prodlint 0.3.0 → 0.5.0

package/dist/mcp.js

@@ -167,6 +167,133 @@ var NODE_BUILTINS = /* @__PURE__ */ new Set([
   // node: prefixed are handled separately
 ]);
 
+// src/utils/ast.ts
+import { parse } from "@babel/parser";
+function parseFile(content, fileName) {
+  const plugins = ["decorators"];
+  if (/\.tsx?$/.test(fileName)) {
+    plugins.push("typescript");
+  }
+  if (/\.[jt]sx$/.test(fileName)) {
+    plugins.push("jsx");
+  }
+  if (/\.(js|mjs|cjs)$/.test(fileName)) {
+    plugins.push("jsx");
+  }
+  try {
+    return parse(content, {
+      sourceType: "module",
+      allowImportExportEverywhere: true,
+      allowReturnOutsideFunction: true,
+      plugins
+    });
+  } catch {
+    return null;
+  }
+}
+function walkAST(node, visitor, parent = null) {
+  if (!node || typeof node !== "object") return;
+  visitor(node, parent);
+  for (const key of Object.keys(node)) {
+    if (key === "start" || key === "end" || key === "loc" || key === "type") continue;
+    const val = node[key];
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        if (item && typeof item === "object" && item.type) {
+          walkAST(item, visitor, node);
+        }
+      }
+    } else if (val && typeof val === "object" && val.type) {
+      walkAST(val, visitor, node);
+    }
+  }
+}
+function isTaggedTemplateSql(node) {
+  const tag = node.tag;
+  if (tag.type === "Identifier" && tag.name === "sql") return true;
+  if (tag.type === "MemberExpression") {
+    const prop = tag.property;
+    if (prop.type === "Identifier" && (prop.name === "sql" || prop.name === "query" || prop.name === "raw")) {
+      return true;
+    }
+  }
+  return false;
+}
+function findLoopsAST(ast) {
+  const loops = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ForStatement" || node.type === "ForInStatement" || node.type === "ForOfStatement" || node.type === "WhileStatement" || node.type === "DoWhileStatement") {
+      const loop = node;
+      const body = loop.body;
+      if (body.loc && node.loc) {
+        loops.push({
+          loopLine: node.loc.start.line - 1,
+          bodyStart: body.loc.start.line - 1,
+          bodyEnd: body.loc.end.line - 1
+        });
+      }
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "MemberExpression" && call.callee.property.type === "Identifier" && (call.callee.property.name === "forEach" || call.callee.property.name === "map")) {
+        const callback = call.arguments[0];
+        if (callback && callback.loc && node.loc) {
+          loops.push({
+            loopLine: node.loc.start.line - 1,
+            bodyStart: callback.loc.start.line - 1,
+            bodyEnd: callback.loc.end.line - 1
+          });
+        }
+      }
+    }
+  });
+  return loops;
+}
+
+// src/utils/frameworks.ts
+var FRAMEWORK_SAFE_METHODS = {
+  prisma: ["contains", "startsWith", "endsWith", "has", "hasEvery", "hasSome", "isEmpty"],
+  supabase: ["contains", "containedBy", "overlaps", "eq", "neq", "gt", "gte", "lt", "lte"],
+  drizzle: ["arrayContains", "arrayContainedIn", "arrayOverlaps"],
+  lodash: ["flatten", "flattenDeep", "contains", "includes", "has"],
+  mongoose: ["contains"]
+};
+function isFrameworkSafeMethod(methodName, frameworks) {
+  for (const framework of frameworks) {
+    const safeMethods = FRAMEWORK_SAFE_METHODS[framework];
+    if (safeMethods && safeMethods.includes(methodName)) {
+      return true;
+    }
+  }
+  return false;
+}
+var DEPENDENCY_TO_FRAMEWORK = {
+  "@prisma/client": "prisma",
+  "prisma": "prisma",
+  "@supabase/supabase-js": "supabase",
+  "@supabase/ssr": "supabase",
+  "drizzle-orm": "drizzle",
+  "@trpc/server": "trpc",
+  "next-auth": "next-auth",
+  "@auth/nextjs": "next-auth",
+  "@auth/core": "next-auth",
+  "express": "express",
+  "fastify": "fastify",
+  "hono": "hono",
+  "lodash": "lodash",
+  "lodash-es": "lodash",
+  "underscore": "lodash",
+  "mongoose": "mongoose",
+  "typeorm": "typeorm",
+  "sequelize": "sequelize",
+  "knex": "knex",
+  "@upstash/ratelimit": "upstash-ratelimit",
+  "express-rate-limit": "express-rate-limit",
+  "rate-limiter-flexible": "rate-limiter-flexible"
+};
+var SQL_SAFE_ORMS = /* @__PURE__ */ new Set(["prisma", "drizzle", "knex", "typeorm", "sequelize"]);
+var RATE_LIMIT_FRAMEWORKS = /* @__PURE__ */ new Set(["upstash-ratelimit", "express-rate-limit", "rate-limiter-flexible"]);
+
 // src/utils/file-walker.ts
 var DEFAULT_IGNORES = [
   "**/node_modules/**",
@@ -193,6 +320,7 @@ var SCAN_EXTENSIONS = [
   "cjs",
   "json"
 ];
+var AST_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mjs", "cjs"]);
 var MAX_FILE_SIZE = 1024 * 1024;
 async function walkFiles(root, extraIgnores = []) {
   const patterns = SCAN_EXTENSIONS.map((ext) => `**/*.${ext}`);
@@ -217,14 +345,23 @@ async function readFileContext(root, relativePath) {
     if (fileStats.size > MAX_FILE_SIZE) return null;
     const content = await readFile(absolutePath, "utf-8");
     const lines = content.split(/\r?\n|\r/);
+    const ext = extname(relativePath).slice(1);
+    let ast = void 0;
+    if (AST_EXTENSIONS.has(ext)) {
+      try {
+        ast = parseFile(content, relativePath);
+      } catch {
+        ast = null;
+      }
+    }
     return {
       absolutePath,
       relativePath,
       content,
       lines,
-      ext: extname(relativePath).slice(1),
-      // remove leading dot
-      commentMap: buildCommentMap(lines)
+      ext,
+      commentMap: buildCommentMap(lines),
+      ast
     };
   } catch {
     return null;
@@ -235,6 +372,8 @@ async function buildProjectContext(root, files) {
   let declaredDependencies = /* @__PURE__ */ new Set();
   let tsconfigPaths = /* @__PURE__ */ new Set();
   let hasAuthMiddleware = false;
+  let hasRateLimiting = false;
+  const detectedFrameworks = /* @__PURE__ */ new Set();
   let gitignoreContent = null;
   let envInGitignore = false;
   try {
@@ -246,6 +385,18 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
+    for (const dep of declaredDependencies) {
+      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+      if (framework) {
+        detectedFrameworks.add(framework);
+      }
+    }
+    for (const framework of detectedFrameworks) {
+      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+        hasRateLimiting = true;
+        break;
+      }
+    }
   } catch {
   }
   try {
@@ -289,6 +440,18 @@ async function buildProjectContext(root, files) {
     }
   } catch {
   }
+  if (!hasRateLimiting) {
+    for (const name of ["middleware.ts", "middleware.js", "src/middleware.ts", "src/middleware.js"]) {
+      try {
+        const content = await readFile(resolve(root, name), "utf-8");
+        if (/rateLimit/i.test(content) || /throttle/i.test(content)) {
+          hasRateLimiting = true;
+          break;
+        }
+      } catch {
+      }
+    }
+  }
   try {
     gitignoreContent = await readFile(resolve(root, ".gitignore"), "utf-8");
     envInGitignore = /^\.env$/m.test(gitignoreContent) || /^\.env\*$/m.test(gitignoreContent) || /^\.env\.\*$/m.test(gitignoreContent) || /^\.env\.local$/m.test(gitignoreContent);
@@ -300,6 +463,8 @@ async function buildProjectContext(root, files) {
     declaredDependencies,
     tsconfigPaths,
     hasAuthMiddleware,
+    hasRateLimiting,
+    detectedFrameworks,
     gitignoreContent,
     envInGitignore,
     allFiles: files
@@ -324,26 +489,58 @@ function getVersion() {
 
 // src/scorer.ts
 var CATEGORIES = ["security", "reliability", "performance", "ai-quality"];
+var CATEGORY_WEIGHTS = {
+  "security": 0.4,
+  "reliability": 0.3,
+  "performance": 0.15,
+  "ai-quality": 0.15
+};
 var DEDUCTIONS = {
-  critical: 10,
-  warning: 3,
-  info: 1
+  critical: 8,
+  warning: 2,
+  info: 0.5
+};
+var PER_RULE_CAP = {
+  critical: 1,
+  warning: 2,
+  info: 3
 };
 function calculateScores(findings) {
   const categoryScores = CATEGORIES.map((category) => {
     const categoryFindings = findings.filter((f) => f.category === category);
-    let score = 100;
+    const byRule = /* @__PURE__ */ new Map();
     for (const f of categoryFindings) {
-      score -= DEDUCTIONS[f.severity] ?? 0;
+      const arr = byRule.get(f.ruleId) ?? [];
+      arr.push(f);
+      byRule.set(f.ruleId, arr);
+    }
+    let totalDeduction = 0;
+    for (const [, ruleFindings] of byRule) {
+      const bySeverity = { critical: 0, warning: 0, info: 0 };
+      for (const f of ruleFindings) {
+        bySeverity[f.severity]++;
+      }
+      for (const sev of ["critical", "warning", "info"]) {
+        const count = Math.min(bySeverity[sev], PER_RULE_CAP[sev]);
+        totalDeduction += count * DEDUCTIONS[sev];
+      }
+    }
+    let effectiveDeduction;
+    if (totalDeduction <= 30) {
+      effectiveDeduction = totalDeduction;
+    } else if (totalDeduction <= 50) {
+      effectiveDeduction = 30 + (totalDeduction - 30) * 0.5;
+    } else {
+      effectiveDeduction = 30 + (50 - 30) * 0.5 + (totalDeduction - 50) * 0.25;
     }
     return {
       category,
-      score: Math.max(0, score),
+      score: Math.max(0, Math.round(100 - effectiveDeduction)),
       findingCount: categoryFindings.length
     };
   });
   const overallScore = Math.round(
-    categoryScores.reduce((sum, c) => sum + c.score, 0) / CATEGORIES.length
+    categoryScores.reduce((sum, c) => sum + c.score * CATEGORY_WEIGHTS[c.category], 0)
   );
   return { overallScore, categoryScores };
 }
@@ -514,25 +711,36 @@ var AUTH_PATTERNS = [
   /jwt\.verify\s*\(/,
   /createRouteHandlerClient/,
   /createServerComponentClient/,
+  /createMiddlewareClient/,
   /authorization/i,
-  /bearer/i
+  /getAuth\s*\(/,
+  /withPageAuth/,
+  /cookies\(\).*auth/s
 ];
+var MUTATION_EXPORT = /export\s+(?:async\s+)?function\s+(POST|PUT|PATCH|DELETE)\b/;
 var authChecksRule = {
   id: "auth-checks",
   name: "Missing Auth Checks",
   description: "Detects API routes that lack authentication checks",
   category: "security",
-  severity: "critical",
+  severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, project) {
     if (!isApiRoute(file.relativePath)) return [];
     for (const pattern of AUTH_EXEMPT_PATTERNS) {
       if (pattern.test(file.relativePath)) return [];
     }
-    const severity = project.hasAuthMiddleware ? "info" : "critical";
     for (const pattern of AUTH_PATTERNS) {
       if (pattern.test(file.content)) return [];
     }
+    let severity;
+    if (project.hasAuthMiddleware) {
+      severity = "info";
+    } else if (MUTATION_EXPORT.test(file.content)) {
+      severity = "critical";
+    } else {
+      severity = "info";
+    }
     let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
       if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
@@ -629,7 +837,10 @@ var errorHandlingRule = {
     if (!isApiRoute(file.relativePath)) return [];
     const hasFrameworkServe = /\bserve\s*\(/.test(file.content) || /createTRPCHandle/.test(file.content) || /fetchRequestHandler/.test(file.content);
     const hasTryCatch = /try\s*\{/.test(file.content);
-    if (hasTryCatch || hasFrameworkServe) return [];
+    const hasCatchChain = /\.catch\s*\(/.test(file.content);
+    const hasOnError = /onError\s*[:(]/.test(file.content);
+    const hasNextResponseError = /NextResponse\.json\s*\([^)]*(?:error|status:\s*[45]\d{2})/.test(file.content);
+    if (hasTryCatch || hasFrameworkServe || hasCatchChain || hasOnError || hasNextResponseError) return [];
     let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
       if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
@@ -734,10 +945,11 @@ var rateLimitingRule = {
   name: "Missing Rate Limiting",
   description: "Detects API routes without rate limiting",
   category: "security",
-  severity: "warning",
+  severity: "info",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
-  check(file, _project) {
+  check(file, project) {
     if (!isApiRoute(file.relativePath)) return [];
+    if (project.hasRateLimiting) return [];
     for (const pattern of EXEMPT_PATTERNS) {
       if (pattern.test(file.relativePath)) return [];
     }
@@ -757,7 +969,7 @@ var rateLimitingRule = {
       line: handlerLine,
       column: 1,
       message: "No rate limiting \u2014 anyone could spam this endpoint and run up your API costs",
-      severity: "warning",
+      severity: "info",
       category: "security"
     }];
   }
@@ -985,6 +1197,8 @@ var SQL_INJECTION_PATTERNS = [
   // .query() or .execute() with template literal
   { pattern: /\.(?:query|execute|raw)\s*\(\s*`[^`]*\$\{/, message: "Database query with template literal interpolation \u2014 use parameterized queries" }
 ];
+var TAGGED_TEMPLATE_PREFIX = /\b(?:sql|Prisma\.sql|db\.sql|db\.query)\s*`/;
+var PARAMETERIZED_QUERY = /\.(?:query|execute)\s*\([^,]+,\s*\[/;
 var sqlInjectionRule = {
   id: "sql-injection",
   name: "SQL Injection Risk",
@@ -992,20 +1206,42 @@ var sqlInjectionRule = {
   category: "security",
   severity: "critical",
   fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
-  check(file, _project) {
+  check(file, project) {
     const findings = [];
+    const safeTaggedLines = /* @__PURE__ */ new Set();
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type === "TaggedTemplateExpression") {
+            const tagged = node;
+            if (isTaggedTemplateSql(tagged) && tagged.loc) {
+              for (let l = tagged.loc.start.line; l <= tagged.loc.end.line; l++) {
+                safeTaggedLines.add(l);
+              }
+            }
+          }
+        });
+      } catch {
+      }
+    }
+    const usesORM = [...project.detectedFrameworks].some((f) => SQL_SAFE_ORMS.has(f));
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
+      const lineNum = i + 1;
+      if (safeTaggedLines.has(lineNum)) continue;
+      if (!file.ast && TAGGED_TEMPLATE_PREFIX.test(line)) continue;
+      if (PARAMETERIZED_QUERY.test(line)) continue;
       for (const { pattern, message } of SQL_INJECTION_PATTERNS) {
         if (pattern.test(line)) {
+          const severity = usesORM ? "warning" : "critical";
           findings.push({
             ruleId: "sql-injection",
             file: file.relativePath,
-            line: i + 1,
+            line: lineNum,
             column: 1,
             message,
-            severity: "critical",
+            severity,
             category: "security"
           });
           break;
@@ -1027,7 +1263,7 @@ var PLACEHOLDERS = [
   { pattern: /['"]password123['"]/, label: 'Placeholder password "password123"' },
   { pattern: /['"]changeme['"]/, label: 'Placeholder value "changeme"' },
   { pattern: /['"]your-api-key-here['"]/, label: "Placeholder API key" },
-  { pattern: /['"]replace-with-['"]/, label: 'Placeholder "replace-with-" value' },
+  { pattern: /['"]replace-with-[^'"]*['"]/, label: 'Placeholder "replace-with-" value' },
   { pattern: /['"]xxx+['"]/, label: 'Placeholder "xxx" value' },
   { pattern: /['"]TODO:?\s*replace['"/]/i, label: "TODO replace placeholder" }
 ];
@@ -1067,13 +1303,13 @@ var placeholderContentRule = {
 // src/rules/stale-fallback.ts
 var STALE_PATTERNS = [
   { pattern: /['"]http:\/\/localhost:\d+['"]/, label: "Hardcoded localhost URL" },
-  { pattern: /['"]https?:\/\/127\.0\.0\.1[:'"]/, label: "Hardcoded 127.0.0.1 URL" },
-  { pattern: /['"]redis:\/\/localhost['"]/, label: "Hardcoded Redis localhost URL" },
-  { pattern: /['"]mongodb:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
-  { pattern: /['"]mongodb\+srv:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
-  { pattern: /['"]postgres:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
-  { pattern: /['"]postgresql:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
-  { pattern: /['"]amqp:\/\/localhost['"]/, label: "Hardcoded AMQP localhost URL" }
+  { pattern: /['"]https?:\/\/127\.0\.0\.1[/:'"]/, label: "Hardcoded 127.0.0.1 URL" },
+  { pattern: /['"]redis:\/\/localhost[/'"]/, label: "Hardcoded Redis localhost URL" },
+  { pattern: /['"]mongodb:\/\/localhost[/'"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]mongodb\+srv:\/\/localhost[/'"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]postgres:\/\/localhost[/'"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]postgresql:\/\/localhost[/'"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]amqp:\/\/localhost[/'"]/, label: "Hardcoded AMQP localhost URL" }
 ];
 var staleFallbackRule = {
   id: "stale-fallback",
@@ -1112,15 +1348,15 @@ var staleFallbackRule = {
 
 // src/rules/hallucinated-api.ts
 var HALLUCINATED_APIS = [
-  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()" },
-  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()" },
-  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()" },
-  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()" },
-  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()" },
-  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()" },
-  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()" },
-  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)" },
-  { pattern: /\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()" }
+  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()", methodName: "flatten" },
+  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()", methodName: "contains" },
+  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()", methodName: "substr" },
+  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()", methodName: "trimLeft" },
+  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()", methodName: "trimRight" },
+  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()", methodName: "json" },
+  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()", methodName: "abort" },
+  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)", methodName: "isArray" },
+  { pattern: /(?<!Object\.prototype)\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()", methodName: "hasOwnProperty" }
 ];
 var hallucinatedApiRule = {
   id: "hallucinated-api",
@@ -1129,14 +1365,16 @@ var hallucinatedApiRule = {
   category: "ai-quality",
   severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
-  check(file, _project) {
+  check(file, project) {
     const findings = [];
+    const frameworks = project.detectedFrameworks;
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
-      for (const { pattern, fix } of HALLUCINATED_APIS) {
+      for (const { pattern, fix, methodName } of HALLUCINATED_APIS) {
         const match = pattern.exec(line);
         if (match) {
+          if (isFrameworkSafeMethod(methodName, frameworks)) continue;
           findings.push({
             ruleId: "hallucinated-api",
             file: file.relativePath,
@@ -1154,7 +1392,7 @@ var hallucinatedApiRule = {
 };
 
 // src/rules/open-redirect.ts
-var CRITICAL_PATTERNS = [
+var DIRECT_INPUT_PATTERNS = [
   // redirect(searchParams.get(...)) or redirect(searchParams.get('x')!)
   /redirect\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/,
   // redirect(req.query.x) or redirect(request.nextUrl.searchParams.get(...))
@@ -1163,21 +1401,21 @@ var CRITICAL_PATTERNS = [
   /NextResponse\.redirect\s*\(\s*new\s+URL\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/
 ];
 var WARNING_PATTERNS = [
-  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination)\s*[,)]/
+  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination|redirect|goto|to|target|uri|href)\s*[,)]/
 ];
 var openRedirectRule = {
   id: "open-redirect",
   name: "Open Redirect",
   description: "Detects user-controlled input passed directly to redirect functions",
   category: "security",
-  severity: "critical",
+  severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
     const findings = [];
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
-      for (const pattern of CRITICAL_PATTERNS) {
+      for (const pattern of DIRECT_INPUT_PATTERNS) {
         const match = pattern.exec(line);
         if (match) {
           findings.push({
@@ -1186,7 +1424,7 @@ var openRedirectRule = {
             line: i + 1,
             column: match.index + 1,
             message: "User input in redirect \u2014 validate against an allowlist to prevent open redirect",
-            severity: "critical",
+            severity: "warning",
             category: "security"
           });
           break;
@@ -1251,6 +1489,7 @@ var noSyncFsRule = {
 
 // src/rules/no-n-plus-one.ts
 var DB_CALL_PATTERN = /(?:prisma\.\w+\.\w+\(|\.findUnique\s*\(|\.findFirst\s*\(|\.findMany\s*\(|\.insert\s*\(|\.upsert\s*\(|fetch\s*\()/;
+var PROMISE_ALL_MAP = /Promise\.(?:all|allSettled)\s*\(\s*\w+\.map\s*\(/;
 var noNPlusOneRule = {
   id: "no-n-plus-one",
   name: "No N+1 Queries",
@@ -1261,14 +1500,33 @@ var noNPlusOneRule = {
   check(file, _project) {
     if (isTestFile(file.relativePath)) return [];
     if (isScriptFile(file.relativePath)) return [];
+    const promiseAllMapLines = /* @__PURE__ */ new Set();
+    for (let i = 0; i < file.lines.length; i++) {
+      if (PROMISE_ALL_MAP.test(file.lines[i])) {
+        for (let j = Math.max(0, i - 1); j < Math.min(file.lines.length, i + 20); j++) {
+          promiseAllMapLines.add(j);
+        }
+      }
+    }
     const findings = [];
-    const loops = findLoopBodies(file.lines, file.commentMap);
+    let loops;
+    if (file.ast) {
+      try {
+        loops = findLoopsAST(file.ast);
+      } catch {
+        loops = findLoopBodies(file.lines, file.commentMap);
+      }
+    } else {
+      loops = findLoopBodies(file.lines, file.commentMap);
+    }
     const reported = /* @__PURE__ */ new Set();
     for (const loop of loops) {
       if (reported.has(loop.loopLine)) continue;
+      if (promiseAllMapLines.has(loop.loopLine)) continue;
       for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
         if (isCommentLine(file.lines, i, file.commentMap)) continue;
         const line = file.lines[i];
+        if (promiseAllMapLines.has(i)) continue;
         const match = DB_CALL_PATTERN.exec(line);
         if (match) {
           reported.add(loop.loopLine);
@@ -1402,6 +1660,10 @@ var HANDLED_PATTERNS = [
   /Promise\.allSettled/,
   /Promise\.race/
 ];
+var CHAIN_START_PATTERNS = [
+  /\.from\s*\(/,
+  /\.rpc\s*\(/
+];
 var unhandledPromiseRule = {
   id: "unhandled-promise",
   name: "Unhandled Promise",
@@ -1421,6 +1683,19 @@ var unhandledPromiseRule = {
       if (!asyncMatch) continue;
       const isHandled = HANDLED_PATTERNS.some((p) => p.test(trimmed));
       if (isHandled) continue;
+      const isChainContinuation = CHAIN_START_PATTERNS.some((p) => p.test(trimmed));
+      if (isChainContinuation) {
+        let chainHandled = false;
+        for (let j = i - 1; j >= Math.max(0, i - 10); j--) {
+          const prevTrimmed = file.lines[j].trim();
+          if (prevTrimmed === "" || prevTrimmed.endsWith(";")) break;
+          if (/\bawait\b/.test(prevTrimmed) || /\bconst\s+\w/.test(prevTrimmed) || /\blet\s+\w/.test(prevTrimmed) || /=\s*await\b/.test(prevTrimmed) || /\breturn\b/.test(prevTrimmed)) {
+            chainHandled = true;
+            break;
+          }
+        }
+        if (chainHandled) continue;
+      }
       let handledAbove = false;
       for (let j = i - 1; j >= Math.max(0, i - 5); j--) {
         const prevTrimmed = file.lines[j].trim();
@@ -1488,9 +1763,9 @@ var missingErrorBoundaryRule = {
   severity: "info",
   fileExtensions: ["tsx", "jsx", "ts", "js"],
   check(file, project) {
-    const match = file.relativePath.match(/^app\/(.+\/)layout\.(tsx?|jsx?)$/);
+    const match = file.relativePath.match(/^((?:src\/)?app\/)(.+\/)layout\.(tsx?|jsx?)$/);
     if (!match) return [];
-    const dir = "app/" + match[1];
+    const dir = match[1] + match[2];
     const hasErrorBoundary = project.allFiles.some(
       (f) => f.startsWith(dir) && /^error\.(tsx?|jsx?)$/.test(f.slice(dir.length))
     );
@@ -1668,7 +1943,8 @@ var deadExportsRule = {
       (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath)
     );
     const exports = /* @__PURE__ */ new Map();
-    const imports = /* @__PURE__ */ new Set();
+    const imports = /* @__PURE__ */ new Map();
+    const allImportedSymbols = /* @__PURE__ */ new Set();
     const importedFiles = /* @__PURE__ */ new Set();
     for (const file of sourceFiles) {
       if (isEntryPoint(file.relativePath)) continue;
@@ -1692,14 +1968,28 @@ var deadExportsRule = {
     for (const file of files) {
       for (const line of file.lines) {
         let match;
+        const fromMatch = line.match(/from\s+['"]([^'"]+)['"]/);
+        const fromBasename = fromMatch ? fromMatch[1].split("/").pop()?.replace(/\.\w+$/, "") ?? "" : "";
         const bracesRe = /import\s*(?:type\s*)?\{([^}]+)\}\s*from/g;
         while ((match = bracesRe.exec(line)) !== null) {
           const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/)[0].trim()).filter(Boolean);
-          for (const sym of symbols) imports.add(sym);
+          for (const sym of symbols) {
+            allImportedSymbols.add(sym);
+            if (fromBasename) {
+              const set = imports.get(fromBasename) ?? /* @__PURE__ */ new Set();
+              set.add(sym);
+              imports.set(fromBasename, set);
+            }
+          }
         }
         const defaultRe = /import\s+(\w+)\s+from/g;
         while ((match = defaultRe.exec(line)) !== null) {
-          imports.add(match[1]);
+          allImportedSymbols.add(match[1]);
+          if (fromBasename) {
+            const set = imports.get(fromBasename) ?? /* @__PURE__ */ new Set();
+            set.add(match[1]);
+            imports.set(fromBasename, set);
+          }
         }
         const fromRe = /from\s+['"]([^'"]+)['"]/g;
         while ((match = fromRe.exec(line)) !== null) {
@@ -1710,7 +2000,10 @@ var deadExportsRule = {
     const deadByFile = /* @__PURE__ */ new Map();
     for (const [key, loc] of exports) {
       const symbolName = key.split("::")[1];
-      if (!imports.has(symbolName)) {
+      const exportFileBasename = loc.file.split("/").pop()?.replace(/\.\w+$/, "") ?? "";
+      const importSet = imports.get(exportFileBasename);
+      const isImported = importSet?.has(symbolName) ?? false;
+      if (!isImported && !allImportedSymbols.has(symbolName)) {
         deadByFile.set(loc.file, (deadByFile.get(loc.file) ?? 0) + 1);
       }
     }
@@ -1780,12 +2073,33 @@ var shallowCatchRule = {
       if (braceStart === -1) continue;
       let depth = 0;
       let bodyEnd = braceStart;
+      let inSingle = false;
+      let inDouble = false;
+      let inTemplate = false;
       for (let j = braceStart; j < file.lines.length; j++) {
         const line = file.lines[j];
         const startPos = j === braceStart ? line.indexOf("{") : 0;
         for (let k = startPos; k < line.length; k++) {
-          if (line[k] === "{") depth++;
-          if (line[k] === "}") {
+          const ch = line[k];
+          const prev = k > 0 ? line[k - 1] : "";
+          const escaped = prev === "\\" && (k < 2 || line[k - 2] !== "\\");
+          if (!escaped) {
+            if (ch === "'" && !inDouble && !inTemplate) {
+              inSingle = !inSingle;
+              continue;
+            }
+            if (ch === '"' && !inSingle && !inTemplate) {
+              inDouble = !inDouble;
+              continue;
+            }
+            if (ch === "`" && !inSingle && !inDouble) {
+              inTemplate = !inTemplate;
+              continue;
+            }
+          }
+          if (inSingle || inDouble || inTemplate) continue;
+          if (ch === "{") depth++;
+          if (ch === "}") {
             depth--;
             if (depth === 0) {
               bodyEnd = j;
@@ -1952,6 +2266,22 @@ var PHANTOM_PACKAGES = /* @__PURE__ */ new Set([
   "gpt-tokenizer"
   // exists but often confused
 ]);
+var KNOWN_SHORT_PACKAGES = /* @__PURE__ */ new Set([
+  "pg",
+  "ws",
+  "ms",
+  "qs",
+  "ip",
+  "is",
+  "he",
+  "ky",
+  "bl",
+  "rc",
+  "io",
+  "db",
+  "fp",
+  "rx"
+]);
 var SUSPICIOUS_PATTERNS = [
   /^[a-z]{1,2}$/,
   // 1-2 char names
@@ -1990,7 +2320,7 @@ var phantomDependencyRule = {
         });
       }
       for (const pattern of SUSPICIOUS_PATTERNS) {
-        if (pattern.test(name) && !name.startsWith("@")) {
+        if (pattern.test(name) && !name.startsWith("@") && !KNOWN_SHORT_PACKAGES.has(name)) {
           findings.push({
             ruleId: "phantom-dependency",
             file: "package.json",
@@ -2008,6 +2338,210 @@ var phantomDependencyRule = {
   }
 };
 
+// src/rules/insecure-cookie.ts
+var SENSITIVE_COOKIE_NAMES = /['"](?:session|token|auth|sid|jwt)['"]|\.set\s*\(\s*['"](?:session|token|auth|sid|jwt)['"]/i;
+var COOKIE_SET_PATTERNS = [
+  /cookies\(\)\s*\.set\s*\(/,
+  /res\.cookie\s*\(/,
+  /response\.cookies\.set\s*\(/
+];
+var SECURE_OPTIONS = [
+  /httpOnly\s*:\s*true/,
+  /secure\s*:\s*true/,
+  /sameSite\s*:/
+];
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  name: "Insecure Cookie",
+  description: "Detects sensitive cookies set without httpOnly, secure, or sameSite options",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const isCookieSet = COOKIE_SET_PATTERNS.some((p) => p.test(line));
+      if (!isCookieSet) continue;
+      if (!SENSITIVE_COOKIE_NAMES.test(line)) continue;
+      const block = file.lines.slice(i, Math.min(i + 8, file.lines.length)).join("\n");
+      const missingOptions = SECURE_OPTIONS.filter((p) => !p.test(block));
+      if (missingOptions.length > 0) {
+        const missing = [];
+        if (!/httpOnly\s*:\s*true/.test(block)) missing.push("httpOnly");
+        if (!/secure\s*:\s*true/.test(block)) missing.push("secure");
+        if (!/sameSite\s*:/.test(block)) missing.push("sameSite");
+        findings.push({
+          ruleId: "insecure-cookie",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: `Sensitive cookie missing security options: ${missing.join(", ")}`,
+          severity: "warning",
+          category: "security",
+          fix: "Add { httpOnly: true, secure: true, sameSite: 'lax' } to cookie options"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/leaked-env-in-logs.ts
+var CONSOLE_WITH_ENV = /console\.(log|warn|error|info|debug)\s*\([^)]*process\.env\./;
+var leakedEnvInLogsRule = {
+  id: "leaked-env-in-logs",
+  name: "Leaked Env in Logs",
+  description: "Detects process.env values logged to console \u2014 potential secret exposure",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = CONSOLE_WITH_ENV.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "leaked-env-in-logs",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "process.env value in console output \u2014 may leak secrets in production logs",
+          severity: "warning",
+          category: "security",
+          fix: "Remove process.env.* from console output \u2014 log a redacted summary instead"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/insecure-random.ts
+var SECURITY_VAR_NAMES = /(?:token|secret|nonce|key|password|salt|session|csrf|otp|pin|code)/i;
+var MATH_RANDOM = /Math\.random\s*\(\)/;
+var insecureRandomRule = {
+  id: "insecure-random",
+  name: "Insecure Random",
+  description: "Detects Math.random() used near security-sensitive variable names",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = MATH_RANDOM.exec(line);
+      if (!match) continue;
+      const context = file.lines.slice(Math.max(0, i - 2), i + 1).join("\n");
+      if (SECURITY_VAR_NAMES.test(context)) {
+        findings.push({
+          ruleId: "insecure-random",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "Math.random() used in security-sensitive context \u2014 not cryptographically secure",
+          severity: "warning",
+          category: "security",
+          fix: "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive values"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/next-server-action-validation.ts
+var USE_SERVER = /['"]use server['"]/;
+var FORM_DATA_GET = /formData\.get\s*\(/;
+var VALIDATION_PATTERNS2 = [
+  /\.parse\s*\(/,
+  /\.safeParse\s*\(/,
+  /\bvalidate\s*\(/,
+  /\.parseAsync\s*\(/,
+  /\.safeParseAsync\s*\(/
+];
+var nextServerActionValidationRule = {
+  id: "next-server-action-validation",
+  name: "Next.js Server Action Validation",
+  description: "Detects server actions using formData without schema validation \u2014 unvalidated user input",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER.test(file.content)) return [];
+    if (!FORM_DATA_GET.test(file.content)) return [];
+    const hasValidation = VALIDATION_PATTERNS2.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (FORM_DATA_GET.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "next-server-action-validation",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action reads formData without schema validation \u2014 unvalidated user input",
+      severity: "critical",
+      category: "security",
+      fix: "Validate with Zod: const data = schema.safeParse(Object.fromEntries(formData))"
+    }];
+  }
+};
+
+// src/rules/missing-transaction.ts
+var PRISMA_WRITE_OPS = /prisma\.\w+\.(?:create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/;
+var PRISMA_TRANSACTION = /\$transaction\s*\(/;
+var missingTransactionRule = {
+  id: "missing-transaction",
+  name: "Missing Transaction",
+  description: "Detects multiple Prisma write operations without $transaction \u2014 atomicity risk",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    if (!project.declaredDependencies.has("@prisma/client") && !project.detectedFrameworks.has("prisma")) return [];
+    let writeCount = 0;
+    let firstWriteLine = -1;
+    const hasTransaction = PRISMA_TRANSACTION.test(file.content);
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      if (PRISMA_WRITE_OPS.test(file.lines[i])) {
+        writeCount++;
+        if (firstWriteLine === -1) firstWriteLine = i;
+      }
+    }
+    if (writeCount < 2 || hasTransaction) return [];
+    return [{
+      ruleId: "missing-transaction",
+      file: file.relativePath,
+      line: firstWriteLine + 1,
+      column: 1,
+      message: `${writeCount} Prisma write operations without $transaction \u2014 partial writes may leave inconsistent state`,
+      severity: "warning",
+      category: "reliability",
+      fix: "Wrap sequential writes in prisma.$transaction([...]) for atomicity"
+    }];
+  }
+};
+
 // src/rules/index.ts
 var rules = [
   // Security
@@ -2021,6 +2555,10 @@ var rules = [
   openRedirectRule,
   rateLimitingRule,
   phantomDependencyRule,
+  insecureCookieRule,
+  leakedEnvInLogsRule,
+  insecureRandomRule,
+  nextServerActionValidationRule,
   // Reliability
   hallucinatedImportsRule,
   errorHandlingRule,
@@ -2028,6 +2566,7 @@ var rules = [
   shallowCatchRule,
   missingLoadingStateRule,
   missingErrorBoundaryRule,
+  missingTransactionRule,
   // Performance
   noSyncFsRule,
   noNPlusOneRule,