itworksbut 0.2.0 → 0.4.0

package/README.md

@@ -6,7 +6,7 @@ It focuses on common "it works, but..." risks often found in AI-generated or rus
 
 For every finding, ItWorksBut gives you a copy-ready fix prompt you can paste into your coding agent. It does not just say what is wrong; it tells your AI exactly what to inspect, what to change, and what not to leak.
 
-It only reads files and reports findings. It does not call external APIs, does not send telemetry, and does not modify the scanned project.
+It only reads files and reports findings. It does not call external APIs, does not send telemetry, and does not modify the scanned project unless you explicitly ask it to write `todo.md` with `--todo`.
 
 ## Installation
 
@@ -40,6 +40,7 @@ itworksbut scan --path .
 itworksbut scan --fail-on high
 itworksbut scan --json
 itworksbut scan --sarif > itworksbut.sarif
+itworksbut scan --todo
 itworksbut scan --config itworksbut.config.json
 itworksbut scan --verbose
 itworksbut --version
@@ -56,6 +57,7 @@ itworksbut scan [options]
 - `--fail-on <severity>`: Exit with code `1` when a finding at or above the severity exists. Levels: `critical`, `high`, `medium`, `low`, `info`. Default: `low`.
 - `--json`: Print machine-readable JSON only. No banner, colors, spinner, table, or extra text.
 - `--sarif`: Print SARIF JSON for GitHub Code Scanning. No banner, colors, spinner, table, or extra text.
+- `--todo`: Write an AI-ready `todo.md` into the scanned project with prioritized findings, fix prompts, and acceptance criteria.
 - `--verbose`: Include scanner warnings and extra metadata in console output.
 - `--quiet`: Print only the summary.
 - `--no-color`: Disable colored output.
@@ -87,6 +89,14 @@ Console-only flags:
 
 In CI, spinners and banners are automatically disabled. With `--json` and `--sarif`, stdout contains only valid machine-readable output. The edgy tone applies only to the Console Reporter.
 
+To create a fix list for a coding agent:
+
+```sh
+itworksbut scan --todo
+```
+
+This writes `todo.md` to the scanned project. The file is ordered by severity and includes agent rules, exact fix prompts, locations, recommendations, and final verification checkboxes.
+
 ## GitHub Actions
 
 ```yaml
@@ -155,20 +165,21 @@ release/**
 
 ## Example Output
 
-```text
-✖  CRITICAL  It works, but your .env is tracked.
-   ✔ Check: env.env-file-tracked
-   📁 File:  .env
-   🤔 Why:   .env appears to be tracked by git. Secrets may be exposed.
-   🤖 prompt:   You are a senior security engineer working in this repository. Fix the ItWorksBut finding env.env-file-tracked at .env. Treat this as a concrete finding. Problem: .env appears to be tracked by git. Secrets may be exposed. Required change: Remove tracked env files from git, add safe examples such as .env.example, and make sure any exposed credentials are treated as compromised. Do not print, log, or preserve raw secret values; use placeholders only. Keep existing behavior intact where possible, add or update focused tests when useful, and do not silence the check unless the underlying risk is actually fixed.
-
-▲  HIGH  It works, but your SQL query is one template string away from pain.
-   ✔ Check: database.raw-sql-interpolation
-   📁 File:  src/db.js:12
-   🤔 Why:   Possible SQL injection risk: raw SQL appears to be built with template string interpolation.
-   🤖 prompt:   You are a senior security engineer working in this repository. Fix the ItWorksBut finding database.raw-sql-interpolation at src/db.js:12. This finding is heuristic, so inspect the code first and only change behavior when the risk is real. Problem: Possible SQL injection risk: raw SQL appears to be built with template string interpolation. Required change: Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder. Keep existing behavior intact where possible, add or update focused tests when useful, and do not silence the check unless the underlying risk is actually fixed.
+![screenshot of an example output](/assets/medium_problems.webp)
+✖ CRITICAL It works, but your .env is tracked.
+✔ Check: env.env-file-tracked
+📁 File: .env
+🤔 Why: .env appears to be tracked by git. Secrets may be exposed.
+🤖 prompt: You are a senior security engineer working in this repository. Fix the ItWorksBut finding env.env-file-tracked at .env. Treat this as a concrete finding. Problem: .env appears to be tracked by git. Secrets may be exposed. Required change: Remove tracked env files from git, add safe examples such as .env.example, and make sure any exposed credentials are treated as compromised. Do not print, log, or preserve raw secret values; use placeholders only. Keep existing behavior intact where possible, add or update focused tests when useful, and do not silence the check unless the underlying risk is actually fixed.
+
+▲ HIGH It works, but your SQL query is one template string away from pain.
+✔ Check: database.raw-sql-interpolation
+📁 File: src/db.js:12
+🤔 Why: Possible SQL injection risk: raw SQL appears to be built with template string interpolation.
+🤖 prompt: You are a senior security engineer working in this repository. Fix the ItWorksBut finding database.raw-sql-interpolation at src/db.js:12. This finding is heuristic, so inspect the code first and only change behavior when the risk is real. Problem: Possible SQL injection risk: raw SQL appears to be built with template string interpolation. Required change: Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder. Keep existing behavior intact where possible, add or update focused tests when useful, and do not silence the check unless the underlying risk is actually fixed.
 
 SUMMARY
+
 - ship status: DO NOT SHIP
 - Fix the red stuff before production.
 - total findings: 2
@@ -179,13 +190,14 @@ SUMMARY
 - info: 0
 - fail-on: high
 - exit decision: 1
+
 ```
 
 Secret-like findings never print the full secret value. Findings report the file, line, and secret type where possible.
 
 ## What It Detects
 
-The baseline includes 30 modular checks:
+The baseline includes 40 modular checks:
 
 - `git.gitignore-missing`
 - `git.gitignore-incomplete`
@@ -194,6 +206,7 @@ The baseline includes 30 modular checks:
 - `env.env-example-missing`
 - `env.possible-secret-in-code`
 - `env.frontend-secret-exposure`
+- `secrets.secrets-in-logs`
 - `dependencies.lockfile-missing`
 - `dependencies.multiple-lockfiles`
 - `dependencies.install-scripts-risk`
@@ -207,13 +220,22 @@ The baseline includes 30 modular checks:
 - `node.rate-limit-missing`
 - `node.helmet-missing`
 - `node.cors-wildcard`
+- `node.child-process-user-input`
 - `web.client-side-auth-only`
 - `web.dangerous-inner-html`
 - `web.missing-output-sanitization`
 - `api.missing-auth-on-routes`
 - `api.idor-risk`
+- `auth.jwt-secret-weak-or-fallback`
+- `auth.password-hashing-missing`
 - `database.raw-sql-interpolation`
 - `database.no-migrations`
+- `cookies.insecure-session-cookie`
+- `uploads.public-executable-upload`
+- `webhooks.missing-raw-body`
+- `llm.prompt-injection-risk`
+- `frontend.sourcemaps-production`
+- `config.debug-production`
 - `electron.node-integration-enabled`
 - `electron.context-isolation-disabled`
 - `tauri.dangerous-allowlist-or-capabilities`
@@ -225,3 +247,4 @@ Each check is a plain ESM module with an `id`, metadata, and async `run(context)
 ItWorksBut is a static heuristic scanner, not a pentest, SAST replacement, dependency vulnerability database, or runtime security monitor. Findings intentionally use wording such as "possible", "potential", and "appears to" when a check is heuristic.
 
 Use it as a CI guardrail for common project hygiene and security mistakes. For production systems, combine it with code review, tests, dependency scanning, secrets scanning, threat modeling, and focused security assessment.
+```

package/bin/itworksbut.js

@@ -9,6 +9,7 @@ import { getExitCode } from '../src/core/findings.js';
 import { reportConsole } from '../src/reporters/consoleReporter.js';
 import { reportJson } from '../src/reporters/jsonReporter.js';
 import { reportSarif } from '../src/reporters/sarifReporter.js';
+import { writeTodoReport } from '../src/reporters/todoReporter.js';
 
 async function main() {
     const args = parseArgs(process.argv.slice(2));
@@ -51,6 +52,9 @@ async function main() {
         process.stdout.write(`${JSON.stringify(reportSarif(result), null, 2)}\n`);
     } else if (args.json) {
         process.stdout.write(`${JSON.stringify(reportJson(result), null, 2)}\n`);
+    } else if (args.todo) {
+        const filePath = await writeTodoReport(result);
+        if (!args.quiet) process.stdout.write(`Wrote AI todo file: ${filePath}\n`);
     } else {
         reportConsole(result, args);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "itworksbut",
-    "version": "0.2.0",
+    "version": "0.4.0",
     "description": "Static CI checks for common security, repo, dependency, build, and deployment risks in JavaScript vibe coding projects.",
     "type": "module",
     "bin": {

package/src/checks/auth/jwt-secret-weak-or-fallback.js

@@ -0,0 +1,72 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const WEAK_JWT_VALUES = [
+  "secret",
+  "changeme",
+  "change-me",
+  "dev-secret",
+  "development",
+  "password",
+  "123456",
+  "jwt-secret",
+  "supersecret",
+  "test",
+  "local"
+];
+
+const WEAK_VALUE_RE = `(?:${WEAK_JWT_VALUES.map(escapeRegExp).join("|")})`;
+const DIRECT_JWT_RE = new RegExp(`\\bjwt\\.(?:sign|verify)\\s*\\([^\\n;]*?,\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const FALLBACK_RE = new RegExp(`\\bprocess\\.env\\.JWT_SECRET\\s*(?:\\|\\||\\?\\?)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const ASSIGNMENT_RE = new RegExp(`\\bJWT_SECRET\\b\\s*(?:=|:)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+
+export default {
+  id: "auth.jwt-secret-weak-or-fallback",
+  title: "JWT secrets should not use weak hardcoded values or fallbacks",
+  category: "auth",
+  severity: "high",
+  tags: ["auth", "jwt", "secrets", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\bJWT_SECRET\b|\bjwt\.(?:sign|verify)\b/i.test(content)) continue;
+
+      const lines = content.split(/\r?\n/);
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+
+        if (DIRECT_JWT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "direct-hardcoded-jwt-secret", "critical"));
+        } else if (FALLBACK_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "environment-fallback", "high"));
+        } else if (ASSIGNMENT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "weak-jwt-secret-assignment", "high"));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function jwtFinding(file, line, pattern, severity) {
+  return {
+    severity,
+    message: "JWT signing or verification appears to use a weak hardcoded secret or a development fallback.",
+    file,
+    line,
+    recommendation:
+      "Require a strong JWT secret from the environment in production and fail startup if it is missing.",
+    heuristic: true,
+    metadata: {
+      pattern,
+      valueRedacted: true
+    }
+  };
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/auth/password-hashing-missing.js

@@ -0,0 +1,56 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const USER_CREATE_TERMS_RE = /\b(register|signup|createUser|users|INSERT\s+INTO\s+users|prisma\.user\.create|db\.user\.create)\b/i;
+const PASSWORD_TERM_RE = /\bpassword\b/i;
+const HASHING_RE = /\b(?:bcrypt|bcryptjs|argon2|scrypt|crypto\.scrypt|pbkdf2|hashPassword|passwordHash|hashedPassword)\b/i;
+
+const RISKY_PASSWORD_STORAGE_RE =
+  /\bpassword\s*:\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|\bpassword\s*=\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|INSERT\s+INTO\s+users\s*\([^)]*password|prisma\.user\.create\s*\(\s*{[\s\S]{0,800}?data\s*:\s*{[\s\S]{0,500}?password\s*:|db\.user\.create\s*\(\s*{[\s\S]{0,800}?password\s*:/gi;
+
+export default {
+  id: "auth.password-hashing-missing",
+  title: "User passwords should be hashed before storage",
+  category: "auth",
+  severity: "critical",
+  tags: ["auth", "passwords", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PASSWORD_TERM_RE.test(content) || !USER_CREATE_TERMS_RE.test(content)) continue;
+
+      RISKY_PASSWORD_STORAGE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_PASSWORD_STORAGE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 10);
+        if (HASHING_RE.test(nearby)) continue;
+
+        findings.push({
+          message:
+            "This code appears to create users or store passwords without an obvious password hashing step.",
+          file,
+          line,
+          recommendation:
+            "Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.",
+          heuristic: true,
+          metadata: {
+            pattern: "password-storage-without-nearby-hashing"
+          }
+        });
+        break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/config/debug-production.js

@@ -0,0 +1,65 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const DEBUG_FLAG_RE =
+  /\b(?:debug|verbose|dev|exposeErrors|stackTrace|showStack)\s*:\s*true\b|\bapp\.set\s*\(\s*["'`]env["'`]\s*,\s*["'`]development["'`]\s*\)|\bNODE_ENV\s*=\s*["'`]development["'`]|\bdevtool\s*:\s*["'`](?:eval|eval-source-map|inline-source-map|cheap-module-source-map)["'`]/gi;
+
+export default {
+  id: "config.debug-production",
+  title: "Production configuration should not enable debug behavior",
+  category: "config",
+  severity: "medium",
+  tags: ["config", "debug", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      if (!isRiskyConfigFile(file)) continue;
+
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      DEBUG_FLAG_RE.lastIndex = 0;
+      let match;
+      while ((match = DEBUG_FLAG_RE.exec(content)) !== null) {
+        const productionLike = isProductionLikeFile(file);
+        findings.push({
+          severity: productionLike ? "high" : "medium",
+          message: "Debug or development flags appear to be enabled in production-like configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.",
+          heuristic: true,
+          metadata: {
+            productionLike,
+            pattern: classifyDebugPattern(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isRiskyConfigFile(file) {
+  return (
+    isProductionLikeFile(file) ||
+    /^next\.config\.[cm]?[jt]s$/.test(file) ||
+    /^vite\.config\.[cm]?[jt]s$/.test(file) ||
+    /^webpack\.config\.[cm]?[jt]s$/.test(file) ||
+    /(^|\/)(server|app)\.[cm]?[jt]s$/.test(file)
+  );
+}
+
+function isProductionLikeFile(file) {
+  return /^config\/production\./.test(file) || /\.production\./.test(file);
+}
+
+function classifyDebugPattern(value) {
+  if (/devtool/i.test(value)) return "unsafe-devtool";
+  if (/NODE_ENV|app\.set/i.test(value)) return "development-environment";
+  if (/stack|showStack|exposeErrors/i.test(value)) return "verbose-errors";
+  return "debug-flag";
+}

package/src/checks/cookies/insecure-session-cookie.js

@@ -0,0 +1,69 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, readNearby } from "../helpers.js";
+
+const COOKIE_CALL_RE =
+  /\b(?:res\.cookie|cookies\(\)\.set|response\.cookies\.set|setCookie|serialize)\s*\(\s*["'`]([^"'`]+)["'`]/g;
+const AUTH_COOKIE_NAME_RE = /\b(session|auth|token|jwt)\b/i;
+
+export default {
+  id: "cookies.insecure-session-cookie",
+  title: "Session cookies should use secure attributes",
+  category: "cookies",
+  severity: "high",
+  tags: ["cookies", "auth", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/cookie|setCookie|serialize/i.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        COOKIE_CALL_RE.lastIndex = 0;
+        let match;
+        while ((match = COOKIE_CALL_RE.exec(lines[index])) !== null) {
+          const cookieName = match[1] || "";
+          const nearby = await readNearby(context, file, index + 1, 6);
+          if (hasSecureCookieAttributes(nearby)) continue;
+
+          findings.push({
+            severity: AUTH_COOKIE_NAME_RE.test(cookieName) ? "high" : "medium",
+            message: "A session or auth cookie appears to be set without secure cookie attributes.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.",
+            heuristic: true,
+            metadata: {
+              cookieName: redactCookieName(cookieName),
+              missingAttributes: missingAttributes(nearby)
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasSecureCookieAttributes(value) {
+  return (
+    /\bhttpOnly\s*:\s*true\b/i.test(value) &&
+    /\bsecure\s*:\s*true\b/i.test(value) &&
+    /\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)
+  );
+}
+
+function missingAttributes(value) {
+  const missing = [];
+  if (!/\bhttpOnly\s*:\s*true\b/i.test(value)) missing.push("httpOnly");
+  if (!/\bsecure\s*:\s*true\b/i.test(value)) missing.push("secure");
+  if (!/\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)) missing.push("sameSite");
+  return missing;
+}
+
+function redactCookieName(cookieName) {
+  return AUTH_COOKIE_NAME_RE.test(cookieName) ? cookieName : "non-auth-cookie";
+}

package/src/checks/frontend/sourcemaps-production.js

@@ -0,0 +1,90 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+import { normalizeRelativePath } from "../../utils/path.js";
+
+const SOURCEMAP_CONFIG_RE =
+  /\b(?:sourcemap|productionBrowserSourceMaps)\s*:\s*true\b|\bGENERATE_SOURCEMAP\s*=\s*true\b|\bdevtool\s*:\s*["'`](?:source-map|inline-source-map|eval-source-map)["'`]/gi;
+const SOURCEMAP_DIRS = ["dist", "build", ".next", "out"];
+const MAX_SOURCEMAP_FILES = 100;
+
+export default {
+  id: "frontend.sourcemaps-production",
+  title: "Production source maps should not be served publicly by accident",
+  category: "frontend",
+  severity: "medium",
+  tags: ["frontend", "sourcemaps", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      SOURCEMAP_CONFIG_RE.lastIndex = 0;
+      let match;
+      while ((match = SOURCEMAP_CONFIG_RE.exec(content)) !== null) {
+        findings.push(sourceMapFinding(file, lineFromOffset(content, match.index), "sourcemap-config-enabled"));
+      }
+    }
+
+    const mapFiles = await collectGeneratedSourceMaps(context.rootPath);
+    for (const file of mapFiles) {
+      findings.push(sourceMapFinding(file, undefined, "generated-map-file"));
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function sourceMapFinding(file, line, pattern) {
+  return {
+    message: "Production source maps appear to be enabled or generated.",
+    file,
+    line,
+    recommendation:
+      "Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+async function collectGeneratedSourceMaps(rootPath) {
+  const results = [];
+
+  for (const directory of SOURCEMAP_DIRS) {
+    await visit(path.join(rootPath, directory), rootPath, results);
+    if (results.length >= MAX_SOURCEMAP_FILES) break;
+  }
+
+  return results.slice(0, MAX_SOURCEMAP_FILES);
+}
+
+async function visit(directory, rootPath, results) {
+  if (results.length >= MAX_SOURCEMAP_FILES) return;
+
+  let entries;
+  try {
+    entries = await fs.readdir(directory, { withFileTypes: true });
+  } catch {
+    return;
+  }
+
+  for (const entry of entries) {
+    if (results.length >= MAX_SOURCEMAP_FILES) return;
+    if (entry.name === "node_modules") continue;
+
+    const absolutePath = path.join(directory, entry.name);
+    if (entry.isDirectory()) {
+      await visit(absolutePath, rootPath, results);
+      continue;
+    }
+
+    if (entry.isFile() && entry.name.endsWith(".map")) {
+      results.push(normalizeRelativePath(path.relative(rootPath, absolutePath)));
+    }
+  }
+}

package/src/checks/index.js

@@ -5,6 +5,7 @@ import envFileTracked from "./env/env-file-tracked.js";
 import envExampleMissing from "./env/env-example-missing.js";
 import possibleSecretInCode from "./env/possible-secret-in-code.js";
 import frontendSecretExposure from "./env/frontend-secret-exposure.js";
+import secretsInLogs from "./secrets/secrets-in-logs.js";
 import lockfileMissing from "./dependencies/lockfile-missing.js";
 import multipleLockfiles from "./dependencies/multiple-lockfiles.js";
 import installScriptsRisk from "./dependencies/install-scripts-risk.js";
@@ -18,13 +19,22 @@ import expressJsonLimitMissing from "./node/express-json-limit-missing.js";
 import rateLimitMissing from "./node/rate-limit-missing.js";
 import helmetMissing from "./node/helmet-missing.js";
 import corsWildcard from "./node/cors-wildcard.js";
+import childProcessUserInput from "./node/child-process-user-input.js";
 import clientSideAuthOnly from "./web/client-side-auth-only.js";
 import dangerousInnerHtml from "./web/dangerous-inner-html.js";
 import missingOutputSanitization from "./web/missing-output-sanitization.js";
 import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
 import idorRisk from "./auth/idor-risk.js";
+import jwtSecretWeakOrFallback from "./auth/jwt-secret-weak-or-fallback.js";
+import passwordHashingMissing from "./auth/password-hashing-missing.js";
 import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
 import noMigrations from "./database/no-migrations.js";
+import insecureSessionCookie from "./cookies/insecure-session-cookie.js";
+import publicExecutableUpload from "./uploads/public-executable-upload.js";
+import missingRawBody from "./webhooks/missing-raw-body.js";
+import promptInjectionRisk from "./llm/prompt-injection-risk.js";
+import sourceMapsProduction from "./frontend/sourcemaps-production.js";
+import debugProduction from "./config/debug-production.js";
 import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
 import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
 import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
@@ -37,6 +47,7 @@ export default [
   envExampleMissing,
   possibleSecretInCode,
   frontendSecretExposure,
+  secretsInLogs,
   lockfileMissing,
   multipleLockfiles,
   installScriptsRisk,
@@ -50,13 +61,22 @@ export default [
   rateLimitMissing,
   helmetMissing,
   corsWildcard,
+  childProcessUserInput,
   clientSideAuthOnly,
   dangerousInnerHtml,
   missingOutputSanitization,
   missingAuthOnRoutes,
   idorRisk,
+  jwtSecretWeakOrFallback,
+  passwordHashingMissing,
   rawSqlInterpolation,
   noMigrations,
+  insecureSessionCookie,
+  publicExecutableUpload,
+  missingRawBody,
+  promptInjectionRisk,
+  sourceMapsProduction,
+  debugProduction,
   electronNodeIntegrationEnabled,
   electronContextIsolationDisabled,
   tauriDangerousAllowlistOrCapabilities

package/src/checks/llm/prompt-injection-risk.js

@@ -0,0 +1,57 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const LLM_USAGE_RE =
+  /\b(?:openai\.chat\.completions\.create|openai\.responses\.create|anthropic\.messages\.create|generateText|streamText|ollama|langchain|aiOutput|completion|modelOutput|llmResponse)\b/i;
+const LLM_OUTPUT_RE = /\b(?:aiOutput|completion|modelOutput|llmResponse|llmResult|modelResponse)\b/i;
+const DANGEROUS_USE_RE =
+  /\b(?:eval|exec|execSync|spawn|spawnSync|db\.query|JSON\.parse|fetch)\s*\(\s*([^)\n;]+)|\bnew\s+Function\s*\(\s*([^)\n;]+)|\bprisma\.\$queryRawUnsafe\s*\(\s*([^)\n;]+)|\binnerHTML\s*=\s*([^;\n]+)|dangerouslySetInnerHTML\s*=\s*{{[\s\S]{0,200}?__html\s*:\s*([^}\n]+)|\bfs\.writeFile\s*\([^,\n]+,\s*([^)\n;]+)/gi;
+
+export default {
+  id: "llm.prompt-injection-risk",
+  title: "LLM output should not flow directly into dangerous actions",
+  category: "llm",
+  severity: "high",
+  tags: ["llm", "prompt-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !LLM_USAGE_RE.test(content)) continue;
+
+      DANGEROUS_USE_RE.lastIndex = 0;
+      let match;
+      while ((match = DANGEROUS_USE_RE.exec(content)) !== null) {
+        const argument = match.slice(1).find(Boolean) || "";
+        if (!LLM_OUTPUT_RE.test(argument)) continue;
+
+        findings.push({
+          message:
+            "LLM output appears to flow into code execution, shell commands, HTML injection, database queries, file writes or network requests.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.",
+          heuristic: true,
+          metadata: {
+            pattern: classifyDangerousUse(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function classifyDangerousUse(value) {
+  if (/\beval\b|\bFunction\b/.test(value)) return "code-execution";
+  if (/\bexec|spawn/.test(value)) return "shell-command";
+  if (/innerHTML|dangerouslySetInnerHTML/.test(value)) return "html-injection";
+  if (/query/.test(value)) return "database-query";
+  if (/writeFile/.test(value)) return "file-write";
+  if (/fetch/.test(value)) return "network-request";
+  if (/JSON\.parse/.test(value)) return "unvalidated-json-parse";
+  return "dangerous-llm-output-use";
+}

package/src/checks/node/child-process-user-input.js

@@ -0,0 +1,54 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CHILD_PROCESS_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(([^;\n]*)/gi;
+const CHILD_PROCESS_IMPORT_RE = /\bchild_process\b|\bfrom\s+["'`]node:child_process["'`]|\brequire\s*\(\s*["'`](?:node:)?child_process["'`]\s*\)/i;
+const USER_INPUT_RE =
+  /\b(?:req\.(?:body|query|params)|request\.body|searchParams|process\.argv|formData|userInput|input|filename|branch|url)\b/i;
+const ALLOWLIST_RE = /\b(?:allowlist|allowed|whitelist|safeList|zod|schema|validate|validator|assertAllowed)\b/i;
+
+export default {
+  id: "node.child-process-user-input",
+  title: "Child process commands should not trust user input",
+  category: "node",
+  severity: "critical",
+  tags: ["node", "command-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CHILD_PROCESS_IMPORT_RE.test(content)) continue;
+
+      CHILD_PROCESS_RE.lastIndex = 0;
+      let match;
+      while ((match = CHILD_PROCESS_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 8);
+        if (!USER_INPUT_RE.test(match[1] || nearby)) continue;
+        if (ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a child process command.",
+          file,
+          line,
+          recommendation:
+            "Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.",
+          heuristic: true,
+          metadata: {
+            pattern: "child-process-user-input"
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/secrets/secrets-in-logs.js

@@ -0,0 +1,86 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const LOG_CALL_RE = /\b(?:console\.(?:log|error|debug|info|warn)|logger\.(?:info|debug|error|warn|trace))\s*\(([^)]*)\)/g;
+const SECRET_TERMS = [
+  "SECRET",
+  "TOKEN",
+  "KEY",
+  "PASSWORD",
+  "DATABASE_URL",
+  "PRIVATE",
+  "SERVICE_ROLE",
+  "OPENAI_API_KEY",
+  "STRIPE_SECRET_KEY",
+  "JWT_SECRET",
+  "GITHUB_TOKEN",
+  "AWS_SECRET_ACCESS_KEY"
+];
+
+export default {
+  id: "secrets.secrets-in-logs",
+  title: "Logs should not include secrets or sensitive request data",
+  category: "secrets",
+  severity: "high",
+  tags: ["secrets", "logging", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+        LOG_CALL_RE.lastIndex = 0;
+
+        let match;
+        while ((match = LOG_CALL_RE.exec(line)) !== null) {
+          const args = match[1] || "";
+          if (!containsSensitiveLogTarget(args)) continue;
+
+          findings.push({
+            message:
+              "Logging environment variables, headers, request bodies or secret-like config values may expose sensitive data.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.",
+            heuristic: true,
+            metadata: {
+              secretType: detectSecretType(args),
+              valueRedacted: true
+            }
+          });
+          break;
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function containsSensitiveLogTarget(value) {
+  return (
+    /\bprocess\.env(?:\.[A-Z0-9_]+)?\b/.test(value) ||
+    /\b(?:req|request)\.(?:headers|body)\b/.test(value) ||
+    /\bconfig\b/i.test(value) ||
+    SECRET_TERMS.some((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value))
+  );
+}
+
+function detectSecretType(value) {
+  const match = SECRET_TERMS.find((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value));
+  if (match) return match;
+  if (/\bprocess\.env\b/.test(value)) return "ENVIRONMENT";
+  if (/\b(?:req|request)\.headers\b/.test(value)) return "REQUEST_HEADERS";
+  if (/\b(?:req|request)\.body\b/.test(value)) return "REQUEST_BODY";
+  if (/\bconfig\b/i.test(value)) return "CONFIG";
+  return "UNKNOWN";
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/uploads/public-executable-upload.js

@@ -0,0 +1,63 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PUBLIC_UPLOAD_PATH_RE = /(?:public|static|dist|build|\.next\/static)\/(?:uploads|files)/i;
+const PUBLIC_UPLOAD_PATTERNS = [
+  /multer\s*\(\s*{[\s\S]{0,500}?dest\s*:\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /\b(?:uploadDir|uploadsDir|destination)\b\s*=\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /path\.join\s*\([^)]*["'`](?:public|static|dist|build)["'`]\s*,\s*["'`](?:uploads|files)["'`]/gi,
+  /fs\.writeFile\s*\(\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)\//gi,
+  /app\.use\s*\(\s*["'`]\/(?:uploads|files)["'`]\s*,\s*express\.static\s*\(/gi,
+  /express\.static\s*\(\s*["'`](?:public|static)["'`]\s*\)/gi
+];
+const VALIDATION_RE = /\b(?:fileFilter|limits\s*:\s*{[\s\S]{0,120}?fileSize|limits\.fileSize|mimetype|allowedTypes|allowedMimeTypes)\b/i;
+
+export default {
+  id: "uploads.public-executable-upload",
+  title: "Uploads should not be stored directly in public web roots",
+  category: "uploads",
+  severity: "high",
+  tags: ["uploads", "static-files", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(upload|multer|express\.static|writeFile|public\/|static\/)/i.test(content)) continue;
+
+      for (const regex of PUBLIC_UPLOAD_PATTERNS) {
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          if (!PUBLIC_UPLOAD_PATH_RE.test(match[0]) && !/\/(?:uploads|files)/i.test(match[0])) continue;
+          const line = lineFromOffset(content, match.index);
+          const validationMissing = !VALIDATION_RE.test(nearbyText(content, line, 12));
+
+          findings.push({
+            message:
+              "Uploaded files appear to be stored in a public directory, possibly without strict file type and size validation.",
+            file,
+            line,
+            recommendation:
+              "Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.",
+            heuristic: true,
+            metadata: {
+              validationMissing
+            }
+          });
+          break;
+        }
+        if (findings.some((finding) => finding.file === file)) break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/webhooks/missing-raw-body.js

@@ -0,0 +1,82 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PROVIDER_RE =
+  /\b(?:stripe\.webhooks\.constructEvent|github webhook signature|x-hub-signature|svix|clerk|lemon\s*squeezy|lemonsqueezy|polar|paddle|webhook signature)\b/i;
+const PARSED_BODY_SIGNATURE_RE = /\b(?:stripe\.webhooks\.)?constructEvent\s*\(\s*req\.body\b/gi;
+const RAW_BODY_RE = /\b(?:express\.raw\s*\(|bodyParser\.raw\s*\(|rawBody|req\.rawBody|buffer)\b/i;
+const GLOBAL_JSON_RE = /\bapp\.use\s*\(\s*express\.json\s*\(/i;
+const WEBHOOK_ROUTE_RE = /\bapp\.(?:post|put|patch)\s*\(\s*["'`][^"'`]*webhook/i;
+
+export default {
+  id: "webhooks.missing-raw-body",
+  title: "Signed webhooks should verify the exact raw body",
+  category: "webhooks",
+  severity: "high",
+  tags: ["webhooks", "signatures", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PROVIDER_RE.test(content)) continue;
+
+      PARSED_BODY_SIGNATURE_RE.lastIndex = 0;
+      let match;
+      while ((match = PARSED_BODY_SIGNATURE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        if (RAW_BODY_RE.test(nearbyText(content, line, 12))) continue;
+        findings.push(webhookFinding(file, line, "parsed-body-signature-check"));
+      }
+
+      const jsonLine = firstLineMatching(content, GLOBAL_JSON_RE);
+      const routeLine = firstLineMatching(content, WEBHOOK_ROUTE_RE);
+      if (jsonLine && routeLine && jsonLine < routeLine && !RAW_BODY_RE.test(content)) {
+        findings.push(webhookFinding(file, jsonLine, "json-parser-before-webhook-route"));
+      }
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function webhookFinding(file, line, pattern) {
+  return {
+    message:
+      "Webhook signature verification appears to use a parsed request body. Some providers require the exact raw body.",
+    file,
+    line,
+    recommendation:
+      "Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+function firstLineMatching(content, regex) {
+  const lines = content.split(/\r?\n/);
+  for (let index = 0; index < lines.length; index += 1) {
+    regex.lastIndex = 0;
+    if (regex.test(lines[index])) return index + 1;
+  }
+  return null;
+}
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((finding) => {
+    const key = `${finding.file}:${finding.line}:${finding.metadata.pattern}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/cli/output.js

@@ -14,6 +14,7 @@ Options:
                      Levels: critical, high, medium, low, info. Default: low.
   --json              Print machine-readable JSON.
   --sarif             Print SARIF for GitHub Code Scanning.
+  --todo              Write an AI-ready todo.md to the scanned project.
   --no-color          Disable color styling.
   --no-banner         Disable the intro banner.
   --quiet             Print only the summary.

package/src/cli/parseArgs.js

@@ -1,5 +1,5 @@
 const FLAG_WITH_VALUE = new Set(["--fail-on", "--config", "--path"]);
-const BOOLEAN_FLAGS = new Set(["--json", "--sarif", "--verbose", "--help", "-h", "--version", "-v", "--no-color", "--no-banner", "--quiet"]);
+const BOOLEAN_FLAGS = new Set(["--json", "--sarif", "--todo", "--verbose", "--help", "-h", "--version", "-v", "--no-color", "--no-banner", "--quiet"]);
 
 export function parseArgs(argv) {
   const args = {
@@ -9,6 +9,7 @@ export function parseArgs(argv) {
     failOn: undefined,
     json: false,
     sarif: false,
+    todo: false,
     verbose: false,
     noColor: false,
     noBanner: false,
@@ -46,6 +47,7 @@ export function parseArgs(argv) {
       if (token === "--version" || token === "-v") args.version = true;
       if (token === "--json") args.json = true;
       if (token === "--sarif") args.sarif = true;
+      if (token === "--todo") args.todo = true;
       if (token === "--verbose") args.verbose = true;
       if (token === "--no-color") args.noColor = true;
       if (token === "--no-banner") args.noBanner = true;
@@ -56,8 +58,8 @@ export function parseArgs(argv) {
     throw new Error(`Unknown argument: ${token}`);
   }
 
-  if (args.json && args.sarif) {
-    throw new Error("Use only one output format: --json or --sarif");
+  if ([args.json, args.sarif, args.todo].filter(Boolean).length > 1) {
+    throw new Error("Use only one output format: --json, --sarif, or --todo");
   }
 
   return args;

package/src/cli/terminal.js

@@ -19,11 +19,11 @@ const SPINNER_TEXT = {
 };
 
 export function isFancyOutputEnabled(options = {}, env = process.env, stdout = process.stdout) {
-  return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.noColor;
+  return Boolean(stdout.isTTY) && !env.CI && !options.json && !options.sarif && !options.todo && !options.noColor;
 }
 
 export function isColorEnabled(options = {}, env = process.env, stdout = process.stdout) {
-  if (options.noColor || options.json || options.sarif) return false;
+  if (options.noColor || options.json || options.sarif || options.todo) return false;
   if (env.FORCE_COLOR && env.FORCE_COLOR !== "0") return true;
   if (env.CI) return false;
   return Boolean(stdout.isTTY);
@@ -40,6 +40,7 @@ export function shouldUseSpinner(options = {}, env = process.env, stdout = proce
     !env.CI &&
     !options.json &&
     !options.sarif &&
+    !options.todo &&
     !options.quiet
   );
 }
@@ -54,7 +55,7 @@ export function createScanSpinner(options = {}) {
 }
 
 export function printIntro(options = {}) {
-  if (options.json || options.sarif || options.noBanner || options.quiet || process.env.CI || !process.stdout.isTTY) {
+  if (options.json || options.sarif || options.todo || options.noBanner || options.quiet || process.env.CI || !process.stdout.isTTY) {
     return;
   }
 

package/src/reporters/consoleStyle.js

@@ -7,6 +7,7 @@ const EDGY_TITLES = {
     'env.env-file-tracked': 'It works, but your .env is tracked.',
     'env.possible-secret-in-code': 'It works, but your repo may be leaking secrets.',
     'env.frontend-secret-exposure': 'It works, but your frontend env variable smells like a backend secret.',
+    'secrets.secrets-in-logs': 'It works, but your logs may be leaking secrets.',
     'git.gitignore-missing': 'It works, but your repo forgot what not to commit.',
     'git.gitignore-incomplete': 'It works, but your .gitignore has holes.',
     'git.ignored-files-tracked': 'It works, but Git is already tracking files you meant to ignore.',
@@ -19,11 +20,20 @@ const EDGY_TITLES = {
     'node.rate-limit-missing': 'It works, but your endpoints have no brakes.',
     'node.helmet-missing': 'It works, but your HTTP headers are underdressed.',
     'node.cors-wildcard': 'It works, but CORS is holding the door open.',
+    'node.child-process-user-input': 'It works, but your shell command trusts the internet.',
     'web.dangerous-inner-html': 'It works, but your frontend is injecting HTML with sharp edges.',
     'api.missing-auth-on-routes': 'It works, but this API route appears to trust strangers.',
     'api.idor-risk': 'It works, but this ID lookup may belong to someone else.',
+    'auth.jwt-secret-weak-or-fallback': 'It works, but your JWT secret has a fallback key.',
+    'auth.password-hashing-missing': 'It works, but your passwords may be stored too honestly.',
     'database.raw-sql-interpolation': 'It works, but your SQL query is one template string away from pain.',
     'database.no-migrations': 'It works, but your database schema has no paper trail.',
+    'cookies.insecure-session-cookie': 'It works, but your session cookie is dressed for localhost.',
+    'uploads.public-executable-upload': 'It works, but your uploads are sitting in the front window.',
+    'webhooks.missing-raw-body': 'It works, but your webhook signature check may be checking the wrong body.',
+    'llm.prompt-injection-risk': 'It works, but your AI output has admin energy.',
+    'frontend.sourcemaps-production': 'It works, but your source code may be shipping with the app.',
+    'config.debug-production': 'It works, but production still thinks it is a dev server.',
     'electron.node-integration-enabled': 'It works, but Electron is holding the Node.js door open.',
     'electron.context-isolation-disabled': 'It works, but your renderer and backend are sharing a room.',
     'tauri.dangerous-allowlist-or-capabilities': 'It works, but your Tauri permissions look too generous.',
@@ -44,6 +54,8 @@ const FIX_PROMPT_ACTIONS = {
         'Move hardcoded secret material into a runtime secret store or CI secret, replace committed values with placeholders, and avoid printing secret values anywhere.',
     'env.frontend-secret-exposure':
         'Move secret-like frontend environment variables to server-side code and keep only intentionally public values behind public prefixes.',
+    'secrets.secrets-in-logs':
+        'Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.',
     'git.gitignore-missing':
         'Add a project-appropriate .gitignore for dependencies, local env files, build output, logs, databases, OS files, and coverage artifacts.',
     'git.gitignore-incomplete':
@@ -73,6 +85,8 @@ const FIX_PROMPT_ACTIONS = {
         'Install and apply Helmet or equivalent security headers early in the Express middleware stack.',
     'node.cors-wildcard':
         'Restrict CORS origins to trusted application origins and avoid wildcard or credentials-unsafe configurations.',
+    'node.child-process-user-input':
+        'Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.',
     'web.client-side-auth-only':
         'Move authorization enforcement to server-side API or route handlers and keep frontend checks as UI-only hints.',
     'web.dangerous-inner-html':
@@ -82,9 +96,25 @@ const FIX_PROMPT_ACTIONS = {
         'Add explicit authentication and authorization to the route, or document why the route is intentionally public.',
     'api.idor-risk':
         'Scope object access by authenticated user, owner, tenant, account, or organization in addition to object id.',
+    'auth.jwt-secret-weak-or-fallback':
+        'Require a strong JWT secret from the environment in production and fail startup if it is missing.',
+    'auth.password-hashing-missing':
+        'Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.',
     'database.raw-sql-interpolation':
         'Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder.',
     'database.no-migrations': 'Add versioned database migrations that match the detected ORM or database stack.',
+    'cookies.insecure-session-cookie':
+        'Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.',
+    'uploads.public-executable-upload':
+        'Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.',
+    'webhooks.missing-raw-body':
+        'Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.',
+    'llm.prompt-injection-risk':
+        'Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.',
+    'frontend.sourcemaps-production':
+        'Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.',
+    'config.debug-production':
+        'Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.',
     'electron.node-integration-enabled':
         'Set nodeIntegration to false and expose only narrowly scoped APIs through preload.',
     'electron.context-isolation-disabled':

package/src/reporters/todoReporter.js

@@ -0,0 +1,133 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { SEVERITIES } from "../core/config.js";
+import { countBySeverity, getExitCode } from "../core/findings.js";
+import { getConsoleFindingTitle, getFixPrompt } from "./consoleStyle.js";
+
+export async function writeTodoReport(result, options = {}) {
+  const filePath = options.filePath || path.join(result.meta.rootPath, "todo.md");
+  await fs.writeFile(filePath, reportTodo(result), "utf8");
+  return filePath;
+}
+
+export function reportTodo(result) {
+  const counts = countBySeverity(result.findings);
+  const exitCode = getExitCode(result.findings, result.config.failOn);
+  const findingsBySeverity = new Map(
+    SEVERITIES.map((severity) => [severity, result.findings.filter((finding) => finding.severity === severity)])
+  );
+
+  return `${[
+    "# AI Fix Todo",
+    "",
+    "This file was generated by ItWorksBut. It is optimized for coding agents: work top to bottom, keep changes focused, and mark tasks complete only after verification.",
+    "",
+    "## Agent Rules",
+    "",
+    "- Fix critical and high findings before lower-priority cleanup.",
+    "- Inspect the referenced code before editing, especially for heuristic findings.",
+    "- Preserve existing behavior unless the finding explicitly requires changing it.",
+    "- Add or update focused tests when the change has behavioral risk.",
+    "- Do not silence ItWorksBut checks unless the underlying issue is actually fixed.",
+    "- Never print, log, or preserve raw secret values. Use placeholders only.",
+    "",
+    "## Scan Summary",
+    "",
+    `- Tool: ${result.meta.tool || "ItWorksBut"} ${result.meta.version || ""}`.trim(),
+    `- Project: ${result.meta.rootPath || "unknown"}`,
+    `- Completed: ${result.meta.completedAt || "unknown"}`,
+    `- Files scanned: ${result.meta.filesScanned ?? "unknown"}`,
+    `- Text files scanned: ${result.meta.textFilesScanned ?? "unknown"}`,
+    `- Fail-on: ${result.config.failOn}`,
+    `- Exit decision: ${exitCode}`,
+    `- Total findings: ${result.findings.length}`,
+    ...SEVERITIES.map((severity) => `- ${capitalize(severity)}: ${counts[severity]}`),
+    "",
+    renderFindingSections(findingsBySeverity),
+    renderWarnings(result.warnings),
+    "## Final Verification",
+    "",
+    "- [ ] Run the relevant test suite.",
+    "- [ ] Run `itworksbut scan` again.",
+    "- [ ] Confirm there are no remaining findings at or above the configured fail-on severity.",
+    "",
+  ].join("\n")}\n`;
+}
+
+function renderFindingSections(findingsBySeverity) {
+  const sections = [];
+
+  for (const severity of SEVERITIES) {
+    const findings = findingsBySeverity.get(severity) || [];
+    if (findings.length === 0) continue;
+
+    sections.push(`## ${capitalize(severity)} Findings`);
+    sections.push("");
+
+    findings.forEach((finding, index) => {
+      sections.push(renderFinding(finding, index + 1));
+      sections.push("");
+    });
+  }
+
+  if (sections.length === 0) {
+    return [
+      "## Findings",
+      "",
+      "No findings were detected. Keep this file as a record or delete it when no longer useful.",
+      "",
+    ].join("\n");
+  }
+
+  return sections.join("\n");
+}
+
+function renderFinding(finding, number) {
+  const location = finding.file
+    ? `${finding.file}${finding.line ? `:${finding.line}` : ""}${finding.column ? `:${finding.column}` : ""}`
+    : "project-wide";
+  const heuristic = finding.heuristic ? "yes" : "no";
+  const tags = finding.tags?.length ? finding.tags.join(", ") : "none";
+
+  return [
+    `### ${number}. ${getConsoleFindingTitle(finding)}`,
+    "",
+    "- [ ] Fix this finding.",
+    `- Check ID: \`${finding.checkId}\``,
+    `- Severity: \`${finding.severity}\``,
+    `- Category: \`${finding.category || "unknown"}\``,
+    `- Location: \`${location}\``,
+    `- Heuristic: \`${heuristic}\``,
+    `- Tags: ${tags}`,
+    `- Problem: ${finding.message}`,
+    `- Recommendation: ${finding.recommendation || "Fix the underlying issue without suppressing the scanner."}`,
+    "",
+    "#### Agent Prompt",
+    "",
+    "```text",
+    getFixPrompt(finding),
+    "```",
+    "",
+    "#### Acceptance Criteria",
+    "",
+    `- [ ] The issue behind \`${finding.checkId}\` is fixed at the source.`,
+    "- [ ] Existing behavior is preserved or intentional behavior changes are covered by tests.",
+    "- [ ] No raw secrets, tokens, credentials, or private values were added to code, logs, tests, or this todo.",
+    "- [ ] The relevant scanner finding no longer appears after rerunning ItWorksBut.",
+  ].join("\n");
+}
+
+function renderWarnings(warnings = []) {
+  if (!warnings.length) return "";
+
+  return [
+    "## Scanner Warnings",
+    "",
+    ...warnings.map((warning) => `- \`${warning.checkId}\`: ${warning.message}`),
+    "",
+  ].join("\n");
+}
+
+function capitalize(value) {
+  return `${value.charAt(0).toUpperCase()}${value.slice(1)}`;
+}