ship-safe 3.0.0 → 3.2.0

package/cli/commands/scan.js

@@ -21,11 +21,12 @@
 
 import fs from 'fs';
 import path from 'path';
-import { glob } from 'glob';
+import fg from 'fast-glob';
 import ora from 'ora';
 import chalk from 'chalk';
 import {
   SECRET_PATTERNS,
+  SECURITY_PATTERNS,
   SKIP_DIRS,
   SKIP_EXTENSIONS,
   TEST_FILE_PATTERNS,
@@ -94,7 +95,7 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
   // Load custom patterns from .ship-safe.json
   const customPatterns = loadCustomPatterns(absolutePath);
-  const allPatterns = [...SECRET_PATTERNS, ...customPatterns];
+  const allPatterns = [...SECRET_PATTERNS, ...SECURITY_PATTERNS, ...customPatterns];
 
   if (customPatterns.length > 0 && options.verbose) {
     output.info(`Loaded ${customPatterns.length} custom pattern(s) from .ship-safe.json`);
@@ -102,7 +103,7 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
   // Start spinner
   const spinner = ora({
-    text: 'Scanning for secrets...',
+    text: 'Scanning for secrets and vulnerabilities...',
     color: 'cyan'
   }).start();
 
@@ -204,10 +205,10 @@ async function findFiles(rootPath, ignorePatterns, options = {}) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
 
   // Find all files
-  const files = await glob('**/*', {
+  const files = await fg('**/*', {
     cwd: rootPath,
     absolute: true,
-    nodir: true,
+    onlyFiles: true,
     ignore: globIgnore,
     dot: true
   });
@@ -284,7 +285,8 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
             patternName: pattern.name,
             severity: pattern.severity,
             confidence,
-            description: pattern.description
+            description: pattern.description,
+            category: pattern.category || 'secret'
           });
         }
       }
@@ -293,7 +295,17 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
     // Skip files that can't be read (binary, permissions, etc.)
   }
 
-  return findings;
+  // Deduplicate: multiple patterns can match the same secret on the same line
+  // (e.g. Stripe and Clerk both match sk_live_...). Keep one finding per
+  // unique (line, matched-text) pair — first match wins (patterns are ordered
+  // by severity: critical → high → medium).
+  const seen = new Set();
+  return findings.filter(f => {
+    const key = `${f.line}:${f.matched}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
 }
 
 // =============================================================================
@@ -301,11 +313,24 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
 // =============================================================================
 
 function outputPretty(results, filesScanned, rootPath) {
+  // Separate findings into secrets and code vulnerabilities
+  const secretResults = [];
+  const vulnResults = [];
+
+  for (const { file, findings } of results) {
+    const secrets = findings.filter(f => f.category !== 'vulnerability');
+    const vulns = findings.filter(f => f.category === 'vulnerability');
+    if (secrets.length > 0) secretResults.push({ file, findings: secrets });
+    if (vulns.length > 0) vulnResults.push({ file, findings: vulns });
+  }
+
   const stats = {
     total: 0,
     critical: 0,
     high: 0,
     medium: 0,
+    secretsTotal: 0,
+    vulnsTotal: 0,
     filesScanned
   };
 
@@ -313,31 +338,45 @@ function outputPretty(results, filesScanned, rootPath) {
     for (const f of findings) {
       stats.total++;
       stats[f.severity] = (stats[f.severity] || 0) + 1;
+      if (f.category === 'vulnerability') stats.vulnsTotal++;
+      else stats.secretsTotal++;
     }
   }
 
   output.header('Scan Results');
 
   if (results.length === 0) {
-    output.success('No secrets detected in your codebase!');
+    output.success('No secrets or vulnerabilities detected in your codebase!');
     console.log();
     console.log(chalk.gray('Note: Uses pattern matching + entropy scoring. Test files excluded by default.'));
     console.log(chalk.gray('Tip:  Run with --include-tests to also scan test files.'));
     console.log(chalk.gray('Tip:  Add a .ship-safeignore file to exclude paths.'));
   } else {
-    for (const { file, findings } of results) {
-      const relPath = path.relative(rootPath, file);
-
-      for (const f of findings) {
-        output.finding(
-          relPath,
-          f.line,
-          f.patternName,
-          f.severity,
-          f.matched,
-          f.description,
-          f.confidence
-        );
+    // ── Secrets section ────────────────────────────────────────────────────
+    if (secretResults.length > 0) {
+      console.log();
+      console.log(chalk.red.bold(`  Secrets (${stats.secretsTotal})`));
+      console.log(chalk.red('  ' + '─'.repeat(58)));
+
+      for (const { file, findings } of secretResults) {
+        const relPath = path.relative(rootPath, file);
+        for (const f of findings) {
+          output.finding(relPath, f.line, f.patternName, f.severity, f.matched, f.description, f.confidence);
+        }
+      }
+    }
+
+    // ── Code Vulnerabilities section ───────────────────────────────────────
+    if (vulnResults.length > 0) {
+      console.log();
+      console.log(chalk.yellow.bold(`  Code Vulnerabilities (${stats.vulnsTotal})`));
+      console.log(chalk.yellow('  ' + '─'.repeat(58)));
+
+      for (const { file, findings } of vulnResults) {
+        const relPath = path.relative(rootPath, file);
+        for (const f of findings) {
+          output.vulnerabilityFinding(relPath, f.line, f.patternName, f.severity, f.matched, f.description);
+        }
       }
     }
 
@@ -346,7 +385,8 @@ function outputPretty(results, filesScanned, rootPath) {
     console.log(chalk.gray('Suppress a finding: add  # ship-safe-ignore  as a comment on that line'));
     console.log(chalk.gray('Exclude a path:     add it to .ship-safeignore'));
 
-    output.recommendations();
+    if (secretResults.length > 0) output.recommendations();
+    if (vulnResults.length > 0) output.vulnRecommendations();
   }
 
   output.summary(stats);
@@ -367,10 +407,11 @@ function outputJSON(results, filesScanned) {
         file,
         line: f.line,
         column: f.column,
+        category: f.category || 'secret',
         severity: f.severity,
         confidence: f.confidence,
         type: f.patternName,
-        matched: output.maskSecret(f.matched),
+        matched: f.category === 'vulnerability' ? f.matched : output.maskSecret(f.matched),
         description: f.description
       });
     }

package/cli/commands/score.js

@@ -0,0 +1,446 @@
+/**
+ * Score Command
+ * =============
+ *
+ * Compute a 0-100 security health score for your project.
+ * Combines secret detection, code vulnerability detection, and dependency auditing.
+ *
+ * USAGE:
+ *   npx ship-safe score [path]          Score the project in the current directory
+ *   npx ship-safe score . --no-deps     Skip dependency audit (faster)
+ *
+ * SCORING ALGORITHM (starts at 100):
+ *   Secrets:       critical −25, high −15, medium −5   (capped at −40)
+ *   Code Vulns:    critical −20, high −10, medium −3   (capped at −30)
+ *   Dependencies:  critical −20, high −10, moderate −5 (capped at −30)
+ *
+ * GRADES:
+ *   A  90–100  Ship it!
+ *   B  75–89   Minor issues to review
+ *   C  60–74   Fix before shipping
+ *   D  40–59   Significant security risks
+ *   F  0–39    Not safe to ship
+ *
+ * EXIT CODES:
+ *   0 - Score is A or B (90+/75+)
+ *   1 - Score is C or below (< 75)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import fg from 'fast-glob';
+import chalk from 'chalk';
+import ora from 'ora';
+import {
+  SECRET_PATTERNS,
+  SECURITY_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  TEST_FILE_PATTERNS,
+  MAX_FILE_SIZE
+} from '../utils/patterns.js';
+import { isHighEntropyMatch } from '../utils/entropy.js';
+import { runDepsAudit } from './deps.js';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// SCORING CONSTANTS
+// =============================================================================
+
+const SECRET_DEDUCTIONS = { critical: 25, high: 15, medium: 5 };
+const SECRET_CAP = 40;
+
+const VULN_DEDUCTIONS = { critical: 20, high: 10, medium: 3 };
+const VULN_CAP = 30;
+
+const DEP_DEDUCTIONS = { critical: 20, high: 10, moderate: 5, medium: 5 };
+const DEP_CAP = 30;
+
+const GRADES = [
+  { min: 90, letter: 'A', label: 'Ship it!' },
+  { min: 75, letter: 'B', label: 'Minor issues to review' },
+  { min: 60, letter: 'C', label: 'Fix before shipping' },
+  { min: 40, letter: 'D', label: 'Significant security risks' },
+  { min: 0,  letter: 'F', label: 'Not safe to ship' },
+];
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function scoreCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  console.log();
+  output.header('Security Health Score');
+  console.log();
+
+  const runDeps = options.deps !== false; // --no-deps sets options.deps = false
+
+  // ── 1. Scan for secrets and code vulns ──────────────────────────────────────
+  const spinner = ora({ text: 'Scanning for secrets and vulnerabilities...', color: 'cyan' }).start();
+
+  let findings = [];
+  let filesScanned = 0;
+
+  try {
+    const files = await findFiles(absolutePath);
+    filesScanned = files.length;
+    spinner.text = `Scanning ${files.length} files...`;
+
+    for (const file of files) {
+      const fileFindings = scanFile(file);
+      findings = findings.concat(fileFindings);
+    }
+    spinner.stop();
+  } catch (err) {
+    spinner.fail('Scan failed');
+    output.error(err.message);
+    process.exit(1);
+  }
+
+  const secretFindings = findings.filter(f => f.category !== 'vulnerability');
+  const vulnFindings   = findings.filter(f => f.category === 'vulnerability');
+
+  // ── 2. Dependency audit ──────────────────────────────────────────────────────
+  let depVulns = [];
+  let pm = null;
+
+  if (runDeps) {
+    const depSpinner = ora({ text: 'Auditing dependencies...', color: 'cyan' }).start();
+    try {
+      const result = await runDepsAudit(absolutePath);
+      pm = result.pm;
+      depVulns = result.vulns;
+      depSpinner.stop();
+    } catch {
+      depSpinner.stop();
+      // Dep audit failure doesn't block scoring — just skip
+    }
+  }
+
+  // ── 3. Compute score ─────────────────────────────────────────────────────────
+  const { score, secretDeduction, vulnDeduction, depDeduction, secretCounts, vulnCounts, depCounts } =
+    computeScore(secretFindings, vulnFindings, depVulns);
+
+  const grade = GRADES.find(g => score >= g.min);
+
+  // ── 4. Print results ─────────────────────────────────────────────────────────
+  printScore(score, grade, {
+    secretDeduction, vulnDeduction, depDeduction,
+    secretCounts, vulnCounts, depCounts,
+    filesScanned, pm, runDeps
+  });
+
+  // Exit 0 for A/B, exit 1 for C/D/F
+  process.exit(score >= 75 ? 0 : 1);
+}
+
+// =============================================================================
+// SCORE COMPUTATION
+// =============================================================================
+
+function computeScore(secretFindings, vulnFindings, depVulns) {
+  // ── Count by severity ────────────────────────────────────────────────────────
+  const secretCounts = countBySeverity(secretFindings);
+  const vulnCounts   = countBySeverity(vulnFindings);
+  const depCounts    = countBySeverity(depVulns);
+
+  // ── Compute deductions ───────────────────────────────────────────────────────
+  let secretDeduction = 0;
+  for (const [sev, pts] of Object.entries(SECRET_DEDUCTIONS)) {
+    secretDeduction += (secretCounts[sev] || 0) * pts;
+  }
+  secretDeduction = Math.min(secretDeduction, SECRET_CAP);
+
+  let vulnDeduction = 0;
+  for (const [sev, pts] of Object.entries(VULN_DEDUCTIONS)) {
+    vulnDeduction += (vulnCounts[sev] || 0) * pts;
+  }
+  vulnDeduction = Math.min(vulnDeduction, VULN_CAP);
+
+  let depDeduction = 0;
+  for (const [sev, pts] of Object.entries(DEP_DEDUCTIONS)) {
+    depDeduction += (depCounts[sev] || 0) * pts;
+  }
+  depDeduction = Math.min(depDeduction, DEP_CAP);
+
+  const score = Math.max(0, 100 - secretDeduction - vulnDeduction - depDeduction);
+
+  return { score, secretDeduction, vulnDeduction, depDeduction, secretCounts, vulnCounts, depCounts };
+}
+
+function countBySeverity(findings) {
+  const counts = {};
+  for (const f of findings) {
+    const sev = f.severity || 'unknown';
+    counts[sev] = (counts[sev] || 0) + 1;
+  }
+  return counts;
+}
+
+// =============================================================================
+// OUTPUT
+// =============================================================================
+
+const GRADE_COLOR = {
+  A: chalk.green.bold,
+  B: chalk.cyan.bold,
+  C: chalk.yellow.bold,
+  D: chalk.red,
+  F: chalk.red.bold,
+};
+
+function printScore(score, grade, ctx) {
+  const gradeColor = GRADE_COLOR[grade.letter] || chalk.white;
+  const scoreColor = score >= 75 ? chalk.green.bold : score >= 60 ? chalk.yellow.bold : chalk.red.bold;
+
+  // ── Score headline ───────────────────────────────────────────────────────────
+  console.log(
+    chalk.white.bold('  Ship Safe Score: ') +
+    scoreColor(`${score}/100`) +
+    chalk.gray('  ') +
+    gradeColor(`${grade.letter}`) +
+    chalk.gray(` — ${grade.label}`)
+  );
+  console.log(chalk.cyan('  ' + '─'.repeat(58)));
+  console.log();
+
+  // ── Row: Secrets ─────────────────────────────────────────────────────────────
+  const secretCount = Object.values(ctx.secretCounts).reduce((a, b) => a + b, 0);
+  const secretIcon = secretCount === 0 ? chalk.green('✔') : chalk.red('✘');
+  const secretStatus = secretCount === 0
+    ? chalk.green('0 found')
+    : chalk.red(`${secretCount} found`);
+  const secretDeductStr = ctx.secretDeduction === 0
+    ? chalk.gray('+0 deductions')
+    : chalk.red(`−${ctx.secretDeduction} points`) + chalk.gray(` (${formatCounts(ctx.secretCounts)})`);
+
+  console.log(
+    `  ${secretIcon}  ${chalk.white.bold('Secrets       ')}  ${secretStatus.padEnd(18)}  ${secretDeductStr}`
+  );
+
+  // ── Row: Code Vulns ───────────────────────────────────────────────────────────
+  const vulnCount = Object.values(ctx.vulnCounts).reduce((a, b) => a + b, 0);
+  const vulnIcon = vulnCount === 0 ? chalk.green('✔') : chalk.yellow('✘');
+  const vulnStatus = vulnCount === 0
+    ? chalk.green('0 found')
+    : chalk.yellow(`${vulnCount} found`);
+  const vulnDeductStr = ctx.vulnDeduction === 0
+    ? chalk.gray('+0 deductions')
+    : chalk.yellow(`−${ctx.vulnDeduction} points`) + chalk.gray(` (${formatCounts(ctx.vulnCounts)})`);
+
+  console.log(
+    `  ${vulnIcon}  ${chalk.white.bold('Code Vulns    ')}  ${vulnStatus.padEnd(18)}  ${vulnDeductStr}`
+  );
+
+  // ── Row: Dependencies ─────────────────────────────────────────────────────────
+  if (ctx.runDeps) {
+    const depCount = Object.values(ctx.depCounts).reduce((a, b) => a + b, 0);
+    const depIcon = depCount === 0 ? chalk.green('✔') : chalk.red('✘');
+    const depLabel = ctx.pm ? `Dependencies  ` : 'Dependencies  ';
+
+    let depStatus, depDeductStr;
+
+    if (!ctx.pm) {
+      depStatus  = chalk.gray('no manifest');
+      depDeductStr = chalk.gray('+0 deductions');
+    } else if (depCount === 0) {
+      depStatus  = chalk.green('0 CVEs');
+      depDeductStr = chalk.gray('+0 deductions');
+    } else {
+      depStatus  = chalk.red(`${depCount} CVEs`);
+      depDeductStr = chalk.red(`−${ctx.depDeduction} points`) + chalk.gray(` (${formatCounts(ctx.depCounts)})`);
+    }
+
+    console.log(
+      `  ${depIcon}  ${chalk.white.bold(depLabel)}  ${depStatus.padEnd(18)}  ${depDeductStr}`
+    );
+  } else {
+    console.log(
+      `  ${chalk.gray('–')}  ${chalk.gray('Dependencies    skipped (--no-deps)')}`
+    );
+  }
+
+  console.log();
+  console.log(chalk.cyan('  ' + '─'.repeat(58)));
+  console.log(chalk.gray(`  Files scanned: ${ctx.filesScanned}`));
+
+  // ── Next steps ────────────────────────────────────────────────────────────────
+  if (score < 100) {
+    console.log();
+    const actions = [];
+    if (Object.values(ctx.secretCounts).some(n => n > 0)) {
+      actions.push(chalk.white('  npx ship-safe agent .') + chalk.gray('     # AI audit: classify + auto-fix secrets'));
+    }
+    if (Object.values(ctx.vulnCounts).some(n => n > 0)) {
+      actions.push(chalk.white('  npx ship-safe agent .') + chalk.gray('     # AI audit: classify + fix suggestions'));
+    }
+    if (ctx.runDeps && Object.values(ctx.depCounts).some(n => n > 0) && ctx.pm) {
+      actions.push(chalk.white(`  npx ship-safe deps .`) + chalk.gray('      # See full dependency CVE details'));
+    }
+    if (actions.length > 0) {
+      console.log(chalk.gray('  Fix issues:'));
+      // Deduplicate (agent appears for both secrets and vulns)
+      const seen = new Set();
+      for (const a of actions) {
+        if (!seen.has(a)) { console.log(a); seen.add(a); }
+      }
+    }
+  } else {
+    console.log();
+    console.log(chalk.green('  All clear — safe to ship!'));
+  }
+
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log();
+}
+
+function formatCounts(counts) {
+  const SEV_ORDER = ['critical', 'high', 'moderate', 'medium', 'low'];
+  return SEV_ORDER
+    .filter(s => counts[s] > 0)
+    .map(s => `${counts[s]} ${s}`)
+    .join(', ');
+}
+
+// =============================================================================
+// INTERNAL SCAN (no subprocess — import patterns directly)
+// =============================================================================
+
+const ALL_PATTERNS = [...SECRET_PATTERNS, ...SECURITY_PATTERNS];
+
+/**
+ * Find all scannable files (same logic as scan.js, without test-exclusion
+ * and without .ship-safeignore loading — score is a quick overview).
+ */
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+
+  const files = await fg('**/*', {
+    cwd: rootPath,
+    absolute: true,
+    onlyFiles: true,
+    ignore: globIgnore,
+    dot: true
+  });
+
+  const filtered = [];
+
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) continue;
+
+    const basename = path.basename(file);
+    if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) continue;
+
+    // Load and respect .ship-safeignore
+    if (isIgnoredByFile(file, rootPath)) continue;
+
+    try {
+      const stats = fs.statSync(file);
+      if (stats.size > MAX_FILE_SIZE) continue;
+    } catch {
+      continue;
+    }
+
+    filtered.push(file);
+  }
+
+  return filtered;
+}
+
+// Cache ignore patterns per root to avoid re-reading the file thousands of times
+const _ignoreCache = new Map();
+
+function loadIgnorePatterns(rootPath) {
+  if (_ignoreCache.has(rootPath)) return _ignoreCache.get(rootPath);
+
+  const ignorePath = path.join(rootPath, '.ship-safeignore');
+  let patterns = [];
+
+  if (fs.existsSync(ignorePath)) {
+    try {
+      patterns = fs.readFileSync(ignorePath, 'utf-8')
+        .split('\n')
+        .map(l => l.trim())
+        .filter(l => l && !l.startsWith('#'));
+    } catch {
+      // ignore read error
+    }
+  }
+
+  _ignoreCache.set(rootPath, patterns);
+  return patterns;
+}
+
+function isIgnoredByFile(filePath, rootPath) {
+  const patterns = loadIgnorePatterns(rootPath);
+  if (patterns.length === 0) return false;
+
+  const relPath = path.relative(rootPath, filePath).replace(/\\/g, '/');
+
+  return patterns.some(pattern => {
+    if (pattern.endsWith('/')) {
+      return relPath.startsWith(pattern) || relPath.includes('/' + pattern);
+    }
+    const escaped = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*/g, '[^/]*')
+      .replace(/\?/g, '[^/]');
+    return new RegExp(`(^|/)${escaped}($|/)`).test(relPath);
+  });
+}
+
+/**
+ * Scan a single file and return normalized findings.
+ * Same algorithm as scan.js — inline here to avoid circular dependency
+ * (scan.js has process.exit() side effects).
+ */
+function scanFile(filePath) {
+  const findings = [];
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+
+      if (/ship-safe-ignore/i.test(line)) continue;
+
+      for (const pattern of ALL_PATTERNS) {
+        pattern.pattern.lastIndex = 0;
+
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) {
+            continue;
+          }
+
+          findings.push({
+            line: lineNum + 1,
+            severity: pattern.severity,
+            category: pattern.category || 'secret',
+          });
+        }
+      }
+    }
+  } catch {
+    // Skip unreadable files
+  }
+
+  // Deduplicate: same (line, severity, category)
+  const seen = new Set();
+  return findings.filter(f => {
+    const key = `${f.line}:${f.severity}:${f.category}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/cli/index.js

@@ -9,4 +9,7 @@
 export { scanCommand } from './commands/scan.js';
 export { checklistCommand } from './commands/checklist.js';
 export { initCommand } from './commands/init.js';
-export { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+export { agentCommand } from './commands/agent.js';
+export { depsCommand, runDepsAudit } from './commands/deps.js';
+export { scoreCommand } from './commands/score.js';
+export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';

package/cli/utils/entropy.js

@@ -100,6 +100,12 @@ export function isHighEntropyMatch(matched) {
     /^(insert|replace|changeme|placeholder|todo|fixme)/i,
     /([-_]here|[-_]goes|[-_]key|[-_]token|[-_]secret)$/i,
     /^[a-z]+[-_][a-z]+[-_][a-z]+$/, // looks like-a-passphrase not a key
+    /^(add[-_]?your|put[-_]?your|enter[-_]?your|set[-_]?your)/i,
+    /^(secret|password|token|apikey|api_key|key|value)[-_]?[0-9]*$/i,
+    /^(n\/a|null|undefined|none|empty|blank)/i,
+    /^(demo|staging|dev|development|local)[-_]/i,
+    /^(abcdef|qwerty|asdfgh|123456|letmein)/i,
+    /(.)\1{5,}/, // 6+ repeated chars: aaaaaaa, 111111
   ];
 
   if (PLACEHOLDER_PATTERNS.some(p => p.test(value))) return false;