From ec4fa9e809b8a133d53b1fb086b342a9793b5a7e Mon Sep 17 00:00:00 2001
From: Ivan Grynenko <ivan.grynenko@gmail.com>
Date: Fri, 24 Oct 2025 16:26:29 +1100
Subject: [PATCH 1/2] refactor: Migrated Cursor rules to Markdown format

---
 .cursor/rules/accessibility-standards.mdc     |   83 +-
 .cursor/rules/api-standards.mdc               |   85 +-
 .cursor/rules/build-optimization.mdc          |   85 +-
 .cursor/rules/code-generation-standards.mdc   |  114 +-
 .cursor/rules/cursor-rules.mdc                |  208 +--
 .cursor/rules/debugging-standards.mdc         |   60 +-
 .cursor/rules/docker-compose-standards.mdc    |  228 ++-
 .../rules/drupal-authentication-failures.mdc  |  194 +--
 .../rules/drupal-broken-access-control.mdc    |  146 +-
 .../rules/drupal-cryptographic-failures.mdc   |  183 +-
 .cursor/rules/drupal-database-standards.mdc   |   56 +-
 .cursor/rules/drupal-file-permissions.mdc     |  241 ++-
 .cursor/rules/drupal-injection.mdc            |  154 +-
 .cursor/rules/drupal-insecure-design.mdc      |  195 +--
 .cursor/rules/drupal-integrity-failures.mdc   |  195 +--
 .cursor/rules/drupal-logging-failures.mdc     |  198 +--
 .../drupal-security-misconfiguration.mdc      |  185 +-
 .cursor/rules/drupal-ssrf.mdc                 |  187 +-
 .../rules/drupal-vulnerable-components.mdc    |  195 +--
 .cursor/rules/generic_bash_style.mdc          |   98 +-
 .cursor/rules/git-commit-standards.mdc        |   68 +-
 .cursor/rules/github-actions-standards.mdc    |   78 +-
 .../rules/improve-cursorrules-efficiency.mdc  |  183 +-
 .../javascript-broken-access-control.mdc      |  678 ++++----
 .../javascript-cryptographic-failures.mdc     |  505 +++---
 ...identification-authentication-failures.mdc |  858 ++++-----
 .cursor/rules/javascript-injection.mdc        |  370 ++--
 .cursor/rules/javascript-insecure-design.mdc  |  866 +++++----
 .cursor/rules/javascript-performance.mdc      |   35 +-
 ...t-security-logging-monitoring-failures.mdc | 1451 ++++++++--------
 .../javascript-security-misconfiguration.mdc  |  808 ++++-----
 ...javascript-server-side-request-forgery.mdc | 1545 ++++++++---------
 ...cript-software-data-integrity-failures.mdc | 1184 ++++++-------
 .cursor/rules/javascript-standards.mdc        |   75 +-
 ...ascript-vulnerable-outdated-components.mdc |  554 +++---
 .../rules/lagoon-docker-compose-standards.mdc |  132 +-
 .cursor/rules/lagoon-yml-standards.mdc        |  185 +-
 .cursor/rules/multi-agent-coordination.mdc    |   69 +-
 .cursor/rules/node-dependencies.mdc           |   47 +-
 .cursor/rules/php-drupal-best-practices.mdc   |  859 ++++-----
 .../php-drupal-development-standards.mdc      |  128 +-
 .cursor/rules/php-memory-optimisation.mdc     |  115 +-
 .cursor/rules/project-definition-template.mdc |  113 +-
 .../pull-request-changelist-instructions.mdc  |  202 ++-
 .../rules/python-authentication-failures.mdc  |  571 +++---
 .../rules/python-broken-access-control.mdc    |  204 +--
 .../rules/python-cryptographic-failures.mdc   |  301 ++--
 .cursor/rules/python-injection.mdc            |  276 ++-
 .cursor/rules/python-insecure-design.mdc      |  427 ++---
 .cursor/rules/python-integrity-failures.mdc   |  615 +++----
 .../python-logging-monitoring-failures.mdc    |  785 ++++-----
 .../python-security-misconfiguration.mdc      |  450 ++---
 .cursor/rules/python-ssrf.mdc                 |  542 +-----
 .../python-vulnerable-outdated-components.mdc |  407 ++---
 .cursor/rules/react-patterns.mdc              |   55 +-
 .../rules/readme-maintenance-standards.mdc    |   99 +-
 .cursor/rules/secret-detection.mdc            |  214 +--
 .cursor/rules/security-practices.mdc          |   62 +-
 .cursor/rules/tailwind-standards.mdc          |   53 +-
 .../rules/tests-documentation-maintenance.mdc |   59 +-
 .cursor/rules/third-party-integration.mdc     |   52 +-
 .cursor/rules/vortex-cicd-standards.mdc       |   77 +-
 .cursor/rules/vortex-scaffold-standards.mdc   |   85 +-
 .cursor/rules/vue-best-practices.mdc          |   56 +-
 64 files changed, 8085 insertions(+), 11503 deletions(-)

diff --git a/.cursor/rules/accessibility-standards.mdc b/.cursor/rules/accessibility-standards.mdc
index 7729123..ecc2b96 100644
--- a/.cursor/rules/accessibility-standards.mdc
+++ b/.cursor/rules/accessibility-standards.mdc
@@ -6,51 +6,38 @@ globs: *.vue, *.jsx, *.tsx, *.html, *.php
 
 Ensures WCAG compliance and accessibility best practices.
 
-<rule>
-name: accessibility_standards
-description: Enforce accessibility standards and WCAG compliance
-filters:
-  - type: file_extension
-    pattern: "\\.(vue|jsx|tsx|html|php|css|scss|sass)$" # Expanded to include CSS files
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "<img[^>]+(?!alt=)[^>]*>"
-        message: "Images must have alt attributes for screen readers."
-      
-      - pattern: "aria-[a-z]+=\"\""
-        message: "ARIA attributes should not be empty; provide meaningful values."
-
-      - pattern: "<button[^>]*>(?![^<]*[^\\s])[^<]*</button>"
-        message: "Buttons should have meaningful, descriptive content."
-
-      - pattern: "<a[^>]*href=\"#[^\"]*\"[^>]*>(?![^<]*<svg)[^<]*</a>"
-        message: "Links with href='#' should either be removed or have an aria-label for context."
-
-      - pattern: "<input[^>]+type=\"(text|email|password|search|tel|url)\"[^>]*>"
-        pattern_negate: "aria-label|aria-labelledby|title"
-        message: "Form inputs should include an aria-label or aria-labelledby attribute for better screen reader support."
-
-      - pattern: "<video[^>]*>(?!<track)[^<]*</video>"
-        message: "Videos should include captions for accessibility."
-
-  - type: suggest
-    message: |
-      **Accessibility Best Practices:**
-      - **Heading Hierarchy:** Use headings (h1 to h6) in a logical order to structure content.
-      - **Keyboard Navigation:** Ensure all interactive elements are accessible via keyboard.
-      - **Semantic HTML:** Favor semantic elements like <nav>, <article>, <section>, and <aside> for better structure comprehension.
-      - **Color Contrast:** Check color contrast ratios meet WCAG guidelines (4.5:1 for normal text, 7:1 for large text).
-      - **Skip Navigation Links:** Provide 'skip to main content' links for keyboard users to bypass repetitive navigation.
-      - **Focus Management:** Ensure focus indicators are visible and manage focus for modal dialogs or dynamic content changes.
-      - **Form Labels:** Associate labels with form controls using the 'for' attribute or wrap controls with <label>.
-      - **Descriptive Links:** Use descriptive text for links, avoiding generic phrases like "click here."
-      - **Touch Targets:** Ensure touch target sizes are large enough (at least 44x44 pixels) for mobile users.
-      - **Timeouts:** Avoid or provide options to extend time limits where possible, or warn users before session expiry.
-      - **Language Attribute:** Set the lang attribute on the <html> element to indicate the primary language of the page.
-
-metadata:
-  priority: high
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.1
+
+## Applies To
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+- `*.html`
+- `*.php`
+
+## Trigger Conditions
+- Files matching pattern `\.(vue|jsx|tsx|html|php|css|scss|sass)$`
+
+## Required Checks
+
+- Images must have alt attributes for screen readers.
+- ARIA attributes should not be empty; provide meaningful values.
+- Buttons should have meaningful, descriptive content.
+- Links with href='#' should either be removed or have an aria-label for context.
+- Form inputs should include an aria-label or aria-labelledby attribute for better screen reader support.
+- Videos should include captions for accessibility.
+
+## Recommendations
+
+**Accessibility Best Practices:**
+- **Heading Hierarchy:** Use headings (h1 to h6) in a logical order to structure content.
+- **Keyboard Navigation:** Ensure all interactive elements are accessible via keyboard.
+- **Semantic HTML:** Favor semantic elements like <nav>, <article>, <section>, and <aside> for better structure comprehension.
+- **Color Contrast:** Check color contrast ratios meet WCAG guidelines (4.5:1 for normal text, 7:1 for large text).
+- **Skip Navigation Links:** Provide 'skip to main content' links for keyboard users to bypass repetitive navigation.
+- **Focus Management:** Ensure focus indicators are visible and manage focus for modal dialogs or dynamic content changes.
+- **Form Labels:** Associate labels with form controls using the 'for' attribute or wrap controls with <label>.
+- **Descriptive Links:** Use descriptive text for links, avoiding generic phrases like "click here."
+- **Touch Targets:** Ensure touch target sizes are large enough (at least 44x44 pixels) for mobile users.
+- **Timeouts:** Avoid or provide options to extend time limits where possible, or warn users before session expiry.
+- **Language Attribute:** Set the lang attribute on the <html> element to indicate the primary language of the page.
diff --git a/.cursor/rules/api-standards.mdc b/.cursor/rules/api-standards.mdc
index 346d6e1..bde14d1 100644
--- a/.cursor/rules/api-standards.mdc
+++ b/.cursor/rules/api-standards.mdc
@@ -6,51 +6,40 @@ globs: *.php, *.js, *.ts
 
 Ensures consistent API design, documentation, and implementation best practices across PHP, JavaScript, and TypeScript files.
 
-<rule>
-name: enhanced_api_standards
-description: Enforce enhanced API design, implementation, and documentation standards
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|ts)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "@api\\s+(?!GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)"
-        message: "Use standard HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD) for API endpoints."
-
-      - pattern: "function\\s+[a-zA-Z]+Api\\s*\\([^)]*\\)\\s*\\{[^}]*\\}"
-        pattern_negate: "(?s)(throw new \\w+Exception|return\\s+(?:\\d{3}|4\\d\\d|5\\d\\d))"
-        message: "Ensure API functions handle or return errors appropriately using exceptions or HTTP status codes."
-
-      - pattern: "(?<!@api\\s+)(?<!\\s+returns\\s+)(?<!\\s+throws\\s+)[A-Z]{3,}(?!\\s+)"
-        message: "HTTP methods should be prefixed with '@api' for documentation purposes."
-
-      - pattern: "\\bresponse\\b(?![^;]*\\.json\\()"
-        message: "Ensure all API responses are properly formatted, preferably as JSON."
-
-  - type: suggest
-    message: |
-      **API Best Practices:**
-      - **HTTP Methods:** Use proper HTTP methods for operations (GET for retrieval, POST for creation, etc.).
-      - **Status Codes:** Use appropriate HTTP status codes to communicate the result of the request.
-      - **Versioning:** Implement API versioning to manage changes without breaking existing integrations.
-      - **Documentation:** 
-        - **Swagger/OpenAPI:** Use tools like Swagger for comprehensive API documentation.
-        - **Endpoint Descriptions:** Clearly document all endpoints including path, methods, parameters, and possible responses.
-      - **Authentication & Security:**
-        - Implement OAuth, JWT, or similar secure authentication methods.
-        - Use HTTPS for all API communications.
-      - **Rate Limiting:** Implement rate limiting to prevent abuse and ensure fair usage.
-      - **Error Handling:** 
-        - Provide clear, human-readable error messages with corresponding status codes.
-        - Implement error logging for debugging purposes.
-      - **Pagination:** For list endpoints, implement pagination to manage large datasets.
-      - **Validation:** Validate input data at the API level to ensure data integrity.
-      - **CORS:** Configure CORS headers if your API is meant to be consumed by web applications from different domains.
-      - **Monitoring:** Set up monitoring for API performance and usage statistics.
-
-metadata:
-  priority: high
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.1
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.ts`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|ts)$`
+
+## Required Checks
+
+- Use standard HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD) for API endpoints.
+- Ensure API functions handle or return errors appropriately using exceptions or HTTP status codes.
+- HTTP methods should be prefixed with '@api' for documentation purposes.
+- Ensure all API responses are properly formatted, preferably as JSON.
+
+## Recommendations
+
+**API Best Practices:**
+- **HTTP Methods:** Use proper HTTP methods for operations (GET for retrieval, POST for creation, etc.).
+- **Status Codes:** Use appropriate HTTP status codes to communicate the result of the request.
+- **Versioning:** Implement API versioning to manage changes without breaking existing integrations.
+- **Documentation:** 
+  - **Swagger/OpenAPI:** Use tools like Swagger for comprehensive API documentation.
+  - **Endpoint Descriptions:** Clearly document all endpoints including path, methods, parameters, and possible responses.
+- **Authentication & Security:**
+  - Implement OAuth, JWT, or similar secure authentication methods.
+  - Use HTTPS for all API communications.
+- **Rate Limiting:** Implement rate limiting to prevent abuse and ensure fair usage.
+- **Error Handling:** 
+  - Provide clear, human-readable error messages with corresponding status codes.
+  - Implement error logging for debugging purposes.
+- **Pagination:** For list endpoints, implement pagination to manage large datasets.
+- **Validation:** Validate input data at the API level to ensure data integrity.
+- **CORS:** Configure CORS headers if your API is meant to be consumed by web applications from different domains.
+- **Monitoring:** Set up monitoring for API performance and usage statistics.
diff --git a/.cursor/rules/build-optimization.mdc b/.cursor/rules/build-optimization.mdc
index 1ba1680..af933f1 100644
--- a/.cursor/rules/build-optimization.mdc
+++ b/.cursor/rules/build-optimization.mdc
@@ -6,52 +6,39 @@ globs: webpack.config.js, vite.config.js, *.config.js
 
 Ensures optimal build configuration and process for better performance and maintainability.
 
-<rule>
-name: enhanced_build_optimization
-description: Enforce standards for optimizing build processes
-filters:
-  - type: file_extension
-    pattern: "\\.(js|ts|json)$"  # Expanded to cover more config file types
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "mode:\\s*['\"]development['\"]"
-        pattern_negate: "process\\.env\\.NODE_ENV === 'development'"
-        message: "Set 'mode' to 'production' for production builds unless dynamically set by NODE_ENV."
-
-      - pattern: "devtool:\\s*['\"]eval"
-        message: "Use 'source-map' or 'hidden-source-map' for production builds to balance performance and debugging."
-
-      - pattern: "optimization:\\s*{[^}]*?splitChunks:\\s*{[^}]*?chunks:\\s*(?!'all')"
-        message: "Enable code splitting for all chunks in optimization settings."
-
-      - pattern: "optimization:\\s*{[^}]*?usedExports:\\s*(?!true)"
-        message: "Enable tree shaking by setting 'usedExports' to true."
-
-      - pattern: "output\\s*:\\s*{[^}]*?filename:\\s*['\"][^\\[]+['\"]"
-        message: "Use content hashing in filenames for better caching (e.g., '[name].[contenthash].js')."
-
-  - type: suggest
-    message: |
-      **Build Optimization Best Practices:**
-      - **Code Splitting:** Implement code splitting to load only what's necessary for each page or component.
-      - **Tree Shaking:** Enable tree shaking to eliminate dead code, which reduces bundle size.
-      - **Asset Optimization:**
-        - Compress images and use modern formats like WebP where supported.
-        - Use lazy loading for images and other media.
-      - **Caching:**
-        - Configure proper caching strategies (e.g., HTTP headers, service workers for PWA).
-        - Use long-term caching for static assets with content hashing in filenames.
-      - **Modern JavaScript:** 
-        - Use ES6+ features but ensure polyfills for older browsers if needed.
-        - Consider using features like module/nomodule for graceful degradation.
-      - **Minification & Compression:** Ensure all JavaScript and CSS are minified and consider enabling gzip compression on the server.
-      - **Performance Budgets:** Set performance budgets to keep bundle sizes in check.
-      - **Environment Variables:** Use environment variables for configuration differentiation between development and production.
-      - **CI/CD:** Integrate with CI/CD pipelines for automated builds and testing, ensuring only optimized code goes to production.
-
-metadata:
-  priority: high
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.1
+
+## Applies To
+- `webpack.config.js`
+- `vite.config.js`
+- `*.config.js`
+
+## Trigger Conditions
+- Files matching pattern `\.(js|ts|json)$`
+
+## Required Checks
+
+- Set 'mode' to 'production' for production builds unless dynamically set by NODE_ENV.
+- Use 'source-map' or 'hidden-source-map' for production builds to balance performance and debugging.
+- Enable code splitting for all chunks in optimization settings.
+- Enable tree shaking by setting 'usedExports' to true.
+- Use content hashing in filenames for better caching (e.g., '[name].[contenthash].js').
+
+## Recommendations
+
+**Build Optimization Best Practices:**
+- **Code Splitting:** Implement code splitting to load only what's necessary for each page or component.
+- **Tree Shaking:** Enable tree shaking to eliminate dead code, which reduces bundle size.
+- **Asset Optimization:**
+  - Compress images and use modern formats like WebP where supported.
+  - Use lazy loading for images and other media.
+- **Caching:**
+  - Configure proper caching strategies (e.g., HTTP headers, service workers for PWA).
+  - Use long-term caching for static assets with content hashing in filenames.
+- **Modern JavaScript:** 
+  - Use ES6+ features but ensure polyfills for older browsers if needed.
+  - Consider using features like module/nomodule for graceful degradation.
+- **Minification & Compression:** Ensure all JavaScript and CSS are minified and consider enabling gzip compression on the server.
+- **Performance Budgets:** Set performance budgets to keep bundle sizes in check.
+- **Environment Variables:** Use environment variables for configuration differentiation between development and production.
+- **CI/CD:** Integrate with CI/CD pipelines for automated builds and testing, ensuring only optimized code goes to production.
diff --git a/.cursor/rules/code-generation-standards.mdc b/.cursor/rules/code-generation-standards.mdc
index a1689b4..93690cc 100644
--- a/.cursor/rules/code-generation-standards.mdc
+++ b/.cursor/rules/code-generation-standards.mdc
@@ -6,65 +6,55 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx, *.py
 
 Ensures high-quality, executable code generation adhering to best practices across multiple programming languages.
 
-<rule>
-name: enhanced_code_generation_standards
-description: Enforce standards for code generation ensuring high quality and integration readiness
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|ts|vue|jsx|tsx|py|rb|java)$"  # Expanded to include Ruby and Java
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "// TODO:|#\\s*TODO:"
-        message: "Replace TODOs with actual implementation - no placeholders allowed."
-
-      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{\\s*(?:return\\s+null|throw\\s+new\\s+Error|console\\.log)\\s*\\}"
-        message: "Implement full functionality - no stub methods."
-
-      - pattern: "\\bif\\b\\s*\\(\\s*false\\s*\\)"
-        message: "Remove or replace conditional statements that are always false."
-
-      - pattern: "\\bconsole\\.[^(]+|print\\s*\\("
-        pattern_negate: "DEBUG|LOGGING"
-        message: "Remove debug logging unless it's conditional on a debug flag."
-
-      - pattern: "^\\s*#\\s*\\w+:\\s*\\w+\\s*$"
-        language: python
-        message: "In Python, prefer type hints over comments for type annotations."
-
-  - type: suggest
-    message: |
-      **Code Generation Best Practices:**
-      - **Executable Solutions:** Generate fully functional code, not just skeletons or stubs.
-      - **Readability:** 
-        - Prioritize code readability, with clear naming conventions and logical structure.
-        - Use whitespace effectively to enhance code clarity.
-      - **Error Handling:** 
-        - Implement comprehensive error handling with appropriate exceptions or error codes.
-        - Consider edge cases and provide meaningful error messages.
-      - **Imports/Dependencies:** 
-        - Include all necessary imports or require statements at the beginning of the file.
-        - Manage dependencies to ensure the code is self-contained or clearly documented for setup.
-      - **Integration:** 
-        - Code should be immediately usable within the project's existing framework or technology stack.
-        - Ensure compatibility with existing patterns or libraries used in the project.
-      - **Formatting:** 
-        - Adhere to the project's coding style guide (e.g., Prettier, Black for Python, etc.).
-        - Use linters and formatters to maintain consistent code style.
-      - **Testing:** 
-        - Include unit or integration tests where applicable to validate generated code.
-        - Encourage test-driven development if part of the project's culture.
-      - **Documentation:** 
-        - Provide inline comments for complex logic or algorithms.
-        - Write docstrings or JSDoc for functions, classes, and modules to describe usage, parameters, and return values.
-        - Consider generating external documentation if the project uses tools like Swagger for APIs or Sphinx for Python.
-      - **Security:** 
-        - Avoid hardcoded credentials or sensitive information.
-        - Follow security best practices for the language (e.g., SQL injection prevention in PHP, XSS in JavaScript).
-      - **Performance:** While readability takes precedence, be mindful of performance implications of the generated code.
-
-metadata:
-  priority: critical
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: critical · Version: 1.1
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.ts`
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+- `*.py`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|ts|vue|jsx|tsx|py|rb|java)$`
+
+## Required Checks
+
+- Replace TODOs with actual implementation - no placeholders allowed.
+- Implement full functionality - no stub methods.
+- Remove or replace conditional statements that are always false.
+- Remove debug logging unless it's conditional on a debug flag.
+- In Python, prefer type hints over comments for type annotations.
+
+## Recommendations
+
+**Code Generation Best Practices:**
+- **Executable Solutions:** Generate fully functional code, not just skeletons or stubs.
+- **Readability:** 
+  - Prioritize code readability, with clear naming conventions and logical structure.
+  - Use whitespace effectively to enhance code clarity.
+- **Error Handling:** 
+  - Implement comprehensive error handling with appropriate exceptions or error codes.
+  - Consider edge cases and provide meaningful error messages.
+- **Imports/Dependencies:** 
+  - Include all necessary imports or require statements at the beginning of the file.
+  - Manage dependencies to ensure the code is self-contained or clearly documented for setup.
+- **Integration:** 
+  - Code should be immediately usable within the project's existing framework or technology stack.
+  - Ensure compatibility with existing patterns or libraries used in the project.
+- **Formatting:** 
+  - Adhere to the project's coding style guide (e.g., Prettier, Black for Python, etc.).
+  - Use linters and formatters to maintain consistent code style.
+- **Testing:** 
+  - Include unit or integration tests where applicable to validate generated code.
+  - Encourage test-driven development if part of the project's culture.
+- **Documentation:** 
+  - Provide inline comments for complex logic or algorithms.
+  - Write docstrings or JSDoc for functions, classes, and modules to describe usage, parameters, and return values.
+  - Consider generating external documentation if the project uses tools like Swagger for APIs or Sphinx for Python.
+- **Security:** 
+  - Avoid hardcoded credentials or sensitive information.
+  - Follow security best practices for the language (e.g., SQL injection prevention in PHP, XSS in JavaScript).
+- **Performance:** While readability takes precedence, be mindful of performance implications of the generated code.
diff --git a/.cursor/rules/cursor-rules.mdc b/.cursor/rules/cursor-rules.mdc
index b76782a..d8f25a4 100644
--- a/.cursor/rules/cursor-rules.mdc
+++ b/.cursor/rules/cursor-rules.mdc
@@ -2,142 +2,72 @@
 description: Describes how and where to create Cursor Rules
 globs: *.mdc
 ---
-# Cursor Rules Location
-
-Standards for placing and organizing Cursor rule files in the repository, ensuring rules are always up-to-date and follow best practices.
-
-<rule>
-name: cursor_rules_location_and_maintenance
-description: Standards for placing and maintaining Cursor rule files in the correct directory
-filters:
-  # Match any .mdc files
-  - type: file_extension
-    pattern: "\\.mdc$"
-  # Match files that look like Cursor rules
-  - type: content
-    pattern: "(?s)<rule>.*?</rule>"
-  # Match file creation or modification events
-  - type: event
-    pattern: "file_create|file_modify"
-
-actions:
-  - type: reject
-    conditions:
-      - pattern: "^(?!\\.\\/\\.cursor\\/rules\\/.*\\.mdc$)"
-        message: "Cursor rule files (.mdc) must be placed in the .cursor/rules directory"
-
-  - type: suggest
-    message: |
-      ## Cursor Rules Best Practices
-
-      ### 1. Location and Structure
-      - **Location:** Always place rule files in **PROJECT_ROOT/.cursor/rules/**
-      - **Directory Structure:**
-        ```
-        PROJECT_ROOT/
-        ├── .cursor/
-        │   └── rules/
-        │       ├── your-rule-name.mdc
-        │       └── ...
-        └── ...
-        ```
-
-      ### 2. Naming Conventions
-      - Use **kebab-case** for filenames (e.g., `php-drupal-standards.mdc`)
-      - Always use the **.mdc** extension
-      - Make names descriptive of the rule's purpose
-      - Group related rules with common prefixes (e.g., `drupal-*`, `lagoon-*`)
-
-      ### 3. Rule File Structure
-      ```
-      ---
-      description: Brief description of the rule
-      globs: *.php, *.module, *.inc
-      alwaysApply: false
-      ---
-      # Rule Title
-
-      <rule>
-      name: rule_name_in_snake_case
-      description: Detailed description of what the rule enforces
-      filters:
-        - type: file_extension
-          pattern: "pattern_to_match"
-      
-      actions:
-        - type: enforce|suggest|validate
-          conditions:
-            - pattern: "regex_pattern"
-              message: "Clear message explaining the issue"
-      
-      metadata:
-        priority: high|medium|low
-        version: 1.0
-      </rule>
-      ```
-
-      ### 4. Rule Maintenance
-      - **When adding new rules:**
-        - Check for overlapping or conflicting rules
-        - Ensure patterns are efficient and specific
-        - Test rules against sample code
-      - **When modifying existing rules:**
-        - Update version number
-        - Document changes in commit messages
-        - Review and update related rules for consistency
-        - Consider backward compatibility
-
-      ### 5. Best Practices for Rule Content
-      - Use clear, specific regex patterns
-      - Provide helpful, actionable messages
-      - Include examples of good and bad code
-      - Set appropriate priority levels
-      - Use multiple conditions for complex rules
-      - Consider performance impact of complex patterns
-
-      ### 6. Rule Testing
-      - Test rules against both compliant and non-compliant code
-      - Verify that messages are clear and helpful
-      - Check for false positives and false negatives
-      - Ensure rules don't conflict with each other
-
-examples:
-  - input: |
-      # Bad: Rule file in wrong location
-      rules/my-rule.mdc
-      my-rule.mdc
-      .rules/my-rule.mdc
-
-      # Good: Rule file in correct location
-      .cursor/rules/my-rule.mdc
-    output: "Correctly placed Cursor rule file"
-  
-  - input: |
-      # Bad: Poorly structured rule
-      <rule>
-      name: bad_rule
-      description: This rule does something
-      </rule>
-
-      # Good: Well-structured rule
-      <rule>
-      name: good_rule
-      description: This rule enforces proper error handling in PHP code
-      filters:
-        - type: file_extension
-          pattern: "\\.php$"
-      actions:
-        - type: enforce
-          conditions:
-            - pattern: "try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{\\s*}"
-              message: "Empty catch blocks should include at least error logging"
-      metadata:
-        priority: high
-        version: 1.0
-      </rule>
-    output: "Well-structured Cursor rule with proper components"
-
-metadata:
-  priority: high
-  version: 1.2
-</rule>
+# Cursor Rule Authoring Standards
+
+Standards for storing and maintaining Cursor rule files so every project installs consistent guidance.
+
+> Priority: high · Version: 1.2
+
+## Applies To
+- `*.mdc`
+
+## Trigger Conditions
+- New or modified rule files within the repository.
+- Rule files created outside `.cursor/rules/`.
+- Rules that still use the legacy `<rule>` XML-style format.
+
+## Hard Stops
+
+- Cursor rule files must live under `.cursor/rules/` in the project root.
+- Migrate any legacy `<rule>...</rule>` blocks to front matter + Markdown content.
+
+## Recommended Structure
+```
+---
+description: Short summary of what the rule enforces
+globs: *.ext, *.another
+alwaysApply: false
+---
+# Rule Title
+
+Introductory paragraph that explains scope and intent.
+
+> Priority: <low|medium|high> · Version: <semver>
+
+## Applies To
+- `*.ext`
+
+## Trigger Conditions
+- Bulleted list describing when reviewers should reference the rule.
+
+## Required Checks / Recommendations / Positive Signals
+- Use headings that suit the rule's enforcement style.
+- Keep bullets short, actionable, and framework-agnostic.
+- Include validation or positive examples when useful.
+
+## References
+- Optional external documentation or internal playbooks.
+```
+
+## Maintenance Checklist
+- Group related rules using consistent prefixes (e.g. `drupal-*`, `lagoon-*`).
+- Keep filenames kebab-cased with the `.mdc` extension.
+- Review neighbouring rules to avoid duplication or conflicting guidance.
+- Record significant rule updates (scope changes, removals) in commit messages or release notes.
+- Test rules against representative code snippets before distributing updates.
+- Refresh installer documentation and downstream repositories after introducing new rules.
+
+## Examples
+### Correct Placement
+```
+.cursor/rules/php-drupal-development-standards.mdc
+.cursor/rules/security-practices.mdc
+```
+Outcome: Rules are discoverable by Cursor and downstream tooling.
+
+### Incorrect Placement
+```
+rules/php-rule.mdc
+cursor-rules/drupal.mdc
+```
+Outcome: Rules outside `.cursor/rules/` will be ignored by Cursor installers.
diff --git a/.cursor/rules/debugging-standards.mdc b/.cursor/rules/debugging-standards.mdc
index 4fb041f..13af290 100644
--- a/.cursor/rules/debugging-standards.mdc
+++ b/.cursor/rules/debugging-standards.mdc
@@ -6,34 +6,32 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx, *.py
 
 Ensures proper debugging practices and error handling.
 
-<rule>
-name: debugging_standards
-description: Enforce standards for debugging and error handling
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|ts|vue|jsx|tsx|py)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "console\\.log\\(|print_r\\(|var_dump\\("
-        message: "Replace debug statements with proper logging"
-
-      - pattern: "catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
-        message: "Implement proper error handling in catch blocks"
-
-  - type: suggest
-    message: |
-      Debugging Best Practices:
-      - Address root causes, not symptoms
-      - Add descriptive logging messages
-      - Create isolated test functions
-      - Implement comprehensive error handling
-      - Use appropriate logging levels
-      - Add context to error messages
-      - Consider debugging tools integration
-
-metadata:
-  priority: high
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.ts`
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+- `*.py`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|ts|vue|jsx|tsx|py)$`
+
+## Required Checks
+
+- Replace debug statements with proper logging
+- Implement proper error handling in catch blocks
+
+## Recommendations
+
+Debugging Best Practices:
+- Address root causes, not symptoms
+- Add descriptive logging messages
+- Create isolated test functions
+- Implement comprehensive error handling
+- Use appropriate logging levels
+- Add context to error messages
+- Consider debugging tools integration
diff --git a/.cursor/rules/docker-compose-standards.mdc b/.cursor/rules/docker-compose-standards.mdc
index 8bb85cd..4fb893e 100644
--- a/.cursor/rules/docker-compose-standards.mdc
+++ b/.cursor/rules/docker-compose-standards.mdc
@@ -3,137 +3,111 @@ description: Docker Compose standards Rule
 globs: 
 alwaysApply: false
 ---
-<rule>
-name: docker_compose_best_practices
-description: Enforces best practices in docker-compose files to ensure maintainability, security, and consistency
-filters:
-  - type: file_name
-    pattern: "docker-compose\\.ya?ml$"
-  - type: event
-    pattern: "(file_create|file_modify)"
-actions:
-  # 1. Prevent deprecated 'version' field
-  - type: reject
-    conditions:
-      - pattern: "^\\s*version\\s*:"
-        message: "The 'version' field is deprecated in Docker Compose files. Compose files are now version-less by default."
-  # 2. Enforce consistent indentation
-  - type: reject
-    conditions:
-      - pattern: "^(  |\t)"
-        message: "Inconsistent indentation detected. Use 2 spaces for indentation."
-  # 3. Prevent usage of deprecated 'links' key
-  - type: reject
-    conditions:
-      - pattern: "^\\s*links\\s*:"
-        message: "The 'links' key is deprecated. Use networks and service names for inter-service communication."
-  # 4. Enforce explicit image tags
-  - type: reject
-    conditions:
-      - pattern: "^\\s*image\\s*:\\s*[^:]+$"
-        message: "Specify an explicit image tag to ensure consistency."
-  # 5. Prevent services from running in privileged mode
-  - type: reject
-    conditions:
-      - pattern: "^\\s*privileged\\s*:\\s*true"
-        message: "Running services in privileged mode is discouraged for security reasons."
-  # 6. Enforce defining resource limits
-  - type: reject
-    conditions:
-      - pattern: "^\\s*services\\s*:\\s*[^\\n]+\\n(?!.*\\blimits\\b)"
-        message: "Define resource limits for each service to prevent resource exhaustion."
-  # Suggestions for best practices
-  - type: suggest
-    message: |
-      To adhere to Docker Compose best practices:
+> Priority: high · Version: 1.0
 
-      1. **Omit the 'version' field**: Compose files are version-less by default.
-         ```yaml
-         services:
-           web:
-             image: nginx
-         ```
+## Trigger Conditions
+- Filter `file_name` matching `docker-compose\.ya?ml$`
+- Events `(file_create|file_modify)`
 
-      2. **Use consistent indentation**: Use 2 spaces for indentation.
-         ```yaml
-         services:
-           web:
-             image: nginx
-         ```
+## Hard Stops
 
-      3. **Avoid 'links' key**: Use networks and service names for service communication.
-         ```yaml
-         services:
-           web:
-             image: nginx
-             networks:
-               - my-network
-           db:
-             image: mysql
-             networks:
-               - my-network
-         networks:
-           my-network:
-         ```
+- The 'version' field is deprecated in Docker Compose files. Compose files are now version-less by default.
+- Inconsistent indentation detected. Use 2 spaces for indentation.
+- The 'links' key is deprecated. Use networks and service names for inter-service communication.
+- Specify an explicit image tag to ensure consistency.
+- Running services in privileged mode is discouraged for security reasons.
+- Define resource limits for each service to prevent resource exhaustion.
 
-      4. **Specify explicit image tags**: Prevent unintended updates by defining image tags.
-         ```yaml
-         services:
-           web:
-             image: nginx:1.21.0
-         ```
+## Recommendations
 
-      5. **Avoid privileged mode**: Do not use 'privileged: true'. Grant specific capabilities if necessary.
-         ```yaml
-         services:
-           web:
-             image: nginx
-             cap_add:
-               - NET_ADMIN
-         ```
+To adhere to Docker Compose best practices:
 
-      6. **Define resource limits**: Prevent services from consuming excessive resources.
-         ```yaml
-         services:
-           web:
-             image: nginx
-             deploy:
-               resources:
-                 limits:
-                   cpus: '0.50'
-                   memory: '512M'
-         ```
+1. **Omit the 'version' field**: Compose files are version-less by default.
+   ```yaml
+   services:
+     web:
+       image: nginx
+   ```
+
+2. **Use consistent indentation**: Use 2 spaces for indentation.
+   ```yaml
+   services:
+     web:
+       image: nginx
+   ```
+
+3. **Avoid 'links' key**: Use networks and service names for service communication.
+   ```yaml
+   services:
+     web:
+       image: nginx
+       networks:
+         - my-network
+     db:
+       image: mysql
+       networks:
+         - my-network
+   networks:
+     my-network:
+   ```
+
+4. **Specify explicit image tags**: Prevent unintended updates by defining image tags.
+   ```yaml
+   services:
+     web:
+       image: nginx:1.21.0
+   ```
+
+5. **Avoid privileged mode**: Do not use 'privileged: true'. Grant specific capabilities if necessary.
+   ```yaml
+   services:
+     web:
+       image: nginx
+       cap_add:
+         - NET_ADMIN
+   ```
+
+6. **Define resource limits**: Prevent services from consuming excessive resources.
+   ```yaml
+   services:
+     web:
+       image: nginx
+       deploy:
+         resources:
+           limits:
+             cpus: '0.50'
+             memory: '512M'
+   ```
+
+Implementing these practices ensures secure, maintainable, and consistent Docker Compose configurations.
+
+## Examples
+### Example 1
+```
+version: '3'
+services:
+  web:
+    image: nginx
+    links:
+      - db
+    privileged: true
+  db:
+    image: mysql
+```
+Outcome: services:
+  web:
+    image: nginx:1.21.0
+    networks:
+      - my-network
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: '512M'
+  db:
+    image: mysql:5.7
+    networks:
+      - my-network
+networks:
+  my-network:
 
-      Implementing these practices ensures secure, maintainable, and consistent Docker Compose configurations.
-examples:
-  - input: |
-      version: '3'
-      services:
-        web:
-          image: nginx
-          links:
-            - db
-          privileged: true
-        db:
-          image: mysql
-    output: |
-      services:
-        web:
-          image: nginx:1.21.0
-          networks:
-            - my-network
-          deploy:
-            resources:
-              limits:
-                cpus: '0.50'
-                memory: '512M'
-        db:
-          image: mysql:5.7
-          networks:
-            - my-network
-      networks:
-        my-network:
-metadata:
-  priority: high
-  version: 1.0
-</rule>
\ No newline at end of file
diff --git a/.cursor/rules/drupal-authentication-failures.mdc b/.cursor/rules/drupal-authentication-failures.mdc
index c0ba535..7ea11b3 100644
--- a/.cursor/rules/drupal-authentication-failures.mdc
+++ b/.cursor/rules/drupal-authentication-failures.mdc
@@ -7,133 +7,75 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent identification and authentication failures in Drupal applications, as defined in OWASP Top 10:2021-A07.
 
-<rule>
-name: drupal_authentication_failures
-description: Detect and prevent identification and authentication failures in Drupal as defined in OWASP Top 10:2021-A07
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme|yml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.inc`
+- `*.module`
+- `*.install`
+- `*.info.yml`
+- `*.theme`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme|yml)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Ensure strong password policies are configured to require complexity, length, and prevent common passwords.
+- Custom authentication functions should implement proper validation and not return TRUE without checks.
+- Avoid direct password comparison. Use Drupal's built-in password verification services.
+- Hardcoded credentials detected. Store credentials securely outside of code.
+- Ensure proper CSRF protection is implemented for all authenticated actions.
+- Use Drupal's session management. If custom code is required, ensure secure session handling practices.
+- Ensure proper account lockout and flood control mechanisms are configured to prevent brute force attacks.
+- Verify password reset functionality uses secure tokens with proper expiration and validation.
+- Consider implementing multi-factor authentication for sensitive operations or user roles.
+- Avoid creating default administrator accounts or test users in production code.
+
+## Recommendations
+
+**Drupal Authentication Security Best Practices:**
+
+1. **Password Policies:**
+   - Use Drupal's Password Policy module for enforcing strong passwords
+   - Configure minimum password length (12+ characters recommended)
+   - Require complexity (uppercase, lowercase, numbers, special characters)
+   - Implement password rotation for sensitive roles
+   - Check passwords against known breached password databases
+
+2. **Authentication Infrastructure:**
+   - Use Drupal's core authentication mechanisms rather than custom solutions
+   - Implement proper account lockout after failed login attempts
+   - Consider multi-factor authentication (TFA module) for privileged accounts
+   - Implement session timeout for inactivity
+   - Use HTTPS for all authentication traffic
+
+3. **Session Management:**
+   - Use Drupal's session management system rather than PHP's session functions
+   - Configure secure session cookie settings in settings.php
+   - Implement proper session regeneration on privilege changes
+   - Consider using the Session Limit module to restrict concurrent sessions
+   - Properly destroy sessions on logout
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Weak or missing password policies
-      - pattern: "UserPasswordConstraint|PasswordPolicy|user\\.settings\\.yml"
-        message: "Ensure strong password policies are configured to require complexity, length, and prevent common passwords."
-        
-      # Pattern 2: Custom authentication without proper validation
-      - pattern: "(authenticate|login|auth).*function[^}]*return\\s+(TRUE|true|1)\\s*;"
-        message: "Custom authentication functions should implement proper validation and not return TRUE without checks."
-        
-      # Pattern 3: Improper password comparison
-      - pattern: "==\\s*\\$password|===\\s*\\$password|strcmp\\(|password_verify\\([^,]+,[^,]+\\$plainTextPassword"
-        message: "Avoid direct password comparison. Use Drupal's built-in password verification services."
-        
-      # Pattern 4: Credentials in code
-      - pattern: "(username|user|pass|password|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Hardcoded credentials detected. Store credentials securely outside of code."
-        
-      # Pattern 5: Missing or weak CSRF protection
-      - pattern: "drupal_get_token\\(|form_token|\\$form\\[['\"]#token['\"]\\]\\s*=|drupal_valid_token\\("
-        message: "Ensure proper CSRF protection is implemented for all authenticated actions."
-        
-      # Pattern 6: Insecure session management
-      - pattern: "setcookie\\(|session_regenerate_id\\(false\\)|session_regenerate_id\\([^\\)]*"
-        message: "Use Drupal's session management. If custom code is required, ensure secure session handling practices."
-        
-      # Pattern 7: Missing account lockout protection
-      - pattern: "user\\.flood\\.yml|flood_control|UserFloodControl|user_failed_login_"
-        message: "Ensure proper account lockout and flood control mechanisms are configured to prevent brute force attacks."
-        
-      # Pattern 8: Insecure password reset implementation
-      - pattern: "user_pass_reset|password_reset|reset.*token"
-        message: "Verify password reset functionality uses secure tokens with proper expiration and validation."
-        
-      # Pattern 9: Lack of multi-factor authentication
-      - pattern: "tfa|two_factor|multi_factor|2fa"
-        message: "Consider implementing multi-factor authentication for sensitive operations or user roles."
-        
-      # Pattern 10: Default or test accounts
-      - pattern: "\\$user->name\\s*=\\s*['\"]admin['\"]|\\$name\\s*=\\s*['\"]admin['\"]|->values\\(['\"](mdc:name|mail)['\"]\\)\\s*->\\s*set\\(['\"][^\\'\"]+['\"]\\)"
-        message: "Avoid creating default administrator accounts or test users in production code."
+4. **Account Management:**
+   - Implement proper account provisioning and deprovisioning processes
+   - Use email verification for new account registration
+   - Implement secure password reset mechanisms with limited-time tokens
+   - Apply the principle of least privilege for user roles
+   - Regularly audit user accounts and permissions
 
-  - type: suggest
-    message: |
-      **Drupal Authentication Security Best Practices:**
-      
-      1. **Password Policies:**
-         - Use Drupal's Password Policy module for enforcing strong passwords
-         - Configure minimum password length (12+ characters recommended)
-         - Require complexity (uppercase, lowercase, numbers, special characters)
-         - Implement password rotation for sensitive roles
-         - Check passwords against known breached password databases
-      
-      2. **Authentication Infrastructure:**
-         - Use Drupal's core authentication mechanisms rather than custom solutions
-         - Implement proper account lockout after failed login attempts
-         - Consider multi-factor authentication (TFA module) for privileged accounts
-         - Implement session timeout for inactivity
-         - Use HTTPS for all authentication traffic
-      
-      3. **Session Management:**
-         - Use Drupal's session management system rather than PHP's session functions
-         - Configure secure session cookie settings in settings.php
-         - Implement proper session regeneration on privilege changes
-         - Consider using the Session Limit module to restrict concurrent sessions
-         - Properly destroy sessions on logout
-      
-      4. **Account Management:**
-         - Implement proper account provisioning and deprovisioning processes
-         - Use email verification for new account registration
-         - Implement secure password reset mechanisms with limited-time tokens
-         - Apply the principle of least privilege for user roles
-         - Regularly audit user accounts and permissions
-      
-      5. **Authentication Hardening:**
-         - Monitor for authentication failures and suspicious patterns
-         - Implement IP-based and username-based flood control
-         - Log authentication events for security monitoring
-         - Consider CAPTCHA or reCAPTCHA for login forms
-         - Use OAuth or SAML for single sign-on where appropriate
+5. **Authentication Hardening:**
+   - Monitor for authentication failures and suspicious patterns
+   - Implement IP-based and username-based flood control
+   - Log authentication events for security monitoring
+   - Consider CAPTCHA or reCAPTCHA for login forms
+   - Use OAuth or SAML for single sign-on where appropriate
 
-  - type: validate
-    conditions:
-      # Check 1: Proper password handling
-      - pattern: "password_verify\\(|UserPassword|\\\\Drupal::service\\(['\"]password['\"]\\)"
-        message: "Using Drupal's password services correctly."
-      
-      # Check 2: CSRF token implementation
-      - pattern: "\\$form\\[['\"]#token['\"]\\]\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Form includes CSRF protection token."
-      
-      # Check 3: Proper session management
-      - pattern: "\\$request->getSession\\(\\)|\\\\Drupal::service\\(['\"]session['\"]\\)"
-        message: "Using Drupal's session management services."
-      
-      # Check 4: User flood control
-      - pattern: "user\\.flood\\.yml|flood|user_login_final_validate"
-        message: "Implementing user flood protection."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - authentication
-    - identification
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:authentication
-    - standard:owasp-top10
-    - risk:a07-authentication-failures
-  references:
-    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
-    - "https://www.drupal.org/docs/security-in-drupal/drupal-security-best-practices"
-    - "https://www.drupal.org/project/tfa"
-    - "https://www.drupal.org/project/password_policy"
-</rule> 
\ No newline at end of file
+- Using Drupal's password services correctly.
+- Form includes CSRF protection token.
+- Using Drupal's session management services.
+- Implementing user flood protection.
diff --git a/.cursor/rules/drupal-broken-access-control.mdc b/.cursor/rules/drupal-broken-access-control.mdc
index 4166475..d5c618a 100644
--- a/.cursor/rules/drupal-broken-access-control.mdc
+++ b/.cursor/rules/drupal-broken-access-control.mdc
@@ -3,126 +3,38 @@ description: Detect and prevent broken access control vulnerabilities in Drupal
 globs: *.php, *.install, *.module, *.inc, *.theme
 alwaysApply: false
 ---
-# Drupal Broken Access Control Security Standards (OWASP A01:2021)
+# Drupal Broken Access Control Standards (OWASP A01:2021)
 
-This rule enforces security best practices to prevent broken access control vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A01.
+Use this checklist to keep Drupal custom code aligned with Drupal's access control APIs and caching rules.
 
-<rule>
-name: drupal_broken_access_control
-description: Detect and prevent broken access control vulnerabilities in Drupal as defined in OWASP Top 10:2021-A01
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme)$"
-  - type: file_path
-    pattern: "(modules|themes|profiles)/custom"
+> Priority: high · Version: 1.0 · Tags: security, drupal, access-control, permissions
+
+## Applies To
+- `*.php`, `*.module`, `*.install`, `*.inc`, `*.theme`
+- Custom modules, themes, and profiles under `modules/`, `themes/`, or `profiles/`
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing access checks in routes
-      - pattern: "\\s*\\$routes\\['[^']*'\\]\\s*=\\s*.*(?!_access|access_callback|requirements)"
-        message: "Route definition is missing access control. Add '_permission', '_role', '_access', or custom access check in requirements."
-        
-      # Pattern 2: Using user_access() instead of more secure methods
-      - pattern: "user_access\\("
-        message: "user_access() is deprecated. Use $account->hasPermission() or proper dependency injection with AccessResult methods."
-        
-      # Pattern 3: Hard-coded user ID checks
-      - pattern: "(\\$user->id\\(\\)|\\$user->uid)\\s*===?\\s*1"
-        message: "Avoid hardcoded checks against user ID 1. Use role-based permissions or proper access control services."
-        
-      # Pattern 4: Missing access check on entity operations
-      - pattern: "\\$entity->(?!access)(save|delete|update)\\(\\)"
-        message: "Entity operation without prior access check. Use \$entity->access('operation') before performing operations."
-        
-      # Pattern 5: Using Drupal::currentUser() directly in services
-      - pattern: "\\\\Drupal::currentUser\\(\\)"
-        message: "Avoid using \\Drupal::currentUser() directly. Inject the current_user service for better testability and security."
-        
-      # Pattern 6: Missing access checks in controllers
-      - pattern: "class [A-Za-z0-9_]+Controller.+extends ControllerBase[^}]+public function [a-zA-Z0-9_]+\\([^{]*\\)\\s*\\{(?![^}]*access)"
-        message: "Controller method lacks explicit access checking. Add checks via route requirements or within the controller method."
-        
-      # Pattern 7: Direct field value manipulation without access check
-      - pattern: "\\$entity->set\\([^)]+\\)\\s*;(?![^;]*access)"
-        message: "Direct field value manipulation without access check. Verify entity field access before manipulation."
-        
-      # Pattern 8: Unprotected REST endpoints
-      - pattern: "@RestResource\\([^)]*\\)(?![^{]*_access|access_callback)"
-        message: "REST resource lacks access controls. Add access checks via annotations or in methods."
-        
-      # Pattern 9: Insecure access check by client IP
-      - pattern: "\\$_SERVER\\['REMOTE_ADDR'\\]\\s*===?\\s*"
-        message: "IP-based access control is insufficient. Use proper Drupal permission system instead."
-        
-      # Pattern 10: Allow bypassing cache for authenticated users without proper checks
-      - pattern: "#cache\\['contexts'\\]\\s*=\\s*\\[[^\\]]*'user'[^\\]]*\\]"
-        message: "Using 'user' cache context without proper access checks may expose content to unauthorized users."
+## Trigger Conditions
+- Defining routes, controllers, REST resources, or entity operations.
+- Manipulating entity fields, files, or configuration values based on user input.
+- Calling static helpers such as `\Drupal::currentUser()`, `user_access()`, or bypassing dependency injection.
 
-  - type: suggest
-    message: |
-      **Drupal Access Control Best Practices:**
-      
-      1. **Route Access Controls:**
-         - Always define access requirements in route definitions
-         - Use permission-based access checks: '_permission', '_role', '_entity_access'
-         - Implement custom access checkers implementing AccessInterface
-      
-      2. **Entity Access Controls:**
-         - Always check entity access: $entity->access('view'|'update'|'delete') 
-         - Use EntityAccessControlHandler for consistent access control
-         - Respect entity field access with $entity->get('field')->access('view'|'edit')
-      
-      3. **Controller Security:**
-         - Inject and use proper services rather than \Drupal static calls
-         - Add explicit access checks within controller methods
-         - Use AccessResult methods (allowed, forbidden, neutral) with proper caching metadata
-      
-      4. **Service Security:**
-         - Inject AccountProxyInterface rather than calling currentUser() directly
-         - Use dependency injection for access-related services
-         - Implement session-based CSRF protection with form tokens
-      
-      5. **REST/API Security:**
-         - Implement OAuth or proper authentication
-         - Define specific permissions for REST operations
-         - Never rely solely on client-side access control
+## Required Checks
+- Every route definition must declare access requirements (`_permission`, `_role`, `_entity_access`, or `_custom_access`).
+- Controllers and REST resources should return `AccessResult` objects or delegate to access services; never rely on implicit access.
+- Use `$account->hasPermission()` or injected `AccountInterface` instead of deprecated `user_access()` or UID checks.
+- Before updating or deleting entities, call `$entity->access('<operation>', $account)` and handle forbidden responses explicitly.
+- Inject `current_user` and related services instead of calling `\Drupal::currentUser()` statically for better testability and caching.
+- Avoid IP-based or static UID bypasses; rely on roles, permissions, and access policies.
 
-  - type: validate
-    conditions:
-      # Check 1: Ensuring proper access check implementation
-      - pattern: "AccessResult::(allowed|forbidden|neutral)\\(\\)(?=.*addCacheContexts)"
-        message: "Access check is properly implemented with cache metadata."
-      
-      # Check 2: Proper hook_entity_access implementation
-      - pattern: "function hook_entity_access\\([^)]*\\)\\s*\\{[^}]*return AccessResult"
-        message: "Entity access hook is correctly returning AccessResult."
-      
-      # Check 3: Properly secured route access
-      - pattern: "_permission|_role|_access|_entity_access|_custom_access"
-        message: "Route has proper access controls defined."
-      
-      # Check 4: Secure REST implementation
-      - pattern: "@RestResource\\(.*,\\s*authentication\\s*=\\s*\\{[^}]+\\}"
-        message: "REST Resource has authentication configured."
+## Recommendations
+- Implement custom access checkers by extending `AccessCheckInterface` when business rules are complex.
+- Ensure access results add cacheability metadata (`addCacheContexts`, `addCacheTags`, `addCacheableDependency`).
+- Use `hook_entity_access()` or entity access handlers to centralise policy decisions.
+- Document route permissions in README or module docs to aid security reviews.
+- Include Behat/Kernel tests that verify unauthorized users cannot reach protected endpoints.
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - access-control
-    - permissions
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:access-control
-    - standard:owasp-top10
-    - risk:a01-broken-access-control
-  references:
-    - "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
-    - "https://www.drupal.org/docs/8/api/routing-system/access-checking-on-routes"
-    - "https://www.drupal.org/docs/8/api/entity-api/entity-access-api"
-</rule>
\ No newline at end of file
+## Positive Signals
+- Presence of `AccessResult::allowed()`/`forbidden()` with cache metadata.
+- Routes referencing `_entity_access`, `_custom_access`, or `_role` requirements.
+- Services injecting `AccountProxyInterface`, `AccessManagerInterface`, or custom checkers.
+- Test coverage exercising both success and failure paths for access checks.
diff --git a/.cursor/rules/drupal-cryptographic-failures.mdc b/.cursor/rules/drupal-cryptographic-failures.mdc
index a116255..19df364 100644
--- a/.cursor/rules/drupal-cryptographic-failures.mdc
+++ b/.cursor/rules/drupal-cryptographic-failures.mdc
@@ -7,128 +7,69 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent cryptographic failures in Drupal applications, as defined in OWASP Top 10:2021-A02.
 
-<rule>
-name: drupal_cryptographic_failures
-description: Detect and prevent cryptographic failures in Drupal as defined in OWASP Top 10:2021-A02
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme)$"
-  - type: file_path
-    pattern: "(modules|themes|profiles|core)/.*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme)$`
+- Paths matching `(modules|themes|profiles|core)/.*`
+
+## Required Checks
+
+- Weak hash algorithm detected. Use password_hash() for passwords or hash('sha256'/'sha512') for other data.
+- Hardcoded credentials or sensitive keys detected. Use Drupal's State API, key module, or environment variables.
+- Never store plaintext passwords. Drupal handles password hashing internally.
+- Consider encrypting sensitive file contents using Drupal's encryption API or PHP's openssl functions.
+- Sensitive data in settings.php should be moved to environment variables or settings.local.php.
+- Insecure random number generation. Use random_bytes() or random_int() for cryptographic purposes.
+- Ensure HTTPS is enforced for cached pages containing sensitive information.
+- Consider using field encryption for sensitive data fields.
+- Avoid custom session handling. Use Drupal's session management services.
+- API tokens should include expiration time or rotation mechanism.
+
+## Recommendations
+
+**Drupal Cryptographic Security Best Practices:**
+
+1. **Secure Data Storage:**
+   - Use Drupal's Key module for storing encryption keys
+   - Store sensitive configuration in environment variables or settings.local.php
+   - Use Drupal's State API for non-configuration sensitive data
+   - Never store plaintext sensitive information in the database
+
+2. **Encryption and Hashing:**
+   - Use Drupal's password hashing system, which uses password_hash() internally
+   - For non-password data hashing, use SHA-256 or SHA-512
+   - Use the Encrypt module or PHP's openssl_encrypt() with proper algorithms (AES-256-GCM)
+   - Always use proper salting techniques
+
+3. **Communication Security:**
+   - Enforce HTTPS site-wide using settings.php configuration
+   - Use secure cookies (secure, HttpOnly, SameSite)
+   - Implement proper Content-Security-Policy headers
+   - Use TLS 1.2+ for all connections
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Use of weak hash algorithms
-      - pattern: "(md5|sha1)\\([^)]*\\)"
-        message: "Weak hash algorithm detected. Use password_hash() for passwords or hash('sha256'/'sha512') for other data."
-        
-      # Pattern 2: Hardcoded credentials or keys
-      - pattern: "(password|key|token|secret|credentials|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Hardcoded credentials or sensitive keys detected. Use Drupal's State API, key module, or environment variables."
-        
-      # Pattern 3: Plaintext password storage
-      - pattern: "\\$user->setPassword\\((?!password_hash|\\$hash)[^)]+\\)"
-        message: "Never store plaintext passwords. Drupal handles password hashing internally."
-        
-      # Pattern 4: Improper file encryption
-      - pattern: "file_(get|put)_contents\\([^,]+,\\s*[^,]+\\)"
-        message: "Consider encrypting sensitive file contents using Drupal's encryption API or PHP's openssl functions."
-        
-      # Pattern 5: Unprotected sensitive data in settings
-      - pattern: "\\$settings\\[['\"](mdc:?!hash_salt|update_free_access)[^]]+\\]\\s*=\\s*['\"][^\"']+['\"]"
-        message: "Sensitive data in settings.php should be moved to environment variables or settings.local.php."
-        
-      # Pattern 6: Insecure random number generation
-      - pattern: "(rand|mt_rand|array_rand)\\("
-        message: "Insecure random number generation. Use random_bytes() or random_int() for cryptographic purposes."
-        
-      # Pattern 7: Missing HTTPS enforcement
-      - pattern: "'#cache'|'cache'"
-        message: "Ensure HTTPS is enforced for cached pages containing sensitive information."
-        
-      # Pattern 8: Missing encryption for content with private information
-      - pattern: "(->set|->get)\\('field_[^']*(?:password|ssn|credit|card|secret|key|token|credentials|pwd)[^']*'\\)"
-        message: "Consider using field encryption for sensitive data fields."
-        
-      # Pattern 9: Custom session handling without proper security
-      - pattern: "session_(start|regenerate_id)"
-        message: "Avoid custom session handling. Use Drupal's session management services."
-        
-      # Pattern 10: API tokens without expiration or rotation
-      - pattern: "\\$token\\s*=\\s*.*?\\$[^;]+;(?![^;]*expir|[^;]*valid)"
-        message: "API tokens should include expiration time or rotation mechanism."
+4. **API Security:**
+   - Use OAuth or JWT with proper signature verification
+   - Implement token expiration and rotation
+   - Use HMAC for API request signatures when appropriate
+   - Never expose internal encryption keys through APIs
 
-  - type: suggest
-    message: |
-      **Drupal Cryptographic Security Best Practices:**
-      
-      1. **Secure Data Storage:**
-         - Use Drupal's Key module for storing encryption keys
-         - Store sensitive configuration in environment variables or settings.local.php
-         - Use Drupal's State API for non-configuration sensitive data
-         - Never store plaintext sensitive information in the database
-      
-      2. **Encryption and Hashing:**
-         - Use Drupal's password hashing system, which uses password_hash() internally
-         - For non-password data hashing, use SHA-256 or SHA-512
-         - Use the Encrypt module or PHP's openssl_encrypt() with proper algorithms (AES-256-GCM)
-         - Always use proper salting techniques
-      
-      3. **Communication Security:**
-         - Enforce HTTPS site-wide using settings.php configuration
-         - Use secure cookies (secure, HttpOnly, SameSite)
-         - Implement proper Content-Security-Policy headers
-         - Use TLS 1.2+ for all connections
-      
-      4. **API Security:**
-         - Use OAuth or JWT with proper signature verification
-         - Implement token expiration and rotation
-         - Use HMAC for API request signatures when appropriate
-         - Never expose internal encryption keys through APIs
-      
-      5. **Configuration Best Practices:**
-         - Regularly rotate encryption keys and credentials
-         - Implement secure key storage using key management services
-         - Monitor and log cryptographic operations 
-         - Maintain an inventory of cryptographic algorithms in use
+5. **Configuration Best Practices:**
+   - Regularly rotate encryption keys and credentials
+   - Implement secure key storage using key management services
+   - Monitor and log cryptographic operations 
+   - Maintain an inventory of cryptographic algorithms in use
 
-  - type: validate
-    conditions:
-      # Check 1: Proper password handling
-      - pattern: "UserInterface::PASSWORD_|password_hash\\("
-        message: "Using Drupal's password system correctly."
-      
-      # Check 2: Proper random generation
-      - pattern: "random_bytes|random_int|\\\\Drupal::service\\('random'\\)"
-        message: "Using secure random generation methods."
-      
-      # Check 3: Secure settings
-      - pattern: "getenv\\('|\\$_ENV\\['|\\$_SERVER\\['|settings\\.local\\.php"
-        message: "Using environment variables or local settings correctly."
-      
-      # Check 4: Proper encryption usage
-      - pattern: "openssl_encrypt\\(|\\\\Drupal::service\\('encryption'\\)"
-        message: "Using proper encryption methods."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - cryptography
-    - encryption
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:cryptography
-    - standard:owasp-top10
-    - risk:a02-cryptographic-failures
-  references:
-    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
-    - "https://www.drupal.org/docs/security-in-drupal"
-    - "https://www.drupal.org/project/key"
-    - "https://www.drupal.org/project/encrypt"
-</rule> 
\ No newline at end of file
+- Using Drupal's password system correctly.
+- Using secure random generation methods.
+- Using environment variables or local settings correctly.
+- Using proper encryption methods.
diff --git a/.cursor/rules/drupal-database-standards.mdc b/.cursor/rules/drupal-database-standards.mdc
index d325295..dba0740 100644
--- a/.cursor/rules/drupal-database-standards.mdc
+++ b/.cursor/rules/drupal-database-standards.mdc
@@ -6,35 +6,27 @@ globs: *.php, *.install, *.module
 
 Ensures proper database handling in Drupal applications.
 
-<rule>
-name: drupal_database_standards
-description: Enforce Drupal database best practices and standards
-filters:
-  - type: file_extension
-    pattern: "\\.(php|install|module)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "db_query"
-        message: "Use Database API instead of db_query"
-
-      - pattern: "hook_update_N.*\\{\\s*[^}]*\\}"
-        message: "Ensure hook_update_N includes proper schema changes"
-
-      - pattern: "\\$query->execute\\(\\)"
-        message: "Consider using try-catch block for database operations"
-
-  - type: suggest
-    message: |
-      Database Best Practices:
-      - Use Schema API for table definitions
-      - Implement proper error handling
-      - Use update hooks for schema changes
-      - Follow Drupal's database abstraction layer
-      - Implement proper indexing strategies
-
-metadata:
-  priority: critical
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: critical · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|install|module)$`
+
+## Required Checks
+
+- Use Database API instead of db_query
+- Ensure hook_update_N includes proper schema changes
+- Consider using try-catch block for database operations
+
+## Recommendations
+
+Database Best Practices:
+- Use Schema API for table definitions
+- Implement proper error handling
+- Use update hooks for schema changes
+- Follow Drupal's database abstraction layer
+- Implement proper indexing strategies
diff --git a/.cursor/rules/drupal-file-permissions.mdc b/.cursor/rules/drupal-file-permissions.mdc
index ac45a4b..9d18c11 100644
--- a/.cursor/rules/drupal-file-permissions.mdc
+++ b/.cursor/rules/drupal-file-permissions.mdc
@@ -6,129 +6,118 @@ globs: *.dockerfile, *.sh, docker-compose.yml, Dockerfile
 
 Standards for securing Drupal file permissions in Docker environments and production servers, ensuring proper security while maintaining functionality.
 
-<rule>
-name: drupal_file_permissions
-description: Enforce secure file permissions for Drupal sites/default directory and critical files
-filters:
-  - type: file_extension
-    pattern: "\\.(dockerfile|sh|yml)$"
-  - type: file_name
-    pattern: "^Dockerfile$|^docker-compose\\.yml$"
-  - type: content
-    pattern: "(?i)chmod|chown|drupal|settings\\.php|services\\.yml"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "chmod\\s+(?!755)\\d+\\s+[^\\n]*sites\\/default(?![^\\n]*files)"
-        message: "sites/default directory should have 755 permissions (read-only for group/others)"
-
-      - pattern: "chmod\\s+(?!444)\\d+\\s+[^\\n]*settings\\.php"
-        message: "settings.php should have 444 permissions (read-only for everyone)"
-
-      - pattern: "chmod\\s+(?!444)\\d+\\s+[^\\n]*services\\.yml"
-        message: "services.yml should have 444 permissions (read-only for everyone)"
-        
-      - pattern: "chmod\\s+(?!755)\\d+\\s+[^\\n]*sites\\/default\\/files"
-        message: "sites/default/files directory should have 755 permissions with proper ownership"
-        
-      - pattern: "chown\\s+(?!www-data:www-data)[^\\s]+\\s+[^\\n]*sites\\/default\\/files"
-        message: "sites/default/files should be owned by the web server user (www-data:www-data)"
-
-  - type: suggest
-    message: |
-      ## Drupal File Permissions Security Best Practices
-
-      ### 1. Critical File Permissions
-      - **sites/default directory**: 755 (drwxr-xr-x)
-      - **settings.php**: 444 (r--r--r--)
-      - **services.yml**: 444 (r--r--r--)
-      - **settings.local.php**: 444 (r--r--r--)
-      - **sites/default/files**: 755 (drwxr-xr-x)
-      - **sites/default/files/** (contents): 644 (rw-r--r--) for files, 755 (drwxr-xr-x) for directories
-
-      ### 2. Ownership Configuration
-      - **Web root**: application user (varies by environment)
-      - **sites/default/files**: web server user (www-data:www-data)
-      
-      ### 3. Implementation in Dockerfile
-      ```dockerfile
-      # Set proper permissions for Drupal
-      RUN mkdir -p /app/${WEBROOT}/sites/default/files && \
-          chown www-data:www-data /app/${WEBROOT}/sites/default/files && \
-          chmod 755 /app/${WEBROOT}/sites/default && \
-          chmod 444 /app/${WEBROOT}/sites/default/settings.php && \
-          chmod 444 /app/${WEBROOT}/sites/default/services.yml && \
-          find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \\; && \
-          find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \\;
-      ```
-
-      ### 4. Permission Fix Script
-      Create a script at `/app/scripts/custom/fix-drupal-permissions.sh`:
-      ```bash
-      #!/bin/bash
-      
-      # Exit on error
-      set -e
-      
-      WEBROOT=${WEBROOT:-web}
-      
-      echo "Setting Drupal file permissions..."
-      
-      # Ensure directories exist
-      mkdir -p /app/${WEBROOT}/sites/default/files
-      
-      # Set ownership
-      chown www-data:www-data /app/${WEBROOT}/sites/default/files
-      
-      # Set directory permissions
-      chmod 755 /app/${WEBROOT}/sites/default
-      chmod 755 /app/${WEBROOT}/sites/default/files
-      find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
-      
-      # Set file permissions
-      chmod 444 /app/${WEBROOT}/sites/default/settings.php
-      [ -f /app/${WEBROOT}/sites/default/services.yml ] && chmod 444 /app/${WEBROOT}/sites/default/services.yml
-      [ -f /app/${WEBROOT}/sites/default/settings.local.php ] && chmod 444 /app/${WEBROOT}/sites/default/settings.local.php
-      find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
-      
-      echo "Drupal file permissions set successfully."
-      ```
-
-      ### 5. Verify Permissions
-      ```bash
-      # Check file permissions
-      ahoy cli "ls -la /app/${WEBROOT}/sites/default"
-      ahoy cli "ls -la /app/${WEBROOT}/sites/default/files"
-      
-      # Check Drupal status
-      ahoy drush status-report | grep -i "protected"
-      ```
-
-      ### 6. Security Considerations
-      - Never set 777 permissions on any Drupal files or directories
-      - Temporary files should be stored in private file system when possible
-      - Use Drupal's private file system for sensitive uploads
-      - Implement file access controls through Drupal's permission system
-      - Consider using file encryption for highly sensitive data
-
-examples:
-  - input: |
-      # Bad: Insecure permissions
-      RUN chmod 777 /app/${WEBROOT}/sites/default
-      RUN chmod 666 /app/${WEBROOT}/sites/default/settings.php
-      RUN chmod -R 777 /app/${WEBROOT}/sites/default/files
-
-      # Good: Secure permissions
-      RUN chmod 755 /app/${WEBROOT}/sites/default
-      RUN chmod 444 /app/${WEBROOT}/sites/default/settings.php
-      RUN chmod 444 /app/${WEBROOT}/sites/default/services.yml
-      RUN chown www-data:www-data /app/${WEBROOT}/sites/default/files
-      RUN find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
-      RUN find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
-    output: "Correctly set Drupal file permissions with proper security"
-
-metadata:
-  priority: high
-  version: 1.1
-</rule> 
+> Priority: high · Version: 1.1
+
+## Applies To
+- `*.dockerfile`
+- `*.sh`
+- `docker-compose.yml`
+- `Dockerfile`
+
+## Trigger Conditions
+- Files matching pattern `\.(dockerfile|sh|yml)$`
+- Filter `file_name` matching `^Dockerfile$|^docker-compose\.yml$`
+- Files containing `(?i)chmod|chown|drupal|settings\.php|services\.yml`
+
+## Required Checks
+
+- sites/default directory should have 755 permissions (read-only for group/others)
+- settings.php should have 444 permissions (read-only for everyone)
+- services.yml should have 444 permissions (read-only for everyone)
+- sites/default/files directory should have 755 permissions with proper ownership
+- sites/default/files should be owned by the web server user (www-data:www-data)
+
+## Recommendations
+
+## Drupal File Permissions Security Best Practices
+
+### 1. Critical File Permissions
+- **sites/default directory**: 755 (drwxr-xr-x)
+- **settings.php**: 444 (r--r--r--)
+- **services.yml**: 444 (r--r--r--)
+- **settings.local.php**: 444 (r--r--r--)
+- **sites/default/files**: 755 (drwxr-xr-x)
+- **sites/default/files/** (contents): 644 (rw-r--r--) for files, 755 (drwxr-xr-x) for directories
+
+### 2. Ownership Configuration
+- **Web root**: application user (varies by environment)
+- **sites/default/files**: web server user (www-data:www-data)
+
+### 3. Implementation in Dockerfile
+```dockerfile
+# Set proper permissions for Drupal
+RUN mkdir -p /app/${WEBROOT}/sites/default/files && \
+    chown www-data:www-data /app/${WEBROOT}/sites/default/files && \
+    chmod 755 /app/${WEBROOT}/sites/default && \
+    chmod 444 /app/${WEBROOT}/sites/default/settings.php && \
+    chmod 444 /app/${WEBROOT}/sites/default/services.yml && \
+    find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \\; && \
+    find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \\;
+```
+
+### 4. Permission Fix Script
+Create a script at `/app/scripts/custom/fix-drupal-permissions.sh`:
+```bash
+#!/bin/bash
+
+# Exit on error
+set -e
+
+WEBROOT=${WEBROOT:-web}
+
+echo "Setting Drupal file permissions..."
+
+# Ensure directories exist
+mkdir -p /app/${WEBROOT}/sites/default/files
+
+# Set ownership
+chown www-data:www-data /app/${WEBROOT}/sites/default/files
+
+# Set directory permissions
+chmod 755 /app/${WEBROOT}/sites/default
+chmod 755 /app/${WEBROOT}/sites/default/files
+find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
+
+# Set file permissions
+chmod 444 /app/${WEBROOT}/sites/default/settings.php
+[ -f /app/${WEBROOT}/sites/default/services.yml ] && chmod 444 /app/${WEBROOT}/sites/default/services.yml
+[ -f /app/${WEBROOT}/sites/default/settings.local.php ] && chmod 444 /app/${WEBROOT}/sites/default/settings.local.php
+find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
+
+echo "Drupal file permissions set successfully."
+```
+
+### 5. Verify Permissions
+```bash
+# Check file permissions
+ahoy cli "ls -la /app/${WEBROOT}/sites/default"
+ahoy cli "ls -la /app/${WEBROOT}/sites/default/files"
+
+# Check Drupal status
+ahoy drush status-report | grep -i "protected"
+```
+
+### 6. Security Considerations
+- Never set 777 permissions on any Drupal files or directories
+- Temporary files should be stored in private file system when possible
+- Use Drupal's private file system for sensitive uploads
+- Implement file access controls through Drupal's permission system
+- Consider using file encryption for highly sensitive data
+
+## Examples
+### Example 1
+```
+# Bad: Insecure permissions
+RUN chmod 777 /app/${WEBROOT}/sites/default
+RUN chmod 666 /app/${WEBROOT}/sites/default/settings.php
+RUN chmod -R 777 /app/${WEBROOT}/sites/default/files
+
+# Good: Secure permissions
+RUN chmod 755 /app/${WEBROOT}/sites/default
+RUN chmod 444 /app/${WEBROOT}/sites/default/settings.php
+RUN chmod 444 /app/${WEBROOT}/sites/default/services.yml
+RUN chown www-data:www-data /app/${WEBROOT}/sites/default/files
+RUN find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
+RUN find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
+```
+Outcome: Correctly set Drupal file permissions with proper security
diff --git a/.cursor/rules/drupal-injection.mdc b/.cursor/rules/drupal-injection.mdc
index 3d8a502..a4af6e6 100644
--- a/.cursor/rules/drupal-injection.mdc
+++ b/.cursor/rules/drupal-injection.mdc
@@ -3,133 +3,39 @@ description: Detect and prevent injection vulnerabilities in Drupal as defined i
 globs: *.php, *.inc, *.module, *.install, *.info.yml, *.theme, **/modules/**, **/themes/**, **/profiles/**
 alwaysApply: false
 ---
-# Drupal Injection Security Standards (OWASP A03:2021)
+# Drupal Injection Prevention Standards (OWASP A03:2021)
 
-This rule enforces security best practices to prevent injection vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A03.
+Reference this guide when reviewing Drupal code for SQL, XSS, command, or file injection risks.
 
-<rule>
-name: drupal_injection
-description: Detect and prevent injection vulnerabilities in Drupal as defined in OWASP Top 10:2021-A03
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme)$"
-  - type: file_path
-    pattern: "(modules|themes|profiles|core)/.*"
+> Priority: high · Version: 1.0 · Tags: security, drupal, injection
+
+## Applies To
+- PHP source under custom modules, themes, or profiles (`modules/`, `themes/`, `profiles/`, `core/`).
+- Twig templates and configuration defining markup or executable code.
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Raw SQL queries without placeholders
-      - pattern: "db_query\\(['\"][^'\"]*\\$[^'\"]*['\"]"
-        message: "Direct variables in SQL queries are vulnerable to SQL injection. Use parameterized queries with placeholders."
-        
-      # Pattern 2: Modern DB API without placeholders
-      - pattern: "->query\\(['\"][^'\"]*\\$[^'\"]*['\"]"
-        message: "Use parameterized queries with placeholders to prevent SQL injection: ->query($sql, [$param1, $param2])."
-        
-      # Pattern 3: Unescaped output
-      - pattern: "<?=|<?php\\s+echo\\s+(?!(t|\\\\t|\\$this->t))[^;]*;"
-        message: "Direct output may lead to XSS. Use t(), escaped variables with Html::escape(), or Twig templates."
-        
-      # Pattern 4: Unfiltered user input in render arrays
-      - pattern: "[\"']#markup[\"']\\s*=>\\s*(?!t\\(|\\\\t\\(|Xss::filterAdmin|Html::escape)\\$"
-        message: "Never use unfiltered variables in #markup. Use t(), Xss::filterAdmin(), or Html::escape()."
-        
-      # Pattern 5: Unescaped variables in JavaScript settings
-      - pattern: "->addJsSettings\\(\\[(?![^\\]]*(Xss::filter|Json::encode))\\$"
-        message: "Filter variables before adding to JavaScript settings using Xss::filter() or properly encode with Json::encode()."
-        
-      # Pattern 6: Direct command execution
-      - pattern: "exec\\(|shell_exec\\(|system\\(|passthru\\(|proc_open\\(|popen\\(|`"
-        message: "Command execution functions can lead to command injection. Use Symfony\Component\Process\Process if necessary."
-        
-      # Pattern 7: Unvalidated redirect
-      - pattern: "->redirect\\(\\s*\\$(?!(this->|allowed_destinations|config))"
-        message: "Unvalidated redirects can lead to open redirect vulnerabilities. Whitelist allowed destinations."
-        
-      # Pattern 8: Raw user input in conditions
-      - pattern: "->condition\\([^,]*,\\s*\\$(?!(this->|config|entity|storage))[^,]*,"
-        message: "Use proper input validation before using variables in database conditions to prevent SQL injection."
-        
-      # Pattern 9: Missing CSRF protection in forms
-      - pattern: "(?<!buildForm|getFormId)\\s*function\\s+[a-zA-Z0-9_]+Form\\s*\\([^{]*\\{[^}]*return\\s+\\$form;(?![^}]*FormBuilderInterface|[^}]*::TOKEN|[^}]*#token)"
-        message: "Form submissions must include CSRF protection with $form['#token']."
-        
-      # Pattern 10: Unvalidated file operations
-      - pattern: "file_get_contents\\(\\s*\\$(?!(this->|allowed_paths|config))"
-        message: "Validate file paths before operations to prevent path traversal attacks."
+## Trigger Conditions
+- Database queries constructed from request data or dynamic strings.
+- Output rendering via `#markup`, controllers, Twig, or JavaScript settings.
+- Use of command execution functions, file system access, or redirects influenced by user input.
 
-  - type: suggest
-    message: |
-      **Drupal Injection Prevention Best Practices:**
-      
-      1. **SQL Injection Prevention:**
-         - Always use parameterized queries with placeholders
-         - Use the Database API's condition methods: ->condition(), ->where()
-         - Properly escape table and field names with {}
-         - Consider using EntityQuery for entity operations
-      
-      2. **XSS Prevention:**
-         - Use Drupal's t() function for user-visible strings
-         - Apply appropriate filtering: Html::escape(), Xss::filter(), Xss::filterAdmin()
-         - Use #plain_text instead of #markup when displaying user input
-         - Utilize Twig's automatic escaping in templates
-         - For admin UIs, be careful with Xss::filterAdmin() as it allows some tags
-      
-      3. **CSRF Protection:**
-         - Always include form tokens with $form['#token']
-         - Validate form tokens with FormState->validateToken()
-         - For AJAX requests, utilize Drupal's ajax framework
-         - Use drupal_valid_token() for custom validation
-      
-      4. **Command Injection Prevention:**
-         - Avoid command execution functions entirely
-         - Use Symfony\Component\Process\Process with escaped arguments
-         - Validate and whitelist any input used in command contexts
-      
-      5. **Path Traversal Prevention:**
-         - Validate file paths with FileSystem::validatedLocalFileSystem()
-         - Use stream wrappers (public://, private://) instead of direct paths
-         - Implement strict input validation for any path components
+## Required Checks
+- Use parameterized queries with placeholders (`db_query($sql, $args)`, `$connection->query($sql, $args)`, or EntityQuery) instead of string concatenation.
+- Escape or sanitise all rendered output using `t()`, `Html::escape()`, `Xss::filter()`, or `#plain_text` as appropriate.
+- Validate `#markup` assignments and JavaScript settings before passing user-controlled values.
+- Add CSRF tokens to custom forms (`$form['#token']`) and validate with Form API utilities.
+- Avoid command execution helpers (`exec`, `shell_exec`, `system`, backticks) unless wrapped with `Symfony\Component\Process\Process` and strict allowlists.
+- Validate and whitelist file paths before calling `file_get_contents`, `file_unmanaged_copy`, or similar helpers.
+- Guard redirects (`->redirect()`, `Url::fromUserInput()`) with destination allowlists via `UrlHelper::isExternal()` or `UrlHelper::externalIsAllowed()`.
 
-  - type: validate
-    conditions:
-      # Check 1: Proper SQL query usage
-      - pattern: "->query\\(['\"][^'\"]*\\?[^'\"]*['\"],\\s*\\[[^\\]]*\\]\\)"
-        message: "Properly using parameterized queries with placeholders."
-      
-      # Check 2: Proper XSS prevention
-      - pattern: "(t\\(|Xss::filter|Html::escape|#plain_text)"
-        message: "Using proper XSS prevention techniques."
-      
-      # Check 3: Proper CSRF protection
-      - pattern: "#token|FormBuilderInterface::TOKEN|drupal_valid_token"
-        message: "Implementing CSRF protection correctly."
-      
-      # Check 4: Safe file operations
-      - pattern: "FileSystem::validatedLocalFileSystem|file_exists\\(\\s*DRUPAL_ROOT"
-        message: "Using safe file operation practices."
+## Recommendations
+- Prefer Drupal's Database API condition builders (`->condition()`, `->where()`) and `Database::getConnection()->select()` for complex queries.
+- Use Twig templates (auto-escaping) rather than printing raw PHP variables.
+- Centralise dangerous operations in services that perform validation and logging.
+- Leverage Symfony's Process component or queue workers for long-running external commands with controlled environments.
+- Add functional tests covering malicious payloads (SQL injection strings, `<script>` tags, command sequences, traversal paths).
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - injection
-    - sql
-    - xss
-    - csrf
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:injection
-    - standard:owasp-top10
-    - risk:a03-injection
-  references:
-    - "https://owasp.org/Top10/A03_2021-Injection/"
-    - "https://www.drupal.org/docs/security-in-drupal/writing-secure-code-for-drupal"
-    - "https://www.drupal.org/docs/8/security/drupal-8-sanitizing-output"
-    - "https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Utility%21Xss.php/class/Xss/9"
-</rule> 
\ No newline at end of file
+## Positive Signals
+- Queries using placeholders with array arguments or EntityQuery builders.
+- Output sanitised with `t()`, `Xss::filter()`, `Html::escape()`, or `#plain_text`.
+- Forms including CSRF tokens and `FormStateInterface::validateToken()` checks.
+- Usage of `UrlHelper::isValid()`, `UrlHelper::externalIsAllowed()`, or destination allowlists in redirect logic.
diff --git a/.cursor/rules/drupal-insecure-design.mdc b/.cursor/rules/drupal-insecure-design.mdc
index 1402dc6..7527d74 100644
--- a/.cursor/rules/drupal-insecure-design.mdc
+++ b/.cursor/rules/drupal-insecure-design.mdc
@@ -7,133 +7,76 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent insecure design vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A04.
 
-<rule>
-name: drupal_insecure_design
-description: Detect and prevent insecure design patterns in Drupal as defined in OWASP Top 10:2021-A04
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme|info\\.yml)$"
-  - type: file_path
-    pattern: "(modules|themes|profiles)/custom"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+- `*.yml`
+- `*.info`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme|info\.yml)$`
+- Paths matching `(modules|themes|profiles)/custom`
+
+## Required Checks
+
+- Permissions should follow Drupal naming patterns (verb + object) and be specific. Avoid overly broad permissions.
+- Consider moving business logic rules to configuration to allow for proper adjustment without code changes.
+- Avoid ad hoc sanitization. Use Drupal's built-in sanitization tools: t(), Xss::filter(), etc.
+- Follow separation of concerns. Move database logic to services or repositories, not in controllers.
+- Avoid unconditional access grants. Implement proper conditional checks based on roles, permissions, or entity ownership.
+- Avoid custom session management. Use Drupal's session handling system and services.
+- Excessive static service calls indicate poor dependency injection. Use proper service injection.
+- Avoid custom authentication. Use Drupal's built-in authentication system and services.
+- Database schemas should enforce data integrity with proper constraints (NOT NULL, length, etc.).
+- Security-related configuration should default to secure settings (opt-in for potentially insecure features).
+
+## Recommendations
+
+**Drupal Secure Design Best Practices:**
+
+1. **Secure Architecture Principles:**
+   - Follow the principle of least privilege for all user roles and permissions
+   - Implement defense in depth with multiple security layers
+   - Use Drupal's entity/field API for structured data instead of custom tables
+   - Employ service-oriented architecture with proper dependency injection
+   - Follow Drupal coding standards to leverage community security expertise
+
+2. **Permission System Design:**
+   - Design granular permissions following the verb+object pattern
+   - Avoid creating omnipotent permissions that grant excessive access
+   - Use context-aware access systems like Entity Access or Node Grants
+   - Consider record-based and field-based access for better control
+   - Document permission architecture and security implications
+
+3. **Module Architecture:**
+   - Separate concerns into appropriate services
+   - Use hooks judiciously and document security implications
+   - Implement proper validation and sanitization layers
+   - Design APIs with security in mind from the start
+   - Provide secure default configurations
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Insecure permission design
-      - pattern: "\\$permissions\\[['\"][^'\"]+['\"]\\]\\s*=\\s*array\\((?![^)]*(administer|manage|edit|delete)[^)]*(content|configuration|users)).*?\\);"
-        message: "Permissions should follow Drupal naming patterns (verb + object) and be specific. Avoid overly broad permissions."
-        
-      # Pattern 2: Hard-coded business logic values
-      - pattern: "if\\s*\\([^\\)]*===?\\s*['\"][a-zA-Z0-9_]+['\"]\\s*\\)"
-        message: "Consider moving business logic rules to configuration to allow for proper adjustment without code changes."
-        
-      # Pattern 3: Ad hoc input sanitization
-      - pattern: "preg_replace|str_replace|strip_tags"
-        message: "Avoid ad hoc sanitization. Use Drupal's built-in sanitization tools: t(), Xss::filter(), etc."
-        
-      # Pattern 4: Database logic in controllers
-      - pattern: "class\\s+[a-zA-Z0-9_]+Controller.+\\{[^}]*->query\\("
-        message: "Follow separation of concerns. Move database logic to services or repositories, not in controllers."
-        
-      # Pattern 5: Weak entity access policy
-      - pattern: "function\\s+[a-zA-Z0-9_]+_entity_access\\([^)]*\\)\\s*\\{[^}]*return\\s+AccessResult::allowed\\(\\);"
-        message: "Avoid unconditional access grants. Implement proper conditional checks based on roles, permissions, or entity ownership."
-        
-      # Pattern 6: Custom session management 
-      - pattern: "session_start|session_set_cookie_params"
-        message: "Avoid custom session management. Use Drupal's session handling system and services."
-        
-      # Pattern 7: Excessive global state dependency
-      - pattern: "(?:\\\\Drupal::[a-zA-Z_]+\\(\\).*){3,}"
-        message: "Excessive static service calls indicate poor dependency injection. Use proper service injection."
-        
-      # Pattern 8: Custom user authentication
-      - pattern: "password_verify\\(|password_hash\\("
-        message: "Avoid custom authentication. Use Drupal's built-in authentication system and services."
-        
-      # Pattern 9: Missing schema definitions
-      - pattern: "function\\s+[a-zA-Z0-9_]+_schema\\(\\)[^{]*\\{[^}]*return\\s+\\$schema;(?![^}]*validate_utf8|[^}]*'not null')"
-        message: "Database schemas should enforce data integrity with proper constraints (NOT NULL, length, etc.)."
-        
-      # Pattern 10: Insecure defaults
-      - pattern: "\\$config\\[['\"](mdc:?!secure_|security_|private_)[^'\"]+['\"]\\]\\s*=\\s*(?:FALSE|0|'0'|\"0\");"
-        message: "Security-related configuration should default to secure settings (opt-in for potentially insecure features)."
+4. **Data Modeling Security:**
+   - Implement appropriate validation constraints on entity fields
+   - Design schema definitions with integrity constraints
+   - Use appropriate field types for sensitive data
+   - Implement field-level access control when needed
+   - Consider encryption for sensitive stored data
 
-  - type: suggest
-    message: |
-      **Drupal Secure Design Best Practices:**
-      
-      1. **Secure Architecture Principles:**
-         - Follow the principle of least privilege for all user roles and permissions
-         - Implement defense in depth with multiple security layers
-         - Use Drupal's entity/field API for structured data instead of custom tables
-         - Employ service-oriented architecture with proper dependency injection
-         - Follow Drupal coding standards to leverage community security expertise
-      
-      2. **Permission System Design:**
-         - Design granular permissions following the verb+object pattern
-         - Avoid creating omnipotent permissions that grant excessive access
-         - Use context-aware access systems like Entity Access or Node Grants
-         - Consider record-based and field-based access for better control
-         - Document permission architecture and security implications
-      
-      3. **Module Architecture:**
-         - Separate concerns into appropriate services
-         - Use hooks judiciously and document security implications
-         - Implement proper validation and sanitization layers
-         - Design APIs with security in mind from the start
-         - Provide secure default configurations
-      
-      4. **Data Modeling Security:**
-         - Implement appropriate validation constraints on entity fields
-         - Design schema definitions with integrity constraints
-         - Use appropriate field types for sensitive data
-         - Implement field-level access control when needed
-         - Consider encryption for sensitive stored data
-      
-      5. **Error Handling and Logging:**
-         - Design contextual error messages (detailed for admins, general for users)
-         - Implement appropriate logging for security events
-         - Avoid exposing sensitive data in error messages
-         - Design fault-tolerant systems that fail securely
-         - Include appropriate transaction management
+5. **Error Handling and Logging:**
+   - Design contextual error messages (detailed for admins, general for users)
+   - Implement appropriate logging for security events
+   - Avoid exposing sensitive data in error messages
+   - Design fault-tolerant systems that fail securely
+   - Include appropriate transaction management
 
-  - type: validate
-    conditions:
-      # Check 1: Proper dependency injection
-      - pattern: "protected\\s+\\$[a-zA-Z0-9_]+;[^}]*public\\s+function\\s+__construct\\([^\\)]*\\)"
-        message: "Using proper dependency injection pattern."
-      
-      # Check 2: Configuration schema usage
-      - pattern: "config\\/schema\\/[a-zA-Z0-9_]+\\.schema\\.yml"
-        message: "Providing configuration schema for validation."
-      
-      # Check 3: Proper permission definition
-      - pattern: "\\$permissions\\[['\"][a-z\\s]+[a-z0-9\\s]+['\"]\\]\\s*=\\s*\\["
-        message: "Following permission naming conventions."
-      
-      # Check 4: Entity access handlers
-      - pattern: "@EntityAccessControl\\(|class\\s+[a-zA-Z0-9_]+AccessControlHandler\\s+extends\\s+"
-        message: "Using dedicated access control handlers for entities."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - design
-    - architecture
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:design
-    - standard:owasp-top10
-    - risk:a04-insecure-design
-  references:
-    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
-    - "https://www.drupal.org/docs/develop/security-in-drupal"
-    - "https://www.drupal.org/docs/8/api/entity-api/access-control-for-entities"
-    - "https://www.drupal.org/docs/8/api/configuration-api/configuration-schemametadata"
-</rule> 
\ No newline at end of file
+- Using proper dependency injection pattern.
+- Providing configuration schema for validation.
+- Following permission naming conventions.
+- Using dedicated access control handlers for entities.
diff --git a/.cursor/rules/drupal-integrity-failures.mdc b/.cursor/rules/drupal-integrity-failures.mdc
index 2af8004..5a18b60 100644
--- a/.cursor/rules/drupal-integrity-failures.mdc
+++ b/.cursor/rules/drupal-integrity-failures.mdc
@@ -7,133 +7,76 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent software and data integrity failures in Drupal applications, as defined in OWASP Top 10:2021-A08.
 
-<rule>
-name: drupal_integrity_failures
-description: Detect and prevent software and data integrity failures in Drupal as defined in OWASP Top 10:2021-A08
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme|yml|json)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+- `*.yml`
+- `*.json`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme|yml|json)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Insecure PHP deserialization detected. Use safer alternatives like JSON for data interchange or implement proper validation before deserialization.
+- Potentially dangerous code execution function detected. Avoid dynamic code execution whenever possible.
+- Dynamic inclusion of files based on user input is dangerous. Use validated, allowlisted paths only.
+- Ensure update hooks validate the integrity of updates and data transformations to prevent unauthorized modifications.
+- Validate configuration before import to ensure integrity and detect potentially malicious changes.
+- Always validate data from remote sources before processing or storing it. Implement integrity checks for remote content.
+- Verify you're using secure Composer practices: validate package signatures, pin dependencies, and use composer.lock.
+- Direct database modifications should implement validation to preserve data integrity. Prefer using entity API.
+- Implement file integrity checking for uploaded or manipulated files to prevent malicious content.
+- Validate all input used to create entity objects to maintain data integrity and prevent creating malicious entities.
+
+## Recommendations
+
+**Drupal Data & Software Integrity Best Practices:**
+
+1. **Secure Deserialization:**
+   - Avoid PHP's unserialize() with untrusted data entirely
+   - Use JSON or other structured formats for data interchange
+   - When deserialization is necessary, implement allowlists and validation
+   - Consider using Drupal's typed data API for structured data handling
+   - Avoid serializing sensitive data that could be tampered with
+
+2. **Update & Configuration Integrity:**
+   - Validate data before and after migrations/updates
+   - Implement checksums/hashing for critical configuration
+   - Use Drupal's Configuration Management system properly
+   - Monitor configuration changes for unauthorized modifications
+   - Implement proper workflow for configuration management
+
+3. **Dependency & Plugin Security:**
+   - Verify the integrity of downloaded modules and themes
+   - Use Composer with package signature verification
+   - Pin dependencies to specific versions in production
+   - Maintain awareness of security advisories
+   - Implement proper validation for plugin/module loading
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Insecure deserialization
-      - pattern: "unserialize\\(\\$|unserialize\\([^,]+\\$|php_unserialize\\(\\$"
-        message: "Insecure PHP deserialization detected. Use safer alternatives like JSON for data interchange or implement proper validation before deserialization."
-        
-      # Pattern 2: Unsafe use of eval or similar functions
-      - pattern: "eval\\(|assert\\(|create_function\\("
-        message: "Potentially dangerous code execution function detected. Avoid dynamic code execution whenever possible."
-        
-      # Pattern 3: Insecure plugin/module loading
-      - pattern: "module_load_include\\(\\$|require(_once)?\\s*\\(\\s*\\$|include(_once)?\\s*\\(\\s*\\$"
-        message: "Dynamic inclusion of files based on user input is dangerous. Use validated, allowlisted paths only."
-        
-      # Pattern 4: Missing update verification
-      - pattern: "update\\.settings\\.yml|function [a-zA-Z0-9_]+_update_[0-9]+\\(\\)"
-        message: "Ensure update hooks validate the integrity of updates and data transformations to prevent unauthorized modifications."
-        
-      # Pattern 5: Unsafe configuration imports
-      - pattern: "ConfigImporter|\\$config_importer|config_import|cmci"
-        message: "Validate configuration before import to ensure integrity and detect potentially malicious changes."
-        
-      # Pattern 6: Unchecked remote data
-      - pattern: "drupal_http_request\\(|\\\\Drupal::httpClient\\(\\)->get\\(|curl_exec\\("
-        message: "Always validate data from remote sources before processing or storing it. Implement integrity checks for remote content."
-        
-      # Pattern 7: Insecure Composer usage
-      - pattern: "composer\\.json"
-        message: "Verify you're using secure Composer practices: validate package signatures, pin dependencies, and use composer.lock."
-        
-      # Pattern 8: Direct database modifications
-      - pattern: "INSERT\\s+INTO|UPDATE\\s+[a-zA-Z0-9_]+\\s+SET|db_update\\(|->update\\(|->insert\\("
-        message: "Direct database modifications should implement validation to preserve data integrity. Prefer using entity API."
-        
-      # Pattern 9: Missing file integrity verification
-      - pattern: "file_save_data\\(|file_save_upload\\(|file_copy\\(|file_move\\("
-        message: "Implement file integrity checking for uploaded or manipulated files to prevent malicious content."
-        
-      # Pattern 10: Unsafe entity creation
-      - pattern: "\\$entity\\s*=\\s*new\\s+[A-Za-z]+\\(|::create\\(\\$"
-        message: "Validate all input used to create entity objects to maintain data integrity and prevent creating malicious entities."
+4. **CI/CD Pipeline Security:**
+   - Sign build artifacts
+   - Verify signatures during deployment
+   - Implement proper secrets management
+   - Control access to build and deployment systems
+   - Validate code changes through code reviews
 
-  - type: suggest
-    message: |
-      **Drupal Data & Software Integrity Best Practices:**
-      
-      1. **Secure Deserialization:**
-         - Avoid PHP's unserialize() with untrusted data entirely
-         - Use JSON or other structured formats for data interchange
-         - When deserialization is necessary, implement allowlists and validation
-         - Consider using Drupal's typed data API for structured data handling
-         - Avoid serializing sensitive data that could be tampered with
-      
-      2. **Update & Configuration Integrity:**
-         - Validate data before and after migrations/updates
-         - Implement checksums/hashing for critical configuration
-         - Use Drupal's Configuration Management system properly
-         - Monitor configuration changes for unauthorized modifications
-         - Implement proper workflow for configuration management
-      
-      3. **Dependency & Plugin Security:**
-         - Verify the integrity of downloaded modules and themes
-         - Use Composer with package signature verification
-         - Pin dependencies to specific versions in production
-         - Maintain awareness of security advisories
-         - Implement proper validation for plugin/module loading
-      
-      4. **CI/CD Pipeline Security:**
-         - Sign build artifacts
-         - Verify signatures during deployment
-         - Implement proper secrets management
-         - Control access to build and deployment systems
-         - Validate code changes through code reviews
-      
-      5. **Data Integrity Validation:**
-         - Use database constraints to enforce data integrity
-         - Implement validation at every layer of the application
-         - Add integrity checks for critical data flows
-         - Maintain audit logs for data modifications
-         - Regularly verify data consistency
+5. **Data Integrity Validation:**
+   - Use database constraints to enforce data integrity
+   - Implement validation at every layer of the application
+   - Add integrity checks for critical data flows
+   - Maintain audit logs for data modifications
+   - Regularly verify data consistency
 
-  - type: validate
-    conditions:
-      # Check 1: Secure serialization alternatives
-      - pattern: "json_encode|json_decode|\\\\Drupal::service\\('serialization\\.|->toArray\\(\\)"
-        message: "Using safer serialization alternatives."
-      
-      # Check 2: Proper entity validation
-      - pattern: "\\$entity->validate\\(\\)|\\$violations\\s*=\\s*\\$entity->validate\\(\\)"
-        message: "Properly validating entity data."
-      
-      # Check 3: Config verification
-      - pattern: "::validateSyncedConfig\\(|ConfigImporter::validate|->getUnprocessedConfiguration\\(\\)"
-        message: "Implementing configuration validation."
-      
-      # Check 4: Safe file handling
-      - pattern: "file_validate_|FileValidatorInterface|\\$validators"
-        message: "Using file validation mechanisms."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - integrity
-    - deserialization
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:integrity
-    - standard:owasp-top10
-    - risk:a08-integrity-failures
-  references:
-    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
-    - "https://www.drupal.org/docs/develop/security-in-drupal/drupal-8-sanitizing-output"
-    - "https://www.drupal.org/docs/8/api/configuration-api/configuration-api-overview"
-    - "https://www.drupal.org/docs/develop/using-composer"
-</rule> 
\ No newline at end of file
+- Using safer serialization alternatives.
+- Properly validating entity data.
+- Implementing configuration validation.
+- Using file validation mechanisms.
diff --git a/.cursor/rules/drupal-logging-failures.mdc b/.cursor/rules/drupal-logging-failures.mdc
index 6ce9692..eb2b0fe 100644
--- a/.cursor/rules/drupal-logging-failures.mdc
+++ b/.cursor/rules/drupal-logging-failures.mdc
@@ -7,135 +7,77 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent logging and monitoring failures in Drupal applications, as defined in OWASP Top 10:2021-A09.
 
-<rule>
-name: drupal_logging_failures
-description: Detect and prevent security logging and monitoring failures in Drupal as defined in OWASP Top 10:2021-A09
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme|yml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+- `*.yml`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme|yml)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Critical operations should include logging. Implement proper logging for security-relevant actions.
+- Avoid suppressing errors and warnings. Implement proper error handling and logging instead.
+- Exceptions should be properly logged, especially in security-critical sections.
+- Ensure logging is properly configured and not disabled. Verify log verbosity and retention policies.
+- Authentication events should always be logged for security monitoring and auditing.
+- Consider logging significant access control decisions, especially denials, for security monitoring.
+- File operations should be logged, especially for security-sensitive files.
+- Log messages should include sufficient context and detail for effective security monitoring.
+- Configuration changes should be logged to maintain an audit trail and detect unauthorized changes.
+- API endpoint access should be logged for security monitoring, especially for sensitive operations.
+
+## Recommendations
+
+**Drupal Security Logging & Monitoring Best Practices:**
+
+1. **Comprehensive Logging Implementation:**
+   - Use Drupal's Logger Factory service: `\Drupal::logger('module_name')`
+   - Implement proper log levels: emergency, alert, critical, error, warning, notice, info, debug
+   - Include context in log messages with relevant identifiers and information
+   - Log security-relevant events consistently across the application
+   - Structure log messages to facilitate automated analysis
+
+2. **Critical Events to Log:**
+   - Authentication events (login attempts, failures, logouts)
+   - Access control decisions (particularly denials)
+   - All administrative actions
+   - Data modification operations on sensitive information
+   - Configuration and settings changes
+   - File operations (uploads, downloads of sensitive content)
+   - API access and usage
+
+3. **Logging Configuration:**
+   - Configure appropriate log retention periods based on security requirements
+   - Implement log rotation to maintain performance
+   - Consider using syslog for centralized logging
+   - Protect log files from unauthorized access and modification
+   - Configure appropriate verbosity for different environments
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing critical event logging
-      - pattern: "(delete|update|create|execute|grant|revoke|config|schema).*function[^}]*\\{(?![^}]*(log|watchdog|logger))"
-        message: "Critical operations should include logging. Implement proper logging for security-relevant actions."
-        
-      # Pattern 2: Suppressed error logging
-      - pattern: "@include|@require|@eval|error_reporting\\(0\\)|ini_set\\(['\"](mdc:display_errors|log_errors)['\"],\\s*['\"]0['\"]\\)"
-        message: "Avoid suppressing errors and warnings. Implement proper error handling and logging instead."
-        
-      # Pattern 3: Improper exception handling without logging
-      - pattern: "catch\\s*\\([^{]*\\)\\s*\\{(?![^}]*log|[^}]*watchdog|[^}]*logger)"
-        message: "Exceptions should be properly logged, especially in security-critical sections."
-        
-      # Pattern 4: Disabled watchdog
-      - pattern: "dblog\\.settings\\.yml|syslog\\.settings\\.yml|logging\\.settings\\.yml"
-        message: "Ensure logging is properly configured and not disabled. Verify log verbosity and retention policies."
-        
-      # Pattern 5: Missing authentication event logging
-      - pattern: "(login|authenticate|logout|password).*function[^}]*\\{(?![^}]*(log|watchdog|logger))"
-        message: "Authentication events should always be logged for security monitoring and auditing."
-        
-      # Pattern 6: Failure to log access control decisions
-      - pattern: "AccessResult::(allowed|forbidden|neutral)\\([^)]*\\)(?![^;]*(log|watchdog|logger))"
-        message: "Consider logging significant access control decisions, especially denials, for security monitoring."
-        
-      # Pattern 7: Missing logging in file operations
-      - pattern: "(file_save|file_delete|file_move|file_copy)[^;]*;(?![^;]*(log|watchdog|logger))"
-        message: "File operations should be logged, especially for security-sensitive files."
-        
-      # Pattern 8: Insufficient detail in log messages
-      - pattern: "(\\->log|watchdog)\\([^,)]*,[^,)]*\\)"
-        message: "Log messages should include sufficient context and detail for effective security monitoring."
-        
-      # Pattern 9: Failure to log configuration changes
-      - pattern: "\\$config->set\\([^;]*;(?![^;]*(log|watchdog|logger))"
-        message: "Configuration changes should be logged to maintain an audit trail and detect unauthorized changes."
-        
-      # Pattern 10: Missing logs for API access
-      - pattern: "class\\s+[a-zA-Z0-9_]+Resource.+\\{[^}]*function\\s+[a-zA-Z0-9_]+\\([^{]*\\)\\s*\\{(?![^}]*(log|watchdog|logger))"
-        message: "API endpoint access should be logged for security monitoring, especially for sensitive operations."
+4. **Monitoring Implementation:**
+   - Define security-relevant log patterns to monitor
+   - Implement log aggregation and analysis
+   - Set up alerts for suspicious activity patterns
+   - Establish response procedures for security events
+   - Consider integration with SIEM solutions
 
-  - type: suggest
-    message: |
-      **Drupal Security Logging & Monitoring Best Practices:**
-      
-      1. **Comprehensive Logging Implementation:**
-         - Use Drupal's Logger Factory service: `\Drupal::logger('module_name')`
-         - Implement proper log levels: emergency, alert, critical, error, warning, notice, info, debug
-         - Include context in log messages with relevant identifiers and information
-         - Log security-relevant events consistently across the application
-         - Structure log messages to facilitate automated analysis
-      
-      2. **Critical Events to Log:**
-         - Authentication events (login attempts, failures, logouts)
-         - Access control decisions (particularly denials)
-         - All administrative actions
-         - Data modification operations on sensitive information
-         - Configuration and settings changes
-         - File operations (uploads, downloads of sensitive content)
-         - API access and usage
-      
-      3. **Logging Configuration:**
-         - Configure appropriate log retention periods based on security requirements
-         - Implement log rotation to maintain performance
-         - Consider using syslog for centralized logging
-         - Protect log files from unauthorized access and modification
-         - Configure appropriate verbosity for different environments
-      
-      4. **Monitoring Implementation:**
-         - Define security-relevant log patterns to monitor
-         - Implement log aggregation and analysis
-         - Set up alerts for suspicious activity patterns
-         - Establish response procedures for security events
-         - Consider integration with SIEM solutions
-      
-      5. **Error Handling:**
-         - Log exceptions with appropriate error levels
-         - Include stack traces in development but not production
-         - Implement custom error handlers that ensure proper logging
-         - Avoid suppressing errors that might indicate security issues
-         - Monitor for patterns in error logs that could indicate attacks
+5. **Error Handling:**
+   - Log exceptions with appropriate error levels
+   - Include stack traces in development but not production
+   - Implement custom error handlers that ensure proper logging
+   - Avoid suppressing errors that might indicate security issues
+   - Monitor for patterns in error logs that could indicate attacks
 
-  - type: validate
-    conditions:
-      # Check 1: Proper logger usage
-      - pattern: "\\\\Drupal::logger\\([^)]+\\)->\\w+\\(|\\$this->logger->\\w+\\("
-        message: "Using Drupal's logger service correctly."
-      
-      # Check 2: Context in log messages
-      - pattern: "->\\w+\\([^,]+,\\s*[^,]+,\\s*\\["
-        message: "Including context information in log messages."
-      
-      # Check 3: Logging configuration
-      - pattern: "dblog\\.settings|syslog\\.settings|logging\\.yml"
-        message: "Configuring logging appropriately."
-      
-      # Check 4: Exception logging
-      - pattern: "catch[^{]*\\{[^}]*logger|catch[^{]*\\{[^}]*watchdog|catch[^{]*\\{[^}]*log"
-        message: "Properly logging exceptions."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - logging
-    - monitoring
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:logging
-    - standard:owasp-top10
-    - risk:a09-logging-monitoring
-  references:
-    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
-    - "https://www.drupal.org/docs/8/api/logging-api/overview"
-    - "https://www.drupal.org/docs/develop/security-in-drupal/writing-secure-code-for-drupal"
-    - "https://www.drupal.org/docs/8/modules/syslog"
-</rule> 
\ No newline at end of file
+- Using Drupal's logger service correctly.
+- Including context information in log messages.
+- Configuring logging appropriately.
+- Properly logging exceptions.
diff --git a/.cursor/rules/drupal-security-misconfiguration.mdc b/.cursor/rules/drupal-security-misconfiguration.mdc
index a51b6e8..9ff9e69 100644
--- a/.cursor/rules/drupal-security-misconfiguration.mdc
+++ b/.cursor/rules/drupal-security-misconfiguration.mdc
@@ -7,128 +7,71 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent misconfiguration vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A05.
 
-<rule>
-name: drupal_security_misconfiguration
-description: Detect and prevent security misconfigurations in Drupal as defined in OWASP Top 10:2021-A05
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme|yml|info\\.yml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+- `*.yml`
+- `*.info`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme|yml|info\.yml)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Development settings detected in production code. Ensure these settings are only enabled in development environments.
+- Verify that $settings['trusted_host_patterns'] is properly configured to prevent HTTP Host header attacks.
+- Error display should be disabled in production. Use 'hide' for error_level in production.
+- Excessively permissive file permissions detected. Use more restrictive permissions.
+- Ensure Content-Security-Policy headers are properly configured to prevent XSS attacks.
+- Session cookies should be secure and HTTP-only in production environments.
+- Ensure $settings['file_private_path'] is properly configured for storing sensitive files.
+- Check for development modules (devel, webprofiler, etc.) that should not be enabled in production.
+- Remove or secure default/demo content and users in production environments.
+- Verify X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Referrer-Policy headers are properly configured.
+
+## Recommendations
+
+**Drupal Security Configuration Best Practices:**
+
+1. **Environment-Specific Configurations:**
+   - Use `settings.local.php` for environment-specific settings
+   - Maintain separate development, staging, and production configurations
+   - Never enable development settings in production: update_free_access, rebuild_access, etc.
+   - Use environment variables or secrets management for sensitive information
+
+2. **Essential Security Settings:**
+   - Configure trusted_host_patterns to prevent HTTP Host header attacks
+   - Set secure file permissions (e.g., 0755 for directories, 0644 for files)
+   - Configure private file path for sensitive uploads
+   - Set file_scan_ignore_directories to prevent public access to sensitive directories
+   - Implement secure session cookie settings (HTTPOnly, Secure, SameSite)
+
+3. **Error Handling:**
+   - Disable verbose error reporting in production with $config['system.logging']['error_level'] = 'hide'
+   - Configure custom error pages that don't leak system information
+   - Implement appropriate logging without exposing sensitive data
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Development settings in production code
-      - pattern: "\\$settings\\['update_free_access'\\]\\s*=\\s*TRUE|\\$settings\\['cache'\\]\\s*=\\s*FALSE|\\$settings\\['rebuild_access'\\]\\s*=\\s*TRUE|\\$config\\['system\\.performance'\\]\\['cache'\\]\\s*=\\s*FALSE"
-        message: "Development settings detected in production code. Ensure these settings are only enabled in development environments."
-        
-      # Pattern 2: Missing or weak trusted host patterns
-      - pattern: "settings\\.php|settings\\.local\\.php"
-        message: "Verify that $settings['trusted_host_patterns'] is properly configured to prevent HTTP Host header attacks."
-        
-      # Pattern 3: Debugging/error display enabled
-      - pattern: "\\$config\\['system\\.logging'\\]\\['error_level'\\]\\s*=\\s*'verbose'|ini_set\\('display_errors'\\s*,\\s*'1'\\)|error_reporting\\(E_ALL\\)"
-        message: "Error display should be disabled in production. Use 'hide' for error_level in production."
-        
-      # Pattern 4: Insecure file permissions settings
-      - pattern: "\\$settings\\['file_chmod_directory'\\]\\s*=\\s*0777|\\$settings\\['file_chmod_file'\\]\\s*=\\s*0666"
-        message: "Excessively permissive file permissions detected. Use more restrictive permissions."
-        
-      # Pattern 5: Disabled or misconfigured CSP headers
-      - pattern: "\\.htaccess|sites/default/default\\.settings\\.php"
-        message: "Ensure Content-Security-Policy headers are properly configured to prevent XSS attacks."
-        
-      # Pattern 6: Insecure session cookie settings
-      - pattern: "session\\.cookie_secure\\s*=\\s*0|session\\.cookie_httponly\\s*=\\s*0|\\$settings\\['cookie_secure_only'\\]\\s*=\\s*FALSE"
-        message: "Session cookies should be secure and HTTP-only in production environments."
-        
-      # Pattern 7: Missing or misconfigured private file path
-      - pattern: "settings\\.php"
-        message: "Ensure $settings['file_private_path'] is properly configured for storing sensitive files."
-        
-      # Pattern 8: Development modules enabled in production
-      - pattern: "core\\.extension\\.yml"
-        message: "Check for development modules (devel, webprofiler, etc.) that should not be enabled in production."
-        
-      # Pattern 9: Default or demo content in production
-      - pattern: "function\\s+[a-zA-Z0-9_]+_install\\(\\)"
-        message: "Remove or secure default/demo content and users in production environments."
-        
-      # Pattern 10: Missing or misconfigured security headers
-      - pattern: "\\.htaccess|nginx\\.conf"
-        message: "Verify X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Referrer-Policy headers are properly configured."
+4. **Security Headers:**
+   - Set Content-Security-Policy to restrict resource origins
+   - Configure X-Frame-Options to prevent clickjacking
+   - Enable X-Content-Type-Options to prevent MIME-type sniffing
+   - Set Referrer-Policy to control information in HTTP referers
 
-  - type: suggest
-    message: |
-      **Drupal Security Configuration Best Practices:**
-      
-      1. **Environment-Specific Configurations:**
-         - Use `settings.local.php` for environment-specific settings
-         - Maintain separate development, staging, and production configurations
-         - Never enable development settings in production: update_free_access, rebuild_access, etc.
-         - Use environment variables or secrets management for sensitive information
-      
-      2. **Essential Security Settings:**
-         - Configure trusted_host_patterns to prevent HTTP Host header attacks
-         - Set secure file permissions (e.g., 0755 for directories, 0644 for files)
-         - Configure private file path for sensitive uploads
-         - Set file_scan_ignore_directories to prevent public access to sensitive directories
-         - Implement secure session cookie settings (HTTPOnly, Secure, SameSite)
-      
-      3. **Error Handling:**
-         - Disable verbose error reporting in production with $config['system.logging']['error_level'] = 'hide'
-         - Configure custom error pages that don't leak system information
-         - Implement appropriate logging without exposing sensitive data
-      
-      4. **Security Headers:**
-         - Set Content-Security-Policy to restrict resource origins
-         - Configure X-Frame-Options to prevent clickjacking
-         - Enable X-Content-Type-Options to prevent MIME-type sniffing
-         - Set Referrer-Policy to control information in HTTP referers
-      
-      5. **Module & Extension Security:**
-         - Disable and uninstall unnecessary modules in production
-         - Keep core and contributed modules updated
-         - Remove development modules from production (devel, webprofiler, etc.)
-         - Implement proper configuration management workflows
+5. **Module & Extension Security:**
+   - Disable and uninstall unnecessary modules in production
+   - Keep core and contributed modules updated
+   - Remove development modules from production (devel, webprofiler, etc.)
+   - Implement proper configuration management workflows
 
-  - type: validate
-    conditions:
-      # Check 1: Proper trusted host patterns
-      - pattern: "\\$settings\\['trusted_host_patterns'\\]\\s*=\\s*\\[\\s*['\"][^\"']+['\"]"
-        message: "Trusted host patterns are properly configured."
-      
-      # Check 2: Secure session cookie settings
-      - pattern: "\\$settings\\['cookie_secure_only'\\]\\s*=\\s*TRUE|session\\.cookie_secure\\s*=\\s*1"
-        message: "Secure cookie settings are properly configured."
-      
-      # Check 3: Private file path configuration
-      - pattern: "\\$settings\\['file_private_path'\\]\\s*=\\s*(\"|')[^\"']+(\"|')"
-        message: "Private file path is configured for sensitive files."
-      
-      # Check 4: Production error settings
-      - pattern: "\\$config\\['system\\.logging'\\]\\['error_level'\\]\\s*=\\s*'hide'"
-        message: "Error reporting is properly configured for production."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - configuration
-    - misconfiguration
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:configuration
-    - standard:owasp-top10
-    - risk:a05-misconfiguration
-  references:
-    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
-    - "https://www.drupal.org/docs/security-in-drupal/securing-your-site"
-    - "https://www.drupal.org/docs/security-in-drupal/drupal-security-best-practices"
-    - "https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8"
-</rule> 
\ No newline at end of file
+- Trusted host patterns are properly configured.
+- Secure cookie settings are properly configured.
+- Private file path is configured for sensitive files.
+- Error reporting is properly configured for production.
diff --git a/.cursor/rules/drupal-ssrf.mdc b/.cursor/rules/drupal-ssrf.mdc
index c48453d..ead6268 100644
--- a/.cursor/rules/drupal-ssrf.mdc
+++ b/.cursor/rules/drupal-ssrf.mdc
@@ -7,130 +7,71 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent Server-Side Request Forgery (SSRF) vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A10.
 
-<rule>
-name: drupal_ssrf
-description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in Drupal applications as defined in OWASP Top 10:2021-A10
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|theme)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.inc`
+- `*.module`
+- `*.install`
+- `*.theme`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|theme)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Potential SSRF vulnerability: URL constructed with user input. Validate and sanitize user-supplied URL parameters before making requests.
+- Validate and restrict URLs before making HTTP requests with Guzzle to prevent SSRF attacks.
+- HTTP requests should validate URLs with \Drupal\Component\Utility\UrlHelper::isValid() before execution to prevent SSRF.
+- Potential SSRF vulnerability: URL being constructed with variable concatenation. Use URL validation and allowlisting.
+- Avoid using PHP wrappers with file operations that could lead to SSRF vulnerabilities.
+- Bypassing proxy settings can lead to SSRF vulnerabilities. Maintain proper proxy configurations.
+- XML processing without disabling external entities can lead to XXE and SSRF. Use libxml_disable_entity_loader(true).
+- Hardcoded internal IP addresses or localhost may facilitate SSRF attacks if exposed to user manipulation.
+- Always validate URLs with UrlHelper::isValid() before making HTTP requests with Drupal's HTTP client.
+- Potential SSRF vulnerability: Restrict allowed ports for outbound HTTP requests to prevent service probing.
+
+## Recommendations
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Unsafe URL construction with user input
-      - pattern: "(file_get_contents|fopen|curl_exec|drupal_http_request|\\$client->request|\\$client->get|Drupal::httpClient\\(\\)->get)\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)[^)]*\\)"
-        message: "Potential SSRF vulnerability: URL constructed with user input. Validate and sanitize user-supplied URL parameters before making requests."
-        
-      # Pattern 2: Unsafe Guzzle HTTP client usage
-      - pattern: "GuzzleHttp\\\\Client[^;]*;[^;]*->request\\s*\\([^;]*\\$[^;]*"
-        message: "Validate and restrict URLs before making HTTP requests with Guzzle to prevent SSRF attacks."
-        
-      # Pattern 3: Missing URL validation before making HTTP requests
-      - pattern: "(Http(Client|Request)|curl_exec|file_get_contents)\\s*\\([^)]*(http|\\$[a-zA-Z0-9_]+)[^)]*\\)[^;]*;(?![^;]*(valid|check|sanitize|UrlHelper))"
-        message: "HTTP requests should validate URLs with \\Drupal\\Component\\Utility\\UrlHelper::isValid() before execution to prevent SSRF."
-        
-      # Pattern 4: Unsafe URL construction with variable input
-      - pattern: "(https?:?//|www\\.)\\s*\\.\\s*\\$[a-zA-Z0-9_]+"
-        message: "Potential SSRF vulnerability: URL being constructed with variable concatenation. Use URL validation and allowlisting."
-        
-      # Pattern 5: Using file system wrappers which can lead to SSRF
-      - pattern: "file_get_contents\\([\"'](mdc:?:http|https|ftp|php|data|expect|zip|phar)://"
-        message: "Avoid using PHP wrappers with file operations that could lead to SSRF vulnerabilities."
-        
-      # Pattern 6: Bypassing local proxy settings
-      - pattern: "CURLOPT_PROXY[^;]*none|CURLOPT_PROXY[^;]*null"
-        message: "Bypassing proxy settings can lead to SSRF vulnerabilities. Maintain proper proxy configurations."
-        
-      # Pattern 7: Unsafe processing of XML with external entities
-      - pattern: "simplexml_load_|DOMDocument|SimpleXMLElement|xml_parse"
-        message: "XML processing without disabling external entities can lead to XXE and SSRF. Use libxml_disable_entity_loader(true)."
-        
-      # Pattern 8: Accessing or using internal network IPs
-      - pattern: "(127\\.0\\.0\\.1|10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|172\\.(1[6-9]|2[0-9]|3[0-1])\\.[0-9]{1,3}\\.[0-9]{1,3}|192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}|169\\.254\\.[0-9]{1,3}\\.[0-9]{1,3}|localhost)"
-        message: "Hardcoded internal IP addresses or localhost may facilitate SSRF attacks if exposed to user manipulation."
-        
-      # Pattern 9: Custom Drupal HTTP client usage without validation
-      - pattern: "\\\\Drupal::httpClient\\(\\)(?!.*[^;]*UrlHelper::isValid)"
-        message: "Always validate URLs with UrlHelper::isValid() before making HTTP requests with Drupal's HTTP client."
-        
-      # Pattern 10: Allowing unrestricted ports in HTTP requests
-      - pattern: "curl_setopt\\([^,]+,\\s*CURLOPT_PORT,\\s*\\$[a-zA-Z0-9_]+"
-        message: "Potential SSRF vulnerability: Restrict allowed ports for outbound HTTP requests to prevent service probing."
+**Drupal SSRF Prevention Best Practices:**
 
-  - type: suggest
-    message: |
-      **Drupal SSRF Prevention Best Practices:**
-      
-      1. **Input Validation for URLs:**
-         - Always validate any user-supplied URL or URL components
-         - Use `\Drupal\Component\Utility\UrlHelper::isValid()` to validate URLs
-         - Implement allowlists rather than blocklists for domains/IPs
-         - Parse URLs and validate each component (protocol, domain, port, path)
-         
-      2. **Network-Level Controls:**
-         - Implement network-level access controls for internal services
-         - Use application firewalls to restrict outbound connections
-         - Configure proxies to control and monitor outbound requests
-         - Segment sensitive internal services from public-facing applications
-         
-      3. **Request Handling:**
-         - Avoid passing raw user input to HTTP clients
-         - Set reasonable timeouts for all HTTP requests
-         - Disable HTTP redirects or limit redirect chains
-         - Validate response types match expected formats
-         - Use dedicated service accounts with minimal privileges for API calls
-         
-      4. **Drupal-Specific Controls:**
-         - Utilize Drupal's built-in UrlHelper class for URL validation
-         - Configure Guzzle HTTP client with appropriate security options
-         - Consider using middleware to enforce URL validation
-         - Use Drupal's logging system to record suspicious outbound requests
-         - Implement specific content security policies
-         
-      5. **Authentication and Access Controls:**
-         - Implement proper authentication for internal service calls
-         - Use context-specific API tokens with limited privileges
-         - Avoid exposing service credentials in code or configurations
-         - Implement rate limiting for outbound requests
+1. **Input Validation for URLs:**
+   - Always validate any user-supplied URL or URL components
+   - Use `\Drupal\Component\Utility\UrlHelper::isValid()` to validate URLs
+   - Implement allowlists rather than blocklists for domains/IPs
+   - Parse URLs and validate each component (protocol, domain, port, path)
+   
+2. **Network-Level Controls:**
+   - Implement network-level access controls for internal services
+   - Use application firewalls to restrict outbound connections
+   - Configure proxies to control and monitor outbound requests
+   - Segment sensitive internal services from public-facing applications
+   
+3. **Request Handling:**
+   - Avoid passing raw user input to HTTP clients
+   - Set reasonable timeouts for all HTTP requests
+   - Disable HTTP redirects or limit redirect chains
+   - Validate response types match expected formats
+   - Use dedicated service accounts with minimal privileges for API calls
+   
+4. **Drupal-Specific Controls:**
+   - Utilize Drupal's built-in UrlHelper class for URL validation
+   - Configure Guzzle HTTP client with appropriate security options
+   - Consider using middleware to enforce URL validation
+   - Use Drupal's logging system to record suspicious outbound requests
+   - Implement specific content security policies
+   
+5. **Authentication and Access Controls:**
+   - Implement proper authentication for internal service calls
+   - Use context-specific API tokens with limited privileges
+   - Avoid exposing service credentials in code or configurations
+   - Implement rate limiting for outbound requests
 
-  - type: validate
-    conditions:
-      # Check 1: Proper URL validation
-      - pattern: "UrlHelper::isValid\\([^)]+\\)"
-        message: "Using proper URL validation with UrlHelper."
-      
-      # Check 2: Allowlisting domains
-      - pattern: "array_intersect|in_array|allowlist|whitelist"
-        message: "Implementing domain/URL allowlisting for outbound requests."
-      
-      # Check 3: Safe XML processing
-      - pattern: "libxml_disable_entity_loader\\(true\\)"
-        message: "Properly disabling XML external entities."
-      
-      # Check 4: Using Drupal's HTTP client safely
-      - pattern: "\\\\Drupal::httpClient\\(\\)[^;]*\\$options"
-        message: "Using Drupal's HTTP client with explicit options."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - ssrf
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:ssrf
-    - standard:owasp-top10
-    - risk:a10-ssrf
-  references:
-    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
-    - "https://cwe.mitre.org/data/definitions/918.html"
-    - "https://www.drupal.org/docs/develop/security-in-drupal/writing-secure-code-for-drupal"
-    - "https://portswigger.net/web-security/ssrf"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
-</rule> 
+- Using proper URL validation with UrlHelper.
+- Implementing domain/URL allowlisting for outbound requests.
+- Properly disabling XML external entities.
+- Using Drupal's HTTP client with explicit options.
diff --git a/.cursor/rules/drupal-vulnerable-components.mdc b/.cursor/rules/drupal-vulnerable-components.mdc
index 96975a7..24aa929 100644
--- a/.cursor/rules/drupal-vulnerable-components.mdc
+++ b/.cursor/rules/drupal-vulnerable-components.mdc
@@ -7,133 +7,76 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent vulnerabilities related to outdated or vulnerable components in Drupal applications, as defined in OWASP Top 10:2021-A06.
 
-<rule>
-name: drupal_vulnerable_components
-description: Detect and prevent vulnerabilities related to outdated or vulnerable components in Drupal as defined in OWASP Top 10:2021-A06
-filters:
-  - type: file_extension
-    pattern: "\\.(php|inc|module|install|info\\.yml|json)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.install`
+- `*.module`
+- `*.inc`
+- `*.theme`
+- `*.yml`
+- `*.info`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|inc|module|install|info\.yml|json)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Potentially outdated Drupal core version detected. Consider upgrading to the latest secure version of Drupal 9 or 10.
+- Deprecated function detected. Use modern replacements to ensure compatibility and security updates.
+- Potentially vulnerable JavaScript library version detected. Update to the latest secure version.
+- External scripts or stylesheets without Subresource Integrity (SRI) checks detected. Add integrity and crossorigin attributes.
+- Potentially vulnerable or deprecated module detected. Consider using more secure alternatives.
+- Hard-coded specific version detected in composer.json. Consider using version ranges to receive security updates.
+- Deprecated or insecure PHP function detected. Use modern alternatives for better security.
+- Ensure your module specifies core_version_requirement to prevent installation on unsupported Drupal versions.
+- Consider adding drupal/core-security-advisories as a dev dependency to detect known vulnerable packages.
+- Legacy text sanitization function detected. Use Html::escape() or Xss::filter() instead.
+
+## Recommendations
+
+**Drupal Component Security Best Practices:**
+
+1. **Update Management:**
+   - Keep Drupal core updated to the latest secure version
+   - Subscribe to the Drupal Security Newsletter
+   - Implement a regular update schedule (monthly at minimum)
+   - Use security advisories checking in your development workflow
+   - Implement Composer's security-advisories metadata
+
+2. **Dependency Management:**
+   - Use Composer for managing all dependencies
+   - Specify version constraints that allow security updates
+   - Add drupal/core-security-advisories as a dev dependency
+   - Regularly run `composer update --with-dependencies`
+   - Use `composer outdated` to identify outdated packages
+
+3. **API Usage:**
+   - Use modern Drupal APIs rather than deprecated functions
+   - Migrate away from jQuery to modern JavaScript where possible
+   - Implement Subresource Integrity (SRI) for external resources
+   - Update custom code to use current best practices
+   - Follow the Drupal API deprecation policies
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Outdated Drupal core version declaration
-      - pattern: "core:\\s*('|\")8\\.[0-6](mdc:'|\")|core_version_requirement:\\s*('|\")[^9].+('|\")"
-        message: "Potentially outdated Drupal core version detected. Consider upgrading to the latest secure version of Drupal 9 or 10."
-        
-      # Pattern 2: Usage of deprecated functions
-      - pattern: "drupal_set_message\\(|format_date\\(|drupal_render\\(|entity_load\\(|variable_get\\(|variable_set\\("
-        message: "Deprecated function detected. Use modern replacements to ensure compatibility and security updates."
-        
-      # Pattern 3: Known vulnerable libraries referenced
-      - pattern: "jquery\\.min\\.js\\?v=1\\.|jquery-1\\.|jquery-2\\.|ckeditor/|tinymce/|angular\\.js@1\\."
-        message: "Potentially vulnerable JavaScript library version detected. Update to the latest secure version."
-        
-      # Pattern 4: Direct inclusion of external scripts without SRI
-      - pattern: "<script\\s+src=['\"]http|<script\\s+src=['\"]//|<link\\s+[^>]*href=['\"]http"
-        message: "External scripts or stylesheets without Subresource Integrity (SRI) checks detected. Add integrity and crossorigin attributes."
-        
-      # Pattern 5: Use of obsolete or removed modules
-      - pattern: "module:\\s*('[^']*captcha'|'recaptcha'|'xmlrpc'|'openid'|'php')"
-        message: "Potentially vulnerable or deprecated module detected. Consider using more secure alternatives."
-        
-      # Pattern 6: Hard-coded versions in composer.json
-      - pattern: "\"drupal/[^\"]+\":\\s*\"(~|\\^)?[0-9]\\.[0-9]\\.[0-9]\"" 
-        message: "Hard-coded specific version detected in composer.json. Consider using version ranges to receive security updates."
-        
-      # Pattern 7: Outdated or insecure PHP API usage
-      - pattern: "mysql_|split\\(|ereg\\(|eregi\\(|create_function\\(|each\\("
-        message: "Deprecated or insecure PHP function detected. Use modern alternatives for better security."
-        
-      # Pattern 8: Usage of contrib modules without version constraints
-      - pattern: "type:\\s*module\\s*\\nname:"
-        message: "Ensure your module specifies core_version_requirement to prevent installation on unsupported Drupal versions."
-        
-      # Pattern 9: Missing security advisories handling in composer.json
-      - pattern: "composer\\.json"
-        message: "Consider adding drupal/core-security-advisories as a dev dependency to detect known vulnerable packages."
-        
-      # Pattern 10: Direct usage of vulnerable sanitization functions
-      - pattern: "check_plain\\(|filter_xss\\(|filter_xss_admin\\("
-        message: "Legacy text sanitization function detected. Use Html::escape() or Xss::filter() instead."
+4. **Security Monitoring:**
+   - Implement automated vulnerability scanning in CI/CD
+   - Use tools like Drupal Check or Upgrade Status module
+   - Monitor the Drupal security advisories page
+   - Implement automated updates for non-critical dependencies
+   - Set up alerts for security issues in used components
 
-  - type: suggest
-    message: |
-      **Drupal Component Security Best Practices:**
-      
-      1. **Update Management:**
-         - Keep Drupal core updated to the latest secure version
-         - Subscribe to the Drupal Security Newsletter
-         - Implement a regular update schedule (monthly at minimum)
-         - Use security advisories checking in your development workflow
-         - Implement Composer's security-advisories metadata
-      
-      2. **Dependency Management:**
-         - Use Composer for managing all dependencies
-         - Specify version constraints that allow security updates
-         - Add drupal/core-security-advisories as a dev dependency
-         - Regularly run `composer update --with-dependencies`
-         - Use `composer outdated` to identify outdated packages
-      
-      3. **API Usage:**
-         - Use modern Drupal APIs rather than deprecated functions
-         - Migrate away from jQuery to modern JavaScript where possible
-         - Implement Subresource Integrity (SRI) for external resources
-         - Update custom code to use current best practices
-         - Follow the Drupal API deprecation policies
-      
-      4. **Security Monitoring:**
-         - Implement automated vulnerability scanning in CI/CD
-         - Use tools like Drupal Check or Upgrade Status module
-         - Monitor the Drupal security advisories page
-         - Implement automated updates for non-critical dependencies
-         - Set up alerts for security issues in used components
-      
-      5. **Module Management:**
-         - Remove unused modules from your codebase
-         - Prefer well-maintained modules with security teams
-         - Implement proper version constraints in module info files
-         - Consider the security impact before adding new dependencies
-         - Document your dependency management practices
+5. **Module Management:**
+   - Remove unused modules from your codebase
+   - Prefer well-maintained modules with security teams
+   - Implement proper version constraints in module info files
+   - Consider the security impact before adding new dependencies
+   - Document your dependency management practices
 
-  - type: validate
-    conditions:
-      # Check 1: Proper core version requirement
-      - pattern: "core_version_requirement:\\s*[\"']\\^(8\\.8|8\\.9|9|10)\\.[0-9]+[\"']"
-        message: "Using proper core version requirements."
-      
-      # Check 2: Use of modern APIs
-      - pattern: "\\\\Drupal::messenger\\(\\)|->messenger\\(\\)|\\\\Drupal::service\\('messenger'\\)"
-        message: "Using modern message API instead of deprecated functions."
-      
-      # Check 3: Proper composer usage
-      - pattern: "\"require\":\\s*\\{[^}]*\"drupal/core(-recommended)?\":\\s*\"\\^[0-9]+\\.[0-9]+\""
-        message: "Using proper version constraints in Composer."
-      
-      # Check 4: SRI implementation
-      - pattern: "integrity=[\"'][a-zA-Z0-9\\+/=\\-_]+[\"']\\s+crossorigin=[\"']anonymous[\"']"
-        message: "Properly implementing Subresource Integrity."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - drupal
-    - dependencies
-    - vulnerable-components
-    - owasp
-    - language:php
-    - framework:drupal
-    - category:security
-    - subcategory:dependencies
-    - standard:owasp-top10
-    - risk:a06-vulnerable-components
-  references:
-    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
-    - "https://www.drupal.org/docs/security-in-drupal/staying-up-to-date"
-    - "https://www.drupal.org/docs/upgrading-drupal"
-    - "https://www.drupal.org/docs/develop/using-composer/managing-dependencies-for-a-drupal-project"
-</rule> 
\ No newline at end of file
+- Using proper core version requirements.
+- Using modern message API instead of deprecated functions.
+- Using proper version constraints in Composer.
+- Properly implementing Subresource Integrity.
diff --git a/.cursor/rules/generic_bash_style.mdc b/.cursor/rules/generic_bash_style.mdc
index 45f08a8..e1be5c3 100644
--- a/.cursor/rules/generic_bash_style.mdc
+++ b/.cursor/rules/generic_bash_style.mdc
@@ -6,66 +6,38 @@ globs:
 
 This rule enforces best practices for writing Bash scripts, with an emphasis on using colorized logging for better output readability.
 
-<rule>
-name: enhanced_bash_style
-description: Enforce Bash scripting standards with colorized logging
-filters:
-  - type: file_extension
-    pattern: "\\.sh$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "^#!/usr/bin/env bash$"
-        message: "All scripts should start with the shebang '#!/usr/bin/env bash'."
-
-      - pattern: "^set -eu$"
-        message: "Enable 'set -eu' for script robustness."
-
-      - pattern: "^set -x$"
-        pattern_negate: "^\\[ \"\\${DEBUG-}\" = \"1\" ] && set -x$"
-        message: "Use conditional 'set -x' based on debug flag."
-
-      - pattern: "^# @formatter:off$"
-        message: "Start of formatting block for log functions."
-
-      - pattern: "note\\(\\) { printf \"       %s\\n\" \"\\${1}\"; }$"
-        message: "Include 'note' function for plain messages."
-
-      - pattern: "info\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[34m\\[INFO] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[INFO] %s\\n\" \"\\${1}\"; }$"
-        message: "Include 'info' function for blue informational messages."
-
-      - pattern: "pass\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[32m\\[ OK ] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[ OK ] %s\\n\" \"\\${1}\"; }$"
-        message: "Include 'pass' function for green success messages."
-
-      - pattern: "fail\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[31m\\[FAIL] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[FAIL] %s\\n\" \"\\${1}\"; }$"
-        message: "Include 'fail' function for red error messages."
-
-      - pattern: "warn\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[33m\\[WARN] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[WARN] %s\\n\" \"\\${1}\"; }$"
-        message: "Include 'warn' function for yellow warning messages."
-
-      - pattern: "^# @formatter:on$"
-        message: "End of formatting block for log functions."
-
-  - type: suggest
-    message: |
-      **Bash Scripting Best Practices:**
-      - **Error Handling:** Use `set -eu` to catch errors and undefined variables early.
-      - **Debugging:** Implement conditional debugging with `set -x` using a DEBUG variable.
-      - **Logging Functions:** Use colorized logging for better script output readability:
-        - `note()` for plain notes
-        - `info()` for blue informational messages
-        - `pass()` for green success messages
-        - `fail()` for red error messages
-        - `warn()` for yellow warnings, ensuring users can distinguish different types of messages easily
-      - **Security:** Avoid using `eval` or similar constructs; use safe alternatives.
-      - **Documentation:** Include descriptive comments, especially for complex logic.
-      - **Portability:** Use `/usr/bin/env bash` for the shebang to ensure script runs with bash on any system.
-      - **Variable Checks:** Ensure necessary variables are set, enhancing script reliability.
-      - **Exit Codes:** Use explicit exit codes for different failure scenarios.
-      - **Color Support:** Ensure logging functions check for terminal color support before applying colors.
-
-metadata:
-  priority: medium
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: medium · Version: 1.1
+
+## Trigger Conditions
+- Files matching pattern `\.sh$`
+
+## Required Checks
+
+- All scripts should start with the shebang '#!/usr/bin/env bash'.
+- Enable 'set -eu' for script robustness.
+- Use conditional 'set -x' based on debug flag.
+- Start of formatting block for log functions.
+- Include 'note' function for plain messages.
+- Include 'info' function for blue informational messages.
+- Include 'pass' function for green success messages.
+- Include 'fail' function for red error messages.
+- Include 'warn' function for yellow warning messages.
+- End of formatting block for log functions.
+
+## Recommendations
+
+**Bash Scripting Best Practices:**
+- **Error Handling:** Use `set -eu` to catch errors and undefined variables early.
+- **Debugging:** Implement conditional debugging with `set -x` using a DEBUG variable.
+- **Logging Functions:** Use colorized logging for better script output readability:
+  - `note()` for plain notes
+  - `info()` for blue informational messages
+  - `pass()` for green success messages
+  - `fail()` for red error messages
+  - `warn()` for yellow warnings, ensuring users can distinguish different types of messages easily
+- **Security:** Avoid using `eval` or similar constructs; use safe alternatives.
+- **Documentation:** Include descriptive comments, especially for complex logic.
+- **Portability:** Use `/usr/bin/env bash` for the shebang to ensure script runs with bash on any system.
+- **Variable Checks:** Ensure necessary variables are set, enhancing script reliability.
+- **Exit Codes:** Use explicit exit codes for different failure scenarios.
+- **Color Support:** Ensure logging functions check for terminal color support before applying colors.
diff --git a/.cursor/rules/git-commit-standards.mdc b/.cursor/rules/git-commit-standards.mdc
index ace1472..70e561b 100644
--- a/.cursor/rules/git-commit-standards.mdc
+++ b/.cursor/rules/git-commit-standards.mdc
@@ -6,45 +6,29 @@ globs: .git/*
 
 Ensures consistent Git commit messages.
 
-<rule>
-name: git_commit_standards
-description: Enforce structured Git commit messages.
-filters:
-  - type: file_extension
-    pattern: "\\.git/.*"
-
-actions:
-  - type: enforce
-    conditions:
-      # More precise regex to ensure prefix is followed by colon and space
-      - pattern: "^(?!fix|feat|perf|docs|style|refactor|test|chore): "
-        message: "Use a commit message prefix followed by colon and space (fix:, feat:, etc.)."
-
-      # Check for uppercase after the prefix
-      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore): [A-Z]"
-        message: "First word after prefix should be lowercase."
-
-      # More precise length check that excludes the prefix from the count
-      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore): .{46,}"
-        message: "Keep commit message content (excluding prefix) under 46 characters."
-
-      # Ensure there's a space after the colon
-      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore):(?! )"
-        message: "Include a space after the colon in prefix."
-
-  - type: suggest
-    message: |
-      Recommended commit format:
-      - "fix: resolved bug in user authentication"
-      - "feat: added new search functionality"
-      - "docs: updated installation guide"
-      - "style: fixed button alignment"
-      - "refactor: simplified login logic"
-      - "test: added unit tests for auth"
-      - "chore: updated dependencies"
-      - "perf: optimized database queries"
-
-metadata:
-  priority: high
-  version: 1.1
-</rule>
+> Priority: high · Version: 1.1
+
+## Applies To
+- `.git/*`
+
+## Trigger Conditions
+- Files matching pattern `\.git/.*`
+
+## Required Checks
+
+- Use a commit message prefix followed by colon and space (fix:, feat:, etc.).
+- First word after prefix should be lowercase.
+- Keep commit message content (excluding prefix) under 46 characters.
+- Include a space after the colon in prefix.
+
+## Recommendations
+
+Recommended commit format:
+- "fix: resolved bug in user authentication"
+- "feat: added new search functionality"
+- "docs: updated installation guide"
+- "style: fixed button alignment"
+- "refactor: simplified login logic"
+- "test: added unit tests for auth"
+- "chore: updated dependencies"
+- "perf: optimized database queries"
diff --git a/.cursor/rules/github-actions-standards.mdc b/.cursor/rules/github-actions-standards.mdc
index 37abb6e..8beee36 100644
--- a/.cursor/rules/github-actions-standards.mdc
+++ b/.cursor/rules/github-actions-standards.mdc
@@ -3,63 +3,43 @@ description:
 globs: .github/workflows/*.yml
 alwaysApply: false
 ---
- # GitHub Actions Standards
+# GitHub Actions Standards
 
 Ensures GitHub Actions workflows follow best practices and use the latest action versions.
 
-<rule>
-name: github_actions_standards
-description: Enforce standards for GitHub Actions workflows
-filters:
-  - type: file_extension
-    pattern: "\\.ya?ml$"
-  - type: file_path
-    pattern: "\\.github/workflows/"
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "uses:\\s*actions/upload-artifact@v[123]"
-        message: "Use actions/upload-artifact@v4 instead of older versions. Version 3 is deprecated: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/"
+## Applies To
+- `.github/workflows/*.yml`
 
-      - pattern: "uses:\\s*actions/download-artifact@v[123]"
-        message: "Use actions/download-artifact@v4 instead of older versions."
+## Trigger Conditions
+- Files matching pattern `\.ya?ml$`
+- Paths matching `\.github/workflows/`
 
-      - pattern: "uses:\\s*actions/checkout@v[12]"
-        message: "Consider using actions/checkout@v4 for the latest features and security updates."
+## Required Checks
 
-  - type: suggest
-    message: |
-      **GitHub Actions Best Practices:**
-      - **Latest Action Versions:** Always use the latest stable versions of GitHub Actions.
-        - `actions/checkout@v4`
-        - `actions/upload-artifact@v4`
-        - `actions/download-artifact@v4`
-        - `actions/setup-node@v4`
-        - `actions/setup-python@v5`
-      - **Workflow Structure:** Organize workflows with clear job names and step descriptions.
-      - **Caching:** Implement caching for dependencies to speed up workflows.
-      - **Security:** Use `GITHUB_TOKEN` with minimum required permissions.
-      - **Artifacts:** Use descriptive names for artifacts and set appropriate retention periods.
-      - **Matrix Strategy:** Use matrix builds for testing across multiple environments.
-      - **Timeouts:** Set appropriate timeouts for jobs to prevent hanging workflows.
+- Use actions/upload-artifact@v4 instead of older versions. Version 3 is deprecated: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
+- Use actions/download-artifact@v4 instead of older versions.
+- Consider using actions/checkout@v4 for the latest features and security updates.
 
-  - type: validate
-    conditions:
-      - pattern: "uses:\\s*actions/upload-artifact@v4"
-        message: "Good job using the latest version of actions/upload-artifact!"
+## Recommendations
 
-      - pattern: "uses:\\s*actions/download-artifact@v4"
-        message: "Good job using the latest version of actions/download-artifact!"
+**GitHub Actions Best Practices:**
+- **Latest Action Versions:** Always use the latest stable versions of GitHub Actions.
+  - `actions/checkout@v4`
+  - `actions/upload-artifact@v4`
+  - `actions/download-artifact@v4`
+  - `actions/setup-node@v4`
+  - `actions/setup-python@v5`
+- **Workflow Structure:** Organize workflows with clear job names and step descriptions.
+- **Caching:** Implement caching for dependencies to speed up workflows.
+- **Security:** Use `GITHUB_TOKEN` with minimum required permissions.
+- **Artifacts:** Use descriptive names for artifacts and set appropriate retention periods.
+- **Matrix Strategy:** Use matrix builds for testing across multiple environments.
+- **Timeouts:** Set appropriate timeouts for jobs to prevent hanging workflows.
 
-      - pattern: "uses:\\s*actions/checkout@v[34]"
-        message: "Good job using a recent version of actions/checkout!"
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - ci/cd
-    - github
-    - automation
-</rule>
\ No newline at end of file
+- Good job using the latest version of actions/upload-artifact!
+- Good job using the latest version of actions/download-artifact!
+- Good job using a recent version of actions/checkout!
diff --git a/.cursor/rules/improve-cursorrules-efficiency.mdc b/.cursor/rules/improve-cursorrules-efficiency.mdc
index b182364..c851dc1 100644
--- a/.cursor/rules/improve-cursorrules-efficiency.mdc
+++ b/.cursor/rules/improve-cursorrules-efficiency.mdc
@@ -6,109 +6,80 @@ globs: *.mdc
 
 Ensures Cursor analyzes AI query efficiency, detects repeated requests, and automatically updates relevant rules to improve response quality and reduce redundancy.
 
-<rule>
-name: ai_query_efficiency_optimization
-description: Analyze AI query efficiency, optimize rules, and prevent repeated requests.
-filters:
-  # Match AI query interactions in supported files
-  - type: file_extension
-    pattern: "\\.(md|mdc|txt|json|py|js|ts|php|yaml|yml|cursorrules)$"
-  # Match AI communication patterns indicating inefficiency or repetition
-  - type: content
-    pattern: "(?i)(retry|again|didn't work|not what I expected|try another way|improve|fix this|optimize|rewrite|regenerate)"
-
-actions:
-  - type: analyze
-    conditions:
-      - pattern: "(?i)(retry|again|fix this|not what I expected|didn't work|rewrite|regenerate)"
-        message: "Detected inefficiencies or repeated requests. Initiating efficiency analysis..."
-    execute: |
-      - **Identify inefficiencies** in AI responses by comparing previous queries and results.
-      - **Suggest improvements** in query structure or Cursor usage based on analysis:
-        - Use more specific or detailed prompts.
-        - Implement structured queries for complex tasks.
-        - Provide feedback on past responses for better contextual understanding.
-        - Break down complex tasks into smaller, more manageable steps.
-        - Use specific technical terminology for clearer communication.
-      - **Automatically update** relevant Cursor rules:
-        - Enhance pattern recognition for similar future queries.
-        - Adjust rule priorities or conditions to prevent repeat inefficiencies.
-        - Update rule suggestions to guide users towards more effective interactions.
-        - Create new rules for frequently encountered patterns.
-
-  - type: suggest
-    message: |
-      ## Query Optimization Recommendations
-
-      I notice you're making multiple requests for similar tasks. Here's how to optimize your AI interactions:
-
-      ### 1. Refine Your Prompts
-      - **Be more specific:** Include technical details, file paths, and exact requirements
-      - **Use structured formats:** For complex requests, use bullet points or numbered lists
-      - **Include context:** Mention relevant technologies, frameworks, or standards
-      - **Set clear expectations:** Specify the format and level of detail you need
-
-      ### 2. Break Down Complex Tasks
-      - Split large tasks into smaller, focused requests
-      - Ask for step-by-step approaches for complex problems
-      - Request specific examples for unclear concepts
-
-      ### 3. Provide Feedback
-      - Tell the AI what worked and what didn't in previous responses
-      - Clarify misunderstandings explicitly
-      - Highlight successful parts of previous responses
-
-      ### 4. Use Technical Terminology
-      - Use precise technical terms for your domain (Drupal, Lagoon, etc.)
-      - Reference specific functions, methods, or patterns
-      - Mention relevant standards or best practices
-
-      ### 5. Leverage Cursor Features
-      - Use file references when discussing specific code
-      - Reference line numbers for targeted changes
-      - Utilize code blocks for examples
-
-      The system will now optimize rules based on this interaction pattern to improve future responses.
-
-  - type: auto_update
-    target: ".cursor/rules/ai-optimization.mdc"
-    conditions:
-      - pattern: "(?i)(retry|again|fix this|not what I expected|not what I meant|didn't work|rewrite|regenerate)"
-    message: "Updating AI efficiency rules based on detected inefficiencies or repeated queries."
-
-  - type: log
-    message: "AI Query Efficiency Analysis: [{{query_count}} queries in {{time_period}} detected inefficiency.]"
-    conditions:
-      - pattern: "(?i)(retry|again|fix this|not what I expected|didn't work|rewrite|regenerate)"
-
-examples:
-  - input: |
-      "This Drupal module is not working, let's try again."
-      "That didn't work, let's refine the approach."
-      "Please rewrite this code to be more efficient."
-    output: |
-      Cursor detects inefficiency in queries and suggests:
-      
-      "I notice you're making multiple attempts. To get better results:
-      1. Specify which part of the module isn't working
-      2. Include any error messages you're seeing
-      3. Mention the Drupal version and relevant modules
-      4. Describe what you've already tried"
-
-  - input: |
-      "Generate a Lagoon configuration file."
-      "This doesn't look right, regenerate it."
-      "Try again with better practices."
-    output: |
-      Cursor detects repetition and suggests:
-      
-      "For better Lagoon configuration results:
-      1. Specify which services you need (nginx, php, mariadb, etc.)
-      2. Mention your project type (Drupal, WordPress, etc.)
-      3. Include any specific environment requirements
-      4. Reference any existing configuration you want to maintain"
-
-metadata:
-  priority: critical
-  version: 1.2
-</rule>
+> Priority: critical · Version: 1.2
+
+## Applies To
+- `*.mdc`
+
+## Trigger Conditions
+- Files matching pattern `\.(md|mdc|txt|json|py|js|ts|php|yaml|yml|cursorrules)$`
+- Files containing `(?i)(retry|again|didn't work|not what I expected|try another way|improve|fix this|optimize|rewrite|regenerate)`
+
+## Automation
+
+- **Auto Update:** Updating AI efficiency rules based on detected inefficiencies or repeated queries.
+- **Log:** AI Query Efficiency Analysis: [{{query_count}} queries in {{time_period}} detected inefficiency.]
+
+## Recommendations
+
+## Query Optimization Recommendations
+
+I notice you're making multiple requests for similar tasks. Here's how to optimize your AI interactions:
+
+### 1. Refine Your Prompts
+- **Be more specific:** Include technical details, file paths, and exact requirements
+- **Use structured formats:** For complex requests, use bullet points or numbered lists
+- **Include context:** Mention relevant technologies, frameworks, or standards
+- **Set clear expectations:** Specify the format and level of detail you need
+
+### 2. Break Down Complex Tasks
+- Split large tasks into smaller, focused requests
+- Ask for step-by-step approaches for complex problems
+- Request specific examples for unclear concepts
+
+### 3. Provide Feedback
+- Tell the AI what worked and what didn't in previous responses
+- Clarify misunderstandings explicitly
+- Highlight successful parts of previous responses
+
+### 4. Use Technical Terminology
+- Use precise technical terms for your domain (Drupal, Lagoon, etc.)
+- Reference specific functions, methods, or patterns
+- Mention relevant standards or best practices
+
+### 5. Leverage Cursor Features
+- Use file references when discussing specific code
+- Reference line numbers for targeted changes
+- Utilize code blocks for examples
+
+The system will now optimize rules based on this interaction pattern to improve future responses.
+
+## Examples
+### Example 1
+```
+"This Drupal module is not working, let's try again."
+"That didn't work, let's refine the approach."
+"Please rewrite this code to be more efficient."
+```
+Outcome: Cursor detects inefficiency in queries and suggests:
+
+"I notice you're making multiple attempts. To get better results:
+1. Specify which part of the module isn't working
+2. Include any error messages you're seeing
+3. Mention the Drupal version and relevant modules
+4. Describe what you've already tried"
+
+### Example 2
+```
+"Generate a Lagoon configuration file."
+"This doesn't look right, regenerate it."
+"Try again with better practices."
+```
+Outcome: Cursor detects repetition and suggests:
+
+"For better Lagoon configuration results:
+1. Specify which services you need (nginx, php, mariadb, etc.)
+2. Mention your project type (Drupal, WordPress, etc.)
+3. Include any specific environment requirements
+4. Reference any existing configuration you want to maintain"
+
diff --git a/.cursor/rules/javascript-broken-access-control.mdc b/.cursor/rules/javascript-broken-access-control.mdc
index 1eac7ec..6da3423 100644
--- a/.cursor/rules/javascript-broken-access-control.mdc
+++ b/.cursor/rules/javascript-broken-access-control.mdc
@@ -6,395 +6,307 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 
 This rule identifies and prevents broken access control vulnerabilities in JavaScript applications, focusing on both browser and Node.js environments, as defined in OWASP Top 10:2021-A01.
 
-<rule>
-name: javascript_broken_access_control
-description: Detect and prevent broken access control patterns in JavaScript applications as defined in OWASP Top 10:2021-A01
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Detect Direct Reference to User-Supplied IDs (IDOR vulnerability)
-      - pattern: "(?:req|request)\\.(?:params|query|body)\\.(?:id|userId|recordId)[^\\n]*?(?:findById|getById|find\\(|get\\()"
-        message: "Potential Insecure Direct Object Reference (IDOR) vulnerability. User-supplied IDs should be validated against user permissions before database access."
-        
-      # Pattern 2: Detect Missing Authorization Checks in Route Handlers
-      - pattern: "(?:app|router)\\.(?:get|post|put|delete|patch)\\(['\"][^'\"]+['\"],\\s*(?:async)?\\s*\\(?(?:req|request),\\s*(?:res|response)(?:,[^\\)]+)?\\)?\\s*=>\\s*\\{[^\\}]*?\\}\\)"
-        negative_pattern: "(?:isAuthenticated|isAuthorized|checkPermission|verifyAccess|auth\\.check|authenticate|authorize|userHasAccess|checkAuth|permissions\\.|requireAuth|requiresAuth|ensureAuth|\\bauth\\b|\\broles?\\b|\\bpermission\\b|\\baccess\\b)"
-        message: "Route handler appears to be missing authorization checks. Implement proper access control to verify user permissions before processing requests."
-        
-      # Pattern 3: Detect JWT Token Validation Issues
-      - pattern: "(?:jwt|jsonwebtoken)\\.verify\\((?:[^,]+),\\s*['\"]((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)['\"]"
-        message: "Hardcoded JWT secret detected. Store JWT secrets securely in environment variables or a configuration manager."
-        
-      # Pattern 4: Detect Client-Side Authorization Checks
-      - pattern: "if\\s*\\((?:user|currentUser)\\.(?:role|isAdmin|hasPermission|can[A-Z][a-zA-Z]+|is[A-Z][a-zA-Z]+)\\)\\s*\\{[^\\}]*?(?:fetch|axios|\\$\\.ajax|http\\.get|http\\.post)\\([^\\)]*?\\)"
-        message: "Authorization logic implemented on client-side. Client-side authorization checks can be bypassed. Always enforce authorization on the server."
-        
-      # Pattern 5: Detect Improper CORS Configuration
-      - pattern: "(?:app\\.use\\(cors\\(\\{[^\\}]*?origin:\\s*['\"]\\*['\"])|Access-Control-Allow-Origin:\\s*['\"]\\*['\"]"
-        message: "Wildcard CORS policy detected. This allows any domain to make cross-origin requests. Restrict CORS to specific trusted domains."
-        
-      # Pattern 6: Detect Lack of Role Checks in Admin Functions
-      - pattern: "(?:function|const)\\s+(?:admin|updateUser|deleteUser|createUser|updateRole|manageUsers|setPermission)[^\\{]*?\\{[^\\}]*?\\}"
-        negative_pattern: "(?:role|permission|isAdmin|hasAccess|authorize|authenticate|auth\\.check|checkPermission|checkRole|verifyRole|ensureAdmin|adminOnly|adminRequired|requirePermission)"
-        message: "Administrative function appears to be missing role or permission checks. Implement proper authorization checks to restrict access to administrative functions."
-        
-      # Pattern 7: Detect Missing Login Rate Limiting
-      - pattern: "(?:function|const)\\s+(?:login|signin|authenticate|auth)[^\\{]*?\\{[^\\}]*?(?:compare(?:Sync)?|check(?:Password)?|match(?:Password)?|verify(?:Password)?)[^\\}]*?\\}"
-        negative_pattern: "(?:rate(?:Limit)?|throttle|limit|delay|cooldown|attempt|counter|maxTries|maxAttempts|lockout|timeout)"
-        message: "Login function appears to be missing rate limiting. Implement rate limiting to prevent brute force attacks."
-        
-      # Pattern 8: Detect Horizontal Privilege Escalation Vulnerability
-      - pattern: "(?:findById|findOne|findByPk|get)\\((?:req|request)\\.(?:params|query|body)\\.(?:id|userId|accountId)\\)"
-        negative_pattern: "(?:!=|!==|===|==)\\s*(?:req\\.user\\.id|req\\.userId|currentUser\\.id|user\\.id|session\\.userId)"
-        message: "Potential horizontal privilege escalation vulnerability. Ensure the requested resource belongs to the authenticated user."
-        
-      # Pattern 9: Detect Missing CSRF Protection
-      - pattern: "(?:app|router)\\.(?:post|put|delete|patch)\\(['\"][^'\"]+['\"]"
-        negative_pattern: "(?:csrf|xsrf|csurf|csrfProtection|antiForgery|csrfToken|csrfMiddleware)"
-        message: "Route may be missing CSRF protection. Implement CSRF tokens for state-changing operations to prevent cross-site request forgery attacks."
-        
-      # Pattern 10: Detect Bypassing Access Control with Path Traversal
-      - pattern: "(?:fs|require)(?:\\.promises)?\\.(read|open|access|stat)(?:File|Sync)?\\([^\\)]*?(?:req|request)\\.(?:params|query|body|path)\\.[^\\)]*?\\)"
-        negative_pattern: "(?:normalize|resolve|sanitize|validate|pathValidation|checkPath)"
-        message: "Potential path traversal vulnerability in file access. Validate and sanitize user-supplied paths to prevent directory traversal attacks."
-        
-      # Pattern 11: Detect Missing Authentication Middleware
-      - pattern: "(?:new\\s+)?express\\(\\)|(?:import|require)\\(['\"]express['\"]\\)"
-        negative_pattern: "(?:app\\.use\\((?:passport|auth|jwt|session|authenticate)|passport\\.authenticate|express-session|express-jwt|jsonwebtoken|requiresAuth|\\bauth\\b)"
-        message: "Express application may be missing authentication middleware. Implement proper authentication to secure your application."
-        
-      # Pattern 12: Detect Insecure Cookie Settings
-      - pattern: "(?:res\\.cookie|cookie\\.set|cookies\\.set|document\\.cookie)\\([^\\)]*?\\)"
-        negative_pattern: "(?:secure:\\s*true|httpOnly:\\s*true|sameSite|expires|maxAge)"
-        message: "Cookies appear to be set without security attributes. Set the secure, httpOnly, and sameSite attributes for sensitive cookies."
-      
-      # Pattern 13: Detect Hidden Form Fields for Access Control
-      - pattern: "<input[^>]*?type=['\"]hidden['\"][^>]*?(?:(?:name|id)=['\"](?:admin|role|isAdmin|access|permission|privilege)['\"])"
-        message: "Hidden form fields used for access control. Never rely on hidden form fields for access control decisions as they can be easily manipulated."
-        
-      # Pattern 14: Detect Client-Side Access Control Routing
-      - pattern: "(?:isAdmin|hasRole|hasPermission|userCan|canAccess)\\s*\\?\\s*<(?:Route|Navigate|Link|Redirect)"
-        message: "Client-side conditional routing based on user roles detected. Always enforce access control on the server side as client-side checks can be bypassed."
-        
-      # Pattern 15: Detect Access Control based on URL Parameters
-      - pattern: "if\\s*\\((?:req|request)\\.(?:query|params)\\.(?:admin|mode|access|role|type)\\s*===?\\s*['\"](?:admin|true|1|superuser|manager)['\"]\\)"
-        message: "Access control based on URL parameters detected. Never use request parameters for access control decisions as they can be easily manipulated."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
 
-  - type: suggest
-    message: |
-      **JavaScript Access Control Best Practices:**
-      
-      1. **Implement Server-Side Access Control**
-         - Never rely solely on client-side access control
-         - Use middleware to enforce authorization
-         - Example Express.js middleware:
-           ```javascript
-           // Role-based access control middleware
-           function requireRole(role) {
-             return (req, res, next) => {
-               if (!req.user) {
-                 return res.status(401).json({ error: 'Authentication required' });
-               }
-               
-               if (!req.user.roles.includes(role)) {
-                 return res.status(403).json({ error: 'Insufficient permissions' });
-               }
-               
-               next();
-             };
-           }
-           
-           // Usage in routes
-           app.get('/admin/users', requireRole('admin'), (req, res) => {
-             // Handle admin-only route
-           });
-           ```
-      
-      2. **Implement Proper Authentication**
-         - Use established authentication libraries
-         - Implement multi-factor authentication for sensitive operations
-         - Example with Passport.js:
-           ```javascript
-           const passport = require('passport');
-           const JwtStrategy = require('passport-jwt').Strategy;
-           
-           passport.use(new JwtStrategy(jwtOptions, async (payload, done) => {
-             try {
-               const user = await User.findById(payload.sub);
-               if (!user) {
-                 return done(null, false);
-               }
-               return done(null, user);
-             } catch (error) {
-               return done(error, false);
-             }
-           }));
+## Required Checks
+
+- Potential Insecure Direct Object Reference (IDOR) vulnerability. User-supplied IDs should be validated against user permissions before database access.
+- Route handler appears to be missing authorization checks. Implement proper access control to verify user permissions before processing requests.
+- Hardcoded JWT secret detected. Store JWT secrets securely in environment variables or a configuration manager.
+- Authorization logic implemented on client-side. Client-side authorization checks can be bypassed. Always enforce authorization on the server.
+- Wildcard CORS policy detected. This allows any domain to make cross-origin requests. Restrict CORS to specific trusted domains.
+- Administrative function appears to be missing role or permission checks. Implement proper authorization checks to restrict access to administrative functions.
+- Login function appears to be missing rate limiting. Implement rate limiting to prevent brute force attacks.
+- Potential horizontal privilege escalation vulnerability. Ensure the requested resource belongs to the authenticated user.
+- Route may be missing CSRF protection. Implement CSRF tokens for state-changing operations to prevent cross-site request forgery attacks.
+- Potential path traversal vulnerability in file access. Validate and sanitize user-supplied paths to prevent directory traversal attacks.
+- Express application may be missing authentication middleware. Implement proper authentication to secure your application.
+- Cookies appear to be set without security attributes. Set the secure, httpOnly, and sameSite attributes for sensitive cookies.
+- Hidden form fields used for access control. Never rely on hidden form fields for access control decisions as they can be easily manipulated.
+- Client-side conditional routing based on user roles detected. Always enforce access control on the server side as client-side checks can be bypassed.
+- Access control based on URL parameters detected. Never use request parameters for access control decisions as they can be easily manipulated.
+
+## Recommendations
+
+**JavaScript Access Control Best Practices:**
+
+1. **Implement Server-Side Access Control**
+   - Never rely solely on client-side access control
+   - Use middleware to enforce authorization
+   - Example Express.js middleware:
+     ```javascript
+     // Role-based access control middleware
+     function requireRole(role) {
+       return (req, res, next) => {
+         if (!req.user) {
+           return res.status(401).json({ error: 'Authentication required' });
+         }
+         
+         if (!req.user.roles.includes(role)) {
+           return res.status(403).json({ error: 'Insufficient permissions' });
+         }
+         
+         next();
+       };
+     }
+     
+     // Usage in routes
+     app.get('/admin/users', requireRole('admin'), (req, res) => {
+       // Handle admin-only route
+     });
+     ```
+
+2. **Implement Proper Authentication**
+   - Use established authentication libraries
+   - Implement multi-factor authentication for sensitive operations
+   - Example with Passport.js:
+     ```javascript
+     const passport = require('passport');
+     const JwtStrategy = require('passport-jwt').Strategy;
+     
+     passport.use(new JwtStrategy(jwtOptions, async (payload, done) => {
+       try {
+         const user = await User.findById(payload.sub);
+         if (!user) {
+           return done(null, false);
+         }
+         return done(null, user);
+       } catch (error) {
+         return done(error, false);
+       }
+     }));
+     
+     // Protect routes
+     app.get('/protected', 
+       passport.authenticate('jwt', { session: false }),
+       (req, res) => {
+         res.json({ success: true });
+       }
+     );
+     ```
+
+3. **Implement Proper Authorization**
+   - Use attribute or role-based access control
+   - Check permissions for each protected resource
+   - Example:
+     ```javascript
+     // Permission-based middleware
+     function checkPermission(permission) {
+       return async (req, res, next) => {
+         try {
+           // Get user permissions from database
+           const userPermissions = await getUserPermissions(req.user.id);
            
-           // Protect routes
-           app.get('/protected', 
-             passport.authenticate('jwt', { session: false }),
-             (req, res) => {
-               res.json({ success: true });
-             }
-           );
-           ```
-      
-      3. **Implement Proper Authorization**
-         - Use attribute or role-based access control
-         - Check permissions for each protected resource
-         - Example:
-           ```javascript
-           // Permission-based middleware
-           function checkPermission(permission) {
-             return async (req, res, next) => {
-               try {
-                 // Get user permissions from database
-                 const userPermissions = await getUserPermissions(req.user.id);
-                 
-                 if (!userPermissions.includes(permission)) {
-                   return res.status(403).json({ error: 'Permission denied' });
-                 }
-                 
-                 next();
-               } catch (error) {
-                 next(error);
-               }
-             };
+           if (!userPermissions.includes(permission)) {
+             return res.status(403).json({ error: 'Permission denied' });
            }
            
-           // Usage
-           app.post('/articles', 
-             authenticate,
-             checkPermission('article:create'), 
-             (req, res) => {
-               // Create article
-             }
-           );
-           ```
-      
-      4. **Protect Against Insecure Direct Object References (IDOR)**
-         - Validate that the requested resource belongs to the user
-         - Use indirect references or access control lists
-         - Example:
-           ```javascript
-           app.get('/documents/:id', authenticate, async (req, res) => {
-             try {
-               const document = await Document.findById(req.params.id);
-               
-               // Check if document exists
-               if (!document) {
-                 return res.status(404).json({ error: 'Document not found' });
-               }
-               
-               // Check if user owns the document or has access
-               if (document.userId !== req.user.id && 
-                   !(await userHasAccess(req.user.id, document.id))) {
-                 return res.status(403).json({ error: 'Access denied' });
-               }
-               
-               res.json(document);
-             } catch (error) {
-               res.status(500).json({ error: error.message });
-             }
-           });
-           ```
-      
-      5. **Implement Proper CORS Configuration**
-         - Never use wildcard (*) in production
-         - Whitelist specific trusted origins
-         - Example:
-           ```javascript
-           const cors = require('cors');
-           
-           const corsOptions = {
-             origin: ['https://trusted-app.com', 'https://admin.trusted-app.com'],
-             methods: ['GET', 'POST', 'PUT', 'DELETE'],
-             allowedHeaders: ['Content-Type', 'Authorization'],
-             credentials: true,
-             maxAge: 86400 // 24 hours
-           };
-           
-           app.use(cors(corsOptions));
-           ```
-      
-      6. **Implement CSRF Protection**
-         - Use anti-CSRF tokens for state-changing operations
-         - Validate the token on the server
-         - Example with csurf:
-           ```javascript
-           const csrf = require('csurf');
-           
-           // Setup CSRF protection
-           const csrfProtection = csrf({ cookie: true });
-           
-           // Generate CSRF token
-           app.get('/form', csrfProtection, (req, res) => {
-             res.render('form', { csrfToken: req.csrfToken() });
-           });
-           
-           // Validate CSRF token
-           app.post('/process', csrfProtection, (req, res) => {
-             // Process the request
-           });
-           ```
-      
-      7. **Implement Secure Cookie Settings**
-         - Set secure, httpOnly, and sameSite attributes
-         - Use appropriate expiration times
-         - Example:
-           ```javascript
-           res.cookie('sessionId', sessionId, {
-             httpOnly: true,  // Prevents JavaScript access
-             secure: true,    // Only sent over HTTPS
-             sameSite: 'strict', // Prevents CSRF attacks
-             maxAge: 3600000, // 1 hour
-             path: '/',
-             domain: 'yourdomain.com'
-           });
-           ```
-      
-      8. **Implement Rate Limiting**
-         - Apply rate limiting to authentication endpoints
-         - Prevent brute force attacks
-         - Example with express-rate-limit:
-           ```javascript
-           const rateLimit = require('express-rate-limit');
-           
-           const loginLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000, // 15 minutes
-             max: 5, // 5 attempts per window
-             standardHeaders: true,
-             legacyHeaders: false,
-             message: {
-               error: 'Too many login attempts, please try again after 15 minutes'
-             }
-           });
-           
-           app.post('/login', loginLimiter, (req, res) => {
-             // Handle login
-           });
-           ```
-      
-      9. **Implement Proper Session Management**
-         - Use secure session management libraries
-         - Rotate session IDs after login
-         - Example:
-           ```javascript
-           const session = require('express-session');
-           
-           app.use(session({
-             secret: process.env.SESSION_SECRET,
-             resave: false,
-             saveUninitialized: false,
-             cookie: {
-               secure: true,
-               httpOnly: true,
-               sameSite: 'strict',
-               maxAge: 3600000 // 1 hour
-             }
-           }));
-           
-           app.post('/login', (req, res) => {
-             // Authenticate user
-             
-             // Regenerate session to prevent session fixation
-             req.session.regenerate((err) => {
-               if (err) {
-                 return res.status(500).json({ error: 'Failed to create session' });
-               }
-               
-               // Set authenticated user in session
-               req.session.userId = user.id;
-               req.session.authenticated = true;
-               
-               res.json({ success: true });
-             });
-           });
-           ```
-      
-      10. **Implement Proper Access Control for APIs**
-          - Use OAuth 2.0 or JWT for API authentication
-          - Implement proper scope checking
-          - Example with JWT:
-            ```javascript
-            const jwt = require('jsonwebtoken');
-            
-            function verifyToken(req, res, next) {
-              const token = req.headers.authorization?.split(' ')[1];
-              
-              if (!token) {
-                return res.status(401).json({ error: 'No token provided' });
-              }
-              
-              try {
-                const decoded = jwt.verify(token, process.env.JWT_SECRET);
-                req.user = decoded;
-                
-                // Check if token has required scope
-                if (req.route.path === '/api/admin' && !decoded.scopes.includes('admin')) {
-                  return res.status(403).json({ error: 'Insufficient scope' });
-                }
-                
-                next();
-              } catch (error) {
-                return res.status(401).json({ error: 'Invalid token' });
-              }
-            }
-            
-            // Protect API routes
-            app.get('/api/users', verifyToken, (req, res) => {
-              // Handle request
-            });
-            ```
+           next();
+         } catch (error) {
+           next(error);
+         }
+       };
+     }
+     
+     // Usage
+     app.post('/articles', 
+       authenticate,
+       checkPermission('article:create'), 
+       (req, res) => {
+         // Create article
+       }
+     );
+     ```
 
-  - type: validate
-    conditions:
-      # Check 1: Authentication middleware
-      - pattern: "(?:app\\.use\\((?:authenticate|auth\\.initialize|passport\\.initialize|express-session|jwt))|(?:passport\\.authenticate\\()|(?:auth\\.required)"
-        message: "Authentication middleware is implemented correctly."
-      
-      # Check 2: Authorization checks
-      - pattern: "(?:isAuthorized|checkPermission|hasRole|requireRole|checkAccess|canAccess|checkAuth|roleRequired|requireScope)"
-        message: "Authorization checks are implemented."
-      
-      # Check 3: CSRF protection
-      - pattern: "(?:csrf|csurf|csrfProtection|antiForgery|csrfToken)"
-        message: "CSRF protection is implemented."
+4. **Protect Against Insecure Direct Object References (IDOR)**
+   - Validate that the requested resource belongs to the user
+   - Use indirect references or access control lists
+   - Example:
+     ```javascript
+     app.get('/documents/:id', authenticate, async (req, res) => {
+       try {
+         const document = await Document.findById(req.params.id);
+         
+         // Check if document exists
+         if (!document) {
+           return res.status(404).json({ error: 'Document not found' });
+         }
+         
+         // Check if user owns the document or has access
+         if (document.userId !== req.user.id && 
+             !(await userHasAccess(req.user.id, document.id))) {
+           return res.status(403).json({ error: 'Access denied' });
+         }
+         
+         res.json(document);
+       } catch (error) {
+         res.status(500).json({ error: error.message });
+       }
+     });
+     ```
+
+5. **Implement Proper CORS Configuration**
+   - Never use wildcard (*) in production
+   - Whitelist specific trusted origins
+   - Example:
+     ```javascript
+     const cors = require('cors');
+     
+     const corsOptions = {
+       origin: ['https://trusted-app.com', 'https://admin.trusted-app.com'],
+       methods: ['GET', 'POST', 'PUT', 'DELETE'],
+       allowedHeaders: ['Content-Type', 'Authorization'],
+       credentials: true,
+       maxAge: 86400 // 24 hours
+     };
+     
+     app.use(cors(corsOptions));
+     ```
+
+6. **Implement CSRF Protection**
+   - Use anti-CSRF tokens for state-changing operations
+   - Validate the token on the server
+   - Example with csurf:
+     ```javascript
+     const csrf = require('csurf');
+     
+     // Setup CSRF protection
+     const csrfProtection = csrf({ cookie: true });
+     
+     // Generate CSRF token
+     app.get('/form', csrfProtection, (req, res) => {
+       res.render('form', { csrfToken: req.csrfToken() });
+     });
+     
+     // Validate CSRF token
+     app.post('/process', csrfProtection, (req, res) => {
+       // Process the request
+     });
+     ```
+
+7. **Implement Secure Cookie Settings**
+   - Set secure, httpOnly, and sameSite attributes
+   - Use appropriate expiration times
+   - Example:
+     ```javascript
+     res.cookie('sessionId', sessionId, {
+       httpOnly: true,  // Prevents JavaScript access
+       secure: true,    // Only sent over HTTPS
+       sameSite: 'strict', // Prevents CSRF attacks
+       maxAge: 3600000, // 1 hour
+       path: '/',
+       domain: 'yourdomain.com'
+     });
+     ```
+
+8. **Implement Rate Limiting**
+   - Apply rate limiting to authentication endpoints
+   - Prevent brute force attacks
+   - Example with express-rate-limit:
+     ```javascript
+     const rateLimit = require('express-rate-limit');
+     
+     const loginLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000, // 15 minutes
+       max: 5, // 5 attempts per window
+       standardHeaders: true,
+       legacyHeaders: false,
+       message: {
+         error: 'Too many login attempts, please try again after 15 minutes'
+       }
+     });
+     
+     app.post('/login', loginLimiter, (req, res) => {
+       // Handle login
+     });
+     ```
+
+9. **Implement Proper Session Management**
+   - Use secure session management libraries
+   - Rotate session IDs after login
+   - Example:
+     ```javascript
+     const session = require('express-session');
+     
+     app.use(session({
+       secret: process.env.SESSION_SECRET,
+       resave: false,
+       saveUninitialized: false,
+       cookie: {
+         secure: true,
+         httpOnly: true,
+         sameSite: 'strict',
+         maxAge: 3600000 // 1 hour
+       }
+     }));
+     
+     app.post('/login', (req, res) => {
+       // Authenticate user
+       
+       // Regenerate session to prevent session fixation
+       req.session.regenerate((err) => {
+         if (err) {
+           return res.status(500).json({ error: 'Failed to create session' });
+         }
+         
+         // Set authenticated user in session
+         req.session.userId = user.id;
+         req.session.authenticated = true;
+         
+         res.json({ success: true });
+       });
+     });
+     ```
+
+10. **Implement Proper Access Control for APIs**
+    - Use OAuth 2.0 or JWT for API authentication
+    - Implement proper scope checking
+    - Example with JWT:
+      ```javascript
+      const jwt = require('jsonwebtoken');
       
-      # Check 4: Secure cookies
-      - pattern: "(?:cookie|cookies).*(?:secure:\\s*true|httpOnly:\\s*true|sameSite)"
-        message: "Secure cookie settings are configured."
+      function verifyToken(req, res, next) {
+        const token = req.headers.authorization?.split(' ')[1];
+        
+        if (!token) {
+          return res.status(401).json({ error: 'No token provided' });
+        }
+        
+        try {
+          const decoded = jwt.verify(token, process.env.JWT_SECRET);
+          req.user = decoded;
+          
+          // Check if token has required scope
+          if (req.route.path === '/api/admin' && !decoded.scopes.includes('admin')) {
+            return res.status(403).json({ error: 'Insufficient scope' });
+          }
+          
+          next();
+        } catch (error) {
+          return res.status(401).json({ error: 'Invalid token' });
+        }
+      }
       
-      # Check 5: CORS configuration
-      - pattern: "cors\\(\\{[^\\}]*?origin:\\s*\\[[^\\]]+\\]"
-        message: "CORS is configured with specific origins rather than wildcards."
+      // Protect API routes
+      app.get('/api/users', verifyToken, (req, res) => {
+        // Handle request
+      });
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - access-control
-    - authorization
-    - authentication
-    - owasp
-    - language:javascript
-    - language:typescript
-    - framework:express
-    - framework:react
-    - framework:angular
-    - framework:vue
-    - category:security
-    - subcategory:access-control
-    - standard:owasp-top10
-    - risk:a01-broken-access-control
-  references:
-    - "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html"
-    - "https://nodejs.org/en/security/best-practices/"
-    - "https://expressjs.com/en/advanced/best-practice-security.html"
-    - "https://auth0.com/blog/node-js-and-express-tutorial-building-and-securing-restful-apis/"
-</rule> 
+- Authentication middleware is implemented correctly.
+- Authorization checks are implemented.
+- CSRF protection is implemented.
+- Secure cookie settings are configured.
+- CORS is configured with specific origins rather than wildcards.
diff --git a/.cursor/rules/javascript-cryptographic-failures.mdc b/.cursor/rules/javascript-cryptographic-failures.mdc
index a02100c..6a70f4c 100644
--- a/.cursor/rules/javascript-cryptographic-failures.mdc
+++ b/.cursor/rules/javascript-cryptographic-failures.mdc
@@ -4,301 +4,218 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Cryptographic Failures (OWASP A02:2021)
 
-<rule>
-name: javascript_cryptographic_failures
-description: Detect and prevent cryptographic failures in JavaScript applications as defined in OWASP Top 10:2021-A02
+> Priority: high · Version: 1.0
+
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
+
+## Required Checks
+
+- Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms.
+- Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault.
+- Using Math.random() for security purposes. Use crypto.randomBytes() or Web Crypto API for cryptographic operations.
+- Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ for secure communications.
+- SSL certificate validation is disabled. Always validate certificates in production environments.
+- Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding.
+- Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits.
+- Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, scrypt, or PBKDF2.
+- Ensure you're using a proper random salt with password hashing functions.
+- Cookies with sensitive data should have secure and httpOnly flags enabled.
+- Performing sensitive cryptographic operations on the client side. Move encryption/decryption logic to the server.
+- JWT implementation missing expiration or using weak algorithm. Set expiresIn and use a strong algorithm.
+- Using potentially weak pseudorandom number generator. Use crypto.randomBytes() for cryptographic security.
+- Storing sensitive data in browser storage. Use secure HttpOnly cookies for authentication tokens.
+- Weak password validation. Require at least 12 characters with a mix of uppercase, lowercase, numbers, and special characters.
+
+## Recommendations
+
+**JavaScript Cryptography Best Practices:**
+
+1. **Secure Password Storage:**
+   - Use dedicated password hashing algorithms:
+     ```javascript
+     // Node.js with bcrypt
+     const bcrypt = require('bcrypt');
+     const saltRounds = 12;
+     const hashedPassword = await bcrypt.hash(password, saltRounds);
+     
+     // Verify password
+     const match = await bcrypt.compare(password, hashedPassword);
+     ```
+   - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
+     ```javascript
+     // Node.js with crypto
+     const crypto = require('crypto');
+     
+     function hashPassword(password) {
+       const salt = crypto.randomBytes(16);
+       const hash = crypto.pbkdf2Sync(password, salt, 310000, 32, 'sha256');
+       return { salt: salt.toString('hex'), hash: hash.toString('hex') };
+     }
+     ```
+
+2. **Secure Random Number Generation:**
+   - In Node.js:
+     ```javascript
+     const crypto = require('crypto');
+     const randomBytes = crypto.randomBytes(32); // 256 bits of randomness
+     ```
+   - In browsers:
+     ```javascript
+     const array = new Uint8Array(32);
+     window.crypto.getRandomValues(array);
+     ```
+
+3. **Secure Communications:**
+   - Use TLS 1.2+ for all communications:
+     ```javascript
+     // Node.js HTTPS server
+     const https = require('https');
+     const fs = require('fs');
+     
+     const options = {
+       key: fs.readFileSync('private-key.pem'),
+       cert: fs.readFileSync('certificate.pem'),
+       minVersion: 'TLSv1.2'
+     };
+     
+     https.createServer(options, (req, res) => {
+       res.writeHead(200);
+       res.end('Hello, world!');
+     }).listen(443);
+     ```
+   - Always validate certificates:
+     ```javascript
+     // Node.js HTTPS request
+     const https = require('https');
+     
+     const options = {
+       hostname: 'example.com',
+       port: 443,
+       path: '/',
+       method: 'GET',
+       rejectUnauthorized: true // Default, but explicitly set for clarity
+     };
+     
+     const req = https.request(options, (res) => {
+       // Handle response
+     });
+     ```
+
+4. **Proper Key Management:**
+   - Never hardcode secrets in source code
+   - Use environment variables or secure vaults:
+     ```javascript
+     // Node.js with dotenv
+     require('dotenv').config();
+     const apiKey = process.env.API_KEY;
+     ```
+   - Consider using dedicated key management services
+
+5. **Secure Encryption:**
+   - Use authenticated encryption (AES-GCM):
+     ```javascript
+     // Node.js crypto
+     const crypto = require('crypto');
+     
+     function encrypt(text, masterKey) {
+       const iv = crypto.randomBytes(12);
+       const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
+       
+       let encrypted = cipher.update(text, 'utf8', 'hex');
+       encrypted += cipher.final('hex');
+       
+       const authTag = cipher.getAuthTag().toString('hex');
+       
+       return {
+         iv: iv.toString('hex'),
+         encrypted,
+         authTag
+       };
+     }
+     
+     function decrypt(encrypted, masterKey) {
+       const decipher = crypto.createDecipheriv(
+         'aes-256-gcm',
+         masterKey,
+         Buffer.from(encrypted.iv, 'hex')
+       );
+       
+       decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
+       
+       let decrypted = decipher.update(encrypted.encrypted, 'hex', 'utf8');
+       decrypted += decipher.final('utf8');
+       
+       return decrypted;
+     }
+     ```
+
+6. **Secure Cookie Handling:**
+   - Set secure and httpOnly flags:
+     ```javascript
+     // Express.js
+     res.cookie('session', sessionId, {
+       httpOnly: true,
+       secure: true,
+       sameSite: 'strict',
+       maxAge: 3600000 // 1 hour
+     });
+     ```
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Weak or insecure cryptographic algorithms
-      - pattern: "(?:createHash|crypto\\.createHash)\\(['\"](?:md5|sha1)['\"]\\)|(?:crypto|require\\(['\"]crypto['\"]\\))\\.(?:createHash|Hash)\\(['\"](?:md5|sha1)['\"]\\)|new (?:MD5|SHA1)\\(|CryptoJS\\.(?:MD5|SHA1)\\("
-        message: "Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms."
-        
-      # Pattern 2: Hardcoded secrets/credentials
-      - pattern: "(?:const|let|var)\\s+(?:password|secret|key|token|auth|apiKey|api_key)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault."
-        
-      # Pattern 3: Insecure random number generation
-      - pattern: "Math\\.random\\(\\)|Math\\.floor\\(\\s*Math\\.random\\(\\)\\s*\\*"
-        message: "Using Math.random() for security purposes. Use crypto.randomBytes() or Web Crypto API for cryptographic operations."
-        
-      # Pattern 4: Weak SSL/TLS configuration
-      - pattern: "(?:tls|https|require\\(['\"]https['\"]\\)|require\\(['\"]tls['\"]\\))\\.(?:createServer|request|get)\\([^\\)]*?{[^}]*?secureProtocol\\s*:\\s*['\"](?:SSLv2_method|SSLv3_method|TLSv1_method|TLSv1_1_method)['\"]"
-        message: "Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ for secure communications."
-        
-      # Pattern 5: Missing certificate validation
-      - pattern: "(?:rejectUnauthorized|strictSSL)\\s*:\\s*false"
-        message: "SSL certificate validation is disabled. Always validate certificates in production environments."
-        
-      # Pattern 6: Insecure cipher usage
-      - pattern: "(?:createCipheriv|crypto\\.createCipheriv)\\(['\"](?:des|des3|rc4|bf|blowfish|aes-\\d+-ecb)['\"]"
-        message: "Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding."
-        
-      # Pattern 7: Insufficient key length
-      - pattern: "(?:generateKeyPair|generateKeyPairSync)\\([^,]*?['\"]rsa['\"][^,]*?{[^}]*?modulusLength\\s*:\\s*(\\d{1,3}|1[0-9]{3}|20[0-3][0-9]|204[0-7])\\s*}"
-        message: "Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits."
-        
-      # Pattern 8: Insecure password hashing
-      - pattern: "(?:createHash|crypto\\.createHash)\\([^)]*?\\)\\.(?:update|digest)\\([^)]*?\\)|CryptoJS\\.(?:SHA256|SHA512|SHA3)\\([^)]*?\\)"
-        negative_pattern: "(?:bcrypt|scrypt|pbkdf2|argon2)"
-        message: "Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, scrypt, or PBKDF2."
-        
-      # Pattern 9: Missing salt in password hashing
-      - pattern: "(?:pbkdf2|pbkdf2Sync)\\([^,]+,[^,]+,[^,]+,\\s*\\d+\\s*,[^,]+\\)"
-        negative_pattern: "(?:salt|crypto\\.randomBytes)"
-        message: "Ensure you're using a proper random salt with password hashing functions."
-        
-      # Pattern 10: Insecure cookie settings
-      - pattern: "(?:document\\.cookie|cookies\\.set|res\\.cookie|cookie\\.serialize)\\([^)]*?\\)"
-        negative_pattern: "(?:secure\\s*:|httpOnly\\s*:|sameSite\\s*:)"
-        message: "Cookies with sensitive data should have secure and httpOnly flags enabled."
-        
-      # Pattern 11: Client-side encryption
-      - pattern: "(?:encrypt|decrypt|createCipher|createDecipher)\\([^)]*?\\)"
-        location: "(?:frontend|client|browser|react|vue|angular)"
-        message: "Performing sensitive cryptographic operations on the client side. Move encryption/decryption logic to the server."
-        
-      # Pattern 12: Insecure JWT implementation
-      - pattern: "(?:jwt\\.sign|jsonwebtoken\\.sign)\\([^,]*?,[^,]*?,[^\\)]*?\\)"
-        negative_pattern: "(?:expiresIn|algorithm\\s*:\\s*['\"](?:HS256|HS384|HS512|RS256|RS384|RS512|ES256|ES384|ES512)['\"])"
-        message: "JWT implementation missing expiration or using weak algorithm. Set expiresIn and use a strong algorithm."
-        
-      # Pattern 13: Weak PRNG in Node.js
-      - pattern: "(?:crypto\\.pseudoRandomBytes|crypto\\.rng|crypto\\.randomInt)\\("
-        message: "Using potentially weak pseudorandom number generator. Use crypto.randomBytes() for cryptographic security."
-        
-      # Pattern 14: Insecure local storage usage for sensitive data
-      - pattern: "(?:localStorage\\.setItem|sessionStorage\\.setItem)\\(['\"](?:token|auth|jwt|password|secret|key|credential)['\"]"
-        message: "Storing sensitive data in browser storage. Use secure HttpOnly cookies for authentication tokens."
-        
-      # Pattern 15: Weak password validation
-      - pattern: "(?:password\\.length\\s*>=?\\s*\\d|password\\.match\\(['\"][^'\"]+['\"]\\))"
-        negative_pattern: "(?:password\\.length\\s*>=?\\s*(?:8|9|10|11|12)|[A-Z]|[a-z]|[0-9]|[^A-Za-z0-9])"
-        message: "Weak password validation. Require at least 12 characters with a mix of uppercase, lowercase, numbers, and special characters."
+7. **JWT Security:**
+   - Use strong algorithms and set expiration:
+     ```javascript
+     // Node.js with jsonwebtoken
+     const jwt = require('jsonwebtoken');
+     
+     const token = jwt.sign(
+       { userId: user.id },
+       process.env.JWT_SECRET,
+       { 
+         expiresIn: '1h',
+         algorithm: 'HS256'
+       }
+     );
+     ```
+   - Validate tokens properly:
+     ```javascript
+     try {
+       const decoded = jwt.verify(token, process.env.JWT_SECRET);
+       // Process request with decoded data
+     } catch (err) {
+       // Handle invalid token
+     }
+     ```
 
-  - type: suggest
-    message: |
-      **JavaScript Cryptography Best Practices:**
-      
-      1. **Secure Password Storage:**
-         - Use dedicated password hashing algorithms:
-           ```javascript
-           // Node.js with bcrypt
-           const bcrypt = require('bcrypt');
-           const saltRounds = 12;
-           const hashedPassword = await bcrypt.hash(password, saltRounds);
-           
-           // Verify password
-           const match = await bcrypt.compare(password, hashedPassword);
-           ```
-         - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
-           ```javascript
-           // Node.js with crypto
-           const crypto = require('crypto');
-           
-           function hashPassword(password) {
-             const salt = crypto.randomBytes(16);
-             const hash = crypto.pbkdf2Sync(password, salt, 310000, 32, 'sha256');
-             return { salt: salt.toString('hex'), hash: hash.toString('hex') };
-           }
-           ```
-      
-      2. **Secure Random Number Generation:**
-         - In Node.js:
-           ```javascript
-           const crypto = require('crypto');
-           const randomBytes = crypto.randomBytes(32); // 256 bits of randomness
-           ```
-         - In browsers:
-           ```javascript
-           const array = new Uint8Array(32);
-           window.crypto.getRandomValues(array);
-           ```
-      
-      3. **Secure Communications:**
-         - Use TLS 1.2+ for all communications:
-           ```javascript
-           // Node.js HTTPS server
-           const https = require('https');
-           const fs = require('fs');
-           
-           const options = {
-             key: fs.readFileSync('private-key.pem'),
-             cert: fs.readFileSync('certificate.pem'),
-             minVersion: 'TLSv1.2'
-           };
-           
-           https.createServer(options, (req, res) => {
-             res.writeHead(200);
-             res.end('Hello, world!');
-           }).listen(443);
-           ```
-         - Always validate certificates:
-           ```javascript
-           // Node.js HTTPS request
-           const https = require('https');
-           
-           const options = {
-             hostname: 'example.com',
-             port: 443,
-             path: '/',
-             method: 'GET',
-             rejectUnauthorized: true // Default, but explicitly set for clarity
-           };
-           
-           const req = https.request(options, (res) => {
-             // Handle response
-           });
-           ```
-      
-      4. **Proper Key Management:**
-         - Never hardcode secrets in source code
-         - Use environment variables or secure vaults:
-           ```javascript
-           // Node.js with dotenv
-           require('dotenv').config();
-           const apiKey = process.env.API_KEY;
-           ```
-         - Consider using dedicated key management services
-      
-      5. **Secure Encryption:**
-         - Use authenticated encryption (AES-GCM):
-           ```javascript
-           // Node.js crypto
-           const crypto = require('crypto');
-           
-           function encrypt(text, masterKey) {
-             const iv = crypto.randomBytes(12);
-             const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
-             
-             let encrypted = cipher.update(text, 'utf8', 'hex');
-             encrypted += cipher.final('hex');
-             
-             const authTag = cipher.getAuthTag().toString('hex');
-             
-             return {
-               iv: iv.toString('hex'),
-               encrypted,
-               authTag
-             };
-           }
-           
-           function decrypt(encrypted, masterKey) {
-             const decipher = crypto.createDecipheriv(
-               'aes-256-gcm',
-               masterKey,
-               Buffer.from(encrypted.iv, 'hex')
-             );
-             
-             decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
-             
-             let decrypted = decipher.update(encrypted.encrypted, 'hex', 'utf8');
-             decrypted += decipher.final('utf8');
-             
-             return decrypted;
-           }
-           ```
-      
-      6. **Secure Cookie Handling:**
-         - Set secure and httpOnly flags:
-           ```javascript
-           // Express.js
-           res.cookie('session', sessionId, {
-             httpOnly: true,
-             secure: true,
-             sameSite: 'strict',
-             maxAge: 3600000 // 1 hour
-           });
-           ```
-      
-      7. **JWT Security:**
-         - Use strong algorithms and set expiration:
-           ```javascript
-           // Node.js with jsonwebtoken
-           const jwt = require('jsonwebtoken');
-           
-           const token = jwt.sign(
-             { userId: user.id },
-             process.env.JWT_SECRET,
-             { 
-               expiresIn: '1h',
-               algorithm: 'HS256'
-             }
-           );
-           ```
-         - Validate tokens properly:
-           ```javascript
-           try {
-             const decoded = jwt.verify(token, process.env.JWT_SECRET);
-             // Process request with decoded data
-           } catch (err) {
-             // Handle invalid token
-           }
-           ```
-      
-      8. **Constant-Time Comparison:**
-         - Use crypto.timingSafeEqual for comparing secrets:
-           ```javascript
-           const crypto = require('crypto');
-           
-           function safeCompare(a, b) {
-             const bufA = Buffer.from(a);
-             const bufB = Buffer.from(b);
-             
-             // Ensure the buffers are the same length to avoid timing attacks
-             // based on length differences
-             if (bufA.length !== bufB.length) {
-               return false;
-             }
-             
-             return crypto.timingSafeEqual(bufA, bufB);
-           }
-           ```
+8. **Constant-Time Comparison:**
+   - Use crypto.timingSafeEqual for comparing secrets:
+     ```javascript
+     const crypto = require('crypto');
+     
+     function safeCompare(a, b) {
+       const bufA = Buffer.from(a);
+       const bufB = Buffer.from(b);
+       
+       // Ensure the buffers are the same length to avoid timing attacks
+       // based on length differences
+       if (bufA.length !== bufB.length) {
+         return false;
+       }
+       
+       return crypto.timingSafeEqual(bufA, bufB);
+     }
+     ```
 
-  - type: validate
-    conditions:
-      # Check 1: Proper password hashing
-      - pattern: "bcrypt\\.hash|scrypt|pbkdf2|argon2"
-        message: "Using secure password hashing algorithm."
-      
-      # Check 2: Secure random generation
-      - pattern: "crypto\\.randomBytes|window\\.crypto\\.getRandomValues"
-        message: "Using cryptographically secure random number generation."
-      
-      # Check 3: Strong TLS configuration
-      - pattern: "minVersion\\s*:\\s*['\"]TLSv1_2['\"]|minVersion\\s*:\\s*['\"]TLSv1_3['\"]"
-        message: "Using secure TLS configuration."
-      
-      # Check 4: Proper certificate validation
-      - pattern: "rejectUnauthorized\\s*:\\s*true|strictSSL\\s*:\\s*true"
-        message: "Properly validating SSL certificates."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - cryptography
-    - encryption
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:cryptography
-    - standard:owasp-top10
-    - risk:a02-cryptographic-failures
-  references:
-    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
-    - "https://nodejs.org/api/crypto.html"
-    - "https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto"
-    - "https://www.npmjs.com/package/bcrypt"
-    - "https://www.npmjs.com/package/jsonwebtoken"
-</rule> 
+- Using secure password hashing algorithm.
+- Using cryptographically secure random number generation.
+- Using secure TLS configuration.
+- Properly validating SSL certificates.
diff --git a/.cursor/rules/javascript-identification-authentication-failures.mdc b/.cursor/rules/javascript-identification-authentication-failures.mdc
index a7d3f51..6b19696 100644
--- a/.cursor/rules/javascript-identification-authentication-failures.mdc
+++ b/.cursor/rules/javascript-identification-authentication-failures.mdc
@@ -4,490 +4,396 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Identification and Authentication Failures (OWASP A07:2021)
 
-<rule>
-name: javascript_identification_authentication_failures
-description: Detect and prevent identification and authentication failures in JavaScript applications as defined in OWASP Top 10:2021-A07
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Weak Password Validation
-      - pattern: "(?:password|passwd|pwd)\\s*\\.\\s*(?:length\\s*[<>]=?\\s*(?:[0-9]|10)\\b|match\\(\\s*['\"][^'\"]*['\"]\\s*\\))"
-        message: "Weak password validation detected. Implement strong password policies requiring minimum length, complexity, and avoiding common passwords."
-        
-      # Pattern 2: Missing MFA Implementation
-      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:mfa|2fa|two-factor|multi-factor|otp|totp)"
-        message: "Authentication implementation without multi-factor authentication (MFA). Consider implementing MFA for enhanced security."
-        
-      # Pattern 3: Hardcoded Credentials
-      - pattern: "(?:const|let|var)\\s+(?:password|passwd|pwd|secret|key|token|apiKey)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Hardcoded credentials detected. Store sensitive authentication data in secure configuration or environment variables."
-        
-      # Pattern 4: Insecure Session Management
-      - pattern: "(?:localStorage|sessionStorage)\\.setItem\\(['\"](?:token|jwt|session|auth|user)['\"]"
-        message: "Storing authentication tokens in localStorage or sessionStorage. Consider using HttpOnly cookies for sensitive authentication data."
-        
-      # Pattern 5: Missing CSRF Protection
-      - pattern: "(?:post|put|delete|patch)\\([^)]*?\\)"
-        negative_pattern: "(?:csrf|xsrf|token)"
-        location: "(?:src|components|pages|api)"
-        message: "Potential missing CSRF protection in API requests. Implement CSRF tokens for state-changing operations."
-        
-      # Pattern 6: Insecure JWT Handling
-      - pattern: "jwt\\.sign\\([^)]*?{[^}]*?}\\s*,\\s*[^,)]+\\s*(?:\\)|,\\s*{\\s*(?:expiresIn|algorithm)\\s*:\\s*[^}]*?}\\s*\\))"
-        negative_pattern: "(?:expiresIn|exp).*(?:algorithm|alg)"
-        message: "Insecure JWT configuration. Ensure JWTs have proper expiration and use secure algorithms (RS256 preferred over HS256)."
-        
-      # Pattern 7: Insecure Password Storage
-      - pattern: "(?:bcrypt|argon2|pbkdf2|scrypt)\\.[^(]*\\([^)]*?(?:rounds|iterations|cost|factor)\\s*[:<=>]\\s*(?:[0-9]|1[0-2])\\b"
-        message: "Weak password hashing parameters. Use sufficient work factors for password hashing algorithms."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
+
+## Required Checks
+
+- Weak password validation detected. Implement strong password policies requiring minimum length, complexity, and avoiding common passwords.
+- Authentication implementation without multi-factor authentication (MFA). Consider implementing MFA for enhanced security.
+- Hardcoded credentials detected. Store sensitive authentication data in secure configuration or environment variables.
+- Storing authentication tokens in localStorage or sessionStorage. Consider using HttpOnly cookies for sensitive authentication data.
+- Potential missing CSRF protection in API requests. Implement CSRF tokens for state-changing operations.
+- Insecure JWT configuration. Ensure JWTs have proper expiration and use secure algorithms (RS256 preferred over HS256).
+- Weak password hashing parameters. Use sufficient work factors for password hashing algorithms.
+- Authentication implementation without account lockout or rate limiting. Implement account lockout after failed attempts.
+- Potentially insecure password recovery mechanism. Implement secure, time-limited recovery tokens.
+- Authentication without CAPTCHA or rate limiting. Implement protection against brute force attacks.
+- Potentially insecure 'Remember Me' functionality. Implement with secure, HttpOnly cookies and proper expiration.
+- Potentially incomplete logout implementation. Ensure proper invalidation of sessions and tokens on logout.
+- Missing session timeout configuration. Implement proper session expiration for security.
+- Potentially insecure OAuth implementation. Use state parameters, PKCE for authorization code flow, and validate redirect URIs.
+- Missing input validation for user credentials. Implement proper validation and sanitization.
+
+## Recommendations
+
+**JavaScript Identification and Authentication Failures Best Practices:**
+
+1. **Strong Password Policies:**
+   - Implement minimum length (at least 12 characters)
+   - Require complexity (uppercase, lowercase, numbers, special characters)
+   - Check against common password lists
+   - Example:
+     ```javascript
+     // Using a library like zxcvbn for password strength estimation
+     import zxcvbn from 'zxcvbn';
+     
+     function validatePassword(password) {
+       if (password.length < 12) {
+         return { valid: false, message: 'Password must be at least 12 characters' };
+       }
+       
+       const strength = zxcvbn(password);
+       if (strength.score < 3) {
+         return { 
+           valid: false, 
+           message: 'Password is too weak. ' + strength.feedback.warning 
+         };
+       }
+       
+       return { valid: true };
+     }
+     ```
+
+2. **Multi-Factor Authentication (MFA):**
+   - Implement TOTP (Time-based One-Time Password)
+   - Support hardware security keys (WebAuthn/FIDO2)
+   - Example:
+     ```javascript
+     // Using speakeasy for TOTP implementation
+     import speakeasy from 'speakeasy';
+     
+     // Generate a secret for a user
+     const secret = speakeasy.generateSecret({ length: 20 });
+     
+     // Verify a token
+     function verifyToken(token, secret) {
+       return speakeasy.totp.verify({
+         secret: secret.base32,
+         encoding: 'base32',
+         token: token,
+         window: 1 // Allow 1 period before and after for clock drift
+       });
+     }
+     ```
+
+3. **Secure Session Management:**
+   - Use HttpOnly, Secure, and SameSite cookies
+   - Implement proper session expiration
+   - Example:
+     ```javascript
+     // Express.js example
+     app.use(session({
+       secret: process.env.SESSION_SECRET,
+       name: '__Host-session', // Prefix with __Host- for added security
+       cookie: {
+         httpOnly: true,
+         secure: true, // Requires HTTPS
+         sameSite: 'strict',
+         maxAge: 3600000, // 1 hour
+         path: '/'
+       },
+       resave: false,
+       saveUninitialized: false
+     }));
+     ```
+
+4. **CSRF Protection:**
+   - Implement CSRF tokens for all state-changing operations
+   - Example:
+     ```javascript
+     // Using csurf middleware with Express
+     import csrf from 'csurf';
+     
+     // Setup CSRF protection
+     const csrfProtection = csrf({ cookie: true });
+     
+     // Apply to routes
+     app.post('/api/user/profile', csrfProtection, (req, res) => {
+       // Handle the request
+     });
+     
+     // In your frontend (React example)
+     function ProfileForm() {
+       // Get CSRF token from cookie or meta tag
+       const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
+       
+       return (
+         <form method="POST" action="/api/user/profile">
+           <input type="hidden" name="_csrf" value={csrfToken} />
+           {/* Form fields */}
+           <button type="submit">Update Profile</button>
+         </form>
+       );
+     }
+     ```
+
+5. **Secure JWT Implementation:**
+   - Use strong algorithms (RS256 preferred over HS256)
+   - Include proper expiration (exp), issued at (iat), and audience (aud) claims
+   - Example:
+     ```javascript
+     import jwt from 'jsonwebtoken';
+     import fs from 'fs';
+     
+     // Using asymmetric keys (preferred for production)
+     const privateKey = fs.readFileSync('private.key');
+     
+     function generateToken(userId) {
+       return jwt.sign(
+         { 
+           sub: userId,
+           iat: Math.floor(Date.now() / 1000),
+           exp: Math.floor(Date.now() / 1000) + (60 * 60), // 1 hour
+           aud: 'your-app-name'
+         },
+         privateKey,
+         { algorithm: 'RS256' }
+       );
+     }
+     ```
+
+6. **Secure Password Storage:**
+   - Use bcrypt, Argon2, or PBKDF2 with sufficient work factor
+   - Example:
+     ```javascript
+     import bcrypt from 'bcrypt';
+     
+     async function hashPassword(password) {
+       // Cost factor of 12+ for production
+       const saltRounds = 12;
+       return await bcrypt.hash(password, saltRounds);
+     }
+     
+     async function verifyPassword(password, hash) {
+       return await bcrypt.compare(password, hash);
+     }
+     ```
+
+7. **Account Lockout and Rate Limiting:**
+   - Implement progressive delays or account lockout after failed attempts
+   - Example:
+     ```javascript
+     import rateLimit from 'express-rate-limit';
+     
+     // Apply rate limiting to login endpoint
+     const loginLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000, // 15 minutes
+       max: 5, // 5 attempts per window
+       message: 'Too many login attempts, please try again after 15 minutes',
+       standardHeaders: true,
+       legacyHeaders: false,
+     });
+     
+     app.post('/api/login', loginLimiter, (req, res) => {
+       // Handle login
+     });
+     ```
+
+8. **Secure Password Recovery:**
+   - Use time-limited, single-use tokens
+   - Send to verified email addresses only
+   - Example:
+     ```javascript
+     import crypto from 'crypto';
+     
+     function generatePasswordResetToken() {
+       return {
+         token: crypto.randomBytes(32).toString('hex'),
+         expires: new Date(Date.now() + 3600000) // 1 hour
+       };
+     }
+     
+     // Store token in database with user ID and expiration
+     // Send token via email (never include in URL directly)
+     // Verify token is valid and not expired when used
+     ```
+
+9. **Brute Force Protection:**
+   - Implement CAPTCHA or reCAPTCHA
+   - Example:
+     ```javascript
+     // Using Google reCAPTCHA v3
+     async function verifyRecaptcha(token) {
+       const response = await fetch('https://www.google.com/recaptcha/api/siteverify', {
+         method: 'POST',
+         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+         body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`
+       });
+       
+       const data = await response.json();
+       return data.success && data.score >= 0.5; // Adjust threshold as needed
+     }
+     
+     app.post('/api/login', async (req, res) => {
+       const { recaptchaToken } = req.body;
+       
+       if (!(await verifyRecaptcha(recaptchaToken))) {
+         return res.status(400).json({ error: 'CAPTCHA verification failed' });
+       }
+       
+       // Continue with login process
+     });
+     ```
+
+10. **Secure Logout Implementation:**
+    - Invalidate sessions on both client and server
+    - Example:
+      ```javascript
+      app.post('/api/logout', (req, res) => {
+        // Clear server-side session
+        req.session.destroy((err) => {
+          if (err) {
+            return res.status(500).json({ error: 'Failed to logout' });
+          }
+          
+          // Clear client-side cookie
+          res.clearCookie('__Host-session', {
+            httpOnly: true,
+            secure: true,
+            sameSite: 'strict',
+            path: '/'
+          });
+          
+          res.status(200).json({ message: 'Logged out successfully' });
+        });
+      });
+      ```
+
+11. **Secure OAuth Implementation:**
+    - Use state parameter to prevent CSRF
+    - Implement PKCE for authorization code flow
+    - Validate redirect URIs against whitelist
+    - Example:
+      ```javascript
+      // Generate state and code verifier for PKCE
+      function generateOAuthState() {
+        return crypto.randomBytes(32).toString('hex');
+      }
+      
+      function generateCodeVerifier() {
+        return crypto.randomBytes(43).toString('base64url');
+      }
+      
+      function generateCodeChallenge(verifier) {
+        const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
+        return hash;
+      }
+      
+      // Store state and code verifier in session
+      // Use code challenge in authorization request
+      // Verify state and use code verifier in token request
+      ```
+
+12. **Input Validation:**
+    - Validate and sanitize all user inputs
+    - Example:
+      ```javascript
+      import validator from 'validator';
+      
+      function validateCredentials(email, password) {
+        const errors = {};
         
-      # Pattern 8: Missing Account Lockout
-      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:lock|attempt|count|limit|throttle|rate)"
-        message: "Authentication implementation without account lockout or rate limiting. Implement account lockout after failed attempts."
+        if (!validator.isEmail(email)) {
+          errors.email = 'Invalid email format';
+        }
         
-      # Pattern 9: Insecure Password Recovery
-      - pattern: "(?:reset|forgot|recover)(?:Password|Pwd)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:expire|timeout|token|verify)"
-        message: "Potentially insecure password recovery mechanism. Implement secure, time-limited recovery tokens."
+        if (!password || password.length < 12) {
+          errors.password = 'Password must be at least 12 characters';
+        }
         
-      # Pattern 10: Missing Brute Force Protection
-      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:captcha|recaptcha|hcaptcha|rate\\s*limit)"
-        message: "Authentication without CAPTCHA or rate limiting. Implement protection against brute force attacks."
+        return {
+          isValid: Object.keys(errors).length === 0,
+          errors
+        };
+      }
+      ```
+
+13. **Secure Headers:**
+    - Implement security headers for authentication-related pages
+    - Example:
+      ```javascript
+      // Using helmet with Express
+      import helmet from 'helmet';
+      
+      app.use(helmet({
+        contentSecurityPolicy: {
+          directives: {
+            defaultSrc: ["'self'"],
+            scriptSrc: ["'self'", 'https://www.google.com/recaptcha/', 'https://www.gstatic.com/recaptcha/'],
+            frameSrc: ["'self'", 'https://www.google.com/recaptcha/'],
+            styleSrc: ["'self'", "'unsafe-inline'"],
+            connectSrc: ["'self'"]
+          }
+        },
+        referrerPolicy: { policy: 'same-origin' }
+      }));
+      ```
+
+14. **Credential Stuffing Protection:**
+    - Implement device fingerprinting and anomaly detection
+    - Example:
+      ```javascript
+      // Simple device fingerprinting
+      function getDeviceFingerprint(req) {
+        return {
+          ip: req.ip,
+          userAgent: req.headers['user-agent'],
+          acceptLanguage: req.headers['accept-language']
+        };
+      }
+      
+      // Check if login is from a new device
+      async function isNewDevice(userId, fingerprint) {
+        // Compare with stored fingerprints for this user
+        // Alert or require additional verification for new devices
+      }
+      ```
+
+15. **Secure Password Change:**
+    - Require current password verification
+    - Example:
+      ```javascript
+      async function changePassword(userId, currentPassword, newPassword) {
+        // Retrieve user from database
+        const user = await getUserById(userId);
         
-      # Pattern 11: Insecure Remember Me Functionality
-      - pattern: "(?:rememberMe|keepLoggedIn|staySignedIn)"
-        negative_pattern: "(?:secure|httpOnly|sameSite)"
-        message: "Potentially insecure 'Remember Me' functionality. Implement with secure, HttpOnly cookies and proper expiration."
+        // Verify current password
+        const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
+        if (!isValid) {
+          return { success: false, message: 'Current password is incorrect' };
+        }
         
-      # Pattern 12: Insecure Logout Implementation
-      - pattern: "(?:logout|signout)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:invalidate|revoke|clear|remove).*(?:token|session|cookie)"
-        message: "Potentially incomplete logout implementation. Ensure proper invalidation of sessions and tokens on logout."
+        // Validate new password strength
+        const validation = validatePassword(newPassword);
+        if (!validation.valid) {
+          return { success: false, message: validation.message };
+        }
         
-      # Pattern 13: Missing Session Timeout
-      - pattern: "(?:session|cookie|jwt)\\s*\\.\\s*(?:create|set|sign)"
-        negative_pattern: "(?:expire|timeout|maxAge)"
-        message: "Missing session timeout configuration. Implement proper session expiration for security."
+        // Hash and store new password
+        const newHash = await bcrypt.hash(newPassword, 12);
+        await updateUserPassword(userId, newHash);
         
-      # Pattern 14: Insecure OAuth Implementation
-      - pattern: "(?:oauth|openid|oidc).*(?:callback|redirect)"
-        negative_pattern: "(?:state|nonce|pkce)"
-        message: "Potentially insecure OAuth implementation. Use state parameters, PKCE for authorization code flow, and validate redirect URIs."
+        // Invalidate existing sessions (optional but recommended)
+        await invalidateUserSessions(userId);
         
-      # Pattern 15: Missing Credential Validation
-      - pattern: "(?:email|username|user)\\s*=\\s*(?:req\\.body|req\\.query|req\\.params|formData\\.get)\\(['\"][^'\"]+['\"]\\)"
-        negative_pattern: "(?:validate|sanitize|check|trim)"
-        message: "Missing input validation for user credentials. Implement proper validation and sanitization."
-
-  - type: suggest
-    message: |
-      **JavaScript Identification and Authentication Failures Best Practices:**
-      
-      1. **Strong Password Policies:**
-         - Implement minimum length (at least 12 characters)
-         - Require complexity (uppercase, lowercase, numbers, special characters)
-         - Check against common password lists
-         - Example:
-           ```javascript
-           // Using a library like zxcvbn for password strength estimation
-           import zxcvbn from 'zxcvbn';
-           
-           function validatePassword(password) {
-             if (password.length < 12) {
-               return { valid: false, message: 'Password must be at least 12 characters' };
-             }
-             
-             const strength = zxcvbn(password);
-             if (strength.score < 3) {
-               return { 
-                 valid: false, 
-                 message: 'Password is too weak. ' + strength.feedback.warning 
-               };
-             }
-             
-             return { valid: true };
-           }
-           ```
-      
-      2. **Multi-Factor Authentication (MFA):**
-         - Implement TOTP (Time-based One-Time Password)
-         - Support hardware security keys (WebAuthn/FIDO2)
-         - Example:
-           ```javascript
-           // Using speakeasy for TOTP implementation
-           import speakeasy from 'speakeasy';
-           
-           // Generate a secret for a user
-           const secret = speakeasy.generateSecret({ length: 20 });
-           
-           // Verify a token
-           function verifyToken(token, secret) {
-             return speakeasy.totp.verify({
-               secret: secret.base32,
-               encoding: 'base32',
-               token: token,
-               window: 1 // Allow 1 period before and after for clock drift
-             });
-           }
-           ```
-      
-      3. **Secure Session Management:**
-         - Use HttpOnly, Secure, and SameSite cookies
-         - Implement proper session expiration
-         - Example:
-           ```javascript
-           // Express.js example
-           app.use(session({
-             secret: process.env.SESSION_SECRET,
-             name: '__Host-session', // Prefix with __Host- for added security
-             cookie: {
-               httpOnly: true,
-               secure: true, // Requires HTTPS
-               sameSite: 'strict',
-               maxAge: 3600000, // 1 hour
-               path: '/'
-             },
-             resave: false,
-             saveUninitialized: false
-           }));
-           ```
-      
-      4. **CSRF Protection:**
-         - Implement CSRF tokens for all state-changing operations
-         - Example:
-           ```javascript
-           // Using csurf middleware with Express
-           import csrf from 'csurf';
-           
-           // Setup CSRF protection
-           const csrfProtection = csrf({ cookie: true });
-           
-           // Apply to routes
-           app.post('/api/user/profile', csrfProtection, (req, res) => {
-             // Handle the request
-           });
-           
-           // In your frontend (React example)
-           function ProfileForm() {
-             // Get CSRF token from cookie or meta tag
-             const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
-             
-             return (
-               <form method="POST" action="/api/user/profile">
-                 <input type="hidden" name="_csrf" value={csrfToken} />
-                 {/* Form fields */}
-                 <button type="submit">Update Profile</button>
-               </form>
-             );
-           }
-           ```
-      
-      5. **Secure JWT Implementation:**
-         - Use strong algorithms (RS256 preferred over HS256)
-         - Include proper expiration (exp), issued at (iat), and audience (aud) claims
-         - Example:
-           ```javascript
-           import jwt from 'jsonwebtoken';
-           import fs from 'fs';
-           
-           // Using asymmetric keys (preferred for production)
-           const privateKey = fs.readFileSync('private.key');
-           
-           function generateToken(userId) {
-             return jwt.sign(
-               { 
-                 sub: userId,
-                 iat: Math.floor(Date.now() / 1000),
-                 exp: Math.floor(Date.now() / 1000) + (60 * 60), // 1 hour
-                 aud: 'your-app-name'
-               },
-               privateKey,
-               { algorithm: 'RS256' }
-             );
-           }
-           ```
-      
-      6. **Secure Password Storage:**
-         - Use bcrypt, Argon2, or PBKDF2 with sufficient work factor
-         - Example:
-           ```javascript
-           import bcrypt from 'bcrypt';
-           
-           async function hashPassword(password) {
-             // Cost factor of 12+ for production
-             const saltRounds = 12;
-             return await bcrypt.hash(password, saltRounds);
-           }
-           
-           async function verifyPassword(password, hash) {
-             return await bcrypt.compare(password, hash);
-           }
-           ```
-      
-      7. **Account Lockout and Rate Limiting:**
-         - Implement progressive delays or account lockout after failed attempts
-         - Example:
-           ```javascript
-           import rateLimit from 'express-rate-limit';
-           
-           // Apply rate limiting to login endpoint
-           const loginLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000, // 15 minutes
-             max: 5, // 5 attempts per window
-             message: 'Too many login attempts, please try again after 15 minutes',
-             standardHeaders: true,
-             legacyHeaders: false,
-           });
-           
-           app.post('/api/login', loginLimiter, (req, res) => {
-             // Handle login
-           });
-           ```
-      
-      8. **Secure Password Recovery:**
-         - Use time-limited, single-use tokens
-         - Send to verified email addresses only
-         - Example:
-           ```javascript
-           import crypto from 'crypto';
-           
-           function generatePasswordResetToken() {
-             return {
-               token: crypto.randomBytes(32).toString('hex'),
-               expires: new Date(Date.now() + 3600000) // 1 hour
-             };
-           }
-           
-           // Store token in database with user ID and expiration
-           // Send token via email (never include in URL directly)
-           // Verify token is valid and not expired when used
-           ```
-      
-      9. **Brute Force Protection:**
-         - Implement CAPTCHA or reCAPTCHA
-         - Example:
-           ```javascript
-           // Using Google reCAPTCHA v3
-           async function verifyRecaptcha(token) {
-             const response = await fetch('https://www.google.com/recaptcha/api/siteverify', {
-               method: 'POST',
-               headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-               body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`
-             });
-             
-             const data = await response.json();
-             return data.success && data.score >= 0.5; // Adjust threshold as needed
-           }
-           
-           app.post('/api/login', async (req, res) => {
-             const { recaptchaToken } = req.body;
-             
-             if (!(await verifyRecaptcha(recaptchaToken))) {
-               return res.status(400).json({ error: 'CAPTCHA verification failed' });
-             }
-             
-             // Continue with login process
-           });
-           ```
-      
-      10. **Secure Logout Implementation:**
-          - Invalidate sessions on both client and server
-          - Example:
-            ```javascript
-            app.post('/api/logout', (req, res) => {
-              // Clear server-side session
-              req.session.destroy((err) => {
-                if (err) {
-                  return res.status(500).json({ error: 'Failed to logout' });
-                }
-                
-                // Clear client-side cookie
-                res.clearCookie('__Host-session', {
-                  httpOnly: true,
-                  secure: true,
-                  sameSite: 'strict',
-                  path: '/'
-                });
-                
-                res.status(200).json({ message: 'Logged out successfully' });
-              });
-            });
-            ```
-      
-      11. **Secure OAuth Implementation:**
-          - Use state parameter to prevent CSRF
-          - Implement PKCE for authorization code flow
-          - Validate redirect URIs against whitelist
-          - Example:
-            ```javascript
-            // Generate state and code verifier for PKCE
-            function generateOAuthState() {
-              return crypto.randomBytes(32).toString('hex');
-            }
-            
-            function generateCodeVerifier() {
-              return crypto.randomBytes(43).toString('base64url');
-            }
-            
-            function generateCodeChallenge(verifier) {
-              const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
-              return hash;
-            }
-            
-            // Store state and code verifier in session
-            // Use code challenge in authorization request
-            // Verify state and use code verifier in token request
-            ```
-      
-      12. **Input Validation:**
-          - Validate and sanitize all user inputs
-          - Example:
-            ```javascript
-            import validator from 'validator';
-            
-            function validateCredentials(email, password) {
-              const errors = {};
-              
-              if (!validator.isEmail(email)) {
-                errors.email = 'Invalid email format';
-              }
-              
-              if (!password || password.length < 12) {
-                errors.password = 'Password must be at least 12 characters';
-              }
-              
-              return {
-                isValid: Object.keys(errors).length === 0,
-                errors
-              };
-            }
-            ```
-      
-      13. **Secure Headers:**
-          - Implement security headers for authentication-related pages
-          - Example:
-            ```javascript
-            // Using helmet with Express
-            import helmet from 'helmet';
-            
-            app.use(helmet({
-              contentSecurityPolicy: {
-                directives: {
-                  defaultSrc: ["'self'"],
-                  scriptSrc: ["'self'", 'https://www.google.com/recaptcha/', 'https://www.gstatic.com/recaptcha/'],
-                  frameSrc: ["'self'", 'https://www.google.com/recaptcha/'],
-                  styleSrc: ["'self'", "'unsafe-inline'"],
-                  connectSrc: ["'self'"]
-                }
-              },
-              referrerPolicy: { policy: 'same-origin' }
-            }));
-            ```
-      
-      14. **Credential Stuffing Protection:**
-          - Implement device fingerprinting and anomaly detection
-          - Example:
-            ```javascript
-            // Simple device fingerprinting
-            function getDeviceFingerprint(req) {
-              return {
-                ip: req.ip,
-                userAgent: req.headers['user-agent'],
-                acceptLanguage: req.headers['accept-language']
-              };
-            }
-            
-            // Check if login is from a new device
-            async function isNewDevice(userId, fingerprint) {
-              // Compare with stored fingerprints for this user
-              // Alert or require additional verification for new devices
-            }
-            ```
-      
-      15. **Secure Password Change:**
-          - Require current password verification
-          - Example:
-            ```javascript
-            async function changePassword(userId, currentPassword, newPassword) {
-              // Retrieve user from database
-              const user = await getUserById(userId);
-              
-              // Verify current password
-              const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
-              if (!isValid) {
-                return { success: false, message: 'Current password is incorrect' };
-              }
-              
-              // Validate new password strength
-              const validation = validatePassword(newPassword);
-              if (!validation.valid) {
-                return { success: false, message: validation.message };
-              }
-              
-              // Hash and store new password
-              const newHash = await bcrypt.hash(newPassword, 12);
-              await updateUserPassword(userId, newHash);
-              
-              // Invalidate existing sessions (optional but recommended)
-              await invalidateUserSessions(userId);
-              
-              return { success: true };
-            }
-            ```
+        return { success: true };
+      }
+      ```
 
-  - type: validate
-    conditions:
-      # Check 1: Strong Password Validation
-      - pattern: "(?:password|pwd).*(?:length\\s*>=\\s*(?:1[2-9]|[2-9][0-9]))"
-        message: "Implementing strong password length requirements (12+ characters)."
-      
-      # Check 2: Secure Password Storage
-      - pattern: "(?:bcrypt|argon2|pbkdf2|scrypt)\\.[^(]*\\([^)]*?(?:rounds|iterations|cost|factor)\\s*[:<=>]\\s*(?:1[2-9]|[2-9][0-9])"
-        message: "Using secure password hashing with appropriate work factor."
-      
-      # Check 3: CSRF Protection
-      - pattern: "(?:csrf|xsrf).*(?:token|middleware|protection)"
-        message: "Implementing CSRF protection for state-changing operations."
-      
-      # Check 4: Secure Cookie Configuration
-      - pattern: "(?:cookie|session).*(?:httpOnly|secure|sameSite)"
-        message: "Using secure cookie configuration for sessions."
-      
-      # Check 5: Rate Limiting
-      - pattern: "(?:rate|limit|throttle).*(?:login|signin|auth)"
-        message: "Implementing rate limiting for authentication endpoints."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - authentication
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:authentication
-    - standard:owasp-top10
-    - risk:a07-identification-authentication-failures
-  references:
-    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html"
-    - "https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/"
-    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md"
-    - "https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication"
-</rule> 
+- Implementing strong password length requirements (12+ characters).
+- Using secure password hashing with appropriate work factor.
+- Implementing CSRF protection for state-changing operations.
+- Using secure cookie configuration for sessions.
+- Implementing rate limiting for authentication endpoints.
diff --git a/.cursor/rules/javascript-injection.mdc b/.cursor/rules/javascript-injection.mdc
index 00e33cc..dbadd9d 100644
--- a/.cursor/rules/javascript-injection.mdc
+++ b/.cursor/rules/javascript-injection.mdc
@@ -4,213 +4,169 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Injection Security Rule
 
-<rule>
-name: javascript_injection
-description: Identifies and helps prevent injection vulnerabilities in JavaScript applications, as defined in OWASP Top 10:2021-A03.
+> Priority: critical · Version: 1.1
+
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
+
+## Required Checks
+
+- 🔴 CRITICAL: Potential code injection vulnerability detected.
+  
+  Impact: Attackers can execute arbitrary code in your application context.
+  CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
+  
+  ❌ Insecure:
+  eval(req.body.data)
+  
+  ✅ Secure Alternative:
+  // Use safer alternatives like JSON.parse for JSON data
+  try {
+    const data = JSON.parse(req.body.data);
+    // Process data safely
+  } catch (error) {
+    // Handle parsing errors
+  }
+- 🟠 HIGH: jQuery HTML injection vulnerability detected.
+  
+  Impact: This can lead to Cross-Site Scripting (XSS) attacks.
+  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+  
+  ❌ Insecure:
+  $("<div>" + userProvidedData + "</div>")
+  
+  ✅ Secure Alternative:
+  // Create element safely, then set text content
+  const div = $("<div></div>");
+  div.text(userProvidedData);
+- 🟠 HIGH: Potential DOM-based XSS vulnerability.
+  
+  Impact: Attackers can inject malicious HTML/JavaScript into your page.
+  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+  
+  ❌ Insecure:
+  document.write("<h1>" + userGeneratedContent + "</h1>");
+  
+  ✅ Secure Alternative:
+  // Use safer DOM manipulation methods
+  const h1 = document.createElement("h1");
+  h1.textContent = userGeneratedContent;
+  document.body.appendChild(h1);
+- 🟠 HIGH: Potential DOM-based XSS through innerHTML/outerHTML.
+  
+  Impact: Setting HTML content directly can allow script injection.
+  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+  
+  ❌ Insecure:
+  element.innerHTML = userProvidedData;
+  
+  ✅ Secure Alternative:
+  // Option 1: Use textContent instead for text
+  element.textContent = userProvidedData;
+  
+  // Option 2: Sanitize if HTML is required
+  import DOMPurify from 'dompurify';
+  element.innerHTML = DOMPurify.sanitize(userProvidedData);
+- 🟠 HIGH: jQuery HTML injection risk detected.
+  
+  Impact: Setting HTML content can lead to XSS vulnerabilities.
+  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+  
+  ❌ Insecure:
+  $("#element").html(userProvidedData);
+  
+  ✅ Secure Alternative:
+  // Option 1: Use text() instead for text
+  $("#element").text(userProvidedData);
+  
+  // Option 2: Sanitize if HTML is required
+  import DOMPurify from 'dompurify';
+  $("#element").html(DOMPurify.sanitize(userProvidedData));
+- 🔴 CRITICAL: Dynamic require() can lead to remote code execution.
+  
+  Impact: Attackers can load arbitrary modules or access sensitive files.
+  CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
+  
+  ❌ Insecure:
+  const module = require(req.query.module);
+  
+  ✅ Secure Alternative:
+  // Use a whitelisproach
+  const allowedModules = {
+    'user': './modules/user',
+    'product': './modules/product'
+  };
+  
+  const moduleName = req.query.module;
+  if (allowedModules[moduleName]) {
+    const module = require(allowedModules[moduleName]);
+    // Use module safely
+  } else {
+    // Handle invalid module request
+  }
+- 🔴 CRITICAL: Command injection vulnerability detected.
+  
+  Impact: Attackers can execute arbitrary system commands.
+  CWE Reference: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
+  
+  ❌ Insecure:
+  exec('ls ' + userInput, (error, stdout, stderr) => {
+    // Process output
+  });
+  
+  ✅ Secure Alternative:
+  // Use child_process.execFile with separate arguments
+  import { execFile } from 'child_process';
+  
+  execFile('ls', [safeDirectory], (error, stdout, stderr) => {
+    // Process output safely
+  });
+  
+  // Or use a validation library to sanitize inputs
+  import validator from 'validator';
+  if (validator.isAlphanumeric(userInput)) {
+    exec('ls ' + userInput, (error, stdout, stderr) => {
+      // Process output
+    });
+  }
+
+## Recommendations
+
+**JavaScript Injection Prevention Best Practices:**
+
+1. **Input Validation:**
+   - Validate all user inputs both client-side and server-side
+   - Use allowlists instead of blocklists
+   - Apply strict type checking and schema validation
+
+2. **Output Encoding:**
+   - Always encode/escape output in the correct context (HTML, JavaScript, CSS, URL)
+   - Use libraries like DOMPurify for HTML sanitization
+   - Avoid building HTML, JavaScript, SQL dynamically from user inputs
+
+3. **Content Security Policy (CSP):**
+   - Implement a strict CSP to prevent execution of malicious scripts
+   - Use nonce-based or hash-based CSP to allow only specific scripts
+
+4. **Structured Data Formats:**
+   - Use structured data formats like JSON, XML with proper parsers
+   - Avoid manually parsing or constructing these formats
 
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "eval\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
-        severity: "critical"
-        message: |
-          🔴 CRITICAL: Potential code injection vulnerability detected.
-          
-          Impact: Attackers can execute arbitrary code in your application context.
-          CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
-          
-          ❌ Insecure:
-          eval(req.body.data)
-          
-          ✅ Secure Alternative:
-          // Use safer alternatives like JSON.parse for JSON data
-          try {
-            const data = JSON.parse(req.body.data);
-            // Process data safely
-          } catch (error) {
-            // Handle parsing errors
-          }
-        learn_more_url: "https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval_Injection"
-      
-      - pattern: "\\$\\(\\s*(['\"])<[^>]+>\\1\\s*\\)"
-        severity: "high"
-        message: |
-          🟠 HIGH: jQuery HTML injection vulnerability detected.
-          
-          Impact: This can lead to Cross-Site Scripting (XSS) attacks.
-          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-          
-          ❌ Insecure:
-          $("<div>" + userProvidedData + "</div>")
-          
-          ✅ Secure Alternative:
-          // Create element safely, then set text content
-          const div = $("<div></div>");
-          div.text(userProvidedData);
-        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/jQuery_Security_Cheat_Sheet.html"
-      
-      - pattern: "document\\.write\\(|document\\.writeln\\("
-        severity: "high"
-        message: |
-          🟠 HIGH: Potential DOM-based XSS vulnerability.
-          
-          Impact: Attackers can inject malicious HTML/JavaScript into your page.
-          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-          
-          ❌ Insecure:
-          document.write("<h1>" + userGeneratedContent + "</h1>");
-          
-          ✅ Secure Alternative:
-          // Use safer DOM manipulation methods
-          const h1 = document.createElement("h1");
-          h1.textContent = userGeneratedContent;
-          document.body.appendChild(h1);
-        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
-      
-      - pattern: "innerHTML\\s*=|outerHTML\\s*="
-        pattern_negate: "sanitize|DOMPurify|escapeHTML"
-        severity: "high"
-        message: |
-          🟠 HIGH: Potential DOM-based XSS through innerHTML/outerHTML.
-          
-          Impact: Setting HTML content directly can allow script injection.
-          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-          
-          ❌ Insecure:
-          element.innerHTML = userProvidedData;
-          
-          ✅ Secure Alternative:
-          // Option 1: Use textContent instead for text
-          element.textContent = userProvidedData;
-          
-          // Option 2: Sanitize if HTML is required
-          import DOMPurify from 'dompurify';
-          element.innerHTML = DOMPurify.sanitize(userProvidedData);
-        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
-      
-      - pattern: "\\$\\(.*\\)\\.html\\("
-        pattern_negate: "sanitize|DOMPurify|escapeHTML"
-        severity: "high"
-        message: |
-          🟠 HIGH: jQuery HTML injection risk detected.
-          
-          Impact: Setting HTML content can lead to XSS vulnerabilities.
-          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-          
-          ❌ Insecure:
-          $("#element").html(userProvidedData);
-          
-          ✅ Secure Alternative:
-          // Option 1: Use text() instead for text
-          $("#element").text(userProvidedData);
-          
-          // Option 2: Sanitize if HTML is required
-          import DOMPurify from 'dompurify';
-          $("#element").html(DOMPurify.sanitize(userProvidedData));
-        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/jQuery_Security_Cheat_Sheet.html"
-      
-      - pattern: "require\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
-        severity: "critical"
-        message: |
-          🔴 CRITICAL: Dynamic require() can lead to remote code execution.
-          
-          Impact: Attackers can load arbitrary modules or access sensitive files.
-          CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
-          
-          ❌ Insecure:
-          const module = require(req.query.module);
-          
-          ✅ Secure Alternative:
-          // Use a whitelisproach
-          const allowedModules = {
-            'user': './modules/user',
-            'product': './modules/product'
-          };
-          
-          const moduleName = req.query.module;
-          if (allowedModules[moduleName]) {
-            const module = require(allowedModules[moduleName]);
-            // Use module safely
-          } else {
-            // Handle invalid module request
-          }
-        learn_more_url: "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection"
-      
-      - pattern: "exec\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
-        severity: "critical"
-        message: |
-          🔴 CRITICAL: Command injection vulnerability detected.
-          
-          Impact: Attackers can execute arbitrary system commands.
-          CWE Reference: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
-          
-          ❌ Insecure:
-          exec('ls ' + userInput, (error, stdout, stderr) => {
-            // Process output
-          });
-          
-          ✅ Secure Alternative:
-          // Use child_process.execFile with separate arguments
-          import { execFile } from 'child_process';
-          
-          execFile('ls', [safeDirectory], (error, stdout, stderr) => {
-            // Process output safely
-          });
-          
-          // Or use a validation library to sanitize inputs
-          import validator from 'validator';
-          if (validator.isAlphanumeric(userInput)) {
-            exec('ls ' + userInput, (error, stdout, stderr) => {
-              // Process output
-            });
-          }
-        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
+5. **Parameterized APIs:**
+   - Use parameterized APIs for database queries, OS commands
+   - Separate code from data to prevent injection
 
-  - type: suggest
-    message: |
-      **JavaScript Injection Prevention Best Practices:**
-      
-      1. **Input Validation:**
-         - Validate all user inputs both client-side and server-side
-         - Use allowlists instead of blocklists
-         - Apply strict type checking and schema validation
-      
-      2. **Output Encoding:**
-         - Always encode/escape output in the correct context (HTML, JavaScript, CSS, URL)
-         - Use libraries like DOMPurify for HTML sanitization
-         - Avoid building HTML, JavaScript, SQL dynamically from user inputs
-      
-      3. **Content Security Policy (CSP):**
-         - Implement a strict CSP to prevent execution of malicious scripts
-         - Use nonce-based or hash-based CSP to allow only specific scripts
-      
-      4. **Structured Data Formats:**
-         - Use structured data formats like JSON, XML with proper parsers
-         - Avoid manually parsing or constructing these formats
-      
-      5. **Parameterized APIs:**
-         - Use parameterized APIs for database queries, OS commands
-         - Separate code from data to prevent injection
-      
-      6. **DOM Manipulation:**
-         - Prefer .textContent over .innerHTML when displaying user content
-         - Use document.createElement() and node methods instead of directly setting HTML
-      
-      7. **Frameworks and Libraries:**
-         - Keep frameworks and libraries updated to latest secure versions
-         - Many modern frameworks offer built-in protections against common injection attacks
+6. **DOM Manipulation:**
+   - Prefer .textContent over .innerHTML when displaying user content
+   - Use document.createElement() and node methods instead of directly setting HTML
 
-metadata:
-  priority: critical
-  version: 1.1
-  tags: 
-    - language:javascript
-    - category:security
-    - standard:owasp-top10
-    - risk:a03-injection
-  references:
-    - "https://owasp.org/Top10/A03_2021-Injection/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
-    - "https://nodegoat.herokuapp.com/tutorial/a1"
-    - "https://github.com/OWASP/NodeGoat"
-</rule>
+7. **Frameworks and Libraries:**
+   - Keep frameworks and libraries updated to latest secure versions
+   - Many modern frameworks offer built-in protections against common injection attacks
diff --git a/.cursor/rules/javascript-insecure-design.mdc b/.cursor/rules/javascript-insecure-design.mdc
index 2a1ccb4..98c2861 100644
--- a/.cursor/rules/javascript-insecure-design.mdc
+++ b/.cursor/rules/javascript-insecure-design.mdc
@@ -4,488 +4,398 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Insecure Design (OWASP A04:2021)
 
-<rule>
-name: javascript_insecure_design
-description: Detect and prevent insecure design patterns in JavaScript applications as defined in OWASP Top 10:2021-A04
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Lack of Rate Limiting
-      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:rateLimiter|limiter|throttle|rateLimit))"
-        location: "(?:routes|api|controllers)"
-        message: "Potential lack of rate limiting in API endpoint. Consider implementing rate limiting to prevent abuse."
-        
-      # Pattern 2: Insecure Direct Object Reference (IDOR)
-      - pattern: "(?:findById|getById|findOne)\\([^)]*?(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)[^)]*?\\)\\s*(?!.*(?:authorization|permission|access|canAccess|isAuthorized|checkPermission))"
-        location: "(?:routes|api|controllers)"
-        message: "Potential Insecure Direct Object Reference (IDOR) vulnerability. Implement proper authorization checks before accessing objects by ID."
-        
-      # Pattern 3: Lack of Input Validation
-      - pattern: "(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)[a-zA-Z0-9_]+\\s*(?!.*(?:validate|sanitize|check|schema|joi|yup|zod|validator|isValid))"
-        location: "(?:routes|api|controllers)"
-        message: "Potential lack of input validation. Implement proper validation for all user inputs."
-        
-      # Pattern 4: Hardcoded Business Logic
-      - pattern: "if\\s*\\([^)]*?(?:role\\s*===\\s*['\"]admin['\"]|isAdmin\\s*===\\s*true|user\\.role\\s*===\\s*['\"]admin['\"])\\s*\\)"
-        message: "Hardcoded business logic for authorization. Consider using a more flexible role-based access control system."
-        
-      # Pattern 5: Lack of Proper Error Handling
-      - pattern: "catch\\s*\\([^)]*?\\)\\s*\\{[^}]*?(?:console\\.(?:log|error))[^}]*?\\}"
-        negative_pattern: "(?:res\\.status|next\\(err|next\\(error|errorHandler)"
-        message: "Improper error handling. Avoid only logging errors without proper handling or user feedback."
-        
-      # Pattern 6: Insecure Authentication Design
-      - pattern: "(?:password|token|secret|key)\\s*===\\s*(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)"
-        message: "Insecure authentication design. Avoid direct string comparison for passwords or tokens."
-        
-      # Pattern 7: Lack of Proper Logging
-      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:log|logger|winston|bunyan|morgan|audit))"
-        location: "(?:routes|api|controllers)"
-        message: "Lack of proper logging in API endpoint. Implement logging for security-relevant events."
-        
-      # Pattern 8: Insecure Defaults
-      - pattern: "new\\s+(?:Session|Cookie|JWT)\\([^)]*?\\{[^}]*?(?:secure\\s*:\\s*false|httpOnly\\s*:\\s*false|sameSite\\s*:\\s*['\"]none['\"])"
-        message: "Insecure default configuration. Avoid setting secure:false, httpOnly:false, or sameSite:'none' for cookies or sessions."
-        
-      # Pattern 9: Lack of Proper Access Control
-      - pattern: "router\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:authenticate|authorize|requireAuth|isAuthenticated|checkAuth|verifyToken|passport\\.authenticate))"
-        location: "(?:routes|api|controllers)"
-        message: "Potential lack of access control in route definition. Implement proper authentication and authorization middleware."
-        
-      # Pattern 10: Insecure File Operations
-      - pattern: "(?:fs\\.(?:readFile|writeFile|appendFile|readdir|stat|access|open|unlink)|require)\\([^)]*?(?:(?:\\+|\\$\\{|\\`)[^)]*?(?:__dirname|__filename|process\\.cwd\\(\\)|path\\.(?:resolve|join)))"
-        negative_pattern: "path\\.normalize|path\\.resolve|path\\.join"
-        message: "Insecure file operations. Use path.normalize() and validate file paths to prevent directory traversal attacks."
-        
-      # Pattern 11: Lack of Proper Secrets Management
-      - pattern: "(?:apiKey|secret|password|token|credentials)\\s*=\\s*(?:process\\.env\\.[A-Z_]+|config\\.[a-zA-Z0-9_]+|['\"][^'\"]+['\"])"
-        negative_pattern: "(?:vault|secretsManager|keyVault|secretClient)"
-        message: "Insecure secrets management. Consider using a dedicated secrets management solution instead of environment variables or configuration files."
-        
-      # Pattern 12: Insecure Randomness
-      - pattern: "Math\\.random\\(\\)"
-        location: "(?:auth|security|token|password|key|iv|nonce|salt)"
-        message: "Insecure randomness. Use crypto.randomBytes() or a similar cryptographically secure random number generator for security-sensitive operations."
-        
-      # Pattern 13: Lack of Proper Input Sanitization for Templates
-      - pattern: "(?:template|render|compile|ejs\\.render|handlebars\\.compile|pug\\.render)\\([^)]*?(?:(?:\\+|\\$\\{|\\`)[^)]*?(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.))"
-        message: "Potential template injection vulnerability. Sanitize user input before using in templates."
-        
-      # Pattern 14: Insecure WebSocket Implementation
-      - pattern: "new\\s+WebSocket\\([^)]*?\\)|io\\.on\\(['\"]connection['\"]"
-        negative_pattern: "(?:authenticate|authorize|verifyClient|beforeConnect)"
-        message: "Potentially insecure WebSocket implementation. Implement proper authentication and authorization for WebSocket connections."
-        
-      # Pattern 15: Insecure Cross-Origin Resource Sharing (CORS)
-      - pattern: "(?:cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"]|app\\.use\\(cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"])"
-        message: "Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
 
-  - type: suggest
-    message: |
-      **JavaScript Secure Design Best Practices:**
-      
-      1. **Defense in Depth Strategy:**
-         - Implement multiple layers of security controls
-         - Don't rely on a single security mechanism
-         - Example:
-           ```javascript
-           // Multiple layers of protection
-           app.use(helmet()); // HTTP security headers
-           app.use(rateLimit()); // Rate limiting
-           app.use(cors({ origin: allowedOrigins })); // Restricted CORS
-           app.use(express.json({ limit: '10kb' })); // Request size limiting
-           app.use(sanitize()); // Input sanitization
-           ```
-      
-      2. **Proper Access Control:**
-         - Implement role-based access control (RBAC)
-         - Use middleware for authorization checks
-         - Example:
-           ```javascript
-           // Role-based middleware
-           const requireRole = (role) => {
-             return (req, res, next) => {
-               if (!req.user) {
-                 return res.status(401).json({ error: 'Unauthorized' });
-               }
-               
-               if (req.user.role !== role) {
-                 return res.status(403).json({ error: 'Forbidden' });
-               }
-               
-               next();
-             };
-           };
-           
-           // Apply to routes
-           router.get('/admin/users', 
-             authenticate, 
-             requireRole('admin'), 
-             adminController.listUsers
-           );
-           ```
-      
-      3. **Rate Limiting:**
-         - Implement rate limiting for all API endpoints
-         - Use different limits for different endpoints based on sensitivity
-         - Example:
-           ```javascript
-           const rateLimit = require('express-rate-limit');
-           
-           // General API rate limit
-           const apiLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000, // 15 minutes
-             max: 100, // limit each IP to 100 requests per windowMs
-             standardHeaders: true,
-             legacyHeaders: false,
-           });
-           
-           // More strict limit for authentication endpoints
-           const authLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000,
-             max: 5, // limit each IP to 5 login attempts per windowMs
-             standardHeaders: true,
-             legacyHeaders: false,
-           });
-           
-           // Apply rate limiters
-           app.use('/api/', apiLimiter);
-           app.use('/api/auth/', authLimiter);
-           ```
-      
-      4. **Input Validation:**
-         - Validate all user inputs using schema validation
-         - Implement both client and server-side validation
-         - Example:
-           ```javascript
-           const Joi = require('joi');
-           
-           // Define validation schema
-           const userSchema = Joi.object({
-             username: Joi.string().alphanum().min(3).max(30).required(),
-             email: Joi.string().email().required(),
-             password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{8,30}$')).required(),
-             role: Joi.string().valid('user', 'admin').default('user')
-           });
-           
-           // Validation middleware
-           const validateUser = (req, res, next) => {
-             const { error } = userSchema.validate(req.body);
-             if (error) {
-               return res.status(400).json({ error: error.details[0].message });
-             }
-             next();
-           };
-           
-           // Apply validation
-           router.post('/users', validateUser, userController.create);
-           ```
-      
-      5. **Proper Error Handling:**
-         - Implement centralized error handling
-         - Avoid exposing sensitive information in error messages
-         - Example:
-           ```javascript
-           // Centralized error handler
-           app.use((err, req, res, next) => {
-             // Log error for internal use
-             console.error(err.stack);
-             
-             // Send appropriate response to client
-             const statusCode = err.statusCode || 500;
-             res.status(statusCode).json({
-               status: 'error',
-               message: statusCode === 500 ? 'Internal server error' : err.message
-             });
-           });
-           
-           // Custom error class
-           class AppError extends Error {
-             constructor(message, statusCode) {
-               super(message);
-               this.statusCode = statusCode;
-               this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
-               this.isOperational = true;
-               
-               Error.captureStackTrace(this, this.constructor);
-             }
-           }
-           
-           // Usage in controllers
-           if (!user) {
-             return next(new AppError('User not found', 404));
-           }
-           ```
-      
-      6. **Secure Authentication Design:**
-         - Use secure password hashing (bcrypt, Argon2)
-         - Implement proper session management
-         - Use secure token validation
-         - Example:
-           ```javascript
-           const bcrypt = require('bcrypt');
-           const jwt = require('jsonwebtoken');
-           
-           // Password hashing
-           const hashPassword = async (password) => {
-             const salt = await bcrypt.genSalt(12);
-             return bcrypt.hash(password, salt);
-           };
-           
-           // Password verification
-           const verifyPassword = async (password, hashedPassword) => {
-             return await bcrypt.compare(password, hashedPassword);
-           };
-           
-           // Token generation
-           const generateToken = (userId) => {
-             return jwt.sign(
-               { id: userId },
-               process.env.JWT_SECRET,
-               { expiresIn: '1h' }
-             );
-           };
-           
-           // Token verification middleware
-           const verifyToken = (req, res, next) => {
-             const token = req.headers.authorization?.split(' ')[1];
-             
-             if (!token) {
-               return res.status(401).json({ error: 'No token provided' });
-             }
-             
-             try {
-               const decoded = jwt.verify(token, process.env.JWT_SECRET);
-               req.userId = decoded.id;
-               next();
-             } catch (error) {
-               return res.status(401).json({ error: 'Invalid token' });
-             }
-           };
-           ```
-      
-      7. **Comprehensive Logging:**
-         - Log security-relevant events
-         - Include necessary context but avoid sensitive data
-         - Use structured logging
-         - Example:
-           ```javascript
-           const winston = require('winston');
-           
-           // Create logger
-           const logger = winston.createLogger({
-             level: 'info',
-             format: winston.format.json(),
-             defaultMeta: { service: 'user-service' },
-             transports: [
-               new winston.transports.File({ filename: 'error.log', level: 'error' }),
-               new winston.transports.File({ filename: 'combined.log' })
-             ]
-           });
-           
-           // Logging middleware
-           app.use((req, res, next) => {
-             const start = Date.now();
-             
-             res.on('finish', () => {
-               const duration = Date.now() - start;
-               logger.info({
-                 method: req.method,
-                 path: req.path,
-                 statusCode: res.statusCode,
-                 duration,
-                 ip: req.ip,
-                 userId: req.user?.id || 'anonymous'
-               });
-             });
-             
-             next();
-           });
-           
-           // Security event logging
-           logger.warn({
-             event: 'failed_login',
-             username: req.body.username,
-             ip: req.ip,
-             timestamp: new Date().toISOString()
-           });
-           ```
-      
-      8. **Secure Configuration Management:**
-         - Use environment-specific configurations
-         - Validate configuration at startup
-         - Example:
-           ```javascript
-           const Joi = require('joi');
-           
-           // Define environment variables schema
-           const envSchema = Joi.object({
-             NODE_ENV: Joi.string().valid('development', 'production', 'test').required(),
-             PORT: Joi.number().default(3000),
-             DATABASE_URL: Joi.string().required(),
-             JWT_SECRET: Joi.string().min(32).required(),
-             JWT_EXPIRES_IN: Joi.string().default('1h'),
-             CORS_ORIGIN: Joi.string().required()
-           }).unknown();
-           
-           // Validate environment variables
-           const { error, value } = envSchema.validate(process.env);
-           
-           if (error) {
-             throw new Error(`Configuration validation error: ${error.message}`);
-           }
-           
-           // Use validated config
-           const config = {
-             env: value.NODE_ENV,
-             port: value.PORT,
-             db: {
-               url: value.DATABASE_URL
-             },
-             jwt: {
-               secret: value.JWT_SECRET,
-               expiresIn: value.JWT_EXPIRES_IN
-             },
-             cors: {
-               origin: value.CORS_ORIGIN.split(',')
-             }
-           };
-           
-           module.exports = config;
-           ```
-      
-      9. **Secure File Operations:**
-         - Validate and sanitize file paths
-         - Use content-type validation for uploads
-         - Implement file size limits
-         - Example:
-           ```javascript
-           const path = require('path');
-           const fs = require('fs');
-           
-           // Secure file access function
-           const getSecureFilePath = (userInput) => {
-             // Define allowed directory
-             const baseDir = path.resolve(__dirname, '../public/files');
-             
-             // Normalize and resolve full path
-             const normalizedPath = path.normalize(userInput);
-             const fullPath = path.join(baseDir, normalizedPath);
-             
-             // Ensure path is within allowed directory
-             if (!fullPath.startsWith(baseDir)) {
-               throw new Error('Invalid file path');
-             }
-             
-             return fullPath;
-           };
-           
-           // Usage
-           try {
-             const filePath = getSecureFilePath(req.params.filename);
-             const fileContent = fs.readFileSync(filePath, 'utf8');
-             res.send(fileContent);
-           } catch (error) {
-             next(error);
-           }
-           ```
-      
-      10. **Secure WebSocket Implementation:**
-          - Implement authentication for WebSocket connections
-          - Validate and sanitize WebSocket messages
-          - Example:
-            ```javascript
-            const http = require('http');
-            const socketIo = require('socket.io');
-            const jwt = require('jsonwebtoken');
-            
-            const server = http.createServer(app);
-            const io = socketIo(server);
-            
-            // WebSocket authentication middleware
-            io.use((socket, next) => {
-              const token = socket.handshake.auth.token;
-              
-              if (!token) {
-                return next(new Error('Authentication error'));
-              }
-              
-              try {
-                const decoded = jwt.verify(token, process.env.JWT_SECRET);
-                socket.userId = decoded.id;
-                next();
-              } catch (error) {
-                return next(new Error('Authentication error'));
-              }
-            });
-            
-            io.on('connection', (socket) => {
-              console.log(`User ${socket.userId} connected`);
-              
-              // Join user to their own room for private messages
-              socket.join(`user:${socket.userId}`);
-              
-              // Message validation
-              socket.on('message', (data) => {
-                // Validate message data
-                if (!data || !data.content || typeof data.content !== 'string') {
-                  return socket.emit('error', { message: 'Invalid message format' });
-                }
-                
-                // Process message
-                // ...
-              });
-            });
-            ```
+## Required Checks
 
-  - type: validate
-    conditions:
-      # Check 1: Rate limiting implementation
-      - pattern: "(?:rateLimit|rateLimiter|limiter|throttle)\\([^)]*?\\)"
-        message: "Implementing rate limiting for API protection."
-      
-      # Check 2: Input validation
-      - pattern: "(?:validate|sanitize|check|schema|joi|yup|zod|validator|isValid)"
-        message: "Using input validation or schema validation."
+- Potential lack of rate limiting in API endpoint. Consider implementing rate limiting to prevent abuse.
+- Potential Insecure Direct Object Reference (IDOR) vulnerability. Implement proper authorization checks before accessing objects by ID.
+- Potential lack of input validation. Implement proper validation for all user inputs.
+- Hardcoded business logic for authorization. Consider using a more flexible role-based access control system.
+- Improper error handling. Avoid only logging errors without proper handling or user feedback.
+- Insecure authentication design. Avoid direct string comparison for passwords or tokens.
+- Lack of proper logging in API endpoint. Implement logging for security-relevant events.
+- Insecure default configuration. Avoid setting secure:false, httpOnly:false, or sameSite:'none' for cookies or sessions.
+- Potential lack of access control in route definition. Implement proper authentication and authorization middleware.
+- Insecure file operations. Use path.normalize() and validate file paths to prevent directory traversal attacks.
+- Insecure secrets management. Consider using a dedicated secrets management solution instead of environment variables or configuration files.
+- Insecure randomness. Use crypto.randomBytes() or a similar cryptographically secure random number generator for security-sensitive operations.
+- Potential template injection vulnerability. Sanitize user input before using in templates.
+- Potentially insecure WebSocket implementation. Implement proper authentication and authorization for WebSocket connections.
+- Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments.
+
+## Recommendations
+
+**JavaScript Secure Design Best Practices:**
+
+1. **Defense in Depth Strategy:**
+   - Implement multiple layers of security controls
+   - Don't rely on a single security mechanism
+   - Example:
+     ```javascript
+     // Multiple layers of protection
+     app.use(helmet()); // HTTP security headers
+     app.use(rateLimit()); // Rate limiting
+     app.use(cors({ origin: allowedOrigins })); // Restricted CORS
+     app.use(express.json({ limit: '10kb' })); // Request size limiting
+     app.use(sanitize()); // Input sanitization
+     ```
+
+2. **Proper Access Control:**
+   - Implement role-based access control (RBAC)
+   - Use middleware for authorization checks
+   - Example:
+     ```javascript
+     // Role-based middleware
+     const requireRole = (role) => {
+       return (req, res, next) => {
+         if (!req.user) {
+           return res.status(401).json({ error: 'Unauthorized' });
+         }
+         
+         if (req.user.role !== role) {
+           return res.status(403).json({ error: 'Forbidden' });
+         }
+         
+         next();
+       };
+     };
+     
+     // Apply to routes
+     router.get('/admin/users', 
+       authenticate, 
+       requireRole('admin'), 
+       adminController.listUsers
+     );
+     ```
+
+3. **Rate Limiting:**
+   - Implement rate limiting for all API endpoints
+   - Use different limits for different endpoints based on sensitivity
+   - Example:
+     ```javascript
+     const rateLimit = require('express-rate-limit');
+     
+     // General API rate limit
+     const apiLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000, // 15 minutes
+       max: 100, // limit each IP to 100 requests per windowMs
+       standardHeaders: true,
+       legacyHeaders: false,
+     });
+     
+     // More strict limit for authentication endpoints
+     const authLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000,
+       max: 5, // limit each IP to 5 login attempts per windowMs
+       standardHeaders: true,
+       legacyHeaders: false,
+     });
+     
+     // Apply rate limiters
+     app.use('/api/', apiLimiter);
+     app.use('/api/auth/', authLimiter);
+     ```
+
+4. **Input Validation:**
+   - Validate all user inputs using schema validation
+   - Implement both client and server-side validation
+   - Example:
+     ```javascript
+     const Joi = require('joi');
+     
+     // Define validation schema
+     const userSchema = Joi.object({
+       username: Joi.string().alphanum().min(3).max(30).required(),
+       email: Joi.string().email().required(),
+       password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{8,30}$')).required(),
+       role: Joi.string().valid('user', 'admin').default('user')
+     });
+     
+     // Validation middleware
+     const validateUser = (req, res, next) => {
+       const { error } = userSchema.validate(req.body);
+       if (error) {
+         return res.status(400).json({ error: error.details[0].message });
+       }
+       next();
+     };
+     
+     // Apply validation
+     router.post('/users', validateUser, userController.create);
+     ```
+
+5. **Proper Error Handling:**
+   - Implement centralized error handling
+   - Avoid exposing sensitive information in error messages
+   - Example:
+     ```javascript
+     // Centralized error handler
+     app.use((err, req, res, next) => {
+       // Log error for internal use
+       console.error(err.stack);
+       
+       // Send appropriate response to client
+       const statusCode = err.statusCode || 500;
+       res.status(statusCode).json({
+         status: 'error',
+         message: statusCode === 500 ? 'Internal server error' : err.message
+       });
+     });
+     
+     // Custom error class
+     class AppError extends Error {
+       constructor(message, statusCode) {
+         super(message);
+         this.statusCode = statusCode;
+         this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
+         this.isOperational = true;
+         
+         Error.captureStackTrace(this, this.constructor);
+       }
+     }
+     
+     // Usage in controllers
+     if (!user) {
+       return next(new AppError('User not found', 404));
+     }
+     ```
+
+6. **Secure Authentication Design:**
+   - Use secure password hashing (bcrypt, Argon2)
+   - Implement proper session management
+   - Use secure token validation
+   - Example:
+     ```javascript
+     const bcrypt = require('bcrypt');
+     const jwt = require('jsonwebtoken');
+     
+     // Password hashing
+     const hashPassword = async (password) => {
+       const salt = await bcrypt.genSalt(12);
+       return bcrypt.hash(password, salt);
+     };
+     
+     // Password verification
+     const verifyPassword = async (password, hashedPassword) => {
+       return await bcrypt.compare(password, hashedPassword);
+     };
+     
+     // Token generation
+     const generateToken = (userId) => {
+       return jwt.sign(
+         { id: userId },
+         process.env.JWT_SECRET,
+         { expiresIn: '1h' }
+       );
+     };
+     
+     // Token verification middleware
+     const verifyToken = (req, res, next) => {
+       const token = req.headers.authorization?.split(' ')[1];
+       
+       if (!token) {
+         return res.status(401).json({ error: 'No token provided' });
+       }
+       
+       try {
+         const decoded = jwt.verify(token, process.env.JWT_SECRET);
+         req.userId = decoded.id;
+         next();
+       } catch (error) {
+         return res.status(401).json({ error: 'Invalid token' });
+       }
+     };
+     ```
+
+7. **Comprehensive Logging:**
+   - Log security-relevant events
+   - Include necessary context but avoid sensitive data
+   - Use structured logging
+   - Example:
+     ```javascript
+     const winston = require('winston');
+     
+     // Create logger
+     const logger = winston.createLogger({
+       level: 'info',
+       format: winston.format.json(),
+       defaultMeta: { service: 'user-service' },
+       transports: [
+         new winston.transports.File({ filename: 'error.log', level: 'error' }),
+         new winston.transports.File({ filename: 'combined.log' })
+       ]
+     });
+     
+     // Logging middleware
+     app.use((req, res, next) => {
+       const start = Date.now();
+       
+       res.on('finish', () => {
+         const duration = Date.now() - start;
+         logger.info({
+           method: req.method,
+           path: req.path,
+           statusCode: res.statusCode,
+           duration,
+           ip: req.ip,
+           userId: req.user?.id || 'anonymous'
+         });
+       });
+       
+       next();
+     });
+     
+     // Security event logging
+     logger.warn({
+       event: 'failed_login',
+       username: req.body.username,
+       ip: req.ip,
+       timestamp: new Date().toISOString()
+     });
+     ```
+
+8. **Secure Configuration Management:**
+   - Use environment-specific configurations
+   - Validate configuration at startup
+   - Example:
+     ```javascript
+     const Joi = require('joi');
+     
+     // Define environment variables schema
+     const envSchema = Joi.object({
+       NODE_ENV: Joi.string().valid('development', 'production', 'test').required(),
+       PORT: Joi.number().default(3000),
+       DATABASE_URL: Joi.string().required(),
+       JWT_SECRET: Joi.string().min(32).required(),
+       JWT_EXPIRES_IN: Joi.string().default('1h'),
+       CORS_ORIGIN: Joi.string().required()
+     }).unknown();
+     
+     // Validate environment variables
+     const { error, value } = envSchema.validate(process.env);
+     
+     if (error) {
+       throw new Error(`Configuration validation error: ${error.message}`);
+     }
+     
+     // Use validated config
+     const config = {
+       env: value.NODE_ENV,
+       port: value.PORT,
+       db: {
+         url: value.DATABASE_URL
+       },
+       jwt: {
+         secret: value.JWT_SECRET,
+         expiresIn: value.JWT_EXPIRES_IN
+       },
+       cors: {
+         origin: value.CORS_ORIGIN.split(',')
+       }
+     };
+     
+     module.exports = config;
+     ```
+
+9. **Secure File Operations:**
+   - Validate and sanitize file paths
+   - Use content-type validation for uploads
+   - Implement file size limits
+   - Example:
+     ```javascript
+     const path = require('path');
+     const fs = require('fs');
+     
+     // Secure file access function
+     const getSecureFilePath = (userInput) => {
+       // Define allowed directory
+       const baseDir = path.resolve(__dirname, '../public/files');
+       
+       // Normalize and resolve full path
+       const normalizedPath = path.normalize(userInput);
+       const fullPath = path.join(baseDir, normalizedPath);
+       
+       // Ensure path is within allowed directory
+       if (!fullPath.startsWith(baseDir)) {
+         throw new Error('Invalid file path');
+       }
+       
+       return fullPath;
+     };
+     
+     // Usage
+     try {
+       const filePath = getSecureFilePath(req.params.filename);
+       const fileContent = fs.readFileSync(filePath, 'utf8');
+       res.send(fileContent);
+     } catch (error) {
+       next(error);
+     }
+     ```
+
+10. **Secure WebSocket Implementation:**
+    - Implement authentication for WebSocket connections
+    - Validate and sanitize WebSocket messages
+    - Example:
+      ```javascript
+      const http = require('http');
+      const socketIo = require('socket.io');
+      const jwt = require('jsonwebtoken');
       
-      # Check 3: Proper error handling
-      - pattern: "(?:try\\s*\\{[^}]*?\\}\\s*catch\\s*\\([^)]*?\\)\\s*\\{[^}]*?(?:res\\.status|next\\(err|next\\(error|errorHandler))"
-        message: "Implementing proper error handling."
+      const server = http.createServer(app);
+      const io = socketIo(server);
       
-      # Check 4: Authentication middleware
-      - pattern: "(?:authenticate|authorize|requireAuth|isAuthenticated|checkAuth|verifyToken|passport\\.authenticate)"
-        message: "Using authentication middleware for routes."
+      // WebSocket authentication middleware
+      io.use((socket, next) => {
+        const token = socket.handshake.auth.token;
+        
+        if (!token) {
+          return next(new Error('Authentication error'));
+        }
+        
+        try {
+          const decoded = jwt.verify(token, process.env.JWT_SECRET);
+          socket.userId = decoded.id;
+          next();
+        } catch (error) {
+          return next(new Error('Authentication error'));
+        }
+      });
       
-      # Check 5: Secure configuration
-      - pattern: "(?:helmet|cors\\(\\{[^}]*?origin\\s*:\\s*(?!['\"]*\\*)['\"])"
-        message: "Using secure HTTP headers and CORS configuration."
+      io.on('connection', (socket) => {
+        console.log(`User ${socket.userId} connected`);
+        
+        // Join user to their own room for private messages
+        socket.join(`user:${socket.userId}`);
+        
+        // Message validation
+        socket.on('message', (data) => {
+          // Validate message data
+          if (!data || !data.content || typeof data.content !== 'string') {
+            return socket.emit('error', { message: 'Invalid message format' });
+          }
+          
+          // Process message
+          // ...
+        });
+      });
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - design
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:insecure-design
-    - standard:owasp-top10
-    - risk:a04-insecure-design
-  references:
-    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html"
-    - "https://github.com/OWASP/NodeGoat"
-</rule> 
+- Implementing rate limiting for API protection.
+- Using input validation or schema validation.
+- Implementing proper error handling.
+- Using authentication middleware for routes.
+- Using secure HTTP headers and CORS configuration.
diff --git a/.cursor/rules/javascript-performance.mdc b/.cursor/rules/javascript-performance.mdc
index 059ccc4..f21538a 100644
--- a/.cursor/rules/javascript-performance.mdc
+++ b/.cursor/rules/javascript-performance.mdc
@@ -4,30 +4,21 @@ globs: *.js, *.ts
 ---
 # JavaScript Performance Optimization
 
-<rule>
-name: javascript_performance_optimization
-description: Enforce best practices for optimizing JavaScript performance.
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "\\buseState\\(([^)]*)\\)"
-        message: "Avoid unnecessary state updates."
+## Applies To
+- `*.js`
+- `*.ts`
 
-      - pattern: "React\\.memo\\("
-        message: "Consider using React.memo() to optimize component re-renders."
+## Required Checks
 
-      - pattern: "\\b\\(\\)\\s*=>\\s*{"
-        message: "Avoid using anonymous functions in render methods."
+- Avoid unnecessary state updates.
+- Consider using React.memo() to optimize component re-renders.
+- Avoid using anonymous functions in render methods.
 
-  - type: suggest
-    message: |
-      Performance tips:
-      - Use memoization for expensive calculations.
-      - Optimize FlatList with performance props.
-      - Minimize unnecessary re-renders.
+## Recommendations
 
-metadata:
-  priority: high
-  version: 1.0
-</rule>
+Performance tips:
+- Use memoization for expensive calculations.
+- Optimize FlatList with performance props.
+- Minimize unnecessary re-renders.
diff --git a/.cursor/rules/javascript-security-logging-monitoring-failures.mdc b/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
index 8fc33ed..5367f1d 100644
--- a/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
+++ b/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
@@ -4,798 +4,701 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Security Logging and Monitoring Failures (OWASP A09:2021)
 
-<rule>
-name: javascript_security_logging_monitoring_failures
-description: Detect and prevent security logging and monitoring failures in JavaScript applications as defined in OWASP Top 10:2021-A09
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing Error Logging
-      - pattern: "(?:try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{[^}]*})(?![^;{]*(?:console\\.(?:error|warn|log)|logger?\\.(?:error|warn|log)|captureException))"
-        message: "Error caught without proper logging. Implement structured error logging for security events."
-        
-      # Pattern 2: Sensitive Data in Logs
-      - pattern: "console\\.(?:log|warn|error|info|debug)\\s*\\([^)]*(?:password|token|secret|key|credential|auth|jwt|session|cookie)"
-        negative_pattern: "\\*\\*\\*|redact|mask|sanitize"
-        message: "Potential sensitive data in logs. Ensure sensitive information is redacted before logging."
-        
-      # Pattern 3: Missing Authentication Logging
-      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*{[^}]*}"
-        negative_pattern: "(?:log|audit|record|track)\\s*\\("
-        message: "Authentication function without logging. Log authentication attempts, successes, and failures."
-        
-      # Pattern 4: Missing Authorization Logging
-      - pattern: "(?:authorize|checkPermission|hasAccess|isAuthorized|can)\\s*\\([^)]*\\)\\s*{[^}]*}"
-        negative_pattern: "(?:log|audit|record|track)\\s*\\("
-        message: "Authorization check without logging. Log access control decisions, especially denials."
-        
-      # Pattern 5: Insufficient Error Detail
-      - pattern: "(?:console\\.error|logger?\\.error)\\s*\\([^)]*(?:error|err|exception)\\s*\\)"
-        negative_pattern: "(?:error\\.(?:message|stack|code|name)|JSON\\.stringify\\(error\\)|serialize)"
-        message: "Error logging with insufficient detail. Include error type, message, stack trace, and context."
-        
-      # Pattern 6: Missing Security Event Logging
-      - pattern: "(?:bruteForce|rateLimit|block|blacklist|suspicious|anomaly|threat|attack|intrusion|malicious)"
-        negative_pattern: "(?:log|audit|record|track|monitor|alert|notify)"
-        message: "Security event detection without logging. Implement logging for all security-relevant events."
-        
-      # Pattern 7: Inconsistent Log Formats
-      - pattern: "console\\.(?:log|warn|error|info|debug)\\s*\\("
-        negative_pattern: "JSON\\.stringify|structured|format"
-        message: "Inconsistent log format. Use structured logging with consistent formats for easier analysis."
-        
-      # Pattern 8: Missing Log Correlation ID
-      - pattern: "(?:api|http|fetch|axios|request)\\s*\\([^)]*\\)"
-        negative_pattern: "(?:correlationId|requestId|traceId|spanId|context)"
-        message: "API request without correlation ID. Include correlation IDs in logs for request tracing."
-        
-      # Pattern 9: Missing High-Value Transaction Logging
-      - pattern: "(?:payment|transaction|order|purchase|transfer|withdraw|deposit)\\s*\\([^)]*\\)"
-        negative_pattern: "(?:log|audit|record|track)"
-        message: "High-value transaction without audit logging. Implement comprehensive logging for all transactions."
-        
-      # Pattern 10: Client-Side Logging Issues
-      - pattern: "(?:window\\.onerror|window\\.addEventListener\\s*\\(\\s*['\"]error['\"])"
-        negative_pattern: "(?:send|report|log|capture|track)"
-        message: "Client-side error handler without reporting. Implement error reporting to backend services."
-        
-      # Pattern 11: Missing Log Levels
-      - pattern: "console\\.log\\s*\\("
-        negative_pattern: "logger?\\.(?:error|warn|info|debug|trace)"
-        message: "Using console.log without proper log levels. Implement a logging library with appropriate log levels."
-        
-      # Pattern 12: Missing Monitoring Integration
-      - pattern: "package\\.json"
-        negative_pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch|winston|bunyan|pino|loglevel)"
-        file_pattern: "package\\.json$"
-        message: "No logging or monitoring dependencies detected. Consider adding a proper logging library and monitoring integration."
-        
-      # Pattern 13: Missing Log Aggregation
-      - pattern: "(?:docker-compose\\.ya?ml|\\.env|\\.env\\.example|Dockerfile)"
-        negative_pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch|logstash|fluentd|kibana)"
-        file_pattern: "(?:docker-compose\\.ya?ml|\\.env|\\.env\\.example|Dockerfile)$"
-        message: "No log aggregation service configured. Implement centralized log collection and analysis."
-        
-      # Pattern 14: Missing Health Checks
-      - pattern: "(?:express|koa|fastify|hapi|http\\.createServer)"
-        negative_pattern: "(?:health|status|heartbeat|alive|ready)"
-        message: "Server without health check endpoint. Implement health checks for monitoring service status."
-        
-      # Pattern 15: Missing Rate Limiting Logs
-      - pattern: "(?:rateLimit|throttle|limiter)"
-        negative_pattern: "(?:log|record|track|monitor|alert|notify)"
-        message: "Rate limiting without logging. Log rate limit events to detect potential attacks."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
 
-  - type: suggest
-    message: |
-      **JavaScript Security Logging and Monitoring Best Practices:**
-      
-      1. **Structured Error Logging:**
-         - Use structured logging formats (JSON)
-         - Include contextual information with errors
-         - Example:
-           ```javascript
-           try {
-             // Operation that might fail
-             processUserData(userData);
-           } catch (error) {
-             logger.error({
-               message: 'Failed to process user data',
-               error: {
-                 name: error.name,
-                 message: error.message,
-                 stack: error.stack
-               },
-               userId: userData.id,
-               context: 'user-processing',
-               timestamp: new Date().toISOString()
-             });
-             // Handle the error appropriately
-           }
-           ```
-      
-      2. **Sensitive Data Redaction:**
-         - Redact sensitive information before logging
-         - Use dedicated functions for sanitization
-         - Example:
-           ```javascript
-           function redactSensitiveData(obj) {
-             const sensitiveFields = ['password', 'token', 'secret', 'creditCard', 'ssn'];
-             const redacted = { ...obj };
-             
-             for (const field of sensitiveFields) {
-               if (field in redacted) {
-                 redacted[field] = '***REDACTED***';
-               }
-             }
-             
-             return redacted;
-           }
-           
-           // Usage
-           logger.info({
-             message: 'User login attempt',
-             user: redactSensitiveData(userData),
+## Required Checks
+
+- Error caught without proper logging. Implement structured error logging for security events.
+- Potential sensitive data in logs. Ensure sensitive information is redacted before logging.
+- Authentication function without logging. Log authentication attempts, successes, and failures.
+- Authorization check without logging. Log access control decisions, especially denials.
+- Error logging with insufficient detail. Include error type, message, stack trace, and context.
+- Security event detection without logging. Implement logging for all security-relevant events.
+- Inconsistent log format. Use structured logging with consistent formats for easier analysis.
+- API request without correlation ID. Include correlation IDs in logs for request tracing.
+- High-value transaction without audit logging. Implement comprehensive logging for all transactions.
+- Client-side error handler without reporting. Implement error reporting to backend services.
+- Using console.log without proper log levels. Implement a logging library with appropriate log levels.
+- No logging or monitoring dependencies detected. Consider adding a proper logging library and monitoring integration.
+- No log aggregation service configured. Implement centralized log collection and analysis.
+- Server without health check endpoint. Implement health checks for monitoring service status.
+- Rate limiting without logging. Log rate limit events to detect potential attacks.
+
+## Recommendations
+
+**JavaScript Security Logging and Monitoring Best Practices:**
+
+1. **Structured Error Logging:**
+   - Use structured logging formats (JSON)
+   - Include contextual information with errors
+   - Example:
+     ```javascript
+     try {
+       // Operation that might fail
+       processUserData(userData);
+     } catch (error) {
+       logger.error({
+         message: 'Failed to process user data',
+         error: {
+           name: error.name,
+           message: error.message,
+           stack: error.stack
+         },
+         userId: userData.id,
+         context: 'user-processing',
+         timestamp: new Date().toISOString()
+       });
+       // Handle the error appropriately
+     }
+     ```
+
+2. **Sensitive Data Redaction:**
+   - Redact sensitive information before logging
+   - Use dedicated functions for sanitization
+   - Example:
+     ```javascript
+     function redactSensitiveData(obj) {
+       const sensitiveFields = ['password', 'token', 'secret', 'creditCard', 'ssn'];
+       const redacted = { ...obj };
+       
+       for (const field of sensitiveFields) {
+         if (field in redacted) {
+           redacted[field] = '***REDACTED***';
+         }
+       }
+       
+       return redacted;
+     }
+     
+     // Usage
+     logger.info({
+       message: 'User login attempt',
+       user: redactSensitiveData(userData),
+       timestamp: new Date().toISOString()
+     });
+     ```
+
+3. **Authentication Logging:**
+   - Log all authentication events
+   - Include success/failure status
+   - Example:
+     ```javascript
+     async function authenticateUser(username, password) {
+       try {
+         const user = await User.findOne({ username });
+         
+         if (!user) {
+           logger.warn({
+             message: 'Authentication failed: user not found',
+             username,
+             ipAddress: req.ip,
+             userAgent: req.headers['user-agent'],
              timestamp: new Date().toISOString()
            });
-           ```
-      
-      3. **Authentication Logging:**
-         - Log all authentication events
-         - Include success/failure status
-         - Example:
-           ```javascript
-           async function authenticateUser(username, password) {
-             try {
-               const user = await User.findOne({ username });
-               
-               if (!user) {
-                 logger.warn({
-                   message: 'Authentication failed: user not found',
-                   username,
-                   ipAddress: req.ip,
-                   userAgent: req.headers['user-agent'],
-                   timestamp: new Date().toISOString()
-                 });
-                 return { success: false, reason: 'invalid_credentials' };
-               }
-               
-               const isValid = await bcrypt.compare(password, user.passwordHash);
-               
-               if (!isValid) {
-                 logger.warn({
-                   message: 'Authentication failed: invalid password',
-                   username,
-                   userId: user.id,
-                   ipAddress: req.ip,
-                   userAgent: req.headers['user-agent'],
-                   timestamp: new Date().toISOString()
-                 });
-                 return { success: false, reason: 'invalid_credentials' };
-               }
-               
-               logger.info({
-                 message: 'User authenticated successfully',
-                 username,
-                 userId: user.id,
-                 ipAddress: req.ip,
-                 userAgent: req.headers['user-agent'],
-                 timestamp: new Date().toISOString()
-               });
-               
-               return { success: true, user };
-             } catch (error) {
-               logger.error({
-                 message: 'Authentication error',
-                 username,
-                 error: {
-                   name: error.name,
-                   message: error.message,
-                   stack: error.stack
-                 },
-                 timestamp: new Date().toISOString()
-               });
-               return { success: false, reason: 'system_error' };
-             }
-           }
-           ```
-      
-      4. **Authorization Logging:**
-         - Log access control decisions
-         - Include user, resource, and action
-         - Example:
-           ```javascript
-           function checkPermission(user, resource, action) {
-             const hasPermission = user.permissions.some(p => 
-               p.resource === resource && p.actions.includes(action)
-             );
-             
-             logger.info({
-               message: `Authorization ${hasPermission ? 'granted' : 'denied'}`,
-               userId: user.id,
-               username: user.username,
-               resource,
-               action,
-               decision: hasPermission ? 'allow' : 'deny',
-               timestamp: new Date().toISOString()
-             });
-             
-             return hasPermission;
-           }
-           ```
-      
-      5. **Comprehensive Error Logging:**
-         - Include detailed error information
-         - Add context for troubleshooting
-         - Example:
-           ```javascript
-           // Using a logging library like Winston
-           const winston = require('winston');
-           
-           const logger = winston.createLogger({
-             level: process.env.LOG_LEVEL || 'info',
-             format: winston.format.combine(
-               winston.format.timestamp(),
-               winston.format.json()
-             ),
-             defaultMeta: { service: 'user-service' },
-             transports: [
-               new winston.transports.Console(),
-               new winston.transports.File({ filename: 'error.log', level: 'error' }),
-               new winston.transports.File({ filename: 'combined.log' })
-             ]
+           return { success: false, reason: 'invalid_credentials' };
+         }
+         
+         const isValid = await bcrypt.compare(password, user.passwordHash);
+         
+         if (!isValid) {
+           logger.warn({
+             message: 'Authentication failed: invalid password',
+             username,
+             userId: user.id,
+             ipAddress: req.ip,
+             userAgent: req.headers['user-agent'],
+             timestamp: new Date().toISOString()
            });
-           
-           // Usage
-           try {
-             // Operation that might fail
-           } catch (error) {
-             logger.error({
-               message: 'Operation failed',
-               operationName: 'processData',
-               error: {
-                 name: error.name,
-                 message: error.message,
-                 code: error.code,
-                 stack: error.stack
-               },
-               context: {
-                 userId: req.user?.id,
-                 requestId: req.id,
-                 path: req.path,
-                 method: req.method
-               }
-             });
-           }
-           ```
+           return { success: false, reason: 'invalid_credentials' };
+         }
+         
+         logger.info({
+           message: 'User authenticated successfully',
+           username,
+           userId: user.id,
+           ipAddress: req.ip,
+           userAgent: req.headers['user-agent'],
+           timestamp: new Date().toISOString()
+         });
+         
+         return { success: true, user };
+       } catch (error) {
+         logger.error({
+           message: 'Authentication error',
+           username,
+           error: {
+             name: error.name,
+             message: error.message,
+             stack: error.stack
+           },
+           timestamp: new Date().toISOString()
+         });
+         return { success: false, reason: 'system_error' };
+       }
+     }
+     ```
+
+4. **Authorization Logging:**
+   - Log access control decisions
+   - Include user, resource, and action
+   - Example:
+     ```javascript
+     function checkPermission(user, resource, action) {
+       const hasPermission = user.permissions.some(p => 
+         p.resource === resource && p.actions.includes(action)
+       );
+       
+       logger.info({
+         message: `Authorization ${hasPermission ? 'granted' : 'denied'}`,
+         userId: user.id,
+         username: user.username,
+         resource,
+         action,
+         decision: hasPermission ? 'allow' : 'deny',
+         timestamp: new Date().toISOString()
+       });
+       
+       return hasPermission;
+     }
+     ```
+
+5. **Comprehensive Error Logging:**
+   - Include detailed error information
+   - Add context for troubleshooting
+   - Example:
+     ```javascript
+     // Using a logging library like Winston
+     const winston = require('winston');
+     
+     const logger = winston.createLogger({
+       level: process.env.LOG_LEVEL || 'info',
+       format: winston.format.combine(
+         winston.format.timestamp(),
+         winston.format.json()
+       ),
+       defaultMeta: { service: 'user-service' },
+       transports: [
+         new winston.transports.Console(),
+         new winston.transports.File({ filename: 'error.log', level: 'error' }),
+         new winston.transports.File({ filename: 'combined.log' })
+       ]
+     });
+     
+     // Usage
+     try {
+       // Operation that might fail
+     } catch (error) {
+       logger.error({
+         message: 'Operation failed',
+         operationName: 'processData',
+         error: {
+           name: error.name,
+           message: error.message,
+           code: error.code,
+           stack: error.stack
+         },
+         context: {
+           userId: req.user?.id,
+           requestId: req.id,
+           path: req.path,
+           method: req.method
+         }
+       });
+     }
+     ```
+
+6. **Security Event Logging:**
+   - Log all security-relevant events
+   - Include detailed context
+   - Example:
+     ```javascript
+     function detectBruteForce(username, ipAddress) {
+       const attempts = getLoginAttempts(username, ipAddress);
+       
+       if (attempts > MAX_ATTEMPTS) {
+         logger.warn({
+           message: 'Possible brute force attack detected',
+           username,
+           ipAddress,
+           attempts,
+           threshold: MAX_ATTEMPTS,
+           action: 'account_temporarily_locked',
+           timestamp: new Date().toISOString()
+         });
+         
+         // Implement account lockout or IP blocking
+         lockAccount(username, LOCKOUT_DURATION);
+         return true;
+       }
+       
+       return false;
+     }
+     ```
+
+7. **Structured Logging Format:**
+   - Use JSON for machine-readable logs
+   - Maintain consistent field names
+   - Example:
+     ```javascript
+     // Using a structured logging library like Pino
+     const pino = require('pino');
+     
+     const logger = pino({
+       level: process.env.LOG_LEVEL || 'info',
+       base: { pid: process.pid, hostname: os.hostname() },
+       timestamp: pino.stdTimeFunctions.isoTime,
+       formatters: {
+         level: (label) => {
+           return { level: label };
+         }
+       }
+     });
+     
+     // Usage
+     logger.info({
+       msg: 'User profile updated',
+       userId: user.id,
+       changes: ['email', 'preferences'],
+       source: 'api'
+     });
+     ```
+
+8. **Request Correlation:**
+   - Use correlation IDs across services
+   - Track request flow through the system
+   - Example:
+     ```javascript
+     // Express middleware for adding correlation IDs
+     const { v4: uuidv4 } = require('uuid');
+     
+     function correlationMiddleware(req, res, next) {
+       // Use existing correlation ID from headers or generate a new one
+       const correlationId = req.headers['x-correlation-id'] || uuidv4();
+       req.correlationId = correlationId;
+       
+       // Add to response headers
+       res.setHeader('x-correlation-id', correlationId);
+       
+       // Add to logger context for this request
+       req.logger = logger.child({ correlationId });
+       
+       next();
+     }
+     
+     // Usage in route handlers
+     app.get('/api/users/:id', (req, res) => {
+       req.logger.info({
+         msg: 'User profile requested',
+         userId: req.params.id,
+         path: req.path,
+         method: req.method
+       });
+       
+       // Process request...
+     });
+     ```
+
+9. **Transaction Logging:**
+   - Log all high-value transactions
+   - Include before/after states
+   - Example:
+     ```javascript
+     async function processPayment(userId, amount, paymentMethod) {
+       logger.info({
+         message: 'Payment processing started',
+         userId,
+         amount,
+         paymentMethod: {
+           type: paymentMethod.type,
+           lastFour: paymentMethod.lastFour
+         },
+         transactionId: generateTransactionId(),
+         timestamp: new Date().toISOString()
+       });
+       
+       try {
+         const result = await paymentGateway.charge({
+           amount,
+           source: paymentMethod.token
+         });
+         
+         logger.info({
+           message: 'Payment processed successfully',
+           userId,
+           amount,
+           transactionId: result.transactionId,
+           gatewayReference: result.reference,
+           status: 'success',
+           timestamp: new Date().toISOString()
+         });
+         
+         return { success: true, transactionId: result.transactionId };
+       } catch (error) {
+         logger.error({
+           message: 'Payment processing failed',
+           userId,
+           amount,
+           error: {
+             name: error.name,
+             message: error.message,
+             code: error.code
+           },
+           status: 'failed',
+           timestamp: new Date().toISOString()
+         });
+         
+         return { success: false, error: error.message };
+       }
+     }
+     ```
+
+10. **Client-Side Error Reporting:**
+    - Send client errors to the backend
+    - Include browser and user context
+    - Example:
+      ```javascript
+      // Client-side error tracking
+      window.addEventListener('error', function(event) {
+        const errorDetails = {
+          message: event.message,
+          source: event.filename,
+          lineno: event.lineno,
+          colno: event.colno,
+          error: {
+            stack: event.error?.stack
+          },
+          url: window.location.href,
+          userAgent: navigator.userAgent,
+          timestamp: new Date().toISOString(),
+          // Add user context if available
+          userId: window.currentUser?.id
+        };
+        
+        // Send to backend logging endpoint
+        fetch('/api/log/client-error', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json'
+          },
+          body: JSON.stringify(errorDetails),
+          // Use keepalive to ensure the request completes even if the page is unloading
+          keepalive: true
+        }).catch(err => {
+          // Fallback if the logging endpoint fails
+          console.error('Failed to send error report:', err);
+        });
+      });
+      ```
+
+11. **Proper Log Levels:**
+    - Use appropriate log levels
+    - Configure based on environment
+    - Example:
+      ```javascript
+      // Using Winston with proper log levels
+      const winston = require('winston');
       
-      6. **Security Event Logging:**
-         - Log all security-relevant events
-         - Include detailed context
-         - Example:
-           ```javascript
-           function detectBruteForce(username, ipAddress) {
-             const attempts = getLoginAttempts(username, ipAddress);
-             
-             if (attempts > MAX_ATTEMPTS) {
-               logger.warn({
-                 message: 'Possible brute force attack detected',
-                 username,
-                 ipAddress,
-                 attempts,
-                 threshold: MAX_ATTEMPTS,
-                 action: 'account_temporarily_locked',
-                 timestamp: new Date().toISOString()
-               });
-               
-               // Implement account lockout or IP blocking
-               lockAccount(username, LOCKOUT_DURATION);
-               return true;
-             }
-             
-             return false;
-           }
-           ```
+      const logger = winston.createLogger({
+        level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
+        levels: winston.config.npm.levels,
+        format: winston.format.combine(
+          winston.format.timestamp(),
+          winston.format.json()
+        ),
+        transports: [
+          new winston.transports.Console({
+            format: winston.format.combine(
+              winston.format.colorize(),
+              winston.format.simple()
+            )
+          })
+        ]
+      });
       
-      7. **Structured Logging Format:**
-         - Use JSON for machine-readable logs
-         - Maintain consistent field names
-         - Example:
-           ```javascript
-           // Using a structured logging library like Pino
-           const pino = require('pino');
-           
-           const logger = pino({
-             level: process.env.LOG_LEVEL || 'info',
-             base: { pid: process.pid, hostname: os.hostname() },
-             timestamp: pino.stdTimeFunctions.isoTime,
-             formatters: {
-               level: (label) => {
-                 return { level: label };
-               }
-             }
-           });
-           
-           // Usage
-           logger.info({
-             msg: 'User profile updated',
-             userId: user.id,
-             changes: ['email', 'preferences'],
-             source: 'api'
-           });
-           ```
+      // Usage with appropriate levels
+      logger.error('Critical application error'); // Always logged
+      logger.warn('Potential issue detected'); // Warning conditions
+      logger.info('Normal operational message'); // Normal but significant
+      logger.http('HTTP request received'); // HTTP request logging
+      logger.verbose('Detailed information'); // Detailed debug information
+      logger.debug('Debugging information'); // For developers
+      logger.silly('Extremely detailed tracing'); // Most granular
+      ```
+
+12. **Monitoring Integration:**
+    - Integrate with monitoring services
+    - Set up alerts for critical issues
+    - Example:
+      ```javascript
+      // Using Sentry for error monitoring
+      const Sentry = require('@sentry/node');
+      const Tracing = require('@sentry/tracing');
+      const express = require('express');
       
-      8. **Request Correlation:**
-         - Use correlation IDs across services
-         - Track request flow through the system
-         - Example:
-           ```javascript
-           // Express middleware for adding correlation IDs
-           const { v4: uuidv4 } = require('uuid');
-           
-           function correlationMiddleware(req, res, next) {
-             // Use existing correlation ID from headers or generate a new one
-             const correlationId = req.headers['x-correlation-id'] || uuidv4();
-             req.correlationId = correlationId;
-             
-             // Add to response headers
-             res.setHeader('x-correlation-id', correlationId);
-             
-             // Add to logger context for this request
-             req.logger = logger.child({ correlationId });
-             
-             next();
-           }
-           
-           // Usage in route handlers
-           app.get('/api/users/:id', (req, res) => {
-             req.logger.info({
-               msg: 'User profile requested',
-               userId: req.params.id,
-               path: req.path,
-               method: req.method
-             });
-             
-             // Process request...
-           });
-           ```
+      const app = express();
       
-      9. **Transaction Logging:**
-         - Log all high-value transactions
-         - Include before/after states
-         - Example:
-           ```javascript
-           async function processPayment(userId, amount, paymentMethod) {
-             logger.info({
-               message: 'Payment processing started',
-               userId,
-               amount,
-               paymentMethod: {
-                 type: paymentMethod.type,
-                 lastFour: paymentMethod.lastFour
-               },
-               transactionId: generateTransactionId(),
-               timestamp: new Date().toISOString()
-             });
-             
-             try {
-               const result = await paymentGateway.charge({
-                 amount,
-                 source: paymentMethod.token
-               });
-               
-               logger.info({
-                 message: 'Payment processed successfully',
-                 userId,
-                 amount,
-                 transactionId: result.transactionId,
-                 gatewayReference: result.reference,
-                 status: 'success',
-                 timestamp: new Date().toISOString()
-               });
-               
-               return { success: true, transactionId: result.transactionId };
-             } catch (error) {
-               logger.error({
-                 message: 'Payment processing failed',
-                 userId,
-                 amount,
-                 error: {
-                   name: error.name,
-                   message: error.message,
-                   code: error.code
-                 },
-                 status: 'failed',
-                 timestamp: new Date().toISOString()
-               });
-               
-               return { success: false, error: error.message };
-             }
-           }
-           ```
+      Sentry.init({
+        dsn: process.env.SENTRY_DSN,
+        integrations: [
+          new Sentry.Integrations.Http({ tracing: true }),
+          new Tracing.Integrations.Express({ app })
+        ],
+        tracesSampleRate: 1.0
+      });
       
-      10. **Client-Side Error Reporting:**
-          - Send client errors to the backend
-          - Include browser and user context
-          - Example:
-            ```javascript
-            // Client-side error tracking
-            window.addEventListener('error', function(event) {
-              const errorDetails = {
-                message: event.message,
-                source: event.filename,
-                lineno: event.lineno,
-                colno: event.colno,
-                error: {
-                  stack: event.error?.stack
-                },
-                url: window.location.href,
-                userAgent: navigator.userAgent,
-                timestamp: new Date().toISOString(),
-                // Add user context if available
-                userId: window.currentUser?.id
-              };
-              
-              // Send to backend logging endpoint
-              fetch('/api/log/client-error', {
-                method: 'POST',
-                headers: {
-                  'Content-Type': 'application/json'
-                },
-                body: JSON.stringify(errorDetails),
-                // Use keepalive to ensure the request completes even if the page is unloading
-                keepalive: true
-              }).catch(err => {
-                // Fallback if the logging endpoint fails
-                console.error('Failed to send error report:', err);
-              });
-            });
-            ```
+      // Use Sentry middleware
+      app.use(Sentry.Handlers.requestHandler());
+      app.use(Sentry.Handlers.tracingHandler());
       
-      11. **Proper Log Levels:**
-          - Use appropriate log levels
-          - Configure based on environment
-          - Example:
-            ```javascript
-            // Using Winston with proper log levels
-            const winston = require('winston');
-            
-            const logger = winston.createLogger({
-              level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
-              levels: winston.config.npm.levels,
-              format: winston.format.combine(
-                winston.format.timestamp(),
-                winston.format.json()
-              ),
-              transports: [
-                new winston.transports.Console({
-                  format: winston.format.combine(
-                    winston.format.colorize(),
-                    winston.format.simple()
-                  )
-                })
-              ]
-            });
-            
-            // Usage with appropriate levels
-            logger.error('Critical application error'); // Always logged
-            logger.warn('Potential issue detected'); // Warning conditions
-            logger.info('Normal operational message'); // Normal but significant
-            logger.http('HTTP request received'); // HTTP request logging
-            logger.verbose('Detailed information'); // Detailed debug information
-            logger.debug('Debugging information'); // For developers
-            logger.silly('Extremely detailed tracing'); // Most granular
-            ```
+      // Your routes here
       
-      12. **Monitoring Integration:**
-          - Integrate with monitoring services
-          - Set up alerts for critical issues
-          - Example:
-            ```javascript
-            // Using Sentry for error monitoring
-            const Sentry = require('@sentry/node');
-            const Tracing = require('@sentry/tracing');
-            const express = require('express');
-            
-            const app = express();
-            
-            Sentry.init({
-              dsn: process.env.SENTRY_DSN,
-              integrations: [
-                new Sentry.Integrations.Http({ tracing: true }),
-                new Tracing.Integrations.Express({ app })
-              ],
-              tracesSampleRate: 1.0
-            });
-            
-            // Use Sentry middleware
-            app.use(Sentry.Handlers.requestHandler());
-            app.use(Sentry.Handlers.tracingHandler());
-            
-            // Your routes here
-            
-            // Error handler
-            app.use(Sentry.Handlers.errorHandler());
-            app.use((err, req, res, next) => {
-              // Custom error handling
-              logger.error({
-                message: 'Express error',
-                error: {
-                  name: err.name,
-                  message: err.message,
-                  stack: err.stack
-                },
-                request: {
-                  path: req.path,
-                  method: req.method,
-                  correlationId: req.correlationId
-                }
-              });
-              
-              res.status(500).json({ error: 'Internal server error' });
-            });
-            ```
+      // Error handler
+      app.use(Sentry.Handlers.errorHandler());
+      app.use((err, req, res, next) => {
+        // Custom error handling
+        logger.error({
+          message: 'Express error',
+          error: {
+            name: err.name,
+            message: err.message,
+            stack: err.stack
+          },
+          request: {
+            path: req.path,
+            method: req.method,
+            correlationId: req.correlationId
+          }
+        });
+        
+        res.status(500).json({ error: 'Internal server error' });
+      });
+      ```
+
+13. **Log Aggregation:**
+    - Set up centralized log collection
+    - Configure log shipping
+    - Example:
+      ```javascript
+      // Using Winston with Elasticsearch transport
+      const winston = require('winston');
+      const { ElasticsearchTransport } = require('winston-elasticsearch');
       
-      13. **Log Aggregation:**
-          - Set up centralized log collection
-          - Configure log shipping
-          - Example:
-            ```javascript
-            // Using Winston with Elasticsearch transport
-            const winston = require('winston');
-            const { ElasticsearchTransport } = require('winston-elasticsearch');
-            
-            const esTransportOpts = {
-              level: 'info',
-              clientOpts: {
-                node: process.env.ELASTICSEARCH_URL,
-                auth: {
-                  username: process.env.ELASTICSEARCH_USERNAME,
-                  password: process.env.ELASTICSEARCH_PASSWORD
-                }
-              },
-              indexPrefix: 'app-logs'
-            };
-            
-            const logger = winston.createLogger({
-              transports: [
-                new winston.transports.Console(),
-                new ElasticsearchTransport(esTransportOpts)
-              ]
-            });
-            ```
-            
-            ```yaml
-            # docker-compose.yml example with ELK stack
-            version: '3'
-            services:
-              app:
-                build: .
-                environment:
-                  - NODE_ENV=production
-                  - ELASTICSEARCH_URL=http://elasticsearch:9200
-                depends_on:
-                  - elasticsearch
-              
-              elasticsearch:
-                image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
-                environment:
-                  - discovery.type=single-node
-                  - ES_JAVA_OPTS=-Xms512m -Xmx512m
-                volumes:
-                  - es_data:/usr/share/elasticsearch/data
-              
-              kibana:
-                image: docker.elastic.co/kibana/kibana:7.14.0
-                ports:
-                  - "5601:5601"
-                depends_on:
-                  - elasticsearch
-              
-              logstash:
-                image: docker.elastic.co/logstash/logstash:7.14.0
-                volumes:
-                  - ./logstash/pipeline:/usr/share/logstash/pipeline
-                depends_on:
-                  - elasticsearch
-            
-            volumes:
-              es_data:
-            ```
+      const esTransportOpts = {
+        level: 'info',
+        clientOpts: {
+          node: process.env.ELASTICSEARCH_URL,
+          auth: {
+            username: process.env.ELASTICSEARCH_USERNAME,
+            password: process.env.ELASTICSEARCH_PASSWORD
+          }
+        },
+        indexPrefix: 'app-logs'
+      };
       
-      14. **Health Checks and Monitoring:**
-          - Implement health check endpoints
-          - Monitor application status
-          - Example:
-            ```javascript
-            const express = require('express');
-            const app = express();
-            
-            // Basic health check endpoint
-            app.get('/health', (req, res) => {
-              const status = {
-                status: 'UP',
-                timestamp: new Date().toISOString(),
-                uptime: process.uptime(),
-                memoryUsage: process.memoryUsage(),
-                version: process.env.npm_package_version
-              };
-              
-              // Add database health check
-              try {
-                // Check database connection
-                status.database = { status: 'UP' };
-              } catch (error) {
-                status.database = { status: 'DOWN', error: error.message };
-                status.status = 'DEGRADED';
-              }
-              
-              // Add external service health checks
-              // ...
-              
-              // Log health check results
-              logger.debug({
-                message: 'Health check performed',
-                result: status
-              });
-              
-              const statusCode = status.status === 'UP' ? 200 : 
-                                status.status === 'DEGRADED' ? 200 : 503;
-              
-              res.status(statusCode).json(status);
-            });
-            
-            // Detailed readiness probe
-            app.get('/ready', async (req, res) => {
-              const checks = [];
-              let isReady = true;
-              
-              // Check database
-              try {
-                await db.ping();
-                checks.push({ component: 'database', status: 'ready' });
-              } catch (error) {
-                isReady = false;
-                checks.push({ 
-                  component: 'database', 
-                  status: 'not ready',
-                  error: error.message
-                });
-              }
-              
-              // Check cache
-              try {
-                await cache.ping();
-                checks.push({ component: 'cache', status: 'ready' });
-              } catch (error) {
-                isReady = false;
-                checks.push({ 
-                  component: 'cache', 
-                  status: 'not ready',
-                  error: error.message
-                });
-              }
-              
-              // Log readiness check
-              logger.debug({
-                message: 'Readiness check performed',
-                isReady,
-                checks
-              });
-              
-              res.status(isReady ? 200 : 503).json({
-                status: isReady ? 'ready' : 'not ready',
-                checks,
-                timestamp: new Date().toISOString()
-              });
-            });
-            ```
+      const logger = winston.createLogger({
+        transports: [
+          new winston.transports.Console(),
+          new ElasticsearchTransport(esTransportOpts)
+        ]
+      });
+      ```
       
-      15. **Rate Limiting with Logging:**
-          - Log rate limit events
-          - Track potential abuse
-          - Example:
-            ```javascript
-            const rateLimit = require('express-rate-limit');
-            
-            // Create rate limiter with logging
-            const apiLimiter = rateLimit({
-              windowMs: 15 * 60 * 1000, // 15 minutes
-              max: 100, // limit each IP to 100 requests per windowMs
-              standardHeaders: true,
-              legacyHeaders: false,
-              handler: (req, res, next, options) => {
-                // Log rate limit exceeded
-                logger.warn({
-                  message: 'Rate limit exceeded',
-                  ip: req.ip,
-                  path: req.path,
-                  method: req.method,
-                  userAgent: req.headers['user-agent'],
-                  currentLimit: options.max,
-                  windowMs: options.windowMs,
-                  correlationId: req.correlationId,
-                  userId: req.user?.id,
-                  timestamp: new Date().toISOString()
-                });
-                
-                res.status(options.statusCode).json({
-                  status: 'error',
-                  message: options.message
-                });
-              },
-              // Called on all requests to track usage
-              onLimitReached: (req, res, options) => {
-                // This is called when a client hits the rate limit
-                logger.warn({
-                  message: 'Client reached rate limit',
-                  ip: req.ip,
-                  path: req.path,
-                  method: req.method,
-                  userAgent: req.headers['user-agent'],
-                  correlationId: req.correlationId,
-                  userId: req.user?.id,
-                  timestamp: new Date().toISOString()
-                });
-                
-                // Consider additional actions like temporary IP ban
-                // or sending alerts for potential attacks
-              }
-            });
-            
-            // Apply to all API routes
-            app.use('/api/', apiLimiter);
-            ```
+      ```yaml
+      # docker-compose.yml example with ELK stack
+      version: '3'
+      services:
+        app:
+          build: .
+          environment:
+            - NODE_ENV=production
+            - ELASTICSEARCH_URL=http://elasticsearch:9200
+          depends_on:
+            - elasticsearch
+        
+        elasticsearch:
+          image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
+          environment:
+            - discovery.type=single-node
+            - ES_JAVA_OPTS=-Xms512m -Xmx512m
+          volumes:
+            - es_data:/usr/share/elasticsearch/data
+        
+        kibana:
+          image: docker.elastic.co/kibana/kibana:7.14.0
+          ports:
+            - "5601:5601"
+          depends_on:
+            - elasticsearch
+        
+        logstash:
+          image: docker.elastic.co/logstash/logstash:7.14.0
+          volumes:
+            - ./logstash/pipeline:/usr/share/logstash/pipeline
+          depends_on:
+            - elasticsearch
+      
+      volumes:
+        es_data:
+      ```
 
-  - type: validate
-    conditions:
-      # Check 1: Structured Logging
-      - pattern: "(?:winston|pino|bunyan|loglevel|morgan|log4js)"
-        message: "Using a structured logging library."
+14. **Health Checks and Monitoring:**
+    - Implement health check endpoints
+    - Monitor application status
+    - Example:
+      ```javascript
+      const express = require('express');
+      const app = express();
       
-      # Check 2: Error Logging
-      - pattern: "try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{[^}]*(?:logger?\\.error|captureException)\\s*\\([^)]*\\)"
-        message: "Implementing proper error logging in catch blocks."
+      // Basic health check endpoint
+      app.get('/health', (req, res) => {
+        const status = {
+          status: 'UP',
+          timestamp: new Date().toISOString(),
+          uptime: process.uptime(),
+          memoryUsage: process.memoryUsage(),
+          version: process.env.npm_package_version
+        };
+        
+        // Add database health check
+        try {
+          // Check database connection
+          status.database = { status: 'UP' };
+        } catch (error) {
+          status.database = { status: 'DOWN', error: error.message };
+          status.status = 'DEGRADED';
+        }
+        
+        // Add external service health checks
+        // ...
+        
+        // Log health check results
+        logger.debug({
+          message: 'Health check performed',
+          result: status
+        });
+        
+        const statusCode = status.status === 'UP' ? 200 : 
+                          status.status === 'DEGRADED' ? 200 : 503;
+        
+        res.status(statusCode).json(status);
+      });
       
-      # Check 3: Sensitive Data Handling
-      - pattern: "(?:redact|mask|sanitize|filter)\\s*\\([^)]*(?:password|token|secret|key|credential)"
-        message: "Implementing sensitive data redaction in logs."
+      // Detailed readiness probe
+      app.get('/ready', async (req, res) => {
+        const checks = [];
+        let isReady = true;
+        
+        // Check database
+        try {
+          await db.ping();
+          checks.push({ component: 'database', status: 'ready' });
+        } catch (error) {
+          isReady = false;
+          checks.push({ 
+            component: 'database', 
+            status: 'not ready',
+            error: error.message
+          });
+        }
+        
+        // Check cache
+        try {
+          await cache.ping();
+          checks.push({ component: 'cache', status: 'ready' });
+        } catch (error) {
+          isReady = false;
+          checks.push({ 
+            component: 'cache', 
+            status: 'not ready',
+            error: error.message
+          });
+        }
+        
+        // Log readiness check
+        logger.debug({
+          message: 'Readiness check performed',
+          isReady,
+          checks
+        });
+        
+        res.status(isReady ? 200 : 503).json({
+          status: isReady ? 'ready' : 'not ready',
+          checks,
+          timestamp: new Date().toISOString()
+        });
+      });
+      ```
+
+15. **Rate Limiting with Logging:**
+    - Log rate limit events
+    - Track potential abuse
+    - Example:
+      ```javascript
+      const rateLimit = require('express-rate-limit');
       
-      # Check 4: Correlation IDs
-      - pattern: "(?:correlationId|requestId|traceId)"
-        message: "Using correlation IDs for request tracing."
+      // Create rate limiter with logging
+      const apiLimiter = rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 100, // limit each IP to 100 requests per windowMs
+        standardHeaders: true,
+        legacyHeaders: false,
+        handler: (req, res, next, options) => {
+          // Log rate limit exceeded
+          logger.warn({
+            message: 'Rate limit exceeded',
+            ip: req.ip,
+            path: req.path,
+            method: req.method,
+            userAgent: req.headers['user-agent'],
+            currentLimit: options.max,
+            windowMs: options.windowMs,
+            correlationId: req.correlationId,
+            userId: req.user?.id,
+            timestamp: new Date().toISOString()
+          });
+          
+          res.status(options.statusCode).json({
+            status: 'error',
+            message: options.message
+          });
+        },
+        // Called on all requests to track usage
+        onLimitReached: (req, res, options) => {
+          // This is called when a client hits the rate limit
+          logger.warn({
+            message: 'Client reached rate limit',
+            ip: req.ip,
+            path: req.path,
+            method: req.method,
+            userAgent: req.headers['user-agent'],
+            correlationId: req.correlationId,
+            userId: req.user?.id,
+            timestamp: new Date().toISOString()
+          });
+          
+          // Consider additional actions like temporary IP ban
+          // or sending alerts for potential attacks
+        }
+      });
       
-      # Check 5: Monitoring Integration
-      - pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch)"
-        message: "Integrating with monitoring or log aggregation services."
+      // Apply to all API routes
+      app.use('/api/', apiLimiter);
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - logging
-    - monitoring
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:logging
-    - standard:owasp-top10
-    - risk:a09-security-logging-monitoring-failures
-  references:
-    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
-    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_for_Process_Timing"
-    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Logging_Vocabulary_Cheat_Sheet.md"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-logging-monitoring"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html#monitor-activity"
-</rule> 
+- Using a structured logging library.
+- Implementing proper error logging in catch blocks.
+- Implementing sensitive data redaction in logs.
+- Using correlation IDs for request tracing.
+- Integrating with monitoring or log aggregation services.
diff --git a/.cursor/rules/javascript-security-misconfiguration.mdc b/.cursor/rules/javascript-security-misconfiguration.mdc
index b6acbbb..fbcf69e 100644
--- a/.cursor/rules/javascript-security-misconfiguration.mdc
+++ b/.cursor/rules/javascript-security-misconfiguration.mdc
@@ -4,464 +4,374 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Security Misconfiguration (OWASP A05:2021)
 
-<rule>
-name: javascript_security_misconfiguration
-description: Detect and prevent security misconfigurations in JavaScript applications as defined in OWASP Top 10:2021-A05
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing or Insecure HTTP Security Headers
-      - pattern: "app\\.use\\([^)]*?\\)\\s*(?!.*(?:helmet|frameguard|hsts|noSniff|xssFilter|contentSecurityPolicy))"
-        location: "(?:app|server|index)\\.(?:js|ts)$"
-        message: "Missing HTTP security headers. Consider using Helmet.js to set secure HTTP headers."
-        
-      # Pattern 2: Insecure CORS Configuration
-      - pattern: "app\\.use\\(cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"]\\s*\\}\\)\\)"
-        message: "Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments."
-        
-      # Pattern 3: Exposed Environment Variables in Client-Side Code
-      - pattern: "process\\.env\\.[A-Z_]+"
-        location: "(?:src|components|pages)"
-        message: "Exposing environment variables in client-side code. Only use environment variables with NEXT_PUBLIC_, REACT_APP_, or VITE_ prefixes for client-side code."
-        
-      # Pattern 4: Insecure Cookie Settings
-      - pattern: "(?:cookie|cookies|session)\\([^)]*?\\{[^}]*?(?:secure\\s*:\\s*false|httpOnly\\s*:\\s*false|sameSite\\s*:\\s*['\"]none['\"])"
-        message: "Insecure cookie configuration. Set secure:true, httpOnly:true, and appropriate sameSite value for cookies."
-        
-      # Pattern 5: Missing Content Security Policy
-      - pattern: "app\\.use\\([^)]*?helmet\\([^)]*?\\{[^}]*?contentSecurityPolicy\\s*:\\s*false"
-        message: "Content Security Policy (CSP) is disabled. Enable and configure CSP to prevent XSS attacks."
-        
-      # Pattern 6: Debug Information Exposure
-      - pattern: "app\\.use\\([^)]*?morgan\\(['\"]dev['\"]\\)|console\\.(?:log|debug|info|warn|error)\\("
-        location: "(?:app|server|index)\\.(?:js|ts)$"
-        message: "Debug information might be exposed in production. Ensure logging is properly configured based on the environment."
-        
-      # Pattern 7: Insecure Server Configuration
-      - pattern: "app\\.disable\\(['\"]x-powered-by['\"]\\)"
-        negative_pattern: true
-        location: "(?:app|server|index)\\.(?:js|ts)$"
-        message: "X-Powered-By header is not disabled. Use app.disable('x-powered-by') to hide technology information."
-        
-      # Pattern 8: Directory Listing Enabled
-      - pattern: "express\\.static\\([^)]*?\\{[^}]*?index\\s*:\\s*false"
-        message: "Directory listing might be enabled. Set index:true or provide an index file to prevent directory listing."
-        
-      # Pattern 9: Missing Rate Limiting
-      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?['\"](?:/api|/login|/register|/auth)['\"]"
-        negative_pattern: "(?:rateLimit|rateLimiter|limiter|throttle)"
-        message: "Missing rate limiting for sensitive endpoints. Implement rate limiting to prevent brute force attacks."
-        
-      # Pattern 10: Insecure WebSocket Configuration
-      - pattern: "new\\s+WebSocket\\([^)]*?\\)|io\\.on\\(['\"]connection['\"]"
-        negative_pattern: "(?:wss://|https://)"
-        message: "Potentially insecure WebSocket connection. Use secure WebSocket (wss://) in production."
-        
-      # Pattern 11: Hardcoded Configuration Values
-      - pattern: "(?:apiKey|secret|password|token|credentials)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Hardcoded configuration values. Use environment variables or a secure configuration management system."
-        
-      # Pattern 12: Insecure SSL/TLS Configuration
-      - pattern: "https\\.createServer\\([^)]*?\\{[^}]*?rejectUnauthorized\\s*:\\s*false"
-        message: "Insecure SSL/TLS configuration. Never set rejectUnauthorized:false in production."
-        
-      # Pattern 13: Missing Security Middleware
-      - pattern: "express\\(\\)|require\\(['\"]express['\"]\\)"
-        negative_pattern: "(?:helmet|cors|rateLimit|bodyParser\\.json\\(\\{\\s*limit|express\\.json\\(\\{\\s*limit)"
-        location: "(?:app|server|index)\\.(?:js|ts)$"
-        message: "Missing essential security middleware. Consider using helmet, cors, rate limiting, and request size limiting."
-        
-      # Pattern 14: Insecure Error Handling
-      - pattern: "app\\.use\\([^)]*?function\\s*\\([^)]*?err[^)]*?\\)\\s*\\{[^}]*?res\\.status[^}]*?err(?:\\.message|\\.stack)"
-        message: "Insecure error handling. Avoid exposing error details like stack traces to clients in production."
-        
-      # Pattern 15: Outdated Dependencies Warning
-      - pattern: "(?:\"dependencies\"|\"devDependencies\")\\s*:\\s*\\{[^}]*?['\"](?:express|react|vue|angular|next|nuxt|axios)['\"]\\s*:\\s*['\"]\\^?\\d+\\.\\d+\\.\\d+['\"]"
-        location: "package\\.json$"
-        message: "Check for outdated dependencies. Regularly update dependencies to avoid known vulnerabilities."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
 
-  - type: suggest
-    message: |
-      **JavaScript Security Configuration Best Practices:**
-      
-      1. **HTTP Security Headers:**
-         - Use Helmet.js to set secure HTTP headers
-         - Configure Content Security Policy (CSP)
-         - Example:
-           ```javascript
-           const helmet = require('helmet');
-           
-           // Basic usage
-           app.use(helmet());
-           
-           // Custom CSP configuration
-           app.use(
-             helmet.contentSecurityPolicy({
-               directives: {
-                 defaultSrc: ["'self'"],
-                 scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
-                 styleSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
-                 imgSrc: ["'self'", 'data:', 'trusted-cdn.com'],
-                 connectSrc: ["'self'", 'api.yourdomain.com'],
-                 fontSrc: ["'self'", 'trusted-cdn.com'],
-                 objectSrc: ["'none'"],
-                 mediaSrc: ["'self'"],
-                 frameSrc: ["'none'"],
-                 upgradeInsecureRequests: [],
-               },
-             })
-           );
-           ```
-      
-      2. **Secure CORS Configuration:**
-         - Specify allowed origins explicitly
-         - Configure appropriate CORS options
-         - Example:
-           ```javascript
-           const cors = require('cors');
-           
-           // Define allowed origins
-           const allowedOrigins = [
-             'https://yourdomain.com',
-             'https://app.yourdomain.com',
-             'https://admin.yourdomain.com'
-           ];
-           
-           // Configure CORS
-           app.use(cors({
-             origin: function(origin, callback) {
-               // Allow requests with no origin (like mobile apps, curl, etc.)
-               if (!origin) return callback(null, true);
-               
-               if (allowedOrigins.indexOf(origin) === -1) {
-                 const msg = 'The CORS policy for this site does not allow access from the specified Origin.';
-                 return callback(new Error(msg), false);
-               }
-               
-               return callback(null, true);
-             },
-             methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-             credentials: true,
-             maxAge: 86400 // 24 hours
-           }));
-           ```
-      
-      3. **Environment-Based Configuration:**
-         - Use different configurations for development and production
-         - Validate configuration at startup
-         - Example:
-           ```javascript
-           const express = require('express');
-           const helmet = require('helmet');
-           const morgan = require('morgan');
-           
-           const app = express();
-           
-           // Environment-specific configuration
-           if (process.env.NODE_ENV === 'production') {
-             // Production settings
-             app.use(helmet());
-             app.use(morgan('combined'));
-             app.set('trust proxy', 1); // Trust first proxy
-             
-             // Disable X-Powered-By header
-             app.disable('x-powered-by');
-           } else {
-             // Development settings
-             app.use(morgan('dev'));
-           }
-           
-           // Validate required environment variables
-           const requiredEnvVars = ['DATABASE_URL', 'JWT_SECRET'];
-           for (const envVar of requiredEnvVars) {
-             if (!process.env[envVar]) {
-               console.error(`Error: Environment variable ${envVar} is required`);
-               process.exit(1);
-             }
-           }
-           ```
-      
-      4. **Secure Cookie Configuration:**
-         - Set secure, httpOnly, and sameSite attributes
-         - Use signed cookies when appropriate
-         - Example:
-           ```javascript
-           const session = require('express-session');
-           
-           app.use(session({
-             secret: process.env.SESSION_SECRET,
-             name: 'sessionId', // Custom cookie name instead of default
-             cookie: {
-               secure: process.env.NODE_ENV === 'production', // HTTPS only in production
-               httpOnly: true, // Prevents client-side JS from reading the cookie
-               sameSite: 'lax', // Controls when cookies are sent with cross-site requests
-               maxAge: 3600000, // 1 hour in milliseconds
-               domain: process.env.NODE_ENV === 'production' ? '.yourdomain.com' : undefined
-             },
-             resave: false,
-             saveUninitialized: false
-           }));
-           ```
-      
-      5. **Request Size Limiting:**
-         - Limit request body size to prevent DoS attacks
-         - Example:
-           ```javascript
-           // Using express built-in middleware
-           app.use(express.json({ limit: '10kb' }));
-           app.use(express.urlencoded({ extended: true, limit: '10kb' }));
-           
-           // Or using body-parser
-           const bodyParser = require('body-parser');
-           app.use(bodyParser.json({ limit: '10kb' }));
-           app.use(bodyParser.urlencoded({ extended: true, limit: '10kb' }));
-           ```
-      
-      6. **Proper Error Handling:**
-         - Use a centralized error handler
-         - Don't expose sensitive information in error responses
-         - Example:
-           ```javascript
-           // Custom error class
-           class AppError extends Error {
-             constructor(message, statusCode) {
-               super(message);
-               this.statusCode = statusCode;
-               this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
-               this.isOperational = true;
-               
-               Error.captureStackTrace(this, this.constructor);
-             }
-           }
-           
-           // Global error handling middleware
-           app.use((err, req, res, next) => {
-             err.statusCode = err.statusCode || 500;
-             err.status = err.status || 'error';
-             
-             // Different handling for development and production
-             if (process.env.NODE_ENV === 'development') {
-               res.status(err.statusCode).json({
-                 status: err.status,
-                 error: err,
-                 message: err.message,
-                 stack: err.stack
-               });
-             } else if (process.env.NODE_ENV === 'production') {
-               // Only send operational errors to the client
-               if (err.isOperational) {
-                 res.status(err.statusCode).json({
-                   status: err.status,
-                   message: err.message
-                 });
-               } else {
-                 // Log programming or unknown errors
-                 console.error('ERROR 💥', err);
-                 
-                 // Send generic message
-                 res.status(500).json({
-                   status: 'error',
-                   message: 'Something went wrong'
-                 });
-               }
-             }
-           });
-           ```
-      
-      7. **Rate Limiting:**
-         - Apply rate limiting to sensitive endpoints
-         - Use different limits for different endpoints
-         - Example:
-           ```javascript
-           const rateLimit = require('express-rate-limit');
-           
-           // Create a rate limiter for API endpoints
-           const apiLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000, // 15 minutes
-             max: 100, // limit each IP to 100 requests per windowMs
-             standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
-             legacyHeaders: false, // Disable the `X-RateLimit-*` headers
-             message: 'Too many requests from this IP, please try again after 15 minutes'
-           });
-           
-           // Create a stricter rate limiter for authentication endpoints
-           const authLimiter = rateLimit({
-             windowMs: 15 * 60 * 1000, // 15 minutes
-             max: 5, // limit each IP to 5 login attempts per windowMs
-             standardHeaders: true,
-             legacyHeaders: false,
-             message: 'Too many login attempts from this IP, please try again after 15 minutes'
-           });
-           
-           // Apply rate limiters to routes
-           app.use('/api/', apiLimiter);
-           app.use('/api/auth/', authLimiter);
-           ```
-      
-      8. **Secure WebSocket Configuration:**
-         - Use secure WebSocket connections (wss://)
-         - Implement authentication for WebSocket connections
-         - Example:
-           ```javascript
-           const http = require('http');
-           const https = require('https');
-           const socketIo = require('socket.io');
-           const fs = require('fs');
-           
-           let server;
-           
-           // Create secure server in production
-           if (process.env.NODE_ENV === 'production') {
-             const options = {
-               key: fs.readFileSync('/path/to/private.key'),
-               cert: fs.readFileSync('/path/to/certificate.crt')
-             };
-             server = https.createServer(options, app);
-           } else {
-             server = http.createServer(app);
-           }
-           
-           const io = socketIo(server, {
-             cors: {
-               origin: process.env.NODE_ENV === 'production' 
-                 ? 'https://yourdomain.com' 
-                 : 'http://localhost:3000',
-               methods: ['GET', 'POST'],
-               credentials: true
-             }
+## Required Checks
+
+- Missing HTTP security headers. Consider using Helmet.js to set secure HTTP headers.
+- Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments.
+- Exposing environment variables in client-side code. Only use environment variables with NEXT_PUBLIC_, REACT_APP_, or VITE_ prefixes for client-side code.
+- Insecure cookie configuration. Set secure:true, httpOnly:true, and appropriate sameSite value for cookies.
+- Content Security Policy (CSP) is disabled. Enable and configure CSP to prevent XSS attacks.
+- Debug information might be exposed in production. Ensure logging is properly configured based on the environment.
+- X-Powered-By header is not disabled. Use app.disable('x-powered-by') to hide technology information.
+- Directory listing might be enabled. Set index:true or provide an index file to prevent directory listing.
+- Missing rate limiting for sensitive endpoints. Implement rate limiting to prevent brute force attacks.
+- Potentially insecure WebSocket connection. Use secure WebSocket (wss://) in production.
+- Hardcoded configuration values. Use environment variables or a secure configuration management system.
+- Insecure SSL/TLS configuration. Never set rejectUnauthorized:false in production.
+- Missing essential security middleware. Consider using helmet, cors, rate limiting, and request size limiting.
+- Insecure error handling. Avoid exposing error details like stack traces to clients in production.
+- Check for outdated dependencies. Regularly update dependencies to avoid known vulnerabilities.
+
+## Recommendations
+
+**JavaScript Security Configuration Best Practices:**
+
+1. **HTTP Security Headers:**
+   - Use Helmet.js to set secure HTTP headers
+   - Configure Content Security Policy (CSP)
+   - Example:
+     ```javascript
+     const helmet = require('helmet');
+     
+     // Basic usage
+     app.use(helmet());
+     
+     // Custom CSP configuration
+     app.use(
+       helmet.contentSecurityPolicy({
+         directives: {
+           defaultSrc: ["'self'"],
+           scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
+           styleSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
+           imgSrc: ["'self'", 'data:', 'trusted-cdn.com'],
+           connectSrc: ["'self'", 'api.yourdomain.com'],
+           fontSrc: ["'self'", 'trusted-cdn.com'],
+           objectSrc: ["'none'"],
+           mediaSrc: ["'self'"],
+           frameSrc: ["'none'"],
+           upgradeInsecureRequests: [],
+         },
+       })
+     );
+     ```
+
+2. **Secure CORS Configuration:**
+   - Specify allowed origins explicitly
+   - Configure appropriate CORS options
+   - Example:
+     ```javascript
+     const cors = require('cors');
+     
+     // Define allowed origins
+     const allowedOrigins = [
+       'https://yourdomain.com',
+       'https://app.yourdomain.com',
+       'https://admin.yourdomain.com'
+     ];
+     
+     // Configure CORS
+     app.use(cors({
+       origin: function(origin, callback) {
+         // Allow requests with no origin (like mobile apps, curl, etc.)
+         if (!origin) return callback(null, true);
+         
+         if (allowedOrigins.indexOf(origin) === -1) {
+           const msg = 'The CORS policy for this site does not allow access from the specified Origin.';
+           return callback(new Error(msg), false);
+         }
+         
+         return callback(null, true);
+       },
+       methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+       credentials: true,
+       maxAge: 86400 // 24 hours
+     }));
+     ```
+
+3. **Environment-Based Configuration:**
+   - Use different configurations for development and production
+   - Validate configuration at startup
+   - Example:
+     ```javascript
+     const express = require('express');
+     const helmet = require('helmet');
+     const morgan = require('morgan');
+     
+     const app = express();
+     
+     // Environment-specific configuration
+     if (process.env.NODE_ENV === 'production') {
+       // Production settings
+       app.use(helmet());
+       app.use(morgan('combined'));
+       app.set('trust proxy', 1); // Trust first proxy
+       
+       // Disable X-Powered-By header
+       app.disable('x-powered-by');
+     } else {
+       // Development settings
+       app.use(morgan('dev'));
+     }
+     
+     // Validate required environment variables
+     const requiredEnvVars = ['DATABASE_URL', 'JWT_SECRET'];
+     for (const envVar of requiredEnvVars) {
+       if (!process.env[envVar]) {
+         console.error(`Error: Environment variable ${envVar} is required`);
+         process.exit(1);
+       }
+     }
+     ```
+
+4. **Secure Cookie Configuration:**
+   - Set secure, httpOnly, and sameSite attributes
+   - Use signed cookies when appropriate
+   - Example:
+     ```javascript
+     const session = require('express-session');
+     
+     app.use(session({
+       secret: process.env.SESSION_SECRET,
+       name: 'sessionId', // Custom cookie name instead of default
+       cookie: {
+         secure: process.env.NODE_ENV === 'production', // HTTPS only in production
+         httpOnly: true, // Prevents client-side JS from reading the cookie
+         sameSite: 'lax', // Controls when cookies are sent with cross-site requests
+         maxAge: 3600000, // 1 hour in milliseconds
+         domain: process.env.NODE_ENV === 'production' ? '.yourdomain.com' : undefined
+       },
+       resave: false,
+       saveUninitialized: false
+     }));
+     ```
+
+5. **Request Size Limiting:**
+   - Limit request body size to prevent DoS attacks
+   - Example:
+     ```javascript
+     // Using express built-in middleware
+     app.use(express.json({ limit: '10kb' }));
+     app.use(express.urlencoded({ extended: true, limit: '10kb' }));
+     
+     // Or using body-parser
+     const bodyParser = require('body-parser');
+     app.use(bodyParser.json({ limit: '10kb' }));
+     app.use(bodyParser.urlencoded({ extended: true, limit: '10kb' }));
+     ```
+
+6. **Proper Error Handling:**
+   - Use a centralized error handler
+   - Don't expose sensitive information in error responses
+   - Example:
+     ```javascript
+     // Custom error class
+     class AppError extends Error {
+       constructor(message, statusCode) {
+         super(message);
+         this.statusCode = statusCode;
+         this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
+         this.isOperational = true;
+         
+         Error.captureStackTrace(this, this.constructor);
+       }
+     }
+     
+     // Global error handling middleware
+     app.use((err, req, res, next) => {
+       err.statusCode = err.statusCode || 500;
+       err.status = err.status || 'error';
+       
+       // Different handling for development and production
+       if (process.env.NODE_ENV === 'development') {
+         res.status(err.statusCode).json({
+           status: err.status,
+           error: err,
+           message: err.message,
+           stack: err.stack
+         });
+       } else if (process.env.NODE_ENV === 'production') {
+         // Only send operational errors to the client
+         if (err.isOperational) {
+           res.status(err.statusCode).json({
+             status: err.status,
+             message: err.message
            });
+         } else {
+           // Log programming or unknown errors
+           console.error('ERROR 💥', err);
            
-           // WebSocket authentication middleware
-           io.use((socket, next) => {
-             const token = socket.handshake.auth.token;
-             
-             if (!token) {
-               return next(new Error('Authentication error'));
-             }
-             
-             // Verify token
-             // ...
-             
-             next();
+           // Send generic message
+           res.status(500).json({
+             status: 'error',
+             message: 'Something went wrong'
            });
-           ```
+         }
+       }
+     });
+     ```
+
+7. **Rate Limiting:**
+   - Apply rate limiting to sensitive endpoints
+   - Use different limits for different endpoints
+   - Example:
+     ```javascript
+     const rateLimit = require('express-rate-limit');
+     
+     // Create a rate limiter for API endpoints
+     const apiLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000, // 15 minutes
+       max: 100, // limit each IP to 100 requests per windowMs
+       standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+       legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+       message: 'Too many requests from this IP, please try again after 15 minutes'
+     });
+     
+     // Create a stricter rate limiter for authentication endpoints
+     const authLimiter = rateLimit({
+       windowMs: 15 * 60 * 1000, // 15 minutes
+       max: 5, // limit each IP to 5 login attempts per windowMs
+       standardHeaders: true,
+       legacyHeaders: false,
+       message: 'Too many login attempts from this IP, please try again after 15 minutes'
+     });
+     
+     // Apply rate limiters to routes
+     app.use('/api/', apiLimiter);
+     app.use('/api/auth/', authLimiter);
+     ```
+
+8. **Secure WebSocket Configuration:**
+   - Use secure WebSocket connections (wss://)
+   - Implement authentication for WebSocket connections
+   - Example:
+     ```javascript
+     const http = require('http');
+     const https = require('https');
+     const socketIo = require('socket.io');
+     const fs = require('fs');
+     
+     let server;
+     
+     // Create secure server in production
+     if (process.env.NODE_ENV === 'production') {
+       const options = {
+         key: fs.readFileSync('/path/to/private.key'),
+         cert: fs.readFileSync('/path/to/certificate.crt')
+       };
+       server = https.createServer(options, app);
+     } else {
+       server = http.createServer(app);
+     }
+     
+     const io = socketIo(server, {
+       cors: {
+         origin: process.env.NODE_ENV === 'production' 
+           ? 'https://yourdomain.com' 
+           : 'http://localhost:3000',
+         methods: ['GET', 'POST'],
+         credentials: true
+       }
+     });
+     
+     // WebSocket authentication middleware
+     io.use((socket, next) => {
+       const token = socket.handshake.auth.token;
+       
+       if (!token) {
+         return next(new Error('Authentication error'));
+       }
+       
+       // Verify token
+       // ...
+       
+       next();
+     });
+     ```
+
+9. **Security Dependency Management:**
+   - Regularly update dependencies
+   - Use tools like npm audit or Snyk
+   - Example:
+     ```javascript
+     // package.json scripts
+     {
+       "scripts": {
+         "audit": "npm audit",
+         "audit:fix": "npm audit fix",
+         "outdated": "npm outdated",
+         "update": "npm update",
+         "prestart": "npm audit --production"
+       }
+     }
+     ```
+
+10. **Secure Logging Configuration:**
+    - Configure logging based on environment
+    - Avoid logging sensitive information
+    - Example:
+      ```javascript
+      const winston = require('winston');
       
-      9. **Security Dependency Management:**
-         - Regularly update dependencies
-         - Use tools like npm audit or Snyk
-         - Example:
-           ```javascript
-           // package.json scripts
-           {
-             "scripts": {
-               "audit": "npm audit",
-               "audit:fix": "npm audit fix",
-               "outdated": "npm outdated",
-               "update": "npm update",
-               "prestart": "npm audit --production"
-             }
-           }
-           ```
+      // Define log levels
+      const levels = {
+        error: 0,
+        warn: 1,
+        info: 2,
+        http: 3,
+        debug: 4,
+      };
       
-      10. **Secure Logging Configuration:**
-          - Configure logging based on environment
-          - Avoid logging sensitive information
-          - Example:
-            ```javascript
-            const winston = require('winston');
-            
-            // Define log levels
-            const levels = {
-              error: 0,
-              warn: 1,
-              info: 2,
-              http: 3,
-              debug: 4,
-            };
-            
-            // Define log level based on environment
-            const level = () => {
-              const env = process.env.NODE_ENV || 'development';
-              return env === 'development' ? 'debug' : 'warn';
-            };
-            
-            // Define log format
-            const format = winston.format.combine(
-              winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss:ms' }),
-              winston.format.printf(
-                (info) => `${info.timestamp} ${info.level}: ${info.message}`
-              )
-            );
-            
-            // Define transports
-            const transports = [
-              new winston.transports.Console(),
-              new winston.transports.File({
-                filename: 'logs/error.log',
-                level: 'error',
-              }),
-              new winston.transports.File({ filename: 'logs/all.log' }),
-            ];
-            
-            // Create the logger
-            const logger = winston.createLogger({
-              level: level(),
-              levels,
-              format,
-              transports,
-            });
-            
-            module.exports = logger;
-            ```
-
-  - type: validate
-    conditions:
-      # Check 1: Helmet usage
-      - pattern: "helmet\\(\\)|frameguard\\(\\)|hsts\\(\\)|noSniff\\(\\)|xssFilter\\(\\)|contentSecurityPolicy\\(\\)"
-        message: "Using Helmet.js or individual HTTP security headers middleware."
+      // Define log level based on environment
+      const level = () => {
+        const env = process.env.NODE_ENV || 'development';
+        return env === 'development' ? 'debug' : 'warn';
+      };
       
-      # Check 2: Secure CORS configuration
-      - pattern: "cors\\(\\{[^}]*?origin\\s*:\\s*(?!['\"]*\\*)['\"]"
-        message: "Using secure CORS configuration with specific origins."
+      // Define log format
+      const format = winston.format.combine(
+        winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss:ms' }),
+        winston.format.printf(
+          (info) => `${info.timestamp} ${info.level}: ${info.message}`
+        )
+      );
       
-      # Check 3: Environment-based configuration
-      - pattern: "process\\.env\\.NODE_ENV\\s*===\\s*['\"]production['\"]"
-        message: "Implementing environment-specific configuration."
+      // Define transports
+      const transports = [
+        new winston.transports.Console(),
+        new winston.transports.File({
+          filename: 'logs/error.log',
+          level: 'error',
+        }),
+        new winston.transports.File({ filename: 'logs/all.log' }),
+      ];
       
-      # Check 4: Secure cookie settings
-      - pattern: "cookie\\s*:\\s*\\{[^}]*?secure\\s*:\\s*true[^}]*?httpOnly\\s*:\\s*true"
-        message: "Using secure cookie configuration."
+      // Create the logger
+      const logger = winston.createLogger({
+        level: level(),
+        levels,
+        format,
+        transports,
+      });
       
-      # Check 5: Request size limiting
-      - pattern: "(?:express|bodyParser)\\.json\\(\\{[^}]*?limit\\s*:"
-        message: "Implementing request size limiting."
+      module.exports = logger;
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - configuration
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:misconfiguration
-    - standard:owasp-top10
-    - risk:a05-security-misconfiguration
-  references:
-    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
-    - "https://expressjs.com/en/advanced/best-practice-security.html"
-    - "https://helmetjs.github.io/"
-    - "https://github.com/OWASP/NodeGoat"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
-</rule> 
+- Using Helmet.js or individual HTTP security headers middleware.
+- Using secure CORS configuration with specific origins.
+- Implementing environment-specific configuration.
+- Using secure cookie configuration.
+- Implementing request size limiting.
diff --git a/.cursor/rules/javascript-server-side-request-forgery.mdc b/.cursor/rules/javascript-server-side-request-forgery.mdc
index d50c835..a061660 100644
--- a/.cursor/rules/javascript-server-side-request-forgery.mdc
+++ b/.cursor/rules/javascript-server-side-request-forgery.mdc
@@ -4,847 +4,762 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Server-Side Request Forgery (OWASP A10:2021)
 
-<rule>
-name: javascript_server_side_request_forgery
-description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in JavaScript applications as defined in OWASP Top 10:2021-A10
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: URL from User Input
-      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request|\\$\\.ajax|XMLHttpRequest|got|request|superagent|needle)\\s*\\([^)]*(?:\\$_GET|\\$_POST|\\$_REQUEST|req\\.(?:body|query|params)|request\\.(?:body|query|params)|event\\.(?:body|queryStringParameters|pathParameters)|params|userInput|data\\["
-        message: "Potential SSRF vulnerability: URL constructed from user input. Implement URL validation, allowlisting, or use a URL parser library to validate and sanitize user-provided URLs."
-        
-      # Pattern 2: Dynamic URL in HTTP Request
-      - pattern: "(fetch|axios|http\\.get|http\\.request|https\\.get|https\\.request|\\$\\.ajax|XMLHttpRequest|got|request|superagent|needle)\\s*\\(\\s*['\"`]https?:\\/\\/[^'\"`]*['\"`]\\s*\\+\\s*"
-        message: "Potential SSRF vulnerability: Dynamic URL in HTTP request. Use URL parsing and validation before making the request."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
+
+## Required Checks
+
+- Potential SSRF vulnerability: URL constructed from user input. Implement URL validation, allowlisting, or use a URL parser library to validate and sanitize user-provided URLs.
+- Potential SSRF vulnerability: Dynamic URL in HTTP request. Use URL parsing and validation before making the request.
+- URL redirection without proper validation may lead to SSRF. Implement strict validation for URLs before redirecting.
+- Direct use of IP addresses in requests may bypass hostname-based restrictions. Consider using allowlisted hostnames instead.
+- Request to internal network address detected. Restrict access to internal resources to prevent SSRF attacks.
+- Use of file:// protocol may lead to local file access. Block or restrict file:// protocol usage.
+- HTTP request without URL validation. Implement URL validation before making external requests.
+- User-defined HTTP request function without URL validation. Implement proper URL validation and sanitization.
+- Proxy or request forwarding functionality detected. Implement strict URL validation and allowlisting.
+- HTTP request with explicit method without URL validation. Implement URL validation for all HTTP methods.
+- Building URL with user input. Validate and sanitize all URL components and use an allowlist for base URLs.
+- Protocol-relative URL usage may lead to SSRF. Always specify the protocol and validate URLs.
+- Route with dynamic parameter that might be used in URL construction. Ensure proper validation before making any HTTP requests within this route handler.
+- URL parsing without validation or error handling. Implement proper error handling and validation for URL parsing.
+- Access to cloud service metadata endpoints detected. Restrict access to cloud metadata services to prevent server information disclosure.
+
+## Recommendations
+
+**JavaScript Server-Side Request Forgery (SSRF) Prevention Best Practices:**
+
+1. **Implement URL Validation and Sanitization:**
+   - Use built-in URL parsing libraries to validate URLs
+   - Validate both the URL format and components
+   - Example:
+     ```javascript
+     function isValidUrl(url) {
+       try {
+         const parsedUrl = new URL(url);
+         // Check protocol is http: or https:
+         if (!/^https?:$/.test(parsedUrl.protocol)) {
+           return false;
+         }
+         // Additional validation logic here
+         return true;
+       } catch (error) {
+         // Invalid URL format
+         return false;
+       }
+     }
+     
+     // Usage
+     const userProvidedUrl = req.body.targetUrl;
+     if (!isValidUrl(userProvidedUrl)) {
+       return res.status(400).json({ error: 'Invalid URL format or protocol' });
+     }
+     
+     // Now make the request with the validated URL
+     ```
+
+2. **Implement Strict Allowlisting:**
+   - Define allowlist of permitted domains and endpoints
+   - Reject requests to any domains not on the allowlist
+   - Example:
+     ```javascript
+     const ALLOWED_DOMAINS = [
+       'api.example.com',
+       'cdn.example.com',
+       'partner-api.trusted-domain.com'
+     ];
+     
+     function isAllowedDomain(url) {
+       try {
+         const parsedUrl = new URL(url);
+         return ALLOWED_DOMAINS.includes(parsedUrl.hostname);
+       } catch (error) {
+         return false;
+       }
+     }
+     
+     // Usage
+     const targetUrl = req.body.webhookUrl;
+     if (!isAllowedDomain(targetUrl)) {
+       logger.warn({
+         message: 'SSRF attempt blocked: domain not in allowlist',
+         url: targetUrl,
+         ip: req.ip,
+         userId: req.user?.id
+       });
+       return res.status(403).json({ error: 'Domain not allowed' });
+     }
+     ```
+
+3. **Block Access to Internal Networks:**
+   - Prevent requests to private IP ranges
+   - Block localhost and internal hostnames
+   - Example:
+     ```javascript
+     function isInternalHostname(hostname) {
+       // Check for localhost and common internal hostnames
+       if (hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.internal')) {
+         return true;
+       }
+       return false;
+     }
+     
+     function isPrivateIP(ip) {
+       // Check for private IP ranges
+       const privateRanges = [
+         /^127\./,                     // 127.0.0.0/8
+         /^10\./,                      // 10.0.0.0/8
+         /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
+         /^192\.168\./,                // 192.168.0.0/16
+         /^169\.254\./,                // 169.254.0.0/16
+         /^::1$/,                      // localhost IPv6
+         /^f[cd][0-9a-f]{2}:/i,        // fc00::/7 unique local IPv6
+         /^fe80:/i                     // fe80::/10 link-local IPv6
+       ];
+       
+       return privateRanges.some(range => range.test(ip));
+     }
+     
+     function isUrlSafe(url) {
+       try {
+         const parsedUrl = new URL(url);
+         
+         // Block internal hostnames
+         if (isInternalHostname(parsedUrl.hostname)) {
+           return false;
+         }
+         
+         // Resolve hostname to IP (in real implementation, use async DNS resolution)
+         // This example is simplified - in production you would use DNS resolution
+         let ip;
+         try {
+           // Note: This is a pseudo-code example
+           // In real code, you'd use a DNS resolution library
+           ip = dnsResolve(parsedUrl.hostname);
+           
+           // Block private IPs
+           if (isPrivateIP(ip)) {
+             return false;
+           }
+         } catch (error) {
+           // If DNS resolution fails, err on the side of caution
+           return false;
+         }
+         
+         return true;
+       } catch (error) {
+         return false;
+       }
+     }
+     ```
+
+4. **Disable Dangerous URL Protocols:**
+   - Restrict allowed URL protocols to HTTP and HTTPS
+   - Block file://, ftp://, gopher://, etc.
+   - Example:
+     ```javascript
+     function hasAllowedProtocol(url) {
+       try {
+         const parsedUrl = new URL(url);
+         const allowedProtocols = ['http:', 'https:'];
+         return allowedProtocols.includes(parsedUrl.protocol);
+       } catch (error) {
+         return false;
+       }
+     }
+     
+     // Usage
+     const targetUrl = req.body.documentUrl;
+     if (!hasAllowedProtocol(targetUrl)) {
+       logger.warn({
+         message: 'SSRF attempt blocked: disallowed protocol',
+         url: targetUrl,
+         protocol: new URL(targetUrl).protocol,
+         ip: req.ip
+       });
+       return res.status(403).json({ error: 'URL protocol not allowed' });
+     }
+     ```
+
+5. **Implement Network-Level Protection:**
+   - Use firewall rules to block outbound requests to internal networks
+   - Configure proxy servers to restrict external requests
+   - Example:
+     ```javascript
+     // Using a proxy for outbound requests
+     const axios = require('axios');
+     const HttpsProxyAgent = require('https-proxy-agent');
+     
+     // Configure proxy with appropriate controls
+     const httpsAgent = new HttpsProxyAgent({
+       host: 'proxy.example.com',
+       port: 3128,
+       // This proxy should be configured to block access to internal networks
+     });
+     
+     // Make requests through the proxy
+     async function secureExternalRequest(url) {
+       try {
+         const response = await axios.get(url, {
+           httpsAgent,
+           timeout: 5000, // Set reasonable timeout
+           maxRedirects: 2 // Limit redirects
+         });
+         return response.data;
+       } catch (error) {
+         logger.error({
+           message: 'External request failed',
+           url,
+           error: error.message
+         });
+         throw new Error('Failed to fetch external resource');
+       }
+     }
+     ```
+
+6. **Use Service-Specific Endpoints:**
+   - Instead of passing full URLs, use service identifiers
+   - Map identifiers to URLs on the server side
+   - Example:
+     ```javascript
+     // Client makes request with service identifier, not raw URL
+     app.get('/proxy-service/:serviceId', async (req, res) => {
+       const { serviceId } = req.params;
+       
+       // Service mapping defined server-side
+       const serviceMap = {
+         'weather-api': 'https://api.weather.example.com/current',
+         'news-feed': 'https://api.news.example.com/feed',
+         'product-info': 'https://api.products.example.com/details'
+       };
+       
+       // Check if service is defined
+       if (!serviceMap[serviceId]) {
+         return res.status(404).json({ error: 'Service not found' });
+       }
+       
+       try {
+         // Make request to mapped URL (not user-controlled)
+         const response = await axios.get(serviceMap[serviceId]);
+         return res.json(response.data);
+       } catch (error) {
+         return res.status(500).json({ error: 'Service request failed' });
+       }
+     });
+     ```
+
+7. **Implement Context-Specific Encodings:**
+   - Use context-appropriate encoding for URL parameters
+   - Don't rely solely on standard URL encoding
+   - Example:
+     ```javascript
+     function safeUrl(baseUrl, params) {
+       // Start with a verified base URL
+       const url = new URL(baseUrl);
+       
+       // Add parameters safely
+       for (const [key, value] of Object.entries(params)) {
+         // Ensure values are strings and properly encoded
+         url.searchParams.append(key, String(value));
+       }
+       
+       // Verify the final URL is still valid
+       if (!isAllowedDomain(url.toString())) {
+         throw new Error('URL creation resulted in disallowed domain');
+       }
+       
+       return url.toString();
+     }
+     
+     // Usage
+     try {
+       const apiUrl = safeUrl('https://api.example.com/data', {
+         id: userId,
+         format: 'json'
+       });
+       const response = await axios.get(apiUrl);
+       // Process response
+     } catch (error) {
+       // Handle error
+     }
+     ```
+
+8. **Use Defense in Depth:**
+   - Combine multiple validation strategies
+   - Don't rely on a single protection measure
+   - Example:
+     ```javascript
+     async function secureExternalRequest(url, options = {}) {
+       // 1. Validate URL format
+       if (!isValidUrl(url)) {
+         throw new Error('Invalid URL format');
+       }
+       
+       // 2. Check against allowlist
+       if (!isAllowedDomain(url)) {
+         throw new Error('Domain not in allowlist');
+       }
+       
+       // 3. Verify not internal network
+       const parsedUrl = new URL(url);
+       if (await isInternalNetwork(parsedUrl.hostname)) {
+         throw new Error('Access to internal networks not allowed');
+       }
+       
+       // 4. Validate protocol
+       if (!hasAllowedProtocol(url)) {
+         throw new Error('Protocol not allowed');
+       }
+       
+       // 5. Set additional security headers and options
+       const secureOptions = {
+         ...options,
+         timeout: options.timeout || 5000,
+         maxRedirects: options.maxRedirects || 2,
+         headers: {
+           ...options.headers,
+           'User-Agent': 'SecureApp/1.0'
+         }
+       };
+       
+       // 6. Make request with all validations passed
+       try {
+         return await axios(url, secureOptions);
+       } catch (error) {
+         logger.error({
+           message: 'Secure external request failed',
+           url,
+           error: error.message
+         });
+         throw new Error('External request failed');
+       }
+     }
+     ```
+
+9. **Validate and Sanitize Request Parameters:**
+   - Don't trust any user-supplied input for URL construction
+   - Validate all components used in URL building
+   - Example:
+     ```javascript
+     // API that fetches weather data for a city
+     app.get('/api/weather', async (req, res) => {
+       const { city } = req.query;
+       
+       // 1. Validate parameter exists and is valid
+       if (!city || typeof city !== 'string' || city.length > 100) {
+         return res.status(400).json({ error: 'Invalid city parameter' });
+       }
+       
+       // 2. Sanitize the parameter
+       const sanitizedCity = encodeURIComponent(city.trim());
+       
+       // 3. Construct URL with validated parameter
+       const weatherApiUrl = `https://api.weather.example.com/current?city=${sanitizedCity}`;
+       
+       // 4. Additional validation of the final URL
+       if (!isValidUrl(weatherApiUrl)) {
+         return res.status(400).json({ error: 'Invalid URL construction' });
+       }
+       
+       try {
+         const response = await axios.get(weatherApiUrl);
+         return res.json(response.data);
+       } catch (error) {
+         logger.error({
+           message: 'Weather API request failed',
+           city,
+           error: error.message
+         });
+         return res.status(500).json({ error: 'Failed to fetch weather data' });
+       }
+     });
+     ```
+
+10. **Implement Request Timeouts:**
+    - Set appropriate timeouts for all HTTP requests
+    - Prevent long-running SSRF probes
+    - Example:
+      ```javascript
+      async function fetchWithTimeout(url, options = {}) {
+        // Default timeout of 5 seconds
+        const timeout = options.timeout || 5000;
         
-      # Pattern 3: URL Redirection Without Validation
-      - pattern: "(res\\.redirect|res\\.location|window\\.location|location\\.href|location\\.replace|location\\.assign|location\\.port|history\\.pushState|history\\.replaceState)\\s*\\([^)]*(?:req\\.(?:query|body|params)|request\\.(?:query|body|params)|userInput)"
-        message: "URL redirection without proper validation may lead to SSRF. Implement strict validation for URLs before redirecting."
+        // Create an abort controller to handle timeout
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeout);
         
-      # Pattern 4: Direct IP Address Usage
-      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]https?:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
-        message: "Direct use of IP addresses in requests may bypass hostname-based restrictions. Consider using allowlisted hostnames instead."
+        try {
+          const response = await fetch(url, {
+            ...options,
+            signal: controller.signal
+          });
+          
+          clearTimeout(timeoutId);
+          return response;
+        } catch (error) {
+          clearTimeout(timeoutId);
+          if (error.name === 'AbortError') {
+            throw new Error(`Request timed out after ${timeout}ms`);
+          }
+          throw error;
+        }
+      }
+      
+      // Usage
+      try {
+        const response = await fetchWithTimeout('https://api.example.com/data', {
+          timeout: 3000, // 3 seconds timeout
+          headers: { 'Content-Type': 'application/json' }
+        });
+        const data = await response.json();
+        // Process data
+      } catch (error) {
+        console.error('Request failed:', error.message);
+      }
+      ```
+
+11. **Rate Limit External Requests:**
+    - Implement rate limiting for outbound requests
+    - Prevent SSRF probing and DoS attacks
+    - Example:
+      ```javascript
+      const { RateLimiter } = require('limiter');
+      
+      // Create a rate limiter: 100 requests per minute
+      const externalRequestLimiter = new RateLimiter({
+        tokensPerInterval: 100,
+        interval: 'minute'
+      });
+      
+      async function rateLimitedRequest(url, options = {}) {
+        // Check if we have tokens available
+        const remainingRequests = await externalRequestLimiter.removeTokens(1);
         
-      # Pattern 5: Local Network Access
-      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]https?:\\/\\/(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|192\\.168\\.|10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-1])\\.|::1)"
-        message: "Request to internal network address detected. Restrict access to internal resources to prevent SSRF attacks."
+        if (remainingRequests < 0) {
+          throw new Error('Rate limit exceeded for external requests');
+        }
         
-      # Pattern 6: File Protocol Usage
-      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]file:\\/\\/"
-        message: "Use of file:// protocol may lead to local file access. Block or restrict file:// protocol usage."
+        // Proceed with the request
+        return axios(url, options);
+      }
+      
+      // Usage
+      app.get('/api/external-data', async (req, res) => {
+        const { url } = req.query;
         
-      # Pattern 7: Missing URL Validation
-      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\([^)]*\\burl\\b[^)]*\\)"
-        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|URL\\.(parse|canParse)|new URL\\(|isValidURL"
-        message: "HTTP request without URL validation. Implement URL validation before making external requests."
+        if (!isValidUrl(url) || !isAllowedDomain(url)) {
+          return res.status(403).json({ error: 'URL not allowed' });
+        }
         
-      # Pattern 8: HTTP Request in User-Defined Function
-      - pattern: "function\\s+[a-zA-Z0-9_]*(?:request|fetch|get|http|curl)\\s*\\([^)]*\\)\\s*\\{[^}]*(?:fetch|axios|http\\.get|http\\.request|https\\.get|https\\.request)"
-        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
-        message: "User-defined HTTP request function without URL validation. Implement proper URL validation and sanitization."
+        try {
+          const response = await rateLimitedRequest(url);
+          return res.json(response.data);
+        } catch (error) {
+          if (error.message === 'Rate limit exceeded for external requests') {
+            return res.status(429).json({ error: 'Too many requests' });
+          }
+          return res.status(500).json({ error: 'Failed to fetch data' });
+        }
+      });
+      ```
+
+12. **Use Web Application Firewalls (WAF):**
+    - Configure WAF rules to detect and block SSRF patterns
+    - Implement server-side firewall rules
+    - Example:
+      ```javascript
+      // Middleware to detect SSRF attack patterns
+      function ssrfProtectionMiddleware(req, res, next) {
+        const url = req.query.url || req.body.url;
         
-      # Pattern 9: Proxy Functionality
-      - pattern: "(?:proxy|forward|relay).*(?:req\\.(?:url|path)|request\\.(?:url|path))"
-        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist"
-        message: "Proxy or request forwarding functionality detected. Implement strict URL validation and allowlisting."
+        if (!url) {
+          return next();
+        }
         
-      # Pattern 10: Alternative HTTP Methods
-      - pattern: "(fetch|axios)\\s*\\([^)]*method\\s*:\\s*['\"`](?:GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)['\"`]"
-        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
-        message: "HTTP request with explicit method without URL validation. Implement URL validation for all HTTP methods."
+        // Check for suspicious URL patterns
+        const ssrfPatterns = [
+          /file:\/\//i,
+          /^(ftps?|gopher|data|dict):\/\//i,
+          /^\/\/\//,
+          /(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/i,
+          /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)/
+        ];
         
-      # Pattern 11: URL Building from Parts
-      - pattern: "new URL\\s*\\((?:[^,)]+,\\s*){1,}(?:req\\.(?:body|query|params)|request\\.(?:body|query|params)|userinput)"
-        message: "Building URL with user input. Validate and sanitize all URL components and use an allowlist for base URLs."
+        if (ssrfPatterns.some(pattern => pattern.test(url))) {
+          logger.warn({
+            message: 'Potential SSRF attack detected',
+            url,
+            ip: req.ip,
+            path: req.path,
+            method: req.method,
+            userId: req.user?.id
+          });
+          
+          return res.status(403).json({
+            error: 'Access denied - suspicious URL detected'
+          });
+        }
         
-      # Pattern 12: Protocol-Relative URLs
-      - pattern: "(fetch|axios)\\s*\\(['\"`]\\/\\/[^'\"`]+['\"`]"
-        message: "Protocol-relative URL usage may lead to SSRF. Always specify the protocol and validate URLs."
+        next();
+      }
+      
+      // Apply middleware to all routes
+      app.use(ssrfProtectionMiddleware);
+      ```
+
+13. **Implement Centralized Request Services:**
+    - Create a dedicated service for external requests
+    - Implement all security controls in one place
+    - Example:
+      ```javascript
+      // externalRequestService.js
+      const axios = require('axios');
+      
+      class ExternalRequestService {
+        constructor(options = {}) {
+          this.allowedDomains = options.allowedDomains || [];
+          this.maxRedirects = options.maxRedirects || 2;
+          this.timeout = options.timeout || 5000;
+          this.logger = options.logger || console;
+        }
         
-      # Pattern 13: Express-like Route with URL Parameter
-      - pattern: "app\\.(?:get|post|put|delete|patch)\\s*\\(['\"`][^'\"`]*\\/:[a-zA-Z0-9_]+(?:\\/|['\"`])"
-        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
-        message: "Route with dynamic parameter that might be used in URL construction. Ensure proper validation before making any HTTP requests within this route handler."
+        async request(url, options = {}) {
+          // Validate URL
+          if (!this._isValidUrl(url)) {
+            throw new Error('Invalid URL format');
+          }
+          
+          // Check allowlist
+          if (!this._isAllowedDomain(url)) {
+            throw new Error('Domain not in allowlist');
+          }
+          
+          // Configure request options
+          const requestOptions = {
+            ...options,
+            timeout: options.timeout || this.timeout,
+            maxRedirects: options.maxRedirects || this.maxRedirects,
+            validateStatus: status => status >= 200 && status < 300
+          };
+          
+          try {
+            const response = await axios(url, requestOptions);
+            return response.data;
+          } catch (error) {
+            this.logger.error({
+              message: 'External request failed',
+              url,
+              error: error.message
+            });
+            throw new Error(`External request failed: ${error.message}`);
+          }
+        }
         
-      # Pattern 14: URL Parsing without Validation
-      - pattern: "URL\\.parse\\s*\\(|new URL\\s*\\("
-        negative_pattern: "try\\s*\\{|catch\\s*\\(|validat|sanitiz|check"
-        message: "URL parsing without validation or error handling. Implement proper error handling and validation for URL parsing."
+        _isValidUrl(url) {
+          try {
+            const parsedUrl = new URL(url);
+            return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:';
+          } catch (error) {
+            return false;
+          }
+        }
         
-      # Pattern 15: Service Discovery / Cloud Metadata Access
-      - pattern: "(fetch|axios\\.get|http\\.get)\\s*\\(['\"`]https?:\\/\\/(?:169\\.254\\.169\\.254|fd00:ec2|metadata\\.google|metadata\\.azure|169\\.254\\.169\\.254\\/latest\\/meta-data)"
-        message: "Access to cloud service metadata endpoints detected. Restrict access to cloud metadata services to prevent server information disclosure."
-
-  - type: suggest
-    message: |
-      **JavaScript Server-Side Request Forgery (SSRF) Prevention Best Practices:**
-      
-      1. **Implement URL Validation and Sanitization:**
-         - Use built-in URL parsing libraries to validate URLs
-         - Validate both the URL format and components
-         - Example:
-           ```javascript
-           function isValidUrl(url) {
-             try {
-               const parsedUrl = new URL(url);
-               // Check protocol is http: or https:
-               if (!/^https?:$/.test(parsedUrl.protocol)) {
-                 return false;
-               }
-               // Additional validation logic here
-               return true;
-             } catch (error) {
-               // Invalid URL format
-               return false;
-             }
-           }
-           
-           // Usage
-           const userProvidedUrl = req.body.targetUrl;
-           if (!isValidUrl(userProvidedUrl)) {
-             return res.status(400).json({ error: 'Invalid URL format or protocol' });
-           }
-           
-           // Now make the request with the validated URL
-           ```
-      
-      2. **Implement Strict Allowlisting:**
-         - Define allowlist of permitted domains and endpoints
-         - Reject requests to any domains not on the allowlist
-         - Example:
-           ```javascript
-           const ALLOWED_DOMAINS = [
-             'api.example.com',
-             'cdn.example.com',
-             'partner-api.trusted-domain.com'
-           ];
-           
-           function isAllowedDomain(url) {
-             try {
-               const parsedUrl = new URL(url);
-               return ALLOWED_DOMAINS.includes(parsedUrl.hostname);
-             } catch (error) {
-               return false;
-             }
-           }
-           
-           // Usage
-           const targetUrl = req.body.webhookUrl;
-           if (!isAllowedDomain(targetUrl)) {
-             logger.warn({
-               message: 'SSRF attempt blocked: domain not in allowlist',
-               url: targetUrl,
-               ip: req.ip,
-               userId: req.user?.id
-             });
-             return res.status(403).json({ error: 'Domain not allowed' });
-           }
-           ```
-      
-      3. **Block Access to Internal Networks:**
-         - Prevent requests to private IP ranges
-         - Block localhost and internal hostnames
-         - Example:
-           ```javascript
-           function isInternalHostname(hostname) {
-             // Check for localhost and common internal hostnames
-             if (hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.internal')) {
-               return true;
-             }
-             return false;
-           }
-           
-           function isPrivateIP(ip) {
-             // Check for private IP ranges
-             const privateRanges = [
-               /^127\./,                     // 127.0.0.0/8
-               /^10\./,                      // 10.0.0.0/8
-               /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
-               /^192\.168\./,                // 192.168.0.0/16
-               /^169\.254\./,                // 169.254.0.0/16
-               /^::1$/,                      // localhost IPv6
-               /^f[cd][0-9a-f]{2}:/i,        // fc00::/7 unique local IPv6
-               /^fe80:/i                     // fe80::/10 link-local IPv6
-             ];
-             
-             return privateRanges.some(range => range.test(ip));
-           }
-           
-           function isUrlSafe(url) {
-             try {
-               const parsedUrl = new URL(url);
-               
-               // Block internal hostnames
-               if (isInternalHostname(parsedUrl.hostname)) {
-                 return false;
-               }
-               
-               // Resolve hostname to IP (in real implementation, use async DNS resolution)
-               // This example is simplified - in production you would use DNS resolution
-               let ip;
-               try {
-                 // Note: This is a pseudo-code example
-                 // In real code, you'd use a DNS resolution library
-                 ip = dnsResolve(parsedUrl.hostname);
-                 
-                 // Block private IPs
-                 if (isPrivateIP(ip)) {
-                   return false;
-                 }
-               } catch (error) {
-                 // If DNS resolution fails, err on the side of caution
-                 return false;
-               }
-               
-               return true;
-             } catch (error) {
-               return false;
-             }
-           }
-           ```
-      
-      4. **Disable Dangerous URL Protocols:**
-         - Restrict allowed URL protocols to HTTP and HTTPS
-         - Block file://, ftp://, gopher://, etc.
-         - Example:
-           ```javascript
-           function hasAllowedProtocol(url) {
-             try {
-               const parsedUrl = new URL(url);
-               const allowedProtocols = ['http:', 'https:'];
-               return allowedProtocols.includes(parsedUrl.protocol);
-             } catch (error) {
-               return false;
-             }
-           }
-           
-           // Usage
-           const targetUrl = req.body.documentUrl;
-           if (!hasAllowedProtocol(targetUrl)) {
-             logger.warn({
-               message: 'SSRF attempt blocked: disallowed protocol',
-               url: targetUrl,
-               protocol: new URL(targetUrl).protocol,
-               ip: req.ip
-             });
-             return res.status(403).json({ error: 'URL protocol not allowed' });
-           }
-           ```
+        _isAllowedDomain(url) {
+          try {
+            const parsedUrl = new URL(url);
+            return this.allowedDomains.includes(parsedUrl.hostname);
+          } catch (error) {
+            return false;
+          }
+        }
+      }
       
-      5. **Implement Network-Level Protection:**
-         - Use firewall rules to block outbound requests to internal networks
-         - Configure proxy servers to restrict external requests
-         - Example:
-           ```javascript
-           // Using a proxy for outbound requests
-           const axios = require('axios');
-           const HttpsProxyAgent = require('https-proxy-agent');
-           
-           // Configure proxy with appropriate controls
-           const httpsAgent = new HttpsProxyAgent({
-             host: 'proxy.example.com',
-             port: 3128,
-             // This proxy should be configured to block access to internal networks
-           });
-           
-           // Make requests through the proxy
-           async function secureExternalRequest(url) {
-             try {
-               const response = await axios.get(url, {
-                 httpsAgent,
-                 timeout: 5000, // Set reasonable timeout
-                 maxRedirects: 2 // Limit redirects
-               });
-               return response.data;
-             } catch (error) {
-               logger.error({
-                 message: 'External request failed',
-                 url,
-                 error: error.message
-               });
-               throw new Error('Failed to fetch external resource');
-             }
-           }
-           ```
+      module.exports = ExternalRequestService;
       
-      6. **Use Service-Specific Endpoints:**
-         - Instead of passing full URLs, use service identifiers
-         - Map identifiers to URLs on the server side
-         - Example:
-           ```javascript
-           // Client makes request with service identifier, not raw URL
-           app.get('/proxy-service/:serviceId', async (req, res) => {
-             const { serviceId } = req.params;
-             
-             // Service mapping defined server-side
-             const serviceMap = {
-               'weather-api': 'https://api.weather.example.com/current',
-               'news-feed': 'https://api.news.example.com/feed',
-               'product-info': 'https://api.products.example.com/details'
-             };
-             
-             // Check if service is defined
-             if (!serviceMap[serviceId]) {
-               return res.status(404).json({ error: 'Service not found' });
-             }
-             
-             try {
-               // Make request to mapped URL (not user-controlled)
-               const response = await axios.get(serviceMap[serviceId]);
-               return res.json(response.data);
-             } catch (error) {
-               return res.status(500).json({ error: 'Service request failed' });
-             }
-           });
-           ```
+      // Usage in application
+      const ExternalRequestService = require('./externalRequestService');
       
-      7. **Implement Context-Specific Encodings:**
-         - Use context-appropriate encoding for URL parameters
-         - Don't rely solely on standard URL encoding
-         - Example:
-           ```javascript
-           function safeUrl(baseUrl, params) {
-             // Start with a verified base URL
-             const url = new URL(baseUrl);
-             
-             // Add parameters safely
-             for (const [key, value] of Object.entries(params)) {
-               // Ensure values are strings and properly encoded
-               url.searchParams.append(key, String(value));
-             }
-             
-             // Verify the final URL is still valid
-             if (!isAllowedDomain(url.toString())) {
-               throw new Error('URL creation resulted in disallowed domain');
-             }
-             
-             return url.toString();
-           }
-           
-           // Usage
-           try {
-             const apiUrl = safeUrl('https://api.example.com/data', {
-               id: userId,
-               format: 'json'
-             });
-             const response = await axios.get(apiUrl);
-             // Process response
-           } catch (error) {
-             // Handle error
-           }
-           ```
-      
-      8. **Use Defense in Depth:**
-         - Combine multiple validation strategies
-         - Don't rely on a single protection measure
-         - Example:
-           ```javascript
-           async function secureExternalRequest(url, options = {}) {
-             // 1. Validate URL format
-             if (!isValidUrl(url)) {
-               throw new Error('Invalid URL format');
-             }
-             
-             // 2. Check against allowlist
-             if (!isAllowedDomain(url)) {
-               throw new Error('Domain not in allowlist');
-             }
-             
-             // 3. Verify not internal network
-             const parsedUrl = new URL(url);
-             if (await isInternalNetwork(parsedUrl.hostname)) {
-               throw new Error('Access to internal networks not allowed');
-             }
-             
-             // 4. Validate protocol
-             if (!hasAllowedProtocol(url)) {
-               throw new Error('Protocol not allowed');
-             }
-             
-             // 5. Set additional security headers and options
-             const secureOptions = {
-               ...options,
-               timeout: options.timeout || 5000,
-               maxRedirects: options.maxRedirects || 2,
-               headers: {
-                 ...options.headers,
-                 'User-Agent': 'SecureApp/1.0'
-               }
-             };
-             
-             // 6. Make request with all validations passed
-             try {
-               return await axios(url, secureOptions);
-             } catch (error) {
-               logger.error({
-                 message: 'Secure external request failed',
-                 url,
-                 error: error.message
-               });
-               throw new Error('External request failed');
-             }
-           }
-           ```
-      
-      9. **Validate and Sanitize Request Parameters:**
-         - Don't trust any user-supplied input for URL construction
-         - Validate all components used in URL building
-         - Example:
-           ```javascript
-           // API that fetches weather data for a city
-           app.get('/api/weather', async (req, res) => {
-             const { city } = req.query;
-             
-             // 1. Validate parameter exists and is valid
-             if (!city || typeof city !== 'string' || city.length > 100) {
-               return res.status(400).json({ error: 'Invalid city parameter' });
-             }
-             
-             // 2. Sanitize the parameter
-             const sanitizedCity = encodeURIComponent(city.trim());
-             
-             // 3. Construct URL with validated parameter
-             const weatherApiUrl = `https://api.weather.example.com/current?city=${sanitizedCity}`;
-             
-             // 4. Additional validation of the final URL
-             if (!isValidUrl(weatherApiUrl)) {
-               return res.status(400).json({ error: 'Invalid URL construction' });
-             }
-             
-             try {
-               const response = await axios.get(weatherApiUrl);
-               return res.json(response.data);
-             } catch (error) {
-               logger.error({
-                 message: 'Weather API request failed',
-                 city,
-                 error: error.message
-               });
-               return res.status(500).json({ error: 'Failed to fetch weather data' });
-             }
-           });
-           ```
-      
-      10. **Implement Request Timeouts:**
-          - Set appropriate timeouts for all HTTP requests
-          - Prevent long-running SSRF probes
-          - Example:
-            ```javascript
-            async function fetchWithTimeout(url, options = {}) {
-              // Default timeout of 5 seconds
-              const timeout = options.timeout || 5000;
-              
-              // Create an abort controller to handle timeout
-              const controller = new AbortController();
-              const timeoutId = setTimeout(() => controller.abort(), timeout);
-              
-              try {
-                const response = await fetch(url, {
-                  ...options,
-                  signal: controller.signal
-                });
-                
-                clearTimeout(timeoutId);
-                return response;
-              } catch (error) {
-                clearTimeout(timeoutId);
-                if (error.name === 'AbortError') {
-                  throw new Error(`Request timed out after ${timeout}ms`);
-                }
-                throw error;
-              }
-            }
-            
-            // Usage
-            try {
-              const response = await fetchWithTimeout('https://api.example.com/data', {
-                timeout: 3000, // 3 seconds timeout
-                headers: { 'Content-Type': 'application/json' }
-              });
-              const data = await response.json();
-              // Process data
-            } catch (error) {
-              console.error('Request failed:', error.message);
-            }
-            ```
-      
-      11. **Rate Limit External Requests:**
-          - Implement rate limiting for outbound requests
-          - Prevent SSRF probing and DoS attacks
-          - Example:
-            ```javascript
-            const { RateLimiter } = require('limiter');
-            
-            // Create a rate limiter: 100 requests per minute
-            const externalRequestLimiter = new RateLimiter({
-              tokensPerInterval: 100,
-              interval: 'minute'
-            });
-            
-            async function rateLimitedRequest(url, options = {}) {
-              // Check if we have tokens available
-              const remainingRequests = await externalRequestLimiter.removeTokens(1);
-              
-              if (remainingRequests < 0) {
-                throw new Error('Rate limit exceeded for external requests');
-              }
-              
-              // Proceed with the request
-              return axios(url, options);
-            }
-            
-            // Usage
-            app.get('/api/external-data', async (req, res) => {
-              const { url } = req.query;
-              
-              if (!isValidUrl(url) || !isAllowedDomain(url)) {
-                return res.status(403).json({ error: 'URL not allowed' });
-              }
-              
-              try {
-                const response = await rateLimitedRequest(url);
-                return res.json(response.data);
-              } catch (error) {
-                if (error.message === 'Rate limit exceeded for external requests') {
-                  return res.status(429).json({ error: 'Too many requests' });
-                }
-                return res.status(500).json({ error: 'Failed to fetch data' });
-              }
-            });
-            ```
+      const requestService = new ExternalRequestService({
+        allowedDomains: [
+          'api.example.com',
+          'cdn.example.com',
+          'partner.trusted-domain.com'
+        ],
+        logger: appLogger,
+        timeout: 3000
+      });
       
-      12. **Use Web Application Firewalls (WAF):**
-          - Configure WAF rules to detect and block SSRF patterns
-          - Implement server-side firewall rules
-          - Example:
-            ```javascript
-            // Middleware to detect SSRF attack patterns
-            function ssrfProtectionMiddleware(req, res, next) {
-              const url = req.query.url || req.body.url;
-              
-              if (!url) {
-                return next();
-              }
-              
-              // Check for suspicious URL patterns
-              const ssrfPatterns = [
-                /file:\/\//i,
-                /^(ftps?|gopher|data|dict):\/\//i,
-                /^\/\/\//,
-                /(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/i,
-                /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)/
-              ];
-              
-              if (ssrfPatterns.some(pattern => pattern.test(url))) {
-                logger.warn({
-                  message: 'Potential SSRF attack detected',
-                  url,
-                  ip: req.ip,
-                  path: req.path,
-                  method: req.method,
-                  userId: req.user?.id
-                });
-                
-                return res.status(403).json({
-                  error: 'Access denied - suspicious URL detected'
-                });
-              }
-              
-              next();
-            }
-            
-            // Apply middleware to all routes
-            app.use(ssrfProtectionMiddleware);
-            ```
-      
-      13. **Implement Centralized Request Services:**
-          - Create a dedicated service for external requests
-          - Implement all security controls in one place
-          - Example:
-            ```javascript
-            // externalRequestService.js
-            const axios = require('axios');
-            
-            class ExternalRequestService {
-              constructor(options = {}) {
-                this.allowedDomains = options.allowedDomains || [];
-                this.maxRedirects = options.maxRedirects || 2;
-                this.timeout = options.timeout || 5000;
-                this.logger = options.logger || console;
-              }
-              
-              async request(url, options = {}) {
-                // Validate URL
-                if (!this._isValidUrl(url)) {
-                  throw new Error('Invalid URL format');
-                }
-                
-                // Check allowlist
-                if (!this._isAllowedDomain(url)) {
-                  throw new Error('Domain not in allowlist');
-                }
-                
-                // Configure request options
-                const requestOptions = {
-                  ...options,
-                  timeout: options.timeout || this.timeout,
-                  maxRedirects: options.maxRedirects || this.maxRedirects,
-                  validateStatus: status => status >= 200 && status < 300
-                };
-                
-                try {
-                  const response = await axios(url, requestOptions);
-                  return response.data;
-                } catch (error) {
-                  this.logger.error({
-                    message: 'External request failed',
-                    url,
-                    error: error.message
-                  });
-                  throw new Error(`External request failed: ${error.message}`);
-                }
-              }
-              
-              _isValidUrl(url) {
-                try {
-                  const parsedUrl = new URL(url);
-                  return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:';
-                } catch (error) {
-                  return false;
-                }
-              }
-              
-              _isAllowedDomain(url) {
-                try {
-                  const parsedUrl = new URL(url);
-                  return this.allowedDomains.includes(parsedUrl.hostname);
-                } catch (error) {
-                  return false;
-                }
-              }
-            }
-            
-            module.exports = ExternalRequestService;
-            
-            // Usage in application
-            const ExternalRequestService = require('./externalRequestService');
+      app.get('/api/external-data', async (req, res) => {
+        try {
+          // Use the service for all external requests
+          const data = await requestService.request('https://api.example.com/data');
+          return res.json(data);
+        } catch (error) {
+          return res.status(500).json({ error: error.message });
+        }
+      });
+      ```
+
+14. **Monitor and Audit External Requests:**
+    - Log all external requests for audit purposes
+    - Implement anomaly detection
+    - Example:
+      ```javascript
+      // Middleware to log and monitor all external requests
+      function requestMonitoringMiddleware(req, res, next) {
+        // Only intercept routes that might make external requests
+        if (!req.path.startsWith('/api/proxy') && !req.path.startsWith('/api/external')) {
+          return next();
+        }
+        
+        // Store original fetch/http.request methods
+        const originalFetch = global.fetch;
+        const originalHttpRequest = require('http').request;
+        const originalHttpsRequest = require('https').request;
+        
+        // Override fetch
+        global.fetch = async function monitoredFetch(url, options) {
+          const requestId = uuid.v4();
+          const startTime = Date.now();
+          
+          logger.info({
+            message: 'External request initiated',
+            requestId,
+            url,
+            method: options?.method || 'GET',
+            userContext: {
+              userId: req.user?.id,
+              ip: req.ip,
+              userAgent: req.headers['user-agent']
+            },
+            timestamp: new Date().toISOString()
+          });
+          
+          try {
+            const response = await originalFetch(url, options);
             
-            const requestService = new ExternalRequestService({
-              allowedDomains: [
-                'api.example.com',
-                'cdn.example.com',
-                'partner.trusted-domain.com'
-              ],
-              logger: appLogger,
-              timeout: 3000
+            // Log successful request
+            logger.info({
+              message: 'External request completed',
+              requestId,
+              url,
+              statusCode: response.status,
+              duration: Date.now() - startTime,
+              timestamp: new Date().toISOString()
             });
             
-            app.get('/api/external-data', async (req, res) => {
-              try {
-                // Use the service for all external requests
-                const data = await requestService.request('https://api.example.com/data');
-                return res.json(data);
-              } catch (error) {
-                return res.status(500).json({ error: error.message });
-              }
+            return response;
+          } catch (error) {
+            // Log failed request
+            logger.error({
+              message: 'External request failed',
+              requestId,
+              url,
+              error: error.message,
+              duration: Date.now() - startTime,
+              timestamp: new Date().toISOString()
             });
-            ```
-      
-      14. **Monitor and Audit External Requests:**
-          - Log all external requests for audit purposes
-          - Implement anomaly detection
-          - Example:
-            ```javascript
-            // Middleware to log and monitor all external requests
-            function requestMonitoringMiddleware(req, res, next) {
-              // Only intercept routes that might make external requests
-              if (!req.path.startsWith('/api/proxy') && !req.path.startsWith('/api/external')) {
-                return next();
-              }
-              
-              // Store original fetch/http.request methods
-              const originalFetch = global.fetch;
-              const originalHttpRequest = require('http').request;
-              const originalHttpsRequest = require('https').request;
-              
-              // Override fetch
-              global.fetch = async function monitoredFetch(url, options) {
-                const requestId = uuid.v4();
-                const startTime = Date.now();
-                
-                logger.info({
-                  message: 'External request initiated',
-                  requestId,
-                  url,
-                  method: options?.method || 'GET',
-                  userContext: {
-                    userId: req.user?.id,
-                    ip: req.ip,
-                    userAgent: req.headers['user-agent']
-                  },
-                  timestamp: new Date().toISOString()
-                });
-                
-                try {
-                  const response = await originalFetch(url, options);
-                  
-                  // Log successful request
-                  logger.info({
-                    message: 'External request completed',
-                    requestId,
-                    url,
-                    statusCode: response.status,
-                    duration: Date.now() - startTime,
-                    timestamp: new Date().toISOString()
-                  });
-                  
-                  return response;
-                } catch (error) {
-                  // Log failed request
-                  logger.error({
-                    message: 'External request failed',
-                    requestId,
-                    url,
-                    error: error.message,
-                    duration: Date.now() - startTime,
-                    timestamp: new Date().toISOString()
-                  });
-                  
-                  throw error;
-                }
-              };
-              
-              // Similar overrides for http.request and https.request
-              // ...
-              
-              // Continue with the request
-              res.on('finish', () => {
-                // Restore original methods after request completes
-                global.fetch = originalFetch;
-                require('http').request = originalHttpRequest;
-                require('https').request = originalHttpsRequest;
-              });
-              
-              next();
-            }
             
-            // Apply middleware
-            app.use(requestMonitoringMiddleware);
-            ```
+            throw error;
+          }
+        };
+        
+        // Similar overrides for http.request and https.request
+        // ...
+        
+        // Continue with the request
+        res.on('finish', () => {
+          // Restore original methods after request completes
+          global.fetch = originalFetch;
+          require('http').request = originalHttpRequest;
+          require('https').request = originalHttpsRequest;
+        });
+        
+        next();
+      }
       
-      15. **Implement Output Validation:**
-          - Validate responses from external services
-          - Use schema validation for expected formats
-          - Example:
-            ```javascript
-            const Joi = require('joi');
-            
-            // Define expected schemas for external APIs
-            const apiSchemas = {
-              weatherApi: Joi.object({
-                location: Joi.string().required(),
-                temperature: Joi.number().required(),
-                conditions: Joi.string().required(),
-                forecast: Joi.array().items(Joi.object())
-              }),
-              
-              userApi: Joi.object({
-                id: Joi.string().required(),
-                name: Joi.string().required(),
-                email: Joi.string().email().required()
-              })
-            };
-            
-            async function validateExternalResponse(data, schemaName) {
-              const schema = apiSchemas[schemaName];
-              
-              if (!schema) {
-                throw new Error(`Schema not found: ${schemaName}`);
-              }
-              
-              try {
-                const result = await schema.validateAsync(data);
-                return result;
-              } catch (error) {
-                logger.error({
-                  message: 'External API response validation failed',
-                  schemaName,
-                  error: error.message,
-                  data: JSON.stringify(data).substring(0, 200) // Log partial data for debugging
-                });
-                
-                throw new Error(`Invalid response format from external API: ${error.message}`);
-              }
-            }
-            
-            // Usage
-            app.get('/api/weather/:city', async (req, res) => {
-              const { city } = req.params;
-              
-              try {
-                // Fetch data from external API
-                const apiUrl = `https://api.weather.example.com/current?city=${encodeURIComponent(city)}`;
-                const response = await axios.get(apiUrl);
-                
-                // Validate the response against the expected schema
-                const validatedData = await validateExternalResponse(response.data, 'weatherApi');
-                
-                // Return the validated data
-                return res.json(validatedData);
-              } catch (error) {
-                return res.status(500).json({ error: error.message });
-              }
-            });
-            ```
+      // Apply middleware
+      app.use(requestMonitoringMiddleware);
+      ```
 
-  - type: validate
-    conditions:
-      # Check 1: URL validation
-      - pattern: "function\\s+(?:isValidUrl|validateUrl|checkUrl)\\s*\\([^)]*\\)\\s*\\{[^}]*new URL\\([^)]*\\)"
-        message: "Using URL validation function with proper parsing."
-      
-      # Check 2: Domain allowlisting
-      - pattern: "(?:allowlist|whitelist|allowed(?:Domain|Host))\\s*=\\s*\\["
-        message: "Implementing domain allowlisting for outbound requests."
+15. **Implement Output Validation:**
+    - Validate responses from external services
+    - Use schema validation for expected formats
+    - Example:
+      ```javascript
+      const Joi = require('joi');
       
-      # Check 3: Private IP filtering
-      - pattern: "(?:isPrivateIP|isInternalNetwork|blockInternalAddresses)"
-        message: "Checking for and blocking private IP addresses."
+      // Define expected schemas for external APIs
+      const apiSchemas = {
+        weatherApi: Joi.object({
+          location: Joi.string().required(),
+          temperature: Joi.number().required(),
+          conditions: Joi.string().required(),
+          forecast: Joi.array().items(Joi.object())
+        }),
+        
+        userApi: Joi.object({
+          id: Joi.string().required(),
+          name: Joi.string().required(),
+          email: Joi.string().email().required()
+        })
+      };
       
-      # Check 4: Protocol restriction
-      - pattern: "(?:allowedProtocols|validProtocols)\\s*=\\s*\\[\\s*['\"]https?:['\"]"
-        message: "Restricting URL protocols to HTTP/HTTPS only."
+      async function validateExternalResponse(data, schemaName) {
+        const schema = apiSchemas[schemaName];
+        
+        if (!schema) {
+          throw new Error(`Schema not found: ${schemaName}`);
+        }
+        
+        try {
+          const result = await schema.validateAsync(data);
+          return result;
+        } catch (error) {
+          logger.error({
+            message: 'External API response validation failed',
+            schemaName,
+            error: error.message,
+            data: JSON.stringify(data).substring(0, 200) // Log partial data for debugging
+          });
+          
+          throw new Error(`Invalid response format from external API: ${error.message}`);
+        }
+      }
       
-      # Check 5: Request timeout implementation
-      - pattern: "timeout:\\s*\\d+"
-        message: "Setting timeouts for outbound HTTP requests."
+      // Usage
+      app.get('/api/weather/:city', async (req, res) => {
+        const { city } = req.params;
+        
+        try {
+          // Fetch data from external API
+          const apiUrl = `https://api.weather.example.com/current?city=${encodeURIComponent(city)}`;
+          const response = await axios.get(apiUrl);
+          
+          // Validate the response against the expected schema
+          const validatedData = await validateExternalResponse(response.data, 'weatherApi');
+          
+          // Return the validated data
+          return res.json(validatedData);
+        } catch (error) {
+          return res.status(500).json({ error: error.message });
+        }
+      });
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - ssrf
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:ssrf
-    - standard:owasp-top10
-    - risk:a10-server-side-request-forgery
-  references:
-    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
-    - "https://portswigger.net/web-security/ssrf"
-    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md"
-    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Server-Side_Request_Forgery"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#ssrf-protection"
-</rule> 
+- Using URL validation function with proper parsing.
+- Implementing domain allowlisting for outbound requests.
+- Checking for and blocking private IP addresses.
+- Restricting URL protocols to HTTP/HTTPS only.
+- Setting timeouts for outbound HTTP requests.
diff --git a/.cursor/rules/javascript-software-data-integrity-failures.mdc b/.cursor/rules/javascript-software-data-integrity-failures.mdc
index 054508f..3d404c6 100644
--- a/.cursor/rules/javascript-software-data-integrity-failures.mdc
+++ b/.cursor/rules/javascript-software-data-integrity-failures.mdc
@@ -4,659 +4,561 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Software and Data Integrity Failures (OWASP A08:2021)
 
-<rule>
-name: javascript_software_data_integrity_failures
-description: Detect and prevent software and data integrity failures in JavaScript applications as defined in OWASP Top 10:2021-A08
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Insecure Deserialization
-      - pattern: "(?:JSON\\.parse|eval)\\s*\\((?:[^)]|\\n)*(?:localStorage|sessionStorage|document\\.cookie|location|window\\.name|fetch|axios|\\$\\.(?:get|post)|XMLHttpRequest)"
-        message: "Insecure deserialization of user-controlled data detected. Validate and sanitize data before parsing JSON or using eval."
-        
-      # Pattern 2: Missing Subresource Integrity
-      - pattern: "<script\\s+src=['\"][^'\"]+['\"]\\s*>"
-        negative_pattern: "integrity=['\"]sha(?:256|384|512)-[a-zA-Z0-9+/=]+"
-        message: "Script tag without Subresource Integrity (SRI) hash. Add integrity and crossorigin attributes for third-party scripts."
-        
-      # Pattern 3: Insecure Package Installation
-      - pattern: "(?:npm|yarn)\\s+(?:install|add)\\s+(?:[\\w@\\-\\.\\/:]+\\s+)*--no-(?:verify|integrity|signature)"
-        message: "Package installation with integrity checks disabled. Always verify package integrity during installation."
-        
-      # Pattern 4: Insecure Object Deserialization
-      - pattern: "(?:require|import)\\s+['\"](?:serialize-javascript|node-serialize|serialize|unserialize|deserialize)['\"]"
-        message: "Using potentially unsafe serialization/deserialization libraries. Ensure proper validation and sanitization of serialized data."
-        
-      # Pattern 5: Missing Dependency Verification
-      - pattern: "package\\.json"
-        negative_pattern: "\"(?:scripts|devDependencies)\":\\s*{[^}]*\"(?:audit|verify|check)\":\\s*\"(?:npm|yarn)\\s+audit"
-        file_pattern: "package\\.json$"
-        message: "Missing dependency verification in package.json. Add npm/yarn audit to your scripts section."
-        
-      # Pattern 6: Insecure Dynamic Imports
-      - pattern: "(?:import|require)\\s*\\(\\s*(?:variable|[a-zA-Z_$][a-zA-Z0-9_$]*|`[^`]*`|'[^']*'|\"[^\"]*\")\\s*\\)"
-        negative_pattern: "(?:allowlist|whitelist|validate)"
-        message: "Potentially insecure dynamic imports. Validate or restrict the modules that can be dynamically imported."
-        
-      # Pattern 7: Prototype Pollution
-      - pattern: "Object\\.assign\\(\\s*(?:[^,]+)\\s*,\\s*(?:JSON\\.parse|req\\.body|req\\.query|req\\.params|formData\\.get)"
-        message: "Potential prototype pollution vulnerability. Use Object.create(null) or sanitize objects before merging."
-        
-      # Pattern 8: Missing CI/CD Pipeline Integrity Checks
-      - pattern: "(?:\\.github\\/workflows\\/|\\.gitlab-ci\\.yml|azure-pipelines\\.yml|Jenkinsfile)"
-        negative_pattern: "(?:npm\\s+audit|yarn\\s+audit|checksum|integrity|verify|signature)"
-        file_pattern: "(?:\\.github\\/workflows\\/.*\\.ya?ml|\\.gitlab-ci\\.yml|azure-pipelines\\.yml|Jenkinsfile)$"
-        message: "Missing security checks in CI/CD pipeline. Add dependency scanning, integrity verification, and signature validation."
-        
-      # Pattern 9: Insecure Update Mechanism
-      - pattern: "(?:update|upgrade|install)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
-        negative_pattern: "(?:verify|checksum|hash|signature|integrity)"
-        message: "Potentially insecure update mechanism. Implement integrity verification for all updates."
-        
-      # Pattern 10: Insecure Plugin Loading
-      - pattern: "(?:plugin|addon|extension)\\.(?:load|register|install|add)\\s*\\([^)]*\\)"
-        negative_pattern: "(?:verify|validate|checksum|hash|signature|integrity)"
-        message: "Insecure plugin loading mechanism. Implement integrity verification for all plugins."
-        
-      # Pattern 11: Insecure Data Binding
-      - pattern: "(?:eval|new\\s+Function|setTimeout|setInterval)\\s*\\(\\s*(?:[^,)]+\\.(?:value|innerHTML|innerText|textContent)|[^,)]+\\[[^\\]]+\\])"
-        message: "Insecure data binding using eval or Function constructor. Use safer alternatives like JSON.parse or template literals."
-        
-      # Pattern 12: Insecure Object Property Assignment
-      - pattern: "(?:Object\\.assign|\\{\\s*\\.\\.\\.)"
-        negative_pattern: "Object\\.create\\(null\\)"
-        message: "Potential prototype pollution in object assignment. Use Object.create(null) as the target object or sanitize inputs."
-        
-      # Pattern 13: Missing Lock File
-      - pattern: "package\\.json"
-        negative_pattern: "package-lock\\.json|yarn\\.lock"
-        file_pattern: "package\\.json$"
-        message: "Missing lock file for dependency management. Include package-lock.json or yarn.lock in version control."
-        
-      # Pattern 14: Insecure Webpack Configuration
-      - pattern: "webpack\\.config\\.js"
-        negative_pattern: "(?:integrity|sri|subresource|hash|checksum)"
-        file_pattern: "webpack\\.config\\.js$"
-        message: "Webpack configuration without integrity checks. Consider enabling SRI for generated assets."
-        
-      # Pattern 15: Insecure npm/yarn Configuration
-      - pattern: "\\.npmrc|\\.yarnrc"
-        negative_pattern: "(?:verify-store|integrity|signature)"
-        file_pattern: "(?:\\.npmrc|\\.yarnrc)$"
-        message: "npm/yarn configuration with potentially disabled security features. Ensure integrity checks are enabled."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
 
-  - type: suggest
-    message: |
-      **JavaScript Software and Data Integrity Failures Best Practices:**
-      
-      1. **Secure Deserialization:**
-         - Validate and sanitize data before deserialization
-         - Use schema validation for JSON data
-         - Example:
-           ```javascript
-           import Ajv from 'ajv';
-           
-           // Define a schema for expected data
-           const schema = {
-             type: 'object',
-             properties: {
-               id: { type: 'integer' },
-               name: { type: 'string' },
-               role: { type: 'string', enum: ['user', 'admin'] }
-             },
-             required: ['id', 'name', 'role'],
-             additionalProperties: false
-           };
-           
-           // Validate data before parsing
-           function safelyParseJSON(data) {
-             try {
-               const parsed = JSON.parse(data);
-               const ajv = new Ajv();
-               const validate = ajv.compile(schema);
-               
-               if (validate(parsed)) {
-                 return { valid: true, data: parsed };
-               } else {
-                 return { valid: false, errors: validate.errors };
-               }
-             } catch (error) {
-               return { valid: false, errors: [error.message] };
-             }
-           }
-           ```
-      
-      2. **Subresource Integrity (SRI):**
-         - Add integrity hashes to external scripts and stylesheets
-         - Example:
-           ```html
-           <script 
-             src="https://cdn.example.com/library.js" 
-             integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
-             crossorigin="anonymous">
-           </script>
-           ```
-           
-           ```javascript
-           // Programmatically adding a script with SRI
-           function addScriptWithIntegrity(url, integrity) {
-             const script = document.createElement('script');
-             script.src = url;
-             script.integrity = integrity;
-             script.crossOrigin = 'anonymous';
-             document.head.appendChild(script);
-           }
-           ```
-      
-      3. **Dependency Verification:**
-         - Use npm/yarn audit regularly
-         - Implement lockfiles and version pinning
-         - Example:
-           ```json
-           // package.json
-           {
-             "scripts": {
-               "audit": "npm audit --production",
-               "preinstall": "npm audit",
-               "verify": "npm audit && npm outdated"
-             }
-           }
-           ```
-           
-           ```javascript
-           // Automated dependency verification in CI/CD
-           // .github/workflows/security.yml
-           // name: Security Checks
-           // on: [push, pull_request]
-           // jobs:
-           //   security:
-           //     runs-on: ubuntu-latest
-           //     steps:
-           //       - uses: actions/checkout@v3
-           //       - uses: actions/setup-node@v3
-           //         with:
-           //           node-version: '16'
-           //       - run: npm audit
-           ```
-      
-      4. **Secure Object Handling:**
-         - Prevent prototype pollution
-         - Use Object.create(null) for empty objects
-         - Example:
-           ```javascript
-           // Prevent prototype pollution
-           function safeObjectMerge(target, source) {
-             // Start with a null prototype object
-             const result = Object.create(null);
-             
-             // Copy properties from target
-             for (const key in target) {
-               if (Object.prototype.hasOwnProperty.call(target, key) && 
-                   key !== '__proto__' && 
-                   key !== 'constructor' && 
-                   key !== 'prototype') {
-                 result[key] = target[key];
-               }
-             }
-             
-             // Copy properties from source
-             for (const key in source) {
-               if (Object.prototype.hasOwnProperty.call(source, key) && 
-                   key !== '__proto__' && 
-                   key !== 'constructor' && 
-                   key !== 'prototype') {
-                 result[key] = source[key];
-               }
-             }
-             
-             return result;
-           }
-           ```
-      
-      5. **Secure Dynamic Imports:**
-         - Validate module paths before importing
-         - Use allowlists for dynamic imports
-         - Example:
-           ```javascript
-           // Allowlist-based dynamic imports
-           const ALLOWED_MODULES = [
-             './components/header',
-             './components/footer',
-             './components/sidebar'
-           ];
-           
-           async function safeImport(modulePath) {
-             if (!ALLOWED_MODULES.includes(modulePath)) {
-               throw new Error(`Module ${modulePath} is not in the allowlist`);
-             }
-             
-             try {
-               return await import(modulePath);
-             } catch (error) {
-               console.error(`Failed to import ${modulePath}:`, error);
-               throw error;
-             }
-           }
-           ```
-      
-      6. **CI/CD Pipeline Security:**
-         - Implement integrity checks in build pipelines
-         - Verify dependencies and artifacts
-         - Example:
-           ```yaml
-           # .github/workflows/build.yml
-           name: Build and Verify
-           on: [push, pull_request]
-           jobs:
-             build:
-               runs-on: ubuntu-latest
-               steps:
-                 - uses: actions/checkout@v3
-                 - uses: actions/setup-node@v3
-                   with:
-                     node-version: '16'
-                 - name: Install dependencies
-                   run: npm ci
-                 - name: Security audit
-                   run: npm audit
-                 - name: Build
-                   run: npm run build
-                 - name: Generate integrity hashes
-                   run: |
-                     cd dist
-                     find . -type f -name "*.js" -exec sh -c 'echo "{}" $(sha384sum "{}" | cut -d " " -f 1)' \; > integrity.txt
-                 - name: Upload artifacts with integrity manifest
-                   uses: actions/upload-artifact@v3
-                   with:
-                     name: build-artifacts
-                     path: |
-                       dist
-                       dist/integrity.txt
-           ```
-      
-      7. **Secure Update Mechanisms:**
-         - Verify integrity of updates before applying
-         - Use digital signatures when possible
-         - Example:
-           ```javascript
-           import crypto from 'crypto';
-           import fs from 'fs';
-           
-           async function verifyUpdate(updateFile, signatureFile, publicKeyFile) {
-             try {
-               const updateData = fs.readFileSync(updateFile);
-               const signature = fs.readFileSync(signatureFile);
-               const publicKey = fs.readFileSync(publicKeyFile);
-               
-               const verify = crypto.createVerify('SHA256');
-               verify.update(updateData);
-               
-               const isValid = verify.verify(publicKey, signature);
-               
-               if (!isValid) {
-                 throw new Error('Update signature verification failed');
-               }
-               
-               return { valid: true, data: updateData };
-             } catch (error) {
-               console.error('Update verification failed:', error);
-               return { valid: false, error: error.message };
-             }
+## Required Checks
+
+- Insecure deserialization of user-controlled data detected. Validate and sanitize data before parsing JSON or using eval.
+- Script tag without Subresource Integrity (SRI) hash. Add integrity and crossorigin attributes for third-party scripts.
+- Package installation with integrity checks disabled. Always verify package integrity during installation.
+- Using potentially unsafe serialization/deserialization libraries. Ensure proper validation and sanitization of serialized data.
+- Missing dependency verification in package.json. Add npm/yarn audit to your scripts section.
+- Potentially insecure dynamic imports. Validate or restrict the modules that can be dynamically imported.
+- Potential prototype pollution vulnerability. Use Object.create(null) or sanitize objects before merging.
+- Missing security checks in CI/CD pipeline. Add dependency scanning, integrity verification, and signature validation.
+- Potentially insecure update mechanism. Implement integrity verification for all updates.
+- Insecure plugin loading mechanism. Implement integrity verification for all plugins.
+- Insecure data binding using eval or Function constructor. Use safer alternatives like JSON.parse or template literals.
+- Potential prototype pollution in object assignment. Use Object.create(null) as the target object or sanitize inputs.
+- Missing lock file for dependency management. Include package-lock.json or yarn.lock in version control.
+- Webpack configuration without integrity checks. Consider enabling SRI for generated assets.
+- npm/yarn configuration with potentially disabled security features. Ensure integrity checks are enabled.
+
+## Recommendations
+
+**JavaScript Software and Data Integrity Failures Best Practices:**
+
+1. **Secure Deserialization:**
+   - Validate and sanitize data before deserialization
+   - Use schema validation for JSON data
+   - Example:
+     ```javascript
+     import Ajv from 'ajv';
+     
+     // Define a schema for expected data
+     const schema = {
+       type: 'object',
+       properties: {
+         id: { type: 'integer' },
+         name: { type: 'string' },
+         role: { type: 'string', enum: ['user', 'admin'] }
+       },
+       required: ['id', 'name', 'role'],
+       additionalProperties: false
+     };
+     
+     // Validate data before parsing
+     function safelyParseJSON(data) {
+       try {
+         const parsed = JSON.parse(data);
+         const ajv = new Ajv();
+         const validate = ajv.compile(schema);
+         
+         if (validate(parsed)) {
+           return { valid: true, data: parsed };
+         } else {
+           return { valid: false, errors: validate.errors };
+         }
+       } catch (error) {
+         return { valid: false, errors: [error.message] };
+       }
+     }
+     ```
+
+2. **Subresource Integrity (SRI):**
+   - Add integrity hashes to external scripts and stylesheets
+   - Example:
+     ```html
+     <script 
+       src="https://cdn.example.com/library.js" 
+       integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
+       crossorigin="anonymous">
+     </script>
+     ```
+     
+     ```javascript
+     // Programmatically adding a script with SRI
+     function addScriptWithIntegrity(url, integrity) {
+       const script = document.createElement('script');
+       script.src = url;
+       script.integrity = integrity;
+       script.crossOrigin = 'anonymous';
+       document.head.appendChild(script);
+     }
+     ```
+
+3. **Dependency Verification:**
+   - Use npm/yarn audit regularly
+   - Implement lockfiles and version pinning
+   - Example:
+     ```json
+     // package.json
+     {
+       "scripts": {
+         "audit": "npm audit --production",
+         "preinstall": "npm audit",
+         "verify": "npm audit && npm outdated"
+       }
+     }
+     ```
+     
+     ```javascript
+     // Automated dependency verification in CI/CD
+     // .github/workflows/security.yml
+     // name: Security Checks
+     // on: [push, pull_request]
+     // jobs:
+     //   security:
+     //     runs-on: ubuntu-latest
+     //     steps:
+     //       - uses: actions/checkout@v3
+     //       - uses: actions/setup-node@v3
+     //         with:
+     //           node-version: '16'
+     //       - run: npm audit
+     ```
+
+4. **Secure Object Handling:**
+   - Prevent prototype pollution
+   - Use Object.create(null) for empty objects
+   - Example:
+     ```javascript
+     // Prevent prototype pollution
+     function safeObjectMerge(target, source) {
+       // Start with a null prototype object
+       const result = Object.create(null);
+       
+       // Copy properties from target
+       for (const key in target) {
+         if (Object.prototype.hasOwnProperty.call(target, key) && 
+             key !== '__proto__' && 
+             key !== 'constructor' && 
+             key !== 'prototype') {
+           result[key] = target[key];
+         }
+       }
+       
+       // Copy properties from source
+       for (const key in source) {
+         if (Object.prototype.hasOwnProperty.call(source, key) && 
+             key !== '__proto__' && 
+             key !== 'constructor' && 
+             key !== 'prototype') {
+           result[key] = source[key];
+         }
+       }
+       
+       return result;
+     }
+     ```
+
+5. **Secure Dynamic Imports:**
+   - Validate module paths before importing
+   - Use allowlists for dynamic imports
+   - Example:
+     ```javascript
+     // Allowlist-based dynamic imports
+     const ALLOWED_MODULES = [
+       './components/header',
+       './components/footer',
+       './components/sidebar'
+     ];
+     
+     async function safeImport(modulePath) {
+       if (!ALLOWED_MODULES.includes(modulePath)) {
+         throw new Error(`Module ${modulePath} is not in the allowlist`);
+       }
+       
+       try {
+         return await import(modulePath);
+       } catch (error) {
+         console.error(`Failed to import ${modulePath}:`, error);
+         throw error;
+       }
+     }
+     ```
+
+6. **CI/CD Pipeline Security:**
+   - Implement integrity checks in build pipelines
+   - Verify dependencies and artifacts
+   - Example:
+     ```yaml
+     # .github/workflows/build.yml
+     name: Build and Verify
+     on: [push, pull_request]
+     jobs:
+       build:
+         runs-on: ubuntu-latest
+         steps:
+           - uses: actions/checkout@v3
+           - uses: actions/setup-node@v3
+             with:
+               node-version: '16'
+           - name: Install dependencies
+             run: npm ci
+           - name: Security audit
+             run: npm audit
+           - name: Build
+             run: npm run build
+           - name: Generate integrity hashes
+             run: |
+               cd dist
+               find . -type f -name "*.js" -exec sh -c 'echo "{}" $(sha384sum "{}" | cut -d " " -f 1)' \; > integrity.txt
+           - name: Upload artifacts with integrity manifest
+             uses: actions/upload-artifact@v3
+             with:
+               name: build-artifacts
+               path: |
+                 dist
+                 dist/integrity.txt
+     ```
+
+7. **Secure Update Mechanisms:**
+   - Verify integrity of updates before applying
+   - Use digital signatures when possible
+   - Example:
+     ```javascript
+     import crypto from 'crypto';
+     import fs from 'fs';
+     
+     async function verifyUpdate(updateFile, signatureFile, publicKeyFile) {
+       try {
+         const updateData = fs.readFileSync(updateFile);
+         const signature = fs.readFileSync(signatureFile);
+         const publicKey = fs.readFileSync(publicKeyFile);
+         
+         const verify = crypto.createVerify('SHA256');
+         verify.update(updateData);
+         
+         const isValid = verify.verify(publicKey, signature);
+         
+         if (!isValid) {
+           throw new Error('Update signature verification failed');
+         }
+         
+         return { valid: true, data: updateData };
+       } catch (error) {
+         console.error('Update verification failed:', error);
+         return { valid: false, error: error.message };
+       }
+     }
+     ```
+
+8. **Plugin/Extension Security:**
+   - Implement allowlists for plugins
+   - Verify plugin integrity before loading
+   - Example:
+     ```javascript
+     class PluginManager {
+       constructor() {
+         this.plugins = new Map();
+         this.allowedPlugins = new Set(['logger', 'analytics', 'theme']);
+       }
+       
+       async registerPlugin(name, pluginPath, expectedHash) {
+         if (!this.allowedPlugins.has(name)) {
+           throw new Error(`Plugin ${name} is not in the allowlist`);
+         }
+         
+         // Verify plugin integrity
+         const pluginCode = await fetch(pluginPath).then(r => r.text());
+         const hash = crypto.createHash('sha256').update(pluginCode).digest('hex');
+         
+         if (hash !== expectedHash) {
+           throw new Error(`Plugin integrity check failed for ${name}`);
+         }
+         
+         // Safe loading using Function constructor instead of eval
+         // Still has security implications but better than direct eval
+         const sandboxedPlugin = new Function('exports', 'require', pluginCode);
+         const exports = {};
+         const safeRequire = (module) => {
+           // Implement a restricted require function
+           const allowedModules = ['lodash', 'dayjs'];
+           if (!allowedModules.includes(module)) {
+             throw new Error(`Module ${module} is not allowed in plugins`);
            }
-           ```
+           return require(module);
+         };
+         
+         sandboxedPlugin(exports, safeRequire);
+         this.plugins.set(name, exports);
+         return exports;
+       }
+     }
+     ```
+
+9. **Secure Data Binding:**
+   - Avoid eval() and new Function()
+   - Use template literals or frameworks with safe binding
+   - Example:
+     ```javascript
+     // Unsafe:
+     // function updateElement(id, data) {
+     //   const element = document.getElementById(id);
+     //   element.innerHTML = eval('`' + template + '`'); // DANGEROUS!
+     // }
+     
+     // Safe alternative:
+     function updateElement(id, data) {
+       const element = document.getElementById(id);
+       
+       // Use a template literal with explicit interpolation
+       const template = `<div class="user-card">
+         <h2>${escapeHTML(data.name)}</h2>
+         <p>${escapeHTML(data.bio)}</p>
+       </div>`;
+       
+       element.innerHTML = template;
+     }
+     
+     function escapeHTML(str) {
+       return str
+         .replace(/&/g, '&amp;')
+         .replace(/</g, '&lt;')
+         .replace(/>/g, '&gt;')
+         .replace(/"/g, '&quot;')
+         .replace(/'/g, '&#039;');
+     }
+     ```
+
+10. **Secure Configuration Management:**
+    - Validate configurations before use
+    - Use schema validation for config files
+    - Example:
+      ```javascript
+      import Ajv from 'ajv';
+      import fs from 'fs';
       
-      8. **Plugin/Extension Security:**
-         - Implement allowlists for plugins
-         - Verify plugin integrity before loading
-         - Example:
-           ```javascript
-           class PluginManager {
-             constructor() {
-               this.plugins = new Map();
-               this.allowedPlugins = new Set(['logger', 'analytics', 'theme']);
-             }
-             
-             async registerPlugin(name, pluginPath, expectedHash) {
-               if (!this.allowedPlugins.has(name)) {
-                 throw new Error(`Plugin ${name} is not in the allowlist`);
-               }
-               
-               // Verify plugin integrity
-               const pluginCode = await fetch(pluginPath).then(r => r.text());
-               const hash = crypto.createHash('sha256').update(pluginCode).digest('hex');
-               
-               if (hash !== expectedHash) {
-                 throw new Error(`Plugin integrity check failed for ${name}`);
-               }
-               
-               // Safe loading using Function constructor instead of eval
-               // Still has security implications but better than direct eval
-               const sandboxedPlugin = new Function('exports', 'require', pluginCode);
-               const exports = {};
-               const safeRequire = (module) => {
-                 // Implement a restricted require function
-                 const allowedModules = ['lodash', 'dayjs'];
-                 if (!allowedModules.includes(module)) {
-                   throw new Error(`Module ${module} is not allowed in plugins`);
-                 }
-                 return require(module);
-               };
-               
-               sandboxedPlugin(exports, safeRequire);
-               this.plugins.set(name, exports);
-               return exports;
-             }
-           }
-           ```
+      function loadAndValidateConfig(configPath) {
+        // Define schema for configuration
+        const configSchema = {
+          type: 'object',
+          properties: {
+            server: {
+              type: 'object',
+              properties: {
+                port: { type: 'integer', minimum: 1024, maximum: 65535 },
+                host: { type: 'string', format: 'hostname' }
+              },
+              required: ['port', 'host']
+            },
+            database: {
+              type: 'object',
+              properties: {
+                url: { type: 'string' },
+                maxConnections: { type: 'integer', minimum: 1 }
+              },
+              required: ['url']
+            }
+          },
+          required: ['server', 'database'],
+          additionalProperties: false
+        };
+        
+        try {
+          const configData = fs.readFileSync(configPath, 'utf8');
+          const config = JSON.parse(configData);
+          
+          const ajv = new Ajv({ allErrors: true });
+          const validate = ajv.compile(configSchema);
+          
+          if (validate(config)) {
+            return { valid: true, config };
+          } else {
+            return { valid: false, errors: validate.errors };
+          }
+        } catch (error) {
+          return { valid: false, errors: [error.message] };
+        }
+      }
+      ```
+
+11. **Secure Webpack Configuration:**
+    - Enable SRI in webpack
+    - Use content hashing for cache busting
+    - Example:
+      ```javascript
+      // webpack.config.js
+      const SubresourceIntegrityPlugin = require('webpack-subresource-integrity');
       
-      9. **Secure Data Binding:**
-         - Avoid eval() and new Function()
-         - Use template literals or frameworks with safe binding
-         - Example:
-           ```javascript
-           // Unsafe:
-           // function updateElement(id, data) {
-           //   const element = document.getElementById(id);
-           //   element.innerHTML = eval('`' + template + '`'); // DANGEROUS!
-           // }
-           
-           // Safe alternative:
-           function updateElement(id, data) {
-             const element = document.getElementById(id);
-             
-             // Use a template literal with explicit interpolation
-             const template = `<div class="user-card">
-               <h2>${escapeHTML(data.name)}</h2>
-               <p>${escapeHTML(data.bio)}</p>
-             </div>`;
-             
-             element.innerHTML = template;
-           }
-           
-           function escapeHTML(str) {
-             return str
-               .replace(/&/g, '&amp;')
-               .replace(/</g, '&lt;')
-               .replace(/>/g, '&gt;')
-               .replace(/"/g, '&quot;')
-               .replace(/'/g, '&#039;');
-           }
-           ```
+      module.exports = {
+        output: {
+          filename: '[name].[contenthash].js',
+          crossOriginLoading: 'anonymous' // Required for SRI
+        },
+        plugins: [
+          new SubresourceIntegrityPlugin({
+            hashFuncNames: ['sha384'],
+            enabled: process.env.NODE_ENV === 'production'
+          })
+        ]
+      };
+      ```
+
+12. **Secure npm/yarn Configuration:**
+    - Enable integrity checks
+    - Use lockfiles and exact versions
+    - Example:
+      ```
+      # .npmrc
+      audit=true
+      audit-level=moderate
+      save-exact=true
+      verify-store=true
       
-      10. **Secure Configuration Management:**
-          - Validate configurations before use
-          - Use schema validation for config files
-          - Example:
-            ```javascript
-            import Ajv from 'ajv';
-            import fs from 'fs';
-            
-            function loadAndValidateConfig(configPath) {
-              // Define schema for configuration
-              const configSchema = {
-                type: 'object',
-                properties: {
-                  server: {
-                    type: 'object',
-                    properties: {
-                      port: { type: 'integer', minimum: 1024, maximum: 65535 },
-                      host: { type: 'string', format: 'hostname' }
-                    },
-                    required: ['port', 'host']
-                  },
-                  database: {
-                    type: 'object',
-                    properties: {
-                      url: { type: 'string' },
-                      maxConnections: { type: 'integer', minimum: 1 }
-                    },
-                    required: ['url']
-                  }
-                },
-                required: ['server', 'database'],
-                additionalProperties: false
-              };
-              
-              try {
-                const configData = fs.readFileSync(configPath, 'utf8');
-                const config = JSON.parse(configData);
-                
-                const ajv = new Ajv({ allErrors: true });
-                const validate = ajv.compile(configSchema);
-                
-                if (validate(config)) {
-                  return { valid: true, config };
-                } else {
-                  return { valid: false, errors: validate.errors };
-                }
-              } catch (error) {
-                return { valid: false, errors: [error.message] };
-              }
-            }
-            ```
+      # .yarnrc.yml
+      enableStrictSsl: true
+      enableImmutableInstalls: true
+      checksumBehavior: "throw"
+      ```
+
+13. **Secure JSON Parsing:**
+    - Use reviver functions with JSON.parse
+    - Example:
+      ```javascript
+      function parseUserData(data) {
+        return JSON.parse(data, (key, value) => {
+          // Sanitize specific fields
+          if (key === 'role' && !['user', 'admin', 'editor'].includes(value)) {
+            return 'user'; // Default to safe value
+          }
+          
+          // Prevent Date objects from being reconstructed from strings
+          if (typeof value === 'string' && 
+              /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/.test(value)) {
+            // Return as string, not Date object
+            return value;
+          }
+          
+          return value;
+        });
+      }
+      ```
+
+14. **Content Security Policy (CSP):**
+    - Implement strict CSP headers
+    - Use nonce-based CSP for inline scripts
+    - Example:
+      ```javascript
+      // Express.js example
+      import crypto from 'crypto';
+      import helmet from 'helmet';
       
-      11. **Secure Webpack Configuration:**
-          - Enable SRI in webpack
-          - Use content hashing for cache busting
-          - Example:
-            ```javascript
-            // webpack.config.js
-            const SubresourceIntegrityPlugin = require('webpack-subresource-integrity');
-            
-            module.exports = {
-              output: {
-                filename: '[name].[contenthash].js',
-                crossOriginLoading: 'anonymous' // Required for SRI
-              },
-              plugins: [
-                new SubresourceIntegrityPlugin({
-                  hashFuncNames: ['sha384'],
-                  enabled: process.env.NODE_ENV === 'production'
-                })
-              ]
-            };
-            ```
+      app.use((req, res, next) => {
+        // Generate a new nonce for each request
+        res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
+        next();
+      });
       
-      12. **Secure npm/yarn Configuration:**
-          - Enable integrity checks
-          - Use lockfiles and exact versions
-          - Example:
-            ```
-            # .npmrc
-            audit=true
-            audit-level=moderate
-            save-exact=true
-            verify-store=true
-            
-            # .yarnrc.yml
-            enableStrictSsl: true
-            enableImmutableInstalls: true
-            checksumBehavior: "throw"
-            ```
+      app.use(helmet.contentSecurityPolicy({
+        directives: {
+          defaultSrc: ["'self'"],
+          scriptSrc: [
+            "'self'",
+            (req, res) => `'nonce-${res.locals.cspNonce}'`,
+            'https://cdn.jsdelivr.net'
+          ],
+          styleSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+          // Add other directives as needed
+        }
+      }));
       
-      13. **Secure JSON Parsing:**
-          - Use reviver functions with JSON.parse
-          - Example:
-            ```javascript
-            function parseUserData(data) {
-              return JSON.parse(data, (key, value) => {
-                // Sanitize specific fields
-                if (key === 'role' && !['user', 'admin', 'editor'].includes(value)) {
-                  return 'user'; // Default to safe value
-                }
-                
-                // Prevent Date objects from being reconstructed from strings
-                if (typeof value === 'string' && 
-                    /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/.test(value)) {
-                  // Return as string, not Date object
-                  return value;
-                }
-                
-                return value;
-              });
+      // In your template engine, use the nonce:
+      // <script nonce="<%= cspNonce %>">
+      //   // Inline JavaScript
+      // </script>
+      ```
+
+15. **Secure Local Storage:**
+    - Validate data before storing and after retrieving
+    - Consider encryption for sensitive data
+    - Example:
+      ```javascript
+      // Simple encryption/decryption for localStorage
+      // Note: This is still client-side and not fully secure
+      class SecureStorage {
+        constructor(secret) {
+          this.secret = secret;
+        }
+        
+        // Set item with validation and encryption
+        setItem(key, value, schema) {
+          // Validate with schema if provided
+          if (schema) {
+            const ajv = new Ajv();
+            const validate = ajv.compile(schema);
+            if (!validate(value)) {
+              throw new Error(`Invalid data for ${key}: ${ajv.errorsText(validate.errors)}`);
             }
-            ```
-      
-      14. **Content Security Policy (CSP):**
-          - Implement strict CSP headers
-          - Use nonce-based CSP for inline scripts
-          - Example:
-            ```javascript
-            // Express.js example
-            import crypto from 'crypto';
-            import helmet from 'helmet';
-            
-            app.use((req, res, next) => {
-              // Generate a new nonce for each request
-              res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-              next();
-            });
-            
-            app.use(helmet.contentSecurityPolicy({
-              directives: {
-                defaultSrc: ["'self'"],
-                scriptSrc: [
-                  "'self'",
-                  (req, res) => `'nonce-${res.locals.cspNonce}'`,
-                  'https://cdn.jsdelivr.net'
-                ],
-                styleSrc: ["'self'", 'https://cdn.jsdelivr.net'],
-                // Add other directives as needed
-              }
-            }));
+          }
+          
+          // Simple encryption (not for truly sensitive data)
+          const valueStr = JSON.stringify(value);
+          const encrypted = this.encrypt(valueStr);
+          localStorage.setItem(key, encrypted);
+        }
+        
+        // Get item with decryption and validation
+        getItem(key, schema) {
+          const encrypted = localStorage.getItem(key);
+          if (!encrypted) return null;
+          
+          try {
+            const decrypted = this.decrypt(encrypted);
+            const value = JSON.parse(decrypted);
             
-            // In your template engine, use the nonce:
-            // <script nonce="<%= cspNonce %>">
-            //   // Inline JavaScript
-            // </script>
-            ```
-      
-      15. **Secure Local Storage:**
-          - Validate data before storing and after retrieving
-          - Consider encryption for sensitive data
-          - Example:
-            ```javascript
-            // Simple encryption/decryption for localStorage
-            // Note: This is still client-side and not fully secure
-            class SecureStorage {
-              constructor(secret) {
-                this.secret = secret;
-              }
-              
-              // Set item with validation and encryption
-              setItem(key, value, schema) {
-                // Validate with schema if provided
-                if (schema) {
-                  const ajv = new Ajv();
-                  const validate = ajv.compile(schema);
-                  if (!validate(value)) {
-                    throw new Error(`Invalid data for ${key}: ${ajv.errorsText(validate.errors)}`);
-                  }
-                }
-                
-                // Simple encryption (not for truly sensitive data)
-                const valueStr = JSON.stringify(value);
-                const encrypted = this.encrypt(valueStr);
-                localStorage.setItem(key, encrypted);
-              }
-              
-              // Get item with decryption and validation
-              getItem(key, schema) {
-                const encrypted = localStorage.getItem(key);
-                if (!encrypted) return null;
-                
-                try {
-                  const decrypted = this.decrypt(encrypted);
-                  const value = JSON.parse(decrypted);
-                  
-                  // Validate with schema if provided
-                  if (schema) {
-                    const ajv = new Ajv();
-                    const validate = ajv.compile(schema);
-                    if (!validate(value)) {
-                      console.error(`Retrieved invalid data for ${key}`);
-                      return null;
-                    }
-                  }
-                  
-                  return value;
-                } catch (error) {
-                  console.error(`Failed to retrieve ${key}:`, error);
-                  return null;
-                }
-              }
-              
-              // Simple XOR encryption (not for production use with sensitive data)
-              encrypt(text) {
-                let result = '';
-                for (let i = 0; i < text.length; i++) {
-                  result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
-                }
-                return btoa(result);
-              }
-              
-              decrypt(encoded) {
-                const text = atob(encoded);
-                let result = '';
-                for (let i = 0; i < text.length; i++) {
-                  result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
-                }
-                return result;
+            // Validate with schema if provided
+            if (schema) {
+              const ajv = new Ajv();
+              const validate = ajv.compile(schema);
+              if (!validate(value)) {
+                console.error(`Retrieved invalid data for ${key}`);
+                return null;
               }
             }
-            ```
+            
+            return value;
+          } catch (error) {
+            console.error(`Failed to retrieve ${key}:`, error);
+            return null;
+          }
+        }
+        
+        // Simple XOR encryption (not for production use with sensitive data)
+        encrypt(text) {
+          let result = '';
+          for (let i = 0; i < text.length; i++) {
+            result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
+          }
+          return btoa(result);
+        }
+        
+        decrypt(encoded) {
+          const text = atob(encoded);
+          let result = '';
+          for (let i = 0; i < text.length; i++) {
+            result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
+          }
+          return result;
+        }
+      }
+      ```
 
-  - type: validate
-    conditions:
-      # Check 1: Subresource Integrity
-      - pattern: "<script\\s+[^>]*?integrity=['\"]sha(?:256|384|512)-[a-zA-Z0-9+/=]+['\"][^>]*?>"
-        message: "Using Subresource Integrity (SRI) for external scripts."
-      
-      # Check 2: Dependency Verification
-      - pattern: "\"scripts\":\\s*{[^}]*\"(?:audit|verify|check)\":\\s*\"(?:npm|yarn)\\s+audit"
-        message: "Implementing dependency verification in package.json scripts."
-      
-      # Check 3: Lock File Usage
-      - pattern: "(?:package-lock\\.json|yarn\\.lock)"
-        file_pattern: "(?:package-lock\\.json|yarn\\.lock)$"
-        message: "Using lock files for dependency management."
-      
-      # Check 4: Safe Object Creation
-      - pattern: "Object\\.create\\(null\\)"
-        message: "Using Object.create(null) to prevent prototype pollution."
-      
-      # Check 5: Schema Validation
-      - pattern: "(?:ajv|joi|yup|zod|jsonschema|validate)"
-        message: "Implementing schema validation for data integrity."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - integrity
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:integrity
-    - standard:owasp-top10
-    - risk:a08-software-data-integrity-failures
-  references:
-    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html"
-    - "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
-    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Subresource_Integrity"
-    - "https://snyk.io/blog/prototype-pollution-javascript/"
-    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
-    - "https://owasp.org/www-community/attacks/Prototype_pollution"
-</rule> 
+- Using Subresource Integrity (SRI) for external scripts.
+- Implementing dependency verification in package.json scripts.
+- Using lock files for dependency management.
+- Using Object.create(null) to prevent prototype pollution.
+- Implementing schema validation for data integrity.
diff --git a/.cursor/rules/javascript-standards.mdc b/.cursor/rules/javascript-standards.mdc
index d5899fe..c2169bf 100644
--- a/.cursor/rules/javascript-standards.mdc
+++ b/.cursor/rules/javascript-standards.mdc
@@ -4,48 +4,33 @@ globs: *.js
 ---
 # JavaScript Development Standards
 
-<rule>
-name: javascript_standards
-description: Enforce JavaScript development standards for Drupal
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "\\(function\\s*\\(\\$\\)\\s*\\{[^}]*\\}\\)\\s*\\(jQuery\\)"
-        message: "Use Drupal behaviors instead of IIFE"
-
-      - pattern: "\\$\\('[^']*'\\)"
-        message: "Cache jQuery selectors for better performance"
-
-      - pattern: "\\.ajax\\(\\{[^}]*success:"
-        message: "Implement proper error handling for AJAX calls"
-
-      - pattern: "var\\s+"
-        message: "Use const or let instead of var (ES6+)"
-
-  - type: suggest
-    message: |
-      JavaScript Best Practices:
-      - Use Drupal behaviors for all JavaScript
-      - Implement proper error handling for AJAX
-      - Cache jQuery selectors
-      - Use ES6+ features
-      - Add proper documentation
-      - Follow Drupal JavaScript coding standards
-      - Use proper event delegation
-      - Implement proper error handling
-      - Use async/await for asynchronous operations
-      - Follow proper module pattern
-
-  - type: validate
-    conditions:
-      - pattern: "Drupal\\.behaviors\\.\\w+"
-        message: "Implement JavaScript functionality using Drupal behaviors"
-
-      - pattern: "/\\*\\*[^*]*\\*/"
-        message: "Add JSDoc documentation for JavaScript functions"
-
-metadata:
-  priority: high
-  version: 1.0
-</rule>
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.js`
+
+## Required Checks
+
+- Use Drupal behaviors instead of IIFE
+- Cache jQuery selectors for better performance
+- Implement proper error handling for AJAX calls
+- Use const or let instead of var (ES6+)
+
+## Recommendations
+
+JavaScript Best Practices:
+- Use Drupal behaviors for all JavaScript
+- Implement proper error handling for AJAX
+- Cache jQuery selectors
+- Use ES6+ features
+- Add proper documentation
+- Follow Drupal JavaScript coding standards
+- Use proper event delegation
+- Implement proper error handling
+- Use async/await for asynchronous operations
+- Follow proper module pattern
+
+## Validation
+
+- Implement JavaScript functionality using Drupal behaviors
+- Add JSDoc documentation for JavaScript functions
diff --git a/.cursor/rules/javascript-vulnerable-outdated-components.mdc b/.cursor/rules/javascript-vulnerable-outdated-components.mdc
index 381e90b..4a9edc9 100644
--- a/.cursor/rules/javascript-vulnerable-outdated-components.mdc
+++ b/.cursor/rules/javascript-vulnerable-outdated-components.mdc
@@ -4,333 +4,237 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Vulnerable and Outdated Components (OWASP A06:2021)
 
-<rule>
-name: javascript_vulnerable_outdated_components
-description: Detect and prevent the use of vulnerable and outdated components in JavaScript applications as defined in OWASP Top 10:2021-A06
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Outdated Package Versions in package.json
-      - pattern: "\"(dependencies|devDependencies)\"\\s*:\\s*\\{[^}]*?\"([^\"]+)\"\\s*:\\s*\"\\^?([0-9]+\\.[0-9]+\\.[0-9]+)\""
-        location: "package\\.json$"
-        message: "Check for outdated dependencies in package.json. Regularly update dependencies to avoid known vulnerabilities."
-        
-      # Pattern 2: Direct CDN Links Without Integrity Hashes
-      - pattern: "<script\\s+src=['\"]https?://(?:cdn|unpkg|jsdelivr)[^'\"]*['\"][^>]*(?!integrity=)"
-        location: "\\.(html|js|jsx|ts|tsx)$"
-        message: "CDN resources without integrity hashes. Add integrity and crossorigin attributes to script tags loading external resources."
-        
-      # Pattern 3: Hardcoded Library Versions in HTML
-      - pattern: "<script\\s+src=['\"][^'\"]*(?:jquery|bootstrap|react|vue|angular|lodash|moment)[@-][0-9]+\\.[0-9]+\\.[0-9]+[^'\"]*['\"]"
-        location: "\\.html$"
-        message: "Hardcoded library versions in HTML. Consider using a package manager to manage dependencies."
-        
-      # Pattern 4: Deprecated Node.js APIs
-      - pattern: "(?:new Buffer\\(|require\\(['\"]crypto['\"]\\)\\.createCipher\\(|require\\(['\"]crypto['\"]\\)\\.randomBytes\\([^,)]+\\)|require\\(['\"]fs['\"]\\)\\.exists\\()"
-        message: "Using deprecated Node.js APIs. Replace with modern alternatives to avoid security and maintenance issues."
-        
-      # Pattern 5: Deprecated Browser APIs
-      - pattern: "document\\.write\\(|document\\.execCommand\\(|escape\\(|unescape\\(|showModalDialog\\(|localStorage\\.clear\\(\\)|sessionStorage\\.clear\\(\\)"
-        location: "(?:src|components|pages)"
-        message: "Using deprecated browser APIs. Replace with modern alternatives to avoid compatibility and security issues."
-        
-      # Pattern 6: Insecure Dependency Loading
-      - pattern: "require\\([^)]*?\\+\\s*[^)]+\\)|import\\([^)]*?\\+\\s*[^)]+\\)"
-        message: "Dynamic dependency loading with variable concatenation. This can lead to dependency confusion attacks."
-        
-      # Pattern 7: Vulnerable Regular Expression Patterns (ReDoS)
-      - pattern: "new RegExp\\([^)]*?(?:\\(.*\\)\\*|\\*\\+|\\+\\*|\\{\\d+,\\})"
-        message: "Potentially vulnerable regular expression pattern that could lead to ReDoS attacks. Review and optimize the regex pattern."
-        
-      # Pattern 8: Insecure Package Installation
-      - pattern: "npm\\s+install\\s+(?:--no-save|--no-audit|--no-fund|--force)"
-        location: "(?:scripts|Dockerfile|docker-compose\\.yml|\\.github/workflows)"
-        message: "Insecure package installation flags. Avoid using --no-audit, --no-save, or --force flags when installing packages."
-        
-      # Pattern 9: Missing Lock Files
-      - pattern: "package\\.json"
-        location: "package\\.json$"
-        negative_pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
-        message: "Missing lock file. Use package-lock.json, yarn.lock, or pnpm-lock.yaml to ensure dependency consistency."
-        
-      # Pattern 10: Insecure Webpack Configuration
-      - pattern: "webpack\\.config\\.js"
-        location: "webpack\\.config\\.js$"
-        negative_pattern: "(?:noEmitOnErrors|optimization\\.minimize)"
-        message: "Potentially insecure webpack configuration. Consider enabling noEmitOnErrors and optimization.minimize."
-        
-      # Pattern 11: Outdated TypeScript Configuration
-      - pattern: "\"compilerOptions\"\\s*:\\s*\\{[^}]*?\"target\"\\s*:\\s*\"ES5\""
-        location: "tsconfig\\.json$"
-        message: "Outdated TypeScript target. Consider using a more modern target like ES2020 for better security features."
-        
-      # Pattern 12: Insecure Package Sources
-      - pattern: "registry\\s*=\\s*(?!https://registry\\.npmjs\\.org)"
-        location: "\\.npmrc$"
-        message: "Using a non-standard npm registry. Ensure you trust the source of your packages."
-        
-      # Pattern 13: Missing npm audit in CI/CD
-      - pattern: "(?:ci|test|build)\\s*:\\s*\"[^\"]*?\""
-        location: "package\\.json$"
-        negative_pattern: "npm\\s+audit"
-        message: "Missing npm audit in CI/CD scripts. Add 'npm audit' to your CI/CD pipeline to detect vulnerabilities."
-        
-      # Pattern 14: Insecure Import Maps
-      - pattern: "<script\\s+type=['\"]importmap['\"][^>]*>[^<]*?\"imports\"\\s*:\\s*\\{[^}]*?\"[^\"]+\"\\s*:\\s*\"https?://[^\"]+\""
-        negative_pattern: "integrity="
-        message: "Insecure import maps without integrity checks. Add integrity hashes to import map entries."
+## Applies To
+- `**/*.js`
+- `**/*.jsx`
+- `**/*.ts`
+- `**/*.tsx`
+- `!**/node_modules/**`
+- `!**/dist/**`
+- `!**/build/**`
+- `!**/coverage/**`
+
+## Required Checks
+
+- Check for outdated dependencies in package.json. Regularly update dependencies to avoid known vulnerabilities.
+- CDN resources without integrity hashes. Add integrity and crossorigin attributes to script tags loading external resources.
+- Hardcoded library versions in HTML. Consider using a package manager to manage dependencies.
+- Using deprecated Node.js APIs. Replace with modern alternatives to avoid security and maintenance issues.
+- Using deprecated browser APIs. Replace with modern alternatives to avoid compatibility and security issues.
+- Dynamic dependency loading with variable concatenation. This can lead to dependency confusion attacks.
+- Potentially vulnerable regular expression pattern that could lead to ReDoS attacks. Review and optimize the regex pattern.
+- Insecure package installation flags. Avoid using --no-audit, --no-save, or --force flags when installing packages.
+- Missing lock file. Use package-lock.json, yarn.lock, or pnpm-lock.yaml to ensure dependency consistency.
+- Potentially insecure webpack configuration. Consider enabling noEmitOnErrors and optimization.minimize.
+- Outdated TypeScript target. Consider using a more modern target like ES2020 for better security features.
+- Using a non-standard npm registry. Ensure you trust the source of your packages.
+- Missing npm audit in CI/CD scripts. Add 'npm audit' to your CI/CD pipeline to detect vulnerabilities.
+- Insecure import maps without integrity checks. Add integrity hashes to import map entries.
+- Using potentially outdated polyfills. Consider using modern alternatives or feature detection.
+
+## Recommendations
+
+**JavaScript Vulnerable and Outdated Components Best Practices:**
+
+1. **Dependency Management:**
+   - Regularly update dependencies to their latest secure versions
+   - Use tools like npm audit, Snyk, or Dependabot to detect vulnerabilities
+   - Example:
+     ```javascript
+     // Add these scripts to package.json
+     {
+       "scripts": {
+         "audit": "npm audit",
+         "audit:fix": "npm audit fix",
+         "outdated": "npm outdated",
+         "update": "npm update",
+         "prestart": "npm audit --production"
+       }
+     }
+     ```
+
+2. **Lock Files:**
+   - Always use lock files (package-lock.json, yarn.lock, or pnpm-lock.yaml)
+   - Commit lock files to version control
+   - Example:
+     ```bash
+     # Generate a lock file if it doesn't exist
+     npm install
+     
+     # Or for Yarn
+     yarn
+     
+     # Or for pnpm
+     pnpm install
+     ```
+
+3. **Subresource Integrity:**
+   - Use integrity hashes when loading resources from CDNs
+   - Example:
+     ```html
+     <script 
+       src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js" 
+       integrity="sha384-tMH8h3BGESGckSAVGZ82T9n90ztNepwCjSPJ0A7g2vdY8M0oKtDaDGg0G53cysJA" 
+       crossorigin="anonymous">
+     </script>
+     ```
+
+4. **Automated Security Scanning:**
+   - Integrate security scanning into your CI/CD pipeline
+   - Example GitHub Actions workflow:
+     ```yaml
+     name: Security Scan
+     
+     on:
+       push:
+         branches: [ main ]
+       pull_request:
+         branches: [ main ]
+       schedule:
+         - cron: '0 0 * * 0'  # Run weekly
+     
+     jobs:
+       security:
+         runs-on: ubuntu-latest
+         steps:
+           - uses: actions/checkout@v3
+           - name: Setup Node.js
+             uses: actions/setup-node@v3
+             with:
+               node-version: '18'
+               cache: 'npm'
+           - name: Install dependencies
+             run: npm ci
+           - name: Run security audit
+             run: npm audit --audit-level=high
+           - name: Run Snyk to check for vulnerabilities
+             uses: snyk/actions/node@master
+             env:
+               SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+     ```
+
+5. **Dependency Pinning:**
+   - Pin dependencies to specific versions to prevent unexpected updates
+   - Example:
+     ```json
+     {
+       "dependencies": {
+         "express": "4.18.2",
+         "react": "18.2.0",
+         "lodash": "4.17.21"
+       }
+     }
+     ```
+
+6. **Deprecated API Replacement:**
+   - Replace deprecated Node.js APIs with modern alternatives
+   - Example:
+     ```javascript
+     // INSECURE: Using deprecated Buffer constructor
+     const buffer = new Buffer(data);
+     
+     // SECURE: Using Buffer.from()
+     const buffer = Buffer.from(data);
+     
+     // INSECURE: Using deprecated crypto methods
+     const crypto = require('crypto');
+     const cipher = crypto.createCipher('aes-256-cbc', key);
+     
+     // SECURE: Using modern crypto methods
+     const crypto = require('crypto');
+     const iv = crypto.randomBytes(16);
+     const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
+     ```
+
+7. **Browser API Modernization:**
+   - Replace deprecated browser APIs with modern alternatives
+   - Example:
+     ```javascript
+     // INSECURE: Using document.write
+     document.write('<h1>Hello World</h1>');
+     
+     // SECURE: Using DOM manipulation
+     document.getElementById('content').innerHTML = '<h1>Hello World</h1>';
+     
+     // INSECURE: Using escape/unescape
+     const encoded = escape(data);
+     
+     // SECURE: Using encodeURIComponent
+     const encoded = encodeURIComponent(data);
+     ```
+
+8. **Safe Dynamic Imports:**
+   - Avoid dynamic imports with variable concatenation
+   - Example:
+     ```javascript
+     // INSECURE: Dynamic import with concatenation
+     const moduleName = userInput;
+     import('./' + moduleName + '.js');
+     
+     // SECURE: Validate input against a whitelist
+     const validModules = ['module1', 'module2', 'module3'];
+     if (validModules.includes(moduleName)) {
+       import(`./${moduleName}.js`);
+     }
+     ```
+
+9. **Regular Expression Safety:**
+   - Avoid vulnerable regex patterns that could lead to ReDoS attacks
+   - Example:
+     ```javascript
+     // INSECURE: Vulnerable regex pattern
+     const regex = /^(a+)+$/;
+     
+     // SECURE: Optimized regex pattern
+     const regex = /^a+$/;
+     ```
+
+10. **Vendor Management:**
+    - Evaluate the security posture of third-party libraries before use
+    - Prefer libraries with active maintenance and security focus
+    - Example evaluation criteria:
+      - When was the last commit?
+      - How quickly are security issues addressed?
+      - Does the project have a security policy?
+      - Is there a responsible disclosure process?
+      - How many open issues and pull requests exist?
+      - What is the download count and GitHub stars?
+
+11. **Runtime Dependency Checking:**
+    - Implement runtime checks for critical dependencies
+    - Example:
+      ```javascript
+      // Check package version at runtime for critical dependencies
+      try {
+        const packageJson = require('some-critical-package/package.json');
+        const semver = require('semver');
         
-      # Pattern 15: Outdated Polyfills
-      - pattern: "(?:core-js|@babel/polyfill|es6-promise|whatwg-fetch)"
-        message: "Using potentially outdated polyfills. Consider using modern alternatives or feature detection."
+        if (semver.lt(packageJson.version, '2.0.0')) {
+          console.warn('Warning: Using a potentially vulnerable version of some-critical-package');
+        }
+      } catch (err) {
+        console.error('Error checking package version:', err);
+      }
+      ```
 
-  - type: suggest
-    message: |
-      **JavaScript Vulnerable and Outdated Components Best Practices:**
-      
-      1. **Dependency Management:**
-         - Regularly update dependencies to their latest secure versions
-         - Use tools like npm audit, Snyk, or Dependabot to detect vulnerabilities
-         - Example:
-           ```javascript
-           // Add these scripts to package.json
-           {
-             "scripts": {
-               "audit": "npm audit",
-               "audit:fix": "npm audit fix",
-               "outdated": "npm outdated",
-               "update": "npm update",
-               "prestart": "npm audit --production"
-             }
-           }
-           ```
-      
-      2. **Lock Files:**
-         - Always use lock files (package-lock.json, yarn.lock, or pnpm-lock.yaml)
-         - Commit lock files to version control
-         - Example:
-           ```bash
-           # Generate a lock file if it doesn't exist
-           npm install
-           
-           # Or for Yarn
-           yarn
-           
-           # Or for pnpm
-           pnpm install
-           ```
-      
-      3. **Subresource Integrity:**
-         - Use integrity hashes when loading resources from CDNs
-         - Example:
-           ```html
-           <script 
-             src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js" 
-             integrity="sha384-tMH8h3BGESGckSAVGZ82T9n90ztNepwCjSPJ0A7g2vdY8M0oKtDaDGg0G53cysJA" 
-             crossorigin="anonymous">
-           </script>
-           ```
-      
-      4. **Automated Security Scanning:**
-         - Integrate security scanning into your CI/CD pipeline
-         - Example GitHub Actions workflow:
-           ```yaml
-           name: Security Scan
-           
-           on:
-             push:
-               branches: [ main ]
-             pull_request:
-               branches: [ main ]
-             schedule:
-               - cron: '0 0 * * 0'  # Run weekly
-           
-           jobs:
-             security:
-               runs-on: ubuntu-latest
-               steps:
-                 - uses: actions/checkout@v3
-                 - name: Setup Node.js
-                   uses: actions/setup-node@v3
-                   with:
-                     node-version: '18'
-                     cache: 'npm'
-                 - name: Install dependencies
-                   run: npm ci
-                 - name: Run security audit
-                   run: npm audit --audit-level=high
-                 - name: Run Snyk to check for vulnerabilities
-                   uses: snyk/actions/node@master
-                   env:
-                     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-           ```
-      
-      5. **Dependency Pinning:**
-         - Pin dependencies to specific versions to prevent unexpected updates
-         - Example:
-           ```json
-           {
-             "dependencies": {
-               "express": "4.18.2",
-               "react": "18.2.0",
-               "lodash": "4.17.21"
-             }
-           }
-           ```
-      
-      6. **Deprecated API Replacement:**
-         - Replace deprecated Node.js APIs with modern alternatives
-         - Example:
-           ```javascript
-           // INSECURE: Using deprecated Buffer constructor
-           const buffer = new Buffer(data);
-           
-           // SECURE: Using Buffer.from()
-           const buffer = Buffer.from(data);
-           
-           // INSECURE: Using deprecated crypto methods
-           const crypto = require('crypto');
-           const cipher = crypto.createCipher('aes-256-cbc', key);
-           
-           // SECURE: Using modern crypto methods
-           const crypto = require('crypto');
-           const iv = crypto.randomBytes(16);
-           const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
-           ```
-      
-      7. **Browser API Modernization:**
-         - Replace deprecated browser APIs with modern alternatives
-         - Example:
-           ```javascript
-           // INSECURE: Using document.write
-           document.write('<h1>Hello World</h1>');
-           
-           // SECURE: Using DOM manipulation
-           document.getElementById('content').innerHTML = '<h1>Hello World</h1>';
-           
-           // INSECURE: Using escape/unescape
-           const encoded = escape(data);
-           
-           // SECURE: Using encodeURIComponent
-           const encoded = encodeURIComponent(data);
-           ```
-      
-      8. **Safe Dynamic Imports:**
-         - Avoid dynamic imports with variable concatenation
-         - Example:
-           ```javascript
-           // INSECURE: Dynamic import with concatenation
-           const moduleName = userInput;
-           import('./' + moduleName + '.js');
-           
-           // SECURE: Validate input against a whitelist
-           const validModules = ['module1', 'module2', 'module3'];
-           if (validModules.includes(moduleName)) {
-             import(`./${moduleName}.js`);
-           }
-           ```
-      
-      9. **Regular Expression Safety:**
-         - Avoid vulnerable regex patterns that could lead to ReDoS attacks
-         - Example:
-           ```javascript
-           // INSECURE: Vulnerable regex pattern
-           const regex = /^(a+)+$/;
-           
-           // SECURE: Optimized regex pattern
-           const regex = /^a+$/;
-           ```
-      
-      10. **Vendor Management:**
-          - Evaluate the security posture of third-party libraries before use
-          - Prefer libraries with active maintenance and security focus
-          - Example evaluation criteria:
-            - When was the last commit?
-            - How quickly are security issues addressed?
-            - Does the project have a security policy?
-            - Is there a responsible disclosure process?
-            - How many open issues and pull requests exist?
-            - What is the download count and GitHub stars?
-      
-      11. **Runtime Dependency Checking:**
-          - Implement runtime checks for critical dependencies
-          - Example:
-            ```javascript
-            // Check package version at runtime for critical dependencies
-            try {
-              const packageJson = require('some-critical-package/package.json');
-              const semver = require('semver');
-              
-              if (semver.lt(packageJson.version, '2.0.0')) {
-                console.warn('Warning: Using a potentially vulnerable version of some-critical-package');
-              }
-            } catch (err) {
-              console.error('Error checking package version:', err);
-            }
-            ```
-      
-      12. **Minimal Dependencies:**
-          - Minimize the number of dependencies to reduce attack surface
-          - Regularly audit and remove unused dependencies
-          - Example:
-            ```bash
-            # Find unused dependencies
-            npx depcheck
-            
-            # Analyze your bundle size
-            npx webpack-bundle-analyzer
-            ```
+12. **Minimal Dependencies:**
+    - Minimize the number of dependencies to reduce attack surface
+    - Regularly audit and remove unused dependencies
+    - Example:
+      ```bash
+      # Find unused dependencies
+      npx depcheck
+      
+      # Analyze your bundle size
+      npx webpack-bundle-analyzer
+      ```
 
-  - type: validate
-    conditions:
-      # Check 1: Using npm audit
-      - pattern: "\"scripts\"\\s*:\\s*\\{[^}]*?\"audit\"\\s*:\\s*\"npm audit"
-        message: "Using npm audit to check for vulnerabilities."
-      
-      # Check 2: Using lock files
-      - pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
-        message: "Using lock files to ensure dependency consistency."
-      
-      # Check 3: Using integrity hashes
-      - pattern: "integrity=['\"]sha\\d+-[A-Za-z0-9+/=]+['\"]"
-        message: "Using subresource integrity hashes for external resources."
-      
-      # Check 4: Using modern Buffer API
-      - pattern: "Buffer\\.(?:from|alloc|allocUnsafe)"
-        message: "Using modern Buffer API instead of deprecated constructor."
-      
-      # Check 5: Using dependency scanning in CI
-      - pattern: "npm\\s+audit|snyk\\s+test|yarn\\s+audit"
-        location: "(?:\\.github/workflows|\\.gitlab-ci\\.yml|Jenkinsfile|azure-pipelines\\.yml)"
-        message: "Integrating dependency scanning in CI/CD pipeline."
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - javascript
-    - nodejs
-    - browser
-    - dependencies
-    - owasp
-    - language:javascript
-    - framework:express
-    - framework:react
-    - framework:vue
-    - framework:angular
-    - category:security
-    - subcategory:dependencies
-    - standard:owasp-top10
-    - risk:a06-vulnerable-outdated-components
-  references:
-    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html"
-    - "https://docs.npmjs.com/cli/v8/commands/npm-audit"
-    - "https://snyk.io/learn/npm-security/"
-    - "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
-    - "https://github.com/OWASP/NodeGoat"
-    - "https://owasp.org/www-project-dependency-check/"
-</rule> 
+- Using npm audit to check for vulnerabilities.
+- Using lock files to ensure dependency consistency.
+- Using subresource integrity hashes for external resources.
+- Using modern Buffer API instead of deprecated constructor.
+- Integrating dependency scanning in CI/CD pipeline.
diff --git a/.cursor/rules/lagoon-docker-compose-standards.mdc b/.cursor/rules/lagoon-docker-compose-standards.mdc
index dfb5a29..0bbf6b5 100644
--- a/.cursor/rules/lagoon-docker-compose-standards.mdc
+++ b/.cursor/rules/lagoon-docker-compose-standards.mdc
@@ -6,87 +6,67 @@ globs: docker-compose.yml, docker-compose.*.yml
 
 Ensures proper Docker Compose configuration for Lagoon deployments, following best practices and Lagoon-specific requirements.
 
-<rule>
-name: lagoon_docker_compose_standards
-description: Enforce standards for Lagoon Docker Compose files
-filters:
-  - type: file_name
-    pattern: "^docker-compose(\\.\\w+)?\\.yml$"
+> Priority: high · Version: 1.1
 
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "services:\\s+\\w+:\\s+(?!.*labels:[\\s\\S]*lagoon)"
-        message: "Add Lagoon labels to service definitions for proper Lagoon integration"
+## Applies To
+- `docker-compose.yml`
+- `docker-compose.*.yml`
 
-      - pattern: "version:\\s*['\"]*2"
-        message: "Use Docker Compose format version 3 or higher for compatibility with modern Docker features"
+## Trigger Conditions
+- Filter `file_name` matching `^docker-compose(\.\w+)?\.yml$`
 
-      - pattern: "volumes:\\s+[^:]+:\\s+(?!.*delegated)"
-        message: "Use 'delegated' mount consistency for better performance on macOS development environments"
-        
-      - pattern: "services:\\s+\\w+:\\s+(?!.*restart:)"
-        message: "Define restart policy for services to ensure proper behavior during deployment"
+## Required Checks
 
-  - type: suggest
-    message: |
-      ## Lagoon Docker Compose Best Practices:
-      
-      ### Service Configuration
-      - Define service types via labels (e.g., `lagoon.type: nginx`)
-      - Use proper image naming conventions (e.g., `amazeeio/nginx-drupal:latest`)
-      - Set appropriate environment variables using Lagoon variables
-      - Define health checks for critical services
-      - Configure proper networking with Lagoon defaults
-      - Set resource constraints appropriate for each environment
-      
-      ### Volume Configuration
-      - Use named volumes for persistent data
-      - Configure appropriate volume mounts with correct permissions
-      - Use 'delegated' mount consistency for macOS performance
-      - Avoid mounting the entire codebase when possible
-      
-      ### Build Configuration
-      - Use build arguments appropriately
-      - Define proper Dockerfile paths
-      - Use multi-stage builds for smaller images
-      
-      ### Example Service Configuration:
-      ```yaml
-      services:
-        nginx:
-          build:
-            context: .
-            dockerfile: nginx.dockerfile
-          labels:
-            lagoon.type: nginx
-            lagoon.persistent: /app/web/sites/default/files/
-          volumes:
-            - app:/app:delegated
-          depends_on:
-            - php
-          environment:
-            LAGOON_ROUTE: ${LAGOON_ROUTE:-http://project.docker.amazee.io}
-      ```
+- Add Lagoon labels to service definitions for proper Lagoon integration
+- Use Docker Compose format version 3 or higher for compatibility with modern Docker features
+- Use 'delegated' mount consistency for better performance on macOS development environments
+- Define restart policy for services to ensure proper behavior during deployment
 
-  - type: validate
-    conditions:
-      - pattern: "services:\\s+cli:\\s+(?!.*build:)"
-        message: "CLI service should have proper build configuration for Lagoon compatibility"
+## Recommendations
 
-      - pattern: "services:\\s+\\w+:\\s+(?!.*depends_on:)"
-        message: "Define service dependencies for proper startup order and container relationships"
+## Lagoon Docker Compose Best Practices:
 
-      - pattern: "networks:\\s+(?!.*default:)"
-        message: "Configure proper network settings for Lagoon compatibility and service communication"
-        
-      - pattern: "services:\\s+mariadb:\\s+(?!.*image:\\s+amazeeio\\/mariadb)"
-        message: "Use Lagoon-provided MariaDB image for compatibility with Lagoon environment"
-        
-      - pattern: "services:\\s+\\w+:\\s+environment:\\s+(?!.*\\$\\{LAGOON)"
-        message: "Use Lagoon environment variables with fallbacks for local development"
+### Service Configuration
+- Define service types via labels (e.g., `lagoon.type: nginx`)
+- Use proper image naming conventions (e.g., `amazeeio/nginx-drupal:latest`)
+- Set appropriate environment variables using Lagoon variables
+- Define health checks for critical services
+- Configure proper networking with Lagoon defaults
+- Set resource constraints appropriate for each environment
 
-metadata:
-  priority: high
-  version: 1.1
-</rule> 
\ No newline at end of file
+### Volume Configuration
+- Use named volumes for persistent data
+- Configure appropriate volume mounts with correct permissions
+- Use 'delegated' mount consistency for macOS performance
+- Avoid mounting the entire codebase when possible
+
+### Build Configuration
+- Use build arguments appropriately
+- Define proper Dockerfile paths
+- Use multi-stage builds for smaller images
+
+### Example Service Configuration:
+```yaml
+services:
+  nginx:
+    build:
+      context: .
+      dockerfile: nginx.dockerfile
+    labels:
+      lagoon.type: nginx
+      lagoon.persistent: /app/web/sites/default/files/
+    volumes:
+      - app:/app:delegated
+    depends_on:
+      - php
+    environment:
+      LAGOON_ROUTE: ${LAGOON_ROUTE:-http://project.docker.amazee.io}
+```
+
+## Validation
+
+- CLI service should have proper build configuration for Lagoon compatibility
+- Define service dependencies for proper startup order and container relationships
+- Configure proper network settings for Lagoon compatibility and service communication
+- Use Lagoon-provided MariaDB image for compatibility with Lagoon environment
+- Use Lagoon environment variables with fallbacks for local development
diff --git a/.cursor/rules/lagoon-yml-standards.mdc b/.cursor/rules/lagoon-yml-standards.mdc
index 0daa2ac..2a50f36 100644
--- a/.cursor/rules/lagoon-yml-standards.mdc
+++ b/.cursor/rules/lagoon-yml-standards.mdc
@@ -6,116 +6,93 @@ globs: .lagoon.yml, .lagoon.*.yml
 
 Ensures proper configuration and best practices for Lagoon deployment files, focusing on environment configuration, routes, tasks, and deployment workflows.
 
-<rule>
-name: lagoon_yml_standards
-description: Enforce standards for Lagoon configuration files
-filters:
-  - type: file_extension
-    pattern: "\\.(yml|yaml)$"
-  - type: file_name
-    pattern: "^\\.lagoon(\\.\\w+)?\\.yml$"
+> Priority: critical · Version: 1.1
 
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "environments:\\s*[\\w-]+:\\s*routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*tls-acme:\\s*true"
-        message: "Ensure tls-acme is set to 'false' until DNS points to Lagoon to prevent certificate issuance failures"
+## Applies To
+- `.lagoon.yml`
+- `.lagoon.*.yml`
 
-      - pattern: "post-rollout:\\s*-\\s*run:\\s*command:\\s*drush(?!.*\\|\\|)"
-        message: "Wrap Drush commands in proper error handling using '|| exit 1' to ensure deployment fails on command errors"
+## Trigger Conditions
+- Files matching pattern `\.(yml|yaml)$`
+- Filter `file_name` matching `^\.lagoon(\.\w+)?\.yml$`
 
-      - pattern: "pre-rollout:\\s*-\\s*run:\\s*command:\\s*(?!.*if)"
-        message: "Add conditional checks for pre-rollout tasks to ensure they only run when necessary"
+## Required Checks
 
-      - pattern: "cronjobs:\\s*-\\s*name:[^\\n]*\\n\\s*schedule:\\s*'\\*\\s*\\*'"
-        message: "Use 'M' or 'H' notation for randomized cron scheduling to prevent server load spikes"
-        
-      - pattern: "routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*(?!.*redirects:)"
-        message: "Consider configuring redirects for routes to handle legacy URLs or domain migrations"
+- Ensure tls-acme is set to 'false' until DNS points to Lagoon to prevent certificate issuance failures
+- Wrap Drush commands in proper error handling using '|| exit 1' to ensure deployment fails on command errors
+- Add conditional checks for pre-rollout tasks to ensure they only run when necessary
+- Use 'M' or 'H' notation for randomized cron scheduling to prevent server load spikes
+- Consider configuring redirects for routes to handle legacy URLs or domain migrations
 
-  - type: suggest
-    message: |
-      ## Lagoon Configuration Best Practices:
-      
-      ### Environment Configuration
-      - Use environment-specific configurations for different deployment targets
-      - Define environment types for proper resource allocation
-      - Configure environment variables specific to each environment
-      - Use environment-specific routes and domains
-      
-      ### Routes Configuration
-      - Configure routes with appropriate SSL settings
-      - Set up redirects for legacy URLs
-      - Configure proper insecure traffic handling (Allow or Redirect)
-      - Use wildcard domains for feature branch environments
-      
-      ### Tasks Configuration
-      - Implement proper pre-rollout tasks with error handling
-      - Configure post-rollout tasks with appropriate conditions
-      - Use conditional task execution based on environment
-      - Include database sync in PR environments
-      - Implement proper backup strategies before major changes
-      
-      ### Cron Configuration
-      - Use randomized cron schedules with 'M' and 'H' notation
-      - Set appropriate frequency for different tasks
-      - Ensure cron jobs have proper error handling
-      - Use descriptive names for cron jobs
-      
-      ### Example Configuration:
-      ```yaml
-      environments:
-        main:
-          cronjobs:
-            - name: drush-cron
-              schedule: '*/15 * * * *'
-              command: drush cron
-              service: cli
-          routes:
-            - nginx:
-              - example.com:
-                  tls-acme: true
-                  insecure: Redirect
-                  redirects:
-                    - www.example.com
-          tasks:
-            pre-rollout:
-              - run:
-                  name: Drush pre-update
-                  command: |
-                    if drush status --fields=bootstrap | grep -q "Successful"; then
-                      drush state:set system.maintenance_mode 1 -y
-                      drush cr
-                    fi
-                  service: cli
-            post-rollout:
-              - run:
-                  name: Drush post-update
-                  command: |
-                    drush updb -y || exit 1
-                    drush cr
-                    drush state:set system.maintenance_mode 0 -y
-                  service: cli
-      ```
+## Recommendations
 
-  - type: validate
-    conditions:
-      - pattern: "environments:\\s*[\\w-]+:\\s*types:\\s*[^\\n]*"
-        message: "Define environment types for proper resource allocation and environment-specific configuration"
+## Lagoon Configuration Best Practices:
 
-      - pattern: "tasks:\\s*(pre|post)-rollout:"
-        message: "Include both pre and post rollout tasks for robust deployments and proper application state management"
+### Environment Configuration
+- Use environment-specific configurations for different deployment targets
+- Define environment types for proper resource allocation
+- Configure environment variables specific to each environment
+- Use environment-specific routes and domains
 
-      - pattern: "routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*insecure:\\s*(Allow|Redirect)"
-        message: "Configure proper insecure traffic handling to ensure secure access to your application"
-        
-      - pattern: "(?!.*backup-strategy:)"
-        message: "Consider implementing a backup strategy for critical environments to prevent data loss"
-        
-      - pattern: "cronjobs:\\s*-\\s*name:[^\\n]*\\n\\s*schedule:[^\\n]*\\n\\s*(?!.*service:)"
-        message: "Specify the service for cron jobs to ensure they run in the correct container"
+### Routes Configuration
+- Configure routes with appropriate SSL settings
+- Set up redirects for legacy URLs
+- Configure proper insecure traffic handling (Allow or Redirect)
+- Use wildcard domains for feature branch environments
 
-metadata:
-  priority: critical
-  version: 1.1
-</rule> 
\ No newline at end of file
+### Tasks Configuration
+- Implement proper pre-rollout tasks with error handling
+- Configure post-rollout tasks with appropriate conditions
+- Use conditional task execution based on environment
+- Include database sync in PR environments
+- Implement proper backup strategies before major changes
+
+### Cron Configuration
+- Use randomized cron schedules with 'M' and 'H' notation
+- Set appropriate frequency for different tasks
+- Ensure cron jobs have proper error handling
+- Use descriptive names for cron jobs
+
+### Example Configuration:
+```yaml
+environments:
+  main:
+    cronjobs:
+      - name: drush-cron
+        schedule: '*/15 * * * *'
+        command: drush cron
+        service: cli
+    routes:
+      - nginx:
+        - example.com:
+            tls-acme: true
+            insecure: Redirect
+            redirects:
+              - www.example.com
+    tasks:
+      pre-rollout:
+        - run:
+            name: Drush pre-update
+            command: |
+              if drush status --fields=bootstrap | grep -q "Successful"; then
+                drush state:set system.maintenance_mode 1 -y
+                drush cr
+              fi
+            service: cli
+      post-rollout:
+        - run:
+            name: Drush post-update
+            command: |
+              drush updb -y || exit 1
+              drush cr
+              drush state:set system.maintenance_mode 0 -y
+            service: cli
+```
+
+## Validation
+
+- Define environment types for proper resource allocation and environment-specific configuration
+- Include both pre and post rollout tasks for robust deployments and proper application state management
+- Configure proper insecure traffic handling to ensure secure access to your application
+- Consider implementing a backup strategy for critical environments to prevent data loss
+- Specify the service for cron jobs to ensure they run in the correct container
diff --git a/.cursor/rules/multi-agent-coordination.mdc b/.cursor/rules/multi-agent-coordination.mdc
index 7ba3a9f..13562ea 100644
--- a/.cursor/rules/multi-agent-coordination.mdc
+++ b/.cursor/rules/multi-agent-coordination.mdc
@@ -6,40 +6,35 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx
 
 Ensures consistent coordination between different AI agents and roles.
 
-<rule>
-name: multi_agent_coordination
-description: Enforce standards for multi-agent coordination and workflow
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|ts|vue|jsx|tsx)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "// TODO:|#\\s*TODO:"
-        message: "Convert TODO comments into structured task breakdowns for multi-agent coordination"
-
-      - pattern: "function\\s+[a-zA-Z]+Agent\\s*\\([^)]*\\)"
-        message: "Implement proper agent role separation and communication"
-
-      - pattern: "// FIXME:|#\\s*FIXME:"
-        message: "Convert FIXME into specific tasks with acceptance criteria"
-
-  - type: suggest
-    message: |
-      Multi-Agent Coordination Best Practices:
-      - Separate Planner and Executor roles
-      - Document task breakdowns and success criteria
-      - Track progress in structured format
-      - Use proper inter-agent communication
-      - Maintain clear role boundaries
-      - Focus on immediate, actionable solutions
-      - Provide context for complex tasks
-      - Use natural language for requirements
-      - Break down complex workflows
-      - Document dependencies between tasks
-
-metadata:
-  priority: high
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.ts`
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|ts|vue|jsx|tsx)$`
+
+## Required Checks
+
+- Convert TODO comments into structured task breakdowns for multi-agent coordination
+- Implement proper agent role separation and communication
+- Convert FIXME into specific tasks with acceptance criteria
+
+## Recommendations
+
+Multi-Agent Coordination Best Practices:
+- Separate Planner and Executor roles
+- Document task breakdowns and success criteria
+- Track progress in structured format
+- Use proper inter-agent communication
+- Maintain clear role boundaries
+- Focus on immediate, actionable solutions
+- Provide context for complex tasks
+- Use natural language for requirements
+- Break down complex workflows
+- Document dependencies between tasks
diff --git a/.cursor/rules/node-dependencies.mdc b/.cursor/rules/node-dependencies.mdc
index 07c2e63..b4e2904 100644
--- a/.cursor/rules/node-dependencies.mdc
+++ b/.cursor/rules/node-dependencies.mdc
@@ -6,30 +6,23 @@ globs: package.json, .nvmrc
 
 Ensures correct Node.js versions and package management.
 
-<rule>
-name: node_dependency_management
-description: Enforce Node.js versioning and package management best practices.
-filters:
-  - type: file_extension
-    pattern: "package.json|\\.nvmrc"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: '"engines":\\s*{[^}]*}'
-        message: "Ensure package.json specifies required Node.js version."
-
-      - pattern: "(?<!\\.)nvmrc"
-        message: "Ensure an .nvmrc file exists in the root directory."
-
-  - type: suggest
-    message: |
-      Best practices:
-      - Include an .nvmrc file specifying Node.js version.
-      - Use latest stable Node.js version for Drupal projects.
-      - Use Composer for dependency management.
-
-metadata:
-  priority: medium
-  version: 1.0
-</rule>
+> Priority: medium · Version: 1.0
+
+## Applies To
+- `package.json`
+- `.nvmrc`
+
+## Trigger Conditions
+- Files matching pattern `package.json|\.nvmrc`
+
+## Required Checks
+
+- Ensure package.json specifies required Node.js version.
+- Ensure an .nvmrc file exists in the root directory.
+
+## Recommendations
+
+Best practices:
+- Include an .nvmrc file specifying Node.js version.
+- Use latest stable Node.js version for Drupal projects.
+- Use Composer for dependency management.
diff --git a/.cursor/rules/php-drupal-best-practices.mdc b/.cursor/rules/php-drupal-best-practices.mdc
index 0627e1b..0ee67b0 100644
--- a/.cursor/rules/php-drupal-best-practices.mdc
+++ b/.cursor/rules/php-drupal-best-practices.mdc
@@ -6,496 +6,369 @@ globs: *.php, *.module, *.theme, *.inc, *.info, *.install
 
 Defines comprehensive coding standards and best practices for PHP and Drupal development, with a focus on modern PHP features, Drupal 10+ standards, and modularity.
 
-<rule>
-name: enhanced_php_drupal_best_practices
-description: Enforce PHP 8.3+ features, Drupal 10+ coding standards, and modularity
-filters:
-  - type: file_extension
-    pattern: "\\.(php|module|inc|install|theme)$"
-  - type: file_path
-    pattern: "web/modules/custom/|web/themes/custom/"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "^(?!declare\\(strict_types=1\\);)"
-        message: "Add 'declare(strict_types=1);' at the beginning of PHP files for type safety."
-
-      - pattern: "(?<!\\bTRUE\\b)\\btrue\\b|(?<!\\bFALSE\\b)\\bfalse\\b|(?<!\\bNULL\\b)\\bnull\\b"
-        message: "Use uppercase for TRUE, FALSE, and NULL constants."
-
-      - pattern: "(?i)\\/\\/\\s[a-z]"
-        message: "Ensure inline comments begin with a capital letter and end with a period."
-
-      - pattern: "class\\s+\\w+\\s*(?!\\{[^}]*readonly\\s+\\$)"
-        message: "Consider using readonly properties where immutability is required."
-
-      - pattern: "public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!:)"
-        message: "Add return type declarations for all methods to ensure type safety."
-
-      - pattern: "extends\\s+\\w+\\s*\\{[^}]*public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!#\\[Override\\])"
-        message: "Add #[Override] attribute for overridden methods for clarity."
-
-      - pattern: "\\$\\w+\\s*(?!:)"
-        message: "Use typed properties with proper nullability for better code maintainability."
-
-      - pattern: "function\\s+hook_\\w+\\([^)]*\\)\\s*(?!:)"
-        message: "Add type hints and return types for all hooks to leverage PHP's type system."
-
-      - pattern: "new\\s+\\w+\\([^)]*\\)\\s*(?!;\\s*//\\s*@inject)"
-        message: "Use proper dependency injection with services for better testability and modularity."
-
-      - pattern: "extends\\s+FormBase\\s*\\{[^}]*validate"
-        message: "Implement proper form validation in FormBase classes for security."
-
-      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{[^}]*\\$this->t\\("
-        message: "Use Drupal's t() function for strings that need translation."
-
-      - pattern: "\\$this->config\\('\\w+'\\)"
-        message: "Use ConfigFactory for configuration management."
-      
-      - pattern: "array\\s*\\("
-        message: "Use short array syntax ([]) instead of array() for consistent code style."
-      
-      - pattern: "(?<!\\()\\s+\\(int\\)\\s*\\$"
-        message: "Put a space between the (type) and the $variable in a cast: (int) $mynumber."
-      
-      - pattern: "\\n[\\t ]+\\n"
-        message: "Remove whitespace from empty lines."
-      
-      - pattern: "\\s+$"
-        message: "Remove trailing whitespace at the end of lines."
-      
-      - pattern: "^(?!.*\\n$)"
-        message: "Ensure files end with a single newline character."
-      
-      - pattern: "if\\s*\\([^)]*\\)\\s*\\{[^{]*\\}\\s*else\\s*\\{"
-        message: "Place the opening brace on the same line as the statement for control structures."
-      
-      - pattern: "\\$_GET|\\$_POST|\\$_REQUEST"
-        message: "Never use superglobals directly; use Drupal's input methods."
-      
-      - pattern: "mysql_|mysqli_"
-        message: "Use Drupal's database API instead of direct MySQL functions."
-      
-      - pattern: "\\t+"
-        message: "Use 2 spaces for indentation, not tabs."
-      
-      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{[^}]*\\becho\\b"
-        message: "Don't use echo; use return values or Drupal's messenger service."
-      
-      - pattern: "(?<!\\/\\*\\*)\\s*\\*\\s+@"
-        message: "Use proper DocBlock formatting for documentation."
-      
-      - pattern: "\\bdie\\b|\\bexit\\b"
-        message: "Don't use die() or exit(); throw exceptions instead."
-      
-      - pattern: "\\$entity->get\\([^)]+\\)->getValue\\(\\)"
-        message: "Use $entity->get('field_name')->value instead of getValue() when possible."
-      
-      - pattern: "\\bvar_dump\\b|\\bprint_r\\b|\\bdump\\b"
-        message: "Don't use debug functions in production code; use Drupal's logger instead."
-      
-      - pattern: "\\bnew\\s+DateTime\\b"
-        message: "Use Drupal's DateTimeInterface and DrupalDateTime instead of PHP's DateTime."
-      
-      - pattern: "\\beval\\b"
-        message: "Never use eval() as it poses security risks."
-      
-      - pattern: "function\\s+\\w+_menu_callback\\("
-        message: "Use controller classes with route definitions instead of hook_menu() callbacks."
-      
-      - pattern: "\\/\\*\\*(?:[^*]|\\*[^/])*?@file(?:[^*]|\\*[^/])*?\\*\\/"
-        message: "All PHP files must include proper @file documentation in the docblock."
-      
-      - pattern: "function\\s+\\w+\\s*\\((?:[^)]|\\([^)]*\\))*\\)\\s*\\{(?:[^}]|\\{[^}]*\\})*\\$_SESSION"
-        message: "Use Drupal's user session handling instead of $_SESSION."
-      
-      - pattern: "function\\s+theme_\\w+\\("
-        message: "Theme functions should be replaced with Twig templates in Drupal 8+."
-      
-      - pattern: "drupal_add_js|drupal_add_css"
-        message: "Use #attached in render arrays instead of drupal_add_js() or drupal_add_css()."
-      
-      - pattern: "function\\s+\\w+_implements_hook_\\w+\\("
-        message: "Use proper hook implementation format: module_name_hook_name()."
-        
-      - pattern: "use\\s+[^;]+,\\s*[^;]+"
-        message: "Specify a single class per use statement. Do not specify multiple classes in a single use statement."
-        
-      - pattern: "use\\s+\\\\[A-Za-z]"
-        message: "When importing a class with 'use', do not include a leading backslash (\\)."
-        
-      - pattern: "\\bnew\\s+\\\\DateTime\\(\\)"
-        message: "Non-namespaced global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file."
-        
-      - pattern: "(?<!namespace )Drupal\\\\(?!\\w+\\\\)"
-        message: "Modules should place classes inside a custom namespace: Drupal\\module_name\\..."
-        
-      - pattern: "class\\s+\\w+\\s*(?:extends|implements)(?:[^{]+)\\{\\s*[^\\s]"
-        message: "Leave an empty line between start of class/interface definition and property/method definition."
-        
-      - pattern: "Drupal\\\\(?!Core|Component)[A-Z]"
-        message: "Module namespaces should be Drupal\\module_name, not Drupal\\ModuleName (camelCase not PascalCase)."
-        
-      - pattern: "\\\\Drupal::request\\(\\)->attributes->set\\('([^_][^']*)',"
-        message: "Request attributes added by modules should be prefixed with underscore (e.g., '_context_value')."
-        
-      - pattern: "\\\\Drupal::request\\(\\)->attributes->get\\('(_(system_path|title|route|route_object|controller|content|account))'\\)"
-        message: "Avoid overwriting reserved Symfony or Drupal core request attributes."
-        
-      - pattern: "(?<!service provider)\\s+class\\s+\\w+Provider(?!Interface)"
-        message: "Classes that provide services should use the 'Provider' suffix (e.g., MyServiceProvider)."
-        
-      - pattern: "\\.services\\.yml[^}]*\\s+class:\\s+[^\\n]+\\s+arguments:"
-        message: "Services should use dependency injection through constructor arguments defined in services.yml."
-
-  - type: suggest
-    message: |
-      **PHP/Drupal Development Best Practices:**
-      
-      ### General Code Structure
-      - **File Structure:** Each PHP file should have the proper structures: <?php tag, namespace declaration (if applicable), use statements, docblock, and implementation.
-      - **Line Length:** Keep lines under 80 characters whenever possible.
-      - **Indentation:** Use 2 spaces for indentation, never tabs.
-      - **Empty Lines:** Use empty lines to separate logical blocks of code, but avoid multiple empty lines.
-      - **File Endings:** All files must end with a single newline character.
-      
-      ### PHP Language Features
-      - **PHP Version:** Use PHP 8.3+ features where appropriate.
-      - **Strict Types:** Use declare(strict_types=1) at the top of files to enforce type safety.
-      - **Type Hints:** Always use parameter and return type hints.
-      - **Named Arguments:** Use named arguments for clarity in complex function calls.
-      - **Attributes:** Use PHP 8 attributes like #[Override] for better code comprehension.
-      - **Match Expressions:** Prefer match over switch for cleaner conditionals.
-      - **Null Coalescing:** Use ?? and ??= operators where appropriate.
-      
-      ### Drupal-Specific Standards
-      - **Fields API:** Use hasField(), get(), and value() methods when working with entity fields.
-      - **Exception Handling:** Use try/catch for exception handling with proper logging.
-      - **Database Layer:** Use Drupal's database abstraction layer for all queries.
-      - **Schema Updates:** Implement hook_update_N() for schema changes during updates.
-      - **Dependency Injection:** Use services.yml and proper container injection.
-      - **Routing:** Define routes in routing.yml with proper access checks.
-      - **Forms:** Extend FormBase or ConfigFormBase with proper validation and submission handling.
-      - **Entity API:** Follow entity API best practices for loading, creating, and editing entities.
-      - **Plugins:** Use plugin system appropriately with proper annotations.
-      
-      ### Service & Request Standards
-      - **Service Naming:** Use descriptive service names and appropriate naming patterns (Provider suffix for service providers).
-      - **Service Definition:** Define services in the module's *.services.yml file with appropriate tags and arguments.
-      - **Request Attributes:** When adding attributes to the Request object, prefix custom attributes with underscore (e.g., `_context_value`).
-      - **Reserved Attributes:** Avoid overwriting core-reserved request attributes like `_system_path`, `_title`, `_account`, `_route`, `_route_object`, `_controller`, `_content`.
-      - **Service Container:** Use dependency injection rather than the service container directly.
-      - **Factory Services:** Use factory methods for complex service instantiation.
-      
-      ### Namespace Standards
-      - **Module Namespace:** Use Drupal\\module_name\\... for all custom module code.
-      - **PSR-4 Autoloading:** Class in folder module/src/SubFolder should use namespace Drupal\\module_name\\SubFolder.
-      - **Use Statements:** Each class should have its own use statement; don't combine multiple classes in one use.
-      - **No Leading Backslash:** Don't add a leading backslash (\\) in use statements.
-      - **Global Classes:** Global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file.
-      - **Class Aliasing:** Only alias classes to avoid name collisions, using meaningful names like BarBaz and ThingBaz.
-      - **String Class Names:** When specifying a class name in a string, use full name including namespace without leading backslash. Prefer single quotes.
-      - **Class Placement:** A class named Drupal\\module_name\\Foo should be in file module_name/src/Foo.php.
-      
-      ### Security Practices
-      - **Input Validation:** Always validate and sanitize user input.
-      - **Access Checks:** Implement proper access checks for all routes and content.
-      - **CSRF Protection:** Use Form API with proper form tokens for all forms.
-      - **SQL Injection:** Use parameterized queries with placeholders.
-      - **XSS Prevention:** Use Xss::filter() or t() with appropriate placeholders.
-      - **File Security:** Validate uploaded files and restrict access properly.
-      
-      ### Documentation and Comments
-      - **PHPDoc Blocks:** Document all classes, methods, and properties with proper PHPDoc.
-      - **Function Comments:** Describe parameters, return values, and exceptions.
-      - **Inline Comments:** Use meaningful comments for complex logic.
-      - **Comment Format:** Begin comments with a capital letter and end with a period.
-      - **API Documentation:** Follow Drupal's API documentation standards.
-      
-      ### Performance
-      - **Caching:** Implement proper cache tags, contexts, and max-age.
-      - **Database Queries:** Optimize queries with proper indices and JOINs.
-      - **Lazy Loading:** Use lazy loading for expensive operations.
-      - **Batch Processing:** Use batch API for long-running operations.
-      - **Static Caching:** Implement static caching for repeated operations.
-      
-      ### Testing
-      - **Unit Tests:** Write PHPUnit tests for business logic.
-      - **Kernel Tests:** Use kernel tests for integration with Drupal subsystems.
-      - **Functional Tests:** Implement functional tests for user interactions.
-      - **Mocking:** Use proper mocking techniques for dependencies.
-      - **Test Coverage:** Aim for high test coverage of critical functionality.
-      
-      ### API Documentation Examples
-      
-      #### File Documentation
-      
-      **Module Files (.module)**
-      ```php
-      <?php
-      
-      /**
-       * @file
-       * Provides [module functionality description].
-       */
-      ```
-      
-      **Install Files (.install)**
-      ```php
-      <?php
-      
-      /**
-       * @file
-       * Install, update and uninstall functions for the [module name] module.
-       */
-      ```
-      
-      **Include Files (.inc)**
-      ```php
-      <?php
-      
-      /**
-       * @file
-       * [Specific functionality] for the [module name] module.
-       */
-      ```
-      
-      **Class Files (in namespaced directories)**
-      ```php
-      <?php
-      
-      namespace Drupal\module_name\ClassName;
-      
-      use Drupal\Core\SomeClass;
-      
-      /**
-       * Provides [class functionality description].
-       *
-       * [Extended description if needed]
-       */
-      class ClassName implements InterfaceName {
-      ```
-      
-      #### Function Documentation
-      
-      **Standard Function**
-      ```php
-      /**
-       * Returns [what the function returns or does].
-       *
-       * [Additional explanation if needed]
-       *
-       * @param string $param1
-       *   Description of parameter.
-       * @param int $param2
-       *   Description of parameter.
-       *
-       * @return array
-       *   Description of returned data.
-       *
-       * @throws \Exception
-       *   Exception thrown when [condition].
-       *
-       * @see related_function()
-       */
-      function module_function_name($param1, $param2) {
-      ```
-      
-      **Hook Implementation**
-      ```php
-      /**
-       * Implements hook_form_alter().
-       */
-      function module_name_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state, $form_id) {
-      ```
-      
-      **Update Hook**
-      ```php
-      /**
-       * Implements hook_update_N().
-       *
-       * [Description of what the update does].
-       */
-      function module_name_update_8001() {
-      ```
-      
-      #### Class Documentation
-      
-      **Class Properties**
-      ```php
-      /**
-       * The entity type manager.
-       *
-       * @var \Drupal\Core\Entity\EntityTypeManagerInterface
-       */
-      protected $entityTypeManager;
-      ```
-      
-      **Method Documentation**
-      ```php
-      /**
-       * Gets entities of a specific type.
-       *
-       * @param string $entity_type
-       *   The entity type ID.
-       * @param array $conditions
-       *   (optional) An array of conditions to match. Defaults to an empty array.
-       *
-       * @return \Drupal\Core\Entity\EntityInterface[]
-       *   An array of entity objects indexed by their IDs.
-       *
-       * @throws \Drupal\Component\Plugin\Exception\PluginNotFoundException
-       *   Thrown if the entity type doesn't exist.
-       * @throws \Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException
-       *   Thrown if the storage handler couldn't be loaded.
-       */
-      public function getEntities(string $entity_type, array $conditions = []): array {
-      ```
-      
-      **Interface Method**
-      ```php
-      /**
-       * Implements \SomeInterface::methodName().
-       */
-      public function methodName() {
-      ```
-      
-      #### Namespace Examples
-      
-      **Using Classes From Other Namespaces**
-      ```php
-      namespace Drupal\mymodule\Tests\Foo;
-      
-      use Drupal\simpletest\WebTestBase;
-      
-      /**
-       * Tests that the foo bars.
-       */
-      class BarTest extends WebTestBase {
-      ```
-      
-      **Class Aliasing for Name Collisions**
-      ```php
-      use Foo\Bar\Baz as BarBaz;
-      use Stuff\Thing\Baz as ThingBaz;
-      
-      /**
-       * Tests stuff for the whichever.
-       */
-      function test() {
-        $a = new BarBaz(); // This will be Foo\Bar\Baz
-        $b = new ThingBaz(); // This will be Stuff\Thing\Baz
-      }
-      ```
-      
-      **Using Global Classes in Namespaced Files**
-      ```php
-      namespace Drupal\Subsystem;
-      
-      // Bar is a class in the Drupal\Subsystem namespace in another file.
-      // It is already available without any importing.
-      
-      /**
-       * Defines a Foo.
-       */
-      class Foo {
-      
-        /**
-         * Constructs a new Foo object.
-         */
-        public function __construct(Bar $b) {
-          // Global classes must be prefixed with a \ character.
-          $d = new \DateTime();
-        }
-      }
-      ```
-      
-      #### Service Definition Example
-      
-      **services.yml File**
-      ```yaml
-      services:
-        mymodule.my_service:
-          class: Drupal\mymodule\MyService
-          arguments: ['@entity_type.manager', '@current_user']
-          tags:
-            - { name: cache.context }
-      ```
-      
-      **Request Attribute Handling**
-      ```php
-      // Correctly adding a request attribute (with underscore prefix)
-      \Drupal::request()->attributes->set('_context_value', $myvalue);
-      
-      // Correctly retrieving a request attribute
-      $contextValue = \Drupal::request()->attributes->get('_context_value');
-      ```
-
-  - type: validate
-    conditions:
-      - pattern: "web/modules/custom/[^/]+/\\.info\\.yml$"
-        message: "Ensure each custom module has a required .info.yml file."
-
-      - pattern: "web/modules/custom/[^/]+/\\.module$"
-        message: "Ensure module has .module file if hooks are implemented."
-
-      - pattern: "web/modules/custom/[^/]+/src/Form/\\w+Form\\.php$"
-        message: "Place form classes in the Form directory for organization."
-
-      - pattern: "try\\s*\\{[^}]*\\}\\s*catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
-        message: "Implement proper exception handling in catch blocks."
-      
-      - pattern: "namespace\\s+Drupal\\\\(?!\\w+\\\\)"
-        message: "Namespace should be Drupal\\ModuleName\\..."
-      
-      - pattern: "class\\s+[^\\s]+\\s+implements\\s+[^\\s]+Interface"
-        message: "Follow PSR-4 for class naming and organization."
-      
-      - pattern: "\\*\\s+@return\\s+[a-z]+\\|null"
-        message: "Use nullable return types (e.g., ?string) instead of type|null in docblocks."
-      
-      - pattern: "function\\s+__construct\\([^)]*\\)\\s*\\{[^}]*parent::"
-        message: "Call parent::__construct() if extending a class with a constructor."
-      
-      - pattern: "function\\s+[gs]et[A-Z]\\w+\\("
-        message: "Use camelCase for method names (e.g., getId instead of get_id)."
-      
-      - pattern: "\\/\\*\\*(?:(?!\\@file).)*?\\*\\/"
-        message: "Add proper @file docblock for PHP files."
-      
-      - pattern: "function\\s+hook_[a-z0-9_]+\\("
-        message: "Replace 'hook_' prefix with your module name in hook implementations."
-      
-      - pattern: "(?<!\\s\\*)\\s+@(?:param|return|throws)\\b"
-        message: "DocBlock tags should be properly aligned with leading asterisks."
-      
-      - pattern: "@param\\s+(?!(?:array|bool|callable|float|int|mixed|object|resource|string|void|null|\\\\)[\\s|])"
-        message: "Use proper data types in @param tags (array, bool, int, string, etc.)."
-      
-      - pattern: "@return\\s+(?!(?:array|bool|callable|float|int|mixed|object|resource|string|void|null|\\\\)[\\s|])"
-        message: "Use proper data types in @return tags (array, bool, int, string, etc.)."
-      
-      - pattern: "\\*\\s*@param[^\\n]*?(?:(?!\\s{3,})[^\\n])*$"
-        message: "Parameter description should be separated by at least 3 spaces from the param type/name."
-      
-      - pattern: "function\\s+theme\\w+\\([^)]*\\)\\s*\\{[^}]*?(?!\\@ingroup\\s+themeable)"
-        message: "Theme functions should include @ingroup themeable in their docblock."
-      
-      - pattern: "\\*\\s*@code(?!\\s+[a-z]+\\s+)"
-        message: "@code blocks should specify the language (e.g., @code php)."
-      
-      - pattern: "namespace\\s+(?!Drupal\\\\)"
-        message: "Namespaces should start with 'Drupal\\'."
-        
-      - pattern: "web/modules/custom/[^/]+/\\.services\\.yml$"
-        message: "Every module using services should have a services.yml file."
-      
-      - pattern: "web/modules/custom/[^/]+/src/[^/]+Provider\\.php$"
-        message: "Service providers should be in the module's root namespace (src/ directory)."
-
-metadata:
-  priority: critical
-  version: 1.5
-</rule>
\ No newline at end of file
+> Priority: critical · Version: 1.5
+
+## Applies To
+- `*.php`
+- `*.module`
+- `*.theme`
+- `*.inc`
+- `*.info`
+- `*.install`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|module|inc|install|theme)$`
+- Paths matching `web/modules/custom/|web/themes/custom/`
+
+## Required Checks
+
+- Add 'declare(strict_types=1);' at the beginning of PHP files for type safety.
+- Use uppercase for TRUE, FALSE, and NULL constants.
+- Ensure inline comments begin with a capital letter and end with a period.
+- Consider using readonly properties where immutability is required.
+- Add return type declarations for all methods to ensure type safety.
+- Add #[Override] attribute for overridden methods for clarity.
+- Use typed properties with proper nullability for better code maintainability.
+- Add type hints and return types for all hooks to leverage PHP's type system.
+- Use proper dependency injection with services for better testability and modularity.
+- Implement proper form validation in FormBase classes for security.
+- Use Drupal's t() function for strings that need translation.
+- Use ConfigFactory for configuration management.
+- Use short array syntax ([]) instead of array() for consistent code style.
+- Put a space between the (type) and the $variable in a cast: (int) $mynumber.
+- Remove whitespace from empty lines.
+- Remove trailing whitespace at the end of lines.
+- Ensure files end with a single newline character.
+- Place the opening brace on the same line as the statement for control structures.
+- Never use superglobals directly; use Drupal's input methods.
+- Use Drupal's database API instead of direct MySQL functions.
+- Use 2 spaces for indentation, not tabs.
+- Don't use echo; use return values or Drupal's messenger service.
+- Use proper DocBlock formatting for documentation.
+- Don't use die() or exit(); throw exceptions instead.
+- Use $entity->get('field_name')->value instead of getValue() when possible.
+- Don't use debug functions in production code; use Drupal's logger instead.
+- Use Drupal's DateTimeInterface and DrupalDateTime instead of PHP's DateTime.
+- Never use eval() as it poses security risks.
+- Use controller classes with route definitions instead of hook_menu() callbacks.
+- All PHP files must include proper @file documentation in the docblock.
+- Use Drupal's user session handling instead of $_SESSION.
+- Theme functions should be replaced with Twig templates in Drupal 8+.
+- Use #attached in render arrays instead of drupal_add_js() or drupal_add_css().
+- Use proper hook implementation format: module_name_hook_name().
+- Specify a single class per use statement. Do not specify multiple classes in a single use statement.
+- When importing a class with 'use', do not include a leading backslash (\).
+- Non-namespaced global classes (like Exception) must be fully qualified with a leading backslash (\) when used in a namespaced file.
+- Modules should place classes inside a custom namespace: Drupal\module_name\...
+- Leave an empty line between start of class/interface definition and property/method definition.
+- Module namespaces should be Drupal\module_name, not Drupal\ModuleName (camelCase not PascalCase).
+- Request attributes added by modules should be prefixed with underscore (e.g., '_context_value').
+- Avoid overwriting reserved Symfony or Drupal core request attributes.
+- Classes that provide services should use the 'Provider' suffix (e.g., MyServiceProvider).
+- Services should use dependency injection through constructor arguments defined in services.yml.
+
+## Recommendations
+
+**PHP/Drupal Development Best Practices:**
+
+### General Code Structure
+- **File Structure:** Each PHP file should have the proper structures: <?php tag, namespace declaration (if applicable), use statements, docblock, and implementation.
+- **Line Length:** Keep lines under 80 characters whenever possible.
+- **Indentation:** Use 2 spaces for indentation, never tabs.
+- **Empty Lines:** Use empty lines to separate logical blocks of code, but avoid multiple empty lines.
+- **File Endings:** All files must end with a single newline character.
+
+### PHP Language Features
+- **PHP Version:** Use PHP 8.3+ features where appropriate.
+- **Strict Types:** Use declare(strict_types=1) at the top of files to enforce type safety.
+- **Type Hints:** Always use parameter and return type hints.
+- **Named Arguments:** Use named arguments for clarity in complex function calls.
+- **Attributes:** Use PHP 8 attributes like #[Override] for better code comprehension.
+- **Match Expressions:** Prefer match over switch for cleaner conditionals.
+- **Null Coalescing:** Use ?? and ??= operators where appropriate.
+
+### Drupal-Specific Standards
+- **Fields API:** Use hasField(), get(), and value() methods when working with entity fields.
+- **Exception Handling:** Use try/catch for exception handling with proper logging.
+- **Database Layer:** Use Drupal's database abstraction layer for all queries.
+- **Schema Updates:** Implement hook_update_N() for schema changes during updates.
+- **Dependency Injection:** Use services.yml and proper container injection.
+- **Routing:** Define routes in routing.yml with proper access checks.
+- **Forms:** Extend FormBase or ConfigFormBase with proper validation and submission handling.
+- **Entity API:** Follow entity API best practices for loading, creating, and editing entities.
+- **Plugins:** Use plugin system appropriately with proper annotations.
+
+### Service & Request Standards
+- **Service Naming:** Use descriptive service names and appropriate naming patterns (Provider suffix for service providers).
+- **Service Definition:** Define services in the module's *.services.yml file with appropriate tags and arguments.
+- **Request Attributes:** When adding attributes to the Request object, prefix custom attributes with underscore (e.g., `_context_value`).
+- **Reserved Attributes:** Avoid overwriting core-reserved request attributes like `_system_path`, `_title`, `_account`, `_route`, `_route_object`, `_controller`, `_content`.
+- **Service Container:** Use dependency injection rather than the service container directly.
+- **Factory Services:** Use factory methods for complex service instantiation.
+
+### Namespace Standards
+- **Module Namespace:** Use Drupal\\module_name\\... for all custom module code.
+- **PSR-4 Autoloading:** Class in folder module/src/SubFolder should use namespace Drupal\\module_name\\SubFolder.
+- **Use Statements:** Each class should have its own use statement; don't combine multiple classes in one use.
+- **No Leading Backslash:** Don't add a leading backslash (\\) in use statements.
+- **Global Classes:** Global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file.
+- **Class Aliasing:** Only alias classes to avoid name collisions, using meaningful names like BarBaz and ThingBaz.
+- **String Class Names:** When specifying a class name in a string, use full name including namespace without leading backslash. Prefer single quotes.
+- **Class Placement:** A class named Drupal\\module_name\\Foo should be in file module_name/src/Foo.php.
+
+### Security Practices
+- **Input Validation:** Always validate and sanitize user input.
+- **Access Checks:** Implement proper access checks for all routes and content.
+- **CSRF Protection:** Use Form API with proper form tokens for all forms.
+- **SQL Injection:** Use parameterized queries with placeholders.
+- **XSS Prevention:** Use Xss::filter() or t() with appropriate placeholders.
+- **File Security:** Validate uploaded files and restrict access properly.
+
+### Documentation and Comments
+- **PHPDoc Blocks:** Document all classes, methods, and properties with proper PHPDoc.
+- **Function Comments:** Describe parameters, return values, and exceptions.
+- **Inline Comments:** Use meaningful comments for complex logic.
+- **Comment Format:** Begin comments with a capital letter and end with a period.
+- **API Documentation:** Follow Drupal's API documentation standards.
+
+### Performance
+- **Caching:** Implement proper cache tags, contexts, and max-age.
+- **Database Queries:** Optimize queries with proper indices and JOINs.
+- **Lazy Loading:** Use lazy loading for expensive operations.
+- **Batch Processing:** Use batch API for long-running operations.
+- **Static Caching:** Implement static caching for repeated operations.
+
+### Testing
+- **Unit Tests:** Write PHPUnit tests for business logic.
+- **Kernel Tests:** Use kernel tests for integration with Drupal subsystems.
+- **Functional Tests:** Implement functional tests for user interactions.
+- **Mocking:** Use proper mocking techniques for dependencies.
+- **Test Coverage:** Aim for high test coverage of critical functionality.
+
+### API Documentation Examples
+
+#### File Documentation
+
+**Module Files (.module)**
+```php
+<?php
+
+/**
+ * @file
+ * Provides [module functionality description].
+ */
+```
+
+**Install Files (.install)**
+```php
+<?php
+
+/**
+ * @file
+ * Install, update and uninstall functions for the [module name] module.
+ */
+```
+
+**Include Files (.inc)**
+```php
+<?php
+
+/**
+ * @file
+ * [Specific functionality] for the [module name] module.
+ */
+```
+
+**Class Files (in namespaced directories)**
+```php
+<?php
+
+namespace Drupal\module_name\ClassName;
+
+use Drupal\Core\SomeClass;
+
+/**
+ * Provides [class functionality description].
+ *
+ * [Extended description if needed]
+ */
+class ClassName implements InterfaceName {
+```
+
+#### Function Documentation
+
+**Standard Function**
+```php
+/**
+ * Returns [what the function returns or does].
+ *
+ * [Additional explanation if needed]
+ *
+ * @param string $param1
+ *   Description of parameter.
+ * @param int $param2
+ *   Description of parameter.
+ *
+ * @return array
+ *   Description of returned data.
+ *
+ * @throws \Exception
+ *   Exception thrown when [condition].
+ *
+ * @see related_function()
+ */
+function module_function_name($param1, $param2) {
+```
+
+**Hook Implementation**
+```php
+/**
+ * Implements hook_form_alter().
+ */
+function module_name_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state, $form_id) {
+```
+
+**Update Hook**
+```php
+/**
+ * Implements hook_update_N().
+ *
+ * [Description of what the update does].
+ */
+function module_name_update_8001() {
+```
+
+#### Class Documentation
+
+**Class Properties**
+```php
+/**
+ * The entity type manager.
+ *
+ * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+ */
+protected $entityTypeManager;
+```
+
+**Method Documentation**
+```php
+/**
+ * Gets entities of a specific type.
+ *
+ * @param string $entity_type
+ *   The entity type ID.
+ * @param array $conditions
+ *   (optional) An array of conditions to match. Defaults to an empty array.
+ *
+ * @return \Drupal\Core\Entity\EntityInterface[]
+ *   An array of entity objects indexed by their IDs.
+ *
+ * @throws \Drupal\Component\Plugin\Exception\PluginNotFoundException
+ *   Thrown if the entity type doesn't exist.
+ * @throws \Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException
+ *   Thrown if the storage handler couldn't be loaded.
+ */
+public function getEntities(string $entity_type, array $conditions = []): array {
+```
+
+**Interface Method**
+```php
+/**
+ * Implements \SomeInterface::methodName().
+ */
+public function methodName() {
+```
+
+#### Namespace Examples
+
+**Using Classes From Other Namespaces**
+```php
+namespace Drupal\mymodule\Tests\Foo;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests that the foo bars.
+ */
+class BarTest extends WebTestBase {
+```
+
+**Class Aliasing for Name Collisions**
+```php
+use Foo\Bar\Baz as BarBaz;
+use Stuff\Thing\Baz as ThingBaz;
+
+/**
+ * Tests stuff for the whichever.
+ */
+function test() {
+  $a = new BarBaz(); // This will be Foo\Bar\Baz
+  $b = new ThingBaz(); // This will be Stuff\Thing\Baz
+}
+```
+
+**Using Global Classes in Namespaced Files**
+```php
+namespace Drupal\Subsystem;
+
+// Bar is a class in the Drupal\Subsystem namespace in another file.
+// It is already available without any importing.
+
+/**
+ * Defines a Foo.
+ */
+class Foo {
+
+  /**
+   * Constructs a new Foo object.
+   */
+  public function __construct(Bar $b) {
+    // Global classes must be prefixed with a \ character.
+    $d = new \DateTime();
+  }
+}
+```
+
+#### Service Definition Example
+
+**services.yml File**
+```yaml
+services:
+  mymodule.my_service:
+    class: Drupal\mymodule\MyService
+    arguments: ['@entity_type.manager', '@current_user']
+    tags:
+      - { name: cache.context }
+```
+
+**Request Attribute Handling**
+```php
+// Correctly adding a request attribute (with underscore prefix)
+\Drupal::request()->attributes->set('_context_value', $myvalue);
+
+// Correctly retrieving a request attribute
+$contextValue = \Drupal::request()->attributes->get('_context_value');
+```
+
+## Validation
+
+- Ensure each custom module has a required .info.yml file.
+- Ensure module has .module file if hooks are implemented.
+- Place form classes in the Form directory for organization.
+- Implement proper exception handling in catch blocks.
+- Namespace should be Drupal\ModuleName\...
+- Follow PSR-4 for class naming and organization.
+- Use nullable return types (e.g., ?string) instead of type|null in docblocks.
+- Call parent::__construct() if extending a class with a constructor.
+- Use camelCase for method names (e.g., getId instead of get_id).
+- Add proper @file docblock for PHP files.
+- Replace 'hook_' prefix with your module name in hook implementations.
+- DocBlock tags should be properly aligned with leading asterisks.
+- Use proper data types in @param tags (array, bool, int, string, etc.).
+- Use proper data types in @return tags (array, bool, int, string, etc.).
+- Parameter description should be separated by at least 3 spaces from the param type/name.
+- Theme functions should include @ingroup themeable in their docblock.
+- @code blocks should specify the language (e.g., @code php).
+- Namespaces should start with 'Drupal\'.
+- Every module using services should have a services.yml file.
+- Service providers should be in the module's root namespace (src/ directory).
diff --git a/.cursor/rules/php-drupal-development-standards.mdc b/.cursor/rules/php-drupal-development-standards.mdc
index 3d600f6..6820a2e 100644
--- a/.cursor/rules/php-drupal-development-standards.mdc
+++ b/.cursor/rules/php-drupal-development-standards.mdc
@@ -6,82 +6,52 @@ globs: *.php, *.module, *.inc, *.install, *.theme
 
 Ensures adherence to PHP 8.3+ features and Drupal development best practices for improved code quality, security, and maintainability.
 
-<rule>
-name: enhanced_php_drupal_development_standards
-description: Enforce PHP 8.3+ and Drupal development standards
-filters:
-  - type: file_extension
-    pattern: "\\.(php|module|inc|install|theme)$"
-  - type: file_path
-    pattern: "web/modules/custom/|web/themes/custom/"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "^(?!declare\\(strict_types=1\\);)"
-        message: "Add 'declare(strict_types=1);' at the beginning of PHP files for type safety."
-
-      - pattern: "class\\s+\\w+\\s*(?!\\{[^}]*readonly\\s+\\$)"
-        message: "Consider using readonly properties where immutability is required for better code safety."
-
-      - pattern: "public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!:)"
-        message: "Add return type declarations for all methods to enhance type safety."
-
-      - pattern: "extends\\s+\\w+\\s*\\{[^}]*public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!#\\[Override\\])"
-        message: "Add #[Override] attribute for overridden methods for clear intent."
-
-      - pattern: "\\$\\w+\\s*(?!:)"
-        message: "Use typed properties with proper nullability to improve code readability and prevent errors."
-
-      - pattern: "function\\s+hook_\\w+\\([^)]*\\)\\s*(?!:)"
-        message: "Add type hints and return types for all hooks to leverage PHP's type system."
-
-      - pattern: "new\\s+\\w+\\([^)]*\\)\\s*(?!;\\s*//\\s*@inject)"
-        message: "Use proper dependency injection with services for better testability and modularity."
-
-      - pattern: "extends\\s+FormBase\\s*\\{[^}]*validate"
-        message: "Implement proper form validation in FormBase classes for security."
-
-      - pattern: "(?<!\\bTRUE\\b)\\btrue\\b|(?<!\\bFALSE\\b)\\bfalse\\b|(?<!\\bNULL\\b)\\bnull\\b"
-        message: "Use uppercase for TRUE, FALSE, and NULL constants for consistency."
-
-      - pattern: "(?i)\\/\\/\\s[a-z]"
-        message: "Ensure inline comments begin with a capital letter and end with a period for readability."
-
-      - pattern: "\\$this->config\\('\\w+'\\)"
-        message: "Use ConfigFactory for configuration management to ensure proper dependency injection."
-
-  - type: suggest
-    message: |
-      **PHP/Drupal Development Best Practices:**
-      - **File Structure:** Place module files in `web/modules/custom/[module_name]/` for organization.
-      - **Module Files:** Ensure modules include .info.yml, .module, .libraries.yml, .services.yml where applicable.
-      - **Dependencies:** Use hook_requirements() to manage external dependencies.
-      - **Forms:** Use FormBase or ConfigFormBase for creating forms, always include CSRF protection.
-      - **Caching:** Apply proper cache tags and contexts for performance optimization.
-      - **Error Handling & Logging:** Implement robust error handling and logging using Drupal's mechanisms.
-      - **Type Safety:** Leverage type safety in form methods and throughout your code.
-      - **Dependency Injection:** Follow Drupal's dependency injection patterns for better maintainability.
-      - **Service Container:** Use Drupal's service container to manage dependencies.
-      - **Security:** Validate all user inputs, use Drupal's security practices like sanitization and escaping.
-      - **Schema Updates:** Implement hook_update_N() for database schema changes.
-      - **Translation:** Use Drupal's t() function for all user-facing strings.
-
-  - type: validate
-    conditions:
-      - pattern: "web/modules/custom/[^/]+/\\.info\\.yml$"
-        message: "Ensure each custom module has a required .info.yml file."
-
-      - pattern: "web/modules/custom/[^/]+/\\.module$"
-        message: "Ensure module has .module file if hooks are implemented."
-
-      - pattern: "web/modules/custom/[^/]+/src/Form/\\w+Form\\.php$"
-        message: "Place form classes in the Form directory for consistency."
-
-      - pattern: "try\\s*\\{[^}]*\\}\\s*catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
-        message: "Implement proper exception handling in catch blocks for robustness."
-
-metadata:
-  priority: critical
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: critical · Version: 1.1
+
+## Applies To
+- `*.php`
+- `*.module`
+- `*.inc`
+- `*.install`
+- `*.theme`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|module|inc|install|theme)$`
+- Paths matching `web/modules/custom/|web/themes/custom/`
+
+## Required Checks
+
+- Add 'declare(strict_types=1);' at the beginning of PHP files for type safety.
+- Consider using readonly properties where immutability is required for better code safety.
+- Add return type declarations for all methods to enhance type safety.
+- Add #[Override] attribute for overridden methods for clear intent.
+- Use typed properties with proper nullability to improve code readability and prevent errors.
+- Add type hints and return types for all hooks to leverage PHP's type system.
+- Use proper dependency injection with services for better testability and modularity.
+- Implement proper form validation in FormBase classes for security.
+- Use uppercase for TRUE, FALSE, and NULL constants for consistency.
+- Ensure inline comments begin with a capital letter and end with a period for readability.
+- Use ConfigFactory for configuration management to ensure proper dependency injection.
+
+## Recommendations
+
+**PHP/Drupal Development Best Practices:**
+- **File Structure:** Place module files in `web/modules/custom/[module_name]/` for organization.
+- **Module Files:** Ensure modules include .info.yml, .module, .libraries.yml, .services.yml where applicable.
+- **Dependencies:** Use hook_requirements() to manage external dependencies.
+- **Forms:** Use FormBase or ConfigFormBase for creating forms, always include CSRF protection.
+- **Caching:** Apply proper cache tags and contexts for performance optimization.
+- **Error Handling & Logging:** Implement robust error handling and logging using Drupal's mechanisms.
+- **Type Safety:** Leverage type safety in form methods and throughout your code.
+- **Dependency Injection:** Follow Drupal's dependency injection patterns for better maintainability.
+- **Service Container:** Use Drupal's service container to manage dependencies.
+- **Security:** Validate all user inputs, use Drupal's security practices like sanitization and escaping.
+- **Schema Updates:** Implement hook_update_N() for database schema changes.
+- **Translation:** Use Drupal's t() function for all user-facing strings.
+
+## Validation
+
+- Ensure each custom module has a required .info.yml file.
+- Ensure module has .module file if hooks are implemented.
+- Place form classes in the Form directory for consistency.
+- Implement proper exception handling in catch blocks for robustness.
diff --git a/.cursor/rules/php-memory-optimisation.mdc b/.cursor/rules/php-memory-optimisation.mdc
index 6c55571..782eea7 100644
--- a/.cursor/rules/php-memory-optimisation.mdc
+++ b/.cursor/rules/php-memory-optimisation.mdc
@@ -4,82 +4,39 @@ globs: *.php, *.ini
 ---
 # PHP Memory Optimisation Standards
 
-Guidance and automated checks to reduce peak memory usage in PHP applications. Based on widely accepted practices and the article "PHP Memory Optimization Tips" by Khouloud Haddad.
-
-<rule>
-name: php_memory_optimisation
-description: Detect memory-heavy patterns and suggest streaming, generators, and better data handling
-filters:
-  - type: file_extension
-    pattern: "\\.php$"
-
-actions:
-  - type: enforce
-    conditions:
-      # Avoid loading entire DB result sets into memory.
-      - pattern: "->fetchAll\\("
-        message: "Avoid fetchAll() on large result sets; iterate with fetch() in a loop or wrap with a generator (yield)."
-
-      - pattern: "\\bmysqli_fetch_all\\("
-        message: "Avoid mysqli_fetch_all() for large queries; prefer streaming fetch (e.g., mysqli_fetch_assoc in a loop)."
-
-      # Avoid repeated full-file loads inside loops.
-      - pattern: "foreach\\s*\\([^)]*\\)\\s*\\{[^}]*file_get_contents\\("
-        message: "Avoid file_get_contents() inside loops; stream with SplFileObject or read once and reuse."
-
-      # Avoid array_merge in tight loops as it copies arrays.
-      - pattern: "foreach\\s*\\([^)]*\\)\\s*\\{[^}]*=\\s*array_merge\\("
-        message: "Avoid array_merge() inside loops; append elements directly or preallocate arrays."
-
-      # Use caution with range() on large ranges (allocates full array).
-      - pattern: "\\brange\\s*\\("
-        message: "range() allocates full arrays; for large ranges consider generators (yield) to avoid high memory."
-
-  - type: suggest
-    message: |
-      **PHP memory optimisation recommendations:**
-
-      - **Stream database results:** Prefer `$stmt->fetch(PDO::FETCH_ASSOC)` in a `while` loop or use generators instead of `fetchAll()`.
-      - **Use generators (yield):** Iterate large datasets without allocating full arrays.
-      - **Stream files:** Use `SplFileObject` or chunked reads instead of `file_get_contents()` for large files.
-      - **Minimise array copying:** Avoid `array_merge()` in loops; push items directly or pre-size with known capacity (e.g., `SplFixedArray`).
-      - **Free memory explicitly:** `unset($var)` after large data is no longer needed; consider `gc_collect_cycles()` for long-running scripts.
-      - **Profile memory:** Use `memory_get_usage()` and tools like Xdebug/Blackfire to spot peaks.
-      - **OPcache:** Ensure OPcache is enabled and sized appropriately in production.
-
-  - type: validate
-    conditions:
-      # Detect full-file reads that likely could be streamed.
-      - pattern: "\\bfile\\s*\\("
-        message: "file() reads entire files into memory; prefer SplFileObject for line-by-line streaming."
-
-metadata:
-  priority: high
-  version: 1.0
-</rule>
-
-<rule>
-name: php_ini_opcache_recommendations
-description: Recommend enabling OPcache for lower memory and better performance when editing php.ini
-filters:
-  - type: file_extension
-    pattern: "\\.ini$"
-
-actions:
-  - type: suggest
-    message: |
-      **OPcache recommendations (php.ini):**
-      - Set `opcache.enable=1` and `opcache.enable_cli=1` for CLI scripts that process large datasets.
-      - Size memory pool appropriately, e.g., `opcache.memory_consumption=128` (adjust to your project).
-      - Consider `opcache.interned_strings_buffer` and `opcache.max_accelerated_files` for larger codebases.
-
-  - type: enforce
-    conditions:
-      - pattern: "(?mi)^opcache\\.enable\\s*=\\s*0"
-        message: "Enable OPcache in production (set opcache.enable=1) to reduce memory and CPU overhead."
-
-metadata:
-  priority: medium
-  version: 1.0
-</rule>
-
+Actionable guidance for reducing peak memory usage in PHP code and configuration across heterogeneous projects.
+
+> Priority: high · Version: 1.0 (PHP code) · Version: 1.0 (php.ini guidance)
+
+## Applies To
+- `*.php`
+- `*.ini`
+
+## Trigger Conditions
+- Data access layers loading large result sets or files.
+- Loops performing expensive array operations or repeated merges.
+- php.ini or runtime configuration controlling OPcache and garbage collection.
+
+## Required Checks (PHP Code)
+- Replace `fetchAll()`/`mysqli_fetch_all()` on large queries with streaming loops (`fetch()` while loops, generators, iterators).
+- Avoid `file_get_contents()`/`file()` inside loops when processing large files; stream with `SplFileObject`, chunked reads, or generators.
+- Minimise array copies (e.g., prefer `$array[] =` over `array_merge()` inside loops, preallocate when possible).
+- Review uses of `range()` that may allocate huge arrays; consider generators or iterators for large ranges.
+- Release references to large structures (`unset`, `gc_collect_cycles`) in long-running scripts once data is no longer needed.
+
+## Required Checks (PHP Configuration)
+- Ensure OPcache is enabled in production (`opcache.enable=1`, `opcache.enable_cli=1` for CLI heavy workloads).
+- Size OPcache memory and interned string buffers to match project footprint (`opcache.memory_consumption`, `opcache.interned_strings_buffer`, `opcache.max_accelerated_files`).
+- Confirm CLI workers or batch scripts inherit the same OPcache settings when appropriate.
+
+## Recommendations
+- Wrap data streaming patterns in reusable helpers to keep teams from reintroducing memory-heavy approaches.
+- Use generators (`yield`) for pipelines that transform large datasets.
+- Profile using `memory_get_usage()`, Blackfire, Xdebug, or similar tools to quantify improvements.
+- Monitor OPcache hit ratios and memory consumption to adjust configuration before saturation.
+- Consider using `Symfony\Component\Process\Process` for external commands to control memory usage of child processes.
+
+## Positive Signals
+- Presence of iterators (`Generator`, `Yield`, `SplFileObject`) instead of bulk array loading.
+- Data access layers using limit/offset pagination or chunked processing.
+- Configuration files enabling OPcache with tuned cache sizes committed alongside application code.
diff --git a/.cursor/rules/project-definition-template.mdc b/.cursor/rules/project-definition-template.mdc
index 2d6eddb..52ec6f1 100644
--- a/.cursor/rules/project-definition-template.mdc
+++ b/.cursor/rules/project-definition-template.mdc
@@ -6,74 +6,45 @@ globs: README.md, /docs/*
 
 This rule enforces best practices for documenting project context, ensuring clarity and maintainability through well-documented README files and documentation.
 
-<rule>
-name: comprehensive_project_definition
-description: Enforce comprehensive project context definition for CursorAI
-filters:
-  - type: file_extension
-    pattern: "\\.md$"
-  - type: file_path
-    pattern: "README.md|/docs/"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "## Project Purpose"
-        message: "Define the purpose of the project in the README file, including its goals and objectives."
-
-      - pattern: "## Technical Stack"
-        message: "List the technical stack used in the project in the README file, including language versions and frameworks."
-
-      - pattern: "## Folder Structure"
-        message: "Document the folder structure in the README file with a brief explanation for each significant directory."
-
-      - pattern: "## Customizations"
-        message: "Include any custom themes, modules, or libraries in the README file, explaining their functionality."
-
-      - pattern: "## Libraries"
-        message: "List any third-party libraries used in the project in the README file, including versions for reproducibility."
-
-      - pattern: "## Setup Instructions"
-        message: "Provide clear setup instructions in the README to help new contributors or users get started."
-
-      - pattern: "## Contribution Guidelines"
-        message: "Document contribution guidelines if the project is open-source or team-based."
-
-  - type: suggest
-    message: |
-      **Project Definition Best Practices:**
-      - **README and Docs:** Use both README.md for an overview and /docs/ for detailed documentation.
-      - **Project Purpose:** Clearly articulate why the project exists, its objectives, and who it serves.
-      - **Technical Stack:** Include all technologies, versions, and possibly why each was chosen.
-      - **Folder Structure:** Use tree diagrams or simple bullet points to describe the project's layout.
-      - **Customizations:** Explain any custom code, including its purpose and how it integrates with the project.
-      - **Libraries:** Detail external dependencies, why they're used, and how to manage them (e.g., npm, composer).
-      - **Setup Instructions:** Provide step-by-step guidance for setting up the project environment.
-      - **Contribution Guidelines:** Outline how to contribute, including coding standards, branch management, and pull request process.
-      - **License:** Include information about the project's licensing for legal clarity.
-      - **Roadmap:** Optionally, add a roadmap section to discuss future plans or features.
-
-  - type: validate
-    conditions:
-      - pattern: "## Project Purpose"
-        message: "Ensure the project purpose is clearly defined for understanding the project's intent."
-
-      - pattern: "## Technical Stack"
-        message: "Ensure the technical stack is documented to aid in tech stack comprehension."
-
-      - pattern: "## Folder Structure"
-        message: "Ensure the folder structure is outlined for navigation ease."
-
-      - pattern: "## Customizations"
-        message: "Ensure customizations are documented for understanding unique project elements."
-
-      - pattern: "## Libraries"
-        message: "Ensure libraries are listed for dependency management."
-
-      - pattern: "## Setup Instructions"
-        message: "Ensure setup instructions are included to facilitate onboarding."
-
-metadata:
-  priority: medium
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: medium · Version: 1.1
+
+## Applies To
+- `README.md`
+- `/docs/*`
+
+## Trigger Conditions
+- Files matching pattern `\.md$`
+- Paths matching `README.md|/docs/`
+
+## Required Checks
+
+- Define the purpose of the project in the README file, including its goals and objectives.
+- List the technical stack used in the project in the README file, including language versions and frameworks.
+- Document the folder structure in the README file with a brief explanation for each significant directory.
+- Include any custom themes, modules, or libraries in the README file, explaining their functionality.
+- List any third-party libraries used in the project in the README file, including versions for reproducibility.
+- Provide clear setup instructions in the README to help new contributors or users get started.
+- Document contribution guidelines if the project is open-source or team-based.
+
+## Recommendations
+
+**Project Definition Best Practices:**
+- **README and Docs:** Use both README.md for an overview and /docs/ for detailed documentation.
+- **Project Purpose:** Clearly articulate why the project exists, its objectives, and who it serves.
+- **Technical Stack:** Include all technologies, versions, and possibly why each was chosen.
+- **Folder Structure:** Use tree diagrams or simple bullet points to describe the project's layout.
+- **Customizations:** Explain any custom code, including its purpose and how it integrates with the project.
+- **Libraries:** Detail external dependencies, why they're used, and how to manage them (e.g., npm, composer).
+- **Setup Instructions:** Provide step-by-step guidance for setting up the project environment.
+- **Contribution Guidelines:** Outline how to contribute, including coding standards, branch management, and pull request process.
+- **License:** Include information about the project's licensing for legal clarity.
+- **Roadmap:** Optionally, add a roadmap section to discuss future plans or features.
+
+## Validation
+
+- Ensure the project purpose is clearly defined for understanding the project's intent.
+- Ensure the technical stack is documented to aid in tech stack comprehension.
+- Ensure the folder structure is outlined for navigation ease.
+- Ensure customizations are documented for understanding unique project elements.
+- Ensure libraries are listed for dependency management.
+- Ensure setup instructions are included to facilitate onboarding.
diff --git a/.cursor/rules/pull-request-changelist-instructions.mdc b/.cursor/rules/pull-request-changelist-instructions.mdc
index 42590e2..b8fd2b9 100644
--- a/.cursor/rules/pull-request-changelist-instructions.mdc
+++ b/.cursor/rules/pull-request-changelist-instructions.mdc
@@ -12,108 +12,100 @@ alwaysApply: false
 
 This document outlines strict standards for creating and formatting pull request changelists in markdown. Following these guidelines ensures that the output remains as raw markdown (unrendered) and prevents any issues with Cursor’s markdown rendering.
 
-<rule>
-name: pull_request_changelist_format
-description: Updated guidelines for creating consistent pull request changelists in markdown with strict code block handling and structured formatting.
-filters:
-  - type: file_extension
-    pattern: "\\.md$"
-  - type: content
-    pattern: "(?i)(pull request|pr|changelist|changelog)"
-
-actions:
-  - type: suggest
-    message: |
-      ## Updated Pull Request Changelist Guidelines
-
-      To guarantee clarity and consistency, please adhere to the following time-tested, unambiguous guidelines when requesting a PR changelist from Cursor:
-
-      ### 1. Request Format
-      **Always explicitly request raw markdown output in a code block** using one of these exact phrases:
-      - "Return markdown as code"
-      - "Return as code inside markdown as code (one block)"
-      - "Provide the markdown in a code block"
-      - "Return the content as a markdown code block, not as formatted text"
-      - "Generate the PR changelist in a markdown code block"
-
-      Avoid ambiguous wording that could lead to a rendered (formatted) output.
-
-      ### 2. Expected Response Format
-      Cursor should always respond with a raw markdown code block that looks like:
-      ```
-      ```markdown
-      # Summary of Changes
-
-      ## Category Name
-      - Change item
-      ```
-      ```
-
-      ### 3. Handling Incorrect Format
-      If the response is rendered markdown rather than a raw code block, prompt with one of the following:
-      - "Please provide the exact markdown in a code block using triple backticks, not as formatted text."
-      - "I require the raw markdown syntax; reformat your response with triple backticks."
-      - "Reformat your output as a code block enclosed in triple backticks."
-
-      ### 4. Changelist Structure
-      - **Main Heading:** Must begin with `# Summary of Changes`
-      - **Categories:** Use `##` headings to group related changes.
-      - **Changes:** List each change with a bullet (`-`), starting with a past tense verb (e.g., Added, Updated, Removed).
-      - **Code/Variables:** Enclose module names or configuration settings in backticks (e.g., `module_name`).
-
-      ### 5. Content Requirements
-      - Be specific about what changed and why.
-      - Group similar changes under the appropriate category headings.
-      - For configuration changes, include both the setting name and its new value.
-      - Keep each entry concise but descriptive.
-
-      ### 6. Example Command
-      To request a changelist from Cursor, try:
-      ```
-      Prepare a PR changelist based on these changes. Return the markdown in a code block with triple backticks.
-      ```
-
-      Adhering to these traditional, time-tested formatting guidelines not only prevents ambiguity but also paves the way for future improvements in automated changelist generation.
-      
-  - type: validate
-    conditions:
-      - pattern: "^```\\s*markdown\\s*\\n#\\s+Summary\\s+of\\s+Changes"
-        message: "The changelist must be a raw markdown code block starting with '# Summary of Changes'. Ensure the use of triple backticks and correct heading structure."
-      - pattern: "-\\s+(Added|Updated|Removed)\\b"
-        message: "Each bullet point must begin with a past tense verb: 'Added', 'Updated', or 'Removed'."
-      
-examples:
-  - input: |
-      Request: "Create a PR changelist for my changes. Return markdown code as code."
-      
-      Good Response from Cursor:
-      ```markdown
-      # Summary of Changes
-
-      ## Environment Configuration
-      - Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
-      - Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
-
-      ## Module Changes
-      - Removed `page_cache` module
-      - Added `stage_file_proxy` module
-      ```
-    output: |
-      This is the correct format for Cursor to return a changelist – as a raw markdown code block enclosed in triple backticks.
-      
-  - input: |
-      Request: "Create a PR changelist for my changes."
-      
-      Bad Response from Cursor (rendered markdown instead of a code block):
-      # Summary of Changes
-
-      ## Environment Configuration
-      - Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
-      - Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
-    output: |
-      This response is incorrectly formatted as rendered markdown. Please ask Cursor to provide the output as a raw markdown code block with triple backticks.
-
-metadata:
-  priority: medium
-  version: 1.2
-</rule>
\ No newline at end of file
+> Priority: medium · Version: 1.2
+
+## Trigger Conditions
+- Files matching pattern `\.md$`
+- Files containing `(?i)(pull request|pr|changelist|changelog)`
+
+## Recommendations
+
+## Updated Pull Request Changelist Guidelines
+
+To guarantee clarity and consistency, please adhere to the following time-tested, unambiguous guidelines when requesting a PR changelist from Cursor:
+
+### 1. Request Format
+**Always explicitly request raw markdown output in a code block** using one of these exact phrases:
+- "Return markdown as code"
+- "Return as code inside markdown as code (one block)"
+- "Provide the markdown in a code block"
+- "Return the content as a markdown code block, not as formatted text"
+- "Generate the PR changelist in a markdown code block"
+
+Avoid ambiguous wording that could lead to a rendered (formatted) output.
+
+### 2. Expected Response Format
+Cursor should always respond with a raw markdown code block that looks like:
+```
+```markdown
+# Summary of Changes
+
+## Category Name
+- Change item
+```
+```
+
+### 3. Handling Incorrect Format
+If the response is rendered markdown rather than a raw code block, prompt with one of the following:
+- "Please provide the exact markdown in a code block using triple backticks, not as formatted text."
+- "I require the raw markdown syntax; reformat your response with triple backticks."
+- "Reformat your output as a code block enclosed in triple backticks."
+
+### 4. Changelist Structure
+- **Main Heading:** Must begin with `# Summary of Changes`
+- **Categories:** Use `##` headings to group related changes.
+- **Changes:** List each change with a bullet (`-`), starting with a past tense verb (e.g., Added, Updated, Removed).
+- **Code/Variables:** Enclose module names or configuration settings in backticks (e.g., `module_name`).
+
+### 5. Content Requirements
+- Be specific about what changed and why.
+- Group similar changes under the appropriate category headings.
+- For configuration changes, include both the setting name and its new value.
+- Keep each entry concise but descriptive.
+
+### 6. Example Command
+To request a changelist from Cursor, try:
+```
+Prepare a PR changelist based on these changes. Return the markdown in a code block with triple backticks.
+```
+
+Adhering to these traditional, time-tested formatting guidelines not only prevents ambiguity but also paves the way for future improvements in automated changelist generation.
+
+## Validation
+
+- The changelist must be a raw markdown code block starting with '# Summary of Changes'. Ensure the use of triple backticks and correct heading structure.
+- Each bullet point must begin with a past tense verb: 'Added', 'Updated', or 'Removed'.
+
+## Examples
+### Example 1
+```
+Request: "Create a PR changelist for my changes. Return markdown code as code."
+
+Good Response from Cursor:
+```markdown
+# Summary of Changes
+
+## Environment Configuration
+- Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
+- Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
+
+## Module Changes
+- Removed `page_cache` module
+- Added `stage_file_proxy` module
+```
+```
+Outcome: This is the correct format for Cursor to return a changelist – as a raw markdown code block enclosed in triple backticks.
+
+### Example 2
+```
+Request: "Create a PR changelist for my changes."
+
+Bad Response from Cursor (rendered markdown instead of a code block):
+# Summary of Changes
+
+## Environment Configuration
+- Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
+- Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
+```
+Outcome: This response is incorrectly formatted as rendered markdown. Please ask Cursor to provide the output as a raw markdown code block with triple backticks.
+
diff --git a/.cursor/rules/python-authentication-failures.mdc b/.cursor/rules/python-authentication-failures.mdc
index b59062f..3aaa2a1 100644
--- a/.cursor/rules/python-authentication-failures.mdc
+++ b/.cursor/rules/python-authentication-failures.mdc
@@ -3,336 +3,259 @@ description: Detect and prevent identification and authentication failures in Py
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Identification and Authentication Failures Standards (OWASP A07:2021)
+# Python Identification and Authentication Failures Standards (OWASP A07:2021)
 
 This rule enforces security best practices to prevent identification and authentication failures in Python applications, as defined in OWASP Top 10:2021-A07.
 
-<rule>
-name: python_authentication_failures
-description: Detect and prevent identification and authentication failures in Python applications as defined in OWASP Top 10:2021-A07
-filters:
-  - type: file_extension
-    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Weak password validation
-      - pattern: "password\\s*=\\s*['\"][^'\"]{1,7}['\"]|min_length\\s*=\\s*[1-7]"
-        message: "Weak password policy detected. Passwords should be at least 8 characters long and include complexity requirements."
-        
-      # Pattern 2: Hardcoded credentials
-      - pattern: "(username|user|login|password|passwd|pwd|secret|api_key|apikey|token)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Hardcoded credentials detected. Store sensitive credentials in environment variables or a secure vault."
-        
-      # Pattern 3: Missing password hashing
-      - pattern: "password\\s*=\\s*request\\.form\\[\\'password\\'\\]|password\\s*=\\s*request\\.POST\\.get\\(\\'password\\'\\)"
-        message: "Storing or comparing plain text passwords detected. Always hash passwords before storage or comparison."
-        
-      # Pattern 4: Insecure password hashing
-      - pattern: "hashlib\\.md5\\(|hashlib\\.sha1\\(|hashlib\\.sha224\\("
-        message: "Insecure hashing algorithm detected. Use strong hashing algorithms like bcrypt, Argon2, or PBKDF2."
-        
-      # Pattern 5: Missing brute force protection
-      - pattern: "@app\\.route\\(['\"]\\/(login|signin|authenticate)['\"]"
-        message: "Authentication endpoint detected without rate limiting or brute force protection. Implement account lockout or rate limiting."
-        
-      # Pattern 6: Insecure session management
-      - pattern: "session\\[\\'user_id\\'\\]\\s*=|session\\[\\'authenticated\\'\\]\\s*=\\s*True"
-        message: "Session management detected. Ensure proper session security with secure cookies, proper expiration, and rotation."
-        
-      # Pattern 7: Missing CSRF protection in authentication
-      - pattern: "form\\s*=\\s*FlaskForm|class\\s+\\w+Form\\(\\s*FlaskForm\\s*\\)|class\\s+\\w+Form\\(\\s*Form\\s*\\)"
-        message: "Form handling detected. Ensure CSRF protection is enabled for all authentication forms."
-        
-      # Pattern 8: Insecure remember me functionality
-      - pattern: "remember_me|remember_token|stay_logged_in"
-        message: "Remember me functionality detected. Ensure secure implementation with proper expiration and refresh mechanisms."
-        
-      # Pattern 9: Insecure password reset
-      - pattern: "@app\\.route\\(['\"]\\/(reset-password|forgot-password|recover)['\"]"
-        message: "Password reset functionality detected. Ensure secure implementation with time-limited tokens and proper user verification."
-        
-      # Pattern 10: Missing multi-factor authentication
-      - pattern: "def\\s+login|def\\s+authenticate|def\\s+signin"
-        message: "Authentication function detected. Consider implementing multi-factor authentication for sensitive operations."
-        
-      # Pattern 11: Insecure direct object reference in user management
-      - pattern: "User\\.objects\\.get\\(id=|User\\.query\\.get\\(|get_user_by_id\\("
-        message: "Direct user lookup detected. Ensure proper authorization checks before accessing user data."
-        
-      # Pattern 12: Insecure JWT implementation
-      - pattern: "jwt\\.encode\\(|jwt\\.decode\\("
-        message: "JWT usage detected. Ensure proper signing, validation, expiration, and refresh mechanisms for JWTs."
-        
-      # Pattern 13: Missing secure flag in cookies
-      - pattern: "set_cookie\\([^,]+,[^,]+,[^,]*secure=False|set_cookie\\([^,]+,[^,]+(?!,\\s*secure=True)"
-        message: "Cookie setting without secure flag detected. Set secure=True for all authentication cookies."
-        
-      # Pattern 14: Missing HTTP-only flag in cookies
-      - pattern: "set_cookie\\([^,]+,[^,]+,[^,]*httponly=False|set_cookie\\([^,]+,[^,]+(?!,\\s*httponly=True)"
-        message: "Cookie setting without httponly flag detected. Set httponly=True for all authentication cookies."
-        
-      # Pattern 15: Insecure default credentials
-      - pattern: "DEFAULT_USERNAME|DEFAULT_PASSWORD|ADMIN_USERNAME|ADMIN_PASSWORD"
-        message: "Default credential configuration detected. Remove default credentials from production code."
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
 
-  - type: suggest
-    message: |
-      **Python Authentication Security Best Practices:**
-      
-      1. **Password Storage:**
-         - Use strong hashing algorithms with salting
-         - Implement proper work factors
-         - Example with passlib:
-           ```python
-           from passlib.hash import argon2
-           
-           # Hash a password
-           hashed_password = argon2.hash("user_password")
-           
-           # Verify a password
-           is_valid = argon2.verify("user_password", hashed_password)
-           ```
-         - Example with Django:
-           ```python
-           from django.contrib.auth.hashers import make_password, check_password
-           
-           # Hash a password
-           hashed_password = make_password("user_password")
-           
-           # Verify a password
-           is_valid = check_password("user_password", hashed_password)
-           ```
-      
-      2. **Password Policies:**
-         - Enforce minimum length (at least 8 characters)
-         - Require complexity (uppercase, lowercase, numbers, special characters)
-         - Check against common passwords
-         - Example with Django:
-           ```python
-           # settings.py
-           AUTH_PASSWORD_VALIDATORS = [
-               {
-                   'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
-                   'OPTIONS': {'min_length': 12}
-               },
-               {
-                   'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
-               },
-               {
-                   'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
-               },
-               {
-                   'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-               },
-           ]
-           ```
-      
-      3. **Brute Force Protection:**
-         - Implement account lockout after failed attempts
-         - Use rate limiting for authentication endpoints
-         - Example with Flask and Flask-Limiter:
-           ```python
-           from flask import Flask
-           from flask_limiter import Limiter
-           from flask_limiter.util import get_remote_address
-           
-           app = Flask(__name__)
-           limiter = Limiter(
-               app,
-               key_func=get_remote_address,
-               default_limits=["200 per day", "50 per hour"]
-           )
-           
-           @app.route("/login", methods=["POST"])
-           @limiter.limit("5 per minute")
-           def login():
-               # Login logic here
-               pass
-           ```
-      
-      4. **Multi-Factor Authentication:**
-         - Implement MFA for sensitive operations
-         - Use time-based one-time passwords (TOTP)
-         - Example with pyotp:
-           ```python
-           import pyotp
-           
-           # Generate a secret key for the user
-           secret = pyotp.random_base32()
-           
-           # Create a TOTP object
-           totp = pyotp.TOTP(secret)
-           
-           # Verify a token
-           is_valid = totp.verify(user_provided_token)
-           ```
-      
-      5. **Secure Session Management:**
-         - Use secure, HTTP-only cookies
-         - Implement proper session expiration
-         - Rotate session IDs after login
-         - Example with Flask:
-           ```python
-           from flask import Flask, session
-           
-           app = Flask(__name__)
-           app.config.update(
-               SECRET_KEY='your-secret-key',
-               SESSION_COOKIE_SECURE=True,
-               SESSION_COOKIE_HTTPONLY=True,
-               SESSION_COOKIE_SAMESITE='Lax',
-               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-           )
-           ```
-      
-      6. **CSRF Protection:**
-         - Implement CSRF tokens for all forms
-         - Validate tokens on form submission
-         - Example with Flask-WTF:
-           ```python
-           from flask_wtf import FlaskForm, CSRFProtect
-           from wtforms import StringField, PasswordField, SubmitField
-           
-           csrf = CSRFProtect(app)
-           
-           class LoginForm(FlaskForm):
-               username = StringField('Username')
-               password = PasswordField('Password')
-               submit = SubmitField('Login')
-           ```
-      
-      7. **Secure Password Reset:**
-         - Use time-limited, single-use tokens
-         - Send reset links to verified email addresses
-         - Example implementation:
-           ```python
-           import secrets
-           from datetime import datetime, timedelta
-           
-           def generate_reset_token(user_id):
-               token = secrets.token_urlsafe(32)
-               expiry = datetime.utcnow() + timedelta(hours=1)
-               # Store token and expiry in database with user_id
-               return token
-           
-           def verify_reset_token(token):
-               # Retrieve token from database
-               # Check if token exists and is not expired
-               # If valid, return user_id
-               pass
-           ```
-      
-      8. **Secure JWT Implementation:**
-         - Use strong signing keys
-         - Include expiration claims
-         - Validate all claims
-         - Example with PyJWT:
-           ```python
-           import jwt
-           from datetime import datetime, timedelta
-           
-           # Create a JWT
-           payload = {
-               'user_id': user.id,
-               'exp': datetime.utcnow() + timedelta(hours=1),
-               'iat': datetime.utcnow()
-           }
-           token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
-           
-           # Verify a JWT
-           try:
-               payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
-               user_id = payload['user_id']
-           except jwt.ExpiredSignatureError:
-               # Token has expired
-               pass
-           except jwt.InvalidTokenError:
-               # Invalid token
-               pass
-           ```
-      
-      9. **Secure Cookie Configuration:**
-         - Set secure, HTTP-only, and SameSite flags
-         - Example with Flask:
-           ```python
-           from flask import Flask, make_response
-           
-           app = Flask(__name__)
-           
-           @app.route('/set_cookie')
-           def set_cookie():
-               resp = make_response('Cookie set')
-               resp.set_cookie(
-                   'session_id', 
-                   'value', 
-                   secure=True, 
-                   httponly=True, 
-                   samesite='Lax',
-                   max_age=3600
-               )
-               return resp
-           ```
-      
-      10. **Credential Storage:**
-          - Use environment variables or secure vaults
-          - Never hardcode credentials
-          - Example with python-dotenv:
-            ```python
-            import os
-            from dotenv import load_dotenv
-            
-            load_dotenv()
-            
-            # Access credentials from environment variables
-            db_user = os.environ.get('DB_USER')
-            db_password = os.environ.get('DB_PASSWORD')
-            ```
+## Trigger Conditions
+- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
+- Paths matching `.*`
 
-  - type: validate
-    conditions:
-      # Check 1: Proper password hashing
-      - pattern: "argon2|bcrypt|pbkdf2|make_password|generate_password_hash"
-        message: "Using secure password hashing algorithms."
-      
-      # Check 2: CSRF protection
-      - pattern: "csrf|CSRFProtect|csrf_token|csrftoken"
-        message: "CSRF protection is implemented."
+## Required Checks
+
+- Weak password policy detected. Passwords should be at least 8 characters long and include complexity requirements.
+- Hardcoded credentials detected. Store sensitive credentials in environment variables or a secure vault.
+- Storing or comparing plain text passwords detected. Always hash passwords before storage or comparison.
+- Insecure hashing algorithm detected. Use strong hashing algorithms like bcrypt, Argon2, or PBKDF2.
+- Authentication endpoint detected without rate limiting or brute force protection. Implement account lockout or rate limiting.
+- Session management detected. Ensure proper session security with secure cookies, proper expiration, and rotation.
+- Form handling detected. Ensure CSRF protection is enabled for all authentication forms.
+- Remember me functionality detected. Ensure secure implementation with proper expiration and refresh mechanisms.
+- Password reset functionality detected. Ensure secure implementation with time-limited tokens and proper user verification.
+- Authentication function detected. Consider implementing multi-factor authentication for sensitive operations.
+- Direct user lookup detected. Ensure proper authorization checks before accessing user data.
+- JWT usage detected. Ensure proper signing, validation, expiration, and refresh mechanisms for JWTs.
+- Cookie setting without secure flag detected. Set secure=True for all authentication cookies.
+- Cookie setting without httponly flag detected. Set httponly=True for all authentication cookies.
+- Default credential configuration detected. Remove default credentials from production code.
+
+## Recommendations
+
+**Python Authentication Security Best Practices:**
+
+1. **Password Storage:**
+   - Use strong hashing algorithms with salting
+   - Implement proper work factors
+   - Example with passlib:
+     ```python
+     from passlib.hash import argon2
+     
+     # Hash a password
+     hashed_password = argon2.hash("user_password")
+     
+     # Verify a password
+     is_valid = argon2.verify("user_password", hashed_password)
+     ```
+   - Example with Django:
+     ```python
+     from django.contrib.auth.hashers import make_password, check_password
+     
+     # Hash a password
+     hashed_password = make_password("user_password")
+     
+     # Verify a password
+     is_valid = check_password("user_password", hashed_password)
+     ```
+
+2. **Password Policies:**
+   - Enforce minimum length (at least 8 characters)
+   - Require complexity (uppercase, lowercase, numbers, special characters)
+   - Check against common passwords
+   - Example with Django:
+     ```python
+     # settings.py
+     AUTH_PASSWORD_VALIDATORS = [
+         {
+             'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+             'OPTIONS': {'min_length': 12}
+         },
+         {
+             'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+         },
+         {
+             'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+         },
+         {
+             'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+         },
+     ]
+     ```
+
+3. **Brute Force Protection:**
+   - Implement account lockout after failed attempts
+   - Use rate limiting for authentication endpoints
+   - Example with Flask and Flask-Limiter:
+     ```python
+     from flask import Flask
+     from flask_limiter import Limiter
+     from flask_limiter.util import get_remote_address
+     
+     app = Flask(__name__)
+     limiter = Limiter(
+         app,
+         key_func=get_remote_address,
+         default_limits=["200 per day", "50 per hour"]
+     )
+     
+     @app.route("/login", methods=["POST"])
+     @limiter.limit("5 per minute")
+     def login():
+         # Login logic here
+         pass
+     ```
+
+4. **Multi-Factor Authentication:**
+   - Implement MFA for sensitive operations
+   - Use time-based one-time passwords (TOTP)
+   - Example with pyotp:
+     ```python
+     import pyotp
+     
+     # Generate a secret key for the user
+     secret = pyotp.random_base32()
+     
+     # Create a TOTP object
+     totp = pyotp.TOTP(secret)
+     
+     # Verify a token
+     is_valid = totp.verify(user_provided_token)
+     ```
+
+5. **Secure Session Management:**
+   - Use secure, HTTP-only cookies
+   - Implement proper session expiration
+   - Rotate session IDs after login
+   - Example with Flask:
+     ```python
+     from flask import Flask, session
+     
+     app = Flask(__name__)
+     app.config.update(
+         SECRET_KEY='your-secret-key',
+         SESSION_COOKIE_SECURE=True,
+         SESSION_COOKIE_HTTPONLY=True,
+         SESSION_COOKIE_SAMESITE='Lax',
+         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+     )
+     ```
+
+6. **CSRF Protection:**
+   - Implement CSRF tokens for all forms
+   - Validate tokens on form submission
+   - Example with Flask-WTF:
+     ```python
+     from flask_wtf import FlaskForm, CSRFProtect
+     from wtforms import StringField, PasswordField, SubmitField
+     
+     csrf = CSRFProtect(app)
+     
+     class LoginForm(FlaskForm):
+         username = StringField('Username')
+         password = PasswordField('Password')
+         submit = SubmitField('Login')
+     ```
+
+7. **Secure Password Reset:**
+   - Use time-limited, single-use tokens
+   - Send reset links to verified email addresses
+   - Example implementation:
+     ```python
+     import secrets
+     from datetime import datetime, timedelta
+     
+     def generate_reset_token(user_id):
+         token = secrets.token_urlsafe(32)
+         expiry = datetime.utcnow() + timedelta(hours=1)
+         # Store token and expiry in database with user_id
+         return token
+     
+     def verify_reset_token(token):
+         # Retrieve token from database
+         # Check if token exists and is not expired
+         # If valid, return user_id
+         pass
+     ```
+
+8. **Secure JWT Implementation:**
+   - Use strong signing keys
+   - Include expiration claims
+   - Validate all claims
+   - Example with PyJWT:
+     ```python
+     import jwt
+     from datetime import datetime, timedelta
+     
+     # Create a JWT
+     payload = {
+         'user_id': user.id,
+         'exp': datetime.utcnow() + timedelta(hours=1),
+         'iat': datetime.utcnow()
+     }
+     token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
+     
+     # Verify a JWT
+     try:
+         payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
+         user_id = payload['user_id']
+     except jwt.ExpiredSignatureError:
+         # Token has expired
+         pass
+     except jwt.InvalidTokenError:
+         # Invalid token
+         pass
+     ```
+
+9. **Secure Cookie Configuration:**
+   - Set secure, HTTP-only, and SameSite flags
+   - Example with Flask:
+     ```python
+     from flask import Flask, make_response
+     
+     app = Flask(__name__)
+     
+     @app.route('/set_cookie')
+     def set_cookie():
+         resp = make_response('Cookie set')
+         resp.set_cookie(
+             'session_id', 
+             'value', 
+             secure=True, 
+             httponly=True, 
+             samesite='Lax',
+             max_age=3600
+         )
+         return resp
+     ```
+
+10. **Credential Storage:**
+    - Use environment variables or secure vaults
+    - Never hardcode credentials
+    - Example with python-dotenv:
+      ```python
+      import os
+      from dotenv import load_dotenv
       
-      # Check 3: Secure cookie settings
-      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*True|secure=True|httponly=True|samesite"
-        message: "Secure cookie settings are configured."
+      load_dotenv()
       
-      # Check 4: Rate limiting
-      - pattern: "limiter\\.limit|RateLimitExceeded|rate_limit|throttle"
-        message: "Rate limiting is implemented for authentication endpoints."
+      # Access credentials from environment variables
+      db_user = os.environ.get('DB_USER')
+      db_password = os.environ.get('DB_PASSWORD')
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - authentication
-    - identity
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:authentication
-    - standard:owasp-top10
-    - risk:a07-identification-authentication-failures
-  references:
-    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html"
-    - "https://docs.djangoproject.com/en/stable/topics/auth/passwords/"
-    - "https://flask-login.readthedocs.io/en/latest/"
-    - "https://fastapi.tiangolo.com/tutorial/security/"
-</rule>
\ No newline at end of file
+- Using secure password hashing algorithms.
+- CSRF protection is implemented.
+- Secure cookie settings are configured.
+- Rate limiting is implemented for authentication endpoints.
diff --git a/.cursor/rules/python-broken-access-control.mdc b/.cursor/rules/python-broken-access-control.mdc
index 2ed05c7..d7e2e21 100644
--- a/.cursor/rules/python-broken-access-control.mdc
+++ b/.cursor/rules/python-broken-access-control.mdc
@@ -7,143 +7,75 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent broken access control vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A01.
 
-<rule>
-name: python_broken_access_control
-description: Detect and prevent broken access control vulnerabilities in Python applications as defined in OWASP Top 10:2021-A01
-filters:
-  - type: file_extension
-    pattern: "\\.(py)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: 90 · Version: 1.0
+
+## Applies To
+- `*.py`
+
+## Trigger Conditions
+- Files matching pattern `\.(py)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Flask route lacks access control. Consider using @login_required or checking user permissions within the function.
+- Django class-based view lacks access control mixins. Consider using LoginRequiredMixin, PermissionRequiredMixin, or UserPassesTestMixin.
+- Potential insecure direct object reference (IDOR). Validate that the current user has permission to access this object.
+- Hardcoded role checks can be fragile. Consider using a permission system or role-based access control framework.
+- FastAPI endpoint lacks security dependencies. Consider using Depends(get_current_user) or similar security dependencies.
+- Dangerous admin/debug flags in request parameters could bypass access control. Remove or secure these backdoors.
+- Extremely dangerous use of eval() or exec() with user input can lead to code execution. Avoid these functions entirely.
+- API endpoint may lack access control. Ensure proper authentication and authorization checks are implemented.
+- Setting session variables directly from request data without validation can lead to session-based access control bypasses.
+- Form or view appears to be missing CSRF protection. Ensure CSRF tokens are properly implemented.
+
+## Recommendations
+
+**Python Access Control Best Practices:**
+
+1. **Framework-Specific Controls:**
+   - **Django**: Use built-in authentication and permission decorators/mixins
+     - `@login_required`, `LoginRequiredMixin`
+     - `@permission_required`, `PermissionRequiredMixin`
+     - `UserPassesTestMixin` for custom permission logic
+   - **Flask**: Use Flask-Login or similar extensions
+     - `@login_required` decorator
+     - `current_user.is_authenticated` checks
+     - Role-based access control with Flask-Principal
+   - **FastAPI**: Use dependency injection for security
+     - `Depends(get_current_user)` pattern
+     - OAuth2 with `Security(oauth2_scheme)`
+     - JWT validation middleware
+
+2. **General Access Control Principles:**
+   - Implement access control at the server side, never rely on client-side checks
+   - Use deny-by-default approach (whitelist vs blacklist)
+   - Implement proper session management
+   - Apply principle of least privilege
+   - Use contextual access control (time, location, device-based restrictions when appropriate)
+
+3. **Object-Level Authorization:**
+   - Validate user has permission to access specific resources
+   - Implement row-level security for database access
+   - Use UUIDs instead of sequential IDs when possible
+   - Always verify ownership or permission before allowing operations on objects
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing access control in Flask routes
-      - pattern: "@(app|blueprint)\\.route\\([^)]*\\)\\s*\\n\\s*def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*@login_required|[^#]*current_user\\.|[^#]*session\\[)"
-        message: "Flask route lacks access control. Consider using @login_required or checking user permissions within the function."
-        
-      # Pattern 2: Missing access control in Django views
-      - pattern: "class\\s+[A-Za-z0-9_]+View\\((?!LoginRequiredMixin|PermissionRequiredMixin|UserPassesTestMixin)[^)]*\\):"
-        message: "Django class-based view lacks access control mixins. Consider using LoginRequiredMixin, PermissionRequiredMixin, or UserPassesTestMixin."
-        
-      # Pattern 3: Insecure direct object reference
-      - pattern: "(get|filter|find)_by_id\\(\\s*request\\.(GET|POST|args|form|json)\\[['\"][^'\"]+['\"]\\]\\s*\\)"
-        message: "Potential insecure direct object reference (IDOR). Validate that the current user has permission to access this object."
-        
-      # Pattern 4: Hardcoded role checks
-      - pattern: "if\\s+user\\.role\\s*==\\s*['\"]admin['\"]|if\\s+user\\.(is_staff|is_superuser)\\s*:"
-        message: "Hardcoded role checks can be fragile. Consider using a permission system or role-based access control framework."
-        
-      # Pattern 5: Missing authorization in FastAPI
-      - pattern: "@(app|router)\\.([a-z]+)\\([^)]*\\)\\s*\\n\\s*(?:async\\s+)?def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*Depends\\(|[^#]*Security\\(|[^#]*HTTPBearer\\()"
-        message: "FastAPI endpoint lacks security dependencies. Consider using Depends(get_current_user) or similar security dependencies."
-        
-      # Pattern 6: Bypassing access control with admin flags
-      - pattern: "if\\s+request\\.(GET|POST|args|form|json)\\[['\"]admin['\"]\\]|if\\s+request\\.(GET|POST|args|form|json)\\[['\"]debug['\"]\\]"
-        message: "Dangerous admin/debug flags in request parameters could bypass access control. Remove or secure these backdoors."
-        
-      # Pattern 7: Insecure use of eval or exec with user input
-      - pattern: "eval\\(|exec\\(.*request\\."
-        message: "Extremely dangerous use of eval() or exec() with user input can lead to code execution. Avoid these functions entirely."
-        
-      # Pattern 8: Missing access control in API endpoints
-      - pattern: "@api_view\\(|@api\\.route\\(|@app\\.api_route\\("
-        message: "API endpoint may lack access control. Ensure proper authentication and authorization checks are implemented."
-        
-      # Pattern 9: Insecure Flask session usage
-      - pattern: "session\\[['\"][^'\"]+['\"]\\]\\s*=\\s*request\\."
-        message: "Setting session variables directly from request data without validation can lead to session-based access control bypasses."
-        
-      # Pattern 10: Missing CSRF protection
-      - pattern: "class\\s+[A-Za-z0-9_]+Form\\((?!.*csrf).*\\):|@csrf_exempt"
-        message: "Form or view appears to be missing CSRF protection. Ensure CSRF tokens are properly implemented."
+4. **API Security:**
+   - Implement proper authentication for all API endpoints
+   - Use token-based authentication with proper validation
+   - Apply rate limiting to prevent brute force attacks
+   - Implement proper CORS configuration
+   - Log and monitor access control failures
 
-  - type: suggest
-    message: |
-      **Python Access Control Best Practices:**
-      
-      1. **Framework-Specific Controls:**
-         - **Django**: Use built-in authentication and permission decorators/mixins
-           - `@login_required`, `LoginRequiredMixin`
-           - `@permission_required`, `PermissionRequiredMixin`
-           - `UserPassesTestMixin` for custom permission logic
-         - **Flask**: Use Flask-Login or similar extensions
-           - `@login_required` decorator
-           - `current_user.is_authenticated` checks
-           - Role-based access control with Flask-Principal
-         - **FastAPI**: Use dependency injection for security
-           - `Depends(get_current_user)` pattern
-           - OAuth2 with `Security(oauth2_scheme)`
-           - JWT validation middleware
-      
-      2. **General Access Control Principles:**
-         - Implement access control at the server side, never rely on client-side checks
-         - Use deny-by-default approach (whitelist vs blacklist)
-         - Implement proper session management
-         - Apply principle of least privilege
-         - Use contextual access control (time, location, device-based restrictions when appropriate)
-      
-      3. **Object-Level Authorization:**
-         - Validate user has permission to access specific resources
-         - Implement row-level security for database access
-         - Use UUIDs instead of sequential IDs when possible
-         - Always verify ownership or permission before allowing operations on objects
-      
-      4. **API Security:**
-         - Implement proper authentication for all API endpoints
-         - Use token-based authentication with proper validation
-         - Apply rate limiting to prevent brute force attacks
-         - Implement proper CORS configuration
-         - Log and monitor access control failures
-      
-      5. **Testing Access Control:**
-         - Write tests specifically for authorization logic
-         - Test vertical access control (different permission levels)
-         - Test horizontal access control (same permission level, different users)
-         - Verify access control works after session timeout/expiration
+5. **Testing Access Control:**
+   - Write tests specifically for authorization logic
+   - Test vertical access control (different permission levels)
+   - Test horizontal access control (same permission level, different users)
+   - Verify access control works after session timeout/expiration
 
-  - type: validate
-    conditions:
-      # Check 1: Proper Django permission usage
-      - pattern: "@login_required|@permission_required|LoginRequiredMixin|PermissionRequiredMixin"
-        message: "Using Django's built-in access control mechanisms."
-      
-      # Check 2: Proper Flask authentication
-      - pattern: "@login_required|current_user\\.is_authenticated|@auth\\.login_required"
-        message: "Implementing proper Flask authentication checks."
-      
-      # Check 3: Object-level permission checks
-      - pattern: "\\.has_permission\\(|has_object_permission\\(|can_view\\(|can_edit\\("
-        message: "Implementing object-level permission checks."
-      
-      # Check 4: FastAPI security dependencies
-      - pattern: "Depends\\(get_current_user\\)|Security\\(|HTTPBearer\\("
-        message: "Using FastAPI's security dependency injection."
+## Validation
 
-metadata:
-  priority: 90
-  version: "1.0"
-  tags:
-    - python
-    - security
-    - access_control
-    - owasp
-    - language:python
-    - category:security
-    - subcategory:authorisation
-    - subcategory:access-control
-    - standard:owasp-top10
-    - risk:a01-broken-access-control
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-  references:
-    - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
-    - https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
-    - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
-    - https://docs.djangoproject.com/en/stable/topics/auth/default/
-    - https://flask-login.readthedocs.io/en/latest/
-    - https://fastapi.tiangolo.com/tutorial/security/
-    - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
-</rule> 
\ No newline at end of file
+- Using Django's built-in access control mechanisms.
+- Implementing proper Flask authentication checks.
+- Implementing object-level permission checks.
+- Using FastAPI's security dependency injection.
diff --git a/.cursor/rules/python-cryptographic-failures.mdc b/.cursor/rules/python-cryptographic-failures.mdc
index c486193..4ce8d98 100644
--- a/.cursor/rules/python-cryptographic-failures.mdc
+++ b/.cursor/rules/python-cryptographic-failures.mdc
@@ -7,187 +7,120 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent cryptographic failures in Python applications, as defined in OWASP Top 10:2021-A02.
 
-<rule>
-name: python_cryptographic_failures
-description: Detect and prevent cryptographic failures in Python applications as defined in OWASP Top 10:2021-A02
-filters:
-  - type: file_extension
-    pattern: "\\.(py)$"
-  - type: file_path
-    pattern: ".*"
-
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Weak or insecure cryptographic algorithms
-      - pattern: "import\\s+(md5|sha1)|hashlib\\.(md5|sha1)\\(|Crypto\\.Hash\\.(MD5|SHA1)|cryptography\\.hazmat\\.primitives\\.hashes\\.(MD5|SHA1)"
-        message: "Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms from the hashlib or cryptography packages."
-        
-      # Pattern 2: Hardcoded secrets/credentials
-      - pattern: "(password|secret|key|token|auth)\\s*=\\s*['\"][^'\"]+['\"]"
-        message: "Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault."
-        
-      # Pattern 3: Insecure random number generation
-      - pattern: "random\\.(random|randint|choice|sample)|import random"
-        message: "Using Python's standard random module for security purposes. Use secrets module or cryptography.hazmat.primitives.asymmetric for cryptographic operations."
-        
-      # Pattern 4: Weak SSL/TLS configuration
-      - pattern: "ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)|SSLContext\\(\\s*ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)\\)"
-        message: "Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ (ssl.PROTOCOL_TLS_CLIENT with minimum version set)."
-        
-      # Pattern 5: Missing certificate validation
-      - pattern: "verify\\s*=\\s*False|check_hostname\\s*=\\s*False|CERT_NONE"
-        message: "SSL certificate validation is disabled. Always validate certificates in production environments."
-        
-      # Pattern 6: Insecure cipher usage
-      - pattern: "DES|RC4|Blowfish|ECB"
-        message: "Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding."
-        
-      # Pattern 7: Insufficient key length
-      - pattern: "RSA\\([^,]+,\\s*[0-9]+\\s*\\)|key_size\\s*=\\s*([0-9]|10[0-9][0-9]|11[0-9][0-9]|12[0-4][0-9])"
-        message: "Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits."
-        
-      # Pattern 8: Insecure password hashing
-      - pattern: "\\.encode\\(['\"]utf-?8['\"]\\)\\.(digest|hexdigest)\\(\\)|hashlib\\.[a-zA-Z0-9]+\\([^)]*\\)\\.(digest|hexdigest)\\(\\)"
-        message: "Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, Argon2, or PBKDF2."
-        
-      # Pattern 9: Missing salt in password hashing
-      - pattern: "pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]+\\s*\\)"
-        message: "Ensure you're using a proper random salt with password hashing functions."
-        
-      # Pattern 10: Insecure cookie settings
-      - pattern: "set_cookie\\([^)]*secure\\s*=\\s*False|set_cookie\\([^)]*httponly\\s*=\\s*False"
-        message: "Cookies with sensitive data should have secure and httponly flags enabled."
-
-  - type: suggest
-    message: |
-      **Python Cryptography Best Practices:**
-      
-      1. **Secure Password Storage:**
-         - Use dedicated password hashing algorithms:
-           ```python
-           import bcrypt
-           hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
-           ```
-         - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
-           ```python
-           from argon2 import PasswordHasher
-           ph = PasswordHasher()
-           hash = ph.hash(password)
-           ```
-      
-      2. **Secure Random Number Generation:**
-         - Use the `secrets` module for cryptographic operations:
-           ```python
-           import secrets
-           token = secrets.token_hex(32)  # 256 bits of randomness
-           ```
-         - For cryptographic keys, use proper key generation functions:
-           ```python
-           from cryptography.hazmat.primitives.asymmetric import rsa
-           private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
-           ```
-      
-      3. **Secure Communications:**
-         - Use TLS 1.2+ for all communications:
-           ```python
-           import ssl
-           context = ssl.create_default_context()
-           context.minimum_version = ssl.TLSVersion.TLSv1_2
-           ```
-         - Always validate certificates:
-           ```python
-           import requests
-           response = requests.get('https://example.com', verify=True)
-           ```
-      
-      4. **Proper Key Management:**
-         - Never hardcode secrets in source code
-         - Use environment variables or secure vaults:
-           ```python
-           import os
-           api_key = os.environ.get('API_KEY')
-           ```
-         - Consider using dedicated key management services
-      
-      5. **Secure Encryption:**
-         - Use high-level libraries like `cryptography`:
-           ```python
-           from cryptography.fernet import Fernet
-           key = Fernet.generate_key()
-           f = Fernet(key)
-           encrypted = f.encrypt(data)
-           ```
-         - For lower-level needs, use authenticated encryption (AES-GCM):
-           ```python
-           from cryptography.hazmat.primitives.ciphers.aead import AESGCM
-           key = AESGCM.generate_key(bit_length=256)
-           aesgcm = AESGCM(key)
-           nonce = os.urandom(12)
-           encrypted = aesgcm.encrypt(nonce, data, associated_data)
-           ```
-      
-      6. **Secure Cookie Handling:**
-         - Set secure and httponly flags:
-           ```python
-           # Flask example
-           response.set_cookie('session', session_id, httponly=True, secure=True, samesite='Lax')
-           ```
-         - Use signed cookies or tokens:
-           ```python
-           # Django example - uses signed cookies by default
-           request.session['user_id'] = user.id
-           ```
-      
-      7. **Input Validation:**
-         - Validate all cryptographic inputs
-         - Use constant-time comparison for secrets:
-           ```python
-           import hmac
-           def constant_time_compare(a, b):
-               return hmac.compare_digest(a, b)
-           ```
-
-  - type: validate
-    conditions:
-      # Check 1: Proper password hashing
-      - pattern: "bcrypt\\.hashpw|argon2|PasswordHasher|pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]{4,}\\s*\\)"
-        message: "Using secure password hashing algorithm."
-      
-      # Check 2: Secure random generation
-      - pattern: "secrets\\.|urandom|cryptography\\.hazmat\\.primitives\\.asymmetric"
-        message: "Using cryptographically secure random number generation."
-      
-      # Check 3: Strong TLS configuration
-      - pattern: "ssl\\.PROTOCOL_TLS|minimum_version\\s*=\\s*ssl\\.TLSVersion\\.TLSv1_2|create_default_context"
-        message: "Using secure TLS configuration."
-      
-      # Check 4: Proper certificate validation
-      - pattern: "verify\\s*=\\s*True|check_hostname\\s*=\\s*True|CERT_REQUIRED"
-        message: "Properly validating SSL certificates."
-
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - cryptography
-    - encryption
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:cryptography
-    - standard:owasp-top10
-    - risk:a02-cryptographic-failures
-  references:
-    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
-    - "https://docs.python.org/3/library/secrets.html"
-    - "https://cryptography.io/en/latest/"
-    - "https://pypi.org/project/bcrypt/"
-    - "https://pypi.org/project/argon2-cffi/"
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.py`
+
+## Trigger Conditions
+- Files matching pattern `\.(py)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms from the hashlib or cryptography packages.
+- Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault.
+- Using Python's standard random module for security purposes. Use secrets module or cryptography.hazmat.primitives.asymmetric for cryptographic operations.
+- Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ (ssl.PROTOCOL_TLS_CLIENT with minimum version set).
+- SSL certificate validation is disabled. Always validate certificates in production environments.
+- Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding.
+- Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits.
+- Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, Argon2, or PBKDF2.
+- Ensure you're using a proper random salt with password hashing functions.
+- Cookies with sensitive data should have secure and httponly flags enabled.
+
+## Recommendations
+
+**Python Cryptography Best Practices:**
+
+1. **Secure Password Storage:**
+   - Use dedicated password hashing algorithms:
+     ```python
+     import bcrypt
+     hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
+     ```
+   - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
+     ```python
+     from argon2 import PasswordHasher
+     ph = PasswordHasher()
+     hash = ph.hash(password)
+     ```
+
+2. **Secure Random Number Generation:**
+   - Use the `secrets` module for cryptographic operations:
+     ```python
+     import secrets
+     token = secrets.token_hex(32)  # 256 bits of randomness
+     ```
+   - For cryptographic keys, use proper key generation functions:
+     ```python
+     from cryptography.hazmat.primitives.asymmetric import rsa
+     private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
+     ```
+
+3. **Secure Communications:**
+   - Use TLS 1.2+ for all communications:
+     ```python
+     import ssl
+     context = ssl.create_default_context()
+     context.minimum_version = ssl.TLSVersion.TLSv1_2
+     ```
+   - Always validate certificates:
+     ```python
+     import requests
+     response = requests.get('https://example.com', verify=True)
+     ```
+
+4. **Proper Key Management:**
+   - Never hardcode secrets in source code
+   - Use environment variables or secure vaults:
+     ```python
+     import os
+     api_key = os.environ.get('API_KEY')
+     ```
+   - Consider using dedicated key management services
+
+5. **Secure Encryption:**
+   - Use high-level libraries like `cryptography`:
+     ```python
+     from cryptography.fernet import Fernet
+     key = Fernet.generate_key()
+     f = Fernet(key)
+     encrypted = f.encrypt(data)
+     ```
+   - For lower-level needs, use authenticated encryption (AES-GCM):
+     ```python
+     from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+     key = AESGCM.generate_key(bit_length=256)
+     aesgcm = AESGCM(key)
+     nonce = os.urandom(12)
+     encrypted = aesgcm.encrypt(nonce, data, associated_data)
+     ```
+
+6. **Secure Cookie Handling:**
+   - Set secure and httponly flags:
+     ```python
+     # Flask example
+     response.set_cookie('session', session_id, httponly=True, secure=True, samesite='Lax')
+     ```
+   - Use signed cookies or tokens:
+     ```python
+     # Django example - uses signed cookies by default
+     request.session['user_id'] = user.id
+     ```
+
+7. **Input Validation:**
+   - Validate all cryptographic inputs
+   - Use constant-time comparison for secrets:
+     ```python
+     import hmac
+     def constant_time_compare(a, b):
+         return hmac.compare_digest(a, b)
+     ```
+
+## Validation
+
+- Using secure password hashing algorithm.
+- Using cryptographically secure random number generation.
+- Using secure TLS configuration.
+- Properly validating SSL certificates.
diff --git a/.cursor/rules/python-injection.mdc b/.cursor/rules/python-injection.mdc
index 8fc1e95..5954ecb 100644
--- a/.cursor/rules/python-injection.mdc
+++ b/.cursor/rules/python-injection.mdc
@@ -3,176 +3,112 @@ description: Detect and prevent injection vulnerabilities in Python applications
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Injection Security Standards (OWASP A03:2021)
+# Python Injection Security Standards (OWASP A03:2021)
 
 This rule enforces security best practices to prevent injection vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A03.
 
-<rule>
-name: python_injection
-description: Detect and prevent injection vulnerabilities in Python applications as defined in OWASP Top 10:2021-A03
-filters:
-  - type: file_extension
-    pattern: "\\.(py)$"
-  - type: file_path
-    pattern: ".*"
-
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: SQL Injection - String concatenation in SQL queries
-      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*\\s*[\\+%]|cursor\\.(execute|executemany)\\([^,]+\\+\\s*[a-zA-Z_][a-zA-Z0-9_]*"
-        message: "Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string concatenation."
-        
-      # Pattern 2: SQL Injection - String formatting in SQL queries
-      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*%[^\"']*[\"']\\s*%\\s*|cursor\\.(execute|executemany)\\([\"'][^\"']*{[^\"']*}[\"']\\.format"
-        message: "Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string formatting."
-        
-      # Pattern 3: Command Injection - Shell command execution with user input
-      - pattern: "(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*\\+\\s*[a-zA-Z_][a-zA-Z0-9_]*|\\b(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*format\\(|\\b(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*f['\"]"
-        message: "Potential command injection vulnerability. Never use string concatenation or formatting with shell commands. Use subprocess with shell=False and pass arguments as a list."
-        
-      # Pattern 4: Command Injection - Shell=True in subprocess
-      - pattern: "(subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*shell\\s*=\\s*True"
-        message: "Using shell=True with subprocess functions is dangerous and can lead to command injection. Use shell=False (default) and pass arguments as a list."
-        
-      # Pattern 5: XSS - Unescaped template variables
-      - pattern: "\\{\\{\\s*[^|]*\\s*\\}\\}|\\{\\%\\s*autoescape\\s+off\\s*\\%\\}"
-        message: "Potential XSS vulnerability. Ensure all template variables are properly escaped. Avoid using 'autoescape off' in templates."
-        
-      # Pattern 6: XSS - Unsafe HTML rendering in Flask/Django
-      - pattern: "render_template\\([^)]*\\)|render\\([^)]*\\)|mark_safe\\([^)]*\\)|safe\\s*\\|"
-        message: "Potential XSS vulnerability. Ensure all user-supplied data is properly escaped before rendering in templates."
-        
-      # Pattern 7: Path Traversal - Unsafe file operations
-      - pattern: "open\\([^)]*\\+|open\\([^)]*format\\(|open\\([^)]*f['\"]"
-        message: "Potential path traversal vulnerability. Validate and sanitize file paths before opening files. Consider using os.path.abspath and os.path.normpath."
-        
-      # Pattern 8: LDAP Injection - Unsafe LDAP queries
-      - pattern: "ldap\\.search\\([^)]*\\+|ldap\\.search\\([^)]*format\\(|ldap\\.search\\([^)]*f['\"]"
-        message: "Potential LDAP injection vulnerability. Use proper LDAP escaping for user-supplied input in LDAP queries."
-        
-      # Pattern 9: NoSQL Injection - Unsafe MongoDB queries
-      - pattern: "find\\(\\{[^}]*\\+|find\\(\\{[^}]*format\\(|find\\(\\{[^}]*f['\"]"
-        message: "Potential NoSQL injection vulnerability. Use parameterized queries or proper escaping for MongoDB queries."
-        
-      # Pattern 10: Template Injection - Unsafe template rendering
-      - pattern: "Template\\([^)]*\\)\\.(render|substitute)\\(|eval\\([^)]*\\)|exec\\([^)]*\\)"
-        message: "Potential template injection or code injection vulnerability. Avoid using eval() or exec() with user input, and ensure template variables are properly validated."
-
-  - type: suggest
-    message: |
-      **Python Injection Prevention Best Practices:**
-      
-      1. **SQL Injection Prevention:**
-         - Use parameterized queries (prepared statements) with placeholders:
-           ```python
-           # Safe SQL query with parameters
-           cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
-           
-           # Django ORM (safe by default)
-           User.objects.filter(username=username, password=password)
-           
-           # SQLAlchemy (safe by default)
-           session.query(User).filter(User.username == username, User.password == password)
-           ```
-         - Use ORM frameworks when possible (Django ORM, SQLAlchemy)
-         - Apply proper input validation and sanitization
-      
-      2. **Command Injection Prevention:**
-         - Never use shell=True with subprocess functions
-         - Pass command arguments as a list, not a string:
-           ```python
-           # Safe command execution
-           subprocess.run(["ls", "-l", user_dir], shell=False)
-           ```
-         - Use shlex.quote() if you must include user input in shell commands
-         - Consider using safer alternatives like Python libraries instead of shell commands
-      
-      3. **XSS Prevention:**
-         - Use template auto-escaping (enabled by default in modern frameworks)
-         - Explicitly escape user input before rendering:
-           ```python
-           # Django
-           from django.utils.html import escape
-           safe_data = escape(user_input)
-           
-           # Flask/Jinja2
-           from markupsafe import escape
-           safe_data = escape(user_input)
-           ```
-         - Use Content-Security-Policy headers
-         - Validate input against allowlists
-      
-      4. **Path Traversal Prevention:**
-         - Validate and sanitize file paths:
-           ```python
-           import os
-           safe_path = os.path.normpath(os.path.join(safe_base_dir, user_filename))
-           if not safe_path.startswith(safe_base_dir):
-               raise ValueError("Invalid path")
-           ```
-         - Use os.path.abspath() and os.path.normpath()
-         - Implement proper access controls
-         - Consider using libraries like Werkzeug's secure_filename()
-      
-      5. **NoSQL Injection Prevention:**
-         - Use parameterized queries or query builders
-         - Validate input against schemas
-         - Apply proper type checking
-           ```python
-           # Safe MongoDB query
-           collection.find({"username": username, "status": "active"})
-           ```
-      
-      6. **Template Injection Prevention:**
-         - Avoid using eval() or exec() with user input
-         - Use sandboxed template engines
-         - Limit template functionality to what's necessary
-         - Apply proper input validation
-
-  - type: validate
-    conditions:
-      # Check 1: Safe SQL queries
-      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*[\"']\\s*,\\s*\\(|cursor\\.(execute|executemany)\\([\"'][^\"']*[\"']\\s*,\\s*\\[|Model\\.objects\\.filter\\(|session\\.query\\("
-        message: "Using parameterized queries or ORM for database access."
-      
-      # Check 2: Safe command execution
-      - pattern: "(subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\(\\[[^\\]]*\\]"
-        message: "Using subprocess with arguments as a list (safe pattern)."
-      
-      # Check 3: Proper input validation
-      - pattern: "validate|sanitize|clean|escape|is_valid\\(|validators\\."
-        message: "Implementing input validation or sanitization."
-      
-      # Check 4: Safe file operations
-      - pattern: "os\\.path\\.join|os\\.path\\.abspath|os\\.path\\.normpath|secure_filename"
-        message: "Using safe file path handling techniques."
-
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - injection
-    - sql-injection
-    - xss
-    - command-injection
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:injection
-    - standard:owasp-top10
-    - risk:a03-injection
-  references:
-    - "https://owasp.org/Top10/A03_2021-Injection/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
-    - "https://docs.python.org/3/library/subprocess.html"
-    - "https://docs.djangoproject.com/en/stable/topics/security/"
-    - "https://flask.palletsprojects.com/en/latest/security/"
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
+
+## Trigger Conditions
+- Files matching pattern `\.(py)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string concatenation.
+- Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string formatting.
+- Potential command injection vulnerability. Never use string concatenation or formatting with shell commands. Use subprocess with shell=False and pass arguments as a list.
+- Using shell=True with subprocess functions is dangerous and can lead to command injection. Use shell=False (default) and pass arguments as a list.
+- Potential XSS vulnerability. Ensure all template variables are properly escaped. Avoid using 'autoescape off' in templates.
+- Potential XSS vulnerability. Ensure all user-supplied data is properly escaped before rendering in templates.
+- Potential path traversal vulnerability. Validate and sanitize file paths before opening files. Consider using os.path.abspath and os.path.normpath.
+- Potential LDAP injection vulnerability. Use proper LDAP escaping for user-supplied input in LDAP queries.
+- Potential NoSQL injection vulnerability. Use parameterized queries or proper escaping for MongoDB queries.
+- Potential template injection or code injection vulnerability. Avoid using eval() or exec() with user input, and ensure template variables are properly validated.
+
+## Recommendations
+
+**Python Injection Prevention Best Practices:**
+
+1. **SQL Injection Prevention:**
+   - Use parameterized queries (prepared statements) with placeholders:
+     ```python
+     # Safe SQL query with parameters
+     cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
+     
+     # Django ORM (safe by default)
+     User.objects.filter(username=username, password=password)
+     
+     # SQLAlchemy (safe by default)
+     session.query(User).filter(User.username == username, User.password == password)
+     ```
+   - Use ORM frameworks when possible (Django ORM, SQLAlchemy)
+   - Apply proper input validation and sanitization
+
+2. **Command Injection Prevention:**
+   - Never use shell=True with subprocess functions
+   - Pass command arguments as a list, not a string:
+     ```python
+     # Safe command execution
+     subprocess.run(["ls", "-l", user_dir], shell=False)
+     ```
+   - Use shlex.quote() if you must include user input in shell commands
+   - Consider using safer alternatives like Python libraries instead of shell commands
+
+3. **XSS Prevention:**
+   - Use template auto-escaping (enabled by default in modern frameworks)
+   - Explicitly escape user input before rendering:
+     ```python
+     # Django
+     from django.utils.html import escape
+     safe_data = escape(user_input)
+     
+     # Flask/Jinja2
+     from markupsafe import escape
+     safe_data = escape(user_input)
+     ```
+   - Use Content-Security-Policy headers
+   - Validate input against allowlists
+
+4. **Path Traversal Prevention:**
+   - Validate and sanitize file paths:
+     ```python
+     import os
+     safe_path = os.path.normpath(os.path.join(safe_base_dir, user_filename))
+     if not safe_path.startswith(safe_base_dir):
+         raise ValueError("Invalid path")
+     ```
+   - Use os.path.abspath() and os.path.normpath()
+   - Implement proper access controls
+   - Consider using libraries like Werkzeug's secure_filename()
+
+5. **NoSQL Injection Prevention:**
+   - Use parameterized queries or query builders
+   - Validate input against schemas
+   - Apply proper type checking
+     ```python
+     # Safe MongoDB query
+     collection.find({"username": username, "status": "active"})
+     ```
+
+6. **Template Injection Prevention:**
+   - Avoid using eval() or exec() with user input
+   - Use sandboxed template engines
+   - Limit template functionality to what's necessary
+   - Apply proper input validation
+
+## Validation
+
+- Using parameterized queries or ORM for database access.
+- Using subprocess with arguments as a list (safe pattern).
+- Implementing input validation or sanitization.
+- Using safe file path handling techniques.
diff --git a/.cursor/rules/python-insecure-design.mdc b/.cursor/rules/python-insecure-design.mdc
index c7fa352..1d7eb08 100644
--- a/.cursor/rules/python-insecure-design.mdc
+++ b/.cursor/rules/python-insecure-design.mdc
@@ -3,250 +3,189 @@ description: Detect and prevent insecure design patterns in Python applications
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Insecure Design Security Standards (OWASP A04:2021)
+# Python Insecure Design Security Standards (OWASP A04:2021)
 
 This rule enforces security best practices to prevent insecure design vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A04.
 
-<rule>
-name: python_insecure_design
-description: Detect and prevent insecure design patterns in Python applications as defined in OWASP Top 10:2021-A04
-filters:
-  - type: file_extension
-    pattern: "\\.(py)$"
-  - type: file_path
-    pattern: ".*"
-
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Lack of input validation
-      - pattern: "def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*validate|[^#]*clean|[^#]*sanitize|[^#]*check|[^#]*is_valid)"
-        message: "Function lacks input validation. Consider implementing validation for all user-supplied inputs."
-        
-      # Pattern 2: Hardcoded business rules
-      - pattern: "if\\s+[a-zA-Z0-9_]+\\s*(==|!=|>|<|>=|<=)\\s*['\"][^'\"]+['\"]:"
-        message: "Hardcoded business rules detected. Consider using configuration files or database-driven rules for better maintainability."
-        
-      # Pattern 3: Lack of rate limiting
-      - pattern: "@(app|api|route|blueprint)\\.(get|post|put|delete|patch)\\([^)]*\\)\\s*\\n\\s*(?![^#]*rate_limit|[^#]*throttle|[^#]*limiter)"
-        message: "API endpoint lacks rate limiting. Consider implementing rate limiting to prevent abuse."
-        
-      # Pattern 4: Insecure default configurations
-      - pattern: "DEBUG\\s*=\\s*True|DEVELOPMENT\\s*=\\s*True|TESTING\\s*=\\s*True"
-        message: "Insecure default configuration detected. Ensure debug/development modes are disabled in production."
-        
-      # Pattern 5: Lack of error handling
-      - pattern: "(?<!try:\\s*\\n)[^#]*\\n\\s*(?!except|finally)"
-        message: "Consider implementing proper error handling with try-except blocks for operations that might fail."
-        
-      # Pattern 6: Insecure direct object references
-      - pattern: "get_object_or_404\\(\\s*[^,]+,\\s*pk\\s*=\\s*request\\.(GET|POST|args|form|json)\\[['\"][^'\"]+['\"]\\]\\s*\\)|get\\(\\s*id\\s*=\\s*request\\.(GET|POST|args|form|json)"
-        message: "Potential insecure direct object reference. Validate user's permission to access the requested object."
-        
-      # Pattern 7: Missing authentication checks
-      - pattern: "@(app|api|route|blueprint)\\.(get|post|put|delete|patch)\\([^)]*\\)\\s*\\n\\s*(?!.*@login_required|.*@auth\\.login_required|.*@jwt_required|.*current_user|.*request\\.user)"
-        message: "Endpoint lacks authentication checks. Consider adding authentication requirements for sensitive operations."
-        
-      # Pattern 8: Lack of proper logging
-      - pattern: "except\\s+[a-zA-Z0-9_]+\\s*(?:as\\s+[a-zA-Z0-9_]+)?:\\s*(?!.*logger\\.|.*logging\\.|.*print)"
-        message: "Exception caught without proper logging. Implement proper logging for exceptions to aid in debugging and monitoring."
-        
-      # Pattern 9: Insecure file uploads
-      - pattern: "request\\.files\\[['\"][^'\"]+['\"]\\]|FileField\\(|FileStorage\\("
-        message: "File upload functionality detected. Ensure proper validation of file types, sizes, and implement virus scanning if applicable."
-        
-      # Pattern 10: Lack of security headers
-      - pattern: "response\\.(headers|set_header)\\([^)]*\\)|return\\s+Response\\([^)]*\\)|return\\s+make_response\\([^)]*\\)"
-        message: "Consider adding security headers (Content-Security-Policy, X-Content-Type-Options, etc.) to HTTP responses."
-
-  - type: suggest
-    message: |
-      **Python Secure Design Best Practices:**
-      
-      1. **Implement Defense in Depth:**
-         - Layer security controls throughout your application
-         - Don't rely on a single security mechanism
-         - Assume that each security layer can be bypassed
-      
-      2. **Use Secure Defaults:**
-         - Start with secure configurations by default
-         - Require explicit opt-in for less secure options
-         - Example for Flask:
-           ```python
-           app.config.update(
-               SESSION_COOKIE_SECURE=True,
-               SESSION_COOKIE_HTTPONLY=True,
-               SESSION_COOKIE_SAMESITE='Lax',
-               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-           )
-           ```
-      
-      3. **Implement Proper Access Control:**
-         - Use role-based access control (RBAC)
-         - Implement principle of least privilege
-         - Validate access at the controller and service layers
-         - Example:
-           ```python
-           @app.route('/admin')
-           @roles_required('admin')  # Using Flask-Security
-           def admin_dashboard():
-               return render_template('admin/dashboard.html')
-           ```
-      
-      4. **Use Rate Limiting:**
-         - Protect against brute force and DoS attacks
-         - Example with Flask-Limiter:
-           ```python
-           from flask_limiter import Limiter
-           limiter = Limiter(app)
-           
-           @app.route('/login', methods=['POST'])
-           @limiter.limit("5 per minute")
-           def login():
-               # Login logic
-           ```
-      
-      5. **Implement Proper Error Handling:**
-         - Catch and log exceptions appropriately
-         - Return user-friendly error messages without exposing sensitive details
-         - Example:
-           ```python
-           try:
-               # Operation that might fail
-               result = perform_operation(user_input)
-           except ValidationError as e:
-               logger.warning(f"Validation error: {str(e)}")
-               return jsonify({"error": "Invalid input provided"}), 400
-           except Exception as e:
-               logger.error(f"Unexpected error: {str(e)}", exc_info=True)
-               return jsonify({"error": "An unexpected error occurred"}), 500
-           ```
-      
-      6. **Use Configuration Management:**
-         - Store configuration in environment variables or secure vaults
-         - Use different configurations for development and production
-         - Example:
-           ```python
-           import os
-           from dotenv import load_dotenv
-           
-           load_dotenv()
-           
-           DEBUG = os.getenv('DEBUG', 'False') == 'True'
-           SECRET_KEY = os.getenv('SECRET_KEY')
-           DATABASE_URL = os.getenv('DATABASE_URL')
-           ```
-      
-      7. **Implement Proper Logging:**
-         - Log security events and exceptions
-         - Include contextual information but avoid sensitive data
-         - Use structured logging
-         - Example:
-           ```python
-           import logging
-           
-           logger = logging.getLogger(__name__)
-           
-           def user_action(user_id, action):
-               logger.info("User action", extra={
-                   "user_id": user_id,
-                   "action": action,
-                   "timestamp": datetime.now().isoformat()
-               })
-           ```
-      
-      8. **Use Security Headers:**
-         - Implement Content-Security-Policy, X-Content-Type-Options, etc.
-         - Example with Flask:
-           ```python
-           from flask_talisman import Talisman
-           
-           talisman = Talisman(
-               app,
-               content_security_policy={
-                   'default-src': "'self'",
-                   'script-src': "'self'"
-               }
-           )
-           ```
-      
-      9. **Implement Secure File Handling:**
-         - Validate file types, sizes, and content
-         - Store files outside the web root
-         - Use secure file permissions
-         - Example:
-           ```python
-           import os
-           from werkzeug.utils import secure_filename
-           
-           ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
-           MAX_CONTENT_LENGTH = 1 * 1024 * 1024  # 1MB
-           
-           def allowed_file(filename):
-               return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
-           
-           @app.route('/upload', methods=['POST'])
-           def upload_file():
-               if 'file' not in request.files:
-                   return jsonify({"error": "No file part"}), 400
-               
-               file = request.files['file']
-               if file.filename == '':
-                   return jsonify({"error": "No selected file"}), 400
-               
-               if file and allowed_file(file.filename):
-                   filename = secure_filename(file.filename)
-                   file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
-                   return jsonify({"success": True}), 200
-               
-               return jsonify({"error": "File type not allowed"}), 400
-           ```
-      
-      10. **Use Threat Modeling:**
-          - Identify potential threats during design phase
-          - Implement controls to mitigate identified threats
-          - Regularly review and update threat models
-
-  - type: validate
-    conditions:
-      # Check 1: Proper input validation
-      - pattern: "validate|clean|sanitize|check|is_valid"
-        message: "Implementing input validation."
-      
-      # Check 2: Proper error handling
-      - pattern: "try:\\s*\\n[^#]*\\n\\s*(except|finally)"
-        message: "Using proper error handling with try-except blocks."
-      
-      # Check 3: Rate limiting implementation
-      - pattern: "rate_limit|throttle|limiter"
-        message: "Implementing rate limiting for API endpoints."
-      
-      # Check 4: Proper logging
-      - pattern: "logger\\.|logging\\."
-        message: "Using proper logging mechanisms."
-
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - design
-    - architecture
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:design
-    - standard:owasp-top10
-    - risk:a04-insecure-design
-  references:
-    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html"
-    - "https://flask.palletsprojects.com/en/latest/security/"
-    - "https://docs.djangoproject.com/en/stable/topics/security/"
-    - "https://fastapi.tiangolo.com/advanced/security/"
-    - "https://owasp.org/www-project-proactive-controls/"
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
+
+## Trigger Conditions
+- Files matching pattern `\.(py)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Function lacks input validation. Consider implementing validation for all user-supplied inputs.
+- Hardcoded business rules detected. Consider using configuration files or database-driven rules for better maintainability.
+- API endpoint lacks rate limiting. Consider implementing rate limiting to prevent abuse.
+- Insecure default configuration detected. Ensure debug/development modes are disabled in production.
+- Consider implementing proper error handling with try-except blocks for operations that might fail.
+- Potential insecure direct object reference. Validate user's permission to access the requested object.
+- Endpoint lacks authentication checks. Consider adding authentication requirements for sensitive operations.
+- Exception caught without proper logging. Implement proper logging for exceptions to aid in debugging and monitoring.
+- File upload functionality detected. Ensure proper validation of file types, sizes, and implement virus scanning if applicable.
+- Consider adding security headers (Content-Security-Policy, X-Content-Type-Options, etc.) to HTTP responses.
+
+## Recommendations
+
+**Python Secure Design Best Practices:**
+
+1. **Implement Defense in Depth:**
+   - Layer security controls throughout your application
+   - Don't rely on a single security mechanism
+   - Assume that each security layer can be bypassed
+
+2. **Use Secure Defaults:**
+   - Start with secure configurations by default
+   - Require explicit opt-in for less secure options
+   - Example for Flask:
+     ```python
+     app.config.update(
+         SESSION_COOKIE_SECURE=True,
+         SESSION_COOKIE_HTTPONLY=True,
+         SESSION_COOKIE_SAMESITE='Lax',
+         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+     )
+     ```
+
+3. **Implement Proper Access Control:**
+   - Use role-based access control (RBAC)
+   - Implement principle of least privilege
+   - Validate access at the controller and service layers
+   - Example:
+     ```python
+     @app.route('/admin')
+     @roles_required('admin')  # Using Flask-Security
+     def admin_dashboard():
+         return render_template('admin/dashboard.html')
+     ```
+
+4. **Use Rate Limiting:**
+   - Protect against brute force and DoS attacks
+   - Example with Flask-Limiter:
+     ```python
+     from flask_limiter import Limiter
+     limiter = Limiter(app)
+     
+     @app.route('/login', methods=['POST'])
+     @limiter.limit("5 per minute")
+     def login():
+         # Login logic
+     ```
+
+5. **Implement Proper Error Handling:**
+   - Catch and log exceptions appropriately
+   - Return user-friendly error messages without exposing sensitive details
+   - Example:
+     ```python
+     try:
+         # Operation that might fail
+         result = perform_operation(user_input)
+     except ValidationError as e:
+         logger.warning(f"Validation error: {str(e)}")
+         return jsonify({"error": "Invalid input provided"}), 400
+     except Exception as e:
+         logger.error(f"Unexpected error: {str(e)}", exc_info=True)
+         return jsonify({"error": "An unexpected error occurred"}), 500
+     ```
+
+6. **Use Configuration Management:**
+   - Store configuration in environment variables or secure vaults
+   - Use different configurations for development and production
+   - Example:
+     ```python
+     import os
+     from dotenv import load_dotenv
+     
+     load_dotenv()
+     
+     DEBUG = os.getenv('DEBUG', 'False') == 'True'
+     SECRET_KEY = os.getenv('SECRET_KEY')
+     DATABASE_URL = os.getenv('DATABASE_URL')
+     ```
+
+7. **Implement Proper Logging:**
+   - Log security events and exceptions
+   - Include contextual information but avoid sensitive data
+   - Use structured logging
+   - Example:
+     ```python
+     import logging
+     
+     logger = logging.getLogger(__name__)
+     
+     def user_action(user_id, action):
+         logger.info("User action", extra={
+             "user_id": user_id,
+             "action": action,
+             "timestamp": datetime.now().isoformat()
+         })
+     ```
+
+8. **Use Security Headers:**
+   - Implement Content-Security-Policy, X-Content-Type-Options, etc.
+   - Example with Flask:
+     ```python
+     from flask_talisman import Talisman
+     
+     talisman = Talisman(
+         app,
+         content_security_policy={
+             'default-src': "'self'",
+             'script-src': "'self'"
+         }
+     )
+     ```
+
+9. **Implement Secure File Handling:**
+   - Validate file types, sizes, and content
+   - Store files outside the web root
+   - Use secure file permissions
+   - Example:
+     ```python
+     import os
+     from werkzeug.utils import secure_filename
+     
+     ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
+     MAX_CONTENT_LENGTH = 1 * 1024 * 1024  # 1MB
+     
+     def allowed_file(filename):
+         return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+     
+     @app.route('/upload', methods=['POST'])
+     def upload_file():
+         if 'file' not in request.files:
+             return jsonify({"error": "No file part"}), 400
+         
+         file = request.files['file']
+         if file.filename == '':
+             return jsonify({"error": "No selected file"}), 400
+         
+         if file and allowed_file(file.filename):
+             filename = secure_filename(file.filename)
+             file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
+             return jsonify({"success": True}), 200
+         
+         return jsonify({"error": "File type not allowed"}), 400
+     ```
+
+10. **Use Threat Modeling:**
+    - Identify potential threats during design phase
+    - Implement controls to mitigate identified threats
+    - Regularly review and update threat models
+
+## Validation
+
+- Implementing input validation.
+- Using proper error handling with try-except blocks.
+- Implementing rate limiting for API endpoints.
+- Using proper logging mechanisms.
diff --git a/.cursor/rules/python-integrity-failures.mdc b/.cursor/rules/python-integrity-failures.mdc
index 8294d12..9603225 100644
--- a/.cursor/rules/python-integrity-failures.mdc
+++ b/.cursor/rules/python-integrity-failures.mdc
@@ -7,355 +7,278 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent software and data integrity failures in Python applications, as defined in OWASP Top 10:2021-A08.
 
-<rule>
-name: python_integrity_failures
-description: Detect and prevent software and data integrity failures in Python applications as defined in OWASP Top 10:2021-A08
-filters:
-  - type: file_extension
-    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Insecure deserialization with pickle
-      - pattern: "pickle\\.loads\\(|pickle\\.load\\(|cPickle\\.loads\\(|cPickle\\.load\\("
-        message: "Insecure deserialization detected with pickle. Pickle is not secure against maliciously constructed data and should not be used with untrusted input."
-        
-      # Pattern 2: Insecure deserialization with yaml.load
-      - pattern: "yaml\\.load\\([^,)]+\\)|yaml\\.load\\([^,)]+,\\s*Loader=yaml\\.Loader\\)"
-        message: "Insecure deserialization detected with yaml.load(). Use yaml.safe_load() instead for untrusted input."
-        
-      # Pattern 3: Insecure deserialization with marshal
-      - pattern: "marshal\\.loads\\(|marshal\\.load\\("
-        message: "Insecure deserialization detected with marshal. Marshal is not secure against maliciously constructed data."
-        
-      # Pattern 4: Insecure deserialization with shelve
-      - pattern: "shelve\\.open\\("
-        message: "Potentially insecure deserialization with shelve detected. Shelve uses pickle internally and is not secure against malicious data."
-        
-      # Pattern 5: Insecure use of eval or exec
-      - pattern: "eval\\(|exec\\(|compile\\([^,]+,\\s*['\"][^'\"]+['\"]\\s*,\\s*['\"]exec['\"]\\)"
-        message: "Insecure use of eval() or exec() detected. These functions can execute arbitrary code and should never be used with untrusted input."
-        
-      # Pattern 6: Missing integrity verification for downloads
-      - pattern: "urllib\\.request\\.urlretrieve\\(|requests\\.get\\([^)]*\\.exe['\"]\\)|requests\\.get\\([^)]*\\.zip['\"]\\)|requests\\.get\\([^)]*\\.tar\\.gz['\"]\\)"
-        message: "File download without integrity verification detected. Always verify the integrity of downloaded files using checksums or digital signatures."
-        
-      # Pattern 7: Insecure package installation
-      - pattern: "pip\\s+install\\s+[^-]|subprocess\\.(?:call|run|Popen)\\(['\"]pip\\s+install"
-        message: "Insecure package installation detected. Specify package versions and consider using hash verification for pip installations."
-        
-      # Pattern 8: Missing integrity checks for configuration
-      - pattern: "config\\.read\\(|json\\.loads?\\(|yaml\\.safe_load\\(|toml\\.loads?\\("
-        message: "Configuration loading detected. Ensure integrity verification for configuration files, especially in production environments."
-        
-      # Pattern 9: Insecure temporary file creation
-      - pattern: "tempfile\\.mktemp\\(|os\\.tempnam\\(|os\\.tmpnam\\("
-        message: "Insecure temporary file creation detected. Use tempfile.mkstemp() or tempfile.TemporaryFile() instead to avoid race conditions."
-        
-      # Pattern 10: Insecure file operations with untrusted paths
-      - pattern: "open\\([^,)]+\\+\\s*request\\.|open\\([^,)]+\\+\\s*user_|open\\([^,)]+\\+\\s*input\\("
-        message: "Potentially insecure file operation with user-controlled path detected. Validate and sanitize file paths from untrusted sources."
-        
-      # Pattern 11: Missing integrity checks for updates
-      - pattern: "auto_update|self_update|check_for_updates"
-        message: "Update mechanism detected. Ensure proper integrity verification for software updates using digital signatures or secure checksums."
-        
-      # Pattern 12: Insecure plugin or extension loading
-      - pattern: "importlib\\.import_module\\(|__import__\\(|load_plugin|load_extension|load_module"
-        message: "Dynamic module loading detected. Implement integrity checks and validation before loading external modules or plugins."
-        
-      # Pattern 13: Insecure use of subprocess with shell=True
-      - pattern: "subprocess\\.(?:call|run|Popen)\\([^,)]*shell\\s*=\\s*True"
-        message: "Insecure subprocess execution with shell=True detected. This can lead to command injection if user input is involved."
-        
-      # Pattern 14: Missing integrity verification for serialized data
-      - pattern: "json\\.loads?\\([^,)]*request\\.|json\\.loads?\\([^,)]*user_|json\\.loads?\\([^,)]*input\\("
-        message: "Deserialization of user-controlled data detected. Implement schema validation or integrity checks before processing."
-        
-      # Pattern 15: Insecure use of globals or locals
-      - pattern: "globals\\(\\)\\[|locals\\(\\)\\["
-        message: "Potentially insecure modification of globals or locals detected. This can lead to unexpected behavior or security issues."
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
 
-  - type: suggest
-    message: |
-      **Python Software and Data Integrity Best Practices:**
-      
-      1. **Secure Deserialization:**
-         - Avoid using pickle, marshal, or shelve with untrusted data
-         - Use safer alternatives like JSON with schema validation
-         - Example with JSON schema validation:
-           ```python
-           import json
-           import jsonschema
-           
-           # Define a schema for validation
-           schema = {
-               "type": "object",
-               "properties": {
-                   "name": {"type": "string"},
-                   "age": {"type": "integer", "minimum": 0}
-               },
-               "required": ["name", "age"]
-           }
-           
-           # Validate data against schema
-           try:
-               data = json.loads(user_input)
-               jsonschema.validate(instance=data, schema=schema)
-               # Process data safely
-           except (json.JSONDecodeError, jsonschema.exceptions.ValidationError) as e:
-               # Handle validation error
-               print(f"Invalid data: {e}")
-           ```
-      
-      2. **YAML Safe Loading:**
-         - Always use yaml.safe_load() instead of yaml.load()
-         - Example:
-           ```python
-           import yaml
-           
-           # Safe way to load YAML
-           data = yaml.safe_load(yaml_string)
-           
-           # Avoid this:
-           # data = yaml.load(yaml_string)  # Insecure!
-           ```
-      
-      3. **Integrity Verification for Downloads:**
-         - Verify checksums or signatures for downloaded files
-         - Example:
-           ```python
-           import hashlib
-           import requests
-           
-           def download_with_integrity_check(url, expected_hash):
-               response = requests.get(url)
-               file_data = response.content
-               
-               # Calculate hash
-               calculated_hash = hashlib.sha256(file_data).hexdigest()
-               
-               # Verify integrity
-               if calculated_hash != expected_hash:
-                   raise ValueError("Integrity check failed: hash mismatch")
-                   
-               return file_data
-           ```
-      
-      4. **Secure Package Installation:**
-         - Pin dependencies to specific versions
-         - Use hash verification for pip installations
-         - Example requirements.txt with hashes:
-           ```
-           # requirements.txt
-           requests==2.31.0 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
-           ```
-      
-      5. **Secure Configuration Management:**
-         - Validate configuration file integrity
-         - Use environment-specific configurations
-         - Example:
-           ```python
-           import json
-           import hmac
-           import hashlib
-           
-           def load_config_with_integrity(config_file, secret_key):
-               with open(config_file, 'r') as f:
-                   content = f.read()
-                   
-               # Split content into data and signature
-               data, _, signature = content.rpartition('\n')
-               
-               # Verify integrity
-               expected_signature = hmac.new(
-                   secret_key.encode(), 
-                   data.encode(), 
-                   hashlib.sha256
-               ).hexdigest()
-               
-               if not hmac.compare_digest(signature, expected_signature):
-                   raise ValueError("Configuration integrity check failed")
-                   
-               return json.loads(data)
-           ```
-      
-      6. **Secure Temporary Files:**
-         - Use secure temporary file functions
-         - Example:
-           ```python
-           import tempfile
-           import os
-           
-           # Secure temporary file creation
-           fd, temp_path = tempfile.mkstemp()
-           try:
-               with os.fdopen(fd, 'w') as temp_file:
-                   temp_file.write('data')
-               # Process the file
-           finally:
-               os.unlink(temp_path)  # Clean up
-           
-           # Or use context manager
-           with tempfile.TemporaryFile() as temp_file:
-               temp_file.write(b'data')
-               temp_file.seek(0)
-               # Process the file
-           ```
-      
-      7. **Secure Update Mechanisms:**
-         - Verify signatures for updates
-         - Use HTTPS for update downloads
-         - Example:
-           ```python
-           import requests
-           import gnupg
-           
-           def secure_update(update_url, signature_url, gpg_key):
-               # Download update and signature
-               update_data = requests.get(update_url).content
-               signature = requests.get(signature_url).content
-               
-               # Verify signature
-               gpg = gnupg.GPG()
-               gpg.import_keys(gpg_key)
-               verified = gpg.verify_data(signature, update_data)
-               
-               if not verified:
-                   raise ValueError("Update signature verification failed")
-                   
-               return update_data
-           ```
-      
-      8. **Secure Plugin Loading:**
-         - Validate plugins before loading
-         - Implement allowlisting for plugins
-         - Example:
-           ```python
-           import importlib
-           import hashlib
-           
-           # Allowlist of approved plugins with their hashes
-           APPROVED_PLUGINS = {
-               'safe_plugin': 'sha256:1234567890abcdef',
-               'other_plugin': 'sha256:abcdef1234567890'
-           }
-           
-           def load_plugin_safely(plugin_name, plugin_path):
-               # Check if plugin is in allowlist
-               if plugin_name not in APPROVED_PLUGINS:
-                   raise ValueError(f"Plugin {plugin_name} is not approved")
-                   
-               # Calculate plugin file hash
-               with open(plugin_path, 'rb') as f:
-                   plugin_hash = 'sha256:' + hashlib.sha256(f.read()).hexdigest()
-                   
-               # Verify hash matches expected value
-               if plugin_hash != APPROVED_PLUGINS[plugin_name]:
-                   raise ValueError(f"Plugin {plugin_name} failed integrity check")
-                   
-               # Load plugin safely
-               return importlib.import_module(plugin_name)
-           ```
-      
-      9. **Secure Subprocess Execution:**
-         - Avoid shell=True
-         - Use allowlists for commands
-         - Example:
-           ```python
-           import subprocess
-           import shlex
-           
-           def run_command_safely(command, arguments):
-               # Allowlist of safe commands
-               SAFE_COMMANDS = {'ls', 'echo', 'cat'}
-               
-               if command not in SAFE_COMMANDS:
-                   raise ValueError(f"Command {command} is not allowed")
-                   
-               # Build command with arguments
-               cmd = [command] + arguments
-               
-               # Execute without shell
-               return subprocess.run(cmd, shell=False, capture_output=True, text=True)
-           ```
-      
-      10. **Input Validation and Sanitization:**
-          - Validate all inputs before processing
-          - Use schema validation for structured data
-          - Example with Pydantic:
-            ```python
-            from pydantic import BaseModel, validator
-            
-            class UserData(BaseModel):
-                username: str
-                age: int
-                
-                @validator('username')
-                def username_must_be_valid(cls, v):
-                    if not v.isalnum() or len(v) > 30:
-                        raise ValueError('Username must be alphanumeric and <= 30 chars')
-                    return v
-                    
-                @validator('age')
-                def age_must_be_reasonable(cls, v):
-                    if v < 0 or v > 120:
-                        raise ValueError('Age must be between 0 and 120')
-                    return v
-            
-            # Usage
-            try:
-                user = UserData(username=user_input_name, age=user_input_age)
-                # Process validated data
-            except ValueError as e:
-                # Handle validation error
-                print(f"Invalid data: {e}")
-            ```
+## Trigger Conditions
+- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
+- Paths matching `.*`
 
-  - type: validate
-    conditions:
-      # Check 1: Safe YAML loading
-      - pattern: "yaml\\.safe_load\\("
-        message: "Using safe YAML loading."
-      
-      # Check 2: Secure temporary file usage
-      - pattern: "tempfile\\.mkstemp\\(|tempfile\\.TemporaryFile\\(|tempfile\\.NamedTemporaryFile\\("
-        message: "Using secure temporary file functions."
+## Required Checks
+
+- Insecure deserialization detected with pickle. Pickle is not secure against maliciously constructed data and should not be used with untrusted input.
+- Insecure deserialization detected with yaml.load(). Use yaml.safe_load() instead for untrusted input.
+- Insecure deserialization detected with marshal. Marshal is not secure against maliciously constructed data.
+- Potentially insecure deserialization with shelve detected. Shelve uses pickle internally and is not secure against malicious data.
+- Insecure use of eval() or exec() detected. These functions can execute arbitrary code and should never be used with untrusted input.
+- File download without integrity verification detected. Always verify the integrity of downloaded files using checksums or digital signatures.
+- Insecure package installation detected. Specify package versions and consider using hash verification for pip installations.
+- Configuration loading detected. Ensure integrity verification for configuration files, especially in production environments.
+- Insecure temporary file creation detected. Use tempfile.mkstemp() or tempfile.TemporaryFile() instead to avoid race conditions.
+- Potentially insecure file operation with user-controlled path detected. Validate and sanitize file paths from untrusted sources.
+- Update mechanism detected. Ensure proper integrity verification for software updates using digital signatures or secure checksums.
+- Dynamic module loading detected. Implement integrity checks and validation before loading external modules or plugins.
+- Insecure subprocess execution with shell=True detected. This can lead to command injection if user input is involved.
+- Deserialization of user-controlled data detected. Implement schema validation or integrity checks before processing.
+- Potentially insecure modification of globals or locals detected. This can lead to unexpected behavior or security issues.
+
+## Recommendations
+
+**Python Software and Data Integrity Best Practices:**
+
+1. **Secure Deserialization:**
+   - Avoid using pickle, marshal, or shelve with untrusted data
+   - Use safer alternatives like JSON with schema validation
+   - Example with JSON schema validation:
+     ```python
+     import json
+     import jsonschema
+     
+     # Define a schema for validation
+     schema = {
+         "type": "object",
+         "properties": {
+             "name": {"type": "string"},
+             "age": {"type": "integer", "minimum": 0}
+         },
+         "required": ["name", "age"]
+     }
+     
+     # Validate data against schema
+     try:
+         data = json.loads(user_input)
+         jsonschema.validate(instance=data, schema=schema)
+         # Process data safely
+     except (json.JSONDecodeError, jsonschema.exceptions.ValidationError) as e:
+         # Handle validation error
+         print(f"Invalid data: {e}")
+     ```
+
+2. **YAML Safe Loading:**
+   - Always use yaml.safe_load() instead of yaml.load()
+   - Example:
+     ```python
+     import yaml
+     
+     # Safe way to load YAML
+     data = yaml.safe_load(yaml_string)
+     
+     # Avoid this:
+     # data = yaml.load(yaml_string)  # Insecure!
+     ```
+
+3. **Integrity Verification for Downloads:**
+   - Verify checksums or signatures for downloaded files
+   - Example:
+     ```python
+     import hashlib
+     import requests
+     
+     def download_with_integrity_check(url, expected_hash):
+         response = requests.get(url)
+         file_data = response.content
+         
+         # Calculate hash
+         calculated_hash = hashlib.sha256(file_data).hexdigest()
+         
+         # Verify integrity
+         if calculated_hash != expected_hash:
+             raise ValueError("Integrity check failed: hash mismatch")
+             
+         return file_data
+     ```
+
+4. **Secure Package Installation:**
+   - Pin dependencies to specific versions
+   - Use hash verification for pip installations
+   - Example requirements.txt with hashes:
+     ```
+     # requirements.txt
+     requests==2.31.0 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+     ```
+
+5. **Secure Configuration Management:**
+   - Validate configuration file integrity
+   - Use environment-specific configurations
+   - Example:
+     ```python
+     import json
+     import hmac
+     import hashlib
+     
+     def load_config_with_integrity(config_file, secret_key):
+         with open(config_file, 'r') as f:
+             content = f.read()
+             
+         # Split content into data and signature
+         data, _, signature = content.rpartition('\n')
+         
+         # Verify integrity
+         expected_signature = hmac.new(
+             secret_key.encode(), 
+             data.encode(), 
+             hashlib.sha256
+         ).hexdigest()
+         
+         if not hmac.compare_digest(signature, expected_signature):
+             raise ValueError("Configuration integrity check failed")
+             
+         return json.loads(data)
+     ```
+
+6. **Secure Temporary Files:**
+   - Use secure temporary file functions
+   - Example:
+     ```python
+     import tempfile
+     import os
+     
+     # Secure temporary file creation
+     fd, temp_path = tempfile.mkstemp()
+     try:
+         with os.fdopen(fd, 'w') as temp_file:
+             temp_file.write('data')
+         # Process the file
+     finally:
+         os.unlink(temp_path)  # Clean up
+     
+     # Or use context manager
+     with tempfile.TemporaryFile() as temp_file:
+         temp_file.write(b'data')
+         temp_file.seek(0)
+         # Process the file
+     ```
+
+7. **Secure Update Mechanisms:**
+   - Verify signatures for updates
+   - Use HTTPS for update downloads
+   - Example:
+     ```python
+     import requests
+     import gnupg
+     
+     def secure_update(update_url, signature_url, gpg_key):
+         # Download update and signature
+         update_data = requests.get(update_url).content
+         signature = requests.get(signature_url).content
+         
+         # Verify signature
+         gpg = gnupg.GPG()
+         gpg.import_keys(gpg_key)
+         verified = gpg.verify_data(signature, update_data)
+         
+         if not verified:
+             raise ValueError("Update signature verification failed")
+             
+         return update_data
+     ```
+
+8. **Secure Plugin Loading:**
+   - Validate plugins before loading
+   - Implement allowlisting for plugins
+   - Example:
+     ```python
+     import importlib
+     import hashlib
+     
+     # Allowlist of approved plugins with their hashes
+     APPROVED_PLUGINS = {
+         'safe_plugin': 'sha256:1234567890abcdef',
+         'other_plugin': 'sha256:abcdef1234567890'
+     }
+     
+     def load_plugin_safely(plugin_name, plugin_path):
+         # Check if plugin is in allowlist
+         if plugin_name not in APPROVED_PLUGINS:
+             raise ValueError(f"Plugin {plugin_name} is not approved")
+             
+         # Calculate plugin file hash
+         with open(plugin_path, 'rb') as f:
+             plugin_hash = 'sha256:' + hashlib.sha256(f.read()).hexdigest()
+             
+         # Verify hash matches expected value
+         if plugin_hash != APPROVED_PLUGINS[plugin_name]:
+             raise ValueError(f"Plugin {plugin_name} failed integrity check")
+             
+         # Load plugin safely
+         return importlib.import_module(plugin_name)
+     ```
+
+9. **Secure Subprocess Execution:**
+   - Avoid shell=True
+   - Use allowlists for commands
+   - Example:
+     ```python
+     import subprocess
+     import shlex
+     
+     def run_command_safely(command, arguments):
+         # Allowlist of safe commands
+         SAFE_COMMANDS = {'ls', 'echo', 'cat'}
+         
+         if command not in SAFE_COMMANDS:
+             raise ValueError(f"Command {command} is not allowed")
+             
+         # Build command with arguments
+         cmd = [command] + arguments
+         
+         # Execute without shell
+         return subprocess.run(cmd, shell=False, capture_output=True, text=True)
+     ```
+
+10. **Input Validation and Sanitization:**
+    - Validate all inputs before processing
+    - Use schema validation for structured data
+    - Example with Pydantic:
+      ```python
+      from pydantic import BaseModel, validator
       
-      # Check 3: Secure subprocess usage
-      - pattern: "subprocess\\.(?:call|run|Popen)\\([^,)]*shell\\s*=\\s*False"
-        message: "Using subprocess with shell=False."
+      class UserData(BaseModel):
+          username: str
+          age: int
+          
+          @validator('username')
+          def username_must_be_valid(cls, v):
+              if not v.isalnum() or len(v) > 30:
+                  raise ValueError('Username must be alphanumeric and <= 30 chars')
+              return v
+              
+          @validator('age')
+          def age_must_be_reasonable(cls, v):
+              if v < 0 or v > 120:
+                  raise ValueError('Age must be between 0 and 120')
+              return v
       
-      # Check 4: Input validation
-      - pattern: "jsonschema\\.validate|pydantic|dataclass|@validator"
-        message: "Implementing input validation."
+      # Usage
+      try:
+          user = UserData(username=user_input_name, age=user_input_age)
+          # Process validated data
+      except ValueError as e:
+          # Handle validation error
+          print(f"Invalid data: {e}")
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - integrity
-    - deserialization
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:integrity
-    - standard:owasp-top10
-    - risk:a08-software-data-integrity-failures
-  references:
-    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
-    - "https://docs.python.org/3/library/pickle.html#restricting-globals"
-    - "https://pyyaml.org/wiki/PyYAMLDocumentation"
-    - "https://python-security.readthedocs.io/packages.html"
-    - "https://docs.python.org/3/library/tempfile.html#security"
-</rule> 
\ No newline at end of file
+- Using safe YAML loading.
+- Using secure temporary file functions.
+- Using subprocess with shell=False.
+- Implementing input validation.
diff --git a/.cursor/rules/python-logging-monitoring-failures.mdc b/.cursor/rules/python-logging-monitoring-failures.mdc
index e9f1118..dff686e 100644
--- a/.cursor/rules/python-logging-monitoring-failures.mdc
+++ b/.cursor/rules/python-logging-monitoring-failures.mdc
@@ -3,442 +3,365 @@ description: Detect and prevent security logging and monitoring failures in Pyth
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Security Logging and Monitoring Failures Standards (OWASP A09:2021)
+# Python Security Logging and Monitoring Failures Standards (OWASP A09:2021)
 
 This rule enforces security best practices to prevent security logging and monitoring failures in Python applications, as defined in OWASP Top 10:2021-A09.
 
-<rule>
-name: python_logging_monitoring_failures
-description: Detect and prevent security logging and monitoring failures in Python applications as defined in OWASP Top 10:2021-A09
-filters:
-  - type: file_extension
-    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Missing logging in authentication functions
-      - pattern: "def\\s+(login|authenticate|signin|logout|signout).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
-        message: "Authentication function without logging detected. Always log authentication events, especially failures, for security monitoring."
-        
-      # Pattern 2: Missing logging in authorization functions
-      - pattern: "def\\s+(authorize|check_permission|has_permission|is_authorized|require_permission).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
-        message: "Authorization function without logging detected. Always log authorization decisions, especially denials, for security monitoring."
-        
-      # Pattern 3: Missing logging in security-sensitive operations
-      - pattern: "def\\s+(create_user|update_user|delete_user|reset_password|change_password).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
-        message: "Security-sensitive user operation without logging detected. Always log security-sensitive operations for audit trails."
-        
-      # Pattern 4: Missing logging in exception handlers
-      - pattern: "except\\s+[^:]+:[^\\n]*?(?!.*logging\\.(warning|error|critical|exception))"
-        message: "Exception handler without logging detected. Always log exceptions, especially in security-sensitive code, for monitoring and debugging."
-        
-      # Pattern 5: Logging sensitive data
-      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?(password|token|secret|key|credential|auth)"
-        message: "Potential sensitive data logging detected. Avoid logging sensitive information like passwords, tokens, or keys."
-        
-      # Pattern 6: Insufficient log level in security context
-      - pattern: "logging\\.debug\\([^)]*?(auth|login|permission|security|attack|hack|exploit|vulnerability)"
-        message: "Debug-level logging for security events detected. Use appropriate log levels (INFO, WARNING, ERROR) for security events."
-        
-      # Pattern 7: Missing logging configuration
-      - pattern: "import\\s+logging(?!.*logging\\.basicConfig|.*logging\\.config)"
-        message: "Logging import without configuration detected. Configure logging properly with appropriate handlers, formatters, and levels."
-        
-      # Pattern 8: Insecure logging configuration
-      - pattern: "logging\\.basicConfig\\([^)]*?level\\s*=\\s*logging\\.DEBUG"
-        message: "Debug-level logging configuration detected. Use appropriate log levels in production to avoid excessive logging."
-        
-      # Pattern 9: Missing request/response logging in web frameworks
-      - pattern: "@app\\.route\\(['\"][^'\"]+['\"]|@api_view\\(|class\\s+\\w+\\(APIView\\)|class\\s+\\w+\\(View\\)"
-        message: "Web endpoint without request logging detected. Consider logging requests and responses for security monitoring."
-        
-      # Pattern 10: Missing correlation IDs in logs
-      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?(?!.*request_id|.*correlation_id|.*trace_id)"
-        message: "Logging without correlation ID detected. Include correlation IDs in logs to trace requests across systems."
-        
-      # Pattern 11: Missing error handling for logging failures
-      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?\\)"
-        message: "Logging without error handling detected. Handle potential logging failures to ensure critical events are not missed."
-        
-      # Pattern 12: Missing logging for database operations
-      - pattern: "(execute|executemany|cursor\\.execute|session\\.execute|query)\\([^)]*?(?!.*logging\\.(debug|info|warning|error|critical))"
-        message: "Database operation without logging detected. Consider logging database operations for audit trails and security monitoring."
-        
-      # Pattern 13: Missing logging for file operations
-      - pattern: "open\\([^)]+,\\s*['\"]w['\"]|open\\([^)]+,\\s*['\"]a['\"]|write\\(|writelines\\("
-        message: "File write operation without logging detected. Consider logging file operations for audit trails."
-        
-      # Pattern 14: Missing logging for subprocess execution
-      - pattern: "subprocess\\.(call|run|Popen)\\([^)]*?(?!.*logging\\.(debug|info|warning|error|critical))"
-        message: "Subprocess execution without logging detected. Always log command execution for security monitoring."
-        
-      # Pattern 15: Missing centralized logging configuration
-      - pattern: "logging\\.basicConfig\\([^)]*?(?!.*filename|.*handlers)"
-        message: "Console-only logging configuration detected. Configure centralized logging with file handlers or external logging services."
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
 
-  - type: suggest
-    message: |
-      **Python Security Logging and Monitoring Best Practices:**
-      
-      1. **Structured Logging:**
-         - Use structured logging formats (JSON)
-         - Include contextual information
-         - Example with Python's standard logging:
-           ```python
-           import logging
-           import json
-           
-           class JsonFormatter(logging.Formatter):
-               def format(self, record):
-                   log_record = {
-                       "timestamp": self.formatTime(record),
-                       "level": record.levelname,
-                       "message": record.getMessage(),
-                       "logger": record.name,
-                       "path": record.pathname,
-                       "line": record.lineno
-                   }
-                   
-                   # Add extra attributes from record
-                   for key, value in record.__dict__.items():
-                       if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
-                                     "filename", "funcName", "id", "levelname", "levelno",
-                                     "lineno", "module", "msecs", "message", "msg", "name", 
-                                     "pathname", "process", "processName", "relativeCreated", 
-                                     "stack_info", "thread", "threadName"]:
-                           log_record[key] = value
-                   
-                   return json.dumps(log_record)
-           
-           # Configure logger with JSON formatter
-           logger = logging.getLogger("security_logger")
-           handler = logging.StreamHandler()
-           handler.setFormatter(JsonFormatter())
-           logger.addHandler(handler)
-           logger.setLevel(logging.INFO)
-           
-           # Usage with context
-           logger.info("User login successful", extra={
-               "user_id": user.id,
-               "ip_address": request.remote_addr,
-               "request_id": request.headers.get("X-Request-ID")
-           })
-           ```
-      
-      2. **Security Event Logging:**
-         - Log all authentication events
-         - Log authorization decisions
-         - Log security-sensitive operations
-         - Example:
-           ```python
-           def login(request):
-               username = request.form.get("username")
-               password = request.form.get("password")
-               
-               try:
-                   user = authenticate(username, password)
-                   if user:
-                       # Log successful login
-                       logger.info("User login successful", extra={
-                           "user_id": user.id,
-                           "ip_address": request.remote_addr,
-                           "request_id": request.headers.get("X-Request-ID")
-                       })
-                       return success_response()
-                   else:
-                       # Log failed login
-                       logger.warning("User login failed: invalid credentials", extra={
-                           "username": username,  # Note: log username but never password
-                           "ip_address": request.remote_addr,
-                           "request_id": request.headers.get("X-Request-ID")
-                       })
-                       return error_response("Invalid credentials")
-               except Exception as e:
-                   # Log exceptions
-                   logger.error("Login error", extra={
-                       "error": str(e),
-                       "username": username,
-                       "ip_address": request.remote_addr,
-                       "request_id": request.headers.get("X-Request-ID")
-                   })
-                   return error_response("Login error")
-           ```
-      
-      3. **Correlation IDs:**
-         - Use request IDs to correlate logs
-         - Propagate IDs across services
-         - Example with Flask:
-           ```python
-           import uuid
-           from flask import Flask, request, g
-           
-           app = Flask(__name__)
-           
-           @app.before_request
-           def before_request():
-               request_id = request.headers.get("X-Request-ID")
-               if not request_id:
-                   request_id = str(uuid.uuid4())
-               g.request_id = request_id
-           
-           @app.after_request
-           def after_request(response):
-               response.headers["X-Request-ID"] = g.request_id
-               return response
-           
-           # In your view functions
-           @app.route("/api/resource")
-           def get_resource():
-               logger.info("Resource accessed", extra={"request_id": g.request_id})
-               return jsonify({"data": "resource"})
-           ```
-      
-      4. **Appropriate Log Levels:**
-         - DEBUG: Detailed information for debugging
-         - INFO: Confirmation of normal events
-         - WARNING: Potential issues that don't prevent operation
-         - ERROR: Errors that prevent specific operations
-         - CRITICAL: Critical errors that prevent application function
-         - Example:
-           ```python
-           # Normal operation
-           logger.info("User profile updated", extra={"user_id": user.id})
-           
-           # Potential security issue
-           logger.warning("Multiple failed login attempts", extra={
-               "username": username,
-               "attempt_count": attempts,
-               "ip_address": ip_address
-           })
-           
-           # Security violation
-           logger.error("Unauthorized access attempt", extra={
-               "user_id": user.id,
-               "resource": resource_id,
-               "ip_address": ip_address
-           })
-           
-           # Critical security breach
-           logger.critical("Possible data breach detected", extra={
-               "indicators": indicators,
-               "affected_resources": resources
-           })
-           ```
-      
-      5. **Centralized Logging:**
-         - Configure logging to centralized systems
-         - Use appropriate handlers
-         - Example with file rotation:
-           ```python
-           import logging
-           from logging.handlers import RotatingFileHandler
-           
-           logger = logging.getLogger("security_logger")
-           
-           # File handler with rotation
-           file_handler = RotatingFileHandler(
-               "security.log",
-               maxBytes=10485760,  # 10MB
-               backupCount=10
-           )
-           file_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
-           logger.addHandler(file_handler)
-           
-           # Set level
-           logger.setLevel(logging.INFO)
-           ```
-      
-      6. **Sensitive Data Handling:**
-         - Never log sensitive data
-         - Implement data masking
-         - Example:
-           ```python
-           def mask_sensitive_data(data, fields_to_mask):
-               """Mask sensitive fields in data dictionary."""
-               masked_data = data.copy()
-               for field in fields_to_mask:
-                   if field in masked_data:
-                       masked_data[field] = "********"
-               return masked_data
-           
-           # Usage
-           user_data = {"username": "john", "password": "secret123", "email": "john@example.com"}
-           safe_data = mask_sensitive_data(user_data, ["password"])
-           logger.info("User data processed", extra={"user_data": safe_data})
-           ```
-      
-      7. **Exception Logging:**
-         - Always log exceptions
-         - Include stack traces for debugging
-         - Example:
-           ```python
-           try:
-               # Some operation
-               result = process_data(data)
-           except Exception as e:
-               logger.error(
-                   "Error processing data",
-                   exc_info=True,  # Include stack trace
-                   extra={
-                       "data_id": data.id,
-                       "error": str(e)
-                   }
-               )
-               raise  # Re-raise or handle appropriately
-           ```
-      
-      8. **Audit Logging:**
-         - Log all security-relevant changes
-         - Include before/after states
-         - Example:
-           ```python
-           def update_user_role(user_id, new_role, current_user):
-               user = User.get(user_id)
-               old_role = user.role
-               
-               # Update role
-               user.role = new_role
-               user.save()
-               
-               # Audit log
-               logger.info("User role changed", extra={
-                   "user_id": user_id,
-                   "old_role": old_role,
-                   "new_role": new_role,
-                   "changed_by": current_user.id,
-                   "timestamp": datetime.utcnow().isoformat()
-               })
-           ```
-      
-      9. **Log Monitoring Integration:**
-         - Configure alerts for security events
-         - Integrate with SIEM systems
-         - Example configuration for ELK stack:
-           ```python
-           import logging
-           from elasticsearch import Elasticsearch
-           from elasticsearch.helpers import bulk
-           
-           class ElasticsearchHandler(logging.Handler):
-               def __init__(self, es_host, index_name):
-                   super().__init__()
-                   self.es = Elasticsearch([es_host])
-                   self.index_name = index_name
-                   self.buffer = []
-                   
-               def emit(self, record):
-                   try:
-                       log_entry = {
-                           "_index": self.index_name,
-                           "_source": {
-                               "timestamp": self.formatter.formatTime(record),
-                               "level": record.levelname,
-                               "message": record.getMessage(),
-                               "logger": record.name
-                           }
-                       }
-                       
-                       # Add extra fields
-                       for key, value in record.__dict__.items():
-                           if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
-                                         "filename", "funcName", "id", "levelname", "levelno",
-                                         "lineno", "module", "msecs", "message", "msg", "name", 
-                                         "pathname", "process", "processName", "relativeCreated", 
-                                         "stack_info", "thread", "threadName"]:
-                               log_entry["_source"][key] = value
-                               
-                       self.buffer.append(log_entry)
-                       
-                       # Bulk insert if buffer is full
-                       if len(self.buffer) >= 10:
-                           self.flush()
-                   except Exception:
-                       self.handleError(record)
-                       
-               def flush(self):
-                   if self.buffer:
-                       bulk(self.es, self.buffer)
-                       self.buffer = []
-           
-           # Usage
-           es_handler = ElasticsearchHandler("localhost:9200", "app-logs")
-           es_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
-           logger.addHandler(es_handler)
-           ```
-      
-      10. **Logging Failure Handling:**
-          - Handle logging failures gracefully
-          - Implement fallback mechanisms
-          - Example:
-            ```python
-            class FallbackHandler(logging.Handler):
-                def __init__(self, primary_handler, fallback_handler):
-                    super().__init__()
-                    self.primary_handler = primary_handler
-                    self.fallback_handler = fallback_handler
-                    
-                def emit(self, record):
-                    try:
-                        self.primary_handler.emit(record)
-                    except Exception:
-                        try:
-                            self.fallback_handler.emit(record)
-                        except Exception:
-                            # Last resort: print to stderr
-                            import sys
-                            print(f"CRITICAL: Logging failure: {record.getMessage()}", file=sys.stderr)
-            
-            # Usage
-            primary = ElasticsearchHandler("localhost:9200", "app-logs")
-            fallback = logging.FileHandler("fallback.log")
-            handler = FallbackHandler(primary, fallback)
-            logger.addHandler(handler)
-            ```
+## Trigger Conditions
+- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
+- Paths matching `.*`
 
-  - type: validate
-    conditions:
-      # Check 1: Proper logging configuration
-      - pattern: "logging\\.basicConfig\\(|logging\\.config\\.dictConfig\\(|logging\\.config\\.fileConfig\\("
-        message: "Logging is properly configured."
-      
-      # Check 2: Security event logging
-      - pattern: "logging\\.(info|warning|error|critical)\\([^)]*?(login|authenticate|authorize|permission)"
-        message: "Security events are being logged."
-      
-      # Check 3: Structured logging
-      - pattern: "logging\\.(info|warning|error|critical)\\([^)]*?extra\\s*="
-        message: "Structured logging with context is implemented."
+## Required Checks
+
+- Authentication function without logging detected. Always log authentication events, especially failures, for security monitoring.
+- Authorization function without logging detected. Always log authorization decisions, especially denials, for security monitoring.
+- Security-sensitive user operation without logging detected. Always log security-sensitive operations for audit trails.
+- Exception handler without logging detected. Always log exceptions, especially in security-sensitive code, for monitoring and debugging.
+- Potential sensitive data logging detected. Avoid logging sensitive information like passwords, tokens, or keys.
+- Debug-level logging for security events detected. Use appropriate log levels (INFO, WARNING, ERROR) for security events.
+- Logging import without configuration detected. Configure logging properly with appropriate handlers, formatters, and levels.
+- Debug-level logging configuration detected. Use appropriate log levels in production to avoid excessive logging.
+- Web endpoint without request logging detected. Consider logging requests and responses for security monitoring.
+- Logging without correlation ID detected. Include correlation IDs in logs to trace requests across systems.
+- Logging without error handling detected. Handle potential logging failures to ensure critical events are not missed.
+- Database operation without logging detected. Consider logging database operations for audit trails and security monitoring.
+- File write operation without logging detected. Consider logging file operations for audit trails.
+- Subprocess execution without logging detected. Always log command execution for security monitoring.
+- Console-only logging configuration detected. Configure centralized logging with file handlers or external logging services.
+
+## Recommendations
+
+**Python Security Logging and Monitoring Best Practices:**
+
+1. **Structured Logging:**
+   - Use structured logging formats (JSON)
+   - Include contextual information
+   - Example with Python's standard logging:
+     ```python
+     import logging
+     import json
+     
+     class JsonFormatter(logging.Formatter):
+         def format(self, record):
+             log_record = {
+                 "timestamp": self.formatTime(record),
+                 "level": record.levelname,
+                 "message": record.getMessage(),
+                 "logger": record.name,
+                 "path": record.pathname,
+                 "line": record.lineno
+             }
+             
+             # Add extra attributes from record
+             for key, value in record.__dict__.items():
+                 if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
+                               "filename", "funcName", "id", "levelname", "levelno",
+                               "lineno", "module", "msecs", "message", "msg", "name", 
+                               "pathname", "process", "processName", "relativeCreated", 
+                               "stack_info", "thread", "threadName"]:
+                     log_record[key] = value
+             
+             return json.dumps(log_record)
+     
+     # Configure logger with JSON formatter
+     logger = logging.getLogger("security_logger")
+     handler = logging.StreamHandler()
+     handler.setFormatter(JsonFormatter())
+     logger.addHandler(handler)
+     logger.setLevel(logging.INFO)
+     
+     # Usage with context
+     logger.info("User login successful", extra={
+         "user_id": user.id,
+         "ip_address": request.remote_addr,
+         "request_id": request.headers.get("X-Request-ID")
+     })
+     ```
+
+2. **Security Event Logging:**
+   - Log all authentication events
+   - Log authorization decisions
+   - Log security-sensitive operations
+   - Example:
+     ```python
+     def login(request):
+         username = request.form.get("username")
+         password = request.form.get("password")
+         
+         try:
+             user = authenticate(username, password)
+             if user:
+                 # Log successful login
+                 logger.info("User login successful", extra={
+                     "user_id": user.id,
+                     "ip_address": request.remote_addr,
+                     "request_id": request.headers.get("X-Request-ID")
+                 })
+                 return success_response()
+             else:
+                 # Log failed login
+                 logger.warning("User login failed: invalid credentials", extra={
+                     "username": username,  # Note: log username but never password
+                     "ip_address": request.remote_addr,
+                     "request_id": request.headers.get("X-Request-ID")
+                 })
+                 return error_response("Invalid credentials")
+         except Exception as e:
+             # Log exceptions
+             logger.error("Login error", extra={
+                 "error": str(e),
+                 "username": username,
+                 "ip_address": request.remote_addr,
+                 "request_id": request.headers.get("X-Request-ID")
+             })
+             return error_response("Login error")
+     ```
+
+3. **Correlation IDs:**
+   - Use request IDs to correlate logs
+   - Propagate IDs across services
+   - Example with Flask:
+     ```python
+     import uuid
+     from flask import Flask, request, g
+     
+     app = Flask(__name__)
+     
+     @app.before_request
+     def before_request():
+         request_id = request.headers.get("X-Request-ID")
+         if not request_id:
+             request_id = str(uuid.uuid4())
+         g.request_id = request_id
+     
+     @app.after_request
+     def after_request(response):
+         response.headers["X-Request-ID"] = g.request_id
+         return response
+     
+     # In your view functions
+     @app.route("/api/resource")
+     def get_resource():
+         logger.info("Resource accessed", extra={"request_id": g.request_id})
+         return jsonify({"data": "resource"})
+     ```
+
+4. **Appropriate Log Levels:**
+   - DEBUG: Detailed information for debugging
+   - INFO: Confirmation of normal events
+   - WARNING: Potential issues that don't prevent operation
+   - ERROR: Errors that prevent specific operations
+   - CRITICAL: Critical errors that prevent application function
+   - Example:
+     ```python
+     # Normal operation
+     logger.info("User profile updated", extra={"user_id": user.id})
+     
+     # Potential security issue
+     logger.warning("Multiple failed login attempts", extra={
+         "username": username,
+         "attempt_count": attempts,
+         "ip_address": ip_address
+     })
+     
+     # Security violation
+     logger.error("Unauthorized access attempt", extra={
+         "user_id": user.id,
+         "resource": resource_id,
+         "ip_address": ip_address
+     })
+     
+     # Critical security breach
+     logger.critical("Possible data breach detected", extra={
+         "indicators": indicators,
+         "affected_resources": resources
+     })
+     ```
+
+5. **Centralized Logging:**
+   - Configure logging to centralized systems
+   - Use appropriate handlers
+   - Example with file rotation:
+     ```python
+     import logging
+     from logging.handlers import RotatingFileHandler
+     
+     logger = logging.getLogger("security_logger")
+     
+     # File handler with rotation
+     file_handler = RotatingFileHandler(
+         "security.log",
+         maxBytes=10485760,  # 10MB
+         backupCount=10
+     )
+     file_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
+     logger.addHandler(file_handler)
+     
+     # Set level
+     logger.setLevel(logging.INFO)
+     ```
+
+6. **Sensitive Data Handling:**
+   - Never log sensitive data
+   - Implement data masking
+   - Example:
+     ```python
+     def mask_sensitive_data(data, fields_to_mask):
+         """Mask sensitive fields in data dictionary."""
+         masked_data = data.copy()
+         for field in fields_to_mask:
+             if field in masked_data:
+                 masked_data[field] = "********"
+         return masked_data
+     
+     # Usage
+     user_data = {"username": "john", "password": "secret123", "email": "john@example.com"}
+     safe_data = mask_sensitive_data(user_data, ["password"])
+     logger.info("User data processed", extra={"user_data": safe_data})
+     ```
+
+7. **Exception Logging:**
+   - Always log exceptions
+   - Include stack traces for debugging
+   - Example:
+     ```python
+     try:
+         # Some operation
+         result = process_data(data)
+     except Exception as e:
+         logger.error(
+             "Error processing data",
+             exc_info=True,  # Include stack trace
+             extra={
+                 "data_id": data.id,
+                 "error": str(e)
+             }
+         )
+         raise  # Re-raise or handle appropriately
+     ```
+
+8. **Audit Logging:**
+   - Log all security-relevant changes
+   - Include before/after states
+   - Example:
+     ```python
+     def update_user_role(user_id, new_role, current_user):
+         user = User.get(user_id)
+         old_role = user.role
+         
+         # Update role
+         user.role = new_role
+         user.save()
+         
+         # Audit log
+         logger.info("User role changed", extra={
+             "user_id": user_id,
+             "old_role": old_role,
+             "new_role": new_role,
+             "changed_by": current_user.id,
+             "timestamp": datetime.utcnow().isoformat()
+         })
+     ```
+
+9. **Log Monitoring Integration:**
+   - Configure alerts for security events
+   - Integrate with SIEM systems
+   - Example configuration for ELK stack:
+     ```python
+     import logging
+     from elasticsearch import Elasticsearch
+     from elasticsearch.helpers import bulk
+     
+     class ElasticsearchHandler(logging.Handler):
+         def __init__(self, es_host, index_name):
+             super().__init__()
+             self.es = Elasticsearch([es_host])
+             self.index_name = index_name
+             self.buffer = []
+             
+         def emit(self, record):
+             try:
+                 log_entry = {
+                     "_index": self.index_name,
+                     "_source": {
+                         "timestamp": self.formatter.formatTime(record),
+                         "level": record.levelname,
+                         "message": record.getMessage(),
+                         "logger": record.name
+                     }
+                 }
+                 
+                 # Add extra fields
+                 for key, value in record.__dict__.items():
+                     if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
+                                   "filename", "funcName", "id", "levelname", "levelno",
+                                   "lineno", "module", "msecs", "message", "msg", "name", 
+                                   "pathname", "process", "processName", "relativeCreated", 
+                                   "stack_info", "thread", "threadName"]:
+                         log_entry["_source"][key] = value
+                         
+                 self.buffer.append(log_entry)
+                 
+                 # Bulk insert if buffer is full
+                 if len(self.buffer) >= 10:
+                     self.flush()
+             except Exception:
+                 self.handleError(record)
+                 
+         def flush(self):
+             if self.buffer:
+                 bulk(self.es, self.buffer)
+                 self.buffer = []
+     
+     # Usage
+     es_handler = ElasticsearchHandler("localhost:9200", "app-logs")
+     es_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
+     logger.addHandler(es_handler)
+     ```
+
+10. **Logging Failure Handling:**
+    - Handle logging failures gracefully
+    - Implement fallback mechanisms
+    - Example:
+      ```python
+      class FallbackHandler(logging.Handler):
+          def __init__(self, primary_handler, fallback_handler):
+              super().__init__()
+              self.primary_handler = primary_handler
+              self.fallback_handler = fallback_handler
+              
+          def emit(self, record):
+              try:
+                  self.primary_handler.emit(record)
+              except Exception:
+                  try:
+                      self.fallback_handler.emit(record)
+                  except Exception:
+                      # Last resort: print to stderr
+                      import sys
+                      print(f"CRITICAL: Logging failure: {record.getMessage()}", file=sys.stderr)
       
-      # Check 4: Correlation ID usage
-      - pattern: "request_id|correlation_id|trace_id"
-        message: "Correlation IDs are used for request tracing."
+      # Usage
+      primary = ElasticsearchHandler("localhost:9200", "app-logs")
+      fallback = logging.FileHandler("fallback.log")
+      handler = FallbackHandler(primary, fallback)
+      logger.addHandler(handler)
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - logging
-    - monitoring
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:logging
-    - standard:owasp-top10
-    - risk:a09-security-logging-monitoring-failures
-  references:
-    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
-    - "https://docs.python.org/3/library/logging.html"
-    - "https://docs.python.org/3/howto/logging-cookbook.html"
-    - "https://docs.djangoproject.com/en/stable/topics/logging/"
-    - "https://flask.palletsprojects.com/en/latest/logging/"
-    - "https://fastapi.tiangolo.com/tutorial/handling-errors/#logging"
-</rule>
\ No newline at end of file
+- Logging is properly configured.
+- Security events are being logged.
+- Structured logging with context is implemented.
+- Correlation IDs are used for request tracing.
diff --git a/.cursor/rules/python-security-misconfiguration.mdc b/.cursor/rules/python-security-misconfiguration.mdc
index 5e9a2a2..cf79c7e 100644
--- a/.cursor/rules/python-security-misconfiguration.mdc
+++ b/.cursor/rules/python-security-misconfiguration.mdc
@@ -3,274 +3,198 @@ description: Detect and prevent security misconfigurations in Python application
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Security Misconfiguration Standards (OWASP A05:2021)
+# Python Security Misconfiguration Standards (OWASP A05:2021)
 
 This rule enforces security best practices to prevent security misconfigurations in Python applications, as defined in OWASP Top 10:2021-A05.
 
-<rule>
-name: python_security_misconfiguration
-description: Detect and prevent security misconfigurations in Python applications as defined in OWASP Top 10:2021-A05
-filters:
-  - type: file_extension
-    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Debug mode enabled in production settings
-      - pattern: "DEBUG\\s*=\\s*True|debug\\s*=\\s*true|\"debug\"\\s*:\\s*true|debug:\\s*true"
-        message: "Debug mode appears to be enabled. This should be disabled in production environments as it can expose sensitive information."
-        
-      # Pattern 2: Insecure cookie settings
-      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*False|session_cookie_secure\\s*=\\s*false|\"session_cookie_secure\"\\s*:\\s*false|session_cookie_secure:\\s*false"
-        message: "Insecure cookie configuration detected. Set SESSION_COOKIE_SECURE to True in production environments."
-        
-      # Pattern 3: Missing CSRF protection
-      - pattern: "CSRF_ENABLED\\s*=\\s*False|csrf_enabled\\s*=\\s*false|\"csrf_enabled\"\\s*:\\s*false|csrf_enabled:\\s*false|WTF_CSRF_ENABLED\\s*=\\s*False"
-        message: "CSRF protection appears to be disabled. Enable CSRF protection to prevent cross-site request forgery attacks."
-        
-      # Pattern 4: Insecure CORS settings
-      - pattern: "CORS_ORIGIN_ALLOW_ALL\\s*=\\s*True|cors_origin_allow_all\\s*=\\s*true|\"cors_origin_allow_all\"\\s*:\\s*true|cors_origin_allow_all:\\s*true|Access-Control-Allow-Origin:\\s*\\*"
-        message: "Overly permissive CORS configuration detected. Restrict CORS to specific origins rather than allowing all origins."
-        
-      # Pattern 5: Default or weak secret keys
-      - pattern: "SECRET_KEY\\s*=\\s*['\"]default|SECRET_KEY\\s*=\\s*['\"][a-zA-Z0-9]{1,32}['\"]|secret_key\\s*=\\s*['\"]default|\"secret_key\"\\s*:\\s*\"default|secret_key:\\s*default"
-        message: "Default or potentially weak secret key detected. Use a strong, randomly generated secret key and store it securely."
-        
-      # Pattern 6: Exposed sensitive information in error messages
-      - pattern: "DEBUG_PROPAGATE_EXCEPTIONS\\s*=\\s*True|debug_propagate_exceptions\\s*=\\s*true|\"debug_propagate_exceptions\"\\s*:\\s*true|debug_propagate_exceptions:\\s*true"
-        message: "Exception propagation in debug mode is enabled. This can expose sensitive information in error messages."
-        
-      # Pattern 7: Insecure SSL/TLS configuration
-      - pattern: "SECURE_SSL_REDIRECT\\s*=\\s*False|secure_ssl_redirect\\s*=\\s*false|\"secure_ssl_redirect\"\\s*:\\s*false|secure_ssl_redirect:\\s*false"
-        message: "SSL redirection appears to be disabled. Enable SSL redirection to ensure secure communications."
-        
-      # Pattern 8: Missing security headers
-      - pattern: "SECURE_HSTS_SECONDS\\s*=\\s*0|secure_hsts_seconds\\s*=\\s*0|\"secure_hsts_seconds\"\\s*:\\s*0|secure_hsts_seconds:\\s*0"
-        message: "HTTP Strict Transport Security (HSTS) appears to be disabled. Enable HSTS to enforce secure communications."
-        
-      # Pattern 9: Exposed sensitive directories
-      - pattern: "@app\\.route\\(['\"]/(admin|console|management|config|settings|system)['\"]"
-        message: "Potentially sensitive endpoint exposed without access controls. Ensure proper authentication and authorization for administrative endpoints."
-        
-      # Pattern 10: Default accounts or credentials
-      - pattern: "username\\s*=\\s*['\"]admin['\"]|password\\s*=\\s*['\"]admin|password\\s*=\\s*['\"]password|password\\s*=\\s*['\"]123|user\\s*=\\s*['\"]root['\"]"
-        message: "Default or weak credentials detected. Never use default or easily guessable credentials in any environment."
-        
-      # Pattern 11: Insecure file permissions
-      - pattern: "os\\.chmod\\([^,]+,\\s*0o777\\)|os\\.chmod\\([^,]+,\\s*777\\)"
-        message: "Overly permissive file permissions detected. Use the principle of least privilege for file permissions."
-        
-      # Pattern 12: Exposed version information
-      - pattern: "@app\\.route\\(['\"]/(version|build|status|health)['\"]"
-        message: "Endpoints that may expose version information detected. Ensure these endpoints don't reveal sensitive details about your application."
-        
-      # Pattern 13: Insecure deserialization
-      - pattern: "pickle\\.loads|yaml\\.load\\([^,)]+\\)|json\\.loads\\([^,)]+,\\s*[^)]*object_hook"
-        message: "Potentially insecure deserialization detected. Use safer alternatives like yaml.safe_load() or validate input before deserialization."
-        
-      # Pattern 14: Missing timeout settings
-      - pattern: "requests\\.get\\([^,)]+\\)|requests\\.(post|put|delete|patch)\\([^,)]+\\)"
-        message: "HTTP request without timeout setting detected. Always set timeouts for HTTP requests to prevent denial of service."
-        
-      # Pattern 15: Insecure upload directory
-      - pattern: "UPLOAD_FOLDER\\s*=\\s*['\"][^'\"]*(/tmp|/var/tmp)[^'\"]*['\"]|upload_folder\\s*=\\s*['\"][^'\"]*(/tmp|/var/tmp)[^'\"]*['\"]"
-        message: "Insecure upload directory detected. Use a properly secured directory for file uploads, not temporary directories."
+## Applies To
+- `*.py`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
 
-  - type: suggest
-    message: |
-      **Python Security Configuration Best Practices:**
-      
-      1. **Environment-Specific Configuration:**
-         - Use different configurations for development, testing, and production
-         - Never enable debug mode in production
-         - Example with environment variables:
-           ```python
-           import os
-           
-           DEBUG = os.environ.get('DEBUG', 'False') == 'True'
-           SECRET_KEY = os.environ.get('SECRET_KEY')
-           ```
-      
-      2. **Secure Cookie Configuration:**
-         - Enable secure cookies in production
-         - Set appropriate cookie flags
-         - Example for Django:
-           ```python
-           SESSION_COOKIE_SECURE = True
-           SESSION_COOKIE_HTTPONLY = True
-           SESSION_COOKIE_SAMESITE = 'Lax'
-           CSRF_COOKIE_SECURE = True
-           CSRF_COOKIE_HTTPONLY = True
-           ```
-         - Example for Flask:
-           ```python
-           app.config.update(
-               SESSION_COOKIE_SECURE=True,
-               SESSION_COOKIE_HTTPONLY=True,
-               SESSION_COOKIE_SAMESITE='Lax',
-               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-           )
-           ```
-      
-      3. **Security Headers:**
-         - Implement HTTP security headers
-         - Example with Flask-Talisman:
-           ```python
-           from flask_talisman import Talisman
-           
-           talisman = Talisman(
-               app,
-               content_security_policy={
-                   'default-src': "'self'",
-                   'script-src': "'self'"
-               },
-               strict_transport_security=True,
-               strict_transport_security_max_age=31536000,
-               frame_options='DENY'
-           )
-           ```
-         - Example for Django:
-           ```python
-           SECURE_HSTS_SECONDS = 31536000
-           SECURE_HSTS_INCLUDE_SUBDOMAINS = True
-           SECURE_HSTS_PRELOAD = True
-           SECURE_CONTENT_TYPE_NOSNIFF = True
-           SECURE_BROWSER_XSS_FILTER = True
-           X_FRAME_OPTIONS = 'DENY'
-           ```
-      
-      4. **CORS Configuration:**
-         - Restrict CORS to specific origins
-         - Example with Flask-CORS:
-           ```python
-           from flask_cors import CORS
-           
-           CORS(app, resources={r"/api/*": {"origins": "https://example.com"}})
-           ```
-         - Example for Django:
-           ```python
-           CORS_ALLOWED_ORIGINS = [
-               "https://example.com",
-               "https://sub.example.com",
-           ]
-           CORS_ALLOW_CREDENTIALS = True
-           ```
-      
-      5. **Secret Management:**
-         - Use environment variables or secure vaults for secrets
-         - Generate strong random secrets
-         - Example:
-           ```python
-           import secrets
-           
-           # Generate a secure random secret key
-           secret_key = secrets.token_hex(32)
-           ```
-      
-      6. **Error Handling:**
-         - Use custom error handlers to prevent information leakage
-         - Example for Flask:
-           ```python
-           @app.errorhandler(Exception)
-           def handle_exception(e):
-               # Log the error
-               app.logger.error(f"Unhandled exception: {str(e)}")
-               # Return a generic error message
-               return jsonify({"error": "An unexpected error occurred"}), 500
-           ```
-      
-      7. **Secure File Uploads:**
-         - Validate file types and sizes
-         - Store uploaded files outside the web root
-         - Use secure permissions
-         - Example:
-           ```python
-           import os
-           from werkzeug.utils import secure_filename
-           
-           UPLOAD_FOLDER = '/path/to/secure/location'
-           ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
-           
-           app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
-           app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16MB limit
-           
-           def allowed_file(filename):
-               return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
-           ```
-      
-      8. **Dependency Management:**
-         - Regularly update dependencies
-         - Use tools like safety or dependabot
-         - Pin dependency versions
-         - Example requirements.txt:
-           ```
-           Flask==2.0.1
-           Werkzeug==2.0.1
-           ```
-      
-      9. **Timeout Configuration:**
-         - Set timeouts for all external service calls
-         - Example:
-           ```python
-           import requests
-           
-           response = requests.get('https://api.example.com', timeout=(3.05, 27))
-           ```
-      
-      10. **Secure Deserialization:**
-          - Use safe alternatives for deserialization
-          - Validate input before deserialization
-          - Example:
-            ```python
-            import yaml
-            
-            # Use safe_load instead of load
-            data = yaml.safe_load(yaml_string)
-            ```
+## Trigger Conditions
+- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
+- Paths matching `.*`
 
-  - type: validate
-    conditions:
-      # Check 1: Proper debug configuration
-      - pattern: "DEBUG\\s*=\\s*os\\.environ\\.get\\(['\"]DEBUG['\"]|DEBUG\\s*=\\s*False"
-        message: "Using environment-specific or secure debug configuration."
-      
-      # Check 2: Secure cookie settings
-      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*True|session_cookie_secure\\s*=\\s*true"
-        message: "Using secure cookie configuration."
-      
-      # Check 3: Security headers implementation
-      - pattern: "SECURE_HSTS_SECONDS|X_FRAME_OPTIONS|Talisman\\(|CSP|Content-Security-Policy"
-        message: "Implementing security headers."
+## Required Checks
+
+- Debug mode appears to be enabled. This should be disabled in production environments as it can expose sensitive information.
+- Insecure cookie configuration detected. Set SESSION_COOKIE_SECURE to True in production environments.
+- CSRF protection appears to be disabled. Enable CSRF protection to prevent cross-site request forgery attacks.
+- Overly permissive CORS configuration detected. Restrict CORS to specific origins rather than allowing all origins.
+- Default or potentially weak secret key detected. Use a strong, randomly generated secret key and store it securely.
+- Exception propagation in debug mode is enabled. This can expose sensitive information in error messages.
+- SSL redirection appears to be disabled. Enable SSL redirection to ensure secure communications.
+- HTTP Strict Transport Security (HSTS) appears to be disabled. Enable HSTS to enforce secure communications.
+- Potentially sensitive endpoint exposed without access controls. Ensure proper authentication and authorization for administrative endpoints.
+- Default or weak credentials detected. Never use default or easily guessable credentials in any environment.
+- Overly permissive file permissions detected. Use the principle of least privilege for file permissions.
+- Endpoints that may expose version information detected. Ensure these endpoints don't reveal sensitive details about your application.
+- Potentially insecure deserialization detected. Use safer alternatives like yaml.safe_load() or validate input before deserialization.
+- HTTP request without timeout setting detected. Always set timeouts for HTTP requests to prevent denial of service.
+- Insecure upload directory detected. Use a properly secured directory for file uploads, not temporary directories.
+
+## Recommendations
+
+**Python Security Configuration Best Practices:**
+
+1. **Environment-Specific Configuration:**
+   - Use different configurations for development, testing, and production
+   - Never enable debug mode in production
+   - Example with environment variables:
+     ```python
+     import os
+     
+     DEBUG = os.environ.get('DEBUG', 'False') == 'True'
+     SECRET_KEY = os.environ.get('SECRET_KEY')
+     ```
+
+2. **Secure Cookie Configuration:**
+   - Enable secure cookies in production
+   - Set appropriate cookie flags
+   - Example for Django:
+     ```python
+     SESSION_COOKIE_SECURE = True
+     SESSION_COOKIE_HTTPONLY = True
+     SESSION_COOKIE_SAMESITE = 'Lax'
+     CSRF_COOKIE_SECURE = True
+     CSRF_COOKIE_HTTPONLY = True
+     ```
+   - Example for Flask:
+     ```python
+     app.config.update(
+         SESSION_COOKIE_SECURE=True,
+         SESSION_COOKIE_HTTPONLY=True,
+         SESSION_COOKIE_SAMESITE='Lax',
+         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+     )
+     ```
+
+3. **Security Headers:**
+   - Implement HTTP security headers
+   - Example with Flask-Talisman:
+     ```python
+     from flask_talisman import Talisman
+     
+     talisman = Talisman(
+         app,
+         content_security_policy={
+             'default-src': "'self'",
+             'script-src': "'self'"
+         },
+         strict_transport_security=True,
+         strict_transport_security_max_age=31536000,
+         frame_options='DENY'
+     )
+     ```
+   - Example for Django:
+     ```python
+     SECURE_HSTS_SECONDS = 31536000
+     SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+     SECURE_HSTS_PRELOAD = True
+     SECURE_CONTENT_TYPE_NOSNIFF = True
+     SECURE_BROWSER_XSS_FILTER = True
+     X_FRAME_OPTIONS = 'DENY'
+     ```
+
+4. **CORS Configuration:**
+   - Restrict CORS to specific origins
+   - Example with Flask-CORS:
+     ```python
+     from flask_cors import CORS
+     
+     CORS(app, resources={r"/api/*": {"origins": "https://example.com"}})
+     ```
+   - Example for Django:
+     ```python
+     CORS_ALLOWED_ORIGINS = [
+         "https://example.com",
+         "https://sub.example.com",
+     ]
+     CORS_ALLOW_CREDENTIALS = True
+     ```
+
+5. **Secret Management:**
+   - Use environment variables or secure vaults for secrets
+   - Generate strong random secrets
+   - Example:
+     ```python
+     import secrets
+     
+     # Generate a secure random secret key
+     secret_key = secrets.token_hex(32)
+     ```
+
+6. **Error Handling:**
+   - Use custom error handlers to prevent information leakage
+   - Example for Flask:
+     ```python
+     @app.errorhandler(Exception)
+     def handle_exception(e):
+         # Log the error
+         app.logger.error(f"Unhandled exception: {str(e)}")
+         # Return a generic error message
+         return jsonify({"error": "An unexpected error occurred"}), 500
+     ```
+
+7. **Secure File Uploads:**
+   - Validate file types and sizes
+   - Store uploaded files outside the web root
+   - Use secure permissions
+   - Example:
+     ```python
+     import os
+     from werkzeug.utils import secure_filename
+     
+     UPLOAD_FOLDER = '/path/to/secure/location'
+     ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
+     
+     app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
+     app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16MB limit
+     
+     def allowed_file(filename):
+         return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+     ```
+
+8. **Dependency Management:**
+   - Regularly update dependencies
+   - Use tools like safety or dependabot
+   - Pin dependency versions
+   - Example requirements.txt:
+     ```
+     Flask==2.0.1
+     Werkzeug==2.0.1
+     ```
+
+9. **Timeout Configuration:**
+   - Set timeouts for all external service calls
+   - Example:
+     ```python
+     import requests
+     
+     response = requests.get('https://api.example.com', timeout=(3.05, 27))
+     ```
+
+10. **Secure Deserialization:**
+    - Use safe alternatives for deserialization
+    - Validate input before deserialization
+    - Example:
+      ```python
+      import yaml
       
-      # Check 4: Proper CORS configuration
-      - pattern: "CORS_ALLOWED_ORIGINS|CORS\\(app,\\s*resources"
-        message: "Using restricted CORS configuration."
+      # Use safe_load instead of load
+      data = yaml.safe_load(yaml_string)
+      ```
+
+## Validation
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - configuration
-    - deployment
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:configuration
-    - standard:owasp-top10
-    - risk:a05-security-misconfiguration
-  references:
-    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Configuration_Security_Cheat_Sheet.html"
-    - "https://flask.palletsprojects.com/en/latest/security/"
-    - "https://docs.djangoproject.com/en/stable/topics/security/"
-    - "https://fastapi.tiangolo.com/advanced/security/https/"
-    - "https://owasp.org/www-project-secure-headers/"
-</rule>
\ No newline at end of file
+- Using environment-specific or secure debug configuration.
+- Using secure cookie configuration.
+- Implementing security headers.
+- Using restricted CORS configuration.
diff --git a/.cursor/rules/python-ssrf.mdc b/.cursor/rules/python-ssrf.mdc
index a8bba07..7352392 100644
--- a/.cursor/rules/python-ssrf.mdc
+++ b/.cursor/rules/python-ssrf.mdc
@@ -3,518 +3,42 @@ description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabiliti
 globs: *.py
 alwaysApply: false
 ---
- # Python Server-Side Request Forgery (SSRF) Standards (OWASP A10:2021)
+# Python Server-Side Request Forgery (SSRF) Safeguards
 
-This rule enforces security best practices to prevent Server-Side Request Forgery (SSRF) vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A10.
+This rule provides review checkpoints to avoid SSRF vulnerabilities when Python code makes outbound network calls on behalf of a user or downstream system.
 
-<rule>
-name: python_ssrf
-description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in Python applications as defined in OWASP Top 10:2021-A10
-filters:
-  - type: file_extension
-    pattern: "\\.py$"
-  - type: file_path
-    pattern: ".*"
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.py`
+
+## Trigger Conditions
+- HTTP clients such as `requests`, `urllib`, `aiohttp`, `httpx`, `boto3`, or custom fetch utilities.
+- Code paths that pass user-controlled URLs, hostnames, IP addresses, or protocols into outbound requests.
+- Services acting as proxies, webhooks, image fetchers, or metadata retrievers.
 
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Detect direct use of requests library with user input
-      - pattern: "requests\\.(get|post|put|delete|head|options|patch)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in HTTP requests. Implement URL validation and allowlisting."
-        
-      # Pattern 2: Detect urllib usage with user input
-      - pattern: "urllib\\.(request|parse)\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in urllib functions. Implement URL validation and allowlisting."
-        
-      # Pattern 3: Detect http.client usage with user input
-      - pattern: "http\\.client\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in http.client functions. Implement URL validation and allowlisting."
-        
-      # Pattern 4: Detect aiohttp usage with user input
-      - pattern: "aiohttp\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in aiohttp functions. Implement URL validation and allowlisting."
-        
-      # Pattern 5: Detect httpx usage with user input
-      - pattern: "httpx\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in httpx functions. Implement URL validation and allowlisting."
-        
-      # Pattern 6: Detect pycurl usage with user input
-      - pattern: "pycurl\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in pycurl functions. Implement URL validation and allowlisting."
-        
-      # Pattern 7: Detect subprocess calls with user input that might lead to SSRF
-      - pattern: "subprocess\\.(Popen|call|run|check_output|check_call)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in subprocess calls, which might lead to SSRF. Validate and sanitize input."
-        
-      # Pattern 8: Detect os.system calls with user input that might lead to SSRF
-      - pattern: "os\\.(system|popen|spawn)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in OS commands, which might lead to SSRF. Validate and sanitize input."
-        
-      # Pattern 9: Detect URL construction with user input
-      - pattern: "(f|r)[\"\']https?://[^\"\']*?\\{[^\\}]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in URL construction. Implement URL validation and allowlisting."
-        
-      # Pattern 10: Detect URL joining with user input
-      - pattern: "urljoin\\([^,]+,[^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in URL joining. Implement URL validation and allowlisting."
-        
-      # Pattern 11: Detect file opening with user input (potential local SSRF)
-      - pattern: "open\\([^,]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential local SSRF vulnerability detected. User-controlled input is being used in file operations. Validate file paths and use path sanitization."
-        
-      # Pattern 12: Detect XML/YAML parsing with user input (potential XXE leading to SSRF)
-      - pattern: "(ET\\.fromstring|ET\\.parse|ET\\.XML|minidom\\.parse|parseString|yaml\\.load)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential XXE vulnerability that could lead to SSRF detected. User-controlled input is being used in XML/YAML parsing. Use safe parsing methods and disable external entities."
-        
-      # Pattern 13: Detect socket connections with user input
-      - pattern: "socket\\.(socket|create_connection)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in socket connections. Implement host/port validation and allowlisting."
-        
-      # Pattern 14: Detect FTP connections with user input
-      - pattern: "ftplib\\.FTP\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
-        message: "Potential SSRF vulnerability detected. User-controlled input is being used in FTP connections. Implement host validation and allowlisting."
-        
-      # Pattern 15: Detect missing URL validation before making requests
-      - pattern: "def\\s+\\w+\\([^)]*?\\):[^\\n]*?\\n(?:[^\\n]*?\\n)*?[^\\n]*?requests\\.(get|post|put|delete|head|options|patch)\\([^)]*?url\\s*=\\s*[^\\n]*?(?!.*?validate_url)"
-        message: "Missing URL validation before making HTTP requests. Implement URL validation with allowlisting to prevent SSRF attacks."
+## Required Checks
+- Validate destination schemes and hosts before executing outbound requests; prefer allowlists over blocklists.
+- Block or rewrite requests that resolve to loopback, link-local, or private network ranges (e.g. 127.0.0.0/8, ::1, 169.254.0.0/16, 10.0.0.0/8, 192.168.0.0/16).
+- Disable automatic redirects, or re-validate redirect targets, when relaying user-provided URLs.
+- Ensure headers such as `Host`, `X-Forwarded-For`, and authentication tokens cannot be overridden by external input.
+- Reject or sanitise non-HTTP schemes (`file://`, `ftp://`, `gopher://`, etc.) unless explicitly required.
 
-  - type: suggest
-    message: |
-      **Python Server-Side Request Forgery (SSRF) Prevention Best Practices:**
-      
-      1. **URL Validation and Allowlisting:**
-         - Implement strict URL validation
-         - Use allowlists for domains, IP ranges, and protocols
-         - Example implementation:
-           ```python
-           import re
-           import socket
-           import ipaddress
-           from urllib.parse import urlparse
-           
-           def is_valid_url(url, allowed_domains=None, allowed_protocols=None, block_private_ips=True):
-               """
-               Validate URLs against allowlists and block private IPs.
-               
-               Args:
-                   url (str): The URL to validate
-                   allowed_domains (list): List of allowed domains
-                   allowed_protocols (list): List of allowed protocols
-                   block_private_ips (bool): Whether to block private IPs
-                   
-               Returns:
-                   bool: True if URL is valid according to rules
-               """
-               if not url:
-                   return False
-                   
-               # Default allowlists if none provided
-               if allowed_domains is None:
-                   allowed_domains = ["example.com", "api.example.com"]
-               if allowed_protocols is None:
-                   allowed_protocols = ["https"]
-                   
-               try:
-                   # Parse URL
-                   parsed_url = urlparse(url)
-                   
-                   # Check protocol
-                   if parsed_url.scheme not in allowed_protocols:
-                       return False
-                       
-                   # Check domain against allowlist
-                   if parsed_url.netloc not in allowed_domains:
-                       return False
-                       
-                   # Block private IPs if enabled
-                   if block_private_ips:
-                       hostname = parsed_url.netloc.split(':')[0]
-                       try:
-                           ip_addresses = socket.getaddrinfo(
-                               hostname, None, socket.AF_INET, socket.SOCK_STREAM
-                           )
-                           for family, socktype, proto, canonname, sockaddr in ip_addresses:
-                               ip = sockaddr[0]
-                               ip_obj = ipaddress.ip_address(ip)
-                               if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_reserved:
-                                   return False
-                       except socket.gaierror:
-                           # DNS resolution failed
-                           return False
-                           
-                   return True
-               except Exception:
-                   return False
-           
-           # Usage example
-           def fetch_resource(resource_url):
-               if not is_valid_url(resource_url):
-                   raise ValueError("Invalid or disallowed URL")
-                   
-               # Proceed with request
-               import requests
-               return requests.get(resource_url)
-           ```
-      
-      2. **Implement Network-Level Controls:**
-         - Use network-level allowlists
-         - Configure firewalls to block outbound requests to internal resources
-         - Example with proxy configuration:
-           ```python
-           import requests
-           
-           def safe_request(url):
-               # Configure proxy that implements URL filtering
-               proxies = {
-                   'http': 'http://ssrf-protecting-proxy:8080',
-                   'https': 'http://ssrf-protecting-proxy:8080'
-               }
-               
-               # Set timeout to prevent long-running requests
-               timeout = 10
-               
-               try:
-                   return requests.get(url, proxies=proxies, timeout=timeout)
-               except requests.exceptions.RequestException as e:
-                   # Log the error and handle gracefully
-                   logging.error(f"Request failed: {e}")
-                   return None
-           ```
-      
-      3. **Use Safe Libraries and Wrappers:**
-         - Create wrapper functions for HTTP requests
-         - Implement consistent security controls
-         - Example wrapper:
-           ```python
-           import requests
-           from urllib.parse import urlparse
-           
-           class SafeRequestHandler:
-               def __init__(self, allowed_domains=None, allowed_protocols=None):
-                   self.allowed_domains = allowed_domains or ["api.example.com"]
-                   self.allowed_protocols = allowed_protocols or ["https"]
-                   
-               def validate_url(self, url):
-                   parsed_url = urlparse(url)
-                   
-                   # Validate protocol
-                   if parsed_url.scheme not in self.allowed_protocols:
-                       return False
-                       
-                   # Validate domain
-                   if parsed_url.netloc not in self.allowed_domains:
-                       return False
-                       
-                   return True
-                   
-               def request(self, method, url, **kwargs):
-                   if not self.validate_url(url):
-                       raise ValueError(f"URL validation failed for: {url}")
-                       
-                   # Set sensible defaults
-                   kwargs.setdefault('timeout', 10)
-                   
-                   # Make the request
-                   return requests.request(method, url, **kwargs)
-                   
-               def get(self, url, **kwargs):
-                   return self.request('GET', url, **kwargs)
-                   
-               def post(self, url, **kwargs):
-                   return self.request('POST', url, **kwargs)
-           
-           # Usage
-           safe_requests = SafeRequestHandler()
-           response = safe_requests.get('https://api.example.com/data')
-           ```
-      
-      4. **Disable Redirects or Implement Redirect Validation:**
-         - Disable automatic redirects
-         - Validate each redirect location
-         - Example:
-           ```python
-           import requests
-           
-           def safe_request_with_redirect_validation(url, allowed_domains):
-               # Disable automatic redirects
-               session = requests.Session()
-               response = session.get(url, allow_redirects=False)
-               
-               # Handle redirects manually with validation
-               redirect_count = 0
-               max_redirects = 5
-               
-               while 300 <= response.status_code < 400 and redirect_count < max_redirects:
-                   redirect_url = response.headers.get('Location')
-                   
-                   # Validate redirect URL
-                   parsed_url = urlparse(redirect_url)
-                   if parsed_url.netloc not in allowed_domains:
-                       raise ValueError(f"Redirect to disallowed domain: {parsed_url.netloc}")
-                       
-                   # Follow the redirect with validation
-                   redirect_count += 1
-                   response = session.get(redirect_url, allow_redirects=False)
-                   
-               return response
-           ```
-      
-      5. **Use Metadata Instead of Direct URLs:**
-         - Use resource identifiers instead of URLs
-         - Resolve identifiers server-side
-         - Example:
-           ```python
-           def fetch_resource_by_id(resource_id):
-               # Map of allowed resources
-               resource_map = {
-                   "user_profile": "https://api.example.com/profiles/",
-                   "product_data": "https://api.example.com/products/",
-                   "weather_info": "https://api.weather.com/forecast/"
-               }
-               
-               # Check if resource_id is in allowed list
-               if resource_id not in resource_map:
-                   raise ValueError(f"Unknown resource ID: {resource_id}")
-                   
-               # Construct URL from safe base + ID
-               base_url = resource_map[resource_id]
-               return requests.get(base_url)
-           ```
-      
-      6. **Implement Response Handling Controls:**
-         - Sanitize and validate responses
-         - Prevent response data from being used in further requests
-         - Example:
-           ```python
-           def safe_request_with_response_validation(url):
-               response = requests.get(url)
-               
-               # Check response size
-               if len(response.content) > MAX_RESPONSE_SIZE:
-                   raise ValueError("Response too large")
-                   
-               # Validate content type
-               content_type = response.headers.get('Content-Type', '')
-               if not content_type.startswith('application/json'):
-                   raise ValueError(f"Unexpected content type: {content_type}")
-                   
-               # Parse and validate JSON structure
-               try:
-                   data = response.json()
-                   # Validate expected structure
-                   if 'result' not in data:
-                       raise ValueError("Invalid response structure")
-                   return data
-               except ValueError:
-                   raise ValueError("Invalid JSON response")
-           ```
-      
-      7. **Use Timeouts and Circuit Breakers:**
-         - Set appropriate timeouts
-         - Implement circuit breakers for failing services
-         - Example:
-           ```python
-           import requests
-           from requests.exceptions import Timeout, ConnectionError
-           
-           def request_with_circuit_breaker(url, max_retries=3, timeout=5):
-               retries = 0
-               while retries < max_retries:
-                   try:
-                       return requests.get(url, timeout=timeout)
-                   except (Timeout, ConnectionError) as e:
-                       retries += 1
-                       if retries >= max_retries:
-                           # Circuit is now open
-                           raise ValueError(f"Circuit breaker open for {url}: {str(e)}")
-                       # Exponential backoff
-                       time.sleep(2 ** retries)
-           ```
-      
-      8. **Implement Proper Logging and Monitoring:**
-         - Log all outbound requests
-         - Monitor for unusual patterns
-         - Example:
-           ```python
-           import logging
-           import requests
-           
-           def logged_request(url, **kwargs):
-               # Log the outbound request
-               logging.info(f"Outbound request to: {url}")
-               
-               try:
-                   response = requests.get(url, **kwargs)
-                   # Log the response
-                   logging.info(f"Response from {url}: status={response.status_code}")
-                   return response
-               except Exception as e:
-                   # Log the error
-                   logging.error(f"Request to {url} failed: {str(e)}")
-                   raise
-           ```
-      
-      9. **Use DNS Resolution Controls:**
-         - Implement DNS resolution controls
-         - Block internal DNS names
-         - Example:
-           ```python
-           import socket
-           import ipaddress
-           
-           def is_safe_host(hostname):
-               try:
-                   # Resolve hostname to IP
-                   ip_addresses = socket.getaddrinfo(
-                       hostname, None, socket.AF_INET, socket.SOCK_STREAM
-                   )
-                   
-                   for family, socktype, proto, canonname, sockaddr in ip_addresses:
-                       ip = sockaddr[0]
-                       ip_obj = ipaddress.ip_address(ip)
-                       
-                       # Check if IP is private/internal
-                       if (ip_obj.is_private or ip_obj.is_loopback or 
-                           ip_obj.is_link_local or ip_obj.is_reserved):
-                           return False
-                           
-                   return True
-               except (socket.gaierror, ValueError):
-                   return False
-                   
-           def safe_request_with_dns_check(url):
-               parsed_url = urlparse(url)
-               hostname = parsed_url.netloc.split(':')[0]
-               
-               if not is_safe_host(hostname):
-                   raise ValueError(f"Hostname resolves to unsafe IP: {hostname}")
-                   
-               return requests.get(url)
-           ```
-      
-      10. **Implement Defense in Depth:**
-          - Combine multiple protection mechanisms
-          - Don't rely on a single control
-          - Example comprehensive approach:
-            ```python
-            class SSRFProtectedClient:
-                def __init__(self):
-                    self.allowed_domains = ["api.example.com", "cdn.example.com"]
-                    self.allowed_protocols = ["https"]
-                    self.max_redirects = 3
-                    self.timeout = 10
-                    
-                def is_safe_url(self, url):
-                    # URL validation
-                    parsed_url = urlparse(url)
-                    
-                    # Protocol check
-                    if parsed_url.scheme not in self.allowed_protocols:
-                        return False
-                        
-                    # Domain check
-                    if parsed_url.netloc not in self.allowed_domains:
-                        return False
-                        
-                    # DNS resolution check
-                    hostname = parsed_url.netloc.split(':')[0]
-                    try:
-                        ip_addresses = socket.getaddrinfo(
-                            hostname, None, socket.AF_INET, socket.SOCK_STREAM
-                        )
-                        for family, socktype, proto, canonname, sockaddr in ip_addresses:
-                            ip = sockaddr[0]
-                            ip_obj = ipaddress.ip_address(ip)
-                            if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_reserved:
-                                return False
-                    except socket.gaierror:
-                        return False
-                        
-                    return True
-                    
-                def request(self, method, url, **kwargs):
-                    # Validate URL
-                    if not self.is_safe_url(url):
-                        raise ValueError(f"URL failed security validation: {url}")
-                        
-                    # Set sensible defaults
-                    kwargs.setdefault('timeout', self.timeout)
-                    kwargs.setdefault('allow_redirects', False)
-                    
-                    # Make initial request
-                    session = requests.Session()
-                    response = session.request(method, url, **kwargs)
-                    
-                    # Handle redirects manually with validation
-                    redirect_count = 0
-                    
-                    while 300 <= response.status_code < 400 and redirect_count < self.max_redirects:
-                        redirect_url = response.headers.get('Location')
-                        
-                        # Validate redirect URL
-                        if not self.is_safe_url(redirect_url):
-                            raise ValueError(f"Redirect URL failed security validation: {redirect_url}")
-                            
-                        # Follow the redirect with validation
-                        redirect_count += 1
-                        response = session.request(method, redirect_url, **kwargs)
-                        
-                    # Log the request
-                    logging.info(f"{method} request to {url} completed with status {response.status_code}")
-                    
-                    return response
-                    
-                def get(self, url, **kwargs):
-                    return self.request('GET', url, **kwargs)
-                    
-                def post(self, url, **kwargs):
-                    return self.request('POST', url, **kwargs)
-            
-            # Usage
-            client = SSRFProtectedClient()
-            response = client.get('https://api.example.com/data')
-            ```
+## Recommendations
+- Normalize input with `urllib.parse`, `yarl.URL`, or equivalent helpers before validation.
+- Resolve hostnames with `socket.getaddrinfo` or `ipaddress.ip_address` to enforce subnet allowlists.
+- Wrap outbound calls behind shared helpers that centralise validation, logging, and timeout defaults.
+- Combine application checks with infrastructure controls (egress allowlists, VPC service controls, IMDSv2 tokens).
+- Record security telemetry for SSRF-prone endpoints (requested host, caller, decision outcome).
+- Add tests that cover malicious targets (internal IPs, metadata endpoints, protocol smuggling).
 
-  - type: validate
-    conditions:
-      # Check 1: URL validation implementation
-      - pattern: "def\\s+is_valid_url|def\\s+validate_url"
-        message: "URL validation function is implemented."
-      
-      # Check 2: Allowlist implementation
-      - pattern: "allowed_domains|allowed_urls|ALLOWED_HOSTS|whitelist"
-        message: "URL allowlisting is implemented."
-      
-      # Check 3: Safe request wrapper
-      - pattern: "class\\s+\\w+Request|def\\s+safe_request"
-        message: "Safe request wrapper is implemented."
-      
-      # Check 4: IP address validation
-      - pattern: "ipaddress\\.ip_address|is_private|is_loopback|is_reserved"
-        message: "IP address validation is implemented to prevent access to internal resources."
+## Positive Signals
+- Presence of helper functions such as `sanitize_url`, `validate_external_url`, or allowlisted hostname checks.
+- Use of CIDR comparisons or allowlist configuration before performing network requests.
+- Explicit configuration-driven lists of permitted domains or services.
+- Security unit tests or integration tests asserting blocked behaviour for sensitive hosts.
 
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - ssrf
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:ssrf
-    - standard:owasp-top10
-    - risk:a10-server-side-request-forgery
-  references:
-    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
-    - "https://portswigger.net/web-security/ssrf"
-    - "https://docs.python.org/3/library/urllib.request.html"
-    - "https://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification"
-    - "https://docs.python.org/3/library/ipaddress.html"
-</rule>
\ No newline at end of file
+## References
+- OWASP SSRF Prevention Cheat Sheet
+- Python `ipaddress` and `urllib.parse` documentation
+- Cloud provider guidance for protecting metadata services
diff --git a/.cursor/rules/python-vulnerable-outdated-components.mdc b/.cursor/rules/python-vulnerable-outdated-components.mdc
index be3380d..93d02de 100644
--- a/.cursor/rules/python-vulnerable-outdated-components.mdc
+++ b/.cursor/rules/python-vulnerable-outdated-components.mdc
@@ -3,249 +3,170 @@ description: Detect and prevent vulnerabilities related to outdated dependencies
 globs: *.py, *.txt, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
- # Python Vulnerable and Outdated Components Standards (OWASP A06:2021)
+# Python Vulnerable and Outdated Components Standards (OWASP A06:2021)
 
 This rule enforces security best practices to prevent vulnerabilities related to outdated dependencies and components in Python applications, as defined in OWASP Top 10:2021-A06.
 
-<rule>
-name: python_vulnerable_outdated_components
-description: Detect and prevent vulnerabilities related to outdated dependencies and components in Python applications as defined in OWASP Top 10:2021-A06
-filters:
-  - type: file_extension
-    pattern: "\\.(py|txt|ini|cfg|yml|yaml|json|toml)$"
-  - type: file_path
-    pattern: ".*"
-
-actions:
-  - type: enforce
-    conditions:
-      # Pattern 1: Unpinned dependencies in requirements files
-      - pattern: "^(django|flask|fastapi|requests|cryptography|pyyaml|sqlalchemy|celery|numpy|pandas|pillow|tensorflow|torch|boto3|psycopg2)\\s*$"
-        file_pattern: "requirements.*\\.txt$|setup\\.py$|pyproject\\.toml$"
-        message: "Unpinned dependency detected. Always pin dependencies to specific versions to prevent automatic updates to potentially vulnerable versions."
-        
-      # Pattern 2: Outdated/vulnerable Django versions
-      - pattern: "django([<>=]=|~=|==)\\s*[\"']?(1\\.|2\\.[0-2]\\.|3\\.[0-2]\\.|4\\.0\\.)[0-9]+[\"']?"
-        message: "Potentially outdated Django version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 3: Outdated/vulnerable Flask versions
-      - pattern: "flask([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.[0-3]\\.|2\\.0\\.[0-3])[0-9]*[\"']?"
-        message: "Potentially outdated Flask version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 4: Outdated/vulnerable Requests versions
-      - pattern: "requests([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.[0-2][0-5]\\.[0-9]+)[\"']?"
-        message: "Potentially outdated Requests version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 5: Outdated/vulnerable Cryptography versions
-      - pattern: "cryptography([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.[0-3]\\.|3\\.4\\.[0-7])[0-9]*[\"']?"
-        message: "Potentially outdated Cryptography version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 6: Outdated/vulnerable PyYAML versions
-      - pattern: "pyyaml([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.|5\\.[0-5]\\.[0-9]+)[\"']?"
-        message: "Potentially outdated PyYAML version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 7: Outdated/vulnerable Pillow versions
-      - pattern: "pillow([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.|5\\.|6\\.|7\\.|8\\.[0-3]\\.[0-9]+)[\"']?"
-        message: "Potentially outdated Pillow version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 8: Direct imports of deprecated modules
-      - pattern: "from\\s+xml\\.etree\\.ElementTree\\s+import\\s+.*parse|from\\s+urllib2\\s+import|from\\s+urllib\\s+import\\s+urlopen|import\\s+cgi|import\\s+imp"
-        message: "Use of deprecated or insecure module detected. Consider using more secure alternatives."
-        
-      # Pattern 9: Use of deprecated functions
-      - pattern: "\\.set_password\\([^)]*\\)|hashlib\\.md5\\(|hashlib\\.sha1\\(|random\\.random\\(|random\\.randrange\\(|random\\.randint\\("
-        message: "Use of deprecated or insecure function detected. Consider using more secure alternatives."
-        
-      # Pattern 10: Insecure dependency loading
-      - pattern: "__import__\\(|importlib\\.import_module\\(|exec\\(|eval\\("
-        message: "Dynamic code execution or module loading detected. This can lead to code injection if user input is involved."
-        
-      # Pattern 11: Outdated TLS/SSL versions
-      - pattern: "ssl\\.PROTOCOL_TLSv1|ssl\\.PROTOCOL_TLSv1_1|ssl\\.PROTOCOL_SSLv2|ssl\\.PROTOCOL_SSLv3|ssl\\.PROTOCOL_TLSv1_2"
-        message: "Outdated TLS/SSL protocol version detected. Use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER instead."
-        
-      # Pattern 12: Insecure deserialization libraries
-      - pattern: "import\\s+pickle|import\\s+marshal|import\\s+shelve"
-        message: "Use of potentially insecure deserialization library detected. Ensure these are not used with untrusted data."
-        
-      # Pattern 13: Outdated/vulnerable SQLAlchemy versions
-      - pattern: "sqlalchemy([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.[0-3]\\.[0-9]+)[\"']?"
-        message: "Potentially outdated SQLAlchemy version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 14: Outdated/vulnerable Celery versions
-      - pattern: "celery([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.[0-4]\\.[0-9]+)[\"']?"
-        message: "Potentially outdated Celery version detected. Consider upgrading to the latest stable version with security updates."
-        
-      # Pattern 15: Insecure package installation
-      - pattern: "pip\\s+install\\s+.*--no-deps|pip\\s+install\\s+.*--user|pip\\s+install\\s+.*--pre|pip\\s+install\\s+.*--index-url\\s+http://"
-        message: "Insecure pip installation options detected. Avoid using --no-deps, ensure HTTPS for index URLs, and be cautious with --pre and --user flags."
-
-  - type: suggest
-    message: |
-      **Python Dependency and Component Security Best Practices:**
-      
-      1. **Dependency Management:**
-         - Always pin dependencies to specific versions
-         - Use a lockfile (requirements.txt, Pipfile.lock, poetry.lock)
-         - Example requirements.txt:
-           ```
-           Django==4.2.7
-           requests==2.31.0
-           cryptography==41.0.5
-           ```
-      
-      2. **Vulnerability Scanning:**
-         - Regularly scan dependencies for vulnerabilities
-         - Use tools like safety, pip-audit, or dependabot
-         - Example safety check:
-           ```bash
-           pip install safety
-           safety check -r requirements.txt
-           ```
-      
-      3. **Dependency Updates:**
-         - Establish a regular update schedule
-         - Automate updates with tools like Renovate or Dependabot
-         - Test thoroughly after updates
-         - Example GitHub workflow:
-           ```yaml
-           name: Dependency Update
-           on:
-             schedule:
-               - cron: '0 0 * * 1'  # Weekly on Monday
-           jobs:
-             update-deps:
-               runs-on: ubuntu-latest
-               steps:
-                 - uses: actions/checkout@v3
-                 - name: Update dependencies
-                   run: |
-                     pip install pip-upgrader
-                     pip-upgrader -p requirements.txt
-           ```
-      
-      4. **Secure Package Installation:**
-         - Use trusted package sources
-         - Verify package integrity with hashes
-         - Example with pip and hashes:
-           ```
-           # requirements.txt
-           Django==4.2.7 --hash=sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaa2c03b76293b8
-           ```
-      
-      5. **Minimal Dependencies:**
-         - Limit the number of dependencies
-         - Regularly audit and remove unused dependencies
-         - Consider security history when selecting packages
-         - Example dependency audit:
-           ```bash
-           pip install pipdeptree
-           pipdeptree --warn silence | grep -v "^\s"
-           ```
-      
-      6. **Virtual Environments:**
-         - Use isolated environments for each project
-         - Document environment setup
-         - Example:
-           ```bash
-           python -m venv venv
-           source venv/bin/activate  # On Windows: venv\Scripts\activate
-           pip install -r requirements.txt
-           ```
-      
-      7. **Container Security:**
-         - Use official base images
-         - Pin image versions
-         - Scan container images
-         - Example Dockerfile:
-           ```dockerfile
-           FROM python:3.11-slim@sha256:1234567890abcdef
-           
-           WORKDIR /app
-           COPY requirements.txt .
-           RUN pip install --no-cache-dir -r requirements.txt
-           
-           COPY . .
-           RUN pip install --no-cache-dir -e .
-           
-           USER nobody
-           CMD ["gunicorn", "myapp.wsgi:application"]
-           ```
-      
-      8. **Compile-time Dependencies:**
-         - Separate runtime and development dependencies
-         - Example with pip-tools:
-           ```
-           # requirements.in
-           Django>=4.2,<5.0
-           requests>=2.31.0
-           
-           # dev-requirements.in
-           -r requirements.in
-           pytest>=7.0.0
-           black>=23.0.0
-           ```
-      
-      9. **Deprecated API Usage:**
-         - Stay informed about deprecation notices
-         - Plan migrations away from deprecated APIs
-         - Example Django deprecation check:
-           ```bash
-           python manage.py check --deploy
-           ```
-      
-      10. **Supply Chain Security:**
-          - Use tools like pip-audit to check for supply chain attacks
-          - Consider using a private PyPI mirror
-          - Example:
-            ```bash
-            pip install pip-audit
-            pip-audit
-            ```
-
-  - type: validate
-    conditions:
-      # Check 1: Pinned dependencies
-      - pattern: "^[a-zA-Z0-9_-]+==\\d+\\.\\d+\\.\\d+"
-        file_pattern: "requirements.*\\.txt$"
-        message: "Dependencies are properly pinned to specific versions."
-      
-      # Check 2: Use of dependency scanning tools
-      - pattern: "safety|pip-audit|pyup|dependabot|renovate"
-        file_pattern: "\\.github/workflows/.*\\.ya?ml$|\\.gitlab-ci\\.ya?ml$|tox\\.ini$|setup\\.py$|pyproject\\.toml$"
-        message: "Dependency scanning tools are being used."
-      
-      # Check 3: Modern TLS usage
-      - pattern: "ssl\\.PROTOCOL_TLS_CLIENT|ssl\\.PROTOCOL_TLS_SERVER|ssl\\.create_default_context\\(\\)"
-        message: "Using secure TLS protocol versions."
-      
-      # Check 4: Secure random generation
-      - pattern: "secrets\\.token_|secrets\\.choice|cryptography\\.hazmat"
-        message: "Using secure random generation methods."
-
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - security
-    - python
-    - dependencies
-    - supply-chain
-    - owasp
-    - language:python
-    - framework:django
-    - framework:flask
-    - framework:fastapi
-    - category:security
-    - subcategory:dependencies
-    - standard:owasp-top10
-    - risk:a06-vulnerable-outdated-components
-  references:
-    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html"
-    - "https://pypi.org/project/safety/"
-    - "https://pypi.org/project/pip-audit/"
-    - "https://github.com/pyupio/safety-db"
-    - "https://github.com/pypa/advisory-database"
-    - "https://python-security.readthedocs.io/packages.html"
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.py`
+- `*.txt`
+- `*.ini`
+- `*.cfg`
+- `*.yml`
+- `*.yaml`
+- `*.json`
+- `*.toml`
+
+## Trigger Conditions
+- Files matching pattern `\.(py|txt|ini|cfg|yml|yaml|json|toml)$`
+- Paths matching `.*`
+
+## Required Checks
+
+- Unpinned dependency detected. Always pin dependencies to specific versions to prevent automatic updates to potentially vulnerable versions.
+- Potentially outdated Django version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated Flask version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated Requests version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated Cryptography version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated PyYAML version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated Pillow version detected. Consider upgrading to the latest stable version with security updates.
+- Use of deprecated or insecure module detected. Consider using more secure alternatives.
+- Use of deprecated or insecure function detected. Consider using more secure alternatives.
+- Dynamic code execution or module loading detected. This can lead to code injection if user input is involved.
+- Outdated TLS/SSL protocol version detected. Use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER instead.
+- Use of potentially insecure deserialization library detected. Ensure these are not used with untrusted data.
+- Potentially outdated SQLAlchemy version detected. Consider upgrading to the latest stable version with security updates.
+- Potentially outdated Celery version detected. Consider upgrading to the latest stable version with security updates.
+- Insecure pip installation options detected. Avoid using --no-deps, ensure HTTPS for index URLs, and be cautious with --pre and --user flags.
+
+## Recommendations
+
+**Python Dependency and Component Security Best Practices:**
+
+1. **Dependency Management:**
+   - Always pin dependencies to specific versions
+   - Use a lockfile (requirements.txt, Pipfile.lock, poetry.lock)
+   - Example requirements.txt:
+     ```
+     Django==4.2.7
+     requests==2.31.0
+     cryptography==41.0.5
+     ```
+
+2. **Vulnerability Scanning:**
+   - Regularly scan dependencies for vulnerabilities
+   - Use tools like safety, pip-audit, or dependabot
+   - Example safety check:
+     ```bash
+     pip install safety
+     safety check -r requirements.txt
+     ```
+
+3. **Dependency Updates:**
+   - Establish a regular update schedule
+   - Automate updates with tools like Renovate or Dependabot
+   - Test thoroughly after updates
+   - Example GitHub workflow:
+     ```yaml
+     name: Dependency Update
+     on:
+       schedule:
+         - cron: '0 0 * * 1'  # Weekly on Monday
+     jobs:
+       update-deps:
+         runs-on: ubuntu-latest
+         steps:
+           - uses: actions/checkout@v3
+           - name: Update dependencies
+             run: |
+               pip install pip-upgrader
+               pip-upgrader -p requirements.txt
+     ```
+
+4. **Secure Package Installation:**
+   - Use trusted package sources
+   - Verify package integrity with hashes
+   - Example with pip and hashes:
+     ```
+     # requirements.txt
+     Django==4.2.7 --hash=sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaa2c03b76293b8
+     ```
+
+5. **Minimal Dependencies:**
+   - Limit the number of dependencies
+   - Regularly audit and remove unused dependencies
+   - Consider security history when selecting packages
+   - Example dependency audit:
+     ```bash
+     pip install pipdeptree
+     pipdeptree --warn silence | grep -v "^\s"
+     ```
+
+6. **Virtual Environments:**
+   - Use isolated environments for each project
+   - Document environment setup
+   - Example:
+     ```bash
+     python -m venv venv
+     source venv/bin/activate  # On Windows: venv\Scripts\activate
+     pip install -r requirements.txt
+     ```
+
+7. **Container Security:**
+   - Use official base images
+   - Pin image versions
+   - Scan container images
+   - Example Dockerfile:
+     ```dockerfile
+     FROM python:3.11-slim@sha256:1234567890abcdef
+     
+     WORKDIR /app
+     COPY requirements.txt .
+     RUN pip install --no-cache-dir -r requirements.txt
+     
+     COPY . .
+     RUN pip install --no-cache-dir -e .
+     
+     USER nobody
+     CMD ["gunicorn", "myapp.wsgi:application"]
+     ```
+
+8. **Compile-time Dependencies:**
+   - Separate runtime and development dependencies
+   - Example with pip-tools:
+     ```
+     # requirements.in
+     Django>=4.2,<5.0
+     requests>=2.31.0
+     
+     # dev-requirements.in
+     -r requirements.in
+     pytest>=7.0.0
+     black>=23.0.0
+     ```
+
+9. **Deprecated API Usage:**
+   - Stay informed about deprecation notices
+   - Plan migrations away from deprecated APIs
+   - Example Django deprecation check:
+     ```bash
+     python manage.py check --deploy
+     ```
+
+10. **Supply Chain Security:**
+    - Use tools like pip-audit to check for supply chain attacks
+    - Consider using a private PyPI mirror
+    - Example:
+      ```bash
+      pip install pip-audit
+      pip-audit
+      ```
+
+## Validation
+
+- Dependencies are properly pinned to specific versions.
+- Dependency scanning tools are being used.
+- Using secure TLS protocol versions.
+- Using secure random generation methods.
diff --git a/.cursor/rules/react-patterns.mdc b/.cursor/rules/react-patterns.mdc
index 3dcab70..1cbd488 100644
--- a/.cursor/rules/react-patterns.mdc
+++ b/.cursor/rules/react-patterns.mdc
@@ -6,35 +6,26 @@ globs: *.jsx, *.tsx
 
 Ensures React components follow recommended patterns and hook usage.
 
-<rule>
-name: react_patterns
-description: Enforce React component patterns and hooks best practices
-filters:
-  - type: file_extension
-    pattern: "\\.(jsx|tsx)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "useEffect\\([^,]+\\)"
-        message: "Specify dependencies array in useEffect"
-
-      - pattern: "useState\\([^)]*\\).*useState\\([^)]*\\)"
-        message: "Consider combining related state variables"
-
-      - pattern: "React\\.memo\\(.*\\)"
-        message: "Ensure React.memo is used appropriately for performance"
-
-  - type: suggest
-    message: |
-      React Best Practices:
-      - Use functional components with hooks
-      - Implement proper memoization
-      - Follow the Rules of Hooks
-      - Use TypeScript for prop types
-      - Consider custom hooks for reusable logic
-
-metadata:
-  priority: high
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.jsx`
+- `*.tsx`
+
+## Trigger Conditions
+- Files matching pattern `\.(jsx|tsx)$`
+
+## Required Checks
+
+- Specify dependencies array in useEffect
+- Consider combining related state variables
+- Ensure React.memo is used appropriately for performance
+
+## Recommendations
+
+React Best Practices:
+- Use functional components with hooks
+- Implement proper memoization
+- Follow the Rules of Hooks
+- Use TypeScript for prop types
+- Consider custom hooks for reusable logic
diff --git a/.cursor/rules/readme-maintenance-standards.mdc b/.cursor/rules/readme-maintenance-standards.mdc
index 3c198a7..1107191 100644
--- a/.cursor/rules/readme-maintenance-standards.mdc
+++ b/.cursor/rules/readme-maintenance-standards.mdc
@@ -7,64 +7,41 @@ alwaysApply: false
 
 Ensures that README files are consistently maintained, up-to-date, and informative.
 
-<rule>
-name: enhanced_readme_maintenance_standards
-description: Enforce standards for maintaining README documentation
-filters:
-  - type: file_extension
-    pattern: "\\.md$"
-  - type: file_name
-    pattern: "^README\\.md$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "## (Available Rules|Features|Components)"
-        message: "Update the 'Available Rules/Features/Components' section whenever new elements are added."
-
-      - pattern: "\\[`[^`]+`\\]\\([^)]+\\)"
-        message: "Ensure all file references in the README are properly linked and point to existing files."
-
-      - pattern: "## (Installation|Usage|Configuration)"
-        message: "Keep setup, usage, and configuration sections current with the latest project changes."
-
-      - pattern: "## (Contributing|License)"
-        message: "Ensure contributing guidelines and license information are accurate and up-to-date."
-
-      - pattern: "\\[Version\\s*(\\d+\\.)?(\\d+\\.)?\\d+\\]"
-        message: "Update version information to reflect the current state of the project."
-
-      - pattern: "## (Changelog|Changes|Updates)"
-        message: "Maintain a changelog for significant updates, fixes, and features."
-
-  - type: suggest
-    message: |
-      **README Maintenance Best Practices:**
-      - **Rule Listings:** Automatically update or manually check if new rules or features are reflected in the README.
-      - **Installation & Configuration:** Regularly review and update installation and configuration instructions to match the latest project state.
-      - **Documentation of Changes:** Document new features, bug fixes, and changes in a changelog or dedicated section.
-      - **Section Hierarchy:** Maintain a logical structure with clear headings for easy navigation.
-      - **Examples:** Include or update examples for new or changed functionalities.
-      - **Version Information:** Keep version numbers and release notes current, linking to the changelog if applicable.
-      - **Table of Contents:** Ensure the table of contents reflects the current document structure, using auto-generated if possible.
-      - **Badges:** Update badges for CI/CD status, test coverage, or dependencies to reflect current project health.
-      - **Accessibility:** Write with accessibility in mind, using alt text for images and semantic markdown.
-
-  - type: validate
-    conditions:
-      - pattern: "^# [^\\n]+\\n\\n## "
-        message: "Ensure proper markdown heading hierarchy for readability."
-
-      - pattern: "\\|[^|]+\\|[^|]+\\|\\n\\|\\s*-+\\s*\\|"
-        message: "Use consistent table formatting throughout the document."
-
-      - pattern: "\\[(.*?)\\]\\((?!http|\\/)[^\\)]+\\)"
-        message: "All local links should point to existing files or sections within the project."
-
-      - pattern: "\\[Version\\s*(\\d+\\.)?(\\d+\\.)?\\*\\d+\\]"
-        message: "Check that version placeholders are updated to actual numbers before release."
-
-metadata:
-  priority: high
-  version: 1.1
-</rule>
\ No newline at end of file
+> Priority: high · Version: 1.1
+
+## Applies To
+- `README.md`
+- `*.md`
+
+## Trigger Conditions
+- Files matching pattern `\.md$`
+- Filter `file_name` matching `^README\.md$`
+
+## Required Checks
+
+- Update the 'Available Rules/Features/Components' section whenever new elements are added.
+- Ensure all file references in the README are properly linked and point to existing files.
+- Keep setup, usage, and configuration sections current with the latest project changes.
+- Ensure contributing guidelines and license information are accurate and up-to-date.
+- Update version information to reflect the current state of the project.
+- Maintain a changelog for significant updates, fixes, and features.
+
+## Recommendations
+
+**README Maintenance Best Practices:**
+- **Rule Listings:** Automatically update or manually check if new rules or features are reflected in the README.
+- **Installation & Configuration:** Regularly review and update installation and configuration instructions to match the latest project state.
+- **Documentation of Changes:** Document new features, bug fixes, and changes in a changelog or dedicated section.
+- **Section Hierarchy:** Maintain a logical structure with clear headings for easy navigation.
+- **Examples:** Include or update examples for new or changed functionalities.
+- **Version Information:** Keep version numbers and release notes current, linking to the changelog if applicable.
+- **Table of Contents:** Ensure the table of contents reflects the current document structure, using auto-generated if possible.
+- **Badges:** Update badges for CI/CD status, test coverage, or dependencies to reflect current project health.
+- **Accessibility:** Write with accessibility in mind, using alt text for images and semantic markdown.
+
+## Validation
+
+- Ensure proper markdown heading hierarchy for readability.
+- Use consistent table formatting throughout the document.
+- All local links should point to existing files or sections within the project.
+- Check that version placeholders are updated to actual numbers before release.
diff --git a/.cursor/rules/secret-detection.mdc b/.cursor/rules/secret-detection.mdc
index 8c414af..9bdfd64 100644
--- a/.cursor/rules/secret-detection.mdc
+++ b/.cursor/rules/secret-detection.mdc
@@ -1,168 +1,46 @@
-# Secret Detection and Warning Rule
-
-This rule helps identify potential secrets, credentials, and sensitive data in code files to prevent accidental exposure or leakage. It provides warnings when secrets are detected and suggests best practices for secure secret management.
-
-<rule>
-name: secret_detection_warning
-description: Detect and warn about potential secrets and sensitive data in code files
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|py|ts|jsx|tsx|java|rb|go|cs|c|cpp|h|hpp|ini|conf|yaml|yml|json|xml|properties|env|config|sh|bash|zsh)$"
-  - type: file_path
-    pattern: ".*"
-    exclude: "(node_modules|vendor|bower_components|.git|.yarn|dist|build|out|\\.bundle|cache)"
-
-actions:
-  - type: enforce
-    conditions:
-      # Generic API Keys, Tokens, and Credentials
-      - pattern: "(?i)(api[_-]?key|apikey|api[_-]?secret|apisecret|app[_-]?key|appkey|app[_-]?secret|access[_-]?key|accesskey|access[_-]?token|auth[_-]?key|authkey|client[_-]?secret|consumer[_-]?key|consumer[_-]?secret|oauth[_-]?token|token)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
-        message: "Potential API key or secret detected. Consider using environment variables or a secure secrets manager instead of hardcoding sensitive values."
-
-      # AWS Keys and Tokens
-      - pattern: "(?i)(aws[_-]?access[_-]?key|aws[_-]?secret[_-]?key|aws[_-]?account[_-]?id)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
-        message: "Potential AWS key detected. AWS credentials should be stored securely using AWS SDK credential providers, environment variables, or a secrets manager."
-
-      # Google Cloud and Firebase
-      - pattern: "(?i)(google[_-]?api[_-]?key|google[_-]?cloud[_-]?key|firebase[_-]?api[_-]?key)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
-        message: "Potential Google Cloud or Firebase key detected. Use environment variables or a secure secrets manager to store these credentials."
-
-      # Azure and Microsoft
-      - pattern: "(?i)(azure[_-]?key|azure[_-]?connection[_-]?string|microsoft[_-]?key)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
-        message: "Potential Azure or Microsoft key detected. Use Azure Key Vault, environment variables, or a secure secrets manager instead of hardcoding credentials."
-
-      # Database Connection Strings and Credentials
-      - pattern: "(?i)(jdbc:|mongodb[\\+]?://|postgres://|mysql://|database[_-]?url|connection[_-]?string)[^\\n]{10,}(password|pwd)[^\\n]{3,}"
-        message: "Potential database connection string with credentials detected. Use environment variables or a secure configuration manager for database connections."
-
-      # Database Credentials
-      - pattern: "(?i)(db[_-]?password|mysql[_-]?password|postgres[_-]?password|mongo[_-]?password|database[_-]?password)[\\s]*[=:]\\s*['\\\"][^\\s]{3,}['\\\"]"
-        message: "Potential database password detected. Store database credentials in environment variables or use a secure configuration manager."
-
-      # Private Keys and Certificates
-      - pattern: "(?i)-----(BEGIN|END) (RSA |DSA |EC )?(PRIVATE KEY|CERTIFICATE)-----"
-        message: "Private key or certificate material detected. Never include these directly in code - store them securely and reference them from protected locations."
-
-      # SSH Keys
-      - pattern: "(?i)ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3}"
-        message: "SSH key detected. SSH keys should be managed securely and never included directly in code files."
-
-      # Passwords
-      - pattern: "(?i)(password|passwd|pwd|secret)[\\s]*[=:]\\s*['\\\"][^\\s]{3,}['\\\"]"
-        message: "Potential password detected. Never hardcode passwords in code files. Use environment variables or a secure secrets manager."
-
-      # OAuth Tokens
-      - pattern: "(?i)(bearer|oauth|access[_-]?token)[\\s]*[=:]\\s*['\\\"][\\w\\d\\-_.]{30,}['\\\"]"
-        message: "Potential OAuth token detected. Store tokens securely and consider implementing proper token rotation."
-
-      # JWT Tokens
-      - pattern: "(?i)ey[a-zA-Z0-9]{20,}\\.ey[a-zA-Z0-9\\-_]{20,}\\.[a-zA-Z0-9\\-_]{20,}"
-        message: "JWT token detected. Never hardcode JWT tokens directly in your code."
-
-      # GitHub Tokens
-      - pattern: "(?i)gh[pousr]_[a-zA-Z0-9]{20,}"
-        message: "GitHub token detected. GitHub tokens should be stored securely in environment variables or a secrets manager."
-
-      # Slack Tokens
-      - pattern: "(?i)(xox[pbar]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})"
-        message: "Slack token detected. Store Slack tokens securely using environment variables or a secrets manager."
-
-      # Stripe API Keys
-      - pattern: "(?i)(sk|pk)_(test|live)_[0-9a-zA-Z]{24,}"
-        message: "Stripe API key detected. Store Stripe keys securely in environment variables or a secrets manager."
-
-      # Generic Encryption Keys
-      - pattern: "(?i)(encryption[_-]?key|cipher[_-]?key|aes[_-]?key)[\\s]*[=:]\\s*['\\\"][\\w\\d\\-_.]{16,}['\\\"]"
-        message: "Potential encryption key detected. Encryption keys should be managed securely and never hardcoded."
-
-      # .env or config files with credentials
-      - pattern: "(?i)(DB_PASSWORD|API_KEY|SECRET_KEY|ADMIN_PASSWORD)[\\s]*=[\\s]*['\"]?[\\w\\d\\-_.]{3,}['\"]?"
-        message: "Environment variable with credential detected. Make sure .env files are included in .gitignore and .cursorignore."
-
-      # IP Addresses (if they appear with credentials)
-      - pattern: "(?i)(username|password|login|credential)[^\\n]{3,}(?:\\d{1,3}\\.){3}\\d{1,3}"
-        message: "IP address detected near potential credentials. Consider using DNS names and storing connection details securely."
-
-  - type: suggest
-    message: |
-      **Secure Secret Management Best Practices:**
-      
-      1. **Never hardcode secrets in source code**
-         - Secrets in code can be exposed via version control, logs, or screenshots
-         - Code is often shared, backed up, and stored in multiple locations
-      
-      2. **Use environment variables for configuration**
-         - Load secrets from environment variables at runtime
-         - Use libraries like dotenv, but ensure .env files are in .gitignore
-         - Example: `API_KEY=os.environ.get("API_KEY")`
-      
-      3. **Implement secret rotation**
-         - Regularly rotate credentials and keys
-         - Use short-lived tokens when possible
-         - Implement proper secret lifecycle management
-      
-      4. **Use secrets management solutions**
-         - AWS Secrets Manager, Azure Key Vault, HashiCorp Vault
-         - Platform-specific solutions like Kubernetes Secrets
-         - These provide encryption, access control, and audit trails
-      
-      5. **Implement access controls**
-         - Limit who can access secrets
-         - Use the principle of least privilege
-         - Implement proper authentication for secret access
-      
-      6. **Use .gitignore and .cursorignore**
-         - Add patterns for files that might contain secrets
-         - Example patterns: `.env`, `*.key`, `*secret*`, `*.pem`
-         - Verify these files are not committed to version control
-      
-      7. **Consider using secure by default libraries**
-         - Libraries that separate configuration from code
-         - Frameworks with built-in secrets management
-         - Encryption libraries with secure defaults
-      
-      8. **Implement detection tools**
-         - Use pre-commit hooks to prevent secret leakage
-         - Implement scanning in CI/CD pipelines
-         - Consider tools like git-secrets, trufflehog, or detect-secrets
-      
-      9. **Audit and monitor**
-         - Regularly audit code for leaked secrets
-         - Monitor for unauthorized access to secrets
-         - Implement alerts for potential compromises
-      
-      10. **Educate your team**
-          - Train developers on secure secret management
-          - Establish clear procedures for handling secrets
-          - Create a response plan for leaked credentials
-
-  - type: validate
-    conditions:
-      - pattern: "(?i)import\\s+os\\s*;?\\s*.*\\s+os\\.environ(\\.get)?"
-        message: "Environment variable usage detected, which is a good practice for managing secrets."
-      
-      - pattern: "(?i)process\\.env\\."
-        message: "Environment variable usage in JavaScript detected, which is a good practice for managing secrets."
-      
-      - pattern: "(?i)dotenv"
-        message: "Dotenv library usage detected, which can help with environment variable management."
-      
-      - pattern: "(?i)(secret[s]?[_-]?manager|key[_-]?vault|hashicorp|vault)"
-        message: "Secret management solution reference detected, which is a best practice for handling secrets."
-
-metadata:
-  priority: high
-  version: 1.0
-  tags:
-    - category:security
-    - subcategory:secrets
-    - subcategory:sensitive-data
-    - language:all
-    - priority:critical
-  references:
-    - "https://owasp.org/www-community/vulnerabilities/Hardcoded_credentials"
-    - "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
-    - "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning"
-    - "https://cloud.google.com/secret-manager/docs/best-practices"
-    - "https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-deploy-database-credentials/"
-</rule>
\ No newline at end of file
+---
+description: Identify and prevent hardcoded secrets, tokens, and credentials across source files and configuration
+globs: "*"
+alwaysApply: true
+---
+# Secret Detection and Secure Handling
+
+Use this guidance whenever code, configuration, or infrastructure definitions might expose credentials or other sensitive values.
+
+> Priority: high · Version: 1.0 · Tags: security, secrets, sensitive-data, language:all
+
+## Applies To
+- Application source files, infrastructure code, build scripts, and generated configuration.
+- Environment files (`.env`, `.env.*`, `.ini`, `.cfg`, `.yml/.yaml`, `.json`, `.properties`).
+- Key material (`*.pem`, `*.key`, `*.crt`), API client files, and deployment manifests.
+
+## Trigger Indicators
+- High-entropy strings or provider-specific prefixes (AWS, GCP, Azure, GitHub, Stripe, Slack, Twilio, etc.).
+- Inline passwords, tokens, signing keys, or certificates.
+- Database connection strings containing credentials or host/IP pairs.
+- Environment variables committed to version control or CI artifacts.
+
+## Required Checks
+- Remove or refactor any discovered secrets immediately; revoke and rotate exposed credentials before closing the task.
+- Move secret values into managed storage (environment variables, secret managers, platform identity) and document the new source of truth.
+- Update `.gitignore`, `.cursorignore`, and CI artifact policies to prevent reintroduction of the leaked file type or pattern.
+- Capture incident details (secret owner, scope of exposure, rotation status) in the ticket or change log.
+
+## Recommendations
+- Adopt dedicated secret management services (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, Doppler, sealed secrets).
+- Prefer runtime injection via environment variables, service accounts, workload identity, or CI/CD vault integrations.
+- Add automated scanners (git-secrets, detect-secrets, trufflehog, Gitleaks) to pre-commit hooks and pipeline stages.
+- Limit log verbosity and scrub sensitive values from monitoring, tracing, and analytics exports.
+- Establish rotation cadences (e.g., 90-day maximum) with alerting when credentials near expiry or are reused.
+- Provide team training and playbooks covering discovery, rotation, and cleanup steps.
+
+## Positive Signals
+- Usage of `os.environ`, `process.env`, or secrets manager clients instead of literals.
+- Configuration referencing secret identifiers (`vault://`, `aws-secrets://`, `sops://`, `kubernetes.io/secret`) rather than raw values.
+- Repository policies or tests that enforce secret scanning and remediation.
+- Ignore rules preventing accidental commits of `.env`, `*.pem`, `*secret*`, or similar files.
+
+## Automation Tips
+- Maintain allowlists of known dummy keys to reduce false positives without suppressing alerts broadly.
+- Track recurring false positives centrally and share updates across projects installing this rule set.
+- Version control secret scanning baselines to ensure new matches are reviewed intentionally.
diff --git a/.cursor/rules/security-practices.mdc b/.cursor/rules/security-practices.mdc
index 0e012cc..2b93df4 100644
--- a/.cursor/rules/security-practices.mdc
+++ b/.cursor/rules/security-practices.mdc
@@ -7,37 +7,31 @@ alwaysApply: false
 
 Ensures application security standards are maintained.
 
-<rule>
-name: security_practices
-description: Enforce security best practices across the application
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|vue|jsx|tsx)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "eval\\("
-        message: "Avoid using eval() - security risk"
-
-      - pattern: "\\$_GET|\\$_POST|\\$_REQUEST"
-        message: "Use Drupal's input sanitization methods"
-
-      - pattern: "innerHTML"
-        message: "Use textContent or sanitize HTML content"
-
-  - type: suggest
-    message: |
-      Security Best Practices:
-      - Implement CSRF protection
-      - Use prepared statements for queries
-      - Sanitize user input
-      - Implement proper access controls
-      - Follow security updates protocol
-      - Ensure Drupal file permissions are secure (see drupal-file-permissions.mdc)
-      - Use ahoy cli commands instead of direct docker compose exec
-
-metadata:
-  priority: critical
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: critical · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|vue|jsx|tsx)$`
+
+## Required Checks
+
+- Avoid using eval() - security risk
+- Use Drupal's input sanitization methods
+- Use textContent or sanitize HTML content
+
+## Recommendations
+
+Security Best Practices:
+- Implement CSRF protection
+- Use prepared statements for queries
+- Sanitize user input
+- Implement proper access controls
+- Follow security updates protocol
+- Ensure Drupal file permissions are secure (see drupal-file-permissions.mdc)
+- Use ahoy cli commands instead of direct docker compose exec
diff --git a/.cursor/rules/tailwind-standards.mdc b/.cursor/rules/tailwind-standards.mdc
index cd41b93..212030d 100644
--- a/.cursor/rules/tailwind-standards.mdc
+++ b/.cursor/rules/tailwind-standards.mdc
@@ -6,32 +6,27 @@ globs: *.vue, *.jsx, *.tsx, *.html
 
 Ensures consistent and optimized usage of Tailwind CSS classes.
 
-<rule>
-name: tailwind_standards
-description: Enforce Tailwind CSS best practices and organization
-filters:
-  - type: file_extension
-    pattern: "\\.(vue|jsx|tsx|html)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "class=\"[^\"]*\\s{2,}"
-        message: "Remove multiple spaces between Tailwind classes"
-
-      - pattern: "class=\"[^\"]*(?:text-\\w+\\s+text-\\w+|bg-\\w+\\s+bg-\\w+)"
-        message: "Avoid conflicting utility classes"
-
-  - type: suggest
-    message: |
-      Tailwind Best Practices:
-      - Group related utilities together
-      - Use @apply for commonly repeated patterns
-      - Follow responsive design patterns
-      - Implement proper dark mode support
-      - Consider extracting components for repeated patterns
-
-metadata:
-  priority: medium
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: medium · Version: 1.0
+
+## Applies To
+- `*.vue`
+- `*.jsx`
+- `*.tsx`
+- `*.html`
+
+## Trigger Conditions
+- Files matching pattern `\.(vue|jsx|tsx|html)$`
+
+## Required Checks
+
+- Remove multiple spaces between Tailwind classes
+- Avoid conflicting utility classes
+
+## Recommendations
+
+Tailwind Best Practices:
+- Group related utilities together
+- Use @apply for commonly repeated patterns
+- Follow responsive design patterns
+- Implement proper dark mode support
+- Consider extracting components for repeated patterns
diff --git a/.cursor/rules/tests-documentation-maintenance.mdc b/.cursor/rules/tests-documentation-maintenance.mdc
index f5e4a1d..16019cf 100644
--- a/.cursor/rules/tests-documentation-maintenance.mdc
+++ b/.cursor/rules/tests-documentation-maintenance.mdc
@@ -6,37 +6,28 @@ globs: *.php, *.feature, README.md, *.md
 
 Ensures that tests are written and updated for Drupal modules and plugins, and that documentation remains current.
 
-<rule>
-name: tests_documentation_maintenance
-description: Require tests for new functionality and enforce documentation updates.
-filters:
-  - type: file_extension
-    pattern: "\\.(php|feature|md|theme|module|install|info|inc)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "class .*Test extends"
-        message: "Ensure all Drupal modules and plugins have unit tests."
-
-      - pattern: "Feature:.*"
-        message: "Ensure front-end affecting plugins have Behat tests."
-
-      - pattern: "function .*\\("
-        message: "When modifying existing functionality, check and update related tests."
-
-      - pattern: "# README"
-        message: "Ensure README.md exists in each module and is kept up to date."
-
-  - type: suggest
-    message: |
-      Keep tests and documentation updated:
-      - Write **unit tests** for Drupal modules and backend logic.
-      - Write **Behat tests** for plugins that affect front-end behavior.
-      - If functionality changes, **update corresponding tests**.
-      - Maintain a **README.md** file in each module and update it with relevant changes.
-
-metadata:
-  priority: high
-  version: 1.0
-</rule>
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.feature`
+- `README.md`
+- `*.md`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|feature|md|theme|module|install|info|inc)$`
+
+## Required Checks
+
+- Ensure all Drupal modules and plugins have unit tests.
+- Ensure front-end affecting plugins have Behat tests.
+- When modifying existing functionality, check and update related tests.
+- Ensure README.md exists in each module and is kept up to date.
+
+## Recommendations
+
+Keep tests and documentation updated:
+- Write **unit tests** for Drupal modules and backend logic.
+- Write **Behat tests** for plugins that affect front-end behavior.
+- If functionality changes, **update corresponding tests**.
+- Maintain a **README.md** file in each module and update it with relevant changes.
diff --git a/.cursor/rules/third-party-integration.mdc b/.cursor/rules/third-party-integration.mdc
index f7fabcf..ad91db0 100644
--- a/.cursor/rules/third-party-integration.mdc
+++ b/.cursor/rules/third-party-integration.mdc
@@ -6,32 +6,26 @@ globs: *.php, *.js, *.ts
 
 Ensures consistent and secure third-party service integration.
 
-<rule>
-name: third_party_integration
-description: Enforce standards for external service integration
-filters:
-  - type: file_extension
-    pattern: "\\.(php|js|ts)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "new\\s+[A-Z][a-zA-Z]*Client\\("
-        message: "Implement proper error handling for external services"
-
-      - pattern: "process\\.env\\.|getenv\\("
-        message: "Use configuration management for API credentials"
-
-  - type: suggest
-    message: |
-      Integration Best Practices:
-      - Implement proper error handling
-      - Use environment variables
-      - Create service abstractions
-      - Implement retry mechanisms
-      - Monitor integration health
-
-metadata:
-  priority: high
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.php`
+- `*.js`
+- `*.ts`
+
+## Trigger Conditions
+- Files matching pattern `\.(php|js|ts)$`
+
+## Required Checks
+
+- Implement proper error handling for external services
+- Use configuration management for API credentials
+
+## Recommendations
+
+Integration Best Practices:
+- Implement proper error handling
+- Use environment variables
+- Create service abstractions
+- Implement retry mechanisms
+- Monitor integration health
diff --git a/.cursor/rules/vortex-cicd-standards.mdc b/.cursor/rules/vortex-cicd-standards.mdc
index d62afab..541309d 100644
--- a/.cursor/rules/vortex-cicd-standards.mdc
+++ b/.cursor/rules/vortex-cicd-standards.mdc
@@ -6,48 +6,35 @@ globs: .circleci/config.yml, renovate.json, .github/workflows/*.yml
 
 Ensures proper CI/CD and dependency management configuration.
 
-<rule>
-name: vortex_cicd_standards
-description: Enforce standards for Vortex CI/CD and Renovate configuration
-filters:
-  - type: file_name
-    pattern: "^config\\.yml$|^renovate\\.json$|\\.github/workflows/.*\\.yml$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "workflows:\\s+version:\\s*2\\.1"
-        message: "Use Vortex's CircleCI configuration template"
-
-      - pattern: "\"extends\":\\s*\\[\\s*\"config:base\"\\s*\\]"
-        message: "Extend Vortex's Renovate configuration for Drupal projects"
-
-      - pattern: "steps:\\s+- run:\\s+name:\\s+Install dependencies"
-        message: "Use scripts/vortex/provision.sh for consistent provisioning"
-
-  - type: suggest
-    message: |
-      CI/CD Best Practices:
-      - Use dual schedules for Drupal updates
-      - Configure automated PR assignments
-      - Enable deployment notifications
-      - Use provided test scaffolds
-      - Implement proper caching strategy
-      - Configure branch protection rules
-      - Use standardized job naming
-
-  - type: validate
-    conditions:
-      - pattern: "\"packageRules\":\\s*\\[\\s*\\{\\s*\"matchPackagePatterns\":\\s*\\[\"^drupal/core"
-        message: "Configure separate update schedules for Drupal core and contrib"
-
-      - pattern: "jobs:\\s+build_test:"
-        message: "Include all required test jobs from Vortex template"
-
-      - pattern: "- store_test_results:"
-        message: "Enable test results storage for better CI visibility"
-
-metadata:
-  priority: critical
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: critical · Version: 1.0
+
+## Applies To
+- `.circleci/config.yml`
+- `renovate.json`
+- `.github/workflows/*.yml`
+
+## Trigger Conditions
+- Filter `file_name` matching `^config\.yml$|^renovate\.json$|\.github/workflows/.*\.yml$`
+
+## Required Checks
+
+- Use Vortex's CircleCI configuration template
+- Extend Vortex's Renovate configuration for Drupal projects
+- Use scripts/vortex/provision.sh for consistent provisioning
+
+## Recommendations
+
+CI/CD Best Practices:
+- Use dual schedules for Drupal updates
+- Configure automated PR assignments
+- Enable deployment notifications
+- Use provided test scaffolds
+- Implement proper caching strategy
+- Configure branch protection rules
+- Use standardized job naming
+
+## Validation
+
+- Configure separate update schedules for Drupal core and contrib
+- Include all required test jobs from Vortex template
+- Enable test results storage for better CI visibility
diff --git a/.cursor/rules/vortex-scaffold-standards.mdc b/.cursor/rules/vortex-scaffold-standards.mdc
index 897e5da..a08f3fd 100644
--- a/.cursor/rules/vortex-scaffold-standards.mdc
+++ b/.cursor/rules/vortex-scaffold-standards.mdc
@@ -6,52 +6,39 @@ globs: *.yml, *.sh, composer.json, README.md
 
 Ensures proper usage of Vortex/DrevOps scaffold features and workflows.
 
-<rule>
-name: vortex_scaffold_standards
-description: Enforce standards for Vortex/DrevOps scaffold usage
-filters:
-  - type: file_extension
-    pattern: "\\.(yml|yaml|sh|json|md)$"
-  - type: file_path
-    pattern: "scripts/(vortex|drevops)/"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "custom-download-db\\.sh"
-        message: "Use scripts/vortex/download-db.sh router script instead of custom implementation"
-
-      - pattern: "drush\\s+[a-z-]+\\s+--uri="
-        message: "Use DRUPAL_SITE_URL environment variable instead of hardcoded URI"
-
-      - pattern: "composer\\s+require\\s+[^-]"
-        message: "Use Vortex's composer.json template and Renovate for dependency management"
-
-      - pattern: "docker\\s+exec\\s+-it\\s+\\$\\(docker-compose"
-        message: "Use Ahoy commands for container interactions"
-
-  - type: suggest
-    message: |
-      Vortex/DrevOps Best Practices:
-      - Use centralized workflow scripts from scripts/vortex/
-      - Leverage environment variables for configuration
-      - Use Renovate for automated dependency updates
-      - Follow the router script pattern for customizations
-      - Implement proper CI/CD integration
-      - Use provided tool configurations (PHPCS, PHPStan, etc.)
-      - Maintain documentation structure
-      - Ensure CI/CD pipelines include testing and deployment steps
-      - Document CI/CD processes in the README for clarity
-
-  - type: validate
-    conditions:
-      - pattern: "^\\s*source\\s+\\.env"
-        message: "Use scripts/vortex/bootstrap.sh for environment setup"
-
-      - pattern: "docker-compose\\s+exec\\s+cli\\s+vendor/bin/"
-        message: "Use provided Ahoy commands for tool execution"
-
-metadata:
-  priority: high
-  version: 1.1
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.1
+
+## Applies To
+- `*.yml`
+- `*.sh`
+- `composer.json`
+- `README.md`
+
+## Trigger Conditions
+- Files matching pattern `\.(yml|yaml|sh|json|md)$`
+- Paths matching `scripts/(vortex|drevops)/`
+
+## Required Checks
+
+- Use scripts/vortex/download-db.sh router script instead of custom implementation
+- Use DRUPAL_SITE_URL environment variable instead of hardcoded URI
+- Use Vortex's composer.json template and Renovate for dependency management
+- Use Ahoy commands for container interactions
+
+## Recommendations
+
+Vortex/DrevOps Best Practices:
+- Use centralized workflow scripts from scripts/vortex/
+- Leverage environment variables for configuration
+- Use Renovate for automated dependency updates
+- Follow the router script pattern for customizations
+- Implement proper CI/CD integration
+- Use provided tool configurations (PHPCS, PHPStan, etc.)
+- Maintain documentation structure
+- Ensure CI/CD pipelines include testing and deployment steps
+- Document CI/CD processes in the README for clarity
+
+## Validation
+
+- Use scripts/vortex/bootstrap.sh for environment setup
+- Use provided Ahoy commands for tool execution
diff --git a/.cursor/rules/vue-best-practices.mdc b/.cursor/rules/vue-best-practices.mdc
index f4da212..4d8d145 100644
--- a/.cursor/rules/vue-best-practices.mdc
+++ b/.cursor/rules/vue-best-practices.mdc
@@ -6,35 +6,27 @@ globs: *.vue, *.js, *.ts
 
 Ensures Vue 3 and NuxtJS code follows recommended patterns and optimizations.
 
-<rule>
-name: vue_nuxt_best_practices
-description: Enforce Vue 3 and NuxtJS coding standards and optimizations
-filters:
-  - type: file_extension
-    pattern: "\\.(vue|js|ts)$"
-
-actions:
-  - type: enforce
-    conditions:
-      - pattern: "(?<!defineProps|interface|type)\\{\\s*[a-zA-Z]+\\s*:\\s*[a-zA-Z]+\\s*\\}"
-        message: "Use TypeScript interfaces for prop definitions"
-
-      - pattern: "watch\\(.*,.*\\{\\s*immediate:\\s*true\\s*\\}"
-        message: "Consider using computed property instead of immediate watch"
-
-      - pattern: "v-if.*v-for"
-        message: "Avoid using v-if with v-for on the same element"
-
-  - type: suggest
-    message: |
-      Vue 3 Best Practices:
-      - Use Composition API for complex components
-      - Implement proper prop validation
-      - Use TypeScript for better type safety
-      - Leverage Vue 3's reactivity system effectively
-      - Consider using <script setup> syntax
-
-metadata:
-  priority: high
-  version: 1.0
-</rule> 
\ No newline at end of file
+> Priority: high · Version: 1.0
+
+## Applies To
+- `*.vue`
+- `*.js`
+- `*.ts`
+
+## Trigger Conditions
+- Files matching pattern `\.(vue|js|ts)$`
+
+## Required Checks
+
+- Use TypeScript interfaces for prop definitions
+- Consider using computed property instead of immediate watch
+- Avoid using v-if with v-for on the same element
+
+## Recommendations
+
+Vue 3 Best Practices:
+- Use Composition API for complex components
+- Implement proper prop validation
+- Use TypeScript for better type safety
+- Leverage Vue 3's reactivity system effectively
+- Consider using <script setup> syntax

From 78e78cd5fdb936bb744929488ae80548a62de416 Mon Sep 17 00:00:00 2001
From: Ivan Grynenko <ivan.grynenko@gmail.com>
Date: Fri, 24 Oct 2025 22:07:02 +1100
Subject: [PATCH 2/2] Convert Cursor rules to markdown fences

---
 .cursor/rules/accessibility-standards.mdc     |   84 +-
 .cursor/rules/api-standards.mdc               |   86 +-
 .cursor/rules/behat-ai-guide.mdc              |   24 +-
 .cursor/rules/build-optimization.mdc          |   86 +-
 .cursor/rules/code-generation-standards.mdc   |  115 +-
 .cursor/rules/cursor-rules.mdc                |  207 ++-
 .cursor/rules/debugging-standards.mdc         |   62 +-
 .cursor/rules/docker-compose-standards.mdc    |  226 ++-
 .../rules/drupal-authentication-failures.mdc  |  204 ++-
 .../rules/drupal-broken-access-control.mdc    |  159 +-
 .../rules/drupal-cryptographic-failures.mdc   |  193 +-
 .cursor/rules/drupal-database-standards.mdc   |   54 +-
 .cursor/rules/drupal-file-permissions.mdc     |  237 +--
 .cursor/rules/drupal-injection.mdc            |  168 +-
 .cursor/rules/drupal-insecure-design.mdc      |  205 ++-
 .cursor/rules/drupal-integrity-failures.mdc   |  205 ++-
 .cursor/rules/drupal-logging-failures.mdc     |  208 ++-
 .../drupal-security-misconfiguration.mdc      |  195 +-
 .cursor/rules/drupal-ssrf.mdc                 |  197 +-
 .../rules/drupal-vulnerable-components.mdc    |  205 ++-
 .cursor/rules/generic_bash_style.mdc          |  101 +-
 .cursor/rules/git-commit-standards.mdc        |   67 +-
 .cursor/rules/github-actions-standards.mdc    |   81 +-
 .../rules/improve-cursorrules-efficiency.mdc  |  180 +-
 .../javascript-broken-access-control.mdc      |  696 +++----
 .../javascript-cryptographic-failures.mdc     |  515 +++---
 ...identification-authentication-failures.mdc |  882 +++++----
 .cursor/rules/javascript-injection.mdc        |  377 ++--
 .cursor/rules/javascript-insecure-design.mdc  |  882 +++++----
 .cursor/rules/javascript-performance.mdc      |   36 +-
 ...t-security-logging-monitoring-failures.mdc | 1487 ++++++++-------
 .../javascript-security-misconfiguration.mdc  |  830 +++++----
 ...javascript-server-side-request-forgery.mdc | 1595 +++++++++--------
 ...cript-software-data-integrity-failures.mdc | 1206 +++++++------
 .cursor/rules/javascript-standards.mdc        |   74 +-
 ...ascript-vulnerable-outdated-components.mdc |  566 +++---
 .../rules/lagoon-docker-compose-standards.mdc |  124 +-
 .cursor/rules/lagoon-yml-standards.mdc        |  197 +-
 .cursor/rules/multi-agent-coordination.mdc    |   71 +-
 .cursor/rules/new-pull-request.mdc            |   14 +-
 .cursor/rules/node-dependencies.mdc           |   46 +-
 .cursor/rules/php-drupal-best-practices.mdc   |  806 +++++----
 .../php-drupal-development-standards.mdc      |  129 +-
 .cursor/rules/php-memory-optimisation.mdc     |  115 +-
 .cursor/rules/project-definition-template.mdc |  114 +-
 .../pull-request-changelist-instructions.mdc  |  201 ++-
 .../rules/python-authentication-failures.mdc  |  584 +++---
 .../rules/python-broken-access-control.mdc    |  214 ++-
 .../rules/python-cryptographic-failures.mdc   |  303 ++--
 .cursor/rules/python-injection.mdc            |  277 +--
 .cursor/rules/python-insecure-design.mdc      |  428 +++--
 .cursor/rules/python-integrity-failures.mdc   |  629 ++++---
 .../python-logging-monitoring-failures.mdc    |  796 ++++----
 .../python-security-misconfiguration.mdc      |  461 +++--
 .cursor/rules/python-ssrf.mdc                 |  555 +++++-
 .../python-vulnerable-outdated-components.mdc |  408 +++--
 .cursor/rules/react-patterns.mdc              |   53 +-
 .../rules/readme-maintenance-standards.mdc    |  100 +-
 .cursor/rules/secret-detection.mdc            |  215 ++-
 .cursor/rules/security-practices.mdc          |   64 +-
 .cursor/rules/tailwind-standards.mdc          |   51 +-
 .cursor/rules/testing-guidelines.mdc          |    4 +-
 .../rules/tests-documentation-maintenance.mdc |   58 +-
 .cursor/rules/third-party-integration.mdc     |   50 +-
 .cursor/rules/vortex-cicd-standards.mdc       |   75 +-
 .cursor/rules/vortex-scaffold-standards.mdc   |   87 +-
 .cursor/rules/vue-best-practices.mdc          |   54 +-
 67 files changed, 11748 insertions(+), 8230 deletions(-)

diff --git a/.cursor/rules/accessibility-standards.mdc b/.cursor/rules/accessibility-standards.mdc
index ecc2b96..27b0876 100644
--- a/.cursor/rules/accessibility-standards.mdc
+++ b/.cursor/rules/accessibility-standards.mdc
@@ -6,38 +6,52 @@ globs: *.vue, *.jsx, *.tsx, *.html, *.php
 
 Ensures WCAG compliance and accessibility best practices.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-- `*.html`
-- `*.php`
-
-## Trigger Conditions
-- Files matching pattern `\.(vue|jsx|tsx|html|php|css|scss|sass)$`
-
-## Required Checks
-
-- Images must have alt attributes for screen readers.
-- ARIA attributes should not be empty; provide meaningful values.
-- Buttons should have meaningful, descriptive content.
-- Links with href='#' should either be removed or have an aria-label for context.
-- Form inputs should include an aria-label or aria-labelledby attribute for better screen reader support.
-- Videos should include captions for accessibility.
-
-## Recommendations
-
-**Accessibility Best Practices:**
-- **Heading Hierarchy:** Use headings (h1 to h6) in a logical order to structure content.
-- **Keyboard Navigation:** Ensure all interactive elements are accessible via keyboard.
-- **Semantic HTML:** Favor semantic elements like <nav>, <article>, <section>, and <aside> for better structure comprehension.
-- **Color Contrast:** Check color contrast ratios meet WCAG guidelines (4.5:1 for normal text, 7:1 for large text).
-- **Skip Navigation Links:** Provide 'skip to main content' links for keyboard users to bypass repetitive navigation.
-- **Focus Management:** Ensure focus indicators are visible and manage focus for modal dialogs or dynamic content changes.
-- **Form Labels:** Associate labels with form controls using the 'for' attribute or wrap controls with <label>.
-- **Descriptive Links:** Use descriptive text for links, avoiding generic phrases like "click here."
-- **Touch Targets:** Ensure touch target sizes are large enough (at least 44x44 pixels) for mobile users.
-- **Timeouts:** Avoid or provide options to extend time limits where possible, or warn users before session expiry.
-- **Language Attribute:** Set the lang attribute on the <html> element to indicate the primary language of the page.
+```yaml
+name: accessibility_standards
+description: Enforce accessibility standards and WCAG compliance
+filters:
+  - type: file_extension
+    pattern: "\\.(vue|jsx|tsx|html|php|css|scss|sass)$" # Expanded to include CSS files
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "<img[^>]+(?!alt=)[^>]*>"
+        message: "Images must have alt attributes for screen readers."
+
+      - pattern: "aria-[a-z]+=\"\""
+        message: "ARIA attributes should not be empty; provide meaningful values."
+
+      - pattern: "<button[^>]*>(?![^<]*[^\\s])[^<]*</button>"
+        message: "Buttons should have meaningful, descriptive content."
+
+      - pattern: "<a[^>]*href=\"#[^\"]*\"[^>]*>(?![^<]*<svg)[^<]*</a>"
+        message: "Links with href='#' should either be removed or have an aria-label for context."
+
+      - pattern: "<input[^>]+type=\"(text|email|password|search|tel|url)\"[^>]*>"
+        pattern_negate: "aria-label|aria-labelledby|title"
+        message: "Form inputs should include an aria-label or aria-labelledby attribute for better screen reader support."
+
+      - pattern: "<video[^>]*>(?!<track)[^<]*</video>"
+        message: "Videos should include captions for accessibility."
+
+  - type: suggest
+    message: |
+      **Accessibility Best Practices:**
+      - **Heading Hierarchy:** Use headings (h1 to h6) in a logical order to structure content.
+      - **Keyboard Navigation:** Ensure all interactive elements are accessible via keyboard.
+      - **Semantic HTML:** Favor semantic elements like <nav>, <article>, <section>, and <aside> for better structure comprehension.
+      - **Color Contrast:** Check color contrast ratios meet WCAG guidelines (4.5:1 for normal text, 7:1 for large text).
+      - **Skip Navigation Links:** Provide 'skip to main content' links for keyboard users to bypass repetitive navigation.
+      - **Focus Management:** Ensure focus indicators are visible and manage focus for modal dialogs or dynamic content changes.
+      - **Form Labels:** Associate labels with form controls using the 'for' attribute or wrap controls with <label>.
+      - **Descriptive Links:** Use descriptive text for links, avoiding generic phrases like "click here."
+      - **Touch Targets:** Ensure touch target sizes are large enough (at least 44x44 pixels) for mobile users.
+      - **Timeouts:** Avoid or provide options to extend time limits where possible, or warn users before session expiry.
+      - **Language Attribute:** Set the lang attribute on the <html> element to indicate the primary language of the page.
+
+metadata:
+  priority: high
+  version: 1.1
+```
+
diff --git a/.cursor/rules/api-standards.mdc b/.cursor/rules/api-standards.mdc
index bde14d1..ade6b9d 100644
--- a/.cursor/rules/api-standards.mdc
+++ b/.cursor/rules/api-standards.mdc
@@ -6,40 +6,52 @@ globs: *.php, *.js, *.ts
 
 Ensures consistent API design, documentation, and implementation best practices across PHP, JavaScript, and TypeScript files.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `*.php`
-- `*.js`
-- `*.ts`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|js|ts)$`
-
-## Required Checks
-
-- Use standard HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD) for API endpoints.
-- Ensure API functions handle or return errors appropriately using exceptions or HTTP status codes.
-- HTTP methods should be prefixed with '@api' for documentation purposes.
-- Ensure all API responses are properly formatted, preferably as JSON.
-
-## Recommendations
-
-**API Best Practices:**
-- **HTTP Methods:** Use proper HTTP methods for operations (GET for retrieval, POST for creation, etc.).
-- **Status Codes:** Use appropriate HTTP status codes to communicate the result of the request.
-- **Versioning:** Implement API versioning to manage changes without breaking existing integrations.
-- **Documentation:** 
-  - **Swagger/OpenAPI:** Use tools like Swagger for comprehensive API documentation.
-  - **Endpoint Descriptions:** Clearly document all endpoints including path, methods, parameters, and possible responses.
-- **Authentication & Security:**
-  - Implement OAuth, JWT, or similar secure authentication methods.
-  - Use HTTPS for all API communications.
-- **Rate Limiting:** Implement rate limiting to prevent abuse and ensure fair usage.
-- **Error Handling:** 
-  - Provide clear, human-readable error messages with corresponding status codes.
-  - Implement error logging for debugging purposes.
-- **Pagination:** For list endpoints, implement pagination to manage large datasets.
-- **Validation:** Validate input data at the API level to ensure data integrity.
-- **CORS:** Configure CORS headers if your API is meant to be consumed by web applications from different domains.
-- **Monitoring:** Set up monitoring for API performance and usage statistics.
+```yaml
+name: enhanced_api_standards
+description: Enforce enhanced API design, implementation, and documentation standards
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|ts)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "@api\\s+(?!GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)"
+        message: "Use standard HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD) for API endpoints."
+
+      - pattern: "function\\s+[a-zA-Z]+Api\\s*\\([^)]*\\)\\s*\\{[^}]*\\}"
+        pattern_negate: "(?s)(throw new \\w+Exception|return\\s+(?:\\d{3}|4\\d\\d|5\\d\\d))"
+        message: "Ensure API functions handle or return errors appropriately using exceptions or HTTP status codes."
+
+      - pattern: "(?<!@api\\s+)(?<!\\s+returns\\s+)(?<!\\s+throws\\s+)[A-Z]{3,}(?!\\s+)"
+        message: "HTTP methods should be prefixed with '@api' for documentation purposes."
+
+      - pattern: "\\bresponse\\b(?![^;]*\\.json\\()"
+        message: "Ensure all API responses are properly formatted, preferably as JSON."
+
+  - type: suggest
+    message: |
+      **API Best Practices:**
+      - **HTTP Methods:** Use proper HTTP methods for operations (GET for retrieval, POST for creation, etc.).
+      - **Status Codes:** Use appropriate HTTP status codes to communicate the result of the request.
+      - **Versioning:** Implement API versioning to manage changes without breaking existing integrations.
+      - **Documentation:**
+        - **Swagger/OpenAPI:** Use tools like Swagger for comprehensive API documentation.
+        - **Endpoint Descriptions:** Clearly document all endpoints including path, methods, parameters, and possible responses.
+      - **Authentication & Security:**
+        - Implement OAuth, JWT, or similar secure authentication methods.
+        - Use HTTPS for all API communications.
+      - **Rate Limiting:** Implement rate limiting to prevent abuse and ensure fair usage.
+      - **Error Handling:**
+        - Provide clear, human-readable error messages with corresponding status codes.
+        - Implement error logging for debugging purposes.
+      - **Pagination:** For list endpoints, implement pagination to manage large datasets.
+      - **Validation:** Validate input data at the API level to ensure data integrity.
+      - **CORS:** Configure CORS headers if your API is meant to be consumed by web applications from different domains.
+      - **Monitoring:** Set up monitoring for API performance and usage statistics.
+
+metadata:
+  priority: high
+  version: 1.1
+```
+
diff --git a/.cursor/rules/behat-ai-guide.mdc b/.cursor/rules/behat-ai-guide.mdc
index bd76ddc..81cb14f 100644
--- a/.cursor/rules/behat-ai-guide.mdc
+++ b/.cursor/rules/behat-ai-guide.mdc
@@ -73,7 +73,7 @@ class FeatureContext extends DrupalContext {
     use PathTrait;
     use ResponseTrait;
     use WaitTrait;
-    
+
     // Drupal-specific traits
     use BlockTrait;
     use ContentTrait;
@@ -82,7 +82,7 @@ class FeatureContext extends DrupalContext {
     use MediaTrait;
     use TaxonomyTrait;
     use UserTrait;
-    
+
     // Only add custom methods when drevops/behat-steps doesn't provide the functionality
 }
 ```
@@ -212,9 +212,9 @@ The following is the complete reference from [drevops/behat-steps STEPS.md](http
 [Source](vendor/drevops/behat-steps/src/DateTrait.php)
 
 >  Convert relative date expressions into timestamps or formatted dates.
->  
+>
 >  Supports values and tables.
->  
+>
 >  Possible formats:
 >  - `[relative:OFFSET]`
 >  - `[relative:OFFSET#FORMAT]`
@@ -298,7 +298,7 @@ The following is the complete reference from [drevops/behat-steps STEPS.md](http
 >
 >  Skip processing with tags: `@behat-steps-skip:fileDownloadBeforeScenario` or
 >  `@behat-steps-skip:fileDownloadAfterScenario`
->  
+>
 >  Special tags:
 >  - `@download` - enable download handling
 
@@ -418,9 +418,9 @@ The following is the complete reference from [drevops/behat-steps STEPS.md](http
 [Source](vendor/drevops/behat-steps/src/Drupal/BigPipeTrait.php)
 
 >  Bypass Drupal BigPipe when rendering pages.
->  
+>
 >  Activated by adding `@big_pipe` tag to the scenario.
->  
+>
 >  Skip processing with tags: `@behat-steps-skip:bigPipeBeforeScenario` or
 >  `@behat-steps-skip:bigPipeBeforeStep`.
 
@@ -547,7 +547,7 @@ The following is the complete reference from [drevops/behat-steps STEPS.md](http
 >
 >  Skip processing with tags: `@behat-steps-skip:emailBeforeScenario` or
 >  `@behat-steps-skip:emailAfterScenario`
->  
+>
 >  Special tags:
 >  - `@email` - enable email tracking using a default handler
 >  - `@email:{type}` - enable email tracking using a `{type}` handler
@@ -756,10 +756,10 @@ Use `FileTrait` and `MediaTrait` from drevops/behat-steps along with built-in Dr
 [Source](vendor/drevops/behat-steps/src/Drupal/TestmodeTrait.php)
 
 >  Configure Drupal Testmode module for controlled testing scenarios.
->  
+>
 >  Skip processing with tags: `@behat-steps-skip:testmodeBeforeScenario` and
 >  `@behat-steps-skip:testmodeAfterScenario`.
->  
+>
 >  Special tags:
 >  - `@testmode` - enable for scenario
 
@@ -810,7 +810,7 @@ Use `FileTrait` and `MediaTrait` from drevops/behat-steps along with built-in Dr
 >
 >  Skip processing with tags: `@behat-steps-skip:watchdogSetScenario` or
 >  `@behat-steps-skip:watchdogAfterScenario`
->  
+>
 >  Special tags:
 >  - `@watchdog:{type}` - limit watchdog messages to specific types.
 >  - `@error` - add to scenarios that are expected to trigger an error.
@@ -828,7 +828,7 @@ class FeatureContext extends DrupalContext {
     use ContentTrait;  // For content management
     use UserTrait;     // For user operations
     use EmailTrait;    // For email testing
-    
+
     // Custom methods only when absolutely necessary
 }
 ```
diff --git a/.cursor/rules/build-optimization.mdc b/.cursor/rules/build-optimization.mdc
index af933f1..9a939a7 100644
--- a/.cursor/rules/build-optimization.mdc
+++ b/.cursor/rules/build-optimization.mdc
@@ -6,39 +6,53 @@ globs: webpack.config.js, vite.config.js, *.config.js
 
 Ensures optimal build configuration and process for better performance and maintainability.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `webpack.config.js`
-- `vite.config.js`
-- `*.config.js`
-
-## Trigger Conditions
-- Files matching pattern `\.(js|ts|json)$`
-
-## Required Checks
-
-- Set 'mode' to 'production' for production builds unless dynamically set by NODE_ENV.
-- Use 'source-map' or 'hidden-source-map' for production builds to balance performance and debugging.
-- Enable code splitting for all chunks in optimization settings.
-- Enable tree shaking by setting 'usedExports' to true.
-- Use content hashing in filenames for better caching (e.g., '[name].[contenthash].js').
-
-## Recommendations
-
-**Build Optimization Best Practices:**
-- **Code Splitting:** Implement code splitting to load only what's necessary for each page or component.
-- **Tree Shaking:** Enable tree shaking to eliminate dead code, which reduces bundle size.
-- **Asset Optimization:**
-  - Compress images and use modern formats like WebP where supported.
-  - Use lazy loading for images and other media.
-- **Caching:**
-  - Configure proper caching strategies (e.g., HTTP headers, service workers for PWA).
-  - Use long-term caching for static assets with content hashing in filenames.
-- **Modern JavaScript:** 
-  - Use ES6+ features but ensure polyfills for older browsers if needed.
-  - Consider using features like module/nomodule for graceful degradation.
-- **Minification & Compression:** Ensure all JavaScript and CSS are minified and consider enabling gzip compression on the server.
-- **Performance Budgets:** Set performance budgets to keep bundle sizes in check.
-- **Environment Variables:** Use environment variables for configuration differentiation between development and production.
-- **CI/CD:** Integrate with CI/CD pipelines for automated builds and testing, ensuring only optimized code goes to production.
+```yaml
+name: enhanced_build_optimization
+description: Enforce standards for optimizing build processes
+filters:
+  - type: file_extension
+    pattern: "\\.(js|ts|json)$"  # Expanded to cover more config file types
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "mode:\\s*['\"]development['\"]"
+        pattern_negate: "process\\.env\\.NODE_ENV === 'development'"
+        message: "Set 'mode' to 'production' for production builds unless dynamically set by NODE_ENV."
+
+      - pattern: "devtool:\\s*['\"]eval"
+        message: "Use 'source-map' or 'hidden-source-map' for production builds to balance performance and debugging."
+
+      - pattern: "optimization:\\s*{[^}]*?splitChunks:\\s*{[^}]*?chunks:\\s*(?!'all')"
+        message: "Enable code splitting for all chunks in optimization settings."
+
+      - pattern: "optimization:\\s*{[^}]*?usedExports:\\s*(?!true)"
+        message: "Enable tree shaking by setting 'usedExports' to true."
+
+      - pattern: "output\\s*:\\s*{[^}]*?filename:\\s*['\"][^\\[]+['\"]"
+        message: "Use content hashing in filenames for better caching (e.g., '[name].[contenthash].js')."
+
+  - type: suggest
+    message: |
+      **Build Optimization Best Practices:**
+      - **Code Splitting:** Implement code splitting to load only what's necessary for each page or component.
+      - **Tree Shaking:** Enable tree shaking to eliminate dead code, which reduces bundle size.
+      - **Asset Optimization:**
+        - Compress images and use modern formats like WebP where supported.
+        - Use lazy loading for images and other media.
+      - **Caching:**
+        - Configure proper caching strategies (e.g., HTTP headers, service workers for PWA).
+        - Use long-term caching for static assets with content hashing in filenames.
+      - **Modern JavaScript:**
+        - Use ES6+ features but ensure polyfills for older browsers if needed.
+        - Consider using features like module/nomodule for graceful degradation.
+      - **Minification & Compression:** Ensure all JavaScript and CSS are minified and consider enabling gzip compression on the server.
+      - **Performance Budgets:** Set performance budgets to keep bundle sizes in check.
+      - **Environment Variables:** Use environment variables for configuration differentiation between development and production.
+      - **CI/CD:** Integrate with CI/CD pipelines for automated builds and testing, ensuring only optimized code goes to production.
+
+metadata:
+  priority: high
+  version: 1.1
+```
+
diff --git a/.cursor/rules/code-generation-standards.mdc b/.cursor/rules/code-generation-standards.mdc
index 93690cc..898e132 100644
--- a/.cursor/rules/code-generation-standards.mdc
+++ b/.cursor/rules/code-generation-standards.mdc
@@ -6,55 +6,66 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx, *.py
 
 Ensures high-quality, executable code generation adhering to best practices across multiple programming languages.
 
-> Priority: critical · Version: 1.1
-
-## Applies To
-- `*.php`
-- `*.js`
-- `*.ts`
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-- `*.py`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|js|ts|vue|jsx|tsx|py|rb|java)$`
-
-## Required Checks
-
-- Replace TODOs with actual implementation - no placeholders allowed.
-- Implement full functionality - no stub methods.
-- Remove or replace conditional statements that are always false.
-- Remove debug logging unless it's conditional on a debug flag.
-- In Python, prefer type hints over comments for type annotations.
-
-## Recommendations
-
-**Code Generation Best Practices:**
-- **Executable Solutions:** Generate fully functional code, not just skeletons or stubs.
-- **Readability:** 
-  - Prioritize code readability, with clear naming conventions and logical structure.
-  - Use whitespace effectively to enhance code clarity.
-- **Error Handling:** 
-  - Implement comprehensive error handling with appropriate exceptions or error codes.
-  - Consider edge cases and provide meaningful error messages.
-- **Imports/Dependencies:** 
-  - Include all necessary imports or require statements at the beginning of the file.
-  - Manage dependencies to ensure the code is self-contained or clearly documented for setup.
-- **Integration:** 
-  - Code should be immediately usable within the project's existing framework or technology stack.
-  - Ensure compatibility with existing patterns or libraries used in the project.
-- **Formatting:** 
-  - Adhere to the project's coding style guide (e.g., Prettier, Black for Python, etc.).
-  - Use linters and formatters to maintain consistent code style.
-- **Testing:** 
-  - Include unit or integration tests where applicable to validate generated code.
-  - Encourage test-driven development if part of the project's culture.
-- **Documentation:** 
-  - Provide inline comments for complex logic or algorithms.
-  - Write docstrings or JSDoc for functions, classes, and modules to describe usage, parameters, and return values.
-  - Consider generating external documentation if the project uses tools like Swagger for APIs or Sphinx for Python.
-- **Security:** 
-  - Avoid hardcoded credentials or sensitive information.
-  - Follow security best practices for the language (e.g., SQL injection prevention in PHP, XSS in JavaScript).
-- **Performance:** While readability takes precedence, be mindful of performance implications of the generated code.
+```yaml
+name: enhanced_code_generation_standards
+description: Enforce standards for code generation ensuring high quality and integration readiness
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|ts|vue|jsx|tsx|py|rb|java)$"  # Expanded to include Ruby and Java
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "// TODO:|#\\s*TODO:"
+        message: "Replace TODOs with actual implementation - no placeholders allowed."
+
+      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{\\s*(?:return\\s+null|throw\\s+new\\s+Error|console\\.log)\\s*\\}"
+        message: "Implement full functionality - no stub methods."
+
+      - pattern: "\\bif\\b\\s*\\(\\s*false\\s*\\)"
+        message: "Remove or replace conditional statements that are always false."
+
+      - pattern: "\\bconsole\\.[^(]+|print\\s*\\("
+        pattern_negate: "DEBUG|LOGGING"
+        message: "Remove debug logging unless it's conditional on a debug flag."
+
+      - pattern: "^\\s*#\\s*\\w+:\\s*\\w+\\s*$"
+        language: python
+        message: "In Python, prefer type hints over comments for type annotations."
+
+  - type: suggest
+    message: |
+      **Code Generation Best Practices:**
+      - **Executable Solutions:** Generate fully functional code, not just skeletons or stubs.
+      - **Readability:**
+        - Prioritize code readability, with clear naming conventions and logical structure.
+        - Use whitespace effectively to enhance code clarity.
+      - **Error Handling:**
+        - Implement comprehensive error handling with appropriate exceptions or error codes.
+        - Consider edge cases and provide meaningful error messages.
+      - **Imports/Dependencies:**
+        - Include all necessary imports or require statements at the beginning of the file.
+        - Manage dependencies to ensure the code is self-contained or clearly documented for setup.
+      - **Integration:**
+        - Code should be immediately usable within the project's existing framework or technology stack.
+        - Ensure compatibility with existing patterns or libraries used in the project.
+      - **Formatting:**
+        - Adhere to the project's coding style guide (e.g., Prettier, Black for Python, etc.).
+        - Use linters and formatters to maintain consistent code style.
+      - **Testing:**
+        - Include unit or integration tests where applicable to validate generated code.
+        - Encourage test-driven development if part of the project's culture.
+      - **Documentation:**
+        - Provide inline comments for complex logic or algorithms.
+        - Write docstrings or JSDoc for functions, classes, and modules to describe usage, parameters, and return values.
+        - Consider generating external documentation if the project uses tools like Swagger for APIs or Sphinx for Python.
+      - **Security:**
+        - Avoid hardcoded credentials or sensitive information.
+        - Follow security best practices for the language (e.g., SQL injection prevention in PHP, XSS in JavaScript).
+      - **Performance:** While readability takes precedence, be mindful of performance implications of the generated code.
+
+metadata:
+  priority: critical
+  version: 1.1
+```
+
diff --git a/.cursor/rules/cursor-rules.mdc b/.cursor/rules/cursor-rules.mdc
index d8f25a4..8d066cf 100644
--- a/.cursor/rules/cursor-rules.mdc
+++ b/.cursor/rules/cursor-rules.mdc
@@ -2,72 +2,145 @@
 description: Describes how and where to create Cursor Rules
 globs: *.mdc
 ---
-# Cursor Rule Authoring Standards
-
-Standards for storing and maintaining Cursor rule files so every project installs consistent guidance.
-
-> Priority: high · Version: 1.2
-
-## Applies To
-- `*.mdc`
-
-## Trigger Conditions
-- New or modified rule files within the repository.
-- Rule files created outside `.cursor/rules/`.
-- Rules that still use the legacy `<rule>` XML-style format.
-
-## Hard Stops
-
-- Cursor rule files must live under `.cursor/rules/` in the project root.
-- Migrate any legacy `<rule>...</rule>` blocks to front matter + Markdown content.
-
-## Recommended Structure
-```
----
-description: Short summary of what the rule enforces
-globs: *.ext, *.another
-alwaysApply: false
----
-# Rule Title
-
-Introductory paragraph that explains scope and intent.
-
-> Priority: <low|medium|high> · Version: <semver>
-
-## Applies To
-- `*.ext`
-
-## Trigger Conditions
-- Bulleted list describing when reviewers should reference the rule.
-
-## Required Checks / Recommendations / Positive Signals
-- Use headings that suit the rule's enforcement style.
-- Keep bullets short, actionable, and framework-agnostic.
-- Include validation or positive examples when useful.
-
-## References
-- Optional external documentation or internal playbooks.
+# Cursor Rules Location
+
+Standards for placing and organizing Cursor rule files in the repository, ensuring rules are always up-to-date and follow best practices.
+
+```yaml
+name: cursor_rules_location_and_maintenance
+description: Standards for placing and maintaining Cursor rule files in the correct directory
+filters:
+  # Match any .mdc files
+  - type: file_extension
+    pattern: "\\.mdc$"
+  # Match files that look like Cursor rules
+  - type: content
+    pattern: "(?s)<rule>.*?
 ```
 
-## Maintenance Checklist
-- Group related rules using consistent prefixes (e.g. `drupal-*`, `lagoon-*`).
-- Keep filenames kebab-cased with the `.mdc` extension.
-- Review neighbouring rules to avoid duplication or conflicting guidance.
-- Record significant rule updates (scope changes, removals) in commit messages or release notes.
-- Test rules against representative code snippets before distributing updates.
-- Refresh installer documentation and downstream repositories after introducing new rules.
-
-## Examples
-### Correct Placement
-```
-.cursor/rules/php-drupal-development-standards.mdc
-.cursor/rules/security-practices.mdc
-```
-Outcome: Rules are discoverable by Cursor and downstream tooling.
-
-### Incorrect Placement
-```
-rules/php-rule.mdc
-cursor-rules/drupal.mdc
-```
-Outcome: Rules outside `.cursor/rules/` will be ignored by Cursor installers.
+"
+  # Match file creation or modification events
+  - type: event
+    pattern: "file_create|file_modify"
+
+actions:
+  - type: reject
+    conditions:
+      - pattern: "^(?!\\.\\/\\.cursor\\/rules\\/.*\\.mdc$)"
+        message: "Cursor rule files (.mdc) must be placed in the .cursor/rules directory"
+
+  - type: suggest
+    message: |
+      ## Cursor Rules Best Practices
+
+      ### 1. Location and Structure
+      - **Location:** Always place rule files in **PROJECT_ROOT/.cursor/rules/**
+      - **Directory Structure:**
+        ```
+        PROJECT_ROOT/
+        ├── .cursor/
+        │   └── rules/
+        │       ├── your-rule-name.mdc
+        │       └── ...
+        └── ...
+        ```
+
+      ### 2. Naming Conventions
+      - Use **kebab-case** for filenames (e.g., `php-drupal-standards.mdc`)
+      - Always use the **.mdc** extension
+      - Make names descriptive of the rule's purpose
+      - Group related rules with common prefixes (e.g., `drupal-*`, `lagoon-*`)
+
+      ### 3. Rule File Structure
+      ```
+      ---
+      description: Brief description of the rule
+      globs: *.php, *.module, *.inc
+      alwaysApply: false
+      ---
+      # Rule Title
+
+      <rule>
+      name: rule_name_in_snake_case
+      description: Detailed description of what the rule enforces
+      filters:
+        - type: file_extension
+          pattern: "pattern_to_match"
+
+      actions:
+        - type: enforce|suggest|validate
+          conditions:
+            - pattern: "regex_pattern"
+              message: "Clear message explaining the issue"
+
+      metadata:
+        priority: high|medium|low
+        version: 1.0
+      </rule>
+      ```
+
+      ### 4. Rule Maintenance
+      - **When adding new rules:**
+        - Check for overlapping or conflicting rules
+        - Ensure patterns are efficient and specific
+        - Test rules against sample code
+      - **When modifying existing rules:**
+        - Update version number
+        - Document changes in commit messages
+        - Review and update related rules for consistency
+        - Consider backward compatibility
+
+      ### 5. Best Practices for Rule Content
+      - Use clear, specific regex patterns
+      - Provide helpful, actionable messages
+      - Include examples of good and bad code
+      - Set appropriate priority levels
+      - Use multiple conditions for complex rules
+      - Consider performance impact of complex patterns
+
+      ### 6. Rule Testing
+      - Test rules against both compliant and non-compliant code
+      - Verify that messages are clear and helpful
+      - Check for false positives and false negatives
+      - Ensure rules don't conflict with each other
+
+examples:
+  - input: |
+      # Bad: Rule file in wrong location
+      rules/my-rule.mdc
+      my-rule.mdc
+      .rules/my-rule.mdc
+
+      # Good: Rule file in correct location
+      .cursor/rules/my-rule.mdc
+    output: "Correctly placed Cursor rule file"
+
+  - input: |
+      # Bad: Poorly structured rule
+      <rule>
+      name: bad_rule
+      description: This rule does something
+      </rule>
+
+      # Good: Well-structured rule
+      <rule>
+      name: good_rule
+      description: This rule enforces proper error handling in PHP code
+      filters:
+        - type: file_extension
+          pattern: "\\.php$"
+      actions:
+        - type: enforce
+          conditions:
+            - pattern: "try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{\\s*}"
+              message: "Empty catch blocks should include at least error logging"
+      metadata:
+        priority: high
+        version: 1.0
+      </rule>
+    output: "Well-structured Cursor rule with proper components"
+
+metadata:
+  priority: high
+  version: 1.2
+</rule>
diff --git a/.cursor/rules/debugging-standards.mdc b/.cursor/rules/debugging-standards.mdc
index 13af290..e95a63d 100644
--- a/.cursor/rules/debugging-standards.mdc
+++ b/.cursor/rules/debugging-standards.mdc
@@ -6,32 +6,36 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx, *.py
 
 Ensures proper debugging practices and error handling.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.js`
-- `*.ts`
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-- `*.py`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|js|ts|vue|jsx|tsx|py)$`
-
-## Required Checks
-
-- Replace debug statements with proper logging
-- Implement proper error handling in catch blocks
-
-## Recommendations
-
-Debugging Best Practices:
-- Address root causes, not symptoms
-- Add descriptive logging messages
-- Create isolated test functions
-- Implement comprehensive error handling
-- Use appropriate logging levels
-- Add context to error messages
-- Consider debugging tools integration
+```yaml
+name: debugging_standards
+description: Enforce standards for debugging and error handling
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|ts|vue|jsx|tsx|py)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "console\\.log\\(|print_r\\(|var_dump\\("
+        message: "Replace debug statements with proper logging"
+
+      - pattern: "catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
+        message: "Implement proper error handling in catch blocks"
+
+  - type: suggest
+    message: |
+      Debugging Best Practices:
+      - Address root causes, not symptoms
+      - Add descriptive logging messages
+      - Create isolated test functions
+      - Implement comprehensive error handling
+      - Use appropriate logging levels
+      - Add context to error messages
+      - Consider debugging tools integration
+
+metadata:
+  priority: high
+  version: 1.0
+```
+
+
diff --git a/.cursor/rules/docker-compose-standards.mdc b/.cursor/rules/docker-compose-standards.mdc
index 4fb893e..697619a 100644
--- a/.cursor/rules/docker-compose-standards.mdc
+++ b/.cursor/rules/docker-compose-standards.mdc
@@ -1,113 +1,141 @@
 ---
 description: Docker Compose standards Rule
-globs: 
+globs:
 alwaysApply: false
 ---
-> Priority: high · Version: 1.0
 
-## Trigger Conditions
-- Filter `file_name` matching `docker-compose\.ya?ml$`
-- Events `(file_create|file_modify)`
+```yaml
+name: docker_compose_best_practices
+description: Enforces best practices in docker-compose files to ensure maintainability, security, and consistency
+filters:
+  - type: file_name
+    pattern: "docker-compose\\.ya?ml$"
+  - type: event
+    pattern: "(file_create|file_modify)"
+actions:
+  # 1. Prevent deprecated 'version' field
+  - type: reject
+    conditions:
+      - pattern: "^\\s*version\\s*:"
+        message: "The 'version' field is deprecated in Docker Compose files. Compose files are now version-less by default."
+  # 2. Enforce consistent indentation
+  - type: reject
+    conditions:
+      - pattern: "^(  |\t)"
+        message: "Inconsistent indentation detected. Use 2 spaces for indentation."
+  # 3. Prevent usage of deprecated 'links' key
+  - type: reject
+    conditions:
+      - pattern: "^\\s*links\\s*:"
+        message: "The 'links' key is deprecated. Use networks and service names for inter-service communication."
+  # 4. Enforce explicit image tags
+  - type: reject
+    conditions:
+      - pattern: "^\\s*image\\s*:\\s*[^:]+$"
+        message: "Specify an explicit image tag to ensure consistency."
+  # 5. Prevent services from running in privileged mode
+  - type: reject
+    conditions:
+      - pattern: "^\\s*privileged\\s*:\\s*true"
+        message: "Running services in privileged mode is discouraged for security reasons."
+  # 6. Enforce defining resource limits
+  - type: reject
+    conditions:
+      - pattern: "^\\s*services\\s*:\\s*[^\\n]+\\n(?!.*\\blimits\\b)"
+        message: "Define resource limits for each service to prevent resource exhaustion."
+  # Suggestions for best practices
+  - type: suggest
+    message: |
+      To adhere to Docker Compose best practices:
 
-## Hard Stops
+      1. **Omit the 'version' field**: Compose files are version-less by default.
+         ```yaml
+         services:
+           web:
+             image: nginx
+         ```
 
-- The 'version' field is deprecated in Docker Compose files. Compose files are now version-less by default.
-- Inconsistent indentation detected. Use 2 spaces for indentation.
-- The 'links' key is deprecated. Use networks and service names for inter-service communication.
-- Specify an explicit image tag to ensure consistency.
-- Running services in privileged mode is discouraged for security reasons.
-- Define resource limits for each service to prevent resource exhaustion.
+      2. **Use consistent indentation**: Use 2 spaces for indentation.
+         ```yaml
+         services:
+           web:
+             image: nginx
+         ```
 
-## Recommendations
+      3. **Avoid 'links' key**: Use networks and service names for service communication.
+         ```yaml
+         services:
+           web:
+             image: nginx
+             networks:
+               - my-network
+           db:
+             image: mysql
+             networks:
+               - my-network
+         networks:
+           my-network:
+         ```
 
-To adhere to Docker Compose best practices:
+      4. **Specify explicit image tags**: Prevent unintended updates by defining image tags.
+         ```yaml
+         services:
+           web:
+             image: nginx:1.21.0
+         ```
 
-1. **Omit the 'version' field**: Compose files are version-less by default.
-   ```yaml
-   services:
-     web:
-       image: nginx
-   ```
+      5. **Avoid privileged mode**: Do not use 'privileged: true'. Grant specific capabilities if necessary.
+         ```yaml
+         services:
+           web:
+             image: nginx
+             cap_add:
+               - NET_ADMIN
+         ```
 
-2. **Use consistent indentation**: Use 2 spaces for indentation.
-   ```yaml
-   services:
-     web:
-       image: nginx
-   ```
+      6. **Define resource limits**: Prevent services from consuming excessive resources.
+         ```yaml
+         services:
+           web:
+             image: nginx
+             deploy:
+               resources:
+                 limits:
+                   cpus: '0.50'
+                   memory: '512M'
+         ```
 
-3. **Avoid 'links' key**: Use networks and service names for service communication.
-   ```yaml
-   services:
-     web:
-       image: nginx
-       networks:
-         - my-network
-     db:
-       image: mysql
-       networks:
-         - my-network
-   networks:
-     my-network:
-   ```
-
-4. **Specify explicit image tags**: Prevent unintended updates by defining image tags.
-   ```yaml
-   services:
-     web:
-       image: nginx:1.21.0
-   ```
-
-5. **Avoid privileged mode**: Do not use 'privileged: true'. Grant specific capabilities if necessary.
-   ```yaml
-   services:
-     web:
-       image: nginx
-       cap_add:
-         - NET_ADMIN
-   ```
-
-6. **Define resource limits**: Prevent services from consuming excessive resources.
-   ```yaml
-   services:
-     web:
-       image: nginx
-       deploy:
-         resources:
-           limits:
-             cpus: '0.50'
-             memory: '512M'
-   ```
-
-Implementing these practices ensures secure, maintainable, and consistent Docker Compose configurations.
-
-## Examples
-### Example 1
-```
-version: '3'
-services:
-  web:
-    image: nginx
-    links:
-      - db
-    privileged: true
-  db:
-    image: mysql
+      Implementing these practices ensures secure, maintainable, and consistent Docker Compose configurations.
+examples:
+  - input: |
+      version: '3'
+      services:
+        web:
+          image: nginx
+          links:
+            - db
+          privileged: true
+        db:
+          image: mysql
+    output: |
+      services:
+        web:
+          image: nginx:1.21.0
+          networks:
+            - my-network
+          deploy:
+            resources:
+              limits:
+                cpus: '0.50'
+                memory: '512M'
+        db:
+          image: mysql:5.7
+          networks:
+            - my-network
+      networks:
+        my-network:
+metadata:
+  priority: high
+  version: 1.0
 ```
-Outcome: services:
-  web:
-    image: nginx:1.21.0
-    networks:
-      - my-network
-    deploy:
-      resources:
-        limits:
-          cpus: '0.50'
-          memory: '512M'
-  db:
-    image: mysql:5.7
-    networks:
-      - my-network
-networks:
-  my-network:
 
diff --git a/.cursor/rules/drupal-authentication-failures.mdc b/.cursor/rules/drupal-authentication-failures.mdc
index 7ea11b3..1ea37bd 100644
--- a/.cursor/rules/drupal-authentication-failures.mdc
+++ b/.cursor/rules/drupal-authentication-failures.mdc
@@ -7,75 +7,135 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent identification and authentication failures in Drupal applications, as defined in OWASP Top 10:2021-A07.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.inc`
-- `*.module`
-- `*.install`
-- `*.info.yml`
-- `*.theme`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme|yml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Ensure strong password policies are configured to require complexity, length, and prevent common passwords.
-- Custom authentication functions should implement proper validation and not return TRUE without checks.
-- Avoid direct password comparison. Use Drupal's built-in password verification services.
-- Hardcoded credentials detected. Store credentials securely outside of code.
-- Ensure proper CSRF protection is implemented for all authenticated actions.
-- Use Drupal's session management. If custom code is required, ensure secure session handling practices.
-- Ensure proper account lockout and flood control mechanisms are configured to prevent brute force attacks.
-- Verify password reset functionality uses secure tokens with proper expiration and validation.
-- Consider implementing multi-factor authentication for sensitive operations or user roles.
-- Avoid creating default administrator accounts or test users in production code.
-
-## Recommendations
-
-**Drupal Authentication Security Best Practices:**
-
-1. **Password Policies:**
-   - Use Drupal's Password Policy module for enforcing strong passwords
-   - Configure minimum password length (12+ characters recommended)
-   - Require complexity (uppercase, lowercase, numbers, special characters)
-   - Implement password rotation for sensitive roles
-   - Check passwords against known breached password databases
-
-2. **Authentication Infrastructure:**
-   - Use Drupal's core authentication mechanisms rather than custom solutions
-   - Implement proper account lockout after failed login attempts
-   - Consider multi-factor authentication (TFA module) for privileged accounts
-   - Implement session timeout for inactivity
-   - Use HTTPS for all authentication traffic
-
-3. **Session Management:**
-   - Use Drupal's session management system rather than PHP's session functions
-   - Configure secure session cookie settings in settings.php
-   - Implement proper session regeneration on privilege changes
-   - Consider using the Session Limit module to restrict concurrent sessions
-   - Properly destroy sessions on logout
-
-4. **Account Management:**
-   - Implement proper account provisioning and deprovisioning processes
-   - Use email verification for new account registration
-   - Implement secure password reset mechanisms with limited-time tokens
-   - Apply the principle of least privilege for user roles
-   - Regularly audit user accounts and permissions
-
-5. **Authentication Hardening:**
-   - Monitor for authentication failures and suspicious patterns
-   - Implement IP-based and username-based flood control
-   - Log authentication events for security monitoring
-   - Consider CAPTCHA or reCAPTCHA for login forms
-   - Use OAuth or SAML for single sign-on where appropriate
-
-## Validation
-
-- Using Drupal's password services correctly.
-- Form includes CSRF protection token.
-- Using Drupal's session management services.
-- Implementing user flood protection.
+```yaml
+name: drupal_authentication_failures
+description: Detect and prevent identification and authentication failures in Drupal as defined in OWASP Top 10:2021-A07
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme|yml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Weak or missing password policies
+      - pattern: "UserPasswordConstraint|PasswordPolicy|user\\.settings\\.yml"
+        message: "Ensure strong password policies are configured to require complexity, length, and prevent common passwords."
+
+      # Pattern 2: Custom authentication without proper validation
+      - pattern: "(authenticate|login|auth).*function[^}]*return\\s+(TRUE|true|1)\\s*;"
+        message: "Custom authentication functions should implement proper validation and not return TRUE without checks."
+
+      # Pattern 3: Improper password comparison
+      - pattern: "==\\s*\\$password|===\\s*\\$password|strcmp\\(|password_verify\\([^,]+,[^,]+\\$plainTextPassword"
+        message: "Avoid direct password comparison. Use Drupal's built-in password verification services."
+
+      # Pattern 4: Credentials in code
+      - pattern: "(username|user|pass|password|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Hardcoded credentials detected. Store credentials securely outside of code."
+
+      # Pattern 5: Missing or weak CSRF protection
+      - pattern: "drupal_get_token\\(|form_token|\\$form\\[['\"]#token['\"]\\]\\s*=|drupal_valid_token\\("
+        message: "Ensure proper CSRF protection is implemented for all authenticated actions."
+
+      # Pattern 6: Insecure session management
+      - pattern: "setcookie\\(|session_regenerate_id\\(false\\)|session_regenerate_id\\([^\\)]*"
+        message: "Use Drupal's session management. If custom code is required, ensure secure session handling practices."
+
+      # Pattern 7: Missing account lockout protection
+      - pattern: "user\\.flood\\.yml|flood_control|UserFloodControl|user_failed_login_"
+        message: "Ensure proper account lockout and flood control mechanisms are configured to prevent brute force attacks."
+
+      # Pattern 8: Insecure password reset implementation
+      - pattern: "user_pass_reset|password_reset|reset.*token"
+        message: "Verify password reset functionality uses secure tokens with proper expiration and validation."
+
+      # Pattern 9: Lack of multi-factor authentication
+      - pattern: "tfa|two_factor|multi_factor|2fa"
+        message: "Consider implementing multi-factor authentication for sensitive operations or user roles."
+
+      # Pattern 10: Default or test accounts
+      - pattern: "\\$user->name\\s*=\\s*['\"]admin['\"]|\\$name\\s*=\\s*['\"]admin['\"]|->values\\(['\"](mdc:name|mail)['\"]\\)\\s*->\\s*set\\(['\"][^\\'\"]+['\"]\\)"
+        message: "Avoid creating default administrator accounts or test users in production code."
+
+  - type: suggest
+    message: |
+      **Drupal Authentication Security Best Practices:**
+
+      1. **Password Policies:**
+         - Use Drupal's Password Policy module for enforcing strong passwords
+         - Configure minimum password length (12+ characters recommended)
+         - Require complexity (uppercase, lowercase, numbers, special characters)
+         - Implement password rotation for sensitive roles
+         - Check passwords against known breached password databases
+
+      2. **Authentication Infrastructure:**
+         - Use Drupal's core authentication mechanisms rather than custom solutions
+         - Implement proper account lockout after failed login attempts
+         - Consider multi-factor authentication (TFA module) for privileged accounts
+         - Implement session timeout for inactivity
+         - Use HTTPS for all authentication traffic
+
+      3. **Session Management:**
+         - Use Drupal's session management system rather than PHP's session functions
+         - Configure secure session cookie settings in settings.php
+         - Implement proper session regeneration on privilege changes
+         - Consider using the Session Limit module to restrict concurrent sessions
+         - Properly destroy sessions on logout
+
+      4. **Account Management:**
+         - Implement proper account provisioning and deprovisioning processes
+         - Use email verification for new account registration
+         - Implement secure password reset mechanisms with limited-time tokens
+         - Apply the principle of least privilege for user roles
+         - Regularly audit user accounts and permissions
+
+      5. **Authentication Hardening:**
+         - Monitor for authentication failures and suspicious patterns
+         - Implement IP-based and username-based flood control
+         - Log authentication events for security monitoring
+         - Consider CAPTCHA or reCAPTCHA for login forms
+         - Use OAuth or SAML for single sign-on where appropriate
+
+  - type: validate
+    conditions:
+      # Check 1: Proper password handling
+      - pattern: "password_verify\\(|UserPassword|\\\\Drupal::service\\(['\"]password['\"]\\)"
+        message: "Using Drupal's password services correctly."
+
+      # Check 2: CSRF token implementation
+      - pattern: "\\$form\\[['\"]#token['\"]\\]\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Form includes CSRF protection token."
+
+      # Check 3: Proper session management
+      - pattern: "\\$request->getSession\\(\\)|\\\\Drupal::service\\(['\"]session['\"]\\)"
+        message: "Using Drupal's session management services."
+
+      # Check 4: User flood control
+      - pattern: "user\\.flood\\.yml|flood|user_login_final_validate"
+        message: "Implementing user flood protection."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - authentication
+    - identification
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:authentication
+    - standard:owasp-top10
+    - risk:a07-authentication-failures
+  references:
+    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    - "https://www.drupal.org/docs/security-in-drupal/drupal-security-best-practices"
+    - "https://www.drupal.org/project/tfa"
+    - "https://www.drupal.org/project/password_policy"
+```
+
+
diff --git a/.cursor/rules/drupal-broken-access-control.mdc b/.cursor/rules/drupal-broken-access-control.mdc
index d5c618a..fa98f23 100644
--- a/.cursor/rules/drupal-broken-access-control.mdc
+++ b/.cursor/rules/drupal-broken-access-control.mdc
@@ -3,38 +3,127 @@ description: Detect and prevent broken access control vulnerabilities in Drupal
 globs: *.php, *.install, *.module, *.inc, *.theme
 alwaysApply: false
 ---
-# Drupal Broken Access Control Standards (OWASP A01:2021)
-
-Use this checklist to keep Drupal custom code aligned with Drupal's access control APIs and caching rules.
-
-> Priority: high · Version: 1.0 · Tags: security, drupal, access-control, permissions
-
-## Applies To
-- `*.php`, `*.module`, `*.install`, `*.inc`, `*.theme`
-- Custom modules, themes, and profiles under `modules/`, `themes/`, or `profiles/`
-
-## Trigger Conditions
-- Defining routes, controllers, REST resources, or entity operations.
-- Manipulating entity fields, files, or configuration values based on user input.
-- Calling static helpers such as `\Drupal::currentUser()`, `user_access()`, or bypassing dependency injection.
-
-## Required Checks
-- Every route definition must declare access requirements (`_permission`, `_role`, `_entity_access`, or `_custom_access`).
-- Controllers and REST resources should return `AccessResult` objects or delegate to access services; never rely on implicit access.
-- Use `$account->hasPermission()` or injected `AccountInterface` instead of deprecated `user_access()` or UID checks.
-- Before updating or deleting entities, call `$entity->access('<operation>', $account)` and handle forbidden responses explicitly.
-- Inject `current_user` and related services instead of calling `\Drupal::currentUser()` statically for better testability and caching.
-- Avoid IP-based or static UID bypasses; rely on roles, permissions, and access policies.
-
-## Recommendations
-- Implement custom access checkers by extending `AccessCheckInterface` when business rules are complex.
-- Ensure access results add cacheability metadata (`addCacheContexts`, `addCacheTags`, `addCacheableDependency`).
-- Use `hook_entity_access()` or entity access handlers to centralise policy decisions.
-- Document route permissions in README or module docs to aid security reviews.
-- Include Behat/Kernel tests that verify unauthorized users cannot reach protected endpoints.
-
-## Positive Signals
-- Presence of `AccessResult::allowed()`/`forbidden()` with cache metadata.
-- Routes referencing `_entity_access`, `_custom_access`, or `_role` requirements.
-- Services injecting `AccountProxyInterface`, `AccessManagerInterface`, or custom checkers.
-- Test coverage exercising both success and failure paths for access checks.
+# Drupal Broken Access Control Security Standards (OWASP A01:2021)
+
+This rule enforces security best practices to prevent broken access control vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A01.
+
+```yaml
+name: drupal_broken_access_control
+description: Detect and prevent broken access control vulnerabilities in Drupal as defined in OWASP Top 10:2021-A01
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme)$"
+  - type: file_path
+    pattern: "(modules|themes|profiles)/custom"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing access checks in routes
+      - pattern: "\\s*\\$routes\\['[^']*'\\]\\s*=\\s*.*(?!_access|access_callback|requirements)"
+        message: "Route definition is missing access control. Add '_permission', '_role', '_access', or custom access check in requirements."
+
+      # Pattern 2: Using user_access() instead of more secure methods
+      - pattern: "user_access\\("
+        message: "user_access() is deprecated. Use $account->hasPermission() or proper dependency injection with AccessResult methods."
+
+      # Pattern 3: Hard-coded user ID checks
+      - pattern: "(\\$user->id\\(\\)|\\$user->uid)\\s*===?\\s*1"
+        message: "Avoid hardcoded checks against user ID 1. Use role-based permissions or proper access control services."
+
+      # Pattern 4: Missing access check on entity operations
+      - pattern: "\\$entity->(?!access)(save|delete|update)\\(\\)"
+        message: "Entity operation without prior access check. Use \$entity->access('operation') before performing operations."
+
+      # Pattern 5: Using Drupal::currentUser() directly in services
+      - pattern: "\\\\Drupal::currentUser\\(\\)"
+        message: "Avoid using \\Drupal::currentUser() directly. Inject the current_user service for better testability and security."
+
+      # Pattern 6: Missing access checks in controllers
+      - pattern: "class [A-Za-z0-9_]+Controller.+extends ControllerBase[^}]+public function [a-zA-Z0-9_]+\\([^{]*\\)\\s*\\{(?![^}]*access)"
+        message: "Controller method lacks explicit access checking. Add checks via route requirements or within the controller method."
+
+      # Pattern 7: Direct field value manipulation without access check
+      - pattern: "\\$entity->set\\([^)]+\\)\\s*;(?![^;]*access)"
+        message: "Direct field value manipulation without access check. Verify entity field access before manipulation."
+
+      # Pattern 8: Unprotected REST endpoints
+      - pattern: "@RestResource\\([^)]*\\)(?![^{]*_access|access_callback)"
+        message: "REST resource lacks access controls. Add access checks via annotations or in methods."
+
+      # Pattern 9: Insecure access check by client IP
+      - pattern: "\\$_SERVER\\['REMOTE_ADDR'\\]\\s*===?\\s*"
+        message: "IP-based access control is insufficient. Use proper Drupal permission system instead."
+
+      # Pattern 10: Allow bypassing cache for authenticated users without proper checks
+      - pattern: "#cache\\['contexts'\\]\\s*=\\s*\\[[^\\]]*'user'[^\\]]*\\]"
+        message: "Using 'user' cache context without proper access checks may expose content to unauthorized users."
+
+  - type: suggest
+    message: |
+      **Drupal Access Control Best Practices:**
+
+      1. **Route Access Controls:**
+         - Always define access requirements in route definitions
+         - Use permission-based access checks: '_permission', '_role', '_entity_access'
+         - Implement custom access checkers implementing AccessInterface
+
+      2. **Entity Access Controls:**
+         - Always check entity access: $entity->access('view'|'update'|'delete')
+         - Use EntityAccessControlHandler for consistent access control
+         - Respect entity field access with $entity->get('field')->access('view'|'edit')
+
+      3. **Controller Security:**
+         - Inject and use proper services rather than \Drupal static calls
+         - Add explicit access checks within controller methods
+         - Use AccessResult methods (allowed, forbidden, neutral) with proper caching metadata
+
+      4. **Service Security:**
+         - Inject AccountProxyInterface rather than calling currentUser() directly
+         - Use dependency injection for access-related services
+         - Implement session-based CSRF protection with form tokens
+
+      5. **REST/API Security:**
+         - Implement OAuth or proper authentication
+         - Define specific permissions for REST operations
+         - Never rely solely on client-side access control
+
+  - type: validate
+    conditions:
+      # Check 1: Ensuring proper access check implementation
+      - pattern: "AccessResult::(allowed|forbidden|neutral)\\(\\)(?=.*addCacheContexts)"
+        message: "Access check is properly implemented with cache metadata."
+
+      # Check 2: Proper hook_entity_access implementation
+      - pattern: "function hook_entity_access\\([^)]*\\)\\s*\\{[^}]*return AccessResult"
+        message: "Entity access hook is correctly returning AccessResult."
+
+      # Check 3: Properly secured route access
+      - pattern: "_permission|_role|_access|_entity_access|_custom_access"
+        message: "Route has proper access controls defined."
+
+      # Check 4: Secure REST implementation
+      - pattern: "@RestResource\\(.*,\\s*authentication\\s*=\\s*\\{[^}]+\\}"
+        message: "REST Resource has authentication configured."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - access-control
+    - permissions
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:access-control
+    - standard:owasp-top10
+    - risk:a01-broken-access-control
+  references:
+    - "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
+    - "https://www.drupal.org/docs/8/api/routing-system/access-checking-on-routes"
+    - "https://www.drupal.org/docs/8/api/entity-api/entity-access-api"
+```
+
diff --git a/.cursor/rules/drupal-cryptographic-failures.mdc b/.cursor/rules/drupal-cryptographic-failures.mdc
index 19df364..6ffdd45 100644
--- a/.cursor/rules/drupal-cryptographic-failures.mdc
+++ b/.cursor/rules/drupal-cryptographic-failures.mdc
@@ -7,69 +7,130 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent cryptographic failures in Drupal applications, as defined in OWASP Top 10:2021-A02.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme)$`
-- Paths matching `(modules|themes|profiles|core)/.*`
-
-## Required Checks
-
-- Weak hash algorithm detected. Use password_hash() for passwords or hash('sha256'/'sha512') for other data.
-- Hardcoded credentials or sensitive keys detected. Use Drupal's State API, key module, or environment variables.
-- Never store plaintext passwords. Drupal handles password hashing internally.
-- Consider encrypting sensitive file contents using Drupal's encryption API or PHP's openssl functions.
-- Sensitive data in settings.php should be moved to environment variables or settings.local.php.
-- Insecure random number generation. Use random_bytes() or random_int() for cryptographic purposes.
-- Ensure HTTPS is enforced for cached pages containing sensitive information.
-- Consider using field encryption for sensitive data fields.
-- Avoid custom session handling. Use Drupal's session management services.
-- API tokens should include expiration time or rotation mechanism.
-
-## Recommendations
-
-**Drupal Cryptographic Security Best Practices:**
-
-1. **Secure Data Storage:**
-   - Use Drupal's Key module for storing encryption keys
-   - Store sensitive configuration in environment variables or settings.local.php
-   - Use Drupal's State API for non-configuration sensitive data
-   - Never store plaintext sensitive information in the database
-
-2. **Encryption and Hashing:**
-   - Use Drupal's password hashing system, which uses password_hash() internally
-   - For non-password data hashing, use SHA-256 or SHA-512
-   - Use the Encrypt module or PHP's openssl_encrypt() with proper algorithms (AES-256-GCM)
-   - Always use proper salting techniques
-
-3. **Communication Security:**
-   - Enforce HTTPS site-wide using settings.php configuration
-   - Use secure cookies (secure, HttpOnly, SameSite)
-   - Implement proper Content-Security-Policy headers
-   - Use TLS 1.2+ for all connections
-
-4. **API Security:**
-   - Use OAuth or JWT with proper signature verification
-   - Implement token expiration and rotation
-   - Use HMAC for API request signatures when appropriate
-   - Never expose internal encryption keys through APIs
-
-5. **Configuration Best Practices:**
-   - Regularly rotate encryption keys and credentials
-   - Implement secure key storage using key management services
-   - Monitor and log cryptographic operations 
-   - Maintain an inventory of cryptographic algorithms in use
-
-## Validation
-
-- Using Drupal's password system correctly.
-- Using secure random generation methods.
-- Using environment variables or local settings correctly.
-- Using proper encryption methods.
+```yaml
+name: drupal_cryptographic_failures
+description: Detect and prevent cryptographic failures in Drupal as defined in OWASP Top 10:2021-A02
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme)$"
+  - type: file_path
+    pattern: "(modules|themes|profiles|core)/.*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Use of weak hash algorithms
+      - pattern: "(md5|sha1)\\([^)]*\\)"
+        message: "Weak hash algorithm detected. Use password_hash() for passwords or hash('sha256'/'sha512') for other data."
+
+      # Pattern 2: Hardcoded credentials or keys
+      - pattern: "(password|key|token|secret|credentials|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Hardcoded credentials or sensitive keys detected. Use Drupal's State API, key module, or environment variables."
+
+      # Pattern 3: Plaintext password storage
+      - pattern: "\\$user->setPassword\\((?!password_hash|\\$hash)[^)]+\\)"
+        message: "Never store plaintext passwords. Drupal handles password hashing internally."
+
+      # Pattern 4: Improper file encryption
+      - pattern: "file_(get|put)_contents\\([^,]+,\\s*[^,]+\\)"
+        message: "Consider encrypting sensitive file contents using Drupal's encryption API or PHP's openssl functions."
+
+      # Pattern 5: Unprotected sensitive data in settings
+      - pattern: "\\$settings\\[['\"](mdc:?!hash_salt|update_free_access)[^]]+\\]\\s*=\\s*['\"][^\"']+['\"]"
+        message: "Sensitive data in settings.php should be moved to environment variables or settings.local.php."
+
+      # Pattern 6: Insecure random number generation
+      - pattern: "(rand|mt_rand|array_rand)\\("
+        message: "Insecure random number generation. Use random_bytes() or random_int() for cryptographic purposes."
+
+      # Pattern 7: Missing HTTPS enforcement
+      - pattern: "'#cache'|'cache'"
+        message: "Ensure HTTPS is enforced for cached pages containing sensitive information."
+
+      # Pattern 8: Missing encryption for content with private information
+      - pattern: "(->set|->get)\\('field_[^']*(?:password|ssn|credit|card|secret|key|token|credentials|pwd)[^']*'\\)"
+        message: "Consider using field encryption for sensitive data fields."
+
+      # Pattern 9: Custom session handling without proper security
+      - pattern: "session_(start|regenerate_id)"
+        message: "Avoid custom session handling. Use Drupal's session management services."
+
+      # Pattern 10: API tokens without expiration or rotation
+      - pattern: "\\$token\\s*=\\s*.*?\\$[^;]+;(?![^;]*expir|[^;]*valid)"
+        message: "API tokens should include expiration time or rotation mechanism."
+
+  - type: suggest
+    message: |
+      **Drupal Cryptographic Security Best Practices:**
+
+      1. **Secure Data Storage:**
+         - Use Drupal's Key module for storing encryption keys
+         - Store sensitive configuration in environment variables or settings.local.php
+         - Use Drupal's State API for non-configuration sensitive data
+         - Never store plaintext sensitive information in the database
+
+      2. **Encryption and Hashing:**
+         - Use Drupal's password hashing system, which uses password_hash() internally
+         - For non-password data hashing, use SHA-256 or SHA-512
+         - Use the Encrypt module or PHP's openssl_encrypt() with proper algorithms (AES-256-GCM)
+         - Always use proper salting techniques
+
+      3. **Communication Security:**
+         - Enforce HTTPS site-wide using settings.php configuration
+         - Use secure cookies (secure, HttpOnly, SameSite)
+         - Implement proper Content-Security-Policy headers
+         - Use TLS 1.2+ for all connections
+
+      4. **API Security:**
+         - Use OAuth or JWT with proper signature verification
+         - Implement token expiration and rotation
+         - Use HMAC for API request signatures when appropriate
+         - Never expose internal encryption keys through APIs
+
+      5. **Configuration Best Practices:**
+         - Regularly rotate encryption keys and credentials
+         - Implement secure key storage using key management services
+         - Monitor and log cryptographic operations
+         - Maintain an inventory of cryptographic algorithms in use
+
+  - type: validate
+    conditions:
+      # Check 1: Proper password handling
+      - pattern: "UserInterface::PASSWORD_|password_hash\\("
+        message: "Using Drupal's password system correctly."
+
+      # Check 2: Proper random generation
+      - pattern: "random_bytes|random_int|\\\\Drupal::service\\('random'\\)"
+        message: "Using secure random generation methods."
+
+      # Check 3: Secure settings
+      - pattern: "getenv\\('|\\$_ENV\\['|\\$_SERVER\\['|settings\\.local\\.php"
+        message: "Using environment variables or local settings correctly."
+
+      # Check 4: Proper encryption usage
+      - pattern: "openssl_encrypt\\(|\\\\Drupal::service\\('encryption'\\)"
+        message: "Using proper encryption methods."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - cryptography
+    - encryption
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:cryptography
+    - standard:owasp-top10
+    - risk:a02-cryptographic-failures
+  references:
+    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    - "https://www.drupal.org/docs/security-in-drupal"
+    - "https://www.drupal.org/project/key"
+    - "https://www.drupal.org/project/encrypt"
+```
+
+
diff --git a/.cursor/rules/drupal-database-standards.mdc b/.cursor/rules/drupal-database-standards.mdc
index dba0740..a3dc8ba 100644
--- a/.cursor/rules/drupal-database-standards.mdc
+++ b/.cursor/rules/drupal-database-standards.mdc
@@ -6,27 +6,37 @@ globs: *.php, *.install, *.module
 
 Ensures proper database handling in Drupal applications.
 
-> Priority: critical · Version: 1.0
+```yaml
+name: drupal_database_standards
+description: Enforce Drupal database best practices and standards
+filters:
+  - type: file_extension
+    pattern: "\\.(php|install|module)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "db_query"
+        message: "Use Database API instead of db_query"
+
+      - pattern: "hook_update_N.*\\{\\s*[^}]*\\}"
+        message: "Ensure hook_update_N includes proper schema changes"
+
+      - pattern: "\\$query->execute\\(\\)"
+        message: "Consider using try-catch block for database operations"
+
+  - type: suggest
+    message: |
+      Database Best Practices:
+      - Use Schema API for table definitions
+      - Implement proper error handling
+      - Use update hooks for schema changes
+      - Follow Drupal's database abstraction layer
+      - Implement proper indexing strategies
+
+metadata:
+  priority: critical
+  version: 1.0
+```
 
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
 
-## Trigger Conditions
-- Files matching pattern `\.(php|install|module)$`
-
-## Required Checks
-
-- Use Database API instead of db_query
-- Ensure hook_update_N includes proper schema changes
-- Consider using try-catch block for database operations
-
-## Recommendations
-
-Database Best Practices:
-- Use Schema API for table definitions
-- Implement proper error handling
-- Use update hooks for schema changes
-- Follow Drupal's database abstraction layer
-- Implement proper indexing strategies
diff --git a/.cursor/rules/drupal-file-permissions.mdc b/.cursor/rules/drupal-file-permissions.mdc
index 9d18c11..5817632 100644
--- a/.cursor/rules/drupal-file-permissions.mdc
+++ b/.cursor/rules/drupal-file-permissions.mdc
@@ -6,118 +6,131 @@ globs: *.dockerfile, *.sh, docker-compose.yml, Dockerfile
 
 Standards for securing Drupal file permissions in Docker environments and production servers, ensuring proper security while maintaining functionality.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `*.dockerfile`
-- `*.sh`
-- `docker-compose.yml`
-- `Dockerfile`
-
-## Trigger Conditions
-- Files matching pattern `\.(dockerfile|sh|yml)$`
-- Filter `file_name` matching `^Dockerfile$|^docker-compose\.yml$`
-- Files containing `(?i)chmod|chown|drupal|settings\.php|services\.yml`
-
-## Required Checks
-
-- sites/default directory should have 755 permissions (read-only for group/others)
-- settings.php should have 444 permissions (read-only for everyone)
-- services.yml should have 444 permissions (read-only for everyone)
-- sites/default/files directory should have 755 permissions with proper ownership
-- sites/default/files should be owned by the web server user (www-data:www-data)
-
-## Recommendations
-
-## Drupal File Permissions Security Best Practices
-
-### 1. Critical File Permissions
-- **sites/default directory**: 755 (drwxr-xr-x)
-- **settings.php**: 444 (r--r--r--)
-- **services.yml**: 444 (r--r--r--)
-- **settings.local.php**: 444 (r--r--r--)
-- **sites/default/files**: 755 (drwxr-xr-x)
-- **sites/default/files/** (contents): 644 (rw-r--r--) for files, 755 (drwxr-xr-x) for directories
-
-### 2. Ownership Configuration
-- **Web root**: application user (varies by environment)
-- **sites/default/files**: web server user (www-data:www-data)
-
-### 3. Implementation in Dockerfile
-```dockerfile
-# Set proper permissions for Drupal
-RUN mkdir -p /app/${WEBROOT}/sites/default/files && \
-    chown www-data:www-data /app/${WEBROOT}/sites/default/files && \
-    chmod 755 /app/${WEBROOT}/sites/default && \
-    chmod 444 /app/${WEBROOT}/sites/default/settings.php && \
-    chmod 444 /app/${WEBROOT}/sites/default/services.yml && \
-    find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \\; && \
-    find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \\;
+```yaml
+name: drupal_file_permissions
+description: Enforce secure file permissions for Drupal sites/default directory and critical files
+filters:
+  - type: file_extension
+    pattern: "\\.(dockerfile|sh|yml)$"
+  - type: file_name
+    pattern: "^Dockerfile$|^docker-compose\\.yml$"
+  - type: content
+    pattern: "(?i)chmod|chown|drupal|settings\\.php|services\\.yml"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "chmod\\s+(?!755)\\d+\\s+[^\\n]*sites\\/default(?![^\\n]*files)"
+        message: "sites/default directory should have 755 permissions (read-only for group/others)"
+
+      - pattern: "chmod\\s+(?!444)\\d+\\s+[^\\n]*settings\\.php"
+        message: "settings.php should have 444 permissions (read-only for everyone)"
+
+      - pattern: "chmod\\s+(?!444)\\d+\\s+[^\\n]*services\\.yml"
+        message: "services.yml should have 444 permissions (read-only for everyone)"
+
+      - pattern: "chmod\\s+(?!755)\\d+\\s+[^\\n]*sites\\/default\\/files"
+        message: "sites/default/files directory should have 755 permissions with proper ownership"
+
+      - pattern: "chown\\s+(?!www-data:www-data)[^\\s]+\\s+[^\\n]*sites\\/default\\/files"
+        message: "sites/default/files should be owned by the web server user (www-data:www-data)"
+
+  - type: suggest
+    message: |
+      ## Drupal File Permissions Security Best Practices
+
+      ### 1. Critical File Permissions
+      - **sites/default directory**: 755 (drwxr-xr-x)
+      - **settings.php**: 444 (r--r--r--)
+      - **services.yml**: 444 (r--r--r--)
+      - **settings.local.php**: 444 (r--r--r--)
+      - **sites/default/files**: 755 (drwxr-xr-x)
+      - **sites/default/files/** (contents): 644 (rw-r--r--) for files, 755 (drwxr-xr-x) for directories
+
+      ### 2. Ownership Configuration
+      - **Web root**: application user (varies by environment)
+      - **sites/default/files**: web server user (www-data:www-data)
+
+      ### 3. Implementation in Dockerfile
+      ```dockerfile
+      # Set proper permissions for Drupal
+      RUN mkdir -p /app/${WEBROOT}/sites/default/files && \
+          chown www-data:www-data /app/${WEBROOT}/sites/default/files && \
+          chmod 755 /app/${WEBROOT}/sites/default && \
+          chmod 444 /app/${WEBROOT}/sites/default/settings.php && \
+          chmod 444 /app/${WEBROOT}/sites/default/services.yml && \
+          find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \\; && \
+          find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \\;
+      ```
+
+      ### 4. Permission Fix Script
+      Create a script at `/app/scripts/custom/fix-drupal-permissions.sh`:
+      ```bash
+      #!/bin/bash
+
+      # Exit on error
+      set -e
+
+      WEBROOT=${WEBROOT:-web}
+
+      echo "Setting Drupal file permissions..."
+
+      # Ensure directories exist
+      mkdir -p /app/${WEBROOT}/sites/default/files
+
+      # Set ownership
+      chown www-data:www-data /app/${WEBROOT}/sites/default/files
+
+      # Set directory permissions
+      chmod 755 /app/${WEBROOT}/sites/default
+      chmod 755 /app/${WEBROOT}/sites/default/files
+      find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
+
+      # Set file permissions
+      chmod 444 /app/${WEBROOT}/sites/default/settings.php
+      [ -f /app/${WEBROOT}/sites/default/services.yml ] && chmod 444 /app/${WEBROOT}/sites/default/services.yml
+      [ -f /app/${WEBROOT}/sites/default/settings.local.php ] && chmod 444 /app/${WEBROOT}/sites/default/settings.local.php
+      find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
+
+      echo "Drupal file permissions set successfully."
+      ```
+
+      ### 5. Verify Permissions
+      ```bash
+      # Check file permissions
+      ahoy cli "ls -la /app/${WEBROOT}/sites/default"
+      ahoy cli "ls -la /app/${WEBROOT}/sites/default/files"
+
+      # Check Drupal status
+      ahoy drush status-report | grep -i "protected"
+      ```
+
+      ### 6. Security Considerations
+      - Never set 777 permissions on any Drupal files or directories
+      - Temporary files should be stored in private file system when possible
+      - Use Drupal's private file system for sensitive uploads
+      - Implement file access controls through Drupal's permission system
+      - Consider using file encryption for highly sensitive data
+
+examples:
+  - input: |
+      # Bad: Insecure permissions
+      RUN chmod 777 /app/${WEBROOT}/sites/default
+      RUN chmod 666 /app/${WEBROOT}/sites/default/settings.php
+      RUN chmod -R 777 /app/${WEBROOT}/sites/default/files
+
+      # Good: Secure permissions
+      RUN chmod 755 /app/${WEBROOT}/sites/default
+      RUN chmod 444 /app/${WEBROOT}/sites/default/settings.php
+      RUN chmod 444 /app/${WEBROOT}/sites/default/services.yml
+      RUN chown www-data:www-data /app/${WEBROOT}/sites/default/files
+      RUN find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
+      RUN find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
+    output: "Correctly set Drupal file permissions with proper security"
+
+metadata:
+  priority: high
+  version: 1.1
 ```
 
-### 4. Permission Fix Script
-Create a script at `/app/scripts/custom/fix-drupal-permissions.sh`:
-```bash
-#!/bin/bash
 
-# Exit on error
-set -e
-
-WEBROOT=${WEBROOT:-web}
-
-echo "Setting Drupal file permissions..."
-
-# Ensure directories exist
-mkdir -p /app/${WEBROOT}/sites/default/files
-
-# Set ownership
-chown www-data:www-data /app/${WEBROOT}/sites/default/files
-
-# Set directory permissions
-chmod 755 /app/${WEBROOT}/sites/default
-chmod 755 /app/${WEBROOT}/sites/default/files
-find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
-
-# Set file permissions
-chmod 444 /app/${WEBROOT}/sites/default/settings.php
-[ -f /app/${WEBROOT}/sites/default/services.yml ] && chmod 444 /app/${WEBROOT}/sites/default/services.yml
-[ -f /app/${WEBROOT}/sites/default/settings.local.php ] && chmod 444 /app/${WEBROOT}/sites/default/settings.local.php
-find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
-
-echo "Drupal file permissions set successfully."
-```
-
-### 5. Verify Permissions
-```bash
-# Check file permissions
-ahoy cli "ls -la /app/${WEBROOT}/sites/default"
-ahoy cli "ls -la /app/${WEBROOT}/sites/default/files"
-
-# Check Drupal status
-ahoy drush status-report | grep -i "protected"
-```
-
-### 6. Security Considerations
-- Never set 777 permissions on any Drupal files or directories
-- Temporary files should be stored in private file system when possible
-- Use Drupal's private file system for sensitive uploads
-- Implement file access controls through Drupal's permission system
-- Consider using file encryption for highly sensitive data
-
-## Examples
-### Example 1
-```
-# Bad: Insecure permissions
-RUN chmod 777 /app/${WEBROOT}/sites/default
-RUN chmod 666 /app/${WEBROOT}/sites/default/settings.php
-RUN chmod -R 777 /app/${WEBROOT}/sites/default/files
-
-# Good: Secure permissions
-RUN chmod 755 /app/${WEBROOT}/sites/default
-RUN chmod 444 /app/${WEBROOT}/sites/default/settings.php
-RUN chmod 444 /app/${WEBROOT}/sites/default/services.yml
-RUN chown www-data:www-data /app/${WEBROOT}/sites/default/files
-RUN find /app/${WEBROOT}/sites/default/files -type d -exec chmod 755 {} \;
-RUN find /app/${WEBROOT}/sites/default/files -type f -exec chmod 644 {} \;
-```
-Outcome: Correctly set Drupal file permissions with proper security
diff --git a/.cursor/rules/drupal-injection.mdc b/.cursor/rules/drupal-injection.mdc
index a4af6e6..0fe8f61 100644
--- a/.cursor/rules/drupal-injection.mdc
+++ b/.cursor/rules/drupal-injection.mdc
@@ -3,39 +3,135 @@ description: Detect and prevent injection vulnerabilities in Drupal as defined i
 globs: *.php, *.inc, *.module, *.install, *.info.yml, *.theme, **/modules/**, **/themes/**, **/profiles/**
 alwaysApply: false
 ---
-# Drupal Injection Prevention Standards (OWASP A03:2021)
-
-Reference this guide when reviewing Drupal code for SQL, XSS, command, or file injection risks.
-
-> Priority: high · Version: 1.0 · Tags: security, drupal, injection
-
-## Applies To
-- PHP source under custom modules, themes, or profiles (`modules/`, `themes/`, `profiles/`, `core/`).
-- Twig templates and configuration defining markup or executable code.
-
-## Trigger Conditions
-- Database queries constructed from request data or dynamic strings.
-- Output rendering via `#markup`, controllers, Twig, or JavaScript settings.
-- Use of command execution functions, file system access, or redirects influenced by user input.
-
-## Required Checks
-- Use parameterized queries with placeholders (`db_query($sql, $args)`, `$connection->query($sql, $args)`, or EntityQuery) instead of string concatenation.
-- Escape or sanitise all rendered output using `t()`, `Html::escape()`, `Xss::filter()`, or `#plain_text` as appropriate.
-- Validate `#markup` assignments and JavaScript settings before passing user-controlled values.
-- Add CSRF tokens to custom forms (`$form['#token']`) and validate with Form API utilities.
-- Avoid command execution helpers (`exec`, `shell_exec`, `system`, backticks) unless wrapped with `Symfony\Component\Process\Process` and strict allowlists.
-- Validate and whitelist file paths before calling `file_get_contents`, `file_unmanaged_copy`, or similar helpers.
-- Guard redirects (`->redirect()`, `Url::fromUserInput()`) with destination allowlists via `UrlHelper::isExternal()` or `UrlHelper::externalIsAllowed()`.
-
-## Recommendations
-- Prefer Drupal's Database API condition builders (`->condition()`, `->where()`) and `Database::getConnection()->select()` for complex queries.
-- Use Twig templates (auto-escaping) rather than printing raw PHP variables.
-- Centralise dangerous operations in services that perform validation and logging.
-- Leverage Symfony's Process component or queue workers for long-running external commands with controlled environments.
-- Add functional tests covering malicious payloads (SQL injection strings, `<script>` tags, command sequences, traversal paths).
-
-## Positive Signals
-- Queries using placeholders with array arguments or EntityQuery builders.
-- Output sanitised with `t()`, `Xss::filter()`, `Html::escape()`, or `#plain_text`.
-- Forms including CSRF tokens and `FormStateInterface::validateToken()` checks.
-- Usage of `UrlHelper::isValid()`, `UrlHelper::externalIsAllowed()`, or destination allowlists in redirect logic.
+# Drupal Injection Security Standards (OWASP A03:2021)
+
+This rule enforces security best practices to prevent injection vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A03.
+
+```yaml
+name: drupal_injection
+description: Detect and prevent injection vulnerabilities in Drupal as defined in OWASP Top 10:2021-A03
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme)$"
+  - type: file_path
+    pattern: "(modules|themes|profiles|core)/.*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Raw SQL queries without placeholders
+      - pattern: "db_query\\(['\"][^'\"]*\\$[^'\"]*['\"]"
+        message: "Direct variables in SQL queries are vulnerable to SQL injection. Use parameterized queries with placeholders."
+
+      # Pattern 2: Modern DB API without placeholders
+      - pattern: "->query\\(['\"][^'\"]*\\$[^'\"]*['\"]"
+        message: "Use parameterized queries with placeholders to prevent SQL injection: ->query($sql, [$param1, $param2])."
+
+      # Pattern 3: Unescaped output
+      - pattern: "<?=|<?php\\s+echo\\s+(?!(t|\\\\t|\\$this->t))[^;]*;"
+        message: "Direct output may lead to XSS. Use t(), escaped variables with Html::escape(), or Twig templates."
+
+      # Pattern 4: Unfiltered user input in render arrays
+      - pattern: "[\"']#markup[\"']\\s*=>\\s*(?!t\\(|\\\\t\\(|Xss::filterAdmin|Html::escape)\\$"
+        message: "Never use unfiltered variables in #markup. Use t(), Xss::filterAdmin(), or Html::escape()."
+
+      # Pattern 5: Unescaped variables in JavaScript settings
+      - pattern: "->addJsSettings\\(\\[(?![^\\]]*(Xss::filter|Json::encode))\\$"
+        message: "Filter variables before adding to JavaScript settings using Xss::filter() or properly encode with Json::encode()."
+
+      # Pattern 6: Direct command execution
+      - pattern: "exec\\(|shell_exec\\(|system\\(|passthru\\(|proc_open\\(|popen\\(|`"
+        message: "Command execution functions can lead to command injection. Use Symfony\Component\Process\Process if necessary."
+
+      # Pattern 7: Unvalidated redirect
+      - pattern: "->redirect\\(\\s*\\$(?!(this->|allowed_destinations|config))"
+        message: "Unvalidated redirects can lead to open redirect vulnerabilities. Whitelist allowed destinations."
+
+      # Pattern 8: Raw user input in conditions
+      - pattern: "->condition\\([^,]*,\\s*\\$(?!(this->|config|entity|storage))[^,]*,"
+        message: "Use proper input validation before using variables in database conditions to prevent SQL injection."
+
+      # Pattern 9: Missing CSRF protection in forms
+      - pattern: "(?<!buildForm|getFormId)\\s*function\\s+[a-zA-Z0-9_]+Form\\s*\\([^{]*\\{[^}]*return\\s+\\$form;(?![^}]*FormBuilderInterface|[^}]*::TOKEN|[^}]*#token)"
+        message: "Form submissions must include CSRF protection with $form['#token']."
+
+      # Pattern 10: Unvalidated file operations
+      - pattern: "file_get_contents\\(\\s*\\$(?!(this->|allowed_paths|config))"
+        message: "Validate file paths before operations to prevent path traversal attacks."
+
+  - type: suggest
+    message: |
+      **Drupal Injection Prevention Best Practices:**
+
+      1. **SQL Injection Prevention:**
+         - Always use parameterized queries with placeholders
+         - Use the Database API's condition methods: ->condition(), ->where()
+         - Properly escape table and field names with {}
+         - Consider using EntityQuery for entity operations
+
+      2. **XSS Prevention:**
+         - Use Drupal's t() function for user-visible strings
+         - Apply appropriate filtering: Html::escape(), Xss::filter(), Xss::filterAdmin()
+         - Use #plain_text instead of #markup when displaying user input
+         - Utilize Twig's automatic escaping in templates
+         - For admin UIs, be careful with Xss::filterAdmin() as it allows some tags
+
+      3. **CSRF Protection:**
+         - Always include form tokens with $form['#token']
+         - Validate form tokens with FormState->validateToken()
+         - For AJAX requests, utilize Drupal's ajax framework
+         - Use drupal_valid_token() for custom validation
+
+      4. **Command Injection Prevention:**
+         - Avoid command execution functions entirely
+         - Use Symfony\Component\Process\Process with escaped arguments
+         - Validate and whitelist any input used in command contexts
+
+      5. **Path Traversal Prevention:**
+         - Validate file paths with FileSystem::validatedLocalFileSystem()
+         - Use stream wrappers (public://, private://) instead of direct paths
+         - Implement strict input validation for any path components
+
+  - type: validate
+    conditions:
+      # Check 1: Proper SQL query usage
+      - pattern: "->query\\(['\"][^'\"]*\\?[^'\"]*['\"],\\s*\\[[^\\]]*\\]\\)"
+        message: "Properly using parameterized queries with placeholders."
+
+      # Check 2: Proper XSS prevention
+      - pattern: "(t\\(|Xss::filter|Html::escape|#plain_text)"
+        message: "Using proper XSS prevention techniques."
+
+      # Check 3: Proper CSRF protection
+      - pattern: "#token|FormBuilderInterface::TOKEN|drupal_valid_token"
+        message: "Implementing CSRF protection correctly."
+
+      # Check 4: Safe file operations
+      - pattern: "FileSystem::validatedLocalFileSystem|file_exists\\(\\s*DRUPAL_ROOT"
+        message: "Using safe file operation practices."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - injection
+    - sql
+    - xss
+    - csrf
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:injection
+    - standard:owasp-top10
+    - risk:a03-injection
+  references:
+    - "https://owasp.org/Top10/A03_2021-Injection/"
+    - "https://www.drupal.org/docs/security-in-drupal/writing-secure-code-for-drupal"
+    - "https://www.drupal.org/docs/8/security/drupal-8-sanitizing-output"
+    - "https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Utility%21Xss.php/class/Xss/9"
+```
+
+
diff --git a/.cursor/rules/drupal-insecure-design.mdc b/.cursor/rules/drupal-insecure-design.mdc
index 7527d74..76ae6a7 100644
--- a/.cursor/rules/drupal-insecure-design.mdc
+++ b/.cursor/rules/drupal-insecure-design.mdc
@@ -7,76 +7,135 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent insecure design vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A04.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-- `*.yml`
-- `*.info`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme|info\.yml)$`
-- Paths matching `(modules|themes|profiles)/custom`
-
-## Required Checks
-
-- Permissions should follow Drupal naming patterns (verb + object) and be specific. Avoid overly broad permissions.
-- Consider moving business logic rules to configuration to allow for proper adjustment without code changes.
-- Avoid ad hoc sanitization. Use Drupal's built-in sanitization tools: t(), Xss::filter(), etc.
-- Follow separation of concerns. Move database logic to services or repositories, not in controllers.
-- Avoid unconditional access grants. Implement proper conditional checks based on roles, permissions, or entity ownership.
-- Avoid custom session management. Use Drupal's session handling system and services.
-- Excessive static service calls indicate poor dependency injection. Use proper service injection.
-- Avoid custom authentication. Use Drupal's built-in authentication system and services.
-- Database schemas should enforce data integrity with proper constraints (NOT NULL, length, etc.).
-- Security-related configuration should default to secure settings (opt-in for potentially insecure features).
-
-## Recommendations
-
-**Drupal Secure Design Best Practices:**
-
-1. **Secure Architecture Principles:**
-   - Follow the principle of least privilege for all user roles and permissions
-   - Implement defense in depth with multiple security layers
-   - Use Drupal's entity/field API for structured data instead of custom tables
-   - Employ service-oriented architecture with proper dependency injection
-   - Follow Drupal coding standards to leverage community security expertise
-
-2. **Permission System Design:**
-   - Design granular permissions following the verb+object pattern
-   - Avoid creating omnipotent permissions that grant excessive access
-   - Use context-aware access systems like Entity Access or Node Grants
-   - Consider record-based and field-based access for better control
-   - Document permission architecture and security implications
-
-3. **Module Architecture:**
-   - Separate concerns into appropriate services
-   - Use hooks judiciously and document security implications
-   - Implement proper validation and sanitization layers
-   - Design APIs with security in mind from the start
-   - Provide secure default configurations
-
-4. **Data Modeling Security:**
-   - Implement appropriate validation constraints on entity fields
-   - Design schema definitions with integrity constraints
-   - Use appropriate field types for sensitive data
-   - Implement field-level access control when needed
-   - Consider encryption for sensitive stored data
-
-5. **Error Handling and Logging:**
-   - Design contextual error messages (detailed for admins, general for users)
-   - Implement appropriate logging for security events
-   - Avoid exposing sensitive data in error messages
-   - Design fault-tolerant systems that fail securely
-   - Include appropriate transaction management
-
-## Validation
-
-- Using proper dependency injection pattern.
-- Providing configuration schema for validation.
-- Following permission naming conventions.
-- Using dedicated access control handlers for entities.
+```yaml
+name: drupal_insecure_design
+description: Detect and prevent insecure design patterns in Drupal as defined in OWASP Top 10:2021-A04
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme|info\\.yml)$"
+  - type: file_path
+    pattern: "(modules|themes|profiles)/custom"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Insecure permission design
+      - pattern: "\\$permissions\\[['\"][^'\"]+['\"]\\]\\s*=\\s*array\\((?![^)]*(administer|manage|edit|delete)[^)]*(content|configuration|users)).*?\\);"
+        message: "Permissions should follow Drupal naming patterns (verb + object) and be specific. Avoid overly broad permissions."
+
+      # Pattern 2: Hard-coded business logic values
+      - pattern: "if\\s*\\([^\\)]*===?\\s*['\"][a-zA-Z0-9_]+['\"]\\s*\\)"
+        message: "Consider moving business logic rules to configuration to allow for proper adjustment without code changes."
+
+      # Pattern 3: Ad hoc input sanitization
+      - pattern: "preg_replace|str_replace|strip_tags"
+        message: "Avoid ad hoc sanitization. Use Drupal's built-in sanitization tools: t(), Xss::filter(), etc."
+
+      # Pattern 4: Database logic in controllers
+      - pattern: "class\\s+[a-zA-Z0-9_]+Controller.+\\{[^}]*->query\\("
+        message: "Follow separation of concerns. Move database logic to services or repositories, not in controllers."
+
+      # Pattern 5: Weak entity access policy
+      - pattern: "function\\s+[a-zA-Z0-9_]+_entity_access\\([^)]*\\)\\s*\\{[^}]*return\\s+AccessResult::allowed\\(\\);"
+        message: "Avoid unconditional access grants. Implement proper conditional checks based on roles, permissions, or entity ownership."
+
+      # Pattern 6: Custom session management
+      - pattern: "session_start|session_set_cookie_params"
+        message: "Avoid custom session management. Use Drupal's session handling system and services."
+
+      # Pattern 7: Excessive global state dependency
+      - pattern: "(?:\\\\Drupal::[a-zA-Z_]+\\(\\).*){3,}"
+        message: "Excessive static service calls indicate poor dependency injection. Use proper service injection."
+
+      # Pattern 8: Custom user authentication
+      - pattern: "password_verify\\(|password_hash\\("
+        message: "Avoid custom authentication. Use Drupal's built-in authentication system and services."
+
+      # Pattern 9: Missing schema definitions
+      - pattern: "function\\s+[a-zA-Z0-9_]+_schema\\(\\)[^{]*\\{[^}]*return\\s+\\$schema;(?![^}]*validate_utf8|[^}]*'not null')"
+        message: "Database schemas should enforce data integrity with proper constraints (NOT NULL, length, etc.)."
+
+      # Pattern 10: Insecure defaults
+      - pattern: "\\$config\\[['\"](mdc:?!secure_|security_|private_)[^'\"]+['\"]\\]\\s*=\\s*(?:FALSE|0|'0'|\"0\");"
+        message: "Security-related configuration should default to secure settings (opt-in for potentially insecure features)."
+
+  - type: suggest
+    message: |
+      **Drupal Secure Design Best Practices:**
+
+      1. **Secure Architecture Principles:**
+         - Follow the principle of least privilege for all user roles and permissions
+         - Implement defense in depth with multiple security layers
+         - Use Drupal's entity/field API for structured data instead of custom tables
+         - Employ service-oriented architecture with proper dependency injection
+         - Follow Drupal coding standards to leverage community security expertise
+
+      2. **Permission System Design:**
+         - Design granular permissions following the verb+object pattern
+         - Avoid creating omnipotent permissions that grant excessive access
+         - Use context-aware access systems like Entity Access or Node Grants
+         - Consider record-based and field-based access for better control
+         - Document permission architecture and security implications
+
+      3. **Module Architecture:**
+         - Separate concerns into appropriate services
+         - Use hooks judiciously and document security implications
+         - Implement proper validation and sanitization layers
+         - Design APIs with security in mind from the start
+         - Provide secure default configurations
+
+      4. **Data Modeling Security:**
+         - Implement appropriate validation constraints on entity fields
+         - Design schema definitions with integrity constraints
+         - Use appropriate field types for sensitive data
+         - Implement field-level access control when needed
+         - Consider encryption for sensitive stored data
+
+      5. **Error Handling and Logging:**
+         - Design contextual error messages (detailed for admins, general for users)
+         - Implement appropriate logging for security events
+         - Avoid exposing sensitive data in error messages
+         - Design fault-tolerant systems that fail securely
+         - Include appropriate transaction management
+
+  - type: validate
+    conditions:
+      # Check 1: Proper dependency injection
+      - pattern: "protected\\s+\\$[a-zA-Z0-9_]+;[^}]*public\\s+function\\s+__construct\\([^\\)]*\\)"
+        message: "Using proper dependency injection pattern."
+
+      # Check 2: Configuration schema usage
+      - pattern: "config\\/schema\\/[a-zA-Z0-9_]+\\.schema\\.yml"
+        message: "Providing configuration schema for validation."
+
+      # Check 3: Proper permission definition
+      - pattern: "\\$permissions\\[['\"][a-z\\s]+[a-z0-9\\s]+['\"]\\]\\s*=\\s*\\["
+        message: "Following permission naming conventions."
+
+      # Check 4: Entity access handlers
+      - pattern: "@EntityAccessControl\\(|class\\s+[a-zA-Z0-9_]+AccessControlHandler\\s+extends\\s+"
+        message: "Using dedicated access control handlers for entities."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - design
+    - architecture
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:design
+    - standard:owasp-top10
+    - risk:a04-insecure-design
+  references:
+    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
+    - "https://www.drupal.org/docs/develop/security-in-drupal"
+    - "https://www.drupal.org/docs/8/api/entity-api/access-control-for-entities"
+    - "https://www.drupal.org/docs/8/api/configuration-api/configuration-schemametadata"
+```
+
+
diff --git a/.cursor/rules/drupal-integrity-failures.mdc b/.cursor/rules/drupal-integrity-failures.mdc
index 5a18b60..80802d2 100644
--- a/.cursor/rules/drupal-integrity-failures.mdc
+++ b/.cursor/rules/drupal-integrity-failures.mdc
@@ -7,76 +7,135 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent software and data integrity failures in Drupal applications, as defined in OWASP Top 10:2021-A08.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-- `*.yml`
-- `*.json`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme|yml|json)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Insecure PHP deserialization detected. Use safer alternatives like JSON for data interchange or implement proper validation before deserialization.
-- Potentially dangerous code execution function detected. Avoid dynamic code execution whenever possible.
-- Dynamic inclusion of files based on user input is dangerous. Use validated, allowlisted paths only.
-- Ensure update hooks validate the integrity of updates and data transformations to prevent unauthorized modifications.
-- Validate configuration before import to ensure integrity and detect potentially malicious changes.
-- Always validate data from remote sources before processing or storing it. Implement integrity checks for remote content.
-- Verify you're using secure Composer practices: validate package signatures, pin dependencies, and use composer.lock.
-- Direct database modifications should implement validation to preserve data integrity. Prefer using entity API.
-- Implement file integrity checking for uploaded or manipulated files to prevent malicious content.
-- Validate all input used to create entity objects to maintain data integrity and prevent creating malicious entities.
-
-## Recommendations
-
-**Drupal Data & Software Integrity Best Practices:**
-
-1. **Secure Deserialization:**
-   - Avoid PHP's unserialize() with untrusted data entirely
-   - Use JSON or other structured formats for data interchange
-   - When deserialization is necessary, implement allowlists and validation
-   - Consider using Drupal's typed data API for structured data handling
-   - Avoid serializing sensitive data that could be tampered with
-
-2. **Update & Configuration Integrity:**
-   - Validate data before and after migrations/updates
-   - Implement checksums/hashing for critical configuration
-   - Use Drupal's Configuration Management system properly
-   - Monitor configuration changes for unauthorized modifications
-   - Implement proper workflow for configuration management
-
-3. **Dependency & Plugin Security:**
-   - Verify the integrity of downloaded modules and themes
-   - Use Composer with package signature verification
-   - Pin dependencies to specific versions in production
-   - Maintain awareness of security advisories
-   - Implement proper validation for plugin/module loading
-
-4. **CI/CD Pipeline Security:**
-   - Sign build artifacts
-   - Verify signatures during deployment
-   - Implement proper secrets management
-   - Control access to build and deployment systems
-   - Validate code changes through code reviews
-
-5. **Data Integrity Validation:**
-   - Use database constraints to enforce data integrity
-   - Implement validation at every layer of the application
-   - Add integrity checks for critical data flows
-   - Maintain audit logs for data modifications
-   - Regularly verify data consistency
-
-## Validation
-
-- Using safer serialization alternatives.
-- Properly validating entity data.
-- Implementing configuration validation.
-- Using file validation mechanisms.
+```yaml
+name: drupal_integrity_failures
+description: Detect and prevent software and data integrity failures in Drupal as defined in OWASP Top 10:2021-A08
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme|yml|json)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Insecure deserialization
+      - pattern: "unserialize\\(\\$|unserialize\\([^,]+\\$|php_unserialize\\(\\$"
+        message: "Insecure PHP deserialization detected. Use safer alternatives like JSON for data interchange or implement proper validation before deserialization."
+
+      # Pattern 2: Unsafe use of eval or similar functions
+      - pattern: "eval\\(|assert\\(|create_function\\("
+        message: "Potentially dangerous code execution function detected. Avoid dynamic code execution whenever possible."
+
+      # Pattern 3: Insecure plugin/module loading
+      - pattern: "module_load_include\\(\\$|require(_once)?\\s*\\(\\s*\\$|include(_once)?\\s*\\(\\s*\\$"
+        message: "Dynamic inclusion of files based on user input is dangerous. Use validated, allowlisted paths only."
+
+      # Pattern 4: Missing update verification
+      - pattern: "update\\.settings\\.yml|function [a-zA-Z0-9_]+_update_[0-9]+\\(\\)"
+        message: "Ensure update hooks validate the integrity of updates and data transformations to prevent unauthorized modifications."
+
+      # Pattern 5: Unsafe configuration imports
+      - pattern: "ConfigImporter|\\$config_importer|config_import|cmci"
+        message: "Validate configuration before import to ensure integrity and detect potentially malicious changes."
+
+      # Pattern 6: Unchecked remote data
+      - pattern: "drupal_http_request\\(|\\\\Drupal::httpClient\\(\\)->get\\(|curl_exec\\("
+        message: "Always validate data from remote sources before processing or storing it. Implement integrity checks for remote content."
+
+      # Pattern 7: Insecure Composer usage
+      - pattern: "composer\\.json"
+        message: "Verify you're using secure Composer practices: validate package signatures, pin dependencies, and use composer.lock."
+
+      # Pattern 8: Direct database modifications
+      - pattern: "INSERT\\s+INTO|UPDATE\\s+[a-zA-Z0-9_]+\\s+SET|db_update\\(|->update\\(|->insert\\("
+        message: "Direct database modifications should implement validation to preserve data integrity. Prefer using entity API."
+
+      # Pattern 9: Missing file integrity verification
+      - pattern: "file_save_data\\(|file_save_upload\\(|file_copy\\(|file_move\\("
+        message: "Implement file integrity checking for uploaded or manipulated files to prevent malicious content."
+
+      # Pattern 10: Unsafe entity creation
+      - pattern: "\\$entity\\s*=\\s*new\\s+[A-Za-z]+\\(|::create\\(\\$"
+        message: "Validate all input used to create entity objects to maintain data integrity and prevent creating malicious entities."
+
+  - type: suggest
+    message: |
+      **Drupal Data & Software Integrity Best Practices:**
+
+      1. **Secure Deserialization:**
+         - Avoid PHP's unserialize() with untrusted data entirely
+         - Use JSON or other structured formats for data interchange
+         - When deserialization is necessary, implement allowlists and validation
+         - Consider using Drupal's typed data API for structured data handling
+         - Avoid serializing sensitive data that could be tampered with
+
+      2. **Update & Configuration Integrity:**
+         - Validate data before and after migrations/updates
+         - Implement checksums/hashing for critical configuration
+         - Use Drupal's Configuration Management system properly
+         - Monitor configuration changes for unauthorized modifications
+         - Implement proper workflow for configuration management
+
+      3. **Dependency & Plugin Security:**
+         - Verify the integrity of downloaded modules and themes
+         - Use Composer with package signature verification
+         - Pin dependencies to specific versions in production
+         - Maintain awareness of security advisories
+         - Implement proper validation for plugin/module loading
+
+      4. **CI/CD Pipeline Security:**
+         - Sign build artifacts
+         - Verify signatures during deployment
+         - Implement proper secrets management
+         - Control access to build and deployment systems
+         - Validate code changes through code reviews
+
+      5. **Data Integrity Validation:**
+         - Use database constraints to enforce data integrity
+         - Implement validation at every layer of the application
+         - Add integrity checks for critical data flows
+         - Maintain audit logs for data modifications
+         - Regularly verify data consistency
+
+  - type: validate
+    conditions:
+      # Check 1: Secure serialization alternatives
+      - pattern: "json_encode|json_decode|\\\\Drupal::service\\('serialization\\.|->toArray\\(\\)"
+        message: "Using safer serialization alternatives."
+
+      # Check 2: Proper entity validation
+      - pattern: "\\$entity->validate\\(\\)|\\$violations\\s*=\\s*\\$entity->validate\\(\\)"
+        message: "Properly validating entity data."
+
+      # Check 3: Config verification
+      - pattern: "::validateSyncedConfig\\(|ConfigImporter::validate|->getUnprocessedConfiguration\\(\\)"
+        message: "Implementing configuration validation."
+
+      # Check 4: Safe file handling
+      - pattern: "file_validate_|FileValidatorInterface|\\$validators"
+        message: "Using file validation mechanisms."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - integrity
+    - deserialization
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:integrity
+    - standard:owasp-top10
+    - risk:a08-integrity-failures
+  references:
+    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
+    - "https://www.drupal.org/docs/develop/security-in-drupal/drupal-8-sanitizing-output"
+    - "https://www.drupal.org/docs/8/api/configuration-api/configuration-api-overview"
+    - "https://www.drupal.org/docs/develop/using-composer"
+```
+
+
diff --git a/.cursor/rules/drupal-logging-failures.mdc b/.cursor/rules/drupal-logging-failures.mdc
index eb2b0fe..95e7142 100644
--- a/.cursor/rules/drupal-logging-failures.mdc
+++ b/.cursor/rules/drupal-logging-failures.mdc
@@ -7,77 +7,137 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent logging and monitoring failures in Drupal applications, as defined in OWASP Top 10:2021-A09.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-- `*.yml`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme|yml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Critical operations should include logging. Implement proper logging for security-relevant actions.
-- Avoid suppressing errors and warnings. Implement proper error handling and logging instead.
-- Exceptions should be properly logged, especially in security-critical sections.
-- Ensure logging is properly configured and not disabled. Verify log verbosity and retention policies.
-- Authentication events should always be logged for security monitoring and auditing.
-- Consider logging significant access control decisions, especially denials, for security monitoring.
-- File operations should be logged, especially for security-sensitive files.
-- Log messages should include sufficient context and detail for effective security monitoring.
-- Configuration changes should be logged to maintain an audit trail and detect unauthorized changes.
-- API endpoint access should be logged for security monitoring, especially for sensitive operations.
-
-## Recommendations
-
-**Drupal Security Logging & Monitoring Best Practices:**
-
-1. **Comprehensive Logging Implementation:**
-   - Use Drupal's Logger Factory service: `\Drupal::logger('module_name')`
-   - Implement proper log levels: emergency, alert, critical, error, warning, notice, info, debug
-   - Include context in log messages with relevant identifiers and information
-   - Log security-relevant events consistently across the application
-   - Structure log messages to facilitate automated analysis
-
-2. **Critical Events to Log:**
-   - Authentication events (login attempts, failures, logouts)
-   - Access control decisions (particularly denials)
-   - All administrative actions
-   - Data modification operations on sensitive information
-   - Configuration and settings changes
-   - File operations (uploads, downloads of sensitive content)
-   - API access and usage
-
-3. **Logging Configuration:**
-   - Configure appropriate log retention periods based on security requirements
-   - Implement log rotation to maintain performance
-   - Consider using syslog for centralized logging
-   - Protect log files from unauthorized access and modification
-   - Configure appropriate verbosity for different environments
-
-4. **Monitoring Implementation:**
-   - Define security-relevant log patterns to monitor
-   - Implement log aggregation and analysis
-   - Set up alerts for suspicious activity patterns
-   - Establish response procedures for security events
-   - Consider integration with SIEM solutions
-
-5. **Error Handling:**
-   - Log exceptions with appropriate error levels
-   - Include stack traces in development but not production
-   - Implement custom error handlers that ensure proper logging
-   - Avoid suppressing errors that might indicate security issues
-   - Monitor for patterns in error logs that could indicate attacks
-
-## Validation
-
-- Using Drupal's logger service correctly.
-- Including context information in log messages.
-- Configuring logging appropriately.
-- Properly logging exceptions.
+```yaml
+name: drupal_logging_failures
+description: Detect and prevent security logging and monitoring failures in Drupal as defined in OWASP Top 10:2021-A09
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme|yml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing critical event logging
+      - pattern: "(delete|update|create|execute|grant|revoke|config|schema).*function[^}]*\\{(?![^}]*(log|watchdog|logger))"
+        message: "Critical operations should include logging. Implement proper logging for security-relevant actions."
+
+      # Pattern 2: Suppressed error logging
+      - pattern: "@include|@require|@eval|error_reporting\\(0\\)|ini_set\\(['\"](mdc:display_errors|log_errors)['\"],\\s*['\"]0['\"]\\)"
+        message: "Avoid suppressing errors and warnings. Implement proper error handling and logging instead."
+
+      # Pattern 3: Improper exception handling without logging
+      - pattern: "catch\\s*\\([^{]*\\)\\s*\\{(?![^}]*log|[^}]*watchdog|[^}]*logger)"
+        message: "Exceptions should be properly logged, especially in security-critical sections."
+
+      # Pattern 4: Disabled watchdog
+      - pattern: "dblog\\.settings\\.yml|syslog\\.settings\\.yml|logging\\.settings\\.yml"
+        message: "Ensure logging is properly configured and not disabled. Verify log verbosity and retention policies."
+
+      # Pattern 5: Missing authentication event logging
+      - pattern: "(login|authenticate|logout|password).*function[^}]*\\{(?![^}]*(log|watchdog|logger))"
+        message: "Authentication events should always be logged for security monitoring and auditing."
+
+      # Pattern 6: Failure to log access control decisions
+      - pattern: "AccessResult::(allowed|forbidden|neutral)\\([^)]*\\)(?![^;]*(log|watchdog|logger))"
+        message: "Consider logging significant access control decisions, especially denials, for security monitoring."
+
+      # Pattern 7: Missing logging in file operations
+      - pattern: "(file_save|file_delete|file_move|file_copy)[^;]*;(?![^;]*(log|watchdog|logger))"
+        message: "File operations should be logged, especially for security-sensitive files."
+
+      # Pattern 8: Insufficient detail in log messages
+      - pattern: "(\\->log|watchdog)\\([^,)]*,[^,)]*\\)"
+        message: "Log messages should include sufficient context and detail for effective security monitoring."
+
+      # Pattern 9: Failure to log configuration changes
+      - pattern: "\\$config->set\\([^;]*;(?![^;]*(log|watchdog|logger))"
+        message: "Configuration changes should be logged to maintain an audit trail and detect unauthorized changes."
+
+      # Pattern 10: Missing logs for API access
+      - pattern: "class\\s+[a-zA-Z0-9_]+Resource.+\\{[^}]*function\\s+[a-zA-Z0-9_]+\\([^{]*\\)\\s*\\{(?![^}]*(log|watchdog|logger))"
+        message: "API endpoint access should be logged for security monitoring, especially for sensitive operations."
+
+  - type: suggest
+    message: |
+      **Drupal Security Logging & Monitoring Best Practices:**
+
+      1. **Comprehensive Logging Implementation:**
+         - Use Drupal's Logger Factory service: `\Drupal::logger('module_name')`
+         - Implement proper log levels: emergency, alert, critical, error, warning, notice, info, debug
+         - Include context in log messages with relevant identifiers and information
+         - Log security-relevant events consistently across the application
+         - Structure log messages to facilitate automated analysis
+
+      2. **Critical Events to Log:**
+         - Authentication events (login attempts, failures, logouts)
+         - Access control decisions (particularly denials)
+         - All administrative actions
+         - Data modification operations on sensitive information
+         - Configuration and settings changes
+         - File operations (uploads, downloads of sensitive content)
+         - API access and usage
+
+      3. **Logging Configuration:**
+         - Configure appropriate log retention periods based on security requirements
+         - Implement log rotation to maintain performance
+         - Consider using syslog for centralized logging
+         - Protect log files from unauthorized access and modification
+         - Configure appropriate verbosity for different environments
+
+      4. **Monitoring Implementation:**
+         - Define security-relevant log patterns to monitor
+         - Implement log aggregation and analysis
+         - Set up alerts for suspicious activity patterns
+         - Establish response procedures for security events
+         - Consider integration with SIEM solutions
+
+      5. **Error Handling:**
+         - Log exceptions with appropriate error levels
+         - Include stack traces in development but not production
+         - Implement custom error handlers that ensure proper logging
+         - Avoid suppressing errors that might indicate security issues
+         - Monitor for patterns in error logs that could indicate attacks
+
+  - type: validate
+    conditions:
+      # Check 1: Proper logger usage
+      - pattern: "\\\\Drupal::logger\\([^)]+\\)->\\w+\\(|\\$this->logger->\\w+\\("
+        message: "Using Drupal's logger service correctly."
+
+      # Check 2: Context in log messages
+      - pattern: "->\\w+\\([^,]+,\\s*[^,]+,\\s*\\["
+        message: "Including context information in log messages."
+
+      # Check 3: Logging configuration
+      - pattern: "dblog\\.settings|syslog\\.settings|logging\\.yml"
+        message: "Configuring logging appropriately."
+
+      # Check 4: Exception logging
+      - pattern: "catch[^{]*\\{[^}]*logger|catch[^{]*\\{[^}]*watchdog|catch[^{]*\\{[^}]*log"
+        message: "Properly logging exceptions."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - logging
+    - monitoring
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:logging
+    - standard:owasp-top10
+    - risk:a09-logging-monitoring
+  references:
+    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
+    - "https://www.drupal.org/docs/8/api/logging-api/overview"
+    - "https://www.drupal.org/docs/develop/security-in-drupal/writing-secure-code-for-drupal"
+    - "https://www.drupal.org/docs/8/modules/syslog"
+```
+
+
diff --git a/.cursor/rules/drupal-security-misconfiguration.mdc b/.cursor/rules/drupal-security-misconfiguration.mdc
index 9ff9e69..4da66a9 100644
--- a/.cursor/rules/drupal-security-misconfiguration.mdc
+++ b/.cursor/rules/drupal-security-misconfiguration.mdc
@@ -7,71 +7,130 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent misconfiguration vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A05.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-- `*.yml`
-- `*.info`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme|yml|info\.yml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Development settings detected in production code. Ensure these settings are only enabled in development environments.
-- Verify that $settings['trusted_host_patterns'] is properly configured to prevent HTTP Host header attacks.
-- Error display should be disabled in production. Use 'hide' for error_level in production.
-- Excessively permissive file permissions detected. Use more restrictive permissions.
-- Ensure Content-Security-Policy headers are properly configured to prevent XSS attacks.
-- Session cookies should be secure and HTTP-only in production environments.
-- Ensure $settings['file_private_path'] is properly configured for storing sensitive files.
-- Check for development modules (devel, webprofiler, etc.) that should not be enabled in production.
-- Remove or secure default/demo content and users in production environments.
-- Verify X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Referrer-Policy headers are properly configured.
-
-## Recommendations
-
-**Drupal Security Configuration Best Practices:**
-
-1. **Environment-Specific Configurations:**
-   - Use `settings.local.php` for environment-specific settings
-   - Maintain separate development, staging, and production configurations
-   - Never enable development settings in production: update_free_access, rebuild_access, etc.
-   - Use environment variables or secrets management for sensitive information
-
-2. **Essential Security Settings:**
-   - Configure trusted_host_patterns to prevent HTTP Host header attacks
-   - Set secure file permissions (e.g., 0755 for directories, 0644 for files)
-   - Configure private file path for sensitive uploads
-   - Set file_scan_ignore_directories to prevent public access to sensitive directories
-   - Implement secure session cookie settings (HTTPOnly, Secure, SameSite)
-
-3. **Error Handling:**
-   - Disable verbose error reporting in production with $config['system.logging']['error_level'] = 'hide'
-   - Configure custom error pages that don't leak system information
-   - Implement appropriate logging without exposing sensitive data
-
-4. **Security Headers:**
-   - Set Content-Security-Policy to restrict resource origins
-   - Configure X-Frame-Options to prevent clickjacking
-   - Enable X-Content-Type-Options to prevent MIME-type sniffing
-   - Set Referrer-Policy to control information in HTTP referers
-
-5. **Module & Extension Security:**
-   - Disable and uninstall unnecessary modules in production
-   - Keep core and contributed modules updated
-   - Remove development modules from production (devel, webprofiler, etc.)
-   - Implement proper configuration management workflows
-
-## Validation
-
-- Trusted host patterns are properly configured.
-- Secure cookie settings are properly configured.
-- Private file path is configured for sensitive files.
-- Error reporting is properly configured for production.
+```yaml
+name: drupal_security_misconfiguration
+description: Detect and prevent security misconfigurations in Drupal as defined in OWASP Top 10:2021-A05
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme|yml|info\\.yml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Development settings in production code
+      - pattern: "\\$settings\\['update_free_access'\\]\\s*=\\s*TRUE|\\$settings\\['cache'\\]\\s*=\\s*FALSE|\\$settings\\['rebuild_access'\\]\\s*=\\s*TRUE|\\$config\\['system\\.performance'\\]\\['cache'\\]\\s*=\\s*FALSE"
+        message: "Development settings detected in production code. Ensure these settings are only enabled in development environments."
+
+      # Pattern 2: Missing or weak trusted host patterns
+      - pattern: "settings\\.php|settings\\.local\\.php"
+        message: "Verify that $settings['trusted_host_patterns'] is properly configured to prevent HTTP Host header attacks."
+
+      # Pattern 3: Debugging/error display enabled
+      - pattern: "\\$config\\['system\\.logging'\\]\\['error_level'\\]\\s*=\\s*'verbose'|ini_set\\('display_errors'\\s*,\\s*'1'\\)|error_reporting\\(E_ALL\\)"
+        message: "Error display should be disabled in production. Use 'hide' for error_level in production."
+
+      # Pattern 4: Insecure file permissions settings
+      - pattern: "\\$settings\\['file_chmod_directory'\\]\\s*=\\s*0777|\\$settings\\['file_chmod_file'\\]\\s*=\\s*0666"
+        message: "Excessively permissive file permissions detected. Use more restrictive permissions."
+
+      # Pattern 5: Disabled or misconfigured CSP headers
+      - pattern: "\\.htaccess|sites/default/default\\.settings\\.php"
+        message: "Ensure Content-Security-Policy headers are properly configured to prevent XSS attacks."
+
+      # Pattern 6: Insecure session cookie settings
+      - pattern: "session\\.cookie_secure\\s*=\\s*0|session\\.cookie_httponly\\s*=\\s*0|\\$settings\\['cookie_secure_only'\\]\\s*=\\s*FALSE"
+        message: "Session cookies should be secure and HTTP-only in production environments."
+
+      # Pattern 7: Missing or misconfigured private file path
+      - pattern: "settings\\.php"
+        message: "Ensure $settings['file_private_path'] is properly configured for storing sensitive files."
+
+      # Pattern 8: Development modules enabled in production
+      - pattern: "core\\.extension\\.yml"
+        message: "Check for development modules (devel, webprofiler, etc.) that should not be enabled in production."
+
+      # Pattern 9: Default or demo content in production
+      - pattern: "function\\s+[a-zA-Z0-9_]+_install\\(\\)"
+        message: "Remove or secure default/demo content and users in production environments."
+
+      # Pattern 10: Missing or misconfigured security headers
+      - pattern: "\\.htaccess|nginx\\.conf"
+        message: "Verify X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Referrer-Policy headers are properly configured."
+
+  - type: suggest
+    message: |
+      **Drupal Security Configuration Best Practices:**
+
+      1. **Environment-Specific Configurations:**
+         - Use `settings.local.php` for environment-specific settings
+         - Maintain separate development, staging, and production configurations
+         - Never enable development settings in production: update_free_access, rebuild_access, etc.
+         - Use environment variables or secrets management for sensitive information
+
+      2. **Essential Security Settings:**
+         - Configure trusted_host_patterns to prevent HTTP Host header attacks
+         - Set secure file permissions (e.g., 0755 for directories, 0644 for files)
+         - Configure private file path for sensitive uploads
+         - Set file_scan_ignore_directories to prevent public access to sensitive directories
+         - Implement secure session cookie settings (HTTPOnly, Secure, SameSite)
+
+      3. **Error Handling:**
+         - Disable verbose error reporting in production with $config['system.logging']['error_level'] = 'hide'
+         - Configure custom error pages that don't leak system information
+         - Implement appropriate logging without exposing sensitive data
+
+      4. **Security Headers:**
+         - Set Content-Security-Policy to restrict resource origins
+         - Configure X-Frame-Options to prevent clickjacking
+         - Enable X-Content-Type-Options to prevent MIME-type sniffing
+         - Set Referrer-Policy to control information in HTTP referers
+
+      5. **Module & Extension Security:**
+         - Disable and uninstall unnecessary modules in production
+         - Keep core and contributed modules updated
+         - Remove development modules from production (devel, webprofiler, etc.)
+         - Implement proper configuration management workflows
+
+  - type: validate
+    conditions:
+      # Check 1: Proper trusted host patterns
+      - pattern: "\\$settings\\['trusted_host_patterns'\\]\\s*=\\s*\\[\\s*['\"][^\"']+['\"]"
+        message: "Trusted host patterns are properly configured."
+
+      # Check 2: Secure session cookie settings
+      - pattern: "\\$settings\\['cookie_secure_only'\\]\\s*=\\s*TRUE|session\\.cookie_secure\\s*=\\s*1"
+        message: "Secure cookie settings are properly configured."
+
+      # Check 3: Private file path configuration
+      - pattern: "\\$settings\\['file_private_path'\\]\\s*=\\s*(\"|')[^\"']+(\"|')"
+        message: "Private file path is configured for sensitive files."
+
+      # Check 4: Production error settings
+      - pattern: "\\$config\\['system\\.logging'\\]\\['error_level'\\]\\s*=\\s*'hide'"
+        message: "Error reporting is properly configured for production."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - configuration
+    - misconfiguration
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:configuration
+    - standard:owasp-top10
+    - risk:a05-misconfiguration
+  references:
+    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+    - "https://www.drupal.org/docs/security-in-drupal/securing-your-site"
+    - "https://www.drupal.org/docs/security-in-drupal/drupal-security-best-practices"
+    - "https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8"
+```
+
+
diff --git a/.cursor/rules/drupal-ssrf.mdc b/.cursor/rules/drupal-ssrf.mdc
index ead6268..be07286 100644
--- a/.cursor/rules/drupal-ssrf.mdc
+++ b/.cursor/rules/drupal-ssrf.mdc
@@ -7,71 +7,132 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent Server-Side Request Forgery (SSRF) vulnerabilities in Drupal applications, as defined in OWASP Top 10:2021-A10.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.inc`
-- `*.module`
-- `*.install`
-- `*.theme`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|theme)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Potential SSRF vulnerability: URL constructed with user input. Validate and sanitize user-supplied URL parameters before making requests.
-- Validate and restrict URLs before making HTTP requests with Guzzle to prevent SSRF attacks.
-- HTTP requests should validate URLs with \Drupal\Component\Utility\UrlHelper::isValid() before execution to prevent SSRF.
-- Potential SSRF vulnerability: URL being constructed with variable concatenation. Use URL validation and allowlisting.
-- Avoid using PHP wrappers with file operations that could lead to SSRF vulnerabilities.
-- Bypassing proxy settings can lead to SSRF vulnerabilities. Maintain proper proxy configurations.
-- XML processing without disabling external entities can lead to XXE and SSRF. Use libxml_disable_entity_loader(true).
-- Hardcoded internal IP addresses or localhost may facilitate SSRF attacks if exposed to user manipulation.
-- Always validate URLs with UrlHelper::isValid() before making HTTP requests with Drupal's HTTP client.
-- Potential SSRF vulnerability: Restrict allowed ports for outbound HTTP requests to prevent service probing.
-
-## Recommendations
-
-**Drupal SSRF Prevention Best Practices:**
-
-1. **Input Validation for URLs:**
-   - Always validate any user-supplied URL or URL components
-   - Use `\Drupal\Component\Utility\UrlHelper::isValid()` to validate URLs
-   - Implement allowlists rather than blocklists for domains/IPs
-   - Parse URLs and validate each component (protocol, domain, port, path)
-   
-2. **Network-Level Controls:**
-   - Implement network-level access controls for internal services
-   - Use application firewalls to restrict outbound connections
-   - Configure proxies to control and monitor outbound requests
-   - Segment sensitive internal services from public-facing applications
-   
-3. **Request Handling:**
-   - Avoid passing raw user input to HTTP clients
-   - Set reasonable timeouts for all HTTP requests
-   - Disable HTTP redirects or limit redirect chains
-   - Validate response types match expected formats
-   - Use dedicated service accounts with minimal privileges for API calls
-   
-4. **Drupal-Specific Controls:**
-   - Utilize Drupal's built-in UrlHelper class for URL validation
-   - Configure Guzzle HTTP client with appropriate security options
-   - Consider using middleware to enforce URL validation
-   - Use Drupal's logging system to record suspicious outbound requests
-   - Implement specific content security policies
-   
-5. **Authentication and Access Controls:**
-   - Implement proper authentication for internal service calls
-   - Use context-specific API tokens with limited privileges
-   - Avoid exposing service credentials in code or configurations
-   - Implement rate limiting for outbound requests
-
-## Validation
-
-- Using proper URL validation with UrlHelper.
-- Implementing domain/URL allowlisting for outbound requests.
-- Properly disabling XML external entities.
-- Using Drupal's HTTP client with explicit options.
+```yaml
+name: drupal_ssrf
+description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in Drupal applications as defined in OWASP Top 10:2021-A10
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|theme)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Unsafe URL construction with user input
+      - pattern: "(file_get_contents|fopen|curl_exec|drupal_http_request|\\$client->request|\\$client->get|Drupal::httpClient\\(\\)->get)\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)[^)]*\\)"
+        message: "Potential SSRF vulnerability: URL constructed with user input. Validate and sanitize user-supplied URL parameters before making requests."
+
+      # Pattern 2: Unsafe Guzzle HTTP client usage
+      - pattern: "GuzzleHttp\\\\Client[^;]*;[^;]*->request\\s*\\([^;]*\\$[^;]*"
+        message: "Validate and restrict URLs before making HTTP requests with Guzzle to prevent SSRF attacks."
+
+      # Pattern 3: Missing URL validation before making HTTP requests
+      - pattern: "(Http(Client|Request)|curl_exec|file_get_contents)\\s*\\([^)]*(http|\\$[a-zA-Z0-9_]+)[^)]*\\)[^;]*;(?![^;]*(valid|check|sanitize|UrlHelper))"
+        message: "HTTP requests should validate URLs with \\Drupal\\Component\\Utility\\UrlHelper::isValid() before execution to prevent SSRF."
+
+      # Pattern 4: Unsafe URL construction with variable input
+      - pattern: "(https?:?//|www\\.)\\s*\\.\\s*\\$[a-zA-Z0-9_]+"
+        message: "Potential SSRF vulnerability: URL being constructed with variable concatenation. Use URL validation and allowlisting."
+
+      # Pattern 5: Using file system wrappers which can lead to SSRF
+      - pattern: "file_get_contents\\([\"'](mdc:?:http|https|ftp|php|data|expect|zip|phar)://"
+        message: "Avoid using PHP wrappers with file operations that could lead to SSRF vulnerabilities."
+
+      # Pattern 6: Bypassing local proxy settings
+      - pattern: "CURLOPT_PROXY[^;]*none|CURLOPT_PROXY[^;]*null"
+        message: "Bypassing proxy settings can lead to SSRF vulnerabilities. Maintain proper proxy configurations."
+
+      # Pattern 7: Unsafe processing of XML with external entities
+      - pattern: "simplexml_load_|DOMDocument|SimpleXMLElement|xml_parse"
+        message: "XML processing without disabling external entities can lead to XXE and SSRF. Use libxml_disable_entity_loader(true)."
+
+      # Pattern 8: Accessing or using internal network IPs
+      - pattern: "(127\\.0\\.0\\.1|10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|172\\.(1[6-9]|2[0-9]|3[0-1])\\.[0-9]{1,3}\\.[0-9]{1,3}|192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}|169\\.254\\.[0-9]{1,3}\\.[0-9]{1,3}|localhost)"
+        message: "Hardcoded internal IP addresses or localhost may facilitate SSRF attacks if exposed to user manipulation."
+
+      # Pattern 9: Custom Drupal HTTP client usage without validation
+      - pattern: "\\\\Drupal::httpClient\\(\\)(?!.*[^;]*UrlHelper::isValid)"
+        message: "Always validate URLs with UrlHelper::isValid() before making HTTP requests with Drupal's HTTP client."
+
+      # Pattern 10: Allowing unrestricted ports in HTTP requests
+      - pattern: "curl_setopt\\([^,]+,\\s*CURLOPT_PORT,\\s*\\$[a-zA-Z0-9_]+"
+        message: "Potential SSRF vulnerability: Restrict allowed ports for outbound HTTP requests to prevent service probing."
+
+  - type: suggest
+    message: |
+      **Drupal SSRF Prevention Best Practices:**
+
+      1. **Input Validation for URLs:**
+         - Always validate any user-supplied URL or URL components
+         - Use `\Drupal\Component\Utility\UrlHelper::isValid()` to validate URLs
+         - Implement allowlists rather than blocklists for domains/IPs
+         - Parse URLs and validate each component (protocol, domain, port, path)
+
+      2. **Network-Level Controls:**
+         - Implement network-level access controls for internal services
+         - Use application firewalls to restrict outbound connections
+         - Configure proxies to control and monitor outbound requests
+         - Segment sensitive internal services from public-facing applications
+
+      3. **Request Handling:**
+         - Avoid passing raw user input to HTTP clients
+         - Set reasonable timeouts for all HTTP requests
+         - Disable HTTP redirects or limit redirect chains
+         - Validate response types match expected formats
+         - Use dedicated service accounts with minimal privileges for API calls
+
+      4. **Drupal-Specific Controls:**
+         - Utilize Drupal's built-in UrlHelper class for URL validation
+         - Configure Guzzle HTTP client with appropriate security options
+         - Consider using middleware to enforce URL validation
+         - Use Drupal's logging system to record suspicious outbound requests
+         - Implement specific content security policies
+
+      5. **Authentication and Access Controls:**
+         - Implement proper authentication for internal service calls
+         - Use context-specific API tokens with limited privileges
+         - Avoid exposing service credentials in code or configurations
+         - Implement rate limiting for outbound requests
+
+  - type: validate
+    conditions:
+      # Check 1: Proper URL validation
+      - pattern: "UrlHelper::isValid\\([^)]+\\)"
+        message: "Using proper URL validation with UrlHelper."
+
+      # Check 2: Allowlisting domains
+      - pattern: "array_intersect|in_array|allowlist|whitelist"
+        message: "Implementing domain/URL allowlisting for outbound requests."
+
+      # Check 3: Safe XML processing
+      - pattern: "libxml_disable_entity_loader\\(true\\)"
+        message: "Properly disabling XML external entities."
+
+      # Check 4: Using Drupal's HTTP client safely
+      - pattern: "\\\\Drupal::httpClient\\(\\)[^;]*\\$options"
+        message: "Using Drupal's HTTP client with explicit options."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - ssrf
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:ssrf
+    - standard:owasp-top10
+    - risk:a10-ssrf
+  references:
+    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
+    - "https://cwe.mitre.org/data/definitions/918.html"
+    - "https://www.drupal.org/docs/develop/security-in-drupal/writing-secure-code-for-drupal"
+    - "https://portswigger.net/web-security/ssrf"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+```
+
+
diff --git a/.cursor/rules/drupal-vulnerable-components.mdc b/.cursor/rules/drupal-vulnerable-components.mdc
index 24aa929..0a47018 100644
--- a/.cursor/rules/drupal-vulnerable-components.mdc
+++ b/.cursor/rules/drupal-vulnerable-components.mdc
@@ -7,76 +7,135 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent vulnerabilities related to outdated or vulnerable components in Drupal applications, as defined in OWASP Top 10:2021-A06.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.install`
-- `*.module`
-- `*.inc`
-- `*.theme`
-- `*.yml`
-- `*.info`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|inc|module|install|info\.yml|json)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Potentially outdated Drupal core version detected. Consider upgrading to the latest secure version of Drupal 9 or 10.
-- Deprecated function detected. Use modern replacements to ensure compatibility and security updates.
-- Potentially vulnerable JavaScript library version detected. Update to the latest secure version.
-- External scripts or stylesheets without Subresource Integrity (SRI) checks detected. Add integrity and crossorigin attributes.
-- Potentially vulnerable or deprecated module detected. Consider using more secure alternatives.
-- Hard-coded specific version detected in composer.json. Consider using version ranges to receive security updates.
-- Deprecated or insecure PHP function detected. Use modern alternatives for better security.
-- Ensure your module specifies core_version_requirement to prevent installation on unsupported Drupal versions.
-- Consider adding drupal/core-security-advisories as a dev dependency to detect known vulnerable packages.
-- Legacy text sanitization function detected. Use Html::escape() or Xss::filter() instead.
-
-## Recommendations
-
-**Drupal Component Security Best Practices:**
-
-1. **Update Management:**
-   - Keep Drupal core updated to the latest secure version
-   - Subscribe to the Drupal Security Newsletter
-   - Implement a regular update schedule (monthly at minimum)
-   - Use security advisories checking in your development workflow
-   - Implement Composer's security-advisories metadata
-
-2. **Dependency Management:**
-   - Use Composer for managing all dependencies
-   - Specify version constraints that allow security updates
-   - Add drupal/core-security-advisories as a dev dependency
-   - Regularly run `composer update --with-dependencies`
-   - Use `composer outdated` to identify outdated packages
-
-3. **API Usage:**
-   - Use modern Drupal APIs rather than deprecated functions
-   - Migrate away from jQuery to modern JavaScript where possible
-   - Implement Subresource Integrity (SRI) for external resources
-   - Update custom code to use current best practices
-   - Follow the Drupal API deprecation policies
-
-4. **Security Monitoring:**
-   - Implement automated vulnerability scanning in CI/CD
-   - Use tools like Drupal Check or Upgrade Status module
-   - Monitor the Drupal security advisories page
-   - Implement automated updates for non-critical dependencies
-   - Set up alerts for security issues in used components
-
-5. **Module Management:**
-   - Remove unused modules from your codebase
-   - Prefer well-maintained modules with security teams
-   - Implement proper version constraints in module info files
-   - Consider the security impact before adding new dependencies
-   - Document your dependency management practices
-
-## Validation
-
-- Using proper core version requirements.
-- Using modern message API instead of deprecated functions.
-- Using proper version constraints in Composer.
-- Properly implementing Subresource Integrity.
+```yaml
+name: drupal_vulnerable_components
+description: Detect and prevent vulnerabilities related to outdated or vulnerable components in Drupal as defined in OWASP Top 10:2021-A06
+filters:
+  - type: file_extension
+    pattern: "\\.(php|inc|module|install|info\\.yml|json)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Outdated Drupal core version declaration
+      - pattern: "core:\\s*('|\")8\\.[0-6](mdc:'|\")|core_version_requirement:\\s*('|\")[^9].+('|\")"
+        message: "Potentially outdated Drupal core version detected. Consider upgrading to the latest secure version of Drupal 9 or 10."
+
+      # Pattern 2: Usage of deprecated functions
+      - pattern: "drupal_set_message\\(|format_date\\(|drupal_render\\(|entity_load\\(|variable_get\\(|variable_set\\("
+        message: "Deprecated function detected. Use modern replacements to ensure compatibility and security updates."
+
+      # Pattern 3: Known vulnerable libraries referenced
+      - pattern: "jquery\\.min\\.js\\?v=1\\.|jquery-1\\.|jquery-2\\.|ckeditor/|tinymce/|angular\\.js@1\\."
+        message: "Potentially vulnerable JavaScript library version detected. Update to the latest secure version."
+
+      # Pattern 4: Direct inclusion of external scripts without SRI
+      - pattern: "<script\\s+src=['\"]http|<script\\s+src=['\"]//|<link\\s+[^>]*href=['\"]http"
+        message: "External scripts or stylesheets without Subresource Integrity (SRI) checks detected. Add integrity and crossorigin attributes."
+
+      # Pattern 5: Use of obsolete or removed modules
+      - pattern: "module:\\s*('[^']*captcha'|'recaptcha'|'xmlrpc'|'openid'|'php')"
+        message: "Potentially vulnerable or deprecated module detected. Consider using more secure alternatives."
+
+      # Pattern 6: Hard-coded versions in composer.json
+      - pattern: "\"drupal/[^\"]+\":\\s*\"(~|\\^)?[0-9]\\.[0-9]\\.[0-9]\""
+        message: "Hard-coded specific version detected in composer.json. Consider using version ranges to receive security updates."
+
+      # Pattern 7: Outdated or insecure PHP API usage
+      - pattern: "mysql_|split\\(|ereg\\(|eregi\\(|create_function\\(|each\\("
+        message: "Deprecated or insecure PHP function detected. Use modern alternatives for better security."
+
+      # Pattern 8: Usage of contrib modules without version constraints
+      - pattern: "type:\\s*module\\s*\\nname:"
+        message: "Ensure your module specifies core_version_requirement to prevent installation on unsupported Drupal versions."
+
+      # Pattern 9: Missing security advisories handling in composer.json
+      - pattern: "composer\\.json"
+        message: "Consider adding drupal/core-security-advisories as a dev dependency to detect known vulnerable packages."
+
+      # Pattern 10: Direct usage of vulnerable sanitization functions
+      - pattern: "check_plain\\(|filter_xss\\(|filter_xss_admin\\("
+        message: "Legacy text sanitization function detected. Use Html::escape() or Xss::filter() instead."
+
+  - type: suggest
+    message: |
+      **Drupal Component Security Best Practices:**
+
+      1. **Update Management:**
+         - Keep Drupal core updated to the latest secure version
+         - Subscribe to the Drupal Security Newsletter
+         - Implement a regular update schedule (monthly at minimum)
+         - Use security advisories checking in your development workflow
+         - Implement Composer's security-advisories metadata
+
+      2. **Dependency Management:**
+         - Use Composer for managing all dependencies
+         - Specify version constraints that allow security updates
+         - Add drupal/core-security-advisories as a dev dependency
+         - Regularly run `composer update --with-dependencies`
+         - Use `composer outdated` to identify outdated packages
+
+      3. **API Usage:**
+         - Use modern Drupal APIs rather than deprecated functions
+         - Migrate away from jQuery to modern JavaScript where possible
+         - Implement Subresource Integrity (SRI) for external resources
+         - Update custom code to use current best practices
+         - Follow the Drupal API deprecation policies
+
+      4. **Security Monitoring:**
+         - Implement automated vulnerability scanning in CI/CD
+         - Use tools like Drupal Check or Upgrade Status module
+         - Monitor the Drupal security advisories page
+         - Implement automated updates for non-critical dependencies
+         - Set up alerts for security issues in used components
+
+      5. **Module Management:**
+         - Remove unused modules from your codebase
+         - Prefer well-maintained modules with security teams
+         - Implement proper version constraints in module info files
+         - Consider the security impact before adding new dependencies
+         - Document your dependency management practices
+
+  - type: validate
+    conditions:
+      # Check 1: Proper core version requirement
+      - pattern: "core_version_requirement:\\s*[\"']\\^(8\\.8|8\\.9|9|10)\\.[0-9]+[\"']"
+        message: "Using proper core version requirements."
+
+      # Check 2: Use of modern APIs
+      - pattern: "\\\\Drupal::messenger\\(\\)|->messenger\\(\\)|\\\\Drupal::service\\('messenger'\\)"
+        message: "Using modern message API instead of deprecated functions."
+
+      # Check 3: Proper composer usage
+      - pattern: "\"require\":\\s*\\{[^}]*\"drupal/core(-recommended)?\":\\s*\"\\^[0-9]+\\.[0-9]+\""
+        message: "Using proper version constraints in Composer."
+
+      # Check 4: SRI implementation
+      - pattern: "integrity=[\"'][a-zA-Z0-9\\+/=\\-_]+[\"']\\s+crossorigin=[\"']anonymous[\"']"
+        message: "Properly implementing Subresource Integrity."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - drupal
+    - dependencies
+    - vulnerable-components
+    - owasp
+    - language:php
+    - framework:drupal
+    - category:security
+    - subcategory:dependencies
+    - standard:owasp-top10
+    - risk:a06-vulnerable-components
+  references:
+    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
+    - "https://www.drupal.org/docs/security-in-drupal/staying-up-to-date"
+    - "https://www.drupal.org/docs/upgrading-drupal"
+    - "https://www.drupal.org/docs/develop/using-composer/managing-dependencies-for-a-drupal-project"
+```
+
+
diff --git a/.cursor/rules/generic_bash_style.mdc b/.cursor/rules/generic_bash_style.mdc
index e1be5c3..4745783 100644
--- a/.cursor/rules/generic_bash_style.mdc
+++ b/.cursor/rules/generic_bash_style.mdc
@@ -1,43 +1,72 @@
 ---
 description: Enforce general Bash scripting standards with enhanced logging
-globs: 
+globs:
 ---
 # Enhanced Bash Scripting Standard with Colorized Logging
 
 This rule enforces best practices for writing Bash scripts, with an emphasis on using colorized logging for better output readability.
 
-> Priority: medium · Version: 1.1
-
-## Trigger Conditions
-- Files matching pattern `\.sh$`
-
-## Required Checks
-
-- All scripts should start with the shebang '#!/usr/bin/env bash'.
-- Enable 'set -eu' for script robustness.
-- Use conditional 'set -x' based on debug flag.
-- Start of formatting block for log functions.
-- Include 'note' function for plain messages.
-- Include 'info' function for blue informational messages.
-- Include 'pass' function for green success messages.
-- Include 'fail' function for red error messages.
-- Include 'warn' function for yellow warning messages.
-- End of formatting block for log functions.
-
-## Recommendations
-
-**Bash Scripting Best Practices:**
-- **Error Handling:** Use `set -eu` to catch errors and undefined variables early.
-- **Debugging:** Implement conditional debugging with `set -x` using a DEBUG variable.
-- **Logging Functions:** Use colorized logging for better script output readability:
-  - `note()` for plain notes
-  - `info()` for blue informational messages
-  - `pass()` for green success messages
-  - `fail()` for red error messages
-  - `warn()` for yellow warnings, ensuring users can distinguish different types of messages easily
-- **Security:** Avoid using `eval` or similar constructs; use safe alternatives.
-- **Documentation:** Include descriptive comments, especially for complex logic.
-- **Portability:** Use `/usr/bin/env bash` for the shebang to ensure script runs with bash on any system.
-- **Variable Checks:** Ensure necessary variables are set, enhancing script reliability.
-- **Exit Codes:** Use explicit exit codes for different failure scenarios.
-- **Color Support:** Ensure logging functions check for terminal color support before applying colors.
+```yaml
+name: enhanced_bash_style
+description: Enforce Bash scripting standards with colorized logging
+filters:
+  - type: file_extension
+    pattern: "\\.sh$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "^#!/usr/bin/env bash$"
+        message: "All scripts should start with the shebang '#!/usr/bin/env bash'."
+
+      - pattern: "^set -eu$"
+        message: "Enable 'set -eu' for script robustness."
+
+      - pattern: "^set -x$"
+        pattern_negate: "^\\[ \"\\${DEBUG-}\" = \"1\" ] && set -x$"
+        message: "Use conditional 'set -x' based on debug flag."
+
+      - pattern: "^# @formatter:off$"
+        message: "Start of formatting block for log functions."
+
+      - pattern: "note\\(\\) { printf \"       %s\\n\" \"\\${1}\"; }$"
+        message: "Include 'note' function for plain messages."
+
+      - pattern: "info\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[34m\\[INFO] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[INFO] %s\\n\" \"\\${1}\"; }$"
+        message: "Include 'info' function for blue informational messages."
+
+      - pattern: "pass\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[32m\\[ OK ] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[ OK ] %s\\n\" \"\\${1}\"; }$"
+        message: "Include 'pass' function for green success messages."
+
+      - pattern: "fail\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[31m\\[FAIL] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[FAIL] %s\\n\" \"\\${1}\"; }$"
+        message: "Include 'fail' function for red error messages."
+
+      - pattern: "warn\\(\\) { \\[ \"\\${TERM:-}\" != \"dumb\" ] && tput colors >/dev/null 2>&1 && printf \"\\\\033\\[33m\\[WARN] %s\\\\033\\[0m\\n\" \"\\${1}\" || printf \"\\[WARN] %s\\n\" \"\\${1}\"; }$"
+        message: "Include 'warn' function for yellow warning messages."
+
+      - pattern: "^# @formatter:on$"
+        message: "End of formatting block for log functions."
+
+  - type: suggest
+    message: |
+      **Bash Scripting Best Practices:**
+      - **Error Handling:** Use `set -eu` to catch errors and undefined variables early.
+      - **Debugging:** Implement conditional debugging with `set -x` using a DEBUG variable.
+      - **Logging Functions:** Use colorized logging for better script output readability:
+        - `note()` for plain notes
+        - `info()` for blue informational messages
+        - `pass()` for green success messages
+        - `fail()` for red error messages
+        - `warn()` for yellow warnings, ensuring users can distinguish different types of messages easily
+      - **Security:** Avoid using `eval` or similar constructs; use safe alternatives.
+      - **Documentation:** Include descriptive comments, especially for complex logic.
+      - **Portability:** Use `/usr/bin/env bash` for the shebang to ensure script runs with bash on any system.
+      - **Variable Checks:** Ensure necessary variables are set, enhancing script reliability.
+      - **Exit Codes:** Use explicit exit codes for different failure scenarios.
+      - **Color Support:** Ensure logging functions check for terminal color support before applying colors.
+
+metadata:
+  priority: medium
+  version: 1.1
+```
+
diff --git a/.cursor/rules/git-commit-standards.mdc b/.cursor/rules/git-commit-standards.mdc
index 70e561b..f5eeac2 100644
--- a/.cursor/rules/git-commit-standards.mdc
+++ b/.cursor/rules/git-commit-standards.mdc
@@ -6,29 +6,46 @@ globs: .git/*
 
 Ensures consistent Git commit messages.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `.git/*`
-
-## Trigger Conditions
-- Files matching pattern `\.git/.*`
-
-## Required Checks
-
-- Use a commit message prefix followed by colon and space (fix:, feat:, etc.).
-- First word after prefix should be lowercase.
-- Keep commit message content (excluding prefix) under 46 characters.
-- Include a space after the colon in prefix.
-
-## Recommendations
+```yaml
+name: git_commit_standards
+description: Enforce structured Git commit messages.
+filters:
+  - type: file_extension
+    pattern: "\\.git/.*"
+
+actions:
+  - type: enforce
+    conditions:
+      # More precise regex to ensure prefix is followed by colon and space
+      - pattern: "^(?!fix|feat|perf|docs|style|refactor|test|chore): "
+        message: "Use a commit message prefix followed by colon and space (fix:, feat:, etc.)."
+
+      # Check for uppercase after the prefix
+      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore): [A-Z]"
+        message: "First word after prefix should be lowercase."
+
+      # More precise length check that excludes the prefix from the count
+      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore): .{46,}"
+        message: "Keep commit message content (excluding prefix) under 46 characters."
+
+      # Ensure there's a space after the colon
+      - pattern: "^(fix|feat|perf|docs|style|refactor|test|chore):(?! )"
+        message: "Include a space after the colon in prefix."
+
+  - type: suggest
+    message: |
+      Recommended commit format:
+      - "fix: resolved bug in user authentication"
+      - "feat: added new search functionality"
+      - "docs: updated installation guide"
+      - "style: fixed button alignment"
+      - "refactor: simplified login logic"
+      - "test: added unit tests for auth"
+      - "chore: updated dependencies"
+      - "perf: optimized database queries"
+
+metadata:
+  priority: high
+  version: 1.1
+```
 
-Recommended commit format:
-- "fix: resolved bug in user authentication"
-- "feat: added new search functionality"
-- "docs: updated installation guide"
-- "style: fixed button alignment"
-- "refactor: simplified login logic"
-- "test: added unit tests for auth"
-- "chore: updated dependencies"
-- "perf: optimized database queries"
diff --git a/.cursor/rules/github-actions-standards.mdc b/.cursor/rules/github-actions-standards.mdc
index 8beee36..83d2a58 100644
--- a/.cursor/rules/github-actions-standards.mdc
+++ b/.cursor/rules/github-actions-standards.mdc
@@ -1,45 +1,66 @@
 ---
-description: 
+description:
 globs: .github/workflows/*.yml
 alwaysApply: false
 ---
-# GitHub Actions Standards
+ # GitHub Actions Standards
 
 Ensures GitHub Actions workflows follow best practices and use the latest action versions.
 
-> Priority: high · Version: 1.0
+```yaml
+name: github_actions_standards
+description: Enforce standards for GitHub Actions workflows
+filters:
+  - type: file_extension
+    pattern: "\\.ya?ml$"
+  - type: file_path
+    pattern: "\\.github/workflows/"
 
-## Applies To
-- `.github/workflows/*.yml`
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "uses:\\s*actions/upload-artifact@v[123]"
+        message: "Use actions/upload-artifact@v4 instead of older versions. Version 3 is deprecated: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/"
 
-## Trigger Conditions
-- Files matching pattern `\.ya?ml$`
-- Paths matching `\.github/workflows/`
+      - pattern: "uses:\\s*actions/download-artifact@v[123]"
+        message: "Use actions/download-artifact@v4 instead of older versions."
 
-## Required Checks
+      - pattern: "uses:\\s*actions/checkout@v[12]"
+        message: "Consider using actions/checkout@v4 for the latest features and security updates."
 
-- Use actions/upload-artifact@v4 instead of older versions. Version 3 is deprecated: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
-- Use actions/download-artifact@v4 instead of older versions.
-- Consider using actions/checkout@v4 for the latest features and security updates.
+  - type: suggest
+    message: |
+      **GitHub Actions Best Practices:**
+      - **Latest Action Versions:** Always use the latest stable versions of GitHub Actions.
+        - `actions/checkout@v4`
+        - `actions/upload-artifact@v4`
+        - `actions/download-artifact@v4`
+        - `actions/setup-node@v4`
+        - `actions/setup-python@v5`
+      - **Workflow Structure:** Organize workflows with clear job names and step descriptions.
+      - **Caching:** Implement caching for dependencies to speed up workflows.
+      - **Security:** Use `GITHUB_TOKEN` with minimum required permissions.
+      - **Artifacts:** Use descriptive names for artifacts and set appropriate retention periods.
+      - **Matrix Strategy:** Use matrix builds for testing across multiple environments.
+      - **Timeouts:** Set appropriate timeouts for jobs to prevent hanging workflows.
 
-## Recommendations
+  - type: validate
+    conditions:
+      - pattern: "uses:\\s*actions/upload-artifact@v4"
+        message: "Good job using the latest version of actions/upload-artifact!"
 
-**GitHub Actions Best Practices:**
-- **Latest Action Versions:** Always use the latest stable versions of GitHub Actions.
-  - `actions/checkout@v4`
-  - `actions/upload-artifact@v4`
-  - `actions/download-artifact@v4`
-  - `actions/setup-node@v4`
-  - `actions/setup-python@v5`
-- **Workflow Structure:** Organize workflows with clear job names and step descriptions.
-- **Caching:** Implement caching for dependencies to speed up workflows.
-- **Security:** Use `GITHUB_TOKEN` with minimum required permissions.
-- **Artifacts:** Use descriptive names for artifacts and set appropriate retention periods.
-- **Matrix Strategy:** Use matrix builds for testing across multiple environments.
-- **Timeouts:** Set appropriate timeouts for jobs to prevent hanging workflows.
+      - pattern: "uses:\\s*actions/download-artifact@v4"
+        message: "Good job using the latest version of actions/download-artifact!"
 
-## Validation
+      - pattern: "uses:\\s*actions/checkout@v[34]"
+        message: "Good job using a recent version of actions/checkout!"
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - ci/cd
+    - github
+    - automation
+```
 
-- Good job using the latest version of actions/upload-artifact!
-- Good job using the latest version of actions/download-artifact!
-- Good job using a recent version of actions/checkout!
diff --git a/.cursor/rules/improve-cursorrules-efficiency.mdc b/.cursor/rules/improve-cursorrules-efficiency.mdc
index c851dc1..3177a5f 100644
--- a/.cursor/rules/improve-cursorrules-efficiency.mdc
+++ b/.cursor/rules/improve-cursorrules-efficiency.mdc
@@ -6,80 +6,110 @@ globs: *.mdc
 
 Ensures Cursor analyzes AI query efficiency, detects repeated requests, and automatically updates relevant rules to improve response quality and reduce redundancy.
 
-> Priority: critical · Version: 1.2
-
-## Applies To
-- `*.mdc`
-
-## Trigger Conditions
-- Files matching pattern `\.(md|mdc|txt|json|py|js|ts|php|yaml|yml|cursorrules)$`
-- Files containing `(?i)(retry|again|didn't work|not what I expected|try another way|improve|fix this|optimize|rewrite|regenerate)`
-
-## Automation
-
-- **Auto Update:** Updating AI efficiency rules based on detected inefficiencies or repeated queries.
-- **Log:** AI Query Efficiency Analysis: [{{query_count}} queries in {{time_period}} detected inefficiency.]
-
-## Recommendations
-
-## Query Optimization Recommendations
-
-I notice you're making multiple requests for similar tasks. Here's how to optimize your AI interactions:
-
-### 1. Refine Your Prompts
-- **Be more specific:** Include technical details, file paths, and exact requirements
-- **Use structured formats:** For complex requests, use bullet points or numbered lists
-- **Include context:** Mention relevant technologies, frameworks, or standards
-- **Set clear expectations:** Specify the format and level of detail you need
-
-### 2. Break Down Complex Tasks
-- Split large tasks into smaller, focused requests
-- Ask for step-by-step approaches for complex problems
-- Request specific examples for unclear concepts
-
-### 3. Provide Feedback
-- Tell the AI what worked and what didn't in previous responses
-- Clarify misunderstandings explicitly
-- Highlight successful parts of previous responses
-
-### 4. Use Technical Terminology
-- Use precise technical terms for your domain (Drupal, Lagoon, etc.)
-- Reference specific functions, methods, or patterns
-- Mention relevant standards or best practices
-
-### 5. Leverage Cursor Features
-- Use file references when discussing specific code
-- Reference line numbers for targeted changes
-- Utilize code blocks for examples
-
-The system will now optimize rules based on this interaction pattern to improve future responses.
-
-## Examples
-### Example 1
-```
-"This Drupal module is not working, let's try again."
-"That didn't work, let's refine the approach."
-"Please rewrite this code to be more efficient."
+```yaml
+name: ai_query_efficiency_optimization
+description: Analyze AI query efficiency, optimize rules, and prevent repeated requests.
+filters:
+  # Match AI query interactions in supported files
+  - type: file_extension
+    pattern: "\\.(md|mdc|txt|json|py|js|ts|php|yaml|yml|cursorrules)$"
+  # Match AI communication patterns indicating inefficiency or repetition
+  - type: content
+    pattern: "(?i)(retry|again|didn't work|not what I expected|try another way|improve|fix this|optimize|rewrite|regenerate)"
+
+actions:
+  - type: analyze
+    conditions:
+      - pattern: "(?i)(retry|again|fix this|not what I expected|didn't work|rewrite|regenerate)"
+        message: "Detected inefficiencies or repeated requests. Initiating efficiency analysis..."
+    execute: |
+      - **Identify inefficiencies** in AI responses by comparing previous queries and results.
+      - **Suggest improvements** in query structure or Cursor usage based on analysis:
+        - Use more specific or detailed prompts.
+        - Implement structured queries for complex tasks.
+        - Provide feedback on past responses for better contextual understanding.
+        - Break down complex tasks into smaller, more manageable steps.
+        - Use specific technical terminology for clearer communication.
+      - **Automatically update** relevant Cursor rules:
+        - Enhance pattern recognition for similar future queries.
+        - Adjust rule priorities or conditions to prevent repeat inefficiencies.
+        - Update rule suggestions to guide users towards more effective interactions.
+        - Create new rules for frequently encountered patterns.
+
+  - type: suggest
+    message: |
+      ## Query Optimization Recommendations
+
+      I notice you're making multiple requests for similar tasks. Here's how to optimize your AI interactions:
+
+      ### 1. Refine Your Prompts
+      - **Be more specific:** Include technical details, file paths, and exact requirements
+      - **Use structured formats:** For complex requests, use bullet points or numbered lists
+      - **Include context:** Mention relevant technologies, frameworks, or standards
+      - **Set clear expectations:** Specify the format and level of detail you need
+
+      ### 2. Break Down Complex Tasks
+      - Split large tasks into smaller, focused requests
+      - Ask for step-by-step approaches for complex problems
+      - Request specific examples for unclear concepts
+
+      ### 3. Provide Feedback
+      - Tell the AI what worked and what didn't in previous responses
+      - Clarify misunderstandings explicitly
+      - Highlight successful parts of previous responses
+
+      ### 4. Use Technical Terminology
+      - Use precise technical terms for your domain (Drupal, Lagoon, etc.)
+      - Reference specific functions, methods, or patterns
+      - Mention relevant standards or best practices
+
+      ### 5. Leverage Cursor Features
+      - Use file references when discussing specific code
+      - Reference line numbers for targeted changes
+      - Utilize code blocks for examples
+
+      The system will now optimize rules based on this interaction pattern to improve future responses.
+
+  - type: auto_update
+    target: ".cursor/rules/ai-optimization.mdc"
+    conditions:
+      - pattern: "(?i)(retry|again|fix this|not what I expected|not what I meant|didn't work|rewrite|regenerate)"
+    message: "Updating AI efficiency rules based on detected inefficiencies or repeated queries."
+
+  - type: log
+    message: "AI Query Efficiency Analysis: [{{query_count}} queries in {{time_period}} detected inefficiency.]"
+    conditions:
+      - pattern: "(?i)(retry|again|fix this|not what I expected|didn't work|rewrite|regenerate)"
+
+examples:
+  - input: |
+      "This Drupal module is not working, let's try again."
+      "That didn't work, let's refine the approach."
+      "Please rewrite this code to be more efficient."
+    output: |
+      Cursor detects inefficiency in queries and suggests:
+
+      "I notice you're making multiple attempts. To get better results:
+      1. Specify which part of the module isn't working
+      2. Include any error messages you're seeing
+      3. Mention the Drupal version and relevant modules
+      4. Describe what you've already tried"
+
+  - input: |
+      "Generate a Lagoon configuration file."
+      "This doesn't look right, regenerate it."
+      "Try again with better practices."
+    output: |
+      Cursor detects repetition and suggests:
+
+      "For better Lagoon configuration results:
+      1. Specify which services you need (nginx, php, mariadb, etc.)
+      2. Mention your project type (Drupal, WordPress, etc.)
+      3. Include any specific environment requirements
+      4. Reference any existing configuration you want to maintain"
+
+metadata:
+  priority: critical
+  version: 1.2
 ```
-Outcome: Cursor detects inefficiency in queries and suggests:
-
-"I notice you're making multiple attempts. To get better results:
-1. Specify which part of the module isn't working
-2. Include any error messages you're seeing
-3. Mention the Drupal version and relevant modules
-4. Describe what you've already tried"
-
-### Example 2
-```
-"Generate a Lagoon configuration file."
-"This doesn't look right, regenerate it."
-"Try again with better practices."
-```
-Outcome: Cursor detects repetition and suggests:
-
-"For better Lagoon configuration results:
-1. Specify which services you need (nginx, php, mariadb, etc.)
-2. Mention your project type (Drupal, WordPress, etc.)
-3. Include any specific environment requirements
-4. Reference any existing configuration you want to maintain"
 
diff --git a/.cursor/rules/javascript-broken-access-control.mdc b/.cursor/rules/javascript-broken-access-control.mdc
index 6da3423..dd8243a 100644
--- a/.cursor/rules/javascript-broken-access-control.mdc
+++ b/.cursor/rules/javascript-broken-access-control.mdc
@@ -6,307 +6,397 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 
 This rule identifies and prevents broken access control vulnerabilities in JavaScript applications, focusing on both browser and Node.js environments, as defined in OWASP Top 10:2021-A01.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Potential Insecure Direct Object Reference (IDOR) vulnerability. User-supplied IDs should be validated against user permissions before database access.
-- Route handler appears to be missing authorization checks. Implement proper access control to verify user permissions before processing requests.
-- Hardcoded JWT secret detected. Store JWT secrets securely in environment variables or a configuration manager.
-- Authorization logic implemented on client-side. Client-side authorization checks can be bypassed. Always enforce authorization on the server.
-- Wildcard CORS policy detected. This allows any domain to make cross-origin requests. Restrict CORS to specific trusted domains.
-- Administrative function appears to be missing role or permission checks. Implement proper authorization checks to restrict access to administrative functions.
-- Login function appears to be missing rate limiting. Implement rate limiting to prevent brute force attacks.
-- Potential horizontal privilege escalation vulnerability. Ensure the requested resource belongs to the authenticated user.
-- Route may be missing CSRF protection. Implement CSRF tokens for state-changing operations to prevent cross-site request forgery attacks.
-- Potential path traversal vulnerability in file access. Validate and sanitize user-supplied paths to prevent directory traversal attacks.
-- Express application may be missing authentication middleware. Implement proper authentication to secure your application.
-- Cookies appear to be set without security attributes. Set the secure, httpOnly, and sameSite attributes for sensitive cookies.
-- Hidden form fields used for access control. Never rely on hidden form fields for access control decisions as they can be easily manipulated.
-- Client-side conditional routing based on user roles detected. Always enforce access control on the server side as client-side checks can be bypassed.
-- Access control based on URL parameters detected. Never use request parameters for access control decisions as they can be easily manipulated.
-
-## Recommendations
-
-**JavaScript Access Control Best Practices:**
-
-1. **Implement Server-Side Access Control**
-   - Never rely solely on client-side access control
-   - Use middleware to enforce authorization
-   - Example Express.js middleware:
-     ```javascript
-     // Role-based access control middleware
-     function requireRole(role) {
-       return (req, res, next) => {
-         if (!req.user) {
-           return res.status(401).json({ error: 'Authentication required' });
-         }
-         
-         if (!req.user.roles.includes(role)) {
-           return res.status(403).json({ error: 'Insufficient permissions' });
-         }
-         
-         next();
-       };
-     }
-     
-     // Usage in routes
-     app.get('/admin/users', requireRole('admin'), (req, res) => {
-       // Handle admin-only route
-     });
-     ```
-
-2. **Implement Proper Authentication**
-   - Use established authentication libraries
-   - Implement multi-factor authentication for sensitive operations
-   - Example with Passport.js:
-     ```javascript
-     const passport = require('passport');
-     const JwtStrategy = require('passport-jwt').Strategy;
-     
-     passport.use(new JwtStrategy(jwtOptions, async (payload, done) => {
-       try {
-         const user = await User.findById(payload.sub);
-         if (!user) {
-           return done(null, false);
-         }
-         return done(null, user);
-       } catch (error) {
-         return done(error, false);
-       }
-     }));
-     
-     // Protect routes
-     app.get('/protected', 
-       passport.authenticate('jwt', { session: false }),
-       (req, res) => {
-         res.json({ success: true });
-       }
-     );
-     ```
-
-3. **Implement Proper Authorization**
-   - Use attribute or role-based access control
-   - Check permissions for each protected resource
-   - Example:
-     ```javascript
-     // Permission-based middleware
-     function checkPermission(permission) {
-       return async (req, res, next) => {
-         try {
-           // Get user permissions from database
-           const userPermissions = await getUserPermissions(req.user.id);
-           
-           if (!userPermissions.includes(permission)) {
-             return res.status(403).json({ error: 'Permission denied' });
+```yaml
+name: javascript_broken_access_control
+description: Detect and prevent broken access control patterns in JavaScript applications as defined in OWASP Top 10:2021-A01
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Detect Direct Reference to User-Supplied IDs (IDOR vulnerability)
+      - pattern: "(?:req|request)\\.(?:params|query|body)\\.(?:id|userId|recordId)[^\\n]*?(?:findById|getById|find\\(|get\\()"
+        message: "Potential Insecure Direct Object Reference (IDOR) vulnerability. User-supplied IDs should be validated against user permissions before database access."
+
+      # Pattern 2: Detect Missing Authorization Checks in Route Handlers
+      - pattern: "(?:app|router)\\.(?:get|post|put|delete|patch)\\(['\"][^'\"]+['\"],\\s*(?:async)?\\s*\\(?(?:req|request),\\s*(?:res|response)(?:,[^\\)]+)?\\)?\\s*=>\\s*\\{[^\\}]*?\\}\\)"
+        negative_pattern: "(?:isAuthenticated|isAuthorized|checkPermission|verifyAccess|auth\\.check|authenticate|authorize|userHasAccess|checkAuth|permissions\\.|requireAuth|requiresAuth|ensureAuth|\\bauth\\b|\\broles?\\b|\\bpermission\\b|\\baccess\\b)"
+        message: "Route handler appears to be missing authorization checks. Implement proper access control to verify user permissions before processing requests."
+
+      # Pattern 3: Detect JWT Token Validation Issues
+      - pattern: "(?:jwt|jsonwebtoken)\\.verify\\((?:[^,]+),\\s*['\"]((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)['\"]"
+        message: "Hardcoded JWT secret detected. Store JWT secrets securely in environment variables or a configuration manager."
+
+      # Pattern 4: Detect Client-Side Authorization Checks
+      - pattern: "if\\s*\\((?:user|currentUser)\\.(?:role|isAdmin|hasPermission|can[A-Z][a-zA-Z]+|is[A-Z][a-zA-Z]+)\\)\\s*\\{[^\\}]*?(?:fetch|axios|\\$\\.ajax|http\\.get|http\\.post)\\([^\\)]*?\\)"
+        message: "Authorization logic implemented on client-side. Client-side authorization checks can be bypassed. Always enforce authorization on the server."
+
+      # Pattern 5: Detect Improper CORS Configuration
+      - pattern: "(?:app\\.use\\(cors\\(\\{[^\\}]*?origin:\\s*['\"]\\*['\"])|Access-Control-Allow-Origin:\\s*['\"]\\*['\"]"
+        message: "Wildcard CORS policy detected. This allows any domain to make cross-origin requests. Restrict CORS to specific trusted domains."
+
+      # Pattern 6: Detect Lack of Role Checks in Admin Functions
+      - pattern: "(?:function|const)\\s+(?:admin|updateUser|deleteUser|createUser|updateRole|manageUsers|setPermission)[^\\{]*?\\{[^\\}]*?\\}"
+        negative_pattern: "(?:role|permission|isAdmin|hasAccess|authorize|authenticate|auth\\.check|checkPermission|checkRole|verifyRole|ensureAdmin|adminOnly|adminRequired|requirePermission)"
+        message: "Administrative function appears to be missing role or permission checks. Implement proper authorization checks to restrict access to administrative functions."
+
+      # Pattern 7: Detect Missing Login Rate Limiting
+      - pattern: "(?:function|const)\\s+(?:login|signin|authenticate|auth)[^\\{]*?\\{[^\\}]*?(?:compare(?:Sync)?|check(?:Password)?|match(?:Password)?|verify(?:Password)?)[^\\}]*?\\}"
+        negative_pattern: "(?:rate(?:Limit)?|throttle|limit|delay|cooldown|attempt|counter|maxTries|maxAttempts|lockout|timeout)"
+        message: "Login function appears to be missing rate limiting. Implement rate limiting to prevent brute force attacks."
+
+      # Pattern 8: Detect Horizontal Privilege Escalation Vulnerability
+      - pattern: "(?:findById|findOne|findByPk|get)\\((?:req|request)\\.(?:params|query|body)\\.(?:id|userId|accountId)\\)"
+        negative_pattern: "(?:!=|!==|===|==)\\s*(?:req\\.user\\.id|req\\.userId|currentUser\\.id|user\\.id|session\\.userId)"
+        message: "Potential horizontal privilege escalation vulnerability. Ensure the requested resource belongs to the authenticated user."
+
+      # Pattern 9: Detect Missing CSRF Protection
+      - pattern: "(?:app|router)\\.(?:post|put|delete|patch)\\(['\"][^'\"]+['\"]"
+        negative_pattern: "(?:csrf|xsrf|csurf|csrfProtection|antiForgery|csrfToken|csrfMiddleware)"
+        message: "Route may be missing CSRF protection. Implement CSRF tokens for state-changing operations to prevent cross-site request forgery attacks."
+
+      # Pattern 10: Detect Bypassing Access Control with Path Traversal
+      - pattern: "(?:fs|require)(?:\\.promises)?\\.(read|open|access|stat)(?:File|Sync)?\\([^\\)]*?(?:req|request)\\.(?:params|query|body|path)\\.[^\\)]*?\\)"
+        negative_pattern: "(?:normalize|resolve|sanitize|validate|pathValidation|checkPath)"
+        message: "Potential path traversal vulnerability in file access. Validate and sanitize user-supplied paths to prevent directory traversal attacks."
+
+      # Pattern 11: Detect Missing Authentication Middleware
+      - pattern: "(?:new\\s+)?express\\(\\)|(?:import|require)\\(['\"]express['\"]\\)"
+        negative_pattern: "(?:app\\.use\\((?:passport|auth|jwt|session|authenticate)|passport\\.authenticate|express-session|express-jwt|jsonwebtoken|requiresAuth|\\bauth\\b)"
+        message: "Express application may be missing authentication middleware. Implement proper authentication to secure your application."
+
+      # Pattern 12: Detect Insecure Cookie Settings
+      - pattern: "(?:res\\.cookie|cookie\\.set|cookies\\.set|document\\.cookie)\\([^\\)]*?\\)"
+        negative_pattern: "(?:secure:\\s*true|httpOnly:\\s*true|sameSite|expires|maxAge)"
+        message: "Cookies appear to be set without security attributes. Set the secure, httpOnly, and sameSite attributes for sensitive cookies."
+
+      # Pattern 13: Detect Hidden Form Fields for Access Control
+      - pattern: "<input[^>]*?type=['\"]hidden['\"][^>]*?(?:(?:name|id)=['\"](?:admin|role|isAdmin|access|permission|privilege)['\"])"
+        message: "Hidden form fields used for access control. Never rely on hidden form fields for access control decisions as they can be easily manipulated."
+
+      # Pattern 14: Detect Client-Side Access Control Routing
+      - pattern: "(?:isAdmin|hasRole|hasPermission|userCan|canAccess)\\s*\\?\\s*<(?:Route|Navigate|Link|Redirect)"
+        message: "Client-side conditional routing based on user roles detected. Always enforce access control on the server side as client-side checks can be bypassed."
+
+      # Pattern 15: Detect Access Control based on URL Parameters
+      - pattern: "if\\s*\\((?:req|request)\\.(?:query|params)\\.(?:admin|mode|access|role|type)\\s*===?\\s*['\"](?:admin|true|1|superuser|manager)['\"]\\)"
+        message: "Access control based on URL parameters detected. Never use request parameters for access control decisions as they can be easily manipulated."
+
+  - type: suggest
+    message: |
+      **JavaScript Access Control Best Practices:**
+
+      1. **Implement Server-Side Access Control**
+         - Never rely solely on client-side access control
+         - Use middleware to enforce authorization
+         - Example Express.js middleware:
+           ```javascript
+           // Role-based access control middleware
+           function requireRole(role) {
+             return (req, res, next) => {
+               if (!req.user) {
+                 return res.status(401).json({ error: 'Authentication required' });
+               }
+
+               if (!req.user.roles.includes(role)) {
+                 return res.status(403).json({ error: 'Insufficient permissions' });
+               }
+
+               next();
+             };
+           }
+
+           // Usage in routes
+           app.get('/admin/users', requireRole('admin'), (req, res) => {
+             // Handle admin-only route
+           });
+           ```
+
+      2. **Implement Proper Authentication**
+         - Use established authentication libraries
+         - Implement multi-factor authentication for sensitive operations
+         - Example with Passport.js:
+           ```javascript
+           const passport = require('passport');
+           const JwtStrategy = require('passport-jwt').Strategy;
+
+           passport.use(new JwtStrategy(jwtOptions, async (payload, done) => {
+             try {
+               const user = await User.findById(payload.sub);
+               if (!user) {
+                 return done(null, false);
+               }
+               return done(null, user);
+             } catch (error) {
+               return done(error, false);
+             }
+           }));
+
+           // Protect routes
+           app.get('/protected',
+             passport.authenticate('jwt', { session: false }),
+             (req, res) => {
+               res.json({ success: true });
+             }
+           );
+           ```
+
+      3. **Implement Proper Authorization**
+         - Use attribute or role-based access control
+         - Check permissions for each protected resource
+         - Example:
+           ```javascript
+           // Permission-based middleware
+           function checkPermission(permission) {
+             return async (req, res, next) => {
+               try {
+                 // Get user permissions from database
+                 const userPermissions = await getUserPermissions(req.user.id);
+
+                 if (!userPermissions.includes(permission)) {
+                   return res.status(403).json({ error: 'Permission denied' });
+                 }
+
+                 next();
+               } catch (error) {
+                 next(error);
+               }
+             };
            }
-           
-           next();
-         } catch (error) {
-           next(error);
-         }
-       };
-     }
-     
-     // Usage
-     app.post('/articles', 
-       authenticate,
-       checkPermission('article:create'), 
-       (req, res) => {
-         // Create article
-       }
-     );
-     ```
-
-4. **Protect Against Insecure Direct Object References (IDOR)**
-   - Validate that the requested resource belongs to the user
-   - Use indirect references or access control lists
-   - Example:
-     ```javascript
-     app.get('/documents/:id', authenticate, async (req, res) => {
-       try {
-         const document = await Document.findById(req.params.id);
-         
-         // Check if document exists
-         if (!document) {
-           return res.status(404).json({ error: 'Document not found' });
-         }
-         
-         // Check if user owns the document or has access
-         if (document.userId !== req.user.id && 
-             !(await userHasAccess(req.user.id, document.id))) {
-           return res.status(403).json({ error: 'Access denied' });
-         }
-         
-         res.json(document);
-       } catch (error) {
-         res.status(500).json({ error: error.message });
-       }
-     });
-     ```
-
-5. **Implement Proper CORS Configuration**
-   - Never use wildcard (*) in production
-   - Whitelist specific trusted origins
-   - Example:
-     ```javascript
-     const cors = require('cors');
-     
-     const corsOptions = {
-       origin: ['https://trusted-app.com', 'https://admin.trusted-app.com'],
-       methods: ['GET', 'POST', 'PUT', 'DELETE'],
-       allowedHeaders: ['Content-Type', 'Authorization'],
-       credentials: true,
-       maxAge: 86400 // 24 hours
-     };
-     
-     app.use(cors(corsOptions));
-     ```
-
-6. **Implement CSRF Protection**
-   - Use anti-CSRF tokens for state-changing operations
-   - Validate the token on the server
-   - Example with csurf:
-     ```javascript
-     const csrf = require('csurf');
-     
-     // Setup CSRF protection
-     const csrfProtection = csrf({ cookie: true });
-     
-     // Generate CSRF token
-     app.get('/form', csrfProtection, (req, res) => {
-       res.render('form', { csrfToken: req.csrfToken() });
-     });
-     
-     // Validate CSRF token
-     app.post('/process', csrfProtection, (req, res) => {
-       // Process the request
-     });
-     ```
-
-7. **Implement Secure Cookie Settings**
-   - Set secure, httpOnly, and sameSite attributes
-   - Use appropriate expiration times
-   - Example:
-     ```javascript
-     res.cookie('sessionId', sessionId, {
-       httpOnly: true,  // Prevents JavaScript access
-       secure: true,    // Only sent over HTTPS
-       sameSite: 'strict', // Prevents CSRF attacks
-       maxAge: 3600000, // 1 hour
-       path: '/',
-       domain: 'yourdomain.com'
-     });
-     ```
-
-8. **Implement Rate Limiting**
-   - Apply rate limiting to authentication endpoints
-   - Prevent brute force attacks
-   - Example with express-rate-limit:
-     ```javascript
-     const rateLimit = require('express-rate-limit');
-     
-     const loginLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000, // 15 minutes
-       max: 5, // 5 attempts per window
-       standardHeaders: true,
-       legacyHeaders: false,
-       message: {
-         error: 'Too many login attempts, please try again after 15 minutes'
-       }
-     });
-     
-     app.post('/login', loginLimiter, (req, res) => {
-       // Handle login
-     });
-     ```
-
-9. **Implement Proper Session Management**
-   - Use secure session management libraries
-   - Rotate session IDs after login
-   - Example:
-     ```javascript
-     const session = require('express-session');
-     
-     app.use(session({
-       secret: process.env.SESSION_SECRET,
-       resave: false,
-       saveUninitialized: false,
-       cookie: {
-         secure: true,
-         httpOnly: true,
-         sameSite: 'strict',
-         maxAge: 3600000 // 1 hour
-       }
-     }));
-     
-     app.post('/login', (req, res) => {
-       // Authenticate user
-       
-       // Regenerate session to prevent session fixation
-       req.session.regenerate((err) => {
-         if (err) {
-           return res.status(500).json({ error: 'Failed to create session' });
-         }
-         
-         // Set authenticated user in session
-         req.session.userId = user.id;
-         req.session.authenticated = true;
-         
-         res.json({ success: true });
-       });
-     });
-     ```
-
-10. **Implement Proper Access Control for APIs**
-    - Use OAuth 2.0 or JWT for API authentication
-    - Implement proper scope checking
-    - Example with JWT:
-      ```javascript
-      const jwt = require('jsonwebtoken');
-      
-      function verifyToken(req, res, next) {
-        const token = req.headers.authorization?.split(' ')[1];
-        
-        if (!token) {
-          return res.status(401).json({ error: 'No token provided' });
-        }
-        
-        try {
-          const decoded = jwt.verify(token, process.env.JWT_SECRET);
-          req.user = decoded;
-          
-          // Check if token has required scope
-          if (req.route.path === '/api/admin' && !decoded.scopes.includes('admin')) {
-            return res.status(403).json({ error: 'Insufficient scope' });
-          }
-          
-          next();
-        } catch (error) {
-          return res.status(401).json({ error: 'Invalid token' });
-        }
-      }
-      
-      // Protect API routes
-      app.get('/api/users', verifyToken, (req, res) => {
-        // Handle request
-      });
-      ```
-
-## Validation
-
-- Authentication middleware is implemented correctly.
-- Authorization checks are implemented.
-- CSRF protection is implemented.
-- Secure cookie settings are configured.
-- CORS is configured with specific origins rather than wildcards.
+
+           // Usage
+           app.post('/articles',
+             authenticate,
+             checkPermission('article:create'),
+             (req, res) => {
+               // Create article
+             }
+           );
+           ```
+
+      4. **Protect Against Insecure Direct Object References (IDOR)**
+         - Validate that the requested resource belongs to the user
+         - Use indirect references or access control lists
+         - Example:
+           ```javascript
+           app.get('/documents/:id', authenticate, async (req, res) => {
+             try {
+               const document = await Document.findById(req.params.id);
+
+               // Check if document exists
+               if (!document) {
+                 return res.status(404).json({ error: 'Document not found' });
+               }
+
+               // Check if user owns the document or has access
+               if (document.userId !== req.user.id &&
+                   !(await userHasAccess(req.user.id, document.id))) {
+                 return res.status(403).json({ error: 'Access denied' });
+               }
+
+               res.json(document);
+             } catch (error) {
+               res.status(500).json({ error: error.message });
+             }
+           });
+           ```
+
+      5. **Implement Proper CORS Configuration**
+         - Never use wildcard (*) in production
+         - Whitelist specific trusted origins
+         - Example:
+           ```javascript
+           const cors = require('cors');
+
+           const corsOptions = {
+             origin: ['https://trusted-app.com', 'https://admin.trusted-app.com'],
+             methods: ['GET', 'POST', 'PUT', 'DELETE'],
+             allowedHeaders: ['Content-Type', 'Authorization'],
+             credentials: true,
+             maxAge: 86400 // 24 hours
+           };
+
+           app.use(cors(corsOptions));
+           ```
+
+      6. **Implement CSRF Protection**
+         - Use anti-CSRF tokens for state-changing operations
+         - Validate the token on the server
+         - Example with csurf:
+           ```javascript
+           const csrf = require('csurf');
+
+           // Setup CSRF protection
+           const csrfProtection = csrf({ cookie: true });
+
+           // Generate CSRF token
+           app.get('/form', csrfProtection, (req, res) => {
+             res.render('form', { csrfToken: req.csrfToken() });
+           });
+
+           // Validate CSRF token
+           app.post('/process', csrfProtection, (req, res) => {
+             // Process the request
+           });
+           ```
+
+      7. **Implement Secure Cookie Settings**
+         - Set secure, httpOnly, and sameSite attributes
+         - Use appropriate expiration times
+         - Example:
+           ```javascript
+           res.cookie('sessionId', sessionId, {
+             httpOnly: true,  // Prevents JavaScript access
+             secure: true,    // Only sent over HTTPS
+             sameSite: 'strict', // Prevents CSRF attacks
+             maxAge: 3600000, // 1 hour
+             path: '/',
+             domain: 'yourdomain.com'
+           });
+           ```
+
+      8. **Implement Rate Limiting**
+         - Apply rate limiting to authentication endpoints
+         - Prevent brute force attacks
+         - Example with express-rate-limit:
+           ```javascript
+           const rateLimit = require('express-rate-limit');
+
+           const loginLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000, // 15 minutes
+             max: 5, // 5 attempts per window
+             standardHeaders: true,
+             legacyHeaders: false,
+             message: {
+               error: 'Too many login attempts, please try again after 15 minutes'
+             }
+           });
+
+           app.post('/login', loginLimiter, (req, res) => {
+             // Handle login
+           });
+           ```
+
+      9. **Implement Proper Session Management**
+         - Use secure session management libraries
+         - Rotate session IDs after login
+         - Example:
+           ```javascript
+           const session = require('express-session');
+
+           app.use(session({
+             secret: process.env.SESSION_SECRET,
+             resave: false,
+             saveUninitialized: false,
+             cookie: {
+               secure: true,
+               httpOnly: true,
+               sameSite: 'strict',
+               maxAge: 3600000 // 1 hour
+             }
+           }));
+
+           app.post('/login', (req, res) => {
+             // Authenticate user
+
+             // Regenerate session to prevent session fixation
+             req.session.regenerate((err) => {
+               if (err) {
+                 return res.status(500).json({ error: 'Failed to create session' });
+               }
+
+               // Set authenticated user in session
+               req.session.userId = user.id;
+               req.session.authenticated = true;
+
+               res.json({ success: true });
+             });
+           });
+           ```
+
+      10. **Implement Proper Access Control for APIs**
+          - Use OAuth 2.0 or JWT for API authentication
+          - Implement proper scope checking
+          - Example with JWT:
+            ```javascript
+            const jwt = require('jsonwebtoken');
+
+            function verifyToken(req, res, next) {
+              const token = req.headers.authorization?.split(' ')[1];
+
+              if (!token) {
+                return res.status(401).json({ error: 'No token provided' });
+              }
+
+              try {
+                const decoded = jwt.verify(token, process.env.JWT_SECRET);
+                req.user = decoded;
+
+                // Check if token has required scope
+                if (req.route.path === '/api/admin' && !decoded.scopes.includes('admin')) {
+                  return res.status(403).json({ error: 'Insufficient scope' });
+                }
+
+                next();
+              } catch (error) {
+                return res.status(401).json({ error: 'Invalid token' });
+              }
+            }
+
+            // Protect API routes
+            app.get('/api/users', verifyToken, (req, res) => {
+              // Handle request
+            });
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Authentication middleware
+      - pattern: "(?:app\\.use\\((?:authenticate|auth\\.initialize|passport\\.initialize|express-session|jwt))|(?:passport\\.authenticate\\()|(?:auth\\.required)"
+        message: "Authentication middleware is implemented correctly."
+
+      # Check 2: Authorization checks
+      - pattern: "(?:isAuthorized|checkPermission|hasRole|requireRole|checkAccess|canAccess|checkAuth|roleRequired|requireScope)"
+        message: "Authorization checks are implemented."
+
+      # Check 3: CSRF protection
+      - pattern: "(?:csrf|csurf|csrfProtection|antiForgery|csrfToken)"
+        message: "CSRF protection is implemented."
+
+      # Check 4: Secure cookies
+      - pattern: "(?:cookie|cookies).*(?:secure:\\s*true|httpOnly:\\s*true|sameSite)"
+        message: "Secure cookie settings are configured."
+
+      # Check 5: CORS configuration
+      - pattern: "cors\\(\\{[^\\}]*?origin:\\s*\\[[^\\]]+\\]"
+        message: "CORS is configured with specific origins rather than wildcards."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - access-control
+    - authorization
+    - authentication
+    - owasp
+    - language:javascript
+    - language:typescript
+    - framework:express
+    - framework:react
+    - framework:angular
+    - framework:vue
+    - category:security
+    - subcategory:access-control
+    - standard:owasp-top10
+    - risk:a01-broken-access-control
+  references:
+    - "https://owasp.org/Top10/A01_2021-Broken_Access_Control/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html"
+    - "https://nodejs.org/en/security/best-practices/"
+    - "https://expressjs.com/en/advanced/best-practice-security.html"
+    - "https://auth0.com/blog/node-js-and-express-tutorial-building-and-securing-restful-apis/"
+```
+
+
diff --git a/.cursor/rules/javascript-cryptographic-failures.mdc b/.cursor/rules/javascript-cryptographic-failures.mdc
index 6a70f4c..ab88bb5 100644
--- a/.cursor/rules/javascript-cryptographic-failures.mdc
+++ b/.cursor/rules/javascript-cryptographic-failures.mdc
@@ -4,218 +4,303 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Cryptographic Failures (OWASP A02:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms.
-- Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault.
-- Using Math.random() for security purposes. Use crypto.randomBytes() or Web Crypto API for cryptographic operations.
-- Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ for secure communications.
-- SSL certificate validation is disabled. Always validate certificates in production environments.
-- Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding.
-- Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits.
-- Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, scrypt, or PBKDF2.
-- Ensure you're using a proper random salt with password hashing functions.
-- Cookies with sensitive data should have secure and httpOnly flags enabled.
-- Performing sensitive cryptographic operations on the client side. Move encryption/decryption logic to the server.
-- JWT implementation missing expiration or using weak algorithm. Set expiresIn and use a strong algorithm.
-- Using potentially weak pseudorandom number generator. Use crypto.randomBytes() for cryptographic security.
-- Storing sensitive data in browser storage. Use secure HttpOnly cookies for authentication tokens.
-- Weak password validation. Require at least 12 characters with a mix of uppercase, lowercase, numbers, and special characters.
-
-## Recommendations
-
-**JavaScript Cryptography Best Practices:**
-
-1. **Secure Password Storage:**
-   - Use dedicated password hashing algorithms:
-     ```javascript
-     // Node.js with bcrypt
-     const bcrypt = require('bcrypt');
-     const saltRounds = 12;
-     const hashedPassword = await bcrypt.hash(password, saltRounds);
-     
-     // Verify password
-     const match = await bcrypt.compare(password, hashedPassword);
-     ```
-   - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
-     ```javascript
-     // Node.js with crypto
-     const crypto = require('crypto');
-     
-     function hashPassword(password) {
-       const salt = crypto.randomBytes(16);
-       const hash = crypto.pbkdf2Sync(password, salt, 310000, 32, 'sha256');
-       return { salt: salt.toString('hex'), hash: hash.toString('hex') };
-     }
-     ```
-
-2. **Secure Random Number Generation:**
-   - In Node.js:
-     ```javascript
-     const crypto = require('crypto');
-     const randomBytes = crypto.randomBytes(32); // 256 bits of randomness
-     ```
-   - In browsers:
-     ```javascript
-     const array = new Uint8Array(32);
-     window.crypto.getRandomValues(array);
-     ```
-
-3. **Secure Communications:**
-   - Use TLS 1.2+ for all communications:
-     ```javascript
-     // Node.js HTTPS server
-     const https = require('https');
-     const fs = require('fs');
-     
-     const options = {
-       key: fs.readFileSync('private-key.pem'),
-       cert: fs.readFileSync('certificate.pem'),
-       minVersion: 'TLSv1.2'
-     };
-     
-     https.createServer(options, (req, res) => {
-       res.writeHead(200);
-       res.end('Hello, world!');
-     }).listen(443);
-     ```
-   - Always validate certificates:
-     ```javascript
-     // Node.js HTTPS request
-     const https = require('https');
-     
-     const options = {
-       hostname: 'example.com',
-       port: 443,
-       path: '/',
-       method: 'GET',
-       rejectUnauthorized: true // Default, but explicitly set for clarity
-     };
-     
-     const req = https.request(options, (res) => {
-       // Handle response
-     });
-     ```
-
-4. **Proper Key Management:**
-   - Never hardcode secrets in source code
-   - Use environment variables or secure vaults:
-     ```javascript
-     // Node.js with dotenv
-     require('dotenv').config();
-     const apiKey = process.env.API_KEY;
-     ```
-   - Consider using dedicated key management services
-
-5. **Secure Encryption:**
-   - Use authenticated encryption (AES-GCM):
-     ```javascript
-     // Node.js crypto
-     const crypto = require('crypto');
-     
-     function encrypt(text, masterKey) {
-       const iv = crypto.randomBytes(12);
-       const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
-       
-       let encrypted = cipher.update(text, 'utf8', 'hex');
-       encrypted += cipher.final('hex');
-       
-       const authTag = cipher.getAuthTag().toString('hex');
-       
-       return {
-         iv: iv.toString('hex'),
-         encrypted,
-         authTag
-       };
-     }
-     
-     function decrypt(encrypted, masterKey) {
-       const decipher = crypto.createDecipheriv(
-         'aes-256-gcm',
-         masterKey,
-         Buffer.from(encrypted.iv, 'hex')
-       );
-       
-       decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
-       
-       let decrypted = decipher.update(encrypted.encrypted, 'hex', 'utf8');
-       decrypted += decipher.final('utf8');
-       
-       return decrypted;
-     }
-     ```
-
-6. **Secure Cookie Handling:**
-   - Set secure and httpOnly flags:
-     ```javascript
-     // Express.js
-     res.cookie('session', sessionId, {
-       httpOnly: true,
-       secure: true,
-       sameSite: 'strict',
-       maxAge: 3600000 // 1 hour
-     });
-     ```
-
-7. **JWT Security:**
-   - Use strong algorithms and set expiration:
-     ```javascript
-     // Node.js with jsonwebtoken
-     const jwt = require('jsonwebtoken');
-     
-     const token = jwt.sign(
-       { userId: user.id },
-       process.env.JWT_SECRET,
-       { 
-         expiresIn: '1h',
-         algorithm: 'HS256'
-       }
-     );
-     ```
-   - Validate tokens properly:
-     ```javascript
-     try {
-       const decoded = jwt.verify(token, process.env.JWT_SECRET);
-       // Process request with decoded data
-     } catch (err) {
-       // Handle invalid token
-     }
-     ```
-
-8. **Constant-Time Comparison:**
-   - Use crypto.timingSafeEqual for comparing secrets:
-     ```javascript
-     const crypto = require('crypto');
-     
-     function safeCompare(a, b) {
-       const bufA = Buffer.from(a);
-       const bufB = Buffer.from(b);
-       
-       // Ensure the buffers are the same length to avoid timing attacks
-       // based on length differences
-       if (bufA.length !== bufB.length) {
-         return false;
-       }
-       
-       return crypto.timingSafeEqual(bufA, bufB);
-     }
-     ```
-
-## Validation
-
-- Using secure password hashing algorithm.
-- Using cryptographically secure random number generation.
-- Using secure TLS configuration.
-- Properly validating SSL certificates.
+```yaml
+name: javascript_cryptographic_failures
+description: Detect and prevent cryptographic failures in JavaScript applications as defined in OWASP Top 10:2021-A02
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Weak or insecure cryptographic algorithms
+      - pattern: "(?:createHash|crypto\\.createHash)\\(['\"](?:md5|sha1)['\"]\\)|(?:crypto|require\\(['\"]crypto['\"]\\))\\.(?:createHash|Hash)\\(['\"](?:md5|sha1)['\"]\\)|new (?:MD5|SHA1)\\(|CryptoJS\\.(?:MD5|SHA1)\\("
+        message: "Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms."
+
+      # Pattern 2: Hardcoded secrets/credentials
+      - pattern: "(?:const|let|var)\\s+(?:password|secret|key|token|auth|apiKey|api_key)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault."
+
+      # Pattern 3: Insecure random number generation
+      - pattern: "Math\\.random\\(\\)|Math\\.floor\\(\\s*Math\\.random\\(\\)\\s*\\*"
+        message: "Using Math.random() for security purposes. Use crypto.randomBytes() or Web Crypto API for cryptographic operations."
+
+      # Pattern 4: Weak SSL/TLS configuration
+      - pattern: "(?:tls|https|require\\(['\"]https['\"]\\)|require\\(['\"]tls['\"]\\))\\.(?:createServer|request|get)\\([^\\)]*?{[^}]*?secureProtocol\\s*:\\s*['\"](?:SSLv2_method|SSLv3_method|TLSv1_method|TLSv1_1_method)['\"]"
+        message: "Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ for secure communications."
+
+      # Pattern 5: Missing certificate validation
+      - pattern: "(?:rejectUnauthorized|strictSSL)\\s*:\\s*false"
+        message: "SSL certificate validation is disabled. Always validate certificates in production environments."
+
+      # Pattern 6: Insecure cipher usage
+      - pattern: "(?:createCipheriv|crypto\\.createCipheriv)\\(['\"](?:des|des3|rc4|bf|blowfish|aes-\\d+-ecb)['\"]"
+        message: "Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding."
+
+      # Pattern 7: Insufficient key length
+      - pattern: "(?:generateKeyPair|generateKeyPairSync)\\([^,]*?['\"]rsa['\"][^,]*?{[^}]*?modulusLength\\s*:\\s*(\\d{1,3}|1[0-9]{3}|20[0-3][0-9]|204[0-7])\\s*}"
+        message: "Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits."
+
+      # Pattern 8: Insecure password hashing
+      - pattern: "(?:createHash|crypto\\.createHash)\\([^)]*?\\)\\.(?:update|digest)\\([^)]*?\\)|CryptoJS\\.(?:SHA256|SHA512|SHA3)\\([^)]*?\\)"
+        negative_pattern: "(?:bcrypt|scrypt|pbkdf2|argon2)"
+        message: "Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, scrypt, or PBKDF2."
+
+      # Pattern 9: Missing salt in password hashing
+      - pattern: "(?:pbkdf2|pbkdf2Sync)\\([^,]+,[^,]+,[^,]+,\\s*\\d+\\s*,[^,]+\\)"
+        negative_pattern: "(?:salt|crypto\\.randomBytes)"
+        message: "Ensure you're using a proper random salt with password hashing functions."
+
+      # Pattern 10: Insecure cookie settings
+      - pattern: "(?:document\\.cookie|cookies\\.set|res\\.cookie|cookie\\.serialize)\\([^)]*?\\)"
+        negative_pattern: "(?:secure\\s*:|httpOnly\\s*:|sameSite\\s*:)"
+        message: "Cookies with sensitive data should have secure and httpOnly flags enabled."
+
+      # Pattern 11: Client-side encryption
+      - pattern: "(?:encrypt|decrypt|createCipher|createDecipher)\\([^)]*?\\)"
+        location: "(?:frontend|client|browser|react|vue|angular)"
+        message: "Performing sensitive cryptographic operations on the client side. Move encryption/decryption logic to the server."
+
+      # Pattern 12: Insecure JWT implementation
+      - pattern: "(?:jwt\\.sign|jsonwebtoken\\.sign)\\([^,]*?,[^,]*?,[^\\)]*?\\)"
+        negative_pattern: "(?:expiresIn|algorithm\\s*:\\s*['\"](?:HS256|HS384|HS512|RS256|RS384|RS512|ES256|ES384|ES512)['\"])"
+        message: "JWT implementation missing expiration or using weak algorithm. Set expiresIn and use a strong algorithm."
+
+      # Pattern 13: Weak PRNG in Node.js
+      - pattern: "(?:crypto\\.pseudoRandomBytes|crypto\\.rng|crypto\\.randomInt)\\("
+        message: "Using potentially weak pseudorandom number generator. Use crypto.randomBytes() for cryptographic security."
+
+      # Pattern 14: Insecure local storage usage for sensitive data
+      - pattern: "(?:localStorage\\.setItem|sessionStorage\\.setItem)\\(['\"](?:token|auth|jwt|password|secret|key|credential)['\"]"
+        message: "Storing sensitive data in browser storage. Use secure HttpOnly cookies for authentication tokens."
+
+      # Pattern 15: Weak password validation
+      - pattern: "(?:password\\.length\\s*>=?\\s*\\d|password\\.match\\(['\"][^'\"]+['\"]\\))"
+        negative_pattern: "(?:password\\.length\\s*>=?\\s*(?:8|9|10|11|12)|[A-Z]|[a-z]|[0-9]|[^A-Za-z0-9])"
+        message: "Weak password validation. Require at least 12 characters with a mix of uppercase, lowercase, numbers, and special characters."
+
+  - type: suggest
+    message: |
+      **JavaScript Cryptography Best Practices:**
+
+      1. **Secure Password Storage:**
+         - Use dedicated password hashing algorithms:
+           ```javascript
+           // Node.js with bcrypt
+           const bcrypt = require('bcrypt');
+           const saltRounds = 12;
+           const hashedPassword = await bcrypt.hash(password, saltRounds);
+
+           // Verify password
+           const match = await bcrypt.compare(password, hashedPassword);
+           ```
+         - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
+           ```javascript
+           // Node.js with crypto
+           const crypto = require('crypto');
+
+           function hashPassword(password) {
+             const salt = crypto.randomBytes(16);
+             const hash = crypto.pbkdf2Sync(password, salt, 310000, 32, 'sha256');
+             return { salt: salt.toString('hex'), hash: hash.toString('hex') };
+           }
+           ```
+
+      2. **Secure Random Number Generation:**
+         - In Node.js:
+           ```javascript
+           const crypto = require('crypto');
+           const randomBytes = crypto.randomBytes(32); // 256 bits of randomness
+           ```
+         - In browsers:
+           ```javascript
+           const array = new Uint8Array(32);
+           window.crypto.getRandomValues(array);
+           ```
+
+      3. **Secure Communications:**
+         - Use TLS 1.2+ for all communications:
+           ```javascript
+           // Node.js HTTPS server
+           const https = require('https');
+           const fs = require('fs');
+
+           const options = {
+             key: fs.readFileSync('private-key.pem'),
+             cert: fs.readFileSync('certificate.pem'),
+             minVersion: 'TLSv1.2'
+           };
+
+           https.createServer(options, (req, res) => {
+             res.writeHead(200);
+             res.end('Hello, world!');
+           }).listen(443);
+           ```
+         - Always validate certificates:
+           ```javascript
+           // Node.js HTTPS request
+           const https = require('https');
+
+           const options = {
+             hostname: 'example.com',
+             port: 443,
+             path: '/',
+             method: 'GET',
+             rejectUnauthorized: true // Default, but explicitly set for clarity
+           };
+
+           const req = https.request(options, (res) => {
+             // Handle response
+           });
+           ```
+
+      4. **Proper Key Management:**
+         - Never hardcode secrets in source code
+         - Use environment variables or secure vaults:
+           ```javascript
+           // Node.js with dotenv
+           require('dotenv').config();
+           const apiKey = process.env.API_KEY;
+           ```
+         - Consider using dedicated key management services
+
+      5. **Secure Encryption:**
+         - Use authenticated encryption (AES-GCM):
+           ```javascript
+           // Node.js crypto
+           const crypto = require('crypto');
+
+           function encrypt(text, masterKey) {
+             const iv = crypto.randomBytes(12);
+             const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
+
+             let encrypted = cipher.update(text, 'utf8', 'hex');
+             encrypted += cipher.final('hex');
+
+             const authTag = cipher.getAuthTag().toString('hex');
+
+             return {
+               iv: iv.toString('hex'),
+               encrypted,
+               authTag
+             };
+           }
+
+           function decrypt(encrypted, masterKey) {
+             const decipher = crypto.createDecipheriv(
+               'aes-256-gcm',
+               masterKey,
+               Buffer.from(encrypted.iv, 'hex')
+             );
+
+             decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
+
+             let decrypted = decipher.update(encrypted.encrypted, 'hex', 'utf8');
+             decrypted += decipher.final('utf8');
+
+             return decrypted;
+           }
+           ```
+
+      6. **Secure Cookie Handling:**
+         - Set secure and httpOnly flags:
+           ```javascript
+           // Express.js
+           res.cookie('session', sessionId, {
+             httpOnly: true,
+             secure: true,
+             sameSite: 'strict',
+             maxAge: 3600000 // 1 hour
+           });
+           ```
+
+      7. **JWT Security:**
+         - Use strong algorithms and set expiration:
+           ```javascript
+           // Node.js with jsonwebtoken
+           const jwt = require('jsonwebtoken');
+
+           const token = jwt.sign(
+             { userId: user.id },
+             process.env.JWT_SECRET,
+             {
+               expiresIn: '1h',
+               algorithm: 'HS256'
+             }
+           );
+           ```
+         - Validate tokens properly:
+           ```javascript
+           try {
+             const decoded = jwt.verify(token, process.env.JWT_SECRET);
+             // Process request with decoded data
+           } catch (err) {
+             // Handle invalid token
+           }
+           ```
+
+      8. **Constant-Time Comparison:**
+         - Use crypto.timingSafeEqual for comparing secrets:
+           ```javascript
+           const crypto = require('crypto');
+
+           function safeCompare(a, b) {
+             const bufA = Buffer.from(a);
+             const bufB = Buffer.from(b);
+
+             // Ensure the buffers are the same length to avoid timing attacks
+             // based on length differences
+             if (bufA.length !== bufB.length) {
+               return false;
+             }
+
+             return crypto.timingSafeEqual(bufA, bufB);
+           }
+           ```
+
+  - type: validate
+    conditions:
+      # Check 1: Proper password hashing
+      - pattern: "bcrypt\\.hash|scrypt|pbkdf2|argon2"
+        message: "Using secure password hashing algorithm."
+
+      # Check 2: Secure random generation
+      - pattern: "crypto\\.randomBytes|window\\.crypto\\.getRandomValues"
+        message: "Using cryptographically secure random number generation."
+
+      # Check 3: Strong TLS configuration
+      - pattern: "minVersion\\s*:\\s*['\"]TLSv1_2['\"]|minVersion\\s*:\\s*['\"]TLSv1_3['\"]"
+        message: "Using secure TLS configuration."
+
+      # Check 4: Proper certificate validation
+      - pattern: "rejectUnauthorized\\s*:\\s*true|strictSSL\\s*:\\s*true"
+        message: "Properly validating SSL certificates."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - cryptography
+    - encryption
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:cryptography
+    - standard:owasp-top10
+    - risk:a02-cryptographic-failures
+  references:
+    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
+    - "https://nodejs.org/api/crypto.html"
+    - "https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto"
+    - "https://www.npmjs.com/package/bcrypt"
+    - "https://www.npmjs.com/package/jsonwebtoken"
+```
+
+
diff --git a/.cursor/rules/javascript-identification-authentication-failures.mdc b/.cursor/rules/javascript-identification-authentication-failures.mdc
index 6b19696..2e0d55e 100644
--- a/.cursor/rules/javascript-identification-authentication-failures.mdc
+++ b/.cursor/rules/javascript-identification-authentication-failures.mdc
@@ -4,396 +4,492 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Identification and Authentication Failures (OWASP A07:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Weak password validation detected. Implement strong password policies requiring minimum length, complexity, and avoiding common passwords.
-- Authentication implementation without multi-factor authentication (MFA). Consider implementing MFA for enhanced security.
-- Hardcoded credentials detected. Store sensitive authentication data in secure configuration or environment variables.
-- Storing authentication tokens in localStorage or sessionStorage. Consider using HttpOnly cookies for sensitive authentication data.
-- Potential missing CSRF protection in API requests. Implement CSRF tokens for state-changing operations.
-- Insecure JWT configuration. Ensure JWTs have proper expiration and use secure algorithms (RS256 preferred over HS256).
-- Weak password hashing parameters. Use sufficient work factors for password hashing algorithms.
-- Authentication implementation without account lockout or rate limiting. Implement account lockout after failed attempts.
-- Potentially insecure password recovery mechanism. Implement secure, time-limited recovery tokens.
-- Authentication without CAPTCHA or rate limiting. Implement protection against brute force attacks.
-- Potentially insecure 'Remember Me' functionality. Implement with secure, HttpOnly cookies and proper expiration.
-- Potentially incomplete logout implementation. Ensure proper invalidation of sessions and tokens on logout.
-- Missing session timeout configuration. Implement proper session expiration for security.
-- Potentially insecure OAuth implementation. Use state parameters, PKCE for authorization code flow, and validate redirect URIs.
-- Missing input validation for user credentials. Implement proper validation and sanitization.
-
-## Recommendations
-
-**JavaScript Identification and Authentication Failures Best Practices:**
-
-1. **Strong Password Policies:**
-   - Implement minimum length (at least 12 characters)
-   - Require complexity (uppercase, lowercase, numbers, special characters)
-   - Check against common password lists
-   - Example:
-     ```javascript
-     // Using a library like zxcvbn for password strength estimation
-     import zxcvbn from 'zxcvbn';
-     
-     function validatePassword(password) {
-       if (password.length < 12) {
-         return { valid: false, message: 'Password must be at least 12 characters' };
-       }
-       
-       const strength = zxcvbn(password);
-       if (strength.score < 3) {
-         return { 
-           valid: false, 
-           message: 'Password is too weak. ' + strength.feedback.warning 
-         };
-       }
-       
-       return { valid: true };
-     }
-     ```
-
-2. **Multi-Factor Authentication (MFA):**
-   - Implement TOTP (Time-based One-Time Password)
-   - Support hardware security keys (WebAuthn/FIDO2)
-   - Example:
-     ```javascript
-     // Using speakeasy for TOTP implementation
-     import speakeasy from 'speakeasy';
-     
-     // Generate a secret for a user
-     const secret = speakeasy.generateSecret({ length: 20 });
-     
-     // Verify a token
-     function verifyToken(token, secret) {
-       return speakeasy.totp.verify({
-         secret: secret.base32,
-         encoding: 'base32',
-         token: token,
-         window: 1 // Allow 1 period before and after for clock drift
-       });
-     }
-     ```
-
-3. **Secure Session Management:**
-   - Use HttpOnly, Secure, and SameSite cookies
-   - Implement proper session expiration
-   - Example:
-     ```javascript
-     // Express.js example
-     app.use(session({
-       secret: process.env.SESSION_SECRET,
-       name: '__Host-session', // Prefix with __Host- for added security
-       cookie: {
-         httpOnly: true,
-         secure: true, // Requires HTTPS
-         sameSite: 'strict',
-         maxAge: 3600000, // 1 hour
-         path: '/'
-       },
-       resave: false,
-       saveUninitialized: false
-     }));
-     ```
-
-4. **CSRF Protection:**
-   - Implement CSRF tokens for all state-changing operations
-   - Example:
-     ```javascript
-     // Using csurf middleware with Express
-     import csrf from 'csurf';
-     
-     // Setup CSRF protection
-     const csrfProtection = csrf({ cookie: true });
-     
-     // Apply to routes
-     app.post('/api/user/profile', csrfProtection, (req, res) => {
-       // Handle the request
-     });
-     
-     // In your frontend (React example)
-     function ProfileForm() {
-       // Get CSRF token from cookie or meta tag
-       const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
-       
-       return (
-         <form method="POST" action="/api/user/profile">
-           <input type="hidden" name="_csrf" value={csrfToken} />
-           {/* Form fields */}
-           <button type="submit">Update Profile</button>
-         </form>
-       );
-     }
-     ```
-
-5. **Secure JWT Implementation:**
-   - Use strong algorithms (RS256 preferred over HS256)
-   - Include proper expiration (exp), issued at (iat), and audience (aud) claims
-   - Example:
-     ```javascript
-     import jwt from 'jsonwebtoken';
-     import fs from 'fs';
-     
-     // Using asymmetric keys (preferred for production)
-     const privateKey = fs.readFileSync('private.key');
-     
-     function generateToken(userId) {
-       return jwt.sign(
-         { 
-           sub: userId,
-           iat: Math.floor(Date.now() / 1000),
-           exp: Math.floor(Date.now() / 1000) + (60 * 60), // 1 hour
-           aud: 'your-app-name'
-         },
-         privateKey,
-         { algorithm: 'RS256' }
-       );
-     }
-     ```
-
-6. **Secure Password Storage:**
-   - Use bcrypt, Argon2, or PBKDF2 with sufficient work factor
-   - Example:
-     ```javascript
-     import bcrypt from 'bcrypt';
-     
-     async function hashPassword(password) {
-       // Cost factor of 12+ for production
-       const saltRounds = 12;
-       return await bcrypt.hash(password, saltRounds);
-     }
-     
-     async function verifyPassword(password, hash) {
-       return await bcrypt.compare(password, hash);
-     }
-     ```
-
-7. **Account Lockout and Rate Limiting:**
-   - Implement progressive delays or account lockout after failed attempts
-   - Example:
-     ```javascript
-     import rateLimit from 'express-rate-limit';
-     
-     // Apply rate limiting to login endpoint
-     const loginLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000, // 15 minutes
-       max: 5, // 5 attempts per window
-       message: 'Too many login attempts, please try again after 15 minutes',
-       standardHeaders: true,
-       legacyHeaders: false,
-     });
-     
-     app.post('/api/login', loginLimiter, (req, res) => {
-       // Handle login
-     });
-     ```
-
-8. **Secure Password Recovery:**
-   - Use time-limited, single-use tokens
-   - Send to verified email addresses only
-   - Example:
-     ```javascript
-     import crypto from 'crypto';
-     
-     function generatePasswordResetToken() {
-       return {
-         token: crypto.randomBytes(32).toString('hex'),
-         expires: new Date(Date.now() + 3600000) // 1 hour
-       };
-     }
-     
-     // Store token in database with user ID and expiration
-     // Send token via email (never include in URL directly)
-     // Verify token is valid and not expired when used
-     ```
-
-9. **Brute Force Protection:**
-   - Implement CAPTCHA or reCAPTCHA
-   - Example:
-     ```javascript
-     // Using Google reCAPTCHA v3
-     async function verifyRecaptcha(token) {
-       const response = await fetch('https://www.google.com/recaptcha/api/siteverify', {
-         method: 'POST',
-         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-         body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`
-       });
-       
-       const data = await response.json();
-       return data.success && data.score >= 0.5; // Adjust threshold as needed
-     }
-     
-     app.post('/api/login', async (req, res) => {
-       const { recaptchaToken } = req.body;
-       
-       if (!(await verifyRecaptcha(recaptchaToken))) {
-         return res.status(400).json({ error: 'CAPTCHA verification failed' });
-       }
-       
-       // Continue with login process
-     });
-     ```
-
-10. **Secure Logout Implementation:**
-    - Invalidate sessions on both client and server
-    - Example:
-      ```javascript
-      app.post('/api/logout', (req, res) => {
-        // Clear server-side session
-        req.session.destroy((err) => {
-          if (err) {
-            return res.status(500).json({ error: 'Failed to logout' });
-          }
-          
-          // Clear client-side cookie
-          res.clearCookie('__Host-session', {
-            httpOnly: true,
-            secure: true,
-            sameSite: 'strict',
-            path: '/'
-          });
-          
-          res.status(200).json({ message: 'Logged out successfully' });
-        });
-      });
-      ```
-
-11. **Secure OAuth Implementation:**
-    - Use state parameter to prevent CSRF
-    - Implement PKCE for authorization code flow
-    - Validate redirect URIs against whitelist
-    - Example:
-      ```javascript
-      // Generate state and code verifier for PKCE
-      function generateOAuthState() {
-        return crypto.randomBytes(32).toString('hex');
-      }
-      
-      function generateCodeVerifier() {
-        return crypto.randomBytes(43).toString('base64url');
-      }
-      
-      function generateCodeChallenge(verifier) {
-        const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
-        return hash;
-      }
-      
-      // Store state and code verifier in session
-      // Use code challenge in authorization request
-      // Verify state and use code verifier in token request
-      ```
-
-12. **Input Validation:**
-    - Validate and sanitize all user inputs
-    - Example:
-      ```javascript
-      import validator from 'validator';
-      
-      function validateCredentials(email, password) {
-        const errors = {};
-        
-        if (!validator.isEmail(email)) {
-          errors.email = 'Invalid email format';
-        }
-        
-        if (!password || password.length < 12) {
-          errors.password = 'Password must be at least 12 characters';
-        }
-        
-        return {
-          isValid: Object.keys(errors).length === 0,
-          errors
-        };
-      }
-      ```
-
-13. **Secure Headers:**
-    - Implement security headers for authentication-related pages
-    - Example:
-      ```javascript
-      // Using helmet with Express
-      import helmet from 'helmet';
-      
-      app.use(helmet({
-        contentSecurityPolicy: {
-          directives: {
-            defaultSrc: ["'self'"],
-            scriptSrc: ["'self'", 'https://www.google.com/recaptcha/', 'https://www.gstatic.com/recaptcha/'],
-            frameSrc: ["'self'", 'https://www.google.com/recaptcha/'],
-            styleSrc: ["'self'", "'unsafe-inline'"],
-            connectSrc: ["'self'"]
-          }
-        },
-        referrerPolicy: { policy: 'same-origin' }
-      }));
-      ```
-
-14. **Credential Stuffing Protection:**
-    - Implement device fingerprinting and anomaly detection
-    - Example:
-      ```javascript
-      // Simple device fingerprinting
-      function getDeviceFingerprint(req) {
-        return {
-          ip: req.ip,
-          userAgent: req.headers['user-agent'],
-          acceptLanguage: req.headers['accept-language']
-        };
-      }
-      
-      // Check if login is from a new device
-      async function isNewDevice(userId, fingerprint) {
-        // Compare with stored fingerprints for this user
-        // Alert or require additional verification for new devices
-      }
-      ```
-
-15. **Secure Password Change:**
-    - Require current password verification
-    - Example:
-      ```javascript
-      async function changePassword(userId, currentPassword, newPassword) {
-        // Retrieve user from database
-        const user = await getUserById(userId);
-        
-        // Verify current password
-        const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
-        if (!isValid) {
-          return { success: false, message: 'Current password is incorrect' };
-        }
-        
-        // Validate new password strength
-        const validation = validatePassword(newPassword);
-        if (!validation.valid) {
-          return { success: false, message: validation.message };
-        }
-        
-        // Hash and store new password
-        const newHash = await bcrypt.hash(newPassword, 12);
-        await updateUserPassword(userId, newHash);
-        
-        // Invalidate existing sessions (optional but recommended)
-        await invalidateUserSessions(userId);
-        
-        return { success: true };
-      }
-      ```
-
-## Validation
-
-- Implementing strong password length requirements (12+ characters).
-- Using secure password hashing with appropriate work factor.
-- Implementing CSRF protection for state-changing operations.
-- Using secure cookie configuration for sessions.
-- Implementing rate limiting for authentication endpoints.
+```yaml
+name: javascript_identification_authentication_failures
+description: Detect and prevent identification and authentication failures in JavaScript applications as defined in OWASP Top 10:2021-A07
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Weak Password Validation
+      - pattern: "(?:password|passwd|pwd)\\s*\\.\\s*(?:length\\s*[<>]=?\\s*(?:[0-9]|10)\\b|match\\(\\s*['\"][^'\"]*['\"]\\s*\\))"
+        message: "Weak password validation detected. Implement strong password policies requiring minimum length, complexity, and avoiding common passwords."
+
+      # Pattern 2: Missing MFA Implementation
+      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:mfa|2fa|two-factor|multi-factor|otp|totp)"
+        message: "Authentication implementation without multi-factor authentication (MFA). Consider implementing MFA for enhanced security."
+
+      # Pattern 3: Hardcoded Credentials
+      - pattern: "(?:const|let|var)\\s+(?:password|passwd|pwd|secret|key|token|apiKey)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Hardcoded credentials detected. Store sensitive authentication data in secure configuration or environment variables."
+
+      # Pattern 4: Insecure Session Management
+      - pattern: "(?:localStorage|sessionStorage)\\.setItem\\(['\"](?:token|jwt|session|auth|user)['\"]"
+        message: "Storing authentication tokens in localStorage or sessionStorage. Consider using HttpOnly cookies for sensitive authentication data."
+
+      # Pattern 5: Missing CSRF Protection
+      - pattern: "(?:post|put|delete|patch)\\([^)]*?\\)"
+        negative_pattern: "(?:csrf|xsrf|token)"
+        location: "(?:src|components|pages|api)"
+        message: "Potential missing CSRF protection in API requests. Implement CSRF tokens for state-changing operations."
+
+      # Pattern 6: Insecure JWT Handling
+      - pattern: "jwt\\.sign\\([^)]*?{[^}]*?}\\s*,\\s*[^,)]+\\s*(?:\\)|,\\s*{\\s*(?:expiresIn|algorithm)\\s*:\\s*[^}]*?}\\s*\\))"
+        negative_pattern: "(?:expiresIn|exp).*(?:algorithm|alg)"
+        message: "Insecure JWT configuration. Ensure JWTs have proper expiration and use secure algorithms (RS256 preferred over HS256)."
+
+      # Pattern 7: Insecure Password Storage
+      - pattern: "(?:bcrypt|argon2|pbkdf2|scrypt)\\.[^(]*\\([^)]*?(?:rounds|iterations|cost|factor)\\s*[:<=>]\\s*(?:[0-9]|1[0-2])\\b"
+        message: "Weak password hashing parameters. Use sufficient work factors for password hashing algorithms."
+
+      # Pattern 8: Missing Account Lockout
+      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:lock|attempt|count|limit|throttle|rate)"
+        message: "Authentication implementation without account lockout or rate limiting. Implement account lockout after failed attempts."
+
+      # Pattern 9: Insecure Password Recovery
+      - pattern: "(?:reset|forgot|recover)(?:Password|Pwd)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:expire|timeout|token|verify)"
+        message: "Potentially insecure password recovery mechanism. Implement secure, time-limited recovery tokens."
+
+      # Pattern 10: Missing Brute Force Protection
+      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:captcha|recaptcha|hcaptcha|rate\\s*limit)"
+        message: "Authentication without CAPTCHA or rate limiting. Implement protection against brute force attacks."
+
+      # Pattern 11: Insecure Remember Me Functionality
+      - pattern: "(?:rememberMe|keepLoggedIn|staySignedIn)"
+        negative_pattern: "(?:secure|httpOnly|sameSite)"
+        message: "Potentially insecure 'Remember Me' functionality. Implement with secure, HttpOnly cookies and proper expiration."
+
+      # Pattern 12: Insecure Logout Implementation
+      - pattern: "(?:logout|signout)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:invalidate|revoke|clear|remove).*(?:token|session|cookie)"
+        message: "Potentially incomplete logout implementation. Ensure proper invalidation of sessions and tokens on logout."
+
+      # Pattern 13: Missing Session Timeout
+      - pattern: "(?:session|cookie|jwt)\\s*\\.\\s*(?:create|set|sign)"
+        negative_pattern: "(?:expire|timeout|maxAge)"
+        message: "Missing session timeout configuration. Implement proper session expiration for security."
+
+      # Pattern 14: Insecure OAuth Implementation
+      - pattern: "(?:oauth|openid|oidc).*(?:callback|redirect)"
+        negative_pattern: "(?:state|nonce|pkce)"
+        message: "Potentially insecure OAuth implementation. Use state parameters, PKCE for authorization code flow, and validate redirect URIs."
+
+      # Pattern 15: Missing Credential Validation
+      - pattern: "(?:email|username|user)\\s*=\\s*(?:req\\.body|req\\.query|req\\.params|formData\\.get)\\(['\"][^'\"]+['\"]\\)"
+        negative_pattern: "(?:validate|sanitize|check|trim)"
+        message: "Missing input validation for user credentials. Implement proper validation and sanitization."
+
+  - type: suggest
+    message: |
+      **JavaScript Identification and Authentication Failures Best Practices:**
+
+      1. **Strong Password Policies:**
+         - Implement minimum length (at least 12 characters)
+         - Require complexity (uppercase, lowercase, numbers, special characters)
+         - Check against common password lists
+         - Example:
+           ```javascript
+           // Using a library like zxcvbn for password strength estimation
+           import zxcvbn from 'zxcvbn';
+
+           function validatePassword(password) {
+             if (password.length < 12) {
+               return { valid: false, message: 'Password must be at least 12 characters' };
+             }
+
+             const strength = zxcvbn(password);
+             if (strength.score < 3) {
+               return {
+                 valid: false,
+                 message: 'Password is too weak. ' + strength.feedback.warning
+               };
+             }
+
+             return { valid: true };
+           }
+           ```
+
+      2. **Multi-Factor Authentication (MFA):**
+         - Implement TOTP (Time-based One-Time Password)
+         - Support hardware security keys (WebAuthn/FIDO2)
+         - Example:
+           ```javascript
+           // Using speakeasy for TOTP implementation
+           import speakeasy from 'speakeasy';
+
+           // Generate a secret for a user
+           const secret = speakeasy.generateSecret({ length: 20 });
+
+           // Verify a token
+           function verifyToken(token, secret) {
+             return speakeasy.totp.verify({
+               secret: secret.base32,
+               encoding: 'base32',
+               token: token,
+               window: 1 // Allow 1 period before and after for clock drift
+             });
+           }
+           ```
+
+      3. **Secure Session Management:**
+         - Use HttpOnly, Secure, and SameSite cookies
+         - Implement proper session expiration
+         - Example:
+           ```javascript
+           // Express.js example
+           app.use(session({
+             secret: process.env.SESSION_SECRET,
+             name: '__Host-session', // Prefix with __Host- for added security
+             cookie: {
+               httpOnly: true,
+               secure: true, // Requires HTTPS
+               sameSite: 'strict',
+               maxAge: 3600000, // 1 hour
+               path: '/'
+             },
+             resave: false,
+             saveUninitialized: false
+           }));
+           ```
+
+      4. **CSRF Protection:**
+         - Implement CSRF tokens for all state-changing operations
+         - Example:
+           ```javascript
+           // Using csurf middleware with Express
+           import csrf from 'csurf';
+
+           // Setup CSRF protection
+           const csrfProtection = csrf({ cookie: true });
+
+           // Apply to routes
+           app.post('/api/user/profile', csrfProtection, (req, res) => {
+             // Handle the request
+           });
+
+           // In your frontend (React example)
+           function ProfileForm() {
+             // Get CSRF token from cookie or meta tag
+             const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
+
+             return (
+               <form method="POST" action="/api/user/profile">
+                 <input type="hidden" name="_csrf" value={csrfToken} />
+                 {/* Form fields */}
+                 <button type="submit">Update Profile</button>
+               </form>
+             );
+           }
+           ```
+
+      5. **Secure JWT Implementation:**
+         - Use strong algorithms (RS256 preferred over HS256)
+         - Include proper expiration (exp), issued at (iat), and audience (aud) claims
+         - Example:
+           ```javascript
+           import jwt from 'jsonwebtoken';
+           import fs from 'fs';
+
+           // Using asymmetric keys (preferred for production)
+           const privateKey = fs.readFileSync('private.key');
+
+           function generateToken(userId) {
+             return jwt.sign(
+               {
+                 sub: userId,
+                 iat: Math.floor(Date.now() / 1000),
+                 exp: Math.floor(Date.now() / 1000) + (60 * 60), // 1 hour
+                 aud: 'your-app-name'
+               },
+               privateKey,
+               { algorithm: 'RS256' }
+             );
+           }
+           ```
+
+      6. **Secure Password Storage:**
+         - Use bcrypt, Argon2, or PBKDF2 with sufficient work factor
+         - Example:
+           ```javascript
+           import bcrypt from 'bcrypt';
+
+           async function hashPassword(password) {
+             // Cost factor of 12+ for production
+             const saltRounds = 12;
+             return await bcrypt.hash(password, saltRounds);
+           }
+
+           async function verifyPassword(password, hash) {
+             return await bcrypt.compare(password, hash);
+           }
+           ```
+
+      7. **Account Lockout and Rate Limiting:**
+         - Implement progressive delays or account lockout after failed attempts
+         - Example:
+           ```javascript
+           import rateLimit from 'express-rate-limit';
+
+           // Apply rate limiting to login endpoint
+           const loginLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000, // 15 minutes
+             max: 5, // 5 attempts per window
+             message: 'Too many login attempts, please try again after 15 minutes',
+             standardHeaders: true,
+             legacyHeaders: false,
+           });
+
+           app.post('/api/login', loginLimiter, (req, res) => {
+             // Handle login
+           });
+           ```
+
+      8. **Secure Password Recovery:**
+         - Use time-limited, single-use tokens
+         - Send to verified email addresses only
+         - Example:
+           ```javascript
+           import crypto from 'crypto';
+
+           function generatePasswordResetToken() {
+             return {
+               token: crypto.randomBytes(32).toString('hex'),
+               expires: new Date(Date.now() + 3600000) // 1 hour
+             };
+           }
+
+           // Store token in database with user ID and expiration
+           // Send token via email (never include in URL directly)
+           // Verify token is valid and not expired when used
+           ```
+
+      9. **Brute Force Protection:**
+         - Implement CAPTCHA or reCAPTCHA
+         - Example:
+           ```javascript
+           // Using Google reCAPTCHA v3
+           async function verifyRecaptcha(token) {
+             const response = await fetch('https://www.google.com/recaptcha/api/siteverify', {
+               method: 'POST',
+               headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+               body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`
+             });
+
+             const data = await response.json();
+             return data.success && data.score >= 0.5; // Adjust threshold as needed
+           }
+
+           app.post('/api/login', async (req, res) => {
+             const { recaptchaToken } = req.body;
+
+             if (!(await verifyRecaptcha(recaptchaToken))) {
+               return res.status(400).json({ error: 'CAPTCHA verification failed' });
+             }
+
+             // Continue with login process
+           });
+           ```
+
+      10. **Secure Logout Implementation:**
+          - Invalidate sessions on both client and server
+          - Example:
+            ```javascript
+            app.post('/api/logout', (req, res) => {
+              // Clear server-side session
+              req.session.destroy((err) => {
+                if (err) {
+                  return res.status(500).json({ error: 'Failed to logout' });
+                }
+
+                // Clear client-side cookie
+                res.clearCookie('__Host-session', {
+                  httpOnly: true,
+                  secure: true,
+                  sameSite: 'strict',
+                  path: '/'
+                });
+
+                res.status(200).json({ message: 'Logged out successfully' });
+              });
+            });
+            ```
+
+      11. **Secure OAuth Implementation:**
+          - Use state parameter to prevent CSRF
+          - Implement PKCE for authorization code flow
+          - Validate redirect URIs against whitelist
+          - Example:
+            ```javascript
+            // Generate state and code verifier for PKCE
+            function generateOAuthState() {
+              return crypto.randomBytes(32).toString('hex');
+            }
+
+            function generateCodeVerifier() {
+              return crypto.randomBytes(43).toString('base64url');
+            }
+
+            function generateCodeChallenge(verifier) {
+              const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
+              return hash;
+            }
+
+            // Store state and code verifier in session
+            // Use code challenge in authorization request
+            // Verify state and use code verifier in token request
+            ```
+
+      12. **Input Validation:**
+          - Validate and sanitize all user inputs
+          - Example:
+            ```javascript
+            import validator from 'validator';
+
+            function validateCredentials(email, password) {
+              const errors = {};
+
+              if (!validator.isEmail(email)) {
+                errors.email = 'Invalid email format';
+              }
+
+              if (!password || password.length < 12) {
+                errors.password = 'Password must be at least 12 characters';
+              }
+
+              return {
+                isValid: Object.keys(errors).length === 0,
+                errors
+              };
+            }
+            ```
+
+      13. **Secure Headers:**
+          - Implement security headers for authentication-related pages
+          - Example:
+            ```javascript
+            // Using helmet with Express
+            import helmet from 'helmet';
+
+            app.use(helmet({
+              contentSecurityPolicy: {
+                directives: {
+                  defaultSrc: ["'self'"],
+                  scriptSrc: ["'self'", 'https://www.google.com/recaptcha/', 'https://www.gstatic.com/recaptcha/'],
+                  frameSrc: ["'self'", 'https://www.google.com/recaptcha/'],
+                  styleSrc: ["'self'", "'unsafe-inline'"],
+                  connectSrc: ["'self'"]
+                }
+              },
+              referrerPolicy: { policy: 'same-origin' }
+            }));
+            ```
+
+      14. **Credential Stuffing Protection:**
+          - Implement device fingerprinting and anomaly detection
+          - Example:
+            ```javascript
+            // Simple device fingerprinting
+            function getDeviceFingerprint(req) {
+              return {
+                ip: req.ip,
+                userAgent: req.headers['user-agent'],
+                acceptLanguage: req.headers['accept-language']
+              };
+            }
+
+            // Check if login is from a new device
+            async function isNewDevice(userId, fingerprint) {
+              // Compare with stored fingerprints for this user
+              // Alert or require additional verification for new devices
+            }
+            ```
+
+      15. **Secure Password Change:**
+          - Require current password verification
+          - Example:
+            ```javascript
+            async function changePassword(userId, currentPassword, newPassword) {
+              // Retrieve user from database
+              const user = await getUserById(userId);
+
+              // Verify current password
+              const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
+              if (!isValid) {
+                return { success: false, message: 'Current password is incorrect' };
+              }
+
+              // Validate new password strength
+              const validation = validatePassword(newPassword);
+              if (!validation.valid) {
+                return { success: false, message: validation.message };
+              }
+
+              // Hash and store new password
+              const newHash = await bcrypt.hash(newPassword, 12);
+              await updateUserPassword(userId, newHash);
+
+              // Invalidate existing sessions (optional but recommended)
+              await invalidateUserSessions(userId);
+
+              return { success: true };
+            }
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Strong Password Validation
+      - pattern: "(?:password|pwd).*(?:length\\s*>=\\s*(?:1[2-9]|[2-9][0-9]))"
+        message: "Implementing strong password length requirements (12+ characters)."
+
+      # Check 2: Secure Password Storage
+      - pattern: "(?:bcrypt|argon2|pbkdf2|scrypt)\\.[^(]*\\([^)]*?(?:rounds|iterations|cost|factor)\\s*[:<=>]\\s*(?:1[2-9]|[2-9][0-9])"
+        message: "Using secure password hashing with appropriate work factor."
+
+      # Check 3: CSRF Protection
+      - pattern: "(?:csrf|xsrf).*(?:token|middleware|protection)"
+        message: "Implementing CSRF protection for state-changing operations."
+
+      # Check 4: Secure Cookie Configuration
+      - pattern: "(?:cookie|session).*(?:httpOnly|secure|sameSite)"
+        message: "Using secure cookie configuration for sessions."
+
+      # Check 5: Rate Limiting
+      - pattern: "(?:rate|limit|throttle).*(?:login|signin|auth)"
+        message: "Implementing rate limiting for authentication endpoints."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - authentication
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:authentication
+    - standard:owasp-top10
+    - risk:a07-identification-authentication-failures
+  references:
+    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html"
+    - "https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/"
+    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md"
+    - "https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication"
+```
+
+
diff --git a/.cursor/rules/javascript-injection.mdc b/.cursor/rules/javascript-injection.mdc
index dbadd9d..d3ce1bd 100644
--- a/.cursor/rules/javascript-injection.mdc
+++ b/.cursor/rules/javascript-injection.mdc
@@ -4,169 +4,214 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Injection Security Rule
 
-> Priority: critical · Version: 1.1
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- 🔴 CRITICAL: Potential code injection vulnerability detected.
-  
-  Impact: Attackers can execute arbitrary code in your application context.
-  CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
-  
-  ❌ Insecure:
-  eval(req.body.data)
-  
-  ✅ Secure Alternative:
-  // Use safer alternatives like JSON.parse for JSON data
-  try {
-    const data = JSON.parse(req.body.data);
-    // Process data safely
-  } catch (error) {
-    // Handle parsing errors
-  }
-- 🟠 HIGH: jQuery HTML injection vulnerability detected.
-  
-  Impact: This can lead to Cross-Site Scripting (XSS) attacks.
-  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-  
-  ❌ Insecure:
-  $("<div>" + userProvidedData + "</div>")
-  
-  ✅ Secure Alternative:
-  // Create element safely, then set text content
-  const div = $("<div></div>");
-  div.text(userProvidedData);
-- 🟠 HIGH: Potential DOM-based XSS vulnerability.
-  
-  Impact: Attackers can inject malicious HTML/JavaScript into your page.
-  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-  
-  ❌ Insecure:
-  document.write("<h1>" + userGeneratedContent + "</h1>");
-  
-  ✅ Secure Alternative:
-  // Use safer DOM manipulation methods
-  const h1 = document.createElement("h1");
-  h1.textContent = userGeneratedContent;
-  document.body.appendChild(h1);
-- 🟠 HIGH: Potential DOM-based XSS through innerHTML/outerHTML.
-  
-  Impact: Setting HTML content directly can allow script injection.
-  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-  
-  ❌ Insecure:
-  element.innerHTML = userProvidedData;
-  
-  ✅ Secure Alternative:
-  // Option 1: Use textContent instead for text
-  element.textContent = userProvidedData;
-  
-  // Option 2: Sanitize if HTML is required
-  import DOMPurify from 'dompurify';
-  element.innerHTML = DOMPurify.sanitize(userProvidedData);
-- 🟠 HIGH: jQuery HTML injection risk detected.
-  
-  Impact: Setting HTML content can lead to XSS vulnerabilities.
-  CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
-  
-  ❌ Insecure:
-  $("#element").html(userProvidedData);
-  
-  ✅ Secure Alternative:
-  // Option 1: Use text() instead for text
-  $("#element").text(userProvidedData);
-  
-  // Option 2: Sanitize if HTML is required
-  import DOMPurify from 'dompurify';
-  $("#element").html(DOMPurify.sanitize(userProvidedData));
-- 🔴 CRITICAL: Dynamic require() can lead to remote code execution.
-  
-  Impact: Attackers can load arbitrary modules or access sensitive files.
-  CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
-  
-  ❌ Insecure:
-  const module = require(req.query.module);
-  
-  ✅ Secure Alternative:
-  // Use a whitelisproach
-  const allowedModules = {
-    'user': './modules/user',
-    'product': './modules/product'
-  };
-  
-  const moduleName = req.query.module;
-  if (allowedModules[moduleName]) {
-    const module = require(allowedModules[moduleName]);
-    // Use module safely
-  } else {
-    // Handle invalid module request
-  }
-- 🔴 CRITICAL: Command injection vulnerability detected.
-  
-  Impact: Attackers can execute arbitrary system commands.
-  CWE Reference: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
-  
-  ❌ Insecure:
-  exec('ls ' + userInput, (error, stdout, stderr) => {
-    // Process output
-  });
-  
-  ✅ Secure Alternative:
-  // Use child_process.execFile with separate arguments
-  import { execFile } from 'child_process';
-  
-  execFile('ls', [safeDirectory], (error, stdout, stderr) => {
-    // Process output safely
-  });
-  
-  // Or use a validation library to sanitize inputs
-  import validator from 'validator';
-  if (validator.isAlphanumeric(userInput)) {
-    exec('ls ' + userInput, (error, stdout, stderr) => {
-      // Process output
-    });
-  }
-
-## Recommendations
-
-**JavaScript Injection Prevention Best Practices:**
-
-1. **Input Validation:**
-   - Validate all user inputs both client-side and server-side
-   - Use allowlists instead of blocklists
-   - Apply strict type checking and schema validation
-
-2. **Output Encoding:**
-   - Always encode/escape output in the correct context (HTML, JavaScript, CSS, URL)
-   - Use libraries like DOMPurify for HTML sanitization
-   - Avoid building HTML, JavaScript, SQL dynamically from user inputs
-
-3. **Content Security Policy (CSP):**
-   - Implement a strict CSP to prevent execution of malicious scripts
-   - Use nonce-based or hash-based CSP to allow only specific scripts
-
-4. **Structured Data Formats:**
-   - Use structured data formats like JSON, XML with proper parsers
-   - Avoid manually parsing or constructing these formats
-
-5. **Parameterized APIs:**
-   - Use parameterized APIs for database queries, OS commands
-   - Separate code from data to prevent injection
-
-6. **DOM Manipulation:**
-   - Prefer .textContent over .innerHTML when displaying user content
-   - Use document.createElement() and node methods instead of directly setting HTML
-
-7. **Frameworks and Libraries:**
-   - Keep frameworks and libraries updated to latest secure versions
-   - Many modern frameworks offer built-in protections against common injection attacks
+```yaml
+name: javascript_injection
+description: Identifies and helps prevent injection vulnerabilities in JavaScript applications, as defined in OWASP Top 10:2021-A03.
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "eval\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
+        severity: "critical"
+        message: |
+          🔴 CRITICAL: Potential code injection vulnerability detected.
+
+          Impact: Attackers can execute arbitrary code in your application context.
+          CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
+
+          ❌ Insecure:
+          eval(req.body.data)
+
+          ✅ Secure Alternative:
+          // Use safer alternatives like JSON.parse for JSON data
+          try {
+            const data = JSON.parse(req.body.data);
+            // Process data safely
+          } catch (error) {
+            // Handle parsing errors
+          }
+        learn_more_url: "https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval_Injection"
+
+      - pattern: "\\$\\(\\s*(['\"])<[^>]+>\\1\\s*\\)"
+        severity: "high"
+        message: |
+          🟠 HIGH: jQuery HTML injection vulnerability detected.
+
+          Impact: This can lead to Cross-Site Scripting (XSS) attacks.
+          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+
+          ❌ Insecure:
+          $("<div>" + userProvidedData + "</div>")
+
+          ✅ Secure Alternative:
+          // Create element safely, then set text content
+          const div = $("<div></div>");
+          div.text(userProvidedData);
+        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/jQuery_Security_Cheat_Sheet.html"
+
+      - pattern: "document\\.write\\(|document\\.writeln\\("
+        severity: "high"
+        message: |
+          🟠 HIGH: Potential DOM-based XSS vulnerability.
+
+          Impact: Attackers can inject malicious HTML/JavaScript into your page.
+          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+
+          ❌ Insecure:
+          document.write("<h1>" + userGeneratedContent + "</h1>");
+
+          ✅ Secure Alternative:
+          // Use safer DOM manipulation methods
+          const h1 = document.createElement("h1");
+          h1.textContent = userGeneratedContent;
+          document.body.appendChild(h1);
+        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
+
+      - pattern: "innerHTML\\s*=|outerHTML\\s*="
+        pattern_negate: "sanitize|DOMPurify|escapeHTML"
+        severity: "high"
+        message: |
+          🟠 HIGH: Potential DOM-based XSS through innerHTML/outerHTML.
+
+          Impact: Setting HTML content directly can allow script injection.
+          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+
+          ❌ Insecure:
+          element.innerHTML = userProvidedData;
+
+          ✅ Secure Alternative:
+          // Option 1: Use textContent instead for text
+          element.textContent = userProvidedData;
+
+          // Option 2: Sanitize if HTML is required
+          import DOMPurify from 'dompurify';
+          element.innerHTML = DOMPurify.sanitize(userProvidedData);
+        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
+
+      - pattern: "\\$\\(.*\\)\\.html\\("
+        pattern_negate: "sanitize|DOMPurify|escapeHTML"
+        severity: "high"
+        message: |
+          🟠 HIGH: jQuery HTML injection risk detected.
+
+          Impact: Setting HTML content can lead to XSS vulnerabilities.
+          CWE Reference: CWE-79 (Improper Neutralization of Input During Web Page Generation)
+
+          ❌ Insecure:
+          $("#element").html(userProvidedData);
+
+          ✅ Secure Alternative:
+          // Option 1: Use text() instead for text
+          $("#element").text(userProvidedData);
+
+          // Option 2: Sanitize if HTML is required
+          import DOMPurify from 'dompurify';
+          $("#element").html(DOMPurify.sanitize(userProvidedData));
+        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/jQuery_Security_Cheat_Sheet.html"
+
+      - pattern: "require\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
+        severity: "critical"
+        message: |
+          🔴 CRITICAL: Dynamic require() can lead to remote code execution.
+
+          Impact: Attackers can load arbitrary modules or access sensitive files.
+          CWE Reference: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
+
+          ❌ Insecure:
+          const module = require(req.query.module);
+
+          ✅ Secure Alternative:
+          // Use a whitelisproach
+          const allowedModules = {
+            'user': './modules/user',
+            'product': './modules/product'
+          };
+
+          const moduleName = req.query.module;
+          if (allowedModules[moduleName]) {
+            const module = require(allowedModules[moduleName]);
+            // Use module safely
+          } else {
+            // Handle invalid module request
+          }
+        learn_more_url: "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection"
+
+      - pattern: "exec\\(([^)]*(req|request|query|param|user|input)[^)]*)\\)"
+        severity: "critical"
+        message: |
+          🔴 CRITICAL: Command injection vulnerability detected.
+
+          Impact: Attackers can execute arbitrary system commands.
+          CWE Reference: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
+
+          ❌ Insecure:
+          exec('ls ' + userInput, (error, stdout, stderr) => {
+            // Process output
+          });
+
+          ✅ Secure Alternative:
+          // Use child_process.execFile with separate arguments
+          import { execFile } from 'child_process';
+
+          execFile('ls', [safeDirectory], (error, stdout, stderr) => {
+            // Process output safely
+          });
+
+          // Or use a validation library to sanitize inputs
+          import validator from 'validator';
+          if (validator.isAlphanumeric(userInput)) {
+            exec('ls ' + userInput, (error, stdout, stderr) => {
+              // Process output
+            });
+          }
+        learn_more_url: "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
+
+  - type: suggest
+    message: |
+      **JavaScript Injection Prevention Best Practices:**
+
+      1. **Input Validation:**
+         - Validate all user inputs both client-side and server-side
+         - Use allowlists instead of blocklists
+         - Apply strict type checking and schema validation
+
+      2. **Output Encoding:**
+         - Always encode/escape output in the correct context (HTML, JavaScript, CSS, URL)
+         - Use libraries like DOMPurify for HTML sanitization
+         - Avoid building HTML, JavaScript, SQL dynamically from user inputs
+
+      3. **Content Security Policy (CSP):**
+         - Implement a strict CSP to prevent execution of malicious scripts
+         - Use nonce-based or hash-based CSP to allow only specific scripts
+
+      4. **Structured Data Formats:**
+         - Use structured data formats like JSON, XML with proper parsers
+         - Avoid manually parsing or constructing these formats
+
+      5. **Parameterized APIs:**
+         - Use parameterized APIs for database queries, OS commands
+         - Separate code from data to prevent injection
+
+      6. **DOM Manipulation:**
+         - Prefer .textContent over .innerHTML when displaying user content
+         - Use document.createElement() and node methods instead of directly setting HTML
+
+      7. **Frameworks and Libraries:**
+         - Keep frameworks and libraries updated to latest secure versions
+         - Many modern frameworks offer built-in protections against common injection attacks
+
+metadata:
+  priority: critical
+  version: 1.1
+  tags:
+    - language:javascript
+    - category:security
+    - standard:owasp-top10
+    - risk:a03-injection
+  references:
+    - "https://owasp.org/Top10/A03_2021-Injection/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"
+    - "https://nodegoat.herokuapp.com/tutorial/a1"
+    - "https://github.com/OWASP/NodeGoat"
+```
+
diff --git a/.cursor/rules/javascript-insecure-design.mdc b/.cursor/rules/javascript-insecure-design.mdc
index 98c2861..f44ccd6 100644
--- a/.cursor/rules/javascript-insecure-design.mdc
+++ b/.cursor/rules/javascript-insecure-design.mdc
@@ -4,398 +4,490 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Insecure Design (OWASP A04:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Potential lack of rate limiting in API endpoint. Consider implementing rate limiting to prevent abuse.
-- Potential Insecure Direct Object Reference (IDOR) vulnerability. Implement proper authorization checks before accessing objects by ID.
-- Potential lack of input validation. Implement proper validation for all user inputs.
-- Hardcoded business logic for authorization. Consider using a more flexible role-based access control system.
-- Improper error handling. Avoid only logging errors without proper handling or user feedback.
-- Insecure authentication design. Avoid direct string comparison for passwords or tokens.
-- Lack of proper logging in API endpoint. Implement logging for security-relevant events.
-- Insecure default configuration. Avoid setting secure:false, httpOnly:false, or sameSite:'none' for cookies or sessions.
-- Potential lack of access control in route definition. Implement proper authentication and authorization middleware.
-- Insecure file operations. Use path.normalize() and validate file paths to prevent directory traversal attacks.
-- Insecure secrets management. Consider using a dedicated secrets management solution instead of environment variables or configuration files.
-- Insecure randomness. Use crypto.randomBytes() or a similar cryptographically secure random number generator for security-sensitive operations.
-- Potential template injection vulnerability. Sanitize user input before using in templates.
-- Potentially insecure WebSocket implementation. Implement proper authentication and authorization for WebSocket connections.
-- Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments.
-
-## Recommendations
-
-**JavaScript Secure Design Best Practices:**
-
-1. **Defense in Depth Strategy:**
-   - Implement multiple layers of security controls
-   - Don't rely on a single security mechanism
-   - Example:
-     ```javascript
-     // Multiple layers of protection
-     app.use(helmet()); // HTTP security headers
-     app.use(rateLimit()); // Rate limiting
-     app.use(cors({ origin: allowedOrigins })); // Restricted CORS
-     app.use(express.json({ limit: '10kb' })); // Request size limiting
-     app.use(sanitize()); // Input sanitization
-     ```
-
-2. **Proper Access Control:**
-   - Implement role-based access control (RBAC)
-   - Use middleware for authorization checks
-   - Example:
-     ```javascript
-     // Role-based middleware
-     const requireRole = (role) => {
-       return (req, res, next) => {
-         if (!req.user) {
-           return res.status(401).json({ error: 'Unauthorized' });
-         }
-         
-         if (req.user.role !== role) {
-           return res.status(403).json({ error: 'Forbidden' });
-         }
-         
-         next();
-       };
-     };
-     
-     // Apply to routes
-     router.get('/admin/users', 
-       authenticate, 
-       requireRole('admin'), 
-       adminController.listUsers
-     );
-     ```
-
-3. **Rate Limiting:**
-   - Implement rate limiting for all API endpoints
-   - Use different limits for different endpoints based on sensitivity
-   - Example:
-     ```javascript
-     const rateLimit = require('express-rate-limit');
-     
-     // General API rate limit
-     const apiLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000, // 15 minutes
-       max: 100, // limit each IP to 100 requests per windowMs
-       standardHeaders: true,
-       legacyHeaders: false,
-     });
-     
-     // More strict limit for authentication endpoints
-     const authLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000,
-       max: 5, // limit each IP to 5 login attempts per windowMs
-       standardHeaders: true,
-       legacyHeaders: false,
-     });
-     
-     // Apply rate limiters
-     app.use('/api/', apiLimiter);
-     app.use('/api/auth/', authLimiter);
-     ```
-
-4. **Input Validation:**
-   - Validate all user inputs using schema validation
-   - Implement both client and server-side validation
-   - Example:
-     ```javascript
-     const Joi = require('joi');
-     
-     // Define validation schema
-     const userSchema = Joi.object({
-       username: Joi.string().alphanum().min(3).max(30).required(),
-       email: Joi.string().email().required(),
-       password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{8,30}$')).required(),
-       role: Joi.string().valid('user', 'admin').default('user')
-     });
-     
-     // Validation middleware
-     const validateUser = (req, res, next) => {
-       const { error } = userSchema.validate(req.body);
-       if (error) {
-         return res.status(400).json({ error: error.details[0].message });
-       }
-       next();
-     };
-     
-     // Apply validation
-     router.post('/users', validateUser, userController.create);
-     ```
-
-5. **Proper Error Handling:**
-   - Implement centralized error handling
-   - Avoid exposing sensitive information in error messages
-   - Example:
-     ```javascript
-     // Centralized error handler
-     app.use((err, req, res, next) => {
-       // Log error for internal use
-       console.error(err.stack);
-       
-       // Send appropriate response to client
-       const statusCode = err.statusCode || 500;
-       res.status(statusCode).json({
-         status: 'error',
-         message: statusCode === 500 ? 'Internal server error' : err.message
-       });
-     });
-     
-     // Custom error class
-     class AppError extends Error {
-       constructor(message, statusCode) {
-         super(message);
-         this.statusCode = statusCode;
-         this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
-         this.isOperational = true;
-         
-         Error.captureStackTrace(this, this.constructor);
-       }
-     }
-     
-     // Usage in controllers
-     if (!user) {
-       return next(new AppError('User not found', 404));
-     }
-     ```
-
-6. **Secure Authentication Design:**
-   - Use secure password hashing (bcrypt, Argon2)
-   - Implement proper session management
-   - Use secure token validation
-   - Example:
-     ```javascript
-     const bcrypt = require('bcrypt');
-     const jwt = require('jsonwebtoken');
-     
-     // Password hashing
-     const hashPassword = async (password) => {
-       const salt = await bcrypt.genSalt(12);
-       return bcrypt.hash(password, salt);
-     };
-     
-     // Password verification
-     const verifyPassword = async (password, hashedPassword) => {
-       return await bcrypt.compare(password, hashedPassword);
-     };
-     
-     // Token generation
-     const generateToken = (userId) => {
-       return jwt.sign(
-         { id: userId },
-         process.env.JWT_SECRET,
-         { expiresIn: '1h' }
-       );
-     };
-     
-     // Token verification middleware
-     const verifyToken = (req, res, next) => {
-       const token = req.headers.authorization?.split(' ')[1];
-       
-       if (!token) {
-         return res.status(401).json({ error: 'No token provided' });
-       }
-       
-       try {
-         const decoded = jwt.verify(token, process.env.JWT_SECRET);
-         req.userId = decoded.id;
-         next();
-       } catch (error) {
-         return res.status(401).json({ error: 'Invalid token' });
-       }
-     };
-     ```
-
-7. **Comprehensive Logging:**
-   - Log security-relevant events
-   - Include necessary context but avoid sensitive data
-   - Use structured logging
-   - Example:
-     ```javascript
-     const winston = require('winston');
-     
-     // Create logger
-     const logger = winston.createLogger({
-       level: 'info',
-       format: winston.format.json(),
-       defaultMeta: { service: 'user-service' },
-       transports: [
-         new winston.transports.File({ filename: 'error.log', level: 'error' }),
-         new winston.transports.File({ filename: 'combined.log' })
-       ]
-     });
-     
-     // Logging middleware
-     app.use((req, res, next) => {
-       const start = Date.now();
-       
-       res.on('finish', () => {
-         const duration = Date.now() - start;
-         logger.info({
-           method: req.method,
-           path: req.path,
-           statusCode: res.statusCode,
-           duration,
-           ip: req.ip,
-           userId: req.user?.id || 'anonymous'
-         });
-       });
-       
-       next();
-     });
-     
-     // Security event logging
-     logger.warn({
-       event: 'failed_login',
-       username: req.body.username,
-       ip: req.ip,
-       timestamp: new Date().toISOString()
-     });
-     ```
-
-8. **Secure Configuration Management:**
-   - Use environment-specific configurations
-   - Validate configuration at startup
-   - Example:
-     ```javascript
-     const Joi = require('joi');
-     
-     // Define environment variables schema
-     const envSchema = Joi.object({
-       NODE_ENV: Joi.string().valid('development', 'production', 'test').required(),
-       PORT: Joi.number().default(3000),
-       DATABASE_URL: Joi.string().required(),
-       JWT_SECRET: Joi.string().min(32).required(),
-       JWT_EXPIRES_IN: Joi.string().default('1h'),
-       CORS_ORIGIN: Joi.string().required()
-     }).unknown();
-     
-     // Validate environment variables
-     const { error, value } = envSchema.validate(process.env);
-     
-     if (error) {
-       throw new Error(`Configuration validation error: ${error.message}`);
-     }
-     
-     // Use validated config
-     const config = {
-       env: value.NODE_ENV,
-       port: value.PORT,
-       db: {
-         url: value.DATABASE_URL
-       },
-       jwt: {
-         secret: value.JWT_SECRET,
-         expiresIn: value.JWT_EXPIRES_IN
-       },
-       cors: {
-         origin: value.CORS_ORIGIN.split(',')
-       }
-     };
-     
-     module.exports = config;
-     ```
-
-9. **Secure File Operations:**
-   - Validate and sanitize file paths
-   - Use content-type validation for uploads
-   - Implement file size limits
-   - Example:
-     ```javascript
-     const path = require('path');
-     const fs = require('fs');
-     
-     // Secure file access function
-     const getSecureFilePath = (userInput) => {
-       // Define allowed directory
-       const baseDir = path.resolve(__dirname, '../public/files');
-       
-       // Normalize and resolve full path
-       const normalizedPath = path.normalize(userInput);
-       const fullPath = path.join(baseDir, normalizedPath);
-       
-       // Ensure path is within allowed directory
-       if (!fullPath.startsWith(baseDir)) {
-         throw new Error('Invalid file path');
-       }
-       
-       return fullPath;
-     };
-     
-     // Usage
-     try {
-       const filePath = getSecureFilePath(req.params.filename);
-       const fileContent = fs.readFileSync(filePath, 'utf8');
-       res.send(fileContent);
-     } catch (error) {
-       next(error);
-     }
-     ```
-
-10. **Secure WebSocket Implementation:**
-    - Implement authentication for WebSocket connections
-    - Validate and sanitize WebSocket messages
-    - Example:
-      ```javascript
-      const http = require('http');
-      const socketIo = require('socket.io');
-      const jwt = require('jsonwebtoken');
-      
-      const server = http.createServer(app);
-      const io = socketIo(server);
-      
-      // WebSocket authentication middleware
-      io.use((socket, next) => {
-        const token = socket.handshake.auth.token;
-        
-        if (!token) {
-          return next(new Error('Authentication error'));
-        }
-        
-        try {
-          const decoded = jwt.verify(token, process.env.JWT_SECRET);
-          socket.userId = decoded.id;
-          next();
-        } catch (error) {
-          return next(new Error('Authentication error'));
-        }
-      });
-      
-      io.on('connection', (socket) => {
-        console.log(`User ${socket.userId} connected`);
-        
-        // Join user to their own room for private messages
-        socket.join(`user:${socket.userId}`);
-        
-        // Message validation
-        socket.on('message', (data) => {
-          // Validate message data
-          if (!data || !data.content || typeof data.content !== 'string') {
-            return socket.emit('error', { message: 'Invalid message format' });
-          }
-          
-          // Process message
-          // ...
-        });
-      });
-      ```
-
-## Validation
-
-- Implementing rate limiting for API protection.
-- Using input validation or schema validation.
-- Implementing proper error handling.
-- Using authentication middleware for routes.
-- Using secure HTTP headers and CORS configuration.
+```yaml
+name: javascript_insecure_design
+description: Detect and prevent insecure design patterns in JavaScript applications as defined in OWASP Top 10:2021-A04
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Lack of Rate Limiting
+      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:rateLimiter|limiter|throttle|rateLimit))"
+        location: "(?:routes|api|controllers)"
+        message: "Potential lack of rate limiting in API endpoint. Consider implementing rate limiting to prevent abuse."
+
+      # Pattern 2: Insecure Direct Object Reference (IDOR)
+      - pattern: "(?:findById|getById|findOne)\\([^)]*?(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)[^)]*?\\)\\s*(?!.*(?:authorization|permission|access|canAccess|isAuthorized|checkPermission))"
+        location: "(?:routes|api|controllers)"
+        message: "Potential Insecure Direct Object Reference (IDOR) vulnerability. Implement proper authorization checks before accessing objects by ID."
+
+      # Pattern 3: Lack of Input Validation
+      - pattern: "(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)[a-zA-Z0-9_]+\\s*(?!.*(?:validate|sanitize|check|schema|joi|yup|zod|validator|isValid))"
+        location: "(?:routes|api|controllers)"
+        message: "Potential lack of input validation. Implement proper validation for all user inputs."
+
+      # Pattern 4: Hardcoded Business Logic
+      - pattern: "if\\s*\\([^)]*?(?:role\\s*===\\s*['\"]admin['\"]|isAdmin\\s*===\\s*true|user\\.role\\s*===\\s*['\"]admin['\"])\\s*\\)"
+        message: "Hardcoded business logic for authorization. Consider using a more flexible role-based access control system."
+
+      # Pattern 5: Lack of Proper Error Handling
+      - pattern: "catch\\s*\\([^)]*?\\)\\s*\\{[^}]*?(?:console\\.(?:log|error))[^}]*?\\}"
+        negative_pattern: "(?:res\\.status|next\\(err|next\\(error|errorHandler)"
+        message: "Improper error handling. Avoid only logging errors without proper handling or user feedback."
+
+      # Pattern 6: Insecure Authentication Design
+      - pattern: "(?:password|token|secret|key)\\s*===\\s*(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.)"
+        message: "Insecure authentication design. Avoid direct string comparison for passwords or tokens."
+
+      # Pattern 7: Lack of Proper Logging
+      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:log|logger|winston|bunyan|morgan|audit))"
+        location: "(?:routes|api|controllers)"
+        message: "Lack of proper logging in API endpoint. Implement logging for security-relevant events."
+
+      # Pattern 8: Insecure Defaults
+      - pattern: "new\\s+(?:Session|Cookie|JWT)\\([^)]*?\\{[^}]*?(?:secure\\s*:\\s*false|httpOnly\\s*:\\s*false|sameSite\\s*:\\s*['\"]none['\"])"
+        message: "Insecure default configuration. Avoid setting secure:false, httpOnly:false, or sameSite:'none' for cookies or sessions."
+
+      # Pattern 9: Lack of Proper Access Control
+      - pattern: "router\\.(?:get|post|put|delete|patch)\\([^)]*?\\)\\s*(?!.*(?:authenticate|authorize|requireAuth|isAuthenticated|checkAuth|verifyToken|passport\\.authenticate))"
+        location: "(?:routes|api|controllers)"
+        message: "Potential lack of access control in route definition. Implement proper authentication and authorization middleware."
+
+      # Pattern 10: Insecure File Operations
+      - pattern: "(?:fs\\.(?:readFile|writeFile|appendFile|readdir|stat|access|open|unlink)|require)\\([^)]*?(?:(?:\\+|\\$\\{|\\`)[^)]*?(?:__dirname|__filename|process\\.cwd\\(\\)|path\\.(?:resolve|join)))"
+        negative_pattern: "path\\.normalize|path\\.resolve|path\\.join"
+        message: "Insecure file operations. Use path.normalize() and validate file paths to prevent directory traversal attacks."
+
+      # Pattern 11: Lack of Proper Secrets Management
+      - pattern: "(?:apiKey|secret|password|token|credentials)\\s*=\\s*(?:process\\.env\\.[A-Z_]+|config\\.[a-zA-Z0-9_]+|['\"][^'\"]+['\"])"
+        negative_pattern: "(?:vault|secretsManager|keyVault|secretClient)"
+        message: "Insecure secrets management. Consider using a dedicated secrets management solution instead of environment variables or configuration files."
+
+      # Pattern 12: Insecure Randomness
+      - pattern: "Math\\.random\\(\\)"
+        location: "(?:auth|security|token|password|key|iv|nonce|salt)"
+        message: "Insecure randomness. Use crypto.randomBytes() or a similar cryptographically secure random number generator for security-sensitive operations."
+
+      # Pattern 13: Lack of Proper Input Sanitization for Templates
+      - pattern: "(?:template|render|compile|ejs\\.render|handlebars\\.compile|pug\\.render)\\([^)]*?(?:(?:\\+|\\$\\{|\\`)[^)]*?(?:req\\.|request\\.|params\\.|query\\.|body\\.|user\\.|input\\.|form\\.))"
+        message: "Potential template injection vulnerability. Sanitize user input before using in templates."
+
+      # Pattern 14: Insecure WebSocket Implementation
+      - pattern: "new\\s+WebSocket\\([^)]*?\\)|io\\.on\\(['\"]connection['\"]"
+        negative_pattern: "(?:authenticate|authorize|verifyClient|beforeConnect)"
+        message: "Potentially insecure WebSocket implementation. Implement proper authentication and authorization for WebSocket connections."
+
+      # Pattern 15: Insecure Cross-Origin Resource Sharing (CORS)
+      - pattern: "(?:cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"]|app\\.use\\(cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"])"
+        message: "Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments."
+
+  - type: suggest
+    message: |
+      **JavaScript Secure Design Best Practices:**
+
+      1. **Defense in Depth Strategy:**
+         - Implement multiple layers of security controls
+         - Don't rely on a single security mechanism
+         - Example:
+           ```javascript
+           // Multiple layers of protection
+           app.use(helmet()); // HTTP security headers
+           app.use(rateLimit()); // Rate limiting
+           app.use(cors({ origin: allowedOrigins })); // Restricted CORS
+           app.use(express.json({ limit: '10kb' })); // Request size limiting
+           app.use(sanitize()); // Input sanitization
+           ```
+
+      2. **Proper Access Control:**
+         - Implement role-based access control (RBAC)
+         - Use middleware for authorization checks
+         - Example:
+           ```javascript
+           // Role-based middleware
+           const requireRole = (role) => {
+             return (req, res, next) => {
+               if (!req.user) {
+                 return res.status(401).json({ error: 'Unauthorized' });
+               }
+
+               if (req.user.role !== role) {
+                 return res.status(403).json({ error: 'Forbidden' });
+               }
+
+               next();
+             };
+           };
+
+           // Apply to routes
+           router.get('/admin/users',
+             authenticate,
+             requireRole('admin'),
+             adminController.listUsers
+           );
+           ```
+
+      3. **Rate Limiting:**
+         - Implement rate limiting for all API endpoints
+         - Use different limits for different endpoints based on sensitivity
+         - Example:
+           ```javascript
+           const rateLimit = require('express-rate-limit');
+
+           // General API rate limit
+           const apiLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000, // 15 minutes
+             max: 100, // limit each IP to 100 requests per windowMs
+             standardHeaders: true,
+             legacyHeaders: false,
+           });
+
+           // More strict limit for authentication endpoints
+           const authLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000,
+             max: 5, // limit each IP to 5 login attempts per windowMs
+             standardHeaders: true,
+             legacyHeaders: false,
+           });
+
+           // Apply rate limiters
+           app.use('/api/', apiLimiter);
+           app.use('/api/auth/', authLimiter);
+           ```
+
+      4. **Input Validation:**
+         - Validate all user inputs using schema validation
+         - Implement both client and server-side validation
+         - Example:
+           ```javascript
+           const Joi = require('joi');
+
+           // Define validation schema
+           const userSchema = Joi.object({
+             username: Joi.string().alphanum().min(3).max(30).required(),
+             email: Joi.string().email().required(),
+             password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{8,30}$')).required(),
+             role: Joi.string().valid('user', 'admin').default('user')
+           });
+
+           // Validation middleware
+           const validateUser = (req, res, next) => {
+             const { error } = userSchema.validate(req.body);
+             if (error) {
+               return res.status(400).json({ error: error.details[0].message });
+             }
+             next();
+           };
+
+           // Apply validation
+           router.post('/users', validateUser, userController.create);
+           ```
+
+      5. **Proper Error Handling:**
+         - Implement centralized error handling
+         - Avoid exposing sensitive information in error messages
+         - Example:
+           ```javascript
+           // Centralized error handler
+           app.use((err, req, res, next) => {
+             // Log error for internal use
+             console.error(err.stack);
+
+             // Send appropriate response to client
+             const statusCode = err.statusCode || 500;
+             res.status(statusCode).json({
+               status: 'error',
+               message: statusCode === 500 ? 'Internal server error' : err.message
+             });
+           });
+
+           // Custom error class
+           class AppError extends Error {
+             constructor(message, statusCode) {
+               super(message);
+               this.statusCode = statusCode;
+               this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
+               this.isOperational = true;
+
+               Error.captureStackTrace(this, this.constructor);
+             }
+           }
+
+           // Usage in controllers
+           if (!user) {
+             return next(new AppError('User not found', 404));
+           }
+           ```
+
+      6. **Secure Authentication Design:**
+         - Use secure password hashing (bcrypt, Argon2)
+         - Implement proper session management
+         - Use secure token validation
+         - Example:
+           ```javascript
+           const bcrypt = require('bcrypt');
+           const jwt = require('jsonwebtoken');
+
+           // Password hashing
+           const hashPassword = async (password) => {
+             const salt = await bcrypt.genSalt(12);
+             return bcrypt.hash(password, salt);
+           };
+
+           // Password verification
+           const verifyPassword = async (password, hashedPassword) => {
+             return await bcrypt.compare(password, hashedPassword);
+           };
+
+           // Token generation
+           const generateToken = (userId) => {
+             return jwt.sign(
+               { id: userId },
+               process.env.JWT_SECRET,
+               { expiresIn: '1h' }
+             );
+           };
+
+           // Token verification middleware
+           const verifyToken = (req, res, next) => {
+             const token = req.headers.authorization?.split(' ')[1];
+
+             if (!token) {
+               return res.status(401).json({ error: 'No token provided' });
+             }
+
+             try {
+               const decoded = jwt.verify(token, process.env.JWT_SECRET);
+               req.userId = decoded.id;
+               next();
+             } catch (error) {
+               return res.status(401).json({ error: 'Invalid token' });
+             }
+           };
+           ```
+
+      7. **Comprehensive Logging:**
+         - Log security-relevant events
+         - Include necessary context but avoid sensitive data
+         - Use structured logging
+         - Example:
+           ```javascript
+           const winston = require('winston');
+
+           // Create logger
+           const logger = winston.createLogger({
+             level: 'info',
+             format: winston.format.json(),
+             defaultMeta: { service: 'user-service' },
+             transports: [
+               new winston.transports.File({ filename: 'error.log', level: 'error' }),
+               new winston.transports.File({ filename: 'combined.log' })
+             ]
+           });
+
+           // Logging middleware
+           app.use((req, res, next) => {
+             const start = Date.now();
+
+             res.on('finish', () => {
+               const duration = Date.now() - start;
+               logger.info({
+                 method: req.method,
+                 path: req.path,
+                 statusCode: res.statusCode,
+                 duration,
+                 ip: req.ip,
+                 userId: req.user?.id || 'anonymous'
+               });
+             });
+
+             next();
+           });
+
+           // Security event logging
+           logger.warn({
+             event: 'failed_login',
+             username: req.body.username,
+             ip: req.ip,
+             timestamp: new Date().toISOString()
+           });
+           ```
+
+      8. **Secure Configuration Management:**
+         - Use environment-specific configurations
+         - Validate configuration at startup
+         - Example:
+           ```javascript
+           const Joi = require('joi');
+
+           // Define environment variables schema
+           const envSchema = Joi.object({
+             NODE_ENV: Joi.string().valid('development', 'production', 'test').required(),
+             PORT: Joi.number().default(3000),
+             DATABASE_URL: Joi.string().required(),
+             JWT_SECRET: Joi.string().min(32).required(),
+             JWT_EXPIRES_IN: Joi.string().default('1h'),
+             CORS_ORIGIN: Joi.string().required()
+           }).unknown();
+
+           // Validate environment variables
+           const { error, value } = envSchema.validate(process.env);
+
+           if (error) {
+             throw new Error(`Configuration validation error: ${error.message}`);
+           }
+
+           // Use validated config
+           const config = {
+             env: value.NODE_ENV,
+             port: value.PORT,
+             db: {
+               url: value.DATABASE_URL
+             },
+             jwt: {
+               secret: value.JWT_SECRET,
+               expiresIn: value.JWT_EXPIRES_IN
+             },
+             cors: {
+               origin: value.CORS_ORIGIN.split(',')
+             }
+           };
+
+           module.exports = config;
+           ```
+
+      9. **Secure File Operations:**
+         - Validate and sanitize file paths
+         - Use content-type validation for uploads
+         - Implement file size limits
+         - Example:
+           ```javascript
+           const path = require('path');
+           const fs = require('fs');
+
+           // Secure file access function
+           const getSecureFilePath = (userInput) => {
+             // Define allowed directory
+             const baseDir = path.resolve(__dirname, '../public/files');
+
+             // Normalize and resolve full path
+             const normalizedPath = path.normalize(userInput);
+             const fullPath = path.join(baseDir, normalizedPath);
+
+             // Ensure path is within allowed directory
+             if (!fullPath.startsWith(baseDir)) {
+               throw new Error('Invalid file path');
+             }
+
+             return fullPath;
+           };
+
+           // Usage
+           try {
+             const filePath = getSecureFilePath(req.params.filename);
+             const fileContent = fs.readFileSync(filePath, 'utf8');
+             res.send(fileContent);
+           } catch (error) {
+             next(error);
+           }
+           ```
+
+      10. **Secure WebSocket Implementation:**
+          - Implement authentication for WebSocket connections
+          - Validate and sanitize WebSocket messages
+          - Example:
+            ```javascript
+            const http = require('http');
+            const socketIo = require('socket.io');
+            const jwt = require('jsonwebtoken');
+
+            const server = http.createServer(app);
+            const io = socketIo(server);
+
+            // WebSocket authentication middleware
+            io.use((socket, next) => {
+              const token = socket.handshake.auth.token;
+
+              if (!token) {
+                return next(new Error('Authentication error'));
+              }
+
+              try {
+                const decoded = jwt.verify(token, process.env.JWT_SECRET);
+                socket.userId = decoded.id;
+                next();
+              } catch (error) {
+                return next(new Error('Authentication error'));
+              }
+            });
+
+            io.on('connection', (socket) => {
+              console.log(`User ${socket.userId} connected`);
+
+              // Join user to their own room for private messages
+              socket.join(`user:${socket.userId}`);
+
+              // Message validation
+              socket.on('message', (data) => {
+                // Validate message data
+                if (!data || !data.content || typeof data.content !== 'string') {
+                  return socket.emit('error', { message: 'Invalid message format' });
+                }
+
+                // Process message
+                // ...
+              });
+            });
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Rate limiting implementation
+      - pattern: "(?:rateLimit|rateLimiter|limiter|throttle)\\([^)]*?\\)"
+        message: "Implementing rate limiting for API protection."
+
+      # Check 2: Input validation
+      - pattern: "(?:validate|sanitize|check|schema|joi|yup|zod|validator|isValid)"
+        message: "Using input validation or schema validation."
+
+      # Check 3: Proper error handling
+      - pattern: "(?:try\\s*\\{[^}]*?\\}\\s*catch\\s*\\([^)]*?\\)\\s*\\{[^}]*?(?:res\\.status|next\\(err|next\\(error|errorHandler))"
+        message: "Implementing proper error handling."
+
+      # Check 4: Authentication middleware
+      - pattern: "(?:authenticate|authorize|requireAuth|isAuthenticated|checkAuth|verifyToken|passport\\.authenticate)"
+        message: "Using authentication middleware for routes."
+
+      # Check 5: Secure configuration
+      - pattern: "(?:helmet|cors\\(\\{[^}]*?origin\\s*:\\s*(?!['\"]*\\*)['\"])"
+        message: "Using secure HTTP headers and CORS configuration."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - design
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:insecure-design
+    - standard:owasp-top10
+    - risk:a04-insecure-design
+  references:
+    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html"
+    - "https://github.com/OWASP/NodeGoat"
+```
+
+
diff --git a/.cursor/rules/javascript-performance.mdc b/.cursor/rules/javascript-performance.mdc
index f21538a..b208f23 100644
--- a/.cursor/rules/javascript-performance.mdc
+++ b/.cursor/rules/javascript-performance.mdc
@@ -4,21 +4,31 @@ globs: *.js, *.ts
 ---
 # JavaScript Performance Optimization
 
-> Priority: high · Version: 1.0
+```yaml
+name: javascript_performance_optimization
+description: Enforce best practices for optimizing JavaScript performance.
 
-## Applies To
-- `*.js`
-- `*.ts`
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "\\buseState\\(([^)]*)\\)"
+        message: "Avoid unnecessary state updates."
 
-## Required Checks
+      - pattern: "React\\.memo\\("
+        message: "Consider using React.memo() to optimize component re-renders."
 
-- Avoid unnecessary state updates.
-- Consider using React.memo() to optimize component re-renders.
-- Avoid using anonymous functions in render methods.
+      - pattern: "\\b\\(\\)\\s*=>\\s*{"
+        message: "Avoid using anonymous functions in render methods."
 
-## Recommendations
+  - type: suggest
+    message: |
+      Performance tips:
+      - Use memoization for expensive calculations.
+      - Optimize FlatList with performance props.
+      - Minimize unnecessary re-renders.
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-Performance tips:
-- Use memoization for expensive calculations.
-- Optimize FlatList with performance props.
-- Minimize unnecessary re-renders.
diff --git a/.cursor/rules/javascript-security-logging-monitoring-failures.mdc b/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
index 5367f1d..cca7123 100644
--- a/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
+++ b/.cursor/rules/javascript-security-logging-monitoring-failures.mdc
@@ -4,701 +4,800 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Security Logging and Monitoring Failures (OWASP A09:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Error caught without proper logging. Implement structured error logging for security events.
-- Potential sensitive data in logs. Ensure sensitive information is redacted before logging.
-- Authentication function without logging. Log authentication attempts, successes, and failures.
-- Authorization check without logging. Log access control decisions, especially denials.
-- Error logging with insufficient detail. Include error type, message, stack trace, and context.
-- Security event detection without logging. Implement logging for all security-relevant events.
-- Inconsistent log format. Use structured logging with consistent formats for easier analysis.
-- API request without correlation ID. Include correlation IDs in logs for request tracing.
-- High-value transaction without audit logging. Implement comprehensive logging for all transactions.
-- Client-side error handler without reporting. Implement error reporting to backend services.
-- Using console.log without proper log levels. Implement a logging library with appropriate log levels.
-- No logging or monitoring dependencies detected. Consider adding a proper logging library and monitoring integration.
-- No log aggregation service configured. Implement centralized log collection and analysis.
-- Server without health check endpoint. Implement health checks for monitoring service status.
-- Rate limiting without logging. Log rate limit events to detect potential attacks.
-
-## Recommendations
-
-**JavaScript Security Logging and Monitoring Best Practices:**
-
-1. **Structured Error Logging:**
-   - Use structured logging formats (JSON)
-   - Include contextual information with errors
-   - Example:
-     ```javascript
-     try {
-       // Operation that might fail
-       processUserData(userData);
-     } catch (error) {
-       logger.error({
-         message: 'Failed to process user data',
-         error: {
-           name: error.name,
-           message: error.message,
-           stack: error.stack
-         },
-         userId: userData.id,
-         context: 'user-processing',
-         timestamp: new Date().toISOString()
-       });
-       // Handle the error appropriately
-     }
-     ```
-
-2. **Sensitive Data Redaction:**
-   - Redact sensitive information before logging
-   - Use dedicated functions for sanitization
-   - Example:
-     ```javascript
-     function redactSensitiveData(obj) {
-       const sensitiveFields = ['password', 'token', 'secret', 'creditCard', 'ssn'];
-       const redacted = { ...obj };
-       
-       for (const field of sensitiveFields) {
-         if (field in redacted) {
-           redacted[field] = '***REDACTED***';
-         }
-       }
-       
-       return redacted;
-     }
-     
-     // Usage
-     logger.info({
-       message: 'User login attempt',
-       user: redactSensitiveData(userData),
-       timestamp: new Date().toISOString()
-     });
-     ```
-
-3. **Authentication Logging:**
-   - Log all authentication events
-   - Include success/failure status
-   - Example:
-     ```javascript
-     async function authenticateUser(username, password) {
-       try {
-         const user = await User.findOne({ username });
-         
-         if (!user) {
-           logger.warn({
-             message: 'Authentication failed: user not found',
-             username,
-             ipAddress: req.ip,
-             userAgent: req.headers['user-agent'],
+```yaml
+name: javascript_security_logging_monitoring_failures
+description: Detect and prevent security logging and monitoring failures in JavaScript applications as defined in OWASP Top 10:2021-A09
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing Error Logging
+      - pattern: "(?:try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{[^}]*})(?![^;{]*(?:console\\.(?:error|warn|log)|logger?\\.(?:error|warn|log)|captureException))"
+        message: "Error caught without proper logging. Implement structured error logging for security events."
+
+      # Pattern 2: Sensitive Data in Logs
+      - pattern: "console\\.(?:log|warn|error|info|debug)\\s*\\([^)]*(?:password|token|secret|key|credential|auth|jwt|session|cookie)"
+        negative_pattern: "\\*\\*\\*|redact|mask|sanitize"
+        message: "Potential sensitive data in logs. Ensure sensitive information is redacted before logging."
+
+      # Pattern 3: Missing Authentication Logging
+      - pattern: "(?:login|signin|authenticate|auth)\\s*\\([^)]*\\)\\s*{[^}]*}"
+        negative_pattern: "(?:log|audit|record|track)\\s*\\("
+        message: "Authentication function without logging. Log authentication attempts, successes, and failures."
+
+      # Pattern 4: Missing Authorization Logging
+      - pattern: "(?:authorize|checkPermission|hasAccess|isAuthorized|can)\\s*\\([^)]*\\)\\s*{[^}]*}"
+        negative_pattern: "(?:log|audit|record|track)\\s*\\("
+        message: "Authorization check without logging. Log access control decisions, especially denials."
+
+      # Pattern 5: Insufficient Error Detail
+      - pattern: "(?:console\\.error|logger?\\.error)\\s*\\([^)]*(?:error|err|exception)\\s*\\)"
+        negative_pattern: "(?:error\\.(?:message|stack|code|name)|JSON\\.stringify\\(error\\)|serialize)"
+        message: "Error logging with insufficient detail. Include error type, message, stack trace, and context."
+
+      # Pattern 6: Missing Security Event Logging
+      - pattern: "(?:bruteForce|rateLimit|block|blacklist|suspicious|anomaly|threat|attack|intrusion|malicious)"
+        negative_pattern: "(?:log|audit|record|track|monitor|alert|notify)"
+        message: "Security event detection without logging. Implement logging for all security-relevant events."
+
+      # Pattern 7: Inconsistent Log Formats
+      - pattern: "console\\.(?:log|warn|error|info|debug)\\s*\\("
+        negative_pattern: "JSON\\.stringify|structured|format"
+        message: "Inconsistent log format. Use structured logging with consistent formats for easier analysis."
+
+      # Pattern 8: Missing Log Correlation ID
+      - pattern: "(?:api|http|fetch|axios|request)\\s*\\([^)]*\\)"
+        negative_pattern: "(?:correlationId|requestId|traceId|spanId|context)"
+        message: "API request without correlation ID. Include correlation IDs in logs for request tracing."
+
+      # Pattern 9: Missing High-Value Transaction Logging
+      - pattern: "(?:payment|transaction|order|purchase|transfer|withdraw|deposit)\\s*\\([^)]*\\)"
+        negative_pattern: "(?:log|audit|record|track)"
+        message: "High-value transaction without audit logging. Implement comprehensive logging for all transactions."
+
+      # Pattern 10: Client-Side Logging Issues
+      - pattern: "(?:window\\.onerror|window\\.addEventListener\\s*\\(\\s*['\"]error['\"])"
+        negative_pattern: "(?:send|report|log|capture|track)"
+        message: "Client-side error handler without reporting. Implement error reporting to backend services."
+
+      # Pattern 11: Missing Log Levels
+      - pattern: "console\\.log\\s*\\("
+        negative_pattern: "logger?\\.(?:error|warn|info|debug|trace)"
+        message: "Using console.log without proper log levels. Implement a logging library with appropriate log levels."
+
+      # Pattern 12: Missing Monitoring Integration
+      - pattern: "package\\.json"
+        negative_pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch|winston|bunyan|pino|loglevel)"
+        file_pattern: "package\\.json$"
+        message: "No logging or monitoring dependencies detected. Consider adding a proper logging library and monitoring integration."
+
+      # Pattern 13: Missing Log Aggregation
+      - pattern: "(?:docker-compose\\.ya?ml|\\.env|\\.env\\.example|Dockerfile)"
+        negative_pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch|logstash|fluentd|kibana)"
+        file_pattern: "(?:docker-compose\\.ya?ml|\\.env|\\.env\\.example|Dockerfile)$"
+        message: "No log aggregation service configured. Implement centralized log collection and analysis."
+
+      # Pattern 14: Missing Health Checks
+      - pattern: "(?:express|koa|fastify|hapi|http\\.createServer)"
+        negative_pattern: "(?:health|status|heartbeat|alive|ready)"
+        message: "Server without health check endpoint. Implement health checks for monitoring service status."
+
+      # Pattern 15: Missing Rate Limiting Logs
+      - pattern: "(?:rateLimit|throttle|limiter)"
+        negative_pattern: "(?:log|record|track|monitor|alert|notify)"
+        message: "Rate limiting without logging. Log rate limit events to detect potential attacks."
+
+  - type: suggest
+    message: |
+      **JavaScript Security Logging and Monitoring Best Practices:**
+
+      1. **Structured Error Logging:**
+         - Use structured logging formats (JSON)
+         - Include contextual information with errors
+         - Example:
+           ```javascript
+           try {
+             // Operation that might fail
+             processUserData(userData);
+           } catch (error) {
+             logger.error({
+               message: 'Failed to process user data',
+               error: {
+                 name: error.name,
+                 message: error.message,
+                 stack: error.stack
+               },
+               userId: userData.id,
+               context: 'user-processing',
+               timestamp: new Date().toISOString()
+             });
+             // Handle the error appropriately
+           }
+           ```
+
+      2. **Sensitive Data Redaction:**
+         - Redact sensitive information before logging
+         - Use dedicated functions for sanitization
+         - Example:
+           ```javascript
+           function redactSensitiveData(obj) {
+             const sensitiveFields = ['password', 'token', 'secret', 'creditCard', 'ssn'];
+             const redacted = { ...obj };
+
+             for (const field of sensitiveFields) {
+               if (field in redacted) {
+                 redacted[field] = '***REDACTED***';
+               }
+             }
+
+             return redacted;
+           }
+
+           // Usage
+           logger.info({
+             message: 'User login attempt',
+             user: redactSensitiveData(userData),
              timestamp: new Date().toISOString()
            });
-           return { success: false, reason: 'invalid_credentials' };
-         }
-         
-         const isValid = await bcrypt.compare(password, user.passwordHash);
-         
-         if (!isValid) {
-           logger.warn({
-             message: 'Authentication failed: invalid password',
-             username,
+           ```
+
+      3. **Authentication Logging:**
+         - Log all authentication events
+         - Include success/failure status
+         - Example:
+           ```javascript
+           async function authenticateUser(username, password) {
+             try {
+               const user = await User.findOne({ username });
+
+               if (!user) {
+                 logger.warn({
+                   message: 'Authentication failed: user not found',
+                   username,
+                   ipAddress: req.ip,
+                   userAgent: req.headers['user-agent'],
+                   timestamp: new Date().toISOString()
+                 });
+                 return { success: false, reason: 'invalid_credentials' };
+               }
+
+               const isValid = await bcrypt.compare(password, user.passwordHash);
+
+               if (!isValid) {
+                 logger.warn({
+                   message: 'Authentication failed: invalid password',
+                   username,
+                   userId: user.id,
+                   ipAddress: req.ip,
+                   userAgent: req.headers['user-agent'],
+                   timestamp: new Date().toISOString()
+                 });
+                 return { success: false, reason: 'invalid_credentials' };
+               }
+
+               logger.info({
+                 message: 'User authenticated successfully',
+                 username,
+                 userId: user.id,
+                 ipAddress: req.ip,
+                 userAgent: req.headers['user-agent'],
+                 timestamp: new Date().toISOString()
+               });
+
+               return { success: true, user };
+             } catch (error) {
+               logger.error({
+                 message: 'Authentication error',
+                 username,
+                 error: {
+                   name: error.name,
+                   message: error.message,
+                   stack: error.stack
+                 },
+                 timestamp: new Date().toISOString()
+               });
+               return { success: false, reason: 'system_error' };
+             }
+           }
+           ```
+
+      4. **Authorization Logging:**
+         - Log access control decisions
+         - Include user, resource, and action
+         - Example:
+           ```javascript
+           function checkPermission(user, resource, action) {
+             const hasPermission = user.permissions.some(p =>
+               p.resource === resource && p.actions.includes(action)
+             );
+
+             logger.info({
+               message: `Authorization ${hasPermission ? 'granted' : 'denied'}`,
+               userId: user.id,
+               username: user.username,
+               resource,
+               action,
+               decision: hasPermission ? 'allow' : 'deny',
+               timestamp: new Date().toISOString()
+             });
+
+             return hasPermission;
+           }
+           ```
+
+      5. **Comprehensive Error Logging:**
+         - Include detailed error information
+         - Add context for troubleshooting
+         - Example:
+           ```javascript
+           // Using a logging library like Winston
+           const winston = require('winston');
+
+           const logger = winston.createLogger({
+             level: process.env.LOG_LEVEL || 'info',
+             format: winston.format.combine(
+               winston.format.timestamp(),
+               winston.format.json()
+             ),
+             defaultMeta: { service: 'user-service' },
+             transports: [
+               new winston.transports.Console(),
+               new winston.transports.File({ filename: 'error.log', level: 'error' }),
+               new winston.transports.File({ filename: 'combined.log' })
+             ]
+           });
+
+           // Usage
+           try {
+             // Operation that might fail
+           } catch (error) {
+             logger.error({
+               message: 'Operation failed',
+               operationName: 'processData',
+               error: {
+                 name: error.name,
+                 message: error.message,
+                 code: error.code,
+                 stack: error.stack
+               },
+               context: {
+                 userId: req.user?.id,
+                 requestId: req.id,
+                 path: req.path,
+                 method: req.method
+               }
+             });
+           }
+           ```
+
+      6. **Security Event Logging:**
+         - Log all security-relevant events
+         - Include detailed context
+         - Example:
+           ```javascript
+           function detectBruteForce(username, ipAddress) {
+             const attempts = getLoginAttempts(username, ipAddress);
+
+             if (attempts > MAX_ATTEMPTS) {
+               logger.warn({
+                 message: 'Possible brute force attack detected',
+                 username,
+                 ipAddress,
+                 attempts,
+                 threshold: MAX_ATTEMPTS,
+                 action: 'account_temporarily_locked',
+                 timestamp: new Date().toISOString()
+               });
+
+               // Implement account lockout or IP blocking
+               lockAccount(username, LOCKOUT_DURATION);
+               return true;
+             }
+
+             return false;
+           }
+           ```
+
+      7. **Structured Logging Format:**
+         - Use JSON for machine-readable logs
+         - Maintain consistent field names
+         - Example:
+           ```javascript
+           // Using a structured logging library like Pino
+           const pino = require('pino');
+
+           const logger = pino({
+             level: process.env.LOG_LEVEL || 'info',
+             base: { pid: process.pid, hostname: os.hostname() },
+             timestamp: pino.stdTimeFunctions.isoTime,
+             formatters: {
+               level: (label) => {
+                 return { level: label };
+               }
+             }
+           });
+
+           // Usage
+           logger.info({
+             msg: 'User profile updated',
              userId: user.id,
-             ipAddress: req.ip,
-             userAgent: req.headers['user-agent'],
-             timestamp: new Date().toISOString()
+             changes: ['email', 'preferences'],
+             source: 'api'
+           });
+           ```
+
+      8. **Request Correlation:**
+         - Use correlation IDs across services
+         - Track request flow through the system
+         - Example:
+           ```javascript
+           // Express middleware for adding correlation IDs
+           const { v4: uuidv4 } = require('uuid');
+
+           function correlationMiddleware(req, res, next) {
+             // Use existing correlation ID from headers or generate a new one
+             const correlationId = req.headers['x-correlation-id'] || uuidv4();
+             req.correlationId = correlationId;
+
+             // Add to response headers
+             res.setHeader('x-correlation-id', correlationId);
+
+             // Add to logger context for this request
+             req.logger = logger.child({ correlationId });
+
+             next();
+           }
+
+           // Usage in route handlers
+           app.get('/api/users/:id', (req, res) => {
+             req.logger.info({
+               msg: 'User profile requested',
+               userId: req.params.id,
+               path: req.path,
+               method: req.method
+             });
+
+             // Process request...
            });
-           return { success: false, reason: 'invalid_credentials' };
-         }
-         
-         logger.info({
-           message: 'User authenticated successfully',
-           username,
-           userId: user.id,
-           ipAddress: req.ip,
-           userAgent: req.headers['user-agent'],
-           timestamp: new Date().toISOString()
-         });
-         
-         return { success: true, user };
-       } catch (error) {
-         logger.error({
-           message: 'Authentication error',
-           username,
-           error: {
-             name: error.name,
-             message: error.message,
-             stack: error.stack
-           },
-           timestamp: new Date().toISOString()
-         });
-         return { success: false, reason: 'system_error' };
-       }
-     }
-     ```
-
-4. **Authorization Logging:**
-   - Log access control decisions
-   - Include user, resource, and action
-   - Example:
-     ```javascript
-     function checkPermission(user, resource, action) {
-       const hasPermission = user.permissions.some(p => 
-         p.resource === resource && p.actions.includes(action)
-       );
-       
-       logger.info({
-         message: `Authorization ${hasPermission ? 'granted' : 'denied'}`,
-         userId: user.id,
-         username: user.username,
-         resource,
-         action,
-         decision: hasPermission ? 'allow' : 'deny',
-         timestamp: new Date().toISOString()
-       });
-       
-       return hasPermission;
-     }
-     ```
-
-5. **Comprehensive Error Logging:**
-   - Include detailed error information
-   - Add context for troubleshooting
-   - Example:
-     ```javascript
-     // Using a logging library like Winston
-     const winston = require('winston');
-     
-     const logger = winston.createLogger({
-       level: process.env.LOG_LEVEL || 'info',
-       format: winston.format.combine(
-         winston.format.timestamp(),
-         winston.format.json()
-       ),
-       defaultMeta: { service: 'user-service' },
-       transports: [
-         new winston.transports.Console(),
-         new winston.transports.File({ filename: 'error.log', level: 'error' }),
-         new winston.transports.File({ filename: 'combined.log' })
-       ]
-     });
-     
-     // Usage
-     try {
-       // Operation that might fail
-     } catch (error) {
-       logger.error({
-         message: 'Operation failed',
-         operationName: 'processData',
-         error: {
-           name: error.name,
-           message: error.message,
-           code: error.code,
-           stack: error.stack
-         },
-         context: {
-           userId: req.user?.id,
-           requestId: req.id,
-           path: req.path,
-           method: req.method
-         }
-       });
-     }
-     ```
-
-6. **Security Event Logging:**
-   - Log all security-relevant events
-   - Include detailed context
-   - Example:
-     ```javascript
-     function detectBruteForce(username, ipAddress) {
-       const attempts = getLoginAttempts(username, ipAddress);
-       
-       if (attempts > MAX_ATTEMPTS) {
-         logger.warn({
-           message: 'Possible brute force attack detected',
-           username,
-           ipAddress,
-           attempts,
-           threshold: MAX_ATTEMPTS,
-           action: 'account_temporarily_locked',
-           timestamp: new Date().toISOString()
-         });
-         
-         // Implement account lockout or IP blocking
-         lockAccount(username, LOCKOUT_DURATION);
-         return true;
-       }
-       
-       return false;
-     }
-     ```
-
-7. **Structured Logging Format:**
-   - Use JSON for machine-readable logs
-   - Maintain consistent field names
-   - Example:
-     ```javascript
-     // Using a structured logging library like Pino
-     const pino = require('pino');
-     
-     const logger = pino({
-       level: process.env.LOG_LEVEL || 'info',
-       base: { pid: process.pid, hostname: os.hostname() },
-       timestamp: pino.stdTimeFunctions.isoTime,
-       formatters: {
-         level: (label) => {
-           return { level: label };
-         }
-       }
-     });
-     
-     // Usage
-     logger.info({
-       msg: 'User profile updated',
-       userId: user.id,
-       changes: ['email', 'preferences'],
-       source: 'api'
-     });
-     ```
-
-8. **Request Correlation:**
-   - Use correlation IDs across services
-   - Track request flow through the system
-   - Example:
-     ```javascript
-     // Express middleware for adding correlation IDs
-     const { v4: uuidv4 } = require('uuid');
-     
-     function correlationMiddleware(req, res, next) {
-       // Use existing correlation ID from headers or generate a new one
-       const correlationId = req.headers['x-correlation-id'] || uuidv4();
-       req.correlationId = correlationId;
-       
-       // Add to response headers
-       res.setHeader('x-correlation-id', correlationId);
-       
-       // Add to logger context for this request
-       req.logger = logger.child({ correlationId });
-       
-       next();
-     }
-     
-     // Usage in route handlers
-     app.get('/api/users/:id', (req, res) => {
-       req.logger.info({
-         msg: 'User profile requested',
-         userId: req.params.id,
-         path: req.path,
-         method: req.method
-       });
-       
-       // Process request...
-     });
-     ```
-
-9. **Transaction Logging:**
-   - Log all high-value transactions
-   - Include before/after states
-   - Example:
-     ```javascript
-     async function processPayment(userId, amount, paymentMethod) {
-       logger.info({
-         message: 'Payment processing started',
-         userId,
-         amount,
-         paymentMethod: {
-           type: paymentMethod.type,
-           lastFour: paymentMethod.lastFour
-         },
-         transactionId: generateTransactionId(),
-         timestamp: new Date().toISOString()
-       });
-       
-       try {
-         const result = await paymentGateway.charge({
-           amount,
-           source: paymentMethod.token
-         });
-         
-         logger.info({
-           message: 'Payment processed successfully',
-           userId,
-           amount,
-           transactionId: result.transactionId,
-           gatewayReference: result.reference,
-           status: 'success',
-           timestamp: new Date().toISOString()
-         });
-         
-         return { success: true, transactionId: result.transactionId };
-       } catch (error) {
-         logger.error({
-           message: 'Payment processing failed',
-           userId,
-           amount,
-           error: {
-             name: error.name,
-             message: error.message,
-             code: error.code
-           },
-           status: 'failed',
-           timestamp: new Date().toISOString()
-         });
-         
-         return { success: false, error: error.message };
-       }
-     }
-     ```
-
-10. **Client-Side Error Reporting:**
-    - Send client errors to the backend
-    - Include browser and user context
-    - Example:
-      ```javascript
-      // Client-side error tracking
-      window.addEventListener('error', function(event) {
-        const errorDetails = {
-          message: event.message,
-          source: event.filename,
-          lineno: event.lineno,
-          colno: event.colno,
-          error: {
-            stack: event.error?.stack
-          },
-          url: window.location.href,
-          userAgent: navigator.userAgent,
-          timestamp: new Date().toISOString(),
-          // Add user context if available
-          userId: window.currentUser?.id
-        };
-        
-        // Send to backend logging endpoint
-        fetch('/api/log/client-error', {
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json'
-          },
-          body: JSON.stringify(errorDetails),
-          // Use keepalive to ensure the request completes even if the page is unloading
-          keepalive: true
-        }).catch(err => {
-          // Fallback if the logging endpoint fails
-          console.error('Failed to send error report:', err);
-        });
-      });
-      ```
-
-11. **Proper Log Levels:**
-    - Use appropriate log levels
-    - Configure based on environment
-    - Example:
-      ```javascript
-      // Using Winston with proper log levels
-      const winston = require('winston');
-      
-      const logger = winston.createLogger({
-        level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
-        levels: winston.config.npm.levels,
-        format: winston.format.combine(
-          winston.format.timestamp(),
-          winston.format.json()
-        ),
-        transports: [
-          new winston.transports.Console({
-            format: winston.format.combine(
-              winston.format.colorize(),
-              winston.format.simple()
-            )
-          })
-        ]
-      });
-      
-      // Usage with appropriate levels
-      logger.error('Critical application error'); // Always logged
-      logger.warn('Potential issue detected'); // Warning conditions
-      logger.info('Normal operational message'); // Normal but significant
-      logger.http('HTTP request received'); // HTTP request logging
-      logger.verbose('Detailed information'); // Detailed debug information
-      logger.debug('Debugging information'); // For developers
-      logger.silly('Extremely detailed tracing'); // Most granular
-      ```
-
-12. **Monitoring Integration:**
-    - Integrate with monitoring services
-    - Set up alerts for critical issues
-    - Example:
-      ```javascript
-      // Using Sentry for error monitoring
-      const Sentry = require('@sentry/node');
-      const Tracing = require('@sentry/tracing');
-      const express = require('express');
-      
-      const app = express();
-      
-      Sentry.init({
-        dsn: process.env.SENTRY_DSN,
-        integrations: [
-          new Sentry.Integrations.Http({ tracing: true }),
-          new Tracing.Integrations.Express({ app })
-        ],
-        tracesSampleRate: 1.0
-      });
-      
-      // Use Sentry middleware
-      app.use(Sentry.Handlers.requestHandler());
-      app.use(Sentry.Handlers.tracingHandler());
-      
-      // Your routes here
-      
-      // Error handler
-      app.use(Sentry.Handlers.errorHandler());
-      app.use((err, req, res, next) => {
-        // Custom error handling
-        logger.error({
-          message: 'Express error',
-          error: {
-            name: err.name,
-            message: err.message,
-            stack: err.stack
-          },
-          request: {
-            path: req.path,
-            method: req.method,
-            correlationId: req.correlationId
-          }
-        });
-        
-        res.status(500).json({ error: 'Internal server error' });
-      });
-      ```
-
-13. **Log Aggregation:**
-    - Set up centralized log collection
-    - Configure log shipping
-    - Example:
-      ```javascript
-      // Using Winston with Elasticsearch transport
-      const winston = require('winston');
-      const { ElasticsearchTransport } = require('winston-elasticsearch');
-      
-      const esTransportOpts = {
-        level: 'info',
-        clientOpts: {
-          node: process.env.ELASTICSEARCH_URL,
-          auth: {
-            username: process.env.ELASTICSEARCH_USERNAME,
-            password: process.env.ELASTICSEARCH_PASSWORD
-          }
-        },
-        indexPrefix: 'app-logs'
-      };
-      
-      const logger = winston.createLogger({
-        transports: [
-          new winston.transports.Console(),
-          new ElasticsearchTransport(esTransportOpts)
-        ]
-      });
-      ```
-      
-      ```yaml
-      # docker-compose.yml example with ELK stack
-      version: '3'
-      services:
-        app:
-          build: .
-          environment:
-            - NODE_ENV=production
-            - ELASTICSEARCH_URL=http://elasticsearch:9200
-          depends_on:
-            - elasticsearch
-        
-        elasticsearch:
-          image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
-          environment:
-            - discovery.type=single-node
-            - ES_JAVA_OPTS=-Xms512m -Xmx512m
-          volumes:
-            - es_data:/usr/share/elasticsearch/data
-        
-        kibana:
-          image: docker.elastic.co/kibana/kibana:7.14.0
-          ports:
-            - "5601:5601"
-          depends_on:
-            - elasticsearch
-        
-        logstash:
-          image: docker.elastic.co/logstash/logstash:7.14.0
-          volumes:
-            - ./logstash/pipeline:/usr/share/logstash/pipeline
-          depends_on:
-            - elasticsearch
-      
-      volumes:
-        es_data:
-      ```
-
-14. **Health Checks and Monitoring:**
-    - Implement health check endpoints
-    - Monitor application status
-    - Example:
-      ```javascript
-      const express = require('express');
-      const app = express();
-      
-      // Basic health check endpoint
-      app.get('/health', (req, res) => {
-        const status = {
-          status: 'UP',
-          timestamp: new Date().toISOString(),
-          uptime: process.uptime(),
-          memoryUsage: process.memoryUsage(),
-          version: process.env.npm_package_version
-        };
-        
-        // Add database health check
-        try {
-          // Check database connection
-          status.database = { status: 'UP' };
-        } catch (error) {
-          status.database = { status: 'DOWN', error: error.message };
-          status.status = 'DEGRADED';
-        }
-        
-        // Add external service health checks
-        // ...
-        
-        // Log health check results
-        logger.debug({
-          message: 'Health check performed',
-          result: status
-        });
-        
-        const statusCode = status.status === 'UP' ? 200 : 
-                          status.status === 'DEGRADED' ? 200 : 503;
-        
-        res.status(statusCode).json(status);
-      });
-      
-      // Detailed readiness probe
-      app.get('/ready', async (req, res) => {
-        const checks = [];
-        let isReady = true;
-        
-        // Check database
-        try {
-          await db.ping();
-          checks.push({ component: 'database', status: 'ready' });
-        } catch (error) {
-          isReady = false;
-          checks.push({ 
-            component: 'database', 
-            status: 'not ready',
-            error: error.message
-          });
-        }
-        
-        // Check cache
-        try {
-          await cache.ping();
-          checks.push({ component: 'cache', status: 'ready' });
-        } catch (error) {
-          isReady = false;
-          checks.push({ 
-            component: 'cache', 
-            status: 'not ready',
-            error: error.message
-          });
-        }
-        
-        // Log readiness check
-        logger.debug({
-          message: 'Readiness check performed',
-          isReady,
-          checks
-        });
-        
-        res.status(isReady ? 200 : 503).json({
-          status: isReady ? 'ready' : 'not ready',
-          checks,
-          timestamp: new Date().toISOString()
-        });
-      });
-      ```
-
-15. **Rate Limiting with Logging:**
-    - Log rate limit events
-    - Track potential abuse
-    - Example:
-      ```javascript
-      const rateLimit = require('express-rate-limit');
-      
-      // Create rate limiter with logging
-      const apiLimiter = rateLimit({
-        windowMs: 15 * 60 * 1000, // 15 minutes
-        max: 100, // limit each IP to 100 requests per windowMs
-        standardHeaders: true,
-        legacyHeaders: false,
-        handler: (req, res, next, options) => {
-          // Log rate limit exceeded
-          logger.warn({
-            message: 'Rate limit exceeded',
-            ip: req.ip,
-            path: req.path,
-            method: req.method,
-            userAgent: req.headers['user-agent'],
-            currentLimit: options.max,
-            windowMs: options.windowMs,
-            correlationId: req.correlationId,
-            userId: req.user?.id,
-            timestamp: new Date().toISOString()
-          });
-          
-          res.status(options.statusCode).json({
-            status: 'error',
-            message: options.message
-          });
-        },
-        // Called on all requests to track usage
-        onLimitReached: (req, res, options) => {
-          // This is called when a client hits the rate limit
-          logger.warn({
-            message: 'Client reached rate limit',
-            ip: req.ip,
-            path: req.path,
-            method: req.method,
-            userAgent: req.headers['user-agent'],
-            correlationId: req.correlationId,
-            userId: req.user?.id,
-            timestamp: new Date().toISOString()
-          });
-          
-          // Consider additional actions like temporary IP ban
-          // or sending alerts for potential attacks
-        }
-      });
-      
-      // Apply to all API routes
-      app.use('/api/', apiLimiter);
-      ```
-
-## Validation
-
-- Using a structured logging library.
-- Implementing proper error logging in catch blocks.
-- Implementing sensitive data redaction in logs.
-- Using correlation IDs for request tracing.
-- Integrating with monitoring or log aggregation services.
+           ```
+
+      9. **Transaction Logging:**
+         - Log all high-value transactions
+         - Include before/after states
+         - Example:
+           ```javascript
+           async function processPayment(userId, amount, paymentMethod) {
+             logger.info({
+               message: 'Payment processing started',
+               userId,
+               amount,
+               paymentMethod: {
+                 type: paymentMethod.type,
+                 lastFour: paymentMethod.lastFour
+               },
+               transactionId: generateTransactionId(),
+               timestamp: new Date().toISOString()
+             });
+
+             try {
+               const result = await paymentGateway.charge({
+                 amount,
+                 source: paymentMethod.token
+               });
+
+               logger.info({
+                 message: 'Payment processed successfully',
+                 userId,
+                 amount,
+                 transactionId: result.transactionId,
+                 gatewayReference: result.reference,
+                 status: 'success',
+                 timestamp: new Date().toISOString()
+               });
+
+               return { success: true, transactionId: result.transactionId };
+             } catch (error) {
+               logger.error({
+                 message: 'Payment processing failed',
+                 userId,
+                 amount,
+                 error: {
+                   name: error.name,
+                   message: error.message,
+                   code: error.code
+                 },
+                 status: 'failed',
+                 timestamp: new Date().toISOString()
+               });
+
+               return { success: false, error: error.message };
+             }
+           }
+           ```
+
+      10. **Client-Side Error Reporting:**
+          - Send client errors to the backend
+          - Include browser and user context
+          - Example:
+            ```javascript
+            // Client-side error tracking
+            window.addEventListener('error', function(event) {
+              const errorDetails = {
+                message: event.message,
+                source: event.filename,
+                lineno: event.lineno,
+                colno: event.colno,
+                error: {
+                  stack: event.error?.stack
+                },
+                url: window.location.href,
+                userAgent: navigator.userAgent,
+                timestamp: new Date().toISOString(),
+                // Add user context if available
+                userId: window.currentUser?.id
+              };
+
+              // Send to backend logging endpoint
+              fetch('/api/log/client-error', {
+                method: 'POST',
+                headers: {
+                  'Content-Type': 'application/json'
+                },
+                body: JSON.stringify(errorDetails),
+                // Use keepalive to ensure the request completes even if the page is unloading
+                keepalive: true
+              }).catch(err => {
+                // Fallback if the logging endpoint fails
+                console.error('Failed to send error report:', err);
+              });
+            });
+            ```
+
+      11. **Proper Log Levels:**
+          - Use appropriate log levels
+          - Configure based on environment
+          - Example:
+            ```javascript
+            // Using Winston with proper log levels
+            const winston = require('winston');
+
+            const logger = winston.createLogger({
+              level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
+              levels: winston.config.npm.levels,
+              format: winston.format.combine(
+                winston.format.timestamp(),
+                winston.format.json()
+              ),
+              transports: [
+                new winston.transports.Console({
+                  format: winston.format.combine(
+                    winston.format.colorize(),
+                    winston.format.simple()
+                  )
+                })
+              ]
+            });
+
+            // Usage with appropriate levels
+            logger.error('Critical application error'); // Always logged
+            logger.warn('Potential issue detected'); // Warning conditions
+            logger.info('Normal operational message'); // Normal but significant
+            logger.http('HTTP request received'); // HTTP request logging
+            logger.verbose('Detailed information'); // Detailed debug information
+            logger.debug('Debugging information'); // For developers
+            logger.silly('Extremely detailed tracing'); // Most granular
+            ```
+
+      12. **Monitoring Integration:**
+          - Integrate with monitoring services
+          - Set up alerts for critical issues
+          - Example:
+            ```javascript
+            // Using Sentry for error monitoring
+            const Sentry = require('@sentry/node');
+            const Tracing = require('@sentry/tracing');
+            const express = require('express');
+
+            const app = express();
+
+            Sentry.init({
+              dsn: process.env.SENTRY_DSN,
+              integrations: [
+                new Sentry.Integrations.Http({ tracing: true }),
+                new Tracing.Integrations.Express({ app })
+              ],
+              tracesSampleRate: 1.0
+            });
+
+            // Use Sentry middleware
+            app.use(Sentry.Handlers.requestHandler());
+            app.use(Sentry.Handlers.tracingHandler());
+
+            // Your routes here
+
+            // Error handler
+            app.use(Sentry.Handlers.errorHandler());
+            app.use((err, req, res, next) => {
+              // Custom error handling
+              logger.error({
+                message: 'Express error',
+                error: {
+                  name: err.name,
+                  message: err.message,
+                  stack: err.stack
+                },
+                request: {
+                  path: req.path,
+                  method: req.method,
+                  correlationId: req.correlationId
+                }
+              });
+
+              res.status(500).json({ error: 'Internal server error' });
+            });
+            ```
+
+      13. **Log Aggregation:**
+          - Set up centralized log collection
+          - Configure log shipping
+          - Example:
+            ```javascript
+            // Using Winston with Elasticsearch transport
+            const winston = require('winston');
+            const { ElasticsearchTransport } = require('winston-elasticsearch');
+
+            const esTransportOpts = {
+              level: 'info',
+              clientOpts: {
+                node: process.env.ELASTICSEARCH_URL,
+                auth: {
+                  username: process.env.ELASTICSEARCH_USERNAME,
+                  password: process.env.ELASTICSEARCH_PASSWORD
+                }
+              },
+              indexPrefix: 'app-logs'
+            };
+
+            const logger = winston.createLogger({
+              transports: [
+                new winston.transports.Console(),
+                new ElasticsearchTransport(esTransportOpts)
+              ]
+            });
+            ```
+
+            ```yaml
+            # docker-compose.yml example with ELK stack
+            version: '3'
+            services:
+              app:
+                build: .
+                environment:
+                  - NODE_ENV=production
+                  - ELASTICSEARCH_URL=http://elasticsearch:9200
+                depends_on:
+                  - elasticsearch
+
+              elasticsearch:
+                image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
+                environment:
+                  - discovery.type=single-node
+                  - ES_JAVA_OPTS=-Xms512m -Xmx512m
+                volumes:
+                  - es_data:/usr/share/elasticsearch/data
+
+              kibana:
+                image: docker.elastic.co/kibana/kibana:7.14.0
+                ports:
+                  - "5601:5601"
+                depends_on:
+                  - elasticsearch
+
+              logstash:
+                image: docker.elastic.co/logstash/logstash:7.14.0
+                volumes:
+                  - ./logstash/pipeline:/usr/share/logstash/pipeline
+                depends_on:
+                  - elasticsearch
+
+            volumes:
+              es_data:
+            ```
+
+      14. **Health Checks and Monitoring:**
+          - Implement health check endpoints
+          - Monitor application status
+          - Example:
+            ```javascript
+            const express = require('express');
+            const app = express();
+
+            // Basic health check endpoint
+            app.get('/health', (req, res) => {
+              const status = {
+                status: 'UP',
+                timestamp: new Date().toISOString(),
+                uptime: process.uptime(),
+                memoryUsage: process.memoryUsage(),
+                version: process.env.npm_package_version
+              };
+
+              // Add database health check
+              try {
+                // Check database connection
+                status.database = { status: 'UP' };
+              } catch (error) {
+                status.database = { status: 'DOWN', error: error.message };
+                status.status = 'DEGRADED';
+              }
+
+              // Add external service health checks
+              // ...
+
+              // Log health check results
+              logger.debug({
+                message: 'Health check performed',
+                result: status
+              });
+
+              const statusCode = status.status === 'UP' ? 200 :
+                                status.status === 'DEGRADED' ? 200 : 503;
+
+              res.status(statusCode).json(status);
+            });
+
+            // Detailed readiness probe
+            app.get('/ready', async (req, res) => {
+              const checks = [];
+              let isReady = true;
+
+              // Check database
+              try {
+                await db.ping();
+                checks.push({ component: 'database', status: 'ready' });
+              } catch (error) {
+                isReady = false;
+                checks.push({
+                  component: 'database',
+                  status: 'not ready',
+                  error: error.message
+                });
+              }
+
+              // Check cache
+              try {
+                await cache.ping();
+                checks.push({ component: 'cache', status: 'ready' });
+              } catch (error) {
+                isReady = false;
+                checks.push({
+                  component: 'cache',
+                  status: 'not ready',
+                  error: error.message
+                });
+              }
+
+              // Log readiness check
+              logger.debug({
+                message: 'Readiness check performed',
+                isReady,
+                checks
+              });
+
+              res.status(isReady ? 200 : 503).json({
+                status: isReady ? 'ready' : 'not ready',
+                checks,
+                timestamp: new Date().toISOString()
+              });
+            });
+            ```
+
+      15. **Rate Limiting with Logging:**
+          - Log rate limit events
+          - Track potential abuse
+          - Example:
+            ```javascript
+            const rateLimit = require('express-rate-limit');
+
+            // Create rate limiter with logging
+            const apiLimiter = rateLimit({
+              windowMs: 15 * 60 * 1000, // 15 minutes
+              max: 100, // limit each IP to 100 requests per windowMs
+              standardHeaders: true,
+              legacyHeaders: false,
+              handler: (req, res, next, options) => {
+                // Log rate limit exceeded
+                logger.warn({
+                  message: 'Rate limit exceeded',
+                  ip: req.ip,
+                  path: req.path,
+                  method: req.method,
+                  userAgent: req.headers['user-agent'],
+                  currentLimit: options.max,
+                  windowMs: options.windowMs,
+                  correlationId: req.correlationId,
+                  userId: req.user?.id,
+                  timestamp: new Date().toISOString()
+                });
+
+                res.status(options.statusCode).json({
+                  status: 'error',
+                  message: options.message
+                });
+              },
+              // Called on all requests to track usage
+              onLimitReached: (req, res, options) => {
+                // This is called when a client hits the rate limit
+                logger.warn({
+                  message: 'Client reached rate limit',
+                  ip: req.ip,
+                  path: req.path,
+                  method: req.method,
+                  userAgent: req.headers['user-agent'],
+                  correlationId: req.correlationId,
+                  userId: req.user?.id,
+                  timestamp: new Date().toISOString()
+                });
+
+                // Consider additional actions like temporary IP ban
+                // or sending alerts for potential attacks
+              }
+            });
+
+            // Apply to all API routes
+            app.use('/api/', apiLimiter);
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Structured Logging
+      - pattern: "(?:winston|pino|bunyan|loglevel|morgan|log4js)"
+        message: "Using a structured logging library."
+
+      # Check 2: Error Logging
+      - pattern: "try\\s*{[^}]*}\\s*catch\\s*\\([^)]*\\)\\s*{[^}]*(?:logger?\\.error|captureException)\\s*\\([^)]*\\)"
+        message: "Implementing proper error logging in catch blocks."
+
+      # Check 3: Sensitive Data Handling
+      - pattern: "(?:redact|mask|sanitize|filter)\\s*\\([^)]*(?:password|token|secret|key|credential)"
+        message: "Implementing sensitive data redaction in logs."
+
+      # Check 4: Correlation IDs
+      - pattern: "(?:correlationId|requestId|traceId)"
+        message: "Using correlation IDs for request tracing."
+
+      # Check 5: Monitoring Integration
+      - pattern: "(?:sentry|newrelic|datadog|appinsights|loggly|splunk|elasticsearch)"
+        message: "Integrating with monitoring or log aggregation services."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - logging
+    - monitoring
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:logging
+    - standard:owasp-top10
+    - risk:a09-security-logging-monitoring-failures
+  references:
+    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
+    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_for_Process_Timing"
+    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Logging_Vocabulary_Cheat_Sheet.md"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-logging-monitoring"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html#monitor-activity"
+```
+
+
diff --git a/.cursor/rules/javascript-security-misconfiguration.mdc b/.cursor/rules/javascript-security-misconfiguration.mdc
index fbcf69e..f4fbc7a 100644
--- a/.cursor/rules/javascript-security-misconfiguration.mdc
+++ b/.cursor/rules/javascript-security-misconfiguration.mdc
@@ -4,374 +4,466 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Security Misconfiguration (OWASP A05:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Missing HTTP security headers. Consider using Helmet.js to set secure HTTP headers.
-- Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments.
-- Exposing environment variables in client-side code. Only use environment variables with NEXT_PUBLIC_, REACT_APP_, or VITE_ prefixes for client-side code.
-- Insecure cookie configuration. Set secure:true, httpOnly:true, and appropriate sameSite value for cookies.
-- Content Security Policy (CSP) is disabled. Enable and configure CSP to prevent XSS attacks.
-- Debug information might be exposed in production. Ensure logging is properly configured based on the environment.
-- X-Powered-By header is not disabled. Use app.disable('x-powered-by') to hide technology information.
-- Directory listing might be enabled. Set index:true or provide an index file to prevent directory listing.
-- Missing rate limiting for sensitive endpoints. Implement rate limiting to prevent brute force attacks.
-- Potentially insecure WebSocket connection. Use secure WebSocket (wss://) in production.
-- Hardcoded configuration values. Use environment variables or a secure configuration management system.
-- Insecure SSL/TLS configuration. Never set rejectUnauthorized:false in production.
-- Missing essential security middleware. Consider using helmet, cors, rate limiting, and request size limiting.
-- Insecure error handling. Avoid exposing error details like stack traces to clients in production.
-- Check for outdated dependencies. Regularly update dependencies to avoid known vulnerabilities.
-
-## Recommendations
-
-**JavaScript Security Configuration Best Practices:**
-
-1. **HTTP Security Headers:**
-   - Use Helmet.js to set secure HTTP headers
-   - Configure Content Security Policy (CSP)
-   - Example:
-     ```javascript
-     const helmet = require('helmet');
-     
-     // Basic usage
-     app.use(helmet());
-     
-     // Custom CSP configuration
-     app.use(
-       helmet.contentSecurityPolicy({
-         directives: {
-           defaultSrc: ["'self'"],
-           scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
-           styleSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
-           imgSrc: ["'self'", 'data:', 'trusted-cdn.com'],
-           connectSrc: ["'self'", 'api.yourdomain.com'],
-           fontSrc: ["'self'", 'trusted-cdn.com'],
-           objectSrc: ["'none'"],
-           mediaSrc: ["'self'"],
-           frameSrc: ["'none'"],
-           upgradeInsecureRequests: [],
-         },
-       })
-     );
-     ```
-
-2. **Secure CORS Configuration:**
-   - Specify allowed origins explicitly
-   - Configure appropriate CORS options
-   - Example:
-     ```javascript
-     const cors = require('cors');
-     
-     // Define allowed origins
-     const allowedOrigins = [
-       'https://yourdomain.com',
-       'https://app.yourdomain.com',
-       'https://admin.yourdomain.com'
-     ];
-     
-     // Configure CORS
-     app.use(cors({
-       origin: function(origin, callback) {
-         // Allow requests with no origin (like mobile apps, curl, etc.)
-         if (!origin) return callback(null, true);
-         
-         if (allowedOrigins.indexOf(origin) === -1) {
-           const msg = 'The CORS policy for this site does not allow access from the specified Origin.';
-           return callback(new Error(msg), false);
-         }
-         
-         return callback(null, true);
-       },
-       methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-       credentials: true,
-       maxAge: 86400 // 24 hours
-     }));
-     ```
-
-3. **Environment-Based Configuration:**
-   - Use different configurations for development and production
-   - Validate configuration at startup
-   - Example:
-     ```javascript
-     const express = require('express');
-     const helmet = require('helmet');
-     const morgan = require('morgan');
-     
-     const app = express();
-     
-     // Environment-specific configuration
-     if (process.env.NODE_ENV === 'production') {
-       // Production settings
-       app.use(helmet());
-       app.use(morgan('combined'));
-       app.set('trust proxy', 1); // Trust first proxy
-       
-       // Disable X-Powered-By header
-       app.disable('x-powered-by');
-     } else {
-       // Development settings
-       app.use(morgan('dev'));
-     }
-     
-     // Validate required environment variables
-     const requiredEnvVars = ['DATABASE_URL', 'JWT_SECRET'];
-     for (const envVar of requiredEnvVars) {
-       if (!process.env[envVar]) {
-         console.error(`Error: Environment variable ${envVar} is required`);
-         process.exit(1);
-       }
-     }
-     ```
-
-4. **Secure Cookie Configuration:**
-   - Set secure, httpOnly, and sameSite attributes
-   - Use signed cookies when appropriate
-   - Example:
-     ```javascript
-     const session = require('express-session');
-     
-     app.use(session({
-       secret: process.env.SESSION_SECRET,
-       name: 'sessionId', // Custom cookie name instead of default
-       cookie: {
-         secure: process.env.NODE_ENV === 'production', // HTTPS only in production
-         httpOnly: true, // Prevents client-side JS from reading the cookie
-         sameSite: 'lax', // Controls when cookies are sent with cross-site requests
-         maxAge: 3600000, // 1 hour in milliseconds
-         domain: process.env.NODE_ENV === 'production' ? '.yourdomain.com' : undefined
-       },
-       resave: false,
-       saveUninitialized: false
-     }));
-     ```
-
-5. **Request Size Limiting:**
-   - Limit request body size to prevent DoS attacks
-   - Example:
-     ```javascript
-     // Using express built-in middleware
-     app.use(express.json({ limit: '10kb' }));
-     app.use(express.urlencoded({ extended: true, limit: '10kb' }));
-     
-     // Or using body-parser
-     const bodyParser = require('body-parser');
-     app.use(bodyParser.json({ limit: '10kb' }));
-     app.use(bodyParser.urlencoded({ extended: true, limit: '10kb' }));
-     ```
-
-6. **Proper Error Handling:**
-   - Use a centralized error handler
-   - Don't expose sensitive information in error responses
-   - Example:
-     ```javascript
-     // Custom error class
-     class AppError extends Error {
-       constructor(message, statusCode) {
-         super(message);
-         this.statusCode = statusCode;
-         this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
-         this.isOperational = true;
-         
-         Error.captureStackTrace(this, this.constructor);
-       }
-     }
-     
-     // Global error handling middleware
-     app.use((err, req, res, next) => {
-       err.statusCode = err.statusCode || 500;
-       err.status = err.status || 'error';
-       
-       // Different handling for development and production
-       if (process.env.NODE_ENV === 'development') {
-         res.status(err.statusCode).json({
-           status: err.status,
-           error: err,
-           message: err.message,
-           stack: err.stack
-         });
-       } else if (process.env.NODE_ENV === 'production') {
-         // Only send operational errors to the client
-         if (err.isOperational) {
-           res.status(err.statusCode).json({
-             status: err.status,
-             message: err.message
+```yaml
+name: javascript_security_misconfiguration
+description: Detect and prevent security misconfigurations in JavaScript applications as defined in OWASP Top 10:2021-A05
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing or Insecure HTTP Security Headers
+      - pattern: "app\\.use\\([^)]*?\\)\\s*(?!.*(?:helmet|frameguard|hsts|noSniff|xssFilter|contentSecurityPolicy))"
+        location: "(?:app|server|index)\\.(?:js|ts)$"
+        message: "Missing HTTP security headers. Consider using Helmet.js to set secure HTTP headers."
+
+      # Pattern 2: Insecure CORS Configuration
+      - pattern: "app\\.use\\(cors\\(\\{[^}]*?origin\\s*:\\s*['\"]\\*['\"]\\s*\\}\\)\\)"
+        message: "Insecure CORS configuration. Avoid using wildcard (*) for CORS origin in production environments."
+
+      # Pattern 3: Exposed Environment Variables in Client-Side Code
+      - pattern: "process\\.env\\.[A-Z_]+"
+        location: "(?:src|components|pages)"
+        message: "Exposing environment variables in client-side code. Only use environment variables with NEXT_PUBLIC_, REACT_APP_, or VITE_ prefixes for client-side code."
+
+      # Pattern 4: Insecure Cookie Settings
+      - pattern: "(?:cookie|cookies|session)\\([^)]*?\\{[^}]*?(?:secure\\s*:\\s*false|httpOnly\\s*:\\s*false|sameSite\\s*:\\s*['\"]none['\"])"
+        message: "Insecure cookie configuration. Set secure:true, httpOnly:true, and appropriate sameSite value for cookies."
+
+      # Pattern 5: Missing Content Security Policy
+      - pattern: "app\\.use\\([^)]*?helmet\\([^)]*?\\{[^}]*?contentSecurityPolicy\\s*:\\s*false"
+        message: "Content Security Policy (CSP) is disabled. Enable and configure CSP to prevent XSS attacks."
+
+      # Pattern 6: Debug Information Exposure
+      - pattern: "app\\.use\\([^)]*?morgan\\(['\"]dev['\"]\\)|console\\.(?:log|debug|info|warn|error)\\("
+        location: "(?:app|server|index)\\.(?:js|ts)$"
+        message: "Debug information might be exposed in production. Ensure logging is properly configured based on the environment."
+
+      # Pattern 7: Insecure Server Configuration
+      - pattern: "app\\.disable\\(['\"]x-powered-by['\"]\\)"
+        negative_pattern: true
+        location: "(?:app|server|index)\\.(?:js|ts)$"
+        message: "X-Powered-By header is not disabled. Use app.disable('x-powered-by') to hide technology information."
+
+      # Pattern 8: Directory Listing Enabled
+      - pattern: "express\\.static\\([^)]*?\\{[^}]*?index\\s*:\\s*false"
+        message: "Directory listing might be enabled. Set index:true or provide an index file to prevent directory listing."
+
+      # Pattern 9: Missing Rate Limiting
+      - pattern: "app\\.(?:get|post|put|delete|patch)\\([^)]*?['\"](?:/api|/login|/register|/auth)['\"]"
+        negative_pattern: "(?:rateLimit|rateLimiter|limiter|throttle)"
+        message: "Missing rate limiting for sensitive endpoints. Implement rate limiting to prevent brute force attacks."
+
+      # Pattern 10: Insecure WebSocket Configuration
+      - pattern: "new\\s+WebSocket\\([^)]*?\\)|io\\.on\\(['\"]connection['\"]"
+        negative_pattern: "(?:wss://|https://)"
+        message: "Potentially insecure WebSocket connection. Use secure WebSocket (wss://) in production."
+
+      # Pattern 11: Hardcoded Configuration Values
+      - pattern: "(?:apiKey|secret|password|token|credentials)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Hardcoded configuration values. Use environment variables or a secure configuration management system."
+
+      # Pattern 12: Insecure SSL/TLS Configuration
+      - pattern: "https\\.createServer\\([^)]*?\\{[^}]*?rejectUnauthorized\\s*:\\s*false"
+        message: "Insecure SSL/TLS configuration. Never set rejectUnauthorized:false in production."
+
+      # Pattern 13: Missing Security Middleware
+      - pattern: "express\\(\\)|require\\(['\"]express['\"]\\)"
+        negative_pattern: "(?:helmet|cors|rateLimit|bodyParser\\.json\\(\\{\\s*limit|express\\.json\\(\\{\\s*limit)"
+        location: "(?:app|server|index)\\.(?:js|ts)$"
+        message: "Missing essential security middleware. Consider using helmet, cors, rate limiting, and request size limiting."
+
+      # Pattern 14: Insecure Error Handling
+      - pattern: "app\\.use\\([^)]*?function\\s*\\([^)]*?err[^)]*?\\)\\s*\\{[^}]*?res\\.status[^}]*?err(?:\\.message|\\.stack)"
+        message: "Insecure error handling. Avoid exposing error details like stack traces to clients in production."
+
+      # Pattern 15: Outdated Dependencies Warning
+      - pattern: "(?:\"dependencies\"|\"devDependencies\")\\s*:\\s*\\{[^}]*?['\"](?:express|react|vue|angular|next|nuxt|axios)['\"]\\s*:\\s*['\"]\\^?\\d+\\.\\d+\\.\\d+['\"]"
+        location: "package\\.json$"
+        message: "Check for outdated dependencies. Regularly update dependencies to avoid known vulnerabilities."
+
+  - type: suggest
+    message: |
+      **JavaScript Security Configuration Best Practices:**
+
+      1. **HTTP Security Headers:**
+         - Use Helmet.js to set secure HTTP headers
+         - Configure Content Security Policy (CSP)
+         - Example:
+           ```javascript
+           const helmet = require('helmet');
+
+           // Basic usage
+           app.use(helmet());
+
+           // Custom CSP configuration
+           app.use(
+             helmet.contentSecurityPolicy({
+               directives: {
+                 defaultSrc: ["'self'"],
+                 scriptSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
+                 styleSrc: ["'self'", "'unsafe-inline'", 'trusted-cdn.com'],
+                 imgSrc: ["'self'", 'data:', 'trusted-cdn.com'],
+                 connectSrc: ["'self'", 'api.yourdomain.com'],
+                 fontSrc: ["'self'", 'trusted-cdn.com'],
+                 objectSrc: ["'none'"],
+                 mediaSrc: ["'self'"],
+                 frameSrc: ["'none'"],
+                 upgradeInsecureRequests: [],
+               },
+             })
+           );
+           ```
+
+      2. **Secure CORS Configuration:**
+         - Specify allowed origins explicitly
+         - Configure appropriate CORS options
+         - Example:
+           ```javascript
+           const cors = require('cors');
+
+           // Define allowed origins
+           const allowedOrigins = [
+             'https://yourdomain.com',
+             'https://app.yourdomain.com',
+             'https://admin.yourdomain.com'
+           ];
+
+           // Configure CORS
+           app.use(cors({
+             origin: function(origin, callback) {
+               // Allow requests with no origin (like mobile apps, curl, etc.)
+               if (!origin) return callback(null, true);
+
+               if (allowedOrigins.indexOf(origin) === -1) {
+                 const msg = 'The CORS policy for this site does not allow access from the specified Origin.';
+                 return callback(new Error(msg), false);
+               }
+
+               return callback(null, true);
+             },
+             methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+             credentials: true,
+             maxAge: 86400 // 24 hours
+           }));
+           ```
+
+      3. **Environment-Based Configuration:**
+         - Use different configurations for development and production
+         - Validate configuration at startup
+         - Example:
+           ```javascript
+           const express = require('express');
+           const helmet = require('helmet');
+           const morgan = require('morgan');
+
+           const app = express();
+
+           // Environment-specific configuration
+           if (process.env.NODE_ENV === 'production') {
+             // Production settings
+             app.use(helmet());
+             app.use(morgan('combined'));
+             app.set('trust proxy', 1); // Trust first proxy
+
+             // Disable X-Powered-By header
+             app.disable('x-powered-by');
+           } else {
+             // Development settings
+             app.use(morgan('dev'));
+           }
+
+           // Validate required environment variables
+           const requiredEnvVars = ['DATABASE_URL', 'JWT_SECRET'];
+           for (const envVar of requiredEnvVars) {
+             if (!process.env[envVar]) {
+               console.error(`Error: Environment variable ${envVar} is required`);
+               process.exit(1);
+             }
+           }
+           ```
+
+      4. **Secure Cookie Configuration:**
+         - Set secure, httpOnly, and sameSite attributes
+         - Use signed cookies when appropriate
+         - Example:
+           ```javascript
+           const session = require('express-session');
+
+           app.use(session({
+             secret: process.env.SESSION_SECRET,
+             name: 'sessionId', // Custom cookie name instead of default
+             cookie: {
+               secure: process.env.NODE_ENV === 'production', // HTTPS only in production
+               httpOnly: true, // Prevents client-side JS from reading the cookie
+               sameSite: 'lax', // Controls when cookies are sent with cross-site requests
+               maxAge: 3600000, // 1 hour in milliseconds
+               domain: process.env.NODE_ENV === 'production' ? '.yourdomain.com' : undefined
+             },
+             resave: false,
+             saveUninitialized: false
+           }));
+           ```
+
+      5. **Request Size Limiting:**
+         - Limit request body size to prevent DoS attacks
+         - Example:
+           ```javascript
+           // Using express built-in middleware
+           app.use(express.json({ limit: '10kb' }));
+           app.use(express.urlencoded({ extended: true, limit: '10kb' }));
+
+           // Or using body-parser
+           const bodyParser = require('body-parser');
+           app.use(bodyParser.json({ limit: '10kb' }));
+           app.use(bodyParser.urlencoded({ extended: true, limit: '10kb' }));
+           ```
+
+      6. **Proper Error Handling:**
+         - Use a centralized error handler
+         - Don't expose sensitive information in error responses
+         - Example:
+           ```javascript
+           // Custom error class
+           class AppError extends Error {
+             constructor(message, statusCode) {
+               super(message);
+               this.statusCode = statusCode;
+               this.status = `${statusCode}`.startsWith('4') ? 'fail' : 'error';
+               this.isOperational = true;
+
+               Error.captureStackTrace(this, this.constructor);
+             }
+           }
+
+           // Global error handling middleware
+           app.use((err, req, res, next) => {
+             err.statusCode = err.statusCode || 500;
+             err.status = err.status || 'error';
+
+             // Different handling for development and production
+             if (process.env.NODE_ENV === 'development') {
+               res.status(err.statusCode).json({
+                 status: err.status,
+                 error: err,
+                 message: err.message,
+                 stack: err.stack
+               });
+             } else if (process.env.NODE_ENV === 'production') {
+               // Only send operational errors to the client
+               if (err.isOperational) {
+                 res.status(err.statusCode).json({
+                   status: err.status,
+                   message: err.message
+                 });
+               } else {
+                 // Log programming or unknown errors
+                 console.error('ERROR 💥', err);
+
+                 // Send generic message
+                 res.status(500).json({
+                   status: 'error',
+                   message: 'Something went wrong'
+                 });
+               }
+             }
+           });
+           ```
+
+      7. **Rate Limiting:**
+         - Apply rate limiting to sensitive endpoints
+         - Use different limits for different endpoints
+         - Example:
+           ```javascript
+           const rateLimit = require('express-rate-limit');
+
+           // Create a rate limiter for API endpoints
+           const apiLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000, // 15 minutes
+             max: 100, // limit each IP to 100 requests per windowMs
+             standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+             legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+             message: 'Too many requests from this IP, please try again after 15 minutes'
+           });
+
+           // Create a stricter rate limiter for authentication endpoints
+           const authLimiter = rateLimit({
+             windowMs: 15 * 60 * 1000, // 15 minutes
+             max: 5, // limit each IP to 5 login attempts per windowMs
+             standardHeaders: true,
+             legacyHeaders: false,
+             message: 'Too many login attempts from this IP, please try again after 15 minutes'
            });
-         } else {
-           // Log programming or unknown errors
-           console.error('ERROR 💥', err);
-           
-           // Send generic message
-           res.status(500).json({
-             status: 'error',
-             message: 'Something went wrong'
+
+           // Apply rate limiters to routes
+           app.use('/api/', apiLimiter);
+           app.use('/api/auth/', authLimiter);
+           ```
+
+      8. **Secure WebSocket Configuration:**
+         - Use secure WebSocket connections (wss://)
+         - Implement authentication for WebSocket connections
+         - Example:
+           ```javascript
+           const http = require('http');
+           const https = require('https');
+           const socketIo = require('socket.io');
+           const fs = require('fs');
+
+           let server;
+
+           // Create secure server in production
+           if (process.env.NODE_ENV === 'production') {
+             const options = {
+               key: fs.readFileSync('/path/to/private.key'),
+               cert: fs.readFileSync('/path/to/certificate.crt')
+             };
+             server = https.createServer(options, app);
+           } else {
+             server = http.createServer(app);
+           }
+
+           const io = socketIo(server, {
+             cors: {
+               origin: process.env.NODE_ENV === 'production'
+                 ? 'https://yourdomain.com'
+                 : 'http://localhost:3000',
+               methods: ['GET', 'POST'],
+               credentials: true
+             }
            });
-         }
-       }
-     });
-     ```
-
-7. **Rate Limiting:**
-   - Apply rate limiting to sensitive endpoints
-   - Use different limits for different endpoints
-   - Example:
-     ```javascript
-     const rateLimit = require('express-rate-limit');
-     
-     // Create a rate limiter for API endpoints
-     const apiLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000, // 15 minutes
-       max: 100, // limit each IP to 100 requests per windowMs
-       standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
-       legacyHeaders: false, // Disable the `X-RateLimit-*` headers
-       message: 'Too many requests from this IP, please try again after 15 minutes'
-     });
-     
-     // Create a stricter rate limiter for authentication endpoints
-     const authLimiter = rateLimit({
-       windowMs: 15 * 60 * 1000, // 15 minutes
-       max: 5, // limit each IP to 5 login attempts per windowMs
-       standardHeaders: true,
-       legacyHeaders: false,
-       message: 'Too many login attempts from this IP, please try again after 15 minutes'
-     });
-     
-     // Apply rate limiters to routes
-     app.use('/api/', apiLimiter);
-     app.use('/api/auth/', authLimiter);
-     ```
-
-8. **Secure WebSocket Configuration:**
-   - Use secure WebSocket connections (wss://)
-   - Implement authentication for WebSocket connections
-   - Example:
-     ```javascript
-     const http = require('http');
-     const https = require('https');
-     const socketIo = require('socket.io');
-     const fs = require('fs');
-     
-     let server;
-     
-     // Create secure server in production
-     if (process.env.NODE_ENV === 'production') {
-       const options = {
-         key: fs.readFileSync('/path/to/private.key'),
-         cert: fs.readFileSync('/path/to/certificate.crt')
-       };
-       server = https.createServer(options, app);
-     } else {
-       server = http.createServer(app);
-     }
-     
-     const io = socketIo(server, {
-       cors: {
-         origin: process.env.NODE_ENV === 'production' 
-           ? 'https://yourdomain.com' 
-           : 'http://localhost:3000',
-         methods: ['GET', 'POST'],
-         credentials: true
-       }
-     });
-     
-     // WebSocket authentication middleware
-     io.use((socket, next) => {
-       const token = socket.handshake.auth.token;
-       
-       if (!token) {
-         return next(new Error('Authentication error'));
-       }
-       
-       // Verify token
-       // ...
-       
-       next();
-     });
-     ```
-
-9. **Security Dependency Management:**
-   - Regularly update dependencies
-   - Use tools like npm audit or Snyk
-   - Example:
-     ```javascript
-     // package.json scripts
-     {
-       "scripts": {
-         "audit": "npm audit",
-         "audit:fix": "npm audit fix",
-         "outdated": "npm outdated",
-         "update": "npm update",
-         "prestart": "npm audit --production"
-       }
-     }
-     ```
-
-10. **Secure Logging Configuration:**
-    - Configure logging based on environment
-    - Avoid logging sensitive information
-    - Example:
-      ```javascript
-      const winston = require('winston');
-      
-      // Define log levels
-      const levels = {
-        error: 0,
-        warn: 1,
-        info: 2,
-        http: 3,
-        debug: 4,
-      };
-      
-      // Define log level based on environment
-      const level = () => {
-        const env = process.env.NODE_ENV || 'development';
-        return env === 'development' ? 'debug' : 'warn';
-      };
-      
-      // Define log format
-      const format = winston.format.combine(
-        winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss:ms' }),
-        winston.format.printf(
-          (info) => `${info.timestamp} ${info.level}: ${info.message}`
-        )
-      );
-      
-      // Define transports
-      const transports = [
-        new winston.transports.Console(),
-        new winston.transports.File({
-          filename: 'logs/error.log',
-          level: 'error',
-        }),
-        new winston.transports.File({ filename: 'logs/all.log' }),
-      ];
-      
-      // Create the logger
-      const logger = winston.createLogger({
-        level: level(),
-        levels,
-        format,
-        transports,
-      });
-      
-      module.exports = logger;
-      ```
-
-## Validation
-
-- Using Helmet.js or individual HTTP security headers middleware.
-- Using secure CORS configuration with specific origins.
-- Implementing environment-specific configuration.
-- Using secure cookie configuration.
-- Implementing request size limiting.
+
+           // WebSocket authentication middleware
+           io.use((socket, next) => {
+             const token = socket.handshake.auth.token;
+
+             if (!token) {
+               return next(new Error('Authentication error'));
+             }
+
+             // Verify token
+             // ...
+
+             next();
+           });
+           ```
+
+      9. **Security Dependency Management:**
+         - Regularly update dependencies
+         - Use tools like npm audit or Snyk
+         - Example:
+           ```javascript
+           // package.json scripts
+           {
+             "scripts": {
+               "audit": "npm audit",
+               "audit:fix": "npm audit fix",
+               "outdated": "npm outdated",
+               "update": "npm update",
+               "prestart": "npm audit --production"
+             }
+           }
+           ```
+
+      10. **Secure Logging Configuration:**
+          - Configure logging based on environment
+          - Avoid logging sensitive information
+          - Example:
+            ```javascript
+            const winston = require('winston');
+
+            // Define log levels
+            const levels = {
+              error: 0,
+              warn: 1,
+              info: 2,
+              http: 3,
+              debug: 4,
+            };
+
+            // Define log level based on environment
+            const level = () => {
+              const env = process.env.NODE_ENV || 'development';
+              return env === 'development' ? 'debug' : 'warn';
+            };
+
+            // Define log format
+            const format = winston.format.combine(
+              winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss:ms' }),
+              winston.format.printf(
+                (info) => `${info.timestamp} ${info.level}: ${info.message}`
+              )
+            );
+
+            // Define transports
+            const transports = [
+              new winston.transports.Console(),
+              new winston.transports.File({
+                filename: 'logs/error.log',
+                level: 'error',
+              }),
+              new winston.transports.File({ filename: 'logs/all.log' }),
+            ];
+
+            // Create the logger
+            const logger = winston.createLogger({
+              level: level(),
+              levels,
+              format,
+              transports,
+            });
+
+            module.exports = logger;
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Helmet usage
+      - pattern: "helmet\\(\\)|frameguard\\(\\)|hsts\\(\\)|noSniff\\(\\)|xssFilter\\(\\)|contentSecurityPolicy\\(\\)"
+        message: "Using Helmet.js or individual HTTP security headers middleware."
+
+      # Check 2: Secure CORS configuration
+      - pattern: "cors\\(\\{[^}]*?origin\\s*:\\s*(?!['\"]*\\*)['\"]"
+        message: "Using secure CORS configuration with specific origins."
+
+      # Check 3: Environment-based configuration
+      - pattern: "process\\.env\\.NODE_ENV\\s*===\\s*['\"]production['\"]"
+        message: "Implementing environment-specific configuration."
+
+      # Check 4: Secure cookie settings
+      - pattern: "cookie\\s*:\\s*\\{[^}]*?secure\\s*:\\s*true[^}]*?httpOnly\\s*:\\s*true"
+        message: "Using secure cookie configuration."
+
+      # Check 5: Request size limiting
+      - pattern: "(?:express|bodyParser)\\.json\\(\\{[^}]*?limit\\s*:"
+        message: "Implementing request size limiting."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - configuration
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:misconfiguration
+    - standard:owasp-top10
+    - risk:a05-security-misconfiguration
+  references:
+    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
+    - "https://expressjs.com/en/advanced/best-practice-security.html"
+    - "https://helmetjs.github.io/"
+    - "https://github.com/OWASP/NodeGoat"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
+```
+
+
diff --git a/.cursor/rules/javascript-server-side-request-forgery.mdc b/.cursor/rules/javascript-server-side-request-forgery.mdc
index a061660..88250fc 100644
--- a/.cursor/rules/javascript-server-side-request-forgery.mdc
+++ b/.cursor/rules/javascript-server-side-request-forgery.mdc
@@ -4,762 +4,849 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Server-Side Request Forgery (OWASP A10:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Potential SSRF vulnerability: URL constructed from user input. Implement URL validation, allowlisting, or use a URL parser library to validate and sanitize user-provided URLs.
-- Potential SSRF vulnerability: Dynamic URL in HTTP request. Use URL parsing and validation before making the request.
-- URL redirection without proper validation may lead to SSRF. Implement strict validation for URLs before redirecting.
-- Direct use of IP addresses in requests may bypass hostname-based restrictions. Consider using allowlisted hostnames instead.
-- Request to internal network address detected. Restrict access to internal resources to prevent SSRF attacks.
-- Use of file:// protocol may lead to local file access. Block or restrict file:// protocol usage.
-- HTTP request without URL validation. Implement URL validation before making external requests.
-- User-defined HTTP request function without URL validation. Implement proper URL validation and sanitization.
-- Proxy or request forwarding functionality detected. Implement strict URL validation and allowlisting.
-- HTTP request with explicit method without URL validation. Implement URL validation for all HTTP methods.
-- Building URL with user input. Validate and sanitize all URL components and use an allowlist for base URLs.
-- Protocol-relative URL usage may lead to SSRF. Always specify the protocol and validate URLs.
-- Route with dynamic parameter that might be used in URL construction. Ensure proper validation before making any HTTP requests within this route handler.
-- URL parsing without validation or error handling. Implement proper error handling and validation for URL parsing.
-- Access to cloud service metadata endpoints detected. Restrict access to cloud metadata services to prevent server information disclosure.
-
-## Recommendations
-
-**JavaScript Server-Side Request Forgery (SSRF) Prevention Best Practices:**
-
-1. **Implement URL Validation and Sanitization:**
-   - Use built-in URL parsing libraries to validate URLs
-   - Validate both the URL format and components
-   - Example:
-     ```javascript
-     function isValidUrl(url) {
-       try {
-         const parsedUrl = new URL(url);
-         // Check protocol is http: or https:
-         if (!/^https?:$/.test(parsedUrl.protocol)) {
-           return false;
-         }
-         // Additional validation logic here
-         return true;
-       } catch (error) {
-         // Invalid URL format
-         return false;
-       }
-     }
-     
-     // Usage
-     const userProvidedUrl = req.body.targetUrl;
-     if (!isValidUrl(userProvidedUrl)) {
-       return res.status(400).json({ error: 'Invalid URL format or protocol' });
-     }
-     
-     // Now make the request with the validated URL
-     ```
-
-2. **Implement Strict Allowlisting:**
-   - Define allowlist of permitted domains and endpoints
-   - Reject requests to any domains not on the allowlist
-   - Example:
-     ```javascript
-     const ALLOWED_DOMAINS = [
-       'api.example.com',
-       'cdn.example.com',
-       'partner-api.trusted-domain.com'
-     ];
-     
-     function isAllowedDomain(url) {
-       try {
-         const parsedUrl = new URL(url);
-         return ALLOWED_DOMAINS.includes(parsedUrl.hostname);
-       } catch (error) {
-         return false;
-       }
-     }
-     
-     // Usage
-     const targetUrl = req.body.webhookUrl;
-     if (!isAllowedDomain(targetUrl)) {
-       logger.warn({
-         message: 'SSRF attempt blocked: domain not in allowlist',
-         url: targetUrl,
-         ip: req.ip,
-         userId: req.user?.id
-       });
-       return res.status(403).json({ error: 'Domain not allowed' });
-     }
-     ```
-
-3. **Block Access to Internal Networks:**
-   - Prevent requests to private IP ranges
-   - Block localhost and internal hostnames
-   - Example:
-     ```javascript
-     function isInternalHostname(hostname) {
-       // Check for localhost and common internal hostnames
-       if (hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.internal')) {
-         return true;
-       }
-       return false;
-     }
-     
-     function isPrivateIP(ip) {
-       // Check for private IP ranges
-       const privateRanges = [
-         /^127\./,                     // 127.0.0.0/8
-         /^10\./,                      // 10.0.0.0/8
-         /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
-         /^192\.168\./,                // 192.168.0.0/16
-         /^169\.254\./,                // 169.254.0.0/16
-         /^::1$/,                      // localhost IPv6
-         /^f[cd][0-9a-f]{2}:/i,        // fc00::/7 unique local IPv6
-         /^fe80:/i                     // fe80::/10 link-local IPv6
-       ];
-       
-       return privateRanges.some(range => range.test(ip));
-     }
-     
-     function isUrlSafe(url) {
-       try {
-         const parsedUrl = new URL(url);
-         
-         // Block internal hostnames
-         if (isInternalHostname(parsedUrl.hostname)) {
-           return false;
-         }
-         
-         // Resolve hostname to IP (in real implementation, use async DNS resolution)
-         // This example is simplified - in production you would use DNS resolution
-         let ip;
-         try {
-           // Note: This is a pseudo-code example
-           // In real code, you'd use a DNS resolution library
-           ip = dnsResolve(parsedUrl.hostname);
-           
-           // Block private IPs
-           if (isPrivateIP(ip)) {
+```yaml
+name: javascript_server_side_request_forgery
+description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in JavaScript applications as defined in OWASP Top 10:2021-A10
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: URL from User Input
+      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request|\\$\\.ajax|XMLHttpRequest|got|request|superagent|needle)\\s*\\([^)]*(?:\\$_GET|\\$_POST|\\$_REQUEST|req\\.(?:body|query|params)|request\\.(?:body|query|params)|event\\.(?:body|queryStringParameters|pathParameters)|params|userInput|data\\["
+        message: "Potential SSRF vulnerability: URL constructed from user input. Implement URL validation, allowlisting, or use a URL parser library to validate and sanitize user-provided URLs."
+
+      # Pattern 2: Dynamic URL in HTTP Request
+      - pattern: "(fetch|axios|http\\.get|http\\.request|https\\.get|https\\.request|\\$\\.ajax|XMLHttpRequest|got|request|superagent|needle)\\s*\\(\\s*['\"`]https?:\\/\\/[^'\"`]*['\"`]\\s*\\+\\s*"
+        message: "Potential SSRF vulnerability: Dynamic URL in HTTP request. Use URL parsing and validation before making the request."
+
+      # Pattern 3: URL Redirection Without Validation
+      - pattern: "(res\\.redirect|res\\.location|window\\.location|location\\.href|location\\.replace|location\\.assign|location\\.port|history\\.pushState|history\\.replaceState)\\s*\\([^)]*(?:req\\.(?:query|body|params)|request\\.(?:query|body|params)|userInput)"
+        message: "URL redirection without proper validation may lead to SSRF. Implement strict validation for URLs before redirecting."
+
+      # Pattern 4: Direct IP Address Usage
+      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]https?:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
+        message: "Direct use of IP addresses in requests may bypass hostname-based restrictions. Consider using allowlisted hostnames instead."
+
+      # Pattern 5: Local Network Access
+      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]https?:\\/\\/(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|192\\.168\\.|10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-1])\\.|::1)"
+        message: "Request to internal network address detected. Restrict access to internal resources to prevent SSRF attacks."
+
+      # Pattern 6: File Protocol Usage
+      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\(\\s*['\"`]file:\\/\\/"
+        message: "Use of file:// protocol may lead to local file access. Block or restrict file:// protocol usage."
+
+      # Pattern 7: Missing URL Validation
+      - pattern: "(fetch|axios\\.get|axios\\.post|axios\\.put|axios\\.delete|axios\\.patch|http\\.get|http\\.request|https\\.get|https\\.request)\\s*\\([^)]*\\burl\\b[^)]*\\)"
+        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|URL\\.(parse|canParse)|new URL\\(|isValidURL"
+        message: "HTTP request without URL validation. Implement URL validation before making external requests."
+
+      # Pattern 8: HTTP Request in User-Defined Function
+      - pattern: "function\\s+[a-zA-Z0-9_]*(?:request|fetch|get|http|curl)\\s*\\([^)]*\\)\\s*\\{[^}]*(?:fetch|axios|http\\.get|http\\.request|https\\.get|https\\.request)"
+        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
+        message: "User-defined HTTP request function without URL validation. Implement proper URL validation and sanitization."
+
+      # Pattern 9: Proxy Functionality
+      - pattern: "(?:proxy|forward|relay).*(?:req\\.(?:url|path)|request\\.(?:url|path))"
+        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist"
+        message: "Proxy or request forwarding functionality detected. Implement strict URL validation and allowlisting."
+
+      # Pattern 10: Alternative HTTP Methods
+      - pattern: "(fetch|axios)\\s*\\([^)]*method\\s*:\\s*['\"`](?:GET|POST|PUT|DELETE|PATCH|OPTIONS|HEAD)['\"`]"
+        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
+        message: "HTTP request with explicit method without URL validation. Implement URL validation for all HTTP methods."
+
+      # Pattern 11: URL Building from Parts
+      - pattern: "new URL\\s*\\((?:[^,)]+,\\s*){1,}(?:req\\.(?:body|query|params)|request\\.(?:body|query|params)|userinput)"
+        message: "Building URL with user input. Validate and sanitize all URL components and use an allowlist for base URLs."
+
+      # Pattern 12: Protocol-Relative URLs
+      - pattern: "(fetch|axios)\\s*\\(['\"`]\\/\\/[^'\"`]+['\"`]"
+        message: "Protocol-relative URL usage may lead to SSRF. Always specify the protocol and validate URLs."
+
+      # Pattern 13: Express-like Route with URL Parameter
+      - pattern: "app\\.(?:get|post|put|delete|patch)\\s*\\(['\"`][^'\"`]*\\/:[a-zA-Z0-9_]+(?:\\/|['\"`])"
+        negative_pattern: "(validat|sanitiz|check|parse).*\\burl\\b|allowlist|whitelist|new URL\\(|isValidURL"
+        message: "Route with dynamic parameter that might be used in URL construction. Ensure proper validation before making any HTTP requests within this route handler."
+
+      # Pattern 14: URL Parsing without Validation
+      - pattern: "URL\\.parse\\s*\\(|new URL\\s*\\("
+        negative_pattern: "try\\s*\\{|catch\\s*\\(|validat|sanitiz|check"
+        message: "URL parsing without validation or error handling. Implement proper error handling and validation for URL parsing."
+
+      # Pattern 15: Service Discovery / Cloud Metadata Access
+      - pattern: "(fetch|axios\\.get|http\\.get)\\s*\\(['\"`]https?:\\/\\/(?:169\\.254\\.169\\.254|fd00:ec2|metadata\\.google|metadata\\.azure|169\\.254\\.169\\.254\\/latest\\/meta-data)"
+        message: "Access to cloud service metadata endpoints detected. Restrict access to cloud metadata services to prevent server information disclosure."
+
+  - type: suggest
+    message: |
+      **JavaScript Server-Side Request Forgery (SSRF) Prevention Best Practices:**
+
+      1. **Implement URL Validation and Sanitization:**
+         - Use built-in URL parsing libraries to validate URLs
+         - Validate both the URL format and components
+         - Example:
+           ```javascript
+           function isValidUrl(url) {
+             try {
+               const parsedUrl = new URL(url);
+               // Check protocol is http: or https:
+               if (!/^https?:$/.test(parsedUrl.protocol)) {
+                 return false;
+               }
+               // Additional validation logic here
+               return true;
+             } catch (error) {
+               // Invalid URL format
+               return false;
+             }
+           }
+
+           // Usage
+           const userProvidedUrl = req.body.targetUrl;
+           if (!isValidUrl(userProvidedUrl)) {
+             return res.status(400).json({ error: 'Invalid URL format or protocol' });
+           }
+
+           // Now make the request with the validated URL
+           ```
+
+      2. **Implement Strict Allowlisting:**
+         - Define allowlist of permitted domains and endpoints
+         - Reject requests to any domains not on the allowlist
+         - Example:
+           ```javascript
+           const ALLOWED_DOMAINS = [
+             'api.example.com',
+             'cdn.example.com',
+             'partner-api.trusted-domain.com'
+           ];
+
+           function isAllowedDomain(url) {
+             try {
+               const parsedUrl = new URL(url);
+               return ALLOWED_DOMAINS.includes(parsedUrl.hostname);
+             } catch (error) {
+               return false;
+             }
+           }
+
+           // Usage
+           const targetUrl = req.body.webhookUrl;
+           if (!isAllowedDomain(targetUrl)) {
+             logger.warn({
+               message: 'SSRF attempt blocked: domain not in allowlist',
+               url: targetUrl,
+               ip: req.ip,
+               userId: req.user?.id
+             });
+             return res.status(403).json({ error: 'Domain not allowed' });
+           }
+           ```
+
+      3. **Block Access to Internal Networks:**
+         - Prevent requests to private IP ranges
+         - Block localhost and internal hostnames
+         - Example:
+           ```javascript
+           function isInternalHostname(hostname) {
+             // Check for localhost and common internal hostnames
+             if (hostname === 'localhost' || hostname.endsWith('.local') || hostname.endsWith('.internal')) {
+               return true;
+             }
              return false;
            }
-         } catch (error) {
-           // If DNS resolution fails, err on the side of caution
-           return false;
-         }
-         
-         return true;
-       } catch (error) {
-         return false;
-       }
-     }
-     ```
-
-4. **Disable Dangerous URL Protocols:**
-   - Restrict allowed URL protocols to HTTP and HTTPS
-   - Block file://, ftp://, gopher://, etc.
-   - Example:
-     ```javascript
-     function hasAllowedProtocol(url) {
-       try {
-         const parsedUrl = new URL(url);
-         const allowedProtocols = ['http:', 'https:'];
-         return allowedProtocols.includes(parsedUrl.protocol);
-       } catch (error) {
-         return false;
-       }
-     }
-     
-     // Usage
-     const targetUrl = req.body.documentUrl;
-     if (!hasAllowedProtocol(targetUrl)) {
-       logger.warn({
-         message: 'SSRF attempt blocked: disallowed protocol',
-         url: targetUrl,
-         protocol: new URL(targetUrl).protocol,
-         ip: req.ip
-       });
-       return res.status(403).json({ error: 'URL protocol not allowed' });
-     }
-     ```
-
-5. **Implement Network-Level Protection:**
-   - Use firewall rules to block outbound requests to internal networks
-   - Configure proxy servers to restrict external requests
-   - Example:
-     ```javascript
-     // Using a proxy for outbound requests
-     const axios = require('axios');
-     const HttpsProxyAgent = require('https-proxy-agent');
-     
-     // Configure proxy with appropriate controls
-     const httpsAgent = new HttpsProxyAgent({
-       host: 'proxy.example.com',
-       port: 3128,
-       // This proxy should be configured to block access to internal networks
-     });
-     
-     // Make requests through the proxy
-     async function secureExternalRequest(url) {
-       try {
-         const response = await axios.get(url, {
-           httpsAgent,
-           timeout: 5000, // Set reasonable timeout
-           maxRedirects: 2 // Limit redirects
-         });
-         return response.data;
-       } catch (error) {
-         logger.error({
-           message: 'External request failed',
-           url,
-           error: error.message
-         });
-         throw new Error('Failed to fetch external resource');
-       }
-     }
-     ```
-
-6. **Use Service-Specific Endpoints:**
-   - Instead of passing full URLs, use service identifiers
-   - Map identifiers to URLs on the server side
-   - Example:
-     ```javascript
-     // Client makes request with service identifier, not raw URL
-     app.get('/proxy-service/:serviceId', async (req, res) => {
-       const { serviceId } = req.params;
-       
-       // Service mapping defined server-side
-       const serviceMap = {
-         'weather-api': 'https://api.weather.example.com/current',
-         'news-feed': 'https://api.news.example.com/feed',
-         'product-info': 'https://api.products.example.com/details'
-       };
-       
-       // Check if service is defined
-       if (!serviceMap[serviceId]) {
-         return res.status(404).json({ error: 'Service not found' });
-       }
-       
-       try {
-         // Make request to mapped URL (not user-controlled)
-         const response = await axios.get(serviceMap[serviceId]);
-         return res.json(response.data);
-       } catch (error) {
-         return res.status(500).json({ error: 'Service request failed' });
-       }
-     });
-     ```
-
-7. **Implement Context-Specific Encodings:**
-   - Use context-appropriate encoding for URL parameters
-   - Don't rely solely on standard URL encoding
-   - Example:
-     ```javascript
-     function safeUrl(baseUrl, params) {
-       // Start with a verified base URL
-       const url = new URL(baseUrl);
-       
-       // Add parameters safely
-       for (const [key, value] of Object.entries(params)) {
-         // Ensure values are strings and properly encoded
-         url.searchParams.append(key, String(value));
-       }
-       
-       // Verify the final URL is still valid
-       if (!isAllowedDomain(url.toString())) {
-         throw new Error('URL creation resulted in disallowed domain');
-       }
-       
-       return url.toString();
-     }
-     
-     // Usage
-     try {
-       const apiUrl = safeUrl('https://api.example.com/data', {
-         id: userId,
-         format: 'json'
-       });
-       const response = await axios.get(apiUrl);
-       // Process response
-     } catch (error) {
-       // Handle error
-     }
-     ```
-
-8. **Use Defense in Depth:**
-   - Combine multiple validation strategies
-   - Don't rely on a single protection measure
-   - Example:
-     ```javascript
-     async function secureExternalRequest(url, options = {}) {
-       // 1. Validate URL format
-       if (!isValidUrl(url)) {
-         throw new Error('Invalid URL format');
-       }
-       
-       // 2. Check against allowlist
-       if (!isAllowedDomain(url)) {
-         throw new Error('Domain not in allowlist');
-       }
-       
-       // 3. Verify not internal network
-       const parsedUrl = new URL(url);
-       if (await isInternalNetwork(parsedUrl.hostname)) {
-         throw new Error('Access to internal networks not allowed');
-       }
-       
-       // 4. Validate protocol
-       if (!hasAllowedProtocol(url)) {
-         throw new Error('Protocol not allowed');
-       }
-       
-       // 5. Set additional security headers and options
-       const secureOptions = {
-         ...options,
-         timeout: options.timeout || 5000,
-         maxRedirects: options.maxRedirects || 2,
-         headers: {
-           ...options.headers,
-           'User-Agent': 'SecureApp/1.0'
-         }
-       };
-       
-       // 6. Make request with all validations passed
-       try {
-         return await axios(url, secureOptions);
-       } catch (error) {
-         logger.error({
-           message: 'Secure external request failed',
-           url,
-           error: error.message
-         });
-         throw new Error('External request failed');
-       }
-     }
-     ```
-
-9. **Validate and Sanitize Request Parameters:**
-   - Don't trust any user-supplied input for URL construction
-   - Validate all components used in URL building
-   - Example:
-     ```javascript
-     // API that fetches weather data for a city
-     app.get('/api/weather', async (req, res) => {
-       const { city } = req.query;
-       
-       // 1. Validate parameter exists and is valid
-       if (!city || typeof city !== 'string' || city.length > 100) {
-         return res.status(400).json({ error: 'Invalid city parameter' });
-       }
-       
-       // 2. Sanitize the parameter
-       const sanitizedCity = encodeURIComponent(city.trim());
-       
-       // 3. Construct URL with validated parameter
-       const weatherApiUrl = `https://api.weather.example.com/current?city=${sanitizedCity}`;
-       
-       // 4. Additional validation of the final URL
-       if (!isValidUrl(weatherApiUrl)) {
-         return res.status(400).json({ error: 'Invalid URL construction' });
-       }
-       
-       try {
-         const response = await axios.get(weatherApiUrl);
-         return res.json(response.data);
-       } catch (error) {
-         logger.error({
-           message: 'Weather API request failed',
-           city,
-           error: error.message
-         });
-         return res.status(500).json({ error: 'Failed to fetch weather data' });
-       }
-     });
-     ```
-
-10. **Implement Request Timeouts:**
-    - Set appropriate timeouts for all HTTP requests
-    - Prevent long-running SSRF probes
-    - Example:
-      ```javascript
-      async function fetchWithTimeout(url, options = {}) {
-        // Default timeout of 5 seconds
-        const timeout = options.timeout || 5000;
-        
-        // Create an abort controller to handle timeout
-        const controller = new AbortController();
-        const timeoutId = setTimeout(() => controller.abort(), timeout);
-        
-        try {
-          const response = await fetch(url, {
-            ...options,
-            signal: controller.signal
-          });
-          
-          clearTimeout(timeoutId);
-          return response;
-        } catch (error) {
-          clearTimeout(timeoutId);
-          if (error.name === 'AbortError') {
-            throw new Error(`Request timed out after ${timeout}ms`);
-          }
-          throw error;
-        }
-      }
-      
-      // Usage
-      try {
-        const response = await fetchWithTimeout('https://api.example.com/data', {
-          timeout: 3000, // 3 seconds timeout
-          headers: { 'Content-Type': 'application/json' }
-        });
-        const data = await response.json();
-        // Process data
-      } catch (error) {
-        console.error('Request failed:', error.message);
-      }
-      ```
-
-11. **Rate Limit External Requests:**
-    - Implement rate limiting for outbound requests
-    - Prevent SSRF probing and DoS attacks
-    - Example:
-      ```javascript
-      const { RateLimiter } = require('limiter');
-      
-      // Create a rate limiter: 100 requests per minute
-      const externalRequestLimiter = new RateLimiter({
-        tokensPerInterval: 100,
-        interval: 'minute'
-      });
-      
-      async function rateLimitedRequest(url, options = {}) {
-        // Check if we have tokens available
-        const remainingRequests = await externalRequestLimiter.removeTokens(1);
-        
-        if (remainingRequests < 0) {
-          throw new Error('Rate limit exceeded for external requests');
-        }
-        
-        // Proceed with the request
-        return axios(url, options);
-      }
-      
-      // Usage
-      app.get('/api/external-data', async (req, res) => {
-        const { url } = req.query;
-        
-        if (!isValidUrl(url) || !isAllowedDomain(url)) {
-          return res.status(403).json({ error: 'URL not allowed' });
-        }
-        
-        try {
-          const response = await rateLimitedRequest(url);
-          return res.json(response.data);
-        } catch (error) {
-          if (error.message === 'Rate limit exceeded for external requests') {
-            return res.status(429).json({ error: 'Too many requests' });
-          }
-          return res.status(500).json({ error: 'Failed to fetch data' });
-        }
-      });
-      ```
-
-12. **Use Web Application Firewalls (WAF):**
-    - Configure WAF rules to detect and block SSRF patterns
-    - Implement server-side firewall rules
-    - Example:
-      ```javascript
-      // Middleware to detect SSRF attack patterns
-      function ssrfProtectionMiddleware(req, res, next) {
-        const url = req.query.url || req.body.url;
-        
-        if (!url) {
-          return next();
-        }
-        
-        // Check for suspicious URL patterns
-        const ssrfPatterns = [
-          /file:\/\//i,
-          /^(ftps?|gopher|data|dict):\/\//i,
-          /^\/\/\//,
-          /(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/i,
-          /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)/
-        ];
-        
-        if (ssrfPatterns.some(pattern => pattern.test(url))) {
-          logger.warn({
-            message: 'Potential SSRF attack detected',
-            url,
-            ip: req.ip,
-            path: req.path,
-            method: req.method,
-            userId: req.user?.id
-          });
-          
-          return res.status(403).json({
-            error: 'Access denied - suspicious URL detected'
-          });
-        }
-        
-        next();
-      }
-      
-      // Apply middleware to all routes
-      app.use(ssrfProtectionMiddleware);
-      ```
-
-13. **Implement Centralized Request Services:**
-    - Create a dedicated service for external requests
-    - Implement all security controls in one place
-    - Example:
-      ```javascript
-      // externalRequestService.js
-      const axios = require('axios');
-      
-      class ExternalRequestService {
-        constructor(options = {}) {
-          this.allowedDomains = options.allowedDomains || [];
-          this.maxRedirects = options.maxRedirects || 2;
-          this.timeout = options.timeout || 5000;
-          this.logger = options.logger || console;
-        }
-        
-        async request(url, options = {}) {
-          // Validate URL
-          if (!this._isValidUrl(url)) {
-            throw new Error('Invalid URL format');
-          }
-          
-          // Check allowlist
-          if (!this._isAllowedDomain(url)) {
-            throw new Error('Domain not in allowlist');
-          }
-          
-          // Configure request options
-          const requestOptions = {
-            ...options,
-            timeout: options.timeout || this.timeout,
-            maxRedirects: options.maxRedirects || this.maxRedirects,
-            validateStatus: status => status >= 200 && status < 300
-          };
-          
-          try {
-            const response = await axios(url, requestOptions);
-            return response.data;
-          } catch (error) {
-            this.logger.error({
-              message: 'External request failed',
-              url,
-              error: error.message
+
+           function isPrivateIP(ip) {
+             // Check for private IP ranges
+             const privateRanges = [
+               /^127\./,                     // 127.0.0.0/8
+               /^10\./,                      // 10.0.0.0/8
+               /^172\.(1[6-9]|2[0-9]|3[0-1])\./, // 172.16.0.0/12
+               /^192\.168\./,                // 192.168.0.0/16
+               /^169\.254\./,                // 169.254.0.0/16
+               /^::1$/,                      // localhost IPv6
+               /^f[cd][0-9a-f]{2}:/i,        // fc00::/7 unique local IPv6
+               /^fe80:/i                     // fe80::/10 link-local IPv6
+             ];
+
+             return privateRanges.some(range => range.test(ip));
+           }
+
+           function isUrlSafe(url) {
+             try {
+               const parsedUrl = new URL(url);
+
+               // Block internal hostnames
+               if (isInternalHostname(parsedUrl.hostname)) {
+                 return false;
+               }
+
+               // Resolve hostname to IP (in real implementation, use async DNS resolution)
+               // This example is simplified - in production you would use DNS resolution
+               let ip;
+               try {
+                 // Note: This is a pseudo-code example
+                 // In real code, you'd use a DNS resolution library
+                 ip = dnsResolve(parsedUrl.hostname);
+
+                 // Block private IPs
+                 if (isPrivateIP(ip)) {
+                   return false;
+                 }
+               } catch (error) {
+                 // If DNS resolution fails, err on the side of caution
+                 return false;
+               }
+
+               return true;
+             } catch (error) {
+               return false;
+             }
+           }
+           ```
+
+      4. **Disable Dangerous URL Protocols:**
+         - Restrict allowed URL protocols to HTTP and HTTPS
+         - Block file://, ftp://, gopher://, etc.
+         - Example:
+           ```javascript
+           function hasAllowedProtocol(url) {
+             try {
+               const parsedUrl = new URL(url);
+               const allowedProtocols = ['http:', 'https:'];
+               return allowedProtocols.includes(parsedUrl.protocol);
+             } catch (error) {
+               return false;
+             }
+           }
+
+           // Usage
+           const targetUrl = req.body.documentUrl;
+           if (!hasAllowedProtocol(targetUrl)) {
+             logger.warn({
+               message: 'SSRF attempt blocked: disallowed protocol',
+               url: targetUrl,
+               protocol: new URL(targetUrl).protocol,
+               ip: req.ip
+             });
+             return res.status(403).json({ error: 'URL protocol not allowed' });
+           }
+           ```
+
+      5. **Implement Network-Level Protection:**
+         - Use firewall rules to block outbound requests to internal networks
+         - Configure proxy servers to restrict external requests
+         - Example:
+           ```javascript
+           // Using a proxy for outbound requests
+           const axios = require('axios');
+           const HttpsProxyAgent = require('https-proxy-agent');
+
+           // Configure proxy with appropriate controls
+           const httpsAgent = new HttpsProxyAgent({
+             host: 'proxy.example.com',
+             port: 3128,
+             // This proxy should be configured to block access to internal networks
+           });
+
+           // Make requests through the proxy
+           async function secureExternalRequest(url) {
+             try {
+               const response = await axios.get(url, {
+                 httpsAgent,
+                 timeout: 5000, // Set reasonable timeout
+                 maxRedirects: 2 // Limit redirects
+               });
+               return response.data;
+             } catch (error) {
+               logger.error({
+                 message: 'External request failed',
+                 url,
+                 error: error.message
+               });
+               throw new Error('Failed to fetch external resource');
+             }
+           }
+           ```
+
+      6. **Use Service-Specific Endpoints:**
+         - Instead of passing full URLs, use service identifiers
+         - Map identifiers to URLs on the server side
+         - Example:
+           ```javascript
+           // Client makes request with service identifier, not raw URL
+           app.get('/proxy-service/:serviceId', async (req, res) => {
+             const { serviceId } = req.params;
+
+             // Service mapping defined server-side
+             const serviceMap = {
+               'weather-api': 'https://api.weather.example.com/current',
+               'news-feed': 'https://api.news.example.com/feed',
+               'product-info': 'https://api.products.example.com/details'
+             };
+
+             // Check if service is defined
+             if (!serviceMap[serviceId]) {
+               return res.status(404).json({ error: 'Service not found' });
+             }
+
+             try {
+               // Make request to mapped URL (not user-controlled)
+               const response = await axios.get(serviceMap[serviceId]);
+               return res.json(response.data);
+             } catch (error) {
+               return res.status(500).json({ error: 'Service request failed' });
+             }
+           });
+           ```
+
+      7. **Implement Context-Specific Encodings:**
+         - Use context-appropriate encoding for URL parameters
+         - Don't rely solely on standard URL encoding
+         - Example:
+           ```javascript
+           function safeUrl(baseUrl, params) {
+             // Start with a verified base URL
+             const url = new URL(baseUrl);
+
+             // Add parameters safely
+             for (const [key, value] of Object.entries(params)) {
+               // Ensure values are strings and properly encoded
+               url.searchParams.append(key, String(value));
+             }
+
+             // Verify the final URL is still valid
+             if (!isAllowedDomain(url.toString())) {
+               throw new Error('URL creation resulted in disallowed domain');
+             }
+
+             return url.toString();
+           }
+
+           // Usage
+           try {
+             const apiUrl = safeUrl('https://api.example.com/data', {
+               id: userId,
+               format: 'json'
+             });
+             const response = await axios.get(apiUrl);
+             // Process response
+           } catch (error) {
+             // Handle error
+           }
+           ```
+
+      8. **Use Defense in Depth:**
+         - Combine multiple validation strategies
+         - Don't rely on a single protection measure
+         - Example:
+           ```javascript
+           async function secureExternalRequest(url, options = {}) {
+             // 1. Validate URL format
+             if (!isValidUrl(url)) {
+               throw new Error('Invalid URL format');
+             }
+
+             // 2. Check against allowlist
+             if (!isAllowedDomain(url)) {
+               throw new Error('Domain not in allowlist');
+             }
+
+             // 3. Verify not internal network
+             const parsedUrl = new URL(url);
+             if (await isInternalNetwork(parsedUrl.hostname)) {
+               throw new Error('Access to internal networks not allowed');
+             }
+
+             // 4. Validate protocol
+             if (!hasAllowedProtocol(url)) {
+               throw new Error('Protocol not allowed');
+             }
+
+             // 5. Set additional security headers and options
+             const secureOptions = {
+               ...options,
+               timeout: options.timeout || 5000,
+               maxRedirects: options.maxRedirects || 2,
+               headers: {
+                 ...options.headers,
+                 'User-Agent': 'SecureApp/1.0'
+               }
+             };
+
+             // 6. Make request with all validations passed
+             try {
+               return await axios(url, secureOptions);
+             } catch (error) {
+               logger.error({
+                 message: 'Secure external request failed',
+                 url,
+                 error: error.message
+               });
+               throw new Error('External request failed');
+             }
+           }
+           ```
+
+      9. **Validate and Sanitize Request Parameters:**
+         - Don't trust any user-supplied input for URL construction
+         - Validate all components used in URL building
+         - Example:
+           ```javascript
+           // API that fetches weather data for a city
+           app.get('/api/weather', async (req, res) => {
+             const { city } = req.query;
+
+             // 1. Validate parameter exists and is valid
+             if (!city || typeof city !== 'string' || city.length > 100) {
+               return res.status(400).json({ error: 'Invalid city parameter' });
+             }
+
+             // 2. Sanitize the parameter
+             const sanitizedCity = encodeURIComponent(city.trim());
+
+             // 3. Construct URL with validated parameter
+             const weatherApiUrl = `https://api.weather.example.com/current?city=${sanitizedCity}`;
+
+             // 4. Additional validation of the final URL
+             if (!isValidUrl(weatherApiUrl)) {
+               return res.status(400).json({ error: 'Invalid URL construction' });
+             }
+
+             try {
+               const response = await axios.get(weatherApiUrl);
+               return res.json(response.data);
+             } catch (error) {
+               logger.error({
+                 message: 'Weather API request failed',
+                 city,
+                 error: error.message
+               });
+               return res.status(500).json({ error: 'Failed to fetch weather data' });
+             }
+           });
+           ```
+
+      10. **Implement Request Timeouts:**
+          - Set appropriate timeouts for all HTTP requests
+          - Prevent long-running SSRF probes
+          - Example:
+            ```javascript
+            async function fetchWithTimeout(url, options = {}) {
+              // Default timeout of 5 seconds
+              const timeout = options.timeout || 5000;
+
+              // Create an abort controller to handle timeout
+              const controller = new AbortController();
+              const timeoutId = setTimeout(() => controller.abort(), timeout);
+
+              try {
+                const response = await fetch(url, {
+                  ...options,
+                  signal: controller.signal
+                });
+
+                clearTimeout(timeoutId);
+                return response;
+              } catch (error) {
+                clearTimeout(timeoutId);
+                if (error.name === 'AbortError') {
+                  throw new Error(`Request timed out after ${timeout}ms`);
+                }
+                throw error;
+              }
+            }
+
+            // Usage
+            try {
+              const response = await fetchWithTimeout('https://api.example.com/data', {
+                timeout: 3000, // 3 seconds timeout
+                headers: { 'Content-Type': 'application/json' }
+              });
+              const data = await response.json();
+              // Process data
+            } catch (error) {
+              console.error('Request failed:', error.message);
+            }
+            ```
+
+      11. **Rate Limit External Requests:**
+          - Implement rate limiting for outbound requests
+          - Prevent SSRF probing and DoS attacks
+          - Example:
+            ```javascript
+            const { RateLimiter } = require('limiter');
+
+            // Create a rate limiter: 100 requests per minute
+            const externalRequestLimiter = new RateLimiter({
+              tokensPerInterval: 100,
+              interval: 'minute'
             });
-            throw new Error(`External request failed: ${error.message}`);
-          }
-        }
-        
-        _isValidUrl(url) {
-          try {
-            const parsedUrl = new URL(url);
-            return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:';
-          } catch (error) {
-            return false;
-          }
-        }
-        
-        _isAllowedDomain(url) {
-          try {
-            const parsedUrl = new URL(url);
-            return this.allowedDomains.includes(parsedUrl.hostname);
-          } catch (error) {
-            return false;
-          }
-        }
-      }
-      
-      module.exports = ExternalRequestService;
-      
-      // Usage in application
-      const ExternalRequestService = require('./externalRequestService');
-      
-      const requestService = new ExternalRequestService({
-        allowedDomains: [
-          'api.example.com',
-          'cdn.example.com',
-          'partner.trusted-domain.com'
-        ],
-        logger: appLogger,
-        timeout: 3000
-      });
-      
-      app.get('/api/external-data', async (req, res) => {
-        try {
-          // Use the service for all external requests
-          const data = await requestService.request('https://api.example.com/data');
-          return res.json(data);
-        } catch (error) {
-          return res.status(500).json({ error: error.message });
-        }
-      });
-      ```
-
-14. **Monitor and Audit External Requests:**
-    - Log all external requests for audit purposes
-    - Implement anomaly detection
-    - Example:
-      ```javascript
-      // Middleware to log and monitor all external requests
-      function requestMonitoringMiddleware(req, res, next) {
-        // Only intercept routes that might make external requests
-        if (!req.path.startsWith('/api/proxy') && !req.path.startsWith('/api/external')) {
-          return next();
-        }
-        
-        // Store original fetch/http.request methods
-        const originalFetch = global.fetch;
-        const originalHttpRequest = require('http').request;
-        const originalHttpsRequest = require('https').request;
-        
-        // Override fetch
-        global.fetch = async function monitoredFetch(url, options) {
-          const requestId = uuid.v4();
-          const startTime = Date.now();
-          
-          logger.info({
-            message: 'External request initiated',
-            requestId,
-            url,
-            method: options?.method || 'GET',
-            userContext: {
-              userId: req.user?.id,
-              ip: req.ip,
-              userAgent: req.headers['user-agent']
-            },
-            timestamp: new Date().toISOString()
-          });
-          
-          try {
-            const response = await originalFetch(url, options);
-            
-            // Log successful request
-            logger.info({
-              message: 'External request completed',
-              requestId,
-              url,
-              statusCode: response.status,
-              duration: Date.now() - startTime,
-              timestamp: new Date().toISOString()
+
+            async function rateLimitedRequest(url, options = {}) {
+              // Check if we have tokens available
+              const remainingRequests = await externalRequestLimiter.removeTokens(1);
+
+              if (remainingRequests < 0) {
+                throw new Error('Rate limit exceeded for external requests');
+              }
+
+              // Proceed with the request
+              return axios(url, options);
+            }
+
+            // Usage
+            app.get('/api/external-data', async (req, res) => {
+              const { url } = req.query;
+
+              if (!isValidUrl(url) || !isAllowedDomain(url)) {
+                return res.status(403).json({ error: 'URL not allowed' });
+              }
+
+              try {
+                const response = await rateLimitedRequest(url);
+                return res.json(response.data);
+              } catch (error) {
+                if (error.message === 'Rate limit exceeded for external requests') {
+                  return res.status(429).json({ error: 'Too many requests' });
+                }
+                return res.status(500).json({ error: 'Failed to fetch data' });
+              }
             });
-            
-            return response;
-          } catch (error) {
-            // Log failed request
-            logger.error({
-              message: 'External request failed',
-              requestId,
-              url,
-              error: error.message,
-              duration: Date.now() - startTime,
-              timestamp: new Date().toISOString()
+            ```
+
+      12. **Use Web Application Firewalls (WAF):**
+          - Configure WAF rules to detect and block SSRF patterns
+          - Implement server-side firewall rules
+          - Example:
+            ```javascript
+            // Middleware to detect SSRF attack patterns
+            function ssrfProtectionMiddleware(req, res, next) {
+              const url = req.query.url || req.body.url;
+
+              if (!url) {
+                return next();
+              }
+
+              // Check for suspicious URL patterns
+              const ssrfPatterns = [
+                /file:\/\//i,
+                /^(ftps?|gopher|data|dict):\/\//i,
+                /^\/\/\//,
+                /(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/i,
+                /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)/
+              ];
+
+              if (ssrfPatterns.some(pattern => pattern.test(url))) {
+                logger.warn({
+                  message: 'Potential SSRF attack detected',
+                  url,
+                  ip: req.ip,
+                  path: req.path,
+                  method: req.method,
+                  userId: req.user?.id
+                });
+
+                return res.status(403).json({
+                  error: 'Access denied - suspicious URL detected'
+                });
+              }
+
+              next();
+            }
+
+            // Apply middleware to all routes
+            app.use(ssrfProtectionMiddleware);
+            ```
+
+      13. **Implement Centralized Request Services:**
+          - Create a dedicated service for external requests
+          - Implement all security controls in one place
+          - Example:
+            ```javascript
+            // externalRequestService.js
+            const axios = require('axios');
+
+            class ExternalRequestService {
+              constructor(options = {}) {
+                this.allowedDomains = options.allowedDomains || [];
+                this.maxRedirects = options.maxRedirects || 2;
+                this.timeout = options.timeout || 5000;
+                this.logger = options.logger || console;
+              }
+
+              async request(url, options = {}) {
+                // Validate URL
+                if (!this._isValidUrl(url)) {
+                  throw new Error('Invalid URL format');
+                }
+
+                // Check allowlist
+                if (!this._isAllowedDomain(url)) {
+                  throw new Error('Domain not in allowlist');
+                }
+
+                // Configure request options
+                const requestOptions = {
+                  ...options,
+                  timeout: options.timeout || this.timeout,
+                  maxRedirects: options.maxRedirects || this.maxRedirects,
+                  validateStatus: status => status >= 200 && status < 300
+                };
+
+                try {
+                  const response = await axios(url, requestOptions);
+                  return response.data;
+                } catch (error) {
+                  this.logger.error({
+                    message: 'External request failed',
+                    url,
+                    error: error.message
+                  });
+                  throw new Error(`External request failed: ${error.message}`);
+                }
+              }
+
+              _isValidUrl(url) {
+                try {
+                  const parsedUrl = new URL(url);
+                  return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:';
+                } catch (error) {
+                  return false;
+                }
+              }
+
+              _isAllowedDomain(url) {
+                try {
+                  const parsedUrl = new URL(url);
+                  return this.allowedDomains.includes(parsedUrl.hostname);
+                } catch (error) {
+                  return false;
+                }
+              }
+            }
+
+            module.exports = ExternalRequestService;
+
+            // Usage in application
+            const ExternalRequestService = require('./externalRequestService');
+
+            const requestService = new ExternalRequestService({
+              allowedDomains: [
+                'api.example.com',
+                'cdn.example.com',
+                'partner.trusted-domain.com'
+              ],
+              logger: appLogger,
+              timeout: 3000
             });
-            
-            throw error;
-          }
-        };
-        
-        // Similar overrides for http.request and https.request
-        // ...
-        
-        // Continue with the request
-        res.on('finish', () => {
-          // Restore original methods after request completes
-          global.fetch = originalFetch;
-          require('http').request = originalHttpRequest;
-          require('https').request = originalHttpsRequest;
-        });
-        
-        next();
-      }
-      
-      // Apply middleware
-      app.use(requestMonitoringMiddleware);
-      ```
-
-15. **Implement Output Validation:**
-    - Validate responses from external services
-    - Use schema validation for expected formats
-    - Example:
-      ```javascript
-      const Joi = require('joi');
-      
-      // Define expected schemas for external APIs
-      const apiSchemas = {
-        weatherApi: Joi.object({
-          location: Joi.string().required(),
-          temperature: Joi.number().required(),
-          conditions: Joi.string().required(),
-          forecast: Joi.array().items(Joi.object())
-        }),
-        
-        userApi: Joi.object({
-          id: Joi.string().required(),
-          name: Joi.string().required(),
-          email: Joi.string().email().required()
-        })
-      };
-      
-      async function validateExternalResponse(data, schemaName) {
-        const schema = apiSchemas[schemaName];
-        
-        if (!schema) {
-          throw new Error(`Schema not found: ${schemaName}`);
-        }
-        
-        try {
-          const result = await schema.validateAsync(data);
-          return result;
-        } catch (error) {
-          logger.error({
-            message: 'External API response validation failed',
-            schemaName,
-            error: error.message,
-            data: JSON.stringify(data).substring(0, 200) // Log partial data for debugging
-          });
-          
-          throw new Error(`Invalid response format from external API: ${error.message}`);
-        }
-      }
-      
-      // Usage
-      app.get('/api/weather/:city', async (req, res) => {
-        const { city } = req.params;
-        
-        try {
-          // Fetch data from external API
-          const apiUrl = `https://api.weather.example.com/current?city=${encodeURIComponent(city)}`;
-          const response = await axios.get(apiUrl);
-          
-          // Validate the response against the expected schema
-          const validatedData = await validateExternalResponse(response.data, 'weatherApi');
-          
-          // Return the validated data
-          return res.json(validatedData);
-        } catch (error) {
-          return res.status(500).json({ error: error.message });
-        }
-      });
-      ```
-
-## Validation
-
-- Using URL validation function with proper parsing.
-- Implementing domain allowlisting for outbound requests.
-- Checking for and blocking private IP addresses.
-- Restricting URL protocols to HTTP/HTTPS only.
-- Setting timeouts for outbound HTTP requests.
+
+            app.get('/api/external-data', async (req, res) => {
+              try {
+                // Use the service for all external requests
+                const data = await requestService.request('https://api.example.com/data');
+                return res.json(data);
+              } catch (error) {
+                return res.status(500).json({ error: error.message });
+              }
+            });
+            ```
+
+      14. **Monitor and Audit External Requests:**
+          - Log all external requests for audit purposes
+          - Implement anomaly detection
+          - Example:
+            ```javascript
+            // Middleware to log and monitor all external requests
+            function requestMonitoringMiddleware(req, res, next) {
+              // Only intercept routes that might make external requests
+              if (!req.path.startsWith('/api/proxy') && !req.path.startsWith('/api/external')) {
+                return next();
+              }
+
+              // Store original fetch/http.request methods
+              const originalFetch = global.fetch;
+              const originalHttpRequest = require('http').request;
+              const originalHttpsRequest = require('https').request;
+
+              // Override fetch
+              global.fetch = async function monitoredFetch(url, options) {
+                const requestId = uuid.v4();
+                const startTime = Date.now();
+
+                logger.info({
+                  message: 'External request initiated',
+                  requestId,
+                  url,
+                  method: options?.method || 'GET',
+                  userContext: {
+                    userId: req.user?.id,
+                    ip: req.ip,
+                    userAgent: req.headers['user-agent']
+                  },
+                  timestamp: new Date().toISOString()
+                });
+
+                try {
+                  const response = await originalFetch(url, options);
+
+                  // Log successful request
+                  logger.info({
+                    message: 'External request completed',
+                    requestId,
+                    url,
+                    statusCode: response.status,
+                    duration: Date.now() - startTime,
+                    timestamp: new Date().toISOString()
+                  });
+
+                  return response;
+                } catch (error) {
+                  // Log failed request
+                  logger.error({
+                    message: 'External request failed',
+                    requestId,
+                    url,
+                    error: error.message,
+                    duration: Date.now() - startTime,
+                    timestamp: new Date().toISOString()
+                  });
+
+                  throw error;
+                }
+              };
+
+              // Similar overrides for http.request and https.request
+              // ...
+
+              // Continue with the request
+              res.on('finish', () => {
+                // Restore original methods after request completes
+                global.fetch = originalFetch;
+                require('http').request = originalHttpRequest;
+                require('https').request = originalHttpsRequest;
+              });
+
+              next();
+            }
+
+            // Apply middleware
+            app.use(requestMonitoringMiddleware);
+            ```
+
+      15. **Implement Output Validation:**
+          - Validate responses from external services
+          - Use schema validation for expected formats
+          - Example:
+            ```javascript
+            const Joi = require('joi');
+
+            // Define expected schemas for external APIs
+            const apiSchemas = {
+              weatherApi: Joi.object({
+                location: Joi.string().required(),
+                temperature: Joi.number().required(),
+                conditions: Joi.string().required(),
+                forecast: Joi.array().items(Joi.object())
+              }),
+
+              userApi: Joi.object({
+                id: Joi.string().required(),
+                name: Joi.string().required(),
+                email: Joi.string().email().required()
+              })
+            };
+
+            async function validateExternalResponse(data, schemaName) {
+              const schema = apiSchemas[schemaName];
+
+              if (!schema) {
+                throw new Error(`Schema not found: ${schemaName}`);
+              }
+
+              try {
+                const result = await schema.validateAsync(data);
+                return result;
+              } catch (error) {
+                logger.error({
+                  message: 'External API response validation failed',
+                  schemaName,
+                  error: error.message,
+                  data: JSON.stringify(data).substring(0, 200) // Log partial data for debugging
+                });
+
+                throw new Error(`Invalid response format from external API: ${error.message}`);
+              }
+            }
+
+            // Usage
+            app.get('/api/weather/:city', async (req, res) => {
+              const { city } = req.params;
+
+              try {
+                // Fetch data from external API
+                const apiUrl = `https://api.weather.example.com/current?city=${encodeURIComponent(city)}`;
+                const response = await axios.get(apiUrl);
+
+                // Validate the response against the expected schema
+                const validatedData = await validateExternalResponse(response.data, 'weatherApi');
+
+                // Return the validated data
+                return res.json(validatedData);
+              } catch (error) {
+                return res.status(500).json({ error: error.message });
+              }
+            });
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: URL validation
+      - pattern: "function\\s+(?:isValidUrl|validateUrl|checkUrl)\\s*\\([^)]*\\)\\s*\\{[^}]*new URL\\([^)]*\\)"
+        message: "Using URL validation function with proper parsing."
+
+      # Check 2: Domain allowlisting
+      - pattern: "(?:allowlist|whitelist|allowed(?:Domain|Host))\\s*=\\s*\\["
+        message: "Implementing domain allowlisting for outbound requests."
+
+      # Check 3: Private IP filtering
+      - pattern: "(?:isPrivateIP|isInternalNetwork|blockInternalAddresses)"
+        message: "Checking for and blocking private IP addresses."
+
+      # Check 4: Protocol restriction
+      - pattern: "(?:allowedProtocols|validProtocols)\\s*=\\s*\\[\\s*['\"]https?:['\"]"
+        message: "Restricting URL protocols to HTTP/HTTPS only."
+
+      # Check 5: Request timeout implementation
+      - pattern: "timeout:\\s*\\d+"
+        message: "Setting timeouts for outbound HTTP requests."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - ssrf
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:ssrf
+    - standard:owasp-top10
+    - risk:a10-server-side-request-forgery
+  references:
+    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+    - "https://portswigger.net/web-security/ssrf"
+    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.md"
+    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Server-Side_Request_Forgery"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#ssrf-protection"
+```
+
+
diff --git a/.cursor/rules/javascript-software-data-integrity-failures.mdc b/.cursor/rules/javascript-software-data-integrity-failures.mdc
index 3d404c6..c593e77 100644
--- a/.cursor/rules/javascript-software-data-integrity-failures.mdc
+++ b/.cursor/rules/javascript-software-data-integrity-failures.mdc
@@ -4,561 +4,661 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Software and Data Integrity Failures (OWASP A08:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Insecure deserialization of user-controlled data detected. Validate and sanitize data before parsing JSON or using eval.
-- Script tag without Subresource Integrity (SRI) hash. Add integrity and crossorigin attributes for third-party scripts.
-- Package installation with integrity checks disabled. Always verify package integrity during installation.
-- Using potentially unsafe serialization/deserialization libraries. Ensure proper validation and sanitization of serialized data.
-- Missing dependency verification in package.json. Add npm/yarn audit to your scripts section.
-- Potentially insecure dynamic imports. Validate or restrict the modules that can be dynamically imported.
-- Potential prototype pollution vulnerability. Use Object.create(null) or sanitize objects before merging.
-- Missing security checks in CI/CD pipeline. Add dependency scanning, integrity verification, and signature validation.
-- Potentially insecure update mechanism. Implement integrity verification for all updates.
-- Insecure plugin loading mechanism. Implement integrity verification for all plugins.
-- Insecure data binding using eval or Function constructor. Use safer alternatives like JSON.parse or template literals.
-- Potential prototype pollution in object assignment. Use Object.create(null) as the target object or sanitize inputs.
-- Missing lock file for dependency management. Include package-lock.json or yarn.lock in version control.
-- Webpack configuration without integrity checks. Consider enabling SRI for generated assets.
-- npm/yarn configuration with potentially disabled security features. Ensure integrity checks are enabled.
-
-## Recommendations
-
-**JavaScript Software and Data Integrity Failures Best Practices:**
-
-1. **Secure Deserialization:**
-   - Validate and sanitize data before deserialization
-   - Use schema validation for JSON data
-   - Example:
-     ```javascript
-     import Ajv from 'ajv';
-     
-     // Define a schema for expected data
-     const schema = {
-       type: 'object',
-       properties: {
-         id: { type: 'integer' },
-         name: { type: 'string' },
-         role: { type: 'string', enum: ['user', 'admin'] }
-       },
-       required: ['id', 'name', 'role'],
-       additionalProperties: false
-     };
-     
-     // Validate data before parsing
-     function safelyParseJSON(data) {
-       try {
-         const parsed = JSON.parse(data);
-         const ajv = new Ajv();
-         const validate = ajv.compile(schema);
-         
-         if (validate(parsed)) {
-           return { valid: true, data: parsed };
-         } else {
-           return { valid: false, errors: validate.errors };
-         }
-       } catch (error) {
-         return { valid: false, errors: [error.message] };
-       }
-     }
-     ```
-
-2. **Subresource Integrity (SRI):**
-   - Add integrity hashes to external scripts and stylesheets
-   - Example:
-     ```html
-     <script 
-       src="https://cdn.example.com/library.js" 
-       integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
-       crossorigin="anonymous">
-     </script>
-     ```
-     
-     ```javascript
-     // Programmatically adding a script with SRI
-     function addScriptWithIntegrity(url, integrity) {
-       const script = document.createElement('script');
-       script.src = url;
-       script.integrity = integrity;
-       script.crossOrigin = 'anonymous';
-       document.head.appendChild(script);
-     }
-     ```
-
-3. **Dependency Verification:**
-   - Use npm/yarn audit regularly
-   - Implement lockfiles and version pinning
-   - Example:
-     ```json
-     // package.json
-     {
-       "scripts": {
-         "audit": "npm audit --production",
-         "preinstall": "npm audit",
-         "verify": "npm audit && npm outdated"
-       }
-     }
-     ```
-     
-     ```javascript
-     // Automated dependency verification in CI/CD
-     // .github/workflows/security.yml
-     // name: Security Checks
-     // on: [push, pull_request]
-     // jobs:
-     //   security:
-     //     runs-on: ubuntu-latest
-     //     steps:
-     //       - uses: actions/checkout@v3
-     //       - uses: actions/setup-node@v3
-     //         with:
-     //           node-version: '16'
-     //       - run: npm audit
-     ```
-
-4. **Secure Object Handling:**
-   - Prevent prototype pollution
-   - Use Object.create(null) for empty objects
-   - Example:
-     ```javascript
-     // Prevent prototype pollution
-     function safeObjectMerge(target, source) {
-       // Start with a null prototype object
-       const result = Object.create(null);
-       
-       // Copy properties from target
-       for (const key in target) {
-         if (Object.prototype.hasOwnProperty.call(target, key) && 
-             key !== '__proto__' && 
-             key !== 'constructor' && 
-             key !== 'prototype') {
-           result[key] = target[key];
-         }
-       }
-       
-       // Copy properties from source
-       for (const key in source) {
-         if (Object.prototype.hasOwnProperty.call(source, key) && 
-             key !== '__proto__' && 
-             key !== 'constructor' && 
-             key !== 'prototype') {
-           result[key] = source[key];
-         }
-       }
-       
-       return result;
-     }
-     ```
-
-5. **Secure Dynamic Imports:**
-   - Validate module paths before importing
-   - Use allowlists for dynamic imports
-   - Example:
-     ```javascript
-     // Allowlist-based dynamic imports
-     const ALLOWED_MODULES = [
-       './components/header',
-       './components/footer',
-       './components/sidebar'
-     ];
-     
-     async function safeImport(modulePath) {
-       if (!ALLOWED_MODULES.includes(modulePath)) {
-         throw new Error(`Module ${modulePath} is not in the allowlist`);
-       }
-       
-       try {
-         return await import(modulePath);
-       } catch (error) {
-         console.error(`Failed to import ${modulePath}:`, error);
-         throw error;
-       }
-     }
-     ```
-
-6. **CI/CD Pipeline Security:**
-   - Implement integrity checks in build pipelines
-   - Verify dependencies and artifacts
-   - Example:
-     ```yaml
-     # .github/workflows/build.yml
-     name: Build and Verify
-     on: [push, pull_request]
-     jobs:
-       build:
-         runs-on: ubuntu-latest
-         steps:
-           - uses: actions/checkout@v3
-           - uses: actions/setup-node@v3
-             with:
-               node-version: '16'
-           - name: Install dependencies
-             run: npm ci
-           - name: Security audit
-             run: npm audit
-           - name: Build
-             run: npm run build
-           - name: Generate integrity hashes
-             run: |
-               cd dist
-               find . -type f -name "*.js" -exec sh -c 'echo "{}" $(sha384sum "{}" | cut -d " " -f 1)' \; > integrity.txt
-           - name: Upload artifacts with integrity manifest
-             uses: actions/upload-artifact@v3
-             with:
-               name: build-artifacts
-               path: |
-                 dist
-                 dist/integrity.txt
-     ```
-
-7. **Secure Update Mechanisms:**
-   - Verify integrity of updates before applying
-   - Use digital signatures when possible
-   - Example:
-     ```javascript
-     import crypto from 'crypto';
-     import fs from 'fs';
-     
-     async function verifyUpdate(updateFile, signatureFile, publicKeyFile) {
-       try {
-         const updateData = fs.readFileSync(updateFile);
-         const signature = fs.readFileSync(signatureFile);
-         const publicKey = fs.readFileSync(publicKeyFile);
-         
-         const verify = crypto.createVerify('SHA256');
-         verify.update(updateData);
-         
-         const isValid = verify.verify(publicKey, signature);
-         
-         if (!isValid) {
-           throw new Error('Update signature verification failed');
-         }
-         
-         return { valid: true, data: updateData };
-       } catch (error) {
-         console.error('Update verification failed:', error);
-         return { valid: false, error: error.message };
-       }
-     }
-     ```
-
-8. **Plugin/Extension Security:**
-   - Implement allowlists for plugins
-   - Verify plugin integrity before loading
-   - Example:
-     ```javascript
-     class PluginManager {
-       constructor() {
-         this.plugins = new Map();
-         this.allowedPlugins = new Set(['logger', 'analytics', 'theme']);
-       }
-       
-       async registerPlugin(name, pluginPath, expectedHash) {
-         if (!this.allowedPlugins.has(name)) {
-           throw new Error(`Plugin ${name} is not in the allowlist`);
-         }
-         
-         // Verify plugin integrity
-         const pluginCode = await fetch(pluginPath).then(r => r.text());
-         const hash = crypto.createHash('sha256').update(pluginCode).digest('hex');
-         
-         if (hash !== expectedHash) {
-           throw new Error(`Plugin integrity check failed for ${name}`);
-         }
-         
-         // Safe loading using Function constructor instead of eval
-         // Still has security implications but better than direct eval
-         const sandboxedPlugin = new Function('exports', 'require', pluginCode);
-         const exports = {};
-         const safeRequire = (module) => {
-           // Implement a restricted require function
-           const allowedModules = ['lodash', 'dayjs'];
-           if (!allowedModules.includes(module)) {
-             throw new Error(`Module ${module} is not allowed in plugins`);
+```yaml
+name: javascript_software_data_integrity_failures
+description: Detect and prevent software and data integrity failures in JavaScript applications as defined in OWASP Top 10:2021-A08
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Insecure Deserialization
+      - pattern: "(?:JSON\\.parse|eval)\\s*\\((?:[^)]|\\n)*(?:localStorage|sessionStorage|document\\.cookie|location|window\\.name|fetch|axios|\\$\\.(?:get|post)|XMLHttpRequest)"
+        message: "Insecure deserialization of user-controlled data detected. Validate and sanitize data before parsing JSON or using eval."
+
+      # Pattern 2: Missing Subresource Integrity
+      - pattern: "<script\\s+src=['\"][^'\"]+['\"]\\s*>"
+        negative_pattern: "integrity=['\"]sha(?:256|384|512)-[a-zA-Z0-9+/=]+"
+        message: "Script tag without Subresource Integrity (SRI) hash. Add integrity and crossorigin attributes for third-party scripts."
+
+      # Pattern 3: Insecure Package Installation
+      - pattern: "(?:npm|yarn)\\s+(?:install|add)\\s+(?:[\\w@\\-\\.\\/:]+\\s+)*--no-(?:verify|integrity|signature)"
+        message: "Package installation with integrity checks disabled. Always verify package integrity during installation."
+
+      # Pattern 4: Insecure Object Deserialization
+      - pattern: "(?:require|import)\\s+['\"](?:serialize-javascript|node-serialize|serialize|unserialize|deserialize)['\"]"
+        message: "Using potentially unsafe serialization/deserialization libraries. Ensure proper validation and sanitization of serialized data."
+
+      # Pattern 5: Missing Dependency Verification
+      - pattern: "package\\.json"
+        negative_pattern: "\"(?:scripts|devDependencies)\":\\s*{[^}]*\"(?:audit|verify|check)\":\\s*\"(?:npm|yarn)\\s+audit"
+        file_pattern: "package\\.json$"
+        message: "Missing dependency verification in package.json. Add npm/yarn audit to your scripts section."
+
+      # Pattern 6: Insecure Dynamic Imports
+      - pattern: "(?:import|require)\\s*\\(\\s*(?:variable|[a-zA-Z_$][a-zA-Z0-9_$]*|`[^`]*`|'[^']*'|\"[^\"]*\")\\s*\\)"
+        negative_pattern: "(?:allowlist|whitelist|validate)"
+        message: "Potentially insecure dynamic imports. Validate or restrict the modules that can be dynamically imported."
+
+      # Pattern 7: Prototype Pollution
+      - pattern: "Object\\.assign\\(\\s*(?:[^,]+)\\s*,\\s*(?:JSON\\.parse|req\\.body|req\\.query|req\\.params|formData\\.get)"
+        message: "Potential prototype pollution vulnerability. Use Object.create(null) or sanitize objects before merging."
+
+      # Pattern 8: Missing CI/CD Pipeline Integrity Checks
+      - pattern: "(?:\\.github\\/workflows\\/|\\.gitlab-ci\\.yml|azure-pipelines\\.yml|Jenkinsfile)"
+        negative_pattern: "(?:npm\\s+audit|yarn\\s+audit|checksum|integrity|verify|signature)"
+        file_pattern: "(?:\\.github\\/workflows\\/.*\\.ya?ml|\\.gitlab-ci\\.yml|azure-pipelines\\.yml|Jenkinsfile)$"
+        message: "Missing security checks in CI/CD pipeline. Add dependency scanning, integrity verification, and signature validation."
+
+      # Pattern 9: Insecure Update Mechanism
+      - pattern: "(?:update|upgrade|install)\\s*\\([^)]*\\)\\s*\\{[^}]*?\\}"
+        negative_pattern: "(?:verify|checksum|hash|signature|integrity)"
+        message: "Potentially insecure update mechanism. Implement integrity verification for all updates."
+
+      # Pattern 10: Insecure Plugin Loading
+      - pattern: "(?:plugin|addon|extension)\\.(?:load|register|install|add)\\s*\\([^)]*\\)"
+        negative_pattern: "(?:verify|validate|checksum|hash|signature|integrity)"
+        message: "Insecure plugin loading mechanism. Implement integrity verification for all plugins."
+
+      # Pattern 11: Insecure Data Binding
+      - pattern: "(?:eval|new\\s+Function|setTimeout|setInterval)\\s*\\(\\s*(?:[^,)]+\\.(?:value|innerHTML|innerText|textContent)|[^,)]+\\[[^\\]]+\\])"
+        message: "Insecure data binding using eval or Function constructor. Use safer alternatives like JSON.parse or template literals."
+
+      # Pattern 12: Insecure Object Property Assignment
+      - pattern: "(?:Object\\.assign|\\{\\s*\\.\\.\\.)"
+        negative_pattern: "Object\\.create\\(null\\)"
+        message: "Potential prototype pollution in object assignment. Use Object.create(null) as the target object or sanitize inputs."
+
+      # Pattern 13: Missing Lock File
+      - pattern: "package\\.json"
+        negative_pattern: "package-lock\\.json|yarn\\.lock"
+        file_pattern: "package\\.json$"
+        message: "Missing lock file for dependency management. Include package-lock.json or yarn.lock in version control."
+
+      # Pattern 14: Insecure Webpack Configuration
+      - pattern: "webpack\\.config\\.js"
+        negative_pattern: "(?:integrity|sri|subresource|hash|checksum)"
+        file_pattern: "webpack\\.config\\.js$"
+        message: "Webpack configuration without integrity checks. Consider enabling SRI for generated assets."
+
+      # Pattern 15: Insecure npm/yarn Configuration
+      - pattern: "\\.npmrc|\\.yarnrc"
+        negative_pattern: "(?:verify-store|integrity|signature)"
+        file_pattern: "(?:\\.npmrc|\\.yarnrc)$"
+        message: "npm/yarn configuration with potentially disabled security features. Ensure integrity checks are enabled."
+
+  - type: suggest
+    message: |
+      **JavaScript Software and Data Integrity Failures Best Practices:**
+
+      1. **Secure Deserialization:**
+         - Validate and sanitize data before deserialization
+         - Use schema validation for JSON data
+         - Example:
+           ```javascript
+           import Ajv from 'ajv';
+
+           // Define a schema for expected data
+           const schema = {
+             type: 'object',
+             properties: {
+               id: { type: 'integer' },
+               name: { type: 'string' },
+               role: { type: 'string', enum: ['user', 'admin'] }
+             },
+             required: ['id', 'name', 'role'],
+             additionalProperties: false
+           };
+
+           // Validate data before parsing
+           function safelyParseJSON(data) {
+             try {
+               const parsed = JSON.parse(data);
+               const ajv = new Ajv();
+               const validate = ajv.compile(schema);
+
+               if (validate(parsed)) {
+                 return { valid: true, data: parsed };
+               } else {
+                 return { valid: false, errors: validate.errors };
+               }
+             } catch (error) {
+               return { valid: false, errors: [error.message] };
+             }
            }
-           return require(module);
-         };
-         
-         sandboxedPlugin(exports, safeRequire);
-         this.plugins.set(name, exports);
-         return exports;
-       }
-     }
-     ```
-
-9. **Secure Data Binding:**
-   - Avoid eval() and new Function()
-   - Use template literals or frameworks with safe binding
-   - Example:
-     ```javascript
-     // Unsafe:
-     // function updateElement(id, data) {
-     //   const element = document.getElementById(id);
-     //   element.innerHTML = eval('`' + template + '`'); // DANGEROUS!
-     // }
-     
-     // Safe alternative:
-     function updateElement(id, data) {
-       const element = document.getElementById(id);
-       
-       // Use a template literal with explicit interpolation
-       const template = `<div class="user-card">
-         <h2>${escapeHTML(data.name)}</h2>
-         <p>${escapeHTML(data.bio)}</p>
-       </div>`;
-       
-       element.innerHTML = template;
-     }
-     
-     function escapeHTML(str) {
-       return str
-         .replace(/&/g, '&amp;')
-         .replace(/</g, '&lt;')
-         .replace(/>/g, '&gt;')
-         .replace(/"/g, '&quot;')
-         .replace(/'/g, '&#039;');
-     }
-     ```
-
-10. **Secure Configuration Management:**
-    - Validate configurations before use
-    - Use schema validation for config files
-    - Example:
-      ```javascript
-      import Ajv from 'ajv';
-      import fs from 'fs';
-      
-      function loadAndValidateConfig(configPath) {
-        // Define schema for configuration
-        const configSchema = {
-          type: 'object',
-          properties: {
-            server: {
-              type: 'object',
-              properties: {
-                port: { type: 'integer', minimum: 1024, maximum: 65535 },
-                host: { type: 'string', format: 'hostname' }
-              },
-              required: ['port', 'host']
-            },
-            database: {
-              type: 'object',
-              properties: {
-                url: { type: 'string' },
-                maxConnections: { type: 'integer', minimum: 1 }
-              },
-              required: ['url']
+           ```
+
+      2. **Subresource Integrity (SRI):**
+         - Add integrity hashes to external scripts and stylesheets
+         - Example:
+           ```html
+           <script
+             src="https://cdn.example.com/library.js"
+             integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
+             crossorigin="anonymous">
+           </script>
+           ```
+
+           ```javascript
+           // Programmatically adding a script with SRI
+           function addScriptWithIntegrity(url, integrity) {
+             const script = document.createElement('script');
+             script.src = url;
+             script.integrity = integrity;
+             script.crossOrigin = 'anonymous';
+             document.head.appendChild(script);
+           }
+           ```
+
+      3. **Dependency Verification:**
+         - Use npm/yarn audit regularly
+         - Implement lockfiles and version pinning
+         - Example:
+           ```json
+           // package.json
+           {
+             "scripts": {
+               "audit": "npm audit --production",
+               "preinstall": "npm audit",
+               "verify": "npm audit && npm outdated"
+             }
+           }
+           ```
+
+           ```javascript
+           // Automated dependency verification in CI/CD
+           // .github/workflows/security.yml
+           // name: Security Checks
+           // on: [push, pull_request]
+           // jobs:
+           //   security:
+           //     runs-on: ubuntu-latest
+           //     steps:
+           //       - uses: actions/checkout@v3
+           //       - uses: actions/setup-node@v3
+           //         with:
+           //           node-version: '16'
+           //       - run: npm audit
+           ```
+
+      4. **Secure Object Handling:**
+         - Prevent prototype pollution
+         - Use Object.create(null) for empty objects
+         - Example:
+           ```javascript
+           // Prevent prototype pollution
+           function safeObjectMerge(target, source) {
+             // Start with a null prototype object
+             const result = Object.create(null);
+
+             // Copy properties from target
+             for (const key in target) {
+               if (Object.prototype.hasOwnProperty.call(target, key) &&
+                   key !== '__proto__' &&
+                   key !== 'constructor' &&
+                   key !== 'prototype') {
+                 result[key] = target[key];
+               }
+             }
+
+             // Copy properties from source
+             for (const key in source) {
+               if (Object.prototype.hasOwnProperty.call(source, key) &&
+                   key !== '__proto__' &&
+                   key !== 'constructor' &&
+                   key !== 'prototype') {
+                 result[key] = source[key];
+               }
+             }
+
+             return result;
+           }
+           ```
+
+      5. **Secure Dynamic Imports:**
+         - Validate module paths before importing
+         - Use allowlists for dynamic imports
+         - Example:
+           ```javascript
+           // Allowlist-based dynamic imports
+           const ALLOWED_MODULES = [
+             './components/header',
+             './components/footer',
+             './components/sidebar'
+           ];
+
+           async function safeImport(modulePath) {
+             if (!ALLOWED_MODULES.includes(modulePath)) {
+               throw new Error(`Module ${modulePath} is not in the allowlist`);
+             }
+
+             try {
+               return await import(modulePath);
+             } catch (error) {
+               console.error(`Failed to import ${modulePath}:`, error);
+               throw error;
+             }
+           }
+           ```
+
+      6. **CI/CD Pipeline Security:**
+         - Implement integrity checks in build pipelines
+         - Verify dependencies and artifacts
+         - Example:
+           ```yaml
+           # .github/workflows/build.yml
+           name: Build and Verify
+           on: [push, pull_request]
+           jobs:
+             build:
+               runs-on: ubuntu-latest
+               steps:
+                 - uses: actions/checkout@v3
+                 - uses: actions/setup-node@v3
+                   with:
+                     node-version: '16'
+                 - name: Install dependencies
+                   run: npm ci
+                 - name: Security audit
+                   run: npm audit
+                 - name: Build
+                   run: npm run build
+                 - name: Generate integrity hashes
+                   run: |
+                     cd dist
+                     find . -type f -name "*.js" -exec sh -c 'echo "{}" $(sha384sum "{}" | cut -d " " -f 1)' \; > integrity.txt
+                 - name: Upload artifacts with integrity manifest
+                   uses: actions/upload-artifact@v3
+                   with:
+                     name: build-artifacts
+                     path: |
+                       dist
+                       dist/integrity.txt
+           ```
+
+      7. **Secure Update Mechanisms:**
+         - Verify integrity of updates before applying
+         - Use digital signatures when possible
+         - Example:
+           ```javascript
+           import crypto from 'crypto';
+           import fs from 'fs';
+
+           async function verifyUpdate(updateFile, signatureFile, publicKeyFile) {
+             try {
+               const updateData = fs.readFileSync(updateFile);
+               const signature = fs.readFileSync(signatureFile);
+               const publicKey = fs.readFileSync(publicKeyFile);
+
+               const verify = crypto.createVerify('SHA256');
+               verify.update(updateData);
+
+               const isValid = verify.verify(publicKey, signature);
+
+               if (!isValid) {
+                 throw new Error('Update signature verification failed');
+               }
+
+               return { valid: true, data: updateData };
+             } catch (error) {
+               console.error('Update verification failed:', error);
+               return { valid: false, error: error.message };
+             }
+           }
+           ```
+
+      8. **Plugin/Extension Security:**
+         - Implement allowlists for plugins
+         - Verify plugin integrity before loading
+         - Example:
+           ```javascript
+           class PluginManager {
+             constructor() {
+               this.plugins = new Map();
+               this.allowedPlugins = new Set(['logger', 'analytics', 'theme']);
+             }
+
+             async registerPlugin(name, pluginPath, expectedHash) {
+               if (!this.allowedPlugins.has(name)) {
+                 throw new Error(`Plugin ${name} is not in the allowlist`);
+               }
+
+               // Verify plugin integrity
+               const pluginCode = await fetch(pluginPath).then(r => r.text());
+               const hash = crypto.createHash('sha256').update(pluginCode).digest('hex');
+
+               if (hash !== expectedHash) {
+                 throw new Error(`Plugin integrity check failed for ${name}`);
+               }
+
+               // Safe loading using Function constructor instead of eval
+               // Still has security implications but better than direct eval
+               const sandboxedPlugin = new Function('exports', 'require', pluginCode);
+               const exports = {};
+               const safeRequire = (module) => {
+                 // Implement a restricted require function
+                 const allowedModules = ['lodash', 'dayjs'];
+                 if (!allowedModules.includes(module)) {
+                   throw new Error(`Module ${module} is not allowed in plugins`);
+                 }
+                 return require(module);
+               };
+
+               sandboxedPlugin(exports, safeRequire);
+               this.plugins.set(name, exports);
+               return exports;
+             }
+           }
+           ```
+
+      9. **Secure Data Binding:**
+         - Avoid eval() and new Function()
+         - Use template literals or frameworks with safe binding
+         - Example:
+           ```javascript
+           // Unsafe:
+           // function updateElement(id, data) {
+           //   const element = document.getElementById(id);
+           //   element.innerHTML = eval('`' + template + '`'); // DANGEROUS!
+           // }
+
+           // Safe alternative:
+           function updateElement(id, data) {
+             const element = document.getElementById(id);
+
+             // Use a template literal with explicit interpolation
+             const template = `<div class="user-card">
+               <h2>${escapeHTML(data.name)}</h2>
+               <p>${escapeHTML(data.bio)}</p>
+             </div>`;
+
+             element.innerHTML = template;
+           }
+
+           function escapeHTML(str) {
+             return str
+               .replace(/&/g, '&amp;')
+               .replace(/</g, '&lt;')
+               .replace(/>/g, '&gt;')
+               .replace(/"/g, '&quot;')
+               .replace(/'/g, '&#039;');
+           }
+           ```
+
+      10. **Secure Configuration Management:**
+          - Validate configurations before use
+          - Use schema validation for config files
+          - Example:
+            ```javascript
+            import Ajv from 'ajv';
+            import fs from 'fs';
+
+            function loadAndValidateConfig(configPath) {
+              // Define schema for configuration
+              const configSchema = {
+                type: 'object',
+                properties: {
+                  server: {
+                    type: 'object',
+                    properties: {
+                      port: { type: 'integer', minimum: 1024, maximum: 65535 },
+                      host: { type: 'string', format: 'hostname' }
+                    },
+                    required: ['port', 'host']
+                  },
+                  database: {
+                    type: 'object',
+                    properties: {
+                      url: { type: 'string' },
+                      maxConnections: { type: 'integer', minimum: 1 }
+                    },
+                    required: ['url']
+                  }
+                },
+                required: ['server', 'database'],
+                additionalProperties: false
+              };
+
+              try {
+                const configData = fs.readFileSync(configPath, 'utf8');
+                const config = JSON.parse(configData);
+
+                const ajv = new Ajv({ allErrors: true });
+                const validate = ajv.compile(configSchema);
+
+                if (validate(config)) {
+                  return { valid: true, config };
+                } else {
+                  return { valid: false, errors: validate.errors };
+                }
+              } catch (error) {
+                return { valid: false, errors: [error.message] };
+              }
             }
-          },
-          required: ['server', 'database'],
-          additionalProperties: false
-        };
-        
-        try {
-          const configData = fs.readFileSync(configPath, 'utf8');
-          const config = JSON.parse(configData);
-          
-          const ajv = new Ajv({ allErrors: true });
-          const validate = ajv.compile(configSchema);
-          
-          if (validate(config)) {
-            return { valid: true, config };
-          } else {
-            return { valid: false, errors: validate.errors };
-          }
-        } catch (error) {
-          return { valid: false, errors: [error.message] };
-        }
-      }
-      ```
-
-11. **Secure Webpack Configuration:**
-    - Enable SRI in webpack
-    - Use content hashing for cache busting
-    - Example:
-      ```javascript
-      // webpack.config.js
-      const SubresourceIntegrityPlugin = require('webpack-subresource-integrity');
-      
-      module.exports = {
-        output: {
-          filename: '[name].[contenthash].js',
-          crossOriginLoading: 'anonymous' // Required for SRI
-        },
-        plugins: [
-          new SubresourceIntegrityPlugin({
-            hashFuncNames: ['sha384'],
-            enabled: process.env.NODE_ENV === 'production'
-          })
-        ]
-      };
-      ```
-
-12. **Secure npm/yarn Configuration:**
-    - Enable integrity checks
-    - Use lockfiles and exact versions
-    - Example:
-      ```
-      # .npmrc
-      audit=true
-      audit-level=moderate
-      save-exact=true
-      verify-store=true
-      
-      # .yarnrc.yml
-      enableStrictSsl: true
-      enableImmutableInstalls: true
-      checksumBehavior: "throw"
-      ```
-
-13. **Secure JSON Parsing:**
-    - Use reviver functions with JSON.parse
-    - Example:
-      ```javascript
-      function parseUserData(data) {
-        return JSON.parse(data, (key, value) => {
-          // Sanitize specific fields
-          if (key === 'role' && !['user', 'admin', 'editor'].includes(value)) {
-            return 'user'; // Default to safe value
-          }
-          
-          // Prevent Date objects from being reconstructed from strings
-          if (typeof value === 'string' && 
-              /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/.test(value)) {
-            // Return as string, not Date object
-            return value;
-          }
-          
-          return value;
-        });
-      }
-      ```
-
-14. **Content Security Policy (CSP):**
-    - Implement strict CSP headers
-    - Use nonce-based CSP for inline scripts
-    - Example:
-      ```javascript
-      // Express.js example
-      import crypto from 'crypto';
-      import helmet from 'helmet';
-      
-      app.use((req, res, next) => {
-        // Generate a new nonce for each request
-        res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-        next();
-      });
-      
-      app.use(helmet.contentSecurityPolicy({
-        directives: {
-          defaultSrc: ["'self'"],
-          scriptSrc: [
-            "'self'",
-            (req, res) => `'nonce-${res.locals.cspNonce}'`,
-            'https://cdn.jsdelivr.net'
-          ],
-          styleSrc: ["'self'", 'https://cdn.jsdelivr.net'],
-          // Add other directives as needed
-        }
-      }));
-      
-      // In your template engine, use the nonce:
-      // <script nonce="<%= cspNonce %>">
-      //   // Inline JavaScript
-      // </script>
-      ```
-
-15. **Secure Local Storage:**
-    - Validate data before storing and after retrieving
-    - Consider encryption for sensitive data
-    - Example:
-      ```javascript
-      // Simple encryption/decryption for localStorage
-      // Note: This is still client-side and not fully secure
-      class SecureStorage {
-        constructor(secret) {
-          this.secret = secret;
-        }
-        
-        // Set item with validation and encryption
-        setItem(key, value, schema) {
-          // Validate with schema if provided
-          if (schema) {
-            const ajv = new Ajv();
-            const validate = ajv.compile(schema);
-            if (!validate(value)) {
-              throw new Error(`Invalid data for ${key}: ${ajv.errorsText(validate.errors)}`);
+            ```
+
+      11. **Secure Webpack Configuration:**
+          - Enable SRI in webpack
+          - Use content hashing for cache busting
+          - Example:
+            ```javascript
+            // webpack.config.js
+            const SubresourceIntegrityPlugin = require('webpack-subresource-integrity');
+
+            module.exports = {
+              output: {
+                filename: '[name].[contenthash].js',
+                crossOriginLoading: 'anonymous' // Required for SRI
+              },
+              plugins: [
+                new SubresourceIntegrityPlugin({
+                  hashFuncNames: ['sha384'],
+                  enabled: process.env.NODE_ENV === 'production'
+                })
+              ]
+            };
+            ```
+
+      12. **Secure npm/yarn Configuration:**
+          - Enable integrity checks
+          - Use lockfiles and exact versions
+          - Example:
+            ```
+            # .npmrc
+            audit=true
+            audit-level=moderate
+            save-exact=true
+            verify-store=true
+
+            # .yarnrc.yml
+            enableStrictSsl: true
+            enableImmutableInstalls: true
+            checksumBehavior: "throw"
+            ```
+
+      13. **Secure JSON Parsing:**
+          - Use reviver functions with JSON.parse
+          - Example:
+            ```javascript
+            function parseUserData(data) {
+              return JSON.parse(data, (key, value) => {
+                // Sanitize specific fields
+                if (key === 'role' && !['user', 'admin', 'editor'].includes(value)) {
+                  return 'user'; // Default to safe value
+                }
+
+                // Prevent Date objects from being reconstructed from strings
+                if (typeof value === 'string' &&
+                    /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z$/.test(value)) {
+                  // Return as string, not Date object
+                  return value;
+                }
+
+                return value;
+              });
             }
-          }
-          
-          // Simple encryption (not for truly sensitive data)
-          const valueStr = JSON.stringify(value);
-          const encrypted = this.encrypt(valueStr);
-          localStorage.setItem(key, encrypted);
-        }
-        
-        // Get item with decryption and validation
-        getItem(key, schema) {
-          const encrypted = localStorage.getItem(key);
-          if (!encrypted) return null;
-          
-          try {
-            const decrypted = this.decrypt(encrypted);
-            const value = JSON.parse(decrypted);
-            
-            // Validate with schema if provided
-            if (schema) {
-              const ajv = new Ajv();
-              const validate = ajv.compile(schema);
-              if (!validate(value)) {
-                console.error(`Retrieved invalid data for ${key}`);
-                return null;
+            ```
+
+      14. **Content Security Policy (CSP):**
+          - Implement strict CSP headers
+          - Use nonce-based CSP for inline scripts
+          - Example:
+            ```javascript
+            // Express.js example
+            import crypto from 'crypto';
+            import helmet from 'helmet';
+
+            app.use((req, res, next) => {
+              // Generate a new nonce for each request
+              res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
+              next();
+            });
+
+            app.use(helmet.contentSecurityPolicy({
+              directives: {
+                defaultSrc: ["'self'"],
+                scriptSrc: [
+                  "'self'",
+                  (req, res) => `'nonce-${res.locals.cspNonce}'`,
+                  'https://cdn.jsdelivr.net'
+                ],
+                styleSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+                // Add other directives as needed
+              }
+            }));
+
+            // In your template engine, use the nonce:
+            // <script nonce="<%= cspNonce %>">
+            //   // Inline JavaScript
+            // </script>
+            ```
+
+      15. **Secure Local Storage:**
+          - Validate data before storing and after retrieving
+          - Consider encryption for sensitive data
+          - Example:
+            ```javascript
+            // Simple encryption/decryption for localStorage
+            // Note: This is still client-side and not fully secure
+            class SecureStorage {
+              constructor(secret) {
+                this.secret = secret;
+              }
+
+              // Set item with validation and encryption
+              setItem(key, value, schema) {
+                // Validate with schema if provided
+                if (schema) {
+                  const ajv = new Ajv();
+                  const validate = ajv.compile(schema);
+                  if (!validate(value)) {
+                    throw new Error(`Invalid data for ${key}: ${ajv.errorsText(validate.errors)}`);
+                  }
+                }
+
+                // Simple encryption (not for truly sensitive data)
+                const valueStr = JSON.stringify(value);
+                const encrypted = this.encrypt(valueStr);
+                localStorage.setItem(key, encrypted);
+              }
+
+              // Get item with decryption and validation
+              getItem(key, schema) {
+                const encrypted = localStorage.getItem(key);
+                if (!encrypted) return null;
+
+                try {
+                  const decrypted = this.decrypt(encrypted);
+                  const value = JSON.parse(decrypted);
+
+                  // Validate with schema if provided
+                  if (schema) {
+                    const ajv = new Ajv();
+                    const validate = ajv.compile(schema);
+                    if (!validate(value)) {
+                      console.error(`Retrieved invalid data for ${key}`);
+                      return null;
+                    }
+                  }
+
+                  return value;
+                } catch (error) {
+                  console.error(`Failed to retrieve ${key}:`, error);
+                  return null;
+                }
+              }
+
+              // Simple XOR encryption (not for production use with sensitive data)
+              encrypt(text) {
+                let result = '';
+                for (let i = 0; i < text.length; i++) {
+                  result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
+                }
+                return btoa(result);
+              }
+
+              decrypt(encoded) {
+                const text = atob(encoded);
+                let result = '';
+                for (let i = 0; i < text.length; i++) {
+                  result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
+                }
+                return result;
               }
             }
-            
-            return value;
-          } catch (error) {
-            console.error(`Failed to retrieve ${key}:`, error);
-            return null;
-          }
-        }
-        
-        // Simple XOR encryption (not for production use with sensitive data)
-        encrypt(text) {
-          let result = '';
-          for (let i = 0; i < text.length; i++) {
-            result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
-          }
-          return btoa(result);
-        }
-        
-        decrypt(encoded) {
-          const text = atob(encoded);
-          let result = '';
-          for (let i = 0; i < text.length; i++) {
-            result += String.fromCharCode(text.charCodeAt(i) ^ this.secret.charCodeAt(i % this.secret.length));
-          }
-          return result;
-        }
-      }
-      ```
-
-## Validation
-
-- Using Subresource Integrity (SRI) for external scripts.
-- Implementing dependency verification in package.json scripts.
-- Using lock files for dependency management.
-- Using Object.create(null) to prevent prototype pollution.
-- Implementing schema validation for data integrity.
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Subresource Integrity
+      - pattern: "<script\\s+[^>]*?integrity=['\"]sha(?:256|384|512)-[a-zA-Z0-9+/=]+['\"][^>]*?>"
+        message: "Using Subresource Integrity (SRI) for external scripts."
+
+      # Check 2: Dependency Verification
+      - pattern: "\"scripts\":\\s*{[^}]*\"(?:audit|verify|check)\":\\s*\"(?:npm|yarn)\\s+audit"
+        message: "Implementing dependency verification in package.json scripts."
+
+      # Check 3: Lock File Usage
+      - pattern: "(?:package-lock\\.json|yarn\\.lock)"
+        file_pattern: "(?:package-lock\\.json|yarn\\.lock)$"
+        message: "Using lock files for dependency management."
+
+      # Check 4: Safe Object Creation
+      - pattern: "Object\\.create\\(null\\)"
+        message: "Using Object.create(null) to prevent prototype pollution."
+
+      # Check 5: Schema Validation
+      - pattern: "(?:ajv|joi|yup|zod|jsonschema|validate)"
+        message: "Implementing schema validation for data integrity."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - integrity
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:integrity
+    - standard:owasp-top10
+    - risk:a08-software-data-integrity-failures
+  references:
+    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html"
+    - "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
+    - "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Subresource_Integrity"
+    - "https://snyk.io/blog/prototype-pollution-javascript/"
+    - "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/NPM_Security_Cheat_Sheet.md"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html"
+    - "https://owasp.org/www-community/attacks/Prototype_pollution"
+```
+
+
diff --git a/.cursor/rules/javascript-standards.mdc b/.cursor/rules/javascript-standards.mdc
index c2169bf..3238871 100644
--- a/.cursor/rules/javascript-standards.mdc
+++ b/.cursor/rules/javascript-standards.mdc
@@ -4,33 +4,49 @@ globs: *.js
 ---
 # JavaScript Development Standards
 
-> Priority: high · Version: 1.0
+```yaml
+name: javascript_standards
+description: Enforce JavaScript development standards for Drupal
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "\\(function\\s*\\(\\$\\)\\s*\\{[^}]*\\}\\)\\s*\\(jQuery\\)"
+        message: "Use Drupal behaviors instead of IIFE"
+
+      - pattern: "\\$\\('[^']*'\\)"
+        message: "Cache jQuery selectors for better performance"
+
+      - pattern: "\\.ajax\\(\\{[^}]*success:"
+        message: "Implement proper error handling for AJAX calls"
+
+      - pattern: "var\\s+"
+        message: "Use const or let instead of var (ES6+)"
+
+  - type: suggest
+    message: |
+      JavaScript Best Practices:
+      - Use Drupal behaviors for all JavaScript
+      - Implement proper error handling for AJAX
+      - Cache jQuery selectors
+      - Use ES6+ features
+      - Add proper documentation
+      - Follow Drupal JavaScript coding standards
+      - Use proper event delegation
+      - Implement proper error handling
+      - Use async/await for asynchronous operations
+      - Follow proper module pattern
+
+  - type: validate
+    conditions:
+      - pattern: "Drupal\\.behaviors\\.\\w+"
+        message: "Implement JavaScript functionality using Drupal behaviors"
+
+      - pattern: "/\\*\\*[^*]*\\*/"
+        message: "Add JSDoc documentation for JavaScript functions"
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-## Applies To
-- `*.js`
-
-## Required Checks
-
-- Use Drupal behaviors instead of IIFE
-- Cache jQuery selectors for better performance
-- Implement proper error handling for AJAX calls
-- Use const or let instead of var (ES6+)
-
-## Recommendations
-
-JavaScript Best Practices:
-- Use Drupal behaviors for all JavaScript
-- Implement proper error handling for AJAX
-- Cache jQuery selectors
-- Use ES6+ features
-- Add proper documentation
-- Follow Drupal JavaScript coding standards
-- Use proper event delegation
-- Implement proper error handling
-- Use async/await for asynchronous operations
-- Follow proper module pattern
-
-## Validation
-
-- Implement JavaScript functionality using Drupal behaviors
-- Add JSDoc documentation for JavaScript functions
diff --git a/.cursor/rules/javascript-vulnerable-outdated-components.mdc b/.cursor/rules/javascript-vulnerable-outdated-components.mdc
index 4a9edc9..4434dc2 100644
--- a/.cursor/rules/javascript-vulnerable-outdated-components.mdc
+++ b/.cursor/rules/javascript-vulnerable-outdated-components.mdc
@@ -4,237 +4,335 @@ globs: **/*.js, **/*.jsx, **/*.ts, **/*.tsx, !**/node_modules/**, !**/dist/**, !
 ---
 # JavaScript Vulnerable and Outdated Components (OWASP A06:2021)
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `**/*.js`
-- `**/*.jsx`
-- `**/*.ts`
-- `**/*.tsx`
-- `!**/node_modules/**`
-- `!**/dist/**`
-- `!**/build/**`
-- `!**/coverage/**`
-
-## Required Checks
-
-- Check for outdated dependencies in package.json. Regularly update dependencies to avoid known vulnerabilities.
-- CDN resources without integrity hashes. Add integrity and crossorigin attributes to script tags loading external resources.
-- Hardcoded library versions in HTML. Consider using a package manager to manage dependencies.
-- Using deprecated Node.js APIs. Replace with modern alternatives to avoid security and maintenance issues.
-- Using deprecated browser APIs. Replace with modern alternatives to avoid compatibility and security issues.
-- Dynamic dependency loading with variable concatenation. This can lead to dependency confusion attacks.
-- Potentially vulnerable regular expression pattern that could lead to ReDoS attacks. Review and optimize the regex pattern.
-- Insecure package installation flags. Avoid using --no-audit, --no-save, or --force flags when installing packages.
-- Missing lock file. Use package-lock.json, yarn.lock, or pnpm-lock.yaml to ensure dependency consistency.
-- Potentially insecure webpack configuration. Consider enabling noEmitOnErrors and optimization.minimize.
-- Outdated TypeScript target. Consider using a more modern target like ES2020 for better security features.
-- Using a non-standard npm registry. Ensure you trust the source of your packages.
-- Missing npm audit in CI/CD scripts. Add 'npm audit' to your CI/CD pipeline to detect vulnerabilities.
-- Insecure import maps without integrity checks. Add integrity hashes to import map entries.
-- Using potentially outdated polyfills. Consider using modern alternatives or feature detection.
-
-## Recommendations
-
-**JavaScript Vulnerable and Outdated Components Best Practices:**
-
-1. **Dependency Management:**
-   - Regularly update dependencies to their latest secure versions
-   - Use tools like npm audit, Snyk, or Dependabot to detect vulnerabilities
-   - Example:
-     ```javascript
-     // Add these scripts to package.json
-     {
-       "scripts": {
-         "audit": "npm audit",
-         "audit:fix": "npm audit fix",
-         "outdated": "npm outdated",
-         "update": "npm update",
-         "prestart": "npm audit --production"
-       }
-     }
-     ```
-
-2. **Lock Files:**
-   - Always use lock files (package-lock.json, yarn.lock, or pnpm-lock.yaml)
-   - Commit lock files to version control
-   - Example:
-     ```bash
-     # Generate a lock file if it doesn't exist
-     npm install
-     
-     # Or for Yarn
-     yarn
-     
-     # Or for pnpm
-     pnpm install
-     ```
-
-3. **Subresource Integrity:**
-   - Use integrity hashes when loading resources from CDNs
-   - Example:
-     ```html
-     <script 
-       src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js" 
-       integrity="sha384-tMH8h3BGESGckSAVGZ82T9n90ztNepwCjSPJ0A7g2vdY8M0oKtDaDGg0G53cysJA" 
-       crossorigin="anonymous">
-     </script>
-     ```
-
-4. **Automated Security Scanning:**
-   - Integrate security scanning into your CI/CD pipeline
-   - Example GitHub Actions workflow:
-     ```yaml
-     name: Security Scan
-     
-     on:
-       push:
-         branches: [ main ]
-       pull_request:
-         branches: [ main ]
-       schedule:
-         - cron: '0 0 * * 0'  # Run weekly
-     
-     jobs:
-       security:
-         runs-on: ubuntu-latest
-         steps:
-           - uses: actions/checkout@v3
-           - name: Setup Node.js
-             uses: actions/setup-node@v3
-             with:
-               node-version: '18'
-               cache: 'npm'
-           - name: Install dependencies
-             run: npm ci
-           - name: Run security audit
-             run: npm audit --audit-level=high
-           - name: Run Snyk to check for vulnerabilities
-             uses: snyk/actions/node@master
-             env:
-               SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-     ```
-
-5. **Dependency Pinning:**
-   - Pin dependencies to specific versions to prevent unexpected updates
-   - Example:
-     ```json
-     {
-       "dependencies": {
-         "express": "4.18.2",
-         "react": "18.2.0",
-         "lodash": "4.17.21"
-       }
-     }
-     ```
-
-6. **Deprecated API Replacement:**
-   - Replace deprecated Node.js APIs with modern alternatives
-   - Example:
-     ```javascript
-     // INSECURE: Using deprecated Buffer constructor
-     const buffer = new Buffer(data);
-     
-     // SECURE: Using Buffer.from()
-     const buffer = Buffer.from(data);
-     
-     // INSECURE: Using deprecated crypto methods
-     const crypto = require('crypto');
-     const cipher = crypto.createCipher('aes-256-cbc', key);
-     
-     // SECURE: Using modern crypto methods
-     const crypto = require('crypto');
-     const iv = crypto.randomBytes(16);
-     const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
-     ```
-
-7. **Browser API Modernization:**
-   - Replace deprecated browser APIs with modern alternatives
-   - Example:
-     ```javascript
-     // INSECURE: Using document.write
-     document.write('<h1>Hello World</h1>');
-     
-     // SECURE: Using DOM manipulation
-     document.getElementById('content').innerHTML = '<h1>Hello World</h1>';
-     
-     // INSECURE: Using escape/unescape
-     const encoded = escape(data);
-     
-     // SECURE: Using encodeURIComponent
-     const encoded = encodeURIComponent(data);
-     ```
-
-8. **Safe Dynamic Imports:**
-   - Avoid dynamic imports with variable concatenation
-   - Example:
-     ```javascript
-     // INSECURE: Dynamic import with concatenation
-     const moduleName = userInput;
-     import('./' + moduleName + '.js');
-     
-     // SECURE: Validate input against a whitelist
-     const validModules = ['module1', 'module2', 'module3'];
-     if (validModules.includes(moduleName)) {
-       import(`./${moduleName}.js`);
-     }
-     ```
-
-9. **Regular Expression Safety:**
-   - Avoid vulnerable regex patterns that could lead to ReDoS attacks
-   - Example:
-     ```javascript
-     // INSECURE: Vulnerable regex pattern
-     const regex = /^(a+)+$/;
-     
-     // SECURE: Optimized regex pattern
-     const regex = /^a+$/;
-     ```
-
-10. **Vendor Management:**
-    - Evaluate the security posture of third-party libraries before use
-    - Prefer libraries with active maintenance and security focus
-    - Example evaluation criteria:
-      - When was the last commit?
-      - How quickly are security issues addressed?
-      - Does the project have a security policy?
-      - Is there a responsible disclosure process?
-      - How many open issues and pull requests exist?
-      - What is the download count and GitHub stars?
-
-11. **Runtime Dependency Checking:**
-    - Implement runtime checks for critical dependencies
-    - Example:
-      ```javascript
-      // Check package version at runtime for critical dependencies
-      try {
-        const packageJson = require('some-critical-package/package.json');
-        const semver = require('semver');
-        
-        if (semver.lt(packageJson.version, '2.0.0')) {
-          console.warn('Warning: Using a potentially vulnerable version of some-critical-package');
-        }
-      } catch (err) {
-        console.error('Error checking package version:', err);
-      }
-      ```
-
-12. **Minimal Dependencies:**
-    - Minimize the number of dependencies to reduce attack surface
-    - Regularly audit and remove unused dependencies
-    - Example:
-      ```bash
-      # Find unused dependencies
-      npx depcheck
-      
-      # Analyze your bundle size
-      npx webpack-bundle-analyzer
-      ```
-
-## Validation
-
-- Using npm audit to check for vulnerabilities.
-- Using lock files to ensure dependency consistency.
-- Using subresource integrity hashes for external resources.
-- Using modern Buffer API instead of deprecated constructor.
-- Integrating dependency scanning in CI/CD pipeline.
+```yaml
+name: javascript_vulnerable_outdated_components
+description: Detect and prevent the use of vulnerable and outdated components in JavaScript applications as defined in OWASP Top 10:2021-A06
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Outdated Package Versions in package.json
+      - pattern: "\"(dependencies|devDependencies)\"\\s*:\\s*\\{[^}]*?\"([^\"]+)\"\\s*:\\s*\"\\^?([0-9]+\\.[0-9]+\\.[0-9]+)\""
+        location: "package\\.json$"
+        message: "Check for outdated dependencies in package.json. Regularly update dependencies to avoid known vulnerabilities."
+
+      # Pattern 2: Direct CDN Links Without Integrity Hashes
+      - pattern: "<script\\s+src=['\"]https?://(?:cdn|unpkg|jsdelivr)[^'\"]*['\"][^>]*(?!integrity=)"
+        location: "\\.(html|js|jsx|ts|tsx)$"
+        message: "CDN resources without integrity hashes. Add integrity and crossorigin attributes to script tags loading external resources."
+
+      # Pattern 3: Hardcoded Library Versions in HTML
+      - pattern: "<script\\s+src=['\"][^'\"]*(?:jquery|bootstrap|react|vue|angular|lodash|moment)[@-][0-9]+\\.[0-9]+\\.[0-9]+[^'\"]*['\"]"
+        location: "\\.html$"
+        message: "Hardcoded library versions in HTML. Consider using a package manager to manage dependencies."
+
+      # Pattern 4: Deprecated Node.js APIs
+      - pattern: "(?:new Buffer\\(|require\\(['\"]crypto['\"]\\)\\.createCipher\\(|require\\(['\"]crypto['\"]\\)\\.randomBytes\\([^,)]+\\)|require\\(['\"]fs['\"]\\)\\.exists\\()"
+        message: "Using deprecated Node.js APIs. Replace with modern alternatives to avoid security and maintenance issues."
+
+      # Pattern 5: Deprecated Browser APIs
+      - pattern: "document\\.write\\(|document\\.execCommand\\(|escape\\(|unescape\\(|showModalDialog\\(|localStorage\\.clear\\(\\)|sessionStorage\\.clear\\(\\)"
+        location: "(?:src|components|pages)"
+        message: "Using deprecated browser APIs. Replace with modern alternatives to avoid compatibility and security issues."
+
+      # Pattern 6: Insecure Dependency Loading
+      - pattern: "require\\([^)]*?\\+\\s*[^)]+\\)|import\\([^)]*?\\+\\s*[^)]+\\)"
+        message: "Dynamic dependency loading with variable concatenation. This can lead to dependency confusion attacks."
+
+      # Pattern 7: Vulnerable Regular Expression Patterns (ReDoS)
+      - pattern: "new RegExp\\([^)]*?(?:\\(.*\\)\\*|\\*\\+|\\+\\*|\\{\\d+,\\})"
+        message: "Potentially vulnerable regular expression pattern that could lead to ReDoS attacks. Review and optimize the regex pattern."
+
+      # Pattern 8: Insecure Package Installation
+      - pattern: "npm\\s+install\\s+(?:--no-save|--no-audit|--no-fund|--force)"
+        location: "(?:scripts|Dockerfile|docker-compose\\.yml|\\.github/workflows)"
+        message: "Insecure package installation flags. Avoid using --no-audit, --no-save, or --force flags when installing packages."
+
+      # Pattern 9: Missing Lock Files
+      - pattern: "package\\.json"
+        location: "package\\.json$"
+        negative_pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
+        message: "Missing lock file. Use package-lock.json, yarn.lock, or pnpm-lock.yaml to ensure dependency consistency."
+
+      # Pattern 10: Insecure Webpack Configuration
+      - pattern: "webpack\\.config\\.js"
+        location: "webpack\\.config\\.js$"
+        negative_pattern: "(?:noEmitOnErrors|optimization\\.minimize)"
+        message: "Potentially insecure webpack configuration. Consider enabling noEmitOnErrors and optimization.minimize."
+
+      # Pattern 11: Outdated TypeScript Configuration
+      - pattern: "\"compilerOptions\"\\s*:\\s*\\{[^}]*?\"target\"\\s*:\\s*\"ES5\""
+        location: "tsconfig\\.json$"
+        message: "Outdated TypeScript target. Consider using a more modern target like ES2020 for better security features."
+
+      # Pattern 12: Insecure Package Sources
+      - pattern: "registry\\s*=\\s*(?!https://registry\\.npmjs\\.org)"
+        location: "\\.npmrc$"
+        message: "Using a non-standard npm registry. Ensure you trust the source of your packages."
+
+      # Pattern 13: Missing npm audit in CI/CD
+      - pattern: "(?:ci|test|build)\\s*:\\s*\"[^\"]*?\""
+        location: "package\\.json$"
+        negative_pattern: "npm\\s+audit"
+        message: "Missing npm audit in CI/CD scripts. Add 'npm audit' to your CI/CD pipeline to detect vulnerabilities."
+
+      # Pattern 14: Insecure Import Maps
+      - pattern: "<script\\s+type=['\"]importmap['\"][^>]*>[^<]*?\"imports\"\\s*:\\s*\\{[^}]*?\"[^\"]+\"\\s*:\\s*\"https?://[^\"]+\""
+        negative_pattern: "integrity="
+        message: "Insecure import maps without integrity checks. Add integrity hashes to import map entries."
+
+      # Pattern 15: Outdated Polyfills
+      - pattern: "(?:core-js|@babel/polyfill|es6-promise|whatwg-fetch)"
+        message: "Using potentially outdated polyfills. Consider using modern alternatives or feature detection."
+
+  - type: suggest
+    message: |
+      **JavaScript Vulnerable and Outdated Components Best Practices:**
+
+      1. **Dependency Management:**
+         - Regularly update dependencies to their latest secure versions
+         - Use tools like npm audit, Snyk, or Dependabot to detect vulnerabilities
+         - Example:
+           ```javascript
+           // Add these scripts to package.json
+           {
+             "scripts": {
+               "audit": "npm audit",
+               "audit:fix": "npm audit fix",
+               "outdated": "npm outdated",
+               "update": "npm update",
+               "prestart": "npm audit --production"
+             }
+           }
+           ```
+
+      2. **Lock Files:**
+         - Always use lock files (package-lock.json, yarn.lock, or pnpm-lock.yaml)
+         - Commit lock files to version control
+         - Example:
+           ```bash
+           # Generate a lock file if it doesn't exist
+           npm install
+
+           # Or for Yarn
+           yarn
+
+           # Or for pnpm
+           pnpm install
+           ```
+
+      3. **Subresource Integrity:**
+         - Use integrity hashes when loading resources from CDNs
+         - Example:
+           ```html
+           <script
+             src="https://cdn.jsdelivr.net/npm/react@18.2.0/umd/react.production.min.js"
+             integrity="sha384-tMH8h3BGESGckSAVGZ82T9n90ztNepwCjSPJ0A7g2vdY8M0oKtDaDGg0G53cysJA"
+             crossorigin="anonymous">
+           </script>
+           ```
+
+      4. **Automated Security Scanning:**
+         - Integrate security scanning into your CI/CD pipeline
+         - Example GitHub Actions workflow:
+           ```yaml
+           name: Security Scan
+
+           on:
+             push:
+               branches: [ main ]
+             pull_request:
+               branches: [ main ]
+             schedule:
+               - cron: '0 0 * * 0'  # Run weekly
+
+           jobs:
+             security:
+               runs-on: ubuntu-latest
+               steps:
+                 - uses: actions/checkout@v3
+                 - name: Setup Node.js
+                   uses: actions/setup-node@v3
+                   with:
+                     node-version: '18'
+                     cache: 'npm'
+                 - name: Install dependencies
+                   run: npm ci
+                 - name: Run security audit
+                   run: npm audit --audit-level=high
+                 - name: Run Snyk to check for vulnerabilities
+                   uses: snyk/actions/node@master
+                   env:
+                     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+           ```
+
+      5. **Dependency Pinning:**
+         - Pin dependencies to specific versions to prevent unexpected updates
+         - Example:
+           ```json
+           {
+             "dependencies": {
+               "express": "4.18.2",
+               "react": "18.2.0",
+               "lodash": "4.17.21"
+             }
+           }
+           ```
+
+      6. **Deprecated API Replacement:**
+         - Replace deprecated Node.js APIs with modern alternatives
+         - Example:
+           ```javascript
+           // INSECURE: Using deprecated Buffer constructor
+           const buffer = new Buffer(data);
+
+           // SECURE: Using Buffer.from()
+           const buffer = Buffer.from(data);
+
+           // INSECURE: Using deprecated crypto methods
+           const crypto = require('crypto');
+           const cipher = crypto.createCipher('aes-256-cbc', key);
+
+           // SECURE: Using modern crypto methods
+           const crypto = require('crypto');
+           const iv = crypto.randomBytes(16);
+           const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
+           ```
+
+      7. **Browser API Modernization:**
+         - Replace deprecated browser APIs with modern alternatives
+         - Example:
+           ```javascript
+           // INSECURE: Using document.write
+           document.write('<h1>Hello World</h1>');
+
+           // SECURE: Using DOM manipulation
+           document.getElementById('content').innerHTML = '<h1>Hello World</h1>';
+
+           // INSECURE: Using escape/unescape
+           const encoded = escape(data);
+
+           // SECURE: Using encodeURIComponent
+           const encoded = encodeURIComponent(data);
+           ```
+
+      8. **Safe Dynamic Imports:**
+         - Avoid dynamic imports with variable concatenation
+         - Example:
+           ```javascript
+           // INSECURE: Dynamic import with concatenation
+           const moduleName = userInput;
+           import('./' + moduleName + '.js');
+
+           // SECURE: Validate input against a whitelist
+           const validModules = ['module1', 'module2', 'module3'];
+           if (validModules.includes(moduleName)) {
+             import(`./${moduleName}.js`);
+           }
+           ```
+
+      9. **Regular Expression Safety:**
+         - Avoid vulnerable regex patterns that could lead to ReDoS attacks
+         - Example:
+           ```javascript
+           // INSECURE: Vulnerable regex pattern
+           const regex = /^(a+)+$/;
+
+           // SECURE: Optimized regex pattern
+           const regex = /^a+$/;
+           ```
+
+      10. **Vendor Management:**
+          - Evaluate the security posture of third-party libraries before use
+          - Prefer libraries with active maintenance and security focus
+          - Example evaluation criteria:
+            - When was the last commit?
+            - How quickly are security issues addressed?
+            - Does the project have a security policy?
+            - Is there a responsible disclosure process?
+            - How many open issues and pull requests exist?
+            - What is the download count and GitHub stars?
+
+      11. **Runtime Dependency Checking:**
+          - Implement runtime checks for critical dependencies
+          - Example:
+            ```javascript
+            // Check package version at runtime for critical dependencies
+            try {
+              const packageJson = require('some-critical-package/package.json');
+              const semver = require('semver');
+
+              if (semver.lt(packageJson.version, '2.0.0')) {
+                console.warn('Warning: Using a potentially vulnerable version of some-critical-package');
+              }
+            } catch (err) {
+              console.error('Error checking package version:', err);
+            }
+            ```
+
+      12. **Minimal Dependencies:**
+          - Minimize the number of dependencies to reduce attack surface
+          - Regularly audit and remove unused dependencies
+          - Example:
+            ```bash
+            # Find unused dependencies
+            npx depcheck
+
+            # Analyze your bundle size
+            npx webpack-bundle-analyzer
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Using npm audit
+      - pattern: "\"scripts\"\\s*:\\s*\\{[^}]*?\"audit\"\\s*:\\s*\"npm audit"
+        message: "Using npm audit to check for vulnerabilities."
+
+      # Check 2: Using lock files
+      - pattern: "package-lock\\.json|yarn\\.lock|pnpm-lock\\.yaml"
+        message: "Using lock files to ensure dependency consistency."
+
+      # Check 3: Using integrity hashes
+      - pattern: "integrity=['\"]sha\\d+-[A-Za-z0-9+/=]+['\"]"
+        message: "Using subresource integrity hashes for external resources."
+
+      # Check 4: Using modern Buffer API
+      - pattern: "Buffer\\.(?:from|alloc|allocUnsafe)"
+        message: "Using modern Buffer API instead of deprecated constructor."
+
+      # Check 5: Using dependency scanning in CI
+      - pattern: "npm\\s+audit|snyk\\s+test|yarn\\s+audit"
+        location: "(?:\\.github/workflows|\\.gitlab-ci\\.yml|Jenkinsfile|azure-pipelines\\.yml)"
+        message: "Integrating dependency scanning in CI/CD pipeline."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - javascript
+    - nodejs
+    - browser
+    - dependencies
+    - owasp
+    - language:javascript
+    - framework:express
+    - framework:react
+    - framework:vue
+    - framework:angular
+    - category:security
+    - subcategory:dependencies
+    - standard:owasp-top10
+    - risk:a06-vulnerable-outdated-components
+  references:
+    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html"
+    - "https://docs.npmjs.com/cli/v8/commands/npm-audit"
+    - "https://snyk.io/learn/npm-security/"
+    - "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
+    - "https://github.com/OWASP/NodeGoat"
+    - "https://owasp.org/www-project-dependency-check/"
+```
+
+
diff --git a/.cursor/rules/lagoon-docker-compose-standards.mdc b/.cursor/rules/lagoon-docker-compose-standards.mdc
index 0bbf6b5..76c25b9 100644
--- a/.cursor/rules/lagoon-docker-compose-standards.mdc
+++ b/.cursor/rules/lagoon-docker-compose-standards.mdc
@@ -6,67 +6,89 @@ globs: docker-compose.yml, docker-compose.*.yml
 
 Ensures proper Docker Compose configuration for Lagoon deployments, following best practices and Lagoon-specific requirements.
 
-> Priority: high · Version: 1.1
+```yaml
+name: lagoon_docker_compose_standards
+description: Enforce standards for Lagoon Docker Compose files
+filters:
+  - type: file_name
+    pattern: "^docker-compose(\\.\\w+)?\\.yml$"
 
-## Applies To
-- `docker-compose.yml`
-- `docker-compose.*.yml`
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "services:\\s+\\w+:\\s+(?!.*labels:[\\s\\S]*lagoon)"
+        message: "Add Lagoon labels to service definitions for proper Lagoon integration"
 
-## Trigger Conditions
-- Filter `file_name` matching `^docker-compose(\.\w+)?\.yml$`
+      - pattern: "version:\\s*['\"]*2"
+        message: "Use Docker Compose format version 3 or higher for compatibility with modern Docker features"
 
-## Required Checks
+      - pattern: "volumes:\\s+[^:]+:\\s+(?!.*delegated)"
+        message: "Use 'delegated' mount consistency for better performance on macOS development environments"
 
-- Add Lagoon labels to service definitions for proper Lagoon integration
-- Use Docker Compose format version 3 or higher for compatibility with modern Docker features
-- Use 'delegated' mount consistency for better performance on macOS development environments
-- Define restart policy for services to ensure proper behavior during deployment
+      - pattern: "services:\\s+\\w+:\\s+(?!.*restart:)"
+        message: "Define restart policy for services to ensure proper behavior during deployment"
 
-## Recommendations
+  - type: suggest
+    message: |
+      ## Lagoon Docker Compose Best Practices:
 
-## Lagoon Docker Compose Best Practices:
+      ### Service Configuration
+      - Define service types via labels (e.g., `lagoon.type: nginx`)
+      - Use proper image naming conventions (e.g., `amazeeio/nginx-drupal:latest`)
+      - Set appropriate environment variables using Lagoon variables
+      - Define health checks for critical services
+      - Configure proper networking with Lagoon defaults
+      - Set resource constraints appropriate for each environment
 
-### Service Configuration
-- Define service types via labels (e.g., `lagoon.type: nginx`)
-- Use proper image naming conventions (e.g., `amazeeio/nginx-drupal:latest`)
-- Set appropriate environment variables using Lagoon variables
-- Define health checks for critical services
-- Configure proper networking with Lagoon defaults
-- Set resource constraints appropriate for each environment
+      ### Volume Configuration
+      - Use named volumes for persistent data
+      - Configure appropriate volume mounts with correct permissions
+      - Use 'delegated' mount consistency for macOS performance
+      - Avoid mounting the entire codebase when possible
 
-### Volume Configuration
-- Use named volumes for persistent data
-- Configure appropriate volume mounts with correct permissions
-- Use 'delegated' mount consistency for macOS performance
-- Avoid mounting the entire codebase when possible
+      ### Build Configuration
+      - Use build arguments appropriately
+      - Define proper Dockerfile paths
+      - Use multi-stage builds for smaller images
 
-### Build Configuration
-- Use build arguments appropriately
-- Define proper Dockerfile paths
-- Use multi-stage builds for smaller images
+      ### Example Service Configuration:
+      ```yaml
+      services:
+        nginx:
+          build:
+            context: .
+            dockerfile: nginx.dockerfile
+          labels:
+            lagoon.type: nginx
+            lagoon.persistent: /app/web/sites/default/files/
+          volumes:
+            - app:/app:delegated
+          depends_on:
+            - php
+          environment:
+            LAGOON_ROUTE: ${LAGOON_ROUTE:-http://project.docker.amazee.io}
+      ```
 
-### Example Service Configuration:
-```yaml
-services:
-  nginx:
-    build:
-      context: .
-      dockerfile: nginx.dockerfile
-    labels:
-      lagoon.type: nginx
-      lagoon.persistent: /app/web/sites/default/files/
-    volumes:
-      - app:/app:delegated
-    depends_on:
-      - php
-    environment:
-      LAGOON_ROUTE: ${LAGOON_ROUTE:-http://project.docker.amazee.io}
+  - type: validate
+    conditions:
+      - pattern: "services:\\s+cli:\\s+(?!.*build:)"
+        message: "CLI service should have proper build configuration for Lagoon compatibility"
+
+      - pattern: "services:\\s+\\w+:\\s+(?!.*depends_on:)"
+        message: "Define service dependencies for proper startup order and container relationships"
+
+      - pattern: "networks:\\s+(?!.*default:)"
+        message: "Configure proper network settings for Lagoon compatibility and service communication"
+
+      - pattern: "services:\\s+mariadb:\\s+(?!.*image:\\s+amazeeio\\/mariadb)"
+        message: "Use Lagoon-provided MariaDB image for compatibility with Lagoon environment"
+
+      - pattern: "services:\\s+\\w+:\\s+environment:\\s+(?!.*\\$\\{LAGOON)"
+        message: "Use Lagoon environment variables with fallbacks for local development"
+
+metadata:
+  priority: high
+  version: 1.1
 ```
 
-## Validation
 
-- CLI service should have proper build configuration for Lagoon compatibility
-- Define service dependencies for proper startup order and container relationships
-- Configure proper network settings for Lagoon compatibility and service communication
-- Use Lagoon-provided MariaDB image for compatibility with Lagoon environment
-- Use Lagoon environment variables with fallbacks for local development
diff --git a/.cursor/rules/lagoon-yml-standards.mdc b/.cursor/rules/lagoon-yml-standards.mdc
index 2a50f36..e585673 100644
--- a/.cursor/rules/lagoon-yml-standards.mdc
+++ b/.cursor/rules/lagoon-yml-standards.mdc
@@ -6,93 +6,118 @@ globs: .lagoon.yml, .lagoon.*.yml
 
 Ensures proper configuration and best practices for Lagoon deployment files, focusing on environment configuration, routes, tasks, and deployment workflows.
 
-> Priority: critical · Version: 1.1
-
-## Applies To
-- `.lagoon.yml`
-- `.lagoon.*.yml`
-
-## Trigger Conditions
-- Files matching pattern `\.(yml|yaml)$`
-- Filter `file_name` matching `^\.lagoon(\.\w+)?\.yml$`
-
-## Required Checks
-
-- Ensure tls-acme is set to 'false' until DNS points to Lagoon to prevent certificate issuance failures
-- Wrap Drush commands in proper error handling using '|| exit 1' to ensure deployment fails on command errors
-- Add conditional checks for pre-rollout tasks to ensure they only run when necessary
-- Use 'M' or 'H' notation for randomized cron scheduling to prevent server load spikes
-- Consider configuring redirects for routes to handle legacy URLs or domain migrations
-
-## Recommendations
-
-## Lagoon Configuration Best Practices:
-
-### Environment Configuration
-- Use environment-specific configurations for different deployment targets
-- Define environment types for proper resource allocation
-- Configure environment variables specific to each environment
-- Use environment-specific routes and domains
-
-### Routes Configuration
-- Configure routes with appropriate SSL settings
-- Set up redirects for legacy URLs
-- Configure proper insecure traffic handling (Allow or Redirect)
-- Use wildcard domains for feature branch environments
-
-### Tasks Configuration
-- Implement proper pre-rollout tasks with error handling
-- Configure post-rollout tasks with appropriate conditions
-- Use conditional task execution based on environment
-- Include database sync in PR environments
-- Implement proper backup strategies before major changes
-
-### Cron Configuration
-- Use randomized cron schedules with 'M' and 'H' notation
-- Set appropriate frequency for different tasks
-- Ensure cron jobs have proper error handling
-- Use descriptive names for cron jobs
-
-### Example Configuration:
 ```yaml
-environments:
-  main:
-    cronjobs:
-      - name: drush-cron
-        schedule: '*/15 * * * *'
-        command: drush cron
-        service: cli
-    routes:
-      - nginx:
-        - example.com:
-            tls-acme: true
-            insecure: Redirect
-            redirects:
-              - www.example.com
-    tasks:
-      pre-rollout:
-        - run:
-            name: Drush pre-update
-            command: |
-              if drush status --fields=bootstrap | grep -q "Successful"; then
-                drush state:set system.maintenance_mode 1 -y
-                drush cr
-              fi
-            service: cli
-      post-rollout:
-        - run:
-            name: Drush post-update
-            command: |
-              drush updb -y || exit 1
-              drush cr
-              drush state:set system.maintenance_mode 0 -y
-            service: cli
+name: lagoon_yml_standards
+description: Enforce standards for Lagoon configuration files
+filters:
+  - type: file_extension
+    pattern: "\\.(yml|yaml)$"
+  - type: file_name
+    pattern: "^\\.lagoon(\\.\\w+)?\\.yml$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "environments:\\s*[\\w-]+:\\s*routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*tls-acme:\\s*true"
+        message: "Ensure tls-acme is set to 'false' until DNS points to Lagoon to prevent certificate issuance failures"
+
+      - pattern: "post-rollout:\\s*-\\s*run:\\s*command:\\s*drush(?!.*\\|\\|)"
+        message: "Wrap Drush commands in proper error handling using '|| exit 1' to ensure deployment fails on command errors"
+
+      - pattern: "pre-rollout:\\s*-\\s*run:\\s*command:\\s*(?!.*if)"
+        message: "Add conditional checks for pre-rollout tasks to ensure they only run when necessary"
+
+      - pattern: "cronjobs:\\s*-\\s*name:[^\\n]*\\n\\s*schedule:\\s*'\\*\\s*\\*'"
+        message: "Use 'M' or 'H' notation for randomized cron scheduling to prevent server load spikes"
+
+      - pattern: "routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*(?!.*redirects:)"
+        message: "Consider configuring redirects for routes to handle legacy URLs or domain migrations"
+
+  - type: suggest
+    message: |
+      ## Lagoon Configuration Best Practices:
+
+      ### Environment Configuration
+      - Use environment-specific configurations for different deployment targets
+      - Define environment types for proper resource allocation
+      - Configure environment variables specific to each environment
+      - Use environment-specific routes and domains
+
+      ### Routes Configuration
+      - Configure routes with appropriate SSL settings
+      - Set up redirects for legacy URLs
+      - Configure proper insecure traffic handling (Allow or Redirect)
+      - Use wildcard domains for feature branch environments
+
+      ### Tasks Configuration
+      - Implement proper pre-rollout tasks with error handling
+      - Configure post-rollout tasks with appropriate conditions
+      - Use conditional task execution based on environment
+      - Include database sync in PR environments
+      - Implement proper backup strategies before major changes
+
+      ### Cron Configuration
+      - Use randomized cron schedules with 'M' and 'H' notation
+      - Set appropriate frequency for different tasks
+      - Ensure cron jobs have proper error handling
+      - Use descriptive names for cron jobs
+
+      ### Example Configuration:
+      ```yaml
+      environments:
+        main:
+          cronjobs:
+            - name: drush-cron
+              schedule: '*/15 * * * *'
+              command: drush cron
+              service: cli
+          routes:
+            - nginx:
+              - example.com:
+                  tls-acme: true
+                  insecure: Redirect
+                  redirects:
+                    - www.example.com
+          tasks:
+            pre-rollout:
+              - run:
+                  name: Drush pre-update
+                  command: |
+                    if drush status --fields=bootstrap | grep -q "Successful"; then
+                      drush state:set system.maintenance_mode 1 -y
+                      drush cr
+                    fi
+                  service: cli
+            post-rollout:
+              - run:
+                  name: Drush post-update
+                  command: |
+                    drush updb -y || exit 1
+                    drush cr
+                    drush state:set system.maintenance_mode 0 -y
+                  service: cli
+      ```
+
+  - type: validate
+    conditions:
+      - pattern: "environments:\\s*[\\w-]+:\\s*types:\\s*[^\\n]*"
+        message: "Define environment types for proper resource allocation and environment-specific configuration"
+
+      - pattern: "tasks:\\s*(pre|post)-rollout:"
+        message: "Include both pre and post rollout tasks for robust deployments and proper application state management"
+
+      - pattern: "routes:\\s*-\\s*\\w+:\\s*-[^:]+:\\s*insecure:\\s*(Allow|Redirect)"
+        message: "Configure proper insecure traffic handling to ensure secure access to your application"
+
+      - pattern: "(?!.*backup-strategy:)"
+        message: "Consider implementing a backup strategy for critical environments to prevent data loss"
+
+      - pattern: "cronjobs:\\s*-\\s*name:[^\\n]*\\n\\s*schedule:[^\\n]*\\n\\s*(?!.*service:)"
+        message: "Specify the service for cron jobs to ensure they run in the correct container"
+
+metadata:
+  priority: critical
+  version: 1.1
 ```
 
-## Validation
 
-- Define environment types for proper resource allocation and environment-specific configuration
-- Include both pre and post rollout tasks for robust deployments and proper application state management
-- Configure proper insecure traffic handling to ensure secure access to your application
-- Consider implementing a backup strategy for critical environments to prevent data loss
-- Specify the service for cron jobs to ensure they run in the correct container
diff --git a/.cursor/rules/multi-agent-coordination.mdc b/.cursor/rules/multi-agent-coordination.mdc
index 13562ea..334db34 100644
--- a/.cursor/rules/multi-agent-coordination.mdc
+++ b/.cursor/rules/multi-agent-coordination.mdc
@@ -6,35 +6,42 @@ globs: *.php, *.js, *.ts, *.vue, *.jsx, *.tsx
 
 Ensures consistent coordination between different AI agents and roles.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.js`
-- `*.ts`
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|js|ts|vue|jsx|tsx)$`
-
-## Required Checks
-
-- Convert TODO comments into structured task breakdowns for multi-agent coordination
-- Implement proper agent role separation and communication
-- Convert FIXME into specific tasks with acceptance criteria
-
-## Recommendations
-
-Multi-Agent Coordination Best Practices:
-- Separate Planner and Executor roles
-- Document task breakdowns and success criteria
-- Track progress in structured format
-- Use proper inter-agent communication
-- Maintain clear role boundaries
-- Focus on immediate, actionable solutions
-- Provide context for complex tasks
-- Use natural language for requirements
-- Break down complex workflows
-- Document dependencies between tasks
+```yaml
+name: multi_agent_coordination
+description: Enforce standards for multi-agent coordination and workflow
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|ts|vue|jsx|tsx)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "// TODO:|#\\s*TODO:"
+        message: "Convert TODO comments into structured task breakdowns for multi-agent coordination"
+
+      - pattern: "function\\s+[a-zA-Z]+Agent\\s*\\([^)]*\\)"
+        message: "Implement proper agent role separation and communication"
+
+      - pattern: "// FIXME:|#\\s*FIXME:"
+        message: "Convert FIXME into specific tasks with acceptance criteria"
+
+  - type: suggest
+    message: |
+      Multi-Agent Coordination Best Practices:
+      - Separate Planner and Executor roles
+      - Document task breakdowns and success criteria
+      - Track progress in structured format
+      - Use proper inter-agent communication
+      - Maintain clear role boundaries
+      - Focus on immediate, actionable solutions
+      - Provide context for complex tasks
+      - Use natural language for requirements
+      - Break down complex workflows
+      - Document dependencies between tasks
+
+metadata:
+  priority: high
+  version: 1.0
+```
+
+
diff --git a/.cursor/rules/new-pull-request.mdc b/.cursor/rules/new-pull-request.mdc
index 2953f8a..c04b07a 100644
--- a/.cursor/rules/new-pull-request.mdc
+++ b/.cursor/rules/new-pull-request.mdc
@@ -1,6 +1,6 @@
 ---
 description: Use this rule when requested to review a pull request
-globs: 
+globs:
 alwaysApply: false
 ---
 # Code Review Agent Instructions
@@ -10,7 +10,7 @@ You are a senior technical lead and architect conducting automated code reviews
 ## Primary Objectives
 
 1. **Requirement Fulfilment Analysis (50%)**: Verify code changes satisfy issue requirements
-2. **Code Standards Compliance (30%)**: Ensure adherence to technology-specific coding standards and best practices  
+2. **Code Standards Compliance (30%)**: Ensure adherence to technology-specific coding standards and best practices
 3. **Security Assessment (20%)**: Validate OWASP security standards and framework-specific security practices
 4. **Label Management**: Apply appropriate GitHub labels for workflow automation
 5. **Freshdesk Integration**: Update issues with structured review findings and log time entry
@@ -22,7 +22,7 @@ You are a senior technical lead and architect conducting automated code reviews
 - If not provided during the prompt, ask user to provide PR number or URL, extract and analyse:
 
 ### Pull Request Context
-- **PR Details**: Extract PR number 
+- **PR Details**: Extract PR number
 - **Repository Info**: Note owner, repo name, and branch information
 - **Change Statistics**: Review additions, deletions, and changed files count
 - **Use GitHub mcp tool**: Use github-mcp tool to connect to GitHub. If fails, Use gh cli.
@@ -33,7 +33,7 @@ You are a senior technical lead and architect conducting automated code reviews
 - **Acceptance Criteria**: Identify specific acceptance criteria from issue conversations
 - **Client Feedback**: Review conversation history for clarification and changes
 - **Technical Context**: Note technology stack, modules affected, and dependencies
-- **Extract issue information**: Check PR description and title to pull issue number. 
+- **Extract issue information**: Check PR description and title to pull issue number.
 	In most cases it will be a Freshdesk issue. Use freshdesk-mcp task get issue information,
 	conversations and issue summary to understand context of the issue.
 
@@ -213,7 +213,7 @@ Compare code changes against:
      ]
    }
    EOF
-   
+
    # Submit the review
    gh api repos/{owner}/{repo}/pulls/{pr_number}/reviews -X POST --input /tmp/review_comments.json
    ```
@@ -295,7 +295,7 @@ Compare code changes against:
 
 **Auto-Apply Labels Based On:**
 - **Score ≥ 80%**: Add `code-review-approved`
-- **Score < 80%**: Add `code-review-changes` 
+- **Score < 80%**: Add `code-review-changes`
 - **Security Issues**: Add `code-review-security`
 - **Standards Violations**: Add `drupal-standards`
 - **Requirement Score ≥ 80%**: Add `requirements-met`
@@ -366,7 +366,7 @@ After completing the code review, perform the following Freshdesk updates:
 
 **Status Colours:**
 - **Success/Approved**: `#1f7a1f` (dark green)
-- **Warning/Changes Needed**: `#cc8800` (dark orange) 
+- **Warning/Changes Needed**: `#cc8800` (dark orange)
 - **Critical/Failed**: `#dc3545` (red)
 - **Info/In Progress**: `#17a2b8` (blue)
 
diff --git a/.cursor/rules/node-dependencies.mdc b/.cursor/rules/node-dependencies.mdc
index b4e2904..ce5a14c 100644
--- a/.cursor/rules/node-dependencies.mdc
+++ b/.cursor/rules/node-dependencies.mdc
@@ -6,23 +6,31 @@ globs: package.json, .nvmrc
 
 Ensures correct Node.js versions and package management.
 
-> Priority: medium · Version: 1.0
-
-## Applies To
-- `package.json`
-- `.nvmrc`
-
-## Trigger Conditions
-- Files matching pattern `package.json|\.nvmrc`
-
-## Required Checks
-
-- Ensure package.json specifies required Node.js version.
-- Ensure an .nvmrc file exists in the root directory.
-
-## Recommendations
+```yaml
+name: node_dependency_management
+description: Enforce Node.js versioning and package management best practices.
+filters:
+  - type: file_extension
+    pattern: "package.json|\\.nvmrc"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: '"engines":\\s*{[^}]*}'
+        message: "Ensure package.json specifies required Node.js version."
+
+      - pattern: "(?<!\\.)nvmrc"
+        message: "Ensure an .nvmrc file exists in the root directory."
+
+  - type: suggest
+    message: |
+      Best practices:
+      - Include an .nvmrc file specifying Node.js version.
+      - Use latest stable Node.js version for Drupal projects.
+      - Use Composer for dependency management.
+
+metadata:
+  priority: medium
+  version: 1.0
+```
 
-Best practices:
-- Include an .nvmrc file specifying Node.js version.
-- Use latest stable Node.js version for Drupal projects.
-- Use Composer for dependency management.
diff --git a/.cursor/rules/php-drupal-best-practices.mdc b/.cursor/rules/php-drupal-best-practices.mdc
index 0ee67b0..d3bc4a7 100644
--- a/.cursor/rules/php-drupal-best-practices.mdc
+++ b/.cursor/rules/php-drupal-best-practices.mdc
@@ -6,369 +6,497 @@ globs: *.php, *.module, *.theme, *.inc, *.info, *.install
 
 Defines comprehensive coding standards and best practices for PHP and Drupal development, with a focus on modern PHP features, Drupal 10+ standards, and modularity.
 
-> Priority: critical · Version: 1.5
-
-## Applies To
-- `*.php`
-- `*.module`
-- `*.theme`
-- `*.inc`
-- `*.info`
-- `*.install`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|module|inc|install|theme)$`
-- Paths matching `web/modules/custom/|web/themes/custom/`
-
-## Required Checks
-
-- Add 'declare(strict_types=1);' at the beginning of PHP files for type safety.
-- Use uppercase for TRUE, FALSE, and NULL constants.
-- Ensure inline comments begin with a capital letter and end with a period.
-- Consider using readonly properties where immutability is required.
-- Add return type declarations for all methods to ensure type safety.
-- Add #[Override] attribute for overridden methods for clarity.
-- Use typed properties with proper nullability for better code maintainability.
-- Add type hints and return types for all hooks to leverage PHP's type system.
-- Use proper dependency injection with services for better testability and modularity.
-- Implement proper form validation in FormBase classes for security.
-- Use Drupal's t() function for strings that need translation.
-- Use ConfigFactory for configuration management.
-- Use short array syntax ([]) instead of array() for consistent code style.
-- Put a space between the (type) and the $variable in a cast: (int) $mynumber.
-- Remove whitespace from empty lines.
-- Remove trailing whitespace at the end of lines.
-- Ensure files end with a single newline character.
-- Place the opening brace on the same line as the statement for control structures.
-- Never use superglobals directly; use Drupal's input methods.
-- Use Drupal's database API instead of direct MySQL functions.
-- Use 2 spaces for indentation, not tabs.
-- Don't use echo; use return values or Drupal's messenger service.
-- Use proper DocBlock formatting for documentation.
-- Don't use die() or exit(); throw exceptions instead.
-- Use $entity->get('field_name')->value instead of getValue() when possible.
-- Don't use debug functions in production code; use Drupal's logger instead.
-- Use Drupal's DateTimeInterface and DrupalDateTime instead of PHP's DateTime.
-- Never use eval() as it poses security risks.
-- Use controller classes with route definitions instead of hook_menu() callbacks.
-- All PHP files must include proper @file documentation in the docblock.
-- Use Drupal's user session handling instead of $_SESSION.
-- Theme functions should be replaced with Twig templates in Drupal 8+.
-- Use #attached in render arrays instead of drupal_add_js() or drupal_add_css().
-- Use proper hook implementation format: module_name_hook_name().
-- Specify a single class per use statement. Do not specify multiple classes in a single use statement.
-- When importing a class with 'use', do not include a leading backslash (\).
-- Non-namespaced global classes (like Exception) must be fully qualified with a leading backslash (\) when used in a namespaced file.
-- Modules should place classes inside a custom namespace: Drupal\module_name\...
-- Leave an empty line between start of class/interface definition and property/method definition.
-- Module namespaces should be Drupal\module_name, not Drupal\ModuleName (camelCase not PascalCase).
-- Request attributes added by modules should be prefixed with underscore (e.g., '_context_value').
-- Avoid overwriting reserved Symfony or Drupal core request attributes.
-- Classes that provide services should use the 'Provider' suffix (e.g., MyServiceProvider).
-- Services should use dependency injection through constructor arguments defined in services.yml.
-
-## Recommendations
-
-**PHP/Drupal Development Best Practices:**
-
-### General Code Structure
-- **File Structure:** Each PHP file should have the proper structures: <?php tag, namespace declaration (if applicable), use statements, docblock, and implementation.
-- **Line Length:** Keep lines under 80 characters whenever possible.
-- **Indentation:** Use 2 spaces for indentation, never tabs.
-- **Empty Lines:** Use empty lines to separate logical blocks of code, but avoid multiple empty lines.
-- **File Endings:** All files must end with a single newline character.
-
-### PHP Language Features
-- **PHP Version:** Use PHP 8.3+ features where appropriate.
-- **Strict Types:** Use declare(strict_types=1) at the top of files to enforce type safety.
-- **Type Hints:** Always use parameter and return type hints.
-- **Named Arguments:** Use named arguments for clarity in complex function calls.
-- **Attributes:** Use PHP 8 attributes like #[Override] for better code comprehension.
-- **Match Expressions:** Prefer match over switch for cleaner conditionals.
-- **Null Coalescing:** Use ?? and ??= operators where appropriate.
-
-### Drupal-Specific Standards
-- **Fields API:** Use hasField(), get(), and value() methods when working with entity fields.
-- **Exception Handling:** Use try/catch for exception handling with proper logging.
-- **Database Layer:** Use Drupal's database abstraction layer for all queries.
-- **Schema Updates:** Implement hook_update_N() for schema changes during updates.
-- **Dependency Injection:** Use services.yml and proper container injection.
-- **Routing:** Define routes in routing.yml with proper access checks.
-- **Forms:** Extend FormBase or ConfigFormBase with proper validation and submission handling.
-- **Entity API:** Follow entity API best practices for loading, creating, and editing entities.
-- **Plugins:** Use plugin system appropriately with proper annotations.
-
-### Service & Request Standards
-- **Service Naming:** Use descriptive service names and appropriate naming patterns (Provider suffix for service providers).
-- **Service Definition:** Define services in the module's *.services.yml file with appropriate tags and arguments.
-- **Request Attributes:** When adding attributes to the Request object, prefix custom attributes with underscore (e.g., `_context_value`).
-- **Reserved Attributes:** Avoid overwriting core-reserved request attributes like `_system_path`, `_title`, `_account`, `_route`, `_route_object`, `_controller`, `_content`.
-- **Service Container:** Use dependency injection rather than the service container directly.
-- **Factory Services:** Use factory methods for complex service instantiation.
-
-### Namespace Standards
-- **Module Namespace:** Use Drupal\\module_name\\... for all custom module code.
-- **PSR-4 Autoloading:** Class in folder module/src/SubFolder should use namespace Drupal\\module_name\\SubFolder.
-- **Use Statements:** Each class should have its own use statement; don't combine multiple classes in one use.
-- **No Leading Backslash:** Don't add a leading backslash (\\) in use statements.
-- **Global Classes:** Global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file.
-- **Class Aliasing:** Only alias classes to avoid name collisions, using meaningful names like BarBaz and ThingBaz.
-- **String Class Names:** When specifying a class name in a string, use full name including namespace without leading backslash. Prefer single quotes.
-- **Class Placement:** A class named Drupal\\module_name\\Foo should be in file module_name/src/Foo.php.
-
-### Security Practices
-- **Input Validation:** Always validate and sanitize user input.
-- **Access Checks:** Implement proper access checks for all routes and content.
-- **CSRF Protection:** Use Form API with proper form tokens for all forms.
-- **SQL Injection:** Use parameterized queries with placeholders.
-- **XSS Prevention:** Use Xss::filter() or t() with appropriate placeholders.
-- **File Security:** Validate uploaded files and restrict access properly.
-
-### Documentation and Comments
-- **PHPDoc Blocks:** Document all classes, methods, and properties with proper PHPDoc.
-- **Function Comments:** Describe parameters, return values, and exceptions.
-- **Inline Comments:** Use meaningful comments for complex logic.
-- **Comment Format:** Begin comments with a capital letter and end with a period.
-- **API Documentation:** Follow Drupal's API documentation standards.
-
-### Performance
-- **Caching:** Implement proper cache tags, contexts, and max-age.
-- **Database Queries:** Optimize queries with proper indices and JOINs.
-- **Lazy Loading:** Use lazy loading for expensive operations.
-- **Batch Processing:** Use batch API for long-running operations.
-- **Static Caching:** Implement static caching for repeated operations.
-
-### Testing
-- **Unit Tests:** Write PHPUnit tests for business logic.
-- **Kernel Tests:** Use kernel tests for integration with Drupal subsystems.
-- **Functional Tests:** Implement functional tests for user interactions.
-- **Mocking:** Use proper mocking techniques for dependencies.
-- **Test Coverage:** Aim for high test coverage of critical functionality.
-
-### API Documentation Examples
-
-#### File Documentation
-
-**Module Files (.module)**
-```php
-<?php
-
-/**
- * @file
- * Provides [module functionality description].
- */
-```
+```yaml
+name: enhanced_php_drupal_best_practices
+description: Enforce PHP 8.3+ features, Drupal 10+ coding standards, and modularity
+filters:
+  - type: file_extension
+    pattern: "\\.(php|module|inc|install|theme)$"
+  - type: file_path
+    pattern: "web/modules/custom/|web/themes/custom/"
 
-**Install Files (.install)**
-```php
-<?php
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "^(?!declare\\(strict_types=1\\);)"
+        message: "Add 'declare(strict_types=1);' at the beginning of PHP files for type safety."
 
-/**
- * @file
- * Install, update and uninstall functions for the [module name] module.
- */
-```
+      - pattern: "(?<!\\bTRUE\\b)\\btrue\\b|(?<!\\bFALSE\\b)\\bfalse\\b|(?<!\\bNULL\\b)\\bnull\\b"
+        message: "Use uppercase for TRUE, FALSE, and NULL constants."
 
-**Include Files (.inc)**
-```php
-<?php
+      - pattern: "(?i)\\/\\/\\s[a-z]"
+        message: "Ensure inline comments begin with a capital letter and end with a period."
 
-/**
- * @file
- * [Specific functionality] for the [module name] module.
- */
-```
+      - pattern: "class\\s+\\w+\\s*(?!\\{[^}]*readonly\\s+\\$)"
+        message: "Consider using readonly properties where immutability is required."
 
-**Class Files (in namespaced directories)**
-```php
-<?php
+      - pattern: "public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!:)"
+        message: "Add return type declarations for all methods to ensure type safety."
 
-namespace Drupal\module_name\ClassName;
+      - pattern: "extends\\s+\\w+\\s*\\{[^}]*public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!#\\[Override\\])"
+        message: "Add #[Override] attribute for overridden methods for clarity."
 
-use Drupal\Core\SomeClass;
+      - pattern: "\\$\\w+\\s*(?!:)"
+        message: "Use typed properties with proper nullability for better code maintainability."
 
-/**
- * Provides [class functionality description].
- *
- * [Extended description if needed]
- */
-class ClassName implements InterfaceName {
-```
+      - pattern: "function\\s+hook_\\w+\\([^)]*\\)\\s*(?!:)"
+        message: "Add type hints and return types for all hooks to leverage PHP's type system."
 
-#### Function Documentation
-
-**Standard Function**
-```php
-/**
- * Returns [what the function returns or does].
- *
- * [Additional explanation if needed]
- *
- * @param string $param1
- *   Description of parameter.
- * @param int $param2
- *   Description of parameter.
- *
- * @return array
- *   Description of returned data.
- *
- * @throws \Exception
- *   Exception thrown when [condition].
- *
- * @see related_function()
- */
-function module_function_name($param1, $param2) {
-```
+      - pattern: "new\\s+\\w+\\([^)]*\\)\\s*(?!;\\s*//\\s*@inject)"
+        message: "Use proper dependency injection with services for better testability and modularity."
 
-**Hook Implementation**
-```php
-/**
- * Implements hook_form_alter().
- */
-function module_name_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state, $form_id) {
-```
+      - pattern: "extends\\s+FormBase\\s*\\{[^}]*validate"
+        message: "Implement proper form validation in FormBase classes for security."
 
-**Update Hook**
-```php
-/**
- * Implements hook_update_N().
- *
- * [Description of what the update does].
- */
-function module_name_update_8001() {
-```
+      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{[^}]*\\$this->t\\("
+        message: "Use Drupal's t() function for strings that need translation."
 
-#### Class Documentation
+      - pattern: "\\$this->config\\('\\w+'\\)"
+        message: "Use ConfigFactory for configuration management."
 
-**Class Properties**
-```php
-/**
- * The entity type manager.
- *
- * @var \Drupal\Core\Entity\EntityTypeManagerInterface
- */
-protected $entityTypeManager;
-```
+      - pattern: "array\\s*\\("
+        message: "Use short array syntax ([]) instead of array() for consistent code style."
 
-**Method Documentation**
-```php
-/**
- * Gets entities of a specific type.
- *
- * @param string $entity_type
- *   The entity type ID.
- * @param array $conditions
- *   (optional) An array of conditions to match. Defaults to an empty array.
- *
- * @return \Drupal\Core\Entity\EntityInterface[]
- *   An array of entity objects indexed by their IDs.
- *
- * @throws \Drupal\Component\Plugin\Exception\PluginNotFoundException
- *   Thrown if the entity type doesn't exist.
- * @throws \Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException
- *   Thrown if the storage handler couldn't be loaded.
- */
-public function getEntities(string $entity_type, array $conditions = []): array {
-```
+      - pattern: "(?<!\\()\\s+\\(int\\)\\s*\\$"
+        message: "Put a space between the (type) and the $variable in a cast: (int) $mynumber."
 
-**Interface Method**
-```php
-/**
- * Implements \SomeInterface::methodName().
- */
-public function methodName() {
-```
+      - pattern: "\\n[\\t ]+\\n"
+        message: "Remove whitespace from empty lines."
 
-#### Namespace Examples
+      - pattern: "\\s+$"
+        message: "Remove trailing whitespace at the end of lines."
 
-**Using Classes From Other Namespaces**
-```php
-namespace Drupal\mymodule\Tests\Foo;
+      - pattern: "^(?!.*\\n$)"
+        message: "Ensure files end with a single newline character."
 
-use Drupal\simpletest\WebTestBase;
+      - pattern: "if\\s*\\([^)]*\\)\\s*\\{[^{]*\\}\\s*else\\s*\\{"
+        message: "Place the opening brace on the same line as the statement for control structures."
 
-/**
- * Tests that the foo bars.
- */
-class BarTest extends WebTestBase {
-```
+      - pattern: "\\$_GET|\\$_POST|\\$_REQUEST"
+        message: "Never use superglobals directly; use Drupal's input methods."
 
-**Class Aliasing for Name Collisions**
-```php
-use Foo\Bar\Baz as BarBaz;
-use Stuff\Thing\Baz as ThingBaz;
-
-/**
- * Tests stuff for the whichever.
- */
-function test() {
-  $a = new BarBaz(); // This will be Foo\Bar\Baz
-  $b = new ThingBaz(); // This will be Stuff\Thing\Baz
-}
-```
+      - pattern: "mysql_|mysqli_"
+        message: "Use Drupal's database API instead of direct MySQL functions."
 
-**Using Global Classes in Namespaced Files**
-```php
-namespace Drupal\Subsystem;
-
-// Bar is a class in the Drupal\Subsystem namespace in another file.
-// It is already available without any importing.
-
-/**
- * Defines a Foo.
- */
-class Foo {
-
-  /**
-   * Constructs a new Foo object.
-   */
-  public function __construct(Bar $b) {
-    // Global classes must be prefixed with a \ character.
-    $d = new \DateTime();
-  }
-}
-```
+      - pattern: "\\t+"
+        message: "Use 2 spaces for indentation, not tabs."
 
-#### Service Definition Example
+      - pattern: "function\\s+\\w+\\s*\\([^)]*\\)\\s*\\{[^}]*\\becho\\b"
+        message: "Don't use echo; use return values or Drupal's messenger service."
 
-**services.yml File**
-```yaml
-services:
-  mymodule.my_service:
-    class: Drupal\mymodule\MyService
-    arguments: ['@entity_type.manager', '@current_user']
-    tags:
-      - { name: cache.context }
-```
+      - pattern: "(?<!\\/\\*\\*)\\s*\\*\\s+@"
+        message: "Use proper DocBlock formatting for documentation."
+
+      - pattern: "\\bdie\\b|\\bexit\\b"
+        message: "Don't use die() or exit(); throw exceptions instead."
+
+      - pattern: "\\$entity->get\\([^)]+\\)->getValue\\(\\)"
+        message: "Use $entity->get('field_name')->value instead of getValue() when possible."
+
+      - pattern: "\\bvar_dump\\b|\\bprint_r\\b|\\bdump\\b"
+        message: "Don't use debug functions in production code; use Drupal's logger instead."
+
+      - pattern: "\\bnew\\s+DateTime\\b"
+        message: "Use Drupal's DateTimeInterface and DrupalDateTime instead of PHP's DateTime."
+
+      - pattern: "\\beval\\b"
+        message: "Never use eval() as it poses security risks."
+
+      - pattern: "function\\s+\\w+_menu_callback\\("
+        message: "Use controller classes with route definitions instead of hook_menu() callbacks."
+
+      - pattern: "\\/\\*\\*(?:[^*]|\\*[^/])*?@file(?:[^*]|\\*[^/])*?\\*\\/"
+        message: "All PHP files must include proper @file documentation in the docblock."
+
+      - pattern: "function\\s+\\w+\\s*\\((?:[^)]|\\([^)]*\\))*\\)\\s*\\{(?:[^}]|\\{[^}]*\\})*\\$_SESSION"
+        message: "Use Drupal's user session handling instead of $_SESSION."
+
+      - pattern: "function\\s+theme_\\w+\\("
+        message: "Theme functions should be replaced with Twig templates in Drupal 8+."
+
+      - pattern: "drupal_add_js|drupal_add_css"
+        message: "Use #attached in render arrays instead of drupal_add_js() or drupal_add_css()."
+
+      - pattern: "function\\s+\\w+_implements_hook_\\w+\\("
+        message: "Use proper hook implementation format: module_name_hook_name()."
+
+      - pattern: "use\\s+[^;]+,\\s*[^;]+"
+        message: "Specify a single class per use statement. Do not specify multiple classes in a single use statement."
+
+      - pattern: "use\\s+\\\\[A-Za-z]"
+        message: "When importing a class with 'use', do not include a leading backslash (\\)."
+
+      - pattern: "\\bnew\\s+\\\\DateTime\\(\\)"
+        message: "Non-namespaced global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file."
+
+      - pattern: "(?<!namespace )Drupal\\\\(?!\\w+\\\\)"
+        message: "Modules should place classes inside a custom namespace: Drupal\\module_name\\..."
+
+      - pattern: "class\\s+\\w+\\s*(?:extends|implements)(?:[^{]+)\\{\\s*[^\\s]"
+        message: "Leave an empty line between start of class/interface definition and property/method definition."
+
+      - pattern: "Drupal\\\\(?!Core|Component)[A-Z]"
+        message: "Module namespaces should be Drupal\\module_name, not Drupal\\ModuleName (camelCase not PascalCase)."
+
+      - pattern: "\\\\Drupal::request\\(\\)->attributes->set\\('([^_][^']*)',"
+        message: "Request attributes added by modules should be prefixed with underscore (e.g., '_context_value')."
+
+      - pattern: "\\\\Drupal::request\\(\\)->attributes->get\\('(_(system_path|title|route|route_object|controller|content|account))'\\)"
+        message: "Avoid overwriting reserved Symfony or Drupal core request attributes."
+
+      - pattern: "(?<!service provider)\\s+class\\s+\\w+Provider(?!Interface)"
+        message: "Classes that provide services should use the 'Provider' suffix (e.g., MyServiceProvider)."
+
+      - pattern: "\\.services\\.yml[^}]*\\s+class:\\s+[^\\n]+\\s+arguments:"
+        message: "Services should use dependency injection through constructor arguments defined in services.yml."
+
+  - type: suggest
+    message: |
+      **PHP/Drupal Development Best Practices:**
+
+      ### General Code Structure
+      - **File Structure:** Each PHP file should have the proper structures: <?php tag, namespace declaration (if applicable), use statements, docblock, and implementation.
+      - **Line Length:** Keep lines under 80 characters whenever possible.
+      - **Indentation:** Use 2 spaces for indentation, never tabs.
+      - **Empty Lines:** Use empty lines to separate logical blocks of code, but avoid multiple empty lines.
+      - **File Endings:** All files must end with a single newline character.
+
+      ### PHP Language Features
+      - **PHP Version:** Use PHP 8.3+ features where appropriate.
+      - **Strict Types:** Use declare(strict_types=1) at the top of files to enforce type safety.
+      - **Type Hints:** Always use parameter and return type hints.
+      - **Named Arguments:** Use named arguments for clarity in complex function calls.
+      - **Attributes:** Use PHP 8 attributes like #[Override] for better code comprehension.
+      - **Match Expressions:** Prefer match over switch for cleaner conditionals.
+      - **Null Coalescing:** Use ?? and ??= operators where appropriate.
+
+      ### Drupal-Specific Standards
+      - **Fields API:** Use hasField(), get(), and value() methods when working with entity fields.
+      - **Exception Handling:** Use try/catch for exception handling with proper logging.
+      - **Database Layer:** Use Drupal's database abstraction layer for all queries.
+      - **Schema Updates:** Implement hook_update_N() for schema changes during updates.
+      - **Dependency Injection:** Use services.yml and proper container injection.
+      - **Routing:** Define routes in routing.yml with proper access checks.
+      - **Forms:** Extend FormBase or ConfigFormBase with proper validation and submission handling.
+      - **Entity API:** Follow entity API best practices for loading, creating, and editing entities.
+      - **Plugins:** Use plugin system appropriately with proper annotations.
+
+      ### Service & Request Standards
+      - **Service Naming:** Use descriptive service names and appropriate naming patterns (Provider suffix for service providers).
+      - **Service Definition:** Define services in the module's *.services.yml file with appropriate tags and arguments.
+      - **Request Attributes:** When adding attributes to the Request object, prefix custom attributes with underscore (e.g., `_context_value`).
+      - **Reserved Attributes:** Avoid overwriting core-reserved request attributes like `_system_path`, `_title`, `_account`, `_route`, `_route_object`, `_controller`, `_content`.
+      - **Service Container:** Use dependency injection rather than the service container directly.
+      - **Factory Services:** Use factory methods for complex service instantiation.
+
+      ### Namespace Standards
+      - **Module Namespace:** Use Drupal\\module_name\\... for all custom module code.
+      - **PSR-4 Autoloading:** Class in folder module/src/SubFolder should use namespace Drupal\\module_name\\SubFolder.
+      - **Use Statements:** Each class should have its own use statement; don't combine multiple classes in one use.
+      - **No Leading Backslash:** Don't add a leading backslash (\\) in use statements.
+      - **Global Classes:** Global classes (like Exception) must be fully qualified with a leading backslash (\\) when used in a namespaced file.
+      - **Class Aliasing:** Only alias classes to avoid name collisions, using meaningful names like BarBaz and ThingBaz.
+      - **String Class Names:** When specifying a class name in a string, use full name including namespace without leading backslash. Prefer single quotes.
+      - **Class Placement:** A class named Drupal\\module_name\\Foo should be in file module_name/src/Foo.php.
+
+      ### Security Practices
+      - **Input Validation:** Always validate and sanitize user input.
+      - **Access Checks:** Implement proper access checks for all routes and content.
+      - **CSRF Protection:** Use Form API with proper form tokens for all forms.
+      - **SQL Injection:** Use parameterized queries with placeholders.
+      - **XSS Prevention:** Use Xss::filter() or t() with appropriate placeholders.
+      - **File Security:** Validate uploaded files and restrict access properly.
+
+      ### Documentation and Comments
+      - **PHPDoc Blocks:** Document all classes, methods, and properties with proper PHPDoc.
+      - **Function Comments:** Describe parameters, return values, and exceptions.
+      - **Inline Comments:** Use meaningful comments for complex logic.
+      - **Comment Format:** Begin comments with a capital letter and end with a period.
+      - **API Documentation:** Follow Drupal's API documentation standards.
+
+      ### Performance
+      - **Caching:** Implement proper cache tags, contexts, and max-age.
+      - **Database Queries:** Optimize queries with proper indices and JOINs.
+      - **Lazy Loading:** Use lazy loading for expensive operations.
+      - **Batch Processing:** Use batch API for long-running operations.
+      - **Static Caching:** Implement static caching for repeated operations.
+
+      ### Testing
+      - **Unit Tests:** Write PHPUnit tests for business logic.
+      - **Kernel Tests:** Use kernel tests for integration with Drupal subsystems.
+      - **Functional Tests:** Implement functional tests for user interactions.
+      - **Mocking:** Use proper mocking techniques for dependencies.
+      - **Test Coverage:** Aim for high test coverage of critical functionality.
+
+      ### API Documentation Examples
+
+      #### File Documentation
+
+      **Module Files (.module)**
+      ```php
+      <?php
+
+      /**
+       * @file
+       * Provides [module functionality description].
+       */
+      ```
+
+      **Install Files (.install)**
+      ```php
+      <?php
+
+      /**
+       * @file
+       * Install, update and uninstall functions for the [module name] module.
+       */
+      ```
+
+      **Include Files (.inc)**
+      ```php
+      <?php
+
+      /**
+       * @file
+       * [Specific functionality] for the [module name] module.
+       */
+      ```
+
+      **Class Files (in namespaced directories)**
+      ```php
+      <?php
+
+      namespace Drupal\module_name\ClassName;
+
+      use Drupal\Core\SomeClass;
+
+      /**
+       * Provides [class functionality description].
+       *
+       * [Extended description if needed]
+       */
+      class ClassName implements InterfaceName {
+      ```
+
+      #### Function Documentation
+
+      **Standard Function**
+      ```php
+      /**
+       * Returns [what the function returns or does].
+       *
+       * [Additional explanation if needed]
+       *
+       * @param string $param1
+       *   Description of parameter.
+       * @param int $param2
+       *   Description of parameter.
+       *
+       * @return array
+       *   Description of returned data.
+       *
+       * @throws \Exception
+       *   Exception thrown when [condition].
+       *
+       * @see related_function()
+       */
+      function module_function_name($param1, $param2) {
+      ```
+
+      **Hook Implementation**
+      ```php
+      /**
+       * Implements hook_form_alter().
+       */
+      function module_name_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state, $form_id) {
+      ```
+
+      **Update Hook**
+      ```php
+      /**
+       * Implements hook_update_N().
+       *
+       * [Description of what the update does].
+       */
+      function module_name_update_8001() {
+      ```
+
+      #### Class Documentation
+
+      **Class Properties**
+      ```php
+      /**
+       * The entity type manager.
+       *
+       * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+       */
+      protected $entityTypeManager;
+      ```
+
+      **Method Documentation**
+      ```php
+      /**
+       * Gets entities of a specific type.
+       *
+       * @param string $entity_type
+       *   The entity type ID.
+       * @param array $conditions
+       *   (optional) An array of conditions to match. Defaults to an empty array.
+       *
+       * @return \Drupal\Core\Entity\EntityInterface[]
+       *   An array of entity objects indexed by their IDs.
+       *
+       * @throws \Drupal\Component\Plugin\Exception\PluginNotFoundException
+       *   Thrown if the entity type doesn't exist.
+       * @throws \Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException
+       *   Thrown if the storage handler couldn't be loaded.
+       */
+      public function getEntities(string $entity_type, array $conditions = []): array {
+      ```
+
+      **Interface Method**
+      ```php
+      /**
+       * Implements \SomeInterface::methodName().
+       */
+      public function methodName() {
+      ```
+
+      #### Namespace Examples
+
+      **Using Classes From Other Namespaces**
+      ```php
+      namespace Drupal\mymodule\Tests\Foo;
+
+      use Drupal\simpletest\WebTestBase;
+
+      /**
+       * Tests that the foo bars.
+       */
+      class BarTest extends WebTestBase {
+      ```
+
+      **Class Aliasing for Name Collisions**
+      ```php
+      use Foo\Bar\Baz as BarBaz;
+      use Stuff\Thing\Baz as ThingBaz;
+
+      /**
+       * Tests stuff for the whichever.
+       */
+      function test() {
+        $a = new BarBaz(); // This will be Foo\Bar\Baz
+        $b = new ThingBaz(); // This will be Stuff\Thing\Baz
+      }
+      ```
+
+      **Using Global Classes in Namespaced Files**
+      ```php
+      namespace Drupal\Subsystem;
+
+      // Bar is a class in the Drupal\Subsystem namespace in another file.
+      // It is already available without any importing.
+
+      /**
+       * Defines a Foo.
+       */
+      class Foo {
+
+        /**
+         * Constructs a new Foo object.
+         */
+        public function __construct(Bar $b) {
+          // Global classes must be prefixed with a \ character.
+          $d = new \DateTime();
+        }
+      }
+      ```
+
+      #### Service Definition Example
+
+      **services.yml File**
+      ```yaml
+      services:
+        mymodule.my_service:
+          class: Drupal\mymodule\MyService
+          arguments: ['@entity_type.manager', '@current_user']
+          tags:
+            - { name: cache.context }
+      ```
+
+      **Request Attribute Handling**
+      ```php
+      // Correctly adding a request attribute (with underscore prefix)
+      \Drupal::request()->attributes->set('_context_value', $myvalue);
+
+      // Correctly retrieving a request attribute
+      $contextValue = \Drupal::request()->attributes->get('_context_value');
+      ```
+
+  - type: validate
+    conditions:
+      - pattern: "web/modules/custom/[^/]+/\\.info\\.yml$"
+        message: "Ensure each custom module has a required .info.yml file."
+
+      - pattern: "web/modules/custom/[^/]+/\\.module$"
+        message: "Ensure module has .module file if hooks are implemented."
+
+      - pattern: "web/modules/custom/[^/]+/src/Form/\\w+Form\\.php$"
+        message: "Place form classes in the Form directory for organization."
+
+      - pattern: "try\\s*\\{[^}]*\\}\\s*catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
+        message: "Implement proper exception handling in catch blocks."
+
+      - pattern: "namespace\\s+Drupal\\\\(?!\\w+\\\\)"
+        message: "Namespace should be Drupal\\ModuleName\\..."
+
+      - pattern: "class\\s+[^\\s]+\\s+implements\\s+[^\\s]+Interface"
+        message: "Follow PSR-4 for class naming and organization."
+
+      - pattern: "\\*\\s+@return\\s+[a-z]+\\|null"
+        message: "Use nullable return types (e.g., ?string) instead of type|null in docblocks."
+
+      - pattern: "function\\s+__construct\\([^)]*\\)\\s*\\{[^}]*parent::"
+        message: "Call parent::__construct() if extending a class with a constructor."
+
+      - pattern: "function\\s+[gs]et[A-Z]\\w+\\("
+        message: "Use camelCase for method names (e.g., getId instead of get_id)."
+
+      - pattern: "\\/\\*\\*(?:(?!\\@file).)*?\\*\\/"
+        message: "Add proper @file docblock for PHP files."
+
+      - pattern: "function\\s+hook_[a-z0-9_]+\\("
+        message: "Replace 'hook_' prefix with your module name in hook implementations."
+
+      - pattern: "(?<!\\s\\*)\\s+@(?:param|return|throws)\\b"
+        message: "DocBlock tags should be properly aligned with leading asterisks."
+
+      - pattern: "@param\\s+(?!(?:array|bool|callable|float|int|mixed|object|resource|string|void|null|\\\\)[\\s|])"
+        message: "Use proper data types in @param tags (array, bool, int, string, etc.)."
+
+      - pattern: "@return\\s+(?!(?:array|bool|callable|float|int|mixed|object|resource|string|void|null|\\\\)[\\s|])"
+        message: "Use proper data types in @return tags (array, bool, int, string, etc.)."
+
+      - pattern: "\\*\\s*@param[^\\n]*?(?:(?!\\s{3,})[^\\n])*$"
+        message: "Parameter description should be separated by at least 3 spaces from the param type/name."
+
+      - pattern: "function\\s+theme\\w+\\([^)]*\\)\\s*\\{[^}]*?(?!\\@ingroup\\s+themeable)"
+        message: "Theme functions should include @ingroup themeable in their docblock."
+
+      - pattern: "\\*\\s*@code(?!\\s+[a-z]+\\s+)"
+        message: "@code blocks should specify the language (e.g., @code php)."
+
+      - pattern: "namespace\\s+(?!Drupal\\\\)"
+        message: "Namespaces should start with 'Drupal\\'."
+
+      - pattern: "web/modules/custom/[^/]+/\\.services\\.yml$"
+        message: "Every module using services should have a services.yml file."
 
-**Request Attribute Handling**
-```php
-// Correctly adding a request attribute (with underscore prefix)
-\Drupal::request()->attributes->set('_context_value', $myvalue);
+      - pattern: "web/modules/custom/[^/]+/src/[^/]+Provider\\.php$"
+        message: "Service providers should be in the module's root namespace (src/ directory)."
 
-// Correctly retrieving a request attribute
-$contextValue = \Drupal::request()->attributes->get('_context_value');
+metadata:
+  priority: critical
+  version: 1.5
 ```
 
-## Validation
-
-- Ensure each custom module has a required .info.yml file.
-- Ensure module has .module file if hooks are implemented.
-- Place form classes in the Form directory for organization.
-- Implement proper exception handling in catch blocks.
-- Namespace should be Drupal\ModuleName\...
-- Follow PSR-4 for class naming and organization.
-- Use nullable return types (e.g., ?string) instead of type|null in docblocks.
-- Call parent::__construct() if extending a class with a constructor.
-- Use camelCase for method names (e.g., getId instead of get_id).
-- Add proper @file docblock for PHP files.
-- Replace 'hook_' prefix with your module name in hook implementations.
-- DocBlock tags should be properly aligned with leading asterisks.
-- Use proper data types in @param tags (array, bool, int, string, etc.).
-- Use proper data types in @return tags (array, bool, int, string, etc.).
-- Parameter description should be separated by at least 3 spaces from the param type/name.
-- Theme functions should include @ingroup themeable in their docblock.
-- @code blocks should specify the language (e.g., @code php).
-- Namespaces should start with 'Drupal\'.
-- Every module using services should have a services.yml file.
-- Service providers should be in the module's root namespace (src/ directory).
diff --git a/.cursor/rules/php-drupal-development-standards.mdc b/.cursor/rules/php-drupal-development-standards.mdc
index 6820a2e..16ababd 100644
--- a/.cursor/rules/php-drupal-development-standards.mdc
+++ b/.cursor/rules/php-drupal-development-standards.mdc
@@ -6,52 +6,83 @@ globs: *.php, *.module, *.inc, *.install, *.theme
 
 Ensures adherence to PHP 8.3+ features and Drupal development best practices for improved code quality, security, and maintainability.
 
-> Priority: critical · Version: 1.1
-
-## Applies To
-- `*.php`
-- `*.module`
-- `*.inc`
-- `*.install`
-- `*.theme`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|module|inc|install|theme)$`
-- Paths matching `web/modules/custom/|web/themes/custom/`
-
-## Required Checks
-
-- Add 'declare(strict_types=1);' at the beginning of PHP files for type safety.
-- Consider using readonly properties where immutability is required for better code safety.
-- Add return type declarations for all methods to enhance type safety.
-- Add #[Override] attribute for overridden methods for clear intent.
-- Use typed properties with proper nullability to improve code readability and prevent errors.
-- Add type hints and return types for all hooks to leverage PHP's type system.
-- Use proper dependency injection with services for better testability and modularity.
-- Implement proper form validation in FormBase classes for security.
-- Use uppercase for TRUE, FALSE, and NULL constants for consistency.
-- Ensure inline comments begin with a capital letter and end with a period for readability.
-- Use ConfigFactory for configuration management to ensure proper dependency injection.
-
-## Recommendations
-
-**PHP/Drupal Development Best Practices:**
-- **File Structure:** Place module files in `web/modules/custom/[module_name]/` for organization.
-- **Module Files:** Ensure modules include .info.yml, .module, .libraries.yml, .services.yml where applicable.
-- **Dependencies:** Use hook_requirements() to manage external dependencies.
-- **Forms:** Use FormBase or ConfigFormBase for creating forms, always include CSRF protection.
-- **Caching:** Apply proper cache tags and contexts for performance optimization.
-- **Error Handling & Logging:** Implement robust error handling and logging using Drupal's mechanisms.
-- **Type Safety:** Leverage type safety in form methods and throughout your code.
-- **Dependency Injection:** Follow Drupal's dependency injection patterns for better maintainability.
-- **Service Container:** Use Drupal's service container to manage dependencies.
-- **Security:** Validate all user inputs, use Drupal's security practices like sanitization and escaping.
-- **Schema Updates:** Implement hook_update_N() for database schema changes.
-- **Translation:** Use Drupal's t() function for all user-facing strings.
-
-## Validation
-
-- Ensure each custom module has a required .info.yml file.
-- Ensure module has .module file if hooks are implemented.
-- Place form classes in the Form directory for consistency.
-- Implement proper exception handling in catch blocks for robustness.
+```yaml
+name: enhanced_php_drupal_development_standards
+description: Enforce PHP 8.3+ and Drupal development standards
+filters:
+  - type: file_extension
+    pattern: "\\.(php|module|inc|install|theme)$"
+  - type: file_path
+    pattern: "web/modules/custom/|web/themes/custom/"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "^(?!declare\\(strict_types=1\\);)"
+        message: "Add 'declare(strict_types=1);' at the beginning of PHP files for type safety."
+
+      - pattern: "class\\s+\\w+\\s*(?!\\{[^}]*readonly\\s+\\$)"
+        message: "Consider using readonly properties where immutability is required for better code safety."
+
+      - pattern: "public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!:)"
+        message: "Add return type declarations for all methods to enhance type safety."
+
+      - pattern: "extends\\s+\\w+\\s*\\{[^}]*public\\s+function\\s+\\w+\\([^)]*\\)\\s*(?!#\\[Override\\])"
+        message: "Add #[Override] attribute for overridden methods for clear intent."
+
+      - pattern: "\\$\\w+\\s*(?!:)"
+        message: "Use typed properties with proper nullability to improve code readability and prevent errors."
+
+      - pattern: "function\\s+hook_\\w+\\([^)]*\\)\\s*(?!:)"
+        message: "Add type hints and return types for all hooks to leverage PHP's type system."
+
+      - pattern: "new\\s+\\w+\\([^)]*\\)\\s*(?!;\\s*//\\s*@inject)"
+        message: "Use proper dependency injection with services for better testability and modularity."
+
+      - pattern: "extends\\s+FormBase\\s*\\{[^}]*validate"
+        message: "Implement proper form validation in FormBase classes for security."
+
+      - pattern: "(?<!\\bTRUE\\b)\\btrue\\b|(?<!\\bFALSE\\b)\\bfalse\\b|(?<!\\bNULL\\b)\\bnull\\b"
+        message: "Use uppercase for TRUE, FALSE, and NULL constants for consistency."
+
+      - pattern: "(?i)\\/\\/\\s[a-z]"
+        message: "Ensure inline comments begin with a capital letter and end with a period for readability."
+
+      - pattern: "\\$this->config\\('\\w+'\\)"
+        message: "Use ConfigFactory for configuration management to ensure proper dependency injection."
+
+  - type: suggest
+    message: |
+      **PHP/Drupal Development Best Practices:**
+      - **File Structure:** Place module files in `web/modules/custom/[module_name]/` for organization.
+      - **Module Files:** Ensure modules include .info.yml, .module, .libraries.yml, .services.yml where applicable.
+      - **Dependencies:** Use hook_requirements() to manage external dependencies.
+      - **Forms:** Use FormBase or ConfigFormBase for creating forms, always include CSRF protection.
+      - **Caching:** Apply proper cache tags and contexts for performance optimization.
+      - **Error Handling & Logging:** Implement robust error handling and logging using Drupal's mechanisms.
+      - **Type Safety:** Leverage type safety in form methods and throughout your code.
+      - **Dependency Injection:** Follow Drupal's dependency injection patterns for better maintainability.
+      - **Service Container:** Use Drupal's service container to manage dependencies.
+      - **Security:** Validate all user inputs, use Drupal's security practices like sanitization and escaping.
+      - **Schema Updates:** Implement hook_update_N() for database schema changes.
+      - **Translation:** Use Drupal's t() function for all user-facing strings.
+
+  - type: validate
+    conditions:
+      - pattern: "web/modules/custom/[^/]+/\\.info\\.yml$"
+        message: "Ensure each custom module has a required .info.yml file."
+
+      - pattern: "web/modules/custom/[^/]+/\\.module$"
+        message: "Ensure module has .module file if hooks are implemented."
+
+      - pattern: "web/modules/custom/[^/]+/src/Form/\\w+Form\\.php$"
+        message: "Place form classes in the Form directory for consistency."
+
+      - pattern: "try\\s*\\{[^}]*\\}\\s*catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}"
+        message: "Implement proper exception handling in catch blocks for robustness."
+
+metadata:
+  priority: critical
+  version: 1.1
+```
+
diff --git a/.cursor/rules/php-memory-optimisation.mdc b/.cursor/rules/php-memory-optimisation.mdc
index 782eea7..ebf1dfa 100644
--- a/.cursor/rules/php-memory-optimisation.mdc
+++ b/.cursor/rules/php-memory-optimisation.mdc
@@ -4,39 +4,82 @@ globs: *.php, *.ini
 ---
 # PHP Memory Optimisation Standards
 
-Actionable guidance for reducing peak memory usage in PHP code and configuration across heterogeneous projects.
-
-> Priority: high · Version: 1.0 (PHP code) · Version: 1.0 (php.ini guidance)
-
-## Applies To
-- `*.php`
-- `*.ini`
-
-## Trigger Conditions
-- Data access layers loading large result sets or files.
-- Loops performing expensive array operations or repeated merges.
-- php.ini or runtime configuration controlling OPcache and garbage collection.
-
-## Required Checks (PHP Code)
-- Replace `fetchAll()`/`mysqli_fetch_all()` on large queries with streaming loops (`fetch()` while loops, generators, iterators).
-- Avoid `file_get_contents()`/`file()` inside loops when processing large files; stream with `SplFileObject`, chunked reads, or generators.
-- Minimise array copies (e.g., prefer `$array[] =` over `array_merge()` inside loops, preallocate when possible).
-- Review uses of `range()` that may allocate huge arrays; consider generators or iterators for large ranges.
-- Release references to large structures (`unset`, `gc_collect_cycles`) in long-running scripts once data is no longer needed.
-
-## Required Checks (PHP Configuration)
-- Ensure OPcache is enabled in production (`opcache.enable=1`, `opcache.enable_cli=1` for CLI heavy workloads).
-- Size OPcache memory and interned string buffers to match project footprint (`opcache.memory_consumption`, `opcache.interned_strings_buffer`, `opcache.max_accelerated_files`).
-- Confirm CLI workers or batch scripts inherit the same OPcache settings when appropriate.
-
-## Recommendations
-- Wrap data streaming patterns in reusable helpers to keep teams from reintroducing memory-heavy approaches.
-- Use generators (`yield`) for pipelines that transform large datasets.
-- Profile using `memory_get_usage()`, Blackfire, Xdebug, or similar tools to quantify improvements.
-- Monitor OPcache hit ratios and memory consumption to adjust configuration before saturation.
-- Consider using `Symfony\Component\Process\Process` for external commands to control memory usage of child processes.
-
-## Positive Signals
-- Presence of iterators (`Generator`, `Yield`, `SplFileObject`) instead of bulk array loading.
-- Data access layers using limit/offset pagination or chunked processing.
-- Configuration files enabling OPcache with tuned cache sizes committed alongside application code.
+Guidance and automated checks to reduce peak memory usage in PHP applications. Based on widely accepted practices and the article "PHP Memory Optimization Tips" by Khouloud Haddad.
+
+```yaml
+name: php_memory_optimisation
+description: Detect memory-heavy patterns and suggest streaming, generators, and better data handling
+filters:
+  - type: file_extension
+    pattern: "\\.php$"
+
+actions:
+  - type: enforce
+    conditions:
+      # Avoid loading entire DB result sets into memory.
+      - pattern: "->fetchAll\\("
+        message: "Avoid fetchAll() on large result sets; iterate with fetch() in a loop or wrap with a generator (yield)."
+
+      - pattern: "\\bmysqli_fetch_all\\("
+        message: "Avoid mysqli_fetch_all() for large queries; prefer streaming fetch (e.g., mysqli_fetch_assoc in a loop)."
+
+      # Avoid repeated full-file loads inside loops.
+      - pattern: "foreach\\s*\\([^)]*\\)\\s*\\{[^}]*file_get_contents\\("
+        message: "Avoid file_get_contents() inside loops; stream with SplFileObject or read once and reuse."
+
+      # Avoid array_merge in tight loops as it copies arrays.
+      - pattern: "foreach\\s*\\([^)]*\\)\\s*\\{[^}]*=\\s*array_merge\\("
+        message: "Avoid array_merge() inside loops; append elements directly or preallocate arrays."
+
+      # Use caution with range() on large ranges (allocates full array).
+      - pattern: "\\brange\\s*\\("
+        message: "range() allocates full arrays; for large ranges consider generators (yield) to avoid high memory."
+
+  - type: suggest
+    message: |
+      **PHP memory optimisation recommendations:**
+
+      - **Stream database results:** Prefer `$stmt->fetch(PDO::FETCH_ASSOC)` in a `while` loop or use generators instead of `fetchAll()`.
+      - **Use generators (yield):** Iterate large datasets without allocating full arrays.
+      - **Stream files:** Use `SplFileObject` or chunked reads instead of `file_get_contents()` for large files.
+      - **Minimise array copying:** Avoid `array_merge()` in loops; push items directly or pre-size with known capacity (e.g., `SplFixedArray`).
+      - **Free memory explicitly:** `unset($var)` after large data is no longer needed; consider `gc_collect_cycles()` for long-running scripts.
+      - **Profile memory:** Use `memory_get_usage()` and tools like Xdebug/Blackfire to spot peaks.
+      - **OPcache:** Ensure OPcache is enabled and sized appropriately in production.
+
+  - type: validate
+    conditions:
+      # Detect full-file reads that likely could be streamed.
+      - pattern: "\\bfile\\s*\\("
+        message: "file() reads entire files into memory; prefer SplFileObject for line-by-line streaming."
+
+metadata:
+  priority: high
+  version: 1.0
+```
+
+<rule>
+name: php_ini_opcache_recommendations
+description: Recommend enabling OPcache for lower memory and better performance when editing php.ini
+filters:
+  - type: file_extension
+    pattern: "\\.ini$"
+
+actions:
+  - type: suggest
+    message: |
+      **OPcache recommendations (php.ini):**
+      - Set `opcache.enable=1` and `opcache.enable_cli=1` for CLI scripts that process large datasets.
+      - Size memory pool appropriately, e.g., `opcache.memory_consumption=128` (adjust to your project).
+      - Consider `opcache.interned_strings_buffer` and `opcache.max_accelerated_files` for larger codebases.
+
+  - type: enforce
+    conditions:
+      - pattern: "(?mi)^opcache\\.enable\\s*=\\s*0"
+        message: "Enable OPcache in production (set opcache.enable=1) to reduce memory and CPU overhead."
+
+metadata:
+  priority: medium
+  version: 1.0
+</rule>
+
diff --git a/.cursor/rules/project-definition-template.mdc b/.cursor/rules/project-definition-template.mdc
index 52ec6f1..c93acae 100644
--- a/.cursor/rules/project-definition-template.mdc
+++ b/.cursor/rules/project-definition-template.mdc
@@ -6,45 +6,75 @@ globs: README.md, /docs/*
 
 This rule enforces best practices for documenting project context, ensuring clarity and maintainability through well-documented README files and documentation.
 
-> Priority: medium · Version: 1.1
-
-## Applies To
-- `README.md`
-- `/docs/*`
-
-## Trigger Conditions
-- Files matching pattern `\.md$`
-- Paths matching `README.md|/docs/`
-
-## Required Checks
-
-- Define the purpose of the project in the README file, including its goals and objectives.
-- List the technical stack used in the project in the README file, including language versions and frameworks.
-- Document the folder structure in the README file with a brief explanation for each significant directory.
-- Include any custom themes, modules, or libraries in the README file, explaining their functionality.
-- List any third-party libraries used in the project in the README file, including versions for reproducibility.
-- Provide clear setup instructions in the README to help new contributors or users get started.
-- Document contribution guidelines if the project is open-source or team-based.
-
-## Recommendations
-
-**Project Definition Best Practices:**
-- **README and Docs:** Use both README.md for an overview and /docs/ for detailed documentation.
-- **Project Purpose:** Clearly articulate why the project exists, its objectives, and who it serves.
-- **Technical Stack:** Include all technologies, versions, and possibly why each was chosen.
-- **Folder Structure:** Use tree diagrams or simple bullet points to describe the project's layout.
-- **Customizations:** Explain any custom code, including its purpose and how it integrates with the project.
-- **Libraries:** Detail external dependencies, why they're used, and how to manage them (e.g., npm, composer).
-- **Setup Instructions:** Provide step-by-step guidance for setting up the project environment.
-- **Contribution Guidelines:** Outline how to contribute, including coding standards, branch management, and pull request process.
-- **License:** Include information about the project's licensing for legal clarity.
-- **Roadmap:** Optionally, add a roadmap section to discuss future plans or features.
-
-## Validation
-
-- Ensure the project purpose is clearly defined for understanding the project's intent.
-- Ensure the technical stack is documented to aid in tech stack comprehension.
-- Ensure the folder structure is outlined for navigation ease.
-- Ensure customizations are documented for understanding unique project elements.
-- Ensure libraries are listed for dependency management.
-- Ensure setup instructions are included to facilitate onboarding.
+```yaml
+name: comprehensive_project_definition
+description: Enforce comprehensive project context definition for CursorAI
+filters:
+  - type: file_extension
+    pattern: "\\.md$"
+  - type: file_path
+    pattern: "README.md|/docs/"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "## Project Purpose"
+        message: "Define the purpose of the project in the README file, including its goals and objectives."
+
+      - pattern: "## Technical Stack"
+        message: "List the technical stack used in the project in the README file, including language versions and frameworks."
+
+      - pattern: "## Folder Structure"
+        message: "Document the folder structure in the README file with a brief explanation for each significant directory."
+
+      - pattern: "## Customizations"
+        message: "Include any custom themes, modules, or libraries in the README file, explaining their functionality."
+
+      - pattern: "## Libraries"
+        message: "List any third-party libraries used in the project in the README file, including versions for reproducibility."
+
+      - pattern: "## Setup Instructions"
+        message: "Provide clear setup instructions in the README to help new contributors or users get started."
+
+      - pattern: "## Contribution Guidelines"
+        message: "Document contribution guidelines if the project is open-source or team-based."
+
+  - type: suggest
+    message: |
+      **Project Definition Best Practices:**
+      - **README and Docs:** Use both README.md for an overview and /docs/ for detailed documentation.
+      - **Project Purpose:** Clearly articulate why the project exists, its objectives, and who it serves.
+      - **Technical Stack:** Include all technologies, versions, and possibly why each was chosen.
+      - **Folder Structure:** Use tree diagrams or simple bullet points to describe the project's layout.
+      - **Customizations:** Explain any custom code, including its purpose and how it integrates with the project.
+      - **Libraries:** Detail external dependencies, why they're used, and how to manage them (e.g., npm, composer).
+      - **Setup Instructions:** Provide step-by-step guidance for setting up the project environment.
+      - **Contribution Guidelines:** Outline how to contribute, including coding standards, branch management, and pull request process.
+      - **License:** Include information about the project's licensing for legal clarity.
+      - **Roadmap:** Optionally, add a roadmap section to discuss future plans or features.
+
+  - type: validate
+    conditions:
+      - pattern: "## Project Purpose"
+        message: "Ensure the project purpose is clearly defined for understanding the project's intent."
+
+      - pattern: "## Technical Stack"
+        message: "Ensure the technical stack is documented to aid in tech stack comprehension."
+
+      - pattern: "## Folder Structure"
+        message: "Ensure the folder structure is outlined for navigation ease."
+
+      - pattern: "## Customizations"
+        message: "Ensure customizations are documented for understanding unique project elements."
+
+      - pattern: "## Libraries"
+        message: "Ensure libraries are listed for dependency management."
+
+      - pattern: "## Setup Instructions"
+        message: "Ensure setup instructions are included to facilitate onboarding."
+
+metadata:
+  priority: medium
+  version: 1.1
+```
+
diff --git a/.cursor/rules/pull-request-changelist-instructions.mdc b/.cursor/rules/pull-request-changelist-instructions.mdc
index b8fd2b9..e2d645d 100644
--- a/.cursor/rules/pull-request-changelist-instructions.mdc
+++ b/.cursor/rules/pull-request-changelist-instructions.mdc
@@ -1,6 +1,6 @@
 ---
 description: Guidelines for creating consistent pull request changelists in markdown format with proper code block formatting
-globs: 
+globs:
 alwaysApply: false
 ---
 ---
@@ -12,100 +12,109 @@ alwaysApply: false
 
 This document outlines strict standards for creating and formatting pull request changelists in markdown. Following these guidelines ensures that the output remains as raw markdown (unrendered) and prevents any issues with Cursor’s markdown rendering.
 
-> Priority: medium · Version: 1.2
-
-## Trigger Conditions
-- Files matching pattern `\.md$`
-- Files containing `(?i)(pull request|pr|changelist|changelog)`
-
-## Recommendations
-
-## Updated Pull Request Changelist Guidelines
-
-To guarantee clarity and consistency, please adhere to the following time-tested, unambiguous guidelines when requesting a PR changelist from Cursor:
-
-### 1. Request Format
-**Always explicitly request raw markdown output in a code block** using one of these exact phrases:
-- "Return markdown as code"
-- "Return as code inside markdown as code (one block)"
-- "Provide the markdown in a code block"
-- "Return the content as a markdown code block, not as formatted text"
-- "Generate the PR changelist in a markdown code block"
-
-Avoid ambiguous wording that could lead to a rendered (formatted) output.
-
-### 2. Expected Response Format
-Cursor should always respond with a raw markdown code block that looks like:
-```
-```markdown
-# Summary of Changes
-
-## Category Name
-- Change item
-```
-```
-
-### 3. Handling Incorrect Format
-If the response is rendered markdown rather than a raw code block, prompt with one of the following:
-- "Please provide the exact markdown in a code block using triple backticks, not as formatted text."
-- "I require the raw markdown syntax; reformat your response with triple backticks."
-- "Reformat your output as a code block enclosed in triple backticks."
-
-### 4. Changelist Structure
-- **Main Heading:** Must begin with `# Summary of Changes`
-- **Categories:** Use `##` headings to group related changes.
-- **Changes:** List each change with a bullet (`-`), starting with a past tense verb (e.g., Added, Updated, Removed).
-- **Code/Variables:** Enclose module names or configuration settings in backticks (e.g., `module_name`).
-
-### 5. Content Requirements
-- Be specific about what changed and why.
-- Group similar changes under the appropriate category headings.
-- For configuration changes, include both the setting name and its new value.
-- Keep each entry concise but descriptive.
-
-### 6. Example Command
-To request a changelist from Cursor, try:
-```
-Prepare a PR changelist based on these changes. Return the markdown in a code block with triple backticks.
-```
-
-Adhering to these traditional, time-tested formatting guidelines not only prevents ambiguity but also paves the way for future improvements in automated changelist generation.
-
-## Validation
-
-- The changelist must be a raw markdown code block starting with '# Summary of Changes'. Ensure the use of triple backticks and correct heading structure.
-- Each bullet point must begin with a past tense verb: 'Added', 'Updated', or 'Removed'.
-
-## Examples
-### Example 1
-```
-Request: "Create a PR changelist for my changes. Return markdown code as code."
-
-Good Response from Cursor:
-```markdown
-# Summary of Changes
-
-## Environment Configuration
-- Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
-- Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
-
-## Module Changes
-- Removed `page_cache` module
-- Added `stage_file_proxy` module
-```
-```
-Outcome: This is the correct format for Cursor to return a changelist – as a raw markdown code block enclosed in triple backticks.
-
-### Example 2
-```
-Request: "Create a PR changelist for my changes."
-
-Bad Response from Cursor (rendered markdown instead of a code block):
-# Summary of Changes
-
-## Environment Configuration
-- Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
-- Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
+```yaml
+name: pull_request_changelist_format
+description: Updated guidelines for creating consistent pull request changelists in markdown with strict code block handling and structured formatting.
+filters:
+  - type: file_extension
+    pattern: "\\.md$"
+  - type: content
+    pattern: "(?i)(pull request|pr|changelist|changelog)"
+
+actions:
+  - type: suggest
+    message: |
+      ## Updated Pull Request Changelist Guidelines
+
+      To guarantee clarity and consistency, please adhere to the following time-tested, unambiguous guidelines when requesting a PR changelist from Cursor:
+
+      ### 1. Request Format
+      **Always explicitly request raw markdown output in a code block** using one of these exact phrases:
+      - "Return markdown as code"
+      - "Return as code inside markdown as code (one block)"
+      - "Provide the markdown in a code block"
+      - "Return the content as a markdown code block, not as formatted text"
+      - "Generate the PR changelist in a markdown code block"
+
+      Avoid ambiguous wording that could lead to a rendered (formatted) output.
+
+      ### 2. Expected Response Format
+      Cursor should always respond with a raw markdown code block that looks like:
+      ```
+      ```markdown
+      # Summary of Changes
+
+      ## Category Name
+      - Change item
+      ```
+      ```
+
+      ### 3. Handling Incorrect Format
+      If the response is rendered markdown rather than a raw code block, prompt with one of the following:
+      - "Please provide the exact markdown in a code block using triple backticks, not as formatted text."
+      - "I require the raw markdown syntax; reformat your response with triple backticks."
+      - "Reformat your output as a code block enclosed in triple backticks."
+
+      ### 4. Changelist Structure
+      - **Main Heading:** Must begin with `# Summary of Changes`
+      - **Categories:** Use `##` headings to group related changes.
+      - **Changes:** List each change with a bullet (`-`), starting with a past tense verb (e.g., Added, Updated, Removed).
+      - **Code/Variables:** Enclose module names or configuration settings in backticks (e.g., `module_name`).
+
+      ### 5. Content Requirements
+      - Be specific about what changed and why.
+      - Group similar changes under the appropriate category headings.
+      - For configuration changes, include both the setting name and its new value.
+      - Keep each entry concise but descriptive.
+
+      ### 6. Example Command
+      To request a changelist from Cursor, try:
+      ```
+      Prepare a PR changelist based on these changes. Return the markdown in a code block with triple backticks.
+      ```
+
+      Adhering to these traditional, time-tested formatting guidelines not only prevents ambiguity but also paves the way for future improvements in automated changelist generation.
+
+  - type: validate
+    conditions:
+      - pattern: "^```\\s*markdown\\s*\\n#\\s+Summary\\s+of\\s+Changes"
+        message: "The changelist must be a raw markdown code block starting with '# Summary of Changes'. Ensure the use of triple backticks and correct heading structure."
+      - pattern: "-\\s+(Added|Updated|Removed)\\b"
+        message: "Each bullet point must begin with a past tense verb: 'Added', 'Updated', or 'Removed'."
+
+examples:
+  - input: |
+      Request: "Create a PR changelist for my changes. Return markdown code as code."
+
+      Good Response from Cursor:
+      ```markdown
+      # Summary of Changes
+
+      ## Environment Configuration
+      - Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
+      - Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
+
+      ## Module Changes
+      - Removed `page_cache` module
+      - Added `stage_file_proxy` module
+      ```
+    output: |
+      This is the correct format for Cursor to return a changelist – as a raw markdown code block enclosed in triple backticks.
+
+  - input: |
+      Request: "Create a PR changelist for my changes."
+
+      Bad Response from Cursor (rendered markdown instead of a code block):
+      # Summary of Changes
+
+      ## Environment Configuration
+      - Updated `STAGE_FILE_PROXY_URL` to data.safeworkaustralia.gov.au
+      - Updated `LOCALDEV_URL` to dataswa.docker.amazee.io
+    output: |
+      This response is incorrectly formatted as rendered markdown. Please ask Cursor to provide the output as a raw markdown code block with triple backticks.
+
+metadata:
+  priority: medium
+  version: 1.2
 ```
-Outcome: This response is incorrectly formatted as rendered markdown. Please ask Cursor to provide the output as a raw markdown code block with triple backticks.
 
diff --git a/.cursor/rules/python-authentication-failures.mdc b/.cursor/rules/python-authentication-failures.mdc
index 3aaa2a1..0fe0818 100644
--- a/.cursor/rules/python-authentication-failures.mdc
+++ b/.cursor/rules/python-authentication-failures.mdc
@@ -3,259 +3,337 @@ description: Detect and prevent identification and authentication failures in Py
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Identification and Authentication Failures Standards (OWASP A07:2021)
+ # Python Identification and Authentication Failures Standards (OWASP A07:2021)
 
 This rule enforces security best practices to prevent identification and authentication failures in Python applications, as defined in OWASP Top 10:2021-A07.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Weak password policy detected. Passwords should be at least 8 characters long and include complexity requirements.
-- Hardcoded credentials detected. Store sensitive credentials in environment variables or a secure vault.
-- Storing or comparing plain text passwords detected. Always hash passwords before storage or comparison.
-- Insecure hashing algorithm detected. Use strong hashing algorithms like bcrypt, Argon2, or PBKDF2.
-- Authentication endpoint detected without rate limiting or brute force protection. Implement account lockout or rate limiting.
-- Session management detected. Ensure proper session security with secure cookies, proper expiration, and rotation.
-- Form handling detected. Ensure CSRF protection is enabled for all authentication forms.
-- Remember me functionality detected. Ensure secure implementation with proper expiration and refresh mechanisms.
-- Password reset functionality detected. Ensure secure implementation with time-limited tokens and proper user verification.
-- Authentication function detected. Consider implementing multi-factor authentication for sensitive operations.
-- Direct user lookup detected. Ensure proper authorization checks before accessing user data.
-- JWT usage detected. Ensure proper signing, validation, expiration, and refresh mechanisms for JWTs.
-- Cookie setting without secure flag detected. Set secure=True for all authentication cookies.
-- Cookie setting without httponly flag detected. Set httponly=True for all authentication cookies.
-- Default credential configuration detected. Remove default credentials from production code.
-
-## Recommendations
-
-**Python Authentication Security Best Practices:**
-
-1. **Password Storage:**
-   - Use strong hashing algorithms with salting
-   - Implement proper work factors
-   - Example with passlib:
-     ```python
-     from passlib.hash import argon2
-     
-     # Hash a password
-     hashed_password = argon2.hash("user_password")
-     
-     # Verify a password
-     is_valid = argon2.verify("user_password", hashed_password)
-     ```
-   - Example with Django:
-     ```python
-     from django.contrib.auth.hashers import make_password, check_password
-     
-     # Hash a password
-     hashed_password = make_password("user_password")
-     
-     # Verify a password
-     is_valid = check_password("user_password", hashed_password)
-     ```
-
-2. **Password Policies:**
-   - Enforce minimum length (at least 8 characters)
-   - Require complexity (uppercase, lowercase, numbers, special characters)
-   - Check against common passwords
-   - Example with Django:
-     ```python
-     # settings.py
-     AUTH_PASSWORD_VALIDATORS = [
-         {
-             'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
-             'OPTIONS': {'min_length': 12}
-         },
-         {
-             'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
-         },
-         {
-             'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
-         },
-         {
-             'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-         },
-     ]
-     ```
-
-3. **Brute Force Protection:**
-   - Implement account lockout after failed attempts
-   - Use rate limiting for authentication endpoints
-   - Example with Flask and Flask-Limiter:
-     ```python
-     from flask import Flask
-     from flask_limiter import Limiter
-     from flask_limiter.util import get_remote_address
-     
-     app = Flask(__name__)
-     limiter = Limiter(
-         app,
-         key_func=get_remote_address,
-         default_limits=["200 per day", "50 per hour"]
-     )
-     
-     @app.route("/login", methods=["POST"])
-     @limiter.limit("5 per minute")
-     def login():
-         # Login logic here
-         pass
-     ```
-
-4. **Multi-Factor Authentication:**
-   - Implement MFA for sensitive operations
-   - Use time-based one-time passwords (TOTP)
-   - Example with pyotp:
-     ```python
-     import pyotp
-     
-     # Generate a secret key for the user
-     secret = pyotp.random_base32()
-     
-     # Create a TOTP object
-     totp = pyotp.TOTP(secret)
-     
-     # Verify a token
-     is_valid = totp.verify(user_provided_token)
-     ```
-
-5. **Secure Session Management:**
-   - Use secure, HTTP-only cookies
-   - Implement proper session expiration
-   - Rotate session IDs after login
-   - Example with Flask:
-     ```python
-     from flask import Flask, session
-     
-     app = Flask(__name__)
-     app.config.update(
-         SECRET_KEY='your-secret-key',
-         SESSION_COOKIE_SECURE=True,
-         SESSION_COOKIE_HTTPONLY=True,
-         SESSION_COOKIE_SAMESITE='Lax',
-         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-     )
-     ```
-
-6. **CSRF Protection:**
-   - Implement CSRF tokens for all forms
-   - Validate tokens on form submission
-   - Example with Flask-WTF:
-     ```python
-     from flask_wtf import FlaskForm, CSRFProtect
-     from wtforms import StringField, PasswordField, SubmitField
-     
-     csrf = CSRFProtect(app)
-     
-     class LoginForm(FlaskForm):
-         username = StringField('Username')
-         password = PasswordField('Password')
-         submit = SubmitField('Login')
-     ```
-
-7. **Secure Password Reset:**
-   - Use time-limited, single-use tokens
-   - Send reset links to verified email addresses
-   - Example implementation:
-     ```python
-     import secrets
-     from datetime import datetime, timedelta
-     
-     def generate_reset_token(user_id):
-         token = secrets.token_urlsafe(32)
-         expiry = datetime.utcnow() + timedelta(hours=1)
-         # Store token and expiry in database with user_id
-         return token
-     
-     def verify_reset_token(token):
-         # Retrieve token from database
-         # Check if token exists and is not expired
-         # If valid, return user_id
-         pass
-     ```
-
-8. **Secure JWT Implementation:**
-   - Use strong signing keys
-   - Include expiration claims
-   - Validate all claims
-   - Example with PyJWT:
-     ```python
-     import jwt
-     from datetime import datetime, timedelta
-     
-     # Create a JWT
-     payload = {
-         'user_id': user.id,
-         'exp': datetime.utcnow() + timedelta(hours=1),
-         'iat': datetime.utcnow()
-     }
-     token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
-     
-     # Verify a JWT
-     try:
-         payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
-         user_id = payload['user_id']
-     except jwt.ExpiredSignatureError:
-         # Token has expired
-         pass
-     except jwt.InvalidTokenError:
-         # Invalid token
-         pass
-     ```
-
-9. **Secure Cookie Configuration:**
-   - Set secure, HTTP-only, and SameSite flags
-   - Example with Flask:
-     ```python
-     from flask import Flask, make_response
-     
-     app = Flask(__name__)
-     
-     @app.route('/set_cookie')
-     def set_cookie():
-         resp = make_response('Cookie set')
-         resp.set_cookie(
-             'session_id', 
-             'value', 
-             secure=True, 
-             httponly=True, 
-             samesite='Lax',
-             max_age=3600
-         )
-         return resp
-     ```
-
-10. **Credential Storage:**
-    - Use environment variables or secure vaults
-    - Never hardcode credentials
-    - Example with python-dotenv:
-      ```python
-      import os
-      from dotenv import load_dotenv
-      
-      load_dotenv()
-      
-      # Access credentials from environment variables
-      db_user = os.environ.get('DB_USER')
-      db_password = os.environ.get('DB_PASSWORD')
-      ```
-
-## Validation
-
-- Using secure password hashing algorithms.
-- CSRF protection is implemented.
-- Secure cookie settings are configured.
-- Rate limiting is implemented for authentication endpoints.
+```yaml
+name: python_authentication_failures
+description: Detect and prevent identification and authentication failures in Python applications as defined in OWASP Top 10:2021-A07
+filters:
+  - type: file_extension
+    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Weak password validation
+      - pattern: "password\\s*=\\s*['\"][^'\"]{1,7}['\"]|min_length\\s*=\\s*[1-7]"
+        message: "Weak password policy detected. Passwords should be at least 8 characters long and include complexity requirements."
+
+      # Pattern 2: Hardcoded credentials
+      - pattern: "(username|user|login|password|passwd|pwd|secret|api_key|apikey|token)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Hardcoded credentials detected. Store sensitive credentials in environment variables or a secure vault."
+
+      # Pattern 3: Missing password hashing
+      - pattern: "password\\s*=\\s*request\\.form\\[\\'password\\'\\]|password\\s*=\\s*request\\.POST\\.get\\(\\'password\\'\\)"
+        message: "Storing or comparing plain text passwords detected. Always hash passwords before storage or comparison."
+
+      # Pattern 4: Insecure password hashing
+      - pattern: "hashlib\\.md5\\(|hashlib\\.sha1\\(|hashlib\\.sha224\\("
+        message: "Insecure hashing algorithm detected. Use strong hashing algorithms like bcrypt, Argon2, or PBKDF2."
+
+      # Pattern 5: Missing brute force protection
+      - pattern: "@app\\.route\\(['\"]\\/(login|signin|authenticate)['\"]"
+        message: "Authentication endpoint detected without rate limiting or brute force protection. Implement account lockout or rate limiting."
+
+      # Pattern 6: Insecure session management
+      - pattern: "session\\[\\'user_id\\'\\]\\s*=|session\\[\\'authenticated\\'\\]\\s*=\\s*True"
+        message: "Session management detected. Ensure proper session security with secure cookies, proper expiration, and rotation."
+
+      # Pattern 7: Missing CSRF protection in authentication
+      - pattern: "form\\s*=\\s*FlaskForm|class\\s+\\w+Form\\(\\s*FlaskForm\\s*\\)|class\\s+\\w+Form\\(\\s*Form\\s*\\)"
+        message: "Form handling detected. Ensure CSRF protection is enabled for all authentication forms."
+
+      # Pattern 8: Insecure remember me functionality
+      - pattern: "remember_me|remember_token|stay_logged_in"
+        message: "Remember me functionality detected. Ensure secure implementation with proper expiration and refresh mechanisms."
+
+      # Pattern 9: Insecure password reset
+      - pattern: "@app\\.route\\(['\"]\\/(reset-password|forgot-password|recover)['\"]"
+        message: "Password reset functionality detected. Ensure secure implementation with time-limited tokens and proper user verification."
+
+      # Pattern 10: Missing multi-factor authentication
+      - pattern: "def\\s+login|def\\s+authenticate|def\\s+signin"
+        message: "Authentication function detected. Consider implementing multi-factor authentication for sensitive operations."
+
+      # Pattern 11: Insecure direct object reference in user management
+      - pattern: "User\\.objects\\.get\\(id=|User\\.query\\.get\\(|get_user_by_id\\("
+        message: "Direct user lookup detected. Ensure proper authorization checks before accessing user data."
+
+      # Pattern 12: Insecure JWT implementation
+      - pattern: "jwt\\.encode\\(|jwt\\.decode\\("
+        message: "JWT usage detected. Ensure proper signing, validation, expiration, and refresh mechanisms for JWTs."
+
+      # Pattern 13: Missing secure flag in cookies
+      - pattern: "set_cookie\\([^,]+,[^,]+,[^,]*secure=False|set_cookie\\([^,]+,[^,]+(?!,\\s*secure=True)"
+        message: "Cookie setting without secure flag detected. Set secure=True for all authentication cookies."
+
+      # Pattern 14: Missing HTTP-only flag in cookies
+      - pattern: "set_cookie\\([^,]+,[^,]+,[^,]*httponly=False|set_cookie\\([^,]+,[^,]+(?!,\\s*httponly=True)"
+        message: "Cookie setting without httponly flag detected. Set httponly=True for all authentication cookies."
+
+      # Pattern 15: Insecure default credentials
+      - pattern: "DEFAULT_USERNAME|DEFAULT_PASSWORD|ADMIN_USERNAME|ADMIN_PASSWORD"
+        message: "Default credential configuration detected. Remove default credentials from production code."
+
+  - type: suggest
+    message: |
+      **Python Authentication Security Best Practices:**
+
+      1. **Password Storage:**
+         - Use strong hashing algorithms with salting
+         - Implement proper work factors
+         - Example with passlib:
+           ```python
+           from passlib.hash import argon2
+
+           # Hash a password
+           hashed_password = argon2.hash("user_password")
+
+           # Verify a password
+           is_valid = argon2.verify("user_password", hashed_password)
+           ```
+         - Example with Django:
+           ```python
+           from django.contrib.auth.hashers import make_password, check_password
+
+           # Hash a password
+           hashed_password = make_password("user_password")
+
+           # Verify a password
+           is_valid = check_password("user_password", hashed_password)
+           ```
+
+      2. **Password Policies:**
+         - Enforce minimum length (at least 8 characters)
+         - Require complexity (uppercase, lowercase, numbers, special characters)
+         - Check against common passwords
+         - Example with Django:
+           ```python
+           # settings.py
+           AUTH_PASSWORD_VALIDATORS = [
+               {
+                   'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+                   'OPTIONS': {'min_length': 12}
+               },
+               {
+                   'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+               },
+               {
+                   'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+               },
+               {
+                   'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+               },
+           ]
+           ```
+
+      3. **Brute Force Protection:**
+         - Implement account lockout after failed attempts
+         - Use rate limiting for authentication endpoints
+         - Example with Flask and Flask-Limiter:
+           ```python
+           from flask import Flask
+           from flask_limiter import Limiter
+           from flask_limiter.util import get_remote_address
+
+           app = Flask(__name__)
+           limiter = Limiter(
+               app,
+               key_func=get_remote_address,
+               default_limits=["200 per day", "50 per hour"]
+           )
+
+           @app.route("/login", methods=["POST"])
+           @limiter.limit("5 per minute")
+           def login():
+               # Login logic here
+               pass
+           ```
+
+      4. **Multi-Factor Authentication:**
+         - Implement MFA for sensitive operations
+         - Use time-based one-time passwords (TOTP)
+         - Example with pyotp:
+           ```python
+           import pyotp
+
+           # Generate a secret key for the user
+           secret = pyotp.random_base32()
+
+           # Create a TOTP object
+           totp = pyotp.TOTP(secret)
+
+           # Verify a token
+           is_valid = totp.verify(user_provided_token)
+           ```
+
+      5. **Secure Session Management:**
+         - Use secure, HTTP-only cookies
+         - Implement proper session expiration
+         - Rotate session IDs after login
+         - Example with Flask:
+           ```python
+           from flask import Flask, session
+
+           app = Flask(__name__)
+           app.config.update(
+               SECRET_KEY='your-secret-key',
+               SESSION_COOKIE_SECURE=True,
+               SESSION_COOKIE_HTTPONLY=True,
+               SESSION_COOKIE_SAMESITE='Lax',
+               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+           )
+           ```
+
+      6. **CSRF Protection:**
+         - Implement CSRF tokens for all forms
+         - Validate tokens on form submission
+         - Example with Flask-WTF:
+           ```python
+           from flask_wtf import FlaskForm, CSRFProtect
+           from wtforms import StringField, PasswordField, SubmitField
+
+           csrf = CSRFProtect(app)
+
+           class LoginForm(FlaskForm):
+               username = StringField('Username')
+               password = PasswordField('Password')
+               submit = SubmitField('Login')
+           ```
+
+      7. **Secure Password Reset:**
+         - Use time-limited, single-use tokens
+         - Send reset links to verified email addresses
+         - Example implementation:
+           ```python
+           import secrets
+           from datetime import datetime, timedelta
+
+           def generate_reset_token(user_id):
+               token = secrets.token_urlsafe(32)
+               expiry = datetime.utcnow() + timedelta(hours=1)
+               # Store token and expiry in database with user_id
+               return token
+
+           def verify_reset_token(token):
+               # Retrieve token from database
+               # Check if token exists and is not expired
+               # If valid, return user_id
+               pass
+           ```
+
+      8. **Secure JWT Implementation:**
+         - Use strong signing keys
+         - Include expiration claims
+         - Validate all claims
+         - Example with PyJWT:
+           ```python
+           import jwt
+           from datetime import datetime, timedelta
+
+           # Create a JWT
+           payload = {
+               'user_id': user.id,
+               'exp': datetime.utcnow() + timedelta(hours=1),
+               'iat': datetime.utcnow()
+           }
+           token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
+
+           # Verify a JWT
+           try:
+               payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
+               user_id = payload['user_id']
+           except jwt.ExpiredSignatureError:
+               # Token has expired
+               pass
+           except jwt.InvalidTokenError:
+               # Invalid token
+               pass
+           ```
+
+      9. **Secure Cookie Configuration:**
+         - Set secure, HTTP-only, and SameSite flags
+         - Example with Flask:
+           ```python
+           from flask import Flask, make_response
+
+           app = Flask(__name__)
+
+           @app.route('/set_cookie')
+           def set_cookie():
+               resp = make_response('Cookie set')
+               resp.set_cookie(
+                   'session_id',
+                   'value',
+                   secure=True,
+                   httponly=True,
+                   samesite='Lax',
+                   max_age=3600
+               )
+               return resp
+           ```
+
+      10. **Credential Storage:**
+          - Use environment variables or secure vaults
+          - Never hardcode credentials
+          - Example with python-dotenv:
+            ```python
+            import os
+            from dotenv import load_dotenv
+
+            load_dotenv()
+
+            # Access credentials from environment variables
+            db_user = os.environ.get('DB_USER')
+            db_password = os.environ.get('DB_PASSWORD')
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Proper password hashing
+      - pattern: "argon2|bcrypt|pbkdf2|make_password|generate_password_hash"
+        message: "Using secure password hashing algorithms."
+
+      # Check 2: CSRF protection
+      - pattern: "csrf|CSRFProtect|csrf_token|csrftoken"
+        message: "CSRF protection is implemented."
+
+      # Check 3: Secure cookie settings
+      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*True|secure=True|httponly=True|samesite"
+        message: "Secure cookie settings are configured."
+
+      # Check 4: Rate limiting
+      - pattern: "limiter\\.limit|RateLimitExceeded|rate_limit|throttle"
+        message: "Rate limiting is implemented for authentication endpoints."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - authentication
+    - identity
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:authentication
+    - standard:owasp-top10
+    - risk:a07-identification-authentication-failures
+  references:
+    - "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html"
+    - "https://docs.djangoproject.com/en/stable/topics/auth/passwords/"
+    - "https://flask-login.readthedocs.io/en/latest/"
+    - "https://fastapi.tiangolo.com/tutorial/security/"
+```
+
diff --git a/.cursor/rules/python-broken-access-control.mdc b/.cursor/rules/python-broken-access-control.mdc
index d7e2e21..69248b3 100644
--- a/.cursor/rules/python-broken-access-control.mdc
+++ b/.cursor/rules/python-broken-access-control.mdc
@@ -7,75 +7,145 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent broken access control vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A01.
 
-> Priority: 90 · Version: 1.0
-
-## Applies To
-- `*.py`
-
-## Trigger Conditions
-- Files matching pattern `\.(py)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Flask route lacks access control. Consider using @login_required or checking user permissions within the function.
-- Django class-based view lacks access control mixins. Consider using LoginRequiredMixin, PermissionRequiredMixin, or UserPassesTestMixin.
-- Potential insecure direct object reference (IDOR). Validate that the current user has permission to access this object.
-- Hardcoded role checks can be fragile. Consider using a permission system or role-based access control framework.
-- FastAPI endpoint lacks security dependencies. Consider using Depends(get_current_user) or similar security dependencies.
-- Dangerous admin/debug flags in request parameters could bypass access control. Remove or secure these backdoors.
-- Extremely dangerous use of eval() or exec() with user input can lead to code execution. Avoid these functions entirely.
-- API endpoint may lack access control. Ensure proper authentication and authorization checks are implemented.
-- Setting session variables directly from request data without validation can lead to session-based access control bypasses.
-- Form or view appears to be missing CSRF protection. Ensure CSRF tokens are properly implemented.
-
-## Recommendations
-
-**Python Access Control Best Practices:**
-
-1. **Framework-Specific Controls:**
-   - **Django**: Use built-in authentication and permission decorators/mixins
-     - `@login_required`, `LoginRequiredMixin`
-     - `@permission_required`, `PermissionRequiredMixin`
-     - `UserPassesTestMixin` for custom permission logic
-   - **Flask**: Use Flask-Login or similar extensions
-     - `@login_required` decorator
-     - `current_user.is_authenticated` checks
-     - Role-based access control with Flask-Principal
-   - **FastAPI**: Use dependency injection for security
-     - `Depends(get_current_user)` pattern
-     - OAuth2 with `Security(oauth2_scheme)`
-     - JWT validation middleware
-
-2. **General Access Control Principles:**
-   - Implement access control at the server side, never rely on client-side checks
-   - Use deny-by-default approach (whitelist vs blacklist)
-   - Implement proper session management
-   - Apply principle of least privilege
-   - Use contextual access control (time, location, device-based restrictions when appropriate)
-
-3. **Object-Level Authorization:**
-   - Validate user has permission to access specific resources
-   - Implement row-level security for database access
-   - Use UUIDs instead of sequential IDs when possible
-   - Always verify ownership or permission before allowing operations on objects
-
-4. **API Security:**
-   - Implement proper authentication for all API endpoints
-   - Use token-based authentication with proper validation
-   - Apply rate limiting to prevent brute force attacks
-   - Implement proper CORS configuration
-   - Log and monitor access control failures
-
-5. **Testing Access Control:**
-   - Write tests specifically for authorization logic
-   - Test vertical access control (different permission levels)
-   - Test horizontal access control (same permission level, different users)
-   - Verify access control works after session timeout/expiration
-
-## Validation
-
-- Using Django's built-in access control mechanisms.
-- Implementing proper Flask authentication checks.
-- Implementing object-level permission checks.
-- Using FastAPI's security dependency injection.
+```yaml
+name: python_broken_access_control
+description: Detect and prevent broken access control vulnerabilities in Python applications as defined in OWASP Top 10:2021-A01
+filters:
+  - type: file_extension
+    pattern: "\\.(py)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing access control in Flask routes
+      - pattern: "@(app|blueprint)\\.route\\([^)]*\\)\\s*\\n\\s*def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*@login_required|[^#]*current_user\\.|[^#]*session\\[)"
+        message: "Flask route lacks access control. Consider using @login_required or checking user permissions within the function."
+
+      # Pattern 2: Missing access control in Django views
+      - pattern: "class\\s+[A-Za-z0-9_]+View\\((?!LoginRequiredMixin|PermissionRequiredMixin|UserPassesTestMixin)[^)]*\\):"
+        message: "Django class-based view lacks access control mixins. Consider using LoginRequiredMixin, PermissionRequiredMixin, or UserPassesTestMixin."
+
+      # Pattern 3: Insecure direct object reference
+      - pattern: "(get|filter|find)_by_id\\(\\s*request\\.(GET|POST|args|form|json)\\[['\"][^'\"]+['\"]\\]\\s*\\)"
+        message: "Potential insecure direct object reference (IDOR). Validate that the current user has permission to access this object."
+
+      # Pattern 4: Hardcoded role checks
+      - pattern: "if\\s+user\\.role\\s*==\\s*['\"]admin['\"]|if\\s+user\\.(is_staff|is_superuser)\\s*:"
+        message: "Hardcoded role checks can be fragile. Consider using a permission system or role-based access control framework."
+
+      # Pattern 5: Missing authorization in FastAPI
+      - pattern: "@(app|router)\\.([a-z]+)\\([^)]*\\)\\s*\\n\\s*(?:async\\s+)?def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*Depends\\(|[^#]*Security\\(|[^#]*HTTPBearer\\()"
+        message: "FastAPI endpoint lacks security dependencies. Consider using Depends(get_current_user) or similar security dependencies."
+
+      # Pattern 6: Bypassing access control with admin flags
+      - pattern: "if\\s+request\\.(GET|POST|args|form|json)\\[['\"]admin['\"]\\]|if\\s+request\\.(GET|POST|args|form|json)\\[['\"]debug['\"]\\]"
+        message: "Dangerous admin/debug flags in request parameters could bypass access control. Remove or secure these backdoors."
+
+      # Pattern 7: Insecure use of eval or exec with user input
+      - pattern: "eval\\(|exec\\(.*request\\."
+        message: "Extremely dangerous use of eval() or exec() with user input can lead to code execution. Avoid these functions entirely."
+
+      # Pattern 8: Missing access control in API endpoints
+      - pattern: "@api_view\\(|@api\\.route\\(|@app\\.api_route\\("
+        message: "API endpoint may lack access control. Ensure proper authentication and authorization checks are implemented."
+
+      # Pattern 9: Insecure Flask session usage
+      - pattern: "session\\[['\"][^'\"]+['\"]\\]\\s*=\\s*request\\."
+        message: "Setting session variables directly from request data without validation can lead to session-based access control bypasses."
+
+      # Pattern 10: Missing CSRF protection
+      - pattern: "class\\s+[A-Za-z0-9_]+Form\\((?!.*csrf).*\\):|@csrf_exempt"
+        message: "Form or view appears to be missing CSRF protection. Ensure CSRF tokens are properly implemented."
+
+  - type: suggest
+    message: |
+      **Python Access Control Best Practices:**
+
+      1. **Framework-Specific Controls:**
+         - **Django**: Use built-in authentication and permission decorators/mixins
+           - `@login_required`, `LoginRequiredMixin`
+           - `@permission_required`, `PermissionRequiredMixin`
+           - `UserPassesTestMixin` for custom permission logic
+         - **Flask**: Use Flask-Login or similar extensions
+           - `@login_required` decorator
+           - `current_user.is_authenticated` checks
+           - Role-based access control with Flask-Principal
+         - **FastAPI**: Use dependency injection for security
+           - `Depends(get_current_user)` pattern
+           - OAuth2 with `Security(oauth2_scheme)`
+           - JWT validation middleware
+
+      2. **General Access Control Principles:**
+         - Implement access control at the server side, never rely on client-side checks
+         - Use deny-by-default approach (whitelist vs blacklist)
+         - Implement proper session management
+         - Apply principle of least privilege
+         - Use contextual access control (time, location, device-based restrictions when appropriate)
+
+      3. **Object-Level Authorization:**
+         - Validate user has permission to access specific resources
+         - Implement row-level security for database access
+         - Use UUIDs instead of sequential IDs when possible
+         - Always verify ownership or permission before allowing operations on objects
+
+      4. **API Security:**
+         - Implement proper authentication for all API endpoints
+         - Use token-based authentication with proper validation
+         - Apply rate limiting to prevent brute force attacks
+         - Implement proper CORS configuration
+         - Log and monitor access control failures
+
+      5. **Testing Access Control:**
+         - Write tests specifically for authorization logic
+         - Test vertical access control (different permission levels)
+         - Test horizontal access control (same permission level, different users)
+         - Verify access control works after session timeout/expiration
+
+  - type: validate
+    conditions:
+      # Check 1: Proper Django permission usage
+      - pattern: "@login_required|@permission_required|LoginRequiredMixin|PermissionRequiredMixin"
+        message: "Using Django's built-in access control mechanisms."
+
+      # Check 2: Proper Flask authentication
+      - pattern: "@login_required|current_user\\.is_authenticated|@auth\\.login_required"
+        message: "Implementing proper Flask authentication checks."
+
+      # Check 3: Object-level permission checks
+      - pattern: "\\.has_permission\\(|has_object_permission\\(|can_view\\(|can_edit\\("
+        message: "Implementing object-level permission checks."
+
+      # Check 4: FastAPI security dependencies
+      - pattern: "Depends\\(get_current_user\\)|Security\\(|HTTPBearer\\("
+        message: "Using FastAPI's security dependency injection."
+
+metadata:
+  priority: 90
+  version: "1.0"
+  tags:
+    - python
+    - security
+    - access_control
+    - owasp
+    - language:python
+    - category:security
+    - subcategory:authorisation
+    - subcategory:access-control
+    - standard:owasp-top10
+    - risk:a01-broken-access-control
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+  references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
+    - https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
+    - https://docs.djangoproject.com/en/stable/topics/auth/default/
+    - https://flask-login.readthedocs.io/en/latest/
+    - https://fastapi.tiangolo.com/tutorial/security/
+    - https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
+```
+
+
diff --git a/.cursor/rules/python-cryptographic-failures.mdc b/.cursor/rules/python-cryptographic-failures.mdc
index 4ce8d98..0113f2f 100644
--- a/.cursor/rules/python-cryptographic-failures.mdc
+++ b/.cursor/rules/python-cryptographic-failures.mdc
@@ -7,120 +7,189 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent cryptographic failures in Python applications, as defined in OWASP Top 10:2021-A02.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-
-## Trigger Conditions
-- Files matching pattern `\.(py)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms from the hashlib or cryptography packages.
-- Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault.
-- Using Python's standard random module for security purposes. Use secrets module or cryptography.hazmat.primitives.asymmetric for cryptographic operations.
-- Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ (ssl.PROTOCOL_TLS_CLIENT with minimum version set).
-- SSL certificate validation is disabled. Always validate certificates in production environments.
-- Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding.
-- Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits.
-- Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, Argon2, or PBKDF2.
-- Ensure you're using a proper random salt with password hashing functions.
-- Cookies with sensitive data should have secure and httponly flags enabled.
-
-## Recommendations
-
-**Python Cryptography Best Practices:**
-
-1. **Secure Password Storage:**
-   - Use dedicated password hashing algorithms:
-     ```python
-     import bcrypt
-     hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
-     ```
-   - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
-     ```python
-     from argon2 import PasswordHasher
-     ph = PasswordHasher()
-     hash = ph.hash(password)
-     ```
-
-2. **Secure Random Number Generation:**
-   - Use the `secrets` module for cryptographic operations:
-     ```python
-     import secrets
-     token = secrets.token_hex(32)  # 256 bits of randomness
-     ```
-   - For cryptographic keys, use proper key generation functions:
-     ```python
-     from cryptography.hazmat.primitives.asymmetric import rsa
-     private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
-     ```
-
-3. **Secure Communications:**
-   - Use TLS 1.2+ for all communications:
-     ```python
-     import ssl
-     context = ssl.create_default_context()
-     context.minimum_version = ssl.TLSVersion.TLSv1_2
-     ```
-   - Always validate certificates:
-     ```python
-     import requests
-     response = requests.get('https://example.com', verify=True)
-     ```
-
-4. **Proper Key Management:**
-   - Never hardcode secrets in source code
-   - Use environment variables or secure vaults:
-     ```python
-     import os
-     api_key = os.environ.get('API_KEY')
-     ```
-   - Consider using dedicated key management services
-
-5. **Secure Encryption:**
-   - Use high-level libraries like `cryptography`:
-     ```python
-     from cryptography.fernet import Fernet
-     key = Fernet.generate_key()
-     f = Fernet(key)
-     encrypted = f.encrypt(data)
-     ```
-   - For lower-level needs, use authenticated encryption (AES-GCM):
-     ```python
-     from cryptography.hazmat.primitives.ciphers.aead import AESGCM
-     key = AESGCM.generate_key(bit_length=256)
-     aesgcm = AESGCM(key)
-     nonce = os.urandom(12)
-     encrypted = aesgcm.encrypt(nonce, data, associated_data)
-     ```
-
-6. **Secure Cookie Handling:**
-   - Set secure and httponly flags:
-     ```python
-     # Flask example
-     response.set_cookie('session', session_id, httponly=True, secure=True, samesite='Lax')
-     ```
-   - Use signed cookies or tokens:
-     ```python
-     # Django example - uses signed cookies by default
-     request.session['user_id'] = user.id
-     ```
-
-7. **Input Validation:**
-   - Validate all cryptographic inputs
-   - Use constant-time comparison for secrets:
-     ```python
-     import hmac
-     def constant_time_compare(a, b):
-         return hmac.compare_digest(a, b)
-     ```
-
-## Validation
-
-- Using secure password hashing algorithm.
-- Using cryptographically secure random number generation.
-- Using secure TLS configuration.
-- Properly validating SSL certificates.
+```yaml
+name: python_cryptographic_failures
+description: Detect and prevent cryptographic failures in Python applications as defined in OWASP Top 10:2021-A02
+filters:
+  - type: file_extension
+    pattern: "\\.(py)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Weak or insecure cryptographic algorithms
+      - pattern: "import\\s+(md5|sha1)|hashlib\\.(md5|sha1)\\(|Crypto\\.Hash\\.(MD5|SHA1)|cryptography\\.hazmat\\.primitives\\.hashes\\.(MD5|SHA1)"
+        message: "Using weak hashing algorithms (MD5/SHA1). Use SHA-256 or stronger algorithms from the hashlib or cryptography packages."
+
+      # Pattern 2: Hardcoded secrets/credentials
+      - pattern: "(password|secret|key|token|auth)\\s*=\\s*['\"][^'\"]+['\"]"
+        message: "Potential hardcoded credentials detected. Store secrets in environment variables or a secure vault."
+
+      # Pattern 3: Insecure random number generation
+      - pattern: "random\\.(random|randint|choice|sample)|import random"
+        message: "Using Python's standard random module for security purposes. Use secrets module or cryptography.hazmat.primitives.asymmetric for cryptographic operations."
+
+      # Pattern 4: Weak SSL/TLS configuration
+      - pattern: "ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)|SSLContext\\(\\s*ssl\\.PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)\\)"
+        message: "Using deprecated/insecure SSL/TLS protocol versions. Use TLS 1.2+ (ssl.PROTOCOL_TLS_CLIENT with minimum version set)."
+
+      # Pattern 5: Missing certificate validation
+      - pattern: "verify\\s*=\\s*False|check_hostname\\s*=\\s*False|CERT_NONE"
+        message: "SSL certificate validation is disabled. Always validate certificates in production environments."
+
+      # Pattern 6: Insecure cipher usage
+      - pattern: "DES|RC4|Blowfish|ECB"
+        message: "Using insecure encryption cipher or mode. Use AES with GCM or CBC mode with proper padding."
+
+      # Pattern 7: Insufficient key length
+      - pattern: "RSA\\([^,]+,\\s*[0-9]+\\s*\\)|key_size\\s*=\\s*([0-9]|10[0-9][0-9]|11[0-9][0-9]|12[0-4][0-9])"
+        message: "Using insufficient key length for asymmetric encryption. RSA keys should be at least 2048 bits, preferably 4096 bits."
+
+      # Pattern 8: Insecure password hashing
+      - pattern: "\\.encode\\(['\"]utf-?8['\"]\\)\\.(digest|hexdigest)\\(\\)|hashlib\\.[a-zA-Z0-9]+\\([^)]*\\)\\.(digest|hexdigest)\\(\\)"
+        message: "Using plain hashing for passwords. Use dedicated password hashing functions like bcrypt, Argon2, or PBKDF2."
+
+      # Pattern 9: Missing salt in password hashing
+      - pattern: "pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]+\\s*\\)"
+        message: "Ensure you're using a proper random salt with password hashing functions."
+
+      # Pattern 10: Insecure cookie settings
+      - pattern: "set_cookie\\([^)]*secure\\s*=\\s*False|set_cookie\\([^)]*httponly\\s*=\\s*False"
+        message: "Cookies with sensitive data should have secure and httponly flags enabled."
+
+  - type: suggest
+    message: |
+      **Python Cryptography Best Practices:**
+
+      1. **Secure Password Storage:**
+         - Use dedicated password hashing algorithms:
+           ```python
+           import bcrypt
+           hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))
+           ```
+         - Or use Argon2 (preferred) or PBKDF2 with sufficient iterations:
+           ```python
+           from argon2 import PasswordHasher
+           ph = PasswordHasher()
+           hash = ph.hash(password)
+           ```
+
+      2. **Secure Random Number Generation:**
+         - Use the `secrets` module for cryptographic operations:
+           ```python
+           import secrets
+           token = secrets.token_hex(32)  # 256 bits of randomness
+           ```
+         - For cryptographic keys, use proper key generation functions:
+           ```python
+           from cryptography.hazmat.primitives.asymmetric import rsa
+           private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
+           ```
+
+      3. **Secure Communications:**
+         - Use TLS 1.2+ for all communications:
+           ```python
+           import ssl
+           context = ssl.create_default_context()
+           context.minimum_version = ssl.TLSVersion.TLSv1_2
+           ```
+         - Always validate certificates:
+           ```python
+           import requests
+           response = requests.get('https://example.com', verify=True)
+           ```
+
+      4. **Proper Key Management:**
+         - Never hardcode secrets in source code
+         - Use environment variables or secure vaults:
+           ```python
+           import os
+           api_key = os.environ.get('API_KEY')
+           ```
+         - Consider using dedicated key management services
+
+      5. **Secure Encryption:**
+         - Use high-level libraries like `cryptography`:
+           ```python
+           from cryptography.fernet import Fernet
+           key = Fernet.generate_key()
+           f = Fernet(key)
+           encrypted = f.encrypt(data)
+           ```
+         - For lower-level needs, use authenticated encryption (AES-GCM):
+           ```python
+           from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+           key = AESGCM.generate_key(bit_length=256)
+           aesgcm = AESGCM(key)
+           nonce = os.urandom(12)
+           encrypted = aesgcm.encrypt(nonce, data, associated_data)
+           ```
+
+      6. **Secure Cookie Handling:**
+         - Set secure and httponly flags:
+           ```python
+           # Flask example
+           response.set_cookie('session', session_id, httponly=True, secure=True, samesite='Lax')
+           ```
+         - Use signed cookies or tokens:
+           ```python
+           # Django example - uses signed cookies by default
+           request.session['user_id'] = user.id
+           ```
+
+      7. **Input Validation:**
+         - Validate all cryptographic inputs
+         - Use constant-time comparison for secrets:
+           ```python
+           import hmac
+           def constant_time_compare(a, b):
+               return hmac.compare_digest(a, b)
+           ```
+
+  - type: validate
+    conditions:
+      # Check 1: Proper password hashing
+      - pattern: "bcrypt\\.hashpw|argon2|PasswordHasher|pbkdf2_hmac\\([^,]+,[^,]+,[^,]+,\\s*[0-9]{4,}\\s*\\)"
+        message: "Using secure password hashing algorithm."
+
+      # Check 2: Secure random generation
+      - pattern: "secrets\\.|urandom|cryptography\\.hazmat\\.primitives\\.asymmetric"
+        message: "Using cryptographically secure random number generation."
+
+      # Check 3: Strong TLS configuration
+      - pattern: "ssl\\.PROTOCOL_TLS|minimum_version\\s*=\\s*ssl\\.TLSVersion\\.TLSv1_2|create_default_context"
+        message: "Using secure TLS configuration."
+
+      # Check 4: Proper certificate validation
+      - pattern: "verify\\s*=\\s*True|check_hostname\\s*=\\s*True|CERT_REQUIRED"
+        message: "Properly validating SSL certificates."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - cryptography
+    - encryption
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:cryptography
+    - standard:owasp-top10
+    - risk:a02-cryptographic-failures
+  references:
+    - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
+    - "https://docs.python.org/3/library/secrets.html"
+    - "https://cryptography.io/en/latest/"
+    - "https://pypi.org/project/bcrypt/"
+    - "https://pypi.org/project/argon2-cffi/"
+```
+
+
diff --git a/.cursor/rules/python-injection.mdc b/.cursor/rules/python-injection.mdc
index 5954ecb..40cb1d3 100644
--- a/.cursor/rules/python-injection.mdc
+++ b/.cursor/rules/python-injection.mdc
@@ -3,112 +3,177 @@ description: Detect and prevent injection vulnerabilities in Python applications
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Injection Security Standards (OWASP A03:2021)
+ # Python Injection Security Standards (OWASP A03:2021)
 
 This rule enforces security best practices to prevent injection vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A03.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string concatenation.
-- Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string formatting.
-- Potential command injection vulnerability. Never use string concatenation or formatting with shell commands. Use subprocess with shell=False and pass arguments as a list.
-- Using shell=True with subprocess functions is dangerous and can lead to command injection. Use shell=False (default) and pass arguments as a list.
-- Potential XSS vulnerability. Ensure all template variables are properly escaped. Avoid using 'autoescape off' in templates.
-- Potential XSS vulnerability. Ensure all user-supplied data is properly escaped before rendering in templates.
-- Potential path traversal vulnerability. Validate and sanitize file paths before opening files. Consider using os.path.abspath and os.path.normpath.
-- Potential LDAP injection vulnerability. Use proper LDAP escaping for user-supplied input in LDAP queries.
-- Potential NoSQL injection vulnerability. Use parameterized queries or proper escaping for MongoDB queries.
-- Potential template injection or code injection vulnerability. Avoid using eval() or exec() with user input, and ensure template variables are properly validated.
-
-## Recommendations
-
-**Python Injection Prevention Best Practices:**
-
-1. **SQL Injection Prevention:**
-   - Use parameterized queries (prepared statements) with placeholders:
-     ```python
-     # Safe SQL query with parameters
-     cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
-     
-     # Django ORM (safe by default)
-     User.objects.filter(username=username, password=password)
-     
-     # SQLAlchemy (safe by default)
-     session.query(User).filter(User.username == username, User.password == password)
-     ```
-   - Use ORM frameworks when possible (Django ORM, SQLAlchemy)
-   - Apply proper input validation and sanitization
-
-2. **Command Injection Prevention:**
-   - Never use shell=True with subprocess functions
-   - Pass command arguments as a list, not a string:
-     ```python
-     # Safe command execution
-     subprocess.run(["ls", "-l", user_dir], shell=False)
-     ```
-   - Use shlex.quote() if you must include user input in shell commands
-   - Consider using safer alternatives like Python libraries instead of shell commands
-
-3. **XSS Prevention:**
-   - Use template auto-escaping (enabled by default in modern frameworks)
-   - Explicitly escape user input before rendering:
-     ```python
-     # Django
-     from django.utils.html import escape
-     safe_data = escape(user_input)
-     
-     # Flask/Jinja2
-     from markupsafe import escape
-     safe_data = escape(user_input)
-     ```
-   - Use Content-Security-Policy headers
-   - Validate input against allowlists
-
-4. **Path Traversal Prevention:**
-   - Validate and sanitize file paths:
-     ```python
-     import os
-     safe_path = os.path.normpath(os.path.join(safe_base_dir, user_filename))
-     if not safe_path.startswith(safe_base_dir):
-         raise ValueError("Invalid path")
-     ```
-   - Use os.path.abspath() and os.path.normpath()
-   - Implement proper access controls
-   - Consider using libraries like Werkzeug's secure_filename()
-
-5. **NoSQL Injection Prevention:**
-   - Use parameterized queries or query builders
-   - Validate input against schemas
-   - Apply proper type checking
-     ```python
-     # Safe MongoDB query
-     collection.find({"username": username, "status": "active"})
-     ```
-
-6. **Template Injection Prevention:**
-   - Avoid using eval() or exec() with user input
-   - Use sandboxed template engines
-   - Limit template functionality to what's necessary
-   - Apply proper input validation
-
-## Validation
-
-- Using parameterized queries or ORM for database access.
-- Using subprocess with arguments as a list (safe pattern).
-- Implementing input validation or sanitization.
-- Using safe file path handling techniques.
+```yaml
+name: python_injection
+description: Detect and prevent injection vulnerabilities in Python applications as defined in OWASP Top 10:2021-A03
+filters:
+  - type: file_extension
+    pattern: "\\.(py)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: SQL Injection - String concatenation in SQL queries
+      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*\\s*[\\+%]|cursor\\.(execute|executemany)\\([^,]+\\+\\s*[a-zA-Z_][a-zA-Z0-9_]*"
+        message: "Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string concatenation."
+
+      # Pattern 2: SQL Injection - String formatting in SQL queries
+      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*%[^\"']*[\"']\\s*%\\s*|cursor\\.(execute|executemany)\\([\"'][^\"']*{[^\"']*}[\"']\\.format"
+        message: "Potential SQL injection vulnerability. Use parameterized queries with placeholders instead of string formatting."
+
+      # Pattern 3: Command Injection - Shell command execution with user input
+      - pattern: "(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*\\+\\s*[a-zA-Z_][a-zA-Z0-9_]*|\\b(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*format\\(|\\b(os\\.system|os\\.popen|subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*f['\"]"
+        message: "Potential command injection vulnerability. Never use string concatenation or formatting with shell commands. Use subprocess with shell=False and pass arguments as a list."
+
+      # Pattern 4: Command Injection - Shell=True in subprocess
+      - pattern: "(subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\([^)]*shell\\s*=\\s*True"
+        message: "Using shell=True with subprocess functions is dangerous and can lead to command injection. Use shell=False (default) and pass arguments as a list."
+
+      # Pattern 5: XSS - Unescaped template variables
+      - pattern: "\\{\\{\\s*[^|]*\\s*\\}\\}|\\{\\%\\s*autoescape\\s+off\\s*\\%\\}"
+        message: "Potential XSS vulnerability. Ensure all template variables are properly escaped. Avoid using 'autoescape off' in templates."
+
+      # Pattern 6: XSS - Unsafe HTML rendering in Flask/Django
+      - pattern: "render_template\\([^)]*\\)|render\\([^)]*\\)|mark_safe\\([^)]*\\)|safe\\s*\\|"
+        message: "Potential XSS vulnerability. Ensure all user-supplied data is properly escaped before rendering in templates."
+
+      # Pattern 7: Path Traversal - Unsafe file operations
+      - pattern: "open\\([^)]*\\+|open\\([^)]*format\\(|open\\([^)]*f['\"]"
+        message: "Potential path traversal vulnerability. Validate and sanitize file paths before opening files. Consider using os.path.abspath and os.path.normpath."
+
+      # Pattern 8: LDAP Injection - Unsafe LDAP queries
+      - pattern: "ldap\\.search\\([^)]*\\+|ldap\\.search\\([^)]*format\\(|ldap\\.search\\([^)]*f['\"]"
+        message: "Potential LDAP injection vulnerability. Use proper LDAP escaping for user-supplied input in LDAP queries."
+
+      # Pattern 9: NoSQL Injection - Unsafe MongoDB queries
+      - pattern: "find\\(\\{[^}]*\\+|find\\(\\{[^}]*format\\(|find\\(\\{[^}]*f['\"]"
+        message: "Potential NoSQL injection vulnerability. Use parameterized queries or proper escaping for MongoDB queries."
+
+      # Pattern 10: Template Injection - Unsafe template rendering
+      - pattern: "Template\\([^)]*\\)\\.(render|substitute)\\(|eval\\([^)]*\\)|exec\\([^)]*\\)"
+        message: "Potential template injection or code injection vulnerability. Avoid using eval() or exec() with user input, and ensure template variables are properly validated."
+
+  - type: suggest
+    message: |
+      **Python Injection Prevention Best Practices:**
+
+      1. **SQL Injection Prevention:**
+         - Use parameterized queries (prepared statements) with placeholders:
+           ```python
+           # Safe SQL query with parameters
+           cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
+
+           # Django ORM (safe by default)
+           User.objects.filter(username=username, password=password)
+
+           # SQLAlchemy (safe by default)
+           session.query(User).filter(User.username == username, User.password == password)
+           ```
+         - Use ORM frameworks when possible (Django ORM, SQLAlchemy)
+         - Apply proper input validation and sanitization
+
+      2. **Command Injection Prevention:**
+         - Never use shell=True with subprocess functions
+         - Pass command arguments as a list, not a string:
+           ```python
+           # Safe command execution
+           subprocess.run(["ls", "-l", user_dir], shell=False)
+           ```
+         - Use shlex.quote() if you must include user input in shell commands
+         - Consider using safer alternatives like Python libraries instead of shell commands
+
+      3. **XSS Prevention:**
+         - Use template auto-escaping (enabled by default in modern frameworks)
+         - Explicitly escape user input before rendering:
+           ```python
+           # Django
+           from django.utils.html import escape
+           safe_data = escape(user_input)
+
+           # Flask/Jinja2
+           from markupsafe import escape
+           safe_data = escape(user_input)
+           ```
+         - Use Content-Security-Policy headers
+         - Validate input against allowlists
+
+      4. **Path Traversal Prevention:**
+         - Validate and sanitize file paths:
+           ```python
+           import os
+           safe_path = os.path.normpath(os.path.join(safe_base_dir, user_filename))
+           if not safe_path.startswith(safe_base_dir):
+               raise ValueError("Invalid path")
+           ```
+         - Use os.path.abspath() and os.path.normpath()
+         - Implement proper access controls
+         - Consider using libraries like Werkzeug's secure_filename()
+
+      5. **NoSQL Injection Prevention:**
+         - Use parameterized queries or query builders
+         - Validate input against schemas
+         - Apply proper type checking
+           ```python
+           # Safe MongoDB query
+           collection.find({"username": username, "status": "active"})
+           ```
+
+      6. **Template Injection Prevention:**
+         - Avoid using eval() or exec() with user input
+         - Use sandboxed template engines
+         - Limit template functionality to what's necessary
+         - Apply proper input validation
+
+  - type: validate
+    conditions:
+      # Check 1: Safe SQL queries
+      - pattern: "cursor\\.(execute|executemany)\\([\"'][^\"']*[\"']\\s*,\\s*\\(|cursor\\.(execute|executemany)\\([\"'][^\"']*[\"']\\s*,\\s*\\[|Model\\.objects\\.filter\\(|session\\.query\\("
+        message: "Using parameterized queries or ORM for database access."
+
+      # Check 2: Safe command execution
+      - pattern: "(subprocess\\.Popen|subprocess\\.call|subprocess\\.run|subprocess\\.check_output)\\(\\[[^\\]]*\\]"
+        message: "Using subprocess with arguments as a list (safe pattern)."
+
+      # Check 3: Proper input validation
+      - pattern: "validate|sanitize|clean|escape|is_valid\\(|validators\\."
+        message: "Implementing input validation or sanitization."
+
+      # Check 4: Safe file operations
+      - pattern: "os\\.path\\.join|os\\.path\\.abspath|os\\.path\\.normpath|secure_filename"
+        message: "Using safe file path handling techniques."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - injection
+    - sql-injection
+    - xss
+    - command-injection
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:injection
+    - standard:owasp-top10
+    - risk:a03-injection
+  references:
+    - "https://owasp.org/Top10/A03_2021-Injection/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html"
+    - "https://docs.python.org/3/library/subprocess.html"
+    - "https://docs.djangoproject.com/en/stable/topics/security/"
+    - "https://flask.palletsprojects.com/en/latest/security/"
+```
+
diff --git a/.cursor/rules/python-insecure-design.mdc b/.cursor/rules/python-insecure-design.mdc
index 1d7eb08..25cb177 100644
--- a/.cursor/rules/python-insecure-design.mdc
+++ b/.cursor/rules/python-insecure-design.mdc
@@ -3,189 +3,251 @@ description: Detect and prevent insecure design patterns in Python applications
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Insecure Design Security Standards (OWASP A04:2021)
+ # Python Insecure Design Security Standards (OWASP A04:2021)
 
 This rule enforces security best practices to prevent insecure design vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A04.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Function lacks input validation. Consider implementing validation for all user-supplied inputs.
-- Hardcoded business rules detected. Consider using configuration files or database-driven rules for better maintainability.
-- API endpoint lacks rate limiting. Consider implementing rate limiting to prevent abuse.
-- Insecure default configuration detected. Ensure debug/development modes are disabled in production.
-- Consider implementing proper error handling with try-except blocks for operations that might fail.
-- Potential insecure direct object reference. Validate user's permission to access the requested object.
-- Endpoint lacks authentication checks. Consider adding authentication requirements for sensitive operations.
-- Exception caught without proper logging. Implement proper logging for exceptions to aid in debugging and monitoring.
-- File upload functionality detected. Ensure proper validation of file types, sizes, and implement virus scanning if applicable.
-- Consider adding security headers (Content-Security-Policy, X-Content-Type-Options, etc.) to HTTP responses.
-
-## Recommendations
-
-**Python Secure Design Best Practices:**
-
-1. **Implement Defense in Depth:**
-   - Layer security controls throughout your application
-   - Don't rely on a single security mechanism
-   - Assume that each security layer can be bypassed
-
-2. **Use Secure Defaults:**
-   - Start with secure configurations by default
-   - Require explicit opt-in for less secure options
-   - Example for Flask:
-     ```python
-     app.config.update(
-         SESSION_COOKIE_SECURE=True,
-         SESSION_COOKIE_HTTPONLY=True,
-         SESSION_COOKIE_SAMESITE='Lax',
-         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-     )
-     ```
-
-3. **Implement Proper Access Control:**
-   - Use role-based access control (RBAC)
-   - Implement principle of least privilege
-   - Validate access at the controller and service layers
-   - Example:
-     ```python
-     @app.route('/admin')
-     @roles_required('admin')  # Using Flask-Security
-     def admin_dashboard():
-         return render_template('admin/dashboard.html')
-     ```
-
-4. **Use Rate Limiting:**
-   - Protect against brute force and DoS attacks
-   - Example with Flask-Limiter:
-     ```python
-     from flask_limiter import Limiter
-     limiter = Limiter(app)
-     
-     @app.route('/login', methods=['POST'])
-     @limiter.limit("5 per minute")
-     def login():
-         # Login logic
-     ```
-
-5. **Implement Proper Error Handling:**
-   - Catch and log exceptions appropriately
-   - Return user-friendly error messages without exposing sensitive details
-   - Example:
-     ```python
-     try:
-         # Operation that might fail
-         result = perform_operation(user_input)
-     except ValidationError as e:
-         logger.warning(f"Validation error: {str(e)}")
-         return jsonify({"error": "Invalid input provided"}), 400
-     except Exception as e:
-         logger.error(f"Unexpected error: {str(e)}", exc_info=True)
-         return jsonify({"error": "An unexpected error occurred"}), 500
-     ```
-
-6. **Use Configuration Management:**
-   - Store configuration in environment variables or secure vaults
-   - Use different configurations for development and production
-   - Example:
-     ```python
-     import os
-     from dotenv import load_dotenv
-     
-     load_dotenv()
-     
-     DEBUG = os.getenv('DEBUG', 'False') == 'True'
-     SECRET_KEY = os.getenv('SECRET_KEY')
-     DATABASE_URL = os.getenv('DATABASE_URL')
-     ```
-
-7. **Implement Proper Logging:**
-   - Log security events and exceptions
-   - Include contextual information but avoid sensitive data
-   - Use structured logging
-   - Example:
-     ```python
-     import logging
-     
-     logger = logging.getLogger(__name__)
-     
-     def user_action(user_id, action):
-         logger.info("User action", extra={
-             "user_id": user_id,
-             "action": action,
-             "timestamp": datetime.now().isoformat()
-         })
-     ```
-
-8. **Use Security Headers:**
-   - Implement Content-Security-Policy, X-Content-Type-Options, etc.
-   - Example with Flask:
-     ```python
-     from flask_talisman import Talisman
-     
-     talisman = Talisman(
-         app,
-         content_security_policy={
-             'default-src': "'self'",
-             'script-src': "'self'"
-         }
-     )
-     ```
-
-9. **Implement Secure File Handling:**
-   - Validate file types, sizes, and content
-   - Store files outside the web root
-   - Use secure file permissions
-   - Example:
-     ```python
-     import os
-     from werkzeug.utils import secure_filename
-     
-     ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
-     MAX_CONTENT_LENGTH = 1 * 1024 * 1024  # 1MB
-     
-     def allowed_file(filename):
-         return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
-     
-     @app.route('/upload', methods=['POST'])
-     def upload_file():
-         if 'file' not in request.files:
-             return jsonify({"error": "No file part"}), 400
-         
-         file = request.files['file']
-         if file.filename == '':
-             return jsonify({"error": "No selected file"}), 400
-         
-         if file and allowed_file(file.filename):
-             filename = secure_filename(file.filename)
-             file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
-             return jsonify({"success": True}), 200
-         
-         return jsonify({"error": "File type not allowed"}), 400
-     ```
-
-10. **Use Threat Modeling:**
-    - Identify potential threats during design phase
-    - Implement controls to mitigate identified threats
-    - Regularly review and update threat models
-
-## Validation
-
-- Implementing input validation.
-- Using proper error handling with try-except blocks.
-- Implementing rate limiting for API endpoints.
-- Using proper logging mechanisms.
+```yaml
+name: python_insecure_design
+description: Detect and prevent insecure design patterns in Python applications as defined in OWASP Top 10:2021-A04
+filters:
+  - type: file_extension
+    pattern: "\\.(py)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Lack of input validation
+      - pattern: "def\\s+[a-zA-Z0-9_]+\\([^)]*\\):\\s*(?![^#]*validate|[^#]*clean|[^#]*sanitize|[^#]*check|[^#]*is_valid)"
+        message: "Function lacks input validation. Consider implementing validation for all user-supplied inputs."
+
+      # Pattern 2: Hardcoded business rules
+      - pattern: "if\\s+[a-zA-Z0-9_]+\\s*(==|!=|>|<|>=|<=)\\s*['\"][^'\"]+['\"]:"
+        message: "Hardcoded business rules detected. Consider using configuration files or database-driven rules for better maintainability."
+
+      # Pattern 3: Lack of rate limiting
+      - pattern: "@(app|api|route|blueprint)\\.(get|post|put|delete|patch)\\([^)]*\\)\\s*\\n\\s*(?![^#]*rate_limit|[^#]*throttle|[^#]*limiter)"
+        message: "API endpoint lacks rate limiting. Consider implementing rate limiting to prevent abuse."
+
+      # Pattern 4: Insecure default configurations
+      - pattern: "DEBUG\\s*=\\s*True|DEVELOPMENT\\s*=\\s*True|TESTING\\s*=\\s*True"
+        message: "Insecure default configuration detected. Ensure debug/development modes are disabled in production."
+
+      # Pattern 5: Lack of error handling
+      - pattern: "(?<!try:\\s*\\n)[^#]*\\n\\s*(?!except|finally)"
+        message: "Consider implementing proper error handling with try-except blocks for operations that might fail."
+
+      # Pattern 6: Insecure direct object references
+      - pattern: "get_object_or_404\\(\\s*[^,]+,\\s*pk\\s*=\\s*request\\.(GET|POST|args|form|json)\\[['\"][^'\"]+['\"]\\]\\s*\\)|get\\(\\s*id\\s*=\\s*request\\.(GET|POST|args|form|json)"
+        message: "Potential insecure direct object reference. Validate user's permission to access the requested object."
+
+      # Pattern 7: Missing authentication checks
+      - pattern: "@(app|api|route|blueprint)\\.(get|post|put|delete|patch)\\([^)]*\\)\\s*\\n\\s*(?!.*@login_required|.*@auth\\.login_required|.*@jwt_required|.*current_user|.*request\\.user)"
+        message: "Endpoint lacks authentication checks. Consider adding authentication requirements for sensitive operations."
+
+      # Pattern 8: Lack of proper logging
+      - pattern: "except\\s+[a-zA-Z0-9_]+\\s*(?:as\\s+[a-zA-Z0-9_]+)?:\\s*(?!.*logger\\.|.*logging\\.|.*print)"
+        message: "Exception caught without proper logging. Implement proper logging for exceptions to aid in debugging and monitoring."
+
+      # Pattern 9: Insecure file uploads
+      - pattern: "request\\.files\\[['\"][^'\"]+['\"]\\]|FileField\\(|FileStorage\\("
+        message: "File upload functionality detected. Ensure proper validation of file types, sizes, and implement virus scanning if applicable."
+
+      # Pattern 10: Lack of security headers
+      - pattern: "response\\.(headers|set_header)\\([^)]*\\)|return\\s+Response\\([^)]*\\)|return\\s+make_response\\([^)]*\\)"
+        message: "Consider adding security headers (Content-Security-Policy, X-Content-Type-Options, etc.) to HTTP responses."
+
+  - type: suggest
+    message: |
+      **Python Secure Design Best Practices:**
+
+      1. **Implement Defense in Depth:**
+         - Layer security controls throughout your application
+         - Don't rely on a single security mechanism
+         - Assume that each security layer can be bypassed
+
+      2. **Use Secure Defaults:**
+         - Start with secure configurations by default
+         - Require explicit opt-in for less secure options
+         - Example for Flask:
+           ```python
+           app.config.update(
+               SESSION_COOKIE_SECURE=True,
+               SESSION_COOKIE_HTTPONLY=True,
+               SESSION_COOKIE_SAMESITE='Lax',
+               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+           )
+           ```
+
+      3. **Implement Proper Access Control:**
+         - Use role-based access control (RBAC)
+         - Implement principle of least privilege
+         - Validate access at the controller and service layers
+         - Example:
+           ```python
+           @app.route('/admin')
+           @roles_required('admin')  # Using Flask-Security
+           def admin_dashboard():
+               return render_template('admin/dashboard.html')
+           ```
+
+      4. **Use Rate Limiting:**
+         - Protect against brute force and DoS attacks
+         - Example with Flask-Limiter:
+           ```python
+           from flask_limiter import Limiter
+           limiter = Limiter(app)
+
+           @app.route('/login', methods=['POST'])
+           @limiter.limit("5 per minute")
+           def login():
+               # Login logic
+           ```
+
+      5. **Implement Proper Error Handling:**
+         - Catch and log exceptions appropriately
+         - Return user-friendly error messages without exposing sensitive details
+         - Example:
+           ```python
+           try:
+               # Operation that might fail
+               result = perform_operation(user_input)
+           except ValidationError as e:
+               logger.warning(f"Validation error: {str(e)}")
+               return jsonify({"error": "Invalid input provided"}), 400
+           except Exception as e:
+               logger.error(f"Unexpected error: {str(e)}", exc_info=True)
+               return jsonify({"error": "An unexpected error occurred"}), 500
+           ```
+
+      6. **Use Configuration Management:**
+         - Store configuration in environment variables or secure vaults
+         - Use different configurations for development and production
+         - Example:
+           ```python
+           import os
+           from dotenv import load_dotenv
+
+           load_dotenv()
+
+           DEBUG = os.getenv('DEBUG', 'False') == 'True'
+           SECRET_KEY = os.getenv('SECRET_KEY')
+           DATABASE_URL = os.getenv('DATABASE_URL')
+           ```
+
+      7. **Implement Proper Logging:**
+         - Log security events and exceptions
+         - Include contextual information but avoid sensitive data
+         - Use structured logging
+         - Example:
+           ```python
+           import logging
+
+           logger = logging.getLogger(__name__)
+
+           def user_action(user_id, action):
+               logger.info("User action", extra={
+                   "user_id": user_id,
+                   "action": action,
+                   "timestamp": datetime.now().isoformat()
+               })
+           ```
+
+      8. **Use Security Headers:**
+         - Implement Content-Security-Policy, X-Content-Type-Options, etc.
+         - Example with Flask:
+           ```python
+           from flask_talisman import Talisman
+
+           talisman = Talisman(
+               app,
+               content_security_policy={
+                   'default-src': "'self'",
+                   'script-src': "'self'"
+               }
+           )
+           ```
+
+      9. **Implement Secure File Handling:**
+         - Validate file types, sizes, and content
+         - Store files outside the web root
+         - Use secure file permissions
+         - Example:
+           ```python
+           import os
+           from werkzeug.utils import secure_filename
+
+           ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
+           MAX_CONTENT_LENGTH = 1 * 1024 * 1024  # 1MB
+
+           def allowed_file(filename):
+               return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+
+           @app.route('/upload', methods=['POST'])
+           def upload_file():
+               if 'file' not in request.files:
+                   return jsonify({"error": "No file part"}), 400
+
+               file = request.files['file']
+               if file.filename == '':
+                   return jsonify({"error": "No selected file"}), 400
+
+               if file and allowed_file(file.filename):
+                   filename = secure_filename(file.filename)
+                   file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
+                   return jsonify({"success": True}), 200
+
+               return jsonify({"error": "File type not allowed"}), 400
+           ```
+
+      10. **Use Threat Modeling:**
+          - Identify potential threats during design phase
+          - Implement controls to mitigate identified threats
+          - Regularly review and update threat models
+
+  - type: validate
+    conditions:
+      # Check 1: Proper input validation
+      - pattern: "validate|clean|sanitize|check|is_valid"
+        message: "Implementing input validation."
+
+      # Check 2: Proper error handling
+      - pattern: "try:\\s*\\n[^#]*\\n\\s*(except|finally)"
+        message: "Using proper error handling with try-except blocks."
+
+      # Check 3: Rate limiting implementation
+      - pattern: "rate_limit|throttle|limiter"
+        message: "Implementing rate limiting for API endpoints."
+
+      # Check 4: Proper logging
+      - pattern: "logger\\.|logging\\."
+        message: "Using proper logging mechanisms."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - design
+    - architecture
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:design
+    - standard:owasp-top10
+    - risk:a04-insecure-design
+  references:
+    - "https://owasp.org/Top10/A04_2021-Insecure_Design/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html"
+    - "https://flask.palletsprojects.com/en/latest/security/"
+    - "https://docs.djangoproject.com/en/stable/topics/security/"
+    - "https://fastapi.tiangolo.com/advanced/security/"
+    - "https://owasp.org/www-project-proactive-controls/"
+```
+
diff --git a/.cursor/rules/python-integrity-failures.mdc b/.cursor/rules/python-integrity-failures.mdc
index 9603225..162ee66 100644
--- a/.cursor/rules/python-integrity-failures.mdc
+++ b/.cursor/rules/python-integrity-failures.mdc
@@ -7,278 +7,357 @@ alwaysApply: false
 
 This rule enforces security best practices to prevent software and data integrity failures in Python applications, as defined in OWASP Top 10:2021-A08.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Insecure deserialization detected with pickle. Pickle is not secure against maliciously constructed data and should not be used with untrusted input.
-- Insecure deserialization detected with yaml.load(). Use yaml.safe_load() instead for untrusted input.
-- Insecure deserialization detected with marshal. Marshal is not secure against maliciously constructed data.
-- Potentially insecure deserialization with shelve detected. Shelve uses pickle internally and is not secure against malicious data.
-- Insecure use of eval() or exec() detected. These functions can execute arbitrary code and should never be used with untrusted input.
-- File download without integrity verification detected. Always verify the integrity of downloaded files using checksums or digital signatures.
-- Insecure package installation detected. Specify package versions and consider using hash verification for pip installations.
-- Configuration loading detected. Ensure integrity verification for configuration files, especially in production environments.
-- Insecure temporary file creation detected. Use tempfile.mkstemp() or tempfile.TemporaryFile() instead to avoid race conditions.
-- Potentially insecure file operation with user-controlled path detected. Validate and sanitize file paths from untrusted sources.
-- Update mechanism detected. Ensure proper integrity verification for software updates using digital signatures or secure checksums.
-- Dynamic module loading detected. Implement integrity checks and validation before loading external modules or plugins.
-- Insecure subprocess execution with shell=True detected. This can lead to command injection if user input is involved.
-- Deserialization of user-controlled data detected. Implement schema validation or integrity checks before processing.
-- Potentially insecure modification of globals or locals detected. This can lead to unexpected behavior or security issues.
-
-## Recommendations
-
-**Python Software and Data Integrity Best Practices:**
-
-1. **Secure Deserialization:**
-   - Avoid using pickle, marshal, or shelve with untrusted data
-   - Use safer alternatives like JSON with schema validation
-   - Example with JSON schema validation:
-     ```python
-     import json
-     import jsonschema
-     
-     # Define a schema for validation
-     schema = {
-         "type": "object",
-         "properties": {
-             "name": {"type": "string"},
-             "age": {"type": "integer", "minimum": 0}
-         },
-         "required": ["name", "age"]
-     }
-     
-     # Validate data against schema
-     try:
-         data = json.loads(user_input)
-         jsonschema.validate(instance=data, schema=schema)
-         # Process data safely
-     except (json.JSONDecodeError, jsonschema.exceptions.ValidationError) as e:
-         # Handle validation error
-         print(f"Invalid data: {e}")
-     ```
-
-2. **YAML Safe Loading:**
-   - Always use yaml.safe_load() instead of yaml.load()
-   - Example:
-     ```python
-     import yaml
-     
-     # Safe way to load YAML
-     data = yaml.safe_load(yaml_string)
-     
-     # Avoid this:
-     # data = yaml.load(yaml_string)  # Insecure!
-     ```
-
-3. **Integrity Verification for Downloads:**
-   - Verify checksums or signatures for downloaded files
-   - Example:
-     ```python
-     import hashlib
-     import requests
-     
-     def download_with_integrity_check(url, expected_hash):
-         response = requests.get(url)
-         file_data = response.content
-         
-         # Calculate hash
-         calculated_hash = hashlib.sha256(file_data).hexdigest()
-         
-         # Verify integrity
-         if calculated_hash != expected_hash:
-             raise ValueError("Integrity check failed: hash mismatch")
-             
-         return file_data
-     ```
-
-4. **Secure Package Installation:**
-   - Pin dependencies to specific versions
-   - Use hash verification for pip installations
-   - Example requirements.txt with hashes:
-     ```
-     # requirements.txt
-     requests==2.31.0 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
-     ```
-
-5. **Secure Configuration Management:**
-   - Validate configuration file integrity
-   - Use environment-specific configurations
-   - Example:
-     ```python
-     import json
-     import hmac
-     import hashlib
-     
-     def load_config_with_integrity(config_file, secret_key):
-         with open(config_file, 'r') as f:
-             content = f.read()
-             
-         # Split content into data and signature
-         data, _, signature = content.rpartition('\n')
-         
-         # Verify integrity
-         expected_signature = hmac.new(
-             secret_key.encode(), 
-             data.encode(), 
-             hashlib.sha256
-         ).hexdigest()
-         
-         if not hmac.compare_digest(signature, expected_signature):
-             raise ValueError("Configuration integrity check failed")
-             
-         return json.loads(data)
-     ```
-
-6. **Secure Temporary Files:**
-   - Use secure temporary file functions
-   - Example:
-     ```python
-     import tempfile
-     import os
-     
-     # Secure temporary file creation
-     fd, temp_path = tempfile.mkstemp()
-     try:
-         with os.fdopen(fd, 'w') as temp_file:
-             temp_file.write('data')
-         # Process the file
-     finally:
-         os.unlink(temp_path)  # Clean up
-     
-     # Or use context manager
-     with tempfile.TemporaryFile() as temp_file:
-         temp_file.write(b'data')
-         temp_file.seek(0)
-         # Process the file
-     ```
-
-7. **Secure Update Mechanisms:**
-   - Verify signatures for updates
-   - Use HTTPS for update downloads
-   - Example:
-     ```python
-     import requests
-     import gnupg
-     
-     def secure_update(update_url, signature_url, gpg_key):
-         # Download update and signature
-         update_data = requests.get(update_url).content
-         signature = requests.get(signature_url).content
-         
-         # Verify signature
-         gpg = gnupg.GPG()
-         gpg.import_keys(gpg_key)
-         verified = gpg.verify_data(signature, update_data)
-         
-         if not verified:
-             raise ValueError("Update signature verification failed")
-             
-         return update_data
-     ```
-
-8. **Secure Plugin Loading:**
-   - Validate plugins before loading
-   - Implement allowlisting for plugins
-   - Example:
-     ```python
-     import importlib
-     import hashlib
-     
-     # Allowlist of approved plugins with their hashes
-     APPROVED_PLUGINS = {
-         'safe_plugin': 'sha256:1234567890abcdef',
-         'other_plugin': 'sha256:abcdef1234567890'
-     }
-     
-     def load_plugin_safely(plugin_name, plugin_path):
-         # Check if plugin is in allowlist
-         if plugin_name not in APPROVED_PLUGINS:
-             raise ValueError(f"Plugin {plugin_name} is not approved")
-             
-         # Calculate plugin file hash
-         with open(plugin_path, 'rb') as f:
-             plugin_hash = 'sha256:' + hashlib.sha256(f.read()).hexdigest()
-             
-         # Verify hash matches expected value
-         if plugin_hash != APPROVED_PLUGINS[plugin_name]:
-             raise ValueError(f"Plugin {plugin_name} failed integrity check")
-             
-         # Load plugin safely
-         return importlib.import_module(plugin_name)
-     ```
-
-9. **Secure Subprocess Execution:**
-   - Avoid shell=True
-   - Use allowlists for commands
-   - Example:
-     ```python
-     import subprocess
-     import shlex
-     
-     def run_command_safely(command, arguments):
-         # Allowlist of safe commands
-         SAFE_COMMANDS = {'ls', 'echo', 'cat'}
-         
-         if command not in SAFE_COMMANDS:
-             raise ValueError(f"Command {command} is not allowed")
-             
-         # Build command with arguments
-         cmd = [command] + arguments
-         
-         # Execute without shell
-         return subprocess.run(cmd, shell=False, capture_output=True, text=True)
-     ```
-
-10. **Input Validation and Sanitization:**
-    - Validate all inputs before processing
-    - Use schema validation for structured data
-    - Example with Pydantic:
-      ```python
-      from pydantic import BaseModel, validator
-      
-      class UserData(BaseModel):
-          username: str
-          age: int
-          
-          @validator('username')
-          def username_must_be_valid(cls, v):
-              if not v.isalnum() or len(v) > 30:
-                  raise ValueError('Username must be alphanumeric and <= 30 chars')
-              return v
-              
-          @validator('age')
-          def age_must_be_reasonable(cls, v):
-              if v < 0 or v > 120:
-                  raise ValueError('Age must be between 0 and 120')
-              return v
-      
-      # Usage
-      try:
-          user = UserData(username=user_input_name, age=user_input_age)
-          # Process validated data
-      except ValueError as e:
-          # Handle validation error
-          print(f"Invalid data: {e}")
-      ```
-
-## Validation
-
-- Using safe YAML loading.
-- Using secure temporary file functions.
-- Using subprocess with shell=False.
-- Implementing input validation.
+```yaml
+name: python_integrity_failures
+description: Detect and prevent software and data integrity failures in Python applications as defined in OWASP Top 10:2021-A08
+filters:
+  - type: file_extension
+    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Insecure deserialization with pickle
+      - pattern: "pickle\\.loads\\(|pickle\\.load\\(|cPickle\\.loads\\(|cPickle\\.load\\("
+        message: "Insecure deserialization detected with pickle. Pickle is not secure against maliciously constructed data and should not be used with untrusted input."
+
+      # Pattern 2: Insecure deserialization with yaml.load
+      - pattern: "yaml\\.load\\([^,)]+\\)|yaml\\.load\\([^,)]+,\\s*Loader=yaml\\.Loader\\)"
+        message: "Insecure deserialization detected with yaml.load(). Use yaml.safe_load() instead for untrusted input."
+
+      # Pattern 3: Insecure deserialization with marshal
+      - pattern: "marshal\\.loads\\(|marshal\\.load\\("
+        message: "Insecure deserialization detected with marshal. Marshal is not secure against maliciously constructed data."
+
+      # Pattern 4: Insecure deserialization with shelve
+      - pattern: "shelve\\.open\\("
+        message: "Potentially insecure deserialization with shelve detected. Shelve uses pickle internally and is not secure against malicious data."
+
+      # Pattern 5: Insecure use of eval or exec
+      - pattern: "eval\\(|exec\\(|compile\\([^,]+,\\s*['\"][^'\"]+['\"]\\s*,\\s*['\"]exec['\"]\\)"
+        message: "Insecure use of eval() or exec() detected. These functions can execute arbitrary code and should never be used with untrusted input."
+
+      # Pattern 6: Missing integrity verification for downloads
+      - pattern: "urllib\\.request\\.urlretrieve\\(|requests\\.get\\([^)]*\\.exe['\"]\\)|requests\\.get\\([^)]*\\.zip['\"]\\)|requests\\.get\\([^)]*\\.tar\\.gz['\"]\\)"
+        message: "File download without integrity verification detected. Always verify the integrity of downloaded files using checksums or digital signatures."
+
+      # Pattern 7: Insecure package installation
+      - pattern: "pip\\s+install\\s+[^-]|subprocess\\.(?:call|run|Popen)\\(['\"]pip\\s+install"
+        message: "Insecure package installation detected. Specify package versions and consider using hash verification for pip installations."
+
+      # Pattern 8: Missing integrity checks for configuration
+      - pattern: "config\\.read\\(|json\\.loads?\\(|yaml\\.safe_load\\(|toml\\.loads?\\("
+        message: "Configuration loading detected. Ensure integrity verification for configuration files, especially in production environments."
+
+      # Pattern 9: Insecure temporary file creation
+      - pattern: "tempfile\\.mktemp\\(|os\\.tempnam\\(|os\\.tmpnam\\("
+        message: "Insecure temporary file creation detected. Use tempfile.mkstemp() or tempfile.TemporaryFile() instead to avoid race conditions."
+
+      # Pattern 10: Insecure file operations with untrusted paths
+      - pattern: "open\\([^,)]+\\+\\s*request\\.|open\\([^,)]+\\+\\s*user_|open\\([^,)]+\\+\\s*input\\("
+        message: "Potentially insecure file operation with user-controlled path detected. Validate and sanitize file paths from untrusted sources."
+
+      # Pattern 11: Missing integrity checks for updates
+      - pattern: "auto_update|self_update|check_for_updates"
+        message: "Update mechanism detected. Ensure proper integrity verification for software updates using digital signatures or secure checksums."
+
+      # Pattern 12: Insecure plugin or extension loading
+      - pattern: "importlib\\.import_module\\(|__import__\\(|load_plugin|load_extension|load_module"
+        message: "Dynamic module loading detected. Implement integrity checks and validation before loading external modules or plugins."
+
+      # Pattern 13: Insecure use of subprocess with shell=True
+      - pattern: "subprocess\\.(?:call|run|Popen)\\([^,)]*shell\\s*=\\s*True"
+        message: "Insecure subprocess execution with shell=True detected. This can lead to command injection if user input is involved."
+
+      # Pattern 14: Missing integrity verification for serialized data
+      - pattern: "json\\.loads?\\([^,)]*request\\.|json\\.loads?\\([^,)]*user_|json\\.loads?\\([^,)]*input\\("
+        message: "Deserialization of user-controlled data detected. Implement schema validation or integrity checks before processing."
+
+      # Pattern 15: Insecure use of globals or locals
+      - pattern: "globals\\(\\)\\[|locals\\(\\)\\["
+        message: "Potentially insecure modification of globals or locals detected. This can lead to unexpected behavior or security issues."
+
+  - type: suggest
+    message: |
+      **Python Software and Data Integrity Best Practices:**
+
+      1. **Secure Deserialization:**
+         - Avoid using pickle, marshal, or shelve with untrusted data
+         - Use safer alternatives like JSON with schema validation
+         - Example with JSON schema validation:
+           ```python
+           import json
+           import jsonschema
+
+           # Define a schema for validation
+           schema = {
+               "type": "object",
+               "properties": {
+                   "name": {"type": "string"},
+                   "age": {"type": "integer", "minimum": 0}
+               },
+               "required": ["name", "age"]
+           }
+
+           # Validate data against schema
+           try:
+               data = json.loads(user_input)
+               jsonschema.validate(instance=data, schema=schema)
+               # Process data safely
+           except (json.JSONDecodeError, jsonschema.exceptions.ValidationError) as e:
+               # Handle validation error
+               print(f"Invalid data: {e}")
+           ```
+
+      2. **YAML Safe Loading:**
+         - Always use yaml.safe_load() instead of yaml.load()
+         - Example:
+           ```python
+           import yaml
+
+           # Safe way to load YAML
+           data = yaml.safe_load(yaml_string)
+
+           # Avoid this:
+           # data = yaml.load(yaml_string)  # Insecure!
+           ```
+
+      3. **Integrity Verification for Downloads:**
+         - Verify checksums or signatures for downloaded files
+         - Example:
+           ```python
+           import hashlib
+           import requests
+
+           def download_with_integrity_check(url, expected_hash):
+               response = requests.get(url)
+               file_data = response.content
+
+               # Calculate hash
+               calculated_hash = hashlib.sha256(file_data).hexdigest()
+
+               # Verify integrity
+               if calculated_hash != expected_hash:
+                   raise ValueError("Integrity check failed: hash mismatch")
+
+               return file_data
+           ```
+
+      4. **Secure Package Installation:**
+         - Pin dependencies to specific versions
+         - Use hash verification for pip installations
+         - Example requirements.txt with hashes:
+           ```
+           # requirements.txt
+           requests==2.31.0 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+           ```
+
+      5. **Secure Configuration Management:**
+         - Validate configuration file integrity
+         - Use environment-specific configurations
+         - Example:
+           ```python
+           import json
+           import hmac
+           import hashlib
+
+           def load_config_with_integrity(config_file, secret_key):
+               with open(config_file, 'r') as f:
+                   content = f.read()
+
+               # Split content into data and signature
+               data, _, signature = content.rpartition('\n')
+
+               # Verify integrity
+               expected_signature = hmac.new(
+                   secret_key.encode(),
+                   data.encode(),
+                   hashlib.sha256
+               ).hexdigest()
+
+               if not hmac.compare_digest(signature, expected_signature):
+                   raise ValueError("Configuration integrity check failed")
+
+               return json.loads(data)
+           ```
+
+      6. **Secure Temporary Files:**
+         - Use secure temporary file functions
+         - Example:
+           ```python
+           import tempfile
+           import os
+
+           # Secure temporary file creation
+           fd, temp_path = tempfile.mkstemp()
+           try:
+               with os.fdopen(fd, 'w') as temp_file:
+                   temp_file.write('data')
+               # Process the file
+           finally:
+               os.unlink(temp_path)  # Clean up
+
+           # Or use context manager
+           with tempfile.TemporaryFile() as temp_file:
+               temp_file.write(b'data')
+               temp_file.seek(0)
+               # Process the file
+           ```
+
+      7. **Secure Update Mechanisms:**
+         - Verify signatures for updates
+         - Use HTTPS for update downloads
+         - Example:
+           ```python
+           import requests
+           import gnupg
+
+           def secure_update(update_url, signature_url, gpg_key):
+               # Download update and signature
+               update_data = requests.get(update_url).content
+               signature = requests.get(signature_url).content
+
+               # Verify signature
+               gpg = gnupg.GPG()
+               gpg.import_keys(gpg_key)
+               verified = gpg.verify_data(signature, update_data)
+
+               if not verified:
+                   raise ValueError("Update signature verification failed")
+
+               return update_data
+           ```
+
+      8. **Secure Plugin Loading:**
+         - Validate plugins before loading
+         - Implement allowlisting for plugins
+         - Example:
+           ```python
+           import importlib
+           import hashlib
+
+           # Allowlist of approved plugins with their hashes
+           APPROVED_PLUGINS = {
+               'safe_plugin': 'sha256:1234567890abcdef',
+               'other_plugin': 'sha256:abcdef1234567890'
+           }
+
+           def load_plugin_safely(plugin_name, plugin_path):
+               # Check if plugin is in allowlist
+               if plugin_name not in APPROVED_PLUGINS:
+                   raise ValueError(f"Plugin {plugin_name} is not approved")
+
+               # Calculate plugin file hash
+               with open(plugin_path, 'rb') as f:
+                   plugin_hash = 'sha256:' + hashlib.sha256(f.read()).hexdigest()
+
+               # Verify hash matches expected value
+               if plugin_hash != APPROVED_PLUGINS[plugin_name]:
+                   raise ValueError(f"Plugin {plugin_name} failed integrity check")
+
+               # Load plugin safely
+               return importlib.import_module(plugin_name)
+           ```
+
+      9. **Secure Subprocess Execution:**
+         - Avoid shell=True
+         - Use allowlists for commands
+         - Example:
+           ```python
+           import subprocess
+           import shlex
+
+           def run_command_safely(command, arguments):
+               # Allowlist of safe commands
+               SAFE_COMMANDS = {'ls', 'echo', 'cat'}
+
+               if command not in SAFE_COMMANDS:
+                   raise ValueError(f"Command {command} is not allowed")
+
+               # Build command with arguments
+               cmd = [command] + arguments
+
+               # Execute without shell
+               return subprocess.run(cmd, shell=False, capture_output=True, text=True)
+           ```
+
+      10. **Input Validation and Sanitization:**
+          - Validate all inputs before processing
+          - Use schema validation for structured data
+          - Example with Pydantic:
+            ```python
+            from pydantic import BaseModel, validator
+
+            class UserData(BaseModel):
+                username: str
+                age: int
+
+                @validator('username')
+                def username_must_be_valid(cls, v):
+                    if not v.isalnum() or len(v) > 30:
+                        raise ValueError('Username must be alphanumeric and <= 30 chars')
+                    return v
+
+                @validator('age')
+                def age_must_be_reasonable(cls, v):
+                    if v < 0 or v > 120:
+                        raise ValueError('Age must be between 0 and 120')
+                    return v
+
+            # Usage
+            try:
+                user = UserData(username=user_input_name, age=user_input_age)
+                # Process validated data
+            except ValueError as e:
+                # Handle validation error
+                print(f"Invalid data: {e}")
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Safe YAML loading
+      - pattern: "yaml\\.safe_load\\("
+        message: "Using safe YAML loading."
+
+      # Check 2: Secure temporary file usage
+      - pattern: "tempfile\\.mkstemp\\(|tempfile\\.TemporaryFile\\(|tempfile\\.NamedTemporaryFile\\("
+        message: "Using secure temporary file functions."
+
+      # Check 3: Secure subprocess usage
+      - pattern: "subprocess\\.(?:call|run|Popen)\\([^,)]*shell\\s*=\\s*False"
+        message: "Using subprocess with shell=False."
+
+      # Check 4: Input validation
+      - pattern: "jsonschema\\.validate|pydantic|dataclass|@validator"
+        message: "Implementing input validation."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - integrity
+    - deserialization
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:integrity
+    - standard:owasp-top10
+    - risk:a08-software-data-integrity-failures
+  references:
+    - "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"
+    - "https://docs.python.org/3/library/pickle.html#restricting-globals"
+    - "https://pyyaml.org/wiki/PyYAMLDocumentation"
+    - "https://python-security.readthedocs.io/packages.html"
+    - "https://docs.python.org/3/library/tempfile.html#security"
+```
+
+
diff --git a/.cursor/rules/python-logging-monitoring-failures.mdc b/.cursor/rules/python-logging-monitoring-failures.mdc
index dff686e..c559044 100644
--- a/.cursor/rules/python-logging-monitoring-failures.mdc
+++ b/.cursor/rules/python-logging-monitoring-failures.mdc
@@ -3,365 +3,443 @@ description: Detect and prevent security logging and monitoring failures in Pyth
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Security Logging and Monitoring Failures Standards (OWASP A09:2021)
+ # Python Security Logging and Monitoring Failures Standards (OWASP A09:2021)
 
 This rule enforces security best practices to prevent security logging and monitoring failures in Python applications, as defined in OWASP Top 10:2021-A09.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Authentication function without logging detected. Always log authentication events, especially failures, for security monitoring.
-- Authorization function without logging detected. Always log authorization decisions, especially denials, for security monitoring.
-- Security-sensitive user operation without logging detected. Always log security-sensitive operations for audit trails.
-- Exception handler without logging detected. Always log exceptions, especially in security-sensitive code, for monitoring and debugging.
-- Potential sensitive data logging detected. Avoid logging sensitive information like passwords, tokens, or keys.
-- Debug-level logging for security events detected. Use appropriate log levels (INFO, WARNING, ERROR) for security events.
-- Logging import without configuration detected. Configure logging properly with appropriate handlers, formatters, and levels.
-- Debug-level logging configuration detected. Use appropriate log levels in production to avoid excessive logging.
-- Web endpoint without request logging detected. Consider logging requests and responses for security monitoring.
-- Logging without correlation ID detected. Include correlation IDs in logs to trace requests across systems.
-- Logging without error handling detected. Handle potential logging failures to ensure critical events are not missed.
-- Database operation without logging detected. Consider logging database operations for audit trails and security monitoring.
-- File write operation without logging detected. Consider logging file operations for audit trails.
-- Subprocess execution without logging detected. Always log command execution for security monitoring.
-- Console-only logging configuration detected. Configure centralized logging with file handlers or external logging services.
-
-## Recommendations
-
-**Python Security Logging and Monitoring Best Practices:**
-
-1. **Structured Logging:**
-   - Use structured logging formats (JSON)
-   - Include contextual information
-   - Example with Python's standard logging:
-     ```python
-     import logging
-     import json
-     
-     class JsonFormatter(logging.Formatter):
-         def format(self, record):
-             log_record = {
-                 "timestamp": self.formatTime(record),
-                 "level": record.levelname,
-                 "message": record.getMessage(),
-                 "logger": record.name,
-                 "path": record.pathname,
-                 "line": record.lineno
-             }
-             
-             # Add extra attributes from record
-             for key, value in record.__dict__.items():
-                 if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
-                               "filename", "funcName", "id", "levelname", "levelno",
-                               "lineno", "module", "msecs", "message", "msg", "name", 
-                               "pathname", "process", "processName", "relativeCreated", 
-                               "stack_info", "thread", "threadName"]:
-                     log_record[key] = value
-             
-             return json.dumps(log_record)
-     
-     # Configure logger with JSON formatter
-     logger = logging.getLogger("security_logger")
-     handler = logging.StreamHandler()
-     handler.setFormatter(JsonFormatter())
-     logger.addHandler(handler)
-     logger.setLevel(logging.INFO)
-     
-     # Usage with context
-     logger.info("User login successful", extra={
-         "user_id": user.id,
-         "ip_address": request.remote_addr,
-         "request_id": request.headers.get("X-Request-ID")
-     })
-     ```
-
-2. **Security Event Logging:**
-   - Log all authentication events
-   - Log authorization decisions
-   - Log security-sensitive operations
-   - Example:
-     ```python
-     def login(request):
-         username = request.form.get("username")
-         password = request.form.get("password")
-         
-         try:
-             user = authenticate(username, password)
-             if user:
-                 # Log successful login
-                 logger.info("User login successful", extra={
-                     "user_id": user.id,
-                     "ip_address": request.remote_addr,
-                     "request_id": request.headers.get("X-Request-ID")
-                 })
-                 return success_response()
-             else:
-                 # Log failed login
-                 logger.warning("User login failed: invalid credentials", extra={
-                     "username": username,  # Note: log username but never password
-                     "ip_address": request.remote_addr,
-                     "request_id": request.headers.get("X-Request-ID")
-                 })
-                 return error_response("Invalid credentials")
-         except Exception as e:
-             # Log exceptions
-             logger.error("Login error", extra={
-                 "error": str(e),
-                 "username": username,
-                 "ip_address": request.remote_addr,
-                 "request_id": request.headers.get("X-Request-ID")
-             })
-             return error_response("Login error")
-     ```
-
-3. **Correlation IDs:**
-   - Use request IDs to correlate logs
-   - Propagate IDs across services
-   - Example with Flask:
-     ```python
-     import uuid
-     from flask import Flask, request, g
-     
-     app = Flask(__name__)
-     
-     @app.before_request
-     def before_request():
-         request_id = request.headers.get("X-Request-ID")
-         if not request_id:
-             request_id = str(uuid.uuid4())
-         g.request_id = request_id
-     
-     @app.after_request
-     def after_request(response):
-         response.headers["X-Request-ID"] = g.request_id
-         return response
-     
-     # In your view functions
-     @app.route("/api/resource")
-     def get_resource():
-         logger.info("Resource accessed", extra={"request_id": g.request_id})
-         return jsonify({"data": "resource"})
-     ```
-
-4. **Appropriate Log Levels:**
-   - DEBUG: Detailed information for debugging
-   - INFO: Confirmation of normal events
-   - WARNING: Potential issues that don't prevent operation
-   - ERROR: Errors that prevent specific operations
-   - CRITICAL: Critical errors that prevent application function
-   - Example:
-     ```python
-     # Normal operation
-     logger.info("User profile updated", extra={"user_id": user.id})
-     
-     # Potential security issue
-     logger.warning("Multiple failed login attempts", extra={
-         "username": username,
-         "attempt_count": attempts,
-         "ip_address": ip_address
-     })
-     
-     # Security violation
-     logger.error("Unauthorized access attempt", extra={
-         "user_id": user.id,
-         "resource": resource_id,
-         "ip_address": ip_address
-     })
-     
-     # Critical security breach
-     logger.critical("Possible data breach detected", extra={
-         "indicators": indicators,
-         "affected_resources": resources
-     })
-     ```
-
-5. **Centralized Logging:**
-   - Configure logging to centralized systems
-   - Use appropriate handlers
-   - Example with file rotation:
-     ```python
-     import logging
-     from logging.handlers import RotatingFileHandler
-     
-     logger = logging.getLogger("security_logger")
-     
-     # File handler with rotation
-     file_handler = RotatingFileHandler(
-         "security.log",
-         maxBytes=10485760,  # 10MB
-         backupCount=10
-     )
-     file_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
-     logger.addHandler(file_handler)
-     
-     # Set level
-     logger.setLevel(logging.INFO)
-     ```
-
-6. **Sensitive Data Handling:**
-   - Never log sensitive data
-   - Implement data masking
-   - Example:
-     ```python
-     def mask_sensitive_data(data, fields_to_mask):
-         """Mask sensitive fields in data dictionary."""
-         masked_data = data.copy()
-         for field in fields_to_mask:
-             if field in masked_data:
-                 masked_data[field] = "********"
-         return masked_data
-     
-     # Usage
-     user_data = {"username": "john", "password": "secret123", "email": "john@example.com"}
-     safe_data = mask_sensitive_data(user_data, ["password"])
-     logger.info("User data processed", extra={"user_data": safe_data})
-     ```
-
-7. **Exception Logging:**
-   - Always log exceptions
-   - Include stack traces for debugging
-   - Example:
-     ```python
-     try:
-         # Some operation
-         result = process_data(data)
-     except Exception as e:
-         logger.error(
-             "Error processing data",
-             exc_info=True,  # Include stack trace
-             extra={
-                 "data_id": data.id,
-                 "error": str(e)
-             }
-         )
-         raise  # Re-raise or handle appropriately
-     ```
-
-8. **Audit Logging:**
-   - Log all security-relevant changes
-   - Include before/after states
-   - Example:
-     ```python
-     def update_user_role(user_id, new_role, current_user):
-         user = User.get(user_id)
-         old_role = user.role
-         
-         # Update role
-         user.role = new_role
-         user.save()
-         
-         # Audit log
-         logger.info("User role changed", extra={
-             "user_id": user_id,
-             "old_role": old_role,
-             "new_role": new_role,
-             "changed_by": current_user.id,
-             "timestamp": datetime.utcnow().isoformat()
-         })
-     ```
-
-9. **Log Monitoring Integration:**
-   - Configure alerts for security events
-   - Integrate with SIEM systems
-   - Example configuration for ELK stack:
-     ```python
-     import logging
-     from elasticsearch import Elasticsearch
-     from elasticsearch.helpers import bulk
-     
-     class ElasticsearchHandler(logging.Handler):
-         def __init__(self, es_host, index_name):
-             super().__init__()
-             self.es = Elasticsearch([es_host])
-             self.index_name = index_name
-             self.buffer = []
-             
-         def emit(self, record):
-             try:
-                 log_entry = {
-                     "_index": self.index_name,
-                     "_source": {
-                         "timestamp": self.formatter.formatTime(record),
-                         "level": record.levelname,
-                         "message": record.getMessage(),
-                         "logger": record.name
-                     }
-                 }
-                 
-                 # Add extra fields
-                 for key, value in record.__dict__.items():
-                     if key not in ["args", "asctime", "created", "exc_info", "exc_text", 
-                                   "filename", "funcName", "id", "levelname", "levelno",
-                                   "lineno", "module", "msecs", "message", "msg", "name", 
-                                   "pathname", "process", "processName", "relativeCreated", 
-                                   "stack_info", "thread", "threadName"]:
-                         log_entry["_source"][key] = value
-                         
-                 self.buffer.append(log_entry)
-                 
-                 # Bulk insert if buffer is full
-                 if len(self.buffer) >= 10:
-                     self.flush()
-             except Exception:
-                 self.handleError(record)
-                 
-         def flush(self):
-             if self.buffer:
-                 bulk(self.es, self.buffer)
-                 self.buffer = []
-     
-     # Usage
-     es_handler = ElasticsearchHandler("localhost:9200", "app-logs")
-     es_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
-     logger.addHandler(es_handler)
-     ```
-
-10. **Logging Failure Handling:**
-    - Handle logging failures gracefully
-    - Implement fallback mechanisms
-    - Example:
-      ```python
-      class FallbackHandler(logging.Handler):
-          def __init__(self, primary_handler, fallback_handler):
-              super().__init__()
-              self.primary_handler = primary_handler
-              self.fallback_handler = fallback_handler
-              
-          def emit(self, record):
-              try:
-                  self.primary_handler.emit(record)
-              except Exception:
-                  try:
-                      self.fallback_handler.emit(record)
-                  except Exception:
-                      # Last resort: print to stderr
-                      import sys
-                      print(f"CRITICAL: Logging failure: {record.getMessage()}", file=sys.stderr)
-      
-      # Usage
-      primary = ElasticsearchHandler("localhost:9200", "app-logs")
-      fallback = logging.FileHandler("fallback.log")
-      handler = FallbackHandler(primary, fallback)
-      logger.addHandler(handler)
-      ```
-
-## Validation
-
-- Logging is properly configured.
-- Security events are being logged.
-- Structured logging with context is implemented.
-- Correlation IDs are used for request tracing.
+```yaml
+name: python_logging_monitoring_failures
+description: Detect and prevent security logging and monitoring failures in Python applications as defined in OWASP Top 10:2021-A09
+filters:
+  - type: file_extension
+    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Missing logging in authentication functions
+      - pattern: "def\\s+(login|authenticate|signin|logout|signout).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
+        message: "Authentication function without logging detected. Always log authentication events, especially failures, for security monitoring."
+
+      # Pattern 2: Missing logging in authorization functions
+      - pattern: "def\\s+(authorize|check_permission|has_permission|is_authorized|require_permission).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
+        message: "Authorization function without logging detected. Always log authorization decisions, especially denials, for security monitoring."
+
+      # Pattern 3: Missing logging in security-sensitive operations
+      - pattern: "def\\s+(create_user|update_user|delete_user|reset_password|change_password).*?:[^\\n]*?(?!.*logging\\.(info|warning|error|critical))"
+        message: "Security-sensitive user operation without logging detected. Always log security-sensitive operations for audit trails."
+
+      # Pattern 4: Missing logging in exception handlers
+      - pattern: "except\\s+[^:]+:[^\\n]*?(?!.*logging\\.(warning|error|critical|exception))"
+        message: "Exception handler without logging detected. Always log exceptions, especially in security-sensitive code, for monitoring and debugging."
+
+      # Pattern 5: Logging sensitive data
+      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?(password|token|secret|key|credential|auth)"
+        message: "Potential sensitive data logging detected. Avoid logging sensitive information like passwords, tokens, or keys."
+
+      # Pattern 6: Insufficient log level in security context
+      - pattern: "logging\\.debug\\([^)]*?(auth|login|permission|security|attack|hack|exploit|vulnerability)"
+        message: "Debug-level logging for security events detected. Use appropriate log levels (INFO, WARNING, ERROR) for security events."
+
+      # Pattern 7: Missing logging configuration
+      - pattern: "import\\s+logging(?!.*logging\\.basicConfig|.*logging\\.config)"
+        message: "Logging import without configuration detected. Configure logging properly with appropriate handlers, formatters, and levels."
+
+      # Pattern 8: Insecure logging configuration
+      - pattern: "logging\\.basicConfig\\([^)]*?level\\s*=\\s*logging\\.DEBUG"
+        message: "Debug-level logging configuration detected. Use appropriate log levels in production to avoid excessive logging."
+
+      # Pattern 9: Missing request/response logging in web frameworks
+      - pattern: "@app\\.route\\(['\"][^'\"]+['\"]|@api_view\\(|class\\s+\\w+\\(APIView\\)|class\\s+\\w+\\(View\\)"
+        message: "Web endpoint without request logging detected. Consider logging requests and responses for security monitoring."
+
+      # Pattern 10: Missing correlation IDs in logs
+      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?(?!.*request_id|.*correlation_id|.*trace_id)"
+        message: "Logging without correlation ID detected. Include correlation IDs in logs to trace requests across systems."
+
+      # Pattern 11: Missing error handling for logging failures
+      - pattern: "logging\\.(debug|info|warning|error|critical)\\([^)]*?\\)"
+        message: "Logging without error handling detected. Handle potential logging failures to ensure critical events are not missed."
+
+      # Pattern 12: Missing logging for database operations
+      - pattern: "(execute|executemany|cursor\\.execute|session\\.execute|query)\\([^)]*?(?!.*logging\\.(debug|info|warning|error|critical))"
+        message: "Database operation without logging detected. Consider logging database operations for audit trails and security monitoring."
+
+      # Pattern 13: Missing logging for file operations
+      - pattern: "open\\([^)]+,\\s*['\"]w['\"]|open\\([^)]+,\\s*['\"]a['\"]|write\\(|writelines\\("
+        message: "File write operation without logging detected. Consider logging file operations for audit trails."
+
+      # Pattern 14: Missing logging for subprocess execution
+      - pattern: "subprocess\\.(call|run|Popen)\\([^)]*?(?!.*logging\\.(debug|info|warning|error|critical))"
+        message: "Subprocess execution without logging detected. Always log command execution for security monitoring."
+
+      # Pattern 15: Missing centralized logging configuration
+      - pattern: "logging\\.basicConfig\\([^)]*?(?!.*filename|.*handlers)"
+        message: "Console-only logging configuration detected. Configure centralized logging with file handlers or external logging services."
+
+  - type: suggest
+    message: |
+      **Python Security Logging and Monitoring Best Practices:**
+
+      1. **Structured Logging:**
+         - Use structured logging formats (JSON)
+         - Include contextual information
+         - Example with Python's standard logging:
+           ```python
+           import logging
+           import json
+
+           class JsonFormatter(logging.Formatter):
+               def format(self, record):
+                   log_record = {
+                       "timestamp": self.formatTime(record),
+                       "level": record.levelname,
+                       "message": record.getMessage(),
+                       "logger": record.name,
+                       "path": record.pathname,
+                       "line": record.lineno
+                   }
+
+                   # Add extra attributes from record
+                   for key, value in record.__dict__.items():
+                       if key not in ["args", "asctime", "created", "exc_info", "exc_text",
+                                     "filename", "funcName", "id", "levelname", "levelno",
+                                     "lineno", "module", "msecs", "message", "msg", "name",
+                                     "pathname", "process", "processName", "relativeCreated",
+                                     "stack_info", "thread", "threadName"]:
+                           log_record[key] = value
+
+                   return json.dumps(log_record)
+
+           # Configure logger with JSON formatter
+           logger = logging.getLogger("security_logger")
+           handler = logging.StreamHandler()
+           handler.setFormatter(JsonFormatter())
+           logger.addHandler(handler)
+           logger.setLevel(logging.INFO)
+
+           # Usage with context
+           logger.info("User login successful", extra={
+               "user_id": user.id,
+               "ip_address": request.remote_addr,
+               "request_id": request.headers.get("X-Request-ID")
+           })
+           ```
+
+      2. **Security Event Logging:**
+         - Log all authentication events
+         - Log authorization decisions
+         - Log security-sensitive operations
+         - Example:
+           ```python
+           def login(request):
+               username = request.form.get("username")
+               password = request.form.get("password")
+
+               try:
+                   user = authenticate(username, password)
+                   if user:
+                       # Log successful login
+                       logger.info("User login successful", extra={
+                           "user_id": user.id,
+                           "ip_address": request.remote_addr,
+                           "request_id": request.headers.get("X-Request-ID")
+                       })
+                       return success_response()
+                   else:
+                       # Log failed login
+                       logger.warning("User login failed: invalid credentials", extra={
+                           "username": username,  # Note: log username but never password
+                           "ip_address": request.remote_addr,
+                           "request_id": request.headers.get("X-Request-ID")
+                       })
+                       return error_response("Invalid credentials")
+               except Exception as e:
+                   # Log exceptions
+                   logger.error("Login error", extra={
+                       "error": str(e),
+                       "username": username,
+                       "ip_address": request.remote_addr,
+                       "request_id": request.headers.get("X-Request-ID")
+                   })
+                   return error_response("Login error")
+           ```
+
+      3. **Correlation IDs:**
+         - Use request IDs to correlate logs
+         - Propagate IDs across services
+         - Example with Flask:
+           ```python
+           import uuid
+           from flask import Flask, request, g
+
+           app = Flask(__name__)
+
+           @app.before_request
+           def before_request():
+               request_id = request.headers.get("X-Request-ID")
+               if not request_id:
+                   request_id = str(uuid.uuid4())
+               g.request_id = request_id
+
+           @app.after_request
+           def after_request(response):
+               response.headers["X-Request-ID"] = g.request_id
+               return response
+
+           # In your view functions
+           @app.route("/api/resource")
+           def get_resource():
+               logger.info("Resource accessed", extra={"request_id": g.request_id})
+               return jsonify({"data": "resource"})
+           ```
+
+      4. **Appropriate Log Levels:**
+         - DEBUG: Detailed information for debugging
+         - INFO: Confirmation of normal events
+         - WARNING: Potential issues that don't prevent operation
+         - ERROR: Errors that prevent specific operations
+         - CRITICAL: Critical errors that prevent application function
+         - Example:
+           ```python
+           # Normal operation
+           logger.info("User profile updated", extra={"user_id": user.id})
+
+           # Potential security issue
+           logger.warning("Multiple failed login attempts", extra={
+               "username": username,
+               "attempt_count": attempts,
+               "ip_address": ip_address
+           })
+
+           # Security violation
+           logger.error("Unauthorized access attempt", extra={
+               "user_id": user.id,
+               "resource": resource_id,
+               "ip_address": ip_address
+           })
+
+           # Critical security breach
+           logger.critical("Possible data breach detected", extra={
+               "indicators": indicators,
+               "affected_resources": resources
+           })
+           ```
+
+      5. **Centralized Logging:**
+         - Configure logging to centralized systems
+         - Use appropriate handlers
+         - Example with file rotation:
+           ```python
+           import logging
+           from logging.handlers import RotatingFileHandler
+
+           logger = logging.getLogger("security_logger")
+
+           # File handler with rotation
+           file_handler = RotatingFileHandler(
+               "security.log",
+               maxBytes=10485760,  # 10MB
+               backupCount=10
+           )
+           file_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
+           logger.addHandler(file_handler)
+
+           # Set level
+           logger.setLevel(logging.INFO)
+           ```
+
+      6. **Sensitive Data Handling:**
+         - Never log sensitive data
+         - Implement data masking
+         - Example:
+           ```python
+           def mask_sensitive_data(data, fields_to_mask):
+               """Mask sensitive fields in data dictionary."""
+               masked_data = data.copy()
+               for field in fields_to_mask:
+                   if field in masked_data:
+                       masked_data[field] = "********"
+               return masked_data
+
+           # Usage
+           user_data = {"username": "john", "password": "secret123", "email": "john@example.com"}
+           safe_data = mask_sensitive_data(user_data, ["password"])
+           logger.info("User data processed", extra={"user_data": safe_data})
+           ```
+
+      7. **Exception Logging:**
+         - Always log exceptions
+         - Include stack traces for debugging
+         - Example:
+           ```python
+           try:
+               # Some operation
+               result = process_data(data)
+           except Exception as e:
+               logger.error(
+                   "Error processing data",
+                   exc_info=True,  # Include stack trace
+                   extra={
+                       "data_id": data.id,
+                       "error": str(e)
+                   }
+               )
+               raise  # Re-raise or handle appropriately
+           ```
+
+      8. **Audit Logging:**
+         - Log all security-relevant changes
+         - Include before/after states
+         - Example:
+           ```python
+           def update_user_role(user_id, new_role, current_user):
+               user = User.get(user_id)
+               old_role = user.role
+
+               # Update role
+               user.role = new_role
+               user.save()
+
+               # Audit log
+               logger.info("User role changed", extra={
+                   "user_id": user_id,
+                   "old_role": old_role,
+                   "new_role": new_role,
+                   "changed_by": current_user.id,
+                   "timestamp": datetime.utcnow().isoformat()
+               })
+           ```
+
+      9. **Log Monitoring Integration:**
+         - Configure alerts for security events
+         - Integrate with SIEM systems
+         - Example configuration for ELK stack:
+           ```python
+           import logging
+           from elasticsearch import Elasticsearch
+           from elasticsearch.helpers import bulk
+
+           class ElasticsearchHandler(logging.Handler):
+               def __init__(self, es_host, index_name):
+                   super().__init__()
+                   self.es = Elasticsearch([es_host])
+                   self.index_name = index_name
+                   self.buffer = []
+
+               def emit(self, record):
+                   try:
+                       log_entry = {
+                           "_index": self.index_name,
+                           "_source": {
+                               "timestamp": self.formatter.formatTime(record),
+                               "level": record.levelname,
+                               "message": record.getMessage(),
+                               "logger": record.name
+                           }
+                       }
+
+                       # Add extra fields
+                       for key, value in record.__dict__.items():
+                           if key not in ["args", "asctime", "created", "exc_info", "exc_text",
+                                         "filename", "funcName", "id", "levelname", "levelno",
+                                         "lineno", "module", "msecs", "message", "msg", "name",
+                                         "pathname", "process", "processName", "relativeCreated",
+                                         "stack_info", "thread", "threadName"]:
+                               log_entry["_source"][key] = value
+
+                       self.buffer.append(log_entry)
+
+                       # Bulk insert if buffer is full
+                       if len(self.buffer) >= 10:
+                           self.flush()
+                   except Exception:
+                       self.handleError(record)
+
+               def flush(self):
+                   if self.buffer:
+                       bulk(self.es, self.buffer)
+                       self.buffer = []
+
+           # Usage
+           es_handler = ElasticsearchHandler("localhost:9200", "app-logs")
+           es_handler.setFormatter(logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s'))
+           logger.addHandler(es_handler)
+           ```
+
+      10. **Logging Failure Handling:**
+          - Handle logging failures gracefully
+          - Implement fallback mechanisms
+          - Example:
+            ```python
+            class FallbackHandler(logging.Handler):
+                def __init__(self, primary_handler, fallback_handler):
+                    super().__init__()
+                    self.primary_handler = primary_handler
+                    self.fallback_handler = fallback_handler
+
+                def emit(self, record):
+                    try:
+                        self.primary_handler.emit(record)
+                    except Exception:
+                        try:
+                            self.fallback_handler.emit(record)
+                        except Exception:
+                            # Last resort: print to stderr
+                            import sys
+                            print(f"CRITICAL: Logging failure: {record.getMessage()}", file=sys.stderr)
+
+            # Usage
+            primary = ElasticsearchHandler("localhost:9200", "app-logs")
+            fallback = logging.FileHandler("fallback.log")
+            handler = FallbackHandler(primary, fallback)
+            logger.addHandler(handler)
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Proper logging configuration
+      - pattern: "logging\\.basicConfig\\(|logging\\.config\\.dictConfig\\(|logging\\.config\\.fileConfig\\("
+        message: "Logging is properly configured."
+
+      # Check 2: Security event logging
+      - pattern: "logging\\.(info|warning|error|critical)\\([^)]*?(login|authenticate|authorize|permission)"
+        message: "Security events are being logged."
+
+      # Check 3: Structured logging
+      - pattern: "logging\\.(info|warning|error|critical)\\([^)]*?extra\\s*="
+        message: "Structured logging with context is implemented."
+
+      # Check 4: Correlation ID usage
+      - pattern: "request_id|correlation_id|trace_id"
+        message: "Correlation IDs are used for request tracing."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - logging
+    - monitoring
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:logging
+    - standard:owasp-top10
+    - risk:a09-security-logging-monitoring-failures
+  references:
+    - "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
+    - "https://docs.python.org/3/library/logging.html"
+    - "https://docs.python.org/3/howto/logging-cookbook.html"
+    - "https://docs.djangoproject.com/en/stable/topics/logging/"
+    - "https://flask.palletsprojects.com/en/latest/logging/"
+    - "https://fastapi.tiangolo.com/tutorial/handling-errors/#logging"
+```
+
diff --git a/.cursor/rules/python-security-misconfiguration.mdc b/.cursor/rules/python-security-misconfiguration.mdc
index cf79c7e..fafc438 100644
--- a/.cursor/rules/python-security-misconfiguration.mdc
+++ b/.cursor/rules/python-security-misconfiguration.mdc
@@ -3,198 +3,275 @@ description: Detect and prevent security misconfigurations in Python application
 globs: *.py, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Security Misconfiguration Standards (OWASP A05:2021)
+ # Python Security Misconfiguration Standards (OWASP A05:2021)
 
 This rule enforces security best practices to prevent security misconfigurations in Python applications, as defined in OWASP Top 10:2021-A05.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py|ini|cfg|yml|yaml|json|toml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Debug mode appears to be enabled. This should be disabled in production environments as it can expose sensitive information.
-- Insecure cookie configuration detected. Set SESSION_COOKIE_SECURE to True in production environments.
-- CSRF protection appears to be disabled. Enable CSRF protection to prevent cross-site request forgery attacks.
-- Overly permissive CORS configuration detected. Restrict CORS to specific origins rather than allowing all origins.
-- Default or potentially weak secret key detected. Use a strong, randomly generated secret key and store it securely.
-- Exception propagation in debug mode is enabled. This can expose sensitive information in error messages.
-- SSL redirection appears to be disabled. Enable SSL redirection to ensure secure communications.
-- HTTP Strict Transport Security (HSTS) appears to be disabled. Enable HSTS to enforce secure communications.
-- Potentially sensitive endpoint exposed without access controls. Ensure proper authentication and authorization for administrative endpoints.
-- Default or weak credentials detected. Never use default or easily guessable credentials in any environment.
-- Overly permissive file permissions detected. Use the principle of least privilege for file permissions.
-- Endpoints that may expose version information detected. Ensure these endpoints don't reveal sensitive details about your application.
-- Potentially insecure deserialization detected. Use safer alternatives like yaml.safe_load() or validate input before deserialization.
-- HTTP request without timeout setting detected. Always set timeouts for HTTP requests to prevent denial of service.
-- Insecure upload directory detected. Use a properly secured directory for file uploads, not temporary directories.
-
-## Recommendations
-
-**Python Security Configuration Best Practices:**
-
-1. **Environment-Specific Configuration:**
-   - Use different configurations for development, testing, and production
-   - Never enable debug mode in production
-   - Example with environment variables:
-     ```python
-     import os
-     
-     DEBUG = os.environ.get('DEBUG', 'False') == 'True'
-     SECRET_KEY = os.environ.get('SECRET_KEY')
-     ```
-
-2. **Secure Cookie Configuration:**
-   - Enable secure cookies in production
-   - Set appropriate cookie flags
-   - Example for Django:
-     ```python
-     SESSION_COOKIE_SECURE = True
-     SESSION_COOKIE_HTTPONLY = True
-     SESSION_COOKIE_SAMESITE = 'Lax'
-     CSRF_COOKIE_SECURE = True
-     CSRF_COOKIE_HTTPONLY = True
-     ```
-   - Example for Flask:
-     ```python
-     app.config.update(
-         SESSION_COOKIE_SECURE=True,
-         SESSION_COOKIE_HTTPONLY=True,
-         SESSION_COOKIE_SAMESITE='Lax',
-         PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
-     )
-     ```
-
-3. **Security Headers:**
-   - Implement HTTP security headers
-   - Example with Flask-Talisman:
-     ```python
-     from flask_talisman import Talisman
-     
-     talisman = Talisman(
-         app,
-         content_security_policy={
-             'default-src': "'self'",
-             'script-src': "'self'"
-         },
-         strict_transport_security=True,
-         strict_transport_security_max_age=31536000,
-         frame_options='DENY'
-     )
-     ```
-   - Example for Django:
-     ```python
-     SECURE_HSTS_SECONDS = 31536000
-     SECURE_HSTS_INCLUDE_SUBDOMAINS = True
-     SECURE_HSTS_PRELOAD = True
-     SECURE_CONTENT_TYPE_NOSNIFF = True
-     SECURE_BROWSER_XSS_FILTER = True
-     X_FRAME_OPTIONS = 'DENY'
-     ```
-
-4. **CORS Configuration:**
-   - Restrict CORS to specific origins
-   - Example with Flask-CORS:
-     ```python
-     from flask_cors import CORS
-     
-     CORS(app, resources={r"/api/*": {"origins": "https://example.com"}})
-     ```
-   - Example for Django:
-     ```python
-     CORS_ALLOWED_ORIGINS = [
-         "https://example.com",
-         "https://sub.example.com",
-     ]
-     CORS_ALLOW_CREDENTIALS = True
-     ```
-
-5. **Secret Management:**
-   - Use environment variables or secure vaults for secrets
-   - Generate strong random secrets
-   - Example:
-     ```python
-     import secrets
-     
-     # Generate a secure random secret key
-     secret_key = secrets.token_hex(32)
-     ```
-
-6. **Error Handling:**
-   - Use custom error handlers to prevent information leakage
-   - Example for Flask:
-     ```python
-     @app.errorhandler(Exception)
-     def handle_exception(e):
-         # Log the error
-         app.logger.error(f"Unhandled exception: {str(e)}")
-         # Return a generic error message
-         return jsonify({"error": "An unexpected error occurred"}), 500
-     ```
-
-7. **Secure File Uploads:**
-   - Validate file types and sizes
-   - Store uploaded files outside the web root
-   - Use secure permissions
-   - Example:
-     ```python
-     import os
-     from werkzeug.utils import secure_filename
-     
-     UPLOAD_FOLDER = '/path/to/secure/location'
-     ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
-     
-     app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
-     app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16MB limit
-     
-     def allowed_file(filename):
-         return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
-     ```
-
-8. **Dependency Management:**
-   - Regularly update dependencies
-   - Use tools like safety or dependabot
-   - Pin dependency versions
-   - Example requirements.txt:
-     ```
-     Flask==2.0.1
-     Werkzeug==2.0.1
-     ```
-
-9. **Timeout Configuration:**
-   - Set timeouts for all external service calls
-   - Example:
-     ```python
-     import requests
-     
-     response = requests.get('https://api.example.com', timeout=(3.05, 27))
-     ```
-
-10. **Secure Deserialization:**
-    - Use safe alternatives for deserialization
-    - Validate input before deserialization
-    - Example:
-      ```python
-      import yaml
-      
-      # Use safe_load instead of load
-      data = yaml.safe_load(yaml_string)
-      ```
-
-## Validation
-
-- Using environment-specific or secure debug configuration.
-- Using secure cookie configuration.
-- Implementing security headers.
-- Using restricted CORS configuration.
+```yaml
+name: python_security_misconfiguration
+description: Detect and prevent security misconfigurations in Python applications as defined in OWASP Top 10:2021-A05
+filters:
+  - type: file_extension
+    pattern: "\\.(py|ini|cfg|yml|yaml|json|toml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Debug mode enabled in production settings
+      - pattern: "DEBUG\\s*=\\s*True|debug\\s*=\\s*true|\"debug\"\\s*:\\s*true|debug:\\s*true"
+        message: "Debug mode appears to be enabled. This should be disabled in production environments as it can expose sensitive information."
+
+      # Pattern 2: Insecure cookie settings
+      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*False|session_cookie_secure\\s*=\\s*false|\"session_cookie_secure\"\\s*:\\s*false|session_cookie_secure:\\s*false"
+        message: "Insecure cookie configuration detected. Set SESSION_COOKIE_SECURE to True in production environments."
+
+      # Pattern 3: Missing CSRF protection
+      - pattern: "CSRF_ENABLED\\s*=\\s*False|csrf_enabled\\s*=\\s*false|\"csrf_enabled\"\\s*:\\s*false|csrf_enabled:\\s*false|WTF_CSRF_ENABLED\\s*=\\s*False"
+        message: "CSRF protection appears to be disabled. Enable CSRF protection to prevent cross-site request forgery attacks."
+
+      # Pattern 4: Insecure CORS settings
+      - pattern: "CORS_ORIGIN_ALLOW_ALL\\s*=\\s*True|cors_origin_allow_all\\s*=\\s*true|\"cors_origin_allow_all\"\\s*:\\s*true|cors_origin_allow_all:\\s*true|Access-Control-Allow-Origin:\\s*\\*"
+        message: "Overly permissive CORS configuration detected. Restrict CORS to specific origins rather than allowing all origins."
+
+      # Pattern 5: Default or weak secret keys
+      - pattern: "SECRET_KEY\\s*=\\s*['\"]default|SECRET_KEY\\s*=\\s*['\"][a-zA-Z0-9]{1,32}['\"]|secret_key\\s*=\\s*['\"]default|\"secret_key\"\\s*:\\s*\"default|secret_key:\\s*default"
+        message: "Default or potentially weak secret key detected. Use a strong, randomly generated secret key and store it securely."
+
+      # Pattern 6: Exposed sensitive information in error messages
+      - pattern: "DEBUG_PROPAGATE_EXCEPTIONS\\s*=\\s*True|debug_propagate_exceptions\\s*=\\s*true|\"debug_propagate_exceptions\"\\s*:\\s*true|debug_propagate_exceptions:\\s*true"
+        message: "Exception propagation in debug mode is enabled. This can expose sensitive information in error messages."
+
+      # Pattern 7: Insecure SSL/TLS configuration
+      - pattern: "SECURE_SSL_REDIRECT\\s*=\\s*False|secure_ssl_redirect\\s*=\\s*false|\"secure_ssl_redirect\"\\s*:\\s*false|secure_ssl_redirect:\\s*false"
+        message: "SSL redirection appears to be disabled. Enable SSL redirection to ensure secure communications."
+
+      # Pattern 8: Missing security headers
+      - pattern: "SECURE_HSTS_SECONDS\\s*=\\s*0|secure_hsts_seconds\\s*=\\s*0|\"secure_hsts_seconds\"\\s*:\\s*0|secure_hsts_seconds:\\s*0"
+        message: "HTTP Strict Transport Security (HSTS) appears to be disabled. Enable HSTS to enforce secure communications."
+
+      # Pattern 9: Exposed sensitive directories
+      - pattern: "@app\\.route\\(['\"]/(admin|console|management|config|settings|system)['\"]"
+        message: "Potentially sensitive endpoint exposed without access controls. Ensure proper authentication and authorization for administrative endpoints."
+
+      # Pattern 10: Default accounts or credentials
+      - pattern: "username\\s*=\\s*['\"]admin['\"]|password\\s*=\\s*['\"]admin|password\\s*=\\s*['\"]password|password\\s*=\\s*['\"]123|user\\s*=\\s*['\"]root['\"]"
+        message: "Default or weak credentials detected. Never use default or easily guessable credentials in any environment."
+
+      # Pattern 11: Insecure file permissions
+      - pattern: "os\\.chmod\\([^,]+,\\s*0o777\\)|os\\.chmod\\([^,]+,\\s*777\\)"
+        message: "Overly permissive file permissions detected. Use the principle of least privilege for file permissions."
+
+      # Pattern 12: Exposed version information
+      - pattern: "@app\\.route\\(['\"]/(version|build|status|health)['\"]"
+        message: "Endpoints that may expose version information detected. Ensure these endpoints don't reveal sensitive details about your application."
+
+      # Pattern 13: Insecure deserialization
+      - pattern: "pickle\\.loads|yaml\\.load\\([^,)]+\\)|json\\.loads\\([^,)]+,\\s*[^)]*object_hook"
+        message: "Potentially insecure deserialization detected. Use safer alternatives like yaml.safe_load() or validate input before deserialization."
+
+      # Pattern 14: Missing timeout settings
+      - pattern: "requests\\.get\\([^,)]+\\)|requests\\.(post|put|delete|patch)\\([^,)]+\\)"
+        message: "HTTP request without timeout setting detected. Always set timeouts for HTTP requests to prevent denial of service."
+
+      # Pattern 15: Insecure upload directory
+      - pattern: "UPLOAD_FOLDER\\s*=\\s*['\"][^'\"]*(/tmp|/var/tmp)[^'\"]*['\"]|upload_folder\\s*=\\s*['\"][^'\"]*(/tmp|/var/tmp)[^'\"]*['\"]"
+        message: "Insecure upload directory detected. Use a properly secured directory for file uploads, not temporary directories."
+
+  - type: suggest
+    message: |
+      **Python Security Configuration Best Practices:**
+
+      1. **Environment-Specific Configuration:**
+         - Use different configurations for development, testing, and production
+         - Never enable debug mode in production
+         - Example with environment variables:
+           ```python
+           import os
+
+           DEBUG = os.environ.get('DEBUG', 'False') == 'True'
+           SECRET_KEY = os.environ.get('SECRET_KEY')
+           ```
+
+      2. **Secure Cookie Configuration:**
+         - Enable secure cookies in production
+         - Set appropriate cookie flags
+         - Example for Django:
+           ```python
+           SESSION_COOKIE_SECURE = True
+           SESSION_COOKIE_HTTPONLY = True
+           SESSION_COOKIE_SAMESITE = 'Lax'
+           CSRF_COOKIE_SECURE = True
+           CSRF_COOKIE_HTTPONLY = True
+           ```
+         - Example for Flask:
+           ```python
+           app.config.update(
+               SESSION_COOKIE_SECURE=True,
+               SESSION_COOKIE_HTTPONLY=True,
+               SESSION_COOKIE_SAMESITE='Lax',
+               PERMANENT_SESSION_LIFETIME=timedelta(hours=1)
+           )
+           ```
+
+      3. **Security Headers:**
+         - Implement HTTP security headers
+         - Example with Flask-Talisman:
+           ```python
+           from flask_talisman import Talisman
+
+           talisman = Talisman(
+               app,
+               content_security_policy={
+                   'default-src': "'self'",
+                   'script-src': "'self'"
+               },
+               strict_transport_security=True,
+               strict_transport_security_max_age=31536000,
+               frame_options='DENY'
+           )
+           ```
+         - Example for Django:
+           ```python
+           SECURE_HSTS_SECONDS = 31536000
+           SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+           SECURE_HSTS_PRELOAD = True
+           SECURE_CONTENT_TYPE_NOSNIFF = True
+           SECURE_BROWSER_XSS_FILTER = True
+           X_FRAME_OPTIONS = 'DENY'
+           ```
+
+      4. **CORS Configuration:**
+         - Restrict CORS to specific origins
+         - Example with Flask-CORS:
+           ```python
+           from flask_cors import CORS
+
+           CORS(app, resources={r"/api/*": {"origins": "https://example.com"}})
+           ```
+         - Example for Django:
+           ```python
+           CORS_ALLOWED_ORIGINS = [
+               "https://example.com",
+               "https://sub.example.com",
+           ]
+           CORS_ALLOW_CREDENTIALS = True
+           ```
+
+      5. **Secret Management:**
+         - Use environment variables or secure vaults for secrets
+         - Generate strong random secrets
+         - Example:
+           ```python
+           import secrets
+
+           # Generate a secure random secret key
+           secret_key = secrets.token_hex(32)
+           ```
+
+      6. **Error Handling:**
+         - Use custom error handlers to prevent information leakage
+         - Example for Flask:
+           ```python
+           @app.errorhandler(Exception)
+           def handle_exception(e):
+               # Log the error
+               app.logger.error(f"Unhandled exception: {str(e)}")
+               # Return a generic error message
+               return jsonify({"error": "An unexpected error occurred"}), 500
+           ```
+
+      7. **Secure File Uploads:**
+         - Validate file types and sizes
+         - Store uploaded files outside the web root
+         - Use secure permissions
+         - Example:
+           ```python
+           import os
+           from werkzeug.utils import secure_filename
+
+           UPLOAD_FOLDER = '/path/to/secure/location'
+           ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
+
+           app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
+           app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16MB limit
+
+           def allowed_file(filename):
+               return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+           ```
+
+      8. **Dependency Management:**
+         - Regularly update dependencies
+         - Use tools like safety or dependabot
+         - Pin dependency versions
+         - Example requirements.txt:
+           ```
+           Flask==2.0.1
+           Werkzeug==2.0.1
+           ```
+
+      9. **Timeout Configuration:**
+         - Set timeouts for all external service calls
+         - Example:
+           ```python
+           import requests
+
+           response = requests.get('https://api.example.com', timeout=(3.05, 27))
+           ```
+
+      10. **Secure Deserialization:**
+          - Use safe alternatives for deserialization
+          - Validate input before deserialization
+          - Example:
+            ```python
+            import yaml
+
+            # Use safe_load instead of load
+            data = yaml.safe_load(yaml_string)
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Proper debug configuration
+      - pattern: "DEBUG\\s*=\\s*os\\.environ\\.get\\(['\"]DEBUG['\"]|DEBUG\\s*=\\s*False"
+        message: "Using environment-specific or secure debug configuration."
+
+      # Check 2: Secure cookie settings
+      - pattern: "SESSION_COOKIE_SECURE\\s*=\\s*True|session_cookie_secure\\s*=\\s*true"
+        message: "Using secure cookie configuration."
+
+      # Check 3: Security headers implementation
+      - pattern: "SECURE_HSTS_SECONDS|X_FRAME_OPTIONS|Talisman\\(|CSP|Content-Security-Policy"
+        message: "Implementing security headers."
+
+      # Check 4: Proper CORS configuration
+      - pattern: "CORS_ALLOWED_ORIGINS|CORS\\(app,\\s*resources"
+        message: "Using restricted CORS configuration."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - configuration
+    - deployment
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:configuration
+    - standard:owasp-top10
+    - risk:a05-security-misconfiguration
+  references:
+    - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Configuration_Security_Cheat_Sheet.html"
+    - "https://flask.palletsprojects.com/en/latest/security/"
+    - "https://docs.djangoproject.com/en/stable/topics/security/"
+    - "https://fastapi.tiangolo.com/advanced/security/https/"
+    - "https://owasp.org/www-project-secure-headers/"
+```
+
diff --git a/.cursor/rules/python-ssrf.mdc b/.cursor/rules/python-ssrf.mdc
index 7352392..9e0e498 100644
--- a/.cursor/rules/python-ssrf.mdc
+++ b/.cursor/rules/python-ssrf.mdc
@@ -3,42 +3,519 @@ description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabiliti
 globs: *.py
 alwaysApply: false
 ---
-# Python Server-Side Request Forgery (SSRF) Safeguards
-
-This rule provides review checkpoints to avoid SSRF vulnerabilities when Python code makes outbound network calls on behalf of a user or downstream system.
-
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-
-## Trigger Conditions
-- HTTP clients such as `requests`, `urllib`, `aiohttp`, `httpx`, `boto3`, or custom fetch utilities.
-- Code paths that pass user-controlled URLs, hostnames, IP addresses, or protocols into outbound requests.
-- Services acting as proxies, webhooks, image fetchers, or metadata retrievers.
-
-## Required Checks
-- Validate destination schemes and hosts before executing outbound requests; prefer allowlists over blocklists.
-- Block or rewrite requests that resolve to loopback, link-local, or private network ranges (e.g. 127.0.0.0/8, ::1, 169.254.0.0/16, 10.0.0.0/8, 192.168.0.0/16).
-- Disable automatic redirects, or re-validate redirect targets, when relaying user-provided URLs.
-- Ensure headers such as `Host`, `X-Forwarded-For`, and authentication tokens cannot be overridden by external input.
-- Reject or sanitise non-HTTP schemes (`file://`, `ftp://`, `gopher://`, etc.) unless explicitly required.
-
-## Recommendations
-- Normalize input with `urllib.parse`, `yarl.URL`, or equivalent helpers before validation.
-- Resolve hostnames with `socket.getaddrinfo` or `ipaddress.ip_address` to enforce subnet allowlists.
-- Wrap outbound calls behind shared helpers that centralise validation, logging, and timeout defaults.
-- Combine application checks with infrastructure controls (egress allowlists, VPC service controls, IMDSv2 tokens).
-- Record security telemetry for SSRF-prone endpoints (requested host, caller, decision outcome).
-- Add tests that cover malicious targets (internal IPs, metadata endpoints, protocol smuggling).
-
-## Positive Signals
-- Presence of helper functions such as `sanitize_url`, `validate_external_url`, or allowlisted hostname checks.
-- Use of CIDR comparisons or allowlist configuration before performing network requests.
-- Explicit configuration-driven lists of permitted domains or services.
-- Security unit tests or integration tests asserting blocked behaviour for sensitive hosts.
-
-## References
-- OWASP SSRF Prevention Cheat Sheet
-- Python `ipaddress` and `urllib.parse` documentation
-- Cloud provider guidance for protecting metadata services
+ # Python Server-Side Request Forgery (SSRF) Standards (OWASP A10:2021)
+
+This rule enforces security best practices to prevent Server-Side Request Forgery (SSRF) vulnerabilities in Python applications, as defined in OWASP Top 10:2021-A10.
+
+```yaml
+name: python_ssrf
+description: Detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in Python applications as defined in OWASP Top 10:2021-A10
+filters:
+  - type: file_extension
+    pattern: "\\.py$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Detect direct use of requests library with user input
+      - pattern: "requests\\.(get|post|put|delete|head|options|patch)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in HTTP requests. Implement URL validation and allowlisting."
+
+      # Pattern 2: Detect urllib usage with user input
+      - pattern: "urllib\\.(request|parse)\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in urllib functions. Implement URL validation and allowlisting."
+
+      # Pattern 3: Detect http.client usage with user input
+      - pattern: "http\\.client\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in http.client functions. Implement URL validation and allowlisting."
+
+      # Pattern 4: Detect aiohttp usage with user input
+      - pattern: "aiohttp\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in aiohttp functions. Implement URL validation and allowlisting."
+
+      # Pattern 5: Detect httpx usage with user input
+      - pattern: "httpx\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in httpx functions. Implement URL validation and allowlisting."
+
+      # Pattern 6: Detect pycurl usage with user input
+      - pattern: "pycurl\\.\\w+\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used directly in pycurl functions. Implement URL validation and allowlisting."
+
+      # Pattern 7: Detect subprocess calls with user input that might lead to SSRF
+      - pattern: "subprocess\\.(Popen|call|run|check_output|check_call)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in subprocess calls, which might lead to SSRF. Validate and sanitize input."
+
+      # Pattern 8: Detect os.system calls with user input that might lead to SSRF
+      - pattern: "os\\.(system|popen|spawn)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in OS commands, which might lead to SSRF. Validate and sanitize input."
+
+      # Pattern 9: Detect URL construction with user input
+      - pattern: "(f|r)[\"\']https?://[^\"\']*?\\{[^\\}]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in URL construction. Implement URL validation and allowlisting."
+
+      # Pattern 10: Detect URL joining with user input
+      - pattern: "urljoin\\([^,]+,[^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in URL joining. Implement URL validation and allowlisting."
+
+      # Pattern 11: Detect file opening with user input (potential local SSRF)
+      - pattern: "open\\([^,]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential local SSRF vulnerability detected. User-controlled input is being used in file operations. Validate file paths and use path sanitization."
+
+      # Pattern 12: Detect XML/YAML parsing with user input (potential XXE leading to SSRF)
+      - pattern: "(ET\\.fromstring|ET\\.parse|ET\\.XML|minidom\\.parse|parseString|yaml\\.load)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential XXE vulnerability that could lead to SSRF detected. User-controlled input is being used in XML/YAML parsing. Use safe parsing methods and disable external entities."
+
+      # Pattern 13: Detect socket connections with user input
+      - pattern: "socket\\.(socket|create_connection)\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in socket connections. Implement host/port validation and allowlisting."
+
+      # Pattern 14: Detect FTP connections with user input
+      - pattern: "ftplib\\.FTP\\([^)]*?\\b(request\\.\\w+|params\\[\\'[^\\']+\\'\\]|data\\[\\'[^\\']+\\'\\]|json\\[\\'[^\\']+\\'\\]|args\\.get|form\\.get)"
+        message: "Potential SSRF vulnerability detected. User-controlled input is being used in FTP connections. Implement host validation and allowlisting."
+
+      # Pattern 15: Detect missing URL validation before making requests
+      - pattern: "def\\s+\\w+\\([^)]*?\\):[^\\n]*?\\n(?:[^\\n]*?\\n)*?[^\\n]*?requests\\.(get|post|put|delete|head|options|patch)\\([^)]*?url\\s*=\\s*[^\\n]*?(?!.*?validate_url)"
+        message: "Missing URL validation before making HTTP requests. Implement URL validation with allowlisting to prevent SSRF attacks."
+
+  - type: suggest
+    message: |
+      **Python Server-Side Request Forgery (SSRF) Prevention Best Practices:**
+
+      1. **URL Validation and Allowlisting:**
+         - Implement strict URL validation
+         - Use allowlists for domains, IP ranges, and protocols
+         - Example implementation:
+           ```python
+           import re
+           import socket
+           import ipaddress
+           from urllib.parse import urlparse
+
+           def is_valid_url(url, allowed_domains=None, allowed_protocols=None, block_private_ips=True):
+               """
+               Validate URLs against allowlists and block private IPs.
+
+               Args:
+                   url (str): The URL to validate
+                   allowed_domains (list): List of allowed domains
+                   allowed_protocols (list): List of allowed protocols
+                   block_private_ips (bool): Whether to block private IPs
+
+               Returns:
+                   bool: True if URL is valid according to rules
+               """
+               if not url:
+                   return False
+
+               # Default allowlists if none provided
+               if allowed_domains is None:
+                   allowed_domains = ["example.com", "api.example.com"]
+               if allowed_protocols is None:
+                   allowed_protocols = ["https"]
+
+               try:
+                   # Parse URL
+                   parsed_url = urlparse(url)
+
+                   # Check protocol
+                   if parsed_url.scheme not in allowed_protocols:
+                       return False
+
+                   # Check domain against allowlist
+                   if parsed_url.netloc not in allowed_domains:
+                       return False
+
+                   # Block private IPs if enabled
+                   if block_private_ips:
+                       hostname = parsed_url.netloc.split(':')[0]
+                       try:
+                           ip_addresses = socket.getaddrinfo(
+                               hostname, None, socket.AF_INET, socket.SOCK_STREAM
+                           )
+                           for family, socktype, proto, canonname, sockaddr in ip_addresses:
+                               ip = sockaddr[0]
+                               ip_obj = ipaddress.ip_address(ip)
+                               if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_reserved:
+                                   return False
+                       except socket.gaierror:
+                           # DNS resolution failed
+                           return False
+
+                   return True
+               except Exception:
+                   return False
+
+           # Usage example
+           def fetch_resource(resource_url):
+               if not is_valid_url(resource_url):
+                   raise ValueError("Invalid or disallowed URL")
+
+               # Proceed with request
+               import requests
+               return requests.get(resource_url)
+           ```
+
+      2. **Implement Network-Level Controls:**
+         - Use network-level allowlists
+         - Configure firewalls to block outbound requests to internal resources
+         - Example with proxy configuration:
+           ```python
+           import requests
+
+           def safe_request(url):
+               # Configure proxy that implements URL filtering
+               proxies = {
+                   'http': 'http://ssrf-protecting-proxy:8080',
+                   'https': 'http://ssrf-protecting-proxy:8080'
+               }
+
+               # Set timeout to prevent long-running requests
+               timeout = 10
+
+               try:
+                   return requests.get(url, proxies=proxies, timeout=timeout)
+               except requests.exceptions.RequestException as e:
+                   # Log the error and handle gracefully
+                   logging.error(f"Request failed: {e}")
+                   return None
+           ```
+
+      3. **Use Safe Libraries and Wrappers:**
+         - Create wrapper functions for HTTP requests
+         - Implement consistent security controls
+         - Example wrapper:
+           ```python
+           import requests
+           from urllib.parse import urlparse
+
+           class SafeRequestHandler:
+               def __init__(self, allowed_domains=None, allowed_protocols=None):
+                   self.allowed_domains = allowed_domains or ["api.example.com"]
+                   self.allowed_protocols = allowed_protocols or ["https"]
+
+               def validate_url(self, url):
+                   parsed_url = urlparse(url)
+
+                   # Validate protocol
+                   if parsed_url.scheme not in self.allowed_protocols:
+                       return False
+
+                   # Validate domain
+                   if parsed_url.netloc not in self.allowed_domains:
+                       return False
+
+                   return True
+
+               def request(self, method, url, **kwargs):
+                   if not self.validate_url(url):
+                       raise ValueError(f"URL validation failed for: {url}")
+
+                   # Set sensible defaults
+                   kwargs.setdefault('timeout', 10)
+
+                   # Make the request
+                   return requests.request(method, url, **kwargs)
+
+               def get(self, url, **kwargs):
+                   return self.request('GET', url, **kwargs)
+
+               def post(self, url, **kwargs):
+                   return self.request('POST', url, **kwargs)
+
+           # Usage
+           safe_requests = SafeRequestHandler()
+           response = safe_requests.get('https://api.example.com/data')
+           ```
+
+      4. **Disable Redirects or Implement Redirect Validation:**
+         - Disable automatic redirects
+         - Validate each redirect location
+         - Example:
+           ```python
+           import requests
+
+           def safe_request_with_redirect_validation(url, allowed_domains):
+               # Disable automatic redirects
+               session = requests.Session()
+               response = session.get(url, allow_redirects=False)
+
+               # Handle redirects manually with validation
+               redirect_count = 0
+               max_redirects = 5
+
+               while 300 <= response.status_code < 400 and redirect_count < max_redirects:
+                   redirect_url = response.headers.get('Location')
+
+                   # Validate redirect URL
+                   parsed_url = urlparse(redirect_url)
+                   if parsed_url.netloc not in allowed_domains:
+                       raise ValueError(f"Redirect to disallowed domain: {parsed_url.netloc}")
+
+                   # Follow the redirect with validation
+                   redirect_count += 1
+                   response = session.get(redirect_url, allow_redirects=False)
+
+               return response
+           ```
+
+      5. **Use Metadata Instead of Direct URLs:**
+         - Use resource identifiers instead of URLs
+         - Resolve identifiers server-side
+         - Example:
+           ```python
+           def fetch_resource_by_id(resource_id):
+               # Map of allowed resources
+               resource_map = {
+                   "user_profile": "https://api.example.com/profiles/",
+                   "product_data": "https://api.example.com/products/",
+                   "weather_info": "https://api.weather.com/forecast/"
+               }
+
+               # Check if resource_id is in allowed list
+               if resource_id not in resource_map:
+                   raise ValueError(f"Unknown resource ID: {resource_id}")
+
+               # Construct URL from safe base + ID
+               base_url = resource_map[resource_id]
+               return requests.get(base_url)
+           ```
+
+      6. **Implement Response Handling Controls:**
+         - Sanitize and validate responses
+         - Prevent response data from being used in further requests
+         - Example:
+           ```python
+           def safe_request_with_response_validation(url):
+               response = requests.get(url)
+
+               # Check response size
+               if len(response.content) > MAX_RESPONSE_SIZE:
+                   raise ValueError("Response too large")
+
+               # Validate content type
+               content_type = response.headers.get('Content-Type', '')
+               if not content_type.startswith('application/json'):
+                   raise ValueError(f"Unexpected content type: {content_type}")
+
+               # Parse and validate JSON structure
+               try:
+                   data = response.json()
+                   # Validate expected structure
+                   if 'result' not in data:
+                       raise ValueError("Invalid response structure")
+                   return data
+               except ValueError:
+                   raise ValueError("Invalid JSON response")
+           ```
+
+      7. **Use Timeouts and Circuit Breakers:**
+         - Set appropriate timeouts
+         - Implement circuit breakers for failing services
+         - Example:
+           ```python
+           import requests
+           from requests.exceptions import Timeout, ConnectionError
+
+           def request_with_circuit_breaker(url, max_retries=3, timeout=5):
+               retries = 0
+               while retries < max_retries:
+                   try:
+                       return requests.get(url, timeout=timeout)
+                   except (Timeout, ConnectionError) as e:
+                       retries += 1
+                       if retries >= max_retries:
+                           # Circuit is now open
+                           raise ValueError(f"Circuit breaker open for {url}: {str(e)}")
+                       # Exponential backoff
+                       time.sleep(2 ** retries)
+           ```
+
+      8. **Implement Proper Logging and Monitoring:**
+         - Log all outbound requests
+         - Monitor for unusual patterns
+         - Example:
+           ```python
+           import logging
+           import requests
+
+           def logged_request(url, **kwargs):
+               # Log the outbound request
+               logging.info(f"Outbound request to: {url}")
+
+               try:
+                   response = requests.get(url, **kwargs)
+                   # Log the response
+                   logging.info(f"Response from {url}: status={response.status_code}")
+                   return response
+               except Exception as e:
+                   # Log the error
+                   logging.error(f"Request to {url} failed: {str(e)}")
+                   raise
+           ```
+
+      9. **Use DNS Resolution Controls:**
+         - Implement DNS resolution controls
+         - Block internal DNS names
+         - Example:
+           ```python
+           import socket
+           import ipaddress
+
+           def is_safe_host(hostname):
+               try:
+                   # Resolve hostname to IP
+                   ip_addresses = socket.getaddrinfo(
+                       hostname, None, socket.AF_INET, socket.SOCK_STREAM
+                   )
+
+                   for family, socktype, proto, canonname, sockaddr in ip_addresses:
+                       ip = sockaddr[0]
+                       ip_obj = ipaddress.ip_address(ip)
+
+                       # Check if IP is private/internal
+                       if (ip_obj.is_private or ip_obj.is_loopback or
+                           ip_obj.is_link_local or ip_obj.is_reserved):
+                           return False
+
+                   return True
+               except (socket.gaierror, ValueError):
+                   return False
+
+           def safe_request_with_dns_check(url):
+               parsed_url = urlparse(url)
+               hostname = parsed_url.netloc.split(':')[0]
+
+               if not is_safe_host(hostname):
+                   raise ValueError(f"Hostname resolves to unsafe IP: {hostname}")
+
+               return requests.get(url)
+           ```
+
+      10. **Implement Defense in Depth:**
+          - Combine multiple protection mechanisms
+          - Don't rely on a single control
+          - Example comprehensive approach:
+            ```python
+            class SSRFProtectedClient:
+                def __init__(self):
+                    self.allowed_domains = ["api.example.com", "cdn.example.com"]
+                    self.allowed_protocols = ["https"]
+                    self.max_redirects = 3
+                    self.timeout = 10
+
+                def is_safe_url(self, url):
+                    # URL validation
+                    parsed_url = urlparse(url)
+
+                    # Protocol check
+                    if parsed_url.scheme not in self.allowed_protocols:
+                        return False
+
+                    # Domain check
+                    if parsed_url.netloc not in self.allowed_domains:
+                        return False
+
+                    # DNS resolution check
+                    hostname = parsed_url.netloc.split(':')[0]
+                    try:
+                        ip_addresses = socket.getaddrinfo(
+                            hostname, None, socket.AF_INET, socket.SOCK_STREAM
+                        )
+                        for family, socktype, proto, canonname, sockaddr in ip_addresses:
+                            ip = sockaddr[0]
+                            ip_obj = ipaddress.ip_address(ip)
+                            if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_reserved:
+                                return False
+                    except socket.gaierror:
+                        return False
+
+                    return True
+
+                def request(self, method, url, **kwargs):
+                    # Validate URL
+                    if not self.is_safe_url(url):
+                        raise ValueError(f"URL failed security validation: {url}")
+
+                    # Set sensible defaults
+                    kwargs.setdefault('timeout', self.timeout)
+                    kwargs.setdefault('allow_redirects', False)
+
+                    # Make initial request
+                    session = requests.Session()
+                    response = session.request(method, url, **kwargs)
+
+                    # Handle redirects manually with validation
+                    redirect_count = 0
+
+                    while 300 <= response.status_code < 400 and redirect_count < self.max_redirects:
+                        redirect_url = response.headers.get('Location')
+
+                        # Validate redirect URL
+                        if not self.is_safe_url(redirect_url):
+                            raise ValueError(f"Redirect URL failed security validation: {redirect_url}")
+
+                        # Follow the redirect with validation
+                        redirect_count += 1
+                        response = session.request(method, redirect_url, **kwargs)
+
+                    # Log the request
+                    logging.info(f"{method} request to {url} completed with status {response.status_code}")
+
+                    return response
+
+                def get(self, url, **kwargs):
+                    return self.request('GET', url, **kwargs)
+
+                def post(self, url, **kwargs):
+                    return self.request('POST', url, **kwargs)
+
+            # Usage
+            client = SSRFProtectedClient()
+            response = client.get('https://api.example.com/data')
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: URL validation implementation
+      - pattern: "def\\s+is_valid_url|def\\s+validate_url"
+        message: "URL validation function is implemented."
+
+      # Check 2: Allowlist implementation
+      - pattern: "allowed_domains|allowed_urls|ALLOWED_HOSTS|whitelist"
+        message: "URL allowlisting is implemented."
+
+      # Check 3: Safe request wrapper
+      - pattern: "class\\s+\\w+Request|def\\s+safe_request"
+        message: "Safe request wrapper is implemented."
+
+      # Check 4: IP address validation
+      - pattern: "ipaddress\\.ip_address|is_private|is_loopback|is_reserved"
+        message: "IP address validation is implemented to prevent access to internal resources."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - ssrf
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:ssrf
+    - standard:owasp-top10
+    - risk:a10-server-side-request-forgery
+  references:
+    - "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+    - "https://portswigger.net/web-security/ssrf"
+    - "https://docs.python.org/3/library/urllib.request.html"
+    - "https://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification"
+    - "https://docs.python.org/3/library/ipaddress.html"
+```
+
diff --git a/.cursor/rules/python-vulnerable-outdated-components.mdc b/.cursor/rules/python-vulnerable-outdated-components.mdc
index 93d02de..0e8efac 100644
--- a/.cursor/rules/python-vulnerable-outdated-components.mdc
+++ b/.cursor/rules/python-vulnerable-outdated-components.mdc
@@ -3,170 +3,250 @@ description: Detect and prevent vulnerabilities related to outdated dependencies
 globs: *.py, *.txt, *.ini, *.cfg, *.yml, *.yaml, *.json, *.toml
 alwaysApply: false
 ---
-# Python Vulnerable and Outdated Components Standards (OWASP A06:2021)
+ # Python Vulnerable and Outdated Components Standards (OWASP A06:2021)
 
 This rule enforces security best practices to prevent vulnerabilities related to outdated dependencies and components in Python applications, as defined in OWASP Top 10:2021-A06.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.py`
-- `*.txt`
-- `*.ini`
-- `*.cfg`
-- `*.yml`
-- `*.yaml`
-- `*.json`
-- `*.toml`
-
-## Trigger Conditions
-- Files matching pattern `\.(py|txt|ini|cfg|yml|yaml|json|toml)$`
-- Paths matching `.*`
-
-## Required Checks
-
-- Unpinned dependency detected. Always pin dependencies to specific versions to prevent automatic updates to potentially vulnerable versions.
-- Potentially outdated Django version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated Flask version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated Requests version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated Cryptography version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated PyYAML version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated Pillow version detected. Consider upgrading to the latest stable version with security updates.
-- Use of deprecated or insecure module detected. Consider using more secure alternatives.
-- Use of deprecated or insecure function detected. Consider using more secure alternatives.
-- Dynamic code execution or module loading detected. This can lead to code injection if user input is involved.
-- Outdated TLS/SSL protocol version detected. Use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER instead.
-- Use of potentially insecure deserialization library detected. Ensure these are not used with untrusted data.
-- Potentially outdated SQLAlchemy version detected. Consider upgrading to the latest stable version with security updates.
-- Potentially outdated Celery version detected. Consider upgrading to the latest stable version with security updates.
-- Insecure pip installation options detected. Avoid using --no-deps, ensure HTTPS for index URLs, and be cautious with --pre and --user flags.
-
-## Recommendations
-
-**Python Dependency and Component Security Best Practices:**
-
-1. **Dependency Management:**
-   - Always pin dependencies to specific versions
-   - Use a lockfile (requirements.txt, Pipfile.lock, poetry.lock)
-   - Example requirements.txt:
-     ```
-     Django==4.2.7
-     requests==2.31.0
-     cryptography==41.0.5
-     ```
-
-2. **Vulnerability Scanning:**
-   - Regularly scan dependencies for vulnerabilities
-   - Use tools like safety, pip-audit, or dependabot
-   - Example safety check:
-     ```bash
-     pip install safety
-     safety check -r requirements.txt
-     ```
-
-3. **Dependency Updates:**
-   - Establish a regular update schedule
-   - Automate updates with tools like Renovate or Dependabot
-   - Test thoroughly after updates
-   - Example GitHub workflow:
-     ```yaml
-     name: Dependency Update
-     on:
-       schedule:
-         - cron: '0 0 * * 1'  # Weekly on Monday
-     jobs:
-       update-deps:
-         runs-on: ubuntu-latest
-         steps:
-           - uses: actions/checkout@v3
-           - name: Update dependencies
-             run: |
-               pip install pip-upgrader
-               pip-upgrader -p requirements.txt
-     ```
-
-4. **Secure Package Installation:**
-   - Use trusted package sources
-   - Verify package integrity with hashes
-   - Example with pip and hashes:
-     ```
-     # requirements.txt
-     Django==4.2.7 --hash=sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaa2c03b76293b8
-     ```
-
-5. **Minimal Dependencies:**
-   - Limit the number of dependencies
-   - Regularly audit and remove unused dependencies
-   - Consider security history when selecting packages
-   - Example dependency audit:
-     ```bash
-     pip install pipdeptree
-     pipdeptree --warn silence | grep -v "^\s"
-     ```
-
-6. **Virtual Environments:**
-   - Use isolated environments for each project
-   - Document environment setup
-   - Example:
-     ```bash
-     python -m venv venv
-     source venv/bin/activate  # On Windows: venv\Scripts\activate
-     pip install -r requirements.txt
-     ```
-
-7. **Container Security:**
-   - Use official base images
-   - Pin image versions
-   - Scan container images
-   - Example Dockerfile:
-     ```dockerfile
-     FROM python:3.11-slim@sha256:1234567890abcdef
-     
-     WORKDIR /app
-     COPY requirements.txt .
-     RUN pip install --no-cache-dir -r requirements.txt
-     
-     COPY . .
-     RUN pip install --no-cache-dir -e .
-     
-     USER nobody
-     CMD ["gunicorn", "myapp.wsgi:application"]
-     ```
-
-8. **Compile-time Dependencies:**
-   - Separate runtime and development dependencies
-   - Example with pip-tools:
-     ```
-     # requirements.in
-     Django>=4.2,<5.0
-     requests>=2.31.0
-     
-     # dev-requirements.in
-     -r requirements.in
-     pytest>=7.0.0
-     black>=23.0.0
-     ```
-
-9. **Deprecated API Usage:**
-   - Stay informed about deprecation notices
-   - Plan migrations away from deprecated APIs
-   - Example Django deprecation check:
-     ```bash
-     python manage.py check --deploy
-     ```
-
-10. **Supply Chain Security:**
-    - Use tools like pip-audit to check for supply chain attacks
-    - Consider using a private PyPI mirror
-    - Example:
-      ```bash
-      pip install pip-audit
-      pip-audit
-      ```
-
-## Validation
-
-- Dependencies are properly pinned to specific versions.
-- Dependency scanning tools are being used.
-- Using secure TLS protocol versions.
-- Using secure random generation methods.
+```yaml
+name: python_vulnerable_outdated_components
+description: Detect and prevent vulnerabilities related to outdated dependencies and components in Python applications as defined in OWASP Top 10:2021-A06
+filters:
+  - type: file_extension
+    pattern: "\\.(py|txt|ini|cfg|yml|yaml|json|toml)$"
+  - type: file_path
+    pattern: ".*"
+
+actions:
+  - type: enforce
+    conditions:
+      # Pattern 1: Unpinned dependencies in requirements files
+      - pattern: "^(django|flask|fastapi|requests|cryptography|pyyaml|sqlalchemy|celery|numpy|pandas|pillow|tensorflow|torch|boto3|psycopg2)\\s*$"
+        file_pattern: "requirements.*\\.txt$|setup\\.py$|pyproject\\.toml$"
+        message: "Unpinned dependency detected. Always pin dependencies to specific versions to prevent automatic updates to potentially vulnerable versions."
+
+      # Pattern 2: Outdated/vulnerable Django versions
+      - pattern: "django([<>=]=|~=|==)\\s*[\"']?(1\\.|2\\.[0-2]\\.|3\\.[0-2]\\.|4\\.0\\.)[0-9]+[\"']?"
+        message: "Potentially outdated Django version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 3: Outdated/vulnerable Flask versions
+      - pattern: "flask([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.[0-3]\\.|2\\.0\\.[0-3])[0-9]*[\"']?"
+        message: "Potentially outdated Flask version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 4: Outdated/vulnerable Requests versions
+      - pattern: "requests([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.[0-2][0-5]\\.[0-9]+)[\"']?"
+        message: "Potentially outdated Requests version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 5: Outdated/vulnerable Cryptography versions
+      - pattern: "cryptography([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.[0-3]\\.|3\\.4\\.[0-7])[0-9]*[\"']?"
+        message: "Potentially outdated Cryptography version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 6: Outdated/vulnerable PyYAML versions
+      - pattern: "pyyaml([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.|5\\.[0-5]\\.[0-9]+)[\"']?"
+        message: "Potentially outdated PyYAML version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 7: Outdated/vulnerable Pillow versions
+      - pattern: "pillow([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.|5\\.|6\\.|7\\.|8\\.[0-3]\\.[0-9]+)[\"']?"
+        message: "Potentially outdated Pillow version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 8: Direct imports of deprecated modules
+      - pattern: "from\\s+xml\\.etree\\.ElementTree\\s+import\\s+.*parse|from\\s+urllib2\\s+import|from\\s+urllib\\s+import\\s+urlopen|import\\s+cgi|import\\s+imp"
+        message: "Use of deprecated or insecure module detected. Consider using more secure alternatives."
+
+      # Pattern 9: Use of deprecated functions
+      - pattern: "\\.set_password\\([^)]*\\)|hashlib\\.md5\\(|hashlib\\.sha1\\(|random\\.random\\(|random\\.randrange\\(|random\\.randint\\("
+        message: "Use of deprecated or insecure function detected. Consider using more secure alternatives."
+
+      # Pattern 10: Insecure dependency loading
+      - pattern: "__import__\\(|importlib\\.import_module\\(|exec\\(|eval\\("
+        message: "Dynamic code execution or module loading detected. This can lead to code injection if user input is involved."
+
+      # Pattern 11: Outdated TLS/SSL versions
+      - pattern: "ssl\\.PROTOCOL_TLSv1|ssl\\.PROTOCOL_TLSv1_1|ssl\\.PROTOCOL_SSLv2|ssl\\.PROTOCOL_SSLv3|ssl\\.PROTOCOL_TLSv1_2"
+        message: "Outdated TLS/SSL protocol version detected. Use ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER instead."
+
+      # Pattern 12: Insecure deserialization libraries
+      - pattern: "import\\s+pickle|import\\s+marshal|import\\s+shelve"
+        message: "Use of potentially insecure deserialization library detected. Ensure these are not used with untrusted data."
+
+      # Pattern 13: Outdated/vulnerable SQLAlchemy versions
+      - pattern: "sqlalchemy([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.[0-3]\\.[0-9]+)[\"']?"
+        message: "Potentially outdated SQLAlchemy version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 14: Outdated/vulnerable Celery versions
+      - pattern: "celery([<>=]=|~=|==)\\s*[\"']?(0\\.|1\\.|2\\.|3\\.|4\\.[0-4]\\.[0-9]+)[\"']?"
+        message: "Potentially outdated Celery version detected. Consider upgrading to the latest stable version with security updates."
+
+      # Pattern 15: Insecure package installation
+      - pattern: "pip\\s+install\\s+.*--no-deps|pip\\s+install\\s+.*--user|pip\\s+install\\s+.*--pre|pip\\s+install\\s+.*--index-url\\s+http://"
+        message: "Insecure pip installation options detected. Avoid using --no-deps, ensure HTTPS for index URLs, and be cautious with --pre and --user flags."
+
+  - type: suggest
+    message: |
+      **Python Dependency and Component Security Best Practices:**
+
+      1. **Dependency Management:**
+         - Always pin dependencies to specific versions
+         - Use a lockfile (requirements.txt, Pipfile.lock, poetry.lock)
+         - Example requirements.txt:
+           ```
+           Django==4.2.7
+           requests==2.31.0
+           cryptography==41.0.5
+           ```
+
+      2. **Vulnerability Scanning:**
+         - Regularly scan dependencies for vulnerabilities
+         - Use tools like safety, pip-audit, or dependabot
+         - Example safety check:
+           ```bash
+           pip install safety
+           safety check -r requirements.txt
+           ```
+
+      3. **Dependency Updates:**
+         - Establish a regular update schedule
+         - Automate updates with tools like Renovate or Dependabot
+         - Test thoroughly after updates
+         - Example GitHub workflow:
+           ```yaml
+           name: Dependency Update
+           on:
+             schedule:
+               - cron: '0 0 * * 1'  # Weekly on Monday
+           jobs:
+             update-deps:
+               runs-on: ubuntu-latest
+               steps:
+                 - uses: actions/checkout@v3
+                 - name: Update dependencies
+                   run: |
+                     pip install pip-upgrader
+                     pip-upgrader -p requirements.txt
+           ```
+
+      4. **Secure Package Installation:**
+         - Use trusted package sources
+         - Verify package integrity with hashes
+         - Example with pip and hashes:
+           ```
+           # requirements.txt
+           Django==4.2.7 --hash=sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaa2c03b76293b8
+           ```
+
+      5. **Minimal Dependencies:**
+         - Limit the number of dependencies
+         - Regularly audit and remove unused dependencies
+         - Consider security history when selecting packages
+         - Example dependency audit:
+           ```bash
+           pip install pipdeptree
+           pipdeptree --warn silence | grep -v "^\s"
+           ```
+
+      6. **Virtual Environments:**
+         - Use isolated environments for each project
+         - Document environment setup
+         - Example:
+           ```bash
+           python -m venv venv
+           source venv/bin/activate  # On Windows: venv\Scripts\activate
+           pip install -r requirements.txt
+           ```
+
+      7. **Container Security:**
+         - Use official base images
+         - Pin image versions
+         - Scan container images
+         - Example Dockerfile:
+           ```dockerfile
+           FROM python:3.11-slim@sha256:1234567890abcdef
+
+           WORKDIR /app
+           COPY requirements.txt .
+           RUN pip install --no-cache-dir -r requirements.txt
+
+           COPY . .
+           RUN pip install --no-cache-dir -e .
+
+           USER nobody
+           CMD ["gunicorn", "myapp.wsgi:application"]
+           ```
+
+      8. **Compile-time Dependencies:**
+         - Separate runtime and development dependencies
+         - Example with pip-tools:
+           ```
+           # requirements.in
+           Django>=4.2,<5.0
+           requests>=2.31.0
+
+           # dev-requirements.in
+           -r requirements.in
+           pytest>=7.0.0
+           black>=23.0.0
+           ```
+
+      9. **Deprecated API Usage:**
+         - Stay informed about deprecation notices
+         - Plan migrations away from deprecated APIs
+         - Example Django deprecation check:
+           ```bash
+           python manage.py check --deploy
+           ```
+
+      10. **Supply Chain Security:**
+          - Use tools like pip-audit to check for supply chain attacks
+          - Consider using a private PyPI mirror
+          - Example:
+            ```bash
+            pip install pip-audit
+            pip-audit
+            ```
+
+  - type: validate
+    conditions:
+      # Check 1: Pinned dependencies
+      - pattern: "^[a-zA-Z0-9_-]+==\\d+\\.\\d+\\.\\d+"
+        file_pattern: "requirements.*\\.txt$"
+        message: "Dependencies are properly pinned to specific versions."
+
+      # Check 2: Use of dependency scanning tools
+      - pattern: "safety|pip-audit|pyup|dependabot|renovate"
+        file_pattern: "\\.github/workflows/.*\\.ya?ml$|\\.gitlab-ci\\.ya?ml$|tox\\.ini$|setup\\.py$|pyproject\\.toml$"
+        message: "Dependency scanning tools are being used."
+
+      # Check 3: Modern TLS usage
+      - pattern: "ssl\\.PROTOCOL_TLS_CLIENT|ssl\\.PROTOCOL_TLS_SERVER|ssl\\.create_default_context\\(\\)"
+        message: "Using secure TLS protocol versions."
+
+      # Check 4: Secure random generation
+      - pattern: "secrets\\.token_|secrets\\.choice|cryptography\\.hazmat"
+        message: "Using secure random generation methods."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - security
+    - python
+    - dependencies
+    - supply-chain
+    - owasp
+    - language:python
+    - framework:django
+    - framework:flask
+    - framework:fastapi
+    - category:security
+    - subcategory:dependencies
+    - standard:owasp-top10
+    - risk:a06-vulnerable-outdated-components
+  references:
+    - "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html"
+    - "https://pypi.org/project/safety/"
+    - "https://pypi.org/project/pip-audit/"
+    - "https://github.com/pyupio/safety-db"
+    - "https://github.com/pypa/advisory-database"
+    - "https://python-security.readthedocs.io/packages.html"
+```
+
diff --git a/.cursor/rules/react-patterns.mdc b/.cursor/rules/react-patterns.mdc
index 1cbd488..56af8a1 100644
--- a/.cursor/rules/react-patterns.mdc
+++ b/.cursor/rules/react-patterns.mdc
@@ -6,26 +6,37 @@ globs: *.jsx, *.tsx
 
 Ensures React components follow recommended patterns and hook usage.
 
-> Priority: high · Version: 1.0
+```yaml
+name: react_patterns
+description: Enforce React component patterns and hooks best practices
+filters:
+  - type: file_extension
+    pattern: "\\.(jsx|tsx)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "useEffect\\([^,]+\\)"
+        message: "Specify dependencies array in useEffect"
+
+      - pattern: "useState\\([^)]*\\).*useState\\([^)]*\\)"
+        message: "Consider combining related state variables"
+
+      - pattern: "React\\.memo\\(.*\\)"
+        message: "Ensure React.memo is used appropriately for performance"
+
+  - type: suggest
+    message: |
+      React Best Practices:
+      - Use functional components with hooks
+      - Implement proper memoization
+      - Follow the Rules of Hooks
+      - Use TypeScript for prop types
+      - Consider custom hooks for reusable logic
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-## Applies To
-- `*.jsx`
-- `*.tsx`
 
-## Trigger Conditions
-- Files matching pattern `\.(jsx|tsx)$`
-
-## Required Checks
-
-- Specify dependencies array in useEffect
-- Consider combining related state variables
-- Ensure React.memo is used appropriately for performance
-
-## Recommendations
-
-React Best Practices:
-- Use functional components with hooks
-- Implement proper memoization
-- Follow the Rules of Hooks
-- Use TypeScript for prop types
-- Consider custom hooks for reusable logic
diff --git a/.cursor/rules/readme-maintenance-standards.mdc b/.cursor/rules/readme-maintenance-standards.mdc
index 1107191..12a22f6 100644
--- a/.cursor/rules/readme-maintenance-standards.mdc
+++ b/.cursor/rules/readme-maintenance-standards.mdc
@@ -7,41 +7,65 @@ alwaysApply: false
 
 Ensures that README files are consistently maintained, up-to-date, and informative.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `README.md`
-- `*.md`
-
-## Trigger Conditions
-- Files matching pattern `\.md$`
-- Filter `file_name` matching `^README\.md$`
-
-## Required Checks
-
-- Update the 'Available Rules/Features/Components' section whenever new elements are added.
-- Ensure all file references in the README are properly linked and point to existing files.
-- Keep setup, usage, and configuration sections current with the latest project changes.
-- Ensure contributing guidelines and license information are accurate and up-to-date.
-- Update version information to reflect the current state of the project.
-- Maintain a changelog for significant updates, fixes, and features.
-
-## Recommendations
-
-**README Maintenance Best Practices:**
-- **Rule Listings:** Automatically update or manually check if new rules or features are reflected in the README.
-- **Installation & Configuration:** Regularly review and update installation and configuration instructions to match the latest project state.
-- **Documentation of Changes:** Document new features, bug fixes, and changes in a changelog or dedicated section.
-- **Section Hierarchy:** Maintain a logical structure with clear headings for easy navigation.
-- **Examples:** Include or update examples for new or changed functionalities.
-- **Version Information:** Keep version numbers and release notes current, linking to the changelog if applicable.
-- **Table of Contents:** Ensure the table of contents reflects the current document structure, using auto-generated if possible.
-- **Badges:** Update badges for CI/CD status, test coverage, or dependencies to reflect current project health.
-- **Accessibility:** Write with accessibility in mind, using alt text for images and semantic markdown.
-
-## Validation
-
-- Ensure proper markdown heading hierarchy for readability.
-- Use consistent table formatting throughout the document.
-- All local links should point to existing files or sections within the project.
-- Check that version placeholders are updated to actual numbers before release.
+```yaml
+name: enhanced_readme_maintenance_standards
+description: Enforce standards for maintaining README documentation
+filters:
+  - type: file_extension
+    pattern: "\\.md$"
+  - type: file_name
+    pattern: "^README\\.md$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "## (Available Rules|Features|Components)"
+        message: "Update the 'Available Rules/Features/Components' section whenever new elements are added."
+
+      - pattern: "\\[`[^`]+`\\]\\([^)]+\\)"
+        message: "Ensure all file references in the README are properly linked and point to existing files."
+
+      - pattern: "## (Installation|Usage|Configuration)"
+        message: "Keep setup, usage, and configuration sections current with the latest project changes."
+
+      - pattern: "## (Contributing|License)"
+        message: "Ensure contributing guidelines and license information are accurate and up-to-date."
+
+      - pattern: "\\[Version\\s*(\\d+\\.)?(\\d+\\.)?\\d+\\]"
+        message: "Update version information to reflect the current state of the project."
+
+      - pattern: "## (Changelog|Changes|Updates)"
+        message: "Maintain a changelog for significant updates, fixes, and features."
+
+  - type: suggest
+    message: |
+      **README Maintenance Best Practices:**
+      - **Rule Listings:** Automatically update or manually check if new rules or features are reflected in the README.
+      - **Installation & Configuration:** Regularly review and update installation and configuration instructions to match the latest project state.
+      - **Documentation of Changes:** Document new features, bug fixes, and changes in a changelog or dedicated section.
+      - **Section Hierarchy:** Maintain a logical structure with clear headings for easy navigation.
+      - **Examples:** Include or update examples for new or changed functionalities.
+      - **Version Information:** Keep version numbers and release notes current, linking to the changelog if applicable.
+      - **Table of Contents:** Ensure the table of contents reflects the current document structure, using auto-generated if possible.
+      - **Badges:** Update badges for CI/CD status, test coverage, or dependencies to reflect current project health.
+      - **Accessibility:** Write with accessibility in mind, using alt text for images and semantic markdown.
+
+  - type: validate
+    conditions:
+      - pattern: "^# [^\\n]+\\n\\n## "
+        message: "Ensure proper markdown heading hierarchy for readability."
+
+      - pattern: "\\|[^|]+\\|[^|]+\\|\\n\\|\\s*-+\\s*\\|"
+        message: "Use consistent table formatting throughout the document."
+
+      - pattern: "\\[(.*?)\\]\\((?!http|\\/)[^\\)]+\\)"
+        message: "All local links should point to existing files or sections within the project."
+
+      - pattern: "\\[Version\\s*(\\d+\\.)?(\\d+\\.)?\\*\\d+\\]"
+        message: "Check that version placeholders are updated to actual numbers before release."
+
+metadata:
+  priority: high
+  version: 1.1
+```
+
diff --git a/.cursor/rules/secret-detection.mdc b/.cursor/rules/secret-detection.mdc
index 9bdfd64..ac3e4ee 100644
--- a/.cursor/rules/secret-detection.mdc
+++ b/.cursor/rules/secret-detection.mdc
@@ -1,46 +1,169 @@
----
-description: Identify and prevent hardcoded secrets, tokens, and credentials across source files and configuration
-globs: "*"
-alwaysApply: true
----
-# Secret Detection and Secure Handling
-
-Use this guidance whenever code, configuration, or infrastructure definitions might expose credentials or other sensitive values.
-
-> Priority: high · Version: 1.0 · Tags: security, secrets, sensitive-data, language:all
-
-## Applies To
-- Application source files, infrastructure code, build scripts, and generated configuration.
-- Environment files (`.env`, `.env.*`, `.ini`, `.cfg`, `.yml/.yaml`, `.json`, `.properties`).
-- Key material (`*.pem`, `*.key`, `*.crt`), API client files, and deployment manifests.
-
-## Trigger Indicators
-- High-entropy strings or provider-specific prefixes (AWS, GCP, Azure, GitHub, Stripe, Slack, Twilio, etc.).
-- Inline passwords, tokens, signing keys, or certificates.
-- Database connection strings containing credentials or host/IP pairs.
-- Environment variables committed to version control or CI artifacts.
-
-## Required Checks
-- Remove or refactor any discovered secrets immediately; revoke and rotate exposed credentials before closing the task.
-- Move secret values into managed storage (environment variables, secret managers, platform identity) and document the new source of truth.
-- Update `.gitignore`, `.cursorignore`, and CI artifact policies to prevent reintroduction of the leaked file type or pattern.
-- Capture incident details (secret owner, scope of exposure, rotation status) in the ticket or change log.
-
-## Recommendations
-- Adopt dedicated secret management services (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, Doppler, sealed secrets).
-- Prefer runtime injection via environment variables, service accounts, workload identity, or CI/CD vault integrations.
-- Add automated scanners (git-secrets, detect-secrets, trufflehog, Gitleaks) to pre-commit hooks and pipeline stages.
-- Limit log verbosity and scrub sensitive values from monitoring, tracing, and analytics exports.
-- Establish rotation cadences (e.g., 90-day maximum) with alerting when credentials near expiry or are reused.
-- Provide team training and playbooks covering discovery, rotation, and cleanup steps.
-
-## Positive Signals
-- Usage of `os.environ`, `process.env`, or secrets manager clients instead of literals.
-- Configuration referencing secret identifiers (`vault://`, `aws-secrets://`, `sops://`, `kubernetes.io/secret`) rather than raw values.
-- Repository policies or tests that enforce secret scanning and remediation.
-- Ignore rules preventing accidental commits of `.env`, `*.pem`, `*secret*`, or similar files.
-
-## Automation Tips
-- Maintain allowlists of known dummy keys to reduce false positives without suppressing alerts broadly.
-- Track recurring false positives centrally and share updates across projects installing this rule set.
-- Version control secret scanning baselines to ensure new matches are reviewed intentionally.
+# Secret Detection and Warning Rule
+
+This rule helps identify potential secrets, credentials, and sensitive data in code files to prevent accidental exposure or leakage. It provides warnings when secrets are detected and suggests best practices for secure secret management.
+
+```yaml
+name: secret_detection_warning
+description: Detect and warn about potential secrets and sensitive data in code files
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|py|ts|jsx|tsx|java|rb|go|cs|c|cpp|h|hpp|ini|conf|yaml|yml|json|xml|properties|env|config|sh|bash|zsh)$"
+  - type: file_path
+    pattern: ".*"
+    exclude: "(node_modules|vendor|bower_components|.git|.yarn|dist|build|out|\\.bundle|cache)"
+
+actions:
+  - type: enforce
+    conditions:
+      # Generic API Keys, Tokens, and Credentials
+      - pattern: "(?i)(api[_-]?key|apikey|api[_-]?secret|apisecret|app[_-]?key|appkey|app[_-]?secret|access[_-]?key|accesskey|access[_-]?token|auth[_-]?key|authkey|client[_-]?secret|consumer[_-]?key|consumer[_-]?secret|oauth[_-]?token|token)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
+        message: "Potential API key or secret detected. Consider using environment variables or a secure secrets manager instead of hardcoding sensitive values."
+
+      # AWS Keys and Tokens
+      - pattern: "(?i)(aws[_-]?access[_-]?key|aws[_-]?secret[_-]?key|aws[_-]?account[_-]?id)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
+        message: "Potential AWS key detected. AWS credentials should be stored securely using AWS SDK credential providers, environment variables, or a secrets manager."
+
+      # Google Cloud and Firebase
+      - pattern: "(?i)(google[_-]?api[_-]?key|google[_-]?cloud[_-]?key|firebase[_-]?api[_-]?key)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
+        message: "Potential Google Cloud or Firebase key detected. Use environment variables or a secure secrets manager to store these credentials."
+
+      # Azure and Microsoft
+      - pattern: "(?i)(azure[_-]?key|azure[_-]?connection[_-]?string|microsoft[_-]?key)[\\s]*[=:]\\s*['\\\"](\\w|[\\-]){16,}['\\\"]"
+        message: "Potential Azure or Microsoft key detected. Use Azure Key Vault, environment variables, or a secure secrets manager instead of hardcoding credentials."
+
+      # Database Connection Strings and Credentials
+      - pattern: "(?i)(jdbc:|mongodb[\\+]?://|postgres://|mysql://|database[_-]?url|connection[_-]?string)[^\\n]{10,}(password|pwd)[^\\n]{3,}"
+        message: "Potential database connection string with credentials detected. Use environment variables or a secure configuration manager for database connections."
+
+      # Database Credentials
+      - pattern: "(?i)(db[_-]?password|mysql[_-]?password|postgres[_-]?password|mongo[_-]?password|database[_-]?password)[\\s]*[=:]\\s*['\\\"][^\\s]{3,}['\\\"]"
+        message: "Potential database password detected. Store database credentials in environment variables or use a secure configuration manager."
+
+      # Private Keys and Certificates
+      - pattern: "(?i)-----(BEGIN|END) (RSA |DSA |EC )?(PRIVATE KEY|CERTIFICATE)-----"
+        message: "Private key or certificate material detected. Never include these directly in code - store them securely and reference them from protected locations."
+
+      # SSH Keys
+      - pattern: "(?i)ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3}"
+        message: "SSH key detected. SSH keys should be managed securely and never included directly in code files."
+
+      # Passwords
+      - pattern: "(?i)(password|passwd|pwd|secret)[\\s]*[=:]\\s*['\\\"][^\\s]{3,}['\\\"]"
+        message: "Potential password detected. Never hardcode passwords in code files. Use environment variables or a secure secrets manager."
+
+      # OAuth Tokens
+      - pattern: "(?i)(bearer|oauth|access[_-]?token)[\\s]*[=:]\\s*['\\\"][\\w\\d\\-_.]{30,}['\\\"]"
+        message: "Potential OAuth token detected. Store tokens securely and consider implementing proper token rotation."
+
+      # JWT Tokens
+      - pattern: "(?i)ey[a-zA-Z0-9]{20,}\\.ey[a-zA-Z0-9\\-_]{20,}\\.[a-zA-Z0-9\\-_]{20,}"
+        message: "JWT token detected. Never hardcode JWT tokens directly in your code."
+
+      # GitHub Tokens
+      - pattern: "(?i)gh[pousr]_[a-zA-Z0-9]{20,}"
+        message: "GitHub token detected. GitHub tokens should be stored securely in environment variables or a secrets manager."
+
+      # Slack Tokens
+      - pattern: "(?i)(xox[pbar]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})"
+        message: "Slack token detected. Store Slack tokens securely using environment variables or a secrets manager."
+
+      # Stripe API Keys
+      - pattern: "(?i)(sk|pk)_(test|live)_[0-9a-zA-Z]{24,}"
+        message: "Stripe API key detected. Store Stripe keys securely in environment variables or a secrets manager."
+
+      # Generic Encryption Keys
+      - pattern: "(?i)(encryption[_-]?key|cipher[_-]?key|aes[_-]?key)[\\s]*[=:]\\s*['\\\"][\\w\\d\\-_.]{16,}['\\\"]"
+        message: "Potential encryption key detected. Encryption keys should be managed securely and never hardcoded."
+
+      # .env or config files with credentials
+      - pattern: "(?i)(DB_PASSWORD|API_KEY|SECRET_KEY|ADMIN_PASSWORD)[\\s]*=[\\s]*['\"]?[\\w\\d\\-_.]{3,}['\"]?"
+        message: "Environment variable with credential detected. Make sure .env files are included in .gitignore and .cursorignore."
+
+      # IP Addresses (if they appear with credentials)
+      - pattern: "(?i)(username|password|login|credential)[^\\n]{3,}(?:\\d{1,3}\\.){3}\\d{1,3}"
+        message: "IP address detected near potential credentials. Consider using DNS names and storing connection details securely."
+
+  - type: suggest
+    message: |
+      **Secure Secret Management Best Practices:**
+
+      1. **Never hardcode secrets in source code**
+         - Secrets in code can be exposed via version control, logs, or screenshots
+         - Code is often shared, backed up, and stored in multiple locations
+
+      2. **Use environment variables for configuration**
+         - Load secrets from environment variables at runtime
+         - Use libraries like dotenv, but ensure .env files are in .gitignore
+         - Example: `API_KEY=os.environ.get("API_KEY")`
+
+      3. **Implement secret rotation**
+         - Regularly rotate credentials and keys
+         - Use short-lived tokens when possible
+         - Implement proper secret lifecycle management
+
+      4. **Use secrets management solutions**
+         - AWS Secrets Manager, Azure Key Vault, HashiCorp Vault
+         - Platform-specific solutions like Kubernetes Secrets
+         - These provide encryption, access control, and audit trails
+
+      5. **Implement access controls**
+         - Limit who can access secrets
+         - Use the principle of least privilege
+         - Implement proper authentication for secret access
+
+      6. **Use .gitignore and .cursorignore**
+         - Add patterns for files that might contain secrets
+         - Example patterns: `.env`, `*.key`, `*secret*`, `*.pem`
+         - Verify these files are not committed to version control
+
+      7. **Consider using secure by default libraries**
+         - Libraries that separate configuration from code
+         - Frameworks with built-in secrets management
+         - Encryption libraries with secure defaults
+
+      8. **Implement detection tools**
+         - Use pre-commit hooks to prevent secret leakage
+         - Implement scanning in CI/CD pipelines
+         - Consider tools like git-secrets, trufflehog, or detect-secrets
+
+      9. **Audit and monitor**
+         - Regularly audit code for leaked secrets
+         - Monitor for unauthorized access to secrets
+         - Implement alerts for potential compromises
+
+      10. **Educate your team**
+          - Train developers on secure secret management
+          - Establish clear procedures for handling secrets
+          - Create a response plan for leaked credentials
+
+  - type: validate
+    conditions:
+      - pattern: "(?i)import\\s+os\\s*;?\\s*.*\\s+os\\.environ(\\.get)?"
+        message: "Environment variable usage detected, which is a good practice for managing secrets."
+
+      - pattern: "(?i)process\\.env\\."
+        message: "Environment variable usage in JavaScript detected, which is a good practice for managing secrets."
+
+      - pattern: "(?i)dotenv"
+        message: "Dotenv library usage detected, which can help with environment variable management."
+
+      - pattern: "(?i)(secret[s]?[_-]?manager|key[_-]?vault|hashicorp|vault)"
+        message: "Secret management solution reference detected, which is a best practice for handling secrets."
+
+metadata:
+  priority: high
+  version: 1.0
+  tags:
+    - category:security
+    - subcategory:secrets
+    - subcategory:sensitive-data
+    - language:all
+    - priority:critical
+  references:
+    - "https://owasp.org/www-community/vulnerabilities/Hardcoded_credentials"
+    - "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
+    - "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning"
+    - "https://cloud.google.com/secret-manager/docs/best-practices"
+    - "https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-deploy-database-credentials/"
+```
+
diff --git a/.cursor/rules/security-practices.mdc b/.cursor/rules/security-practices.mdc
index 2b93df4..9b3003c 100644
--- a/.cursor/rules/security-practices.mdc
+++ b/.cursor/rules/security-practices.mdc
@@ -7,31 +7,39 @@ alwaysApply: false
 
 Ensures application security standards are maintained.
 
-> Priority: critical · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.js`
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|js|vue|jsx|tsx)$`
-
-## Required Checks
-
-- Avoid using eval() - security risk
-- Use Drupal's input sanitization methods
-- Use textContent or sanitize HTML content
-
-## Recommendations
-
-Security Best Practices:
-- Implement CSRF protection
-- Use prepared statements for queries
-- Sanitize user input
-- Implement proper access controls
-- Follow security updates protocol
-- Ensure Drupal file permissions are secure (see drupal-file-permissions.mdc)
-- Use ahoy cli commands instead of direct docker compose exec
+```yaml
+name: security_practices
+description: Enforce security best practices across the application
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|vue|jsx|tsx)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "eval\\("
+        message: "Avoid using eval() - security risk"
+
+      - pattern: "\\$_GET|\\$_POST|\\$_REQUEST"
+        message: "Use Drupal's input sanitization methods"
+
+      - pattern: "innerHTML"
+        message: "Use textContent or sanitize HTML content"
+
+  - type: suggest
+    message: |
+      Security Best Practices:
+      - Implement CSRF protection
+      - Use prepared statements for queries
+      - Sanitize user input
+      - Implement proper access controls
+      - Follow security updates protocol
+      - Ensure Drupal file permissions are secure (see drupal-file-permissions.mdc)
+      - Use ahoy cli commands instead of direct docker compose exec
+
+metadata:
+  priority: critical
+  version: 1.0
+```
+
+
diff --git a/.cursor/rules/tailwind-standards.mdc b/.cursor/rules/tailwind-standards.mdc
index 212030d..82773d2 100644
--- a/.cursor/rules/tailwind-standards.mdc
+++ b/.cursor/rules/tailwind-standards.mdc
@@ -6,27 +6,34 @@ globs: *.vue, *.jsx, *.tsx, *.html
 
 Ensures consistent and optimized usage of Tailwind CSS classes.
 
-> Priority: medium · Version: 1.0
+```yaml
+name: tailwind_standards
+description: Enforce Tailwind CSS best practices and organization
+filters:
+  - type: file_extension
+    pattern: "\\.(vue|jsx|tsx|html)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "class=\"[^\"]*\\s{2,}"
+        message: "Remove multiple spaces between Tailwind classes"
+
+      - pattern: "class=\"[^\"]*(?:text-\\w+\\s+text-\\w+|bg-\\w+\\s+bg-\\w+)"
+        message: "Avoid conflicting utility classes"
+
+  - type: suggest
+    message: |
+      Tailwind Best Practices:
+      - Group related utilities together
+      - Use @apply for commonly repeated patterns
+      - Follow responsive design patterns
+      - Implement proper dark mode support
+      - Consider extracting components for repeated patterns
+
+metadata:
+  priority: medium
+  version: 1.0
+```
 
-## Applies To
-- `*.vue`
-- `*.jsx`
-- `*.tsx`
-- `*.html`
 
-## Trigger Conditions
-- Files matching pattern `\.(vue|jsx|tsx|html)$`
-
-## Required Checks
-
-- Remove multiple spaces between Tailwind classes
-- Avoid conflicting utility classes
-
-## Recommendations
-
-Tailwind Best Practices:
-- Group related utilities together
-- Use @apply for commonly repeated patterns
-- Follow responsive design patterns
-- Implement proper dark mode support
-- Consider extracting components for repeated patterns
diff --git a/.cursor/rules/testing-guidelines.mdc b/.cursor/rules/testing-guidelines.mdc
index 75a9772..31821cc 100644
--- a/.cursor/rules/testing-guidelines.mdc
+++ b/.cursor/rules/testing-guidelines.mdc
@@ -1,6 +1,6 @@
 ---
 description: Testing Guidelines
-globs: 
+globs:
 alwaysApply: false
 ---
 # Revised Cursor Rule File - Testing Guidelines (preserving functionality)
@@ -35,4 +35,4 @@ rules:
     guidelines:
       - "Clearly delineate test types (unit, integration, end-to-end) and ensure each is executed in appropriate environments."
       - "Isolate tests to avoid side effects, and clean up any test data or state after execution."
-      - "Integrate tests into continuous integration workflows to run automatically without requiring changes to production code."
\ No newline at end of file
+      - "Integrate tests into continuous integration workflows to run automatically without requiring changes to production code."
diff --git a/.cursor/rules/tests-documentation-maintenance.mdc b/.cursor/rules/tests-documentation-maintenance.mdc
index 16019cf..170a5a1 100644
--- a/.cursor/rules/tests-documentation-maintenance.mdc
+++ b/.cursor/rules/tests-documentation-maintenance.mdc
@@ -6,28 +6,38 @@ globs: *.php, *.feature, README.md, *.md
 
 Ensures that tests are written and updated for Drupal modules and plugins, and that documentation remains current.
 
-> Priority: high · Version: 1.0
-
-## Applies To
-- `*.php`
-- `*.feature`
-- `README.md`
-- `*.md`
-
-## Trigger Conditions
-- Files matching pattern `\.(php|feature|md|theme|module|install|info|inc)$`
-
-## Required Checks
-
-- Ensure all Drupal modules and plugins have unit tests.
-- Ensure front-end affecting plugins have Behat tests.
-- When modifying existing functionality, check and update related tests.
-- Ensure README.md exists in each module and is kept up to date.
-
-## Recommendations
+```yaml
+name: tests_documentation_maintenance
+description: Require tests for new functionality and enforce documentation updates.
+filters:
+  - type: file_extension
+    pattern: "\\.(php|feature|md|theme|module|install|info|inc)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "class .*Test extends"
+        message: "Ensure all Drupal modules and plugins have unit tests."
+
+      - pattern: "Feature:.*"
+        message: "Ensure front-end affecting plugins have Behat tests."
+
+      - pattern: "function .*\\("
+        message: "When modifying existing functionality, check and update related tests."
+
+      - pattern: "# README"
+        message: "Ensure README.md exists in each module and is kept up to date."
+
+  - type: suggest
+    message: |
+      Keep tests and documentation updated:
+      - Write **unit tests** for Drupal modules and backend logic.
+      - Write **Behat tests** for plugins that affect front-end behavior.
+      - If functionality changes, **update corresponding tests**.
+      - Maintain a **README.md** file in each module and update it with relevant changes.
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-Keep tests and documentation updated:
-- Write **unit tests** for Drupal modules and backend logic.
-- Write **Behat tests** for plugins that affect front-end behavior.
-- If functionality changes, **update corresponding tests**.
-- Maintain a **README.md** file in each module and update it with relevant changes.
diff --git a/.cursor/rules/third-party-integration.mdc b/.cursor/rules/third-party-integration.mdc
index ad91db0..7422ab4 100644
--- a/.cursor/rules/third-party-integration.mdc
+++ b/.cursor/rules/third-party-integration.mdc
@@ -6,26 +6,34 @@ globs: *.php, *.js, *.ts
 
 Ensures consistent and secure third-party service integration.
 
-> Priority: high · Version: 1.0
+```yaml
+name: third_party_integration
+description: Enforce standards for external service integration
+filters:
+  - type: file_extension
+    pattern: "\\.(php|js|ts)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "new\\s+[A-Z][a-zA-Z]*Client\\("
+        message: "Implement proper error handling for external services"
+
+      - pattern: "process\\.env\\.|getenv\\("
+        message: "Use configuration management for API credentials"
+
+  - type: suggest
+    message: |
+      Integration Best Practices:
+      - Implement proper error handling
+      - Use environment variables
+      - Create service abstractions
+      - Implement retry mechanisms
+      - Monitor integration health
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-## Applies To
-- `*.php`
-- `*.js`
-- `*.ts`
 
-## Trigger Conditions
-- Files matching pattern `\.(php|js|ts)$`
-
-## Required Checks
-
-- Implement proper error handling for external services
-- Use configuration management for API credentials
-
-## Recommendations
-
-Integration Best Practices:
-- Implement proper error handling
-- Use environment variables
-- Create service abstractions
-- Implement retry mechanisms
-- Monitor integration health
diff --git a/.cursor/rules/vortex-cicd-standards.mdc b/.cursor/rules/vortex-cicd-standards.mdc
index 541309d..b620da8 100644
--- a/.cursor/rules/vortex-cicd-standards.mdc
+++ b/.cursor/rules/vortex-cicd-standards.mdc
@@ -6,35 +6,50 @@ globs: .circleci/config.yml, renovate.json, .github/workflows/*.yml
 
 Ensures proper CI/CD and dependency management configuration.
 
-> Priority: critical · Version: 1.0
+```yaml
+name: vortex_cicd_standards
+description: Enforce standards for Vortex CI/CD and Renovate configuration
+filters:
+  - type: file_name
+    pattern: "^config\\.yml$|^renovate\\.json$|\\.github/workflows/.*\\.yml$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "workflows:\\s+version:\\s*2\\.1"
+        message: "Use Vortex's CircleCI configuration template"
+
+      - pattern: "\"extends\":\\s*\\[\\s*\"config:base\"\\s*\\]"
+        message: "Extend Vortex's Renovate configuration for Drupal projects"
+
+      - pattern: "steps:\\s+- run:\\s+name:\\s+Install dependencies"
+        message: "Use scripts/vortex/provision.sh for consistent provisioning"
+
+  - type: suggest
+    message: |
+      CI/CD Best Practices:
+      - Use dual schedules for Drupal updates
+      - Configure automated PR assignments
+      - Enable deployment notifications
+      - Use provided test scaffolds
+      - Implement proper caching strategy
+      - Configure branch protection rules
+      - Use standardized job naming
+
+  - type: validate
+    conditions:
+      - pattern: "\"packageRules\":\\s*\\[\\s*\\{\\s*\"matchPackagePatterns\":\\s*\\[\"^drupal/core"
+        message: "Configure separate update schedules for Drupal core and contrib"
+
+      - pattern: "jobs:\\s+build_test:"
+        message: "Include all required test jobs from Vortex template"
+
+      - pattern: "- store_test_results:"
+        message: "Enable test results storage for better CI visibility"
+
+metadata:
+  priority: critical
+  version: 1.0
+```
 
-## Applies To
-- `.circleci/config.yml`
-- `renovate.json`
-- `.github/workflows/*.yml`
 
-## Trigger Conditions
-- Filter `file_name` matching `^config\.yml$|^renovate\.json$|\.github/workflows/.*\.yml$`
-
-## Required Checks
-
-- Use Vortex's CircleCI configuration template
-- Extend Vortex's Renovate configuration for Drupal projects
-- Use scripts/vortex/provision.sh for consistent provisioning
-
-## Recommendations
-
-CI/CD Best Practices:
-- Use dual schedules for Drupal updates
-- Configure automated PR assignments
-- Enable deployment notifications
-- Use provided test scaffolds
-- Implement proper caching strategy
-- Configure branch protection rules
-- Use standardized job naming
-
-## Validation
-
-- Configure separate update schedules for Drupal core and contrib
-- Include all required test jobs from Vortex template
-- Enable test results storage for better CI visibility
diff --git a/.cursor/rules/vortex-scaffold-standards.mdc b/.cursor/rules/vortex-scaffold-standards.mdc
index a08f3fd..7494623 100644
--- a/.cursor/rules/vortex-scaffold-standards.mdc
+++ b/.cursor/rules/vortex-scaffold-standards.mdc
@@ -6,39 +6,54 @@ globs: *.yml, *.sh, composer.json, README.md
 
 Ensures proper usage of Vortex/DrevOps scaffold features and workflows.
 
-> Priority: high · Version: 1.1
-
-## Applies To
-- `*.yml`
-- `*.sh`
-- `composer.json`
-- `README.md`
-
-## Trigger Conditions
-- Files matching pattern `\.(yml|yaml|sh|json|md)$`
-- Paths matching `scripts/(vortex|drevops)/`
-
-## Required Checks
-
-- Use scripts/vortex/download-db.sh router script instead of custom implementation
-- Use DRUPAL_SITE_URL environment variable instead of hardcoded URI
-- Use Vortex's composer.json template and Renovate for dependency management
-- Use Ahoy commands for container interactions
-
-## Recommendations
-
-Vortex/DrevOps Best Practices:
-- Use centralized workflow scripts from scripts/vortex/
-- Leverage environment variables for configuration
-- Use Renovate for automated dependency updates
-- Follow the router script pattern for customizations
-- Implement proper CI/CD integration
-- Use provided tool configurations (PHPCS, PHPStan, etc.)
-- Maintain documentation structure
-- Ensure CI/CD pipelines include testing and deployment steps
-- Document CI/CD processes in the README for clarity
-
-## Validation
-
-- Use scripts/vortex/bootstrap.sh for environment setup
-- Use provided Ahoy commands for tool execution
+```yaml
+name: vortex_scaffold_standards
+description: Enforce standards for Vortex/DrevOps scaffold usage
+filters:
+  - type: file_extension
+    pattern: "\\.(yml|yaml|sh|json|md)$"
+  - type: file_path
+    pattern: "scripts/(vortex|drevops)/"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "custom-download-db\\.sh"
+        message: "Use scripts/vortex/download-db.sh router script instead of custom implementation"
+
+      - pattern: "drush\\s+[a-z-]+\\s+--uri="
+        message: "Use DRUPAL_SITE_URL environment variable instead of hardcoded URI"
+
+      - pattern: "composer\\s+require\\s+[^-]"
+        message: "Use Vortex's composer.json template and Renovate for dependency management"
+
+      - pattern: "docker\\s+exec\\s+-it\\s+\\$\\(docker-compose"
+        message: "Use Ahoy commands for container interactions"
+
+  - type: suggest
+    message: |
+      Vortex/DrevOps Best Practices:
+      - Use centralized workflow scripts from scripts/vortex/
+      - Leverage environment variables for configuration
+      - Use Renovate for automated dependency updates
+      - Follow the router script pattern for customizations
+      - Implement proper CI/CD integration
+      - Use provided tool configurations (PHPCS, PHPStan, etc.)
+      - Maintain documentation structure
+      - Ensure CI/CD pipelines include testing and deployment steps
+      - Document CI/CD processes in the README for clarity
+
+  - type: validate
+    conditions:
+      - pattern: "^\\s*source\\s+\\.env"
+        message: "Use scripts/vortex/bootstrap.sh for environment setup"
+
+      - pattern: "docker-compose\\s+exec\\s+cli\\s+vendor/bin/"
+        message: "Use provided Ahoy commands for tool execution"
+
+metadata:
+  priority: high
+  version: 1.1
+```
+
+
diff --git a/.cursor/rules/vue-best-practices.mdc b/.cursor/rules/vue-best-practices.mdc
index 4d8d145..05e4651 100644
--- a/.cursor/rules/vue-best-practices.mdc
+++ b/.cursor/rules/vue-best-practices.mdc
@@ -6,27 +6,37 @@ globs: *.vue, *.js, *.ts
 
 Ensures Vue 3 and NuxtJS code follows recommended patterns and optimizations.
 
-> Priority: high · Version: 1.0
+```yaml
+name: vue_nuxt_best_practices
+description: Enforce Vue 3 and NuxtJS coding standards and optimizations
+filters:
+  - type: file_extension
+    pattern: "\\.(vue|js|ts)$"
+
+actions:
+  - type: enforce
+    conditions:
+      - pattern: "(?<!defineProps|interface|type)\\{\\s*[a-zA-Z]+\\s*:\\s*[a-zA-Z]+\\s*\\}"
+        message: "Use TypeScript interfaces for prop definitions"
+
+      - pattern: "watch\\(.*,.*\\{\\s*immediate:\\s*true\\s*\\}"
+        message: "Consider using computed property instead of immediate watch"
+
+      - pattern: "v-if.*v-for"
+        message: "Avoid using v-if with v-for on the same element"
+
+  - type: suggest
+    message: |
+      Vue 3 Best Practices:
+      - Use Composition API for complex components
+      - Implement proper prop validation
+      - Use TypeScript for better type safety
+      - Leverage Vue 3's reactivity system effectively
+      - Consider using <script setup> syntax
+
+metadata:
+  priority: high
+  version: 1.0
+```
 
-## Applies To
-- `*.vue`
-- `*.js`
-- `*.ts`
 
-## Trigger Conditions
-- Files matching pattern `\.(vue|js|ts)$`
-
-## Required Checks
-
-- Use TypeScript interfaces for prop definitions
-- Consider using computed property instead of immediate watch
-- Avoid using v-if with v-for on the same element
-
-## Recommendations
-
-Vue 3 Best Practices:
-- Use Composition API for complex components
-- Implement proper prop validation
-- Use TypeScript for better type safety
-- Leverage Vue 3's reactivity system effectively
-- Consider using <script setup> syntax