circle-ir 3.12.1 → 3.14.0

package/dist/browser/circle-ir.js

@@ -20377,11 +20377,11 @@ var SerialAwaitPass = class {
         cwe: void 0,
         severity: "low",
         level: "note",
-        message: `Serial awaits: \`${expr1}\` (line ${a1.line}) and \`${expr2}\` (line ${a2.line}) have no data dependency; consider using Promise.all()`,
+        message: `Serial awaits: \`${expr1}\` (line ${a1.line}) and \`${expr2}\` (line ${a2.line}) appear to have no data dependency \u2014 verify ordering requirements before parallelising`,
         file,
         line: a1.line,
         end_line: a2.line,
-        fix: `const [result1, result2] = await Promise.all([operation1, operation2]);`,
+        fix: `If the operations are truly independent and have no ordering constraints, consider: const [result1, result2] = await Promise.all([operation1, operation2]);`,
         evidence: {
           first_await_line: a1.line,
           second_await_line: a2.line,
@@ -20914,94 +20914,6 @@ var UseAfterClosePass = class {
   }
 };
 
-// src/analysis/passes/missing-guard-dom-pass.ts
-var AUTH_METHODS = /* @__PURE__ */ new Set([
-  "authenticate",
-  "isAuthenticated",
-  "isAuthorized",
-  "isAdmin",
-  "checkAuth",
-  "hasPermission",
-  "requiresAuth",
-  "verifyToken",
-  "validateToken",
-  "checkRole",
-  "authorize",
-  "isLoggedIn"
-]);
-var SENSITIVE_METHODS = /* @__PURE__ */ new Set([
-  "delete",
-  "deleteById",
-  "drop",
-  "truncate",
-  "executeUpdate",
-  "createUser",
-  "createAdmin",
-  "modifyPermission",
-  "grantRole",
-  "setAdmin",
-  "elevatePrivilege"
-]);
-var MissingGuardDomPass = class {
-  name = "missing-guard-dom";
-  category = "security";
-  run(ctx) {
-    const { graph, language } = ctx;
-    if (language !== "java") return { findings: 0 };
-    const { cfg, calls } = graph.ir;
-    if (cfg.blocks.length === 0 || cfg.edges.length === 0) return { findings: 0 };
-    const dom = new DominatorGraph(cfg);
-    const file = graph.ir.meta.file;
-    const authCallLines = [];
-    const sensitiveOps = [];
-    for (const call of calls) {
-      if (AUTH_METHODS.has(call.method_name)) {
-        authCallLines.push(call.location.line);
-      }
-      if (SENSITIVE_METHODS.has(call.method_name)) {
-        sensitiveOps.push({ line: call.location.line, method: call.method_name });
-      }
-    }
-    if (sensitiveOps.length === 0) return { findings: 0 };
-    const blockContainingLine = (line) => cfg.blocks.find((b) => b.start_line <= line && line <= b.end_line) ?? null;
-    const reportedMethods = /* @__PURE__ */ new Set();
-    let count = 0;
-    for (const op of sensitiveOps) {
-      const opBlock = blockContainingLine(op.line);
-      if (!opBlock) continue;
-      const methodInfo = graph.methodAtLine(op.line);
-      if (!methodInfo) continue;
-      const methodKey = `${methodInfo.type.name}::${methodInfo.method.name}`;
-      if (reportedMethods.has(methodKey)) continue;
-      const { start_line, end_line } = methodInfo.method;
-      const authInMethod = authCallLines.filter((l) => l >= start_line && l <= end_line);
-      const dominated = authInMethod.some((authLine) => {
-        const authBlock = blockContainingLine(authLine);
-        return authBlock !== null && dom.dominates(authBlock.id, opBlock.id);
-      });
-      if (!dominated) {
-        reportedMethods.add(methodKey);
-        count++;
-        ctx.addFinding({
-          id: `missing-guard-dom-${file}-${op.line}`,
-          pass: this.name,
-          category: this.category,
-          rule_id: "missing-guard-dom",
-          cwe: "CWE-285",
-          severity: "high",
-          level: "error",
-          message: `Sensitive operation \`${op.method}()\` at line ${op.line} is not dominated by an authentication check`,
-          file,
-          line: op.line,
-          fix: `Add authentication/authorization check on all paths leading to line ${op.line}`,
-          evidence: { method: op.method }
-        });
-      }
-    }
-    return { findings: count };
-  }
-};
-
 // src/analysis/passes/cleanup-verify-pass.ts
 var RESOURCE_CTORS4 = /* @__PURE__ */ new Set([
   "FileInputStream",
@@ -21233,6 +21145,638 @@ var UnusedInterfaceMethodPass = class {
   }
 };
 
+// src/analysis/passes/blocking-main-thread-pass.ts
+var HTTP_DECORATORS = /* @__PURE__ */ new Set([
+  "Get",
+  "Post",
+  "Put",
+  "Patch",
+  "Delete",
+  "All",
+  "Options",
+  "Head",
+  "Route",
+  "Handler"
+]);
+var HANDLER_PARAM_NAMES = /* @__PURE__ */ new Set([
+  "req",
+  "res",
+  "request",
+  "response",
+  "ctx",
+  "c",
+  "event"
+]);
+var HANDLER_METHOD_NAMES = /* @__PURE__ */ new Set([
+  "handle",
+  "handler",
+  "dispatch",
+  "invoke",
+  "serve"
+]);
+var CRYPTO_BLOCKING_METHODS = /* @__PURE__ */ new Set([
+  "createHash",
+  "hashSync",
+  "pbkdf2Sync",
+  "scryptSync",
+  "generateKeyPairSync",
+  "generateKeySync",
+  "deriveKeySync"
+]);
+var SYNC_SUFFIX_RE2 = /Sync$/;
+var BlockingMainThreadPass = class {
+  name = "blocking-main-thread";
+  category = "performance";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language !== "javascript" && language !== "typescript") {
+      return { blockingInHandlers: [] };
+    }
+    const file = graph.ir.meta.file;
+    const handlerRanges = [];
+    for (const type of graph.ir.types) {
+      for (const method of type.methods) {
+        if (this.isRequestHandler(method)) {
+          handlerRanges.push({
+            start: method.start_line,
+            end: method.end_line,
+            name: method.name
+          });
+        }
+      }
+    }
+    if (handlerRanges.length === 0) return { blockingInHandlers: [] };
+    const blockingInHandlers = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isCrypto = CRYPTO_BLOCKING_METHODS.has(name2);
+      const isSyncSuffix = SYNC_SUFFIX_RE2.test(name2);
+      if (!isCrypto && !isSyncSuffix) continue;
+      const line = call.location.line;
+      const range = handlerRanges.find((r) => line >= r.start && line <= r.end);
+      if (!range) continue;
+      const reason = isCrypto ? "crypto" : "sync-suffix";
+      blockingInHandlers.push({ line, method: name2, handler: range.name, reason });
+      ctx.addFinding({
+        id: `blocking-main-thread-${file}-${line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-1050",
+        severity: "medium",
+        level: "warning",
+        message: `Blocking call \`${name2}()\` inside request handler '${range.name}' stalls the event loop under concurrent load`,
+        file,
+        line,
+        fix: "Move to an async equivalent or offload to a worker thread",
+        evidence: { handler: range.name, blocking_method: name2, reason }
+      });
+    }
+    return { blockingInHandlers };
+  }
+  isRequestHandler(method) {
+    if (method.annotations.some((a) => HTTP_DECORATORS.has(a))) return true;
+    if (HANDLER_METHOD_NAMES.has(method.name)) return true;
+    const paramNames = method.parameters.map((p) => p.name.toLowerCase());
+    return paramNames.some((n) => HANDLER_PARAM_NAMES.has(n));
+  }
+};
+
+// src/analysis/passes/excessive-allocation-pass.ts
+var ALLOC_PATTERNS = {
+  javascript: /\bnew\s+(Array|Map|Set|Object|WeakMap|WeakSet|Error|RegExp|Date|Buffer|Uint8Array|Int8Array|Float32Array|ArrayBuffer)\s*[(<]|\bArray\.from\s*\(|\bstructuredClone\s*\(|\bObject\.create\s*\(/,
+  typescript: /\bnew\s+(Array|Map|Set|Object|WeakMap|WeakSet|Error|RegExp|Date|Buffer|Uint8Array|Int8Array|Float32Array|ArrayBuffer)\s*[(<]|\bArray\.from\s*\(|\bstructuredClone\s*\(|\bObject\.create\s*\(/,
+  java: /\bnew\s+(ArrayList|HashMap|HashSet|LinkedList|TreeMap|TreeSet|PriorityQueue|ArrayDeque|StringBuilder|StringBuffer|CopyOnWriteArrayList|ConcurrentHashMap)\s*[(<]|\bnew\s+\w[\w.<>]*\[\s*[a-zA-Z]\w*/,
+  python: /\b(list|dict|set|tuple|bytearray|defaultdict|OrderedDict|Counter|deque)\s*\(\s*\)|\[\s*\]|\{\s*\}(?!\s*[}\]])/,
+  rust: /\b(Vec|HashMap|HashSet|BTreeMap|BTreeSet|VecDeque|LinkedList|String|Box|Rc|Arc)\s*::\s*new\s*\(/
+};
+var BENIGN_RE = /\bpool\b|\bcache\b|\breuse\b|\bpreallocat|\brecycl/i;
+var ExcessiveAllocationPass = class {
+  name = "excessive-allocation";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "bash") {
+      return { allocationsInLoops: [] };
+    }
+    const pattern = ALLOC_PATTERNS[language];
+    if (!pattern) return { allocationsInLoops: [] };
+    const loops = graph.loopBodies();
+    if (loops.length === 0) return { allocationsInLoops: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const allocationsInLoops = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const loop of loops) {
+      for (let ln = loop.start_line; ln <= loop.end_line; ln++) {
+        if (reported.has(ln)) continue;
+        const src = codeLines[ln - 1] ?? "";
+        const match = pattern.exec(src);
+        if (!match) continue;
+        if (BENIGN_RE.test(src)) continue;
+        const allocLabel = match[0].replace(/\s+/g, " ").trim();
+        allocationsInLoops.push({ line: ln, pattern: allocLabel });
+        reported.add(ln);
+        ctx.addFinding({
+          id: `excessive-allocation-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-770",
+          severity: "medium",
+          level: "warning",
+          message: `Repeated allocation inside loop (lines ${loop.start_line}\u2013${loop.end_line}): \`${allocLabel}\` creates GC pressure on every iteration`,
+          file,
+          line: ln,
+          snippet: src.trim(),
+          fix: "Pre-allocate outside the loop and reset/reuse the collection each iteration",
+          evidence: {
+            allocation: allocLabel,
+            loop_start: loop.start_line,
+            loop_end: loop.end_line
+          }
+        });
+      }
+    }
+    return { allocationsInLoops };
+  }
+};
+
+// src/analysis/passes/missing-stream-pass.ts
+var JS_WHOLE_LOAD_RE = /\b(?:readFileSync|fs\.readFile\b|response\.text\b|response\.json\b|res\.text\b|res\.json\b|body\.text\b|body\.json\b)\s*\(/;
+var JS_STREAM_RE = /\.pipe\s*\(|\.on\s*\(\s*['"]data['"]|for\s+await\s*\(|\bcreateReadStream\b|\bstream\b/i;
+var JAVA_WHOLE_READ_RE = /\bFiles\.readAllBytes\s*\(|\bFiles\.readAllLines\s*\(|\bFiles\.readString\s*\(|\bnew\s+BufferedReader\s*\(|\bFileInputStream\b/;
+var PYTHON_WHOLE_READ_RE = /\.\s*read\s*\(\s*\)/;
+var MissingStreamPass = class {
+  name = "missing-stream";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "bash" || language === "rust") {
+      return { wholeFileReads: [] };
+    }
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const wholeFileReads = [];
+    const reported = /* @__PURE__ */ new Set();
+    if (language === "javascript" || language === "typescript") {
+      for (const type of graph.ir.types) {
+        for (const method of type.methods) {
+          const start2 = method.start_line;
+          const end = method.end_line;
+          const methodSrc = codeLines.slice(start2 - 1, end).join("\n");
+          if (JS_STREAM_RE.test(methodSrc)) continue;
+          for (let i2 = start2 - 1; i2 < end && i2 < codeLines.length; i2++) {
+            const ln = i2 + 1;
+            if (reported.has(ln)) continue;
+            const src = codeLines[i2];
+            const match = JS_WHOLE_LOAD_RE.exec(src);
+            if (!match) continue;
+            const methodName = match[0].replace(/\s*\(.*/, "").trim();
+            wholeFileReads.push({ line: ln, method: methodName });
+            reported.add(ln);
+            ctx.addFinding({
+              id: `missing-stream-${file}-${ln}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              severity: "low",
+              level: "note",
+              message: `\`${methodName}()\` loads the entire file/response into memory. Use a streaming API for large payloads.`,
+              file,
+              line: ln,
+              snippet: src.trim(),
+              fix: "Replace with fs.createReadStream / response.body (async iterator) to process data in chunks",
+              evidence: { method: methodName }
+            });
+          }
+        }
+      }
+      if (graph.ir.types.length === 0) {
+        if (!JS_STREAM_RE.test(code)) {
+          for (let i2 = 0; i2 < codeLines.length; i2++) {
+            const ln = i2 + 1;
+            if (reported.has(ln)) continue;
+            const src = codeLines[i2];
+            const match = JS_WHOLE_LOAD_RE.exec(src);
+            if (!match) continue;
+            const methodName = match[0].replace(/\s*\(.*/, "").trim();
+            wholeFileReads.push({ line: ln, method: methodName });
+            reported.add(ln);
+            ctx.addFinding({
+              id: `missing-stream-${file}-${ln}`,
+              pass: this.name,
+              category: this.category,
+              rule_id: this.name,
+              severity: "low",
+              level: "note",
+              message: `\`${methodName}()\` loads the entire file/response into memory. Use a streaming API for large payloads.`,
+              file,
+              line: ln,
+              snippet: src.trim(),
+              fix: "Replace with fs.createReadStream / response.body (async iterator) to process data in chunks",
+              evidence: { method: methodName }
+            });
+          }
+        }
+      }
+    } else if (language === "java") {
+      for (let i2 = 0; i2 < codeLines.length; i2++) {
+        const ln = i2 + 1;
+        if (reported.has(ln)) continue;
+        const src = codeLines[i2];
+        const match = JAVA_WHOLE_READ_RE.exec(src);
+        if (!match) continue;
+        const matchText = match[0].replace(/\s*\(.*/, "").trim();
+        wholeFileReads.push({ line: ln, method: matchText });
+        reported.add(ln);
+        ctx.addFinding({
+          id: `missing-stream-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          severity: "low",
+          level: "note",
+          message: `Whole-file read at line ${ln}: \`${matchText}\` loads the entire file into memory. Consider NIO Channels or InputStream for large files.`,
+          file,
+          line: ln,
+          snippet: src.trim(),
+          fix: "Use Files.lines() for line streaming, or InputStream / NIO channels for byte streaming",
+          evidence: { method: matchText }
+        });
+      }
+    } else if (language === "python") {
+      for (let i2 = 0; i2 < codeLines.length; i2++) {
+        const ln = i2 + 1;
+        if (reported.has(ln)) continue;
+        const src = codeLines[i2];
+        if (!PYTHON_WHOLE_READ_RE.test(src)) continue;
+        if (/^\s*#/.test(src)) continue;
+        wholeFileReads.push({ line: ln, method: "read" });
+        reported.add(ln);
+        ctx.addFinding({
+          id: `missing-stream-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          severity: "low",
+          level: "note",
+          message: `\`.read()\` loads the entire file into memory. Iterate over the file object instead for line-by-line streaming.`,
+          file,
+          line: ln,
+          snippet: src.trim(),
+          fix: "Iterate the file object: `for line in f:` instead of `data = f.read()`",
+          evidence: { method: "read" }
+        });
+      }
+    }
+    return { wholeFileReads };
+  }
+};
+
+// src/analysis/passes/god-class-pass.ts
+var WMC_THRESHOLD = 47;
+var LCOM2_THRESHOLD = 0.8;
+var CBO_THRESHOLD = 14;
+var PRIMITIVES = /* @__PURE__ */ new Set([
+  "void",
+  "boolean",
+  "byte",
+  "short",
+  "int",
+  "long",
+  "float",
+  "double",
+  "char",
+  "string",
+  "number",
+  "boolean",
+  "object",
+  "any",
+  "never",
+  "unknown",
+  "String",
+  "Integer",
+  "Long",
+  "Double",
+  "Boolean",
+  "Object",
+  "Number",
+  "null",
+  "undefined"
+]);
+var GodClassPass = class {
+  name = "god-class";
+  category = "architecture";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language === "bash" || language === "rust") {
+      return { godClasses: [] };
+    }
+    const file = graph.ir.meta.file;
+    const godClasses = [];
+    for (const type of graph.ir.types) {
+      if (type.kind !== "class") continue;
+      if (type.methods.length < 2) continue;
+      const wmc = this.computeWMC(graph.ir.cfg.blocks, graph.ir.cfg.edges, type);
+      const lcom2 = this.computeLCOM2(graph.ir.dfg, type);
+      const cbo = this.computeCBO(graph.ir.calls, type);
+      const violations = [
+        wmc > WMC_THRESHOLD,
+        lcom2 > LCOM2_THRESHOLD,
+        cbo > CBO_THRESHOLD
+      ].filter(Boolean).length;
+      if (violations < 2) continue;
+      godClasses.push({ className: type.name, line: type.start_line, wmc, lcom2, cbo });
+      const lcom2Str = lcom2.toFixed(2);
+      ctx.addFinding({
+        id: `god-class-${file}-${type.start_line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-1060",
+        severity: "medium",
+        level: "warning",
+        message: `God class detected: \`${type.name}\` exceeds ${violations}/3 thresholds (WMC=${wmc}, LCOM2=${lcom2Str}, CBO=${cbo})`,
+        file,
+        line: type.start_line,
+        fix: "Break into focused classes: extract cohesive method groups into separate types. Apply Single Responsibility Principle.",
+        evidence: { wmc, lcom2: parseFloat(lcom2Str), cbo }
+      });
+    }
+    return { godClasses };
+  }
+  /** Compute WMC = Σ v(G) for all methods. v(G) = edges − nodes + 2. */
+  computeWMC(blocks, edges, type) {
+    let wmc = 0;
+    for (const method of type.methods) {
+      const methodBlockIds = new Set(
+        blocks.filter((b) => b.start_line >= method.start_line && b.end_line <= method.end_line).map((b) => b.id)
+      );
+      if (methodBlockIds.size === 0) {
+        wmc += 1;
+        continue;
+      }
+      const methodEdges = edges.filter(
+        (e2) => methodBlockIds.has(e2.from) && methodBlockIds.has(e2.to)
+      );
+      const n = methodBlockIds.size;
+      const e = methodEdges.length;
+      const vG = Math.max(1, e - n + 2);
+      wmc += vG;
+    }
+    return wmc;
+  }
+  /**
+   * Compute LCOM2 = (P − Q) / max(1, m*(m−1)/2) clamped to [0, 1].
+   * Uses DFG variable names intersected with declared field names.
+   */
+  computeLCOM2(dfg, type) {
+    const m = type.methods.length;
+    if (m < 2) return 0;
+    const fieldNames = new Set(type.fields.map((f) => f.name));
+    if (fieldNames.size === 0) return 0;
+    const methodFields = type.methods.map((method) => {
+      const accessed = /* @__PURE__ */ new Set();
+      const start2 = method.start_line;
+      const end = method.end_line;
+      for (const def of dfg.defs) {
+        if (def.line >= start2 && def.line <= end && fieldNames.has(def.variable)) {
+          accessed.add(def.variable);
+        }
+      }
+      for (const use of dfg.uses) {
+        if (use.line >= start2 && use.line <= end && fieldNames.has(use.variable)) {
+          accessed.add(use.variable);
+        }
+      }
+      return accessed;
+    });
+    let P = 0;
+    let Q = 0;
+    for (let i2 = 0; i2 < m; i2++) {
+      for (let j = i2 + 1; j < m; j++) {
+        const shared = [...methodFields[i2]].some((f) => methodFields[j].has(f));
+        if (shared) {
+          Q++;
+        } else {
+          P++;
+        }
+      }
+    }
+    const total = m * (m - 1) / 2;
+    const raw = (P - Q) / Math.max(1, total);
+    return Math.min(1, Math.max(0, raw));
+  }
+  /**
+   * Compute CBO = count of distinct external type names referenced in the class.
+   * Sources: call receiver_type, method parameter types, field types.
+   */
+  computeCBO(calls, type) {
+    const externalTypes = /* @__PURE__ */ new Set();
+    const ownName = type.name.toLowerCase();
+    const addType = (t) => {
+      if (!t) return;
+      const base = t.replace(/<.*>/, "").replace(/\[\]/g, "").replace(/\?/g, "").trim();
+      if (!base) return;
+      if (PRIMITIVES.has(base)) return;
+      if (base.toLowerCase() === ownName) return;
+      externalTypes.add(base);
+    };
+    for (const field of type.fields) {
+      addType(field.type);
+    }
+    for (const method of type.methods) {
+      for (const param of method.parameters) {
+        addType(param.type);
+      }
+    }
+    const classStart = type.methods.reduce(
+      (mn, m) => Math.min(mn, m.start_line),
+      Infinity
+    );
+    const classEnd = type.methods.reduce(
+      (mx, m) => Math.max(mx, m.end_line),
+      0
+    );
+    for (const call of calls) {
+      const ln = call.location.line;
+      if (ln >= classStart && ln <= classEnd) {
+        addType(call.receiver_type ?? null);
+      }
+    }
+    return externalTypes.size;
+  }
+};
+
+// src/analysis/passes/naming-convention-pass.ts
+var PASCAL_CASE_RE = /^[A-Z][A-Za-z0-9]*$/;
+var CAMEL_CASE_RE = /^[a-z][a-zA-Z0-9]*$/;
+var SNAKE_CASE_RE = /^[a-z_][a-z0-9_]*$/;
+var UPPER_SNAKE_RE = /^[A-Z][A-Z0-9_]*$/;
+var I_PREFIX_RE = /^I[A-Z]/;
+var DUNDER_RE = /^__\w+__$/;
+var GENERIC_NAMES = /* @__PURE__ */ new Set(["T", "K", "V", "E", "R", "N", "S", "U", "W"]);
+var EXEMPT_METHODS = /* @__PURE__ */ new Set([
+  "main",
+  "toString",
+  "hashCode",
+  "equals",
+  "compareTo",
+  "valueOf",
+  "of",
+  "from",
+  "create",
+  "build",
+  "get",
+  "set",
+  "is",
+  "has"
+]);
+var MAX_FINDINGS = 20;
+function shouldSkipName(name2) {
+  if (name2.length <= 2) return true;
+  if (name2.startsWith("_") || name2.startsWith("$")) return true;
+  if (DUNDER_RE.test(name2)) return true;
+  if (GENERIC_NAMES.has(name2)) return true;
+  return false;
+}
+var NamingConventionPass = class {
+  name = "naming-convention";
+  category = "maintainability";
+  enforceIPrefix;
+  constructor(options = {}) {
+    this.enforceIPrefix = options.enforceIPrefix ?? false;
+  }
+  run(ctx) {
+    const { graph, language } = ctx;
+    const file = graph.ir.meta.file;
+    const violations = [];
+    let findingCount = 0;
+    const addViolation = (entity, name2, line, expected, message) => {
+      if (findingCount >= MAX_FINDINGS) return;
+      violations.push({ entity, name: name2, line, expected, actual: name2 });
+      findingCount++;
+      ctx.addFinding({
+        id: `naming-convention-${file}-${line}-${name2}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        severity: "low",
+        level: "note",
+        message,
+        file,
+        line,
+        fix: `Rename \`${name2}\` to follow ${expected} convention`,
+        evidence: { name: name2, expected_convention: expected }
+      });
+    };
+    for (const type of graph.ir.types) {
+      if (findingCount >= MAX_FINDINGS) break;
+      if (shouldSkipName(type.name)) continue;
+      if (language === "java" || language === "typescript" || language === "javascript") {
+        if (type.kind === "class" && !PASCAL_CASE_RE.test(type.name)) {
+          addViolation(
+            "class",
+            type.name,
+            type.start_line,
+            "PascalCase",
+            `Class \`${type.name}\` should be PascalCase`
+          );
+        }
+        if (type.kind === "interface") {
+          if (!PASCAL_CASE_RE.test(type.name)) {
+            addViolation(
+              "interface",
+              type.name,
+              type.start_line,
+              "PascalCase",
+              `Interface \`${type.name}\` should be PascalCase`
+            );
+          } else if (this.enforceIPrefix && I_PREFIX_RE.test(type.name)) {
+            addViolation(
+              "interface",
+              type.name,
+              type.start_line,
+              "PascalCase (no I-prefix)",
+              `Interface \`${type.name}\` uses I-prefix which is not idiomatic \u2014 prefer plain PascalCase`
+            );
+          }
+        }
+        for (const method of type.methods) {
+          if (findingCount >= MAX_FINDINGS) break;
+          if (shouldSkipName(method.name)) continue;
+          if (EXEMPT_METHODS.has(method.name)) continue;
+          if (!CAMEL_CASE_RE.test(method.name)) {
+            addViolation(
+              "method",
+              method.name,
+              method.start_line,
+              "camelCase",
+              `Method \`${type.name}.${method.name}()\` should be camelCase`
+            );
+          }
+        }
+        if (language === "java") {
+          for (const field of type.fields) {
+            if (findingCount >= MAX_FINDINGS) break;
+            if (shouldSkipName(field.name)) continue;
+            const isConstant = field.modifiers.includes("final") && field.modifiers.includes("static");
+            if (isConstant && !UPPER_SNAKE_RE.test(field.name)) {
+              addViolation(
+                "field",
+                field.name,
+                type.start_line,
+                "UPPER_SNAKE_CASE",
+                `Static final field \`${field.name}\` should be UPPER_SNAKE_CASE`
+              );
+            }
+          }
+        }
+      } else if (language === "python") {
+        if (type.kind === "class" && !PASCAL_CASE_RE.test(type.name)) {
+          addViolation(
+            "class",
+            type.name,
+            type.start_line,
+            "PascalCase",
+            `Class \`${type.name}\` should be PascalCase`
+          );
+        }
+        for (const method of type.methods) {
+          if (findingCount >= MAX_FINDINGS) break;
+          if (shouldSkipName(method.name)) continue;
+          if (DUNDER_RE.test(method.name)) continue;
+          if (!SNAKE_CASE_RE.test(method.name)) {
+            addViolation(
+              "method",
+              method.name,
+              method.start_line,
+              "snake_case",
+              `Method \`${type.name}.${method.name}()\` should be snake_case`
+            );
+          }
+        }
+      } else if (language === "bash" || language === "rust") {
+        for (const method of type.methods) {
+          if (findingCount >= MAX_FINDINGS) break;
+          if (shouldSkipName(method.name)) continue;
+          if (!SNAKE_CASE_RE.test(method.name)) {
+            addViolation(
+              "method",
+              method.name,
+              method.start_line,
+              "snake_case",
+              `Function \`${method.name}\` should be snake_case`
+            );
+          }
+        }
+      }
+    }
+    return { violations };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -22032,7 +22576,7 @@ async function analyze(code, filePath, language, options = {}) {
     enriched: {}
   });
   const config = options.taintConfig ?? getDefaultConfig();
-  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).add(new MissingGuardDomPass()).add(new CleanupVerifyPass()).add(new MissingOverridePass()).add(new UnusedInterfaceMethodPass()).run(graph, code, language, config);
+  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).add(new CleanupVerifyPass()).add(new MissingOverridePass()).add(new UnusedInterfaceMethodPass()).add(new BlockingMainThreadPass()).add(new ExcessiveAllocationPass()).add(new MissingStreamPass()).add(new GodClassPass()).add(new NamingConventionPass(options.passOptions?.namingConvention)).run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");
   const taint = {