laxy-verify 1.2.2 → 1.2.3

package/dist/lighthouse.js

@@ -34,6 +34,8 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runLighthouse = runLighthouse;
+exports.runLighthouseOnUrl = runLighthouseOnUrl;
+exports.runLighthouseOnRoutes = runLighthouseOnRoutes;
 const node_child_process_1 = require("node:child_process");
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
@@ -114,13 +116,13 @@ const [url, reportPath, chromeDir] = process.argv.slice(2);
     // .cjs 확장자로 저장해서 Node가 CommonJS로 실행하도록 함
     fs.writeFileSync(runnerPath, source, "utf-8");
 }
-async function runLighthouse(port, runs) {
+async function runLighthouseCore(fullUrl, runs, label) {
     const baseTmpDir = path.join(process.cwd(), ".laxy-tmp", `lighthouse-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`);
     const reportsDir = path.join(baseTmpDir, "reports");
     const runnerPath = path.join(baseTmpDir, "run-lighthouse.cjs");
     fs.mkdirSync(reportsDir, { recursive: true });
     writeRunnerScript(runnerPath);
-    console.log(`\n  Running Lighthouse (${runs} run${runs > 1 ? "s" : ""})...`);
+    console.log(`\n  Running Lighthouse on ${label} (${runs} run${runs > 1 ? "s" : ""})...`);
     const errors = [];
     const allScores = [];
     for (let runIndex = 0; runIndex < runs; runIndex++) {
@@ -129,7 +131,7 @@ async function runLighthouse(port, runs) {
         const chromeDir = path.join(baseTmpDir, `chrome-${runNumber}`);
         fs.mkdirSync(chromeDir, { recursive: true });
         console.log(`  [lh] Run ${runNumber}/${runs}`);
-        const child = (0, node_child_process_1.spawn)("node", [runnerPath, `http://127.0.0.1:${port}/`, reportPath, chromeDir], {
+        const child = (0, node_child_process_1.spawn)("node", [runnerPath, fullUrl, reportPath, chromeDir], {
             shell: false,
             stdio: ["ignore", "pipe", "pipe"],
             env: {
@@ -196,3 +198,74 @@ async function runLighthouse(port, runs) {
         await removeDirWithRetries(baseTmpDir);
     }
 }
+async function runLighthouse(port, runs, routePath = "/") {
+    const normalizedPath = routePath.startsWith("/") ? routePath : `/${routePath}`;
+    const label = normalizedPath === "/" ? "/" : normalizedPath;
+    return runLighthouseCore(`http://127.0.0.1:${port}${normalizedPath}`, runs, label);
+}
+/** Run Lighthouse against an arbitrary external URL (Pro: compare-env feature). */
+async function runLighthouseOnUrl(fullUrl, runs) {
+    return runLighthouseCore(fullUrl, runs, fullUrl);
+}
+/**
+ * Run Lighthouse on multiple routes and aggregate results.
+ *
+ * Aggregation strategy (weighted average):
+ *   - Root route "/" receives weight 2 (most visible page)
+ *   - All other routes receive weight 1
+ *
+ * Gold eligibility: every route must individually pass all thresholds.
+ * Silver/Bronze eligibility: based on the weighted-average aggregate score.
+ */
+async function runLighthouseOnRoutes(port, runs, routes) {
+    // Deduplicate and ensure "/" comes first
+    const seen = new Set();
+    const ordered = [];
+    for (const r of ["/", ...routes]) {
+        const normalized = r.startsWith("/") ? r : `/${r}`;
+        if (!seen.has(normalized)) {
+            seen.add(normalized);
+            ordered.push(normalized);
+        }
+    }
+    const perRoute = [];
+    for (const route of ordered) {
+        const result = await runLighthouse(port, runs, route);
+        perRoute.push({ route, scores: result.scores, errors: result.errors });
+    }
+    // Weighted average across routes that produced scores
+    const withScores = perRoute.filter((r) => r.scores !== null);
+    let aggregated = null;
+    if (withScores.length > 0) {
+        let totalWeight = 0;
+        let sumPerf = 0;
+        let sumA11y = 0;
+        let sumSeo = 0;
+        let sumBp = 0;
+        for (const r of withScores) {
+            const weight = r.route === "/" ? 2 : 1;
+            totalWeight += weight;
+            sumPerf += r.scores.performance * weight;
+            sumA11y += r.scores.accessibility * weight;
+            sumSeo += r.scores.seo * weight;
+            sumBp += r.scores.bestPractices * weight;
+        }
+        aggregated = {
+            performance: Math.round(sumPerf / totalWeight),
+            accessibility: Math.round(sumA11y / totalWeight),
+            seo: Math.round(sumSeo / totalWeight),
+            bestPractices: Math.round(sumBp / totalWeight),
+        };
+        console.log(`  Lighthouse aggregate (weighted avg): P=${aggregated.performance} A=${aggregated.accessibility} S=${aggregated.seo} BP=${aggregated.bestPractices}`);
+    }
+    return {
+        aggregated,
+        perRoute,
+        allRoutesPass(thresholds) {
+            return withScores.every((r) => r.scores.performance >= thresholds.performance &&
+                r.scores.accessibility >= thresholds.accessibility &&
+                r.scores.seo >= thresholds.seo &&
+                r.scores.bestPractices >= thresholds.bestPractices);
+        },
+    };
+}

package/dist/outdated-check.d.ts

@@ -0,0 +1,17 @@
+export interface OutdatedPackage {
+    name: string;
+    current: string;
+    wanted: string;
+    latest: string;
+    severity: "major" | "minor" | "patch";
+}
+export interface OutdatedCheckResult {
+    passed: boolean;
+    totalChecked: number;
+    outdatedCount: number;
+    majorOutdated: number;
+    packages: OutdatedPackage[];
+    advisory: string;
+    skipped: boolean;
+}
+export declare function runOutdatedCheck(projectDir: string, timeoutMs?: number): Promise<OutdatedCheckResult>;

package/dist/outdated-check.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runOutdatedCheck = runOutdatedCheck;
+/**
+ * Outdated dependency checker.
+ *
+ * Runs `npm outdated --json` and reports packages that are behind
+ * their latest version. Advisory-only — does not block deployment.
+ */
+const node_child_process_1 = require("node:child_process");
+function classifySemverDiff(current, latest) {
+    const parseVer = (v) => {
+        const cleaned = v.replace(/^\^|~|>=?|v/g, "").split(".")[0] ?? "0";
+        return parseInt(cleaned, 10) || 0;
+    };
+    const parseMinor = (v) => {
+        const parts = v.replace(/^\^|~|>=?|v/g, "").split(".");
+        return parseInt(parts[1] ?? "0", 10) || 0;
+    };
+    const curMajor = parseVer(current);
+    const latMajor = parseVer(latest);
+    if (latMajor > curMajor)
+        return "major";
+    const curMinor = parseMinor(current);
+    const latMinor = parseMinor(latest);
+    if (latMinor > curMinor)
+        return "minor";
+    return "patch";
+}
+async function runOutdatedCheck(projectDir, timeoutMs = 30000) {
+    console.log("  Running outdated dependency check...");
+    return new Promise((resolve) => {
+        const chunks = [];
+        const proc = process.platform === "win32"
+            ? (0, node_child_process_1.spawn)(process.env.ComSpec || "cmd.exe", ["/d", "/c", "npm outdated --json"], { stdio: ["ignore", "pipe", "pipe"], cwd: projectDir, shell: false })
+            : (0, node_child_process_1.spawn)("npm", ["outdated", "--json"], {
+                shell: true,
+                stdio: ["ignore", "pipe", "pipe"],
+                cwd: projectDir,
+            });
+        const timer = setTimeout(() => {
+            try {
+                proc.kill();
+            }
+            catch { }
+            resolve({
+                passed: true,
+                totalChecked: 0,
+                outdatedCount: 0,
+                majorOutdated: 0,
+                packages: [],
+                advisory: "Outdated check timed out",
+                skipped: false,
+            });
+        }, timeoutMs);
+        proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
+        proc.stderr?.on("data", () => { });
+        proc.on("exit", (code) => {
+            clearTimeout(timer);
+            const output = chunks.join("");
+            // npm outdated exits with code 1 when outdated packages exist
+            // and code 0 when everything is up to date
+            if (code === 0 || !output.trim()) {
+                console.log("  Outdated: all packages up to date");
+                resolve({
+                    passed: true,
+                    totalChecked: 0,
+                    outdatedCount: 0,
+                    majorOutdated: 0,
+                    packages: [],
+                    advisory: "All packages up to date",
+                    skipped: false,
+                });
+                return;
+            }
+            try {
+                const data = JSON.parse(output);
+                const packages = [];
+                for (const [name, info] of Object.entries(data)) {
+                    if (!info.current || !info.latest)
+                        continue;
+                    const severity = classifySemverDiff(info.current, info.latest);
+                    packages.push({
+                        name,
+                        current: info.current,
+                        wanted: info.wanted ?? info.current,
+                        latest: info.latest,
+                        severity,
+                    });
+                }
+                const majorOutdated = packages.filter((p) => p.severity === "major").length;
+                const outdatedCount = packages.length;
+                const advisory = majorOutdated > 0
+                    ? `${majorOutdated} major version(s) behind latest; ${outdatedCount} total outdated`
+                    : `${outdatedCount} package(s) behind latest (no major)`;
+                console.log(`  Outdated: ${advisory}`);
+                for (const pkg of packages.filter((p) => p.severity === "major").slice(0, 5)) {
+                    console.log(`    ${pkg.name}: ${pkg.current} → ${pkg.latest} (${pkg.severity})`);
+                }
+                resolve({
+                    passed: majorOutdated === 0,
+                    totalChecked: 0,
+                    outdatedCount,
+                    majorOutdated,
+                    packages,
+                    advisory,
+                    skipped: false,
+                });
+            }
+            catch {
+                resolve({
+                    passed: true,
+                    totalChecked: 0,
+                    outdatedCount: 0,
+                    majorOutdated: 0,
+                    packages: [],
+                    advisory: "Could not parse npm outdated output",
+                    skipped: false,
+                });
+            }
+        });
+    });
+}

package/dist/report-markdown.d.ts

@@ -2,6 +2,13 @@ import type { E2EScenarioResult } from "./e2e.js";
 import type { LighthouseScores } from "./grade.js";
 import type { TierVerificationView, VerificationReport } from "./verification-core/index.js";
 import { type VisualDiffResult } from "./visual-diff.js";
+import type { TypecheckResult } from "./typecheck.js";
+import type { SecretScanResult } from "./secret-scan.js";
+import type { BundleSizeResult } from "./bundle-size.js";
+import type { OutdatedCheckResult } from "./outdated-check.js";
+import type { A11yDeepResult } from "./a11y-deep.js";
+import type { SeoDeepResult } from "./seo-deep.js";
+import type { VitalsBudgetResult } from "./vitals-budget.js";
 export interface MarkdownReportResult {
     grade: string;
     timestamp: string;
@@ -20,6 +27,13 @@ export interface MarkdownReportResult {
         runs: number;
     }) | null;
     visualDiff?: VisualDiffResult | null;
+    typecheck?: TypecheckResult | null;
+    secretScan?: SecretScanResult | null;
+    bundleSize?: BundleSizeResult | null;
+    outdatedCheck?: OutdatedCheckResult | null;
+    a11yDeep?: A11yDeepResult | null;
+    seoDeep?: SeoDeepResult | null;
+    vitalsBudget?: VitalsBudgetResult | null;
     thresholds: {
         performance: number;
         accessibility: number;

package/dist/report-markdown.js

@@ -162,6 +162,27 @@ function renderMetrics(result) {
     if (result.visualDiff) {
         lines.push(`| Visual diff | ${(0, visual_diff_js_1.formatVisualDiffSummary)(result.visualDiff)} |`);
     }
+    if (result.typecheck && !result.typecheck.skipped) {
+        lines.push(`| TypeScript | ${result.typecheck.passed ? "OK" : `${result.typecheck.errorCount} error(s)`} |`);
+    }
+    if (result.secretScan && !result.secretScan.skipped) {
+        lines.push(`| Secret scan | ${result.secretScan.passed ? "OK" : `${result.secretScan.findings.length} finding(s)`} (${result.secretScan.filesScanned} files) |`);
+    }
+    if (result.bundleSize && !result.bundleSize.skipped) {
+        lines.push(`| Bundle size | ${result.bundleSize.advisory} |`);
+    }
+    if (result.outdatedCheck && !result.outdatedCheck.skipped) {
+        lines.push(`| Outdated deps | ${result.outdatedCheck.advisory} |`);
+    }
+    if (result.a11yDeep && !result.a11yDeep.skipped) {
+        lines.push(`| A11y deep | ${result.a11yDeep.summary} |`);
+    }
+    if (result.seoDeep && !result.seoDeep.skipped) {
+        lines.push(`| SEO deep | ${result.seoDeep.summary} |`);
+    }
+    if (result.vitalsBudget && !result.vitalsBudget.skipped) {
+        lines.push(`| Vitals budget | ${result.vitalsBudget.summary} |`);
+    }
     lines.push("");
     return `${lines.join("\n")}\n`;
 }

package/dist/route-discovery.d.ts

@@ -0,0 +1,7 @@
+export interface RuntimeRouteDiscoveryResult {
+    routes: string[];
+    scriptUrls: string[];
+}
+export declare function extractScriptUrlsFromHtml(html: string, baseUrl: string): string[];
+export declare function extractRoutesFromText(content: string): string[];
+export declare function discoverRuntimeRoutes(baseUrl: string): Promise<RuntimeRouteDiscoveryResult>;

package/dist/route-discovery.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractScriptUrlsFromHtml = extractScriptUrlsFromHtml;
+exports.extractRoutesFromText = extractRoutesFromText;
+exports.discoverRuntimeRoutes = discoverRuntimeRoutes;
+const SCRIPT_SRC_REGEX = /<script[^>]+src=["']([^"'#?]+(?:\?[^"'#]*)?)["']/gi;
+const HTML_ROUTE_REGEX = /(?:href|data-href)=["'](\/[^"'#? ]*)/gi;
+const ROUTE_SNIPPET_REGEXES = [
+    /(?:path|pathname|href|to|route|router\.push|navigate)\s*[:=(]\s*["'`]((?:\/(?!\/)[^"'`?#]+))["'`]/g,
+    /["'`]((?:\/(?!\/)[a-z0-9][^"'`?#]*))["'`]/gi,
+];
+function normalizeRoute(candidate) {
+    const decoded = candidate
+        .replace(/\\u002F/gi, "/")
+        .replace(/\\\//g, "/")
+        .trim();
+    if (!decoded.startsWith("/"))
+        return null;
+    const normalized = decoded
+        .split("?")[0]
+        ?.split("#")[0]
+        ?.replace(/\/+/g, "/")
+        ?.replace(/\/$/, "") || "/";
+    if (normalized === "/" || normalized.length < 2)
+        return null;
+    if (normalized.startsWith("/_next/") || normalized.startsWith("/api/"))
+        return null;
+    if (/[.*:[\]]/.test(normalized))
+        return null;
+    if (/\.[a-z0-9]{2,8}$/i.test(normalized))
+        return null;
+    if (/\s/.test(normalized))
+        return null;
+    if (!/^\/[a-z0-9/_-]+$/i.test(normalized))
+        return null;
+    return normalized;
+}
+function extractScriptUrlsFromHtml(html, baseUrl) {
+    const urls = [];
+    const seen = new Set();
+    for (const match of html.matchAll(SCRIPT_SRC_REGEX)) {
+        const raw = match[1];
+        if (!raw)
+            continue;
+        try {
+            const scriptUrl = new URL(raw, baseUrl);
+            if (scriptUrl.origin !== new URL(baseUrl).origin)
+                continue;
+            const href = scriptUrl.href;
+            if (!seen.has(href)) {
+                seen.add(href);
+                urls.push(href);
+            }
+        }
+        catch {
+            // Ignore malformed URLs.
+        }
+    }
+    return urls;
+}
+function extractRoutesFromText(content) {
+    const routes = [];
+    const seen = new Set();
+    for (const regex of ROUTE_SNIPPET_REGEXES) {
+        for (const match of content.matchAll(regex)) {
+            const route = normalizeRoute(match[1] ?? "");
+            if (!route || seen.has(route))
+                continue;
+            seen.add(route);
+            routes.push(route);
+        }
+    }
+    return routes;
+}
+async function discoverRuntimeRoutes(baseUrl) {
+    const htmlRes = await fetch(baseUrl, {
+        signal: AbortSignal.timeout(8000),
+        headers: { accept: "text/html,application/xhtml+xml" },
+    });
+    const html = await htmlRes.text();
+    const routes = new Set(extractRoutesFromText(html));
+    for (const match of html.matchAll(HTML_ROUTE_REGEX)) {
+        const route = normalizeRoute(match[1] ?? "");
+        if (route)
+            routes.add(route);
+    }
+    const scriptUrls = extractScriptUrlsFromHtml(html, baseUrl)
+        .filter((url) => /\/_next\/static\/chunks\/|assets\/|static\/|build\//i.test(url))
+        .slice(0, 10);
+    await Promise.all(scriptUrls.map(async (scriptUrl) => {
+        try {
+            const res = await fetch(scriptUrl, { signal: AbortSignal.timeout(5000) });
+            if (!res.ok)
+                return;
+            const content = await res.text();
+            for (const route of extractRoutesFromText(content)) {
+                routes.add(route);
+            }
+        }
+        catch {
+            // Skip chunk fetch failures. This is best-effort coverage expansion.
+        }
+    }));
+    return {
+        routes: Array.from(routes).sort((a, b) => a.localeCompare(b)),
+        scriptUrls,
+    };
+}

package/dist/secret-scan.d.ts

@@ -0,0 +1,15 @@
+export interface SecretScanResult {
+    passed: boolean;
+    findings: SecretFinding[];
+    filesScanned: number;
+    skipped: boolean;
+}
+export interface SecretFinding {
+    file: string;
+    line: number;
+    pattern: string;
+    preview: string;
+}
+export declare function runSecretScan(projectDir: string, options?: {
+    ignorePaths?: string[];
+}): Promise<SecretScanResult>;

package/dist/secret-scan.js

@@ -0,0 +1,218 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSecretScan = runSecretScan;
+/**
+ * Secret/credential leak scanner.
+ *
+ * Scans source files for hardcoded secrets using regex patterns.
+ * Supports ignore paths and custom ignore patterns from .laxy.yml.
+ */
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const DEFAULT_IGNORE_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".next",
+    "dist",
+    "build",
+    ".laxy-tmp",
+    ".laxy-baselines",
+    "coverage",
+    ".cache",
+    "test",
+    "tests",
+    "__tests__",
+    "spec",
+]);
+const SECRET_PATTERNS = [
+    { name: "AWS Access Key", regex: /AKIA[0-9A-Z]{16}/ },
+    { name: "AWS Secret Key", regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"][A-Za-z0-9/+=]{40}['"]/ },
+    { name: "GitHub Token", regex: /ghp_[A-Za-z0-9]{36}/ },
+    { name: "GitHub OAuth", regex: /gho_[A-Za-z0-9]{36}/ },
+    { name: "GitHub App Token", regex: /(?:ghs_|ghu_)[A-Za-z0-9]{36}/ },
+    { name: "Slack Token", regex: /xox[baprs]-[A-Za-z0-9-]{10,}/ },
+    { name: "Slack Webhook", regex: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/ },
+    { name: "Private Key Block", regex: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/ },
+    { name: "Google API Key", regex: /AIza[0-9A-Za-z_-]{35}/ },
+    { name: "Google OAuth Token", regex: /[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com/ },
+    { name: "Stripe Secret Key", regex: /sk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Stripe Publishable Key", regex: /pk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Twilio API Key", regex: /SK[0-9a-fA-F]{32}/ },
+    { name: "SendGrid API Key", regex: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/ },
+    { name: "Mailgun API Key", regex: /key-[0-9a-zA-Z]{32}/ },
+    { name: "Hardcoded Bearer Token", regex: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/ },
+    { name: "JWT-like Secret", regex: /['"]eyJ[A-Za-z0-9\-._~+/]+=*\.[A-Za-z0-9\-._~+/]+=*['"]/ },
+    { name: "Generic Secret Assignment", regex: /(?:secret|password|passwd|token|api_key|apikey|access_key|private_key)\s*[=:]\s*['"][^'"]{8,}['"]/i },
+];
+const ALLOWLIST_PATTERNS = [
+    // Common false positives
+    /process\.env\./,
+    /import\.meta\.env\./,
+    /NEXT_PUBLIC_/,
+    /VITE_/,
+    /REACT_APP_/,
+    /NUXT_ENV_/,
+    /placeholder/i,
+    /example/i,
+    /your[_-]?(?:api|secret|key|token)/i,
+    /xxx+/,
+    /<[^>]+>/,
+    /\$\{\{.*\}\}/, // GitHub Actions / CI template variables
+    /secrets\.[A-Z_]+/, // GitHub Actions secrets references
+    /env\.[A-Z_]+/, // CI env variable references
+    /regex:\s*\//, // Regex pattern definitions in source code
+    /^\s*\/\//, // Single-line comments (// ...)
+    /^\s*\*/, // Block comment lines (* ...)
+    /^\s*<!--/, // HTML comment lines
+];
+function shouldIgnoreLine(line) {
+    return ALLOWLIST_PATTERNS.some((p) => p.test(line));
+}
+/**
+ * Masks potential secret values in a line preview so that
+ * actual credentials are never exposed in JSON output or reports.
+ * Replaces quoted string contents after = or : with ***.
+ */
+function maskSecret(line) {
+    return line
+        // Mask single-quoted values: = '...' or : '...'
+        .replace(/([=:])\s*'([^']{4,})'/g, "$1 '***'")
+        // Mask double-quoted values: = "..." or : "..."
+        .replace(/([=:])\s*"([^"]{4,})"/g, '$1 "***"')
+        // Mask bare tokens after Bearer
+        .replace(/(Bearer\s+)[A-Za-z0-9\-._~+/]+=*/g, "$1***")
+        // Mask AKIA keys
+        .replace(/(AKIA)[0-9A-Z]{16}/g, "$1****************")
+        // Mask ghp_/gho_/ghs_/ghu_ tokens
+        .replace(/(gh[pous]_)[A-Za-z0-9]{36}/g, "$1************************************")
+        // Mask xoxb-/xoxp- etc tokens
+        .replace(/(xox[baprs]-)[A-Za-z0-9-]{10,}/g, "$1**********")
+        // Mask AIza keys
+        .replace(/(AIza)[0-9A-Za-z_-]{35}/g, "$1***********************************")
+        // Mask sk_live_/pk_live_ keys
+        .replace(/(s?k_live_)[0-9a-zA-Z]{24,}/g, "$1************************")
+        // Mask SK hex keys (Twilio)
+        .replace(/(SK)[0-9a-fA-F]{32}/g, "$1********************************")
+        // Mask key- prefix (Mailgun)
+        .replace(/(key-)[0-9a-zA-Z]{32}/g, "$1********************************")
+        // Mask SG. tokens (SendGrid)
+        .replace(/(SG\.)[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, "$1**********************.*******************************************");
+}
+function scanFile(filePath, relativePath, ignorePatterns) {
+    if (ignorePatterns.some((p) => relativePath.includes(p)))
+        return [];
+    const findings = [];
+    let content;
+    try {
+        content = fs.readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return [];
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (shouldIgnoreLine(line))
+            continue;
+        for (const { name, regex } of SECRET_PATTERNS) {
+            if (regex.test(line)) {
+                const preview = maskSecret(line.trim().slice(0, 120));
+                findings.push({
+                    file: relativePath,
+                    line: i + 1,
+                    pattern: name,
+                    preview,
+                });
+                break; // one finding per line max
+            }
+        }
+    }
+    return findings;
+}
+function walkDir(dir, rootDir, ignoreDirs, ignorePatterns) {
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return results;
+    }
+    for (const entry of entries) {
+        if (ignoreDirs.has(entry.name))
+            continue;
+        if (entry.name.startsWith(".") && entry.name !== ".env")
+            continue;
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.relative(rootDir, fullPath).replace(/\\/g, "/");
+        if (ignorePatterns.some((p) => relativePath.includes(p)))
+            continue;
+        if (entry.isDirectory()) {
+            results.push(...walkDir(fullPath, rootDir, ignoreDirs, ignorePatterns));
+        }
+        else if (entry.isFile()) {
+            const ext = path.extname(entry.name).toLowerCase();
+            if ([".ts", ".tsx", ".js", ".jsx", ".vue", ".svelte", ".env", ".json", ".yml", ".yaml", ".toml", ".py", ".rb"].includes(ext) ||
+                entry.name === ".env" || entry.name.startsWith(".env.")) {
+                results.push(fullPath);
+            }
+        }
+    }
+    return results;
+}
+async function runSecretScan(projectDir, options) {
+    const ignorePatterns = options?.ignorePaths ?? [];
+    const ignoreDirs = new Set(DEFAULT_IGNORE_DIRS);
+    console.log("  Running secret scan...");
+    const files = walkDir(projectDir, projectDir, ignoreDirs, ignorePatterns);
+    const allFindings = [];
+    for (const file of files) {
+        const relativePath = path.relative(projectDir, file).replace(/\\/g, "/");
+        const findings = scanFile(file, relativePath, ignorePatterns);
+        allFindings.push(...findings);
+    }
+    const passed = allFindings.length === 0;
+    if (passed) {
+        console.log(`  Secret scan: OK (${files.length} files scanned)`);
+    }
+    else {
+        console.log(`  Secret scan: ${allFindings.length} finding(s) in ${files.length} files`);
+        for (const f of allFindings.slice(0, 5)) {
+            console.error(`    ${f.file}:${f.line} [${f.pattern}]`);
+        }
+    }
+    return { passed, findings: allFindings, filesScanned: files.length, skipped: false };
+}

package/dist/security-audit.d.ts

@@ -5,5 +5,13 @@ export interface SecurityAuditResult {
     moderate: number;
     low: number;
     summary: string;
+    missingHeaders: string[];
+    headerCheckUrl?: string;
+    headerCheckError?: string;
 }
-export declare function runSecurityAudit(cwd: string, timeoutMs?: number): Promise<SecurityAuditResult>;
+export declare function auditSecurityHeaders(url: string): Promise<{
+    missingHeaders: string[];
+    checkedUrl: string;
+    error?: string;
+}>;
+export declare function runSecurityAudit(cwd: string, appUrl?: string, timeoutMs?: number): Promise<SecurityAuditResult>;