verification-layer 0.20.0 → 0.22.0

package/dist/scanners/rbac/index.js

@@ -0,0 +1,145 @@
+/**
+ * Role-Based Access Control (RBAC) Scanner
+ * Detects missing authorization checks and HIPAA minimum necessary violations
+ */
+import * as fs from 'fs/promises';
+import { ALL_RBAC_PATTERNS } from './patterns.js';
+export const rbacScanner = {
+    name: 'Role-Based Access Control Scanner',
+    category: 'access-control',
+    async scan(files, options) {
+        const findings = [];
+        // Filter to code files
+        const codeFiles = files.filter((f) => /\.(js|ts|jsx|tsx|sql|prisma)$/i.test(f));
+        for (const file of codeFiles) {
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                // Determine if this is a client-side file for RBAC-002
+                const isClientFile = isClientSideFile(file, content);
+                for (const pattern of ALL_RBAC_PATTERNS) {
+                    // Special handling for RBAC-002 (only scan client-side files)
+                    if (pattern.id === 'RBAC-002' && !isClientFile) {
+                        continue;
+                    }
+                    // Special handling for RBAC-001 (check authorization in surrounding context)
+                    if (pattern.id === 'RBAC-001') {
+                        await scanPHIAccessWithoutAuthz(file, content, lines, pattern, findings);
+                        continue;
+                    }
+                    // Standard pattern matching for RBAC-002 and RBAC-003
+                    for (let i = 0; i < lines.length; i++) {
+                        const line = lines[i];
+                        const lineNumber = i + 1;
+                        // Skip comments
+                        if (/^\s*(?:\/\/|#|\/\*|\*)/.test(line))
+                            continue;
+                        // Check if line matches violation pattern
+                        const matched = pattern.patterns.some((p) => p.test(line));
+                        if (!matched)
+                            continue;
+                        // Check if negative patterns indicate compliance
+                        const isCompliant = pattern.negativePatterns?.some((p) => {
+                            // For RBAC-002, check if in server-side context
+                            if (pattern.id === 'RBAC-002') {
+                                return p.test(file) || p.test(content);
+                            }
+                            // For RBAC-003, check current line and surrounding lines
+                            const context = lines.slice(Math.max(0, i - 2), i + 3).join('\n');
+                            return p.test(context);
+                        });
+                        if (isCompliant)
+                            continue;
+                        // Create finding
+                        findings.push({
+                            id: pattern.id,
+                            category: 'access-control',
+                            severity: pattern.severity,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            file: file,
+                            line: lineNumber,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'high',
+                        });
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * Determine if a file is client-side code
+ */
+function isClientSideFile(file, content) {
+    // Client-side indicators
+    const clientPatterns = [
+        /\/(?:components?|pages?|app)\//i,
+        /\.client\./i,
+        /use client/i,
+        /useState|useEffect|useContext/i,
+        /window\./i,
+        /document\./i,
+    ];
+    // Server-side indicators (take precedence)
+    const serverPatterns = [
+        /\/api\//i,
+        /\.server\./i,
+        /getServerSideProps/i,
+        /getStaticProps/i,
+        /use server/i,
+    ];
+    // If file has server indicators, it's server-side
+    if (serverPatterns.some((p) => p.test(file) || p.test(content))) {
+        return false;
+    }
+    // If file has client indicators, it's client-side
+    if (clientPatterns.some((p) => p.test(file) || p.test(content))) {
+        return true;
+    }
+    // Default: treat as client-side if in common web directories
+    return /\/(?:src|components?|pages?|app|views?)\//i.test(file);
+}
+/**
+ * Scan for PHI data access without authorization checks
+ */
+async function scanPHIAccessWithoutAuthz(file, content, lines, pattern, findings) {
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        // Skip comments
+        if (/^\s*(?:\/\/|#|\/\*|\*)/.test(line))
+            continue;
+        // Check if line contains PHI data access
+        const hasPHIAccess = pattern.patterns.some((p) => p.test(line));
+        if (!hasPHIAccess)
+            continue;
+        // Check surrounding context (10 lines before and 5 lines after) for authorization
+        const contextStart = Math.max(0, i - 10);
+        const contextEnd = Math.min(lines.length, i + 6);
+        const context = lines.slice(contextStart, contextEnd).join('\n');
+        // Check if authorization is present in context
+        const hasAuthorization = pattern.negativePatterns?.some((p) => p.test(context));
+        if (hasAuthorization)
+            continue;
+        // Create finding
+        findings.push({
+            id: pattern.id,
+            category: 'access-control',
+            severity: pattern.severity,
+            title: pattern.name,
+            description: `${pattern.description}\n\nCode: ${line.trim()}\n\nNo authorization check found in surrounding code.`,
+            file: file,
+            line: lineNumber,
+            recommendation: pattern.recommendation,
+            hipaaReference: pattern.hipaaReference,
+            confidence: 'high',
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/scanners/rbac/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/rbac/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,OAAO,EAAE,iBAAiB,EAAoB,MAAM,eAAe,CAAC;AAEpE,MAAM,CAAC,MAAM,WAAW,GAAY;IAClC,IAAI,EAAE,mCAAmC;IACzC,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,uBAAuB;QACvB,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,gCAAgC,CAAC,IAAI,CAAC,CAAC,CAAC,CACzC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,uDAAuD;gBACvD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBAErD,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;oBACxC,8DAA8D;oBAC9D,IAAI,OAAO,CAAC,EAAE,KAAK,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;wBAC/C,SAAS;oBACX,CAAC;oBAED,6EAA6E;oBAC7E,IAAI,OAAO,CAAC,EAAE,KAAK,UAAU,EAAE,CAAC;wBAC9B,MAAM,yBAAyB,CAC7B,IAAI,EACJ,OAAO,EACP,KAAK,EACL,OAAO,EACP,QAAQ,CACT,CAAC;wBACF,SAAS;oBACX,CAAC;oBAED,sDAAsD;oBACtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;wBAEzB,gBAAgB;wBAChB,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAElD,0CAA0C;wBAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBAC3D,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,iDAAiD;wBACjD,MAAM,WAAW,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;4BACvD,gDAAgD;4BAChD,IAAI,OAAO,CAAC,EAAE,KAAK,UAAU,EAAE,CAAC;gCAC9B,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;4BACzC,CAAC;4BACD,yDAAyD;4BACzD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;4BAClE,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;wBACzB,CAAC,CAAC,CAAC;wBAEH,IAAI,WAAW;4BAAE,SAAS;wBAE1B,iBAAiB;wBACjB,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,QAAQ,EAAE,gBAAgB;4BAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,UAAU;4BAChB,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,MAAM;yBACnB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,gBAAgB,CAAC,IAAY,EAAE,OAAe;IACrD,yBAAyB;IACzB,MAAM,cAAc,GAAG;QACrB,iCAAiC;QACjC,aAAa;QACb,aAAa;QACb,gCAAgC;QAChC,WAAW;QACX,aAAa;KACd,CAAC;IAEF,2CAA2C;IAC3C,MAAM,cAAc,GAAG;QACrB,UAAU;QACV,aAAa;QACb,qBAAqB;QACrB,iBAAiB;QACjB,aAAa;KACd,CAAC;IAEF,kDAAkD;IAClD,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kDAAkD;IAClD,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6DAA6D;IAC7D,OAAO,4CAA4C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,yBAAyB,CACtC,IAAY,EACZ,OAAe,EACf,KAAe,EACf,OAAoB,EACpB,QAAmB;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;QAEzB,gBAAgB;QAChB,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAElD,yCAAyC;QACzC,MAAM,YAAY,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,kFAAkF;QAClF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEjE,+CAA+C;QAC/C,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5D,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAChB,CAAC;QAEF,IAAI,gBAAgB;YAAE,SAAS;QAE/B,iBAAiB;QACjB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;YACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,uDAAuD;YAClH,IAAI,EAAE,IAAI;YACV,IAAI,EAAE,UAAU;YAChB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,UAAU,EAAE,MAAM;SACnB,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/scanners/rbac/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for Role-Based Access Control Scanner
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/rbac/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/rbac/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/rbac/index.test.js

@@ -0,0 +1,422 @@
+/**
+ * Tests for Role-Based Access Control Scanner
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { rbacScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('RBAC Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'rbac-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('RBAC-001: PHI Access Without Authorization', () => {
+        it('should detect SQL query to patients table without role check', async () => {
+            const file = await createTestFile('api.ts', `
+export async function getPatients(req: Request) {
+  const result = await db.query(
+    'SELECT * FROM patients WHERE active = true'
+  );
+  return result.rows;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+            expect(rbacFindings[0].severity).toBe('high');
+            expect(rbacFindings[0].hipaaReference).toContain('164.312(a)(1)');
+        });
+        it('should detect ORM query to health_records without permission check', async () => {
+            const file = await createTestFile('records.ts', `
+async function getMedicalRecords(patientId: string) {
+  const records = await MedicalRecord.findAll({
+    where: { patientId }
+  });
+  return records;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect Supabase query to prescriptions without authorization', async () => {
+            const file = await createTestFile('prescriptions.ts', `
+export async function getPrescriptions(userId: string) {
+  const { data } = await supabase
+    .from('prescriptions')
+    .select('*')
+    .eq('user_id', userId);
+  return data;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect Prisma query to patients without role verification', async () => {
+            const file = await createTestFile('patient-service.ts', `
+async function listPatients() {
+  const patients = await prisma.patient.findMany({
+    take: 100
+  });
+  return patients;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag query with role verification', async () => {
+            const file = await createTestFile('secure-api.ts', `
+export async function getPatients(req: Request, user: User) {
+  if (!hasPermission(user, 'read:patients')) {
+    throw new Error('Unauthorized');
+  }
+
+  const result = await db.query(
+    'SELECT * FROM patients WHERE active = true'
+  );
+  return result.rows;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag query with isAdmin check', async () => {
+            const file = await createTestFile('admin-route.ts', `
+async function getMedicalRecords(user: User) {
+  if (!user.isAdmin) {
+    throw new ForbiddenError();
+  }
+
+  const records = await MedicalRecord.findAll();
+  return records;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag query with canAccess verification', async () => {
+            const file = await createTestFile('authorization.ts', `
+export async function getDiagnosis(diagnosisId: string, userId: string) {
+  const canAccess = await checkAccess(userId, 'diagnosis', diagnosisId);
+  if (!canAccess) return null;
+
+  const diagnosis = await db.query(
+    'SELECT * FROM diagnosis WHERE id = $1',
+    [diagnosisId]
+  );
+  return diagnosis;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-001');
+            expect(rbacFindings.length).toBe(0);
+        });
+    });
+    describe('RBAC-002: Service Role in Client-Side Code', () => {
+        it('should detect service_role in client component', async () => {
+            const file = await createTestFile('components/Dashboard.tsx', `
+'use client';
+
+import { createClient } from '@supabase/supabase-js';
+
+const supabase = createClient(
+  'https://myproject.supabase.co',
+  'eyJhbGci...service_role_key_here'
+);
+
+export function Dashboard() {
+  return <div>Dashboard</div>;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+            expect(rbacFindings[0].severity).toBe('critical');
+        });
+        it('should detect serviceRole in pages directory', async () => {
+            const file = await createTestFile('pages/admin.tsx', `
+const serviceRole = 'secret_service_role_key';
+
+export default function AdminPage() {
+  return <div>Admin</div>;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect isAdmin default to true', async () => {
+            const file = await createTestFile('components/UserProfile.tsx', `
+export function UserProfile() {
+  const [isAdmin, setIsAdmin] = useState(true);
+
+  return (
+    <div>
+      {isAdmin && <AdminPanel />}
+    </div>
+  );
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect role default to admin', async () => {
+            const file = await createTestFile('app/layout.tsx', `
+const user = {
+  email: 'user@example.com',
+  role: 'admin'
+};
+
+export default function Layout() {
+  return <div />;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect always-admin condition', async () => {
+            const file = await createTestFile('components/Auth.tsx', `
+function checkAdmin() {
+  const isAdmin = true;
+  if (isAdmin) {
+    return <AdminDashboard />;
+  }
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag service_role in API route', async () => {
+            const file = await createTestFile('api/admin.ts', `
+import { createClient } from '@supabase/supabase-js';
+
+const supabase = createClient(
+  process.env.SUPABASE_URL,
+  process.env.SUPABASE_SERVICE_ROLE_KEY
+);
+
+export async function GET(req: Request) {
+  const data = await supabase.from('users').select('*');
+  return Response.json(data);
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag service_role in .server file', async () => {
+            const file = await createTestFile('lib/supabase.server.ts', `
+export const serviceRole = process.env.SUPABASE_SERVICE_ROLE_KEY;
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag isAdmin in test files', async () => {
+            const file = await createTestFile('components/Auth.test.tsx', `
+describe('Auth', () => {
+  it('should grant admin access', () => {
+    const isAdmin = true;
+    expect(isAdmin).toBe(true);
+  });
+});
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-002');
+            expect(rbacFindings.length).toBe(0);
+        });
+    });
+    describe('RBAC-003: SELECT * on PHI Tables', () => {
+        it('should detect SELECT * FROM patients', async () => {
+            const file = await createTestFile('queries.ts', `
+async function getAllPatients() {
+  const result = await db.query('SELECT * FROM patients');
+  return result.rows;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+            expect(rbacFindings[0].severity).toBe('medium');
+            expect(rbacFindings[0].hipaaReference).toContain('164.502(b)');
+        });
+        it('should detect SELECT * FROM medical_records', async () => {
+            const file = await createTestFile('medical.ts', `
+const query = \`
+  SELECT * FROM medical_records
+  WHERE patient_id = ?
+\`;
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect .select("*") on prescriptions', async () => {
+            const file = await createTestFile('prescriptions-api.ts', `
+export async function getPrescriptions(patientId: string) {
+  const { data } = await supabase
+    .from('prescriptions')
+    .select('*')
+    .eq('patient_id', patientId);
+  return data;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect .select(*) without quotes', async () => {
+            const file = await createTestFile('diagnosis.ts', `
+const diagnoses = await db.from('diagnosis').select(*);
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag SELECT with specific fields', async () => {
+            const file = await createTestFile('minimal-query.ts', `
+async function getPatientNames() {
+  const result = await db.query(
+    'SELECT id, name, dob FROM patients WHERE active = true'
+  );
+  return result.rows;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag .select() with specific fields', async () => {
+            const file = await createTestFile('specific-fields.ts', `
+const { data } = await supabase
+  .from('prescriptions')
+  .select('id, medication_name, dosage, patient_id')
+  .eq('patient_id', patientId);
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should not flag SELECT * on non-PHI tables', async () => {
+            const file = await createTestFile('settings.ts', `
+const settings = await db.query('SELECT * FROM app_settings');
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBe(0);
+        });
+    });
+    describe('General Scanner Behavior', () => {
+        it('should only scan code files', async () => {
+            await createTestFile('README.md', 'SELECT * FROM patients');
+            await createTestFile('data.json', '{"query": "SELECT * FROM patients"}');
+            await createTestFile('code.ts', 'SELECT * FROM patients');
+            const findings = await rbacScanner.scan(testFiles, scanOptions);
+            // Should only find findings in .ts file
+            const mdFindings = findings.filter((f) => f.file.endsWith('.md'));
+            const jsonFindings = findings.filter((f) => f.file.endsWith('.json'));
+            expect(mdFindings.length).toBe(0);
+            expect(jsonFindings.length).toBe(0);
+        });
+        it('should skip comment lines', async () => {
+            const file = await createTestFile('commented.ts', `
+// SELECT * FROM patients - this is how you would do it
+/*
+ * const result = await db.query('SELECT * FROM patients');
+ */
+const validCode = true;
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            const rbacFindings = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbacFindings.length).toBe(0);
+        });
+        it('should include confidence scores', async () => {
+            const file = await createTestFile('test.ts', `
+const patients = await db.query('SELECT * FROM patients');
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.confidence).toBeDefined();
+                expect(['high', 'medium', 'low']).toContain(finding.confidence);
+            }
+        });
+        it('should include proper HIPAA references', async () => {
+            const file = await createTestFile('multi-violation.ts', `
+// RBAC-001 violation
+const records = await MedicalRecord.findAll();
+
+// RBAC-003 violation
+const query = 'SELECT * FROM diagnoses';
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.hipaaReference).toBeDefined();
+                expect(finding.hipaaReference).toMatch(/164\./);
+            }
+        });
+        it('should detect multiple violations in same file', async () => {
+            const file = await createTestFile('components/BadComponent.tsx', `
+'use client';
+
+// RBAC-002: service_role in client
+const SERVICE_ROLE_KEY = 'service_role_secret';
+
+// RBAC-002: admin default
+const [isAdmin, setIsAdmin] = useState(true);
+
+async function loadData() {
+  // RBAC-001: No authorization check
+  const patients = await db.from('patients').select('*');
+
+  // RBAC-003: SELECT *
+  return patients;
+}
+        `);
+            const findings = await rbacScanner.scan([file], scanOptions);
+            expect(findings.length).toBeGreaterThan(2);
+            const rbac001 = findings.filter((f) => f.id === 'RBAC-001');
+            const rbac002 = findings.filter((f) => f.id === 'RBAC-002');
+            const rbac003 = findings.filter((f) => f.id === 'RBAC-003');
+            expect(rbac001.length).toBeGreaterThan(0);
+            expect(rbac002.length).toBeGreaterThan(0);
+            expect(rbac003.length).toBeGreaterThan(0);
+        });
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/rbac/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/rbac/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,QAAQ,EACR;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;YACnF,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;;;SAWC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;SASC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;;;;;SAWC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,0BAA0B,EAC1B;;;;;;;;;;;;;SAaC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,4BAA4B,EAC5B;;;;;;;;;;SAUC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;SASC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;;;;;;SAYC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,wBAAwB,EACxB;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,0BAA0B,EAC1B;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAChD,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,sBAAsB,EACtB;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,cAAc,CAAC,WAAW,EAAE,wBAAwB,CAAC,CAAC;YAC5D,MAAM,cAAc,CAAC,WAAW,EAAE,qCAAqC,CAAC,CAAC;YACzE,MAAM,cAAc,CAAC,SAAS,EAAE,wBAAwB,CAAC,CAAC;YAE1D,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAEhE,wCAAwC;YACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAClE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEtE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;YACzC,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAE7D,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAClE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAE7D,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC7C,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAClD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,6BAA6B,EAC7B;;;;;;;;;;;;;;;;SAgBC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAE7D,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAE3C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAC5D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAC5D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAE5D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/rbac/patterns.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Role-Based Access Control (RBAC) Detection Patterns
+ * Enforces proper authorization and minimum necessary principle per HIPAA
+ */
+export interface RBACPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'critical' | 'high' | 'medium';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * RBAC-001: PHI Data Access Without Role/Permission Verification
+ * Detects database queries to PHI tables without authorization checks
+ */
+export declare const PHI_ACCESS_NO_AUTHZ: RBACPattern;
+/**
+ * RBAC-002: Service Role Keys in Client-Side Code
+ * Detects privileged keys exposed to client, admin defaults, or always-admin conditions
+ */
+export declare const SERVICE_ROLE_CLIENT_SIDE: RBACPattern;
+/**
+ * RBAC-003: SELECT * on PHI Tables (Violates Minimum Necessary)
+ * Detects SELECT * queries that retrieve all columns from PHI tables
+ */
+export declare const SELECT_ALL_PHI: RBACPattern;
+export declare const ALL_RBAC_PATTERNS: RBACPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/rbac/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/rbac/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAoCjC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,WA2CtC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAE,WAmC5B,CAAC;AAEF,eAAO,MAAM,iBAAiB,EAAE,WAAW,EAI1C,CAAC"}