eslint-plugin-crypto 1.0.0

package/AGENTS.md

@@ -0,0 +1,110 @@
+# AGENTS.md - AI Agent Context for eslint-plugin-crypto
+
+## Plugin Purpose
+
+Security-focused ESLint plugin with **24 rules** for cryptographic best practices. Covers Node.js `crypto`, Web Crypto API, and npm packages (crypto-hash, crypto-random-string, crypto-js).
+
+## Quick Reference
+
+### Core Crypto Rules (8)
+
+| Rule                          | CWE | Detects        | Fix              |
+| ----------------------------- | --- | -------------- | ---------------- |
+| `no-weak-hash-algorithm`      | 327 | MD5, SHA1, MD4 | SHA-256/512      |
+| `no-weak-cipher-algorithm`    | 327 | DES, 3DES, RC4 | AES-256-GCM      |
+| `no-deprecated-cipher-method` | 327 | createCipher() | createCipheriv() |
+| `no-static-iv`                | 329 | Hardcoded IVs  | randomBytes(16)  |
+| `no-ecb-mode`                 | 327 | ECB mode       | GCM or CBC       |
+| `no-insecure-key-derivation`  | 916 | PBKDF2 < 100k  | ≥100k iterations |
+| `no-hardcoded-crypto-key`     | 321 | Literal keys   | env vars/KMS     |
+| `require-random-iv`           | 329 | Non-random IVs | randomBytes()    |
+
+### CVE-Specific Rules (3)
+
+| Rule                           | CVE        | Vulnerability |
+| ------------------------------ | ---------- | ------------- |
+| `no-insecure-rsa-padding`      | 2023-46809 | Marvin Attack |
+| `no-cryptojs-weak-random`      | 2020-36732 | Weak PRNG     |
+| `require-secure-pbkdf2-digest` | 2023-46233 | SHA1 PBKDF2   |
+
+### Advanced Security (7)
+
+| Rule                               | CWE | Focus           |
+| ---------------------------------- | --- | --------------- |
+| `no-math-random-crypto`            | 338 | Insecure PRNG   |
+| `no-predictable-salt`              | 331 | Weak salts      |
+| `require-authenticated-encryption` | 327 | CBC without MAC |
+| `no-key-reuse`                     | 323 | Same key twice  |
+| `no-self-signed-certs`             | 295 | TLS bypass      |
+| `no-timing-unsafe-compare`         | 208 | Timing attacks  |
+| `require-key-length`               | 326 | AES-128/192     |
+| `no-web-crypto-export`             | 321 | Key export      |
+
+### Package Rules (6)
+
+| Rule                        | Package              | Issue          |
+| --------------------------- | -------------------- | -------------- |
+| `no-sha1-hash`              | crypto-hash          | sha1()         |
+| `require-sufficient-length` | crypto-random-string | < 32 chars     |
+| `no-numeric-only-tokens`    | crypto-random-string | Low entropy    |
+| `no-cryptojs`               | crypto-js            | Deprecated     |
+| `no-cryptojs-weak-random`   | crypto-js            | CVE-2020-36732 |
+| `prefer-native-crypto`      | Various              | Third-party    |
+
+## Fix Patterns
+
+```diff
+# Weak Hash
+- crypto.createHash('md5')
++ crypto.createHash('sha256')
+
+# RSA Padding (CVE-2023-46809)
+- padding: crypto.constants.RSA_PKCS1_PADDING
++ padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
+
+# Math.random for crypto
+- const token = Math.random().toString(36)
++ const token = crypto.randomBytes(32).toString('hex')
+
+# Timing-safe compare
+- if (userToken === storedToken)
++ if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken)))
+
+# Authenticated encryption
+- crypto.createCipheriv('aes-256-cbc', key, iv)
++ crypto.createCipheriv('aes-256-gcm', key, iv)
+
+# TLS validation
+- { rejectUnauthorized: false }
++ { rejectUnauthorized: true }
+```
+
+## Presets (5)
+
+| Preset               | Use Case                |
+| -------------------- | ----------------------- |
+| `recommended`        | Most projects           |
+| `strict`             | High-security apps      |
+| `cryptojs-migration` | Migrating off crypto-js |
+| `nodejs-only`        | Server-side only        |
+| `cve-focused`        | Known CVE protection    |
+
+## Architecture
+
+```
+src/
+├── index.ts          # Plugin entry, 5 configs
+├── types/index.ts    # 24 rule option types
+└── rules/            # 24 rule directories
+    ├── no-weak-hash-algorithm/
+    ├── no-insecure-rsa-padding/
+    └── ...
+```
+
+## CWE Coverage
+
+208, 295, 321, 323, 326, 327, 328, 329, 330, 331, 338, 916, 1104
+
+## Version
+
+1.0.0 (24 rules)

package/CHANGELOG.md

@@ -0,0 +1,68 @@
+# Changelog
+
+All notable changes to `eslint-plugin-crypto` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2025-12-29
+
+### Added
+
+#### Core Node.js Crypto Rules (8)
+
+- `no-weak-hash-algorithm` - Detect MD5, SHA1, MD4, RIPEMD (CWE-327)
+- `no-weak-cipher-algorithm` - Detect DES, 3DES, RC4, Blowfish (CWE-327)
+- `no-deprecated-cipher-method` - Detect createCipher/createDecipher (CWE-327)
+- `no-static-iv` - Detect hardcoded initialization vectors (CWE-329)
+- `no-ecb-mode` - Detect ECB encryption mode (CWE-327)
+- `no-insecure-key-derivation` - Detect PBKDF2 < 100k iterations (CWE-916)
+- `no-hardcoded-crypto-key` - Detect literal encryption keys (CWE-321)
+- `require-random-iv` - Ensure IV from crypto.randomBytes() (CWE-329)
+
+#### CVE-Specific Rules (3)
+
+- `no-insecure-rsa-padding` - **CVE-2023-46809** Marvin Attack detection (CWE-327)
+- `no-cryptojs-weak-random` - **CVE-2020-36732** crypto-js weak PRNG (CWE-338)
+- `require-secure-pbkdf2-digest` - **CVE-2023-46233** PBKDF2 SHA1 default (CWE-328)
+
+#### Advanced Security Rules (7)
+
+- `no-math-random-crypto` - Detect Math.random() in crypto contexts (CWE-338)
+- `no-predictable-salt` - Detect empty/hardcoded salts (CWE-331)
+- `require-authenticated-encryption` - Flag CBC/CTR without MAC (CWE-327)
+- `no-key-reuse` - Warn on key reuse across operations (CWE-323)
+- `no-self-signed-certs` - Detect rejectUnauthorized: false (CWE-295)
+- `no-timing-unsafe-compare` - Detect timing-unsafe secret comparison (CWE-208)
+- `require-key-length` - Recommend AES-256 over AES-128/192 (CWE-326)
+- `no-web-crypto-export` - Warn on key export (CWE-321)
+
+#### Package-Specific Rules (6)
+
+- `no-sha1-hash` - Detect sha1() from crypto-hash (CWE-327)
+- `require-sufficient-length` - Require crypto-random-string ≥32 chars (CWE-330)
+- `no-numeric-only-tokens` - Warn on type: 'numeric' (CWE-330)
+- `no-cryptojs` - Warn on deprecated crypto-js usage (CWE-1104)
+- `no-cryptojs-weak-random` - CVE-2020-36732 (CWE-338)
+- `prefer-native-crypto` - Recommend native crypto (CWE-1104)
+
+#### Presets (5)
+
+- `recommended` - Balanced security defaults
+- `strict` - All 24 rules as errors
+- `cryptojs-migration` - For migrating off crypto-js
+- `nodejs-only` - Server-side only (no package rules)
+- `cve-focused` - Rules targeting specific CVEs
+
+#### Features
+
+- LLM-optimized error messages with CWE references
+- Auto-fix suggestions where safe
+- OWASP-aligned recommendations
+- TypeScript support
+- Comprehensive test coverage (302 edge case tests)
+
+### Security
+
+- Covers 13 CWEs: 208, 295, 321, 323, 326, 327, 328, 329, 330, 331, 338, 916, 1104
+- Detects 3 specific CVEs: CVE-2023-46809, CVE-2020-36732, CVE-2023-46233

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Ofri Peretz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,144 @@
+# eslint-plugin-crypto
+
+> Security-focused ESLint plugin with **24 AI-parseable rules** for cryptographic best practices.
+
+Detects weak algorithms, insecure key handling, deprecated crypto patterns, CVE vulnerabilities, and guides you to modern, secure alternatives.
+
+## Features
+
+- 🔐 **24 Rules** covering crypto best practices
+- 🎯 **CVE Detection** (CVE-2023-46809, CVE-2020-36732, CVE-2023-46233)
+- 🤖 **AI-Optimized** messages with CWE references
+- ⚡ **Auto-Fix** suggestions where safe
+- 📦 **Package Support** for crypto-hash, crypto-random-string, crypto-js
+
+## Installation
+
+```bash
+npm install eslint-plugin-crypto --save-dev
+```
+
+## Usage
+
+### ESLint Flat Config (eslint.config.js)
+
+```javascript
+import crypto from 'eslint-plugin-crypto';
+
+export default [crypto.configs.recommended];
+```
+
+## Presets
+
+| Preset               | Description                                  |
+| -------------------- | -------------------------------------------- |
+| `recommended`        | Balanced security defaults for most projects |
+| `strict`             | All 24 rules as errors for maximum security  |
+| `cryptojs-migration` | For teams migrating from crypto-js           |
+| `nodejs-only`        | Only Node.js crypto rules                    |
+| `cve-focused`        | Rules targeting specific CVEs                |
+
+## Rule Categories
+
+### Core Node.js Crypto (8 rules)
+
+| Rule                          | Description                     | CWE     |
+| ----------------------------- | ------------------------------- | ------- |
+| `no-weak-hash-algorithm`      | Disallow MD5, SHA1, MD4         | CWE-327 |
+| `no-weak-cipher-algorithm`    | Disallow DES, 3DES, RC4         | CWE-327 |
+| `no-deprecated-cipher-method` | Disallow createCipher()         | CWE-327 |
+| `no-static-iv`                | Disallow hardcoded IVs          | CWE-329 |
+| `no-ecb-mode`                 | Disallow ECB encryption         | CWE-327 |
+| `no-insecure-key-derivation`  | Require PBKDF2 ≥100k iterations | CWE-916 |
+| `no-hardcoded-crypto-key`     | Disallow hardcoded keys         | CWE-321 |
+| `require-random-iv`           | Require IV from randomBytes()   | CWE-329 |
+
+### CVE-Specific Rules (3 rules)
+
+| Rule                           | CVE            | Description                     |
+| ------------------------------ | -------------- | ------------------------------- |
+| `no-insecure-rsa-padding`      | CVE-2023-46809 | Marvin Attack (RSA PKCS#1 v1.5) |
+| `no-cryptojs-weak-random`      | CVE-2020-36732 | Weak PRNG in crypto-js < 3.2.1  |
+| `require-secure-pbkdf2-digest` | CVE-2023-46233 | Weak PBKDF2 defaults (SHA1)     |
+
+### Advanced Security (7 rules)
+
+| Rule                               | Description                        | CWE     |
+| ---------------------------------- | ---------------------------------- | ------- |
+| `no-math-random-crypto`            | Disallow Math.random() for crypto  | CWE-338 |
+| `no-predictable-salt`              | Disallow empty/hardcoded salts     | CWE-331 |
+| `require-authenticated-encryption` | Require GCM instead of CBC         | CWE-327 |
+| `no-key-reuse`                     | Warn on key reuse                  | CWE-323 |
+| `no-self-signed-certs`             | Disallow rejectUnauthorized: false | CWE-295 |
+| `no-timing-unsafe-compare`         | Require timingSafeEqual()          | CWE-208 |
+| `require-key-length`               | Require AES-256                    | CWE-326 |
+| `no-web-crypto-export`             | Warn on key export                 | CWE-321 |
+
+### Package-Specific Rules (6 rules)
+
+| Package              | Rule                        | Description            |
+| -------------------- | --------------------------- | ---------------------- |
+| crypto-hash          | `no-sha1-hash`              | Disallow sha1()        |
+| crypto-random-string | `require-sufficient-length` | Require min 32 chars   |
+| crypto-random-string | `no-numeric-only-tokens`    | Warn on numeric-only   |
+| crypto-js            | `no-cryptojs`               | Warn on deprecated lib |
+| crypto-js            | `no-cryptojs-weak-random`   | CVE-2020-36732         |
+| Various              | `prefer-native-crypto`      | Prefer native crypto   |
+
+## Examples
+
+### ❌ Bad
+
+```javascript
+// CVE-2023-46809: Marvin Attack
+crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_PADDING }, buffer);
+
+// CWE-338: Weak random
+const token = Math.random().toString(36);
+
+// CWE-327: ECB mode leaks patterns
+crypto.createCipheriv('aes-256-ecb', key, iv);
+
+// CWE-208: Timing attack
+if (userToken === storedToken) { ... }
+```
+
+### ✅ Good
+
+```javascript
+// Use OAEP padding
+crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, buffer);
+
+// Secure random
+const token = crypto.randomBytes(32).toString('hex');
+
+// GCM provides authentication
+crypto.createCipheriv('aes-256-gcm', key, iv);
+
+// Constant-time comparison
+if (crypto.timingSafeEqual(Buffer.from(userToken), Buffer.from(storedToken))) { ... }
+```
+
+## Peer Dependencies (Optional)
+
+```json
+{
+  "crypto-hash": ">=3.0.0",
+  "crypto-random-string": ">=4.0.0",
+  "crypto-js": ">=4.0.0"
+}
+```
+
+## AI-Optimized Messages
+
+All rules include LLM-optimized error messages with:
+
+- CWE references for vulnerability classification
+- CVE references for known vulnerabilities
+- Severity levels (CRITICAL, HIGH, MEDIUM, LOW)
+- Direct fix suggestions with code examples
+- Documentation links
+
+## License
+
+MIT © [Ofri Peretz](https://github.com/ofri-peretz)

package/package.json

@@ -0,0 +1,80 @@
+{
+  "name": "eslint-plugin-crypto",
+  "version": "1.0.0",
+  "description": "Security-focused ESLint plugin with 24 AI-parseable rules for cryptographic best practices. Detects weak algorithms, insecure key handling, CVE-specific vulnerabilities, and deprecated crypto patterns.",
+  "type": "commonjs",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./src/index.d.ts",
+      "default": "./src/index.js"
+    },
+    "./types": {
+      "types": "./src/types/index.d.ts",
+      "default": "./src/types/index.js"
+    }
+  },
+  "author": "Ofri Peretz <ofriperetzdev@gmail.com>",
+  "license": "MIT",
+  "homepage": "https://github.com/ofri-peretz/eslint/blob/main/packages/eslint-plugin-crypto/README.md",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ofri-peretz/eslint.git",
+    "directory": "packages/eslint-plugin-crypto"
+  },
+  "bugs": {
+    "url": "https://github.com/ofri-peretz/eslint/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "src/",
+    "dist/",
+    "docs/",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md",
+    "AGENTS.md"
+  ],
+  "keywords": [
+    "eslint",
+    "eslint-plugin",
+    "eslintplugin",
+    "security",
+    "crypto",
+    "cryptography",
+    "encryption",
+    "hashing",
+    "nodejs-crypto",
+    "cve",
+    "cwe",
+    "owasp",
+    "vulnerability",
+    "llm-optimized",
+    "ai-assistant",
+    "auto-fix",
+    "typescript",
+    "marvin-attack",
+    "timing-attack"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@interlace/eslint-devkit": "^1.2.1",
+    "tslib": "^2.3.0"
+  },
+  "devDependencies": {
+    "@typescript-eslint/parser": "^8.46.2",
+    "@typescript-eslint/rule-tester": "^8.46.2",
+    "@vitest/coverage-v8": "^4.0.6",
+    "vitest": "^4.0.6"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "test:coverage": "vitest run --coverage"
+  }
+}

package/src/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * eslint-plugin-crypto
+ *
+ * Security-focused ESLint plugin with 24 rules for cryptographic best practices.
+ * Covers Node.js crypto, crypto-hash, crypto-random-string, cryptojs, and Web Crypto.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - Auto-fix suggestions where safe
+ * - OWASP-aligned recommendations
+ * - CVE-specific detection (CVE-2023-46809, CVE-2020-36732, CVE-2023-46233)
+ *
+ * @see https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-crypto
+ */
+import type { TSESLint } from '@interlace/eslint-devkit';
+/**
+ * Collection of all crypto security rules (24 total)
+ */
+export declare const rules: Record<string, TSESLint.RuleModule<string, readonly unknown[]>>;
+/**
+ * ESLint Plugin object
+ */
+export declare const plugin: TSESLint.FlatConfig.Plugin;
+/**
+ * Preset configurations
+ */
+export declare const configs: Record<string, TSESLint.FlatConfig.Config>;
+/**
+ * Default export for ESLint plugin
+ */
+export default plugin;
+/**
+ * Re-export all types
+ */
+export * from './types/index';

package/src/index.js

@@ -0,0 +1,213 @@
+"use strict";
+/**
+ * eslint-plugin-crypto
+ *
+ * Security-focused ESLint plugin with 24 rules for cryptographic best practices.
+ * Covers Node.js crypto, crypto-hash, crypto-random-string, cryptojs, and Web Crypto.
+ *
+ * Features:
+ * - LLM-optimized error messages with CWE references
+ * - Auto-fix suggestions where safe
+ * - OWASP-aligned recommendations
+ * - CVE-specific detection (CVE-2023-46809, CVE-2020-36732, CVE-2023-46233)
+ *
+ * @see https://github.com/ofri-peretz/eslint/tree/main/packages/eslint-plugin-crypto
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configs = exports.plugin = exports.rules = void 0;
+const tslib_1 = require("tslib");
+// Core Node.js crypto rules
+const no_weak_hash_algorithm_1 = require("./rules/no-weak-hash-algorithm");
+const no_weak_cipher_algorithm_1 = require("./rules/no-weak-cipher-algorithm");
+const no_deprecated_cipher_method_1 = require("./rules/no-deprecated-cipher-method");
+const no_static_iv_1 = require("./rules/no-static-iv");
+const no_ecb_mode_1 = require("./rules/no-ecb-mode");
+const no_insecure_key_derivation_1 = require("./rules/no-insecure-key-derivation");
+const no_hardcoded_crypto_key_1 = require("./rules/no-hardcoded-crypto-key");
+const require_random_iv_1 = require("./rules/require-random-iv");
+// crypto-hash package rules
+const no_sha1_hash_1 = require("./rules/no-sha1-hash");
+// crypto-random-string package rules
+const require_sufficient_length_1 = require("./rules/require-sufficient-length");
+const no_numeric_only_tokens_1 = require("./rules/no-numeric-only-tokens");
+// cryptojs package rules
+const no_cryptojs_1 = require("./rules/no-cryptojs");
+const no_cryptojs_weak_random_1 = require("./rules/no-cryptojs-weak-random");
+const prefer_native_crypto_1 = require("./rules/prefer-native-crypto");
+// NEW: CVE and advanced security rules
+const no_math_random_crypto_1 = require("./rules/no-math-random-crypto");
+const no_insecure_rsa_padding_1 = require("./rules/no-insecure-rsa-padding");
+const require_secure_pbkdf2_digest_1 = require("./rules/require-secure-pbkdf2-digest");
+const no_predictable_salt_1 = require("./rules/no-predictable-salt");
+const require_authenticated_encryption_1 = require("./rules/require-authenticated-encryption");
+const no_key_reuse_1 = require("./rules/no-key-reuse");
+const no_self_signed_certs_1 = require("./rules/no-self-signed-certs");
+const no_timing_unsafe_compare_1 = require("./rules/no-timing-unsafe-compare");
+const require_key_length_1 = require("./rules/require-key-length");
+const no_web_crypto_export_1 = require("./rules/no-web-crypto-export");
+/**
+ * Collection of all crypto security rules (24 total)
+ */
+exports.rules = {
+    // Core Node.js crypto rules (8)
+    'no-weak-hash-algorithm': no_weak_hash_algorithm_1.noWeakHashAlgorithm,
+    'no-weak-cipher-algorithm': no_weak_cipher_algorithm_1.noWeakCipherAlgorithm,
+    'no-deprecated-cipher-method': no_deprecated_cipher_method_1.noDeprecatedCipherMethod,
+    'no-static-iv': no_static_iv_1.noStaticIv,
+    'no-ecb-mode': no_ecb_mode_1.noEcbMode,
+    'no-insecure-key-derivation': no_insecure_key_derivation_1.noInsecureKeyDerivation,
+    'no-hardcoded-crypto-key': no_hardcoded_crypto_key_1.noHardcodedCryptoKey,
+    'require-random-iv': require_random_iv_1.requireRandomIv,
+    // crypto-hash package rules (1)
+    'no-sha1-hash': no_sha1_hash_1.noSha1Hash,
+    // crypto-random-string package rules (2)
+    'require-sufficient-length': require_sufficient_length_1.requireSufficientLength,
+    'no-numeric-only-tokens': no_numeric_only_tokens_1.noNumericOnlyTokens,
+    // cryptojs package rules (3)
+    'no-cryptojs': no_cryptojs_1.noCryptojs,
+    'no-cryptojs-weak-random': no_cryptojs_weak_random_1.noCryptojsWeakRandom,
+    'prefer-native-crypto': prefer_native_crypto_1.preferNativeCrypto,
+    // Advanced security rules (10)
+    'no-math-random-crypto': no_math_random_crypto_1.noMathRandomCrypto,
+    'no-insecure-rsa-padding': no_insecure_rsa_padding_1.noInsecureRsaPadding,
+    'require-secure-pbkdf2-digest': require_secure_pbkdf2_digest_1.requireSecurePbkdf2Digest,
+    'no-predictable-salt': no_predictable_salt_1.noPredictableSalt,
+    'require-authenticated-encryption': require_authenticated_encryption_1.requireAuthenticatedEncryption,
+    'no-key-reuse': no_key_reuse_1.noKeyReuse,
+    'no-self-signed-certs': no_self_signed_certs_1.noSelfSignedCerts,
+    'no-timing-unsafe-compare': no_timing_unsafe_compare_1.noTimingUnsafeCompare,
+    'require-key-length': require_key_length_1.requireKeyLength,
+    'no-web-crypto-export': no_web_crypto_export_1.noWebCryptoExport,
+};
+/**
+ * ESLint Plugin object
+ */
+exports.plugin = {
+    meta: {
+        name: 'eslint-plugin-crypto',
+        version: '1.0.0',
+    },
+    rules: exports.rules,
+};
+/**
+ * Recommended rules - balanced between security and practicality
+ */
+const recommendedRules = {
+    // Critical - Always error
+    'crypto/no-weak-hash-algorithm': 'error',
+    'crypto/no-weak-cipher-algorithm': 'error',
+    'crypto/no-deprecated-cipher-method': 'error',
+    'crypto/no-hardcoded-crypto-key': 'error',
+    'crypto/no-ecb-mode': 'error',
+    'crypto/no-cryptojs-weak-random': 'error',
+    'crypto/no-math-random-crypto': 'error',
+    'crypto/no-insecure-rsa-padding': 'error',
+    'crypto/no-self-signed-certs': 'error',
+    // High - Error for most projects
+    'crypto/no-static-iv': 'error',
+    'crypto/no-insecure-key-derivation': 'error',
+    'crypto/require-random-iv': 'warn',
+    'crypto/no-sha1-hash': 'error',
+    'crypto/require-secure-pbkdf2-digest': 'error',
+    'crypto/no-predictable-salt': 'error',
+    'crypto/no-timing-unsafe-compare': 'warn',
+    // Medium - Warnings
+    'crypto/require-sufficient-length': 'warn',
+    'crypto/no-numeric-only-tokens': 'warn',
+    'crypto/no-cryptojs': 'warn',
+    'crypto/prefer-native-crypto': 'warn',
+    'crypto/require-authenticated-encryption': 'warn',
+    'crypto/no-key-reuse': 'warn',
+    'crypto/require-key-length': 'warn',
+    'crypto/no-web-crypto-export': 'warn',
+};
+/**
+ * Preset configurations
+ */
+exports.configs = {
+    /**
+     * Recommended configuration - sensible defaults
+     */
+    recommended: {
+        plugins: {
+            crypto: exports.plugin,
+        },
+        rules: recommendedRules,
+    },
+    /**
+     * Strict configuration - all rules as errors
+     */
+    strict: {
+        plugins: {
+            crypto: exports.plugin,
+        },
+        rules: Object.fromEntries(Object.keys(exports.rules).map(ruleName => [`crypto/${ruleName}`, 'error'])),
+    },
+    /**
+     * CryptoJS migration configuration
+     * For teams migrating from crypto-js to native crypto
+     */
+    'cryptojs-migration': {
+        plugins: {
+            crypto: exports.plugin,
+        },
+        rules: {
+            'crypto/no-cryptojs': 'error',
+            'crypto/no-cryptojs-weak-random': 'error',
+            'crypto/prefer-native-crypto': 'error',
+        },
+    },
+    /**
+     * Node.js-only configuration
+     * Only Node.js crypto rules, no package-specific rules
+     */
+    'nodejs-only': {
+        plugins: {
+            crypto: exports.plugin,
+        },
+        rules: {
+            'crypto/no-weak-hash-algorithm': 'error',
+            'crypto/no-weak-cipher-algorithm': 'error',
+            'crypto/no-deprecated-cipher-method': 'error',
+            'crypto/no-static-iv': 'error',
+            'crypto/no-ecb-mode': 'error',
+            'crypto/no-insecure-key-derivation': 'error',
+            'crypto/no-hardcoded-crypto-key': 'error',
+            'crypto/require-random-iv': 'warn',
+            'crypto/no-math-random-crypto': 'error',
+            'crypto/no-insecure-rsa-padding': 'error',
+            'crypto/require-secure-pbkdf2-digest': 'error',
+            'crypto/no-predictable-salt': 'error',
+            'crypto/require-authenticated-encryption': 'warn',
+            'crypto/no-key-reuse': 'warn',
+            'crypto/no-self-signed-certs': 'error',
+            'crypto/no-timing-unsafe-compare': 'warn',
+            'crypto/require-key-length': 'warn',
+        },
+    },
+    /**
+     * CVE-focused configuration
+     * Rules specifically targeting known CVEs
+     */
+    'cve-focused': {
+        plugins: {
+            crypto: exports.plugin,
+        },
+        rules: {
+            'crypto/no-insecure-rsa-padding': 'error', // CVE-2023-46809 (Marvin Attack)
+            'crypto/no-cryptojs-weak-random': 'error', // CVE-2020-36732
+            'crypto/require-secure-pbkdf2-digest': 'error', // CVE-2023-46233
+            'crypto/no-weak-hash-algorithm': 'error', // Various CVEs
+            'crypto/no-weak-cipher-algorithm': 'error', // Various CVEs
+        },
+    },
+};
+/**
+ * Default export for ESLint plugin
+ */
+exports.default = exports.plugin;
+/**
+ * Re-export all types
+ */
+tslib_1.__exportStar(require("./types/index"), exports);
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/eslint-plugin-crypto/src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;AAEH,4BAA4B;AAC5B,2EAAqE;AACrE,+EAAyE;AACzE,qFAA+E;AAC/E,uDAAkD;AAClD,qDAAgD;AAChD,mFAA6E;AAC7E,6EAAuE;AACvE,iEAA4D;AAE5D,4BAA4B;AAC5B,uDAAkD;AAElD,qCAAqC;AACrC,iFAA4E;AAC5E,2EAAqE;AAErE,yBAAyB;AACzB,qDAAiD;AACjD,6EAAuE;AACvE,uEAAkE;AAElE,uCAAuC;AACvC,yEAAmE;AACnE,6EAAuE;AACvE,uFAAiF;AACjF,qEAAgE;AAChE,+FAA0F;AAC1F,uDAAkD;AAClD,uEAAiE;AACjE,+EAAyE;AACzE,mEAA8D;AAC9D,uEAAiE;AAIjE;;GAEG;AACU,QAAA,KAAK,GAAoE;IACpF,gCAAgC;IAChC,wBAAwB,EAAE,4CAAmB;IAC7C,0BAA0B,EAAE,gDAAqB;IACjD,6BAA6B,EAAE,sDAAwB;IACvD,cAAc,EAAE,yBAAU;IAC1B,aAAa,EAAE,uBAAS;IACxB,4BAA4B,EAAE,oDAAuB;IACrD,yBAAyB,EAAE,8CAAoB;IAC/C,mBAAmB,EAAE,mCAAe;IAEpC,gCAAgC;IAChC,cAAc,EAAE,yBAAU;IAE1B,yCAAyC;IACzC,2BAA2B,EAAE,mDAAuB;IACpD,wBAAwB,EAAE,4CAAmB;IAE7C,6BAA6B;IAC7B,aAAa,EAAE,wBAAU;IACzB,yBAAyB,EAAE,8CAAoB;IAC/C,sBAAsB,EAAE,yCAAkB;IAE1C,+BAA+B;IAC/B,uBAAuB,EAAE,0CAAkB;IAC3C,yBAAyB,EAAE,8CAAoB;IAC/C,8BAA8B,EAAE,wDAAyB;IACzD,qBAAqB,EAAE,uCAAiB;IACxC,kCAAkC,EAAE,iEAA8B;IAClE,cAAc,EAAE,yBAAU;IAC1B,sBAAsB,EAAE,wCAAiB;IACzC,0BAA0B,EAAE,gDAAqB;IACjD,oBAAoB,EAAE,qCAAgB;IACtC,sBAAsB,EAAE,wCAAiB;CACgC,CAAC;AAE5E;;GAEG;AACU,QAAA,MAAM,GAA+B;IAChD,IAAI,EAAE;QACJ,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,OAAO;KACjB;IACD,KAAK,EAAL,aAAK;CAC+B,CAAC;AAEvC;;GAEG;AACH,MAAM,gBAAgB,GAAkD;IACtE,0BAA0B;IAC1B,+BAA+B,EAAE,OAAO;IACxC,iCAAiC,EAAE,OAAO;IAC1C,oCAAoC,EAAE,OAAO;IAC7C,gCAAgC,EAAE,OAAO;IACzC,oBAAoB,EAAE,OAAO;IAC7B,gCAAgC,EAAE,OAAO;IACzC,8BAA8B,EAAE,OAAO;IACvC,gCAAgC,EAAE,OAAO;IACzC,6BAA6B,EAAE,OAAO;IAEtC,iCAAiC;IACjC,qBAAqB,EAAE,OAAO;IAC9B,mCAAmC,EAAE,OAAO;IAC5C,0BAA0B,EAAE,MAAM;IAClC,qBAAqB,EAAE,OAAO;IAC9B,qCAAqC,EAAE,OAAO;IAC9C,4BAA4B,EAAE,OAAO;IACrC,iCAAiC,EAAE,MAAM;IAEzC,oBAAoB;IACpB,kCAAkC,EAAE,MAAM;IAC1C,+BAA+B,EAAE,MAAM;IACvC,oBAAoB,EAAE,MAAM;IAC5B,6BAA6B,EAAE,MAAM;IACrC,yCAAyC,EAAE,MAAM;IACjD,qBAAqB,EAAE,MAAM;IAC7B,2BAA2B,EAAE,MAAM;IACnC,6BAA6B,EAAE,MAAM;CACtC,CAAC;AAEF;;GAEG;AACU,QAAA,OAAO,GAA+C;IACjE;;OAEG;IACH,WAAW,EAAE;QACX,OAAO,EAAE;YACP,MAAM,EAAE,cAAM;SACf;QACD,KAAK,EAAE,gBAAgB;KACa;IAEtC;;OAEG;IACH,MAAM,EAAE;QACN,OAAO,EAAE;YACP,MAAM,EAAE,cAAM;SACf;QACD,KAAK,EAAE,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,IAAI,CAAC,aAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,UAAU,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAC,CACpE;KACmC;IAEtC;;;OAGG;IACH,oBAAoB,EAAE;QACpB,OAAO,EAAE;YACP,MAAM,EAAE,cAAM;SACf;QACD,KAAK,EAAE;YACL,oBAAoB,EAAE,OAAO;YAC7B,gCAAgC,EAAE,OAAO;YACzC,6BAA6B,EAAE,OAAO;SACvC;KACmC;IAEtC;;;OAGG;IACH,aAAa,EAAE;QACb,OAAO,EAAE;YACP,MAAM,EAAE,cAAM;SACf;QACD,KAAK,EAAE;YACL,+BAA+B,EAAE,OAAO;YACxC,iCAAiC,EAAE,OAAO;YAC1C,oCAAoC,EAAE,OAAO;YAC7C,qBAAqB,EAAE,OAAO;YAC9B,oBAAoB,EAAE,OAAO;YAC7B,mCAAmC,EAAE,OAAO;YAC5C,gCAAgC,EAAE,OAAO;YACzC,0BAA0B,EAAE,MAAM;YAClC,8BAA8B,EAAE,OAAO;YACvC,gCAAgC,EAAE,OAAO;YACzC,qCAAqC,EAAE,OAAO;YAC9C,4BAA4B,EAAE,OAAO;YACrC,yCAAyC,EAAE,MAAM;YACjD,qBAAqB,EAAE,MAAM;YAC7B,6BAA6B,EAAE,OAAO;YACtC,iCAAiC,EAAE,MAAM;YACzC,2BAA2B,EAAE,MAAM;SACpC;KACmC;IAEtC;;;OAGG;IACH,aAAa,EAAE;QACb,OAAO,EAAE;YACP,MAAM,EAAE,cAAM;SACf;QACD,KAAK,EAAE;YACL,gCAAgC,EAAE,OAAO,EAAM,iCAAiC;YAChF,gCAAgC,EAAE,OAAO,EAAM,iBAAiB;YAChE,qCAAqC,EAAE,OAAO,EAAE,iBAAiB;YACjE,+BAA+B,EAAE,OAAO,EAAO,eAAe;YAC9D,iCAAiC,EAAE,OAAO,EAAK,eAAe;SAC/D;KACmC;CACvC,CAAC;AAEF;;GAEG;AACH,kBAAe,cAAM,CAAC;AAEtB;;GAEG;AACH,wDAA8B"}