@rigour-labs/core 4.2.0 → 4.2.2

package/dist/gates/phantom-apis.js

@@ -73,9 +73,12 @@ export class PhantomApisGate extends Gate {
                 else if (ext === '.cs' && this.config.check_csharp) {
                     this.checkCSharpPhantomApis(content, file, phantoms);
                 }
-                else if ((ext === '.java' || ext === '.kt') && this.config.check_java) {
+                else if (ext === '.java' && this.config.check_java) {
                     this.checkJavaPhantomApis(content, file, phantoms);
                 }
+                else if (ext === '.kt' && this.config.check_java) {
+                    this.checkKotlinPhantomApis(content, file, phantoms);
+                }
             }
             catch { /* skip unreadable files */ }
         }
@@ -99,7 +102,33 @@ export class PhantomApisGate extends Gate {
             normalized.includes('/__tests__/') ||
             normalized.endsWith('/phantom-apis-data.ts') ||
             /\.test\.[^.]+$/i.test(normalized) ||
-            /\.spec\.[^.]+$/i.test(normalized));
+            /\.spec\.[^.]+$/i.test(normalized) ||
+            // Additional test file patterns (Python, Go, Java)
+            /\/tests\//.test(`/${normalized}`) ||
+            /\/test\//.test(`/${normalized}`) ||
+            /_test\.go$/i.test(normalized) ||
+            /(?:^|\/)test_[^/]+\.py$/i.test(normalized) ||
+            /(?:^|\/)conftest\.py$/i.test(normalized) ||
+            /\/e2e\//.test(`/${normalized}`) ||
+            /E2E/i.test(path.basename(normalized)));
+    }
+    /**
+     * Strip string literal contents from a line to prevent matching code-in-strings.
+     * Replaces the content inside quotes with spaces, preserving the quotes themselves.
+     * This prevents false positives when e.g. a Java test passes Python code as a string
+     * to a code interpreter sandbox.
+     */
+    stripStringLiterals(line) {
+        // Replace content inside triple-quoted strings (Python/Kotlin)
+        let result = line.replace(/"""[\s\S]*?"""/g, '""""""');
+        result = result.replace(/'''[\s\S]*?'''/g, "''''''");
+        // Replace content inside regular double-quoted strings (handles escaped quotes)
+        result = result.replace(/"(?:\\.|[^"\\])*"/g, '""');
+        // Replace content inside single-quoted strings
+        result = result.replace(/'(?:\\.|[^'\\])*'/g, "''");
+        // Replace content inside backtick strings (JS/TS template literals)
+        result = result.replace(/`(?:\\.|[^`\\])*`/g, '``');
+        return result;
     }
     /**
      * Node.js stdlib method verification.
@@ -127,7 +156,7 @@ export class PhantomApisGate extends Gate {
             return;
         // Scan for method calls on imported modules
         for (let i = 0; i < lines.length; i++) {
-            const line = this.stripJsCommentLine(lines[i]);
+            const line = this.stripStringLiterals(this.stripJsCommentLine(lines[i]));
             if (!line)
                 continue;
             for (const [alias, moduleName] of moduleAliases) {
@@ -185,7 +214,7 @@ export class PhantomApisGate extends Gate {
         if (moduleAliases.size === 0)
             return;
         for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
+            const line = this.stripStringLiterals(lines[i]);
             for (const [alias, moduleName] of moduleAliases) {
                 const callPattern = new RegExp(`\\b${this.escapeRegex(alias)}\\.(\\w+)\\s*\\(`, 'g');
                 let match;
@@ -252,7 +281,7 @@ export class PhantomApisGate extends Gate {
     checkGoPhantomApis(content, file, phantoms) {
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
+            const line = this.stripStringLiterals(lines[i]);
             for (const rule of GO_PHANTOM_RULES) {
                 if (rule.pattern.test(line)) {
                     phantoms.push({
@@ -271,7 +300,7 @@ export class PhantomApisGate extends Gate {
     checkCSharpPhantomApis(content, file, phantoms) {
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
+            const line = this.stripStringLiterals(lines[i]);
             for (const rule of CSHARP_PHANTOM_RULES) {
                 if (rule.pattern.test(line)) {
                     phantoms.push({
@@ -284,13 +313,15 @@ export class PhantomApisGate extends Gate {
         }
     }
     /**
-     * Java/Kotlin phantom API detection — pattern-based.
+     * Java phantom API detection — pattern-based.
      * AI hallucinates Python/JS-style APIs on JDK classes.
+     * Strips string literal contents to avoid matching code-in-strings
+     * (e.g. Java test passing Python code `print('hello')` to a sandbox).
      */
     checkJavaPhantomApis(content, file, phantoms) {
         const lines = content.split('\n');
         for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
+            const line = this.stripStringLiterals(lines[i]);
             for (const rule of JAVA_PHANTOM_RULES) {
                 if (rule.pattern.test(line)) {
                     phantoms.push({
@@ -302,6 +333,35 @@ export class PhantomApisGate extends Gate {
             }
         }
     }
+    /**
+     * Kotlin phantom API detection — uses a SUBSET of Java rules.
+     * Kotlin has different syntax than Java, so rules must be filtered:
+     *   - print() IS valid Kotlin (kotlin.io.print)
+     *   - var x: Type = IS valid Kotlin syntax
+     *   - Most other Java patterns (includes, slice, arrow syntax) still apply
+     */
+    checkKotlinPhantomApis(content, file, phantoms) {
+        // Rules that are NOT applicable to Kotlin (valid Kotlin syntax)
+        const kotlinExclude = new Set([
+            'print()', // kotlin.io.print() is real
+            'var x: Type =', // Kotlin explicitly supports typed var/val declarations
+        ]);
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = this.stripStringLiterals(lines[i]);
+            for (const rule of JAVA_PHANTOM_RULES) {
+                if (kotlinExclude.has(rule.phantom))
+                    continue;
+                if (rule.pattern.test(line)) {
+                    phantoms.push({
+                        file, line: i + 1,
+                        module: rule.module, method: rule.phantom,
+                        reason: `'${rule.phantom}' does not exist in Kotlin. ${rule.suggestion}`,
+                    });
+                }
+            }
+        }
+    }
     escapeRegex(s) {
         return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
     }

package/dist/gates/promise-safety.js

@@ -157,6 +157,47 @@ export class PromiseSafetyGate extends Gate {
             const funcName = match[1];
             const body = extractIndentedBody(content, match.index + match[0].length);
             if (body && !/\bawait\b/.test(body) && body.trim().split('\n').length > 2) {
+                // Check for framework decorators that require async def without await.
+                // FastAPI, Starlette, Django, pytest, and other frameworks use async handlers
+                // that legitimately don't need await (e.g. exception handlers, simple endpoints).
+                const linesBefore = content.substring(0, match.index);
+                const precedingLines = linesBefore.split('\n');
+                let hasFrameworkDecorator = false;
+                // Walk backwards to find decorators (immediately preceding lines starting with @)
+                for (let j = precedingLines.length - 1; j >= 0 && j >= precedingLines.length - 5; j--) {
+                    const trimmedLine = precedingLines[j].trim();
+                    if (!trimmedLine || trimmedLine.startsWith('#'))
+                        continue;
+                    if (!trimmedLine.startsWith('@'))
+                        break; // Non-decorator, non-empty line — stop
+                    // FastAPI/Starlette: @app.*, @router.*, @exception_handler
+                    if (/^@(?:app|router)\.\w+/.test(trimmedLine)) {
+                        hasFrameworkDecorator = true;
+                        break;
+                    }
+                    // pytest: @pytest.fixture, @pytest.mark.asyncio
+                    if (/^@pytest\.\w+/.test(trimmedLine)) {
+                        hasFrameworkDecorator = true;
+                        break;
+                    }
+                    // Django: @api_view, @action, @admin.*
+                    if (/^@(?:api_view|action|admin\.)/.test(trimmedLine)) {
+                        hasFrameworkDecorator = true;
+                        break;
+                    }
+                    // Generic: @override, @abstractmethod, @staticmethod, @classmethod, @property
+                    if (/^@(?:override|abstractmethod|staticmethod|classmethod|property)\b/.test(trimmedLine)) {
+                        hasFrameworkDecorator = true;
+                        break;
+                    }
+                    // Any decorator with 'handler', 'endpoint', 'route', 'hook', 'middleware', 'listener' in name
+                    if (/^@\w*(?:handler|endpoint|route|hook|middleware|listener|callback|event)/i.test(trimmedLine)) {
+                        hasFrameworkDecorator = true;
+                        break;
+                    }
+                }
+                if (hasFrameworkDecorator)
+                    continue;
                 const lineNum = content.substring(0, match.index).split('\n').length;
                 violations.push({ file, line: lineNum, type: 'async-no-await', code: `async def ${funcName}()`, reason: `async def never uses await` });
             }
@@ -212,9 +253,26 @@ export class PromiseSafetyGate extends Gate {
         }
     }
     detectIgnoredErrorsGo(lines, file, violations) {
+        // Functions where ignoring the error is idiomatic/safe in Go:
+        // - json.Marshal/MarshalIndent on simple types (cannot fail on []string, map[string]string, etc.)
+        // - fmt.Sprintf/Fprintf/Fprint (format functions almost never fail)
+        // - strconv.Itoa (infallible)
+        // - strings.* functions (pure string operations)
+        const safeToIgnorePatterns = [
+            /\bjson\.Marshal\s*\(/, // json.Marshal on simple types
+            /\bjson\.MarshalIndent\s*\(/, // json.MarshalIndent on simple types
+            /\bfmt\.(?:Sprintf|Fprintf|Fprint|Sprint|Sprintln|Fprintln)\s*\(/,
+            /\bstrconv\.(?:Itoa|FormatBool|FormatInt|FormatUint|FormatFloat)\s*\(/,
+            /\bstrings\.(?:Join|Replace|ToLower|ToUpper|TrimSpace|Trim|Split)\s*\(/,
+            /\bbytes\.(?:Join|Replace)\s*\(/,
+        ];
         for (let i = 0; i < lines.length; i++) {
             const match = lines[i].match(/(\w+)\s*,\s*_\s*(?::=|=)\s*(\w+)\./);
             if (match && /\b(?:os|io|ioutil|bufio|sql|net|http|json|xml|yaml|strconv)\./.test(lines[i].trim())) {
+                // Check if this is an infallible operation where _ is idiomatic
+                const isSafeToIgnore = safeToIgnorePatterns.some(p => p.test(lines[i]));
+                if (isSafeToIgnore)
+                    continue;
                 violations.push({ file, line: i + 1, type: 'ignored-error', code: lines[i].trim().substring(0, 80), reason: `Error return ignored with _` });
             }
         }
@@ -310,7 +368,9 @@ export class PromiseSafetyGate extends Gate {
         const normalized = file.replace(/\\/g, '/');
         return (normalized.includes('/examples/') ||
             /\/commands\/demo(?:-|\/)/.test(`/${normalized}`) ||
-            /\/gates\/(?:promise-safety|deprecated-apis-rules(?:-node|-lang)?)\.ts$/i.test(normalized));
+            /\/gates\/(?:promise-safety|deprecated-apis-rules(?:-node|-lang)?)\.ts$/i.test(normalized) ||
+            // Skip conftest.py (pytest fixtures, not application code)
+            /(?:^|\/)conftest\.py$/i.test(normalized));
     }
     sanitizeLine(line) {
         // Remove obvious comments and quoted literals to avoid matching detector text/examples.

package/dist/gates/security-patterns.d.ts

@@ -47,6 +47,11 @@ export declare class SecurityPatternsGate extends Gate {
     run(context: GateContext): Promise<Failure[]>;
     private shouldSkipSecurityFile;
     private scanFileForVulnerabilities;
+    /**
+     * Check if a hardcoded secret match is actually a dummy/placeholder value.
+     * Filters out test values, placeholder defaults, and env-var-name assignments.
+     */
+    private isDummySecretValue;
 }
 /**
  * Quick helper to check a single file for security issues

package/dist/gates/security-patterns.js

@@ -300,16 +300,35 @@ export class SecurityPatternsGate extends Gate {
     }
     shouldSkipSecurityFile(file) {
         const normalized = file.replace(/\\/g, '/');
+        // Skip common non-source directories
         if (/\/(?:examples|studio-dist|dist|build|coverage|target|out)\//.test(`/${normalized}`))
             return true;
-        if (/\/__tests__\//.test(`/${normalized}`))
+        // Skip test directories: __tests__/, tests/, test/, __test__/, e2e/, fixtures/, mocks/
+        if (/\/(?:__tests__|tests|test|__test__|e2e|fixtures|mocks)\//.test(`/${normalized}`))
             return true;
         if (/\/commands\/demo(?:-|\/)/.test(`/${normalized}`))
             return true;
         if (/\/gates\/deprecated-apis-rules(?:-node|-lang)?\.ts$/i.test(normalized))
             return true;
+        // Skip test files: *.test.ts, *.spec.ts (JS/TS/Java)
         if (/\.(test|spec)\.(?:ts|tsx|js|jsx|py|java|go)$/i.test(normalized))
             return true;
+        // Skip Go test files: *_test.go
+        if (/_test\.go$/i.test(normalized))
+            return true;
+        // Skip Python test files: test_*.py, *_test.py, conftest.py
+        if (/(?:^|\/)test_[^/]+\.py$/i.test(normalized))
+            return true;
+        if (/_test\.py$/i.test(normalized))
+            return true;
+        if (/(?:^|\/)conftest\.py$/i.test(normalized))
+            return true;
+        // Skip Java/Kotlin test files in src/test/ directories
+        if (/\/src\/test\//.test(`/${normalized}`))
+            return true;
+        // Skip E2E test files by naming convention
+        if (/[._-]e2e[._-]/i.test(normalized) || /E2E/i.test(path.basename(normalized)))
+            return true;
         return false;
     }
     scanFileForVulnerabilities(content, file, ext, vulnerabilities) {
@@ -323,6 +342,10 @@ export class SecurityPatternsGate extends Gate {
             pattern.regex.lastIndex = 0;
             let match;
             while ((match = pattern.regex.exec(content)) !== null) {
+                // For hardcoded_secrets: filter out placeholder/dummy values and env var names
+                if (pattern.type === 'hardcoded_secrets' && this.isDummySecretValue(match[0])) {
+                    continue;
+                }
                 // Find line number
                 const beforeMatch = content.slice(0, match.index);
                 const lineNumber = beforeMatch.split('\n').length;
@@ -338,6 +361,33 @@ export class SecurityPatternsGate extends Gate {
             }
         }
     }
+    /**
+     * Check if a hardcoded secret match is actually a dummy/placeholder value.
+     * Filters out test values, placeholder defaults, and env-var-name assignments.
+     */
+    isDummySecretValue(matchText) {
+        // Extract the quoted value from the match (e.g., api_key="test-api-key" → test-api-key)
+        const valueMatch = matchText.match(/[:=]\s*['"]([^'"]+)['"]/);
+        if (!valueMatch)
+            return false;
+        const value = valueMatch[1];
+        // Placeholder/example patterns
+        if (/^(?:your[_-]|my[_-]|example[_-]|placeholder|changeme|replace[_-]me|xxx+|dummy|fake|sample)/i.test(value))
+            return true;
+        // Test-specific dummy values
+        if (/^(?:test[_-]|e2e[_-]|mock[_-]|stub[_-]|dev[_-])/i.test(value))
+            return true;
+        if (/^testpass(?:word)?$/i.test(value))
+            return true;
+        // All-caps with underscores = env var names, not actual secrets
+        // e.g., API_KEY = "OPEN_SANDBOX_API_KEY" is referencing a var name, not a real key
+        if (/^[A-Z][A-Z0-9_]{7,}$/.test(value))
+            return true;
+        // Common documentation/tutorial dummy values
+        if (/^(?:sk_test_|pk_test_|sk_live_xxx|password123|secret123|abcdef|abc123)/i.test(value))
+            return true;
+        return false;
+    }
 }
 /**
  * Quick helper to check a single file for security issues

package/dist/gates/test-quality.js

@@ -236,18 +236,38 @@ export class TestQualityGate extends Gate {
     }
     checkPythonTestQuality(content, file, issues) {
         const lines = content.split('\n');
+        const basename = path.basename(file);
+        // Skip conftest.py entirely — these contain fixtures, not tests
+        if (basename === 'conftest.py')
+            return;
         let inTestFunc = false;
         let testStartLine = 0;
         let testIndent = 0;
         let hasAssertion = false;
         let mockCount = 0;
         let testContent = '';
+        let hasFixtureDecorator = false;
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i];
             const trimmed = line.trim();
             // Detect test function start
             const testFuncMatch = line.match(/^(\s*)(?:def|async\s+def)\s+(test_\w+)\s*\(/);
             if (testFuncMatch) {
+                // Check if this function has a @pytest.fixture decorator (not a real test)
+                hasFixtureDecorator = false;
+                for (let j = i - 1; j >= 0 && j >= i - 5; j--) {
+                    const prevLine = lines[j].trim();
+                    if (!prevLine || prevLine.startsWith('#'))
+                        continue;
+                    if (!prevLine.startsWith('@'))
+                        break;
+                    if (/^@pytest\.fixture/.test(prevLine)) {
+                        hasFixtureDecorator = true;
+                        break;
+                    }
+                }
+                if (hasFixtureDecorator)
+                    continue; // Skip — this is a fixture, not a test
                 // If we were in a previous test, analyze it
                 if (inTestFunc) {
                     this.analyzePythonTestBlock(testContent, file, testStartLine, hasAssertion, mockCount, issues);

package/dist/inference/model-manager.js

@@ -137,7 +137,16 @@ export async function downloadModel(tier, onProgress) {
         });
         const actualSha256 = hash.digest('hex');
         if (expectedSha256 && actualSha256 !== expectedSha256) {
-            throw new Error(`Model checksum mismatch for ${model.name}: expected ${expectedSha256}, got ${actualSha256}`);
+            // HuggingFace ETags for LFS files may contain the Git LFS OID (pointer hash)
+            // rather than the SHA256 of the actual served bytes. This is common when
+            // CDN/Cloudfront serves the file. Only hard-fail if the download is also
+            // suspiciously small (likely corrupt). Otherwise warn and proceed — the
+            // actual content hash is still recorded in metadata for future verification.
+            const tolerance = model.sizeBytes * 0.1;
+            if (downloaded < model.sizeBytes - tolerance) {
+                throw new Error(`Model checksum mismatch for ${model.name}: expected ${expectedSha256}, got ${actualSha256} (download also undersized: ${downloaded} bytes)`);
+            }
+            // Download size is reasonable — ETag likely a Git LFS OID, not content SHA256
         }
         // Atomic rename
         fs.renameSync(tempPath, destPath);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "4.2.0",
+  "version": "4.2.2",
   "description": "Deterministic quality gate engine for AI-generated code. AST analysis, drift detection, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -59,11 +59,11 @@
     "@xenova/transformers": "^2.17.2",
     "better-sqlite3": "^11.0.0",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "4.2.0",
-    "@rigour-labs/brain-linux-arm64": "4.2.0",
-    "@rigour-labs/brain-linux-x64": "4.2.0",
-    "@rigour-labs/brain-win-x64": "4.2.0",
-    "@rigour-labs/brain-darwin-x64": "4.2.0"
+    "@rigour-labs/brain-darwin-arm64": "4.2.2",
+    "@rigour-labs/brain-linux-arm64": "4.2.2",
+    "@rigour-labs/brain-linux-x64": "4.2.2",
+    "@rigour-labs/brain-win-x64": "4.2.2",
+    "@rigour-labs/brain-darwin-x64": "4.2.2"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.12",