circle-ir-ai 2.14.1 → 2.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/CHANGELOG.md +51 -0
  2. package/package.json +2 -2
package/CHANGELOG.md CHANGED
@@ -5,6 +5,57 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [2.15.0] - 2026-06-22
9
+
10
+ ### Dependencies
11
+
12
+ - Bump `circle-ir` `3.88.1` → `3.89.1` (skips 3.89.0 publish; 3.89.1
13
+ is the first published `3.89.x` on the registry).
14
+
15
+ ### What 3.89.x brings (inherited, no source-side changes)
16
+
17
+ 1. **Cross-file pre-index perf (circle-ir@3.89.0, cognium-dev#141)** —
18
+ `findCrossFileTaintFlows`, `findInterproceduralTaintPaths`, and
19
+ `findFieldBindingTaintPaths` now use an O(1) per-IR `FileIndex`
20
+ (6 lookup maps, WeakMap-memoised on the resolver) in place of 11
21
+ `Array.filter` scans. **sa-token-core: 35+ CPU-min hang → 27ms
22
+ wall.** Byte-equivalent semantics for produced taint paths.
23
+ 2. **Cross-file budget breaker (circle-ir@3.89.0)** — new opt-in
24
+ `AnalyzerOptions.crossFileBudgetMs` (default `300_000`, `0`
25
+ disables) enforced between cross-file phases. On exceed: remaining
26
+ sub-phases skipped, partial `taintPaths` preserved, warning logged,
27
+ `ProjectAnalysis.cross_file_budget_exceeded === true` surfaced. The
28
+ engine wraps `analyze()` without exposing the option in
29
+ circle-ir-ai's public surface; downstream wrappers (cognium-ai
30
+ CLI, circle-pack REST/MCP) opt in via the `AnalyzerOptions` they
31
+ already pass.
32
+ 3. **Phase markers (circle-ir@3.89.0)** — each of the 4 cross-file
33
+ phases now emits DI-logger `info`/`debug` markers with
34
+ `paths`/`flows` + `elapsedMs` counts. Useful for triaging
35
+ per-phase regressions; routed to whatever logger the host
36
+ installs via `setLogger()`.
37
+ 4. **Finding schema (circle-ir@3.87.0, cognium-dev#134)** — `Finding`
38
+ now carries optional `source.type`/`sink.type` plus required
39
+ `line` (already absorbed in 2.14.1's type-break fix). Restated
40
+ here for clarity; no additional engine change.
41
+ 5. **Logger routing (circle-ir@3.89.1)** — `info` now routes to
42
+ stderr by default with silent default; consumers see no change
43
+ unless they previously parsed stdout for `info` lines.
44
+
45
+ ### Verification
46
+
47
+ - `npm install --prefer-online` — clean resolution; `npm ls
48
+ circle-ir` shows `3.89.1`.
49
+ - `npm run build` — clean.
50
+ - `npm test` — **898 / 898 pass** (3 skipped).
51
+
52
+ ### Why minor (`2.14.1 → 2.15.0`)
53
+
54
+ Engine surface gains a new opt-in option (`crossFileBudgetMs`) and a
55
+ new output field (`ProjectAnalysis.cross_file_budget_exceeded`). Both
56
+ are additive; no consumer breaks. Bumping minor to signal the
57
+ observable surface delta.
58
+
8
59
  ## [2.14.1] - 2026-06-22
9
60
 
10
61
  Dep bump: `circle-ir` 3.86.0 → 3.88.1. Picks up the type-axis dedup
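Review bot: item 2 under "What 3.89.x brings" calls `AnalyzerOptions.crossFileBudgetMs` "opt-in" but gives it a default of `300_000` with `0` to disable, which reads as on by default; the "Why minor" paragraph repeats "opt-in" and concludes "no consumer breaks". If the 300-second budget applies when a caller passes nothing, a project whose cross-file phases used to run longer now gets partial `taintPaths`, and for a SAST engine that is a possible missed finding rather than a purely additive change. Please state which behaviour applies, and add a line telling consumers to check `ProjectAnalysis.cross_file_budget_exceeded` and treat `true` as an incomplete scan, since the only other signal named here is a logged warning. Item 5's "routes to stderr by default with silent default" should be reworded as well: it does not say whether `info` lines are emitted at all when the host has not called `setLogger()`.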
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir-ai",
3
- "version": "2.14.1",
3
+ "version": "2.15.0",
4
4
  "description": "LLM-enhanced SAST analysis built on circle-ir",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",
@@ -95,7 +95,7 @@
95
95
  "dependencies": {
96
96
  "@ax-llm/ax": "^20.0.0",
97
97
  "@mastra/core": "^1.18.0",
98
- "circle-ir": "3.88.1",
98
+ "circle-ir": "3.89.1",
99
99
  "minimatch": "^10.2.5",
100
100
  "p-queue": "^9.1.0"
101
101
  },
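Review bot: the `circle-ir` entry at line 98 stays an exact pin (`3.89.1`) while `@ax-llm/ax`, `@mastra/core`, `minimatch` and `p-queue` in the same block use caret ranges, and nothing in the visible lines records why. An exact pin suits the analysis engine, because behaviour changes such as the budget default and logger routing described in the changelog then arrive only through a deliberate bump. Suggest stating the exact-pin policy in the changelog or README so a later edit does not loosen it to `^3.89.1`.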