deep-slop 1.4.1

package/dist/security-deep-DJRINs10.js

@@ -0,0 +1,1198 @@
+import { i as toLines, r as readFileContent } from "./file-utils-B_HFXhCs.js";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { execSync } from "node:child_process";
+
+//#region src/security/audit.ts
+function runWithTimeout(cmd, cwd, timeout) {
+	try {
+		return {
+			stdout: execSync(cmd, {
+				cwd,
+				timeout,
+				encoding: "utf-8",
+				stdio: [
+					"pipe",
+					"pipe",
+					"pipe"
+				],
+				maxBuffer: 10 * 1024 * 1024
+			}),
+			stderr: "",
+			status: 0,
+			timedOut: false
+		};
+	} catch (err) {
+		const e = err;
+		return {
+			stdout: typeof e.stdout === "string" ? e.stdout : "",
+			stderr: typeof e.stderr === "string" ? e.stderr : "",
+			status: e.status ?? null,
+			timedOut: e.killed === true || e.signal === "SIGTERM"
+		};
+	}
+}
+function makeAuditDiagnostic(rule, severity, message, help, opts) {
+	return {
+		filePath: "package.json",
+		engine: "security-deep",
+		rule,
+		severity,
+		message,
+		help,
+		line: 1,
+		column: 1,
+		category: "security",
+		fixable: opts?.fixable ?? false,
+		suggestion: opts?.suggestion,
+		detail: opts?.detail
+	};
+}
+function mapNpmSeverity(s) {
+	const lower = s.toLowerCase();
+	if (lower === "critical" || lower === "high") return "error";
+	if (lower === "moderate" || lower === "medium") return "warning";
+	return "info";
+}
+function npmAudit(rootDir, timeout) {
+	if (!existsSync(join(rootDir, "package-lock.json")) && !existsSync(join(rootDir, "package.json"))) return [];
+	const result = runWithTimeout("npm audit --json", rootDir, timeout);
+	if (result.timedOut) return [makeAuditDiagnostic("security-deep/dependency-vulnerability", "warning", "npm audit timed out", "Increase security.auditTimeout or check network connectivity.")];
+	let parsed;
+	try {
+		parsed = JSON.parse(result.stdout);
+	} catch {
+		return [makeAuditDiagnostic("security-deep/dependency-vulnerability", "warning", "npm audit produced non-JSON output", "Ensure npm is installed and the project has a valid package-lock.json.")];
+	}
+	const diagnostics = [];
+	if (parsed.advisories) for (const [, adv] of Object.entries(parsed.advisories)) diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", mapNpmSeverity(adv.severity), `Vulnerability in ${adv.module_name}: ${adv.title}`, `Update ${adv.module_name} to ${adv.patched_versions || "a patched version"}. ${adv.url}`, {
+		fixable: !!adv.patched_versions,
+		suggestion: {
+			type: "refactor",
+			text: `npm update ${adv.module_name}`,
+			confidence: .9,
+			reason: `Patched version available: ${adv.patched_versions || "unknown"}`
+		},
+		detail: {
+			module: adv.module_name,
+			vulnerableVersions: adv.vulnerable_versions,
+			patchedVersions: adv.patched_versions,
+			cwe: adv.cwe,
+			auditTool: "npm"
+		}
+	}));
+	if (parsed.vulnerabilities) for (const [, vuln] of Object.entries(parsed.vulnerabilities)) {
+		const isFixable = vuln.fixAvailable !== false && vuln.fixAvailable != null;
+		diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", mapNpmSeverity(vuln.severity), `Vulnerability in ${vuln.name} (${vuln.range})`, isFixable ? `Run 'npm audit fix' to apply available fixes for ${vuln.name}.` : `No automatic fix available for ${vuln.name}. Review and update manually.`, {
+			fixable: isFixable,
+			suggestion: {
+				type: "refactor",
+				text: isFixable ? "npm audit fix" : `npm update ${vuln.name}`,
+				confidence: isFixable ? .9 : .5,
+				reason: isFixable ? "npm audit fix can resolve this automatically" : "Manual review and update required"
+			},
+			detail: {
+				module: vuln.name,
+				range: vuln.range,
+				fixAvailable: vuln.fixAvailable,
+				auditTool: "npm"
+			}
+		}));
+	}
+	return diagnostics;
+}
+function pipAudit(rootDir, timeout) {
+	if (!existsSync(join(rootDir, "requirements.txt")) && !existsSync(join(rootDir, "Pipfile")) && !existsSync(join(rootDir, "pyproject.toml"))) return [];
+	const result = runWithTimeout("pip-audit --format=json", rootDir, timeout);
+	if (result.timedOut) return [makeAuditDiagnostic("security-deep/dependency-vulnerability", "warning", "pip-audit timed out", "Increase security.auditTimeout or check network connectivity.")];
+	if (result.status !== 0 && !result.stdout.trim()) return [];
+	let parsed;
+	try {
+		parsed = JSON.parse(result.stdout);
+	} catch {
+		return [];
+	}
+	const diagnostics = [];
+	if (parsed.dependencies) for (const dep of parsed.dependencies) for (const v of dep.vulns) {
+		const fixVersions = v.fix_versions?.join(", ") ?? v.vuln.fixed_versions?.join(", ");
+		const hasFix = (v.fix_versions?.length ?? 0) > 0 || (v.vuln.fixed_versions?.length ?? 0) > 0;
+		diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", "error", `Vulnerability in ${dep.package}@${dep.version}: ${v.vuln.id} - ${v.vuln.description}`, hasFix ? `Update ${dep.package} to ${fixVersions || "a patched version"}.` : `No patched version available for ${dep.package}. Review and mitigate manually.`, {
+			fixable: hasFix,
+			suggestion: {
+				type: "refactor",
+				text: `pip install --upgrade ${dep.package}`,
+				confidence: hasFix ? .85 : .3,
+				reason: hasFix ? `Fix available in version(s): ${fixVersions}` : "No known fix — review and apply mitigations"
+			},
+			detail: {
+				module: dep.package,
+				version: dep.version,
+				vulnId: v.vuln.id,
+				aliases: v.vuln.aliases,
+				fixVersions: v.fix_versions ?? v.vuln.fixed_versions,
+				auditTool: "pip-audit"
+			}
+		}));
+	}
+	if (parsed.vulnerabilities) for (const vuln of parsed.vulnerabilities) {
+		const hasFix = (vuln.fixed_versions?.length ?? 0) > 0;
+		const pkgName = vuln.name ?? "unknown";
+		const pkgVer = vuln.version ?? "unknown";
+		diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", "error", `Vulnerability in ${pkgName}@${pkgVer}: ${vuln.id ?? "unknown"} - ${vuln.description ?? "no description"}`, hasFix ? `Update ${pkgName} to ${vuln.fixed_versions?.join(", ") ?? "a patched version"}.` : `No patched version available for ${pkgName}. Review and mitigate manually.`, {
+			fixable: hasFix,
+			suggestion: {
+				type: "refactor",
+				text: `pip install --upgrade ${pkgName}`,
+				confidence: hasFix ? .85 : .3,
+				reason: hasFix ? `Fix available in version(s): ${vuln.fixed_versions?.join(", ")}` : "No known fix — review and apply mitigations"
+			},
+			detail: {
+				module: pkgName,
+				version: pkgVer,
+				vulnId: vuln.id,
+				fixVersions: vuln.fixed_versions,
+				auditTool: "pip-audit"
+			}
+		}));
+	}
+	return diagnostics;
+}
+function goVulnCheck(rootDir, timeout) {
+	if (!existsSync(join(rootDir, "go.mod"))) return [];
+	const result = runWithTimeout("govulncheck -json ./...", rootDir, timeout);
+	if (result.timedOut) return [makeAuditDiagnostic("security-deep/dependency-vulnerability", "warning", "govulncheck timed out", "Increase security.auditTimeout or check network connectivity.")];
+	if (!result.stdout.trim()) return [];
+	const diagnostics = [];
+	for (const line of result.stdout.split("\n")) {
+		if (!line.trim()) continue;
+		let entry;
+		try {
+			entry = JSON.parse(line);
+		} catch {
+			continue;
+		}
+		if (entry.finding) {
+			const finding = entry.finding;
+			const module = finding.trace?.[0]?.module ?? "unknown";
+			const version = finding.trace?.[0]?.version ?? "unknown";
+			const hasFix = !!finding.fixed;
+			diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", "error", `Vulnerability in ${module}@${version}: ${finding.osv ?? "unknown OSV"}`, hasFix ? `Update ${module} to ${finding.fixed}.` : `No patched version available for ${module}. Review and mitigate manually.`, {
+				fixable: hasFix,
+				suggestion: {
+					type: "refactor",
+					text: `go get ${module}@${finding.fixed ?? "latest"}`,
+					confidence: hasFix ? .85 : .3,
+					reason: hasFix ? `Fix available in version: ${finding.fixed}` : "No known fix — review and apply mitigations"
+				},
+				detail: {
+					module,
+					version,
+					osv: finding.osv,
+					fixed: finding.fixed,
+					auditTool: "govulncheck"
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function cargoAudit(rootDir, timeout) {
+	if (!existsSync(join(rootDir, "Cargo.lock"))) return [];
+	const result = runWithTimeout("cargo audit --json", rootDir, timeout);
+	if (result.timedOut) return [makeAuditDiagnostic("security-deep/dependency-vulnerability", "warning", "cargo audit timed out", "Increase security.auditTimeout or check network connectivity.")];
+	if (result.status !== 0 && !result.stdout.trim()) return [];
+	let parsed;
+	try {
+		parsed = JSON.parse(result.stdout);
+	} catch {
+		return [];
+	}
+	const diagnostics = [];
+	if (parsed.vulnerabilities?.list) for (const vuln of parsed.vulnerabilities.list) {
+		const hasFix = (vuln.versions.patched?.length ?? 0) > 0;
+		const mappedSeverity = (vuln.advisory.severity?.toLowerCase() ?? "high") === "low" ? "warning" : "error";
+		diagnostics.push(makeAuditDiagnostic("security-deep/dependency-vulnerability", mappedSeverity, `Vulnerability in ${vuln.package}: ${vuln.advisory.id} - ${vuln.advisory.title}`, hasFix ? `Update ${vuln.package} to ${vuln.versions.patched?.join(", ") ?? "a patched version"}. ${vuln.advisory.url}` : `No patched version available for ${vuln.package}. ${vuln.advisory.url}`, {
+			fixable: hasFix,
+			suggestion: {
+				type: "refactor",
+				text: `cargo update -p ${vuln.package}`,
+				confidence: hasFix ? .85 : .3,
+				reason: hasFix ? `Fix available in version(s): ${vuln.versions.patched?.join(", ")}` : "No known fix — review and apply mitigations"
+			},
+			detail: {
+				module: vuln.package,
+				advisoryId: vuln.advisory.id,
+				title: vuln.advisory.title,
+				patchedVersions: vuln.versions.patched,
+				url: vuln.advisory.url,
+				auditTool: "cargo-audit"
+			}
+		}));
+	}
+	return diagnostics;
+}
+
+//#endregion
+//#region src/utils/source-mask.ts
+/** Pattern matchers for sensitive data */
+const SENSITIVE_PATTERNS = [
+	{
+		pattern: /\b(sk-[a-zA-Z0-9]{20,})\b/g,
+		replacement: "[REDACTED-KEY]",
+		label: "API key"
+	},
+	{
+		pattern: /\b(ghp_[a-zA-Z0-9]{36,})\b/g,
+		replacement: "[REDACTED-TOKEN]",
+		label: "GitHub PAT"
+	},
+	{
+		pattern: /\b(gho_[a-zA-Z0-9]{36,})\b/g,
+		replacement: "[REDACTED-TOKEN]",
+		label: "GitHub OAuth"
+	},
+	{
+		pattern: /\b(AKIA[A-Z0-9]{16})\b/g,
+		replacement: "[REDACTED-KEY]",
+		label: "AWS access key"
+	},
+	{
+		pattern: /\b(Bearer\s+)[a-zA-Z0-9\-_.]{20,}/gi,
+		replacement: "$1[REDACTED]",
+		label: "Bearer token"
+	},
+	{
+		pattern: /:\/\/([^:]+):([^@]+)@/g,
+		replacement: "://[REDACTED]:[REDACTED]@",
+		label: "URL credentials"
+	},
+	{
+		pattern: /\b(password|pwd|passwd|secret|token|apikey|api_key)\s*[:=]\s*["'][^"']{4,}["']/gi,
+		replacement: "$1=[REDACTED]",
+		label: "Password/secret assignment"
+	},
+	{
+		pattern: /\b(mongodb|postgres|mysql|redis):\/\/[^:]+:[^@]+@/gi,
+		replacement: "$1://[REDACTED]:[REDACTED]@",
+		label: "DB connection string"
+	},
+	{
+		pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
+		replacement: "[REDACTED-PRIVATE-KEY]",
+		label: "Private key"
+	}
+];
+/** Redact sensitive data from a string */
+function maskSecrets(text) {
+	let result = text;
+	for (const { pattern, replacement } of SENSITIVE_PATTERNS) result = result.replace(pattern, replacement);
+	return result;
+}
+
+//#endregion
+//#region src/security/secrets.ts
+function makeSecretDiagnostic(filePath, rule, severity, message, help, line, column, opts) {
+	return {
+		filePath,
+		engine: "security-deep",
+		rule,
+		severity,
+		message,
+		help,
+		line,
+		column,
+		category: "security",
+		fixable: opts?.fixable ?? false,
+		suggestion: opts?.suggestion,
+		detail: opts?.detail
+	};
+}
+function isTestFile$1(filePath) {
+	const normalized = filePath.replace(/\\/g, "/");
+	if (normalized.endsWith(".test.ts") || normalized.endsWith(".spec.ts")) return true;
+	if (normalized.endsWith(".test.js") || normalized.endsWith(".spec.js")) return true;
+	if (normalized.endsWith(".test.py") || normalized.endsWith(".spec.py")) return true;
+	if (normalized.endsWith(".test.go")) return true;
+	if (normalized.endsWith(".rs") && normalized.includes("/tests/")) return true;
+	if (/\/__tests__\//.test(normalized)) return true;
+	if (/(?:^|\/)(?:test|tests|spec|specs)\//.test(normalized)) return true;
+	return false;
+}
+const SECRET_PATTERNS = [
+	{
+		name: "API key",
+		pattern: /['"`](sk-[A-Za-z0-9_-]{10,})['"`]/g,
+		secretGroup: 1,
+		help: "Move API keys to environment variables or a secrets manager. Never commit secrets to source control.",
+		envVar: "SECRET_KEY",
+		secretType: "api-key"
+	},
+	{
+		name: "GitHub PAT",
+		pattern: /['"`](ghp_[A-Za-z0-9]{36,})['"`]/g,
+		secretGroup: 1,
+		help: "Move GitHub tokens to environment variables or a secrets manager.",
+		envVar: "GITHUB_TOKEN",
+		secretType: "api-key"
+	},
+	{
+		name: "GitHub OAuth token",
+		pattern: /['"`](gho_[A-Za-z0-9]{36,})['"`]/g,
+		secretGroup: 1,
+		help: "Move GitHub OAuth tokens to environment variables or a secrets manager.",
+		envVar: "GITHUB_OAUTH_TOKEN",
+		secretType: "token"
+	},
+	{
+		name: "GitHub fine-grained PAT",
+		pattern: /['"`](github_pat_[A-Za-z0-9_]{50,})['"`]/g,
+		secretGroup: 1,
+		help: "Move GitHub fine-grained PATs to environment variables or a secrets manager.",
+		envVar: "GITHUB_TOKEN",
+		secretType: "api-key"
+	},
+	{
+		name: "AWS access key",
+		pattern: /['"`](AKIA[A-Z0-9]{12,})['"`]/g,
+		secretGroup: 1,
+		help: "Move AWS credentials to environment variables, ~/.aws/credentials, or a secrets manager.",
+		envVar: "AWS_ACCESS_KEY_ID",
+		secretType: "aws-key"
+	},
+	{
+		name: "Google API key",
+		pattern: /['"`](AIza[A-Za-z0-9_-]{20,})['"`]/g,
+		secretGroup: 1,
+		help: "Move Google API keys to environment variables or a secrets manager.",
+		envVar: "GOOGLE_API_KEY",
+		secretType: "api-key"
+	},
+	{
+		name: "API key",
+		pattern: /['"`](key-[A-Za-z0-9_-]{10,})['"`]/g,
+		secretGroup: 1,
+		help: "Move API keys to environment variables or a secrets manager. Never commit secrets to source control.",
+		envVar: "SECRET_KEY",
+		secretType: "api-key"
+	},
+	{
+		name: "Bearer token",
+		pattern: /['"`](Bearer\s+[A-Za-z0-9_.-]{10,})['"`]/gi,
+		secretGroup: 1,
+		help: "Move bearer tokens to environment variables or a secrets manager.",
+		envVar: "AUTH_TOKEN",
+		secretType: "token"
+	},
+	{
+		name: "GitHub token",
+		pattern: /['"`](ghpt_[A-Za-z0-9_-]{10,})['"`]/g,
+		secretGroup: 1,
+		help: "Move GitHub tokens to environment variables or a secrets manager.",
+		envVar: "GITHUB_TOKEN",
+		secretType: "token"
+	},
+	{
+		name: "Password assignment",
+		pattern: /(?:password|pwd|passwd|pass)\s*(?:=|:)\s*['"`]([^'"`]{4,})['"`]/gi,
+		secretGroup: 1,
+		help: "Move passwords to environment variables or a secrets manager. Never commit credentials to source control.",
+		envVar: "PASSWORD",
+		secretType: "password"
+	},
+	{
+		name: "Secret assignment",
+		pattern: /(?:secret|token|apikey|api_key|access_key|private_key)\s*(?:=|:)\s*['"`]([^'"`]{4,})['"`]/gi,
+		secretGroup: 1,
+		help: "Move secrets to environment variables or a secrets manager. Never commit secrets to source control.",
+		envVar: "SECRET",
+		secretType: "secret"
+	},
+	{
+		name: "DB connection string",
+		pattern: /['"`]((?:mongodb|postgres|postgresql|mysql|redis|amqp|amqps):\/\/[^'"`]{8,})['"`]/gi,
+		secretGroup: 1,
+		help: "Move database connection strings to environment variables. Never commit credentials to source control.",
+		envVar: "DATABASE_URL",
+		secretType: "connection-string"
+	},
+	{
+		name: "PEM private key",
+		pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
+		secretGroup: 0,
+		help: "Move private keys to a secrets manager or secure file storage. Never commit private keys to source control.",
+		envVar: "PRIVATE_KEY_PATH",
+		secretType: "private-key"
+	}
+];
+function detectSecrets(filePath, lines) {
+	const diagnostics = [];
+	if (isTestFile$1(filePath)) return diagnostics;
+	for (const { num, text } of lines) {
+		const trimmed = text.trim();
+		if (trimmed.startsWith("#") || trimmed.startsWith("//") || trimmed.startsWith("/*") || trimmed.startsWith("*")) continue;
+		for (const pattern of SECRET_PATTERNS) {
+			pattern.pattern.lastIndex = 0;
+			let match;
+			while ((match = pattern.pattern.exec(text)) !== null) {
+				const secret = match[pattern.secretGroup];
+				const col = match.index + 1;
+				const maskedValue = maskSecrets(secret || match[0]);
+				diagnostics.push(makeSecretDiagnostic(filePath, "security-deep/hardcoded-secret", "error", `Hardcoded ${pattern.name} detected: ${maskedValue}`, pattern.help, num, col, {
+					fixable: true,
+					suggestion: {
+						type: "replace",
+						text: `process.env.${pattern.envVar}`,
+						confidence: .9,
+						reason: "Hardcoded secrets in source code are exposed in version control; use environment variables."
+					},
+					detail: {
+						secretType: pattern.secretType,
+						secretPrefix: secret ? secret.slice(0, 4) : void 0,
+						patternName: pattern.name
+					}
+				}));
+			}
+		}
+	}
+	return diagnostics;
+}
+
+//#endregion
+//#region src/security/html-safety.ts
+function makeHtmlDiagnostic(filePath, rule, severity, message, help, line, column, opts) {
+	return {
+		filePath,
+		engine: "security-deep",
+		rule,
+		severity,
+		message,
+		help,
+		line,
+		column,
+		category: "security",
+		fixable: opts?.fixable ?? false,
+		suggestion: opts?.suggestion,
+		detail: opts?.detail
+	};
+}
+function isCommentLine(text) {
+	const trimmed = text.trim();
+	if (trimmed.startsWith("#")) return true;
+	if (trimmed.startsWith("//")) return true;
+	if (trimmed.startsWith("/*")) return true;
+	if (trimmed.startsWith("*")) return true;
+	return false;
+}
+function isJsxFile(filePath) {
+	return /\.(jsx|tsx)$/.test(filePath);
+}
+function isVueFile(filePath) {
+	return /\.vue$/.test(filePath);
+}
+const XSS_PATTERNS = [
+	{
+		name: "innerHTML assignment",
+		pattern: /\.innerHTML\s*=/,
+		rule: "security-deep/unsafe-html",
+		message: () => "Assignment to .innerHTML can lead to XSS if the value contains user input",
+		help: "Use textContent, innerText, or a sanitization library (e.g., DOMPurify) instead of innerHTML.",
+		suggestion: {
+			type: "replace",
+			text: ".textContent = ",
+			confidence: .6,
+			reason: "textContent safely sets text without interpreting HTML, preventing XSS."
+		},
+		detailName: "innerHTML"
+	},
+	{
+		name: "outerHTML assignment",
+		pattern: /\.outerHTML\s*=/,
+		rule: "security-deep/unsafe-html",
+		message: () => "Assignment to .outerHTML can lead to XSS if the value contains user input",
+		help: "Use DOM manipulation methods (createElement, appendChild) or a sanitization library instead of outerHTML.",
+		suggestion: {
+			type: "refactor",
+			text: "/* Replace outerHTML assignment with safe DOM manipulation */",
+			confidence: .6,
+			reason: "outerHTML replaces the entire element and can inject arbitrary HTML."
+		},
+		detailName: "outerHTML"
+	},
+	{
+		name: "document.write",
+		pattern: /\bdocument\s*\.\s*write\s*\(/,
+		rule: "security-deep/unsafe-html",
+		message: () => "document.write() can lead to XSS and breaks incremental rendering",
+		help: "Use DOM manipulation methods (createElement, appendChild) or framework rendering instead of document.write().",
+		suggestion: {
+			type: "refactor",
+			text: "/* Replace document.write() with safe DOM manipulation */",
+			confidence: .7,
+			reason: "document.write() can inject arbitrary HTML and overwrites the document if called after parse."
+		},
+		detailName: "document.write"
+	},
+	{
+		name: "document.writeln",
+		pattern: /\bdocument\s*\.\s*writeln\s*\(/,
+		rule: "security-deep/unsafe-html",
+		message: () => "document.writeln() can lead to XSS and breaks incremental rendering",
+		help: "Use DOM manipulation methods (createElement, appendChild) or framework rendering instead of document.writeln().",
+		suggestion: {
+			type: "refactor",
+			text: "/* Replace document.writeln() with safe DOM manipulation */",
+			confidence: .7,
+			reason: "document.writeln() has the same XSS risks as document.write()."
+		},
+		detailName: "document.writeln"
+	},
+	{
+		name: "dangerouslySetInnerHTML",
+		pattern: /dangerouslySetInnerHTML\s*=/,
+		rule: "security-deep/xss-risk",
+		message: () => "dangerouslySetInnerHTML renders raw HTML and can lead to XSS",
+		help: "Avoid dangerouslySetInnerHTML. Use React rendering or a sanitization library (e.g., DOMPurify) if raw HTML is required.",
+		suggestion: {
+			type: "refactor",
+			text: "/* Replace dangerouslySetInnerHTML with safe React rendering or sanitize with DOMPurify */",
+			confidence: .7,
+			reason: "dangerouslySetInnerHTML bypasses React's XSS protection by rendering raw HTML."
+		},
+		detailName: "dangerouslySetInnerHTML"
+	},
+	{
+		name: "v-html",
+		pattern: /v-html\s*=/,
+		rule: "security-deep/xss-risk",
+		message: () => "v-html renders raw HTML and can lead to XSS",
+		help: "Avoid v-html. Use Vue template rendering or a sanitization library (e.g., DOMPurify) if raw HTML is required.",
+		suggestion: {
+			type: "replace",
+			text: "v-text=",
+			confidence: .6,
+			reason: "v-text safely renders text content without interpreting HTML, preventing XSS."
+		},
+		detailName: "v-html"
+	},
+	{
+		name: "innerHTML with interpolation",
+		pattern: /\.innerHTML\s*=\s*`[^`]*\$\{/,
+		rule: "security-deep/xss-risk",
+		message: () => "innerHTML with template literal interpolation — high XSS risk",
+		help: "Never interpolate dynamic values into innerHTML. Use textContent or sanitize with DOMPurify.",
+		suggestion: {
+			type: "replace",
+			text: ".textContent = ",
+			confidence: .85,
+			reason: "Template literal interpolation in innerHTML directly injects untrusted values as HTML."
+		},
+		detailName: "innerHTML-interpolation"
+	},
+	{
+		name: "innerHTML with concatenation",
+		pattern: /\.innerHTML\s*=\s*['"`][^'"`]*['"`]\s*\+/,
+		rule: "security-deep/xss-risk",
+		message: () => "innerHTML with string concatenation — high XSS risk",
+		help: "Never concatenate dynamic values into innerHTML. Use textContent or sanitize with DOMPurify.",
+		suggestion: {
+			type: "replace",
+			text: ".textContent = ",
+			confidence: .85,
+			reason: "String concatenation in innerHTML directly injects untrusted values as HTML."
+		},
+		detailName: "innerHTML-concatenation"
+	},
+	{
+		name: "insertAdjacentHTML",
+		pattern: /\.insertAdjacentHTML\s*\(/,
+		rule: "security-deep/xss-risk",
+		message: () => "insertAdjacentHTML() renders raw HTML and can lead to XSS",
+		help: "Use insertAdjacentText() or safe DOM manipulation methods instead of insertAdjacentHTML().",
+		suggestion: {
+			type: "replace",
+			text: ".insertAdjacentText(",
+			confidence: .7,
+			reason: "insertAdjacentText safely inserts text without interpreting HTML, preventing XSS."
+		},
+		detailName: "insertAdjacentHTML"
+	},
+	{
+		name: "document.write with input",
+		pattern: /\bdocument\s*\.\s*write\s*\([^)]*\+/,
+		rule: "security-deep/xss-risk",
+		message: () => "document.write() with concatenated input — XSS risk",
+		help: "Avoid document.write() entirely. Use safe DOM manipulation with sanitized content.",
+		suggestion: {
+			type: "refactor",
+			text: "/* Replace document.write() with safe DOM manipulation */",
+			confidence: .8,
+			reason: "Concatenating user input into document.write() is a direct XSS vector."
+		},
+		detailName: "document.write-concatenation"
+	}
+];
+function detectHtmlSafety(filePath, lines) {
+	const diagnostics = [];
+	for (const { num, text } of lines) {
+		if (isCommentLine(text)) continue;
+		for (const xssPattern of XSS_PATTERNS) {
+			const match = text.match(xssPattern.pattern);
+			if (!match) continue;
+			const col = text.indexOf(match[0]) + 1;
+			if ((text.slice(0, col - 1).match(/['"`]/g) ?? []).length % 2 === 1 && isCommentLine(text)) continue;
+			diagnostics.push(makeHtmlDiagnostic(filePath, xssPattern.rule, "error", xssPattern.message(match), xssPattern.help, num, col, {
+				fixable: false,
+				suggestion: xssPattern.suggestion,
+				detail: {
+					pattern: xssPattern.detailName,
+					fileContext: isJsxFile(filePath) ? "jsx" : isVueFile(filePath) ? "vue" : "generic"
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+
+//#endregion
+//#region src/engines/security-deep/index.ts
+function makeDiagnostic(filePath, rule, severity, message, help, line, column, opts) {
+	return {
+		filePath,
+		engine: "security-deep",
+		rule,
+		severity,
+		message,
+		help,
+		line,
+		column,
+		category: "security",
+		fixable: opts?.fixable ?? false,
+		suggestion: opts?.suggestion,
+		detail: opts?.detail
+	};
+}
+/**
+* Track whether we are inside a block comment (/* ... *​/) across lines.
+* Returns { skip, inBlockComment } — if skip is true the entire line is a
+* comment and should not be scanned for security patterns.
+*/
+function checkCommentState(text, inBlockComment) {
+	const trimmed = text.trim();
+	if (inBlockComment) {
+		const closeIdx = text.indexOf("*/");
+		if (closeIdx === -1) return {
+			skip: true,
+			inBlockComment: true
+		};
+		const afterClose = text.substring(closeIdx + 2);
+		const reopenIdx = afterClose.indexOf("/*");
+		if (reopenIdx !== -1) return {
+			skip: true,
+			inBlockComment: afterClose.indexOf("*/", reopenIdx + 2) === -1
+		};
+		return {
+			skip: true,
+			inBlockComment: false
+		};
+	}
+	if (trimmed.startsWith("#")) return {
+		skip: true,
+		inBlockComment: false
+	};
+	if (trimmed.startsWith("//")) return {
+		skip: true,
+		inBlockComment: false
+	};
+	if (trimmed.startsWith("/*")) return {
+		skip: true,
+		inBlockComment: text.indexOf("*/", text.indexOf("/*") + 2) === -1
+	};
+	if (trimmed.startsWith("*")) {
+		const afterStar = trimmed.substring(1).trimStart();
+		if (/^[=;(]/.test(afterStar)) return {
+			skip: false,
+			inBlockComment: false
+		};
+		return {
+			skip: true,
+			inBlockComment: text.indexOf("*/") === -1
+		};
+	}
+	const openIdx = text.indexOf("/*");
+	if (openIdx !== -1) return {
+		skip: false,
+		inBlockComment: text.substring(openIdx + 2).indexOf("*/") === -1
+	};
+	return {
+		skip: false,
+		inBlockComment: false
+	};
+}
+/**
+* Returns true when `matchStart` falls inside a string literal ('…"'/`…`/″…″)
+* or a regex literal (/…/) on the given line of text.
+*
+* Heuristic:
+*  - Count unescaped single / double / backtick quotes before `matchStart`.
+*    If any count is odd the match sits inside that kind of string.
+*  - Look for regex-literal contexts (`= /`, `( /`, `, /`, `; /`, `[ /`,
+*    `return /`, etc.) and find the closing `/`.  If the match is between
+*    the opening and closing `/` of a regex, it is inside the regex.
+*/
+function isInsideStringOrRegex(text, matchStart) {
+	let sq = 0, dq = 0, bt = 0;
+	for (let i = 0; i < matchStart; i++) {
+		let bs = 0;
+		for (let j = i - 1; j >= 0 && text[j] === "\\"; j--) bs++;
+		if (!(bs % 2 === 1)) {
+			if (text[i] === "'") sq++;
+			else if (text[i] === "\"") dq++;
+			else if (text[i] === "`") bt++;
+		}
+	}
+	if (sq % 2 === 1 || dq % 2 === 1 || bt % 2 === 1) return true;
+	const regexPrefix = /[=(:,;\[!&|?{}+\-~^%<> ]$/;
+	for (let i = 0; i < matchStart; i++) if (text[i] === "/" && i > 0 && regexPrefix.test(text[i - 1])) {
+		let j = i + 1;
+		for (; j < text.length; j++) {
+			if (text[j] === "\\") {
+				j++;
+				continue;
+			}
+			if (text[j] === "/") break;
+			if (text[j] === "[") {
+				for (j++; j < text.length && text[j] !== "]"; j++) if (text[j] === "\\") j++;
+				continue;
+			}
+		}
+		if (j < text.length && matchStart > i && matchStart < j) return true;
+	}
+	return false;
+}
+function isTestFile(filePath) {
+	const normalized = filePath.replace(/\\/g, "/");
+	if (normalized.endsWith(".test.ts") || normalized.endsWith(".spec.ts")) return true;
+	if (normalized.endsWith(".test.js") || normalized.endsWith(".spec.js")) return true;
+	if (/\/__tests__\//.test(normalized)) return true;
+	if (/(?:^|\/)(?:test|tests)\//.test(normalized)) return true;
+	return false;
+}
+function containsSQLKeyword(text) {
+	return /\b(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b/i.test(text);
+}
+function detectEvalUsage(filePath, lines) {
+	const diagnostics = [];
+	const evalRe = /\beval\s*\(/;
+	const newFunctionRe = /\bnew\s+Function\s*\(/;
+	const timerStringRe = /\b(setTimeout|setInterval)\s*\(\s*['"`]/;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const col = text.search(evalRe);
+		if (col !== -1) {
+			if (isInsideStringOrRegex(text, col)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/eval-usage", "error", "Use of eval() allows arbitrary code execution", "Replace eval() with a safer alternative such as JSON.parse() for data, or refactor to avoid dynamic code execution.", num, col + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Replace eval() with a safe alternative */",
+					confidence: .7,
+					reason: "eval() enables code injection attacks; use JSON.parse() for data or explicit logic for control flow."
+				}
+			}));
+		}
+		const nfCol = text.search(newFunctionRe);
+		if (nfCol !== -1) {
+			if (isInsideStringOrRegex(text, nfCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/eval-usage", "error", "new Function() is equivalent to eval() and allows arbitrary code execution", "Avoid new Function(). Use closures, callbacks, or pre-defined functions instead.", num, nfCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Replace new Function() with a pre-defined function */",
+					confidence: .7,
+					reason: "new Function() creates functions from strings at runtime, enabling injection attacks."
+				}
+			}));
+		}
+		const timerMatch = text.match(timerStringRe);
+		if (timerMatch) {
+			const timerCol = text.indexOf(timerMatch[1]);
+			if (isInsideStringOrRegex(text, timerCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/eval-usage", "error", `${timerMatch[1]}() called with a string argument acts as eval()`, `Pass a function reference instead of a string to ${timerMatch[1]}().`, num, timerCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "replace",
+					text: `${timerMatch[1]}(() => { /* safe callback */ })`,
+					confidence: .8,
+					reason: "Passing a string to setTimeout/setInterval uses eval-like evaluation; use a function reference."
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function detectInnerHTML(filePath, lines) {
+	const diagnostics = [];
+	const innerHtmlRe = /\.innerHTML\s*=/;
+	const docWriteRe = /\bdocument\s*\.\s*write\s*\(/;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const ihCol = text.search(innerHtmlRe);
+		if (ihCol !== -1) {
+			if (isInsideStringOrRegex(text, ihCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/inner-html", "error", "Assignment to .innerHTML can lead to XSS if the value contains user input", "Use textContent, innerText, or a sanitization library (e.g., DOMPurify) instead of innerHTML.", num, ihCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "replace",
+					text: ".textContent = ",
+					confidence: .6,
+					reason: "textContent safely sets text without interpreting HTML, preventing XSS."
+				}
+			}));
+		}
+		const dwCol = text.search(docWriteRe);
+		if (dwCol !== -1) {
+			if (isInsideStringOrRegex(text, dwCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/inner-html", "error", "document.write() can lead to XSS and breaks incremental rendering", "Use DOM manipulation methods (createElement, appendChild) or framework rendering instead of document.write().", num, dwCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Replace document.write() with safe DOM manipulation */",
+					confidence: .7,
+					reason: "document.write() can inject arbitrary HTML and overwrites the document if called after parse."
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function detectSQLInjection(filePath, lines) {
+	const diagnostics = [];
+	const sqlConcatRe = /\b(?:query|execute|raw|run|all|exec|execSql)\s*\(\s*['"`][^'"`]*['"`]\s*\+/;
+	const sqlTemplateRe = /\b(?:query|execute|raw|run|all|exec|execSql)\s*\(\s*`[^`]*\$\{/;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const concatCol = text.search(sqlConcatRe);
+		if (concatCol !== -1) {
+			if (isInsideStringOrRegex(text, concatCol)) continue;
+			if (!containsSQLKeyword(text)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/sql-injection", "error", "String concatenation in SQL query detected — potential SQL injection", "Use parameterized queries or prepared statements instead of concatenating user input into SQL strings.", num, concatCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Use parameterized query: query('SELECT * FROM users WHERE id = ?', [userId]) */",
+					confidence: .85,
+					reason: "Parameterized queries separate SQL logic from data, preventing injection."
+				}
+			}));
+		}
+		const tmplCol = text.search(sqlTemplateRe);
+		if (tmplCol !== -1) {
+			if (isInsideStringOrRegex(text, tmplCol)) continue;
+			if (!containsSQLKeyword(text)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/sql-injection", "error", "Template literal interpolation in SQL query detected — potential SQL injection", "Use parameterized queries or prepared statements instead of interpolating values into SQL strings.", num, tmplCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Use parameterized query: query('SELECT * FROM users WHERE id = ?', [userId]) */",
+					confidence: .85,
+					reason: "Template literals embed values directly into SQL; parameterized queries prevent injection."
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function detectShellInjection(filePath, lines) {
+	const diagnostics = [];
+	const execConcatRe = /\b(?:exec|execSync)\s*\(\s*['"`][^'"`]*['"`]\s*\+/;
+	const execTemplateRe = /\b(?:exec|execSync)\s*\(\s*`[^`]*\$\{/;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const concatCol = text.search(execConcatRe);
+		if (concatCol !== -1) {
+			if (isInsideStringOrRegex(text, concatCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/shell-injection", "error", "String concatenation in exec/execSync detected — potential shell injection", "Use execFile/spawn with an array of arguments instead of exec with string concatenation.", num, concatCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Use execFile or spawn with argument array: spawn('cmd', ['arg1', arg2]) */",
+					confidence: .85,
+					reason: "exec() passes strings to a shell; spawn/execFile avoid shell interpretation."
+				}
+			}));
+		}
+		const tmplCol = text.search(execTemplateRe);
+		if (tmplCol !== -1) {
+			if (isInsideStringOrRegex(text, tmplCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/shell-injection", "error", "Template literal in exec/execSync detected — potential shell injection", "Use execFile/spawn with an array of arguments instead of exec with template literals.", num, tmplCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Use execFile or spawn with argument array: spawn('cmd', ['arg1', arg2]) */",
+					confidence: .85,
+					reason: "exec() passes strings to a shell; spawn/execFile avoid shell interpretation."
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function detectPrototypePollution(filePath, lines) {
+	const diagnostics = [];
+	const objectAssignRe = /\bObject\s*\.\s*assign\s*\(\s*\w+\s*,\s*\w+/;
+	const protoRe = /__proto__/;
+	const deepMergeRe = /\b(?:deepMerge|deepExtend|mergeDeep|defaultsDeep)\s*\(/;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const oaCol = text.search(objectAssignRe);
+		if (oaCol !== -1) {
+			if (isInsideStringOrRegex(text, oaCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/prototype-pollution", "warning", "Object.assign() with user-controlled source may enable prototype pollution", "Validate or sanitize the source object before merging, or use Object.assign with a fresh target: Object.assign({}, safeDefaults, userInput).", num, oaCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "Object.assign({}, safeDefaults, sanitizedInput)",
+					confidence: .6,
+					reason: "Using a fresh {} target and sanitizing input prevents prototype pollution via __proto__."
+				}
+			}));
+		}
+		const protoCol = text.search(protoRe);
+		if (protoCol !== -1) {
+			if (isInsideStringOrRegex(text, protoCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/prototype-pollution", "warning", "Direct __proto__ access detected — potential prototype pollution vector", "Avoid __proto__ access. Use Object.getPrototypeOf() / Object.setPrototypeOf() or Map instead.", num, protoCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "replace",
+					text: "/* Use Object.getPrototypeOf() or Map instead of __proto__ */",
+					confidence: .7,
+					reason: "__proto__ can be leveraged for prototype pollution attacks when user input reaches it."
+				}
+			}));
+		}
+		const dmCol = text.search(deepMergeRe);
+		if (dmCol !== -1) {
+			if (isInsideStringOrRegex(text, dmCol)) continue;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/prototype-pollution", "warning", "Deep merge function detected — ensure inputs are sanitized against prototype pollution", "Use a prototype-pollution-safe merge library or explicitly filter __proto__, constructor, and prototype keys.", num, dmCol + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Use a safe merge that ignores __proto__, constructor, and prototype keys */",
+					confidence: .6,
+					reason: "Deep merge utilities can propagate __proto__ properties, leading to prototype pollution."
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+function detectSSRF(filePath, lines) {
+	const diagnostics = [];
+	const fetchVarRe = /\b(?:fetch|axios\s*\.\s*(?:get|post|put|delete|patch|request)|http\s*\.\s*request|https\s*\.\s*request|axios)\s*\(\s*(\w+)\s*[,)]/;
+	const fetchTemplateRe = /\b(?:fetch|axios\s*\.\s*(?:get|post|put|delete|patch|request)|http\s*\.\s*request|https\s*\.\s*request)\s*\(\s*`[^`]*\$\{/;
+	const userInputHints = /^(url|uri|href|link|redirect|callback|next|dest|target|returnTo|path|endpoint|address|domain|host|site|page|ref|referer|location|goto)$/i;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		const fetchMatch = text.match(fetchVarRe);
+		if (fetchMatch) {
+			const varName = fetchMatch[1];
+			const col = text.indexOf(varName);
+			const isUserInputHint = userInputHints.test(varName);
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/ssrf-risk", "warning", isUserInputHint ? `Potential SSRF: ${varName} appears to be user-controlled and is passed directly to a network request` : `Network request uses variable '${varName}' — verify it is not user-controlled to prevent SSRF`, "Validate and whitelist allowed URLs/domains before making the request. Use an allow-list rather than a deny-list.", num, col + 1, {
+				fixable: false,
+				suggestion: {
+					type: "refactor",
+					text: "/* Validate URL against an allow-list before making the request */",
+					confidence: .5,
+					reason: "User-controlled URLs can point to internal services (SSRF); allow-list validation prevents this."
+				}
+			}));
+		}
+		const tmplCol = text.search(fetchTemplateRe);
+		if (tmplCol !== -1) diagnostics.push(makeDiagnostic(filePath, "security-deep/ssrf-risk", "warning", "Network request with interpolated URL detected — potential SSRF if input is user-controlled", "Validate and whitelist allowed URLs/domains before making the request. Avoid interpolating user input into URLs.", num, tmplCol + 1, {
+			fixable: false,
+			suggestion: {
+				type: "refactor",
+				text: "/* Build URL safely and validate against allow-list before request */",
+				confidence: .55,
+				reason: "Interpolated URLs may contain user input pointing to internal services (SSRF)."
+			}
+		}));
+	}
+	return diagnostics;
+}
+function redactSecret(secret) {
+	if (secret.length <= 4) return "****";
+	return secret.slice(0, 4) + "***";
+}
+function detectHardcodedSecret(filePath, lines) {
+	const diagnostics = [];
+	if (isTestFile(filePath)) return diagnostics;
+	const apiKeyRe = /['"`](sk-[A-Za-z0-9_-]{10,}|key-[A-Za-z0-9_-]{10,}|AIza[A-Za-z0-9_-]{20,})['"`]/g;
+	const passwordRe = /(?:password|pwd|passwd|pass)\s*(?:=|:)\s*['"`]([^'"`]{4,})['"`]/gi;
+	const tokenRe = /['"`](Bearer\s+[A-Za-z0-9_.-]{10,}|ghpt_[A-Za-z0-9_-]{10,})['"`]/g;
+	const awsKeyRe = /['"`](AKIA[A-Z0-9]{12,})['"`]/g;
+	let inBlockComment = false;
+	for (const { num, text } of lines) {
+		const { skip, inBlockComment: newBlockState } = checkCommentState(text, inBlockComment);
+		inBlockComment = newBlockState;
+		if (skip) continue;
+		let match;
+		apiKeyRe.lastIndex = 0;
+		while ((match = apiKeyRe.exec(text)) !== null) {
+			const secret = match[1];
+			const col = match.index + 1;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/hardcoded-secret", "error", `Hardcoded API key detected: ${redactSecret(secret)}`, "Move secrets to environment variables or a secrets manager. Never commit secrets to source control.", num, col, {
+				fixable: true,
+				suggestion: {
+					type: "replace",
+					text: `process.env.SECRET_KEY`,
+					confidence: .9,
+					reason: "Hardcoded secrets in source code are exposed in version control; use environment variables."
+				},
+				detail: {
+					secretPrefix: secret.slice(0, 4),
+					secretType: "api-key"
+				}
+			}));
+		}
+		passwordRe.lastIndex = 0;
+		while ((match = passwordRe.exec(text)) !== null) {
+			const secret = match[1];
+			const col = match.index + 1;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/hardcoded-secret", "error", `Hardcoded password detected: ${redactSecret(secret)}`, "Move passwords to environment variables or a secrets manager. Never commit credentials to source control.", num, col, {
+				fixable: true,
+				suggestion: {
+					type: "replace",
+					text: `process.env.PASSWORD`,
+					confidence: .9,
+					reason: "Hardcoded passwords in source code are exposed in version control; use environment variables."
+				},
+				detail: {
+					secretPrefix: secret.slice(0, 4),
+					secretType: "password"
+				}
+			}));
+		}
+		tokenRe.lastIndex = 0;
+		while ((match = tokenRe.exec(text)) !== null) {
+			const secret = match[1];
+			const col = match.index + 1;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/hardcoded-secret", "error", `Hardcoded token detected: ${redactSecret(secret)}`, "Move tokens to environment variables or a secrets manager. Never commit tokens to source control.", num, col, {
+				fixable: true,
+				suggestion: {
+					type: "replace",
+					text: `process.env.AUTH_TOKEN`,
+					confidence: .9,
+					reason: "Hardcoded tokens in source code are exposed in version control; use environment variables."
+				},
+				detail: {
+					secretPrefix: secret.slice(0, 4),
+					secretType: "token"
+				}
+			}));
+		}
+		awsKeyRe.lastIndex = 0;
+		while ((match = awsKeyRe.exec(text)) !== null) {
+			const secret = match[1];
+			const col = match.index + 1;
+			diagnostics.push(makeDiagnostic(filePath, "security-deep/hardcoded-secret", "error", `Hardcoded AWS access key detected: ${redactSecret(secret)}`, "Move AWS credentials to environment variables, ~/.aws/credentials, or a secrets manager.", num, col, {
+				fixable: true,
+				suggestion: {
+					type: "replace",
+					text: `process.env.AWS_ACCESS_KEY_ID`,
+					confidence: .95,
+					reason: "AWS keys in source code are a critical leak risk; use IAM roles or env vars."
+				},
+				detail: {
+					secretPrefix: secret.slice(0, 4),
+					secretType: "aws-key"
+				}
+			}));
+		}
+	}
+	return diagnostics;
+}
+/**
+* Security vulnerability detection engine.
+*
+* Detects: eval usage, innerHTML/XSS, SQL injection, shell injection,
+* prototype pollution, SSRF risk, and hardcoded secrets.
+*/
+const securityDeepEngine = {
+	name: "security-deep",
+	description: "Security vulnerability detection: eval, innerHTML, SQL injection, shell injection, prototype pollution, SSRF, hardcoded secrets, XSS risk, dependency audit",
+	supportedLanguages: [
+		"typescript",
+		"javascript",
+		"python",
+		"go",
+		"rust",
+		"ruby",
+		"php",
+		"java"
+	],
+	async run(context) {
+		const start = performance.now();
+		const diagnostics = [];
+		const files = context.files ?? [];
+		const rootDir = context.rootDirectory;
+		const config = context.config;
+		for (const filePath of files) try {
+			const lines = toLines(await readFileContent(filePath));
+			diagnostics.push(...detectEvalUsage(filePath, lines));
+			diagnostics.push(...detectInnerHTML(filePath, lines));
+			diagnostics.push(...detectSQLInjection(filePath, lines));
+			diagnostics.push(...detectShellInjection(filePath, lines));
+			diagnostics.push(...detectPrototypePollution(filePath, lines));
+			diagnostics.push(...detectSSRF(filePath, lines));
+			diagnostics.push(...detectHardcodedSecret(filePath, lines));
+			diagnostics.push(...detectSecrets(filePath, lines));
+			diagnostics.push(...detectHtmlSafety(filePath, lines));
+		} catch {}
+		if (config.security?.audit) {
+			const auditTimeout = config.security?.auditTimeout ?? 25e3;
+			if (context.languages.includes("typescript") || context.languages.includes("javascript")) diagnostics.push(...npmAudit(rootDir, auditTimeout));
+			if (context.languages.includes("python")) diagnostics.push(...pipAudit(rootDir, auditTimeout));
+			if (context.languages.includes("go")) diagnostics.push(...goVulnCheck(rootDir, auditTimeout));
+			if (context.languages.includes("rust")) diagnostics.push(...cargoAudit(rootDir, auditTimeout));
+		}
+		const elapsed = performance.now() - start;
+		return {
+			engine: this.name,
+			diagnostics,
+			elapsed,
+			skipped: false
+		};
+	},
+	async fix(diagnostics, _context) {
+		const fixable = diagnostics.filter((d) => d.rule === "security-deep/hardcoded-secret" && d.fixable);
+		const remaining = diagnostics.filter((d) => d.rule !== "security-deep/hardcoded-secret" || !d.fixable);
+		return {
+			fixed: fixable.length,
+			remaining,
+			modifiedFiles: [...new Set(fixable.map((d) => d.filePath))]
+		};
+	}
+};
+
+//#endregion
+export { securityDeepEngine };