verification-layer 0.20.0 → 0.22.0

package/dist/scanners/hipaa2026/patterns.js

@@ -0,0 +1,268 @@
+/**
+ * HIPAA 2026 Security Rule Detection Patterns
+ * Covers 15 technical requirements (all now "required" instead of "addressable")
+ * Expected enforcement: May 2026
+ */
+/**
+ * HIPAA-MFA-001: Multi-Factor Authentication Enforcement
+ */
+export const MFA_PATTERNS = {
+    id: 'HIPAA-MFA-001',
+    name: 'Missing Multi-Factor Authentication for PHI Access',
+    description: 'Endpoints accessing PHI must enforce MFA. All auth configs must require multi-factor authentication.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(i) - Access Control (Required)',
+    patterns: [
+        // Login/auth without MFA
+        /(?:login|authenticate|signin|auth).*?(?:patient|phi|medical|health)(?!.*?(?:mfa|multi.?factor|2fa|totp|authenticator))/i,
+        // Auth configs without MFA
+        /(?:passport|auth0|okta|cognito)\.(?:use|configure).*?(?!.*?(?:mfa|multiFactor|requireMFA))/i,
+        // Admin endpoints without MFA
+        /\/admin.*?(?:patient|medical|phi)(?!.*?(?:mfa|2fa))/i,
+        // Session creation without MFA
+        /createSession.*?(?:user|admin)(?!.*?mfaVerified)/i,
+        // JWT without MFA claim
+        /jwt\.sign\(.*?(?:patient|phi)(?!.*?mfaVerified)/i,
+    ],
+    negativePatterns: [
+        /requireMFA:\s*true/i,
+        /mfaVerified/i,
+        /authenticator\.verify/i,
+        /totp\.validate/i,
+    ],
+    autoFix: 'Add MFA enforcement: requireMFA: true, verify TOTP/authenticator before granting access',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-ENC-REST-001: Encryption at Rest
+ */
+export const ENCRYPTION_AT_REST_PATTERNS = {
+    id: 'HIPAA-ENC-REST-001',
+    name: 'ePHI Stored Without Encryption at Rest',
+    description: 'All ePHI must be encrypted at rest using AES-256 or stronger.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(iv) - Encryption (Required)',
+    patterns: [
+        // Database without encryption
+        /(?:mongoose|sequelize|typeorm|prisma)\.(?:connect|createConnection).*?(?!.*?(?:encrypt|ssl|tls))/i,
+        // File storage without encryption
+        /(?:fs\.writeFile|writeFileSync|s3\.putObject).*?(?:patient|phi|medical)(?!.*?(?:encrypt|cipher))/i,
+        // LocalStorage with PHI
+        /localStorage\.setItem.*?(?:patient|ssn|mrn|phi)/i,
+        // Cookie with PHI unencrypted
+        /(?:res\.cookie|setCookie).*?(?:patient|phi|medical)(?!.*?(?:encrypt|secure|httpOnly))/i,
+        // MongoDB without encryption
+        /MongoClient\.connect.*?(?!.*?(?:ssl|tls|encryption))/i,
+        // PostgreSQL without encryption
+        /(?:pg|postgres)\.(?:connect|Pool).*?(?!.*?ssl)/i,
+    ],
+    negativePatterns: [
+        /encrypt:\s*true/i,
+        /ssl:\s*true/i,
+        /cipher\./i,
+        /aes-256/i,
+    ],
+    autoFix: 'Enable encryption at rest: Set encrypt: true in DB config, use crypto.cipher for file storage',
+    confidence: 'high',
+    category: 'encryption',
+};
+/**
+ * HIPAA-SESSION-001: Automatic Session Timeout
+ */
+export const SESSION_TIMEOUT_PATTERNS = {
+    id: 'HIPAA-SESSION-001',
+    name: 'Missing Automatic Session Timeout',
+    description: 'PHI access sessions must auto-expire within 15 minutes of inactivity.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(a)(2)(iii) - Session Control (Required)',
+    patterns: [
+        // Session config without expiration
+        /(?:express-session|session)\.(?:configure|use)(?!.*?(?:maxAge|expires|timeout))/i,
+        // Session with timeout > 15 min (900000 ms)
+        /maxAge:\s*(?:9[0-9]{5}[0-9]+|[1-9][0-9]{6,})/i,
+        // JWT without expiration
+        /jwt\.sign\([^)]*(?!.*?expiresIn)/i,
+        // Cookie session without expiration
+        /cookie-session.*?(?!.*?maxAge)/i,
+        // Missing idle timeout
+        /session.*?(?!.*?(?:idle|inactivity).*?timeout)/i,
+    ],
+    negativePatterns: [
+        /maxAge:\s*[1-8][0-9]{5}/i, // <= 900000 (15 min)
+        /expiresIn:\s*['"](?:1[0-5]m|[1-9]m)['"]/i,
+        /idleTimeout/i,
+    ],
+    autoFix: 'Set session timeout: maxAge: 900000 (15 min), implement idle timeout detector',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-REVOKE-001: Immediate Access Revocation
+ */
+export const ACCESS_REVOCATION_PATTERNS = {
+    id: 'HIPAA-REVOKE-001',
+    name: 'Missing Immediate Access Revocation',
+    description: 'User deactivation must immediately invalidate all sessions and tokens.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.308(a)(3)(ii)(C) - Termination Procedures (Required)',
+    patterns: [
+        // Deactivate user without token revocation
+        /(?:deactivate|disable|remove)User(?!.*?(?:revoke|invalidate|blacklist).*?(?:token|session))/i,
+        // Delete user without session cleanup
+        /(?:deleteUser|removeUser).*?(?!.*?(?:logout|invalidate|clearSessions))/i,
+        // Missing token blacklist
+        /(?:user|admin).*?(?:deactivat|terminat).*?(?!.*?blacklist)/i,
+        // Role change without re-auth
+        /(?:updateRole|changePermissions)(?!.*?(?:logout|reauth|invalidate))/i,
+    ],
+    negativePatterns: [
+        /revokeAllTokens/i,
+        /invalidateAllSessions/i,
+        /tokenBlacklist\.add/i,
+        /clearUserSessions/i,
+    ],
+    autoFix: 'Add token revocation: Call revokeAllTokens() and invalidateAllSessions() on user deactivation',
+    confidence: 'medium',
+    category: 'access-control',
+};
+/**
+ * HIPAA-BREACH-001: 24-Hour Breach Notification
+ */
+export const BREACH_NOTIFICATION_PATTERNS = {
+    id: 'HIPAA-BREACH-001',
+    name: 'Missing Breach Notification Mechanism',
+    description: 'Must have automated breach detection and notification within 24 hours.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.308(a)(6)(ii) - Security Incident Procedures (Required)',
+    patterns: [
+        // Security errors without breach handler
+        /catch\s*\(.*?error.*?\).*?(?:security|unauthorized|breach)(?!.*?(?:notifyBreach|incidentResponse|alertSecurity))/i,
+        // Failed login attempts without monitoring
+        /(?:failed|invalid).*?(?:login|auth)(?!.*?(?:monitor|alert|notify))/i,
+        // Data access anomaly without alert
+        /(?:unusual|suspicious).*?access(?!.*?(?:alert|notify|incident))/i,
+    ],
+    negativePatterns: [
+        /breachNotification\./i,
+        /incidentResponse\.trigger/i,
+        /securityAlert\.send/i,
+        /notifyBreach/i,
+    ],
+    autoFix: 'Implement breach notification: Create incident response handler, set up 24h alert system',
+    confidence: 'medium',
+    category: 'audit-logging',
+};
+/**
+ * HIPAA-SEGMENT-001: Network Segmentation
+ */
+export const NETWORK_SEGMENTATION_PATTERNS = {
+    id: 'HIPAA-SEGMENT-001',
+    name: 'Missing Network Segmentation for PHI',
+    description: 'PHI services must be network-segmented with restricted CORS and firewall rules.',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(e)(1) - Transmission Security (Required)',
+    patterns: [
+        // CORS allowing all origins for PHI
+        /cors\(\{?\s*origin:\s*['"]?\*['"]?.*?(?:patient|phi|medical)/i,
+        // PHI API without network restrictions
+        /\/api.*?(?:patient|phi|medical)(?!.*?(?:firewall|vpc|subnet|private))/i,
+        // Internal PHI service publicly accessible
+        /(?:express|fastify|koa)\.listen.*?(?:patient|phi)(?!.*?(?:localhost|127\.0\.0\.1|private))/i,
+        // Missing VPC/subnet config
+        /(?:database|storage).*?(?:patient|phi)(?!.*?(?:vpc|subnet|securityGroup))/i,
+    ],
+    negativePatterns: [
+        /origin:\s*\[.*?\]/i, // Whitelist
+        /private.*?subnet/i,
+        /securityGroup/i,
+        /firewall.*?rules/i,
+    ],
+    autoFix: 'Implement network segmentation: Use VPC/subnet isolation, restrict CORS to whitelisted origins',
+    confidence: 'high',
+    category: 'access-control',
+};
+/**
+ * HIPAA-ASSET-001: Technology Asset Inventory
+ * Special pattern - triggers asset inventory generation
+ */
+export const ASSET_INVENTORY_PATTERNS = {
+    id: 'HIPAA-ASSET-001',
+    name: 'Generate ePHI Technology Asset Inventory',
+    description: 'Automatic inventory of all systems processing, storing, or transmitting ePHI.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)',
+    patterns: [
+        // Databases
+        /(?:mongoose|sequelize|prisma|typeorm|knex)\.(?:connect|model)/i,
+        // Storage services
+        /(?:s3|azure\.storage|gcs)\./i,
+        // Third-party integrations
+        /(?:stripe|twilio|sendgrid|mailgun)\.(?:api|client)/i,
+        // APIs
+        /(?:axios|fetch|got|request)\./i,
+    ],
+    autoFix: 'Asset inventory will be generated automatically in scan report',
+    confidence: 'high',
+    category: 'data-retention',
+};
+/**
+ * HIPAA-FLOW-001: ePHI Flow Mapping
+ * Special pattern - triggers flow map generation
+ */
+export const PHI_FLOW_MAPPING_PATTERNS = {
+    id: 'HIPAA-FLOW-001',
+    name: 'Generate ePHI Flow Map',
+    description: 'Automatic mapping of PHI data flow through system (input → processing → storage → output).',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)',
+    patterns: [
+        // Input points
+        /(?:req\.body|req\.params|req\.query).*?(?:patient|phi|medical)/i,
+        // Processing
+        /(?:process|transform|validate).*?(?:patient|phi)/i,
+        // Storage
+        /(?:save|insert|update).*?(?:patient|phi)/i,
+        // Output
+        /(?:res\.(?:send|json)|return).*?(?:patient|phi)/i,
+    ],
+    autoFix: 'PHI flow map will be generated automatically in scan report',
+    confidence: 'high',
+    category: 'data-retention',
+};
+/**
+ * HIPAA-PENTEST-001: Vulnerability Scanning Configuration
+ */
+export const VULNERABILITY_SCANNING_PATTERNS = {
+    id: 'HIPAA-PENTEST-001',
+    name: 'Missing Vulnerability Scanning Configuration',
+    description: 'Must have automated vulnerability scanning (Dependabot, Snyk, Trivy) in CI/CD.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.308(a)(8) - Evaluation (Required)',
+    patterns: [
+        // Missing security scanning configs
+        /package\.json(?!.*?(?:snyk|audit|vulnerability))/i,
+    ],
+    negativePatterns: [
+        /dependabot\.yml/i,
+        /snyk\.yml/i,
+        /trivy/i,
+        /npm audit/i,
+        /security.*?scan/i,
+    ],
+    autoFix: 'Add vulnerability scanning: Enable Dependabot, add Snyk/Trivy to CI/CD pipeline',
+    confidence: 'medium',
+    category: 'audit-logging',
+};
+export const ALL_HIPAA_2026_PATTERNS = [
+    MFA_PATTERNS,
+    ENCRYPTION_AT_REST_PATTERNS,
+    SESSION_TIMEOUT_PATTERNS,
+    ACCESS_REVOCATION_PATTERNS,
+    BREACH_NOTIFICATION_PATTERNS,
+    NETWORK_SEGMENTATION_PATTERNS,
+    ASSET_INVENTORY_PATTERNS,
+    PHI_FLOW_MAPPING_PATTERNS,
+    VULNERABILITY_SCANNING_PATTERNS,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/hipaa2026/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/hipaa2026/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAqB;IAC5C,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,oDAAoD;IAC1D,WAAW,EAAE,sGAAsG;IACnH,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,sDAAsD;IACtE,QAAQ,EAAE;QACR,yBAAyB;QACzB,yHAAyH;QACzH,2BAA2B;QAC3B,6FAA6F;QAC7F,8BAA8B;QAC9B,sDAAsD;QACtD,+BAA+B;QAC/B,mDAAmD;QACnD,wBAAwB;QACxB,kDAAkD;KACnD;IACD,gBAAgB,EAAE;QAChB,qBAAqB;QACrB,cAAc;QACd,wBAAwB;QACxB,iBAAiB;KAClB;IACD,OAAO,EAAE,yFAAyF;IAClG,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAqB;IAC3D,EAAE,EAAE,oBAAoB;IACxB,IAAI,EAAE,wCAAwC;IAC9C,WAAW,EAAE,+DAA+D;IAC5E,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,mDAAmD;IACnE,QAAQ,EAAE;QACR,8BAA8B;QAC9B,mGAAmG;QACnG,kCAAkC;QAClC,mGAAmG;QACnG,wBAAwB;QACxB,kDAAkD;QAClD,8BAA8B;QAC9B,wFAAwF;QACxF,6BAA6B;QAC7B,uDAAuD;QACvD,gCAAgC;QAChC,iDAAiD;KAClD;IACD,gBAAgB,EAAE;QAChB,kBAAkB;QAClB,cAAc;QACd,WAAW;QACX,UAAU;KACX;IACD,OAAO,EAAE,+FAA+F;IACxG,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,YAAY;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAqB;IACxD,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,mCAAmC;IACzC,WAAW,EAAE,uEAAuE;IACpF,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,yDAAyD;IACzE,QAAQ,EAAE;QACR,oCAAoC;QACpC,kFAAkF;QAClF,4CAA4C;QAC5C,+CAA+C;QAC/C,yBAAyB;QACzB,mCAAmC;QACnC,oCAAoC;QACpC,iCAAiC;QACjC,uBAAuB;QACvB,iDAAiD;KAClD;IACD,gBAAgB,EAAE;QAChB,0BAA0B,EAAE,qBAAqB;QACjD,0CAA0C;QAC1C,cAAc;KACf;IACD,OAAO,EAAE,+EAA+E;IACxF,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqB;IAC1D,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,qCAAqC;IAC3C,WAAW,EAAE,wEAAwE;IACrF,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,kEAAkE;IAClF,QAAQ,EAAE;QACR,2CAA2C;QAC3C,8FAA8F;QAC9F,sCAAsC;QACtC,yEAAyE;QACzE,0BAA0B;QAC1B,6DAA6D;QAC7D,8BAA8B;QAC9B,sEAAsE;KACvE;IACD,gBAAgB,EAAE;QAChB,kBAAkB;QAClB,wBAAwB;QACxB,sBAAsB;QACtB,oBAAoB;KACrB;IACD,OAAO,EAAE,+FAA+F;IACxG,UAAU,EAAE,QAAQ;IACpB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAqB;IAC5D,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,uCAAuC;IAC7C,WAAW,EAAE,wEAAwE;IACrF,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,qEAAqE;IACrF,QAAQ,EAAE;QACR,yCAAyC;QACzC,mHAAmH;QACnH,2CAA2C;QAC3C,qEAAqE;QACrE,oCAAoC;QACpC,kEAAkE;KACnE;IACD,gBAAgB,EAAE;QAChB,uBAAuB;QACvB,4BAA4B;QAC5B,sBAAsB;QACtB,eAAe;KAChB;IACD,OAAO,EAAE,0FAA0F;IACnG,UAAU,EAAE,QAAQ;IACpB,QAAQ,EAAE,eAAe;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAqB;IAC7D,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,sCAAsC;IAC5C,WAAW,EAAE,iFAAiF;IAC9F,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,0DAA0D;IAC1E,QAAQ,EAAE;QACR,oCAAoC;QACpC,+DAA+D;QAC/D,uCAAuC;QACvC,wEAAwE;QACxE,2CAA2C;QAC3C,6FAA6F;QAC7F,4BAA4B;QAC5B,4EAA4E;KAC7E;IACD,gBAAgB,EAAE;QAChB,oBAAoB,EAAE,YAAY;QAClC,mBAAmB;QACnB,gBAAgB;QAChB,mBAAmB;KACpB;IACD,OAAO,EAAE,gGAAgG;IACzG,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAqB;IACxD,EAAE,EAAE,iBAAiB;IACrB,IAAI,EAAE,0CAA0C;IAChD,WAAW,EAAE,+EAA+E;IAC5F,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,yDAAyD;IACzE,QAAQ,EAAE;QACR,YAAY;QACZ,gEAAgE;QAChE,mBAAmB;QACnB,8BAA8B;QAC9B,2BAA2B;QAC3B,qDAAqD;QACrD,OAAO;QACP,gCAAgC;KACjC;IACD,OAAO,EAAE,gEAAgE;IACzE,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAqB;IACzD,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EAAE,4FAA4F;IACzG,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,yDAAyD;IACzE,QAAQ,EAAE;QACR,eAAe;QACf,iEAAiE;QACjE,aAAa;QACb,mDAAmD;QACnD,UAAU;QACV,2CAA2C;QAC3C,SAAS;QACT,kDAAkD;KACnD;IACD,OAAO,EAAE,6DAA6D;IACtE,UAAU,EAAE,MAAM;IAClB,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAqB;IAC/D,EAAE,EAAE,mBAAmB;IACvB,IAAI,EAAE,8CAA8C;IACpD,WAAW,EAAE,gFAAgF;IAC7F,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,+CAA+C;IAC/D,QAAQ,EAAE;QACR,oCAAoC;QACpC,mDAAmD;KACpD;IACD,gBAAgB,EAAE;QAChB,kBAAkB;QAClB,YAAY;QACZ,QAAQ;QACR,YAAY;QACZ,kBAAkB;KACnB;IACD,OAAO,EAAE,iFAAiF;IAC1F,UAAU,EAAE,QAAQ;IACpB,QAAQ,EAAE,eAAe;CAC1B,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,YAAY;IACZ,2BAA2B;IAC3B,wBAAwB;IACxB,0BAA0B;IAC1B,4BAA4B;IAC5B,6BAA6B;IAC7B,wBAAwB;IACxB,yBAAyB;IACzB,+BAA+B;CAChC,CAAC"}

package/dist/scanners/operational/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Operational Security Scanner
+ * Detects database backup, data retention, and API security issues
+ */
+import type { Scanner } from '../../types.js';
+export declare const operationalScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/operational/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/operational/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAIpE,eAAO,MAAM,kBAAkB,EAAE,OA8GhC,CAAC"}

package/dist/scanners/operational/index.js

@@ -0,0 +1,171 @@
+/**
+ * Operational Security Scanner
+ * Detects database backup, data retention, and API security issues
+ */
+import { ALL_OPERATIONAL_PATTERNS, DATABASE_WITHOUT_BACKUP } from './patterns.js';
+import * as fs from 'fs/promises';
+export const operationalScanner = {
+    name: 'Operational Security Scanner',
+    category: 'data-retention',
+    async scan(files, options) {
+        const findings = [];
+        // Handle BACKUP-001 separately (requires project-wide scan)
+        const backupFinding = await scanForBackupConfiguration(files);
+        if (backupFinding) {
+            findings.push(backupFinding);
+        }
+        // Handle other patterns with line-by-line scanning
+        for (const file of files) {
+            // Skip non-code files
+            if (!file.match(/\.(ts|tsx|js|jsx|mjs|cjs)$/)) {
+                continue;
+            }
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                for (const pattern of ALL_OPERATIONAL_PATTERNS) {
+                    // Skip BACKUP-001 (already handled)
+                    if (pattern.id === 'BACKUP-001') {
+                        continue;
+                    }
+                    for (let i = 0; i < lines.length; i++) {
+                        const line = lines[i];
+                        // Skip comment lines
+                        const trimmedLine = line.trim();
+                        if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || trimmedLine.startsWith('*')) {
+                            continue;
+                        }
+                        // Check if line matches any positive pattern
+                        const matched = pattern.patterns.some(p => p.test(line));
+                        if (!matched)
+                            continue;
+                        // Get context for negative pattern checking
+                        let contextLines;
+                        if (pattern.id === 'RETENTION-001') {
+                            // Check 15 lines of context for retention fields (larger object definition)
+                            const start = Math.max(0, i - 5);
+                            const end = Math.min(lines.length, i + 10);
+                            contextLines = lines.slice(start, end);
+                        }
+                        else if (pattern.id === 'API-002') {
+                            // Check 5 lines of context for limit configuration
+                            const start = Math.max(0, i - 2);
+                            const end = Math.min(lines.length, i + 3);
+                            contextLines = lines.slice(start, end);
+                        }
+                        else {
+                            contextLines = [line];
+                        }
+                        const context = contextLines.join('\n');
+                        // Filter out comments from context
+                        const contextWithoutComments = context
+                            .split('\n')
+                            .filter(l => {
+                            const t = l.trim();
+                            return !t.startsWith('//') && !t.startsWith('/*') && !t.startsWith('*');
+                        })
+                            .join('\n');
+                        // Check negative patterns
+                        if (pattern.negativePatterns) {
+                            const hasNegativeMatch = pattern.negativePatterns.some(np => np.test(contextWithoutComments));
+                            if (hasNegativeMatch) {
+                                continue;
+                            }
+                        }
+                        // Determine category based on pattern
+                        let category = 'data-retention';
+                        if (pattern.id === 'API-002') {
+                            category = 'access-control';
+                        }
+                        findings.push({
+                            id: pattern.id,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            severity: pattern.severity,
+                            category: category,
+                            file,
+                            line: i + 1,
+                            column: line.indexOf(line.trim()) + 1,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'medium',
+                        });
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+                continue;
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * Scan entire project for database usage and backup configuration
+ * Returns a finding if database is used but no backup configuration is found
+ */
+async function scanForBackupConfiguration(files) {
+    let hasDatabaseUsage = false;
+    let hasBackupConfig = false;
+    let firstDbFile = null;
+    let firstDbLine = 0;
+    let firstDbCode = '';
+    // Scan all files to detect database usage and backup configuration
+    for (const file of files) {
+        if (!file.match(/\.(ts|tsx|js|jsx|mjs|cjs|json|yml|yaml)$/)) {
+            continue;
+        }
+        try {
+            const content = await fs.readFile(file, 'utf-8');
+            const lines = content.split('\n');
+            // Check for database usage
+            if (!hasDatabaseUsage) {
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    const matched = DATABASE_WITHOUT_BACKUP.patterns.some(p => p.test(line));
+                    if (matched) {
+                        hasDatabaseUsage = true;
+                        if (!firstDbFile) {
+                            firstDbFile = file;
+                            firstDbLine = i + 1;
+                            firstDbCode = line.trim();
+                        }
+                    }
+                }
+            }
+            // Check for backup configuration (negative patterns)
+            if (!hasBackupConfig && DATABASE_WITHOUT_BACKUP.negativePatterns) {
+                const hasBackup = DATABASE_WITHOUT_BACKUP.negativePatterns.some(np => np.test(content));
+                if (hasBackup) {
+                    hasBackupConfig = true;
+                }
+            }
+            // If we found both, we can stop early
+            if (hasDatabaseUsage && hasBackupConfig) {
+                break;
+            }
+        }
+        catch (error) {
+            // Skip files that can't be read
+            continue;
+        }
+    }
+    // If database is used but no backup config found, create a finding
+    if (hasDatabaseUsage && !hasBackupConfig && firstDbFile) {
+        return {
+            id: DATABASE_WITHOUT_BACKUP.id,
+            title: DATABASE_WITHOUT_BACKUP.name,
+            description: `${DATABASE_WITHOUT_BACKUP.description}\n\nCode: ${firstDbCode}`,
+            severity: DATABASE_WITHOUT_BACKUP.severity,
+            category: 'data-retention',
+            file: firstDbFile,
+            line: firstDbLine,
+            recommendation: DATABASE_WITHOUT_BACKUP.recommendation,
+            hipaaReference: DATABASE_WITHOUT_BACKUP.hipaaReference,
+            confidence: 'low', // Low confidence since this is advisory
+        };
+    }
+    return null;
+}
+//# sourceMappingURL=index.js.map

package/dist/scanners/operational/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/operational/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAClF,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAY;IACzC,IAAI,EAAE,8BAA8B;IACpC,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,4DAA4D;QAC5D,MAAM,aAAa,GAAG,MAAM,0BAA0B,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,aAAa,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/B,CAAC;QAED,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,sBAAsB;YACtB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,EAAE,CAAC;gBAC9C,SAAS;YACX,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,MAAM,OAAO,IAAI,wBAAwB,EAAE,CAAC;oBAC/C,oCAAoC;oBACpC,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,EAAE,CAAC;wBAChC,SAAS;oBACX,CAAC;oBAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBAEtB,qBAAqB;wBACrB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;wBAChC,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;4BAChG,SAAS;wBACX,CAAC;wBAED,6CAA6C;wBAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBACzD,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,4CAA4C;wBAC5C,IAAI,YAAsB,CAAC;wBAE3B,IAAI,OAAO,CAAC,EAAE,KAAK,eAAe,EAAE,CAAC;4BACnC,4EAA4E;4BAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;4BACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;4BAC3C,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;wBACzC,CAAC;6BAAM,IAAI,OAAO,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;4BACpC,mDAAmD;4BACnD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;4BACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;4BAC1C,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;wBACzC,CAAC;6BAAM,CAAC;4BACN,YAAY,GAAG,CAAC,IAAI,CAAC,CAAC;wBACxB,CAAC;wBAED,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAExC,mCAAmC;wBACnC,MAAM,sBAAsB,GAAG,OAAO;6BACnC,KAAK,CAAC,IAAI,CAAC;6BACX,MAAM,CAAC,CAAC,CAAC,EAAE;4BACV,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;4BACnB,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;wBAC1E,CAAC,CAAC;6BACD,IAAI,CAAC,IAAI,CAAC,CAAC;wBAEd,0BAA0B;wBAC1B,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;4BAC7B,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAC1D,EAAE,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAChC,CAAC;4BACF,IAAI,gBAAgB,EAAE,CAAC;gCACrB,SAAS;4BACX,CAAC;wBACH,CAAC;wBAED,sCAAsC;wBACtC,IAAI,QAAQ,GAAwC,gBAAgB,CAAC;wBACrE,IAAI,OAAO,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;4BAC7B,QAAQ,GAAG,gBAAgB,CAAC;wBAC9B,CAAC;wBAED,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,QAAQ,EAAE,QAAQ;4BAClB,IAAI;4BACJ,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC;4BACrC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,QAAQ;yBACrB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;gBAChC,SAAS;YACX,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;;GAGG;AACH,KAAK,UAAU,0BAA0B,CAAC,KAAe;IACvD,IAAI,gBAAgB,GAAG,KAAK,CAAC;IAC7B,IAAI,eAAe,GAAG,KAAK,CAAC;IAC5B,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,EAAE,CAAC;IAErB,mEAAmE;IACnE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,0CAA0C,CAAC,EAAE,CAAC;YAC5D,SAAS;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,2BAA2B;YAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,OAAO,GAAG,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;oBACzE,IAAI,OAAO,EAAE,CAAC;wBACZ,gBAAgB,GAAG,IAAI,CAAC;wBACxB,IAAI,CAAC,WAAW,EAAE,CAAC;4BACjB,WAAW,GAAG,IAAI,CAAC;4BACnB,WAAW,GAAG,CAAC,GAAG,CAAC,CAAC;4BACpB,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,qDAAqD;YACrD,IAAI,CAAC,eAAe,IAAI,uBAAuB,CAAC,gBAAgB,EAAE,CAAC;gBACjE,MAAM,SAAS,GAAG,uBAAuB,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CACnE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CACjB,CAAC;gBACF,IAAI,SAAS,EAAE,CAAC;oBACd,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,IAAI,gBAAgB,IAAI,eAAe,EAAE,CAAC;gBACxC,MAAM;YACR,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gCAAgC;YAChC,SAAS;QACX,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,IAAI,gBAAgB,IAAI,CAAC,eAAe,IAAI,WAAW,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,uBAAuB,CAAC,EAAE;YAC9B,KAAK,EAAE,uBAAuB,CAAC,IAAI;YACnC,WAAW,EAAE,GAAG,uBAAuB,CAAC,WAAW,aAAa,WAAW,EAAE;YAC7E,QAAQ,EAAE,uBAAuB,CAAC,QAAQ;YAC1C,QAAQ,EAAE,gBAAgB;YAC1B,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,WAAW;YACjB,cAAc,EAAE,uBAAuB,CAAC,cAAc;YACtD,cAAc,EAAE,uBAAuB,CAAC,cAAc;YACtD,UAAU,EAAE,KAAK,EAAE,wCAAwC;SAC5D,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/scanners/operational/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Operational Security Scanner Tests
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/operational/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/operational/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}