circle-ir 3.12.1 → 3.15.0

package/dist/analysis/passes/god-class-pass.js

@@ -0,0 +1,197 @@
+/**
+ * Pass #86: god-class (CWE-1060, category: architecture)
+ *
+ * Detects "God Class" anti-pattern: a class that does too much, is poorly
+ * cohesive, and is heavily coupled to external types. These classes are hard
+ * to test, maintain, and evolve.
+ *
+ * Three CK metrics are computed inline (the metrics pipeline runs separately
+ * and its results are not available here):
+ *
+ *   WMC  — Weighted Methods per Class: Σ v(G) per method, where v(G) is
+ *           McCabe cyclomatic complexity = CFG edges − nodes + 2.
+ *           Fallback = 1 per method when CFG data is absent.
+ *
+ *   LCOM2 — Lack of Cohesion of Methods (0–1 scale):
+ *           (P − Q) / max(1, m*(m−1)/2)
+ *           P = method pairs sharing no fields, Q = pairs sharing ≥1 field.
+ *           Field access is inferred from DFG defs/uses whose variable name
+ *           matches a declared field name (name-match heuristic).
+ *
+ *   CBO  — Coupling Between Objects: count of distinct external type names
+ *           referenced in parameter types, field types, or call receiver_type
+ *           within the class, excluding primitives and same-class references.
+ *
+ * A finding is emitted when at least 2 of the 3 thresholds are exceeded:
+ *   WMC > 47   (SonarQube default)
+ *   LCOM2 > 0.8
+ *   CBO > 14   (SATD threshold)
+ *
+ * Languages: Java, TypeScript, Python. Bash / Rust — skipped.
+ */
+const WMC_THRESHOLD = 47;
+const LCOM2_THRESHOLD = 0.8;
+const CBO_THRESHOLD = 14;
+/** Java / TypeScript primitive type names to exclude from CBO. */
+const PRIMITIVES = new Set([
+    'void', 'boolean', 'byte', 'short', 'int', 'long', 'float', 'double', 'char',
+    'string', 'number', 'boolean', 'object', 'any', 'never', 'unknown',
+    'String', 'Integer', 'Long', 'Double', 'Boolean', 'Object', 'Number',
+    'null', 'undefined',
+]);
+export class GodClassPass {
+    name = 'god-class';
+    category = 'architecture';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language === 'bash' || language === 'rust') {
+            return { godClasses: [] };
+        }
+        const file = graph.ir.meta.file;
+        const godClasses = [];
+        for (const type of graph.ir.types) {
+            if (type.kind !== 'class')
+                continue;
+            if (type.methods.length < 2)
+                continue;
+            const wmc = this.computeWMC(graph.ir.cfg.blocks, graph.ir.cfg.edges, type);
+            const lcom2 = this.computeLCOM2(graph.ir.dfg, type);
+            const cbo = this.computeCBO(graph.ir.calls, type);
+            const violations = [
+                wmc > WMC_THRESHOLD,
+                lcom2 > LCOM2_THRESHOLD,
+                cbo > CBO_THRESHOLD,
+            ].filter(Boolean).length;
+            if (violations < 2)
+                continue;
+            godClasses.push({ className: type.name, line: type.start_line, wmc, lcom2, cbo });
+            const lcom2Str = lcom2.toFixed(2);
+            ctx.addFinding({
+                id: `god-class-${file}-${type.start_line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-1060',
+                severity: 'medium',
+                level: 'warning',
+                message: `God class detected: \`${type.name}\` exceeds ${violations}/3 thresholds ` +
+                    `(WMC=${wmc}, LCOM2=${lcom2Str}, CBO=${cbo})`,
+                file,
+                line: type.start_line,
+                fix: 'Break into focused classes: extract cohesive method groups into separate types. ' +
+                    'Apply Single Responsibility Principle.',
+                evidence: { wmc, lcom2: parseFloat(lcom2Str), cbo },
+            });
+        }
+        return { godClasses };
+    }
+    /** Compute WMC = Σ v(G) for all methods. v(G) = edges − nodes + 2. */
+    computeWMC(blocks, edges, type) {
+        let wmc = 0;
+        for (const method of type.methods) {
+            // Find CFG blocks within this method's line range
+            const methodBlockIds = new Set(blocks
+                .filter(b => b.start_line >= method.start_line && b.end_line <= method.end_line)
+                .map(b => b.id));
+            if (methodBlockIds.size === 0) {
+                // No CFG data — fallback complexity of 1
+                wmc += 1;
+                continue;
+            }
+            // Count edges between blocks within this method
+            const methodEdges = edges.filter(e => methodBlockIds.has(e.from) && methodBlockIds.has(e.to));
+            const n = methodBlockIds.size;
+            const e = methodEdges.length;
+            const vG = Math.max(1, e - n + 2);
+            wmc += vG;
+        }
+        return wmc;
+    }
+    /**
+     * Compute LCOM2 = (P − Q) / max(1, m*(m−1)/2) clamped to [0, 1].
+     * Uses DFG variable names intersected with declared field names.
+     */
+    computeLCOM2(dfg, type) {
+        const m = type.methods.length;
+        if (m < 2)
+            return 0;
+        const fieldNames = new Set(type.fields.map(f => f.name));
+        if (fieldNames.size === 0)
+            return 0;
+        // For each method, collect the set of field names it accesses (def or use)
+        const methodFields = type.methods.map(method => {
+            const accessed = new Set();
+            const start = method.start_line;
+            const end = method.end_line;
+            for (const def of dfg.defs) {
+                if (def.line >= start && def.line <= end && fieldNames.has(def.variable)) {
+                    accessed.add(def.variable);
+                }
+            }
+            for (const use of dfg.uses) {
+                if (use.line >= start && use.line <= end && fieldNames.has(use.variable)) {
+                    accessed.add(use.variable);
+                }
+            }
+            return accessed;
+        });
+        let P = 0; // pairs with no shared fields
+        let Q = 0; // pairs with >= 1 shared field
+        for (let i = 0; i < m; i++) {
+            for (let j = i + 1; j < m; j++) {
+                const shared = [...methodFields[i]].some(f => methodFields[j].has(f));
+                if (shared) {
+                    Q++;
+                }
+                else {
+                    P++;
+                }
+            }
+        }
+        const total = (m * (m - 1)) / 2;
+        const raw = (P - Q) / Math.max(1, total);
+        return Math.min(1, Math.max(0, raw));
+    }
+    /**
+     * Compute CBO = count of distinct external type names referenced in the class.
+     * Sources: call receiver_type, method parameter types, field types.
+     */
+    computeCBO(calls, type) {
+        const externalTypes = new Set();
+        const ownName = type.name.toLowerCase();
+        const addType = (t) => {
+            if (!t)
+                return;
+            // Strip generic parameters: List<String> → List
+            const base = t.replace(/<.*>/, '').replace(/\[\]/g, '').replace(/\?/g, '').trim();
+            if (!base)
+                return;
+            if (PRIMITIVES.has(base))
+                return;
+            if (base.toLowerCase() === ownName)
+                return;
+            externalTypes.add(base);
+        };
+        // Field types
+        for (const field of type.fields) {
+            addType(field.type);
+        }
+        // Method parameter types
+        for (const method of type.methods) {
+            for (const param of method.parameters) {
+                addType(param.type);
+            }
+        }
+        // Call receiver types within this class's line range
+        const classStart = type.methods.reduce((mn, m) => Math.min(mn, m.start_line), Infinity);
+        const classEnd = type.methods.reduce((mx, m) => Math.max(mx, m.end_line), 0);
+        for (const call of calls) {
+            const ln = call.location.line;
+            if (ln >= classStart && ln <= classEnd) {
+                addType(call.receiver_type ?? null);
+            }
+        }
+        return externalTypes.size;
+    }
+}
+//# sourceMappingURL=god-class-pass.js.map

package/dist/analysis/passes/god-class-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"god-class-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/god-class-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,MAAM,aAAa,GAAI,EAAE,CAAC;AAC1B,MAAM,eAAe,GAAG,GAAG,CAAC;AAC5B,MAAM,aAAa,GAAI,EAAE,CAAC;AAE1B,kEAAkE;AAClE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM;IAC5E,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IAClE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ;IACpE,MAAM,EAAE,WAAW;CACpB,CAAC,CAAC;AAYH,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,WAAW,CAAC;IACnB,QAAQ,GAAG,cAAuB,CAAC;IAE5C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,UAAU,GAAiC,EAAE,CAAC;QAEpD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACpC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YAEtC,MAAM,GAAG,GAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACpD,MAAM,GAAG,GAAK,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAEpD,MAAM,UAAU,GAAG;gBACjB,GAAG,GAAI,aAAa;gBACpB,KAAK,GAAG,eAAe;gBACvB,GAAG,GAAI,aAAa;aACrB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAEzB,IAAI,UAAU,GAAG,CAAC;gBAAE,SAAS;YAE7B,UAAU,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAElF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAClC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,aAAa,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE;gBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,yBAAyB,IAAI,CAAC,IAAI,cAAc,UAAU,gBAAgB;oBAC1E,QAAQ,GAAG,WAAW,QAAQ,SAAS,GAAG,GAAG;gBAC/C,IAAI;gBACJ,IAAI,EAAE,IAAI,CAAC,UAAU;gBACrB,GAAG,EACD,kFAAkF;oBAClF,wCAAwC;gBAC1C,QAAQ,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE;aACpD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,UAAU,EAAE,CAAC;IACxB,CAAC;IAED,sEAAsE;IAC9D,UAAU,CAChB,MAAmE,EACnE,KAA0C,EAC1C,IAAkE;QAElE,IAAI,GAAG,GAAG,CAAC,CAAC;QAEZ,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,kDAAkD;YAClD,MAAM,cAAc,GAAG,IAAI,GAAG,CAC5B,MAAM;iBACH,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;iBAC/E,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAClB,CAAC;YAEF,IAAI,cAAc,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBAC9B,yCAAyC;gBACzC,GAAG,IAAI,CAAC,CAAC;gBACT,SAAS;YACX,CAAC;YAED,gDAAgD;YAChD,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAC5D,CAAC;YAEF,MAAM,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC;YAC9B,MAAM,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC;YAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YAClC,GAAG,IAAI,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACK,YAAY,CAClB,GAAyG,EACzG,IAGC;QAED,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QAC9B,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;QAEpB,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACzD,IAAI,UAAU,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QAEpC,2EAA2E;QAC3E,MAAM,YAAY,GAAkB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;YAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC;YAChC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;YAE5B,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,IAAI,IAAI,KAAK,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YACD,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,IAAI,IAAI,KAAK,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,8BAA8B;QACzC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,+BAA+B;QAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC/B,MAAM,MAAM,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtE,IAAI,MAAM,EAAE,CAAC;oBACX,CAAC,EAAE,CAAC;gBACN,CAAC;qBAAM,CAAC;oBACN,CAAC,EAAE,CAAC;gBACN,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IAED;;;OAGG;IACK,UAAU,CAChB,KAA2E,EAC3E,IAIC;QAED,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;QACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAExC,MAAM,OAAO,GAAG,CAAC,CAA4B,EAAE,EAAE;YAC/C,IAAI,CAAC,CAAC;gBAAE,OAAO;YACf,gDAAgD;YAChD,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAClF,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,OAAO;YACjC,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,OAAO;gBAAE,OAAO;YAC3C,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC,CAAC;QAEF,cAAc;QACd,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;QAED,yBAAyB;QACzB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CACpC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,EAAE,QAAQ,CAChD,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAClC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CACvC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAC9B,IAAI,EAAE,IAAI,UAAU,IAAI,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACvC,OAAO,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAED,OAAO,aAAa,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF"}

package/dist/analysis/passes/missing-guard-dom-pass.d.ts

@@ -1,6 +1,24 @@
 /**
  * Pass: missing-guard-dom (#53, CWE-285)
  *
+ * @deprecated NOT REGISTERED IN THE DEFAULT PIPELINE
+ *
+ * This pass was removed from the default AnalysisPipeline in v3.14.0 because
+ * its hardcoded auth-method list (12 names) produces high-severity false
+ * positives in any codebase that uses framework-level authorization (Spring
+ * Security annotations, filter chains, middleware) — those guards never appear
+ * as intra-method call nodes in the CFG, so every sensitive operation looks
+ * unguarded.
+ *
+ * The raw signals this pass relies on are already present in CircleIR:
+ *   • ir.calls  — all call sites with method_name; filter AUTH_METHODS /
+ *                 SENSITIVE_METHODS to identify candidates.
+ *   • ir.cfg    — full CFG (blocks + edges); build DominatorGraph from it.
+ *
+ * This file is retained so that circle-ir-ai can reconstruct the dominator
+ * analysis on top of LLM-identified auth guards (which correctly handle
+ * annotations, middleware, and framework-specific patterns).
+ *
  * Detects sensitive operations that are not dominated by an authentication
  * or authorization check on all control-flow paths within the same method.
  *

package/dist/analysis/passes/missing-guard-dom-pass.js

@@ -1,6 +1,24 @@
 /**
  * Pass: missing-guard-dom (#53, CWE-285)
  *
+ * @deprecated NOT REGISTERED IN THE DEFAULT PIPELINE
+ *
+ * This pass was removed from the default AnalysisPipeline in v3.14.0 because
+ * its hardcoded auth-method list (12 names) produces high-severity false
+ * positives in any codebase that uses framework-level authorization (Spring
+ * Security annotations, filter chains, middleware) — those guards never appear
+ * as intra-method call nodes in the CFG, so every sensitive operation looks
+ * unguarded.
+ *
+ * The raw signals this pass relies on are already present in CircleIR:
+ *   • ir.calls  — all call sites with method_name; filter AUTH_METHODS /
+ *                 SENSITIVE_METHODS to identify candidates.
+ *   • ir.cfg    — full CFG (blocks + edges); build DominatorGraph from it.
+ *
+ * This file is retained so that circle-ir-ai can reconstruct the dominator
+ * analysis on top of LLM-identified auth guards (which correctly handle
+ * annotations, middleware, and framework-specific patterns).
+ *
  * Detects sensitive operations that are not dominated by an authentication
  * or authorization check on all control-flow paths within the same method.
  *

package/dist/analysis/passes/missing-guard-dom-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"missing-guard-dom-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-guard-dom-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAEhE,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC;IAChD,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,SAAS;IAC5D,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa;IAC3D,eAAe,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY;CACxD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe;IAC3D,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW;IAC5D,UAAU,EAAE,kBAAkB;CAC/B,CAAC,CAAC;AAMH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,mBAAmB,CAAC;IAC3B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEhD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAE9E,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,6DAA6D;QAC7D,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4C,EAAE,CAAC;QAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEtD,gFAAgF;QAChF,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,qDAAqD;QACrD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,SAAS,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACvE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAEnD,uDAAuD;YACvD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,QAAQ,CAAC,CAAC;YAEjF,sEAAsE;YACtE,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;gBAChD,OAAO,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC/B,KAAK,EAAE,CAAC;gBACR,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,qBAAqB,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;oBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,mBAAmB;oBAC5B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,yBAAyB,EAAE,CAAC,MAAM,gBAAgB,EAAE,CAAC,IAAI,oBAAoB;wBAC7E,4BAA4B;oBAC9B,IAAI;oBACJ,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,GAAG,EAAE,uEAAuE,EAAE,CAAC,IAAI,EAAE;oBACrF,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}
+{"version":3,"file":"missing-guard-dom-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-guard-dom-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAEhE,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC;IAChD,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,SAAS;IAC5D,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa;IAC3D,eAAe,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY;CACxD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe;IAC3D,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW;IAC5D,UAAU,EAAE,kBAAkB;CAC/B,CAAC,CAAC;AAMH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,mBAAmB,CAAC;IAC3B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEhD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAE9E,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,6DAA6D;QAC7D,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4C,EAAE,CAAC;QAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEtD,gFAAgF;QAChF,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,qDAAqD;QACrD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,SAAS,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACvE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAEnD,uDAAuD;YACvD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,QAAQ,CAAC,CAAC;YAEjF,sEAAsE;YACtE,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;gBAChD,OAAO,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC/B,KAAK,EAAE,CAAC;gBACR,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,qBAAqB,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;oBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,mBAAmB;oBAC5B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,yBAAyB,EAAE,CAAC,MAAM,gBAAgB,EAAE,CAAC,IAAI,oBAAoB;wBAC7E,4BAA4B;oBAC9B,IAAI;oBACJ,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,GAAG,EAAE,uEAAuE,EAAE,CAAC,IAAI,EAAE;oBACrF,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/analysis/passes/missing-stream-pass.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Pass #85: missing-stream (category: performance)
+ *
+ * Detects whole-file / whole-response reads that load the entire payload into
+ * memory when a streaming approach would be more memory-efficient.
+ *
+ * Detection strategy (source-text heuristics):
+ *   JS/TS  — fs.readFile / fs.readFileSync / response.text() / response.json()
+ *            in a method body that has no adjacent streaming indicator
+ *            (.pipe / for-await-of / createReadStream).
+ *   Java   — Files.readAllBytes / Files.readAllLines / Files.readString or a
+ *            new BufferedReader constructor.
+ *   Python — file_handle.read() (whole-file read).
+ *
+ * Languages: JavaScript, TypeScript, Java, Python. Bash / Rust — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MissingStreamResult {
+    wholeFileReads: Array<{
+        line: number;
+        method: string;
+    }>;
+}
+export declare class MissingStreamPass implements AnalysisPass<MissingStreamResult> {
+    readonly name = "missing-stream";
+    readonly category: "performance";
+    run(ctx: PassContext): MissingStreamResult;
+}

package/dist/analysis/passes/missing-stream-pass.js

@@ -0,0 +1,173 @@
+/**
+ * Pass #85: missing-stream (category: performance)
+ *
+ * Detects whole-file / whole-response reads that load the entire payload into
+ * memory when a streaming approach would be more memory-efficient.
+ *
+ * Detection strategy (source-text heuristics):
+ *   JS/TS  — fs.readFile / fs.readFileSync / response.text() / response.json()
+ *            in a method body that has no adjacent streaming indicator
+ *            (.pipe / for-await-of / createReadStream).
+ *   Java   — Files.readAllBytes / Files.readAllLines / Files.readString or a
+ *            new BufferedReader constructor.
+ *   Python — file_handle.read() (whole-file read).
+ *
+ * Languages: JavaScript, TypeScript, Java, Python. Bash / Rust — skipped.
+ */
+/** JS/TS calls that read an entire file or HTTP response into memory. */
+const JS_WHOLE_LOAD_RE = /\b(?:readFileSync|fs\.readFile\b|response\.text\b|response\.json\b|res\.text\b|res\.json\b|body\.text\b|body\.json\b)\s*\(/;
+/** Indicators that the method already uses streaming in JS/TS. */
+const JS_STREAM_RE = /\.pipe\s*\(|\.on\s*\(\s*['"]data['"]|for\s+await\s*\(|\bcreateReadStream\b|\bstream\b/i;
+/** Java patterns that load an entire file eagerly. */
+const JAVA_WHOLE_READ_RE = /\bFiles\.readAllBytes\s*\(|\bFiles\.readAllLines\s*\(|\bFiles\.readString\s*\(|\bnew\s+BufferedReader\s*\(|\bFileInputStream\b/;
+/** Python: calling .read() with no arguments loads the whole file. */
+const PYTHON_WHOLE_READ_RE = /\.\s*read\s*\(\s*\)/;
+export class MissingStreamPass {
+    name = 'missing-stream';
+    category = 'performance';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash' || language === 'rust') {
+            return { wholeFileReads: [] };
+        }
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const wholeFileReads = [];
+        const reported = new Set();
+        if (language === 'javascript' || language === 'typescript') {
+            // Check per method: only flag if the method body has no streaming indicator
+            for (const type of graph.ir.types) {
+                for (const method of type.methods) {
+                    const start = method.start_line;
+                    const end = method.end_line;
+                    const methodSrc = codeLines.slice(start - 1, end).join('\n');
+                    // Skip methods that already use streaming
+                    if (JS_STREAM_RE.test(methodSrc))
+                        continue;
+                    for (let i = start - 1; i < end && i < codeLines.length; i++) {
+                        const ln = i + 1;
+                        if (reported.has(ln))
+                            continue;
+                        const src = codeLines[i];
+                        const match = JS_WHOLE_LOAD_RE.exec(src);
+                        if (!match)
+                            continue;
+                        const methodName = match[0].replace(/\s*\(.*/, '').trim();
+                        wholeFileReads.push({ line: ln, method: methodName });
+                        reported.add(ln);
+                        ctx.addFinding({
+                            id: `missing-stream-${file}-${ln}`,
+                            pass: this.name,
+                            category: this.category,
+                            rule_id: this.name,
+                            severity: 'low',
+                            level: 'note',
+                            message: `\`${methodName}()\` loads the entire file/response into memory. ` +
+                                `Use a streaming API for large payloads.`,
+                            file,
+                            line: ln,
+                            snippet: src.trim(),
+                            fix: 'Replace with fs.createReadStream / response.body (async iterator) ' +
+                                'to process data in chunks',
+                            evidence: { method: methodName },
+                        });
+                    }
+                }
+            }
+            // Also check top-level code (outside any class/method) in loose JS files
+            if (graph.ir.types.length === 0) {
+                if (!JS_STREAM_RE.test(code)) {
+                    for (let i = 0; i < codeLines.length; i++) {
+                        const ln = i + 1;
+                        if (reported.has(ln))
+                            continue;
+                        const src = codeLines[i];
+                        const match = JS_WHOLE_LOAD_RE.exec(src);
+                        if (!match)
+                            continue;
+                        const methodName = match[0].replace(/\s*\(.*/, '').trim();
+                        wholeFileReads.push({ line: ln, method: methodName });
+                        reported.add(ln);
+                        ctx.addFinding({
+                            id: `missing-stream-${file}-${ln}`,
+                            pass: this.name,
+                            category: this.category,
+                            rule_id: this.name,
+                            severity: 'low',
+                            level: 'note',
+                            message: `\`${methodName}()\` loads the entire file/response into memory. ` +
+                                `Use a streaming API for large payloads.`,
+                            file,
+                            line: ln,
+                            snippet: src.trim(),
+                            fix: 'Replace with fs.createReadStream / response.body (async iterator) ' +
+                                'to process data in chunks',
+                            evidence: { method: methodName },
+                        });
+                    }
+                }
+            }
+        }
+        else if (language === 'java') {
+            for (let i = 0; i < codeLines.length; i++) {
+                const ln = i + 1;
+                if (reported.has(ln))
+                    continue;
+                const src = codeLines[i];
+                const match = JAVA_WHOLE_READ_RE.exec(src);
+                if (!match)
+                    continue;
+                const matchText = match[0].replace(/\s*\(.*/, '').trim();
+                wholeFileReads.push({ line: ln, method: matchText });
+                reported.add(ln);
+                ctx.addFinding({
+                    id: `missing-stream-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    severity: 'low',
+                    level: 'note',
+                    message: `Whole-file read at line ${ln}: \`${matchText}\` loads the entire file into memory. ` +
+                        `Consider NIO Channels or InputStream for large files.`,
+                    file,
+                    line: ln,
+                    snippet: src.trim(),
+                    fix: 'Use Files.lines() for line streaming, or InputStream / NIO channels for byte streaming',
+                    evidence: { method: matchText },
+                });
+            }
+        }
+        else if (language === 'python') {
+            for (let i = 0; i < codeLines.length; i++) {
+                const ln = i + 1;
+                if (reported.has(ln))
+                    continue;
+                const src = codeLines[i];
+                if (!PYTHON_WHOLE_READ_RE.test(src))
+                    continue;
+                // Skip comment lines
+                if (/^\s*#/.test(src))
+                    continue;
+                wholeFileReads.push({ line: ln, method: 'read' });
+                reported.add(ln);
+                ctx.addFinding({
+                    id: `missing-stream-${file}-${ln}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    severity: 'low',
+                    level: 'note',
+                    message: `\`.read()\` loads the entire file into memory. ` +
+                        `Iterate over the file object instead for line-by-line streaming.`,
+                    file,
+                    line: ln,
+                    snippet: src.trim(),
+                    fix: "Iterate the file object: `for line in f:` instead of `data = f.read()`",
+                    evidence: { method: 'read' },
+                });
+            }
+        }
+        return { wholeFileReads };
+    }
+}
+//# sourceMappingURL=missing-stream-pass.js.map

package/dist/analysis/passes/missing-stream-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-stream-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-stream-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,yEAAyE;AACzE,MAAM,gBAAgB,GACpB,4HAA4H,CAAC;AAE/H,kEAAkE;AAClE,MAAM,YAAY,GAChB,wFAAwF,CAAC;AAE3F,sDAAsD;AACtD,MAAM,kBAAkB,GACtB,gIAAgI,CAAC;AAEnI,sEAAsE;AACtE,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAMnD,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,gBAAgB,CAAC;IACxB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC;QAChC,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,cAAc,GAA0C,EAAE,CAAC;QACjE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,4EAA4E;YAC5E,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBAClC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC;oBAChC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;oBAC5B,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAE7D,0CAA0C;oBAC1C,IAAI,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC;wBAAE,SAAS;oBAE3C,KAAK,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBAC7D,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;wBACjB,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;4BAAE,SAAS;wBAC/B,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;wBACzB,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACzC,IAAI,CAAC,KAAK;4BAAE,SAAS;wBAErB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;wBAC1D,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;wBACtD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;wBAEjB,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,EAAE,EAAE;4BAClC,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,QAAQ,EAAE,KAAK;4BACf,KAAK,EAAE,MAAM;4BACb,OAAO,EACL,KAAK,UAAU,mDAAmD;gCAClE,yCAAyC;4BAC3C,IAAI;4BACJ,IAAI,EAAE,EAAE;4BACR,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE;4BACnB,GAAG,EACD,oEAAoE;gCACpE,2BAA2B;4BAC7B,QAAQ,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;yBACjC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,yEAAyE;YACzE,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBAC1C,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;wBACjB,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;4BAAE,SAAS;wBAC/B,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;wBACzB,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACzC,IAAI,CAAC,KAAK;4BAAE,SAAS;wBAErB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;wBAC1D,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;wBACtD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;wBAEjB,GAAG,CAAC,UAAU,CAAC;4BACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,EAAE,EAAE;4BAClC,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;4BACvB,OAAO,EAAE,IAAI,CAAC,IAAI;4BAClB,QAAQ,EAAE,KAAK;4BACf,KAAK,EAAE,MAAM;4BACb,OAAO,EACL,KAAK,UAAU,mDAAmD;gCAClE,yCAAyC;4BAC3C,IAAI;4BACJ,IAAI,EAAE,EAAE;4BACR,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE;4BACnB,GAAG,EACD,oEAAoE;gCACpE,2BAA2B;4BAC7B,QAAQ,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;yBACjC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;gBACjB,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAC/B,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC3C,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAErB,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACzD,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBACrD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAEjB,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,EAAE,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,MAAM;oBACb,OAAO,EACL,2BAA2B,EAAE,OAAO,SAAS,wCAAwC;wBACrF,uDAAuD;oBACzD,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE;oBACnB,GAAG,EACD,wFAAwF;oBAC1F,QAAQ,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;gBACjB,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAC/B,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAE9C,qBAAqB;gBACrB,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAEhC,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;gBAClD,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAEjB,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,EAAE,EAAE;oBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,MAAM;oBACb,OAAO,EACL,iDAAiD;wBACjD,kEAAkE;oBACpE,IAAI;oBACJ,IAAI,EAAE,EAAE;oBACR,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE;oBACnB,GAAG,EAAE,wEAAwE;oBAC7E,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;iBAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,cAAc,EAAE,CAAC;IAC5B,CAAC;CACF"}

package/dist/analysis/passes/n-plus-one-pass.js

@@ -46,13 +46,28 @@ const MEDIUM_CONFIDENCE_DB_METHODS = new Set([
     'get', 'post', 'put', 'patch', 'request',
     'load', 'lookup',
 ]);
-/** Receiver names that indicate a DB or HTTP client. */
-const DB_OR_HTTP_RECEIVER = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql)/i;
+/**
+ * Receiver patterns that indicate a DB or HTTP client.
+ *
+ * Two-tier matching:
+ *   1. Prefix match: names starting with db, conn, pool, repo, etc.
+ *   2. Suffix match: names ending with Repository, Repo, Dao, Service, Client, etc.
+ *
+ * This catches both `dbConnection.query()` and `userRepository.find()`.
+ */
+const DB_OR_HTTP_RECEIVER_PREFIX = /^(db|conn|connection|pool|client|repo|repository|orm|em|entityManager|sequelize|mongoose|prisma|axios|http|https|api|svc|service|dao|store|cache|gql|graphql|mongo|redis|sql|pg|mysql|sqlite|dynamo|cosmos|elastic|es|solr|neo4j|cassandra|couchbase|firestore|supabase|drizzle|knex|typeorm|mikro)/i;
+const DB_OR_HTTP_RECEIVER_SUFFIX = /(?:Repository|Repo|Dao|DataSource|DbContext|Client|Service|Store|Cache|Gateway|Adapter|Provider|Manager|Handler|Proxy|Facade|Connection|Pool|Session|Template|Mapper|Access|Query|Command|Storage|Bucket|Table|Collection|Index)$/;
+/**
+ * Check if a receiver name indicates a DB or HTTP client.
+ */
+function isDbOrHttpReceiver(receiver) {
+    return DB_OR_HTTP_RECEIVER_PREFIX.test(receiver) || DB_OR_HTTP_RECEIVER_SUFFIX.test(receiver);
+}
 function isDbOrApiCall(call) {
     if (HIGH_CONFIDENCE_DB_METHODS.has(call.method_name))
         return true;
     if (MEDIUM_CONFIDENCE_DB_METHODS.has(call.method_name)) {
-        return call.receiver != null && DB_OR_HTTP_RECEIVER.test(call.receiver);
+        return call.receiver != null && isDbOrHttpReceiver(call.receiver);
     }
     return false;
 }

package/dist/analysis/passes/n-plus-one-pass.js.map

@@ -1 +1 @@
-{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH,wDAAwD;AACxD,MAAM,mBAAmB,GAAG,gKAAgK,CAAC;AAE7L,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}
+{"version":3,"file":"n-plus-one-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/n-plus-one-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH;;;GAGG;AACH,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IAC9D,iBAAiB;IACjB,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,aAAa;IAClE,oBAAoB;IACpB,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY;IAC5D,WAAW;IACX,mBAAmB,EAAE,mBAAmB;IACxC,kBAAkB,EAAE,kBAAkB;IACtC,gBAAgB,EAAE,WAAW,EAAE,UAAU;IACzC,YAAY;IACZ,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,YAAY;IACzD,SAAS;IACT,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IAC/E,UAAU;IACV,OAAO;CACR,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,4BAA4B,GAAwB,IAAI,GAAG,CAAC;IAChE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS;IACrC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAClE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS;IACxC,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,MAAM,0BAA0B,GAAG,sSAAsS,CAAC;AAE1U,MAAM,0BAA0B,GAAG,mOAAmO,CAAC;AAEvQ;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvD,OAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,YAAY,CAAC;IACpB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,MAAM,WAAW,GAAe,EAAE,CAAC;QAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEvB,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,cAAc,IAAI,IAAI,IAAI,EAAE;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,UAAU;gBACf,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,gBAAgB,IAAI,CAAC,WAAW,+BAA+B;oBAC/D,eAAe,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,uBAAuB;gBACxE,IAAI;gBACJ,IAAI;gBACJ,GAAG,EAAE,UAAU,IAAI,CAAC,WAAW,+CAA+C;gBAC9E,QAAQ,EAAE;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/analysis/passes/naming-convention-pass.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Pass #88: naming-convention (category: maintainability)
+ *
+ * Checks that class, interface, method, and field names follow the
+ * established conventions for each language. Violations are purely
+ * structural — no corpus statistics or LLM required.
+ *
+ * Conventions enforced:
+ *   Java / TypeScript
+ *     • Class name     → PascalCase  (`^[A-Z][A-Za-z0-9]*$`)
+ *     • Interface name → PascalCase; the `I`-prefix anti-pattern is
+ *       configurable (opt-in, off by default — many codebases use it
+ *       intentionally; enable via `passOptions.namingConvention.enforceIPrefix`)
+ *     • Method name    → camelCase   (`^[a-z][a-zA-Z0-9]*$`)
+ *     • Constant field → UPPER_SNAKE_CASE  (field with final/static/const modifier)
+ *
+ *   Python
+ *     • Class name     → PascalCase  (`^[A-Z][A-Za-z0-9]*$`)
+ *     • Method name    → snake_case  (`^[a-z_][a-z0-9_]*$`)
+ *
+ *   Bash / Rust
+ *     • Function name  → snake_case  (`^[a-z_][a-z0-9_]*$`)
+ *
+ * Skip rules (to reduce false positives):
+ *   • Names ≤ 2 characters
+ *   • Names starting with `_` (private convention)
+ *   • Names starting with `$` (JS framework injections)
+ *   • Dunder methods: `__init__`, `__str__`, etc.
+ *   • Common single-letter generics: T, K, V, E
+ *   • Java/TS main entry: `main`
+ *
+ * Capped at 20 findings per file to avoid noise.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+/**
+ * Per-pass options for NamingConventionPass.
+ * Pass via `AnalyzerOptions.passOptions.namingConvention`.
+ */
+export interface NamingConventionOptions {
+    /**
+     * When true, flag TypeScript/Java interfaces whose names begin with `I`
+     * followed by an uppercase letter (e.g. `IUserRepository`).
+     * Default: false — the I-prefix is used intentionally in many codebases.
+     */
+    enforceIPrefix?: boolean;
+}
+export interface NamingConventionResult {
+    violations: Array<{
+        entity: 'class' | 'interface' | 'method' | 'field';
+        name: string;
+        line: number;
+        expected: string;
+        actual: string;
+    }>;
+}
+export declare class NamingConventionPass implements AnalysisPass<NamingConventionResult> {
+    readonly name = "naming-convention";
+    readonly category: "maintainability";
+    private readonly enforceIPrefix;
+    constructor(options?: NamingConventionOptions);
+    run(ctx: PassContext): NamingConventionResult;
+}