getdoorman 1.0.0

package/src/rules/data/index.js

@@ -0,0 +1,2503 @@
+const JS_EXTENSIONS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isSourceFile(f) { return JS_EXTENSIONS.some(ext => f.endsWith(ext)); }
+
+const rules = [
+  // DATA-001: Weak password hashing
+  {
+    id: 'DATA-001',
+    category: 'data',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Weak Password Hashing',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:md5|sha1|sha256)\s*\(/) &&
+              (content.includes('password') || content.includes('passwd'))) {
+            findings.push({
+              ruleId: 'DATA-001', category: 'data', severity: 'critical',
+              title: 'Using MD5/SHA1/SHA256 for password hashing — use bcrypt or argon2',
+              description: 'These hash functions are too fast for passwords and vulnerable to brute force. Use bcrypt, scrypt, or argon2.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-002: No input validation library
+  {
+    id: 'DATA-002',
+    category: 'data',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Input Validation Library',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      const hasValidation = Object.keys({ ...stack.dependencies, ...stack.devDependencies }).some(dep =>
+        ['zod', 'joi', 'yup', 'class-validator', 'superstruct', 'valibot', 'ajv'].includes(dep)
+      );
+
+      if (!hasValidation) {
+        const hasApiRoutes = [...files.keys()].some(f => f.includes('/api/') || f.includes('routes'));
+        if (hasApiRoutes) {
+          findings.push({
+            ruleId: 'DATA-002', category: 'data', severity: 'high',
+            title: 'No input validation library detected (zod, joi, yup, etc.)',
+            description: 'Validate all user input on the server. Never trust data from the client.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-003: Logging sensitive data
+  {
+    id: 'DATA-003',
+    category: 'data',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Potentially Logging Sensitive Data',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.log.*(?:password|token|secret|credit.?card|ssn|api.?key)/i) ||
+              lines[i].match(/logger?\.(?:info|debug|log).*(?:password|token|secret|credit.?card|ssn)/i)) {
+            findings.push({
+              ruleId: 'DATA-003', category: 'data', severity: 'high',
+              title: 'Potentially logging sensitive data (passwords, tokens, etc.)',
+              description: 'Never log passwords, tokens, or PII. Redact sensitive fields before logging.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-004: Verbose errors in production
+  {
+    id: 'DATA-004',
+    category: 'data',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Verbose Error Messages Exposed',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (!filepath.includes('api/') && !filepath.includes('route')) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Sending error stack/message directly to client
+          if (lines[i].match(/(?:res\.(?:json|send|status)).*(?:err\.message|err\.stack|error\.message|error\.stack)/)) {
+            findings.push({
+              ruleId: 'DATA-004', category: 'data', severity: 'medium',
+              title: 'Error details sent to client — information disclosure risk',
+              description: 'Send generic error messages to users. Log detailed errors server-side only.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-005: No .env.example
+  {
+    id: 'DATA-005',
+    category: 'data',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No .env.example File',
+    check({ files }) {
+      const findings = [];
+      const hasEnv = [...files.keys()].some(f => f === '.env' || f === '.env.local');
+      const hasExample = [...files.keys()].some(f => f === '.env.example' || f === '.env.template');
+
+      if (hasEnv && !hasExample) {
+        findings.push({
+          ruleId: 'DATA-005', category: 'data', severity: 'low',
+          title: 'No .env.example file — developers won\'t know what env vars are needed',
+          description: 'Create a .env.example with placeholder values so new developers know what to configure.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-001: HTTP URLs for API calls
+  { id: 'DATA-ENC-001', category: 'data', severity: 'high', confidence: 'likely', title: 'HTTP URL in API Call (Not HTTPS)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/fetch\s*\(\s*['"`]http:\/\/(?!localhost|127\.0\.0\.1)/) ||
+              lines[i].match(/axios\.\w+\s*\(\s*['"`]http:\/\/(?!localhost|127\.0\.0\.1)/)) {
+            findings.push({ ruleId: 'DATA-ENC-001', category: 'data', severity: 'high',
+              title: 'API call over HTTP instead of HTTPS — data transmitted in plaintext', description: 'Use HTTPS for all API calls in production. HTTP exposes data to man-in-the-middle attacks.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-002: ECB mode for AES
+  { id: 'DATA-ENC-002', category: 'data', severity: 'critical', confidence: 'definite', title: 'AES-ECB Mode — Insecure Encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/aes-\d+-ecb|AES.*ECB/i)) {
+            findings.push({ ruleId: 'DATA-ENC-002', category: 'data', severity: 'critical',
+              title: 'AES-ECB mode is insecure — patterns in plaintext are visible in ciphertext', description: 'Use AES-GCM or AES-CBC with a random IV. ECB mode produces identical ciphertexts for identical plaintexts.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-003: Hardcoded IV/nonce
+  { id: 'DATA-ENC-003', category: 'data', severity: 'critical', confidence: 'definite', title: 'Hardcoded IV or Nonce',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\biv\s*=\s*['"`][0-9a-fA-F]{16,}['"`]|Buffer\.from\s*\(\s*['"`][0-9a-fA-F]+['"`]\s*,\s*['"`]hex['"`]\s*\)/)) {
+            findings.push({ ruleId: 'DATA-ENC-003', category: 'data', severity: 'critical',
+              title: 'Hardcoded IV/nonce — breaks encryption security', description: 'Always generate a random IV with crypto.randomBytes(16). A fixed IV with the same key allows ciphertext comparison attacks.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-004: Cookie not marked Secure
+  { id: 'DATA-ENC-004', category: 'data', severity: 'high', confidence: 'likely', title: 'Cookie Not Marked Secure',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/res\.cookie\s*\(/) || lines[i].match(/setCookie\s*\(/)) {
+            const block = lines.slice(i, Math.min(i + 5, lines.length)).join('\n');
+            if (!block.match(/secure\s*:\s*true|secure:\s*true/)) {
+              findings.push({ ruleId: 'DATA-ENC-004', category: 'data', severity: 'high',
+                title: 'Cookie set without Secure flag — sent over HTTP connections', description: "Add secure: true so cookies are only sent over HTTPS. In Express: res.cookie('name', value, { secure: true })", file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-005: Weak RSA key size
+  { id: 'DATA-ENC-005', category: 'data', severity: 'high', confidence: 'likely', title: 'Weak RSA Key Size (<2048 bits)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/modulusLength\s*:\s*(?:512|768|1024)\b/)) {
+            findings.push({ ruleId: 'DATA-ENC-005', category: 'data', severity: 'high',
+              title: 'RSA key size < 2048 bits is considered weak', description: 'Use modulusLength: 4096 for new keys. 512/768/1024-bit RSA keys can be factored with modern hardware.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-001: SSN pattern in code
+  { id: 'DATA-PII-001', category: 'data', severity: 'critical', confidence: 'definite', title: 'Social Security Number Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\bssn\b|\bsocial.?security/i)) {
+          findings.push({ ruleId: 'DATA-PII-001', category: 'data', severity: 'critical',
+            title: 'SSN (Social Security Number) handling detected', description: 'SSNs require strict access controls, encryption, and PCI/HIPAA compliance. Minimize collection and ensure field-level encryption.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-002: PII in URL query params
+  { id: 'DATA-PII-002', category: 'data', severity: 'high', confidence: 'likely', title: 'PII in URL Query Parameters',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/[?&](?:email|name|phone|dob|ssn|password)=/i) ||
+              lines[i].match(/\`[^`]*[?&](?:email|name|phone)=\$\{/i)) {
+            findings.push({ ruleId: 'DATA-PII-002', category: 'data', severity: 'high',
+              title: 'PII in URL query parameters — logged in server access logs', description: 'Never put PII (email, name, phone) in URLs. Use POST body or encrypted tokens instead.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-003: Full name/email in logs
+  { id: 'DATA-PII-003', category: 'data', severity: 'high', confidence: 'likely', title: 'User PII Logged',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.(?:log|info|debug|error)|logger\.(?:info|debug|error)/)) {
+            if (lines[i].match(/user\.email|user\.name|user\.phone|req\.user\.email|profile\.email/)) {
+              findings.push({ ruleId: 'DATA-PII-003', category: 'data', severity: 'high',
+                title: 'User PII (email/name) being logged', description: 'Do not log PII. Log user IDs instead of emails/names to enable debugging without exposing personal data.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-001: No max length on string inputs
+  { id: 'DATA-VAL-001', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Max Length on String Inputs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if ((fp.includes('api/') || fp.includes('route')) && (c.includes('req.body') || c.includes('req.query'))) {
+          if (!c.match(/maxLength|max_length|max:.*\d+|\.max\s*\(\s*\d+/)) {
+            findings.push({ ruleId: 'DATA-VAL-001', category: 'data', severity: 'medium',
+              title: 'No max length validation on user input', description: 'Without max length, users can send megabyte strings that exhaust memory or cause ReDoS. Add .max(255) or similar limits.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-002: No email validation
+  { id: 'DATA-VAL-002', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Email Format Validation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if ((fp.includes('api/') || fp.includes('route')) && c.match(/req\.body\.email|body\.email/)) {
+          if (!c.match(/email\(\)|isEmail|EmailStr|z\.string\(\)\.email|@IsEmail|validateEmail/)) {
+            findings.push({ ruleId: 'DATA-VAL-002', category: 'data', severity: 'medium',
+              title: 'Email field used without format validation', description: "Validate email format before saving. Use zod's .email(), joi's .email(), or a library like validator.js.", file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-003: No file size limit on uploads
+  { id: 'DATA-VAL-003', category: 'data', severity: 'high', confidence: 'likely', title: 'No File Size Limit on Uploads',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.includes('multer') || c.includes('formidable') || c.includes('busboy')) {
+          if (!c.match(/fileSize|maxFileSize|maxSize|limits\s*:\s*\{/)) {
+            findings.push({ ruleId: 'DATA-VAL-003', category: 'data', severity: 'high',
+              title: 'File upload without size limit — denial of service risk', description: 'Set limits.fileSize in multer or equivalent to prevent oversized file uploads from exhausting disk/memory.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-001: S3 bucket with public read
+  { id: 'DATA-STORE-001', category: 'data', severity: 'critical', confidence: 'definite', title: 'S3 Bucket With Public Read Access',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (c.match(/public-read|PublicRead|ACL.*public/i)) {
+          findings.push({ ruleId: 'DATA-STORE-001', category: 'data', severity: 'critical',
+            title: 'S3 bucket configured with public-read ACL', description: 'Public-read exposes all objects to the internet. Use pre-signed URLs for controlled access instead.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-002: Sensitive data in localStorage
+  { id: 'DATA-STORE-002', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive Data in localStorage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/localStorage\.setItem\s*\(/) && lines[i].match(/token|password|secret|key|auth|session/i)) {
+            findings.push({ ruleId: 'DATA-STORE-002', category: 'data', severity: 'high',
+              title: 'Storing sensitive data (token/password) in localStorage — XSS risk', description: 'localStorage is accessible to any JavaScript on the page. Use httpOnly cookies for auth tokens.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-003: File uploads stored in webroot
+  { id: 'DATA-STORE-003', category: 'data', severity: 'high', confidence: 'likely', title: 'File Uploads Stored in Webroot',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/multer|upload|formidable/) && c.match(/dest\s*:\s*['"`]public|uploads.*public|public.*uploads/)) {
+          findings.push({ ruleId: 'DATA-STORE-003', category: 'data', severity: 'high',
+            title: 'Uploaded files stored in public webroot directory', description: 'Files stored in /public are directly accessible via URL. Store uploads outside the webroot and serve via authenticated endpoints.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-004: No virus scan on uploads
+  { id: 'DATA-STORE-004', category: 'data', severity: 'high', confidence: 'likely', title: 'No Virus/Malware Scanning on Uploads',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasUpload = [...files.values()].some(c => c.includes('multer') || c.includes('upload') || c.includes('formidable'));
+      const hasScan = 'clamscan' in allDeps || 'nodejs-clamscan' in allDeps || [...files.values()].some(c => c.match(/clamav|virustotal|malware.*scan|scan.*file/i));
+      if (hasUpload && !hasScan) {
+        findings.push({ ruleId: 'DATA-STORE-004', category: 'data', severity: 'high',
+          title: 'File uploads without virus/malware scanning', description: 'Users can upload malware that gets distributed to other users. Scan with ClamAV or a cloud virus scanning service.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DATA-LIFE-001: No TTL on Redis keys with PII
+  { id: 'DATA-LIFE-001', category: 'data', severity: 'medium', confidence: 'likely', title: 'No TTL on Redis Keys Containing PII',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/redis|ioredis/) && c.match(/\.set\s*\(.*(?:user|session|token|email|profile)/i)) {
+          if (!c.match(/EX\s+\d+|expire\s*\(|\bEX\b|\bPX\b|ttl/i)) {
+            findings.push({ ruleId: 'DATA-LIFE-001', category: 'data', severity: 'medium',
+              title: 'Redis keys containing user data set without TTL', description: 'PII stored in Redis without expiry persists indefinitely. Set EX (seconds) or PX (milliseconds) on all user-related keys.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-001: Currency stored as float
+  { id: 'DATA-QUAL-001', category: 'data', severity: 'high', confidence: 'likely', title: 'Currency Stored as Float',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/(?:price|amount|cost|total|balance)\s*:.*Float|Float.*(?:price|amount|cost)/i) ||
+            c.match(/type\s*:\s*['"`]FLOAT['"`].*(?:price|amount)|DECIMAL.*price/i)) {
+          if (!c.match(/Integer|BigInt|BIGINT|INT.*(?:price|amount)/i)) {
+            findings.push({ ruleId: 'DATA-QUAL-001', category: 'data', severity: 'high',
+              title: 'Currency stored as Float — floating point precision errors in money calculations', description: 'Store monetary values as integers (cents/smallest unit). Float arithmetic causes errors like $1.10 + $2.20 = $3.3000000000000003.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-002: Timestamps without timezone
+  { id: 'DATA-QUAL-002', category: 'data', severity: 'medium', confidence: 'likely', title: 'Timestamps Without Timezone Info',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/new Date\(\)|Date\.now\(\)/) && c.match(/save|insert|create|store/i)) {
+          if (!c.match(/toISOString|UTC|timezone|Intl\.DateTimeFormat/)) {
+            findings.push({ ruleId: 'DATA-QUAL-002', category: 'data', severity: 'medium',
+              title: 'Timestamps stored without explicit timezone information', description: 'Always store timestamps in UTC (Date.toISOString() or timestamp with timezone). Local times cause bugs when servers change timezone.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-006: No HSTS header
+  { id: 'DATA-ENC-006', category: 'data', severity: 'high', confidence: 'likely', title: 'No HSTS Header Configured',
+    check({ files }) {
+      const findings = [];
+      const has = [...files.values()].some(c => c.match(/Strict-Transport-Security|hsts|helmet/i));
+      if (!has) findings.push({ ruleId: 'DATA-ENC-006', category: 'data', severity: 'high', title: 'No HTTP Strict-Transport-Security header — browsers may allow HTTP downgrade', description: "Add helmet() or set 'Strict-Transport-Security: max-age=31536000; includeSubDomains'.", fix: null });
+      return findings;
+    },
+  },
+
+  // DATA-ENC-007: TLS 1.0/1.1 enabled
+  { id: 'DATA-ENC-007', category: 'data', severity: 'high', confidence: 'likely', title: 'Legacy TLS Version Enabled',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/TLSv1[^.2]|TLSv1\.0|TLSv1\.1|ssl.*v3|SSLv3/i)) {
+            findings.push({ ruleId: 'DATA-ENC-007', category: 'data', severity: 'high', title: 'Legacy TLS 1.0/1.1 or SSLv3 enabled — vulnerable to POODLE/BEAST', description: 'Enforce TLS 1.2 minimum, prefer TLS 1.3. Disable TLSv1.0, TLSv1.1, SSLv3.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-008: TLS certificate validation disabled
+  { id: 'DATA-ENC-008', category: 'data', severity: 'high', confidence: 'likely', title: 'TLS Certificate Validation Disabled',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED.*0/)) {
+            findings.push({ ruleId: 'DATA-ENC-008', category: 'data', severity: 'high', title: 'TLS certificate validation disabled — vulnerable to MITM', description: 'Never set rejectUnauthorized: false or NODE_TLS_REJECT_UNAUTHORIZED=0 in production. Use a valid CA-signed certificate.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-009: Weak password hashing (MD5/SHA1)
+  { id: 'DATA-ENC-009', category: 'data', severity: 'critical', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createHash\(['"]md5['"]\)|createHash\(['"]sha1['"]\)|md5\(password|sha1\(password/i)) {
+            findings.push({ ruleId: 'DATA-ENC-009', category: 'data', severity: 'critical', title: 'Password hashed with MD5 or SHA1 — trivially cracked with rainbow tables', description: 'Use bcrypt, argon2, or scrypt for password hashing.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-010: Secrets in docker-compose environment
+  { id: 'DATA-ENC-010', category: 'data', severity: 'high', confidence: 'definite', title: 'Hardcoded Secret in docker-compose',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/docker-compose|compose\.ya?ml/i)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/PASSWORD\s*:|SECRET\s*:|API_KEY\s*:|TOKEN\s*:/i) && lines[i].match(/:\s*\S{6,}/)) {
+            findings.push({ ruleId: 'DATA-ENC-010', category: 'data', severity: 'high', title: 'Hardcoded secret in docker-compose environment', description: 'Use Docker secrets (secrets:) or env_file with a gitignored .env. Never embed passwords in compose files.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-004: User email in logs
+  { id: 'DATA-PII-004', category: 'data', severity: 'high', confidence: 'likely', title: 'User Email Logged Directly',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.(log|info|warn|error)|logger\.(info|debug|warn|error)/i) && lines[i].match(/user\.email|req\.user\.email|body\.email/i)) {
+            findings.push({ ruleId: 'DATA-PII-004', category: 'data', severity: 'high', title: 'User email address logged — PII exposure in log files', description: 'Log user IDs instead of emails. GDPR and CCPA restrict logging personal data in plaintext.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-005: Phone number logged
+  { id: 'DATA-PII-005', category: 'data', severity: 'high', confidence: 'likely', title: 'Phone Number in Logs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.|logger\./i) && lines[i].match(/phone|phoneNumber|mobile|msisdn/i)) {
+            findings.push({ ruleId: 'DATA-PII-005', category: 'data', severity: 'high', title: 'Phone number potentially logged — PII in logs', description: 'Mask phone numbers in logs (e.g., +1-XXX-XXX-1234). Phone numbers are PII under GDPR and CCPA.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-006: Full name in query string
+  { id: 'DATA-PII-006', category: 'data', severity: 'medium', confidence: 'likely', title: 'Full Name in URL Query String',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/[?&](name|fullName|firstName|lastName|username)=/i)) {
+            findings.push({ ruleId: 'DATA-PII-006', category: 'data', severity: 'medium', title: 'PII (name) exposed in URL query string — logged by proxies and servers', description: 'Move PII to POST body or headers. Query strings are logged by web servers, proxies, and browsers.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-007: User IP stored without anonymization
+  { id: 'DATA-PII-007', category: 'data', severity: 'medium', confidence: 'likely', title: 'IP Address Stored Without Anonymization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/req\.ip|req\.socket\.remoteAddress|x-forwarded-for/i) && lines[i].match(/save|insert|create|store|log/i)) {
+            findings.push({ ruleId: 'DATA-PII-007', category: 'data', severity: 'medium', title: 'IP address stored — truncate last octet for GDPR compliance', description: 'IP addresses are personal data under GDPR. Truncate last octet (192.168.1.0) or pseudonymize before storage.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-008: Credit card data in logs
+  { id: 'DATA-PII-008', category: 'data', severity: 'critical', confidence: 'definite', title: 'Payment Card Data in Logs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.|logger\./i) && lines[i].match(/card|cardNumber|pan|cvv|expiry|expirationDate/i)) {
+            findings.push({ ruleId: 'DATA-PII-008', category: 'data', severity: 'critical', title: 'Payment card data potentially logged — PCI DSS violation', description: 'Never log card numbers, CVV, or track data. This is a PCI DSS requirement and triggers mandatory breach notification.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-004: User content rendered without sanitization
+  { id: 'DATA-VAL-004', category: 'data', severity: 'high', confidence: 'likely', title: 'User Content Rendered Without Sanitization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/dangerouslySetInnerHTML|innerHTML\s*=|document\.write/) && !lines[i].match(/DOMPurify|sanitize|xss/i)) {
+            findings.push({ ruleId: 'DATA-VAL-004', category: 'data', severity: 'high', title: 'HTML rendered without sanitization — XSS risk', description: 'Use DOMPurify.sanitize() before inserting HTML. Never pass raw user content to dangerouslySetInnerHTML or innerHTML.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-005: No request body schema validation
+  { id: 'DATA-VAL-005', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Request Body Schema Validation Library',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasValidation = ['joi', 'zod', 'yup', 'ajv', 'class-validator', 'express-validator', '@hapi/joi'].some(d => d in allDeps);
+      if (stack.framework && !hasValidation) {
+        findings.push({ ruleId: 'DATA-VAL-005', category: 'data', severity: 'medium', title: 'No input validation library — API accepts unvalidated request bodies', description: 'Add Joi, Zod, or express-validator. Without schema validation, malformed data reaches your database.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-006: User input in RegExp (ReDoS)
+  { id: 'DATA-VAL-006', category: 'data', severity: 'high', confidence: 'likely', title: 'ReDoS Risk: User Input in RegExp Constructor',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new RegExp\(.*(?:req\.|body\.|params\.|query\.)/)) {
+            findings.push({ ruleId: 'DATA-VAL-006', category: 'data', severity: 'high', title: 'User input used in new RegExp() — Regular Expression Denial of Service (ReDoS)', description: 'Validate and escape user input before using in regex. Use safe-regex or re2 to prevent catastrophic backtracking.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-VAL-007: Numeric input without bounds check
+  { id: 'DATA-VAL-007', category: 'data', severity: 'medium', confidence: 'likely', title: 'Numeric Input Without Bounds Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/parseInt\(.*(?:req\.|body\.|params\.|query\.)|Number\(.*(?:req\.|body\.|params\.|query\.)/)) {
+            const nearby = lines.slice(Math.max(0, i - 2), i + 4).join('\n');
+            if (!nearby.match(/isNaN|isFinite|min|max|<\s*\d|>\s*\d/)) {
+              findings.push({ ruleId: 'DATA-VAL-007', category: 'data', severity: 'medium', title: 'Numeric user input parsed without bounds or NaN check', description: 'After parseInt/parseFloat, check isNaN() and enforce min/max bounds to prevent logic errors.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-005: Database connection string hardcoded
+  { id: 'DATA-STORE-005', category: 'data', severity: 'critical', confidence: 'definite', title: 'Database Connection String Hardcoded',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/mongodb:\/\/[^${\s'"]{3,}:[^${\s'"]{3,}@|postgresql:\/\/[^${\s'"]{3,}:[^${\s'"]{3,}@|mysql:\/\/[^${\s'"]{3,}:[^${\s'"]{3,}@/)) {
+            findings.push({ ruleId: 'DATA-STORE-005', category: 'data', severity: 'critical', title: 'Database connection string with credentials hardcoded', description: 'Move database URLs to environment variables. Rotate credentials immediately if committed to git.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-006: No database connection pooling
+  { id: 'DATA-STORE-006', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Database Connection Pooling',
+    check({ files, stack }) {
+      const findings = [];
+      if (!stack.database) return findings;
+      const allCode = [...files.values()].join('\n');
+      if (!allCode.match(/pool:|poolSize|connectionLimit|max.*connections|pg\.Pool|createPool/i)) {
+        findings.push({ ruleId: 'DATA-STORE-006', category: 'data', severity: 'medium', title: 'No database connection pooling configured', description: 'Configure pooling (pool: { min: 2, max: 10 }). Without pooling, each request opens a new DB connection.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-007: S3 bucket without versioning
+  { id: 'DATA-STORE-007', category: 'data', severity: 'medium', confidence: 'likely', title: 'S3 Bucket Without Versioning',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|json|ya?ml)$/)) continue;
+        if (c.match(/aws_s3_bucket|S3Bucket|Type.*AWS::S3/i) && !c.match(/versioning|VersioningConfiguration/i)) {
+          findings.push({ ruleId: 'DATA-STORE-007', category: 'data', severity: 'medium', title: 'S3 bucket without versioning — accidental deletions are unrecoverable', description: 'Enable S3 versioning and MFA delete for production buckets.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-008: MongoDB without authentication
+  { id: 'DATA-STORE-008', category: 'data', severity: 'critical', confidence: 'definite', title: 'MongoDB Connection Without Authentication',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/mongoose\.connect\(['"]mongodb:\/\/localhost|mongodb\.connect\(['"]mongodb:\/\/localhost/) && !lines[i].match(/authSource|username|password/i)) {
+            findings.push({ ruleId: 'DATA-STORE-008', category: 'data', severity: 'critical', title: 'MongoDB connection without authentication credentials', description: 'Enable MongoDB auth (--auth) and create least-privilege user accounts.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-009: Redis without password
+  { id: 'DATA-STORE-009', category: 'data', severity: 'high', confidence: 'likely', title: 'Redis Connection Without Password',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new Redis\(\)|createClient\(\)|redis\.createClient\(\)/) && !lines[i].match(/password|auth/i)) {
+            findings.push({ ruleId: 'DATA-STORE-009', category: 'data', severity: 'high', title: 'Redis connected without password — exposed Redis has led to many breaches', description: 'Set requirepass in redis.conf and pass password in the client config.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-010: Path traversal risk in file operations
+  { id: 'DATA-STORE-010', category: 'data', severity: 'critical', confidence: 'definite', title: 'Path Traversal Risk in File Operations',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/readFile|writeFile|createReadStream|createWriteStream|unlink/i) && lines[i].match(/req\.(params|query|body)\.|params\.|query\.|body\./) && !lines[i].match(/path\.basename|path\.resolve|sanitize/)) {
+            findings.push({ ruleId: 'DATA-STORE-010', category: 'data', severity: 'critical', title: 'User-controlled path in file operation — path traversal risk', description: 'Use path.basename() to strip directory components. Validate the resolved path is within the allowed directory.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-LIFE-002: No backup strategy
+  { id: 'DATA-LIFE-002', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Database Backup Strategy',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const allPaths = [...files.keys()].join(' ');
+      if (!allCode.match(/backup|pg_dump|mongodump|snapshots|point-in-time|rds.*backup/i) && !allPaths.match(/backup/i)) {
+        findings.push({ ruleId: 'DATA-LIFE-002', category: 'data', severity: 'medium', title: 'No database backup strategy detected', description: 'Configure automated backups (RDS automated backups, MongoDB Atlas, or custom pg_dump scripts). Test restores regularly.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DATA-LIFE-003: No soft delete for user records
+  { id: 'DATA-LIFE-003', category: 'data', severity: 'low', confidence: 'suggestion', title: 'No Soft Delete for User Records',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/destroy\(\)|deleteOne\(\)|deleteMany\(\)/i) && c.match(/user|account|profile/i) && !c.match(/deletedAt|soft.*delete|paranoid|is_deleted/i)) {
+          findings.push({ ruleId: 'DATA-LIFE-003', category: 'data', severity: 'low', title: 'Hard delete on user records — no audit trail', description: 'Add deletedAt column (paranoid mode in Sequelize). Hard deletes make GDPR right-to-erasure audits impossible.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-LIFE-004: No data classification on sensitive fields
+  { id: 'DATA-LIFE-004', category: 'data', severity: 'low', confidence: 'suggestion', title: 'No Data Classification on Sensitive Fields',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/model|schema|entity|migration/i) || !isSourceFile(fp)) continue;
+        if (c.match(/password|ssn|credit_card|card_number|secret|api_key/i) && !c.match(/@sensitive|@pii|@encrypted|data_classification|PII/)) {
+          findings.push({ ruleId: 'DATA-LIFE-004', category: 'data', severity: 'low', title: 'Sensitive database fields without data classification annotations', description: 'Add @sensitive or @pii comments to fields containing PII or secrets. Enables automated scanning and access controls.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-003: Date parsed without ISO format
+  { id: 'DATA-QUAL-003', category: 'data', severity: 'low', confidence: 'suggestion', title: 'Date Parsed Without ISO Format',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new Date\(['"][0-9]{1,2}\/[0-9]{1,2}\/['"]/)) {
+            findings.push({ ruleId: 'DATA-QUAL-003', category: 'data', severity: 'low', title: 'Date string parsed without ISO format — locale-dependent behavior', description: 'Use ISO 8601 format (YYYY-MM-DD) or a date library (date-fns, dayjs). MM/DD/YYYY vs DD/MM/YYYY differs by locale.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-004: Sensitive data in error messages
+  { id: 'DATA-QUAL-004', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive Data in Error Messages',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/throw new Error|new Error\(/) && lines[i].match(/password|secret|token|key|credential/i)) {
+            findings.push({ ruleId: 'DATA-QUAL-004', category: 'data', severity: 'high', title: 'Sensitive value included in error message — may leak to logs or client', description: 'Use generic error messages for the user. Log details server-side without credentials.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-005: Floating point for monetary values
+  { id: 'DATA-QUAL-005', category: 'data', severity: 'medium', confidence: 'likely', title: 'Floating Point for Monetary Values',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/price|amount|balance|total|cost/i) && lines[i].match(/:\s*Float|:\s*FLOAT|:\s*DOUBLE|type.*float/i)) {
+            findings.push({ ruleId: 'DATA-QUAL-005', category: 'data', severity: 'medium', title: 'Monetary value stored as float — rounding errors accumulate', description: 'Store money as integers (cents) or use DECIMAL/NUMERIC SQL type. Use dinero.js for arithmetic. Float is imprecise for currency.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-006: DB connection pool exhaustion
+  { id: 'DATA-QUAL-006', category: 'data', severity: 'high', confidence: 'likely', title: 'Database Connection Pool Exhaustion Risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/const\s+client\s*=\s*await\s+pool\.connect\(\)/)) {
+            const block = lines.slice(i, i + 30).join('\n');
+            if (!block.match(/finally[\s\S]*client\.release/)) {
+              findings.push({ ruleId: 'DATA-QUAL-006', category: 'data', severity: 'high', title: 'pool.connect() without client.release() in finally — connection pool exhaustion', description: 'Always call client.release() in a finally block. Leaked connections exhaust the pool causing timeouts.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-007: JSON.stringify on circular objects
+  { id: 'DATA-QUAL-007', category: 'data', severity: 'medium', confidence: 'likely', title: 'JSON.stringify on Potentially Circular Object',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/JSON\.stringify\(/) && lines[i].match(/req\.|res\.|error|Error/i) && !lines[i].match(/replacer|circular|safe-json/i)) {
+            findings.push({ ruleId: 'DATA-QUAL-007', category: 'data', severity: 'medium', title: 'JSON.stringify on potentially circular object — may throw at runtime', description: 'Use safe-json-stringify or custom replacer when serializing request/response/error objects. Express req/res are circular.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-008: Unbounded array growth in module scope
+  { id: 'DATA-QUAL-008', category: 'data', severity: 'medium', confidence: 'likely', title: 'Unbounded Array in Module Scope',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:const|let|var)\s+\w+\s*=\s*\[\]/) && !lines[i].match(/\/\/ bounded|MAX_SIZE/)) {
+            const rest = lines.slice(i + 1, i + 50).join('\n');
+            if (rest.match(/\.push\(/) && !rest.match(/\.shift\(\)|\.splice\(|\.slice\(|maxLength|MAX_/)) {
+              findings.push({ ruleId: 'DATA-QUAL-008', category: 'data', severity: 'medium', title: 'Module-scope array grows unboundedly — potential memory leak', description: 'Cap the array size or use a circular buffer. Unbounded module-level arrays leak memory over time.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-009: Object spread loses prototype methods
+  { id: 'DATA-QUAL-009', category: 'data', severity: 'low', confidence: 'suggestion', title: 'Object Spread on Class Instance Loses Methods',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\{\s*\.\.\.(new\s+\w+|await\s+\w+\.\w+\()/)) {
+            findings.push({ ruleId: 'DATA-QUAL-009', category: 'data', severity: 'low', title: 'Spreading class instance — prototype methods and non-enumerable props lost', description: 'Use Object.assign() or explicitly list fields. Spreading a class instance only copies own enumerable properties.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-010: Large payload serialized to string for comparison
+  { id: 'DATA-QUAL-010', category: 'data', severity: 'medium', confidence: 'likely', title: 'JSON Serialization for Object Comparison',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/JSON\.stringify\(.*\)\s*===?\s*JSON\.stringify\(|JSON\.stringify\(.*\)\s*!==?\s*JSON\.stringify\(/)) {
+            findings.push({ ruleId: 'DATA-QUAL-010', category: 'data', severity: 'medium', title: 'JSON.stringify used for object equality comparison — fragile and slow', description: 'Use deep-equal library or compare individual fields. JSON.stringify comparison fails for different key ordering and ignores undefined values.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-011: No end-to-end encryption for sensitive messages
+  { id: 'DATA-ENC-011', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive Messages Without E2E Encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/message|chat|inbox|dm\b|directMessage/i) && c.match(/save|send|store|insert/i)) {
+          if (!c.match(/e2e|end.*to.*end|encrypt.*message|sealed|libsodium|signal.*protocol/i)) {
+            findings.push({ ruleId: 'DATA-ENC-011', category: 'data', severity: 'high', title: 'Messages stored/sent without end-to-end encryption', description: 'If privacy is a feature, implement E2E encryption using libsodium or the Signal Protocol. Server should not be able to read message contents.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-PII-009: Health data stored without consent
+  { id: 'DATA-PII-009', category: 'data', severity: 'critical', confidence: 'definite', title: 'Health Data Collected Without Explicit Consent',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/health|medical|fitness|sleep|heart.*rate|bloodPressure|diagnosis/i) && c.match(/save|create|insert|store/i)) {
+          if (!c.match(/consent|hipaa|authorization|permission/i)) {
+            findings.push({ ruleId: 'DATA-PII-009', category: 'data', severity: 'critical', title: 'Health data stored without explicit consent or HIPAA authorization', description: 'Obtain explicit consent before collecting health data. Document the purpose, obtain written authorization, and implement HIPAA safeguards.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-011: No database index on foreign keys
+  { id: 'DATA-STORE-011', category: 'data', severity: 'medium', confidence: 'likely', title: 'Foreign Keys Without Index',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/migration|schema|model/i) || !isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.integer\(.*Id\)|\.bigInteger\(.*Id\)|references\(\)|foreign.*key/i)) {
+            const nearby = lines.slice(Math.max(0, i - 3), i + 5).join('\n');
+            if (!nearby.match(/\.index\(\)|index.*true|createIndex/i)) {
+              findings.push({ ruleId: 'DATA-STORE-011', category: 'data', severity: 'medium', title: 'Foreign key column without explicit index', description: 'Add index to foreign key columns: table.index("userId"). JOINs and WHERE clauses on FK columns are slow without indexes.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-012: Storing secrets in database as plain text
+  { id: 'DATA-STORE-012', category: 'data', severity: 'critical', confidence: 'definite', title: 'Secrets Stored as Plain Text in Database',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/api_key|apiKey|secret|token|access_token/i) && c.match(/save|insert|create|store/i)) {
+          if (!c.match(/encrypt|hash|bcrypt|argon|vault|kms/i)) {
+            findings.push({ ruleId: 'DATA-STORE-012', category: 'data', severity: 'critical', title: 'API keys/secrets potentially stored as plain text in database', description: 'Encrypt sensitive values before storage using KMS or AES-256-GCM. Plain text secrets in DB become breached if DB is compromised.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-011: Using parseInt with no radix
+  { id: 'DATA-QUAL-011', category: 'data', severity: 'low', confidence: 'suggestion', title: 'parseInt Without Radix Parameter',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/parseInt\s*\([^,)]+\)/) && !lines[i].match(/parseInt\s*\([^,)]+,\s*10\)/)) {
+            findings.push({ ruleId: 'DATA-QUAL-011', category: 'data', severity: 'low', title: 'parseInt() called without radix — octal parsing of strings starting with 0', description: 'Always pass radix 10: parseInt(str, 10). Without radix, "08" returns 0 in some engines (octal). Enable ESLint radix rule.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-QUAL-012: Inconsistent null handling
+  { id: 'DATA-QUAL-012', category: 'data', severity: 'medium', confidence: 'likely', title: 'Optional Chaining Not Used Consistently',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const looseChecks = (c.match(/if\s*\(\s*\w+\s*&&\s*\w+\.\w+\s*&&\s*\w+\.\w+\.\w+/g) || []).length;
+        const optionalChaining = (c.match(/\?\./g) || []).length;
+        if (looseChecks > 5 && optionalChaining === 0) {
+          findings.push({ ruleId: 'DATA-QUAL-012', category: 'data', severity: 'medium', title: `${looseChecks} manual null-guard chains — use optional chaining (?.)`, description: 'Replace a && a.b && a.b.c with a?.b?.c. Optional chaining is safer and more concise, reducing null dereference errors.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-LIFE-005: No PII anonymization in test data
+  { id: 'DATA-LIFE-005', category: 'data', severity: 'high', confidence: 'likely', title: 'Production PII Used in Test Data',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/seed|fixture|factory|test.*data|mock.*data/i)) continue;
+        if (c.match(/john@|jane@|@gmail\.com|@yahoo\.com/i) || c.match(/"firstName".*"John"|"lastName".*"Smith"/i)) {
+          findings.push({ ruleId: 'DATA-LIFE-005', category: 'data', severity: 'high', title: 'Real-looking PII in test data/fixtures — may be copied from production', description: 'Use obviously fake data (test@example.com, user@test.invalid). Never copy production PII to test environments. Use faker.js to generate synthetic data.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-012: JWT with none algorithm
+  { id: 'DATA-ENC-012', category: 'data', severity: 'critical', confidence: 'definite', title: 'JWT Algorithm Set to None',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/algorithm.*['"]none['"]|alg.*['"]none['"]/i)) {
+            findings.push({ ruleId: 'DATA-ENC-012', category: 'data', severity: 'critical', title: 'JWT configured with algorithm "none" — tokens are unsigned and forgeable', description: 'Remove "none" algorithm. jwt.verify() must specify allowed algorithms: verify(token, secret, { algorithms: ["HS256"] }).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-STORE-013: Using eval() to parse untrusted JSON
+  { id: 'DATA-STORE-013', category: 'data', severity: 'critical', confidence: 'definite', title: 'eval() Used to Parse JSON',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/eval\s*\(.*json|eval\s*\(.*response|eval\s*\(.*body/i)) {
+            findings.push({ ruleId: 'DATA-STORE-013', category: 'data', severity: 'critical', title: 'eval() used to parse JSON — arbitrary code execution', description: 'Use JSON.parse() instead of eval(). eval() executes any JavaScript in the string, enabling remote code execution from malicious JSON.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DATA-ENC-013: No certificate pinning for mobile
+  { id: 'DATA-ENC-013', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Certificate Pinning for Mobile App',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const isMobile = ['react-native', 'expo', '@capacitor/core'].some(d => d in allDeps);
+      const hasPinning = [...files.values()].some(c => c.match(/certificate.*pin|ssl.*pin|publicKeyHash|RNCNetworkingReactNative/i));
+      if (isMobile && !hasPinning) {
+        findings.push({ ruleId: 'DATA-ENC-013', category: 'data', severity: 'medium', title: 'Mobile app without certificate pinning — MITM interception possible', description: 'Implement certificate pinning for API calls. Without pinning, attackers can install root CA on devices and intercept all encrypted traffic.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DATA-VAL-008: URL validation without protocol check
+  { id: 'DATA-VAL-008', category: 'data', severity: 'high', confidence: 'likely', title: 'URL Validation Without Protocol Allowlist',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new URL\(.*req\.|URL\(.*body\.|URL\(.*params\./)) {
+            if (!lines.slice(i, i + 5).join('\n').match(/protocol.*https|startsWith.*https|allowedProtocols/i)) {
+              findings.push({ ruleId: 'DATA-VAL-008', category: 'data', severity: 'high', title: 'URL parsed from user input without protocol validation — SSRF risk', description: 'Validate protocol: if (!url.protocol.startsWith("https")) throw. Accepting javascript:// or file:// enables XSS or SSRF attacks.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-014: Large objects cached in memory indefinitely
+  { id: 'DATA-STORE-014', category: 'data', severity: 'medium', confidence: 'likely', title: 'In-Memory Cache Without Size Limit or TTL',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:const|let|var)\s+(?:cache|Cache|CACHE)\s*=\s*new\s+Map\(\)|^(?:const|let|var)\s+\w*cache\w*\s*=\s*\{\}/) ) {
+            const rest = lines.slice(i, i + 50).join('\n');
+            if (!rest.match(/\.delete\(|expire|ttl|maxSize|LRU|lru/i)) {
+              findings.push({ ruleId: 'DATA-STORE-014', category: 'data', severity: 'medium', title: 'In-memory cache without eviction policy or TTL — memory leak', description: 'Use a proper LRU cache (lru-cache) with maxSize and TTL. Unlimited Maps leak memory as entries accumulate indefinitely.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-QUAL-013: Missing input trimming
+  { id: 'DATA-QUAL-013', category: 'data', severity: 'low', confidence: 'suggestion', title: 'User Text Input Not Trimmed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/req\.body\.\w+|req\.query\.\w+/) && lines[i].match(/==/)) {
+            const nearby = lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+            if (!nearby.match(/\.trim\(\)|sanitize|normalize/)) {
+              findings.push({ ruleId: 'DATA-QUAL-013', category: 'data', severity: 'low', title: 'User input compared without trimming — leading/trailing spaces cause logic bugs', description: 'Always trim user input before comparison or storage: req.body.email.trim(). Leading/trailing whitespace causes "john@ex.com " to not match "john@ex.com".', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-PII-010: Social media access tokens stored insecurely
+  { id: 'DATA-PII-010', category: 'data', severity: 'high', confidence: 'likely', title: 'OAuth Access Tokens Stored Insecurely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/accessToken|access_token|oauthToken/i) && c.match(/localStorage|cookie|req\.session/i)) {
+          if (!c.match(/httpOnly.*true|Secure.*true|encrypt/i)) {
+            findings.push({ ruleId: 'DATA-PII-010', category: 'data', severity: 'high', title: 'OAuth access token stored without security flags', description: 'Store OAuth tokens in httpOnly, Secure cookies or encrypt before storing. Tokens in non-httpOnly cookies or localStorage are accessible to XSS.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-ENC-014: Using MD5 for data integrity
+  { id: 'DATA-ENC-014', category: 'data', severity: 'high', confidence: 'likely', title: 'MD5 Used for Data Integrity Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createHash\(['"]md5['"]\)/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'DATA-ENC-014', category: 'data', severity: 'high', title: 'MD5 used for integrity check — trivially collide-able', description: 'Use SHA-256 or SHA-3 for integrity checks. MD5 has known collision attacks that allow forging files with the same hash.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-QUAL-014: Using JSON.parse without try/catch
+  { id: 'DATA-QUAL-014', category: 'data', severity: 'medium', confidence: 'likely', title: 'JSON.parse Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/JSON\.parse\s*\(/) && !lines[i].match(/\/\//)) {
+            const context = lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+            if (!context.match(/try\s*\{/) && !context.match(/catch\s*\(/)) {
+              if (lines[i].match(/req\.|res\.|body\.|query\.|param\.|process\.env\.|config\./)) {
+                findings.push({ ruleId: 'DATA-QUAL-014', category: 'data', severity: 'medium', title: 'JSON.parse on external data without try/catch — crashes on malformed input', description: 'Wrap JSON.parse in try/catch when parsing external data. Malformed JSON throws SyntaxError which crashes the request if not caught.', file: fp, line: i + 1, fix: null });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-015: Storing passwords as password_hash with MD5/SHA1
+  { id: 'DATA-STORE-015', category: 'data', severity: 'critical', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createHash\(['"]sha1['"]|createHash\(['"]md5['"]\)/) && lines.slice(Math.max(0, i - 3), i + 3).some(l => l.match(/password|passwd|pwd/i))) {
+            findings.push({ ruleId: 'DATA-STORE-015', category: 'data', severity: 'critical', title: 'Password hashed with MD5/SHA1 — crackable via rainbow tables', description: 'Use bcrypt, Argon2id, or scrypt for password hashing. MD5/SHA1 are fast hash functions — unsuitable for passwords. Rainbow table attacks crack them instantly.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-ENC-015: Encryption key derived from user input directly
+  { id: 'DATA-ENC-015', category: 'data', severity: 'high', confidence: 'likely', title: 'Encryption Key Derived from Password Without KDF',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createCipheriv|AES|crypto\.createCipher\b/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 10), i + 3).join('\n');
+            if (ctx.match(/password|passphrase|userKey/i) && !ctx.match(/pbkdf2|scrypt|argon2|bcrypt/i)) {
+              findings.push({ ruleId: 'DATA-ENC-015', category: 'data', severity: 'high', title: 'Encryption key derived from password without KDF', description: 'Use PBKDF2, scrypt, or Argon2 to derive encryption keys from passwords. Raw passwords as keys are weak and predictable due to low entropy.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-PII-011: PII returned in API response body unnecessarily
+  { id: 'DATA-PII-011', category: 'data', severity: 'medium', confidence: 'likely', title: 'PII Fields Returned in API Response Without Filtering',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/res\.json\s*\(|res\.send\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 5), i + 3).join('\n');
+            if (ctx.match(/password|ssn|credit_card|cardNumber|social_security/i)) {
+              findings.push({ ruleId: 'DATA-PII-011', category: 'data', severity: 'medium', title: 'Sensitive PII fields in API response — over-exposure risk', description: 'Explicitly select fields to return in API responses. Use a DTO/serializer pattern to ensure password, SSN, and card data are never accidentally serialized.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-VAL-009: Missing input length validation
+  { id: 'DATA-VAL-009', category: 'data', severity: 'medium', confidence: 'likely', title: 'No Maximum Length Validation on Text Inputs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/req\.body\.\w+|req\.query\.\w+/) && !lines[i].match(/\.length|maxlength|max\s*:|\.max\s*\(/i)) {
+            const ctx = lines.slice(Math.max(0, i - 2), i + 5).join('\n');
+            if (!ctx.match(/\.max\s*\(|maxLength|MAX_LENGTH|\.slice\s*\(|\.substring\s*\(|\.length\s*[<>]/)) {
+              findings.push({ ruleId: 'DATA-VAL-009', category: 'data', severity: 'medium', title: 'User input used without maximum length check', description: 'Add maximum length validation for all user inputs. Unconstrained input length enables denial of service (memory), database column truncation bugs, and ReDoS.', file: fp, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-LIFE-006: No data archiving strategy
+  { id: 'DATA-LIFE-006', category: 'data', severity: 'low', confidence: 'suggestion', title: 'No Data Archiving Strategy for Old Records',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasDB = ['pg', 'mysql', 'mysql2', 'mongoose'].some(d => d in allDeps);
+      const hasArchive = [...files.values()].some(c => c.match(/archive|partition|cold.?storage|glacier|s3.*old|TTL|expires_at/i));
+      const hasLargeModels = [...files.values()].some(c => c.match(/createdAt|created_at|timestamp/i));
+      if (hasDB && hasLargeModels && !hasArchive) {
+        findings.push({ ruleId: 'DATA-LIFE-006', category: 'data', severity: 'low', title: 'No data archiving strategy — database grows unbounded over time', description: 'Implement archiving for historical data (partitioning, archive tables, S3 cold storage). Unbounded database growth increases query times and storage costs.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-016: Using localStorage for sensitive data
+  { id: 'DATA-STORE-016', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive Data Stored in localStorage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|jsx|ts|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/localStorage\.setItem\s*\(.*?(token|password|secret|key|auth|credential)/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'DATA-STORE-016', category: 'data', severity: 'high', title: 'Sensitive data stored in localStorage — accessible to XSS attacks', description: 'Store authentication tokens in httpOnly cookies. localStorage is accessible to JavaScript and any XSS vulnerability can steal all stored tokens.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-ENC-016: Weak random number for cryptographic purpose
+  { id: 'DATA-ENC-016', category: 'data', severity: 'high', confidence: 'likely', title: 'Math.random() Used for Security-Sensitive Randomness',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/Math\.random\s*\(\s*\)/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+            if (ctx.match(/token|session|key|salt|nonce|otp|code|password|secret|csrf/i)) {
+              findings.push({ ruleId: 'DATA-ENC-016', category: 'data', severity: 'high', title: 'Math.random() used for security token — not cryptographically secure', description: 'Use crypto.randomBytes() or crypto.randomUUID(). Math.random() is a PRNG seeded from system time, predictable, and unsuitable for security tokens.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-017: Database queries with no transaction for multi-step writes
+  { id: 'DATA-STORE-017', category: 'data', severity: 'high', confidence: 'likely', title: 'Multi-Step DB Write Without Transaction',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let insertCount = 0;
+        let hasTransaction = false;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.save\s*\(\s*\)|\.insert\s*\(|\.create\s*\(/)) insertCount++;
+          if (lines[i].match(/transaction|beginTransaction|BEGIN\s+TRANSACTION/i)) hasTransaction = true;
+        }
+        if (insertCount >= 3 && !hasTransaction) {
+          findings.push({ ruleId: 'DATA-STORE-017', category: 'data', severity: 'high', title: 'Multiple DB writes without transaction — partial write on failure leaves data corrupt', description: 'Wrap related writes in a database transaction. Without transactions, a failure midway through a multi-step write leaves the database in an inconsistent state.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-QUAL-015: Comparing dates as strings
+  { id: 'DATA-QUAL-015', category: 'data', severity: 'medium', confidence: 'likely', title: 'Date Comparison Using String Comparison',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/date.*[><=!]{1,2}.*date|createdAt.*[><=!]+.*date|updatedAt.*[><=!]+/i) && lines[i].match(/['"`]\d{4}-\d{2}-\d{2}['"`]/)) {
+            findings.push({ ruleId: 'DATA-QUAL-015', category: 'data', severity: 'medium', title: 'Date compared as string — breaks with non-ISO formats', description: 'Convert to Date objects before comparing. String date comparison only works for ISO 8601 format and breaks with locale-specific formats.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-018: Caching sensitive user data without expiry
+  { id: 'DATA-STORE-018', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive Data Cached Without Expiry',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/cache\.set\s*\(|redis\.set\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 3)).join(' ');
+            if (ctx.match(/password|token|session|credit|ssn|secret/i) && !ctx.match(/EX|TTL|expire|ttl/i)) {
+              findings.push({ ruleId: 'DATA-STORE-018', category: 'data', severity: 'high', title: 'Sensitive data cached without TTL/expiry', description: 'Always set expiry (EX/TTL) when caching sensitive data. Without expiry, stale tokens and credentials persist in cache indefinitely after invalidation.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-PII-012: No data anonymization for analytics
+  { id: 'DATA-PII-012', category: 'data', severity: 'medium', confidence: 'likely', title: 'Raw PII Sent to Analytics Without Anonymization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/analytics|mixpanel|amplitude|segment|heap/i) && lines[i].match(/\.track\s*\(|\.identify\s*\(/)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/email|phone|name|address|ip_address|userId.*@/i)) {
+              findings.push({ ruleId: 'DATA-PII-012', category: 'data', severity: 'medium', title: 'Raw PII sent to analytics platform', description: 'Hash or pseudonymize PII before sending to analytics. Many jurisdictions require that analytics data cannot be used to identify individuals.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-VAL-010: Trusting user-supplied Content-Type
+  { id: 'DATA-VAL-010', category: 'data', severity: 'high', confidence: 'likely', title: 'File Type Validated Only by Content-Type Header',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/req\.(file|files).*mimetype|mimetype.*image|mimetype.*pdf/i) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 2), i + 10).join('\n');
+            if (!ctx.match(/magic|file-type|mmmagic|file\.signature|Buffer\.from.*header/i)) {
+              findings.push({ ruleId: 'DATA-VAL-010', category: 'data', severity: 'high', title: 'File upload validated only by Content-Type — easily spoofed', description: 'Validate file type using magic bytes (file-type package) not just Content-Type header. The mimetype header is user-controlled and can be set to any value to bypass content-type checks.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-019: Using eval to deserialize data from storage
+  { id: 'DATA-STORE-019', category: 'data', severity: 'critical', confidence: 'definite', title: 'eval() Used to Deserialize Stored Data',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/eval\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 5), i + 3).join('\n');
+            if (ctx.match(/redis|cache|storage|db\.|database|localStorage|session/i)) {
+              findings.push({ ruleId: 'DATA-STORE-019', category: 'data', severity: 'critical', title: 'eval() used to deserialize data from storage — RCE if storage is compromised', description: 'Never use eval() to deserialize data. Use JSON.parse with schema validation. If an attacker can write to your cache or database, eval() enables full remote code execution.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-ENC-017: Hardcoded initialization vector (IV)
+  { id: 'DATA-ENC-017', category: 'data', severity: 'critical', confidence: 'definite', title: 'Hardcoded IV/Nonce for Encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/iv\s*=\s*Buffer\.from\s*\(['"`][0-9a-f]{16,}['"`]\)|iv\s*=\s*['"`][0-9a-f]{16,}['"`]/i)) {
+            findings.push({ ruleId: 'DATA-ENC-017', category: 'data', severity: 'critical', title: 'Hardcoded encryption IV — deterministic ciphertext enables plaintext recovery', description: 'Generate a random IV for every encryption with crypto.randomBytes(16). Reusing the same IV with AES-CBC or AES-CTR breaks confidentiality and allows plaintext recovery.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-PII-013: Full user object passed to logging
+  { id: 'DATA-PII-013', category: 'data', severity: 'high', confidence: 'likely', title: 'Full User Object Passed to Logger',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/log(?:ger)?\.(info|debug|warn|error)\s*\(/) && lines[i].match(/req\.user\b|user:\s*req\.user|user,/i) && !lines[i].match(/user\.id\b|userId/)) {
+            findings.push({ ruleId: 'DATA-PII-013', category: 'data', severity: 'high', title: 'Full user object logged — may contain password hash, PII, or tokens', description: 'Log only user.id not the entire user object. User objects typically contain password hashes, email addresses, and profile data that should not appear in logs.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-QUAL-016: Object spread for deep merge (shallow copies only)
+  { id: 'DATA-QUAL-016', category: 'data', severity: 'medium', confidence: 'likely', title: 'Object Spread Used for Deep Merge (Shallow Copy Only)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/=\s*\{\s*\.\.\.\w+,\s*\.\.\.\w+\s*\}/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 3), i + 5).join('\n');
+            if (ctx.match(/config|settings|options|defaults|override/i)) {
+              findings.push({ ruleId: 'DATA-QUAL-016', category: 'data', severity: 'medium', title: 'Object spread for config merge — only shallow merge, nested objects replaced not merged', description: 'Use lodash.merge or a deep merge utility for nested config objects. {...a, ...b} only copies top-level properties; nested objects in b completely replace those in a.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-020: In-memory session with no store
+  { id: 'DATA-STORE-020', category: 'data', severity: 'high', confidence: 'likely', title: 'Express Session Using In-Memory Store',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasSession = 'express-session' in allDeps;
+      const hasSessionStore = ['connect-redis', 'connect-mongo', 'connect-pg-simple', 'express-mysql-session', 'memcached'].some(d => d in allDeps);
+      if (hasSession && !hasSessionStore) {
+        findings.push({ ruleId: 'DATA-STORE-020', category: 'data', severity: 'high', title: 'express-session without persistent store — sessions lost on server restart', description: 'Use connect-redis or connect-mongo for session storage. The default MemoryStore leaks memory, cannot be shared across processes, and loses all sessions on restart.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DATA-ENC-018: Using DES or 3DES encryption
+  { id: 'DATA-ENC-018', category: 'data', severity: 'critical', confidence: 'definite', title: 'DES or 3DES Encryption Algorithm Used',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createCipher.*des|des-cbc|des3|triple.?des|3des/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'DATA-ENC-018', category: 'data', severity: 'critical', title: 'DES/3DES algorithm used — deprecated, vulnerable to Sweet32 attack', description: 'Replace DES/3DES with AES-256-GCM. DES was deprecated in 2005 and 3DES is vulnerable to the Sweet32 birthday attack. NIST deprecated 3DES in 2023.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-LIFE-007: No data export capability for users
+  { id: 'DATA-LIFE-007', category: 'data', severity: 'medium', confidence: 'likely', title: 'No User Data Export Functionality',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasAuth = ['passport', 'jsonwebtoken', 'express-session', 'auth0'].some(d => d in allDeps);
+      const hasExport = [...files.values()].some(c => c.match(/export.*user|user.*export|download.*data|data.*portability|gdpr.*export/i));
+      if (hasAuth && !hasExport) {
+        findings.push({ ruleId: 'DATA-LIFE-007', category: 'data', severity: 'medium', title: 'Authenticated application without user data export feature', description: 'Implement a user data export endpoint. GDPR Article 20 grants data portability rights — users must be able to download their data in a machine-readable format (JSON/CSV).', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DATA-VAL-011: Missing sanitization of HTML input
+  { id: 'DATA-VAL-011', category: 'data', severity: 'high', confidence: 'likely', title: 'HTML Content Stored Without Sanitization',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasSanitizer = ['dompurify', 'sanitize-html', 'xss', 'isomorphic-dompurify'].some(d => d in allDeps);
+      const storesHTML = [...files.values()].some(c => c.match(/richText|htmlContent|bodyHtml|content.*html|html.*content/i) && c.match(/save\s*\(|insert|create\s*\(|update\s*\(/));
+      if (storesHTML && !hasSanitizer) {
+        findings.push({ ruleId: 'DATA-VAL-011', category: 'data', severity: 'high', title: 'HTML content stored without sanitization library', description: 'Use DOMPurify or sanitize-html before storing rich text. Unsanitized HTML creates stored XSS vulnerabilities that execute malicious scripts for all users viewing the content.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DATA-STORE-021: Soft-deleted records returned in queries
+  { id: 'DATA-STORE-021', category: 'data', severity: 'medium', confidence: 'likely', title: 'Soft Delete Without Default Scope Filter',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hasSoftDelete = c.match(/deletedAt|deleted_at|is_deleted|isDeleted/i);
+        const hasDefaultScope = c.match(/defaultScope|paranoid:\s*true|where.*deletedAt.*null|soft.?delete/i);
+        if (hasSoftDelete && !hasDefaultScope) {
+          findings.push({ ruleId: 'DATA-STORE-021', category: 'data', severity: 'medium', title: 'Soft delete field exists but no default scope — deleted records may appear in queries', description: 'Add a default scope that filters out soft-deleted records (where deletedAt IS NULL). Without it, every query must manually exclude deleted records, and omissions cause data leaks.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-QUAL-017: Mutable global config object
+  { id: 'DATA-QUAL-017', category: 'data', severity: 'medium', confidence: 'likely', title: 'Global Configuration Object Mutable at Runtime',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:const|let|var)\s+config\s*=\s*\{/) && !lines[i].match(/Object\.freeze/)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+            if (!ctx.match(/Object\.freeze\s*\(/) && ctx.match(/module\.exports|export default|export\s+\{/)) {
+              findings.push({ ruleId: 'DATA-QUAL-017', category: 'data', severity: 'medium', title: 'Exported config object not frozen — accidental mutation possible', description: 'Use Object.freeze(config) before exporting. Mutable config objects can be accidentally modified by code that imports them, causing hard-to-debug configuration drift.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DATA-PII-014: SSN or date-of-birth stored in plain text
+  { id: 'DATA-PII-014', category: 'data', severity: 'critical', confidence: 'definite', title: 'SSN or Date of Birth Stored in Plain Text',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\bssn\b|social_security_number|social_security\b|date_of_birth\s*[=:]/i) && lines[i].match(/String|TEXT|VARCHAR|string:/i) && !lines[i].match(/encrypt|hash|mask|tokenize/i)) {
+            findings.push({ ruleId: 'DATA-PII-014', category: 'data', severity: 'critical', title: 'SSN/Date of birth field stored without encryption annotation', description: 'Encrypt SSN and full date-of-birth at the application layer or use database-level column encryption. These are high-value PII targets that require encryption at rest.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// DATA-015: Sensitive data in query string
+rules.push({
+  id: 'DATA-015', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive data passed in URL query string',
+  check({ files }) {
+    const findings = [];
+    const p = /[?&](?:password|passwd|token|api_key|apikey|secret|auth|ssn|credit_card)[=]/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'DATA-015', category: 'data', severity: 'high', title: 'Credential in URL query string — visible in server logs and browser history', description: 'Never pass passwords, tokens, or API keys as query parameters. They appear in server access logs, browser history, and Referer headers. Use POST body or Authorization header.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-016: Unencrypted sensitive data at rest
+rules.push({
+  id: 'DATA-016', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive field stored without encryption indication',
+  check({ files }) {
+    const findings = [];
+    const sensitiveField = /(?:credit_card|ssn|social_security|bank_account|passport_number|drivers_license)\s*[:=]/i;
+    const encryptMarker = /encrypt|cipher|@Encrypted|hashed|tokenize/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (sensitiveField.test(lines[i]) && /String|TEXT|VARCHAR|string:/i.test(lines[i]) && !encryptMarker.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-016', category: 'data', severity: 'high', title: 'Sensitive PII field stored without encryption annotation', description: 'Financial and government ID fields must be encrypted at rest. Use application-level encryption or database column encryption for SSNs, card numbers, and similar data.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-017: SSN returned in API response
+rules.push({
+  id: 'DATA-017', category: 'data', severity: 'critical', confidence: 'definite', title: 'Full SSN returned in API response — data exposure',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:res\.json|res\.send|return.*json)\s*\([^)]*(?:ssn|social_security|socialSecurity)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/mask|redact|xxxx|last.*4/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-017', category: 'data', severity: 'critical', title: 'SSN included in API response without masking', description: 'Never return full SSNs in API responses. Return only masked versions (***-**-1234) and only when necessary.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-018: Full card number in API response
+rules.push({
+  id: 'DATA-018', category: 'data', severity: 'critical', confidence: 'definite', title: 'Full card number returned in API response',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:res\.json|res\.send|return.*json)\s*\([^)]*(?:cardNumber|card_number|pan|creditCard)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/mask|last.*4|xxxx|\*{4}/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-018', category: 'data', severity: 'critical', title: 'Full card number in API response — PCI-DSS violation', description: 'Never return full card numbers in API responses. Return only the last 4 digits. Full PANs must never traverse an API that is not PCI-certified.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-019: JSON.stringify of sensitive objects in logs
+rules.push({
+  id: 'DATA-019', category: 'data', severity: 'high', confidence: 'likely', title: 'JSON.stringify of user/request object in logs — credential exposure',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:console\.|logger\.)\w*\s*\([^)]*JSON\.stringify\s*\(\s*(?:req|user|body|session|ctx)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-019', category: 'data', severity: 'high', title: 'JSON.stringify(req/user/body) logged — may expose passwords and tokens', description: 'Logging entire request objects or user records can expose passwords, tokens, and PII. Log only specific safe fields.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-020: Insecure deserialization
+rules.push({
+  id: 'DATA-020', category: 'data', severity: 'high', confidence: 'likely', title: 'Insecure deserialization of user-controlled data',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:unserialize|deserialize|eval\s*\(|Function\s*\()\s*\(\s*(?:req\.|body\.|params\.|query\.|input)/;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-020', category: 'data', severity: 'high', title: 'Unsafe deserialization of user input — code execution risk', description: 'Deserializing untrusted data can lead to remote code execution. Validate and sanitize input before deserialization. Never use eval() on user data.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-021: Missing input sanitization before DB storage
+rules.push({
+  id: 'DATA-021', category: 'data', severity: 'high', confidence: 'likely', title: 'User input stored in DB without sanitization',
+  check({ files }) {
+    const findings = [];
+    const p = /\.(?:create|insert|save|upsert)\s*\(\s*\{[^}]*req\.body/;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/sanitize|validate|joi|zod|yup|schema/i.test(c.substring(0, c.indexOf(lines[i])))) {
+          findings.push({ ruleId: 'DATA-021', category: 'data', severity: 'high', title: 'req.body passed directly to DB create/insert without validation', description: 'Validate and sanitize all user input before storing to prevent mass assignment, XSS payload storage, and injection attacks.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-022: Field-level encryption missing for PII
+rules.push({
+  id: 'DATA-022', category: 'data', severity: 'high', confidence: 'likely', title: 'PII fields stored without field-level encryption',
+  check({ files }) {
+    const findings = [];
+    const piiFields = /(?:email|phone_number|address|ip_address|fingerprint)\s*[:=]\s*(?:req\.|String|TEXT)/i;
+    const encryptMarker = /encrypt|cipher|@Encrypted|tokenize/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (piiFields.test(lines[i]) && !encryptMarker.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (!encryptMarker.test(ctx)) {
+            findings.push({ ruleId: 'DATA-022', category: 'data', severity: 'high', title: 'PII field without field-level encryption', description: 'Email addresses, phone numbers, and IP addresses are PII under GDPR. Consider field-level encryption to minimize breach impact.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-023: Debug data exposure in error responses
+rules.push({
+  id: 'DATA-023', category: 'data', severity: 'high', confidence: 'likely', title: 'Error response includes internal stack trace or sensitive details',
+  check({ files }) {
+    const findings = [];
+    const p = /res\.(?:json|send|status\s*\(\s*\d+\s*\)\.json)\s*\([^)]*(?:err\.stack|error\.stack|stack:|err\.message|stackTrace)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-023', category: 'data', severity: 'high', title: 'Stack trace returned in HTTP response — information disclosure', description: 'Returning error stack traces in API responses reveals internal paths, library versions, and architecture. Return generic error messages in production.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-024: Sensitive data in browser storage
+rules.push({
+  id: 'DATA-024', category: 'data', severity: 'high', confidence: 'likely', title: 'PII or sensitive data stored in localStorage/sessionStorage',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:localStorage|sessionStorage)\.setItem\s*\(\s*['"][^'"]*['"],\s*[^)]*(?:password|ssn|credit|social_security|passport|dob)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-024', category: 'data', severity: 'high', title: 'Sensitive data stored in browser storage — accessible to XSS', description: 'localStorage and sessionStorage are accessible to all JavaScript. Never store passwords, SSNs, or financial data in browser storage.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-025: User data logged without masking
+rules.push({
+  id: 'DATA-025', category: 'data', severity: 'high', confidence: 'likely', title: 'User email or personal data logged without masking',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:console\.|logger\.)\w*\s*\([^)]*(?:user\.email|req\.user\.|profile\.email|email\s*:)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/mask|redact|hash/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-025', category: 'data', severity: 'high', title: 'User email logged without masking — PII in log files', description: 'Logging email addresses creates PII in log files, which may be stored, shipped to third-party services, and subject to breach notification. Mask emails in logs: u***@example.com.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-026: Prototype pollution via merge of user data
+rules.push({
+  id: 'DATA-026', category: 'data', severity: 'high', confidence: 'likely', title: 'Deep merge with user data — prototype pollution risk',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:_.merge|deepmerge|merge\s*\(|assign\s*\()\s*\([^)]*(?:req\.body|req\.query|user|input)/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-026', category: 'data', severity: 'high', title: 'Deep merge with user-supplied data — prototype pollution vulnerability', description: 'Deep merging user input can pollute Object.prototype via __proto__ or constructor keys. Use JSON.parse(JSON.stringify(obj)) or a safe-merge library.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-027: Sensitive response fields not excluded
+rules.push({
+  id: 'DATA-027', category: 'data', severity: 'high', confidence: 'likely', title: 'User object returned in response without excluding sensitive fields',
+  check({ files }) {
+    const findings = [];
+    const p = /res\.json\s*\(\s*(?:user|account|profile)\s*\)|return.*(?:user|account|profile)\s*;/;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 10), i).join('\n');
+          if (!/delete.*password|omit|exclude|select.*{/.test(ctx)) {
+            findings.push({ ruleId: 'DATA-027', category: 'data', severity: 'high', title: 'User object returned in API response may include password hash', description: 'Remove sensitive fields (password, passwordHash, salt, tokens) before returning user objects. Use a DTO pattern or delete the fields explicitly.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-028 through DATA-045: Additional data rules
+
+// DATA-028: Password stored with reversible encryption
+rules.push({
+  id: 'DATA-028', category: 'data', severity: 'critical', confidence: 'definite', title: 'Password stored with reversible encryption instead of one-way hash',
+  check({ files }) {
+    const findings = [];
+    const encryptPassword = /(?:encrypt|cipher|aes|des)\s*\([^)]*password|password\s*[:=]\s*(?:encrypt|cipher)/i;
+    const safeHash = /bcrypt|argon2|scrypt|pbkdf2/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (safeHash.test(c)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (encryptPassword.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-028', category: 'data', severity: 'critical', title: 'Password encrypted (reversible) instead of hashed — use bcrypt/argon2', description: 'Passwords should be hashed with a one-way function (bcrypt, argon2). Reversible encryption allows credential recovery if the key is compromised.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-029: PII transmitted over HTTP
+rules.push({
+  id: 'DATA-029', category: 'data', severity: 'critical', confidence: 'definite', title: 'PII data transmitted over insecure HTTP',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/fetch\s*\(\s*['"]http:\/\//.test(lines[i]) && !/localhost|127\.0\.0\.1|0\.0\.0\.0/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 5)).join('\n');
+          if (/email|password|phone|address|ssn|name/i.test(ctx)) {
+            findings.push({ ruleId: 'DATA-029', category: 'data', severity: 'critical', title: 'PII transmitted over HTTP (not HTTPS)', description: 'Personal data must only be transmitted over encrypted HTTPS connections. Plain HTTP exposes data to network eavesdropping.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-030: Raw error messages with internal details exposed
+rules.push({
+  id: 'DATA-030', category: 'data', severity: 'medium', confidence: 'likely', title: 'Database error messages exposed to client',
+  check({ files }) {
+    const findings = [];
+    const p = /res\.(?:json|send)\s*\([^)]*(?:err|error)\.message/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-030', category: 'data', severity: 'medium', title: 'Raw error message returned to client — may expose SQL/schema details', description: 'Database error messages may contain table names, column names, or SQL syntax. Return generic error messages to clients in production.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-031: Audit log without immutability
+rules.push({
+  id: 'DATA-031', category: 'data', severity: 'medium', confidence: 'likely', title: 'Audit logs without write-once/immutability protection',
+  check({ files }) {
+    const findings = [];
+    const hasAuditLog = [...files.values()].some(c => /auditLog|AuditLog|audit_log/i.test(c));
+    const hasImmutability = [...files.values()].some(c => /s3.*object.*lock|worm|immutable.*log|append.*only|CloudTrail/i.test(c));
+    if (hasAuditLog && !hasImmutability) {
+      findings.push({ ruleId: 'DATA-031', category: 'data', severity: 'medium', title: 'Audit logs without immutability protection — logs could be tampered with', description: 'Audit logs must be tamper-evident. Store audit logs in append-only storage, S3 with Object Lock, or a dedicated SIEM that prevents modification.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DATA-032: User-generated content not sanitized before storage
+rules.push({
+  id: 'DATA-032', category: 'data', severity: 'high', confidence: 'likely', title: 'User-generated content stored without HTML sanitization',
+  check({ files }) {
+    const findings = [];
+    const ugcSave = /(?:create|update|save|insert)\s*\([^)]*(?:content|body|description|bio|comment|post|message)/i;
+    const hasSanitize = /DOMPurify|sanitize-html|xss|sanitize|escape/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (!ugcSave.test(c)) continue;
+      if (!hasSanitize.test(c)) {
+        findings.push({ ruleId: 'DATA-032', category: 'data', severity: 'high', title: 'User content saved without HTML sanitization — stored XSS risk', description: 'User-generated HTML content must be sanitized before storage and on output. Use DOMPurify or sanitize-html to strip malicious tags.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-033: Direct SQL in migration without parameterization
+rules.push({
+  id: 'DATA-033', category: 'data', severity: 'medium', confidence: 'likely', title: 'Migration file with dynamic SQL construction',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/migration/i) || !isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/queryInterface\.(?:bulkInsert|sequelize\.query)\s*\([^)]*\$\{/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-033', category: 'data', severity: 'medium', title: 'Migration SQL with template literals — injection risk if data is external', description: 'Avoid dynamic SQL in migrations. Use bind parameters for any variable data in migration scripts.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-034: GraphQL introspection enabled in production
+rules.push({
+  id: 'DATA-034', category: 'data', severity: 'medium', confidence: 'likely', title: 'GraphQL introspection enabled in production — schema exposure',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/graphql|ApolloServer/i.test(c) && !/introspection.*false|disableIntrospection/i.test(c)) {
+        const hasProduction = /NODE_ENV.*production|process\.env\.NODE_ENV/i.test(c);
+        if (!hasProduction || !/introspection.*NODE_ENV.*development|NODE_ENV.*development.*introspection/i.test(c)) {
+          findings.push({ ruleId: 'DATA-034', category: 'data', severity: 'medium', title: 'GraphQL introspection not disabled for production — full schema exposed', description: 'Disable GraphQL introspection in production: { introspection: process.env.NODE_ENV !== "production" }. Introspection reveals your entire API schema to attackers.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-035 through DATA-050: More data rules
+
+// DATA-035: API response includes internal IDs
+rules.push({
+  id: 'DATA-035', category: 'data', severity: 'low', confidence: 'suggestion', title: 'Internal database IDs exposed in API response',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/res\.json\s*\([^)]*\bid\b[^)]*\)/.test(lines[i]) && !/uuid|externalId|publicId/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-035', category: 'data', severity: 'low', title: 'Sequential integer ID exposed in API — enables enumeration attacks', description: 'Exposing sequential database IDs allows attackers to enumerate resources. Use UUIDs or a separate public ID field for external references.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-036: No rate limiting on data export
+rules.push({
+  id: 'DATA-036', category: 'data', severity: 'medium', confidence: 'likely', title: 'Data export endpoint without rate limiting',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:router|app)\.\w+\s*\(\s*['"`][^'"`]*(?:export|download|csv|report)[^'"`]*['"`]/i.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join('\n');
+          if (!/rateLimit|throttle|rate-limit/i.test(ctx)) {
+            findings.push({ ruleId: 'DATA-036', category: 'data', severity: 'medium', title: 'Data export endpoint without rate limiting — bulk data exfiltration risk', description: 'Data export endpoints should be rate limited and require authentication. Unlimited exports can be used for data exfiltration.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-037: Logging request/response body in middleware
+rules.push({
+  id: 'DATA-037', category: 'data', severity: 'high', confidence: 'likely', title: 'Request body logged in middleware — may expose credentials',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/console\.|logger\./.test(lines[i]) && /req\.body|request\.body/.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-037', category: 'data', severity: 'high', title: 'req.body logged in middleware — passwords and tokens exposed in logs', description: 'Never log full request bodies. They may contain passwords, tokens, and payment information. Log only safe fields or redact sensitive keys.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-038: Sensitive headers forwarded to third parties
+rules.push({
+  id: 'DATA-038', category: 'data', severity: 'high', confidence: 'likely', title: 'Authorization header forwarded to third-party API',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/headers.*Authorization.*req\.headers|req\.headers.*Authorization.*forward/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-038', category: 'data', severity: 'high', title: 'User\'s Authorization header forwarded to external service', description: 'Forwarding user authorization headers to third-party APIs exposes user credentials. Generate service-to-service credentials for downstream calls.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-039: No data classification system
+rules.push({
+  id: 'DATA-039', category: 'data', severity: 'low', confidence: 'suggestion', title: 'No data classification labels in code — sensitivity unknown',
+  check({ files }) {
+    const findings = [];
+    const hasPII = [...files.values()].some(c => /email|ssn|phone|address|credit_card/i.test(c));
+    const hasClassification = [...files.values()].some(c => /PUBLIC|CONFIDENTIAL|RESTRICTED|PII|PHI|@sensitive|@classified|DataClassification/i.test(c));
+    if (hasPII && !hasClassification) {
+      findings.push({ ruleId: 'DATA-039', category: 'data', severity: 'low', title: 'PII fields without data classification annotations', description: 'Annotate PII and sensitive fields with classification labels (@PII, @Sensitive) to enable automated data governance and access control policies.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DATA-040: Missing data validation on file uploads
+rules.push({
+  id: 'DATA-040', category: 'data', severity: 'high', confidence: 'likely', title: 'File upload without content-type or size validation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/multer|formidable|busboy|multipart|file.*upload/i.test(c)) {
+        if (!/fileSize|maxSize|mimetype|allowedTypes|fileFilter|limits/i.test(c)) {
+          findings.push({ ruleId: 'DATA-040', category: 'data', severity: 'high', title: 'File upload handler without size or MIME type validation', description: 'File uploads without validation allow uploading malicious files (web shells) or very large files (DoS). Validate MIME type and set file size limits.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-041: Sending PII to analytics
+rules.push({
+  id: 'DATA-041', category: 'data', severity: 'high', confidence: 'likely', title: 'PII potentially sent to analytics service',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:analytics|gtag|fbq|mixpanel|heap|segment)\s*\.[^(]*\([^)]*(?:email|phone|name|ssn)/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-041', category: 'data', severity: 'high', title: 'PII sent to analytics provider — GDPR/CCPA violation', description: 'Sending email addresses, phone numbers, or names to third-party analytics violates GDPR and CCPA data minimization requirements. Hash identifiers before sending.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-042: Sensitive fields returned in paginated list responses
+rules.push({
+  id: 'DATA-042', category: 'data', severity: 'high', confidence: 'likely', title: 'User list endpoint returning sensitive fields',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/find\s*\(\s*\)\s*\.select|findAll\s*\(\s*\)/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i+5)).join('\n');
+          if (/password|token|secret|ssn|creditCard/i.test(block)) findings.push({ ruleId: 'DATA-042', category: 'data', severity: 'high', title: 'User list query may return sensitive fields', description: 'Explicitly exclude sensitive fields from list queries using .select("-password -token").', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-043: Unmasked PAN in API response
+rules.push({
+  id: 'DATA-043', category: 'data', severity: 'critical', confidence: 'definite', title: 'Credit card PAN returned in API response without masking',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/res\.(?:json|send)\s*\([^)]*(?:cardNumber|card_number|pan|creditCard)/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-043', category: 'data', severity: 'critical', title: 'Credit card number in API response — must be masked (show only last 4 digits)', description: 'Never return full card numbers in API responses. Mask to show only last 4 digits.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-044: Database IDs exposed directly in API
+rules.push({
+  id: 'DATA-044', category: 'data', severity: 'medium', confidence: 'likely', title: 'Sequential integer IDs exposed in API — enumeration attack risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/req\.params\.id\s*\*1|parseInt\s*\(\s*req\.params\.id|Number\s*\(\s*req\.params\.id/.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-044', category: 'data', severity: 'medium', title: 'Sequential integer ID in route — enables enumeration attacks', description: 'Use UUIDs or Hashids instead of sequential integers to prevent data enumeration.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-045: Passwords stored with reversible hashing
+rules.push({
+  id: 'DATA-045', category: 'data', severity: 'critical', confidence: 'definite', title: 'Password hashed with reversible algorithm (MD5/SHA1)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:md5|sha1|sha256)\s*\([^)]*password|password[^=]*=\s*(?:md5|sha1|sha256)\s*\(/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-045', category: 'data', severity: 'critical', title: 'Password hashed with non-password-hashing algorithm — use bcrypt/argon2', description: 'Hash passwords with bcrypt, argon2, or scrypt. MD5/SHA1/SHA256 are not suitable for passwords.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-046: User data written to temp files without cleanup
+rules.push({
+  id: 'DATA-046', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive data written to temp files without cleanup',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:writeFile|writeFileSync)\s*\([^)]*(?:\/tmp|os\.tmpdir|\btmp\b)/i.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/unlink|rm\s*\(|delete|cleanup|finally/.test(block)) findings.push({ ruleId: 'DATA-046', category: 'data', severity: 'high', title: 'Data written to temp file without cleanup — sensitive data persists on disk', description: 'Delete temporary files in a finally block or use a temp file library that cleans up automatically.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-047: Unencrypted backup files
+rules.push({
+  id: 'DATA-047', category: 'data', severity: 'high', confidence: 'likely', title: 'Database backup script without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.sh') && !fp.endsWith('.bash') && !fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/pg_dump|mysqldump|mongodump/i.test(c) && !/encrypt|gpg|openssl|aes|cipher/i.test(c)) {
+        findings.push({ ruleId: 'DATA-047', category: 'data', severity: 'high', title: 'Database backup without encryption — backup files contain plaintext data', description: 'Encrypt backup files using gpg or openssl before storing or transmitting.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-048: GraphQL mutation accepting entire user object
+rules.push({
+  id: 'DATA-048', category: 'data', severity: 'high', confidence: 'likely', title: 'GraphQL mutation accepting full user input object — mass assignment risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.endsWith('.graphql') && !fp.endsWith('.gql')) continue;
+      if (/mutation\s+\w+\s*\([^)]*input:\s*\w*Input\b/i.test(c) && !/role|permission|isAdmin/i.test(c)) {
+        findings.push({ ruleId: 'DATA-048', category: 'data', severity: 'high', title: 'GraphQL mutation with generic input type — may allow mass assignment of privileged fields', description: 'Use specific input types and explicitly whitelist allowed fields in GraphQL mutations.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-049: Personal data not anonymized in test databases
+rules.push({
+  id: 'DATA-049', category: 'data', severity: 'high', confidence: 'likely', title: 'Production data patterns in test fixtures — potential PII in tests',
+  check({ files }) {
+    const findings = [];
+    const emailPattern = /[a-zA-Z0-9._%+-]+@(?:gmail|yahoo|hotmail|outlook)\.[a-zA-Z]{2,}/;
+    for (const [fp, c] of files) {
+      if (!fp.includes('fixture') && !fp.includes('seed') && !fp.includes('test')) continue;
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.endsWith('.json')) continue;
+      if (emailPattern.test(c) && /password|ssn|creditCard|phone/i.test(c)) {
+        findings.push({ ruleId: 'DATA-049', category: 'data', severity: 'high', title: 'Real-looking PII in test fixtures — use anonymous test data', description: 'Use fake/anonymous data in test fixtures. Real email addresses and personal data should never appear in test files.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-050: Sensitive data in URL query parameters logged by web server
+rules.push({
+  id: 'DATA-050', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive data passed as URL query parameter — logged in access logs',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.match(/\.[jt]sx?$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:fetch|axios)\s*\([^)]*\?.*(?:token|password|secret|key)=/i.test(lines[i]) || /window\.location.*\?.*(?:token|password|secret)=/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-050', category: 'data', severity: 'high', title: 'Sensitive data in URL query string — visible in server logs and browser history', description: 'Pass sensitive values in request headers or body, never as URL query parameters.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-051: User data exported without authorization check
+rules.push({
+  id: 'DATA-051', category: 'data', severity: 'high', confidence: 'likely', title: 'Data export endpoint without ownership/authorization check',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:router|app)\.get\s*\([^)]*(?:export|download)/i.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/req\.user|userId|ownerId|authorize|permission/i.test(body)) findings.push({ ruleId: 'DATA-051', category: 'data', severity: 'high', title: 'Export endpoint without authorization check — IDOR vulnerability', description: 'Verify that the authenticated user owns the data being exported before allowing the download.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-052: Sensitive data returned in error stack traces
+rules.push({
+  id: 'DATA-052', category: 'data', severity: 'high', confidence: 'likely', title: 'Error responses include stack traces — may leak sensitive data',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/res\.(?:json|send)\s*\([^)]*error\.stack|message:\s*err\.stack|stack:\s*err\.stack/.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-052', category: 'data', severity: 'high', title: 'Error stack trace in API response — exposes internal code structure', description: 'Never send error.stack to clients. Log it server-side and return a generic error message.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-053: Missing data masking for logs
+rules.push({
+  id: 'DATA-053', category: 'data', severity: 'high', confidence: 'likely', title: 'User object logged without redacting sensitive fields',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:console\.log|logger\.\w+)\s*\([^)]*\buser\b/.test(lines[i]) && !/redact|mask|omit|sanitize|exclude|select/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-053', category: 'data', severity: 'high', title: 'User object logged without redacting sensitive fields', description: 'Before logging user objects, redact sensitive fields: const { password, token, ...safeUser } = user.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-054: User-controlled sort/order by parameter in database query
+rules.push({
+  id: 'DATA-054', category: 'data', severity: 'high', confidence: 'likely', title: 'Database sort/orderBy field controlled directly by user input',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:orderBy|sort)\s*:\s*(?:req\.|body\.|params\.|query\.)/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-054', category: 'data', severity: 'high', title: 'User-controlled orderBy/sort — SQL injection or data leakage risk', description: 'Validate sort fields against an allowlist before using in database queries.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-055: Sensitive data in localStorage
+rules.push({
+  id: 'DATA-055', category: 'data', severity: 'high', confidence: 'likely', title: 'Sensitive user data stored in localStorage',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.[jt]sx?$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/localStorage\.setItem\s*\([^)]*(?:ssn|creditCard|card_number|password|secret|privateKey)/i.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-055', category: 'data', severity: 'high', title: 'Sensitive data stored in localStorage — accessible to XSS attacks', description: 'Never store sensitive data in localStorage. Use sessionStorage or encrypt before storing.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-056: Event sourcing without encryption for PII events
+rules.push({
+  id: 'DATA-056', category: 'data', severity: 'high', confidence: 'likely', title: 'Event store records containing PII without encryption',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/eventStore|EventStore|event_store|appendToStream|saveEvent/i.test(c) && /email|phone|ssn|address/i.test(c) && !/encrypt|cipher|crypto/i.test(c)) {
+        findings.push({ ruleId: 'DATA-056', category: 'data', severity: 'high', title: 'Event store contains PII fields without encryption', description: 'Encrypt PII fields in event store records. Events are immutable so encryption must be applied at write time.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-057: Missing data retention policy implementation
+rules.push({
+  id: 'DATA-057', category: 'data', severity: 'medium', confidence: 'likely', title: 'No data retention/deletion job found — stale data accumulation',
+  check({ files }) {
+    const findings = [];
+    const hasDeletion = [...files.values()].some(c => /deleteMany\s*\(\s*\{[^}]*(?:createdAt|date|expir)/i.test(c) || /cron|schedule|retention/i.test(c));
+    if (!hasDeletion) {
+      const dbFiles = [...files.keys()].filter(f => (f.endsWith('.js') || f.endsWith('.ts')) && /model|schema|entity/.test(f));
+      if (dbFiles.length > 0) findings.push({ ruleId: 'DATA-057', category: 'data', severity: 'medium', title: 'No data retention job found — stale records accumulate over time', description: 'Implement scheduled jobs to delete or archive records older than your retention policy.', file: dbFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// DATA-058: Geolocation data stored without consent
+rules.push({
+  id: 'DATA-058', category: 'data', severity: 'high', confidence: 'likely', title: 'Geolocation data stored without explicit user consent',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.[jt]sx?$/)) continue;
+      if (/navigator\.geolocation|getCurrentPosition|watchPosition/i.test(c) && !/consent|permission|hasPermission/i.test(c)) {
+        findings.push({ ruleId: 'DATA-058', category: 'data', severity: 'high', title: 'Geolocation accessed without checking stored consent', description: 'Check for and store user consent before accessing or storing geolocation data.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-059: Biometric data without special category treatment
+rules.push({
+  id: 'DATA-059', category: 'data', severity: 'critical', confidence: 'definite', title: 'Biometric data processed without GDPR special category controls',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/fingerprint|faceId|biometric|voicePrint|retina/i.test(c) && !/explicit.consent|special.category|gdpr|article.9/i.test(c)) {
+        findings.push({ ruleId: 'DATA-059', category: 'data', severity: 'critical', title: 'Biometric data requires GDPR Article 9 explicit consent and special protections', description: 'Biometric data is a special category under GDPR. Implement explicit consent, strict access controls, and document processing basis.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-060: Unvalidated JSON merge patch
+rules.push({
+  id: 'DATA-060', category: 'data', severity: 'high', confidence: 'likely', title: 'JSON merge patch applied without field validation — mass assignment',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/Object\.assign\s*\(\s*\w+,\s*(?:req\.body|body\b)/i.test(lines[i]) || /\.\.\.\s*req\.body/.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-060', category: 'data', severity: 'high', title: 'Object.assign/spread with req.body — mass assignment vulnerability', description: 'Explicitly whitelist fields from req.body before assigning to database objects.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DATA-061: Missing data minimization in API responses
+rules.push({
+  id: 'DATA-061', category: 'data', severity: 'medium', confidence: 'likely', title: 'API response may include more fields than required (over-sharing)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/res\.json\s*\(\s*(?:await\s+)?\w+\.findById\s*\(|res\.json\s*\(\s*(?:await\s+)?\w+\.findOne\s*\(/.test(lines[i]) && !/\.select\s*\(|\.toJSON\s*\(|\.toObject\s*\(|pick\s*\(|omit\s*\(/.test(lines[i])) {
+          findings.push({ ruleId: 'DATA-061', category: 'data', severity: 'medium', title: 'Database document returned directly in response without field selection', description: 'Use .select() or toSafeObject() to explicitly include only needed fields in API responses.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});