npm - depwire-cli - Versions diffs - 0.9.25 → 0.9.27 - Mend

depwire-cli 0.9.25 → 0.9.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +32 -2
package/dist/{chunk-QHVWDUSX.js → chunk-DA5LWNJ4.js} +1484 -16
package/dist/{chunk-ORGAO3HT.js → chunk-RGD3YJYQ.js} +79 -13
package/dist/index.js +232 -39
package/dist/mcpb-entry.js +2 -2
package/dist/sdk.d.ts +49 -1
package/dist/sdk.js +3 -1
package/package.json +6 -6

package/dist/{chunk-QHVWDUSX.js → chunk-DA5LWNJ4.js} RENAMED Viewed

@@ -106,7 +106,7 @@ function findProjectRoot(startDir = process.cwd()) {
 // src/parser/index.ts
 import { readFileSync as readFileSync5, statSync as statSync2 } from "fs";
-import { join as join8 } from "path";
+import { join as join8, resolve as resolve3 } from "path";
 // src/parser/detect.ts
 import { extname as extname3 } from "path";
@@ -1578,7 +1578,7 @@ var javascriptParser = {
 // src/parser/go.ts
 import { existsSync as existsSync5, readFileSync as readFileSync2, readdirSync as readdirSync2 } from "fs";
-import { join as join5, dirname as dirname4 } from "path";
+import { join as join5, dirname as dirname4, resolve as resolve2 } from "path";
 function parseGoFile(filePath, sourceCode, projectRoot) {
   const parser = getParser("go");
   const tree = parser.parse(sourceCode, null, { bufferSize: 1024 * 1024 });
@@ -1860,7 +1860,7 @@ function processCallExpression4(node, context) {
 function readGoModuleName(projectRoot) {
   let currentDir = projectRoot;
   for (let i = 0; i < 5; i++) {
-    const goModPath = join5(currentDir, "go.mod");
+    const goModPath = resolve2(currentDir, "go.mod");
     if (existsSync5(goModPath)) {
       try {
         const content = readFileSync2(goModPath, "utf-8");
@@ -2822,6 +2822,10 @@ async function parseProject(projectRoot, options) {
   for (const file of files) {
     try {
       const fullPath = join8(projectRoot, file);
+      if (!resolve3(fullPath).startsWith(resolve3(projectRoot))) {
+        skippedFiles++;
+        continue;
+      }
       if (options?.exclude) {
         const shouldExclude2 = options.exclude.some(
           (pattern) => minimatch(file, pattern, { matchBase: true })
@@ -3508,7 +3512,7 @@ function calculateDepthScore(graph) {
 // src/health/index.ts
 import { readFileSync as readFileSync6, writeFileSync, existsSync as existsSync8, mkdirSync } from "fs";
-import { join as join9, dirname as dirname8 } from "path";
+import { dirname as dirname8, resolve as resolve4 } from "path";
 function calculateHealthScore(graph, projectRoot) {
   const coupling = calculateCouplingScore(graph);
   const cohesion = calculateCohesionScore(graph);
@@ -3607,7 +3611,11 @@ function getHealthTrend(projectRoot, currentScore) {
   }
 }
 function saveHealthHistory(projectRoot, report) {
-  const historyFile = join9(projectRoot, ".depwire", "health-history.json");
+  const resolvedRoot = resolve4(projectRoot);
+  const historyFile = resolve4(resolvedRoot, ".depwire", "health-history.json");
+  if (!historyFile.startsWith(resolvedRoot)) {
+    return;
+  }
   const entry = {
     timestamp: report.timestamp,
     score: report.overall,
@@ -3621,6 +3629,7 @@ function saveHealthHistory(projectRoot, report) {
   let history = [];
   if (existsSync8(historyFile)) {
     try {
+      if (!historyFile.startsWith(resolvedRoot)) return;
       const content = readFileSync6(historyFile, "utf-8");
       history = JSON.parse(content);
     } catch {
@@ -3631,14 +3640,17 @@ function saveHealthHistory(projectRoot, report) {
     history = history.slice(-50);
   }
   mkdirSync(dirname8(historyFile), { recursive: true });
+  if (!historyFile.startsWith(resolvedRoot)) return;
   writeFileSync(historyFile, JSON.stringify(history, null, 2), "utf-8");
 }
 function loadHealthHistory(projectRoot) {
-  const historyFile = join9(projectRoot, ".depwire", "health-history.json");
-  if (!existsSync8(historyFile)) {
+  const resolvedRoot = resolve4(projectRoot);
+  const historyFile = resolve4(resolvedRoot, ".depwire", "health-history.json");
+  if (!historyFile.startsWith(resolvedRoot) || !existsSync8(historyFile)) {
     return [];
   }
   try {
+    if (!historyFile.startsWith(resolvedRoot)) return [];
     const content = readFileSync6(historyFile, "utf-8");
     return JSON.parse(content);
   } catch {
@@ -3777,8 +3789,9 @@ function isRelevantForDeadCodeDetection(attrs) {
 }
 function getPackageEntryPoints(projectRoot) {
   const entryPoints = /* @__PURE__ */ new Set();
-  const packageJsonPath = path2.join(projectRoot, "package.json");
-  if (!existsSync9(packageJsonPath)) {
+  const resolvedRoot = path2.resolve(projectRoot);
+  const packageJsonPath = path2.resolve(resolvedRoot, "package.json");
+  if (!packageJsonPath.startsWith(resolvedRoot) || !existsSync9(packageJsonPath)) {
     return entryPoints;
   }
   try {
@@ -7441,7 +7454,7 @@ function getTopLevelDir2(filePath) {
 // src/docs/status.ts
 import { readFileSync as readFileSync8, existsSync as existsSync10 } from "fs";
-import { join as join10 } from "path";
+import { resolve as resolve5 } from "path";
 function generateStatus(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -7474,7 +7487,11 @@ function getFileCount11(graph) {
 }
 function extractComments(projectRoot, filePath) {
   const comments = [];
-  const fullPath = join10(projectRoot, filePath);
+  const resolvedRoot = resolve5(projectRoot);
+  const fullPath = resolve5(resolvedRoot, filePath);
+  if (!fullPath.startsWith(resolvedRoot)) {
+    return comments;
+  }
   if (!existsSync10(fullPath)) {
     return comments;
   }
@@ -8059,10 +8076,11 @@ function generateConfidenceSection(title, description, symbols, projectRoot) {
 // src/docs/metadata.ts
 import { existsSync as existsSync11, readFileSync as readFileSync9, writeFileSync as writeFileSync2 } from "fs";
-import { join as join11 } from "path";
+import { resolve as resolve6 } from "path";
 function loadMetadata(outputDir) {
-  const metadataPath = join11(outputDir, "metadata.json");
-  if (!existsSync11(metadataPath)) {
+  const resolvedDir = resolve6(outputDir);
+  const metadataPath = resolve6(resolvedDir, "metadata.json");
+  if (!metadataPath.startsWith(resolvedDir) || !existsSync11(metadataPath)) {
     return null;
   }
   try {
@@ -8074,7 +8092,11 @@ function loadMetadata(outputDir) {
   }
 }
 function saveMetadata(outputDir, metadata) {
-  const metadataPath = join11(outputDir, "metadata.json");
+  const resolvedDir = resolve6(outputDir);
+  const metadataPath = resolve6(resolvedDir, "metadata.json");
+  if (!metadataPath.startsWith(resolvedDir)) {
+    throw new Error(`Path traversal attempt blocked: ${metadataPath}`);
+  }
   writeFileSync2(metadataPath, JSON.stringify(metadata, null, 2), "utf-8");
 }
 function createMetadata(version, projectPath, fileCount, symbolCount, edgeCount, docTypes) {
@@ -8662,6 +8684,1451 @@ var SimulationEngine = class {
   }
 };
+// src/security/scanner.ts
+import { existsSync as existsSync14 } from "fs";
+import { join as join23 } from "path";
+// src/security/checks/dependencies.ts
+import { execSync as execSync2 } from "child_process";
+import { existsSync as existsSync13, readFileSync as readFileSync10, readdirSync as readdirSync5 } from "fs";
+import { join as join14 } from "path";
+function cvssToSeverity(score) {
+  if (score >= 9) return "critical";
+  if (score >= 7) return "high";
+  if (score >= 4) return "medium";
+  return "low";
+}
+async function checkDependencies(_files, projectRoot) {
+  const findings = [];
+  try {
+    if (existsSync13(join14(projectRoot, "package.json"))) {
+      findings.push(...checkNpmAudit(projectRoot));
+      findings.push(...checkPackageJsonPatterns(projectRoot));
+      findings.push(...checkPostinstallScripts(projectRoot));
+    }
+    if (existsSync13(join14(projectRoot, "requirements.txt")) || existsSync13(join14(projectRoot, "pyproject.toml"))) {
+      findings.push(...checkPipAudit(projectRoot));
+    }
+    if (existsSync13(join14(projectRoot, "Cargo.toml"))) {
+      findings.push(...checkCargoAudit(projectRoot));
+    }
+    if (existsSync13(join14(projectRoot, "go.mod"))) {
+      findings.push(...checkGoVerify(projectRoot));
+    }
+  } catch (err) {
+    findings.push({
+      id: "",
+      severity: "info",
+      vulnerabilityClass: "dependency-cve",
+      file: "package.json",
+      title: "Dependency audit error",
+      description: `Dependency audit encountered an error: ${String(err)}`,
+      attackScenario: "N/A",
+      suggestedFix: "Ensure audit tools are installed and try again."
+    });
+  }
+  return findings;
+}
+function checkNpmAudit(projectRoot) {
+  const findings = [];
+  try {
+    const output = execSync2("npm audit --json", {
+      cwd: projectRoot,
+      encoding: "utf-8",
+      timeout: 3e4,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const audit = JSON.parse(output);
+    const vulnerabilities = audit.vulnerabilities || {};
+    for (const [name, vuln] of Object.entries(vulnerabilities)) {
+      const severity = vuln.severity === "critical" ? "critical" : vuln.severity === "high" ? "high" : vuln.severity === "moderate" ? "medium" : "low";
+      findings.push({
+        id: "",
+        severity,
+        vulnerabilityClass: "dependency-cve",
+        file: "package.json",
+        title: `Vulnerable dependency: ${name}`,
+        description: `${name}@${vuln.range || "unknown"} has a known ${vuln.severity} vulnerability. ${vuln.title || ""}`.trim(),
+        attackScenario: `An attacker could exploit the known vulnerability in ${name} to compromise the application.`,
+        suggestedFix: vuln.fixAvailable ? `Update ${name} to a patched version.` : `No fix currently available. Consider replacing ${name}.`
+      });
+    }
+  } catch (err) {
+    if (err.stdout) {
+      try {
+        const audit = JSON.parse(err.stdout);
+        const vulnerabilities = audit.vulnerabilities || {};
+        for (const [name, vuln] of Object.entries(vulnerabilities)) {
+          const severity = vuln.severity === "critical" ? "critical" : vuln.severity === "high" ? "high" : vuln.severity === "moderate" ? "medium" : "low";
+          findings.push({
+            id: "",
+            severity,
+            vulnerabilityClass: "dependency-cve",
+            file: "package.json",
+            title: `Vulnerable dependency: ${name}`,
+            description: `${name}@${vuln.range || "unknown"} has a known ${vuln.severity} vulnerability.`,
+            attackScenario: `An attacker could exploit the known vulnerability in ${name}.`,
+            suggestedFix: vuln.fixAvailable ? `Update ${name} to a patched version.` : `No fix currently available.`
+          });
+        }
+      } catch {
+        findings.push({
+          id: "",
+          severity: "info",
+          vulnerabilityClass: "dependency-cve",
+          file: "package.json",
+          title: "npm audit unavailable",
+          description: "Could not parse npm audit output.",
+          attackScenario: "N/A",
+          suggestedFix: "Run npm audit manually to check for vulnerabilities."
+        });
+      }
+    } else {
+      findings.push({
+        id: "",
+        severity: "info",
+        vulnerabilityClass: "dependency-cve",
+        file: "package.json",
+        title: "npm audit unavailable",
+        description: "npm audit command failed or is not available.",
+        attackScenario: "N/A",
+        suggestedFix: "Ensure npm is installed and run npm audit manually."
+      });
+    }
+  }
+  return findings;
+}
+function checkPackageJsonPatterns(projectRoot) {
+  const findings = [];
+  try {
+    const pkgPath = join14(projectRoot, "package.json");
+    const pkg = JSON.parse(readFileSync10(pkgPath, "utf-8"));
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    for (const [name, version] of Object.entries(allDeps)) {
+      if (version.startsWith("^") || version.startsWith("~")) {
+        findings.push({
+          id: "",
+          severity: "info",
+          vulnerabilityClass: "supply-chain",
+          file: "package.json",
+          title: `Flexible version range: ${name}@${version}`,
+          description: `${name} uses a ${version.startsWith("^") ? "caret" : "tilde"} version range which allows automatic minor/patch updates.`,
+          attackScenario: "A compromised patch release could be automatically installed.",
+          suggestedFix: `Pin to an exact version or use a lockfile to ensure reproducible builds.`
+        });
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+function checkPostinstallScripts(projectRoot) {
+  const findings = [];
+  const nodeModules = join14(projectRoot, "node_modules");
+  if (!existsSync13(nodeModules)) return findings;
+  try {
+    const topLevelDeps = readdirSync5(nodeModules).filter((d) => !d.startsWith("."));
+    for (const dep of topLevelDeps) {
+      const depPkgPath = join14(nodeModules, dep, "package.json");
+      if (!existsSync13(depPkgPath)) continue;
+      try {
+        const depPkg = JSON.parse(readFileSync10(depPkgPath, "utf-8"));
+        const scripts = depPkg.scripts || {};
+        if (scripts.postinstall || scripts.preinstall || scripts.install) {
+          const scriptName = scripts.postinstall ? "postinstall" : scripts.preinstall ? "preinstall" : "install";
+          const scriptContent = scripts[scriptName];
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "supply-chain",
+            file: `node_modules/${dep}/package.json`,
+            title: `Supply chain risk: ${dep} has ${scriptName} script`,
+            description: `The dependency ${dep} runs a ${scriptName} script on install: "${scriptContent}".`,
+            attackScenario: `A compromised version of ${dep} could execute arbitrary code during npm install via its ${scriptName} script.`,
+            suggestedFix: `Review the ${scriptName} script. Consider using --ignore-scripts or switching to a dependency without lifecycle scripts.`
+          });
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+function checkPipAudit(projectRoot) {
+  const findings = [];
+  try {
+    const output = execSync2("pip audit --format json", {
+      cwd: projectRoot,
+      encoding: "utf-8",
+      timeout: 3e4,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const audit = JSON.parse(output);
+    for (const vuln of audit.vulnerabilities || []) {
+      findings.push({
+        id: "",
+        severity: cvssToSeverity(vuln.cvss?.score || 5),
+        vulnerabilityClass: "dependency-cve",
+        file: existsSync13(join14(projectRoot, "requirements.txt")) ? "requirements.txt" : "pyproject.toml",
+        title: `Vulnerable Python dependency: ${vuln.name}`,
+        description: `${vuln.name}@${vuln.version} \u2014 ${vuln.id}: ${vuln.description || "Known vulnerability"}`,
+        attackScenario: `An attacker could exploit the vulnerability in ${vuln.name}.`,
+        suggestedFix: vuln.fix_versions?.length ? `Update to version ${vuln.fix_versions.join(" or ")}.` : "No fix available."
+      });
+    }
+  } catch {
+    findings.push({
+      id: "",
+      severity: "info",
+      vulnerabilityClass: "dependency-cve",
+      file: "requirements.txt",
+      title: "pip audit unavailable",
+      description: "pip audit command failed or is not installed.",
+      attackScenario: "N/A",
+      suggestedFix: "Install pip-audit: pip install pip-audit"
+    });
+  }
+  return findings;
+}
+function checkCargoAudit(projectRoot) {
+  const findings = [];
+  try {
+    const output = execSync2("cargo audit --json", {
+      cwd: projectRoot,
+      encoding: "utf-8",
+      timeout: 3e4,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const audit = JSON.parse(output);
+    for (const advisory of audit.vulnerabilities?.list || []) {
+      const a = advisory.advisory || {};
+      findings.push({
+        id: "",
+        severity: cvssToSeverity(a.cvss?.score || 5),
+        vulnerabilityClass: "dependency-cve",
+        file: "Cargo.toml",
+        title: `Vulnerable Rust crate: ${a.package || "unknown"}`,
+        description: `${a.id || "RUSTSEC"}: ${a.title || "Known vulnerability"}`,
+        attackScenario: `An attacker could exploit the vulnerability in the crate.`,
+        suggestedFix: a.patched_versions?.length ? `Update to a patched version.` : "No fix available."
+      });
+    }
+  } catch {
+    findings.push({
+      id: "",
+      severity: "info",
+      vulnerabilityClass: "dependency-cve",
+      file: "Cargo.toml",
+      title: "cargo audit unavailable",
+      description: "cargo audit command failed or is not installed.",
+      attackScenario: "N/A",
+      suggestedFix: "Install cargo-audit: cargo install cargo-audit"
+    });
+  }
+  return findings;
+}
+function checkGoVerify(projectRoot) {
+  const findings = [];
+  try {
+    execSync2("go mod verify", {
+      cwd: projectRoot,
+      encoding: "utf-8",
+      timeout: 3e4,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+  } catch (err) {
+    const output = err.stdout || err.stderr || "";
+    if (output.includes("SECURITY")) {
+      findings.push({
+        id: "",
+        severity: "high",
+        vulnerabilityClass: "dependency-cve",
+        file: "go.mod",
+        title: "Go module verification failed",
+        description: `go mod verify reported issues: ${output.substring(0, 200)}`,
+        attackScenario: "Tampered modules could contain malicious code.",
+        suggestedFix: "Run go mod verify and resolve integrity issues."
+      });
+    } else {
+      findings.push({
+        id: "",
+        severity: "info",
+        vulnerabilityClass: "dependency-cve",
+        file: "go.mod",
+        title: "go mod verify unavailable",
+        description: "go mod verify command failed.",
+        attackScenario: "N/A",
+        suggestedFix: "Ensure Go is installed and run go mod verify manually."
+      });
+    }
+  }
+  return findings;
+}
+// src/security/checks/injection.ts
+import { readFileSync as readFileSync11 } from "fs";
+import { join as join15 } from "path";
+var SKIP_DIRS = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+var TEST_PATTERNS = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__"];
+var USER_INPUT_NAMES = /(?:input|user|name|path|query|branch|hash|cmd|command|req\.|params|body|args|url|dir|file|subdirectory)/i;
+var PATTERNS = [
+  {
+    regex: /execSync\s*\(\s*`[^`]*\$\{/,
+    title: "Shell Injection via execSync template literal",
+    vulnClass: "shell-injection",
+    baseSeverity: "high",
+    description: "execSync called with a template literal containing interpolated values \u2014 potential RCE.",
+    attackScenario: "An attacker could inject shell metacharacters through the interpolated variable to execute arbitrary commands.",
+    suggestedFix: "Use execFileSync with an argument array instead of string interpolation, or validate input with a strict allowlist regex."
+  },
+  {
+    regex: /exec\s*\(\s*`[^`]*\$\{/,
+    title: "Shell Injection via exec template literal",
+    vulnClass: "shell-injection",
+    baseSeverity: "high",
+    description: "exec called with a template literal containing interpolated values \u2014 potential RCE.",
+    attackScenario: "An attacker could inject shell metacharacters through the interpolated variable.",
+    suggestedFix: "Use execFile with an argument array instead of string interpolation."
+  },
+  {
+    regex: /spawn\s*\([^)]*,\s*\[[^\]]*(?:input|user|path|query|cmd|command|args|req\.|params|body)/i,
+    title: "Potentially unsafe spawn with user-controlled arguments",
+    vulnClass: "shell-injection",
+    baseSeverity: "medium",
+    description: "spawn called with arguments that may originate from user input.",
+    attackScenario: "An attacker could inject malicious arguments to the spawned process.",
+    suggestedFix: "Validate all arguments against a strict allowlist before passing to spawn."
+  },
+  {
+    regex: /subprocess\.run\s*\([^)]*shell\s*=\s*True/,
+    title: "Python shell=True in subprocess.run",
+    vulnClass: "shell-injection",
+    baseSeverity: "high",
+    description: "subprocess.run called with shell=True \u2014 command string is executed through the shell.",
+    attackScenario: "An attacker could inject shell metacharacters if user input reaches the command string.",
+    suggestedFix: "Use shell=False (default) and pass arguments as a list."
+  },
+  {
+    regex: /os\.system\s*\(/,
+    title: "Python os.system() call",
+    vulnClass: "shell-injection",
+    baseSeverity: "high",
+    description: "os.system() executes a command string through the shell.",
+    attackScenario: "An attacker could inject shell metacharacters if user input reaches the command string.",
+    suggestedFix: "Use subprocess.run with shell=False and pass arguments as a list."
+  },
+  {
+    regex: /eval\s*\(/,
+    title: "eval() usage detected",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "eval() executes arbitrary code from a string.",
+    attackScenario: "An attacker could inject malicious code if user input reaches eval().",
+    suggestedFix: "Remove eval() and use safe alternatives (JSON.parse for data, specific parsers for expressions)."
+  },
+  {
+    regex: /new\s+Function\s*\(/,
+    title: "new Function() constructor",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "new Function() creates a function from a string \u2014 equivalent to eval().",
+    attackScenario: "An attacker could inject malicious code if user input reaches the Function constructor.",
+    suggestedFix: "Remove new Function() and use a safe alternative."
+  },
+  {
+    regex: /fmt\.Sprintf\s*\([^)]*(?:SELECT|INSERT|UPDATE|DELETE)/i,
+    title: "Go SQL injection via fmt.Sprintf",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "SQL query built using fmt.Sprintf \u2014 vulnerable to SQL injection.",
+    attackScenario: "An attacker could inject SQL through interpolated values to read or modify database data.",
+    suggestedFix: "Use parameterized queries with ? or $1 placeholders instead of string formatting."
+  },
+  {
+    regex: /db\.Query\s*\(\s*fmt\.Sprintf/,
+    title: "Go SQL injection via db.Query with fmt.Sprintf",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "Database query built using fmt.Sprintf directly passed to db.Query.",
+    attackScenario: "An attacker could inject SQL through interpolated values.",
+    suggestedFix: 'Use parameterized queries: db.Query("SELECT ... WHERE id = ?", id)'
+  }
+];
+function shouldSkip(filePath) {
+  return SKIP_DIRS.some((d) => filePath.includes(d));
+}
+function isTestFile4(filePath) {
+  const lower = filePath.toLowerCase();
+  return TEST_PATTERNS.some((p) => lower.includes(p));
+}
+async function checkInjection(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip(file.filePath) || isTestFile4(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync11(join15(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#") || line.trimStart().startsWith("*")) {
+          continue;
+        }
+        if (line.includes("depwire-security-reviewed")) continue;
+        for (const pattern of PATTERNS) {
+          if (pattern.regex.test(line)) {
+            let severity = pattern.baseSeverity;
+            if (severity === "medium" && USER_INPUT_NAMES.test(line)) {
+              severity = "high";
+            }
+            findings.push({
+              id: "",
+              severity,
+              vulnerabilityClass: pattern.vulnClass,
+              file: file.filePath,
+              line: i + 1,
+              title: pattern.title,
+              description: pattern.description,
+              attackScenario: pattern.attackScenario,
+              suggestedFix: pattern.suggestedFix
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/secrets.ts
+import { readFileSync as readFileSync12 } from "fs";
+import { join as join16 } from "path";
+var SKIP_DIRS2 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+var TEST_PATTERNS2 = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__", ".example", ".sample"];
+var SECRET_PATTERNS = [
+  // API Keys
+  { pattern: /sk-[a-zA-Z0-9]{32,}/, title: "OpenAI API Key", severity: "critical" },
+  { pattern: /AKIA[0-9A-Z]{16}/, title: "AWS Access Key", severity: "critical" },
+  { pattern: /sk_live_[a-zA-Z0-9]{24,}/, title: "Stripe Live Key", severity: "critical" },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, title: "GitHub Personal Token", severity: "critical" },
+  { pattern: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/, title: "Private Key", severity: "critical" },
+  // Hardcoded passwords/secrets
+  { pattern: /password\s*=\s*['"][^'"]{4,}['"]/, title: "Hardcoded Password", severity: "high" },
+  { pattern: /secret\s*=\s*['"][^'"]{4,}['"]/, title: "Hardcoded Secret", severity: "high" },
+  { pattern: /salt\s*=\s*['"][^'"]{4,}['"]/, title: "Hardcoded Salt", severity: "high" },
+  { pattern: /api_key\s*=\s*['"][^'"]{4,}['"]/, title: "Hardcoded API Key", severity: "high" },
+  { pattern: /token\s*=\s*['"][^'"]{8,}['"]/, title: "Hardcoded Token", severity: "high" },
+  // Weak but not critical
+  { pattern: /Math\.random\(\).*(?:token|session|id|key|secret)/i, title: "Math.random() for Security Value", severity: "high" }
+];
+function shouldSkip2(filePath) {
+  return SKIP_DIRS2.some((d) => filePath.includes(d));
+}
+function isTestFile5(filePath) {
+  const lower = filePath.toLowerCase();
+  return TEST_PATTERNS2.some((p) => lower.includes(p));
+}
+async function checkSecrets(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip2(file.filePath) || isTestFile5(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync12(join16(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#") || line.trimStart().startsWith("*")) {
+          continue;
+        }
+        for (const sp of SECRET_PATTERNS) {
+          if (sp.pattern.test(line)) {
+            findings.push({
+              id: "",
+              severity: sp.severity,
+              vulnerabilityClass: "secrets",
+              file: file.filePath,
+              line: i + 1,
+              title: sp.title,
+              description: `Potential ${sp.title.toLowerCase()} detected in source code.`,
+              attackScenario: "An attacker with source code access could extract credentials and use them to access external services or escalate privileges.",
+              suggestedFix: "Move secrets to environment variables or a secrets manager. Never commit secrets to source control."
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/path-traversal.ts
+import { readFileSync as readFileSync13 } from "fs";
+import { join as join17 } from "path";
+var SKIP_DIRS3 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+var USER_INPUT_VARS = /(?:req\.|params|query|body|input|path|dir|subdirectory|file|userInput|fileName|filePath)/i;
+var PATTERNS2 = [
+  {
+    regex: /path\.join\s*\(\s*(?:__dirname|root|base|projectRoot)[^)]*,/,
+    title: "Potential path traversal via path.join",
+    description: "path.join called with a root directory and a variable that may contain user input \u2014 without resolve() containment check.",
+    suggestedFix: 'Use path.resolve() and verify the result starts with the expected root: if (!resolved.startsWith(root)) throw new Error("path traversal")'
+  },
+  {
+    regex: /readFileSync\s*\([^)]*(?:input|user|path|dir|file|query|params|body|req\.)/i,
+    title: "readFileSync with potentially user-controlled path",
+    description: "readFileSync called with a variable that may originate from user input.",
+    suggestedFix: "Validate and sanitize the file path. Use path.resolve() and verify it starts with the expected root directory."
+  },
+  {
+    regex: /writeFileSync\s*\([^)]*(?:input|user|path|dir|file|query|params|body|req\.)/i,
+    title: "writeFileSync with potentially user-controlled path",
+    description: "writeFileSync called with a variable that may originate from user input.",
+    suggestedFix: "Validate and sanitize the file path. Use path.resolve() and verify it starts with the expected root directory."
+  },
+  {
+    regex: /createReadStream\s*\([^)]*(?:input|user|path|dir|file|query|params|body|req\.)/i,
+    title: "createReadStream with potentially user-controlled path",
+    description: "createReadStream called with a path that may originate from user input.",
+    suggestedFix: "Validate and sanitize the file path before creating the stream."
+  }
+];
+function shouldSkip3(filePath) {
+  if (SKIP_DIRS3.some((d) => filePath.includes(d))) return true;
+  if (filePath.includes("wasm-init")) return true;
+  return false;
+}
+function isRouteOrTool(filePath) {
+  const lower = filePath.toLowerCase();
+  return lower.includes("route") || lower.includes("api/") || lower.includes("mcp/") || lower.includes("handler") || lower.includes("controller");
+}
+var SAFE_OUTPUT_PATTERNS = /(?:output|outPath|outFile|dest|target|docPath).*\.(?:md|json|html|ts|js)['"]|['"][^'"]+\.(?:md|json|html|ts|js)['"]/;
+var SAFE_DIRNAME_ARGS = /(?:grammar|wasm|wasmPath|wasmFile|grammars)/i;
+async function checkPathTraversal(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip3(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync13(join17(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      const inRouteOrTool = isRouteOrTool(file.filePath);
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#")) continue;
+        for (const pattern of PATTERNS2) {
+          if (pattern.regex.test(line)) {
+            if (!USER_INPUT_VARS.test(line)) continue;
+            if (/writeFileSync/.test(line) && SAFE_OUTPUT_PATTERNS.test(line)) continue;
+            if (/(?:writeFileSync|readFileSync)/.test(line)) {
+              const context = lines.slice(Math.max(0, i - 2), i + 1).join("\n");
+              if (SAFE_OUTPUT_PATTERNS.test(context)) continue;
+            }
+            if (/__dirname/.test(line) && SAFE_DIRNAME_ARGS.test(line)) continue;
+            const nearbyLines = lines.slice(Math.max(0, i - 15), Math.min(lines.length, i + 4)).join("\n");
+            if (nearbyLines.includes("startsWith") && /resolve/.test(nearbyLines)) continue;
+            const severity = inRouteOrTool ? "high" : "medium";
+            findings.push({
+              id: "",
+              severity,
+              vulnerabilityClass: "path-traversal",
+              file: file.filePath,
+              line: i + 1,
+              title: pattern.title,
+              description: pattern.description,
+              attackScenario: "An attacker could use ../ sequences to traverse outside the intended directory and read or write arbitrary files on the server.",
+              suggestedFix: pattern.suggestedFix
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/auth.ts
+import { readFileSync as readFileSync14 } from "fs";
+import { join as join18 } from "path";
+var SKIP_DIRS4 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+function shouldSkip4(filePath) {
+  return SKIP_DIRS4.some((d) => filePath.includes(d));
+}
+function isAuthRelatedFile(filePath) {
+  const lower = filePath.toLowerCase();
+  return /(?:auth|session|token|jwt|oauth|login|passport)/.test(lower);
+}
+async function checkAuth(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip4(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync14(join18(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      const isAuthFile = isAuthRelatedFile(file.filePath);
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#")) continue;
+        if (/catch\s*\([^)]*\)\s*\{/.test(line)) {
+          const catchBlock = lines.slice(i, Math.min(lines.length, i + 5)).join("\n");
+          if (/(?:next\s*\(|return\s+true|resolve\s*\(\s*true\s*\))/.test(catchBlock)) {
+            findings.push({
+              id: "",
+              severity: "medium",
+              vulnerabilityClass: "auth",
+              file: file.filePath,
+              line: i + 1,
+              title: "Fail-open catch block may bypass authentication",
+              description: "A catch block that calls next(), returns true, or resolves true could bypass auth checks when an error occurs.",
+              attackScenario: "An attacker could trigger an error condition (e.g., malformed token) to bypass authentication.",
+              suggestedFix: "Ensure catch blocks deny access by default. Return false, call next(err), or throw."
+            });
+          }
+        }
+        if (/[?&](?:token|session|key|auth)=/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "auth",
+            file: file.filePath,
+            line: i + 1,
+            title: "Credential in URL query parameter",
+            description: "Token, session, or auth key passed as a URL query parameter.",
+            attackScenario: "URL query parameters are logged in server access logs, browser history, and referrer headers \u2014 exposing credentials.",
+            suggestedFix: "Send credentials in Authorization headers or secure HTTP-only cookies instead."
+          });
+        }
+        if (/Math\.random\(\)/.test(line) && isAuthFile) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "auth",
+            file: file.filePath,
+            line: i + 1,
+            title: "Math.random() used in auth-related file",
+            description: "Math.random() is not cryptographically secure and should not be used for tokens, session IDs, or any security value.",
+            attackScenario: "An attacker could predict Math.random() output and forge tokens or session IDs.",
+            suggestedFix: "Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive values."
+          });
+        }
+        if (/jwt\.verify\s*\(/.test(line)) {
+          const nearbyLines = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 11)).join("\n");
+          if (!/(?:expiresIn|exp\s*:|maxAge)/.test(nearbyLines)) {
+            findings.push({
+              id: "",
+              severity: "medium",
+              vulnerabilityClass: "auth",
+              file: file.filePath,
+              line: i + 1,
+              title: "JWT verification without expiry check",
+              description: "jwt.verify called without expiresIn or exp option nearby \u2014 tokens may never expire.",
+              attackScenario: "A stolen JWT could be used indefinitely if it has no expiration.",
+              suggestedFix: "Set expiresIn when signing and verify exp claim during verification."
+            });
+          }
+        }
+        if (/state.*cookie/i.test(line)) {
+          const nearbyLines = lines.slice(i, Math.min(lines.length, i + 10)).join("\n");
+          if (!/(?:maxAge.*0|clearCookie|delete.*state)/i.test(nearbyLines)) {
+            findings.push({
+              id: "",
+              severity: "low",
+              vulnerabilityClass: "auth",
+              file: file.filePath,
+              line: i + 1,
+              title: "OAuth state cookie not cleared after use",
+              description: "OAuth state parameter stored in cookie may not be cleared after consumption.",
+              attackScenario: "A stale state cookie could be replayed in a CSRF attack against the OAuth flow.",
+              suggestedFix: "Clear the state cookie immediately after successful validation."
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/input-validation.ts
+import { readFileSync as readFileSync15 } from "fs";
+import { join as join19 } from "path";
+var SKIP_DIRS5 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+function shouldSkip5(filePath) {
+  return SKIP_DIRS5.some((d) => filePath.includes(d));
+}
+async function checkInputValidation(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip5(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync15(join19(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      const fullContent = content;
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#")) continue;
+        if (/cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/.test(line) || /Access-Control-Allow-Origin.*\*/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "input-validation",
+            file: file.filePath,
+            line: i + 1,
+            title: "CORS wildcard origin",
+            description: "CORS is configured to allow all origins (*), which permits any website to make requests to this API.",
+            attackScenario: "An attacker could create a malicious website that makes authenticated requests to this API using the victim's cookies.",
+            suggestedFix: "Restrict CORS origin to specific trusted domains instead of using wildcard."
+          });
+        }
+        if (/express\.json\s*\(\s*\)/.test(line)) {
+          if (!/limit/.test(line)) {
+            findings.push({
+              id: "",
+              severity: "medium",
+              vulnerabilityClass: "input-validation",
+              file: file.filePath,
+              line: i + 1,
+              title: "No body size limit on JSON parser",
+              description: "express.json() used without a size limit \u2014 the server may be vulnerable to large payload attacks.",
+              attackScenario: "An attacker could send extremely large JSON payloads to exhaust server memory (denial of service).",
+              suggestedFix: 'Set a body size limit: express.json({ limit: "1mb" })'
+            });
+          }
+        }
+        if (/req\.params\.id/.test(line)) {
+          const nearbyLines = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 4)).join("\n");
+          if (!/(?:isValidUUID|uuid|^[0-9a-f-]{36}|validate|isValid|parseInt)/.test(nearbyLines)) {
+            findings.push({
+              id: "",
+              severity: "medium",
+              vulnerabilityClass: "input-validation",
+              file: file.filePath,
+              line: i + 1,
+              title: "req.params.id used without validation",
+              description: "A route parameter (req.params.id) is used without apparent validation \u2014 could allow injection or invalid lookups.",
+              attackScenario: "An attacker could pass malformed IDs to trigger unexpected behavior or SQL/NoSQL injection.",
+              suggestedFix: "Validate req.params.id against expected format (e.g., UUID regex or parseInt) before use."
+            });
+          }
+        }
+        if (/(?:INSERT|db\.put|db\.create|\.save\(|\.insert\()/.test(line) && /req\.body/.test(line)) {
+          const nearbyLines = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 3)).join("\n");
+          if (!/\.length/.test(nearbyLines)) {
+            findings.push({
+              id: "",
+              severity: "low",
+              vulnerabilityClass: "input-validation",
+              file: file.filePath,
+              line: i + 1,
+              title: "User input stored without length validation",
+              description: "User input from req.body is stored to a database without apparent length validation.",
+              attackScenario: "An attacker could store extremely long strings to waste storage or cause display issues.",
+              suggestedFix: "Add length validation before storing user input: if (input.length > MAX_LENGTH) return res.status(400)..."
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/information-disclosure.ts
+import { readFileSync as readFileSync16 } from "fs";
+import { join as join20 } from "path";
+var SKIP_DIRS6 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+function shouldSkip6(filePath) {
+  return SKIP_DIRS6.some((d) => filePath.includes(d));
+}
+async function checkInformationDisclosure(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip6(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync16(join20(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#")) continue;
+        if (/res\.(?:json|send)\s*\(\s*\{[^}]*err\.stack/.test(line) || /res\.(?:json|send)\s*\(\s*\{[^}]*stack\s*:/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "information-disclosure",
+            file: file.filePath,
+            line: i + 1,
+            title: "Stack trace in API response",
+            description: "Error stack trace is included in an API response \u2014 exposes internal code paths and dependencies.",
+            attackScenario: "An attacker could use stack traces to map internal code structure, identify frameworks, and find vulnerable code paths.",
+            suggestedFix: 'Log stack traces to stderr and return a generic error message to clients: res.json({ error: "Internal server error" })'
+          });
+        }
+        if (/console\.(?:log|error|warn)\s*\(\s*process\.env\s*\)/.test(line) || /Object\.keys\s*\(\s*process\.env\s*\)/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "low",
+            vulnerabilityClass: "information-disclosure",
+            file: file.filePath,
+            line: i + 1,
+            title: "Environment variable enumeration",
+            description: "Entire process.env object is logged or enumerated \u2014 may expose secrets in log output.",
+            attackScenario: "An attacker with log access could see all environment variables including API keys and database credentials.",
+            suggestedFix: "Only log specific environment variable names (not values) when needed for debugging."
+          });
+        }
+        if (/`[^`]*(?:clone|fetch|pull|push)[^`]*\$\{.*(?:url|token|key|auth).*\}`/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "information-disclosure",
+            file: file.filePath,
+            line: i + 1,
+            title: "Potential credential in error/log message",
+            description: "A URL or token may be interpolated into an error or log message \u2014 could expose credentials.",
+            attackScenario: "An attacker with log access could extract credentials from logged URLs containing embedded tokens.",
+            suggestedFix: "Sanitize URLs before logging: strip query parameters and embedded credentials."
+          });
+        }
+        if (/console\.(?:log|debug|info)\s*\(.*(?:token|password|secret|key|auth|credential)/i.test(line)) {
+          if (!/['"].*(?:token|password|secret|key|auth).*['"]/.test(line)) {
+            findings.push({
+              id: "",
+              severity: "low",
+              vulnerabilityClass: "information-disclosure",
+              file: file.filePath,
+              line: i + 1,
+              title: "Debug log may contain sensitive value",
+              description: "A console.log statement references a variable with a sensitive name (token, password, secret, key, auth).",
+              attackScenario: "An attacker with log access could extract sensitive values from debug output.",
+              suggestedFix: "Remove debug logging of sensitive values, or use a structured logger that redacts sensitive fields."
+            });
+          }
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/cryptography.ts
+import { readFileSync as readFileSync17 } from "fs";
+import { join as join21 } from "path";
+var SKIP_DIRS7 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+function shouldSkip7(filePath) {
+  return SKIP_DIRS7.some((d) => filePath.includes(d));
+}
+function isAuthOrCryptoFile(filePath) {
+  const lower = filePath.toLowerCase();
+  return /(?:auth|password|crypto|hash|session|token|jwt)/.test(lower);
+}
+async function checkCryptography(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip7(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync17(join21(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      const isCryptoFile = isAuthOrCryptoFile(file.filePath);
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#")) continue;
+        if (/createHash\s*\(\s*['"]md5['"]\s*\)/.test(line) || /hashlib\.md5\s*\(/.test(line)) {
+          findings.push({
+            id: "",
+            severity: isCryptoFile ? "high" : "medium",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "Weak hash algorithm: MD5",
+            description: "MD5 is cryptographically broken \u2014 collisions can be generated in seconds.",
+            attackScenario: "An attacker could generate MD5 collisions to bypass integrity checks or forge password hashes.",
+            suggestedFix: "Use SHA-256 or SHA-3 for integrity checks. Use bcrypt, scrypt, or argon2 for password hashing."
+          });
+        }
+        if (/createHash\s*\(\s*['"]sha1['"]\s*\)/.test(line) || /hashlib\.sha1\s*\(/.test(line)) {
+          findings.push({
+            id: "",
+            severity: isCryptoFile ? "high" : "medium",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "Weak hash algorithm: SHA-1",
+            description: "SHA-1 has known collision attacks (SHAttered) \u2014 should not be used for security purposes.",
+            attackScenario: "An attacker could generate SHA-1 collisions to bypass integrity checks.",
+            suggestedFix: "Use SHA-256 or SHA-3 for integrity checks. Use bcrypt, scrypt, or argon2 for password hashing."
+          });
+        }
+        if (/Math\.random\(\)/.test(line) && isCryptoFile) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "Math.random() in cryptography-related file",
+            description: "Math.random() is not cryptographically secure \u2014 its output can be predicted.",
+            attackScenario: "An attacker could predict Math.random() values to forge tokens, nonces, or other security-critical random values.",
+            suggestedFix: "Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic purposes."
+          });
+        }
+        if (/(?:fetch|axios\.(?:get|post|put|delete|patch)|http\.request)\s*\(\s*['"]http:\/\/(?!(?:localhost|127\.))/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "HTTP used instead of HTTPS",
+            description: "An HTTP (not HTTPS) URL is used for an external request \u2014 data is transmitted unencrypted.",
+            attackScenario: "An attacker on the network path could intercept, read, or modify data in transit (man-in-the-middle).",
+            suggestedFix: "Use HTTPS for all external requests to ensure data confidentiality and integrity."
+          });
+        }
+        if (/pbkdf2/.test(line) && /['"][a-zA-Z0-9+/=]{8,}['"]/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "Hardcoded salt in key derivation",
+            description: "A hardcoded salt is used with PBKDF2 \u2014 all users share the same salt.",
+            attackScenario: "An attacker could precompute rainbow tables with the known salt to crack all passwords at once.",
+            suggestedFix: "Generate a unique random salt per user using crypto.randomBytes(16)."
+          });
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/frontend.ts
+import { readFileSync as readFileSync18 } from "fs";
+import { join as join22 } from "path";
+var SKIP_DIRS8 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
+function shouldSkip8(filePath) {
+  return SKIP_DIRS8.some((d) => filePath.includes(d));
+}
+function isFrontendFile(filePath) {
+  return /\.(?:tsx|jsx|html)$/.test(filePath);
+}
+async function checkFrontend(files, projectRoot) {
+  const findings = [];
+  try {
+    for (const file of files) {
+      if (shouldSkip8(file.filePath)) continue;
+      if (!isFrontendFile(file.filePath)) continue;
+      let content;
+      try {
+        content = readFileSync18(join22(projectRoot, file.filePath), "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line.trimStart().startsWith("//") || line.trimStart().startsWith("{/*")) continue;
+        if (/dangerouslySetInnerHTML/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "frontend-xss",
+            file: file.filePath,
+            line: i + 1,
+            title: "dangerouslySetInnerHTML usage",
+            description: "dangerouslySetInnerHTML renders raw HTML \u2014 bypasses React's XSS protections.",
+            attackScenario: "An attacker could inject malicious HTML/JavaScript if user input reaches dangerouslySetInnerHTML.",
+            suggestedFix: "Sanitize HTML with DOMPurify before rendering, or use React components instead of raw HTML."
+          });
+        }
+        if (/\.innerHTML\s*=/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "frontend-xss",
+            file: file.filePath,
+            line: i + 1,
+            title: "innerHTML assignment",
+            description: "Direct innerHTML assignment renders raw HTML without sanitization.",
+            attackScenario: "An attacker could inject malicious scripts through user-controlled content assigned to innerHTML.",
+            suggestedFix: "Use textContent for plain text, or sanitize with DOMPurify before setting innerHTML."
+          });
+        }
+        if (/document\.write\s*\(/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "frontend-xss",
+            file: file.filePath,
+            line: i + 1,
+            title: "document.write() usage",
+            description: "document.write() can introduce XSS vulnerabilities and degrades performance.",
+            attackScenario: "An attacker could inject scripts through user input that reaches document.write().",
+            suggestedFix: "Use DOM manipulation methods (createElement, appendChild) instead of document.write()."
+          });
+        }
+        if (/target\s*=\s*["']_blank["']/.test(line)) {
+          const fullLine = line;
+          if (!/rel\s*=\s*["'][^"']*noopener[^"']*["']/.test(fullLine)) {
+            findings.push({
+              id: "",
+              severity: "low",
+              vulnerabilityClass: "frontend-xss",
+              file: file.filePath,
+              line: i + 1,
+              title: 'Missing rel="noopener" on target="_blank"',
+              description: 'Links with target="_blank" without rel="noopener noreferrer" give the opened page access to window.opener.',
+              attackScenario: "The opened page could use window.opener to redirect the original page to a phishing site.",
+              suggestedFix: 'Add rel="noopener noreferrer" to all links with target="_blank".'
+            });
+          }
+        }
+        if (/(?:localStorage|sessionStorage)\.setItem\s*\([^)]*(?:token|password|secret|key|auth)/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "frontend-xss",
+            file: file.filePath,
+            line: i + 1,
+            title: "Sensitive data stored in browser storage",
+            description: "A sensitive value (token, password, secret, key, auth) is stored in localStorage or sessionStorage.",
+            attackScenario: "Any XSS vulnerability would allow an attacker to read all localStorage/sessionStorage data, including sensitive tokens.",
+            suggestedFix: "Use secure HTTP-only cookies for sensitive tokens instead of browser storage."
+          });
+        }
+      }
+    }
+  } catch {
+  }
+  return findings;
+}
+// src/security/checks/architecture.ts
+var AUTH_KEYWORDS = /(?:auth|token|session|jwt|oauth|login|passport|credential)/i;
+var DATA_KEYWORDS = /(?:query|insert|fetch|get|find|select|update|delete|save|create|put|remove)/i;
+var DB_IMPORT_KEYWORDS = /(?:db|database|prisma|mongoose|d1|sql|knex|sequelize|typeorm|drizzle)/i;
+var CRYPTO_KEYWORDS = /(?:auth|crypto|token|session|jwt|password|hash)/i;
+function isSecurityFile(filePath) {
+  return CRYPTO_KEYWORDS.test(filePath.toLowerCase());
+}
+function isRouteFile(filePath) {
+  const lower = filePath.toLowerCase();
+  return /(?:routes?\/|api\/|handler|controller|endpoint)/.test(lower);
+}
+async function checkArchitecture(files, projectRoot, graph) {
+  const findings = [];
+  try {
+    findings.push(...checkGodFilesWithAuthAndData(graph));
+    findings.push(...checkCircularAuthDeps(graph));
+    findings.push(...checkDirectDbFromRoutes(graph));
+    findings.push(...checkDeadAuthCode(graph));
+    findings.push(...checkUnauthHighFanIn(graph));
+  } catch {
+  }
+  return findings;
+}
+function checkGodFilesWithAuthAndData(graph) {
+  const findings = [];
+  const fileConnections = /* @__PURE__ */ new Map();
+  const fileSymbolNames = /* @__PURE__ */ new Map();
+  graph.forEachNode((_node, attrs) => {
+    const fp = attrs.filePath;
+    if (!fileSymbolNames.has(fp)) fileSymbolNames.set(fp, []);
+    fileSymbolNames.get(fp).push(attrs.name);
+  });
+  graph.forEachEdge((_edge, _attrs, source, target) => {
+    const sf = graph.getNodeAttributes(source).filePath;
+    const tf = graph.getNodeAttributes(target).filePath;
+    if (sf !== tf) {
+      fileConnections.set(sf, (fileConnections.get(sf) || 0) + 1);
+      fileConnections.set(tf, (fileConnections.get(tf) || 0) + 1);
+    }
+  });
+  const connections = Array.from(fileConnections.values());
+  const avg = connections.length > 0 ? connections.reduce((a, b) => a + b, 0) / connections.length : 0;
+  const godThreshold = avg * 3;
+  for (const [filePath, count] of fileConnections.entries()) {
+    if (count <= godThreshold) continue;
+    const symbols = fileSymbolNames.get(filePath) || [];
+    const hasAuth = symbols.some((s) => AUTH_KEYWORDS.test(s));
+    const hasData = symbols.some((s) => DATA_KEYWORDS.test(s));
+    if (hasAuth && hasData) {
+      findings.push({
+        id: "",
+        severity: "medium",
+        vulnerabilityClass: "architecture",
+        file: filePath,
+        title: "God file mixes auth and data access logic",
+        description: `${filePath} has ${count} connections and contains both auth-related and data-access symbols. This violates separation of concerns and makes security auditing difficult.`,
+        attackScenario: "A bug in data access logic could inadvertently bypass auth checks when auth and data are tightly coupled in a single file.",
+        suggestedFix: "Split auth logic and data access into separate modules with a clear service layer boundary."
+      });
+    }
+  }
+  return findings;
+}
+function checkCircularAuthDeps(graph) {
+  const findings = [];
+  const fileGraph = /* @__PURE__ */ new Map();
+  graph.forEachEdge((_edge, _attrs, source, target) => {
+    const sf = graph.getNodeAttributes(source).filePath;
+    const tf = graph.getNodeAttributes(target).filePath;
+    if (sf !== tf) {
+      if (!fileGraph.has(sf)) fileGraph.set(sf, /* @__PURE__ */ new Set());
+      fileGraph.get(sf).add(tf);
+    }
+  });
+  const visited = /* @__PURE__ */ new Set();
+  const recStack = /* @__PURE__ */ new Set();
+  const cycles = [];
+  function dfs(node, path6) {
+    if (recStack.has(node)) {
+      const cycleStart = path6.indexOf(node);
+      if (cycleStart >= 0) cycles.push(path6.slice(cycleStart));
+      return;
+    }
+    if (visited.has(node)) return;
+    visited.add(node);
+    recStack.add(node);
+    path6.push(node);
+    const neighbors = fileGraph.get(node);
+    if (neighbors) {
+      for (const neighbor of neighbors) {
+        dfs(neighbor, [...path6]);
+      }
+    }
+    recStack.delete(node);
+  }
+  for (const node of fileGraph.keys()) {
+    if (!visited.has(node)) dfs(node, []);
+  }
+  const seen = /* @__PURE__ */ new Set();
+  for (const cycle of cycles) {
+    const key = [...cycle].sort().join(",");
+    if (seen.has(key)) continue;
+    seen.add(key);
+    const hasSecurityFile = cycle.some((f) => isSecurityFile(f));
+    if (hasSecurityFile) {
+      findings.push({
+        id: "",
+        severity: "high",
+        vulnerabilityClass: "architecture",
+        file: cycle[0],
+        title: "Circular dependency in auth/crypto module",
+        description: `Circular dependency detected involving security-critical files: ${cycle.join(" \u2192 ")}`,
+        attackScenario: "Circular dependencies in auth modules can lead to initialization order bugs where auth checks are bypassed during startup.",
+        suggestedFix: "Break the circular dependency by extracting shared types/interfaces into a separate module."
+      });
+    }
+  }
+  return findings;
+}
+function checkDirectDbFromRoutes(graph) {
+  const findings = [];
+  const fileImports = /* @__PURE__ */ new Map();
+  graph.forEachEdge((_edge, attrs, source, target) => {
+    const sf = graph.getNodeAttributes(source).filePath;
+    const tf = graph.getNodeAttributes(target).filePath;
+    if (sf !== tf) {
+      if (!fileImports.has(sf)) fileImports.set(sf, /* @__PURE__ */ new Set());
+      fileImports.get(sf).add(tf);
+    }
+  });
+  for (const [filePath, imports] of fileImports.entries()) {
+    if (!isRouteFile(filePath)) continue;
+    for (const importedFile of imports) {
+      const importedName = importedFile.toLowerCase();
+      if (DB_IMPORT_KEYWORDS.test(importedName)) {
+        findings.push({
+          id: "",
+          severity: "medium",
+          vulnerabilityClass: "architecture",
+          file: filePath,
+          title: "Direct DB access from route handler",
+          description: `Route file ${filePath} imports directly from ${importedFile} (database client) without a service layer.`,
+          attackScenario: "Direct DB access from routes makes it harder to enforce consistent authorization, validation, and audit logging.",
+          suggestedFix: "Introduce a service layer between routes and database access for consistent security checks."
+        });
+      }
+    }
+  }
+  return findings;
+}
+var SKIP_FILE_PATTERNS = ["test/", "tests/", "test/fixtures/", "__tests__/", "fixtures/", "spec/"];
+function checkDeadAuthCode(graph) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  graph.forEachNode((node, attrs) => {
+    if (!attrs.exported) return;
+    if (!isSecurityFile(attrs.filePath)) return;
+    const lowerPath = attrs.filePath.toLowerCase();
+    if (SKIP_FILE_PATTERNS.some((p) => lowerPath.includes(p))) return;
+    if (!attrs.name || attrs.name.length < 4) return;
+    const SKIP_NAMES = /* @__PURE__ */ new Set(["line", "lines", "content", "findings", "result", "results", "data", "options", "args", "config", "error", "catchBlock", "nearbyLines", "isCryptoFile", "isAuthFile", "isAuthRelatedFile"]);
+    if (SKIP_NAMES.has(attrs.name)) return;
+    if (graph.inDegree(node) === 0) {
+      const dedupKey = `${attrs.filePath}:${attrs.startLine}:${attrs.name}`;
+      if (seen.has(dedupKey)) return;
+      seen.add(dedupKey);
+      findings.push({
+        id: "",
+        severity: "info",
+        vulnerabilityClass: "architecture",
+        file: attrs.filePath,
+        line: attrs.startLine,
+        symbol: attrs.name,
+        title: `Dead exported function in security file: ${attrs.name}`,
+        description: `${attrs.name} in ${attrs.filePath} is exported but has zero dependents \u2014 may indicate an orphaned auth path.`,
+        attackScenario: "Dead auth code may indicate incomplete security migration, leaving old vulnerable code paths accessible.",
+        suggestedFix: "Review and remove dead auth code, or verify it is intentionally unused (e.g., SDK export)."
+      });
+    }
+  });
+  return findings;
+}
+function checkUnauthHighFanIn(graph) {
+  const findings = [];
+  const fileIncoming = /* @__PURE__ */ new Map();
+  const fileImportedModules = /* @__PURE__ */ new Map();
+  graph.forEachEdge((_edge, _attrs, source, target) => {
+    const sf = graph.getNodeAttributes(source).filePath;
+    const tf = graph.getNodeAttributes(target).filePath;
+    if (sf !== tf) {
+      fileIncoming.set(tf, (fileIncoming.get(tf) || 0) + 1);
+      if (!fileImportedModules.has(sf)) fileImportedModules.set(sf, /* @__PURE__ */ new Set());
+      fileImportedModules.get(sf).add(tf);
+    }
+  });
+  for (const [filePath, count] of fileIncoming.entries()) {
+    if (!isRouteFile(filePath)) continue;
+    const imports = fileImportedModules.get(filePath) || /* @__PURE__ */ new Set();
+    const hasAuthImport = Array.from(imports).some((imp) => AUTH_KEYWORDS.test(imp.toLowerCase()));
+    if (hasAuthImport) continue;
+    let severity;
+    if (count > 10) severity = "high";
+    else if (count > 5) severity = "medium";
+    else if (count > 0) severity = "low";
+    else continue;
+    findings.push({
+      id: "",
+      severity,
+      vulnerabilityClass: "architecture",
+      file: filePath,
+      title: `Unauthenticated route with high fan-in (${count})`,
+      description: `${filePath} appears to be a route file with ${count} incoming references but imports no auth middleware.`,
+      attackScenario: "A route without authentication that is widely depended upon could expose sensitive functionality to unauthorized users.",
+      suggestedFix: "Add authentication middleware to this route or verify it is intentionally public."
+    });
+  }
+  return findings;
+}
+// src/security/graph-aware.ts
+var MCP_PATTERN = /(?:mcp\/|mcp-|\.mcp\.)/i;
+var ROUTE_PATTERN = /(?:routes?\/|api\/|handler|controller|endpoint|server)/i;
+var CLI_PATTERN = /(?:commands?\/|cli\/|bin\/)/i;
+var AUTH_PATTERN = /(?:auth|session|token|jwt|oauth|login|passport|middleware)/i;
+function classifyEntryPoint(filePath) {
+  if (MCP_PATTERN.test(filePath)) return "mcp-tool";
+  if (ROUTE_PATTERN.test(filePath)) return "http-route";
+  if (CLI_PATTERN.test(filePath)) return "cli-command";
+  return null;
+}
+function isUnauthenticatedRoute(filePath, graph) {
+  if (!ROUTE_PATTERN.test(filePath)) return false;
+  const routeNodes = [];
+  graph.forEachNode((nodeId, attrs) => {
+    if (attrs.filePath === filePath) routeNodes.push(nodeId);
+  });
+  for (const nodeId of routeNodes) {
+    const outNeighbors = graph.outNeighbors(nodeId);
+    for (const neighbor of outNeighbors) {
+      const neighborAttrs = graph.getNodeAttributes(neighbor);
+      if (AUTH_PATTERN.test(neighborAttrs.filePath) || AUTH_PATTERN.test(neighborAttrs.name)) {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+function findReachableEntryPoints(filePath, graph) {
+  const entryPoints = [];
+  const visited = /* @__PURE__ */ new Set();
+  const queue = [];
+  graph.forEachNode((nodeId, attrs) => {
+    if (attrs.filePath === filePath) {
+      queue.push(nodeId);
+      visited.add(nodeId);
+    }
+  });
+  while (queue.length > 0) {
+    const current = queue.shift();
+    const dependents = graph.inNeighbors(current);
+    for (const dep of dependents) {
+      if (visited.has(dep)) continue;
+      visited.add(dep);
+      queue.push(dep);
+      const attrs = graph.getNodeAttributes(dep);
+      const epType = classifyEntryPoint(attrs.filePath);
+      if (epType && !entryPoints.some((ep) => ep.filePath === attrs.filePath)) {
+        entryPoints.push({ filePath: attrs.filePath, type: epType });
+      }
+    }
+  }
+  return entryPoints;
+}
+function elevateByReachability(finding, graph, _projectRoot) {
+  try {
+    const entryPoints = findReachableEntryPoints(finding.file, graph);
+    if (entryPoints.length === 0) return finding;
+    const mcpEntryPoints = entryPoints.filter((ep) => ep.type === "mcp-tool");
+    const httpEntryPoints = entryPoints.filter((ep) => ep.type === "http-route");
+    const cliEntryPoints = entryPoints.filter((ep) => ep.type === "cli-command");
+    let newSeverity = finding.severity;
+    let elevationReason = "";
+    if (finding.severity === "high") {
+      const unauthRoutes = httpEntryPoints.filter((ep) => isUnauthenticatedRoute(ep.filePath, graph));
+      if (unauthRoutes.length > 0) {
+        newSeverity = "critical";
+        elevationReason = `reachable from unauthenticated HTTP route: ${unauthRoutes[0].filePath}`;
+      }
+    }
+    if (finding.severity === "medium" && httpEntryPoints.length > 0) {
+      newSeverity = "high";
+      elevationReason = `reachable from HTTP route: ${httpEntryPoints[0].filePath}`;
+    }
+    if (finding.severity === "medium" && mcpEntryPoints.length > 0) {
+      if (newSeverity === "medium") {
+        newSeverity = "high";
+        elevationReason = `reachable from MCP tool: ${mcpEntryPoints[0].filePath}`;
+      }
+    }
+    if (finding.severity === "low" && entryPoints.length > 0) {
+      newSeverity = "medium";
+      elevationReason = `reachable from ${entryPoints.length} external entry point(s)`;
+    }
+    const allEntryPointPaths = entryPoints.map((ep) => `${ep.type}: ${ep.filePath}`);
+    return {
+      ...finding,
+      severity: newSeverity,
+      graphReachability: {
+        entryPoints: allEntryPointPaths,
+        reachableFrom: entryPoints.length,
+        elevatedBy: elevationReason
+      }
+    };
+  } catch {
+    return finding;
+  }
+}
+// src/security/scanner.ts
+var SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+async function scanSecurity(projectRoot, graph, options = {}) {
+  const startTime = Date.now();
+  const parsedFiles = await parseProject(projectRoot);
+  const filteredFiles = options.target ? parsedFiles.filter((f) => f.filePath === options.target || f.filePath.endsWith(options.target)) : parsedFiles;
+  const hasFrontendFiles = filteredFiles.some((f) => /\.(?:tsx|jsx|html)$/.test(f.filePath));
+  const checkResults = await Promise.all([
+    // Skip dependency checks for single-file scans — they are repo-wide by nature
+    options.target ? Promise.resolve([]) : checkDependencies(filteredFiles, projectRoot),
+    checkInjection(filteredFiles, projectRoot),
+    checkSecrets(filteredFiles, projectRoot),
+    checkPathTraversal(filteredFiles, projectRoot),
+    checkAuth(filteredFiles, projectRoot),
+    checkInputValidation(filteredFiles, projectRoot),
+    checkInformationDisclosure(filteredFiles, projectRoot),
+    checkCryptography(filteredFiles, projectRoot),
+    hasFrontendFiles ? checkFrontend(filteredFiles, projectRoot) : Promise.resolve([]),
+    checkArchitecture(filteredFiles, projectRoot, graph)
+  ]);
+  let findings = checkResults.flat();
+  if (options.classes && options.classes.length > 0) {
+    const allowedClasses = new Set(options.classes);
+    findings = findings.filter((f) => allowedClasses.has(f.vulnerabilityClass));
+  }
+  if (options.graphAware !== false) {
+    findings = findings.map((f) => elevateByReachability(f, graph, projectRoot));
+  }
+  findings.sort((a, b) => {
+    return SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
+  });
+  findings.forEach((f, i) => {
+    f.id = `SEC-${String(i + 1).padStart(3, "0")}`;
+  });
+  const summary = {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length,
+    info: findings.filter((f) => f.severity === "info").length,
+    total: findings.length
+  };
+  const depFindings = checkResults[0];
+  const hasDeps = depFindings.length > 0;
+  return {
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    projectRoot,
+    filesScanned: filteredFiles.length,
+    findings,
+    summary,
+    dependencyAudit: {
+      ran: hasDeps,
+      packageManager: hasDeps ? detectPackageManager(projectRoot) : null,
+      rawOutput: ""
+    }
+  };
+}
+function detectPackageManager(projectRoot) {
+  if (existsSync14(join23(projectRoot, "package.json"))) return "npm";
+  if (existsSync14(join23(projectRoot, "requirements.txt"))) return "pip";
+  if (existsSync14(join23(projectRoot, "pyproject.toml"))) return "pip";
+  if (existsSync14(join23(projectRoot, "Cargo.toml"))) return "cargo";
+  if (existsSync14(join23(projectRoot, "go.mod"))) return "go";
+  return "unknown";
+}
 export {
   findProjectRoot,
   parseTypeScriptFile,
@@ -8680,5 +10147,6 @@ export {
   analyzeDeadCode,
   loadMetadata,
   generateDocs,
-  SimulationEngine
+  SimulationEngine,
+  scanSecurity
 };