itworksbut 0.3.0 → 0.5.0

package/README.md

@@ -197,7 +197,7 @@ Secret-like findings never print the full secret value. Findings report the file
 
 ## What It Detects
 
-The baseline includes 30 modular checks:
+The baseline includes 50 modular checks:
 
 - `git.gitignore-missing`
 - `git.gitignore-incomplete`
@@ -206,6 +206,7 @@ The baseline includes 30 modular checks:
 - `env.env-example-missing`
 - `env.possible-secret-in-code`
 - `env.frontend-secret-exposure`
+- `secrets.secrets-in-logs`
 - `dependencies.lockfile-missing`
 - `dependencies.multiple-lockfiles`
 - `dependencies.install-scripts-risk`
@@ -219,16 +220,35 @@ The baseline includes 30 modular checks:
 - `node.rate-limit-missing`
 - `node.helmet-missing`
 - `node.cors-wildcard`
+- `node.child-process-user-input`
 - `web.client-side-auth-only`
 - `web.dangerous-inner-html`
 - `web.missing-output-sanitization`
 - `api.missing-auth-on-routes`
 - `api.idor-risk`
+- `auth.jwt-secret-weak-or-fallback`
+- `auth.password-hashing-missing`
+- `auth.missing-csrf-protection`
+- `api.missing-method-guard`
+- `api.mass-assignment-risk`
+- `api.no-schema-validation`
 - `database.raw-sql-interpolation`
 - `database.no-migrations`
+- `cookies.insecure-session-cookie`
+- `uploads.public-executable-upload`
+- `webhooks.missing-raw-body`
+- `llm.prompt-injection-risk`
+- `frontend.sourcemaps-production`
+- `frontend.localstorage-token`
+- `files.path-traversal-risk`
+- `ssrf.user-controlled-fetch`
+- `next.public-server-code-risk`
+- `config.debug-production`
 - `electron.node-integration-enabled`
 - `electron.context-isolation-disabled`
+- `electron.remote-content-with-node`
 - `tauri.dangerous-allowlist-or-capabilities`
+- `tauri.remote-url-permissions-risk`
 
 Each check is a plain ESM module with an `id`, metadata, and async `run(context)` function. Add new checks under `src/checks/` and register them in `src/checks/index.js`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "itworksbut",
-    "version": "0.3.0",
+    "version": "0.5.0",
     "description": "Static CI checks for common security, repo, dependency, build, and deployment risks in JavaScript vibe coding projects.",
     "type": "module",
     "bin": {

package/src/checks/api/mass-assignment-risk.js

@@ -0,0 +1,81 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset, readNearby } from "../helpers.js";
+
+const MASS_ASSIGNMENT_PATTERNS = [
+  {
+    regex: /\b(?:prisma\.\w+\.)?(?:create|update|upsert)\s*\(\s*{[\s\S]{0,600}?\bdata\s*:\s*(?:req\.body|body|input)\b/g,
+    label: "direct data object",
+    severity: "high"
+  },
+  {
+    regex: /\b(?:db|database|collection|\w+)\.(?:update|updateOne|updateMany|findOneAndUpdate)\s*\([\s\S]{0,300}?(?:req\.body|body|input)\b/g,
+    label: "direct update payload",
+    severity: "high"
+  },
+  {
+    regex: /\b(?:User|Account|Profile|Model|model|\w+)\.(?:create|update)\s*\(\s*(?:req\.body|body|input)\b/g,
+    label: "model create/update payload",
+    severity: "high"
+  },
+  {
+    regex: /\$set\s*:\s*(?:req\.body|body|input)\b/g,
+    label: "mongodb set payload",
+    severity: "high"
+  },
+  {
+    regex: /Object\.assign\s*\(\s*(?:user|entity|account|profile|record|model)[\w$]*\s*,\s*(?:req\.body|body|input)\b/g,
+    label: "object assign from request input",
+    severity: "medium"
+  },
+  {
+    regex: /\{\s*\.\.\.(?:req\.body|body)\s*}/g,
+    label: "spread request body",
+    severity: "medium",
+    requiresCreateOrUpdateContext: true
+  }
+];
+
+const SAFE_FIELD_RE =
+  /\b(?:pick|omit|allowedFields|allowlist|whitelist|safeData|validatedData|schema\.parse|schema\.safeParse|safeParse|zod|Joi|joi|yup|valibot)\b/i;
+const RISKY_FIELD_RE =
+  /\b(?:role|isAdmin|admin|plan|verified|emailVerified|ownerId|userId|tenantId|accountId|permissions|credits|balance|price|status)\b/i;
+const CREATE_OR_UPDATE_RE = /\b(?:create|update|upsert|insert|save|data\s*:|\$set)\b/i;
+
+export default {
+  id: "api.mass-assignment-risk",
+  title: "Create and update operations should not trust raw request bodies",
+  category: "api",
+  severity: "high",
+  tags: ["api", "database", "mass-assignment", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\b(?:req\.body|body|input|Object\.assign|\$set)\b/.test(content)) continue;
+
+      for (const pattern of MASS_ASSIGNMENT_PATTERNS) {
+        pattern.regex.lastIndex = 0;
+        let match;
+        while ((match = pattern.regex.exec(content)) !== null) {
+          const line = lineFromOffset(content, match.index);
+          const nearby = await readNearby(context, file, line, 8);
+          if (pattern.requiresCreateOrUpdateContext && !CREATE_OR_UPDATE_RE.test(nearby)) continue;
+          if (SAFE_FIELD_RE.test(nearby)) continue;
+
+          findings.push({
+            severity: RISKY_FIELD_RE.test(nearby) ? "high" : pattern.severity === "high" ? "high" : "medium",
+            message: "User-controlled input appears to be passed directly into a create or update operation.",
+            file,
+            line,
+            recommendation: "Whitelist allowed fields explicitly. Never pass req.body directly into database create/update calls.",
+            heuristic: true,
+            metadata: { pattern: pattern.label }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/api/missing-method-guard.js

@@ -0,0 +1,68 @@
+import { isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const ALL_ROUTE_RE = /\b(?:app|router|server)\.all\s*\(/g;
+const NEXT_PAGES_HANDLER_RE = /\bexport\s+default\s+(?:async\s+)?function\s+\w*\s*\(\s*(?:req|request)\s*,\s*(?:res|response)\s*\)/g;
+const NAMED_HANDLER_RE = /\bexport\s+(?:async\s+)?function\s+handler\s*\(\s*(?:req|request)\s*,\s*(?:res|response)\s*\)/g;
+const METHOD_GUARD_RE =
+  /\b(?:req|request)\.method\b|\bswitch\s*\(\s*(?:req|request)\.method\s*\)|\ballowedMethods\b|\bmethodNotAllowed\b|\breturn\s+new\s+Response\s*\([^)]*405|\bstatus\s*\(\s*405\s*\)/i;
+const METHOD_EXPORT_RE = /\bexport\s+(?:async\s+)?function\s+(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s*\(/;
+
+export default {
+  id: "api.missing-method-guard",
+  title: "API handlers should restrict HTTP methods",
+  category: "api",
+  severity: "medium",
+  tags: ["api", "http-methods", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!isApiCandidate(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      ALL_ROUTE_RE.lastIndex = 0;
+      let allMatch;
+      while ((allMatch = ALL_ROUTE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, allMatch.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (/\b(?:allowedMethods|methodNotAllowed|405)\b/i.test(nearby)) continue;
+        findings.push(methodFinding(file, line, "app-router-all"));
+      }
+
+      if (METHOD_EXPORT_RE.test(content) || METHOD_GUARD_RE.test(content)) continue;
+
+      for (const pattern of [NEXT_PAGES_HANDLER_RE, NAMED_HANDLER_RE]) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          findings.push(methodFinding(file, lineFromOffset(content, match.index), "handler-without-method-guard"));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isApiCandidate(file) {
+  return (
+    /\.[cm]?[jt]sx?$/.test(file) &&
+    (isServerOrApiFile(file) ||
+      file.startsWith("routes/") ||
+      file.startsWith("api/") ||
+      file.includes("/controllers/") ||
+      file.includes("/handlers/"))
+  );
+}
+
+function methodFinding(file, line, pattern) {
+  return {
+    message: "This API handler appears to process requests without an explicit HTTP method guard.",
+    file,
+    line,
+    recommendation: "Restrict API routes to the intended HTTP methods and return 405 Method Not Allowed for unsupported methods.",
+    heuristic: true,
+    metadata: { pattern }
+  };
+}

package/src/checks/api/no-schema-validation.js

@@ -0,0 +1,68 @@
+import { isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const REQUEST_INPUT_RE =
+  /\breq\.(?:body|query|params)\b|\brequest\.json\s*\(|\bsearchParams\.get\s*\(|\bnew\s+URL\s*\(\s*(?:req|request)\.url\s*\)\.searchParams\b|\bformData\s*\(|\bctx\.request\.body\b/g;
+const VALIDATION_RE =
+  /\b(?:zod|Joi|joi|yup|valibot|ajv|superstruct|TypeBox|validator|validatedData)\b|\.safeParse\s*\(|\.parse\s*\(\s*(?:req\.body|body|input|payload|data)|\.validate\s*\(\s*(?:req\.body|body|input|payload|data)|\bschema\.(?:validate|parse|safeParse)\b/i;
+const GLOBAL_VALIDATION_RE = /\b(?:app|router|server)\.use\s*\([^)]*(?:validate|validator|schema|zod|joi|yup|ajv|valibot)/i;
+
+export default {
+  id: "api.no-schema-validation",
+  title: "API request input should be schema validated",
+  category: "api",
+  severity: "high",
+  tags: ["api", "validation", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+    const globalValidationSeen = await hasGlobalValidationMiddleware(context);
+    if (globalValidationSeen) return [];
+
+    for (const file of context.textFiles) {
+      if (!isApiFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      if (VALIDATION_RE.test(content)) continue;
+
+      REQUEST_INPUT_RE.lastIndex = 0;
+      const match = REQUEST_INPUT_RE.exec(content);
+      if (!match) continue;
+
+      const line = lineFromOffset(content, match.index);
+      const nearby = await readNearby(context, file, line, 10);
+      if (VALIDATION_RE.test(nearby)) continue;
+
+      findings.push({
+        message: "This API route appears to consume request input without an obvious schema validation step.",
+        file,
+        line,
+        recommendation: "Validate request body, query and params with a schema library such as Zod, Joi, Valibot, AJV or equivalent.",
+        heuristic: true,
+        metadata: { pattern: "request-input-without-schema-validation" }
+      });
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isApiFile(file) {
+  return (
+    /\.[cm]?[jt]sx?$/.test(file) &&
+    (isServerOrApiFile(file) ||
+      file.startsWith("api/") ||
+      file.startsWith("routes/") ||
+      file.startsWith("handlers/") ||
+      file.startsWith("controllers/") ||
+      file.includes("/handlers/") ||
+      file.includes("/controllers/"))
+  );
+}
+
+async function hasGlobalValidationMiddleware(context) {
+  for (const file of context.textFiles) {
+    if (!/\.[cm]?[jt]sx?$/.test(file) || !isServerOrApiFile(file)) continue;
+    const content = await context.readFileSafe(file);
+    if (content && GLOBAL_VALIDATION_RE.test(content)) return true;
+  }
+  return false;
+}

package/src/checks/auth/jwt-secret-weak-or-fallback.js

@@ -0,0 +1,72 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const WEAK_JWT_VALUES = [
+  "secret",
+  "changeme",
+  "change-me",
+  "dev-secret",
+  "development",
+  "password",
+  "123456",
+  "jwt-secret",
+  "supersecret",
+  "test",
+  "local"
+];
+
+const WEAK_VALUE_RE = `(?:${WEAK_JWT_VALUES.map(escapeRegExp).join("|")})`;
+const DIRECT_JWT_RE = new RegExp(`\\bjwt\\.(?:sign|verify)\\s*\\([^\\n;]*?,\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const FALLBACK_RE = new RegExp(`\\bprocess\\.env\\.JWT_SECRET\\s*(?:\\|\\||\\?\\?)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const ASSIGNMENT_RE = new RegExp(`\\bJWT_SECRET\\b\\s*(?:=|:)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+
+export default {
+  id: "auth.jwt-secret-weak-or-fallback",
+  title: "JWT secrets should not use weak hardcoded values or fallbacks",
+  category: "auth",
+  severity: "high",
+  tags: ["auth", "jwt", "secrets", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\bJWT_SECRET\b|\bjwt\.(?:sign|verify)\b/i.test(content)) continue;
+
+      const lines = content.split(/\r?\n/);
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+
+        if (DIRECT_JWT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "direct-hardcoded-jwt-secret", "critical"));
+        } else if (FALLBACK_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "environment-fallback", "high"));
+        } else if (ASSIGNMENT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "weak-jwt-secret-assignment", "high"));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function jwtFinding(file, line, pattern, severity) {
+  return {
+    severity,
+    message: "JWT signing or verification appears to use a weak hardcoded secret or a development fallback.",
+    file,
+    line,
+    recommendation:
+      "Require a strong JWT secret from the environment in production and fail startup if it is missing.",
+    heuristic: true,
+    metadata: {
+      pattern,
+      valueRedacted: true
+    }
+  };
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/auth/missing-csrf-protection.js

@@ -0,0 +1,75 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const COOKIE_AUTH_RE =
+  /\b(?:res\.cookie|cookies\(\)\.set|response\.cookies\.set|setCookie|serialize)\s*\(\s*["'`](?:session|token|auth|jwt)["'`]|cookieSession\s*\(|express-session|\bsession\s*\(|credentials\s*:\s*["'`]include["'`]|withCredentials\s*:\s*true/gi;
+const CSRF_PROTECTION_RE =
+  /\b(?:csrf|csurf|csrfToken|anti-csrf|verifyCsrf|validateCsrf|csrfProtection)\b|double\s+submit|\bsameSite\s*:\s*["'`]?(?:strict|lax)["'`]?\b/gi;
+const STATE_CHANGING_ROUTE_RE =
+  /\b(?:app|router|server)\.(?:post|put|patch|delete)\s*\(|\bmethod\s*:\s*["'`](?:POST|PUT|PATCH|DELETE)["'`]|\breq\.method\s*={0,3}\s*["'`](?:POST|PUT|PATCH|DELETE)["'`]|\bexport\s+async\s+function\s+(?:POST|PUT|PATCH|DELETE)\s*\(/g;
+
+export default {
+  id: "auth.missing-csrf-protection",
+  title: "Cookie-based authentication should include CSRF protection",
+  category: "auth",
+  severity: "high",
+  tags: ["auth", "csrf", "cookies", "heuristic"],
+  run: async (context) => {
+    const cookieMatches = [];
+    const stateChangingRoutes = [];
+    let csrfProtectionSeen = false;
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      CSRF_PROTECTION_RE.lastIndex = 0;
+      if (CSRF_PROTECTION_RE.test(content)) {
+        csrfProtectionSeen = true;
+        break;
+      }
+
+      COOKIE_AUTH_RE.lastIndex = 0;
+      let cookieMatch;
+      while ((cookieMatch = COOKIE_AUTH_RE.exec(content)) !== null) {
+        cookieMatches.push({
+          file,
+          line: lineFromOffset(content, cookieMatch.index),
+          pattern: normalizePattern(cookieMatch[0])
+        });
+        if (cookieMatches.length >= 25) break;
+      }
+
+      STATE_CHANGING_ROUTE_RE.lastIndex = 0;
+      let routeMatch;
+      while ((routeMatch = STATE_CHANGING_ROUTE_RE.exec(content)) !== null) {
+        stateChangingRoutes.push({
+          file,
+          line: lineFromOffset(content, routeMatch.index),
+          pattern: normalizePattern(routeMatch[0])
+        });
+        if (stateChangingRoutes.length >= 25) break;
+      }
+    }
+
+    if (csrfProtectionSeen || cookieMatches.length === 0 || stateChangingRoutes.length === 0) return [];
+
+    const primaryCookie = cookieMatches[0];
+    return stateChangingRoutes.slice(0, 25).map((route) => ({
+      message: "Cookie-based authentication appears to be used without an obvious CSRF protection mechanism.",
+      file: route.file,
+      line: route.line,
+      recommendation: "Use SameSite cookies, CSRF tokens or another explicit CSRF mitigation for state-changing routes.",
+      heuristic: true,
+      metadata: {
+        pattern: "cookie-auth-with-state-changing-route",
+        cookieFile: primaryCookie.file,
+        cookieLine: primaryCookie.line
+      }
+    }));
+  }
+};
+
+function normalizePattern(value) {
+  return String(value || "").replace(/\s+/g, " ").slice(0, 80);
+}

package/src/checks/auth/password-hashing-missing.js

@@ -0,0 +1,56 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const USER_CREATE_TERMS_RE = /\b(register|signup|createUser|users|INSERT\s+INTO\s+users|prisma\.user\.create|db\.user\.create)\b/i;
+const PASSWORD_TERM_RE = /\bpassword\b/i;
+const HASHING_RE = /\b(?:bcrypt|bcryptjs|argon2|scrypt|crypto\.scrypt|pbkdf2|hashPassword|passwordHash|hashedPassword)\b/i;
+
+const RISKY_PASSWORD_STORAGE_RE =
+  /\bpassword\s*:\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|\bpassword\s*=\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|INSERT\s+INTO\s+users\s*\([^)]*password|prisma\.user\.create\s*\(\s*{[\s\S]{0,800}?data\s*:\s*{[\s\S]{0,500}?password\s*:|db\.user\.create\s*\(\s*{[\s\S]{0,800}?password\s*:/gi;
+
+export default {
+  id: "auth.password-hashing-missing",
+  title: "User passwords should be hashed before storage",
+  category: "auth",
+  severity: "critical",
+  tags: ["auth", "passwords", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PASSWORD_TERM_RE.test(content) || !USER_CREATE_TERMS_RE.test(content)) continue;
+
+      RISKY_PASSWORD_STORAGE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_PASSWORD_STORAGE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 10);
+        if (HASHING_RE.test(nearby)) continue;
+
+        findings.push({
+          message:
+            "This code appears to create users or store passwords without an obvious password hashing step.",
+          file,
+          line,
+          recommendation:
+            "Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.",
+          heuristic: true,
+          metadata: {
+            pattern: "password-storage-without-nearby-hashing"
+          }
+        });
+        break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/config/debug-production.js

@@ -0,0 +1,65 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const DEBUG_FLAG_RE =
+  /\b(?:debug|verbose|dev|exposeErrors|stackTrace|showStack)\s*:\s*true\b|\bapp\.set\s*\(\s*["'`]env["'`]\s*,\s*["'`]development["'`]\s*\)|\bNODE_ENV\s*=\s*["'`]development["'`]|\bdevtool\s*:\s*["'`](?:eval|eval-source-map|inline-source-map|cheap-module-source-map)["'`]/gi;
+
+export default {
+  id: "config.debug-production",
+  title: "Production configuration should not enable debug behavior",
+  category: "config",
+  severity: "medium",
+  tags: ["config", "debug", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      if (!isRiskyConfigFile(file)) continue;
+
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      DEBUG_FLAG_RE.lastIndex = 0;
+      let match;
+      while ((match = DEBUG_FLAG_RE.exec(content)) !== null) {
+        const productionLike = isProductionLikeFile(file);
+        findings.push({
+          severity: productionLike ? "high" : "medium",
+          message: "Debug or development flags appear to be enabled in production-like configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.",
+          heuristic: true,
+          metadata: {
+            productionLike,
+            pattern: classifyDebugPattern(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isRiskyConfigFile(file) {
+  return (
+    isProductionLikeFile(file) ||
+    /^next\.config\.[cm]?[jt]s$/.test(file) ||
+    /^vite\.config\.[cm]?[jt]s$/.test(file) ||
+    /^webpack\.config\.[cm]?[jt]s$/.test(file) ||
+    /(^|\/)(server|app)\.[cm]?[jt]s$/.test(file)
+  );
+}
+
+function isProductionLikeFile(file) {
+  return /^config\/production\./.test(file) || /\.production\./.test(file);
+}
+
+function classifyDebugPattern(value) {
+  if (/devtool/i.test(value)) return "unsafe-devtool";
+  if (/NODE_ENV|app\.set/i.test(value)) return "development-environment";
+  if (/stack|showStack|exposeErrors/i.test(value)) return "verbose-errors";
+  return "debug-flag";
+}

package/src/checks/cookies/insecure-session-cookie.js

@@ -0,0 +1,69 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, readNearby } from "../helpers.js";
+
+const COOKIE_CALL_RE =
+  /\b(?:res\.cookie|cookies\(\)\.set|response\.cookies\.set|setCookie|serialize)\s*\(\s*["'`]([^"'`]+)["'`]/g;
+const AUTH_COOKIE_NAME_RE = /\b(session|auth|token|jwt)\b/i;
+
+export default {
+  id: "cookies.insecure-session-cookie",
+  title: "Session cookies should use secure attributes",
+  category: "cookies",
+  severity: "high",
+  tags: ["cookies", "auth", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/cookie|setCookie|serialize/i.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        COOKIE_CALL_RE.lastIndex = 0;
+        let match;
+        while ((match = COOKIE_CALL_RE.exec(lines[index])) !== null) {
+          const cookieName = match[1] || "";
+          const nearby = await readNearby(context, file, index + 1, 6);
+          if (hasSecureCookieAttributes(nearby)) continue;
+
+          findings.push({
+            severity: AUTH_COOKIE_NAME_RE.test(cookieName) ? "high" : "medium",
+            message: "A session or auth cookie appears to be set without secure cookie attributes.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.",
+            heuristic: true,
+            metadata: {
+              cookieName: redactCookieName(cookieName),
+              missingAttributes: missingAttributes(nearby)
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasSecureCookieAttributes(value) {
+  return (
+    /\bhttpOnly\s*:\s*true\b/i.test(value) &&
+    /\bsecure\s*:\s*true\b/i.test(value) &&
+    /\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)
+  );
+}
+
+function missingAttributes(value) {
+  const missing = [];
+  if (!/\bhttpOnly\s*:\s*true\b/i.test(value)) missing.push("httpOnly");
+  if (!/\bsecure\s*:\s*true\b/i.test(value)) missing.push("secure");
+  if (!/\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)) missing.push("sameSite");
+  return missing;
+}
+
+function redactCookieName(cookieName) {
+  return AUTH_COOKIE_NAME_RE.test(cookieName) ? cookieName : "non-auth-cookie";
+}

package/src/checks/electron/remote-content-with-node.js

@@ -0,0 +1,52 @@
+import { hasText, lineFromOffset, readNearby } from "../helpers.js";
+
+const LOAD_REMOTE_RE =
+  /\b(?:mainWindow|win|window|BrowserWindow|\w+)\.loadURL\s*\(\s*(?:["'`]https?:\/\/[^"'`]+["'`]|remoteUrl|process\.env\.\w+|config\.url)\s*\)/g;
+const RISKY_WEB_PREFERENCES_RE =
+  /\b(?:nodeIntegration\s*:\s*true|contextIsolation\s*:\s*false|webSecurity\s*:\s*false|allowRunningInsecureContent\s*:\s*true|experimentalFeatures\s*:\s*true|enableRemoteModule\s*:\s*true|sandbox\s*:\s*false)\b/i;
+
+export default {
+  id: "electron.remote-content-with-node",
+  title: "Electron remote content should not run with privileged renderer settings",
+  category: "electron",
+  severity: "critical",
+  tags: ["electron", "desktop", "xss", "heuristic"],
+  run: async (context) => {
+    if (!(await isElectronProject(context))) return [];
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!/\.[cm]?[jt]s$/.test(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/loadURL\s*\(/.test(content) || !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+      LOAD_REMOTE_RE.lastIndex = 0;
+      let match;
+      while ((match = LOAD_REMOTE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 20);
+        if (!RISKY_WEB_PREFERENCES_RE.test(nearby) && !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+        findings.push({
+          message: "Electron appears to load remote content while enabling risky renderer privileges.",
+          file,
+          line,
+          recommendation:
+            "Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.",
+          heuristic: true,
+          metadata: { pattern: "remote-load-url-with-risky-web-preferences" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isElectronProject(context) {
+  return (
+    context.hasDependency("electron") ||
+    context.hasDevDependency("electron") ||
+    (await hasText(context, /\b(?:from\s+["'`]electron["'`]|require\s*\(\s*["'`]electron["'`]\s*\)|BrowserWindow)\b/g))
+  );
+}