@rigour-labs/core 5.0.0 → 5.1.0

package/dist/gates/security-patterns.js

@@ -11,219 +11,13 @@
  * - Hardcoded Secrets
  * - Insecure Randomness
  * - Command Injection
- *
- * @since v2.14.0
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
 import { Logger } from '../utils/logger.js';
+import { VULNERABILITY_PATTERNS } from './security-patterns-data.js';
 import fs from 'fs-extra';
 import path from 'path';
-// Pattern definitions with regex and metadata
-const VULNERABILITY_PATTERNS = [
-    // SQL Injection
-    {
-        type: 'sql_injection',
-        regex: /(?:execute|query|raw|exec)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^`]*\$\{[^}]+\}[^`]*`/gi,
-        severity: 'critical',
-        description: 'Potential SQL injection: User input concatenated into SQL query',
-        cwe: 'CWE-89',
-        languages: ['ts', 'js', 'py']
-    },
-    {
-        type: 'sql_injection',
-        regex: /(?:execute|query|raw|exec)\s*\(\s*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^'"`]*['"`]\s*\+\s*[^)]+\)/gi,
-        severity: 'critical',
-        description: 'SQL query built with string concatenation',
-        cwe: 'CWE-89',
-        languages: ['ts', 'js']
-    },
-    // XSS
-    {
-        type: 'xss',
-        regex: /innerHTML\s*=\s*(?!\s*['"`]\s*['"`])[^;]+/g,
-        severity: 'high',
-        description: 'Potential XSS: innerHTML assignment with dynamic content',
-        cwe: 'CWE-79',
-        languages: ['ts', 'js', 'tsx', 'jsx']
-    },
-    {
-        type: 'xss',
-        regex: /dangerouslySetInnerHTML\s*=\s*\{/g,
-        severity: 'high',
-        description: 'dangerouslySetInnerHTML usage (ensure content is sanitized)',
-        cwe: 'CWE-79',
-        languages: ['tsx', 'jsx']
-    },
-    {
-        type: 'xss',
-        regex: /document\.write\s*\(/g,
-        severity: 'high',
-        description: 'document.write is dangerous for XSS',
-        cwe: 'CWE-79',
-        languages: ['ts', 'js']
-    },
-    // Path Traversal
-    {
-        type: 'path_traversal',
-        regex: /(?:readFile|writeFile|readdir|unlink|rmdir)\s*\([^)]*(?:req\.(?:params|query|body)|\.\.\/)/g,
-        severity: 'high',
-        description: 'Potential path traversal: File operation with user input',
-        cwe: 'CWE-22',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'path_traversal',
-        regex: /path\.join\s*\([^)]*req\./g,
-        severity: 'medium',
-        description: 'path.join with request data (verify input sanitization)',
-        cwe: 'CWE-22',
-        languages: ['ts', 'js']
-    },
-    // Hardcoded Secrets
-    {
-        type: 'hardcoded_secrets',
-        regex: /(?:password|secret|api_key|apikey|auth_token|access_token|private_key)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
-        severity: 'critical',
-        description: 'Hardcoded secret detected in code',
-        cwe: 'CWE-798',
-        languages: ['ts', 'js', 'py', 'java', 'go']
-    },
-    {
-        type: 'hardcoded_secrets',
-        regex: /(?:sk-|pk-|rk-|ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{20,}/g,
-        severity: 'critical',
-        description: 'API key pattern detected (OpenAI, GitHub, etc.)',
-        cwe: 'CWE-798',
-        languages: ['*']
-    },
-    {
-        type: 'hardcoded_secrets',
-        regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
-        severity: 'critical',
-        description: 'Private key embedded in source code',
-        cwe: 'CWE-798',
-        languages: ['*']
-    },
-    // Insecure Randomness
-    {
-        type: 'insecure_randomness',
-        regex: /Math\.random\s*\(\s*\)/g,
-        severity: 'medium',
-        description: 'Math.random() is not cryptographically secure',
-        cwe: 'CWE-338',
-        languages: ['ts', 'js', 'tsx', 'jsx']
-    },
-    // Command Injection
-    {
-        type: 'command_injection',
-        regex: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*(?:`[^`]*\$\{[^}]*(?:req\.|query|params|body|input|user|argv|process\.env)[^}]*\}[^`]*`|[^)]*(?:req\.|query|params|body|input|user|argv|process\.env)[^)]*)\)/g,
-        severity: 'critical',
-        description: 'Potential command injection: shell execution with user input',
-        cwe: 'CWE-78',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'command_injection',
-        regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\([^)]*(?:req\.|query|params|body|input|user|argv|process\.env)/g,
-        severity: 'high',
-        description: 'child_process usage detected (verify input sanitization)',
-        cwe: 'CWE-78',
-        languages: ['ts', 'js']
-    },
-    // ReDoS — Denial of Service via regex (OWASP #7)
-    {
-        type: 'redos',
-        regex: /new RegExp\s*\([^)]*(?:req\.|params|query|body|input|user)/g,
-        severity: 'high',
-        description: 'Dynamic regex from user input — potential ReDoS',
-        cwe: 'CWE-1333',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'redos',
-        regex: /\(\?:[^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\(\.\*\)\{/g,
-        severity: 'medium',
-        description: 'Regex with nested quantifiers — potential ReDoS',
-        cwe: 'CWE-1333',
-        languages: ['ts', 'js', 'py']
-    },
-    // Overly Permissive Code (OWASP #9)
-    {
-        type: 'overly_permissive',
-        regex: /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:true|['"`]\*['"`])/g,
-        severity: 'high',
-        description: 'CORS wildcard origin — allows any domain',
-        cwe: 'CWE-942',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'overly_permissive',
-        regex: /(?:listen|bind)\s*\(\s*(?:\d+\s*,\s*)?['"`]0\.0\.0\.0['"`]/g,
-        severity: 'medium',
-        description: 'Binding to 0.0.0.0 exposes service to all interfaces',
-        cwe: 'CWE-668',
-        languages: ['ts', 'js', 'py', 'go']
-    },
-    {
-        type: 'overly_permissive',
-        regex: /chmod\s*\(\s*[^,]*,\s*['"`]?(?:0o?)?777['"`]?\s*\)/g,
-        severity: 'high',
-        description: 'chmod 777 — world-readable/writable permissions',
-        cwe: 'CWE-732',
-        languages: ['ts', 'js', 'py']
-    },
-    {
-        type: 'overly_permissive',
-        regex: /(?:Access-Control-Allow-Origin|x-powered-by)['"`,\s:]+\*/gi,
-        severity: 'high',
-        description: 'Wildcard Access-Control-Allow-Origin header',
-        cwe: 'CWE-942',
-        languages: ['ts', 'js', 'py']
-    },
-    // Unsafe Output Handling (OWASP #6)
-    {
-        type: 'unsafe_output',
-        regex: /res\.(?:send|write|end)\s*\(\s*(?:req\.|params|query|body|input|user)/g,
-        severity: 'high',
-        description: 'Reflecting user input in response without sanitization',
-        cwe: 'CWE-79',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'unsafe_output',
-        regex: /\$\{[^}]*(?:req\.|params|query|body|input|user)[^}]*\}.*(?:html|template|render)/gi,
-        severity: 'high',
-        description: 'User input interpolated into template/HTML output',
-        cwe: 'CWE-79',
-        languages: ['ts', 'js', 'py']
-    },
-    {
-        type: 'unsafe_output',
-        regex: /eval\s*\(\s*(?:req\.|params|query|body|input|user)/g,
-        severity: 'critical',
-        description: 'eval() with user input — code injection',
-        cwe: 'CWE-94',
-        languages: ['ts', 'js', 'py']
-    },
-    // Missing Input Validation (OWASP #8)
-    {
-        type: 'missing_input_validation',
-        regex: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body|data|input)\s*\)/g,
-        severity: 'medium',
-        description: 'JSON.parse on raw input without schema validation',
-        cwe: 'CWE-20',
-        languages: ['ts', 'js']
-    },
-    {
-        type: 'missing_input_validation',
-        regex: /(?:as\s+any|:\s*any)\s*(?:[;,)\]}])/g,
-        severity: 'medium',
-        description: 'Type assertion to "any" bypasses type safety',
-        cwe: 'CWE-20',
-        languages: ['ts']
-    },
-];
 export class SecurityPatternsGate extends Gate {
     config;
     severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
@@ -347,6 +141,14 @@ export class SecurityPatternsGate extends Gate {
                 if (pattern.type === 'hardcoded_secrets' && this.isDummySecretValue(match[0])) {
                     continue;
                 }
+                // For XSS: check if innerHTML/dangerouslySetInnerHTML is wrapped in a sanitizer
+                if (pattern.type === 'xss' && this.isSanitizedAssignment(match[0])) {
+                    continue;
+                }
+                // For command_injection: check if spawn/exec uses { shell: false } (safe)
+                if (pattern.type === 'command_injection' && this.isSafeShellCall(match[0], content, match.index)) {
+                    continue;
+                }
                 // Find line number
                 const beforeMatch = content.slice(0, match.index);
                 const lineNumber = beforeMatch.split('\n').length;
@@ -364,7 +166,8 @@ export class SecurityPatternsGate extends Gate {
     }
     /**
      * Check if a hardcoded secret match is actually a dummy/placeholder value.
-     * Filters out test values, placeholder defaults, and env-var-name assignments.
+     * Filters out test values, placeholder defaults, env-var-name assignments,
+     * store action types, and low-entropy constants.
      */
     isDummySecretValue(matchText) {
         // Extract the quoted value from the match (e.g., api_key="test-api-key" → test-api-key)
@@ -380,13 +183,79 @@ export class SecurityPatternsGate extends Gate {
             return true;
         if (/^testpass(?:word)?$/i.test(value))
             return true;
-        // All-caps with underscores = env var names, not actual secrets
-        // e.g., API_KEY = "OPEN_SANDBOX_API_KEY" is referencing a var name, not a real key
-        if (/^[A-Z][A-Z0-9_]{7,}$/.test(value))
+        // All-caps with underscores/dollars = env var names or constants, not actual secrets
+        // e.g., API_KEY = "OPEN_SANDBOX_API_KEY", SECRETS$ADD_SECRET (Redux action types)
+        if (/^[A-Z][A-Z0-9_$]{7,}$/.test(value))
+            return true;
+        // Store action type patterns: NAMESPACE$ACTION or namespace/ACTION (Redux, Zustand, Flux)
+        if (/^\w+\$\w+$/.test(value))
+            return true;
+        if (/^[a-z][\w-]*\/[A-Z_]+$/.test(value))
             return true;
         // Common documentation/tutorial dummy values
         if (/^(?:sk_test_|pk_test_|sk_live_xxx|password123|secret123|abcdef|abc123)/i.test(value))
             return true;
+        // Shannon entropy check: low-entropy values are likely constants, not real secrets
+        // Real secrets have high entropy (>4.0 bits/char); constants and names have low entropy
+        if (this.shannonEntropy(value) < 3.0)
+            return true;
+        // ALL_CAPS_SNAKE_CASE without any lowercase/special chars = likely enum or constant
+        if (/^[A-Z][A-Z0-9_$]*$/.test(value) && value.length >= 6)
+            return true;
+        // URL-like values that are just config (not secrets): localhost, 127.0.0.1, etc.
+        if (/^(?:https?:\/\/)?(?:localhost|127\.0\.0\.1|0\.0\.0\.0)/.test(value))
+            return true;
+        // Common non-secret patterns: UUIDs, semver, file paths
+        if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value))
+            return true;
+        if (/^\d+\.\d+\.\d+/.test(value))
+            return true; // semver
+        return false;
+    }
+    /**
+     * Calculate Shannon entropy (bits per character) of a string.
+     * Real secrets have high entropy (>4.5); constants/names have low entropy (<3.0).
+     */
+    shannonEntropy(str) {
+        if (!str || str.length === 0)
+            return 0;
+        const freq = new Map();
+        for (const ch of str) {
+            freq.set(ch, (freq.get(ch) || 0) + 1);
+        }
+        let entropy = 0;
+        for (const count of freq.values()) {
+            const p = count / str.length;
+            if (p > 0)
+                entropy -= p * Math.log2(p);
+        }
+        return entropy;
+    }
+    /**
+     * Check if an innerHTML or dangerouslySetInnerHTML assignment is wrapped in a sanitizer.
+     * Known sanitizers: DOMPurify.sanitize(), sanitize(), xss(), escapeHtml(), htmlEncode().
+     */
+    isSanitizedAssignment(matchText) {
+        const sanitizers = [
+            'sanitize(', 'DOMPurify.sanitize(', 'dompurify.sanitize(',
+            'xss(', 'escape(', 'escapeHtml(', 'htmlEncode(',
+            'sanitizeHtml(', 'clean(', 'purify(',
+        ];
+        const rhs = matchText.includes('=') ? matchText.split('=').slice(1).join('=') : matchText;
+        return sanitizers.some(s => rhs.toLowerCase().includes(s.toLowerCase()));
+    }
+    /**
+     * Check if a shell execution call is using { shell: false } option (safe pattern).
+     * Also, spawn() without { shell: true } is safe by default — don't flag it.
+     */
+    isSafeShellCall(matchText, fullContent, matchIndex) {
+        // Check surrounding context (100 chars after match) for shell: false
+        const context = fullContent.slice(matchIndex, matchIndex + matchText.length + 100);
+        if (/shell\s*:\s*false/.test(context))
+            return true;
+        // spawn() without shell: true is safe by default
+        if (/\bspawn(?:Sync)?\s*\(/.test(matchText) && !/shell\s*:\s*true/.test(context))
+            return true;
         return false;
     }
 }

package/dist/gates/side-effect-analysis/categorizer.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Side Effect Categorization and Severity Assignment
+ *
+ * Functions that classify side effects by type/severity and assign
+ * appropriate titles and descriptions.
+ */
+import { SideEffectViolation } from '../side-effect-helpers/index.js';
+import { Failure } from '../../types/index.js';
+/**
+ * Gets the human-readable title for a rule
+ */
+export declare function getRuleTitle(rule: string): string;
+/**
+ * Gets the severity level for a rule
+ */
+export declare function getRuleSeverity(rule: string): 'low' | 'medium' | 'high' | 'critical';
+/**
+ * Categorizes a violation and assigns it proper severity and title
+ */
+export declare function categorizeViolation(violation: SideEffectViolation): SideEffectViolation;
+/**
+ * Converts a side effect violation to a Failure object
+ */
+export declare function violationToFailure(violation: SideEffectViolation, createFailure: (message: string, files: string[], hint?: string, title?: string, startLine?: number, endLine?: number, severity?: string) => Failure): Failure;
+/**
+ * Groups violations by severity level
+ */
+export declare function groupBySeverity(violations: SideEffectViolation[]): Record<string, SideEffectViolation[]>;
+/**
+ * Filters violations by severity threshold
+ */
+export declare function filterBySeverity(violations: SideEffectViolation[], minSeverity: 'critical' | 'high' | 'medium' | 'low'): SideEffectViolation[];

package/dist/gates/side-effect-analysis/categorizer.js

@@ -0,0 +1,83 @@
+/**
+ * Side Effect Categorization and Severity Assignment
+ *
+ * Functions that classify side effects by type/severity and assign
+ * appropriate titles and descriptions.
+ */
+/**
+ * Categorization information for each rule type
+ */
+const RULE_TITLES = {
+    'unbounded-timer': 'Unbounded Timer',
+    'orphan-process': 'Orphan Process',
+    'unbounded-io-loop': 'Unbounded I/O Loop',
+    'retry-without-limit': 'Retry Without Limit',
+    'circular-trigger': 'Circular File Trigger',
+    'resource-leak': 'Resource Leak',
+    'unbounded-recursion': 'Unbounded Recursion',
+    'auto-restart-bomb': 'Auto-Restart Bomb',
+};
+/**
+ * Maps rule IDs to their severity categories
+ */
+const RULE_SEVERITIES = {
+    'unbounded-timer': 'high',
+    'orphan-process': 'high',
+    'unbounded-io-loop': 'critical',
+    'retry-without-limit': 'high',
+    'circular-trigger': 'critical',
+    'resource-leak': 'medium',
+    'unbounded-recursion': 'high',
+    'auto-restart-bomb': 'critical',
+};
+/**
+ * Gets the human-readable title for a rule
+ */
+export function getRuleTitle(rule) {
+    return RULE_TITLES[rule] || rule;
+}
+/**
+ * Gets the severity level for a rule
+ */
+export function getRuleSeverity(rule) {
+    return RULE_SEVERITIES[rule] || 'medium';
+}
+/**
+ * Categorizes a violation and assigns it proper severity and title
+ */
+export function categorizeViolation(violation) {
+    // Override severity if necessary (already set in violation)
+    return violation;
+}
+/**
+ * Converts a side effect violation to a Failure object
+ */
+export function violationToFailure(violation, createFailure) {
+    return createFailure(violation.description, [violation.file], violation.hint, `Side-Effect: ${getRuleTitle(violation.rule)}`, violation.line, violation.line, violation.severity);
+}
+/**
+ * Groups violations by severity level
+ */
+export function groupBySeverity(violations) {
+    const grouped = {
+        critical: [],
+        high: [],
+        medium: [],
+        low: [],
+    };
+    for (const violation of violations) {
+        const severity = violation.severity;
+        if (severity in grouped) {
+            grouped[severity].push(violation);
+        }
+    }
+    return grouped;
+}
+/**
+ * Filters violations by severity threshold
+ */
+export function filterBySeverity(violations, minSeverity) {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    const minLevel = severityOrder[minSeverity];
+    return violations.filter(v => severityOrder[v.severity] <= minLevel);
+}

package/dist/gates/{side-effect-analysis.d.ts → side-effect-analysis/index.d.ts}

@@ -32,11 +32,9 @@
  *
  * This is a CORE gate (enabled by default, provenance: ai-drift).
  * Supports: JS/TS, Python, Go, Rust, C#, Java, Ruby
- *
- * @since v4.3.0
  */
-import { Gate, GateContext } from './base.js';
-import { Failure, Provenance } from '../types/index.js';
+import { Gate, GateContext } from '../base.js';
+import { Failure, Provenance } from '../../types/index.js';
 export interface SideEffectAnalysisConfig {
     enabled?: boolean;
     check_unbounded_timers?: boolean;
@@ -63,5 +61,5 @@ export declare class SideEffectAnalysisGate extends Gate {
     private checkResourceLifecycle;
     private checkRecursiveDepth;
     private checkAutoRestart;
-    private buildFailures;
 }
+export { SideEffectViolation, SideEffectLang } from '../side-effect-helpers/index.js';

package/dist/gates/{side-effect-analysis.js → side-effect-analysis/index.js}

@@ -32,25 +32,33 @@
  *
  * This is a CORE gate (enabled by default, provenance: ai-drift).
  * Supports: JS/TS, Python, Go, Rust, C#, Java, Ruby
- *
- * @since v4.3.0
  */
-import { Gate } from './base.js';
-import { FileScanner } from '../utils/scanner.js';
-import { Logger } from '../utils/logger.js';
+import { Gate } from '../base.js';
+import { FileScanner } from '../../utils/scanner.js';
+import { Logger } from '../../utils/logger.js';
 import fs from 'fs-extra';
 import path from 'path';
 import { LANG_MAP, FILE_GLOBS, stripStrings, 
-// Scope analysis
-findEnclosingFunction, extractLoopBody, extractFunctionDefs, 
-// Variable binding
-extractVariableBinding, hasCleanupForVariable, 
-// Framework awareness
-isInUseEffectWithCleanup, hasGoDefer, isPythonWithStatement, isJavaTryWithResources, isCSharpUsing, isRubyBlockForm, isRustAutoDropped, isInsideCleanupContext, 
 // Detectors
 isTimerCreation, getTimerCleanupPatterns, isProcessSpawn, getProcessCleanupPatterns, isUnboundedLoop, containsIO, isFileWatcher, extractWatchedPath, extractWritePath, pathsOverlap, findWriteInBody, hasDebounceProtection, isResourceOpen, getResourceClosePatterns, isExitHandler, 
 // Loop/recursion
-hasRetryLimit, hasCatchWithContinue, hasBaseCase, hasDepthParameter, } from './side-effect-helpers.js';
+hasRetryLimit, hasCatchWithContinue, hasBaseCase, hasDepthParameter, 
+// Variable binding
+extractVariableBinding, hasCleanupForVariable, 
+// Go defer
+hasGoDefer, 
+// Python with
+isPythonWithStatement, 
+// Java try-with
+isJavaTryWithResources, 
+// C# using
+isCSharpUsing, 
+// Ruby block
+isRubyBlockForm, 
+// Rust
+isRustAutoDropped, } from '../side-effect-helpers/index.js';
+import { findFunctionScope, getBlockBody, isInFrameworkCleanup, getAllFunctions, } from './scope-tracker.js';
+import { violationToFailure, } from './categorizer.js';
 export class SideEffectAnalysisGate extends Gate {
     cfg;
     constructor(config = {}) {
@@ -102,7 +110,7 @@ export class SideEffectAnalysisGate extends Gate {
             }
             catch { /* skip unreadable files */ }
         }
-        return this.buildFailures(violations);
+        return violations.map(v => violationToFailure(v, (msg, files, hint, title, sl, el, sev) => this.createFailure(msg, files, hint, title, sl, el, sev)));
     }
     scanFile(lang, lines, content, file, violations) {
         if (this.cfg.check_unbounded_timers) {
@@ -148,14 +156,10 @@ export class SideEffectAnalysisGate extends Gate {
             // Extract variable binding: `const timer = setInterval(...)`
             const varName = extractVariableBinding(lines[i], lang);
             // Find enclosing function scope
-            const scope = findEnclosingFunction(lines, i, lang);
-            // FRAMEWORK CHECK: React useEffect with cleanup return
-            if ((lang === 'js' || lang === 'ts') && isInUseEffectWithCleanup(lines, i)) {
-                continue; // useEffect cleanup handles it
-            }
-            // FRAMEWORK CHECK: Inside a cleanup/teardown context already
-            if (isInsideCleanupContext(lines, i, lang)) {
-                continue; // Timer in cleanup = intentional short-lived timer
+            const scope = findFunctionScope(lines, i, lang);
+            // FRAMEWORK CHECK: React useEffect with cleanup return or cleanup context
+            if (isInFrameworkCleanup(lines, i, lang)) {
+                continue; // Framework cleanup handles it
             }
             if (varName) {
                 // Variable is stored — check for cleanup using that specific variable
@@ -202,7 +206,7 @@ export class SideEffectAnalysisGate extends Gate {
             if (!spawnMatch)
                 continue;
             const varName = extractVariableBinding(lines[i], lang);
-            const scope = findEnclosingFunction(lines, i, lang);
+            const scope = findFunctionScope(lines, i, lang);
             // Check if the process result is awaited on the same line
             if (/\bawait\b/.test(lines[i]))
                 continue;
@@ -263,7 +267,7 @@ export class SideEffectAnalysisGate extends Gate {
             if (!isUnboundedLoop(lines[i], lang))
                 continue;
             // Extract actual loop body using scope tracking
-            const { body, end } = extractLoopBody(lines, i, lang);
+            const { body, end } = getBlockBody(lines, i, lang);
             // Check for I/O inside the extracted body
             if (!containsIO(body, lang))
                 continue;
@@ -308,7 +312,7 @@ export class SideEffectAnalysisGate extends Gate {
             const isLoop = isUnboundedLoop(lines[i], lang) || /\bwhile\s*\(/.test(stripped);
             if (!isLoop)
                 continue;
-            const { body, end } = extractLoopBody(lines, i, lang);
+            const { body, end } = getBlockBody(lines, i, lang);
             // Check if this is actually a retry pattern (catch + continue)
             if (!hasCatchWithContinue(body, lang))
                 continue;
@@ -341,7 +345,7 @@ export class SideEffectAnalysisGate extends Gate {
             // Extract the watched path
             const watchedPath = extractWatchedPath(lines[i]);
             // Extract the watcher callback body
-            const { body, end } = extractLoopBody(lines, i, lang);
+            const { body, end } = getBlockBody(lines, i, lang);
             // Check for file write operations in the callback body
             const writeCall = findWriteInBody(body, lang);
             if (!writeCall)
@@ -426,10 +430,10 @@ export class SideEffectAnalysisGate extends Gate {
             if (lang === 'rs' && isRustAutoDropped(lines, i))
                 continue;
             // Inside a cleanup context (finally, __exit__, Dispose, etc.)
-            if (isInsideCleanupContext(lines, i, lang))
+            if (isInFrameworkCleanup(lines, i, lang))
                 continue;
             // ── VARIABLE-BOUND CLEANUP CHECK ──
-            const scope = findEnclosingFunction(lines, i, lang);
+            const scope = findFunctionScope(lines, i, lang);
             if (varName) {
                 // Check for cleanup using the specific variable
                 const hasPairedCleanup = hasCleanupForVariable(lines, varName, scope.start, scope.end, closePats, lang);
@@ -472,7 +476,7 @@ export class SideEffectAnalysisGate extends Gate {
     // it's just a stack overflow — bad but not a side effect).
     // ═══════════════════════════════════════════════════════════════
     checkRecursiveDepth(lang, lines, file, violations) {
-        const funcDefs = extractFunctionDefs(lines, lang);
+        const funcDefs = getAllFunctions(lines, lang);
         for (const func of funcDefs) {
             const bodyLines = lines.slice(func.start + 1, func.end);
             const body = bodyLines.join('\n');
@@ -517,7 +521,7 @@ export class SideEffectAnalysisGate extends Gate {
             if (!isExitHandler(lines[i], lang))
                 continue;
             // Extract the handler body
-            const { body, end } = extractLoopBody(lines, i, lang);
+            const { body, end } = getBlockBody(lines, i, lang);
             // Check if the handler spawns a process
             const hasSpawn = body.split('\n').some(l => isProcessSpawn(l, lang) !== null);
             if (!hasSpawn)
@@ -541,20 +545,4 @@ export class SideEffectAnalysisGate extends Gate {
             });
         }
     }
-    // ═══════════════════════════════════════════════════════════════
-    // OUTPUT
-    // ═══════════════════════════════════════════════════════════════
-    buildFailures(violations) {
-        return violations.map(v => this.createFailure(v.description, [v.file], v.hint, `Side-Effect: ${RULE_TITLES[v.rule] || v.rule}`, v.line, v.line, v.severity));
-    }
 }
-const RULE_TITLES = {
-    'unbounded-timer': 'Unbounded Timer',
-    'orphan-process': 'Orphan Process',
-    'unbounded-io-loop': 'Unbounded I/O Loop',
-    'retry-without-limit': 'Retry Without Limit',
-    'circular-trigger': 'Circular File Trigger',
-    'resource-leak': 'Resource Leak',
-    'unbounded-recursion': 'Unbounded Recursion',
-    'auto-restart-bomb': 'Auto-Restart Bomb',
-};

package/dist/gates/side-effect-analysis/scope-tracker.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Scope and Context Tracking for Side-Effect Analysis
+ *
+ * Tracks scope boundaries, context tracking, and state during analysis.
+ */
+import { SideEffectLang } from '../side-effect-helpers/index.js';
+/**
+ * Finds the enclosing function scope for a given line index.
+ * Returns start and end line numbers of the scope.
+ */
+export declare function findFunctionScope(lines: string[], lineIndex: number, lang: SideEffectLang): {
+    start: number;
+    end: number;
+};
+/**
+ * Extracts the body of a loop or block starting at the given line.
+ * Handles scope-aware block detection (brace/indent tracking).
+ */
+export declare function getBlockBody(lines: string[], lineIndex: number, lang: SideEffectLang): {
+    body: string;
+    end: number;
+};
+/**
+ * Checks if a timer creation is in a React useEffect with cleanup return.
+ * Framework-aware pattern detection for safe side effects.
+ */
+export declare function isInFrameworkCleanup(lines: string[], lineIndex: number, lang: SideEffectLang): boolean;
+/**
+ * Extracts all function definitions from the source code.
+ * Used for recursion analysis.
+ */
+export declare function getAllFunctions(lines: string[], lang: SideEffectLang): Array<{
+    name: string;
+    start: number;
+    end: number;
+    params: string;
+}>;