npm - @neurcode-ai/cli - Versions diffs - 0.9.64 → 0.9.66 - Mend

@neurcode-ai/cli 0.9.64 → 0.9.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/dist/structural-rules/rules/SR010-retry-storm.js ADDED Viewed

@@ -0,0 +1,181 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR010RetryStorm = void 0;
+const ts = __importStar(require("typescript"));
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line) {
+    const lines = sourceText.split('\n');
+    return (lines[line - 1] || '').slice(0, 120);
+}
+function hasRateLimitOrCircuitBreaker(sourceText) {
+    return (/\bcircuitBreaker\b/i.test(sourceText) ||
+        /\brateLimit\b/i.test(sourceText) ||
+        /\brate_limit\b/i.test(sourceText) ||
+        /\bthrottle\b/i.test(sourceText) ||
+        /\bTokenBucket\b/.test(sourceText) ||
+        /\bLeakyBucket\b/.test(sourceText) ||
+        /\bBulkhead\b/.test(sourceText) ||
+        /\bp-limit\b/.test(sourceText) ||
+        /pLimit/.test(sourceText));
+}
+class SR010RetryStorm {
+    id = 'SR010';
+    name = 'Multiple independent retriers without rate limiting';
+    policyRef = 'P014';
+    severity = 'ADVISORY';
+    languages = ['typescript', 'javascript'];
+    description = 'Three or more independent retry patterns in one file without shared rate limiting create multiplicative retry storms.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            // If there's already a shared rate limiter or circuit breaker, don't flag
+            if (hasRateLimitOrCircuitBreaker(sourceText))
+                return [];
+            const retryPatterns = [];
+            const visit = (node) => {
+                // Pattern 1: while/for loop with retry variable and await
+                const isLoop = ts.isWhileStatement(node) ||
+                    ts.isForStatement(node) ||
+                    ts.isDoStatement(node);
+                if (isLoop) {
+                    const nodeText = node.getText(sf);
+                    if (/\b(retry|retries|attempt|maxRetry|MAX_RETRY)\b/i.test(nodeText) &&
+                        /\bawait\b/.test(nodeText)) {
+                        const { line, column } = getLineAndCol(sf, node.getStart(sf));
+                        retryPatterns.push({
+                            line,
+                            column,
+                            evidence: getEvidenceLines(sourceText, line),
+                            kind: 'retry loop',
+                        });
+                    }
+                }
+                // Pattern 2: function named with 'retry' or 'withRetry' or 'retryable'
+                if (ts.isFunctionDeclaration(node) ||
+                    ts.isFunctionExpression(node) ||
+                    ts.isMethodDeclaration(node) ||
+                    ts.isArrowFunction(node)) {
+                    let funcName = '';
+                    if ((ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node)) &&
+                        node.name &&
+                        ts.isIdentifier(node.name)) {
+                        funcName = node.name.text;
+                    }
+                    if (/retry|withRetry|retryable|retriable/i.test(funcName)) {
+                        const { line, column } = getLineAndCol(sf, node.getStart(sf));
+                        retryPatterns.push({
+                            line,
+                            column,
+                            evidence: getEvidenceLines(sourceText, line),
+                            kind: 'retry function',
+                        });
+                    }
+                }
+                // Pattern 3: catch-and-retry: recursive call inside catch
+                if (ts.isCallExpression(node) &&
+                    ts.isPropertyAccessExpression(node.expression) &&
+                    node.expression.name.text === 'catch') {
+                    const bodyText = node.getText(sf);
+                    // catch body calls the parent function recursively (retry pattern)
+                    if (/\bretry\b/i.test(bodyText) || /\battempt\b/i.test(bodyText)) {
+                        const { line, column } = getLineAndCol(sf, node.getStart(sf));
+                        retryPatterns.push({
+                            line,
+                            column,
+                            evidence: getEvidenceLines(sourceText, line),
+                            kind: 'catch-and-retry',
+                        });
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            // Only flag when 3+ retry patterns found
+            if (retryPatterns.length < 3)
+                return [];
+            // Deduplicate by line
+            const seen = new Set();
+            const unique = retryPatterns.filter(p => {
+                if (seen.has(p.line))
+                    return false;
+                seen.add(p.line);
+                return true;
+            });
+            if (unique.length < 3)
+                return [];
+            // Report on the first pattern, with evidence listing all found locations
+            const allLocations = unique
+                .map(p => `  line ${p.line}: ${p.evidence.trim()} [${p.kind}]`)
+                .join('\n');
+            violations.push({
+                ruleId: this.id,
+                ruleName: this.name,
+                policyRef: this.policyRef,
+                severity: this.severity,
+                filePath,
+                line: unique[0].line,
+                column: unique[0].column,
+                evidence: `${unique.length} retry patterns found:\n${allLocations}`.slice(0, 600),
+                operationalRisk: `${unique.length} independent retry patterns exist in this file without shared rate limiting. ` +
+                    'Under a single downstream failure, each retrier fires independently, creating up to ' +
+                    `${unique.length}x the expected load on the failing service, delaying its recovery.`,
+                remediation: 'Introduce a shared circuit breaker or rate limiter (e.g. `p-limit`, `opossum`) that all ' +
+                    'retry patterns respect. Alternatively, consolidate retries into a single shared utility ' +
+                    'function with a centrally-configured retry policy.',
+                determinism: 'heuristic-advisory',
+                confidence: 0.60,
+                language: filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+            });
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR010RetryStorm = SR010RetryStorm;
+//# sourceMappingURL=SR010-retry-storm.js.map

package/dist/structural-rules/rules/SR010-retry-storm.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR010-retry-storm.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR010-retry-storm.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY;IACxD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AASD,SAAS,4BAA4B,CAAC,UAAkB;IACtD,OAAO,CACL,qBAAqB,CAAC,IAAI,CAAC,UAAU,CAAC;QACtC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC;QACjC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC;QAClC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC;QAChC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC;QAClC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC;QAClC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;QAC/B,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAC1B,CAAC;AACJ,CAAC;AAED,MAAa,eAAe;IAC1B,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,qDAAqD,CAAC;IAC7D,SAAS,GAAG,MAAM,CAAC;IACnB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,uHAAuH,CAAC;IAE1H,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,0EAA0E;YAC1E,IAAI,4BAA4B,CAAC,UAAU,CAAC;gBAAE,OAAO,EAAE,CAAC;YAExD,MAAM,aAAa,GAAmB,EAAE,CAAC;YAEzC,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,0DAA0D;gBAC1D,MAAM,MAAM,GACV,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBACzB,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC;oBACvB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;gBAEzB,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAClC,IACE,iDAAiD,CAAC,IAAI,CAAC,QAAQ,CAAC;wBAChE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAC1B,CAAC;wBACD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9D,aAAa,CAAC,IAAI,CAAC;4BACjB,IAAI;4BACJ,MAAM;4BACN,QAAQ,EAAE,gBAAgB,CAAC,UAAU,EAAE,IAAI,CAAC;4BAC5C,IAAI,EAAE,YAAY;yBACnB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,uEAAuE;gBACvE,IACE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;oBAC9B,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;oBAC7B,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC;oBAC5B,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,EACxB,CAAC;oBACD,IAAI,QAAQ,GAAG,EAAE,CAAC;oBAClB,IACE,CAAC,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;wBAChE,IAAI,CAAC,IAAI;wBACT,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAC1B,CAAC;wBACD,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;oBAC5B,CAAC;oBAED,IAAI,sCAAsC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC1D,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9D,aAAa,CAAC,IAAI,CAAC;4BACjB,IAAI;4BACJ,MAAM;4BACN,QAAQ,EAAE,gBAAgB,CAAC,UAAU,EAAE,IAAI,CAAC;4BAC5C,IAAI,EAAE,gBAAgB;yBACvB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,0DAA0D;gBAC1D,IACE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBACzB,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC;oBAC9C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EACrC,CAAC;oBACD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAClC,mEAAmE;oBACnE,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACjE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9D,aAAa,CAAC,IAAI,CAAC;4BACjB,IAAI;4BACJ,MAAM;4BACN,QAAQ,EAAE,gBAAgB,CAAC,UAAU,EAAE,IAAI,CAAC;4BAC5C,IAAI,EAAE,iBAAiB;yBACxB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAE3B,yCAAyC;YACzC,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,EAAE,CAAC;YAExC,sBAAsB;YACtB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAC/B,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;gBACtC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACnC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gBACjB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,EAAE,CAAC;YAEjC,yEAAyE;YACzE,MAAM,YAAY,GAAG,MAAM;iBACxB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC;iBAC9D,IAAI,CAAC,IAAI,CAAC,CAAC;YAEd,UAAU,CAAC,IAAI,CAAC;gBACd,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ;gBACR,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI;gBACpB,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM;gBACxB,QAAQ,EAAE,GAAG,MAAM,CAAC,MAAM,2BAA2B,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBACjF,eAAe,EACb,GAAG,MAAM,CAAC,MAAM,+EAA+E;oBAC/F,sFAAsF;oBACtF,GAAG,MAAM,CAAC,MAAM,oEAAoE;gBACtF,WAAW,EACT,0FAA0F;oBAC1F,0FAA0F;oBAC1F,oDAAoD;gBACtD,WAAW,EAAE,oBAAoB;gBACjC,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;aACtE,CAAC,CAAC;YAEH,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAlJD,0CAkJC"}

package/dist/structural-rules/rules/SR011-event-listener-leak.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class SR011EventListenerLeak implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "BLOCKING";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=SR011-event-listener-leak.d.ts.map

package/dist/structural-rules/rules/SR011-event-listener-leak.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR011-event-listener-leak.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR011-event-listener-leak.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AA2G7E,qBAAa,sBAAuB,YAAW,cAAc;IAC3D,EAAE,SAAW;IACb,IAAI,SAA2C;IAC/C,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAgC;IACzD,WAAW,SAEkF;IAE7F,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CA8EnE"}

package/dist/structural-rules/rules/SR011-event-listener-leak.js ADDED Viewed

@@ -0,0 +1,208 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR011EventListenerLeak = void 0;
+const ts = __importStar(require("typescript"));
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line, extra = 1) {
+    const lines = sourceText.split('\n');
+    return lines.slice(line - 1, Math.min(line - 1 + extra, lines.length)).map(l => l.slice(0, 120)).join('\n');
+}
+/** Walk up AST to find the nearest containing class declaration/expression. */
+function getEnclosingClass(node) {
+    let current = node.parent;
+    while (current) {
+        if (ts.isClassDeclaration(current) || ts.isClassExpression(current)) {
+            return current;
+        }
+        current = current.parent;
+    }
+    return undefined;
+}
+/** Check if the node is directly inside an arrow function that is NOT a class method. */
+function isInsideNonMethodArrowFunction(node) {
+    let current = node.parent;
+    while (current) {
+        if (ts.isArrowFunction(current)) {
+            // If the arrow function is a method body, it's OK
+            const parent = current.parent;
+            if (ts.isMethodDeclaration(parent) || ts.isPropertyDeclaration(parent)) {
+                return false;
+            }
+            // Arrow function that is NOT a class method
+            const enclosingClass = getEnclosingClass(current);
+            if (!enclosingClass) {
+                return true;
+            }
+        }
+        if (ts.isClassDeclaration(current) || ts.isClassExpression(current)) {
+            break;
+        }
+        current = current.parent;
+    }
+    return false;
+}
+/** Extract the event string literal from addEventListener/on call (first arg). */
+function extractEventName(args) {
+    if (args.length < 2)
+        return undefined;
+    const firstArg = args[0];
+    if (ts.isStringLiteral(firstArg)) {
+        return firstArg.text;
+    }
+    return undefined;
+}
+/** Check if the third arg is { once: true }. */
+function hasOnceOption(args) {
+    if (args.length < 3)
+        return false;
+    const optArg = args[2];
+    if (ts.isObjectLiteralExpression(optArg)) {
+        for (const prop of optArg.properties) {
+            if (ts.isPropertyAssignment(prop) &&
+                ts.isIdentifier(prop.name) &&
+                prop.name.text === 'once' &&
+                prop.initializer.kind === ts.SyntaxKind.TrueKeyword) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/** Collect the text of a class body to search for removal calls. */
+function getClassBodyText(classNode) {
+    return classNode.members.map(m => m.getText()).join('\n');
+}
+/** Check if there's a removeEventListener or .off( call in the class body text for the given event. */
+function hasRemovalInClass(classNode, eventName) {
+    const bodyText = getClassBodyText(classNode);
+    const hasRemoveEventListener = bodyText.includes('removeEventListener');
+    const hasOff = bodyText.includes('.off(');
+    if (!eventName) {
+        // Without a known event name, check if any removal exists
+        return hasRemoveEventListener || hasOff;
+    }
+    // Check if the event name is referenced near the removal call
+    if (hasRemoveEventListener && bodyText.includes(eventName)) {
+        // crude but effective: if both the removal method and the event name appear, accept it
+        return true;
+    }
+    if (hasOff && bodyText.includes(eventName)) {
+        return true;
+    }
+    return false;
+}
+class SR011EventListenerLeak {
+    id = 'SR011';
+    name = 'Event listener leak (missing removal)';
+    policyRef = 'SR011';
+    severity = 'BLOCKING';
+    languages = ['typescript', 'javascript'];
+    description = 'addEventListener() or .on() calls inside a class with no corresponding removeEventListener()/.off() ' +
+        'for the same event — leaked listeners accumulate and prevent GC of the enclosing object.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            const visit = (node) => {
+                if (ts.isCallExpression(node) && ts.isPropertyAccessExpression(node.expression)) {
+                    const methodName = node.expression.name.text;
+                    const isAddEventListener = methodName === 'addEventListener';
+                    const isOnCall = methodName === 'on';
+                    if (isAddEventListener || isOnCall) {
+                        // Exclude arrow function bodies that are not class methods
+                        if (isInsideNonMethodArrowFunction(node)) {
+                            ts.forEachChild(node, visit);
+                            return;
+                        }
+                        // Must be inside a class
+                        const enclosingClass = getEnclosingClass(node);
+                        if (!enclosingClass) {
+                            ts.forEachChild(node, visit);
+                            return;
+                        }
+                        // Exclude { once: true } option
+                        if (isAddEventListener && hasOnceOption(node.arguments)) {
+                            ts.forEachChild(node, visit);
+                            return;
+                        }
+                        const eventName = extractEventName(node.arguments);
+                        // Check if removal exists in the class
+                        if (!hasRemovalInClass(enclosingClass, eventName)) {
+                            const { line, column } = getLineAndCol(sf, node.expression.name.getStart(sf));
+                            const evidence = getEvidenceLines(sourceText, line, 2);
+                            violations.push({
+                                ruleId: this.id,
+                                ruleName: this.name,
+                                policyRef: this.policyRef,
+                                severity: this.severity,
+                                filePath,
+                                line,
+                                column,
+                                evidence,
+                                operationalRisk: 'Every listener registration without a paired removal leaks memory proportional to ' +
+                                    'listener count × retained closure size. Common in WebSocket handlers, Node.js ' +
+                                    'EventEmitters, and browser DOM events in long-lived objects.',
+                                remediation: 'Store the handler reference and call `emitter.off(event, handler)` in a ' +
+                                    'dispose/cleanup method, or use `{ once: true }` for one-shot listeners.',
+                                determinism: 'deterministic-structural',
+                                confidence: 0.88,
+                                language: filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+                            });
+                        }
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR011EventListenerLeak = SR011EventListenerLeak;
+//# sourceMappingURL=SR011-event-listener-leak.js.map

package/dist/structural-rules/rules/SR011-event-listener-leak.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR011-event-listener-leak.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR011-event-listener-leak.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY,EAAE,KAAK,GAAG,CAAC;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9G,CAAC;AAED,+EAA+E;AAC/E,SAAS,iBAAiB,CAAC,IAAa;IACtC,IAAI,OAAO,GAAwB,IAAI,CAAC,MAAM,CAAC;IAC/C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;YACpE,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,yFAAyF;AACzF,SAAS,8BAA8B,CAAC,IAAa;IACnD,IAAI,OAAO,GAAwB,IAAI,CAAC,MAAM,CAAC;IAC/C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,kDAAkD;YAClD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAC9B,IAAI,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,4CAA4C;YAC5C,MAAM,cAAc,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAClD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,IAAI,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;YACpE,MAAM;QACR,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,kFAAkF;AAClF,SAAS,gBAAgB,CAAC,IAAiC;IACzD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,IAAI,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,gDAAgD;AAChD,SAAS,aAAa,CAAC,IAAiC;IACtD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,yBAAyB,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACrC,IACE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;gBAC7B,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM;gBACzB,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,EAAE,CAAC,UAAU,CAAC,WAAW,EACnD,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,oEAAoE;AACpE,SAAS,gBAAgB,CAAC,SAAmD;IAC3E,OAAO,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5D,CAAC;AAED,uGAAuG;AACvG,SAAS,iBAAiB,CACxB,SAAmD,EACnD,SAA6B;IAE7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,sBAAsB,GAAG,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAE1C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,0DAA0D;QAC1D,OAAO,sBAAsB,IAAI,MAAM,CAAC;IAC1C,CAAC;IAED,8DAA8D;IAC9D,IAAI,sBAAsB,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3D,uFAAuF;QACvF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAa,sBAAsB;IACjC,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,uCAAuC,CAAC;IAC/C,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,sGAAsG;QACtG,0FAA0F,CAAC;IAE7F,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAChF,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;oBAC7C,MAAM,kBAAkB,GAAG,UAAU,KAAK,kBAAkB,CAAC;oBAC7D,MAAM,QAAQ,GAAG,UAAU,KAAK,IAAI,CAAC;oBAErC,IAAI,kBAAkB,IAAI,QAAQ,EAAE,CAAC;wBACnC,2DAA2D;wBAC3D,IAAI,8BAA8B,CAAC,IAAI,CAAC,EAAE,CAAC;4BACzC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;4BAC7B,OAAO;wBACT,CAAC;wBAED,yBAAyB;wBACzB,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;wBAC/C,IAAI,CAAC,cAAc,EAAE,CAAC;4BACpB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;4BAC7B,OAAO;wBACT,CAAC;wBAED,gCAAgC;wBAChC,IAAI,kBAAkB,IAAI,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;4BACxD,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;4BAC7B,OAAO;wBACT,CAAC;wBAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;wBAEnD,uCAAuC;wBACvC,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,SAAS,CAAC,EAAE,CAAC;4BAClD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;4BAC9E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;4BACvD,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,IAAI,CAAC,EAAE;gCACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gCACnB,SAAS,EAAE,IAAI,CAAC,SAAS;gCACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gCACvB,QAAQ;gCACR,IAAI;gCACJ,MAAM;gCACN,QAAQ;gCACR,eAAe,EACb,oFAAoF;oCACpF,gFAAgF;oCAChF,8DAA8D;gCAChE,WAAW,EACT,0EAA0E;oCAC1E,yEAAyE;gCAC3E,WAAW,EAAE,0BAA0B;gCACvC,UAAU,EAAE,IAAI;gCAChB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;6BACtE,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC3B,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAxFD,wDAwFC"}

package/dist/structural-rules/rules/SR012-promise-race-leak.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { StructuralRule, StructuralViolation, RuleLanguage } from '../types';
+export declare class SR012PromiseRaceLeak implements StructuralRule {
+    id: string;
+    name: string;
+    policyRef: string;
+    severity: "ADVISORY";
+    languages: RuleLanguage[];
+    description: string;
+    check(filePath: string, sourceText: string): StructuralViolation[];
+}
+//# sourceMappingURL=SR012-promise-race-leak.d.ts.map

package/dist/structural-rules/rules/SR012-promise-race-leak.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR012-promise-race-leak.d.ts","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR012-promise-race-leak.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAkE7E,qBAAa,oBAAqB,YAAW,cAAc;IACzD,EAAE,SAAW;IACb,IAAI,SAAkD;IACtD,SAAS,SAAW;IACpB,QAAQ,EAAG,UAAU,CAAU;IAC/B,SAAS,EAAE,YAAY,EAAE,CAAgC;IACzD,WAAW,SAEqF;IAEhG,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE;CAmGnE"}

package/dist/structural-rules/rules/SR012-promise-race-leak.js ADDED Viewed

@@ -0,0 +1,191 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SR012PromiseRaceLeak = void 0;
+const ts = __importStar(require("typescript"));
+function getLineAndCol(sf, pos) {
+    const lc = sf.getLineAndCharacterOfPosition(pos);
+    return { line: lc.line + 1, column: lc.character + 1 };
+}
+function getEvidenceLines(sourceText, line, extra = 1) {
+    const lines = sourceText.split('\n');
+    return lines.slice(line - 1, Math.min(line - 1 + extra, lines.length)).map(l => l.slice(0, 120)).join('\n');
+}
+/**
+ * Check if an expression looks like a timeout promise:
+ * - `new Promise(resolve => setTimeout(...))`
+ * - an identifier whose name contains 'timeout' or 'Timeout'
+ */
+function looksLikeTimeout(node) {
+    // new Promise(resolve => setTimeout(...))
+    if (ts.isNewExpression(node) && ts.isIdentifier(node.expression) && node.expression.text === 'Promise') {
+        const args = node.arguments;
+        if (args && args.length > 0) {
+            const executor = args[0];
+            if (ts.isArrowFunction(executor) || ts.isFunctionExpression(executor)) {
+                let hasSetTimeout = false;
+                const scanForSetTimeout = (n) => {
+                    if (ts.isCallExpression(n) &&
+                        ts.isIdentifier(n.expression) &&
+                        n.expression.text === 'setTimeout') {
+                        hasSetTimeout = true;
+                    }
+                    if (!hasSetTimeout)
+                        ts.forEachChild(n, scanForSetTimeout);
+                };
+                scanForSetTimeout(executor);
+                if (hasSetTimeout)
+                    return true;
+            }
+        }
+    }
+    // identifier or property access with 'timeout' or 'Timeout' in the name
+    if (ts.isIdentifier(node)) {
+        const lower = node.text.toLowerCase();
+        if (lower.includes('timeout'))
+            return true;
+    }
+    if (ts.isPropertyAccessExpression(node) && ts.isIdentifier(node.name)) {
+        const lower = node.name.text.toLowerCase();
+        if (lower.includes('timeout'))
+            return true;
+    }
+    return false;
+}
+/** Check if text of a node or its subtree contains AbortController / .abort() / cleanup references. */
+function containsAbortOrCleanup(node, sf) {
+    const text = node.getText(sf);
+    return (text.includes('AbortController') ||
+        text.includes('.abort()') ||
+        text.includes('.abort(') ||
+        text.includes('cleanup') ||
+        text.includes('cancel'));
+}
+class SR012PromiseRaceLeak {
+    id = 'SR012';
+    name = 'Promise.race timeout leak (no abort/cleanup)';
+    policyRef = 'SR012';
+    severity = 'ADVISORY';
+    languages = ['typescript', 'javascript'];
+    description = 'Promise.race() with a timeout branch but no AbortController/.abort()/cleanup — ' +
+        'when the timeout wins, the losing promise(s) continue running, leaking connections and CPU.';
+    check(filePath, sourceText) {
+        try {
+            const violations = [];
+            const ext = filePath.endsWith('.tsx')
+                ? ts.ScriptKind.TSX
+                : filePath.endsWith('.jsx')
+                    ? ts.ScriptKind.JSX
+                    : filePath.endsWith('.js')
+                        ? ts.ScriptKind.JS
+                        : ts.ScriptKind.TS;
+            const sf = ts.createSourceFile(filePath, sourceText, ts.ScriptTarget.Latest, true, ext);
+            const visit = (node) => {
+                // Looking for: Promise.race([...])
+                if (ts.isCallExpression(node) &&
+                    ts.isPropertyAccessExpression(node.expression) &&
+                    ts.isIdentifier(node.expression.expression) &&
+                    node.expression.expression.text === 'Promise' &&
+                    node.expression.name.text === 'race') {
+                    const args = node.arguments;
+                    if (args.length !== 1) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    const arrayArg = args[0];
+                    if (!ts.isArrayLiteralExpression(arrayArg)) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Check if one element is clearly a timeout
+                    const hasTimeout = arrayArg.elements.some(el => looksLikeTimeout(el));
+                    if (!hasTimeout) {
+                        ts.forEachChild(node, visit);
+                        return;
+                    }
+                    // Check if any array element references AbortController or cleanup
+                    const hasCleanup = arrayArg.elements.some(el => containsAbortOrCleanup(el, sf));
+                    // Also check a .finally() chained on the race call
+                    let hasFinallyAbort = false;
+                    const parent = node.parent;
+                    if (ts.isPropertyAccessExpression(parent) && parent.name.text === 'finally') {
+                        const grandParent = parent.parent;
+                        if (ts.isCallExpression(grandParent)) {
+                            hasFinallyAbort = containsAbortOrCleanup(grandParent, sf);
+                        }
+                    }
+                    // Also look in the enclosing statement for abort references
+                    let enclosingStatement = node;
+                    while (enclosingStatement.parent && !ts.isBlock(enclosingStatement.parent)) {
+                        enclosingStatement = enclosingStatement.parent;
+                    }
+                    const statementText = enclosingStatement.getText(sf);
+                    const nearbyHasAbort = statementText.includes('.abort(') ||
+                        statementText.includes('AbortController');
+                    if (!hasCleanup && !hasFinallyAbort && !nearbyHasAbort) {
+                        const { line, column } = getLineAndCol(sf, node.expression.name.getStart(sf));
+                        const evidence = getEvidenceLines(sourceText, line, 2);
+                        violations.push({
+                            ruleId: this.id,
+                            ruleName: this.name,
+                            policyRef: this.policyRef,
+                            severity: this.severity,
+                            filePath,
+                            line,
+                            column,
+                            evidence,
+                            operationalRisk: 'When the timeout wins the race, the original operations continue running in the background, ' +
+                                'consuming connections, CPU, and memory. In high-traffic systems this creates phantom load ' +
+                                'that grows until process restart.',
+                            remediation: 'Use AbortController: `const ac = new AbortController(); ' +
+                                'Promise.race([fetchWithSignal(ac.signal), timeout]).finally(() => ac.abort())`.',
+                            determinism: 'heuristic-advisory',
+                            confidence: 0.80,
+                            language: filePath.match(/\.(js|jsx)$/) ? 'javascript' : 'typescript',
+                        });
+                    }
+                }
+                ts.forEachChild(node, visit);
+            };
+            ts.forEachChild(sf, visit);
+            return violations;
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.SR012PromiseRaceLeak = SR012PromiseRaceLeak;
+//# sourceMappingURL=SR012-promise-race-leak.js.map

package/dist/structural-rules/rules/SR012-promise-race-leak.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SR012-promise-race-leak.js","sourceRoot":"","sources":["../../../src/structural-rules/rules/SR012-promise-race-leak.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAGjC,SAAS,aAAa,CAAC,EAAiB,EAAE,GAAW;IACnD,MAAM,EAAE,GAAG,EAAE,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAY,EAAE,KAAK,GAAG,CAAC;IACnE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC9G,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAAmB;IAC3C,0CAA0C;IAC1C,IAAI,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACvG,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,EAAE,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,oBAAoB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtE,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,MAAM,iBAAiB,GAAG,CAAC,CAAU,EAAQ,EAAE;oBAC7C,IACE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC;wBACtB,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC;wBAC7B,CAAC,CAAC,UAAU,CAAC,IAAI,KAAK,YAAY,EAClC,CAAC;wBACD,aAAa,GAAG,IAAI,CAAC;oBACvB,CAAC;oBACD,IAAI,CAAC,aAAa;wBAAE,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;gBAC5D,CAAC,CAAC;gBACF,iBAAiB,CAAC,QAAQ,CAAC,CAAC;gBAC5B,IAAI,aAAa;oBAAE,OAAO,IAAI,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,IAAI,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IACD,IAAI,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uGAAuG;AACvG,SAAS,sBAAsB,CAAC,IAAa,EAAE,EAAiB;IAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC9B,OAAO,CACL,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAChC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACxB,CAAC;AACJ,CAAC;AAED,MAAa,oBAAoB;IAC/B,EAAE,GAAG,OAAO,CAAC;IACb,IAAI,GAAG,8CAA8C,CAAC;IACtD,SAAS,GAAG,OAAO,CAAC;IACpB,QAAQ,GAAG,UAAmB,CAAC;IAC/B,SAAS,GAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IACzD,WAAW,GACT,iFAAiF;QACjF,6FAA6F,CAAC;IAEhG,KAAK,CAAC,QAAgB,EAAE,UAAkB;QACxC,IAAI,CAAC;YACH,MAAM,UAAU,GAA0B,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACnC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;gBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC3B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG;oBACnB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC1B,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;wBAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAErB,MAAM,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAExF,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;gBACpC,mCAAmC;gBACnC,IACE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBACzB,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC;oBAC9C,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;oBAC3C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,KAAK,SAAS;oBAC7C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,EACpC,CAAC;oBACD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACtB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;oBACzB,IAAI,CAAC,EAAE,CAAC,wBAAwB,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC3C,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,4CAA4C;oBAC5C,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC;oBACtE,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;wBAC7B,OAAO;oBACT,CAAC;oBAED,mEAAmE;oBACnE,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,sBAAsB,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;oBAEhF,mDAAmD;oBACnD,IAAI,eAAe,GAAG,KAAK,CAAC;oBAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;oBAC3B,IAAI,EAAE,CAAC,0BAA0B,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;wBAC5E,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC;wBAClC,IAAI,EAAE,CAAC,gBAAgB,CAAC,WAAW,CAAC,EAAE,CAAC;4BACrC,eAAe,GAAG,sBAAsB,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;wBAC5D,CAAC;oBACH,CAAC;oBAED,4DAA4D;oBAC5D,IAAI,kBAAkB,GAAY,IAAI,CAAC;oBACvC,OAAO,kBAAkB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC3E,kBAAkB,GAAG,kBAAkB,CAAC,MAAM,CAAC;oBACjD,CAAC;oBACD,MAAM,aAAa,GAAG,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBACrD,MAAM,cAAc,GAClB,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC;wBACjC,aAAa,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;oBAE5C,IAAI,CAAC,UAAU,IAAI,CAAC,eAAe,IAAI,CAAC,cAAc,EAAE,CAAC;wBACvD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;wBAC9E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;wBACvD,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,SAAS,EAAE,IAAI,CAAC,SAAS;4BACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,QAAQ;4BACR,IAAI;4BACJ,MAAM;4BACN,QAAQ;4BACR,eAAe,EACb,8FAA8F;gCAC9F,4FAA4F;gCAC5F,mCAAmC;4BACrC,WAAW,EACT,0DAA0D;gCAC1D,iFAAiF;4BACnF,WAAW,EAAE,oBAAoB;4BACjC,UAAU,EAAE,IAAI;4BAChB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;yBACtE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC;YAEF,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC3B,OAAO,UAAU,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AA7GD,oDA6GC"}