getdoorman 1.0.0

package/src/rules/security/auth.js

@@ -0,0 +1,1328 @@
+/**
+ * Doorman CLI - Authentication Security Rules
+ * SEC-AUTH-001 through SEC-AUTH-020
+ *
+ * Detects authentication and session-management weaknesses
+ * across source files using regex/pattern analysis.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some((ext) => f.endsWith(ext));
+const isTest = (f) =>
+  f.includes('test') ||
+  f.includes('spec') ||
+  f.includes('mock') ||
+  f.includes('fixture');
+
+/**
+ * Return true when a trimmed line is a comment and should be ignored.
+ */
+function isCommentLine(line) {
+  const trimmed = line.trim();
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  );
+}
+
+/**
+ * Split file content into an array of { text, num } objects.
+ */
+function getLines(content) {
+  if (!content) return [];
+  return content.split('\n').map((text, i) => ({ text, num: i + 1 }));
+}
+
+/**
+ * Get a window of raw text around a given 1-based line number.
+ */
+function contextWindow(lines, lineNum, radius = 15) {
+  const start = Math.max(0, lineNum - 1 - radius);
+  const end = Math.min(lines.length, lineNum + radius);
+  return lines
+    .slice(start, end)
+    .map((l) => l.text)
+    .join('\n');
+}
+
+/**
+ * Build a single finding object that matches the expected shape.
+ */
+function mkFinding(rule, opts = {}) {
+  return {
+    ruleId: rule.id,
+    category: 'security',
+    severity: rule.severity,
+    title: rule.title,
+    description: opts.description || null,
+    confidence: opts.confidence || rule.confidence || null,
+    file: opts.file || null,
+    line: opts.line || null,
+    fix: null,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Rules
+// ---------------------------------------------------------------------------
+
+const rules = [
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-001 (critical): Plaintext password storage
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Plaintext password storage detected',
+    check({ files }) {
+      const findings = [];
+      const savePattern =
+        /(?:save|create|insert|store|write|update|set)\s*\(.*password/i;
+      const assignPattern =
+        /(?:password|passwd|pwd)\s*[:=]\s*(?:req\.body|params|args|input)/i;
+      const hashNearby =
+        /(?:hash|bcrypt|argon2|scrypt|pbkdf2|crypto\.)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (savePattern.test(text) || assignPattern.test(text)) {
+            const ctx = contextWindow(lines, num, 20);
+            if (!hashNearby.test(ctx)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'Password appears to be stored without hashing. Use bcrypt, argon2, or scrypt before persisting.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-002 (critical): Weak password hashing (MD5/SHA1/SHA256)
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Weak password hashing algorithm',
+    check({ files }) {
+      const findings = [];
+      const weakHash =
+        /(?:createHash|\.hash)\s*\(\s*['"](?:md5|sha1|sha256)['"]/i;
+      const pwdContext = /password|passwd|pwd/i;
+
+      const strongHash = /bcrypt|argon2|scrypt|pbkdf2/i;
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (strongHash.test(text)) continue; // bcrypt/argon2/scrypt are safe
+          if (weakHash.test(text)) {
+            const ctx = contextWindow(lines, num, 10);
+            if (pwdContext.test(ctx)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'MD5, SHA-1, or SHA-256 is not suitable for password hashing. Use bcrypt, argon2, or scrypt instead.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-003 (high): No password strength enforcement
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'No password strength validation',
+    check({ files }) {
+      const findings = [];
+      const registerPattern =
+        /(?:register|signup|sign_up|createUser|createAccount)/i;
+      const strengthCheck =
+        /(?:minLength|minlength|min_length|password.*\.length|password.*length|passwordStrength|zxcvbn|owasp-password|\.min\s*\(\s*\d|z\.string\(\).*\.min)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        if (!registerPattern.test(content || '')) continue;
+        if (!strengthCheck.test(content || '')) {
+          findings.push(
+            mkFinding(this, {
+              description:
+                'Registration/signup handler found without password length or strength validation. Enforce minimum password requirements.',
+              file: filePath,
+            })
+          );
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-004 (critical): JWT secret hardcoded
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Hardcoded JWT secret',
+    check({ files }) {
+      const findings = [];
+      const jwtSignInline =
+        /jwt\.sign\s*\([^)]*,\s*['"][^'"]{2,}['"]/i;
+      const envRef =
+        /process\.env|config\.|Configuration|getEnv|env\[/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (jwtSignInline.test(text) && !envRef.test(text)) {
+            findings.push(
+              mkFinding(this, {
+                description:
+                  'JWT is signed with a hardcoded string secret. Store the secret in an environment variable or secrets manager.',
+                file: filePath,
+                line: num,
+              })
+            );
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-005 (high): JWT without expiration
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JWT signed without expiration',
+    check({ files }) {
+      const findings = [];
+      const jwtSign = /jwt\.sign\s*\(/i;
+      const expiryOption =
+        /expiresIn|exp\s*:|exp['"]|expiresAt/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (let i = 0; i < lines.length; i++) {
+          const { text, num } = lines[i];
+          if (isCommentLine(text)) continue;
+          if (jwtSign.test(text)) {
+            // Check the jwt.sign call and next 5 lines for expiry
+            const window = lines
+              .slice(i, Math.min(lines.length, i + 6))
+              .map((l) => l.text)
+              .join('\n');
+            if (!expiryOption.test(window)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'jwt.sign() called without an expiresIn option. Tokens without expiration remain valid indefinitely.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-006 (critical): JWT algorithm none
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'JWT "none" algorithm allowed',
+    check({ files }) {
+      const findings = [];
+      const noneAlgo =
+        /algorithms\s*:\s*\[.*['"]none['"].*\]/i;
+      const algoNone =
+        /algorithm\s*[:=]\s*['"]none['"]/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (noneAlgo.test(text) || algoNone.test(text)) {
+            findings.push(
+              mkFinding(this, {
+                description:
+                  'JWT verification allows the "none" algorithm, which disables signature verification entirely.',
+                file: filePath,
+                line: num,
+              })
+            );
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-007 (critical): Missing auth middleware on API routes
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'suggestion',
+    title: 'API route missing authentication middleware',
+    check({ files }) {
+      const findings = [];
+      const routeFile = /(?:route|router|api|endpoint)/i;
+      const routeDefinition =
+        /(?:router|app)\s*\.(?:get|post|put|patch|delete)\s*\(/i;
+      const authMiddleware =
+        /(?:auth|authenticate|verifyToken|protect|isAuthenticated|requireAuth|ensureAuth|passport\.authenticate|requireLogin|checkAuth)/i;
+      const publicRoute =
+        /(?:login|signup|register|health|ping|public|reset-password|verify-email|forgot|upload|webhook|static|assets)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        if (!routeFile.test(filePath)) continue;
+        if (publicRoute.test(filePath)) continue;
+
+        if (!routeDefinition.test(content)) continue;
+        if (authMiddleware.test(content)) continue;
+
+        // Check if another file imports this router and applies auth middleware before it
+        const routeBasename = filePath.replace(/.*\//, '').replace(/\.[^.]+$/, '');
+        let coveredByParent = false;
+        for (const [otherPath, otherContent] of files) {
+          if (otherPath === filePath) continue;
+          if (!isJS(otherPath) || isTest(otherPath)) continue;
+          // Look for import of the current router file
+          const importsRouter = new RegExp(
+            '(?:import|require)[^;]*' + routeBasename.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'),
+            'i'
+          );
+          if (importsRouter.test(otherContent) && authMiddleware.test(otherContent)) {
+            coveredByParent = true;
+            break;
+          }
+        }
+        if (coveredByParent) continue;
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Route file defines API endpoints but does not reference any authentication middleware.',
+            file: filePath,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-008 (critical): No role check on admin routes
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'suggestion',
+    title: 'Admin route missing role/permission check',
+    check({ files }) {
+      const findings = [];
+      const adminFile = /admin/i;
+      const routeDef =
+        /(?:router|app)\s*\.(?:get|post|put|patch|delete)\s*\(/i;
+      const roleCheck =
+        /(?:role|permission|isAdmin|authorize|requireRole|checkRole|hasPermission|rbac|can\(|ability)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        if (!adminFile.test(filePath)) continue;
+
+        if (!routeDef.test(content)) continue;
+        if (roleCheck.test(content)) continue;
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Admin route file does not include role or permission checks. Ensure admin endpoints verify user privileges.',
+            file: filePath,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-009 (medium): User enumeration via distinct error messages
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'User enumeration via distinct error messages',
+    check({ files }) {
+      const findings = [];
+      const userNotFound =
+        /['"](?:user not found|no user|account not found|email not found|username not found|user does not exist|unknown user|no account)['"]/i;
+      const wrongPassword =
+        /['"](?:wrong password|incorrect password|invalid password|password is wrong|password mismatch|bad password)['"]/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!userNotFound.test(content) || !wrongPassword.test(content)) continue;
+
+        // Find the first occurrence line
+        const lines = getLines(content);
+        let lineNum = null;
+        for (const { text, num } of lines) {
+          if (userNotFound.test(text) || wrongPassword.test(text)) {
+            lineNum = num;
+            break;
+          }
+        }
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Separate error messages for "user not found" and "wrong password" allow attackers to enumerate valid accounts. Use a generic message like "Invalid credentials".',
+            file: filePath,
+            line: lineNum,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-010 (high): No brute force protection on login
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Login handler missing brute force protection',
+    check({ files }) {
+      const findings = [];
+      const loginHandler =
+        /(?:login|signin|sign_in|authenticate)\s*(?:=|:|\()/i;
+      const routeLogin =
+        /\.(?:post|put)\s*\(\s*['"]\/(?:login|signin|auth\/login|auth\/signin)['"]/i;
+      const rateLimiting =
+        /(?:rateLimit|rateLimiter|RateLimit|rate_limit|throttle|slowDown|brute|express-rate-limit|express-brute|loginAttempts|maxAttempts|lockout)/i;
+      // Validation-only files (Joi/zod schemas) are not login handlers
+      const validationOnly =
+        /(?:Joi\.object|z\.object|Schema\s*=|schema\s*=)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!loginHandler.test(content) && !routeLogin.test(content)) continue;
+        // Skip files that only define validation schemas (no actual route/handler)
+        if (validationOnly.test(content) && !routeLogin.test(content)) continue;
+        if (rateLimiting.test(content)) continue;
+
+        const lines = getLines(content);
+        let lineNum = null;
+        for (const { text, num } of lines) {
+          if (loginHandler.test(text) || routeLogin.test(text)) {
+            lineNum = num;
+            break;
+          }
+        }
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Login handler does not reference rate limiting or brute force protection. Apply rate limiting to prevent credential stuffing.',
+            file: filePath,
+            line: lineNum,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-011 (high): Session fixation - no session regeneration
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Session fixation vulnerability',
+    check({ files }) {
+      const findings = [];
+      const sessionUsage = /req\.session/i;
+      const loginContext =
+        /(?:login|signin|sign_in|authenticate)/i;
+      const regenerate =
+        /session\.regenerate|regenerateSession|req\.session\.regenerate/i;
+      // Must set user identity on the session (not just flash or other non-auth fields)
+      const sessionIdentitySet =
+        /req\.session\.\s*(?:userId|user(?:Id|_id)?|uid|account|memberId|sub|principal|identity)\s*=/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!sessionUsage.test(content)) continue;
+        if (!loginContext.test(content)) continue;
+        if (regenerate.test(content)) continue;
+        // Only flag files that actually set a user identity in the session
+        if (!sessionIdentitySet.test(content)) continue;
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Login handler uses sessions but does not call session.regenerate(). This may allow session fixation attacks.',
+            file: filePath,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-012 (high): Insecure password reset token without expiry
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Password reset token without expiration',
+    check({ files }) {
+      const findings = [];
+      const resetContext =
+        /(?:resetToken|reset_token|passwordReset|password_reset|forgotPassword|forgot_password)/i;
+      const expiryRef =
+        /(?:expires|expiresAt|expires_at|expiresIn|expires_in|ttl|expiry|expiration|validUntil|valid_until)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!resetContext.test(content)) continue;
+        if (expiryRef.test(content)) continue;
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Password reset logic generates a token but does not set an expiration. Reset tokens should expire within a short window (e.g. 1 hour).',
+            file: filePath,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-013 (high): OAuth without state parameter
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'OAuth flow missing state parameter',
+    check({ files }) {
+      const findings = [];
+      const oauthUrl =
+        /(?:\/authorize|\/oauth|oauth2|openid|authorization_endpoint)/i;
+      const stateParam =
+        /(?:state\s*[:=]|[&?]state=|state\s*:\s*|\.state\b)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!oauthUrl.test(content)) continue;
+
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (oauthUrl.test(text)) {
+            const ctx = contextWindow(lines, num, 10);
+            if (!stateParam.test(ctx)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'OAuth authorization request does not include a "state" parameter. This leaves the flow vulnerable to CSRF attacks.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-014 (critical): OAuth open redirect
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-014',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'OAuth open redirect via unvalidated redirect_uri',
+    check({ files }) {
+      const findings = [];
+      const redirectFromInput =
+        /redirect_uri\s*[:=]\s*(?:req\.query|req\.body|req\.params|request\.query|ctx\.query|ctx\.request)/i;
+      const validation =
+        /(?:whitelist|allowedRedirects|allowedUrls|validRedirect|validateRedirect|isAllowedRedirect|redirectWhitelist|allowedOrigins|safelist)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (redirectFromInput.test(text)) {
+    
+            if (!validation.test(content)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'redirect_uri is taken directly from user input without validation against an allow-list. This enables open redirect attacks.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-015 (medium): No multi-factor authentication references
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-015',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'No multi-factor authentication (MFA) implementation found',
+    check({ files }) {
+      const findings = [];
+      const mfaRef =
+        /(?:totp|mfa|2fa|two.?factor|authenticator|speakeasy|otplib|otp|one.?time.?password|google.?authenticator)/i;
+
+      // Only fire when the codebase has files containing actual login/signup
+      // route definitions — not on utility modules that merely verify tokens
+      // or hash passwords.
+      const authRoutePattern =
+        /\.(?:post|put)\s*\(\s*['"]\/(?:login|signin|auth\/login|signup|register)/i;
+
+      let hasAuthRoute = false;
+      let anyMfa = false;
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        if (content && authRoutePattern.test(content)) hasAuthRoute = true;
+        if (content && mfaRef.test(content)) anyMfa = true;
+      }
+      if (!hasAuthRoute) return findings;
+
+      if (!anyMfa) {
+        findings.push(
+          mkFinding(this, {
+            description:
+              'No references to multi-factor authentication (TOTP, 2FA, etc.) found in the codebase. Consider adding MFA for sensitive accounts.',
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-016 (high): Credentials in URL / query string
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-016',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Credentials passed in URL query string',
+    check({ files }) {
+      const findings = [];
+      const credInQuery =
+        /[?&](?:token|password|passwd|pwd|secret|api_key|apiKey|access_token|auth_token)=/i;
+      const templateCred =
+        /(?:\$\{.*(?:token|password|secret|api_key|apiKey).*\}|['"].*[?&](?:token|password|secret|api_key|apiKey)=['"]?\s*\+)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (credInQuery.test(text) || templateCred.test(text)) {
+            findings.push(
+              mkFinding(this, {
+                description:
+                  'Credentials (token, password, API key) are passed via URL query string. Use headers or POST body instead to avoid logging exposure.',
+                file: filePath,
+                line: num,
+              })
+            );
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-017 (critical): Default / well-known credentials
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-017',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Default or well-known credentials detected',
+    check({ files }) {
+      const findings = [];
+      const defaultCreds =
+        /(?:password|passwd|pwd|secret|token)\s*[:=]\s*['"](?:password123|admin123|changeme|letmein|qwerty|123456|passw0rd|welcome1|test1234)['"]/i;
+      const adminAdmin =
+        /(?:username|user|login)\s*[:=]\s*['"]admin['"]\s*[,;]?\s*(?:\n\s*)?(?:password|passwd|pwd)\s*[:=]\s*['"]admin['"]/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (defaultCreds.test(text)) {
+            findings.push(
+              mkFinding(this, {
+                description:
+                  'Default or well-known credentials found in source code. Remove hardcoded credentials and require secure values.',
+                file: filePath,
+                line: num,
+              })
+            );
+          }
+        }
+        // Check for admin/admin across adjacent lines
+
+        if (adminAdmin.test(content)) {
+          findings.push(
+            mkFinding(this, {
+              description:
+                'Default admin/admin credential pair detected. Remove hardcoded credentials and require secure values.',
+              file: filePath,
+            })
+          );
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-018 (medium): Insecure remember-me token
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-018',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure remember-me token implementation',
+    check({ files }) {
+      const findings = [];
+      const rememberMe =
+        /(?:remember.?me|rememberMe|remember_me|keepLoggedIn|keep_logged_in|stayLoggedIn)/i;
+      const tokenExpiry =
+        /(?:maxAge|max_age|expires|expiresIn|expires_in|expiresAt|httpOnly|secure)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!rememberMe.test(content)) continue;
+
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (rememberMe.test(text)) {
+            const ctx = contextWindow(lines, num, 10);
+            if (!tokenExpiry.test(ctx)) {
+              findings.push(
+                mkFinding(this, {
+                  description:
+                    'Remember-me token is set without maxAge/expires or security flags. Ensure the token has a bounded lifetime and is marked httpOnly/secure.',
+                  file: filePath,
+                  line: num,
+                })
+              );
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-019 (medium): Logout without session invalidation
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-019',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Logout handler does not invalidate session/token',
+    check({ files }) {
+      const findings = [];
+      const logoutRoute =
+        /(?:\/logout|\/signout|\/sign-out|\/sign_out)/i;
+      const logoutHandler =
+        /(?:logout|signout|sign_out|signOut|logOut)\s*(?:=|:|\(|async)/i;
+      const invalidation =
+        /(?:destroy|delete|invalidate|revoke|remove|clear|expire|blacklist|blocklist|\.del\(|\.remove\(|clearCookie|removeToken)/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+
+        if (!logoutRoute.test(content) && !logoutHandler.test(content)) continue;
+        if (invalidation.test(content)) continue;
+
+        const lines = getLines(content);
+        let lineNum = null;
+        for (const { text, num } of lines) {
+          if (logoutRoute.test(text) || logoutHandler.test(text)) {
+            lineNum = num;
+            break;
+          }
+        }
+
+        findings.push(
+          mkFinding(this, {
+            description:
+              'Logout handler does not destroy, delete, or invalidate the session or token. Clients may remain authenticated after logout.',
+            file: filePath,
+            line: lineNum,
+          })
+        );
+      }
+      return findings;
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // SEC-AUTH-020 (critical): API key in client-side code
+  // -----------------------------------------------------------------------
+  {
+    id: 'SEC-AUTH-020',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'API key exposed in client-side code',
+    check({ files }) {
+      const findings = [];
+      const clientDir =
+        /(?:^|\/)(?:pages|app|components|src\/components|src\/pages|src\/app|public|static|client|frontend|views)\//i;
+      const apiKeyPattern =
+        /(?:api[_-]?key|apiKey|API_KEY|secret[_-]?key|secretKey|SECRET_KEY|auth[_-]?token|AUTH_TOKEN)\s*[:=]\s*['"][A-Za-z0-9_\-/+=.]{8,}['"]/i;
+      const envRef =
+        /process\.env|import\.meta\.env|NEXT_PUBLIC_|REACT_APP_|VITE_/i;
+
+      for (const [filePath, content] of files) {
+        if (!isJS(filePath) || isTest(filePath)) continue;
+        if (!clientDir.test(filePath)) continue;
+        const lines = getLines(content);
+        for (const { text, num } of lines) {
+          if (isCommentLine(text)) continue;
+          if (apiKeyPattern.test(text) && !envRef.test(text)) {
+            findings.push(
+              mkFinding(this, {
+                description:
+                  'Hardcoded API key or secret found in client-side code. This will be exposed to end users. Use environment variables with a public prefix (NEXT_PUBLIC_, REACT_APP_, etc.) or a backend proxy.',
+                file: filePath,
+                line: num,
+              })
+            );
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// SEC-AUTH-021: JWT algorithm:none vulnerability
+const _auth021 = {
+  id: 'SEC-AUTH-021', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'JWT algorithm:none — tokens accepted without signature',
+  check({ files }) {
+    const findings = [];
+    const noneAlg = /(?:algorithm|alg)\s*[:=]\s*['"]none['"]/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (noneAlg.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-021', category: 'security', severity: 'critical', title: 'JWT alg:none disables signature verification — forge any token', description: 'Setting JWT algorithm to "none" disables signature verification, allowing attackers to forge tokens.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+};
+rules.push(_auth021);
+
+// SEC-AUTH-022: JWT signed with weak hardcoded secret
+rules.push({
+  id: 'SEC-AUTH-022', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'JWT signed with hardcoded weak secret',
+  check({ files }) {
+    const findings = [];
+    const p = /jwt\.sign\s*\([^,]+,\s*['"][^'"]{1,20}['"]/;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/process\.env/.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-022', category: 'security', severity: 'critical', title: 'JWT signed with short hardcoded secret — brute-forceable', description: 'Use a long random secret from environment variables for JWT signing.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-023: JWT without expiry
+rules.push({
+  id: 'SEC-AUTH-023', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'JWT issued without expiration (expiresIn not set)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/jwt\.sign\s*\(/.test(lines[i]) && !/expiresIn|exp\s*:/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 4)).join('\n');
+          if (!/expiresIn|exp\s*:/.test(ctx)) findings.push({ ruleId: 'SEC-AUTH-023', category: 'security', severity: 'high', title: 'JWT signed without expiresIn — tokens valid forever', description: 'Tokens without expiry cannot be revoked if stolen. Set expiresIn to the shortest practical duration.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-024: JWT verify without algorithm
+rules.push({
+  id: 'SEC-AUTH-024', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'JWT verify() without explicit algorithms option',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/jwt\.verify\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 1), Math.min(lines.length, i + 4)).join('\n');
+          if (!/algorithms\s*:|algorithm\s*:/.test(ctx)) findings.push({ ruleId: 'SEC-AUTH-024', category: 'security', severity: 'high', title: 'jwt.verify() without algorithms option — alg confusion attack', description: 'Pass { algorithms: ["RS256"] } to jwt.verify() to prevent algorithm confusion attacks.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-025: No rate limiting on auth endpoints
+rules.push({
+  id: 'SEC-AUTH-025', category: 'security', severity: 'high', confidence: 'suggestion',
+  title: 'No rate limiting on authentication endpoints',
+  check({ files }) {
+    const findings = [];
+    const authRoute = /(?:router|app)\s*\.post\s*\(\s*['"`][^'"`]*(?:login|signin|sign-in|auth\/token|\/token)[^'"`]*/i;
+    const rateLimit = /rateLimit|rate-limit|express-rate|throttle|slowDown/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      if (!authRoute.test(c)) continue;
+      if (!rateLimit.test(c)) {
+        const lines = c.split('\n');
+        let ln = null;
+        for (let i = 0; i < lines.length; i++) { if (authRoute.test(lines[i])) { ln = i + 1; break; } }
+        findings.push({ ruleId: 'SEC-AUTH-025', category: 'security', severity: 'high', title: 'Auth endpoint without rate limiting — brute-force risk', description: 'Authentication endpoints without rate limiting allow unlimited password guesses. Use express-rate-limit.', file: fp, line: ln, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-026: Session fixation
+rules.push({
+  id: 'SEC-AUTH-026', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'Session fixation: session not regenerated after login',
+  check({ files }) {
+    const findings = [];
+    const loginPat = /(?:login|signin|sign_in|authenticate)\s*(?:=|:|\(|async)/i;
+    const regenPat = /session\.regenerate|req\.session\.regenerate/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      if (loginPat.test(c) && !regenPat.test(c) && /express-session|req\.session/.test(c)) {
+        findings.push({ ruleId: 'SEC-AUTH-026', category: 'security', severity: 'critical', title: 'Session not regenerated after login — session fixation vulnerability', description: 'Call req.session.regenerate() after successful login to prevent session fixation attacks.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-027: Cookie without SameSite
+rules.push({
+  id: 'SEC-AUTH-027', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Cookie set without SameSite attribute',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/res\.cookie\s*\(/.test(lines[i]) && !/sameSite|SameSite/.test(lines[i])) {
+          // Scan ahead to the closing ) to capture multi-line options object
+          let end = i + 1;
+          let depth = (lines[i].match(/\(/g)||[]).length - (lines[i].match(/\)/g)||[]).length;
+          while (end < lines.length && depth > 0) {
+            depth += (lines[end].match(/\(/g)||[]).length - (lines[end].match(/\)/g)||[]).length;
+            end++;
+          }
+          const ctx = lines.slice(i, Math.min(lines.length, end + 1)).join('\n');
+          if (!/sameSite|SameSite/.test(ctx)) findings.push({ ruleId: 'SEC-AUTH-027', category: 'security', severity: 'high', title: 'Cookie without SameSite attribute — CSRF risk', description: 'Set sameSite: "strict" or "lax" on all cookies to prevent CSRF attacks.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-028: Bearer token logged
+rules.push({
+  id: 'SEC-AUTH-028', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Auth token or Bearer header logged',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:console\.|logger\.)\w*\s*\([^)]*(?:Bearer|authorization|token|JWT)/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-028', category: 'security', severity: 'high', title: 'Auth token logged — credential exposure in logs', description: 'Logging Bearer tokens or auth headers exposes credentials. Redact before logging.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-029: OAuth missing state parameter
+rules.push({
+  id: 'SEC-AUTH-029', category: 'security', severity: 'medium', confidence: 'suggestion',
+  title: 'OAuth flow missing CSRF state parameter',
+  check({ files }) {
+    const findings = [];
+    const oauthPat = /authorization_code|oauth.*redirect_uri/i;
+    const statePat = /state\s*[:=]|&state=|\?state=/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      if (oauthPat.test(c) && !statePat.test(c)) {
+        findings.push({ ruleId: 'SEC-AUTH-029', category: 'security', severity: 'medium', title: 'OAuth flow without state parameter — CSRF possible', description: 'Include a random state parameter in OAuth flows and verify it on callback to prevent CSRF.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-030: Auth token in localStorage
+rules.push({
+  id: 'SEC-AUTH-030', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Auth token stored in localStorage — XSS exposure',
+  check({ files }) {
+    const findings = [];
+    const p = /localStorage\.setItem\s*\(\s*['"][^'"]*(?:token|jwt|auth|session)[^'"]*['"]/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-030', category: 'security', severity: 'high', title: 'Auth token in localStorage is accessible to XSS', description: 'Use httpOnly cookies for auth tokens. localStorage is accessible to any JavaScript running on the page.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-031: Hardcoded admin credentials
+rules.push({
+  id: 'SEC-AUTH-031', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'Hardcoded default/admin credentials',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:username|user|admin|password|passwd|pwd)\s*[:=]\s*['"]\s*(?:admin|password|123456|root|secret|admin123|pass|test)['"]/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec') || fp.includes('fixture')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-031', category: 'security', severity: 'critical', title: 'Hardcoded credentials found — rotate immediately', description: 'Hardcoded credentials in source code will be committed to version control. Use environment variables.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-032: Missing account lockout
+rules.push({
+  id: 'SEC-AUTH-032', category: 'security', severity: 'medium', confidence: 'suggestion',
+  title: 'No account lockout after failed login attempts',
+  check({ files }) {
+    const findings = [];
+    const loginPat = /(?:router|app)\s*\.post\s*\(\s*['"`][^'"`]*(?:login|signin)[^'"`]*/i;
+    const lockoutPat = /lockout|failed.*attempt|attemptCount|loginAttempt|failCount|account.*lock/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      if (loginPat.test(c) && !lockoutPat.test(c)) {
+        findings.push({ ruleId: 'SEC-AUTH-032', category: 'security', severity: 'medium', title: 'Login route without account lockout logic', description: 'Implement account lockout or exponential backoff after repeated failed login attempts to prevent brute-force.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-033: Insecure password reset via predictable token
+rules.push({
+  id: 'SEC-AUTH-033', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Password reset token using Math.random() — predictable',
+  check({ files }) {
+    const findings = [];
+    const resetPat = /(?:reset|forgot).*password|password.*reset/i;
+    const randPat = /Math\.random\(\)/;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (resetPat.test(lines[i]) && randPat.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-033', category: 'security', severity: 'high', title: 'Password reset using Math.random() — token is predictable', description: 'Use crypto.randomBytes() to generate cryptographically secure password reset tokens.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-034: JWT decoded without verification
+rules.push({
+  id: 'SEC-AUTH-034', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'JWT decoded without signature verification',
+  check({ files }) {
+    const findings = [];
+    const p = /jwt\.decode\s*\(/;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-034', category: 'security', severity: 'critical', title: 'jwt.decode() used without verification — forged tokens accepted', description: 'Use jwt.verify() instead of jwt.decode(). The decode function does not validate the signature.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-035: CSRF token not verified
+rules.push({
+  id: 'SEC-AUTH-035', category: 'security', severity: 'high', confidence: 'suggestion',
+  title: 'POST/PUT/DELETE route without CSRF protection',
+  check({ files, stack }) {
+    const findings = [];
+    // APIs using JWT/token auth or CORS are not vulnerable to CSRF
+    const deps = { ...stack.dependencies, ...stack.devDependencies };
+    if (deps.cors || deps['@fastify/cors'] || deps['hono']) return findings;
+    const routePat = /(?:router|app)\.(?:post|put|delete|patch)\s*\(/;
+    const csrfPat = /csrf|csurf|xsrf|_csrf|csrfToken/i;
+    const apiAuthPat = /Bearer|jwt|verifyToken|authenticate|passport|apiKey|api_key/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      // Skip API files — token-based auth makes CSRF moot
+      if (apiAuthPat.test(c)) continue;
+      if (routePat.test(c) && !csrfPat.test(c)) {
+        findings.push({ ruleId: 'SEC-AUTH-035', category: 'security', severity: 'high', title: 'Mutating routes without CSRF protection', description: 'Use csurf middleware or implement custom CSRF token validation for state-changing routes.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-036: Wildcard CORS origin
+rules.push({
+  id: 'SEC-AUTH-036', category: 'security', severity: 'high', confidence: 'definite',
+  title: 'CORS configured with wildcard origin (*)',
+  check({ files }) {
+    const findings = [];
+    const p = /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-036', category: 'security', severity: 'high', title: 'CORS origin set to wildcard (*) — any domain can make requests', description: 'Restrict CORS to a specific list of trusted origins. Never use * in production.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-037: Authentication bypass via type coercion
+rules.push({
+  id: 'SEC-AUTH-037', category: 'security', severity: 'critical', confidence: 'likely',
+  title: 'Password comparison with == — type coercion bypass',
+  check({ files }) {
+    const findings = [];
+    const p = /password\s*==\s*(?!==)|(?:pwd|pass|passwd)\s*==\s*(?!==)/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-037', category: 'security', severity: 'critical', title: 'Password compared with == instead of === — type coercion bypass', description: 'Use strict equality (===) or a constant-time comparison function like crypto.timingSafeEqual().', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-038: Session secret hardcoded or too short
+rules.push({
+  id: 'SEC-AUTH-038', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Session secret is short or hardcoded string',
+  check({ files }) {
+    const findings = [];
+    const p = /session\s*\(\s*\{[^}]*secret\s*:\s*['"][^'"]{1,15}['"]/;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-038', category: 'security', severity: 'high', title: 'Session secret is short or hardcoded — session hijacking risk', description: 'Use a randomly generated secret of at least 32 characters stored in an environment variable.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-039: API key in request header logged
+rules.push({
+  id: 'SEC-AUTH-039', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'API key from request headers passed to logger',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:console\.log|logger\.\w+)\s*\([^)]*req\.headers/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-039', category: 'security', severity: 'high', title: 'Request headers logged — may expose API keys or auth tokens', description: 'Redact sensitive headers (Authorization, X-API-Key) before logging request objects.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-040: Missing authentication on admin routes
+rules.push({
+  id: 'SEC-AUTH-040', category: 'security', severity: 'high', confidence: 'suggestion',
+  title: 'Admin route without authentication middleware',
+  check({ files }) {
+    const findings = [];
+    const routePat = /(?:router|app)\.(?:get|post|put|delete|patch)\s*\(\s*['"`][^'"`]*admin[^'"`]*/i;
+    const authPat = /authenticate|authorize|isAdmin|requireAuth|authMiddleware|passport\.authenticate|verifyToken|checkAuth/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (routePat.test(lines[i]) && !authPat.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-040', category: 'security', severity: 'critical', title: 'Admin route without visible auth middleware', description: 'Ensure admin routes are protected with authentication and authorization middleware.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-AUTH-041: Refresh token stored in localStorage
+rules.push({
+  id: 'SEC-AUTH-041', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Refresh token stored in localStorage — XSS theft risk',
+  check({ files }) {
+    const findings = [];
+    const p = /localStorage\s*\.\s*setItem\s*\([^)]*(?:refresh|refreshToken|refresh_token)/i;
+    for (const [fp, c] of files) {
+      if (!JS_EXT.some(e => fp.endsWith(e)) || fp.includes('test') || fp.includes('spec')) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (isCommentLine(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-AUTH-041', category: 'security', severity: 'high', title: 'Refresh token in localStorage — accessible to XSS', description: 'Store refresh tokens in httpOnly, Secure cookies to prevent JavaScript access.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});