npm - @neurcode-ai/cli - Versions diffs - 0.9.63 → 0.9.65 - Mend

@neurcode-ai/cli 0.9.63 → 0.9.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (308) hide show

package/dist/structural-rules/python/PY004-swallowed-async-exception.js ADDED Viewed

@@ -0,0 +1,167 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY004SwallowedAsyncException = void 0;
+// Detect asyncio.gather( calls
+const GATHER_RE = /asyncio\.gather\s*\(/g;
+// return_exceptions=True present
+const RETURN_EXCEPTIONS_RE = /return_exceptions\s*=\s*True/;
+// Detect: await task inside try blocks where except only logs (no re-raise)
+const AWAIT_IN_TRY_RE = /\bawait\s+\w+/;
+const EXCEPT_RE = /^\s*except\b/;
+const RERAISE_RE = /\braise\b/;
+const LOGGING_RE = /\b(?:log|logger|logging|error|warn|report|track|capture|print)\s*[\.(]/i;
+class PY004SwallowedAsyncException {
+    id = 'PY004';
+    name = 'Swallowed asyncio exception';
+    policyRef = 'P018';
+    severity = 'ADVISORY';
+    languages = ['python'];
+    description = 'asyncio.gather() without return_exceptions=True raises on first failure, silently cancelling other tasks. ' +
+        'Also detects try/await blocks where the except only logs without re-raising.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const lines = sourceText.split('\n');
+            // --- Pattern 1: asyncio.gather( without return_exceptions=True ---
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (!line.includes('asyncio.gather('))
+                    continue;
+                // Collect the full gather call (may span multiple lines)
+                let gatherCall = line;
+                let j = i + 1;
+                // Scan up to 10 lines ahead to find closing )
+                while (j < Math.min(i + 10, lines.length) && !gatherCall.includes(')')) {
+                    gatherCall += '\n' + lines[j];
+                    j++;
+                }
+                if (RETURN_EXCEPTIONS_RE.test(gatherCall))
+                    continue;
+                // Check if it's wrapped in a try block (look backwards up to 5 lines)
+                let insideTry = false;
+                for (let k = Math.max(0, i - 5); k < i; k++) {
+                    if (/^\s*try\s*:/.test(lines[k])) {
+                        insideTry = true;
+                        break;
+                    }
+                }
+                if (insideTry)
+                    continue;
+                const evidence = line.slice(0, 120);
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: i + 1,
+                    column: line.indexOf('asyncio.gather') + 1,
+                    evidence,
+                    operationalRisk: 'asyncio.gather() without return_exceptions=True raises on the first task failure, ' +
+                        'but remaining tasks continue running as orphans. Their results and exceptions are lost, ' +
+                        'and resources they hold remain locked.',
+                    remediation: 'Use `results = await asyncio.gather(*tasks, return_exceptions=True)` then inspect ' +
+                        'results: `errors = [r for r in results if isinstance(r, BaseException)]`.',
+                    determinism: 'deterministic-structural',
+                    confidence: 0.75,
+                    language: 'python',
+                });
+            }
+            // --- Pattern 2: await inside try/except where except only logs, no re-raise ---
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                const trimmed = line.trimStart();
+                if (!/^\s*try\s*:/.test(line)) {
+                    i++;
+                    continue;
+                }
+                const tryIndent = line.length - trimmed.length;
+                // Collect try body
+                const tryBody = [];
+                let j = i + 1;
+                while (j < lines.length) {
+                    const bl = lines[j];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        j++;
+                        continue;
+                    }
+                    const bi = bl.length - bt.length;
+                    if (bi <= tryIndent && bt.length > 0)
+                        break;
+                    tryBody.push(bl);
+                    j++;
+                }
+                // Does the try body contain an await?
+                if (!AWAIT_IN_TRY_RE.test(tryBody.join('\n'))) {
+                    i = j;
+                    continue;
+                }
+                // Now look for except block
+                while (j < lines.length) {
+                    const el = lines[j];
+                    const et = el.trimStart();
+                    if (et.length === 0) {
+                        j++;
+                        continue;
+                    }
+                    const ei = el.length - et.length;
+                    if (ei < tryIndent)
+                        break;
+                    if (!EXCEPT_RE.test(el)) {
+                        j++;
+                        continue;
+                    }
+                    // Found an except — collect its body
+                    const exceptBody = [];
+                    let k = j + 1;
+                    while (k < lines.length) {
+                        const kb = lines[k];
+                        const kt = kb.trimStart();
+                        if (kt.length === 0) {
+                            k++;
+                            continue;
+                        }
+                        const ki = kb.length - kt.length;
+                        if (ki <= ei && kt.length > 0)
+                            break;
+                        exceptBody.push(kb);
+                        k++;
+                    }
+                    const exceptText = exceptBody.join('\n');
+                    if (!RERAISE_RE.test(exceptText) && LOGGING_RE.test(exceptText)) {
+                        // Only logs, no re-raise — flag it
+                        const evidence = el.slice(0, 120);
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line: j + 1,
+                            column: ei + 1,
+                            evidence,
+                            operationalRisk: 'Exception from an awaited task is caught, logged, but not re-raised. ' +
+                                'The caller receives a successful return instead of an error, ' +
+                                'causing silent data inconsistency.',
+                            remediation: 'Re-raise after logging: `except Exception as e: logger.error(e); raise` ' +
+                                'or let the exception propagate to a top-level handler.',
+                            determinism: 'heuristic-advisory',
+                            confidence: 0.75,
+                            language: 'python',
+                        });
+                    }
+                    j = k;
+                }
+                i = j;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY004SwallowedAsyncException = PY004SwallowedAsyncException;
+//# sourceMappingURL=PY004-swallowed-async-exception.js.map

package/dist/structural-rules/python/PY004-swallowed-async-exception.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY004-swallowed-async-exception.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY004-swallowed-async-exception.ts"],"names":[],"mappings":";;;AAEA,+BAA+B;AAC/B,MAAM,SAAS,GAAG,uBAAuB,CAAC;AAE1C,iCAAiC;AACjC,MAAM,oBAAoB,GAAG,8BAA8B,CAAC;AAE5D,4EAA4E;AAC5E,MAAM,eAAe,GAAG,eAAe,CAAC;AACxC,MAAM,SAAS,GAAG,cAAc,CAAC;AACjC,MAAM,UAAU,GAAG,WAAW,CAAC;AAC/B,MAAM,UAAU,GAAG,yEAAyE,CAAC;AAE7F,MAAa,4BAA4B;IACvC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,6BAA6B,CAAC;IACrC,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,4GAA4G;QAC5G,8EAA8E,CAAC;IAEjF,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAErC,oEAAoE;YACpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBAAE,SAAS;gBAEhD,yDAAyD;gBACzD,IAAI,UAAU,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,8CAA8C;gBAC9C,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvE,UAAU,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC9B,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAEpD,sEAAsE;gBACtE,IAAI,SAAS,GAAG,KAAK,CAAC;gBACtB,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5C,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBACjC,SAAS,GAAG,IAAI,CAAC;wBACjB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,IAAI,SAAS;oBAAE,SAAS;gBAExB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBACpC,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC;oBAC1C,QAAQ;oBACR,eAAe,EACb,oFAAoF;wBACpF,0FAA0F;wBAC1F,wCAAwC;oBAC1C,WAAW,EACT,oFAAoF;wBACpF,2EAA2E;oBAC7E,WAAW,EAAE,0BAA0B;oBACvC,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,iFAAiF;YACjF,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;gBAE/C,mBAAmB;gBACnB,MAAM,OAAO,GAAa,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,IAAI,SAAS,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;wBAAE,MAAM;oBAC5C,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACjB,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,sCAAsC;gBACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC9C,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,4BAA4B;gBAC5B,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,GAAG,SAAS;wBAAE,MAAM;oBAC1B,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAE3C,qCAAqC;oBACrC,MAAM,UAAU,GAAa,EAAE,CAAC;oBAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACd,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;wBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;wBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BAAC,CAAC,EAAE,CAAC;4BAAC,SAAS;wBAAC,CAAC;wBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;wBACjC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;4BAAE,MAAM;wBACrC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACpB,CAAC,EAAE,CAAC;oBACN,CAAC;oBAED,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;wBAChE,mCAAmC;wBACnC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;wBAClC,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,MAAM,EAAE,EAAE,GAAG,CAAC;4BACd,QAAQ;4BACR,eAAe,EACb,uEAAuE;gCACvE,+DAA+D;gCAC/D,oCAAoC;4BACtC,WAAW,EACT,0EAA0E;gCAC1E,wDAAwD;4BAC1D,WAAW,EAAE,oBAAoB;4BACjC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAC;oBACL,CAAC;oBAED,CAAC,GAAG,CAAC,CAAC;gBACR,CAAC;gBAED,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA5JD,oEA4JC"}

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY005FastAPIWithoutPydantic implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY005-fastapi-without-pydantic.d.ts.map

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY005-fastapi-without-pydantic.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY005-fastapi-without-pydantic.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA0D7E,qBAAa,2BAA4B,YAAW,cAAc;IAChE,EAAE,SAAW;IACb,IAAI,SAAuE;IAC3E,SAAS,SAAU;IACnB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACmH;IAE9H,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiGnE"}

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.js ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY005FastAPIWithoutPydantic = void 0;
+// FastAPI route decorator patterns
+const ROUTE_DECORATOR_RE = /^\s*@(?:app|router|api_router)\.(get|post|put|patch|delete|head|options|trace)\s*\(/;
+// Detect request.body() or request.json() or await request.body() / await request.json()
+const RAW_REQUEST_RE = /\b(?:request|req)\s*\.\s*(?:body|json)\s*\(\)/;
+// Detect Pydantic model usage in function signature: param: ModelName
+// where ModelName starts with uppercase and isn't Request/Response/BackgroundTasks
+const PYDANTIC_PARAM_RE = /\w+\s*:\s*([A-Z][A-Za-z0-9]+)(?!\s*=\s*(?:None|True|False|\d))/;
+// Common non-Pydantic FastAPI types to exclude
+const NON_PYDANTIC_TYPES = new Set([
+    'Request',
+    'Response',
+    'BackgroundTasks',
+    'HTTPException',
+    'Depends',
+    'Optional',
+    'List',
+    'Dict',
+    'Any',
+    'str',
+    'int',
+    'float',
+    'bool',
+    'bytes',
+]);
+function extractFunctionSignature(lines, startIdx) {
+    // Collect function definition until the colon is found
+    let sig = '';
+    let depth = 0;
+    for (let i = startIdx; i < Math.min(startIdx + 10, lines.length); i++) {
+        sig += lines[i] + '\n';
+        for (const ch of lines[i]) {
+            if (ch === '(')
+                depth++;
+            else if (ch === ')')
+                depth--;
+        }
+        if (depth <= 0 && sig.includes('('))
+            break;
+    }
+    return sig;
+}
+function hasPydanticModelParam(sig) {
+    // Find all type annotations in the signature
+    const paramRegex = /\w+\s*:\s*([A-Z][A-Za-z0-9_]*)/g;
+    let match;
+    while ((match = paramRegex.exec(sig)) !== null) {
+        const typeName = match[1];
+        if (!NON_PYDANTIC_TYPES.has(typeName)) {
+            return true;
+        }
+    }
+    return false;
+}
+class PY005FastAPIWithoutPydantic {
+    id = 'PY005';
+    name = 'FastAPI route handler accessing raw request body without Pydantic';
+    policyRef = 'P019';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'FastAPI route handlers that access request.body() or request.json() without a Pydantic model parameter bypass validation.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const lines = sourceText.split('\n');
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                // Look for route decorator
+                if (!ROUTE_DECORATOR_RE.test(line)) {
+                    i++;
+                    continue;
+                }
+                const decoratorLine = i;
+                // Find the function definition (next def after decorator, skip other decorators)
+                let funcDefLine = -1;
+                let j = i + 1;
+                while (j < Math.min(i + 10, lines.length)) {
+                    const l = lines[j].trimStart();
+                    if (/^(?:async\s+)?def\s+\w+\s*\(/.test(l)) {
+                        funcDefLine = j;
+                        break;
+                    }
+                    if (l.length > 0 && !l.startsWith('@') && !l.startsWith('#'))
+                        break;
+                    j++;
+                }
+                if (funcDefLine === -1) {
+                    i = j + 1;
+                    continue;
+                }
+                // Extract function signature
+                const sig = extractFunctionSignature(lines, funcDefLine);
+                // If signature has a Pydantic model param, no violation
+                if (hasPydanticModelParam(sig)) {
+                    i = funcDefLine + 1;
+                    continue;
+                }
+                // Find function body (collect until next function/class at same or lower indent)
+                const funcIndent = lines[funcDefLine].length - lines[funcDefLine].trimStart().length;
+                const bodyLines = [];
+                let k = funcDefLine + 1;
+                while (k < lines.length) {
+                    const bl = lines[k];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        k++;
+                        continue;
+                    }
+                    const bi = bl.length - bt.length;
+                    if (bi <= funcIndent && bt.length > 0)
+                        break;
+                    bodyLines.push(bl);
+                    k++;
+                }
+                const bodyText = bodyLines.join('\n');
+                // Check if body accesses request.body() or request.json()
+                if (!RAW_REQUEST_RE.test(bodyText)) {
+                    i = k;
+                    continue;
+                }
+                const evidence = lines[funcDefLine].slice(0, 120);
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: funcDefLine + 1,
+                    column: (lines[funcDefLine].match(/^\s*/)?.[0].length ?? 0) + 1,
+                    evidence,
+                    operationalRisk: 'Raw request body is accessed without Pydantic validation. ' +
+                        'Malformed, oversized, or malicious payloads reach business logic directly, ' +
+                        'causing runtime errors, type confusion, or injection vulnerabilities.',
+                    remediation: 'Add a Pydantic model parameter to the route handler: ' +
+                        '`async def handler(data: MyRequestModel)` and let FastAPI validate and parse the body automatically. ' +
+                        'Remove the manual `request.body()` / `request.json()` call.',
+                    determinism: 'deterministic-structural',
+                    confidence: 0.80,
+                    language: 'python',
+                });
+                i = k;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY005FastAPIWithoutPydantic = PY005FastAPIWithoutPydantic;
+//# sourceMappingURL=PY005-fastapi-without-pydantic.js.map

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY005-fastapi-without-pydantic.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY005-fastapi-without-pydantic.ts"],"names":[],"mappings":";;;AAEA,mCAAmC;AACnC,MAAM,kBAAkB,GAAG,qFAAqF,CAAC;AAEjH,yFAAyF;AACzF,MAAM,cAAc,GAAG,+CAA+C,CAAC;AAEvE,sEAAsE;AACtE,mFAAmF;AACnF,MAAM,iBAAiB,GAAG,gEAAgE,CAAC;AAE3F,+CAA+C;AAC/C,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,SAAS;IACT,UAAU;IACV,iBAAiB;IACjB,eAAe;IACf,SAAS;IACT,UAAU;IACV,MAAM;IACN,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,SAAS,wBAAwB,CAAC,KAAe,EAAE,QAAgB;IACjE,uDAAuD;IACvD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACtE,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QACvB,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBACnB,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;QACD,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,6CAA6C;IAC7C,MAAM,UAAU,GAAG,iCAAiC,CAAC;IACrD,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAa,2BAA2B;IACtC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,mEAAmE,CAAC;IAC3E,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,2HAA2H,CAAC;IAE9H,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAErC,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,2BAA2B;gBAC3B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnC,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,aAAa,GAAG,CAAC,CAAC;gBAExB,iFAAiF;gBACjF,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;gBACrB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBAC/B,IAAI,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC3C,WAAW,GAAG,CAAC,CAAC;wBAChB,MAAM;oBACR,CAAC;oBACD,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;wBAAE,MAAM;oBACpE,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;oBACvB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACV,SAAS;gBACX,CAAC;gBAED,6BAA6B;gBAC7B,MAAM,GAAG,GAAG,wBAAwB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;gBAEzD,wDAAwD;gBACxD,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;oBACpB,SAAS;gBACX,CAAC;gBAED,iFAAiF;gBACjF,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;gBACrF,MAAM,SAAS,GAAa,EAAE,CAAC;gBAC/B,IAAI,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;gBACxB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,IAAI,UAAU,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;wBAAE,MAAM;oBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACnB,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEtC,0DAA0D;gBAC1D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnC,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,WAAW,GAAG,CAAC;oBACrB,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;oBAC/D,QAAQ;oBACR,eAAe,EACb,4DAA4D;wBAC5D,6EAA6E;wBAC7E,uEAAuE;oBACzE,WAAW,EACT,uDAAuD;wBACvD,uGAAuG;wBACvG,6DAA6D;oBAC/D,WAAW,EAAE,0BAA0B;oBACvC,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;gBAEH,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1GD,kEA0GC"}

package/dist/structural-rules/python/PY006-blocking-io-in-async.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY006BlockingIOInAsync implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY006-blocking-io-in-async.d.ts.map

package/dist/structural-rules/python/PY006-blocking-io-in-async.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY006-blocking-io-in-async.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY006-blocking-io-in-async.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAwB7E,qBAAa,sBAAuB,YAAW,cAAc;IAC3D,EAAE,SAAW;IACb,IAAI,SAAwC;IAC5C,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACoG;IAE/G,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CA8GnE"}

package/dist/structural-rules/python/PY006-blocking-io-in-async.js ADDED Viewed

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY006BlockingIOInAsync = void 0;
+// Matches `async def funcname(`
+const ASYNC_DEF_RE = /^(\s*)async\s+def\s+\w+\s*\(/;
+// Matches nested sync `def` (not async def)
+const SYNC_DEF_RE = /^\s+def\s+\w+\s*\(/;
+// Blocking patterns to detect inside async function bodies
+const BLOCKING_PATTERNS = [
+    { re: /\btime\.sleep\s*\(/, label: 'time.sleep()' },
+    { re: /\brequests\.get\s*\(/, label: 'requests.get()' },
+    { re: /\brequests\.post\s*\(/, label: 'requests.post()' },
+    { re: /\brequests\.request\s*\(/, label: 'requests.request()' },
+    { re: /\bsubprocess\.run\s*\(/, label: 'subprocess.run()' },
+    { re: /\bsubprocess\.call\s*\(/, label: 'subprocess.call()' },
+    // open( not preceded by aiofiles.open or async with
+    { re: /(?<!aiofiles\.)(?<!\bwith\s)\bopen\s*\(/, label: 'open()' },
+];
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+class PY006BlockingIOInAsync {
+    id = 'PY006';
+    name = 'Blocking I/O call inside async def';
+    policyRef = 'PY006';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'Blocking I/O (time.sleep, requests, open, subprocess) inside an async def function freezes the event loop.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            // Does the file import aiofiles?
+            const importsAiofiles = /\baiofiles\b/.test(sourceText);
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                const asyncMatch = ASYNC_DEF_RE.exec(line);
+                if (!asyncMatch) {
+                    i++;
+                    continue;
+                }
+                const funcIndent = asyncMatch[1].length;
+                const bodyStart = i + 1;
+                i++;
+                // Collect the function body: lines with indent > funcIndent
+                while (i < lines.length) {
+                    const bl = lines[i];
+                    const trimmed = bl.trimStart();
+                    // Blank lines are part of the body
+                    if (trimmed.length === 0) {
+                        i++;
+                        continue;
+                    }
+                    const lineIndent = getIndent(bl);
+                    // If we're back at or before the function's indent, we've left the body
+                    if (lineIndent <= funcIndent)
+                        break;
+                    // Skip comment lines
+                    if (trimmed.startsWith('#')) {
+                        i++;
+                        continue;
+                    }
+                    // Skip lines with noqa
+                    if (/\bnoqa\b/.test(bl)) {
+                        i++;
+                        continue;
+                    }
+                    // Skip lines that are inside a nested sync def
+                    // (we only care about the top-level async body, not nested sync helpers)
+                    if (SYNC_DEF_RE.test(bl)) {
+                        // Skip the entire nested sync function body
+                        const nestedIndent = lineIndent;
+                        i++;
+                        while (i < lines.length) {
+                            const nb = lines[i];
+                            const nt = nb.trimStart();
+                            if (nt.length === 0) {
+                                i++;
+                                continue;
+                            }
+                            if (getIndent(nb) <= nestedIndent)
+                                break;
+                            i++;
+                        }
+                        continue;
+                    }
+                    // Check blocking patterns
+                    for (const { re, label } of BLOCKING_PATTERNS) {
+                        // If it's an open() hit and aiofiles is imported, skip
+                        if (label === 'open()' && importsAiofiles)
+                            continue;
+                        if (re.test(bl)) {
+                            violations.push({
+                                ruleId: this.id,
+                                ruleName: this.name,
+                                policyRef: this.policyRef,
+                                severity: this.severity,
+                                filePath,
+                                line: i + 1,
+                                column: 1,
+                                evidence: bl.slice(0, 120),
+                                operationalRisk: `\`${label}\` inside an async function blocks the entire event loop thread. ` +
+                                    'All other coroutines are frozen for the duration of the call. ' +
+                                    'Under load, a single blocking call can cause 100ms+ latency spikes across all concurrent requests.',
+                                remediation: 'Replace time.sleep(n) with `await asyncio.sleep(n)`, ' +
+                                    'requests.get() with `await aiohttp.ClientSession().get()`, ' +
+                                    'open() with `async with aiofiles.open()`, ' +
+                                    'subprocess.run() with `await asyncio.create_subprocess_exec()`.',
+                                determinism: 'heuristic-advisory',
+                                confidence: 0.82,
+                                language: 'python',
+                            });
+                            break; // one violation per line
+                        }
+                    }
+                    i++;
+                }
+                void bodyStart; // suppress unused warning
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY006BlockingIOInAsync = PY006BlockingIOInAsync;
+//# sourceMappingURL=PY006-blocking-io-in-async.js.map

package/dist/structural-rules/python/PY006-blocking-io-in-async.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY006-blocking-io-in-async.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY006-blocking-io-in-async.ts"],"names":[],"mappings":";;;AAEA,gCAAgC;AAChC,MAAM,YAAY,GAAG,8BAA8B,CAAC;AAEpD,4CAA4C;AAC5C,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC,2DAA2D;AAC3D,MAAM,iBAAiB,GAAyC;IAC9D,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,cAAc,EAAE;IACnD,EAAE,EAAE,EAAE,sBAAsB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACvD,EAAE,EAAE,EAAE,uBAAuB,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzD,EAAE,EAAE,EAAE,0BAA0B,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC/D,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IAC3D,EAAE,EAAE,EAAE,yBAAyB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC7D,oDAAoD;IACpD,EAAE,EAAE,EAAE,yCAAyC,EAAE,KAAK,EAAE,QAAQ,EAAE;CACnE,CAAC;AAEF,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,MAAa,sBAAsB;IACjC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,oCAAoC,CAAC;IAC5C,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,4GAA4G,CAAC;IAE/G,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,iCAAiC;YACjC,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAExD,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE3C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACxC,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,CAAC;gBACxB,CAAC,EAAE,CAAC;gBAEJ,4DAA4D;gBAC5D,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,OAAO,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAE/B,mCAAmC;oBACnC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACzB,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,MAAM,UAAU,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBAEjC,wEAAwE;oBACxE,IAAI,UAAU,IAAI,UAAU;wBAAE,MAAM;oBAEpC,qBAAqB;oBACrB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,uBAAuB;oBACvB,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACxB,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,+CAA+C;oBAC/C,yEAAyE;oBACzE,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACzB,4CAA4C;wBAC5C,MAAM,YAAY,GAAG,UAAU,CAAC;wBAChC,CAAC,EAAE,CAAC;wBACJ,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;4BACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;4BAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gCAAC,CAAC,EAAE,CAAC;gCAAC,SAAS;4BAAC,CAAC;4BACvC,IAAI,SAAS,CAAC,EAAE,CAAC,IAAI,YAAY;gCAAE,MAAM;4BACzC,CAAC,EAAE,CAAC;wBACN,CAAC;wBACD,SAAS;oBACX,CAAC;oBAED,0BAA0B;oBAC1B,KAAK,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,iBAAiB,EAAE,CAAC;wBAC9C,uDAAuD;wBACvD,IAAI,KAAK,KAAK,QAAQ,IAAI,eAAe;4BAAE,SAAS;wBAEpD,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;4BAChB,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,IAAI,CAAC,EAAE;gCACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gCACnB,SAAS,EAAE,IAAI,CAAC,SAAS;gCACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gCACvB,QAAQ;gCACR,IAAI,EAAE,CAAC,GAAG,CAAC;gCACX,MAAM,EAAE,CAAC;gCACT,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gCAC1B,eAAe,EACb,KAAK,KAAK,mEAAmE;oCAC7E,gEAAgE;oCAChE,oGAAoG;gCACtG,WAAW,EACT,uDAAuD;oCACvD,6DAA6D;oCAC7D,4CAA4C;oCAC5C,iEAAiE;gCACnE,WAAW,EAAE,oBAAoB;gCACjC,UAAU,EAAE,IAAI;gCAChB,QAAQ,EAAE,QAAQ;6BACnB,CAAC,CAAC;4BACH,MAAM,CAAC,yBAAyB;wBAClC,CAAC;oBACH,CAAC;oBAED,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,KAAK,SAAS,CAAC,CAAC,0BAA0B;YAC5C,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAvHD,wDAuHC"}

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY007SQLAlchemySessionLeak implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY007-sqlalchemy-session-leak.d.ts.map

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY007-sqlalchemy-session-leak.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY007-sqlalchemy-session-leak.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAmB7E,qBAAa,0BAA2B,YAAW,cAAc;IAC/D,EAAE,SAAW;IACb,IAAI,SAAwD;IAC5D,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACwG;IAEnH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CA6EnE"}

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.js ADDED Viewed

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY007SQLAlchemySessionLeak = void 0;
+// Matches bare session assignment: session = Session() / session = SessionLocal() etc.
+// Captures the variable name and the constructor call
+const SESSION_ASSIGN_RE = /^(\s*)(\w+)\s*=\s*(Session|SessionLocal|AsyncSession|get_session|ScopedSession|sessionmaker\(\))\s*\(/;
+// Matches a `with` or `async with` block opening with Session
+const WITH_SESSION_RE = /^\s*(?:async\s+)?with\s+.*Session/;
+// Matches session.close() in a finally block vicinity
+const SESSION_CLOSE_RE = /\bsession\s*\.\s*close\s*\(\)/;
+// Matches a `finally:` block
+const FINALLY_RE = /^\s*finally\s*:/;
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+class PY007SQLAlchemySessionLeak {
+    id = 'PY007';
+    name = 'SQLAlchemy session created outside context manager';
+    policyRef = 'PY007';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'SQLAlchemy session assigned without a context manager or try/finally close() risks connection pool exhaustion.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                // Skip if this line is a `with Session()` — safe usage
+                if (WITH_SESSION_RE.test(line))
+                    continue;
+                const match = SESSION_ASSIGN_RE.exec(line);
+                if (!match)
+                    continue;
+                const varName = match[2];
+                const assignIndent = match[1].length;
+                // Look ahead: find if there is a try/finally with session.close()
+                // Search up to 60 lines ahead within the same or deeper indentation scope
+                let hasFinallyClose = false;
+                let inFinally = false;
+                for (let j = i + 1; j < Math.min(i + 60, lines.length); j++) {
+                    const jl = lines[j];
+                    const jt = jl.trimStart();
+                    if (jt.length === 0)
+                        continue;
+                    const jIndent = getIndent(jl);
+                    // If we've gone back to a shallower indent than the assignment, stop
+                    if (jIndent < assignIndent)
+                        break;
+                    if (FINALLY_RE.test(jl)) {
+                        inFinally = true;
+                        continue;
+                    }
+                    if (inFinally) {
+                        // Check for varName.close() or generic session.close()
+                        const closeRe = new RegExp(`\\b${varName}\\s*\\.\\s*close\\s*\\(\\)`);
+                        if (closeRe.test(jl) || SESSION_CLOSE_RE.test(jl)) {
+                            hasFinallyClose = true;
+                            break;
+                        }
+                    }
+                }
+                if (!hasFinallyClose) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: 'Unclosed SQLAlchemy sessions hold database connections open indefinitely. ' +
+                            'Connection pools exhaust under load, causing `TimeoutError: QueuePool limit of size X overflow Y reached` ' +
+                            'in production within hours of deployment.',
+                        remediation: 'Use `with Session() as session:` or `async with AsyncSession() as session:` for automatic cleanup. ' +
+                            'Never use bare `session = Session()` without a corresponding `finally: session.close()`.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.78,
+                        language: 'python',
+                    });
+                }
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY007SQLAlchemySessionLeak = PY007SQLAlchemySessionLeak;
+//# sourceMappingURL=PY007-sqlalchemy-session-leak.js.map

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY007-sqlalchemy-session-leak.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY007-sqlalchemy-session-leak.ts"],"names":[],"mappings":";;;AAEA,uFAAuF;AACvF,sDAAsD;AACtD,MAAM,iBAAiB,GAAG,uGAAuG,CAAC;AAElI,8DAA8D;AAC9D,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAE5D,sDAAsD;AACtD,MAAM,gBAAgB,GAAG,+BAA+B,CAAC;AAEzD,6BAA6B;AAC7B,MAAM,UAAU,GAAG,iBAAiB,CAAC;AAErC,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,MAAa,0BAA0B;IACrC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,oDAAoD,CAAC;IAC5D,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,gHAAgH,CAAC;IAEnH,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,uDAAuD;gBACvD,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEzC,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3C,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACzB,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBAErC,kEAAkE;gBAClE,0EAA0E;gBAC1E,IAAI,eAAe,GAAG,KAAK,CAAC;gBAC5B,IAAI,SAAS,GAAG,KAAK,CAAC;gBAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5D,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;wBAAE,SAAS;oBAE9B,MAAM,OAAO,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBAE9B,qEAAqE;oBACrE,IAAI,OAAO,GAAG,YAAY;wBAAE,MAAM;oBAElC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACxB,SAAS,GAAG,IAAI,CAAC;wBACjB,SAAS;oBACX,CAAC;oBAED,IAAI,SAAS,EAAE,CAAC;wBACd,uDAAuD;wBACvD,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;wBACtE,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;4BAClD,eAAe,GAAG,IAAI,CAAC;4BACvB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,4EAA4E;4BAC5E,4GAA4G;4BAC5G,2CAA2C;wBAC7C,WAAW,EACT,qGAAqG;4BACrG,0FAA0F;wBAC5F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAtFD,gEAsFC"}

package/dist/structural-rules/python/PY008-celery-task-without-retry.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY008CeleryTaskWithoutRetry implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "ADVISORY";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY008-celery-task-without-retry.d.ts.map

package/dist/structural-rules/python/PY008-celery-task-without-retry.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY008-celery-task-without-retry.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY008-celery-task-without-retry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA8C7E,qBAAa,2BAA4B,YAAW,cAAc;IAChE,EAAE,SAAW;IACb,IAAI,SAA6C;IACjD,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACmH;IAE9H,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiHnE"}