npm - @neurcode-ai/cli - Versions diffs - 0.9.64 → 0.9.65 - Mend

@neurcode-ai/cli 0.9.64 → 0.9.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/dist/structural-rules/python/PY008-celery-task-without-retry.js ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY008CeleryTaskWithoutRetry = void 0;
+// Matches Celery task decorators
+const CELERY_DECORATOR_RE = /^\s*@(?:\w+\.)?(?:app\.task|celery\.task|shared_task)\s*[\(\n]/;
+const CELERY_DECORATOR_INLINE_RE = /^\s*@(?:\w+\.)?(?:app\.task|celery\.task|shared_task)\s*\(/;
+// Retry configuration keywords inside the decorator
+const RETRY_CONFIG_RE = /(?:max_retries|retry_backoff|autoretry_for|bind\s*=\s*True)/;
+// ignore_result=True — fire-and-forget, valid without retry
+const IGNORE_RESULT_RE = /ignore_result\s*=\s*True/;
+// A raise statement inside the function body
+const RAISE_RE = /\braise\b/;
+// self.retry( call — manual retry in bind=True task
+const SELF_RETRY_RE = /\bself\.retry\s*\(/;
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+/**
+ * Collect the decorator text (potentially multi-line) starting at decoratorLine.
+ * Returns the full decorator string and the line index where the decorator ends.
+ */
+function collectDecorator(lines, decoratorLine) {
+    let text = lines[decoratorLine];
+    let depth = 0;
+    for (const ch of lines[decoratorLine]) {
+        if (ch === '(')
+            depth++;
+        else if (ch === ')')
+            depth--;
+    }
+    let j = decoratorLine + 1;
+    while (depth > 0 && j < lines.length) {
+        text += '\n' + lines[j];
+        for (const ch of lines[j]) {
+            if (ch === '(')
+                depth++;
+            else if (ch === ')')
+                depth--;
+        }
+        j++;
+    }
+    return { text, endLine: j - 1 };
+}
+class PY008CeleryTaskWithoutRetry {
+    id = 'PY008';
+    name = 'Celery task without retry configuration';
+    policyRef = 'PY008';
+    severity = 'ADVISORY';
+    languages = ['python'];
+    description = 'Celery task functions that can raise exceptions but have no retry configuration silently drop jobs on transient failures.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                // Detect Celery decorator
+                const isDecorator = CELERY_DECORATOR_RE.test(line) || CELERY_DECORATOR_INLINE_RE.test(line);
+                if (!isDecorator) {
+                    i++;
+                    continue;
+                }
+                const decoratorStartLine = i;
+                // Collect full decorator text (handles multi-line)
+                const { text: decoratorText, endLine: decoratorEnd } = collectDecorator(lines, i);
+                // Check for retry config
+                const hasRetryConfig = RETRY_CONFIG_RE.test(decoratorText);
+                const hasIgnoreResult = IGNORE_RESULT_RE.test(decoratorText);
+                // Find the function definition line after decorator
+                let funcDefLine = -1;
+                let j = decoratorEnd + 1;
+                while (j < Math.min(decoratorEnd + 6, lines.length)) {
+                    const l = lines[j].trimStart();
+                    if (/^(?:async\s+)?def\s+\w+\s*\(/.test(l)) {
+                        funcDefLine = j;
+                        break;
+                    }
+                    if (l.length > 0 && !l.startsWith('@') && !l.startsWith('#'))
+                        break;
+                    j++;
+                }
+                if (funcDefLine === -1) {
+                    i = j;
+                    continue;
+                }
+                if (hasRetryConfig) {
+                    // Already has retry config — no violation
+                    i = funcDefLine + 1;
+                    continue;
+                }
+                // Collect function body
+                const funcIndent = getIndent(lines[funcDefLine]);
+                let bodyHasRaise = false;
+                let bodyHasSelfRetry = false;
+                let k = funcDefLine + 1;
+                while (k < lines.length) {
+                    const bl = lines[k];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        k++;
+                        continue;
+                    }
+                    const bi = getIndent(bl);
+                    if (bi <= funcIndent)
+                        break;
+                    if (RAISE_RE.test(bl))
+                        bodyHasRaise = true;
+                    if (SELF_RETRY_RE.test(bl))
+                        bodyHasSelfRetry = true;
+                    k++;
+                }
+                // If fire-and-forget (ignore_result=True) and no raise → no violation
+                if (hasIgnoreResult && !bodyHasRaise) {
+                    i = k;
+                    continue;
+                }
+                // If uses self.retry() manually → no violation
+                if (bodyHasSelfRetry) {
+                    i = k;
+                    continue;
+                }
+                // If function has potential raises and no retry config → flag it
+                if (bodyHasRaise) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: decoratorStartLine + 1,
+                        column: 1,
+                        evidence: lines[decoratorStartLine].slice(0, 120),
+                        operationalRisk: 'A transient failure (network timeout, DB connection error) in a Celery task without retry configuration ' +
+                            'permanently drops the job. The message is lost without processing, causing data loss or inconsistent state.',
+                        remediation: 'Add `autoretry_for=(Exception,), max_retries=3, retry_backoff=True` to the decorator, ' +
+                            'or use `self.retry(exc=exc, countdown=2**self.request.retries)` in the exception handler.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.75,
+                        language: 'python',
+                    });
+                }
+                i = k;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY008CeleryTaskWithoutRetry = PY008CeleryTaskWithoutRetry;
+//# sourceMappingURL=PY008-celery-task-without-retry.js.map

package/dist/structural-rules/python/PY008-celery-task-without-retry.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY008-celery-task-without-retry.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY008-celery-task-without-retry.ts"],"names":[],"mappings":";;;AAEA,iCAAiC;AACjC,MAAM,mBAAmB,GAAG,gEAAgE,CAAC;AAC7F,MAAM,0BAA0B,GAAG,4DAA4D,CAAC;AAEhG,oDAAoD;AACpD,MAAM,eAAe,GAAG,6DAA6D,CAAC;AAEtF,4DAA4D;AAC5D,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,QAAQ,GAAG,WAAW,CAAC;AAE7B,oDAAoD;AACpD,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAE3C,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,KAAe,EAAE,aAAqB;IAC9D,IAAI,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACtC,IAAI,EAAE,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;aACnB,IAAI,EAAE,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;IAC/B,CAAC;IAED,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,CAAC;IAC1B,OAAO,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,IAAI,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBACnB,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;QACD,CAAC,EAAE,CAAC;IACN,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,MAAa,2BAA2B;IACtC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,yCAAyC,CAAC;IACjD,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,2HAA2H,CAAC;IAE9H,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,0BAA0B;gBAC1B,MAAM,WAAW,GACf,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE1E,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,kBAAkB,GAAG,CAAC,CAAC;gBAE7B,mDAAmD;gBACnD,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAElF,yBAAyB;gBACzB,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC3D,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAE7D,oDAAoD;gBACpD,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;gBACrB,IAAI,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC;gBACzB,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBACpD,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBAC/B,IAAI,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC3C,WAAW,GAAG,CAAC,CAAC;wBAChB,MAAM;oBACR,CAAC;oBACD,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;wBAAE,MAAM;oBACpE,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;oBACvB,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,IAAI,cAAc,EAAE,CAAC;oBACnB,0CAA0C;oBAC1C,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;oBACpB,SAAS;gBACX,CAAC;gBAED,wBAAwB;gBACxB,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;gBACjD,IAAI,YAAY,GAAG,KAAK,CAAC;gBACzB,IAAI,gBAAgB,GAAG,KAAK,CAAC;gBAC7B,IAAI,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;gBAExB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBACzB,IAAI,EAAE,IAAI,UAAU;wBAAE,MAAM;oBAE5B,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wBAAE,YAAY,GAAG,IAAI,CAAC;oBAC3C,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;wBAAE,gBAAgB,GAAG,IAAI,CAAC;oBACpD,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,sEAAsE;gBACtE,IAAI,eAAe,IAAI,CAAC,YAAY,EAAE,CAAC;oBACrC,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,+CAA+C;gBAC/C,IAAI,gBAAgB,EAAE,CAAC;oBACrB,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,iEAAiE;gBACjE,IAAI,YAAY,EAAE,CAAC;oBACjB,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,kBAAkB,GAAG,CAAC;wBAC5B,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,KAAK,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACjD,eAAe,EACb,0GAA0G;4BAC1G,6GAA6G;wBAC/G,WAAW,EACT,wFAAwF;4BACxF,2FAA2F;wBAC7F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;gBACL,CAAC;gBAED,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1HD,kEA0HC"}

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY009UnsafePickleDeserialization implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY009-unsafe-pickle-deserialization.d.ts.map

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY009-unsafe-pickle-deserialization.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY009-unsafe-pickle-deserialization.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAmB7E,qBAAa,gCAAiC,YAAW,cAAc;IACrE,EAAE,SAAW;IACb,IAAI,SAAmC;IACvC,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SAEsD;IAEjE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAoHnE"}

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.js ADDED Viewed

@@ -0,0 +1,133 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY009UnsafePickleDeserialization = void 0;
+// Matches pickle.loads( or pickle.load(
+const PICKLE_LOAD_RE = /\bpickle\.loads?\s*\(/;
+// Matches joblib.load(
+const JOBLIB_LOAD_RE = /\bjoblib\.load\s*\(/;
+// Matches torch.load( without weights_only=True
+const TORCH_LOAD_RE = /\btorch\.load\s*\(/;
+const TORCH_WEIGHTS_ONLY_RE = /weights_only\s*=\s*True/;
+// Detects if this appears to be a test file
+const TEST_FILE_RE = /(?:^|[\\/])(?:test_|_test|tests[\\/])/;
+// Detects if the pickle input looks like a literal bytes value in a test
+// e.g. pickle.loads(b'\x80\x04...')  or pickle.loads(b"...")
+const LITERAL_BYTES_ARG_RE = /\bpickle\.loads?\s*\(\s*b['"]|pickle\.loads?\s*\(\s*b"""|\bpickle\.loads?\s*\(\s*b'''/;
+class PY009UnsafePickleDeserialization {
+    id = 'PY009';
+    name = 'Unsafe pickle deserialization';
+    policyRef = 'PY009';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'pickle.loads() / pickle.load() executes arbitrary Python code during deserialization. ' +
+        'torch.load() without weights_only=True is equally dangerous.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            const isTestFile = TEST_FILE_RE.test(filePath);
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                const trimmed = line.trimStart();
+                // Skip comment lines
+                if (trimmed.startsWith('#'))
+                    continue;
+                // Skip noqa lines
+                if (/\bnoqa\b/.test(line))
+                    continue;
+                // Check pickle.loads / pickle.load
+                if (PICKLE_LOAD_RE.test(line)) {
+                    // Exclude: test file with literal bytes argument
+                    if (isTestFile && LITERAL_BYTES_ARG_RE.test(line)) {
+                        continue;
+                    }
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: '`pickle.loads()` executes arbitrary Python code during deserialization. ' +
+                            'A single compromised or malformed pickle payload from any source achieves remote code execution ' +
+                            'on the deserializing machine. This is a critical supply-chain attack vector in ML systems that share model artifacts.',
+                        remediation: 'Replace `pickle` with `json`, `msgpack`, or `protobuf` for data serialization. ' +
+                            'For ML models, use `safetensors` format. If pickle is truly required, validate the HMAC signature ' +
+                            'before deserializing and only accept pickles from trusted, authenticated internal sources.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.95,
+                        language: 'python',
+                    });
+                    continue;
+                }
+                // Check joblib.load(
+                if (JOBLIB_LOAD_RE.test(line)) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: '`joblib.load()` uses pickle internally and executes arbitrary Python code during deserialization. ' +
+                            'Malicious or tampered model artifacts can achieve remote code execution.',
+                        remediation: 'Use `safetensors` format for model artifacts, or validate the HMAC signature of the joblib file before loading.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.95,
+                        language: 'python',
+                    });
+                    continue;
+                }
+                // Check torch.load( — flag if weights_only=True is NOT on the same line
+                // Also check the next 2 lines for multi-line calls
+                if (TORCH_LOAD_RE.test(line)) {
+                    // Collect the call: check current line + next 2 for weights_only=True
+                    let callText = line;
+                    for (let k = 1; k <= 2 && i + k < lines.length; k++) {
+                        callText += '\n' + lines[i + k];
+                        // Stop if we've closed the parens
+                        let depth = 0;
+                        for (const ch of callText) {
+                            if (ch === '(')
+                                depth++;
+                            else if (ch === ')')
+                                depth--;
+                        }
+                        if (depth <= 0)
+                            break;
+                    }
+                    if (!TORCH_WEIGHTS_ONLY_RE.test(callText)) {
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line: i + 1,
+                            column: 1,
+                            evidence: line.slice(0, 120),
+                            operationalRisk: '`torch.load()` without `weights_only=True` uses pickle and executes arbitrary Python code. ' +
+                                'PyTorch 2.0+ requires `weights_only=True` for safe model loading from untrusted sources.',
+                            remediation: 'Add `weights_only=True`: `torch.load(path, weights_only=True)`. ' +
+                                'For full model loading you trust internally, at minimum validate the source integrity before loading.',
+                            determinism: 'heuristic-advisory',
+                            confidence: 0.95,
+                            language: 'python',
+                        });
+                    }
+                }
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY009UnsafePickleDeserialization = PY009UnsafePickleDeserialization;
+//# sourceMappingURL=PY009-unsafe-pickle-deserialization.js.map

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY009-unsafe-pickle-deserialization.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY009-unsafe-pickle-deserialization.ts"],"names":[],"mappings":";;;AAEA,wCAAwC;AACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAE/C,uBAAuB;AACvB,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAE7C,gDAAgD;AAChD,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAC3C,MAAM,qBAAqB,GAAG,yBAAyB,CAAC;AAExD,4CAA4C;AAC5C,MAAM,YAAY,GAAG,uCAAuC,CAAC;AAE7D,yEAAyE;AACzE,6DAA6D;AAC7D,MAAM,oBAAoB,GAAG,uFAAuF,CAAC;AAErH,MAAa,gCAAgC;IAC3C,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,+BAA+B,CAAC;IACvC,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,wFAAwF;QACxF,8DAA8D,CAAC;IAEjE,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,qBAAqB;gBACrB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACtC,kBAAkB;gBAClB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEpC,mCAAmC;gBACnC,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,iDAAiD;oBACjD,IAAI,UAAU,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAClD,SAAS;oBACX,CAAC;oBAED,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,0EAA0E;4BAC1E,kGAAkG;4BAClG,uHAAuH;wBACzH,WAAW,EACT,iFAAiF;4BACjF,oGAAoG;4BACpG,4FAA4F;wBAC9F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,qBAAqB;gBACrB,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,oGAAoG;4BACpG,0EAA0E;wBAC5E,WAAW,EACT,iHAAiH;wBACnH,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,wEAAwE;gBACxE,mDAAmD;gBACnD,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,sEAAsE;oBACtE,IAAI,QAAQ,GAAG,IAAI,CAAC;oBACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACpD,QAAQ,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBAChC,kCAAkC;wBAClC,IAAI,KAAK,GAAG,CAAC,CAAC;wBACd,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;4BAC1B,IAAI,EAAE,KAAK,GAAG;gCAAE,KAAK,EAAE,CAAC;iCACnB,IAAI,EAAE,KAAK,GAAG;gCAAE,KAAK,EAAE,CAAC;wBAC/B,CAAC;wBACD,IAAI,KAAK,IAAI,CAAC;4BAAE,MAAM;oBACxB,CAAC;oBAED,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC1C,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,MAAM,EAAE,CAAC;4BACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;4BAC5B,eAAe,EACb,6FAA6F;gCAC7F,0FAA0F;4BAC5F,WAAW,EACT,kEAAkE;gCAClE,uGAAuG;4BACzG,WAAW,EAAE,oBAAoB;4BACjC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA9HD,4EA8HC"}

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY010LeakedAiohttpSession implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY010-leaked-aiohttp-session.d.ts.map

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY010-leaked-aiohttp-session.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY010-leaked-aiohttp-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAY7E,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,EAAE,SAAW;IACb,IAAI,SAA2D;IAC/D,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SAC8G;IAEzH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiEnE"}

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.js ADDED Viewed

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY010LeakedAiohttpSession = void 0;
+// Matches bare assignment: session = aiohttp.ClientSession() or session = ClientSession()
+// Captures variable name and whether it's aiohttp-qualified
+const SESSION_ASSIGN_RE = /^(\s*)(\w+)\s*=\s*(?:aiohttp\.)?ClientSession\s*\(/;
+// Matches correct async with usage
+const ASYNC_WITH_SESSION_RE = /^\s*async\s+with\s+(?:aiohttp\.)?ClientSession\s*\(/;
+// Matches await <varname>.close() — shutdown hook pattern
+const AWAIT_CLOSE_RE = /\bawait\s+\w+\s*\.\s*close\s*\(\)/;
+class PY010LeakedAiohttpSession {
+    id = 'PY010';
+    name = 'aiohttp.ClientSession created without context manager';
+    policyRef = 'PY010';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'aiohttp.ClientSession() assigned to a variable without `async with` leaks TCP connection pools and file descriptors.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const normalizedText = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+            const lines = normalizedText.split('\n');
+            // Pre-scan: does the file contain await <something>.close() anywhere?
+            // This handles the module-level singleton pattern with a shutdown hook.
+            const fileHasAwaitClose = AWAIT_CLOSE_RE.test(normalizedText);
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                const trimmed = line.trimStart();
+                // Skip comment lines
+                if (trimmed.startsWith('#'))
+                    continue;
+                // Skip noqa
+                if (/\bnoqa\b/.test(line))
+                    continue;
+                // Skip correct async with usage
+                if (ASYNC_WITH_SESSION_RE.test(line))
+                    continue;
+                const match = SESSION_ASSIGN_RE.exec(line);
+                if (!match)
+                    continue;
+                const varName = match[2];
+                // Check if the specific variable has a close() call anywhere in the file
+                const varCloseRe = new RegExp(`\\bawait\\s+${varName}\\s*\\.\\s*close\\s*\\(\\)`);
+                const varHasClose = varCloseRe.test(normalizedText);
+                // If this variable is closed somewhere (shutdown hook) — it's a managed singleton, skip
+                if (varHasClose)
+                    continue;
+                // If the file has generic await <x>.close() and this is likely a module-level singleton
+                // Heuristic: if the assignment is at module level (indent == 0) and file has await close → skip
+                const assignIndent = match[1].length;
+                if (assignIndent === 0 && fileHasAwaitClose)
+                    continue;
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: i + 1,
+                    column: 1,
+                    evidence: line.slice(0, 120),
+                    operationalRisk: 'Each unclosed aiohttp session leaks a TCP connection pool and an underlying connector. ' +
+                        'In services that create sessions per-request, this exhausts file descriptors within minutes under load.',
+                    remediation: 'Use `async with aiohttp.ClientSession() as session:` for request-scoped sessions. ' +
+                        'For long-lived sessions, create once at startup and call `await session.close()` in the app shutdown handler.',
+                    determinism: 'heuristic-advisory',
+                    confidence: 0.85,
+                    language: 'python',
+                });
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY010LeakedAiohttpSession = PY010LeakedAiohttpSession;
+//# sourceMappingURL=PY010-leaked-aiohttp-session.js.map

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY010-leaked-aiohttp-session.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY010-leaked-aiohttp-session.ts"],"names":[],"mappings":";;;AAEA,0FAA0F;AAC1F,4DAA4D;AAC5D,MAAM,iBAAiB,GAAG,oDAAoD,CAAC;AAE/E,mCAAmC;AACnC,MAAM,qBAAqB,GAAG,qDAAqD,CAAC;AAEpF,0DAA0D;AAC1D,MAAM,cAAc,GAAG,mCAAmC,CAAC;AAE3D,MAAa,yBAAyB;IACpC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,uDAAuD,CAAC;IAC/D,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,sHAAsH,CAAC;IAEzH,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,cAAc,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAC9E,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEzC,sEAAsE;YACtE,wEAAwE;YACxE,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAE9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,qBAAqB;gBACrB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACtC,YAAY;gBACZ,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACpC,gCAAgC;gBAChC,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE/C,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3C,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEzB,yEAAyE;gBACzE,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,eAAe,OAAO,4BAA4B,CAAC,CAAC;gBAClF,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gBAEpD,wFAAwF;gBACxF,IAAI,WAAW;oBAAE,SAAS;gBAE1B,wFAAwF;gBACxF,gGAAgG;gBAChG,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACrC,IAAI,YAAY,KAAK,CAAC,IAAI,iBAAiB;oBAAE,SAAS;gBAEtD,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,MAAM,EAAE,CAAC;oBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC5B,eAAe,EACb,yFAAyF;wBACzF,yGAAyG;oBAC3G,WAAW,EACT,oFAAoF;wBACpF,+GAA+G;oBACjH,WAAW,EAAE,oBAAoB;oBACjC,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1ED,8DA0EC"}

package/dist/structural-rules/rules/SR001-swallowed-async-rejection.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class SR001SwallowedAsyncRejection implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=SR001-swallowed-async-rejection.d.ts.map

package/dist/structural-rules/rules/SR001-swallowed-async-rejection.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR001-swallowed-async-rejection.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR001-swallowed-async-rejection.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAiC7E,qBAAa,4BAA6B,YAAW,cAAc;IACjE,EAAE,SAAW;IACb,IAAI,SAA+B;IACnC,SAAS,SAAU;IACnB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAgC;IACzD,WAAW,SACgG;IAE3G,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAmFnE"}

package/dist/structural-rules/rules/SR001-swallowed-async-rejection.js ADDED Viewed

@@ -0,0 +1,145 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR001SwallowedAsyncRejection = void 0;
+const ts = __importStar(require("typescript"));
+function containsThrowOrReject(node) {
+    if (ts.isThrowStatement(node))
+        return true;
+    if (ts.isCallExpression(node) &&
+        ts.isIdentifier(node.expression) &&
+        node.expression.text === 'reject') {
+        return true;
+    }
+    let found = false;
+    ts.forEachChild(node, child => {
+        if (!found)
+            found = containsThrowOrReject(child);
+    });
+    return found;
+}
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line, extra = 1) {
+    const lines = sourceText.split('\n');
+    const start = line - 1;
+    const end = Math.min(start + extra, lines.length);
+    return lines
+        .slice(start, end)
+        .map(l => l.slice(0, 120))
+        .join('\n');
+}
+class SR001SwallowedAsyncRejection {
+    id = 'SR001';
+    name = 'Swallowed async rejection';
+    policyRef = 'P005';
+    severity = 'BLOCKING';
+    languages = ['typescript', 'javascript'];
+    description = '.catch() callbacks that do not contain a throw statement or a call to reject() silently absorb errors.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            const visit = (node) => {
+                // Looking for: expr.catch(callback)
+                if (ts.isCallExpression(node) &&
+                    ts.isPropertyAccessExpression(node.expression) &&
+                    node.expression.name.text === 'catch') {
+                    const args = node.arguments;
+                    if (args.length !== 1) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    const callback = args[0];
+                    // Exclude shorthand: .catch(console.error) or .catch(logger.error)
+                    if (ts.isPropertyAccessExpression(callback) || ts.isIdentifier(callback)) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Must be arrow function or function expression
+                    if (!ts.isArrowFunction(callback) && !ts.isFunctionExpression(callback)) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    const body = callback.body;
+                    // Exclude empty body: .catch(() => {})
+                    if (ts.isBlock(body) && body.statements.length === 0) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Check if body contains throw or reject
+                    if (!containsThrowOrReject(body)) {
+                        const { line, column } = getLineAndCol(sf, node.expression.name.getStart(sf));
+                        const evidence = getEvidenceLines(sourceText, line, 2);
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line,
+                            column,
+                            evidence,
+                            operationalRisk: 'Rejected promises are silently absorbed; errors never surface to callers or monitoring, ' +
+                                'leading to invisible failures and stale state in production.',
+                            remediation: 'Add `throw err` (or re-wrap: `throw new Error(err.message)`) inside the .catch() body, ' +
+                                'or replace with `.catch(err => { logger.error(err); throw err; })`.',
+                            determinism: 'deterministic-structural',
+                            confidence: 0.92,
+                            language: filePath.endsWith('.py') ? 'python' : filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+                        });
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR001SwallowedAsyncRejection = SR001SwallowedAsyncRejection;
+//# sourceMappingURL=SR001-swallowed-async-rejection.js.map

package/dist/structural-rules/rules/SR001-swallowed-async-rejection.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR001-swallowed-async-rejection.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR001-swallowed-async-rejection.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,qBAAqB,CAAC,IAAa;IAC1C,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IACE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;QACzB,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC;QAChC,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,QAAQ,EACjC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE;QAC5B,IAAI,CAAC,KAAK;YAAE,KAAK,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY,EAAE,KAAK,GAAG,CAAC;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC;IACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,KAAK;SACT,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC;SACjB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACzB,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,MAAa,4BAA4B;IACvC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,2BAA2B,CAAC;IACnC,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,wGAAwG,CAAC;IAE3G,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,oCAAoC;gBACpC,IACE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBACzB,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC;oBAC9C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EACrC,CAAC;oBACD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACtB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBAEzB,mEAAmE;oBACnE,IAAI,EAAE,CAAC,0BAA0B,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACzE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,gDAAgD;oBAChD,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACxE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;oBAE3B,uCAAuC;oBACvC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACrD,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,yCAAyC;oBACzC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;wBACjC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;wBACvD,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI;4BACJ,MAAM;4BACN,QAAQ;4BACR,eAAe,EACb,0FAA0F;gCAC1F,8DAA8D;4BAChE,WAAW,EACT,yFAAyF;gCACzF,qEAAqE;4BACvE,WAAW,EAAE,0BAA0B;4BACvC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;yBAC5G,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC3B,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA5FD,oEA4FC"}

package/dist/structural-rules/rules/SR002-unbounded-collection.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class SR002UnboundedCollection implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=SR002-unbounded-collection.d.ts.map

package/dist/structural-rules/rules/SR002-unbounded-collection.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR002-unbounded-collection.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR002-unbounded-collection.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA2E7E,qBAAa,wBAAyB,YAAW,cAAc;IAC7D,EAAE,SAAW;IACb,IAAI,SAA0B;IAC9B,SAAS,SAAU;IACnB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAgC;IACzD,WAAW,SAC+F;IAE1G,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAoGnE"}