npm - @neurcode-ai/cli - Versions diffs - 0.9.63 → 0.9.65 - Mend

@neurcode-ai/cli 0.9.63 → 0.9.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (308) hide show

package/dist/structural-rules/rules/SR015-dangling-abort-controller.js ADDED Viewed

@@ -0,0 +1,190 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR015DanglingAbortController = void 0;
+const ts = __importStar(require("typescript"));
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line, extra = 1) {
+    const lines = sourceText.split('\n');
+    return lines.slice(line - 1, Math.min(line - 1 + extra, lines.length)).map(l => l.slice(0, 120)).join('\n');
+}
+/**
+ * Collect `new AbortController()` variable names in a function body block,
+ * returning a map from variable name -> VariableDeclaration node.
+ */
+function collectAbortControllerVars(block) {
+    const controllers = new Map();
+    function visit(node) {
+        if (ts.isVariableDeclaration(node) &&
+            ts.isIdentifier(node.name) &&
+            node.initializer &&
+            ts.isNewExpression(node.initializer) &&
+            ts.isIdentifier(node.initializer.expression) &&
+            node.initializer.expression.text === 'AbortController') {
+            controllers.set(node.name.text, node);
+        }
+        ts.forEachChild(node, visit);
+    }
+    ts.forEachChild(block, visit);
+    return controllers;
+}
+/**
+ * Check if varName.abort() is called anywhere within the given node subtree.
+ */
+function hasAbortCall(node, varName) {
+    let found = false;
+    function visit(n) {
+        if (found)
+            return;
+        if (ts.isCallExpression(n) &&
+            ts.isPropertyAccessExpression(n.expression) &&
+            ts.isIdentifier(n.expression.expression) &&
+            n.expression.expression.text === varName &&
+            n.expression.name.text === 'abort') {
+            found = true;
+            return;
+        }
+        ts.forEachChild(n, visit);
+    }
+    visit(node);
+    return found;
+}
+/**
+ * Check if the controller variable is passed to another function as an argument
+ * (meaning the caller manages lifecycle).
+ */
+function isPassedAsArgument(block, varName) {
+    let passed = false;
+    function visit(node) {
+        if (passed)
+            return;
+        if (ts.isCallExpression(node)) {
+            for (const arg of node.arguments) {
+                if (ts.isIdentifier(arg) && arg.text === varName) {
+                    passed = true;
+                    return;
+                }
+                // Also covers spread: func(...args) — skip for simplicity
+            }
+        }
+        ts.forEachChild(node, visit);
+    }
+    ts.forEachChild(block, visit);
+    return passed;
+}
+class SR015DanglingAbortController {
+    id = 'SR015';
+    name = 'Dangling AbortController (abort() never called)';
+    policyRef = 'SR015';
+    severity = 'ADVISORY';
+    languages = ['typescript', 'javascript'];
+    description = '`new AbortController()` created in a function but `.abort()` never called — ' +
+        'signal listeners are never released, preventing GC of the associated closure.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            const visit = (node) => {
+                const isFuncLike = ts.isFunctionDeclaration(node) ||
+                    ts.isFunctionExpression(node) ||
+                    ts.isArrowFunction(node) ||
+                    ts.isMethodDeclaration(node) ||
+                    ts.isConstructorDeclaration(node);
+                if (isFuncLike && ts.isFunctionLike(node) && node.body && ts.isBlock(node.body)) {
+                    const block = node.body;
+                    const controllers = collectAbortControllerVars(block);
+                    for (const [varName, decl] of controllers) {
+                        // Exclude: controller passed as argument to another function (caller manages lifecycle)
+                        if (isPassedAsArgument(block, varName)) {
+                            continue;
+                        }
+                        // Check: is .abort() called anywhere in this function body?
+                        if (!hasAbortCall(block, varName)) {
+                            // Also check the enclosing class for abort calls (dispose/cleanup methods)
+                            let foundInClass = false;
+                            let classNode = node.parent;
+                            while (classNode) {
+                                if (ts.isClassDeclaration(classNode) || ts.isClassExpression(classNode)) {
+                                    foundInClass = hasAbortCall(classNode, varName);
+                                    break;
+                                }
+                                classNode = classNode.parent;
+                            }
+                            if (!foundInClass) {
+                                const { line, column } = getLineAndCol(sf, decl.getStart(sf));
+                                const evidence = getEvidenceLines(sourceText, line, 2);
+                                violations.push({
+                                    ruleId: this.id,
+                                    ruleName: this.name,
+                                    policyRef: this.policyRef,
+                                    severity: this.severity,
+                                    filePath,
+                                    line,
+                                    column,
+                                    evidence,
+                                    operationalRisk: 'AbortController instances that are never aborted do not release the associated signal ' +
+                                        'listeners, which hold references to the operation and its closure — preventing GC.',
+                                    remediation: 'Ensure every AbortController has a corresponding `.abort()` call in finally blocks, ' +
+                                        'dispose methods, or signal listeners.',
+                                    determinism: 'heuristic-advisory',
+                                    confidence: 0.75,
+                                    language: filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+                                });
+                            }
+                        }
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR015DanglingAbortController = SR015DanglingAbortController;
+//# sourceMappingURL=SR015-dangling-abort-controller.js.map

package/dist/structural-rules/rules/SR015-dangling-abort-controller.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR015-dangling-abort-controller.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR015-dangling-abort-controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY,EAAE,KAAK,GAAG,CAAC;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9G,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CACjC,KAAe;IAEf,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkC,CAAC;IAE9D,SAAS,KAAK,CAAC,IAAa;QAC1B,IACE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;YAC9B,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1B,IAAI,CAAC,WAAW;YAChB,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC;YACpC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;YAC5C,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,KAAK,iBAAiB,EACtD,CAAC;YACD,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QACD,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC9B,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAa,EAAE,OAAe;IAClD,IAAI,KAAK,GAAG,KAAK,CAAC;IAElB,SAAS,KAAK,CAAC,CAAU;QACvB,IAAI,KAAK;YAAE,OAAO;QAClB,IACE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACtB,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC,UAAU,CAAC;YAC3C,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO;YACxC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EAClC,CAAC;YACD,KAAK,GAAG,IAAI,CAAC;YACb,OAAO;QACT,CAAC;QACD,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,CAAC;IACZ,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,KAAe,EAAE,OAAe;IAC1D,IAAI,MAAM,GAAG,KAAK,CAAC;IAEnB,SAAS,KAAK,CAAC,IAAa;QAC1B,IAAI,MAAM;YAAE,OAAO;QACnB,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,IAAI,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBACjD,MAAM,GAAG,IAAI,CAAC;oBACd,OAAO;gBACT,CAAC;gBACD,0DAA0D;YAC5D,CAAC;QACH,CAAC;QACD,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAa,4BAA4B;IACvC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,iDAAiD,CAAC;IACzD,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,8EAA8E;QAC9E,+EAA+E,CAAC;IAElF,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,MAAM,UAAU,GACd,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;oBAC9B,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;oBAC7B,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC;oBAC5B,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC;gBAEpC,IAAI,UAAU,IAAI,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChF,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC;oBACxB,MAAM,WAAW,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC;oBAEtD,KAAK,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC;wBAC1C,wFAAwF;wBACxF,IAAI,kBAAkB,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC;4BACvC,SAAS;wBACX,CAAC;wBAED,4DAA4D;wBAC5D,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC;4BAClC,2EAA2E;4BAC3E,IAAI,YAAY,GAAG,KAAK,CAAC;4BACzB,IAAI,SAAS,GAAwB,IAAI,CAAC,MAAM,CAAC;4BACjD,OAAO,SAAS,EAAE,CAAC;gCACjB,IAAI,EAAE,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,iBAAiB,CAAC,SAAS,CAAC,EAAE,CAAC;oCACxE,YAAY,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;oCAChD,MAAM;gCACR,CAAC;gCACD,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC;4BAC/B,CAAC;4BAED,IAAI,CAAC,YAAY,EAAE,CAAC;gCAClB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;gCAC9D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gCACvD,UAAU,CAAC,IAAI,CAAC;oCACd,MAAM,EAAE,IAAI,CAAC,EAAE;oCACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oCACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oCACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oCACvB,QAAQ;oCACR,IAAI;oCACJ,MAAM;oCACN,QAAQ;oCACR,eAAe,EACb,wFAAwF;wCACxF,oFAAoF;oCACtF,WAAW,EACT,sFAAsF;wCACtF,uCAAuC;oCACzC,WAAW,EAAE,oBAAoB;oCACjC,UAAU,EAAE,IAAI;oCAChB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;iCACtE,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC3B,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1FD,oEA0FC"}

package/dist/structural-rules/rules/SR016-unsafe-json-parse.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class SR016UnsafeJSONParse implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=SR016-unsafe-json-parse.d.ts.map

package/dist/structural-rules/rules/SR016-unsafe-json-parse.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR016-unsafe-json-parse.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR016-unsafe-json-parse.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA2F7E,qBAAa,oBAAqB,YAAW,cAAc;IACzD,EAAE,SAAW;IACb,IAAI,SAAsC;IAC1C,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAgC;IACzD,WAAW,SAEuE;IAElF,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAuEnE"}

package/dist/structural-rules/rules/SR016-unsafe-json-parse.js ADDED Viewed

@@ -0,0 +1,187 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR016UnsafeJSONParse = void 0;
+const ts = __importStar(require("typescript"));
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line, extra = 1) {
+    const lines = sourceText.split('\n');
+    return lines.slice(line - 1, Math.min(line - 1 + extra, lines.length)).map(l => l.slice(0, 120)).join('\n');
+}
+function isTestFile(filePath) {
+    return filePath.includes('.test.') || filePath.includes('.spec.');
+}
+/**
+ * Walk up the AST from a node to find the nearest try/catch statement.
+ * Returns true if a try block is found before reaching the function boundary.
+ */
+function isWrappedInTryCatch(node) {
+    let current = node.parent;
+    while (current) {
+        // Stop at function boundaries — the try/catch must be within the same function
+        if (ts.isFunctionDeclaration(current) ||
+            ts.isFunctionExpression(current) ||
+            ts.isArrowFunction(current) ||
+            ts.isMethodDeclaration(current) ||
+            ts.isConstructorDeclaration(current) ||
+            ts.isGetAccessorDeclaration(current) ||
+            ts.isSetAccessorDeclaration(current)) {
+            return false;
+        }
+        if (ts.isTryStatement(current)) {
+            // The node must be inside the try block (not the catch/finally)
+            if (isDescendantOf(node, current.tryBlock)) {
+                return true;
+            }
+        }
+        current = current.parent;
+    }
+    return false;
+}
+/** Returns true if `node` is a descendant of `ancestor`. */
+function isDescendantOf(node, ancestor) {
+    let current = node.parent;
+    while (current) {
+        if (current === ancestor)
+            return true;
+        current = current.parent;
+    }
+    return false;
+}
+/**
+ * Check if the JSON.parse call is inside a catch block.
+ * Error-handling context — acceptable to not double-wrap.
+ */
+function isInsideCatchClause(node) {
+    let current = node.parent;
+    while (current) {
+        if (ts.isCatchClause(current))
+            return true;
+        // Stop at function boundaries
+        if (ts.isFunctionDeclaration(current) ||
+            ts.isFunctionExpression(current) ||
+            ts.isArrowFunction(current) ||
+            ts.isMethodDeclaration(current)) {
+            return false;
+        }
+        current = current.parent;
+    }
+    return false;
+}
+/**
+ * Check if the argument to JSON.parse is a string literal (compile-time safe).
+ */
+function isStringLiteralArg(callNode) {
+    if (callNode.arguments.length === 0)
+        return false;
+    const firstArg = callNode.arguments[0];
+    return ts.isStringLiteral(firstArg) || ts.isNoSubstitutionTemplateLiteral(firstArg);
+}
+class SR016UnsafeJSONParse {
+    id = 'SR016';
+    name = 'Unsafe JSON.parse (no try/catch)';
+    policyRef = 'SR016';
+    severity = 'BLOCKING';
+    languages = ['typescript', 'javascript'];
+    description = 'JSON.parse() calls not wrapped in a try/catch — SyntaxError on malformed input crashes the ' +
+        'handler and, in Node.js, kills all in-flight requests sharing the event loop.';
+    check(filePath, sourceText) {
+        try {
+            if (isTestFile(filePath))
+                return [];
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            const visit = (node) => {
+                // Looking for: JSON.parse(...)
+                if (ts.isCallExpression(node) &&
+                    ts.isPropertyAccessExpression(node.expression) &&
+                    ts.isIdentifier(node.expression.expression) &&
+                    node.expression.expression.text === 'JSON' &&
+                    node.expression.name.text === 'parse') {
+                    // Exclude: argument is a string literal (compile-time safe)
+                    if (isStringLiteralArg(node)) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Exclude: inside a catch clause (already error-handling context)
+                    if (isInsideCatchClause(node)) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Flag if not wrapped in try/catch
+                    if (!isWrappedInTryCatch(node)) {
+                        const { line, column } = getLineAndCol(sf, node.expression.name.getStart(sf));
+                        const evidence = getEvidenceLines(sourceText, line, 2);
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line,
+                            column,
+                            evidence,
+                            operationalRisk: 'A single malformed JSON payload in a webhook, event stream, or IPC message crashes the ' +
+                                'handler. In a shared event loop (Node.js), this kills all in-flight requests.',
+                            remediation: 'Wrap in try/catch: `try { const data = JSON.parse(raw); } catch (e) { ' +
+                                "throw new TRPCError({ code: 'BAD_REQUEST', message: 'Invalid JSON payload' }); }`",
+                            determinism: 'deterministic-structural',
+                            confidence: 0.90,
+                            language: filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+                        });
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR016UnsafeJSONParse = SR016UnsafeJSONParse;
+//# sourceMappingURL=SR016-unsafe-json-parse.js.map

package/dist/structural-rules/rules/SR016-unsafe-json-parse.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR016-unsafe-json-parse.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR016-unsafe-json-parse.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY,EAAE,KAAK,GAAG,CAAC;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9G,CAAC;AAED,SAAS,UAAU,CAAC,QAAgB;IAClC,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,OAAO,GAAwB,IAAI,CAAC,MAAM,CAAC;IAE/C,OAAO,OAAO,EAAE,CAAC;QACf,+EAA+E;QAC/E,IACE,EAAE,CAAC,qBAAqB,CAAC,OAAO,CAAC;YACjC,EAAE,CAAC,oBAAoB,CAAC,OAAO,CAAC;YAChC,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC;YAC3B,EAAE,CAAC,mBAAmB,CAAC,OAAO,CAAC;YAC/B,EAAE,CAAC,wBAAwB,CAAC,OAAO,CAAC;YACpC,EAAE,CAAC,wBAAwB,CAAC,OAAO,CAAC;YACpC,EAAE,CAAC,wBAAwB,CAAC,OAAO,CAAC,EACpC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,gEAAgE;YAChE,IAAI,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4DAA4D;AAC5D,SAAS,cAAc,CAAC,IAAa,EAAE,QAAiB;IACtD,IAAI,OAAO,GAAwB,IAAI,CAAC,MAAM,CAAC;IAC/C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACtC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,OAAO,GAAwB,IAAI,CAAC,MAAM,CAAC;IAC/C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3C,8BAA8B;QAC9B,IACE,EAAE,CAAC,qBAAqB,CAAC,OAAO,CAAC;YACjC,EAAE,CAAC,oBAAoB,CAAC,OAAO,CAAC;YAChC,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC;YAC3B,EAAE,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAC/B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAA2B;IACrD,IAAI,QAAQ,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACvC,OAAO,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,+BAA+B,CAAC,QAAQ,CAAC,CAAC;AACtF,CAAC;AAED,MAAa,oBAAoB;IAC/B,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,kCAAkC,CAAC;IAC1C,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,6FAA6F;QAC7F,+EAA+E,CAAC;IAElF,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,QAAQ,CAAC;gBAAE,OAAO,EAAE,CAAC;YAEpC,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,+BAA+B;gBAC/B,IACE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBACzB,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC;oBAC9C,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;oBAC3C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,MAAM;oBAC1C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EACrC,CAAC;oBACD,4DAA4D;oBAC5D,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,kEAAkE;oBAClE,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,mCAAmC;oBACnC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;wBACvD,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI;4BACJ,MAAM;4BACN,QAAQ;4BACR,eAAe,EACb,yFAAyF;gCACzF,+EAA+E;4BACjF,WAAW,EACT,wEAAwE;gCACxE,mFAAmF;4BACrF,WAAW,EAAE,0BAA0B;4BACvC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;yBACtE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC3B,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAjFD,oDAiFC"}

package/dist/structural-rules/suppressions.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * Inline suppression annotations for structural rules.
+ *
+ * Supported formats:
+ *   // neurcode-ignore: SR003
+ *   // neurcode-ignore: SR003, SR007
+ *   // neurcode-ignore-next-line: SR003
+ *   // neurcode-ignore-file: SR003
+ *   // neurcode-ignore-file: SR003 — reason: timer is cleaned up in test teardown
+ *
+ * Every suppression is preserved in the audit trail as a SuppressedViolation.
+ * Suppressions never silently drop findings — they reclassify them as suppressed.
+ */
+import type { StructuralViolation } from './types';
+export interface SuppressionDirective {
+    type: 'line' | 'next-line' | 'file';
+    ruleIds: string[];
+    line: number;
+    reason: string | null;
+    raw: string;
+}
+export interface SuppressedViolation {
+    violation: StructuralViolation;
+    directive: SuppressionDirective;
+    suppressedAt: string;
+}
+/**
+ * Parse all neurcode-ignore directives from source text.
+ * Returns directives sorted by line number.
+ */
+export declare function parseSuppressionDirectives(sourceText: string): SuppressionDirective[];
+/**
+ * Apply suppression directives to a set of violations.
+ *
+ * Returns:
+ *  - active: violations NOT suppressed (to be reported normally)
+ *  - suppressed: violations that matched a directive (audit trail)
+ */
+export declare function applySuppressions(violations: StructuralViolation[], directives: SuppressionDirective[], _filePath: string): {
+    active: StructuralViolation[];
+    suppressed: SuppressedViolation[];
+};
+//# sourceMappingURL=suppressions.d.ts.map

package/dist/structural-rules/suppressions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"suppressions.d.ts","sourceRoot":"","sources":["../../src/structural-rules/suppressions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAEnD,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAK,MAAM,GAAG,WAAW,GAAG,MAAM,CAAC;IACvC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,EAAK,MAAM,CAAC;IAChB,MAAM,EAAG,MAAM,GAAG,IAAI,CAAC;IACvB,GAAG,EAAM,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAK,mBAAmB,CAAC;IAClC,SAAS,EAAK,oBAAoB,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AASD;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,GAAG,oBAAoB,EAAE,CA4CrF;AAUD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,mBAAmB,EAAE,EACjC,UAAU,EAAE,oBAAoB,EAAE,EAClC,SAAS,EAAE,MAAM,GAChB;IAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IAAC,UAAU,EAAE,mBAAmB,EAAE,CAAA;CAAE,CAwCtE"}

package/dist/structural-rules/suppressions.js ADDED Viewed

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * Inline suppression annotations for structural rules.
+ *
+ * Supported formats:
+ *   // neurcode-ignore: SR003
+ *   // neurcode-ignore: SR003, SR007
+ *   // neurcode-ignore-next-line: SR003
+ *   // neurcode-ignore-file: SR003
+ *   // neurcode-ignore-file: SR003 — reason: timer is cleaned up in test teardown
+ *
+ * Every suppression is preserved in the audit trail as a SuppressedViolation.
+ * Suppressions never silently drop findings — they reclassify them as suppressed.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSuppressionDirectives = parseSuppressionDirectives;
+exports.applySuppressions = applySuppressions;
+// Matches: // neurcode-ignore[-next-line|-file][: SR001, SR002] [— reason: ...]
+// Group 1: variant suffix ('-next-line', '-file', or empty)
+// Group 2: rule list (may be absent)
+// Group 3: reason text (may be absent)
+const DIRECTIVE_RE = /\/\/\s*neurcode-ignore(-next-line|-file)?(?:\s*:\s*([^—\n]+?))?(?:\s*[—–-]\s*reason:\s*(.+?))?[\s]*$/;
+/**
+ * Parse all neurcode-ignore directives from source text.
+ * Returns directives sorted by line number.
+ */
+function parseSuppressionDirectives(sourceText) {
+    const lines = sourceText.split('\n');
+    const directives = [];
+    for (let i = 0; i < lines.length; i++) {
+        const lineText = lines[i];
+        const lineNumber = i + 1; // 1-based
+        // Quick bail — must contain the marker
+        if (!lineText.includes('neurcode-ignore'))
+            continue;
+        const match = DIRECTIVE_RE.exec(lineText);
+        if (!match)
+            continue;
+        const variantSuffix = match[1] ?? ''; // '-next-line', '-file', or ''
+        const ruleListRaw = match[2] ?? '';
+        const reasonRaw = match[3] ?? '';
+        let type;
+        if (variantSuffix === '-next-line') {
+            type = 'next-line';
+        }
+        else if (variantSuffix === '-file') {
+            type = 'file';
+        }
+        else {
+            type = 'line';
+        }
+        // Parse comma-separated rule IDs, stripping whitespace
+        const ruleIds = ruleListRaw
+            .split(',')
+            .map(r => r.trim())
+            .filter(r => r.length > 0);
+        const reason = reasonRaw.trim() || null;
+        // Capture the original comment text (trimmed)
+        const raw = lineText.replace(/^.*?\/\//, '//').trim();
+        directives.push({ type, ruleIds, line: lineNumber, reason, raw });
+    }
+    // Stable sort by line number (already in order, but be explicit)
+    directives.sort((a, b) => a.line - b.line);
+    return directives;
+}
+/**
+ * Return true if the directive covers the given ruleId.
+ * An empty ruleIds list means "suppress everything".
+ */
+function directiveMatchesRule(directive, ruleId) {
+    return directive.ruleIds.length === 0 || directive.ruleIds.includes(ruleId);
+}
+/**
+ * Apply suppression directives to a set of violations.
+ *
+ * Returns:
+ *  - active: violations NOT suppressed (to be reported normally)
+ *  - suppressed: violations that matched a directive (audit trail)
+ */
+function applySuppressions(violations, directives, _filePath) {
+    const active = [];
+    const suppressed = [];
+    const now = new Date().toISOString();
+    for (const violation of violations) {
+        let matchedDirective = null;
+        for (const directive of directives) {
+            if (!directiveMatchesRule(directive, violation.ruleId))
+                continue;
+            if (directive.type === 'file') {
+                matchedDirective = directive;
+                break;
+            }
+            if (directive.type === 'line' && directive.line === violation.line) {
+                matchedDirective = directive;
+                break;
+            }
+            if (directive.type === 'next-line' && directive.line + 1 === violation.line) {
+                matchedDirective = directive;
+                break;
+            }
+        }
+        if (matchedDirective) {
+            suppressed.push({
+                violation,
+                directive: matchedDirective,
+                suppressedAt: now,
+            });
+        }
+        else {
+            active.push(violation);
+        }
+    }
+    return { active, suppressed };
+}
+//# sourceMappingURL=suppressions.js.map

package/dist/structural-rules/suppressions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"suppressions.js","sourceRoot":"","sources":["../../src/structural-rules/suppressions.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AA6BH,gEA4CC;AAiBD,8CA4CC;AApHD,gFAAgF;AAChF,4DAA4D;AAC5D,qCAAqC;AACrC,uCAAuC;AACvC,MAAM,YAAY,GAChB,sGAAsG,CAAC;AAEzG;;;GAGG;AACH,SAAgB,0BAA0B,CAAC,UAAkB;IAC3D,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU;QAEpC,uCAAuC;QACvC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YAAE,SAAS;QAEpD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,+BAA+B;QACrE,MAAM,WAAW,GAAK,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,SAAS,GAAO,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAErC,IAAI,IAAkC,CAAC;QACvC,IAAI,aAAa,KAAK,YAAY,EAAE,CAAC;YACnC,IAAI,GAAG,WAAW,CAAC;QACrB,CAAC;aAAM,IAAI,aAAa,KAAK,OAAO,EAAE,CAAC;YACrC,IAAI,GAAG,MAAM,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,MAAM,CAAC;QAChB,CAAC;QAED,uDAAuD;QACvD,MAAM,OAAO,GAAG,WAAW;aACxB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aAClB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE7B,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;QAExC,8CAA8C;QAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtD,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAC3C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,SAA+B,EAAE,MAAc;IAC3E,OAAO,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC9E,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,iBAAiB,CAC/B,UAAiC,EACjC,UAAkC,EAClC,SAAiB;IAEjB,MAAM,MAAM,GAA0B,EAAE,CAAC;IACzC,MAAM,UAAU,GAA0B,EAAE,CAAC;IAE7C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,gBAAgB,GAAgC,IAAI,CAAC;QAEzD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC;gBAAE,SAAS;YAEjE,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC9B,gBAAgB,GAAG,SAAS,CAAC;gBAC7B,MAAM;YACR,CAAC;YAED,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;gBACnE,gBAAgB,GAAG,SAAS,CAAC;gBAC7B,MAAM;YACR,CAAC;YAED,IAAI,SAAS,CAAC,IAAI,KAAK,WAAW,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;gBAC5E,gBAAgB,GAAG,SAAS,CAAC;gBAC7B,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,EAAE,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC;gBACd,SAAS;gBACT,SAAS,EAAE,gBAAgB;gBAC3B,YAAY,EAAE,GAAG;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;AAChC,CAAC"}

package/dist/structural-rules/types.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import type { SuppressedViolation } from './suppressions';
+import type { SeverityAdjustment } from './context-severity';
+export type { SuppressedViolation } from './suppressions';
+export type { SeverityAdjustment } from './context-severity';
+export type DeterminismLevel = 'deterministic-structural' | 'deterministic-semantic' | 'heuristic-advisory' | 'llm-assisted-planning';
+export type RuleSeverity = 'BLOCKING' | 'ADVISORY';
+export type RuleLanguage = 'typescript' | 'python' | 'javascript';
+export interface StructuralViolation {
+    ruleId: string;
+    ruleName: string;
+    policyRef: string;
+    severity: RuleSeverity;
+    filePath: string;
+    line: number;
+    column: number;
+    evidence: string;
+    operationalRisk: string;
+    remediation: string;
+    determinism: DeterminismLevel;
+    confidence: number;
+    language: RuleLanguage;
+}
+export interface StructuralRuleResult {
+    violations: StructuralViolation[];
+    filesAnalyzed: number;
+    analysisMs: number;
+    rulesApplied: string[];
+    skippedFiles: string[];
+    suppressedCount: number;
+    suppressedViolations: SuppressedViolation[];
+    severityAdjustments: SeverityAdjustment[];
+}
+export interface StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: RuleSeverity;
+    languages: RuleLanguage[];
+    description: string;
+    /** Check a single file's source text. Returns violations found. */
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/structural-rules/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/structural-rules/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAE7D,YAAY,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,YAAY,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAE7D,MAAM,MAAM,gBAAgB,GACxB,0BAA0B,GAC1B,wBAAwB,GACxB,oBAAoB,GACpB,uBAAuB,CAAC;AAE5B,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,UAAU,CAAC;AACnD,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAElE,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAY,MAAM,CAAC;IACzB,QAAQ,EAAU,MAAM,CAAC;IACzB,SAAS,EAAS,MAAM,CAAC;IACzB,QAAQ,EAAU,YAAY,CAAC;IAC/B,QAAQ,EAAU,MAAM,CAAC;IACzB,IAAI,EAAc,MAAM,CAAC;IACzB,MAAM,EAAY,MAAM,CAAC;IACzB,QAAQ,EAAU,MAAM,CAAC;IACzB,eAAe,EAAG,MAAM,CAAC;IACzB,WAAW,EAAO,MAAM,CAAC;IACzB,WAAW,EAAO,gBAAgB,CAAC;IACnC,UAAU,EAAQ,MAAM,CAAC;IACzB,QAAQ,EAAU,YAAY,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAY,mBAAmB,EAAE,CAAC;IAC5C,aAAa,EAAS,MAAM,CAAC;IAC7B,UAAU,EAAY,MAAM,CAAC;IAC7B,YAAY,EAAU,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAU,MAAM,EAAE,CAAC;IAC/B,eAAe,EAAO,MAAM,CAAC;IAC7B,oBAAoB,EAAE,mBAAmB,EAAE,CAAC;IAC5C,mBAAmB,EAAG,kBAAkB,EAAE,CAAC;CAC5C;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAS,MAAM,CAAC;IAClB,IAAI,EAAO,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAG,YAAY,CAAC;IACxB,SAAS,EAAE,YAAY,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE,CAAC;CACpE"}

package/dist/structural-rules/types.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/structural-rules/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/structural-rules/types.ts"],"names":[],"mappings":""}

package/dist/utils/advisory-signals.d.ts CHANGED Viewed

@@ -6,6 +6,11 @@ export interface AdvisorySignal {
     title: string;
     detail: string;
     files: string[];
+    advisoryOnly: true;
+    confidence: 'low' | 'medium';
+    evidence: string[];
+    uncertainty: string;
+    structuralCoverageGap: string;
 }
 interface AdvisoryInput {
     diffFiles: DiffFile[];