@rigour-labs/core 3.0.2 → 3.0.4

package/dist/gates/deprecated-apis.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/deprecated-apis.test.js

@@ -0,0 +1,288 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+const mockFindFiles = vi.hoisted(() => vi.fn());
+const mockReadFile = vi.hoisted(() => vi.fn());
+vi.mock('../utils/scanner.js', () => ({
+    FileScanner: { findFiles: mockFindFiles },
+}));
+vi.mock('fs-extra', () => ({
+    default: {
+        readFile: mockReadFile,
+        pathExists: vi.fn().mockResolvedValue(false),
+        pathExistsSync: vi.fn().mockReturnValue(false),
+        readFileSync: vi.fn().mockReturnValue(''),
+        readJson: vi.fn().mockResolvedValue(null),
+        readdirSync: vi.fn().mockReturnValue([]),
+    },
+}));
+import { DeprecatedApisGate } from './deprecated-apis.js';
+describe('DeprecatedApisGate — Node.js Security', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag new Buffer() as security-critical', async () => {
+        mockFindFiles.mockResolvedValue(['src/handler.js']);
+        mockReadFile.mockResolvedValue(`
+const buf = new Buffer(100);
+const buf2 = new Buffer('hello');
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        const secFail = failures.find(f => f.title === 'Security-Deprecated APIs');
+        expect(secFail).toBeDefined();
+        expect(secFail.severity).toBe('critical');
+        expect(secFail.details).toContain('Buffer');
+    });
+    it('should flag crypto.createCipher as security-critical', async () => {
+        mockFindFiles.mockResolvedValue(['src/encrypt.ts']);
+        mockReadFile.mockResolvedValue(`
+import crypto from 'crypto';
+const cipher = crypto.createCipher('aes-256-cbc', 'password');
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('createCipher');
+    });
+    it('should flag document.write() as security risk', async () => {
+        mockFindFiles.mockResolvedValue(['src/page.tsx']);
+        mockReadFile.mockResolvedValue(`
+document.write('<script>alert("xss")</script>');
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('document.write');
+    });
+    it('should flag eval() as security risk', async () => {
+        mockFindFiles.mockResolvedValue(['src/dynamic.js']);
+        mockReadFile.mockResolvedValue(`
+const result = eval(userInput);
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('eval');
+    });
+});
+describe('DeprecatedApisGate — Node.js Superseded', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag url.parse() as superseded', async () => {
+        mockFindFiles.mockResolvedValue(['src/router.ts']);
+        mockReadFile.mockResolvedValue(`
+import url from 'url';
+const parsed = url.parse(req.url);
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('url.parse');
+    });
+    it('should flag fs.exists() as superseded', async () => {
+        mockFindFiles.mockResolvedValue(['src/checker.ts']);
+        mockReadFile.mockResolvedValue(`
+const fs = require('fs');
+fs.exists('/tmp/test', (exists) => {});
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('fs.exists');
+    });
+    it('should flag require("domain") as removed', async () => {
+        mockFindFiles.mockResolvedValue(['src/app.js']);
+        mockReadFile.mockResolvedValue(`
+const domain = require('domain');
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('domain');
+    });
+});
+describe('DeprecatedApisGate — Python', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag pickle.loads() as security risk', async () => {
+        mockFindFiles.mockResolvedValue(['handler.py']);
+        mockReadFile.mockResolvedValue(`
+import pickle
+data = pickle.loads(untrusted_input)
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('pickle');
+    });
+    it('should flag os.system() as security risk', async () => {
+        mockFindFiles.mockResolvedValue(['runner.py']);
+        mockReadFile.mockResolvedValue(`
+import os
+os.system(user_command)
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('os.system');
+    });
+    it('should flag subprocess with shell=True', async () => {
+        mockFindFiles.mockResolvedValue(['runner.py']);
+        mockReadFile.mockResolvedValue(`
+import subprocess
+subprocess.run(cmd, shell=True)
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('shell=True');
+    });
+    it('should flag import imp as removed', async () => {
+        mockFindFiles.mockResolvedValue(['loader.py']);
+        mockReadFile.mockResolvedValue(`
+import imp
+module = imp.load_source('name', 'path')
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('imp');
+    });
+    it('should flag from distutils as removed', async () => {
+        mockFindFiles.mockResolvedValue(['setup.py']);
+        mockReadFile.mockResolvedValue(`
+from distutils.core import setup
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('distutils');
+    });
+    it('should flag typing.Dict as superseded', async () => {
+        mockFindFiles.mockResolvedValue(['models.py']);
+        mockReadFile.mockResolvedValue(`
+from typing import Dict, List, Optional
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+    });
+    it('should not flag when disabled', async () => {
+        const disabled = new DeprecatedApisGate({ enabled: false });
+        const failures = await disabled.run({ cwd: '/project' });
+        expect(failures).toHaveLength(0);
+    });
+});
+describe('DeprecatedApisGate — Go', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag ioutil usage as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['main.go']);
+        mockReadFile.mockResolvedValue(`
+package main
+import "io/ioutil"
+func main() {
+    data, _ := ioutil.ReadFile("test.txt")
+    ioutil.WriteFile("out.txt", data, 0644)
+}
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('ioutil');
+    });
+    it('should flag strings.Title as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['util.go']);
+        mockReadFile.mockResolvedValue(`
+package util
+import "strings"
+func Title(s string) string {
+    return strings.Title(s)
+}
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('strings.Title');
+    });
+});
+describe('DeprecatedApisGate — C#', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag BinaryFormatter as security-deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['Serializer.cs']);
+        mockReadFile.mockResolvedValue(`
+using System.Runtime.Serialization.Formatters.Binary;
+var formatter = new BinaryFormatter();
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('BinaryFormatter');
+    });
+    it('should flag WebClient as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['HttpHelper.cs']);
+        mockReadFile.mockResolvedValue(`
+using System.Net;
+var client = new WebClient();
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('WebClient');
+    });
+    it('should flag Thread.Abort as removed', async () => {
+        mockFindFiles.mockResolvedValue(['Worker.cs']);
+        mockReadFile.mockResolvedValue(`
+using System.Threading;
+Thread.Abort();
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+    });
+});
+describe('DeprecatedApisGate — Java', () => {
+    let gate;
+    beforeEach(() => {
+        gate = new DeprecatedApisGate();
+        vi.clearAllMocks();
+    });
+    it('should flag Vector and Hashtable as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['Legacy.java']);
+        mockReadFile.mockResolvedValue(`
+import java.util.*;
+Vector<String> v = new Vector<String>();
+Hashtable<String, Integer> ht = new Hashtable<String, Integer>();
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+    });
+    it('should flag new Integer() as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['Boxing.java']);
+        mockReadFile.mockResolvedValue(`
+Integer x = new Integer(42);
+Long y = new Long(100L);
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toMatch(/Integer|Long/);
+    });
+    it('should flag Thread.stop as security-deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['ThreadManager.java']);
+        mockReadFile.mockResolvedValue(`
+thread.stop();
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+    });
+    it('should flag finalize() as deprecated', async () => {
+        mockFindFiles.mockResolvedValue(['Resource.java']);
+        mockReadFile.mockResolvedValue(`
+class Resource {
+    protected void finalize() throws Throwable {
+        super.finalize();
+    }
+}
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures.length).toBeGreaterThanOrEqual(1);
+        expect(failures[0].details).toContain('finalize');
+    });
+});

package/dist/gates/hallucinated-imports.d.ts

@@ -6,17 +6,18 @@
  * statements for packages, files, or modules that were never installed
  * or created.
  *
- * Detection strategy:
- * 1. Parse all import/require statements
- * 2. For relative imports: verify the target file exists
- * 3. For package imports: verify the package exists in node_modules or package.json
- * 4. For Python imports: verify the module exists in the project or site-packages
- * 5. For Go imports: verify relative package paths exist in the project
- * 6. For Ruby/C#: verify relative require/using paths exist
- *
- * Supported languages: JS/TS, Python, Go, Ruby, C#
+ * Supported languages (v3.0.1):
+ *   JS/TS  — package.json deps, node_modules fallback, Node.js builtins (22.x)
+ *   Python — stdlib whitelist (3.12+), relative imports, local module resolution
+ *   Go     — stdlib whitelist (1.22+), go.mod module path, aliased imports
+ *   Ruby   — stdlib whitelist (3.3+), Gemfile parsing, require + require_relative
+ *   C#     — .NET 8 framework namespaces, .csproj NuGet parsing, using directives
+ *   Rust   — std/core/alloc crates, Cargo.toml deps, use/extern crate statements
+ *   Java   — java/javax/jakarta stdlib, build.gradle + pom.xml deps, import statements
+ *   Kotlin — kotlin/kotlinx stdlib, Gradle deps, import statements
  *
  * @since v2.16.0
+ * @since v3.0.1 — Go stdlib fix, Ruby/C# strengthened, Rust/Java/Kotlin added
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';
@@ -24,7 +25,7 @@ export interface HallucinatedImport {
     file: string;
     line: number;
     importPath: string;
-    type: 'relative' | 'package' | 'python' | 'go' | 'ruby' | 'csharp';
+    type: 'relative' | 'package' | 'python' | 'go' | 'ruby' | 'csharp' | 'rust' | 'java' | 'kotlin';
     reason: string;
 }
 export interface HallucinatedImportsConfig {
@@ -43,6 +44,10 @@ export declare class HallucinatedImportsGate extends Gate {
     private resolveRelativeImport;
     private extractPackageName;
     private shouldIgnore;
+    /**
+     * Node.js built-in modules — covers Node.js 18/20/22 LTS
+     * No third-party packages in this list (removed fs-extra hack).
+     */
     private isNodeBuiltin;
     private isPythonStdlib;
     /**
@@ -67,13 +72,74 @@ export declare class HallucinatedImportsGate extends Gate {
      */
     private isGoStdlib;
     /**
-     * Check Ruby imports — verify require_relative paths exist
+     * Check Ruby imports — require, require_relative, Gemfile verification
+     *
+     * Strategy:
+     *  1. require_relative: verify target .rb file exists in project
+     *  2. require: skip stdlib, skip gems from Gemfile/gemspec, flag unknown local requires
+     *
+     * @since v3.0.1 — strengthened with stdlib whitelist and Gemfile parsing
      */
     private checkRubyImports;
+    /** Load gem names from Gemfile */
+    private loadRubyGems;
     /**
-     * Check C# imports — verify relative using paths match project namespaces
-     * (C# uses namespaces, not file paths — we check for obviously wrong namespaces)
+     * Ruby standard library — covers Ruby 3.3+ (MRI)
+     * Includes both the default gems and bundled gems that ship with Ruby.
+     */
+    private isRubyStdlib;
+    /**
+     * Check C# imports — using directives against .NET framework, NuGet, and project
+     *
+     * Strategy:
+     *  1. Skip .NET framework namespaces (System.*, Microsoft.*, etc.)
+     *  2. Skip NuGet packages from .csproj PackageReference
+     *  3. Flag project-relative namespaces that don't resolve
+     *
+     * @since v3.0.1 — .csproj NuGet parsing, comprehensive framework namespace list
      */
     private checkCSharpImports;
+    /** Check if any .csproj file exists in the project root */
+    private hasCsprojFile;
+    /** Parse .csproj files for PackageReference names */
+    private loadNuGetPackages;
+    /**
+     * .NET 8 framework and common ecosystem namespaces
+     * Covers BCL, ASP.NET, EF Core, and major ecosystem packages
+     */
+    private isDotNetFramework;
+    /**
+     * Check Rust imports — use/extern crate against std/core/alloc and Cargo.toml
+     *
+     * Strategy:
+     *  1. Skip Rust std, core, alloc crates
+     *  2. Skip crates listed in Cargo.toml [dependencies]
+     *  3. Flag unknown extern crate and use statements for project modules that don't exist
+     *
+     * @since v3.0.1
+     */
+    private checkRustImports;
+    /** Load dependency names from Cargo.toml */
+    private loadCargoDeps;
+    /** Rust standard crates — std, core, alloc, proc_macro, and common test crates */
+    private isRustStdCrate;
+    /**
+     * Check Java/Kotlin imports — against stdlib and build dependencies
+     *
+     * Strategy:
+     *  1. Skip java.*, javax.*, jakarta.* (Java stdlib/EE)
+     *  2. Skip kotlin.*, kotlinx.* (Kotlin stdlib)
+     *  3. Skip deps from build.gradle or pom.xml
+     *  4. Flag project-relative imports that don't resolve
+     *
+     * @since v3.0.1
+     */
+    private checkJavaKotlinImports;
+    /** Load dependency group IDs from build.gradle or pom.xml */
+    private loadJavaDeps;
+    /** Java standard library and Jakarta EE namespaces */
+    private isJavaStdlib;
+    /** Kotlin standard library namespaces */
+    private isKotlinStdlib;
     private loadPackageJson;
 }