@rigour-labs/core 5.0.1 → 5.1.0

package/dist/gates/phantom-apis.js

@@ -16,12 +16,11 @@
  *   C#     — Common .NET hallucinated APIs (LINQ, File I/O, string methods)
  *   Java   — Common hallucinated JDK APIs (Collections, String, Stream, Files)
  *
- * @since v3.0.0
- * @since v3.0.3 — Go, C#, Java pattern-based detection added
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
 import { Logger } from '../utils/logger.js';
+import { languageAdapters } from './language-adapters/index.js';
 import fs from 'fs-extra';
 import path from 'path';
 import { GO_PHANTOM_RULES, CSHARP_PHANTOM_RULES, JAVA_PHANTOM_RULES, NODE_STDLIB_METHODS, PYTHON_STDLIB_METHODS } from './phantom-apis-data.js';
@@ -63,23 +62,41 @@ export class PhantomApisGate extends Gate {
                 const fullPath = path.join(context.cwd, file);
                 const content = await fs.readFile(fullPath, 'utf-8');
                 const ext = path.extname(file);
-                if (['.ts', '.js', '.tsx', '.jsx'].includes(ext) && this.config.check_node) {
-                    this.checkNodePhantomApis(content, file, phantoms);
-                }
-                else if (ext === '.py' && this.config.check_python) {
-                    this.checkPythonPhantomApis(content, file, phantoms);
-                }
-                else if (ext === '.go' && this.config.check_go) {
-                    this.checkGoPhantomApis(content, file, phantoms);
-                }
-                else if (ext === '.cs' && this.config.check_csharp) {
-                    this.checkCSharpPhantomApis(content, file, phantoms);
-                }
-                else if (ext === '.java' && this.config.check_java) {
-                    this.checkJavaPhantomApis(content, file, phantoms);
-                }
-                else if (ext === '.kt' && this.config.check_java) {
-                    this.checkKotlinPhantomApis(content, file, phantoms);
+                const adapter = languageAdapters.getAdapter(file);
+                if (!adapter)
+                    continue;
+                /** Map adapter IDs to config flags */
+                const configCheck = {
+                    js: this.config.check_node,
+                    python: this.config.check_python,
+                    go: this.config.check_go,
+                    csharp: this.config.check_csharp,
+                    java: this.config.check_java,
+                };
+                if (configCheck[adapter.id] === false)
+                    continue;
+                switch (adapter.id) {
+                    case 'js':
+                        this.checkNodePhantomApis(content, file, phantoms);
+                        break;
+                    case 'python':
+                        this.checkPythonPhantomApis(content, file, phantoms);
+                        break;
+                    case 'go':
+                        this.checkGoPhantomApis(content, file, phantoms);
+                        break;
+                    case 'csharp':
+                        this.checkCSharpPhantomApis(content, file, phantoms);
+                        break;
+                    case 'java':
+                        // Java adapter handles both .java and .kt via extensions
+                        if (ext === '.kt') {
+                            this.checkKotlinPhantomApis(content, file, phantoms);
+                        }
+                        else {
+                            this.checkJavaPhantomApis(content, file, phantoms);
+                        }
+                        break;
                 }
             }
             catch { /* skip unreadable files */ }
@@ -152,6 +169,14 @@ export class PhantomApisGate extends Gate {
             const requireImport = line.match(/(?:const|let|var)\s+(\w+)\s*=\s*require\s*\(\s*['"](?:node:)?(fs|path|crypto|os|child_process|http|https|url|util|stream|events|buffer|querystring|net|dns|tls|zlib|readline|cluster|worker_threads|timers|perf_hooks|assert)['"]\s*\)/);
             if (requireImport) {
                 moduleAliases.set(requireImport[1], requireImport[2]);
+                continue;
+            }
+            // import { readFile, writeFile } from 'fs' — destructured imports are NOT phantom API candidates
+            // since they reference individual exports, not module.method() calls
+            // import fs/promises or fs.promises patterns
+            const promisesImport = line.match(/import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"](?:node:)?(fs)\/promises['"]/);
+            if (promisesImport) {
+                moduleAliases.set(promisesImport[1], 'fs/promises');
             }
         }
         if (moduleAliases.size === 0)
@@ -249,7 +274,11 @@ export class PhantomApisGate extends Gate {
     }
     findClosest(target, candidates) {
         let best = null;
-        let bestDist = 4; // max distance threshold
+        // Adaptive threshold: short names (< 6 chars) get max distance 1,
+        // medium names (6-10) get 2, long names get 3.
+        // This prevents false suggestions like "read" → "readdir" for short phantoms.
+        const maxDist = target.length < 6 ? 2 : target.length <= 10 ? 3 : 4;
+        let bestDist = maxDist;
         for (const c of candidates) {
             const dist = this.levenshtein(target.toLowerCase(), c.toLowerCase());
             if (dist < bestDist) {

package/dist/gates/promise-safety.d.ts

@@ -4,7 +4,6 @@
  * Detects unsafe async/promise/error patterns that AI code generators commonly produce.
  * Supports: JS/TS, Python, Go, Ruby, C#/.NET
  *
- * @since v2.17.0
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';

package/dist/gates/promise-safety.js

@@ -4,7 +4,6 @@
  * Detects unsafe async/promise/error patterns that AI code generators commonly produce.
  * Supports: JS/TS, Python, Go, Ruby, C#/.NET
  *
- * @since v2.17.0
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
@@ -88,12 +87,25 @@ export class PromiseSafetyGate extends Gate {
             if (!/\.then\s*\(/.test(line))
                 continue;
             let hasCatch = false;
-            for (let j = i; j < Math.min(i + 50, lines.length); j++) {
+            // Scan ahead until we hit a statement boundary (no arbitrary limit).
+            // A "statement boundary" is a new declaration, function, class, or blank line after content.
+            let braceDepth = 0;
+            for (let j = i; j < lines.length; j++) {
                 const lookahead = this.sanitizeLine(lines[j]);
+                // Track brace depth to stay within the same scope
+                for (const ch of lookahead) {
+                    if (ch === '{')
+                        braceDepth++;
+                    if (ch === '}')
+                        braceDepth--;
+                }
                 if (/\.catch\s*\(/.test(lookahead)) {
                     hasCatch = true;
                     break;
                 }
+                // Also count .then().then().catch() chains — the catch at the end covers all
+                if (j > i && braceDepth < 0)
+                    break; // Exited enclosing scope
                 if (j > i && /^(?:const|let|var|function|class|export|import|if|for|while|return)\b/.test(lookahead.trim()))
                     break;
             }

package/dist/gates/runner.js

@@ -17,15 +17,15 @@ import { AgentTeamGate } from './agent-team.js';
 import { CheckpointGate } from './checkpoint.js';
 import { SecurityPatternsGate } from './security-patterns.js';
 import { FrontendSecretExposureGate } from './frontend-secret-exposure.js';
-import { DuplicationDriftGate } from './duplication-drift.js';
-import { HallucinatedImportsGate } from './hallucinated-imports.js';
+import { DuplicationDriftGate } from './duplication-drift/index.js';
+import { HallucinatedImportsGate } from './hallucinated-imports/index.js';
 import { InconsistentErrorHandlingGate } from './inconsistent-error-handling.js';
 import { ContextWindowArtifactsGate } from './context-window-artifacts.js';
 import { PromiseSafetyGate } from './promise-safety.js';
 import { PhantomApisGate } from './phantom-apis.js';
 import { DeprecatedApisGate } from './deprecated-apis.js';
 import { TestQualityGate } from './test-quality.js';
-import { SideEffectAnalysisGate } from './side-effect-analysis.js';
+import { SideEffectAnalysisGate } from './side-effect-analysis/index.js';
 import { StyleDriftGate } from './style-drift.js';
 import { LogicDriftGate } from './logic-drift.js';
 import { execa } from 'execa';
@@ -233,22 +233,45 @@ export class GateRunner {
             }
         }
         const status = failures.length > 0 ? 'FAIL' : 'PASS';
-        // Severity-weighted scoring: each failure deducts based on its severity
+        // Severity-weighted scoring with per-gate cap and deduplication
+        // Step 1: Deduplicate — same file + line + gate should not stack
+        const deduped = [];
+        const seen = new Set();
+        for (const f of failures) {
+            const key = `${f.id}:${(f.files || []).join(',')}:${f.line || 0}`;
+            if (!seen.has(key)) {
+                seen.add(key);
+                deduped.push(f);
+            }
+        }
+        // Replace failures array with deduplicated version
+        failures.length = 0;
+        failures.push(...deduped);
+        // Step 2: Calculate per-gate deductions with cap
+        const PER_GATE_CAP = 30; // No single gate can deduct more than 30 points
         const severityBreakdown = {};
-        let totalDeduction = 0;
+        const gateDeductions = new Map();
         for (const f of failures) {
             const sev = (f.severity || 'medium');
             severityBreakdown[sev] = (severityBreakdown[sev] || 0) + 1;
-            totalDeduction += SEVERITY_WEIGHTS[sev] ?? 5;
+            const weight = SEVERITY_WEIGHTS[sev] ?? 5;
+            const gateId = f.id || 'unknown';
+            gateDeductions.set(gateId, (gateDeductions.get(gateId) || 0) + weight);
+        }
+        // Step 3: Apply cap per gate and sum
+        let totalDeduction = 0;
+        for (const [_gateId, deduction] of gateDeductions) {
+            totalDeduction += Math.min(deduction, PER_GATE_CAP);
         }
         const score = Math.max(0, 100 - totalDeduction);
         // Two-score system: separate AI health from structural quality
         // IMPORTANT: Only ai-drift affects ai_health_score, only traditional affects structural_score.
         // Security and governance affect the overall score but NOT the sub-scores,
         // preventing security criticals from incorrectly zeroing structural_score.
-        let aiDeduction = 0;
-        let structuralDeduction = 0;
-        let deepDeduction = 0;
+        // Per-gate caps applied to sub-scores too for fairness.
+        const aiGateDeductions = new Map();
+        const structuralGateDeductions = new Map();
+        const deepGateDeductions = new Map();
         const provenanceCounts = {
             'ai-drift': 0,
             'traditional': 0,
@@ -260,24 +283,33 @@ export class GateRunner {
             const sev = (f.severity || 'medium');
             const weight = SEVERITY_WEIGHTS[sev] ?? 5;
             const prov = f.provenance || 'traditional';
+            const gateId = f.id || 'unknown';
             provenanceCounts[prov] = (provenanceCounts[prov] || 0) + 1;
             switch (prov) {
                 case 'ai-drift':
-                    aiDeduction += weight;
+                    aiGateDeductions.set(gateId, (aiGateDeductions.get(gateId) || 0) + weight);
                     break;
                 case 'traditional':
-                    structuralDeduction += weight;
+                    structuralGateDeductions.set(gateId, (structuralGateDeductions.get(gateId) || 0) + weight);
                     break;
                 case 'deep-analysis':
-                    deepDeduction += weight;
+                    deepGateDeductions.set(gateId, (deepGateDeductions.get(gateId) || 0) + weight);
                     break;
-                // security and governance contribute to overall score (totalDeduction)
-                // but do NOT pollute the sub-scores
                 case 'security':
                 case 'governance':
                     break;
             }
         }
+        // Apply per-gate cap to sub-scores
+        let aiDeduction = 0;
+        for (const [, d] of aiGateDeductions)
+            aiDeduction += Math.min(d, PER_GATE_CAP);
+        let structuralDeduction = 0;
+        for (const [, d] of structuralGateDeductions)
+            structuralDeduction += Math.min(d, PER_GATE_CAP);
+        let deepDeduction = 0;
+        for (const [, d] of deepGateDeductions)
+            deepDeduction += Math.min(d, PER_GATE_CAP);
         // Persist findings + reinforce patterns in local SQLite (fire-and-forget)
         const report = {
             status,
@@ -295,15 +327,12 @@ export class GateRunner {
             },
         };
         // Store findings + reinforce patterns in local SQLite (non-blocking)
-        try {
-            persistAndReinforce(cwd, report, deepStats ? {
-                deepTier: deepStats.tier,
-                deepModel: deepStats.model,
-            } : undefined);
-        }
-        catch {
+        persistAndReinforce(cwd, report, deepStats ? {
+            deepTier: deepStats.tier,
+            deepModel: deepStats.model,
+        } : undefined).catch(() => {
             // Silent — local memory is advisory, never blocks scans
-        }
+        });
         // v5: Record per-provenance data for adaptive thresholds + temporal drift
         try {
             const passedCount = Object.values(summary).filter(s => s === 'PASS').length;

package/dist/gates/security-patterns-data.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Security Patterns Gate — Vulnerability Pattern Definitions
+ *
+ * Contains OWASP rule definitions, regex pattern arrays, and
+ * language-specific vulnerability patterns.
+ */
+export declare const VULNERABILITY_PATTERNS: {
+    type: string;
+    regex: RegExp;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    description: string;
+    cwe: string;
+    languages: string[];
+}[];

package/dist/gates/security-patterns-data.js

@@ -0,0 +1,235 @@
+/**
+ * Security Patterns Gate — Vulnerability Pattern Definitions
+ *
+ * Contains OWASP rule definitions, regex pattern arrays, and
+ * language-specific vulnerability patterns.
+ */
+export const VULNERABILITY_PATTERNS = [
+    // SQL Injection
+    {
+        type: 'sql_injection',
+        regex: /(?:execute|query|raw|exec)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^`]*\$\{[^}]+\}[^`]*`/gi,
+        severity: 'critical',
+        description: 'Potential SQL injection: User input concatenated into SQL query',
+        cwe: 'CWE-89',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'sql_injection',
+        regex: /(?:execute|query|raw|exec)\s*\(\s*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^'"`]*['"`]\s*\+\s*[^)]+\)/gi,
+        severity: 'critical',
+        description: 'SQL query built with string concatenation',
+        cwe: 'CWE-89',
+        languages: ['ts', 'js']
+    },
+    // XSS
+    {
+        type: 'xss',
+        regex: /innerHTML\s*=\s*(?!\s*['"`]\s*['"`])[^;]+/g,
+        severity: 'high',
+        description: 'Potential XSS: innerHTML assignment with dynamic content',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'tsx', 'jsx']
+    },
+    {
+        type: 'xss',
+        regex: /dangerouslySetInnerHTML\s*=\s*\{/g,
+        severity: 'high',
+        description: 'dangerouslySetInnerHTML usage (ensure content is sanitized)',
+        cwe: 'CWE-79',
+        languages: ['tsx', 'jsx']
+    },
+    {
+        type: 'xss',
+        regex: /document\.write\s*\(/g,
+        severity: 'high',
+        description: 'document.write is dangerous for XSS',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    // Path Traversal
+    {
+        type: 'path_traversal',
+        regex: /(?:readFile|writeFile|readdir|unlink|rmdir)\s*\([^)]*(?:req\.(?:params|query|body)|\.\.\/)/g,
+        severity: 'high',
+        description: 'Potential path traversal: File operation with user input',
+        cwe: 'CWE-22',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'path_traversal',
+        regex: /path\.join\s*\([^)]*req\./g,
+        severity: 'medium',
+        description: 'path.join with request data (verify input sanitization)',
+        cwe: 'CWE-22',
+        languages: ['ts', 'js']
+    },
+    // Hardcoded Secrets
+    {
+        type: 'hardcoded_secrets',
+        regex: /(?:password|secret|api_key|apikey|auth_token|access_token|private_key)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+        severity: 'critical',
+        description: 'Hardcoded secret detected in code',
+        cwe: 'CWE-798',
+        languages: ['ts', 'js', 'py', 'java', 'go']
+    },
+    {
+        type: 'hardcoded_secrets',
+        regex: /(?:sk-|pk-|rk-|ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{20,}/g,
+        severity: 'critical',
+        description: 'API key pattern detected (OpenAI, GitHub, etc.)',
+        cwe: 'CWE-798',
+        languages: ['*']
+    },
+    {
+        type: 'hardcoded_secrets',
+        regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'Private key embedded in source code',
+        cwe: 'CWE-798',
+        languages: ['*']
+    },
+    // Insecure Randomness
+    {
+        type: 'insecure_randomness',
+        regex: /Math\.random\s*\(\s*\)/g,
+        severity: 'medium',
+        description: 'Math.random() is not cryptographically secure',
+        cwe: 'CWE-338',
+        languages: ['ts', 'js', 'tsx', 'jsx']
+    },
+    // Command Injection
+    {
+        type: 'command_injection',
+        regex: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*(?:`[^`]*\$\{[^}]*(?:req\.|query|params|body|input|user|argv|process\.env)[^}]*\}[^`]*`|[^)]*(?:req\.|query|params|body|input|user|argv|process\.env)[^)]*)\)/g,
+        severity: 'critical',
+        description: 'Potential command injection: shell execution with user input',
+        cwe: 'CWE-78',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'command_injection',
+        regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\([^)]*(?:req\.|query|params|body|input|user|argv|process\.env)/g,
+        severity: 'high',
+        description: 'child_process usage detected (verify input sanitization)',
+        cwe: 'CWE-78',
+        languages: ['ts', 'js']
+    },
+    // Python subprocess command injection
+    {
+        type: 'command_injection',
+        regex: /subprocess\.(?:run|call|Popen|check_output|check_call)\s*\([^)]*shell\s*=\s*True/g,
+        severity: 'critical',
+        description: 'Python subprocess with shell=True — potential command injection',
+        cwe: 'CWE-78',
+        languages: ['py']
+    },
+    {
+        type: 'command_injection',
+        regex: /subprocess\.(?:run|call|Popen|check_output|check_call)\s*\(\s*f["'][^"']*\{[^}]+\}/g,
+        severity: 'critical',
+        description: 'Python subprocess with f-string interpolation — potential command injection',
+        cwe: 'CWE-78',
+        languages: ['py']
+    },
+    {
+        type: 'command_injection',
+        regex: /os\.(?:system|popen)\s*\(\s*(?:f["']|[^"']*\.format\(|[^"']*%\s)/g,
+        severity: 'critical',
+        description: 'Python os.system/os.popen with dynamic string — command injection risk',
+        cwe: 'CWE-78',
+        languages: ['py']
+    },
+    // ReDoS — Denial of Service via regex (OWASP #7)
+    {
+        type: 'redos',
+        regex: /new RegExp\s*\([^)]*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Dynamic regex from user input — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'redos',
+        regex: /\(\?:[^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\(\.\*\)\{/g,
+        severity: 'medium',
+        description: 'Regex with nested quantifiers — potential ReDoS',
+        cwe: 'CWE-1333',
+        languages: ['ts', 'js', 'py']
+    },
+    // Overly Permissive Code (OWASP #9)
+    {
+        type: 'overly_permissive',
+        regex: /cors\s*\(\s*\{[^}]*origin\s*:\s*(?:true|['"`]\*['"`])/g,
+        severity: 'high',
+        description: 'CORS wildcard origin — allows any domain',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:listen|bind)\s*\(\s*(?:\d+\s*,\s*)?['"`]0\.0\.0\.0['"`]/g,
+        severity: 'medium',
+        description: 'Binding to 0.0.0.0 exposes service to all interfaces',
+        cwe: 'CWE-668',
+        languages: ['ts', 'js', 'py', 'go']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /chmod\s*\(\s*[^,]*,\s*['"`]?(?:0o?)?777['"`]?\s*\)/g,
+        severity: 'high',
+        description: 'chmod 777 — world-readable/writable permissions',
+        cwe: 'CWE-732',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'overly_permissive',
+        regex: /(?:Access-Control-Allow-Origin|x-powered-by)['"`,\s:]+\*/gi,
+        severity: 'high',
+        description: 'Wildcard Access-Control-Allow-Origin header',
+        cwe: 'CWE-942',
+        languages: ['ts', 'js', 'py']
+    },
+    // Unsafe Output Handling (OWASP #6)
+    {
+        type: 'unsafe_output',
+        regex: /res\.(?:send|write|end)\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'high',
+        description: 'Reflecting user input in response without sanitization',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /\$\{[^}]*(?:req\.|params|query|body|input|user)[^}]*\}.*(?:html|template|render)/gi,
+        severity: 'high',
+        description: 'User input interpolated into template/HTML output',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'unsafe_output',
+        regex: /eval\s*\(\s*(?:req\.|params|query|body|input|user)/g,
+        severity: 'critical',
+        description: 'eval() with user input — code injection',
+        cwe: 'CWE-94',
+        languages: ['ts', 'js', 'py']
+    },
+    // Missing Input Validation (OWASP #8)
+    {
+        type: 'missing_input_validation',
+        regex: /JSON\.parse\s*\(\s*(?:req\.body|request\.body|body|data|input)\s*\)/g,
+        severity: 'medium',
+        description: 'JSON.parse on raw input without schema validation',
+        cwe: 'CWE-20',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'missing_input_validation',
+        regex: /(?:as\s+any|:\s*any)\s*(?:[;,)\]}])/g,
+        severity: 'medium',
+        description: 'Type assertion to "any" bypasses type safety',
+        cwe: 'CWE-20',
+        languages: ['ts']
+    },
+];

package/dist/gates/security-patterns.d.ts

@@ -11,8 +11,6 @@
  * - Hardcoded Secrets
  * - Insecure Randomness
  * - Command Injection
- *
- * @since v2.14.0
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';
@@ -49,9 +47,25 @@ export declare class SecurityPatternsGate extends Gate {
     private scanFileForVulnerabilities;
     /**
      * Check if a hardcoded secret match is actually a dummy/placeholder value.
-     * Filters out test values, placeholder defaults, and env-var-name assignments.
+     * Filters out test values, placeholder defaults, env-var-name assignments,
+     * store action types, and low-entropy constants.
      */
     private isDummySecretValue;
+    /**
+     * Calculate Shannon entropy (bits per character) of a string.
+     * Real secrets have high entropy (>4.5); constants/names have low entropy (<3.0).
+     */
+    private shannonEntropy;
+    /**
+     * Check if an innerHTML or dangerouslySetInnerHTML assignment is wrapped in a sanitizer.
+     * Known sanitizers: DOMPurify.sanitize(), sanitize(), xss(), escapeHtml(), htmlEncode().
+     */
+    private isSanitizedAssignment;
+    /**
+     * Check if a shell execution call is using { shell: false } option (safe pattern).
+     * Also, spawn() without { shell: true } is safe by default — don't flag it.
+     */
+    private isSafeShellCall;
 }
 /**
  * Quick helper to check a single file for security issues