pumuki 6.3.294 → 6.3.296

package/core/facts/detectors/typescript/index.ts

@@ -1910,6 +1910,149 @@ const objectExpressionPropertyNames = (node: AstNode): Set<string> => {
   );
 };
 
+const hasPropertyMatching = (propertyNames: ReadonlySet<string>, pattern: RegExp): boolean => {
+  for (const propertyName of propertyNames) {
+    if (pattern.test(propertyName)) {
+      return true;
+    }
+  }
+  return false;
+};
+
+const backendAccessTokenPropertyPattern = /^(accessToken|access_token)$/;
+const backendRefreshTokenPropertyPattern = /^(refreshToken|refresh_token)$/;
+
+const isBackendAuthResponseObjectWithoutRefreshToken = (node: AstNode): boolean => {
+  if (node.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(node);
+  return (
+    hasPropertyMatching(propertyNames, backendAccessTokenPropertyPattern) &&
+    !hasPropertyMatching(propertyNames, backendRefreshTokenPropertyPattern)
+  );
+};
+
+export const findBackendAuthResponseWithoutRefreshTokenLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendAuthResponseObjectWithoutRefreshToken(node)) {
+      return false;
+    }
+    const parent = ancestors[ancestors.length - 1];
+    if (isObject(parent) && parent.type === 'ReturnStatement' && parent.argument === node) {
+      return true;
+    }
+    return ancestors.some((ancestor) => {
+      if (ancestor.type !== 'CallExpression' || !Array.isArray(ancestor.arguments)) {
+        return false;
+      }
+      if (!ancestor.arguments.includes(node) || !isObject(ancestor.callee)) {
+        return false;
+      }
+      const methodName = memberExpressionPropertyName(ancestor.callee);
+      return methodName !== undefined && httpResponseMethodNames.has(methodName);
+    });
+  });
+};
+
+export const hasBackendAuthResponseWithoutRefreshToken = (ast: unknown): boolean =>
+  findBackendAuthResponseWithoutRefreshTokenLines(ast).length > 0;
+
+const isProcessEnvMemberExpression = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'MemberExpression') {
+    return false;
+  }
+  const propertyName = memberExpressionPropertyName(node);
+  if (typeof propertyName !== 'string' || propertyName.length === 0) {
+    return false;
+  }
+  const objectNode = node.object;
+  return (
+    isObject(objectNode) &&
+    objectNode.type === 'MemberExpression' &&
+    memberExpressionObjectName(objectNode) === 'process' &&
+    memberExpressionPropertyName(objectNode) === 'env'
+  );
+};
+
+const isLiteralConfigFallback = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  return (
+    node.type === 'StringLiteral' ||
+    node.type === 'NumericLiteral' ||
+    node.type === 'BooleanLiteral' ||
+    (node.type === 'TemplateLiteral' &&
+      Array.isArray(node.expressions) &&
+      node.expressions.length === 0)
+  );
+};
+
+const isBackendProcessEnvDefaultFallback = (node: AstNode): boolean => {
+  return (
+    node.type === 'LogicalExpression' &&
+    (node.operator === '||' || node.operator === '??') &&
+    isProcessEnvMemberExpression(node.left) &&
+    isLiteralConfigFallback(node.right)
+  );
+};
+
+export const findBackendProcessEnvDefaultFallbackLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node) => isBackendProcessEnvDefaultFallback(node), {
+    max: 12,
+  });
+
+export const hasBackendProcessEnvDefaultFallback = (ast: unknown): boolean =>
+  findBackendProcessEnvDefaultFallbackLines(ast).length > 0;
+
+export const findBackendDirectProcessEnvReadLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node) => isProcessEnvMemberExpression(node), {
+    max: 12,
+  });
+
+export const hasBackendDirectProcessEnvRead = (ast: unknown): boolean =>
+  findBackendDirectProcessEnvReadLines(ast).length > 0;
+
+const isConfigModuleForRootCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  const callee = node.callee;
+  return (
+    callee.type === 'MemberExpression' &&
+    memberExpressionObjectName(callee) === 'ConfigModule' &&
+    memberExpressionPropertyName(callee) === 'forRoot'
+  );
+};
+
+const hasConfigValidationOption = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = objectExpressionPropertyNames(node);
+  return propertyNames.has('validationSchema') || propertyNames.has('validate');
+};
+
+const isBackendConfigModuleForRootWithoutValidation = (node: AstNode): boolean => {
+  if (!isConfigModuleForRootCall(node)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  const options = args.find((argument) => isObject(argument) && argument.type === 'ObjectExpression');
+  return !hasConfigValidationOption(options);
+};
+
+export const findBackendConfigModuleWithoutValidationLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(
+    ast,
+    (node) => isBackendConfigModuleForRootWithoutValidation(node),
+    { max: 12 }
+  );
+
+export const hasBackendConfigModuleWithoutValidation = (ast: unknown): boolean =>
+  findBackendConfigModuleWithoutValidationLines(ast).length > 0;
+
 const isErrorStatusCallExpression = (node: unknown): boolean => {
   if (!isObject(node) || node.type !== 'CallExpression') {
     return false;
@@ -2259,6 +2402,34 @@ export const findBackendStringLiteralUnionEnumCandidateLines = (
 export const hasBackendStringLiteralUnionEnumCandidate = (ast: unknown): boolean =>
   findBackendStringLiteralUnionEnumCandidateLines(ast).length > 0;
 
+const backendCacheWriteMethodNames = new Set(['hset', 'mset', 'set', 'setex']);
+const backendCacheObjectPattern = /(cache|cacheManager|redis)/i;
+
+const isBackendSensitiveCacheWriteCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || !isObject(node.callee)) {
+    return false;
+  }
+  const callee = node.callee;
+  const methodName = memberExpressionPropertyName(callee);
+  if (methodName === undefined || !backendCacheWriteMethodNames.has(methodName)) {
+    return false;
+  }
+  const objectName =
+    callee.type === 'MemberExpression' ? identifierNameFromNode(callee.object) : undefined;
+  if (objectName === undefined || !backendCacheObjectPattern.test(objectName)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(hasSensitiveIdentifierReference);
+};
+
+export const findBackendSensitiveCacheWriteLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node) => isBackendSensitiveCacheWriteCall(node));
+};
+
+export const hasBackendSensitiveCacheWrite = (ast: unknown): boolean =>
+  findBackendSensitiveCacheWriteLines(ast).length > 0;
+
 const isLoggingCall = (node: AstNode): boolean => {
   if (node.type !== 'CallExpression' || !isObject(node.callee)) {
     return false;
@@ -2767,6 +2938,11 @@ const nestJsClassDecoratorNames = new Set([
 const nestJsRouteDecoratorNames = new Set(['Delete', 'Get', 'Head', 'Options', 'Patch', 'Post', 'Put']);
 const nestJsUseGuardsDecoratorNames = new Set(['UseGuards']);
 const nestJsRolesDecoratorNames = new Set(['Roles']);
+const nestJsOnEventDecoratorNames = new Set(['OnEvent']);
+const nestJsThrottleDecoratorNames = new Set(['Throttle']);
+const backendEventHandlerNamePattern = /(^handle[A-Z].*Event$|EventHandler$|EventsHandler$)/;
+const backendAuthRouteNamePattern =
+  /(forgot|login|password|refresh|register|reset|signin|sign-in|signup|sign-up|token)/i;
 
 const decoratorExpressionName = (node: unknown): string | undefined => {
   if (!isObject(node)) {
@@ -2974,6 +3150,85 @@ export const findBackendControllerRouteWithoutRolesLines = (ast: unknown): reado
 export const hasBackendControllerRouteWithoutRoles = (ast: unknown): boolean =>
   findBackendControllerRouteWithoutRolesLines(ast).length > 0;
 
+const isBackendEventHandlerClassOrMethod = (node: AstNode): boolean => {
+  if (node.type === 'ClassDeclaration' || node.type === 'ClassExpression') {
+    return backendEventHandlerNamePattern.test(classNameFromNode(node));
+  }
+  if (!isClassMethodLikeNode(node)) {
+    return false;
+  }
+  const methodName = methodNameFromNode(node.key);
+  return typeof methodName === 'string' && backendEventHandlerNamePattern.test(methodName);
+};
+
+const hasOnEventDecoratedClassMember = (node: AstNode): boolean => {
+  if (node.type !== 'ClassDeclaration' && node.type !== 'ClassExpression') {
+    return false;
+  }
+  const members = isObject(node.body) && Array.isArray(node.body.body) ? node.body.body : [];
+  return members.some((member) => isObject(member) && hasDecoratorFrom(member, nestJsOnEventDecoratorNames));
+};
+
+export const findBackendEventHandlerWithoutOnEventLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendEventHandlerClassOrMethod(node)) {
+      return false;
+    }
+    if (hasDecoratorFrom(node, nestJsOnEventDecoratorNames)) {
+      return false;
+    }
+    if (isClassLikeNode(node) && hasOnEventDecoratedClassMember(node)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    return ownerClass === undefined || !hasDecoratorFrom(ownerClass, nestJsOnEventDecoratorNames);
+  });
+};
+
+export const hasBackendEventHandlerWithoutOnEvent = (ast: unknown): boolean =>
+  findBackendEventHandlerWithoutOnEventLines(ast).length > 0;
+
+const isBackendAuthRouteMethod = (node: AstNode): boolean => {
+  if (!isClassMethodLikeNode(node) || !hasNestJsRouteDecorator(node)) {
+    return false;
+  }
+  const methodName = methodNameFromNode(node.key);
+  if (methodName !== undefined && backendAuthRouteNamePattern.test(methodName)) {
+    return true;
+  }
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const decoratorName = decoratorExpressionName(decorator.expression);
+    if (decoratorName === undefined || !nestJsRouteDecoratorNames.has(decoratorName)) {
+      return false;
+    }
+    const [firstArgument] = decoratorCallArguments(decorator);
+    const routePath = literalTextFromNode(firstArgument);
+    return routePath !== undefined && backendAuthRouteNamePattern.test(routePath);
+  });
+};
+
+export const findBackendAuthRouteWithoutThrottleLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isBackendAuthRouteMethod(node)) {
+      return false;
+    }
+    if (hasDecoratorFrom(node, nestJsThrottleDecoratorNames)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    return ownerClass === undefined || !hasDecoratorFrom(ownerClass, nestJsThrottleDecoratorNames);
+  });
+};
+
+export const hasBackendAuthRouteWithoutThrottle = (ast: unknown): boolean =>
+  findBackendAuthRouteWithoutThrottleLines(ast).length > 0;
+
 const persistenceMutationNames = new Set([
   'create',
   'delete',
@@ -3176,6 +3431,19 @@ const hasClassValidatorDecorator = (node: AstNode): boolean => {
   });
 };
 
+const hasApiPropertyDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return name === 'ApiProperty' || name === 'ApiPropertyOptional';
+  });
+};
+
 const hasDtoNestedValidationDecorator = (node: AstNode): boolean => {
   if (!Array.isArray(node.decorators)) {
     return false;
@@ -3275,6 +3543,19 @@ export const findDtoPropertyWithoutValidationMatch = (
 export const hasDtoPropertyWithoutValidation = (ast: unknown): boolean =>
   findDtoPropertyWithoutValidationMatch(ast) !== undefined;
 
+export const findDtoPropertyWithoutApiPropertyLines = (ast: unknown): readonly number[] =>
+  collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isDtoPropertyNode(node) || hasApiPropertyDecorator(node)) {
+      return false;
+    }
+    return ancestors.some(
+      (ancestor) => ancestor.type === 'ClassDeclaration' && isDtoClassName(classNameFromNode(ancestor))
+    );
+  }, { max: 12 });
+
+export const hasDtoPropertyWithoutApiProperty = (ast: unknown): boolean =>
+  findDtoPropertyWithoutApiPropertyLines(ast).length > 0;
+
 export type TypeScriptDtoNestedPropertyWithoutNestedValidationMatch = {
   lines: readonly number[];
   primary_node: string;
@@ -3454,6 +3735,37 @@ export const findBackendMissingHelmetSecurityHeadersLines = (ast: unknown): read
 export const hasBackendMissingHelmetSecurityHeaders = (ast: unknown): boolean =>
   findBackendMissingHelmetSecurityHeadersLines(ast).length > 0;
 
+const isCompressionCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'compression';
+};
+
+const isCompressionCallExpression = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'CallExpression' && isCompressionCallee(node.callee);
+};
+
+const isAppUseCompressionCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || callExpressionMemberName(node) !== 'use') {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isCompressionCallExpression);
+};
+
+export const findBackendMissingCompressionMiddlewareLines = (
+  ast: unknown
+): readonly number[] => {
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isAppUseCompressionCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingCompressionMiddleware = (ast: unknown): boolean =>
+  findBackendMissingCompressionMiddlewareLines(ast).length > 0;
+
 const backendRouteDecoratorNames = new Set([
   'All',
   'Delete',

package/core/facts/extractHeuristicFacts.ts

@@ -76,6 +76,17 @@ const isBackendTypeScriptPath = (path: string): boolean => {
   return isTypeScriptHeuristicTargetPath(path) && path.startsWith('apps/backend/');
 };
 
+const isBackendNonConfigTypeScriptPath = (path: string): boolean => {
+  const normalized = path.replace(/\\/g, '/').toLowerCase();
+  return (
+    isBackendTypeScriptPath(path) &&
+    !normalized.includes('/config/') &&
+    !normalized.endsWith('.config.ts') &&
+    !normalized.endsWith('/configuration.ts') &&
+    !normalized.endsWith('/environment.ts')
+  );
+};
+
 const isBackendControllerTypeScriptPath = (path: string): boolean => {
   const normalized = path.replace(/\\/g, '/').toLowerCase();
   return isBackendTypeScriptPath(path) && normalized.endsWith('.controller.ts');
@@ -95,6 +106,10 @@ const isIOSSwiftPath = (path: string): boolean => {
   return path.endsWith('.swift') && path.startsWith('apps/ios/');
 };
 
+const isIOSSwiftPackageManifestPath = (path: string): boolean => {
+  return path.replace(/\\/g, '/') === 'apps/ios/Package.swift';
+};
+
 const isIOSPodfilePath = (path: string): boolean => {
   const normalized = path.replace(/\\/g, '/');
   return (
@@ -491,6 +506,10 @@ const astDetectorRegistry: ReadonlyArray<ASTDetectorRegistryEntry> = [
   { detect: TS.hasConsoleErrorCall, ruleId: 'heuristics.ts.console-error.ast', code: 'HEURISTICS_CONSOLE_ERROR_AST', message: 'AST heuristic detected console.error usage.' },
   { detect: TS.hasSensitiveDataLoggingCall, ruleId: 'heuristics.ts.backend.sensitive-data-logging.ast', code: 'HEURISTICS_BACKEND_SENSITIVE_DATA_LOGGING_AST', message: 'AST heuristic detected sensitive data passed to a logging sink.' },
   { detect: TS.hasBackendLogWithoutContext, locateLines: TS.findBackendLogWithoutContextLines, ruleId: 'heuristics.ts.backend.log-without-context.ast', code: 'HEURISTICS_BACKEND_LOG_WITHOUT_CONTEXT_AST', message: 'AST heuristic detected backend log call without request/user/trace context.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendAuthResponseWithoutRefreshToken, locateLines: TS.findBackendAuthResponseWithoutRefreshTokenLines, ruleId: 'heuristics.ts.backend.auth-response-without-refresh-token.ast', code: 'HEURISTICS_BACKEND_AUTH_RESPONSE_WITHOUT_REFRESH_TOKEN_AST', message: 'AST heuristic detected backend auth response returning an access token without a refresh token.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendProcessEnvDefaultFallback, locateLines: TS.findBackendProcessEnvDefaultFallbackLines, ruleId: 'heuristics.ts.backend.process-env-default-fallback.ast', code: 'HEURISTICS_BACKEND_PROCESS_ENV_DEFAULT_FALLBACK_AST', message: 'AST heuristic detected backend process.env configuration with a literal production fallback.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendDirectProcessEnvRead, locateLines: TS.findBackendDirectProcessEnvReadLines, ruleId: 'heuristics.ts.backend.direct-process-env-read.ast', code: 'HEURISTICS_BACKEND_DIRECT_PROCESS_ENV_READ_AST', message: 'AST heuristic detected direct backend process.env read outside the configuration boundary.', pathCheck: isBackendNonConfigTypeScriptPath },
+  { detect: TS.hasBackendConfigModuleWithoutValidation, locateLines: TS.findBackendConfigModuleWithoutValidationLines, ruleId: 'heuristics.ts.backend.config-module-without-validation.ast', code: 'HEURISTICS_BACKEND_CONFIG_MODULE_WITHOUT_VALIDATION_AST', message: 'AST heuristic detected ConfigModule.forRoot without env validationSchema or validate.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendMagicNumberLiteral, ruleId: 'heuristics.ts.backend.magic-number-literal.ast', code: 'HEURISTICS_BACKEND_MAGIC_NUMBER_LITERAL_AST', message: 'AST heuristic detected an inline numeric literal; use a named constant for backend readability and maintainability.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendGenericErrorThrow, ruleId: 'heuristics.ts.backend.generic-error-throw.ast', code: 'HEURISTICS_BACKEND_GENERIC_ERROR_THROW_AST', message: 'AST heuristic detected throw new Error in backend code; use a specific domain/application exception.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendRawThrowExpression, locateLines: TS.findBackendRawThrowExpressionLines, ruleId: 'heuristics.ts.backend.raw-throw-expression.ast', code: 'HEURISTICS_BACKEND_RAW_THROW_EXPRESSION_AST', message: 'AST heuristic detected raw throw expression in backend code; throw a typed exception.', pathCheck: isBackendTypeScriptPath },
@@ -504,8 +523,10 @@ const astDetectorRegistry: ReadonlyArray<ASTDetectorRegistryEntry> = [
   { detect: TS.hasBackendAnemicDomainModel, ruleId: 'heuristics.ts.backend.anemic-domain-model.ast', code: 'HEURISTICS_BACKEND_ANEMIC_DOMAIN_MODEL_AST', message: 'AST heuristic detected an anemic backend domain entity without business behavior.', pathCheck: isBackendDomainEntityPath },
   { detect: TS.hasBackendPermissiveCorsConfiguration, locateLines: TS.findBackendPermissiveCorsConfigurationLines, ruleId: 'heuristics.ts.backend.permissive-cors.ast', code: 'HEURISTICS_BACKEND_PERMISSIVE_CORS_AST', message: 'AST heuristic detected permissive backend CORS configuration; restrict allowed origins explicitly.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendMissingHelmetSecurityHeaders, locateLines: TS.findBackendMissingHelmetSecurityHeadersLines, ruleId: 'heuristics.ts.backend.missing-helmet-security-headers.ast', code: 'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST', message: 'AST heuristic detected NestJS bootstrap without Helmet security headers middleware.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendMissingCompressionMiddleware, locateLines: TS.findBackendMissingCompressionMiddlewareLines, ruleId: 'heuristics.ts.backend.missing-compression-middleware.ast', code: 'HEURISTICS_BACKEND_MISSING_COMPRESSION_MIDDLEWARE_AST', message: 'AST heuristic detected NestJS bootstrap without compression middleware.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendMissingGlobalValidationPipe, locateLines: TS.findBackendMissingGlobalValidationPipeLines, ruleId: 'heuristics.ts.backend.missing-global-validation-pipe.ast', code: 'HEURISTICS_BACKEND_MISSING_GLOBAL_VALIDATION_PIPE_AST', message: 'AST heuristic detected NestJS bootstrap without global ValidationPipe whitelist.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendStringLiteralUnionEnumCandidate, locateLines: TS.findBackendStringLiteralUnionEnumCandidateLines, ruleId: 'heuristics.ts.backend.string-literal-union-enum.ast', code: 'HEURISTICS_BACKEND_STRING_LITERAL_UNION_ENUM_AST', message: 'AST heuristic detected fixed backend string literal union; use an enum or centralized typed constants.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendSensitiveCacheWrite, locateLines: TS.findBackendSensitiveCacheWriteLines, ruleId: 'heuristics.ts.backend.sensitive-cache-write.ast', code: 'HEURISTICS_BACKEND_SENSITIVE_CACHE_WRITE_AST', message: 'AST heuristic detected sensitive data written to backend cache.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasEvalCall, ruleId: 'heuristics.ts.eval.ast', code: 'HEURISTICS_EVAL_AST', message: 'AST heuristic detected eval usage.' },
   { detect: TS.hasFunctionConstructorUsage, ruleId: 'heuristics.ts.function-constructor.ast', code: 'HEURISTICS_FUNCTION_CONSTRUCTOR_AST', message: 'AST heuristic detected Function constructor usage.' },
   { detect: TS.hasSetTimeoutStringCallback, ruleId: 'heuristics.ts.set-timeout-string.ast', code: 'HEURISTICS_SET_TIMEOUT_STRING_AST', message: 'AST heuristic detected setTimeout with a string callback.' },
@@ -532,9 +553,12 @@ const astDetectorRegistry: ReadonlyArray<ASTDetectorRegistryEntry> = [
   { detect: TS.hasNestJsConstructorDependencyWithoutDecorator, ruleId: 'heuristics.ts.nestjs.constructor-di-without-decorator.ast', code: 'HEURISTICS_NESTJS_CONSTRUCTOR_DI_WITHOUT_DECORATOR_AST', message: 'AST heuristic detected NestJS constructor dependency injection without an explicit class decorator.' },
   { detect: TS.hasBackendControllerRouteWithoutGuard, locateLines: TS.findBackendControllerRouteWithoutGuardLines, ruleId: 'heuristics.ts.backend.controller-route-without-guard.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_GUARD_AST', message: 'AST heuristic detected NestJS controller route without UseGuards at method or class level.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendControllerRouteWithoutRoles, locateLines: TS.findBackendControllerRouteWithoutRolesLines, ruleId: 'heuristics.ts.backend.controller-route-without-roles.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST', message: 'AST heuristic detected guarded NestJS controller route without Roles/SetMetadata roles authorization.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendAuthRouteWithoutThrottle, locateLines: TS.findBackendAuthRouteWithoutThrottleLines, ruleId: 'heuristics.ts.backend.auth-route-without-throttle.ast', code: 'HEURISTICS_BACKEND_AUTH_ROUTE_WITHOUT_THROTTLE_AST', message: 'AST heuristic detected authentication route without NestJS throttling/rate limiting.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendEventHandlerWithoutOnEvent, locateLines: TS.findBackendEventHandlerWithoutOnEventLines, ruleId: 'heuristics.ts.backend.event-handler-without-on-event.ast', code: 'HEURISTICS_BACKEND_EVENT_HANDLER_WITHOUT_ON_EVENT_AST', message: 'AST heuristic detected backend event handler without @OnEvent subscription.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasPersistenceMutationWithoutAuditEvent, ruleId: 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast', code: 'HEURISTICS_BACKEND_PERSISTENCE_MUTATION_WITHOUT_AUDIT_EVENT_AST', message: 'AST heuristic detected backend persistence mutation without audit log or domain event.' },
   { detect: TS.hasBackendHardDeleteWithoutSoftDelete, locateLines: TS.findBackendHardDeleteWithoutSoftDeleteLines, ruleId: 'heuristics.ts.backend.hard-delete-without-soft-delete.ast', code: 'HEURISTICS_BACKEND_HARD_DELETE_WITHOUT_SOFT_DELETE_AST', message: 'AST heuristic detected backend physical delete; use soft delete with deletedAt/deleted_at.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasDtoPropertyWithoutValidation, ruleId: 'heuristics.ts.backend.dto-property-without-validation.ast', code: 'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_VALIDATION_AST', message: 'AST heuristic detected DTO property without class-validator/class-transformer decorator.' },
+  { detect: TS.hasDtoPropertyWithoutApiProperty, locateLines: TS.findDtoPropertyWithoutApiPropertyLines, ruleId: 'heuristics.ts.backend.dto-property-without-api-property.ast', code: 'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_API_PROPERTY_AST', message: 'AST heuristic detected DTO property without Swagger ApiProperty decorator.' },
   { detect: TS.hasDtoNestedPropertyWithoutNestedValidation, ruleId: 'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast', code: 'HEURISTICS_BACKEND_DTO_NESTED_PROPERTY_WITHOUT_NESTED_VALIDATION_AST', message: 'AST heuristic detected nested DTO property without @ValidateNested/@Type decorators.' },
   { detect: TS.hasLargeClassDeclaration, ruleId: 'heuristics.ts.god-class-large-class.ast', code: 'HEURISTICS_GOD_CLASS_LARGE_CLASS_AST', message: 'AST heuristic detected God Class candidate by mixed responsibility nodes in a single class declaration.' },
   { detect: TS.hasRecordStringUnknownType, locateLines: TS.findRecordStringUnknownTypeLines, ruleId: 'common.types.record_unknown_requires_type', code: 'COMMON_TYPES_RECORD_UNKNOWN_REQUIRES_TYPE_AST', message: 'AST heuristic detected Record<string, unknown> without explicit value union.' },
@@ -723,6 +747,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   // iOS
   { platform: 'ios', pathCheck: isIOSPodfilePath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.dependencies.cocoapods.ast', code: 'HEURISTICS_IOS_DEPENDENCIES_COCOAPODS_AST', message: 'AST heuristic detected CocoaPods dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSCartfilePath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.dependencies.carthage.ast', code: 'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST', message: 'AST heuristic detected Carthage dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPackageManifestPath, excludePaths: [], detect: TextIOS.hasSwiftPackageBranchDependencyUsage, locateLines: TextIOS.collectSwiftPackageBranchDependencyLines, primaryNode: (lines) => ({ kind: 'call', name: 'SwiftPM .package(..., branch: ...)', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .package(..., exact:/from: version)', lines }], why: 'Branch-based SwiftPM dependencies drift over time and do not provide a reproducible iOS dependency graph.', impact: 'A consumer can build different code from the same commit when the remote branch moves, making production audits and regressions non-deterministic.', expected_fix: 'Pin the dependency to an exact version or an approved semantic version requirement in Package.swift; avoid branch-based dependencies outside explicitly approved experiments.', ruleId: 'heuristics.ios.dependencies.swiftpm-branch-dependency.ast', code: 'HEURISTICS_IOS_DEPENDENCIES_SWIFTPM_BRANCH_DEPENDENCY_AST', message: 'AST heuristic detected a branch-based SwiftPM dependency in iOS Package.swift; use specific versions for reproducible builds.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftForceUnwrap, locateLines: TextIOS.collectSwiftForceUnwrapLines, primaryNode: (lines) => ({ kind: 'member', name: 'force unwrap postfix !', lines }), relatedNodes: (lines) => [{ kind: 'member', name: 'replacement: guarded optional binding or explicit failure path', lines }], why: 'Force unwrap turns optional handling into a runtime crash path instead of a checked domain, UI or infrastructure decision.', impact: 'A nil value can terminate the app outside the error boundary, making production behavior non-deterministic and hard to recover or test.', expected_fix: 'Replace postfix ! with guard let, if let, nil coalescing, throwing validation, or an explicit fallback. In modern Swift tests prefer #require when the unwrap is part of an assertion contract.', ruleId: 'heuristics.ios.force-unwrap.ast', code: 'HEURISTICS_IOS_FORCE_UNWRAP_AST', message: 'AST heuristic detected force unwrap usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAnyViewUsage, locateLines: TextIOS.collectSwiftAnyViewLines, primaryNode: (lines) => ({ kind: 'call', name: 'type erasure wrapper AnyView', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: concrete View composition or @ViewBuilder branch', lines }], why: 'AnyView erases SwiftUI view identity and type information, hiding structural changes from the compiler and making diffing less predictable.', impact: 'SwiftUI may lose optimization opportunities, navigation/sheet branches become harder to reason about, and remediating UI regressions requires reading dynamic wrappers instead of concrete view composition.', expected_fix: 'Replace AnyView with concrete some View composition, @ViewBuilder branching, generic View parameters, or small extracted subviews that preserve static SwiftUI identity.', ruleId: 'heuristics.ios.anyview.ast', code: 'HEURISTICS_IOS_ANYVIEW_AST', message: 'AST heuristic detected AnyView usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAnyTypeErasureUsage, locateLines: TextIOS.collectSwiftAnyTypeErasureLines, primaryNode: (lines) => ({ kind: 'property', name: 'Swift Any/AnyObject/AnyHashable type erasure', lines }), relatedNodes: (lines) => [{ kind: 'member', name: 'replacement: generics, associated types, protocol boundary or concrete domain type', lines }], why: 'General Swift type erasure hides domain contracts that should be expressed with generics, associated types or explicit protocol boundaries.', impact: 'Callers lose compile-time guarantees, invalid states travel through the codebase and remediation becomes runtime/debug driven instead of type-system driven.', expected_fix: 'Replace Any, AnyObject or AnyHashable usage with a generic parameter, associated type, concrete value object or narrow protocol boundary.', ruleId: 'heuristics.ios.type-erasure.any.ast', code: 'HEURISTICS_IOS_TYPE_ERASURE_ANY_AST', message: 'AST heuristic detected Swift Any/AnyObject/AnyHashable type erasure in production code.' },
@@ -738,6 +763,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftTaskDetachedUsage, ruleId: 'heuristics.ios.task-detached.ast', code: 'HEURISTICS_IOS_TASK_DETACHED_AST', message: 'AST heuristic detected Task.detached usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAsyncWithoutAwaitUsage, ruleId: 'heuristics.ios.concurrency.async-without-await.ast', code: 'HEURISTICS_IOS_CONCURRENCY_ASYNC_WITHOUT_AWAIT_AST', message: 'AST heuristic detected a private async function without await; remove async unless a protocol/override boundary requires it.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftEmptyCatchUsage, ruleId: 'heuristics.ios.error.empty-catch.ast', code: 'HEURISTICS_IOS_ERROR_EMPTY_CATCH_AST', message: 'AST heuristic detected an empty Swift catch block; handle, log, or propagate the error.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNSErrorThrowUsage, locateLines: TextIOS.collectSwiftNSErrorThrowLines, primaryNode: (lines) => ({ kind: 'call', name: 'throw NSError(...)', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: typed Swift Error enum case', lines }], why: 'NSError throws bypass the typed Swift error boundary that should model network, domain or infrastructure failures explicitly.', impact: 'Callers receive an untyped Foundation error instead of a remediable enum case, making recovery, tests and user-facing handling less deterministic.', expected_fix: 'Define a domain-specific Error enum such as NetworkError or AppError and throw typed cases instead of constructing NSError directly.', ruleId: 'heuristics.ios.error.nserror-throw.ast', code: 'HEURISTICS_IOS_ERROR_NSERROR_THROW_AST', message: 'AST heuristic detected throw NSError(...) in iOS production code; use typed Swift Error enums such as NetworkError or AppError.' },
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnAppearTaskUsage, locateLines: TextIOS.collectSwiftOnAppearTaskLines, primaryNode: (lines) => ({ kind: 'call', name: 'Task launched inside SwiftUI onAppear', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .task { ... } on the view', lines }], why: 'A Task launched from onAppear is not owned by the SwiftUI view lifecycle in the same way as .task.', impact: 'Async work can outlive view disappearance or require manual cancellation, and the gate must point to the exact Task line instead of blocking the whole file.', expected_fix: 'Move the async work from .onAppear { Task { ... } } into .task { ... } so SwiftUI owns automatic cancellation. Keep onAppear only for synchronous side effects such as analytics.', ruleId: 'heuristics.ios.swiftui.onappear-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONAPPEAR_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onAppear; .task/.task(id:) provides lifecycle-aware cancellation.' },
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnChangeTaskUsage, locateLines: TextIOS.collectSwiftOnChangeTaskLines, primaryNode: (lines) => ({ kind: 'call', name: 'Task launched inside SwiftUI onChange', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .task(id:) for value-dependent async work', lines }], why: 'A Task launched from onChange makes value-dependent async work manual instead of tying cancellation to the changing value.', impact: 'Search, load or refresh work can race after state changes because cancellation is not expressed through SwiftUI .task(id:).', expected_fix: 'Move value-dependent async work from .onChange { Task { ... } } into .task(id: value) { ... }. Keep onChange only for synchronous derivations or analytics.', ruleId: 'heuristics.ios.swiftui.onchange-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onChange; .task(id:) provides lifecycle-aware cancellation for value-dependent async work.' },
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnChangeReadonlyVarUsage, locateLines: TextIOS.collectSwiftOnChangeReadonlyVarLines, primaryNode: (lines) => ({ kind: 'property', name: 'var declared inside SwiftUI onChange closure', lines }), relatedNodes: (lines) => [{ kind: 'property', name: 'replacement: let for read-only derived value inside onChange', lines }], why: 'A local var inside onChange hides whether the closure is deriving a read-only value or mutating state as part of a reactive update.', impact: 'Reactive closures become harder to audit because unnecessary mutability can mask accidental state changes and value-dependent side effects.', expected_fix: 'Use let for read-only derived values inside onChange. Keep var only when the local value is intentionally mutated and extract complex mutation out of the view closure.', ruleId: 'heuristics.ios.swiftui.onchange-readonly-var.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_READONLY_VAR_AST', message: 'AST heuristic detected local var inside SwiftUI onChange; prefer let for read-only derived values.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 103);
+  assert.equal(iosRules.length, 105);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -21,6 +21,7 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.task-detached.ast',
     'heuristics.ios.concurrency.async-without-await.ast',
     'heuristics.ios.error.empty-catch.ast',
+    'heuristics.ios.error.nserror-throw.ast',
     'heuristics.ios.swiftui.onappear-task.ast',
     'heuristics.ios.swiftui.onchange-task.ast',
     'heuristics.ios.swiftui.onchange-readonly-var.ast',
@@ -43,6 +44,7 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.json.jsonserialization.ast',
     'heuristics.ios.dependencies.cocoapods.ast',
     'heuristics.ios.dependencies.carthage.ast',
+    'heuristics.ios.dependencies.swiftpm-branch-dependency.ast',
     'heuristics.ios.security.userdefaults-sensitive-data.ast',
     'heuristics.ios.security.insecure-transport.ast',
     'heuristics.ios.localization.localizable-strings.ast',
@@ -249,6 +251,14 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.assume-isolated.ast')?.then.code,
     'HEURISTICS_IOS_ASSUME_ISOLATED_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.dependencies.swiftpm-branch-dependency.ast')?.then.code,
+    'HEURISTICS_IOS_DEPENDENCIES_SWIFTPM_BRANCH_DEPENDENCY_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.error.nserror-throw.ast')?.then.code,
+    'HEURISTICS_IOS_ERROR_NSERROR_THROW_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.legacy-swiftui-observable-wrapper.ast')?.then.code,
     'HEURISTICS_IOS_LEGACY_SWIFTUI_OBSERVABLE_WRAPPER_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -255,6 +255,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_ERROR_EMPTY_CATCH_AST',
     },
   },
+  {
+    id: 'heuristics.ios.error.nserror-throw.ast',
+    description: 'Detects direct NSError throws where typed Swift Error enums should be used.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.error.nserror-throw.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected throw NSError(...) in iOS production code.',
+      code: 'HEURISTICS_IOS_ERROR_NSERROR_THROW_AST',
+    },
+  },
   {
     id: 'heuristics.ios.swiftui.onappear-task.ast',
     description: 'Detects Task launches from SwiftUI onAppear where .task can provide lifecycle cancellation.',
@@ -667,6 +685,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST',
     },
   },
+  {
+    id: 'heuristics.ios.dependencies.swiftpm-branch-dependency.ast',
+    description: 'Detects branch-based SwiftPM dependencies in iOS Package.swift.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.dependencies.swiftpm-branch-dependency.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected a branch-based SwiftPM dependency.',
+      code: 'HEURISTICS_IOS_DEPENDENCIES_SWIFTPM_BRANCH_DEPENDENCY_AST',
+    },
+  },
   {
     id: 'heuristics.ios.security.userdefaults-sensitive-data.ast',
     description: 'Detects sensitive data stored in UserDefaults/AppStorage; Keychain is the preferred baseline for secrets.',