guardvibe 0.6.4 → 0.8.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 VibeGuard Security
+Copyright (c) 2026 GokLab
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/build/data/rules/auth.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const authRules: SecurityRule[];
+//# sourceMappingURL=auth.d.ts.map

package/build/data/rules/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EAsHnC,CAAC"}

package/build/data/rules/auth.js

@@ -0,0 +1,100 @@
+// Security rules for Clerk, Auth.js, and general auth patterns
+export const authRules = [
+    {
+        id: "VG420",
+        name: "Unprotected Route Handler",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Route handler accesses database without authentication check. Anyone can call this endpoint.",
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add authentication check at the start of every route handler that accesses data.",
+        fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  const data = await db.query(...);\n}',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(d)"],
+    },
+    {
+        id: "VG421",
+        name: "Auth Without Middleware",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Importing auth() from Clerk without clerkMiddleware configured. auth() returns empty data without middleware.",
+        pattern: /import\s*\{[^}]*\bauth\b[^}]*\}\s*from\s*["']@clerk\/nextjs\/server["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Ensure clerkMiddleware() is configured in proxy.ts (Next.js 16) or middleware.ts.",
+        fixCode: '// proxy.ts or middleware.ts\nimport { clerkMiddleware } from "@clerk/nextjs/server";\nexport default clerkMiddleware();',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG422",
+        name: "Clerk Secret Key Client Exposure",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "CLERK_SECRET_KEY is accessed in client-side code. This key grants full API access to your Clerk account.",
+        pattern: /["']use client["'][\s\S]*?CLERK_SECRET_KEY/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never access CLERK_SECRET_KEY in client components. Use it only in server-side code.",
+        fixCode: '// Server-side only\nimport { clerkClient } from "@clerk/nextjs/server";\nconst users = await clerkClient.users.getUserList();',
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG423",
+        name: "Auth.js Hardcoded Secret",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "NEXTAUTH_SECRET or AUTH_SECRET is hardcoded as a string literal instead of using an environment variable.",
+        pattern: /(?:NEXTAUTH_SECRET|AUTH_SECRET)\s*[:=]\s*["'][^"']{8,}["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use environment variables for auth secrets. Generate with: npx auth secret",
+        fixCode: "# .env.local\nAUTH_SECRET= # Generated with: npx auth secret\n\n// auth.ts — AUTH_SECRET is read automatically from env",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    {
+        id: "VG424",
+        name: "Session Token in localStorage",
+        severity: "high",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Auth token or session stored in localStorage. localStorage is accessible to any JavaScript on the page, making it vulnerable to XSS attacks.",
+        pattern: /localStorage\.setItem\s*\(\s*["'](?:auth|session|token|jwt|access|refresh|bearer)\w*["']/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use httpOnly cookies for session tokens. They cannot be accessed by JavaScript.",
+        fixCode: '// Use httpOnly cookies instead\nresponse.cookies.set("session", token, {\n  httpOnly: true,\n  secure: true,\n  sameSite: "lax",\n  maxAge: 60 * 60 * 24,\n});',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10"],
+    },
+    {
+        id: "VG425",
+        name: "Auth Callback Open Redirect",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Auth callback URL accepts unvalidated redirect parameter. Attackers can redirect users to phishing sites after authentication.",
+        pattern: /(?:callbackUrl|redirect_uri|returnTo|next)\s*[=:]\s*(?:req\.query|searchParams\.get|request\.url|params)\b/g,
+        languages: ["javascript", "typescript"],
+        fix: "Validate callback URLs against an allowlist of trusted domains.",
+        fixCode: '// Validate callback URL\nconst callbackUrl = searchParams.get("callbackUrl") ?? "/";\nconst url = new URL(callbackUrl, request.url);\nif (url.origin !== new URL(request.url).origin) {\n  redirect("/");\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG426",
+        name: "Missing Role Check on Admin Route",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Admin or dashboard route handler does not verify user role or permissions.",
+        pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole)[\s\S])*?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Always verify user roles and permissions in admin routes.",
+        fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId, orgRole } = await auth();\n  if (orgRole !== "org:admin") {\n    return new Response("Forbidden", { status: 403 });\n  }\n}',
+        compliance: ["SOC2:CC6.6", "HIPAA:§164.312(d)"],
+    },
+    {
+        id: "VG427",
+        name: "Supabase getSession Instead of getUser",
+        severity: "medium",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Using supabase.auth.getSession() on the server side is insecure. The JWT can be spoofed. Use getUser() which validates the token with Supabase Auth server.",
+        pattern: /supabase\.auth\.getSession\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use supabase.auth.getUser() on the server side.",
+        fixCode: '// CORRECT: validates with Auth server\nconst { data: { user }, error } = await supabase.auth.getUser();\nif (error || !user) throw new Error("Unauthorized");',
+        compliance: ["SOC2:CC6.6"],
+    },
+];
+//# sourceMappingURL=auth.js.map

package/build/data/rules/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,uLAAuL;QACzL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,0EAA0E;QAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,0HAA0H;QAC5H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,6CAA6C;QACtD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,oLAAoL;QACtL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}

package/build/data/rules/database.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const databaseRules: SecurityRule[];
+//# sourceMappingURL=database.d.ts.map

package/build/data/rules/database.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAmHvC,CAAC"}

package/build/data/rules/database.js

@@ -0,0 +1,100 @@
+// Security rules for Supabase, Prisma, and Drizzle ORM
+export const databaseRules = [
+    {
+        id: "VG430",
+        name: "Supabase Anon Key on Server",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Using the anon/public key server-side bypasses Row Level Security. Use the service_role key on the server.",
+        pattern: /createClient\s*\([\s\S]*?(?:NEXT_PUBLIC_SUPABASE_ANON_KEY|supabaseAnonKey)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use SUPABASE_SERVICE_ROLE_KEY on the server. The anon key is for client-side use with RLS.",
+        fixCode: '// Server-side: use service role key\nconst supabase = createClient(\n  process.env.SUPABASE_URL!,\n  process.env.SUPABASE_SERVICE_ROLE_KEY!\n);',
+        compliance: ["SOC2:CC6.6", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG431",
+        name: "Supabase Missing RLS Warning",
+        severity: "medium",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Supabase client queries data. Ensure Row Level Security policies are configured on your tables.",
+        pattern: /supabase\s*\.from\s*\(\s*["']\w+["']\s*\)\s*\.(?:select|insert|update|delete|upsert)\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Enable Row Level Security (RLS) on all Supabase tables and create appropriate policies.",
+        fixCode: "-- Enable RLS on tables\nALTER TABLE posts ENABLE ROW LEVEL SECURITY;\n\nCREATE POLICY \"Users can read own posts\"\n  ON posts FOR SELECT\n  USING (auth.uid() = user_id);",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG432",
+        name: "Prisma Raw Query Injection",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "Prisma $queryRaw or $executeRaw with template literal interpolation. Use Prisma.sql tagged template for safe parameterization.",
+        pattern: /\.\$(?:queryRaw|executeRaw)`[^`]*\$\{(?!Prisma\.)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use Prisma.sql tagged template for safe parameterization.",
+        fixCode: 'import { Prisma } from "@prisma/client";\n\nconst result = await prisma.$queryRaw(\n  Prisma.sql`SELECT * FROM users WHERE id = ${userId}`\n);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG433",
+        name: "Prisma queryRawUnsafe Usage",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "$queryRawUnsafe and $executeRawUnsafe pass raw SQL strings without parameterization. Extremely dangerous with user input.",
+        pattern: /\.\$(?:queryRawUnsafe|executeRawUnsafe)\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Replace with $queryRaw using Prisma.sql tagged template.",
+        fixCode: "const result = await prisma.$queryRaw(\n  Prisma.sql`SELECT * FROM users WHERE id = ${userId}`\n);",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG434",
+        name: "Drizzle Unsafe SQL Interpolation",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "Drizzle sql tagged template with direct variable interpolation. Use sql.placeholder() for safe parameterization.",
+        pattern: /(?:db\.execute|db\.run|db\.get|db\.all)\s*\(\s*sql`[^`]*\$\{/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use sql.placeholder() for dynamic values in Drizzle queries.",
+        fixCode: 'import { sql } from "drizzle-orm";\n\nconst result = await db.execute(\n  sql`SELECT * FROM users WHERE id = ${sql.placeholder("id")}`,\n  { id: userId }\n);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG435",
+        name: "Database URL Client Exposure",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "DATABASE_URL or DIRECT_URL is accessed in client-side code. This exposes your database connection string to the browser.",
+        pattern: /["']use client["'][\s\S]*?process\.env\.(?:DATABASE_URL|DIRECT_URL)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never access database URLs in client components. Use Server Components or API routes.",
+        fixCode: "// Access database only server-side (no 'use client')\nexport default async function Page() {\n  const data = await prisma.user.findMany();\n  return <UserList users={data} />;\n}",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG436",
+        name: "NEXT_PUBLIC Database URL",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Database URL is prefixed with NEXT_PUBLIC_, exposing it in the client bundle.",
+        pattern: /NEXT_PUBLIC_\w*(?:DATABASE|DB|POSTGRES|MYSQL|MONGO|REDIS|SUPABASE_DB)\w*URL\s*=/gi,
+        languages: ["javascript", "typescript", "shell"],
+        fix: "Remove NEXT_PUBLIC_ prefix. Database URLs must only be server-side.",
+        fixCode: "# WRONG: exposed to client\n# NEXT_PUBLIC_DATABASE_URL=postgresql://...\n\n# CORRECT: server-side only\nDATABASE_URL=postgresql://...",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG437",
+        name: "Supabase Service Role Key in Client",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "SUPABASE_SERVICE_ROLE_KEY is accessed in client-side code. This key bypasses RLS and grants full database access.",
+        pattern: /["']use client["'][\s\S]*?(?:SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never use the service role key in client code.",
+        fixCode: '// Server-side only\n"use server";\nconst adminClient = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!);',
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+];
+//# sourceMappingURL=database.js.map

package/build/data/rules/database.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iGAAiG;QACnG,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EACL,6KAA6K;QAC/K,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,gJAAgJ;QAClJ,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2HAA2H;QAC7H,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oGAAoG;QACtG,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,+DAA+D;QACxE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,sEAAsE;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,qLAAqL;QACvL,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+EAA+E;QACjF,OAAO,EACL,mFAAmF;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,uIAAuI;QACzI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,uEAAuE;QAChF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,oHAAoH;QACtH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}

package/build/data/rules/deployment.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const deploymentRules: SecurityRule[];
+//# sourceMappingURL=deployment.d.ts.map

package/build/data/rules/deployment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,EA+NzC,CAAC"}

package/build/data/rules/deployment.js

@@ -0,0 +1,192 @@
+// Security rules for deployment config files
+export const deploymentRules = [
+    // vercel.json / vercel.ts
+    {
+        id: "VG500",
+        name: "Vercel CORS Wildcard",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Vercel config sets Access-Control-Allow-Origin to wildcard (*), allowing any website to make requests.",
+        pattern: /["']Access-Control-Allow-Origin["'][\s\S]*?["']\*["']/g,
+        languages: ["vercel-config", "json"],
+        fix: "Restrict CORS to specific trusted origins.",
+        fixCode: '// vercel.json\n{\n  "headers": [{\n    "source": "/api/(.*)",\n    "headers": [{ "key": "Access-Control-Allow-Origin", "value": "https://yourdomain.com" }]\n  }]\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG501",
+        name: "Vercel Internal Rewrite Exposure",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Vercel rewrites expose internal service URLs to the public internet.",
+        pattern: /["']rewrites["']\s*:\s*\[[\s\S]*?["']destination["']\s*:\s*["']https?:\/\/(?:localhost|127\.0\.0\.1|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)/g,
+        languages: ["vercel-config", "json"],
+        fix: "Do not rewrite to internal network addresses. Use Vercel environment variables for service URLs.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG503",
+        name: "Vercel Cron Missing Secret Verification",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Cron jobs are configured but the endpoint may not verify CRON_SECRET. Anyone could trigger the cron endpoint manually.",
+        pattern: /["']crons["']\s*:\s*\[[\s\S]*?["']path["']\s*:\s*["'][^"']+["']/g,
+        languages: ["vercel-config", "json"],
+        fix: "Verify the CRON_SECRET header in your cron endpoint.",
+        fixCode: '// app/api/cron/route.ts\nexport async function GET(request: Request) {\n  const authHeader = request.headers.get("authorization");\n  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {\n    return new Response("Unauthorized", { status: 401 });\n  }\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG504",
+        name: "Excessive Function Duration",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Function maxDuration is set very high. Long-running functions increase costs and attack surface.",
+        pattern: /["']maxDuration["']\s*:\s*(?:[3-9]\d{2}|[1-9]\d{3,})/g,
+        languages: ["vercel-config", "json"],
+        fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
+    },
+    {
+        id: "VG506",
+        name: "Hardcoded Secret in Vercel Config",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret or API key hardcoded in vercel.json. This file is committed to git.",
+        pattern: /["'](?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
+        languages: ["vercel-config", "json"],
+        fix: "Use Vercel environment variables (vercel env add) instead of hardcoding in config files.",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    // next.config
+    {
+        id: "VG507",
+        name: "Wildcard Remote Image Pattern",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "next.config allows images from any hostname. This enables SSRF and hotlinking attacks.",
+        pattern: /remotePatterns\s*:\s*\[[\s\S]*?hostname\s*:\s*["'](?:\*\*|\*)["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Restrict remotePatterns to specific trusted hostnames.",
+        fixCode: '// next.config.ts\nimages: {\n  remotePatterns: [\n    { protocol: "https", hostname: "images.example.com" },\n  ]\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG509",
+        name: "Powered By Header Enabled",
+        severity: "low",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "X-Powered-By header reveals Next.js framework. This helps attackers target known vulnerabilities.",
+        pattern: /poweredByHeader\s*:\s*true/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Set poweredByHeader to false in next.config.ts.",
+        fixCode: "// next.config.ts\nconst config = {\n  poweredByHeader: false,\n};",
+    },
+    {
+        id: "VG510",
+        name: "Next Config CORS Wildcard",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Next.js config headers() sets Access-Control-Allow-Origin to wildcard (*).",
+        pattern: /headers\s*\(\s*\)\s*\{[\s\S]*?Access-Control-Allow-Origin[\s\S]*?["']\*["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Restrict CORS to specific trusted origins.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG512",
+        name: "Source Maps in Production",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Source maps enabled in production expose original source code to attackers.",
+        pattern: /devtool\s*:\s*["'](?:source-map|eval-source-map|cheap-source-map)["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Disable source maps in production.",
+        fixCode: "// next.config.ts\nconst config = {\n  productionBrowserSourceMaps: false,\n};",
+        compliance: ["SOC2:CC6.1"],
+    },
+    // docker-compose.yml
+    {
+        id: "VG513",
+        name: "Docker Compose Public Port Binding",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Port bound to 0.0.0.0 exposes the service to all network interfaces.",
+        pattern: /ports\s*:\s*\n\s*-\s*["']?0\.0\.0\.0:/gm,
+        languages: ["docker-compose", "yaml"],
+        fix: "Bind to 127.0.0.1 for local-only access.",
+        fixCode: '# Bind to localhost only\nports:\n  - "127.0.0.1:3000:3000"',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG514",
+        name: "Docker Compose Hardcoded Secret",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret hardcoded in docker-compose environment section. Use Docker secrets or .env file.",
+        pattern: /environment\s*:\s*\n(?:\s*-\s*|\s*\w+\s*:\s*)[\s\S]*?(?:SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL)\w*\s*[=:]\s*\S{8,}/gi,
+        languages: ["docker-compose", "yaml"],
+        fix: "Use Docker secrets or reference a .env file instead of hardcoding.",
+        fixCode: "# Use .env file\nservices:\n  app:\n    env_file:\n      - .env",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    {
+        id: "VG515",
+        name: "Docker Compose Privileged Container",
+        severity: "critical",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Container runs in privileged mode with full host access. This is a severe security risk.",
+        pattern: /privileged\s*:\s*true/g,
+        languages: ["docker-compose", "yaml"],
+        fix: "Remove privileged: true. Use specific capabilities (cap_add) if needed.",
+        fixCode: "# Instead of privileged: true, use specific capabilities\nservices:\n  app:\n    cap_add:\n      - NET_ADMIN",
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG516",
+        name: "Docker Compose Host Volume Mount",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Mounting the entire host filesystem gives the container excessive access.",
+        pattern: /volumes\s*:\s*\n\s*-\s*["']?(?:\/:|\/etc|\/var|\/root|\/home)\s*:/gm,
+        languages: ["docker-compose", "yaml"],
+        fix: "Mount only specific directories needed by the application.",
+        fixCode: "# Mount only what's needed\nvolumes:\n  - ./data:/app/data",
+        compliance: ["SOC2:CC6.1"],
+    },
+    // fly.toml / render.yaml / netlify.toml
+    {
+        id: "VG517",
+        name: "Platform Config Hardcoded Secret",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret hardcoded in deployment platform config file. These files are committed to git.",
+        pattern: /\[env\][\s\S]*?(?:SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL)\w*\s*=\s*["']?[A-Za-z0-9_\-]{12,}/gi,
+        languages: ["fly-config", "render-config", "netlify-config", "toml"],
+        fix: "Use your platform's secret management (fly secrets set, Render env groups, Netlify env vars).",
+        fixCode: '# fly.toml — don\'t put secrets here\n# Instead: fly secrets set SECRET_KEY=value\n\n[env]\n  LOG_LEVEL = "info"',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    {
+        id: "VG518",
+        name: "Platform Internal Port Exposed",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Internal service port (database, cache) is exposed publicly.",
+        pattern: /internal_port\s*=\s*(?:5432|3306|6379|27017|9200|2379)/g,
+        languages: ["fly-config", "toml"],
+        fix: "Don't expose database or cache ports publicly. Use internal networking.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG520",
+        name: "Missing HTTPS Redirect",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "No HTTP to HTTPS redirect configured. Traffic may be sent unencrypted.",
+        pattern: /force_https\s*=\s*false/g,
+        languages: ["fly-config", "toml"],
+        fix: "Enable force_https to redirect all HTTP traffic to HTTPS.",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
+    },
+];
+//# sourceMappingURL=deployment.js.map

package/build/data/rules/deployment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;KAC/F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,yFAAyF;QAC3F,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,0FAA0F;QAC/F,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,cAAc;IACd;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,uHAAuH;QACzH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,mGAAmG;QACrG,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,iDAAiD;QACtD,OAAO,EAAE,oEAAoE;KAC9E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,8EAA8E;QAChF,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,4CAA4C;QACjD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EACL,wEAAwE;QAC1E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,oCAAoC;QACzC,OAAO,EACL,gFAAgF;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,0CAA0C;QAC/C,OAAO,EAAE,6DAA6D;QACtE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0FAA0F;QAC5F,OAAO,EACL,oHAAoH;QACtH,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,iEAAiE;QACnE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,8GAA8G;QAChH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2EAA2E;QAC7E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,4DAA4D;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,wFAAwF;QAC1F,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACpE,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,kHAAkH;QACpH,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,8DAA8D;QAChE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,yEAAyE;QAC9E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wEAAwE;QAC1E,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,2DAA2D;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;CACF,CAAC"}

package/build/data/rules/index.d.ts

@@ -1,3 +1,4 @@
 export type { SecurityRule } from "./types.js";
 export declare const owaspRules: import("./types.js").SecurityRule[];
+export declare const builtinRules: import("./types.js").SecurityRule[];
 //# sourceMappingURL=index.d.ts.map

package/build/data/rules/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAO/C,eAAO,MAAM,UAAU,qCAMtB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAW/C,eAAO,MAAM,UAAU,qCAUtB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}

package/build/data/rules/index.js

@@ -3,11 +3,21 @@ import { goRules } from "./go.js";
 import { dockerfileRules } from "./dockerfile.js";
 import { cicdRules } from "./cicd.js";
 import { terraformRules } from "./terraform.js";
+import { nextjsRules } from "./nextjs.js";
+import { authRules } from "./auth.js";
+import { databaseRules } from "./database.js";
+import { deploymentRules } from "./deployment.js";
 export const owaspRules = [
     ...coreRules,
     ...goRules,
     ...dockerfileRules,
     ...cicdRules,
     ...terraformRules,
+    ...nextjsRules,
+    ...authRules,
+    ...databaseRules,
+    ...deploymentRules,
 ];
+// Alias for clarity — these are the built-in rules without plugins
+export const builtinRules = owaspRules;
 //# sourceMappingURL=index.js.map

package/build/data/rules/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;CAClB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;CACnB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}

package/build/data/rules/nextjs.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const nextjsRules: SecurityRule[];
+//# sourceMappingURL=nextjs.d.ts.map

package/build/data/rules/nextjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,WAAW,EAAE,YAAY,EAkLrC,CAAC"}