npm - technical-debt-radar - Versions diffs - 1.15.0 → 1.16.0 - Mend

technical-debt-radar 1.15.0 → 1.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 **Stop Node.js production crashes before merge.**
-Detects event-loop blockers, dangerous ORM patterns, and architecture drift in your PRs. 47 detection patterns across 5 categories. Works with NestJS, Express, Fastify, Koa, Hapi + 7 ORMs.
+Detects event-loop blockers, dangerous ORM patterns, security issues, and architecture drift in your PRs. 65 deterministic detection rules across 6 categories. Works with NestJS, Express, Fastify, Koa, Hapi + 7 ORMs.
 ## Quick Start
@@ -14,7 +14,7 @@ First scan is free. No account needed.
 ## What It Finds
-- **Runtime risks** — sync I/O, crypto, ReDoS in request handlers (11 patterns)
+- **Runtime risks** — sync I/O, crypto, child_process, ReDoS in request handlers (12 patterns)
 - **Performance** — N+1 queries, unbounded fetches, missing pagination (9 patterns, volume-aware)
 - **Reliability** — unhandled promises, missing timeouts, empty catches (8 patterns)
 - **Architecture** — layer violations, circular dependencies (4 rules)

package/dist/index.js CHANGED Viewed

@@ -39,7 +39,7 @@ var require_constants = __commonJS({
   "../../packages/shared/dist/constants/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.DEBT_DELTA_WARN_THRESHOLD = exports2.DEBT_DELTA_BLOCK_THRESHOLD = exports2.DEFAULT_LARGE_FILE_THRESHOLD = exports2.DEFAULT_COMPLEXITY_THRESHOLD = exports2.MAX_CHANGED_FILES_PER_PR = exports2.FIRST_SCAN_TIMEOUT_MS = exports2.PR_ANALYSIS_TIMEOUT_MS = exports2.MAX_AI_OUTPUT_TOKENS = exports2.MAX_AI_TOKENS_PER_FUNCTION = exports2.MAX_SUSPECT_FUNCTIONS_PER_PR = exports2.MAX_CALLER_TRACE_DEPTH = exports2.MAX_CROSS_FILE_SUSPECTS = exports2.CROSS_FILE_RULES = exports2.ARCHITECTURE_RULES = exports2.MAINTAINABILITY_RULES = exports2.PERFORMANCE_RULES = exports2.RELIABILITY_RULES = exports2.RUNTIME_RISK_RULES = exports2.VOLUME_THRESHOLDS = exports2.DEFAULT_SCORING = exports2.DEFAULT_MODE = void 0;
+    exports2.DEBT_DELTA_WARN_THRESHOLD = exports2.DEBT_DELTA_BLOCK_THRESHOLD = exports2.DEFAULT_LARGE_FILE_THRESHOLD = exports2.DEFAULT_COMPLEXITY_THRESHOLD = exports2.MAX_CHANGED_FILES_PER_PR = exports2.FIRST_SCAN_TIMEOUT_MS = exports2.PR_ANALYSIS_TIMEOUT_MS = exports2.MAX_AI_OUTPUT_TOKENS = exports2.MAX_AI_TOKENS_PER_FUNCTION = exports2.MAX_SUSPECT_FUNCTIONS_PER_PR = exports2.MAX_CALLER_TRACE_DEPTH = exports2.MAX_CROSS_FILE_SUSPECTS = exports2.SECURITY_RULES = exports2.CROSS_FILE_RULES = exports2.ARCHITECTURE_RULES = exports2.MAINTAINABILITY_RULES = exports2.PERFORMANCE_RULES = exports2.RELIABILITY_RULES = exports2.RUNTIME_RISK_RULES = exports2.VOLUME_THRESHOLDS = exports2.DEFAULT_SCORING = exports2.DEFAULT_MODE = void 0;
     exports2.DEFAULT_MODE = "warn";
     exports2.DEFAULT_SCORING = {
       architecture_violation: 5,
@@ -78,7 +78,8 @@ var require_constants = __commonJS({
       CPU_HEAVY_LOOP_IN_HANDLER: "cpu-heavy-loop-in-handler",
       UNBOUNDED_ARRAY_OPERATION: "unbounded-array-operation",
       DYNAMIC_BUFFER_ALLOC: "dynamic-buffer-alloc",
-      UNBOUNDED_PARALLEL_CALLS: "unbounded-parallel-external-calls"
+      UNBOUNDED_PARALLEL_CALLS: "unbounded-parallel-external-calls",
+      SYNC_CHILD_PROCESS: "sync-child-process"
     };
     exports2.RELIABILITY_RULES = {
       UNHANDLED_PROMISE_REJECTION: "unhandled-promise-rejection",
@@ -105,7 +106,8 @@ var require_constants = __commonJS({
       UNFILTERED_COUNT: "unfiltered-count-large-table",
       RAW_SQL_NO_LIMIT: "raw-sql-no-limit",
       RAW_SQL_UNSAFE: "raw-sql-unsafe",
-      DANGEROUS_DELETE_ALL: "dangerous-delete-all"
+      DANGEROUS_DELETE_ALL: "dangerous-delete-all",
+      RAW_SQL_TEMPLATE_INJECTION: "raw-sql-template-injection"
     };
     exports2.MAINTAINABILITY_RULES = {
       HIGH_COMPLEXITY: "high-complexity",
@@ -133,7 +135,14 @@ var require_constants = __commonJS({
       INDIRECT_SYNC_COMPRESSION: "indirect-sync-compression",
       INDIRECT_BUSY_WAIT: "indirect-busy-wait",
       INDIRECT_UNBOUNDED_JSON_PARSE: "indirect-unbounded-json-parse",
-      INDIRECT_DYNAMIC_BUFFER: "indirect-dynamic-buffer-alloc"
+      INDIRECT_DYNAMIC_BUFFER: "indirect-dynamic-buffer-alloc",
+      INDIRECT_SYNC_CHILD_PROCESS: "indirect-sync-child-process"
+    };
+    exports2.SECURITY_RULES = {
+      HARDCODED_SECRET_LITERAL: "hardcoded-secret-literal",
+      EVAL_USAGE: "eval-usage",
+      MATH_RANDOM_FOR_SECURITY: "math-random-for-security",
+      TLS_VALIDATION_DISABLED: "tls-validation-disabled"
     };
     exports2.MAX_CROSS_FILE_SUSPECTS = 10;
     exports2.MAX_CALLER_TRACE_DEPTH = 2;
@@ -244,6 +253,7 @@ var require_plans = __commonJS({
           githubAction: true,
           prGate: false,
           prCommentsDeterministic: true,
+          /* Intentional: Free users get informational PR comments (no blocking). Conversion lever for Solo upgrade. */
           prCommentsAI: false,
           aiScanSummary: false,
           aiCrossFile: false,
@@ -3270,8 +3280,8 @@ var require_resolve = __commonJS({
       }
       return count;
     }
-    function getFullPath(resolver, id = "", normalize) {
-      if (normalize !== false)
+    function getFullPath(resolver, id = "", normalize2) {
+      if (normalize2 !== false)
         id = normalizeId(id);
       const p = resolver.parse(id);
       return _getFullPath(resolver, p);
@@ -4611,7 +4621,7 @@ var require_fast_uri = __commonJS({
     "use strict";
     var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require_utils();
     var { SCHEMES, getSchemeHandler } = require_schemes();
-    function normalize(uri, options) {
+    function normalize2(uri, options) {
       if (typeof uri === "string") {
         uri = /** @type {T} */
         serialize(parse(uri, options), options);
@@ -4847,7 +4857,7 @@ var require_fast_uri = __commonJS({
     }
     var fastUri = {
       SCHEMES,
-      normalize,
+      normalize: normalize2,
       resolve: resolve7,
       resolveComponent,
       equal,
@@ -9941,6 +9951,7 @@ var require_shared_rules = __commonJS({
         "sync-fs-in-handler",
         "sync-crypto",
         "sync-compression",
+        "sync-child-process",
         "redos-vulnerable-regex",
         "busy-wait-loop",
         "unhandled-promise"
@@ -14088,6 +14099,7 @@ var require_runtime_risk_detector = __commonJS({
         detectSyncFs(sourceFile, file.path, handlers, allFunctions, policy, violations, unflaggedPatterns);
         detectSyncCrypto(sourceFile, file.path, handlers, allFunctions, policy, violations, unflaggedPatterns);
         detectSyncCompression(sourceFile, file.path, handlers, allFunctions, policy, violations, unflaggedPatterns);
+        detectSyncChildProcess(sourceFile, file.path, handlers, allFunctions, policy, violations, unflaggedPatterns);
         detectRedosRegex(sourceFile, file.path, allFunctions, policy, violations);
         detectBusyWaitLoop(sourceFile, file.path, handlers, allFunctions, policy, violations, unflaggedPatterns);
         detectUnhandledPromise(sourceFile, file.path, allFunctions, policy, violations);
@@ -14436,6 +14448,30 @@ var require_runtime_risk_detector = __commonJS({
         }
       });
     }
+    var SYNC_CHILD_PROCESS_METHODS = /* @__PURE__ */ new Set([
+      "execSync",
+      "spawnSync",
+      "execFileSync"
+    ]);
+    function detectSyncChildProcess(sourceFile, filePath, handlers, allFunctions, policy, violations, unflaggedPatterns) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const expr = node.getExpression();
+        const methodName = ts_morph_1.Node.isPropertyAccessExpression(expr) ? expr.getName() : ts_morph_1.Node.isIdentifier(expr) ? expr.getText() : null;
+        if (methodName && SYNC_CHILD_PROCESS_METHODS.has(methodName)) {
+          const handler = isInsideHandler(node, handlers);
+          if (handler) {
+            violations.push(makeViolation(shared_1.RUNTIME_RISK_RULES.SYNC_CHILD_PROCESS, filePath, node.getStartLineNumber(), `Synchronous child process '${methodName}' inside handler '${handler.name}' blocks the event loop`, policy, handler.name, `Use the async equivalent \u2014 child_process.${methodName.replace("Sync", "")}() with a Promise, or spawn/execFile`));
+          } else {
+            const enclosingFn = getEnclosingFunction(node, allFunctions);
+            if (enclosingFn && enclosingFn.name !== "<anonymous>") {
+              unflaggedPatterns.push(makeUnflagged(shared_1.RUNTIME_RISK_RULES.SYNC_CHILD_PROCESS, filePath, node.getStartLineNumber(), enclosingFn.name, methodName, `Synchronous child process '${methodName}' in '${enclosingFn.name}' (not in handler scope)`, extractSnippet(node, sourceFile)));
+            }
+          }
+        }
+      });
+    }
     function detectRedosRegex(sourceFile, filePath, allFunctions, policy, violations) {
       sourceFile.forEachDescendant((node) => {
         if (!ts_morph_1.Node.isRegularExpressionLiteral(node))
@@ -16467,6 +16503,7 @@ var require_perf_pattern_detector = __commonJS({
       "$executeRawUnsafe"
     ]);
     var TYPEORM_RAW_SQL_METHODS = /* @__PURE__ */ new Set(["query"]);
+    var SQL_BOUNDING_CLAUSE_REGEX = /\bLIMIT\b|\bTOP\s*\(?\s*(?:\d+|@\w+|:\w+|\$\d+|\?)|\bFETCH\s+(?:NEXT|FIRST)\s+(?:\d+|@\w+|\?)\s+ROWS?\s+ONLY\b|\bROWNUM\s*<=?\s*\d/i;
     function detectRawSqlNoLimit(sourceFile, filePath, fns, policy, violations) {
       sourceFile.forEachDescendant((node) => {
         if (ts_morph_1.Node.isCallExpression(node)) {
@@ -16506,7 +16543,27 @@ var require_perf_pattern_detector = __commonJS({
           const firstArg = args[0];
           if (ts_morph_1.Node.isStringLiteral(firstArg)) {
             sqlText = firstArg.getLiteralValue();
-          } else if (ts_morph_1.Node.isTemplateExpression(firstArg) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(firstArg)) {
+          } else if (ts_morph_1.Node.isTemplateExpression(firstArg)) {
+            sqlText = firstArg.getText();
+            if (firstArg.getTemplateSpans().length > 0) {
+              const tplFn = getEnclosingFn(node, fns);
+              violations.push({
+                category: "performance",
+                type: shared_1.PERFORMANCE_RULES.RAW_SQL_TEMPLATE_INJECTION,
+                ruleId: shared_1.PERFORMANCE_RULES.RAW_SQL_TEMPLATE_INJECTION,
+                severity: "critical",
+                source: "deterministic",
+                confidence: "high",
+                file: filePath,
+                line: node.getStartLineNumber(),
+                function: tplFn?.name,
+                message: `${method}() with template literal interpolation \u2014 SQL injection risk. Interpolated values become executable SQL syntax.`,
+                suggestion: "Use parameterized queries: pass values as bound parameters (e.g. $1, @param, ?) instead of interpolating them into the SQL string.",
+                debtPoints: policy.scoring.performance_risk_critical,
+                gateAction: "block"
+              });
+            }
+          } else if (ts_morph_1.Node.isNoSubstitutionTemplateLiteral(firstArg)) {
             sqlText = firstArg.getText();
           } else if (ts_morph_1.Node.isBinaryExpression(firstArg)) {
             sqlText = firstArg.getText();
@@ -16584,8 +16641,8 @@ var require_perf_pattern_detector = __commonJS({
         }
         return;
       }
-      const hasLimit = /\bLIMIT\b/i.test(sqlText);
-      if (hasLimit && !isUnsafe)
+      const hasBoundingClause = SQL_BOUNDING_CLAUSE_REGEX.test(sqlText);
+      if (hasBoundingClause && !isUnsafe)
         return;
       if (/\b(COUNT|SUM|AVG|MIN|MAX)\s*\(/i.test(sqlText) && !isUnsafe)
         return;
@@ -16609,8 +16666,8 @@ var require_perf_pattern_detector = __commonJS({
           debtPoints: policy.scoring.performance_risk_critical,
           gateAction: "block"
         });
-        if (!hasLimit) {
-          pushIfNotNull(violations, makeViolation(shared_1.PERFORMANCE_RULES.RAW_SQL_NO_LIMIT, filePath, line, `Raw SQL SELECT without LIMIT${vol ? ` on '${entity}' (${vol.size} volume)` : ""} \u2014 may return unbounded results`, policy, vol, fn?.name, "Add LIMIT clause to the SQL query"));
+        if (!hasBoundingClause) {
+          pushIfNotNull(violations, makeViolation(shared_1.PERFORMANCE_RULES.RAW_SQL_NO_LIMIT, filePath, line, `Raw SQL SELECT without a row-limiting clause (LIMIT / TOP / FETCH)${vol ? ` on '${entity}' (${vol.size} volume)` : ""} \u2014 may return unbounded results`, policy, vol, fn?.name, "Add LIMIT clause to the SQL query"));
         }
       } else {
         pushIfNotNull(violations, makeViolation(shared_1.PERFORMANCE_RULES.RAW_SQL_NO_LIMIT, filePath, line, `Raw SQL SELECT without LIMIT${vol ? ` on '${entity}' (${vol.size} volume)` : ""} \u2014 may return unbounded results`, policy, vol, fn?.name, "Add LIMIT clause to the SQL query"));
@@ -18667,6 +18724,7 @@ var require_cross_file_analyzer = __commonJS({
       "sync-fs-in-handler": "indirect-sync-fs",
       "sync-crypto": "indirect-sync-crypto",
       "sync-compression": "indirect-sync-compression",
+      "sync-child-process": "indirect-sync-child-process",
       "busy-wait-loop": "indirect-busy-wait",
       "unbounded-json-parse": "indirect-unbounded-json-parse",
       "dynamic-buffer-alloc": "indirect-dynamic-buffer-alloc"
@@ -19883,6 +19941,437 @@ var require_coverage_delta_detector = __commonJS({
   }
 });
+// ../../packages/analyzers/dist/typescript/secret-scanner.js
+var require_secret_scanner = __commonJS({
+  "../../packages/analyzers/dist/typescript/secret-scanner.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectHardcodedSecrets = detectHardcodedSecrets;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var SECRET_PATTERNS = [
+      { id: "npm", name: "npm access token", regex: /\bnpm_[A-Za-z0-9]{36,}\b/ },
+      { id: "stripe-live", name: "Stripe live secret key", regex: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
+      { id: "stripe-test", name: "Stripe test secret key", regex: /\bsk_test_[A-Za-z0-9]{24,}\b/ },
+      { id: "github-pat", name: "GitHub personal access token", regex: /\bghp_[A-Za-z0-9]{36}\b/ },
+      { id: "github-app", name: "GitHub App token", regex: /\bghs_[A-Za-z0-9]{36}\b/ },
+      { id: "github-oauth", name: "GitHub OAuth token", regex: /\bgho_[A-Za-z0-9]{36}\b/ },
+      { id: "paddle-live", name: "Paddle live API key", regex: /\bpdl_live_apikey_[A-Za-z0-9_]{8,}/ },
+      { id: "paddle-sandbox", name: "Paddle sandbox API key", regex: /\bpdl_sdbx_apikey_[A-Za-z0-9_]{8,}/ },
+      { id: "aws-access-key", name: "AWS access key ID", regex: /\bAKIA[0-9A-Z]{16}\b/ },
+      { id: "google-api", name: "Google API key", regex: /\bAIza[A-Za-z0-9_-]{35}\b/ },
+      { id: "slack", name: "Slack token", regex: /\bxox[bpsa]-\d+-\d+-[A-Za-z0-9]+\b/ },
+      { id: "anthropic", name: "Anthropic API key", regex: /\bsk-ant-[A-Za-z0-9-]{32,}\b/ },
+      { id: "openai", name: "OpenAI API key", regex: /\bsk-(?:proj-)?[A-Za-z0-9_-]{32,}\b/ },
+      { id: "resend", name: "Resend API key", regex: /\bre_[A-Za-z0-9_]{20,}\b/ },
+      { id: "jwt", name: "JSON Web Token", regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/ },
+      { id: "private-key", name: "private key (PEM block)", regex: /-----BEGIN (?:(?:RSA|EC|OPENSSH|DSA|PGP) )?PRIVATE KEY-----/ }
+    ];
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.example\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|__fixtures__|test|tests|e2e|fixtures|examples|mocks|validation)(\/|$)/i;
+    var PLACEHOLDER_SUBSTRINGS = [
+      "placeholder",
+      "example",
+      "dummy",
+      "fake",
+      "mock",
+      "your-",
+      "xxx",
+      "redacted"
+    ];
+    var DOC_PROPERTY_KEYS = /* @__PURE__ */ new Set([
+      "example",
+      "placeholder",
+      "description",
+      "comment",
+      "docexample",
+      "sample"
+    ]);
+    async function detectHardcodedSecrets(input, policy) {
+      const violations = [];
+      const project = new ts_morph_1.Project({ useInMemoryFileSystem: true });
+      for (const file of input.changedFiles) {
+        if (file.status === "deleted")
+          continue;
+        if (!/\.(ts|tsx|js|jsx)$/.test(file.path))
+          continue;
+        if (EXCLUDED_PATH_REGEX.test(file.path))
+          continue;
+        const sourceFile = project.createSourceFile(file.path, file.content);
+        scanFile(sourceFile, file.path, policy, violations);
+        project.removeSourceFile(sourceFile);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        let value;
+        if (ts_morph_1.Node.isStringLiteral(node)) {
+          value = node.getLiteralValue();
+        } else if (ts_morph_1.Node.isNoSubstitutionTemplateLiteral(node)) {
+          value = node.getLiteralValue();
+        } else {
+          return;
+        }
+        if (!value || value.length < 12)
+          return;
+        const lower = value.toLowerCase();
+        if (PLACEHOLDER_SUBSTRINGS.some((s) => lower.includes(s)))
+          return;
+        if (isDocumentationValue(node))
+          return;
+        for (const pattern of SECRET_PATTERNS) {
+          if (pattern.regex.test(value)) {
+            violations.push({
+              category: "runtime_risk",
+              type: shared_1.SECURITY_RULES.HARDCODED_SECRET_LITERAL,
+              ruleId: shared_1.SECURITY_RULES.HARDCODED_SECRET_LITERAL,
+              severity: "critical",
+              source: "deterministic",
+              confidence: "high",
+              file: filePath,
+              line: node.getStartLineNumber(),
+              message: `Hardcoded ${pattern.name} found in source \u2014 credentials must never be committed to version control.`,
+              suggestion: "Move the value to an environment variable or a secret manager, and rotate the exposed credential immediately.",
+              debtPoints: policy.scoring.runtime_risk_critical,
+              gateAction: "block"
+            });
+            break;
+          }
+        }
+      });
+    }
+    function isDocumentationValue(node) {
+      const parent = node.getParent();
+      if (parent && ts_morph_1.Node.isPropertyAssignment(parent)) {
+        const name = parent.getName().toLowerCase().replace(/['"`]/g, "");
+        if (DOC_PROPERTY_KEYS.has(name))
+          return true;
+      }
+      return false;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/eval-detector.js
+var require_eval_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/eval-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectEvalUsage = detectEvalUsage;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    async function detectEvalUsage(input, policy) {
+      const violations = [];
+      const project = new ts_morph_1.Project({ useInMemoryFileSystem: true });
+      for (const file of input.changedFiles) {
+        if (file.status === "deleted")
+          continue;
+        if (!/\.(ts|tsx|js|jsx)$/.test(file.path))
+          continue;
+        const sourceFile = project.createSourceFile(file.path, file.content);
+        scanFile(sourceFile, file.path, policy, violations);
+        project.removeSourceFile(sourceFile);
+      }
+      return violations;
+    }
+    function makeViolation(file, line, message, suggestion, policy) {
+      return {
+        category: "runtime_risk",
+        type: shared_1.SECURITY_RULES.EVAL_USAGE,
+        ruleId: shared_1.SECURITY_RULES.EVAL_USAGE,
+        severity: "critical",
+        source: "deterministic",
+        confidence: "high",
+        file,
+        line,
+        message,
+        suggestion,
+        debtPoints: policy.scoring.runtime_risk_critical,
+        gateAction: "block"
+      };
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (ts_morph_1.Node.isCallExpression(node)) {
+          const expr = node.getExpression();
+          if (ts_morph_1.Node.isIdentifier(expr) && expr.getText() === "eval") {
+            violations.push(makeViolation(filePath, node.getStartLineNumber(), "eval() executes its string argument as code \u2014 an arbitrary code execution vector.", "Remove eval(): parse data with JSON.parse(), use a lookup object/map, or refactor to avoid dynamic code.", policy));
+            return;
+          }
+          const calleeName = ts_morph_1.Node.isIdentifier(expr) ? expr.getText() : ts_morph_1.Node.isPropertyAccessExpression(expr) ? expr.getName() : "";
+          if (calleeName === "setTimeout" || calleeName === "setInterval") {
+            const args = node.getArguments();
+            if (args.length > 0 && isStringArgument(args[0])) {
+              violations.push(makeViolation(filePath, node.getStartLineNumber(), `${calleeName}() called with a string argument \u2014 the string is evaluated as code.`, `Pass a function instead: ${calleeName}(() => { /* ... */ }, delay).`, policy));
+            }
+            return;
+          }
+        }
+        if (ts_morph_1.Node.isNewExpression(node)) {
+          const expr = node.getExpression();
+          if (ts_morph_1.Node.isIdentifier(expr) && expr.getText() === "Function") {
+            const args = node.getArguments();
+            if (args.length >= 1) {
+              violations.push(makeViolation(filePath, node.getStartLineNumber(), "new Function() compiles a function from a string \u2014 equivalent to eval(), an arbitrary code execution vector.", "Refactor to avoid building code at runtime \u2014 use a closure, a lookup table, or a real parser.", policy));
+            }
+            return;
+          }
+        }
+      });
+    }
+    function isStringArgument(node) {
+      return ts_morph_1.Node.isStringLiteral(node) || ts_morph_1.Node.isTemplateExpression(node) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(node);
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/math-random-detector.js
+var require_math_random_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/math-random-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectMathRandomForSecurity = detectMathRandomForSecurity;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var SECURITY_KEYWORDS = [
+      "token",
+      "secret",
+      "password",
+      "passwd",
+      "apikey",
+      "api_key",
+      "nonce",
+      "salt",
+      "csrf",
+      "otp",
+      "verifier",
+      "sessionid",
+      "session_id",
+      "session",
+      "credential",
+      "privatekey"
+    ];
+    var NON_SECURITY_KEYWORDS = [
+      "color",
+      "colour",
+      "position",
+      "rotation",
+      "delay",
+      "jitter",
+      "sample",
+      "index",
+      "angle",
+      "opacity",
+      "offset",
+      "hue",
+      "duration",
+      "mock",
+      "fake",
+      "dummy",
+      "demo"
+    ];
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.example\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    async function detectMathRandomForSecurity(input, policy) {
+      const violations = [];
+      const project = new ts_morph_1.Project({ useInMemoryFileSystem: true });
+      for (const file of input.changedFiles) {
+        if (file.status === "deleted")
+          continue;
+        if (!/\.(ts|tsx|js|jsx)$/.test(file.path))
+          continue;
+        if (EXCLUDED_PATH_REGEX.test(file.path))
+          continue;
+        const sourceFile = project.createSourceFile(file.path, file.content);
+        scanFile(sourceFile, file.path, policy, violations);
+        project.removeSourceFile(sourceFile);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const expr = node.getExpression();
+        if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
+          return;
+        if (expr.getName() !== "random")
+          return;
+        const obj = expr.getExpression();
+        if (!ts_morph_1.Node.isIdentifier(obj) || obj.getText() !== "Math")
+          return;
+        const contextName = findContextName(node);
+        if (!contextName || !isSecurityContext(contextName))
+          return;
+        violations.push({
+          category: "runtime_risk",
+          type: shared_1.SECURITY_RULES.MATH_RANDOM_FOR_SECURITY,
+          ruleId: shared_1.SECURITY_RULES.MATH_RANDOM_FOR_SECURITY,
+          severity: "warning",
+          source: "deterministic",
+          confidence: "medium",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          message: `Math.random() used for security-sensitive value '${contextName}' \u2014 its output is predictable, not cryptographically secure.`,
+          suggestion: "Use crypto.randomBytes() / crypto.randomUUID() (Node) or crypto.getRandomValues() (Web) for tokens, secrets, and IDs.",
+          debtPoints: policy.scoring.runtime_risk_warning,
+          gateAction: "warn"
+        });
+      });
+    }
+    function findContextName(randomCall) {
+      let current = randomCall;
+      for (let depth = 0; depth < 15; depth++) {
+        const parent = current.getParent();
+        if (!parent)
+          return void 0;
+        if (ts_morph_1.Node.isVariableDeclaration(parent)) {
+          return parent.getName();
+        }
+        if (ts_morph_1.Node.isPropertyAssignment(parent) || ts_morph_1.Node.isShorthandPropertyAssignment(parent)) {
+          return parent.getName().replace(/['"`]/g, "");
+        }
+        if (ts_morph_1.Node.isPropertyDeclaration(parent)) {
+          return parent.getName();
+        }
+        if (ts_morph_1.Node.isBinaryExpression(parent)) {
+          const op = parent.getOperatorToken().getText();
+          if (op === "=" || op === "+=") {
+            return lastSegment(parent.getLeft().getText());
+          }
+          current = parent;
+          continue;
+        }
+        if (ts_morph_1.Node.isReturnStatement(parent)) {
+          const fn = parent.getFirstAncestor((a) => ts_morph_1.Node.isFunctionDeclaration(a) || ts_morph_1.Node.isMethodDeclaration(a));
+          if (fn && (ts_morph_1.Node.isFunctionDeclaration(fn) || ts_morph_1.Node.isMethodDeclaration(fn))) {
+            return fn.getName() ?? void 0;
+          }
+          return void 0;
+        }
+        if (ts_morph_1.Node.isCallExpression(parent)) {
+          if (parent.getArguments().some((a) => a === current))
+            return void 0;
+          current = parent;
+          continue;
+        }
+        if (ts_morph_1.Node.isParenthesizedExpression(parent) || ts_morph_1.Node.isPropertyAccessExpression(parent) || ts_morph_1.Node.isAwaitExpression(parent) || ts_morph_1.Node.isAsExpression(parent) || ts_morph_1.Node.isTemplateSpan(parent) || ts_morph_1.Node.isTemplateExpression(parent) || ts_morph_1.Node.isNonNullExpression(parent)) {
+          current = parent;
+          continue;
+        }
+        return void 0;
+      }
+      return void 0;
+    }
+    function lastSegment(text) {
+      const parts = text.split(".");
+      return parts[parts.length - 1] ?? text;
+    }
+    function isSecurityContext(name) {
+      const n = name.toLowerCase();
+      if (NON_SECURITY_KEYWORDS.some((k) => n.includes(k)))
+        return false;
+      return SECURITY_KEYWORDS.some((k) => n.includes(k));
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/tls-detector.js
+var require_tls_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/tls-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectTlsValidationDisabled = detectTlsValidationDisabled;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.example\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var ALLOW_COMMENT_REGEX = /\b(dev-only|local-only|allow-insecure)\b/i;
+    async function detectTlsValidationDisabled(input, policy) {
+      const violations = [];
+      const project = new ts_morph_1.Project({ useInMemoryFileSystem: true });
+      for (const file of input.changedFiles) {
+        if (file.status === "deleted")
+          continue;
+        if (!/\.(ts|tsx|js|jsx)$/.test(file.path))
+          continue;
+        if (EXCLUDED_PATH_REGEX.test(file.path))
+          continue;
+        const sourceFile = project.createSourceFile(file.path, file.content);
+        scanFile(sourceFile, file.path, policy, violations);
+        project.removeSourceFile(sourceFile);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isPropertyAssignment(node))
+          return;
+        const name = node.getName().replace(/['"`]/g, "");
+        const init = node.getInitializer();
+        if (!init)
+          return;
+        let problem;
+        if ((name === "rejectUnauthorized" || name === "strictSSL") && init.getText().trim() === "false") {
+          problem = `${name}: false disables TLS certificate verification`;
+        } else if (name === "checkServerIdentity" && isNoOpFunction(init)) {
+          problem = "checkServerIdentity is overridden with a no-op \u2014 TLS hostname verification is disabled";
+        }
+        if (!problem)
+          return;
+        if (hasAllowComment(node, sourceFile))
+          return;
+        violations.push({
+          category: "runtime_risk",
+          type: shared_1.SECURITY_RULES.TLS_VALIDATION_DISABLED,
+          ruleId: shared_1.SECURITY_RULES.TLS_VALIDATION_DISABLED,
+          severity: "warning",
+          source: "deterministic",
+          confidence: "high",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          function: getEnclosingFunctionName(node),
+          message: `${problem} \u2014 the connection becomes vulnerable to man-in-the-middle attacks.`,
+          suggestion: "Keep TLS verification enabled. For a self-signed certificate, register its CA via the `ca` option instead of disabling verification.",
+          debtPoints: policy.scoring.runtime_risk_warning,
+          gateAction: "warn"
+        });
+      });
+    }
+    function isNoOpFunction(node) {
+      if (!ts_morph_1.Node.isArrowFunction(node) && !ts_morph_1.Node.isFunctionExpression(node))
+        return false;
+      const body = node.getBody();
+      if (!body)
+        return false;
+      if (!ts_morph_1.Node.isBlock(body)) {
+        const text = body.getText().trim();
+        return text === "undefined" || text === "null" || text === "void 0";
+      }
+      const statements = body.getStatements();
+      if (statements.length === 0)
+        return true;
+      if (statements.length === 1 && ts_morph_1.Node.isReturnStatement(statements[0])) {
+        const returned = statements[0].getExpression()?.getText().trim() ?? "";
+        return returned === "" || returned === "undefined" || returned === "null" || returned === "void 0";
+      }
+      return false;
+    }
+    function hasAllowComment(node, sourceFile) {
+      const leading = node.getLeadingCommentRanges().map((r) => r.getText()).join(" ");
+      if (ALLOW_COMMENT_REGEX.test(leading))
+        return true;
+      const lineText = sourceFile.getFullText().split("\n")[node.getStartLineNumber() - 1] ?? "";
+      return ALLOW_COMMENT_REGEX.test(lineText);
+    }
+    function getEnclosingFunctionName(node) {
+      const fn = node.getFirstAncestor((a) => ts_morph_1.Node.isFunctionDeclaration(a) || ts_morph_1.Node.isMethodDeclaration(a));
+      if (fn && (ts_morph_1.Node.isFunctionDeclaration(fn) || ts_morph_1.Node.isMethodDeclaration(fn))) {
+        return fn.getName() ?? void 0;
+      }
+      return void 0;
+    }
+  }
+});
 // ../../packages/analyzers/dist/typescript/orchestrator.js
 var require_orchestrator = __commonJS({
   "../../packages/analyzers/dist/typescript/orchestrator.js"(exports2) {
@@ -19940,6 +20429,10 @@ var require_orchestrator = __commonJS({
     var missing_tests_detector_1 = require_missing_tests_detector();
     var dead_code_detector_1 = require_dead_code_detector();
     var coverage_delta_detector_1 = require_coverage_delta_detector();
+    var secret_scanner_1 = require_secret_scanner();
+    var eval_detector_1 = require_eval_detector();
+    var math_random_detector_1 = require_math_random_detector();
+    var tls_detector_1 = require_tls_detector();
     var EXCLUDED_FILE_PATTERNS = [
       /\.spec\.(ts|tsx|js|jsx)$/,
       /\.test\.(ts|tsx|js|jsx)$/,
@@ -19968,7 +20461,7 @@ var require_orchestrator = __commonJS({
         changedFiles: input.changedFiles.filter((f) => !isExcludedFile(f.path))
       };
       const projectRoot = input.projectRoot ?? deriveProjectRoot(input);
-      const [importGraph, complexityDeltas, runtimeResult, perfViolations, reliabilityViolations, duplicationResult, missingTestsResult, deadCodeResult, coverageDeltaResult] = await Promise.all([
+      const [importGraph, complexityDeltas, runtimeResult, perfViolations, reliabilityViolations, duplicationResult, missingTestsResult, deadCodeResult, coverageDeltaResult, secretViolations, evalViolations, mathRandomViolations, tlsViolations] = await Promise.all([
         (0, import_graph_1.buildImportGraph)(filteredInput, policy),
         (0, complexity_calculator_1.calculateComplexity)(filteredInput),
         (0, runtime_risk_detector_1.detectRuntimeRisks)(filteredInput, policy),
@@ -19977,7 +20470,11 @@ var require_orchestrator = __commonJS({
         (0, duplication_detector_1.detectDuplication)(filteredInput),
         projectRoot ? (0, missing_tests_detector_1.detectMissingTests)(filteredInput, projectRoot, buildMissingTestsConfig(policy)) : Promise.resolve(null),
         (0, dead_code_detector_1.detectDeadCode)(filteredInput, { excludeBarrels: false, excludeTypes: false }, projectRoot),
-        projectRoot ? Promise.resolve((0, coverage_delta_detector_1.detectCoverageDelta)(projectRoot)) : Promise.resolve(null)
+        projectRoot ? Promise.resolve((0, coverage_delta_detector_1.detectCoverageDelta)(projectRoot)) : Promise.resolve(null),
+        (0, secret_scanner_1.detectHardcodedSecrets)(filteredInput, policy),
+        (0, eval_detector_1.detectEvalUsage)(filteredInput, policy),
+        (0, math_random_detector_1.detectMathRandomForSecurity)(filteredInput, policy),
+        (0, tls_detector_1.detectTlsValidationDisabled)(filteredInput, policy)
       ]);
       const runtimeViolations = runtimeResult.violations;
       const unflaggedPatterns = runtimeResult.unflaggedPatterns;
@@ -19992,6 +20489,10 @@ var require_orchestrator = __commonJS({
       const complexityViolations = complexityDeltasToViolations(complexityDeltas, filteredInput);
       const largeFileViolations = detectLargeFiles(filteredInput);
       const rawViolations = [
+        ...secretViolations,
+        ...evalViolations,
+        ...mathRandomViolations,
+        ...tlsViolations,
         ...boundaryViolations,
         ...circularViolations,
         ...runtimeViolations,
@@ -20336,7 +20837,7 @@ var require_dist3 = __commonJS({
   "../../packages/analyzers/dist/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.runFullAnalysis = exports2.detectCoverageDelta = exports2.detectDeadCode = exports2.analyzeCrossFileWithAI = exports2.buildReverseImportGraph = exports2.analyzeCrossFile = exports2.detectMissingTests = exports2.detectDuplication = exports2.detectReliabilityIssues = exports2.detectPerformanceRisks = exports2.detectRuntimeRisks = exports2.calculateComplexity = exports2.detectCircularDeps = exports2.checkBoundaries = exports2.buildImportGraph = void 0;
+    exports2.runFullAnalysis = exports2.detectTlsValidationDisabled = exports2.detectMathRandomForSecurity = exports2.detectEvalUsage = exports2.detectHardcodedSecrets = exports2.detectCoverageDelta = exports2.detectDeadCode = exports2.analyzeCrossFileWithAI = exports2.buildReverseImportGraph = exports2.analyzeCrossFile = exports2.detectMissingTests = exports2.detectDuplication = exports2.detectReliabilityIssues = exports2.detectPerformanceRisks = exports2.detectRuntimeRisks = exports2.calculateComplexity = exports2.detectCircularDeps = exports2.checkBoundaries = exports2.buildImportGraph = void 0;
     var import_graph_1 = require_import_graph();
     Object.defineProperty(exports2, "buildImportGraph", { enumerable: true, get: function() {
       return import_graph_1.buildImportGraph;
@@ -20392,6 +20893,22 @@ var require_dist3 = __commonJS({
     Object.defineProperty(exports2, "detectCoverageDelta", { enumerable: true, get: function() {
       return coverage_delta_detector_1.detectCoverageDelta;
     } });
+    var secret_scanner_1 = require_secret_scanner();
+    Object.defineProperty(exports2, "detectHardcodedSecrets", { enumerable: true, get: function() {
+      return secret_scanner_1.detectHardcodedSecrets;
+    } });
+    var eval_detector_1 = require_eval_detector();
+    Object.defineProperty(exports2, "detectEvalUsage", { enumerable: true, get: function() {
+      return eval_detector_1.detectEvalUsage;
+    } });
+    var math_random_detector_1 = require_math_random_detector();
+    Object.defineProperty(exports2, "detectMathRandomForSecurity", { enumerable: true, get: function() {
+      return math_random_detector_1.detectMathRandomForSecurity;
+    } });
+    var tls_detector_1 = require_tls_detector();
+    Object.defineProperty(exports2, "detectTlsValidationDisabled", { enumerable: true, get: function() {
+      return tls_detector_1.detectTlsValidationDisabled;
+    } });
     var orchestrator_1 = require_orchestrator();
     Object.defineProperty(exports2, "runFullAnalysis", { enumerable: true, get: function() {
       return orchestrator_1.runFullAnalysis;
@@ -20399,6 +20916,81 @@ var require_dist3 = __commonJS({
   }
 });
+// package.json
+var require_package = __commonJS({
+  "package.json"(exports2, module2) {
+    module2.exports = {
+      name: "technical-debt-radar",
+      version: "1.16.0",
+      description: "Stop Node.js production crashes before merge. 65 detection rules across 5 categories.",
+      bin: {
+        radar: "dist/index.js",
+        "technical-debt-radar": "dist/index.js"
+      },
+      files: [
+        "dist/",
+        "README.md",
+        "LICENSE"
+      ],
+      keywords: [
+        "technical-debt",
+        "code-quality",
+        "architecture",
+        "nestjs",
+        "express",
+        "fastify",
+        "typescript",
+        "linter",
+        "pr-gate",
+        "node",
+        "orm",
+        "static-analysis",
+        "code-review"
+      ],
+      author: "Khalid Elattar",
+      license: "MIT",
+      repository: {
+        type: "git",
+        url: "git+https://github.com/khalid-Elattar/technical_dept_radar.git"
+      },
+      homepage: "https://technicaldebtradar.com",
+      engines: {
+        node: ">=18"
+      },
+      scripts: {
+        build: "tsc",
+        "build:publish": "tsup",
+        dev: "ts-node src/index.ts",
+        test: "jest --passWithNoTests",
+        prepublishOnly: "npm run build:publish"
+      },
+      dependencies: {
+        "@anthropic-ai/sdk": "^0.78.0",
+        chalk: "^4.1.2",
+        commander: "^14.0.3",
+        inquirer: "^13.3.0",
+        "js-yaml": "^4.1.1",
+        ora: "^5.4.1",
+        "ts-morph": "^27.0.2",
+        typescript: "^5.9.3"
+      },
+      devDependencies: {
+        "@radar/analyzers": "*",
+        "@radar/policy-engine": "*",
+        "@radar/shared": "*",
+        "@types/inquirer": "^9.0.9",
+        "@types/jest": "^29.5.0",
+        "@types/js-yaml": "^4.0.9",
+        "@types/node": "^22.0.0",
+        jest: "^29.7.0",
+        "ts-jest": "^29.1.0",
+        "ts-node": "^10.9.2",
+        tsup: "^8.5.1"
+      }
+    };
+  }
+});
 // src/index.ts
 var import_commander = require("commander");
@@ -20839,6 +21431,45 @@ function printAnonymousScanCTA() {
   console.log(import_chalk.default.cyan("\u2502") + ` Solo ($15): PR blocking + AI fixes               ` + import_chalk.default.cyan("\u2502"));
   console.log(import_chalk.default.cyan("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
 }
+function getGitRemoteOwnerRepo() {
+  try {
+    const { execSync: execSync3 } = require("child_process");
+    const url = execSync3("git remote get-url origin", { encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] }).trim();
+    const match = url.match(/[/:]([\w.-]+)\/([\w.-]+?)(?:\.git)?$/);
+    if (match) return { owner: match[1], repo: match[2] };
+  } catch {
+  }
+  return null;
+}
+function printPostScanHints(isAnonymous, hasViolations) {
+  if (!process.stdout.isTTY) return;
+  const remote = getGitRemoteOwnerRepo();
+  const badgeCmd = remote ? `radar badge --owner ${remote.owner} --repo ${remote.repo}` : "radar badge --owner <owner> --repo <repo>";
+  console.log("");
+  console.log(import_chalk.default.dim("  \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501"));
+  if (isAnonymous) {
+    console.log(import_chalk.default.bold("  What's next?"));
+    console.log("");
+    console.log(`  ${import_chalk.default.dim("\u2192")} Create a free account for 5 scans/month:`);
+    console.log(`    ${import_chalk.default.cyan("radar login")}`);
+    console.log(`  ${import_chalk.default.dim("\u2192")} Enforce on every PR with GitHub Actions:`);
+    console.log(`    ${import_chalk.default.dim("https://technicaldebtradar.com/docs/integrations/github-action")}`);
+  } else if (hasViolations) {
+    console.log(import_chalk.default.bold("  Fix these violations:"));
+    console.log("");
+    console.log(`  ${import_chalk.default.dim("\u2192")} AI-powered fix: ${import_chalk.default.cyan("radar fix")}`);
+    console.log(`  ${import_chalk.default.dim("\u2192")} Copy for Claude/Cursor: ${import_chalk.default.cyan("radar scan --format ai-prompt")}`);
+    console.log(`  ${import_chalk.default.dim("\u2192")} Add a quality badge: ${import_chalk.default.cyan(badgeCmd)}`);
+  } else {
+    console.log(import_chalk.default.bold("  All clear!"));
+    console.log("");
+    console.log(`  ${import_chalk.default.dim("\u2192")} Add a quality badge to your README:`);
+    console.log(`    ${import_chalk.default.cyan(badgeCmd)}`);
+    console.log(`  ${import_chalk.default.dim("\u2192")} Enforce on every PR: ${import_chalk.default.dim("https://technicaldebtradar.com/docs/integrations/github-action")}`);
+  }
+  console.log(import_chalk.default.dim("  \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501"));
+  console.log("");
+}
 async function enforceAuth(allowAnonymous = false) {
   const client = RadarApiClient.fromConfigOrEnv();
   if (!client) {
@@ -20982,6 +21613,7 @@ async function scanCommand(targetPath, options) {
   if (isAnonymous) {
     markAnonymousScanUsed();
     printAnonymousScanCTA();
+    printPostScanHints(true, result.violations.length > 0);
   }
   if (client) {
     const blocking = result.violations.filter((v) => v.gateAction === "block");
@@ -21047,6 +21679,9 @@ async function scanCommand(targetPath, options) {
       console.log(import_chalk.default.yellow(`  \u26A0\uFE0F  Could not sync results to dashboard${detail}`));
     }
   }
+  if (!isAnonymous) {
+    printPostScanHints(false, result.violations.length > 0);
+  }
   if (mode === "warn") {
     if (gateEval.gateWouldFail) {
       console.log(import_chalk.default.yellow("\n  \u26A0\uFE0F  Warning mode \u2014 gate would have BLOCKED this PR in enforce mode"));
@@ -22025,10 +22660,23 @@ async function quickScanFile(targetPath, filePath, options) {
   }
 }
 function resolveViolationPath(vFile, projectRoot) {
-  if (path5.isAbsolute(vFile)) return vFile;
-  const withSlash = "/" + vFile;
-  if (withSlash.startsWith(projectRoot)) return withSlash;
-  return path5.resolve(projectRoot, vFile);
+  let resolved;
+  if (path5.isAbsolute(vFile)) {
+    resolved = vFile;
+  } else {
+    const withSlash = "/" + vFile;
+    if (withSlash.startsWith(projectRoot)) {
+      resolved = withSlash;
+    } else {
+      resolved = path5.resolve(projectRoot, vFile);
+    }
+  }
+  const normalized = path5.normalize(resolved);
+  const normalizedRoot = path5.normalize(projectRoot) + path5.sep;
+  if (!normalized.startsWith(normalizedRoot) && normalized !== path5.normalize(projectRoot)) {
+    throw new Error(`Path traversal blocked: ${vFile} resolves outside project root`);
+  }
+  return normalized;
 }
 function detectTestCommand(projectRoot) {
   try {
@@ -22496,6 +23144,7 @@ ${relativePath} (${fileViolations.length} violations)
   ${newCount} violations remaining. Run radar fix again or fix manually.`));
     } else {
       console.log(import_chalk4.default.green("\n  All violations fixed! Code is clean."));
+      console.log(import_chalk4.default.dim(`  \u2192 Add a quality badge: ${import_chalk4.default.cyan("radar badge --owner <owner> --repo <repo>")}`));
     }
   }
 }
@@ -22732,9 +23381,10 @@ async function loginCommand(options) {
   console.log(`If the browser doesn't open, visit: ${import_chalk6.default.underline(authUrl)}
 `);
   try {
-    const { exec } = await import("child_process");
+    const { execFile } = await import("child_process");
     const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
-    exec(`${cmd} ${authUrl}`);
+    execFile(cmd, [authUrl], () => {
+    });
   } catch {
   }
   const readline = await import("readline");
@@ -22847,16 +23497,17 @@ async function upgradeCommand() {
   console.log(`If the browser doesn't open, visit: ${import_chalk9.default.underline(url)}
 `);
   try {
-    const { exec } = await import("child_process");
+    const { execFile } = await import("child_process");
     const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
-    exec(`${cmd} ${url}`);
+    execFile(cmd, [url], () => {
+    });
   } catch {
   }
 }
 // src/index.ts
 var program = new import_commander.Command();
-program.name("radar").description("Technical Debt Radar \u2014 Architecture & Runtime Safety CLI").version("1.0.1");
+program.name("radar").description("Technical Debt Radar \u2014 Architecture & Runtime Safety CLI").version(require_package().version);
 program.command("scan <path>").description("Scan a directory for technical debt").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").option("-f, --format <type>", "Output format: text, json, table, markdown, ai-prompt, ai-json, pr", "text").option("--fail-on <severity>", "Exit code 1 on: critical, warning", "critical").option("--no-ai", "Skip AI analysis (faster, no API cost)").action(async (targetPath, options) => {
   await scanCommand(targetPath, options);
 });
@@ -22878,7 +23529,7 @@ program.command("validate").description("Validate radar.yml + rules.yml syntax a
 program.command("run <path>").description("CI-friendly scan \u2014 exits 1 on critical violations").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").action(async (targetPath, options) => {
   await runCommand(targetPath, options);
 });
-program.command("badge").description("Generate badge markdown for your README").requiredOption("--owner <owner>", "Repository owner (org or user)").requiredOption("--repo <repo>", "Repository name").option("--api-url <url>", "Radar API base URL", "https://radar-api.example.com").action((options) => {
+program.command("badge").description("Generate badge markdown for your README").requiredOption("--owner <owner>", "Repository owner (org or user)").requiredOption("--repo <repo>", "Repository name").option("--api-url <url>", "Radar API base URL", loadConfig()?.apiUrl || getDefaultApiUrl()).action((options) => {
   badgeCommand(options);
 });
 var packCmd = program.command("pack").description("Manage rule packs \u2014 pre-configured rules for specific stacks");

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "technical-debt-radar",
-  "version": "1.15.0",
-  "description": "Stop Node.js production crashes before merge. 47 detection patterns across 5 categories.",
+  "version": "1.16.0",
+  "description": "Stop Node.js production crashes before merge. 65 detection rules across 5 categories.",
   "bin": {
     "radar": "dist/index.js",
     "technical-debt-radar": "dist/index.js"