argusqa-os 9.2.0

package/src/utils/route-discoverer.js

@@ -0,0 +1,306 @@
+/**
+ * Argus Phase C3: Auto route discovery.
+ *
+ * C3.1  discoverFromSitemap(baseUrl)       — fetch /sitemap.xml, parse <loc> paths
+ * C3.2  discoverFromNextJs(sourceDir)      — scan pages/ + app/ directory structure
+ * C3.3  discoverFromReactRouter(sourceDir) — grep source for <Route path> patterns
+ * C3.4  mergeRoutes(manualRoutes, paths)   — deduplicate, preserve manual config
+ * C3.5  discoverRoutes(baseUrl, ...)       — orchestrate all sources
+ *
+ * Design decisions:
+ *   - discoverFromSitemap uses native fetch (Node 18+) with a 10s timeout; returns []
+ *     on any network or parse error so a missing sitemap never fails a crawl.
+ *   - discoverFromNextJs handles both pages/ (Next 12) and app/ (Next 13+) layouts.
+ *     Route groups like (auth) are stripped from app/ paths.
+ *   - discoverFromReactRouter is intentionally conservative: only static paths
+ *     (starting with /, no :param, no * wildcard) are extracted.
+ *   - mergeRoutes is pure — manual route config (critical, waitFor) is always preserved.
+ */
+
+import fs   from 'fs';
+import path from 'path';
+import { childLogger } from './logger.js';
+
+const logger = childLogger('route-discoverer');
+
+// File extensions to scan for page/route files
+const PAGE_EXTS = new Set(['.js', '.jsx', '.ts', '.tsx']);
+
+// Next.js pages/ entries to always skip
+const NEXTJS_SKIP = new Set(['_app', '_document', '_error', 'api']);
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+/** Derive a human-readable label from a URL path. */
+function nameFromPath(urlPath) {
+  if (urlPath === '/') return 'Home';
+  return urlPath
+    .split('/')
+    .filter(Boolean)
+    .map(seg => seg.charAt(0).toUpperCase() + seg.slice(1).replace(/-/g, ' '))
+    .join(' / ');
+}
+
+/** Recursively list all files under dir. Returns [] if dir doesn't exist. */
+function walkDir(dir) {
+  const results = [];
+  if (!fs.existsSync(dir)) return results;
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    if (entry.isSymbolicLink()) continue; // avoid symlink cycles
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...walkDir(full));
+    } else {
+      results.push(full);
+    }
+  }
+  return results;
+}
+
+// ── C3.1: Sitemap discovery ───────────────────────────────────────────────────
+
+/**
+ * Fetch /sitemap.xml from baseUrl and return same-origin URL paths.
+ * Follows a single level of sitemap index indirection.
+ * Returns [] on any network or parse error.
+ *
+ * @param {string} baseUrl
+ * @returns {Promise<string[]>}
+ */
+const SITEMAP_MAX_BYTES = 5 * 1024 * 1024; // 5 MB cap — prevents OOM on giant sitemaps
+const SITEMAP_MAX_URLS  = 500;              // cap URL list to avoid unbounded crawls
+
+export async function discoverFromSitemap(baseUrl) {
+  const origin = new URL(baseUrl).origin;
+  const sitemapUrl = `${baseUrl.replace(/\/$/, '')}/sitemap.xml`;
+  try {
+    const res = await fetch(sitemapUrl, { signal: AbortSignal.timeout(10000) });
+    if (!res.ok) return [];
+
+    const buf = await res.arrayBuffer();
+    if (buf.byteLength > SITEMAP_MAX_BYTES) return []; // oversized — skip
+    const xml = new TextDecoder().decode(buf);
+
+    // Sitemap index: follow first child sitemap only (avoid unbounded fan-out)
+    // Match <loc> inside a <sitemap> element to avoid picking up a <url><loc> entry.
+    if (/<sitemapindex/i.test(xml)) {
+      const childMatch = xml.match(/<sitemap[^>]*>[\s\S]*?<loc>([\s\S]*?)<\/loc>/i);
+      if (!childMatch) return [];
+      const childUrl = childMatch[1].trim();
+      // SSRF: child sitemap must be same origin as baseUrl
+      try { if (new URL(childUrl).origin !== origin) return []; } catch { return []; }
+      const childRes = await fetch(childUrl, { signal: AbortSignal.timeout(10000) });
+      if (!childRes.ok) return [];
+      const childBuf = await childRes.arrayBuffer();
+      if (childBuf.byteLength > SITEMAP_MAX_BYTES) return [];
+      return parseLocElements(new TextDecoder().decode(childBuf), baseUrl);
+    }
+
+    return parseLocElements(xml, baseUrl);
+  } catch {
+    return [];
+  }
+}
+
+function parseLocElements(xml, baseUrl) {
+  const origin = new URL(baseUrl).origin;
+  const paths = new Set();
+  for (const m of xml.matchAll(/<loc>([\s\S]*?)<\/loc>/gi)) {
+    if (paths.size >= SITEMAP_MAX_URLS) break;
+    const raw = m[1].trim();
+    try {
+      const u = new URL(raw);
+      if (u.origin !== origin) continue;
+      paths.add(u.pathname || '/');
+    } catch { /* skip malformed loc entries */ }
+  }
+  return [...paths];
+}
+
+// ── C3.2: Next.js route discovery ─────────────────────────────────────────────
+
+/**
+ * Scan a Next.js project root for routable pages.
+ *
+ * pages/ layout (Next 12):
+ *   - pages/index.jsx        → /
+ *   - pages/blog/index.jsx   → /blog
+ *   - pages/about.tsx        → /about
+ *   - pages/[slug].tsx       → skipped  (dynamic — no concrete URL to crawl)
+ *   - pages/_app.jsx         → skipped
+ *   - pages/api/*            → skipped
+ *
+ * app/ layout (Next 13+):
+ *   - app/page.tsx           → /
+ *   - app/about/page.tsx     → /about
+ *   - app/(auth)/login/page.tsx → /login  (route group stripped)
+ *   - app/api/route.ts       → skipped (not a page.* file)
+ *
+ * @param {string} sourceDir  project root (contains pages/ and/or app/)
+ * @returns {string[]}
+ */
+export function discoverFromNextJs(sourceDir) {
+  const discovered = new Set();
+
+  // ── pages/ ────────────────────────────────────────────────────────────────
+  const pagesDir = path.join(sourceDir, 'pages');
+  if (fs.existsSync(pagesDir)) {
+    for (const file of walkDir(pagesDir)) {
+      const ext = path.extname(file);
+      if (!PAGE_EXTS.has(ext)) continue;
+
+      const rel   = path.relative(pagesDir, file);
+      const parts = rel.split(path.sep);
+
+      // Skip underscore files and reserved directories anywhere in path
+      if (parts.some(p => p.startsWith('_') || NEXTJS_SKIP.has(p.replace(/\..+$/, '')))) continue;
+
+      // Strip extension from final segment, collapse trailing 'index' to parent
+      const urlParts = parts.map((p, i) => i === parts.length - 1 ? p.replace(ext, '') : p);
+      if (urlParts[urlParts.length - 1] === 'index') urlParts.pop();
+
+      // Skip dynamic segments like [slug] — no concrete URL to crawl
+      if (urlParts.some(p => p.includes('['))) continue;
+
+      discovered.add(urlParts.length === 0 ? '/' : '/' + urlParts.join('/'));
+    }
+  }
+
+  // ── app/ ─────────────────────────────────────────────────────────────────
+  const appDir = path.join(sourceDir, 'app');
+  if (fs.existsSync(appDir)) {
+    for (const file of walkDir(appDir)) {
+      // Only files named page.{ext} are routes in the app/ router
+      if (!/^page\.(js|jsx|ts|tsx)$/.test(path.basename(file))) continue;
+
+      const relDir = path.dirname(path.relative(appDir, file));
+      const parts  = relDir === '.' ? [] : relDir.split(path.sep);
+
+      // Skip api/ and private _folders; strip route groups (parenthesized dirs)
+      if (parts.some(p => p === 'api' || p.startsWith('_'))) continue;
+      const filtered = parts.filter(p => !/^\(.*\)$/.test(p));
+
+      // Skip dynamic segments like [id] — no concrete URL to crawl
+      if (filtered.some(p => p.includes('['))) continue;
+
+      discovered.add(filtered.length === 0 ? '/' : '/' + filtered.join('/'));
+    }
+  }
+
+  return [...discovered];
+}
+
+// ── C3.3: React Router route discovery ───────────────────────────────────────
+
+/**
+ * Grep JS/TS source files for React Router path declarations.
+ *
+ * Detects:
+ *   <Route path="/foo" ... />
+ *   { path: '/foo', element: ... }  (createBrowserRouter / route objects)
+ *
+ * Only static paths are returned: must start with /, no :param segments, no * wildcards.
+ *
+ * @param {string} sourceDir
+ * @returns {string[]}
+ */
+export function discoverFromReactRouter(sourceDir) {
+  if (!fs.existsSync(sourceDir)) return [];
+
+  const files = walkDir(sourceDir).filter(f => PAGE_EXTS.has(path.extname(f)));
+  const discovered = new Set();
+
+  const PATTERNS = [
+    // JSX:  <Route path="/foo"
+    /<Route[^>]*\bpath\s*=\s*['"]([^'"]+)['"]/g,
+    // Object: path: '/foo'
+    /\bpath\s*:\s*['"]([^'"]+)['"]/g,
+  ];
+
+  for (const file of files) {
+    let src;
+    try { src = fs.readFileSync(file, 'utf8'); } catch { continue; }
+
+    for (const re of PATTERNS) {
+      re.lastIndex = 0;
+      for (const m of src.matchAll(re)) {
+        const p = m[1].trim();
+        // Only absolute, static paths
+        if (!p.startsWith('/') || p.includes(':') || p.includes('*')) continue;
+        if (p.includes('//') || /\.(js|ts|json|css)$/.test(p)) continue;
+        discovered.add(p);
+      }
+    }
+  }
+
+  return [...discovered];
+}
+
+// ── C3.4: Merge with manual routes ────────────────────────────────────────────
+
+/**
+ * Merge discovered paths into the manual routes array.
+ * Manual routes always take precedence — their config (critical, waitFor, name) is
+ * preserved as-is. New paths get sensible defaults and a `discovered: true` flag.
+ *
+ * @param {Array<{path: string}>} manualRoutes
+ * @param {string[]} discoveredPaths
+ * @returns {Array}
+ */
+export function mergeRoutes(manualRoutes, discoveredPaths) {
+  const known = new Set(manualRoutes.map(r => r.path));
+  const merged = [...manualRoutes];
+  for (const p of discoveredPaths) {
+    if (!known.has(p)) {
+      known.add(p);
+      merged.push({
+        path:       p,
+        name:       nameFromPath(p),
+        critical:   false,
+        waitFor:    null,
+        discovered: true,
+      });
+    }
+  }
+  return merged;
+}
+
+// ── C3.5: Orchestrator ────────────────────────────────────────────────────────
+
+/**
+ * Run all enabled discovery methods and return a merged route array.
+ *
+ * @param {string} baseUrl
+ * @param {string|null} sourceDir
+ * @param {{ sitemap?: boolean, nextjs?: boolean, reactRouter?: boolean }} autoDiscover
+ * @param {Array} manualRoutes
+ * @returns {Promise<Array>}
+ */
+export async function discoverRoutes(baseUrl, sourceDir, autoDiscover, manualRoutes) {
+  if (!autoDiscover) return manualRoutes;
+  const { sitemap = true, nextjs = true, reactRouter = false } = autoDiscover;
+  const allPaths = [];
+
+  if (sitemap) {
+    const paths = await discoverFromSitemap(baseUrl);
+    allPaths.push(...paths);
+    if (paths.length > 0) logger.info(`[ARGUS] C3: sitemap → ${paths.length} route(s)`);
+  }
+
+  if (nextjs && sourceDir) {
+    const paths = discoverFromNextJs(sourceDir);
+    allPaths.push(...paths);
+    if (paths.length > 0) logger.info(`[ARGUS] C3: Next.js → ${paths.length} route(s)`);
+  }
+
+  if (reactRouter && sourceDir) {
+    const paths = discoverFromReactRouter(sourceDir);
+    allPaths.push(...paths);
+    if (paths.length > 0) logger.info(`[ARGUS] C3: React Router → ${paths.length} route(s)`);
+  }
+
+  const merged = mergeRoutes(manualRoutes, allPaths);
+  const added  = merged.length - manualRoutes.length;
+  if (added > 0) logger.info(`[ARGUS] C3: ${added} new route(s) added (total: ${merged.length})`);
+  return merged;
+}

package/src/utils/security-analyzer.js

@@ -0,0 +1,302 @@
+/**
+ * ARGUS Security Analyzer (v3 Phase A4)
+ *
+ * Three detection surfaces:
+ *   1. DOM / browser context  — SECURITY_ANALYSIS_SCRIPT via evaluate_script
+ *      • localStorage keys with token/auth names or JWT-shaped values
+ *      • eval() in inline <script> tags
+ *      • JS-accessible cookies (no HttpOnly flag)
+ *      • Missing Content-Security-Policy and X-Frame-Options response headers
+ *        (checked via a same-origin fetch HEAD request)
+ *
+ *   2. Console messages       — analyzeSecurityConsole
+ *      • Mixed content (D6.9): "blocked" in message → critical; passive (image/audio) → warning
+ *      • Sensitive data patterns (email address, JWT, Bearer token, param=value)
+ *
+ *   3. Network request URLs   — analyzeSecurityNetwork
+ *      • Sensitive query parameters (?token=, ?key=, ?auth=, …)
+ *      • HTTP resource on HTTPS page (D6.9) — skips loopback; only fires on real HTTPS origins
+ */
+
+import { thresholds }  from '../config/targets.js';
+import { childLogger } from './logger.js';
+
+const logger = childLogger('security-analyzer');
+
+/**
+ * Async arrow function injected into the page via mcp.evaluate_script.
+ * Uses a fetch HEAD request to check response headers on the same origin.
+ * Returns a JSON string consumed by parseSecurityAnalysisResult().
+ * Timeout value is interpolated from thresholds.security.headTimeoutMs at module load.
+ */
+export const SECURITY_ANALYSIS_SCRIPT = `async () => {
+  // 1. localStorage — token-shaped key names or JWT-shaped values
+  const storageTokenKeys = [];
+  try {
+    var kPat = /token|jwt|auth|secret|apikey|api_key|password|credential|session/i;
+    var jwtPat = /^ey[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]+/;
+    var keys = Object.keys(localStorage || {});
+    for (var i = 0; i < keys.length; i++) {
+      var k = keys[i];
+      var v = (localStorage.getItem(k) || '').slice(0, 500);
+      if (kPat.test(k) || jwtPat.test(v)) storageTokenKeys.push(k);
+    }
+  } catch (e) {}
+
+  // 2. eval() in inline <script> tags
+  var evalUsage = false;
+  try {
+    var scripts = Array.prototype.slice.call(document.querySelectorAll('script:not([src])'));
+    evalUsage = scripts.some(function(s) { return /\\beval\\s*\\(/.test(s.textContent || ''); });
+  } catch (e) {}
+
+  // 3. JS-accessible cookies (visible to JS = no HttpOnly flag)
+  // Limitation: document.cookie only exposes cookies WITHOUT HttpOnly. HttpOnly cookies
+  // (most sensitive session tokens) are completely invisible here. The Secure flag also
+  // cannot be detected via JS — Secure-only cookies still appear in document.cookie.
+  // For HttpOnly detection, the only path is response headers (Set-Cookie inspection),
+  // which requires network-layer interception outside this DOM script.
+  var jsCookies = [];
+  try {
+    jsCookies = document.cookie.split(';')
+      .map(function(c) { return c.trim(); })
+      .filter(function(c) { return c.length > 0; })
+      .map(function(c) { return c.split('=')[0].trim(); });
+  } catch (e) {}
+
+  // 4. Response headers — CSP + X-Frame-Options via fetch HEAD (same-origin)
+  // Timeout is configurable via ARGUS_SECURITY_TIMEOUT (ms); defaults to 3000.
+  // Hardcoded 3s caused false negatives on staging servers behind VPNs/proxies.
+  var hasCSP = null, hasXFrame = null;
+  try {
+    var ctrl    = new AbortController();
+    var timeout = (typeof ARGUS_SECURITY_TIMEOUT !== 'undefined' ? ARGUS_SECURITY_TIMEOUT : ${thresholds.security.headTimeoutMs});
+    var tid     = setTimeout(function() { ctrl.abort(); }, timeout);
+    try {
+      // clearTimeout must run even if fetch rejects — use inner try/finally.
+      var r = await fetch(location.href, { method: 'HEAD', cache: 'no-store', signal: ctrl.signal });
+      hasCSP    = r.headers.has('Content-Security-Policy');
+      hasXFrame = r.headers.has('X-Frame-Options');
+    } finally {
+      clearTimeout(tid);
+    }
+  } catch (e) {}
+
+  // 5. iframe sandbox check
+  // Cross-origin iframes without the sandbox attribute can execute scripts,
+  // access top-level navigation, and exfiltrate cookies — significant security risk.
+  var unsandboxedIframes = [];
+  try {
+    var iframes = Array.prototype.slice.call(document.querySelectorAll('iframe[src]'));
+    for (var fi = 0; fi < iframes.length && fi < 20; fi++) {
+      var iframe = iframes[fi];
+      var iframeSrc = iframe.getAttribute('src') || '';
+      if (!iframe.hasAttribute('sandbox') && iframeSrc && !iframeSrc.startsWith('javascript:') && !iframeSrc.startsWith('about:') && !iframeSrc.startsWith('blob:')) {
+        unsandboxedIframes.push({ src: iframeSrc.slice(0, 100) });
+      }
+    }
+  } catch (e) {}
+
+  // 6. Links opening in new tabs without rel="noopener noreferrer"
+  // window.opener on the opened page allows it to navigate the opener — phishing vector.
+  var unsafeBlankLinks = [];
+  try {
+    var blankLinks = Array.prototype.slice.call(document.querySelectorAll('a[target="_blank"]'));
+    for (var li = 0; li < blankLinks.length && li < 30; li++) {
+      var link = blankLinks[li];
+      var rel = (link.getAttribute('rel') || '').toLowerCase();
+      if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
+        unsafeBlankLinks.push({ href: (link.href || link.getAttribute('href') || '').slice(0, 100) });
+      }
+    }
+  } catch (e) {}
+
+  return JSON.stringify({ storageTokenKeys: storageTokenKeys, evalUsage: evalUsage, jsCookies: jsCookies, hasCSP: hasCSP, hasXFrame: hasXFrame, unsandboxedIframes: unsandboxedIframes, unsafeBlankLinks: unsafeBlankLinks });
+}`;
+
+/**
+ * Convert the raw evaluate_script result from SECURITY_ANALYSIS_SCRIPT into
+ * structured bug entries for the Argus report.
+ *
+ * @param {object|string|null} rawResult
+ * @param {string} url - Page URL for context
+ * @returns {object[]}
+ */
+export function parseSecurityAnalysisResult(rawResult, url) {
+  if (rawResult == null) return [];
+
+  let data;
+  try {
+    // Unwrap MCP { result: '...' } wrapper before parsing. Without this,
+    // JSON.stringify({ result: '{"key":"val"}' }) → parse → { result: '...' } and
+    // all field lookups (storageTokenKeys, evalUsage, etc.) return undefined — zero findings.
+    // JSON.stringify on a circular object throws; catch logs and returns [].
+    let raw = rawResult;
+    if (typeof raw === 'object' && !Array.isArray(raw) && raw !== null && raw.result !== undefined) {
+      raw = raw.result;
+    }
+    const str = typeof raw === 'string' ? raw : JSON.stringify(raw);
+    data = JSON.parse(str);
+  } catch (e) {
+    logger.warn('[ARGUS] parseSecurityAnalysisResult: parse failed —', e.message);
+    return [];
+  }
+
+  if (!data || typeof data !== 'object') return [];
+
+  const bugs = [];
+
+  if (Array.isArray(data.storageTokenKeys) && data.storageTokenKeys.length > 0) {
+    bugs.push({
+      type:     'security_token_in_storage',
+      keys:     data.storageTokenKeys,
+      message:  `Auth token stored in localStorage (keys: ${data.storageTokenKeys.join(', ')}) — XSS-accessible`,
+      severity: 'critical',
+      url,
+    });
+  }
+
+  if (data.evalUsage) {
+    bugs.push({
+      type:     'security_eval_usage',
+      message:  'eval() usage detected in inline script — security and performance risk',
+      severity: 'warning',
+      url,
+    });
+  }
+
+  if (Array.isArray(data.jsCookies) && data.jsCookies.length > 0) {
+    bugs.push({
+      type:     'security_cookie_no_httponly',
+      cookies:  data.jsCookies,
+      message:  `${data.jsCookies.length} cookie(s) readable by JavaScript (no HttpOnly flag): ${data.jsCookies.join(', ')}`,
+      severity: 'warning',
+      url,
+    });
+  }
+
+  if (data.hasCSP === false) {
+    bugs.push({
+      type:     'security_missing_csp',
+      message:  'Missing Content-Security-Policy response header — XSS risk',
+      severity: 'warning',
+      url,
+    });
+  }
+
+  if (data.hasXFrame === false) {
+    bugs.push({
+      type:     'security_missing_xframe',
+      message:  'Missing X-Frame-Options response header — clickjacking risk',
+      severity: 'warning',
+      url,
+    });
+  }
+
+  // unsandboxed cross-origin iframes
+  if (Array.isArray(data.unsandboxedIframes) && data.unsandboxedIframes.length > 0) {
+    for (const frame of data.unsandboxedIframes) {
+      bugs.push({
+        type:    'security_iframe_no_sandbox',
+        src:     frame.src,
+        message: `<iframe> with src="${String(frame.src).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').slice(0, 200)}" has no sandbox attribute — add sandbox="allow-scripts allow-same-origin" to restrict capabilities`,
+        severity: 'warning',
+        url,
+      });
+    }
+  }
+
+  // target="_blank" links without rel="noopener noreferrer"
+  // The opened page can access window.opener and redirect the parent tab — phishing vector.
+  if (Array.isArray(data.unsafeBlankLinks) && data.unsafeBlankLinks.length > 0) {
+    bugs.push({
+      type:    'security_unsafe_blank_link',
+      count:   data.unsafeBlankLinks.length,
+      hrefs:   data.unsafeBlankLinks.map(l => l.href),
+      message: `${data.unsafeBlankLinks.length} link(s) with target="_blank" missing rel="noopener noreferrer" — add rel="noopener noreferrer" to prevent opener hijacking`,
+      severity: 'warning',
+      url,
+    });
+  }
+
+  return bugs;
+}
+
+/**
+ * Scan console messages for mixed content warnings and sensitive data patterns.
+ * Targeted pattern avoids false positives on common error strings.
+ *
+ * @param {object[]} consoleMsgs - Raw console message objects ({ level, text })
+ * @param {string}   url
+ * @returns {object[]}
+ */
+export function analyzeSecurityConsole(consoleMsgs, url) {
+  const bugs = [];
+  // Targeted: require delimiter after keyword (password=, secret:) OR structural patterns
+  const sensitivePattern = /password[:=]|secret[:=]|api[_-]?key[:=]|credential[:=]|eyJ[A-Za-z0-9_-]{10,}|Bearer\s+\S{6,}|\b[A-Za-z0-9._%+\-]{1,64}@[A-Za-z0-9.\-]{1,253}\.[A-Za-z]{2,63}\b/i;
+  const mixedContentPattern = /mixed content/i;
+
+  for (const msg of (Array.isArray(consoleMsgs) ? consoleMsgs : [])) {
+    const text = String(msg.text ?? msg.message ?? msg ?? '');
+    if (!text) continue;
+    if (mixedContentPattern.test(text)) {
+      // D6.9: "blocked" in the message → active content, browser refuses to load → critical.
+      // No "blocked" → passive content (image/audio/video), browser loads with a warning → warning.
+      const isBlocked = /\bblocked\b/i.test(text);
+      bugs.push({
+        type:     'security_mixed_content',
+        message:  `Mixed content ${isBlocked ? 'blocked' : 'warning'}: ${text.slice(0, 200)}`,
+        severity: isBlocked ? 'critical' : 'warning',
+        url,
+      });
+    } else if (sensitivePattern.test(text)) {
+      bugs.push({
+        type:     'security_sensitive_console',
+        message:  `Sensitive data in console output: ${text.slice(0, 200)}`,
+        severity: 'warning',
+        url,
+      });
+    }
+  }
+  return bugs;
+}
+
+/**
+ * Scan network request URLs for sensitive query parameters.
+ *
+ * @param {object[]} networkReqs - Network request entries ({ url })
+ * @param {string}   url - Page URL for context
+ * @returns {object[]}
+ */
+export function analyzeSecurityNetwork(networkReqs, url) {
+  const bugs = [];
+  const sensitiveParams = /[?&](token|key|auth|password|secret|apikey|api_key|credential|jwt)=/i;
+  // D6.9: flag HTTP resources on HTTPS pages; skip loopback addresses (not mixed content).
+  const pageIsHttps = (url ?? '').startsWith('https://');
+  const isLoopback  = /^http:\/\/(localhost|127\.|0\.0\.0\.0)/i;
+
+  for (const req of (Array.isArray(networkReqs) ? networkReqs : [])) {
+    const reqUrl = req.url ?? req.requestUrl ?? '';
+    if (!reqUrl) continue;
+
+    if (pageIsHttps && reqUrl.startsWith('http://') && !isLoopback.test(reqUrl)) {
+      bugs.push({
+        type:       'security_mixed_content',
+        requestUrl: reqUrl,
+        message:    `Mixed content: HTTP resource "${reqUrl.slice(0, 200)}" on HTTPS page — request may be blocked`,
+        severity:   'critical',
+        url,
+      });
+    }
+
+    if (!sensitiveParams.test(reqUrl)) continue;
+    bugs.push({
+      type:       'security_token_in_url',
+      requestUrl: reqUrl,
+      message:    `Sensitive parameter in request URL: ${reqUrl.slice(0, 300)}`,
+      severity:   'critical',
+      url,
+    });
+  }
+  return bugs;
+}