npm - circle-ir-ai - Versions diffs - 1.1.0 - Mend

circle-ir-ai 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (420) hide show

package/CHANGELOG.md +105 -0
package/LICENSE +15 -0
package/README.md +336 -0
package/dist/action-queue/aggregator.d.ts +40 -0
package/dist/action-queue/aggregator.d.ts.map +1 -0
package/dist/action-queue/aggregator.js +375 -0
package/dist/action-queue/aggregator.js.map +1 -0
package/dist/action-queue/index.d.ts +14 -0
package/dist/action-queue/index.d.ts.map +1 -0
package/dist/action-queue/index.js +17 -0
package/dist/action-queue/index.js.map +1 -0
package/dist/action-queue/queue.d.ts +74 -0
package/dist/action-queue/queue.d.ts.map +1 -0
package/dist/action-queue/queue.js +433 -0
package/dist/action-queue/queue.js.map +1 -0
package/dist/action-queue/types.d.ts +162 -0
package/dist/action-queue/types.d.ts.map +1 -0
package/dist/action-queue/types.js +44 -0
package/dist/action-queue/types.js.map +1 -0
package/dist/agents/enrichment-agent.d.ts +16 -0
package/dist/agents/enrichment-agent.d.ts.map +1 -0
package/dist/agents/enrichment-agent.js +102 -0
package/dist/agents/enrichment-agent.js.map +1 -0
package/dist/agents/index.d.ts +12 -0
package/dist/agents/index.d.ts.map +1 -0
package/dist/agents/index.js +15 -0
package/dist/agents/index.js.map +1 -0
package/dist/agents/mastra/agents.d.ts +373 -0
package/dist/agents/mastra/agents.d.ts.map +1 -0
package/dist/agents/mastra/agents.js +347 -0
package/dist/agents/mastra/agents.js.map +1 -0
package/dist/agents/mastra/index.d.ts +12 -0
package/dist/agents/mastra/index.d.ts.map +1 -0
package/dist/agents/mastra/index.js +17 -0
package/dist/agents/mastra/index.js.map +1 -0
package/dist/agents/mastra/instance.d.ts +383 -0
package/dist/agents/mastra/instance.d.ts.map +1 -0
package/dist/agents/mastra/instance.js +37 -0
package/dist/agents/mastra/instance.js.map +1 -0
package/dist/agents/mastra/steps.d.ts +300 -0
package/dist/agents/mastra/steps.d.ts.map +1 -0
package/dist/agents/mastra/steps.js +468 -0
package/dist/agents/mastra/steps.js.map +1 -0
package/dist/agents/mastra/swarm.d.ts +106 -0
package/dist/agents/mastra/swarm.d.ts.map +1 -0
package/dist/agents/mastra/swarm.js +501 -0
package/dist/agents/mastra/swarm.js.map +1 -0
package/dist/agents/mastra/workflow.d.ts +81 -0
package/dist/agents/mastra/workflow.d.ts.map +1 -0
package/dist/agents/mastra/workflow.js +460 -0
package/dist/agents/mastra/workflow.js.map +1 -0
package/dist/agents/multi/agents/security.d.ts +29 -0
package/dist/agents/multi/agents/security.d.ts.map +1 -0
package/dist/agents/multi/agents/security.js +830 -0
package/dist/agents/multi/agents/security.js.map +1 -0
package/dist/agents/multi/extractor.d.ts +21 -0
package/dist/agents/multi/extractor.d.ts.map +1 -0
package/dist/agents/multi/extractor.js +483 -0
package/dist/agents/multi/extractor.js.map +1 -0
package/dist/agents/multi/index.d.ts +32 -0
package/dist/agents/multi/index.d.ts.map +1 -0
package/dist/agents/multi/index.js +34 -0
package/dist/agents/multi/index.js.map +1 -0
package/dist/agents/multi/runner.d.ts +79 -0
package/dist/agents/multi/runner.d.ts.map +1 -0
package/dist/agents/multi/runner.js +323 -0
package/dist/agents/multi/runner.js.map +1 -0
package/dist/agents/security-agent.d.ts +16 -0
package/dist/agents/security-agent.d.ts.map +1 -0
package/dist/agents/security-agent.js +299 -0
package/dist/agents/security-agent.js.map +1 -0
package/dist/agents/types.d.ts +373 -0
package/dist/agents/types.d.ts.map +1 -0
package/dist/agents/types.js +14 -0
package/dist/agents/types.js.map +1 -0
package/dist/agents/verification-agent.d.ts +23 -0
package/dist/agents/verification-agent.d.ts.map +1 -0
package/dist/agents/verification-agent.js +217 -0
package/dist/agents/verification-agent.js.map +1 -0
package/dist/agents/workflow.d.ts +30 -0
package/dist/agents/workflow.d.ts.map +1 -0
package/dist/agents/workflow.js +79 -0
package/dist/agents/workflow.js.map +1 -0
package/dist/analysis/enriched.d.ts +16 -0
package/dist/analysis/enriched.d.ts.map +1 -0
package/dist/analysis/enriched.js +297 -0
package/dist/analysis/enriched.js.map +1 -0
package/dist/analysis/llm-correlated-predicates.d.ts +80 -0
package/dist/analysis/llm-correlated-predicates.d.ts.map +1 -0
package/dist/analysis/llm-correlated-predicates.js +255 -0
package/dist/analysis/llm-correlated-predicates.js.map +1 -0
package/dist/analysis/llm-cross-file-taint.d.ts +86 -0
package/dist/analysis/llm-cross-file-taint.d.ts.map +1 -0
package/dist/analysis/llm-cross-file-taint.js +264 -0
package/dist/analysis/llm-cross-file-taint.js.map +1 -0
package/dist/analysis/pattern-discovery.d.ts +79 -0
package/dist/analysis/pattern-discovery.d.ts.map +1 -0
package/dist/analysis/pattern-discovery.js +447 -0
package/dist/analysis/pattern-discovery.js.map +1 -0
package/dist/cache/file-cache.d.ts +89 -0
package/dist/cache/file-cache.d.ts.map +1 -0
package/dist/cache/file-cache.js +208 -0
package/dist/cache/file-cache.js.map +1 -0
package/dist/cache/index.d.ts +6 -0
package/dist/cache/index.d.ts.map +1 -0
package/dist/cache/index.js +5 -0
package/dist/cache/index.js.map +1 -0
package/dist/cli/args.d.ts +52 -0
package/dist/cli/args.d.ts.map +1 -0
package/dist/cli/args.js +422 -0
package/dist/cli/args.js.map +1 -0
package/dist/cli/colors.d.ts +31 -0
package/dist/cli/colors.d.ts.map +1 -0
package/dist/cli/colors.js +80 -0
package/dist/cli/colors.js.map +1 -0
package/dist/cli/commands/analyze-skill.d.ts +33 -0
package/dist/cli/commands/analyze-skill.d.ts.map +1 -0
package/dist/cli/commands/analyze-skill.js +217 -0
package/dist/cli/commands/analyze-skill.js.map +1 -0
package/dist/cli/commands/analyze.d.ts +18 -0
package/dist/cli/commands/analyze.d.ts.map +1 -0
package/dist/cli/commands/analyze.js +30 -0
package/dist/cli/commands/analyze.js.map +1 -0
package/dist/cli/commands/benchmark-runner.d.ts +42 -0
package/dist/cli/commands/benchmark-runner.d.ts.map +1 -0
package/dist/cli/commands/benchmark-runner.js +18 -0
package/dist/cli/commands/benchmark-runner.js.map +1 -0
package/dist/cli/commands/benchmark.d.ts +11 -0
package/dist/cli/commands/benchmark.d.ts.map +1 -0
package/dist/cli/commands/benchmark.js +90 -0
package/dist/cli/commands/benchmark.js.map +1 -0
package/dist/cli/commands/dead-code.d.ts +11 -0
package/dist/cli/commands/dead-code.d.ts.map +1 -0
package/dist/cli/commands/dead-code.js +65 -0
package/dist/cli/commands/dead-code.js.map +1 -0
package/dist/cli/commands/generate-spec.d.ts +11 -0
package/dist/cli/commands/generate-spec.d.ts.map +1 -0
package/dist/cli/commands/generate-spec.js +67 -0
package/dist/cli/commands/generate-spec.js.map +1 -0
package/dist/cli/commands/health.d.ts +11 -0
package/dist/cli/commands/health.d.ts.map +1 -0
package/dist/cli/commands/health.js +67 -0
package/dist/cli/commands/health.js.map +1 -0
package/dist/cli/commands/project.d.ts +21 -0
package/dist/cli/commands/project.d.ts.map +1 -0
package/dist/cli/commands/project.js +92 -0
package/dist/cli/commands/project.js.map +1 -0
package/dist/cli/commands/scan.d.ts +11 -0
package/dist/cli/commands/scan.d.ts.map +1 -0
package/dist/cli/commands/scan.js +68 -0
package/dist/cli/commands/scan.js.map +1 -0
package/dist/cli/commands/secrets.d.ts +11 -0
package/dist/cli/commands/secrets.d.ts.map +1 -0
package/dist/cli/commands/secrets.js +71 -0
package/dist/cli/commands/secrets.js.map +1 -0
package/dist/cli/commands/swarm.d.ts +20 -0
package/dist/cli/commands/swarm.d.ts.map +1 -0
package/dist/cli/commands/swarm.js +174 -0
package/dist/cli/commands/swarm.js.map +1 -0
package/dist/cli/config.d.ts +103 -0
package/dist/cli/config.d.ts.map +1 -0
package/dist/cli/config.js +307 -0
package/dist/cli/config.js.map +1 -0
package/dist/cli/discovery.d.ts +31 -0
package/dist/cli/discovery.d.ts.map +1 -0
package/dist/cli/discovery.js +212 -0
package/dist/cli/discovery.js.map +1 -0
package/dist/cli/formatters/index.d.ts +15 -0
package/dist/cli/formatters/index.d.ts.map +1 -0
package/dist/cli/formatters/index.js +51 -0
package/dist/cli/formatters/index.js.map +1 -0
package/dist/cli/formatters/json.d.ts +11 -0
package/dist/cli/formatters/json.d.ts.map +1 -0
package/dist/cli/formatters/json.js +12 -0
package/dist/cli/formatters/json.js.map +1 -0
package/dist/cli/formatters/project-json.d.ts +11 -0
package/dist/cli/formatters/project-json.d.ts.map +1 -0
package/dist/cli/formatters/project-json.js +12 -0
package/dist/cli/formatters/project-json.js.map +1 -0
package/dist/cli/formatters/project-sarif.d.ts +11 -0
package/dist/cli/formatters/project-sarif.d.ts.map +1 -0
package/dist/cli/formatters/project-sarif.js +127 -0
package/dist/cli/formatters/project-sarif.js.map +1 -0
package/dist/cli/formatters/project-summary.d.ts +11 -0
package/dist/cli/formatters/project-summary.d.ts.map +1 -0
package/dist/cli/formatters/project-summary.js +202 -0
package/dist/cli/formatters/project-summary.js.map +1 -0
package/dist/cli/formatters/sarif-shared.d.ts +101 -0
package/dist/cli/formatters/sarif-shared.d.ts.map +1 -0
package/dist/cli/formatters/sarif-shared.js +57 -0
package/dist/cli/formatters/sarif-shared.js.map +1 -0
package/dist/cli/formatters/sarif.d.ts +12 -0
package/dist/cli/formatters/sarif.d.ts.map +1 -0
package/dist/cli/formatters/sarif.js +92 -0
package/dist/cli/formatters/sarif.js.map +1 -0
package/dist/cli/formatters/summary.d.ts +11 -0
package/dist/cli/formatters/summary.d.ts.map +1 -0
package/dist/cli/formatters/summary.js +240 -0
package/dist/cli/formatters/summary.js.map +1 -0
package/dist/cli/formatters/two-phase-summary.d.ts +11 -0
package/dist/cli/formatters/two-phase-summary.d.ts.map +1 -0
package/dist/cli/formatters/two-phase-summary.js +188 -0
package/dist/cli/formatters/two-phase-summary.js.map +1 -0
package/dist/cli/index.d.ts +15 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +555 -0
package/dist/cli/index.js.map +1 -0
package/dist/components/clustering.d.ts +60 -0
package/dist/components/clustering.d.ts.map +1 -0
package/dist/components/clustering.js +129 -0
package/dist/components/clustering.js.map +1 -0
package/dist/components/enrichment.d.ts +45 -0
package/dist/components/enrichment.d.ts.map +1 -0
package/dist/components/enrichment.js +193 -0
package/dist/components/enrichment.js.map +1 -0
package/dist/components/index.d.ts +29 -0
package/dist/components/index.d.ts.map +1 -0
package/dist/components/index.js +56 -0
package/dist/components/index.js.map +1 -0
package/dist/dead-code/detector.d.ts +200 -0
package/dist/dead-code/detector.d.ts.map +1 -0
package/dist/dead-code/detector.js +1003 -0
package/dist/dead-code/detector.js.map +1 -0
package/dist/dead-code/index.d.ts +7 -0
package/dist/dead-code/index.d.ts.map +1 -0
package/dist/dead-code/index.js +7 -0
package/dist/dead-code/index.js.map +1 -0
package/dist/extractors/index.d.ts +15 -0
package/dist/extractors/index.d.ts.map +1 -0
package/dist/extractors/index.js +14 -0
package/dist/extractors/index.js.map +1 -0
package/dist/extractors/natural-language.d.ts +46 -0
package/dist/extractors/natural-language.d.ts.map +1 -0
package/dist/extractors/natural-language.js +228 -0
package/dist/extractors/natural-language.js.map +1 -0
package/dist/extractors/tree-sitter.d.ts +33 -0
package/dist/extractors/tree-sitter.d.ts.map +1 -0
package/dist/extractors/tree-sitter.js +69 -0
package/dist/extractors/tree-sitter.js.map +1 -0
package/dist/extractors/types.d.ts +62 -0
package/dist/extractors/types.d.ts.map +1 -0
package/dist/extractors/types.js +54 -0
package/dist/extractors/types.js.map +1 -0
package/dist/health-score/calculator.d.ts +123 -0
package/dist/health-score/calculator.d.ts.map +1 -0
package/dist/health-score/calculator.js +444 -0
package/dist/health-score/calculator.js.map +1 -0
package/dist/health-score/index.d.ts +12 -0
package/dist/health-score/index.d.ts.map +1 -0
package/dist/health-score/index.js +14 -0
package/dist/health-score/index.js.map +1 -0
package/dist/health-score/metrics.d.ts +142 -0
package/dist/health-score/metrics.d.ts.map +1 -0
package/dist/health-score/metrics.js +332 -0
package/dist/health-score/metrics.js.map +1 -0
package/dist/index.d.ts +26 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +43 -0
package/dist/index.js.map +1 -0
package/dist/llm/ax-client.d.ts +477 -0
package/dist/llm/ax-client.d.ts.map +1 -0
package/dist/llm/ax-client.js +1641 -0
package/dist/llm/ax-client.js.map +1 -0
package/dist/llm/config.d.ts +58 -0
package/dist/llm/config.d.ts.map +1 -0
package/dist/llm/config.js +97 -0
package/dist/llm/config.js.map +1 -0
package/dist/llm/discovery.d.ts +123 -0
package/dist/llm/discovery.d.ts.map +1 -0
package/dist/llm/discovery.js +505 -0
package/dist/llm/discovery.js.map +1 -0
package/dist/llm/enrichment.d.ts +108 -0
package/dist/llm/enrichment.d.ts.map +1 -0
package/dist/llm/enrichment.js +312 -0
package/dist/llm/enrichment.js.map +1 -0
package/dist/llm/index.d.ts +13 -0
package/dist/llm/index.d.ts.map +1 -0
package/dist/llm/index.js +22 -0
package/dist/llm/index.js.map +1 -0
package/dist/llm/language-context.d.ts +64 -0
package/dist/llm/language-context.d.ts.map +1 -0
package/dist/llm/language-context.js +492 -0
package/dist/llm/language-context.js.map +1 -0
package/dist/llm/pattern-verification.d.ts +39 -0
package/dist/llm/pattern-verification.d.ts.map +1 -0
package/dist/llm/pattern-verification.js +127 -0
package/dist/llm/pattern-verification.js.map +1 -0
package/dist/llm/prompt-security.d.ts +120 -0
package/dist/llm/prompt-security.d.ts.map +1 -0
package/dist/llm/prompt-security.js +301 -0
package/dist/llm/prompt-security.js.map +1 -0
package/dist/llm/prompts/index.d.ts +31 -0
package/dist/llm/prompts/index.d.ts.map +1 -0
package/dist/llm/prompts/index.js +92 -0
package/dist/llm/prompts/index.js.map +1 -0
package/dist/llm/prompts/rust.d.ts +30 -0
package/dist/llm/prompts/rust.d.ts.map +1 -0
package/dist/llm/prompts/rust.js +121 -0
package/dist/llm/prompts/rust.js.map +1 -0
package/dist/llm/schemas.d.ts +892 -0
package/dist/llm/schemas.d.ts.map +1 -0
package/dist/llm/schemas.js +258 -0
package/dist/llm/schemas.js.map +1 -0
package/dist/llm/verification.d.ts +127 -0
package/dist/llm/verification.d.ts.map +1 -0
package/dist/llm/verification.js +394 -0
package/dist/llm/verification.js.map +1 -0
package/dist/project/analyzer.d.ts +30 -0
package/dist/project/analyzer.d.ts.map +1 -0
package/dist/project/analyzer.js +358 -0
package/dist/project/analyzer.js.map +1 -0
package/dist/project/call-graph.d.ts +22 -0
package/dist/project/call-graph.d.ts.map +1 -0
package/dist/project/call-graph.js +246 -0
package/dist/project/call-graph.js.map +1 -0
package/dist/project/index.d.ts +18 -0
package/dist/project/index.d.ts.map +1 -0
package/dist/project/index.js +20 -0
package/dist/project/index.js.map +1 -0
package/dist/project/taint-paths.d.ts +22 -0
package/dist/project/taint-paths.d.ts.map +1 -0
package/dist/project/taint-paths.js +265 -0
package/dist/project/taint-paths.js.map +1 -0
package/dist/project/two-phase-analyzer.d.ts +143 -0
package/dist/project/two-phase-analyzer.d.ts.map +1 -0
package/dist/project/two-phase-analyzer.js +646 -0
package/dist/project/two-phase-analyzer.js.map +1 -0
package/dist/project/type-hierarchy.d.ts +28 -0
package/dist/project/type-hierarchy.d.ts.map +1 -0
package/dist/project/type-hierarchy.js +218 -0
package/dist/project/type-hierarchy.js.map +1 -0
package/dist/secret-scan/index.d.ts +12 -0
package/dist/secret-scan/index.d.ts.map +1 -0
package/dist/secret-scan/index.js +14 -0
package/dist/secret-scan/index.js.map +1 -0
package/dist/secret-scan/patterns.d.ts +38 -0
package/dist/secret-scan/patterns.d.ts.map +1 -0
package/dist/secret-scan/patterns.js +473 -0
package/dist/secret-scan/patterns.js.map +1 -0
package/dist/secret-scan/scanner.d.ts +162 -0
package/dist/secret-scan/scanner.d.ts.map +1 -0
package/dist/secret-scan/scanner.js +511 -0
package/dist/secret-scan/scanner.js.map +1 -0
package/dist/security-scan/index.d.ts +12 -0
package/dist/security-scan/index.d.ts.map +1 -0
package/dist/security-scan/index.js +15 -0
package/dist/security-scan/index.js.map +1 -0
package/dist/security-scan/owasp-mapping.d.ts +29 -0
package/dist/security-scan/owasp-mapping.d.ts.map +1 -0
package/dist/security-scan/owasp-mapping.js +246 -0
package/dist/security-scan/owasp-mapping.js.map +1 -0
package/dist/security-scan/scanner.d.ts +204 -0
package/dist/security-scan/scanner.d.ts.map +1 -0
package/dist/security-scan/scanner.js +693 -0
package/dist/security-scan/scanner.js.map +1 -0
package/dist/security-scan/trend-tracker.d.ts +150 -0
package/dist/security-scan/trend-tracker.d.ts.map +1 -0
package/dist/security-scan/trend-tracker.js +299 -0
package/dist/security-scan/trend-tracker.js.map +1 -0
package/dist/skills/bundle-loader.d.ts +26 -0
package/dist/skills/bundle-loader.d.ts.map +1 -0
package/dist/skills/bundle-loader.js +284 -0
package/dist/skills/bundle-loader.js.map +1 -0
package/dist/skills/capability-mismatch.d.ts +21 -0
package/dist/skills/capability-mismatch.d.ts.map +1 -0
package/dist/skills/capability-mismatch.js +188 -0
package/dist/skills/capability-mismatch.js.map +1 -0
package/dist/skills/index.d.ts +10 -0
package/dist/skills/index.d.ts.map +1 -0
package/dist/skills/index.js +9 -0
package/dist/skills/index.js.map +1 -0
package/dist/skills/skill-analyzer.d.ts +16 -0
package/dist/skills/skill-analyzer.d.ts.map +1 -0
package/dist/skills/skill-analyzer.js +361 -0
package/dist/skills/skill-analyzer.js.map +1 -0
package/dist/skills/types.d.ts +195 -0
package/dist/skills/types.d.ts.map +1 -0
package/dist/skills/types.js +7 -0
package/dist/skills/types.js.map +1 -0
package/dist/specifica/conflict-resolver.d.ts +23 -0
package/dist/specifica/conflict-resolver.d.ts.map +1 -0
package/dist/specifica/conflict-resolver.js +129 -0
package/dist/specifica/conflict-resolver.js.map +1 -0
package/dist/specifica/evidence-aggregator.d.ts +33 -0
package/dist/specifica/evidence-aggregator.d.ts.map +1 -0
package/dist/specifica/evidence-aggregator.js +236 -0
package/dist/specifica/evidence-aggregator.js.map +1 -0
package/dist/specifica/evidence-extractor.d.ts +13 -0
package/dist/specifica/evidence-extractor.d.ts.map +1 -0
package/dist/specifica/evidence-extractor.js +431 -0
package/dist/specifica/evidence-extractor.js.map +1 -0
package/dist/specifica/feature-clustering.d.ts +19 -0
package/dist/specifica/feature-clustering.d.ts.map +1 -0
package/dist/specifica/feature-clustering.js +231 -0
package/dist/specifica/feature-clustering.js.map +1 -0
package/dist/specifica/generator.d.ts +16 -0
package/dist/specifica/generator.d.ts.map +1 -0
package/dist/specifica/generator.js +277 -0
package/dist/specifica/generator.js.map +1 -0
package/dist/specifica/index.d.ts +15 -0
package/dist/specifica/index.d.ts.map +1 -0
package/dist/specifica/index.js +18 -0
package/dist/specifica/index.js.map +1 -0
package/dist/specifica/prompts.d.ts +21 -0
package/dist/specifica/prompts.d.ts.map +1 -0
package/dist/specifica/prompts.js +196 -0
package/dist/specifica/prompts.js.map +1 -0
package/dist/specifica/spec-generator.d.ts +22 -0
package/dist/specifica/spec-generator.d.ts.map +1 -0
package/dist/specifica/spec-generator.js +229 -0
package/dist/specifica/spec-generator.js.map +1 -0
package/dist/specifica/types.d.ts +213 -0
package/dist/specifica/types.d.ts.map +1 -0
package/dist/specifica/types.js +7 -0
package/dist/specifica/types.js.map +1 -0
package/dist/utils/logger.d.ts +17 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +51 -0
package/dist/utils/logger.js.map +1 -0
package/package.json +99 -0

package/dist/analysis/enriched.js ADDED Viewed

@@ -0,0 +1,297 @@
+/**
+ * Enriched section builder
+ *
+ * Provides structure for LLM-enhanced metadata:
+ * - Function roles (controller, service, repository)
+ * - Risk levels
+ * - Trust boundaries
+ * - Additional sources/sinks discovered by analysis
+ */
+/**
+ * Build the enriched section with heuristic-based analysis.
+ * This provides a baseline that LLM can enhance.
+ */
+export function buildEnriched(types, calls, existingSources, existingSinks) {
+    const functions = analyzeMethodRoles(types);
+    const additionalSources = findAdditionalSources(calls, existingSources);
+    const additionalSinks = findAdditionalSinks(calls, existingSinks);
+    const resolvedCalls = suggestCallResolutions(calls);
+    return {
+        functions: functions.length > 0 ? functions : undefined,
+        additional_sources: additionalSources.length > 0 ? additionalSources : undefined,
+        additional_sinks: additionalSinks.length > 0 ? additionalSinks : undefined,
+        resolved_calls: resolvedCalls.length > 0 ? resolvedCalls : undefined,
+    };
+}
+/**
+ * Analyze method roles based on naming conventions and annotations.
+ */
+function analyzeMethodRoles(types) {
+    const functions = [];
+    for (const type of types) {
+        const classRole = inferClassRole(type);
+        for (const method of type.methods) {
+            const role = inferMethodRole(method.name, type, classRole);
+            const risk = assessMethodRisk(method, type);
+            const trustBoundary = determineTrustBoundary(method, type);
+            // Only include if we have meaningful analysis
+            if (role !== 'utility' || risk !== 'low' || trustBoundary !== 'internal') {
+                functions.push({
+                    method_name: `${type.name}.${method.name}`,
+                    role,
+                    risk,
+                    trust_boundary: trustBoundary,
+                    summary: generateMethodSummary(method.name, role, type.name),
+                });
+            }
+        }
+    }
+    return functions;
+}
+/**
+ * Infer the role of a class based on naming and annotations.
+ */
+function inferClassRole(type) {
+    const name = type.name.toLowerCase();
+    const annotations = type.annotations.map(a => a.toLowerCase());
+    // Check annotations first
+    if (annotations.some(a => a.includes('controller') || a.includes('restcontroller'))) {
+        return 'controller';
+    }
+    if (annotations.some(a => a.includes('service'))) {
+        return 'service';
+    }
+    if (annotations.some(a => a.includes('repository'))) {
+        return 'repository';
+    }
+    // Check naming conventions
+    if (name.includes('controller') || name.includes('resource') || name.includes('endpoint')) {
+        return 'controller';
+    }
+    if (name.includes('service') || name.includes('manager') || name.includes('handler')) {
+        return 'service';
+    }
+    if (name.includes('repository') || name.includes('dao') || name.includes('store')) {
+        return 'repository';
+    }
+    return 'utility';
+}
+/**
+ * Infer method role based on naming and context.
+ */
+function inferMethodRole(methodName, type, classRole) {
+    const name = methodName.toLowerCase();
+    // HTTP handler methods in controllers
+    if (classRole === 'controller') {
+        const httpMethods = ['get', 'post', 'put', 'delete', 'patch', 'handle', 'do'];
+        if (httpMethods.some(m => name.startsWith(m))) {
+            return 'controller';
+        }
+    }
+    // Data access methods
+    if (classRole === 'repository' || name.startsWith('find') || name.startsWith('save') ||
+        name.startsWith('delete') || name.startsWith('update') || name.startsWith('query')) {
+        return 'repository';
+    }
+    // Business logic methods
+    if (classRole === 'service' || name.includes('process') || name.includes('validate') ||
+        name.includes('calculate') || name.includes('compute')) {
+        return 'service';
+    }
+    return classRole;
+}
+/**
+ * Assess risk level of a method.
+ */
+function assessMethodRisk(method, type) {
+    const methodName = method.name.toLowerCase();
+    const annotations = [...method.annotations, ...type.annotations].map(a => a.toLowerCase());
+    // High risk: authentication, authorization, crypto
+    const highRiskPatterns = [
+        'auth', 'login', 'password', 'credential', 'token',
+        'encrypt', 'decrypt', 'hash', 'sign', 'verify',
+        'admin', 'privilege', 'permission', 'role',
+    ];
+    if (highRiskPatterns.some(p => methodName.includes(p))) {
+        return 'high';
+    }
+    // High risk: SQL/command execution
+    const dangerousPatterns = ['execute', 'query', 'eval', 'exec', 'run'];
+    if (dangerousPatterns.some(p => methodName.includes(p))) {
+        return 'high';
+    }
+    // Medium risk: data processing with user input
+    if (annotations.some(a => a.includes('requestparam') || a.includes('requestbody') ||
+        a.includes('pathvariable'))) {
+        return 'medium';
+    }
+    // Medium risk: file operations
+    const filePatterns = ['file', 'read', 'write', 'upload', 'download', 'stream'];
+    if (filePatterns.some(p => methodName.includes(p))) {
+        return 'medium';
+    }
+    return 'low';
+}
+/**
+ * Determine trust boundary for a method.
+ */
+function determineTrustBoundary(method, type) {
+    const annotations = [...method.annotations, ...type.annotations];
+    // Entry points: HTTP endpoints
+    const entryPointAnnotations = [
+        'GetMapping', 'PostMapping', 'PutMapping', 'DeleteMapping', 'PatchMapping',
+        'RequestMapping', 'GET', 'POST', 'PUT', 'DELETE',
+        'Path', 'Consumes', 'Produces',
+    ];
+    if (entryPointAnnotations.some(a => annotations.some(ann => ann.includes(a)))) {
+        return 'entry_point';
+    }
+    // External: calls to external services
+    const externalPatterns = ['client', 'remote', 'external', 'api', 'http', 'rest'];
+    if (externalPatterns.some(p => method.name.toLowerCase().includes(p))) {
+        return 'external';
+    }
+    // Check if class is a controller (all public methods are entry points)
+    if (type.annotations.some(a => a.includes('Controller') || a.includes('RestController'))) {
+        if (method.modifiers.includes('public')) {
+            return 'entry_point';
+        }
+    }
+    return 'internal';
+}
+/**
+ * Generate a summary for a method.
+ */
+function generateMethodSummary(methodName, role, className) {
+    const summaries = {
+        controller: `HTTP endpoint handler in ${className}`,
+        service: `Business logic method in ${className}`,
+        repository: `Data access method in ${className}`,
+        utility: `Utility method in ${className}`,
+    };
+    return summaries[role] || `Method ${methodName} in ${className}`;
+}
+/**
+ * Find additional sources that heuristics might have missed.
+ */
+function findAdditionalSources(calls, existingSources) {
+    const additional = [];
+    const existingLines = new Set(existingSources.map(s => s.line));
+    // Patterns that might indicate sources
+    const sourcePatterns = [
+        { pattern: /read/i, type: 'io_input' },
+        { pattern: /input/i, type: 'io_input' },
+        { pattern: /parse/i, type: 'io_input' },
+        { pattern: /deserialize/i, type: 'io_input' },
+        { pattern: /decode/i, type: 'io_input' },
+        { pattern: /fetch/i, type: 'network_input' },
+        { pattern: /download/i, type: 'network_input' },
+        { pattern: /receive/i, type: 'network_input' },
+    ];
+    for (const call of calls) {
+        // Skip if already identified
+        if (existingLines.has(call.location.line))
+            continue;
+        for (const { pattern, type } of sourcePatterns) {
+            if (pattern.test(call.method_name)) {
+                additional.push({
+                    type,
+                    location: `${call.receiver ? call.receiver + '.' : ''}${call.method_name}() in ${call.in_method || 'unknown'}`,
+                    severity: 'medium',
+                    line: call.location.line,
+                    confidence: 0.6, // Lower confidence for heuristic matches
+                });
+                break;
+            }
+        }
+    }
+    return additional;
+}
+/**
+ * Find additional sinks that heuristics might have missed.
+ */
+function findAdditionalSinks(calls, existingSinks) {
+    const additional = [];
+    const existingLines = new Set(existingSinks.map(s => s.line));
+    // Patterns that might indicate sinks
+    const sinkPatterns = [
+        { pattern: /write/i, type: 'xss', cwe: 'CWE-79' },
+        { pattern: /print/i, type: 'xss', cwe: 'CWE-79' },
+        { pattern: /render/i, type: 'xss', cwe: 'CWE-79' },
+        { pattern: /redirect/i, type: 'ssrf', cwe: 'CWE-918' },
+        { pattern: /forward/i, type: 'ssrf', cwe: 'CWE-918' },
+        { pattern: /send/i, type: 'ssrf', cwe: 'CWE-918' },
+        { pattern: /log/i, type: 'xss', cwe: 'CWE-117' }, // Log injection
+    ];
+    for (const call of calls) {
+        // Skip if already identified
+        if (existingLines.has(call.location.line))
+            continue;
+        // Only consider calls with arguments (potential data flow)
+        if (call.arguments.length === 0)
+            continue;
+        for (const { pattern, type, cwe } of sinkPatterns) {
+            if (pattern.test(call.method_name)) {
+                additional.push({
+                    type,
+                    cwe,
+                    location: `${call.receiver ? call.receiver + '.' : ''}${call.method_name}() in ${call.in_method || 'unknown'}`,
+                    line: call.location.line,
+                    confidence: 0.5, // Lower confidence for heuristic matches
+                });
+                break;
+            }
+        }
+    }
+    return additional;
+}
+/**
+ * Suggest resolutions for unresolved calls based on heuristics.
+ */
+function suggestCallResolutions(calls) {
+    const resolved = [];
+    for (let i = 0; i < calls.length; i++) {
+        const call = calls[i];
+        // Skip already resolved calls
+        if (call.resolved)
+            continue;
+        // Try to resolve based on common patterns
+        const suggestion = suggestResolution(call);
+        if (suggestion) {
+            resolved.push({
+                call_id: i,
+                resolved_to: suggestion.target,
+                confidence: suggestion.confidence,
+                reason: suggestion.reason,
+            });
+        }
+    }
+    return resolved;
+}
+/**
+ * Suggest a resolution for an unresolved call.
+ */
+function suggestResolution(call) {
+    // Common Spring/Java patterns
+    const commonResolutions = {
+        save: { suffix: 'Impl', confidence: 0.7, reason: 'Common repository pattern' },
+        find: { suffix: 'Impl', confidence: 0.7, reason: 'Common repository pattern' },
+        delete: { suffix: 'Impl', confidence: 0.7, reason: 'Common repository pattern' },
+        update: { suffix: 'Impl', confidence: 0.7, reason: 'Common repository pattern' },
+        process: { suffix: 'Impl', confidence: 0.6, reason: 'Common service pattern' },
+        handle: { suffix: 'Impl', confidence: 0.6, reason: 'Common handler pattern' },
+        execute: { suffix: 'Impl', confidence: 0.6, reason: 'Common command pattern' },
+    };
+    const methodLower = call.method_name.toLowerCase();
+    for (const [pattern, resolution] of Object.entries(commonResolutions)) {
+        if (methodLower.startsWith(pattern) && call.receiver) {
+            return {
+                target: `${call.receiver}${resolution.suffix}.${call.method_name}`,
+                confidence: resolution.confidence,
+                reason: resolution.reason,
+            };
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=enriched.js.map

package/dist/analysis/enriched.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enriched.js","sourceRoot":"","sources":["../../src/analysis/enriched.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAiB,EACjB,KAAiB,EACjB,eAA8B,EAC9B,aAA0B;IAE1B,MAAM,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxE,MAAM,eAAe,GAAG,mBAAmB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAEpD,OAAO;QACL,SAAS,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACvD,kBAAkB,EAAE,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;QAChF,gBAAgB,EAAE,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;QAC1E,cAAc,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;KACrE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAAiB;IAC3C,MAAM,SAAS,GAAuB,EAAE,CAAC;IAEzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;YAC3D,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAC5C,MAAM,aAAa,GAAG,sBAAsB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAE3D,8CAA8C;YAC9C,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,KAAK,IAAI,aAAa,KAAK,UAAU,EAAE,CAAC;gBACzE,SAAS,CAAC,IAAI,CAAC;oBACb,WAAW,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE;oBAC1C,IAAI;oBACJ,IAAI;oBACJ,cAAc,EAAE,aAAa;oBAC7B,OAAO,EAAE,qBAAqB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC;iBAC7D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAc;IACpC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAE/D,0BAA0B;IAC1B,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;QACpF,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;QACpD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,2BAA2B;IAC3B,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1F,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACrF,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAClF,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,UAAkB,EAClB,IAAc,EACd,SAAiB;IAEjB,MAAM,IAAI,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAEtC,sCAAsC;IACtC,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9E,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,SAAS,KAAK,YAAY,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAChF,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACvF,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,yBAAyB;IACzB,IAAI,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAChF,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,SAAgE,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,MAA8B,EAC9B,IAAc;IAEd,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAE3F,mDAAmD;IACnD,MAAM,gBAAgB,GAAG;QACvB,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO;QAClD,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ;QAC9C,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM;KAC3C,CAAC;IACF,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mCAAmC;IACnC,MAAM,iBAAiB,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACtE,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,+CAA+C;IAC/C,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7E,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;QAChC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,+BAA+B;IAC/B,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC/E,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,MAA8B,EAC9B,IAAc;IAEd,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;IAEjE,+BAA+B;IAC/B,MAAM,qBAAqB,GAAG;QAC5B,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,eAAe,EAAE,cAAc;QAC1E,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ;QAChD,MAAM,EAAE,UAAU,EAAE,UAAU;KAC/B,CAAC;IAEF,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,uCAAuC;IACvC,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACjF,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,uEAAuE;IACvE,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC;QACzF,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,aAAa,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,UAAkB,EAAE,IAAY,EAAE,SAAiB;IAChF,MAAM,SAAS,GAA2B;QACxC,UAAU,EAAE,4BAA4B,SAAS,EAAE;QACnD,OAAO,EAAE,4BAA4B,SAAS,EAAE;QAChD,UAAU,EAAE,yBAAyB,SAAS,EAAE;QAChD,OAAO,EAAE,qBAAqB,SAAS,EAAE;KAC1C,CAAC;IAEF,OAAO,SAAS,CAAC,IAAI,CAAC,IAAI,UAAU,UAAU,OAAO,SAAS,EAAE,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,KAAiB,EAAE,eAA8B;IAC9E,MAAM,UAAU,GAAkB,EAAE,CAAC;IACrC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEhE,uCAAuC;IACvC,MAAM,cAAc,GAAG;QACrB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAmB,EAAE;QAC/C,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAmB,EAAE;QAChD,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAmB,EAAE;QAChD,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,UAAmB,EAAE;QACtD,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAmB,EAAE;QACjD,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,eAAwB,EAAE;QACrD,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,eAAwB,EAAE;QACxD,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,eAAwB,EAAE;KACxD,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,6BAA6B;QAC7B,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpD,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,cAAc,EAAE,CAAC;YAC/C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI;oBACJ,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,WAAW,SAAS,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE;oBAC9G,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;oBACxB,UAAU,EAAE,GAAG,EAAE,yCAAyC;iBAC3D,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,KAAiB,EAAE,aAA0B;IACxE,MAAM,UAAU,GAAgB,EAAE,CAAC;IACnC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,qCAAqC;IACrC,MAAM,YAAY,GAAG;QACnB,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAc,EAAE,GAAG,EAAE,QAAQ,EAAE;QAC1D,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAc,EAAE,GAAG,EAAE,QAAQ,EAAE;QAC1D,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,KAAc,EAAE,GAAG,EAAE,QAAQ,EAAE;QAC3D,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,MAAe,EAAE,GAAG,EAAE,SAAS,EAAE;QAC/D,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAe,EAAE,GAAG,EAAE,SAAS,EAAE;QAC9D,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAe,EAAE,GAAG,EAAE,SAAS,EAAE;QAC3D,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAc,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,gBAAgB;KAC5E,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,6BAA6B;QAC7B,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpD,2DAA2D;QAC3D,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAE1C,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,YAAY,EAAE,CAAC;YAClD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACnC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI;oBACJ,GAAG;oBACH,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,WAAW,SAAS,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE;oBAC9G,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;oBACxB,UAAU,EAAE,GAAG,EAAE,yCAAyC;iBAC3D,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,KAAiB;IAC/C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,8BAA8B;QAC9B,IAAI,IAAI,CAAC,QAAQ;YAAE,SAAS;QAE5B,0CAA0C;QAC1C,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,UAAU,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,UAAU,CAAC,MAAM;gBAC9B,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAc;IACvC,8BAA8B;IAC9B,MAAM,iBAAiB,GAA2E;QAChG,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,2BAA2B,EAAE;QAC9E,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,2BAA2B,EAAE;QAC9E,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,2BAA2B,EAAE;QAChF,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,2BAA2B,EAAE;QAChF,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,wBAAwB,EAAE;QAC9E,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,wBAAwB,EAAE;QAC7E,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,EAAE,wBAAwB,EAAE;KAC/E,CAAC;IAEF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACtE,IAAI,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACrD,OAAO;gBACL,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE;gBAClE,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/analysis/llm-correlated-predicates.d.ts ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * LLM-based Correlated Predicate Analysis
+ *
+ * Detects when predicates (conditions) are correlated, meaning:
+ * - They use the same variable
+ * - One implies the other
+ * - They are logically opposite
+ *
+ * Example:
+ *   if (choice) { name = getParameter(); }  // taint source
+ *   if (choice) { println(name); }          // taint sink
+ *
+ * Since both conditions use the same 'choice' variable,
+ * if choice=true, BOTH branches execute (vulnerable)
+ * if choice=false, NEITHER branch executes (safe)
+ *
+ * A naive analyzer might think name could be tainted when reaching the sink,
+ * but correlated predicate analysis reveals the true dataflow.
+ */
+import type { CFG } from 'circle-ir';
+import { type AxLLMClient } from '../llm/ax-client.js';
+/**
+ * Predicate location with its condition
+ */
+export interface PredicateLocation {
+    line: number;
+    condition: string;
+    blockId: number;
+    trueTargets: number[];
+    falseTargets: number[];
+}
+/**
+ * Correlation type between predicates
+ */
+export type CorrelationType = 'same_variable' | 'opposite' | 'implies' | 'mutual_exclusive' | 'independent' | 'unknown';
+/**
+ * Correlated predicate group
+ */
+export interface CorrelatedGroup {
+    predicates: PredicateLocation[];
+    correlation: CorrelationType;
+    confidence: number;
+    reasoning: string;
+    bothTrueReachable: boolean;
+    bothFalseReachable: boolean;
+    mixedReachable: boolean;
+}
+/**
+ * Result of correlated predicate analysis
+ */
+export interface CorrelatedPredicateResult {
+    predicates: PredicateLocation[];
+    groups: CorrelatedGroup[];
+    unreachableLines: Set<number>;
+    unreachablePairs: Array<{
+        sourceLine: number;
+        sinkLine: number;
+        reason: string;
+    }>;
+}
+/**
+ * Extract predicates from CFG
+ */
+export declare function extractPredicates(cfg: CFG, code: string): PredicateLocation[];
+/**
+ * Find obviously correlated predicates using simple pattern matching
+ */
+export declare function findSimpleCorrelations(predicates: PredicateLocation[]): CorrelatedGroup[];
+/**
+ * Analyze correlated predicates using LLM
+ */
+export declare function analyzeCorrelatedPredicates(code: string, predicates: PredicateLocation[], llmClient?: AxLLMClient): Promise<CorrelatedPredicateResult>;
+/**
+ * Check if a source-sink pair is unreachable due to correlated predicates
+ */
+export declare function isPairUnreachableDueToCorrelation(sourceLine: number, sinkLine: number, analysisResult: CorrelatedPredicateResult): {
+    unreachable: boolean;
+    reason?: string;
+};
+//# sourceMappingURL=llm-correlated-predicates.d.ts.map

package/dist/analysis/llm-correlated-predicates.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"llm-correlated-predicates.d.ts","sourceRoot":"","sources":["../../src/analysis/llm-correlated-predicates.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAY,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,MAAM,eAAe,GACvB,eAAe,GACf,UAAU,GACV,SAAS,GACT,kBAAkB,GAClB,aAAa,GACb,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,WAAW,EAAE,eAAe,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAElB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,MAAM,EAAE,eAAe,EAAE,CAAC;IAE1B,gBAAgB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAE9B,gBAAgB,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAwC7E;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,iBAAiB,EAAE,GAAG,eAAe,EAAE,CA2DzF;AAiBD;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,iBAAiB,EAAE,EAC/B,SAAS,CAAC,EAAE,WAAW,GACtB,OAAO,CAAC,yBAAyB,CAAC,CAsGpC;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,yBAAyB,GACxC;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAkC3C"}

package/dist/analysis/llm-correlated-predicates.js ADDED Viewed

@@ -0,0 +1,255 @@
+/**
+ * LLM-based Correlated Predicate Analysis
+ *
+ * Detects when predicates (conditions) are correlated, meaning:
+ * - They use the same variable
+ * - One implies the other
+ * - They are logically opposite
+ *
+ * Example:
+ *   if (choice) { name = getParameter(); }  // taint source
+ *   if (choice) { println(name); }          // taint sink
+ *
+ * Since both conditions use the same 'choice' variable,
+ * if choice=true, BOTH branches execute (vulnerable)
+ * if choice=false, NEITHER branch executes (safe)
+ *
+ * A naive analyzer might think name could be tainted when reaching the sink,
+ * but correlated predicate analysis reveals the true dataflow.
+ */
+import { getAxLLMClient } from '../llm/ax-client.js';
+/**
+ * Extract predicates from CFG
+ */
+export function extractPredicates(cfg, code) {
+    const predicates = [];
+    const lines = code.split('\n');
+    for (const block of cfg.blocks) {
+        if (block.type === 'conditional') {
+            // Find the condition in the code
+            const startLine = block.start_line;
+            const endLine = block.end_line || startLine;
+            // Extract condition text
+            let condition = '';
+            for (let i = startLine - 1; i < endLine && i < lines.length; i++) {
+                const line = lines[i];
+                // Look for if/while/for conditions
+                const match = line.match(/(?:if|while|for)\s*\(([^)]+)\)/);
+                if (match) {
+                    condition = match[1].trim();
+                    break;
+                }
+            }
+            if (condition) {
+                // Find edges from this block
+                const edges = cfg.edges.filter(e => e.from === block.id);
+                const trueTargets = edges.filter(e => e.type === 'true').map(e => e.to);
+                const falseTargets = edges.filter(e => e.type === 'false').map(e => e.to);
+                predicates.push({
+                    line: startLine,
+                    condition,
+                    blockId: block.id,
+                    trueTargets,
+                    falseTargets,
+                });
+            }
+        }
+    }
+    return predicates;
+}
+/**
+ * Find obviously correlated predicates using simple pattern matching
+ */
+export function findSimpleCorrelations(predicates) {
+    const groups = [];
+    for (let i = 0; i < predicates.length; i++) {
+        for (let j = i + 1; j < predicates.length; j++) {
+            const p1 = predicates[i];
+            const p2 = predicates[j];
+            // Check for same condition
+            if (p1.condition === p2.condition) {
+                groups.push({
+                    predicates: [p1, p2],
+                    correlation: 'same_variable',
+                    confidence: 1.0,
+                    reasoning: `Both conditions are identical: "${p1.condition}"`,
+                    bothTrueReachable: true,
+                    bothFalseReachable: true,
+                    mixedReachable: false,
+                });
+                continue;
+            }
+            // Check for negation
+            if (p1.condition === `!${p2.condition}` ||
+                `!${p1.condition}` === p2.condition ||
+                p1.condition === `!(${p2.condition})` ||
+                `!(${p1.condition})` === p2.condition) {
+                groups.push({
+                    predicates: [p1, p2],
+                    correlation: 'opposite',
+                    confidence: 1.0,
+                    reasoning: `Conditions are negations: "${p1.condition}" vs "${p2.condition}"`,
+                    bothTrueReachable: false,
+                    bothFalseReachable: false,
+                    mixedReachable: true,
+                });
+                continue;
+            }
+            // Check for same variable in condition (basic check)
+            const vars1 = extractVariables(p1.condition);
+            const vars2 = extractVariables(p2.condition);
+            const commonVars = vars1.filter(v => vars2.includes(v));
+            if (commonVars.length > 0) {
+                groups.push({
+                    predicates: [p1, p2],
+                    correlation: 'same_variable',
+                    confidence: 0.7,
+                    reasoning: `Both conditions use variable(s): ${commonVars.join(', ')}`,
+                    bothTrueReachable: true, // Conservative: assume both can be true
+                    bothFalseReachable: true,
+                    mixedReachable: true,
+                });
+            }
+        }
+    }
+    return groups;
+}
+/**
+ * Extract variable names from a condition string
+ */
+function extractVariables(condition) {
+    // Remove string literals
+    const withoutStrings = condition.replace(/"[^"]*"/g, '').replace(/'[^']*'/g, '');
+    // Remove numbers
+    const withoutNumbers = withoutStrings.replace(/\b\d+\b/g, '');
+    // Extract identifiers
+    const matches = withoutNumbers.match(/\b[a-zA-Z_][a-zA-Z0-9_]*\b/g) || [];
+    // Filter out keywords
+    const keywords = new Set(['if', 'else', 'while', 'for', 'true', 'false', 'null', 'new', 'instanceof', 'return']);
+    return matches.filter(m => !keywords.has(m));
+}
+/**
+ * Analyze correlated predicates using LLM
+ */
+export async function analyzeCorrelatedPredicates(code, predicates, llmClient) {
+    // First, find simple correlations
+    const simpleGroups = findSimpleCorrelations(predicates);
+    // If we have predicates that might need deeper analysis
+    const needsLLMAnalysis = predicates.length > 1 &&
+        simpleGroups.length < (predicates.length * (predicates.length - 1)) / 2;
+    let llmGroups = [];
+    if (needsLLMAnalysis) {
+        try {
+            const client = llmClient || getAxLLMClient();
+            const result = await client.analyzeCorrelatedPredicates({
+                code,
+                predicateLocations: predicates.map(p => ({
+                    line: p.line,
+                    condition: p.condition,
+                })),
+            });
+            // Convert LLM results to our format
+            for (const group of result.correlatedGroups) {
+                const predIndices = group.predicates || [];
+                const groupPredicates = predIndices
+                    .map(idx => predicates[idx])
+                    .filter(p => p !== undefined);
+                if (groupPredicates.length >= 2) {
+                    const correlation = group.correlation || 'independent';
+                    llmGroups.push({
+                        predicates: groupPredicates,
+                        correlation,
+                        confidence: typeof group.confidence === 'number' ? group.confidence : 0.5,
+                        reasoning: result.reasoning || '',
+                        bothTrueReachable: correlation !== 'opposite' && correlation !== 'mutual_exclusive',
+                        bothFalseReachable: correlation !== 'opposite' && correlation !== 'mutual_exclusive',
+                        mixedReachable: correlation === 'opposite' || correlation === 'independent',
+                    });
+                }
+            }
+        }
+        catch (error) {
+            // Fall back to simple analysis only
+            console.warn('LLM correlated predicate analysis failed, using simple analysis');
+        }
+    }
+    // Merge simple and LLM groups (prefer LLM if available)
+    const allGroups = [...simpleGroups];
+    for (const llmGroup of llmGroups) {
+        // Check if this group already exists in simple groups
+        const exists = allGroups.some(g => g.predicates.length === llmGroup.predicates.length &&
+            g.predicates.every(p => llmGroup.predicates.some(lp => lp.line === p.line)));
+        if (!exists) {
+            allGroups.push(llmGroup);
+        }
+        else {
+            // Update existing group with LLM analysis
+            const existing = allGroups.find(g => g.predicates.length === llmGroup.predicates.length &&
+                g.predicates.every(p => llmGroup.predicates.some(lp => lp.line === p.line)));
+            if (existing && llmGroup.confidence > existing.confidence) {
+                Object.assign(existing, llmGroup);
+            }
+        }
+    }
+    // Determine unreachable lines and pairs
+    const unreachableLines = new Set();
+    const unreachablePairs = [];
+    for (const group of allGroups) {
+        if (group.correlation === 'opposite' && group.confidence > 0.8) {
+            // If predicates are opposite, code in one true branch can't reach code in other true branch
+            const [p1, p2] = group.predicates;
+            // Add unreachable pair
+            unreachablePairs.push({
+                sourceLine: p1.line,
+                sinkLine: p2.line,
+                reason: `Predicates at lines ${p1.line} and ${p2.line} are opposite: ${p1.condition} vs ${p2.condition}`,
+            });
+        }
+        if (group.correlation === 'mutual_exclusive' && group.confidence > 0.8) {
+            const [p1, p2] = group.predicates;
+            unreachablePairs.push({
+                sourceLine: p1.line,
+                sinkLine: p2.line,
+                reason: `Predicates at lines ${p1.line} and ${p2.line} are mutually exclusive`,
+            });
+        }
+    }
+    return {
+        predicates,
+        groups: allGroups,
+        unreachableLines,
+        unreachablePairs,
+    };
+}
+/**
+ * Check if a source-sink pair is unreachable due to correlated predicates
+ */
+export function isPairUnreachableDueToCorrelation(sourceLine, sinkLine, analysisResult) {
+    // Check direct unreachable pairs
+    const pair = analysisResult.unreachablePairs.find(p => (p.sourceLine <= sourceLine && p.sinkLine >= sinkLine) ||
+        (p.sourceLine <= sinkLine && p.sinkLine >= sourceLine));
+    if (pair) {
+        return { unreachable: true, reason: pair.reason };
+    }
+    // Check if source and sink are in mutually exclusive branches
+    for (const group of analysisResult.groups) {
+        if (group.correlation !== 'same_variable' && group.correlation !== 'implies') {
+            continue;
+        }
+        // Find predicates that guard source and sink
+        // (This is a simplified check - full implementation would need CFG traversal)
+        const [p1, p2] = group.predicates;
+        // If both predicates guard both source and sink with same condition,
+        // they are reachable together (either both execute or neither)
+        if (p1.line < sourceLine && p2.line < sinkLine) {
+            // Source is after p1, sink is after p2
+            // If same_variable correlation, they execute together
+            if (group.correlation === 'same_variable' && group.confidence > 0.9) {
+                // This is actually reachable together!
+                return { unreachable: false };
+            }
+        }
+    }
+    return { unreachable: false };
+}
+//# sourceMappingURL=llm-correlated-predicates.js.map