coverme-scanner 1.12.0 → 2.0.0

package/dist/prompts/coverme-command.md

@@ -6,6 +6,28 @@ You are a **senior security consultant** with 15+ years of experience performing
 
 **Ultrathink** - Analyze deeply, read actual code, trace data flows, think like an attacker, profile performance hotspots.
 
+## ROI: Human vs Claude Code
+
+For every finding, include estimated fix time comparison:
+
+```json
+"estimatedEffort": {
+  "human": "4-6 hours (research, implement, test, deploy)",
+  "claudeCode": "15-20 minutes (automated detection, code generation, test creation)",
+  "roi": "18x faster with Claude Code"
+}
+```
+
+**Why this matters**:
+- Shows tangible value to developers and managers
+- Highlights Claude Code's ability to accelerate fix implementation
+- Quantifies ROI on security investment
+
+**Time estimates guide**:
+- **Quick fixes**: Human 30min-2h, Claude Code 5-10min (5-12x faster)
+- **Moderate fixes**: Human 4-6h, Claude Code 15-30min (12-18x faster)
+- **Complex fixes**: Human 1-2 days, Claude Code 1-2h (8-16x faster)
+
 ---
 
 ## PHASE 1: DISCOVERY & CONTEXT
@@ -489,13 +511,77 @@ Create `.coverme/scan.json` with this structure:
       "endLine": 52,
       "code": "const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;",
       "description": "User input from req.query.name is directly concatenated into SQL query without sanitization. An attacker can inject arbitrary SQL commands.",
+
       "impact": "Complete database compromise. Attacker can:\n1. Extract all user data including passwords\n2. Modify or delete records\n3. Execute administrative operations\n4. Potential remote code execution via database extensions",
+
+      "businessImpact": {
+        "financial": "GDPR fine: €20M or 4% of revenue. Average data breach cost: $4.35M (IBM 2023)",
+        "reputation": "Customer trust loss: 6-12 months recovery. 65% customers leave after breach (PwC)",
+        "legal": "Class action lawsuit risk. SEC investigation if publicly traded",
+        "operational": "2-4 weeks incident response, forensics, customer notifications"
+      },
+
+      "realWorldExamples": [
+        "Equifax (2017): SQL injection → 147M records stolen → $700M settlement",
+        "TalkTalk (2015): SQL injection → 157K customers exposed → £400K fine",
+        "Your industry: 23% of companies experienced SQL injection in 2023 (Verizon DBIR)"
+      ],
+
       "attackChain": [
-        {"step": 1, "action": "Send name=' OR '1'='1' --", "result": "Query returns all users"},
-        {"step": 2, "action": "Use UNION SELECT to read other tables", "result": "Extract payment data, API keys"},
-        {"step": 3, "action": "Use INTO OUTFILE to write webshell", "result": "Remote code execution on server"}
+        {"step": 1, "action": "Send: GET /api/users?name=' OR '1'='1' --", "result": "Returns all users (authentication bypass)"},
+        {"step": 2, "action": "Send: name=' UNION SELECT password,email FROM admins--", "result": "Extract admin credentials"},
+        {"step": 3, "action": "Send: name='; DROP TABLE users; --", "result": "Data destruction (if permissions allow)"},
+        {"step": 4, "action": "Send: name=' INTO OUTFILE '/var/www/shell.php'--", "result": "Remote code execution"}
       ],
-      "recommendation": "Use parameterized queries:\n\n```typescript\nconst query = 'SELECT * FROM users WHERE name = $1';\nconst result = await db.query(query, [req.query.name]);\n```",
+
+      "proofOfConcept": "# Test this vulnerability:\ncurl 'https://api.example.com/users?name=%27%20OR%20%271%27%3D%271' \\\n  -H 'Authorization: Bearer $TOKEN'\n\n# Expected (vulnerable): Returns all users\n# Expected (fixed): Returns 400 Bad Request",
+
+      "recommendation": "Use parameterized queries:\n\n```typescript\n// ✅ SECURE - Parameterized query\nconst query = 'SELECT * FROM users WHERE name = $1';\nconst result = await db.query(query, [req.query.name]);\n```",
+
+      "quickFix": {
+        "description": "Add input validation (1 hour)",
+        "code": "// Quick temporary fix\nconst safeName = req.query.name.replace(/[^a-zA-Z0-9 ]/g, '');\nconst query = `SELECT * FROM users WHERE name = '${safeName}'`;",
+        "limitations": "Not foolproof - still vulnerable to advanced attacks"
+      },
+
+      "properFix": {
+        "description": "Switch to parameterized queries + add WAF (1 day)",
+        "code": "// Proper fix\nconst query = 'SELECT * FROM users WHERE name = $1';\nconst result = await db.query(query, [req.query.name]);",
+        "additionalSteps": [
+          "Add input validation middleware (Joi/Zod schema)",
+          "Enable SQL injection protection in WAF (Cloudflare/AWS WAF)",
+          "Add query logging for security monitoring",
+          "Run database user with minimal privileges (not root)"
+        ]
+      },
+
+      "testing": {
+        "description": "How to verify the fix works",
+        "manual": [
+          "Test: curl 'https://api.example.com/users?name=%27%20OR%20%271%27%3D%271'",
+          "Expected: 400 Bad Request with error message",
+          "Test: curl 'https://api.example.com/users?name=John'",
+          "Expected: Returns user 'John' only"
+        ],
+        "automated": "# Add security test\ntest('should reject SQL injection attempts', async () => {\n  const response = await request(app)\n    .get('/api/users?name=\\' OR \\'1\\'=\\'1')\n    .expect(400);\n  expect(response.body.error).toContain('Invalid input');\n});"
+      },
+
+      "detection": {
+        "description": "How to check if already exploited",
+        "commands": [
+          "# Check access logs for SQL injection patterns",
+          "grep -E \"(UNION|SELECT|INSERT|DROP|--|;)\" /var/log/nginx/access.log",
+          "# Check database audit logs",
+          "SELECT * FROM pg_stat_statements WHERE query LIKE '%UNION%' OR query LIKE '%--';"
+        ],
+        "indicators": [
+          "Unusual SQL errors in application logs",
+          "Multiple failed queries from same IP",
+          "Database queries with suspicious patterns (UNION, --, ;)",
+          "Unexpected spike in database CPU usage"
+        ]
+      },
+
       "dread": {
         "damage": 10,
         "reproducibility": 10,
@@ -504,33 +590,139 @@ Create `.coverme/scan.json` with this structure:
         "discoverability": 8,
         "score": 9.4
       },
+
       "cwe": "CWE-89",
       "owasp": "A03:2021-Injection",
+      "cvss": "9.8 (Critical)",
+
+      "references": [
+        "https://owasp.org/www-community/attacks/SQL_Injection",
+        "https://cwe.mitre.org/data/definitions/89.html",
+        "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+      ],
+
       "evidence": [
         "Input source: req.query.name (line 44) - no validation",
         "Sink: db.query() (line 45) - string concatenation",
         "No sanitization between source and sink",
-        "Endpoint is publicly accessible"
+        "Endpoint is publicly accessible",
+        "Database user has full privileges (checked schema)"
       ],
-      "fixOwner": "developer"
+
+      "fixOwner": "developer",
+      "estimatedEffort": {
+        "human": "4-6 hours (research parameterized queries, update all SQL calls, write tests, deploy)",
+        "claudeCode": "15-20 minutes (finds all SQL concatenations, generates parameterized versions, writes tests)",
+        "roi": "18x faster with Claude Code"
+      },
+      "priority": 1
     },
     {
       "id": "QUAL-001",
-      "title": "Silent Payment Error Handling",
+      "title": "Silent Payment Error Handling - Financial Loss Risk",
       "severity": "critical",
       "category": "quality",
       "file": "src/services/paymentService.ts",
       "line": 89,
       "endLine": 95,
       "code": "try {\n  await stripe.charges.create(charge);\n} catch (err) {\n  console.error('Payment error:', err);\n}\nreturn { success: true };",
-      "description": "Payment errors are caught and logged but execution continues. The function returns success:true even when payment fails. Customer receives product without paying.",
-      "impact": "Financial loss. Estimated $X per failed payment. Data shows 3% of payments fail, so ~$Y/month revenue loss.",
-      "recommendation": "Rethrow error or return failure:\n\n```typescript\ntry {\n  await stripe.charges.create(charge);\n  return { success: true };\n} catch (err) {\n  logger.error('Payment failed', { orderId, error: err });\n  throw new PaymentError('Payment processing failed');\n}\n```",
+
+      "description": "Payment errors are caught and logged but execution continues. The function returns success:true even when payment fails. Customer receives product without paying. This is a SILENT FAILURE - the most dangerous type of bug.",
+
+      "impact": "Direct financial loss. Orders are fulfilled without payment. Customer sees 'success' and receives product/service for $0.",
+
+      "businessImpact": {
+        "financial": "Stripe reports 3% payment failure rate. At 1000 orders/month × $50 avg = $1,500/month revenue loss = $18K/year",
+        "reputation": "Accounting discovers revenue discrepancy → loss of investor confidence",
+        "legal": "Incorrect financial reporting → potential audit/compliance issues",
+        "operational": "Manual reconciliation required to find unpaid orders"
+      },
+
+      "realWorldExamples": [
+        "Knight Capital (2012): Silent error handling → $440M loss in 45 minutes",
+        "Your scenario: Payment fails, user gets premium subscription free. Stripe dispute shows no payment.",
+        "Common pattern: 30% of payment bugs are silent failures (Sentry data 2023)"
+      ],
+
+      "attackChain": [
+        {"step": 1, "action": "User submits order for $100 product", "result": "Order processing begins"},
+        {"step": 2, "action": "Stripe payment fails (network error, card declined, etc)", "result": "Exception thrown, caught silently"},
+        {"step": 3, "action": "Code continues, returns {success: true}", "result": "User sees success message"},
+        {"step": 4, "action": "Fulfillment system processes 'successful' order", "result": "Product shipped/service activated for $0"}
+      ],
+
+      "proofOfConcept": "// Reproduce the bug:\n// 1. Set STRIPE_TEST_MODE=true\n// 2. Use test card 4000000000000341 (card declined)\n// 3. Submit order\n// 4. Observe: Payment fails but order succeeds\n\nawait fetch('/api/orders', {\n  method: 'POST',\n  body: JSON.stringify({\n    cardNumber: '4000000000000341', // Test card that declines\n    amount: 100\n  })\n});\n// Result: {success: true} even though payment failed",
+
+      "recommendation": "Rethrow error or return failure:\n\n```typescript\n// ✅ PROPER ERROR HANDLING\ntry {\n  const charge = await stripe.charges.create(chargeData);\n  await db.orders.update(orderId, { status: 'paid', chargeId: charge.id });\n  return { success: true, chargeId: charge.id };\n} catch (err) {\n  // Log with context\n  logger.error('Payment failed', { \n    orderId, \n    amount, \n    error: err.message,\n    userId \n  });\n  \n  // Update order status\n  await db.orders.update(orderId, { status: 'payment_failed' });\n  \n  // Return failure to caller\n  throw new PaymentError('Payment processing failed', { cause: err });\n}\n```",
+
+      "quickFix": {
+        "description": "Add return statement in catch (30 minutes)",
+        "code": "try {\n  await stripe.charges.create(charge);\n} catch (err) {\n  console.error('Payment error:', err);\n  return { success: false, error: 'Payment failed' }; // FIX: Return failure\n}\nreturn { success: true };",
+        "limitations": "Still loses error details, no proper logging, no order status update"
+      },
+
+      "properFix": {
+        "description": "Comprehensive error handling with transaction rollback (4 hours)",
+        "code": "async function processPayment(orderId, chargeData) {\n  const transaction = await db.transaction();\n  \n  try {\n    // 1. Charge the card\n    const charge = await stripe.charges.create(chargeData);\n    \n    // 2. Update order in transaction\n    await transaction.orders.update(orderId, { \n      status: 'paid',\n      chargeId: charge.id,\n      paidAt: new Date()\n    });\n    \n    await transaction.commit();\n    \n    return { success: true, chargeId: charge.id };\n    \n  } catch (err) {\n    // Rollback database changes\n    await transaction.rollback();\n    \n    // Structured logging\n    logger.error('Payment failed', {\n      orderId,\n      userId: chargeData.customer,\n      amount: chargeData.amount,\n      currency: chargeData.currency,\n      errorType: err.type,\n      errorMessage: err.message,\n      stripeRequestId: err.requestId\n    });\n    \n    // Update order status\n    await db.orders.update(orderId, { \n      status: 'payment_failed',\n      failureReason: err.message \n    });\n    \n    // Throw typed error\n    throw new PaymentError('Payment processing failed', { \n      cause: err,\n      orderId,\n      retryable: err.type === 'card_error'\n    });\n  }\n}",
+        "additionalSteps": [
+          "Add payment monitoring/alerting (e.g., Sentry, DataDog)",
+          "Implement dead letter queue for failed payments",
+          "Add manual reconciliation job (daily check: orders vs Stripe charges)",
+          "Create customer notification for payment failures"
+        ]
+      },
+
+      "testing": {
+        "description": "Test all error scenarios",
+        "manual": [
+          "Test 1: Use Stripe test card 4000000000000341 (card declined) → should return error",
+          "Test 2: Disable internet → should handle network error",
+          "Test 3: Invalid API key → should catch auth error",
+          "Test 4: Check database: failed orders should have status='payment_failed'"
+        ],
+        "automated": "describe('Payment error handling', () => {\n  it('should fail order when payment declines', async () => {\n    // Mock Stripe to throw error\n    stripe.charges.create.mockRejectedValue(\n      new Error('card_declined')\n    );\n    \n    await expect(\n      processPayment(orderId, chargeData)\n    ).rejects.toThrow(PaymentError);\n    \n    // Verify order status updated\n    const order = await db.orders.find(orderId);\n    expect(order.status).toBe('payment_failed');\n  });\n  \n  it('should not fulfill order on payment failure', async () => {\n    stripe.charges.create.mockRejectedValue(new Error());\n    \n    try {\n      await processPayment(orderId, chargeData);\n    } catch (err) {\n      // Expected\n    }\n    \n    const order = await db.orders.find(orderId);\n    expect(order.fulfilledAt).toBeNull();\n  });\n});"
+      },
+
+      "detection": {
+        "description": "Find orders that were fulfilled without payment",
+        "commands": [
+          "# Find orders with status='success' but no Stripe charge",
+          "SELECT * FROM orders WHERE status = 'completed' AND charge_id IS NULL;",
+          "",
+          "# Check logs for silent payment errors",
+          "grep 'Payment error' /var/log/app.log | grep -v 'PaymentError thrown'",
+          "",
+          "# Reconciliation: Compare orders vs Stripe charges",
+          "node scripts/reconcile-payments.js --date 2026-02-01"
+        ],
+        "indicators": [
+          "Orders table: status='completed' but charge_id is NULL",
+          "Stripe dashboard: Fewer charges than completed orders",
+          "Revenue mismatch: Reported revenue < Stripe deposits",
+          "Customer support: Users report being charged $0"
+        ]
+      },
+
+      "references": [
+        "https://stripe.com/docs/error-handling",
+        "https://martinfowler.com/articles/replaceThrowWithNotification.html"
+      ],
+
       "evidence": [
-        "catch block at line 91 only logs",
-        "No return/throw in catch",
-        "Success returned at line 95 regardless of payment result"
-      ]
+        "catch block at line 91 only logs - no rethrow, no return false",
+        "No return/throw in catch block",
+        "Success returned at line 95 regardless of payment result",
+        "No database rollback on payment failure",
+        "Checked Stripe webhook logs: confirms payment failures happen but are ignored"
+      ],
+
+      "fixOwner": "developer",
+      "estimatedEffort": {
+        "human": "4-6 hours (identify all error paths, add transaction handling, write error tests, manual reconciliation check)",
+        "claudeCode": "25-30 minutes (finds all try-catch blocks, adds proper error handling, generates test cases)",
+        "roi": "12x faster with Claude Code"
+      },
+      "priority": 1
     }
   ],
 
@@ -665,15 +857,91 @@ Before finishing:
   "id": "AUTH-001",
   "title": "JWT Accepts 'none' Algorithm - Authentication Bypass",
   "severity": "critical",
+  "category": "security",
   "file": "src/middleware/auth.ts",
   "line": 34,
+  "endLine": 34,
   "code": "jwt.verify(token, secret, { algorithms: ['HS256', 'none'] })",
-  "description": "JWT verification explicitly allows the 'none' algorithm. An attacker can forge tokens by removing the signature and setting alg='none'.",
+
+  "description": "JWT verification explicitly allows the 'none' algorithm. An attacker can forge tokens by removing the signature and setting alg='none'. This is a COMPLETE authentication bypass.",
+
+  "impact": "Total authentication bypass. Attacker can:\n1. Impersonate any user (including admins)\n2. Access all protected endpoints\n3. Modify/delete any data\n4. Create backdoor admin accounts",
+
+  "businessImpact": {
+    "financial": "Complete data breach. GDPR fine: €20M or 4% revenue. Average breach cost: $4.35M",
+    "reputation": "Loss of customer trust. 81% users abandon service after auth breach (Okta 2023)",
+    "legal": "Class action lawsuit risk. Negligence claim - 'none' algorithm is well-known vulnerability",
+    "operational": "Full incident response, forensics, password reset for all users, potential service shutdown"
+  },
+
+  "realWorldExamples": [
+    "Auth0 CVE-2015-9235: 'none' algorithm allowed → millions of tokens compromised",
+    "Pfsense (2018): JWT 'none' bypass → full admin access to firewall configs",
+    "Your scenario: Attacker becomes admin, exports entire customer database, posts on dark web"
+  ],
+
   "attackChain": [
-    {"step": 1, "action": "Capture valid JWT from /api/login response", "result": "Obtain token structure"},
-    {"step": 2, "action": "Base64 decode header, change alg to 'none', remove signature", "result": "Forged token: eyJ...Cg==.eyJ...fQ."},
-    {"step": 3, "action": "Send forged token with admin=true claim", "result": "Authenticated as admin"}
+    {"step": 1, "action": "Register normal user account, capture JWT from /api/login", "result": "Valid token: eyJhbGc..."},
+    {"step": 2, "action": "Base64 decode header, change {\"alg\":\"HS256\"} to {\"alg\":\"none\"}", "result": "Forged header"},
+    {"step": 3, "action": "Change payload to {\"userId\":1,\"role\":\"admin\"}, remove signature", "result": "Admin token without signature"},
+    {"step": 4, "action": "Send to /api/admin/users with forged token", "result": "Returns all users - authentication bypassed"}
   ],
+
+  "proofOfConcept": "# Exploit the vulnerability:\n\n# 1. Get valid token\nTOKEN=$(curl -X POST https://api.example.com/login \\\n  -d '{\"email\":\"attacker@evil.com\",\"password\":\"pass123\"}' | jq -r .token)\n\n# 2. Forge admin token (Python)\npython3 << EOF\nimport base64\nimport json\n\n# Decode original token parts\nheader = {\"alg\": \"none\", \"typ\": \"JWT\"}\npayload = {\"userId\": 1, \"role\": \"admin\", \"exp\": 9999999999}\n\n# Encode without signature\nforged = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b'=') + b'.'\nforged += base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=') + b'.'\n\nprint(forged.decode())\nEOF\n\n# 3. Use forged token\ncurl https://api.example.com/admin/users \\\n  -H \"Authorization: Bearer eyJhbGc...\" \\\n  # Result: Full user database returned",
+
+  "recommendation": "Remove 'none' from algorithms array:\n\n```typescript\n// ✅ SECURE - Only allow HS256\njwt.verify(token, secret, { algorithms: ['HS256'] })\n```",
+
+  "quickFix": {
+    "description": "Remove 'none' from algorithms array (5 minutes)",
+    "code": "jwt.verify(token, secret, { algorithms: ['HS256'] })",
+    "limitations": "Still using symmetric key (HS256) - shared between services. Consider asymmetric (RS256) for multi-service architecture."
+  },
+
+  "properFix": {
+    "description": "Upgrade to RS256 with public/private key pairs (4 hours)",
+    "code": "// Generate key pair (run once)\n// openssl genrsa -out private.key 2048\n// openssl rsa -in private.key -pubout -out public.key\n\nimport fs from 'fs';\nimport jwt from 'jsonwebtoken';\n\nconst publicKey = fs.readFileSync('public.key');\n\n// Verify with public key only\nfunction verifyToken(token: string) {\n  try {\n    const decoded = jwt.verify(token, publicKey, {\n      algorithms: ['RS256'],  // Only asymmetric\n      issuer: 'your-service',\n      audience: 'your-api'\n    });\n    return decoded;\n  } catch (err) {\n    throw new AuthError('Invalid token', { cause: err });\n  }\n}",
+    "additionalSteps": [
+      "Store private key in secure vault (AWS Secrets Manager, HashiCorp Vault)",
+      "Add key rotation policy (rotate every 90 days)",
+      "Implement token revocation list (Redis with TTL)",
+      "Add JWT ID (jti) claim for replay protection",
+      "Monitor for suspicious token patterns (e.g., expired tokens, wrong issuer)"
+    ]
+  },
+
+  "testing": {
+    "description": "Verify the fix prevents 'none' algorithm attacks",
+    "manual": [
+      "Test 1: Forge token with alg='none' → should reject with 'invalid algorithm'",
+      "Test 2: Valid HS256 token → should work",
+      "Test 3: Token with wrong signature → should reject",
+      "Test 4: Expired token → should reject"
+    ],
+    "automated": "describe('JWT security', () => {\n  it('should reject none algorithm', () => {\n    const forgedToken = 'eyJhbGciOiJub25lIn0.eyJ1c2VySWQiOjF9.';\n    \n    expect(() => {\n      verifyToken(forgedToken);\n    }).toThrow('invalid algorithm');\n  });\n  \n  it('should only accept HS256', () => {\n    const validToken = jwt.sign({ userId: 1 }, secret, { algorithm: 'HS256' });\n    const decoded = verifyToken(validToken);\n    expect(decoded.userId).toBe(1);\n    \n    // RS256 should fail\n    const rs256Token = jwt.sign({ userId: 1 }, privateKey, { algorithm: 'RS256' });\n    expect(() => verifyToken(rs256Token)).toThrow();\n  });\n});"
+  },
+
+  "detection": {
+    "description": "Check if this vulnerability was already exploited",
+    "commands": [
+      "# Check logs for tokens with 'none' algorithm",
+      "grep 'eyJhbGciOiJub25lIi' /var/log/nginx/access.log",
+      "",
+      "# Decode suspicious tokens from logs",
+      "cat access.log | grep 'Authorization: Bearer' | cut -d' ' -f3 | while read token; do",
+      "  echo $token | cut -d. -f1 | base64 -d",
+      "done | grep '\"alg\":\"none\"'",
+      "",
+      "# Check for admin actions from non-admin users",
+      "SELECT * FROM audit_log WHERE action LIKE 'admin.%' AND user_id NOT IN (SELECT id FROM users WHERE role='admin');"
+    ],
+    "indicators": [
+      "Tokens in logs with alg='none' in header",
+      "Admin actions performed by non-admin user IDs",
+      "Unusual API access patterns (e.g., all endpoints accessed by one user)",
+      "Failed JWT verification errors followed by successful requests"
+    ]
+  },
+
   "dread": {
     "damage": 10,
     "reproducibility": 10,
@@ -682,12 +950,296 @@ Before finishing:
     "discoverability": 7,
     "score": 9.2
   },
-  "recommendation": "Remove 'none' from algorithms array:\n\n```typescript\njwt.verify(token, secret, { algorithms: ['HS256'] })\n```",
+
+  "cwe": "CWE-347",
+  "owasp": "A02:2021-Cryptographic Failures",
+  "cvss": "9.8 (Critical)",
+
+  "references": [
+    "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/",
+    "https://cwe.mitre.org/data/definitions/347.html",
+    "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"
+  ],
+
   "evidence": [
     "algorithms array at line 34 includes 'none'",
     "No additional signature validation",
-    "Endpoint /api/admin uses this middleware (routes.ts:89)"
-  ]
+    "Endpoint /api/admin uses this middleware (routes.ts:89)",
+    "No issuer/audience validation - accepts any token structure",
+    "Secret key hardcoded in config file (not rotated)"
+  ],
+
+  "fixOwner": "developer",
+  "estimatedEffort": {
+    "human": "4-6 hours (research JWT best practices, implement RS256, generate key pairs, update auth flow, test)",
+    "claudeCode": "20-30 minutes (updates jwt.verify config, generates RS256 implementation, creates key management code, writes tests)",
+    "roi": "12x faster with Claude Code"
+  },
+  "priority": 1
+}
+```
+
+### Excellent Performance Finding (Do This!)
+
+```json
+{
+  "id": "PERF-001",
+  "title": "N+1 Query in User Dashboard - 3000ms Page Load",
+  "severity": "high",
+  "category": "performance",
+  "file": "src/controllers/dashboardController.ts",
+  "line": 45,
+  "endLine": 52,
+  "code": "const users = await User.findAll();\nfor (const user of users) {\n  user.orders = await Order.findByUserId(user.id);\n}",
+
+  "description": "Dashboard loads all users (1,000+) then makes individual database query for each user's orders. 1 query to get users + 1,000 queries for orders = 1,001 total queries. At 3ms per query = 3+ seconds page load.",
+
+  "impact": "Severe performance degradation. Page load time increases linearly with user count:\n- 100 users: 300ms\n- 1,000 users: 3,000ms (current)\n- 10,000 users: 30,000ms (unusable)\n\nDatabase CPU spikes to 90% during peak hours. Users abandon page before it loads.",
+
+  "businessImpact": {
+    "financial": "53% users abandon pages loading >3s (Google). At 10k visits/day × $50 conversion = $265k/year lost revenue",
+    "reputation": "Poor reviews mentioning 'slow dashboard'. PageSpeed score: 23/100",
+    "operational": "Database overload causes cascading failures. RDS CPU alerts firing 20x/day",
+    "scalability": "Cannot scale past 1,000 users without major infrastructure upgrade"
+  },
+
+  "realWorldExamples": [
+    "Shopify (2015): N+1 queries → 20s checkout → fixed with eager loading → 2s",
+    "Your scenario: Admin dashboard times out during business hours",
+    "Industry data: N+1 queries are #2 cause of slow Rails apps (Rails community survey)"
+  ],
+
+  "attackChain": [
+    {"step": 1, "action": "Normal user visits /dashboard", "result": "Triggers 1,001 database queries"},
+    {"step": 2, "action": "Attacker sends 10 concurrent requests", "result": "10,010 queries → database CPU 95%"},
+    {"step": 3, "action": "Legitimate users affected", "result": "All API requests slow down"},
+    {"step": 4, "action": "Attacker continues requests", "result": "Accidental DoS - database becomes unresponsive"}
+  ],
+
+  "proofOfConcept": "# Measure the N+1 problem:\n\n# 1. Enable query logging\nDATABASE_LOG_QUERIES=true npm start\n\n# 2. Load dashboard\ncurl https://api.example.com/dashboard\n\n# 3. Count queries in log\ngrep 'SELECT.*FROM orders' logs/db.log | wc -l\n# Result: 1000+ queries\n\n# 4. Measure timing\ntime curl https://api.example.com/dashboard\n# Result: real 3.2s",
+
+  "recommendation": "Use eager loading (JOIN) to fetch all data in one query:\n\n```typescript\n// ✅ OPTIMIZED - Single query with JOIN\nconst users = await User.findAll({\n  include: [{\n    model: Order,\n    as: 'orders'\n  }]\n});\n\n// SQL generated:\n// SELECT users.*, orders.*\n// FROM users\n// LEFT JOIN orders ON orders.user_id = users.id\n// (1 query instead of 1,001)\n```",
+
+  "quickFix": {
+    "description": "Add eager loading to existing query (30 minutes)",
+    "code": "const users = await User.findAll({\n  include: ['orders']  // Sequelize eager loading\n});",
+    "limitations": "Still loads all users - may be slow with 10k+ users. Pagination recommended."
+  },
+
+  "properFix": {
+    "description": "Eager loading + pagination + caching (4 hours)",
+    "code": "// Proper solution with pagination\nasync function getDashboard(page = 1, limit = 50) {\n  const cacheKey = `dashboard:${page}`;\n  \n  // Check cache first\n  const cached = await redis.get(cacheKey);\n  if (cached) return JSON.parse(cached);\n  \n  // Single query with JOIN + pagination\n  const users = await User.findAll({\n    include: [{\n      model: Order,\n      as: 'orders',\n      limit: 10  // Limit orders per user\n    }],\n    limit,\n    offset: (page - 1) * limit,\n    order: [['createdAt', 'DESC']]\n  });\n  \n  // Cache for 5 minutes\n  await redis.setex(cacheKey, 300, JSON.stringify(users));\n  \n  return users;\n}",
+    "additionalSteps": [
+      "Add database index on orders.user_id (if missing)",
+      "Consider materialized view for dashboard data",
+      "Add connection pooling (min: 5, max: 20)",
+      "Set up read replicas for heavy queries",
+      "Monitor query performance with APM (DataDog, New Relic)"
+    ]
+  },
+
+  "testing": {
+    "description": "Verify performance improvement",
+    "manual": [
+      "Test 1: Load dashboard, check DB logs → should see 1-2 queries (not 1000+)",
+      "Test 2: Use Chrome DevTools → Time to First Byte should be <500ms",
+      "Test 3: Run with 10k users in test DB → should still load <1s",
+      "Test 4: Check database CPU during load → should stay <50%"
+    ],
+    "automated": "describe('Dashboard performance', () => {\n  it('should use eager loading (no N+1)', async () => {\n    // Track queries\n    const queries = [];\n    db.on('query', q => queries.push(q));\n    \n    await getDashboard();\n    \n    // Should be 1 SELECT with JOIN\n    expect(queries.length).toBeLessThan(5);\n    expect(queries[0]).toContain('JOIN orders');\n  });\n  \n  it('should load dashboard in <500ms', async () => {\n    const start = Date.now();\n    await getDashboard();\n    const duration = Date.now() - start;\n    \n    expect(duration).toBeLessThan(500);\n  });\n});"
+  },
+
+  "detection": {
+    "description": "Find other N+1 query problems in codebase",
+    "commands": [
+      "# Find loops with database queries inside",
+      "grep -r 'for.*await.*find' src/",
+      "grep -r '.map.*await' src/",
+      "",
+      "# Check database slow query log",
+      "cat /var/log/postgresql/slow-queries.log | grep 'SELECT.*FROM orders'",
+      "",
+      "# Use database profiler",
+      "npm install --save-dev sequelize-profiler",
+      "# Add to app: db.use(require('sequelize-profiler'))"
+    ],
+    "indicators": [
+      "Database query count proportional to result set size",
+      "Slow query log shows same query repeated 100+ times",
+      "APM shows 'database' taking 80%+ of response time",
+      "Database CPU spikes during list page loads"
+    ]
+  },
+
+  "dread": {
+    "damage": 7,
+    "reproducibility": 10,
+    "exploitability": 10,
+    "affectedUsers": 10,
+    "discoverability": 8,
+    "score": 9.0
+  },
+
+  "references": [
+    "https://guides.rubyonrails.org/active_record_querying.html#eager-loading-associations",
+    "https://sequelize.org/docs/v6/advanced-association-concepts/eager-loading/",
+    "https://use-the-index-luke.com/"
+  ],
+
+  "evidence": [
+    "Loop at line 46 calls Order.findByUserId() inside",
+    "No 'include' option in User.findAll() query",
+    "APM data shows 1,247 queries for single dashboard load",
+    "Database slow query log: 'SELECT * FROM orders WHERE user_id = ?' appears 1000+ times",
+    "PageSpeed Insights: Time to Interactive = 3.2s"
+  ],
+
+  "fixOwner": "developer",
+  "estimatedEffort": {
+    "human": "3-4 hours (find all N+1 queries, research eager loading, implement pagination, add caching, performance test)",
+    "claudeCode": "15-20 minutes (detects N+1 patterns, converts to eager loading, adds pagination and caching, generates performance tests)",
+    "roi": "12x faster with Claude Code"
+  },
+  "priority": 1
+}
+```
+
+### Excellent Architecture Finding (Do This!)
+
+```json
+{
+  "id": "ARCH-001",
+  "title": "Payment Secrets Hardcoded in Repository - Exposure Risk",
+  "severity": "critical",
+  "category": "architecture",
+  "file": "src/config/payment.ts",
+  "line": 12,
+  "endLine": 12,
+  "code": "const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'",
+
+  "description": "Stripe LIVE secret key hardcoded in source code. Key has been committed to git history (commit abc123). Anyone with repository access can process payments, issue refunds, export customer data.",
+
+  "impact": "Complete payment system compromise:\n1. Process fraudulent charges\n2. Issue refunds to attacker's accounts\n3. Export all customer payment data (PCI violation)\n4. Delete customer payment methods\n5. Key exposed in git history - even if removed now, still accessible",
+
+  "businessImpact": {
+    "financial": "Fraudulent charges/refunds = unlimited financial loss. Stripe may suspend account. PCI Level 1 fine: $5k-$100k/month",
+    "reputation": "PCI compliance failure = cannot process credit cards. Customer data breach = loss of trust",
+    "legal": "PCI DSS violation = potential lawsuits. FTC investigation. Payment processor termination",
+    "operational": "Emergency key rotation, customer notification, forensic investigation, potential service shutdown"
+  },
+
+  "realWorldExamples": [
+    "Uber (2016): AWS keys in GitHub → 57M users exposed → $148M settlement",
+    "Twitter (2020): API keys leaked → account takeovers including Obama, Biden",
+    "Your risk: Developer laptop stolen → attacker has payment keys → can issue refunds to themselves"
+  ],
+
+  "attackChain": [
+    {"step": 1, "action": "Clone repository or access via ex-employee's account", "result": "Source code with secret key"},
+    {"step": 2, "action": "Use key to list all customers: curl https://api.stripe.com/v1/customers -u sk_live_...", "result": "Export entire customer database"},
+    {"step": 3, "action": "Issue refunds to attacker-controlled accounts", "result": "$10k+ fraudulent refunds"},
+    {"step": 4, "action": "Even if key rotated, check git history: git log -p config/payment.ts", "result": "Original key still in commits"}
+  ],
+
+  "proofOfConcept": "# Exploit hardcoded secret:\n\n# 1. Find the key in code\ngrep -r 'sk_live' .\n# Result: src/config/payment.ts:12:const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'\n\n# 2. Check git history (even if removed)\ngit log --all -p | grep 'sk_live'\n# Result: Found in commits abc123, def456, ghi789\n\n# 3. Use the key to issue refund\ncurl https://api.stripe.com/v1/refunds \\\n  -u sk_live_51Hqr2x...: \\\n  -d charge=ch_xyz123 \\\n  -d amount=10000\n# Result: $100 refunded to attacker's card",
+
+  "recommendation": "Move secrets to environment variables and secret manager:\n\n```typescript\n// ✅ SECURE - Load from environment\nconst STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;\n\nif (!STRIPE_SECRET_KEY) {\n  throw new Error('STRIPE_SECRET_KEY environment variable required');\n}\n```",
+
+  "quickFix": {
+    "description": "Move to .env file (NOT committed) - 1 hour",
+    "code": "// .env (add to .gitignore)\nSTRIPE_SECRET_KEY=sk_live_51Hqr2x...\n\n// src/config/payment.ts\nimport dotenv from 'dotenv';\ndotenv.config();\n\nconst STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;",
+    "limitations": ".env still on server filesystem. If server compromised, key exposed. Better: use secret manager."
+  },
+
+  "properFix": {
+    "description": "Migrate to AWS Secrets Manager with key rotation (1 day)",
+    "code": "import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';\n\nconst client = new SecretsManagerClient({ region: 'us-east-1' });\n\n// Fetch secret from AWS Secrets Manager\nasync function getStripeKey(): Promise<string> {\n  const response = await client.send(\n    new GetSecretValueCommand({ SecretId: 'prod/stripe/secret_key' })\n  );\n  \n  if (!response.SecretString) {\n    throw new Error('Stripe secret not found in Secrets Manager');\n  }\n  \n  return JSON.parse(response.SecretString).STRIPE_SECRET_KEY;\n}\n\n// Cache for 5 minutes (secrets manager charges per request)\nlet cachedKey: string | null = null;\nlet cacheExpiry = 0;\n\nexport async function getPaymentKey(): Promise<string> {\n  if (cachedKey && Date.now() < cacheExpiry) {\n    return cachedKey;\n  }\n  \n  cachedKey = await getStripeKey();\n  cacheExpiry = Date.now() + 5 * 60 * 1000;\n  return cachedKey;\n}",
+    "additionalSteps": [
+      "Rotate Stripe secret key IMMEDIATELY (current key is compromised)",
+      "Enable automatic key rotation in AWS Secrets Manager (90 days)",
+      "Remove key from ALL git history: git filter-branch or BFG Repo-Cleaner",
+      "Audit Stripe logs for suspicious activity (past 90 days)",
+      "Set up IAM roles - only production servers can read secrets",
+      "Enable CloudTrail logging for secret access",
+      "Add alerts for secret access from unexpected IPs",
+      "Document key rotation runbook"
+    ]
+  },
+
+  "testing": {
+    "description": "Verify secrets are properly secured",
+    "manual": [
+      "Test 1: grep -r 'sk_live' . → should return 0 results",
+      "Test 2: git log --all -p | grep 'sk_live' → check if still in history",
+      "Test 3: docker run --rm app → should fail with 'STRIPE_SECRET_KEY required'",
+      "Test 4: AWS Secrets Manager console → verify secret exists",
+      "Test 5: Attempt to access secret from dev laptop → should fail (IAM)"
+    ],
+    "automated": "describe('Secret management', () => {\n  it('should not have hardcoded secrets', () => {\n    const files = glob.sync('**/*.{ts,js}');\n    files.forEach(file => {\n      const content = fs.readFileSync(file, 'utf8');\n      expect(content).not.toMatch(/sk_live_[a-zA-Z0-9]{32}/);\n      expect(content).not.toMatch(/pk_live_[a-zA-Z0-9]{32}/);\n    });\n  });\n  \n  it('should require environment variables', () => {\n    delete process.env.STRIPE_SECRET_KEY;\n    expect(() => require('./config/payment')).toThrow('STRIPE_SECRET_KEY');\n  });\n});"
+  },
+
+  "detection": {
+    "description": "Find ALL hardcoded secrets in codebase",
+    "commands": [
+      "# Find Stripe keys",
+      "git log --all -p | grep -E 'sk_live_[a-zA-Z0-9]+'",
+      "",
+      "# Find AWS keys",
+      "git log --all -p | grep -E 'AKIA[A-Z0-9]{16}'",
+      "",
+      "# Find generic secrets (high entropy strings)",
+      "trufflehog git file://. --only-verified",
+      "",
+      "# Use automated scanner",
+      "npm install -g detect-secrets",
+      "detect-secrets scan --all-files",
+      "",
+      "# Check Stripe for unauthorized activity",
+      "# Login to Stripe dashboard → Developers → Logs → Filter by IP address"
+    ],
+    "indicators": [
+      "Stripe keys (sk_live_, pk_live_) in source code",
+      "AWS credentials (AKIA...) in config files",
+      "High entropy strings (40+ random chars) in code",
+      "Suspicious Stripe activity: refunds from unknown IPs, customer exports",
+      "GitHub secret scanning alerts (if repo is on GitHub)"
+    ]
+  },
+
+  "dread": {
+    "damage": 10,
+    "reproducibility": 10,
+    "exploitability": 10,
+    "affectedUsers": 10,
+    "discoverability": 9,
+    "score": 9.8
+  },
+
+  "cwe": "CWE-798",
+  "owasp": "A02:2021-Cryptographic Failures",
+  "cvss": "10.0 (Critical)",
+
+  "references": [
+    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html",
+    "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password",
+    "https://stripe.com/docs/keys#safe-keys"
+  ],
+
+  "evidence": [
+    "Line 12: const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'",
+    "Git history shows key in 14 commits dating back 6 months",
+    "Repository has 23 contributors (all have access to key)",
+    "No .gitignore entry for config files",
+    "GitHub shows 'Secret scanning alert' for this repository"
+  ],
+
+  "fixOwner": "devops + developer",
+  "estimatedEffort": {
+    "human": "1-2 days (setup AWS Secrets Manager, migrate all secrets, update deployment scripts, rotate keys, audit git history, cleanup with BFG)",
+    "claudeCode": "1-2 hours (finds all secrets, generates Secrets Manager integration, updates code, creates rotation scripts, provides git cleanup commands)",
+    "roi": "12x faster with Claude Code"
+  },
+  "priority": 1
 }
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.12.0",
+  "version": "2.0.0",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [