npm - technical-debt-radar - Versions diffs - 1.16.0 → 1.17.0 - Mend

technical-debt-radar 1.16.0 → 1.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 **Stop Node.js production crashes before merge.**
-Detects event-loop blockers, dangerous ORM patterns, security issues, and architecture drift in your PRs. 65 deterministic detection rules across 6 categories. Works with NestJS, Express, Fastify, Koa, Hapi + 7 ORMs.
+Detects event-loop blockers, dangerous ORM patterns, security issues, and architecture drift in your PRs. 74 deterministic detection rules across 6 categories. Works with NestJS, Express, Fastify, Koa, Hapi + 7 ORMs.
 ## Quick Start

package/dist/index.js CHANGED Viewed

@@ -39,7 +39,7 @@ var require_constants = __commonJS({
   "../../packages/shared/dist/constants/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.DEBT_DELTA_WARN_THRESHOLD = exports2.DEBT_DELTA_BLOCK_THRESHOLD = exports2.DEFAULT_LARGE_FILE_THRESHOLD = exports2.DEFAULT_COMPLEXITY_THRESHOLD = exports2.MAX_CHANGED_FILES_PER_PR = exports2.FIRST_SCAN_TIMEOUT_MS = exports2.PR_ANALYSIS_TIMEOUT_MS = exports2.MAX_AI_OUTPUT_TOKENS = exports2.MAX_AI_TOKENS_PER_FUNCTION = exports2.MAX_SUSPECT_FUNCTIONS_PER_PR = exports2.MAX_CALLER_TRACE_DEPTH = exports2.MAX_CROSS_FILE_SUSPECTS = exports2.SECURITY_RULES = exports2.CROSS_FILE_RULES = exports2.ARCHITECTURE_RULES = exports2.MAINTAINABILITY_RULES = exports2.PERFORMANCE_RULES = exports2.RELIABILITY_RULES = exports2.RUNTIME_RISK_RULES = exports2.VOLUME_THRESHOLDS = exports2.DEFAULT_SCORING = exports2.DEFAULT_MODE = void 0;
+    exports2.DEBT_DELTA_WARN_THRESHOLD = exports2.DEBT_DELTA_BLOCK_THRESHOLD = exports2.DEFAULT_NESTING_DEPTH_THRESHOLD = exports2.DEFAULT_PARAMETER_COUNT_THRESHOLD = exports2.DEFAULT_FUNCTION_LENGTH_THRESHOLD = exports2.DEFAULT_LARGE_FILE_THRESHOLD = exports2.DEFAULT_COMPLEXITY_THRESHOLD = exports2.MAX_CHANGED_FILES_PER_PR = exports2.FIRST_SCAN_TIMEOUT_MS = exports2.PR_ANALYSIS_TIMEOUT_MS = exports2.MAX_AI_OUTPUT_TOKENS = exports2.MAX_AI_TOKENS_PER_FUNCTION = exports2.MAX_SUSPECT_FUNCTIONS_PER_PR = exports2.MAX_CALLER_TRACE_DEPTH = exports2.MAX_CROSS_FILE_SUSPECTS = exports2.SECURITY_RULES = exports2.CROSS_FILE_RULES = exports2.ARCHITECTURE_RULES = exports2.MAINTAINABILITY_RULES = exports2.PERFORMANCE_RULES = exports2.RELIABILITY_RULES = exports2.RUNTIME_RISK_RULES = exports2.VOLUME_THRESHOLDS = exports2.DEFAULT_SCORING = exports2.DEFAULT_MODE = void 0;
     exports2.DEFAULT_MODE = "warn";
     exports2.DEFAULT_SCORING = {
       architecture_violation: 5,
@@ -119,7 +119,13 @@ var require_constants = __commonJS({
       DEBUG_CONSOLE_LOG: "debug-console-log-in-production",
       LOW_TEST_COVERAGE: "low-test-coverage",
       LOW_BRANCH_COVERAGE: "low-branch-coverage",
-      COVERAGE_DROP: "coverage-drop"
+      COVERAGE_DROP: "coverage-drop",
+      PROCESS_ENV_TYPO: "process-env-typo",
+      FUNCTION_TOO_LONG: "function-too-long",
+      TOO_MANY_PARAMETERS: "too-many-parameters",
+      DEEP_NESTING: "deep-nesting",
+      CONSOLE_LOG_IN_PRODUCTION: "console-log-in-production",
+      STRAY_TODO_COMMENT: "stray-todo-comment"
     };
     exports2.ARCHITECTURE_RULES = {
       LAYER_VIOLATION: "layer-boundary-violation",
@@ -142,7 +148,10 @@ var require_constants = __commonJS({
       HARDCODED_SECRET_LITERAL: "hardcoded-secret-literal",
       EVAL_USAGE: "eval-usage",
       MATH_RANDOM_FOR_SECURITY: "math-random-for-security",
-      TLS_VALIDATION_DISABLED: "tls-validation-disabled"
+      TLS_VALIDATION_DISABLED: "tls-validation-disabled",
+      CORS_WILDCARD_CREDENTIALS: "cors-wildcard-credentials",
+      JWT_INSECURE_OPTIONS: "jwt-insecure-options",
+      DANGEROUSLY_SET_INNER_HTML_UNSANITIZED: "dangerously-set-inner-html-unsanitized"
     };
     exports2.MAX_CROSS_FILE_SUSPECTS = 10;
     exports2.MAX_CALLER_TRACE_DEPTH = 2;
@@ -154,6 +163,9 @@ var require_constants = __commonJS({
     exports2.MAX_CHANGED_FILES_PER_PR = 100;
     exports2.DEFAULT_COMPLEXITY_THRESHOLD = 10;
     exports2.DEFAULT_LARGE_FILE_THRESHOLD = 300;
+    exports2.DEFAULT_FUNCTION_LENGTH_THRESHOLD = 50;
+    exports2.DEFAULT_PARAMETER_COUNT_THRESHOLD = 4;
+    exports2.DEFAULT_NESTING_DEPTH_THRESHOLD = 4;
     exports2.DEBT_DELTA_BLOCK_THRESHOLD = 15;
     exports2.DEBT_DELTA_WARN_THRESHOLD = 8;
   }
@@ -1058,6 +1070,12 @@ var require_parser = __commonJS({
         }
         result.ignore_tests_for = m.ignore_tests_for.map(String);
       }
+      if (m.check_env_drift !== void 0) {
+        if (typeof m.check_env_drift !== "boolean") {
+          throw new PolicyValidationError("maintainability.check_env_drift must be a boolean");
+        }
+        result.check_env_drift = m.check_env_drift;
+      }
       return result;
     }
     function parseScoring(value) {
@@ -7714,7 +7732,8 @@ var require_validator = __commonJS({
           properties: {
             require_tests: { type: "boolean" },
             require_tests_for: { type: "array", items: { type: "string" } },
-            ignore_tests_for: { type: "array", items: { type: "string" } }
+            ignore_tests_for: { type: "array", items: { type: "string" } },
+            check_env_drift: { type: "boolean" }
           },
           additionalProperties: false
         }
@@ -20372,6 +20391,919 @@ var require_tls_detector = __commonJS({
   }
 });
+// ../../packages/analyzers/dist/typescript/parsed-files.js
+var require_parsed_files = __commonJS({
+  "../../packages/analyzers/dist/typescript/parsed-files.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.parseChangedFiles = parseChangedFiles;
+    var ts_morph_1 = require("ts-morph");
+    function parseChangedFiles(input) {
+      const project = new ts_morph_1.Project({ useInMemoryFileSystem: true });
+      const parsed = [];
+      for (const file of input.changedFiles) {
+        if (file.status === "deleted")
+          continue;
+        if (!/\.(ts|tsx|js|jsx)$/.test(file.path))
+          continue;
+        parsed.push({
+          path: file.path,
+          sourceFile: project.createSourceFile(file.path, file.content)
+        });
+      }
+      return parsed;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/cors-detector.js
+var require_cors_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/cors-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectCorsWildcardCredentials = detectCorsWildcardCredentials;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.example\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    async function detectCorsWildcardCredentials(input, policy, parsed) {
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (EXCLUDED_PATH_REGEX.test(path9))
+          continue;
+        scanFile(sourceFile, path9, policy, violations);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const options = corsOptionsObject(node);
+        if (!options)
+          return;
+        if (!hasDangerousCorsCombo(options))
+          return;
+        violations.push({
+          category: "runtime_risk",
+          type: shared_1.SECURITY_RULES.CORS_WILDCARD_CREDENTIALS,
+          ruleId: shared_1.SECURITY_RULES.CORS_WILDCARD_CREDENTIALS,
+          severity: "critical",
+          source: "deterministic",
+          confidence: "high",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          function: getEnclosingFunctionName(node),
+          message: "CORS is configured with a wildcard/reflected origin and credentials: true \u2014 any website can make authenticated cross-origin requests to this API.",
+          suggestion: "When credentials are enabled, set `origin` to an explicit allow-list of trusted domains. A wildcard (or reflected) origin cannot be combined with credentials.",
+          debtPoints: policy.scoring.runtime_risk_critical,
+          gateAction: "block"
+        });
+      });
+    }
+    function corsOptionsObject(call) {
+      const expr = call.getExpression();
+      const args = call.getArguments();
+      if (ts_morph_1.Node.isIdentifier(expr) && expr.getText() === "cors") {
+        return objectLiteralArg(args, 0);
+      }
+      if (ts_morph_1.Node.isPropertyAccessExpression(expr)) {
+        const method = expr.getName();
+        if (method === "enableCors") {
+          return objectLiteralArg(args, 0);
+        }
+        if (method === "register" && argsReferenceCors(args)) {
+          for (const arg of args) {
+            if (ts_morph_1.Node.isObjectLiteralExpression(arg))
+              return arg;
+          }
+        }
+      }
+      return void 0;
+    }
+    function objectLiteralArg(args, index) {
+      const arg = args[index];
+      return arg && ts_morph_1.Node.isObjectLiteralExpression(arg) ? arg : void 0;
+    }
+    function argsReferenceCors(args) {
+      return args.some((a) => /cors/i.test(a.getText()));
+    }
+    function hasDangerousCorsCombo(obj) {
+      let originIsWildcard = false;
+      let credentialsEnabled = false;
+      for (const prop of obj.getProperties()) {
+        if (!ts_morph_1.Node.isPropertyAssignment(prop))
+          continue;
+        const name = prop.getName().replace(/['"`]/g, "");
+        const init = prop.getInitializer();
+        if (!init)
+          continue;
+        if (name === "origin" && isWildcardOrigin(init)) {
+          originIsWildcard = true;
+        } else if (name === "credentials" && init.getText().trim() === "true") {
+          credentialsEnabled = true;
+        }
+      }
+      return originIsWildcard && credentialsEnabled;
+    }
+    function isWildcardOrigin(init) {
+      if (ts_morph_1.Node.isStringLiteral(init))
+        return init.getLiteralValue() === "*";
+      if (init.getText().trim() === "true")
+        return true;
+      if (ts_morph_1.Node.isArrayLiteralExpression(init)) {
+        return init.getElements().some((el) => ts_morph_1.Node.isStringLiteral(el) && el.getLiteralValue() === "*");
+      }
+      return false;
+    }
+    function getEnclosingFunctionName(node) {
+      const fn = node.getFirstAncestor((a) => ts_morph_1.Node.isFunctionDeclaration(a) || ts_morph_1.Node.isMethodDeclaration(a));
+      if (fn && (ts_morph_1.Node.isFunctionDeclaration(fn) || ts_morph_1.Node.isMethodDeclaration(fn))) {
+        return fn.getName() ?? void 0;
+      }
+      return void 0;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/jwt-detector.js
+var require_jwt_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/jwt-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectJwtInsecureOptions = detectJwtInsecureOptions;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.example\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var MIN_SECRET_LENGTH = 32;
+    var SIGN_METHODS = /* @__PURE__ */ new Set(["sign", "signAsync"]);
+    var VERIFY_METHODS = /* @__PURE__ */ new Set(["verify", "verifyAsync"]);
+    async function detectJwtInsecureOptions(input, policy, parsed) {
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (EXCLUDED_PATH_REGEX.test(path9))
+          continue;
+        scanFile(sourceFile, path9, policy, violations);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const call = jwtCallKind(node);
+        if (!call)
+          return;
+        const { kind, style } = call;
+        const args = node.getArguments();
+        const line = node.getStartLineNumber();
+        const fn = getEnclosingFunctionName(node);
+        const secretArg = style === "lib" ? args[1] : void 0;
+        const optionsArg = style === "lib" ? args[2] : args[1];
+        const optionsObj = optionsArg && ts_morph_1.Node.isObjectLiteralExpression(optionsArg) ? optionsArg : void 0;
+        if (optionsObj && hasAlgorithmNone(optionsObj)) {
+          violations.push({
+            category: "runtime_risk",
+            type: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            ruleId: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            severity: "critical",
+            source: "deterministic",
+            confidence: "high",
+            file: filePath,
+            line,
+            function: fn,
+            message: "JWT is configured with the 'none' algorithm \u2014 the token signature is disabled, so any forged token is accepted.",
+            suggestion: "Pin an explicit signing algorithm (e.g. algorithm: 'HS256' or 'RS256') and never include 'none' in the algorithms allow-list.",
+            debtPoints: policy.scoring.runtime_risk_critical,
+            gateAction: "block"
+          });
+        }
+        if (kind === "sign" && !hasExpiresIn(optionsArg, optionsObj)) {
+          violations.push({
+            category: "runtime_risk",
+            type: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            ruleId: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            severity: "warning",
+            source: "deterministic",
+            confidence: "high",
+            file: filePath,
+            line,
+            function: fn,
+            message: "JWT is signed without an `expiresIn` option \u2014 the issued token never expires and cannot be aged out.",
+            suggestion: "Pass an explicit lifetime, e.g. sign(payload, secret, { expiresIn: '15m' }).",
+            debtPoints: policy.scoring.runtime_risk_warning,
+            gateAction: "warn"
+          });
+        }
+        const secretLen = literalSecretLength(secretArg);
+        if (secretLen !== void 0 && secretLen < MIN_SECRET_LENGTH) {
+          violations.push({
+            category: "runtime_risk",
+            type: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            ruleId: shared_1.SECURITY_RULES.JWT_INSECURE_OPTIONS,
+            severity: "warning",
+            source: "deterministic",
+            confidence: "high",
+            file: filePath,
+            line,
+            function: fn,
+            message: `JWT secret is a ${secretLen}-character string literal \u2014 HMAC secrets shorter than ${MIN_SECRET_LENGTH} characters are brute-forceable, and a literal secret is also hardcoded.`,
+            suggestion: 'Load the secret from an environment variable and use at least 32 random characters (e.g. `crypto.randomBytes(32).toString("hex")`).',
+            debtPoints: policy.scoring.runtime_risk_warning,
+            gateAction: "warn"
+          });
+        }
+      });
+    }
+    function jwtCallKind(call) {
+      const expr = call.getExpression();
+      if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
+        return void 0;
+      const method = expr.getName();
+      const isSign = SIGN_METHODS.has(method);
+      const isVerify = VERIFY_METHODS.has(method);
+      if (!isSign && !isVerify)
+        return void 0;
+      const receiver = expr.getExpression().getText();
+      if (!/jwt|jsonwebtoken/i.test(receiver))
+        return void 0;
+      return {
+        kind: isSign ? "sign" : "verify",
+        style: /jwtService/i.test(receiver) ? "service" : "lib"
+      };
+    }
+    function hasAlgorithmNone(obj) {
+      for (const prop of obj.getProperties()) {
+        if (!ts_morph_1.Node.isPropertyAssignment(prop))
+          continue;
+        const name = prop.getName().replace(/['"`]/g, "");
+        if (name !== "algorithm" && name !== "algorithms")
+          continue;
+        const init = prop.getInitializer();
+        if (!init)
+          continue;
+        if (isNoneLiteral(init))
+          return true;
+        if (ts_morph_1.Node.isArrayLiteralExpression(init)) {
+          if (init.getElements().some(isNoneLiteral))
+            return true;
+        }
+      }
+      return false;
+    }
+    function isNoneLiteral(node) {
+      if (ts_morph_1.Node.isStringLiteral(node) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(node)) {
+        return node.getLiteralValue().toLowerCase() === "none";
+      }
+      return false;
+    }
+    function hasExpiresIn(optionsArg, optionsObj) {
+      if (!optionsArg)
+        return false;
+      if (!optionsObj)
+        return true;
+      return optionsObj.getProperties().some((prop) => {
+        if (ts_morph_1.Node.isPropertyAssignment(prop) || ts_morph_1.Node.isShorthandPropertyAssignment(prop)) {
+          return prop.getName().replace(/['"`]/g, "") === "expiresIn";
+        }
+        return false;
+      });
+    }
+    function literalSecretLength(node) {
+      if (!node)
+        return void 0;
+      if (ts_morph_1.Node.isStringLiteral(node) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(node)) {
+        return node.getLiteralValue().length;
+      }
+      return void 0;
+    }
+    function getEnclosingFunctionName(node) {
+      const fn = node.getFirstAncestor((a) => ts_morph_1.Node.isFunctionDeclaration(a) || ts_morph_1.Node.isMethodDeclaration(a));
+      if (fn && (ts_morph_1.Node.isFunctionDeclaration(fn) || ts_morph_1.Node.isMethodDeclaration(fn))) {
+        return fn.getName() ?? void 0;
+      }
+      return void 0;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/jsx-xss-detector.js
+var require_jsx_xss_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/jsx-xss-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectDangerouslySetInnerHtml = detectDangerouslySetInnerHtml;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.stories\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var SANITIZER_NAME_REGEX = /^(sanitize|sanitizeHtml|xss|escape|escapeHtml|striptags|purify)$/i;
+    async function detectDangerouslySetInnerHtml(input, policy, parsed) {
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (!/\.(tsx|jsx)$/.test(path9))
+          continue;
+        if (EXCLUDED_PATH_REGEX.test(path9))
+          continue;
+        scanFile(sourceFile, path9, policy, violations);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isJsxAttribute(node))
+          return;
+        if (node.getNameNode().getText() !== "dangerouslySetInnerHTML")
+          return;
+        const htmlValue = extractHtmlValue(node);
+        if (!htmlValue)
+          return;
+        if (isSafeHtmlValue(htmlValue))
+          return;
+        violations.push({
+          category: "runtime_risk",
+          type: shared_1.SECURITY_RULES.DANGEROUSLY_SET_INNER_HTML_UNSANITIZED,
+          ruleId: shared_1.SECURITY_RULES.DANGEROUSLY_SET_INNER_HTML_UNSANITIZED,
+          severity: "warning",
+          source: "deterministic",
+          confidence: "medium",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          message: "dangerouslySetInnerHTML is set from a value that is not a static string or a sanitizer call \u2014 untrusted HTML here is a cross-site scripting (XSS) sink.",
+          suggestion: "Sanitize the HTML before insertion, e.g. dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(value) }}, or render the value as text instead of HTML.",
+          debtPoints: policy.scoring.runtime_risk_warning,
+          gateAction: "warn"
+        });
+      });
+    }
+    function extractHtmlValue(attr) {
+      if (!ts_morph_1.Node.isJsxAttribute(attr))
+        return void 0;
+      const init = attr.getInitializer();
+      if (!init || !ts_morph_1.Node.isJsxExpression(init))
+        return void 0;
+      const expr = init.getExpression();
+      if (!expr || !ts_morph_1.Node.isObjectLiteralExpression(expr))
+        return void 0;
+      for (const prop of expr.getProperties()) {
+        if (ts_morph_1.Node.isPropertyAssignment(prop)) {
+          if (prop.getName().replace(/['"`]/g, "") === "__html") {
+            return prop.getInitializer();
+          }
+        } else if (ts_morph_1.Node.isShorthandPropertyAssignment(prop)) {
+          if (prop.getName() === "__html") {
+            return prop.getNameNode();
+          }
+        }
+      }
+      return void 0;
+    }
+    function isSafeHtmlValue(value) {
+      if (ts_morph_1.Node.isStringLiteral(value) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(value)) {
+        return true;
+      }
+      if (ts_morph_1.Node.isCallExpression(value)) {
+        return isSanitizerCall(value);
+      }
+      return false;
+    }
+    function isSanitizerCall(call) {
+      if (!ts_morph_1.Node.isCallExpression(call))
+        return false;
+      const expr = call.getExpression();
+      let name;
+      if (ts_morph_1.Node.isIdentifier(expr)) {
+        name = expr.getText();
+      } else if (ts_morph_1.Node.isPropertyAccessExpression(expr)) {
+        name = expr.getName();
+      }
+      return name !== void 0 && SANITIZER_NAME_REGEX.test(name);
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/env-typo-detector.js
+var require_env_typo_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/env-typo-detector.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
+    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) {
+          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        }
+        __setModuleDefault(result, mod);
+        return result;
+      };
+    })();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectProcessEnvTypo = detectProcessEnvTypo;
+    var fs9 = __importStar(require("fs"));
+    var path9 = __importStar(require("path"));
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.fixture\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var PLATFORM_PROVIDED_ENV_VARS = /* @__PURE__ */ new Set([
+      // Node / shell runtime
+      "NODE_ENV",
+      "PORT",
+      "PWD",
+      "HOME",
+      "USER",
+      "PATH",
+      "SHELL",
+      "TERM",
+      "TZ",
+      "LANG",
+      "LC_ALL",
+      "LC_TIME",
+      "DEBUG",
+      "NODE_OPTIONS",
+      "CI",
+      // GitHub Actions — runner-injected, NOT app config
+      "GITHUB_ACTIONS",
+      "GITHUB_TOKEN",
+      "GITHUB_SHA",
+      "GITHUB_REPOSITORY",
+      "GITHUB_REPOSITORY_OWNER",
+      "GITHUB_REF",
+      "GITHUB_REF_NAME",
+      "GITHUB_REF_TYPE",
+      "GITHUB_HEAD_REF",
+      "GITHUB_BASE_REF",
+      "GITHUB_RUN_ID",
+      "GITHUB_RUN_NUMBER",
+      "GITHUB_RUN_ATTEMPT",
+      "GITHUB_WORKFLOW",
+      "GITHUB_EVENT_NAME",
+      "GITHUB_EVENT_PATH",
+      "GITHUB_WORKSPACE",
+      "GITHUB_ACTOR",
+      "GITHUB_ACTOR_ID",
+      "GITHUB_API_URL",
+      "GITHUB_SERVER_URL",
+      "GITHUB_GRAPHQL_URL",
+      "GITHUB_JOB",
+      "GITHUB_ACTION",
+      "GITHUB_ACTION_PATH",
+      "GITHUB_ACTION_REPOSITORY",
+      "GITHUB_RETENTION_DAYS",
+      // GitLab CI — runner-injected
+      "GITLAB_CI",
+      "GITLAB_USER_ID",
+      "GITLAB_USER_LOGIN",
+      "CI_JOB_TOKEN",
+      "CI_COMMIT_SHA",
+      "CI_COMMIT_REF_NAME",
+      "CI_COMMIT_BRANCH",
+      "CI_COMMIT_TAG",
+      "CI_PROJECT_ID",
+      "CI_PROJECT_PATH",
+      "CI_PROJECT_NAME",
+      "CI_PIPELINE_ID",
+      "CI_PIPELINE_IID",
+      "CI_PIPELINE_SOURCE",
+      "CI_JOB_ID",
+      "CI_MERGE_REQUEST_IID",
+      "CI_MERGE_REQUEST_PROJECT_PATH",
+      "CI_API_V4_URL",
+      "CI_SERVER_URL",
+      // Railway, Vercel, Netlify — platform-injected
+      "RAILWAY_ENVIRONMENT",
+      "RAILWAY_PROJECT_ID",
+      "RAILWAY_PROJECT_NAME",
+      "RAILWAY_SERVICE_ID",
+      "RAILWAY_SERVICE_NAME",
+      "RAILWAY_REPLICA_ID",
+      "RAILWAY_STATIC_URL",
+      "RAILWAY_PUBLIC_DOMAIN",
+      "RAILWAY_PRIVATE_DOMAIN",
+      "VERCEL",
+      "VERCEL_ENV",
+      "VERCEL_URL",
+      "VERCEL_BRANCH_URL",
+      "VERCEL_REGION",
+      "VERCEL_GIT_COMMIT_SHA",
+      "VERCEL_GIT_COMMIT_REF",
+      "VERCEL_GIT_PROVIDER",
+      "VERCEL_GIT_REPO_SLUG",
+      "VERCEL_GIT_REPO_OWNER",
+      "NETLIFY",
+      "NETLIFY_BUILD_BASE",
+      "NETLIFY_LOCAL",
+      "NETLIFY_DEV",
+      "CONTEXT",
+      "DEPLOY_URL",
+      "DEPLOY_PRIME_URL",
+      "BUILD_ID",
+      // Turbo internals
+      "TURBO_TEAM",
+      "TURBO_TOKEN",
+      "TURBO_REMOTE_CACHE_SIGNATURE_KEY"
+    ]);
+    function isPlatformProvidedEnvVar(name) {
+      if (PLATFORM_PROVIDED_ENV_VARS.has(name))
+        return true;
+      if (/^npm_(config_|package_|lifecycle_|execpath)/i.test(name))
+        return true;
+      return false;
+    }
+    async function detectProcessEnvTypo(input, projectRoot, policy, parsed) {
+      if (policy.maintainability?.check_env_drift !== true)
+        return [];
+      const declared = await readDeclaredEnvVars(projectRoot);
+      if (!declared)
+        return [];
+      const violations = [];
+      for (const { path: path10, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (EXCLUDED_PATH_REGEX.test(path10))
+          continue;
+        scanFile(sourceFile, path10, declared, policy, violations);
+      }
+      return violations;
+    }
+    async function readDeclaredEnvVars(projectRoot) {
+      const envPath = path9.join(projectRoot, ".env.example");
+      let content;
+      try {
+        content = await fs9.promises.readFile(envPath, "utf-8");
+      } catch {
+        return void 0;
+      }
+      const declared = /* @__PURE__ */ new Set();
+      for (const line of content.split("\n")) {
+        const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/);
+        if (match)
+          declared.add(match[1]);
+      }
+      return declared;
+    }
+    function scanFile(sourceFile, filePath, declared, policy, violations) {
+      void policy;
+      const seen = /* @__PURE__ */ new Set();
+      sourceFile.forEachDescendant((node) => {
+        const name = referencedEnvVar(node);
+        if (!name)
+          return;
+        if (declared.has(name) || isPlatformProvidedEnvVar(name))
+          return;
+        if (seen.has(name))
+          return;
+        seen.add(name);
+        violations.push({
+          category: "maintainability",
+          type: shared_1.MAINTAINABILITY_RULES.PROCESS_ENV_TYPO,
+          ruleId: shared_1.MAINTAINABILITY_RULES.PROCESS_ENV_TYPO,
+          severity: "warning",
+          source: "deterministic",
+          confidence: "medium",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          message: `Env var ${name} is referenced in code but not declared in .env.example \u2014 it is either a typo or a missing entry.`,
+          suggestion: `Add ${name}= to .env.example, or correct the name in code to match a declared variable.`,
+          debtPoints: 2,
+          gateAction: "warn"
+        });
+      });
+    }
+    function referencedEnvVar(node) {
+      if (ts_morph_1.Node.isPropertyAccessExpression(node)) {
+        if (node.getExpression().getText() === "process.env") {
+          return node.getName();
+        }
+      }
+      if (ts_morph_1.Node.isElementAccessExpression(node)) {
+        if (node.getExpression().getText() === "process.env") {
+          const arg = node.getArgumentExpression();
+          if (arg && (ts_morph_1.Node.isStringLiteral(arg) || ts_morph_1.Node.isNoSubstitutionTemplateLiteral(arg))) {
+            return arg.getLiteralValue();
+          }
+        }
+      }
+      return void 0;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/maintainability-detector.js
+var require_maintainability_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/maintainability-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectMaintainabilityIssues = detectMaintainabilityIssues;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var DEFAULT_THRESHOLDS = {
+      functionLength: shared_1.DEFAULT_FUNCTION_LENGTH_THRESHOLD,
+      parameterCount: shared_1.DEFAULT_PARAMETER_COUNT_THRESHOLD,
+      nestingDepth: shared_1.DEFAULT_NESTING_DEPTH_THRESHOLD
+    };
+    async function detectMaintainabilityIssues(input, policy, thresholds = {}, parsed) {
+      const limits = { ...DEFAULT_THRESHOLDS, ...thresholds };
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (EXCLUDED_PATH_REGEX.test(path9))
+          continue;
+        scanFile(sourceFile, path9, limits, policy, violations);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, limits, policy, violations) {
+      void policy;
+      sourceFile.forEachDescendant((node) => {
+        if (!isFunctionLike(node))
+          return;
+        const body = node.getBody();
+        if (body) {
+          const lineSpan = body.getEndLineNumber() - body.getStartLineNumber();
+          if (lineSpan > limits.functionLength) {
+            const name = getFunctionName(node);
+            violations.push({
+              category: "maintainability",
+              type: shared_1.MAINTAINABILITY_RULES.FUNCTION_TOO_LONG,
+              ruleId: shared_1.MAINTAINABILITY_RULES.FUNCTION_TOO_LONG,
+              severity: "warning",
+              source: "deterministic",
+              confidence: "high",
+              file: filePath,
+              line: node.getStartLineNumber(),
+              function: name,
+              message: `Function '${name}' is ${lineSpan} lines long (threshold: ${limits.functionLength}) \u2014 long functions are hard to read, test, and reuse.`,
+              suggestion: "Extract cohesive blocks into well-named helper functions.",
+              debtPoints: 2,
+              gateAction: "warn"
+            });
+          }
+          const depth = maxNestingDepth(body);
+          if (depth > limits.nestingDepth) {
+            const name = getFunctionName(node);
+            violations.push({
+              category: "maintainability",
+              type: shared_1.MAINTAINABILITY_RULES.DEEP_NESTING,
+              ruleId: shared_1.MAINTAINABILITY_RULES.DEEP_NESTING,
+              severity: "warning",
+              source: "deterministic",
+              confidence: "high",
+              file: filePath,
+              line: node.getStartLineNumber(),
+              function: name,
+              message: `Function '${name}' nests blocks ${depth} levels deep (threshold: ${limits.nestingDepth}) \u2014 deep nesting hides the control flow.`,
+              suggestion: "Flatten with early returns / guard clauses, or extract inner blocks into helper functions.",
+              debtPoints: 2,
+              gateAction: "warn"
+            });
+          }
+        }
+        const paramCount = node.getParameters().length;
+        if (paramCount > limits.parameterCount) {
+          const name = getFunctionName(node);
+          violations.push({
+            category: "maintainability",
+            type: shared_1.MAINTAINABILITY_RULES.TOO_MANY_PARAMETERS,
+            ruleId: shared_1.MAINTAINABILITY_RULES.TOO_MANY_PARAMETERS,
+            severity: "warning",
+            source: "deterministic",
+            confidence: "high",
+            file: filePath,
+            line: node.getStartLineNumber(),
+            function: name,
+            message: `Function '${name}' has ${paramCount} parameters (threshold: ${limits.parameterCount}) \u2014 long parameter lists are easy to mis-order and hard to call.`,
+            suggestion: "Group related parameters into a single options object.",
+            debtPoints: 2,
+            gateAction: "warn"
+          });
+        }
+      });
+    }
+    function isFunctionLike(node) {
+      return ts_morph_1.Node.isFunctionDeclaration(node) || ts_morph_1.Node.isFunctionExpression(node) || ts_morph_1.Node.isArrowFunction(node) || ts_morph_1.Node.isMethodDeclaration(node) || ts_morph_1.Node.isConstructorDeclaration(node) || ts_morph_1.Node.isGetAccessorDeclaration(node) || ts_morph_1.Node.isSetAccessorDeclaration(node);
+    }
+    function getFunctionName(node) {
+      if (ts_morph_1.Node.isConstructorDeclaration(node))
+        return "constructor";
+      if (ts_morph_1.Node.isFunctionDeclaration(node) || ts_morph_1.Node.isMethodDeclaration(node) || ts_morph_1.Node.isGetAccessorDeclaration(node) || ts_morph_1.Node.isSetAccessorDeclaration(node)) {
+        return node.getName() ?? "<anonymous>";
+      }
+      const parent = node.getParent();
+      if (ts_morph_1.Node.isVariableDeclaration(parent) || ts_morph_1.Node.isPropertyAssignment(parent)) {
+        return parent.getName();
+      }
+      if (ts_morph_1.Node.isFunctionExpression(node)) {
+        const own = node.getName();
+        if (own)
+          return own;
+      }
+      return "<anonymous>";
+    }
+    function maxNestingDepth(body) {
+      let max = 0;
+      function recurse(node, depth) {
+        node.forEachChild((child) => {
+          if (isFunctionLike(child))
+            return;
+          let childDepth = depth;
+          if (isNestingNode(child)) {
+            if (ts_morph_1.Node.isIfStatement(child) && isElseIf(child)) {
+              childDepth = depth;
+            } else {
+              childDepth = depth + 1;
+              if (childDepth > max)
+                max = childDepth;
+            }
+          }
+          recurse(child, childDepth);
+        });
+      }
+      recurse(body, 0);
+      return max;
+    }
+    function isNestingNode(node) {
+      return ts_morph_1.Node.isIfStatement(node) || ts_morph_1.Node.isForStatement(node) || ts_morph_1.Node.isForInStatement(node) || ts_morph_1.Node.isForOfStatement(node) || ts_morph_1.Node.isWhileStatement(node) || ts_morph_1.Node.isDoStatement(node) || ts_morph_1.Node.isTryStatement(node) || ts_morph_1.Node.isSwitchStatement(node) || ts_morph_1.Node.isCaseClause(node) || ts_morph_1.Node.isDefaultClause(node);
+    }
+    function isElseIf(node) {
+      const parent = node.getParent();
+      return parent !== void 0 && ts_morph_1.Node.isIfStatement(parent) && parent.getElseStatement() === node;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/console-in-production-detector.js
+var require_console_in_production_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/console-in-production-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectConsoleInProduction = detectConsoleInProduction;
+    var shared_1 = require_dist();
+    var ts_morph_1 = require("ts-morph");
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var ALLOW_COMMENT = "radar:allow-console";
+    async function detectConsoleInProduction(input, policy, parsed) {
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (isExcludedConsoleFile(path9))
+          continue;
+        if (hasAllowConsoleComment(sourceFile.getFullText()))
+          continue;
+        scanFile(sourceFile, path9, policy, violations);
+      }
+      return violations;
+    }
+    function isExcludedConsoleFile(filePath) {
+      if (EXCLUDED_PATH_REGEX.test(filePath))
+        return true;
+      if (/(^|\/)apps\/cli\/src\//.test(filePath))
+        return true;
+      if (/(^|\/)(scripts|build)\//.test(filePath))
+        return true;
+      const base = filePath.split("/").pop() ?? "";
+      if (base === "index.ts" || base === "index.js")
+        return true;
+      return false;
+    }
+    function hasAllowConsoleComment(content) {
+      return content.split("\n", 5).join("\n").includes(ALLOW_COMMENT);
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      void policy;
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const expr = node.getExpression();
+        if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
+          return;
+        if (expr.getExpression().getText() !== "console")
+          return;
+        const method = expr.getName();
+        violations.push({
+          category: "maintainability",
+          type: shared_1.MAINTAINABILITY_RULES.CONSOLE_LOG_IN_PRODUCTION,
+          ruleId: shared_1.MAINTAINABILITY_RULES.CONSOLE_LOG_IN_PRODUCTION,
+          severity: "info",
+          source: "deterministic",
+          confidence: "high",
+          file: filePath,
+          line: node.getStartLineNumber(),
+          function: getEnclosingFunctionName(node),
+          message: `console.${method}() in production source \u2014 console output is unstructured and bypasses log levels and transports.`,
+          suggestion: "Use the project's structured logger, or remove the call if it was a debugging leftover. Add `// radar:allow-console` at the top of the file to opt out.",
+          debtPoints: 1,
+          gateAction: "none"
+        });
+      });
+    }
+    function getEnclosingFunctionName(node) {
+      const fn = node.getFirstAncestor((a) => ts_morph_1.Node.isFunctionDeclaration(a) || ts_morph_1.Node.isMethodDeclaration(a));
+      if (fn && (ts_morph_1.Node.isFunctionDeclaration(fn) || ts_morph_1.Node.isMethodDeclaration(fn))) {
+        return fn.getName() ?? void 0;
+      }
+      return void 0;
+    }
+  }
+});
+// ../../packages/analyzers/dist/typescript/todo-comment-detector.js
+var require_todo_comment_detector = __commonJS({
+  "../../packages/analyzers/dist/typescript/todo-comment-detector.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.detectStrayTodoComments = detectStrayTodoComments;
+    var shared_1 = require_dist();
+    var parsed_files_1 = require_parsed_files();
+    var EXCLUDED_PATH_REGEX = /(\.spec\.|\.test\.|\.d\.ts$)|(^|\/)(__tests__|__mocks__|test|tests|e2e|mocks)(\/|$)/i;
+    var MARKER_REGEX = /\b(TODO|FIXME|HACK|XXX|TBD)\b\s*(\([^)]*\))?/gi;
+    var TRACKER_REGEX = /#\d+|[A-Z][A-Z0-9]+-\d+|https?:\/\//;
+    var LICENSE_REGEX = /SPDX-License-Identifier:|\bCopyright\b|\bLicen[sc]e\b/i;
+    async function detectStrayTodoComments(input, policy, parsed) {
+      const violations = [];
+      for (const { path: path9, sourceFile } of parsed ?? (0, parsed_files_1.parseChangedFiles)(input)) {
+        if (EXCLUDED_PATH_REGEX.test(path9))
+          continue;
+        scanFile(sourceFile, path9, policy, violations);
+      }
+      return violations;
+    }
+    function scanFile(sourceFile, filePath, policy, violations) {
+      void policy;
+      const seen = /* @__PURE__ */ new Set();
+      const consider = (range) => {
+        const pos = range.getPos();
+        if (seen.has(pos))
+          return;
+        seen.add(pos);
+        const keyword = strayMarkerKeyword(range.getText());
+        if (!keyword)
+          return;
+        const { line } = sourceFile.getLineAndColumnAtPos(pos);
+        violations.push({
+          category: "maintainability",
+          type: shared_1.MAINTAINABILITY_RULES.STRAY_TODO_COMMENT,
+          ruleId: shared_1.MAINTAINABILITY_RULES.STRAY_TODO_COMMENT,
+          severity: "info",
+          source: "deterministic",
+          confidence: "high",
+          file: filePath,
+          line,
+          message: `Stray ${keyword} comment in committed code \u2014 unresolved markers accumulate as silent, untracked debt.`,
+          suggestion: `Resolve the ${keyword}, or link it to a tracked issue, e.g. ${keyword}(#123): ....`,
+          debtPoints: 1,
+          gateAction: "none"
+        });
+      };
+      sourceFile.forEachDescendant((node) => {
+        for (const r of node.getLeadingCommentRanges())
+          consider(r);
+        for (const r of node.getTrailingCommentRanges())
+          consider(r);
+      });
+    }
+    function strayMarkerKeyword(commentText) {
+      if (LICENSE_REGEX.test(commentText))
+        return void 0;
+      MARKER_REGEX.lastIndex = 0;
+      let match;
+      while ((match = MARKER_REGEX.exec(commentText)) !== null) {
+        const reference = match[2] ?? "";
+        if (!TRACKER_REGEX.test(reference)) {
+          return match[1].toUpperCase();
+        }
+      }
+      return void 0;
+    }
+  }
+});
 // ../../packages/analyzers/dist/typescript/orchestrator.js
 var require_orchestrator = __commonJS({
   "../../packages/analyzers/dist/typescript/orchestrator.js"(exports2) {
@@ -20433,6 +21365,14 @@ var require_orchestrator = __commonJS({
     var eval_detector_1 = require_eval_detector();
     var math_random_detector_1 = require_math_random_detector();
     var tls_detector_1 = require_tls_detector();
+    var cors_detector_1 = require_cors_detector();
+    var jwt_detector_1 = require_jwt_detector();
+    var jsx_xss_detector_1 = require_jsx_xss_detector();
+    var env_typo_detector_1 = require_env_typo_detector();
+    var maintainability_detector_1 = require_maintainability_detector();
+    var console_in_production_detector_1 = require_console_in_production_detector();
+    var todo_comment_detector_1 = require_todo_comment_detector();
+    var parsed_files_1 = require_parsed_files();
     var EXCLUDED_FILE_PATTERNS = [
       /\.spec\.(ts|tsx|js|jsx)$/,
       /\.test\.(ts|tsx|js|jsx)$/,
@@ -20461,7 +21401,8 @@ var require_orchestrator = __commonJS({
         changedFiles: input.changedFiles.filter((f) => !isExcludedFile(f.path))
       };
       const projectRoot = input.projectRoot ?? deriveProjectRoot(input);
-      const [importGraph, complexityDeltas, runtimeResult, perfViolations, reliabilityViolations, duplicationResult, missingTestsResult, deadCodeResult, coverageDeltaResult, secretViolations, evalViolations, mathRandomViolations, tlsViolations] = await Promise.all([
+      const parsedFiles = (0, parsed_files_1.parseChangedFiles)(filteredInput);
+      const [importGraph, complexityDeltas, runtimeResult, perfViolations, reliabilityViolations, duplicationResult, missingTestsResult, deadCodeResult, coverageDeltaResult, secretViolations, evalViolations, mathRandomViolations, tlsViolations, corsViolations, jwtViolations, jsxXssViolations, envTypoViolations, maintainabilityViolations, consoleViolations, todoViolations] = await Promise.all([
         (0, import_graph_1.buildImportGraph)(filteredInput, policy),
         (0, complexity_calculator_1.calculateComplexity)(filteredInput),
         (0, runtime_risk_detector_1.detectRuntimeRisks)(filteredInput, policy),
@@ -20474,7 +21415,14 @@ var require_orchestrator = __commonJS({
         (0, secret_scanner_1.detectHardcodedSecrets)(filteredInput, policy),
         (0, eval_detector_1.detectEvalUsage)(filteredInput, policy),
         (0, math_random_detector_1.detectMathRandomForSecurity)(filteredInput, policy),
-        (0, tls_detector_1.detectTlsValidationDisabled)(filteredInput, policy)
+        (0, tls_detector_1.detectTlsValidationDisabled)(filteredInput, policy),
+        (0, cors_detector_1.detectCorsWildcardCredentials)(filteredInput, policy, parsedFiles),
+        (0, jwt_detector_1.detectJwtInsecureOptions)(filteredInput, policy, parsedFiles),
+        (0, jsx_xss_detector_1.detectDangerouslySetInnerHtml)(filteredInput, policy, parsedFiles),
+        projectRoot ? (0, env_typo_detector_1.detectProcessEnvTypo)(filteredInput, projectRoot, policy, parsedFiles) : Promise.resolve([]),
+        (0, maintainability_detector_1.detectMaintainabilityIssues)(filteredInput, policy, {}, parsedFiles),
+        (0, console_in_production_detector_1.detectConsoleInProduction)(filteredInput, policy, parsedFiles),
+        (0, todo_comment_detector_1.detectStrayTodoComments)(filteredInput, policy, parsedFiles)
       ]);
       const runtimeViolations = runtimeResult.violations;
       const unflaggedPatterns = runtimeResult.unflaggedPatterns;
@@ -20493,6 +21441,13 @@ var require_orchestrator = __commonJS({
         ...evalViolations,
         ...mathRandomViolations,
         ...tlsViolations,
+        ...corsViolations,
+        ...jwtViolations,
+        ...jsxXssViolations,
+        ...envTypoViolations,
+        ...maintainabilityViolations,
+        ...consoleViolations,
+        ...todoViolations,
         ...boundaryViolations,
         ...circularViolations,
         ...runtimeViolations,
@@ -20837,7 +21792,7 @@ var require_dist3 = __commonJS({
   "../../packages/analyzers/dist/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.runFullAnalysis = exports2.detectTlsValidationDisabled = exports2.detectMathRandomForSecurity = exports2.detectEvalUsage = exports2.detectHardcodedSecrets = exports2.detectCoverageDelta = exports2.detectDeadCode = exports2.analyzeCrossFileWithAI = exports2.buildReverseImportGraph = exports2.analyzeCrossFile = exports2.detectMissingTests = exports2.detectDuplication = exports2.detectReliabilityIssues = exports2.detectPerformanceRisks = exports2.detectRuntimeRisks = exports2.calculateComplexity = exports2.detectCircularDeps = exports2.checkBoundaries = exports2.buildImportGraph = void 0;
+    exports2.runFullAnalysis = exports2.detectStrayTodoComments = exports2.detectConsoleInProduction = exports2.detectMaintainabilityIssues = exports2.detectProcessEnvTypo = exports2.detectDangerouslySetInnerHtml = exports2.detectJwtInsecureOptions = exports2.detectCorsWildcardCredentials = exports2.detectTlsValidationDisabled = exports2.detectMathRandomForSecurity = exports2.detectEvalUsage = exports2.detectHardcodedSecrets = exports2.detectCoverageDelta = exports2.detectDeadCode = exports2.analyzeCrossFileWithAI = exports2.buildReverseImportGraph = exports2.analyzeCrossFile = exports2.detectMissingTests = exports2.detectDuplication = exports2.detectReliabilityIssues = exports2.detectPerformanceRisks = exports2.detectRuntimeRisks = exports2.calculateComplexity = exports2.detectCircularDeps = exports2.checkBoundaries = exports2.buildImportGraph = void 0;
     var import_graph_1 = require_import_graph();
     Object.defineProperty(exports2, "buildImportGraph", { enumerable: true, get: function() {
       return import_graph_1.buildImportGraph;
@@ -20909,6 +21864,34 @@ var require_dist3 = __commonJS({
     Object.defineProperty(exports2, "detectTlsValidationDisabled", { enumerable: true, get: function() {
       return tls_detector_1.detectTlsValidationDisabled;
     } });
+    var cors_detector_1 = require_cors_detector();
+    Object.defineProperty(exports2, "detectCorsWildcardCredentials", { enumerable: true, get: function() {
+      return cors_detector_1.detectCorsWildcardCredentials;
+    } });
+    var jwt_detector_1 = require_jwt_detector();
+    Object.defineProperty(exports2, "detectJwtInsecureOptions", { enumerable: true, get: function() {
+      return jwt_detector_1.detectJwtInsecureOptions;
+    } });
+    var jsx_xss_detector_1 = require_jsx_xss_detector();
+    Object.defineProperty(exports2, "detectDangerouslySetInnerHtml", { enumerable: true, get: function() {
+      return jsx_xss_detector_1.detectDangerouslySetInnerHtml;
+    } });
+    var env_typo_detector_1 = require_env_typo_detector();
+    Object.defineProperty(exports2, "detectProcessEnvTypo", { enumerable: true, get: function() {
+      return env_typo_detector_1.detectProcessEnvTypo;
+    } });
+    var maintainability_detector_1 = require_maintainability_detector();
+    Object.defineProperty(exports2, "detectMaintainabilityIssues", { enumerable: true, get: function() {
+      return maintainability_detector_1.detectMaintainabilityIssues;
+    } });
+    var console_in_production_detector_1 = require_console_in_production_detector();
+    Object.defineProperty(exports2, "detectConsoleInProduction", { enumerable: true, get: function() {
+      return console_in_production_detector_1.detectConsoleInProduction;
+    } });
+    var todo_comment_detector_1 = require_todo_comment_detector();
+    Object.defineProperty(exports2, "detectStrayTodoComments", { enumerable: true, get: function() {
+      return todo_comment_detector_1.detectStrayTodoComments;
+    } });
     var orchestrator_1 = require_orchestrator();
     Object.defineProperty(exports2, "runFullAnalysis", { enumerable: true, get: function() {
       return orchestrator_1.runFullAnalysis;
@@ -20921,8 +21904,8 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "technical-debt-radar",
-      version: "1.16.0",
-      description: "Stop Node.js production crashes before merge. 65 detection rules across 5 categories.",
+      version: "1.17.0",
+      description: "Stop Node.js production crashes before merge. 74 detection rules across 5 categories.",
       bin: {
         radar: "dist/index.js",
         "technical-debt-radar": "dist/index.js"

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "technical-debt-radar",
-  "version": "1.16.0",
-  "description": "Stop Node.js production crashes before merge. 65 detection rules across 5 categories.",
+  "version": "1.17.0",
+  "description": "Stop Node.js production crashes before merge. 74 detection rules across 5 categories.",
   "bin": {
     "radar": "dist/index.js",
     "technical-debt-radar": "dist/index.js"