npm - ship18ion - Versions diffs - 1.0.0 - Mend

ship18ion 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/README.md +105 -0
package/SHIPPING.md +57 -0
package/dist/cli/index.js +35 -0
package/dist/engine/ast.js +108 -0
package/dist/engine/config.js +22 -0
package/dist/engine/runner.js +24 -0
package/dist/engine/scanner.js +14 -0
package/dist/engine/secrets.js +28 -0
package/dist/engine/types.js +2 -0
package/dist/reporters/console.js +61 -0
package/dist/rules/build.js +66 -0
package/dist/rules/env.js +98 -0
package/dist/rules/frameworks/nextjs.js +31 -0
package/dist/rules/git.js +34 -0
package/dist/rules/secrets.js +53 -0
package/dist/rules/security.js +52 -0
package/package.json +37 -0
package/src/cli/index.ts +34 -0
package/src/engine/ast.ts +84 -0
package/src/engine/config.ts +28 -0
package/src/engine/runner.ts +27 -0
package/src/engine/scanner.ts +13 -0
package/src/engine/secrets.ts +26 -0
package/src/engine/types.ts +15 -0
package/src/reporters/console.ts +62 -0
package/src/rules/build.ts +74 -0
package/src/rules/env.ts +99 -0
package/src/rules/frameworks/nextjs.ts +33 -0
package/src/rules/git.ts +36 -0
package/src/rules/secrets.ts +53 -0
package/src/rules/security.ts +55 -0
package/tests/fixtures/leaky-app/.env +3 -0
package/tests/fixtures/leaky-app/package.json +7 -0
package/tests/fixtures/leaky-app/src/index.js +21 -0
package/tsconfig.json +15 -0
package/walkthrough.md +51 -0

package/README.md ADDED Viewed

@@ -0,0 +1,105 @@
+# 🚀 ship18ion
+> **"Production Readiness Inspector" for your apps.**
+`ship18ion` (read as "ship-tion") is a CLI tool designed to prevent production disasters before they happen. It scans your codebase for environment configuration issues, leaked secrets, dangerous security misconfigurations, and build artifacts that shouldn't be there.
+Think of it as `eslint` but for **deployability**.
+![npm version](https://img.shields.io/npm/v/ship18ion)
+![license](https://img.shields.io/npm/l/ship18ion)
+## ✨ Features
+- **🌱 Environment Hygiene**:
+  - Finds unused variables in your `.env` files.
+  - Detects usage of `process.env.VAR` that are missing definitions.
+  - Supports `.env`, `.env.production` and `import.meta.env` (Vite).
+- **🔐 Secret Detection**:
+  - Catches hardcoded secrets (AWS keys, Stripe keys, generic private keys).
+  - Uses entropy heuristics to find potential secrets hidden in plain sight.
+  - **Next.js Safety**: Warns if `NEXT_PUBLIC_` variables contain high-entropy strings (potential accidental leaks).
+- **⚠️ Security & Config**:
+  - Alerts on `debug: true` or `NODE_ENV` mismatches.
+  - Detects dangerous CORS configurations (`origin: '*'`).
+  - Finds hardcoded database connection strings.
+- **📦 Build Safety**:
+  - Prevents source maps (`.map`) from leaking into production builds.
+  - Ensures `.env` files are not bundled into build output directories.
+  - Checks for dev dependencies (like `eslint`) accidentally listed in `dependencies`.
+- **👷 CI/CD Ready**:
+  - Zero config by default.
+  - Returns exit code `1` on failure to block bad builds.
+## 📦 Installation
+You can use it directly with `npx`:
+```bash
+npx ship18ion check
+```
+Or install it as a dev dependency:
+```bash
+npm install --save-dev ship18ion
+```
+## 🚀 Usage
+Run the check in your project root:
+```bash
+npx ship18ion
+```
+### CI Mode
+For Continuous Integration pipelines (GitHub Actions, GitLab CI, etc.), use the `--ci` flag for minimal output and standard exit codes:
+```bash
+npx ship18ion check --ci
+```
+## ⚙️ Configuration
+`ship18ion` works out of the box, but you can customize it by creating a `ship18ion.config.json` file in your root directory:
+```json
+{
+  "env": {
+    "required": ["DATABASE_URL", "JWT_SECRET"],
+    "disallowed": ["DEBUG_TOKEN"]
+  },
+  "security": {
+    "noCorsWildcard": true,
+    "requireRateLimit": false
+  },
+  "ignore": [
+    "**/legacy-code/**",
+    "**/test-fixtures/**"
+  ]
+}
+```
+## 🛡️ Rules Breakdown
+| Category | Rule | Description |
+|----------|------|-------------|
+| **Env** | `env-unused` | A variable is defined in `.env` but never referenced in code. |
+| **Env** | `env-missing` | A variable is used in code (`process.env.X`) but not defined. |
+| **Secrets** | `secret-pattern` | Matches regex for known keys (AWS, Stripe, OpenAI). |
+| **Next.js** | `nextjs-public-secret` | High-entropy string found in `NEXT_PUBLIC_` variable. |
+| **Security** | `security-cors` | Detects wildcard `Access-Control-Allow-Origin`. |
+| **Git** | `git-dirty` | Warns if deploying with uncommitted changes. |
+## 🤝 Contributing
+Contributions are welcome! Please feel free to submit a Pull Request.
+## 📄 License
+ISC

package/SHIPPING.md ADDED Viewed

@@ -0,0 +1,57 @@
+# Shipping ship18ion
+## 1. Local Testing (Link)
+To test `ship18ion` on your other local projects without publishing, use `npm link`.
+1. **In this directory (ship18ion):**
+   ```bash
+   npm run build
+   npm link
+   ```
+   This creates a global symlink to your local version.
+2. **In your target project directory:**
+   ```bash
+   npm link ship18ion
+   ```
+   Now you can run:
+   ```bash
+   npx ship18ion check
+   ```
+3. **To unlink:**
+   ```bash
+   # In target project
+   npm unlink -g ship18ion
+   # In ship18ion directory
+   npm unlink -g
+   ```
+## 2. Publishing to NPM
+To share this tool with the world.
+1. **Login to NPM:**
+   ```bash
+   npm login
+   ```
+2. **Prepare:**
+   - Ensure `package.json` has the correct version.
+   - Run tests: `npm test` (or verifying script).
+3. **Publish:**
+   ```bash
+   npm publish
+   ```
+   If you have a scoped package (e.g. `@yourname/ship18ion`), use:
+   ```bash
+   npm publish --access public
+   ```
+## 3. Usage for Users
+Once published, anyone can use it without installation:
+```bash
+npx ship18ion@latest
+```

package/dist/cli/index.js ADDED Viewed

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const config_1 = require("../engine/config");
+const runner_1 = require("../engine/runner");
+const console_1 = require("../reporters/console");
+const program = new commander_1.Command();
+program
+    .name('ship18ion')
+    .description('Production Readiness Inspector')
+    .version('0.1.0');
+program
+    .command('check', { isDefault: true })
+    .description('Run production readiness checks')
+    .option('--ci', 'Run in CI mode (minimal output, exit codes)')
+    .action(async (options) => {
+    // console.log(chalk.blue('Starting ship18ion checks...'));
+    const cwd = process.cwd();
+    const config = await (0, config_1.loadConfig)(cwd);
+    try {
+        const results = await (0, runner_1.runChecks)(config, cwd);
+        // Uses console reporter for both normal and CI for now (it handles exit codes)
+        (0, console_1.reportConsole)(results, cwd);
+    }
+    catch (e) {
+        console.error(chalk_1.default.red('Error running checks:'), e);
+        process.exit(1);
+    }
+});
+program.parse(process.argv);

package/dist/engine/ast.js ADDED Viewed

@@ -0,0 +1,108 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findEnvUsages = findEnvUsages;
+const fs_1 = __importDefault(require("fs"));
+const parser = __importStar(require("@babel/parser"));
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const t = __importStar(require("@babel/types"));
+function findEnvUsages(filePath) {
+    if (!fs_1.default.existsSync(filePath))
+        return [];
+    const code = fs_1.default.readFileSync(filePath, 'utf-8');
+    const usages = [];
+    // Only parse JS/TS files
+    if (!/\.(js|ts|jsx|tsx)$/.test(filePath)) {
+        return [];
+    }
+    try {
+        const ast = parser.parse(code, {
+            sourceType: 'module',
+            plugins: ['typescript', 'jsx'],
+        });
+        (0, traverse_1.default)(ast, {
+            MemberExpression(path) {
+                // 1. Check for process.env.VAR
+                if (t.isMemberExpression(path.node.object) &&
+                    t.isIdentifier(path.node.object.object) &&
+                    path.node.object.object.name === 'process' &&
+                    t.isIdentifier(path.node.object.property) &&
+                    path.node.object.property.name === 'env') {
+                    if (t.isIdentifier(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.name,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    }
+                    else if (t.isStringLiteral(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.value,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    }
+                }
+                // 2. Check for import.meta.env.VAR (Vite)
+                // AST structure: MemberExpression
+                //   object: MemberExpression
+                //     object: MetaProperty (import.meta)
+                //     property: Identifier (env)
+                //   property: Identifier (VAR)
+                if (t.isMemberExpression(path.node.object) &&
+                    t.isMetaProperty(path.node.object.object) &&
+                    path.node.object.object.meta.name === 'import' &&
+                    path.node.object.object.property.name === 'meta' &&
+                    t.isIdentifier(path.node.object.property) &&
+                    path.node.object.property.name === 'env') {
+                    if (t.isIdentifier(path.node.property)) {
+                        usages.push({
+                            name: path.node.property.name,
+                            line: path.node.loc?.start.line || 0,
+                            file: filePath
+                        });
+                    }
+                }
+            }
+        });
+    }
+    catch (e) {
+        // console.warn(`Failed to parse ${filePath}:`, e);
+    }
+    return usages;
+}

package/dist/engine/config.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+async function loadConfig(cwd = process.cwd()) {
+    const configPath = path_1.default.join(cwd, 'ship18ion.config.json');
+    if (fs_1.default.existsSync(configPath)) {
+        const content = fs_1.default.readFileSync(configPath, 'utf-8');
+        try {
+            return JSON.parse(content);
+        }
+        catch (e) {
+            console.error('Failed to parse config file:', e);
+            return {};
+        }
+    }
+    return {};
+}

package/dist/engine/runner.js ADDED Viewed

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runChecks = runChecks;
+const scanner_1 = require("./scanner");
+const env_1 = require("../rules/env");
+const secrets_1 = require("../rules/secrets");
+const security_1 = require("../rules/security");
+const build_1 = require("../rules/build");
+const nextjs_1 = require("../rules/frameworks/nextjs");
+const git_1 = require("../rules/git");
+async function runChecks(config, cwd) {
+    const files = await (0, scanner_1.scanFiles)(cwd, config.ignore);
+    const ctx = { config, files, cwd };
+    const results = [];
+    // Run all checks
+    results.push(...await (0, env_1.checkEnvVars)(ctx));
+    results.push(...await (0, secrets_1.checkSecrets)(ctx));
+    results.push(...await (0, security_1.checkSecurity)(ctx));
+    results.push(...await (0, build_1.checkDependencies)(ctx));
+    results.push(...await (0, build_1.checkBuild)(ctx));
+    results.push(...await (0, nextjs_1.checkNextJs)(ctx));
+    results.push(...await (0, git_1.checkGit)(ctx));
+    return results;
+}

package/dist/engine/scanner.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanFiles = scanFiles;
+const glob_1 = require("glob");
+async function scanFiles(cwd, ignore = []) {
+    const defaultIgnore = ['**/node_modules/**', '**/dist/**', '**/.git/**'];
+    // Scan for relevant files: JS/TS code, Configs (JSON/YAML), Env files
+    return (0, glob_1.glob)('**/*.{js,ts,jsx,tsx,json,yaml,yml,env,env.*}', {
+        cwd,
+        ignore: [...defaultIgnore, ...ignore],
+        absolute: true,
+        dot: true, // Include .env files
+    });
+}

package/dist/engine/secrets.js ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_PATTERNS = void 0;
+exports.calculateEntropy = calculateEntropy;
+exports.isHighEntropy = isHighEntropy;
+exports.SECRET_PATTERNS = [
+    { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/ },
+    { name: 'Google API Key', regex: /AIza[0-9A-Za-z\\-_]{35}/ },
+    { name: 'Stripe Secret Key', regex: /sk_live_[0-9a-zA-Z]{24}/ },
+    { name: 'GitHub Personal Access Token', regex: /ghp_[0-9a-zA-Z]{36}/ },
+    { name: 'Generic Private Key', regex: /-----BEGIN .* PRIVATE KEY-----/ },
+    { name: 'Slack Bot Token', regex: /xoxb-[0-9]{11}-[0-9]{12}-[0-9a-zA-Z]{24}/ },
+    { name: 'OpenAI API Key', regex: /sk-[a-zA-Z0-9]{48}/ }
+];
+function calculateEntropy(str) {
+    const len = str.length;
+    const frequencies = Array.from(str).reduce((freq, char) => {
+        freq[char] = (freq[char] || 0) + 1;
+        return freq;
+    }, {});
+    return Object.values(frequencies).reduce((sum, f) => {
+        const p = f / len;
+        return sum - (p * Math.log2(p));
+    }, 0);
+}
+function isHighEntropy(str, threshold = 4.5) {
+    return calculateEntropy(str) > threshold;
+}

package/dist/engine/types.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/reporters/console.js ADDED Viewed

@@ -0,0 +1,61 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reportConsole = reportConsole;
+const chalk_1 = __importDefault(require("chalk"));
+const path_1 = __importDefault(require("path"));
+const CATEGORIES = {
+    'env': { icon: '🌱', label: 'Environment' },
+    'secret': { icon: '🔐', label: 'Secrets' },
+    'security': { icon: '⚠️', label: 'Security' },
+    'dep': { icon: '📦', label: 'Dependency & Build' },
+    'build': { icon: '📦', label: 'Dependency & Build' },
+};
+function getCategory(ruleId) {
+    const prefix = ruleId.split('-')[0];
+    return CATEGORIES[prefix] || { icon: '❓', label: 'Other' };
+}
+function reportConsole(results, cwd) {
+    if (results.length === 0) {
+        console.log(chalk_1.default.green('\n✅  Production Readiness Check Passed!\n'));
+        return;
+    }
+    const fails = results.filter(r => r.status === 'fail');
+    const warns = results.filter(r => r.status === 'warn');
+    if (fails.length > 0) {
+        console.log(chalk_1.default.red('\n❌  Production Readiness Check Failed\n'));
+    }
+    else {
+        console.log(chalk_1.default.yellow('\n⚠️  Production Readiness Check Passed with Warnings\n'));
+    }
+    // Group by category
+    const grouped = {};
+    results.forEach(r => {
+        const cat = getCategory(r.ruleId);
+        const key = `${cat.icon} ${cat.label}`;
+        if (!grouped[key])
+            grouped[key] = [];
+        grouped[key].push(r);
+    });
+    for (const [category, items] of Object.entries(grouped)) {
+        console.log(chalk_1.default.bold(category));
+        for (const item of items) {
+            const sym = item.status === 'fail' ? chalk_1.default.red('✖') : chalk_1.default.yellow('!');
+            const location = item.file ? `${path_1.default.relative(cwd, item.file)}${item.line ? `:${item.line}` : ''}` : '';
+            console.log(`  ${sym} ${item.message} ${chalk_1.default.gray(location)}`);
+        }
+        console.log('');
+    }
+    const summary = [];
+    if (fails.length > 0)
+        summary.push(chalk_1.default.red(`${fails.length} errors`));
+    if (warns.length > 0)
+        summary.push(chalk_1.default.yellow(`${warns.length} warnings`));
+    console.log(`Summary: ${summary.join(', ')}`);
+    console.log('');
+    if (fails.length > 0) {
+        process.exit(1);
+    }
+}

package/dist/rules/build.js ADDED Viewed

@@ -0,0 +1,66 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkDependencies = checkDependencies;
+exports.checkBuild = checkBuild;
+const fs_1 = __importDefault(require("fs"));
+async function checkDependencies(ctx) {
+    const results = [];
+    const packageJsons = ctx.files.filter(f => f.endsWith('package.json') && !f.includes('node_modules'));
+    const devToolsInProd = ['eslint', 'jest', 'mocha', 'nodemon', 'ts-node', 'typescript', 'webpack', 'babel-loader'];
+    for (const pkgFile of packageJsons) {
+        try {
+            const content = JSON.parse(fs_1.default.readFileSync(pkgFile, 'utf-8'));
+            const deps = content.dependencies || {};
+            for (const tool of devToolsInProd) {
+                if (deps[tool]) {
+                    results.push({
+                        status: 'warn',
+                        message: `Dev dependency found in 'dependencies': ${tool}. Should be in 'devDependencies'?`,
+                        ruleId: 'dep-dev-in-prod',
+                        file: pkgFile
+                    });
+                }
+            }
+        }
+        catch (e) {
+            // ignore
+        }
+    }
+    return results;
+}
+async function checkBuild(ctx) {
+    const results = [];
+    // Check for source maps in potential build dirs (dist, build, out, .next)
+    // Scanner ignores dist by default, but if we want to check build artifacts we might need to scan explicitly OR assumes user runs this in root.
+    // If the scanner ignores 'dist', we won't see them.
+    // So this check is effective only if scanner INCLUDES build dirs or we explicitly look for them.
+    // Let's explicitly check common build folders in CWD if they exist, ignoring scanner's ignore list for this specific check?
+    // Or just warn if we find .map files in the file list (meaning they were NOT ignored/cleaned).
+    const mapFiles = ctx.files.filter(f => f.endsWith('.map'));
+    for (const file of mapFiles) {
+        // Only if it looks like a build artifact
+        if (file.includes('/dist/') || file.includes('/build/') || file.includes('/.next/')) {
+            results.push({
+                status: 'warn',
+                message: 'Source map found in build output (information leak)',
+                ruleId: 'build-source-map',
+                file
+            });
+        }
+    }
+    // Check for .env in build folders
+    const envInBuild = ctx.files.filter(f => (f.endsWith('.env') || f.includes('.env.')) &&
+        (f.includes('/dist/') || f.includes('/build/') || f.includes('/.next/')));
+    for (const file of envInBuild) {
+        results.push({
+            status: 'fail',
+            message: 'Environment file found in build output!',
+            ruleId: 'build-env-leak',
+            file
+        });
+    }
+    return results;
+}

package/dist/rules/env.js ADDED Viewed

@@ -0,0 +1,98 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkEnvVars = checkEnvVars;
+const fs_1 = __importDefault(require("fs"));
+const dotenv_1 = __importDefault(require("dotenv"));
+const ast_1 = require("../engine/ast");
+async function checkEnvVars(ctx) {
+    const results = [];
+    const declaredEnvs = new Set();
+    const usedEnvs = new Map();
+    // 1. Find and parse .env files (definition detection)
+    const envFiles = ctx.files.filter(f => f.match(/\.env(\..+)?$/));
+    for (const file of envFiles) {
+        const content = fs_1.default.readFileSync(file, 'utf-8');
+        try {
+            const parsed = dotenv_1.default.parse(content);
+            Object.keys(parsed).forEach(k => declaredEnvs.add(k));
+        }
+        catch (e) {
+            results.push({
+                status: 'warn',
+                message: `Failed to parse env file: ${file}`,
+                ruleId: 'env-parse-error',
+                file: file
+            });
+        }
+    }
+    // 2. Scan for usages
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/));
+    for (const file of codeFiles) {
+        const usages = (0, ast_1.findEnvUsages)(file);
+        for (const u of usages) {
+            if (!usedEnvs.has(u.name)) {
+                usedEnvs.set(u.name, []);
+            }
+            usedEnvs.get(u.name)?.push({ file, line: u.line });
+        }
+    }
+    // 3. Rule: Unused env vars
+    // Fail if Env vars exist but never used
+    for (const env of declaredEnvs) {
+        if (!usedEnvs.has(env)) {
+            // Ignore some common framework vars if needed, but strict mode says unused is bad.
+            results.push({
+                status: 'warn', // Warn for now, maybe fail? User said "Fail if Env vars exist but never used"
+                message: `Unused environment variable: ${env}`,
+                ruleId: 'env-unused',
+                file: envFiles[0] // Just point to first env file for now
+            });
+        }
+    }
+    // 4. Rule: Missing required env vars
+    // "App references process.env.X But it’s not defined anywhere"
+    // Also check strict list from config
+    const required = ctx.config.env?.required || [];
+    // Check missing from strict config
+    for (const req of required) {
+        if (!declaredEnvs.has(req)) {
+            results.push({
+                status: 'fail',
+                message: `Missing required environment variable (configured): ${req}`,
+                ruleId: 'env-missing-config',
+            });
+        }
+    }
+    // Check usage without definition
+    const commonSystemVars = ['NODE_ENV', 'PORT', 'CI'];
+    for (const [env, locs] of usedEnvs) {
+        if (!declaredEnvs.has(env) && !commonSystemVars.includes(env)) {
+            // Check if it is in disallowed list?
+            if (ctx.config.env?.disallowed?.includes(env)) {
+                results.push({
+                    status: 'fail',
+                    message: `Disallowed environment variable used: ${env}`,
+                    ruleId: 'env-disallowed',
+                    file: locs[0].file,
+                    line: locs[0].line
+                });
+            }
+            else {
+                // It's used but not in .env.
+                // We should probably warn unless we are in strict mode.
+                // User said: "Fail if Required env var is missing" -> checking usage implies requirement.
+                results.push({
+                    status: 'warn',
+                    message: `Environment variable used but not defined in .env: ${env}`,
+                    ruleId: 'env-missing-definition',
+                    file: locs[0].file,
+                    line: locs[0].line
+                });
+            }
+        }
+    }
+    return results;
+}

package/dist/rules/frameworks/nextjs.js ADDED Viewed

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkNextJs = checkNextJs;
+const ast_1 = require("../../engine/ast");
+async function checkNextJs(ctx) {
+    const results = [];
+    // 1. Check for NEXT_PUBLIC_ secrets
+    const codeFiles = ctx.files.filter(f => f.match(/\.(js|ts|jsx|tsx)$/));
+    for (const file of codeFiles) {
+        const usages = (0, ast_1.findEnvUsages)(file);
+        for (const usage of usages) {
+            if (usage.name.startsWith('NEXT_PUBLIC_')) {
+                // Heuristic: Does it look like a secret?
+                // e.g. NEXT_PUBLIC_SECRET_KEY, NEXT_PUBLIC_API_SECRET
+                if (usage.name.match(/SECRET|PASSWORD|TOKEN|KEY|AUTH/i)) {
+                    // Exception: PUBLIC_KEY is often safe
+                    if (!usage.name.match(/PUBLIC_KEY/i)) {
+                        results.push({
+                            status: 'warn',
+                            message: `Potential secret exposed via NEXT_PUBLIC_ variable: ${usage.name}`,
+                            ruleId: 'nextjs-public-secret',
+                            file: file,
+                            line: usage.line
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return results;
+}