npm - getdoorman - Versions diffs - 1.1.1 → 1.2.1 - Mend

getdoorman 1.1.1 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/doorman.js CHANGED Viewed

@@ -1,11 +1,9 @@
 #!/usr/bin/env node
-import { Command } from 'commander';
-import { check } from '../src/index.js';
-import { generateReport } from '../src/compliance.js';
 import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
+import { dirname, join, resolve } from 'path';
+import { Command } from 'commander';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
@@ -14,449 +12,52 @@ const program = new Command();
 program
   .name('getdoorman')
-  .description('Find security issues. Tell your AI to fix them.')
+  .description('10 checks. Zero false positives. Ship with confidence.')
   .version(pkg.version);
 program
-  .command('check')
-  .alias('scan')
-  .description('Scan your code for issues (always free)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--ci', 'CI mode — exit with code 1 if score below threshold')
-  .option('--min-score <number>', 'Minimum score to pass in CI mode', '70')
+  .command('check', { isDefault: true })
+  .description('Check your code before shipping')
+  .argument('[path]', 'Path to check', '.')
   .option('--json', 'Output results as JSON')
-  .option('--sarif [path]', 'Output SARIF 2.1.0 report (for GitHub Code Scanning, VS Code)')
-  .option('--html [path]', 'Output standalone HTML report')
-  .option('--category <categories>', 'Only run specific categories (comma-separated)')
-  .option('--severity <level>', 'Minimum severity to report (critical,high,medium,low,info)', 'low')
-  .option('--full', 'Force full scan (skip incremental)')
-  .option('--no-cache', 'Disable file hash caching (force re-scan all files)')
-  .option('--timeout <seconds>', 'Custom scan timeout in seconds', '60')
-  .option('--verbose', 'Show all findings including suggestions')
-  .option('--detail', 'Show all findings individually (disables smart summary)')
-  .option('--strict', 'Show all severity levels including medium/low')
-  .option('-q, --quiet', 'Only show one-line summary (no findings detail)')
-  .option('--config <path>', 'Path to a custom config file')
-  .option('--baseline [path]', 'Only show NEW findings (diff against baseline file)')
-  .option('--save-baseline [path]', 'Save current findings as baseline for future diffs')
-  .option('--profile', 'Show performance profile of slowest rules')
-  .option('--share', 'Generate a shareable score card')
-  .option('--deep', 'Run full 2,500+ rule scan (advanced)')
+  .option('--ci', 'Exit with code 1 if issues found')
   .action(async (path, options) => {
     try {
-      // Default: simple 10-check mode. --deep for full scan.
-      if (!options.deep && !options.json && !options.sarif && !options.html && !options.ci && !options.detail && !options.strict) {
-        const { collectFiles } = await import('../src/scanner.js');
-        const { runSimpleChecks, printSimpleReport } = await import('../src/simple-reporter.js');
-        const files = await collectFiles(path, { silent: true });
-        const results = runSimpleChecks(files);
+      const { collectFiles } = await import('../src/scanner.js');
+      const { runSimpleChecks, printSimpleReport } = await import('../src/simple-reporter.js');
+      const files = await collectFiles(resolve(path), { silent: true });
+      const results = runSimpleChecks(files);
+      if (options.json) {
+        const output = results.map(r => ({
+          check: r.name,
+          passed: r.passed,
+          issues: r.findings.map(f => ({ message: f.message, file: f.file, line: f.line })),
+        }));
+        console.log(JSON.stringify(output, null, 2));
+      } else {
         printSimpleReport(results);
+      }
-        // Viral hooks on first scan
+      // On first scan: add doorman to AI tool configs
+      try {
         const { isFirstScan, installClaudeMd, installAgentsMd, installCursorRules, installClaudeHook } = await import('../src/hooks.js');
-        const { resolve } = await import('path');
         const resolvedPath = resolve(path);
         if (isFirstScan(resolvedPath)) {
-          const chalk = (await import('chalk')).default;
           installClaudeMd(resolvedPath);
           installAgentsMd(resolvedPath);
           installCursorRules(resolvedPath);
           installClaudeHook(resolvedPath);
         }
+      } catch {}
-        const failCount = results.filter(r => !r.passed).length;
-        process.exit(failCount > 0 ? 1 : 0);
-        return;
-      }
-      // Deep mode: full 2,500+ rule scan
-      const result = await check(path, options);
-      // Generate shareable score card
-      if (options.share && result) {
-        const { generateScoreCard } = await import('../src/share.js');
-        const cardPath = generateScoreCard(path, result);
-        const chalk = (await import('chalk')).default;
-        console.log('');
-        console.log(chalk.bold.green('  Score card saved!'));
-        console.log(chalk.gray(`  Open: ${cardPath}`));
-        console.log(chalk.gray('  Share it on Twitter, Discord, or Slack.'));
-        console.log('');
-      }
-      // After first scan: add CLAUDE.md, offer hooks, collect email
-      if (!options.ci && !options.quiet && !options.json && !options.sarif && !options.html && !options.silent) {
-        const { isFirstScan, installClaudeMd, installAgentsMd, installCursorRules, installClaudeHook } = await import('../src/hooks.js');
-        const { loadAuth, saveAuth } = await import('../src/auth.js');
-        const { resolve } = await import('path');
-        const resolvedPath = resolve(path);
-        if (isFirstScan(resolvedPath)) {
-          const chalk = (await import('chalk')).default;
-          // Add Doorman instructions to AI config files (only appends, never overwrites)
-          const claudeMd = installClaudeMd(resolvedPath);
-          const agentsMd = installAgentsMd(resolvedPath);
-          const cursorRules = installCursorRules(resolvedPath);
-          if (claudeMd) console.log(chalk.dim('  Added Doorman to CLAUDE.md'));
-          if (agentsMd) console.log(chalk.dim('  Added Doorman to AGENTS.md'));
-          if (cursorRules) console.log(chalk.dim('  Added Doorman to .cursorrules'));
-          // Auto-run hook for Claude Code (non-blocking, just a scan)
-          const hookInstalled = installClaudeHook(resolvedPath);
-          if (hookInstalled) console.log(chalk.dim('  Auto-run enabled for Claude Code'));
-          // NOTE: No pre-commit hook on first scan — too aggressive.
-          // Users can opt in with: npx getdoorman init
-          // Collect email
-          const auth = loadAuth();
-          if (!auth?.email) {
-            const readline = await import('readline');
-            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-            console.log('');
-            const email = await new Promise(r => {
-              rl.question(chalk.green('  Enter your email for updates (optional): '), a => { rl.close(); r(a.trim()); });
-            });
-            if (email && email.includes('@')) {
-              saveAuth(email);
-              console.log(chalk.green('  ✓ Saved!'));
-            }
-          }
-          console.log('');
-        }
-      }
-      process.exit(result.exitCode || 0);
-    } catch (err) {
-      console.error('Error:', err.message);
-      process.exit(2);
-    }
-  });
-program
-  .command('fix')
-  .description('Tell your AI to fix issues — works in Claude, Codex, Cursor')
-  .argument('[path]', 'Path to scan', '.')
-  .action(async (path) => {
-    const chalk = (await import('chalk')).default;
-    const { collectFiles } = await import('../src/scanner.js');
-    const { runSimpleChecks } = await import('../src/simple-reporter.js');
-    const files = await collectFiles(path, { silent: true });
-    const results = runSimpleChecks(files);
-    const failed = results.filter(r => !r.passed);
-    if (failed.length === 0) {
-      console.log('');
-      console.log(chalk.green.bold('  All clear. Nothing to fix.'));
-      console.log('');
-      return;
-    }
-    // Build the prompt
-    const issues = [];
-    for (const r of failed) {
-      for (const f of r.findings.slice(0, 5)) {
-        const loc = f.file ? ` in ${f.file}${f.line ? ':' + f.line : ''}` : '';
-        issues.push(`- ${r.name}: ${f.message}${loc}`);
-      }
-    }
-    const prompt = `Fix these issues in my code:\n\n${issues.join('\n')}`;
-    // Detect environment: AI tool or manual terminal
-    const isAI = process.env.CLAUDE_CODE || process.env.CURSOR_SESSION || process.env.CODEX_SANDBOX || process.env.TERM_PROGRAM === 'claude';
-    const isCI = process.env.CI || process.env.GITHUB_ACTIONS;
-    if (isAI) {
-      // Inside an AI tool — just output the prompt directly, the AI will act on it
-      console.log(prompt);
-    } else if (isCI) {
-      // CI — just list issues
-      console.log(prompt);
-    } else {
-      // Manual terminal — show formatted + copy to clipboard
-      console.log('');
-      console.log(chalk.bold('  Paste this into Claude, Codex, or Cursor:'));
-      console.log('');
-      console.log(chalk.cyan('  ┌───────────────────────────────────────────────'));
-      for (const line of prompt.split('\n')) {
-        console.log(chalk.cyan('  │ ') + line);
-      }
-      console.log(chalk.cyan('  └───────────────────────────────────────────────'));
-      console.log('');
-      // Copy to clipboard
-      try {
-        const { execSync } = await import('child_process');
-        const cmd = process.platform === 'darwin' ? 'pbcopy' : process.platform === 'win32' ? 'clip' : 'xclip -selection clipboard';
-        execSync(cmd, { input: prompt, stdio: ['pipe', 'ignore', 'ignore'] });
-        console.log(chalk.green('  ✓ Copied to clipboard! Just paste it.'));
-      } catch {
-        console.log(chalk.dim('  Tip: copy the text above and paste into your AI tool'));
-      }
-      console.log('');
-    }
-  });
-program
-  .command('review')
-  .description('Review only changed files (for git hooks and PRs)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--json', 'Output as JSON')
-  .option('--min-score <number>', 'Minimum score', '70')
-  .action(async (path, options) => {
-    try {
-      const result = await check(path, { ...options, incremental: true });
-      process.exit(result.exitCode || 0);
+      const failCount = results.filter(r => !r.passed).length;
+      process.exit(options.ci && failCount > 0 ? 1 : 0);
     } catch (err) {
       console.error('Error:', err.message);
       process.exit(2);
     }
   });
-program
-  .command('ignore')
-  .description('Ignore a rule (mark as false positive)')
-  .argument('<ruleId>', 'Rule ID to ignore (e.g., SEC-INJ-001)')
-  .option('--file <path>', 'Only ignore in this file')
-  .option('--reason <reason>', 'Reason for ignoring')
-  .action(async (ruleId, options) => {
-    const { addIgnore } = await import('../src/config.js');
-    addIgnore('.', ruleId, options.file || null, options.reason || 'User dismissed');
-    console.log(`Ignored ${ruleId}${options.file ? ' in ' + options.file : ''}`);
-  });
-program
-  .command('init')
-  .description('Initialize Doorman: create config, hooks, and auto-run')
-  .option('--no-hook', 'Skip pre-commit hook installation')
-  .option('--claude', 'Install Claude Code auto-run hook')
-  .action(async (options) => {
-    const { writeFileSync, existsSync, mkdirSync } = await import('fs');
-    const { installClaudeHook, installGitHook, installClaudeMd } = await import('../src/hooks.js');
-    const { resolve } = await import('path');
-    // 1. Config file — create .doormanrc with recommended preset
-    if (existsSync('.doormanrc') || existsSync('.doormanrc.json')) {
-      const which = existsSync('.doormanrc') ? '.doormanrc' : '.doormanrc.json';
-      console.log(`  ✓ Config already exists at ${which}`);
-    } else {
-      const config = {
-        extends: 'recommended',
-        rules: {},
-        categories: [],
-        severity: 'medium',
-        ignore: ['test/**', 'vendor/**', '*.min.js'],
-      };
-      writeFileSync('.doormanrc', JSON.stringify(config, null, 2) + '\n');
-      console.log('  ✓ Created .doormanrc (recommended preset)');
-    }
-    // 2. Pre-commit hook
-    if (options.hook !== false) {
-      const installed = installGitHook(resolve('.'));
-      if (installed) {
-        console.log('  ✓ Installed pre-commit hook — critical issues will block commits');
-      } else if (!existsSync('.git')) {
-        console.log('  ⚠ Not a git repository — skipping pre-commit hook');
-      } else {
-        console.log('  ✓ Pre-commit hook already installed');
-      }
-    }
-    // 3. Claude Code hook
-    if (options.claude) {
-      const installed = installClaudeHook(resolve('.'));
-      if (installed) {
-        console.log('  ✓ Claude Code hook installed — Doorman runs after every file edit');
-      } else {
-        console.log('  ✓ Claude Code hook already installed');
-      }
-    }
-    // 4. CLAUDE.md — teach Claude to use Doorman
-    const mdInstalled = installClaudeMd(resolve('.'));
-    if (mdInstalled) {
-      console.log('  ✓ Added Doorman to CLAUDE.md — Claude will suggest it automatically');
-    } else {
-      console.log('  ✓ CLAUDE.md already mentions Doorman');
-    }
-    console.log('');
-    console.log('Doorman is ready. Run `npx getdoorman check` to scan your codebase.');
-    if (!options.claude) {
-      console.log('Tip: Run `npx getdoorman init --claude` to auto-scan when Claude writes code.');
-    }
-  });
-program
-  .command('dashboard')
-  .description('Open your project dashboard in the browser')
-  .argument('[path]', 'Project path', '.')
-  .action(async (path) => {
-    const chalk = (await import('chalk')).default;
-    const { openDashboard } = await import('../src/dashboard.js');
-    const result = openDashboard(path);
-    if (result.error) {
-      console.log('');
-      console.log(chalk.yellow(`  ${result.error}`));
-      console.log('');
-    } else {
-      console.log('');
-      console.log(chalk.green(`  ✓ Dashboard opened: ${result.path}`));
-      console.log('');
-    }
-  });
-program
-  .command('benchmark')
-  .description('Run the real-world vulnerability detection benchmark')
-  .action(async () => {
-    console.log('Running Doorman benchmark...');
-    const { execSync } = await import('child_process');
-    try {
-      execSync('node --test test/benchmark-real-world.test.js', { stdio: 'inherit' });
-    } catch (e) {
-      // Test runner reports results
-    }
-  });
-program
-  .command('hook')
-  .description('Install Doorman as a pre-commit git hook')
-  .option('--remove', 'Remove the git hook')
-  .action(async (options) => {
-    const { writeFileSync, unlinkSync, existsSync, mkdirSync } = await import('fs');
-    const hookPath = '.git/hooks/pre-commit';
-    if (options.remove) {
-      if (existsSync(hookPath)) {
-        unlinkSync(hookPath);
-        console.log('Removed Doorman pre-commit hook');
-      }
-      return;
-    }
-    if (!existsSync('.git/hooks')) mkdirSync('.git/hooks', { recursive: true });
-    const hookScript = `#!/bin/sh
-# Doorman pre-commit hook
-npx getdoorman review --min-score 70
-`;
-    writeFileSync(hookPath, hookScript, { mode: 0o755 });
-    console.log('Installed Doorman pre-commit hook');
-    console.log('Every commit will be checked. Remove with: doorman hook --remove');
-  });
-program
-  .command('credits')
-  .description('Check your credit balance or buy more')
-  .option('--buy', 'Open the credit purchase page')
-  .action(async (options) => {
-    const chalk = (await import('chalk')).default;
-    const { loadAuth, checkCredits, getCreditPacks } = await import('../src/auth.js');
-    const auth = loadAuth();
-    if (!auth || !auth.email) {
-      console.log('');
-      console.log(chalk.dim('  No account yet. Run `npx getdoorman fix` to get 3 free credits.'));
-      console.log('');
-      return;
-    }
-    const credits = await checkCredits(auth.email);
-    const packs = getCreditPacks(auth.email);
-    console.log('');
-    console.log(chalk.bold('  Doorman Account'));
-    console.log(`    Email:   ${auth.email}`);
-    console.log(`    Credits: ${credits ? credits.credits : 'unknown (offline)'}`);
-    console.log('');
-    if (options.buy || (credits && credits.credits <= 0)) {
-      console.log(chalk.bold('  Buy credits:'));
-      console.log('');
-      for (const pack of packs) {
-        const bonus = pack.bonus ? chalk.green(` (${pack.bonus})`) : '';
-        console.log(`    ${String(pack.credits).padStart(3)} credits — ${pack.price}${bonus}   ${chalk.cyan(pack.buyUrl)}`);
-      }
-      console.log('');
-      // Try to open browser
-      try {
-        const { execSync } = await import('child_process');
-        const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
-        execSync(`${cmd} ${packs[0].buyUrl}`, { stdio: 'ignore' });
-        console.log(chalk.dim('  Opened in your browser.'));
-      } catch { /* ignore */ }
-    }
-    console.log('');
-  });
-// ai-fix is now merged into `fix` — kept as hidden alias for backward compat
-program
-  .command('ai-fix')
-  .description(false)  // hidden
-  .argument('[path]', 'Path to scan', '.')
-  .action(async () => {
-    console.log('ai-fix has been merged into `fix`. Just run: npx getdoorman fix');
-  });
-program
-  .command('report')
-  .description('Generate a compliance report (SOC2, GDPR, HIPAA, PCI-DSS)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--framework <name>', 'Framework: SOC2, GDPR, HIPAA, PCI, or all', 'all')
-  .option('--output <path>', 'Output file path', 'doorman-report.html')
-  .option('--project <name>', 'Project name for the report')
-  .action(async (path, options) => {
-    const chalk = (await import('chalk')).default;
-    const { basename, resolve } = await import('path');
-    const framework = options.framework.toLowerCase();
-    const validFrameworks = ['soc2', 'gdpr', 'hipaa', 'pci', 'all'];
-    if (!validFrameworks.includes(framework)) {
-      console.error(`Error: Unknown framework "${options.framework}". Choose from: SOC2, GDPR, HIPAA, PCI, or all`);
-      process.exit(1);
-    }
-    const projectName = options.project || basename(resolve(path));
-    console.log('');
-    console.log(chalk.bold.cyan('  Doorman — Compliance Report Generator'));
-    console.log('');
-    // Step 1: Run a full scan
-    console.log(chalk.gray('  Running full scan...'));
-    let result;
-    try {
-      result = await check(path, { silent: true, full: true });
-    } catch (err) {
-      console.error(chalk.red(`  Scan failed: ${err.message}`));
-      process.exit(1);
-    }
-    console.log(chalk.gray(`  Found ${result.findings.length} finding(s), score: ${result.score}/100`));
-    console.log('');
-    // Step 2: Generate the compliance report
-    const { summary } = generateReport(
-      { findings: result.findings, score: result.score, stack: result.stack },
-      { framework, projectName, outputPath: options.output }
-    );
-    // Step 3: Print summary
-    const frameworkEntries = Object.entries(summary.frameworks);
-    for (const [, fw] of frameworkEntries) {
-      const statusColor = fw.status === 'compliant' ? chalk.green : fw.status === 'partial' ? chalk.yellow : chalk.red;
-      console.log(`  ${fw.name.padEnd(22)} ${statusColor(fw.status.toUpperCase().padEnd(15))} ${fw.score}%`);
-    }
-    console.log('');
-    console.log(chalk.bold.green(`  Report saved to ${options.output}`));
-    console.log(chalk.gray('  Open in a browser to view the full compliance report.'));
-    console.log('');
-  });
 program.parse();

package/bin/getdoorman.js CHANGED Viewed

@@ -1,11 +1,9 @@
 #!/usr/bin/env node
-import { Command } from 'commander';
-import { check } from '../src/index.js';
-import { generateReport } from '../src/compliance.js';
 import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
+import { dirname, join, resolve } from 'path';
+import { Command } from 'commander';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
@@ -14,449 +12,52 @@ const program = new Command();
 program
   .name('getdoorman')
-  .description('Find security issues. Tell your AI to fix them.')
+  .description('10 checks. Zero false positives. Ship with confidence.')
   .version(pkg.version);
 program
-  .command('check')
-  .alias('scan')
-  .description('Scan your code for issues (always free)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--ci', 'CI mode — exit with code 1 if score below threshold')
-  .option('--min-score <number>', 'Minimum score to pass in CI mode', '70')
+  .command('check', { isDefault: true })
+  .description('Check your code before shipping')
+  .argument('[path]', 'Path to check', '.')
   .option('--json', 'Output results as JSON')
-  .option('--sarif [path]', 'Output SARIF 2.1.0 report (for GitHub Code Scanning, VS Code)')
-  .option('--html [path]', 'Output standalone HTML report')
-  .option('--category <categories>', 'Only run specific categories (comma-separated)')
-  .option('--severity <level>', 'Minimum severity to report (critical,high,medium,low,info)', 'low')
-  .option('--full', 'Force full scan (skip incremental)')
-  .option('--no-cache', 'Disable file hash caching (force re-scan all files)')
-  .option('--timeout <seconds>', 'Custom scan timeout in seconds', '60')
-  .option('--verbose', 'Show all findings including suggestions')
-  .option('--detail', 'Show all findings individually (disables smart summary)')
-  .option('--strict', 'Show all severity levels including medium/low')
-  .option('-q, --quiet', 'Only show one-line summary (no findings detail)')
-  .option('--config <path>', 'Path to a custom config file')
-  .option('--baseline [path]', 'Only show NEW findings (diff against baseline file)')
-  .option('--save-baseline [path]', 'Save current findings as baseline for future diffs')
-  .option('--profile', 'Show performance profile of slowest rules')
-  .option('--share', 'Generate a shareable score card')
-  .option('--deep', 'Run full 2,500+ rule scan (advanced)')
+  .option('--ci', 'Exit with code 1 if issues found')
   .action(async (path, options) => {
     try {
-      // Default: simple 10-check mode. --deep for full scan.
-      if (!options.deep && !options.json && !options.sarif && !options.html && !options.ci && !options.detail && !options.strict) {
-        const { collectFiles } = await import('../src/scanner.js');
-        const { runSimpleChecks, printSimpleReport } = await import('../src/simple-reporter.js');
-        const files = await collectFiles(path, { silent: true });
-        const results = runSimpleChecks(files);
+      const { collectFiles } = await import('../src/scanner.js');
+      const { runSimpleChecks, printSimpleReport } = await import('../src/simple-reporter.js');
+      const files = await collectFiles(resolve(path), { silent: true });
+      const results = runSimpleChecks(files);
+      if (options.json) {
+        const output = results.map(r => ({
+          check: r.name,
+          passed: r.passed,
+          issues: r.findings.map(f => ({ message: f.message, file: f.file, line: f.line })),
+        }));
+        console.log(JSON.stringify(output, null, 2));
+      } else {
         printSimpleReport(results);
+      }
-        // Viral hooks on first scan
+      // On first scan: add doorman to AI tool configs
+      try {
         const { isFirstScan, installClaudeMd, installAgentsMd, installCursorRules, installClaudeHook } = await import('../src/hooks.js');
-        const { resolve } = await import('path');
         const resolvedPath = resolve(path);
         if (isFirstScan(resolvedPath)) {
-          const chalk = (await import('chalk')).default;
           installClaudeMd(resolvedPath);
           installAgentsMd(resolvedPath);
           installCursorRules(resolvedPath);
           installClaudeHook(resolvedPath);
         }
+      } catch {}
-        const failCount = results.filter(r => !r.passed).length;
-        process.exit(failCount > 0 ? 1 : 0);
-        return;
-      }
-      // Deep mode: full 2,500+ rule scan
-      const result = await check(path, options);
-      // Generate shareable score card
-      if (options.share && result) {
-        const { generateScoreCard } = await import('../src/share.js');
-        const cardPath = generateScoreCard(path, result);
-        const chalk = (await import('chalk')).default;
-        console.log('');
-        console.log(chalk.bold.green('  Score card saved!'));
-        console.log(chalk.gray(`  Open: ${cardPath}`));
-        console.log(chalk.gray('  Share it on Twitter, Discord, or Slack.'));
-        console.log('');
-      }
-      // After first scan: add CLAUDE.md, offer hooks, collect email
-      if (!options.ci && !options.quiet && !options.json && !options.sarif && !options.html && !options.silent) {
-        const { isFirstScan, installClaudeMd, installAgentsMd, installCursorRules, installClaudeHook } = await import('../src/hooks.js');
-        const { loadAuth, saveAuth } = await import('../src/auth.js');
-        const { resolve } = await import('path');
-        const resolvedPath = resolve(path);
-        if (isFirstScan(resolvedPath)) {
-          const chalk = (await import('chalk')).default;
-          // Add Doorman instructions to AI config files (only appends, never overwrites)
-          const claudeMd = installClaudeMd(resolvedPath);
-          const agentsMd = installAgentsMd(resolvedPath);
-          const cursorRules = installCursorRules(resolvedPath);
-          if (claudeMd) console.log(chalk.dim('  Added Doorman to CLAUDE.md'));
-          if (agentsMd) console.log(chalk.dim('  Added Doorman to AGENTS.md'));
-          if (cursorRules) console.log(chalk.dim('  Added Doorman to .cursorrules'));
-          // Auto-run hook for Claude Code (non-blocking, just a scan)
-          const hookInstalled = installClaudeHook(resolvedPath);
-          if (hookInstalled) console.log(chalk.dim('  Auto-run enabled for Claude Code'));
-          // NOTE: No pre-commit hook on first scan — too aggressive.
-          // Users can opt in with: npx getdoorman init
-          // Collect email
-          const auth = loadAuth();
-          if (!auth?.email) {
-            const readline = await import('readline');
-            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-            console.log('');
-            const email = await new Promise(r => {
-              rl.question(chalk.green('  Enter your email for updates (optional): '), a => { rl.close(); r(a.trim()); });
-            });
-            if (email && email.includes('@')) {
-              saveAuth(email);
-              console.log(chalk.green('  ✓ Saved!'));
-            }
-          }
-          console.log('');
-        }
-      }
-      process.exit(result.exitCode || 0);
-    } catch (err) {
-      console.error('Error:', err.message);
-      process.exit(2);
-    }
-  });
-program
-  .command('fix')
-  .description('Tell your AI to fix issues — works in Claude, Codex, Cursor')
-  .argument('[path]', 'Path to scan', '.')
-  .action(async (path) => {
-    const chalk = (await import('chalk')).default;
-    const { collectFiles } = await import('../src/scanner.js');
-    const { runSimpleChecks } = await import('../src/simple-reporter.js');
-    const files = await collectFiles(path, { silent: true });
-    const results = runSimpleChecks(files);
-    const failed = results.filter(r => !r.passed);
-    if (failed.length === 0) {
-      console.log('');
-      console.log(chalk.green.bold('  All clear. Nothing to fix.'));
-      console.log('');
-      return;
-    }
-    // Build the prompt
-    const issues = [];
-    for (const r of failed) {
-      for (const f of r.findings.slice(0, 5)) {
-        const loc = f.file ? ` in ${f.file}${f.line ? ':' + f.line : ''}` : '';
-        issues.push(`- ${r.name}: ${f.message}${loc}`);
-      }
-    }
-    const prompt = `Fix these issues in my code:\n\n${issues.join('\n')}`;
-    // Detect environment: AI tool or manual terminal
-    const isAI = process.env.CLAUDE_CODE || process.env.CURSOR_SESSION || process.env.CODEX_SANDBOX || process.env.TERM_PROGRAM === 'claude';
-    const isCI = process.env.CI || process.env.GITHUB_ACTIONS;
-    if (isAI) {
-      // Inside an AI tool — just output the prompt directly, the AI will act on it
-      console.log(prompt);
-    } else if (isCI) {
-      // CI — just list issues
-      console.log(prompt);
-    } else {
-      // Manual terminal — show formatted + copy to clipboard
-      console.log('');
-      console.log(chalk.bold('  Paste this into Claude, Codex, or Cursor:'));
-      console.log('');
-      console.log(chalk.cyan('  ┌───────────────────────────────────────────────'));
-      for (const line of prompt.split('\n')) {
-        console.log(chalk.cyan('  │ ') + line);
-      }
-      console.log(chalk.cyan('  └───────────────────────────────────────────────'));
-      console.log('');
-      // Copy to clipboard
-      try {
-        const { execSync } = await import('child_process');
-        const cmd = process.platform === 'darwin' ? 'pbcopy' : process.platform === 'win32' ? 'clip' : 'xclip -selection clipboard';
-        execSync(cmd, { input: prompt, stdio: ['pipe', 'ignore', 'ignore'] });
-        console.log(chalk.green('  ✓ Copied to clipboard! Just paste it.'));
-      } catch {
-        console.log(chalk.dim('  Tip: copy the text above and paste into your AI tool'));
-      }
-      console.log('');
-    }
-  });
-program
-  .command('review')
-  .description('Review only changed files (for git hooks and PRs)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--json', 'Output as JSON')
-  .option('--min-score <number>', 'Minimum score', '70')
-  .action(async (path, options) => {
-    try {
-      const result = await check(path, { ...options, incremental: true });
-      process.exit(result.exitCode || 0);
+      const failCount = results.filter(r => !r.passed).length;
+      process.exit(options.ci && failCount > 0 ? 1 : 0);
     } catch (err) {
       console.error('Error:', err.message);
       process.exit(2);
     }
   });
-program
-  .command('ignore')
-  .description('Ignore a rule (mark as false positive)')
-  .argument('<ruleId>', 'Rule ID to ignore (e.g., SEC-INJ-001)')
-  .option('--file <path>', 'Only ignore in this file')
-  .option('--reason <reason>', 'Reason for ignoring')
-  .action(async (ruleId, options) => {
-    const { addIgnore } = await import('../src/config.js');
-    addIgnore('.', ruleId, options.file || null, options.reason || 'User dismissed');
-    console.log(`Ignored ${ruleId}${options.file ? ' in ' + options.file : ''}`);
-  });
-program
-  .command('init')
-  .description('Initialize Doorman: create config, hooks, and auto-run')
-  .option('--no-hook', 'Skip pre-commit hook installation')
-  .option('--claude', 'Install Claude Code auto-run hook')
-  .action(async (options) => {
-    const { writeFileSync, existsSync, mkdirSync } = await import('fs');
-    const { installClaudeHook, installGitHook, installClaudeMd } = await import('../src/hooks.js');
-    const { resolve } = await import('path');
-    // 1. Config file — create .doormanrc with recommended preset
-    if (existsSync('.doormanrc') || existsSync('.doormanrc.json')) {
-      const which = existsSync('.doormanrc') ? '.doormanrc' : '.doormanrc.json';
-      console.log(`  ✓ Config already exists at ${which}`);
-    } else {
-      const config = {
-        extends: 'recommended',
-        rules: {},
-        categories: [],
-        severity: 'medium',
-        ignore: ['test/**', 'vendor/**', '*.min.js'],
-      };
-      writeFileSync('.doormanrc', JSON.stringify(config, null, 2) + '\n');
-      console.log('  ✓ Created .doormanrc (recommended preset)');
-    }
-    // 2. Pre-commit hook
-    if (options.hook !== false) {
-      const installed = installGitHook(resolve('.'));
-      if (installed) {
-        console.log('  ✓ Installed pre-commit hook — critical issues will block commits');
-      } else if (!existsSync('.git')) {
-        console.log('  ⚠ Not a git repository — skipping pre-commit hook');
-      } else {
-        console.log('  ✓ Pre-commit hook already installed');
-      }
-    }
-    // 3. Claude Code hook
-    if (options.claude) {
-      const installed = installClaudeHook(resolve('.'));
-      if (installed) {
-        console.log('  ✓ Claude Code hook installed — Doorman runs after every file edit');
-      } else {
-        console.log('  ✓ Claude Code hook already installed');
-      }
-    }
-    // 4. CLAUDE.md — teach Claude to use Doorman
-    const mdInstalled = installClaudeMd(resolve('.'));
-    if (mdInstalled) {
-      console.log('  ✓ Added Doorman to CLAUDE.md — Claude will suggest it automatically');
-    } else {
-      console.log('  ✓ CLAUDE.md already mentions Doorman');
-    }
-    console.log('');
-    console.log('Doorman is ready. Run `npx getdoorman check` to scan your codebase.');
-    if (!options.claude) {
-      console.log('Tip: Run `npx getdoorman init --claude` to auto-scan when Claude writes code.');
-    }
-  });
-program
-  .command('dashboard')
-  .description('Open your project dashboard in the browser')
-  .argument('[path]', 'Project path', '.')
-  .action(async (path) => {
-    const chalk = (await import('chalk')).default;
-    const { openDashboard } = await import('../src/dashboard.js');
-    const result = openDashboard(path);
-    if (result.error) {
-      console.log('');
-      console.log(chalk.yellow(`  ${result.error}`));
-      console.log('');
-    } else {
-      console.log('');
-      console.log(chalk.green(`  ✓ Dashboard opened: ${result.path}`));
-      console.log('');
-    }
-  });
-program
-  .command('benchmark')
-  .description('Run the real-world vulnerability detection benchmark')
-  .action(async () => {
-    console.log('Running Doorman benchmark...');
-    const { execSync } = await import('child_process');
-    try {
-      execSync('node --test test/benchmark-real-world.test.js', { stdio: 'inherit' });
-    } catch (e) {
-      // Test runner reports results
-    }
-  });
-program
-  .command('hook')
-  .description('Install Doorman as a pre-commit git hook')
-  .option('--remove', 'Remove the git hook')
-  .action(async (options) => {
-    const { writeFileSync, unlinkSync, existsSync, mkdirSync } = await import('fs');
-    const hookPath = '.git/hooks/pre-commit';
-    if (options.remove) {
-      if (existsSync(hookPath)) {
-        unlinkSync(hookPath);
-        console.log('Removed Doorman pre-commit hook');
-      }
-      return;
-    }
-    if (!existsSync('.git/hooks')) mkdirSync('.git/hooks', { recursive: true });
-    const hookScript = `#!/bin/sh
-# Doorman pre-commit hook
-npx getdoorman review --min-score 70
-`;
-    writeFileSync(hookPath, hookScript, { mode: 0o755 });
-    console.log('Installed Doorman pre-commit hook');
-    console.log('Every commit will be checked. Remove with: doorman hook --remove');
-  });
-program
-  .command('credits')
-  .description('Check your credit balance or buy more')
-  .option('--buy', 'Open the credit purchase page')
-  .action(async (options) => {
-    const chalk = (await import('chalk')).default;
-    const { loadAuth, checkCredits, getCreditPacks } = await import('../src/auth.js');
-    const auth = loadAuth();
-    if (!auth || !auth.email) {
-      console.log('');
-      console.log(chalk.dim('  No account yet. Run `npx getdoorman fix` to get 3 free credits.'));
-      console.log('');
-      return;
-    }
-    const credits = await checkCredits(auth.email);
-    const packs = getCreditPacks(auth.email);
-    console.log('');
-    console.log(chalk.bold('  Doorman Account'));
-    console.log(`    Email:   ${auth.email}`);
-    console.log(`    Credits: ${credits ? credits.credits : 'unknown (offline)'}`);
-    console.log('');
-    if (options.buy || (credits && credits.credits <= 0)) {
-      console.log(chalk.bold('  Buy credits:'));
-      console.log('');
-      for (const pack of packs) {
-        const bonus = pack.bonus ? chalk.green(` (${pack.bonus})`) : '';
-        console.log(`    ${String(pack.credits).padStart(3)} credits — ${pack.price}${bonus}   ${chalk.cyan(pack.buyUrl)}`);
-      }
-      console.log('');
-      // Try to open browser
-      try {
-        const { execSync } = await import('child_process');
-        const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
-        execSync(`${cmd} ${packs[0].buyUrl}`, { stdio: 'ignore' });
-        console.log(chalk.dim('  Opened in your browser.'));
-      } catch { /* ignore */ }
-    }
-    console.log('');
-  });
-// ai-fix is now merged into `fix` — kept as hidden alias for backward compat
-program
-  .command('ai-fix')
-  .description(false)  // hidden
-  .argument('[path]', 'Path to scan', '.')
-  .action(async () => {
-    console.log('ai-fix has been merged into `fix`. Just run: npx getdoorman fix');
-  });
-program
-  .command('report')
-  .description('Generate a compliance report (SOC2, GDPR, HIPAA, PCI-DSS)')
-  .argument('[path]', 'Path to scan', '.')
-  .option('--framework <name>', 'Framework: SOC2, GDPR, HIPAA, PCI, or all', 'all')
-  .option('--output <path>', 'Output file path', 'doorman-report.html')
-  .option('--project <name>', 'Project name for the report')
-  .action(async (path, options) => {
-    const chalk = (await import('chalk')).default;
-    const { basename, resolve } = await import('path');
-    const framework = options.framework.toLowerCase();
-    const validFrameworks = ['soc2', 'gdpr', 'hipaa', 'pci', 'all'];
-    if (!validFrameworks.includes(framework)) {
-      console.error(`Error: Unknown framework "${options.framework}". Choose from: SOC2, GDPR, HIPAA, PCI, or all`);
-      process.exit(1);
-    }
-    const projectName = options.project || basename(resolve(path));
-    console.log('');
-    console.log(chalk.bold.cyan('  Doorman — Compliance Report Generator'));
-    console.log('');
-    // Step 1: Run a full scan
-    console.log(chalk.gray('  Running full scan...'));
-    let result;
-    try {
-      result = await check(path, { silent: true, full: true });
-    } catch (err) {
-      console.error(chalk.red(`  Scan failed: ${err.message}`));
-      process.exit(1);
-    }
-    console.log(chalk.gray(`  Found ${result.findings.length} finding(s), score: ${result.score}/100`));
-    console.log('');
-    // Step 2: Generate the compliance report
-    const { summary } = generateReport(
-      { findings: result.findings, score: result.score, stack: result.stack },
-      { framework, projectName, outputPath: options.output }
-    );
-    // Step 3: Print summary
-    const frameworkEntries = Object.entries(summary.frameworks);
-    for (const [, fw] of frameworkEntries) {
-      const statusColor = fw.status === 'compliant' ? chalk.green : fw.status === 'partial' ? chalk.yellow : chalk.red;
-      console.log(`  ${fw.name.padEnd(22)} ${statusColor(fw.status.toUpperCase().padEnd(15))} ${fw.score}%`);
-    }
-    console.log('');
-    console.log(chalk.bold.green(`  Report saved to ${options.output}`));
-    console.log(chalk.gray('  Open in a browser to view the full compliance report.'));
-    console.log('');
-  });
 program.parse();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "getdoorman",
-  "version": "1.1.1",
+  "version": "1.2.1",
   "description": "Zero-config security scanner for AI-assisted development. 2000+ rules, 11 languages, 4 detection engines.",
   "main": "src/index.js",
   "exports": {

package/src/simple-checks.js CHANGED Viewed

@@ -12,14 +12,52 @@ const CHECKS = [
     fail: 'API key hardcoded in source code',
     check(files) {
       const patterns = [
+        // Cloud providers
         { name: 'AWS Access Key', regex: /(?:^|[^A-Z0-9])AKIA[0-9A-Z]{16}(?:[^A-Z0-9]|$)/ },
-        { name: 'Stripe Secret Key', regex: /sk_live_[0-9a-zA-Z]{24,}/ },
-        { name: 'OpenAI API Key', regex: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ/ },
+        { name: 'AWS Secret Key', regex: /(?:aws_secret|secret_access_key)\s*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/ },
+        { name: 'Google API Key', regex: /AIza[0-9A-Za-z_-]{35}/ },
+        { name: 'Google OAuth Secret', regex: /GOCSPX-[a-zA-Z0-9_-]{28}/ },
+        { name: 'Vercel Token', regex: /vercel_[a-zA-Z0-9]{24,}/ },
+        { name: 'Netlify Token', regex: /nfp_[a-zA-Z0-9]{40,}/ },
+        // AI providers
+        { name: 'OpenAI API Key', regex: /sk-(?:proj-)?[a-zA-Z0-9]{32,}/ },
         { name: 'Anthropic API Key', regex: /sk-ant-[a-zA-Z0-9-]{20,}/ },
+        { name: 'Groq API Key', regex: /gsk_[a-zA-Z0-9]{48,}/ },
+        { name: 'Replicate API Token', regex: /r8_[a-zA-Z0-9]{38}/ },
+        { name: 'Hugging Face Token', regex: /hf_[a-zA-Z0-9]{34}/ },
+        { name: 'Together AI Key', regex: /tog_[a-zA-Z0-9]{40,}/ },
+        { name: 'Pinecone API Key', regex: /pcsk_[a-zA-Z0-9]{50,}/ },
+        // Payment
+        { name: 'Stripe Secret Key', regex: /sk_live_[0-9a-zA-Z]{24,}/ },
+        { name: 'Stripe Publishable (live)', regex: /pk_live_[0-9a-zA-Z]{24,}/ },
+        // Auth
+        { name: 'Clerk Secret Key', regex: /sk_live_[a-zA-Z0-9]{27,}/ },
+        { name: 'Clerk Publishable Key', regex: /pk_live_[a-zA-Z0-9]{27,}/ },
+        { name: 'Auth0 Client Secret', regex: /(?:auth0|AUTH0).*secret.*['"][a-zA-Z0-9_-]{32,}['"]/ },
+        // Dev tools
         { name: 'GitHub Token', regex: /ghp_[0-9a-zA-Z]{36}/ },
+        { name: 'GitHub OAuth Secret', regex: /gho_[0-9a-zA-Z]{36}/ },
+        { name: 'GitLab Token', regex: /glpat-[0-9a-zA-Z_-]{20,}/ },
+        { name: 'Slack Bot Token', regex: /xoxb-[0-9]{11,}-[0-9a-zA-Z]{24,}/ },
+        { name: 'Slack Webhook', regex: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[a-zA-Z0-9]+/ },
+        { name: 'Discord Bot Token', regex: /[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}/ },
+        { name: 'Twilio Auth Token', regex: /(?:twilio|TWILIO).*[0-9a-f]{32}/ },
+        { name: 'SendGrid API Key', regex: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ },
+        { name: 'Resend API Key', regex: /re_[a-zA-Z0-9]{30,}/ },
+        { name: 'Mailgun API Key', regex: /key-[0-9a-zA-Z]{32}/ },
+        { name: 'Postmark Token', regex: /(?:postmark|POSTMARK).*['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]/ },
+        // Database
         { name: 'Supabase Service Key', regex: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]{50,}/ },
-        { name: 'Google API Key', regex: /AIza[0-9A-Za-z_-]{35}/ },
-        { name: 'Slack Token', regex: /xoxb-[0-9]{11,}-[0-9a-zA-Z]{24,}/ },
+        { name: 'Firebase Private Key', regex: /-----BEGIN RSA PRIVATE KEY-----/ },
+        { name: 'MongoDB Connection String', regex: /mongodb\+srv:\/\/[^:]+:[^@]+@/ },
+        { name: 'Postgres Connection String', regex: /postgres(?:ql)?:\/\/[^:]+:[^@]+@/ },
+        { name: 'PlanetScale Connection', regex: /mysql:\/\/[^:]+:[^@]+@aws\.connect\.psdb\.cloud/ },
+        { name: 'Neon Postgres', regex: /postgres(?:ql)?:\/\/[^:]+:[^@]+@[^/]*neon\.tech/ },
+        { name: 'Turso Database Token', regex: /eyJhbGciOiJFZERTQS[a-zA-Z0-9_-]{50,}/ },
+        { name: 'Upstash Redis Token', regex: /AX[a-zA-Z0-9]{34,}/ },
+        { name: 'Redis Connection String', regex: /redis:\/\/[^:]+:[^@]+@/ },
+        // SSH & certificates
+        { name: 'SSH Private Key', regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
       ];
       const findings = [];
       for (const [fp, content] of files) {
@@ -64,15 +102,25 @@ const CHECKS = [
     fail: 'SQL query built with user input',
     check(files) {
       const findings = [];
-      const sqlPattern = /(?:query|execute|raw)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b[^`]*\$\{/i;
+      const patterns = [
+        // JS/TS template literals with SQL
+        /(?:query|execute|raw|prepare)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE)\s.*(?:FROM|INTO|SET)\b[^`]*\$\{/i,
+        // String concatenation with SQL keywords
+        /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)\s.*['"]\s*\+\s*(?:req\.|params\.|input|user)/i,
+        // Python f-string/format SQL
+        /(?:execute|cursor\.execute)\s*\(\s*f['"].*(?:SELECT|INSERT|UPDATE|DELETE)\b/i,
+      ];
       for (const [fp, content] of files) {
         if (/test|spec|mock/i.test(fp)) continue;
         if (!fp.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) continue;
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
           const block = lines.slice(i, i + 3).join(' ');
-          if (sqlPattern.test(block)) {
-            findings.push({ message: 'SQL query built with template literal', file: fp, line: i + 1 });
+          for (const p of patterns) {
+            if (p.test(block)) {
+              findings.push({ message: 'SQL query built with user input', file: fp, line: i + 1 });
+              break;
+            }
           }
         }
       }
@@ -90,14 +138,23 @@ const CHECKS = [
       for (const [fp, content] of files) {
         if (/test|spec|mock/i.test(fp)) continue;
         if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
-        if (!fp.match(/api|route|handler|controller/i)) continue;
+        if (!fp.match(/api|route|handler|controller|middleware/i)) continue;
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
+          // Next.js route handlers
           if (/export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\b/.test(lines[i])) {
             const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
-            if (!/try\s*\{|\.catch\s*\(/.test(body)) {
+            if (!/try\s*\{|\.catch\s*\(|errorHandler|withErrorHandling/.test(body)) {
               findings.push({ message: `${fp.split('/').pop()} has no error handling`, file: fp, line: i + 1 });
-              break; // one per file
+              break;
+            }
+          }
+          // Express route handlers
+          if (/(?:app|router)\.\s*(?:get|post|put|delete|patch)\s*\(/.test(lines[i])) {
+            const body = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+            if (/async/.test(body) && !/try\s*\{|\.catch\s*\(|asyncHandler|expressAsyncErrors/.test(body)) {
+              findings.push({ message: `Async route without try/catch`, file: fp, line: i + 1 });
+              break;
             }
           }
         }
@@ -113,14 +170,20 @@ const CHECKS = [
     fail: 'Password or secret hardcoded in source',
     check(files) {
       const findings = [];
-      const pattern = /(?:password|passwd|pwd|secret|secret_key|jwt_secret)\s*[:=]\s*['"][^'"]{8,}['"]/i;
+      const patterns = [
+        /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+        /(?:secret|secret_key|jwt_secret|app_secret|client_secret)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+        /(?:auth_token|access_token|bearer)\s*[:=]\s*['"][^'"]{20,}['"]/i,
+        /(?:database_url|db_url|database_password|db_password)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+      ];
+      const combined = new RegExp(patterns.map(p => p.source).join('|'), 'i');
       for (const [fp, content] of files) {
-        if (/test|spec|mock|example|sample|\.env/i.test(fp)) continue;
+        if (/test|spec|mock|example|sample|\.env|fixture/i.test(fp)) continue;
         if (!fp.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php|yml|yaml|json)$/)) continue;
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
           if (/^\s*(\/\/|#|\*|\/\*)/.test(lines[i])) continue;
-          if (pattern.test(lines[i]) && !/process\.env|os\.environ|ENV\[|config\.|getenv/i.test(lines[i])) {
+          if (combined.test(lines[i]) && !/process\.env|os\.environ|ENV\[|config\.|getenv|placeholder|example|changeme|TODO/i.test(lines[i])) {
             findings.push({ message: 'Hardcoded secret', file: fp, line: i + 1 });
           }
         }
@@ -152,20 +215,21 @@ const CHECKS = [
     },
   },
   {
-    id: 'ai-cost-waste',
-    name: 'AI Cost Waste',
-    icon: '💰',
-    pass: 'AI API calls look efficient',
-    fail: 'AI API called without caching or limits',
+    id: 'sensitive-logs',
+    name: 'Sensitive Data in Logs',
+    icon: '📋',
+    pass: 'No passwords or tokens in logs',
+    fail: 'Sensitive data may be logged',
     check(files) {
       const findings = [];
       for (const [fp, content] of files) {
         if (/test|spec|mock/i.test(fp)) continue;
-        if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
-        // Check for AI API calls without max_tokens
-        if (/openai|anthropic|chat\.completions\.create|messages\.create/i.test(content)) {
-          if (!/max_tokens|maxTokens|max_output_tokens/i.test(content)) {
-            findings.push({ message: 'AI API call without token limit', file: fp });
+        if (!fp.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/console\.log\(.*(?:password|secret|token|apiKey|api_key|authorization|credential)/i.test(lines[i]) ||
+              /logger?\.\w+\(.*(?:password|secret|token|apiKey|credential)/i.test(lines[i])) {
+            findings.push({ message: 'Password or token may be logged', file: fp, line: i + 1 });
           }
         }
       }

package/src/simple-reporter.js CHANGED Viewed

@@ -52,7 +52,7 @@ export function printSimpleReport(results) {
     console.log(chalk.green.bold('  All clear. Ship it.'));
   } else {
     console.log(chalk.yellow(`  ${failCount} issue${failCount === 1 ? '' : 's'} to fix before shipping.`));
-    console.log(chalk.gray('  Run `npx getdoorman fix` to generate a prompt for Claude/Codex.'));
+    console.log(chalk.gray('  Tell Claude or Codex: "fix the issues Doorman found"'));
   }
   console.log('');