circle-ir-ai 2.7.1 → 2.7.2

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.7.2] - 2026-05-08
+
+### Changed
+
+- **circle-ir dep upgraded `^3.20.0` → `^3.21.0`.** Brings positional-
+  argument taint sources for Bash (`$1`–`$9`, `$@`, `$*`, `${1}`,
+  etc.) — closes the highest-priority residual from #33. Verified
+  end-to-end: `eval "echo $1"` and `cat "/etc/app/$2"` now produce
+  CWE-94 / CWE-22 findings on `--no-llm` runs, where 3.20.0 produced
+  zero.
+
+  The release also added detection logic for command substitution
+  (`VAR=$(curl ...)`) and untrusted env vars (`USER_INPUT`, `HTTP_*`,
+  `REQUEST_*`, etc.) but those sources don't yet reach `eval` /
+  code-injection sinks — likely a source-type ↔ sink-type mapping
+  in circle-ir's findings generator (`io_input`/`network_input`/
+  `env_input` not yet wired to `code_injection`). Refined ask
+  posted on #33.
+
+  No circle-ir-ai source changes — pure dep bump. 478 tests pass.
+
 ## [2.7.1] - 2026-05-07
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.7.1",
+  "version": "2.7.2",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -92,7 +92,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "^3.20.0",
+    "circle-ir": "^3.21.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },

package/dist/cli/args.d.ts

@@ -1,86 +0,0 @@
-/**
- * CLI Argument Parser
- */
-export type OutputFormat = 'json' | 'summary' | 'sarif' | 'markdown' | 'csv';
-export type Command = 'analyze' | 'benchmark' | 'scan' | 'health' | 'secrets' | 'dead-code' | 'generate-spec' | 'analyze-skill' | 'metrics' | 'trust' | 'compare' | 'quality' | 'understand' | 'spec-diff' | 'cluster';
-export type LogLevel = 'trace' | 'debug' | 'info' | 'warn' | 'error' | 'silent';
-export type BundleType = 'jr-dev' | 'sr-dev' | 'architect' | 'security-review' | 'full-review';
-export interface CliArgs {
-    command: Command;
-    file: string | null;
-    directory: string | null;
-    format: OutputFormat;
-    output: string | null;
-    config: string | null;
-    include: string[];
-    exclude: string[];
-    exitCode: boolean;
-    quiet: boolean;
-    help: boolean;
-    version: boolean;
-    logLevel: LogLevel | null;
-    discoverPatterns: boolean;
-    patternThreshold: number;
-    noLlm: boolean;
-    llmEnrich: boolean;
-    llmVerify: boolean;
-    llmBaseUrl: string | null;
-    llmApiKey: string | null;
-    llmModel: string | null;
-    language: string | null;
-    threads: number;
-    bundle: BundleType | null;
-    expectedResults: string | null;
-    limit: number | null;
-    categories: string[];
-    parallel: number | null;
-    cache: boolean;
-    cacheDir: string | null;
-    clearCache: boolean;
-    streamOutput: string | null;
-    memoryEfficient: boolean;
-    specModel: string | null;
-    specOverwrite: boolean;
-    specSkip: boolean;
-    specNoBackup: boolean;
-    specDesign: boolean;
-    specPrinciples: boolean;
-    specTasks: boolean;
-    specDesignLLM: boolean;
-    specPrinciplesLLM: boolean;
-    specTasksLLM: boolean;
-    specDir: string | null;
-    crossArtifact?: boolean;
-    verification?: boolean;
-    minConfidence?: number;
-    minSeverity?: 'critical' | 'high' | 'medium' | 'low' | 'info';
-    severity: 'critical' | 'high' | 'medium' | 'low' | null;
-    excludeTests: boolean;
-    llmDiscovery: boolean;
-    disablePass: string[];
-    fileTimeout: number;
-    maxFiles: number | null;
-    pathB: string | null;
-    history: boolean;
-    maxCommits: number;
-    includeCategory: string[];
-    excludeCategory: string[];
-    includeTests: boolean;
-    publicAsEntry: boolean;
-    top: number | null;
-    full: boolean;
-    metricCategory: string[];
-    role: string[];
-    securityOnly: boolean;
-    healthSecurity: boolean;
-    healthSecrets: boolean;
-    healthDeadCode: boolean;
-    healthQuality: boolean;
-    healthPerformance: boolean;
-    threshold: number;
-}
-/**
- * Parse command-line arguments.
- */
-export declare function parseArgs(argv: string[]): CliArgs;
-//# sourceMappingURL=args.d.ts.map

package/dist/cli/args.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"args.d.ts","sourceRoot":"","sources":["../../src/cli/args.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,KAAK,CAAC;AAC7E,MAAM,MAAM,OAAO,GAAG,SAAS,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,eAAe,GAAG,eAAe,GAAG,SAAS,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,WAAW,GAAG,SAAS,CAAC;AACvN,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEhF,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,iBAAiB,GAAG,aAAa,CAAC;AAE/F,MAAM,WAAW,OAAO;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;IAE1B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IAEzB,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,OAAO,EAAE,MAAM,CAAC;IAEhB,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IAE1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,OAAO,CAAC;IAEpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,eAAe,EAAE,OAAO,CAAC;IAEzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;IACvB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,YAAY,EAAE,OAAO,CAAC;IAEtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAE9D,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,IAAI,CAAC;IAExD,YAAY,EAAE,OAAO,CAAC;IAEtB,YAAY,EAAE,OAAO,CAAC;IAEtB,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,WAAW,EAAE,MAAM,CAAC;IAEpB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IAExB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAErB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;IAE1B,YAAY,EAAE,OAAO,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,IAAI,EAAE,OAAO,CAAC;IAEd,cAAc,EAAE,MAAM,EAAE,CAAC;IAEzB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,YAAY,EAAE,OAAO,CAAC;IAEtB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,OAAO,CAAC;IACvB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAypBjD"}