@rigour-labs/core 3.0.5 → 4.0.0

package/dist/gates/deep-analysis.js

@@ -0,0 +1,302 @@
+/**
+ * Deep Analysis Gate — LLM-powered code quality analysis.
+ *
+ * Three-step pipeline:
+ * 1. AST extracts facts → "UserService has 8 public methods touching 4 domains"
+ * 2. LLM interprets facts → "UserService violates Single Responsibility"
+ * 3. AST verifies LLM → Does UserService actually have those methods? ✓
+ *
+ * AST grounds LLM. LLM interprets AST. Neither works alone.
+ */
+import { Gate } from './base.js';
+import { createProvider } from '../inference/index.js';
+import { extractFacts, factsToPromptString, chunkFacts, buildAnalysisPrompt, buildCrossFilePrompt, verifyFindings } from '../deep/index.js';
+import { Logger } from '../utils/logger.js';
+/** Max files to analyze before truncating (prevents OOM on huge repos) */
+const MAX_ANALYZABLE_FILES = 500;
+/** Setup timeout: 120s for model download, 30s for API connection */
+const SETUP_TIMEOUT_MS = 120_000;
+export class DeepAnalysisGate extends Gate {
+    config;
+    provider = null;
+    constructor(config) {
+        super('deep-analysis', 'Deep Code Quality Analysis');
+        this.config = config;
+    }
+    get provenance() {
+        return 'deep-analysis';
+    }
+    async run(context) {
+        const { onProgress } = this.config;
+        const failures = [];
+        const startTime = Date.now();
+        try {
+            // Step 0: Initialize inference provider (with timeout)
+            onProgress?.('\n  Setting up Rigour Brain...\n');
+            this.provider = createProvider(this.config.options);
+            await Promise.race([
+                this.provider.setup(onProgress),
+                new Promise((_, reject) => setTimeout(() => reject(new Error('Setup timed out. Check network or model availability.')), SETUP_TIMEOUT_MS)),
+            ]);
+            const isLocal = !this.config.options.apiKey || this.config.options.provider === 'local';
+            if (isLocal) {
+                onProgress?.('\n  🔒 100% local analysis. Your code never leaves this machine.\n');
+            }
+            else {
+                onProgress?.(`\n  ☁️  Using ${this.config.options.provider} API. Code is sent to cloud.\n`);
+            }
+            // Step 1: AST extracts facts
+            onProgress?.('  Extracting code facts...');
+            let allFacts = await extractFacts(context.cwd, context.ignore);
+            if (allFacts.length === 0) {
+                onProgress?.('  No analyzable files found. Check ignore patterns and file extensions.');
+                return [];
+            }
+            // Cap file count to prevent OOM on huge repos
+            if (allFacts.length > MAX_ANALYZABLE_FILES) {
+                onProgress?.(`  ⚠ Found ${allFacts.length} files, capping at ${MAX_ANALYZABLE_FILES} (largest files prioritized).`);
+                // Sort by line count descending — analyze the biggest files first
+                allFacts.sort((a, b) => b.lineCount - a.lineCount);
+                allFacts = allFacts.slice(0, MAX_ANALYZABLE_FILES);
+            }
+            const agentCount = this.config.options.agents || 1;
+            const isCloud = !!this.config.options.apiKey;
+            onProgress?.(`  Found ${allFacts.length} files to analyze${agentCount > 1 ? ` with ${agentCount} parallel agents` : ''}.`);
+            // Step 2: LLM interprets facts (in chunks)
+            const chunks = chunkFacts(allFacts);
+            const allFindings = [];
+            let failedChunks = 0;
+            if (agentCount > 1 && isCloud) {
+                // ── Multi-agent mode: partition chunks across N agents, analyze in parallel ──
+                // Each agent gets its own provider instance for true parallelism.
+                // Local mode stays sequential (single sidecar process).
+                onProgress?.(`  Spawning ${agentCount} parallel agents...`);
+                const agentBuckets = Array.from({ length: agentCount }, () => []);
+                chunks.forEach((chunk, i) => agentBuckets[i % agentCount].push(chunk));
+                // Create N independent provider instances
+                const agentProviders = [];
+                for (let a = 0; a < agentCount; a++) {
+                    if (agentBuckets[a].length === 0)
+                        continue;
+                    const p = createProvider(this.config.options);
+                    await p.setup(); // Already connected — cloud setup is instant after first
+                    agentProviders.push(p);
+                }
+                // Run all agents in parallel
+                const agentResults = await Promise.allSettled(agentProviders.map(async (provider, agentIdx) => {
+                    const bucket = agentBuckets[agentIdx];
+                    const findings = [];
+                    let failed = 0;
+                    for (let ci = 0; ci < bucket.length; ci++) {
+                        const globalIdx = agentIdx + ci * agentCount + 1;
+                        onProgress?.(`  Agent ${agentIdx + 1}: batch ${ci + 1}/${bucket.length} (global ${globalIdx}/${chunks.length})`);
+                        const factsStr = factsToPromptString(bucket[ci]);
+                        const prompt = buildAnalysisPrompt(factsStr, this.config.checks);
+                        try {
+                            const response = await provider.analyze(prompt, {
+                                maxTokens: this.config.maxTokens || 8192,
+                                temperature: this.config.temperature || 0.1,
+                                timeout: this.config.timeoutMs || 120000,
+                                jsonMode: true,
+                            });
+                            findings.push(...parseFindings(response));
+                        }
+                        catch (error) {
+                            failed++;
+                            Logger.warn(`Agent ${agentIdx + 1} chunk ${ci + 1} failed: ${error.message}`);
+                        }
+                    }
+                    return { findings, failed };
+                }));
+                // Merge results and dispose extra providers
+                for (let i = 0; i < agentResults.length; i++) {
+                    const result = agentResults[i];
+                    if (result.status === 'fulfilled') {
+                        allFindings.push(...result.value.findings);
+                        failedChunks += result.value.failed;
+                    }
+                    else {
+                        failedChunks += agentBuckets[i].length;
+                        Logger.warn(`Agent ${i + 1} failed entirely: ${result.reason?.message || 'unknown'}`);
+                    }
+                    agentProviders[i]?.dispose();
+                }
+                onProgress?.(`  All ${agentCount} agents completed.`);
+            }
+            else {
+                // ── Single-agent mode: sequential chunk processing ──
+                let chunkIndex = 0;
+                for (const chunk of chunks) {
+                    chunkIndex++;
+                    onProgress?.(`  Analyzing batch ${chunkIndex}/${chunks.length}...`);
+                    const factsStr = factsToPromptString(chunk);
+                    const prompt = buildAnalysisPrompt(factsStr, this.config.checks);
+                    try {
+                        const response = await this.provider.analyze(prompt, {
+                            maxTokens: this.config.maxTokens || (isCloud ? 4096 : 512),
+                            temperature: this.config.temperature || 0.1,
+                            timeout: this.config.timeoutMs || (isCloud ? 120000 : 60000),
+                            jsonMode: true,
+                        });
+                        const findings = parseFindings(response);
+                        allFindings.push(...findings);
+                    }
+                    catch (error) {
+                        failedChunks++;
+                        Logger.warn(`Chunk ${chunkIndex} inference failed: ${error.message}`);
+                        onProgress?.(`  ⚠ Batch ${chunkIndex} failed: ${error.message}`);
+                    }
+                }
+            }
+            // Cross-file analysis (if we have enough files and at least some chunks succeeded)
+            if (allFacts.length >= 3 && failedChunks < chunks.length) {
+                onProgress?.('  Running cross-file analysis...');
+                try {
+                    const crossPrompt = buildCrossFilePrompt(allFacts);
+                    const crossResponse = await this.provider.analyze(crossPrompt, {
+                        maxTokens: this.config.maxTokens || (isCloud ? 4096 : 512),
+                        temperature: this.config.temperature || 0.1,
+                        timeout: this.config.timeoutMs || (isCloud ? 120000 : 60000),
+                        jsonMode: true,
+                    });
+                    const crossFindings = parseFindings(crossResponse);
+                    allFindings.push(...crossFindings);
+                }
+                catch (error) {
+                    Logger.warn(`Cross-file analysis failed: ${error.message}`);
+                }
+            }
+            // Step 3: AST verifies LLM
+            onProgress?.('  Verifying findings...');
+            const verified = verifyFindings(allFindings, allFacts);
+            const durationMs = Date.now() - startTime;
+            onProgress?.(`  ✓ ${verified.length} verified findings (${allFindings.length - verified.length} dropped) in ${(durationMs / 1000).toFixed(1)}s`);
+            if (failedChunks > 0) {
+                onProgress?.(`  ⚠ ${failedChunks}/${chunks.length} batches failed — results may be incomplete.`);
+            }
+            // Convert to Failure format
+            for (const finding of verified) {
+                const failure = this.createFailure(finding.description, [finding.file], finding.suggestion, `[${finding.category}] ${finding.description.substring(0, 80)}`, finding.line, undefined, finding.severity);
+                // Tag with deep analysis metadata
+                failure.confidence = finding.confidence;
+                failure.source = 'llm';
+                failure.category = finding.category;
+                failure.verified = finding.verified;
+                failures.push(failure);
+            }
+        }
+        catch (error) {
+            Logger.error(`Deep analysis failed: ${error.message}`);
+            onProgress?.(`  ⚠ Deep analysis error: ${error.message}`);
+            // Don't fail the whole check — deep is advisory
+        }
+        finally {
+            this.provider?.dispose();
+        }
+        return failures;
+    }
+}
+/**
+ * Parse LLM response into structured findings.
+ * Handles various response formats (raw JSON, markdown-wrapped JSON, etc.)
+ */
+function parseFindings(response) {
+    if (!response || response.trim().length === 0) {
+        Logger.warn('Empty LLM response received');
+        return [];
+    }
+    try {
+        // Try direct JSON parse first
+        const parsed = JSON.parse(response);
+        if (Array.isArray(parsed.findings))
+            return validateFindings(parsed.findings);
+        if (Array.isArray(parsed))
+            return validateFindings(parsed);
+        return [];
+    }
+    catch {
+        // Try extracting JSON from markdown code blocks
+        const jsonMatch = response.match(/```(?:json)?\s*([\s\S]*?)```/);
+        if (jsonMatch) {
+            try {
+                const parsed = JSON.parse(jsonMatch[1]);
+                if (Array.isArray(parsed.findings))
+                    return validateFindings(parsed.findings);
+                if (Array.isArray(parsed))
+                    return validateFindings(parsed);
+            }
+            catch {
+                // Fall through
+            }
+        }
+        // Try finding JSON object in response
+        const objectMatch = response.match(/\{[\s\S]*"findings"[\s\S]*\}/);
+        if (objectMatch) {
+            try {
+                const parsed = JSON.parse(objectMatch[0]);
+                if (Array.isArray(parsed.findings))
+                    return validateFindings(parsed.findings);
+            }
+            catch {
+                // Give up
+            }
+        }
+        // Last resort: try to recover truncated JSON arrays
+        // LLMs sometimes exceed token limits, truncating the response mid-JSON
+        const recovered = recoverTruncatedFindings(response);
+        if (recovered.length > 0) {
+            Logger.info(`Recovered ${recovered.length} findings from truncated response`);
+            return recovered;
+        }
+        Logger.warn(`Could not parse LLM response as findings JSON. First 200 chars: ${response.substring(0, 200)}`);
+        return [];
+    }
+}
+/**
+ * Attempt to recover individual finding objects from a truncated JSON response.
+ * Extracts complete JSON objects from partial arrays.
+ */
+function recoverTruncatedFindings(response) {
+    const findings = [];
+    // Match individual complete objects within the response
+    const objectRegex = /\{\s*"category"\s*:\s*"[^"]+"\s*,[\s\S]*?"description"\s*:\s*"[^"]*"[^}]*\}/g;
+    let match;
+    while ((match = objectRegex.exec(response)) !== null) {
+        try {
+            const obj = JSON.parse(match[0]);
+            if (obj.category && obj.file && obj.description) {
+                findings.push(obj);
+            }
+        }
+        catch {
+            // Individual object was itself truncated — skip
+        }
+    }
+    return validateFindings(findings);
+}
+/**
+ * Validate and sanitize findings from LLM response.
+ * Drops malformed entries that lack required fields.
+ */
+function validateFindings(raw) {
+    return raw.filter(f => {
+        if (!f || typeof f !== 'object')
+            return false;
+        if (!f.category || typeof f.category !== 'string')
+            return false;
+        if (!f.file || typeof f.file !== 'string')
+            return false;
+        if (!f.description || typeof f.description !== 'string')
+            return false;
+        // Normalize confidence
+        if (typeof f.confidence !== 'number' || f.confidence < 0 || f.confidence > 1) {
+            f.confidence = 0.5;
+        }
+        // Normalize severity
+        const validSeverities = ['critical', 'high', 'medium', 'low', 'info'];
+        if (!validSeverities.includes(f.severity)) {
+            f.severity = 'medium';
+        }
+        return true;
+    });
+}

package/dist/gates/deprecated-apis-rules-lang.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Language-specific deprecated APIs: Python, Go, C#, Java
+ * Extracted to keep deprecated-apis.ts under 500 lines.
+ */
+import { DeprecatedRule } from './deprecated-apis-rules-node.js';
+/**
+ * Python deprecated APIs — sourced from Python 3.12+ deprecation notices
+ */
+export declare const PYTHON_DEPRECATED_RULES: DeprecatedRule[];
+/**
+ * Go deprecated APIs — sourced from Go official deprecation notices
+ */
+export declare const GO_DEPRECATED_RULES: DeprecatedRule[];
+/**
+ * C# deprecated APIs — sourced from .NET deprecation notices
+ */
+export declare const CSHARP_DEPRECATED_RULES: DeprecatedRule[];
+/**
+ * Java deprecated APIs — sourced from JDK deprecation notices
+ */
+export declare const JAVA_DEPRECATED_RULES: DeprecatedRule[];

package/dist/gates/deprecated-apis-rules-lang.js

@@ -0,0 +1,311 @@
+/**
+ * Language-specific deprecated APIs: Python, Go, C#, Java
+ * Extracted to keep deprecated-apis.ts under 500 lines.
+ */
+/**
+ * Python deprecated APIs — sourced from Python 3.12+ deprecation notices
+ */
+export const PYTHON_DEPRECATED_RULES = [
+    // Security-deprecated
+    {
+        pattern: /\bmd5\s*\(|\.md5\s*\(/,
+        api: 'hashlib.md5() for passwords',
+        reason: 'MD5 is cryptographically broken — collision attacks proven since 2004',
+        replacement: 'hashlib.sha256(), hashlib.blake2b(), or bcrypt/argon2 for passwords',
+        category: 'security',
+    },
+    {
+        pattern: /\bsha1\s*\(|\.sha1\s*\(/,
+        api: 'hashlib.sha1() for security',
+        reason: 'SHA-1 is cryptographically broken — SHAttered attack (2017)',
+        replacement: 'hashlib.sha256() or hashlib.sha3_256()',
+        category: 'security',
+    },
+    {
+        pattern: /\bpickle\.loads?\s*\(/,
+        api: 'pickle.load()/loads()',
+        reason: 'Arbitrary code execution vulnerability when loading untrusted data',
+        replacement: 'json.loads() for data, or use restricted_loads with allowlists',
+        category: 'security',
+    },
+    {
+        pattern: /\byaml\.load\s*\([^)]*(?!\bLoader\b)[^)]*\)/,
+        api: 'yaml.load() without Loader',
+        reason: 'Arbitrary code execution when loading untrusted YAML',
+        replacement: 'yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader)',
+        category: 'security',
+    },
+    {
+        pattern: /\bexec\s*\(\s*(?:input|request|f['"])/,
+        api: 'exec() with user input',
+        reason: 'Code injection vulnerability',
+        replacement: 'ast.literal_eval() for data, structured parsing for expressions',
+        category: 'security',
+    },
+    {
+        pattern: /\bos\.system\s*\(/,
+        api: 'os.system()',
+        reason: 'Shell injection vulnerability, no output capture',
+        replacement: 'subprocess.run() with shell=False',
+        category: 'security',
+    },
+    {
+        pattern: /subprocess\.(?:call|run|Popen)\s*\([^)]*shell\s*=\s*True/,
+        api: 'subprocess with shell=True',
+        reason: 'Shell injection vulnerability when args contain user input',
+        replacement: 'subprocess.run() with shell=False and list args',
+        category: 'security',
+    },
+    // Removed modules (Python 3.12+)
+    {
+        pattern: /\bimport\s+imp\b/,
+        api: 'import imp',
+        reason: 'Removed in Python 3.12 (PEP 594)',
+        replacement: 'importlib',
+        category: 'removed',
+    },
+    {
+        pattern: /\bimport\s+(?:aifc|audioop|cgi|cgitb|chunk|crypt|imghdr|mailcap|msilib|nis|nntplib|ossaudiodev|pipes|sndhdr|spwd|sunau|telnetlib|uu|xdrlib)\b/,
+        api: 'Dead batteries module',
+        reason: 'Removed in Python 3.13 (PEP 594 — dead batteries)',
+        replacement: 'PyPI equivalents (see PEP 594 for specific replacements)',
+        category: 'removed',
+    },
+    {
+        pattern: /\bfrom\s+distutils\b/,
+        api: 'distutils',
+        reason: 'Removed in Python 3.12 (PEP 632)',
+        replacement: 'setuptools or build',
+        category: 'removed',
+    },
+    {
+        pattern: /\bimport\s+formatter\b/,
+        api: 'import formatter',
+        reason: 'Removed in Python 3.10',
+        replacement: 'No direct replacement — use string formatting',
+        category: 'removed',
+    },
+    // Superseded
+    {
+        pattern: /\bfrom\s+collections\s+import\s+(?:Mapping|MutableMapping|Sequence|MutableSequence|Set|MutableSet|Callable|Iterable|Iterator|Generator|Coroutine|Awaitable|AsyncIterable|AsyncIterator|AsyncGenerator|Hashable|Sized|Container|Collection|Reversible|MappingView|KeysView|ItemsView|ValuesView|ByteString)\b/,
+        api: 'collections ABCs',
+        reason: 'Removed in Python 3.10 — moved to collections.abc',
+        replacement: 'from collections.abc import ...',
+        category: 'removed',
+    },
+    {
+        pattern: /\boptparse\b/,
+        api: 'optparse',
+        reason: 'Superseded since Python 3.2',
+        replacement: 'argparse',
+        category: 'superseded',
+    },
+    {
+        pattern: /\bfrom\s+typing\s+import\s+(?:Dict|List|Set|Tuple|FrozenSet|Type|Deque|DefaultDict|OrderedDict|Counter|ChainMap|Awaitable|Coroutine|AsyncIterable|AsyncIterator|AsyncGenerator|Iterable|Iterator|Generator|Reversible|Container|Collection|Callable|AbstractSet|MutableSet|Mapping|MutableMapping|Sequence|MutableSequence|ByteString|MappingView|KeysView|ItemsView|ValuesView|ContextManager|AsyncContextManager|Pattern|Match)\b/,
+        api: 'typing generics (Dict, List, etc.)',
+        reason: 'Deprecated since Python 3.9 — use built-in generics (PEP 585)',
+        replacement: 'dict[], list[], set[], tuple[] (lowercase built-in types)',
+        category: 'superseded',
+    },
+    {
+        pattern: /\bfrom\s+typing\s+import\s+(?:Optional|Union)\b/,
+        api: 'typing.Optional / typing.Union',
+        reason: 'Superseded in Python 3.10 — use X | Y syntax (PEP 604)',
+        replacement: 'X | None instead of Optional[X], X | Y instead of Union[X, Y]',
+        category: 'superseded',
+    },
+    {
+        pattern: /\basyncio\.get_event_loop\s*\(\s*\)/,
+        api: 'asyncio.get_event_loop()',
+        reason: 'Deprecated in Python 3.10 — may create new loop unexpectedly',
+        replacement: 'asyncio.get_running_loop() or asyncio.run()',
+        category: 'superseded',
+    },
+    {
+        pattern: /\bsetup\s*\(\s*[^)]*\buse_2to3\s*=/,
+        api: 'setup(use_2to3=True)',
+        reason: 'Removed in setuptools 58+ — Python 2 support dropped',
+        replacement: 'Write Python 3 only code',
+        category: 'removed',
+    },
+];
+/**
+ * Go deprecated APIs — sourced from Go official deprecation notices
+ */
+export const GO_DEPRECATED_RULES = [
+    {
+        pattern: /\bioutil\.ReadFile\s*\(/,
+        api: 'ioutil.ReadFile()', reason: 'Deprecated since Go 1.16 — io/ioutil package deprecated',
+        replacement: 'os.ReadFile()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.WriteFile\s*\(/,
+        api: 'ioutil.WriteFile()', reason: 'Deprecated since Go 1.16',
+        replacement: 'os.WriteFile()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.ReadAll\s*\(/,
+        api: 'ioutil.ReadAll()', reason: 'Deprecated since Go 1.16',
+        replacement: 'io.ReadAll()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.ReadDir\s*\(/,
+        api: 'ioutil.ReadDir()', reason: 'Deprecated since Go 1.16',
+        replacement: 'os.ReadDir()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.TempDir\s*\(/,
+        api: 'ioutil.TempDir()', reason: 'Deprecated since Go 1.17',
+        replacement: 'os.MkdirTemp()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.TempFile\s*\(/,
+        api: 'ioutil.TempFile()', reason: 'Deprecated since Go 1.17',
+        replacement: 'os.CreateTemp()', category: 'superseded',
+    },
+    {
+        pattern: /\bioutil\.NopCloser\s*\(/,
+        api: 'ioutil.NopCloser()', reason: 'Deprecated since Go 1.16',
+        replacement: 'io.NopCloser()', category: 'superseded',
+    },
+    {
+        pattern: /\b"io\/ioutil"/,
+        api: 'import "io/ioutil"', reason: 'Entire io/ioutil package deprecated since Go 1.16',
+        replacement: 'Use os and io packages instead', category: 'superseded',
+    },
+    {
+        pattern: /\bsort\.IntSlice\b|sort\.Float64Slice\b|sort\.StringSlice\b/,
+        api: 'sort.*Slice types', reason: 'Superseded since Go 1.21',
+        replacement: 'slices.Sort() or sort.Slice()', category: 'superseded',
+    },
+    {
+        pattern: /\bmath\/rand"[\s\S]*?rand\.(Seed|Read)\s*\(/,
+        api: 'rand.Seed() / rand.Read()', reason: 'Deprecated in Go 1.20+',
+        replacement: 'Auto-seeded in Go 1.20+; use crypto/rand.Read()', category: 'superseded',
+    },
+    {
+        pattern: /\bstrings\.Title\s*\(/,
+        api: 'strings.Title()', reason: 'Deprecated since Go 1.18 — broken for Unicode',
+        replacement: 'golang.org/x/text/cases.Title()', category: 'superseded',
+    },
+];
+/**
+ * C# deprecated APIs — sourced from .NET deprecation notices
+ */
+export const CSHARP_DEPRECATED_RULES = [
+    {
+        pattern: /\bnew\s+WebClient\s*\(/,
+        api: 'WebClient', reason: 'Deprecated in .NET 6+ — poor async support',
+        replacement: 'HttpClient', category: 'superseded',
+    },
+    {
+        pattern: /\bBinaryFormatter\b/,
+        api: 'BinaryFormatter', reason: 'Security vulnerability — arbitrary code execution on deserialization',
+        replacement: 'System.Text.Json or JsonSerializer', category: 'security',
+    },
+    {
+        pattern: /\bJavaScriptSerializer\b/,
+        api: 'JavaScriptSerializer', reason: 'Deprecated — poor performance and limited features',
+        replacement: 'System.Text.Json.JsonSerializer', category: 'superseded',
+    },
+    {
+        pattern: /\bThread\.Abort\s*\(/,
+        api: 'Thread.Abort()', reason: 'Throws PlatformNotSupportedException in .NET 5+',
+        replacement: 'CancellationToken for cooperative cancellation', category: 'removed',
+    },
+    {
+        pattern: /\bThread\.Suspend\s*\(|Thread\.Resume\s*\(/,
+        api: 'Thread.Suspend/Resume()', reason: 'Deprecated — causes deadlocks',
+        replacement: 'ManualResetEvent or SemaphoreSlim', category: 'removed',
+    },
+    {
+        pattern: /\bAppDomain\.CreateDomain\s*\(/,
+        api: 'AppDomain.CreateDomain()', reason: 'Not supported in .NET Core/5+',
+        replacement: 'AssemblyLoadContext', category: 'removed',
+    },
+    {
+        pattern: /\bRemoting\b.*\bChannel\b/,
+        api: '.NET Remoting', reason: 'Removed in .NET Core/5+',
+        replacement: 'gRPC, REST APIs, or SignalR', category: 'removed',
+    },
+    {
+        pattern: /\bnew\s+SHA1(?:Managed|CryptoServiceProvider)\s*\(/,
+        api: 'SHA1Managed/CryptoServiceProvider', reason: 'SHA-1 cryptographically broken',
+        replacement: 'SHA256.Create() or SHA512.Create()', category: 'security',
+    },
+    {
+        pattern: /\bnew\s+MD5CryptoServiceProvider\s*\(/,
+        api: 'MD5CryptoServiceProvider', reason: 'MD5 cryptographically broken',
+        replacement: 'SHA256.Create() or SHA512.Create()', category: 'security',
+    },
+    {
+        pattern: /\bnew\s+(?:RijndaelManaged|DESCryptoServiceProvider|RC2CryptoServiceProvider|TripleDESCryptoServiceProvider)\s*\(/,
+        api: 'Legacy crypto providers', reason: 'Weak encryption algorithms',
+        replacement: 'Aes.Create()', category: 'security',
+    },
+];
+/**
+ * Java deprecated APIs — sourced from JDK deprecation notices
+ */
+export const JAVA_DEPRECATED_RULES = [
+    {
+        pattern: /\bnew\s+Date\s*\(\s*\d/,
+        api: 'new Date(year, month, ...)', reason: 'Deprecated since JDK 1.1',
+        replacement: 'java.time.LocalDate, LocalDateTime, ZonedDateTime', category: 'superseded',
+    },
+    {
+        pattern: /\bnew\s+Vector\s*[<(]/,
+        api: 'Vector', reason: 'Legacy synchronized collection — poor performance',
+        replacement: 'ArrayList (or Collections.synchronizedList())', category: 'superseded',
+    },
+    {
+        pattern: /\bnew\s+Hashtable\s*[<(]/,
+        api: 'Hashtable', reason: 'Legacy synchronized map — poor performance',
+        replacement: 'HashMap (or ConcurrentHashMap)', category: 'superseded',
+    },
+    {
+        pattern: /\bnew\s+Stack\s*[<(]/,
+        api: 'Stack', reason: 'Legacy class — extends Vector unnecessarily',
+        replacement: 'Deque<> (ArrayDeque) with push/pop', category: 'superseded',
+    },
+    {
+        pattern: /\bnew\s+StringBuffer\s*\(/,
+        api: 'StringBuffer', reason: 'Unnecessarily synchronized — slower than StringBuilder',
+        replacement: 'StringBuilder (unless thread safety needed)', category: 'superseded',
+    },
+    {
+        pattern: /\.getYear\s*\(\s*\)(?!.*java\.time)/,
+        api: 'Date.getYear()', reason: 'Deprecated since JDK 1.1 — returns year - 1900',
+        replacement: 'LocalDate.now().getYear()', category: 'superseded',
+    },
+    {
+        pattern: /Thread\.stop\s*\(/i,
+        api: 'Thread.stop()', reason: 'Deprecated — unsafe, can corrupt objects',
+        replacement: 'Thread.interrupt() with cooperative checking', category: 'security',
+    },
+    {
+        pattern: /Thread\.destroy\s*\(|Thread\.suspend\s*\(|Thread\.resume\s*\(/,
+        api: 'Thread.destroy/suspend/resume()', reason: 'Deprecated — deadlock-prone',
+        replacement: 'Thread.interrupt() and wait/notify', category: 'removed',
+    },
+    {
+        pattern: /Runtime\.runFinalizersOnExit\s*\(/,
+        api: 'Runtime.runFinalizersOnExit()', reason: 'Deprecated — inherently unsafe',
+        replacement: 'Runtime shutdown hooks or try-with-resources', category: 'removed',
+    },
+    {
+        pattern: /\bfinalize\s*\(\s*\)\s*(?:throws|\{)/,
+        api: 'finalize()', reason: 'Deprecated since Java 9 (JEP 421) — for removal',
+        replacement: 'Cleaner or try-with-resources (AutoCloseable)', category: 'superseded',
+    },
+    {
+        pattern: /\bnew\s+Integer\s*\(|new\s+Long\s*\(|new\s+Double\s*\(|new\s+Boolean\s*\(|new\s+Float\s*\(/,
+        api: 'new Integer/Long/Double/Boolean/Float()', reason: 'Deprecated since Java 9 — valueOf preferred',
+        replacement: 'Integer.valueOf(), autoboxing, or parse methods', category: 'superseded',
+    },
+    {
+        pattern: /\bSecurityManager\b/,
+        api: 'SecurityManager', reason: 'Deprecated for removal since Java 17 (JEP 411)',
+        replacement: 'No direct replacement — use OS-level security', category: 'removed',
+    },
+];

package/dist/gates/deprecated-apis-rules-node.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Rule data for deprecated-apis gate.
+ * Node.js and Web API deprecation rules extracted to keep deprecated-apis.ts under 500 lines.
+ */
+export interface DeprecatedRule {
+    pattern: RegExp;
+    api: string;
+    reason: string;
+    replacement: string;
+    category: 'security' | 'removed' | 'superseded';
+}
+/**
+ * Node.js deprecated APIs — sourced from official Node.js deprecation list
+ */
+export declare const NODE_DEPRECATED_RULES: DeprecatedRule[];
+/**
+ * Web API deprecated patterns
+ */
+export declare const WEB_DEPRECATED_RULES: DeprecatedRule[];