prodlint 0.1.0

package/dist/cli.js

@@ -0,0 +1,1173 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { parseArgs } from "util";
+
+// src/utils/file-walker.ts
+import fg from "fast-glob";
+import { readFile, stat } from "fs/promises";
+import { resolve, extname } from "path";
+
+// src/utils/patterns.ts
+function isApiRoute(relativePath) {
+  if (/app\/.*route\.(ts|js|tsx|jsx)$/.test(relativePath)) return true;
+  if (/pages\/api\//.test(relativePath)) return true;
+  return false;
+}
+function isClientComponent(content) {
+  const firstLines = content.slice(0, 500);
+  return /^(['"])use client\1/m.test(firstLines);
+}
+function buildCommentMap(lines) {
+  const map = new Array(lines.length).fill(false);
+  let inBlock = false;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (inBlock) {
+      map[i] = true;
+      if (line.includes("*/")) {
+        inBlock = false;
+      }
+      continue;
+    }
+    const trimmed = line.trim();
+    if (trimmed.startsWith("/*")) {
+      map[i] = true;
+      if (!trimmed.includes("*/")) {
+        inBlock = true;
+      }
+      continue;
+    }
+    if (trimmed.startsWith("*")) {
+      map[i] = true;
+    }
+  }
+  return map;
+}
+function isCommentLine(lines, lineIndex, commentMap) {
+  if (commentMap[lineIndex]) return true;
+  const trimmed = lines[lineIndex]?.trim() ?? "";
+  return trimmed.startsWith("//");
+}
+function isLineSuppressed(lines, lineIndex, ruleId) {
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("//") || trimmed.startsWith("/*")) {
+      const match = trimmed.match(/prodlint-disable\s+(.+)/);
+      if (match) {
+        const ids = match[1].split(/[\s,]+/).filter(Boolean);
+        if (ids.includes(ruleId)) return true;
+      }
+      continue;
+    }
+    break;
+  }
+  if (lineIndex > 0) {
+    const prevLine = lines[lineIndex - 1].trim();
+    const match = prevLine.match(/prodlint-disable-next-line\s+(.+)/);
+    if (match) {
+      const ids = match[1].split(/[\s,]+/).filter(Boolean);
+      if (ids.includes(ruleId)) return true;
+    }
+  }
+  return false;
+}
+var NODE_BUILTINS = /* @__PURE__ */ new Set([
+  "assert",
+  "async_hooks",
+  "buffer",
+  "child_process",
+  "cluster",
+  "console",
+  "constants",
+  "crypto",
+  "dgram",
+  "diagnostics_channel",
+  "dns",
+  "domain",
+  "events",
+  "fs",
+  "http",
+  "http2",
+  "https",
+  "inspector",
+  "module",
+  "net",
+  "os",
+  "path",
+  "perf_hooks",
+  "process",
+  "punycode",
+  "querystring",
+  "readline",
+  "repl",
+  "stream",
+  "string_decoder",
+  "sys",
+  "timers",
+  "tls",
+  "trace_events",
+  "tty",
+  "url",
+  "util",
+  "v8",
+  "vm",
+  "wasi",
+  "worker_threads",
+  "zlib"
+  // node: prefixed are handled separately
+]);
+
+// src/utils/file-walker.ts
+var DEFAULT_IGNORES = [
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/.next/**",
+  "**/.git/**",
+  "**/coverage/**",
+  "**/*.min.js",
+  "**/*.min.css",
+  "**/package-lock.json",
+  "**/yarn.lock",
+  "**/pnpm-lock.yaml",
+  "**/bun.lockb",
+  "**/*.map",
+  "**/*.d.ts"
+];
+var SCAN_EXTENSIONS = [
+  "ts",
+  "tsx",
+  "js",
+  "jsx",
+  "mjs",
+  "cjs",
+  "json"
+];
+var MAX_FILE_SIZE = 1024 * 1024;
+async function walkFiles(root, extraIgnores = []) {
+  const patterns = SCAN_EXTENSIONS.map((ext) => `**/*.${ext}`);
+  patterns.push("**/.env", "**/.env.*");
+  patterns.push("**/.gitignore");
+  const files = await fg(patterns, {
+    cwd: root,
+    ignore: [...DEFAULT_IGNORES, ...extraIgnores],
+    absolute: false,
+    dot: true
+  });
+  return files.sort();
+}
+async function readFileContext(root, relativePath) {
+  try {
+    const absolutePath = resolve(root, relativePath);
+    const fileStats = await stat(absolutePath);
+    if (fileStats.size > MAX_FILE_SIZE) return null;
+    const content = await readFile(absolutePath, "utf-8");
+    const lines = content.split("\n");
+    return {
+      absolutePath,
+      relativePath,
+      content,
+      lines,
+      ext: extname(relativePath).slice(1),
+      // remove leading dot
+      commentMap: buildCommentMap(lines)
+    };
+  } catch {
+    return null;
+  }
+}
+async function buildProjectContext(root, files) {
+  let packageJson = null;
+  let declaredDependencies = /* @__PURE__ */ new Set();
+  let tsconfigPaths = /* @__PURE__ */ new Set();
+  let hasAuthMiddleware = false;
+  let gitignoreContent = null;
+  let envInGitignore = false;
+  try {
+    const raw = await readFile(resolve(root, "package.json"), "utf-8");
+    packageJson = JSON.parse(raw);
+    const deps = {
+      ...packageJson?.dependencies ?? {},
+      ...packageJson?.devDependencies ?? {},
+      ...packageJson?.peerDependencies ?? {}
+    };
+    declaredDependencies = new Set(Object.keys(deps));
+  } catch {
+  }
+  try {
+    const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
+    const stripped = raw.replace(/\/\/.*$/gm, "");
+    const tsconfig = JSON.parse(stripped);
+    const paths = tsconfig?.compilerOptions?.paths;
+    if (paths) {
+      for (const alias of Object.keys(paths)) {
+        const prefix = alias.replace(/\/?\*$/, "");
+        if (prefix) tsconfigPaths.add(prefix);
+      }
+    }
+  } catch {
+  }
+  try {
+    for (const name of ["middleware.ts", "middleware.js", "src/middleware.ts", "src/middleware.js"]) {
+      try {
+        const content = await readFile(resolve(root, name), "utf-8");
+        const authPatterns = [
+          /getSession/i,
+          /getUser/i,
+          /auth\(\)/,
+          /withAuth/i,
+          /clerkMiddleware/i,
+          /authMiddleware/i,
+          /NextAuth/i,
+          /supabase.*auth/i,
+          /createMiddlewareClient/i,
+          /getToken/i,
+          /verifyToken/i,
+          /jwt/i,
+          /updateSession/i
+        ];
+        if (authPatterns.some((p) => p.test(content))) {
+          hasAuthMiddleware = true;
+          break;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  try {
+    gitignoreContent = await readFile(resolve(root, ".gitignore"), "utf-8");
+    envInGitignore = /^\.env$/m.test(gitignoreContent) || /^\.env\*$/m.test(gitignoreContent) || /^\.env\.\*$/m.test(gitignoreContent) || /^\.env\.local$/m.test(gitignoreContent);
+  } catch {
+  }
+  return {
+    root,
+    packageJson,
+    declaredDependencies,
+    tsconfigPaths,
+    hasAuthMiddleware,
+    gitignoreContent,
+    envInGitignore,
+    allFiles: files
+  };
+}
+
+// src/utils/version.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, resolve as resolve2 } from "path";
+function getVersion() {
+  try {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(
+      readFileSync(resolve2(dir, "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+
+// src/scorer.ts
+var CATEGORIES = ["security", "reliability", "performance", "ai-quality"];
+var DEDUCTIONS = {
+  critical: 10,
+  warning: 3,
+  info: 1
+};
+function calculateScores(findings) {
+  const categoryScores = CATEGORIES.map((category) => {
+    const categoryFindings = findings.filter((f) => f.category === category);
+    let score = 100;
+    for (const f of categoryFindings) {
+      score -= DEDUCTIONS[f.severity] ?? 0;
+    }
+    return {
+      category,
+      score: Math.max(0, score),
+      findingCount: categoryFindings.length
+    };
+  });
+  const overallScore = Math.round(
+    categoryScores.reduce((sum, c) => sum + c.score, 0) / CATEGORIES.length
+  );
+  return { overallScore, categoryScores };
+}
+function summarizeFindings(findings) {
+  return {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    warning: findings.filter((f) => f.severity === "warning").length,
+    info: findings.filter((f) => f.severity === "info").length
+  };
+}
+
+// src/rules/secrets.ts
+var SECRET_PATTERNS = [
+  { name: "Stripe secret key", pattern: /sk_live_[a-zA-Z0-9]{20,}/ },
+  { name: "Stripe test key", pattern: /sk_test_[a-zA-Z0-9]{20,}/ },
+  { name: "AWS access key", pattern: /AKIA[0-9A-Z]{16}/ },
+  { name: "AWS secret key", pattern: /(?:aws_secret_access_key|AWS_SECRET)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/ },
+  { name: "Supabase service role key", pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{50,}\.[A-Za-z0-9_-]{20,}/ },
+  { name: "OpenAI API key", pattern: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ[a-zA-Z0-9]{20,}/ },
+  { name: "GitHub token", pattern: /gh[ps]_[A-Za-z0-9_]{36,}/ },
+  { name: "GitHub fine-grained token", pattern: /github_pat_[A-Za-z0-9_]{22,}/ },
+  { name: "Generic API key assignment", pattern: /(?:api_key|apikey|api_secret|secret_key|private_key)\s*[=:]\s*['"][a-zA-Z0-9_\-]{20,}['"]/ },
+  { name: "SendGrid API key", pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ }
+];
+var secretsRule = {
+  id: "secrets",
+  name: "Hardcoded Secrets",
+  description: "Detects hardcoded API keys, tokens, and credentials in source code",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs", "json"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      for (const { name, pattern } of SECRET_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "secrets",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: `Hardcoded ${name} detected`,
+            severity: "critical",
+            category: "security"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hallucinated-imports.ts
+var IMPLICIT_PACKAGES = /* @__PURE__ */ new Set([
+  "react",
+  "react-dom",
+  "react/jsx-runtime",
+  "react/jsx-dev-runtime",
+  "next",
+  "next/server",
+  "next/image",
+  "next/link",
+  "next/font",
+  "next/navigation",
+  "next/headers",
+  "next/dynamic",
+  "next/script",
+  "next/router",
+  "next/head",
+  "next/app",
+  "next/document"
+]);
+var LINE_IMPORT_PATTERNS = [
+  /from\s+['"]([^'"./][^'"]*)['"]/,
+  /require\s*\(\s*['"]([^'"./][^'"]*)['"]\s*\)/,
+  /import\s*\(\s*['"]([^'"./][^'"]*)['"]\s*\)/
+];
+function getPackageName(importPath) {
+  if (importPath.startsWith("@")) {
+    const parts = importPath.split("/");
+    return parts.slice(0, 2).join("/");
+  }
+  return importPath.split("/")[0];
+}
+function isNodeBuiltin(name) {
+  if (name.startsWith("node:")) return true;
+  return NODE_BUILTINS.has(name);
+}
+function isPathAlias(importPath, tsconfigPaths) {
+  if (importPath.startsWith("@/") || importPath === "@") return true;
+  if (importPath.startsWith("~/") || importPath.startsWith("#/")) return true;
+  for (const prefix of tsconfigPaths) {
+    if (importPath === prefix || importPath.startsWith(prefix + "/")) return true;
+  }
+  return false;
+}
+var hallucinatedImportsRule = {
+  id: "hallucinated-imports",
+  name: "Hallucinated Imports",
+  description: "Detects imports of packages not declared in package.json and not Node.js built-ins",
+  category: "reliability",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, project) {
+    if (!project.packageJson) return [];
+    const findings = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of LINE_IMPORT_PATTERNS) {
+        const match = pattern.exec(line);
+        if (!match) continue;
+        const importPath = match[1];
+        const pkgName = getPackageName(importPath);
+        if (seen.has(pkgName)) continue;
+        seen.add(pkgName);
+        if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+        if (isNodeBuiltin(pkgName)) continue;
+        if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+        if (project.declaredDependencies.has(pkgName)) continue;
+        findings.push({
+          ruleId: "hallucinated-imports",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `Package "${pkgName}" is imported but not in package.json`,
+          severity: "critical",
+          category: "reliability"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/auth-checks.ts
+var AUTH_EXEMPT_PATTERNS = [
+  /auth/i,
+  /login/i,
+  /signup/i,
+  /register/i,
+  /callback/i,
+  /webhook/i,
+  /health/i,
+  /ping/i,
+  /cron/i,
+  /inngest/i,
+  /stripe/i,
+  /public/i
+];
+var AUTH_PATTERNS = [
+  /getServerSession\s*\(/,
+  /getSession\s*\(/,
+  /\.auth\.getUser\s*\(/,
+  /auth\(\)/,
+  /authenticate\s*\(/,
+  /isAuthenticated/,
+  /requireAuth/,
+  /withAuth/,
+  /NextAuth/,
+  /getToken\s*\(/,
+  /verifyToken\s*\(/,
+  /jwt\.verify\s*\(/,
+  /createRouteHandlerClient/,
+  /createServerComponentClient/,
+  /authorization/i,
+  /bearer/i
+];
+var authChecksRule = {
+  id: "auth-checks",
+  name: "Missing Auth Checks",
+  description: "Detects API routes that lack authentication checks",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    for (const pattern of AUTH_EXEMPT_PATTERNS) {
+      if (pattern.test(file.relativePath)) return [];
+    }
+    const severity = project.hasAuthMiddleware ? "info" : "critical";
+    for (const pattern of AUTH_PATTERNS) {
+      if (pattern.test(file.content)) return [];
+    }
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    const message = project.hasAuthMiddleware ? "API route has no inline auth check (middleware auth detected \u2014 verify coverage)" : "API route has no authentication check";
+    return [{
+      ruleId: "auth-checks",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message,
+      severity,
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/env-exposure.ts
+var SERVER_ENV_PATTERN = /process\.env\.(?!NEXT_PUBLIC_)([A-Z][A-Z0-9_]*)/g;
+var SENSITIVE_ENV_NAMES = /* @__PURE__ */ new Set([
+  "DATABASE_URL",
+  "SUPABASE_SERVICE_ROLE_KEY",
+  "STRIPE_SECRET_KEY",
+  "STRIPE_WEBHOOK_SECRET",
+  "OPENAI_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "AWS_SECRET_ACCESS_KEY",
+  "JWT_SECRET",
+  "SESSION_SECRET",
+  "REDIS_URL",
+  "SMTP_PASSWORD",
+  "SENDGRID_API_KEY"
+]);
+var envExposureRule = {
+  id: "env-exposure",
+  name: "Environment Variable Exposure",
+  description: "Detects server environment variables used in client components and .env files not in .gitignore",
+  category: "security",
+  severity: "critical",
+  fileExtensions: [],
+  check(file, project) {
+    const findings = [];
+    if (file.relativePath === ".gitignore") {
+      if (!project.envInGitignore) {
+        findings.push({
+          ruleId: "env-exposure",
+          file: file.relativePath,
+          line: 1,
+          column: 1,
+          message: ".env is not listed in .gitignore \u2014 secrets may be committed",
+          severity: "critical",
+          category: "security"
+        });
+      }
+      return findings;
+    }
+    if (!["ts", "tsx", "js", "jsx"].includes(file.ext)) return findings;
+    if (!isClientComponent(file.content)) return findings;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const regex = new RegExp(SERVER_ENV_PATTERN.source, SERVER_ENV_PATTERN.flags);
+      let match;
+      while ((match = regex.exec(line)) !== null) {
+        const envName = match[1];
+        const isSensitive = SENSITIVE_ENV_NAMES.has(envName);
+        findings.push({
+          ruleId: "env-exposure",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: isSensitive ? `Sensitive server env var "${envName}" used in client component` : `Server env var "${envName}" used in client component (will be undefined at runtime)`,
+          severity: isSensitive ? "critical" : "warning",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/error-handling.ts
+var errorHandlingRule = {
+  id: "error-handling",
+  name: "Missing Error Handling",
+  description: "Detects API routes without try/catch and empty catch blocks",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    if (isApiRoute(file.relativePath)) {
+      const hasTryCatch = /try\s*\{/.test(file.content);
+      if (!hasTryCatch) {
+        let handlerLine = 1;
+        for (let i = 0; i < file.lines.length; i++) {
+          if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+            handlerLine = i + 1;
+            break;
+          }
+        }
+        findings.push({
+          ruleId: "error-handling",
+          file: file.relativePath,
+          line: handlerLine,
+          column: 1,
+          message: "API route handler has no try/catch block",
+          severity: "warning",
+          category: "reliability"
+        });
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/catch\s*(\([^)]*\))?\s*\{\s*\}/.test(line)) {
+        findings.push({
+          ruleId: "error-handling",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("catch") + 1,
+          message: "Empty catch block silently swallows errors",
+          severity: "warning",
+          category: "reliability"
+        });
+        continue;
+      }
+      if (/catch\s*(\([^)]*\))?\s*\{\s*$/.test(line)) {
+        const nextLine = file.lines[i + 1]?.trim();
+        if (nextLine === "}") {
+          findings.push({
+            ruleId: "error-handling",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf("catch") + 1,
+            message: "Empty catch block silently swallows errors",
+            severity: "warning",
+            category: "reliability"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/input-validation.ts
+var VALIDATION_PATTERNS = [
+  /\.parse\s*\(/,
+  /\.safeParse\s*\(/,
+  /\.validate\s*\(/,
+  /\.validateSync\s*\(/,
+  /Joi\.object/,
+  /z\.object/,
+  /z\.string/,
+  /z\.number/,
+  /z\.array/,
+  /yup\.object/,
+  /ajv/i,
+  /typebox/i,
+  /valibot/i,
+  /typeof\s+.*body/
+];
+var BODY_ACCESS_PATTERNS = [
+  /req\.body/,
+  /request\.json\s*\(\)/,
+  /req\.json\s*\(\)/
+];
+var inputValidationRule = {
+  id: "input-validation",
+  name: "Missing Input Validation",
+  description: "Detects API routes that access request body without validation",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    const accessesBody = BODY_ACCESS_PATTERNS.some((p) => p.test(file.content));
+    if (!accessesBody) return [];
+    const hasValidation = VALIDATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let bodyLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (BODY_ACCESS_PATTERNS.some((p) => p.test(file.lines[i]))) {
+        bodyLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "input-validation",
+      file: file.relativePath,
+      line: bodyLine,
+      column: 1,
+      message: "Request body accessed without validation (consider using Zod, Yup, or similar)",
+      severity: "warning",
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/rate-limiting.ts
+var RATE_LIMIT_PATTERNS = [
+  /rateLimit/i,
+  /rateLimiter/i,
+  /rate-limit/i,
+  /upstash.*ratelimit/i,
+  /Ratelimit/,
+  /@upstash\/ratelimit/,
+  /express-rate-limit/,
+  /limiter/i,
+  /throttle/i,
+  /slidingWindow/,
+  /fixedWindow/,
+  /tokenBucket/
+];
+var EXEMPT_PATTERNS = [
+  /health/i,
+  /ping/i,
+  /webhook/i,
+  /cron/i,
+  /inngest/i
+];
+var rateLimitingRule = {
+  id: "rate-limiting",
+  name: "Missing Rate Limiting",
+  description: "Detects API routes without rate limiting",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (!isApiRoute(file.relativePath)) return [];
+    for (const pattern of EXEMPT_PATTERNS) {
+      if (pattern.test(file.relativePath)) return [];
+    }
+    for (const pattern of RATE_LIMIT_PATTERNS) {
+      if (pattern.test(file.content)) return [];
+    }
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "rate-limiting",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "API route has no rate limiting",
+      severity: "warning",
+      category: "security"
+    }];
+  }
+};
+
+// src/rules/cors-config.ts
+var corsConfigRule = {
+  id: "cors-config",
+  name: "Permissive CORS",
+  description: "Detects overly permissive CORS configuration",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("Access-Control") + 1,
+          message: 'Access-Control-Allow-Origin set to "*" allows any domain',
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/cors\(\s*\)/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("cors(") + 1,
+          message: "cors() called without config allows all origins",
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/origin\s*:\s*['"]\*['"]/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("origin") + 1,
+          message: 'CORS origin set to "*" allows any domain',
+          severity: "warning",
+          category: "security"
+        });
+      }
+      if (/origin\s*:\s*true/.test(line)) {
+        findings.push({
+          ruleId: "cors-config",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("origin") + 1,
+          message: "CORS origin set to true mirrors any requesting origin",
+          severity: "warning",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/ai-smells.ts
+var CONSOLE_LOG_THRESHOLD = 5;
+var ANY_TYPE_THRESHOLD = 5;
+var COMMENTED_CODE_THRESHOLD = 3;
+var aiSmellsRule = {
+  id: "ai-smells",
+  name: "AI Code Smells",
+  description: "Detects TODOs, placeholder functions, excessive console.log, any types, and commented-out code",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    let consoleLogCount = 0;
+    let anyTypeCount = 0;
+    let commentedCodeRun = 0;
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (file.commentMap[i]) {
+        commentedCodeRun = 0;
+        continue;
+      }
+      if (trimmed.startsWith("//")) {
+        const todoMatch = trimmed.match(/\/\/\s*(TODO|FIXME|HACK|XXX)\b(.*)/);
+        if (todoMatch) {
+          findings.push({
+            ruleId: "ai-smells",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(todoMatch[1]) + 1,
+            message: `${todoMatch[1]} comment: ${todoMatch[2].trim() || "(no description)"}`,
+            severity: "info",
+            category: "ai-quality"
+          });
+        }
+        const commentContent = trimmed.slice(2).trim();
+        const looksLikeCode = /^(import |export |const |let |var |function |if |for |while |return |await |async |class |switch )/.test(commentContent) || /[{};=]$/.test(commentContent) || /^\w+\(/.test(commentContent);
+        if (looksLikeCode) {
+          commentedCodeRun++;
+          if (commentedCodeRun === COMMENTED_CODE_THRESHOLD) {
+            findings.push({
+              ruleId: "ai-smells",
+              file: file.relativePath,
+              line: i + 1 - COMMENTED_CODE_THRESHOLD + 1,
+              column: 1,
+              message: `${COMMENTED_CODE_THRESHOLD}+ consecutive lines of commented-out code`,
+              severity: "info",
+              category: "ai-quality"
+            });
+          }
+        } else {
+          commentedCodeRun = 0;
+        }
+        continue;
+      }
+      commentedCodeRun = 0;
+      if (/(?:throw new Error|throw Error)\s*\(\s*['"]not implemented['"]/i.test(line)) {
+        findings.push({
+          ruleId: "ai-smells",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: 'Placeholder "not implemented" function',
+          severity: "warning",
+          category: "ai-quality"
+        });
+      }
+      if (/console\.log\s*\(/.test(line)) {
+        consoleLogCount++;
+      }
+      if (/:\s*any\b/.test(line) || /\bas\s+any\b/.test(line) || /<any>/.test(line)) {
+        anyTypeCount++;
+      }
+    }
+    if (consoleLogCount > CONSOLE_LOG_THRESHOLD) {
+      findings.push({
+        ruleId: "ai-smells",
+        file: file.relativePath,
+        line: 1,
+        column: 1,
+        message: `${consoleLogCount} console.log statements (consider a proper logger)`,
+        severity: "warning",
+        category: "ai-quality"
+      });
+    }
+    if (anyTypeCount > ANY_TYPE_THRESHOLD) {
+      findings.push({
+        ruleId: "ai-smells",
+        file: file.relativePath,
+        line: 1,
+        column: 1,
+        message: `${anyTypeCount} uses of "any" type (consider proper typing)`,
+        severity: "warning",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/rules/unsafe-html.ts
+var unsafeHtmlRule = {
+  id: "unsafe-html",
+  name: "Unsafe HTML Rendering",
+  description: "Detects dangerouslySetInnerHTML and other XSS vectors in JSX/DOM code",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/dangerouslySetInnerHTML\s*=/.test(line) || /dangerouslySetInnerHTML\s*:/.test(line)) {
+        findings.push({
+          ruleId: "unsafe-html",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf("dangerouslySetInnerHTML") + 1,
+          message: "dangerouslySetInnerHTML is an XSS risk \u2014 sanitize with DOMPurify or similar",
+          severity: "critical",
+          category: "security"
+        });
+      }
+      if (/\w\.innerHTML\s*=/.test(line)) {
+        findings.push({
+          ruleId: "unsafe-html",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf(".innerHTML") + 1,
+          message: "Direct innerHTML assignment is an XSS risk",
+          severity: "critical",
+          category: "security"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/sql-injection.ts
+var SQL_INJECTION_PATTERNS = [
+  // Template literals with SQL keywords and interpolation
+  { pattern: /`\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b[^`]*\$\{/, message: "SQL query built with template literal interpolation \u2014 use parameterized queries" },
+  // String concatenation with SQL
+  { pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b.*['"]?\s*\+\s*\w/, message: "SQL query built with string concatenation \u2014 use parameterized queries" },
+  // .query() or .execute() with template literal
+  { pattern: /\.(?:query|execute|raw)\s*\(\s*`[^`]*\$\{/, message: "Database query with template literal interpolation \u2014 use parameterized queries" }
+];
+var sqlInjectionRule = {
+  id: "sql-injection",
+  name: "SQL Injection Risk",
+  description: "Detects SQL queries built with string interpolation or concatenation",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, message } of SQL_INJECTION_PATTERNS) {
+        if (pattern.test(line)) {
+          findings.push({
+            ruleId: "sql-injection",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message,
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/index.ts
+var rules = [
+  secretsRule,
+  hallucinatedImportsRule,
+  authChecksRule,
+  envExposureRule,
+  errorHandlingRule,
+  inputValidationRule,
+  rateLimitingRule,
+  corsConfigRule,
+  aiSmellsRule,
+  unsafeHtmlRule,
+  sqlInjectionRule
+];
+
+// src/scanner.ts
+import { resolve as resolve3 } from "path";
+async function scan(options) {
+  const start = performance.now();
+  const root = resolve3(options.path);
+  const filePaths = await walkFiles(root, options.ignore);
+  const project = await buildProjectContext(root, filePaths);
+  const findings = [];
+  for (const relativePath of filePaths) {
+    const file = await readFileContext(root, relativePath);
+    if (!file) continue;
+    for (const rule of rules) {
+      if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
+        continue;
+      }
+      const ruleFindings = rule.check(file, project);
+      for (const finding of ruleFindings) {
+        if (!isLineSuppressed(file.lines, finding.line - 1, finding.ruleId)) {
+          findings.push(finding);
+        }
+      }
+    }
+  }
+  const { overallScore, categoryScores } = calculateScores(findings);
+  const summary = summarizeFindings(findings);
+  return {
+    version: getVersion(),
+    scannedPath: root,
+    filesScanned: filePaths.length,
+    scanDurationMs: Math.round(performance.now() - start),
+    findings,
+    overallScore,
+    categoryScores,
+    summary
+  };
+}
+
+// src/reporter.ts
+import pc from "picocolors";
+var SEVERITY_COLORS = {
+  critical: pc.red,
+  warning: pc.yellow,
+  info: pc.blue
+};
+var SEVERITY_LABELS = {
+  critical: "CRIT",
+  warning: "WARN",
+  info: "INFO"
+};
+function scoreColor(score) {
+  if (score >= 80) return pc.green;
+  if (score >= 50) return pc.yellow;
+  return pc.red;
+}
+function groupByFile(findings) {
+  const map = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const group = map.get(f.file) ?? [];
+    group.push(f);
+    map.set(f.file, group);
+  }
+  return map;
+}
+function reportPretty(result) {
+  const lines = [];
+  lines.push("");
+  lines.push(pc.bold("  prodlint") + pc.dim(` v${result.version}`));
+  lines.push(pc.dim(`  Scanned ${result.filesScanned} files in ${result.scanDurationMs}ms`));
+  lines.push("");
+  if (result.findings.length > 0) {
+    const grouped = groupByFile(result.findings);
+    for (const [file, findings] of grouped) {
+      lines.push(pc.underline(file));
+      for (const f of findings) {
+        const color = SEVERITY_COLORS[f.severity];
+        const label = SEVERITY_LABELS[f.severity];
+        lines.push(
+          `  ${pc.dim(`${f.line}:${f.column}`)}  ${color(label)}  ${f.message}  ${pc.dim(f.ruleId)}`
+        );
+      }
+      lines.push("");
+    }
+  }
+  lines.push(pc.bold("  Scores"));
+  for (const cs of result.categoryScores) {
+    const color = scoreColor(cs.score);
+    const bar = renderBar(cs.score);
+    lines.push(`  ${cs.category.padEnd(14)} ${color(String(cs.score).padStart(3))} ${bar}  ${pc.dim(`(${cs.findingCount} issues)`)}`);
+  }
+  lines.push("");
+  const overallColor = scoreColor(result.overallScore);
+  lines.push(pc.bold(`  Overall: ${overallColor(String(result.overallScore))}/100`));
+  lines.push("");
+  const { critical, warning, info } = result.summary;
+  const parts = [];
+  if (critical > 0) parts.push(pc.red(`${critical} critical`));
+  if (warning > 0) parts.push(pc.yellow(`${warning} warnings`));
+  if (info > 0) parts.push(pc.blue(`${info} info`));
+  if (parts.length === 0) {
+    lines.push(pc.green("  No issues found!"));
+  } else {
+    lines.push(`  ${parts.join(pc.dim(" \xB7 "))}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function reportJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+function renderBar(score) {
+  const width = 20;
+  const filled = Math.round(score / 100 * width);
+  const empty = width - filled;
+  const color = scoreColor(score);
+  return color("\u2588".repeat(filled)) + pc.dim("\u2591".repeat(empty));
+}
+
+// src/cli.ts
+async function main() {
+  const { values, positionals } = parseArgs({
+    allowPositionals: true,
+    options: {
+      json: { type: "boolean", default: false },
+      ignore: { type: "string", multiple: true, default: [] },
+      help: { type: "boolean", short: "h", default: false },
+      version: { type: "boolean", short: "v", default: false }
+    }
+  });
+  if (values.help) {
+    printHelp();
+    process.exit(0);
+  }
+  if (values.version) {
+    console.log(getVersion());
+    process.exit(0);
+  }
+  const targetPath = positionals[0] ?? ".";
+  const result = await scan({
+    path: targetPath,
+    ignore: values.ignore
+  });
+  if (values.json) {
+    console.log(reportJson(result));
+  } else {
+    console.log(reportPretty(result));
+  }
+  if (result.summary.critical > 0) {
+    process.exit(1);
+  }
+}
+function printHelp() {
+  console.log(`
+  prodlint - Scan AI-generated projects for production readiness issues
+
+  Usage:
+    npx prodlint [path] [options]
+
+  Options:
+    --json             Output results as JSON
+    --ignore <pattern> Glob patterns to ignore (can be repeated)
+    -h, --help         Show this help message
+    -v, --version      Show version
+
+  Examples:
+    npx prodlint                    Scan current directory
+    npx prodlint ./my-app           Scan specific path
+    npx prodlint --json             JSON output
+    npx prodlint --ignore "*.test"  Ignore test files
+`);
+}
+main().catch((err) => {
+  console.error(err);
+  process.exit(2);
+});
+//# sourceMappingURL=cli.js.map