@oculum/scanner 1.0.14 → 1.0.15

package/src/model/import-resolver.ts

@@ -67,6 +67,12 @@ export function buildFileIndex(files: ScanFile[]): Map<string, ScanFile> {
     if (indexMatch) {
       index.set(indexMatch[1], file)
     }
+
+    // Index __init__.py as directory package
+    const initMatch = file.path.match(/^(.+)\/__init__\.py$/)
+    if (initMatch) {
+      index.set(initMatch[1], file)
+    }
   }
   return index
 }
@@ -392,6 +398,11 @@ export function resolveImportPath(
   fromFilePath: string,
   fileIndex: Map<string, ScanFile>
 ): ScanFile | null {
+  // Python module paths: dot-separated, no slashes
+  if (isPythonModulePath(importPath)) {
+    return resolvePythonModulePath(importPath, fromFilePath, fileIndex)
+  }
+
   // Node modules — don't resolve
   if (!isLocalImport(importPath)) return null
 
@@ -451,3 +462,96 @@ function resolvePath(fromDir: string, relativePath: string): string {
   }
   return parts.join('/')
 }
+
+/**
+ * Check if an import path looks like a Python module path.
+ * Python module paths use dots (not slashes) and have no quotes or special chars.
+ * Matches: '.utils', '..db', 'utils', 'os.path', '.models.db'
+ * Rejects: './utils', '../db', '@/lib', '~/lib' (JS-style)
+ */
+function isPythonModulePath(importPath: string): boolean {
+  // Must not contain slashes (those are JS/TS-style paths)
+  if (importPath.includes('/')) return false
+  // Must not start with @/ or ~/ (JS aliases)
+  if (importPath.startsWith('@') || importPath.startsWith('~')) return false
+  // Python relative: starts with dots then word chars
+  // Python absolute: word chars and dots only
+  return /^\.{0,3}[\w.]*$/.test(importPath)
+}
+
+/**
+ * Resolve a Python module path to a ScanFile.
+ *
+ * - Relative (starts with '.'): Count dots for depth, convert remaining dots to '/'
+ * - Non-relative ('utils', 'db.models'): Try same-directory, then project root
+ */
+function resolvePythonModulePath(
+  importPath: string,
+  fromFilePath: string,
+  fileIndex: Map<string, ScanFile>
+): ScanFile | null {
+  const fromDir = fromFilePath.substring(0, fromFilePath.lastIndexOf('/'))
+
+  if (importPath.startsWith('.')) {
+    // Relative import: count leading dots
+    let dots = 0
+    while (dots < importPath.length && importPath[dots] === '.') dots++
+    const remainder = importPath.slice(dots)
+
+    // Navigate up: 1 dot = current dir, 2 dots = parent, etc.
+    const dirParts = fromDir.split('/').filter(p => p.length > 0)
+    for (let i = 1; i < dots; i++) dirParts.pop()
+    const baseDir = dirParts.join('/')
+
+    // Convert remaining dots to path separators
+    const subPath = remainder ? remainder.replace(/\./g, '/') : ''
+    const searchPath = subPath ? (baseDir ? `${baseDir}/${subPath}` : subPath) : baseDir
+
+    return tryResolvePythonFile(searchPath, fileIndex)
+  }
+
+  // Non-relative: convert dots to path separators
+  const asPath = importPath.replace(/\./g, '/')
+
+  // Try same-directory first
+  if (fromDir) {
+    const sameDirPath = `${fromDir}/${asPath}`
+    const result = tryResolvePythonFile(sameDirPath, fileIndex)
+    if (result) return result
+  }
+
+  // Try project root
+  const rootResult = tryResolvePythonFile(asPath, fileIndex)
+  if (rootResult) return rootResult
+
+  // Fallback: suffix match across all files
+  for (const [path, file] of fileIndex) {
+    if (path.endsWith('/' + asPath + '.py') || path === asPath + '.py') return file
+    if (path.endsWith('/' + asPath + '/__init__.py') || path === asPath + '/__init__.py') return file
+  }
+
+  return null
+}
+
+/**
+ * Try to resolve a Python file path, checking .py extension and __init__.py package.
+ */
+function tryResolvePythonFile(searchPath: string, fileIndex: Map<string, ScanFile>): ScanFile | null {
+  // Exact match (already has extension)
+  const exact = fileIndex.get(searchPath)
+  if (exact) return exact
+
+  // Try .py extension
+  const withPy = fileIndex.get(searchPath + '.py')
+  if (withPy) return withPy
+
+  // Try __init__.py (package)
+  const initPy = fileIndex.get(searchPath + '/__init__.py')
+  if (initPy) return initPy
+
+  // Try without extension (indexed without ext in buildFileIndex)
+  const noExt = fileIndex.get(searchPath)
+  if (noExt) return noExt
+
+  return null
+}

package/src/model/imported-auth-detector.ts

@@ -11,7 +11,7 @@
 import type { ScanFile } from '../shared/types'
 import { extractAllImports } from './import-resolver'
 import type { ParsedImport } from './import-resolver'
-import { escapeRegex } from './sink-patterns'
+import { escapeRegex } from '../shared/regex-utils'
 
 // ============================================================================
 // Types

package/src/model/index.ts

@@ -18,18 +18,18 @@ import {
   isToolingDirectory,
 } from '../parse/file-classifier'
 import type { FileTaintAnalysis, ContextEngineResult } from './taint-types'
-import { discoverSources } from './source-discovery'
-import { detectSanitisers } from './sanitiser-detection'
-import { propagateTaint } from './taint-tracker'
-import { matchSinks } from './sink-matcher'
 import { discoverRoutes } from './route-discovery'
 import type { RouteMap } from './route-discovery'
 import { resolveRouteAuth } from './route-auth-resolver'
 import { buildModuleGraph } from './module-graph'
 import type { ModuleGraphStats } from './module-graph'
-import { buildFunctionProfiles } from './function-classifier'
-import { analyzeCrossFileTaint } from './cross-file-taint'
 import { analyzeFrameworkPatterns } from './framework-models'
+import { parseFiles } from '../parse/ast'
+import { analyzeTaintsForProject } from '../taint/cross-file-analyzer'
+import type { TaintFinding } from '../taint/propagation-types'
+import type { TaintKind, TaintSourceType, TaintSinkType } from '../taint/types'
+import type { ModuleGraph } from './module-graph'
+import type { UserInputSourceType, TaintPropagationType, SinkType, SanitiserTarget } from './taint-types'
 
 // ============================================================================
 // Types
@@ -52,6 +52,10 @@ export interface ProjectModel {
   taintStats: TaintAnalysisStats
   routeStats: RouteDiscoveryStats
   moduleGraphStats?: ModuleGraphStats
+  /** Pre-parsed ASTs from model build (reused by detection stage) */
+  parsedASTs: Map<string, import('../parse/ast').ParsedAST>
+  /** Raw v2 taint findings from cross-file analysis (reused by detection stage) */
+  v2ProjectFindings: TaintFinding[]
 }
 
 // ============================================================================
@@ -67,14 +71,12 @@ export function buildProjectModel(files: ScanFile[]): ProjectModel {
   const fileAuthImports = buildFileAuthImports(files)
   const projectContext = buildProjectContext(files)
   const detectorContext = buildDetectorContext(projectContext, middlewareConfig)
-  const { analyses: fileTaintAnalyses, stats: taintStats } = buildFileTaintAnalyses(files)
 
-  // CE Phase 4: Module Graph & Cross-File Analysis
+  // CE Phase 4: Module Graph (moved up for cross-file taint analysis)
   const moduleGraph = buildModuleGraph(files)
-  const functionProfiles = buildFunctionProfiles(files, moduleGraph)
-  const crossFileTaintPaths = analyzeCrossFileTaint(
-    files, moduleGraph, functionProfiles, fileTaintAnalyses
-  )
+
+  // V2 AST+CFG taint analysis (replaces retired v1 regex taint entirely)
+  const v2Result = buildV2TaintAnalyses(files, moduleGraph)
 
   // CE Phase 2: Route Discovery (uses module graph for cross-file auth)
   const routeStart = Date.now()
@@ -89,11 +91,9 @@ export function buildProjectModel(files: ScanFile[]): ProjectModel {
 
   const contextEngine: ContextEngineResult = {
     projectContext,
-    fileTaintAnalyses,
+    fileTaintAnalyses: v2Result.analyses,
     routeMap,
     moduleGraph,
-    crossFileTaintPaths,
-    functionProfiles,
     frameworkAnalyses,
   }
 
@@ -102,9 +102,11 @@ export function buildProjectModel(files: ScanFile[]): ProjectModel {
     middlewareConfig,
     fileAuthImports,
     detectorContext,
-    taintStats,
+    taintStats: v2Result.stats,
     routeStats,
     moduleGraphStats: moduleGraph.stats,
+    parsedASTs: v2Result.asts,
+    v2ProjectFindings: v2Result.findings,
   }
 }
 
@@ -133,24 +135,6 @@ function buildRouteStats(routeMap: RouteMap, duration: number): RouteDiscoverySt
 // Taint Analysis (Context Engine Phase 1)
 // ============================================================================
 
-const CODE_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.php', '.go', '.java', '.cs'])
-
-function isCodeFile(filePath: string): boolean {
-  const ext = filePath.substring(filePath.lastIndexOf('.'))
-  return CODE_EXTENSIONS.has(ext.toLowerCase())
-}
-
-function analyzeFileTaint(content: string, filePath: string): FileTaintAnalysis {
-  const sources = discoverSources(content, filePath)
-  if (sources.length === 0) {
-    return { filePath, sources: [], taintedVariables: [], taintPaths: [], sanitisers: [] }
-  }
-  const sanitisers = detectSanitisers(content, filePath)
-  const taintedVariables = propagateTaint(content, filePath, sources, sanitisers)
-  const taintPaths = matchSinks(content, filePath, taintedVariables, sanitisers)
-  return { filePath, sources, taintedVariables, taintPaths, sanitisers }
-}
-
 export interface TaintAnalysisStats {
   filesAnalyzed: number
   filesWithSources: number
@@ -164,62 +148,238 @@ export interface TaintAnalysisStats {
   sourceTypeBreakdown: Record<string, number>
   sinkTypeBreakdown: Record<string, number>
   duration: number
+  // v2 taint engine stats
+  v2FilesAnalyzed?: number
+  v2FindingsTotal?: number
+  v2FindingsPerKind?: Record<string, number>
 }
 
-function buildFileTaintAnalyses(files: ScanFile[]): { analyses: Map<string, FileTaintAnalysis>; stats: TaintAnalysisStats } {
-  const startTime = Date.now()
-  const analyses = new Map<string, FileTaintAnalysis>()
-  const sourceTypeBreakdown: Record<string, number> = {}
-  const sinkTypeBreakdown: Record<string, number> = {}
-  let filesAnalyzed = 0
-  let totalSources = 0
-  let totalTaintedVars = 0
-  let totalTaintPaths = 0
-  let unsanitisedPaths = 0
-  let sanitisedPaths = 0
-  let totalSanitisers = 0
-
-  for (const file of files) {
-    if (!isCodeFile(file.path) || isTestOrMockFile(file.path)) continue
-    filesAnalyzed++
-    const analysis = analyzeFileTaint(file.content, file.path)
-    if (analysis.sources.length > 0 || analysis.taintPaths.length > 0) {
-      analyses.set(file.path, analysis)
+// ============================================================================
+// V2 Taint Analysis (AST + CFG based — sole authority)
+// ============================================================================
+
+const JS_TS_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'])
+
+function isJsTsFile(filePath: string): boolean {
+  const ext = filePath.substring(filePath.lastIndexOf('.'))
+  return JS_TS_EXTENSIONS.has(ext.toLowerCase())
+}
+
+/** Map v2 TaintSourceType → v1 UserInputSourceType (subset that overlaps) */
+function mapSourceType(v2Type: TaintSourceType): UserInputSourceType {
+  // Most types match directly between v1 and v2
+  const directMap: Partial<Record<TaintSourceType, UserInputSourceType>> = {
+    http_body: 'http_body',
+    http_query: 'http_query',
+    http_params: 'http_params',
+    http_headers: 'http_headers',
+    url_search_params: 'url_search_params',
+    form_data: 'form_data',
+    file_upload: 'file_upload',
+    websocket_message: 'websocket_message',
+    cli_args: 'cli_args',
+    env_var: 'env_var',
+    database_result: 'database_result',
+    external_api: 'external_api',
+  }
+  return directMap[v2Type] ?? 'external_api'
+}
+
+/** Map v2 TaintSinkType → v1 SinkType */
+function mapSinkType(v2Type: TaintSinkType): SinkType {
+  const directMap: Partial<Record<TaintSinkType, SinkType>> = {
+    sql_query: 'sql_query',
+    nosql_query: 'sql_query',
+    eval: 'eval',
+    exec: 'exec',
+    inner_html: 'inner_html',
+    response_body: 'inner_html',
+    http_request: 'http_request',
+    header_injection: 'http_request',
+    redirect: 'redirect',
+    file_write: 'file_write',
+    path_access: 'path_access',
+    template_render: 'template_render',
+    command_exec: 'command_exec',
+    regex_constructor: 'regex_constructor',
+    dynamic_import: 'dynamic_import',
+    deserialization: 'deserialization',
+    prompt_construction: 'eval',
+    system_prompt: 'eval',
+  }
+  return directMap[v2Type] ?? 'exec'
+}
+
+/** Map v2 TaintKind → v1 SanitiserTarget */
+function mapKindToSanitiserTarget(kind: TaintKind): SanitiserTarget {
+  const map: Record<TaintKind, SanitiserTarget> = {
+    sql: 'sql',
+    xss: 'html',
+    command: 'command',
+    ssrf: 'url',
+    prompt: 'all',
+    path: 'path',
+  }
+  return map[kind]
+}
+
+/** Convert v2 TaintFinding[] → v1 FileTaintAnalysis */
+function convertV2ToV1Analysis(findings: TaintFinding[], filePath: string): FileTaintAnalysis {
+  const sources: FileTaintAnalysis['sources'] = []
+  const taintedVariables: FileTaintAnalysis['taintedVariables'] = []
+  const taintPaths: FileTaintAnalysis['taintPaths'] = []
+  const sanitisers: FileTaintAnalysis['sanitisers'] = []
+
+  const seenSources = new Set<string>()
+  const seenSanitisers = new Set<string>()
+
+  for (const finding of findings) {
+    // Convert source (deduplicate by variable+line)
+    const srcKey = `${finding.source.variable}:${finding.source.line}`
+    if (!seenSources.has(srcKey)) {
+      seenSources.add(srcKey)
+      sources.push({
+        line: finding.source.line,
+        expression: finding.source.expression,
+        variable: finding.source.variable,
+        sourceType: mapSourceType(finding.source.sourceType),
+        confidence: finding.source.confidence,
+      })
     }
 
-    // Accumulate stats
-    totalSources += analysis.sources.length
-    totalTaintedVars += analysis.taintedVariables.length
-    totalTaintPaths += analysis.taintPaths.length
-    totalSanitisers += analysis.sanitisers.length
+    // Convert path steps to tainted variables chain
+    const chain: FileTaintAnalysis['taintedVariables'][0][] = []
+    for (const step of finding.path) {
+      if (step.stepType === 'propagation' || step.stepType === 'source') {
+        const isSanitized = step.stepType === 'propagation' &&
+          finding.path.some(s => s.stepType === 'sanitizer' && s.line <= step.line)
+
+        const taintedVar = {
+          name: step.variable,
+          taintedAt: step.line,
+          source: {
+            line: finding.source.line,
+            expression: finding.source.expression,
+            variable: finding.source.variable,
+            sourceType: mapSourceType(finding.source.sourceType),
+            confidence: finding.source.confidence,
+          },
+          propagation: 'direct_assignment' as TaintPropagationType,
+          sanitised: isSanitized,
+          scopeDepth: 0,
+        }
+        chain.push(taintedVar)
+        taintedVariables.push(taintedVar)
+      }
+
+      // Collect sanitizers from path steps
+      if (step.stepType === 'sanitizer' && !seenSanitisers.has(`${step.variable}:${step.line}`)) {
+        seenSanitisers.add(`${step.variable}:${step.line}`)
+        const firstKind = [...finding.matchingKinds][0] ?? 'xss'
+        sanitisers.push({
+          name: step.description,
+          line: step.line,
+          sanitises: mapKindToSanitiserTarget(firstKind),
+          detection: 'known_library',
+        })
+      }
+    }
+
+    // Convert to taint path
+    // Note: hasSanitizer is currently always false — the propagation engine removes
+    // taint from state rather than emitting sanitizer steps. Kept as defensive code
+    // for potential future sanitizer-step emission.
+    const hasSanitizer = false
+    taintPaths.push({
+      source: {
+        line: finding.source.line,
+        expression: finding.source.expression,
+        variable: finding.source.variable,
+        sourceType: mapSourceType(finding.source.sourceType),
+        confidence: finding.source.confidence,
+      },
+      chain,
+      sink: {
+        line: finding.sink.line,
+        expression: finding.sink.expression,
+        sinkType: mapSinkType(finding.sink.sinkType),
+      },
+      sanitised: hasSanitizer,
+      confidence: finding.source.confidence,
+    })
+  }
+
+  return { filePath, sources, taintedVariables, taintPaths, sanitisers }
+}
 
-    for (const src of analysis.sources) {
-      sourceTypeBreakdown[src.sourceType] = (sourceTypeBreakdown[src.sourceType] || 0) + 1
+/**
+ * Run v2 AST+CFG taint engine on JS/TS/Python files (sole taint authority).
+ * Builds FileTaintAnalysis map via convertV2ToV1Analysis for scoring/validation compat.
+ */
+function buildV2TaintAnalyses(
+  files: ScanFile[],
+  moduleGraph: ModuleGraph,
+): { analyses: Map<string, FileTaintAnalysis>; stats: TaintAnalysisStats; asts: Map<string, import('../parse/ast').ParsedAST>; findings: TaintFinding[] } {
+  const startTime = Date.now()
+  const v2FindingsPerKind: Record<string, number> = {}
+
+  // Parse all JS/TS files
+  const jstsFiles = files.filter(f => isJsTsFile(f.path) && !isTestOrMockFile(f.path))
+  const asts = parseFiles(jstsFiles.map(f => ({ path: f.path, content: f.content })))
+
+  // Parse Python files and add to ASTs map
+  const pyFiles = files.filter(f => f.path.endsWith('.py') && !isTestOrMockFile(f.path))
+  if (pyFiles.length > 0) {
+    const pyAsts = parseFiles(pyFiles.map(f => ({ path: f.path, content: f.content })))
+    for (const [path, ast] of pyAsts) {
+      asts.set(path, ast)
     }
-    for (const tp of analysis.taintPaths) {
-      if (tp.sanitised) sanitisedPaths++
-      else unsanitisedPaths++
-      sinkTypeBreakdown[tp.sink.sinkType] = (sinkTypeBreakdown[tp.sink.sinkType] || 0) + 1
+  }
+
+  // Run project-level cross-file taint analysis on all parseable files
+  const taintFiles = [...jstsFiles, ...pyFiles]
+  const allFindings = analyzeTaintsForProject(taintFiles, asts, moduleGraph)
+
+  // Group findings by file path
+  const findingsByFile = new Map<string, TaintFinding[]>()
+  for (const f of allFindings) {
+    const existing = findingsByFile.get(f.filePath) ?? []
+    existing.push(f)
+    findingsByFile.set(f.filePath, existing)
+  }
+
+  // Count stats
+  for (const f of allFindings) {
+    for (const kind of f.matchingKinds) {
+      v2FindingsPerKind[kind] = (v2FindingsPerKind[kind] || 0) + 1
     }
   }
 
-  return {
-    analyses,
-    stats: {
-      filesAnalyzed,
-      filesWithSources: Array.from(analyses.values()).filter(a => a.sources.length > 0).length,
-      filesWithTaintPaths: Array.from(analyses.values()).filter(a => a.taintPaths.length > 0).length,
-      totalSources,
-      totalTaintedVars,
-      totalTaintPaths,
-      unsanitisedPaths,
-      sanitisedPaths,
-      totalSanitisers,
-      sourceTypeBreakdown,
-      sinkTypeBreakdown,
-      duration: Date.now() - startTime,
-    },
+  // Build analyses map from v2 findings
+  const analyses = new Map<string, FileTaintAnalysis>()
+  for (const [filePath, findings] of findingsByFile) {
+    analyses.set(filePath, convertV2ToV1Analysis(findings, filePath))
   }
+
+  const stats: TaintAnalysisStats = {
+    filesAnalyzed: taintFiles.length,
+    filesWithSources: 0,
+    filesWithTaintPaths: analyses.size,
+    totalSources: 0,
+    totalTaintedVars: 0,
+    totalTaintPaths: allFindings.length,
+    unsanitisedPaths: allFindings.length,
+    sanitisedPaths: 0,
+    totalSanitisers: 0,
+    sourceTypeBreakdown: {},
+    sinkTypeBreakdown: {},
+    duration: Date.now() - startTime,
+    v2FilesAnalyzed: asts.size,
+    v2FindingsTotal: allFindings.length,
+    v2FindingsPerKind,
+  }
+
+  return { analyses, stats, asts, findings: allFindings }
 }
 
 // ============================================================================

package/src/model/module-graph.ts

@@ -74,15 +74,27 @@ export function buildModuleGraph(files: ScanFile[]): ModuleGraph {
     const imports = extractAllImports(file.content, file.path)
     const fileExports = extractExports(file.content, file.path)
 
-    const resolvedImports: ResolvedImport[] = imports
-      .filter(imp => imp.isLocal)
-      .map(imp => {
+    const isPythonFile = file.path.endsWith('.py')
+    const resolvedImports: ResolvedImport[] = []
+    for (const imp of imports) {
+      if (imp.isLocal) {
         const resolved = resolveImportPath(imp.importPath, file.path, fileIndex)
-        return {
+        resolvedImports.push({
           ...imp,
           resolvedPath: resolved?.path ?? null,
+        })
+      } else if (isPythonFile) {
+        // Python non-relative imports: try to resolve as local project files
+        const resolved = resolveImportPath(imp.importPath, file.path, fileIndex)
+        if (resolved) {
+          resolvedImports.push({
+            ...imp,
+            resolvedPath: resolved.path,
+            isLocal: true,
+          })
         }
-      })
+      }
+    }
 
     const dependsOn = new Set<string>()
     for (const ri of resolvedImports) {

package/src/model/project-context.ts

@@ -100,7 +100,7 @@ export interface SecretsContext {
 
 export interface FrameworkContext {
   /** Primary framework */
-  primary?: 'nextjs' | 'express' | 'fastify' | 'nestjs' | 'django' | 'flask' | 'rails' | 'unknown'
+  primary?: 'nextjs' | 'express' | 'fastify' | 'nestjs' | 'django' | 'flask' | 'fastapi' | 'rails' | 'unknown'
   /** Frontend framework */
   frontend?: 'react' | 'vue' | 'svelte' | 'angular' | 'unknown'
   /** Is this a monorepo? */
@@ -436,6 +436,33 @@ function buildFrameworkContext(files: ScanFile[]): FrameworkContext {
     }
   }
   
+  // Python framework detection: requirements.txt, pyproject.toml, or imports
+  if (!primary) {
+    const reqsTxt = files.find(f => f.path === 'requirements.txt' || f.path.endsWith('/requirements.txt'))
+    const pyproject = files.find(f => f.path === 'pyproject.toml' || f.path.endsWith('/pyproject.toml'))
+    const depContent = (reqsTxt?.content || '') + '\n' + (pyproject?.content || '')
+    if (/fastapi/i.test(depContent)) {
+      primary = 'fastapi'
+    } else if (/\bflask\b/i.test(depContent)) {
+      primary = 'flask'
+    } else if (/\bdjango\b/i.test(depContent)) {
+      primary = 'django'
+    }
+    // Fallback: scan Python file imports
+    if (!primary) {
+      for (const file of files) {
+        if (!file.path.endsWith('.py')) continue
+        if (/from\s+fastapi\b|import\s+fastapi\b/.test(file.content)) {
+          primary = 'fastapi'; break
+        } else if (/from\s+flask\b|import\s+flask\b/.test(file.content)) {
+          primary = 'flask'; break
+        } else if (/from\s+django\b|import\s+django\b/.test(file.content)) {
+          primary = 'django'; break
+        }
+      }
+    }
+  }
+
   // Check for TypeScript
   usesTypeScript = files.some(f => f.path.endsWith('.ts') || f.path.endsWith('.tsx'))
   

package/src/model/route-auth-resolver.ts

@@ -11,7 +11,7 @@ import type { RouteMap, RouteDefinition, MountPoint } from './route-discovery'
 import type { MiddlewareAuthConfig } from './middleware-detector'
 import { isRouteProtectedByMiddleware } from './middleware-detector'
 import { getRouteProtectionContext } from './route-hierarchy'
-import { extractBlock } from './route-discovery/utils'
+import { extractBlock, extractPythonBlock } from './route-discovery/utils'
 import type { ModuleGraph } from './module-graph'
 
 // ============================================================================
@@ -37,6 +37,17 @@ const THROWING_AUTH_PATTERNS = [
   /getSession\s*\(/,
   /assertAuthenticated\s*\(/,
   /ensureAuth\s*\(/,
+  // Python: Flask
+  /abort\s*\(\s*40[13]\s*\)/,
+  // Python: FastAPI
+  /raise\s+HTTPException\s*\(\s*status_code\s*=\s*40[13]/,
+  // Python: Django / DRF
+  /raise\s+PermissionDenied/,
+  /raise\s+NotAuthenticated/,
+  // Python: Django template check
+  /request\.user\.is_authenticated/,
+  // Python: Flask-Login
+  /current_user\.is_authenticated/,
 ]
 
 // ============================================================================
@@ -119,7 +130,7 @@ export function resolveRouteAuth(
     // 6. Throwing auth helpers in handler body
     const content = fileContentMap.get(route.filePath)
     if (content && resolved.authMiddleware.length === 0) {
-      const handlerContent = extractHandlerContent(content, route.handlerLine)
+      const handlerContent = extractHandlerContent(content, route.handlerLine, route.filePath)
       if (hasThrowingAuthHelper(handlerContent)) {
         resolved.authMiddleware.push('throwing_auth_helper')
       }
@@ -205,9 +216,13 @@ function findGlobalAuth(mountPoints: MountPoint[]): string[] {
   return authMiddleware
 }
 
-function extractHandlerContent(content: string, handlerLine: number): string {
+function extractHandlerContent(content: string, handlerLine: number, filePath?: string): string {
   const lines = content.split('\n')
   const start = Math.max(0, handlerLine - 1)
+  // Use indentation-based extraction for Python files
+  if (filePath && filePath.endsWith('.py')) {
+    return extractPythonBlock(lines, start)
+  }
   return extractBlock(lines, start)
 }
 

package/src/model/route-discovery/index.ts

@@ -37,7 +37,7 @@ export function discoverRoutes(
     const mounts = extractMountPoints(file.content, file.path)
     allMountPoints.push(...mounts)
 
-    // Python (Flask/Django)
+    // Python (Flask/Django/FastAPI)
     const pythonRoutes = extractPythonRoutes(file.content, file.path)
     allRoutes.push(...pythonRoutes)
   }

package/src/model/route-discovery/nextjs.ts

@@ -172,7 +172,7 @@ function extractExportedMethods(content: string): ExportedMethod[] {
   const lines = content.split('\n')
 
   for (let i = 0; i < lines.length; i++) {
-    const match = lines[i].match(/export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s*\(/)
+    const match = lines[i].match(/export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|HEAD)\s*\(/)
     if (match) {
       methods.push({ name: match[1], line: i + 1 })
     }