vbguard 0.3.0 → 0.5.1

package/src/scanners/hallucinated-packages.js

@@ -0,0 +1,247 @@
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+const http = require('http');
+
+// Popular packages for typosquat detection (edit distance check)
+const POPULAR_NPM = [
+  'express', 'react', 'lodash', 'axios', 'moment', 'chalk', 'commander',
+  'inquirer', 'webpack', 'babel', 'typescript', 'eslint', 'prettier',
+  'mongoose', 'sequelize', 'prisma', 'next', 'vue', 'angular', 'svelte',
+  'tailwindcss', 'dotenv', 'cors', 'helmet', 'jsonwebtoken', 'bcrypt',
+  'uuid', 'dayjs', 'zod', 'yup', 'joi', 'socket.io', 'passport',
+  'nodemon', 'jest', 'mocha', 'vitest', 'puppeteer', 'playwright',
+  'cheerio', 'redis', 'pg', 'mysql2', 'sqlite3', 'stripe', 'twilio',
+  'aws-sdk', 'firebase', 'supabase', 'openai', 'langchain',
+];
+
+const POPULAR_PYPI = [
+  'flask', 'django', 'fastapi', 'requests', 'numpy', 'pandas', 'scipy',
+  'tensorflow', 'pytorch', 'scikit-learn', 'matplotlib', 'pillow',
+  'sqlalchemy', 'celery', 'redis', 'boto3', 'pydantic', 'uvicorn',
+  'gunicorn', 'pytest', 'black', 'mypy', 'openai', 'langchain',
+  'beautifulsoup4', 'scrapy', 'httpx', 'aiohttp', 'cryptography',
+  'pyyaml', 'python-dotenv', 'alembic', 'jinja2', 'click', 'typer',
+  'rich', 'stripe', 'twilio', 'paramiko', 'fabric',
+];
+
+function editDistance(a, b) {
+  const m = a.length, n = b.length;
+  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+
+function findTyposquatTarget(name, popularList) {
+  for (const popular of popularList) {
+    if (name === popular) return null;
+    const dist = editDistance(name.toLowerCase(), popular.toLowerCase());
+    if (dist > 0 && dist <= 2) return popular;
+  }
+  return null;
+}
+
+function httpGet(url) {
+  return new Promise((resolve, reject) => {
+    const client = url.startsWith('https') ? https : http;
+    const req = client.get(url, { timeout: 10000 }, (res) => {
+      let data = '';
+      res.on('data', (chunk) => { data += chunk; });
+      res.on('end', () => resolve({ status: res.statusCode, data }));
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
+  });
+}
+
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function checkNpmPackage(name) {
+  try {
+    const res = await httpGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
+    if (res.status === 404) return { exists: false };
+    if (res.status === 200) {
+      try {
+        const pkg = JSON.parse(res.data);
+        const timeCreated = pkg.time && pkg.time.created ? new Date(pkg.time.created) : null;
+        return { exists: true, created: timeCreated, data: pkg };
+      } catch {
+        return { exists: true };
+      }
+    }
+    return { exists: true };
+  } catch {
+    return { exists: null }; // Network error — skip
+  }
+}
+
+async function checkPypiPackage(name) {
+  try {
+    const res = await httpGet(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+    if (res.status === 404) return { exists: false };
+    if (res.status === 200) {
+      try {
+        const pkg = JSON.parse(res.data);
+        // Get earliest release date
+        const urls = pkg.urls || [];
+        const firstUpload = urls.length > 0 ? new Date(urls[0].upload_time_iso_8601 || urls[0].upload_time) : null;
+        return { exists: true, created: firstUpload, data: pkg };
+      } catch {
+        return { exists: true };
+      }
+    }
+    return { exists: true };
+  } catch {
+    return { exists: null };
+  }
+}
+
+async function scanHallucinatedPackages(dir, opts = {}) {
+  if (opts.offline) return [];
+
+  const findings = [];
+  const RATE_LIMIT_MS = 100; // 100ms between requests
+
+  // Collect npm packages
+  const npmPackages = [];
+  const pkgPath = path.join(dir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const allDeps = {
+        ...(pkg.dependencies || {}),
+        ...(pkg.devDependencies || {}),
+      };
+      for (const name of Object.keys(allDeps)) {
+        npmPackages.push(name);
+      }
+    } catch {}
+  }
+
+  // Collect Python packages
+  const pyPackages = [];
+  const reqPath = path.join(dir, 'requirements.txt');
+  if (fs.existsSync(reqPath)) {
+    try {
+      const content = fs.readFileSync(reqPath, 'utf-8');
+      for (const line of content.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        const match = trimmed.match(/^([a-zA-Z0-9._-]+)/);
+        if (match) pyPackages.push(match[1]);
+      }
+    } catch {}
+  }
+
+  // Check npm packages
+  for (const name of npmPackages) {
+    await delay(RATE_LIMIT_MS);
+
+    const result = await checkNpmPackage(name);
+
+    if (result.exists === false) {
+      findings.push({
+        rule: 'hallucinated/npm-package-not-found',
+        severity: 'critical',
+        file: 'package.json',
+        line: null,
+        message: `Package "${name}" does not exist on npm. This is likely a hallucinated package name generated by AI. Installing it could pull in a malicious package if someone registers this name.`,
+        fix: `Remove "${name}" from package.json. Search npm for the correct package name. AI tools frequently invent plausible-sounding package names that don't exist.`,
+      });
+      continue;
+    }
+
+    if (result.exists === null) continue; // Network error, skip
+
+    // Check for very new + low download packages (potential typosquat)
+    if (result.created) {
+      const ageMs = Date.now() - result.created.getTime();
+      const ageDays = ageMs / (1000 * 60 * 60 * 24);
+      if (ageDays < 30) {
+        findings.push({
+          rule: 'hallucinated/npm-suspicious-new-package',
+          severity: 'high',
+          file: 'package.json',
+          line: null,
+          message: `Package "${name}" was created ${Math.floor(ageDays)} days ago. Very new packages may be typosquats or dependency confusion attacks targeting AI-generated code.`,
+          fix: `Verify "${name}" is the correct package. Check its npm page, GitHub repo, and download counts before using it.`,
+        });
+      }
+    }
+
+    // Typosquat check
+    const typosquatTarget = findTyposquatTarget(name, POPULAR_NPM);
+    if (typosquatTarget) {
+      findings.push({
+        rule: 'hallucinated/npm-potential-typosquat',
+        severity: 'high',
+        file: 'package.json',
+        line: null,
+        message: `Package "${name}" looks like a typosquat of popular package "${typosquatTarget}". AI tools frequently misspell package names.`,
+        fix: `Did you mean "${typosquatTarget}"? Verify the package name is correct.`,
+      });
+    }
+  }
+
+  // Check Python packages
+  for (const name of pyPackages) {
+    await delay(RATE_LIMIT_MS);
+
+    const result = await checkPypiPackage(name);
+
+    if (result.exists === false) {
+      findings.push({
+        rule: 'hallucinated/pypi-package-not-found',
+        severity: 'critical',
+        file: 'requirements.txt',
+        line: null,
+        message: `Package "${name}" does not exist on PyPI. This is likely a hallucinated package name generated by AI. A malicious actor could register this name and compromise your project.`,
+        fix: `Remove "${name}" from requirements.txt. Search PyPI for the correct package name.`,
+      });
+      continue;
+    }
+
+    if (result.exists === null) continue;
+
+    if (result.created) {
+      const ageMs = Date.now() - result.created.getTime();
+      const ageDays = ageMs / (1000 * 60 * 60 * 24);
+      if (ageDays < 30) {
+        findings.push({
+          rule: 'hallucinated/pypi-suspicious-new-package',
+          severity: 'high',
+          file: 'requirements.txt',
+          line: null,
+          message: `Package "${name}" was published ${Math.floor(ageDays)} days ago. Very new packages may be typosquats targeting AI-generated code.`,
+          fix: `Verify "${name}" is the correct package on PyPI before using it.`,
+        });
+      }
+    }
+
+    const typosquatTarget = findTyposquatTarget(name, POPULAR_PYPI);
+    if (typosquatTarget) {
+      findings.push({
+        rule: 'hallucinated/pypi-potential-typosquat',
+        severity: 'high',
+        file: 'requirements.txt',
+        line: null,
+        message: `Package "${name}" looks like a typosquat of popular package "${typosquatTarget}". AI tools frequently misspell package names.`,
+        fix: `Did you mean "${typosquatTarget}"? Verify the package name is correct.`,
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanHallucinatedPackages, editDistance, findTyposquatTarget };

package/src/scanners/nextjs.js

@@ -0,0 +1,139 @@
+const fs = require('fs');
+const path = require('path');
+
+function scanNextjs(ctx, dir) {
+  const { content, relativePath, ext, basename } = ctx;
+  const findings = [];
+  const lines = content.split('\n');
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+
+  if (!isJS) return findings;
+
+  const isClientComponent = content.includes("'use client'") || content.includes('"use client"');
+  const isServerAction = content.includes("'use server'") || content.includes('"use server"');
+  const isAppApiRoute = /app\/api\//.test(relativePath.replace(/\\/g, '/'));
+  const isNextConfig = basename === 'next.config.js' || basename === 'next.config.mjs' || basename === 'next.config.ts';
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNum = i + 1;
+    const trimmed = line.trim();
+
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // === API keys in "use client" components ===
+    if (isClientComponent) {
+      const secretPatterns = [
+        { pattern: /(?:api[_-]?key|secret[_-]?key|private[_-]?key|auth[_-]?token)\s*[:=]\s*['"`][a-zA-Z0-9_-]{10,}['"`]/i, what: 'API key' },
+        { pattern: /sk[_-](?:live|test)[_-][a-zA-Z0-9]+/, what: 'Stripe secret key' },
+        { pattern: /(?:SUPABASE_SERVICE_ROLE|supabaseServiceRole)/, what: 'Supabase service role key' },
+      ];
+      for (const { pattern, what } of secretPatterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: 'nextjs/secret-in-client-component',
+            severity: 'critical',
+            file: relativePath,
+            line: lineNum,
+            message: `${what} found in a "use client" component. Client components are sent to the browser — this secret is exposed to every user.`,
+            fix: 'Move secrets to server-side code (API routes, Server Components, or Server Actions). Use environment variables without the NEXT_PUBLIC_ prefix.',
+          });
+          break;
+        }
+      }
+    }
+
+    // === Server actions with no input validation ===
+    if (isServerAction) {
+      const fnMatch = line.match(/(?:async\s+function\s+(\w+)|(?:const|let)\s+(\w+)\s*=\s*async)/);
+      if (fnMatch) {
+        const fnName = fnMatch[1] || fnMatch[2];
+        const fnBody = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+        if (!/(?:zod|yup|joi|validate|parse|safeParse|schema\.|z\.|check|assert)/.test(fnBody) &&
+            /(formData|data|input|body|params|args)/.test(fnBody)) {
+          findings.push({
+            rule: 'nextjs/server-action-no-validation',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: `Server Action "${fnName || '(anonymous)'}" processes input with no validation. Server Actions are public HTTP endpoints — anyone can call them with arbitrary data.`,
+            fix: 'Validate all inputs with zod, yup, or manual validation. Server Actions are POST endpoints, not internal functions.',
+          });
+        }
+      }
+    }
+
+    // === publicRuntimeConfig exposing secrets ===
+    if (isNextConfig && /publicRuntimeConfig/.test(line)) {
+      const configBlock = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+      if (/(?:secret|key|token|password|private|auth|database|db_|api_key)/i.test(configBlock) &&
+          !/NEXT_PUBLIC_/.test(configBlock)) {
+        findings.push({
+          rule: 'nextjs/public-runtime-config-secrets',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'publicRuntimeConfig appears to expose secrets. publicRuntimeConfig is available in the browser — it\'s meant for public values only.',
+          fix: 'Move secrets to serverRuntimeConfig or environment variables (without NEXT_PUBLIC_ prefix). Only put truly public config in publicRuntimeConfig.',
+        });
+      }
+    }
+
+    // === API routes with no auth checks ===
+    if (isAppApiRoute) {
+      const handlerMatch = line.match(/export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)/);
+      if (handlerMatch) {
+        const handlerBody = lines.slice(i, Math.min(lines.length, i + 25)).join('\n');
+        if (!/(?:auth|session|getServerSession|getToken|verify|currentUser|requireAuth|getSession|cookies|getUser|clerk|lucia|supabase.*auth)/.test(handlerBody)) {
+          findings.push({
+            rule: 'nextjs/api-route-no-auth',
+            severity: 'medium',
+            file: relativePath,
+            line: lineNum,
+            message: `Next.js API route handler ${handlerMatch[1]} has no authentication check. This endpoint is publicly accessible.`,
+            fix: 'Add authentication: const session = await getServerSession(); if (!session) return NextResponse.json({error: "Unauthorized"}, {status: 401})',
+          });
+        }
+      }
+    }
+
+    // === NEXT_PUBLIC_ prefix for sensitive data ===
+    if (/NEXT_PUBLIC_(?:SECRET|PRIVATE|PASSWORD|AUTH|TOKEN|API_SECRET|SERVICE_ROLE|DATABASE|DB_|ADMIN|MASTER)/i.test(line)) {
+      findings.push({
+        rule: 'nextjs/sensitive-env-public',
+        severity: 'critical',
+        file: relativePath,
+        line: lineNum,
+        message: 'Sensitive environment variable exposed with NEXT_PUBLIC_ prefix. NEXT_PUBLIC_ variables are embedded in the client-side JavaScript bundle and visible to all users.',
+        fix: 'Remove the NEXT_PUBLIC_ prefix. Access this variable only in server-side code (API routes, getServerSideProps, Server Components).',
+      });
+    }
+  }
+
+  return findings;
+}
+
+function scanNextjsProject(dir) {
+  const findings = [];
+
+  // Check for missing middleware.ts/js
+  const middlewareFiles = ['middleware.ts', 'middleware.js', 'src/middleware.ts', 'src/middleware.js'];
+  const hasMiddleware = middlewareFiles.some(f => fs.existsSync(path.join(dir, f)));
+  const hasAppDir = fs.existsSync(path.join(dir, 'app')) || fs.existsSync(path.join(dir, 'src', 'app'));
+  const hasNextConfig = fs.existsSync(path.join(dir, 'next.config.js')) || fs.existsSync(path.join(dir, 'next.config.mjs')) || fs.existsSync(path.join(dir, 'next.config.ts'));
+
+  if (hasNextConfig && hasAppDir && !hasMiddleware) {
+    findings.push({
+      rule: 'nextjs/missing-middleware',
+      severity: 'medium',
+      file: 'middleware.ts',
+      line: null,
+      message: 'Next.js project has no middleware.ts/js. Without middleware, there\'s no centralized auth check — every route must handle its own auth.',
+      fix: 'Create middleware.ts in the project root to handle authentication. Use matcher config to protect /api and /dashboard routes.',
+    });
+  }
+
+  return findings;
+}
+
+module.exports = { scanNextjs, scanNextjsProject };

package/src/scanners/supabase.js

@@ -0,0 +1,102 @@
+function scanSupabase(ctx) {
+  const { content, relativePath, ext } = ctx;
+  const findings = [];
+  const lines = content.split('\n');
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+
+  if (!isJS) return findings;
+
+  // Check if file even uses Supabase
+  if (!/supabase|createClient|@supabase/.test(content)) return findings;
+
+  const isClientSide = /['"`]use client['"`]|components?\/|pages?\/|src\/app|\.jsx|\.tsx/.test(relativePath.replace(/\\/g, '/')) ||
+    content.includes("'use client'") || content.includes('"use client"');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNum = i + 1;
+    const trimmed = line.trim();
+
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // === Service role key exposed in client-side code ===
+    if (isClientSide) {
+      if (/(?:service_role|serviceRole|SERVICE_ROLE|SUPABASE_SERVICE_ROLE)/i.test(line) &&
+          /(?:key|token)/i.test(line)) {
+        findings.push({
+          rule: 'supabase/service-role-in-client',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'Supabase service role key used in client-side code. The service role key bypasses ALL Row Level Security — it grants full database access to anyone who finds it.',
+          fix: 'Never use the service role key in the browser. Use it only in server-side code (API routes, serverless functions). Client-side code should use the anon key with RLS enabled.',
+        });
+      }
+    }
+
+    // === .from('table').select('*') with no filter ===
+    if (/\.from\s*\(\s*['"`]\w+['"`]\s*\)\s*\.select\s*\(\s*['"`]\*['"`]\s*\)/.test(line)) {
+      const context = lines.slice(i, Math.min(lines.length, i + 5)).join(' ');
+      if (!/\.eq\s*\(|\.filter\s*\(|\.match\s*\(|\.in\s*\(|\.neq\s*\(|\.gt\s*\(|\.lt\s*\(|\.gte\s*\(|\.lte\s*\(|\.like\s*\(|\.ilike\s*\(|\.is\s*\(|\.single\s*\(|\.limit\s*\(|\.range\s*\(/.test(context)) {
+        findings.push({
+          rule: 'supabase/unfiltered-select',
+          severity: 'medium',
+          file: relativePath,
+          line: lineNum,
+          message: 'Selecting all rows from a Supabase table with no filter. Without RLS or a filter, this returns the entire table to the client, potentially exposing other users\' data.',
+          fix: 'Add a filter: .from("table").select("*").eq("user_id", userId). Better yet, ensure RLS policies restrict access.',
+        });
+      }
+    }
+
+    // === Anon key used without mention of RLS ===
+    if (/(?:anon|ANON|SUPABASE_ANON)/.test(line) && /(?:key|KEY)/.test(line)) {
+      // Check file and nearby for any mention of RLS
+      if (!/rls|row.level.security|policy|policies/i.test(content)) {
+        findings.push({
+          rule: 'supabase/anon-key-no-rls',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'Supabase anon key used with no mention of Row Level Security. The anon key is public — without RLS, anyone with the key can read and write all data.',
+          fix: 'Enable RLS on all tables in Supabase Dashboard. Create policies that restrict access based on auth.uid(). Test policies thoroughly.',
+        });
+      }
+    }
+
+    // === Public storage bucket patterns ===
+    if (/\.storage\s*\.from\s*\(/.test(line)) {
+      const context = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+      if (/(?:public|isPublic\s*:\s*true|public\s*:\s*true)/.test(context) &&
+          !/(?:policy|policies|rls|restrict|auth|signed)/.test(context)) {
+        findings.push({
+          rule: 'supabase/public-storage-no-policy',
+          severity: 'medium',
+          file: relativePath,
+          line: lineNum,
+          message: 'Supabase storage bucket configured as public with no access policies mentioned. Anyone can read all files in this bucket.',
+          fix: 'Add storage policies to restrict uploads and access. Use signed URLs for private content.',
+        });
+      }
+    }
+
+    // === Database functions with SECURITY DEFINER ===
+    if (/SECURITY\s+DEFINER/i.test(line)) {
+      const context = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 10)).join('\n');
+      if (!/(?:auth\.uid|current_user|session_user|check|verify|assert|raise)/.test(context)) {
+        findings.push({
+          rule: 'supabase/security-definer-no-checks',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'Database function uses SECURITY DEFINER without auth checks. SECURITY DEFINER functions run with the privileges of the function creator, bypassing RLS.',
+          fix: 'Add auth checks inside the function: IF auth.uid() IS NULL THEN RAISE EXCEPTION; Always validate the caller.',
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanSupabase };

package/src/scanners/vibe-patterns.js

@@ -0,0 +1,193 @@
+function scanVibePatterns(ctx) {
+  const { content, relativePath, ext } = ctx;
+  const findings = [];
+  const lines = content.split('\n');
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+  const isPy = ['.py', '.pyw'].includes(ext);
+  const isCode = isJS || isPy;
+
+  if (!isCode && !['.html', '.htm', '.vue', '.svelte'].includes(ext)) return findings;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNum = i + 1;
+    const trimmed = line.trim();
+
+    // === Security-critical TODO/FIXME comments ===
+    if (/\/\/|#|\/\*|\*/.test(trimmed.substring(0, 3)) || /^\s*(\/\/|#|\/\*|\*)/.test(line)) {
+      const securityTodoPatterns = [
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:add|implement|enable|set\s*up)\s+(?:auth|authentication|authorization)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:add|implement|enable)\s+(?:validation|input\s*valid|sanitiz)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:add|implement|enable)\s+(?:rate\s*limit|throttl)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:add|implement|enable)\s+(?:encryption|ssl|tls|https)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:add|implement|enable)\s+(?:csrf|xss|injection)\s*(?:protect|prevent|check)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:remove|replace)\s+(?:hardcoded|hard-coded)\s+(?:secret|key|password|token|credential)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:fix|add|implement)\s+(?:security|permissions|access\s*control)/i,
+        /(?:TODO|FIXME|HACK|XXX)\s*:?\s*.*(?:hash|encrypt)\s+(?:password|secret|token)/i,
+      ];
+      for (const pattern of securityTodoPatterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: 'vibe/security-todo-left-behind',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: `Security-critical TODO comment found: "${trimmed.substring(0, 100)}". AI tools leave these as placeholders but never come back to implement them.`,
+            fix: 'Implement the security feature described in this TODO now. Do not deploy with unimplemented security controls.',
+          });
+          break;
+        }
+      }
+    }
+
+    // === Placeholder/example data in non-test files ===
+    if (isCode && !/test|spec|fixture|mock|seed|sample|example|demo/i.test(relativePath)) {
+      const placeholderPatterns = [
+        { pattern: /['"`](?:test@test\.com|user@example\.com|admin@example\.com|email@example\.com|john@example\.com|jane@example\.com)['"`]/i, what: 'example email address' },
+        { pattern: /['"`]123-?456-?7890['"`]/, what: 'placeholder phone number' },
+        { pattern: /['"`](?:John\s+Doe|Jane\s+Doe|Test\s+User|Admin\s+User)['"`]/i, what: 'placeholder name' },
+        { pattern: /['"`](?:123\s+Main\s+St|456\s+Elm\s+St|123 Test)['"`]/i, what: 'placeholder address' },
+        { pattern: /['"`]password123['"`]|['"`]admin123['"`]|['"`]test123['"`]|['"`]changeme['"`]/i, what: 'placeholder password' },
+        { pattern: /['"`]sk[_-]test[_-][a-zA-Z0-9]+['"`]/, what: 'Stripe test key' },
+      ];
+      for (const { pattern, what } of placeholderPatterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: 'vibe/placeholder-data-in-code',
+            severity: 'medium',
+            file: relativePath,
+            line: lineNum,
+            message: `Found ${what} in production code: "${trimmed.substring(0, 80)}". AI tools generate example data that gets shipped to production.`,
+            fix: 'Replace placeholder data with real values or environment variables. Never ship example data to production.',
+          });
+          break;
+        }
+      }
+    }
+
+    // === Console.log leaking sensitive data ===
+    if (isJS) {
+      const sensitiveLogPattern = /console\.(log|info|debug|warn)\s*\(\s*.*(password|passwd|secret|token|apiKey|api_key|authorization|credit.?card|ssn|private.?key|session.?id)/i;
+      if (sensitiveLogPattern.test(line) && !/\/\//.test(line.split('console')[0])) {
+        findings.push({
+          rule: 'vibe/sensitive-data-in-log',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'Console.log statement may leak sensitive data (passwords, tokens, keys). AI tools add these for debugging and never remove them.',
+          fix: 'Remove console.log statements that output sensitive data. Use a proper logging library with sensitive field redaction.',
+        });
+      }
+    }
+    if (isPy) {
+      const pyLogPattern = /(?:print|logging\.\w+)\s*\(.*(?:password|passwd|secret|token|api_key|authorization|private_key|session_id)/i;
+      if (pyLogPattern.test(line) && !trimmed.startsWith('#')) {
+        findings.push({
+          rule: 'vibe/sensitive-data-in-log',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'Print/logging statement may leak sensitive data. AI tools add these for debugging and never remove them.',
+          fix: 'Remove print statements that output sensitive data. Use a proper logging library with sensitive field redaction.',
+        });
+      }
+    }
+
+    // === Commented-out security code ===
+    if (isJS && /^\s*\/\//.test(line)) {
+      const commentBody = trimmed.replace(/^\/\/+\s*/, '');
+      const commentedSecurityPatterns = [
+        /(?:requireAuth|isAuthenticated|checkAuth|verifyToken|authenticate|authorize)\s*\(/,
+        /(?:validate|sanitize|escape|purify)\s*\(/,
+        /(?:rateLimit|rateLimiter|throttle)\s*\(/,
+        /helmet\s*\(/,
+        /csrf|xss|cors/i,
+        /\.verify\s*\(/,
+      ];
+      for (const pattern of commentedSecurityPatterns) {
+        if (pattern.test(commentBody)) {
+          findings.push({
+            rule: 'vibe/commented-out-security',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: `Security code appears to be commented out: "${trimmed.substring(0, 80)}". AI tools sometimes comment out security checks while debugging and never re-enable them.`,
+            fix: 'Uncomment this security code. If it was intentionally disabled, add a comment explaining why and what alternative protection is in place.',
+          });
+          break;
+        }
+      }
+    }
+
+    // === AI-generated boilerplate comments ===
+    if (/(?:Generated by|Created with|Auto-generated by|Built by|Scaffolded by|Made with)\s+(?:Cursor|Copilot|ChatGPT|GPT-4|Claude|Windsurf|Bolt|Lovable|v0|AI|GitHub Copilot|OpenAI|Anthropic)/i.test(line) ||
+        /Copilot suggestion|AI-generated|AI generated/i.test(line)) {
+      findings.push({
+        rule: 'vibe/ai-generated-marker',
+        severity: 'low',
+        file: relativePath,
+        line: lineNum,
+        message: 'AI-generated code marker found. This code may not have been reviewed by a human. AI-generated code frequently contains security issues.',
+        fix: 'Review this file for security issues. Remove the AI marker comment after a thorough review.',
+      });
+    }
+
+    // === Error responses that leak stack traces ===
+    if (isJS) {
+      const stackLeakPatterns = [
+        /res\.\w*\(.*err\.stack/,
+        /res\.(?:send|json|write)\s*\(\s*err\s*\)/,
+        /res\.status\s*\(\s*500\s*\)\.(?:send|json)\s*\(\s*\{\s*(?:error|message)\s*:\s*err/,
+        /res\.status\s*\(\s*500\s*\)\.send\s*\(\s*err\.(?:message|stack|toString)/,
+        /next\s*\(\s*err\s*\).*(?!production)/,
+      ];
+      for (const pattern of stackLeakPatterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: 'vibe/error-stack-leak',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'Error response sends raw error/stack trace to client. This leaks internal paths, library versions, and server architecture to attackers.',
+            fix: 'Return a generic error message to clients. Log the full error server-side: res.status(500).json({ error: "Internal server error" })',
+          });
+          break;
+        }
+      }
+    }
+
+    // === Silent error swallowing ===
+    if (isJS) {
+      if (/catch\s*\(\s*\w*\s*\)\s*\{\s*\}/.test(line)) {
+        findings.push({
+          rule: 'vibe/silent-error-swallow',
+          severity: 'medium',
+          file: relativePath,
+          line: lineNum,
+          message: 'Empty catch block silently swallows errors. Security-critical failures (auth, validation, encryption) will fail silently, leaving the app in an insecure state.',
+          fix: 'At minimum, log the error. For security-critical code, re-throw or handle the error explicitly.',
+        });
+      } else if (/catch\s*\(\s*(\w+)\s*\)\s*\{/.test(line)) {
+        // Check if the catch body is just console.log
+        const catchVar = line.match(/catch\s*\(\s*(\w+)\s*\)\s*\{/);
+        if (catchVar) {
+          const nextLines = lines.slice(i + 1, Math.min(lines.length, i + 4)).join(' ').trim();
+          if (/^\s*console\.\w+\s*\(\s*\w+\s*\)\s*;?\s*\}/.test(nextLines)) {
+            findings.push({
+              rule: 'vibe/silent-error-swallow',
+              severity: 'medium',
+              file: relativePath,
+              line: lineNum,
+              message: 'Catch block only logs the error without any handling. Security failures will be logged but ignored, leaving the app vulnerable.',
+              fix: 'Add proper error handling: retry, return an error response, or re-throw. Just logging is not handling.',
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanVibePatterns };