periderm-cli 0.1.0

package/dist/scanner/checks.js

@@ -0,0 +1,664 @@
+/**
+ * The deterministic check layer.
+ * Each check is a pure function: (source, file, ast) => Finding[].
+ *
+ * This is intentionally focused on signal-rich, low-false-positive patterns
+ * we can detect via regex + AST without a full type-checker.
+ */
+import traverseDefault from "@babel/traverse";
+// @babel/traverse ships CJS; pick the default export defensively.
+const traverse = traverseDefault.default
+    ?? traverseDefault;
+const lineOf = (source, idx) => source.slice(0, idx).split("\n").length;
+function stripStrings(source) {
+    return source.replace(/`[^`]*`|"[^"\n]*"|'[^'\n]*'/g, "''");
+}
+/** Match a pattern in code/comments only — skips string literals and JSX text. */
+function matchInCode(source, pattern) {
+    const stripped = stripStrings(source);
+    const probe = new RegExp(pattern.source, pattern.flags);
+    if (!probe.test(stripped))
+        return null;
+    const re = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
+    let m;
+    while ((m = re.exec(source))) {
+        const strippedBefore = stripStrings(source.slice(0, m.index)).length;
+        if (stripped.slice(strippedBefore, strippedBefore + m[0].length) === m[0])
+            return m;
+    }
+    return null;
+}
+// ───────────────────────────────────────────────────────────────────────
+// 1. Silent catch — try/catch with empty body or console-only body
+// ───────────────────────────────────────────────────────────────────────
+const silentCatch = (source, file, ast) => {
+    const out = [];
+    if (!ast)
+        return out;
+    traverse(ast, {
+        CatchClause(p) {
+            const body = p.node.body.body;
+            const catchSrc = source.slice(p.node.start ?? 0, p.node.end ?? 0);
+            if (/periderm-ignore/.test(catchSrc))
+                return;
+            if (body.length === 0) {
+                out.push(mkFinding({
+                    id: "silent-catch",
+                    category: "Runtime Stability",
+                    severity: "high",
+                    file, line: p.node.loc?.start.line ?? 1,
+                    message: "Empty catch block swallows errors.",
+                    why: "When this fails, you and your users will have no idea. Bugs become invisible, support tickets get vague.",
+                    fix: "Log the error with context, surface a user-facing error state, or report to your error tracker.",
+                    aiPrompt: `In ${file} near line ${p.node.loc?.start.line ?? 1}, an empty catch block silently swallows errors. Replace it with: (1) a console.error including the operation that failed, and (2) propagate or surface a user-visible error state if this runs in a UI path.`,
+                }));
+                return;
+            }
+            const onlyConsole = body.every((stmt) => {
+                if (stmt.type !== "ExpressionStatement")
+                    return false;
+                const e = stmt.expression;
+                return e.type === "CallExpression"
+                    && e.callee.type === "MemberExpression"
+                    && e.callee.object.type === "Identifier"
+                    && e.callee.object.name === "console";
+            });
+            if (onlyConsole) {
+                out.push(mkFinding({
+                    id: "silent-catch-console",
+                    category: "Runtime Stability",
+                    severity: "medium",
+                    file, line: p.node.loc?.start.line ?? 1,
+                    message: "Catch block only logs — no recovery, no user feedback.",
+                    why: "Logging is not handling. Your users will still see a broken UI or stuck spinner.",
+                    fix: "Set an error state, retry, or render a fallback. console.error is for you; users need a visible signal.",
+                    aiPrompt: `In ${file} near line ${p.node.loc?.start.line ?? 1}, the catch block only console.errors. Add proper handling: set an error state, show a toast or inline error message, and offer the user a retry path.`,
+                }));
+            }
+        },
+    });
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 2. Env leak — process.env.SECRET / KEY / TOKEN used in a non-server file
+// ───────────────────────────────────────────────────────────────────────
+const envLeak = (source, file) => {
+    const out = [];
+    const isServer = /\.server\.|\/api\/|\.functions\.|server-fn|createServerFn/.test(file + source);
+    if (isServer)
+        return out;
+    const re = /process\.env\.([A-Z_][A-Z0-9_]*)/g;
+    let m;
+    while ((m = re.exec(source))) {
+        const name = m[1];
+        if (/^(NODE_ENV|VITE_)/.test(name))
+            continue;
+        if (/(SECRET|KEY|TOKEN|PASSWORD|PRIVATE)/.test(name)) {
+            out.push(mkFinding({
+                id: "env-leak",
+                category: "Security",
+                severity: "critical",
+                file, line: lineOf(source, m.index),
+                message: `Secret-shaped env var \`${name}\` accessed in a non-server file.`,
+                why: "If this file ships to the client, the secret leaks. Bundlers inline process.env at build time.",
+                fix: "Move the read into a server function / server route, or rename + expose only via VITE_ if it's truly public.",
+                aiPrompt: `In ${file}, process.env.${name} is read in client-reachable code. Move this read into a server function (createServerFn handler) or a server route handler, and have the client call that function instead of reading the env directly.`,
+            }));
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 3. ts-ignore / @ts-nocheck in critical paths
+// ───────────────────────────────────────────────────────────────────────
+const tsIgnore = (source, file) => {
+    const out = [];
+    const re = /(\/\/\s*@ts-ignore|\/\/\s*@ts-nocheck|\/\/\s*@ts-expect-error)/g;
+    let m;
+    while ((m = re.exec(source))) {
+        out.push(mkFinding({
+            id: "ts-ignore",
+            category: "Data Integrity",
+            severity: "medium",
+            file, line: lineOf(source, m.index),
+            message: `\`${m[1].trim()}\` suppresses a real type error.`,
+            why: "Suppressed type errors are bug seeds. They almost always become runtime errors under unexpected input.",
+            fix: "Fix the type, narrow the value, or accept it explicitly with a typed assertion that documents why.",
+            aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, remove the \`${m[1].trim()}\` and fix the underlying type error properly — either narrow the value, add a runtime guard, or refactor the API surface.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 4. <img> without alt
+// ───────────────────────────────────────────────────────────────────────
+const imgAlt = (source, file, ast) => {
+    const out = [];
+    if (!ast || !/\.(tsx|jsx)$/.test(file))
+        return out;
+    traverse(ast, {
+        JSXOpeningElement(p) {
+            const n = p.node.name;
+            if (n.type !== "JSXIdentifier" || n.name !== "img")
+                return;
+            const hasAlt = p.node.attributes.some((a) => a.type === "JSXAttribute" && a.name.type === "JSXIdentifier" && a.name.name === "alt");
+            if (!hasAlt) {
+                out.push(mkFinding({
+                    id: "img-alt",
+                    category: "Accessibility",
+                    severity: "medium",
+                    file, line: p.node.loc?.start.line ?? 1,
+                    message: "<img> is missing an `alt` attribute.",
+                    why: "Screen readers can't describe it, and if the image fails to load there's no fallback text.",
+                    fix: "Add a descriptive `alt`. Use `alt=\"\"` only for purely decorative images.",
+                    aiPrompt: `In ${file} near line ${p.node.loc?.start.line ?? 1}, add a descriptive alt attribute to the <img> element. If decorative, use alt="".`,
+                }));
+            }
+        },
+    });
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 5. <a href="#..."> or onClick on div — keyboard a11y
+// ───────────────────────────────────────────────────────────────────────
+const clickableDiv = (source, file, ast) => {
+    const out = [];
+    if (!ast || !/\.(tsx|jsx)$/.test(file))
+        return out;
+    traverse(ast, {
+        JSXOpeningElement(p) {
+            const n = p.node.name;
+            if (n.type !== "JSXIdentifier")
+                return;
+            if (n.name !== "div" && n.name !== "span")
+                return;
+            const hasOnClick = p.node.attributes.some((a) => a.type === "JSXAttribute" && a.name.type === "JSXIdentifier" && a.name.name === "onClick");
+            const hasRole = p.node.attributes.some((a) => a.type === "JSXAttribute" && a.name.type === "JSXIdentifier" && a.name.name === "role");
+            if (hasOnClick && !hasRole) {
+                out.push(mkFinding({
+                    id: "clickable-div",
+                    category: "Accessibility",
+                    severity: "medium",
+                    file, line: p.node.loc?.start.line ?? 1,
+                    message: `<${n.name}> has onClick but no role/keyboard handler.`,
+                    why: "Keyboard users can't activate it. Screen readers won't announce it as interactive.",
+                    fix: "Use a <button>, or add role=\"button\", tabIndex={0} and an onKeyDown that fires on Enter/Space.",
+                    aiPrompt: `In ${file} near line ${p.node.loc?.start.line ?? 1}, replace this clickable <${n.name}> with a <button>, or add role="button", tabIndex={0}, and an onKeyDown handler that triggers on Enter and Space.`,
+                }));
+            }
+        },
+    });
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 6. fetch / await inside .map — N+1 / cost risk
+// ───────────────────────────────────────────────────────────────────────
+const nPlusOne = (source, file) => {
+    const out = [];
+    const re = /\.map\s*\(\s*(?:async\s*)?\(?[^)]*\)?\s*=>\s*\{[\s\S]{0,400}?(await\s+fetch|await\s+supabase|await\s+openai)/g;
+    let m;
+    while ((m = re.exec(source))) {
+        out.push(mkFinding({
+            id: "n-plus-one",
+            category: "Runaway Cloud Costs",
+            severity: "high",
+            file, line: lineOf(source, m.index),
+            message: "Awaited network call inside .map() — N+1 pattern.",
+            why: "One user action = N sequential round trips. Slow for users, expensive on serverless / paid APIs.",
+            fix: "Batch the request, use Promise.all on a mapped array of promises, or move the loop into a single SQL/API query.",
+            aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, an awaited network call sits inside a .map(). Refactor to either (a) Promise.all over .map(item => fetchSomething(item)) so calls run in parallel, or (b) replace with a single batched request that takes the array of ids.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 7. Recursive function call with no obvious guard — runaway risk
+// ───────────────────────────────────────────────────────────────────────
+const recursiveRunaway = (source, file, ast) => {
+    const out = [];
+    if (!ast)
+        return out;
+    traverse(ast, {
+        FunctionDeclaration(p) {
+            const name = p.node.id?.name;
+            if (!name)
+                return;
+            const bodySrc = source.slice(p.node.body.start ?? 0, p.node.body.end ?? 0);
+            const calls = new RegExp(`\\b${name}\\s*\\(`, "g");
+            if (!calls.test(bodySrc))
+                return;
+            const hasGuard = /\bif\s*\(|return\s|throw\s/.test(bodySrc);
+            if (!hasGuard) {
+                out.push(mkFinding({
+                    id: "recursive-runaway",
+                    category: "Runaway Cloud Costs",
+                    severity: "critical",
+                    file, line: p.node.loc?.start.line ?? 1,
+                    message: `Function \`${name}\` calls itself with no visible termination guard.`,
+                    why: "On serverless this can bill you for a weekend. Locally it crashes with a stack overflow on first run.",
+                    fix: "Add a base case (if/return) and a hard recursion-depth limit. Consider rewriting as a loop.",
+                    aiPrompt: `In ${file}, function \`${name}\` recurses without a clear base case. Add: (1) an explicit base-case if/return, (2) a depth parameter that throws when exceeded, and (3) a unit test for the base case.`,
+                }));
+            }
+        },
+    });
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 8. innerHTML / dangerouslySetInnerHTML with non-literal value
+// ───────────────────────────────────────────────────────────────────────
+const dangerousHtml = (source, file) => {
+    const out = [];
+    const re = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:\s*([^}]+)\}/g;
+    let m;
+    while ((m = re.exec(source))) {
+        const expr = m[1].trim();
+        const isLiteral = /^["'`]/.test(expr);
+        const hasSanitize = /DOMPurify\.sanitize/.test(source);
+        if (!isLiteral && !hasSanitize) {
+            out.push(mkFinding({
+                id: "dangerous-html",
+                category: "Security",
+                severity: "high",
+                file, line: lineOf(source, m.index),
+                message: "dangerouslySetInnerHTML with a non-literal value (XSS risk).",
+                why: "If any part of that value came from a user or an API, you have an XSS vector.",
+                fix: "Sanitize with DOMPurify before injecting, or render through React text/markdown components.",
+                aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, dangerouslySetInnerHTML receives a dynamic value. Either render the content through a safe markdown component, or sanitize the input with DOMPurify before passing __html.`,
+            }));
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 9. <a href> referencing a route that does not exist (cheap heuristic)
+// ───────────────────────────────────────────────────────────────────────
+const deadLink = (source, file) => {
+    const out = [];
+    // We only flag obvious placeholder/dead patterns we can identify w/o full graph.
+    const re = /href\s*=\s*["'](\/(?:privacy|terms|cookies|about|contact|pricing|docs)(?:\/[a-z0-9\-]*)?)["']/gi;
+    if (!/\.(tsx|jsx|html)$/.test(file))
+        return out;
+    let m;
+    while ((m = re.exec(source))) {
+        // Note: full route-graph dead-link detection lives in the cross-file pass.
+        // This per-file pass only flags raw <a href> when a Link/router import is in scope,
+        // because <a> bypasses the type-safe router and is the more common dead-link source.
+        if (!/from\s+["']@tanstack\/react-router["']/.test(source))
+            continue;
+        out.push(mkFinding({
+            id: "raw-anchor-route",
+            category: "Routing & Navigation",
+            severity: "medium",
+            file, line: lineOf(source, m.index),
+            message: `Raw <a href="${m[1]}"> in a router-aware file — bypasses type-safe routing.`,
+            why: "If the route is renamed or removed, the type checker won't flag the broken link. Users hit a dead end.",
+            fix: `Use <Link to="${m[1]}"> from @tanstack/react-router so the route is type-checked.`,
+            aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, replace the raw <a href="${m[1]}"> with TanStack Router's <Link to="${m[1]}"> so the route is type-checked at build time.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 10. setInterval / setTimeout in useEffect with no cleanup
+// ───────────────────────────────────────────────────────────────────────
+const missingCleanup = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx|ts|js)$/.test(file))
+        return out;
+    const re = /useEffect\s*\(\s*\(\s*\)\s*=>\s*\{([\s\S]*?)\}\s*,\s*\[/g;
+    let m;
+    while ((m = re.exec(source))) {
+        const body = m[1];
+        const usesTimer = /\b(setInterval|addEventListener|subscribe)\s*\(/.test(body);
+        const hasCleanup = /return\s*\(?\s*\(?\s*\)?\s*=>/.test(body) || /return\s+function/.test(body);
+        if (usesTimer && !hasCleanup) {
+            out.push(mkFinding({
+                id: "missing-cleanup",
+                category: "Runtime Stability",
+                severity: "high",
+                file, line: lineOf(source, m.index),
+                message: "useEffect sets up an interval/listener/subscription but returns no cleanup.",
+                why: "On every re-render or unmount you leak a timer or listener. The page slows, costs climb, and weird bugs appear.",
+                fix: "Return a cleanup function from the effect that clears the interval / removes the listener / unsubscribes.",
+                aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, the useEffect creates a long-lived resource (interval, listener, or subscription) but returns no cleanup. Add a return () => { ... } that tears it down on unmount.`,
+            }));
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 11. Hardcoded API keys / secrets
+// ───────────────────────────────────────────────────────────────────────
+const hardcodedSecret = (source, file) => {
+    const out = [];
+    if (/\.(md|json|lock|env\.example)$/.test(file))
+        return out;
+    const patterns = [
+        [/sk_(live|test)_[A-Za-z0-9]{20,}/g, "Stripe secret key"],
+        [/sk-[A-Za-z0-9]{20,}/g, "OpenAI-style API key"],
+        [/AKIA[0-9A-Z]{16}/g, "AWS access key id"],
+        [/AIza[0-9A-Za-z_\-]{30,}/g, "Google API key"],
+        [/gsk_[A-Za-z0-9]{40,}/g, "Groq API key"],
+        [/eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}/g, "JWT / Supabase service-role-shaped token"],
+    ];
+    for (const [re, label] of patterns) {
+        let m;
+        while ((m = re.exec(source))) {
+            out.push(mkFinding({
+                id: "hardcoded-secret",
+                category: "Security",
+                severity: "critical",
+                file, line: lineOf(source, m.index),
+                message: `Hardcoded ${label} detected in source.`,
+                why: "Anyone who reads the repo (or the built JS bundle) gets your key. Rotate it immediately.",
+                fix: "Move the value into a server-only secret (Lovable Cloud / process.env), rotate the leaked key, and read it inside a server function.",
+                aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, a ${label} is hardcoded. Replace the literal with process.env.<NAME> inside a server function, add the secret to the server env, and rotate the leaked key with the provider.`,
+            }));
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 12. console.log left in production code
+// ───────────────────────────────────────────────────────────────────────
+const consoleLog = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx|ts|js)$/.test(file))
+        return out;
+    if (/\.test\.|\.spec\.|\/scripts\//.test(file))
+        return out;
+    const matches = source.match(/console\.log\s*\(/g);
+    if (matches && matches.length >= 1) {
+        const idx = source.indexOf("console.log");
+        out.push(mkFinding({
+            id: "console-log-prod",
+            category: "Observability",
+            severity: "low",
+            file, line: lineOf(source, idx),
+            message: `console.log left in source (${matches.length} occurrence${matches.length === 1 ? "" : "s"}).`,
+            why: "Production logs are noisy at best and leak data at worst (tokens, user emails, internal IDs).",
+            fix: "Remove debug logs, or route through a logger you can disable in production.",
+            aiPrompt: `In ${file}, remove all console.log statements (or replace with a debug-only logger). Keep console.error / console.warn for genuine failure paths.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 13. TODO / FIXME left in code
+// ───────────────────────────────────────────────────────────────────────
+const todoLeftover = (source, file) => {
+    const out = [];
+    const re = /\/\/\s*(TODO|FIXME|XXX|HACK)\b/g;
+    let m;
+    let count = 0;
+    let firstIdx = -1;
+    while ((m = re.exec(source))) {
+        count++;
+        if (firstIdx < 0)
+            firstIdx = m.index;
+    }
+    if (count > 0) {
+        out.push(mkFinding({
+            id: "todo-leftover",
+            category: "Polish & Embarrassment Risks",
+            severity: "low",
+            file, line: lineOf(source, firstIdx),
+            message: `${count} TODO/FIXME comment${count === 1 ? "" : "s"} left in source.`,
+            why: "Leftover TODOs are unspoken known-issues. They become bug reports the day after launch.",
+            fix: "Resolve, file as a tracked issue, or delete.",
+            aiPrompt: `In ${file}, list every TODO/FIXME comment with surrounding context and propose either a concrete fix or a one-line issue title that could be filed.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 14. Placeholder content (Lorem ipsum, "coming soon")
+// ───────────────────────────────────────────────────────────────────────
+const placeholderContent = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx|md|html)$/.test(file))
+        return out;
+    const re = /(lorem\s+ipsum|coming\s+soon|under\s+construction|placeholder\s+text)/i;
+    const m = matchInCode(source, re);
+    if (m) {
+        out.push(mkFinding({
+            id: "placeholder-content",
+            category: "Polish & Embarrassment Risks",
+            severity: "medium",
+            file, line: lineOf(source, m.index),
+            message: `Placeholder content detected: "${m[1]}".`,
+            why: "Visible placeholder content is the #1 sign of an unfinished app. Users notice instantly.",
+            fix: "Replace with real copy, or remove the section until it's ready.",
+            aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, replace the placeholder text "${m[1]}" with concrete copy that matches the surrounding section's purpose.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 15. fetch call without .catch / try/catch nearby
+// ───────────────────────────────────────────────────────────────────────
+const unhandledFetch = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx|ts|js)$/.test(file))
+        return out;
+    const re = /\bfetch\s*\(/g;
+    let m;
+    while ((m = re.exec(source))) {
+        // Look 200 chars in either direction for .catch or try
+        const window = source.slice(Math.max(0, m.index - 80), m.index + 400);
+        const handled = /\.catch\s*\(|try\s*\{[\s\S]*?await\s+[\s\S]{0,40}fetch/.test(window)
+            || /try\s*\{/.test(source.slice(Math.max(0, m.index - 200), m.index));
+        if (!handled) {
+            out.push(mkFinding({
+                id: "unhandled-fetch",
+                category: "Runtime Stability",
+                severity: "high",
+                file, line: lineOf(source, m.index),
+                message: "fetch call has no visible .catch or try/catch.",
+                why: "Network requests fail. Without a catch, the UI silently breaks and the user has no idea why.",
+                fix: "Wrap in try/catch (for await) or chain .catch — set an error state and surface a retry path.",
+                aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, wrap the fetch call in try/catch (or chain .catch), set an error UI state on failure, and offer the user a retry button.`,
+            }));
+            return out; // one per file is enough signal
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 16. dangerouslySetInnerHTML already covered above. Add: optional-chain on user obj
+// ───────────────────────────────────────────────────────────────────────
+const unsafeUserAccess = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx|ts)$/.test(file))
+        return out;
+    const re = /\b(user|profile|currentUser|me)\.(avatar|photo|image|name|email|phone|bio)\.(url|src|href|toLowerCase|toUpperCase|length)\b/g;
+    const m = matchInCode(source, re);
+    if (m) {
+        out.push(mkFinding({
+            id: "unsafe-user-access",
+            category: "Reality & Resilience",
+            severity: "high",
+            file, line: lineOf(source, m.index),
+            message: `\`${m[0]}\` assumes nested user data exists.`,
+            why: "Real users often have missing avatars, names, or phones. This crashes the UI with 'Cannot read properties of undefined'.",
+            fix: "Use optional chaining (`?.`) and provide a fallback. Render a default avatar / placeholder string when data is missing.",
+            aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, the expression \`${m[0]}\` assumes nested user data exists. Add optional chaining and a sensible fallback (default avatar URL, empty string, or placeholder component).`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 17. Source Maps Enabled in Production
+// ───────────────────────────────────────────────────────────────────────
+const sourceMaps = (source, file) => {
+    const out = [];
+    if (!/(vite|next|webpack)\.config\.(ts|js)$/.test(file))
+        return out;
+    if (/sourcemap:\s*true/.test(source) && !/process\.env\.NODE_ENV\s*===\s*['"]development['"]/.test(source)) {
+        out.push(mkFinding({
+            id: "exposed-sourcemaps",
+            category: "Security",
+            severity: "medium",
+            file, line: 1,
+            message: "Source maps enabled in production.",
+            why: "Source maps expose your original, unminified source code to everyone.",
+            fix: "Set sourcemap to false in production, or restrict access to source maps.",
+            aiPrompt: `In ${file}, disable sourcemaps for production builds.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 18. Unauthenticated Admin Dashboard
+// ───────────────────────────────────────────────────────────────────────
+const unauthAdmin = (source, file) => {
+    const out = [];
+    if (!/\badmin\b/i.test(file))
+        return out;
+    if (!/\.(tsx|jsx|ts)$/.test(file))
+        return out;
+    // Routes inside _authenticated/ are protected by the parent layout's beforeLoad.
+    if (/_authenticated[/\\]/.test(file))
+        return out;
+    const isRoute = /export const Route =|createFileRoute/i.test(source) || /export default function /i.test(source);
+    const hasAuth = /useAuth|getUser|requireAuth|protected|middleware/i.test(source);
+    if (isRoute && !hasAuth && !/components?\/|lib\//.test(file)) {
+        out.push(mkFinding({
+            id: "unauth-admin",
+            category: "Security",
+            severity: "critical",
+            file, line: 1,
+            message: "Admin page missing authentication check.",
+            why: "Anyone who guesses the URL can access your admin dashboard.",
+            fix: "Add an authentication check (e.g. getUser()) and redirect unauthenticated users.",
+            aiPrompt: `In ${file}, this admin route appears to be missing an authentication check. Add a check to ensure the user is logged in and has an admin role before rendering.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 19. Missing Rate Limit on Paid APIs
+// ───────────────────────────────────────────────────────────────────────
+const missingRateLimit = (source, file) => {
+    const out = [];
+    if (!/\/api\/|\.server\./.test(file))
+        return out;
+    const isRoute = /export const (POST|GET|PUT|DELETE|Route) =|createServerFn/i.test(source);
+    const touchesPaidApi = /openai|anthropic|stripe|sendgrid|resend/i.test(source);
+    const hasRateLimit = /ratelimit|throttle|upstash/i.test(source);
+    if (isRoute && touchesPaidApi && !hasRateLimit) {
+        out.push(mkFinding({
+            id: "missing-rate-limit",
+            category: "Runaway Cloud Costs",
+            severity: "high",
+            file, line: 1,
+            message: "API endpoint touching paid service lacks rate limiting.",
+            why: "A malicious user (or buggy script) can drain your API credits or run up thousands of dollars in charges.",
+            fix: "Add a rate limiter (e.g., Upstash Redis) to restrict requests per IP or user.",
+            aiPrompt: `In ${file}, this API endpoint calls a paid external service but has no rate limiting. Implement a rate limiter to prevent abuse.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 20. IDOR Data Fetch
+// ───────────────────────────────────────────────────────────────────────
+const idorDataFetch = (source, file) => {
+    const out = [];
+    if (!/\/api\/|\.server\./.test(file))
+        return out;
+    const re = /\.from\(['"][^'"]+['"]\)\s*\.select\(['"][^'"]*['"]\)\s*\.eq\(['"]id['"]\s*,\s*[^)]+\)/g;
+    let m;
+    while ((m = re.exec(source))) {
+        const window = source.slice(Math.max(0, m.index - 50), m.index + 200);
+        if (!window.includes(".eq('user_id'") && !window.includes('.eq("user_id"')) {
+            out.push(mkFinding({
+                id: "idor-data-fetch",
+                category: "Security",
+                severity: "critical",
+                file, line: lineOf(source, m.index),
+                message: "Fetching record by ID without checking user ownership.",
+                why: "Taking a user URL into another PC or browser gives access to that user's data (IDOR).",
+                fix: "Chain \`.eq('user_id', auth.uid)\` to the query so users can only access their own records.",
+                aiPrompt: `In ${file} near line ${lineOf(source, m.index)}, a database query fetches a record by ID but does not check if the current user owns it. Add an .eq("user_id", currentUserId) clause.`,
+            }));
+        }
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// 21. Dead End Page (No Navigation/Layout)
+// ───────────────────────────────────────────────────────────────────────
+const deadEndPage = (source, file) => {
+    const out = [];
+    if (!/\.(tsx|jsx)$/.test(file))
+        return out;
+    if (!/src\/routes\//.test(file))
+        return out; // Only check route pages
+    if (/__root|_layout|\.server/.test(file))
+        return out; // Ignore layouts
+    const isRoute = /createFileRoute|export default function/i.test(source);
+    if (!isRoute)
+        return out;
+    // _authenticated/ children inherit DashShell from the parent route layout.
+    if (/_authenticated[/\\]/.test(file))
+        return out;
+    const hasLayout = /DashShell|Layout|Navbar|Sidebar|Header|Footer/.test(source);
+    const hasLink = /<Link|useRouter\(\)\.history\.back|useNavigate/i.test(source);
+    const hasOutlet = /<Outlet/.test(source);
+    if (!hasLayout && !hasLink && !hasOutlet) {
+        out.push(mkFinding({
+            id: "dead-end-page",
+            category: "Routing & Navigation",
+            severity: "high",
+            file, line: 1,
+            message: "Page appears to be a dead end with no layout or navigation links.",
+            why: "If a user lands on this page, they cannot navigate away without using the browser's back button. This traps users.",
+            fix: "Wrap the page content in your application's layout component (e.g., <DashShell>) or add a <Link> back to the previous page.",
+            aiPrompt: `In ${file}, this route lacks a layout wrapper or any navigation links. Wrap the component in the standard layout (e.g., <DashShell>) so the user isn't trapped.`,
+        }));
+    }
+    return out;
+};
+// ───────────────────────────────────────────────────────────────────────
+// Registry
+// ───────────────────────────────────────────────────────────────────────
+const CHECKS = [
+    silentCatch,
+    envLeak,
+    tsIgnore,
+    imgAlt,
+    clickableDiv,
+    nPlusOne,
+    recursiveRunaway,
+    dangerousHtml,
+    deadLink,
+    missingCleanup,
+    hardcodedSecret,
+    consoleLog,
+    todoLeftover,
+    placeholderContent,
+    unhandledFetch,
+    unsafeUserAccess,
+    sourceMaps,
+    unauthAdmin,
+    missingRateLimit,
+    idorDataFetch,
+    deadEndPage,
+];
+export const PER_FILE_CHECK_COUNT = CHECKS.length;
+export function runChecks(source, file, ast) {
+    const out = [];
+    for (const c of CHECKS) {
+        try {
+            out.push(...c(source, file, ast));
+        }
+        catch (e) {
+            console.error(`[periderm] Check failed on ${file}:`, e);
+            out.push(mkFinding({ id: "internal-error", category: "Runtime Stability", severity: "high", file, line: 1, message: `Scanner crashed: ${e}`, why: "Internal exception in scanner rule.", fix: "Report this issue.", aiPrompt: "Fix the crash in the scanner rule." }));
+        }
+    }
+    return out;
+}
+function mkFinding(f) { return f; }