prodlint 0.5.0 → 0.6.0

package/dist/cli.js

@@ -314,7 +314,8 @@ var SCAN_EXTENSIONS = [
   "jsx",
   "mjs",
   "cjs",
-  "json"
+  "json",
+  "sql"
 ];
 var AST_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mjs", "cjs"]);
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -2538,6 +2539,1058 @@ var missingTransactionRule = {
   }
 };
 
+// src/rules/redirect-in-try-catch.ts
+var redirectInTryCatchRule = {
+  id: "redirect-in-try-catch",
+  name: "Redirect Inside Try/Catch",
+  description: "Detects Next.js redirect() inside try/catch blocks \u2014 redirect throws internally and the catch swallows it",
+  category: "reliability",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/redirect\s*\(/.test(file.content)) return [];
+    const findings = [];
+    let tryDepth = 0;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (/\btry\s*\{/.test(trimmed) || trimmed === "try {") {
+        tryDepth++;
+      }
+      if (/\}\s*catch\s*[\s(]/.test(trimmed)) {
+      }
+      if (tryDepth > 0) {
+        const match = /\bredirect\s*\(/.exec(line);
+        if (match && !/\/\//.test(line.slice(0, match.index))) {
+          findings.push({
+            ruleId: "redirect-in-try-catch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "redirect() inside try/catch \u2014 Next.js redirect throws internally, the catch block will intercept it",
+            severity: "critical",
+            category: "reliability",
+            fix: 'Move redirect() outside the try/catch block, or re-throw redirect errors in the catch: if (e instanceof Error && e.message === "NEXT_REDIRECT") throw e'
+          });
+        }
+      }
+      for (const ch of trimmed) {
+        if (ch === "{" && tryDepth > 0) {
+        }
+      }
+      if (tryDepth > 0 && /^\}\s*$/.test(trimmed)) {
+        let nextLine = "";
+        for (let j = i + 1; j < file.lines.length; j++) {
+          nextLine = file.lines[j].trim();
+          if (nextLine) break;
+        }
+        if (!/^catch\b/.test(nextLine) && !/^finally\b/.test(nextLine)) {
+          tryDepth--;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-revalidation.ts
+var USE_SERVER2 = /['"]use server['"]/;
+var DB_MUTATIONS = [
+  /\.insert\s*\(/,
+  /\.update\s*\(/,
+  /\.delete\s*\(/,
+  /\.upsert\s*\(/,
+  /\.create\s*\(/,
+  /\.createMany\s*\(/,
+  /\.updateMany\s*\(/,
+  /\.deleteMany\s*\(/,
+  /\.remove\s*\(/,
+  /\.save\s*\(/,
+  /\.destroy\s*\(/
+];
+var REVALIDATION = [
+  /revalidatePath\s*\(/,
+  /revalidateTag\s*\(/,
+  /redirect\s*\(/
+];
+var missingRevalidationRule = {
+  id: "missing-revalidation",
+  name: "Missing Revalidation After Mutation",
+  description: "Detects server actions that mutate data without calling revalidatePath or revalidateTag \u2014 UI shows stale data",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER2.test(file.content)) return [];
+    const hasMutation = DB_MUTATIONS.some((p) => p.test(file.content));
+    if (!hasMutation) return [];
+    const hasRevalidation = REVALIDATION.some((p) => p.test(file.content));
+    if (hasRevalidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (DB_MUTATIONS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-revalidation",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action mutates data without revalidatePath() or revalidateTag() \u2014 UI will show stale data",
+      severity: "warning",
+      category: "reliability",
+      fix: 'Add revalidatePath("/affected-route") after the mutation'
+    }];
+  }
+};
+
+// src/rules/use-client-overuse.ts
+var CLIENT_APIS = [
+  /\buseState\b/,
+  /\buseEffect\b/,
+  /\buseRef\b/,
+  /\buseReducer\b/,
+  /\buseCallback\b/,
+  /\buseMemo\b/,
+  /\buseContext\b/,
+  /\buseLayoutEffect\b/,
+  /\buseInsertionEffect\b/,
+  /\buseTransition\b/,
+  /\buseDeferredValue\b/,
+  /\buseSyncExternalStore\b/,
+  /\buseFormStatus\b/,
+  /\buseFormState\b/,
+  /\buseOptimistic\b/,
+  /\bonClick\b\s*[=:]/,
+  /\bonChange\b\s*[=:]/,
+  /\bonSubmit\b\s*[=:]/,
+  /\bonBlur\b\s*[=:]/,
+  /\bonFocus\b\s*[=:]/,
+  /\bonKeyDown\b\s*[=:]/,
+  /\bonKeyUp\b\s*[=:]/,
+  /\bonMouseDown\b\s*[=:]/,
+  /\bonMouseUp\b\s*[=:]/,
+  /\bonScroll\b\s*[=:]/,
+  /\bonInput\b\s*[=:]/,
+  /\bonDrag\b/,
+  /\bonDrop\b/,
+  /\bonTouchStart\b/,
+  /\bcreateContext\b/,
+  /\bwindow\./,
+  /\bdocument\./,
+  /\blocalStorage\b/,
+  /\bsessionStorage\b/,
+  /\bnavigator\b/,
+  /\bIntersectionObserver\b/,
+  /\bResizeObserver\b/,
+  /\bMutationObserver\b/
+];
+var useClientOveruseRule = {
+  id: "use-client-overuse",
+  name: '"use client" Overuse',
+  description: `Detects files with "use client" that don't use any client-side APIs \u2014 unnecessary client rendering`,
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const usesClientApi = CLIENT_APIS.some((p) => p.test(file.content));
+    if (usesClientApi) return [];
+    return [{
+      ruleId: "use-client-overuse",
+      file: file.relativePath,
+      line: 1,
+      column: 1,
+      message: '"use client" directive but no client-side APIs (hooks, event handlers, browser APIs) \u2014 this component could be a server component',
+      severity: "info",
+      category: "ai-quality",
+      fix: 'Remove "use client" to let Next.js render this as a server component for better performance'
+    }];
+  }
+};
+
+// src/rules/env-fallback-secret.ts
+var SENSITIVE_ENV = /process\.env\.(JWT_SECRET|SECRET_KEY|AUTH_SECRET|SESSION_SECRET|ENCRYPTION_KEY|API_SECRET|PRIVATE_KEY|SIGNING_KEY|NEXTAUTH_SECRET|TOKEN_SECRET|APP_SECRET|COOKIE_SECRET|HASH_SECRET)\s*(?:\|\||&&|\?\?)\s*['"`]/i;
+var ENV_FALLBACK = /process\.env\.\w*(SECRET|KEY|PASSWORD|TOKEN)\w*\s*(?:\|\||\?\?)\s*['"`]/i;
+var envFallbackSecretRule = {
+  id: "env-fallback-secret",
+  name: "Secret with Fallback Value",
+  description: "Detects security-sensitive env vars with hardcoded fallback values \u2014 if the env var is missing, the fallback becomes the production secret",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const directMatch = SENSITIVE_ENV.exec(line);
+      if (directMatch) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: directMatch.index + 1,
+          message: `Secret env var has a hardcoded fallback \u2014 if ${directMatch[1] || "the var"} is unset, this literal becomes the production secret`,
+          severity: "critical",
+          category: "security",
+          fix: 'Throw an error if the env var is missing: const secret = process.env.SECRET ?? (() => { throw new Error("SECRET is required") })()'
+        });
+        continue;
+      }
+      const genericMatch = ENV_FALLBACK.exec(line);
+      if (genericMatch && !isConfigFile(file.relativePath)) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: genericMatch.index + 1,
+          message: "Security-sensitive env var has a hardcoded fallback \u2014 defaults to a literal string when missing",
+          severity: "warning",
+          category: "security",
+          fix: "Fail fast when required env vars are missing instead of falling back to a default value"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/verbose-error-response.ts
+var ERROR_LEAK_PATTERNS = [
+  { pattern: /error\.stack/, msg: "error.stack exposed \u2014 leaks internal file paths and code structure" },
+  { pattern: /error\.message/, msg: "error.message may leak internal details to clients" }
+];
+var verboseErrorResponseRule = {
+  id: "verbose-error-response",
+  name: "Verbose Error Response",
+  description: "Detects error details (stack traces, error messages) sent directly in API responses",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of ERROR_LEAK_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = pattern.source.includes("stack") ? "warning" : "info";
+          findings.push({
+            ruleId: "verbose-error-response",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: 'Return a generic error message: { error: "Internal server error" }. Log the real error server-side.'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-webhook-verification.ts
+var WEBHOOK_PATH = /webhook/i;
+var VERIFICATION_PATTERNS = [
+  /constructEvent\s*\(/,
+  // Stripe
+  /webhooks\.verify\s*\(/,
+  // Clerk, GitHub
+  /verify\s*\(/,
+  // Generic
+  /verifySignature\s*\(/,
+  // Generic
+  /validateWebhook\s*\(/,
+  // Generic
+  /svix.*verify/i,
+  // Svix (used by Clerk, Resend)
+  /crypto\.timingSafeEqual\s*\(/,
+  // Manual HMAC comparison
+  /hmac/i,
+  // HMAC verification
+  /x-hub-signature/i,
+  // GitHub webhooks
+  /stripe-signature/i,
+  // Stripe signature header
+  /svix-signature/i,
+  // Svix signature header
+  /webhook-secret/i
+];
+var missingWebhookVerificationRule = {
+  id: "missing-webhook-verification",
+  name: "Missing Webhook Verification",
+  description: "Detects webhook endpoints without signature verification \u2014 anyone can send fake events",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath)) return [];
+    if (!WEBHOOK_PATH.test(file.relativePath)) return [];
+    const hasVerification = VERIFICATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasVerification) return [];
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+POST\b/.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-webhook-verification",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "Webhook endpoint has no signature verification \u2014 anyone can forge events to this route",
+      severity: "critical",
+      category: "security",
+      fix: "Verify the webhook signature before processing. For Stripe: stripe.webhooks.constructEvent(body, sig, secret)"
+    }];
+  }
+};
+
+// src/rules/server-action-auth.ts
+var USE_SERVER3 = /['"]use server['"]/;
+var AUTH_PATTERNS2 = [
+  /getServerSession\s*\(/,
+  /getSession\s*\(/,
+  /\.auth\.getUser\s*\(/,
+  /auth\(\)/,
+  /authenticate\s*\(/,
+  /isAuthenticated/,
+  /requireAuth/,
+  /withAuth/,
+  /getToken\s*\(/,
+  /verifyToken\s*\(/,
+  /jwt\.verify\s*\(/,
+  /createServerComponentClient/,
+  /currentUser\s*\(/,
+  /getAuth\s*\(/,
+  /cookies\(\).*auth/s,
+  /session/i
+];
+var PUBLIC_ACTION_NAMES = [
+  /contact/i,
+  /subscribe/i,
+  /newsletter/i,
+  /feedback/i,
+  /signup/i,
+  /login/i,
+  /register/i
+];
+var serverActionAuthRule = {
+  id: "server-action-auth",
+  name: "Server Action Without Auth",
+  description: "Detects server actions that perform mutations without any authentication check",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER3.test(file.content)) return [];
+    if (project.hasAuthMiddleware) return [];
+    for (const p of PUBLIC_ACTION_NAMES) {
+      if (p.test(file.relativePath)) return [];
+    }
+    const hasAuth = AUTH_PATTERNS2.some((p) => p.test(file.content));
+    if (hasAuth) return [];
+    const hasMutation = /\.(insert|update|delete|create|upsert|remove|destroy|save|push|set)\s*\(/i.test(file.content) || /\b(INSERT|UPDATE|DELETE)\b/.test(file.content);
+    if (!hasMutation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (USE_SERVER3.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "server-action-auth",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action performs mutations without any authentication check \u2014 anyone can call this action",
+      severity: "warning",
+      category: "security",
+      fix: 'Add auth check: const session = await auth(); if (!session) throw new Error("Unauthorized")'
+    }];
+  }
+};
+
+// src/rules/eval-injection.ts
+var EVAL_PATTERNS = [
+  { pattern: /\beval\s*\(/, msg: "eval() executes arbitrary code \u2014 never use with dynamic input" },
+  { pattern: /\bnew\s+Function\s*\(/, msg: "new Function() is equivalent to eval \u2014 avoid dynamic code execution" },
+  { pattern: /\bsetTimeout\s*\(\s*['"`]/, msg: "setTimeout with a string argument is eval \u2014 pass a function instead" },
+  { pattern: /\bsetInterval\s*\(\s*['"`]/, msg: "setInterval with a string argument is eval \u2014 pass a function instead" }
+];
+var evalInjectionRule = {
+  id: "eval-injection",
+  name: "Eval / Code Injection",
+  description: "Detects eval(), new Function(), and string arguments to setTimeout/setInterval",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of EVAL_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "eval-injection",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-useeffect-cleanup.ts
+var NEEDS_CLEANUP = [
+  /\bsetInterval\s*\(/,
+  /\baddEventListener\s*\(/,
+  /\.subscribe\s*\(/,
+  /\.on\s*\(\s*['"`]/,
+  /new\s+WebSocket\s*\(/,
+  /new\s+EventSource\s*\(/,
+  /new\s+IntersectionObserver\s*\(/,
+  /new\s+ResizeObserver\s*\(/,
+  /new\s+MutationObserver\s*\(/
+];
+var missingUseEffectCleanupRule = {
+  id: "missing-useeffect-cleanup",
+  name: "Missing useEffect Cleanup",
+  description: "Detects useEffect hooks with subscriptions or timers but no cleanup return function \u2014 causes memory leaks",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    if (!/useEffect/.test(file.content)) return [];
+    const findings = [];
+    const lines = file.lines;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!/\buseEffect\s*\(/.test(line)) continue;
+      let braceDepth = 0;
+      let effectStart = -1;
+      let effectEnd = -1;
+      let started = false;
+      for (let j = i; j < lines.length && j < i + 100; j++) {
+        for (const ch of lines[j]) {
+          if (ch === "(") {
+            if (!started) {
+              started = true;
+            }
+            braceDepth++;
+          } else if (ch === ")") {
+            braceDepth--;
+            if (started && braceDepth === 0) {
+              effectEnd = j;
+              break;
+            }
+          } else if (ch === "{" && effectStart === -1 && started) {
+            effectStart = j;
+          }
+        }
+        if (effectEnd !== -1) break;
+      }
+      if (effectStart === -1 || effectEnd === -1) continue;
+      const effectBody = lines.slice(effectStart, effectEnd + 1).join("\n");
+      const needsCleanup = NEEDS_CLEANUP.some((p) => p.test(effectBody));
+      if (!needsCleanup) continue;
+      const hasReturn = /return\s*(?:\(\s*\)\s*=>|function|\(\))/.test(effectBody) || /return\s*\(\s*\)\s*\{/.test(effectBody) || /return\s+\w+\s*;?\s*$/.test(effectBody);
+      if (!hasReturn) {
+        const hasCleanupReturn = /return\s+(?:\(\)|(?:\(\s*\)\s*=>)|(?:function))/.test(effectBody);
+        if (!hasCleanupReturn) {
+          findings.push({
+            ruleId: "missing-useeffect-cleanup",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message: "useEffect with subscription/timer but no cleanup return \u2014 will leak memory on unmount",
+            severity: "warning",
+            category: "reliability",
+            fix: "Return a cleanup function: useEffect(() => { const id = setInterval(...); return () => clearInterval(id); }, [])"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/next-public-sensitive.ts
+var SENSITIVE_PATTERN = /NEXT_PUBLIC_\w*(SECRET|PRIVATE|PASSWORD|DATABASE_URL|SERVICE_ROLE|SERVICE_KEY|ADMIN_KEY|sk_live|sk_test|SIGNING|ENCRYPTION)/i;
+var nextPublicSensitiveRule = {
+  id: "next-public-sensitive",
+  name: "Sensitive Env Var with NEXT_PUBLIC_ Prefix",
+  description: "Detects NEXT_PUBLIC_ prefix on environment variables that should be server-only \u2014 exposes secrets to the browser",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "env", "env.local", "env.production"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = SENSITIVE_PATTERN.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "next-public-sensitive",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `NEXT_PUBLIC_ prefix on a sensitive env var \u2014 this value will be embedded in the client-side JavaScript bundle`,
+          severity: "critical",
+          category: "security",
+          fix: "Remove the NEXT_PUBLIC_ prefix. Access this value only in server components, API routes, or server actions."
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/ssrf-risk.ts
+var USER_INPUT_IN_FETCH = [
+  /fetch\s*\(\s*(?:req|request)\.(?:body|query|params|nextUrl)/,
+  /fetch\s*\(\s*(?:url|href|endpoint|target|link|src)\s*[,)]/,
+  /fetch\s*\(\s*searchParams\.get\s*\(/,
+  /fetch\s*\(\s*formData\.get\s*\(/,
+  /new\s+URL\s*\(\s*(?:req|request)\.(?:body|query)/,
+  /axios\s*[.(]\s*(?:req|request)\.(?:body|query)/,
+  /axios\.get\s*\(\s*(?:url|href|endpoint|target|link)\s*[,)]/
+];
+var VALIDATION_PATTERNS3 = [
+  /allowlist/i,
+  /allowedUrls/i,
+  /allowedHosts/i,
+  /allowedDomains/i,
+  /whitelist/i,
+  /validUrl/i,
+  /validateUrl/i,
+  /URL\.canParse/,
+  /new\s+URL\s*\(.*\)\.host/,
+  /\.startsWith\s*\(\s*['"]https?:\/\//,
+  /\.hostname\s*[!=]==?\s*['"`]/
+];
+var ssrfRiskRule = {
+  id: "ssrf-risk",
+  name: "SSRF Risk",
+  description: "Detects fetch/HTTP calls with user-controlled URLs without validation \u2014 allows attackers to probe internal services",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const hasValidation = VALIDATION_PATTERNS3.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of USER_INPUT_IN_FETCH) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "ssrf-risk",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "User-controlled URL passed to fetch \u2014 validate against an allowlist to prevent SSRF",
+            severity: "warning",
+            category: "security",
+            fix: "Validate the URL against an allowlist of permitted domains before making the request"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/path-traversal.ts
+var FS_WITH_USER_INPUT = [
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File read with user-controlled path \u2014 allows reading arbitrary files" },
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:filePath|fileName|path|file|name)\s*[,)]/, msg: "File read with potentially user-controlled path \u2014 validate before use" },
+  { pattern: /(?:writeFile|writeFileSync|createWriteStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File write with user-controlled path \u2014 allows writing arbitrary files" },
+  { pattern: /(?:unlink|unlinkSync|rm|rmSync)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File delete with user-controlled path \u2014 allows deleting arbitrary files" },
+  { pattern: /path\.join\s*\([^)]*(?:req|request)\.(?:query|body|params)/, msg: "path.join with user input \u2014 still vulnerable to traversal with ../" },
+  { pattern: /\.sendFile\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "express.sendFile with user-controlled path \u2014 validate against a base directory" }
+];
+var SANITIZATION_PATTERNS = [
+  /path\.resolve\s*\(.*\)\.startsWith/,
+  /\.replace\s*\(\s*['"]\.\.['"],?\s*['"].*['"]\s*\)/,
+  /\.includes\s*\(\s*['"]\.\.['"].*\)/,
+  /normalize/,
+  /sanitize/i,
+  /realpath/
+];
+var pathTraversalRule = {
+  id: "path-traversal",
+  name: "Path Traversal",
+  description: "Detects filesystem operations with user-controlled paths \u2014 allows reading/writing arbitrary files via ../ sequences",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const hasSanitization = SANITIZATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasSanitization) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of FS_WITH_USER_INPUT) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = /req|request/.test(match[0]) ? "critical" : "warning";
+          findings.push({
+            ruleId: "path-traversal",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: "Validate the resolved path starts with an expected base directory: path.resolve(base, input).startsWith(path.resolve(base))"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hydration-mismatch.ts
+var BROWSER_ONLY_PATTERNS = [
+  { pattern: /\bwindow\./, msg: "window access in server-rendered code \u2014 will differ between server and client" },
+  { pattern: /\bdocument\./, msg: "document access in server-rendered code \u2014 undefined on the server" },
+  { pattern: /\blocalStorage\b/, msg: "localStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bsessionStorage\b/, msg: "sessionStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bnavigator\./, msg: "navigator access in render path \u2014 undefined on server" }
+];
+var NONDETERMINISTIC_PATTERNS = [
+  { pattern: /\bnew\s+Date\s*\(\s*\)/, msg: "new Date() in render path \u2014 server and client will have different timestamps, causing hydration mismatch" },
+  { pattern: /\bDate\.now\s*\(\s*\)/, msg: "Date.now() in render path \u2014 different on server vs client" },
+  { pattern: /\bMath\.random\s*\(\s*\)/, msg: "Math.random() in render path \u2014 produces different values on server vs client" }
+];
+var hydrationMismatchRule = {
+  id: "hydration-mismatch",
+  name: "Hydration Mismatch Risk",
+  description: "Detects browser-only APIs and non-deterministic calls in server component render paths",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    let insideUseEffect = false;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/\buseEffect\s*\(/.test(line)) {
+        insideUseEffect = true;
+      }
+      if (insideUseEffect) {
+        if (/^\s*\}\s*,\s*\[/.test(line) || /^\s*\}\s*\)\s*;?\s*$/.test(line)) {
+          insideUseEffect = false;
+        }
+        continue;
+      }
+      for (const { pattern, msg } of [...BROWSER_ONLY_PATTERNS, ...NONDETERMINISTIC_PATTERNS]) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "hydration-mismatch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "warning",
+            category: "reliability",
+            fix: 'Move this to a useEffect hook, or add "use client" if this component needs browser APIs'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/server-component-fetch-self.ts
+var SELF_FETCH_PATTERNS = [
+  /fetch\s*\(\s*['"`]\/api\//,
+  /fetch\s*\(\s*['"`]http:\/\/localhost/,
+  /fetch\s*\(\s*['"`]https?:\/\/localhost/,
+  /fetch\s*\(\s*`\$\{.*\}\/api\//,
+  /fetch\s*\(\s*(?:process\.env\.\w+\s*\+\s*)?['"`]\/api\//
+];
+var serverComponentFetchSelfRule = {
+  id: "server-component-fetch-self",
+  name: "Server Component Fetching Own API",
+  description: "Detects server components that fetch their own API routes instead of calling data logic directly \u2014 unnecessary network roundtrip",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of SELF_FETCH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "server-component-fetch-self",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Server component fetches its own API route \u2014 call the data logic directly instead of making a network request to yourself",
+            severity: "info",
+            category: "performance",
+            fix: 'Import and call the data function directly instead of fetch("/api/...")'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/unsafe-file-upload.ts
+var UPLOAD_PATTERNS = [
+  /\.get\s*\(\s*['"`]file['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]image['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]upload['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]attachment['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]document['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]avatar['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]photo['"`]\s*\)/,
+  /\.type\s*===?\s*['"`]file['"`]/,
+  /req\.file\b/,
+  /multer/i,
+  /busboy/i,
+  /formidable/i
+];
+var VALIDATION_PATTERNS4 = [
+  /\.type\b.*(?:image|video|audio|pdf|text)\//,
+  /content-type/i,
+  /mime/i,
+  /\.size\s*[><!]/,
+  /maxFileSize/i,
+  /maxSize/i,
+  /fileSizeLimit/i,
+  /allowedTypes/i,
+  /acceptedTypes/i,
+  /fileFilter/i,
+  /\.endsWith\s*\(\s*['"`]\./,
+  /\.extension/i
+];
+var unsafeFileUploadRule = {
+  id: "unsafe-file-upload",
+  name: "Unsafe File Upload",
+  description: "Detects file upload handlers without type or size validation",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const hasUpload = UPLOAD_PATTERNS.some((p) => p.test(file.content));
+    if (!hasUpload) return [];
+    const hasValidation = VALIDATION_PATTERNS4.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (UPLOAD_PATTERNS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "unsafe-file-upload",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "File upload without type or size validation \u2014 accepts any file type and size",
+      severity: "warning",
+      category: "security",
+      fix: "Validate file type (check MIME type, not just extension) and enforce a size limit before processing"
+    }];
+  }
+};
+
+// src/rules/supabase-missing-rls.ts
+var CREATE_TABLE = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi;
+var ENABLE_RLS = /ALTER\s+TABLE\s+(?:(?:public|"public")\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
+var supabaseMissingRlsRule = {
+  id: "supabase-missing-rls",
+  name: "Missing Row-Level Security",
+  description: "Detects SQL migrations that create tables without enabling Row-Level Security \u2014 all data is publicly accessible",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["sql"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/migration|supabase|schema/i.test(file.relativePath)) return [];
+    const content = file.content;
+    const findings = [];
+    const tables = [];
+    CREATE_TABLE.lastIndex = 0;
+    let match;
+    while ((match = CREATE_TABLE.exec(content)) !== null) {
+      const name = match[1];
+      if (name.startsWith("_") || name === "schema_migrations") continue;
+      const beforeMatch = content.slice(0, match.index);
+      const line = beforeMatch.split("\n").length;
+      tables.push({ name, line });
+    }
+    if (tables.length === 0) return [];
+    const rlsTables = /* @__PURE__ */ new Set();
+    ENABLE_RLS.lastIndex = 0;
+    while ((match = ENABLE_RLS.exec(content)) !== null) {
+      rlsTables.add(match[1].toLowerCase());
+    }
+    for (const filePath of project.allFiles) {
+      if (!filePath.endsWith(".sql")) continue;
+      if (filePath === file.relativePath) continue;
+    }
+    for (const table of tables) {
+      if (!rlsTables.has(table.name.toLowerCase())) {
+        findings.push({
+          ruleId: "supabase-missing-rls",
+          file: file.relativePath,
+          line: table.line,
+          column: 1,
+          message: `Table "${table.name}" created without ENABLE ROW LEVEL SECURITY \u2014 all rows are publicly accessible via the Supabase API`,
+          severity: "critical",
+          category: "security",
+          fix: `Add: ALTER TABLE ${table.name} ENABLE ROW LEVEL SECURITY; and create appropriate policies`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/deprecated-oauth-flow.ts
+var IMPLICIT_GRANT = /response_type\s*[=:]\s*['"`]?token['"`]?/;
+var deprecatedOauthFlowRule = {
+  id: "deprecated-oauth-flow",
+  name: "Deprecated OAuth Flow",
+  description: "Detects OAuth Implicit Grant flow (response_type=token) \u2014 deprecated in OAuth 2.1, vulnerable to token interception",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = IMPLICIT_GRANT.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "deprecated-oauth-flow",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "OAuth Implicit Grant flow (response_type=token) is deprecated \u2014 tokens are exposed in the URL fragment",
+          severity: "warning",
+          category: "security",
+          fix: "Use Authorization Code flow with PKCE: response_type=code with code_challenge and code_verifier"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/jwt-no-expiry.ts
+var JWT_SIGN = /jwt\.sign\s*\(/;
+var HAS_EXPIRY = [
+  /expiresIn/,
+  /exp\s*:/,
+  /expirationTime/,
+  /maxAge/
+];
+var jwtNoExpiryRule = {
+  id: "jwt-no-expiry",
+  name: "JWT Without Expiration",
+  description: "Detects jwt.sign() calls without an expiresIn option \u2014 tokens never expire, compromised tokens are valid forever",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!JWT_SIGN.test(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = JWT_SIGN.exec(line);
+      if (!match) continue;
+      const context = file.lines.slice(i, i + 6).join("\n");
+      const hasExpiry = HAS_EXPIRY.some((p) => p.test(context));
+      if (!hasExpiry) {
+        findings.push({
+          ruleId: "jwt-no-expiry",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "jwt.sign() without expiresIn \u2014 tokens never expire, a compromised token is valid forever",
+          severity: "warning",
+          category: "security",
+          fix: 'Add expiration: jwt.sign(payload, secret, { expiresIn: "1h" })'
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/client-side-auth-only.ts
+var CLIENT_AUTH_PATTERNS = [
+  /localStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/,
+  /sessionStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/
+];
+var PASSWORD_CHECK = /(?:password|passwd)\s*[!=]==?\s*['"`]/;
+var clientSideAuthOnlyRule = {
+  id: "client-side-auth-only",
+  name: "Client-Side Auth Only",
+  description: "Detects authentication logic implemented only in client-side code \u2014 easily bypassed via browser DevTools",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const match = PASSWORD_CHECK.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "client-side-auth-only",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "Password comparison in client-side code \u2014 the password is visible in the JavaScript bundle",
+          severity: "critical",
+          category: "security",
+          fix: "Move authentication logic to a server action or API route"
+        });
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      for (const pattern of CLIENT_AUTH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "client-side-auth-only",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Auth token in localStorage \u2014 accessible to any script on the page (XSS risk). Use httpOnly cookies instead.",
+            severity: "warning",
+            category: "security",
+            fix: "Store auth tokens in httpOnly cookies set by the server, not in localStorage"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-abort-controller.ts
+var FETCH_CALL = /\bfetch\s*\(/;
+var HAS_TIMEOUT = [
+  /AbortController/,
+  /abort/i,
+  /signal\s*:/,
+  /timeout/i,
+  /setTimeout.*abort/s
+];
+var missingAbortControllerRule = {
+  id: "missing-abort-controller",
+  name: "Missing Abort Controller",
+  description: "Detects fetch calls in API routes without timeout or AbortController \u2014 requests can hang indefinitely",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    if (!FETCH_CALL.test(file.content)) return [];
+    const hasTimeout = HAS_TIMEOUT.some((p) => p.test(file.content));
+    if (hasTimeout) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      if (FETCH_CALL.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-abort-controller",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "fetch() without timeout or AbortController \u2014 request will hang indefinitely if the upstream server doesn't respond",
+      severity: "info",
+      category: "performance",
+      fix: "Add a timeout: const controller = new AbortController(); setTimeout(() => controller.abort(), 10000); fetch(url, { signal: controller.signal })"
+    }];
+  }
+};
+
 // src/rules/index.ts
 var rules = [
   // Security
@@ -2555,6 +3608,19 @@ var rules = [
   leakedEnvInLogsRule,
   insecureRandomRule,
   nextServerActionValidationRule,
+  envFallbackSecretRule,
+  verboseErrorResponseRule,
+  missingWebhookVerificationRule,
+  serverActionAuthRule,
+  evalInjectionRule,
+  nextPublicSensitiveRule,
+  ssrfRiskRule,
+  pathTraversalRule,
+  unsafeFileUploadRule,
+  supabaseMissingRlsRule,
+  deprecatedOauthFlowRule,
+  jwtNoExpiryRule,
+  clientSideAuthOnlyRule,
   // Reliability
   hallucinatedImportsRule,
   errorHandlingRule,
@@ -2563,11 +3629,17 @@ var rules = [
   missingLoadingStateRule,
   missingErrorBoundaryRule,
   missingTransactionRule,
+  redirectInTryCatchRule,
+  missingRevalidationRule,
+  missingUseEffectCleanupRule,
+  hydrationMismatchRule,
   // Performance
   noSyncFsRule,
   noNPlusOneRule,
   noUnboundedQueryRule,
   noDynamicImportLoopRule,
+  serverComponentFetchSelfRule,
+  missingAbortControllerRule,
   // AI Quality
   aiSmellsRule,
   placeholderContentRule,
@@ -2575,7 +3647,8 @@ var rules = [
   staleFallbackRule,
   comprehensionDebtRule,
   codebaseConsistencyRule,
-  deadExportsRule
+  deadExportsRule,
+  useClientOveruseRule
 ];
 
 // src/scanner.ts
@@ -2758,7 +3831,7 @@ async function main() {
 }
 function printHelp() {
   console.log(`
-  prodlint - Scan AI-generated projects for production readiness issues
+  prodlint - The linter for vibe-coded apps
 
   Usage:
     npx prodlint [path] [options]