npm - codesift-mcp - Versions diffs - 0.2.18 → 0.4.0 - Mend

codesift-mcp 0.2.18 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (461) hide show

package/README.md +143 -20
package/dist/cache/hono-cache.d.ts +50 -0
package/dist/cache/hono-cache.d.ts.map +1 -0
package/dist/cache/hono-cache.js +132 -0
package/dist/cache/hono-cache.js.map +1 -0
package/dist/cli/setup.d.ts.map +1 -1
package/dist/cli/setup.js +17 -2
package/dist/cli/setup.js.map +1 -1
package/dist/formatters-shortening.d.ts +13 -0
package/dist/formatters-shortening.d.ts.map +1 -1
package/dist/formatters-shortening.js +131 -0
package/dist/formatters-shortening.js.map +1 -1
package/dist/formatters.d.ts +38 -0
package/dist/formatters.d.ts.map +1 -1
package/dist/formatters.js +498 -0
package/dist/formatters.js.map +1 -1
package/dist/instructions.d.ts +1 -1
package/dist/instructions.d.ts.map +1 -1
package/dist/instructions.js +27 -26
package/dist/instructions.js.map +1 -1
package/dist/lsp/lsp-servers.d.ts.map +1 -1
package/dist/lsp/lsp-servers.js +5 -0
package/dist/lsp/lsp-servers.js.map +1 -1
package/dist/lsp/lsp-tools.d.ts.map +1 -1
package/dist/lsp/lsp-tools.js +1 -0
package/dist/lsp/lsp-tools.js.map +1 -1
package/dist/parser/astro-template.d.ts +47 -0
package/dist/parser/astro-template.d.ts.map +1 -0
package/dist/parser/astro-template.js +171 -0
package/dist/parser/astro-template.js.map +1 -0
package/dist/parser/extractors/_shared.d.ts +4 -0
package/dist/parser/extractors/_shared.d.ts.map +1 -1
package/dist/parser/extractors/_shared.js +8 -0
package/dist/parser/extractors/_shared.js.map +1 -1
package/dist/parser/extractors/astro.d.ts +4 -5
package/dist/parser/extractors/astro.d.ts.map +1 -1
package/dist/parser/extractors/astro.js +102 -26
package/dist/parser/extractors/astro.js.map +1 -1
package/dist/parser/extractors/gradle-kts.d.ts +4 -0
package/dist/parser/extractors/gradle-kts.d.ts.map +1 -0
package/dist/parser/extractors/gradle-kts.js +246 -0
package/dist/parser/extractors/gradle-kts.js.map +1 -0
package/dist/parser/extractors/hono-inline-analyzer.d.ts +34 -0
package/dist/parser/extractors/hono-inline-analyzer.d.ts.map +1 -0
package/dist/parser/extractors/hono-inline-analyzer.js +465 -0
package/dist/parser/extractors/hono-inline-analyzer.js.map +1 -0
package/dist/parser/extractors/hono-model.d.ts +196 -0
package/dist/parser/extractors/hono-model.d.ts.map +1 -0
package/dist/parser/extractors/hono-model.js +10 -0
package/dist/parser/extractors/hono-model.js.map +1 -0
package/dist/parser/extractors/hono.d.ts +118 -0
package/dist/parser/extractors/hono.d.ts.map +1 -0
package/dist/parser/extractors/hono.js +1527 -0
package/dist/parser/extractors/hono.js.map +1 -0
package/dist/parser/extractors/kotlin.d.ts +4 -0
package/dist/parser/extractors/kotlin.d.ts.map +1 -0
package/dist/parser/extractors/kotlin.js +521 -0
package/dist/parser/extractors/kotlin.js.map +1 -0
package/dist/parser/extractors/php.d.ts +22 -0
package/dist/parser/extractors/php.d.ts.map +1 -0
package/dist/parser/extractors/php.js +326 -0
package/dist/parser/extractors/php.js.map +1 -0
package/dist/parser/extractors/python.d.ts.map +1 -1
package/dist/parser/extractors/python.js +234 -11
package/dist/parser/extractors/python.js.map +1 -1
package/dist/parser/extractors/sql.d.ts +33 -0
package/dist/parser/extractors/sql.d.ts.map +1 -0
package/dist/parser/extractors/sql.js +506 -0
package/dist/parser/extractors/sql.js.map +1 -0
package/dist/parser/extractors/typescript.d.ts.map +1 -1
package/dist/parser/extractors/typescript.js +166 -3
package/dist/parser/extractors/typescript.js.map +1 -1
package/dist/parser/languages/tree-sitter-javascript.wasm +0 -0
package/dist/parser/languages/tree-sitter-kotlin.wasm +0 -0
package/dist/parser/languages/tree-sitter-php.wasm +0 -0
package/dist/parser/languages/tree-sitter-php_only.wasm +0 -0
package/dist/parser/languages/tree-sitter-python.wasm +0 -0
package/dist/parser/parser-manager.d.ts +32 -0
package/dist/parser/parser-manager.d.ts.map +1 -1
package/dist/parser/parser-manager.js +82 -3
package/dist/parser/parser-manager.js.map +1 -1
package/dist/parser/symbol-extractor.d.ts.map +1 -1
package/dist/parser/symbol-extractor.js +16 -0
package/dist/parser/symbol-extractor.js.map +1 -1
package/dist/register-tools.d.ts +37 -1
package/dist/register-tools.d.ts.map +1 -1
package/dist/register-tools.js +2657 -191
package/dist/register-tools.js.map +1 -1
package/dist/search/reranker.js +1 -1
package/dist/search/reranker.js.map +1 -1
package/dist/server-helpers.d.ts.map +1 -1
package/dist/server-helpers.js +11 -0
package/dist/server-helpers.js.map +1 -1
package/dist/server.js +28 -1
package/dist/server.js.map +1 -1
package/dist/storage/index-store.d.ts +15 -1
package/dist/storage/index-store.d.ts.map +1 -1
package/dist/storage/index-store.js +27 -1
package/dist/storage/index-store.js.map +1 -1
package/dist/storage/session-state.d.ts +1 -1
package/dist/storage/session-state.d.ts.map +1 -1
package/dist/storage/session-state.js +6 -4
package/dist/storage/session-state.js.map +1 -1
package/dist/tools/agent-config-tools.d.ts +24 -0
package/dist/tools/agent-config-tools.d.ts.map +1 -0
package/dist/tools/agent-config-tools.js +119 -0
package/dist/tools/agent-config-tools.js.map +1 -0
package/dist/tools/architecture-tools.d.ts +23 -0
package/dist/tools/architecture-tools.d.ts.map +1 -0
package/dist/tools/architecture-tools.js +140 -0
package/dist/tools/architecture-tools.js.map +1 -0
package/dist/tools/astro-config.d.ts +33 -0
package/dist/tools/astro-config.d.ts.map +1 -0
package/dist/tools/astro-config.js +260 -0
package/dist/tools/astro-config.js.map +1 -0
package/dist/tools/astro-islands.d.ts +61 -0
package/dist/tools/astro-islands.d.ts.map +1 -0
package/dist/tools/astro-islands.js +240 -0
package/dist/tools/astro-islands.js.map +1 -0
package/dist/tools/astro-routes.d.ts +49 -0
package/dist/tools/astro-routes.d.ts.map +1 -0
package/dist/tools/astro-routes.js +119 -0
package/dist/tools/astro-routes.js.map +1 -0
package/dist/tools/audit-tools.d.ts +38 -0
package/dist/tools/audit-tools.d.ts.map +1 -0
package/dist/tools/audit-tools.js +248 -0
package/dist/tools/audit-tools.js.map +1 -0
package/dist/tools/celery-tools.d.ts +38 -0
package/dist/tools/celery-tools.d.ts.map +1 -0
package/dist/tools/celery-tools.js +154 -0
package/dist/tools/celery-tools.js.map +1 -0
package/dist/tools/clone-tools.js +1 -1
package/dist/tools/clone-tools.js.map +1 -1
package/dist/tools/complexity-tools.d.ts +4 -0
package/dist/tools/complexity-tools.d.ts.map +1 -1
package/dist/tools/complexity-tools.js +78 -4
package/dist/tools/complexity-tools.js.map +1 -1
package/dist/tools/compose-tools.d.ts +60 -0
package/dist/tools/compose-tools.d.ts.map +1 -0
package/dist/tools/compose-tools.js +203 -0
package/dist/tools/compose-tools.js.map +1 -0
package/dist/tools/coupling-tools.d.ts +50 -0
package/dist/tools/coupling-tools.d.ts.map +1 -0
package/dist/tools/coupling-tools.js +262 -0
package/dist/tools/coupling-tools.js.map +1 -0
package/dist/tools/dependency-audit-tools.d.ts +65 -0
package/dist/tools/dependency-audit-tools.d.ts.map +1 -0
package/dist/tools/dependency-audit-tools.js +553 -0
package/dist/tools/dependency-audit-tools.js.map +1 -0
package/dist/tools/django-settings.d.ts +22 -0
package/dist/tools/django-settings.d.ts.map +1 -0
package/dist/tools/django-settings.js +301 -0
package/dist/tools/django-settings.js.map +1 -0
package/dist/tools/frequency-tools.js +1 -1
package/dist/tools/frequency-tools.js.map +1 -1
package/dist/tools/graph-tools.d.ts +8 -2
package/dist/tools/graph-tools.d.ts.map +1 -1
package/dist/tools/graph-tools.js +44 -3
package/dist/tools/graph-tools.js.map +1 -1
package/dist/tools/hilt-tools.d.ts +55 -0
package/dist/tools/hilt-tools.d.ts.map +1 -0
package/dist/tools/hilt-tools.js +258 -0
package/dist/tools/hilt-tools.js.map +1 -0
package/dist/tools/hono-analyze-app.d.ts +48 -0
package/dist/tools/hono-analyze-app.d.ts.map +1 -0
package/dist/tools/hono-analyze-app.js +102 -0
package/dist/tools/hono-analyze-app.js.map +1 -0
package/dist/tools/hono-api-contract.d.ts +22 -0
package/dist/tools/hono-api-contract.d.ts.map +1 -0
package/dist/tools/hono-api-contract.js +80 -0
package/dist/tools/hono-api-contract.js.map +1 -0
package/dist/tools/hono-conditional-middleware.d.ts +27 -0
package/dist/tools/hono-conditional-middleware.d.ts.map +1 -0
package/dist/tools/hono-conditional-middleware.js +62 -0
package/dist/tools/hono-conditional-middleware.js.map +1 -0
package/dist/tools/hono-context-flow.d.ts +24 -0
package/dist/tools/hono-context-flow.d.ts.map +1 -0
package/dist/tools/hono-context-flow.js +78 -0
package/dist/tools/hono-context-flow.js.map +1 -0
package/dist/tools/hono-dead-routes.d.ts +26 -0
package/dist/tools/hono-dead-routes.d.ts.map +1 -0
package/dist/tools/hono-dead-routes.js +109 -0
package/dist/tools/hono-dead-routes.js.map +1 -0
package/dist/tools/hono-env-regression.d.ts +29 -0
package/dist/tools/hono-env-regression.d.ts.map +1 -0
package/dist/tools/hono-env-regression.js +157 -0
package/dist/tools/hono-env-regression.js.map +1 -0
package/dist/tools/hono-inline-analyze.d.ts +31 -0
package/dist/tools/hono-inline-analyze.d.ts.map +1 -0
package/dist/tools/hono-inline-analyze.js +67 -0
package/dist/tools/hono-inline-analyze.js.map +1 -0
package/dist/tools/hono-middleware-chain.d.ts +22 -0
package/dist/tools/hono-middleware-chain.d.ts.map +1 -0
package/dist/tools/hono-middleware-chain.js +84 -0
package/dist/tools/hono-middleware-chain.js.map +1 -0
package/dist/tools/hono-modules.d.ts +22 -0
package/dist/tools/hono-modules.d.ts.map +1 -0
package/dist/tools/hono-modules.js +126 -0
package/dist/tools/hono-modules.js.map +1 -0
package/dist/tools/hono-response-types.d.ts +37 -0
package/dist/tools/hono-response-types.d.ts.map +1 -0
package/dist/tools/hono-response-types.js +84 -0
package/dist/tools/hono-response-types.js.map +1 -0
package/dist/tools/hono-rpc-types.d.ts +21 -0
package/dist/tools/hono-rpc-types.d.ts.map +1 -0
package/dist/tools/hono-rpc-types.js +57 -0
package/dist/tools/hono-rpc-types.js.map +1 -0
package/dist/tools/hono-security.d.ts +21 -0
package/dist/tools/hono-security.d.ts.map +1 -0
package/dist/tools/hono-security.js +98 -0
package/dist/tools/hono-security.js.map +1 -0
package/dist/tools/hono-visualize.d.ts +13 -0
package/dist/tools/hono-visualize.d.ts.map +1 -0
package/dist/tools/hono-visualize.js +72 -0
package/dist/tools/hono-visualize.js.map +1 -0
package/dist/tools/hotspot-tools.d.ts.map +1 -1
package/dist/tools/hotspot-tools.js +9 -7
package/dist/tools/hotspot-tools.js.map +1 -1
package/dist/tools/index-tools.d.ts +17 -0
package/dist/tools/index-tools.d.ts.map +1 -1
package/dist/tools/index-tools.js +210 -10
package/dist/tools/index-tools.js.map +1 -1
package/dist/tools/kotlin-tools.d.ts +142 -0
package/dist/tools/kotlin-tools.d.ts.map +1 -0
package/dist/tools/kotlin-tools.js +572 -0
package/dist/tools/kotlin-tools.js.map +1 -0
package/dist/tools/legacy-hono-conventions.d.ts +14 -0
package/dist/tools/legacy-hono-conventions.d.ts.map +1 -0
package/dist/tools/legacy-hono-conventions.js +152 -0
package/dist/tools/legacy-hono-conventions.js.map +1 -0
package/dist/tools/migration-lint-tools.d.ts +26 -0
package/dist/tools/migration-lint-tools.d.ts.map +1 -0
package/dist/tools/migration-lint-tools.js +247 -0
package/dist/tools/migration-lint-tools.js.map +1 -0
package/dist/tools/model-tools.d.ts +30 -0
package/dist/tools/model-tools.d.ts.map +1 -0
package/dist/tools/model-tools.js +145 -0
package/dist/tools/model-tools.js.map +1 -0
package/dist/tools/nest-ext-tools.d.ts +92 -0
package/dist/tools/nest-ext-tools.d.ts.map +1 -0
package/dist/tools/nest-ext-tools.js +359 -0
package/dist/tools/nest-ext-tools.js.map +1 -0
package/dist/tools/nest-tools.d.ts +171 -0
package/dist/tools/nest-tools.d.ts.map +1 -0
package/dist/tools/nest-tools.js +1042 -0
package/dist/tools/nest-tools.js.map +1 -0
package/dist/tools/nextjs-api-contract-readers.d.ts +14 -0
package/dist/tools/nextjs-api-contract-readers.d.ts.map +1 -0
package/dist/tools/nextjs-api-contract-readers.js +204 -0
package/dist/tools/nextjs-api-contract-readers.js.map +1 -0
package/dist/tools/nextjs-api-contract-tools.d.ts +57 -0
package/dist/tools/nextjs-api-contract-tools.d.ts.map +1 -0
package/dist/tools/nextjs-api-contract-tools.js +144 -0
package/dist/tools/nextjs-api-contract-tools.js.map +1 -0
package/dist/tools/nextjs-boundary-tools.d.ts +39 -0
package/dist/tools/nextjs-boundary-tools.d.ts.map +1 -0
package/dist/tools/nextjs-boundary-tools.js +152 -0
package/dist/tools/nextjs-boundary-tools.js.map +1 -0
package/dist/tools/nextjs-component-tools.d.ts +121 -0
package/dist/tools/nextjs-component-tools.d.ts.map +1 -0
package/dist/tools/nextjs-component-tools.js +460 -0
package/dist/tools/nextjs-component-tools.js.map +1 -0
package/dist/tools/nextjs-data-flow-tools.d.ts +42 -0
package/dist/tools/nextjs-data-flow-tools.d.ts.map +1 -0
package/dist/tools/nextjs-data-flow-tools.js +158 -0
package/dist/tools/nextjs-data-flow-tools.js.map +1 -0
package/dist/tools/nextjs-framework-audit-tools.d.ts +37 -0
package/dist/tools/nextjs-framework-audit-tools.d.ts.map +1 -0
package/dist/tools/nextjs-framework-audit-tools.js +211 -0
package/dist/tools/nextjs-framework-audit-tools.js.map +1 -0
package/dist/tools/nextjs-link-tools.d.ts +41 -0
package/dist/tools/nextjs-link-tools.d.ts.map +1 -0
package/dist/tools/nextjs-link-tools.js +157 -0
package/dist/tools/nextjs-link-tools.js.map +1 -0
package/dist/tools/nextjs-metadata-tools.d.ts +74 -0
package/dist/tools/nextjs-metadata-tools.d.ts.map +1 -0
package/dist/tools/nextjs-metadata-tools.js +252 -0
package/dist/tools/nextjs-metadata-tools.js.map +1 -0
package/dist/tools/nextjs-middleware-coverage-tools.d.ts +41 -0
package/dist/tools/nextjs-middleware-coverage-tools.d.ts.map +1 -0
package/dist/tools/nextjs-middleware-coverage-tools.js +88 -0
package/dist/tools/nextjs-middleware-coverage-tools.js.map +1 -0
package/dist/tools/nextjs-route-tools.d.ts +100 -0
package/dist/tools/nextjs-route-tools.d.ts.map +1 -0
package/dist/tools/nextjs-route-tools.js +493 -0
package/dist/tools/nextjs-route-tools.js.map +1 -0
package/dist/tools/nextjs-security-readers.d.ts +22 -0
package/dist/tools/nextjs-security-readers.d.ts.map +1 -0
package/dist/tools/nextjs-security-readers.js +318 -0
package/dist/tools/nextjs-security-readers.js.map +1 -0
package/dist/tools/nextjs-security-scoring.d.ts +15 -0
package/dist/tools/nextjs-security-scoring.d.ts.map +1 -0
package/dist/tools/nextjs-security-scoring.js +65 -0
package/dist/tools/nextjs-security-scoring.js.map +1 -0
package/dist/tools/nextjs-security-tools.d.ts +75 -0
package/dist/tools/nextjs-security-tools.d.ts.map +1 -0
package/dist/tools/nextjs-security-tools.js +153 -0
package/dist/tools/nextjs-security-tools.js.map +1 -0
package/dist/tools/nextjs-tools.d.ts +15 -0
package/dist/tools/nextjs-tools.d.ts.map +1 -0
package/dist/tools/nextjs-tools.js +15 -0
package/dist/tools/nextjs-tools.js.map +1 -0
package/dist/tools/outline-tools.d.ts.map +1 -1
package/dist/tools/outline-tools.js +20 -0
package/dist/tools/outline-tools.js.map +1 -1
package/dist/tools/pattern-tools.d.ts +8 -0
package/dist/tools/pattern-tools.d.ts.map +1 -1
package/dist/tools/pattern-tools.js +561 -3
package/dist/tools/pattern-tools.js.map +1 -1
package/dist/tools/perf-tools.d.ts +32 -0
package/dist/tools/perf-tools.d.ts.map +1 -0
package/dist/tools/perf-tools.js +227 -0
package/dist/tools/perf-tools.js.map +1 -0
package/dist/tools/php-tools.d.ts +176 -0
package/dist/tools/php-tools.d.ts.map +1 -0
package/dist/tools/php-tools.js +543 -0
package/dist/tools/php-tools.js.map +1 -0
package/dist/tools/prisma-schema-tools.d.ts +44 -0
package/dist/tools/prisma-schema-tools.d.ts.map +1 -0
package/dist/tools/prisma-schema-tools.js +358 -0
package/dist/tools/prisma-schema-tools.js.map +1 -0
package/dist/tools/project-tools.d.ts +115 -6
package/dist/tools/project-tools.d.ts.map +1 -1
package/dist/tools/project-tools.js +594 -217
package/dist/tools/project-tools.js.map +1 -1
package/dist/tools/pyproject-tools.d.ts +23 -0
package/dist/tools/pyproject-tools.d.ts.map +1 -0
package/dist/tools/pyproject-tools.js +133 -0
package/dist/tools/pyproject-tools.js.map +1 -0
package/dist/tools/pytest-tools.d.ts +20 -0
package/dist/tools/pytest-tools.d.ts.map +1 -0
package/dist/tools/pytest-tools.js +106 -0
package/dist/tools/pytest-tools.js.map +1 -0
package/dist/tools/python-callers.d.ts +28 -0
package/dist/tools/python-callers.d.ts.map +1 -0
package/dist/tools/python-callers.js +110 -0
package/dist/tools/python-callers.js.map +1 -0
package/dist/tools/python-circular-imports.d.ts +19 -0
package/dist/tools/python-circular-imports.d.ts.map +1 -0
package/dist/tools/python-circular-imports.js +126 -0
package/dist/tools/python-circular-imports.js.map +1 -0
package/dist/tools/python-deps-analyzer.d.ts +46 -0
package/dist/tools/python-deps-analyzer.d.ts.map +1 -0
package/dist/tools/python-deps-analyzer.js +227 -0
package/dist/tools/python-deps-analyzer.js.map +1 -0
package/dist/tools/query-tools.d.ts +23 -0
package/dist/tools/query-tools.d.ts.map +1 -0
package/dist/tools/query-tools.js +256 -0
package/dist/tools/query-tools.js.map +1 -0
package/dist/tools/react-tools.d.ts +218 -0
package/dist/tools/react-tools.d.ts.map +1 -0
package/dist/tools/react-tools.js +714 -0
package/dist/tools/react-tools.js.map +1 -0
package/dist/tools/report-tools.js +47 -0
package/dist/tools/report-tools.js.map +1 -1
package/dist/tools/review-diff-tools.d.ts +2 -6
package/dist/tools/review-diff-tools.d.ts.map +1 -1
package/dist/tools/review-diff-tools.js +51 -66
package/dist/tools/review-diff-tools.js.map +1 -1
package/dist/tools/room-tools.d.ts +36 -0
package/dist/tools/room-tools.d.ts.map +1 -0
package/dist/tools/room-tools.js +147 -0
package/dist/tools/room-tools.js.map +1 -0
package/dist/tools/route-tools.d.ts +27 -1
package/dist/tools/route-tools.d.ts.map +1 -1
package/dist/tools/route-tools.js +744 -18
package/dist/tools/route-tools.js.map +1 -1
package/dist/tools/ruff-tools.d.ts +32 -0
package/dist/tools/ruff-tools.d.ts.map +1 -0
package/dist/tools/ruff-tools.js +114 -0
package/dist/tools/ruff-tools.js.map +1 -0
package/dist/tools/search-ranker.d.ts.map +1 -1
package/dist/tools/search-ranker.js +7 -0
package/dist/tools/search-ranker.js.map +1 -1
package/dist/tools/serialization-tools.d.ts +24 -0
package/dist/tools/serialization-tools.d.ts.map +1 -0
package/dist/tools/serialization-tools.js +156 -0
package/dist/tools/serialization-tools.js.map +1 -0
package/dist/tools/sql-tools.d.ts +234 -0
package/dist/tools/sql-tools.d.ts.map +1 -0
package/dist/tools/sql-tools.js +1037 -0
package/dist/tools/sql-tools.js.map +1 -0
package/dist/tools/status-tools.d.ts +10 -0
package/dist/tools/status-tools.d.ts.map +1 -0
package/dist/tools/status-tools.js +32 -0
package/dist/tools/status-tools.js.map +1 -0
package/dist/tools/symbol-tools.d.ts +19 -0
package/dist/tools/symbol-tools.d.ts.map +1 -1
package/dist/tools/symbol-tools.js +78 -4
package/dist/tools/symbol-tools.js.map +1 -1
package/dist/tools/test-impact-tools.d.ts +29 -0
package/dist/tools/test-impact-tools.d.ts.map +1 -0
package/dist/tools/test-impact-tools.js +156 -0
package/dist/tools/test-impact-tools.js.map +1 -0
package/dist/tools/typecheck-tools.d.ts +39 -0
package/dist/tools/typecheck-tools.d.ts.map +1 -0
package/dist/tools/typecheck-tools.js +191 -0
package/dist/tools/typecheck-tools.js.map +1 -0
package/dist/tools/wiring-tools.d.ts +19 -0
package/dist/tools/wiring-tools.d.ts.map +1 -0
package/dist/tools/wiring-tools.js +147 -0
package/dist/tools/wiring-tools.js.map +1 -0
package/dist/types.d.ts +9 -1
package/dist/types.d.ts.map +1 -1
package/dist/utils/framework-detect.d.ts +18 -2
package/dist/utils/framework-detect.d.ts.map +1 -1
package/dist/utils/framework-detect.js +150 -3
package/dist/utils/framework-detect.js.map +1 -1
package/dist/utils/import-graph.d.ts +36 -0
package/dist/utils/import-graph.d.ts.map +1 -1
package/dist/utils/import-graph.js +212 -9
package/dist/utils/import-graph.js.map +1 -1
package/dist/utils/language-detect.d.ts +21 -0
package/dist/utils/language-detect.d.ts.map +1 -0
package/dist/utils/language-detect.js +183 -0
package/dist/utils/language-detect.js.map +1 -0
package/dist/utils/nextjs-ast-readers.d.ts +44 -0
package/dist/utils/nextjs-ast-readers.d.ts.map +1 -0
package/dist/utils/nextjs-ast-readers.js +341 -0
package/dist/utils/nextjs-ast-readers.js.map +1 -0
package/dist/utils/nextjs-audit-cache.d.ts +51 -0
package/dist/utils/nextjs-audit-cache.d.ts.map +1 -0
package/dist/utils/nextjs-audit-cache.js +116 -0
package/dist/utils/nextjs-audit-cache.js.map +1 -0
package/dist/utils/nextjs-metadata-readers.d.ts +65 -0
package/dist/utils/nextjs-metadata-readers.d.ts.map +1 -0
package/dist/utils/nextjs-metadata-readers.js +447 -0
package/dist/utils/nextjs-metadata-readers.js.map +1 -0
package/dist/utils/nextjs.d.ts +42 -0
package/dist/utils/nextjs.d.ts.map +1 -0
package/dist/utils/nextjs.js +284 -0
package/dist/utils/nextjs.js.map +1 -0
package/dist/utils/python-import-resolver.d.ts +42 -0
package/dist/utils/python-import-resolver.d.ts.map +1 -0
package/dist/utils/python-import-resolver.js +101 -0
package/dist/utils/python-import-resolver.js.map +1 -0
package/dist/utils/python-imports.d.ts +28 -0
package/dist/utils/python-imports.d.ts.map +1 -0
package/dist/utils/python-imports.js +117 -0
package/dist/utils/python-imports.js.map +1 -0
package/dist/utils/react-alias.d.ts +15 -0
package/dist/utils/react-alias.d.ts.map +1 -0
package/dist/utils/react-alias.js +31 -0
package/dist/utils/react-alias.js.map +1 -0
package/dist/utils/test-file.d.ts.map +1 -1
package/dist/utils/test-file.js +7 -0
package/dist/utils/test-file.js.map +1 -1
package/dist/utils/walk.d.ts +22 -0
package/dist/utils/walk.d.ts.map +1 -1
package/dist/utils/walk.js +70 -2
package/dist/utils/walk.js.map +1 -1
package/package.json +3 -2
package/rules/codesift.md +34 -5
package/rules/codesift.mdc +34 -5
package/rules/codex.md +34 -5
package/rules/gemini.md +34 -5
package/src/parser/languages/tree-sitter-javascript.wasm +0 -0
package/src/parser/languages/tree-sitter-kotlin.wasm +0 -0
package/src/parser/languages/tree-sitter-php.wasm +0 -0
package/src/parser/languages/tree-sitter-php_only.wasm +0 -0
package/src/parser/languages/tree-sitter-python.wasm +0 -0

package/dist/tools/nextjs-security-readers.js ADDED Viewed

@@ -0,0 +1,318 @@
+/**
+ * AST readers for Next.js Server Actions security audit (T2).
+ *
+ * Each reader is a focused, pure function that extracts a specific signal
+ * from a parsed tree-sitter Tree. The orchestrator in `nextjs-security-tools.ts`
+ * composes them into a per-action audit.
+ */
+import { extractZodSchema } from "../utils/nextjs.js";
+/** Determine if a tree-sitter program has a file-scope `"use server"` directive. */
+function hasFileScopeUseServer(tree) {
+    const root = tree.rootNode;
+    const first = root.namedChildren[0];
+    if (!first)
+        return false;
+    if (first.type !== "expression_statement")
+        return false;
+    const inner = first.namedChildren[0];
+    if (!inner)
+        return false;
+    if (inner.type !== "string")
+        return false;
+    const text = inner.text.length >= 2 ? inner.text.slice(1, -1) : inner.text;
+    return text === "use server";
+}
+/** Returns true if the function body's first statement is `"use server"` directive. */
+function hasInlineUseServer(body) {
+    if (body.type !== "statement_block")
+        return false;
+    const first = body.namedChildren[0];
+    if (!first)
+        return false;
+    if (first.type !== "expression_statement")
+        return false;
+    const inner = first.namedChildren[0];
+    if (!inner || inner.type !== "string")
+        return false;
+    const text = inner.text.length >= 2 ? inner.text.slice(1, -1) : inner.text;
+    return text === "use server";
+}
+export function extractServerActionFunctions(tree, _source, file) {
+    const out = [];
+    const root = tree.rootNode;
+    const fileScope = hasFileScopeUseServer(tree);
+    if (fileScope) {
+        // All exported functions in this file are server actions.
+        for (const exp of root.descendantsOfType("export_statement")) {
+            // function_declaration form
+            for (const fn of exp.descendantsOfType("function_declaration")) {
+                // Skip nested function declarations
+                if (fn.parent?.id !== exp.id && fn.parent?.parent?.id !== exp.id)
+                    continue;
+                const name = fn.childForFieldName("name")?.text ?? "<anon>";
+                const isAsync = /\basync\b/.test(exp.text.split("function")[0] ?? "");
+                const body = fn.childForFieldName("body");
+                out.push({
+                    name,
+                    file,
+                    line: fn.startPosition.row + 1,
+                    isAsync,
+                    bodyNode: body ?? null,
+                    fnNode: fn,
+                });
+            }
+            // const x = async () => { ... }   OR   const x = wrap(async () => { ... })
+            for (const decl of exp.descendantsOfType("variable_declarator")) {
+                const name = decl.childForFieldName("name")?.text;
+                const value = decl.childForFieldName("value");
+                if (!name || !value)
+                    continue;
+                // Direct arrow / function_expression
+                if (value.type === "arrow_function" || value.type === "function_expression") {
+                    const isAsync = /^\s*async\b/.test(value.text);
+                    const body = value.childForFieldName("body");
+                    out.push({
+                        name,
+                        file,
+                        line: decl.startPosition.row + 1,
+                        isAsync,
+                        bodyNode: body ?? null,
+                        fnNode: value,
+                    });
+                }
+                else if (value.type === "call_expression") {
+                    // HOC wrapper: find the inner arrow/function expression argument.
+                    const args = value.childForFieldName("arguments") ?? value.namedChild(1);
+                    if (!args)
+                        continue;
+                    for (const arg of args.namedChildren) {
+                        if (arg.type === "arrow_function" || arg.type === "function_expression") {
+                            const isAsync = /^\s*async\b/.test(arg.text);
+                            const body = arg.childForFieldName("body");
+                            out.push({
+                                name,
+                                file,
+                                line: decl.startPosition.row + 1,
+                                isAsync,
+                                bodyNode: body && body.type === "statement_block" ? body : null,
+                                fnNode: arg,
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        return out;
+    }
+    // No file-scope directive: walk all functions and find inline `"use server"`.
+    const allFns = [
+        ...root.descendantsOfType("function_declaration"),
+        ...root.descendantsOfType("arrow_function"),
+        ...root.descendantsOfType("function_expression"),
+    ];
+    for (const fn of allFns) {
+        const body = fn.childForFieldName("body");
+        if (!body || body.type !== "statement_block")
+            continue;
+        if (!hasInlineUseServer(body))
+            continue;
+        let name = "<anon>";
+        if (fn.type === "function_declaration") {
+            name = fn.childForFieldName("name")?.text ?? "<anon>";
+        }
+        else {
+            // Try to find enclosing variable_declarator for name
+            let p = fn.parent;
+            while (p) {
+                if (p.type === "variable_declarator") {
+                    name = p.childForFieldName("name")?.text ?? "<anon>";
+                    break;
+                }
+                p = p.parent;
+            }
+        }
+        const isAsync = /^\s*async\b/.test(fn.text);
+        out.push({
+            name,
+            file,
+            line: fn.startPosition.row + 1,
+            isAsync,
+            bodyNode: body,
+            fnNode: fn,
+        });
+    }
+    return out;
+}
+// ---------------------------------------------------------------------------
+// Auth guard detection (Task 15)
+// ---------------------------------------------------------------------------
+/** Default identifier set for auth detection. */
+const AUTH_CALL_NAMES = new Set([
+    "auth",
+    "getSession",
+    "getServerSession",
+    "currentUser",
+    "validateRequest",
+    "getAuth",
+    "getUser",
+]);
+const AUTH_HOC_NAMES = new Set(["withAuth", "requireAuth", "withSession"]);
+export function detectAuthGuard(fn) {
+    const body = fn.bodyNode;
+    // 0) HOC wrapper detection — if the function node is the argument of a known HOC wrapper.
+    let p = fn.fnNode.parent;
+    while (p) {
+        if (p.type === "call_expression") {
+            const callee = p.childForFieldName("function") ?? p.namedChild(0);
+            if (callee?.type === "identifier" && AUTH_HOC_NAMES.has(callee.text)) {
+                return { confidence: "medium", pattern: "hoc" };
+            }
+        }
+        p = p.parent;
+    }
+    if (!body) {
+        return { confidence: "none", pattern: "none" };
+    }
+    // 1) Look for direct auth call expressions inside body.
+    let firstAuthCall = null;
+    for (const call of body.descendantsOfType("call_expression")) {
+        const callee = call.childForFieldName("function") ?? call.namedChild(0);
+        if (callee?.type === "identifier" && AUTH_CALL_NAMES.has(callee.text)) {
+            firstAuthCall = { name: callee.text, line: call.startPosition.row + 1, node: call };
+            break;
+        }
+        // Member access like auth.protect()
+        if (callee?.type === "member_expression") {
+            const obj = callee.childForFieldName("object") ?? callee.namedChild(0);
+            const prop = callee.childForFieldName("property") ?? callee.namedChild(1);
+            if (obj?.type === "identifier" && AUTH_CALL_NAMES.has(obj.text)) {
+                firstAuthCall = {
+                    name: `${obj.text}.${prop?.text ?? ""}`,
+                    line: call.startPosition.row + 1,
+                    node: call,
+                };
+                break;
+            }
+        }
+    }
+    if (firstAuthCall) {
+        // Walk forward in body looking for if(!result)/throw/return within the next 5 statements.
+        const callLine = firstAuthCall.line;
+        const callIndex = firstAuthCall.node.endIndex;
+        let resultChecked = false;
+        for (const ifStmt of body.descendantsOfType("if_statement")) {
+            if (ifStmt.startIndex >= callIndex && ifStmt.startPosition.row <= callLine + 5) {
+                // Heuristic: any if-throw/return after the auth call counts as "checked"
+                const inner = ifStmt.text;
+                if (/throw|return\s|redirect/.test(inner)) {
+                    resultChecked = true;
+                    break;
+                }
+            }
+        }
+        // Also handle assignment + checked condition: if (!session) { ... }
+        if (!resultChecked) {
+            // Look for any assignment storing the call result, then a usage in if-condition
+            for (const decl of body.descendantsOfType("variable_declarator")) {
+                const value = decl.childForFieldName("value");
+                if (!value)
+                    continue;
+                // Skip assignments before the auth call
+                if (decl.startIndex < firstAuthCall.node.startIndex)
+                    continue;
+                const varName = decl.childForFieldName("name")?.text;
+                if (!varName)
+                    continue;
+                // Check for usage in subsequent if condition
+                for (const ifStmt of body.descendantsOfType("if_statement")) {
+                    if (ifStmt.startIndex < decl.endIndex)
+                        continue;
+                    const cond = ifStmt.childForFieldName("condition") ?? ifStmt.namedChild(0);
+                    if (cond && new RegExp(`\\b${varName}\\b`).test(cond.text)) {
+                        const inner = ifStmt.text;
+                        if (/throw|return\s|redirect/.test(inner)) {
+                            resultChecked = true;
+                            break;
+                        }
+                    }
+                }
+                if (resultChecked)
+                    break;
+            }
+        }
+        return {
+            confidence: resultChecked ? "high" : "medium",
+            pattern: "direct",
+            callsite: { name: firstAuthCall.name, line: firstAuthCall.line },
+        };
+    }
+    // 2) Comment-only mention as fallback (low).
+    const bodyText = body.text;
+    if (/(?:\/\/|\/\*)\s*[^*]*\b(auth|session|user|permission)/i.test(bodyText)) {
+        return { confidence: "low", pattern: "none" };
+    }
+    return { confidence: "none", pattern: "none" };
+}
+// ---------------------------------------------------------------------------
+// Input validation detection (Task 16)
+// ---------------------------------------------------------------------------
+export function detectInputValidation(fn, tree, source) {
+    const body = fn.bodyNode;
+    if (!body)
+        return { lib: "none", confidence: "high" };
+    // 1) Look for `.parse()` or `.safeParse()` call expressions on a Zod schema.
+    for (const call of body.descendantsOfType("call_expression")) {
+        const callee = call.childForFieldName("function") ?? call.namedChild(0);
+        if (callee?.type !== "member_expression")
+            continue;
+        const prop = callee.childForFieldName("property") ?? callee.namedChild(1);
+        if (prop?.type !== "property_identifier")
+            continue;
+        if (prop.text !== "parse" && prop.text !== "safeParse")
+            continue;
+        // Disambiguate Zod from other libs by inspecting the file for a Zod schema.
+        const zodShape = extractZodSchema(tree, source);
+        if (zodShape) {
+            return { lib: "zod", confidence: "high" };
+        }
+        // Fallback: at least the .parse() call indicates structured validation.
+        return { lib: "manual", confidence: "medium" };
+    }
+    // 2) Manual validation: count if-throw statements in the first 5 statements.
+    let manualCount = 0;
+    const stmts = body.namedChildren.slice(0, 5);
+    for (const s of stmts) {
+        if (s.type !== "if_statement")
+            continue;
+        if (/throw\b/.test(s.text))
+            manualCount++;
+    }
+    if (manualCount >= 1) {
+        return { lib: "manual", confidence: "medium" };
+    }
+    return { lib: "none", confidence: "high" };
+}
+// ---------------------------------------------------------------------------
+// Rate limiting detection (Task 16)
+// ---------------------------------------------------------------------------
+const RATE_LIMIT_PATTERNS = [
+    { regex: /\bratelimit\.limit\s*\(/, lib: "upstash" },
+    { regex: /\@upstash\/ratelimit/, lib: "upstash" },
+    { regex: /\bcreateRateLimiter\s*\(/, lib: "manual" },
+    { regex: /\brateLimit\s*\(/, lib: "manual" },
+    { regex: /\bnext\/rate-limit/, lib: "vercel" },
+];
+export function detectRateLimiting(fn, _tree, _source) {
+    const body = fn.bodyNode;
+    if (!body)
+        return { lib: "none", confidence: "high" };
+    const text = body.text;
+    for (const { regex, lib } of RATE_LIMIT_PATTERNS) {
+        if (regex.test(text)) {
+            return { lib, confidence: "high" };
+        }
+    }
+    return { lib: "none", confidence: "high" };
+}
+//# sourceMappingURL=nextjs-security-readers.js.map

package/dist/tools/nextjs-security-readers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nextjs-security-readers.js","sourceRoot":"","sources":["../../src/tools/nextjs-security-readers.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAOtD,oFAAoF;AACpF,SAAS,qBAAqB,CAAC,IAAiB;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,KAAK,CAAC,IAAI,KAAK,sBAAsB;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;IAC3E,OAAO,IAAI,KAAK,YAAY,CAAC;AAC/B,CAAC;AAED,uFAAuF;AACvF,SAAS,kBAAkB,CAAC,IAAuB;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;QAAE,OAAO,KAAK,CAAC;IAClD,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,KAAK,CAAC,IAAI,KAAK,sBAAsB;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACpD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;IAC3E,OAAO,IAAI,KAAK,YAAY,CAAC;AAC/B,CAAC;AAeD,MAAM,UAAU,4BAA4B,CAC1C,IAAiB,EACjB,OAAe,EACf,IAAY;IAEZ,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC;IAE3B,MAAM,SAAS,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;IAE9C,IAAI,SAAS,EAAE,CAAC;QACd,0DAA0D;QAC1D,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7D,4BAA4B;YAC5B,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,iBAAiB,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC/D,oCAAoC;gBACpC,IAAI,EAAE,CAAC,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,KAAK,GAAG,CAAC,EAAE;oBAAE,SAAS;gBAC3E,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,QAAQ,CAAC;gBAC5D,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAC1C,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI;oBACJ,IAAI;oBACJ,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;oBAC9B,OAAO;oBACP,QAAQ,EAAE,IAAI,IAAI,IAAI;oBACtB,MAAM,EAAE,EAAE;iBACX,CAAC,CAAC;YACL,CAAC;YACD,2EAA2E;YAC3E,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBAChE,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC;gBAClD,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAC9C,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAC9B,qCAAqC;gBACrC,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,IAAI,KAAK,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBAC5E,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;oBAC7C,GAAG,CAAC,IAAI,CAAC;wBACP,IAAI;wBACJ,IAAI;wBACJ,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;wBAChC,OAAO;wBACP,QAAQ,EAAE,IAAI,IAAI,IAAI;wBACtB,MAAM,EAAE,KAAK;qBACd,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;oBAC5C,kEAAkE;oBAClE,MAAM,IAAI,GAAG,KAAK,CAAC,iBAAiB,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;oBACzE,IAAI,CAAC,IAAI;wBAAE,SAAS;oBACpB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;wBACrC,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,IAAI,GAAG,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;4BACxE,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;4BAC7C,MAAM,IAAI,GAAG,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;4BAC3C,GAAG,CAAC,IAAI,CAAC;gCACP,IAAI;gCACJ,IAAI;gCACJ,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;gCAChC,OAAO;gCACP,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;gCAC/D,MAAM,EAAE,GAAG;6BACZ,CAAC,CAAC;4BACH,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,8EAA8E;IAC9E,MAAM,MAAM,GAAwB;QAClC,GAAG,IAAI,CAAC,iBAAiB,CAAC,sBAAsB,CAAC;QACjD,GAAG,IAAI,CAAC,iBAAiB,CAAC,gBAAgB,CAAC;QAC3C,GAAG,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC;KACjD,CAAC;IACF,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB;YAAE,SAAS;QACvD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC;YAAE,SAAS;QAExC,IAAI,IAAI,GAAG,QAAQ,CAAC;QACpB,IAAI,EAAE,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;YACvC,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,QAAQ,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,qDAAqD;YACrD,IAAI,CAAC,GAA6B,EAAE,CAAC,MAAM,CAAC;YAC5C,OAAO,CAAC,EAAE,CAAC;gBACT,IAAI,CAAC,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBACrC,IAAI,GAAG,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,QAAQ,CAAC;oBACrD,MAAM;gBACR,CAAC;gBACD,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;YACf,CAAC;QACH,CAAC;QACD,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC;YACP,IAAI;YACJ,IAAI;YACJ,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;YAC9B,OAAO;YACP,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,EAAE;SACX,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,iDAAiD;AACjD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,MAAM;IACN,YAAY;IACZ,kBAAkB;IAClB,aAAa;IACb,iBAAiB;IACjB,SAAS;IACT,SAAS;CACV,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC;AAE3E,MAAM,UAAU,eAAe,CAAC,EAAkB;IAChD,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC;IAEzB,0FAA0F;IAC1F,IAAI,CAAC,GAA6B,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;IACnD,OAAO,CAAC,EAAE,CAAC;QACT,IAAI,CAAC,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,CAAC,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAClE,IAAI,MAAM,EAAE,IAAI,KAAK,YAAY,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;QACD,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACf,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,wDAAwD;IACxD,IAAI,aAAa,GAAmE,IAAI,CAAC;IACzF,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACxE,IAAI,MAAM,EAAE,IAAI,KAAK,YAAY,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,aAAa,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YACpF,MAAM;QACR,CAAC;QACD,oCAAoC;QACpC,IAAI,MAAM,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACzC,MAAM,GAAG,GAAG,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC1E,IAAI,GAAG,EAAE,IAAI,KAAK,YAAY,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChE,aAAa,GAAG;oBACd,IAAI,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE;oBACvC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;oBAChC,IAAI,EAAE,IAAI;iBACX,CAAC;gBACF,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,0FAA0F;QAC1F,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC;QACpC,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC9C,IAAI,aAAa,GAAG,KAAK,CAAC;QAC1B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;YAC5D,IAAI,MAAM,CAAC,UAAU,IAAI,SAAS,IAAI,MAAM,CAAC,aAAa,CAAC,GAAG,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;gBAC/E,yEAAyE;gBACzE,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC;gBAC1B,IAAI,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1C,aAAa,GAAG,IAAI,CAAC;oBACrB,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QACD,oEAAoE;QACpE,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,gFAAgF;YAChF,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBACjE,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAC9C,IAAI,CAAC,KAAK;oBAAE,SAAS;gBACrB,wCAAwC;gBACxC,IAAI,IAAI,CAAC,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,UAAU;oBAAE,SAAS;gBAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC;gBACrD,IAAI,CAAC,OAAO;oBAAE,SAAS;gBACvB,6CAA6C;gBAC7C,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC5D,IAAI,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ;wBAAE,SAAS;oBAChD,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;oBAC3E,IAAI,IAAI,IAAI,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC;wBAC1B,IAAI,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;4BAC1C,aAAa,GAAG,IAAI,CAAC;4BACrB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,IAAI,aAAa;oBAAE,MAAM;YAC3B,CAAC;QACH,CAAC;QAED,OAAO;YACL,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YAC7C,OAAO,EAAE,QAAQ;YACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,aAAa,CAAC,IAAI,EAAE;SACjE,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;IAC3B,IAAI,wDAAwD,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5E,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,uCAAuC;AACvC,8EAA8E;AAE9E,MAAM,UAAU,qBAAqB,CACnC,EAAkB,EAClB,IAAiB,EACjB,MAAc;IAEd,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC;IACzB,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;IAEtD,6EAA6E;IAC7E,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACxE,IAAI,MAAM,EAAE,IAAI,KAAK,mBAAmB;YAAE,SAAS;QACnD,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC1E,IAAI,IAAI,EAAE,IAAI,KAAK,qBAAqB;YAAE,SAAS;QACnD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEjE,4EAA4E;QAC5E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QAC5C,CAAC;QACD,wEAAwE;QACxE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IACjD,CAAC;IAED,6EAA6E;IAC7E,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC,IAAI,KAAK,cAAc;YAAE,SAAS;QACxC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IACjD,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,mBAAmB,GAA2D;IAClF,EAAE,KAAK,EAAE,yBAAyB,EAAE,GAAG,EAAE,SAAS,EAAE;IACpD,EAAE,KAAK,EAAE,sBAAsB,EAAE,GAAG,EAAE,SAAS,EAAE;IACjD,EAAE,KAAK,EAAE,0BAA0B,EAAE,GAAG,EAAE,QAAQ,EAAE;IACpD,EAAE,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,QAAQ,EAAE;IAC5C,EAAE,KAAK,EAAE,oBAAoB,EAAE,GAAG,EAAE,QAAQ,EAAE;CAC/C,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAChC,EAAkB,EAClB,KAAkB,EAClB,OAAe;IAEf,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC;IACzB,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,KAAK,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACjD,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;AAC7C,CAAC"}

package/dist/tools/nextjs-security-scoring.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Pure scoring helpers for Server Actions security audit (T2).
+ *
+ * Takes per-check info objects (auth, validation, rate, error) and produces
+ * a numeric score 0-100, a grade bucket, and a list of top missing checks.
+ */
+import type { AuthGuardInfo, InputValidationInfo, RateLimitingInfo, ErrorHandlingInfo, SecurityScore } from "./nextjs-security-tools.js";
+export interface ServerActionAuditInput {
+    auth: AuthGuardInfo;
+    input_validation: InputValidationInfo;
+    rate_limiting: RateLimitingInfo;
+    error_handling: ErrorHandlingInfo;
+}
+export declare function scoreServerAction(audit: ServerActionAuditInput): SecurityScore;
+//# sourceMappingURL=nextjs-security-scoring.d.ts.map

package/dist/tools/nextjs-security-scoring.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nextjs-security-scoring.d.ts","sourceRoot":"","sources":["../../src/tools/nextjs-security-scoring.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,mBAAmB,EACnB,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,EACd,MAAM,4BAA4B,CAAC;AAEpC,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,aAAa,CAAC;IACpB,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,aAAa,EAAE,gBAAgB,CAAC;IAChC,cAAc,EAAE,iBAAiB,CAAC;CACnC;AAuBD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,sBAAsB,GAAG,aAAa,CAsC9E"}

package/dist/tools/nextjs-security-scoring.js ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * Pure scoring helpers for Server Actions security audit (T2).
+ *
+ * Takes per-check info objects (auth, validation, rate, error) and produces
+ * a numeric score 0-100, a grade bucket, and a list of top missing checks.
+ */
+const WEIGHTS = {
+    auth: 40,
+    input_validation: 30,
+    rate_limiting: 20,
+    error_handling: 10,
+};
+const CONFIDENCE_MULTIPLIER = {
+    high: 1.0,
+    medium: 0.5,
+    low: 0.2,
+    none: 0,
+};
+function gradeFor(score) {
+    if (score >= 90)
+        return "excellent";
+    if (score >= 70)
+        return "good";
+    if (score >= 40)
+        return "needs_work";
+    return "poor";
+}
+export function scoreServerAction(audit) {
+    // Auth: score from confidence multiplier
+    const authMult = CONFIDENCE_MULTIPLIER[audit.auth.confidence] ?? 0;
+    const authPoints = Math.round(WEIGHTS.auth * authMult);
+    // Input validation: zero unless lib != none
+    let validationMult = 0;
+    if (audit.input_validation.lib !== "none") {
+        validationMult = CONFIDENCE_MULTIPLIER[audit.input_validation.confidence] ?? 0;
+    }
+    const validationPoints = Math.round(WEIGHTS.input_validation * validationMult);
+    // Rate limiting: zero unless lib != none
+    let rateMult = 0;
+    if (audit.rate_limiting.lib !== "none") {
+        rateMult = CONFIDENCE_MULTIPLIER[audit.rate_limiting.confidence] ?? 0;
+    }
+    const ratePoints = Math.round(WEIGHTS.rate_limiting * rateMult);
+    // Error handling: try/catch present?
+    const errorPoints = audit.error_handling.has_try_catch
+        ? Math.round(WEIGHTS.error_handling * (CONFIDENCE_MULTIPLIER[audit.error_handling.confidence] ?? 0))
+        : 0;
+    const score = authPoints + validationPoints + ratePoints + errorPoints;
+    // Top missing list (highest weight first)
+    const top_missing = [];
+    if (authPoints < WEIGHTS.auth)
+        top_missing.push("auth");
+    if (validationPoints < WEIGHTS.input_validation)
+        top_missing.push("input_validation");
+    if (ratePoints < WEIGHTS.rate_limiting)
+        top_missing.push("rate_limiting");
+    if (errorPoints < WEIGHTS.error_handling)
+        top_missing.push("error_handling");
+    return {
+        score,
+        grade: gradeFor(score),
+        top_missing,
+    };
+}
+//# sourceMappingURL=nextjs-security-scoring.js.map

package/dist/tools/nextjs-security-scoring.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nextjs-security-scoring.js","sourceRoot":"","sources":["../../src/tools/nextjs-security-scoring.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAiBH,MAAM,OAAO,GAAG;IACd,IAAI,EAAE,EAAE;IACR,gBAAgB,EAAE,EAAE;IACpB,aAAa,EAAE,EAAE;IACjB,cAAc,EAAE,EAAE;CACV,CAAC;AAEX,MAAM,qBAAqB,GAA2B;IACpD,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,GAAG;IACX,GAAG,EAAE,GAAG;IACR,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,WAAW,CAAC;IACpC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,YAAY,CAAC;IACrC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAA6B;IAC7D,yCAAyC;IACzC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACnE,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;IAEvD,4CAA4C;IAC5C,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,KAAK,CAAC,gBAAgB,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;QAC1C,cAAc,GAAG,qBAAqB,CAAC,KAAK,CAAC,gBAAgB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,GAAG,cAAc,CAAC,CAAC;IAE/E,yCAAyC;IACzC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,KAAK,CAAC,aAAa,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;QACvC,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC;IAEhE,qCAAqC;IACrC,MAAM,WAAW,GAAG,KAAK,CAAC,cAAc,CAAC,aAAa;QACpD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,CAAC,qBAAqB,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;QACpG,CAAC,CAAC,CAAC,CAAC;IAEN,MAAM,KAAK,GAAG,UAAU,GAAG,gBAAgB,GAAG,UAAU,GAAG,WAAW,CAAC;IAEvE,0CAA0C;IAC1C,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,UAAU,GAAG,OAAO,CAAC,IAAI;QAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,gBAAgB,GAAG,OAAO,CAAC,gBAAgB;QAAE,WAAW,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACtF,IAAI,UAAU,GAAG,OAAO,CAAC,aAAa;QAAE,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1E,IAAI,WAAW,GAAG,OAAO,CAAC,cAAc;QAAE,WAAW,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAE7E,OAAO;QACL,KAAK;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC;QACtB,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/dist/tools/nextjs-security-tools.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Next.js Server Actions security audit (T2).
+ *
+ * Walks files containing `"use server"` (file-scope or inline) and audits each
+ * exported server action against four checks: authorization guards, input
+ * validation, rate limiting, and structured error handling. Per-action scoring
+ * follows a weighted formula (auth 40, validation 30, rate 20, error 10).
+ *
+ * This file is the public-facing entry point and types module. The reader and
+ * scoring helpers live in their own files (`nextjs-security-readers.ts` and
+ * `nextjs-security-scoring.ts`) per the 3-file split (D10).
+ */
+export type AuthConfidence = "high" | "medium" | "low" | "none";
+export type ValidationLib = "zod" | "manual" | "none";
+export type RateLimitLib = "upstash" | "vercel" | "express" | "manual" | "none";
+export interface AuthGuardInfo {
+    confidence: AuthConfidence;
+    pattern: "direct" | "hoc" | "none";
+    callsite?: {
+        name: string;
+        line: number;
+    };
+}
+export interface InputValidationInfo {
+    lib: ValidationLib;
+    confidence: "high" | "medium" | "low";
+}
+export interface RateLimitingInfo {
+    lib: RateLimitLib;
+    confidence: "high" | "medium" | "low";
+}
+export interface ErrorHandlingInfo {
+    has_try_catch: boolean;
+    confidence: "high" | "medium" | "low";
+}
+export interface ServerActionAudit {
+    name: string;
+    file: string;
+    line: number;
+    is_async: boolean;
+    auth: AuthGuardInfo;
+    input_validation: InputValidationInfo;
+    rate_limiting: RateLimitingInfo;
+    error_handling: ErrorHandlingInfo;
+    score: number;
+    grade: "poor" | "needs_work" | "good" | "excellent";
+    top_missing: string[];
+}
+export interface SecurityScore {
+    score: number;
+    grade: "poor" | "needs_work" | "good" | "excellent";
+    top_missing: string[];
+}
+export interface ServerActionsAuditCounts {
+    excellent: number;
+    good: number;
+    needs_work: number;
+    poor: number;
+}
+export interface ServerActionsAuditResult {
+    total: number;
+    actions: ServerActionAudit[];
+    counts: ServerActionsAuditCounts;
+    violations: string[];
+    parse_failures: string[];
+    scan_errors: string[];
+    workspaces_scanned: string[];
+    limitations: string[];
+}
+export interface NextjsAuditServerActionsOptions {
+    workspace?: string | undefined;
+    max_files?: number | undefined;
+}
+export declare function nextjsAuditServerActions(repo: string, options?: NextjsAuditServerActionsOptions): Promise<ServerActionsAuditResult>;
+//# sourceMappingURL=nextjs-security-tools.d.ts.map

package/dist/tools/nextjs-security-tools.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nextjs-security-tools.d.ts","sourceRoot":"","sources":["../../src/tools/nextjs-security-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAoBH,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEhE,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEtD,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACnC,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;CAC3C;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,aAAa,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACvC;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,YAAY,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,EAAE,OAAO,CAAC;IACvB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACvC;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,IAAI,EAAE,aAAa,CAAC;IACpB,gBAAgB,EAAE,mBAAmB,CAAC;IACtC,aAAa,EAAE,gBAAgB,CAAC;IAChC,cAAc,EAAE,iBAAiB,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,MAAM,GAAG,WAAW,CAAC;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,MAAM,GAAG,WAAW,CAAC;IACpD,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,MAAM,EAAE,wBAAwB,CAAC;IACjC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,+BAA+B;IAC9C,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAChC;AAiBD,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,+BAA+B,GACxC,OAAO,CAAC,wBAAwB,CAAC,CA2HnC"}

package/dist/tools/nextjs-security-tools.js ADDED Viewed

@@ -0,0 +1,153 @@
+/**
+ * Next.js Server Actions security audit (T2).
+ *
+ * Walks files containing `"use server"` (file-scope or inline) and audits each
+ * exported server action against four checks: authorization guards, input
+ * validation, rate limiting, and structured error handling. Per-action scoring
+ * follows a weighted formula (auth 40, validation 30, rate 20, error 10).
+ *
+ * This file is the public-facing entry point and types module. The reader and
+ * scoring helpers live in their own files (`nextjs-security-readers.ts` and
+ * `nextjs-security-scoring.ts`) per the 3-file split (D10).
+ */
+import { readFile } from "node:fs/promises";
+import { join, relative } from "node:path";
+import { discoverWorkspaces } from "../utils/nextjs.js";
+import { cachedParseFile as parseFile } from "../utils/nextjs-audit-cache.js";
+import { cachedWalkDirectory as walkDirectory } from "../utils/nextjs-audit-cache.js";
+import { getCodeIndex } from "./index-tools.js";
+import { extractServerActionFunctions, detectAuthGuard, detectInputValidation, detectRateLimiting, } from "./nextjs-security-readers.js";
+import { scoreServerAction } from "./nextjs-security-scoring.js";
+// ---------------------------------------------------------------------------
+// Orchestrator (Task 18)
+// ---------------------------------------------------------------------------
+const ACTION_EXTS = new Set([".ts", ".tsx", ".js", ".jsx"]);
+const PARSE_CONCURRENCY = 10;
+const MAX_FILE_SIZE_BYTES = 2_097_152;
+const DEFAULT_MAX_FILES = 2000;
+/** Quick sniff: does the file mention `"use server"` directive at all? */
+function quickHasUseServer(source) {
+    // Cheap text check before invoking the parser.
+    return source.includes("use server");
+}
+export async function nextjsAuditServerActions(repo, options) {
+    if (process.env.CODESIFT_DISABLE_TOOLS?.includes("nextjs_audit_server_actions")) {
+        throw new Error("nextjs_audit_server_actions is disabled via CODESIFT_DISABLE_TOOLS");
+    }
+    const index = await getCodeIndex(repo);
+    if (!index) {
+        throw new Error(`Repository not found: ${repo}. Run index_folder first.`);
+    }
+    const projectRoot = index.root;
+    let workspaces;
+    if (options?.workspace) {
+        workspaces = [join(projectRoot, options.workspace)];
+    }
+    else {
+        const discovered = await discoverWorkspaces(projectRoot);
+        workspaces = discovered.length > 0 ? discovered.map((w) => w.root) : [projectRoot];
+    }
+    const maxFiles = options?.max_files ?? DEFAULT_MAX_FILES;
+    const actions = [];
+    const parse_failures = [];
+    const scan_errors = [];
+    const workspaces_scanned = [];
+    const violations = new Set();
+    for (const workspace of workspaces) {
+        workspaces_scanned.push(workspace);
+        const candidates = [];
+        for (const subdir of ["app", "src/app", "lib", "src/lib", "actions", "src/actions"]) {
+            const fullDir = join(workspace, subdir);
+            try {
+                const walked = await walkDirectory(fullDir, {
+                    followSymlinks: true,
+                    fileFilter: (ext) => ACTION_EXTS.has(ext),
+                    maxFileSize: MAX_FILE_SIZE_BYTES,
+                });
+                candidates.push(...walked);
+            }
+            catch (err) {
+                scan_errors.push(`${fullDir}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+        const remaining = maxFiles - actions.length;
+        const toProcess = candidates.slice(0, Math.max(0, remaining));
+        for (let i = 0; i < toProcess.length; i += PARSE_CONCURRENCY) {
+            const chunk = toProcess.slice(i, i + PARSE_CONCURRENCY);
+            const results = await Promise.all(chunk.map(async (filePath) => {
+                const rel = relative(projectRoot, filePath);
+                try {
+                    const source = await readFile(filePath, "utf8");
+                    if (!quickHasUseServer(source))
+                        return null;
+                    const tree = await parseFile(filePath, source);
+                    if (!tree) {
+                        parse_failures.push(rel);
+                        return null;
+                    }
+                    const fns = extractServerActionFunctions(tree, source, rel);
+                    if (fns.length === 0)
+                        return null;
+                    return fns.map((fn) => {
+                        const auth = detectAuthGuard(fn);
+                        const input_validation = detectInputValidation(fn, tree, source);
+                        const rate_limiting = detectRateLimiting(fn, tree, source);
+                        const error_handling = {
+                            has_try_catch: fn.bodyNode ? /\btry\s*\{/.test(fn.bodyNode.text) : false,
+                            confidence: "high",
+                        };
+                        const score = scoreServerAction({ auth, input_validation, rate_limiting, error_handling });
+                        const audit = {
+                            name: fn.name,
+                            file: fn.file,
+                            line: fn.line,
+                            is_async: fn.isAsync,
+                            auth,
+                            input_validation,
+                            rate_limiting,
+                            error_handling,
+                            score: score.score,
+                            grade: score.grade,
+                            top_missing: score.top_missing,
+                        };
+                        for (const m of score.top_missing)
+                            violations.add(m);
+                        return audit;
+                    });
+                }
+                catch (err) {
+                    parse_failures.push(`${rel}: ${err instanceof Error ? err.message : String(err)}`);
+                    return null;
+                }
+            }));
+            for (const r of results) {
+                if (!r)
+                    continue;
+                actions.push(...r);
+            }
+        }
+    }
+    const counts = {
+        excellent: 0,
+        good: 0,
+        needs_work: 0,
+        poor: 0,
+    };
+    for (const a of actions) {
+        counts[a.grade]++;
+    }
+    return {
+        total: actions.length,
+        actions,
+        counts,
+        violations: [...violations],
+        parse_failures,
+        scan_errors,
+        workspaces_scanned,
+        limitations: [
+            "auth detection limited to default identifier set (auth, getSession, currentUser, etc.)",
+            "input validation detection currently Zod-only (Yup/Joi/TypeBox not detected)",
+        ],
+    };
+}
+//# sourceMappingURL=nextjs-security-tools.js.map