}}function _i(e,t){let n=p=>process.stdout.write(p+`
+`),i=Ci[e.mode]??"SCAN",r=e.checks.filter(p=>!p.shadow),s=r.filter(p=>p.result==="FAIL"),o=r.filter(p=>p.result==="PASS"),a=r.filter(p=>p.result==="UNKNOWN");n(""),n(`${g}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557${u}`),n(`${g}\u2551  VIBECODIQ \u2014 ${i.padEnd(43)}\u2551${u}`),n(`${g}\u2551  Project: ${e.project.padEnd(46)}\u2551${u}`),n(`${g}\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D${u}`),n(""),n(`  ${g}Trust Score:${u}  ${bi(t.grade)}${g}${t.grade}${u} ${m}(${t.trust_score}/100)${u}`),n(`  ${g}Fix Cost:${u}     ${ne}~${t.fix_cost_hours}h${u} estimated`),n(`  ${g}Verdict:${u}      ${t.fix_vs_rebuild==="FIX"?`${C}FIX${u} \u2014 worth fixing`:`${I}REBUILD${u} \u2014 consider rebuilding`}`),n(""),n(`${m}${"\u2500".repeat(62)}${u}`),n("");let c=["L1","L2","L3","L4"];for(let p of c){let f=e.layers[p];if(!f)continue;let S=`${p} ${f.name}`;n(`  ${g}${S.padEnd(22)}${u} ${vi(f)}  ${f.passed}/${f.total} pass  ${f.failed>0?`${I}${f.failed} fail${u}`:`${C}0 fail${u}`}`)}if(s.length>0){n(""),n(`${m}${"\u2500".repeat(62)}${u}`),n(""),n(`  ${I}${g}FAILED (${s.length})${u}`);for(let p of s)if(n(""),n(`  ${T(p.result)} ${$i(p.priority)} ${g}${p.id}${u} ${p.name}`),n(`    ${m}${p.message}${u}`),p.evidence){for(let f of p.evidence.slice(0,3))n(`    ${m}\u2192 ${f}${u}`);p.evidence.length>3&&n(`    ${m}  ... and ${p.evidence.length-3} more${u}`)}}if(t.fix_batches&&t.fix_batches.length>0){n(""),n(`${m}${"\u2500".repeat(62)}${u}`),n(""),n(`  ${Ai}${g}FIX BATCHES (${t.fix_batches.length})${u}`),n(`  ${m}Copy-paste these prompts into your AI tool to fix issues.${u}`);for(let p of t.fix_batches)n(""),n(`  ${Ai}${g}Batch: ${p.title}${u} ${m}(${p.checks.join(", ")})${u}`),n(`  ${m}${"\u2504".repeat(56)}${u}`),n(`  ${Q}${p.prompt}${u}`)}if(o.length>0){n(""),n(`${m}${"\u2500".repeat(62)}${u}`),n(""),n(`${C}${g}  PASSED (${o.length})${u}`),n("");for(let p of o)n(`  ${T(p.result)} ${m}${p.id.padEnd(16)}${u}${p.name}`)}n(""),n(`${m}${"\u2500".repeat(62)}${u}`),n("");let l=e.checks.length;n(`  ${g}Total:${u} ${l} checks \u2014 ${C}${o.length} pass${u}, ${s.length>0?`${I}${s.length} fail${u}`:`${C}0 fail${u}`}, ${a.length} unknown`),n(`  ${g}Trust Score:${u} ${bi(t.grade)}${g}${t.grade}${u} (${t.trust_score}/100)  ${g}Fix:${u} ~${t.fix_cost_hours}h  ${g}Verdict:${u} ${t.fix_vs_rebuild}`),n(""),n(`  ${m}${t.summary}${u}`),ki()}function ki(){let e=t=>process.stdout.write(t+`
+`);e(""),e(`${m}${"\u2500".repeat(62)}${u}`),e(`  ${m}Static source-code analysis focused on high-confidence patterns.${u}`),e(`  ${m}Not a complete security audit. Some findings may need manual review.${u}`),e(`  ${m}https://vibecodiq.com/scan  |  https://asastandard.org${u}`),e("")}function re(){let e=t=>process.stdout.write(t+`
+`);e(""),e(`  ${R}\u26A0 API unavailable. Showing local results only.${u}`),e(`    ${m}Run again later for Trust Score + fix prompts.${u}`),e(`    ${m}Status: https://status.vibecodiq.com${u}`),e("")}import V from"fs";import oe from"path";var G=["#!/bin/bash","# ASA Structure Check \u2014 validates Slice Architecture rules","# Run: npx @vibecodiq/cli guard check (or ./check-structure.sh)","","set -e","",'RULES_FILE=".asa/rules/architecture.md"',"ERRORS=0","WARNINGS=0","",'echo "\u{1F50D} ASA Structure Check \u2014 validating architecture rules..."','echo "   Rules: $RULES_FILE"','echo ""',"","fail() {",'  echo "\u274C FAIL: $1"','  echo "   \u2192 $2"','  echo "   \u2192 Fix: see $RULES_FILE"','  echo ""',"  ERRORS=$((ERRORS + 1))","}","","warn() {",'  echo "\u26A0\uFE0F  WARN: $1"','  echo "   \u2192 $2"','  echo ""',"  WARNINGS=$((WARNINGS + 1))","}","","pass() {",'  echo "\u2705 PASS: $1"',"}","","# CHECK 1: Business logic in src/domains/",'echo "--- Check 1: Business logic in src/domains/ ---"',"",'BIZ_IN_PAGES=$(grep -rl "supabase\\.\\(from\\|auth\\|rpc\\|storage\\)" src/pages/ 2>/dev/null || true)','if [ -n "$BIZ_IN_PAGES" ]; then',"  for f in $BIZ_IN_PAGES; do",'    fail "Business logic in page file: $f" \\','         "Supabase calls must be in src/domains/, not in pages."',"  done","else",'  pass "No business logic found in src/pages/"',"fi","",'if [ -d "src/components" ]; then','  BIZ_IN_COMPONENTS=$(grep -rl "supabase\\.\\(from\\|auth\\|rpc\\|storage\\)" src/components/ 2>/dev/null || true)','  if [ -n "$BIZ_IN_COMPONENTS" ]; then',"    for f in $BIZ_IN_COMPONENTS; do",'      fail "Business logic in component file: $f" \\','           "Supabase calls must be in src/domains/, not in components/."',"    done","  else",'    pass "No business logic found in src/components/"',"  fi","fi","","# CHECK 2: src/domains/ directory exists",'echo ""','echo "--- Check 2: src/domains/ directory exists ---"',"",'TS_FILES=$(find src/ -name "*.ts" -o -name "*.tsx" | grep -v "node_modules" | grep -v "vite-env" | wc -l)',"",'if [ "$TS_FILES" -gt 5 ]; then','  if [ -d "src/domains" ]; then','    pass "src/domains/ directory exists"',"    DOMAIN_COUNT=$(find src/domains -mindepth 1 -maxdepth 1 -type d | wc -l)",'    if [ "$DOMAIN_COUNT" -gt 0 ]; then','      pass "Found $DOMAIN_COUNT domain(s) in src/domains/"',"    else",'      warn "src/domains/ exists but is empty" \\','           "Add domain folders like src/domains/auth/, src/domains/tasks/"',"    fi","  else",'    fail "src/domains/ directory missing" \\','         "Business logic must be in src/domains/<domain>/<slice>/."',"  fi","else",'  pass "Project is small ($TS_FILES files) \u2014 src/domains/ not yet required"',"fi","","# CHECK 3: No cross-domain imports",'echo ""','echo "--- Check 3: No cross-domain imports ---"',"",'if [ -d "src/domains" ]; then',"  CROSS_DOMAIN_VIOLATIONS=0","  for domain_dir in src/domains/*/; do",'    [ ! -d "$domain_dir" ] && continue','    domain_name=$(basename "$domain_dir")','    OTHER_DOMAINS=$(find src/domains -mindepth 1 -maxdepth 1 -type d ! -name "$domain_name" -exec basename {} \\;)',"    for other in $OTHER_DOMAINS; do",'      VIOLATIONS=$(grep -rn "from.*domains/$other\\|import.*domains/$other" "$domain_dir" 2>/dev/null || true)','      if [ -n "$VIOLATIONS" ]; then',"        while IFS= read -r line; do",'          fail "Cross-domain import in $domain_name \u2192 $other" "$line"','        done <<< "$VIOLATIONS"',"        CROSS_DOMAIN_VIOLATIONS=$((CROSS_DOMAIN_VIOLATIONS + 1))","      fi","    done","  done",'  [ "$CROSS_DOMAIN_VIOLATIONS" -eq 0 ] && pass "No cross-domain imports detected"',"else",'  pass "No domains yet \u2014 cross-domain check skipped"',"fi","","# CHECK 4: Pages are thin wrappers",'echo ""','echo "--- Check 4: Pages are thin wrappers ---"',"",'if [ -d "src/pages" ]; then',"  for page in src/pages/*.tsx; do",'    [ ! -f "$page" ] && continue','    PAGE_LINES=$(wc -l < "$page")','    if [ "$PAGE_LINES" -gt 80 ]; then','      fail "Page too large: $page ($PAGE_LINES lines)" \\','           "Pages should be <80 lines. Move logic to src/domains/."',"    fi","  done",'  pass "Page thin wrapper check complete"',"fi","","# CHECK 5: shared/ has no business logic",'echo ""','echo "--- Check 5: shared/ has no business logic ---"',"",'if [ -d "src/shared" ]; then','  BIZ_IN_SHARED=$(grep -rln "TaskList\\|TaskForm\\|PricingCard\\|AdminUser\\|LoginForm\\|RegisterForm" src/shared/ 2>/dev/null || true)','  if [ -n "$BIZ_IN_SHARED" ]; then',"    for f in $BIZ_IN_SHARED; do",'      fail "Business component in shared/: $f" \\','           "Domain-specific components belong in src/domains/."',"    done","  else",'    pass "No business logic found in src/shared/"',"  fi","else",'  pass "src/shared/ not yet created \u2014 check skipped"',"fi","","# RESULTS",'echo ""','echo "=========================================="','if [ "$ERRORS" -gt 0 ]; then','  echo "\u274C ASA STRUCTURE CHECK FAILED"','  echo "   $ERRORS error(s), $WARNINGS warning(s)"','  echo "   Read the architecture rules: $RULES_FILE"','  echo "=========================================="',"  exit 1","else",'  echo "\u2705 ASA STRUCTURE CHECK PASSED"','  echo "   0 errors, $WARNINGS warning(s)"','  echo "=========================================="',"  exit 0","fi",""].join(`
+`);var ee=["# ASA Architecture Rules","","This project follows the ASA Slice Architecture. All code in this repository","MUST follow these rules. CI checks will fail if rules are violated.","","---","","## Rule 1: Business logic goes in `src/domains/`","","All business logic MUST be organized in domain folders:","","```","src/domains/","\u251C\u2500\u2500 auth/           # Authentication and authorization","\u251C\u2500\u2500 billing/        # Payments and subscriptions","\u2514\u2500\u2500 admin/          # Admin panel and user management","```","","Each domain contains **slices** \u2014 self-contained features:","","```","src/domains/<domain>/<slice>/","\u251C\u2500\u2500 <Component>.tsx     # React component (UI)","\u251C\u2500\u2500 use<Action>.ts      # React hook (data fetching / mutations)","\u2514\u2500\u2500 types.ts            # Types (optional)","```","","### What is a Slice?","","One slice = one user action. Examples:","","| Domain | Slice | What it does |","|--------|-------|-------------|","| `auth` | `login` | User logs in |","| `auth` | `register` | User creates account |","| `billing` | `subscribe` | User subscribes to a plan |","| `billing` | `check-limits` | Check if user hit plan limits |","| `admin` | `user-list` | Admin sees all users |","","---","","## Rule 2: Pages are thin wrappers","","Page files MUST be thin wrappers that import from `src/domains/`.","Pages contain NO business logic \u2014 only layout and composition.","Maximum 80 lines per page file.","","---","","## Rule 3: Shared infrastructure goes in `src/shared/`","","Database clients, auth helpers, and external service configs go in `src/shared/`:","","```","src/shared/","\u251C\u2500\u2500 db/","\u2502   \u2514\u2500\u2500 supabase-client.ts","\u251C\u2500\u2500 auth/","\u2502   \u251C\u2500\u2500 AuthGuard.tsx","\u2502   \u2514\u2500\u2500 useCurrentUser.ts","\u2514\u2500\u2500 billing/","    \u2514\u2500\u2500 stripe-client.ts","```","","---","","## Rule 4: No cross-domain imports","","A file in one domain MUST NOT import from another domain.","Use `src/shared/` for cross-domain communication.","","---","","## Rule 5: File naming conventions","","| Type | Pattern | Example |","|------|---------|---------|","| Component | `PascalCase.tsx` | `LoginForm.tsx` |","| Hook | `use<Action>.ts` | `useLogin.ts` |","| Types | `types.ts` | `types.ts` |","| Page | `page.tsx` | `page.tsx` |","| Shared utility | `camelCase.ts` | `supabase-client.ts` |","","---","","**If CI fails, restructure your code to follow these rules.**",""].join(`
+`),te=["name: Vibecodiq Guard","","on:","  push:","    branches: [main]","    paths-ignore:","      - '.asa/logs/**'","  pull_request:","    branches: [main]","","permissions:","  contents: read","  pull-requests: write","  actions: read","","jobs:","  vibecodiq-guard:","    name: Vibecodiq Safety Scan","    runs-on: ubuntu-latest","","    steps:","      - name: Checkout code","        uses: actions/checkout@v4","        with:","          fetch-depth: 0","","      - name: Setup Node.js","        uses: actions/setup-node@v4","        with:","          node-version: '18'","","      - name: Run Vibecodiq scan","        id: scan","        run: |","          npx @vibecodiq/cli@latest scan --all --json > /tmp/scan-result.json 2>/dev/null || true",`          FAIL_COUNT=$(cat /tmp/scan-result.json | python3 -c "import sys,json; r=json.load(sys.stdin); print(sum(1 for c in r.get('checks',[]) if c.get('result')=='FAIL'))" 2>/dev/null || echo 0)`,`          TOTAL=$(cat /tmp/scan-result.json | python3 -c "import sys,json; r=json.load(sys.stdin); print(len(r.get('checks',[])))" 2>/dev/null || echo 0)`,'          echo "fail_count=$FAIL_COUNT" >> "$GITHUB_OUTPUT"','          echo "total=$TOTAL" >> "$GITHUB_OUTPUT"','          if [ "$FAIL_COUNT" -gt 0 ]; then','            echo "has_failures=true" >> "$GITHUB_OUTPUT"',"          else",'            echo "has_failures=false" >> "$GITHUB_OUTPUT"',"          fi","","      - name: Call API for fix prompts","        id: api","        if: steps.scan.outputs.has_failures == 'true' && env.VIBECODIQ_API_TOKEN != ''","        env:","          VIBECODIQ_API_TOKEN: ${{ secrets.VIBECODIQ_API_TOKEN }}","        run: |","          npx @vibecodiq/cli@latest scan --all --fix --json > /tmp/fix-result.json 2>/dev/null || true","          if [ -s /tmp/fix-result.json ]; then",'            echo "api_ok=true" >> "$GITHUB_OUTPUT"',"          else",'            echo "api_ok=false" >> "$GITHUB_OUTPUT"',"          fi","","      - name: Upload scan artifact","        if: always()","        uses: actions/upload-artifact@v4","        with:","          name: vibecodiq-scan","          path: /tmp/scan-result.json","          retention-days: 30","","      - name: Write job summary","        if: always()","        run: |","          echo '## Vibecodiq Safety Scan' >> $GITHUB_STEP_SUMMARY","          FAIL_COUNT=${{ steps.scan.outputs.fail_count }}","          TOTAL=${{ steps.scan.outputs.total }}",'          if [ "$FAIL_COUNT" = "0" ]; then',"            echo '\u2705 **All checks passed** \u2014 your app is production-ready.' >> $GITHUB_STEP_SUMMARY","          else",'            echo "\u274C **$FAIL_COUNT failures** out of $TOTAL checks." >> $GITHUB_STEP_SUMMARY',"            echo '' >> $GITHUB_STEP_SUMMARY","            echo 'Download the scan artifact for full details.' >> $GITHUB_STEP_SUMMARY","          fi","          echo '' >> $GITHUB_STEP_SUMMARY","          echo '---' >> $GITHUB_STEP_SUMMARY","          echo '*Scanned by [Vibecodiq](https://vibecodiq.com) production-readiness checks*' >> $GITHUB_STEP_SUMMARY","","      - name: Post PR comment","        if: github.event_name == 'pull_request' && steps.scan.outputs.has_failures == 'true'","        uses: actions/github-script@v7","        with:","          script: |","            const fs = require('fs');","            const failCount = '${{ steps.scan.outputs.fail_count }}';","            const total = '${{ steps.scan.outputs.total }}';","            ","            // Build comment body","            let body = `## \u274C Vibecodiq Safety Scan \u2014 ${failCount} failures\\n\\n`;","            body += `**${failCount}** of **${total}** checks failed.\\n\\n`;","            ","            // Try to include fix prompts from API result","            try {","              const fixResult = JSON.parse(fs.readFileSync('/tmp/fix-result.json', 'utf-8'));","              if (fixResult.fix_batches && fixResult.fix_batches.length > 0) {","                body += `**Trust Score:** ${fixResult.grade} (${fixResult.trust_score}/100) \xB7 `;","                body += `**Fix:** ~${fixResult.fix_cost_hours}h \xB7 `;","                body += `**Verdict:** ${fixResult.fix_vs_rebuild}\\n\\n`;","                body += `### Top Fix Batches\\n\\n`;","                for (const batch of fixResult.fix_batches.slice(0, 3)) {","                  body += `<details>\\n<summary>${batch.title} (${batch.checks.join(', ')})</summary>\\n\\n`;","                  body += '```\\n' + batch.prompt + '\\n```\\n\\n';","                  body += `</details>\\n\\n`;","                }","              }","            } catch (e) {}","            ","            body += `---\\n*Scanned by [Vibecodiq](https://vibecodiq.com) production-readiness checks*`;","            ","            // Find and update existing comment (sticky)","            const marker = '## \u274C Vibecodiq Safety Scan';","            const { data: comments } = await github.rest.issues.listComments({","              owner: context.repo.owner,","              repo: context.repo.repo,","              issue_number: context.issue.number,","            });","            const existing = comments.find(c => c.body && c.body.startsWith(marker));","            ","            if (existing) {","              await github.rest.issues.updateComment({","                owner: context.repo.owner,","                repo: context.repo.repo,","                comment_id: existing.id,","                body: body,","              });","            } else {","              await github.rest.issues.createComment({","                owner: context.repo.owner,","                repo: context.repo.repo,","                issue_number: context.issue.number,","                body: body,","              });","            }","","      - name: Delete PR comment on pass","        if: github.event_name == 'pull_request' && steps.scan.outputs.has_failures == 'false'","        uses: actions/github-script@v7","        with:","          script: |","            const marker = '## \u274C Vibecodiq Safety Scan';","            const { data: comments } = await github.rest.issues.listComments({","              owner: context.repo.owner,","              repo: context.repo.repo,","              issue_number: context.issue.number,","            });","            const existing = comments.find(c => c.body && c.body.startsWith(marker));","            if (existing) {","              await github.rest.issues.deleteComment({","                owner: context.repo.owner,","                repo: context.repo.repo,","                comment_id: existing.id,","              });","            }","","      - name: Fail if checks failed","        if: steps.scan.outputs.has_failures == 'true'","        run: |",'          echo "\u274C Vibecodiq scan found ${{ steps.scan.outputs.fail_count }} failures."','          echo "Download the scan artifact or check the PR comment for fix instructions."',"          exit 1",""].join(`
+`);var $s="\x1B[36m",vs="\x1B[32m",Cs="\x1B[33m";var Ii="\x1B[1m",M="\x1B[2m",L="\x1B[0m";async function Pi(e,t=!1){let n=oe.resolve(e);console.log(""),console.log(`  ${$s}\u{1F6E1}\uFE0F  Initializing ASA Guard in ${n}${L}`),console.log("");let i=[{path:".asa/rules/architecture.md",content:ee},{path:".github/workflows/asa-guard.yml",content:te},{path:"check-structure.sh",content:G,executable:!0}],r=0,s=0;for(let o of i){let a=oe.join(n,o.path),c=oe.dirname(a);V.existsSync(c)||V.mkdirSync(c,{recursive:!0}),V.existsSync(a)?(console.log(`  ${Cs}\u23ED  ${o.path}${L} ${M}(already exists)${L}`),s++):(V.writeFileSync(a,o.content,"utf-8"),o.executable&&V.chmodSync(a,493),console.log(`  ${vs}\u2713  ${o.path}${L}`),r++)}console.log(""),console.log(`  ${Ii}Done:${L} ${r} file${r!==1?"s":""} created, ${s} skipped.`),console.log(""),console.log(`  ${Ii}Next steps:${L}`),console.log(`  ${M}1.${L} Commit the new files: ${M}git add -A && git commit -m "chore: add ASA Guard"${L}`),console.log(`  ${M}2.${L} Push to GitHub \u2014 CI will run architecture checks on every PR`),console.log(`  ${M}3.${L} Run locally: ${M}npx @vibecodiq/cli guard check${L}`),console.log(""),console.log(`  ${M}Learn more: https://asastandard.org/checks/methodology${L}`),console.log("")}import _ from"fs";import $ from"path";var _s="\x1B[36m",wi="\x1B[32m",ks="\x1B[33m",Li="\x1B[31m",Ni="\x1B[1m",W="\x1B[2m",N="\x1B[0m";async function Ri(e){let t=$.resolve(e);console.log(""),console.log(`  ${_s}\u{1F6E1}\uFE0F  ASA Guard \u2014 Architecture Check${N}`),console.log(`  ${W}   Target: ${t}${N}`),console.log("");let n=[],i=Is(t);n.push(await Ps(t,i)),n.push(await ws(t,i)),n.push(await Ls(t,i)),n.push(await Ns(t,i)),n.push(await Rs(t,i));let r=0,s=0,o=0;for(let a of n){let c=a.status==="PASS"?`${wi}\u2705${N}`:a.status==="FAIL"?`${Li}\u274C${N}`:a.status==="WARN"?`${ks}\u26A0\uFE0F${N}`:`${W}\u23ED${N}`;if(console.log(`  ${c} ${a.name}`),a.status!=="PASS"&&a.status!=="SKIP"&&(console.log(`     ${W}${a.message}${N}`),a.evidence))for(let l of a.evidence.slice(0,3))console.log(`     ${W}\u2192 ${l}${N}`);a.status==="FAIL"?r++:a.status==="WARN"?s++:a.status==="PASS"&&o++}console.log(""),r>0?(console.log(`  ${Li}${Ni}\u274C ASA GUARD CHECK FAILED${N} \u2014 ${r} error${r>1?"s":""}, ${s} warning${s>1?"s":""}`),console.log(`  ${W}   Fix violations and run again.${N}`),console.log(`  ${W}   Rules: .asa/rules/architecture.md${N}`)):console.log(`  ${wi}${Ni}\u2705 ASA GUARD CHECK PASSED${N} \u2014 ${o} passed, ${s} warning${s>1?"s":""}`),console.log(""),process.exit(r>0?1:0)}function Is(e){return _.existsSync($.join(e,"src"))?"src":_.existsSync($.join(e,"app"))?"app":null}function j(e,t){let n=[];if(!_.existsSync(e))return n;let i=_.readdirSync(e,{withFileTypes:!0});for(let r of i){let s=$.join(e,r.name);r.name==="node_modules"||r.name===".git"||(r.isDirectory()?n.push(...j(s,t)):t.some(o=>r.name.endsWith(o))&&n.push(s))}return n}async function Ps(e,t){let n="Business logic in domains/";if(!t)return{name:n,status:"SKIP",message:"No src/ directory found"};let i=$.join(e,t,"pages"),r=$.join(e,t,"components"),s=[],o=/supabase\.(from|auth|rpc|storage)\b/;for(let a of[i,r]){if(!_.existsSync(a))continue;let c=j(a,[".ts",".tsx",".js",".jsx"]);for(let l of c){let p=_.readFileSync(l,"utf-8");o.test(p)&&s.push($.relative(e,l))}}return s.length>0?{name:n,status:"FAIL",message:`Supabase calls found in pages/components (${s.length} file${s.length>1?"s":""})`,evidence:s}:{name:n,status:"PASS",message:""}}async function ws(e,t){let n="domains/ directory exists";if(!t)return{name:n,status:"SKIP",message:"No src/ directory found"};let i=$.join(e,t,"domains"),r=j($.join(e,t),[".ts",".tsx"]);if(r.length<=5)return{name:n,status:"PASS",message:"Project is small \u2014 domains/ not yet required"};if(!_.existsSync(i))return{name:n,status:"FAIL",message:`${r.length} files in ${t}/ but no domains/ directory`,evidence:["Create src/domains/<domain>/<slice>/ for business logic"]};let s=_.readdirSync(i,{withFileTypes:!0}).filter(o=>o.isDirectory());return s.length===0?{name:n,status:"WARN",message:"domains/ exists but is empty"}:{name:n,status:"PASS",message:`${s.length} domain${s.length>1?"s":""} found`}}async function Ls(e,t){let n="No cross-domain imports";if(!t)return{name:n,status:"SKIP",message:"No src/ directory found"};let i=$.join(e,t,"domains");if(!_.existsSync(i))return{name:n,status:"PASS",message:"No domains yet"};let r=_.readdirSync(i,{withFileTypes:!0}).filter(o=>o.isDirectory()).map(o=>o.name),s=[];for(let o of r){let a=$.join(i,o),c=j(a,[".ts",".tsx",".js",".jsx"]),l=r.filter(p=>p!==o);for(let p of c){let f=_.readFileSync(p,"utf-8");for(let S of l)new RegExp(`from.*domains/${S}|import.*domains/${S}`).test(f)&&s.push(`${$.relative(e,p)} \u2192 imports from ${S}/`)}}return s.length>0?{name:n,status:"FAIL",message:`${s.length} cross-domain import${s.length>1?"s":""} found`,evidence:s}:{name:n,status:"PASS",message:""}}async function Ns(e,t){let n="Pages are thin wrappers";if(!t)return{name:n,status:"SKIP",message:"No src/ directory found"};let i=$.join(e,t,"pages");if(!_.existsSync(i))return{name:n,status:"PASS",message:"No pages/ directory (Next.js App Router or no pages)"};let r=j(i,[".tsx",".jsx"]),s=[];for(let o of r){let c=_.readFileSync(o,"utf-8").split(`
+`).length;c>80&&s.push(`${$.relative(e,o)} (${c} lines)`)}return s.length>0?{name:n,status:"FAIL",message:`${s.length} page${s.length>1?"s":""} over 80 lines`,evidence:s}:{name:n,status:"PASS",message:""}}async function Rs(e,t){let n="shared/ has no business logic";if(!t)return{name:n,status:"SKIP",message:"No src/ directory found"};let i=$.join(e,t,"shared");if(!_.existsSync(i))return{name:n,status:"PASS",message:"No shared/ directory yet"};let r=/TaskList|TaskForm|PricingCard|AdminUser|LoginForm|RegisterForm/,s=j(i,[".ts",".tsx",".js",".jsx"]),o=[];for(let a of s){let c=_.readFileSync(a,"utf-8");r.test(c)&&o.push($.relative(e,a))}return o.length>0?{name:n,status:"FAIL",message:`Business components found in shared/ (${o.length} file${o.length>1?"s":""})`,evidence:o}:{name:n,status:"PASS",message:""}}import ie from"fs";import Ei from"path";var Es="\x1B[32m",Fs="\x1B[33m",Ts="\x1B[36m",Fi="\x1B[1m",ae="\x1B[2m",x="\x1B[0m";async function Ti(e){let t=Ei.resolve(e);console.log(""),console.log(`  ${Ts}\u{1F504} Upgrading ASA Guard rules...${x}`),console.log("");let n=[{path:".asa/rules/architecture.md",content:ee},{path:".github/workflows/asa-guard.yml",content:te},{path:"check-structure.sh",content:G,executable:!0}],i=0;for(let r of n){let s=Ei.join(t,r.path);if(!ie.existsSync(s)){console.log(`  ${Fs}\u23ED  ${r.path}${x} ${ae}(not found \u2014 run guard init first)${x}`);continue}if(ie.readFileSync(s,"utf-8")===r.content){console.log(`  ${ae}\u2713  ${r.path} (already up to date)${x}`);continue}ie.writeFileSync(s,r.content,"utf-8"),r.executable&&ie.chmodSync(s,493),console.log(`  ${Es}\u2713  ${r.path}${x} ${Fi}updated${x}`),i++}console.log(""),i>0?console.log(`  ${Fi}${i} file${i>1?"s":""} updated.${x} Commit the changes.`):console.log(`  ${ae}All rules are already up to date.${x}`),console.log("")}function xs(e,t){if(e.startsWith(t))return e.slice(t.length).replace(/^[/\\]/,"");let n=/^\/(?:home|Users)\/[^/]+\//;if(n.test(e))return e.replace(n,"");let i=/^[A-Z]:\\Users\\[^\\]+\\/i;return i.test(e)?e.replace(i,""):e}function Ds(e,t){return e.map(n=>n.replace(/(?:\/(?:home|Users)\/[^\s:]+|[A-Z]:\\Users\\[^\s:]+)/g,i=>xs(i,t)))}function xi(e,t,n,i,r){let s=e.map(o=>({check_id:o.id,result:o.result,name:o.name,module:o.module,layer:o.layer,priority:o.priority,category:o.category,message:o.message,evidence:o.evidence?Ds(o.evidence,t):void 0}));return{cli_version:n,scan_mode:i,project_name:r,timestamp:new Date().toISOString(),findings:s}}import{readFileSync as Us}from"fs";import{join as Ms}from"path";import{homedir as Os}from"os";var Ws=process.env.VIBECODIQ_API_URL||"https://api.vibecodiq.com",js=1e4,ce=1;async function Bs(e,t,n){let i=new AbortController,r=setTimeout(()=>i.abort(),n);try{return await fetch(e,{...t,signal:i.signal})}finally{clearTimeout(r)}}async function Di(e,t){for(let n=0;n<=ce;n++)try{let i=await Bs(`${Ws}/scan`,{method:"POST",headers:{"Content-Type":"application/json",Authorization:`Bearer ${t}`},body:JSON.stringify(e)},js);if(i.ok)return await i.json();if(i.status===401){let r=await i.json().catch(()=>({detail:"Unauthorized"}));throw new B(r.detail??"Invalid API token")}if(i.status>=500&&n<ce)continue;return null}catch(i){if(i instanceof B)throw i;if(n<ce)continue;return null}return null}var B=class extends Error{constructor(t){super(t),this.name="AuthError"}};function Ui(){let e=process.env.VIBECODIQ_API_TOKEN;if(e)return e;try{let t=Ms(Os(),".vibecodiq","token"),n=Us(t,"utf-8").trim();if(n)return n}catch{}return null}var zs="533f2e11ca9bf0419a066f73ff9cc910e23a39053fcb3051eb03f9521794e8db",le="0.4.0",D="\x1B[1m",k="\x1B[2m",H="\x1B[36m",ue="\x1B[33m",h="\x1B[0m",U=process.argv.slice(2),z=U[0],de=U[1];function se(e){for(let t of e.slice(1))if(!t.startsWith("-"))return t;return"."}function O(e){return U.includes(e)}if(z==="scan"){let e=O("--fix"),t=se(U),n=O("--json"),i=!1;if(O("--unreleased")){let l=process.env.VIBECODIQ_INTERNAL_KEY||"";Hs("sha256").update(l).digest("hex")!==zs&&(console.log(""),console.log(`  ${ue}\u26A0 --unreleased requires VIBECODIQ_INTERNAL_KEY environment variable.${h}`),console.log(`  ${k}This flag is restricted to authorized internal use.${h}`),console.log(""),process.exit(1)),i=!0}let r="trust-score";O("--architecture")&&(r="architecture"),O("--all")&&(r="all");let s=i?"all checks":"Phase 1",o=r==="trust-score"?`Safety Scan (${s})`:r==="architecture"?`Architecture Scan (${s})`:`Full Scan (${s})`;n||(console.log(""),console.log(`  ${H}\u23F3 Scanning project \u2014 ${o}...${h}`));let a=await yi(t,{mode:r,allChecks:i}),c=a.checks.some(l=>l.result==="FAIL");if(e){let l=Ui();l||(console.log(""),console.log(`  ${ue}\u26A0 No API token found.${h}`),console.log(""),console.log("  Set your token via:"),console.log(`    ${H}export VIBECODIQ_API_TOKEN=<your-token>${h}`),console.log("  Or save to file:"),console.log(`    ${H}mkdir -p ~/.vibecodiq && echo "<your-token>" > ~/.vibecodiq/token${h}`),console.log(""),console.log(`  ${k}Get your token at: https://vibecodiq.com/pricing${h}`),console.log(""),process.exit(1)),n||console.log(`  ${H}\u23F3 Sending sanitized findings to API...${h}`);let p=xi(a.checks,t.startsWith("/")?t:process.cwd(),le,r,a.project);try{let f=await Di(p,l);f?n?console.log(JSON.stringify({...a,...f},null,2)):_i(a,f):n?Z(a):(J(a),re())}catch(f){f instanceof B&&(console.log(""),console.log(`  ${ue}\u26A0 API authentication failed: ${f.message}${h}`),console.log(`  ${k}Check your VIBECODIQ_API_TOKEN.${h}`),console.log(""),process.exit(1)),n?Z(a):(J(a),re())}process.exit(c?1:0)}n?Z(a):J(a),process.exit(c?1:0)}else if(z==="guard")if(de==="init"){let e=se(U.slice(1)),t=O("--architecture"),n=O("--all");await Pi(e,t||n)}else if(de==="check"){let e=se(U.slice(1));await Ri(e)}else if(de==="upgrade"){let e=se(U.slice(1));await Ti(e)}else console.log(""),console.log(`  ${D}@vibecodiq/cli guard${h} \u2014 Architecture rules & CI enforcement`),console.log(""),console.log(`  ${D}Commands:${h}`),console.log("    guard init                Install safety rules + CI into your repo"),console.log("    guard init --architecture + ASA architecture rules"),console.log("    guard init --all          Install everything"),console.log("    guard check               Run architecture checks locally"),console.log("    guard upgrade             Upgrade rules to latest version"),console.log(""),console.log(`  ${k}Learn more: https://vibecodiq.com/guard${h}`),console.log("");else if(z==="login"){let e=U[1];e||(console.log(""),console.log(`  ${D}@vibecodiq/cli login${h} \u2014 Save your API token`),console.log(""),console.log(`  ${D}Usage:${h}`),console.log("    npx @vibecodiq/cli login <your-token>"),console.log(""),console.log(`  ${k}Your token is saved to ~/.vibecodiq/token${h}`),console.log(`  ${k}Get your token at: https://vibecodiq.com/pricing${h}`),console.log(""),process.exit(1));let{mkdirSync:t,writeFileSync:n}=await import("fs"),{join:i}=await import("path"),{homedir:r}=await import("os"),s=i(r(),".vibecodiq"),o=i(s,"token");t(s,{recursive:!0}),n(o,e.trim()+`
+`,{mode:384}),console.log(""),console.log(`  ${H}\u2713${h} Token saved to ${k}${o}${h}`),console.log(`  ${k}Run: npx @vibecodiq/cli scan --fix${h}`),console.log("")}else if(z==="logout"){let{unlinkSync:e,existsSync:t}=await import("fs"),{join:n}=await import("path"),{homedir:i}=await import("os"),r=n(i(),".vibecodiq","token");t(r)?(e(r),console.log(""),console.log(`  ${H}\u2713${h} Token removed.`),console.log("")):(console.log(""),console.log(`  ${k}No token found. Already logged out.${h}`),console.log(""))}else z==="--version"||z==="-v"?console.log(`@vibecodiq/cli v${le}`):(console.log(""),console.log(`  ${D}@vibecodiq/cli${h} v${le} \u2014 Production safety for AI-built apps`),console.log(""),console.log(`  ${D}Scan${h} ${k}(check what you already have)${h}`),console.log("    scan [path]               Safety scan \u2014 Phase 1 (L2+L3+L4)"),console.log("    scan --architecture       Architecture scan \u2014 Phase 1 (L1)"),console.log("    scan --all                Full scan \u2014 Phase 1 (all layers)"),console.log(`    scan --unreleased         Run all checks incl. unreleased ${k}(internal)${h}`),console.log("    scan --json               JSON output for CI pipelines"),console.log(`    scan --fix                AI fix prompts for failures ${k}(Pro)${h}`),console.log(""),console.log(`  ${D}Guard${h} ${k}(build safely from day one)${h}`),console.log("    guard init                Install safety rules + CI"),console.log("    guard init --architecture + ASA architecture rules"),console.log("    guard init --all          Install everything"),console.log("    guard check               Run architecture checks locally"),console.log("    guard upgrade             Upgrade rules to latest"),console.log(""),console.log(`  ${D}Account${h}`),console.log("    login                     Authenticate for Pro features"),console.log("    logout                    Sign out"),console.log("    --version                 Show version"),console.log(""),console.log(`  ${k}Docs:    https://asastandard.org/checks${h}`),console.log(`  ${k}Pricing: https://vibecodiq.com/pricing${h}`),console.log(""));