npm - @neurcode-ai/cli - Versions diffs - 0.9.64 → 0.9.66 - Mend

@neurcode-ai/cli 0.9.64 → 0.9.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/structural-rules/python/PY005-fastapi-without-pydantic.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY005-fastapi-without-pydantic.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY005-fastapi-without-pydantic.ts"],"names":[],"mappings":";;;AAEA,mCAAmC;AACnC,MAAM,kBAAkB,GAAG,qFAAqF,CAAC;AAEjH,yFAAyF;AACzF,MAAM,cAAc,GAAG,+CAA+C,CAAC;AAEvE,sEAAsE;AACtE,mFAAmF;AACnF,MAAM,iBAAiB,GAAG,gEAAgE,CAAC;AAE3F,+CAA+C;AAC/C,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,SAAS;IACT,UAAU;IACV,iBAAiB;IACjB,eAAe;IACf,SAAS;IACT,UAAU;IACV,MAAM;IACN,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,MAAM;IACN,OAAO;CACR,CAAC,CAAC;AAEH,SAAS,wBAAwB,CAAC,KAAe,EAAE,QAAgB;IACjE,uDAAuD;IACvD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACtE,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QACvB,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBACnB,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;QACD,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,MAAM;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,6CAA6C;IAC7C,MAAM,UAAU,GAAG,iCAAiC,CAAC;IACrD,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC1B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAa,2BAA2B;IACtC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,mEAAmE,CAAC;IAC3E,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,2HAA2H,CAAC;IAE9H,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAErC,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,2BAA2B;gBAC3B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnC,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,aAAa,GAAG,CAAC,CAAC;gBAExB,iFAAiF;gBACjF,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;gBACrB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACd,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBAC/B,IAAI,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC3C,WAAW,GAAG,CAAC,CAAC;wBAChB,MAAM;oBACR,CAAC;oBACD,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;wBAAE,MAAM;oBACpE,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;oBACvB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACV,SAAS;gBACX,CAAC;gBAED,6BAA6B;gBAC7B,MAAM,GAAG,GAAG,wBAAwB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;gBAEzD,wDAAwD;gBACxD,IAAI,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;oBACpB,SAAS;gBACX,CAAC;gBAED,iFAAiF;gBACjF,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;gBACrF,MAAM,SAAS,GAAa,EAAE,CAAC;gBAC/B,IAAI,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;gBACxB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC;oBACjC,IAAI,EAAE,IAAI,UAAU,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;wBAAE,MAAM;oBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACnB,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEtC,0DAA0D;gBAC1D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnC,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,WAAW,GAAG,CAAC;oBACrB,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;oBAC/D,QAAQ;oBACR,eAAe,EACb,4DAA4D;wBAC5D,6EAA6E;wBAC7E,uEAAuE;oBACzE,WAAW,EACT,uDAAuD;wBACvD,uGAAuG;wBACvG,6DAA6D;oBAC/D,WAAW,EAAE,0BAA0B;oBACvC,UAAU,EAAE,IAAI;oBAChB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;gBAEH,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1GD,kEA0GC"}

package/dist/structural-rules/python/PY006-blocking-io-in-async.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY006BlockingIOInAsync implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY006-blocking-io-in-async.d.ts.map

package/dist/structural-rules/python/PY006-blocking-io-in-async.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY006-blocking-io-in-async.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY006-blocking-io-in-async.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAwB7E,qBAAa,sBAAuB,YAAW,cAAc;IAC3D,EAAE,SAAW;IACb,IAAI,SAAwC;IAC5C,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACoG;IAE/G,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CA8GnE"}

package/dist/structural-rules/python/PY006-blocking-io-in-async.js ADDED Viewed

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY006BlockingIOInAsync = void 0;
+// Matches `async def funcname(`
+const ASYNC_DEF_RE = /^(\s*)async\s+def\s+\w+\s*\(/;
+// Matches nested sync `def` (not async def)
+const SYNC_DEF_RE = /^\s+def\s+\w+\s*\(/;
+// Blocking patterns to detect inside async function bodies
+const BLOCKING_PATTERNS = [
+    { re: /\btime\.sleep\s*\(/, label: 'time.sleep()' },
+    { re: /\brequests\.get\s*\(/, label: 'requests.get()' },
+    { re: /\brequests\.post\s*\(/, label: 'requests.post()' },
+    { re: /\brequests\.request\s*\(/, label: 'requests.request()' },
+    { re: /\bsubprocess\.run\s*\(/, label: 'subprocess.run()' },
+    { re: /\bsubprocess\.call\s*\(/, label: 'subprocess.call()' },
+    // open( not preceded by aiofiles.open or async with
+    { re: /(?<!aiofiles\.)(?<!\bwith\s)\bopen\s*\(/, label: 'open()' },
+];
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+class PY006BlockingIOInAsync {
+    id = 'PY006';
+    name = 'Blocking I/O call inside async def';
+    policyRef = 'PY006';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'Blocking I/O (time.sleep, requests, open, subprocess) inside an async def function freezes the event loop.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            // Does the file import aiofiles?
+            const importsAiofiles = /\baiofiles\b/.test(sourceText);
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                const asyncMatch = ASYNC_DEF_RE.exec(line);
+                if (!asyncMatch) {
+                    i++;
+                    continue;
+                }
+                const funcIndent = asyncMatch[1].length;
+                const bodyStart = i + 1;
+                i++;
+                // Collect the function body: lines with indent > funcIndent
+                while (i < lines.length) {
+                    const bl = lines[i];
+                    const trimmed = bl.trimStart();
+                    // Blank lines are part of the body
+                    if (trimmed.length === 0) {
+                        i++;
+                        continue;
+                    }
+                    const lineIndent = getIndent(bl);
+                    // If we're back at or before the function's indent, we've left the body
+                    if (lineIndent <= funcIndent)
+                        break;
+                    // Skip comment lines
+                    if (trimmed.startsWith('#')) {
+                        i++;
+                        continue;
+                    }
+                    // Skip lines with noqa
+                    if (/\bnoqa\b/.test(bl)) {
+                        i++;
+                        continue;
+                    }
+                    // Skip lines that are inside a nested sync def
+                    // (we only care about the top-level async body, not nested sync helpers)
+                    if (SYNC_DEF_RE.test(bl)) {
+                        // Skip the entire nested sync function body
+                        const nestedIndent = lineIndent;
+                        i++;
+                        while (i < lines.length) {
+                            const nb = lines[i];
+                            const nt = nb.trimStart();
+                            if (nt.length === 0) {
+                                i++;
+                                continue;
+                            }
+                            if (getIndent(nb) <= nestedIndent)
+                                break;
+                            i++;
+                        }
+                        continue;
+                    }
+                    // Check blocking patterns
+                    for (const { re, label } of BLOCKING_PATTERNS) {
+                        // If it's an open() hit and aiofiles is imported, skip
+                        if (label === 'open()' && importsAiofiles)
+                            continue;
+                        if (re.test(bl)) {
+                            violations.push({
+                                ruleId: this.id,
+                                ruleName: this.name,
+                                policyRef: this.policyRef,
+                                severity: this.severity,
+                                filePath,
+                                line: i + 1,
+                                column: 1,
+                                evidence: bl.slice(0, 120),
+                                operationalRisk: `\`${label}\` inside an async function blocks the entire event loop thread. ` +
+                                    'All other coroutines are frozen for the duration of the call. ' +
+                                    'Under load, a single blocking call can cause 100ms+ latency spikes across all concurrent requests.',
+                                remediation: 'Replace time.sleep(n) with `await asyncio.sleep(n)`, ' +
+                                    'requests.get() with `await aiohttp.ClientSession().get()`, ' +
+                                    'open() with `async with aiofiles.open()`, ' +
+                                    'subprocess.run() with `await asyncio.create_subprocess_exec()`.',
+                                determinism: 'heuristic-advisory',
+                                confidence: 0.82,
+                                language: 'python',
+                            });
+                            break; // one violation per line
+                        }
+                    }
+                    i++;
+                }
+                void bodyStart; // suppress unused warning
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY006BlockingIOInAsync = PY006BlockingIOInAsync;
+//# sourceMappingURL=PY006-blocking-io-in-async.js.map

package/dist/structural-rules/python/PY006-blocking-io-in-async.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY006-blocking-io-in-async.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY006-blocking-io-in-async.ts"],"names":[],"mappings":";;;AAEA,gCAAgC;AAChC,MAAM,YAAY,GAAG,8BAA8B,CAAC;AAEpD,4CAA4C;AAC5C,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC,2DAA2D;AAC3D,MAAM,iBAAiB,GAAyC;IAC9D,EAAE,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,cAAc,EAAE;IACnD,EAAE,EAAE,EAAE,sBAAsB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACvD,EAAE,EAAE,EAAE,uBAAuB,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzD,EAAE,EAAE,EAAE,0BAA0B,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC/D,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IAC3D,EAAE,EAAE,EAAE,yBAAyB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC7D,oDAAoD;IACpD,EAAE,EAAE,EAAE,yCAAyC,EAAE,KAAK,EAAE,QAAQ,EAAE;CACnE,CAAC;AAEF,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,MAAa,sBAAsB;IACjC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,oCAAoC,CAAC;IAC5C,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,4GAA4G,CAAC;IAE/G,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,iCAAiC;YACjC,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAExD,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE3C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACxC,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,CAAC;gBACxB,CAAC,EAAE,CAAC;gBAEJ,4DAA4D;gBAC5D,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,OAAO,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAE/B,mCAAmC;oBACnC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACzB,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,MAAM,UAAU,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBAEjC,wEAAwE;oBACxE,IAAI,UAAU,IAAI,UAAU;wBAAE,MAAM;oBAEpC,qBAAqB;oBACrB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,uBAAuB;oBACvB,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACxB,CAAC,EAAE,CAAC;wBACJ,SAAS;oBACX,CAAC;oBAED,+CAA+C;oBAC/C,yEAAyE;oBACzE,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACzB,4CAA4C;wBAC5C,MAAM,YAAY,GAAG,UAAU,CAAC;wBAChC,CAAC,EAAE,CAAC;wBACJ,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;4BACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;4BAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gCAAC,CAAC,EAAE,CAAC;gCAAC,SAAS;4BAAC,CAAC;4BACvC,IAAI,SAAS,CAAC,EAAE,CAAC,IAAI,YAAY;gCAAE,MAAM;4BACzC,CAAC,EAAE,CAAC;wBACN,CAAC;wBACD,SAAS;oBACX,CAAC;oBAED,0BAA0B;oBAC1B,KAAK,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,iBAAiB,EAAE,CAAC;wBAC9C,uDAAuD;wBACvD,IAAI,KAAK,KAAK,QAAQ,IAAI,eAAe;4BAAE,SAAS;wBAEpD,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;4BAChB,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,IAAI,CAAC,EAAE;gCACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gCACnB,SAAS,EAAE,IAAI,CAAC,SAAS;gCACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gCACvB,QAAQ;gCACR,IAAI,EAAE,CAAC,GAAG,CAAC;gCACX,MAAM,EAAE,CAAC;gCACT,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gCAC1B,eAAe,EACb,KAAK,KAAK,mEAAmE;oCAC7E,gEAAgE;oCAChE,oGAAoG;gCACtG,WAAW,EACT,uDAAuD;oCACvD,6DAA6D;oCAC7D,4CAA4C;oCAC5C,iEAAiE;gCACnE,WAAW,EAAE,oBAAoB;gCACjC,UAAU,EAAE,IAAI;gCAChB,QAAQ,EAAE,QAAQ;6BACnB,CAAC,CAAC;4BACH,MAAM,CAAC,yBAAyB;wBAClC,CAAC;oBACH,CAAC;oBAED,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,KAAK,SAAS,CAAC,CAAC,0BAA0B;YAC5C,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAvHD,wDAuHC"}

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY007SQLAlchemySessionLeak implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY007-sqlalchemy-session-leak.d.ts.map

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY007-sqlalchemy-session-leak.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY007-sqlalchemy-session-leak.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAmB7E,qBAAa,0BAA2B,YAAW,cAAc;IAC/D,EAAE,SAAW;IACb,IAAI,SAAwD;IAC5D,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACwG;IAEnH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CA6EnE"}

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.js ADDED Viewed

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY007SQLAlchemySessionLeak = void 0;
+// Matches bare session assignment: session = Session() / session = SessionLocal() etc.
+// Captures the variable name and the constructor call
+const SESSION_ASSIGN_RE = /^(\s*)(\w+)\s*=\s*(Session|SessionLocal|AsyncSession|get_session|ScopedSession|sessionmaker\(\))\s*\(/;
+// Matches a `with` or `async with` block opening with Session
+const WITH_SESSION_RE = /^\s*(?:async\s+)?with\s+.*Session/;
+// Matches session.close() in a finally block vicinity
+const SESSION_CLOSE_RE = /\bsession\s*\.\s*close\s*\(\)/;
+// Matches a `finally:` block
+const FINALLY_RE = /^\s*finally\s*:/;
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+class PY007SQLAlchemySessionLeak {
+    id = 'PY007';
+    name = 'SQLAlchemy session created outside context manager';
+    policyRef = 'PY007';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'SQLAlchemy session assigned without a context manager or try/finally close() risks connection pool exhaustion.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                // Skip if this line is a `with Session()` — safe usage
+                if (WITH_SESSION_RE.test(line))
+                    continue;
+                const match = SESSION_ASSIGN_RE.exec(line);
+                if (!match)
+                    continue;
+                const varName = match[2];
+                const assignIndent = match[1].length;
+                // Look ahead: find if there is a try/finally with session.close()
+                // Search up to 60 lines ahead within the same or deeper indentation scope
+                let hasFinallyClose = false;
+                let inFinally = false;
+                for (let j = i + 1; j < Math.min(i + 60, lines.length); j++) {
+                    const jl = lines[j];
+                    const jt = jl.trimStart();
+                    if (jt.length === 0)
+                        continue;
+                    const jIndent = getIndent(jl);
+                    // If we've gone back to a shallower indent than the assignment, stop
+                    if (jIndent < assignIndent)
+                        break;
+                    if (FINALLY_RE.test(jl)) {
+                        inFinally = true;
+                        continue;
+                    }
+                    if (inFinally) {
+                        // Check for varName.close() or generic session.close()
+                        const closeRe = new RegExp(`\\b${varName}\\s*\\.\\s*close\\s*\\(\\)`);
+                        if (closeRe.test(jl) || SESSION_CLOSE_RE.test(jl)) {
+                            hasFinallyClose = true;
+                            break;
+                        }
+                    }
+                }
+                if (!hasFinallyClose) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: 'Unclosed SQLAlchemy sessions hold database connections open indefinitely. ' +
+                            'Connection pools exhaust under load, causing `TimeoutError: QueuePool limit of size X overflow Y reached` ' +
+                            'in production within hours of deployment.',
+                        remediation: 'Use `with Session() as session:` or `async with AsyncSession() as session:` for automatic cleanup. ' +
+                            'Never use bare `session = Session()` without a corresponding `finally: session.close()`.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.78,
+                        language: 'python',
+                    });
+                }
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY007SQLAlchemySessionLeak = PY007SQLAlchemySessionLeak;
+//# sourceMappingURL=PY007-sqlalchemy-session-leak.js.map

package/dist/structural-rules/python/PY007-sqlalchemy-session-leak.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY007-sqlalchemy-session-leak.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY007-sqlalchemy-session-leak.ts"],"names":[],"mappings":";;;AAEA,uFAAuF;AACvF,sDAAsD;AACtD,MAAM,iBAAiB,GAAG,uGAAuG,CAAC;AAElI,8DAA8D;AAC9D,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAE5D,sDAAsD;AACtD,MAAM,gBAAgB,GAAG,+BAA+B,CAAC;AAEzD,6BAA6B;AAC7B,MAAM,UAAU,GAAG,iBAAiB,CAAC;AAErC,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED,MAAa,0BAA0B;IACrC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,oDAAoD,CAAC;IAC5D,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,gHAAgH,CAAC;IAEnH,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,uDAAuD;gBACvD,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEzC,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3C,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACzB,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBAErC,kEAAkE;gBAClE,0EAA0E;gBAC1E,IAAI,eAAe,GAAG,KAAK,CAAC;gBAC5B,IAAI,SAAS,GAAG,KAAK,CAAC;gBAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC5D,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;wBAAE,SAAS;oBAE9B,MAAM,OAAO,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBAE9B,qEAAqE;oBACrE,IAAI,OAAO,GAAG,YAAY;wBAAE,MAAM;oBAElC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;wBACxB,SAAS,GAAG,IAAI,CAAC;wBACjB,SAAS;oBACX,CAAC;oBAED,IAAI,SAAS,EAAE,CAAC;wBACd,uDAAuD;wBACvD,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC;wBACtE,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;4BAClD,eAAe,GAAG,IAAI,CAAC;4BACvB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,4EAA4E;4BAC5E,4GAA4G;4BAC5G,2CAA2C;wBAC7C,WAAW,EACT,qGAAqG;4BACrG,0FAA0F;wBAC5F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAtFD,gEAsFC"}

package/dist/structural-rules/python/PY008-celery-task-without-retry.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY008CeleryTaskWithoutRetry implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "ADVISORY";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY008-celery-task-without-retry.d.ts.map

package/dist/structural-rules/python/PY008-celery-task-without-retry.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY008-celery-task-without-retry.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY008-celery-task-without-retry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA8C7E,qBAAa,2BAA4B,YAAW,cAAc;IAChE,EAAE,SAAW;IACb,IAAI,SAA6C;IACjD,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SACmH;IAE9H,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiHnE"}

package/dist/structural-rules/python/PY008-celery-task-without-retry.js ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY008CeleryTaskWithoutRetry = void 0;
+// Matches Celery task decorators
+const CELERY_DECORATOR_RE = /^\s*@(?:\w+\.)?(?:app\.task|celery\.task|shared_task)\s*[\(\n]/;
+const CELERY_DECORATOR_INLINE_RE = /^\s*@(?:\w+\.)?(?:app\.task|celery\.task|shared_task)\s*\(/;
+// Retry configuration keywords inside the decorator
+const RETRY_CONFIG_RE = /(?:max_retries|retry_backoff|autoretry_for|bind\s*=\s*True)/;
+// ignore_result=True — fire-and-forget, valid without retry
+const IGNORE_RESULT_RE = /ignore_result\s*=\s*True/;
+// A raise statement inside the function body
+const RAISE_RE = /\braise\b/;
+// self.retry( call — manual retry in bind=True task
+const SELF_RETRY_RE = /\bself\.retry\s*\(/;
+function getIndent(line) {
+    return line.length - line.trimStart().length;
+}
+/**
+ * Collect the decorator text (potentially multi-line) starting at decoratorLine.
+ * Returns the full decorator string and the line index where the decorator ends.
+ */
+function collectDecorator(lines, decoratorLine) {
+    let text = lines[decoratorLine];
+    let depth = 0;
+    for (const ch of lines[decoratorLine]) {
+        if (ch === '(')
+            depth++;
+        else if (ch === ')')
+            depth--;
+    }
+    let j = decoratorLine + 1;
+    while (depth > 0 && j < lines.length) {
+        text += '\n' + lines[j];
+        for (const ch of lines[j]) {
+            if (ch === '(')
+                depth++;
+            else if (ch === ')')
+                depth--;
+        }
+        j++;
+    }
+    return { text, endLine: j - 1 };
+}
+class PY008CeleryTaskWithoutRetry {
+    id = 'PY008';
+    name = 'Celery task without retry configuration';
+    policyRef = 'PY008';
+    severity = 'ADVISORY';
+    languages = ['python'];
+    description = 'Celery task functions that can raise exceptions but have no retry configuration silently drop jobs on transient failures.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            let i = 0;
+            while (i < lines.length) {
+                const line = lines[i];
+                // Detect Celery decorator
+                const isDecorator = CELERY_DECORATOR_RE.test(line) || CELERY_DECORATOR_INLINE_RE.test(line);
+                if (!isDecorator) {
+                    i++;
+                    continue;
+                }
+                const decoratorStartLine = i;
+                // Collect full decorator text (handles multi-line)
+                const { text: decoratorText, endLine: decoratorEnd } = collectDecorator(lines, i);
+                // Check for retry config
+                const hasRetryConfig = RETRY_CONFIG_RE.test(decoratorText);
+                const hasIgnoreResult = IGNORE_RESULT_RE.test(decoratorText);
+                // Find the function definition line after decorator
+                let funcDefLine = -1;
+                let j = decoratorEnd + 1;
+                while (j < Math.min(decoratorEnd + 6, lines.length)) {
+                    const l = lines[j].trimStart();
+                    if (/^(?:async\s+)?def\s+\w+\s*\(/.test(l)) {
+                        funcDefLine = j;
+                        break;
+                    }
+                    if (l.length > 0 && !l.startsWith('@') && !l.startsWith('#'))
+                        break;
+                    j++;
+                }
+                if (funcDefLine === -1) {
+                    i = j;
+                    continue;
+                }
+                if (hasRetryConfig) {
+                    // Already has retry config — no violation
+                    i = funcDefLine + 1;
+                    continue;
+                }
+                // Collect function body
+                const funcIndent = getIndent(lines[funcDefLine]);
+                let bodyHasRaise = false;
+                let bodyHasSelfRetry = false;
+                let k = funcDefLine + 1;
+                while (k < lines.length) {
+                    const bl = lines[k];
+                    const bt = bl.trimStart();
+                    if (bt.length === 0) {
+                        k++;
+                        continue;
+                    }
+                    const bi = getIndent(bl);
+                    if (bi <= funcIndent)
+                        break;
+                    if (RAISE_RE.test(bl))
+                        bodyHasRaise = true;
+                    if (SELF_RETRY_RE.test(bl))
+                        bodyHasSelfRetry = true;
+                    k++;
+                }
+                // If fire-and-forget (ignore_result=True) and no raise → no violation
+                if (hasIgnoreResult && !bodyHasRaise) {
+                    i = k;
+                    continue;
+                }
+                // If uses self.retry() manually → no violation
+                if (bodyHasSelfRetry) {
+                    i = k;
+                    continue;
+                }
+                // If function has potential raises and no retry config → flag it
+                if (bodyHasRaise) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: decoratorStartLine + 1,
+                        column: 1,
+                        evidence: lines[decoratorStartLine].slice(0, 120),
+                        operationalRisk: 'A transient failure (network timeout, DB connection error) in a Celery task without retry configuration ' +
+                            'permanently drops the job. The message is lost without processing, causing data loss or inconsistent state.',
+                        remediation: 'Add `autoretry_for=(Exception,), max_retries=3, retry_backoff=True` to the decorator, ' +
+                            'or use `self.retry(exc=exc, countdown=2**self.request.retries)` in the exception handler.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.75,
+                        language: 'python',
+                    });
+                }
+                i = k;
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY008CeleryTaskWithoutRetry = PY008CeleryTaskWithoutRetry;
+//# sourceMappingURL=PY008-celery-task-without-retry.js.map

package/dist/structural-rules/python/PY008-celery-task-without-retry.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY008-celery-task-without-retry.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY008-celery-task-without-retry.ts"],"names":[],"mappings":";;;AAEA,iCAAiC;AACjC,MAAM,mBAAmB,GAAG,gEAAgE,CAAC;AAC7F,MAAM,0BAA0B,GAAG,4DAA4D,CAAC;AAEhG,oDAAoD;AACpD,MAAM,eAAe,GAAG,6DAA6D,CAAC;AAEtF,4DAA4D;AAC5D,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,QAAQ,GAAG,WAAW,CAAC;AAE7B,oDAAoD;AACpD,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAE3C,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,KAAe,EAAE,aAAqB;IAC9D,IAAI,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACtC,IAAI,EAAE,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;aACnB,IAAI,EAAE,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;IAC/B,CAAC;IAED,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,CAAC;IAC1B,OAAO,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,IAAI,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACxB,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;iBACnB,IAAI,EAAE,KAAK,GAAG;gBAAE,KAAK,EAAE,CAAC;QAC/B,CAAC;QACD,CAAC,EAAE,CAAC;IACN,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,MAAa,2BAA2B;IACtC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,yCAAyC,CAAC;IACjD,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,2HAA2H,CAAC;IAE9H,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,0BAA0B;gBAC1B,MAAM,WAAW,GACf,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE1E,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,CAAC,EAAE,CAAC;oBACJ,SAAS;gBACX,CAAC;gBAED,MAAM,kBAAkB,GAAG,CAAC,CAAC;gBAE7B,mDAAmD;gBACnD,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAElF,yBAAyB;gBACzB,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC3D,MAAM,eAAe,GAAG,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAE7D,oDAAoD;gBACpD,IAAI,WAAW,GAAG,CAAC,CAAC,CAAC;gBACrB,IAAI,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC;gBACzB,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;oBACpD,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBAC/B,IAAI,8BAA8B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC3C,WAAW,GAAG,CAAC,CAAC;wBAChB,MAAM;oBACR,CAAC;oBACD,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;wBAAE,MAAM;oBACpE,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;oBACvB,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,IAAI,cAAc,EAAE,CAAC;oBACnB,0CAA0C;oBAC1C,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;oBACpB,SAAS;gBACX,CAAC;gBAED,wBAAwB;gBACxB,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;gBACjD,IAAI,YAAY,GAAG,KAAK,CAAC;gBACzB,IAAI,gBAAgB,GAAG,KAAK,CAAC;gBAC7B,IAAI,CAAC,GAAG,WAAW,GAAG,CAAC,CAAC;gBAExB,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACpB,MAAM,EAAE,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;oBAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAAC,CAAC,EAAE,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBACvC,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;oBACzB,IAAI,EAAE,IAAI,UAAU;wBAAE,MAAM;oBAE5B,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wBAAE,YAAY,GAAG,IAAI,CAAC;oBAC3C,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;wBAAE,gBAAgB,GAAG,IAAI,CAAC;oBACpD,CAAC,EAAE,CAAC;gBACN,CAAC;gBAED,sEAAsE;gBACtE,IAAI,eAAe,IAAI,CAAC,YAAY,EAAE,CAAC;oBACrC,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,+CAA+C;gBAC/C,IAAI,gBAAgB,EAAE,CAAC;oBACrB,CAAC,GAAG,CAAC,CAAC;oBACN,SAAS;gBACX,CAAC;gBAED,iEAAiE;gBACjE,IAAI,YAAY,EAAE,CAAC;oBACjB,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,kBAAkB,GAAG,CAAC;wBAC5B,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,KAAK,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACjD,eAAe,EACb,0GAA0G;4BAC1G,6GAA6G;wBAC/G,WAAW,EACT,wFAAwF;4BACxF,2FAA2F;wBAC7F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;gBACL,CAAC;gBAED,CAAC,GAAG,CAAC,CAAC;YACR,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA1HD,kEA0HC"}

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY009UnsafePickleDeserialization implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY009-unsafe-pickle-deserialization.d.ts.map

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY009-unsafe-pickle-deserialization.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY009-unsafe-pickle-deserialization.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAmB7E,qBAAa,gCAAiC,YAAW,cAAc;IACrE,EAAE,SAAW;IACb,IAAI,SAAmC;IACvC,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SAEsD;IAEjE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAoHnE"}

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.js ADDED Viewed

@@ -0,0 +1,133 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PY009UnsafePickleDeserialization = void 0;
+// Matches pickle.loads( or pickle.load(
+const PICKLE_LOAD_RE = /\bpickle\.loads?\s*\(/;
+// Matches joblib.load(
+const JOBLIB_LOAD_RE = /\bjoblib\.load\s*\(/;
+// Matches torch.load( without weights_only=True
+const TORCH_LOAD_RE = /\btorch\.load\s*\(/;
+const TORCH_WEIGHTS_ONLY_RE = /weights_only\s*=\s*True/;
+// Detects if this appears to be a test file
+const TEST_FILE_RE = /(?:^|[\\/])(?:test_|_test|tests[\\/])/;
+// Detects if the pickle input looks like a literal bytes value in a test
+// e.g. pickle.loads(b'\x80\x04...')  or pickle.loads(b"...")
+const LITERAL_BYTES_ARG_RE = /\bpickle\.loads?\s*\(\s*b['"]|pickle\.loads?\s*\(\s*b"""|\bpickle\.loads?\s*\(\s*b'''/;
+class PY009UnsafePickleDeserialization {
+    id = 'PY009';
+    name = 'Unsafe pickle deserialization';
+    policyRef = 'PY009';
+    severity = 'BLOCKING';
+    languages = ['python'];
+    description = 'pickle.loads() / pickle.load() executes arbitrary Python code during deserialization. ' +
+        'torch.load() without weights_only=True is equally dangerous.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            // Normalize line endings
+            const lines = sourceText.replace(/\r\n/g, '\n').replace(/\r/g, '\n').split('\n');
+            const isTestFile = TEST_FILE_RE.test(filePath);
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                const trimmed = line.trimStart();
+                // Skip comment lines
+                if (trimmed.startsWith('#'))
+                    continue;
+                // Skip noqa lines
+                if (/\bnoqa\b/.test(line))
+                    continue;
+                // Check pickle.loads / pickle.load
+                if (PICKLE_LOAD_RE.test(line)) {
+                    // Exclude: test file with literal bytes argument
+                    if (isTestFile && LITERAL_BYTES_ARG_RE.test(line)) {
+                        continue;
+                    }
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: '`pickle.loads()` executes arbitrary Python code during deserialization. ' +
+                            'A single compromised or malformed pickle payload from any source achieves remote code execution ' +
+                            'on the deserializing machine. This is a critical supply-chain attack vector in ML systems that share model artifacts.',
+                        remediation: 'Replace `pickle` with `json`, `msgpack`, or `protobuf` for data serialization. ' +
+                            'For ML models, use `safetensors` format. If pickle is truly required, validate the HMAC signature ' +
+                            'before deserializing and only accept pickles from trusted, authenticated internal sources.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.95,
+                        language: 'python',
+                    });
+                    continue;
+                }
+                // Check joblib.load(
+                if (JOBLIB_LOAD_RE.test(line)) {
+                    violations.push({
+                        ruleId: this.id,
+                        ruleName: this.name,
+                        policyRef: this.policyRef,
+                        severity: this.severity,
+                        filePath,
+                        line: i + 1,
+                        column: 1,
+                        evidence: line.slice(0, 120),
+                        operationalRisk: '`joblib.load()` uses pickle internally and executes arbitrary Python code during deserialization. ' +
+                            'Malicious or tampered model artifacts can achieve remote code execution.',
+                        remediation: 'Use `safetensors` format for model artifacts, or validate the HMAC signature of the joblib file before loading.',
+                        determinism: 'heuristic-advisory',
+                        confidence: 0.95,
+                        language: 'python',
+                    });
+                    continue;
+                }
+                // Check torch.load( — flag if weights_only=True is NOT on the same line
+                // Also check the next 2 lines for multi-line calls
+                if (TORCH_LOAD_RE.test(line)) {
+                    // Collect the call: check current line + next 2 for weights_only=True
+                    let callText = line;
+                    for (let k = 1; k <= 2 && i + k < lines.length; k++) {
+                        callText += '\n' + lines[i + k];
+                        // Stop if we've closed the parens
+                        let depth = 0;
+                        for (const ch of callText) {
+                            if (ch === '(')
+                                depth++;
+                            else if (ch === ')')
+                                depth--;
+                        }
+                        if (depth <= 0)
+                            break;
+                    }
+                    if (!TORCH_WEIGHTS_ONLY_RE.test(callText)) {
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line: i + 1,
+                            column: 1,
+                            evidence: line.slice(0, 120),
+                            operationalRisk: '`torch.load()` without `weights_only=True` uses pickle and executes arbitrary Python code. ' +
+                                'PyTorch 2.0+ requires `weights_only=True` for safe model loading from untrusted sources.',
+                            remediation: 'Add `weights_only=True`: `torch.load(path, weights_only=True)`. ' +
+                                'For full model loading you trust internally, at minimum validate the source integrity before loading.',
+                            determinism: 'heuristic-advisory',
+                            confidence: 0.95,
+                            language: 'python',
+                        });
+                    }
+                }
+            }
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.PY009UnsafePickleDeserialization = PY009UnsafePickleDeserialization;
+//# sourceMappingURL=PY009-unsafe-pickle-deserialization.js.map

package/dist/structural-rules/python/PY009-unsafe-pickle-deserialization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY009-unsafe-pickle-deserialization.js","sourceRoot":"","sources":["../../../src/structural-rules/python/PY009-unsafe-pickle-deserialization.ts"],"names":[],"mappings":";;;AAEA,wCAAwC;AACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAE/C,uBAAuB;AACvB,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAE7C,gDAAgD;AAChD,MAAM,aAAa,GAAG,oBAAoB,CAAC;AAC3C,MAAM,qBAAqB,GAAG,yBAAyB,CAAC;AAExD,4CAA4C;AAC5C,MAAM,YAAY,GAAG,uCAAuC,CAAC;AAE7D,yEAAyE;AACzE,6DAA6D;AAC7D,MAAM,oBAAoB,GAAG,uFAAuF,CAAC;AAErH,MAAa,gCAAgC;IAC3C,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,+BAA+B,CAAC;IACvC,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,WAAW,GACT,wFAAwF;QACxF,8DAA8D,CAAC;IAEjE,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,yBAAyB;YACzB,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEjF,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAEjC,qBAAqB;gBACrB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACtC,kBAAkB;gBAClB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEpC,mCAAmC;gBACnC,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,iDAAiD;oBACjD,IAAI,UAAU,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAClD,SAAS;oBACX,CAAC;oBAED,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,0EAA0E;4BAC1E,kGAAkG;4BAClG,uHAAuH;wBACzH,WAAW,EACT,iFAAiF;4BACjF,oGAAoG;4BACpG,4FAA4F;wBAC9F,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,qBAAqB;gBACrB,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,QAAQ;wBACR,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,MAAM,EAAE,CAAC;wBACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC5B,eAAe,EACb,oGAAoG;4BACpG,0EAA0E;wBAC5E,WAAW,EACT,iHAAiH;wBACnH,WAAW,EAAE,oBAAoB;wBACjC,UAAU,EAAE,IAAI;wBAChB,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBAED,wEAAwE;gBACxE,mDAAmD;gBACnD,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,sEAAsE;oBACtE,IAAI,QAAQ,GAAG,IAAI,CAAC;oBACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACpD,QAAQ,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBAChC,kCAAkC;wBAClC,IAAI,KAAK,GAAG,CAAC,CAAC;wBACd,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;4BAC1B,IAAI,EAAE,KAAK,GAAG;gCAAE,KAAK,EAAE,CAAC;iCACnB,IAAI,EAAE,KAAK,GAAG;gCAAE,KAAK,EAAE,CAAC;wBAC/B,CAAC;wBACD,IAAI,KAAK,IAAI,CAAC;4BAAE,MAAM;oBACxB,CAAC;oBAED,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC1C,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,MAAM,EAAE,CAAC;4BACT,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;4BAC5B,eAAe,EACb,6FAA6F;gCAC7F,0FAA0F;4BAC5F,WAAW,EACT,kEAAkE;gCAClE,uGAAuG;4BACzG,WAAW,EAAE,oBAAoB;4BACjC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA9HD,4EA8HC"}

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class PY010LeakedAiohttpSession implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=PY010-leaked-aiohttp-session.d.ts.map

package/dist/structural-rules/python/PY010-leaked-aiohttp-session.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"PY010-leaked-aiohttp-session.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/python/PY010-leaked-aiohttp-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAY7E,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,EAAE,SAAW;IACb,IAAI,SAA2D;IAC/D,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAc;IACvC,WAAW,SAC8G;IAEzH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAiEnE"}