npm - @neurcode-ai/cli - Versions diffs - 0.9.64 → 0.9.66 - Mend

@neurcode-ai/cli 0.9.64 → 0.9.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/structural-rules/python/PY003-broad-except-clause.js ADDED Viewed

@@ -0,0 +1,277 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY003BroadExceptClause = void 0;
+exports.stripCommentsAndStrings = stripCommentsAndStrings;
+exports.classifyExceptionFlow = classifyExceptionFlow;
+// Matches: except Exception: or except Exception as e:
+const BROAD_EXCEPT_RE = /^(\s*)except\s+Exception(\s+as\s+\w+)?\s*:/;
+// Logging/reporting call patterns — only checked AFTER stripping comments
+const LOGGING_RE = /\b(?:log|logger|logging|error|warn|warning|report|track|capture|sentry|bugsnag|rollbar|print)\s*[\.(]/i;
+/**
+ * Strip Python comment lines and string literal regions from source lines.
+ *
+ * Algorithm (deterministic state machine):
+ *   - Track whether we are inside a triple-quoted string (""" or ''')
+ *   - Track whether we are inside a single-quoted string (" or ')
+ *   - If a line starts with # (after stripping indent) → replace with empty string
+ *   - Content inside string regions is neutralized (replaced with spaces of same length)
+ *
+ * This is NOT a full Python tokenizer — it handles the common cases that enable
+ * bypass of governance checks while remaining O(n) and dependency-free.
+ */
+function stripCommentsAndStrings(lines) {
+    const result = [];
+    let inTripleDouble = false; // inside """..."""
+    let inTripleSingle = false; // inside '''...'''
+    for (const line of lines) {
+        const trimmed = line.trimStart();
+        // If we are inside a triple-quoted block, look for the closing delimiter
+        if (inTripleDouble) {
+            const closeIdx = line.indexOf('"""');
+            if (closeIdx !== -1) {
+                inTripleDouble = false;
+                // Neutralize up to and including the closing delimiter
+                result.push(' '.repeat(line.length));
+            }
+            else {
+                result.push(' '.repeat(line.length));
+            }
+            continue;
+        }
+        if (inTripleSingle) {
+            const closeIdx = line.indexOf("'''");
+            if (closeIdx !== -1) {
+                inTripleSingle = false;
+                result.push(' '.repeat(line.length));
+            }
+            else {
+                result.push(' '.repeat(line.length));
+            }
+            continue;
+        }
+        // Full-line comment — blank it entirely
+        if (trimmed.startsWith('#')) {
+            result.push('');
+            continue;
+        }
+        // Scan for string/comment delimiters character by character
+        let out = '';
+        let i = 0;
+        let inSingleQ = false;
+        let inDoubleQ = false;
+        while (i < line.length) {
+            const ch = line[i];
+            const remaining = line.slice(i);
+            if (!inSingleQ && !inDoubleQ) {
+                // Check for triple-quote opening
+                if (remaining.startsWith('"""')) {
+                    const rest = line.slice(i + 3);
+                    const closeInSameLine = rest.indexOf('"""');
+                    if (closeInSameLine !== -1) {
+                        // Triple-quote opens and closes on same line — neutralize it
+                        out += ' '.repeat(3 + closeInSameLine + 3);
+                        i += 3 + closeInSameLine + 3;
+                        continue;
+                    }
+                    else {
+                        inTripleDouble = true;
+                        // Neutralize rest of line
+                        out += ' '.repeat(line.length - i);
+                        break;
+                    }
+                }
+                if (remaining.startsWith("'''")) {
+                    const rest = line.slice(i + 3);
+                    const closeInSameLine = rest.indexOf("'''");
+                    if (closeInSameLine !== -1) {
+                        out += ' '.repeat(3 + closeInSameLine + 3);
+                        i += 3 + closeInSameLine + 3;
+                        continue;
+                    }
+                    else {
+                        inTripleSingle = true;
+                        out += ' '.repeat(line.length - i);
+                        break;
+                    }
+                }
+                // Start of single-line string
+                if (ch === '"') {
+                    inDoubleQ = true;
+                    out += ' ';
+                    i++;
+                    continue;
+                }
+                if (ch === "'") {
+                    inSingleQ = true;
+                    out += ' ';
+                    i++;
+                    continue;
+                }
+                // Inline comment
+                if (ch === '#') {
+                    // Rest of line is comment — stop
+                    break;
+                }
+                out += ch;
+            }
+            else if (inDoubleQ) {
+                if (ch === '\\') {
+                    out += '  ';
+                    i += 2;
+                    continue;
+                } // escape
+                if (ch === '"') {
+                    inDoubleQ = false;
+                }
+                out += ' ';
+            }
+            else if (inSingleQ) {
+                if (ch === '\\') {
+                    out += '  ';
+                    i += 2;
+                    continue;
+                }
+                if (ch === "'") {
+                    inSingleQ = false;
+                }
+                out += ' ';
+            }
+            i++;
+        }
+        result.push(out);
+    }
+    return result;
+}
+/**
+ * Classify the exception-handling flow of an except block body.
+ *
+ * Input: stripped lines (comments and strings already neutralized).
+ * Returns the strictest applicable classification.
+ */
+function classifyExceptionFlow(strippedBodyLines, exceptIndent) {
+    // Only consider lines that are within the except block's indentation scope
+    const blockLines = strippedBodyLines.filter(l => {
+        const t = l.trimStart();
+        if (t.length === 0)
+            return false;
+        const indent = l.length - t.length;
+        return indent > exceptIndent;
+    });
+    if (blockLines.length === 0)
+        return 'swallow';
+    const bodyText = blockLines.join('\n');
+    // Detect raise statements — only real Python raise keywords at statement level
+    // (not inside strings or comments, already stripped above)
+    const RAISE_STMT_RE = /^\s*raise\b/m;
+    const hasRaise = RAISE_STMT_RE.test(bodyText);
+    // Detect "raise X from e" or "raise NewException(" — transformed rethrow
+    const TRANSFORM_RAISE_RE = /^\s*raise\s+\w+\s*(?:\(|from)/m;
+    const hasTransformRaise = TRANSFORM_RAISE_RE.test(bodyText);
+    // Detect bare "raise" (re-raises current exception)
+    const BARE_RAISE_RE = /^\s*raise\s*$/m;
+    const hasBareRaise = BARE_RAISE_RE.test(bodyText);
+    // Detect conditional raise (raise inside if block at deeper indent)
+    const CONDITIONAL_RAISE_RE = /^\s+raise\b/m;
+    const hasConditionalRaise = !hasBareRaise && !hasTransformRaise && CONDITIONAL_RAISE_RE.test(bodyText);
+    const hasLogging = LOGGING_RE.test(bodyText);
+    if (hasBareRaise) {
+        // Clean re-raise — not a violation
+        return 'partial-rethrow'; // partial because could be log+reraise
+    }
+    if (hasTransformRaise)
+        return 'transformed-rethrow';
+    if (hasConditionalRaise)
+        return 'partial-rethrow';
+    if (!hasRaise && hasLogging)
+        return 'log-only';
+    if (!hasRaise && !hasLogging)
+        return 'swallow';
+    // raise present but not bare/transform/conditional — treat as partial
+    return 'partial-rethrow';
+}
+class PY003BroadExceptClause {
+    id = 'PY003';
+    name = 'Broad except clause swallowing errors';
+    policyRef = 'P017';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'except Exception: blocks that neither re-raise nor log silently swallow all exceptions including system errors.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const lines = sourceText.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                const match = BROAD_EXCEPT_RE.exec(line);
+                if (!match)
+                    continue;
+                const exceptIndent = match[1].length;
+                // Collect the raw except block body lines (indented deeper than the except)
+                const rawBodyLines = [];
+                let j = i + 1;
+                while (j < lines.length) {
+                    const bodyLine = lines[j];
+                    const bodyTrimmed = bodyLine.trimStart();
+                    // Empty line — continue collecting
+                    if (bodyTrimmed.length === 0) {
+                        rawBodyLines.push(bodyLine);
+                        j++;
+                        continue;
+                    }
+                    const bodyIndent = bodyLine.length - bodyTrimmed.length;
+                    // If indent is less than or equal to the except indent, block ended
+                    if (bodyIndent <= exceptIndent)
+                        break;
+                    rawBodyLines.push(bodyLine);
+                    j++;
+                }
+                if (rawBodyLines.length === 0)
+                    continue;
+                // ── AST-level analysis: strip comments and strings before checking ──
+                const strippedLines = stripCommentsAndStrings(rawBodyLines);
+                const flowClass = classifyExceptionFlow(strippedLines, exceptIndent);
+                // Only violations: swallow and log-only (log without re-raise)
+                // transformed-rethrow and partial-rethrow are handled by the engineer
+                if (flowClass === 'partial-rethrow' || flowClass === 'transformed-rethrow') {
+                    continue;
+                }
+                // Bare re-raise check: if bare raise exists in RAW lines (before stripping)
+                // this is not a swallow — the stripCommentsAndStrings already handles
+                // comment stripping, so we just trust classifyExceptionFlow here.
+                if (flowClass !== 'swallow' && flowClass !== 'log-only')
+                    continue;
+                const nonEmptyNonPass = strippedLines
+                    .map(l => l.trim())
+                    .filter(l => l.length > 0 && l !== 'pass');
+                const confidence = flowClass === 'swallow'
+                    ? (nonEmptyNonPass.length === 0 ? 0.97 : 0.88)
+                    : 0.82; // log-only
+                const evidence = line.slice(0, 120);
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: i + 1,
+                    column: exceptIndent + 1,
+                    evidence: `${evidence} [flow:${flowClass}]`,
+                    operationalRisk: `except Exception: block classified as '${flowClass}'. ` +
+                        'Catches ALL exceptions (including SystemExit, KeyboardInterrupt, MemoryError) without ' +
+                        're-raising. Silent failures make debugging impossible and hide operational issues.',
+                    remediation: 'Either re-raise after handling: `except Exception as e: logger.error(e); raise` ' +
+                        'or narrow the exception type. Avoid bare `except Exception` without at minimum logging.',
+                    determinism: 'deterministic-structural',
+                    confidence,
+                    language: 'python',
+                });
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY003BroadExceptClause = PY003BroadExceptClause;
+//# sourceMappingURL=PY003-broad-except-clause.js.map

package/dist/structural-rules/python/PY003-broad-except-clause.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY003-broad-except-clause.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY003-broad-except-clause.ts"],"names":[],"mappings":";;;AA4BA,0DAsGC;AAQD,sDAgDC;AAxLD,uDAAuD;AACvD,MAAM,eAAe,GAAG,4CAA4C,CAAC;AAErE,0EAA0E;AAC1E,MAAM,UAAU,GAAG,wGAAwG,CAAC;AAU5H;;;;;;;;;;;GAWG;AACH,SAAgB,uBAAuB,CAAC,KAAe;IACrD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,cAAc,GAAG,KAAK,CAAC,CAAC,mBAAmB;IAC/C,IAAI,cAAc,GAAG,KAAK,CAAC,CAAC,mBAAmB;IAE/C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAEjC,yEAAyE;QACzE,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACrC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;gBACpB,cAAc,GAAG,KAAK,CAAC;gBACvB,uDAAuD;gBACvD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACrC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;gBACpB,cAAc,GAAG,KAAK,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,CAAC;YACD,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChB,SAAS;QACX,CAAC;QAED,4DAA4D;QAC5D,IAAI,GAAG,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACnB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEhC,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC7B,iCAAiC;gBACjC,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;oBAC5C,IAAI,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;wBAC3B,6DAA6D;wBAC7D,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,eAAe,GAAG,CAAC,CAAC,CAAC;wBAC3C,CAAC,IAAI,CAAC,GAAG,eAAe,GAAG,CAAC,CAAC;wBAC7B,SAAS;oBACX,CAAC;yBAAM,CAAC;wBACN,cAAc,GAAG,IAAI,CAAC;wBACtB,0BAA0B;wBAC1B,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;wBACnC,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC/B,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;oBAC5C,IAAI,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;wBAC3B,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,eAAe,GAAG,CAAC,CAAC,CAAC;wBAC3C,CAAC,IAAI,CAAC,GAAG,eAAe,GAAG,CAAC,CAAC;wBAC7B,SAAS;oBACX,CAAC;yBAAM,CAAC;wBACN,cAAc,GAAG,IAAI,CAAC;wBACtB,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;wBACnC,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,8BAA8B;gBAC9B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBAAC,SAAS,GAAG,IAAI,CAAC;oBAAC,GAAG,IAAI,GAAG,CAAC;oBAAC,CAAC,EAAE,CAAC;oBAAC,SAAS;gBAAC,CAAC;gBAChE,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBAAC,SAAS,GAAG,IAAI,CAAC;oBAAC,GAAG,IAAI,GAAG,CAAC;oBAAC,CAAC,EAAE,CAAC;oBAAC,SAAS;gBAAC,CAAC;gBAChE,iBAAiB;gBACjB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBACf,iCAAiC;oBACjC,MAAM;gBACR,CAAC;gBACD,GAAG,IAAI,EAAE,CAAC;YACZ,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;oBAAC,GAAG,IAAI,IAAI,CAAC;oBAAC,CAAC,IAAI,CAAC,CAAC;oBAAC,SAAS;gBAAC,CAAC,CAAC,SAAS;gBAC7D,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBAAC,SAAS,GAAG,KAAK,CAAC;gBAAC,CAAC;gBACtC,GAAG,IAAI,GAAG,CAAC;YACb,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;oBAAC,GAAG,IAAI,IAAI,CAAC;oBAAC,CAAC,IAAI,CAAC,CAAC;oBAAC,SAAS;gBAAC,CAAC;gBACnD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBAAC,SAAS,GAAG,KAAK,CAAC;gBAAC,CAAC;gBACtC,GAAG,IAAI,GAAG,CAAC;YACb,CAAC;YACD,CAAC,EAAE,CAAC;QACN,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CACnC,iBAA2B,EAC3B,YAAoB;IAEpB,2EAA2E;IAC3E,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;QAC9C,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACjC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACnC,OAAO,MAAM,GAAG,YAAY,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAE9C,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEvC,+EAA+E;IAC/E,2DAA2D;IAC3D,MAAM,aAAa,GAAG,cAAc,CAAC;IACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE9C,yEAAyE;IACzE,MAAM,kBAAkB,GAAG,gCAAgC,CAAC;IAC5D,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE5D,oDAAoD;IACpD,MAAM,aAAa,GAAG,gBAAgB,CAAC;IACvC,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAElD,oEAAoE;IACpE,MAAM,oBAAoB,GAAG,cAAc,CAAC;IAC5C,MAAM,mBAAmB,GAAG,CAAC,YAAY,IAAI,CAAC,iBAAiB,IAAI,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEvG,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE7C,IAAI,YAAY,EAAE,CAAC;QACjB,mCAAmC;QACnC,OAAO,iBAAiB,CAAC,CAAC,uCAAuC;IACnE,CAAC;IAED,IAAI,iBAAiB;QAAE,OAAO,qBAAqB,CAAC;IACpD,IAAI,mBAAmB;QAAE,OAAO,iBAAiB,CAAC;IAElD,IAAI,CAAC,QAAQ,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAC/C,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAE/C,sEAAsE;IACtE,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,MAAa,sBAAsB;IACjC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,uCAAuC,CAAC;IAC/C,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,iHAAiH,CAAC;IAEpH,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzC,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBAErC,4EAA4E;gBAC5E,MAAM,YAAY,GAAa,EAAE,CAAC;gBAClC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC1B,MAAM,WAAW,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;oBAEzC,mCAAmC;oBACnC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAC7B,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBAC5B,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC;oBACxD,oEAAoE;oBACpE,IAAI,UAAU,IAAI,YAAY;wBAAE,MAAM;oBAEtC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBAC5B,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAS;gBAExC,uEAAuE;gBACvE,MAAM,aAAa,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAC;gBAC5D,MAAM,SAAS,GAAG,qBAAqB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;gBAErE,+DAA+D;gBAC/D,sEAAsE;gBACtE,IAAI,SAAS,KAAK,iBAAiB,IAAI,SAAS,KAAK,qBAAqB,EAAE,CAAC;oBAC3E,SAAS;gBACX,CAAC;gBAED,4EAA4E;gBAC5E,sEAAsE;gBACtE,kEAAkE;gBAClE,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,UAAU;oBAAE,SAAS;gBAElE,MAAM,eAAe,GAAG,aAAa;qBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;qBAClB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;gBAE7C,MAAM,UAAU,GAAG,SAAS,KAAK,SAAS;oBACxC,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;oBAC9C,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW;gBAErB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBAEpC,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,MAAM,EAAE,YAAY,GAAG,CAAC;oBACxB,QAAQ,EAAE,GAAG,QAAQ,UAAU,SAAS,GAAG;oBAC3C,eAAe,EACb,0CAA0C,SAAS,KAAK;wBACxD,wFAAwF;wBACxF,oFAAoF;oBACtF,WAAW,EACT,kFAAkF;wBAClF,yFAAyF;oBAC3F,WAAW,EAAE,0BAA0B;oBACvC,UAAU;oBACV,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAjGD,wDAiGC"}

package/dist/structural-rules/python/PY004-swallowed-async-exception.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY004SwallowedAsyncException implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "ADVISORY";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY004-swallowed-async-exception.d.ts.map

package/dist/structural-rules/python/PY004-swallowed-async-exception.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY004-swallowed-async-exception.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY004-swallowed-async-exception.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAc7E,qBAAa,4BAA6B,YAAW,cAAc;IACjE,EAAE,SAAW;IACb,IAAI,SAAiC;IACrC,SAAS,SAAU;IACnB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SAEsE;IAEjF,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAkJnE"}

package/dist/structural-rules/python/PY004-swallowed-async-exception.js ADDED Viewed

@@ -0,0 +1,167 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY004SwallowedAsyncException = void 0;
+// Detect asyncio.gather( calls
+const GATHER_RE = /asyncio\.gather\s*\(/g;
+// return_exceptions=True present
+const RETURN_EXCEPTIONS_RE = /return_exceptions\s*=\s*True/;
+// Detect: await task inside try blocks where except only logs (no re-raise)
+const AWAIT_IN_TRY_RE = /\bawait\s+\w+/;
+const EXCEPT_RE = /^\s*except\b/;
+const RERAISE_RE = /\braise\b/;
+const LOGGING_RE = /\b(?:log|logger|logging|error|warn|report|track|capture|print)\s*[\.(]/i;
+class PY004SwallowedAsyncException {
+    id = 'PY004';
+    name = 'Swallowed asyncio exception';
+    policyRef = 'P018';
+    severity = 'ADVISORY';
+    languages = ['python'];
+    description = 'asyncio.gather() without return_exceptions=True raises on first failure, silently cancelling other tasks. ' +
+        'Also detects try/await blocks where the except only logs without re-raising.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const lines = sourceText.split('\n');
+            // --- Pattern 1: asyncio.gather( without return_exceptions=True ---
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (!line.includes('asyncio.gather('))
+                    continue;
+                // Collect the full gather call (may span multiple lines)
+                let gatherCall = line;
+                let j = i + 1;
+                // Scan up to 10 lines ahead to find closing )
+                while (j < Math.min(i + 10, lines.length) && !gatherCall.includes(')')) {
+                    gatherCall += '\n' + lines[j];
+                    j++;
+                }
+                if (RETURN_EXCEPTIONS_RE.test(gatherCall))
+                    continue;
+                // Check if it's wrapped in a try block (look backwards up to 5 lines)
+                let insideTry = false;
+                for (let k = Math.max(0, i - 5); k < i; k++) {
+                    if (/^\s*try\s*:/.test(lines[k])) {
+                        insideTry = true;
+                        break;
+                    }
+                }
+                if (insideTry)
+                    continue;
+                const evidence = line.slice(0, 120);
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: i + 1,
+                    column: line.indexOf('asyncio.gather') + 1,
+                    evidence,
+                    operationalRisk: 'asyncio.gather() without return_exceptions=True raises on the first task failure, ' +
+                        'but remaining tasks continue running as orphans. Their results and exceptions are lost, ' +
+                        'and resources they hold remain locked.',
+                    remediation: 'Use `results = await asyncio.gather(*tasks, return_exceptions=True)` then inspect ' +
+                        'results: `errors = [r for r in results if isinstance(r, BaseException)]`.',
+                    determinism: 'deterministic-structural',
+                    confidence: 0.75,
+                    language: 'python',
+                });
+            }
+            // --- Pattern 2: await inside try/except where except only logs, no re-raise ---
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                const trimmed = line.trimStart();
+                if (!/^\s*try\s*:/.test(line)) {
+                    i++;
+                    continue;
+                }
+                const tryIndent = line.length - trimmed.length;
+                // Collect try body
+                const tryBody = [];
+                let j = i + 1;
+                while (j < lines.length) {
+                    const bl = lines[j];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        j++;
+                        continue;
+                    }
+                    const bi = bl.length - bt.length;
+                    if (bi <= tryIndent && bt.length > 0)
+                        break;
+                    tryBody.push(bl);
+                    j++;
+                }
+                // Does the try body contain an await?
+                if (!AWAIT_IN_TRY_RE.test(tryBody.join('\n'))) {
+                    i = j;
+                    continue;
+                }
+                // Now look for except block
+                while (j < lines.length) {
+                    const el = lines[j];
+                    const et = el.trimStart();
+                    if (et.length === 0) {
+                        j++;
+                        continue;
+                    }
+                    const ei = el.length - et.length;
+                    if (ei < tryIndent)
+                        break;
+                    if (!EXCEPT_RE.test(el)) {
+                        j++;
+                        continue;
+                    }
+                    // Found an except — collect its body
+                    const exceptBody = [];
+                    let k = j + 1;
+                    while (k < lines.length) {
+                        const kb = lines[k];
+                        const kt = kb.trimStart();
+                        if (kt.length === 0) {
+                            k++;
+                            continue;
+                        }
+                        const ki = kb.length - kt.length;
+                        if (ki <= ei && kt.length > 0)
+                            break;
+                        exceptBody.push(kb);
+                        k++;
+                    }
+                    const exceptText = exceptBody.join('\n');
+                    if (!RERAISE_RE.test(exceptText) && LOGGING_RE.test(exceptText)) {
+                        // Only logs, no re-raise — flag it
+                        const evidence = el.slice(0, 120);
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line: j + 1,
+                            column: ei + 1,
+                            evidence,
+                            operationalRisk: 'Exception from an awaited task is caught, logged, but not re-raised. ' +
+                                'The caller receives a successful return instead of an error, ' +
+                                'causing silent data inconsistency.',
+                            remediation: 'Re-raise after logging: `except Exception as e: logger.error(e); raise` ' +
+                                'or let the exception propagate to a top-level handler.',
+                            determinism: 'heuristic-advisory',
+                            confidence: 0.75,
+                            language: 'python',
+                        });
+                    }
+                    j = k;
+                }
+                i = j;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY004SwallowedAsyncException = PY004SwallowedAsyncException;
+//# sourceMappingURL=PY004-swallowed-async-exception.js.map

package/dist/structural-rules/python/PY004-swallowed-async-exception.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY004-swallowed-async-exception.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY004-swallowed-async-exception.ts"],"names":[],"mappings":";;;AAEA,+BAA+B;AAC/B,MAAM,SAAS,GAAG,uBAAuB,CAAC;AAE1C,iCAAiC;AACjC,MAAM,oBAAoB,GAAG,8BAA8B,CAAC;AAE5D,4EAA4E;AAC5E,MAAM,eAAe,GAAG,eAAe,CAAC;AACxC,MAAM,SAAS,GAAG,cAAc,CAAC;AACjC,MAAM,UAAU,GAAG,WAAW,CAAC;AAC/B,MAAM,UAAU,GAAG,yEAAyE,CAAC;AAE7F,MAAa,4BAA4B;IACvC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,6BAA6B,CAAC;IACrC,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,4GAA4G;QAC5G,8EAA8E,CAAC;IAEjF,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAErC,oEAAoE;YACpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;oBAAE,SAAS;gBAEhD,yDAAyD;gBACzD,IAAI,UAAU,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,8CAA8C;gBAC9C,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvE,UAAU,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC9B,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAEpD,sEAAsE;gBACtE,IAAI,SAAS,GAAG,KAAK,CAAC;gBACtB,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5C,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBACjC,SAAS,GAAG,IAAI,CAAC;wBACjB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,IAAI,SAAS;oBAAE,SAAS;gBAExB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBACpC,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC;oBAC1C,QAAQ;oBACR,eAAe,EACb,oFAAoF;wBACpF,0FAA0F;wBAC1F,wCAAwC;oBAC1C,WAAW,EACT,oFAAoF;wBACpF,2EAA2E;oBAC7E,WAAW,EAAE,0BAA0B;oBACvC,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,iFAAiF;YACjF,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;gBAE/C,mBAAmB;gBACnB,MAAM,OAAO,GAAa,EAAE,CAAC;gBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,IAAI,SAAS,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;wBAAE,MAAM;oBAC5C,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACjB,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,sCAAsC;gBACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC9C,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,4BAA4B;gBAC5B,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,GAAG,SAAS;wBAAE,MAAM;oBAC1B,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAE3C,qCAAqC;oBACrC,MAAM,UAAU,GAAa,EAAE,CAAC;oBAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACd,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;wBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;wBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BAAC,CAAC,EAAE,CAAC;4BAAC,SAAS;wBAAC,CAAC;wBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;wBACjC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;4BAAE,MAAM;wBACrC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACpB,CAAC,EAAE,CAAC;oBACN,CAAC;oBAED,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;wBAChE,mCAAmC;wBACnC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;wBAClC,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,MAAM,EAAE,EAAE,GAAG,CAAC;4BACd,QAAQ;4BACR,eAAe,EACb,uEAAuE;gCACvE,+DAA+D;gCAC/D,oCAAoC;4BACtC,WAAW,EACT,0EAA0E;gCAC1E,wDAAwD;4BAC1D,WAAW,EAAE,oBAAoB;4BACjC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAC;oBACL,CAAC;oBAED,CAAC,GAAG,CAAC,CAAC;gBACR,CAAC;gBAED,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA5JD,oEA4JC"}

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY005FastAPIWithoutPydantic implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY005-fastapi-without-pydantic.d.ts.map

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY005-fastapi-without-pydantic.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY005-fastapi-without-pydantic.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA0D7E,qBAAa,2BAA4B,YAAW,cAAc;IAChE,EAAE,SAAW;IACb,IAAI,SAAuE;IAC3E,SAAS,SAAU;IACnB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACmH;IAE9H,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiGnE"}

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.js ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY005FastAPIWithoutPydantic = void 0;
+// FastAPI route decorator patterns
+const ROUTE_DECORATOR_RE = /^\s*@(?:app|router|api_router)\.(get|post|put|patch|delete|head|options|trace)\s*\(/;
+// Detect request.body() or request.json() or await request.body() / await request.json()
+const RAW_REQUEST_RE = /\b(?:request|req)\s*\.\s*(?:body|json)\s*\(\)/;
+// Detect Pydantic model usage in function signature: param: ModelName
+// where ModelName starts with uppercase and isn't Request/Response/BackgroundTasks
+const PYDANTIC_PARAM_RE = /\w+\s*:\s*([A-Z][A-Za-z0-9]+)(?!\s*=\s*(?:None|True|False|\d))/;
+// Common non-Pydantic FastAPI types to exclude
+const NON_PYDANTIC_TYPES = new Set([
+    'Request',
+    'Response',
+    'BackgroundTasks',
+    'HTTPException',
+    'Depends',
+    'Optional',
+    'List',
+    'Dict',
+    'Any',
+    'str',
+    'int',
+    'float',
+    'bool',
+    'bytes',
+]);
+function extractFunctionSignature(lines, startIdx) {
+    // Collect function definition until the colon is found
+    let sig = '';
+    let depth = 0;
+    for (let i = startIdx; i < Math.min(startIdx + 10, lines.length); i++) {
+        sig += lines[i] + '\n';
+        for (const ch of lines[i]) {
+            if (ch === '(')
+                depth++;
+            else if (ch === ')')
+                depth--;
+        }
+        if (depth <= 0 && sig.includes('('))
+            break;
+    }
+    return sig;
+}
+function hasPydanticModelParam(sig) {
+    // Find all type annotations in the signature
+    const paramRegex = /\w+\s*:\s*([A-Z][A-Za-z0-9_]*)/g;
+    let match;
+    while ((match = paramRegex.exec(sig)) !== null) {
+        const typeName = match[1];
+        if (!NON_PYDANTIC_TYPES.has(typeName)) {
+            return true;
+        }
+    }
+    return false;
+}
+class PY005FastAPIWithoutPydantic {
+    id = 'PY005';
+    name = 'FastAPI route handler accessing raw request body without Pydantic';
+    policyRef = 'P019';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'FastAPI route handlers that access request.body() or request.json() without a Pydantic model parameter bypass validation.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const lines = sourceText.split('\n');
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                // Look for route decorator
+                if (!ROUTE_DECORATOR_RE.test(line)) {
+                    i++;
+                    continue;
+                }
+                const decoratorLine = i;
+                // Find the function definition (next def after decorator, skip other decorators)
+                let funcDefLine = -1;
+                let j = i + 1;
+                while (j < Math.min(i + 10, lines.length)) {
+                    const l = lines[j].trimStart();
+                    if (/^(?:async\s+)?def\s+\w+\s*\(/.test(l)) {
+                        funcDefLine = j;
+                        break;
+                    }
+                    if (l.length > 0 && !l.startsWith('@') && !l.startsWith('#'))
+                        break;
+                    j++;
+                }
+                if (funcDefLine === -1) {
+                    i = j + 1;
+                    continue;
+                }
+                // Extract function signature
+                const sig = extractFunctionSignature(lines, funcDefLine);
+                // If signature has a Pydantic model param, no violation
+                if (hasPydanticModelParam(sig)) {
+                    i = funcDefLine + 1;
+                    continue;
+                }
+                // Find function body (collect until next function/class at same or lower indent)
+                const funcIndent = lines[funcDefLine].length - lines[funcDefLine].trimStart().length;
+                const bodyLines = [];
+                let k = funcDefLine + 1;
+                while (k < lines.length) {
+                    const bl = lines[k];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        k++;
+                        continue;
+                    }
+                    const bi = bl.length - bt.length;
+                    if (bi <= funcIndent && bt.length > 0)
+                        break;
+                    bodyLines.push(bl);
+                    k++;
+                }
+                const bodyText = bodyLines.join('\n');
+                // Check if body accesses request.body() or request.json()
+                if (!RAW_REQUEST_RE.test(bodyText)) {
+                    i = k;
+                    continue;
+                }
+                const evidence = lines[funcDefLine].slice(0, 120);
+                violations.push({
+                    ruleId: this.id,
+                    ruleName: this.name,
+                    policyRef: this.policyRef,
+                    severity: this.severity,
+                    filePath,
+                    line: funcDefLine + 1,
+                    column: (lines[funcDefLine].match(/^\s*/)?.[0].length ?? 0) + 1,
+                    evidence,
+                    operationalRisk: 'Raw request body is accessed without Pydantic validation. ' +
+                        'Malformed, oversized, or malicious payloads reach business logic directly, ' +
+                        'causing runtime errors, type confusion, or injection vulnerabilities.',
+                    remediation: 'Add a Pydantic model parameter to the route handler: ' +
+                        '`async def handler(data: MyRequestModel)` and let FastAPI validate and parse the body automatically. ' +
+                        'Remove the manual `request.body()` / `request.json()` call.',
+                    determinism: 'deterministic-structural',
+                    confidence: 0.80,
+                    language: 'python',
+                });
+                i = k;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY005FastAPIWithoutPydantic = PY005FastAPIWithoutPydantic;
+//# sourceMappingURL=PY005-fastapi-without-pydantic.js.map