ma-agents 3.2.0 → 3.3.0

package/.roo/skills/git-workflow-skill/scripts/start-feature.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# start-feature.sh - Create a new feature branch in an isolated worktree
+# Usage: start-feature.sh <branch-type> <description>
+# Example: start-feature.sh feature add-oauth-support
+#
+# Creates a git worktree so multiple agents can work in parallel
+# without interfering with each other's working directories.
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+error() { echo -e "${RED}ERROR: $1${NC}" >&2; exit 1; }
+warn() { echo -e "${YELLOW}WARNING: $1${NC}" >&2; }
+success() { echo -e "${GREEN}$1${NC}"; }
+info() { echo -e "${CYAN}$1${NC}"; }
+
+# Validate arguments
+BRANCH_TYPE="$1"
+DESCRIPTION="$2"
+
+if [[ -z "$BRANCH_TYPE" || -z "$DESCRIPTION" ]]; then
+    echo "Usage: $0 <branch-type> <description>"
+    echo "Branch types: feature, bugfix, hotfix, chore"
+    echo "Example: $0 feature add-oauth-support"
+    echo ""
+    echo "Creates an isolated worktree for parallel multi-agent development."
+    exit 1
+fi
+
+# Validate branch type
+case "$BRANCH_TYPE" in
+    feature|bugfix|hotfix|chore) ;;
+    *) error "Invalid branch type '$BRANCH_TYPE'. Use: feature, bugfix, hotfix, chore" ;;
+esac
+
+# Sanitize description (replace spaces with dashes, lowercase)
+DESCRIPTION=$(echo "$DESCRIPTION" | tr '[:upper:]' '[:lower:]' | tr ' ' '-' | tr -cd '[:alnum:]-')
+BRANCH_NAME="${BRANCH_TYPE}/${DESCRIPTION}"
+
+# Check we're in a git repo
+git rev-parse --git-dir > /dev/null 2>&1 || error "Not in a git repository"
+
+# Resolve the main repo root (works from inside a worktree too)
+GIT_COMMON=$(git rev-parse --git-common-dir 2>/dev/null)
+GIT_DIR=$(git rev-parse --git-dir 2>/dev/null)
+
+if [[ "$GIT_COMMON" != "$GIT_DIR" && "$GIT_COMMON" != "." ]]; then
+    # We're inside a worktree — resolve main repo from .git/worktrees/xxx/../../..
+    MAIN_REPO=$(cd "$GIT_COMMON/.." && pwd)
+else
+    MAIN_REPO=$(git rev-parse --show-toplevel)
+fi
+
+WORKTREE_DIR="${MAIN_REPO}/.worktrees/${DESCRIPTION}"
+
+# Fetch latest from remote
+echo "Fetching from remote..."
+git fetch origin
+
+# Verify dev branch exists
+if ! git branch -a | grep -qE '(^|\s)origin/dev$'; then
+    error "Branch 'dev' does not exist on remote. Please create it first."
+fi
+
+# Check if branch already exists
+if git show-ref --verify --quiet "refs/heads/${BRANCH_NAME}" 2>/dev/null || \
+   git show-ref --verify --quiet "refs/remotes/origin/${BRANCH_NAME}" 2>/dev/null; then
+    error "Branch '${BRANCH_NAME}' already exists. Use a different description or clean up the old branch."
+fi
+
+# Check if worktree directory already exists
+if [[ -d "$WORKTREE_DIR" ]]; then
+    error "Worktree directory already exists: ${WORKTREE_DIR}
+  To remove it: git worktree remove ${WORKTREE_DIR}"
+fi
+
+# Ensure .worktrees directory exists and is gitignored
+mkdir -p "${MAIN_REPO}/.worktrees"
+if [[ -f "${MAIN_REPO}/.gitignore" ]]; then
+    if ! grep -q '^\.worktrees' "${MAIN_REPO}/.gitignore" 2>/dev/null; then
+        echo ".worktrees/" >> "${MAIN_REPO}/.gitignore"
+        info "Added .worktrees/ to .gitignore"
+    fi
+else
+    echo ".worktrees/" > "${MAIN_REPO}/.gitignore"
+    info "Created .gitignore with .worktrees/"
+fi
+
+# Create worktree with new branch based on origin/dev
+echo "Creating worktree for '${BRANCH_NAME}'..."
+git worktree add -b "$BRANCH_NAME" "$WORKTREE_DIR" origin/dev
+
+success "Worktree created successfully"
+echo ""
+info "  Branch:    ${BRANCH_NAME}"
+info "  Directory: ${WORKTREE_DIR}"
+echo ""
+echo "Next steps:"
+echo "  1. cd ${WORKTREE_DIR}"
+echo "  2. Make your changes in this isolated directory"
+echo "  3. Commit: git commit -m 'type(scope): description'"
+echo "  4. Finish: run finish-feature.sh from inside the worktree"
+echo ""
+echo "Active worktrees:"
+git worktree list

package/.roo/skills/git-workflow-skill/scripts/validate-workflow.sh

@@ -0,0 +1,229 @@
+#!/bin/bash
+# validate-workflow.sh - Check if current state follows git workflow rules
+# Usage: validate-workflow.sh [--list]
+#
+# Worktree-aware: detects whether you're in a worktree or main repo
+# and validates accordingly.
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+ERRORS=0
+WARNINGS=0
+
+error() { echo -e "${RED}x ERROR: $1${NC}"; ERRORS=$((ERRORS + 1)); }
+warn() { echo -e "${YELLOW}! WARNING: $1${NC}"; WARNINGS=$((WARNINGS + 1)); }
+ok() { echo -e "${GREEN}+ $1${NC}"; }
+info() { echo -e "  $1"; }
+
+# Handle --list flag to show active worktrees
+if [[ "$1" == "--list" ]]; then
+    echo "Active Worktrees"
+    echo "================"
+    git worktree list 2>/dev/null || echo "Not in a git repository"
+    exit 0
+fi
+
+echo "Git Workflow Validation (Worktree-Aware)"
+echo "========================================="
+echo ""
+
+# Check we're in a git repo
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+    error "Not in a git repository"
+    exit 1
+fi
+
+# Detect worktree status
+GIT_COMMON=$(git rev-parse --git-common-dir 2>/dev/null)
+GIT_DIR=$(git rev-parse --git-dir 2>/dev/null)
+CURRENT_DIR=$(git rev-parse --show-toplevel)
+
+IS_WORKTREE=false
+if [[ "$GIT_COMMON" != "$GIT_DIR" && "$GIT_COMMON" != "." ]]; then
+    IS_WORKTREE=true
+    MAIN_REPO=$(cd "$GIT_COMMON/.." && pwd)
+    echo -e "${CYAN}Context: Inside worktree${NC}"
+    info "Worktree: $CURRENT_DIR"
+    info "Main repo: $MAIN_REPO"
+else
+    MAIN_REPO="$CURRENT_DIR"
+    echo -e "${CYAN}Context: Main repository${NC}"
+    info "Repo: $MAIN_REPO"
+fi
+
+# Get current branch
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "Branch: $CURRENT_BRANCH"
+echo ""
+
+# Check 1: Not on protected branch
+echo "Checking branch..."
+if [[ "$CURRENT_BRANCH" == "dev" || "$CURRENT_BRANCH" == "main" || "$CURRENT_BRANCH" == "master" ]]; then
+    if [[ "$IS_WORKTREE" == true ]]; then
+        error "Worktree is on protected branch '$CURRENT_BRANCH'. Worktrees should be on feature branches."
+    else
+        # Main repo on dev is fine — that's the expected state
+        ok "Main repo is on '$CURRENT_BRANCH' (expected)"
+    fi
+else
+    ok "On feature branch '$CURRENT_BRANCH'"
+fi
+
+# Check 2: Branch naming convention (only for feature branches)
+if [[ "$CURRENT_BRANCH" != "dev" && "$CURRENT_BRANCH" != "main" && "$CURRENT_BRANCH" != "master" ]]; then
+    if echo "$CURRENT_BRANCH" | grep -qE '^(feature|bugfix|hotfix|chore)/[a-z0-9-]+$'; then
+        ok "Branch name follows convention"
+    else
+        warn "Branch name '$CURRENT_BRANCH' doesn't follow convention: <type>/<description>"
+        info "Expected: feature|bugfix|hotfix|chore followed by lowercase alphanumeric with dashes"
+    fi
+fi
+
+# Check 3: dev branch exists
+echo ""
+echo "Checking repository setup..."
+git fetch origin 2>/dev/null || warn "Could not fetch from origin"
+
+if git branch -a | grep -qE '(^|\s)origin/dev$'; then
+    ok "Remote 'dev' branch exists"
+else
+    error "Remote 'dev' branch not found. Create it before using this workflow."
+fi
+
+# Check 4: Up to date with dev (for feature branches)
+echo ""
+echo "Checking sync status..."
+if [[ "$CURRENT_BRANCH" != "dev" && "$CURRENT_BRANCH" != "main" && "$CURRENT_BRANCH" != "master" ]]; then
+    if git branch -a | grep -qE '(^|\s)origin/dev$'; then
+        BEHIND=$(git rev-list --count HEAD..origin/dev 2>/dev/null || echo "0")
+        if [[ "$BEHIND" == "0" ]]; then
+            ok "Branch is up to date with dev"
+        else
+            warn "Branch is $BEHIND commit(s) behind dev. Consider rebasing."
+            info "Run: git fetch origin dev && git rebase origin/dev"
+        fi
+    fi
+else
+    ok "On base branch — sync check not needed"
+fi
+
+# Check 5: Uncommitted changes
+echo ""
+echo "Checking working directory..."
+if git diff-index --quiet HEAD -- 2>/dev/null; then
+    ok "No uncommitted changes"
+else
+    warn "Uncommitted changes detected"
+    info "Run: git status"
+fi
+
+# Check 6: Untracked files (that aren't ignored)
+UNTRACKED=$(git ls-files --others --exclude-standard | wc -l)
+if [[ "$UNTRACKED" -gt 0 ]]; then
+    warn "$UNTRACKED untracked file(s) found"
+    info "Run: git status"
+else
+    ok "No untracked files"
+fi
+
+# Check 7: Validate recent commit messages (for feature branches)
+echo ""
+echo "Checking commit messages..."
+if [[ "$CURRENT_BRANCH" != "dev" && "$CURRENT_BRANCH" != "main" && "$CURRENT_BRANCH" != "master" ]]; then
+    COMMITS=$(git rev-list --count origin/dev..HEAD 2>/dev/null || echo "0")
+    if [[ "$COMMITS" -gt 0 ]]; then
+        INVALID=0
+        while IFS= read -r msg; do
+            if ! echo "$msg" | grep -qE '^(feat|fix|chore|docs|refactor|test)(\([^)]+\))?: .+'; then
+                INVALID=$((INVALID + 1))
+            fi
+        done < <(git log origin/dev..HEAD --pretty=format:"%s" 2>/dev/null)
+
+        if [[ "$INVALID" -eq 0 ]]; then
+            ok "All $COMMITS commit(s) follow conventional format"
+        else
+            warn "$INVALID of $COMMITS commit(s) don't follow conventional format"
+            info "Format: <type>(<scope>): <description>"
+            info "Types: feat, fix, chore, docs, refactor, test"
+        fi
+    else
+        info "No commits ahead of dev yet"
+    fi
+else
+    info "On base branch — commit check not needed"
+fi
+
+# Check 8: Git hooks installed
+echo ""
+echo "Checking git hooks..."
+HOOKS_DIR="${GIT_COMMON}/hooks"
+if [[ "$IS_WORKTREE" == true ]]; then
+    # Worktrees share hooks with the main repo
+    HOOKS_DIR="${GIT_COMMON}/hooks"
+fi
+
+if [[ -f "$HOOKS_DIR/pre-commit" && -x "$HOOKS_DIR/pre-commit" ]]; then
+    ok "pre-commit hook installed"
+else
+    warn "pre-commit hook not installed"
+    info "Run: ./scripts/install-hooks.sh"
+fi
+
+if [[ -f "$HOOKS_DIR/commit-msg" && -x "$HOOKS_DIR/commit-msg" ]]; then
+    ok "commit-msg hook installed"
+else
+    warn "commit-msg hook not installed"
+    info "Run: ./scripts/install-hooks.sh"
+fi
+
+# Check 9: Worktree health
+echo ""
+echo "Checking worktrees..."
+WORKTREE_COUNT=$(git worktree list | wc -l)
+ok "$WORKTREE_COUNT worktree(s) registered"
+
+# Check for stale worktrees
+STALE_COUNT=$(git worktree list --porcelain | grep -c "^prunable" 2>/dev/null || echo "0")
+if [[ "$STALE_COUNT" -gt 0 ]]; then
+    warn "$STALE_COUNT stale worktree(s) found"
+    info "Run: git worktree prune"
+else
+    ok "No stale worktrees"
+fi
+
+# Check .worktrees in .gitignore
+if [[ -f "${MAIN_REPO}/.gitignore" ]]; then
+    if grep -q '^\.worktrees' "${MAIN_REPO}/.gitignore" 2>/dev/null; then
+        ok ".worktrees/ is in .gitignore"
+    else
+        warn ".worktrees/ is NOT in .gitignore"
+        info "Add '.worktrees/' to your .gitignore"
+    fi
+fi
+
+# List active worktrees
+echo ""
+echo "Active worktrees:"
+git worktree list | while IFS= read -r line; do
+    echo "  $line"
+done
+
+# Summary
+echo ""
+echo "========================================="
+if [[ $ERRORS -gt 0 ]]; then
+    echo -e "${RED}Validation failed: $ERRORS error(s), $WARNINGS warning(s)${NC}"
+    exit 1
+elif [[ $WARNINGS -gt 0 ]]; then
+    echo -e "${YELLOW}Validation passed with $WARNINGS warning(s)${NC}"
+    exit 0
+else
+    echo -e "${GREEN}Validation passed: All checks OK${NC}"
+    exit 0
+fi

package/.roo/skills/js-ts-dependency-mgmt/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: JS/TS Dependency Management
+description: Standardize package management and security across NPM, Yarn, and PNPM.
+---
+# JS/TS Dependency Management (NPM, Yarn, PNPM)
+
+This skill enforces best practices for managing dependencies in the JS/TS ecosystem, focusing on build stability, supply chain security, and environment hygiene.
+
+## Policies
+
+### 1. Build Stability & Reproducibility
+*   **Rule**: Always use a lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`) and pin versions.
+*   **Action**: 
+    - Use specific versions in `package.json` (prefer `1.2.3` over `^1.2.3` for critical production apps).
+    - NEVER use `*` or `latest`.
+    - Always commit the lockfile to version control.
+
+### 2. Supply Chain Security (OWASP A03:2025)
+*   **Rule**: Mandatory scanning for known vulnerabilities in dependencies.
+*   **Action**: 
+    - Consistently run `npm audit` or `yarn audit`.
+    - Ban insecure registry URLs (use HTTPS only).
+    - Avoid Git-based dependencies (`"pkg": "git+https://..."`) unless from an internal/verified source.
+    - Be cautious of "Typosquatting"—double-check package names before installation.
+
+### 3. Dependency Categorization
+*   **Rule**: Correctly distinguish between runtime and development dependencies.
+*   **Action**: 
+    - **dependencies**: Packages needed for the app to run (e.g., `express`, `react`).
+    - **devDependencies**: Packages needed only for building/testing (e.g., `typescript`, `jest`, `eslint`).
+    - **peerDependencies**: Libraries intended to be used with other specific versions of a host package.
+
+### 4. Registry Hygiene
+*   **Rule**: Standardize configuration via `.npmrc`.
+*   **Action**: 
+    - Define `save-exact=true` if pinning is the default project policy.
+    - Set up scoped registries for private packages correctly.
+
+### 5. Automated Updates
+*   **Rule**: Keep dependencies current while maintaining safety.
+*   **Action**: Use tools like `npm-check-updates` (ncu) to audit updates, but verify them in separate PRs/branches.
+
+## Process Reference
+
+| Tool | Lockfile | Installation | Audit |
+| :--- | :--- | :--- | :--- |
+| **NPM** | `package-lock.json` | `npm install` | `npm audit` |
+| **Yarn** | `yarn.lock` | `yarn install` | `yarn audit` |
+| **PNPM** | `pnpm-lock.yaml` | `pnpm install` | `pnpm audit` |

package/.roo/skills/js-ts-dependency-mgmt/examples/dependency_mgmt.md

@@ -0,0 +1,60 @@
+# JS/TS Dependency Management Examples
+
+### 1. Secure `package.json` Structure
+**Good Pattern:**
+```json
+{
+  "name": "secure-app",
+  "version": "1.0.0",
+  "dependencies": {
+    "axios": "1.6.2",        // Pinned version
+    "express": "4.18.2"      // Pinned version
+  },
+  "devDependencies": {
+    "typescript": "5.3.2",
+    "jest": "29.7.0",
+    "eslint": "8.54.0"
+  }
+}
+```
+
+### 2. Standardized `.npmrc`
+```text
+# Enforce exact version saving by default
+save-exact=true
+
+# Ensure every developer uses the same registry
+registry=https://registry.npmjs.org/
+
+# Forbid scrips for security during install if possible
+# ignore-scripts=true
+```
+
+### 3. Managing Scoped/Private Packages
+If you use a private registry (like Artifactory or GitHub Packages):
+```text
+@my-org:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
+```
+
+### 4. Dependency Auditing Workflow
+**Routine Check:**
+```bash
+# Check for vulnerabilities
+npm audit
+
+# Fix minor issues automatically
+npm audit fix
+
+# Check for outdated packages without installing
+npx npm-check-updates
+```
+
+### 5. Cleaning up Node Modules
+```bash
+# Remove unused dependencies
+npm prune
+
+# Clean install (deletes node_modules and installs from lockfile)
+npm ci
+```

package/.roo/skills/js-ts-security-skill/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: JS/TS Security
+description: Verify security of JavaScript and TypeScript codebases against OWASP Top 10 2025 standards
+---
+
+# JS/TS Security Skill
+
+This skill provides a set of tools and best practices to ensure that JavaScript and TypeScript code (both client-side and server-side) is secure and compliant with the latest security standards, specifically the **OWASP Top 10 2025**.
+
+## When to Use
+- Before committing code to a repository.
+- During a security audit of an existing codebase.
+- When adding new dependencies or updating CI/CD pipelines.
+- When implementing critical features like authentication, authorization, or error handling.
+
+## Security Checks (OWASP 2025 Mapping)
+
+### A01:2025 - Broken Access Control
+- Verification of authorization logic.
+- **SSRF (Server-Side Request Forgery)**: Detecting unvalidated URL fetching in `fetch`, `axios`, `http.get`.
+
+### A02:2025 - Security Misconfiguration
+- Auditing configuration files (`.env`, `docker-compose.yml`).
+- Checking for insecure defaults and exposed debug endpoints.
+
+### A03:2025 - Software Supply Chain Failures
+- **NEW**: Focusing on dependency integrity.
+- Verification of lockfiles (`package-lock.json`, `yarn.lock`).
+- Checking for insecure registry URLs (HTTP).
+
+### A04:2025 - Cryptographic Failures
+- Detecting weak hashing (MD5, SHA1).
+- Checking for insecure randomness (`Math.random()`).
+
+### A05:2025 - Injection
+- Expanded detection for OS commands (`child_process.exec`), SQL injection, and NoSQL injection.
+
+### A06:2025 - Insecure Design
+- Documentation on secure design principles (e.g., Fail Secure, Least Privilege).
+
+### A07:2025 - Authentication Failures
+- Checking for insecure cookies (`httpOnly: false`).
+- Hardcoded credentials and weak session management.
+
+### A08:2025 - Software or Data Integrity Failures
+- Detecting unsafe deserialization (`unserialize`, `JSON.parse` of untrusted input).
+
+### A09:2025 - Logging & Alerting Failures
+- Identifying lack of security logging.
+- Empty catch blocks that swallow security errors.
+
+### A10:2025 - Mishandling of Exceptional Conditions
+- **NEW**: Identifying insecure error handling.
+- Detecting empty `catch` blocks and `console.log(err)` in critical paths.
+
+## Usage
+
+### Run OWASP 2025 Security Scan
+The primary method for automated security verification is the `verify-security.sh` script. This script executes multiple scanning phases (SAST, Audit, Secret Scanning) and maps all findings directly to OWASP 2025 categories.
+
+Run the scan from the project root:
+```bash
+/d/Code/agents/skills/js-ts-security-skill/scripts/verify-security.sh
+```

package/.roo/skills/js-ts-security-skill/scripts/verify-security.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+
+# JS/TS Security Verification Script (OWASP Top 10 2025)
+# This script performs a series of security checks on a JavaScript/TypeScript project.
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+echo -e "${CYAN}====================================================${NC}"
+echo -e "${CYAN}   JS/TS Security Audit - OWASP Top 10 2025         ${NC}"
+echo -e "${CYAN}====================================================${NC}\n"
+
+# A03:2025 - Software Supply Chain Failures
+echo -e "${YELLOW}[1/5] A03:2025 - Software Supply Chain Failures${NC}"
+SUPPLY_CHAIN_ISSUES=0
+if [ ! -f "package-lock.json" ] && [ ! -f "yarn.lock" ] && [ ! -f "pnpm-lock.yaml" ]; then
+    echo -e "${RED}✗ CRITICAL: No lockfile found (package-lock.json, yarn.lock, or pnpm-lock.yaml).${NC}"
+    echo "  Impact: Non-deterministic builds increase supply chain vulnerability."
+    SUPPLY_CHAIN_ISSUES=$((SUPPLY_CHAIN_ISSUES + 1))
+fi
+
+HTTP_REGISTRY=$(grep -r "http://" package.json 2>/dev/null)
+if [ ! -z "$HTTP_REGISTRY" ]; then
+    echo -e "${RED}✗ WARNING: Insecure registry found in package.json (using HTTP instead of HTTPS).${NC}"
+    echo "$HTTP_REGISTRY"
+    SUPPLY_CHAIN_ISSUES=$((SUPPLY_CHAIN_ISSUES + 1))
+fi
+
+if [ $SUPPLY_CHAIN_ISSUES -eq 0 ]; then
+    echo -e "${GREEN}✓ No immediate supply chain issues found.${NC}\n"
+else
+    echo -e "${RED}✗ Total supply chain issues: $SUPPLY_CHAIN_ISSUES${NC}\n"
+fi
+
+# A03:2025 / A06:2021 - Dependency Audit
+echo -e "${YELLOW}[2/5] A03:2025 - Vulnerable Components (Audit)${NC}"
+if [ -f "package-lock.json" ]; then
+    npm audit --audit-level=high
+    AUDIT_EXIT=$?
+elif [ -f "yarn.lock" ]; then
+    yarn audit --level high
+    AUDIT_EXIT=$?
+else
+    echo -e "${YELLOW}  Skipping dependency audit: No lockfile found.${NC}"
+    AUDIT_EXIT=0
+fi
+
+if [ $AUDIT_EXIT -eq 0 ]; then
+    echo -e "${GREEN}✓ No high-severity vulnerabilities in dependencies.${NC}\n"
+else
+    echo -e "${RED}✗ Vulnerabilities found. Run 'npm audit fix'.${NC}\n"
+fi
+
+# A01/A04/A05/A08 - Static Analysis (SAST)
+echo -e "${YELLOW}[3/5] Static Analysis (OWASP A01, A04, A05, A08)${NC}"
+declare -A DANGEROUS_PATTERNS
+DANGEROUS_PATTERNS["A01: SSRF/Access Control"]="fetch\(\`|axios\.get\(\`|http\.get\(\`"
+DANGEROUS_PATTERNS["A05: Injection"]="eval\(|new Function\(|child_process\.exec\(|require\('child_process'\)\.exec"
+DANGEROUS_PATTERNS["A04: Cryptographic Failures"]="crypto\.createHash\('md5'\)|crypto\.createHash\('sha1'\)|Math\.random\(\)"
+DANGEROUS_PATTERNS["A08: Software/Data Integrity"]="unserialize\(|JSON\.parse\("
+DANGEROUS_PATTERNS["A07: Authentication Failures"]="res\.cookie\(.*httpOnly: false|res\.cookie\(.*secure: false"
+
+FOUND_ISSUES=0
+for cat in "A01: SSRF/Access Control" "A05: Injection" "A04: Cryptographic Failures" "A08: Software/Data Integrity" "A07: Authentication Failures"; do
+    pattern=${DANGEROUS_PATTERNS[$cat]}
+    MATCHES=$(grep -rnE "$pattern" --include="*.js" --include="*.ts" --exclude-dir=node_modules . 2>/dev/null)
+    if [ ! -z "$MATCHES" ]; then
+        echo -e "${RED}✗ Found Risk: [$cat]${NC}"
+        echo "$MATCHES" | sed 's/^/  /'
+        FOUND_ISSUES=$((FOUND_ISSUES + 1))
+    fi
+done
+
+if [ $FOUND_ISSUES -eq 0 ]; then
+    echo -e "${GREEN}✓ No dangerous patterns detected via SAST.${NC}\n"
+else
+    echo -e "${RED}✗ Total dangerous patterns: $FOUND_ISSUES${NC}\n"
+fi
+
+# A10:2025 - Mishandling of Exceptional Conditions
+echo -e "${YELLOW}[4/5] A10:2025 - Mishandling of Exceptional Conditions${NC}"
+EMPTY_CATCH=$(grep -rnE "catch\s*\(\w*\)\s*\{\s*\}" --include="*.js" --include="*.ts" --exclude-dir=node_modules . 2>/dev/null)
+FOUND_EXCEPTION_ISSUES=0
+if [ ! -z "$EMPTY_CATCH" ]; then
+    echo -e "${RED}✗ Found Risk: Empty catch blocks (Swallowing exceptions)${NC}"
+    echo "$EMPTY_CATCH" | sed 's/^/  /'
+    FOUND_EXCEPTION_ISSUES=$((FOUND_EXCEPTION_ISSUES + 1))
+fi
+
+if [ $FOUND_EXCEPTION_ISSUES -eq 0 ]; then
+    echo -e "${GREEN}✓ Exception handling patterns appear secure.${NC}\n"
+else
+    echo -e "${RED}✗ Total exception handling issues: $FOUND_EXCEPTION_ISSUES${NC}\n"
+fi
+
+# Secret Detection (A01/A07)
+echo -e "${YELLOW}[5/5] A01/A07 - Hardcoded Secrets Scanning${NC}"
+SECRET_PATTERNS=("AIza[0-9A-Za-z-_]{35}" "sk_live_[0-9a-zA-Z]{24}" "xox[pb]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}" "-----BEGIN RSA PRIVATE KEY-----")
+
+FOUND_SECRETS=0
+for pattern in "${SECRET_PATTERNS[@]}"; do
+    MATCHES=$(grep -rnE "$pattern" --include="*.js" --include="*.ts" --include="*.env" --exclude-dir=node_modules . 2>/dev/null)
+    if [ ! -z "$MATCHES" ]; then
+        echo -e "${RED}✗ Found Risk: Potential secret leakage ($pattern)${NC}"
+        echo "$MATCHES" | sed 's/^/  /'
+        FOUND_SECRETS=$((FOUND_SECRETS + 1))
+    fi
+done
+
+if [ $FOUND_SECRETS -eq 0 ]; then
+    echo -e "${GREEN}✓ No hardcoded secrets detected.${NC}\n"
+else
+    echo -e "${RED}✗ Total secrets found: $FOUND_SECRETS${NC}\n"
+fi
+
+# Summary
+echo -e "${CYAN}----------------------------------------------------${NC}"
+echo -e "${CYAN}   OWASP 2025 Audit Summary                         ${NC}"
+echo -e "${CYAN}----------------------------------------------------${NC}"
+[ $SUPPLY_CHAIN_ISSUES -eq 0 ] && echo -e "A03: Supply Chain        - ${GREEN}PASS${NC}" || echo -e "A03: Supply Chain        - ${RED}FAIL${NC}"
+[ $AUDIT_EXIT -eq 0 ]           && echo -e "A03: Vulnerabilities     - ${GREEN}PASS${NC}" || echo -e "A03: Vulnerabilities     - ${RED}FAIL${NC}"
+[ $FOUND_ISSUES -eq 0 ]        && echo -e "A01/04/05/08: Code Patterns - ${GREEN}PASS${NC}" || echo -e "A01/04/05/08: Code Patterns - ${RED}FAIL${NC}"
+[ $FOUND_EXCEPTION_ISSUES -eq 0 ] && echo -e "A10: Exception Handling  - ${GREEN}PASS${NC}" || echo -e "A10: Exception Handling  - ${RED}FAIL${NC}"
+[ $FOUND_SECRETS -eq 0 ]       && echo -e "A01/A07: Secrets         - ${GREEN}PASS${NC}" || echo -e "A01/A07: Secrets         - ${RED}FAIL${NC}"
+echo -e "${CYAN}----------------------------------------------------${NC}"
+
+if [ $AUDIT_EXIT -eq 0 ] && [ $FOUND_ISSUES -eq 0 ] && [ $FOUND_SECRETS -eq 0 ] && [ $SUPPLY_CHAIN_ISSUES -eq 0 ] && [ $FOUND_EXCEPTION_ISSUES -eq 0 ]; then
+    echo -e "${GREEN}Final Result: SECURE${NC}"
+    exit 0
+else
+    echo -e "${RED}Final Result: VULNERABLE${NC}"
+    exit 1
+fi