bastion-scan 0.1.0

package/dist/index.js

@@ -0,0 +1,3424 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { createRequire } from "module";
+
+// src/cli.ts
+import { Command, Option } from "commander";
+import chalk2 from "chalk";
+import ora from "ora";
+import { OUTPUT_FORMATS } from "@bastion/shared";
+
+// src/scanner.ts
+import { readdir, readFile as readFile9, stat } from "fs/promises";
+import { resolve, join as join10, relative } from "path";
+
+// src/checks/gitignore.ts
+import { readFile } from "fs/promises";
+import { join } from "path";
+var REQUIRED_ENTRIES = [
+  {
+    id: "gitignore-env",
+    pattern: ".env",
+    severity: "critical",
+    description: "Environment file (.env) is not gitignored \u2014 secrets may be committed",
+    fix: "Add `.env` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `.env`. Explain the security risk of committing environment files and suggest a comprehensive .gitignore for my project."
+  },
+  {
+    id: "gitignore-env-local",
+    pattern: ".env.local",
+    severity: "critical",
+    description: "Local environment file (.env.local) is not gitignored \u2014 secrets may be committed",
+    fix: "Add `.env.local` to your .gitignore (or `.env*` to cover all env variants)",
+    aiPrompt: "My project .gitignore is missing `.env.local`. Explain why local environment files should never be committed and how to properly manage environment variables."
+  },
+  {
+    id: "gitignore-node-modules",
+    pattern: "node_modules",
+    severity: "high",
+    description: "node_modules is not gitignored \u2014 bloats repository and may leak internal paths",
+    fix: "Add `node_modules` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `node_modules`. Explain why dependencies should not be committed and the security implications."
+  },
+  {
+    id: "gitignore-pem",
+    pattern: "*.pem",
+    severity: "high",
+    description: "PEM certificate files (*.pem) are not gitignored \u2014 private keys may be committed",
+    fix: "Add `*.pem` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `*.pem`. Explain the risk of committing SSL/TLS certificates and private keys."
+  },
+  {
+    id: "gitignore-key",
+    pattern: "*.key",
+    severity: "high",
+    description: "Key files (*.key) are not gitignored \u2014 private keys may be committed",
+    fix: "Add `*.key` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `*.key`. Explain the risk of committing cryptographic key files to version control."
+  },
+  {
+    id: "gitignore-next",
+    pattern: ".next",
+    severity: "medium",
+    description: "Next.js build output (.next) is not gitignored \u2014 build artifacts bloat the repository",
+    fix: "Add `.next` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `.next`. Explain why build artifacts should not be committed."
+  },
+  {
+    id: "gitignore-dist",
+    pattern: "dist",
+    severity: "medium",
+    description: "Build output (dist) is not gitignored \u2014 compiled files bloat the repository",
+    fix: "Add `dist` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `dist`. Explain why build output should be gitignored."
+  },
+  {
+    id: "gitignore-build",
+    pattern: "build",
+    severity: "medium",
+    description: "Build output (build) is not gitignored \u2014 compiled files bloat the repository",
+    fix: "Add `build` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `build`. Explain why build output directories should be gitignored."
+  },
+  {
+    id: "gitignore-ds-store",
+    pattern: ".DS_Store",
+    severity: "medium",
+    description: "macOS metadata files (.DS_Store) are not gitignored \u2014 OS-specific files should not be committed",
+    fix: "Add `.DS_Store` to your .gitignore file",
+    aiPrompt: "My project .gitignore is missing `.DS_Store`. Explain why OS-specific metadata files should be gitignored."
+  }
+];
+function parseGitignore(content) {
+  return content.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+}
+function normalizeLine(line) {
+  let result = line;
+  if (result.startsWith("/")) result = result.slice(1);
+  if (result.endsWith("/")) result = result.slice(0, -1);
+  return result;
+}
+function escapeRegex(s) {
+  return s.replace(/[.+^${}()|[\]\\?]/g, "\\$&");
+}
+function globMatches(pattern, text) {
+  const regexStr = pattern.split("*").map(escapeRegex).join("[^/]*");
+  return new RegExp(`^${regexStr}$`).test(text);
+}
+function isEntryCovered(entry, lines) {
+  for (const raw of lines) {
+    const line = normalizeLine(raw);
+    if (line.startsWith("!")) continue;
+    if (line === entry) return true;
+    if (entry.includes("*")) continue;
+    if (line.includes("*") && globMatches(line, entry)) return true;
+  }
+  return false;
+}
+var gitignoreCheck = async (context) => {
+  let content;
+  try {
+    content = await readFile(join(context.projectPath, ".gitignore"), "utf-8");
+  } catch (error) {
+    const isNotFound = error instanceof Error && "code" in error && error.code === "ENOENT";
+    if (isNotFound) {
+      return [
+        {
+          id: "gitignore-missing",
+          name: ".gitignore coverage",
+          status: "fail",
+          severity: "critical",
+          category: "configuration",
+          description: "No .gitignore file found \u2014 sensitive files, dependencies, and build artifacts may be committed",
+          fix: "Create a .gitignore file with entries for .env, node_modules, build outputs, and key files",
+          aiPrompt: `My ${context.stack.language} project has no .gitignore file. Generate a comprehensive .gitignore that covers environment files, dependencies, build outputs, IDE files, OS files, and cryptographic keys.`
+        }
+      ];
+    }
+    return [
+      {
+        id: "gitignore-error",
+        name: ".gitignore coverage",
+        status: "skip",
+        severity: "info",
+        category: "configuration",
+        description: `Could not read .gitignore: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+  const lines = parseGitignore(content);
+  const results = [];
+  for (const entry of REQUIRED_ENTRIES) {
+    if (!isEntryCovered(entry.pattern, lines)) {
+      results.push({
+        id: entry.id,
+        name: ".gitignore coverage",
+        status: "fail",
+        severity: entry.severity,
+        category: "configuration",
+        location: ".gitignore",
+        description: entry.description,
+        fix: entry.fix,
+        aiPrompt: entry.aiPrompt
+      });
+    }
+  }
+  if (results.length === 0) {
+    return [
+      {
+        id: "gitignore-coverage",
+        name: ".gitignore coverage",
+        status: "pass",
+        severity: "info",
+        category: "configuration",
+        location: ".gitignore",
+        description: "All essential entries are present in .gitignore"
+      }
+    ];
+  }
+  return results;
+};
+var gitignore_default = gitignoreCheck;
+
+// src/checks/secrets.ts
+import { readFile as readFile2 } from "fs/promises";
+import { join as join2, basename } from "path";
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".ts",
+  ".js",
+  ".tsx",
+  ".jsx",
+  ".env",
+  ".json",
+  ".yaml",
+  ".yml"
+]);
+var IGNORED_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git", "tests", "__tests__", "test", "fixtures"]);
+var SECRET_PATTERNS = [
+  {
+    name: "OpenAI API key",
+    regex: /sk-[A-Za-z0-9]{20,}/,
+    description: "OpenAI API key detected"
+  },
+  {
+    name: "Stripe secret key",
+    regex: /sk_live_[A-Za-z0-9]{20,}/,
+    description: "Stripe secret key detected"
+  },
+  {
+    name: "Stripe publishable key",
+    regex: /pk_live_[A-Za-z0-9]{20,}/,
+    description: "Stripe publishable live key detected"
+  },
+  {
+    name: "AWS access key",
+    regex: /AKIA[0-9A-Z]{16}/,
+    description: "AWS access key ID detected"
+  },
+  {
+    name: "Generic API key assignment",
+    regex: /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9_\-/.]{8,}['"]/i,
+    description: "Hardcoded API key assignment detected"
+  },
+  {
+    name: "Bearer token",
+    regex: /['"]Bearer\s+[A-Za-z0-9_\-/.+]{20,}['"]/,
+    description: "Hardcoded Bearer token detected"
+  },
+  {
+    name: "Database connection string",
+    regex: /(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis):\/\/[^:]+:[^@\s]+@/i,
+    description: "Database connection string with embedded password detected"
+  }
+];
+var AI_PROMPT = "I found a hardcoded secret in my source code. Help me move it to an environment variable. Show me: (1) how to add it to .env, (2) how to read it with process.env or the equivalent for my framework, (3) how to add the key name to .env.example with a placeholder value, and (4) how to validate at startup that the variable is set.";
+function isScannableFile(relativePath) {
+  const segments = relativePath.split("/");
+  const fileName = segments[segments.length - 1] ?? "";
+  const ext = fileName.includes(".") ? "." + (fileName.split(".").pop() ?? "") : "";
+  if (!SCANNABLE_EXTENSIONS.has(ext)) return false;
+  if (segments.some((s) => IGNORED_DIRS.has(s))) return false;
+  if (basename(relativePath) === ".env.example") return false;
+  if (/\.(?:test|spec)\.[jt]sx?$/.test(fileName)) return false;
+  return true;
+}
+function scanContent(content, relativePath) {
+  const lines = content.split("\n");
+  const results = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === void 0) continue;
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*")) {
+      continue;
+    }
+    if (trimmed.startsWith("'") || trimmed.startsWith('"') || trimmed.startsWith("`") || trimmed.startsWith("/")) {
+      continue;
+    }
+    if (/^\w+\s*:\s*['"`/([]/.test(trimmed)) {
+      continue;
+    }
+    for (const pattern of SECRET_PATTERNS) {
+      if (pattern.regex.test(line)) {
+        results.push({
+          id: "secrets",
+          name: `Hardcoded secret: ${pattern.name}`,
+          status: "fail",
+          severity: "critical",
+          category: "Secrets",
+          location: `${relativePath}:${i + 1}`,
+          description: pattern.description,
+          fix: `Remove the hardcoded value and load it from an environment variable instead. Add the key to .env (gitignored) and a placeholder to .env.example.`,
+          aiPrompt: AI_PROMPT
+        });
+      }
+    }
+  }
+  return results;
+}
+var secretsCheck = async (context) => {
+  const filesToScan = context.files.filter(isScannableFile);
+  if (filesToScan.length === 0) {
+    return [
+      {
+        id: "secrets",
+        name: "Hardcoded secrets",
+        status: "skip",
+        severity: "info",
+        description: "No scannable files found"
+      }
+    ];
+  }
+  const allResults = [];
+  const settled = await Promise.allSettled(
+    filesToScan.map(async (file) => {
+      const content = await readFile2(join2(context.projectPath, file), "utf-8");
+      return scanContent(content, file);
+    })
+  );
+  for (const outcome of settled) {
+    if (outcome.status === "fulfilled") {
+      allResults.push(...outcome.value);
+    }
+  }
+  if (allResults.length === 0) {
+    return [
+      {
+        id: "secrets",
+        name: "Hardcoded secrets",
+        status: "pass",
+        severity: "info",
+        description: "No hardcoded secrets detected"
+      }
+    ];
+  }
+  return allResults;
+};
+var secrets_default = secretsCheck;
+
+// src/checks/dependencies.ts
+import { execSync } from "child_process";
+import { existsSync } from "fs";
+import { join as join3 } from "path";
+var CHECK_ID = "dep-vuln";
+var CHECK_NAME = "Dependency vulnerabilities";
+var CATEGORY = "dependencies";
+var SEVERITY_MAP = {
+  critical: "critical",
+  high: "high",
+  moderate: "medium",
+  low: "low"
+};
+function mapSeverity(npmSeverity) {
+  return SEVERITY_MAP[npmSeverity] ?? "info";
+}
+function findAdvisory(via) {
+  return via.find((v) => typeof v !== "string");
+}
+function runNpmAudit(cwd) {
+  try {
+    return execSync("npm audit --json", { cwd, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+  } catch (error) {
+    if (error !== null && typeof error === "object" && "stdout" in error) {
+      const stdout = String(error.stdout);
+      if (stdout.trim()) return stdout;
+    }
+    throw error;
+  }
+}
+function toCheckResult(vuln) {
+  const advisory = findAdvisory(vuln.via);
+  const severity = mapSeverity(vuln.severity);
+  const title = advisory?.title ?? "Vulnerability";
+  const url = advisory?.url;
+  const description = url ? `${vuln.name}: ${title} (${url})` : `${vuln.name}: ${title}`;
+  return {
+    id: `${CHECK_ID}-${vuln.name}`,
+    name: CHECK_NAME,
+    status: "fail",
+    severity,
+    category: CATEGORY,
+    description,
+    fix: `Run \`npm audit fix\` or update the package: \`npm install ${vuln.name}@latest\``,
+    aiPrompt: `I have a ${vuln.severity}-severity vulnerability in the npm package "${vuln.name}".${url ? ` Advisory: ${url}.` : ""} Help me fix this by running \`npm update ${vuln.name}\` or \`npm install ${vuln.name}@latest\`. If this requires a major version upgrade, help me understand what breaking changes to expect and how to migrate my code.`
+  };
+}
+var dependencyCheck = async (context) => {
+  if (!context.packageJson) {
+    return [{
+      id: CHECK_ID,
+      name: CHECK_NAME,
+      status: "skip",
+      severity: "info",
+      category: CATEGORY,
+      description: "No package.json found \u2014 skipping dependency audit"
+    }];
+  }
+  if (!existsSync(join3(context.projectPath, "node_modules"))) {
+    return [{
+      id: CHECK_ID,
+      name: CHECK_NAME,
+      status: "warn",
+      severity: "medium",
+      category: CATEGORY,
+      description: "node_modules not found \u2014 run npm install before scanning",
+      fix: "Run `npm install` to install dependencies before scanning."
+    }];
+  }
+  let output;
+  try {
+    output = runNpmAudit(context.projectPath);
+  } catch {
+    return [{
+      id: CHECK_ID,
+      name: CHECK_NAME,
+      status: "skip",
+      severity: "info",
+      category: CATEGORY,
+      description: "npm audit could not be run \u2014 ensure npm is installed and available"
+    }];
+  }
+  let report;
+  try {
+    report = JSON.parse(output);
+  } catch {
+    return [{
+      id: CHECK_ID,
+      name: CHECK_NAME,
+      status: "skip",
+      severity: "info",
+      category: CATEGORY,
+      description: "Failed to parse npm audit output"
+    }];
+  }
+  const vulns = report.vulnerabilities;
+  if (!vulns || Object.keys(vulns).length === 0) {
+    return [{
+      id: CHECK_ID,
+      name: CHECK_NAME,
+      status: "pass",
+      severity: "info",
+      category: CATEGORY,
+      description: "No known vulnerabilities found in dependencies"
+    }];
+  }
+  return Object.values(vulns).map(toCheckResult);
+};
+var dependencies_default = dependencyCheck;
+
+// src/checks/env-example.ts
+import { readFile as readFile3 } from "fs/promises";
+import { join as join4 } from "path";
+var CHECK_ID2 = "env-example";
+var CHECK_NAME2 = ".env.example exists";
+var STRONG_PREFIXES = [
+  "AKIA",
+  "ghp_",
+  "gho_",
+  "github_pat_",
+  "xoxb-",
+  "xoxp-",
+  "glpat-"
+];
+var WEAK_PREFIXES = [
+  "sk-",
+  "sk_live_",
+  "sk_test_",
+  "pk_live_",
+  "pk_test_"
+];
+var PLACEHOLDER_WORDS = [
+  "your_",
+  "your-",
+  "changeme",
+  "change_me",
+  "change-me",
+  "replace",
+  "xxx",
+  "placeholder",
+  "example",
+  "sample",
+  "todo",
+  "fixme",
+  "insert",
+  "<",
+  ">"
+];
+function matchesEnvPattern(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("!")) {
+    return false;
+  }
+  const clean = trimmed.startsWith("/") ? trimmed.slice(1) : trimmed;
+  return clean === ".env" || clean === ".env*";
+}
+function isEnvGitignored(content) {
+  return content.split(/\r?\n/).some(matchesEnvPattern);
+}
+function looksLikeRealSecret(value) {
+  const trimmed = value.trim().replace(/^["']|["']$/g, "");
+  if (!trimmed) return false;
+  if (STRONG_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) return true;
+  const lower = trimmed.toLowerCase();
+  if (PLACEHOLDER_WORDS.some((w) => lower.includes(w))) return false;
+  if (WEAK_PREFIXES.some((prefix) => trimmed.startsWith(prefix))) return true;
+  if (/^[a-zA-Z0-9+/=_-]{40,}$/.test(trimmed)) return true;
+  return false;
+}
+function findRealSecrets(content) {
+  const secrets = [];
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex);
+    const value = trimmed.slice(eqIndex + 1);
+    if (looksLikeRealSecret(value)) {
+      secrets.push(key);
+    }
+  }
+  return secrets;
+}
+async function readProjectFile(projectPath, filename) {
+  try {
+    return await readFile3(join4(projectPath, filename), "utf-8");
+  } catch {
+    return void 0;
+  }
+}
+var envExampleCheck = async (context) => {
+  try {
+    const gitignoreContent = await readProjectFile(context.projectPath, ".gitignore");
+    if (gitignoreContent === void 0) {
+      return [
+        {
+          id: CHECK_ID2,
+          name: CHECK_NAME2,
+          status: "skip",
+          severity: "info",
+          description: "No .gitignore found \u2014 cannot determine if .env is excluded"
+        }
+      ];
+    }
+    if (!isEnvGitignored(gitignoreContent)) {
+      return [
+        {
+          id: CHECK_ID2,
+          name: CHECK_NAME2,
+          status: "skip",
+          severity: "info",
+          description: ".env is not in .gitignore \u2014 see gitignore check for coverage"
+        }
+      ];
+    }
+    const hasExample = context.files.includes(".env.example");
+    const hasSample = context.files.includes(".env.sample");
+    if (!hasExample && !hasSample) {
+      return [
+        {
+          id: CHECK_ID2,
+          name: CHECK_NAME2,
+          status: "fail",
+          severity: "high",
+          category: "configuration",
+          description: ".env is gitignored but no .env.example or .env.sample exists. New developers won\u2019t know which environment variables are required, leading to broken setups and wasted onboarding time.",
+          fix: "Create a .env.example file listing every required environment variable with placeholder values (e.g. DATABASE_URL=your_database_url_here). Commit it to the repository so new team members can copy it to .env and fill in their own values.",
+          aiPrompt: "I have a project with a .env file that is gitignored. Generate a .env.example file based on my .env file. Replace all real values with descriptive placeholders (e.g. YOUR_API_KEY_HERE, your_database_url_here). Add comments explaining what each variable is for and where to get the value. Keep the structure identical to the original .env."
+        }
+      ];
+    }
+    const templateFile = hasExample ? ".env.example" : ".env.sample";
+    const templateContent = await readProjectFile(context.projectPath, templateFile);
+    if (templateContent === void 0) {
+      return [
+        {
+          id: CHECK_ID2,
+          name: CHECK_NAME2,
+          status: "pass",
+          severity: "info",
+          category: "configuration",
+          description: `${templateFile} exists (content could not be verified)`
+        }
+      ];
+    }
+    const realSecrets = findRealSecrets(templateContent);
+    if (realSecrets.length > 0) {
+      return [
+        {
+          id: CHECK_ID2,
+          name: CHECK_NAME2,
+          status: "fail",
+          severity: "high",
+          category: "configuration",
+          location: templateFile,
+          description: `${templateFile} appears to contain real secret values for: ${realSecrets.join(", ")}. Template files should only contain placeholders, not actual credentials.`,
+          fix: `Replace real values in ${templateFile} with descriptive placeholders like YOUR_API_KEY_HERE or empty strings. Never commit actual secrets to version control, even in example files.`,
+          aiPrompt: `Review my ${templateFile} file and replace any real-looking secret values with safe placeholders. Keep the variable names but replace values with descriptive placeholders like YOUR_API_KEY_HERE. Add a comment above each variable explaining what it\u2019s for.`
+        }
+      ];
+    }
+    return [
+      {
+        id: CHECK_ID2,
+        name: CHECK_NAME2,
+        status: "pass",
+        severity: "info",
+        category: "configuration",
+        description: `${templateFile} exists with placeholder values`
+      }
+    ];
+  } catch (error) {
+    return [
+      {
+        id: CHECK_ID2,
+        name: CHECK_NAME2,
+        status: "skip",
+        severity: "info",
+        description: `Check failed: ${error instanceof Error ? error.message : String(error)}`
+      }
+    ];
+  }
+};
+var env_example_default = envExampleCheck;
+
+// src/checks/security-txt.ts
+import { readFile as readFile4 } from "fs/promises";
+import { join as join5 } from "path";
+var SECURITY_TXT_PATHS = [".well-known/security.txt", "security.txt"];
+var SECURITY_MD = "SECURITY.md";
+var CHECK_ID3 = "security-txt";
+function parseFields(content) {
+  const fields = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#") || trimmed.startsWith("-----")) continue;
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim().toLowerCase();
+    const value = trimmed.slice(colonIndex + 1).trim();
+    if (value === "") continue;
+    const existing = fields.get(key);
+    fields.set(key, existing ? [...existing, value] : [value]);
+  }
+  return fields;
+}
+function isExpired(value) {
+  const date = new Date(value);
+  return !isNaN(date.getTime()) && date.getTime() < Date.now();
+}
+function validateSecurityTxt(fields, location) {
+  const results = [];
+  const hasContact = (fields.get("contact") ?? []).length > 0;
+  const firstExpires = (fields.get("expires") ?? [])[0];
+  const hasExpires = firstExpires !== void 0;
+  if (!hasContact) {
+    results.push({
+      id: `${CHECK_ID3}-contact`,
+      name: "security.txt missing Contact field",
+      status: "fail",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: "security.txt is missing the required Contact field. Security researchers need a way to reach you.",
+      fix: "Add a Contact field to your security.txt. Example: Contact: mailto:security@example.com",
+      aiPrompt: "My security.txt file is missing the required Contact field. Add a Contact field with my security email address using mailto: URI format per RFC 9116."
+    });
+  }
+  if (!hasExpires) {
+    results.push({
+      id: `${CHECK_ID3}-expires`,
+      name: "security.txt missing Expires field",
+      status: "fail",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: "security.txt is missing the required Expires field. This field ensures the information stays current.",
+      fix: "Add an Expires field with a date no more than 1 year in the future. Example: Expires: 2027-12-31T23:59:59.000Z",
+      aiPrompt: "My security.txt file is missing the required Expires field. Add an Expires field set to one year from today in ISO 8601 date-time format per RFC 9116."
+    });
+  } else if (isExpired(firstExpires)) {
+    results.push({
+      id: `${CHECK_ID3}-expired`,
+      name: "security.txt has expired",
+      status: "warn",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: `security.txt Expires date (${firstExpires}) is in the past. An expired security.txt signals the contact information may be stale.`,
+      fix: "Update the Expires field to a future date, no more than 1 year ahead. Use the generator at https://securitytxt.org/",
+      aiPrompt: "My security.txt Expires field is in the past. Update it to one year from today in ISO 8601 date-time format. Also review the Contact field to ensure it is still accurate."
+    });
+  }
+  if (hasContact && hasExpires && !isExpired(firstExpires)) {
+    results.push({
+      id: CHECK_ID3,
+      name: "security.txt is valid",
+      status: "pass",
+      severity: "info",
+      category: "disclosure",
+      location,
+      description: "security.txt exists with required Contact and Expires fields."
+    });
+  }
+  return results;
+}
+var securityTxtCheck = async (context) => {
+  const securityTxtFile = SECURITY_TXT_PATHS.find((p) => context.files.includes(p));
+  const hasSecurityMd = context.files.includes(SECURITY_MD);
+  if (!securityTxtFile && !hasSecurityMd) {
+    return [
+      {
+        id: CHECK_ID3,
+        name: "Security policy missing",
+        status: "fail",
+        severity: "medium",
+        category: "disclosure",
+        description: "No security.txt or SECURITY.md found. A security disclosure policy tells researchers how to report vulnerabilities.",
+        fix: "Create .well-known/security.txt with Contact and Expires fields. Use the generator at https://securitytxt.org/",
+        aiPrompt: "Generate a security.txt file for my project following RFC 9116. Include Contact (use my email: [YOUR_EMAIL]), Expires (1 year from now), and Preferred-Languages fields. Place it at .well-known/security.txt. Also create a SECURITY.md with a vulnerability disclosure policy."
+      }
+    ];
+  }
+  const results = [];
+  if (securityTxtFile) {
+    try {
+      const content = await readFile4(join5(context.projectPath, securityTxtFile), "utf-8");
+      results.push(...validateSecurityTxt(parseFields(content), securityTxtFile));
+    } catch {
+      results.push({
+        id: CHECK_ID3,
+        name: "security.txt unreadable",
+        status: "skip",
+        severity: "info",
+        category: "disclosure",
+        location: securityTxtFile,
+        description: `Could not read ${securityTxtFile}. Skipping validation.`
+      });
+    }
+  }
+  if (hasSecurityMd) {
+    results.push({
+      id: `${CHECK_ID3}-md`,
+      name: "SECURITY.md exists",
+      status: "pass",
+      severity: "info",
+      category: "disclosure",
+      location: SECURITY_MD,
+      description: "SECURITY.md found \u2014 vulnerability disclosure policy is documented."
+    });
+  }
+  return results;
+};
+var security_txt_default = securityTxtCheck;
+
+// src/utils/fetch-with-retry.ts
+var RETRY_DELAY_MS = 2e3;
+var TIMEOUT_PER_ATTEMPT_MS = 1e4;
+var CONNECTION_ERROR_PATTERNS = [
+  "ECONNREFUSED",
+  "ETIMEDOUT",
+  "ENOTFOUND"
+];
+function isConnectionError(error) {
+  if (error instanceof DOMException && error.name === "AbortError") {
+    return true;
+  }
+  const message = error instanceof Error ? error.message : "";
+  const causeMessage = error instanceof Error && error.cause instanceof Error ? error.cause.message : "";
+  const combined = `${message} ${causeMessage}`;
+  return CONNECTION_ERROR_PATTERNS.some((code) => combined.includes(code));
+}
+function delay(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+async function fetchWithRetry(url, init) {
+  for (let attempt = 1; attempt <= 2; attempt++) {
+    try {
+      const response = await fetch(url, {
+        ...init,
+        signal: AbortSignal.timeout(TIMEOUT_PER_ATTEMPT_MS)
+      });
+      return { response, attempts: attempt };
+    } catch (error) {
+      if (attempt === 1 && isConnectionError(error)) {
+        await delay(RETRY_DELAY_MS);
+        continue;
+      }
+      return { error, attempts: attempt };
+    }
+  }
+  return { error: new Error("Unexpected retry exhaustion"), attempts: 2 };
+}
+
+// src/checks/headers.ts
+var CHECK_ID4 = "headers";
+var CATEGORY2 = "headers";
+var REQUIRED_HEADERS = [
+  {
+    header: "content-security-policy",
+    label: "Content-Security-Policy",
+    description: "Content-Security-Policy header is missing. CSP prevents cross-site scripting (XSS) and data injection attacks by controlling which resources the browser is allowed to load.",
+    fix: "Add a Content-Security-Policy header. Start with a restrictive policy like `default-src 'self'` and loosen as needed."
+  },
+  {
+    header: "strict-transport-security",
+    label: "Strict-Transport-Security",
+    description: "Strict-Transport-Security header is missing. HSTS forces browsers to use HTTPS, preventing protocol downgrade attacks and cookie hijacking.",
+    fix: "Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` to enforce HTTPS for one year."
+  },
+  {
+    header: "x-content-type-options",
+    label: "X-Content-Type-Options",
+    description: "X-Content-Type-Options header is missing. This header prevents MIME-type sniffing, which can turn non-executable MIME types into executable ones.",
+    fix: "Add `X-Content-Type-Options: nosniff` to prevent browsers from MIME-sniffing the response."
+  },
+  {
+    header: "x-frame-options",
+    label: "X-Frame-Options",
+    description: "X-Frame-Options header is missing. This header prevents your site from being embedded in iframes, protecting against clickjacking attacks.",
+    fix: "Add `X-Frame-Options: DENY` (or SAMEORIGIN if you need to embed your own pages)."
+  },
+  {
+    header: "referrer-policy",
+    label: "Referrer-Policy",
+    description: "Referrer-Policy header is missing. Without it, the browser may leak the full URL (including query parameters with sensitive data) to third-party sites.",
+    fix: "Add `Referrer-Policy: strict-origin-when-cross-origin` to limit referrer information sent to other origins."
+  },
+  {
+    header: "permissions-policy",
+    label: "Permissions-Policy",
+    description: "Permissions-Policy header is missing. This header controls which browser features (camera, microphone, geolocation) your site can use, reducing attack surface.",
+    fix: "Add a Permissions-Policy header disabling unused features. Example: `Permissions-Policy: camera=(), microphone=(), geolocation=()`."
+  }
+];
+function buildAiPrompt(missing, context) {
+  const headerList = missing.join(", ");
+  const framework = context.stack.framework?.toLowerCase();
+  if (framework === "express" || framework === "fastify" || framework === "koa") {
+    return `My ${framework} app is missing these security headers: ${headerList}. Install and configure helmet.js to add all recommended security headers. Show the middleware setup.`;
+  }
+  if (framework === "next" || framework === "nextjs") {
+    return `My Next.js app is missing these security headers: ${headerList}. Add them using the headers() function in next.config.js. Show the full configuration.`;
+  }
+  return `My web app is missing these security headers: ${headerList}. Show how to configure my web server or framework to add each header with recommended values.`;
+}
+var headersCheck = async (context) => {
+  if (!context.url) {
+    return [
+      {
+        id: CHECK_ID4,
+        name: "Security headers skipped",
+        status: "skip",
+        severity: "info",
+        category: CATEGORY2,
+        description: "No URL provided \u2014 skipping HTTP security header check. Pass --url to enable."
+      }
+    ];
+  }
+  const { response } = await fetchWithRetry(context.url);
+  if (!response) {
+    const hostname = safeHostname(context.url);
+    return [
+      {
+        id: CHECK_ID4,
+        name: "Security headers skipped",
+        status: "skip",
+        severity: "info",
+        category: CATEGORY2,
+        description: `Could not connect to ${hostname} after 2 attempts. Skipping header check.`
+      }
+    ];
+  }
+  if (response.status !== 200) {
+    return [
+      {
+        id: CHECK_ID4,
+        name: "Security headers skipped",
+        status: "skip",
+        severity: "info",
+        category: CATEGORY2,
+        description: `Received HTTP ${response.status} from ${safeHostname(context.url)}. Skipping header check (expected 200).`
+      }
+    ];
+  }
+  const missing = [];
+  for (const spec of REQUIRED_HEADERS) {
+    if (!response.headers.has(spec.header)) {
+      missing.push(spec);
+    }
+  }
+  if (missing.length === 0) {
+    return [
+      {
+        id: CHECK_ID4,
+        name: "All security headers present",
+        status: "pass",
+        severity: "info",
+        category: CATEGORY2,
+        description: `All ${REQUIRED_HEADERS.length} recommended security headers are present.`
+      }
+    ];
+  }
+  const aiPrompt = buildAiPrompt(
+    missing.map((s) => s.label),
+    context
+  );
+  const results = missing.map((spec) => ({
+    id: `${CHECK_ID4}-${spec.header}`,
+    name: `Missing ${spec.label}`,
+    status: "fail",
+    severity: "high",
+    category: CATEGORY2,
+    location: context.url,
+    description: spec.description,
+    fix: spec.fix,
+    aiPrompt
+  }));
+  return results;
+};
+function safeHostname(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return url;
+  }
+}
+var headers_default = headersCheck;
+
+// src/checks/security-txt-url.ts
+var CHECK_ID5 = "security-txt-url";
+var PATHS = ["/.well-known/security.txt", "/security.txt"];
+function parseFields2(content) {
+  const fields = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#") || trimmed.startsWith("-----")) continue;
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim().toLowerCase();
+    const value = trimmed.slice(colonIndex + 1).trim();
+    if (value === "") continue;
+    const existing = fields.get(key);
+    fields.set(key, existing ? [...existing, value] : [value]);
+  }
+  return fields;
+}
+function isExpired2(value) {
+  const date = new Date(value);
+  return !isNaN(date.getTime()) && date.getTime() < Date.now();
+}
+async function fetchSecurityTxt(url) {
+  const { response } = await fetchWithRetry(url);
+  if (!response || !response.ok) return null;
+  const contentType = response.headers.get("content-type") ?? "";
+  if (!contentType.includes("text/plain")) return null;
+  return await response.text();
+}
+function validateFields(fields, location) {
+  const results = [];
+  const hasContact = (fields.get("contact") ?? []).length > 0;
+  const firstExpires = (fields.get("expires") ?? [])[0];
+  const hasExpires = firstExpires !== void 0;
+  if (!hasContact) {
+    results.push({
+      id: `${CHECK_ID5}-contact`,
+      name: "security.txt missing Contact field",
+      status: "fail",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: "security.txt is missing the required Contact field. Security researchers need a way to reach you.",
+      fix: "Add a Contact field to your security.txt. Example: Contact: mailto:security@example.com. See https://securitytxt.org/",
+      aiPrompt: "My security.txt file is missing the required Contact field. Add a Contact field with my security email address using mailto: URI format per RFC 9116."
+    });
+  }
+  if (!hasExpires) {
+    results.push({
+      id: `${CHECK_ID5}-expires`,
+      name: "security.txt missing Expires field",
+      status: "fail",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: "security.txt is missing the required Expires field. This field ensures the information stays current.",
+      fix: "Add an Expires field with a date no more than 1 year in the future. Example: Expires: 2027-12-31T23:59:59.000Z. See https://securitytxt.org/",
+      aiPrompt: "My security.txt file is missing the required Expires field. Add an Expires field set to one year from today in ISO 8601 date-time format per RFC 9116."
+    });
+  } else if (isExpired2(firstExpires)) {
+    results.push({
+      id: `${CHECK_ID5}-expired`,
+      name: "security.txt has expired",
+      status: "warn",
+      severity: "medium",
+      category: "disclosure",
+      location,
+      description: `security.txt Expires date (${firstExpires}) is in the past. An expired security.txt signals the contact information may be stale.`,
+      fix: "Update the Expires field to a future date, no more than 1 year ahead. Use the generator at https://securitytxt.org/",
+      aiPrompt: "My security.txt Expires field is in the past. Update it to one year from today in ISO 8601 date-time format. Also review the Contact field to ensure it is still accurate."
+    });
+  }
+  if (hasContact && hasExpires && !isExpired2(firstExpires)) {
+    results.push({
+      id: CHECK_ID5,
+      name: "security.txt is valid (via URL)",
+      status: "pass",
+      severity: "info",
+      category: "disclosure",
+      location,
+      description: "security.txt found via URL with required Contact and Expires fields."
+    });
+  }
+  return results;
+}
+var securityTxtUrlCheck = async (context) => {
+  if (!context.url) {
+    return [
+      {
+        id: CHECK_ID5,
+        name: "security.txt URL check skipped",
+        status: "skip",
+        severity: "info",
+        category: "disclosure",
+        description: "No URL provided \u2014 skipping remote security.txt check."
+      }
+    ];
+  }
+  const base = context.url.replace(/\/+$/, "");
+  for (const path of PATHS) {
+    const url = `${base}${path}`;
+    const body = await fetchSecurityTxt(url);
+    if (body !== null) {
+      return validateFields(parseFields2(body), url);
+    }
+  }
+  return [
+    {
+      id: CHECK_ID5,
+      name: "security.txt not found via URL",
+      status: "fail",
+      severity: "medium",
+      category: "disclosure",
+      description: `No security.txt found at ${base}${PATHS[0]} or ${base}${PATHS[1]}. A security.txt file tells researchers how to report vulnerabilities.`,
+      fix: "Create a security.txt file and serve it at /.well-known/security.txt. Use the generator at https://securitytxt.org/",
+      aiPrompt: "Generate a security.txt file for my project following RFC 9116. Include Contact (use my email: [YOUR_EMAIL]), Expires (1 year from now), and Preferred-Languages fields. Serve it at /.well-known/security.txt."
+    }
+  ];
+};
+var security_txt_url_default = securityTxtUrlCheck;
+
+// src/checks/ssl.ts
+import { connect as tlsConnect } from "tls";
+import { request as httpRequest } from "http";
+var CHECK_ID6 = "ssl";
+var CATEGORY3 = "transport";
+var TIMEOUT_MS = 1e4;
+var CERT_ERROR_MESSAGES = {
+  CERT_HAS_EXPIRED: "SSL certificate has expired",
+  DEPTH_ZERO_SELF_SIGNED_CERT: "Self-signed certificate (not trusted by browsers)",
+  SELF_SIGNED_CERT_IN_CHAIN: "Self-signed certificate in the certificate chain",
+  UNABLE_TO_VERIFY_LEAF_SIGNATURE: "Unable to verify the certificate",
+  ERR_TLS_CERT_ALTNAME_INVALID: "Certificate hostname does not match the domain"
+};
+var CONNECTION_ERRORS = /* @__PURE__ */ new Set([
+  "ECONNREFUSED",
+  "ECONNRESET",
+  "ETIMEDOUT",
+  "ENOTFOUND",
+  "EHOSTUNREACH"
+]);
+function verifyCertificate(hostname, port) {
+  return new Promise((resolve2, reject) => {
+    let settled = false;
+    const socket = tlsConnect(
+      { host: hostname, port, servername: hostname, rejectUnauthorized: true },
+      () => {
+        if (settled) return;
+        settled = true;
+        socket.destroy();
+        resolve2();
+      }
+    );
+    socket.setTimeout(TIMEOUT_MS);
+    socket.on("timeout", () => {
+      if (settled) return;
+      settled = true;
+      socket.destroy();
+      reject(Object.assign(new Error("Connection timed out"), { code: "ETIMEDOUT" }));
+    });
+    socket.on("error", (err) => {
+      if (settled) return;
+      settled = true;
+      socket.destroy();
+      reject(err);
+    });
+  });
+}
+function checkHttpsRedirect(hostname) {
+  return new Promise((resolve2) => {
+    let settled = false;
+    const req = httpRequest(
+      { hostname, port: 80, method: "HEAD", path: "/" },
+      (res) => {
+        if (settled) return;
+        settled = true;
+        const status = res.statusCode ?? 0;
+        const location = res.headers.location ?? "";
+        const isRedirect = status >= 300 && status < 400;
+        resolve2(isRedirect && location.startsWith("https://"));
+      }
+    );
+    req.setTimeout(TIMEOUT_MS);
+    req.on("timeout", () => {
+      if (settled) return;
+      settled = true;
+      resolve2(false);
+      req.destroy();
+    });
+    req.on("error", () => {
+      if (settled) return;
+      settled = true;
+      resolve2(false);
+    });
+    req.end();
+  });
+}
+var RETRY_DELAY_MS2 = 2e3;
+function delay2(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+async function verifyCertificateWithRetry(hostname, port) {
+  try {
+    await verifyCertificate(hostname, port);
+  } catch (error) {
+    const code = error instanceof Error ? error.code ?? "" : "";
+    if (CONNECTION_ERRORS.has(code)) {
+      await delay2(RETRY_DELAY_MS2);
+      await verifyCertificate(hostname, port);
+    } else {
+      throw error;
+    }
+  }
+}
+function buildCertErrorResult(error, hostname) {
+  const code = error.code ?? "";
+  if (CONNECTION_ERRORS.has(code)) {
+    return {
+      id: `${CHECK_ID6}-cert`,
+      name: "SSL certificate could not be verified",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY3,
+      location: hostname,
+      description: `Could not connect to ${hostname} after 2 attempts. Skipping SSL certificate check.`
+    };
+  }
+  const message = CERT_ERROR_MESSAGES[code] ?? `Certificate verification failed: ${error.message}`;
+  return {
+    id: `${CHECK_ID6}-cert`,
+    name: "Invalid SSL certificate",
+    status: "fail",
+    severity: "critical",
+    category: CATEGORY3,
+    location: hostname,
+    description: `${message} for ${hostname}. Visitors will see a browser warning and their data may be intercepted.`,
+    fix: "Obtain a valid TLS certificate. Let's Encrypt provides free certificates via Certbot.",
+    aiPrompt: `My website ${hostname} has an SSL/TLS certificate error: "${message}". Help me fix this by setting up a valid certificate using Let's Encrypt and Certbot. Show me how to install Certbot, obtain a certificate for my domain, and configure automatic renewal.`
+  };
+}
+var sslCheck = async (context) => {
+  if (!context.url) {
+    return [
+      {
+        id: CHECK_ID6,
+        name: "SSL/TLS check",
+        status: "skip",
+        severity: "info",
+        category: CATEGORY3,
+        description: "No URL provided \u2014 skipping SSL/TLS verification."
+      }
+    ];
+  }
+  let parsed;
+  try {
+    parsed = new URL(context.url);
+  } catch {
+    return [
+      {
+        id: CHECK_ID6,
+        name: "SSL/TLS check",
+        status: "skip",
+        severity: "info",
+        category: CATEGORY3,
+        description: `Invalid URL "${context.url}" \u2014 skipping SSL/TLS verification.`
+      }
+    ];
+  }
+  const { hostname } = parsed;
+  const isHttps = parsed.protocol === "https:";
+  const results = [];
+  if (!isHttps) {
+    results.push({
+      id: `${CHECK_ID6}-no-https`,
+      name: "URL does not use HTTPS",
+      status: "fail",
+      severity: "critical",
+      category: CATEGORY3,
+      location: context.url,
+      description: `${context.url} uses plain HTTP. All traffic is unencrypted, exposing user data to interception.`,
+      fix: "Configure your server to use HTTPS. Let's Encrypt provides free TLS certificates via Certbot.",
+      aiPrompt: "My website is served over HTTP without SSL/TLS encryption. Help me set up HTTPS using Let's Encrypt and Certbot. Show me the steps to obtain a free TLS certificate, configure my web server (Nginx/Apache/Node.js), and enable automatic renewal."
+    });
+  }
+  if (isHttps) {
+    const port = parsed.port ? parseInt(parsed.port, 10) : 443;
+    try {
+      await verifyCertificateWithRetry(hostname, port);
+      results.push({
+        id: `${CHECK_ID6}-cert`,
+        name: "SSL certificate is valid",
+        status: "pass",
+        severity: "info",
+        category: CATEGORY3,
+        location: hostname,
+        description: `SSL/TLS certificate for ${hostname} is valid and trusted.`
+      });
+    } catch (error) {
+      results.push(
+        error instanceof Error ? buildCertErrorResult(error, hostname) : {
+          id: `${CHECK_ID6}-cert`,
+          name: "SSL certificate verification failed",
+          status: "skip",
+          severity: "info",
+          category: CATEGORY3,
+          location: hostname,
+          description: `Could not verify SSL certificate for ${hostname}.`
+        }
+      );
+    }
+  }
+  const redirects = await checkHttpsRedirect(hostname);
+  if (redirects) {
+    results.push({
+      id: `${CHECK_ID6}-redirect`,
+      name: "HTTP redirects to HTTPS",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY3,
+      location: hostname,
+      description: `HTTP requests to ${hostname} are redirected to HTTPS.`
+    });
+  } else {
+    results.push({
+      id: `${CHECK_ID6}-redirect`,
+      name: "No HTTP to HTTPS redirect",
+      status: "fail",
+      severity: "medium",
+      category: CATEGORY3,
+      location: hostname,
+      description: `HTTP requests to ${hostname} are not redirected to HTTPS. Users who type the URL without https:// will use an insecure connection.`,
+      fix: "Configure your web server to return a 301 redirect from HTTP to HTTPS for all requests.",
+      aiPrompt: `My website ${hostname} does not redirect HTTP to HTTPS. Help me configure a permanent 301 redirect from HTTP to HTTPS on my web server. Show me configurations for Nginx, Apache, and common hosting platforms.`
+    });
+  }
+  return results;
+};
+var ssl_default = sslCheck;
+
+// src/checks/code-patterns.ts
+import { readFile as readFile5 } from "fs/promises";
+import { join as join6 } from "path";
+var CODE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".js", ".tsx", ".jsx"]);
+var IGNORED_DIRS2 = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git", "tests", "__tests__", "test", "fixtures"]);
+var PATTERN_DEFS = [
+  {
+    id: "eval",
+    name: "eval() or new Function()",
+    severity: "high",
+    regex: /\b(?:eval\s*\(|new\s+Function\s*\()/,
+    fix: "Replace eval() with a safe parser (e.g. JSON.parse for data, a sandboxed interpreter for expressions). Never pass user input to eval() or new Function().",
+    aiPromptTemplate: (stack) => `I have an eval() or new Function() call in my ${stack?.framework ?? "JavaScript"} project. Help me replace it with a safe alternative. Show me: (1) why eval is dangerous (code injection), (2) what safe alternative to use for my specific case (JSON.parse, a schema validator, or a sandboxed parser), and (3) the refactored code.`
+  },
+  {
+    id: "innerHTML",
+    name: "innerHTML assignment with variable",
+    severity: "medium",
+    regex: /\.innerHTML\s*=\s*(?:[a-zA-Z_$`]|['"][^'"]*['"]\s*\+)/,
+    fix: "Use textContent for plain text, or use a DOM API (createElement, appendChild) to build markup safely. In React/Vue, use framework-provided rendering instead of innerHTML.",
+    aiPromptTemplate: (stack) => `I'm assigning to innerHTML with a variable in my ${stack?.framework ?? "JavaScript"} project. Help me replace it safely. Show me: (1) why innerHTML with variables enables XSS, (2) how to use textContent or DOM APIs instead, ${stack?.framework ? `(3) the idiomatic ${stack.framework} approach (e.g. JSX, template syntax)` : "(3) how to sanitize if HTML is truly needed (DOMPurify)"}.`
+  },
+  {
+    id: "sql-injection",
+    name: "SQL string concatenation",
+    severity: "critical",
+    regex: /\b(?:SELECT\s+|INSERT\s+INTO\s+|UPDATE\s+|DELETE\s+FROM\s+)[^;]*?(?:\$\{|['"]\s*\+)/i,
+    fix: "Use parameterized queries or a query builder. Never concatenate user input into SQL strings.",
+    aiPromptTemplate: (stack) => {
+      const db = stack?.database;
+      const dbHint = db ? `I'm using ${db}. Show me the ${db} way to use parameterized queries.` : "Show me how to use parameterized queries with my database driver.";
+      return `I have SQL string concatenation in my ${stack?.framework ?? "Node.js"} project. This is vulnerable to SQL injection. ${dbHint} Show me: (1) how the current code is exploitable, (2) the safe version with parameterized queries or a query builder, and (3) how to validate/sanitize input as defense-in-depth.`;
+    }
+  },
+  {
+    id: "document-write",
+    name: "document.write()",
+    severity: "medium",
+    regex: /\bdocument\.write(?:ln)?\s*\(/,
+    fix: "Use DOM APIs (createElement, appendChild, textContent) instead of document.write(). document.write() can overwrite the entire page and enables XSS if used with untrusted input.",
+    aiPromptTemplate: (stack) => `I have document.write() in my ${stack?.framework ?? "JavaScript"} project. Help me replace it. Show me: (1) why document.write() is dangerous (XSS, page overwrite), (2) the safe DOM API alternative (createElement, textContent), ${stack?.framework ? `(3) the idiomatic ${stack.framework} approach` : "(3) how to safely inject content into the DOM"}.`
+  },
+  {
+    id: "exec-injection",
+    name: "child_process.exec with dynamic input",
+    severity: "high",
+    regex: /\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
+    fix: "Use execFile() or spawn() with an argument array instead of exec() with string concatenation. This prevents shell injection by separating the command from its arguments.",
+    aiPromptTemplate: (stack) => `I have a child_process.exec() call with dynamic input in my ${stack?.framework ?? "Node.js"} project. Help me fix this command injection vulnerability. Show me: (1) why exec with string interpolation is dangerous, (2) how to refactor to execFile() or spawn() with an argument array, and (3) how to validate the input before passing it to any shell command.`
+  },
+  {
+    id: "math-random-security",
+    name: "Math.random() for tokens/IDs",
+    severity: "medium",
+    regex: /\bMath\.random\(\)\.toString\(/,
+    fix: "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive random values. Math.random() is not cryptographically secure.",
+    aiPromptTemplate: (stack) => `I'm using Math.random().toString() to generate tokens or IDs in my ${stack?.framework ?? "JavaScript"} project. Help me replace it with a cryptographically secure alternative. Show me: (1) why Math.random() is predictable and unsuitable for security, (2) how to use crypto.randomUUID() for IDs, and (3) how to use crypto.getRandomValues() for custom token formats.`
+  }
+];
+var DISPLAY_VAR_PATTERN = /\b(?:const|let|var)\s+(?:example|code|snippet|demo|preview|diff|before|after|label|text|content|description|title|display|render|show|mock|sample|placeholder)\w*\s*=/i;
+function isSqlDisplayContext(trimmed) {
+  if (DISPLAY_VAR_PATTERN.test(trimmed)) return true;
+  if (trimmed.startsWith("{") || trimmed.startsWith("<")) return true;
+  return false;
+}
+function isCodeFile(relativePath) {
+  const segments = relativePath.split("/");
+  const fileName = segments[segments.length - 1] ?? "";
+  const ext = fileName.includes(".") ? "." + (fileName.split(".").pop() ?? "") : "";
+  if (!CODE_EXTENSIONS.has(ext)) return false;
+  if (segments.some((s) => IGNORED_DIRS2.has(s))) return false;
+  if (/\.(?:test|spec)\.[jt]sx?$/.test(fileName)) return false;
+  return true;
+}
+function scanFileContent(content, relativePath, stack) {
+  const lines = content.split("\n");
+  const results = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === void 0) continue;
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) {
+      continue;
+    }
+    if (trimmed.startsWith("'") || trimmed.startsWith('"') || trimmed.startsWith("`") || trimmed.startsWith("/")) {
+      continue;
+    }
+    if (/^\w+\s*:\s*['"`/([]/.test(trimmed)) {
+      continue;
+    }
+    for (const pattern of PATTERN_DEFS) {
+      if (pattern.regex.test(line)) {
+        if (pattern.id === "sql-injection" && isSqlDisplayContext(trimmed)) {
+          continue;
+        }
+        results.push({
+          id: "code-patterns",
+          name: `Insecure pattern: ${pattern.name}`,
+          status: "fail",
+          severity: pattern.severity,
+          category: "Code Patterns",
+          location: `${relativePath}:${i + 1}`,
+          description: `${pattern.name} detected \u2014 ${pattern.fix.split(".")[0]}.`,
+          fix: pattern.fix,
+          aiPrompt: pattern.aiPromptTemplate(stack)
+        });
+      }
+    }
+  }
+  return results;
+}
+var codePatternCheck = async (context) => {
+  const filesToScan = context.files.filter(isCodeFile);
+  if (filesToScan.length === 0) {
+    return [
+      {
+        id: "code-patterns",
+        name: "Insecure code patterns",
+        status: "skip",
+        severity: "info",
+        description: "No code files (.ts, .js, .tsx, .jsx) found to scan"
+      }
+    ];
+  }
+  const stackHint = {
+    framework: context.stack.framework,
+    database: context.stack.database
+  };
+  const allResults = [];
+  const settled = await Promise.allSettled(
+    filesToScan.map(async (file) => {
+      const content = await readFile5(join6(context.projectPath, file), "utf-8");
+      return scanFileContent(content, file, stackHint);
+    })
+  );
+  for (const outcome of settled) {
+    if (outcome.status === "fulfilled") {
+      allResults.push(...outcome.value);
+    }
+  }
+  if (allResults.length === 0) {
+    return [
+      {
+        id: "code-patterns",
+        name: "Insecure code patterns",
+        status: "pass",
+        severity: "info",
+        description: "No insecure code patterns detected"
+      }
+    ];
+  }
+  return allResults;
+};
+var code_patterns_default = codePatternCheck;
+
+// src/checks/cors.ts
+import { readFile as readFile6 } from "fs/promises";
+import { join as join7 } from "path";
+var CHECK_ID7 = "cors";
+var CHECK_NAME3 = "CORS configuration";
+var SCANNABLE_EXTENSIONS2 = /* @__PURE__ */ new Set([".ts", ".js", ".tsx", ".jsx", ".mjs", ".cjs"]);
+var IGNORED_DIRS3 = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git", ".next", "tests", "__tests__", "test", "fixtures"]);
+var CORS_PATTERNS = [
+  {
+    name: "Access-Control-Allow-Origin: * (header method)",
+    regex: /(?:\.setHeader|\.header|headers\.set|\.append)\s*\(\s*['"]Access-Control-Allow-Origin['"]\s*,\s*['"]\*['"]/,
+    kind: "wildcard-header"
+  },
+  {
+    name: "Access-Control-Allow-Origin: * (object literal)",
+    regex: /['"]Access-Control-Allow-Origin['"]\s*:\s*['"]\*['"]/,
+    kind: "wildcard-header"
+  },
+  {
+    name: "Wildcard origin in CORS config",
+    regex: /\borigin\s*:\s*['"]\*['"]/,
+    kind: "wildcard-config"
+  },
+  {
+    name: "cors() with no configuration",
+    regex: /\bcors\(\s*\)/,
+    kind: "bare-cors"
+  }
+];
+var CREDENTIALS_REGEX = /\bcredentials\s*:\s*true\b/;
+function isScannableFile2(relativePath) {
+  const segments = relativePath.split("/");
+  const fileName = segments[segments.length - 1] ?? "";
+  const ext = fileName.includes(".") ? "." + (fileName.split(".").pop() ?? "") : "";
+  if (!SCANNABLE_EXTENSIONS2.has(ext)) return false;
+  if (segments.some((s) => IGNORED_DIRS3.has(s))) return false;
+  if (/\.(?:test|spec)\.[jt]sx?$/.test(fileName)) return false;
+  return true;
+}
+function hasCredentialsInCode(lines) {
+  return lines.some((line) => {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*")) {
+      return false;
+    }
+    return CREDENTIALS_REGEX.test(line);
+  });
+}
+function buildAiPrompt2(stack) {
+  switch (stack.framework) {
+    case "express":
+      return "I found a permissive CORS configuration in my Express app. Help me fix it by: (1) replacing cors() or cors({ origin: '*' }) with cors({ origin: 'https://yourdomain.com' }), (2) listing only trusted origins if multiple are needed, (3) explaining when credentials: true is safe to use, (4) showing how to use a dynamic origin function for multiple allowed domains.";
+    case "next.js":
+      return "I found a permissive CORS configuration in my Next.js app. Help me fix it by: (1) replacing Access-Control-Allow-Origin: * with my specific domain in API routes or middleware, (2) showing the correct way to handle CORS in Next.js App Router and Pages Router, (3) explaining how to handle OPTIONS preflight requests, (4) showing how to use next.config.js headers for static CORS if needed.";
+    case "fastify":
+      return "I found a permissive CORS configuration in my Fastify app. Help me fix it by: (1) replacing origin: '*' with my specific domain in the @fastify/cors plugin options, (2) showing how to configure @fastify/cors with a whitelist of allowed origins, (3) explaining the difference between origin: true and origin: '*', (4) showing how to handle credentials safely with Fastify CORS.";
+    default:
+      return "I found a permissive CORS configuration in my project. Help me fix it by: (1) replacing Access-Control-Allow-Origin: * with my specific domain, (2) listing only trusted origins, (3) explaining when credentials: true is safe and how it interacts with wildcard origins, (4) showing the correct CORS configuration for my framework.";
+  }
+}
+function scanContent2(content, relativePath, stack) {
+  const lines = content.split("\n");
+  const hasCredentials = hasCredentialsInCode(lines);
+  const results = [];
+  const aiPrompt = buildAiPrompt2(stack);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === void 0) continue;
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*")) {
+      continue;
+    }
+    if (trimmed.startsWith("'") || trimmed.startsWith('"') || trimmed.startsWith("`") || trimmed.startsWith("/")) {
+      continue;
+    }
+    if (/^(?!origin\b)\w+\s*:\s*['"`/([]/.test(trimmed)) {
+      continue;
+    }
+    for (const pattern of CORS_PATTERNS) {
+      if (!pattern.regex.test(line)) continue;
+      if (pattern.kind === "bare-cors") {
+        results.push({
+          id: CHECK_ID7,
+          name: `CORS: ${pattern.name}`,
+          status: "fail",
+          severity: "medium",
+          category: "CORS",
+          location: `${relativePath}:${i + 1}`,
+          description: "cors() called with no configuration allows all origins by default. Any website can make requests to your API.",
+          fix: "Pass an options object with a restrictive origin: cors({ origin: 'https://yourdomain.com' })",
+          aiPrompt
+        });
+      } else {
+        const severity = hasCredentials ? "critical" : "high";
+        const credentialsNote = hasCredentials ? " Combined with credentials: true, this allows any site to make authenticated requests \u2014 a serious security risk." : "";
+        const description = pattern.kind === "wildcard-header" ? `Access-Control-Allow-Origin is set to "*", allowing any website to read responses from your API.${credentialsNote}` : `CORS origin is configured as "*", allowing any website to make requests to your API.${credentialsNote}`;
+        const fix = hasCredentials ? 'Set a specific origin instead of "*" and only enable credentials for trusted origins. Browsers block credentials with wildcard origins, but misconfigured proxies or non-browser clients can still exploit this.' : `Set a specific origin instead of "*" \u2014 e.g., origin: 'https://yourdomain.com'. Only allow origins you trust.`;
+        results.push({
+          id: CHECK_ID7,
+          name: hasCredentials ? "CORS: Credentials with wildcard origin" : `CORS: ${pattern.name}`,
+          status: "fail",
+          severity,
+          category: "CORS",
+          location: `${relativePath}:${i + 1}`,
+          description,
+          fix,
+          aiPrompt
+        });
+      }
+    }
+  }
+  return results;
+}
+var corsCheck = async (context) => {
+  const filesToScan = context.files.filter(isScannableFile2);
+  if (filesToScan.length === 0) {
+    return [
+      {
+        id: CHECK_ID7,
+        name: CHECK_NAME3,
+        status: "skip",
+        severity: "info",
+        description: "No scannable source files found"
+      }
+    ];
+  }
+  const allResults = [];
+  const settled = await Promise.allSettled(
+    filesToScan.map(async (file) => {
+      const content = await readFile6(join7(context.projectPath, file), "utf-8");
+      return scanContent2(content, file, context.stack);
+    })
+  );
+  for (const outcome of settled) {
+    if (outcome.status === "fulfilled") {
+      allResults.push(...outcome.value);
+    }
+  }
+  if (allResults.length === 0) {
+    return [
+      {
+        id: CHECK_ID7,
+        name: CHECK_NAME3,
+        status: "pass",
+        severity: "info",
+        description: "No permissive CORS configurations detected"
+      }
+    ];
+  }
+  return allResults;
+};
+var cors_default = corsCheck;
+
+// src/checks/rate-limit.ts
+import { readFile as readFile7 } from "fs/promises";
+import { join as join8 } from "path";
+var RATE_LIMIT_PACKAGES = [
+  "express-rate-limit",
+  "@upstash/ratelimit",
+  "rate-limiter-flexible",
+  "@fastify/rate-limit",
+  "fastify-rate-limit"
+];
+var RATE_LIMIT_PATTERNS = [
+  // Package imports (ESM)
+  /from\s+['"]express-rate-limit['"]/,
+  /from\s+['"]@upstash\/ratelimit['"]/,
+  /from\s+['"]rate-limiter-flexible['"]/,
+  /from\s+['"]@fastify\/rate-limit['"]/,
+  /from\s+['"]hono\/rate-limit['"]/,
+  // Package imports (CJS)
+  /require\s*\(\s*['"]express-rate-limit['"]\s*\)/,
+  /require\s*\(\s*['"]@upstash\/ratelimit['"]\s*\)/,
+  /require\s*\(\s*['"]rate-limiter-flexible['"]\s*\)/,
+  /require\s*\(\s*['"]@fastify\/rate-limit['"]\s*\)/,
+  // Common function call patterns
+  /rateLimit\s*\(/,
+  // rate-limiter-flexible class constructors
+  /RateLimiterMemory|RateLimiterRedis|RateLimiterMongo/
+];
+var SCANNABLE_EXTENSIONS3 = /* @__PURE__ */ new Set([".ts", ".js", ".tsx", ".jsx"]);
+var IGNORED_DIRS4 = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git"]);
+function getRecommendation(stack) {
+  switch (stack.framework) {
+    case "express":
+      return {
+        packageName: "express-rate-limit",
+        install: "npm install express-rate-limit"
+      };
+    case "fastify":
+      return {
+        packageName: "@fastify/rate-limit",
+        install: "npm install @fastify/rate-limit"
+      };
+    case "hono":
+      return {
+        packageName: "hono (built-in)",
+        install: 'import { rateLimiter } from "hono/rate-limit"'
+      };
+    case "next.js":
+      return {
+        packageName: "@upstash/ratelimit",
+        install: "npm install @upstash/ratelimit @upstash/redis"
+      };
+    default:
+      return {
+        packageName: "rate-limiter-flexible",
+        install: "npm install rate-limiter-flexible"
+      };
+  }
+}
+function buildAiPrompt3(stack) {
+  const rec = getRecommendation(stack);
+  const framework = stack.framework ?? "my web application";
+  return `I need to add rate limiting to my ${framework} project. The recommended package is ${rec.packageName}. Show me: (1) how to install and configure it, (2) how to apply it to my API routes with sensible defaults, (3) recommended limits for login and API endpoints (e.g. 5 login attempts per 15 minutes, 100 API requests per minute), and (4) how to return proper 429 Too Many Requests responses with Retry-After headers.`;
+}
+function isScannableFile3(relativePath) {
+  const segments = relativePath.split("/");
+  const fileName = segments[segments.length - 1] ?? "";
+  const ext = fileName.includes(".") ? "." + (fileName.split(".").pop() ?? "") : "";
+  if (!SCANNABLE_EXTENSIONS3.has(ext)) return false;
+  if (segments.some((s) => IGNORED_DIRS4.has(s))) return false;
+  return true;
+}
+function findRateLimitDependency(dependencies) {
+  return dependencies.find((dep) => RATE_LIMIT_PACKAGES.includes(dep));
+}
+function hasRateLimitPattern(content) {
+  return RATE_LIMIT_PATTERNS.some((pattern) => pattern.test(content));
+}
+var rateLimitCheck = async (context) => {
+  const dependencies = context.stack.dependencies ?? [];
+  const foundPackage = findRateLimitDependency(dependencies);
+  if (foundPackage) {
+    return [
+      {
+        id: "rate-limit",
+        name: "Rate limiting",
+        status: "pass",
+        severity: "info",
+        category: "API Security",
+        description: `Rate limiting package detected: ${foundPackage}`
+      }
+    ];
+  }
+  const filesToScan = context.files.filter(isScannableFile3);
+  if (filesToScan.length > 0) {
+    const settled = await Promise.allSettled(
+      filesToScan.map(async (file) => {
+        const content = await readFile7(
+          join8(context.projectPath, file),
+          "utf-8"
+        );
+        return hasRateLimitPattern(content);
+      })
+    );
+    const foundInSource = settled.some(
+      (outcome) => outcome.status === "fulfilled" && outcome.value
+    );
+    if (foundInSource) {
+      return [
+        {
+          id: "rate-limit",
+          name: "Rate limiting",
+          status: "pass",
+          severity: "info",
+          category: "API Security",
+          description: "Rate limiting middleware detected in source code"
+        }
+      ];
+    }
+  }
+  const rec = getRecommendation(context.stack);
+  return [
+    {
+      id: "rate-limit",
+      name: "Rate limiting",
+      status: "fail",
+      severity: "high",
+      category: "API Security",
+      description: "No rate limiting middleware detected \u2014 brute-force and denial-of-service attacks are trivial without it",
+      fix: `Install a rate limiting package: ${rec.install}. Apply it to all API routes, especially authentication endpoints.`,
+      aiPrompt: buildAiPrompt3(context.stack)
+    }
+  ];
+};
+var rate_limit_default = rateLimitCheck;
+
+// src/checks/auth.ts
+import { readFile as readFile8 } from "fs/promises";
+import { join as join9 } from "path";
+var PROVIDER_NAMES = {
+  clerk: "Clerk",
+  auth0: "Auth0",
+  "next-auth": "NextAuth.js",
+  "supabase-auth": "Supabase Auth",
+  passport: "Passport.js",
+  lucia: "Lucia"
+};
+var CUSTOM_AUTH_PACKAGES = [
+  "bcrypt",
+  "bcryptjs",
+  "argon2",
+  "jsonwebtoken"
+];
+var AUTH_FILE_PATTERNS = [
+  { name: "crypto.scrypt", regex: /crypto\.scrypt(?:Sync)?\s*\(/ },
+  { name: "crypto.pbkdf2", regex: /crypto\.pbkdf2(?:Sync)?\s*\(/ },
+  { name: "jwt.sign", regex: /jwt\.sign\s*\(/ },
+  { name: "jwt.verify", regex: /jwt\.verify\s*\(/ },
+  { name: "password hashing", regex: /(?:hashPassword|comparePassword|verifyPassword|passwordHash)\s*[=(]/ }
+];
+var SCANNABLE_EXTENSIONS4 = /* @__PURE__ */ new Set([".ts", ".js", ".tsx", ".jsx"]);
+var IGNORED_DIRS5 = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git"]);
+var USER_FACING_DIRS = /* @__PURE__ */ new Set(["api", "routes", "pages", "views"]);
+function findCustomAuthDeps(dependencies) {
+  return dependencies.filter((dep) => CUSTOM_AUTH_PACKAGES.includes(dep));
+}
+function scanFileForAuthPatterns(content) {
+  const found = [];
+  for (const pattern of AUTH_FILE_PATTERNS) {
+    if (pattern.regex.test(content)) {
+      found.push(pattern.name);
+    }
+  }
+  return found;
+}
+function hasUserFacingFeatures(context) {
+  if (context.stack.framework) return true;
+  return context.files.some(
+    (f) => f.split("/").some((segment) => USER_FACING_DIRS.has(segment))
+  );
+}
+function isLibraryOrCli(context) {
+  if (!context.packageJson) return false;
+  if (context.packageJson["bin"]) return true;
+  if (context.packageJson["private"] && context.packageJson["workspaces"]) return true;
+  if (!context.stack.framework && (context.packageJson["main"] || context.packageJson["exports"])) {
+    return true;
+  }
+  return false;
+}
+function getRecommendedProvider(stack) {
+  switch (stack.framework) {
+    case "next.js":
+      return stack.database === "supabase" ? "Supabase Auth" : "Clerk or NextAuth.js";
+    case "express":
+    case "fastify":
+    case "hono":
+      return "Auth0 or Passport.js";
+    case "remix":
+      return "Auth0 or Lucia";
+    case "sveltekit":
+      return "Lucia or Auth.js";
+    case "nuxt":
+      return "Auth0 or Sidebase Auth";
+    case "astro":
+      return "Lucia or Auth.js";
+    default:
+      return "Clerk or Auth0";
+  }
+}
+function isScannableFile4(relativePath) {
+  const segments = relativePath.split("/");
+  const fileName = segments[segments.length - 1] ?? "";
+  const ext = fileName.includes(".") ? "." + (fileName.split(".").pop() ?? "") : "";
+  if (!SCANNABLE_EXTENSIONS4.has(ext)) return false;
+  if (segments.some((s) => IGNORED_DIRS5.has(s))) return false;
+  return true;
+}
+var authCheck = async (context) => {
+  const recommended = getRecommendedProvider(context.stack);
+  const stackLabel = context.stack.framework ?? context.stack.language;
+  if (context.stack.auth) {
+    const providerName = PROVIDER_NAMES[context.stack.auth] ?? context.stack.auth;
+    return [
+      {
+        id: "auth",
+        name: "Authentication method",
+        status: "pass",
+        severity: "info",
+        category: "Authentication",
+        description: `Established auth provider detected: ${providerName}`,
+        fix: `Ensure ${providerName} is configured securely with proper session management and CSRF protection.`,
+        aiPrompt: `I'm using ${providerName} for authentication in my ${stackLabel} project. Help me ensure it's configured securely. Show me: (1) how to protect all API routes, (2) how to set up role-based access control, (3) how to implement secure session management, (4) best practices for ${providerName} specifically.`
+      }
+    ];
+  }
+  const deps = context.stack.dependencies ?? [];
+  const customAuthDeps = findCustomAuthDeps(deps);
+  if (customAuthDeps.length > 0) {
+    return [
+      {
+        id: "auth",
+        name: "Authentication method",
+        status: "warn",
+        severity: "medium",
+        category: "Authentication",
+        description: `Custom auth implementation detected via dependencies: ${customAuthDeps.join(", ")}. Consider using an established auth provider.`,
+        fix: `Replace custom auth with ${recommended}. Established providers handle password hashing, session management, CSRF protection, and security updates automatically.`,
+        aiPrompt: `I'm using custom authentication (${customAuthDeps.join(", ")}) in my ${stackLabel} project. Help me migrate to ${recommended}. Show me: (1) how to install and configure it, (2) how to protect API routes, (3) how to handle user sessions, (4) how to implement sign-up and login flows.`
+      }
+    ];
+  }
+  const filesToScan = context.files.filter(isScannableFile4);
+  const allPatterns = [];
+  if (filesToScan.length > 0) {
+    const settled = await Promise.allSettled(
+      filesToScan.map(async (file) => {
+        const content = await readFile8(join9(context.projectPath, file), "utf-8");
+        return scanFileForAuthPatterns(content);
+      })
+    );
+    for (const outcome of settled) {
+      if (outcome.status === "fulfilled" && outcome.value.length > 0) {
+        allPatterns.push(...outcome.value);
+      }
+    }
+  }
+  if (allPatterns.length > 0) {
+    const unique = [...new Set(allPatterns)];
+    return [
+      {
+        id: "auth",
+        name: "Authentication method",
+        status: "warn",
+        severity: "medium",
+        category: "Authentication",
+        description: `Custom auth patterns detected: ${unique.join(", ")}. Consider using an established auth provider.`,
+        fix: `Replace custom auth with ${recommended}. Established providers handle password hashing, session management, CSRF protection, and security updates automatically.`,
+        aiPrompt: `I'm using custom authentication patterns (${unique.join(", ")}) in my ${stackLabel} project. Help me migrate to ${recommended}. Show me: (1) how to install and configure it, (2) how to protect API routes, (3) how to handle user sessions, (4) how to implement sign-up and login flows.`
+      }
+    ];
+  }
+  if (isLibraryOrCli(context)) {
+    return [
+      {
+        id: "auth",
+        name: "Authentication method",
+        status: "skip",
+        severity: "info",
+        category: "Authentication",
+        description: "Project appears to be a library or CLI tool \u2014 authentication check not applicable."
+      }
+    ];
+  }
+  if (hasUserFacingFeatures(context)) {
+    return [
+      {
+        id: "auth",
+        name: "Authentication method",
+        status: "fail",
+        severity: "high",
+        category: "Authentication",
+        description: "No authentication detected in a project with API routes or user-facing features.",
+        fix: `Add authentication using ${recommended}. This protects your API routes and user data from unauthorized access.`,
+        aiPrompt: `My ${stackLabel} project has no authentication. Help me add authentication using ${recommended}. Show me: (1) how to install and configure it, (2) how to protect API routes and pages, (3) how to implement sign-up, login, and logout flows, (4) how to manage user sessions securely.`
+      }
+    ];
+  }
+  return [
+    {
+      id: "auth",
+      name: "Authentication method",
+      status: "skip",
+      severity: "info",
+      category: "Authentication",
+      description: "No user-facing features detected \u2014 authentication check not applicable."
+    }
+  ];
+};
+var auth_default = authCheck;
+
+// src/checks/cookies.ts
+var CHECK_ID8 = "cookies";
+var CATEGORY4 = "cookies";
+function parseCookie(raw) {
+  const name = raw.split("=")[0].trim();
+  const lower = raw.toLowerCase();
+  return {
+    name,
+    httpOnly: lower.includes("httponly"),
+    secure: lower.includes("secure"),
+    sameSite: lower.includes("samesite")
+  };
+}
+var cookieCheck = async (context) => {
+  if (!context.url) {
+    return [{
+      id: CHECK_ID8,
+      name: "Cookie security flags",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY4,
+      description: "No URL provided \u2014 skipping cookie flag check."
+    }];
+  }
+  const target = context.url.startsWith("http") ? context.url : `https://${context.url}`;
+  const { response, error } = await fetchWithRetry(target, { redirect: "follow" });
+  if (!response) {
+    return [{
+      id: CHECK_ID8,
+      name: "Cookie security flags",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY4,
+      description: `Could not reach ${target}: ${error instanceof Error ? error.message : "unknown error"}`
+    }];
+  }
+  const setCookies = [];
+  response.headers.forEach((value, key) => {
+    if (key.toLowerCase() === "set-cookie") {
+      setCookies.push(value);
+    }
+  });
+  const expanded = [];
+  for (const raw of setCookies) {
+    const parts = raw.split(/,\s*(?=[a-zA-Z_][a-zA-Z0-9_]*=)/);
+    expanded.push(...parts);
+  }
+  if (expanded.length === 0) {
+    return [{
+      id: CHECK_ID8,
+      name: "Cookie security flags",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY4,
+      location: target,
+      description: "No cookies set \u2014 nothing to check."
+    }];
+  }
+  const results = [];
+  for (const raw of expanded) {
+    const cookie = parseCookie(raw);
+    if (!cookie.name) continue;
+    const missing = [];
+    if (!cookie.httpOnly) missing.push("HttpOnly");
+    if (!cookie.secure) missing.push("Secure");
+    if (!cookie.sameSite) missing.push("SameSite");
+    if (missing.length === 0) {
+      results.push({
+        id: CHECK_ID8,
+        name: `Cookie: ${cookie.name}`,
+        status: "pass",
+        severity: "info",
+        category: CATEGORY4,
+        location: target,
+        description: `Cookie "${cookie.name}" has all recommended security flags.`
+      });
+    } else {
+      const hasHttpOnlyOrSecure = missing.includes("HttpOnly") || missing.includes("Secure");
+      results.push({
+        id: CHECK_ID8,
+        name: `Cookie: ${cookie.name}`,
+        status: "warn",
+        severity: hasHttpOnlyOrSecure ? "medium" : "low",
+        category: CATEGORY4,
+        location: target,
+        description: `Cookie "${cookie.name}" is missing: ${missing.join(", ")}. ${!cookie.httpOnly ? "Without HttpOnly, JavaScript can access this cookie (XSS risk). " : ""}${!cookie.secure ? "Without Secure, the cookie may be sent over plain HTTP. " : ""}${!cookie.sameSite ? "Without SameSite, the cookie is vulnerable to CSRF attacks." : ""}`,
+        fix: `Add the missing flags: Set-Cookie: ${cookie.name}=...; ${missing.join("; ")}`
+      });
+    }
+  }
+  if (results.length === 0) {
+    return [{
+      id: CHECK_ID8,
+      name: "Cookie security flags",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY4,
+      location: target,
+      description: "No cookies set \u2014 nothing to check."
+    }];
+  }
+  return results;
+};
+var cookies_default = cookieCheck;
+
+// src/checks/server-disclosure.ts
+var CHECK_ID9 = "server-disclosure";
+var CATEGORY5 = "headers";
+var VERSION_PATTERN = /\b(?:apache|nginx|iis|litespeed|openresty|tomcat|jetty|caddy|gunicorn|uwsgi|express|kestrel)\b.*?\d+/i;
+var GENERIC_SERVERS = /* @__PURE__ */ new Set([
+  "cloudflare",
+  "cloudfront",
+  "vercel",
+  "netlify",
+  "akamaighost",
+  "fastly",
+  "gws",
+  "gse",
+  "fly.io"
+]);
+var serverDisclosureCheck = async (context) => {
+  if (!context.url) {
+    return [{
+      id: CHECK_ID9,
+      name: "Server header disclosure",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY5,
+      description: "No URL provided \u2014 skipping server header check."
+    }];
+  }
+  const target = context.url.startsWith("http") ? context.url : `https://${context.url}`;
+  const { response, error } = await fetchWithRetry(target, { redirect: "follow" });
+  if (!response) {
+    return [{
+      id: CHECK_ID9,
+      name: "Server header disclosure",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY5,
+      description: `Could not reach ${target}: ${error instanceof Error ? error.message : "unknown error"}`
+    }];
+  }
+  const server = response.headers.get("server");
+  if (!server) {
+    return [{
+      id: CHECK_ID9,
+      name: "Server header disclosure",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY5,
+      location: target,
+      description: "No Server header present \u2014 no information disclosed."
+    }];
+  }
+  const lower = server.toLowerCase().trim();
+  if (GENERIC_SERVERS.has(lower)) {
+    return [{
+      id: CHECK_ID9,
+      name: "Server header disclosure",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY5,
+      location: target,
+      description: `Server header is generic: "${server}". No version disclosed.`
+    }];
+  }
+  if (VERSION_PATTERN.test(server)) {
+    return [{
+      id: CHECK_ID9,
+      name: "Server header disclosure",
+      status: "warn",
+      severity: "low",
+      category: CATEGORY5,
+      location: target,
+      description: `Server header reveals software and version: "${server}". Attackers can use this to target known vulnerabilities for that version.`,
+      fix: 'Remove or genericize the Server header. In nginx: `server_tokens off;`. In Apache: `ServerTokens Prod`. In Express: `app.disable("x-powered-by")`.'
+    }];
+  }
+  return [{
+    id: CHECK_ID9,
+    name: "Server header disclosure",
+    status: "pass",
+    severity: "info",
+    category: CATEGORY5,
+    location: target,
+    description: `Server header present ("${server}") but no specific version disclosed.`
+  }];
+};
+var server_disclosure_default = serverDisclosureCheck;
+
+// src/checks/dmarc.ts
+import { resolveTxt } from "dns/promises";
+var CHECK_ID10 = "dmarc";
+var CATEGORY6 = "email";
+function extractDomain(url) {
+  try {
+    const parsed = new URL(url.startsWith("http") ? url : `https://${url}`);
+    return parsed.hostname;
+  } catch {
+    return url;
+  }
+}
+var dmarcCheck = async (context) => {
+  if (!context.url) {
+    return [{
+      id: CHECK_ID10,
+      name: "DMARC record",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY6,
+      description: "No URL provided \u2014 skipping DMARC check."
+    }];
+  }
+  const domain = extractDomain(context.url);
+  const dmarcHost = `_dmarc.${domain}`;
+  let records;
+  try {
+    records = await resolveTxt(dmarcHost);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENODATA" || code === "ENOTFOUND" || code === "SERVFAIL") {
+      return [{
+        id: CHECK_ID10,
+        name: "DMARC record",
+        status: "warn",
+        severity: "medium",
+        category: CATEGORY6,
+        location: dmarcHost,
+        description: `No DMARC record found for ${domain}. Without DMARC, attackers can spoof emails from your domain to phish your users.`,
+        fix: `Add a TXT record at _dmarc.${domain} with value: "v=DMARC1; p=reject; rua=mailto:dmarc@${domain}"`
+      }];
+    }
+    return [{
+      id: CHECK_ID10,
+      name: "DMARC record",
+      status: "skip",
+      severity: "info",
+      category: CATEGORY6,
+      description: `DNS lookup failed for ${dmarcHost}: ${err instanceof Error ? err.message : "unknown error"}`
+    }];
+  }
+  const flat = records.map((chunks) => chunks.join(""));
+  const dmarc = flat.find((r) => r.toLowerCase().startsWith("v=dmarc1"));
+  if (!dmarc) {
+    return [{
+      id: CHECK_ID10,
+      name: "DMARC record",
+      status: "warn",
+      severity: "medium",
+      category: CATEGORY6,
+      location: dmarcHost,
+      description: `TXT records exist at ${dmarcHost} but no valid DMARC record (must start with "v=DMARC1").`,
+      fix: `Add a TXT record at _dmarc.${domain} with value: "v=DMARC1; p=reject; rua=mailto:dmarc@${domain}"`
+    }];
+  }
+  const policyMatch = dmarc.match(/;\s*p\s*=\s*(reject|quarantine|none)/i);
+  const policy = policyMatch ? policyMatch[1].toLowerCase() : "unknown";
+  if (policy === "reject") {
+    return [{
+      id: CHECK_ID10,
+      name: "DMARC record",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY6,
+      location: dmarcHost,
+      description: `DMARC record found with p=reject \u2014 the strongest policy. Spoofed emails from ${domain} will be rejected.`
+    }];
+  }
+  if (policy === "quarantine") {
+    return [{
+      id: CHECK_ID10,
+      name: "DMARC record",
+      status: "pass",
+      severity: "info",
+      category: CATEGORY6,
+      location: dmarcHost,
+      description: `DMARC record found with p=quarantine. Spoofed emails may be delivered to spam. Consider upgrading to p=reject.`
+    }];
+  }
+  return [{
+    id: CHECK_ID10,
+    name: "DMARC record",
+    status: "warn",
+    severity: "low",
+    category: CATEGORY6,
+    location: dmarcHost,
+    description: `DMARC record found but policy is p=${policy}. This only monitors \u2014 it does not prevent email spoofing.`,
+    fix: `Upgrade your DMARC policy to p=quarantine or p=reject once you have verified legitimate email sources are aligned.`
+  }];
+};
+var dmarc_default = dmarcCheck;
+
+// src/checks/index.ts
+function getAllChecks() {
+  return [
+    gitignore_default,
+    secrets_default,
+    dependencies_default,
+    env_example_default,
+    security_txt_default,
+    headers_default,
+    security_txt_url_default,
+    ssl_default,
+    code_patterns_default,
+    cors_default,
+    rate_limit_default,
+    auth_default,
+    cookies_default,
+    server_disclosure_default,
+    dmarc_default
+  ];
+}
+function getUrlOnlyChecks() {
+  return [headers_default, ssl_default, security_txt_url_default, cookies_default, server_disclosure_default, dmarc_default];
+}
+function getStaticSiteSkippableChecks() {
+  return [
+    { fn: rate_limit_default, id: "rate-limit", name: "Rate limiting" },
+    { fn: auth_default, id: "auth", name: "Authentication" },
+    { fn: cors_default, id: "cors", name: "CORS configuration" },
+    { fn: env_example_default, id: "env-example", name: ".env.example exists" }
+  ];
+}
+
+// src/detectors/stack.ts
+var FRAMEWORK_MATCHERS = [
+  { packages: ["next"], value: "next.js" },
+  { packages: ["express"], value: "express" },
+  { packages: ["fastify"], value: "fastify" },
+  { packages: ["@remix-run/node", "@remix-run/react"], value: "remix" },
+  { packages: ["astro"], value: "astro" },
+  { packages: ["nuxt"], value: "nuxt" },
+  { packages: ["@sveltejs/kit"], value: "sveltekit" },
+  { packages: ["hono"], value: "hono" }
+];
+var DATABASE_MATCHERS = [
+  { packages: ["@supabase/supabase-js"], value: "supabase" },
+  { packages: ["@prisma/client", "prisma"], value: "prisma" },
+  { packages: ["drizzle-orm"], value: "drizzle" },
+  { packages: ["mongoose"], value: "mongoose" },
+  { packages: ["typeorm"], value: "typeorm" },
+  { packages: ["sequelize"], value: "sequelize" }
+];
+var AUTH_MATCHERS = [
+  { packages: ["@clerk/nextjs", "@clerk/clerk-sdk-node", "@clerk/express"], value: "clerk" },
+  { packages: ["auth0", "@auth0/nextjs-auth0", "@auth0/auth0-react"], value: "auth0" },
+  { packages: ["next-auth", "@auth/core"], value: "next-auth" },
+  { packages: ["@supabase/auth-helpers-nextjs", "@supabase/auth-helpers-react", "@supabase/ssr"], value: "supabase-auth" },
+  { packages: ["passport"], value: "passport" },
+  { packages: ["lucia"], value: "lucia" }
+];
+function findMatch(matchers, deps) {
+  for (const matcher of matchers) {
+    if (matcher.packages.some((pkg2) => deps.has(pkg2))) {
+      return matcher.value;
+    }
+  }
+  return void 0;
+}
+function detectHosting(fileSet) {
+  if (fileSet.has("vercel.json")) return "vercel";
+  if (fileSet.has("netlify.toml")) return "netlify";
+  if (fileSet.has("Dockerfile") || fileSet.has("dockerfile")) return "docker";
+  return void 0;
+}
+function detectLanguage(files, hasPackageJson) {
+  if (files.some((f) => f === "tsconfig.json" || f.endsWith("/tsconfig.json"))) {
+    return "typescript";
+  }
+  return hasPackageJson ? "javascript" : "unknown";
+}
+function detectPackageManager(fileSet, hasPackageJson) {
+  if (fileSet.has("pnpm-lock.yaml")) return "pnpm";
+  if (fileSet.has("yarn.lock")) return "yarn";
+  if (fileSet.has("bun.lockb") || fileSet.has("bun.lock")) return "bun";
+  if (fileSet.has("package-lock.json")) return "npm";
+  return hasPackageJson ? "npm" : void 0;
+}
+function extractDependencies(packageJson) {
+  const deps = packageJson["dependencies"];
+  const devDeps = packageJson["devDependencies"];
+  const names = [];
+  if (deps !== null && typeof deps === "object" && !Array.isArray(deps)) {
+    names.push(...Object.keys(deps));
+  }
+  if (devDeps !== null && typeof devDeps === "object" && !Array.isArray(devDeps)) {
+    names.push(...Object.keys(devDeps));
+  }
+  return names;
+}
+function detectStack(packageJson, files) {
+  const hasPackageJson = packageJson !== void 0;
+  const dependencies = hasPackageJson ? extractDependencies(packageJson) : [];
+  const depSet = new Set(dependencies);
+  const fileSet = new Set(files);
+  return {
+    language: detectLanguage(files, hasPackageJson),
+    framework: findMatch(FRAMEWORK_MATCHERS, depSet),
+    database: findMatch(DATABASE_MATCHERS, depSet),
+    auth: findMatch(AUTH_MATCHERS, depSet),
+    hosting: detectHosting(fileSet),
+    packageManager: detectPackageManager(fileSet, hasPackageJson),
+    dependencies
+  };
+}
+
+// src/education/prompts.ts
+function buildStackDescription(stack) {
+  const parts = [];
+  if (stack.framework) {
+    parts.push(stack.framework);
+  } else if (stack.language !== "unknown") {
+    parts.push(`a ${stack.language} project`);
+  }
+  if (stack.database) parts.push(stack.database);
+  if (stack.auth) parts.push(`${stack.auth} for authentication`);
+  if (stack.hosting) parts.push(`deployed on ${stack.hosting}`);
+  if (parts.length === 0) return "";
+  return `I'm using ${parts.join(" with ")}.`;
+}
+function locationHint(location) {
+  if (!location) return "";
+  return ` The issue is in \`${location}\`.`;
+}
+function getRateLimitPackage(stack) {
+  switch (stack.framework) {
+    case "express":
+      return "express-rate-limit";
+    case "fastify":
+      return "@fastify/rate-limit";
+    case "next.js":
+      return "@upstash/ratelimit";
+    case "hono":
+      return "the built-in hono rate limiter";
+    default:
+      return "rate-limiter-flexible";
+  }
+}
+function getRecommendedAuth(stack) {
+  switch (stack.framework) {
+    case "next.js":
+      return stack.database === "supabase" ? "Supabase Auth" : "Clerk";
+    case "express":
+    case "fastify":
+      return "Passport.js with Auth0";
+    case "remix":
+      return "Lucia";
+    default:
+      return "Clerk or Auth0";
+  }
+}
+var gitignorePrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const fw = context.stack.framework ?? context.stack.language;
+  if (result.id === "gitignore-missing") {
+    return `${stack} My project has no .gitignore file. Generate a comprehensive .gitignore for ${fw} that covers: environment files (.env*), dependencies (node_modules), build outputs (dist, build${context.stack.framework === "next.js" ? ", .next" : ""}), IDE files, OS files (.DS_Store), and cryptographic keys (*.pem, *.key). Show me the complete file.`;
+  }
+  const pattern = result.description.match(/\(([^)]+)\)/)?.[1] ?? result.id.replace("gitignore-", ".");
+  return `${stack} My .gitignore is missing \`${pattern}\`. Show me: (1) the exact line to add to .gitignore, (2) how to remove it from git history if already committed (\`git rm --cached\`), and (3) any related patterns I should also add for a ${fw} project.`;
+};
+var secretsPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const loc = locationHint(result.location);
+  const secretType = result.name.replace("Hardcoded secret: ", "");
+  return `${stack}${loc} I found a hardcoded ${secretType} in my source code. Help me fix this by: (1) moving the value to a .env file (gitignored), (2) loading it via process.env in my ${context.stack.framework ?? "Node.js"} code, (3) adding a placeholder to .env.example, and (4) adding a startup check that validates the variable is set. Show me the complete code changes.`;
+};
+var depVulnPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  return `${stack} ${result.description} Help me fix this by: (1) updating the package safely (\`npm audit fix\` or \`npm install pkg@latest\`), (2) identifying any breaking changes in the new version, and (3) verifying the fix doesn't break my application. If the vulnerability can't be fixed by updating, suggest alternative packages.`;
+};
+var envExamplePrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const loc = locationHint(result.location);
+  if (result.description.includes("real secret values") || result.description.includes("contain real")) {
+    return `${stack}${loc} My .env.example file contains what appear to be real secret values. Help me replace every real-looking value with a safe descriptive placeholder (e.g. YOUR_API_KEY_HERE). Add a comment above each variable explaining what it's for and where to get the value.`;
+  }
+  const db = context.stack.database ? ` with ${context.stack.database}` : "";
+  const auth = context.stack.auth ? ` and ${context.stack.auth}` : "";
+  return `${stack} My project has a .env file (gitignored) but no .env.example template. Generate a .env.example that lists every required environment variable for a ${context.stack.framework ?? context.stack.language} project${db}${auth}. Use descriptive placeholders and add comments explaining each variable.`;
+};
+var securityTxtPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const hosting = context.stack.hosting;
+  if (result.description.includes("expired") || result.description.includes("Expires")) {
+    return `${stack} My security.txt has an expired or missing Expires field. Help me update it with a valid Expires date (one year from today in RFC 3339 format) and verify all required fields (Contact, Expires) are present per RFC 9116.`;
+  }
+  if (result.description.includes("Contact")) {
+    return `${stack} My security.txt is missing the required Contact field (RFC 9116). Generate a complete security.txt with Contact (email or URL), Expires (one year from today), and optional fields (Preferred-Languages, Policy). Show me where to place it (/.well-known/security.txt).`;
+  }
+  return `${stack} My project needs a security.txt file. Generate a valid security.txt per RFC 9116 with Contact, Expires, Preferred-Languages, and Policy fields. Show me where to place it in my ${context.stack.framework ?? "web"} project${hosting ? ` deployed on ${hosting}` : ""}.`;
+};
+var headersPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const headerName = result.name.replace("Missing ", "");
+  const framework = context.stack.framework;
+  if (framework === "express" || framework === "fastify" || framework === "hono") {
+    return `${stack} My app is missing the ${headerName} security header. Show me how to add it using ${framework === "express" ? "helmet.js middleware" : `the ${framework} equivalent`}. Include the recommended value and explain what attacks it prevents. Show me the complete middleware configuration.`;
+  }
+  if (framework === "next.js") {
+    return `${stack} My app is missing the ${headerName} security header. Show me how to add it in next.config.js using the headers() function. Include the recommended value and explain what attacks it prevents.`;
+  }
+  return `${stack} My web app is missing the ${headerName} security header. ${result.description} Show me how to configure it with the recommended value for my framework.`;
+};
+var sslPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const hosting = context.stack.hosting;
+  const managed = hosting === "vercel" || hosting === "netlify";
+  if (result.id.includes("redirect")) {
+    if (managed) {
+      return `${stack} My site does not redirect HTTP to HTTPS. Since I'm on ${hosting}, this should be automatic. Help me verify the redirect is configured correctly and show how to force HTTPS in my ${context.stack.framework ?? "web"} app.`;
+    }
+    return `${stack} My site does not redirect HTTP to HTTPS. Show me how to configure a permanent 301 redirect from HTTP to HTTPS for my web server (Nginx, Apache, or Node.js). Include HSTS header configuration.`;
+  }
+  if (managed) {
+    return `${stack} ${result.description} Since I'm on ${hosting}, SSL should be handled automatically. Help me verify the certificate is configured correctly and troubleshoot the issue.`;
+  }
+  return `${stack} ${result.description} Help me set up a valid SSL certificate using Let's Encrypt and Certbot. Show me: (1) how to install Certbot, (2) how to obtain a certificate, (3) how to configure automatic renewal, and (4) how to set up HTTPS in my web server.`;
+};
+var codePatternsPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const loc = locationHint(result.location);
+  const patternName = result.name.replace("Insecure pattern: ", "");
+  const fw = context.stack.framework ?? "my framework";
+  return `${stack}${loc} I have an insecure code pattern: ${patternName}. ${result.fix ?? result.description} Show me: (1) why this is dangerous with an exploit example, (2) the safe replacement code for ${fw}, and (3) an ESLint rule or equivalent to prevent this in the future.`;
+};
+var corsPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const loc = locationHint(result.location);
+  const framework = context.stack.framework ?? "my web application";
+  return `${stack}${loc} ${result.description.split(".")[0]}. Help me fix this by: (1) replacing the wildcard origin with my specific domain(s), (2) showing the correct CORS configuration for ${framework}, (3) handling preflight OPTIONS requests properly, and (4) configuring credentials mode safely. Show me the complete working code.`;
+};
+var rateLimitPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const framework = context.stack.framework;
+  const pkg2 = getRateLimitPackage(context.stack);
+  return `${stack} My API routes have no rate limiting. Generate middleware using ${pkg2} that: (1) limits requests to 10 per 15 seconds per IP, (2) returns 429 with Retry-After header, (3) applies to all API routes${framework === "next.js" ? " and works with the App Router" : ""}, and (4) has separate stricter limits for auth endpoints (5 per 15 minutes). Show me the complete working code.`;
+};
+var authPrompt = (result, context) => {
+  const stack = buildStackDescription(context.stack);
+  const rec = getRecommendedAuth(context.stack);
+  if (result.status === "warn") {
+    return `${stack} I'm using custom authentication instead of an established provider. Help me migrate to ${rec}. Show me: (1) installation and configuration, (2) protecting all API routes and pages, (3) complete sign-up, login, and logout flows, and (4) session management best practices. Show me the complete working code.`;
+  }
+  return `${stack} My project has no authentication but has user-facing features. Help me add ${rec}. Show me: (1) installation and initial setup, (2) protecting API routes and pages, (3) complete sign-up, login, and logout flows, and (4) secure session management. Show me the complete working code.`;
+};
+var GENERATOR_MATCHERS = [
+  { prefix: "security-txt-url", generator: securityTxtPrompt },
+  { prefix: "security-txt", generator: securityTxtPrompt },
+  { prefix: "gitignore", generator: gitignorePrompt },
+  { prefix: "headers", generator: headersPrompt },
+  { prefix: "dep-vuln", generator: depVulnPrompt },
+  { prefix: "env-example", generator: envExamplePrompt },
+  { prefix: "code-patterns", generator: codePatternsPrompt },
+  { prefix: "ssl", generator: sslPrompt },
+  { prefix: "cors", generator: corsPrompt },
+  { prefix: "rate-limit", generator: rateLimitPrompt },
+  { prefix: "secrets", generator: secretsPrompt },
+  { prefix: "auth", generator: authPrompt }
+];
+function findGenerator(checkId) {
+  for (const matcher of GENERATOR_MATCHERS) {
+    if (checkId === matcher.prefix || checkId.startsWith(`${matcher.prefix}-`)) {
+      return matcher.generator;
+    }
+  }
+  return void 0;
+}
+function buildGenericPrompt(result, context) {
+  const stack = buildStackDescription(context.stack);
+  const loc = locationHint(result.location);
+  return `${stack}${loc} ${result.description} ${result.fix ? `Recommended fix: ${result.fix} ` : ""}Help me fix this security issue. Show me the complete working code with an explanation.`;
+}
+function generatePrompt(result, context) {
+  const generator = findGenerator(result.id);
+  if (generator) return generator(result, context);
+  return buildGenericPrompt(result, context);
+}
+function enrichWithAiPrompts(results, context) {
+  return results.map((result) => {
+    if (result.status === "pass" || result.status === "skip") {
+      return result;
+    }
+    return { ...result, aiPrompt: generatePrompt(result, context) };
+  });
+}
+
+// src/scanner.ts
+var EXCLUDED_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  ".next",
+  "out",
+  "coverage",
+  "__pycache__",
+  ".venv",
+  "build",
+  ".svn",
+  ".hg",
+  "tests",
+  "__tests__",
+  "test",
+  "fixtures"
+]);
+var SERVER_FRAMEWORKS = /* @__PURE__ */ new Set([
+  "express",
+  "fastify",
+  "next",
+  "nuxt",
+  "remix",
+  "@remix-run/node",
+  "hono",
+  "koa",
+  "@nestjs/core",
+  "@adonisjs/core",
+  "sails",
+  "hapi",
+  "@hapi/hapi"
+]);
+var FULLSTACK_FRAMEWORKS = /* @__PURE__ */ new Set([
+  "next",
+  "nuxt",
+  "remix",
+  "@remix-run/node",
+  "@sveltejs/kit"
+]);
+function getAllDependencyNames(pkgJson) {
+  const deps = pkgJson.dependencies;
+  const devDeps = pkgJson.devDependencies;
+  return [...Object.keys(deps ?? {}), ...Object.keys(devDeps ?? {})];
+}
+function hasServerSideFiles(files) {
+  return files.some((f) => {
+    const segments = f.split("/");
+    const name = segments.at(-1) ?? "";
+    if (/^server\.(ts|js|mjs|cjs)$/.test(name)) return true;
+    if (segments.includes("api")) return true;
+    if (segments.includes("routes")) return true;
+    return false;
+  });
+}
+function detectProjectType(packageJson, files) {
+  const hasCodeFiles = files.some((f) => CODE_EXTENSIONS2.test(f));
+  const hasServerFiles = hasServerSideFiles(files);
+  if (!packageJson) {
+    if (!hasCodeFiles && !hasServerFiles) return "static";
+    return hasServerFiles ? "api" : "unknown";
+  }
+  const allDeps = getAllDependencyNames(packageJson);
+  const hasServerDep = allDeps.some((d) => SERVER_FRAMEWORKS.has(d));
+  if (!hasServerDep && !hasServerFiles) {
+    return "static";
+  }
+  if (allDeps.some((d) => FULLSTACK_FRAMEWORKS.has(d))) {
+    return "fullstack";
+  }
+  const hasFrontendFiles = files.some(
+    (f) => f.endsWith(".tsx") || f.endsWith(".jsx") || f.endsWith(".vue") || f.endsWith(".svelte")
+  );
+  return hasFrontendFiles ? "fullstack" : "api";
+}
+async function buildContext(options) {
+  const projectPath = resolve(options.path);
+  const info = await stat(projectPath).catch(() => null);
+  if (!info?.isDirectory()) {
+    throw new Error(`Not a directory: ${projectPath}`);
+  }
+  let packageJson;
+  try {
+    const raw = await readFile9(join10(projectPath, "package.json"), "utf-8");
+    packageJson = JSON.parse(raw);
+  } catch {
+  }
+  const entries = await readdir(projectPath, { recursive: true, withFileTypes: true });
+  const files = entries.filter((e) => e.isFile()).map((e) => relative(projectPath, join10(e.parentPath, e.name))).filter((f) => !f.split("/").some((segment) => EXCLUDED_DIRS.has(segment)));
+  const stack = detectStack(packageJson, files);
+  const typeOverride = options.type ?? "auto";
+  const projectType = typeOverride === "auto" ? detectProjectType(packageJson, files) : typeOverride;
+  const projectTypeSource = typeOverride === "auto" ? "auto" : "manual";
+  return {
+    projectPath,
+    url: options.url,
+    stack,
+    packageJson,
+    files,
+    verbose: options.verbose,
+    projectType,
+    projectTypeSource
+  };
+}
+async function runChecks(context, checks) {
+  const start = Date.now();
+  const settled = await Promise.allSettled(checks.map((check) => check(context)));
+  const results = [];
+  for (const outcome of settled) {
+    if (outcome.status === "fulfilled") {
+      results.push(...outcome.value);
+    } else {
+      results.push({
+        id: "error",
+        name: "Check error",
+        status: "skip",
+        severity: "info",
+        description: `Check threw: ${outcome.reason instanceof Error ? outcome.reason.message : String(outcome.reason)}`
+      });
+    }
+  }
+  const enrichedResults = enrichWithAiPrompts(results, context);
+  return {
+    results: enrichedResults,
+    score: calculateScore(enrichedResults),
+    summary: summarizeResults(enrichedResults),
+    duration: Date.now() - start
+  };
+}
+var PROJECT_INDICATORS = ["package.json", ".gitignore", ".git", "src", "lib"];
+var CODE_EXTENSIONS2 = /\.(ts|js|tsx|jsx)$/;
+function hasProjectFiles(files, projectPath, packageJson) {
+  if (packageJson) return true;
+  for (const f of files) {
+    const first = f.split("/")[0];
+    if (PROJECT_INDICATORS.includes(first)) return true;
+    if (CODE_EXTENSIONS2.test(f)) return true;
+  }
+  return false;
+}
+async function scan(context) {
+  const isUrlOnly = context.url && !hasProjectFiles(context.files, context.projectPath, context.packageJson);
+  if (isUrlOnly) {
+    const report2 = await runChecks(context, getUrlOnlyChecks());
+    return { ...report2, urlOnly: true, projectType: context.projectType, projectTypeSource: context.projectTypeSource };
+  }
+  const allChecks = getAllChecks();
+  if (context.projectType === "static") {
+    const skipInfos = getStaticSiteSkippableChecks();
+    const hasEnvFile = context.files.some((f) => f === ".env");
+    const skipFns = new Set(
+      skipInfos.filter((s) => s.id === "env-example" ? !hasEnvFile : true).map((s) => s.fn)
+    );
+    const checksToRun = allChecks.filter((c) => !skipFns.has(c));
+    const notApplicableResults = skipInfos.filter((s) => skipFns.has(s.fn)).map((s) => ({
+      id: s.id,
+      name: s.name,
+      status: "not-applicable",
+      severity: "info",
+      category: "static-site",
+      description: "Not applicable \u2014 static site has no server-side code"
+    }));
+    const report2 = await runChecks(context, checksToRun);
+    return {
+      ...report2,
+      results: [...report2.results, ...notApplicableResults],
+      summary: summarizeResults([...report2.results, ...notApplicableResults]),
+      projectType: context.projectType,
+      projectTypeSource: context.projectTypeSource
+    };
+  }
+  const report = await runChecks(context, allChecks);
+  return { ...report, projectType: context.projectType, projectTypeSource: context.projectTypeSource };
+}
+function calculateScore(results) {
+  const ran = results.filter((r) => r.status !== "skip" && r.status !== "not-applicable");
+  if (ran.length === 0) return 100;
+  const passed = ran.filter((r) => r.status !== "fail").length;
+  return Math.max(0, Math.round(passed / ran.length * 100));
+}
+function summarizeResults(results) {
+  let pass = 0;
+  let fail = 0;
+  let warn = 0;
+  let skip = 0;
+  let notApplicable = 0;
+  for (const r of results) {
+    if (r.status === "pass") pass++;
+    else if (r.status === "fail") fail++;
+    else if (r.status === "warn") warn++;
+    else if (r.status === "not-applicable") notApplicable++;
+    else skip++;
+  }
+  return { pass, fail, warn, skip, notApplicable, checksRun: pass + fail + warn, total: results.length };
+}
+
+// src/reporters/terminal.ts
+import chalk from "chalk";
+function resultIcon(result) {
+  if (result.status === "pass") return chalk.green("\u2713");
+  if (result.status === "skip") return chalk.dim("\u2013");
+  if (result.status === "not-applicable") return chalk.dim("\u25CB");
+  if (result.status === "warn") return chalk.yellow("\u26A0");
+  switch (result.severity) {
+    case "critical":
+      return chalk.red("\u2715");
+    case "high":
+      return chalk.yellow("\u26A0");
+    case "medium":
+      return chalk.blue("\u25CF");
+    case "low":
+      return chalk.dim("\u25CB");
+    case "info":
+      return chalk.dim("\xB7");
+  }
+}
+function formatScore(score) {
+  const text = `${score}/100`;
+  if (score >= 80) return chalk.green(text);
+  if (score >= 50) return chalk.yellow(text);
+  return chalk.red(text);
+}
+function groupByCategory(results) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const r of results) {
+    const key = r.category ?? "General";
+    const list = groups.get(key);
+    if (list) {
+      list.push(r);
+    } else {
+      groups.set(key, [r]);
+    }
+  }
+  return groups;
+}
+function formatTerminalReport(report, verbose) {
+  if (report.results.length === 0) {
+    return [
+      "",
+      `  ${chalk.dim("No security checks were run. Add checks to get started.")}`,
+      ""
+    ].join("\n");
+  }
+  const lines = [];
+  const grouped = groupByCategory(report.results);
+  for (const [category, results] of grouped) {
+    lines.push("");
+    lines.push(`  ${chalk.bold.underline(category)}`);
+    lines.push("");
+    for (const r of results) {
+      if (r.status === "not-applicable") {
+        lines.push(`    ${resultIcon(r)} ${chalk.dim(`${r.name} \u2014 not applicable (static site)`)}`);
+        continue;
+      }
+      const loc = r.location ? chalk.dim(` ${r.location}`) : "";
+      lines.push(`    ${resultIcon(r)} ${r.name}${loc}`);
+      lines.push(`      ${chalk.dim(r.description)}`);
+      if (verbose && r.fix) {
+        lines.push(`      ${chalk.cyan("Fix:")} ${r.fix}`);
+      }
+      if (verbose && r.aiPrompt) {
+        lines.push(`      ${chalk.magenta("AI:")} ${r.aiPrompt}`);
+      }
+    }
+  }
+  const { pass, fail, warn, skip, notApplicable, checksRun, total } = report.summary;
+  lines.push("");
+  const parts = [`${pass} passed`, `${fail} failed`, `${warn} warnings`, `${skip} skipped`];
+  if (notApplicable > 0) {
+    parts.push(`${notApplicable} N/A`);
+  }
+  parts.push(`Score: ${formatScore(report.score)} (based on ${checksRun} of ${total} checks)`);
+  lines.push(`  ${parts.join(" \xB7 ")}`);
+  if (skip > 0 && skip > total / 2) {
+    lines.push(
+      `  ${chalk.yellow("\u26A0")} Score may not be representative \u2014 ${skip} checks could not run. Pass --url to enable HTTP checks.`
+    );
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/reporters/json.ts
+function mapResult(result) {
+  return {
+    id: result.id,
+    title: result.name,
+    severity: result.severity,
+    status: result.status,
+    category: result.category ?? "General",
+    location: result.location ?? null,
+    description: result.description,
+    fix: result.fix ?? null,
+    aiPrompt: result.aiPrompt ?? null
+  };
+}
+function formatJsonReport(report, metadata) {
+  return JSON.stringify(
+    {
+      score: report.score,
+      summary: report.summary,
+      results: report.results.map(mapResult),
+      metadata
+    },
+    null,
+    2
+  );
+}
+
+// src/generators/config.ts
+import { writeFile, mkdir } from "fs/promises";
+import { join as join11 } from "path";
+function expressHelmetConfig() {
+  return {
+    name: "Helmet.js Security Headers",
+    filename: "helmet-setup.js",
+    language: "javascript",
+    description: "Express middleware that sets security-related HTTP headers via helmet.js",
+    code: `// helmet-setup.js \u2014 Security headers for Express
+// Install: npm install helmet
+import helmet from 'helmet';
+
+/**
+ * Configure helmet.js with recommended security headers.
+ * Add this BEFORE your route definitions.
+ *
+ * Usage:
+ *   import { securityHeaders } from './helmet-setup.js';
+ *   app.use(securityHeaders);
+ */
+export const securityHeaders = helmet({
+  // Content-Security-Policy: restricts resource loading sources
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
+      connectSrc: ["'self'"],
+      fontSrc: ["'self'"],
+      objectSrc: ["'none'"],
+      frameAncestors: ["'none'"],
+      upgradeInsecureRequests: [],
+    },
+  },
+  // Strict-Transport-Security: force HTTPS
+  hsts: {
+    maxAge: 31536000, // 1 year
+    includeSubDomains: true,
+    preload: true,
+  },
+  // X-Content-Type-Options: prevent MIME sniffing
+  noSniff: true,
+  // X-Frame-Options: prevent clickjacking
+  frameguard: { action: 'deny' },
+  // Referrer-Policy: control referrer information
+  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+  // Permissions-Policy: restrict browser features
+  permittedCrossDomainPolicies: { permittedPolicies: 'none' },
+});`
+  };
+}
+function expressCorsConfig() {
+  return {
+    name: "CORS Configuration",
+    filename: "cors-setup.js",
+    language: "javascript",
+    description: "Express CORS middleware with secure defaults \u2014 never use wildcard origins in production",
+    code: `// cors-setup.js \u2014 Secure CORS configuration for Express
+// Install: npm install cors
+import cors from 'cors';
+
+/**
+ * Configure CORS with explicit allowed origins.
+ * NEVER use origin: '*' or origin: true in production.
+ *
+ * Usage:
+ *   import { corsMiddleware } from './cors-setup.js';
+ *   app.use(corsMiddleware);
+ */
+const ALLOWED_ORIGINS = [
+  process.env.FRONTEND_URL || 'http://localhost:3000',
+  // Add your production domain(s) here:
+  // 'https://yourdomain.com',
+];
+
+export const corsMiddleware = cors({
+  origin: (origin, callback) => {
+    // Allow requests with no origin (server-to-server, curl, etc.)
+    if (!origin || ALLOWED_ORIGINS.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  credentials: true,
+  maxAge: 86400, // 24 hours \u2014 browsers cache preflight responses
+});`
+  };
+}
+function expressRateLimitConfig() {
+  return {
+    name: "Rate Limiter Setup",
+    filename: "rate-limit-setup.js",
+    language: "javascript",
+    description: "Express rate limiting middleware to prevent brute-force and DDoS attacks",
+    code: `// rate-limit-setup.js \u2014 Rate limiting for Express
+// Install: npm install express-rate-limit
+import rateLimit from 'express-rate-limit';
+
+/**
+ * General API rate limiter \u2014 100 requests per 15 minutes per IP.
+ *
+ * Usage:
+ *   import { apiLimiter, authLimiter } from './rate-limit-setup.js';
+ *   app.use('/api/', apiLimiter);
+ *   app.use('/api/auth/', authLimiter);
+ */
+export const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per window
+  standardHeaders: true, // Return rate limit info in \`RateLimit-*\` headers
+  legacyHeaders: false, // Disable \`X-RateLimit-*\` headers
+  message: { error: 'Too many requests, please try again later.' },
+});
+
+/**
+ * Stricter limiter for auth endpoints \u2014 5 requests per 15 minutes per IP.
+ * Prevents brute-force login/signup attacks.
+ */
+export const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many auth attempts, please try again later.' },
+});`
+  };
+}
+function nextSecurityHeadersConfig() {
+  return {
+    name: "Next.js Security Headers",
+    filename: "next-security-headers.js",
+    language: "javascript",
+    description: "Security headers configuration for next.config.js \u2014 add to your existing config",
+    code: `// next-security-headers.js \u2014 Security headers for Next.js
+// Copy the headers() function into your next.config.js
+
+/**
+ * Recommended security headers for Next.js.
+ *
+ * Usage in next.config.js:
+ *   import { securityHeaders } from './next-security-headers.js';
+ *   export default {
+ *     async headers() {
+ *       return [{ source: '/(.*)', headers: securityHeaders }];
+ *     },
+ *   };
+ */
+export const securityHeaders = [
+  {
+    key: 'Content-Security-Policy',
+    value: [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: https:",
+      "connect-src 'self'",
+      "font-src 'self'",
+      "object-src 'none'",
+      "frame-ancestors 'none'",
+      "upgrade-insecure-requests",
+    ].join('; '),
+  },
+  {
+    key: 'Strict-Transport-Security',
+    value: 'max-age=31536000; includeSubDomains; preload',
+  },
+  {
+    key: 'X-Content-Type-Options',
+    value: 'nosniff',
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'DENY',
+  },
+  {
+    key: 'Referrer-Policy',
+    value: 'strict-origin-when-cross-origin',
+  },
+  {
+    key: 'Permissions-Policy',
+    value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
+  },
+];`
+  };
+}
+function nextRateLimitMiddlewareConfig() {
+  return {
+    name: "Next.js Rate Limiting Middleware",
+    filename: "middleware-rate-limit.ts",
+    language: "typescript",
+    description: "Edge-compatible rate limiting middleware for Next.js App Router using in-memory store",
+    code: `// middleware-rate-limit.ts \u2014 Rate limiting for Next.js middleware
+// For production, consider @upstash/ratelimit with Redis for distributed rate limiting.
+// This in-memory implementation works for single-instance deployments.
+
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+/** Rate limit window configuration */
+const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+const MAX_REQUESTS = 100; // requests per window
+const AUTH_MAX_REQUESTS = 5; // stricter limit for auth routes
+
+interface RateLimitEntry {
+  readonly count: number;
+  readonly resetTime: number;
+}
+
+/** In-memory store \u2014 use Redis (@upstash/ratelimit) in production */
+const store = new Map<string, RateLimitEntry>();
+
+function getClientIp(request: NextRequest): string {
+  return (
+    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
+    request.headers.get('x-real-ip') ??
+    'unknown'
+  );
+}
+
+function isRateLimited(key: string, max: number): boolean {
+  const now = Date.now();
+  const entry = store.get(key);
+
+  if (!entry || now > entry.resetTime) {
+    store.set(key, { count: 1, resetTime: now + WINDOW_MS });
+    return false;
+  }
+
+  if (entry.count >= max) {
+    return true;
+  }
+
+  store.set(key, { ...entry, count: entry.count + 1 });
+  return false;
+}
+
+/**
+ * Next.js middleware with rate limiting.
+ *
+ * Usage: Save as middleware.ts in your project root.
+ */
+export function middleware(request: NextRequest): NextResponse {
+  const ip = getClientIp(request);
+  const isAuthRoute = request.nextUrl.pathname.startsWith('/api/auth');
+  const max = isAuthRoute ? AUTH_MAX_REQUESTS : MAX_REQUESTS;
+  const key = \`\${ip}:\${isAuthRoute ? 'auth' : 'api'}\`;
+
+  if (isRateLimited(key, max)) {
+    return NextResponse.json(
+      { error: 'Too many requests, please try again later.' },
+      { status: 429, headers: { 'Retry-After': String(Math.ceil(WINDOW_MS / 1000)) } },
+    );
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: '/api/:path*',
+};`
+  };
+}
+function fastifyHelmetConfig() {
+  return {
+    name: "Fastify Helmet Plugin",
+    filename: "fastify-helmet-setup.js",
+    language: "javascript",
+    description: "Fastify security headers plugin using @fastify/helmet",
+    code: `// fastify-helmet-setup.js \u2014 Security headers for Fastify
+// Install: npm install @fastify/helmet
+import helmet from '@fastify/helmet';
+
+/**
+ * Register @fastify/helmet with recommended security headers.
+ *
+ * Usage:
+ *   import { registerHelmet } from './fastify-helmet-setup.js';
+ *   await registerHelmet(fastify);
+ */
+export async function registerHelmet(fastify) {
+  await fastify.register(helmet, {
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
+        imgSrc: ["'self'", 'data:', 'https:'],
+        connectSrc: ["'self'"],
+        fontSrc: ["'self'"],
+        objectSrc: ["'none'"],
+        frameAncestors: ["'none'"],
+        upgradeInsecureRequests: [],
+      },
+    },
+    hsts: {
+      maxAge: 31536000,
+      includeSubDomains: true,
+      preload: true,
+    },
+  });
+}`
+  };
+}
+function fastifyCorsConfig() {
+  return {
+    name: "Fastify CORS Plugin",
+    filename: "fastify-cors-setup.js",
+    language: "javascript",
+    description: "Fastify CORS plugin with secure defaults \u2014 never use wildcard origins in production",
+    code: `// fastify-cors-setup.js \u2014 Secure CORS configuration for Fastify
+// Install: npm install @fastify/cors
+import cors from '@fastify/cors';
+
+/**
+ * Register @fastify/cors with explicit allowed origins.
+ *
+ * Usage:
+ *   import { registerCors } from './fastify-cors-setup.js';
+ *   await registerCors(fastify);
+ */
+const ALLOWED_ORIGINS = [
+  process.env.FRONTEND_URL || 'http://localhost:3000',
+  // Add your production domain(s) here:
+  // 'https://yourdomain.com',
+];
+
+export async function registerCors(fastify) {
+  await fastify.register(cors, {
+    origin: (origin, callback) => {
+      if (!origin || ALLOWED_ORIGINS.includes(origin)) {
+        callback(null, true);
+      } else {
+        callback(new Error('Not allowed by CORS'), false);
+      }
+    },
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
+    allowedHeaders: ['Content-Type', 'Authorization'],
+    credentials: true,
+    maxAge: 86400,
+  });
+}`
+  };
+}
+function fastifyRateLimitConfig() {
+  return {
+    name: "Fastify Rate Limit Plugin",
+    filename: "fastify-rate-limit-setup.js",
+    language: "javascript",
+    description: "Fastify rate limiting plugin to prevent brute-force and DDoS attacks",
+    code: `// fastify-rate-limit-setup.js \u2014 Rate limiting for Fastify
+// Install: npm install @fastify/rate-limit
+import rateLimit from '@fastify/rate-limit';
+
+/**
+ * Register @fastify/rate-limit with default and route-specific limits.
+ *
+ * Usage:
+ *   import { registerRateLimit } from './fastify-rate-limit-setup.js';
+ *   await registerRateLimit(fastify);
+ *
+ *   // Stricter limit on a specific route:
+ *   fastify.post('/login', { config: { rateLimit: { max: 5, timeWindow: '15 minutes' } } }, handler);
+ */
+export async function registerRateLimit(fastify) {
+  await fastify.register(rateLimit, {
+    global: true,
+    max: 100, // 100 requests per window per IP
+    timeWindow: '15 minutes',
+    addHeaders: {
+      'x-ratelimit-limit': true,
+      'x-ratelimit-remaining': true,
+      'x-ratelimit-reset': true,
+      'retry-after': true,
+    },
+    errorResponseBuilder: () => ({
+      statusCode: 429,
+      error: 'Too Many Requests',
+      message: 'Too many requests, please try again later.',
+    }),
+  });
+}`
+  };
+}
+function gitignoreConfig() {
+  return {
+    name: ".gitignore Security Additions",
+    filename: ".gitignore-additions",
+    language: "gitignore",
+    description: "Essential .gitignore patterns to prevent committing secrets, keys, and build artifacts",
+    code: `# === Security-critical patterns (add to your .gitignore) ===
+
+# Environment files \u2014 may contain secrets
+.env
+.env.local
+.env.*.local
+.env.production
+
+# Cryptographic keys
+*.pem
+*.key
+*.crt
+*.p12
+*.pfx
+
+# Dependency directories
+node_modules/
+
+# Build outputs
+dist/
+build/
+.next/
+out/
+
+# IDE and OS files
+.vscode/
+.idea/
+.DS_Store
+Thumbs.db
+
+# Log files
+*.log
+npm-debug.log*
+
+# Coverage and test reports
+coverage/
+.nyc_output/`
+  };
+}
+function envExampleConfig() {
+  return {
+    name: ".env.example Template",
+    filename: ".env.example",
+    language: "shell",
+    description: "Environment variable template with safe placeholders \u2014 commit this file, never .env",
+    code: `# .env.example \u2014 Template for required environment variables
+# Copy this file to .env and fill in real values. NEVER commit .env.
+
+# \u2500\u2500\u2500 Application \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+NODE_ENV=development
+PORT=3000
+
+# \u2500\u2500\u2500 Database \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# DATABASE_URL=postgresql://user:password@localhost:5432/mydb
+
+# \u2500\u2500\u2500 Authentication \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# AUTH_SECRET=generate-a-random-32-char-string-here
+# NEXTAUTH_URL=http://localhost:3000
+
+# \u2500\u2500\u2500 Third-Party APIs \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+# OPENAI_API_KEY=sk-your-key-here
+# STRIPE_SECRET_KEY=sk_test_your-key-here
+# STRIPE_WEBHOOK_SECRET=whsec_your-secret-here
+
+# \u2500\u2500\u2500 CORS \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+FRONTEND_URL=http://localhost:3000`
+  };
+}
+var FRAMEWORK_GENERATORS = [
+  {
+    framework: "express",
+    generators: [expressHelmetConfig, expressCorsConfig, expressRateLimitConfig]
+  },
+  {
+    framework: "next.js",
+    generators: [nextSecurityHeadersConfig, nextRateLimitMiddlewareConfig]
+  },
+  {
+    framework: "fastify",
+    generators: [fastifyHelmetConfig, fastifyCorsConfig, fastifyRateLimitConfig]
+  }
+];
+var GENERIC_GENERATORS = [
+  gitignoreConfig,
+  envExampleConfig
+];
+function generateConfigs(stack) {
+  const snippets = [];
+  if (stack.framework) {
+    const match = FRAMEWORK_GENERATORS.find(
+      (fg) => fg.framework === stack.framework
+    );
+    if (match) {
+      for (const gen of match.generators) {
+        snippets.push(gen());
+      }
+    }
+  }
+  for (const gen of GENERIC_GENERATORS) {
+    snippets.push(gen());
+  }
+  return snippets;
+}
+function formatConfigSnippet(snippet) {
+  const lines = [];
+  lines.push(`\u2500\u2500 ${snippet.name} \u2500\u2500`);
+  lines.push(snippet.description);
+  lines.push(`File: ${snippet.filename}`);
+  lines.push("");
+  lines.push(`\`\`\`${snippet.language}`);
+  lines.push(snippet.code);
+  lines.push("```");
+  return lines.join("\n");
+}
+function formatConfigOutput(snippets) {
+  if (snippets.length === 0) {
+    return "No configuration snippets to generate.";
+  }
+  const sections = snippets.map(formatConfigSnippet);
+  return `
+  Generated Security Configs
+  ${snippets.length} snippet${snippets.length === 1 ? "" : "s"} for your stack
+
+` + sections.join("\n\n") + "\n";
+}
+async function writeConfigFiles(snippets, outputDir) {
+  await mkdir(outputDir, { recursive: true });
+  const paths = [];
+  for (const snippet of snippets) {
+    const filePath = join11(outputDir, snippet.filename);
+    await writeFile(filePath, snippet.code + "\n", "utf-8");
+    paths.push(filePath);
+  }
+  return paths;
+}
+
+// src/cli.ts
+function createProgram(version) {
+  const program = new Command();
+  program.name("bastion").description("Privacy-first security checker for AI-era builders").version(version);
+  program.command("scan").description("Scan a project for security issues").option("-p, --path <dir>", "path to project directory", ".").option("-f, --format <type>", "output format (terminal, json, markdown)", "terminal").option("-v, --verbose", "show detailed output", false).option("-u, --url <url>", "URL for HTTP-based checks").option("-o, --output <file>", "output file path (for markdown/json formats)").option("--generate-configs", "generate security config snippets for detected stack", false).option("--output-dir <dir>", "write generated config files to directory").addOption(
+    new Option("-t, --type <type>", "project type override").choices(["auto", "static", "api", "fullstack"]).default("auto")
+  ).action(async (options) => {
+    await runScan(options, version);
+  });
+  const generate = program.command("generate").description("Generate security configuration files");
+  generate.command("security-txt").description("Create a valid security.txt file (RFC 9116)").option("-c, --contact <value>", "contact email or URL (enables non-interactive mode)").option("-e, --expires <date>", "expires date in ISO 8601 (default: 1 year from now)").option("-l, --languages <langs>", "preferred languages (default: en)").option("--policy <url>", "policy URL").option("--acknowledgments <url>", "acknowledgments URL").option("-p, --path <dir>", "project directory", ".").action(async (options) => {
+    await runSecurityTxtGenerator(options);
+  });
+  return program;
+}
+async function runScan(options, version) {
+  const isJson = options.format === "json";
+  if (!isJson) {
+    printBanner(version);
+  }
+  if (!isValidFormat(options.format)) {
+    console.error(
+      chalk2.red(`
+  Error: Invalid format "${options.format}". Use: ${OUTPUT_FORMATS.join(", ")}`)
+    );
+    process.exitCode = 1;
+    return;
+  }
+  if (!isJson && options.verbose) {
+    const { resolve: resolve2 } = await import("path");
+    console.log(chalk2.dim(`  Path:   ${resolve2(options.path)}`));
+    console.log(chalk2.dim(`  Format: ${options.format}`));
+    if (options.url) {
+      console.log(chalk2.dim(`  URL:    ${options.url}`));
+    }
+    if (options.type !== "auto") {
+      console.log(chalk2.dim(`  Type:   ${options.type} (manual override)`));
+    }
+    console.log();
+  }
+  const spinner = isJson ? null : ora({ text: "Scanning...", indent: 2 }).start();
+  try {
+    const context = await buildContext({
+      path: options.path,
+      url: options.url,
+      verbose: options.verbose,
+      type: options.type
+    });
+    const report = await scan(context);
+    if (isJson) {
+      const metadata = {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        version,
+        projectPath: context.projectPath,
+        detectedStack: context.stack,
+        projectType: report.projectType,
+        projectTypeSource: report.projectTypeSource
+      };
+      console.log(formatJsonReport(report, metadata));
+    } else {
+      spinner?.succeed(`Scan complete (${report.duration}ms)`);
+      if (report.urlOnly) {
+        console.log(chalk2.yellow("\n  URL-only scan \u2014 6 HTTP checks performed."));
+        console.log(chalk2.dim("  Point --path at your source code for a full 15-check audit.\n"));
+      }
+      if (report.projectType && report.projectType !== "unknown") {
+        const source = report.projectTypeSource === "manual" ? "manual" : "auto-detected";
+        console.log(chalk2.dim(`
+  Project type: ${report.projectType} (${source})`));
+      }
+      if (report.projectType === "static" && report.summary.notApplicable > 0) {
+        console.log(chalk2.dim(`  Static site detected \u2014 ${report.summary.notApplicable} checks not applicable`));
+      }
+      console.log(formatTerminalReport(report, options.verbose));
+    }
+    if (options.generateConfigs || options.outputDir) {
+      const snippets = generateConfigs(context.stack);
+      if (options.outputDir) {
+        const paths = await writeConfigFiles(snippets, options.outputDir);
+        if (!isJson) {
+          console.log(chalk2.green(`
+  \u2713 Wrote ${paths.length} config file${paths.length === 1 ? "" : "s"} to ${options.outputDir}/`));
+          for (const p of paths) {
+            console.log(chalk2.dim(`    ${p}`));
+          }
+          console.log();
+        }
+      } else if (!isJson) {
+        console.log(formatConfigOutput(snippets));
+      }
+    }
+    if (report.summary.fail > 0) {
+      process.exitCode = 1;
+    }
+  } catch (error) {
+    if (isJson) {
+      console.error(JSON.stringify({ error: error instanceof Error ? error.message : String(error) }));
+    } else {
+      spinner?.fail("Scan failed");
+      console.error(
+        chalk2.red(`
+  ${error instanceof Error ? error.message : String(error)}
+`)
+      );
+    }
+    process.exitCode = 1;
+  }
+}
+function printBanner(version) {
+  console.log();
+  console.log(chalk2.bold.cyan("  Bastion") + chalk2.dim(` v${version}`));
+  console.log(chalk2.dim("  Privacy-first security checker"));
+  console.log();
+}
+function isValidFormat(format) {
+  return OUTPUT_FORMATS.includes(format);
+}
+
+// src/index.ts
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+createProgram(pkg.version).parse();