getdoorman 1.0.0

package/src/rules/security/cors.js

@@ -0,0 +1,127 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isTest = (f) => f.includes('test') || f.includes('spec') || f.includes('mock');
+
+const rules = [
+  // SEC-CORS-001
+  {
+    id: 'SEC-CORS-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'CORS allows all origins (wildcard *)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trim().startsWith('//')) continue;
+          if (lines[i].match(/(?:Access-Control-Allow-Origin|origin)\s*[:=]\s*['"`]\*['"`]/i) ||
+              lines[i].match(/cors\(\s*\)/) // cors() with no config = allow all
+          ) {
+            findings.push({
+              ruleId: 'SEC-CORS-001', category: 'security', severity: 'high',
+              title: 'CORS allows all origins — any website can make requests to your API',
+              description: 'Restrict CORS to specific trusted domains.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CORS-002
+  {
+    id: 'SEC-CORS-002', category: 'security', severity: 'critical', confidence: 'definite',
+    title: 'CORS reflects Origin header',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/origin\s*[:=]\s*(?:req|request)\.headers\.origin/i) ||
+              lines[i].match(/Access-Control-Allow-Origin.*req\.headers\.origin/i)) {
+            findings.push({
+              ruleId: 'SEC-CORS-002', category: 'security', severity: 'critical',
+              title: 'CORS reflects any Origin header — effectively allows all origins with credentials',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CORS-003
+  {
+    id: 'SEC-CORS-003', category: 'security', severity: 'critical', confidence: 'definite',
+    title: 'CORS allows credentials with wildcard origin',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        if (content.includes('credentials: true') || content.includes('Access-Control-Allow-Credentials')) {
+          if (content.match(/origin\s*[:=]\s*['"`]\*['"`]/) || content.match(/cors\(\s*\)/)) {
+            findings.push({
+              ruleId: 'SEC-CORS-003', category: 'security', severity: 'critical',
+              title: 'CORS allows credentials with wildcard origin — critical security vulnerability',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CORS-004
+  {
+    id: 'SEC-CORS-004', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'CORS exposes sensitive headers',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/exposedHeaders.*(?:Authorization|X-Api-Key|Set-Cookie)/i)) {
+            findings.push({
+              ruleId: 'SEC-CORS-004', category: 'security', severity: 'medium',
+              title: 'CORS exposes sensitive headers (Authorization, API keys)',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CORS-005
+  {
+    id: 'SEC-CORS-005', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Overly permissive CORS methods',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/methods\s*[:=]\s*['"`]\*['"`]/) ||
+              lines[i].match(/Access-Control-Allow-Methods.*\*/)) {
+            findings.push({
+              ruleId: 'SEC-CORS-005', category: 'security', severity: 'medium',
+              title: 'CORS allows all HTTP methods — restrict to only needed methods',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/crypto.js

@@ -0,0 +1,527 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const isTest = (f) => f.includes('test') || f.includes('spec') || f.includes('mock');
+
+const rules = [
+  // SEC-CRY-001
+  {
+    id: 'SEC-CRY-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Using MD5 for hashing',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trim().startsWith('//')) continue;
+          if (lines[i].match(/(?:createHash|crypto\.hash)\s*\(\s*['"]md5['"]/i) ||
+              lines[i].match(/md5\s*\(/)) {
+            findings.push({
+              ruleId: 'SEC-CRY-001', category: 'security', severity: 'high',
+              title: 'MD5 hashing detected — cryptographically broken, use SHA-256+ or bcrypt',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-002
+  {
+    id: 'SEC-CRY-002', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Using SHA1 for hashing',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trim().startsWith('//')) continue;
+          if (lines[i].match(/createHash\s*\(\s*['"]sha1['"]/i)) {
+            findings.push({
+              ruleId: 'SEC-CRY-002', category: 'security', severity: 'high',
+              title: 'SHA1 hashing detected — deprecated for security purposes, use SHA-256+',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-003
+  {
+    id: 'SEC-CRY-003', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Weak random number generation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trim().startsWith('//')) continue;
+          // Math.random() used in security context
+          if (lines[i].includes('Math.random()') &&
+              (content.includes('token') || content.includes('secret') || content.includes('password') ||
+               content.includes('session') || content.includes('nonce') || content.includes('salt'))) {
+            findings.push({
+              ruleId: 'SEC-CRY-003', category: 'security', severity: 'high',
+              title: 'Math.random() used in security context — not cryptographically secure',
+              description: 'Use crypto.randomBytes() or crypto.randomUUID() instead.',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+            break; // One per file is enough
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-004
+  {
+    id: 'SEC-CRY-004', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Hardcoded initialization vector (IV)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trim().startsWith('//')) continue;
+          if (lines[i].match(/(?:iv|nonce|initializationVector)\s*[:=]\s*(?:Buffer\.from\s*\(\s*)?['"][a-fA-F0-9]{16,}['"]/i)) {
+            findings.push({
+              ruleId: 'SEC-CRY-004', category: 'security', severity: 'high',
+              title: 'Hardcoded IV/nonce — must be randomly generated for each encryption',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-005
+  {
+    id: 'SEC-CRY-005', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'ECB mode encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/aes.*ecb/i) || lines[i].match(/['"]aes-\d+-ecb['"]/i)) {
+            findings.push({
+              ruleId: 'SEC-CRY-005', category: 'security', severity: 'high',
+              title: 'AES-ECB mode used — patterns visible in ciphertext, use CBC or GCM',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-006
+  {
+    id: 'SEC-CRY-006', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Missing HTTPS enforcement',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasHttpsRedirect = [...files.values()].some(c =>
+        c.includes('https://') && c.includes('redirect') ||
+        c.includes('SECURE_SSL_REDIRECT') ||
+        c.includes('forceSSL') ||
+        c.includes('requireHTTPS') ||
+        c.includes("protocol === 'https'") ||
+        c.includes('Strict-Transport-Security')
+      );
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!hasHttpsRedirect && !hasHelmet) {
+        const hasServer = [...files.values()].some(c => c.includes('.listen(') || c.includes('createServer'));
+        if (hasServer) {
+          findings.push({
+            ruleId: 'SEC-CRY-006', category: 'security', severity: 'high',
+            title: 'No HTTPS enforcement detected — traffic may be unencrypted',
+            confidence: 'suggestion',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-007
+  {
+    id: 'SEC-CRY-007', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Self-signed certificate in production',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test') || fp.includes('dev')) continue;
+        if (content.includes('rejectUnauthorized: false') || content.includes('NODE_TLS_REJECT_UNAUTHORIZED')) {
+          findings.push({
+            ruleId: 'SEC-CRY-007', category: 'security', severity: 'medium',
+            title: 'TLS certificate verification disabled — man-in-the-middle attacks possible',
+            confidence: 'likely',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-008
+  {
+    id: 'SEC-CRY-008', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Deprecated TLS version allowed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:minVersion|secureProtocol).*(?:TLSv1(?:\.0)?|TLSv1\.1|SSLv3)/i)) {
+            findings.push({
+              ruleId: 'SEC-CRY-008', category: 'security', severity: 'high',
+              title: 'TLS 1.0 or 1.1 allowed — use TLS 1.2+ minimum',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-009
+  {
+    id: 'SEC-CRY-009', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Weak cipher suites allowed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.includes('test')) continue;
+        if (content.match(/(?:ciphers|cipher).*(?:RC4|DES|3DES|RC2|SEED|IDEA)/i)) {
+          findings.push({
+            ruleId: 'SEC-CRY-009', category: 'security', severity: 'medium',
+            title: 'Weak cipher suites detected (RC4, DES, 3DES) — use modern ciphers',
+            confidence: 'definite',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-CRY-010
+  {
+    id: 'SEC-CRY-010', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Using deprecated createCipher',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) || isTest(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/crypto\.createCipher\s*\(/) && !lines[i].includes('createCipheriv')) {
+            findings.push({
+              ruleId: 'SEC-CRY-010', category: 'security', severity: 'high',
+              title: 'Using deprecated crypto.createCipher — use createCipheriv with a random IV',
+              confidence: 'definite',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// SEC-CRY-011: Hardcoded encryption key
+rules.push({
+  id: 'SEC-CRY-011', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'Hardcoded encryption key or IV',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:key|iv|secret|password)\s*[:=]\s*['"][A-Za-z0-9+/=]{16,}['"]/i;
+    const cryptoCtx = /createCipher|createDecipher|encrypt|decrypt|AES|DES|RSA/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !/process\.env/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join('\n');
+          if (cryptoCtx.test(ctx)) findings.push({ ruleId: 'SEC-CRY-011', category: 'security', severity: 'critical', title: 'Hardcoded encryption key — rotate immediately', description: 'Encryption keys hardcoded in source are compromised when code is exposed. Load keys from a secrets manager or environment variable.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-012: Using DES or 3DES
+rules.push({
+  id: 'SEC-CRY-012', category: 'security', severity: 'high', confidence: 'definite',
+  title: 'DES or 3DES encryption used — broken algorithm',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:des|3des|des3|triple.?des)/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && /createCipher|cipher|encrypt/i.test(lines[i])) findings.push({ ruleId: 'SEC-CRY-012', category: 'security', severity: 'high', title: 'DES/3DES detected — use AES-256-GCM instead', description: 'DES is broken (56-bit key). 3DES is deprecated and vulnerable to Sweet32 attack. Migrate to AES-256-GCM.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-013: Insecure random bytes for IV/nonce
+rules.push({
+  id: 'SEC-CRY-013', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Math.random() used for cryptographic IV or nonce',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/Math\.random\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (/iv|nonce|salt|key|cipher|encrypt/i.test(ctx)) findings.push({ ruleId: 'SEC-CRY-013', category: 'security', severity: 'high', title: 'Math.random() for IV/nonce — not cryptographically secure', description: 'Use crypto.randomBytes(16) to generate cryptographically random IVs and nonces.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-014: CBC mode without authentication
+rules.push({
+  id: 'SEC-CRY-014', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'AES-CBC without HMAC authentication — padding oracle risk',
+  check({ files }) {
+    const findings = [];
+    const p = /aes-(?:128|192|256)-cbc|AES.*CBC/i;
+    const hmacPat = /hmac|createHmac|authenticate|tag|GCM/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && !hmacPat.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+          if (!hmacPat.test(ctx)) findings.push({ ruleId: 'SEC-CRY-014', category: 'security', severity: 'high', title: 'AES-CBC without HMAC — padding oracle attack possible', description: 'AES-CBC without message authentication is vulnerable to padding oracle attacks. Use AES-256-GCM which provides authenticated encryption.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-015: Weak RSA key size
+rules.push({
+  id: 'SEC-CRY-015', category: 'security', severity: 'high', confidence: 'definite',
+  title: 'RSA key size less than 2048 bits',
+  check({ files }) {
+    const findings = [];
+    const p = /(?:modulusLength|keySize)\s*[:=]\s*(?:512|768|1024)\b/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-CRY-015', category: 'security', severity: 'high', title: 'RSA key size < 2048 bits — insufficient security', description: 'RSA keys under 2048 bits can be factored. Use at least 2048 bits; prefer 4096 for long-lived keys.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-016: TLS minimum version not set
+rules.push({
+  id: 'SEC-CRY-016', category: 'security', severity: 'medium', confidence: 'suggestion',
+  title: 'TLS server created without minimum version requirement',
+  check({ files }) {
+    const findings = [];
+    const p = /createServer|https\.createServer|tls\.createServer/i;
+    const minVersion = /minVersion|secureProtocol|TLSv1_2|TLSv1_3/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i]) && /tls|https/i.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join('\n');
+          if (!minVersion.test(ctx)) findings.push({ ruleId: 'SEC-CRY-016', category: 'security', severity: 'medium', title: 'TLS server without minVersion — may accept TLS 1.0/1.1', description: 'Set minVersion: "TLSv1.2" or "TLSv1.3" to prevent downgrade attacks to deprecated TLS versions.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-017: bcrypt with weak rounds
+rules.push({
+  id: 'SEC-CRY-017', category: 'security', severity: 'medium', confidence: 'definite',
+  title: 'bcrypt used with too few rounds (< 10)',
+  check({ files }) {
+    const findings = [];
+    const p = /bcrypt\s*\.\s*(?:hash|genSalt)\s*\([^,]+,\s*([1-9])\b/;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const m = lines[i].match(/bcrypt\s*\.\s*(?:hash|genSalt)\s*\(\s*\w+\s*,\s*(\d+)/);
+        if (m && parseInt(m[1], 10) < 10) findings.push({ ruleId: 'SEC-CRY-017', category: 'security', severity: 'medium', title: `bcrypt rounds=${m[1]} — too low, use at least 12`, description: 'Low bcrypt cost factor allows faster offline cracking. Use at least 10 rounds; 12+ is recommended.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-018: Sensitive data in URL (query string)
+rules.push({
+  id: 'SEC-CRY-018', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Sensitive data passed in URL query string',
+  check({ files }) {
+    const findings = [];
+    const p = /[?&](?:password|passwd|pwd|token|api_key|apikey|secret|auth)[=]/i;
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-CRY-018', category: 'security', severity: 'high', title: 'Credential in URL query string — logged in server access logs', description: 'Passwords and tokens in URLs appear in server logs, browser history, and Referer headers. Use POST body or Authorization header instead.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-019 through SEC-CRY-030: Additional crypto rules
+
+// SEC-CRY-019: Password reset token not time-limited
+rules.push({
+  id: 'SEC-CRY-019', category: 'security', severity: 'high', confidence: 'suggestion',
+  title: 'Password reset token without expiry',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      if (/resetToken|reset_token|passwordReset|forgotPassword/i.test(c)) {
+        if (!/expires|expiry|expiresAt|ttl|timeout/i.test(c)) {
+          findings.push({ ruleId: 'SEC-CRY-019', category: 'security', severity: 'high', title: 'Password reset token without expiry — valid indefinitely', description: 'Password reset tokens must expire (typically 15-60 minutes). Tokens valid indefinitely can be used long after a breach.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-020: Random token generation with low entropy
+rules.push({
+  id: 'SEC-CRY-020', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'Low entropy token generation (< 128 bits)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const m = lines[i].match(/crypto\.randomBytes\s*\(\s*(\d+)\s*\)/);
+        if (m && parseInt(m[1]) < 16) {
+          findings.push({ ruleId: 'SEC-CRY-020', category: 'security', severity: 'high', title: `crypto.randomBytes(${m[1]}) — only ${parseInt(m[1]) * 8} bits, use at least 128 bits (16 bytes)`, description: 'Security tokens need at least 128 bits (16 bytes) of entropy. Use crypto.randomBytes(32) for session tokens and API keys.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-021: Hardcoded salt
+rules.push({
+  id: 'SEC-CRY-021', category: 'security', severity: 'critical', confidence: 'definite',
+  title: 'Hardcoded salt for password hashing',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/salt\s*[:=]\s*['"][A-Za-z0-9+/=]{8,}['"]/.test(lines[i]) && !/process\.env/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (/hash|bcrypt|pbkdf2|scrypt|crypto/i.test(ctx)) {
+            findings.push({ ruleId: 'SEC-CRY-021', category: 'security', severity: 'critical', title: 'Hardcoded salt used in hashing — salt must be random per-hash', description: 'Salts must be randomly generated per password using crypto.randomBytes(). A hardcoded salt turns it into a pepper at best, and allows rainbow table attacks.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-022: Missing HSTS header
+rules.push({
+  id: 'SEC-CRY-022', category: 'security', severity: 'medium', confidence: 'suggestion',
+  title: 'No HTTP Strict Transport Security (HSTS) header configured',
+  check({ files, stack }) {
+    const findings = [];
+    const deps = { ...stack.dependencies, ...stack.devDependencies };
+    // helmet enables HSTS by default
+    if (deps.helmet) return findings;
+    const hasExpress = [...files.values()].some(c => /require.*express|from.*express/i.test(c));
+    const hasHSTS = [...files.values()].some(c => /Strict-Transport-Security|hsts|maxAge.*includeSubDomains/i.test(c));
+    if (hasExpress && !hasHSTS) {
+      findings.push({ ruleId: 'SEC-CRY-022', category: 'security', severity: 'medium', title: 'No HSTS header — browsers may connect over HTTP first', description: 'Set Strict-Transport-Security: max-age=31536000; includeSubDomains to force HTTPS. Use helmet.hsts() or set the header manually.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// SEC-CRY-023: Secret comparison with early exit
+rules.push({
+  id: 'SEC-CRY-023', category: 'security', severity: 'high', confidence: 'likely',
+  title: 'HMAC or signature compared character-by-character — timing oracle',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isJS(fp) || isTest(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:hmac|signature|digest)\s*(?:!==|===|==|!=)\s*\w|(?:signature|hmac).*\.startsWith\s*\(/.test(lines[i]) && !/timingSafeEqual/i.test(lines[i])) {
+          findings.push({ ruleId: 'SEC-CRY-023', category: 'security', severity: 'high', title: 'HMAC/signature compared with === — timing attack leaks secret', description: 'Use crypto.timingSafeEqual() for all HMAC and signature comparisons to prevent timing attacks.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});