@rigour-labs/core 3.0.5 → 4.0.0

package/dist/gates/promise-safety.d.ts

@@ -2,15 +2,7 @@
  * Async & Error Safety Gate (Multi-Language)
  *
  * Detects unsafe async/promise/error patterns that AI code generators commonly produce.
- * LLMs understand synchronous control flow well but frequently produce incomplete
- * async and error-handling patterns across all languages.
- *
- * Supported languages:
- *   - JS/TS: .then() without .catch(), JSON.parse without try/catch, async without await, fetch without error handling
- *   - Python: json.loads without try/except, async def without await, requests/httpx without error handling, bare except
- *   - Go: ignored error returns (_, err pattern), json.Unmarshal without error check, http calls without error check
- *   - Ruby: JSON.parse without begin/rescue, Net::HTTP without begin/rescue
- *   - C#/.NET: JsonSerializer without try/catch, HttpClient without try/catch, async without await, .Result/.Wait() deadlocks
+ * Supports: JS/TS, Python, Go, Ruby, C#/.NET
  *
  * @since v2.17.0
  */
@@ -52,17 +44,5 @@ export declare class PromiseSafetyGate extends Gate {
     private detectUnsafeFetchCSharp;
     private detectAsyncWithoutAwaitCSharp;
     private detectDeadlockRiskCSharp;
-    private extractBraceBody;
-    /** Extract Python indented body after a colon */
-    private extractIndentedBody;
-    /** Check if line is inside try block (JS/TS/C# — brace-based) */
-    private isInsideTryBlock;
-    /** Check if line is inside Python try block (indent-based) */
-    private isInsidePythonTry;
-    /** Check if line is inside Ruby begin/rescue block */
-    private isInsideRubyRescue;
-    private hasCatchAhead;
-    private hasStatusCheckAhead;
-    private stripStrings;
     private buildFailures;
 }

package/dist/gates/promise-safety.js

@@ -2,39 +2,17 @@
  * Async & Error Safety Gate (Multi-Language)
  *
  * Detects unsafe async/promise/error patterns that AI code generators commonly produce.
- * LLMs understand synchronous control flow well but frequently produce incomplete
- * async and error-handling patterns across all languages.
- *
- * Supported languages:
- *   - JS/TS: .then() without .catch(), JSON.parse without try/catch, async without await, fetch without error handling
- *   - Python: json.loads without try/except, async def without await, requests/httpx without error handling, bare except
- *   - Go: ignored error returns (_, err pattern), json.Unmarshal without error check, http calls without error check
- *   - Ruby: JSON.parse without begin/rescue, Net::HTTP without begin/rescue
- *   - C#/.NET: JsonSerializer without try/catch, HttpClient without try/catch, async without await, .Result/.Wait() deadlocks
+ * Supports: JS/TS, Python, Go, Ruby, C#/.NET
  *
  * @since v2.17.0
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
 import { Logger } from '../utils/logger.js';
+import { LANG_EXTENSIONS, LANG_GLOBS } from './promise-safety-rules.js';
+import { extractBraceBody, extractIndentedBody, isInsideTryBlock, isInsidePythonTry, isInsideRubyRescue, hasCatchAhead, hasStatusCheckAhead } from './promise-safety-helpers.js';
 import fs from 'fs-extra';
 import path from 'path';
-// ─── Language Detection ───────────────────────────────────────────
-const LANG_EXTENSIONS = {
-    '.ts': 'js', '.tsx': 'js', '.js': 'js', '.jsx': 'js', '.mjs': 'js', '.cjs': 'js',
-    '.py': 'python', '.pyw': 'python',
-    '.go': 'go',
-    '.rb': 'ruby', '.rake': 'ruby',
-    '.cs': 'csharp',
-};
-const LANG_GLOBS = {
-    js: ['**/*.{ts,js,tsx,jsx,mjs,cjs}'],
-    python: ['**/*.py'],
-    go: ['**/*.go'],
-    ruby: ['**/*.rb'],
-    csharp: ['**/*.cs'],
-    unknown: [],
-};
 function detectLang(filePath) {
     const ext = path.extname(filePath).toLowerCase();
     return LANG_EXTENSIONS[ext] || 'unknown';
@@ -57,7 +35,6 @@ export class PromiseSafetyGate extends Gate {
         if (!this.config.enabled)
             return [];
         const violations = [];
-        // Scan all supported languages
         const allPatterns = Object.values(LANG_GLOBS).flat();
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
@@ -79,33 +56,19 @@ export class PromiseSafetyGate extends Gate {
                 const lines = content.split('\n');
                 this.scanFile(lang, lines, content, file, violations);
             }
-            catch { /* skip unreadable files */ }
+            catch { /* skip */ }
         }
         return this.buildFailures(violations);
     }
-    // ─── Multi-Language Dispatcher ────────────────────────
     scanFile(lang, lines, content, file, violations) {
         switch (lang) {
-            case 'js':
-                this.scanJS(lines, content, file, violations);
-                break;
-            case 'python':
-                this.scanPython(lines, content, file, violations);
-                break;
-            case 'go':
-                this.scanGo(lines, content, file, violations);
-                break;
-            case 'ruby':
-                this.scanRuby(lines, content, file, violations);
-                break;
-            case 'csharp':
-                this.scanCSharp(lines, content, file, violations);
-                break;
+            case 'js': return this.scanJS(lines, content, file, violations);
+            case 'python': return this.scanPython(lines, content, file, violations);
+            case 'go': return this.scanGo(lines, content, file, violations);
+            case 'ruby': return this.scanRuby(lines, content, file, violations);
+            case 'csharp': return this.scanCSharp(lines, content, file, violations);
         }
     }
-    // ═══════════════════════════════════════════════════════
-    // JS/TS Checks
-    // ═══════════════════════════════════════════════════════
     scanJS(lines, content, file, violations) {
         if (this.config.check_unhandled_then)
             this.detectUnhandledThen(lines, file, violations);
@@ -129,36 +92,29 @@ export class PromiseSafetyGate extends Gate {
                 if (j > i && /^(?:const|let|var|function|class|export|import|if|for|while|return)\b/.test(lines[j].trim()))
                     break;
             }
-            if (!hasCatch)
-                hasCatch = this.isInsideTryBlock(lines, i);
-            const isStored = /(?:const|let|var)\s+\w+\s*=/.test(lines[i]);
-            if (!hasCatch && !isStored) {
+            if (!hasCatch && !isInsideTryBlock(lines, i) && !/(?:const|let|var)\s+\w+\s*=/.test(lines[i])) {
                 violations.push({ file, line: i + 1, type: 'unhandled-then', code: lines[i].trim().substring(0, 80), reason: `.then() chain without .catch() — unhandled promise rejection` });
             }
         }
     }
     detectUnsafeParseJS(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/JSON\.parse\s*\(/.test(lines[i]) && !this.isInsideTryBlock(lines, i)) {
+            if (/JSON\.parse\s*\(/.test(lines[i]) && !isInsideTryBlock(lines, i)) {
                 violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON.parse() without try/catch — crashes on malformed input` });
             }
         }
     }
     detectAsyncWithoutAwaitJS(content, file, violations) {
-        const patterns = [
-            /async\s+function\s+(\w+)\s*\([^)]*\)\s*\{/g,
-            /(?:const|let|var)\s+(\w+)\s*=\s*async\s+(?:\([^)]*\)|[a-zA-Z_$]\w*)\s*=>\s*\{/g,
-            /async\s+(\w+)\s*\([^)]*\)\s*(?::\s*[^{]+)?\s*\{/g,
-        ];
+        const patterns = [/async\s+function\s+(\w+)\s*\([^)]*\)\s*\{/g, /(?:const|let|var)\s+(\w+)\s*=\s*async\s+(?:\([^)]*\)|[a-zA-Z_$]\w*)\s*=>\s*\{/g];
         for (const pattern of patterns) {
             pattern.lastIndex = 0;
             let match;
             while ((match = pattern.exec(content)) !== null) {
                 const funcName = match[1];
-                const body = this.extractBraceBody(content, match.index + match[0].length);
+                const body = extractBraceBody(content, match.index + match[0].length);
                 if (body && !/\bawait\b/.test(body) && body.trim().split('\n').length > 2) {
                     const lineNum = content.substring(0, match.index).split('\n').length;
-                    violations.push({ file, line: lineNum, type: 'async-no-await', code: `async ${funcName}()`, reason: `async function '${funcName}' never uses await — unnecessary async or missing await` });
+                    violations.push({ file, line: lineNum, type: 'async-no-await', code: `async ${funcName}()`, reason: `async function never uses await — unnecessary async or missing await` });
                 }
             }
         }
@@ -167,16 +123,11 @@ export class PromiseSafetyGate extends Gate {
         for (let i = 0; i < lines.length; i++) {
             if (!/\bfetch\s*\(/.test(lines[i]) && !/\baxios\.\w+\s*\(/.test(lines[i]))
                 continue;
-            if (this.isInsideTryBlock(lines, i))
-                continue;
-            if (this.hasCatchAhead(lines, i) || this.hasStatusCheckAhead(lines, i))
+            if (isInsideTryBlock(lines, i) || hasCatchAhead(lines, i) || hasStatusCheckAhead(lines, i))
                 continue;
-            violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling (no try/catch, no .catch(), no .ok check)` });
+            violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling` });
         }
     }
-    // ═══════════════════════════════════════════════════════
-    // Python Checks
-    // ═══════════════════════════════════════════════════════
     scanPython(lines, content, file, violations) {
         if (this.config.check_unsafe_parse)
             this.detectUnsafeParsePython(lines, file, violations);
@@ -188,11 +139,8 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnsafeParsePython(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/json\.loads?\s*\(/.test(lines[i]) && !this.isInsidePythonTry(lines, i)) {
-                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `json.loads() without try/except — crashes on malformed input` });
-            }
-            if (/yaml\.safe_load\s*\(/.test(lines[i]) && !this.isInsidePythonTry(lines, i)) {
-                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `yaml.safe_load() without try/except — crashes on malformed input` });
+            if (/json\.loads?\s*\(/.test(lines[i]) && !isInsidePythonTry(lines, i)) {
+                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `json.loads() without try/except` });
             }
         }
     }
@@ -201,30 +149,27 @@ export class PromiseSafetyGate extends Gate {
         let match;
         while ((match = pattern.exec(content)) !== null) {
             const funcName = match[1];
-            const body = this.extractIndentedBody(content, match.index + match[0].length);
+            const body = extractIndentedBody(content, match.index + match[0].length);
             if (body && !/\bawait\b/.test(body) && body.trim().split('\n').length > 2) {
                 const lineNum = content.substring(0, match.index).split('\n').length;
-                violations.push({ file, line: lineNum, type: 'async-no-await', code: `async def ${funcName}()`, reason: `async def '${funcName}' never uses await — unnecessary async or missing await` });
+                violations.push({ file, line: lineNum, type: 'async-no-await', code: `async def ${funcName}()`, reason: `async def never uses await` });
             }
         }
     }
     detectUnsafeFetchPython(lines, file, violations) {
-        const httpPatterns = /\b(?:requests\.(?:get|post|put|patch|delete)|httpx\.(?:get|post|put|patch|delete)|aiohttp\.ClientSession|urllib\.request\.urlopen)\s*\(/;
+        const httpPatterns = /\b(?:requests|httpx|aiohttp|urllib)\.(?:get|post|ClientSession|urlopen)\s*\(/;
         for (let i = 0; i < lines.length; i++) {
-            if (!httpPatterns.test(lines[i]))
+            if (!httpPatterns.test(lines[i]) || isInsidePythonTry(lines, i))
                 continue;
-            if (this.isInsidePythonTry(lines, i))
-                continue;
-            // Check for raise_for_status() within 10 lines
             let hasCheck = false;
             for (let j = i; j < Math.min(i + 10, lines.length); j++) {
-                if (/raise_for_status\s*\(/.test(lines[j]) || /\.status_code\b/.test(lines[j])) {
+                if (/raise_for_status|status_code/.test(lines[j])) {
                     hasCheck = true;
                     break;
                 }
             }
             if (!hasCheck) {
-                violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling (no try/except, no raise_for_status)` });
+                violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling` });
             }
         }
     }
@@ -232,17 +177,13 @@ export class PromiseSafetyGate extends Gate {
         for (let i = 0; i < lines.length; i++) {
             const trimmed = lines[i].trim();
             if (/^except\s*:/.test(trimmed) || /^except\s+Exception\s*:/.test(trimmed)) {
-                // Check if the except block just passes (swallows errors silently)
                 const nextLine = i + 1 < lines.length ? lines[i + 1].trim() : '';
                 if (nextLine === 'pass' || nextLine === '...') {
-                    violations.push({ file, line: i + 1, type: 'bare-except', code: trimmed, reason: `Bare except with pass — silently swallows all errors` });
+                    violations.push({ file, line: i + 1, type: 'bare-except', code: trimmed, reason: `Bare except with pass — silently swallows errors` });
                 }
             }
         }
     }
-    // ═══════════════════════════════════════════════════════
-    // Go Checks
-    // ═══════════════════════════════════════════════════════
     scanGo(lines, content, file, violations) {
         if (this.config.check_unsafe_parse)
             this.detectUnsafeParseGo(lines, file, violations);
@@ -252,52 +193,26 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnsafeParseGo(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            // json.Unmarshal returns error — check if error is ignored
-            if (/json\.(?:Unmarshal|NewDecoder)/.test(lines[i])) {
-                if (/\b_\s*(?:=|:=)/.test(lines[i]) || !/\berr\b/.test(lines[i])) {
-                    violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON decode with ignored error return — crashes on malformed input` });
-                }
+            if (/json\.(?:Unmarshal|NewDecoder)/.test(lines[i]) && (/\b_\s*(?:=|:=)/.test(lines[i]) || !/\berr\b/.test(lines[i]))) {
+                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON decode with ignored error` });
             }
         }
     }
     detectUnsafeFetchGo(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/http\.(?:Get|Post|Do|Head)\s*\(/.test(lines[i])) {
-                if (/\b_\s*(?:=|:=)/.test(lines[i]) || !/\berr\b/.test(lines[i])) {
-                    violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call with ignored error return — unhandled network errors` });
-                }
-                // Also check if resp.Body is closed (defer resp.Body.Close())
-                let hasClose = false;
-                for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
-                    if (/defer\s+.*\.Body\.Close\(\)/.test(lines[j]) || /\.Body\.Close\(\)/.test(lines[j])) {
-                        hasClose = true;
-                        break;
-                    }
-                }
-                if (!hasClose && /\berr\b/.test(lines[i])) {
-                    // Don't flag if error IS checked — only flag missing Body.Close
-                    // This is a softer check, skip for now to reduce noise
-                }
+            if (/http\.(?:Get|Post|Do|Head)\s*\(/.test(lines[i]) && (/\b_\s*(?:=|:=)/.test(lines[i]) || !/\berr\b/.test(lines[i]))) {
+                violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call with ignored error` });
             }
         }
     }
     detectIgnoredErrorsGo(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            // Detect: result, _ := someFunc() or _ = someFunc()
-            // Only flag when the ignored return is likely an error
             const match = lines[i].match(/(\w+)\s*,\s*_\s*(?::=|=)\s*(\w+)\./);
-            if (match) {
-                const funcCall = lines[i].trim();
-                // Common error-returning functions
-                if (/\b(?:os\.|io\.|ioutil\.|bufio\.|sql\.|net\.|http\.|json\.|xml\.|yaml\.|strconv\.)/.test(funcCall)) {
-                    violations.push({ file, line: i + 1, type: 'ignored-error', code: funcCall.substring(0, 80), reason: `Error return ignored with _ — unhandled error can cause silent failures` });
-                }
+            if (match && /\b(?:os|io|ioutil|bufio|sql|net|http|json|xml|yaml|strconv)\./.test(lines[i].trim())) {
+                violations.push({ file, line: i + 1, type: 'ignored-error', code: lines[i].trim().substring(0, 80), reason: `Error return ignored with _` });
             }
         }
     }
-    // ═══════════════════════════════════════════════════════
-    // Ruby Checks
-    // ═══════════════════════════════════════════════════════
     scanRuby(lines, content, file, violations) {
         if (this.config.check_unsafe_parse)
             this.detectUnsafeParseRuby(lines, file, violations);
@@ -306,26 +221,18 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnsafeParseRuby(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/JSON\.parse\s*\(/.test(lines[i]) && !this.isInsideRubyRescue(lines, i)) {
-                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON.parse without begin/rescue — crashes on malformed input` });
-            }
-            if (/YAML\.(?:safe_)?load\s*\(/.test(lines[i]) && !this.isInsideRubyRescue(lines, i)) {
-                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `YAML.load without begin/rescue — crashes on malformed input` });
+            if (/JSON\.parse\s*\(/.test(lines[i]) && !isInsideRubyRescue(lines, i)) {
+                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON.parse without begin/rescue` });
             }
         }
     }
     detectUnsafeFetchRuby(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/Net::HTTP\.(?:get|post|start)\s*\(/.test(lines[i]) || /HTTParty\.(?:get|post)\s*\(/.test(lines[i]) || /Faraday\.(?:get|post)\s*\(/.test(lines[i])) {
-                if (!this.isInsideRubyRescue(lines, i)) {
-                    violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without begin/rescue — unhandled network errors` });
-                }
+            if (/(?:Net::HTTP|HTTParty|Faraday)\.(?:get|post|start)\s*\(/.test(lines[i]) && !isInsideRubyRescue(lines, i)) {
+                violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without begin/rescue` });
             }
         }
     }
-    // ═══════════════════════════════════════════════════════
-    // C# / .NET Checks
-    // ═══════════════════════════════════════════════════════
     scanCSharp(lines, content, file, violations) {
         if (this.config.check_unsafe_parse)
             this.detectUnsafeParseCSharp(lines, file, violations);
@@ -337,28 +244,24 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnsafeParseCSharp(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/JsonSerializer\.Deserialize/.test(lines[i]) || /JsonConvert\.DeserializeObject/.test(lines[i]) || /JObject\.Parse/.test(lines[i])) {
-                if (!this.isInsideTryBlock(lines, i)) {
-                    violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON deserialization without try/catch — crashes on malformed input` });
-                }
+            if (/JsonSerializer|JsonConvert|JObject/.test(lines[i]) && !isInsideTryBlock(lines, i)) {
+                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON deserialization without try/catch` });
             }
         }
     }
     detectUnsafeFetchCSharp(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/\.GetAsync\s*\(/.test(lines[i]) || /\.PostAsync\s*\(/.test(lines[i]) || /\.SendAsync\s*\(/.test(lines[i]) || /HttpClient\.\w+Async/.test(lines[i])) {
-                if (!this.isInsideTryBlock(lines, i)) {
-                    let hasCheck = false;
-                    for (let j = i; j < Math.min(i + 10, lines.length); j++) {
-                        if (/EnsureSuccessStatusCode/.test(lines[j]) || /\.IsSuccessStatusCode/.test(lines[j]) || /\.StatusCode/.test(lines[j])) {
-                            hasCheck = true;
-                            break;
-                        }
-                    }
-                    if (!hasCheck) {
-                        violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling (no try/catch, no status check)` });
+            if (/\.(?:GetAsync|PostAsync|SendAsync)\s*\(/.test(lines[i]) && !isInsideTryBlock(lines, i)) {
+                let hasCheck = false;
+                for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+                    if (/EnsureSuccess|IsSuccessStatusCode|StatusCode/.test(lines[j])) {
+                        hasCheck = true;
+                        break;
                     }
                 }
+                if (!hasCheck) {
+                    violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling` });
+                }
             }
         }
     }
@@ -367,127 +270,20 @@ export class PromiseSafetyGate extends Gate {
         let match;
         while ((match = pattern.exec(content)) !== null) {
             const funcName = match[1];
-            const body = this.extractBraceBody(content, match.index + match[0].length);
+            const body = extractBraceBody(content, match.index + match[0].length);
             if (body && !/\bawait\b/.test(body) && body.trim().split('\n').length > 2) {
                 const lineNum = content.substring(0, match.index).split('\n').length;
-                violations.push({ file, line: lineNum, type: 'async-no-await', code: `async Task ${funcName}()`, reason: `async method '${funcName}' never uses await — unnecessary async or missing await` });
+                violations.push({ file, line: lineNum, type: 'async-no-await', code: `async Task ${funcName}()`, reason: `async method never uses await` });
             }
         }
     }
     detectDeadlockRiskCSharp(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/\.Result\b/.test(lines[i]) || /\.Wait\(\)/.test(lines[i]) || /\.GetAwaiter\(\)\.GetResult\(\)/.test(lines[i])) {
-                // Common AI mistake: using .Result or .Wait() on async tasks causes deadlocks
-                violations.push({ file, line: i + 1, type: 'deadlock-risk', code: lines[i].trim().substring(0, 80), reason: `.Result/.Wait() on async task — deadlock risk in synchronous context` });
-            }
-        }
-    }
-    // ═══════════════════════════════════════════════════════
-    // Shared Helpers
-    // ═══════════════════════════════════════════════════════
-    extractBraceBody(content, startIdx) {
-        let depth = 1;
-        let idx = startIdx;
-        while (depth > 0 && idx < content.length) {
-            if (content[idx] === '{')
-                depth++;
-            if (content[idx] === '}')
-                depth--;
-            idx++;
-        }
-        return depth === 0 ? content.substring(startIdx, idx - 1) : null;
-    }
-    /** Extract Python indented body after a colon */
-    extractIndentedBody(content, startIdx) {
-        const rest = content.substring(startIdx);
-        const lines = rest.split('\n');
-        if (lines.length < 2)
-            return null;
-        // Find indent level of first non-empty line after the def
-        let bodyIndent = -1;
-        const bodyLines = [];
-        for (let i = 1; i < lines.length; i++) {
-            const line = lines[i];
-            if (line.trim() === '' || line.trim().startsWith('#')) {
-                bodyLines.push(line);
-                continue;
-            }
-            const indent = line.length - line.trimStart().length;
-            if (bodyIndent === -1) {
-                bodyIndent = indent;
+            if (/\.Result\b|\.Wait\(\)|\.GetAwaiter\(\)\.GetResult\(\)/.test(lines[i])) {
+                violations.push({ file, line: i + 1, type: 'deadlock-risk', code: lines[i].trim().substring(0, 80), reason: `.Result/.Wait() on async task — deadlock risk` });
             }
-            if (indent < bodyIndent)
-                break;
-            bodyLines.push(line);
         }
-        return bodyLines.join('\n');
     }
-    /** Check if line is inside try block (JS/TS/C# — brace-based) */
-    isInsideTryBlock(lines, lineIdx) {
-        let braceDepth = 0;
-        for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
-            const prevLine = this.stripStrings(lines[j]);
-            for (const ch of prevLine) {
-                if (ch === '}')
-                    braceDepth++;
-                if (ch === '{')
-                    braceDepth--;
-            }
-            if (/\btry\s*\{/.test(prevLine) && braceDepth <= 0)
-                return true;
-            if (/\}\s*catch\s*\(/.test(prevLine))
-                return false;
-        }
-        return false;
-    }
-    /** Check if line is inside Python try block (indent-based) */
-    isInsidePythonTry(lines, lineIdx) {
-        const lineIndent = lines[lineIdx].length - lines[lineIdx].trimStart().length;
-        for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
-            const trimmed = lines[j].trim();
-            if (trimmed === '')
-                continue;
-            const indent = lines[j].length - lines[j].trimStart().length;
-            if (indent < lineIndent && /^\s*try\s*:/.test(lines[j]))
-                return true;
-            if (indent < lineIndent && /^\s*(?:except|finally)\s*/.test(lines[j]))
-                return false;
-            if (indent === 0 && /^(?:def|class|async\s+def)\s/.test(trimmed))
-                break;
-        }
-        return false;
-    }
-    /** Check if line is inside Ruby begin/rescue block */
-    isInsideRubyRescue(lines, lineIdx) {
-        for (let j = lineIdx - 1; j >= Math.max(0, lineIdx - 30); j--) {
-            const trimmed = lines[j].trim();
-            if (trimmed === 'begin')
-                return true;
-            if (/^rescue\b/.test(trimmed))
-                return false;
-            if (/^(?:def|class|module)\s/.test(trimmed))
-                break;
-        }
-        return false;
-    }
-    hasCatchAhead(lines, idx) {
-        for (let j = idx; j < Math.min(idx + 10, lines.length); j++) {
-            if (/\.catch\s*\(/.test(lines[j]))
-                return true;
-        }
-        return false;
-    }
-    hasStatusCheckAhead(lines, idx) {
-        for (let j = idx; j < Math.min(idx + 10, lines.length); j++) {
-            if (/\.\s*ok\b/.test(lines[j]) || /\.status(?:Text)?\b/.test(lines[j]))
-                return true;
-        }
-        return false;
-    }
-    stripStrings(line) {
-        return line.replace(/`[^`]*`/g, '""').replace(/"[^"]*"/g, '""').replace(/'[^']*'/g, '""');
-    }
-    // ─── Failure Aggregation ──────────────────────────────
     buildFailures(violations) {
         const byFile = new Map();
         for (const v of violations) {
@@ -500,9 +296,7 @@ export class PromiseSafetyGate extends Gate {
             const details = fileViolations.map(v => `  L${v.line}: [${v.type}] ${v.reason}`).join('\n');
             const hasHighSev = fileViolations.some(v => v.type !== 'async-no-await');
             const severity = hasHighSev ? 'high' : 'medium';
-            const lang = detectLang(file);
-            const langLabel = lang === 'js' ? 'JS/TS' : lang === 'csharp' ? 'C#' : lang.charAt(0).toUpperCase() + lang.slice(1);
-            failures.push(this.createFailure(`Unsafe async/error patterns in ${file}:\n${details}`, [file], `AI code generators often produce incomplete error handling in ${langLabel}. Ensure all parse operations are wrapped in error handling, async functions use await, and HTTP calls check for errors.`, 'Async & Error Safety Violation', fileViolations[0].line, undefined, severity));
+            failures.push(this.createFailure(`Unsafe async/error patterns in ${file}:\n${details}`, [file], `Review and fix async/error handling patterns.`, 'Async & Error Safety Violation', fileViolations[0].line, undefined, severity));
         }
         return failures;
     }

package/dist/gates/runner.d.ts

@@ -1,5 +1,5 @@
 import { Gate } from './base.js';
-import { Config, Report } from '../types/index.js';
+import { Config, Report, DeepOptions } from '../types/index.js';
 export declare class GateRunner {
     private config;
     private gates;
@@ -9,5 +9,7 @@ export declare class GateRunner {
      * Allows adding custom gates dynamically (SOLID - Open/Closed Principle)
      */
     addGate(gate: Gate): void;
-    run(cwd: string, patterns?: string[]): Promise<Report>;
+    run(cwd: string, patterns?: string[], deepOptions?: DeepOptions & {
+        onProgress?: (msg: string) => void;
+    }): Promise<Report>;
 }

package/dist/gates/runner.js

@@ -1,4 +1,5 @@
 import { SEVERITY_WEIGHTS } from '../types/index.js';
+import { DeepAnalysisGate } from './deep-analysis.js';
 import { FileGate } from './file.js';
 import { ContentGate } from './content.js';
 import { StructureGate } from './structure.js';
@@ -102,7 +103,7 @@ export class GateRunner {
     addGate(gate) {
         this.gates.push(gate);
     }
-    async run(cwd, patterns) {
+    async run(cwd, patterns, deepOptions) {
         const start = Date.now();
         const failures = [];
         const summary = {};
@@ -164,6 +165,43 @@ export class GateRunner {
                 }
             }
         }
+        // 3. Run Deep Analysis (if enabled)
+        let deepStats = undefined;
+        if (deepOptions?.enabled) {
+            const deepSetupStart = Date.now();
+            const deepGate = new DeepAnalysisGate({
+                options: deepOptions,
+                checks: this.config.gates.deep?.checks,
+                threads: this.config.gates.deep?.threads,
+                maxTokens: this.config.gates.deep?.max_tokens,
+                temperature: this.config.gates.deep?.temperature,
+                timeoutMs: this.config.gates.deep?.timeout_ms,
+                onProgress: deepOptions.onProgress,
+            });
+            try {
+                const deepFailures = await deepGate.run({ cwd, ignore, patterns });
+                if (deepFailures.length > 0) {
+                    failures.push(...deepFailures);
+                    summary['deep-analysis'] = 'FAIL';
+                }
+                else {
+                    summary['deep-analysis'] = 'PASS';
+                }
+                deepStats = {
+                    enabled: true,
+                    tier: deepOptions.apiKey ? 'cloud' : (deepOptions.pro ? 'pro' : 'deep'),
+                    model: deepOptions.apiKey ? (deepOptions.provider || 'cloud') : (deepOptions.pro ? 'Qwen2.5-Coder-1.5B' : 'Qwen2.5-Coder-0.5B'),
+                    total_ms: Date.now() - deepSetupStart,
+                    findings_count: deepFailures.length,
+                    findings_verified: deepFailures.filter((f) => f.verified).length,
+                };
+            }
+            catch (error) {
+                Logger.error(`Deep analysis failed: ${error.message}`);
+                summary['deep-analysis'] = 'ERROR';
+                deepStats = { enabled: true };
+            }
+        }
         const status = failures.length > 0 ? 'FAIL' : 'PASS';
         // Severity-weighted scoring: each failure deducts based on its severity
         const severityBreakdown = {};
@@ -180,11 +218,13 @@ export class GateRunner {
         // preventing security criticals from incorrectly zeroing structural_score.
         let aiDeduction = 0;
         let structuralDeduction = 0;
+        let deepDeduction = 0;
         const provenanceCounts = {
             'ai-drift': 0,
             'traditional': 0,
             'security': 0,
             'governance': 0,
+            'deep-analysis': 0,
         };
         for (const f of failures) {
             const sev = (f.severity || 'medium');
@@ -198,6 +238,9 @@ export class GateRunner {
                 case 'traditional':
                     structuralDeduction += weight;
                     break;
+                case 'deep-analysis':
+                    deepDeduction += weight;
+                    break;
                 // security and governance contribute to overall score (totalDeduction)
                 // but do NOT pollute the sub-scores
                 case 'security':
@@ -214,8 +257,10 @@ export class GateRunner {
                 score,
                 ai_health_score: Math.max(0, 100 - aiDeduction),
                 structural_score: Math.max(0, 100 - structuralDeduction),
+                ...(deepOptions?.enabled ? { code_quality_score: Math.max(0, 100 - deepDeduction) } : {}),
                 severity_breakdown: severityBreakdown,
                 provenance_breakdown: provenanceCounts,
+                ...(deepStats ? { deep: deepStats } : {}),
             },
         };
     }