pumuki 6.3.293 → 6.3.295

package/core/facts/detectors/typescript/index.ts

@@ -1910,6 +1910,149 @@ const objectExpressionPropertyNames = (node: AstNode): Set<string> => {
   );
 };
 
+const hasPropertyMatching = (propertyNames: ReadonlySet<string>, pattern: RegExp): boolean => {
+  for (const propertyName of propertyNames) {
+    if (pattern.test(propertyName)) {
+      return true;
+    }
+  }
+  return false;
+};
+
+const backendAccessTokenPropertyPattern = /^(accessToken|access_token)$/;
+const backendRefreshTokenPropertyPattern = /^(refreshToken|refresh_token)$/;
+
+const isBackendAuthResponseObjectWithoutRefreshToken = (node: AstNode): boolean => {
+  if (node.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(node);
+  return (
+    hasPropertyMatching(propertyNames, backendAccessTokenPropertyPattern) &&
+    !hasPropertyMatching(propertyNames, backendRefreshTokenPropertyPattern)
+  );
+};
+
+export const findBackendAuthResponseWithoutRefreshTokenLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendAuthResponseObjectWithoutRefreshToken(node)) {
+      return false;
+    }
+    const parent = ancestors[ancestors.length - 1];
+    if (isObject(parent) && parent.type === 'ReturnStatement' && parent.argument === node) {
+      return true;
+    }
+    return ancestors.some((ancestor) => {
+      if (ancestor.type !== 'CallExpression' || !Array.isArray(ancestor.arguments)) {
+        return false;
+      }
+      if (!ancestor.arguments.includes(node) || !isObject(ancestor.callee)) {
+        return false;
+      }
+      const methodName = memberExpressionPropertyName(ancestor.callee);
+      return methodName !== undefined && httpResponseMethodNames.has(methodName);
+    });
+  });
+};
+
+export const hasBackendAuthResponseWithoutRefreshToken = (ast: unknown): boolean =>
+  findBackendAuthResponseWithoutRefreshTokenLines(ast).length > 0;
+
+const isProcessEnvMemberExpression = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'MemberExpression') {
+    return false;
+  }
+  const propertyName = memberExpressionPropertyName(node);
+  if (typeof propertyName !== 'string' || propertyName.length === 0) {
+    return false;
+  }
+  const objectNode = node.object;
+  return (
+    isObject(objectNode) &&
+    objectNode.type === 'MemberExpression' &&
+    memberExpressionObjectName(objectNode) === 'process' &&
+    memberExpressionPropertyName(objectNode) === 'env'
+  );
+};
+
+const isLiteralConfigFallback = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  return (
+    node.type === 'StringLiteral' ||
+    node.type === 'NumericLiteral' ||
+    node.type === 'BooleanLiteral' ||
+    (node.type === 'TemplateLiteral' &&
+      Array.isArray(node.expressions) &&
+      node.expressions.length === 0)
+  );
+};
+
+const isBackendProcessEnvDefaultFallback = (node: AstNode): boolean => {
+  return (
+    node.type === 'LogicalExpression' &&
+    (node.operator === '||' || node.operator === '??') &&
+    isProcessEnvMemberExpression(node.left) &&
+    isLiteralConfigFallback(node.right)
+  );
+};
+
+export const findBackendProcessEnvDefaultFallbackLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node) => isBackendProcessEnvDefaultFallback(node), {
+    max: 12,
+  });
+
+export const hasBackendProcessEnvDefaultFallback = (ast: unknown): boolean =>
+  findBackendProcessEnvDefaultFallbackLines(ast).length > 0;
+
+export const findBackendDirectProcessEnvReadLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node) => isProcessEnvMemberExpression(node), {
+    max: 12,
+  });
+
+export const hasBackendDirectProcessEnvRead = (ast: unknown): boolean =>
+  findBackendDirectProcessEnvReadLines(ast).length > 0;
+
+const isConfigModuleForRootCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  const callee = node.callee;
+  return (
+    callee.type === 'MemberExpression' &&
+    memberExpressionObjectName(callee) === 'ConfigModule' &&
+    memberExpressionPropertyName(callee) === 'forRoot'
+  );
+};
+
+const hasConfigValidationOption = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(node);
+  return propertyNames.has('validationSchema') || propertyNames.has('validate');
+};
+
+const isBackendConfigModuleForRootWithoutValidation = (node: AstNode): boolean => {
+  if (!isConfigModuleForRootCall(node)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  const options = args.find((argument) => isObject(argument) && argument.type === 'ObjectExpression');
+  return !hasConfigValidationOption(options);
+};
+
+export const findBackendConfigModuleWithoutValidationLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(
+    ast,
+    (node) => isBackendConfigModuleForRootWithoutValidation(node),
+    { max: 12 }
+  );
+
+export const hasBackendConfigModuleWithoutValidation = (ast: unknown): boolean =>
+  findBackendConfigModuleWithoutValidationLines(ast).length > 0;
+
 const isErrorStatusCallExpression = (node: unknown): boolean => {
   if (!isObject(node) || node.type !== 'CallExpression') {
     return false;
@@ -2155,7 +2298,7 @@ const isCorsPermissiveValue = (node: unknown): boolean => {
   );
 };
 
-const objectPropertyName = (node: unknown): string | undefined => {
+const validationPipeObjectPropertyName = (node: unknown): string | undefined => {
   if (!isObject(node) || (node.type !== 'ObjectProperty' && node.type !== 'Property')) {
     return undefined;
   }
@@ -2259,6 +2402,34 @@ export const findBackendStringLiteralUnionEnumCandidateLines = (
 export const hasBackendStringLiteralUnionEnumCandidate = (ast: unknown): boolean =>
   findBackendStringLiteralUnionEnumCandidateLines(ast).length > 0;
 
+const backendCacheWriteMethodNames = new Set(['hset', 'mset', 'set', 'setex']);
+const backendCacheObjectPattern = /(cache|cacheManager|redis)/i;
+
+const isBackendSensitiveCacheWriteCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  const callee = node.callee;
+  const methodName = memberExpressionPropertyName(callee);
+  if (methodName === undefined || !backendCacheWriteMethodNames.has(methodName)) {
+    return false;
+  }
+  const objectName =
+    callee.type === 'MemberExpression' ? identifierNameFromNode(callee.object) : undefined;
+  if (objectName === undefined || !backendCacheObjectPattern.test(objectName)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(hasSensitiveIdentifierReference);
+};
+
+export const findBackendSensitiveCacheWriteLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) => isBackendSensitiveCacheWriteCall(node));
+};
+
+export const hasBackendSensitiveCacheWrite = (ast: unknown): boolean =>
+  findBackendSensitiveCacheWriteLines(ast).length > 0;
+
 const isLoggingCall = (node: AstNode): boolean => {
   if (node.type !== 'CallExpression' || !isObject(node.callee)) {
     return false;
@@ -2766,6 +2937,12 @@ const nestJsClassDecoratorNames = new Set([
 ]);
 const nestJsRouteDecoratorNames = new Set(['Delete', 'Get', 'Head', 'Options', 'Patch', 'Post', 'Put']);
 const nestJsUseGuardsDecoratorNames = new Set(['UseGuards']);
+const nestJsRolesDecoratorNames = new Set(['Roles']);
+const nestJsOnEventDecoratorNames = new Set(['OnEvent']);
+const nestJsThrottleDecoratorNames = new Set(['Throttle']);
+const backendEventHandlerNamePattern = /(^handle[A-Z].*Event$|EventHandler$|EventsHandler$)/;
+const backendAuthRouteNamePattern =
+  /(forgot|login|password|refresh|register|reset|signin|sign-in|signup|sign-up|token)/i;
 
 const decoratorExpressionName = (node: unknown): string | undefined => {
   if (!isObject(node)) {
@@ -2801,12 +2978,42 @@ const hasDecoratorFrom = (node: AstNode, allowedNames: ReadonlySet<string>): boo
   });
 };
 
+const decoratorCallArguments = (decorator: AstNode): readonly unknown[] => {
+  const expression = decorator.expression;
+  if (!isObject(expression) || expression.type !== 'CallExpression') {
+    return [];
+  }
+  return Array.isArray(expression.arguments) ? expression.arguments : [];
+};
+
 const hasNestJsRouteDecorator = (node: AstNode): boolean =>
   hasDecoratorFrom(node, nestJsRouteDecoratorNames);
 
 const hasNestJsUseGuardsDecorator = (node: AstNode): boolean =>
   hasDecoratorFrom(node, nestJsUseGuardsDecoratorNames);
 
+const isRolesSetMetadataDecorator = (decorator: AstNode): boolean => {
+  const name = decoratorExpressionName(decorator.expression);
+  if (name !== 'SetMetadata') {
+    return false;
+  }
+  const [metadataKey] = decoratorCallArguments(decorator);
+  return isObject(metadataKey) && metadataKey.type === 'StringLiteral' && metadataKey.value === 'roles';
+};
+
+const hasNestJsRolesDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return (name !== undefined && nestJsRolesDecoratorNames.has(name)) || isRolesSetMetadataDecorator(decorator);
+  });
+};
+
 const isClassLikeNode = (node: unknown): node is AstNode =>
   isObject(node) && (node.type === 'ClassDeclaration' || node.type === 'ClassExpression');
 
@@ -2926,6 +3133,102 @@ export const findBackendControllerRouteWithoutGuardLines = (ast: unknown): reado
 export const hasBackendControllerRouteWithoutGuard = (ast: unknown): boolean =>
   findBackendControllerRouteWithoutGuardLines(ast).length > 0;
 
+export const findBackendControllerRouteWithoutRolesLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isClassMethodLikeNode(node) || !hasNestJsRouteDecorator(node)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    const hasGuard = hasNestJsUseGuardsDecorator(node) || (ownerClass !== undefined && hasNestJsUseGuardsDecorator(ownerClass));
+    if (!hasGuard) {
+      return false;
+    }
+    return !hasNestJsRolesDecorator(node) && (ownerClass === undefined || !hasNestJsRolesDecorator(ownerClass));
+  });
+};
+
+export const hasBackendControllerRouteWithoutRoles = (ast: unknown): boolean =>
+  findBackendControllerRouteWithoutRolesLines(ast).length > 0;
+
+const isBackendEventHandlerClassOrMethod = (node: AstNode): boolean => {
+  if (node.type === 'ClassDeclaration' || node.type === 'ClassExpression') {
+    return backendEventHandlerNamePattern.test(classNameFromNode(node));
+  }
+  if (!isClassMethodLikeNode(node)) {
+    return false;
+  }
+  const methodName = methodNameFromNode(node.key);
+  return typeof methodName === 'string' && backendEventHandlerNamePattern.test(methodName);
+};
+
+const hasOnEventDecoratedClassMember = (node: AstNode): boolean => {
+  if (node.type !== 'ClassDeclaration' && node.type !== 'ClassExpression') {
+    return false;
+  }
+  const members = isObject(node.body) && Array.isArray(node.body.body) ? node.body.body : [];
+  return members.some((member) => isObject(member) && hasDecoratorFrom(member, nestJsOnEventDecoratorNames));
+};
+
+export const findBackendEventHandlerWithoutOnEventLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendEventHandlerClassOrMethod(node)) {
+      return false;
+    }
+    if (hasDecoratorFrom(node, nestJsOnEventDecoratorNames)) {
+      return false;
+    }
+    if (isClassLikeNode(node) && hasOnEventDecoratedClassMember(node)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    return ownerClass === undefined || !hasDecoratorFrom(ownerClass, nestJsOnEventDecoratorNames);
+  });
+};
+
+export const hasBackendEventHandlerWithoutOnEvent = (ast: unknown): boolean =>
+  findBackendEventHandlerWithoutOnEventLines(ast).length > 0;
+
+const isBackendAuthRouteMethod = (node: AstNode): boolean => {
+  if (!isClassMethodLikeNode(node) || !hasNestJsRouteDecorator(node)) {
+    return false;
+  }
+  const methodName = methodNameFromNode(node.key);
+  if (methodName !== undefined && backendAuthRouteNamePattern.test(methodName)) {
+    return true;
+  }
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const decoratorName = decoratorExpressionName(decorator.expression);
+    if (decoratorName === undefined || !nestJsRouteDecoratorNames.has(decoratorName)) {
+      return false;
+    }
+    const [firstArgument] = decoratorCallArguments(decorator);
+    const routePath = literalTextFromNode(firstArgument);
+    return routePath !== undefined && backendAuthRouteNamePattern.test(routePath);
+  });
+};
+
+export const findBackendAuthRouteWithoutThrottleLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendAuthRouteMethod(node)) {
+      return false;
+    }
+    if (hasDecoratorFrom(node, nestJsThrottleDecoratorNames)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    return ownerClass === undefined || !hasDecoratorFrom(ownerClass, nestJsThrottleDecoratorNames);
+  });
+};
+
+export const hasBackendAuthRouteWithoutThrottle = (ast: unknown): boolean =>
+  findBackendAuthRouteWithoutThrottleLines(ast).length > 0;
+
 const persistenceMutationNames = new Set([
   'create',
   'delete',
@@ -3128,6 +3431,19 @@ const hasClassValidatorDecorator = (node: AstNode): boolean => {
   });
 };
 
+const hasApiPropertyDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return name === 'ApiProperty' || name === 'ApiPropertyOptional';
+  });
+};
+
 const hasDtoNestedValidationDecorator = (node: AstNode): boolean => {
   if (!Array.isArray(node.decorators)) {
     return false;
@@ -3227,6 +3543,19 @@ export const findDtoPropertyWithoutValidationMatch = (
 export const hasDtoPropertyWithoutValidation = (ast: unknown): boolean =>
   findDtoPropertyWithoutValidationMatch(ast) !== undefined;
 
+export const findDtoPropertyWithoutApiPropertyLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isDtoPropertyNode(node) || hasApiPropertyDecorator(node)) {
+      return false;
+    }
+    return ancestors.some(
+      (ancestor) => ancestor.type === 'ClassDeclaration' && isDtoClassName(classNameFromNode(ancestor))
+    );
+  }, { max: 12 });
+
+export const hasDtoPropertyWithoutApiProperty = (ast: unknown): boolean =>
+  findDtoPropertyWithoutApiPropertyLines(ast).length > 0;
+
 export type TypeScriptDtoNestedPropertyWithoutNestedValidationMatch = {
   lines: readonly number[];
   primary_node: string;
@@ -3290,6 +3619,329 @@ export const findDtoNestedPropertyWithoutNestedValidationMatch = (
 export const hasDtoNestedPropertyWithoutNestedValidation = (ast: unknown): boolean =>
   findDtoNestedPropertyWithoutNestedValidationMatch(ast) !== undefined;
 
+const isValidationPipeCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'ValidationPipe';
+};
+
+const objectPropertyName = (node: unknown): string | undefined => {
+  if (!isObject(node)) {
+    return undefined;
+  }
+  if (isObject(node.key)) {
+    return methodNameFromNode(node.key);
+  }
+  return undefined;
+};
+
+const isBooleanTrueLiteral = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'BooleanLiteral' && node.value === true;
+};
+
+const validationPipeOptionsEnableWhitelist = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression' || !Array.isArray(node.properties)) {
+    return false;
+  }
+  return node.properties.some((property) => {
+    return (
+      isObject(property) &&
+      validationPipeObjectPropertyName(property) === 'whitelist' &&
+      isBooleanTrueLiteral(property.value)
+    );
+  });
+};
+
+const isStrictValidationPipeExpression = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  if (node.type !== 'NewExpression' && node.type !== 'CallExpression') {
+    return false;
+  }
+  if (!isValidationPipeCallee(node.callee)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(validationPipeOptionsEnableWhitelist);
+};
+
+const isUseGlobalPipesCall = (node: AstNode): boolean => {
+  return node.type === 'CallExpression' && callExpressionMemberName(node) === 'useGlobalPipes';
+};
+
+const isStrictUseGlobalPipesCall = (node: AstNode): boolean => {
+  if (!isUseGlobalPipesCall(node)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isStrictValidationPipeExpression);
+};
+
+const isBackendValidationNestFactoryCreateCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression') {
+    return false;
+  }
+  const memberName = callExpressionMemberName(node);
+  const objectName = callExpressionObjectName(node);
+  return memberName === 'create' && objectName === 'NestFactory';
+};
+
+export const findBackendMissingGlobalValidationPipeLines = (ast: unknown): readonly number[] => {
+  const unsafeUseGlobalPipesLines = collectLineMatchesWithAncestors(
+    ast,
+    (node) => isUseGlobalPipesCall(node) && !isStrictUseGlobalPipesCall(node)
+  );
+  if (unsafeUseGlobalPipesLines.length > 0) {
+    return unsafeUseGlobalPipesLines;
+  }
+
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isStrictUseGlobalPipesCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingGlobalValidationPipe = (ast: unknown): boolean =>
+  findBackendMissingGlobalValidationPipeLines(ast).length > 0;
+
+const isHelmetCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'helmet';
+};
+
+const isHelmetCallExpression = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'CallExpression' && isHelmetCallee(node.callee);
+};
+
+const isAppUseHelmetCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || callExpressionMemberName(node) !== 'use') {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isHelmetCallExpression);
+};
+
+export const findBackendMissingHelmetSecurityHeadersLines = (ast: unknown): readonly number[] => {
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isAppUseHelmetCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingHelmetSecurityHeaders = (ast: unknown): boolean =>
+  findBackendMissingHelmetSecurityHeadersLines(ast).length > 0;
+
+const isCompressionCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'compression';
+};
+
+const isCompressionCallExpression = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'CallExpression' && isCompressionCallee(node.callee);
+};
+
+const isAppUseCompressionCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || callExpressionMemberName(node) !== 'use') {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isCompressionCallExpression);
+};
+
+export const findBackendMissingCompressionMiddlewareLines = (
+  ast: unknown
+): readonly number[] => {
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isAppUseCompressionCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingCompressionMiddleware = (ast: unknown): boolean =>
+  findBackendMissingCompressionMiddlewareLines(ast).length > 0;
+
+const backendRouteDecoratorNames = new Set([
+  'All',
+  'Delete',
+  'Get',
+  'Head',
+  'Options',
+  'Patch',
+  'Post',
+  'Put',
+]);
+
+const backendControllerBusinessLogicNodeTypes = new Set([
+  'DoWhileStatement',
+  'ForInStatement',
+  'ForOfStatement',
+  'ForStatement',
+  'IfStatement',
+  'SwitchStatement',
+  'WhileStatement',
+]);
+
+const hasBackendRouteDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return name !== undefined && backendRouteDecoratorNames.has(name);
+  });
+};
+
+const isBackendControllerRouteMethod = (node: AstNode): boolean => {
+  return (
+    (node.type === 'ClassMethod' ||
+      node.type === 'ClassPrivateMethod' ||
+      node.type === 'ObjectMethod') &&
+    hasBackendRouteDecorator(node)
+  );
+};
+
+const isBackendControllerBusinessLogicNode = (node: AstNode): boolean => {
+  if (typeof node.type === 'string' && backendControllerBusinessLogicNodeTypes.has(node.type)) {
+    return true;
+  }
+  if (isPersistenceMutationCall(node)) {
+    return true;
+  }
+  const objectName = callExpressionObjectName(node);
+  const rootObjectName =
+    node.type === 'CallExpression' && isObject(node.callee)
+      ? memberExpressionRootObjectName(node.callee)
+      : undefined;
+  return (
+    (objectName !== undefined && /(?:repository|repo|prisma|supabase|model|collection)$/i.test(objectName)) ||
+    (rootObjectName !== undefined && /(?:repository|repo|prisma|supabase|model|collection)$/i.test(rootObjectName))
+  );
+};
+
+export type TypeScriptBackendControllerBusinessLogicMatch = {
+  lines: readonly number[];
+  primary_node: string;
+  related_nodes: readonly string[];
+  why: string;
+  impact: string;
+  expected_fix: string;
+};
+
+export const findBackendControllerBusinessLogicMatch = (
+  ast: unknown
+): TypeScriptBackendControllerBusinessLogicMatch | undefined => {
+  const match = findFirstNodeWithAncestors(ast, (node) => {
+    if (!isBackendControllerRouteMethod(node)) {
+      return false;
+    }
+    return hasDescendantNode(
+      node,
+      (nested) => nested !== node && isBackendControllerBusinessLogicNode(nested)
+    );
+  });
+
+  if (match === undefined) {
+    return undefined;
+  }
+
+  const methodName = methodNameFromNode(match.node.key) ?? 'anonymous controller route';
+  const line = toPositiveLine(match.node);
+
+  return {
+    lines: line === null ? [] : sortedUniqueLines([line]),
+    primary_node: methodName,
+    related_nodes: ['NestJS route handler', 'business logic in controller'],
+    why: `El handler ${methodName} contiene logica de negocio o acceso a persistencia dentro del controller.`,
+    impact:
+      'El controller deja de ser una frontera HTTP delgada, mezcla routing con dominio/aplicacion y dificulta testabilidad y reutilizacion.',
+    expected_fix:
+      'Mueve la logica a un service/use case inyectado y deja el controller solo con routing, validacion de entrada y delegacion.',
+  };
+};
+
+export const findBackendControllerBusinessLogicLines = (ast: unknown): readonly number[] =>
+  findBackendControllerBusinessLogicMatch(ast)?.lines ?? [];
+
+export const hasBackendControllerBusinessLogic = (ast: unknown): boolean =>
+  findBackendControllerBusinessLogicMatch(ast) !== undefined;
+
+const isBackendRepositoryClassName = (name: string | undefined): boolean =>
+  name !== undefined && /(?:Repository|Repo)$/i.test(name);
+
+const isBackendRepositoryBusinessLogicMethod = (node: AstNode): boolean => {
+  if (
+    node.type !== 'ClassMethod' &&
+    node.type !== 'ClassPrivateMethod' &&
+    node.type !== 'ObjectMethod'
+  ) {
+    return false;
+  }
+  return hasDescendantNode(node, (nested) => {
+    return (
+      nested !== node &&
+      typeof nested.type === 'string' &&
+      backendControllerBusinessLogicNodeTypes.has(nested.type)
+    );
+  });
+};
+
+export type TypeScriptBackendRepositoryBusinessLogicMatch = {
+  lines: readonly number[];
+  primary_node: string;
+  related_nodes: readonly string[];
+  why: string;
+  impact: string;
+  expected_fix: string;
+};
+
+export const findBackendRepositoryBusinessLogicMatch = (
+  ast: unknown
+): TypeScriptBackendRepositoryBusinessLogicMatch | undefined => {
+  const match = findFirstNodeWithAncestors(ast, (node) => {
+    if (node.type !== 'ClassDeclaration' || !isBackendRepositoryClassName(classNameFromNode(node))) {
+      return false;
+    }
+    const body = isObject(node.body) && Array.isArray(node.body.body) ? node.body.body : [];
+    return body.some((member) => isObject(member) && isBackendRepositoryBusinessLogicMethod(member));
+  });
+
+  if (match === undefined) {
+    return undefined;
+  }
+
+  const className = classNameFromNode(match.node) ?? 'Repository';
+  const body = isObject(match.node.body) && Array.isArray(match.node.body.body) ? match.node.body.body : [];
+  const method = body.find((member) => isObject(member) && isBackendRepositoryBusinessLogicMethod(member));
+  const methodName = isObject(method) ? methodNameFromNode(method.key) : undefined;
+  const line = isObject(method) ? toPositiveLine(method) : toPositiveLine(match.node);
+
+  return {
+    lines: line === null ? [] : sortedUniqueLines([line]),
+    primary_node: className,
+    related_nodes: methodName === undefined ? ['repository method'] : [methodName],
+    why: `El repositorio ${className} contiene ramas de decision dentro de un metodo de persistencia.`,
+    impact:
+      'El repositorio mezcla reglas de negocio con acceso a datos, rompiendo Clean Architecture y dificultando pruebas de casos de uso.',
+    expected_fix:
+      'Mueve la decision de negocio a un use case/service y deja el repositorio limitado a CRUD, queries expresivas y mapeo de datos.',
+  };
+};
+
+export const findBackendRepositoryBusinessLogicLines = (ast: unknown): readonly number[] =>
+  findBackendRepositoryBusinessLogicMatch(ast)?.lines ?? [];
+
+export const hasBackendRepositoryBusinessLogic = (ast: unknown): boolean =>
+  findBackendRepositoryBusinessLogicMatch(ast) !== undefined;
+
 const isRecordTypeName = (node: unknown): boolean => {
   return (
     isObject(node) &&