prodlint 0.5.0 → 0.7.0

package/dist/index.js

@@ -240,6 +240,81 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function isUserInputNode(node) {
+  if (node.type === "MemberExpression") {
+    const mem = node;
+    if (mem.object.type === "MemberExpression") {
+      const inner = mem.object;
+      if (inner.object.type === "Identifier") {
+        const objName = inner.object.name;
+        if (objName === "req" || objName === "request") {
+          if (inner.property.type === "Identifier") {
+            const prop = inner.property.name;
+            if (prop === "query" || prop === "body" || prop === "params") return true;
+          }
+        }
+      }
+    }
+  }
+  if (node.type === "CallExpression") {
+    const call = node;
+    if (call.callee.type === "MemberExpression") {
+      const callee = call.callee;
+      if (callee.property.type === "Identifier" && callee.property.name === "get") {
+        if (callee.object.type === "Identifier") {
+          const name = callee.object.name;
+          if (name === "searchParams" || name === "formData") return true;
+        }
+        if (callee.object.type === "MemberExpression") {
+          const inner = callee.object;
+          if (inner.property.type === "Identifier" && inner.property.name === "searchParams") {
+            return true;
+          }
+        }
+      }
+    }
+  }
+  return false;
+}
+function isStaticString(node) {
+  if (node.type === "StringLiteral") return true;
+  if (node.type === "TemplateLiteral") {
+    return node.expressions.length === 0;
+  }
+  return false;
+}
+function findUseEffectRanges(ast) {
+  const ranges = [];
+  walkAST(ast.program, (node) => {
+    if (node.type !== "CallExpression") return;
+    const call = node;
+    if (call.callee.type !== "Identifier" || call.callee.name !== "useEffect") return;
+    const callback = call.arguments[0];
+    if (!callback || !callback.loc) return;
+    ranges.push({
+      start: callback.loc.start.line - 1,
+      end: callback.loc.end.line - 1
+    });
+  });
+  return ranges;
+}
+function subtreeContains(node, predicate) {
+  if (predicate(node)) return true;
+  for (const key of Object.keys(node)) {
+    if (key === "start" || key === "end" || key === "loc" || key === "type") continue;
+    const val = node[key];
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        if (item && typeof item === "object" && item.type) {
+          if (subtreeContains(item, predicate)) return true;
+        }
+      }
+    } else if (val && typeof val === "object" && val.type) {
+      if (subtreeContains(val, predicate)) return true;
+    }
+  }
+  return false;
+}
 
 // src/utils/frameworks.ts
 var FRAMEWORK_SAFE_METHODS = {
@@ -309,7 +384,8 @@ var SCAN_EXTENSIONS = [
   "jsx",
   "mjs",
   "cjs",
-  "json"
+  "json",
+  "sql"
 ];
 var AST_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mjs", "cjs"]);
 var MAX_FILE_SIZE = 1024 * 1024;
@@ -1141,6 +1217,81 @@ var unsafeHtmlRule = {
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
     const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type === "JSXAttribute") {
+            const attr = node;
+            if (attr.name?.type === "JSXIdentifier" && attr.name.name === "dangerouslySetInnerHTML" && attr.loc) {
+              if (attr.value && subtreeContains(attr.value, (n) => {
+                if (n.type !== "CallExpression") return false;
+                const call = n;
+                if (call.callee.type === "MemberExpression") {
+                  const mem = call.callee;
+                  return mem.object.type === "Identifier" && mem.object.name === "JSON" && mem.property.type === "Identifier" && mem.property.name === "stringify";
+                }
+                return false;
+              })) {
+                return;
+              }
+              const line = attr.loc.start.line;
+              findings.push({
+                ruleId: "unsafe-html",
+                file: file.relativePath,
+                line,
+                column: file.lines[line - 1].indexOf("dangerouslySetInnerHTML") + 1,
+                message: "dangerouslySetInnerHTML is an XSS risk \u2014 sanitize with DOMPurify or similar",
+                severity: "critical",
+                category: "security"
+              });
+            }
+          }
+          if (node.type === "ObjectProperty") {
+            const prop = node;
+            if (prop.key?.type === "Identifier" && prop.key.name === "dangerouslySetInnerHTML" && prop.loc) {
+              if (prop.value && subtreeContains(prop.value, (n) => {
+                if (n.type !== "CallExpression") return false;
+                const call = n;
+                if (call.callee.type === "MemberExpression") {
+                  const mem = call.callee;
+                  return mem.object.type === "Identifier" && mem.object.name === "JSON" && mem.property.type === "Identifier" && mem.property.name === "stringify";
+                }
+                return false;
+              })) {
+                return;
+              }
+              const line = prop.loc.start.line;
+              findings.push({
+                ruleId: "unsafe-html",
+                file: file.relativePath,
+                line,
+                column: file.lines[line - 1].indexOf("dangerouslySetInnerHTML") + 1,
+                message: "dangerouslySetInnerHTML is an XSS risk \u2014 sanitize with DOMPurify or similar",
+                severity: "critical",
+                category: "security"
+              });
+            }
+          }
+          if (node.type === "AssignmentExpression") {
+            const assign = node;
+            if (assign.left?.type === "MemberExpression" && assign.left.property?.type === "Identifier" && assign.left.property.name === "innerHTML" && assign.loc) {
+              const line = assign.loc.start.line;
+              findings.push({
+                ruleId: "unsafe-html",
+                file: file.relativePath,
+                line,
+                column: file.lines[line - 1].indexOf(".innerHTML") + 1,
+                message: "Direct innerHTML assignment is an XSS risk",
+                severity: "critical",
+                category: "security"
+              });
+            }
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -1394,6 +1545,22 @@ var DIRECT_INPUT_PATTERNS = [
 var WARNING_PATTERNS = [
   /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination|redirect|goto|to|target|uri|href)\s*[,)]/
 ];
+var SUSPICIOUS_VAR_NAMES = /* @__PURE__ */ new Set([
+  "url",
+  "returnUrl",
+  "returnTo",
+  "redirectUrl",
+  "redirectTo",
+  "next",
+  "callbackUrl",
+  "destination",
+  "redirect",
+  "goto",
+  "to",
+  "target",
+  "uri",
+  "href"
+]);
 var openRedirectRule = {
   id: "open-redirect",
   name: "Open Redirect",
@@ -1403,6 +1570,62 @@ var openRedirectRule = {
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
     const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          let isRedirect = false;
+          if (call.callee.type === "Identifier" && call.callee.name === "redirect") {
+            isRedirect = true;
+          }
+          if (call.callee.type === "MemberExpression") {
+            const mem = call.callee;
+            if (mem.object.type === "Identifier" && mem.object.name === "NextResponse" && mem.property.type === "Identifier" && mem.property.name === "redirect") {
+              isRedirect = true;
+            }
+          }
+          if (!isRedirect) return;
+          const arg = call.arguments[0];
+          if (!arg) return;
+          if (isStaticString(arg)) return;
+          let targetArg = arg;
+          if (arg.type === "NewExpression" && arg.callee.type === "Identifier" && arg.callee.name === "URL") {
+            targetArg = arg.arguments[0];
+            if (!targetArg) return;
+            if (isStaticString(targetArg)) return;
+          }
+          const lineNum = call.loc.start.line;
+          const col = call.loc.start.column + 1;
+          if (isUserInputNode(targetArg)) {
+            findings.push({
+              ruleId: "open-redirect",
+              file: file.relativePath,
+              line: lineNum,
+              column: col,
+              message: "User input in redirect \u2014 validate against an allowlist to prevent open redirect",
+              severity: "warning",
+              category: "security"
+            });
+            return;
+          }
+          if (targetArg.type === "Identifier" && SUSPICIOUS_VAR_NAMES.has(targetArg.name)) {
+            findings.push({
+              ruleId: "open-redirect",
+              file: file.relativePath,
+              line: lineNum,
+              column: col,
+              message: "Possible user input in redirect \u2014 verify the URL is validated before use",
+              severity: "warning",
+              category: "security"
+            });
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2050,6 +2273,34 @@ var shallowCatchRule = {
     if (isTestFile(file.relativePath)) return [];
     if (isScriptFile(file.relativePath)) return [];
     const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CatchClause") return;
+          if (!node.loc) return;
+          const catchLine = node.loc.start.line - 1;
+          const body = node.body;
+          if (!body || !body.loc) return;
+          const bodyStart = body.loc.start.line - 1;
+          const bodyEnd = body.loc.end.line - 1;
+          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const { score, label } = scoreCatchBody(bodyLines);
+          if (score <= 1) {
+            findings.push({
+              ruleId: "shallow-catch",
+              file: file.relativePath,
+              line: catchLine + 1,
+              column: file.lines[catchLine].indexOf("catch") + 1,
+              message: score === 0 ? "Empty catch block \u2014 errors are silently swallowed" : `Decorative error handler: ${label}`,
+              severity: score === 0 ? "warning" : "info",
+              category: "reliability"
+            });
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const trimmed = file.lines[i].trim();
@@ -2383,6 +2634,7 @@ var insecureCookieRule = {
 
 // src/rules/leaked-env-in-logs.ts
 var CONSOLE_WITH_ENV = /console\.(log|warn|error|info|debug)\s*\([^)]*process\.env\./;
+var CONSOLE_METHODS = /* @__PURE__ */ new Set(["log", "warn", "error", "info", "debug"]);
 var leakedEnvInLogsRule = {
   id: "leaked-env-in-logs",
   name: "Leaked Env in Logs",
@@ -2394,6 +2646,48 @@ var leakedEnvInLogsRule = {
     if (isTestFile(file.relativePath)) return [];
     if (isScriptFile(file.relativePath)) return [];
     const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          if (call.callee.type !== "MemberExpression") return;
+          const mem = call.callee;
+          if (mem.object.type !== "Identifier" || mem.object.name !== "console") return;
+          if (mem.property.type !== "Identifier" || !CONSOLE_METHODS.has(mem.property.name)) return;
+          let hasEnvAccess = false;
+          for (const arg of call.arguments) {
+            if (subtreeContains(arg, (n) => {
+              if (n.type !== "MemberExpression") return false;
+              const m = n;
+              if (m.object.type === "MemberExpression") {
+                const inner = m.object;
+                return inner.object.type === "Identifier" && inner.object.name === "process" && inner.property.type === "Identifier" && inner.property.name === "env";
+              }
+              return false;
+            })) {
+              hasEnvAccess = true;
+              break;
+            }
+          }
+          if (hasEnvAccess) {
+            findings.push({
+              ruleId: "leaked-env-in-logs",
+              file: file.relativePath,
+              line: call.loc.start.line,
+              column: call.loc.start.column + 1,
+              message: "process.env value in console output \u2014 may leak secrets in production logs",
+              severity: "warning",
+              category: "security",
+              fix: "Remove process.env.* from console output \u2014 log a redacted summary instead"
+            });
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2498,6 +2792,15 @@ var nextServerActionValidationRule = {
 // src/rules/missing-transaction.ts
 var PRISMA_WRITE_OPS = /prisma\.\w+\.(?:create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/;
 var PRISMA_TRANSACTION = /\$transaction\s*\(/;
+var PRISMA_WRITE_METHODS = /* @__PURE__ */ new Set([
+  "create",
+  "update",
+  "delete",
+  "upsert",
+  "createMany",
+  "updateMany",
+  "deleteMany"
+]);
 var missingTransactionRule = {
   id: "missing-transaction",
   name: "Missing Transaction",
@@ -2509,6 +2812,60 @@ var missingTransactionRule = {
     if (isTestFile(file.relativePath)) return [];
     if (isScriptFile(file.relativePath)) return [];
     if (!project.declaredDependencies.has("@prisma/client") && !project.detectedFrameworks.has("prisma")) return [];
+    if (file.ast) {
+      try {
+        const parentMap = /* @__PURE__ */ new Map();
+        walkAST(file.ast.program, (node, parent) => {
+          if (parent) parentMap.set(node, parent);
+        });
+        const writesByScope = /* @__PURE__ */ new Map();
+        const transactionScopes = /* @__PURE__ */ new Set();
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          if (call.callee.type === "MemberExpression") {
+            const mem = call.callee;
+            if (mem.property.type === "Identifier" && mem.property.name === "$transaction") {
+              const scope2 = findEnclosingFunction(node, parentMap);
+              transactionScopes.add(scope2);
+              return;
+            }
+          }
+          if (call.callee.type !== "MemberExpression") return;
+          const outerMem = call.callee;
+          if (outerMem.property.type !== "Identifier") return;
+          if (!PRISMA_WRITE_METHODS.has(outerMem.property.name)) return;
+          if (outerMem.object.type !== "MemberExpression") return;
+          const innerMem = outerMem.object;
+          if (innerMem.object.type !== "Identifier" || innerMem.object.name !== "prisma") return;
+          const scope = findEnclosingFunction(node, parentMap);
+          const existing = writesByScope.get(scope);
+          if (existing) {
+            existing.count++;
+          } else {
+            writesByScope.set(scope, { count: 1, firstLine: call.loc.start.line });
+          }
+        });
+        const findings = [];
+        for (const [scope, { count, firstLine }] of writesByScope) {
+          if (count < 2) continue;
+          if (transactionScopes.has(scope)) continue;
+          findings.push({
+            ruleId: "missing-transaction",
+            file: file.relativePath,
+            line: firstLine,
+            column: 1,
+            message: `${count} Prisma write operations without $transaction \u2014 partial writes may leave inconsistent state`,
+            severity: "warning",
+            category: "reliability",
+            fix: "Wrap sequential writes in prisma.$transaction([...]) for atomicity"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     let writeCount = 0;
     let firstWriteLine = -1;
     const hasTransaction = PRISMA_TRANSACTION.test(file.content);
@@ -2532,6 +2889,1276 @@ var missingTransactionRule = {
     }];
   }
 };
+function findEnclosingFunction(node, parentMap) {
+  let current = parentMap.get(node);
+  while (current) {
+    if (current.type === "FunctionDeclaration" || current.type === "FunctionExpression" || current.type === "ArrowFunctionExpression") {
+      return current;
+    }
+    current = parentMap.get(current);
+  }
+  return null;
+}
+
+// src/rules/redirect-in-try-catch.ts
+var redirectInTryCatchRule = {
+  id: "redirect-in-try-catch",
+  name: "Redirect Inside Try/Catch",
+  description: "Detects Next.js redirect() inside try/catch blocks \u2014 redirect throws internally and the catch swallows it",
+  category: "reliability",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/redirect\s*\(/.test(file.content)) return [];
+    const findings = [];
+    let tryDepth = 0;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (/\btry\s*\{/.test(trimmed) || trimmed === "try {") {
+        tryDepth++;
+      }
+      if (/\}\s*catch\s*[\s(]/.test(trimmed)) {
+      }
+      if (tryDepth > 0) {
+        const match = /\bredirect\s*\(/.exec(line);
+        if (match && !/\/\//.test(line.slice(0, match.index))) {
+          findings.push({
+            ruleId: "redirect-in-try-catch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "redirect() inside try/catch \u2014 Next.js redirect throws internally, the catch block will intercept it",
+            severity: "critical",
+            category: "reliability",
+            fix: 'Move redirect() outside the try/catch block, or re-throw redirect errors in the catch: if (e instanceof Error && e.message === "NEXT_REDIRECT") throw e'
+          });
+        }
+      }
+      for (const ch of trimmed) {
+        if (ch === "{" && tryDepth > 0) {
+        }
+      }
+      if (tryDepth > 0 && /^\}\s*$/.test(trimmed)) {
+        let nextLine = "";
+        for (let j = i + 1; j < file.lines.length; j++) {
+          nextLine = file.lines[j].trim();
+          if (nextLine) break;
+        }
+        if (!/^catch\b/.test(nextLine) && !/^finally\b/.test(nextLine)) {
+          tryDepth--;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-revalidation.ts
+var USE_SERVER2 = /['"]use server['"]/;
+var DB_MUTATIONS = [
+  /\.insert\s*\(/,
+  /\.update\s*\(/,
+  /\.delete\s*\(/,
+  /\.upsert\s*\(/,
+  /\.create\s*\(/,
+  /\.createMany\s*\(/,
+  /\.updateMany\s*\(/,
+  /\.deleteMany\s*\(/,
+  /\.remove\s*\(/,
+  /\.save\s*\(/,
+  /\.destroy\s*\(/
+];
+var REVALIDATION = [
+  /revalidatePath\s*\(/,
+  /revalidateTag\s*\(/,
+  /redirect\s*\(/
+];
+var missingRevalidationRule = {
+  id: "missing-revalidation",
+  name: "Missing Revalidation After Mutation",
+  description: "Detects server actions that mutate data without calling revalidatePath or revalidateTag \u2014 UI shows stale data",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER2.test(file.content)) return [];
+    const hasMutation = DB_MUTATIONS.some((p) => p.test(file.content));
+    if (!hasMutation) return [];
+    const hasRevalidation = REVALIDATION.some((p) => p.test(file.content));
+    if (hasRevalidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (DB_MUTATIONS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-revalidation",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action mutates data without revalidatePath() or revalidateTag() \u2014 UI will show stale data",
+      severity: "warning",
+      category: "reliability",
+      fix: 'Add revalidatePath("/affected-route") after the mutation'
+    }];
+  }
+};
+
+// src/rules/use-client-overuse.ts
+var CLIENT_APIS = [
+  /\buseState\b/,
+  /\buseEffect\b/,
+  /\buseRef\b/,
+  /\buseReducer\b/,
+  /\buseCallback\b/,
+  /\buseMemo\b/,
+  /\buseContext\b/,
+  /\buseLayoutEffect\b/,
+  /\buseInsertionEffect\b/,
+  /\buseTransition\b/,
+  /\buseDeferredValue\b/,
+  /\buseSyncExternalStore\b/,
+  /\buseFormStatus\b/,
+  /\buseFormState\b/,
+  /\buseOptimistic\b/,
+  /\bonClick\b\s*[=:]/,
+  /\bonChange\b\s*[=:]/,
+  /\bonSubmit\b\s*[=:]/,
+  /\bonBlur\b\s*[=:]/,
+  /\bonFocus\b\s*[=:]/,
+  /\bonKeyDown\b\s*[=:]/,
+  /\bonKeyUp\b\s*[=:]/,
+  /\bonMouseDown\b\s*[=:]/,
+  /\bonMouseUp\b\s*[=:]/,
+  /\bonScroll\b\s*[=:]/,
+  /\bonInput\b\s*[=:]/,
+  /\bonDrag\b/,
+  /\bonDrop\b/,
+  /\bonTouchStart\b/,
+  /\bcreateContext\b/,
+  /\bwindow\./,
+  /\bdocument\./,
+  /\blocalStorage\b/,
+  /\bsessionStorage\b/,
+  /\bnavigator\b/,
+  /\bIntersectionObserver\b/,
+  /\bResizeObserver\b/,
+  /\bMutationObserver\b/
+];
+var useClientOveruseRule = {
+  id: "use-client-overuse",
+  name: '"use client" Overuse',
+  description: `Detects files with "use client" that don't use any client-side APIs \u2014 unnecessary client rendering`,
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const usesClientApi = CLIENT_APIS.some((p) => p.test(file.content));
+    if (usesClientApi) return [];
+    return [{
+      ruleId: "use-client-overuse",
+      file: file.relativePath,
+      line: 1,
+      column: 1,
+      message: '"use client" directive but no client-side APIs (hooks, event handlers, browser APIs) \u2014 this component could be a server component',
+      severity: "info",
+      category: "ai-quality",
+      fix: 'Remove "use client" to let Next.js render this as a server component for better performance'
+    }];
+  }
+};
+
+// src/rules/env-fallback-secret.ts
+var SENSITIVE_ENV = /process\.env\.(JWT_SECRET|SECRET_KEY|AUTH_SECRET|SESSION_SECRET|ENCRYPTION_KEY|API_SECRET|PRIVATE_KEY|SIGNING_KEY|NEXTAUTH_SECRET|TOKEN_SECRET|APP_SECRET|COOKIE_SECRET|HASH_SECRET)\s*(?:\|\||&&|\?\?)\s*['"`]/i;
+var ENV_FALLBACK = /process\.env\.\w*(SECRET|KEY|PASSWORD|TOKEN)\w*\s*(?:\|\||\?\?)\s*['"`]/i;
+var envFallbackSecretRule = {
+  id: "env-fallback-secret",
+  name: "Secret with Fallback Value",
+  description: "Detects security-sensitive env vars with hardcoded fallback values \u2014 if the env var is missing, the fallback becomes the production secret",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const directMatch = SENSITIVE_ENV.exec(line);
+      if (directMatch) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: directMatch.index + 1,
+          message: `Secret env var has a hardcoded fallback \u2014 if ${directMatch[1] || "the var"} is unset, this literal becomes the production secret`,
+          severity: "critical",
+          category: "security",
+          fix: 'Throw an error if the env var is missing: const secret = process.env.SECRET ?? (() => { throw new Error("SECRET is required") })()'
+        });
+        continue;
+      }
+      const genericMatch = ENV_FALLBACK.exec(line);
+      if (genericMatch && !isConfigFile(file.relativePath)) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: genericMatch.index + 1,
+          message: "Security-sensitive env var has a hardcoded fallback \u2014 defaults to a literal string when missing",
+          severity: "warning",
+          category: "security",
+          fix: "Fail fast when required env vars are missing instead of falling back to a default value"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/verbose-error-response.ts
+var ERROR_LEAK_PATTERNS = [
+  { pattern: /error\.stack/, msg: "error.stack exposed \u2014 leaks internal file paths and code structure" },
+  { pattern: /error\.message/, msg: "error.message may leak internal details to clients" }
+];
+var verboseErrorResponseRule = {
+  id: "verbose-error-response",
+  name: "Verbose Error Response",
+  description: "Detects error details (stack traces, error messages) sent directly in API responses",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of ERROR_LEAK_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = pattern.source.includes("stack") ? "warning" : "info";
+          findings.push({
+            ruleId: "verbose-error-response",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: 'Return a generic error message: { error: "Internal server error" }. Log the real error server-side.'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-webhook-verification.ts
+var WEBHOOK_PATH = /webhook/i;
+var VERIFICATION_PATTERNS = [
+  /constructEvent\s*\(/,
+  // Stripe
+  /webhooks\.verify\s*\(/,
+  // Clerk, GitHub
+  /verify\s*\(/,
+  // Generic
+  /verifySignature\s*\(/,
+  // Generic
+  /validateWebhook\s*\(/,
+  // Generic
+  /svix.*verify/i,
+  // Svix (used by Clerk, Resend)
+  /crypto\.timingSafeEqual\s*\(/,
+  // Manual HMAC comparison
+  /hmac/i,
+  // HMAC verification
+  /x-hub-signature/i,
+  // GitHub webhooks
+  /stripe-signature/i,
+  // Stripe signature header
+  /svix-signature/i,
+  // Svix signature header
+  /webhook-secret/i
+];
+var missingWebhookVerificationRule = {
+  id: "missing-webhook-verification",
+  name: "Missing Webhook Verification",
+  description: "Detects webhook endpoints without signature verification \u2014 anyone can send fake events",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath)) return [];
+    if (!WEBHOOK_PATH.test(file.relativePath)) return [];
+    const hasVerification = VERIFICATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasVerification) return [];
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+POST\b/.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-webhook-verification",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "Webhook endpoint has no signature verification \u2014 anyone can forge events to this route",
+      severity: "critical",
+      category: "security",
+      fix: "Verify the webhook signature before processing. For Stripe: stripe.webhooks.constructEvent(body, sig, secret)"
+    }];
+  }
+};
+
+// src/rules/server-action-auth.ts
+var USE_SERVER3 = /['"]use server['"]/;
+var AUTH_PATTERNS2 = [
+  /getServerSession\s*\(/,
+  /getSession\s*\(/,
+  /\.auth\.getUser\s*\(/,
+  /auth\(\)/,
+  /authenticate\s*\(/,
+  /isAuthenticated/,
+  /requireAuth/,
+  /withAuth/,
+  /getToken\s*\(/,
+  /verifyToken\s*\(/,
+  /jwt\.verify\s*\(/,
+  /createServerComponentClient/,
+  /currentUser\s*\(/,
+  /getAuth\s*\(/,
+  /cookies\(\).*auth/s,
+  /session/i
+];
+var PUBLIC_ACTION_NAMES = [
+  /contact/i,
+  /subscribe/i,
+  /newsletter/i,
+  /feedback/i,
+  /signup/i,
+  /login/i,
+  /register/i
+];
+var serverActionAuthRule = {
+  id: "server-action-auth",
+  name: "Server Action Without Auth",
+  description: "Detects server actions that perform mutations without any authentication check",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER3.test(file.content)) return [];
+    if (project.hasAuthMiddleware) return [];
+    for (const p of PUBLIC_ACTION_NAMES) {
+      if (p.test(file.relativePath)) return [];
+    }
+    const hasAuth = AUTH_PATTERNS2.some((p) => p.test(file.content));
+    if (hasAuth) return [];
+    const hasMutation = /\.(insert|update|delete|create|upsert|remove|destroy|save|push|set)\s*\(/i.test(file.content) || /\b(INSERT|UPDATE|DELETE)\b/.test(file.content);
+    if (!hasMutation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (USE_SERVER3.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "server-action-auth",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action performs mutations without any authentication check \u2014 anyone can call this action",
+      severity: "warning",
+      category: "security",
+      fix: 'Add auth check: const session = await auth(); if (!session) throw new Error("Unauthorized")'
+    }];
+  }
+};
+
+// src/rules/eval-injection.ts
+var EVAL_PATTERNS = [
+  { pattern: /\beval\s*\(/, msg: "eval() executes arbitrary code \u2014 never use with dynamic input" },
+  { pattern: /\bnew\s+Function\s*\(/, msg: "new Function() is equivalent to eval \u2014 avoid dynamic code execution" },
+  { pattern: /\bsetTimeout\s*\(\s*['"`]/, msg: "setTimeout with a string argument is eval \u2014 pass a function instead" },
+  { pattern: /\bsetInterval\s*\(\s*['"`]/, msg: "setInterval with a string argument is eval \u2014 pass a function instead" }
+];
+var evalInjectionRule = {
+  id: "eval-injection",
+  name: "Eval / Code Injection",
+  description: "Detects eval(), new Function(), and string arguments to setTimeout/setInterval",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of EVAL_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "eval-injection",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-useeffect-cleanup.ts
+var NEEDS_CLEANUP = [
+  /\bsetInterval\s*\(/,
+  /\baddEventListener\s*\(/,
+  /\.subscribe\s*\(/,
+  /\.on\s*\(\s*['"`]/,
+  /new\s+WebSocket\s*\(/,
+  /new\s+EventSource\s*\(/,
+  /new\s+IntersectionObserver\s*\(/,
+  /new\s+ResizeObserver\s*\(/,
+  /new\s+MutationObserver\s*\(/
+];
+var missingUseEffectCleanupRule = {
+  id: "missing-useeffect-cleanup",
+  name: "Missing useEffect Cleanup",
+  description: "Detects useEffect hooks with subscriptions or timers but no cleanup return function \u2014 causes memory leaks",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    if (!/useEffect/.test(file.content)) return [];
+    const findings = [];
+    const lines = file.lines;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!/\buseEffect\s*\(/.test(line)) continue;
+      let braceDepth = 0;
+      let effectStart = -1;
+      let effectEnd = -1;
+      let started = false;
+      for (let j = i; j < lines.length && j < i + 100; j++) {
+        for (const ch of lines[j]) {
+          if (ch === "(") {
+            if (!started) {
+              started = true;
+            }
+            braceDepth++;
+          } else if (ch === ")") {
+            braceDepth--;
+            if (started && braceDepth === 0) {
+              effectEnd = j;
+              break;
+            }
+          } else if (ch === "{" && effectStart === -1 && started) {
+            effectStart = j;
+          }
+        }
+        if (effectEnd !== -1) break;
+      }
+      if (effectStart === -1 || effectEnd === -1) continue;
+      const effectBody = lines.slice(effectStart, effectEnd + 1).join("\n");
+      const needsCleanup = NEEDS_CLEANUP.some((p) => p.test(effectBody));
+      if (!needsCleanup) continue;
+      const hasReturn = /return\s*(?:\(\s*\)\s*=>|function|\(\))/.test(effectBody) || /return\s*\(\s*\)\s*\{/.test(effectBody) || /return\s+\w+\s*;?\s*$/.test(effectBody);
+      if (!hasReturn) {
+        const hasCleanupReturn = /return\s+(?:\(\)|(?:\(\s*\)\s*=>)|(?:function))/.test(effectBody);
+        if (!hasCleanupReturn) {
+          findings.push({
+            ruleId: "missing-useeffect-cleanup",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message: "useEffect with subscription/timer but no cleanup return \u2014 will leak memory on unmount",
+            severity: "warning",
+            category: "reliability",
+            fix: "Return a cleanup function: useEffect(() => { const id = setInterval(...); return () => clearInterval(id); }, [])"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/next-public-sensitive.ts
+var SENSITIVE_PATTERN = /NEXT_PUBLIC_\w*(SECRET|PRIVATE|PASSWORD|DATABASE_URL|SERVICE_ROLE|SERVICE_KEY|ADMIN_KEY|sk_live|sk_test|SIGNING|ENCRYPTION)/i;
+var nextPublicSensitiveRule = {
+  id: "next-public-sensitive",
+  name: "Sensitive Env Var with NEXT_PUBLIC_ Prefix",
+  description: "Detects NEXT_PUBLIC_ prefix on environment variables that should be server-only \u2014 exposes secrets to the browser",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "env", "env.local", "env.production"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = SENSITIVE_PATTERN.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "next-public-sensitive",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `NEXT_PUBLIC_ prefix on a sensitive env var \u2014 this value will be embedded in the client-side JavaScript bundle`,
+          severity: "critical",
+          category: "security",
+          fix: "Remove the NEXT_PUBLIC_ prefix. Access this value only in server components, API routes, or server actions."
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/ssrf-risk.ts
+var USER_INPUT_IN_FETCH = [
+  /fetch\s*\(\s*(?:req|request)\.(?:body|query|params|nextUrl)/,
+  /fetch\s*\(\s*(?:url|href|endpoint|target|link|src)\s*[,)]/,
+  /fetch\s*\(\s*searchParams\.get\s*\(/,
+  /fetch\s*\(\s*formData\.get\s*\(/,
+  /new\s+URL\s*\(\s*(?:req|request)\.(?:body|query)/,
+  /axios\s*[.(]\s*(?:req|request)\.(?:body|query)/,
+  /axios\.get\s*\(\s*(?:url|href|endpoint|target|link)\s*[,)]/
+];
+var VALIDATION_PATTERNS3 = [
+  /allowlist/i,
+  /allowedUrls/i,
+  /allowedHosts/i,
+  /allowedDomains/i,
+  /whitelist/i,
+  /validUrl/i,
+  /validateUrl/i,
+  /URL\.canParse/,
+  /new\s+URL\s*\(.*\)\.host/,
+  /\.startsWith\s*\(\s*['"]https?:\/\//,
+  /\.hostname\s*[!=]==?\s*['"`]/
+];
+var SUSPICIOUS_URL_VARS = /* @__PURE__ */ new Set([
+  "url",
+  "href",
+  "endpoint",
+  "target",
+  "link",
+  "src"
+]);
+var ssrfRiskRule = {
+  id: "ssrf-risk",
+  name: "SSRF Risk",
+  description: "Detects fetch/HTTP calls with user-controlled URLs without validation \u2014 allows attackers to probe internal services",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const findings = [];
+    if (file.ast) {
+      try {
+        const hasValidationInCode = VALIDATION_PATTERNS3.some((p) => p.test(file.content));
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          let isFetchLike = false;
+          if (call.callee.type === "Identifier" && call.callee.name === "fetch") {
+            isFetchLike = true;
+          }
+          if (call.callee.type === "MemberExpression") {
+            const mem = call.callee;
+            if (mem.object.type === "Identifier" && mem.object.name === "axios") {
+              isFetchLike = true;
+            }
+          }
+          if (!isFetchLike) return;
+          const arg = call.arguments[0];
+          if (!arg) return;
+          if (isStaticString(arg)) return;
+          const lineNum = call.loc.start.line;
+          const col = call.loc.start.column + 1;
+          if (isUserInputNode(arg)) {
+            findings.push({
+              ruleId: "ssrf-risk",
+              file: file.relativePath,
+              line: lineNum,
+              column: col,
+              message: "User-controlled URL passed to fetch \u2014 validate against an allowlist to prevent SSRF",
+              severity: "warning",
+              category: "security",
+              fix: "Validate the URL against an allowlist of permitted domains before making the request"
+            });
+            return;
+          }
+          if (arg.type === "Identifier" && SUSPICIOUS_URL_VARS.has(arg.name)) {
+            if (hasValidationInCode) return;
+            findings.push({
+              ruleId: "ssrf-risk",
+              file: file.relativePath,
+              line: lineNum,
+              column: col,
+              message: "User-controlled URL passed to fetch \u2014 validate against an allowlist to prevent SSRF",
+              severity: "warning",
+              category: "security",
+              fix: "Validate the URL against an allowlist of permitted domains before making the request"
+            });
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
+    const hasValidation = VALIDATION_PATTERNS3.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of USER_INPUT_IN_FETCH) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "ssrf-risk",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "User-controlled URL passed to fetch \u2014 validate against an allowlist to prevent SSRF",
+            severity: "warning",
+            category: "security",
+            fix: "Validate the URL against an allowlist of permitted domains before making the request"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/path-traversal.ts
+var FS_WITH_USER_INPUT = [
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File read with user-controlled path \u2014 allows reading arbitrary files" },
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:filePath|fileName|path|file|name)\s*[,)]/, msg: "File read with potentially user-controlled path \u2014 validate before use" },
+  { pattern: /(?:writeFile|writeFileSync|createWriteStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File write with user-controlled path \u2014 allows writing arbitrary files" },
+  { pattern: /(?:unlink|unlinkSync|rm|rmSync)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File delete with user-controlled path \u2014 allows deleting arbitrary files" },
+  { pattern: /path\.join\s*\([^)]*(?:req|request)\.(?:query|body|params)/, msg: "path.join with user input \u2014 still vulnerable to traversal with ../" },
+  { pattern: /\.sendFile\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "express.sendFile with user-controlled path \u2014 validate against a base directory" }
+];
+var SANITIZATION_PATTERNS = [
+  /path\.resolve\s*\(.*\)\.startsWith/,
+  /\.replace\s*\(\s*['"]\.\.['"],?\s*['"].*['"]\s*\)/,
+  /\.includes\s*\(\s*['"]\.\.['"].*\)/,
+  /normalize/,
+  /sanitize/i,
+  /realpath/
+];
+var FS_FUNCTION_NAMES = /* @__PURE__ */ new Set([
+  "readFile",
+  "readFileSync",
+  "createReadStream",
+  "writeFile",
+  "writeFileSync",
+  "createWriteStream",
+  "unlink",
+  "unlinkSync",
+  "rm",
+  "rmSync"
+]);
+var SUSPICIOUS_PATH_VARS = /* @__PURE__ */ new Set([
+  "filePath",
+  "fileName",
+  "path",
+  "file",
+  "name"
+]);
+var pathTraversalRule = {
+  id: "path-traversal",
+  name: "Path Traversal",
+  description: "Detects filesystem operations with user-controlled paths \u2014 allows reading/writing arbitrary files via ../ sequences",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          let fnName = null;
+          if (call.callee.type === "Identifier" && FS_FUNCTION_NAMES.has(call.callee.name)) {
+            fnName = call.callee.name;
+          }
+          if (call.callee.type === "MemberExpression") {
+            const mem = call.callee;
+            if (mem.property.type === "Identifier") {
+              if (FS_FUNCTION_NAMES.has(mem.property.name)) {
+                fnName = mem.property.name;
+              }
+              if (mem.property.name === "join" && mem.object.type === "Identifier" && mem.object.name === "path") {
+                fnName = "path.join";
+              }
+              if (mem.property.name === "sendFile") {
+                fnName = "sendFile";
+              }
+            }
+          }
+          if (!fnName) return;
+          const argsToCheck = fnName === "path.join" ? call.arguments : [call.arguments[0]];
+          for (const arg of argsToCheck) {
+            if (!arg) continue;
+            if (isStaticString(arg)) continue;
+            const lineNum = call.loc.start.line;
+            const col = call.loc.start.column + 1;
+            if (isUserInputNode(arg)) {
+              const action = fnName.includes("write") || fnName.includes("Write") ? "write" : fnName.includes("unlink") || fnName === "rm" || fnName === "rmSync" ? "delete" : fnName === "sendFile" ? "send" : "read";
+              findings.push({
+                ruleId: "path-traversal",
+                file: file.relativePath,
+                line: lineNum,
+                column: col,
+                message: fnName === "path.join" ? "path.join with user input \u2014 still vulnerable to traversal with ../" : `File ${action} with user-controlled path \u2014 allows ${action === "send" ? "sending" : action + "ing"} arbitrary files`,
+                severity: "critical",
+                category: "security",
+                fix: "Validate the resolved path starts with an expected base directory: path.resolve(base, input).startsWith(path.resolve(base))"
+              });
+              return;
+            }
+            if (arg.type === "Identifier" && SUSPICIOUS_PATH_VARS.has(arg.name)) {
+              findings.push({
+                ruleId: "path-traversal",
+                file: file.relativePath,
+                line: lineNum,
+                column: col,
+                message: `File operation with potentially user-controlled path \u2014 validate before use`,
+                severity: "warning",
+                category: "security",
+                fix: "Validate the resolved path starts with an expected base directory: path.resolve(base, input).startsWith(path.resolve(base))"
+              });
+              return;
+            }
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
+    const hasSanitization = SANITIZATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasSanitization) return [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of FS_WITH_USER_INPUT) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = /req|request/.test(match[0]) ? "critical" : "warning";
+          findings.push({
+            ruleId: "path-traversal",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: "Validate the resolved path starts with an expected base directory: path.resolve(base, input).startsWith(path.resolve(base))"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hydration-mismatch.ts
+var BROWSER_ONLY_PATTERNS = [
+  { pattern: /\bwindow\./, msg: "window access in server-rendered code \u2014 will differ between server and client" },
+  { pattern: /\bdocument\./, msg: "document access in server-rendered code \u2014 undefined on the server" },
+  { pattern: /\blocalStorage\b/, msg: "localStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bsessionStorage\b/, msg: "sessionStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bnavigator\./, msg: "navigator access in render path \u2014 undefined on server" }
+];
+var NONDETERMINISTIC_PATTERNS = [
+  { pattern: /\bnew\s+Date\s*\(\s*\)/, msg: "new Date() in render path \u2014 server and client will have different timestamps, causing hydration mismatch" },
+  { pattern: /\bDate\.now\s*\(\s*\)/, msg: "Date.now() in render path \u2014 different on server vs client" },
+  { pattern: /\bMath\.random\s*\(\s*\)/, msg: "Math.random() in render path \u2014 produces different values on server vs client" }
+];
+var hydrationMismatchRule = {
+  id: "hydration-mismatch",
+  name: "Hydration Mismatch Risk",
+  description: "Detects browser-only APIs and non-deterministic calls in server component render paths",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    let useEffectRanges = [];
+    if (file.ast) {
+      try {
+        useEffectRanges = findUseEffectRanges(file.ast);
+      } catch {
+      }
+    }
+    const hasAstRanges = useEffectRanges.length > 0 || file.ast != null;
+    let insideUseEffect = false;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (hasAstRanges) {
+        const inEffect = useEffectRanges.some((r) => i >= r.start && i <= r.end);
+        if (inEffect) continue;
+      } else {
+        if (/\buseEffect\s*\(/.test(line)) {
+          insideUseEffect = true;
+        }
+        if (insideUseEffect) {
+          if (/^\s*\}\s*,\s*\[/.test(line) || /^\s*\}\s*\)\s*;?\s*$/.test(line)) {
+            insideUseEffect = false;
+          }
+          continue;
+        }
+      }
+      for (const { pattern, msg } of [...BROWSER_ONLY_PATTERNS, ...NONDETERMINISTIC_PATTERNS]) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "hydration-mismatch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "warning",
+            category: "reliability",
+            fix: 'Move this to a useEffect hook, or add "use client" if this component needs browser APIs'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/server-component-fetch-self.ts
+var SELF_FETCH_PATTERNS = [
+  /fetch\s*\(\s*['"`]\/api\//,
+  /fetch\s*\(\s*['"`]http:\/\/localhost/,
+  /fetch\s*\(\s*['"`]https?:\/\/localhost/,
+  /fetch\s*\(\s*`\$\{.*\}\/api\//,
+  /fetch\s*\(\s*(?:process\.env\.\w+\s*\+\s*)?['"`]\/api\//
+];
+var serverComponentFetchSelfRule = {
+  id: "server-component-fetch-self",
+  name: "Server Component Fetching Own API",
+  description: "Detects server components that fetch their own API routes instead of calling data logic directly \u2014 unnecessary network roundtrip",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of SELF_FETCH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "server-component-fetch-self",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Server component fetches its own API route \u2014 call the data logic directly instead of making a network request to yourself",
+            severity: "info",
+            category: "performance",
+            fix: 'Import and call the data function directly instead of fetch("/api/...")'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/unsafe-file-upload.ts
+var UPLOAD_PATTERNS = [
+  /\.get\s*\(\s*['"`]file['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]image['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]upload['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]attachment['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]document['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]avatar['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]photo['"`]\s*\)/,
+  /\.type\s*===?\s*['"`]file['"`]/,
+  /req\.file\b/,
+  /multer/i,
+  /busboy/i,
+  /formidable/i
+];
+var VALIDATION_PATTERNS4 = [
+  /\.type\b.*(?:image|video|audio|pdf|text)\//,
+  /content-type/i,
+  /mime/i,
+  /\.size\s*[><!]/,
+  /maxFileSize/i,
+  /maxSize/i,
+  /fileSizeLimit/i,
+  /allowedTypes/i,
+  /acceptedTypes/i,
+  /fileFilter/i,
+  /\.endsWith\s*\(\s*['"`]\./,
+  /\.extension/i
+];
+var unsafeFileUploadRule = {
+  id: "unsafe-file-upload",
+  name: "Unsafe File Upload",
+  description: "Detects file upload handlers without type or size validation",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const hasUpload = UPLOAD_PATTERNS.some((p) => p.test(file.content));
+    if (!hasUpload) return [];
+    const hasValidation = VALIDATION_PATTERNS4.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (UPLOAD_PATTERNS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "unsafe-file-upload",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "File upload without type or size validation \u2014 accepts any file type and size",
+      severity: "warning",
+      category: "security",
+      fix: "Validate file type (check MIME type, not just extension) and enforce a size limit before processing"
+    }];
+  }
+};
+
+// src/rules/supabase-missing-rls.ts
+var CREATE_TABLE = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi;
+var ENABLE_RLS = /ALTER\s+TABLE\s+(?:(?:public|"public")\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
+var supabaseMissingRlsRule = {
+  id: "supabase-missing-rls",
+  name: "Missing Row-Level Security",
+  description: "Detects SQL migrations that create tables without enabling Row-Level Security \u2014 all data is publicly accessible",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["sql"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/migration|supabase|schema/i.test(file.relativePath)) return [];
+    const content = file.content;
+    const findings = [];
+    const tables = [];
+    CREATE_TABLE.lastIndex = 0;
+    let match;
+    while ((match = CREATE_TABLE.exec(content)) !== null) {
+      const name = match[1];
+      if (name.startsWith("_") || name === "schema_migrations") continue;
+      const beforeMatch = content.slice(0, match.index);
+      const line = beforeMatch.split("\n").length;
+      tables.push({ name, line });
+    }
+    if (tables.length === 0) return [];
+    const rlsTables = /* @__PURE__ */ new Set();
+    ENABLE_RLS.lastIndex = 0;
+    while ((match = ENABLE_RLS.exec(content)) !== null) {
+      rlsTables.add(match[1].toLowerCase());
+    }
+    for (const filePath of project.allFiles) {
+      if (!filePath.endsWith(".sql")) continue;
+      if (filePath === file.relativePath) continue;
+    }
+    for (const table of tables) {
+      if (!rlsTables.has(table.name.toLowerCase())) {
+        findings.push({
+          ruleId: "supabase-missing-rls",
+          file: file.relativePath,
+          line: table.line,
+          column: 1,
+          message: `Table "${table.name}" created without ENABLE ROW LEVEL SECURITY \u2014 all rows are publicly accessible via the Supabase API`,
+          severity: "critical",
+          category: "security",
+          fix: `Add: ALTER TABLE ${table.name} ENABLE ROW LEVEL SECURITY; and create appropriate policies`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/deprecated-oauth-flow.ts
+var IMPLICIT_GRANT = /response_type\s*[=:]\s*['"`]?token['"`]?/;
+var deprecatedOauthFlowRule = {
+  id: "deprecated-oauth-flow",
+  name: "Deprecated OAuth Flow",
+  description: "Detects OAuth Implicit Grant flow (response_type=token) \u2014 deprecated in OAuth 2.1, vulnerable to token interception",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = IMPLICIT_GRANT.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "deprecated-oauth-flow",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "OAuth Implicit Grant flow (response_type=token) is deprecated \u2014 tokens are exposed in the URL fragment",
+          severity: "warning",
+          category: "security",
+          fix: "Use Authorization Code flow with PKCE: response_type=code with code_challenge and code_verifier"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/jwt-no-expiry.ts
+var JWT_SIGN = /jwt\.sign\s*\(/;
+var HAS_EXPIRY = [
+  /expiresIn/,
+  /exp\s*:/,
+  /expirationTime/,
+  /maxAge/
+];
+var EXPIRY_KEYS = /* @__PURE__ */ new Set(["expiresIn", "exp", "expirationTime", "maxAge"]);
+var jwtNoExpiryRule = {
+  id: "jwt-no-expiry",
+  name: "JWT Without Expiration",
+  description: "Detects jwt.sign() calls without an expiresIn option \u2014 tokens never expire, compromised tokens are valid forever",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!JWT_SIGN.test(file.content)) return [];
+    const findings = [];
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type !== "CallExpression") return;
+          const call = node;
+          if (!call.loc) return;
+          if (call.callee.type !== "MemberExpression") return;
+          const mem = call.callee;
+          if (mem.object.type !== "Identifier" || mem.object.name !== "jwt") return;
+          if (mem.property.type !== "Identifier" || mem.property.name !== "sign") return;
+          let hasExpiry = false;
+          for (const arg of call.arguments) {
+            if (arg.type === "ObjectExpression") {
+              const obj = arg;
+              for (const prop of obj.properties) {
+                if (prop.type === "ObjectProperty" && prop.key.type === "Identifier" && EXPIRY_KEYS.has(prop.key.name)) {
+                  hasExpiry = true;
+                  break;
+                }
+              }
+            }
+            if (hasExpiry) break;
+          }
+          if (!hasExpiry && call.arguments[0]?.type === "ObjectExpression") {
+            const payload = call.arguments[0];
+            for (const prop of payload.properties) {
+              if (prop.type === "ObjectProperty" && prop.key.type === "Identifier" && prop.key.name === "exp") {
+                hasExpiry = true;
+                break;
+              }
+            }
+          }
+          if (!hasExpiry) {
+            findings.push({
+              ruleId: "jwt-no-expiry",
+              file: file.relativePath,
+              line: call.loc.start.line,
+              column: call.loc.start.column + 1,
+              message: "jwt.sign() without expiresIn \u2014 tokens never expire, a compromised token is valid forever",
+              severity: "warning",
+              category: "security",
+              fix: 'Add expiration: jwt.sign(payload, secret, { expiresIn: "1h" })'
+            });
+          }
+        });
+        return findings;
+      } catch {
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = JWT_SIGN.exec(line);
+      if (!match) continue;
+      const context = file.lines.slice(i, i + 6).join("\n");
+      const hasExpiry = HAS_EXPIRY.some((p) => p.test(context));
+      if (!hasExpiry) {
+        findings.push({
+          ruleId: "jwt-no-expiry",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "jwt.sign() without expiresIn \u2014 tokens never expire, a compromised token is valid forever",
+          severity: "warning",
+          category: "security",
+          fix: 'Add expiration: jwt.sign(payload, secret, { expiresIn: "1h" })'
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/client-side-auth-only.ts
+var CLIENT_AUTH_PATTERNS = [
+  /localStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/,
+  /sessionStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/
+];
+var PASSWORD_CHECK = /(?:password|passwd)\s*[!=]==?\s*['"`]/;
+var clientSideAuthOnlyRule = {
+  id: "client-side-auth-only",
+  name: "Client-Side Auth Only",
+  description: "Detects authentication logic implemented only in client-side code \u2014 easily bypassed via browser DevTools",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const match = PASSWORD_CHECK.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "client-side-auth-only",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "Password comparison in client-side code \u2014 the password is visible in the JavaScript bundle",
+          severity: "critical",
+          category: "security",
+          fix: "Move authentication logic to a server action or API route"
+        });
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      for (const pattern of CLIENT_AUTH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "client-side-auth-only",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Auth token in localStorage \u2014 accessible to any script on the page (XSS risk). Use httpOnly cookies instead.",
+            severity: "warning",
+            category: "security",
+            fix: "Store auth tokens in httpOnly cookies set by the server, not in localStorage"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-abort-controller.ts
+var FETCH_CALL = /\bfetch\s*\(/;
+var HAS_TIMEOUT = [
+  /AbortController/,
+  /abort/i,
+  /signal\s*:/,
+  /timeout/i,
+  /setTimeout.*abort/s
+];
+var missingAbortControllerRule = {
+  id: "missing-abort-controller",
+  name: "Missing Abort Controller",
+  description: "Detects fetch calls in API routes without timeout or AbortController \u2014 requests can hang indefinitely",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    if (!FETCH_CALL.test(file.content)) return [];
+    const hasTimeout = HAS_TIMEOUT.some((p) => p.test(file.content));
+    if (hasTimeout) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      if (FETCH_CALL.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-abort-controller",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "fetch() without timeout or AbortController \u2014 request will hang indefinitely if the upstream server doesn't respond",
+      severity: "info",
+      category: "performance",
+      fix: "Add a timeout: const controller = new AbortController(); setTimeout(() => controller.abort(), 10000); fetch(url, { signal: controller.signal })"
+    }];
+  }
+};
 
 // src/rules/index.ts
 var rules = [
@@ -2550,6 +4177,19 @@ var rules = [
   leakedEnvInLogsRule,
   insecureRandomRule,
   nextServerActionValidationRule,
+  envFallbackSecretRule,
+  verboseErrorResponseRule,
+  missingWebhookVerificationRule,
+  serverActionAuthRule,
+  evalInjectionRule,
+  nextPublicSensitiveRule,
+  ssrfRiskRule,
+  pathTraversalRule,
+  unsafeFileUploadRule,
+  supabaseMissingRlsRule,
+  deprecatedOauthFlowRule,
+  jwtNoExpiryRule,
+  clientSideAuthOnlyRule,
   // Reliability
   hallucinatedImportsRule,
   errorHandlingRule,
@@ -2558,11 +4198,17 @@ var rules = [
   missingLoadingStateRule,
   missingErrorBoundaryRule,
   missingTransactionRule,
+  redirectInTryCatchRule,
+  missingRevalidationRule,
+  missingUseEffectCleanupRule,
+  hydrationMismatchRule,
   // Performance
   noSyncFsRule,
   noNPlusOneRule,
   noUnboundedQueryRule,
   noDynamicImportLoopRule,
+  serverComponentFetchSelfRule,
+  missingAbortControllerRule,
   // AI Quality
   aiSmellsRule,
   placeholderContentRule,
@@ -2570,7 +4216,8 @@ var rules = [
   staleFallbackRule,
   comprehensionDebtRule,
   codebaseConsistencyRule,
-  deadExportsRule
+  deadExportsRule,
+  useClientOveruseRule
 ];
 
 // src/scanner.ts