prodlint 0.1.0 → 0.2.1

package/dist/mcp.js

@@ -0,0 +1,1109 @@
+#!/usr/bin/env node
+
+// src/mcp.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { stat as stat2 } from "fs/promises";
+import { resolve as resolve4 } from "path";
+
+// src/utils/file-walker.ts
+import fg from "fast-glob";
+import { readFile, stat, realpath } from "fs/promises";
+import { resolve, extname, sep } from "path";
+
+// src/utils/patterns.ts
+function isApiRoute(relativePath) {
+  if (/app\/.*route\.(ts|js|tsx|jsx)$/.test(relativePath)) return true;
+  if (/pages\/api\//.test(relativePath)) return true;
+  return false;
+}
+function isClientComponent(content) {
+  const firstLines = content.slice(0, 500);
+  return /^(['"])use client\1/m.test(firstLines);
+}
+function buildCommentMap(lines) {
+  const map = new Array(lines.length).fill(false);
+  let inBlock = false;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (inBlock) {
+      map[i] = true;
+      if (line.includes("*/")) {
+        inBlock = false;
+      }
+      continue;
+    }
+    const trimmed = line.trim();
+    if (trimmed.startsWith("/*")) {
+      map[i] = true;
+      if (!trimmed.includes("*/")) {
+        inBlock = true;
+      }
+      continue;
+    }
+    if (trimmed.startsWith("*")) {
+      map[i] = true;
+    }
+  }
+  return map;
+}
+function isCommentLine(lines, lineIndex, commentMap) {
+  if (commentMap[lineIndex]) return true;
+  const trimmed = lines[lineIndex]?.trim() ?? "";
+  return trimmed.startsWith("//");
+}
+function isLineSuppressed(lines, lineIndex, ruleId) {
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("//") || trimmed.startsWith("/*")) {
+      const match = trimmed.match(/prodlint-disable\s+(.+)/);
+      if (match) {
+        const ids = match[1].split(/[\s,]+/).filter(Boolean);
+        if (ids.includes(ruleId)) return true;
+      }
+      continue;
+    }
+    break;
+  }
+  if (lineIndex > 0) {
+    const prevLine = lines[lineIndex - 1].trim();
+    const match = prevLine.match(/prodlint-disable-next-line\s+(.+)/);
+    if (match) {
+      const ids = match[1].split(/[\s,]+/).filter(Boolean);
+      if (ids.includes(ruleId)) return true;
+    }
+  }
+  return false;
+}
+var NODE_BUILTINS = /* @__PURE__ */ new Set([
+  "assert",
+  "async_hooks",
+  "buffer",
+  "child_process",
+  "cluster",
+  "console",
+  "constants",
+  "crypto",
+  "dgram",
+  "diagnostics_channel",
+  "dns",
+  "domain",
+  "events",
+  "fs",
+  "http",
+  "http2",
+  "https",
+  "inspector",
+  "module",
+  "net",
+  "os",
+  "path",
+  "perf_hooks",
+  "process",
+  "punycode",
+  "querystring",
+  "readline",
+  "repl",
+  "stream",
+  "string_decoder",
+  "sys",
+  "timers",
+  "tls",
+  "trace_events",
+  "tty",
+  "url",
+  "util",
+  "v8",
+  "vm",
+  "wasi",
+  "worker_threads",
+  "zlib"
+  // node: prefixed are handled separately
+]);
+
+// src/utils/file-walker.ts
+var DEFAULT_IGNORES = [
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/.next/**",
+  "**/.git/**",
+  "**/coverage/**",
+  "**/*.min.js",
+  "**/*.min.css",
+  "**/package-lock.json",
+  "**/yarn.lock",
+  "**/pnpm-lock.yaml",
+  "**/bun.lockb",
+  "**/*.map",
+  "**/*.d.ts"
+];
+var SCAN_EXTENSIONS = [
+  "ts",
+  "tsx",
+  "js",
+  "jsx",
+  "mjs",
+  "cjs",
+  "json"
+];
+var MAX_FILE_SIZE = 1024 * 1024;
+async function walkFiles(root, extraIgnores = []) {
+  const patterns = SCAN_EXTENSIONS.map((ext) => `**/*.${ext}`);
+  patterns.push("**/.env", "**/.env.*");
+  patterns.push("**/.gitignore");
+  const files = await fg(patterns, {
+    cwd: root,
+    ignore: [...DEFAULT_IGNORES, ...extraIgnores],
+    absolute: false,
+    dot: true,
+    followSymbolicLinks: false
+  });
+  return files.sort();
+}
+async function readFileContext(root, relativePath) {
+  try {
+    const absolutePath = resolve(root, relativePath);
+    const realRoot = await realpath(root);
+    const realFile = await realpath(absolutePath);
+    if (!realFile.startsWith(realRoot + sep) && realFile !== realRoot) return null;
+    const fileStats = await stat(absolutePath);
+    if (fileStats.size > MAX_FILE_SIZE) return null;
+    const content = await readFile(absolutePath, "utf-8");
+    const lines = content.split(/\r?\n|\r/);
+    return {
+      absolutePath,
+      relativePath,
+      content,
+      lines,
+      ext: extname(relativePath).slice(1),
+      // remove leading dot
+      commentMap: buildCommentMap(lines)
+    };
+  } catch {
+    return null;
+  }
+}
+async function buildProjectContext(root, files) {
+  let packageJson = null;
+  let declaredDependencies = /* @__PURE__ */ new Set();
+  let tsconfigPaths = /* @__PURE__ */ new Set();
+  let hasAuthMiddleware = false;
+  let gitignoreContent = null;
+  let envInGitignore = false;
+  try {
+    const raw = await readFile(resolve(root, "package.json"), "utf-8");
+    packageJson = JSON.parse(raw);
+    const deps = {
+      ...packageJson?.dependencies ?? {},
+      ...packageJson?.devDependencies ?? {},
+      ...packageJson?.peerDependencies ?? {}
+    };
+    declaredDependencies = new Set(Object.keys(deps));
+  } catch {
+  }
+  try {
+    const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
+    const stripped = raw.replace(/\/\/.*$/gm, "");
+    const tsconfig = JSON.parse(stripped);
+    const paths = tsconfig?.compilerOptions?.paths;
+    if (paths) {
+      for (const alias of Object.keys(paths)) {
+        const prefix = alias.replace(/\/?\*$/, "");
+        if (prefix) tsconfigPaths.add(prefix);
+      }
+    }
+  } catch {
+  }
+  try {
+    for (const name of ["middleware.ts", "middleware.js", "src/middleware.ts", "src/middleware.js"]) {
+      try {
+        const content = await readFile(resolve(root, name), "utf-8");
+        const authPatterns = [
+          /getSession/i,
+          /getUser/i,
+          /auth\(\)/,
+          /withAuth/i,
+          /clerkMiddleware/i,
+          /authMiddleware/i,
+          /NextAuth/i,
+          /supabase.*auth/i,
+          /createMiddlewareClient/i,
+          /getToken/i,
+          /verifyToken/i,
+          /jwt/i,
+          /updateSession/i
+        ];
+        if (authPatterns.some((p) => p.test(content))) {
+          hasAuthMiddleware = true;
+          break;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  try {
+    gitignoreContent = await readFile(resolve(root, ".gitignore"), "utf-8");
+    envInGitignore = /^\.env$/m.test(gitignoreContent) || /^\.env\*$/m.test(gitignoreContent) || /^\.env\.\*$/m.test(gitignoreContent) || /^\.env\.local$/m.test(gitignoreContent);
+  } catch {
+  }
+  return {
+    root,
+    packageJson,
+    declaredDependencies,
+    tsconfigPaths,
+    hasAuthMiddleware,
+    gitignoreContent,
+    envInGitignore,
+    allFiles: files
+  };
+}
+
+// src/utils/version.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, resolve as resolve2 } from "path";
+function getVersion() {
+  try {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(
+      readFileSync(resolve2(dir, "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+
+// src/scorer.ts
+var CATEGORIES = ["security", "reliability", "performance", "ai-quality"];
+var DEDUCTIONS = {
+  critical: 10,
+  warning: 3,
+  info: 1
+};
+function calculateScores(findings) {
+  const categoryScores = CATEGORIES.map((category) => {
+    const categoryFindings = findings.filter((f) => f.category === category);
+    let score = 100;
+    for (const f of categoryFindings) {
+      score -= DEDUCTIONS[f.severity] ?? 0;
+    }
+    return {
+      category,
+      score: Math.max(0, score),
+      findingCount: categoryFindings.length
+    };
+  });
+  const overallScore = Math.round(
+    categoryScores.reduce((sum, c) => sum + c.score, 0) / CATEGORIES.length
+  );
+  return { overallScore, categoryScores };
+}
+function summarizeFindings(findings) {
+  return {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    warning: findings.filter((f) => f.severity === "warning").length,
+    info: findings.filter((f) => f.severity === "info").length
+  };
+}
+
+// src/rules/secrets.ts
+var SECRET_PATTERNS = [
+  { name: "Stripe secret key", pattern: /sk_live_[a-zA-Z0-9]{20,}/ },
+  { name: "Stripe test key", pattern: /sk_test_[a-zA-Z0-9]{20,}/ },
+  { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
+  { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
+  { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
+  { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
+  { name: "SendGrid API key", pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ }
+];
+var secretsRule = {
+  id: "secrets",
+  name: "Hardcoded Secrets",
+  description: "Detects hardcoded API keys, tokens, and credentials in source code",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs", "json"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      for (const { name, pattern } of SECRET_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "secrets",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: `Hardcoded ${name} detected`,
+            severity: "critical",
+            category: "security"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hallucinated-imports.ts
+var IMPLICIT_PACKAGES = /* @__PURE__ */ new Set([
+  "react",
+  "react-dom",
+  "react/jsx-runtime",
+  "react/jsx-dev-runtime",
+  "next",
+  "next/server",
+  "next/image",
+  "next/link",
+  "next/font",
+  "next/navigation",
+  "next/headers",
+  "next/dynamic",
+  "next/script",
+  "next/router",
+  "next/head",
+  "next/app",
+  "next/document"
+]);
+var LINE_IMPORT_PATTERNS = [
+  /from\s+['"]([^'"./][^'"]*)['"]/,
+  /require\s*\(\s*['"]([^'"./][^'"]*)['"]\s*\)/,
+  /import\s*\(\s*['"]([^'"./][^'"]*)['"]\s*\)/
+];
+function getPackageName(importPath) {
+  if (importPath.startsWith("@")) {
+    const parts = importPath.split("/");
+    return parts.slice(0, 2).join("/");
+  }
+  return importPath.split("/")[0];
+}
+function isNodeBuiltin(name) {
+  if (name.startsWith("node:")) return true;
+  return NODE_BUILTINS.has(name);
+}
+function isPathAlias(importPath, tsconfigPaths) {
+  if (importPath.startsWith("@/") || importPath === "@") return true;
+  if (importPath.startsWith("~/") || importPath.startsWith("#/")) return true;
+  for (const prefix of tsconfigPaths) {
+    if (importPath === prefix || importPath.startsWith(prefix + "/")) return true;
+  }
+  return false;
+}
+var hallucinatedImportsRule = {
+  id: "hallucinated-imports",
+  name: "Hallucinated Imports",
+  description: "Detects imports of packages not declared in package.json and not Node.js built-ins",
+  category: "reliability",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, project) {
+    if (!project.packageJson) return [];
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of LINE_IMPORT_PATTERNS) {
+        const match = pattern.exec(line);
+        if (!match) continue;
+        const importPath = match[1];
+        const pkgName = getPackageName(importPath);
+        if (seen.has(pkgName)) continue;
+        seen.add(pkgName);
+        if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+        if (isNodeBuiltin(pkgName)) continue;
+        if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+        if (project.declaredDependencies.has(pkgName)) continue;
+        findings.push({
+          ruleId: "hallucinated-imports",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `Package "${pkgName}" is imported but not in package.json`,
+          severity: "critical",
+          category: "reliability"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/auth-checks.ts
+var AUTH_EXEMPT_PATTERNS = [
+  /auth/i,
+  /login/i,
+  /signup/i,
+  /register/i,
+  /callback/i,
+  /webhook/i,
+  /health/i,
+  /ping/i,
+  /cron/i,
+  /inngest/i,
+  /stripe/i,
+  /public/i
+];
+var AUTH_PATTERNS = [
+  /getServerSession\s*\(/,
+  /getSession\s*\(/,
+  /\.auth\.getUser\s*\(/,
+  /auth\(\)/,
+  /authenticate\s*\(/,
+  /isAuthenticated/,
+  /requireAuth/,
+  /withAuth/,
+  /NextAuth/,
+  /getToken\s*\(/,
+  /verifyToken\s*\(/,
+  /jwt\.verify\s*\(/,
+  /createRouteHandlerClient/,
+  /createServerComponentClient/,
+  /authorization/i,
+  /bearer/i
+];
+var authChecksRule = {
+  id: "auth-checks",
+  name: "Missing Auth Checks",
+  description: "Detects API routes that lack authentication checks",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    for (const pattern of AUTH_EXEMPT_PATTERNS) {
+      if (pattern.test(file.relativePath)) return [];
+    }
+    const severity = project.hasAuthMiddleware ? "info" : "critical";
+    for (const pattern of AUTH_PATTERNS) {
+      if (pattern.test(file.content)) return [];
+    }
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    const message = project.hasAuthMiddleware ? "API route has no inline auth check (middleware auth detected \u2014 verify coverage)" : "API route has no authentication check";
+    return [{
+      ruleId: "auth-checks",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message,
+      severity,
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/env-exposure.ts
+var SERVER_ENV_PATTERN = /process\.env\.(?!NEXT_PUBLIC_)([A-Z][A-Z0-9_]*)/g;
+var SENSITIVE_ENV_NAMES = /* @__PURE__ */ new Set([
+  "DATABASE_URL",
+  "SUPABASE_SERVICE_ROLE_KEY",
+  "STRIPE_SECRET_KEY",
+  "STRIPE_WEBHOOK_SECRET",
+  "OPENAI_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "AWS_SECRET_ACCESS_KEY",
+  "JWT_SECRET",
+  "SESSION_SECRET",
+  "REDIS_URL",
+  "SMTP_PASSWORD",
+  "SENDGRID_API_KEY"
+]);
+var envExposureRule = {
+  id: "env-exposure",
+  name: "Environment Variable Exposure",
+  description: "Detects server environment variables used in client components and .env files not in .gitignore",
+  category: "security",
+  severity: "critical",
+  fileExtensions: [],
+  check(file, project) {
+    const findings = [];
+    if (file.relativePath === ".gitignore") {
+      if (!project.envInGitignore) {
+        findings.push({
+          ruleId: "env-exposure",
+          file: file.relativePath,
+          line: 1,
+          column: 1,
+          message: ".env is not listed in .gitignore \u2014 secrets may be committed",
+          severity: "critical",
+          category: "security"
+        });
+      }
+      return findings;
+    }
+    if (!["ts", "tsx", "js", "jsx"].includes(file.ext)) return findings;
+    if (!isClientComponent(file.content)) return findings;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const regex = new RegExp(SERVER_ENV_PATTERN.source, SERVER_ENV_PATTERN.flags);
+      let match;
+      while ((match = regex.exec(line)) !== null) {
+        const envName = match[1];
+        const isSensitive = SENSITIVE_ENV_NAMES.has(envName);
+        findings.push({
+          ruleId: "env-exposure",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: isSensitive ? `Sensitive server env var "${envName}" used in client component` : `Server env var "${envName}" used in client component (will be undefined at runtime)`,
+          severity: isSensitive ? "critical" : "warning",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/error-handling.ts
+var errorHandlingRule = {
+  id: "error-handling",
+  name: "Missing Error Handling",
+  description: "Detects API routes without try/catch and empty catch blocks",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    if (isApiRoute(file.relativePath)) {
+      const hasTryCatch = /try\s*\{/.test(file.content);
+      if (!hasTryCatch) {
+        let handlerLine = 1;
+        for (let i = 0; i < file.lines.length; i++) {
+          if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+            handlerLine = i + 1;
+            break;
+          }
+        }
+        findings.push({
+          ruleId: "error-handling",
+          file: file.relativePath,
+          line: handlerLine,
+          column: 1,
+          message: "API route handler has no try/catch block",
+          severity: "warning",
+          category: "reliability"
+        });
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/catch\s*(\([^)]*\))?\s*\{\s*\}/.test(line)) {
+        findings.push({
+          ruleId: "error-handling",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("catch") + 1,
+          message: "Empty catch block silently swallows errors",
+          severity: "warning",
+          category: "reliability"
+        });
+        continue;
+      }
+      if (/catch\s*(\([^)]*\))?\s*\{\s*$/.test(line)) {
+        const nextLine = file.lines[i + 1]?.trim();
+        if (nextLine === "}") {
+          findings.push({
+            ruleId: "error-handling",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf("catch") + 1,
+            message: "Empty catch block silently swallows errors",
+            severity: "warning",
+            category: "reliability"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/input-validation.ts
+var VALIDATION_PATTERNS = [
+  /\.parse\s*\(/,
+  /\.safeParse\s*\(/,
+  /\.validate\s*\(/,
+  /\.validateSync\s*\(/,
+  /Joi\.object/,
+  /z\.object/,
+  /z\.string/,
+  /z\.number/,
+  /z\.array/,
+  /yup\.object/,
+  /ajv/i,
+  /typebox/i,
+  /valibot/i,
+  /typeof\s+.*body/
+];
+var BODY_ACCESS_PATTERNS = [
+  /req\.body/,
+  /request\.json\s*\(\)/,
+  /req\.json\s*\(\)/
+];
+var inputValidationRule = {
+  id: "input-validation",
+  name: "Missing Input Validation",
+  description: "Detects API routes that access request body without validation",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    const accessesBody = BODY_ACCESS_PATTERNS.some((p) => p.test(file.content));
+    if (!accessesBody) return [];
+    const hasValidation = VALIDATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let bodyLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (BODY_ACCESS_PATTERNS.some((p) => p.test(file.lines[i]))) {
+        bodyLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "input-validation",
+      file: file.relativePath,
+      line: bodyLine,
+      column: 1,
+      message: "Request body accessed without validation (consider using Zod, Yup, or similar)",
+      severity: "warning",
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/rate-limiting.ts
+var RATE_LIMIT_PATTERNS = [
+  /rateLimit/i,
+  /rateLimiter/i,
+  /rate-limit/i,
+  /upstash.*ratelimit/i,
+  /Ratelimit/,
+  /@upstash\/ratelimit/,
+  /express-rate-limit/,
+  /limiter/i,
+  /throttle/i,
+  /slidingWindow/,
+  /fixedWindow/,
+  /tokenBucket/
+];
+var EXEMPT_PATTERNS = [
+  /health/i,
+  /ping/i,
+  /webhook/i,
+  /cron/i,
+  /inngest/i
+];
+var rateLimitingRule = {
+  id: "rate-limiting",
+  name: "Missing Rate Limiting",
+  description: "Detects API routes without rate limiting",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    for (const pattern of EXEMPT_PATTERNS) {
+      if (pattern.test(file.relativePath)) return [];
+    }
+    for (const pattern of RATE_LIMIT_PATTERNS) {
+      if (pattern.test(file.content)) return [];
+    }
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "rate-limiting",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "API route has no rate limiting",
+      severity: "warning",
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/cors-config.ts
+var corsConfigRule = {
+  id: "cors-config",
+  name: "Permissive CORS",
+  description: "Detects overly permissive CORS configuration",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("Access-Control") + 1,
+          message: 'Access-Control-Allow-Origin set to "*" allows any domain',
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/cors\(\s*\)/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("cors(") + 1,
+          message: "cors() called without config allows all origins",
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/origin\s*:\s*['"]\*['"]/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("origin") + 1,
+          message: 'CORS origin set to "*" allows any domain',
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/origin\s*:\s*true/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("origin") + 1,
+          message: "CORS origin set to true mirrors any requesting origin",
+          severity: "warning",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/ai-smells.ts
+var CONSOLE_LOG_THRESHOLD = 5;
+var ANY_TYPE_THRESHOLD = 5;
+var COMMENTED_CODE_THRESHOLD = 3;
+var aiSmellsRule = {
+  id: "ai-smells",
+  name: "AI Code Smells",
+  description: "Detects TODOs, placeholder functions, excessive console.log, any types, and commented-out code",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    let consoleLogCount = 0;
+    let anyTypeCount = 0;
+    let commentedCodeRun = 0;
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (file.commentMap[i]) {
+        commentedCodeRun = 0;
+        continue;
+      }
+      if (trimmed.startsWith("//")) {
+        const todoMatch = trimmed.match(/\/\/\s*(TODO|FIXME|HACK|XXX)\b(.*)/);
+        if (todoMatch) {
+          findings.push({
+            ruleId: "ai-smells",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(todoMatch[1]) + 1,
+            message: `${todoMatch[1]} comment: ${todoMatch[2].trim() || "(no description)"}`,
+            severity: "info",
+            category: "ai-quality"
+          });
+        }
+        const commentContent = trimmed.slice(2).trim();
+        const looksLikeCode = /^(import |export |const |let |var |function |if |for |while |return |await |async |class |switch )/.test(commentContent) || /[{};=]$/.test(commentContent) || /^\w+\(/.test(commentContent);
+        if (looksLikeCode) {
+          commentedCodeRun++;
+          if (commentedCodeRun === COMMENTED_CODE_THRESHOLD) {
+            findings.push({
+              ruleId: "ai-smells",
+              file: file.relativePath,
+              line: i + 1 - COMMENTED_CODE_THRESHOLD + 1,
+              column: 1,
+              message: `${COMMENTED_CODE_THRESHOLD}+ consecutive lines of commented-out code`,
+              severity: "info",
+              category: "ai-quality"
+            });
+          }
+        } else {
+          commentedCodeRun = 0;
+        }
+        continue;
+      }
+      commentedCodeRun = 0;
+      if (/(?:throw new Error|throw Error)\s*\(\s*['"]not implemented['"]/i.test(line)) {
+        findings.push({
+          ruleId: "ai-smells",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: 'Placeholder "not implemented" function',
+          severity: "warning",
+          category: "ai-quality"
+        });
+      }
+      if (/console\.log\s*\(/.test(line)) {
+        consoleLogCount++;
+      }
+      if (/:\s*any\b/.test(line) || /\bas\s+any\b/.test(line) || /<any>/.test(line)) {
+        anyTypeCount++;
+      }
+    }
+    if (consoleLogCount > CONSOLE_LOG_THRESHOLD) {
+      findings.push({
+        ruleId: "ai-smells",
+        file: file.relativePath,
+        line: 1,
+        column: 1,
+        message: `${consoleLogCount} console.log statements (consider a proper logger)`,
+        severity: "warning",
+        category: "ai-quality"
+      });
+    }
+    if (anyTypeCount > ANY_TYPE_THRESHOLD) {
+      findings.push({
+        ruleId: "ai-smells",
+        file: file.relativePath,
+        line: 1,
+        column: 1,
+        message: `${anyTypeCount} uses of "any" type (consider proper typing)`,
+        severity: "warning",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/rules/unsafe-html.ts
+var unsafeHtmlRule = {
+  id: "unsafe-html",
+  name: "Unsafe HTML Rendering",
+  description: "Detects dangerouslySetInnerHTML and other XSS vectors in JSX/DOM code",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/dangerouslySetInnerHTML\s*=/.test(line) || /dangerouslySetInnerHTML\s*:/.test(line)) {
+        findings.push({
+          ruleId: "unsafe-html",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("dangerouslySetInnerHTML") + 1,
+          message: "dangerouslySetInnerHTML is an XSS risk \u2014 sanitize with DOMPurify or similar",
+          severity: "critical",
+          category: "security"
+        });
+      }
+      if (/\w\.innerHTML\s*=/.test(line)) {
+        findings.push({
+          ruleId: "unsafe-html",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf(".innerHTML") + 1,
+          message: "Direct innerHTML assignment is an XSS risk",
+          severity: "critical",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/sql-injection.ts
+var SQL_INJECTION_PATTERNS = [
+  // Template literals with SQL keywords and interpolation
+  { pattern: /`\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b[^`]*\$\{/, message: "SQL query built with template literal interpolation \u2014 use parameterized queries" },
+  // String concatenation with SQL
+  { pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b.*['"]?\s*\+\s*\w/, message: "SQL query built with string concatenation \u2014 use parameterized queries" },
+  // .query() or .execute() with template literal
+  { pattern: /\.(?:query|execute|raw)\s*\(\s*`[^`]*\$\{/, message: "Database query with template literal interpolation \u2014 use parameterized queries" }
+];
+var sqlInjectionRule = {
+  id: "sql-injection",
+  name: "SQL Injection Risk",
+  description: "Detects SQL queries built with string interpolation or concatenation",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, message } of SQL_INJECTION_PATTERNS) {
+        if (pattern.test(line)) {
+          findings.push({
+            ruleId: "sql-injection",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message,
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/index.ts
+var rules = [
+  secretsRule,
+  hallucinatedImportsRule,
+  authChecksRule,
+  envExposureRule,
+  errorHandlingRule,
+  inputValidationRule,
+  rateLimitingRule,
+  corsConfigRule,
+  aiSmellsRule,
+  unsafeHtmlRule,
+  sqlInjectionRule
+];
+
+// src/scanner.ts
+import { resolve as resolve3 } from "path";
+async function scan(options) {
+  const start = performance.now();
+  const root = resolve3(options.path);
+  const filePaths = await walkFiles(root, options.ignore);
+  const project = await buildProjectContext(root, filePaths);
+  const findings = [];
+  for (const relativePath of filePaths) {
+    const file = await readFileContext(root, relativePath);
+    if (!file) continue;
+    for (const rule of rules) {
+      if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
+        continue;
+      }
+      const ruleFindings = rule.check(file, project);
+      for (const finding of ruleFindings) {
+        if (!isLineSuppressed(file.lines, finding.line - 1, finding.ruleId)) {
+          findings.push(finding);
+        }
+      }
+    }
+  }
+  const { overallScore, categoryScores } = calculateScores(findings);
+  const summary = summarizeFindings(findings);
+  return {
+    version: getVersion(),
+    scannedPath: options.path,
+    filesScanned: filePaths.length,
+    scanDurationMs: Math.round(performance.now() - start),
+    findings,
+    overallScore,
+    categoryScores,
+    summary
+  };
+}
+
+// src/mcp.ts
+var server = new McpServer({
+  name: "prodlint",
+  version: getVersion()
+});
+server.tool(
+  "scan",
+  "Scan a project for production readiness issues. Returns a 0-100 score with findings across security, reliability, performance, and AI quality categories.",
+  {
+    path: z.string().describe("Absolute path to the project directory to scan"),
+    ignore: z.array(z.string()).optional().describe("Glob patterns to ignore")
+  },
+  async ({ path, ignore }) => {
+    const resolved = resolve4(path);
+    try {
+      const stats = await stat2(resolved);
+      if (!stats.isDirectory()) {
+        return {
+          content: [{ type: "text", text: `Error: ${path} is not a directory` }],
+          isError: true
+        };
+      }
+    } catch {
+      return {
+        content: [{ type: "text", text: `Error: ${path} does not exist or is not accessible` }],
+        isError: true
+      };
+    }
+    const result = await scan({ path: resolved, ignore });
+    const summary = [
+      `## Production Readiness Score: ${result.overallScore}/100`,
+      "",
+      `Scanned ${result.filesScanned} files in ${result.scanDurationMs}ms`,
+      "",
+      "### Category Scores",
+      ...result.categoryScores.map(
+        (c) => `- **${c.category}**: ${c.score}/100 (${c.findingCount} issues)`
+      ),
+      "",
+      `### Summary: ${result.summary.critical} critical, ${result.summary.warning} warnings, ${result.summary.info} info`
+    ];
+    if (result.findings.length > 0) {
+      summary.push("", "### Findings");
+      for (const f of result.findings.slice(0, 30)) {
+        summary.push(
+          `- **[${f.severity}]** \`${f.ruleId}\` ${f.file}:${f.line} \u2014 ${f.message}`
+        );
+      }
+      if (result.findings.length > 30) {
+        summary.push(`- ...and ${result.findings.length - 30} more findings`);
+      }
+    }
+    return {
+      content: [{ type: "text", text: summary.join("\n") }]
+    };
+  }
+);
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+main().catch((err) => {
+  console.error("Prodlint MCP server error:", err instanceof Error ? err.message : "Unknown error");
+  process.exit(1);
+});
+//# sourceMappingURL=mcp.js.map