npm - vibecheck-ai - Versions diffs - 5.0.1 → 5.1.0 - Mend

vibecheck-ai 5.0.1 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/scanner/index.js CHANGED Viewed

@@ -23,14 +23,15 @@ __export(scanner_exports, {
   ALL_ENGINES: () => ALL_ENGINES,
   RULE_CATALOG: () => RULE_CATALOG,
   applyFixes: () => applyFixes,
+  checkISLCompliance: () => checkISLCompliance,
   classifyPath: () => classifyPath,
   fix: () => fix,
   getRuleOrDefault: () => getRuleOrDefault,
   scan: () => scan
 });
 module.exports = __toCommonJS(scanner_exports);
-var import_fs3 = require("fs");
-var import_path4 = require("path");
+var import_fs4 = require("fs");
+var import_path5 = require("path");
 var import_crypto = require("crypto");
 // src/scanner/classifiers/path-classifier.ts
@@ -865,6 +866,138 @@ var RULE_CATALOG = {
     fix: "Use a mutex/lock, or restructure to avoid shared mutable state.",
     tags: ["async", "race-condition", "concurrency"],
     autoFixable: false
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // FLOW TRACE (FT)
+  // ═══════════════════════════════════════════════════════════════════════════
+  FT001: {
+    ruleId: "FT001",
+    name: "SQL Injection via Tainted Input",
+    category: "security",
+    severity: "critical",
+    description: "User-controlled input flows to a SQL query without parameterization",
+    why: "Attackers can inject arbitrary SQL through user input, reading, modifying, or deleting your entire database. This is the #1 web vulnerability (OWASP A03).",
+    fix: 'Use parameterized queries (prepared statements). Never concatenate user input into SQL strings. Example: db.query("SELECT * FROM users WHERE id = $1", [userId])',
+    tags: ["injection", "sql", "taint", "flow-trace"],
+    autoFixable: false,
+    cwe: "CWE-89"
+  },
+  FT002: {
+    ruleId: "FT002",
+    name: "Command Injection via Tainted Input",
+    category: "security",
+    severity: "critical",
+    description: "User-controlled input flows to a shell command without sanitization",
+    why: "Attackers can execute arbitrary system commands on your server. A single unsanitized input in exec() can give full server access.",
+    fix: "Avoid exec/execSync with user input. Use execFile() or spawn() with argument arrays instead of string concatenation. Validate input against an allowlist.",
+    tags: ["injection", "command", "taint", "flow-trace"],
+    autoFixable: false,
+    cwe: "CWE-78"
+  },
+  FT003: {
+    ruleId: "FT003",
+    name: "XSS via Tainted Input",
+    category: "security",
+    severity: "high",
+    description: "User-controlled input flows to HTML output without escaping",
+    why: "Attackers can inject scripts that steal cookies, session tokens, or redirect users to malicious sites. innerHTML and dangerouslySetInnerHTML bypass React's XSS protection.",
+    fix: "Use textContent instead of innerHTML. In React, avoid dangerouslySetInnerHTML. If HTML rendering is required, use DOMPurify.sanitize() or a similar library.",
+    tags: ["xss", "html", "taint", "flow-trace"],
+    autoFixable: false,
+    cwe: "CWE-79"
+  },
+  FT004: {
+    ruleId: "FT004",
+    name: "Path Traversal via Tainted Input",
+    category: "security",
+    severity: "high",
+    description: "User-controlled input flows to filesystem operations without path validation",
+    why: 'Attackers can use "../" sequences to read or write files outside the intended directory, accessing /etc/passwd, .env files, or overwriting critical system files.',
+    fix: 'Validate that the resolved path starts with the expected base directory. Use path.resolve() and check with startsWith(). Reject paths containing "..".',
+    tags: ["path-traversal", "filesystem", "taint", "flow-trace"],
+    autoFixable: false,
+    cwe: "CWE-22"
+  },
+  FT005: {
+    ruleId: "FT005",
+    name: "Open Redirect via Tainted Input",
+    category: "security",
+    severity: "high",
+    description: "User-controlled input flows to a redirect without URL validation",
+    why: "Attackers can craft URLs that redirect users to phishing sites while appearing to come from your domain. This is commonly used in credential theft attacks.",
+    fix: 'Validate redirect URLs against an allowlist of trusted domains. Only allow relative paths (starting with "/") or check against a set of approved hosts.',
+    tags: ["redirect", "phishing", "taint", "flow-trace"],
+    autoFixable: false,
+    cwe: "CWE-601"
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // ISL COMPLIANCE (ISL)
+  // ═══════════════════════════════════════════════════════════════════════════
+  ISL001: {
+    ruleId: "ISL001",
+    name: "Unimplemented Behavior",
+    category: "drift",
+    severity: "high",
+    description: "Behavior declared in spec.isl has no matching route or handler in the codebase",
+    why: "Your ISL spec declares this behavior as part of your system contract. If no code implements it, the spec is lying \u2014 the feature doesn't exist. This is spec drift, the equivalent of a ghost feature in your architecture.",
+    fix: "Either implement the route/handler for this behavior, or remove it from spec.isl if it's no longer planned.",
+    tags: ["isl", "spec-drift", "behavior", "unimplemented"],
+    autoFixable: false
+  },
+  ISL002: {
+    ruleId: "ISL002",
+    name: "Unimplemented Entity",
+    category: "drift",
+    severity: "medium",
+    description: "Entity declared in spec.isl has no matching type, interface, or model in the codebase",
+    why: "Your ISL spec declares this entity as a core data structure. If no type/model matches it in code, your implementation has diverged from your specification. Data model drift causes bugs when teams assume the spec is accurate.",
+    fix: "Create a TypeScript interface, database model, or schema that matches this entity definition. Example: interface User { id: string; email: string; ... }",
+    tags: ["isl", "spec-drift", "entity", "schema"],
+    autoFixable: false
+  },
+  ISL003: {
+    ruleId: "ISL003",
+    name: "Unenforced Security Policy",
+    category: "security",
+    severity: "critical",
+    description: "Security policy declared in spec.isl has no matching enforcement in the codebase",
+    why: "Your ISL spec declares a security requirement that cannot be found in the code. This means you've documented a security guarantee that isn't actually enforced \u2014 users and auditors may assume this protection exists when it doesn't.",
+    fix: "Implement the security enforcement described in the policy. For password hashing: use bcrypt/argon2. For authentication: add auth middleware to protected routes.",
+    tags: ["isl", "spec-drift", "security", "unenforced-policy"],
+    autoFixable: false
+  },
+  ISL004: {
+    ruleId: "ISL004",
+    name: "Missing Rate Limiting",
+    category: "security",
+    severity: "high",
+    description: "Rate limiting policy declared in spec.isl but no rate limiter found in the codebase",
+    why: "Your ISL spec declares rate limiting as a requirement, but no rate-limiting middleware or library was detected. Without rate limiting, your endpoints are vulnerable to brute-force attacks and abuse.",
+    fix: "Add rate limiting middleware. For Express: use express-rate-limit. For Fastify: use @fastify/rate-limit. Apply to the endpoints specified in the policy.",
+    tags: ["isl", "spec-drift", "rate-limit", "security"],
+    autoFixable: false
+  },
+  ISL005: {
+    ruleId: "ISL005",
+    name: "ISL Spec Parse Error",
+    category: "drift",
+    severity: "high",
+    description: "spec.isl could not be parsed \u2014 the specification file has syntax errors",
+    why: "A malformed spec.isl means your system contract is unreadable. No compliance checks can run, and the spec cannot serve as documentation or verification input.",
+    fix: 'Fix the syntax errors in spec.isl. Ensure it starts with "domain Name {" and uses valid ISL syntax for entities, behaviors, and policies.',
+    tags: ["isl", "spec", "parse-error"],
+    autoFixable: false
+  },
+  QLT006: {
+    ruleId: "QLT006",
+    name: "Unreachable Code",
+    category: "code-quality",
+    severity: "medium",
+    description: "Code after return/throw statement is unreachable and will never execute",
+    why: "Unreachable code is a sign of logic errors or incomplete refactoring. It confuses maintainers and may indicate that important logic was accidentally placed after an early return.",
+    fix: "Remove the unreachable code, or restructure the function so the code executes before the return/throw.",
+    tags: ["dead-code", "unreachable", "ast-verified"],
+    autoFixable: false
   }
 };
 function getRuleOrDefault(ruleId) {
@@ -3106,6 +3239,992 @@ ${additions}`, "utf-8");
   };
 }
+// src/scanner/utils/ast-helpers.ts
+var import_parser = require("@babel/parser");
+var astCache = /* @__PURE__ */ new Map();
+function parseToAST(code, filePath) {
+  const cacheKey = filePath;
+  if (astCache.has(cacheKey)) return astCache.get(cacheKey);
+  const ext = filePath.split(".").pop()?.toLowerCase() ?? "";
+  const plugins = ["decorators-legacy", "classProperties", "dynamicImport", "optionalChaining", "nullishCoalescingOperator"];
+  if (["ts", "tsx"].includes(ext)) {
+    plugins.push("typescript");
+  }
+  if (["tsx", "jsx"].includes(ext)) {
+    plugins.push("jsx");
+  }
+  try {
+    const ast = (0, import_parser.parse)(code, {
+      sourceType: "module",
+      plugins,
+      errorRecovery: true,
+      allowImportExportEverywhere: true,
+      allowReturnOutsideFunction: true
+    });
+    astCache.set(cacheKey, ast);
+    return ast;
+  } catch {
+    astCache.set(cacheKey, null);
+    return null;
+  }
+}
+function clearASTCache() {
+  astCache.clear();
+}
+function walkAST(node, visitor, parent = null) {
+  if (!node || typeof node !== "object") return;
+  visitor(node, parent);
+  const record = node;
+  for (const key of Object.keys(record)) {
+    if (key === "loc" || key === "start" || key === "end" || key === "type" || key.startsWith("_")) continue;
+    const child = record[key];
+    if (Array.isArray(child)) {
+      for (const item of child) {
+        if (item && typeof item === "object" && "type" in item) {
+          walkAST(item, visitor, node);
+        }
+      }
+    } else if (child && typeof child === "object" && "type" in child) {
+      walkAST(child, visitor, node);
+    }
+  }
+}
+function getLine(node) {
+  return node.loc?.start?.line ?? 0;
+}
+function getCodeSnippet(node, lines) {
+  const line = getLine(node);
+  if (line > 0 && line <= lines.length) {
+    return lines[line - 1].trim();
+  }
+  return "";
+}
+// src/scanner/engines/ast-analysis.ts
+function makeFinding2(ruleId, file, node, message, severity, confidence) {
+  const rule = getRuleOrDefault(ruleId);
+  const line = getLine(node);
+  const code = getCodeSnippet(node, file.lines);
+  const finalSeverity = escalateSeverity(severity, file.classification.isCriticalPath);
+  return {
+    id: `${ruleId}-ast-${file.path}-${line}`,
+    ruleId,
+    engine: "ast-analysis",
+    category: rule.category,
+    severity: finalSeverity,
+    confidence: confidence >= 85 ? "certain" : confidence >= 65 ? "likely" : "possible",
+    confidenceScore: confidence,
+    file: file.path,
+    line,
+    code,
+    message,
+    why: rule.why,
+    fix: rule.fix,
+    autoFixable: false,
+    tags: [...rule.tags, "ast-verified"],
+    verified: false,
+    _dedup: `${ruleId}:ast:${file.path}:${line}`
+  };
+}
+function isFunctionNode(node) {
+  return node.type === "FunctionDeclaration" || node.type === "FunctionExpression" || node.type === "ArrowFunctionExpression" || node.type === "ObjectMethod" || node.type === "ClassMethod";
+}
+function getFunctionName(node, parent) {
+  if (node.type === "FunctionDeclaration" && node.id) {
+    return node.id.name;
+  }
+  if (parent?.type === "VariableDeclarator" && parent.id) {
+    return parent.id.name ?? "<anonymous>";
+  }
+  if (node.type === "ClassMethod" || node.type === "ObjectMethod") {
+    const key = node.key;
+    return key?.name ?? "<anonymous>";
+  }
+  return "<anonymous>";
+}
+function isAsyncFunction(node) {
+  return !!node.async;
+}
+function getFunctionBody(node) {
+  const body = node.body;
+  return body ?? null;
+}
+function detectEmptyFunctions(ast, file) {
+  if (!ast) return [];
+  const findings = [];
+  walkAST(ast, (node, parent) => {
+    if (!isFunctionNode(node)) return;
+    const body = getFunctionBody(node);
+    if (!body) return;
+    if (body.type !== "BlockStatement") return;
+    const block = body;
+    if (block.body.length === 0) {
+      const name = getFunctionName(node, parent);
+      if (/noop|passthrough|placeholder|abstract|override/i.test(name)) return;
+      if (file.classification.category === "test") return;
+      findings.push(makeFinding2(
+        "FAKE001",
+        file,
+        node,
+        `Empty function body: '${name}()' has no implementation`,
+        "high",
+        92
+      ));
+    }
+  });
+  return findings;
+}
+function detectAsyncWithoutAwait(ast, file) {
+  if (!ast) return [];
+  const findings = [];
+  walkAST(ast, (node, parent) => {
+    if (!isFunctionNode(node)) return;
+    if (!isAsyncFunction(node)) return;
+    const body = getFunctionBody(node);
+    if (!body || body.type !== "BlockStatement") return;
+    const block = body;
+    if (block.body.length <= 1) return;
+    let hasAwait = false;
+    walkAST(body, (inner) => {
+      if (inner !== body && isFunctionNode(inner)) return;
+      if (inner.type === "AwaitExpression") {
+        hasAwait = true;
+      }
+    });
+    if (!hasAwait) {
+      const name = getFunctionName(node, parent);
+      findings.push(makeFinding2(
+        "RV002",
+        file,
+        node,
+        `Async function '${name}' never uses await (AST-verified)`,
+        "medium",
+        88
+      ));
+    }
+  });
+  return findings;
+}
+function detectSilentCatch(ast, file) {
+  if (!ast) return [];
+  const findings = [];
+  walkAST(ast, (node) => {
+    if (node.type !== "CatchClause") return;
+    if (file.classification.category === "test") return;
+    const catchNode = node;
+    const body = catchNode.body.body;
+    if (body.length === 0) {
+      findings.push(makeFinding2(
+        "FAKE003",
+        file,
+        node,
+        "Empty catch block \u2014 errors silently swallowed (AST-verified)",
+        "high",
+        95
+      ));
+      return;
+    }
+    if (body.length === 1 && body[0].type === "ReturnStatement") {
+      const ret = body[0];
+      if (ret.argument) {
+        if (ret.argument.type === "BooleanLiteral" && ret.argument.value === true) {
+          findings.push(makeFinding2(
+            "FAKE002",
+            file,
+            node,
+            "Catch block returns true \u2014 error swallowed with fake success (AST-verified)",
+            "critical",
+            95
+          ));
+        }
+        if (ret.argument.type === "ObjectExpression") {
+          const props = ret.argument.properties;
+          for (const prop of props) {
+            if (prop.type === "ObjectProperty") {
+              const key = prop.key;
+              const value = prop.value;
+              if (key?.name === "success" && value?.type === "BooleanLiteral" && value.value === true) {
+                findings.push(makeFinding2(
+                  "FAKE002",
+                  file,
+                  node,
+                  "Catch block returns { success: true } \u2014 error swallowed with fake success (AST-verified)",
+                  "critical",
+                  97
+                ));
+              }
+            }
+          }
+        }
+      }
+    }
+  });
+  return findings;
+}
+function detectStubReturns(ast, file) {
+  if (!ast) return [];
+  const findings = [];
+  walkAST(ast, (node, parent) => {
+    if (!isFunctionNode(node)) return;
+    if (file.classification.category === "test") return;
+    const body = getFunctionBody(node);
+    if (!body || body.type !== "BlockStatement") return;
+    const block = body;
+    if (block.body.length === 0 || block.body.length > 5) return;
+    const returns = [];
+    let hasNonReturn = false;
+    for (const stmt of block.body) {
+      if (stmt.type === "ReturnStatement") {
+        returns.push(stmt);
+      } else {
+        hasNonReturn = true;
+      }
+    }
+    if (returns.length === 1 && !hasNonReturn) {
+      const ret = returns[0];
+      if (ret.argument) {
+        const arg = ret.argument;
+        const isLiteral = arg.type === "StringLiteral" || arg.type === "NumericLiteral" || arg.type === "BooleanLiteral" || arg.type === "NullLiteral" || arg.type === "ObjectExpression" || arg.type === "ArrayExpression";
+        if (isLiteral) {
+          const name = getFunctionName(node, parent);
+          if (/^(get|default|config|initial|placeholder)/i.test(name)) return;
+          findings.push(makeFinding2(
+            "FAKE002",
+            file,
+            node,
+            `Function '${name}' only returns a hardcoded literal \u2014 likely a stub (AST-verified)`,
+            "medium",
+            75
+          ));
+        }
+      }
+    }
+  });
+  return findings;
+}
+function detectUnreachableCode(ast, file) {
+  if (!ast) return [];
+  const findings = [];
+  walkAST(ast, (node) => {
+    if (node.type !== "BlockStatement") return;
+    const block = node;
+    for (let i = 0; i < block.body.length - 1; i++) {
+      const stmt = block.body[i];
+      if (stmt.type === "ReturnStatement" || stmt.type === "ThrowStatement") {
+        const next = block.body[i + 1];
+        if (next.type === "FunctionDeclaration" || next.type === "VariableDeclaration") continue;
+        findings.push(makeFinding2(
+          "QLT006",
+          file,
+          next,
+          "Unreachable code after return/throw statement (AST-verified)",
+          "medium",
+          92
+        ));
+        break;
+      }
+    }
+  });
+  return findings;
+}
+var astAnalysisEngine = {
+  name: "ast-analysis",
+  description: "Babel-powered AST analysis for scope-aware detection of empty functions, async bugs, and stub code",
+  async scan(files, _options) {
+    const findings = [];
+    clearASTCache();
+    for (const [, file] of files) {
+      if (![".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"].includes(file.ext)) continue;
+      if (file.classification.excludeByDefault) continue;
+      const ast = parseToAST(file.content, file.path);
+      if (!ast) continue;
+      findings.push(...detectEmptyFunctions(ast, file));
+      findings.push(...detectAsyncWithoutAwait(ast, file));
+      findings.push(...detectSilentCatch(ast, file));
+      findings.push(...detectStubReturns(ast, file));
+      findings.push(...detectUnreachableCode(ast, file));
+    }
+    return findings;
+  }
+};
+// src/scanner/engines/flow-trace.ts
+var TAINT_SOURCES = [
+  // Express / Fastify request objects
+  { pattern: /req\.(?:body|params|query|headers)\b(?:\.\w+|\[['"`]\w+['"`]\])?/, label: "HTTP request input" },
+  { pattern: /request\.(?:body|params|query|headers)\b/, label: "HTTP request input" },
+  { pattern: /ctx\.(?:request|params|query)\b/, label: "Koa context input" },
+  // Next.js
+  { pattern: /searchParams\b(?:\.\w+|\[['"`]\w+['"`]\])?/, label: "URL search params" },
+  { pattern: /useSearchParams\(\)/, label: "URL search params" },
+  // General user input
+  { pattern: /document\.getElementById\(.+\)\.value/, label: "DOM input value" },
+  { pattern: /formData\.get\(.+\)/, label: "Form data input" },
+  { pattern: /event\.target\.value/, label: "Event target value" },
+  // Environment-specific
+  { pattern: /process\.argv\b/, label: "CLI argument" },
+  { pattern: /Deno\.args\b/, label: "CLI argument" }
+];
+var TAINT_SINKS = [
+  // FT001: SQL Injection
+  { pattern: /\.query\s*\(\s*[`'"]\s*(?:SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER)\b/i, ruleId: "FT001", label: "SQL query (string interpolation)", severity: "critical", confidence: 92 },
+  { pattern: /\.query\s*\(\s*`[^`]*\$\{/, ruleId: "FT001", label: "SQL query (template literal)", severity: "critical", confidence: 90 },
+  { pattern: /\.raw\s*\(\s*[`'"]/, ruleId: "FT001", label: "Raw SQL query", severity: "critical", confidence: 88 },
+  { pattern: /db\.exec(?:ute)?\s*\(\s*[`'"]/, ruleId: "FT001", label: "Database execute", severity: "critical", confidence: 88 },
+  // FT002: Command Injection
+  { pattern: /(?:child_process\.)?exec\s*\(/, ruleId: "FT002", label: "Shell exec", severity: "critical", confidence: 90 },
+  { pattern: /(?:child_process\.)?execSync\s*\(/, ruleId: "FT002", label: "Shell execSync", severity: "critical", confidence: 90 },
+  { pattern: /(?:child_process\.)?spawn\s*\(/, ruleId: "FT002", label: "Process spawn", severity: "high", confidence: 75 },
+  { pattern: /Deno\.run\s*\(/, ruleId: "FT002", label: "Deno process run", severity: "critical", confidence: 88 },
+  // FT003: XSS
+  { pattern: /\.innerHTML\s*=/, ruleId: "FT003", label: "innerHTML assignment", severity: "high", confidence: 85 },
+  { pattern: /document\.write\s*\(/, ruleId: "FT003", label: "document.write", severity: "high", confidence: 88 },
+  { pattern: /dangerouslySetInnerHTML/, ruleId: "FT003", label: "dangerouslySetInnerHTML", severity: "high", confidence: 82 },
+  { pattern: /\$\(\s*['"`].*['"`]\s*\)\.html\s*\(/, ruleId: "FT003", label: "jQuery .html()", severity: "high", confidence: 80 },
+  // FT004: Path Traversal
+  { pattern: /(?:readFileSync|readFile|createReadStream|writeFileSync|writeFile|unlink)\s*\(/, ruleId: "FT004", label: "File system operation", severity: "high", confidence: 78 },
+  { pattern: /path\.join\s*\(.*,/, ruleId: "FT004", label: "Path join (check base dir)", severity: "medium", confidence: 65 },
+  // FT005: Unvalidated Redirect
+  { pattern: /res\.redirect\s*\(/, ruleId: "FT005", label: "HTTP redirect", severity: "high", confidence: 80 },
+  { pattern: /window\.location\s*=/, ruleId: "FT005", label: "Window location assignment", severity: "high", confidence: 78 },
+  { pattern: /window\.location\.href\s*=/, ruleId: "FT005", label: "Window location.href assignment", severity: "high", confidence: 78 },
+  { pattern: /router\.push\s*\(/, ruleId: "FT005", label: "Router push", severity: "medium", confidence: 65 }
+];
+var SANITIZERS = [
+  // SQL sanitizers
+  { pattern: /(?:escape|sanitize|parameterize|prepare|placeholder)\s*\(/i, sanitizes: ["FT001"] },
+  { pattern: /\.prepare\s*\(/, sanitizes: ["FT001"] },
+  // Command sanitizers
+  { pattern: /(?:shellEscape|escapeShell|quote)\s*\(/i, sanitizes: ["FT002"] },
+  // XSS sanitizers
+  { pattern: /(?:escape|encode|sanitize|DOMPurify|xss)\s*\(/i, sanitizes: ["FT003"] },
+  { pattern: /encodeURIComponent\s*\(/, sanitizes: ["FT003", "FT005"] },
+  // Path sanitizers
+  { pattern: /path\.(?:normalize|resolve)\s*\(/, sanitizes: ["FT004"] },
+  { pattern: /\.startsWith\s*\(/, sanitizes: ["FT004"] },
+  { pattern: /\.includes\s*\(\s*['"`]\.\.\//i, sanitizes: ["FT004"] },
+  // Redirect sanitizers
+  { pattern: /(?:allowlist|whitelist|allowedUrls|safeUrls)\b/i, sanitizes: ["FT005"] },
+  { pattern: /\.startsWith\s*\(\s*['"`]\//, sanitizes: ["FT005"] },
+  // Generic validators
+  { pattern: /(?:parseInt|parseFloat|Number|Boolean)\s*\(/, sanitizes: ["FT001", "FT002", "FT003", "FT004", "FT005"] },
+  { pattern: /\.(?:match|test)\s*\(\s*\//, sanitizes: ["FT001", "FT002", "FT003", "FT004", "FT005"] },
+  { pattern: /(?:zod|yup|joi|ajv|superstruct).*\.parse\s*\(/i, sanitizes: ["FT001", "FT002", "FT003", "FT004", "FT005"] }
+];
+function traceFlows(file) {
+  const findings = [];
+  const lines = file.lines;
+  const tainted = /* @__PURE__ */ new Map();
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+    for (const source of TAINT_SOURCES) {
+      if (!source.pattern.test(line)) continue;
+      const assignMatch = line.match(/(?:const|let|var)\s+(\w+)\s*=.*$/);
+      if (assignMatch) {
+        tainted.set(assignMatch[1], {
+          name: assignMatch[1],
+          sourceLine: i + 1,
+          sourceLabel: source.label,
+          sanitizedFor: /* @__PURE__ */ new Set()
+        });
+        continue;
+      }
+      const destructMatch = line.match(/(?:const|let|var)\s+\{\s*([^}]+)\}\s*=/);
+      if (destructMatch) {
+        const vars = destructMatch[1].split(",").map((v) => v.trim().split(":")[0].trim().split("=")[0].trim());
+        for (const v of vars) {
+          if (v && /^\w+$/.test(v)) {
+            tainted.set(v, {
+              name: v,
+              sourceLine: i + 1,
+              sourceLabel: source.label,
+              sanitizedFor: /* @__PURE__ */ new Set()
+            });
+          }
+        }
+      }
+    }
+    for (const [varName, taintInfo] of tainted) {
+      if (!line.includes(varName)) continue;
+      for (const sanitizer of SANITIZERS) {
+        if (sanitizer.pattern.test(line)) {
+          for (const ruleId of sanitizer.sanitizes) {
+            taintInfo.sanitizedFor.add(ruleId);
+          }
+        }
+      }
+    }
+    for (const [varName] of tainted) {
+      const propMatch = line.match(new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=.*\\b${varName}\\b`));
+      if (propMatch && propMatch[1] !== varName) {
+        const existing = tainted.get(varName);
+        tainted.set(propMatch[1], {
+          name: propMatch[1],
+          sourceLine: existing.sourceLine,
+          sourceLabel: existing.sourceLabel,
+          sanitizedFor: new Set(existing.sanitizedFor)
+        });
+      }
+    }
+    for (const sink of TAINT_SINKS) {
+      if (!sink.pattern.test(line)) continue;
+      for (const [varName, taintInfo] of tainted) {
+        if (!line.includes(varName)) continue;
+        if (taintInfo.sanitizedFor.has(sink.ruleId)) continue;
+        const rule = getRuleOrDefault(sink.ruleId);
+        const severity = escalateSeverity(sink.severity, file.classification.isCriticalPath);
+        findings.push({
+          id: `${sink.ruleId}-flow-${file.path}-${i + 1}`,
+          ruleId: sink.ruleId,
+          engine: "flow-trace",
+          category: "security",
+          severity,
+          confidence: sink.confidence >= 85 ? "certain" : sink.confidence >= 65 ? "likely" : "possible",
+          confidenceScore: sink.confidence,
+          file: file.path,
+          line: i + 1,
+          code: trimmed,
+          message: `Tainted data flows to ${sink.label} \u2014 '${varName}' originates from ${taintInfo.sourceLabel} (line ${taintInfo.sourceLine}) without sanitization`,
+          why: rule.why || `User-controlled input ('${varName}' from ${taintInfo.sourceLabel}) reaches a dangerous sink (${sink.label}) without sanitization or validation. This can be exploited by attackers to inject malicious payloads.`,
+          fix: rule.fix || `Validate and sanitize '${varName}' before passing it to ${sink.label}. Use parameterized queries for SQL, escape functions for HTML, and allowlists for redirects.`,
+          autoFixable: false,
+          tags: [...rule.tags || [], "flow-trace", "taint-analysis"],
+          cwe: getCWE(sink.ruleId),
+          verified: false,
+          _dedup: `${sink.ruleId}:flow:${file.path}:${i + 1}:${varName}`
+        });
+      }
+    }
+  }
+  return findings;
+}
+function getCWE(ruleId) {
+  switch (ruleId) {
+    case "FT001":
+      return "CWE-89";
+    // SQL Injection
+    case "FT002":
+      return "CWE-78";
+    // OS Command Injection
+    case "FT003":
+      return "CWE-79";
+    // XSS
+    case "FT004":
+      return "CWE-22";
+    // Path Traversal
+    case "FT005":
+      return "CWE-601";
+    // Open Redirect
+    default:
+      return void 0;
+  }
+}
+var flowTraceEngine = {
+  name: "flow-trace",
+  description: "Intra-file data-flow tracking: traces user input from sources to dangerous sinks",
+  async scan(files, _options) {
+    const findings = [];
+    for (const [, file] of files) {
+      if (![".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py"].includes(file.ext)) continue;
+      if (file.classification.excludeByDefault) continue;
+      if (file.classification.category === "test") continue;
+      if (file.classification.category === "config") continue;
+      findings.push(...traceFlows(file));
+    }
+    return findings;
+  }
+};
+// src/scanner/isl-compliance.ts
+var import_fs3 = require("fs");
+var import_path4 = require("path");
+var CODE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py", ".go", ".rs"]);
+var EXCLUDE_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".next", ".nuxt", "coverage", "__pycache__", ".venv"]);
+function loadCodeFiles(projectRoot) {
+  const results = [];
+  const maxFiles = 500;
+  const maxFileSize = 256 * 1024;
+  function walk(dir) {
+    if (results.length >= maxFiles) return;
+    let entries;
+    try {
+      entries = (0, import_fs3.readdirSync)(dir);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (results.length >= maxFiles) return;
+      if (EXCLUDE_DIRS.has(entry) || entry.startsWith(".")) continue;
+      const fullPath = (0, import_path4.join)(dir, entry);
+      let stat;
+      try {
+        stat = (0, import_fs3.statSync)(fullPath);
+      } catch {
+        continue;
+      }
+      if (stat.isDirectory()) {
+        walk(fullPath);
+        continue;
+      }
+      const ext = (0, import_path4.extname)(entry).toLowerCase();
+      if (!CODE_EXTENSIONS.has(ext)) continue;
+      if (stat.size > maxFileSize) continue;
+      try {
+        const content = (0, import_fs3.readFileSync)(fullPath, "utf-8");
+        results.push({ path: (0, import_path4.relative)(projectRoot, fullPath).replace(/\\/g, "/"), content });
+      } catch {
+      }
+    }
+  }
+  walk(projectRoot);
+  return results;
+}
+function extractISLSpec(source) {
+  const domainMatch = source.match(/domain\s+(\w+)/);
+  if (!domainMatch) return null;
+  const spec = {
+    domain: domainMatch[1],
+    behaviors: [],
+    entities: [],
+    policies: []
+  };
+  const versionMatch = source.match(/version\s*:\s*["']([^"']+)["']/);
+  if (versionMatch) spec.version = versionMatch[1];
+  const lines = source.split("\n");
+  let currentBlock = "none";
+  let currentName = "";
+  let currentLine = 0;
+  let braceDepth = 0;
+  let blockBraceStart = 0;
+  let fields = [];
+  let preconditions = [];
+  let postconditions = [];
+  let policyRule = "";
+  let policyEnforce = "";
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith("//") || trimmed.startsWith("/*") || trimmed.startsWith("*")) continue;
+    for (const ch of trimmed) {
+      if (ch === "{") braceDepth++;
+      if (ch === "}") braceDepth--;
+    }
+    const behaviorMatch = trimmed.match(/^behavior\s+(\w+)\s*\{?/);
+    if (behaviorMatch) {
+      currentBlock = "behavior";
+      currentName = behaviorMatch[1];
+      currentLine = i + 1;
+      blockBraceStart = braceDepth;
+      preconditions = [];
+      postconditions = [];
+      continue;
+    }
+    const entityMatch = trimmed.match(/^entity\s+(\w+)\s*\{?/);
+    if (entityMatch) {
+      currentBlock = "entity";
+      currentName = entityMatch[1];
+      currentLine = i + 1;
+      blockBraceStart = braceDepth;
+      fields = [];
+      continue;
+    }
+    const policyMatch = trimmed.match(/^policy\s+(\w+)\s*\{?/);
+    if (policyMatch) {
+      currentBlock = "policy";
+      currentName = policyMatch[1];
+      currentLine = i + 1;
+      blockBraceStart = braceDepth;
+      policyRule = "";
+      policyEnforce = "";
+      continue;
+    }
+    if (currentBlock === "entity") {
+      const fieldMatch = trimmed.match(/^(\w+)\s*:/);
+      if (fieldMatch && !["meta", "version", "description", "ship_score", "security_level"].includes(fieldMatch[1])) {
+        fields.push(fieldMatch[1]);
+      }
+    }
+    if (currentBlock === "behavior") {
+      const preMatch = trimmed.match(/^pre\s*:\s*\[([^\]]+)\]/);
+      if (preMatch) {
+        preconditions = preMatch[1].split(",").map((s) => s.trim());
+      }
+      const postMatch = trimmed.match(/^post\s*:\s*\[([^\]]+)\]/);
+      if (postMatch) {
+        postconditions = postMatch[1].split(",").map((s) => s.trim());
+      }
+    }
+    if (currentBlock === "policy") {
+      const ruleMatch = trimmed.match(/^rule\s*:\s*["']([^"']+)["']/);
+      if (ruleMatch) policyRule = ruleMatch[1];
+      const enforceMatch = trimmed.match(/^enforce\s*:\s*(.+)/);
+      if (enforceMatch) policyEnforce = enforceMatch[1].trim();
+    }
+    if (trimmed.includes("}") && currentBlock !== "none" && braceDepth <= blockBraceStart - 1) {
+      if (currentBlock === "behavior") {
+        spec.behaviors.push({ name: currentName, line: currentLine, preconditions, postconditions });
+      } else if (currentBlock === "entity") {
+        spec.entities.push({ name: currentName, line: currentLine, fields });
+      } else if (currentBlock === "policy") {
+        spec.policies.push({ name: currentName, line: currentLine, rule: policyRule, enforce: policyEnforce });
+      }
+      currentBlock = "none";
+    }
+  }
+  return spec;
+}
+function behaviorToRoutePatterns(name) {
+  const lower = name.toLowerCase();
+  const patterns = [
+    new RegExp(`[/'"]\\/?(?:api\\/)?${lower}['"/]`, "i"),
+    new RegExp(`[/'"]\\/?(?:api\\/)?auth\\/${lower}['"/]`, "i"),
+    new RegExp(`[/'"]\\/?(?:api\\/)?v\\d+\\/${lower}['"/]`, "i")
+  ];
+  const specialRoutes = {
+    login: ["/login", "/auth/login", "/api/auth/login", "/api/login", "/signin", "/sign-in"],
+    register: ["/register", "/auth/register", "/api/auth/register", "/signup", "/sign-up", "/api/register"],
+    resetpassword: ["/reset-password", "/forgot-password", "/auth/reset-password", "/api/auth/reset-password"],
+    logout: ["/logout", "/auth/logout", "/api/auth/logout", "/signout"],
+    getuser: ["/user", "/users", "/api/user", "/api/users", "/me", "/api/me"]
+  };
+  const mapped = specialRoutes[lower];
+  if (mapped) {
+    for (const route of mapped) {
+      patterns.push(new RegExp(route.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "i"));
+    }
+  }
+  return patterns;
+}
+function behaviorToFunctionPatterns(name) {
+  return [
+    new RegExp(`(?:function|const|let|var|async\\s+function)\\s+${name}\\b`, "i"),
+    new RegExp(`(?:export\\s+(?:async\\s+)?function)\\s+${name}\\b`, "i"),
+    new RegExp(`\\.${name.toLowerCase()}\\s*=`, "i"),
+    new RegExp(`['"]${name.toLowerCase()}['"]\\s*:`, "i")
+  ];
+}
+function entityToCodePatterns(name) {
+  return [
+    new RegExp(`(?:interface|type|class|model)\\s+${name}\\b`, "i"),
+    new RegExp(`(?:schema|Schema)\\s*\\(\\s*['"\`]${name}['"\`]`, "i"),
+    new RegExp(`createTable\\s*\\(\\s*['"\`]${name.toLowerCase()}s?['"\`]`, "i"),
+    new RegExp(`model\\s+${name}\\s*\\{`, "i"),
+    // Prisma
+    new RegExp(`@Entity\\s*\\(.*['"\`]${name}['"\`]`, "i")
+    // TypeORM
+  ];
+}
+function securityEnforcePatterns(enforce, policyName) {
+  const patterns = [];
+  const lower = enforce.toLowerCase();
+  if (lower.includes("bcrypt") || lower.includes("hash")) {
+    patterns.push(/bcrypt/i, /argon2/i, /scrypt/i, /hash\s*\(/i, /hashPassword/i);
+  }
+  if (lower.includes("jwt") || lower.includes("token")) {
+    patterns.push(/jwt\.sign/i, /jsonwebtoken/i, /jose/i);
+  }
+  if (lower.includes("rate_limit") || policyName.toLowerCase().includes("rate")) {
+    patterns.push(/rate[-_]?limit/i, /rateLimit/i, /express-rate-limit/i, /throttle/i, /@fastify\/rate-limit/i);
+  }
+  if (lower.includes("auth") || lower.includes("authenticated")) {
+    patterns.push(/(?:isAuthenticated|requireAuth|auth\s*\(|middleware.*auth|verifyToken|getServerSession)/i);
+  }
+  if (lower.includes("encrypt")) {
+    patterns.push(/encrypt/i, /crypto\.createCipher/i, /AES/i);
+  }
+  return patterns;
+}
+function checkISLCompliance(projectRoot, files) {
+  const specPath = (0, import_path4.join)(projectRoot, "spec.isl");
+  const findings = [];
+  if (!(0, import_fs3.existsSync)(specPath)) {
+    return {
+      result: {
+        specFound: false,
+        specPath,
+        domain: "",
+        parseSuccess: false,
+        parseErrors: [],
+        checks: [],
+        score: 100,
+        // No spec = no compliance requirements
+        summary: { totalChecks: 0, passed: 0, failed: 0, warnings: 0 }
+      },
+      findings: []
+    };
+  }
+  let source;
+  try {
+    source = (0, import_fs3.readFileSync)(specPath, "utf-8");
+  } catch {
+    return {
+      result: {
+        specFound: true,
+        specPath,
+        domain: "",
+        parseSuccess: false,
+        parseErrors: ["Failed to read spec.isl"],
+        checks: [],
+        score: 0,
+        summary: { totalChecks: 0, passed: 0, failed: 0, warnings: 0 }
+      },
+      findings: [{
+        id: "ISL005-parse-error",
+        ruleId: "ISL005",
+        engine: "isl-compliance",
+        category: "drift",
+        severity: "high",
+        confidence: "certain",
+        confidenceScore: 100,
+        file: "spec.isl",
+        line: 1,
+        code: "",
+        message: "Failed to read spec.isl",
+        why: getRuleOrDefault("ISL005").why,
+        fix: getRuleOrDefault("ISL005").fix,
+        autoFixable: false,
+        tags: ["isl", "spec", "parse-error"],
+        verified: false
+      }]
+    };
+  }
+  const spec = extractISLSpec(source);
+  if (!spec) {
+    const rule = getRuleOrDefault("ISL005");
+    return {
+      result: {
+        specFound: true,
+        specPath,
+        domain: "",
+        parseSuccess: false,
+        parseErrors: ["Could not parse domain declaration in spec.isl"],
+        checks: [],
+        score: 0,
+        summary: { totalChecks: 0, passed: 0, failed: 0, warnings: 0 }
+      },
+      findings: [{
+        id: "ISL005-no-domain",
+        ruleId: "ISL005",
+        engine: "isl-compliance",
+        category: "drift",
+        severity: "high",
+        confidence: "certain",
+        confidenceScore: 100,
+        file: "spec.isl",
+        line: 1,
+        code: source.split("\n")[0] ?? "",
+        message: "spec.isl has no valid domain declaration",
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: false,
+        tags: ["isl", "spec", "parse-error"],
+        verified: false
+      }]
+    };
+  }
+  let fileContents;
+  if (files.size > 0) {
+    fileContents = [];
+    for (const [, file] of files) {
+      if (file.classification.excludeByDefault) continue;
+      fileContents.push({ path: file.path, content: file.content });
+    }
+  } else {
+    fileContents = loadCodeFiles(projectRoot);
+  }
+  const checks = [];
+  for (const behavior of spec.behaviors) {
+    const routePatterns = behaviorToRoutePatterns(behavior.name);
+    const funcPatterns = behaviorToFunctionPatterns(behavior.name);
+    const allPatterns = [...routePatterns, ...funcPatterns];
+    const matchedFiles = [];
+    for (const file of fileContents) {
+      for (const pattern of allPatterns) {
+        if (pattern.test(file.content)) {
+          matchedFiles.push(file.path);
+          break;
+        }
+      }
+    }
+    if (matchedFiles.length > 0) {
+      checks.push({
+        type: "behavior",
+        name: behavior.name,
+        status: "pass",
+        message: `Behavior '${behavior.name}' has matching implementation`,
+        specLine: behavior.line,
+        matchedFiles
+      });
+    } else {
+      checks.push({
+        type: "behavior",
+        name: behavior.name,
+        status: "fail",
+        message: `Behavior '${behavior.name}' declared in spec.isl but no matching route or handler found in codebase`,
+        specLine: behavior.line
+      });
+      const rule = getRuleOrDefault("ISL001");
+      findings.push({
+        id: `ISL001-${behavior.name}`,
+        ruleId: "ISL001",
+        engine: "isl-compliance",
+        category: "drift",
+        severity: "high",
+        confidence: "likely",
+        confidenceScore: 78,
+        file: "spec.isl",
+        line: behavior.line,
+        code: `behavior ${behavior.name} { ... }`,
+        message: `Behavior '${behavior.name}' declared in spec but no matching route/handler found`,
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: false,
+        tags: ["isl", "spec-drift", "unimplemented-behavior"],
+        verified: false,
+        _dedup: `ISL001:${behavior.name}`
+      });
+    }
+  }
+  for (const entity of spec.entities) {
+    const patterns = entityToCodePatterns(entity.name);
+    const matchedFiles = [];
+    for (const file of fileContents) {
+      for (const pattern of patterns) {
+        if (pattern.test(file.content)) {
+          matchedFiles.push(file.path);
+          break;
+        }
+      }
+    }
+    if (matchedFiles.length > 0) {
+      checks.push({
+        type: "entity",
+        name: entity.name,
+        status: "pass",
+        message: `Entity '${entity.name}' has matching type/model definition`,
+        specLine: entity.line,
+        matchedFiles
+      });
+    } else {
+      checks.push({
+        type: "entity",
+        name: entity.name,
+        status: "fail",
+        message: `Entity '${entity.name}' declared in spec.isl but no matching type/model/schema found`,
+        specLine: entity.line
+      });
+      const rule = getRuleOrDefault("ISL002");
+      findings.push({
+        id: `ISL002-${entity.name}`,
+        ruleId: "ISL002",
+        engine: "isl-compliance",
+        category: "drift",
+        severity: "medium",
+        confidence: "likely",
+        confidenceScore: 72,
+        file: "spec.isl",
+        line: entity.line,
+        code: `entity ${entity.name} { ${entity.fields.join(", ")} }`,
+        message: `Entity '${entity.name}' declared in spec but no matching type/model found`,
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: false,
+        tags: ["isl", "spec-drift", "unimplemented-entity"],
+        verified: false,
+        _dedup: `ISL002:${entity.name}`
+      });
+    }
+  }
+  for (const policy of spec.policies) {
+    const patterns = securityEnforcePatterns(policy.enforce, policy.name);
+    if (patterns.length === 0) {
+      checks.push({
+        type: "policy",
+        name: policy.name,
+        status: "warn",
+        message: `Policy '${policy.name}' could not be automatically verified (unrecognized enforce pattern)`,
+        specLine: policy.line
+      });
+      continue;
+    }
+    const matchedFiles = [];
+    for (const file of fileContents) {
+      for (const pattern of patterns) {
+        if (pattern.test(file.content)) {
+          matchedFiles.push(file.path);
+          break;
+        }
+      }
+    }
+    if (matchedFiles.length > 0) {
+      checks.push({
+        type: "policy",
+        name: policy.name,
+        status: "pass",
+        message: `Policy '${policy.name}' has matching enforcement in codebase`,
+        specLine: policy.line,
+        matchedFiles
+      });
+    } else {
+      const isRateLimit = policy.name.toLowerCase().includes("rate") || policy.enforce.toLowerCase().includes("rate_limit");
+      const ruleId = isRateLimit ? "ISL004" : "ISL003";
+      const rule = getRuleOrDefault(ruleId);
+      const severity = isRateLimit ? "high" : "critical";
+      checks.push({
+        type: "policy",
+        name: policy.name,
+        status: "fail",
+        message: `Policy '${policy.name}' (${policy.rule}) has no matching enforcement found`,
+        specLine: policy.line
+      });
+      findings.push({
+        id: `${ruleId}-${policy.name}`,
+        ruleId,
+        engine: "isl-compliance",
+        category: "security",
+        severity,
+        confidence: "likely",
+        confidenceScore: 75,
+        file: "spec.isl",
+        line: policy.line,
+        code: `policy ${policy.name} { enforce: ${policy.enforce} }`,
+        message: `Policy '${policy.name}' declared in spec but no enforcement found: ${policy.rule}`,
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: false,
+        tags: ["isl", "spec-drift", "unenforced-policy"],
+        verified: false,
+        _dedup: `${ruleId}:${policy.name}`
+      });
+    }
+  }
+  const passed = checks.filter((c) => c.status === "pass").length;
+  const failed = checks.filter((c) => c.status === "fail").length;
+  const warned = checks.filter((c) => c.status === "warn").length;
+  const total = checks.length;
+  const score = total > 0 ? Math.round(passed / total * 100) : 100;
+  return {
+    result: {
+      specFound: true,
+      specPath,
+      domain: spec.domain,
+      parseSuccess: true,
+      parseErrors: [],
+      checks,
+      score,
+      summary: {
+        totalChecks: total,
+        passed,
+        failed,
+        warnings: warned
+      }
+    },
+    findings
+  };
+}
 // src/scanner/index.ts
 var ALL_ENGINES = [
   credentialsEngine,
@@ -3115,7 +4234,9 @@ var ALL_ENGINES = [
   deadUIEngine,
   codeQualityEngine,
   importGraphEngine,
-  runtimeVerifyEngine
+  runtimeVerifyEngine,
+  astAnalysisEngine,
+  flowTraceEngine
 ];
 var DEFAULT_EXCLUDE = [
   "node_modules",
@@ -3137,22 +4258,22 @@ function loadFiles(projectRoot, options) {
   function walk(dir) {
     let entries;
     try {
-      entries = (0, import_fs3.readdirSync)(dir);
+      entries = (0, import_fs4.readdirSync)(dir);
     } catch {
       return;
     }
     for (const entry of entries) {
-      const fullPath = (0, import_path4.join)(dir, entry);
+      const fullPath = (0, import_path5.join)(dir, entry);
       if (exclude.some((e) => entry === e || entry.startsWith("."))) {
         try {
-          if ((0, import_fs3.statSync)(fullPath).isDirectory()) continue;
+          if ((0, import_fs4.statSync)(fullPath).isDirectory()) continue;
         } catch {
           continue;
         }
       }
       let stat;
       try {
-        stat = (0, import_fs3.statSync)(fullPath);
+        stat = (0, import_fs4.statSync)(fullPath);
       } catch {
         continue;
       }
@@ -3162,19 +4283,19 @@ function loadFiles(projectRoot, options) {
       }
       if (!isCodeFile(fullPath)) continue;
       if (stat.size > maxFileSize) continue;
-      const relativePath = (0, import_path4.relative)(projectRoot, fullPath);
+      const relativePath = (0, import_path5.relative)(projectRoot, fullPath);
       const classification = classifyPath(relativePath);
       if (classification.excludeByDefault && classification.category !== "test") continue;
       if (classification.category === "test" && !options.includeTests) continue;
       try {
-        const content = (0, import_fs3.readFileSync)(fullPath, "utf-8");
+        const content = (0, import_fs4.readFileSync)(fullPath, "utf-8");
         const hash = (0, import_crypto.createHash)("md5").update(content).digest("hex");
         files.set(relativePath, {
           path: relativePath,
           absolutePath: fullPath,
           content,
           lines: content.split("\n"),
-          ext: (0, import_path4.extname)(fullPath).toLowerCase(),
+          ext: (0, import_path5.extname)(fullPath).toLowerCase(),
           hash,
           classification
         });
@@ -3184,10 +4305,10 @@ function loadFiles(projectRoot, options) {
   }
   if (options.files && options.files.length > 0) {
     for (const filePath of options.files) {
-      const fullPath = (0, import_path4.join)(projectRoot, filePath);
-      if (!(0, import_fs3.existsSync)(fullPath)) continue;
+      const fullPath = (0, import_path5.join)(projectRoot, filePath);
+      if (!(0, import_fs4.existsSync)(fullPath)) continue;
       try {
-        const content = (0, import_fs3.readFileSync)(fullPath, "utf-8");
+        const content = (0, import_fs4.readFileSync)(fullPath, "utf-8");
         const hash = (0, import_crypto.createHash)("md5").update(content).digest("hex");
         const classification = classifyPath(filePath);
         files.set(filePath, {
@@ -3195,7 +4316,7 @@ function loadFiles(projectRoot, options) {
           absolutePath: fullPath,
           content,
           lines: content.split("\n"),
-          ext: (0, import_path4.extname)(fullPath).toLowerCase(),
+          ext: (0, import_path5.extname)(fullPath).toLowerCase(),
           hash,
           classification
         });
@@ -3320,6 +4441,35 @@ async function scan(options) {
     elapsedMs: Date.now() - startTime
   });
   const { deduplicated, suppressedCount } = deduplicateFindings(allFindings);
+  let specCompliance;
+  const islStart = Date.now();
+  try {
+    const { result: islResult, findings: islFindings } = checkISLCompliance(options.projectRoot, files);
+    if (islResult.specFound) {
+      specCompliance = {
+        specFound: islResult.specFound,
+        domain: islResult.domain,
+        score: islResult.score,
+        summary: islResult.summary,
+        checks: islResult.checks
+      };
+      deduplicated.push(...islFindings);
+      engineResults.push({
+        engine: "isl-compliance",
+        findings: islFindings.length,
+        durationMs: Date.now() - islStart,
+        success: true
+      });
+    }
+  } catch {
+    engineResults.push({
+      engine: "isl-compliance",
+      findings: 0,
+      durationMs: Date.now() - islStart,
+      success: false,
+      error: "ISL compliance check failed"
+    });
+  }
   const severityOrder = ["low", "medium", "high", "critical"];
   const minSeverityIndex = severityOrder.indexOf(options.severityThreshold ?? "low");
   const filtered = deduplicated.filter(
@@ -3370,7 +4520,8 @@ async function scan(options) {
       durationMs,
       filesPerSecond: files.size > 0 ? Math.round(files.size / durationMs * 1e3) : 0,
       engineTimings
-    }
+    },
+    specCompliance
   };
 }
 async function fix(options) {
@@ -3387,6 +4538,7 @@ async function fix(options) {
   ALL_ENGINES,
   RULE_CATALOG,
   applyFixes,
+  checkISLCompliance,
   classifyPath,
   fix,
   getRuleOrDefault,