driftdetect-detectors 0.1.0

package/dist/auth/rbac-patterns.js

@@ -0,0 +1,143 @@
+/**
+ * RBAC Patterns Detector - Role-Based Access Control pattern detection
+ *
+ * Detects RBAC patterns including role definitions, role assignments,
+ * and role-based authorization.
+ *
+ * @requirements 11.4 - RBAC patterns
+ */
+import { RegexDetector } from '../base/index.js';
+export const ROLE_DEFINITION_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /(?:enum|const)\s+(?:Role|Roles|UserRole)\s*[={]/gi,
+    /roles?\s*:\s*\[\s*['"`](?:admin|user|moderator|editor|viewer)/gi,
+    /(?:ADMIN|USER|MODERATOR|EDITOR|VIEWER)\s*[=:]/gi,
+    /type\s+Role\s*=/gi,
+    // Python patterns - Enum classes, role constants
+    /class\s+(?:Role|Roles|UserRole)\s*\(\s*(?:str\s*,\s*)?Enum\s*\)/gi,
+    /(?:ADMIN|USER|MODERATOR|EDITOR|VIEWER)\s*=\s*['"`]/gi,
+    /ROLES?\s*=\s*\[/gi,
+    /role_choices\s*=/gi,
+];
+export const ROLE_ASSIGNMENT_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /user\.role\s*=\s*['"`]?\w+/gi,
+    /setRole\s*\(/gi,
+    /assignRole\s*\(/gi,
+    /grantRole\s*\(/gi,
+    /role\s*:\s*['"`](?:admin|user|moderator)/gi,
+    // Python patterns - snake_case methods
+    /user\.role\s*=\s*['"`]?\w+/gi,
+    /set_role\s*\(/gi,
+    /assign_role\s*\(/gi,
+    /grant_role\s*\(/gi,
+    /role\s*=\s*['"`](?:admin|user|moderator)/gi,
+    /update_user_role\s*\(/gi,
+];
+export const ROLE_CHECK_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /user\.role\s*===?\s*['"`]?\w+/gi,
+    /hasRole\s*\(\s*['"`]\w+['"`]/gi,
+    /isAdmin|isModerator|isEditor/gi,
+    /role\s*===?\s*(?:Role\.)?\w+/gi,
+    /roles?\.includes\s*\(/gi,
+    // Python patterns - snake_case, equality checks
+    /user\.role\s*==\s*['"`]?\w+/gi,
+    /has_role\s*\(/gi,
+    /is_admin|is_moderator|is_editor/gi,
+    /role\s*==\s*(?:Role\.)?\w+/gi,
+    /role\s+in\s+\[/gi,
+    /check_role\s*\(/gi,
+    /require_role\s*\(/gi,
+];
+export const ROLE_HIERARCHY_PATTERNS = [
+    /roleHierarchy/gi,
+    /parentRole/gi,
+    /inheritedRoles/gi,
+    /roleInherits/gi,
+];
+export const EXCLUDED_FILE_PATTERNS = [/\.test\.[jt]sx?$/, /\.spec\.[jt]sx?$/, /node_modules\//, /\.d\.ts$/, /_test\.py$/, /test_.*\.py$/, /conftest\.py$/];
+export function shouldExcludeFile(filePath) {
+    return EXCLUDED_FILE_PATTERNS.some(p => p.test(filePath));
+}
+function isInsideComment(content, index) {
+    const before = content.slice(0, index);
+    const lastNewline = before.lastIndexOf('\n');
+    const line = before.slice(lastNewline + 1);
+    if (line.includes('//') && index - lastNewline - 1 > line.indexOf('//'))
+        return true;
+    return before.lastIndexOf('/*') > before.lastIndexOf('*/');
+}
+function getPosition(content, index) {
+    const before = content.slice(0, index);
+    return { line: before.split('\n').length, column: index - before.lastIndexOf('\n') };
+}
+function detectPatterns(content, file, patterns, type) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of patterns) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({ type, file, line, column, matchedText: match[0], context: lines[line - 1] || '' });
+        }
+    }
+    return results;
+}
+export function detectRoleDefinitions(content, file) {
+    return detectPatterns(content, file, ROLE_DEFINITION_PATTERNS, 'role-definition');
+}
+export function detectRoleChecks(content, file) {
+    return detectPatterns(content, file, ROLE_CHECK_PATTERNS, 'role-check');
+}
+export function detectRoleAssignments(content, file) {
+    return detectPatterns(content, file, ROLE_ASSIGNMENT_PATTERNS, 'role-assignment');
+}
+export function detectRoleHierarchy(content, file) {
+    return detectPatterns(content, file, ROLE_HIERARCHY_PATTERNS, 'role-hierarchy');
+}
+export function analyzeRbac(content, file) {
+    if (shouldExcludeFile(file)) {
+        return { patterns: [], violations: [], roles: [], hasRoleHierarchy: false };
+    }
+    const patterns = [
+        ...detectRoleDefinitions(content, file),
+        ...detectRoleAssignments(content, file),
+        ...detectRoleChecks(content, file),
+        ...detectRoleHierarchy(content, file),
+    ];
+    const roleMatches = content.match(/['"`](admin|user|moderator|editor|viewer|guest|owner|member)['"`]/gi) || [];
+    const roles = [...new Set(roleMatches.map(r => r.replace(/['"`]/g, '').toLowerCase()))];
+    const hasRoleHierarchy = patterns.some(p => p.type === 'role-hierarchy');
+    return { patterns, violations: [], roles, hasRoleHierarchy };
+}
+export const analyzeRBACPatterns = analyzeRbac;
+export class RbacPatternsDetector extends RegexDetector {
+    id = 'auth/rbac-patterns';
+    name = 'RBAC Patterns Detector';
+    description = 'Detects Role-Based Access Control patterns';
+    category = 'auth';
+    subcategory = 'rbac';
+    supportedLanguages = ['typescript', 'javascript', 'python'];
+    async detect(context) {
+        const { content, file } = context;
+        if (shouldExcludeFile(file))
+            return this.createEmptyResult();
+        const analysis = analyzeRbac(content, file);
+        return this.createResult([], [], analysis.patterns.length > 0 ? 0.85 : 1.0);
+    }
+    generateQuickFix() {
+        return null;
+    }
+}
+// Alias for backward compatibility
+export const RBACPatternsDetector = RbacPatternsDetector;
+export function createRbacPatternsDetector() {
+    return new RbacPatternsDetector();
+}
+// Alias for backward compatibility
+export const createRBACPatternsDetector = createRbacPatternsDetector;
+//# sourceMappingURL=rbac-patterns.js.map

package/dist/auth/rbac-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac-patterns.js","sourceRoot":"","sources":["../../src/auth/rbac-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,aAAa,EAA+C,MAAM,kBAAkB,CAAC;AAmC9F,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,iCAAiC;IACjC,mDAAmD;IACnD,iEAAiE;IACjE,iDAAiD;IACjD,mBAAmB;IACnB,iDAAiD;IACjD,mEAAmE;IACnE,sDAAsD;IACtD,mBAAmB;IACnB,oBAAoB;CACZ,CAAC;AAEX,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,iCAAiC;IACjC,8BAA8B;IAC9B,gBAAgB;IAChB,mBAAmB;IACnB,kBAAkB;IAClB,4CAA4C;IAC5C,uCAAuC;IACvC,8BAA8B;IAC9B,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,4CAA4C;IAC5C,yBAAyB;CACjB,CAAC;AAEX,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,iCAAiC;IACjC,iCAAiC;IACjC,gCAAgC;IAChC,gCAAgC;IAChC,gCAAgC;IAChC,yBAAyB;IACzB,gDAAgD;IAChD,+BAA+B;IAC/B,iBAAiB;IACjB,mCAAmC;IACnC,8BAA8B;IAC9B,kBAAkB;IAClB,mBAAmB;IACnB,qBAAqB;CACb,CAAC;AAEX,MAAM,CAAC,MAAM,uBAAuB,GAAG;IACrC,iBAAiB;IACjB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,kBAAkB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,CAAC,CAAC;AAE5J,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,KAAa;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrF,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,WAAW,CAAC,OAAe,EAAE,KAAa;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACvC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;AACvF,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,IAAY,EAAE,QAA2B,EAAE,IAAqB;IACvG,MAAM,OAAO,GAAsB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACpG,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAe,EAAE,IAAY;IACjE,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE,iBAAiB,CAAC,CAAC;AACpF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,IAAY;IAC5D,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,YAAY,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAe,EAAE,IAAY;IACjE,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE,iBAAiB,CAAC,CAAC;AACpF,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,IAAY;IAC/D,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,IAAY;IACvD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,QAAQ,GAAsB;QAClC,GAAG,qBAAqB,CAAC,OAAO,EAAE,IAAI,CAAC;QACvC,GAAG,qBAAqB,CAAC,OAAO,EAAE,IAAI,CAAC;QACvC,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC;QAClC,GAAG,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC;KACtC,CAAC;IAEF,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,IAAI,EAAE,CAAC;IAC/G,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;IACxF,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC;IAEzE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;AAC/D,CAAC;AAMD,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAE/C,MAAM,OAAO,oBAAqB,SAAQ,aAAa;IAC5C,EAAE,GAAG,oBAAoB,CAAC;IAC1B,IAAI,GAAG,wBAAwB,CAAC;IAChC,WAAW,GAAG,4CAA4C,CAAC;IAC3D,QAAQ,GAAG,MAAM,CAAC;IAClB,WAAW,GAAG,MAAM,CAAC;IACrB,kBAAkB,GAAe,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAEjF,KAAK,CAAC,MAAM,CAAC,OAAyB;QACpC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAClC,IAAI,iBAAiB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE7D,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9E,CAAC;IAED,gBAAgB;QACd,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,mCAAmC;AACnC,MAAM,CAAC,MAAM,oBAAoB,GAAG,oBAAoB,CAAC;AAEzD,MAAM,UAAU,0BAA0B;IACxC,OAAO,IAAI,oBAAoB,EAAE,CAAC;AACpC,CAAC;AAED,mCAAmC;AACnC,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC"}

package/dist/auth/resource-ownership.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Resource Ownership Detector - Ownership pattern detection
+ *
+ * Detects resource ownership patterns including:
+ * - User ID checks on resources
+ * - Owner field validation
+ * - Tenant/organization scoping
+ * - Resource access control patterns
+ * - Ownership transfer patterns
+ *
+ * Flags violations:
+ * - Missing ownership checks on sensitive operations
+ * - Direct resource access without ownership validation
+ * - Inconsistent ownership patterns
+ *
+ * @requirements 11.5 - Resource ownership patterns
+ */
+import type { Language } from 'driftdetect-core';
+import { RegexDetector, type DetectionContext, type DetectionResult } from '../base/index.js';
+export type OwnershipPatternType = 'user-id-check' | 'owner-field' | 'tenant-scope' | 'created-by' | 'ownership-query' | 'ownership-transfer';
+export type OwnershipViolationType = 'missing-ownership-check' | 'direct-resource-access' | 'inconsistent-ownership';
+export interface OwnershipPatternInfo {
+    type: OwnershipPatternType;
+    file: string;
+    line: number;
+    column: number;
+    matchedText: string;
+    ownerField?: string;
+    context?: string;
+}
+export interface OwnershipViolationInfo {
+    type: OwnershipViolationType;
+    file: string;
+    line: number;
+    column: number;
+    endLine: number;
+    endColumn: number;
+    value: string;
+    issue: string;
+    suggestedFix?: string;
+    lineContent: string;
+}
+export interface OwnershipAnalysis {
+    patterns: OwnershipPatternInfo[];
+    violations: OwnershipViolationInfo[];
+    hasOwnershipChecks: boolean;
+    dominantPattern: OwnershipPatternType | null;
+    confidence: number;
+}
+export declare const USER_ID_CHECK_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const OWNER_FIELD_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const TENANT_SCOPE_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const CREATED_BY_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp];
+export declare const OWNERSHIP_QUERY_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const OWNERSHIP_TRANSFER_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp];
+export declare const SENSITIVE_OPERATION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const EXCLUDED_FILE_PATTERNS: RegExp[];
+export declare function shouldExcludeFile(filePath: string): boolean;
+export declare function detectUserIdChecks(content: string, file: string): OwnershipPatternInfo[];
+export declare function detectOwnerFields(content: string, file: string): OwnershipPatternInfo[];
+export declare function detectTenantScoping(content: string, file: string): OwnershipPatternInfo[];
+export declare function detectCreatedByPatterns(content: string, file: string): OwnershipPatternInfo[];
+export declare function detectOwnershipQueries(content: string, file: string): OwnershipPatternInfo[];
+export declare function detectMissingOwnershipViolations(patterns: OwnershipPatternInfo[], content: string, file: string): OwnershipViolationInfo[];
+export declare function analyzeOwnership(content: string, file: string): OwnershipAnalysis;
+export declare class ResourceOwnershipDetector extends RegexDetector {
+    readonly id = "auth/resource-ownership";
+    readonly name = "Resource Ownership Detector";
+    readonly description = "Detects resource ownership patterns and missing ownership checks";
+    readonly category = "auth";
+    readonly subcategory = "ownership";
+    readonly supportedLanguages: Language[];
+    detect(context: DetectionContext): Promise<DetectionResult>;
+    generateQuickFix(): null;
+}
+export declare function createResourceOwnershipDetector(): ResourceOwnershipDetector;
+//# sourceMappingURL=resource-ownership.d.ts.map

package/dist/auth/resource-ownership.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-ownership.d.ts","sourceRoot":"","sources":["../../src/auth/resource-ownership.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAM9F,MAAM,MAAM,oBAAoB,GAC5B,eAAe,GACf,aAAa,GACb,cAAc,GACd,YAAY,GACZ,iBAAiB,GACjB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,sBAAsB,GAC9B,yBAAyB,GACzB,wBAAwB,GACxB,wBAAwB,CAAC;AAE7B,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,sBAAsB,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,oBAAoB,EAAE,CAAC;IACjC,UAAU,EAAE,sBAAsB,EAAE,CAAC;IACrC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,eAAe,EAAE,oBAAoB,GAAG,IAAI,CAAC;IAC7C,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD,eAAO,MAAM,sBAAsB,mFAYzB,CAAC;AAEX,eAAO,MAAM,oBAAoB,2FAavB,CAAC;AAEX,eAAO,MAAM,qBAAqB,mHAgBxB,CAAC;AAEX,eAAO,MAAM,mBAAmB,2CAKtB,CAAC;AAEX,eAAO,MAAM,wBAAwB,mGAc3B,CAAC;AAEX,eAAO,MAAM,2BAA2B,2CAK9B,CAAC;AAEX,eAAO,MAAM,4BAA4B,2DAO/B,CAAC;AAEX,eAAO,MAAM,sBAAsB,UAQlC,CAAC;AAMF,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE3D;AAmBD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAmBxF;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAoBvF;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAmBzF;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAmB7F;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAmB5F;AAED,wBAAgB,gCAAgC,CAC9C,QAAQ,EAAE,oBAAoB,EAAE,EAChC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,GACX,sBAAsB,EAAE,CAgC1B;AAMD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAsCjF;AAMD,qBAAa,yBAA0B,SAAQ,aAAa;IAC1D,QAAQ,CAAC,EAAE,6BAA6B;IACxC,QAAQ,CAAC,IAAI,iCAAiC;IAC9C,QAAQ,CAAC,WAAW,sEAAsE;IAC1F,QAAQ,CAAC,QAAQ,UAAU;IAC3B,QAAQ,CAAC,WAAW,eAAe;IACnC,QAAQ,CAAC,kBAAkB,EAAE,QAAQ,EAAE,CAA0C;IAE3E,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAQjE,gBAAgB,IAAI,IAAI;CAGzB;AAED,wBAAgB,+BAA+B,IAAI,yBAAyB,CAE3E"}

package/dist/auth/resource-ownership.js

@@ -0,0 +1,324 @@
+/**
+ * Resource Ownership Detector - Ownership pattern detection
+ *
+ * Detects resource ownership patterns including:
+ * - User ID checks on resources
+ * - Owner field validation
+ * - Tenant/organization scoping
+ * - Resource access control patterns
+ * - Ownership transfer patterns
+ *
+ * Flags violations:
+ * - Missing ownership checks on sensitive operations
+ * - Direct resource access without ownership validation
+ * - Inconsistent ownership patterns
+ *
+ * @requirements 11.5 - Resource ownership patterns
+ */
+import { RegexDetector } from '../base/index.js';
+// ============================================================================
+// Constants
+// ============================================================================
+export const USER_ID_CHECK_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /userId\s*===?\s*(?:resource|item|record|data)\.\s*userId/gi,
+    /(?:resource|item|record|data)\.userId\s*===?\s*userId/gi,
+    /user\.id\s*===?\s*(?:resource|item)\.(?:userId|ownerId|createdBy)/gi,
+    /req\.user\.id\s*===?\s*\w+\.(?:userId|ownerId)/gi,
+    /session\.userId\s*===?\s*\w+\.(?:userId|ownerId)/gi,
+    // Python patterns - snake_case, equality checks
+    /user_id\s*==\s*(?:resource|item|record|data)\.user_id/gi,
+    /(?:resource|item|record|data)\.user_id\s*==\s*user_id/gi,
+    /current_user\.id\s*==\s*\w+\.(?:user_id|owner_id|created_by)/gi,
+    /request\.user\.id\s*==\s*\w+\.(?:user_id|owner_id)/gi,
+];
+export const OWNER_FIELD_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /\.ownerId\b/gi,
+    /\.owner\s*[=:]/gi,
+    /ownerId\s*[=:]/gi,
+    /ownerUserId/gi,
+    /resourceOwner/gi,
+    // Python patterns - snake_case
+    /\.owner_id\b/gi,
+    /owner_id\s*=/gi,
+    /owner_user_id/gi,
+    /resource_owner/gi,
+    /owned_by/gi,
+];
+export const TENANT_SCOPE_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /tenantId\s*[=:]/gi,
+    /organizationId\s*[=:]/gi,
+    /orgId\s*[=:]/gi,
+    /\.tenantId\b/gi,
+    /\.organizationId\b/gi,
+    /workspaceId\s*[=:]/gi,
+    // Python patterns - snake_case
+    /tenant_id\s*=/gi,
+    /organization_id\s*=/gi,
+    /org_id\s*=/gi,
+    /\.tenant_id\b/gi,
+    /\.organization_id\b/gi,
+    /workspace_id\s*=/gi,
+    /account_id\s*=/gi,
+];
+export const CREATED_BY_PATTERNS = [
+    /createdBy\s*[=:]/gi,
+    /\.createdBy\b/gi,
+    /authorId\s*[=:]/gi,
+    /\.authorId\b/gi,
+];
+export const OWNERSHIP_QUERY_PATTERNS = [
+    // TypeScript/JavaScript patterns
+    /WHERE\s+(?:user_?id|owner_?id|tenant_?id)\s*=/gi,
+    /\.where\s*\(\s*['"`]?(?:userId|ownerId|tenantId)['"`]?\s*,/gi,
+    /\.eq\s*\(\s*['"`](?:user_id|owner_id|tenant_id)['"`]/gi,
+    /findBy(?:User|Owner|Tenant)Id/gi,
+    // Python patterns - SQLAlchemy, Django ORM, Supabase
+    /\.filter\s*\(\s*\w+\.user_id\s*==/gi,
+    /\.filter\s*\(\s*\w+\.owner_id\s*==/gi,
+    /\.filter_by\s*\(\s*user_id\s*=/gi,
+    /\.filter_by\s*\(\s*owner_id\s*=/gi,
+    /objects\.filter\s*\(\s*user_id\s*=/gi,
+    /objects\.filter\s*\(\s*owner\s*=/gi,
+    /\.select\s*\(\s*\)\s*\.eq\s*\(\s*['"`]user_id['"`]/gi,
+];
+export const OWNERSHIP_TRANSFER_PATTERNS = [
+    /transferOwnership/gi,
+    /changeOwner/gi,
+    /setOwner/gi,
+    /updateOwner/gi,
+];
+export const SENSITIVE_OPERATION_PATTERNS = [
+    /\.delete\s*\(/gi,
+    /\.update\s*\(/gi,
+    /\.remove\s*\(/gi,
+    /\.destroy\s*\(/gi,
+    /DELETE\s+FROM/gi,
+    /UPDATE\s+\w+\s+SET/gi,
+];
+export const EXCLUDED_FILE_PATTERNS = [
+    /\.test\.[jt]sx?$/,
+    /\.spec\.[jt]sx?$/,
+    /node_modules\//,
+    /\.d\.ts$/,
+    /_test\.py$/,
+    /test_.*\.py$/,
+    /conftest\.py$/,
+];
+// ============================================================================
+// Helper Functions
+// ============================================================================
+export function shouldExcludeFile(filePath) {
+    return EXCLUDED_FILE_PATTERNS.some(p => p.test(filePath));
+}
+function isInsideComment(content, index) {
+    const before = content.slice(0, index);
+    const lastNewline = before.lastIndexOf('\n');
+    const line = before.slice(lastNewline + 1);
+    if (line.includes('//') && index - lastNewline - 1 > line.indexOf('//'))
+        return true;
+    return before.lastIndexOf('/*') > before.lastIndexOf('*/');
+}
+function getPosition(content, index) {
+    const before = content.slice(0, index);
+    return { line: before.split('\n').length, column: index - before.lastIndexOf('\n') };
+}
+// ============================================================================
+// Detection Functions
+// ============================================================================
+export function detectUserIdChecks(content, file) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of USER_ID_CHECK_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({
+                type: 'user-id-check',
+                file, line, column,
+                matchedText: match[0],
+                context: lines[line - 1] || '',
+            });
+        }
+    }
+    return results;
+}
+export function detectOwnerFields(content, file) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of OWNER_FIELD_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({
+                type: 'owner-field',
+                file, line, column,
+                matchedText: match[0],
+                ownerField: match[0].replace(/[.:=\s]/g, ''),
+                context: lines[line - 1] || '',
+            });
+        }
+    }
+    return results;
+}
+export function detectTenantScoping(content, file) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of TENANT_SCOPE_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({
+                type: 'tenant-scope',
+                file, line, column,
+                matchedText: match[0],
+                context: lines[line - 1] || '',
+            });
+        }
+    }
+    return results;
+}
+export function detectCreatedByPatterns(content, file) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of CREATED_BY_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({
+                type: 'created-by',
+                file, line, column,
+                matchedText: match[0],
+                context: lines[line - 1] || '',
+            });
+        }
+    }
+    return results;
+}
+export function detectOwnershipQueries(content, file) {
+    const results = [];
+    const lines = content.split('\n');
+    for (const pattern of OWNERSHIP_QUERY_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            if (isInsideComment(content, match.index))
+                continue;
+            const { line, column } = getPosition(content, match.index);
+            results.push({
+                type: 'ownership-query',
+                file, line, column,
+                matchedText: match[0],
+                context: lines[line - 1] || '',
+            });
+        }
+    }
+    return results;
+}
+export function detectMissingOwnershipViolations(patterns, content, file) {
+    const violations = [];
+    const lines = content.split('\n');
+    const hasOwnershipChecks = patterns.length > 0;
+    // Only check files that look like they handle resources
+    if (!file.includes('service') && !file.includes('repository') && !file.includes('controller')) {
+        return violations;
+    }
+    if (!hasOwnershipChecks) {
+        for (const pattern of SENSITIVE_OPERATION_PATTERNS) {
+            const regex = new RegExp(pattern.source, pattern.flags);
+            let match;
+            while ((match = regex.exec(content)) !== null) {
+                if (isInsideComment(content, match.index))
+                    continue;
+                const { line, column } = getPosition(content, match.index);
+                violations.push({
+                    type: 'missing-ownership-check',
+                    file, line, column,
+                    endLine: line,
+                    endColumn: column + match[0].length,
+                    value: match[0],
+                    issue: 'Sensitive operation without visible ownership check',
+                    suggestedFix: 'Add ownership validation before modifying resources',
+                    lineContent: lines[line - 1] || '',
+                });
+                break; // Only flag once per file
+            }
+        }
+    }
+    return violations;
+}
+// ============================================================================
+// Main Analysis Function
+// ============================================================================
+export function analyzeOwnership(content, file) {
+    if (shouldExcludeFile(file)) {
+        return { patterns: [], violations: [], hasOwnershipChecks: false, dominantPattern: null, confidence: 1.0 };
+    }
+    const userIdChecks = detectUserIdChecks(content, file);
+    const ownerFields = detectOwnerFields(content, file);
+    const tenantScoping = detectTenantScoping(content, file);
+    const createdBy = detectCreatedByPatterns(content, file);
+    const ownershipQueries = detectOwnershipQueries(content, file);
+    const allPatterns = [...userIdChecks, ...ownerFields, ...tenantScoping, ...createdBy, ...ownershipQueries];
+    const violations = detectMissingOwnershipViolations(allPatterns, content, file);
+    // Determine dominant pattern
+    const typeCounts = {};
+    for (const p of allPatterns) {
+        typeCounts[p.type] = (typeCounts[p.type] || 0) + 1;
+    }
+    let dominantPattern = null;
+    let maxCount = 0;
+    for (const [type, count] of Object.entries(typeCounts)) {
+        if (count > maxCount) {
+            maxCount = count;
+            dominantPattern = type;
+        }
+    }
+    const confidence = allPatterns.length > 0 ? Math.max(0.5, 1 - violations.length * 0.1) : 1.0;
+    return {
+        patterns: allPatterns,
+        violations,
+        hasOwnershipChecks: allPatterns.length > 0,
+        dominantPattern,
+        confidence,
+    };
+}
+// ============================================================================
+// Detector Class
+// ============================================================================
+export class ResourceOwnershipDetector extends RegexDetector {
+    id = 'auth/resource-ownership';
+    name = 'Resource Ownership Detector';
+    description = 'Detects resource ownership patterns and missing ownership checks';
+    category = 'auth';
+    subcategory = 'ownership';
+    supportedLanguages = ['typescript', 'javascript', 'python'];
+    async detect(context) {
+        const { content, file } = context;
+        if (shouldExcludeFile(file))
+            return this.createEmptyResult();
+        const analysis = analyzeOwnership(content, file);
+        return this.createResult([], [], analysis.confidence);
+    }
+    generateQuickFix() {
+        return null;
+    }
+}
+export function createResourceOwnershipDetector() {
+    return new ResourceOwnershipDetector();
+}
+//# sourceMappingURL=resource-ownership.js.map

package/dist/auth/resource-ownership.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-ownership.js","sourceRoot":"","sources":["../../src/auth/resource-ownership.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,aAAa,EAA+C,MAAM,kBAAkB,CAAC;AAkD9F,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,iCAAiC;IACjC,4DAA4D;IAC5D,yDAAyD;IACzD,qEAAqE;IACrE,kDAAkD;IAClD,oDAAoD;IACpD,gDAAgD;IAChD,yDAAyD;IACzD,yDAAyD;IACzD,gEAAgE;IAChE,sDAAsD;CAC9C,CAAC;AAEX,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,iCAAiC;IACjC,eAAe;IACf,kBAAkB;IAClB,kBAAkB;IAClB,eAAe;IACf,iBAAiB;IACjB,+BAA+B;IAC/B,gBAAgB;IAChB,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;IAClB,YAAY;CACJ,CAAC;AAEX,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,iCAAiC;IACjC,mBAAmB;IACnB,yBAAyB;IACzB,gBAAgB;IAChB,gBAAgB;IAChB,sBAAsB;IACtB,sBAAsB;IACtB,+BAA+B;IAC/B,iBAAiB;IACjB,uBAAuB;IACvB,cAAc;IACd,iBAAiB;IACjB,uBAAuB;IACvB,oBAAoB;IACpB,kBAAkB;CACV,CAAC;AAEX,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,oBAAoB;IACpB,iBAAiB;IACjB,mBAAmB;IACnB,gBAAgB;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,iCAAiC;IACjC,iDAAiD;IACjD,8DAA8D;IAC9D,wDAAwD;IACxD,iCAAiC;IACjC,qDAAqD;IACrD,qCAAqC;IACrC,sCAAsC;IACtC,kCAAkC;IAClC,mCAAmC;IACnC,sCAAsC;IACtC,oCAAoC;IACpC,sDAAsD;CAC9C,CAAC;AAEX,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,qBAAqB;IACrB,eAAe;IACf,YAAY;IACZ,eAAe;CACP,CAAC;AAEX,MAAM,CAAC,MAAM,4BAA4B,GAAG;IAC1C,iBAAiB;IACjB,iBAAiB;IACjB,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;IACjB,sBAAsB;CACd,CAAC;AAEX,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,kBAAkB;IAClB,kBAAkB;IAClB,gBAAgB;IAChB,UAAU;IACV,YAAY;IACZ,cAAc;IACd,eAAe;CAChB,CAAC;AAEF,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,KAAa;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;IAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrF,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,WAAW,CAAC,OAAe,EAAE,KAAa;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACvC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;AACvF,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,IAAY;IAC9D,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,eAAe;gBACrB,IAAI,EAAE,IAAI,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAe,EAAE,IAAY;IAC7D,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,IAAI,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC5C,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,IAAY;IAC/D,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,IAAI,EAAE,IAAI,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe,EAAE,IAAY;IACnE,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,IAAI,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAe,EAAE,IAAY;IAClE,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,wBAAwB,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,iBAAiB;gBACvB,IAAI,EAAE,IAAI,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,OAAO,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC9C,QAAgC,EAChC,OAAe,EACf,IAAY;IAEZ,MAAM,UAAU,GAA6B,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,kBAAkB,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAE/C,wDAAwD;IACxD,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9F,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,KAAK,MAAM,OAAO,IAAI,4BAA4B,EAAE,CAAC;YACnD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACxD,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,IAAI,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACpD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC3D,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,yBAAyB;oBAC/B,IAAI,EAAE,IAAI,EAAE,MAAM;oBAClB,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBACnC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBACf,KAAK,EAAE,qDAAqD;oBAC5D,YAAY,EAAE,qDAAqD;oBACnE,WAAW,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE;iBACnC,CAAC,CAAC;gBACH,MAAM,CAAC,0BAA0B;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,IAAY;IAC5D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IAC7G,CAAC;IAED,MAAM,YAAY,GAAG,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACvD,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAE/D,MAAM,WAAW,GAAG,CAAC,GAAG,YAAY,EAAE,GAAG,WAAW,EAAE,GAAG,aAAa,EAAE,GAAG,SAAS,EAAE,GAAG,gBAAgB,CAAC,CAAC;IAC3G,MAAM,UAAU,GAAG,gCAAgC,CAAC,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAEhF,6BAA6B;IAC7B,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,eAAe,GAAgC,IAAI,CAAC;IACxD,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;YACrB,QAAQ,GAAG,KAAK,CAAC;YACjB,eAAe,GAAG,IAA4B,CAAC;QACjD,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAE7F,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,UAAU;QACV,kBAAkB,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC;QAC1C,eAAe;QACf,UAAU;KACX,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,MAAM,OAAO,yBAA0B,SAAQ,aAAa;IACjD,EAAE,GAAG,yBAAyB,CAAC;IAC/B,IAAI,GAAG,6BAA6B,CAAC;IACrC,WAAW,GAAG,kEAAkE,CAAC;IACjF,QAAQ,GAAG,MAAM,CAAC;IAClB,WAAW,GAAG,WAAW,CAAC;IAC1B,kBAAkB,GAAe,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IAEjF,KAAK,CAAC,MAAM,CAAC,OAAyB;QACpC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAClC,IAAI,iBAAiB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE7D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IACxD,CAAC;IAED,gBAAgB;QACd,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,MAAM,UAAU,+BAA+B;IAC7C,OAAO,IAAI,yBAAyB,EAAE,CAAC;AACzC,CAAC"}

package/dist/auth/token-handling.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Token Handling Detector - Token pattern detection
+ *
+ * Detects token handling patterns including JWT storage, refresh tokens,
+ * token validation, and secure token practices.
+ *
+ * Flags violations: Insecure token storage, missing refresh logic, exposed tokens.
+ *
+ * @requirements 11.2 - Token handling patterns
+ */
+import type { Language } from 'driftdetect-core';
+import { RegexDetector, type DetectionContext, type DetectionResult } from '../base/index.js';
+export type TokenPatternType = 'jwt-storage' | 'refresh-token' | 'token-validation' | 'token-extraction' | 'secure-cookie';
+export type TokenViolationType = 'insecure-storage' | 'missing-refresh' | 'token-in-url' | 'token-logged';
+export interface TokenPatternInfo {
+    type: TokenPatternType;
+    file: string;
+    line: number;
+    column: number;
+    matchedText: string;
+    storageType?: string;
+    context?: string;
+}
+export interface TokenViolationInfo {
+    type: TokenViolationType;
+    file: string;
+    line: number;
+    column: number;
+    endLine: number;
+    endColumn: number;
+    value: string;
+    issue: string;
+    suggestedFix?: string;
+    lineContent: string;
+}
+export interface TokenAnalysis {
+    patterns: TokenPatternInfo[];
+    violations: TokenViolationInfo[];
+    usesSecureStorage: boolean;
+    hasRefreshLogic: boolean;
+}
+export declare const TOKEN_STORAGE_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp];
+export declare const SECURE_COOKIE_PATTERNS: readonly [RegExp, RegExp, RegExp];
+export declare const REFRESH_TOKEN_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const TOKEN_VALIDATION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const TOKEN_EXTRACTION_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const INSECURE_STORAGE_PATTERNS: readonly [RegExp];
+export declare const TOKEN_IN_URL_PATTERNS: readonly [RegExp, RegExp, RegExp];
+export declare const TOKEN_LOGGED_PATTERNS: readonly [RegExp, RegExp, RegExp];
+export declare const EXCLUDED_FILE_PATTERNS: RegExp[];
+export declare function shouldExcludeFile(filePath: string): boolean;
+export declare function analyzeTokenHandling(content: string, file: string): TokenAnalysis;
+export declare class TokenHandlingDetector extends RegexDetector {
+    readonly id = "auth/token-handling";
+    readonly name = "Token Handling Detector";
+    readonly description = "Detects token handling patterns and security issues";
+    readonly category = "auth";
+    readonly subcategory = "tokens";
+    readonly supportedLanguages: Language[];
+    detect(context: DetectionContext): Promise<DetectionResult>;
+    generateQuickFix(): null;
+}
+export declare function createTokenHandlingDetector(): TokenHandlingDetector;
+//# sourceMappingURL=token-handling.d.ts.map

package/dist/auth/token-handling.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-handling.d.ts","sourceRoot":"","sources":["../../src/auth/token-handling.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE9F,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,eAAe,GAAG,kBAAkB,GAAG,kBAAkB,GAAG,eAAe,CAAC;AAC3H,MAAM,MAAM,kBAAkB,GAAG,kBAAkB,GAAG,iBAAiB,GAAG,cAAc,GAAG,cAAc,CAAC;AAE1G,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,kBAAkB,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,UAAU,EAAE,kBAAkB,EAAE,CAAC;IACjC,iBAAiB,EAAE,OAAO,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,eAAO,MAAM,sBAAsB,2CAKzB,CAAC;AAEX,eAAO,MAAM,sBAAsB,mCAIzB,CAAC;AAEX,eAAO,MAAM,sBAAsB,mDAMzB,CAAC;AAEX,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX,eAAO,MAAM,yBAAyB,mDAM5B,CAAC;AAEX,eAAO,MAAM,yBAAyB,mBAE5B,CAAC;AAEX,eAAO,MAAM,qBAAqB,mCAIxB,CAAC;AAEX,eAAO,MAAM,qBAAqB,mCAIxB,CAAC;AAEX,eAAO,MAAM,sBAAsB,UAAyE,CAAC;AAE7G,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE3D;AAoDD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,aAAa,CA0BjF;AAED,qBAAa,qBAAsB,SAAQ,aAAa;IACtD,QAAQ,CAAC,EAAE,yBAAyB;IACpC,QAAQ,CAAC,IAAI,6BAA6B;IAC1C,QAAQ,CAAC,WAAW,yDAAyD;IAC7E,QAAQ,CAAC,QAAQ,UAAU;IAC3B,QAAQ,CAAC,WAAW,YAAY;IAChC,QAAQ,CAAC,kBAAkB,EAAE,QAAQ,EAAE,CAA0C;IAE3E,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAUjE,gBAAgB,IAAI,IAAI;CAGzB;AAED,wBAAgB,2BAA2B,IAAI,qBAAqB,CAEnE"}