@oddessentials/odd-ai-reviewers 1.7.4 → 1.8.0

package/dist/agents/control_flow/safe-source-patterns.js

@@ -0,0 +1,137 @@
+/**
+ * Safe-Source Pattern Definitions
+ *
+ * Declarative registry of patterns for recognizing provably non-tainted data sources.
+ * Safe sources are excluded from taint tracking to prevent false positives.
+ *
+ * Per contract: safe-source-patterns.md v1.0
+ * Per FR-001 through FR-004: Each pattern matches a specific, provable AST shape.
+ */
+// =============================================================================
+// Registry Constants
+// =============================================================================
+export const SAFE_SOURCE_REGISTRY_VERSION = '1.0';
+export const EXPECTED_PATTERN_COUNT = 9;
+/**
+ * All vulnerability types for patterns that prevent taint universally.
+ */
+export const ALL_VULN_TYPES = [
+    'injection',
+    'null_deref',
+    'auth_bypass',
+    'xss',
+    'path_traversal',
+    'prototype_pollution',
+    'ssrf',
+];
+// =============================================================================
+// Pattern Registry
+// =============================================================================
+export const SAFE_SOURCE_PATTERNS = [
+    // Pattern 1: Constant Literal Declarations (FR-001)
+    {
+        id: 'constant-literal-string',
+        name: 'Constant String Literal',
+        description: 'Module-scope const with string literal initializer',
+        preventsTaintFor: ALL_VULN_TYPES,
+        match: {
+            type: 'constant_declaration',
+            requireModuleScope: true,
+            requireLiteralInitializer: true,
+        },
+        confidence: 'high',
+    },
+    {
+        id: 'constant-literal-number',
+        name: 'Constant Number Literal',
+        description: 'Module-scope const with numeric literal initializer',
+        preventsTaintFor: ALL_VULN_TYPES,
+        match: {
+            type: 'constant_declaration',
+            requireModuleScope: true,
+            requireLiteralInitializer: true,
+        },
+        confidence: 'high',
+    },
+    {
+        id: 'constant-literal-array',
+        name: 'Constant Literal Array',
+        description: 'Module-scope const with array of literal values',
+        preventsTaintFor: ALL_VULN_TYPES,
+        match: {
+            type: 'constant_declaration',
+            requireModuleScope: true,
+            requireLiteralInitializer: true,
+        },
+        confidence: 'high',
+    },
+    // Pattern 2: Built-in Directory References (FR-002)
+    {
+        id: 'builtin-dirname',
+        name: 'Built-in __dirname',
+        description: 'Node.js __dirname built-in reference',
+        preventsTaintFor: ['path_traversal'],
+        match: {
+            type: 'builtin_reference',
+            identifiers: ['__dirname'],
+        },
+        confidence: 'high',
+    },
+    {
+        id: 'builtin-filename',
+        name: 'Built-in __filename',
+        description: 'Node.js __filename built-in reference',
+        preventsTaintFor: ['path_traversal'],
+        match: {
+            type: 'builtin_reference',
+            identifiers: ['__filename'],
+        },
+        confidence: 'high',
+    },
+    {
+        id: 'builtin-import-meta-dirname',
+        name: 'import.meta.dirname',
+        description: 'ESM import.meta.dirname reference',
+        preventsTaintFor: ['path_traversal'],
+        match: {
+            type: 'builtin_reference',
+            identifiers: ['import.meta.dirname'],
+        },
+        confidence: 'high',
+    },
+    {
+        id: 'builtin-import-meta-url',
+        name: 'import.meta.url',
+        description: 'ESM import.meta.url reference',
+        preventsTaintFor: ['path_traversal'],
+        match: {
+            type: 'builtin_reference',
+            identifiers: ['import.meta.url'],
+        },
+        confidence: 'high',
+    },
+    // Pattern 3: Safe Directory Listing Returns (FR-003)
+    {
+        id: 'safe-readdir',
+        name: 'Safe Directory Listing',
+        description: 'fs.readdirSync/readdir with provably safe argument',
+        preventsTaintFor: ['path_traversal'],
+        match: {
+            type: 'safe_function_return',
+            callTargets: ['readdirSync', 'readdir'],
+        },
+        confidence: 'medium',
+    },
+    // Pattern 4: Constant Array Element Access (FR-004)
+    {
+        id: 'constant-element-access',
+        name: 'Constant Array Element Access',
+        description: 'Element access on a module-scope const literal array',
+        preventsTaintFor: ['injection', 'xss'],
+        match: {
+            type: 'constant_element_access',
+        },
+        confidence: 'high',
+    },
+];
+//# sourceMappingURL=safe-source-patterns.js.map

package/dist/agents/control_flow/safe-source-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-source-patterns.js","sourceRoot":"","sources":["../../../src/agents/control_flow/safe-source-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAwDH,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC;AAClD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAwB;IACjD,WAAW;IACX,YAAY;IACZ,aAAa;IACb,KAAK;IACL,gBAAgB;IAChB,qBAAqB;IACrB,MAAM;CACP,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,oBAAoB,GAAwB;IACvD,oDAAoD;IACpD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,oDAAoD;QACjE,gBAAgB,EAAE,cAAc;QAChC,KAAK,EAAE;YACL,IAAI,EAAE,sBAAsB;YAC5B,kBAAkB,EAAE,IAAI;YACxB,yBAAyB,EAAE,IAAI;SAChC;QACD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,qDAAqD;QAClE,gBAAgB,EAAE,cAAc;QAChC,KAAK,EAAE;YACL,IAAI,EAAE,sBAAsB;YAC5B,kBAAkB,EAAE,IAAI;YACxB,yBAAyB,EAAE,IAAI;SAChC;QACD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,iDAAiD;QAC9D,gBAAgB,EAAE,cAAc;QAChC,KAAK,EAAE;YACL,IAAI,EAAE,sBAAsB;YAC5B,kBAAkB,EAAE,IAAI;YACxB,yBAAyB,EAAE,IAAI;SAChC;QACD,UAAU,EAAE,MAAM;KACnB;IAED,oDAAoD;IACpD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,sCAAsC;QACnD,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;QACpC,KAAK,EAAE;YACL,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,CAAC,WAAW,CAAC;SAC3B;QACD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,uCAAuC;QACpD,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;QACpC,KAAK,EAAE;YACL,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,CAAC,YAAY,CAAC;SAC5B;QACD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,6BAA6B;QACjC,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,mCAAmC;QAChD,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;QACpC,KAAK,EAAE;YACL,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,CAAC,qBAAqB,CAAC;SACrC;QACD,UAAU,EAAE,MAAM;KACnB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,+BAA+B;QAC5C,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;QACpC,KAAK,EAAE;YACL,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,CAAC,iBAAiB,CAAC;SACjC;QACD,UAAU,EAAE,MAAM;KACnB;IAED,qDAAqD;IACrD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,oDAAoD;QACjE,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;QACpC,KAAK,EAAE;YACL,IAAI,EAAE,sBAAsB;YAC5B,WAAW,EAAE,CAAC,aAAa,EAAE,SAAS,CAAC;SACxC;QACD,UAAU,EAAE,QAAQ;KACrB;IAED,oDAAoD;IACpD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,+BAA+B;QACrC,WAAW,EAAE,sDAAsD;QACnE,gBAAgB,EAAE,CAAC,WAAW,EAAE,KAAK,CAAC;QACtC,KAAK,EAAE;YACL,IAAI,EAAE,yBAAyB;SAChC;QACD,UAAU,EAAE,MAAM;KACnB;CACF,CAAC"}

package/dist/agents/control_flow/scope-stack.d.ts

@@ -0,0 +1,113 @@
+/**
+ * Scope Stack — Lexical scope tracking for declaration-identity resolution.
+ *
+ * Provides a scope stack that maps variable names to their declaring AST nodes,
+ * enabling scope-aware variable resolution without a full TypeChecker.
+ *
+ * Used by safe-source-detector and vulnerability-detector to replace name-based
+ * tracking with declaration-identity tracking.
+ */
+import ts from 'typescript';
+/**
+ * Produce a deterministic identity string for an AST node.
+ * Format: `file:line:col` (1-based line, 0-based column).
+ *
+ * IMPORTANT: Never embed ts.Node references in serializable data structures.
+ * Use this helper to produce a stable key for maps, sets, and stored state.
+ */
+export declare function nodeIdentityKey(node: ts.Node, sourceFile: ts.SourceFile): string;
+/**
+ * Returns true if `node` introduces a new lexical scope.
+ */
+export declare function isScopeNode(node: ts.Node): boolean;
+/**
+ * Returns true if `node` introduces a function-level scope (not block-level).
+ * Used to determine the correct scope for `var` declarations, which are hoisted
+ * to the enclosing function (or source file) rather than the enclosing block.
+ */
+export declare function isFunctionScopeNode(node: ts.Node): boolean;
+/**
+ * Extract all binding identifiers from a BindingName (handles destructuring).
+ *
+ * For simple identifiers: `const x = 1` -> ['x']
+ * For object destructuring: `const { a, b: c } = obj` -> ['a', 'c']
+ * For array destructuring: `const [a, , b] = arr` -> ['a', 'b']
+ * For nested: `const { a: [b, c] } = obj` -> ['b', 'c']
+ */
+export declare function extractBindingNames(name: ts.BindingName): {
+    name: string;
+    node: ts.Node;
+}[];
+/**
+ * A lexical scope stack for resolving identifier names to declaration nodes.
+ *
+ * Usage:
+ * 1. Walk the AST. On entering a scope-creating node, call `enterScope(node)`.
+ * 2. For each variable/const/let declaration, call `addDeclaration(name, declNode)`.
+ * 3. To resolve an identifier, call `resolveDeclaration(name)` — returns the
+ *    innermost declaration node for that name, or undefined if not found.
+ * 4. On leaving a scope-creating node, call `leaveScope()`.
+ */
+export declare class ScopeStack {
+    private stack;
+    /** Current nesting depth (0 when no scope is entered). */
+    get depth(): number;
+    /** Enter a new lexical scope. */
+    enterScope(node: ts.Node): void;
+    /** Leave the innermost scope. */
+    leaveScope(): void;
+    /** Register a declaration in the current (innermost) scope. */
+    addDeclaration(name: string, node: ts.Node): void;
+    /**
+     * Register a `var` declaration in the nearest function-level scope.
+     * `var` is hoisted to the enclosing function (or source file), not
+     * the enclosing block.
+     */
+    addVarDeclaration(name: string, node: ts.Node): void;
+    /**
+     * Resolve a name to its declaring node by walking the stack from innermost
+     * scope outward. Returns the declaring node, or undefined if the name is
+     * not declared in any enclosing scope.
+     */
+    resolveDeclaration(name: string): ts.Node | undefined;
+    /** Check whether a given declaration node is visible in the current scope chain. */
+    isInScope(declarationNode: ts.Node): boolean;
+}
+/**
+ * Register a variable declaration in the scope stack, handling:
+ * - Simple identifiers (`const x`)
+ * - Destructuring patterns (`const { a, b } = obj`, `const [a, b] = arr`)
+ * - `var` hoisting (registers in the nearest function scope, not block scope)
+ * - Catch clause variable binding
+ */
+export declare function registerDeclaration(node: ts.VariableDeclaration, scope: ScopeStack, sourceFile?: ts.SourceFile, declarationsByKey?: Map<string, ts.Node>): void;
+/**
+ * Register all declaration types for a given node in the scope stack.
+ * This is the canonical helper used by all scope-walking code.
+ */
+export declare function registerNodeDeclarations(node: ts.Node, scope: ScopeStack, sourceFile?: ts.SourceFile, declarationsByKey?: Map<string, ts.Node>): void;
+/**
+ * Build a ScopeStack that is populated with all declarations in `sourceFile`.
+ * This performs a full AST walk and registers every variable/const/let/var
+ * declaration, function parameter, catch variable, and function declaration name.
+ *
+ * Returns a Map from each AST node to the ScopeStack state at that point,
+ * keyed by node identity string. This is used for point-in-time resolution.
+ *
+ * For simpler use cases, use `walkWithScope()` instead.
+ */
+export declare function buildDeclarationMap(sourceFile: ts.SourceFile): Map<string, ts.Node>;
+/**
+ * Walk an AST with scope tracking, invoking a callback for each node.
+ * The callback receives the current ScopeStack, which can be used to
+ * resolve identifiers at any point during the walk.
+ *
+ * Declarations are registered automatically for:
+ * - Variable declarations (`const x`, `let y`, `var z` with hoisting)
+ * - Destructuring patterns (`const { a } = obj`, `const [a] = arr`)
+ * - Function declaration names
+ * - Function/method/arrow parameters (including destructured)
+ * - Catch clause variables
+ */
+export declare function walkWithScope(sourceFile: ts.SourceFile, callback: (node: ts.Node, scope: ScopeStack, sourceFile: ts.SourceFile) => void): void;
+//# sourceMappingURL=scope-stack.d.ts.map

package/dist/agents/control_flow/scope-stack.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-stack.d.ts","sourceRoot":"","sources":["../../../src/agents/control_flow/scope-stack.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAM5B;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,CAAC,UAAU,GAAG,MAAM,CAGhF;AAmBD;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,OAAO,CAelD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,OAAO,CAQ1D;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAA;CAAE,EAAE,CAmB3F;AAMD;;;;;;;;;GASG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAoB;IAEjC,0DAA0D;IAC1D,IAAI,KAAK,IAAI,MAAM,CAElB;IAED,iCAAiC;IACjC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,IAAI;IAQ/B,iCAAiC;IACjC,UAAU,IAAI,IAAI;IAIlB,+DAA+D;IAC/D,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,IAAI;IAOjD;;;;OAIG;IACH,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,IAAI;IAgBpD;;;;OAIG;IACH,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,EAAE,CAAC,IAAI,GAAG,SAAS;IAYrD,oFAAoF;IACpF,SAAS,CAAC,eAAe,EAAE,EAAE,CAAC,IAAI,GAAG,OAAO;CAY7C;AAgBD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,EAAE,CAAC,mBAAmB,EAC5B,KAAK,EAAE,UAAU,EACjB,UAAU,CAAC,EAAE,EAAE,CAAC,UAAU,EAC1B,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,GACvC,IAAI,CAeN;AAmCD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,EAAE,CAAC,IAAI,EACb,KAAK,EAAE,UAAU,EACjB,UAAU,CAAC,EAAE,EAAE,CAAC,UAAU,EAC1B,iBAAiB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,GACvC,IAAI,CAyBN;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAqBnF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,UAAU,EAAE,EAAE,CAAC,UAAU,EACzB,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,UAAU,KAAK,IAAI,GAC9E,IAAI,CAuBN"}

package/dist/agents/control_flow/scope-stack.js

@@ -0,0 +1,320 @@
+/**
+ * Scope Stack — Lexical scope tracking for declaration-identity resolution.
+ *
+ * Provides a scope stack that maps variable names to their declaring AST nodes,
+ * enabling scope-aware variable resolution without a full TypeChecker.
+ *
+ * Used by safe-source-detector and vulnerability-detector to replace name-based
+ * tracking with declaration-identity tracking.
+ */
+import ts from 'typescript';
+// =============================================================================
+// Identity Key Helper
+// =============================================================================
+/**
+ * Produce a deterministic identity string for an AST node.
+ * Format: `file:line:col` (1-based line, 0-based column).
+ *
+ * IMPORTANT: Never embed ts.Node references in serializable data structures.
+ * Use this helper to produce a stable key for maps, sets, and stored state.
+ */
+export function nodeIdentityKey(node, sourceFile) {
+    const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart(sourceFile));
+    return `${sourceFile.fileName}:${line + 1}:${character}`;
+}
+// =============================================================================
+// Scope-Creating Node Detection
+// =============================================================================
+/**
+ * Returns true if `node` introduces a new lexical scope.
+ */
+export function isScopeNode(node) {
+    return (ts.isSourceFile(node) ||
+        ts.isBlock(node) ||
+        ts.isFunctionDeclaration(node) ||
+        ts.isFunctionExpression(node) ||
+        ts.isArrowFunction(node) ||
+        ts.isMethodDeclaration(node) ||
+        ts.isClassDeclaration(node) ||
+        ts.isClassExpression(node) ||
+        ts.isForStatement(node) ||
+        ts.isForOfStatement(node) ||
+        ts.isForInStatement(node) ||
+        ts.isCatchClause(node));
+}
+/**
+ * Returns true if `node` introduces a function-level scope (not block-level).
+ * Used to determine the correct scope for `var` declarations, which are hoisted
+ * to the enclosing function (or source file) rather than the enclosing block.
+ */
+export function isFunctionScopeNode(node) {
+    return (ts.isSourceFile(node) ||
+        ts.isFunctionDeclaration(node) ||
+        ts.isFunctionExpression(node) ||
+        ts.isArrowFunction(node) ||
+        ts.isMethodDeclaration(node));
+}
+/**
+ * Extract all binding identifiers from a BindingName (handles destructuring).
+ *
+ * For simple identifiers: `const x = 1` -> ['x']
+ * For object destructuring: `const { a, b: c } = obj` -> ['a', 'c']
+ * For array destructuring: `const [a, , b] = arr` -> ['a', 'b']
+ * For nested: `const { a: [b, c] } = obj` -> ['b', 'c']
+ */
+export function extractBindingNames(name) {
+    const result = [];
+    if (ts.isIdentifier(name)) {
+        result.push({ name: name.text, node: name });
+    }
+    else if (ts.isObjectBindingPattern(name)) {
+        for (const element of name.elements) {
+            result.push(...extractBindingNames(element.name));
+        }
+    }
+    else if (ts.isArrayBindingPattern(name)) {
+        for (const element of name.elements) {
+            if (ts.isBindingElement(element)) {
+                result.push(...extractBindingNames(element.name));
+            }
+            // OmittedExpression (holes like `[, , x]`) are skipped
+        }
+    }
+    return result;
+}
+// =============================================================================
+// ScopeStack Class
+// =============================================================================
+/**
+ * A lexical scope stack for resolving identifier names to declaration nodes.
+ *
+ * Usage:
+ * 1. Walk the AST. On entering a scope-creating node, call `enterScope(node)`.
+ * 2. For each variable/const/let declaration, call `addDeclaration(name, declNode)`.
+ * 3. To resolve an identifier, call `resolveDeclaration(name)` — returns the
+ *    innermost declaration node for that name, or undefined if not found.
+ * 4. On leaving a scope-creating node, call `leaveScope()`.
+ */
+export class ScopeStack {
+    stack = [];
+    /** Current nesting depth (0 when no scope is entered). */
+    get depth() {
+        return this.stack.length;
+    }
+    /** Enter a new lexical scope. */
+    enterScope(node) {
+        this.stack.push({
+            node,
+            declarations: new Map(),
+            depth: this.stack.length,
+        });
+    }
+    /** Leave the innermost scope. */
+    leaveScope() {
+        this.stack.pop();
+    }
+    /** Register a declaration in the current (innermost) scope. */
+    addDeclaration(name, node) {
+        const top = this.stack[this.stack.length - 1];
+        if (top) {
+            top.declarations.set(name, node);
+        }
+    }
+    /**
+     * Register a `var` declaration in the nearest function-level scope.
+     * `var` is hoisted to the enclosing function (or source file), not
+     * the enclosing block.
+     */
+    addVarDeclaration(name, node) {
+        for (let i = this.stack.length - 1; i >= 0; i--) {
+            const frame = this.stack[i];
+            if (!frame)
+                continue;
+            if (isFunctionScopeNode(frame.node)) {
+                frame.declarations.set(name, node);
+                return;
+            }
+        }
+        // Fallback: if no function scope found, use the outermost scope
+        const outermost = this.stack[0];
+        if (outermost) {
+            outermost.declarations.set(name, node);
+        }
+    }
+    /**
+     * Resolve a name to its declaring node by walking the stack from innermost
+     * scope outward. Returns the declaring node, or undefined if the name is
+     * not declared in any enclosing scope.
+     */
+    resolveDeclaration(name) {
+        for (let i = this.stack.length - 1; i >= 0; i--) {
+            const frame = this.stack[i];
+            if (!frame)
+                continue;
+            const decl = frame.declarations.get(name);
+            if (decl !== undefined) {
+                return decl;
+            }
+        }
+        return undefined;
+    }
+    /** Check whether a given declaration node is visible in the current scope chain. */
+    isInScope(declarationNode) {
+        for (let i = this.stack.length - 1; i >= 0; i--) {
+            const frame = this.stack[i];
+            if (!frame)
+                continue;
+            for (const node of frame.declarations.values()) {
+                if (node === declarationNode) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
+// =============================================================================
+// Scope-Walking Helpers
+// =============================================================================
+/**
+ * Determine if a variable declaration uses `var` (function-scoped hoisting).
+ */
+function isVarDeclaration(node) {
+    const declList = node.parent;
+    if (!ts.isVariableDeclarationList(declList))
+        return false;
+    // Neither Const nor Let flag means `var`
+    return !(declList.flags & ts.NodeFlags.Const) && !(declList.flags & ts.NodeFlags.Let);
+}
+/**
+ * Register a variable declaration in the scope stack, handling:
+ * - Simple identifiers (`const x`)
+ * - Destructuring patterns (`const { a, b } = obj`, `const [a, b] = arr`)
+ * - `var` hoisting (registers in the nearest function scope, not block scope)
+ * - Catch clause variable binding
+ */
+export function registerDeclaration(node, scope, sourceFile, declarationsByKey) {
+    const isVar = isVarDeclaration(node);
+    const bindings = extractBindingNames(node.name);
+    for (const { name, node: _bindingNode } of bindings) {
+        if (isVar) {
+            scope.addVarDeclaration(name, node);
+        }
+        else {
+            scope.addDeclaration(name, node);
+        }
+        if (sourceFile && declarationsByKey) {
+            const key = nodeIdentityKey(node, sourceFile);
+            declarationsByKey.set(key, node);
+        }
+    }
+}
+/**
+ * Register function parameters (including destructured) in the scope stack.
+ */
+function registerParams(node, scope, sourceFile, declarationsByKey) {
+    for (const param of node.parameters) {
+        const bindings = extractBindingNames(param.name);
+        for (const { name } of bindings) {
+            scope.addDeclaration(name, param);
+            if (sourceFile && declarationsByKey) {
+                const key = nodeIdentityKey(param, sourceFile);
+                declarationsByKey.set(key, param);
+            }
+        }
+    }
+}
+/**
+ * Register a catch clause variable in the scope stack.
+ */
+function registerCatchBinding(node, scope) {
+    if (node.variableDeclaration) {
+        const bindings = extractBindingNames(node.variableDeclaration.name);
+        for (const { name } of bindings) {
+            scope.addDeclaration(name, node.variableDeclaration);
+        }
+    }
+}
+/**
+ * Register all declaration types for a given node in the scope stack.
+ * This is the canonical helper used by all scope-walking code.
+ */
+export function registerNodeDeclarations(node, scope, sourceFile, declarationsByKey) {
+    if (ts.isVariableDeclaration(node)) {
+        registerDeclaration(node, scope, sourceFile, declarationsByKey);
+    }
+    if (ts.isFunctionDeclaration(node) && node.name) {
+        scope.addDeclaration(node.name.text, node);
+        if (sourceFile && declarationsByKey) {
+            const key = nodeIdentityKey(node, sourceFile);
+            declarationsByKey.set(key, node);
+        }
+    }
+    if (ts.isFunctionDeclaration(node) ||
+        ts.isFunctionExpression(node) ||
+        ts.isArrowFunction(node) ||
+        ts.isMethodDeclaration(node)) {
+        registerParams(node, scope, sourceFile, declarationsByKey);
+    }
+    if (ts.isCatchClause(node)) {
+        registerCatchBinding(node, scope);
+    }
+}
+/**
+ * Build a ScopeStack that is populated with all declarations in `sourceFile`.
+ * This performs a full AST walk and registers every variable/const/let/var
+ * declaration, function parameter, catch variable, and function declaration name.
+ *
+ * Returns a Map from each AST node to the ScopeStack state at that point,
+ * keyed by node identity string. This is used for point-in-time resolution.
+ *
+ * For simpler use cases, use `walkWithScope()` instead.
+ */
+export function buildDeclarationMap(sourceFile) {
+    const declarationsByKey = new Map();
+    const scope = new ScopeStack();
+    const visit = (node) => {
+        const isScope = isScopeNode(node);
+        if (isScope) {
+            scope.enterScope(node);
+        }
+        registerNodeDeclarations(node, scope, sourceFile, declarationsByKey);
+        ts.forEachChild(node, visit);
+        if (isScope) {
+            scope.leaveScope();
+        }
+    };
+    visit(sourceFile);
+    return declarationsByKey;
+}
+/**
+ * Walk an AST with scope tracking, invoking a callback for each node.
+ * The callback receives the current ScopeStack, which can be used to
+ * resolve identifiers at any point during the walk.
+ *
+ * Declarations are registered automatically for:
+ * - Variable declarations (`const x`, `let y`, `var z` with hoisting)
+ * - Destructuring patterns (`const { a } = obj`, `const [a] = arr`)
+ * - Function declaration names
+ * - Function/method/arrow parameters (including destructured)
+ * - Catch clause variables
+ */
+export function walkWithScope(sourceFile, callback) {
+    const scope = new ScopeStack();
+    const visit = (node) => {
+        const isScope = isScopeNode(node);
+        if (isScope) {
+            scope.enterScope(node);
+        }
+        registerNodeDeclarations(node, scope);
+        // Invoke user callback
+        callback(node, scope, sourceFile);
+        // Visit children
+        ts.forEachChild(node, visit);
+        if (isScope) {
+            scope.leaveScope();
+        }
+    };
+    visit(sourceFile);
+}
+//# sourceMappingURL=scope-stack.js.map

package/dist/agents/control_flow/scope-stack.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-stack.js","sourceRoot":"","sources":["../../../src/agents/control_flow/scope-stack.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAE5B,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,IAAa,EAAE,UAAyB;IACtE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IAChG,OAAO,GAAG,UAAU,CAAC,QAAQ,IAAI,IAAI,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;AAC3D,CAAC;AAeD,gFAAgF;AAChF,gCAAgC;AAChC,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAa;IACvC,OAAO,CACL,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC;QACrB,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAChB,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;QAC9B,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;QAC7B,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;QACxB,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC;QAC5B,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC;QAC3B,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;QAC1B,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC;QACvB,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;QACzB,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC;QACzB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CACvB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,OAAO,CACL,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC;QACrB,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;QAC9B,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;QAC7B,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;QACxB,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAoB;IACtD,MAAM,MAAM,GAAsC,EAAE,CAAC;IAErD,IAAI,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;SAAM,IAAI,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;SAAM,IAAI,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,EAAE,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACpD,CAAC;YACD,uDAAuD;QACzD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,OAAO,UAAU;IACb,KAAK,GAAiB,EAAE,CAAC;IAEjC,0DAA0D;IAC1D,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED,iCAAiC;IACjC,UAAU,CAAC,IAAa;QACtB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,YAAY,EAAE,IAAI,GAAG,EAAE;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM;SACzB,CAAC,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACnB,CAAC;IAED,+DAA+D;IAC/D,cAAc,CAAC,IAAY,EAAE,IAAa;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,iBAAiB,CAAC,IAAY,EAAE,IAAa;QAC3C,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,IAAI,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpC,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBACnC,OAAO;YACT,CAAC;QACH,CAAC;QACD,gEAAgE;QAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,kBAAkB,CAAC,IAAY;QAC7B,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,MAAM,IAAI,GAAG,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,oFAAoF;IACpF,SAAS,CAAC,eAAwB;QAChC,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC/C,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;oBAC7B,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;GAEG;AACH,SAAS,gBAAgB,CAAC,IAA4B;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,yCAAyC;IACzC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;AACxF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAA4B,EAC5B,KAAiB,EACjB,UAA0B,EAC1B,iBAAwC;IAExC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhD,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,QAAQ,EAAE,CAAC;QACpD,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,UAAU,IAAI,iBAAiB,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC9C,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,IAA8F,EAC9F,KAAiB,EACjB,UAA0B,EAC1B,iBAAwC;IAExC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjD,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAClC,IAAI,UAAU,IAAI,iBAAiB,EAAE,CAAC;gBACpC,MAAM,GAAG,GAAG,eAAe,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;gBAC/C,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAoB,EAAE,KAAiB;IACnE,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACpE,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,QAAQ,EAAE,CAAC;YAChC,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAa,EACb,KAAiB,EACjB,UAA0B,EAC1B,iBAAwC;IAExC,IAAI,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,mBAAmB,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAChD,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,UAAU,IAAI,iBAAiB,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC9C,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,IACE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC;QAC9B,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC;QAC7B,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;QACxB,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAC5B,CAAC;QACD,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,oBAAoB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAAyB;IAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAmB,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;IAE/B,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;QACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAED,wBAAwB,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;QAErE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAE7B,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,CAAC;IACH,CAAC,CAAC;IAEF,KAAK,CAAC,UAAU,CAAC,CAAC;IAClB,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,aAAa,CAC3B,UAAyB,EACzB,QAA+E;IAE/E,MAAM,KAAK,GAAG,IAAI,UAAU,EAAE,CAAC;IAE/B,MAAM,KAAK,GAAG,CAAC,IAAa,EAAQ,EAAE;QACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAED,wBAAwB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAEtC,uBAAuB;QACvB,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAElC,iBAAiB;QACjB,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAE7B,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,CAAC;IACH,CAAC,CAAC;IAEF,KAAK,CAAC,UAAU,CAAC,CAAC;AACpB,CAAC"}

package/dist/agents/control_flow/vulnerability-detector.d.ts

@@ -57,16 +57,29 @@ export declare class VulnerabilityDetector {
      * Find the variable a source is assigned to.
      */
     private findAssignedVariable;
+    private findAssignedBinding;
+    private nodeLocation;
     /**
      * Track taint propagation through variable assignments.
+     * Uses a scope stack to resolve identifiers to their declaring nodes,
+     * keying taint entries by declaration identity instead of raw name.
      */
     private trackTaint;
     /**
      * Find if an expression uses a tainted variable.
+     * Resolves identifiers to their declaring nodes via the scope stack,
+     * then matches by declaration identity key rather than raw name.
+     * Falls back to name-based matching for taint entries without a declaration key
+     * (e.g., initial source entries that weren't resolved during the walk).
      */
     private findTaintInExpression;
     /**
      * Find the affected variable for a sink.
+     *
+     * Parses the sink's AST sub-tree to find identifiers, resolves each to its
+     * declaration via the scope stack, and matches against tainted entries by
+     * declaration identity key. Falls back to name-based matching for taint
+     * entries without a declaration key.
      */
     private findAffectedVariable;
     /**

package/dist/agents/control_flow/vulnerability-detector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vulnerability-detector.d.ts","sourceRoot":"","sources":["../../../src/agents/control_flow/vulnerability-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,KAAK,EAAqB,sBAAsB,EAAkB,MAAM,YAAY,CAAC;AAC5F,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAa,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AAoK7D;;;GAGG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,cAAc,CAAkB;gBAE5B,MAAM,CAAC,EAAE,cAAc;IAMnC;;;;OAIG;IACH,YAAY,CACV,UAAU,EAAE,EAAE,CAAC,UAAU,EACzB,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,uBAAuB,GAC5B,sBAAsB,EAAE;IAoC3B;;OAEG;IACH,OAAO,CAAC,SAAS;IAuBjB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA4ClC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA+B9B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA+BlC;;OAEG;IACH,OAAO,CAAC,WAAW;IAsBnB;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAoCpC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAsCnC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAoB5B;;OAEG;IACH,OAAO,CAAC,UAAU;IAuDlB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAmB7B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAiC5B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAuB7B;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAkB5B;AAMD;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,CAAC,EAAE,cAAc,GAAG,qBAAqB,CAE1F"}
+{"version":3,"file":"vulnerability-detector.d.ts","sourceRoot":"","sources":["../../../src/agents/control_flow/vulnerability-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,KAAK,EAAqB,sBAAsB,EAAkB,MAAM,YAAY,CAAC;AAC5F,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAa,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AAqM7D;;;GAGG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,cAAc,CAAkB;gBAE5B,MAAM,CAAC,EAAE,cAAc;IAMnC;;;;OAIG;IACH,YAAY,CACV,UAAU,EAAE,EAAE,CAAC,UAAU,EACzB,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,uBAAuB,GAC5B,sBAAsB,EAAE;IAiD3B;;OAEG;IACH,OAAO,CAAC,SAAS;IAuBjB;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA4ClC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA+B9B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA+BlC;;OAEG;IACH,OAAO,CAAC,WAAW;IA+BnB;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAmCpC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAqCnC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAoB5B,OAAO,CAAC,mBAAmB;IAsC3B,OAAO,CAAC,YAAY;IASpB;;;;OAIG;IACH,OAAO,CAAC,UAAU;IAuJlB;;;;;;OAMG;IACH,OAAO,CAAC,qBAAqB;IAgC7B;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAgG5B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAuB7B;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAkB5B;AAMD;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,CAAC,EAAE,cAAc,GAAG,qBAAqB,CAE1F"}