npm - guardvibe - Versions diffs - 1.3.3 → 1.5.0 - Mend

guardvibe 1.3.3 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/build/data/compliance-metadata.d.ts +24 -0
package/build/data/compliance-metadata.d.ts.map +1 -0
package/build/data/compliance-metadata.js +274 -0
package/build/data/compliance-metadata.js.map +1 -0
package/build/data/rules/api-security.d.ts.map +1 -1
package/build/data/rules/api-security.js +1 -0
package/build/data/rules/api-security.js.map +1 -1
package/build/data/rules/deployment.d.ts.map +1 -1
package/build/data/rules/deployment.js +6 -0
package/build/data/rules/deployment.js.map +1 -1
package/build/data/rules/index.d.ts.map +1 -1
package/build/data/rules/index.js +3 -2
package/build/data/rules/index.js.map +1 -1
package/build/data/rules/payments.d.ts.map +1 -1
package/build/data/rules/payments.js +3 -0
package/build/data/rules/payments.js.map +1 -1
package/build/data/rules/react-native.d.ts.map +1 -1
package/build/data/rules/react-native.js +3 -0
package/build/data/rules/react-native.js.map +1 -1
package/build/data/rules/services.d.ts.map +1 -1
package/build/data/rules/services.js +5 -0
package/build/data/rules/services.js.map +1 -1
package/build/data/rules/types.d.ts +2 -0
package/build/data/rules/types.d.ts.map +1 -1
package/build/data/rules/web-security.d.ts.map +1 -1
package/build/data/rules/web-security.js +8 -0
package/build/data/rules/web-security.js.map +1 -1
package/build/index.js +77 -8
package/build/index.js.map +1 -1
package/build/tools/audit-config.d.ts +11 -0
package/build/tools/audit-config.d.ts.map +1 -0
package/build/tools/audit-config.js +370 -0
package/build/tools/audit-config.js.map +1 -0
package/build/tools/compliance-report.d.ts +1 -1
package/build/tools/compliance-report.d.ts.map +1 -1
package/build/tools/compliance-report.js +110 -11
package/build/tools/compliance-report.js.map +1 -1
package/build/tools/generate-policy.d.ts +2 -0
package/build/tools/generate-policy.d.ts.map +1 -0
package/build/tools/generate-policy.js +368 -0
package/build/tools/generate-policy.js.map +1 -0
package/build/tools/policy-check.d.ts +3 -0
package/build/tools/policy-check.d.ts.map +1 -0
package/build/tools/policy-check.js +208 -0
package/build/tools/policy-check.js.map +1 -0
package/build/tools/review-pr.d.ts +3 -0
package/build/tools/review-pr.d.ts.map +1 -0
package/build/tools/review-pr.js +179 -0
package/build/tools/review-pr.js.map +1 -0
package/build/tools/scan-directory.d.ts +1 -1
package/build/tools/scan-directory.d.ts.map +1 -1
package/build/tools/scan-directory.js +121 -7
package/build/tools/scan-directory.js.map +1 -1
package/build/tools/scan-secrets-history.d.ts +9 -0
package/build/tools/scan-secrets-history.d.ts.map +1 -0
package/build/tools/scan-secrets-history.js +142 -0
package/build/tools/scan-secrets-history.js.map +1 -0
package/build/tools/taint-analysis.d.ts +23 -0
package/build/tools/taint-analysis.d.ts.map +1 -0
package/build/tools/taint-analysis.js +183 -0
package/build/tools/taint-analysis.js.map +1 -0
package/build/utils/config.d.ts +14 -0
package/build/utils/config.d.ts.map +1 -1
package/build/utils/config.js +7 -0
package/build/utils/config.js.map +1 -1
package/package.json +2 -2

package/build/data/compliance-metadata.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Extended compliance metadata for all rules.
+ * Maps rule IDs to GDPR/ISO27001 mappings and exploit/audit descriptions.
+ * This is merged into rules at load time to keep rule files clean.
+ */
+interface ComplianceExtension {
+    gdpr?: string[];
+    iso27001?: string[];
+    exploit?: string;
+    audit?: string;
+}
+export declare const complianceMetadata: Record<string, ComplianceExtension>;
+/**
+ * Apply compliance metadata to a set of rules.
+ * Merges GDPR/ISO27001 mappings into compliance[] and adds exploit/audit fields.
+ */
+export declare function enrichRulesWithCompliance<T extends {
+    id: string;
+    compliance?: string[];
+    exploit?: string;
+    audit?: string;
+}>(rules: T[]): T[];
+export {};
+//# sourceMappingURL=compliance-metadata.d.ts.map

package/build/data/compliance-metadata.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"compliance-metadata.d.ts","sourceRoot":"","sources":["../../src/data/compliance-metadata.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,UAAU,mBAAmB;IAC3B,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAGD,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CA8PlE,CAAC;AAEF;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,CAAC,SAAS;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,CAc5I"}

package/build/data/compliance-metadata.js ADDED Viewed

@@ -0,0 +1,274 @@
+/**
+ * Extended compliance metadata for all rules.
+ * Maps rule IDs to GDPR/ISO27001 mappings and exploit/audit descriptions.
+ * This is merged into rules at load time to keep rule files clean.
+ */
+// guardvibe-ignore — this file contains security rule descriptions, not vulnerable code
+export const complianceMetadata = {
+    // === CORE RULES (VG001-VG100) ===
+    VG001: {
+        gdpr: ["GDPR:Art32(1)(a)", "GDPR:Art5(1)(f)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Attacker clones the public repo or decompiles the client bundle to extract hardcoded credentials, then uses them to access backend services, databases, or third-party APIs.",
+        audit: "Search codebase for patterns matching API key/password assignments. Show git history to prove no secrets were ever committed. Demonstrate that a secrets manager or environment variables are used instead.",
+    },
+    VG002: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.8.3", "ISO27001:A.8.24"],
+        exploit: "Attacker sends crafted SQL input through unvalidated form fields or URL parameters to extract, modify, or delete database records.",
+        audit: "Demonstrate that all database queries use parameterized statements or ORM methods. Show code review checklist that includes SQL injection testing.",
+    },
+    VG003: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Attacker injects shell metacharacters into user input that is passed to shell functions, achieving remote code execution on the server.",
+        audit: "Show that no user input is passed to shell functions. Demonstrate use of safe alternatives with argument arrays.",
+    },
+    VG010: {
+        gdpr: ["GDPR:Art32(1)(b)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.8.3", "ISO27001:A.5.15"],
+        exploit: "Attacker accesses API endpoints or resources without authentication, reading or modifying data belonging to other users.",
+        audit: "Show middleware/auth layer that protects all sensitive endpoints. Demonstrate that unauthenticated requests return 401/403.",
+    },
+    VG042: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Attacker injects malicious JavaScript through user-provided content rendered without sanitization, stealing session cookies or performing actions as the victim.",
+        audit: "Show that all user-generated content is escaped or sanitized before rendering. Demonstrate CSP headers that block inline scripts.",
+    },
+    VG060: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Attacker finds hardcoded JWT secret and forges valid authentication tokens, impersonating any user including admins.",
+        audit: "Show that JWT secrets are stored in environment variables or a secrets manager, never in source code.",
+    },
+    VG062: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Attacker extracts hardcoded API keys from source code or client bundles to access paid services, steal data, or run up costs.",
+        audit: "Scan entire codebase for credential patterns. Verify all sensitive values come from environment variables.",
+    },
+    // === NEXTJS RULES (VG400-VG412) ===
+    VG400: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Server-side secrets in client components are embedded in the JavaScript bundle. Attacker opens browser DevTools to read the secret value directly.",
+        audit: "Run next build and inspect the generated client bundles for any process.env references that are not NEXT_PUBLIC_.",
+    },
+    VG401: {
+        gdpr: ["GDPR:Art32(1)(a)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.8.28"],
+        exploit: "Attacker crafts malicious form data (SQL fragments, script tags, oversized values) to exploit the unvalidated Server Action, causing injection or data corruption.",
+        audit: "Show that every Server Action validates input with a schema library (Zod, Yup) before processing.",
+    },
+    VG402: {
+        gdpr: ["GDPR:Art32(1)(b)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.3"],
+        exploit: "Anyone can POST directly to a Server Action URL without authentication. Attacker discovers the action endpoint and calls it to delete data, modify records, or escalate privileges.",
+        audit: "Verify every exported Server Action checks auth() at the top. Show access control test cases.",
+    },
+    VG403: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.15"],
+        exploit: "With CORS wildcard, any malicious website can make authenticated requests to your API using the victim browser cookies/tokens.",
+        audit: "Show CORS configuration with explicit origin allowlist. Test that cross-origin requests from unlisted domains are rejected.",
+    },
+    VG404: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.3"],
+        exploit: "Overly broad matcher may expose admin or internal routes that were intended to be protected, bypassing access controls.",
+        audit: "Review middleware matcher patterns against actual protected routes. Show that no sensitive routes are accidentally excluded.",
+    },
+    VG405: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.8.20"],
+        exploit: "Without security headers, the app is vulnerable to clickjacking, MIME sniffing, and XSS due to missing X-Frame-Options, X-Content-Type-Options, and CSP.",
+        audit: "Check response headers using browser DevTools or curl. Verify CSP, HSTS, X-Frame-Options, and X-Content-Type-Options are present.",
+    },
+    VG406: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.8.28"],
+        exploit: "Attacker manipulates dynamic route params to access unauthorized records or inject into database queries.",
+        audit: "Show that all route params are validated with Zod/schema before use in queries. Test with malformed param values.",
+    },
+    VG407: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Sensitive data passed as props to client components is serialized into HTML/JSON and visible in page source or network tab.",
+        audit: "Inspect rendered HTML for sensitive data leakage. Verify server-only data never appears in client component props.",
+    },
+    VG408: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Unsafe innerHTML renders unsanitized HTML. If the content includes user input, attacker injects script tags for XSS.",
+        audit: "Grep for unsafe innerHTML usage. Verify that all instances use DOMPurify or equivalent sanitization.",
+    },
+    VG409: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Attacker crafts a URL with redirect parameter pointing to a malicious site, tricking the victim after authentication to enable phishing.",
+        audit: "Show redirect URL validation against a domain allowlist. Test with external URLs to verify they are rejected.",
+    },
+    VG410: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.5.15"],
+        exploit: "Attacker triggers cache revalidation on unauthenticated endpoints, causing stale data to be served or DoS via excessive revalidation.",
+        audit: "Show that revalidation endpoints require authentication. Test unauthenticated calls return 401.",
+    },
+    VG411: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "NEXT_PUBLIC_ variables with secret names are embedded in the client JavaScript bundle. Anyone visiting the site can extract them from the bundle source.",
+        audit: "Search .env files for NEXT_PUBLIC_ with secret keywords. Run next build and search output bundles for leaked values.",
+    },
+    VG412: {
+        gdpr: ["GDPR:Art5(1)(c)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Server Action returns full database objects including sensitive fields (passwordHash, internalNotes). Client receives all data in the response.",
+        audit: "Review Server Action return values. Verify select/pick is used to return only necessary fields.",
+    },
+    // === AUTH RULES (VG420-VG430) ===
+    VG420: {
+        gdpr: ["GDPR:Art32(1)(b)", "GDPR:Art32(1)(d)"],
+        iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.5"],
+        exploit: "Without session expiration, stolen session tokens remain valid indefinitely. Attacker uses a leaked token months later to access the account.",
+        audit: "Show session configuration with maxAge/expiry. Demonstrate that expired sessions are rejected.",
+    },
+    VG421: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.3"],
+        exploit: "Missing CSRF protection allows attacker to trick authenticated users into performing unintended actions via crafted forms on malicious sites.",
+        audit: "Show CSRF token implementation. Test that requests without valid CSRF tokens are rejected.",
+    },
+    VG422: {
+        gdpr: ["GDPR:Art32(1)(a)", "GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.8.5", "ISO27001:A.5.17"],
+        exploit: "Weak password policy allows brute force attacks. Attacker uses common password lists to compromise accounts in minutes.",
+        audit: "Show password policy enforcement (minimum length, complexity). Demonstrate that weak passwords are rejected.",
+    },
+    // === DATABASE RULES ===
+    VG440: {
+        gdpr: ["GDPR:Art32(1)(b)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.8.3", "ISO27001:A.5.15"],
+        exploit: "Without Supabase RLS, any client with the anon key can read/write all rows in the table directly via the PostgREST API.",
+        audit: "Query pg_policies to verify RLS is enabled on all tables. Test that anon/authenticated roles only access permitted rows.",
+    },
+    VG441: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.5.15", "ISO27001:A.8.3"],
+        exploit: "Supabase service role key in client code bypasses all RLS policies. Attacker extracts it and has full database access.",
+        audit: "Search client bundles for service_role key. Verify it is only used server-side.",
+    },
+    // === PAYMENT RULES ===
+    VG460: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Stripe secret key in client code gives attacker full control over the Stripe account: create charges, issue refunds, access customer data.",
+        audit: "Search for sk_live_ and sk_test_ patterns in client bundles. Verify Stripe keys are server-only.",
+    },
+    VG461: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Without webhook signature verification, attacker sends forged webhook events to grant themselves premium access or trigger refunds.",
+        audit: "Show Stripe constructEvent() call with webhook secret. Test with invalid signatures to verify rejection.",
+    },
+    // === WEB SECURITY RULES ===
+    VG650: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Without signature verification, attacker sends forged webhook payloads to trigger business logic (grant access, process fake payments, delete data).",
+        audit: "Show HMAC/signature verification code in webhook handler. Test with modified payloads to verify rejection.",
+    },
+    VG655: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "NEXT_PUBLIC_ credentials are compiled into client JavaScript. Attacker views page source to extract service keys.",
+        audit: "Audit .env files for NEXT_PUBLIC_ prefix on sensitive vars. Search built client bundles for leaked values.",
+    },
+    VG656: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art33"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Secrets in git history persist even if the file is later deleted. Attacker clones the repo and runs git log to find credentials.",
+        audit: "Run git log on .env files to verify they were never committed. Check .gitignore includes .env patterns.",
+    },
+    // === DEPLOYMENT RULES ===
+    VG500: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "CORS wildcard allows any website to make authenticated API requests using the victim session.",
+        audit: "Inspect vercel.json headers configuration. Test CORS with requests from unauthorized origins.",
+    },
+    VG503: {
+        gdpr: ["GDPR:Art32(1)(b)"],
+        iso27001: ["ISO27001:A.5.15"],
+        exploit: "Without CRON_SECRET verification, attacker discovers the cron endpoint URL and triggers it repeatedly, causing data corruption or excessive costs.",
+        audit: "Show authorization header check in cron handler. Test unauthenticated calls return 401.",
+    },
+    VG506: {
+        gdpr: ["GDPR:Art5(1)(f)", "GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.33"],
+        exploit: "Hardcoded secrets in vercel.json are visible to anyone with repository access, including in git history.",
+        audit: "Scan vercel.json for secret patterns. Verify all sensitive values use Vercel environment variables.",
+    },
+    VG507: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Wildcard remote image pattern allows attacker to use your server as a proxy for SSRF attacks against internal services.",
+        audit: "Review remotePatterns in next.config. Verify only trusted hostnames are allowed.",
+    },
+    // === AI SECURITY RULES ===
+    VG800: {
+        gdpr: ["GDPR:Art32(1)(a)", "GDPR:Art22"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Attacker crafts input that manipulates the LLM into ignoring system instructions, accessing restricted data, or performing unauthorized actions.",
+        audit: "Show input validation/sanitization before LLM calls. Demonstrate prompt injection test cases.",
+    },
+    VG801: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "LLM output rendered without sanitization can contain malicious HTML/JS enabling stored XSS.",
+        audit: "Show that LLM output is sanitized before rendering. Verify safe rendering methods are used with AI output.",
+    },
+    // === SUPPLY CHAIN RULES ===
+    VG950: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.5.19"],
+        exploit: "Malicious postinstall script runs arbitrary code during npm install, stealing env vars, injecting backdoors, or exfiltrating data.",
+        audit: "Review package.json scripts section. Use npm audit and check for suspicious lifecycle scripts in dependencies.",
+    },
+    // === MODERN STACK RULES ===
+    VG960: {
+        gdpr: ["GDPR:Art32(1)(a)", "GDPR:Art25"],
+        iso27001: ["ISO27001:A.8.24", "ISO27001:A.8.28"],
+        exploit: "Without schema validation, attacker sends malformed data that crashes the server, corrupts the database, or bypasses business logic.",
+        audit: "Show Zod/Yup/Valibot schema validation at all API boundaries. Demonstrate that invalid payloads are rejected.",
+    },
+    VG970: {
+        gdpr: ["GDPR:Art32(1)(a)"],
+        iso27001: ["ISO27001:A.8.24"],
+        exploit: "Unrestricted file upload allows attacker to upload malicious executables, web shells, or oversized files that crash the server.",
+        audit: "Show file type validation, size limits, and virus scanning for all upload endpoints.",
+    },
+};
+/**
+ * Apply compliance metadata to a set of rules.
+ * Merges GDPR/ISO27001 mappings into compliance[] and adds exploit/audit fields.
+ */
+export function enrichRulesWithCompliance(rules) {
+    for (const rule of rules) {
+        const meta = complianceMetadata[rule.id];
+        if (!meta)
+            continue;
+        if (meta.gdpr || meta.iso27001) {
+            const existing = rule.compliance ?? [];
+            const additions = [...(meta.gdpr ?? []), ...(meta.iso27001 ?? [])];
+            rule.compliance = [...new Set([...existing, ...additions])];
+        }
+        if (meta.exploit)
+            rule.exploit = meta.exploit;
+        if (meta.audit)
+            rule.audit = meta.audit;
+    }
+    return rules;
+}
+//# sourceMappingURL=compliance-metadata.js.map

package/build/data/compliance-metadata.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"compliance-metadata.js","sourceRoot":"","sources":["../../src/data/compliance-metadata.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH,wFAAwF;AACxF,MAAM,CAAC,MAAM,kBAAkB,GAAwC;IACrE,mCAAmC;IACnC,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,8KAA8K;QACvL,KAAK,EAAE,6MAA6M;KACrN;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;QAC/C,OAAO,EAAE,oIAAoI;QAC7I,KAAK,EAAE,oJAAoJ;KAC5J;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,yIAAyI;QAClJ,KAAK,EAAE,kHAAkH;KAC1H;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;QAC/C,OAAO,EAAE,0HAA0H;QACnI,KAAK,EAAE,6HAA6H;KACrI;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,kKAAkK;QAC3K,KAAK,EAAE,mIAAmI;KAC3I;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,sHAAsH;QAC/H,KAAK,EAAE,uGAAuG;KAC/G;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,+HAA+H;QACxI,KAAK,EAAE,4GAA4G;KACpH;IAED,qCAAqC;IACrC,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,oJAAoJ;QAC7J,KAAK,EAAE,mHAAmH;KAC3H;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,oKAAoK;QAC7K,KAAK,EAAE,mGAAmG;KAC3G;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QAC/C,OAAO,EAAE,qLAAqL;QAC9L,KAAK,EAAE,+FAA+F;KACvG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,gIAAgI;QACzI,KAAK,EAAE,6HAA6H;KACrI;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QAC/C,OAAO,EAAE,yHAAyH;QAClI,KAAK,EAAE,8HAA8H;KACtI;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,0JAA0J;QACnK,KAAK,EAAE,mIAAmI;KAC3I;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,2GAA2G;QACpH,KAAK,EAAE,mHAAmH;KAC3H;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,6HAA6H;QACtI,KAAK,EAAE,oHAAoH;KAC5H;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,sHAAsH;QAC/H,KAAK,EAAE,sGAAsG;KAC9G;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,0IAA0I;QACnJ,KAAK,EAAE,+GAA+G;KACvH;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,uIAAuI;QAChJ,KAAK,EAAE,iGAAiG;KACzG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,0JAA0J;QACnK,KAAK,EAAE,sHAAsH;KAC9H;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,iJAAiJ;QAC1J,KAAK,EAAE,iGAAiG;KACzG;IAED,mCAAmC;IACnC,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;QAC9C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QAC/C,OAAO,EAAE,+IAA+I;QACxJ,KAAK,EAAE,gGAAgG;KACxG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QAC/C,OAAO,EAAE,+IAA+I;QACxJ,KAAK,EAAE,4FAA4F;KACpG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;QAC9C,QAAQ,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;QAC/C,OAAO,EAAE,yHAAyH;QAClI,KAAK,EAAE,8GAA8G;KACtH;IAED,yBAAyB;IACzB,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;QAC/C,OAAO,EAAE,yHAAyH;QAClI,KAAK,EAAE,0HAA0H;KAClI;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;QAC/C,OAAO,EAAE,wHAAwH;QACjI,KAAK,EAAE,iFAAiF;KACzF;IAED,wBAAwB;IACxB,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,4IAA4I;QACrJ,KAAK,EAAE,kGAAkG;KAC1G;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,qIAAqI;QAC9I,KAAK,EAAE,0GAA0G;KAClH;IAED,6BAA6B;IAC7B,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,sJAAsJ;QAC/J,KAAK,EAAE,4GAA4G;KACpH;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,mHAAmH;QAC5H,KAAK,EAAE,4GAA4G;KACpH;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,YAAY,CAAC;QACvC,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,kIAAkI;QAC3I,KAAK,EAAE,yGAAyG;KACjH;IAED,2BAA2B;IAC3B,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,+FAA+F;QACxG,KAAK,EAAE,+FAA+F;KACvG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,oJAAoJ;QAC7J,KAAK,EAAE,yFAAyF;KACjG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;QAC7C,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,0GAA0G;QACnH,KAAK,EAAE,qGAAqG;KAC7G;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,yHAAyH;QAClI,KAAK,EAAE,kFAAkF;KAC1F;IAED,4BAA4B;IAC5B,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,kJAAkJ;QAC3J,KAAK,EAAE,+FAA+F;KACvG;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,6FAA6F;QACtG,KAAK,EAAE,4GAA4G;KACpH;IAED,6BAA6B;IAC7B,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,oIAAoI;QAC7I,KAAK,EAAE,gHAAgH;KACxH;IAED,6BAA6B;IAC7B,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,EAAE,YAAY,CAAC;QACxC,QAAQ,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;QAChD,OAAO,EAAE,sIAAsI;QAC/I,KAAK,EAAE,+GAA+G;KACvH;IACD,KAAK,EAAE;QACL,IAAI,EAAE,CAAC,kBAAkB,CAAC;QAC1B,QAAQ,EAAE,CAAC,iBAAiB,CAAC;QAC7B,OAAO,EAAE,iIAAiI;QAC1I,KAAK,EAAE,sFAAsF;KAC9F;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAoF,KAAU;IACrI,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC;YACnE,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,IAAI,CAAC,OAAO;YAAE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC9C,IAAI,IAAI,CAAC,KAAK;YAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/build/data/rules/api-security.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,~~EAkK1C~~,CAAC"}
1	+ {"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAoK1C,CAAC"}

package/build/data/rules/api-security.js CHANGED Viewed

@@ -112,6 +112,7 @@ export const apiSecurityRules = [
         pattern: /(?:deleteAccount|deleteUser|cancelSubscription|transferFunds|refund|terminat)\w*\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))(?:(?!confirm|verify|reauthenticate|twoFactor|2fa|otp|challenge)[\s\S]){10,}?(?:delete|destroy|remove|cancel)\s*\(/gi,
         languages: ["javascript", "typescript"],
         fix: "Add a confirmation step or re-authentication before destructive operations.",
+        fixCode: '"use server";\nexport async function deleteAccount(confirmToken: string) {\n  // Verify confirmation token (sent via email/SMS)\n  const valid = await verifyConfirmationToken(confirmToken);\n  if (!valid) throw new Error("Invalid confirmation");\n  // Re-authenticate\n  const { userId } = await auth();\n  if (!userId) throw new Error("Unauthorized");\n  await db.user.delete({ where: { id: userId } });\n}',
         compliance: ["SOC2:CC6.6"],
     },
     // API8:2023 — Security Misconfiguration

package/build/data/rules/api-security.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"api-security.js","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,uDAAuD;IACvD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,uLAAuL;QACzL,OAAO,EACL,+JAA+J;QACjK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2HAA2H;QAChI,OAAO,EACL,8PAA8P;QAChQ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oDAAoD;QAC1D,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,4JAA4J;QAC9J,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,sQAAsQ;QACxQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kNAAkN;QACpN,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,2EAA2E;IAC3E;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,8KAA8K;QAChL,OAAO,EACL,2JAA2J;QAC7J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yJAAyJ;QAC9J,OAAO,EACL,gPAAgP;QAClP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,2IAA2I;QAC7I,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,sJAAsJ;QACxJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gDAAgD;IAChD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,8JAA8J;QAChK,OAAO,EACL,qHAAqH;QACvH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,wLAAwL;QAC1L,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yHAAyH;QAC9H,OAAO,EACL,mYAAmY;QACrY,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,kDAAkD;IAClD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,iKAAiK;QACnK,OAAO,EACL,+OAA+O;QACjP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,8DAA8D;IAC9D;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EACT,yJAAyJ;QAC3J,OAAO,EACL,8OAA8O;QAChP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,qLAAqL;QACvL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oMAAoM;QACtM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
1	+ {"version":3,"file":"api-security.js","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,uDAAuD;IACvD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,uLAAuL;QACzL,OAAO,EACL,+JAA+J;QACjK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2HAA2H;QAChI,OAAO,EACL,8PAA8P;QAChQ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oDAAoD;QAC1D,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,4JAA4J;QAC9J,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,sQAAsQ;QACxQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kNAAkN;QACpN,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,2EAA2E;IAC3E;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,8KAA8K;QAChL,OAAO,EACL,2JAA2J;QAC7J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yJAAyJ;QAC9J,OAAO,EACL,gPAAgP;QAClP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,2IAA2I;QAC7I,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,sJAAsJ;QACxJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gDAAgD;IAChD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,8JAA8J;QAChK,OAAO,EACL,qHAAqH;QACvH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,wLAAwL;QAC1L,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yHAAyH;QAC9H,OAAO,EACL,mYAAmY;QACrY,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,kDAAkD;IAClD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,iKAAiK;QACnK,OAAO,EACL,+OAA+O;QACjP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,8DAA8D;IAC9D;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EACT,yJAAyJ;QAC3J,OAAO,EACL,8OAA8O;QAChP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EACL,yZAAyZ;QAC3Z,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,qLAAqL;QACvL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oMAAoM;QACtM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}

package/build/data/rules/deployment.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,~~EA+NzC~~,CAAC"}
1	+ {"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,EA2OzC,CAAC"}

package/build/data/rules/deployment.js CHANGED Viewed

@@ -22,6 +22,7 @@ export const deploymentRules = [
         pattern: /["']rewrites["']\s*:\s*\[[\s\S]*?["']destination["']\s*:\s*["']https?:\/\/(?:localhost|127\.0\.0\.1|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)/g,
         languages: ["vercel-config", "json"],
         fix: "Do not rewrite to internal network addresses. Use Vercel environment variables for service URLs.",
+        fixCode: '// Use environment variable for backend URL\n{\n  "rewrites": [{\n    "source": "/api/:path*",\n    "destination": "https://api.yourdomain.com/:path*"\n  }]\n}',
         compliance: ["SOC2:CC6.6"],
     },
     {
@@ -45,6 +46,7 @@ export const deploymentRules = [
         pattern: /["']maxDuration["']\s*:\s*(?:[3-9]\d{2}|[1-9]\d{3,})/g,
         languages: ["vercel-config", "json"],
         fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
+        fixCode: '// Set reasonable maxDuration\nexport const maxDuration = 60; // seconds — adjust to actual need',
     },
     {
         id: "VG506",
@@ -55,6 +57,7 @@ export const deploymentRules = [
         pattern: /["'](?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
         languages: ["vercel-config", "json"],
         fix: "Use Vercel environment variables (vercel env add) instead of hardcoding in config files.",
+        fixCode: '# Store secrets as Vercel env vars\nvercel env add SECRET_KEY production\n\n# Reference in code\nconst key = process.env.SECRET_KEY;',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
     },
     // next.config
@@ -90,6 +93,7 @@ export const deploymentRules = [
         pattern: /headers\s*\(\s*\)\s*\{[\s\S]*?Access-Control-Allow-Origin[\s\S]*?["']\*["']/g,
         languages: ["nextjs-config", "javascript", "typescript"],
         fix: "Restrict CORS to specific trusted origins.",
+        fixCode: '// Restrict to specific origins\nheaders: [\n  { key: "Access-Control-Allow-Origin", value: "https://yourdomain.com" }\n]',
         compliance: ["SOC2:CC6.6"],
     },
     {
@@ -175,6 +179,7 @@ export const deploymentRules = [
         pattern: /internal_port\s*=\s*(?:5432|3306|6379|27017|9200|2379)/g,
         languages: ["fly-config", "toml"],
         fix: "Don't expose database or cache ports publicly. Use internal networking.",
+        fixCode: '# fly.toml — only expose your app port\n[[services]]\n  internal_port = 3000  # app port only\n\n# Access database via internal Fly DNS\n# DATABASE_URL=postgres://db.internal:5432/mydb',
         compliance: ["SOC2:CC6.6"],
     },
     {
@@ -186,6 +191,7 @@ export const deploymentRules = [
         pattern: /force_https\s*=\s*false/g,
         languages: ["fly-config", "toml"],
         fix: "Enable force_https to redirect all HTTP traffic to HTTPS.",
+        fixCode: '# fly.toml\n[[services]]\n  [services.concurrency]\n    hard_limit = 25\n  [[services.ports]]\n    force_https = true\n    port = 80',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
     },
 ];

package/build/data/rules/deployment.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;~~KAC/F~~;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,yFAAyF;QAC3F,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,0FAA0F;QAC/F,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,cAAc;IACd;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,uHAAuH;QACzH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,mGAAmG;QACrG,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,iDAAiD;QACtD,OAAO,EAAE,oEAAoE;KAC9E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,8EAA8E;QAChF,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,4CAA4C;QACjD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EACL,wEAAwE;QAC1E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,oCAAoC;QACzC,OAAO,EACL,gFAAgF;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,0CAA0C;QAC/C,OAAO,EAAE,6DAA6D;QACtE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0FAA0F;QAC5F,OAAO,EACL,oHAAoH;QACtH,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,iEAAiE;QACnE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,8GAA8G;QAChH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2EAA2E;QAC7E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,4DAA4D;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,wFAAwF;QAC1F,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACpE,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,kHAAkH;QACpH,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,8DAA8D;QAChE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,yEAAyE;QAC9E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wEAAwE;QAC1E,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,2DAA2D;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;CACF,CAAC"}
1	+ {"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,yFAAyF;QAC3F,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,0FAA0F;QAC/F,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,cAAc;IACd;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,uHAAuH;QACzH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,mGAAmG;QACrG,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,iDAAiD;QACtD,OAAO,EAAE,oEAAoE;KAC9E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,8EAA8E;QAChF,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,2HAA2H;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EACL,wEAAwE;QAC1E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,oCAAoC;QACzC,OAAO,EACL,gFAAgF;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,0CAA0C;QAC/C,OAAO,EAAE,6DAA6D;QACtE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0FAA0F;QAC5F,OAAO,EACL,oHAAoH;QACtH,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,iEAAiE;QACnE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,8GAA8G;QAChH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2EAA2E;QAC7E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,4DAA4D;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,wFAAwF;QAC1F,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACpE,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,kHAAkH;QACpH,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,8DAA8D;QAChE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,0LAA0L;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wEAAwE;QAC1E,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;CACF,CAAC"}

package/build/data/rules/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;~~AAwB~~/C,eAAO,MAAM,UAAU,~~qCAuBtB~~,CAAC;~~AAGF~~,eAAO,MAAM,YAAY,qCAAa,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAyB/C,eAAO,MAAM,UAAU,qCAuBrB,CAAC;AAGH,eAAO,MAAM,YAAY,qCAAa,CAAC"}

package/build/data/rules/index.js CHANGED Viewed

@@ -20,7 +20,8 @@ import { supplyChainRules } from "./supply-chain.js";
 import { cveVersionRules } from "./cve-versions.js";
 import { apiSecurityRules } from "./api-security.js";
 import { modernStackRules } from "./modern-stack.js";
-export const owaspRules = [
+import { enrichRulesWithCompliance } from "../compliance-metadata.js";
+export const owaspRules = enrichRulesWithCompliance([
     ...coreRules,
     ...goRules,
     ...dockerfileRules,
@@ -43,7 +44,7 @@ export const owaspRules = [
     ...cveVersionRules,
     ...apiSecurityRules,
     ...modernStackRules,
-];
+]);
 // Alias for clarity — these are the built-in rules without plugins
 export const builtinRules = owaspRules;
 //# sourceMappingURL=index.js.map

package/build/data/rules/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;~~AAErD~~,MAAM,CAAC,MAAM,UAAU,GAAG;~~IACxB~~,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;IACnB,GAAG,aAAa;IAChB,GAAG,iBAAiB;IACpB,GAAG,UAAU;IACb,GAAG,QAAQ;IACX,GAAG,eAAe;IAClB,GAAG,gBAAgB;IACnB,GAAG,eAAe;IAClB,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;CACpB,CAAC;~~AAEF~~,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAEtE,MAAM,CAAC,MAAM,UAAU,GAAG,yBAAyB,CAAC;IAClD,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;IACnB,GAAG,aAAa;IAChB,GAAG,iBAAiB;IACpB,GAAG,UAAU;IACb,GAAG,QAAQ;IACX,GAAG,eAAe;IAClB,GAAG,gBAAgB;IACnB,GAAG,eAAe;IAClB,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;CACpB,CAAC,CAAC;AAEH,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}

package/build/data/rules/payments.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,~~EAiItC~~,CAAC"}
1	+ {"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAuItC,CAAC"}

package/build/data/rules/payments.js CHANGED Viewed

@@ -70,6 +70,7 @@ export const paymentRules = [
         pattern: /["']use client["'][\s\S]{0,500}?(?:LEMONSQUEEZY_API_KEY|LEMON_SQUEEZY_API_KEY)/g,
         languages: ["javascript", "typescript"],
         fix: "Use LemonSqueezy API key only in server-side code.",
+        fixCode: '// Server-side only (API route)\nimport { lemonSqueezySetup } from "@lemonsqueezy/lemonsqueezy.js";\nlemonSqueezySetup({ apiKey: process.env.LEMONSQUEEZY_API_KEY! });',
         compliance: ["SOC2:CC6.1"],
     },
     {
@@ -94,6 +95,7 @@ export const paymentRules = [
         pattern: /["']use client["'][\s\S]{0,500}?(?:POLAR_ACCESS_TOKEN|POLAR_API_KEY|polar.*(?:access_token|api_key))/gi,
         languages: ["javascript", "typescript"],
         fix: "Use Polar API keys only in server-side code.",
+        fixCode: '// Server-side only\nimport { Polar } from "@polar-sh/sdk";\nconst polar = new Polar({ accessToken: process.env.POLAR_ACCESS_TOKEN! });',
         compliance: ["SOC2:CC6.1"],
     },
     {
@@ -105,6 +107,7 @@ export const paymentRules = [
         pattern: /(?:\/api\/webhook|\/api\/payment|\/api\/checkout)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|constructEvent|hmac|crypto\.createHmac|webhookSecret)[\s\S])*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify webhook signatures before processing payment events.",
+        fixCode: "// Verify webhook signature\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-webhook-signature');\nconst expected = crypto.createHmac('sha256', process.env.WEBHOOK_SECRET!)\n  .update(body).digest('hex');\nif (sig !== expected) return new Response('Unauthorized', { status: 401 });",
         compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
     },
 ];

package/build/data/rules/payments.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,wSAAwS;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
1	+ {"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,OAAO,EACL,wKAAwK;QAC1K,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,wSAAwS;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EACL,yIAAyI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,4SAA4S;QAC9S,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}

package/build/data/rules/react-native.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,~~EAsH1C~~,CAAC"}
1	+ {"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA4H1C,CAAC"}

package/build/data/rules/react-native.js CHANGED Viewed

@@ -68,6 +68,7 @@ export const reactNativeRules = [
         pattern: /(?:fetch|axios|http)\s*[\.\(][\s\S]{0,200}?(?:api\.|\/api\/)[\s\S]{0,300}?(?:Authorization|Bearer|token)/gi,
         languages: ["javascript", "typescript"],
         fix: "Implement certificate pinning using react-native-ssl-pinning or expo-certificate-transparency.",
+        fixCode: '// Use react-native-ssl-pinning\nimport { fetch } from "react-native-ssl-pinning";\nconst res = await fetch("https://api.example.com/data", {\n  sslPinning: { certs: ["api-cert"] },\n  headers: { Authorization: `Bearer ${token}` },\n});',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
     },
     {
@@ -91,6 +92,7 @@ export const reactNativeRules = [
         pattern: /NSAppTransportSecurity[\s\S]{0,200}?NSAllowsArbitraryLoads[\s\S]{0,50}?(?:true|YES|<true\s*\/>)/gi,
         languages: ["xml", "json", "javascript", "typescript"],
         fix: "Do not disable ATS. If specific domains need HTTP, use NSExceptionDomains instead of blanket allow.",
+        fixCode: "<!-- Info.plist — allow HTTP only for specific domains -->\n<key>NSAppTransportSecurity</key>\n<dict>\n  <key>NSExceptionDomains</key>\n  <dict>\n    <key>legacy-api.example.com</key>\n    <dict>\n      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>\n      <true/>\n    </dict>\n  </dict>\n</dict>",
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
     },
     {
@@ -114,6 +116,7 @@ export const reactNativeRules = [
         pattern: /NativeModules\.\w+\.\w+\s*\([\s\S]{0,200}?(?:token|secret|password|key|credential|jwt|session)/gi,
         languages: ["javascript", "typescript"],
         fix: "Encrypt sensitive data before passing through the bridge. Use native secure storage instead.",
+        fixCode: '// Use secure storage instead of passing through bridge\nimport * as SecureStore from "expo-secure-store";\nawait SecureStore.setItemAsync("authToken", token);\n\n// Read securely\nconst token = await SecureStore.getItemAsync("authToken");',
         compliance: ["SOC2:CC6.1"],
     },
 ];

package/build/data/rules/react-native.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
1	+ {"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,8OAA8O;QAChP,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,OAAO,EACL,iPAAiP;QACnP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}

package/build/data/rules/services.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,~~EAyItC~~,CAAC"}
1	+ {"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAmJtC,CAAC"}

package/build/data/rules/services.js CHANGED Viewed

@@ -58,6 +58,7 @@ export const serviceRules = [
         pattern: /(?:redis|Redis|upstash)[\s\S]{0,100}?(?:url|token)\s*[:=]\s*["'](?:https?:\/\/|redis:\/\/|rediss:\/\/)[^"']{10,}["']/gi,
         languages: ["javascript", "typescript"],
         fix: "Use environment variables for Redis connection details.",
+        fixCode: '// Use environment variables\nimport { Redis } from "@upstash/redis";\nconst redis = new Redis({\n  url: process.env.UPSTASH_REDIS_REST_URL!,\n  token: process.env.UPSTASH_REDIS_REST_TOKEN!,\n});',
         compliance: ["SOC2:CC6.1"],
     },
     {
@@ -69,6 +70,7 @@ export const serviceRules = [
         pattern: /NEXT_PUBLIC_\w*(?:REDIS|UPSTASH|KV)\w*(?:URL|TOKEN|SECRET)\s*=/gi,
         languages: ["javascript", "typescript", "shell"],
         fix: "Remove NEXT_PUBLIC_ prefix from Redis credentials. Access them only server-side.",
+        fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_UPSTASH_REDIS_REST_URL=https://...\n\n# CORRECT — server-side only\nUPSTASH_REDIS_REST_URL=https://...\nUPSTASH_REDIS_REST_TOKEN=...",
         compliance: ["SOC2:CC6.1"],
     },
     // Pinecone
@@ -81,6 +83,7 @@ export const serviceRules = [
         pattern: /["']use client["'][\s\S]{0,500}?PINECONE_API_KEY/g,
         languages: ["javascript", "typescript"],
         fix: "Use Pinecone API key only in server-side code.",
+        fixCode: '// Server-side only\nimport { Pinecone } from "@pinecone-database/pinecone";\nconst pc = new Pinecone({ apiKey: process.env.PINECONE_API_KEY! });',
         compliance: ["SOC2:CC6.1"],
     },
     {
@@ -92,6 +95,7 @@ export const serviceRules = [
         pattern: /NEXT_PUBLIC_\w*PINECONE\w*(?:KEY|SECRET|TOKEN)\s*=/gi,
         languages: ["javascript", "typescript", "shell"],
         fix: "Remove NEXT_PUBLIC_ prefix. Pinecone keys must be server-side only.",
+        fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_PINECONE_API_KEY=pc-xxx\n\n# CORRECT\nPINECONE_API_KEY=pc-xxx",
         compliance: ["SOC2:CC6.1"],
     },
     // PostHog
@@ -129,6 +133,7 @@ export const serviceRules = [
         pattern: /(?:gtag|ga|dataLayer\.push)\s*\([\s\S]{0,300}?(?:email|user_email|phone|ssn|password)/gi,
         languages: ["javascript", "typescript"],
         fix: "Never send PII to Google Analytics. Use anonymous IDs.",
+        fixCode: "// Use anonymous IDs, never PII\ngtag('event', 'purchase', {\n  user_id: hashedUserId,  // hashed, not email\n  value: 29.99,\n  currency: 'USD',\n});",
         compliance: ["SOC2:CC6.1"],
     },
 ];