itworksbut 0.1.1

package/src/checks/node/rate-limit-missing.js

@@ -0,0 +1,30 @@
+import { hasText } from "../helpers.js";
+
+const RATE_LIMIT_PACKAGES = ["express-rate-limit", "@fastify/rate-limit", "rate-limiter-flexible"];
+
+export default {
+  id: "node.rate-limit-missing",
+  title: "API servers should include rate limiting",
+  category: "node",
+  severity: "medium",
+  tags: ["node", "api", "availability"],
+  run: async (context) => {
+    const serverDetected =
+      context.hasDependency("express") ||
+      context.hasDependency("fastify") ||
+      context.hasDependency("@fastify/fastify") ||
+      (await hasText(context, /\b(app|router)\.(get|post|put|patch|delete)\s*\(|\bfastify\.(get|post|put|patch|delete)\s*\(/g));
+
+    if (!serverDetected) return [];
+    if (RATE_LIMIT_PACKAGES.some((name) => context.hasDependency(name) || context.hasDevDependency(name))) return [];
+    if (await hasText(context, /\brateLimit\b|rate-limit|RateLimiter/g)) return [];
+
+    return [
+      {
+        message: "An API server appears to exist, but no rate-limit dependency or middleware was detected.",
+        recommendation: "Add route-appropriate rate limiting, for example express-rate-limit or @fastify/rate-limit, especially for auth and write endpoints.",
+        heuristic: true
+      }
+    ];
+  }
+};

package/src/checks/package/scripts-missing.js

@@ -0,0 +1,30 @@
+const REQUIRED_GROUPS = [
+  { label: "test", names: ["test"] },
+  { label: "lint", names: ["lint"] },
+  { label: "build", names: ["build"] },
+  { label: "start or dev", names: ["start", "dev"] },
+  { label: "check", names: ["check"] }
+];
+
+export default {
+  id: "package.scripts-missing",
+  title: "package.json should expose standard project scripts",
+  category: "package",
+  severity: "low",
+  tags: ["node", "ci", "developer-experience"],
+  run: async (context) => {
+    if (!context.packageJson) return [];
+    const scripts = context.packageJson.scripts || {};
+    const missing = REQUIRED_GROUPS.filter((group) => !group.names.some((name) => scripts[name])).map((group) => group.label);
+    if (missing.length === 0) return [];
+
+    return [
+      {
+        message: `package.json appears to be missing standard scripts: ${missing.join(", ")}.`,
+        file: "package.json",
+        recommendation: "Add predictable scripts so contributors and CI can run tests, linting, builds, startup, and aggregate checks consistently.",
+        metadata: { missing }
+      }
+    ];
+  }
+};

package/src/checks/tauri/dangerous-allowlist-or-capabilities.js

@@ -0,0 +1,142 @@
+import { parseJsonWithComments } from "../helpers.js";
+
+export default {
+  id: "tauri.dangerous-allowlist-or-capabilities",
+  title: "Tauri allowlists and capabilities should be narrowly scoped",
+  category: "tauri",
+  severity: "high",
+  tags: ["tauri", "desktop", "capabilities"],
+  run: async (context) => {
+    const findings = [];
+    await inspectTauriConfig(context, findings);
+    await inspectCapabilities(context, findings);
+    return findings;
+  }
+};
+
+async function inspectTauriConfig(context, findings) {
+  const configFiles = ["src-tauri/tauri.conf.json", "src-tauri/tauri.conf.json5"].filter((file) => context.allFiles.includes(file));
+  for (const file of configFiles) {
+    const content = await context.readFileSafe(file);
+    if (!content) continue;
+
+    let config;
+    try {
+      config = parseJsonWithComments(content);
+    } catch {
+      findings.push({
+        severity: "medium",
+        message: "Tauri config could not be parsed as JSON. Dangerous allowlist checks may be incomplete.",
+        file,
+        recommendation: "Keep Tauri config valid and review permissions manually."
+      });
+      continue;
+    }
+
+    const allowlist = config.tauri?.allowlist || config.allowlist || {};
+    if (allowlist.all === true) {
+      findings.push(broadFinding(file, "Tauri allowlist all=true grants broad API access.", "Set allowlist.all to false and enable only the APIs required by the app."));
+    }
+    if (allowlist.shell?.all === true || allowlist.shell?.open === true) {
+      findings.push(broadFinding(file, "Tauri shell permissions appear broadly enabled.", "Restrict shell/open permissions to explicit commands and scopes."));
+    }
+    if (allowlist.fs?.all === true || allowlist.fs?.scope === true || includesBroadScope(allowlist.fs?.scope)) {
+      findings.push(broadFinding(file, "Tauri filesystem permissions appear broadly scoped.", "Restrict filesystem scopes to app-specific directories and exact file patterns."));
+    }
+
+    const security = config.tauri?.security || config.app?.security || {};
+    if (!security.csp || /\b(unsafe-inline|unsafe-eval|\*)\b/i.test(String(security.csp))) {
+      findings.push({
+        severity: "medium",
+        message: "Tauri CSP is missing or appears overly permissive.",
+        file,
+        recommendation: "Define a strict CSP without unsafe-inline, unsafe-eval, or wildcard sources unless there is a documented exception.",
+        heuristic: true
+      });
+    }
+
+    const windows = config.tauri?.windows || config.app?.windows || [];
+    for (const windowConfig of Array.isArray(windows) ? windows : []) {
+      const url = String(windowConfig.url || "");
+      if (/^https?:\/\//i.test(url)) {
+        findings.push({
+          severity: "medium",
+          message: "Tauri window loads a remote URL. This increases the impact of remote content compromise.",
+          file,
+          recommendation: "Prefer bundled local assets. If remote URLs are required, restrict navigation, enforce strict CSP, and audit permissions carefully.",
+          heuristic: true,
+          metadata: { remoteUrl: url.replace(/[?#].*$/, "") }
+        });
+      }
+    }
+  }
+}
+
+async function inspectCapabilities(context, findings) {
+  const capabilityFiles = context.findFiles("src-tauri/capabilities/*.json");
+  for (const file of capabilityFiles) {
+    const content = await context.readFileSafe(file);
+    if (!content) continue;
+
+    let capability;
+    try {
+      capability = parseJsonWithComments(content);
+    } catch {
+      findings.push({
+        severity: "medium",
+        message: "Tauri capability file could not be parsed as JSON.",
+        file,
+        recommendation: "Keep capability files valid and review permissions manually."
+      });
+      continue;
+    }
+
+    const permissions = flattenPermissions(capability.permissions || []);
+    for (const permission of permissions) {
+      if (isBroadPermission(permission)) {
+        findings.push(broadFinding(file, `Tauri capability includes broad permission ${permission}.`, "Replace broad permissions with the narrowest command and path scopes required."));
+      }
+    }
+
+    if (includesBroadScope(capability.scope) || includesBroadScope(capability.fs?.scope)) {
+      findings.push(broadFinding(file, "Tauri capability appears to include a broad filesystem scope.", "Limit scopes to app-owned directories and exact files."));
+    }
+  }
+}
+
+function broadFinding(file, message, recommendation) {
+  return {
+    severity: "high",
+    message,
+    file,
+    recommendation,
+    heuristic: true
+  };
+}
+
+function flattenPermissions(permissions) {
+  const result = [];
+  for (const permission of permissions) {
+    if (typeof permission === "string") result.push(permission);
+    else if (permission && typeof permission.identifier === "string") result.push(permission.identifier);
+  }
+  return result;
+}
+
+function isBroadPermission(permission) {
+  return (
+    permission === "*" ||
+    permission.endsWith(":*") ||
+    permission.includes("allow-all") ||
+    permission.includes("shell:allow-open") ||
+    permission.includes("fs:allow")
+  );
+}
+
+function includesBroadScope(scope) {
+  const values = Array.isArray(scope) ? scope : scope ? [scope] : [];
+  return values.some((value) => {
+    const text = typeof value === "string" ? value : JSON.stringify(value);
+    return /\*\*|^\*$|^\/$|\$HOME|\$APPDATA|\$RESOURCE|\.\./i.test(text);
+  });
+}

package/src/checks/web/client-side-auth-only.js

@@ -0,0 +1,40 @@
+import { hasAuthKeyword, isFrontendFile, isServerOrApiFile } from "../helpers.js";
+
+const CLIENT_AUTH_RE = /\b(role\s*={2,3}\s*["']admin["']|isAdmin|user\.role|roles\.includes|hasRole)\b/i;
+
+export default {
+  id: "web.client-side-auth-only",
+  title: "Authorization should not appear to exist only in frontend code",
+  category: "web",
+  severity: "medium",
+  tags: ["web", "auth", "heuristic"],
+  run: async (context) => {
+    const clientMatches = [];
+    let serverAuthDetected = false;
+
+    for (const file of context.textFiles) {
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      if (isFrontendFile(file) && CLIENT_AUTH_RE.test(content)) {
+        clientMatches.push(file);
+      }
+
+      if (isServerOrApiFile(file) && (CLIENT_AUTH_RE.test(content) || hasAuthKeyword(content))) {
+        serverAuthDetected = true;
+      }
+    }
+
+    if (clientMatches.length === 0 || serverAuthDetected) return [];
+
+    return [
+      {
+        message: "Possible role or admin checks appear in frontend files, but matching server/API authorization checks were not detected.",
+        file: clientMatches[0],
+        recommendation: "Enforce authorization on the server/API side. Treat frontend checks as UI hints only.",
+        heuristic: true,
+        metadata: { frontendFiles: clientMatches.slice(0, 10) }
+      }
+    ];
+  }
+};

package/src/checks/web/dangerous-inner-html.js

@@ -0,0 +1,33 @@
+const PATTERNS = [
+  { regex: /dangerouslySetInnerHTML/g, label: "dangerouslySetInnerHTML" },
+  { regex: /\.innerHTML\s*=/g, label: "innerHTML assignment" },
+  { regex: /insertAdjacentHTML\s*\(/g, label: "insertAdjacentHTML" }
+];
+
+export default {
+  id: "web.dangerous-inner-html",
+  title: "Direct HTML injection APIs should be reviewed",
+  category: "web",
+  severity: "high",
+  tags: ["web", "xss", "frontend"],
+  run: async (context) => {
+    const findings = [];
+    for (const pattern of PATTERNS) {
+      const matches = await context.grep(pattern.regex, {
+        include: ["*.js", "*.ts", "*.jsx", "*.tsx", "*.vue", "*.svelte", "*.html"],
+        maxMatches: 100
+      });
+      for (const match of matches) {
+        findings.push({
+          message: `${pattern.label} appears to be used. This can create XSS risk if any input is attacker-controlled.`,
+          file: match.file,
+          line: match.line,
+          column: match.column,
+          recommendation: "Avoid raw HTML insertion when possible. If HTML is required, sanitize with a proven sanitizer and keep trusted and untrusted content separate.",
+          heuristic: true
+        });
+      }
+    }
+    return findings;
+  }
+};

package/src/checks/web/missing-output-sanitization.js

@@ -0,0 +1,34 @@
+import { lineFromOffset } from "../helpers.js";
+
+const UNSAFE_HTML_RESPONSE_RE = /\b(?:res\.(?:send|end|write)|reply\.send|new Response)\s*\(\s*`[^`]*<[^`]*\$\{[^}]*(?:req\.(?:body|query|params)|request|searchParams|params)[^}]*\}[^`]*`/gis;
+
+export default {
+  id: "web.missing-output-sanitization",
+  title: "HTML built from request data should be sanitized or escaped",
+  category: "web",
+  severity: "medium",
+  tags: ["web", "xss", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!/\.[cm]?[jt]sx?$/.test(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      let match;
+      UNSAFE_HTML_RESPONSE_RE.lastIndex = 0;
+      while ((match = UNSAFE_HTML_RESPONSE_RE.exec(content)) !== null) {
+        findings.push({
+          message: "Possible HTML response construction from request-controlled data appears without obvious escaping.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation: "Escape output by context or use a templating/rendering layer that escapes by default. Sanitize only when raw HTML is explicitly required.",
+          heuristic: true
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/cli/output.js

@@ -0,0 +1,29 @@
+export function printUsage() {
+  process.stdout.write(`ItWorksBut
+
+Usage:
+  itworksbut scan [options]
+  node ./bin/itworksbut.js scan [options]
+
+Options:
+  --path <path>       Project path to scan. Defaults to current directory.
+  --config <path>     Optional itworksbut.config.json path.
+  --fail-on <level>   Exit 1 when findings meet or exceed this severity.
+                     Levels: critical, high, medium, low, info. Default: low.
+  --json              Print machine-readable JSON.
+  --sarif             Print SARIF for GitHub Code Scanning.
+  --no-color          Disable color styling.
+  --no-banner         Disable the intro banner.
+  --no-spinner        Disable scan spinner.
+  --compact           Print one-line findings.
+  --quiet             Print only the summary.
+  --theme <theme>     Console theme: default, toxic, mono.
+  --verbose           Include scanner warnings and extra metadata.
+  --help              Show this help.
+`);
+}
+
+export function printRuntimeError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
+}

package/src/cli/parseArgs.js

@@ -0,0 +1,75 @@
+const FLAG_WITH_VALUE = new Set(["--fail-on", "--config", "--path", "--theme"]);
+const BOOLEAN_FLAGS = new Set(["--json", "--sarif", "--verbose", "--help", "-h", "--no-color", "--no-banner", "--no-spinner", "--compact", "--quiet"]);
+
+export function parseArgs(argv) {
+  const args = {
+    command: "scan",
+    path: ".",
+    config: undefined,
+    failOn: undefined,
+    json: false,
+    sarif: false,
+    verbose: false,
+    noColor: false,
+    noBanner: false,
+    noSpinner: false,
+    compact: false,
+    quiet: false,
+    theme: "default",
+    help: false
+  };
+
+  const tokens = [...argv];
+  if (tokens[0] && !tokens[0].startsWith("-")) {
+    args.command = tokens.shift();
+  }
+
+  for (let index = 0; index < tokens.length; index += 1) {
+    const token = tokens[index];
+
+    if (token.includes("=") && token.startsWith("--")) {
+      const [flag, ...rest] = token.split("=");
+      assignValue(args, flag, rest.join("="));
+      continue;
+    }
+
+    if (FLAG_WITH_VALUE.has(token)) {
+      const value = tokens[index + 1];
+      if (!value || value.startsWith("-")) {
+        throw new Error(`Missing value for ${token}`);
+      }
+      assignValue(args, token, value);
+      index += 1;
+      continue;
+    }
+
+    if (BOOLEAN_FLAGS.has(token)) {
+      if (token === "--help" || token === "-h") args.help = true;
+      if (token === "--json") args.json = true;
+      if (token === "--sarif") args.sarif = true;
+      if (token === "--verbose") args.verbose = true;
+      if (token === "--no-color") args.noColor = true;
+      if (token === "--no-banner") args.noBanner = true;
+      if (token === "--no-spinner") args.noSpinner = true;
+      if (token === "--compact") args.compact = true;
+      if (token === "--quiet") args.quiet = true;
+      continue;
+    }
+
+    throw new Error(`Unknown argument: ${token}`);
+  }
+
+  if (args.json && args.sarif) {
+    throw new Error("Use only one output format: --json or --sarif");
+  }
+
+  return args;
+}
+
+function assignValue(args, flag, value) {
+  if (flag === "--fail-on") args.failOn = value;
+  else if (flag === "--config") args.config = value;
+  else if (flag === "--path") args.path = value;
+  else if (flag === "--theme") args.theme = value;
+  else throw new Error(`Unknown argument: ${flag}`);
+}

package/src/cli/terminal.js

@@ -0,0 +1,112 @@
+import boxen from "boxen";
+import chalk, { Chalk } from "chalk";
+import figlet from "figlet";
+import gradient from "gradient-string";
+import ora from "ora";
+
+const THEMES = new Set(["default", "toxic", "mono"]);
+
+const SPINNER_TEXT = {
+  git: "Checking git hygiene",
+  env: "Sniffing for secrets",
+  dependencies: "Interrogating package.json",
+  ci: "Inspecting CI rituals",
+  node: "Poking the Node.js backend",
+  web: "Looking for frontend footguns",
+  api: "Testing the API trust issues",
+  database: "Watching SQL strings misbehave",
+  electron: "Opening the Electron danger drawer",
+  tauri: "Reading Tauri permissions",
+  default: "Looking for things that work but should not ship"
+};
+
+export function normalizeTheme(theme) {
+  const normalized = String(theme || "default").toLowerCase();
+  if (!THEMES.has(normalized)) {
+    throw new Error(`Invalid theme "${theme}". Expected one of: default, toxic, mono`);
+  }
+  return normalized;
+}
+
+export function isFancyOutputEnabled(options = {}, env = process.env, stdout = process.stdout) {
+  return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.noColor && normalizeTheme(options.theme) !== "mono";
+}
+
+export function isColorEnabled(options = {}, env = process.env, stdout = process.stdout) {
+  if (options.noColor || options.json || options.sarif) return false;
+  if (normalizeTheme(options.theme) === "mono") return false;
+  if (env.FORCE_COLOR && env.FORCE_COLOR !== "0") return true;
+  if (env.CI) return false;
+  return Boolean(stdout.isTTY);
+}
+
+export function getChalk(options = {}) {
+  if (!isColorEnabled(options)) return new Chalk({ level: 0 });
+  return chalk;
+}
+
+export function shouldUseSpinner(options = {}, env = process.env, stdout = process.stdout) {
+  return (
+    Boolean(stdout.isTTY) &&
+    !env.CI &&
+    !options.json &&
+    !options.sarif &&
+    !options.noSpinner &&
+    !options.quiet
+  );
+}
+
+export function createScanSpinner(options = {}) {
+  if (!shouldUseSpinner(options)) return null;
+  return ora({
+    text: SPINNER_TEXT.default,
+    stream: process.stderr,
+    color: normalizeTheme(options.theme) === "toxic" ? "green" : "cyan"
+  });
+}
+
+export function printIntro(options = {}) {
+  if (options.json || options.sarif || options.noBanner || options.quiet || process.env.CI || !process.stdout.isTTY) {
+    return;
+  }
+
+  const theme = normalizeTheme(options.theme);
+  const colors = getChalk(options);
+  const renderTheme = options.noColor ? "mono" : theme;
+  const title = renderTitle(renderTheme);
+  const claim =
+    theme === "toxic"
+      ? `${colors.bold("Green builds. Red flags.")}\n${colors.green("Let's see what breaks before production.")}`
+      : `${colors.bold("AI-built? Nice.")}\n${colors.yellow("Now let's see what breaks before production.")}`;
+
+  process.stdout.write(`${title}\n`);
+  process.stdout.write(
+    `${boxen(claim, {
+      padding: 1,
+      margin: 1,
+      borderStyle: "round",
+      borderColor: renderTheme === "mono" ? undefined : renderTheme === "toxic" ? "green" : "cyan"
+    })}\n`
+  );
+}
+
+function renderTitle(theme) {
+  let title = "ItWorksBut";
+  try {
+    title = figlet.textSync("ItWorksBut", {
+      font: "ANSI Shadow",
+      horizontalLayout: "default",
+      verticalLayout: "default"
+    });
+  } catch {
+    title = "ItWorksBut";
+  }
+
+  try {
+    if (theme === "mono") return title;
+    if (theme === "toxic") return gradient(["#faff00", "#39ff14", "#00f5ff"])(title);
+    return gradient.rainbow(title);
+  } catch {
+    return title;
+  }
+}

package/src/core/config.js

@@ -0,0 +1,51 @@
+import path from "node:path";
+import { fileExists, readJsonSafe } from "../utils/fs.js";
+
+export const SEVERITIES = ["critical", "high", "medium", "low", "info"];
+
+export const DEFAULT_IGNORE = [
+  "node_modules/**",
+  "dist/**",
+  "build/**",
+  ".next/**",
+  ".nuxt/**",
+  "coverage/**",
+  ".git/**",
+  "target/**",
+  "src-tauri/target/**",
+  "out/**",
+  "release/**",
+  ".vite/**"
+];
+
+export async function loadConfig(rootPath, configPath, overrides = {}) {
+  const resolvedConfigPath = configPath
+    ? path.resolve(rootPath, configPath)
+    : path.join(rootPath, "itworksbut.config.json");
+
+  let userConfig = {};
+  if (await fileExists(resolvedConfigPath)) {
+    userConfig = await readJsonSafe(resolvedConfigPath);
+    if (!userConfig || typeof userConfig !== "object" || Array.isArray(userConfig)) {
+      throw new Error(`Invalid config JSON: ${resolvedConfigPath}`);
+    }
+  }
+
+  const failOn = normalizeSeverity(overrides.failOn || userConfig.failOn || "low");
+
+  return {
+    ignore: [...DEFAULT_IGNORE, ...(Array.isArray(userConfig.ignore) ? userConfig.ignore : [])],
+    failOn,
+    checks: userConfig.checks && typeof userConfig.checks === "object" ? userConfig.checks : {},
+    configPath: await fileExists(resolvedConfigPath) ? resolvedConfigPath : null
+  };
+}
+
+export function normalizeSeverity(value) {
+  if (!value) return "low";
+  const normalized = String(value).toLowerCase();
+  if (!SEVERITIES.includes(normalized)) {
+    throw new Error(`Invalid severity "${value}". Expected one of: ${SEVERITIES.join(", ")}`);
+  }
+  return normalized;
+}

package/src/core/context.js

@@ -0,0 +1,87 @@
+import path from "node:path";
+import { loadConfig } from "./config.js";
+import { walkProject } from "./fileWalker.js";
+import { checkIgnored, collectGitInfo } from "./git.js";
+import { fileExists as fileExistsAbsolute, readFileSafe as readFileSafeAbsolute, resolveInside } from "../utils/fs.js";
+import { detectPackageManager, hasDependency as packageHasDependency, hasDevDependency as packageHasDevDependency, readPackageJson } from "../utils/packageJson.js";
+import { matchesGlob, normalizeRelativePath } from "../utils/path.js";
+import { maskSecret } from "../utils/mask.js";
+
+export async function createContext(options = {}) {
+  const rootPath = path.resolve(options.rootPath || ".");
+  const config = await loadConfig(rootPath, options.configPath, { failOn: options.failOn });
+  const { allFiles, textFiles } = await walkProject(rootPath, config.ignore);
+  const packageJson = await readPackageJson(rootPath);
+  const gitInfo = await collectGitInfo(rootPath);
+  const ignoredTrackedByCheckIgnore = gitInfo.available ? await checkIgnored(rootPath, gitInfo.trackedFiles) : [];
+
+  const context = {
+    rootPath,
+    packageJson,
+    packageManager: detectPackageManager(packageJson, allFiles),
+    allFiles,
+    textFiles,
+    gitTrackedFiles: gitInfo.trackedFiles,
+    gitIgnoredFiles: gitInfo.ignoredFiles,
+    gitIgnoredTrackedFiles: unique([...gitInfo.ignoredTrackedFiles, ...ignoredTrackedByCheckIgnore]),
+    gitStatusShort: gitInfo.statusShort,
+    gitAvailable: gitInfo.available,
+    config,
+    maskSecret,
+    readFileSafe: async (relativePath) => await readFileSafeAbsolute(resolveInside(rootPath, relativePath)),
+    fileExists: async (relativePath) => await fileExistsAbsolute(resolveInside(rootPath, relativePath)),
+    hasDependency: (name) => packageHasDependency(packageJson, name),
+    hasDevDependency: (name) => packageHasDevDependency(packageJson, name),
+    findFiles: (pattern) => allFiles.filter((file) => matchesGlob(file, pattern)),
+    grep: async (pattern, grepOptions = {}) => grep(context, pattern, grepOptions)
+  };
+
+  return context;
+}
+
+async function grep(context, pattern, options) {
+  const results = [];
+  const regex = pattern instanceof RegExp ? ensureGlobal(pattern) : new RegExp(escapeRegExp(String(pattern)), "g");
+  const include = options.include || ["**"];
+  const exclude = options.exclude || [];
+  const maxMatches = options.maxMatches || 500;
+
+  for (const file of context.textFiles) {
+    if (!include.some((glob) => glob === "**" || matchesGlob(file, glob))) continue;
+    if (exclude.some((glob) => matchesGlob(file, glob))) continue;
+
+    const content = await context.readFileSafe(file);
+    if (!content) continue;
+    const lines = content.split(/\r?\n/);
+
+    for (let index = 0; index < lines.length; index += 1) {
+      regex.lastIndex = 0;
+      let match;
+      while ((match = regex.exec(lines[index])) !== null) {
+        results.push({
+          file: normalizeRelativePath(file),
+          line: index + 1,
+          column: match.index + 1,
+          match,
+          text: lines[index]
+        });
+        if (results.length >= maxMatches) return results;
+        if (match.index === regex.lastIndex) regex.lastIndex += 1;
+      }
+    }
+  }
+
+  return results;
+}
+
+function ensureGlobal(regex) {
+  return regex.global ? regex : new RegExp(regex.source, `${regex.flags}g`);
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}
+
+function unique(values) {
+  return [...new Set(values)];
+}