xploitscan 1.0.0 → 1.0.2

package/dist/index.js

@@ -1,14 +1,17 @@
 #!/usr/bin/env node
 import {
   checkUsage,
+  clearProRulesCache,
   clearToken,
+  downloadProRulesBundle,
   getStoredToken,
   incrementUsage,
   isAuthenticated,
+  loadCachedProRules,
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-CBDFSACC.js";
+} from "./chunk-IHRV7UHG.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -666,58 +669,6 @@ var nextPublicSecret = {
     return matches;
   }
 };
-var firebaseClientConfig = {
-  id: "VC012",
-  title: "Firebase Config with API Key in Client Code",
-  severity: "medium",
-  category: "Configuration",
-  description: "Firebase config objects in client code expose your API key. While Firebase API keys aren't secret, they should be restricted in the Firebase console.",
-  check(content, filePath) {
-    if (!/firebase/i.test(content)) return [];
-    const patterns = [
-      /firebaseConfig\s*=\s*\{[^}]*apiKey\s*:/gi,
-      /initializeApp\s*\(\s*\{[^}]*apiKey\s*:/gi
-    ];
-    const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        firebaseClientConfig,
-        filePath,
-        () => "Move Firebase config to environment variables. Restrict the API key in Firebase Console > Project Settings > API restrictions."
-      ));
-    }
-    return matches;
-  }
-};
-var supabaseAnonAdmin = {
-  id: "VC013",
-  title: "Supabase Anon Key Used for Admin Operations",
-  severity: "high",
-  category: "Authorization",
-  description: "Using the Supabase anon key for operations that require elevated privileges is insecure.",
-  check(content, filePath) {
-    if (!/supabase/i.test(content)) return [];
-    if (!/anon/i.test(content)) return [];
-    if (/service_role/i.test(content)) return [];
-    const patterns = [
-      /supabase[^.]*\.auth\.admin/gi,
-      /supabase[^.]*\.rpc\s*\(/gi
-    ];
-    const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        supabaseAnonAdmin,
-        filePath,
-        () => "Use the service_role key on the server side for admin operations. Never expose it to the client."
-      ));
-    }
-    return matches;
-  }
-};
 var envNotGitignored = {
   id: "VC014",
   title: ".env File Not in .gitignore",
@@ -874,46 +825,6 @@ var exposedAuthSecret = {
     return matches;
   }
 };
-var insecureElectronWindow = {
-  id: "VC019",
-  title: "Insecure Electron BrowserWindow Configuration",
-  severity: "high",
-  category: "Configuration",
-  description: "Electron BrowserWindow with nodeIntegration enabled, contextIsolation disabled, or sandbox disabled allows renderer processes to access Node.js APIs, enabling remote code execution.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!/BrowserWindow/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /nodeIntegration\s*:\s*true/g,
-      /contextIsolation\s*:\s*false/g,
-      /sandbox\s*:\s*false/g,
-      /webSecurity\s*:\s*false/g,
-      /allowRunningInsecureContent\s*:\s*true/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        insecureElectronWindow,
-        filePath,
-        (m) => `Set ${m[0].split(":")[0].trim()}: ${m[0].includes("true") ? "false" : "true"}. Enable contextIsolation, sandbox, and webSecurity; disable nodeIntegration and allowRunningInsecureContent.`
-      ));
-    }
-    if (/new\s+BrowserWindow\s*\(/g.test(content)) {
-      if (!/sandbox\s*:/i.test(content)) {
-        matches.push(...findMatches(
-          content,
-          /new\s+BrowserWindow\s*\(/g,
-          { ...insecureElectronWindow, title: "Electron BrowserWindow Missing sandbox:true" },
-          filePath,
-          () => "Add sandbox: true to BrowserWindow webPreferences for defense in depth."
-        ));
-      }
-    }
-    return matches;
-  }
-};
 var missingCSP = {
   id: "VC020",
   title: "Missing Content Security Policy (CSP)",
@@ -938,311 +849,6 @@ var missingCSP = {
     return [];
   }
 };
-var ipcPathTraversal = {
-  id: "VC021",
-  title: "IPC/File Handler Without Path Validation",
-  severity: "medium",
-  category: "Injection",
-  description: "IPC handlers that read or write files based on renderer-supplied paths without validation allow path traversal attacks, potentially exposing sensitive files like .ssh keys or .env files.",
-  check(content, filePath) {
-    if (!/ipcMain\.handle|ipcMain\.on/i.test(content)) return [];
-    const matches = [];
-    const hasFileOps = /readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream/i.test(content);
-    if (!hasFileOps) return [];
-    const hasPathValidation = /(?:path\.resolve|path\.normalize|startsWith|isAbsolute|\.includes\s*\(\s*["'`]\.\.["'`]\s*\)|allowedPaths|safePath|validatePath|sanitizePath)/i.test(content);
-    if (!hasPathValidation) {
-      matches.push(...findMatches(
-        content,
-        /ipcMain\.(?:handle|on)\s*\(\s*["'`][^"'`]*(?:read|write|file|save|load|open|export)[^"'`]*["'`]/gi,
-        ipcPathTraversal,
-        filePath,
-        () => "Validate file paths in IPC handlers: ensure paths are within an allowed directory (e.g., app.getPath('userData')), reject paths containing '..', and block access to sensitive directories (.ssh, .env, etc)."
-      ));
-    }
-    return matches;
-  }
-};
-var unsanitizedHTMLExport = {
-  id: "VC022",
-  title: "HTML Export/Render Without Sanitization",
-  severity: "critical",
-  category: "Injection",
-  description: "Generating HTML from user content without sanitization (e.g., DOMPurify) allows stored XSS attacks. Malicious content saved in documents could execute scripts when exported or previewed.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (/DOMPurify|dompurify/i.test(content)) return [];
-    if (filePath.match(/\.(jsx|tsx|vue|svelte)$/) && !/innerHTML|document\.write|\.html\s*=/i.test(content)) return [];
-    const hasSanitizer = /sanitize|escapeHtml|escapeHTML|xss|htmlEncode|purify/i.test(content);
-    if (hasSanitizer) return [];
-    if (!/(?:export|download|save|write|send).*(?:html|HTML)|\.innerHTML\s*=|document\.write|res\.send\s*\(/i.test(content)) return [];
-    const matches = [];
-    const htmlBuildPatterns = [
-      /`<[^`]*\$\{[^}]*(?:content|title|body|text|name|message|description|input|value|data)[^}]*\}[^`]*>`/gi,
-      /["']<[^"']*['"]\s*\+\s*(?:content|title|body|text|message|data|doc\.|post\.|article\.)/gi
-    ];
-    for (const p of htmlBuildPatterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unsanitizedHTMLExport,
-        filePath,
-        () => "Sanitize user content before embedding in HTML. Use DOMPurify: DOMPurify.sanitize(content). For plain text, use a function to escape HTML entities (<, >, &, quotes)."
-      ));
-    }
-    return matches;
-  }
-};
-var prototypePollution = {
-  id: "VC023",
-  title: "Prototype Pollution Risk",
-  severity: "high",
-  category: "Injection",
-  description: "Parsing JSON from localStorage, URL params, or external sources and merging it into objects without validation can lead to prototype pollution, allowing attackers to inject __proto__ or constructor properties.",
-  check(content, filePath) {
-    const matches = [];
-    const storageParsePatterns = [
-      /JSON\.parse\s*\(\s*(?:localStorage|sessionStorage)\.getItem/g,
-      /JSON\.parse\s*\(\s*window\.localStorage/g
-    ];
-    const hasValidation = /schema|validate|sanitize|whitelist|allowedKeys|pick\(|Object\.freeze|zod|yup|joi|ajv/i.test(content);
-    if (hasValidation) return [];
-    const hasUnsafeMerge = /Object\.assign\s*\([^)]*JSON\.parse|\.\.\.JSON\.parse|\{.*\.\.\.(?:stored|saved|cached|parsed|data)/i.test(content);
-    if (hasUnsafeMerge) {
-      matches.push(...findMatches(
-        content,
-        /Object\.assign\s*\([^)]*JSON\.parse|\.\.\.JSON\.parse/g,
-        prototypePollution,
-        filePath,
-        () => "Validate parsed data against an expected schema before merging into objects. Use Object.freeze(), a validation library (Zod, Yup), or manually check for __proto__ and constructor keys."
-      ));
-    }
-    for (const p of storageParsePatterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        prototypePollution,
-        filePath,
-        () => "Validate localStorage data against an expected schema before using it. Malicious extensions or XSS can modify localStorage values."
-      ));
-    }
-    return matches;
-  }
-};
-var missingFileSizeLimits = {
-  id: "VC024",
-  title: "File Write/Save Without Size Limit",
-  severity: "medium",
-  category: "Availability",
-  description: "File save or upload handlers without size validation can lead to denial-of-service via disk exhaustion or memory exhaustion.",
-  check(content, filePath) {
-    if (!/(?:writeFile|save|upload|export)/i.test(filePath) && !/(?:writeFile|writeFileSync|createWriteStream)/i.test(content)) return [];
-    const hasWriteOps = /(?:ipcMain|app\.(?:post|put)|router\.(?:post|put)).*(?:writeFile|save|export)/is.test(content) || /(?:writeFile|writeFileSync)\s*\(/g.test(content);
-    if (!hasWriteOps) return [];
-    const hasSizeCheck = /(?:size|length|byteLength|bytes)\s*(?:>|>=|<|<=|===)\s*\d|maxSize|MAX_SIZE|sizeLimit|content-length/i.test(content);
-    if (hasSizeCheck) return [];
-    return findMatches(
-      content,
-      /(?:writeFile|writeFileSync)\s*\(/g,
-      missingFileSizeLimits,
-      filePath,
-      () => "Add file size validation before writing. Check content.length or Buffer.byteLength() against a maximum (e.g., 10MB) to prevent disk exhaustion."
-    );
-  }
-};
-var unsanitizedFilenames = {
-  id: "VC025",
-  title: "Unsanitized Filename in File Operations",
-  severity: "medium",
-  category: "Injection",
-  description: "Using user-supplied filenames without sanitization in file operations can enable path traversal, overwriting system files, or executing commands via special characters.",
-  check(content, filePath) {
-    const matches = [];
-    const patterns = [
-      /(?:writeFile|writeFileSync|createWriteStream|rename|copyFile)\s*\(\s*(?:`[^`]*\$\{|[^"'`\s,]+\s*\+)/g,
-      /(?:dialog\.showSaveDialog|saveDialog).*(?:defaultPath|fileName)\s*:\s*(?!["'`])/g,
-      /\.download\s*=\s*(?!["'`])/g
-    ];
-    const hasSanitization = /sanitize|cleanFilename|safeFilename|replace\s*\(\s*\/\[.*\]\//i.test(content);
-    if (hasSanitization) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unsanitizedFilenames,
-        filePath,
-        () => "Sanitize filenames before use: strip path separators (/ \\), special chars, and '..' sequences. Example: name.replace(/[^a-zA-Z0-9._-]/g, '_')"
-      ));
-    }
-    return matches;
-  }
-};
-var electronNavigationUnrestricted = {
-  id: "VC026",
-  title: "Electron: External Navigation Not Blocked",
-  severity: "medium",
-  category: "Configuration",
-  description: "Electron apps that don't block navigation to external URLs or new window creation are vulnerable to phishing and drive-by downloads. Malicious links in app content can redirect the entire app to an attacker's site.",
-  check(content, filePath) {
-    if (!/BrowserWindow|electron/i.test(content)) return [];
-    if (!/main|index/i.test(filePath)) return [];
-    const hasNavBlock = /will-navigate|new-window|setWindowOpenHandler|webContents\.on.*navigate/i.test(content);
-    if (hasNavBlock) return [];
-    if (/new\s+BrowserWindow/i.test(content)) {
-      return findMatches(
-        content,
-        /new\s+BrowserWindow\s*\(/g,
-        electronNavigationUnrestricted,
-        filePath,
-        () => "Block external navigation: win.webContents.on('will-navigate', (e, url) => { if (!url.startsWith('file://')) e.preventDefault(); }); and use setWindowOpenHandler to block new windows."
-      );
-    }
-    return [];
-  }
-};
-var missingSecurityMeta = {
-  id: "VC027",
-  title: "Missing Security Meta Tags / Headers",
-  severity: "medium",
-  category: "Configuration",
-  description: "HTML pages without X-Content-Type-Options, referrer policy, or other security meta tags are more susceptible to MIME-sniffing attacks and information leakage.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(html|htm)$/)) return [];
-    const matches = [];
-    if (!/X-Content-Type-Options/i.test(content) && !/<meta[^>]*nosniff/i.test(content)) {
-      matches.push({
-        rule: "VC027",
-        title: "Missing X-Content-Type-Options Header",
-        severity: "medium",
-        category: "Configuration",
-        file: filePath,
-        line: 1,
-        snippet: getSnippet(content, 1),
-        fix: 'Add <meta http-equiv="X-Content-Type-Options" content="nosniff"> to prevent MIME-type sniffing.'
-      });
-    }
-    if (!/referrer/i.test(content)) {
-      matches.push({
-        rule: "VC027",
-        title: "Missing Referrer Policy",
-        severity: "medium",
-        category: "Configuration",
-        file: filePath,
-        line: 1,
-        snippet: getSnippet(content, 1),
-        fix: 'Add <meta name="referrer" content="no-referrer"> or "strict-origin-when-cross-origin" to limit referrer leakage.'
-      });
-    }
-    return matches;
-  }
-};
-var unvalidatedAPIParams = {
-  id: "VC028",
-  title: "Unvalidated API Request Parameters",
-  severity: "high",
-  category: "Injection",
-  description: "API requests constructed with unvalidated user input (API keys, model names, URLs) can be exploited for injection attacks or unauthorized access to different API models/endpoints.",
-  check(content, filePath) {
-    const matches = [];
-    const apiKeyPatterns = [
-      /(?:apiKey|api_key|authorization)\s*[:=]\s*(?:req\.body|req\.query|params|input|formData|body)\./gi,
-      /headers\s*:\s*\{[^}]*Authorization\s*:\s*(?!["'`]Bearer\s)/gi
-    ];
-    const hasValidation = /validate|sanitize|regex|test\(|match\(|pattern|allowList|whitelist|enum|includes\(/i.test(content);
-    if (hasValidation) return [];
-    if (/model\s*[:=]\s*(?:req\.body|params|input|body)\./i.test(content) || /model\s*[:=]\s*(?!["'`])[a-z]/i.test(content)) {
-      const hasModelValidation = /allowedModels|validModels|models\s*\.\s*includes|model.*(?:===|!==|includes)/i.test(content);
-      if (!hasModelValidation && /(?:openai|anthropic|claude|gpt|llm)/i.test(content)) {
-        matches.push(...findMatches(
-          content,
-          /model\s*[:=]\s*(?:req\.body|params|input|body)\./gi,
-          unvalidatedAPIParams,
-          filePath,
-          () => "Validate model selection against an allowlist of approved models. Example: const ALLOWED_MODELS = ['gpt-4', 'claude-3']; if (!ALLOWED_MODELS.includes(model)) throw new Error('Invalid model');"
-        ));
-      }
-    }
-    for (const p of apiKeyPatterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unvalidatedAPIParams,
-        filePath,
-        () => "Validate API key format before using it (e.g., check prefix and length). Never pass user-supplied API keys directly to third-party services without validation."
-      ));
-    }
-    return matches;
-  }
-};
-var unvalidatedEventData = {
-  id: "VC029",
-  title: "Unvalidated Event or PostMessage Data",
-  severity: "medium",
-  category: "Injection",
-  description: "Custom events, postMessage, or IPC message data used without type-checking can lead to injection attacks or unexpected behavior when malicious data is sent through event channels.",
-  check(content, filePath) {
-    const matches = [];
-    if (/addEventListener\s*\(\s*["'`]message["'`]/i.test(content)) {
-      if (!/event\.origin|e\.origin|message\.origin/i.test(content)) {
-        matches.push(...findMatches(
-          content,
-          /addEventListener\s*\(\s*["'`]message["'`]/g,
-          unvalidatedEventData,
-          filePath,
-          () => "Always verify event.origin in message event handlers to prevent cross-origin attacks. Example: if (event.origin !== 'https://trusted.com') return;"
-        ));
-      }
-    }
-    if (/new\s+CustomEvent\s*\(/i.test(content) || /ipcRenderer\.send/i.test(content)) {
-      const hasTypeCheck = /typeof\s|instanceof|z\.|schema|validate|Number\.isFinite|parseInt|parseFloat/i.test(content);
-      if (!hasTypeCheck) {
-        matches.push(...findMatches(
-          content,
-          /new\s+CustomEvent\s*\(/g,
-          unvalidatedEventData,
-          filePath,
-          () => "Type-check custom event data before using it. Validate that data.detail contains expected types to prevent injection."
-        ));
-      }
-    }
-    return matches;
-  }
-};
-var insecureDeserialization = {
-  id: "VC030",
-  title: "Insecure Deserialization",
-  severity: "critical",
-  category: "Injection",
-  description: "Deserializing untrusted data (pickle, unserialize, yaml.load) can execute arbitrary code. Attackers craft malicious payloads to gain remote code execution.",
-  check(content, filePath) {
-    const matches = [];
-    const patterns = [
-      // Python pickle
-      /pickle\.loads?\s*\(/g,
-      /cPickle\.loads?\s*\(/g,
-      // PHP unserialize
-      /unserialize\s*\(/g,
-      // Ruby Marshal
-      /Marshal\.load\s*\(/g,
-      // YAML unsafe load (Python)
-      /yaml\.load\s*\([^)]*(?!Loader\s*=\s*yaml\.SafeLoader)/g,
-      /yaml\.unsafe_load\s*\(/g,
-      // Java ObjectInputStream
-      /ObjectInputStream\s*\(/g,
-      // Node.js node-serialize
-      /serialize\.unserialize\s*\(/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        insecureDeserialization,
-        filePath,
-        () => "Never deserialize untrusted data. Use JSON instead of pickle/Marshal/unserialize. For YAML, use yaml.safe_load(). Validate and sanitize all input before deserialization."
-      ));
-    }
-    return matches;
-  }
-};
 var hardcodedJWTSecret = {
   id: "VC031",
   title: "Hardcoded JWT Secret",
@@ -1359,33 +965,6 @@ var insecureRandomness = {
     return matches;
   }
 };
-var openRedirectParams = {
-  id: "VC035",
-  title: "Open Redirect via URL Parameters",
-  severity: "high",
-  category: "Injection",
-  description: "Redirect parameters like ?redirect_url=, ?return_to=, ?next= passed directly to redirects enable phishing attacks.",
-  check(content, filePath) {
-    const matches = [];
-    const patterns = [
-      // Reading redirect-like query params and using in redirect
-      /(?:redirect_url|redirect_uri|return_to|return_url|next|callback_url|continue|goto|target|dest|destination|forward|redir)\s*(?:=|:)\s*(?:req\.query|req\.params|searchParams|query|params)\./gi,
-      /redirect\s*\(\s*(?:req\.query|req\.params|searchParams\.get)\s*\(\s*["'`](?:redirect|return|next|callback|url|goto)/gi
-    ];
-    const hasValidation = /allowedUrls|allowedDomains|allowedHosts|validUrl|safeDomain|whitelist|startsWith.*https|new URL.*hostname/i.test(content);
-    if (hasValidation) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        openRedirectParams,
-        filePath,
-        () => "Validate redirect URLs against an allowlist of trusted domains. Use: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) reject."
-      ));
-    }
-    return matches;
-  }
-};
 var missingErrorBoundary = {
   id: "VC036",
   title: "React App Missing Error Boundary",
@@ -1449,29 +1028,6 @@ var exposedStackTraces = {
     return matches;
   }
 };
-var insecureFileUpload = {
-  id: "VC038",
-  title: "Insecure File Upload Validation",
-  severity: "high",
-  category: "Injection",
-  description: "File uploads validated only by extension (not MIME type or content) allow attackers to upload executable files disguised as images or documents.",
-  check(content, filePath) {
-    if (!/upload|multer|formidable|busboy|multipart/i.test(content)) return [];
-    const matches = [];
-    const hasExtCheck = /\.(?:endsWith|match|test)\s*\([^)]*(?:\.jpg|\.png|\.pdf|\.doc|ext)/i.test(content);
-    const hasMimeCheck = /mimetype|content-type|file\.type|mime|magic\.detect|file-type/i.test(content);
-    if (hasExtCheck && !hasMimeCheck) {
-      matches.push(...findMatches(
-        content,
-        /upload|multer|formidable|busboy/gi,
-        insecureFileUpload,
-        filePath,
-        () => "Validate file uploads by MIME type AND magic bytes, not just extension. Use the 'file-type' package to detect actual file type from content. Also enforce size limits."
-      ));
-    }
-    return matches;
-  }
-};
 var missingLockFile = {
   id: "VC039",
   title: "Missing Dependency Lock File",
@@ -1493,2711 +1049,332 @@ var missingLockFile = {
     return [];
   }
 };
-var exposedGitDir = {
-  id: "VC040",
-  title: "Exposed .git Directory via Web Server",
-  severity: "critical",
-  category: "Information Leakage",
-  description: "Web server configs that don't block access to .git directories expose your entire source code, commit history, secrets, and credentials.",
-  check(content, filePath) {
-    if (!filePath.match(/(?:nginx|apache|httpd|caddy|\.htaccess|vercel\.json|netlify\.toml|server\.[jt]s)/i)) return [];
-    if (/(?:static|serve|express\.static|serveStatic|public)/i.test(content)) {
-      const blocksGit = /\.git|dotfiles|hidden/i.test(content);
-      if (!blocksGit) {
-        return findMatches(
-          content,
-          /(?:static|serve|express\.static|serveStatic)\s*\(/g,
-          exposedGitDir,
-          filePath,
-          () => "Block access to .git and other dotfiles in your static file server config. For Express: app.use('/.git', (req, res) => res.status(403).end()). For Nginx: location ~ /\\.git { deny all; }"
-        );
-      }
-    }
-    return [];
-  }
-};
-var ssrfVulnerability = {
-  id: "VC041",
-  title: "Potential Server-Side Request Forgery (SSRF)",
+var weakHashing = {
+  id: "VC060",
+  title: "Weak Hashing Algorithm for Passwords",
   severity: "critical",
-  category: "Injection",
-  description: "Fetching URLs from user input without validation allows attackers to access internal services, cloud metadata endpoints (169.254.169.254), and private networks.",
+  category: "Cryptography",
+  description: "MD5 and SHA1/SHA256 are too fast for password hashing \u2014 they can be brute-forced at billions of attempts per second. Use bcrypt, scrypt, or argon2 instead.",
   check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    const isServerFile = /(?:\/api\/|routes?\/|controllers?\/|server\.|handler|middleware)/i.test(filePath);
-    if (!isServerFile) return [];
+    if (filePath.includes("test") || filePath.includes("mock")) return [];
+    if (/bcrypt|scrypt|argon2/i.test(content)) return [];
     const matches = [];
     const patterns = [
-      /(?:fetch|axios\.get|axios\.post|axios|got|request|http\.get|https\.get)\s*\(\s*(?:req\.(?:body|query|params))\./gi
-    ];
-    const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
-    if (hasValidation) return [];
-    for (const p of patterns) {
-      const rawMatches = findMatches(
-        content,
-        p,
-        ssrfVulnerability,
-        filePath,
-        () => "Validate URLs against an allowlist before fetching. Block internal IPs: 127.0.0.1, 10.x, 172.16-31.x, 192.168.x, 169.254.169.254 (cloud metadata). Use: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('Blocked');"
-      );
-      for (const rm3 of rawMatches) {
-        const lineText = content.split("\n")[rm3.line - 1] || "";
-        const varMatch = lineText.match(/(?:fetch|axios\.\w+|got|request|https?\.get)\s*\(\s*(\w+)/);
-        if (varMatch) {
-          const varName = varMatch[1];
-          const constDef = new RegExp(`const\\s+${varName}\\s*=\\s*["'\`]https?://`, "i");
-          if (constDef.test(content)) continue;
-        }
-        matches.push(rm3);
-      }
-    }
-    return matches;
-  }
-};
-var massAssignment = {
-  id: "VC042",
-  title: "Mass Assignment Vulnerability",
-  severity: "high",
-  category: "Authorization",
-  description: "Spreading or assigning request body directly into database models allows attackers to set fields they shouldn't (e.g., isAdmin, role, verified).",
-  check(content, filePath) {
-    const isApiFile = /(?:\/api\/|routes?\/|controllers?\/|server\.|handler)/i.test(filePath);
-    if (!isApiFile) return [];
-    const matches = [];
-    const patterns = [
-      // Object.assign(model, req.body)
-      /Object\.assign\s*\(\s*(?:user|account|profile|record|doc|model|entity)[^,]*,\s*(?:req\.body|body|input|data)\s*\)/gi,
-      // Spread req.body into create/update
-      /(?:create|update|insert|save|findOneAndUpdate|updateOne|upsert)\s*\(\s*\{[^}]*\.\.\.(?:req\.body|body|input|data)/gi,
-      // Direct req.body into DB
-      /(?:create|insert|save)\s*\(\s*(?:req\.body|body)\s*\)/gi
+      /(?:md5|sha1|sha256|sha512)\s*\([^)]*(?:password|passwd|pwd)/gi,
+      /createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\).*(?:password|passwd|pwd)/gi,
+      /(?:password|passwd|pwd).*createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\)/gi,
+      /hashlib\.(?:md5|sha1|sha256)\s*\([^)]*(?:password|passwd|pwd)/gi,
+      /Digest::(?:MD5|SHA1|SHA256).*(?:password|passwd|pwd)/gi
     ];
-    const hasSanitization = /pick\(|omit\(|allowedFields|sanitize|whitelist|permit|strong_params/i.test(content);
-    if (hasSanitization) return [];
     for (const p of patterns) {
       matches.push(...findMatches(
         content,
         p,
-        massAssignment,
+        weakHashing,
         filePath,
-        () => "Never pass req.body directly to database operations. Explicitly pick allowed fields: const { name, email } = req.body; await db.create({ name, email });"
+        () => "Use bcrypt, scrypt, or argon2 for password hashing \u2014 they're intentionally slow. Example: const hash = await bcrypt.hash(password, 12);"
       ));
     }
     return matches;
   }
 };
-var timingAttack = {
-  id: "VC043",
-  title: "Timing-Unsafe Secret Comparison",
-  severity: "medium",
+var disabledTLSVerification = {
+  id: "VC061",
+  title: "Disabled TLS Certificate Verification",
+  severity: "critical",
   category: "Cryptography",
-  description: "Using === to compare secrets, tokens, or hashes leaks information via timing side-channels. Attackers can determine the correct value one character at a time.",
+  description: "Disabling TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0 or rejectUnauthorized:false) makes all HTTPS connections vulnerable to man-in-the-middle attacks.",
   check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
     const matches = [];
     const patterns = [
-      /(?:token|secret|hash|digest|signature|hmac|apiKey|api_key)\s*(?:===|!==)\s*(?:req\.|body\.|params\.|query\.|input)/gi,
-      /(?:req\.|body\.|params\.|query\.|input)[\w.]*(?:token|secret|hash|digest|signature|hmac)\s*(?:===|!==)/gi
+      /NODE_TLS_REJECT_UNAUTHORIZED\s*[:=]\s*["'`]?0["'`]?/g,
+      /rejectUnauthorized\s*:\s*false/g,
+      /verify\s*[:=]\s*false.*(?:ssl|tls|cert|https)/gi,
+      /PYTHONHTTPSVERIFY\s*[:=]\s*["'`]?0["'`]?/g,
+      /ssl_verify\s*[:=]\s*false/gi,
+      /InsecureSkipVerify\s*:\s*true/g
     ];
-    const hasTimingSafe = /timingSafeEqual|constantTimeEqual|safeCompare|secureCompare/i.test(content);
-    if (hasTimingSafe) return [];
     for (const p of patterns) {
       matches.push(...findMatches(
         content,
         p,
-        timingAttack,
+        disabledTLSVerification,
         filePath,
-        () => "Use crypto.timingSafeEqual() for comparing secrets: crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b)). This prevents timing-based side-channel attacks."
+        () => "Never disable TLS certificate verification in production. Fix the root cause: install the correct CA certificate, or use NODE_EXTRA_CA_CERTS for custom CAs."
       ));
     }
     return matches;
   }
 };
-var logInjection = {
-  id: "VC044",
-  title: "Potential Log Injection",
-  severity: "medium",
+var dangerousInnerHTML = {
+  id: "VC063",
+  title: "Unsanitized dangerouslySetInnerHTML",
+  severity: "critical",
   category: "Injection",
-  description: "Logging unsanitized user input allows attackers to forge log entries, inject malicious content, or exploit log aggregation systems via newlines and special characters.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const isServerFile = /(?:\/api\/|routes?\/|controllers?\/|server\.|middleware|handler)/i.test(filePath);
-    if (!isServerFile) return [];
-    const matches = [];
-    const patterns = [
-      /console\.(?:log|warn|error|info)\s*\([^)]*(?:req\.body|req\.query|req\.params|req\.headers)\s*\)/gi,
-      /(?:logger|log)\.(?:info|warn|error|debug)\s*\([^)]*(?:req\.body|req\.query|req\.params)\s*\)/gi
-    ];
-    const hasSanitization = /sanitize|escape|JSON\.stringify|replace.*\\n/i.test(content);
-    if (hasSanitization) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        logInjection,
-        filePath,
-        () => "Sanitize user input before logging: strip newlines and control characters. Use JSON.stringify() or a structured logger (e.g., pino, winston) that escapes values automatically."
-      ));
-    }
-    return matches;
-  }
-};
-var weakPasswordRequirements = {
-  id: "VC045",
-  title: "Weak Password Requirements",
-  severity: "high",
-  category: "Authentication",
-  description: "Registration or password-change endpoints without minimum length or complexity validation allow weak passwords that are easily brute-forced.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!/(?:password|passwd|pwd)/i.test(content)) return [];
-    if (!/(?:register|signup|sign.up|createUser|create.user|changePassword|resetPassword|set.password)/i.test(content) && !/(?:\/api\/|routes?\/|controllers?\/)/i.test(filePath)) return [];
-    const hasValidation = /(?:password|pwd).*(?:\.length|minLength|minlength|min_length)\s*(?:>=?|<|>)\s*\d|(?:password|pwd).*(?:match|test|regex|pattern)|zxcvbn|password-validator|passwordStrength|isStrongPassword|joi\.|yup\.|zod\.|validate|schema/i.test(content);
-    if (hasValidation) return [];
-    const hasPasswordHandling = /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./i.test(content);
-    if (!hasPasswordHandling) return [];
-    const rawMatches = findMatches(
-      content,
-      /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./gi,
-      weakPasswordRequirements,
-      filePath,
-      () => "Enforce minimum password requirements: at least 8 characters, mix of letters/numbers/symbols. Use a library like zxcvbn for strength estimation."
-    );
-    const lines = content.split("\n");
-    const validationPattern = /\.length|minLength|minlength|min_length|match|test|regex|pattern|validate|schema|zxcvbn|isStrongPassword/i;
-    return rawMatches.filter((rm3) => {
-      const start = Math.max(0, rm3.line - 1 - 10);
-      const end = Math.min(lines.length, rm3.line - 1 + 10);
-      const nearby = lines.slice(start, end).join("\n");
-      return !validationPattern.test(nearby);
-    });
-  }
-};
-var sessionFixation = {
-  id: "VC046",
-  title: "Session Fixation Risk",
-  severity: "high",
-  category: "Authentication",
-  description: "Not regenerating session IDs after login allows attackers to pre-set a session ID and hijack the authenticated session.",
-  check(content, filePath) {
-    if (!/(?:login|signin|sign.in|authenticate)/i.test(content)) return [];
-    if (!/session/i.test(content)) return [];
-    const hasRegenerate = /regenerate|destroy.*create|req\.session\.id\s*=|session\.regenerateId|rotateSession/i.test(content);
-    if (hasRegenerate) return [];
-    const hasLogin = /(?:login|signin|authenticate)\s*(?:=|:|\()/i.test(content);
-    if (!hasLogin) return [];
-    return findMatches(
-      content,
-      /(?:login|signin|authenticate)\s*(?:=|:|\()/gi,
-      sessionFixation,
-      filePath,
-      () => "Regenerate the session ID after successful login: req.session.regenerate() (Express) or equivalent. This prevents session fixation attacks."
-    );
-  }
-};
-var missingBruteForce = {
-  id: "VC047",
-  title: "Login Without Brute Force Protection",
-  severity: "high",
-  category: "Authentication",
-  description: "Login endpoints without rate limiting, account lockout, or progressive delays are vulnerable to credential stuffing and brute force attacks.",
+  description: "Using dangerouslySetInnerHTML without sanitization (DOMPurify) enables XSS attacks. User-controlled content injected as raw HTML can execute arbitrary JavaScript.",
   check(content, filePath) {
-    const isLoginFile = /(?:login|signin|sign.in|auth)/i.test(filePath) || /(?:login|signin|authenticate).*(?:post|handler|route)/i.test(content);
-    if (!isLoginFile) return [];
-    if (!/(?:password|credential)/i.test(content)) return [];
-    const hasBruteForce = /rate.?limit|throttle|lockout|maxAttempts|max_attempts|failedAttempts|loginAttempts|brute|express-brute|express-rate-limit|slowDown/i.test(content);
-    if (hasBruteForce) return [];
+    if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (!/dangerouslySetInnerHTML/i.test(content)) return [];
+    const hasSanitize = /DOMPurify|sanitize|purify|xss|sanitizeHtml|isomorphic-dompurify/i.test(content);
+    if (hasSanitize) return [];
     return findMatches(
       content,
-      /\.(post|handler)\s*\([^)]*(?:login|signin|auth)/gi,
-      missingBruteForce,
+      /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
+      dangerousInnerHTML,
       filePath,
-      () => "Add brute force protection to login endpoints: rate limiting (5 attempts/minute), progressive delays, or account lockout after N failures. Use express-rate-limit or similar."
+      () => "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
     );
   }
 };
-var nosqlInjection = {
-  id: "VC048",
-  title: "Potential NoSQL Injection",
-  severity: "critical",
-  category: "Injection",
-  description: "Passing unsanitized user input directly into MongoDB/NoSQL queries allows attackers to bypass authentication, extract data, or modify queries using operators like $gt, $ne, $regex.",
-  check(content, filePath) {
-    if (!/(?:mongo|mongoose|findOne|findById|find\(|collection|aggregate)/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      // Direct req.body in MongoDB queries
-      /\.find(?:One)?\s*\(\s*(?:req\.body|body|input|params)\s*\)/gi,
-      /\.find(?:One)?\s*\(\s*\{[^}]*:\s*(?:req\.body|body|input|params)\./gi,
-      // $where with user input
-      /\$where\s*:\s*(?!["'`])/g,
-      // Direct variable in query without sanitization
-      /\.(?:findOne|findById|deleteOne|updateOne|findOneAndUpdate)\s*\(\s*\{[^}]*:\s*(?:req\.(?:body|query|params))\./gi
-    ];
-    const hasSanitization = /sanitize|escape|mongo-sanitize|express-mongo-sanitize|validator|typeof.*===.*string/i.test(content);
-    if (hasSanitization) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        nosqlInjection,
-        filePath,
-        () => "Sanitize MongoDB query inputs: use express-mongo-sanitize, validate types (ensure strings aren't objects), and avoid $where. Example: if (typeof input !== 'string') throw new Error('Invalid input');"
-      ));
-    }
-    return matches;
-  }
-};
-var exposedDBCredentials = {
-  id: "VC049",
-  title: "Database Credentials in Config File",
-  severity: "critical",
-  category: "Secrets",
-  description: "Database connection strings with embedded usernames and passwords in committed config files expose credentials to anyone with repo access.",
-  check(content, filePath) {
-    if (filePath.endsWith(".example") || filePath.endsWith(".template")) return [];
-    if (!filePath.match(/(?:config|setting|database|db|knexfile|sequelize|drizzle|prisma)/i) && !filePath.match(/\.(json|yaml|yml|toml|js|ts)$/)) return [];
-    if (filePath.match(/\.env/)) return [];
-    const patterns = [
-      // Connection strings with credentials
-      /(?:host|server|database|db).*(?:password|passwd|pwd)\s*[:=]\s*["'`][^"'`]{3,}["'`]/gi,
-      // Inline connection URLs with credentials
-      /(?:connection|database|db).*(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/gi
-    ];
-    const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        exposedDBCredentials,
-        filePath,
-        () => "Move database credentials to environment variables. Use: process.env.DATABASE_URL instead of hardcoding connection strings in config files."
-      ));
-    }
-    return matches;
-  }
-};
-var missingDBEncryption = {
-  id: "VC050",
-  title: "Database Connection Without SSL/TLS",
-  severity: "high",
-  category: "Configuration",
-  description: "Database connections without SSL/TLS encryption transmit credentials and data in plaintext, allowing eavesdropping on the network.",
-  check(content, filePath) {
-    if (!/(?:createConnection|createPool|createClient|connect|new.*Client|knex|sequelize|drizzle)/i.test(content)) return [];
-    if (!/(?:postgres|mysql|mariadb|pg|mongo)/i.test(content)) return [];
-    const matches = [];
-    const sslDisabled = [
-      /ssl\s*:\s*false/gi,
-      /sslmode\s*[:=]\s*["'`]?disable["'`]?/gi,
-      /rejectUnauthorized\s*:\s*false/gi
-    ];
-    for (const p of sslDisabled) {
-      matches.push(...findMatches(
-        content,
-        p,
-        missingDBEncryption,
-        filePath,
-        () => "Enable SSL/TLS for database connections: { ssl: { rejectUnauthorized: true } }. In production, always verify server certificates."
-      ));
-    }
-    return matches;
-  }
-};
-var graphqlIntrospection = {
-  id: "VC051",
-  title: "GraphQL Introspection Enabled in Production",
-  severity: "medium",
-  category: "Information Leakage",
-  description: "GraphQL introspection exposes your entire API schema, types, queries, and mutations to attackers, making it easy to find attack vectors.",
-  check(content, filePath) {
-    if (!/graphql/i.test(content) && !/graphql/i.test(filePath)) return [];
-    const matches = [];
-    if (/introspection\s*:\s*true/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /introspection\s*:\s*true/gi,
-        graphqlIntrospection,
-        filePath,
-        () => "Disable GraphQL introspection in production: introspection: process.env.NODE_ENV !== 'production'. This prevents schema exposure."
-      ));
-    }
-    if (/(?:ApolloServer|GraphQLServer|createYoga|buildSchema|makeExecutableSchema)\s*\(/i.test(content)) {
-      if (!/introspection/i.test(content)) {
-        matches.push(...findMatches(
-          content,
-          /(?:ApolloServer|GraphQLServer|createYoga)\s*\(/gi,
-          graphqlIntrospection,
-          filePath,
-          () => "Explicitly disable introspection in production: new ApolloServer({ introspection: process.env.NODE_ENV !== 'production' })"
-        ));
-      }
-    }
-    return matches;
-  }
-};
-var missingRequestSizeLimit = {
-  id: "VC052",
-  title: "Missing Request Body Size Limit",
-  severity: "medium",
-  category: "Availability",
-  description: "Express/Hono/Fastify servers without request body size limits are vulnerable to denial-of-service via oversized payloads that exhaust memory.",
-  check(content, filePath) {
-    if (!/(?:server|app|index|main)\.[jt]sx?$/.test(filePath)) return [];
-    if (!/(?:express|hono|fastify|koa)/i.test(content)) return [];
-    const matches = [];
-    if (/express\.json\s*\(\s*\)/g.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /express\.json\s*\(\s*\)/g,
-        missingRequestSizeLimit,
-        filePath,
-        () => "Set a body size limit: express.json({ limit: '1mb' }). Without this, attackers can send huge payloads to crash your server."
-      ));
-    }
-    if (/bodyParser\.json\s*\(\s*\)/g.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /bodyParser\.json\s*\(\s*\)/g,
-        missingRequestSizeLimit,
-        filePath,
-        () => "Set a body size limit: bodyParser.json({ limit: '1mb' })."
-      ));
-    }
-    return matches;
-  }
-};
-var hardcodedIPAllowlist = {
-  id: "VC053",
-  title: "Hardcoded IP or Host Allowlist",
-  severity: "medium",
-  category: "Configuration",
-  description: "Hardcoded IP addresses or hostnames in allowlists are brittle and hard to update. They should be in environment variables or configuration files.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock") || filePath.match(/\.(md|txt)$/)) return [];
-    const matches = [];
-    const patterns = [
-      /(?:allowedIPs|allowed_ips|whitelist|allowlist|trustedHosts)\s*[:=]\s*\[\s*["'`]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/gi,
-      /(?:allowedIPs|allowed_ips|whitelist|allowlist|trustedHosts)\s*[:=]\s*\[\s*["'`][\w.-]+\.(?:com|net|org|io)/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        hardcodedIPAllowlist,
-        filePath,
-        () => "Move IP/host allowlists to environment variables or a config file: const allowed = process.env.ALLOWED_IPS?.split(',') || [];"
-      ));
-    }
-    return matches;
+function detectFramework(files) {
+  const frameworks = /* @__PURE__ */ new Set();
+  for (const { path, content } of files) {
+    if (path.match(/next\.config/i) || /from\s+["']next/i.test(content)) frameworks.add("next.js");
+    if (/from\s+["']react-native/i.test(content) || path.match(/react-native\.config/i)) frameworks.add("react-native");
+    else if (/from\s+["']react/i.test(content) || /import\s+React/i.test(content)) frameworks.add("react");
+    if (/from\s+["']express/i.test(content) || /require\s*\(\s*["']express/i.test(content)) frameworks.add("express");
+    if (/from\s+["']hono/i.test(content)) frameworks.add("hono");
+    if (/from\s+["']fastify/i.test(content)) frameworks.add("fastify");
+    if (/from\s+["']electron/i.test(content) || path.match(/electron/i)) frameworks.add("electron");
+    if (path.match(/settings\.py$/) || /from\s+django/i.test(content)) frameworks.add("django");
+    if (/from\s+flask/i.test(content) || /Flask\s*\(/i.test(content)) frameworks.add("flask");
+    if (/from\s+["']vue/i.test(content) || path.match(/vue\.config/i)) frameworks.add("vue");
+    if (/from\s+["']svelte/i.test(content) || path.match(/svelte\.config/i)) frameworks.add("svelte");
   }
-};
-var sensitiveLocalStorage = {
-  id: "VC054",
-  title: "Sensitive Data in localStorage",
-  severity: "high",
-  category: "Secrets",
-  description: "Storing tokens, passwords, or secrets in localStorage is insecure \u2014 it's accessible to any JavaScript on the page (XSS) and persists indefinitely. Use httpOnly cookies instead.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx?|tsx?|vue|svelte)$/)) return [];
-    if (isTestFile(filePath)) return [];
-    if (/mock|spec/i.test(filePath)) return [];
-    if (!/localStorage\.setItem|localStorage\[/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /localStorage\.setItem\s*\(\s*["'`](?:token|access_token|auth_token|jwt|session|refresh_token|api_key|password|secret)/gi,
-      /localStorage\s*\[\s*["'`](?:token|access_token|auth_token|jwt|session|refresh_token|api_key|password|secret)/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        sensitiveLocalStorage,
-        filePath,
-        () => "Don't store tokens/secrets in localStorage \u2014 use httpOnly cookies instead. localStorage is accessible to any XSS attack. For session tokens, set them as httpOnly, secure, sameSite cookies."
-      ));
-    }
-    return matches;
+  if (frameworks.size === 0) frameworks.add("unknown");
+  return [...frameworks];
+}
+function calculateGrade(findings, totalFiles) {
+  if (findings.length === 0) {
+    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent!" };
   }
-};
-var exposedSourceMaps = {
-  id: "VC055",
-  title: "Source Maps Exposed in Production",
-  severity: "medium",
-  category: "Information Leakage",
-  description: "Source map files (.map) in production expose your original source code, comments, and internal logic to anyone who downloads them.",
-  check(content, filePath) {
-    if (!filePath.match(/(?:webpack|vite|rollup|next)\.config|tsconfig/i)) return [];
-    const matches = [];
-    if (/(?:sourceMap|source-map|sourcemap)\s*[:=]\s*true/i.test(content)) {
-      const hasEnvCheck = /process\.env\.NODE_ENV|NODE_ENV|production/i.test(content);
-      if (!hasEnvCheck) {
-        matches.push(...findMatches(
-          content,
-          /(?:sourceMap|source-map|sourcemap)\s*[:=]\s*true/gi,
-          exposedSourceMaps,
-          filePath,
-          () => "Disable source maps in production builds: sourceMap: process.env.NODE_ENV !== 'production'. Or use 'hidden-source-map' to generate maps without exposing them."
-        ));
-      }
-    }
-    if (/productionSourceMap\s*:\s*true/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /productionSourceMap\s*:\s*true/gi,
-        exposedSourceMaps,
-        filePath,
-        () => "Set productionSourceMap: false to avoid exposing source code in production."
-      ));
+  let deductions = 0;
+  for (const f of findings) {
+    switch (f.severity) {
+      case "critical":
+        deductions += 15;
+        break;
+      case "high":
+        deductions += 8;
+        break;
+      case "medium":
+        deductions += 4;
+        break;
+      case "low":
+        deductions += 1;
+        break;
     }
-    return matches;
   }
-};
-var clickjacking = {
-  id: "VC056",
-  title: "Clickjacking \u2014 Missing X-Frame-Options",
-  severity: "medium",
-  category: "Configuration",
-  description: "Without X-Frame-Options or frame-ancestors CSP directive, your page can be embedded in an attacker's iframe for UI redress (clickjacking) attacks.",
-  check(content, filePath) {
-    if (filePath.match(/\.(html|htm)$/)) {
-      if (!/X-Frame-Options|frame-ancestors/i.test(content)) {
-        return [{
-          rule: "VC056",
-          title: clickjacking.title,
-          severity: "medium",
-          category: "Configuration",
-          file: filePath,
-          line: 1,
-          snippet: getSnippet(content, 1),
-          fix: 'Add <meta http-equiv="X-Frame-Options" content="DENY"> or set frame-ancestors in CSP to prevent clickjacking.'
-        }];
-      }
-    }
-    if (/(?:server|app|index|main)\.[jt]sx?$/.test(filePath)) {
-      if (/(?:express|hono|fastify|koa)/i.test(content)) {
-        if (!/X-Frame-Options|frame-ancestors|helmet/i.test(content)) {
-          return findMatches(
-            content,
-            /(?:express|hono|fastify|koa)\s*\(/gi,
-            clickjacking,
-            filePath,
-            () => "Add X-Frame-Options header: res.setHeader('X-Frame-Options', 'DENY'). Or use helmet: app.use(helmet()) which sets this and other security headers."
-          );
-        }
-      }
-    }
-    return [];
-  }
-};
-var overlyPermissiveIAM = {
-  id: "VC057",
-  title: "Overly Permissive IAM/Cloud Permissions",
-  severity: "critical",
-  category: "Authorization",
-  description: "Wildcard (*) permissions in AWS IAM, GCP, or Terraform configs grant unrestricted access, violating the principle of least privilege.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(tf|hcl|json|yaml|yml)$/) && !filePath.match(/(?:iam|policy|role|permission)/i)) return [];
-    const matches = [];
-    const patterns = [
-      // AWS IAM wildcard
-      /["'`]Action["'`]\s*:\s*["'`]\*["'`]/g,
-      /["'`]Resource["'`]\s*:\s*["'`]\*["'`]/g,
-      // Terraform aws_iam
-      /actions\s*=\s*\[\s*["'`]\*["'`]\s*\]/g,
-      /resources\s*=\s*\[\s*["'`]\*["'`]\s*\]/g,
-      // GCP bindings
-      /role\s*[:=]\s*["'`]roles\/(?:owner|editor)["'`]/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        overlyPermissiveIAM,
-        filePath,
-        () => "Follow the principle of least privilege: replace wildcard (*) with specific actions and resources. Example: 'Action': 's3:GetObject' instead of '*'."
-      ));
-    }
-    return matches;
-  }
-};
-var dockerRunAsRoot = {
-  id: "VC058",
-  title: "Docker Container Running as Root",
-  severity: "high",
-  category: "Configuration",
-  description: "Containers running as root give attackers full system access if they escape the container. Always run as a non-root user.",
-  check(content, filePath) {
-    if (!filePath.match(/Dockerfile$/i)) return [];
-    const hasUser = /^\s*USER\s+/m.test(content);
-    if (hasUser) return [];
-    return [{
-      rule: "VC058",
-      title: dockerRunAsRoot.title,
-      severity: "high",
-      category: "Configuration",
-      file: filePath,
-      line: 1,
-      snippet: getSnippet(content, 1),
-      fix: "Add a USER directive: RUN addgroup -S app && adduser -S app -G app\\nUSER app. Place it after installing dependencies but before COPY/CMD."
-    }];
-  }
-};
-var exposedDockerPorts = {
-  id: "VC059",
-  title: "Docker Compose Binding to All Interfaces",
-  severity: "medium",
-  category: "Configuration",
-  description: "Binding ports to 0.0.0.0 (default) in Docker Compose exposes services to the entire network. Bind to 127.0.0.1 for local-only access.",
-  check(content, filePath) {
-    if (!filePath.match(/docker-compose|compose\.(yaml|yml)$/i)) return [];
-    const matches = [];
-    const portPattern = /ports:\s*\n(?:\s*-\s*["'`]?\d+:\d+["'`]?\s*\n?)+/g;
-    if (portPattern.test(content) && !/127\.0\.0\.1:/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /^\s*-\s*["'`]?\d+:\d+["'`]?/gm,
-        exposedDockerPorts,
-        filePath,
-        () => "Bind to localhost only: '127.0.0.1:3000:3000' instead of '3000:3000'. This prevents external network access to the service."
-      ));
-    }
-    return matches;
-  }
-};
-var weakHashing = {
-  id: "VC060",
-  title: "Weak Hashing Algorithm for Passwords",
-  severity: "critical",
-  category: "Cryptography",
-  description: "MD5 and SHA1/SHA256 are too fast for password hashing \u2014 they can be brute-forced at billions of attempts per second. Use bcrypt, scrypt, or argon2 instead.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    if (/bcrypt|scrypt|argon2/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /(?:md5|sha1|sha256|sha512)\s*\([^)]*(?:password|passwd|pwd)/gi,
-      /createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\).*(?:password|passwd|pwd)/gi,
-      /(?:password|passwd|pwd).*createHash\s*\(\s*["'`](?:md5|sha1|sha256)["'`]\)/gi,
-      /hashlib\.(?:md5|sha1|sha256)\s*\([^)]*(?:password|passwd|pwd)/gi,
-      /Digest::(?:MD5|SHA1|SHA256).*(?:password|passwd|pwd)/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        weakHashing,
-        filePath,
-        () => "Use bcrypt, scrypt, or argon2 for password hashing \u2014 they're intentionally slow. Example: const hash = await bcrypt.hash(password, 12);"
-      ));
-    }
-    return matches;
-  }
-};
-var disabledTLSVerification = {
-  id: "VC061",
-  title: "Disabled TLS Certificate Verification",
-  severity: "critical",
-  category: "Cryptography",
-  description: "Disabling TLS certificate verification (NODE_TLS_REJECT_UNAUTHORIZED=0 or rejectUnauthorized:false) makes all HTTPS connections vulnerable to man-in-the-middle attacks.",
-  check(content, filePath) {
-    const matches = [];
-    const patterns = [
-      /NODE_TLS_REJECT_UNAUTHORIZED\s*[:=]\s*["'`]?0["'`]?/g,
-      /rejectUnauthorized\s*:\s*false/g,
-      /verify\s*[:=]\s*false.*(?:ssl|tls|cert|https)/gi,
-      /PYTHONHTTPSVERIFY\s*[:=]\s*["'`]?0["'`]?/g,
-      /ssl_verify\s*[:=]\s*false/gi,
-      /InsecureSkipVerify\s*:\s*true/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        disabledTLSVerification,
-        filePath,
-        () => "Never disable TLS certificate verification in production. Fix the root cause: install the correct CA certificate, or use NODE_EXTRA_CA_CERTS for custom CAs."
-      ));
-    }
-    return matches;
-  }
-};
-var hardcodedEncryptionKey = {
-  id: "VC062",
-  title: "Hardcoded Encryption Key or IV",
-  severity: "critical",
-  category: "Cryptography",
-  description: "Hardcoded encryption keys and initialization vectors (IVs) in source code can be extracted to decrypt all data. IVs must be random per encryption operation.",
-  check(content, filePath) {
-    if (filePath.endsWith(".example") || filePath.endsWith(".template")) return [];
-    if (isTestFile(filePath)) return [];
-    if (filePath.match(/\.(html|htm|xml|plist|svg|xhtml)$/)) return [];
-    if (!/(?:cipher|encrypt|decrypt|crypto|aes|createCipher)/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      // Encryption key as string literal
-      /(?:encryption_key|encryptionKey|cipher_key|cipherKey|aes_key|AES_KEY|ENCRYPTION_KEY)\s*[:=]\s*["'`][^"'`]{8,}["'`]/g,
-      // createCipheriv with hardcoded key
-      /createCipher(?:iv)?\s*\(\s*["'`][^"'`]+["'`]\s*,\s*["'`][^"'`]+["'`]/g,
-      // Buffer.from with hardcoded key near cipher context
-      /(?:key|iv|nonce)\s*[:=]\s*Buffer\.from\s*\(\s*["'`][^"'`]{8,}["'`]/gi,
-      // Static IV (should be random) — only in crypto context
-      /(?:^|[\s,({])(?:iv|nonce|initialVector)\s*[:=]\s*["'`][0-9a-fA-F]{16,}["'`]/gi
-    ];
-    for (const p of patterns) {
-      const rawMatches = findMatches(
-        content,
-        p,
-        hardcodedEncryptionKey,
-        filePath,
-        () => "Move encryption keys to environment variables. Generate IVs randomly per operation: crypto.randomBytes(16). Never reuse IVs."
-      );
-      for (const rm3 of rawMatches) {
-        const lineStart = content.lastIndexOf("\n", content.split("\n").slice(0, rm3.line - 1).join("\n").length) + 1;
-        const lineEnd = content.indexOf("\n", lineStart + 1);
-        const lineText = content.substring(lineStart, lineEnd === -1 ? content.length : lineEnd);
-        if (/meta\s+http-equiv|Content-Security-Policy|X-Frame-Options|X-Content-Type/i.test(lineText)) continue;
-        matches.push(rm3);
-      }
-    }
-    return matches;
-  }
-};
-var dangerousInnerHTML = {
-  id: "VC063",
-  title: "Unsanitized dangerouslySetInnerHTML",
-  severity: "critical",
-  category: "Injection",
-  description: "Using dangerouslySetInnerHTML without sanitization (DOMPurify) enables XSS attacks. User-controlled content injected as raw HTML can execute arbitrary JavaScript.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx|tsx)$/)) return [];
-    if (!/dangerouslySetInnerHTML/i.test(content)) return [];
-    const hasSanitize = /DOMPurify|sanitize|purify|xss|sanitizeHtml|isomorphic-dompurify/i.test(content);
-    if (hasSanitize) return [];
-    return findMatches(
-      content,
-      /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
-      dangerousInnerHTML,
-      filePath,
-      () => "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
-    );
-  }
-};
-var exposedServerActions = {
-  id: "VC064",
-  title: "Next.js Server Action Without Auth Check",
-  severity: "high",
-  category: "Authorization",
-  description: "Next.js Server Actions ('use server') are publicly callable endpoints. Without authentication checks, anyone can invoke them directly.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
-    if (!/["']use server["']/i.test(content)) return [];
-    const hasAuth = /getServerSession|auth\(\)|currentUser|getUser|requireAuth|session|clerk|getAuth/i.test(content);
-    if (hasAuth) return [];
-    if (/export\s+async\s+function/i.test(content)) {
-      return findMatches(
-        content,
-        /export\s+async\s+function\s+\w+/g,
-        exposedServerActions,
-        filePath,
-        () => "Add authentication to Server Actions: const session = await getServerSession(); if (!session) throw new Error('Unauthorized');"
-      );
-    }
-    return [];
-  }
-};
-var unprotectedAPIRoutes = {
-  id: "VC065",
-  title: "Unprotected Next.js API Route",
-  severity: "high",
-  category: "Authorization",
-  description: "Next.js API routes under /api/ without authentication middleware can be called by anyone, exposing data or mutations.",
-  check(content, filePath) {
-    if (!filePath.match(/\/api\/.*\.(jsx?|tsx?)$/) && !filePath.match(/\/app\/api\/.*route\.(jsx?|tsx?)$/)) return [];
-    if (/health|status|public|webhook/i.test(filePath)) return [];
-    const hasAuth = /getServerSession|auth\(\)|currentUser|getUser|requireAuth|session|clerk|getAuth|verifyToken|authenticate|middleware/i.test(content);
-    if (hasAuth) return [];
-    const hasHandler = /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)|export\s+default/i.test(content);
-    if (hasHandler) {
-      return findMatches(
-        content,
-        /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)/g,
-        unprotectedAPIRoutes,
-        filePath,
-        () => "Add authentication to API routes: const session = await getServerSession(authOptions); if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });"
-      );
-    }
-    return [];
-  }
-};
-var clientComponentSecret = {
-  id: "VC066",
-  title: "Secret Used in Client Component",
-  severity: "critical",
-  category: "Secrets",
-  description: "Using server-side secrets (process.env without NEXT_PUBLIC_) in 'use client' components exposes them in the browser bundle.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
-    if (!/["']use client["']/i.test(content)) return [];
-    const pattern = /process\.env\.(?!NEXT_PUBLIC_)[A-Z_]{3,}/g;
-    if (pattern.test(content)) {
-      return findMatches(
-        content,
-        /process\.env\.(?!NEXT_PUBLIC_)[A-Z_]{3,}/g,
-        clientComponentSecret,
-        filePath,
-        () => "Server-side env vars are not available in client components and may leak in builds. Move this logic to a Server Component or API route."
-      );
-    }
-    return [];
-  }
-};
-var insecureDeepLink = {
-  id: "VC067",
-  title: "Insecure Deep Link Handling",
-  severity: "high",
-  category: "Injection",
-  description: "Deep links that navigate or execute actions without validating the URL scheme, host, or parameters can be exploited for phishing or unauthorized actions.",
-  check(content, filePath) {
-    if (!/(?:Linking|DeepLinking|deep.?link|handleURL|openURL|url.?scheme)/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /Linking\.addEventListener\s*\([^)]*(?:url|link)/gi,
-      /Linking\.getInitialURL\s*\(\)/g,
-      /handleOpenURL|handleDeepLink|onDeepLink/gi
-    ];
-    const hasValidation = /allowedSchemes|allowedHosts|validateURL|isAllowedURL|whitelist|URL.*hostname.*includes/i.test(content);
-    if (hasValidation) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        insecureDeepLink,
-        filePath,
-        () => "Validate deep link URLs: check the scheme and host against an allowlist before navigating or executing actions."
-      ));
-    }
-    return matches;
-  }
-};
-var sensitiveAsyncStorage = {
-  id: "VC068",
-  title: "Sensitive Data in AsyncStorage",
-  severity: "high",
-  category: "Secrets",
-  description: "React Native AsyncStorage is unencrypted. Storing tokens, passwords, or secrets there makes them readable by other apps or anyone with device access.",
-  check(content, filePath) {
-    if (!/AsyncStorage/i.test(content)) return [];
-    const patterns = [
-      /AsyncStorage\.setItem\s*\(\s*["'`](?:token|access_token|auth_token|jwt|session|refresh_token|api_key|password|secret|private_key)/gi
-    ];
-    const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        sensitiveAsyncStorage,
-        filePath,
-        () => "Use react-native-keychain or expo-secure-store instead of AsyncStorage for sensitive data. These use the OS keychain (encrypted)."
-      ));
-    }
-    return matches;
-  }
-};
-var missingCertPinning = {
-  id: "VC069",
-  title: "Missing Certificate Pinning in Mobile App",
-  severity: "medium",
-  category: "Cryptography",
-  description: "Mobile apps without SSL certificate pinning are vulnerable to MITM attacks via compromised or rogue CAs. Pin your API server's certificate.",
-  check(content, filePath) {
-    if (!/(?:react.native|expo|android|ios|mobile)/i.test(filePath) && !/(?:React.*Native|expo)/i.test(content)) return [];
-    if (!/(?:fetch|axios|http|api|request)/i.test(content)) return [];
-    if (/axios\.create|new\s+(?:HttpClient|ApiClient)/i.test(content)) {
-      const hasPinning = /pinning|certificate|cert|ssl|TrustKit|react-native-ssl-pinning|cert-pinner/i.test(content);
-      if (!hasPinning) {
-        return findMatches(
-          content,
-          /axios\.create|new\s+(?:HttpClient|ApiClient)/gi,
-          missingCertPinning,
-          filePath,
-          () => "Add SSL certificate pinning: use react-native-ssl-pinning or TrustKit. This prevents MITM attacks via rogue certificates."
-        );
-      }
-    }
-    return [];
-  }
-};
-var androidDebuggable = {
-  id: "VC070",
-  title: "Android App Debuggable in Production",
-  severity: "high",
-  category: "Configuration",
-  description: "android:debuggable='true' in AndroidManifest.xml allows attackers to attach debuggers, inspect memory, and bypass security controls.",
-  check(content, filePath) {
-    if (!filePath.match(/AndroidManifest\.xml$/i)) return [];
-    if (/android:debuggable\s*=\s*["']true["']/i.test(content)) {
-      return findMatches(
-        content,
-        /android:debuggable\s*=\s*["']true["']/gi,
-        androidDebuggable,
-        filePath,
-        () => "Remove android:debuggable='true' or set it to false. Debug builds should use build variants, not manifest flags."
-      );
-    }
-    return [];
-  }
-};
-var djangoDebug = {
-  id: "VC071",
-  title: "Django DEBUG Mode Enabled",
-  severity: "critical",
-  category: "Configuration",
-  description: "Django with DEBUG=True exposes detailed error pages with source code, database queries, environment variables, and installed apps to anyone.",
-  check(content, filePath) {
-    if (!filePath.match(/settings\.py$/i) && !filePath.match(/config.*\.py$/i)) return [];
-    if (/^\s*DEBUG\s*=\s*True\s*$/m.test(content)) {
-      const hasEnvCheck = /os\.environ|env\(|config\(|getenv/i.test(content);
-      if (!hasEnvCheck) {
-        return findMatches(
-          content,
-          /^\s*DEBUG\s*=\s*True/gm,
-          djangoDebug,
-          filePath,
-          () => "Use environment variable: DEBUG = os.environ.get('DEBUG', 'False') == 'True'. Never hardcode DEBUG=True."
-        );
-      }
-    }
-    return [];
-  }
-};
-var flaskSecretKey = {
-  id: "VC072",
-  title: "Flask Secret Key Hardcoded",
-  severity: "critical",
-  category: "Secrets",
-  description: "Hardcoded Flask secret_key allows attackers to forge sessions, CSRF tokens, and signed cookies. Must be a random value from environment variables.",
-  check(content, filePath) {
-    if (!filePath.match(/\.py$/)) return [];
-    const patterns = [
-      /(?:app\.)?secret_key\s*=\s*["'`][^"'`]{3,}["'`]/g,
-      /(?:app\.config)\s*\[\s*["']SECRET_KEY["']\s*\]\s*=\s*["'`][^"'`]{3,}["'`]/g
-    ];
-    const hasEnv = /os\.environ|env\(|config\(|getenv/i.test(content);
-    if (hasEnv) return [];
-    const matches = [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        flaskSecretKey,
-        filePath,
-        () => `Use environment variable: app.secret_key = os.environ['SECRET_KEY']. Generate with: python -c "import secrets; print(secrets.token_hex(32))"`
-      ));
-    }
-    return matches;
-  }
-};
-var pickleDeserialization = {
-  id: "VC073",
-  title: "Unsafe Pickle Deserialization",
-  severity: "critical",
-  category: "Injection",
-  description: "pickle.loads() on untrusted data allows arbitrary code execution. An attacker can craft a pickle payload that runs system commands on your server.",
-  check(content, filePath) {
-    if (!filePath.match(/\.py$/)) return [];
-    const matches = [];
-    const patterns = [
-      /pickle\.loads?\s*\(/g,
-      /cPickle\.loads?\s*\(/g,
-      /shelve\.open\s*\(/g,
-      /yaml\.load\s*\([^)]*(?!Loader\s*=\s*yaml\.SafeLoader)/g
-    ];
-    const hasSafe = /restricted_loads|SafeUnpickler|safe_load|yaml\.safe_load/i.test(content);
-    if (hasSafe) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        pickleDeserialization,
-        filePath,
-        () => "Never unpickle untrusted data \u2014 it allows arbitrary code execution. Use JSON for data exchange, or yaml.safe_load() for YAML."
-      ));
-    }
-    return matches;
-  }
-};
-var missingCSRF = {
-  id: "VC074",
-  title: "CSRF Protection Disabled",
-  severity: "high",
-  category: "Authorization",
-  description: "Using @csrf_exempt on state-changing views (POST/PUT/DELETE) allows attackers to forge requests from other sites, performing actions as authenticated users.",
-  check(content, filePath) {
-    if (!filePath.match(/\.py$/)) return [];
-    const matches = [];
-    if (/csrf_exempt/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /@csrf_exempt/g,
-        missingCSRF,
-        filePath,
-        () => "Remove @csrf_exempt and use proper CSRF tokens. For APIs, use token-based auth (JWT) instead of session cookies."
-      ));
-    }
-    if (/MIDDLEWARE.*=.*\[/s.test(content) && !/CsrfViewMiddleware/i.test(content) && /django/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /MIDDLEWARE\s*=/g,
-        missingCSRF,
-        filePath,
-        () => "Re-add 'django.middleware.csrf.CsrfViewMiddleware' to MIDDLEWARE. CSRF protection is essential for session-based auth."
-      ));
-    }
-    return matches;
-  }
-};
-var githubActionsInjection = {
-  id: "VC075",
-  title: "GitHub Actions Script Injection",
-  severity: "critical",
-  category: "Injection",
-  description: "Using ${{ github.event.* }} directly in 'run:' steps allows attackers to inject shell commands via PR titles, issue bodies, or branch names.",
-  check(content, filePath) {
-    if (!filePath.match(/\.github\/workflows\/.*\.(yml|yaml)$/i)) return [];
-    const matches = [];
-    const patterns = [
-      /run:.*\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|head_commit)\.(?:title|body|message)/gi,
-      /run:.*\$\{\{\s*github\.event\.(?:inputs|head_ref|base_ref)/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        githubActionsInjection,
-        filePath,
-        () => "Never use ${{ github.event.* }} directly in 'run:'. Pass it as an environment variable: env: TITLE: ${{ github.event.issue.title }} then use $TITLE in the script."
-      ));
-    }
-    return matches;
-  }
-};
-var secretsInCI = {
-  id: "VC076",
-  title: "Hardcoded Secrets in CI/CD Config",
-  severity: "critical",
-  category: "Secrets",
-  description: "Hardcoded tokens, passwords, or API keys in CI/CD workflow files are visible to anyone with repo access. Use encrypted secrets instead.",
-  check(content, filePath) {
-    if (!filePath.match(/\.github\/workflows\/|\.gitlab-ci|Jenkinsfile|\.circleci|bitbucket-pipelines/i)) return [];
-    const matches = [];
-    const patterns = [
-      /(?:password|token|key|secret|api_key|apikey)\s*[:=]\s*["'`][A-Za-z0-9+/=_-]{20,}["'`]/gi,
-      /(?:DOCKER_PASSWORD|NPM_TOKEN|AWS_SECRET_ACCESS_KEY|GH_TOKEN|GITHUB_TOKEN)\s*[:=]\s*["'`][^"'`$]+["'`]/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        secretsInCI,
-        filePath,
-        () => "Use repository secrets: ${{ secrets.MY_TOKEN }} (GitHub) or CI/CD variable settings. Never hardcode credentials in workflow files."
-      ));
-    }
-    return matches;
-  }
-};
-var corsServerless = {
-  id: "VC077",
-  title: "CORS Wildcard in Serverless Config",
-  severity: "high",
-  category: "Configuration",
-  description: "Setting Access-Control-Allow-Origin: * in serverless.yml, vercel.json, or similar configs allows any website to make authenticated requests to your API.",
-  check(content, filePath) {
-    if (!filePath.match(/serverless\.(yml|yaml)|vercel\.json|netlify\.toml|amplify\.yml/i)) return [];
-    const matches = [];
-    if (/(?:Access-Control-Allow-Origin|allowOrigin|cors).*['"]\*['"]/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /(?:Access-Control-Allow-Origin|allowOrigin|cors).*['"]\*['"]/gi,
-        corsServerless,
-        filePath,
-        () => "Replace wildcard CORS with specific origins: allowOrigin: ['https://yourdomain.com']. Wildcard allows any site to call your API."
-      ));
-    }
-    return matches;
-  }
-};
-var k8sPrivileged = {
-  id: "VC078",
-  title: "Kubernetes Privileged Container",
-  severity: "critical",
-  category: "Configuration",
-  description: "Running containers with privileged: true or as root in Kubernetes gives full host access, making container escapes trivial.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(yaml|yml)$/) || !/(?:kind|apiVersion|container)/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /privileged\s*:\s*true/g,
-      /runAsUser\s*:\s*0\b/g,
-      /runAsNonRoot\s*:\s*false/g,
-      /allowPrivilegeEscalation\s*:\s*true/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        k8sPrivileged,
-        filePath,
-        () => "Set securityContext: { privileged: false, runAsNonRoot: true, allowPrivilegeEscalation: false }. Never run containers as root in production."
-      ));
-    }
-    return matches;
-  }
-};
-function detectFramework(files) {
-  const frameworks = /* @__PURE__ */ new Set();
-  for (const { path, content } of files) {
-    if (path.match(/next\.config/i) || /from\s+["']next/i.test(content)) frameworks.add("next.js");
-    if (/from\s+["']react-native/i.test(content) || path.match(/react-native\.config/i)) frameworks.add("react-native");
-    else if (/from\s+["']react/i.test(content) || /import\s+React/i.test(content)) frameworks.add("react");
-    if (/from\s+["']express/i.test(content) || /require\s*\(\s*["']express/i.test(content)) frameworks.add("express");
-    if (/from\s+["']hono/i.test(content)) frameworks.add("hono");
-    if (/from\s+["']fastify/i.test(content)) frameworks.add("fastify");
-    if (/from\s+["']electron/i.test(content) || path.match(/electron/i)) frameworks.add("electron");
-    if (path.match(/settings\.py$/) || /from\s+django/i.test(content)) frameworks.add("django");
-    if (/from\s+flask/i.test(content) || /Flask\s*\(/i.test(content)) frameworks.add("flask");
-    if (/from\s+["']vue/i.test(content) || path.match(/vue\.config/i)) frameworks.add("vue");
-    if (/from\s+["']svelte/i.test(content) || path.match(/svelte\.config/i)) frameworks.add("svelte");
-  }
-  if (frameworks.size === 0) frameworks.add("unknown");
-  return [...frameworks];
-}
-function calculateGrade(findings, totalFiles) {
-  if (findings.length === 0) {
-    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent!" };
-  }
-  let deductions = 0;
-  for (const f of findings) {
-    switch (f.severity) {
-      case "critical":
-        deductions += 15;
-        break;
-      case "high":
-        deductions += 8;
-        break;
-      case "medium":
-        deductions += 4;
-        break;
-      case "low":
-        deductions += 1;
-        break;
-    }
-  }
-  const sizeBuffer = Math.min(Math.log2(Math.max(totalFiles, 1)) * 2, 15);
-  const score = Math.max(0, Math.min(100, 100 - deductions + sizeBuffer));
-  let grade;
-  let summary;
-  if (score >= 95) {
-    grade = "A+";
-    summary = "Excellent security posture with minimal issues.";
-  } else if (score >= 85) {
-    grade = "A";
-    summary = "Strong security with a few minor concerns.";
-  } else if (score >= 70) {
-    grade = "B";
-    summary = "Good security but some issues need attention.";
-  } else if (score >= 55) {
-    grade = "C";
-    summary = "Fair security \u2014 several vulnerabilities should be fixed.";
-  } else if (score >= 35) {
-    grade = "D";
-    summary = "Poor security \u2014 critical issues require immediate attention.";
-  } else {
-    grade = "F";
-    summary = "Failing \u2014 serious vulnerabilities present. Fix critical issues immediately.";
-  }
-  return { grade, score: Math.round(score), summary };
-}
-var jwtAlgConfusion = {
-  id: "VC079",
-  title: "JWT Algorithm Confusion (alg:none)",
-  severity: "critical",
-  category: "Authentication",
-  description: "Accepting 'none' as a JWT algorithm allows attackers to forge tokens by removing the signature entirely.",
-  check(content, filePath) {
-    if (!/jwt|jsonwebtoken|jose/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /algorithms\s*:\s*\[.*["']none["']/gi,
-      /algorithm\s*[:=]\s*["']none["']/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        jwtAlgConfusion,
-        filePath,
-        () => "Never allow algorithm 'none'. Explicitly specify: algorithms: ['RS256'] or algorithms: ['HS256']. Reject tokens with alg:none."
-      ));
-    }
-    if (/jwt\.verify\s*\([^)]*\)\s*(?!.*algorithms)/i.test(content) && !/algorithms/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /jwt\.verify\s*\(/g,
-        jwtAlgConfusion,
-        filePath,
-        () => "Specify allowed algorithms in jwt.verify: jwt.verify(token, secret, { algorithms: ['HS256'] })."
-      ));
-    }
-    return matches;
-  }
-};
-var regexDos = {
-  id: "VC080",
-  title: "Potential Regular Expression DoS (ReDoS)",
-  severity: "high",
-  category: "Availability",
-  description: "Nested quantifiers like (a+)+ or (a*){2,} cause catastrophic backtracking, allowing attackers to freeze your server with crafted input.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      /new\s+RegExp\s*\(\s*["'`].*\([^)]*[+*]\)[+*{]/g,
-      /\/.*\([^)]*[+*]\)[+*{].*\//g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        regexDos,
-        filePath,
-        () => "Avoid nested quantifiers in regex. Use atomic groups, possessive quantifiers, or the 're2' library for safe regex execution."
-      ));
-    }
-    return matches;
-  }
-};
-var xxeVulnerability = {
-  id: "VC081",
-  title: "XML External Entity (XXE) Injection",
-  severity: "critical",
-  category: "Injection",
-  description: "XML parsers that process external entities allow attackers to read files, perform SSRF, or cause DoS via billion-laughs attacks.",
-  check(content, filePath) {
-    if (!/xml|parseXML|DOMParser|SAXParser|etree|lxml/i.test(content)) return [];
-    const matches = [];
-    const patterns = [
-      /\.parseXML\s*\(/g,
-      /new\s+DOMParser\s*\(\)/g,
-      /etree\.parse\s*\(/g,
-      /lxml\.etree/g,
-      /SAXParserFactory/g,
-      /XMLReaderFactory/g
-    ];
-    const hasProtection = /noent.*false|resolveExternals.*false|FEATURE_EXTERNAL.*false|defusedxml|disallow-doctype-decl/i.test(content);
-    if (hasProtection) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        xxeVulnerability,
-        filePath,
-        () => "Disable external entities: set noent: false, or use defusedxml (Python). For Java: factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)."
-      ));
-    }
-    return matches;
-  }
-};
-var ssti = {
-  id: "VC082",
-  title: "Server-Side Template Injection (SSTI)",
-  severity: "critical",
-  category: "Injection",
-  description: "Rendering templates from user-controlled strings allows attackers to execute arbitrary code on the server.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      /render_template_string\s*\(\s*(?!["'`])/g,
-      /Template\s*\(\s*(?:req\.|body\.|input|params|args|user)/gi,
-      /engine\.render\s*\(\s*(?:req\.|body\.|input)/gi,
-      /nunjucks\.renderString\s*\(\s*(?:req\.|body\.|input)/gi,
-      /ejs\.render\s*\(\s*(?:req\.|body\.|input)/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        ssti,
-        filePath,
-        () => "Never render templates from user input. Use pre-defined templates and pass data as context variables: render_template('template.html', data=user_data)."
-      ));
-    }
-    return matches;
-  }
-};
-var javaDeserialization = {
-  id: "VC083",
-  title: "Insecure Java Deserialization",
-  severity: "critical",
-  category: "Injection",
-  description: "ObjectInputStream.readObject() on untrusted data allows arbitrary code execution via gadget chains in the classpath.",
-  check(content, filePath) {
-    if (!filePath.match(/\.java$|\.kt$/)) return [];
-    const matches = [];
-    const patterns = [
-      /ObjectInputStream\s*\(/g,
-      /\.readObject\s*\(\)/g,
-      /XMLDecoder\s*\(/g,
-      /XStream\s*\(\)/g
-    ];
-    const hasSafe = /ValidatingObjectInputStream|ObjectInputFilter|SerialKiller|NotSerializableException/i.test(content);
-    if (hasSafe) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        javaDeserialization,
-        filePath,
-        () => "Use ValidatingObjectInputStream with an allowlist of classes, or avoid Java serialization entirely. Use JSON instead."
-      ));
-    }
-    return matches;
-  }
-};
-var missingSRI = {
-  id: "VC084",
-  title: "Missing Subresource Integrity (SRI)",
-  severity: "medium",
-  category: "Configuration",
-  description: "External scripts and stylesheets loaded without integrity= attributes can be tampered with if the CDN is compromised.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(html|htm|jsx|tsx|ejs|hbs)$/)) return [];
-    const matches = [];
-    const scriptPattern = /<script\s+[^>]*src\s*=\s*["']https?:\/\/[^"']+["'][^>]*>/gi;
-    let m;
-    const re = new RegExp(scriptPattern.source, scriptPattern.flags);
-    while ((m = re.exec(content)) !== null) {
-      if (!m[0].includes("integrity")) {
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        matches.push({
-          rule: "VC084",
-          title: missingSRI.title,
-          severity: "medium",
-          category: "Configuration",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: 'Add integrity and crossorigin attributes: <script src="..." integrity="sha384-..." crossorigin="anonymous">'
-        });
-      }
-    }
-    return matches;
-  }
-};
-var exposedAdminRoutes = {
-  id: "VC085",
-  title: "Exposed Admin or Debug Route",
-  severity: "high",
-  category: "Information Leakage",
-  description: "Routes like /admin, /debug, /phpinfo, or /actuator without authentication expose sensitive controls and information to attackers.",
-  check(content, filePath) {
-    if (!/(?:\/api\/|routes?\/|server\.|app\.|index\.[jt]s)/i.test(filePath)) return [];
-    const matches = [];
-    const patterns = [
-      /[.'"]\s*(?:get|use|all)\s*\(\s*["'`]\/(?:admin|debug|_debug|__debug__|phpinfo|actuator|graphiql|playground|swagger)["'`]/gi
-    ];
-    const hasAuth = /auth|requireAuth|isAdmin|requireAdmin|authenticate|middleware.*admin/i.test(content);
-    if (hasAuth) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        exposedAdminRoutes,
-        filePath,
-        () => "Protect admin/debug routes with authentication middleware. In production, disable debug endpoints entirely."
-      ));
-    }
-    return matches;
-  }
-};
-var insecureWebSocket = {
-  id: "VC086",
-  title: "Insecure WebSocket Connection (ws://)",
-  severity: "medium",
-  category: "Configuration",
-  description: "Using ws:// instead of wss:// transmits data in plaintext, vulnerable to eavesdropping and man-in-the-middle attacks.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    return findMatches(
-      content,
-      /new\s+WebSocket\s*\(\s*["'`]ws:\/\//g,
-      insecureWebSocket,
-      filePath,
-      () => "Use wss:// (WebSocket Secure) instead of ws:// for encrypted connections: new WebSocket('wss://...')."
-    );
-  }
-};
-var missingHSTS = {
-  id: "VC087",
-  title: "Missing HTTP Strict Transport Security (HSTS)",
-  severity: "medium",
-  category: "Configuration",
-  description: "Without HSTS headers, browsers allow downgrade attacks from HTTPS to HTTP, exposing traffic to interception.",
-  check(content, filePath) {
-    if (!/(?:server|app|index|main)\.[jt]sx?$/.test(filePath)) return [];
-    if (!/(?:express|hono|fastify|koa)/i.test(content)) return [];
-    if (/Strict-Transport-Security|hsts|helmet/i.test(content)) return [];
-    return findMatches(
-      content,
-      /(?:express|hono|fastify|koa)\s*\(/gi,
-      missingHSTS,
-      filePath,
-      () => "Add HSTS header: res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'). Or use helmet()."
-    );
-  }
-};
-var sensitiveURLParams = {
-  id: "VC088",
-  title: "Sensitive Data in URL Parameters",
-  severity: "high",
-  category: "Information Leakage",
-  description: "Passing passwords, tokens, or API keys in URL query parameters exposes them in server logs, browser history, and referrer headers.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      /\?\s*(?:password|token|secret|api_key|apiKey|access_token|ssn|credit_card)\s*=/gi,
-      /[&?](?:password|token|secret|api_key|apiKey|access_token)\s*=\s*\$\{/gi
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        sensitiveURLParams,
-        filePath,
-        () => "Never pass sensitive data in URL parameters. Use request headers (Authorization: Bearer ...) or POST body instead."
-      ));
-    }
-    return matches;
-  }
-};
-var missingContentDisposition = {
-  id: "VC089",
-  title: "File Download Missing Content-Disposition",
-  severity: "medium",
-  category: "Configuration",
-  description: "File download endpoints without Content-Disposition headers may render files inline, leading to XSS if the file contains HTML/JS.",
-  check(content, filePath) {
-    if (!/(?:download|sendFile|send_file|pipe|createReadStream)/i.test(content)) return [];
-    if (!/(?:\/api\/|routes?\/|controllers?\/|server\.|handler)/i.test(filePath)) return [];
-    if (/Content-Disposition|attachment|download/i.test(content)) return [];
-    return findMatches(
-      content,
-      /(?:sendFile|send_file|createReadStream|\.pipe)\s*\(/gi,
-      missingContentDisposition,
-      filePath,
-      () => `Set Content-Disposition: attachment header on file downloads: res.setHeader('Content-Disposition', 'attachment; filename="file.pdf"').`
-    );
-  }
-};
-var hostHeaderRedirect = {
-  id: "VC090",
-  title: "Open Redirect via Host Header",
-  severity: "high",
-  category: "Injection",
-  description: "Using req.headers.host to construct redirect URLs allows attackers to inject a malicious host header, redirecting users to phishing sites.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    if (/req\.headers\.host|req\.get\s*\(\s*["']host["']\)/i.test(content) && /redirect|location/i.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /req\.headers\.host|req\.get\s*\(\s*["']host["']\)/gi,
-        hostHeaderRedirect,
-        filePath,
-        () => "Don't use req.headers.host for redirects \u2014 it's attacker-controlled. Use a hardcoded domain or environment variable."
-      ));
-    }
-    return matches;
-  }
-};
-var raceCondition = {
-  id: "VC091",
-  title: "Potential Race Condition (TOCTOU)",
-  severity: "high",
-  category: "Authorization",
-  description: "Check-then-act patterns (e.g., checking if a file exists then writing to it) are vulnerable to race conditions where state changes between the check and the action.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      /(?:existsSync|exists)\s*\([^)]+\)[\s\S]{0,50}(?:writeFileSync|writeFile|unlinkSync|unlink|renameSync)\s*\(/g,
-      /os\.path\.exists\s*\([^)]+\)[\s\S]{0,50}open\s*\(/g,
-      /File\.exists\?\s*\([^)]+\)[\s\S]{0,50}File\.(?:write|delete)/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        raceCondition,
-        filePath,
-        () => "Use atomic operations instead of check-then-act. For files: use fs.open with 'wx' flag (exclusive create), or use file locks."
-      ));
-    }
-    return matches;
-  }
-};
-var unsafeObjectAssign = {
-  id: "VC092",
-  title: "Unsafe Object Spread from User Input",
-  severity: "medium",
-  category: "Injection",
-  description: "Spreading request body into a new object can copy __proto__, constructor, or other dangerous properties, enabling prototype pollution.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      /Object\.assign\s*\(\s*\{\s*\}\s*,\s*(?:req\.(?:body|query|params)|body|input)\s*\)/gi,
-      /\{\s*\.\.\.(?:req\.(?:body|query|params)|body|input)\s*\}/gi
-    ];
-    const hasSafe = /omit.*__proto__|sanitize|pick\(|lodash\.pick|stripProto/i.test(content);
-    if (hasSafe) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        unsafeObjectAssign,
-        filePath,
-        () => "Explicitly pick allowed properties instead of spreading: const { name, email } = req.body; const safe = { name, email };"
-      ));
-    }
-    return matches;
-  }
-};
-var unprotectedDownload = {
-  id: "VC093",
-  title: "File Download Without Path Validation",
-  severity: "medium",
-  category: "Authorization",
-  description: "File download endpoints that accept user-controlled filenames without path validation allow directory traversal to read arbitrary files.",
-  check(content, filePath) {
-    if (!/(?:download|sendFile|send_file)/i.test(content)) return [];
-    if (!/(?:\/api\/|routes?\/|controllers?\/|server\.|handler)/i.test(filePath)) return [];
-    const matches = [];
-    if (/(?:sendFile|download|send_file)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/i.test(content)) {
-      const hasValidation = /path\.resolve|path\.normalize|path\.join.*__dirname|realpath|includes\s*\(\s*["']\.\./i.test(content);
-      if (!hasValidation) {
-        matches.push(...findMatches(
-          content,
-          /(?:sendFile|download|send_file)\s*\(/gi,
-          unprotectedDownload,
-          filePath,
-          () => "Validate file paths: const safePath = path.resolve(DOWNLOAD_DIR, filename); if (!safePath.startsWith(DOWNLOAD_DIR)) throw new Error('Invalid path');"
-        ));
-      }
-    }
-    return matches;
-  }
-};
-var commandInjection = {
-  id: "VC094",
-  title: "Potential Command Injection",
-  severity: "critical",
-  category: "Injection",
-  description: "Passing user input to shell commands (exec, system, child_process) allows attackers to execute arbitrary system commands.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock")) return [];
-    const matches = [];
-    const patterns = [
-      // Node.js
-      /(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*\+\s*(?:req\.|body\.|input|params|args|user))/gi,
-      /child_process.*exec\s*\(\s*(?!["'`])/g,
-      // Python
-      /os\.system\s*\(\s*(?!["'`].*["'`]\s*\))/g,
-      /subprocess\.(?:call|run|Popen)\s*\([^)]*shell\s*=\s*True/gi,
-      // Ruby
-      /system\s*\(\s*["'].*#\{/g
-    ];
-    const hasSafe = /execFile|spawn|escapeshellarg|shlex\.quote|shellEscape/i.test(content);
-    if (hasSafe) return [];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        commandInjection,
-        filePath,
-        () => "Use execFile/spawn instead of exec (avoids shell). Never concatenate user input into shell commands. Use parameterized arguments."
-      ));
-    }
-    return matches;
-  }
-};
-var corsLocalhost = {
-  id: "VC095",
-  title: "Hardcoded Localhost CORS Origin",
-  severity: "medium",
-  category: "Configuration",
-  description: "Hardcoded localhost CORS origins in production code allow any local process to make authenticated requests to your API.",
-  check(content, filePath) {
-    if (filePath.includes("test") || filePath.includes("mock") || filePath.includes(".env")) return [];
-    if (!/origin/i.test(content)) return [];
-    return findMatches(
-      content,
-      /origin\s*[:=]\s*["'`]http:\/\/localhost/gi,
-      corsLocalhost,
-      filePath,
-      () => "Use environment variables for CORS origins: origin: process.env.ALLOWED_ORIGIN. Remove localhost from production configs."
-    );
-  }
-};
-var insecureGRPC = {
-  id: "VC096",
-  title: "Unencrypted gRPC Channel",
-  severity: "medium",
-  category: "Configuration",
-  description: "Using insecure gRPC channels transmits data including credentials in plaintext.",
-  check(content, filePath) {
-    if (!/grpc/i.test(content)) return [];
-    return findMatches(
-      content,
-      /(?:insecure_channel|createInsecure|grpc\.Insecure)/gi,
-      insecureGRPC,
-      filePath,
-      () => "Use encrypted gRPC channels: grpc.ssl_channel_credentials() or grpc.credentials.createSsl()."
-    );
-  }
-};
-var complianceMap = {
-  VC001: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC002: { owasp: "A05:2021", cwe: "CWE-200" },
-  VC003: { owasp: "A01:2021", cwe: "CWE-862" },
-  VC004: { owasp: "A01:2021", cwe: "CWE-284" },
-  VC005: { owasp: "A08:2021", cwe: "CWE-345" },
-  VC006: { owasp: "A03:2021", cwe: "CWE-89" },
-  VC007: { owasp: "A03:2021", cwe: "CWE-79" },
-  VC008: { owasp: "A04:2021", cwe: "CWE-770" },
-  VC009: { owasp: "A05:2021", cwe: "CWE-942" },
-  VC010: { owasp: "A01:2021", cwe: "CWE-602" },
-  VC011: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC012: { owasp: "A05:2021", cwe: "CWE-200" },
-  VC013: { owasp: "A01:2021", cwe: "CWE-269" },
-  VC014: { owasp: "A05:2021", cwe: "CWE-538" },
-  VC015: { owasp: "A03:2021", cwe: "CWE-95" },
-  VC016: { owasp: "A01:2021", cwe: "CWE-601" },
-  VC017: { owasp: "A05:2021", cwe: "CWE-614" },
-  VC018: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC019: { owasp: "A05:2021", cwe: "CWE-693" },
-  VC020: { owasp: "A05:2021", cwe: "CWE-1021" },
-  VC021: { owasp: "A01:2021", cwe: "CWE-22" },
-  VC022: { owasp: "A03:2021", cwe: "CWE-79" },
-  VC023: { owasp: "A08:2021", cwe: "CWE-1321" },
-  VC024: { owasp: "A04:2021", cwe: "CWE-770" },
-  VC025: { owasp: "A03:2021", cwe: "CWE-22" },
-  VC026: { owasp: "A05:2021", cwe: "CWE-693" },
-  VC027: { owasp: "A05:2021", cwe: "CWE-693" },
-  VC028: { owasp: "A07:2021", cwe: "CWE-20" },
-  VC029: { owasp: "A08:2021", cwe: "CWE-20" },
-  VC030: { owasp: "A08:2021", cwe: "CWE-502" },
-  VC031: { owasp: "A02:2021", cwe: "CWE-321" },
-  VC032: { owasp: "A05:2021", cwe: "CWE-319" },
-  VC033: { owasp: "A05:2021", cwe: "CWE-215" },
-  VC034: { owasp: "A02:2021", cwe: "CWE-338" },
-  VC035: { owasp: "A01:2021", cwe: "CWE-601" },
-  VC036: { owasp: "A04:2021", cwe: "CWE-755" },
-  VC037: { owasp: "A09:2021", cwe: "CWE-209" },
-  VC038: { owasp: "A04:2021", cwe: "CWE-434" },
-  VC039: { owasp: "A06:2021", cwe: "CWE-1104" },
-  VC040: { owasp: "A05:2021", cwe: "CWE-538" },
-  VC041: { owasp: "A10:2021", cwe: "CWE-918" },
-  VC042: { owasp: "A01:2021", cwe: "CWE-915" },
-  VC043: { owasp: "A02:2021", cwe: "CWE-208" },
-  VC044: { owasp: "A09:2021", cwe: "CWE-117" },
-  VC045: { owasp: "A07:2021", cwe: "CWE-521" },
-  VC046: { owasp: "A07:2021", cwe: "CWE-384" },
-  VC047: { owasp: "A07:2021", cwe: "CWE-307" },
-  VC048: { owasp: "A03:2021", cwe: "CWE-943" },
-  VC049: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC050: { owasp: "A02:2021", cwe: "CWE-319" },
-  VC051: { owasp: "A05:2021", cwe: "CWE-200" },
-  VC052: { owasp: "A04:2021", cwe: "CWE-770" },
-  VC053: { owasp: "A05:2021", cwe: "CWE-798" },
-  VC054: { owasp: "A07:2021", cwe: "CWE-922" },
-  VC055: { owasp: "A05:2021", cwe: "CWE-540" },
-  VC056: { owasp: "A05:2021", cwe: "CWE-1021" },
-  VC057: { owasp: "A01:2021", cwe: "CWE-269" },
-  VC058: { owasp: "A05:2021", cwe: "CWE-250" },
-  VC059: { owasp: "A05:2021", cwe: "CWE-284" },
-  VC060: { owasp: "A02:2021", cwe: "CWE-328" },
-  VC061: { owasp: "A02:2021", cwe: "CWE-295" },
-  VC062: { owasp: "A02:2021", cwe: "CWE-321" },
-  VC063: { owasp: "A03:2021", cwe: "CWE-79" },
-  VC064: { owasp: "A01:2021", cwe: "CWE-862" },
-  VC065: { owasp: "A01:2021", cwe: "CWE-862" },
-  VC066: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC067: { owasp: "A01:2021", cwe: "CWE-601" },
-  VC068: { owasp: "A07:2021", cwe: "CWE-922" },
-  VC069: { owasp: "A02:2021", cwe: "CWE-295" },
-  VC070: { owasp: "A05:2021", cwe: "CWE-489" },
-  VC071: { owasp: "A05:2021", cwe: "CWE-215" },
-  VC072: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC073: { owasp: "A08:2021", cwe: "CWE-502" },
-  VC074: { owasp: "A01:2021", cwe: "CWE-352" },
-  VC075: { owasp: "A03:2021", cwe: "CWE-78" },
-  VC076: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC077: { owasp: "A05:2021", cwe: "CWE-942" },
-  VC078: { owasp: "A05:2021", cwe: "CWE-250" },
-  VC079: { owasp: "A02:2021", cwe: "CWE-327" },
-  VC080: { owasp: "A04:2021", cwe: "CWE-1333" },
-  VC081: { owasp: "A03:2021", cwe: "CWE-611" },
-  VC082: { owasp: "A03:2021", cwe: "CWE-94" },
-  VC083: { owasp: "A08:2021", cwe: "CWE-502" },
-  VC084: { owasp: "A06:2021", cwe: "CWE-353" },
-  VC085: { owasp: "A01:2021", cwe: "CWE-862" },
-  VC086: { owasp: "A02:2021", cwe: "CWE-319" },
-  VC087: { owasp: "A05:2021", cwe: "CWE-311" },
-  VC088: { owasp: "A07:2021", cwe: "CWE-598" },
-  VC089: { owasp: "A05:2021", cwe: "CWE-430" },
-  VC090: { owasp: "A01:2021", cwe: "CWE-601" },
-  VC091: { owasp: "A04:2021", cwe: "CWE-367" },
-  VC092: { owasp: "A08:2021", cwe: "CWE-1321" },
-  VC093: { owasp: "A01:2021", cwe: "CWE-22" },
-  VC094: { owasp: "A03:2021", cwe: "CWE-78" },
-  VC095: { owasp: "A05:2021", cwe: "CWE-942" },
-  VC096: { owasp: "A02:2021", cwe: "CWE-319" },
-  VC097: { owasp: "A09:2021", cwe: "CWE-532" },
-  VC098: { owasp: "A04:2021", cwe: "CWE-400" },
-  VC099: { owasp: "A04:2021", cwe: "CWE-401" },
-  VC100: { owasp: "A04:2021", cwe: "CWE-400" },
-  VC101: { owasp: "A04:2021", cwe: "CWE-400" },
-  VC102: { owasp: "A04:2021", cwe: "CWE-400" },
-  VC103: { owasp: "A04:2021", cwe: "CWE-710" },
-  VC104: { owasp: "A04:2021", cwe: "CWE-390" },
-  VC105: { owasp: "A04:2021", cwe: "CWE-710" },
-  VC106: { owasp: "A04:2021", cwe: "CWE-710" },
-  VC107: { owasp: "A02:2021", cwe: "CWE-311" },
-  VC108: { owasp: "A01:2021", cwe: "CWE-284" },
-  VC109: { owasp: "A01:2021", cwe: "CWE-284" },
-  VC110: { owasp: "A09:2021", cwe: "CWE-778" },
-  VC111: { owasp: "A05:2021", cwe: "CWE-16" },
-  VC112: { owasp: "A06:2021", cwe: "CWE-1104" },
-  VC113: { owasp: "A05:2021", cwe: "CWE-200" },
-  VC114: { owasp: "A05:2021", cwe: "CWE-16" },
-  VC115: { owasp: "A02:2021", cwe: "CWE-311" },
-  VC116: { owasp: "A05:2021", cwe: "CWE-770" },
-  VC117: { owasp: "A03:2021", cwe: "CWE-22" },
-  VC118: { owasp: "A09:2021", cwe: "CWE-532" },
-  VC119: { owasp: "A07:2021", cwe: "CWE-798" },
-  VC120: { owasp: "A07:2021", cwe: "CWE-352" },
-  VC121: { owasp: "A06:2021", cwe: "CWE-1104" },
-  VC122: { owasp: "A02:2021", cwe: "CWE-326" },
-  VC123: { owasp: "A02:2021", cwe: "CWE-326" },
-  VC124: { owasp: "A02:2021", cwe: "CWE-327" },
-  VC125: { owasp: "A07:2021", cwe: "CWE-640" },
-  VC126: { owasp: "A05:2021", cwe: "CWE-200" },
-  VC127: { owasp: "A01:2021", cwe: "CWE-862" },
-  VC128: { owasp: "A05:2021", cwe: "CWE-444" },
-  VC129: { owasp: "A02:2021", cwe: "CWE-311" },
-  VC130: { owasp: "A07:2021", cwe: "CWE-307" },
-  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
-};
-var consoleLogProduction = {
-  id: "VC097",
-  title: "Console.log Left in Production Code",
-  severity: "medium",
-  category: "Performance",
-  description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
-    if (!/console\.log\s*\(/g.test(content)) return [];
-    const lines = content.split("\n");
-    const matches = [];
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i].trim();
-      if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
-        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
-      }
-    }
-    return matches.slice(0, 3);
-  }
-};
-var syncFileOps = {
-  id: "VC098",
-  title: "Synchronous File Operations",
-  severity: "medium",
-  category: "Performance",
-  description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock|__tests__|fixture|config|\.config\./i)) return [];
-    return findMatches(
-      content,
-      /(?:readFileSync|writeFileSync|appendFileSync|mkdirSync|rmdirSync|statSync)\s*\(/g,
-      syncFileOps,
-      filePath,
-      () => "Use async file operations (readFile, writeFile) to avoid blocking the event loop."
-    );
-  }
-};
-var eventListenerLeak = {
-  id: "VC099",
-  title: "Memory Leak: Event Listener Not Cleaned Up",
-  severity: "high",
-  category: "Performance",
-  description: "Adding event listeners in React useEffect without a cleanup function causes memory leaks as listeners accumulate on re-renders.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx|tsx)$/)) return [];
-    if (!/addEventListener/i.test(content)) return [];
-    if (/removeEventListener/i.test(content)) return [];
-    if (!/useEffect/i.test(content)) return [];
-    return findMatches(
-      content,
-      /addEventListener\s*\(/g,
-      eventListenerLeak,
-      filePath,
-      () => "Return a cleanup function from useEffect: useEffect(() => { window.addEventListener('resize', fn); return () => window.removeEventListener('resize', fn); }, []);"
-    );
-  }
-};
-var nPlusOneQuery = {
-  id: "VC100",
-  title: "N+1 Query Pattern Detected",
-  severity: "medium",
-  category: "Performance",
-  description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock/i)) return [];
-    const hasLoopWithQuery = /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()[^}]*(?:\.find\(|\.findOne\(|\.findById\(|\.query\(|\.execute\(|SELECT\s)/is.test(content);
-    if (!hasLoopWithQuery) return [];
-    return findMatches(
-      content,
-      /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()/g,
-      nPlusOneQuery,
-      filePath,
-      () => "Fetch all data in a single query using WHERE IN, JOIN, or batch operations instead of querying per item in a loop."
-    ).slice(0, 2);
-  }
-};
-var largeBundleImport = {
-  id: "VC101",
-  title: "Importing Entire Library (Large Bundle)",
-  severity: "medium",
-  category: "Performance",
-  description: "Importing entire libraries like lodash or moment.js adds hundreds of KB to your bundle. Import only the functions you need.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
-    const matches = [];
-    const patterns = [
-      /import\s+_\s+from\s+['"]lodash['"]/g,
-      /import\s+\*\s+as\s+_\s+from\s+['"]lodash['"]/g,
-      /import\s+moment\s+from\s+['"]moment['"]/g,
-      /const\s+_\s*=\s*require\s*\(\s*['"]lodash['"]\s*\)/g,
-      /const\s+moment\s*=\s*require\s*\(\s*['"]moment['"]\s*\)/g
-    ];
-    for (const p of patterns) {
-      matches.push(...findMatches(
-        content,
-        p,
-        largeBundleImport,
-        filePath,
-        () => "Import only what you need: import { debounce } from 'lodash/debounce'. Or switch to lighter alternatives like date-fns instead of moment."
-      ));
-    }
-    return matches;
-  }
-};
-var blockingMainThread = {
-  id: "VC102",
-  title: "Blocking Main Thread with Heavy Computation",
-  severity: "medium",
-  category: "Performance",
-  description: "Infinite loops or deeply nested iterations on the main thread freeze the UI and cause unresponsiveness.",
-  check(content, filePath) {
-    if (filePath.match(/worker|test|spec|mock/i)) return [];
-    const matches = [];
-    if (/while\s*\(\s*true\s*\)/g.test(content)) {
-      matches.push(...findMatches(
-        content,
-        /while\s*\(\s*true\s*\)/g,
-        blockingMainThread,
-        filePath,
-        () => "Avoid while(true) on the main thread. Use Web Workers for heavy computation or requestIdleCallback for non-urgent work."
-      ));
-    }
-    return matches;
-  }
-};
-var todoLeftInCode = {
-  id: "VC103",
-  title: "TODO/FIXME Left in Code",
-  severity: "low",
-  category: "Code Quality",
-  description: "TODO, FIXME, HACK, and XXX comments indicate unfinished work that should be resolved before shipping to production.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock|__tests__|fixture|node_modules/i)) return [];
-    return findMatches(
-      content,
-      /\/\/\s*(?:TODO|FIXME|HACK|XXX)\b/gi,
-      todoLeftInCode,
-      filePath,
-      () => "Resolve TODO/FIXME comments before shipping. If it's intentional tech debt, track it in your issue tracker instead."
-    ).slice(0, 5);
-  }
-};
-var emptyCatchBlock = {
-  id: "VC104",
-  title: "Empty Catch Block",
-  severity: "medium",
-  category: "Code Quality",
-  description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock/i)) return [];
-    return findMatches(
-      content,
-      /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g,
-      emptyCatchBlock,
-      filePath,
-      () => "Handle errors in catch blocks: catch(err) { console.error('Operation failed:', err); } or re-throw if appropriate."
-    );
-  }
-};
-var callbackHell = {
-  id: "VC105",
-  title: "Deeply Nested Callbacks (Promise Chain)",
-  severity: "medium",
-  category: "Code Quality",
-  description: "Long .then() chains or deeply nested callbacks are hard to read, debug, and maintain. Refactor to async/await.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock/i)) return [];
-    return findMatches(
-      content,
-      /\.then\s*\([^)]*\)\s*\.then\s*\([^)]*\)\s*\.then/g,
-      callbackHell,
-      filePath,
-      () => "Refactor .then() chains to async/await for cleaner, more readable code."
-    );
-  }
-};
-var magicNumbers = {
-  id: "VC106",
-  title: "Magic Numbers in Code",
-  severity: "low",
-  category: "Code Quality",
-  description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
-  check(content, filePath) {
-    if (filePath.match(/test|spec|mock|config|\.config\.|constant|enum|migration/i)) return [];
-    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
-    const matches = [];
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i].trim();
-      if (line.startsWith("//") || line.startsWith("*")) continue;
-      if (/(?:===|!==|>=?|<=?)\s*\d{3,}/.test(line) || /(?:setTimeout|setInterval)\s*\([^,]+,\s*\d{4,}/.test(line)) {
-        matches.push({ rule: "VC106", title: magicNumbers.title, severity: "low", category: "Code Quality", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Extract magic numbers into named constants: const MAX_RETRIES = 3; const TIMEOUT_MS = 5000;" });
-      }
-    }
-    return matches.slice(0, 3);
-  }
-};
-var s3BucketNoEncryption = {
-  id: "VC107",
-  title: "S3 Bucket Without Encryption",
-  severity: "high",
-  category: "Infrastructure",
-  description: "AWS S3 buckets without server-side encryption leave data at rest unprotected. Enable encryption to protect sensitive data.",
-  check(content, filePath) {
-    if (!filePath.match(/\.tf$/)) return [];
-    if (!/resource\s+"aws_s3_bucket"/.test(content)) return [];
-    const matches = [];
-    const bucketPattern = /resource\s+"aws_s3_bucket"\s+"(\w+)"/g;
-    let m;
-    while ((m = bucketPattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const blockEnd = Math.min(m.index + 2e3, content.length);
-      const blockContent = content.substring(m.index, blockEnd);
-      if (!/server_side_encryption/.test(blockContent)) {
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        matches.push({
-          rule: "VC107",
-          title: s3BucketNoEncryption.title,
-          severity: "high",
-          category: "Infrastructure",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Enable S3 bucket encryption: server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } } }"
-        });
-      }
-    }
-    return matches;
-  }
-};
-var securityGroupAllInbound = {
-  id: "VC108",
-  title: "Security Group Allows All Inbound",
-  severity: "critical",
-  category: "Infrastructure",
-  description: "Security groups allowing all inbound traffic (0.0.0.0/0 on all ports) expose resources to the entire internet.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(tf|json|yaml|yml)$/)) return [];
-    const matches = [];
-    if (filePath.match(/\.tf$/)) {
-      const ingressPattern = /ingress\s*\{[^}]*cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\][^}]*\}/gs;
-      let m;
-      while ((m = ingressPattern.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        if (/from_port\s*=\s*0/.test(m[0]) || !/from_port/.test(m[0])) {
-          const lineNum = content.substring(0, m.index).split("\n").length;
-          matches.push({
-            rule: "VC108",
-            title: securityGroupAllInbound.title,
-            severity: "critical",
-            category: "Infrastructure",
-            file: filePath,
-            line: lineNum,
-            snippet: getSnippet(content, lineNum),
-            fix: "Restrict security group ingress to specific IP ranges and ports."
-          });
-        }
-      }
-    }
-    if (filePath.match(/\.(json|yaml|yml)$/)) {
-      const cfnPattern = /AWS::EC2::SecurityGroup/g;
-      if (cfnPattern.test(content) && /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/.test(content)) {
-        matches.push(...findMatches(
-          content,
-          /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/g,
-          securityGroupAllInbound,
-          filePath,
-          () => "Restrict security group ingress to specific IP ranges and ports."
-        ));
-      }
-    }
-    return matches;
-  }
-};
-var rdsPubliclyAccessible = {
-  id: "VC109",
-  title: "RDS Instance Publicly Accessible",
-  severity: "critical",
-  category: "Infrastructure",
-  description: "RDS instances with publicly_accessible = true are exposed to the internet, risking unauthorized database access.",
-  check(content, filePath) {
-    if (!filePath.match(/\.tf$/)) return [];
-    if (!/resource\s+"aws_db_instance"/.test(content)) return [];
-    return findMatches(
-      content,
-      /publicly_accessible\s*=\s*true/g,
-      rdsPubliclyAccessible,
-      filePath,
-      () => "Set publicly_accessible = false. Access RDS through VPC private subnets."
-    );
-  }
-};
-var missingCloudTrail = {
-  id: "VC110",
-  title: "Missing CloudTrail Logging",
-  severity: "high",
-  category: "Infrastructure",
-  description: "AWS environments without CloudTrail lack audit logging of API calls, making it difficult to detect unauthorized activity.",
-  check(content, filePath) {
-    if (!filePath.match(/\.tf$/)) return [];
-    if (!/provider\s+"aws"/.test(content)) return [];
-    if (/aws_cloudtrail/.test(content)) return [];
-    const lineNum = content.substring(0, content.search(/provider\s+"aws"/)).split("\n").length;
-    return [{
-      rule: "VC110",
-      title: missingCloudTrail.title,
-      severity: "high",
-      category: "Infrastructure",
-      file: filePath,
-      line: lineNum,
-      snippet: getSnippet(content, lineNum),
-      fix: "Enable CloudTrail for audit logging of all AWS API calls."
-    }];
-  }
-};
-var lambdaWithoutVPC = {
-  id: "VC111",
-  title: "Lambda Without VPC",
-  severity: "medium",
-  category: "Infrastructure",
-  description: "Lambda functions not placed in a VPC lack network isolation and cannot access VPC-only resources securely.",
-  check(content, filePath) {
-    if (!filePath.match(/\.tf$/)) return [];
-    if (!/resource\s+"aws_lambda_function"/.test(content)) return [];
-    const matches = [];
-    const lambdaPattern = /resource\s+"aws_lambda_function"\s+"(\w+)"/g;
-    let m;
-    while ((m = lambdaPattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const blockEnd = Math.min(m.index + 2e3, content.length);
-      const blockContent = content.substring(m.index, blockEnd);
-      if (!/vpc_config\s*\{/.test(blockContent)) {
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        matches.push({
-          rule: "VC111",
-          title: lambdaWithoutVPC.title,
-          severity: "medium",
-          category: "Infrastructure",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Place Lambda functions in a VPC for network isolation."
-        });
-      }
-    }
-    return matches;
-  }
-};
-var dockerLatestTag = {
-  id: "VC112",
-  title: "Docker Image Using Latest Tag",
-  severity: "high",
-  category: "Configuration",
-  description: "Using :latest or no tag in Docker FROM directives leads to non-reproducible builds and potential security regressions.",
-  check(content, filePath) {
-    if (!filePath.match(/Dockerfile$/i)) return [];
-    const matches = [];
-    const fromPattern = /^FROM\s+(?!scratch)(\S+?)(?:\s+AS\s+\S+)?\s*$/gm;
-    let m;
-    while ((m = fromPattern.exec(content)) !== null) {
-      const image = m[1];
-      if (image.endsWith(":latest") || !image.includes(":") && !image.startsWith("$")) {
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        matches.push({
-          rule: "VC112",
-          title: dockerLatestTag.title,
-          severity: "high",
-          category: "Configuration",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Pin Docker image versions: FROM node:20-alpine instead of FROM node:latest"
-        });
-      }
-    }
-    return matches;
-  }
-};
-var dockerCopySensitive = {
-  id: "VC113",
-  title: "Docker COPY With Sensitive Files",
-  severity: "high",
-  category: "Configuration",
-  description: "Using COPY . . or ADD . . without a .dockerignore can leak .env files, .git history, and other sensitive data into the Docker image.",
-  check(content, filePath) {
-    if (!filePath.match(/Dockerfile$/i)) return [];
-    if (!/(?:COPY|ADD)\s+\.\s+\./.test(content)) return [];
-    return findMatches(
-      content,
-      /(?:COPY|ADD)\s+\.\s+\./g,
-      dockerCopySensitive,
-      filePath,
-      () => "Use .dockerignore to exclude .env, .git, node_modules, and sensitive files from the Docker build context."
-    );
-  }
-};
-var dockerTooManyPorts = {
-  id: "VC114",
-  title: "Docker Exposing Too Many Ports",
-  severity: "medium",
-  category: "Configuration",
-  description: "Exposing many ports or wide port ranges increases the attack surface of a container.",
-  check(content, filePath) {
-    if (!filePath.match(/Dockerfile$/i)) return [];
-    const matches = [];
-    const rangePattern = /^EXPOSE\s+\d+-\d+/gm;
-    matches.push(...findMatches(
-      content,
-      rangePattern,
-      dockerTooManyPorts,
-      filePath,
-      () => "Only expose necessary ports. Each EXPOSE should have a clear purpose."
-    ));
-    const exposeLines = content.split("\n").filter((l) => /^\s*EXPOSE\s+/.test(l));
-    if (exposeLines.length > 3) {
-      const firstExpose = content.search(/^\s*EXPOSE\s+/m);
-      if (firstExpose >= 0) {
-        const lineNum = content.substring(0, firstExpose).split("\n").length;
-        matches.push({
-          rule: "VC114",
-          title: dockerTooManyPorts.title,
-          severity: "medium",
-          category: "Configuration",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Only expose necessary ports. Each EXPOSE should have a clear purpose."
-        });
-      }
-    }
-    return matches;
-  }
-};
-var k8sSecretNotEncrypted = {
-  id: "VC115",
-  title: "Kubernetes Secret Not Encrypted",
-  severity: "high",
-  category: "Infrastructure",
-  description: "Kubernetes Secrets stored as plain base64 in manifests are not encrypted and can be trivially decoded. Use sealed-secrets or external-secrets.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(yaml|yml)$/)) return [];
-    if (!/kind\s*:\s*Secret/i.test(content)) return [];
-    if (/sealedsecrets\.bitnami\.com|external-secrets\.io/i.test(content)) return [];
-    return findMatches(
-      content,
-      /kind\s*:\s*Secret/g,
-      k8sSecretNotEncrypted,
-      filePath,
-      () => "Use sealed-secrets or external-secrets-operator. Never store plain secrets in manifests."
-    );
-  }
-};
-var k8sNoResourceLimits = {
-  id: "VC116",
-  title: "Kubernetes Pod Without Resource Limits",
-  severity: "medium",
-  category: "Infrastructure",
-  description: "Pods or deployments without resource limits can consume excessive CPU/memory, causing cluster instability.",
-  check(content, filePath) {
-    if (!filePath.match(/\.(yaml|yml)$/)) return [];
-    if (!/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i.test(content)) return [];
-    if (/resources\s*:\s*\n\s+limits\s*:/m.test(content)) return [];
-    if (/resources\s*:.*limits/i.test(content)) return [];
-    const kindMatch = content.match(/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i);
-    if (!kindMatch) return [];
-    const lineNum = content.substring(0, kindMatch.index).split("\n").length;
-    return [{
-      rule: "VC116",
-      title: k8sNoResourceLimits.title,
-      severity: "medium",
-      category: "Infrastructure",
-      file: filePath,
-      line: lineNum,
-      snippet: getSnippet(content, lineNum),
-      fix: "Set resource limits to prevent pods from consuming excessive CPU/memory."
-    }];
-  }
-};
-var pathTraversal = {
-  id: "VC117",
-  title: "Path Traversal Vulnerability",
-  severity: "critical",
-  category: "Injection",
-  description: "User input is used to construct file paths without sanitization, allowing attackers to read/write arbitrary files (e.g., ../../etc/passwd).",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|php|java)$/)) return [];
-    const findings = [];
-    const patterns = [
-      /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|appendFile|unlink|unlinkSync|access|stat|statSync|existsSync)\s*\(\s*(?:req\.|request\.|ctx\.|params\.|query\.)/gi,
-      /(?:path\.join|path\.resolve)\s*\([^)]*(?:req\.|request\.|ctx\.|params\.|query\.)[^)]*\)/gi,
-      /(?:res\.sendFile|res\.download)\s*\([^)]*(?:req\.|request\.)/gi,
-      /open\s*\(\s*(?:request\.|params\[|args\.)/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const surrounding = content.substring(Math.max(0, m.index - 200), m.index + 200);
-        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\./i.test(surrounding)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC117",
-          title: pathTraversal.title,
-          severity: "critical",
-          category: "Injection",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Sanitize file paths: use path.normalize(), reject paths containing '..', and validate against an allowed base directory."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var piiInLogs = {
-  id: "VC118",
-  title: "Personally Identifiable Information in Logs",
-  severity: "high",
-  category: "Information Leakage",
-  description: "Logging statements that include email addresses, passwords, SSNs, credit card numbers, or other PII can leak sensitive data to log aggregation systems.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const logPattern = /(?:console\.(?:log|info|warn|error|debug)|logger\.(?:info|warn|error|debug|log)|log\.(?:info|warn|error|debug)|logging\.(?:info|warn|error|debug))\s*\([^)]*(?:password|passwd|secret|ssn|social.?security|credit.?card|cardNumber|cvv|token|bearer|authorization)\b/gi;
-    let m;
-    while ((m = logPattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      if (isInsideFixMessage(content, m.index)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC118",
-        title: piiInLogs.title,
-        severity: "high",
-        category: "Information Leakage",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Never log sensitive data. Redact or mask PII before logging: log('user login', { email: maskEmail(email) })."
-      });
-    }
-    return findings;
-  }
-};
-var hardcodedOAuthSecret = {
-  id: "VC119",
-  title: "Hardcoded OAuth Client Secret",
-  severity: "critical",
-  category: "Secrets",
-  description: "OAuth client secrets hardcoded in source code can be extracted and used to impersonate your application.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php|env|json|yaml|yml)$/)) return [];
-    if (/package-lock|yarn\.lock|pnpm-lock|composer\.lock/i.test(filePath)) return [];
-    const findings = [];
-    const patterns = [
-      /client[_-]?secret\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/gi,
-      /GOOGLE_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
-      /GITHUB_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
-      /FACEBOOK_APP_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
-      /AUTH0_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        if (/process\.env|os\.environ|ENV\[|getenv|\$\{|<your|CHANGE_ME|xxx|placeholder/i.test(m[0])) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC119",
-          title: hardcodedOAuthSecret.title,
-          severity: "critical",
-          category: "Secrets",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Move OAuth client secrets to environment variables. Never commit secrets to source control."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var missingOAuthState = {
-  id: "VC120",
-  title: "OAuth Flow Missing State Parameter",
-  severity: "high",
-  category: "Authentication",
-  description: "OAuth authorization requests without a state parameter are vulnerable to CSRF attacks, allowing attackers to link their account to a victim's session.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const oauthUrlPattern = /(?:authorize\?|\/oauth\/authorize|\/auth\?|authorization_endpoint)[^}]*(?:client_id|response_type)/gi;
-    let m;
-    while ((m = oauthUrlPattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const surrounding = content.substring(m.index, Math.min(content.length, m.index + 500));
-      if (/state\s*[=:]/i.test(surrounding)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC120",
-        title: missingOAuthState.title,
-        severity: "high",
-        category: "Authentication",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Always include a cryptographically random 'state' parameter in OAuth authorization requests and validate it on callback."
-      });
-    }
-    return findings;
-  }
-};
-var unpinnedGitHubAction = {
-  id: "VC121",
-  title: "Unpinned GitHub Actions Version",
-  severity: "high",
-  category: "Supply Chain",
-  description: "GitHub Actions using branch references (@main, @master) instead of commit SHAs can be compromised via supply-chain attacks.",
-  check(content, filePath) {
-    if (!filePath.match(/\.github\/workflows\/.*\.(yml|yaml)$/)) return [];
-    const findings = [];
-    const usesPattern = /uses\s*:\s*[\w\-]+\/[\w\-]+@(main|master|dev|develop|latest)\b/gi;
-    let m;
-    while ((m = usesPattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC121",
-        title: unpinnedGitHubAction.title,
-        severity: "high",
-        category: "Supply Chain",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Pin GitHub Actions to a specific commit SHA instead of a branch name: uses: owner/action@<full-sha>"
-      });
-    }
-    return findings;
-  }
-};
-var deprecatedTLS = {
-  id: "VC122",
-  title: "Deprecated TLS Version Configured",
-  severity: "high",
-  category: "Cryptography",
-  description: "TLS 1.0 and 1.1 are deprecated and have known vulnerabilities. Only TLS 1.2+ should be used.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|py|rb|go|java|yaml|yml|json|conf|cfg|xml)$/)) return [];
-    const findings = [];
-    const patterns = [
-      /(?:TLSv1_METHOD|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_TLSv1|SSLv3|SSLv2|TLS_1_0|TLS_1_1|minVersion\s*[:=]\s*["']TLSv1(?:\.1)?["'])/gi,
-      /(?:tls\.DEFAULT_MIN_VERSION|secureProtocol)\s*[:=]\s*["'](?:TLSv1_method|TLSv1_1_method|SSLv3_method)["']/gi,
-      /ssl_protocols\s+.*(?:TLSv1(?:\.1)?(?:\s|;))/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC122",
-          title: deprecatedTLS.title,
-          severity: "high",
-          category: "Cryptography",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Use TLS 1.2 or higher. Set minVersion to 'TLSv1.2' and remove support for TLS 1.0/1.1."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var weakRSAKeySize = {
-  id: "VC123",
-  title: "Weak RSA Key Size",
-  severity: "high",
-  category: "Cryptography",
-  description: "RSA keys smaller than 2048 bits are considered insecure and can be factored with modern hardware.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const patterns = [
-      /generateKeyPair\s*\(\s*["']rsa["']\s*,\s*\{[^}]*modulusLength\s*:\s*(512|768|1024)\b/gi,
-      /RSA\.generate\s*\(\s*(512|768|1024)\b/gi,
-      /rsa\.GenerateKey\s*\([^,]*,\s*(512|768|1024)\b/gi,
-      /KeyPairGenerator.*initialize\s*\(\s*(512|768|1024)\b/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC123",
-          title: weakRSAKeySize.title,
-          severity: "high",
-          category: "Cryptography",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Use RSA key sizes of at least 2048 bits. 4096 bits is recommended for long-term security."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var ecbModeEncryption = {
-  id: "VC124",
-  title: "Insecure ECB Mode Encryption",
-  severity: "high",
-  category: "Cryptography",
-  description: "ECB (Electronic Codebook) mode encrypts identical plaintext blocks to identical ciphertext, leaking patterns in the data.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const patterns = [
-      /createCipher(?:iv)?\s*\(\s*["'](?:aes-(?:128|192|256)-ecb|des-ecb)["']/gi,
-      /AES\.(?:new|MODE_ECB)|MODE_ECB/gi,
-      /Cipher\.getInstance\s*\(\s*["']AES\/ECB/gi,
-      /aes\.NewCipher|cipher\.NewECBEncrypter/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC124",
-          title: ecbModeEncryption.title,
-          severity: "high",
-          category: "Cryptography",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Use AES-GCM or AES-CBC with HMAC instead of ECB mode. GCM provides both encryption and authentication."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var insecurePasswordReset = {
-  id: "VC125",
-  title: "Insecure Password Reset Implementation",
-  severity: "high",
-  category: "Authentication",
-  description: "Password reset using predictable tokens, no expiration, or user-enumeration leaks can be exploited to take over accounts.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
-    if (!/(?:reset|forgot).*(?:password|passwd)/i.test(content)) return [];
-    const findings = [];
-    const weakTokens = /(?:reset|forgot).*(?:token|code)\s*[:=].*(?:Date\.now|Math\.random|uuid\(\)|nanoid\(\))/gi;
-    let m;
-    while ((m = weakTokens.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC125",
-        title: insecurePasswordReset.title,
-        severity: "high",
-        category: "Authentication",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Use crypto.randomBytes(32).toString('hex') for reset tokens. Set expiration (15-60 minutes) and single-use enforcement."
-      });
-    }
-    const enumeration = /(?:user|email|account)\s*(?:not\s*found|does\s*not\s*exist|invalid)/gi;
-    while ((m = enumeration.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const surrounding = content.substring(Math.max(0, m.index - 500), m.index);
-      if (!/(?:reset|forgot).*password/i.test(surrounding)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC125",
-        title: insecurePasswordReset.title,
-        severity: "high",
-        category: "Authentication",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Always return the same response regardless of whether the email exists. Say 'If an account exists, a reset link was sent.'"
-      });
-    }
-    return findings;
-  }
-};
-var terraformStateExposed = {
-  id: "VC126",
-  title: "Terraform State File Committed",
-  severity: "critical",
-  category: "Secrets",
-  description: "Terraform state files contain sensitive infrastructure details, secrets, and access credentials in plaintext. They must never be committed to version control.",
-  check(content, filePath) {
-    const findings = [];
-    if (/terraform\.tfstate(\.backup)?$/.test(filePath)) {
-      findings.push({
-        rule: "VC126",
-        title: terraformStateExposed.title,
-        severity: "critical",
-        category: "Secrets",
-        file: filePath,
-        line: 1,
-        snippet: getSnippet(content, 1),
-        fix: "Add '*.tfstate' and '*.tfstate.backup' to .gitignore. Use remote state backends (S3, GCS, Terraform Cloud) instead."
-      });
-    }
-    if (filePath.endsWith(".gitignore") && !content.includes("tfstate")) {
-      if (/\.tf$/.test(filePath) || content.includes(".tf")) {
-      }
-    }
-    return findings;
-  }
-};
-var insecureHTTPMethods = {
-  id: "VC127",
-  title: "Dangerous HTTP Methods Without Auth",
-  severity: "high",
-  category: "Authorization",
-  description: "DELETE, PUT, and PATCH endpoints without authentication checks allow unauthorized data modification or deletion.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const routePatterns = [
-      /(?:app|router|server)\.(delete|put|patch)\s*\(\s*["']/gi
-    ];
-    for (const pat of routePatterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const handlerBlock = content.substring(m.index, Math.min(content.length, m.index + 500));
-        if (/auth|authenticate|authorize|requireAuth|isAuthenticated|protect|guard|middleware|session|jwt|verify|clerk|getAuth/i.test(handlerBlock)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC127",
-          title: insecureHTTPMethods.title,
-          severity: "high",
-          category: "Authorization",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Add authentication middleware to DELETE, PUT, and PATCH routes. Verify the user has permission to modify the resource."
-        });
-      }
-    }
-    return findings;
-  }
-};
-var httpRequestSmuggling = {
-  id: "VC128",
-  title: "HTTP Request Smuggling Risk",
-  severity: "high",
-  category: "Configuration",
-  description: "Manually parsing Content-Length or Transfer-Encoding headers can lead to request smuggling when behind a reverse proxy.",
-  check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const patterns = [
-      /(?:headers?\[?|getHeader\s*\(\s*)["'](?:content-length|transfer-encoding)["']\s*\]?\s*\)/gi,
-      /parseInt\s*\(\s*(?:req|request)\.headers?\[?\s*["']content-length["']/gi
-    ];
-    for (const pat of patterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC128",
-          title: httpRequestSmuggling.title,
-          severity: "high",
-          category: "Configuration",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Let your framework handle Content-Length and Transfer-Encoding headers. Do not manually parse or trust these values."
-        });
-      }
-    }
-    return findings;
+  const sizeBuffer = Math.min(Math.log2(Math.max(totalFiles, 1)) * 2, 15);
+  const score = Math.max(0, Math.min(100, 100 - deductions + sizeBuffer));
+  let grade;
+  let summary;
+  if (score >= 95) {
+    grade = "A+";
+    summary = "Excellent security posture with minimal issues.";
+  } else if (score >= 85) {
+    grade = "A";
+    summary = "Strong security with a few minor concerns.";
+  } else if (score >= 70) {
+    grade = "B";
+    summary = "Good security but some issues need attention.";
+  } else if (score >= 55) {
+    grade = "C";
+    summary = "Fair security \u2014 several vulnerabilities should be fixed.";
+  } else if (score >= 35) {
+    grade = "D";
+    summary = "Poor security \u2014 critical issues require immediate attention.";
+  } else {
+    grade = "F";
+    summary = "Failing \u2014 serious vulnerabilities present. Fix critical issues immediately.";
   }
+  return { grade, score: Math.round(score), summary };
+}
+var complianceMap = {
+  VC001: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC002: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC003: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC004: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC005: { owasp: "A08:2021", cwe: "CWE-345" },
+  VC006: { owasp: "A03:2021", cwe: "CWE-89" },
+  VC007: { owasp: "A03:2021", cwe: "CWE-79" },
+  VC008: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC009: { owasp: "A05:2021", cwe: "CWE-942" },
+  VC010: { owasp: "A01:2021", cwe: "CWE-602" },
+  VC011: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC012: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC013: { owasp: "A01:2021", cwe: "CWE-269" },
+  VC014: { owasp: "A05:2021", cwe: "CWE-538" },
+  VC015: { owasp: "A03:2021", cwe: "CWE-95" },
+  VC016: { owasp: "A01:2021", cwe: "CWE-601" },
+  VC017: { owasp: "A05:2021", cwe: "CWE-614" },
+  VC018: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC019: { owasp: "A05:2021", cwe: "CWE-693" },
+  VC020: { owasp: "A05:2021", cwe: "CWE-1021" },
+  VC021: { owasp: "A01:2021", cwe: "CWE-22" },
+  VC022: { owasp: "A03:2021", cwe: "CWE-79" },
+  VC023: { owasp: "A08:2021", cwe: "CWE-1321" },
+  VC024: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC025: { owasp: "A03:2021", cwe: "CWE-22" },
+  VC026: { owasp: "A05:2021", cwe: "CWE-693" },
+  VC027: { owasp: "A05:2021", cwe: "CWE-693" },
+  VC028: { owasp: "A07:2021", cwe: "CWE-20" },
+  VC029: { owasp: "A08:2021", cwe: "CWE-20" },
+  VC030: { owasp: "A08:2021", cwe: "CWE-502" },
+  VC031: { owasp: "A02:2021", cwe: "CWE-321" },
+  VC032: { owasp: "A05:2021", cwe: "CWE-319" },
+  VC033: { owasp: "A05:2021", cwe: "CWE-215" },
+  VC034: { owasp: "A02:2021", cwe: "CWE-338" },
+  VC035: { owasp: "A01:2021", cwe: "CWE-601" },
+  VC036: { owasp: "A04:2021", cwe: "CWE-755" },
+  VC037: { owasp: "A09:2021", cwe: "CWE-209" },
+  VC038: { owasp: "A04:2021", cwe: "CWE-434" },
+  VC039: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC040: { owasp: "A05:2021", cwe: "CWE-538" },
+  VC041: { owasp: "A10:2021", cwe: "CWE-918" },
+  VC042: { owasp: "A01:2021", cwe: "CWE-915" },
+  VC043: { owasp: "A02:2021", cwe: "CWE-208" },
+  VC044: { owasp: "A09:2021", cwe: "CWE-117" },
+  VC045: { owasp: "A07:2021", cwe: "CWE-521" },
+  VC046: { owasp: "A07:2021", cwe: "CWE-384" },
+  VC047: { owasp: "A07:2021", cwe: "CWE-307" },
+  VC048: { owasp: "A03:2021", cwe: "CWE-943" },
+  VC049: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC050: { owasp: "A02:2021", cwe: "CWE-319" },
+  VC051: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC052: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC053: { owasp: "A05:2021", cwe: "CWE-798" },
+  VC054: { owasp: "A07:2021", cwe: "CWE-922" },
+  VC055: { owasp: "A05:2021", cwe: "CWE-540" },
+  VC056: { owasp: "A05:2021", cwe: "CWE-1021" },
+  VC057: { owasp: "A01:2021", cwe: "CWE-269" },
+  VC058: { owasp: "A05:2021", cwe: "CWE-250" },
+  VC059: { owasp: "A05:2021", cwe: "CWE-284" },
+  VC060: { owasp: "A02:2021", cwe: "CWE-328" },
+  VC061: { owasp: "A02:2021", cwe: "CWE-295" },
+  VC062: { owasp: "A02:2021", cwe: "CWE-321" },
+  VC063: { owasp: "A03:2021", cwe: "CWE-79" },
+  VC064: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC065: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC066: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC067: { owasp: "A01:2021", cwe: "CWE-601" },
+  VC068: { owasp: "A07:2021", cwe: "CWE-922" },
+  VC069: { owasp: "A02:2021", cwe: "CWE-295" },
+  VC070: { owasp: "A05:2021", cwe: "CWE-489" },
+  VC071: { owasp: "A05:2021", cwe: "CWE-215" },
+  VC072: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC073: { owasp: "A08:2021", cwe: "CWE-502" },
+  VC074: { owasp: "A01:2021", cwe: "CWE-352" },
+  VC075: { owasp: "A03:2021", cwe: "CWE-78" },
+  VC076: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC077: { owasp: "A05:2021", cwe: "CWE-942" },
+  VC078: { owasp: "A05:2021", cwe: "CWE-250" },
+  VC079: { owasp: "A02:2021", cwe: "CWE-327" },
+  VC080: { owasp: "A04:2021", cwe: "CWE-1333" },
+  VC081: { owasp: "A03:2021", cwe: "CWE-611" },
+  VC082: { owasp: "A03:2021", cwe: "CWE-94" },
+  VC083: { owasp: "A08:2021", cwe: "CWE-502" },
+  VC084: { owasp: "A06:2021", cwe: "CWE-353" },
+  VC085: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC086: { owasp: "A02:2021", cwe: "CWE-319" },
+  VC087: { owasp: "A05:2021", cwe: "CWE-311" },
+  VC088: { owasp: "A07:2021", cwe: "CWE-598" },
+  VC089: { owasp: "A05:2021", cwe: "CWE-430" },
+  VC090: { owasp: "A01:2021", cwe: "CWE-601" },
+  VC091: { owasp: "A04:2021", cwe: "CWE-367" },
+  VC092: { owasp: "A08:2021", cwe: "CWE-1321" },
+  VC093: { owasp: "A01:2021", cwe: "CWE-22" },
+  VC094: { owasp: "A03:2021", cwe: "CWE-78" },
+  VC095: { owasp: "A05:2021", cwe: "CWE-942" },
+  VC096: { owasp: "A02:2021", cwe: "CWE-319" },
+  VC097: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC098: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC099: { owasp: "A04:2021", cwe: "CWE-401" },
+  VC100: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC101: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC102: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC103: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC104: { owasp: "A04:2021", cwe: "CWE-390" },
+  VC105: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC106: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC107: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC108: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC109: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC110: { owasp: "A09:2021", cwe: "CWE-778" },
+  VC111: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC112: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC113: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC114: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC115: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC116: { owasp: "A05:2021", cwe: "CWE-770" },
+  VC117: { owasp: "A03:2021", cwe: "CWE-22" },
+  VC118: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC119: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC120: { owasp: "A07:2021", cwe: "CWE-352" },
+  VC121: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC122: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC123: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC124: { owasp: "A02:2021", cwe: "CWE-327" },
+  VC125: { owasp: "A07:2021", cwe: "CWE-640" },
+  VC126: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC127: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC128: { owasp: "A05:2021", cwe: "CWE-444" },
+  VC129: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC130: { owasp: "A07:2021", cwe: "CWE-307" },
+  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
 };
-var unencryptedPII = {
-  id: "VC129",
-  title: "Sensitive Data Stored Without Encryption",
-  severity: "high",
-  category: "Information Leakage",
-  description: "Database schemas storing PII (SSN, credit cards, health records) in plaintext violate compliance requirements and expose data in breaches.",
+var consoleLogProduction = {
+  id: "VC097",
+  title: "Console.log Left in Production Code",
+  severity: "medium",
+  category: "Performance",
+  description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(sql|prisma|py|ts|js|rb)$/)) return [];
-    const findings = [];
-    const schemaPatterns = [
-      /(?:column|field|Column|Field)\s*\(\s*["'](?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport|driver_license|bank_account|routing_number)["']\s*,\s*(?:String|TEXT|VARCHAR|Text|text)/gi,
-      /(?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport_number|driver_license|bank_account|routing_number)\s+(?:TEXT|VARCHAR|String|text|character varying)/gi
-    ];
-    for (const pat of schemaPatterns) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        if (isCommentLine(content, m.index)) continue;
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC129",
-          title: unencryptedPII.title,
-          severity: "high",
-          category: "Information Leakage",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: "Encrypt sensitive fields at the application level before storing. Use field-level encryption with a KMS for SSN, credit cards, and health data."
-        });
+    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
+    if (!/console\.log\s*\(/g.test(content)) return [];
+    const lines = content.split("\n");
+    const matches = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
       }
     }
-    return findings;
+    return matches.slice(0, 3);
   }
 };
-var missingAuthRateLimit = {
-  id: "VC130",
-  title: "Authentication Endpoint Without Rate Limiting",
-  severity: "high",
-  category: "Authentication",
-  description: "Login, registration, and password reset endpoints without rate limiting are vulnerable to credential stuffing and brute-force attacks.",
+var todoLeftInCode = {
+  id: "VC103",
+  title: "TODO/FIXME Left in Code",
+  severity: "low",
+  category: "Code Quality",
+  description: "TODO, FIXME, HACK, and XXX comments indicate unfinished work that should be resolved before shipping to production.",
   check(content, filePath) {
-    if (isTestFile(filePath)) return [];
-    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
-    const findings = [];
-    const authRoutePattern = /(?:app|router|server)\.(?:post|put)\s*\(\s*["'](?:\/(?:api\/)?(?:auth\/)?(?:login|signin|sign-in|register|signup|sign-up|forgot-password|reset-password))["']/gi;
-    let m;
-    while ((m = authRoutePattern.exec(content)) !== null) {
-      if (isCommentLine(content, m.index)) continue;
-      const surrounding = content.substring(Math.max(0, m.index - 300), Math.min(content.length, m.index + 300));
-      if (/rateLimit|rateLimiter|throttle|slowDown|express-rate-limit|rate_limit|RateLimiter|limiter/i.test(surrounding)) continue;
-      const lineNum = content.substring(0, m.index).split("\n").length;
-      findings.push({
-        rule: "VC130",
-        title: missingAuthRateLimit.title,
-        severity: "high",
-        category: "Authentication",
-        file: filePath,
-        line: lineNum,
-        snippet: getSnippet(content, lineNum),
-        fix: "Add rate limiting to authentication endpoints. Limit to 5-10 attempts per minute per IP. Use express-rate-limit or similar."
-      });
-    }
-    return findings;
+    if (filePath.match(/test|spec|mock|__tests__|fixture|node_modules/i)) return [];
+    return findMatches(
+      content,
+      /\/\/\s*(?:TODO|FIXME|HACK|XXX)\b/gi,
+      todoLeftInCode,
+      filePath,
+      () => "Resolve TODO/FIXME comments before shipping. If it's intentional tech debt, track it in your issue tracker instead."
+    ).slice(0, 5);
   }
 };
-var vulnerableDependencies = {
-  id: "VC131",
-  title: "Potentially Vulnerable Dependency",
-  severity: "high",
-  category: "Supply Chain",
-  description: "Dependencies with known security issues that are commonly found in AI-generated codebases.",
+var emptyCatchBlock = {
+  id: "VC104",
+  title: "Empty Catch Block",
+  severity: "medium",
+  category: "Code Quality",
+  description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
-    if (!filePath.endsWith("package.json")) return [];
-    if (/node_modules|\.next|dist|build/.test(filePath)) return [];
-    const findings = [];
-    const vulnerablePackages = [
-      [/"jsonwebtoken"\s*:\s*"[\^~]?[0-7]\./g, "jsonwebtoken < 8.x has signature bypass vulnerabilities"],
-      [/"lodash"\s*:\s*"[\^~]?[0-3]\./g, "lodash < 4.x has prototype pollution vulnerabilities"],
-      [/"minimist"\s*:\s*"[\^~]?[01]\.[01]\./g, "minimist < 1.2.6 has prototype pollution"],
-      [/"node-fetch"\s*:\s*"[\^~]?[12]\./g, "node-fetch < 3.x has data exposure issues"],
-      [/"express"\s*:\s*"[\^~]?[0-3]\./g, "express < 4.x has multiple known vulnerabilities"],
-      [/"axios"\s*:\s*"[\^~]?0\.[0-9]\./g, "axios < 0.21 has SSRF vulnerabilities"],
-      [/"tar"\s*:\s*"[\^~]?[0-5]\./g, "tar < 6.x has path traversal vulnerabilities"],
-      [/"glob-parent"\s*:\s*"[\^~]?[0-4]\./g, "glob-parent < 5.1.2 has ReDoS vulnerability"]
-    ];
-    for (const [pat, message] of vulnerablePackages) {
-      let m;
-      while ((m = pat.exec(content)) !== null) {
-        const lineNum = content.substring(0, m.index).split("\n").length;
-        findings.push({
-          rule: "VC131",
-          title: vulnerableDependencies.title,
-          severity: "high",
-          category: "Supply Chain",
-          file: filePath,
-          line: lineNum,
-          snippet: getSnippet(content, lineNum),
-          fix: `${message}. Update to the latest version and run 'npm audit' regularly.`
-        });
-      }
-    }
-    return findings;
+    if (filePath.match(/test|spec|mock/i)) return [];
+    return findMatches(
+      content,
+      /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g,
+      emptyCatchBlock,
+      filePath,
+      () => "Handle errors in catch blocks: catch(err) { console.error('Operation failed:', err); } or re-throw if appropriate."
+    );
   }
 };
 var freeRules = [
@@ -4262,160 +1439,12 @@ var freeRules = [
   disabledTLSVerification
   // VC061
 ];
-var proRules = [
-  hardcodedSecrets,
-  exposedEnvFile,
-  missingAuthMiddleware,
-  supabaseNoRLS,
-  stripeWebhookUnprotected,
-  sqlInjection,
-  xssVulnerability,
-  noRateLimiting,
-  corsWildcard,
-  clientSideAuth,
-  nextPublicSecret,
-  firebaseClientConfig,
-  supabaseAnonAdmin,
-  envNotGitignored,
-  evalUsage,
-  unvalidatedRedirect,
-  insecureCookies,
-  exposedAuthSecret,
-  insecureElectronWindow,
-  missingCSP,
-  ipcPathTraversal,
-  unsanitizedHTMLExport,
-  prototypePollution,
-  missingFileSizeLimits,
-  unsanitizedFilenames,
-  electronNavigationUnrestricted,
-  missingSecurityMeta,
-  unvalidatedAPIParams,
-  unvalidatedEventData,
-  insecureDeserialization,
-  hardcodedJWTSecret,
-  missingHTTPS,
-  exposedDebugMode,
-  insecureRandomness,
-  openRedirectParams,
-  missingErrorBoundary,
-  exposedStackTraces,
-  insecureFileUpload,
-  missingLockFile,
-  exposedGitDir,
-  ssrfVulnerability,
-  massAssignment,
-  timingAttack,
-  logInjection,
-  weakPasswordRequirements,
-  sessionFixation,
-  missingBruteForce,
-  nosqlInjection,
-  exposedDBCredentials,
-  missingDBEncryption,
-  graphqlIntrospection,
-  missingRequestSizeLimit,
-  hardcodedIPAllowlist,
-  sensitiveLocalStorage,
-  exposedSourceMaps,
-  clickjacking,
-  overlyPermissiveIAM,
-  dockerRunAsRoot,
-  exposedDockerPorts,
-  weakHashing,
-  disabledTLSVerification,
-  hardcodedEncryptionKey,
-  dangerousInnerHTML,
-  exposedServerActions,
-  unprotectedAPIRoutes,
-  clientComponentSecret,
-  insecureDeepLink,
-  sensitiveAsyncStorage,
-  missingCertPinning,
-  androidDebuggable,
-  djangoDebug,
-  flaskSecretKey,
-  pickleDeserialization,
-  missingCSRF,
-  githubActionsInjection,
-  secretsInCI,
-  corsServerless,
-  k8sPrivileged,
-  jwtAlgConfusion,
-  regexDos,
-  xxeVulnerability,
-  ssti,
-  javaDeserialization,
-  missingSRI,
-  exposedAdminRoutes,
-  insecureWebSocket,
-  missingHSTS,
-  sensitiveURLParams,
-  missingContentDisposition,
-  hostHeaderRedirect,
-  raceCondition,
-  unsafeObjectAssign,
-  unprotectedDownload,
-  commandInjection,
-  corsLocalhost,
-  insecureGRPC,
-  consoleLogProduction,
-  syncFileOps,
-  eventListenerLeak,
-  nPlusOneQuery,
-  largeBundleImport,
-  blockingMainThread,
-  todoLeftInCode,
-  emptyCatchBlock,
-  callbackHell,
-  magicNumbers,
-  s3BucketNoEncryption,
-  securityGroupAllInbound,
-  rdsPubliclyAccessible,
-  missingCloudTrail,
-  lambdaWithoutVPC,
-  dockerLatestTag,
-  dockerCopySensitive,
-  dockerTooManyPorts,
-  k8sSecretNotEncrypted,
-  k8sNoResourceLimits,
-  pathTraversal,
-  // VC117
-  piiInLogs,
-  // VC118
-  hardcodedOAuthSecret,
-  // VC119
-  missingOAuthState,
-  // VC120
-  unpinnedGitHubAction,
-  // VC121
-  deprecatedTLS,
-  // VC122
-  weakRSAKeySize,
-  // VC123
-  ecbModeEncryption,
-  // VC124
-  insecurePasswordReset,
-  // VC125
-  terraformStateExposed,
-  // VC126
-  insecureHTTPMethods,
-  // VC127
-  httpRequestSmuggling,
-  // VC128
-  unencryptedPII,
-  // VC129
-  missingAuthRateLimit,
-  // VC130
-  vulnerableDependencies
-  // VC131
-];
-function runCustomRules(content, filePath, disabledRules = [], tier = "free") {
+function runCustomRules(content, filePath, disabledRules = [], tier = "free", extraRules = []) {
   const findings = [];
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
-  const ruleset = tier === "pro" ? proRules : freeRules;
+  const ruleset = tier === "pro" && extraRules.length > 0 ? [...freeRules, ...extraRules] : freeRules;
   for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
     const matches = rule.check(content, filePath);
@@ -6032,6 +3061,22 @@ async function scanCommand(directory, options) {
 `));
     }
   }
+  let proRulesExtra = [];
+  if (tier === "pro") {
+    const cached = loadCachedProRules();
+    if (cached) {
+      proRulesExtra = cached;
+    } else {
+      if (!isSilent) console.log(chalk2.gray("  Downloading Pro rules..."));
+      const downloaded = await downloadProRulesBundle();
+      if (downloaded) {
+        proRulesExtra = loadCachedProRules() || [];
+      }
+      if (proRulesExtra.length === 0 && !isSilent) {
+        console.log(chalk2.yellow("  Could not load Pro rules \u2014 scanning with free rules only"));
+      }
+    }
+  }
   const spinner = ora({
     text: "Scanning files...",
     color: "cyan",
@@ -6071,7 +3116,7 @@ async function scanCommand(directory, options) {
     fileContentsForAnalysis.push({ path: filePath, content });
     const astCtx = buildASTContext(content, filePath);
     if (astCtx.isScannerFile) continue;
-    const findings = runCustomRules(content, filePath, config.disableRules, tier);
+    const findings = runCustomRules(content, filePath, config.disableRules, tier, proRulesExtra);
     for (const f of findings) {
       if (astCtx.isTestFile) {
         f.confidence = "low";
@@ -6311,6 +3356,7 @@ async function logoutCommand() {
     return;
   }
   clearToken();
+  clearProRulesCache();
   console.log(chalk3.green("Logged out successfully."));
 }
 async function whoamiCommand() {
@@ -6448,7 +3494,7 @@ auth.command("login").description("Log in to your XploitScan account").action(lo
 auth.command("logout").description("Log out of your XploitScan account").action(logoutCommand);
 auth.command("whoami").description("Show current logged-in user").action(whoamiCommand);
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
-  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-Z7VNGPT2.js");
+  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-ZNWEMMEL.js");
   const chalk4 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {