verification-layer 0.4.0

package/dist/scan.js

@@ -0,0 +1,96 @@
+import { glob } from 'glob';
+import { loadConfig, isPathIgnored } from './config.js';
+import { phiScanner } from './scanners/phi/index.js';
+import { encryptionScanner } from './scanners/encryption/index.js';
+import { auditScanner } from './scanners/audit/index.js';
+import { accessScanner } from './scanners/access/index.js';
+import { retentionScanner } from './scanners/retention/index.js';
+import { securityScanner } from './scanners/security/index.js';
+import { detectStack, getStackDisplayName } from './stack-detector/index.js';
+import { getStackSummary } from './stack-detector/stack-guides.js';
+const ALL_CATEGORIES = [
+    'phi-exposure',
+    'encryption',
+    'audit-logging',
+    'access-control',
+    'data-retention',
+];
+const scanners = {
+    'phi-exposure': phiScanner,
+    'encryption': encryptionScanner,
+    'audit-logging': auditScanner,
+    'access-control': accessScanner,
+    'data-retention': retentionScanner,
+};
+// Additional scanners that run with specific categories
+const additionalScanners = {
+    'access-control': [securityScanner], // Security scanner runs with access-control
+};
+export async function scan(options) {
+    const startTime = Date.now();
+    // Load configuration
+    const config = await loadConfig(options.path, options.configFile);
+    const optionsWithConfig = { ...options, config };
+    const categories = options.categories ?? config.categories ?? ALL_CATEGORIES;
+    // Get all files to scan
+    const defaultExclude = [
+        '**/node_modules/**',
+        '**/dist/**',
+        '**/build/**',
+        '**/.git/**',
+        '**/coverage/**',
+    ];
+    const excludePatterns = [
+        ...defaultExclude,
+        ...(options.exclude ?? []),
+        ...(config.exclude ?? []),
+    ];
+    const files = await glob('**/*', {
+        cwd: options.path,
+        nodir: true,
+        ignore: excludePatterns,
+        absolute: true,
+    });
+    // Filter out ignored paths from config
+    const filteredFiles = files.filter(f => !isPathIgnored(f, config));
+    // Run scanners for selected categories
+    const findings = [];
+    for (const category of categories) {
+        const scanner = scanners[category];
+        if (scanner) {
+            const categoryFindings = await scanner.scan(filteredFiles, optionsWithConfig);
+            findings.push(...categoryFindings);
+        }
+        // Run additional scanners for this category
+        const additional = additionalScanners[category];
+        if (additional) {
+            for (const extraScanner of additional) {
+                const extraFindings = await extraScanner.scan(filteredFiles, optionsWithConfig);
+                findings.push(...extraFindings);
+            }
+        }
+    }
+    // Sort findings by severity
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+    // Detect project stack
+    const detectedStack = await detectStack(options.path);
+    const stackDisplayNames = getStackDisplayName(detectedStack);
+    const stackRecommendations = getStackSummary(detectedStack);
+    const stack = {
+        framework: detectedStack.framework,
+        database: detectedStack.database,
+        auth: detectedStack.auth,
+        frameworkDisplay: stackDisplayNames.framework,
+        databaseDisplay: stackDisplayNames.database,
+        authDisplay: stackDisplayNames.auth,
+        recommendations: stackRecommendations,
+    };
+    return {
+        findings,
+        scannedFiles: filteredFiles.length,
+        scanDuration: Date.now() - startTime,
+        stack,
+    };
+}
+//# sourceMappingURL=scan.js.map

package/dist/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAEnE,MAAM,cAAc,GAAyB;IAC3C,cAAc;IACd,YAAY;IACZ,eAAe;IACf,gBAAgB;IAChB,gBAAgB;CACjB,CAAC;AAEF,MAAM,QAAQ,GAAwC;IACpD,cAAc,EAAE,UAAU;IAC1B,YAAY,EAAE,iBAAiB;IAC/B,eAAe,EAAE,YAAY;IAC7B,gBAAgB,EAAE,aAAa;IAC/B,gBAAgB,EAAE,gBAAgB;CACnC,CAAC;AAEF,wDAAwD;AACxD,MAAM,kBAAkB,GAAmD;IACzE,gBAAgB,EAAE,CAAC,eAAe,CAAC,EAAE,4CAA4C;CAClF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,qBAAqB;IACrB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAClE,MAAM,iBAAiB,GAAG,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,CAAC;IAEjD,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,IAAI,cAAc,CAAC;IAE7E,wBAAwB;IACxB,MAAM,cAAc,GAAG;QACrB,oBAAoB;QACpB,YAAY;QACZ,aAAa;QACb,YAAY;QACZ,gBAAgB;KACjB,CAAC;IAEF,MAAM,eAAe,GAAG;QACtB,GAAG,cAAc;QACjB,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;QAC1B,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;KAC1B,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE;QAC/B,GAAG,EAAE,OAAO,CAAC,IAAI;QACjB,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,eAAe;QACvB,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IAEnE,uCAAuC;IACvC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;YAC9E,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;QACrC,CAAC;QAED,4CAA4C;QAC5C,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,MAAM,YAAY,IAAI,UAAU,EAAE,CAAC;gBACtC,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;gBAChF,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC3E,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE/E,uBAAuB;IACvB,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;IAC7D,MAAM,oBAAoB,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;IAE5D,MAAM,KAAK,GAAc;QACvB,SAAS,EAAE,aAAa,CAAC,SAAS;QAClC,QAAQ,EAAE,aAAa,CAAC,QAAQ;QAChC,IAAI,EAAE,aAAa,CAAC,IAAI;QACxB,gBAAgB,EAAE,iBAAiB,CAAC,SAAS;QAC7C,eAAe,EAAE,iBAAiB,CAAC,QAAQ;QAC3C,WAAW,EAAE,iBAAiB,CAAC,IAAI;QACnC,eAAe,EAAE,oBAAoB;KACtC,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,YAAY,EAAE,aAAa,CAAC,MAAM;QAClC,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QACpC,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/scanners/access/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const accessScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/access/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/access/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AA+DpE,eAAO,MAAM,aAAa,EAAE,OA2C3B,CAAC"}

package/dist/scanners/access/index.js

@@ -0,0 +1,102 @@
+import { readFile } from 'fs/promises';
+import { DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+const ACCESS_CONTROL_ISSUES = [
+    {
+        regex: /\*\s*FROM\s+(patient|user|health|medical)/i,
+        id: 'select-star',
+        severity: 'medium',
+        title: 'SELECT * on sensitive table',
+        description: 'Using SELECT * may retrieve more PHI than necessary.',
+        recommendation: 'Select only required columns to minimize PHI exposure (minimum necessary).',
+    },
+    {
+        regex: /role\s*[:=]\s*['"`](admin|root|superuser)['"`]/i,
+        id: 'hardcoded-admin',
+        severity: 'high',
+        title: 'Hardcoded admin role',
+        description: 'Hardcoded administrative role assignment detected.',
+        recommendation: 'Use role-based access control (RBAC) with proper authentication.',
+    },
+    {
+        regex: /bypass.*auth|auth.*bypass|skip.*auth/i,
+        id: 'auth-bypass',
+        severity: 'critical',
+        title: 'Potential authentication bypass',
+        description: 'Code pattern suggests authentication may be bypassed.',
+        recommendation: 'Remove any authentication bypass mechanisms in production code.',
+    },
+    {
+        regex: /isAdmin\s*[:=]\s*true|admin\s*[:=]\s*true/i,
+        id: 'admin-flag',
+        severity: 'medium',
+        title: 'Hardcoded admin flag',
+        description: 'Admin privileges set via hardcoded flag.',
+        recommendation: 'Determine admin status through secure authentication flow.',
+    },
+    {
+        regex: /public\s+(static\s+)?.*password|password.*public/i,
+        id: 'public-password',
+        severity: 'critical',
+        title: 'Password field with public visibility',
+        description: 'Password field may have public accessibility.',
+        recommendation: 'Password fields should be private and never exposed.',
+    },
+    {
+        regex: /allow.*origin.*\*/i,
+        id: 'cors-wildcard',
+        severity: 'high',
+        title: 'CORS wildcard origin',
+        description: 'CORS configured to allow all origins.',
+        recommendation: 'Restrict CORS to specific trusted domains for PHI-handling endpoints.',
+    },
+    {
+        regex: /session.*expires?\s*[:=]\s*0|maxAge\s*:\s*0/i,
+        id: 'no-session-expiry',
+        severity: 'high',
+        title: 'Session without expiration',
+        description: 'Session configured without expiration.',
+        recommendation: 'Implement automatic session timeout for PHI access (HIPAA recommends 15 min idle).',
+    },
+];
+export const accessScanner = {
+    name: 'Access Control Scanner',
+    category: 'access-control',
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go', '.rb', '.php', '.sql'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                    const line = lines[lineNum];
+                    for (const issue of ACCESS_CONTROL_ISSUES) {
+                        if (issue.regex.test(line)) {
+                            findings.push({
+                                id: `access-${issue.id}-${lineNum}`,
+                                category: 'access-control',
+                                severity: issue.severity,
+                                title: issue.title,
+                                description: issue.description,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: issue.recommendation,
+                                hipaaReference: '§164.312(a)(1), §164.312(d)',
+                                context: getContextLines(lines, lineNum, contextSize),
+                            });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map

package/dist/scanners/access/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/access/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,qBAAqB,GAAG;IAC5B;QACE,KAAK,EAAE,4CAA4C;QACnD,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,QAAiB;QAC3B,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,sDAAsD;QACnE,cAAc,EAAE,4EAA4E;KAC7F;IACD;QACE,KAAK,EAAE,iDAAiD;QACxD,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,MAAe;QACzB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,oDAAoD;QACjE,cAAc,EAAE,kEAAkE;KACnF;IACD;QACE,KAAK,EAAE,uCAAuC;QAC9C,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,UAAmB;QAC7B,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,uDAAuD;QACpE,cAAc,EAAE,iEAAiE;KAClF;IACD;QACE,KAAK,EAAE,4CAA4C;QACnD,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,QAAiB;QAC3B,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,0CAA0C;QACvD,cAAc,EAAE,4DAA4D;KAC7E;IACD;QACE,KAAK,EAAE,mDAAmD;QAC1D,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,UAAmB;QAC7B,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,+CAA+C;QAC5D,cAAc,EAAE,sDAAsD;KACvE;IACD;QACE,KAAK,EAAE,oBAAoB;QAC3B,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,MAAe;QACzB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,uCAAuC;QACpD,cAAc,EAAE,uEAAuE;KACxF;IACD;QACE,KAAK,EAAE,8CAA8C;QACrD,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,MAAe;QACzB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,wCAAwC;QACrD,cAAc,EAAE,oFAAoF;KACrG;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAAY;IACpC,IAAI,EAAE,wBAAwB;IAC9B,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;QAC7C,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACpG,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAEjF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;oBAE5B,KAAK,MAAM,KAAK,IAAI,qBAAqB,EAAE,CAAC;wBAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC3B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,UAAU,KAAK,CAAC,EAAE,IAAI,OAAO,EAAE;gCACnC,QAAQ,EAAE,gBAAgB;gCAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gCACxB,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,WAAW,EAAE,KAAK,CAAC,WAAW;gCAC9B,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,OAAO,GAAG,CAAC;gCACjB,cAAc,EAAE,KAAK,CAAC,cAAc;gCACpC,cAAc,EAAE,6BAA6B;gCAC7C,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;6BACtD,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanners/audit/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const auditScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/audit/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAiBpE,eAAO,MAAM,YAAY,EAAE,OAuF1B,CAAC"}

package/dist/scanners/audit/index.js

@@ -0,0 +1,94 @@
+import { readFile } from 'fs/promises';
+import { DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+const LOGGING_FRAMEWORKS = [
+    'winston', 'bunyan', 'pino', 'log4js', 'morgan',
+    'logging', 'logger', 'structlog', 'loguru',
+];
+const AUDIT_REQUIRED_ACTIONS = [
+    { pattern: /\.(create|insert|save|add)\s*\(/i, action: 'create' },
+    { pattern: /\.(update|modify|patch|put)\s*\(/i, action: 'update' },
+    { pattern: /\.(delete|remove|destroy)\s*\(/i, action: 'delete' },
+    { pattern: /\.(read|get|find|fetch|select)\s*\(/i, action: 'read' },
+    { pattern: /\.(login|authenticate|authorize)\s*\(/i, action: 'auth' },
+];
+export const auditScanner = {
+    name: 'Audit Logging Scanner',
+    category: 'audit-logging',
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        // Check for logging framework presence
+        const packageJsonFiles = files.filter(f => f.endsWith('package.json'));
+        let hasLoggingFramework = false;
+        for (const pkgFile of packageJsonFiles) {
+            try {
+                const content = await readFile(pkgFile, 'utf-8');
+                if (LOGGING_FRAMEWORKS.some(fw => content.includes(fw))) {
+                    hasLoggingFramework = true;
+                    break;
+                }
+            }
+            catch {
+                // Skip
+            }
+        }
+        if (!hasLoggingFramework && packageJsonFiles.length > 0) {
+            findings.push({
+                id: 'audit-no-framework',
+                category: 'audit-logging',
+                severity: 'high',
+                title: 'No audit logging framework detected',
+                description: 'No recognized logging framework found in dependencies.',
+                file: packageJsonFiles[0],
+                recommendation: 'Implement structured audit logging using winston, pino, or similar.',
+                hipaaReference: '§164.312(b)',
+            });
+        }
+        // Check code files for unlogged operations
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            // Skip test files
+            if (filePath.includes('test') || filePath.includes('spec')) {
+                continue;
+            }
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                // Simple heuristic: check if file has PHI-related operations without logging
+                const hasPhiKeywords = /patient|health|medical|diagnosis|treatment/i.test(content);
+                const hasLogging = /\.(log|info|warn|error|audit)\s*\(/i.test(content) ||
+                    /logger\./i.test(content);
+                if (hasPhiKeywords) {
+                    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                        const line = lines[lineNum];
+                        for (const { pattern, action } of AUDIT_REQUIRED_ACTIONS) {
+                            if (pattern.test(line) && !hasLogging) {
+                                findings.push({
+                                    id: `audit-unlogged-${action}-${lineNum}`,
+                                    category: 'audit-logging',
+                                    severity: 'medium',
+                                    title: `PHI ${action} operation may lack audit logging`,
+                                    description: `A ${action} operation on PHI-related data was found without apparent audit logging in this file.`,
+                                    file: filePath,
+                                    line: lineNum + 1,
+                                    recommendation: `Log all ${action} operations on PHI with timestamp, user ID, and action details.`,
+                                    hipaaReference: '§164.312(b)',
+                                    context: getContextLines(lines, lineNum, contextSize),
+                                });
+                                break; // One finding per file for this pattern
+                            }
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map

package/dist/scanners/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,kBAAkB,GAAG;IACzB,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ;IAC/C,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ;CAC3C,CAAC;AAEF,MAAM,sBAAsB,GAAG;IAC7B,EAAE,OAAO,EAAE,kCAAkC,EAAE,MAAM,EAAE,QAAQ,EAAE;IACjE,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,QAAQ,EAAE;IAClE,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,QAAQ,EAAE;IAChE,EAAE,OAAO,EAAE,sCAAsC,EAAE,MAAM,EAAE,MAAM,EAAE;IACnE,EAAE,OAAO,EAAE,wCAAwC,EAAE,MAAM,EAAE,MAAM,EAAE;CACtE,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAY;IACnC,IAAI,EAAE,uBAAuB;IAC7B,QAAQ,EAAE,eAAe;IAEzB,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;QAE7C,uCAAuC;QACvC,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;QACvE,IAAI,mBAAmB,GAAG,KAAK,CAAC;QAEhC,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBACjD,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;oBACxD,mBAAmB,GAAG,IAAI,CAAC;oBAC3B,MAAM;gBACR,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;QACH,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,oBAAoB;gBACxB,QAAQ,EAAE,eAAe;gBACzB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,qCAAqC;gBAC5C,WAAW,EAAE,wDAAwD;gBACrE,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;gBACzB,cAAc,EAAE,qEAAqE;gBACrF,cAAc,EAAE,aAAa;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,2CAA2C;QAC3C,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;QAC7E,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAEjF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,kBAAkB;YAClB,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3D,SAAS;YACX,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,6EAA6E;gBAC7E,MAAM,cAAc,GAAG,6CAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACnF,MAAM,UAAU,GAAG,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC;oBACpD,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAE5C,IAAI,cAAc,EAAE,CAAC;oBACnB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;wBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;wBAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,sBAAsB,EAAE,CAAC;4BACzD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gCACtC,QAAQ,CAAC,IAAI,CAAC;oCACZ,EAAE,EAAE,kBAAkB,MAAM,IAAI,OAAO,EAAE;oCACzC,QAAQ,EAAE,eAAe;oCACzB,QAAQ,EAAE,QAAQ;oCAClB,KAAK,EAAE,OAAO,MAAM,mCAAmC;oCACvD,WAAW,EAAE,KAAK,MAAM,uFAAuF;oCAC/G,IAAI,EAAE,QAAQ;oCACd,IAAI,EAAE,OAAO,GAAG,CAAC;oCACjB,cAAc,EAAE,WAAW,MAAM,iEAAiE;oCAClG,cAAc,EAAE,aAAa;oCAC7B,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;iCACtD,CAAC,CAAC;gCACH,MAAM,CAAC,wCAAwC;4BACjD,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanners/encryption/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const encryptionScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/encryption/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/encryption/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,gBAAgB,CAAC;AAiC7E,eAAO,MAAM,iBAAiB,EAAE,OAkE/B,CAAC"}

package/dist/scanners/encryption/index.js

@@ -0,0 +1,86 @@
+import { readFile } from 'fs/promises';
+import { isSafeHttpUrl, DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+const WEAK_CRYPTO_PATTERNS = [
+    { regex: /\bmd5\s*\(/i, issue: 'MD5 hash function', severity: 'high' },
+    { regex: /\bsha1\s*\(/i, issue: 'SHA1 hash function', severity: 'medium' },
+    { regex: /\bdes\b/i, issue: 'DES encryption', severity: 'critical' },
+    { regex: /\b(rc4|arcfour)\b/i, issue: 'RC4 encryption', severity: 'critical' },
+    { regex: /createCipher\s*\(/i, issue: 'Deprecated cipher method', severity: 'high' },
+    { regex: /\bECB\b/, issue: 'ECB mode encryption', severity: 'high' },
+];
+const MISSING_ENCRYPTION_PATTERNS = [
+    { regex: /http:\/\/(?!localhost|127\.0\.0\.1)/i, issue: 'Unencrypted HTTP URL', severity: 'high', checkSafe: true, fixType: 'http-url' },
+    { regex: /ssl\s*[:=]\s*false/i, issue: 'SSL disabled', severity: 'critical' },
+    { regex: /verify\s*[:=]\s*false.*ssl/i, issue: 'SSL verification disabled', severity: 'critical' },
+    { regex: /rejectUnauthorized\s*:\s*false/i, issue: 'TLS certificate validation disabled', severity: 'critical' },
+    // Unencrypted backup patterns
+    { regex: /backup.*encrypt\s*[:=]\s*false|encrypt\s*[:=]\s*false.*backup/i, issue: 'Backup encryption disabled', severity: 'critical', fixType: 'backup-unencrypted' },
+    { regex: /mysqldump(?!.*--ssl).*password|pg_dump(?!.*--ssl)/i, issue: 'Database backup without SSL', severity: 'high' },
+    { regex: /backup.*(\.sql|\.csv|\.json|\.txt)\b(?!.*encrypt|.*gpg|.*aes)/i, issue: 'Unencrypted backup file format', severity: 'high', fixType: 'backup-unencrypted' },
+    { regex: /writeFile.*backup.*patient|patient.*backup.*writeFile/i, issue: 'PHI backup without encryption', severity: 'critical', fixType: 'backup-unencrypted' },
+    { regex: /s3.*upload.*backup(?!.*encrypt|.*sse|.*kms)/i, issue: 'S3 backup without server-side encryption', severity: 'high' },
+    { regex: /backup.*storage(?!.*encrypt)|storage.*backup(?!.*encrypt)/i, issue: 'Backup storage without encryption specified', severity: 'medium' },
+];
+export const encryptionScanner = {
+    name: 'Encryption Scanner',
+    category: 'encryption',
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go', '.rb', '.php', '.env', '.yaml', '.yml', '.json', '.xml'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                    const line = lines[lineNum];
+                    for (const pattern of WEAK_CRYPTO_PATTERNS) {
+                        if (pattern.regex.test(line)) {
+                            findings.push({
+                                id: `enc-weak-${lineNum}`,
+                                category: 'encryption',
+                                severity: pattern.severity,
+                                title: `Weak cryptography: ${pattern.issue}`,
+                                description: `${pattern.issue} is not suitable for protecting PHI.`,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: 'Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.',
+                                hipaaReference: '§164.312(a)(2)(iv), §164.312(e)(2)(ii)',
+                                context: getContextLines(lines, lineNum, contextSize),
+                            });
+                        }
+                    }
+                    for (const pattern of MISSING_ENCRYPTION_PATTERNS) {
+                        if (pattern.regex.test(line)) {
+                            // Check if this is a safe HTTP URL (CDN, namespace, etc.)
+                            if (pattern.checkSafe && isSafeHttpUrl(line, config)) {
+                                continue;
+                            }
+                            findings.push({
+                                id: `enc-missing-${lineNum}`,
+                                category: 'encryption',
+                                severity: pattern.severity,
+                                title: `Encryption issue: ${pattern.issue}`,
+                                description: `${pattern.issue} may expose PHI during transmission.`,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: 'Enforce TLS 1.2+ for all data transmission containing PHI.',
+                                hipaaReference: '§164.312(e)(1)',
+                                context: getContextLines(lines, lineNum, contextSize),
+                                fixType: pattern.fixType,
+                            });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map

package/dist/scanners/encryption/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/encryption/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,oBAAoB,GAAG;IAC3B,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC/E,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,QAAiB,EAAE;IACnF,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAC7E,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACvF,EAAE,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE,0BAA0B,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC7F,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,MAAe,EAAE;CAC9E,CAAC;AAEF,MAAM,2BAA2B,GAM5B;IACH,EAAE,KAAK,EAAE,sCAAsC,EAAE,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAe,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE;IACjJ,EAAE,KAAK,EAAE,qBAAqB,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACtF,EAAE,KAAK,EAAE,6BAA6B,EAAE,KAAK,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAmB,EAAE;IAC3G,EAAE,KAAK,EAAE,iCAAiC,EAAE,KAAK,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAmB,EAAE;IACzH,8BAA8B;IAC9B,EAAE,KAAK,EAAE,gEAAgE,EAAE,KAAK,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAmB,EAAE,OAAO,EAAE,oBAA+B,EAAE;IACzL,EAAE,KAAK,EAAE,oDAAoD,EAAE,KAAK,EAAE,6BAA6B,EAAE,QAAQ,EAAE,MAAe,EAAE;IAChI,EAAE,KAAK,EAAE,gEAAgE,EAAE,KAAK,EAAE,gCAAgC,EAAE,QAAQ,EAAE,MAAe,EAAE,OAAO,EAAE,oBAA+B,EAAE;IACzL,EAAE,KAAK,EAAE,wDAAwD,EAAE,KAAK,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAmB,EAAE,OAAO,EAAE,oBAA+B,EAAE;IACpL,EAAE,KAAK,EAAE,8CAA8C,EAAE,KAAK,EAAE,0CAA0C,EAAE,QAAQ,EAAE,MAAe,EAAE;IACvI,EAAE,KAAK,EAAE,4DAA4D,EAAE,KAAK,EAAE,6CAA6C,EAAE,QAAQ,EAAE,QAAiB,EAAE;CAC3J,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAY;IACxC,IAAI,EAAE,oBAAoB;IAC1B,QAAQ,EAAE,YAAY;IAEtB,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;QAC7C,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QACtI,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAEjF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;oBAE5B,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;wBAC3C,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC7B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,YAAY,OAAO,EAAE;gCACzB,QAAQ,EAAE,YAAY;gCACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gCAC1B,KAAK,EAAE,sBAAsB,OAAO,CAAC,KAAK,EAAE;gCAC5C,WAAW,EAAE,GAAG,OAAO,CAAC,KAAK,sCAAsC;gCACnE,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,OAAO,GAAG,CAAC;gCACjB,cAAc,EAAE,qEAAqE;gCACrF,cAAc,EAAE,wCAAwC;gCACxD,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;6BACtD,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;oBAED,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;wBAClD,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC7B,0DAA0D;4BAC1D,IAAI,OAAO,CAAC,SAAS,IAAI,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;gCACrD,SAAS;4BACX,CAAC;4BAED,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,eAAe,OAAO,EAAE;gCAC5B,QAAQ,EAAE,YAAY;gCACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gCAC1B,KAAK,EAAE,qBAAqB,OAAO,CAAC,KAAK,EAAE;gCAC3C,WAAW,EAAE,GAAG,OAAO,CAAC,KAAK,sCAAsC;gCACnE,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,OAAO,GAAG,CAAC;gCACjB,cAAc,EAAE,4DAA4D;gCAC5E,cAAc,EAAE,gBAAgB;gCAChC,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;gCACrD,OAAO,EAAE,OAAO,CAAC,OAAO;6BACzB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanners/phi/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const phiScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/phi/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/phi/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAKpE,eAAO,MAAM,UAAU,EAAE,OA8CxB,CAAC"}

package/dist/scanners/phi/index.js

@@ -0,0 +1,47 @@
+import { readFile } from 'fs/promises';
+import { DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+import { PHI_PATTERNS } from './patterns.js';
+export const phiScanner = {
+    name: 'PHI Exposure Scanner',
+    category: 'phi-exposure',
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        // Filter to code files
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go', '.rb', '.php'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                    const line = lines[lineNum];
+                    for (const pattern of PHI_PATTERNS) {
+                        if (pattern.regex.test(line)) {
+                            findings.push({
+                                id: `phi-${pattern.id}-${lineNum}`,
+                                category: 'phi-exposure',
+                                severity: pattern.severity,
+                                title: pattern.title,
+                                description: pattern.description,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: pattern.recommendation,
+                                hipaaReference: '§164.502, §164.514',
+                                context: getContextLines(lines, lineNum, contextSize),
+                                fixType: pattern.fixType,
+                            });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map

package/dist/scanners/phi/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/phi/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,CAAC,MAAM,UAAU,GAAY;IACjC,IAAI,EAAE,sBAAsB;IAC5B,QAAQ,EAAE,cAAc;IAExB,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;QAE7C,uBAAuB;QACvB,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC5F,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAEjF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;oBAE5B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;wBACnC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC7B,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,OAAO,OAAO,CAAC,EAAE,IAAI,OAAO,EAAE;gCAClC,QAAQ,EAAE,cAAc;gCACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gCAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gCACpB,WAAW,EAAE,OAAO,CAAC,WAAW;gCAChC,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,OAAO,GAAG,CAAC;gCACjB,cAAc,EAAE,OAAO,CAAC,cAAc;gCACtC,cAAc,EAAE,oBAAoB;gCACpC,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;gCACrD,OAAO,EAAE,OAAO,CAAC,OAAO;6BACzB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanners/phi/patterns.d.ts

@@ -0,0 +1,13 @@
+import type { Severity, FixType } from '../../types.js';
+interface PHIPattern {
+    id: string;
+    regex: RegExp;
+    severity: Severity;
+    title: string;
+    description: string;
+    recommendation: string;
+    fixType?: FixType;
+}
+export declare const PHI_PATTERNS: PHIPattern[];
+export {};
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/phi/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/phi/patterns.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAExD,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,eAAO,MAAM,YAAY,EAAE,UAAU,EAuPpC,CAAC"}