circle-ir 3.23.5 → 3.27.1

package/dist/browser/circle-ir.js

@@ -4045,8 +4045,7 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
-  const grammarName = language === "typescript" ? "javascript" : language;
-  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  const wasmModule = configuredLanguageModules[language];
   if (wasmModule) {
     const loadPromise2 = (async () => {
       const lang = await Language.load(wasmModule);
@@ -4145,20 +4144,19 @@ async function getDefaultWasmPath() {
   return "node_modules/web-tree-sitter/web-tree-sitter.wasm";
 }
 async function getDefaultLanguagePath(language) {
-  const grammarName = language === "typescript" ? "javascript" : language;
   const mods = await getNodeModules();
   if (mods && moduleDir) {
     const packageRoot = mods.join(moduleDir, "..", "..");
-    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${grammarName}.wasm`);
+    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(distWasmPath)) {
       return distWasmPath;
     }
-    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${grammarName}.wasm`);
+    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(packageWasmPath)) {
       return packageWasmPath;
     }
   }
-  return `wasm/tree-sitter-${grammarName}.wasm`;
+  return `wasm/tree-sitter-${language}.wasm`;
 }
 
 // src/core/extractors/meta.ts
@@ -4856,6 +4854,30 @@ function extractJSParameters(params) {
         annotations: [],
         line: child.startPosition.row + 1
       });
+    } else if (child.type === "required_parameter" || child.type === "optional_parameter") {
+      const patternNode = child.childForFieldName("pattern");
+      if (!patternNode) continue;
+      let paramName;
+      if (patternNode.type === "identifier") {
+        paramName = getNodeText(patternNode);
+      } else if (patternNode.type === "rest_pattern" || patternNode.type === "rest_element") {
+        const inner = patternNode.namedChildCount > 0 ? patternNode.namedChild(0) : null;
+        if (!inner) continue;
+        paramName = "..." + getNodeText(inner);
+      } else {
+        paramName = getNodeText(patternNode);
+      }
+      const typeNode = child.childForFieldName("type");
+      let paramType = null;
+      if (typeNode) {
+        paramType = getNodeText(typeNode).replace(/^:\s*/, "");
+      }
+      parameters.push({
+        name: paramName,
+        type: paramType,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
     }
   }
   return parameters;
@@ -13280,6 +13302,9 @@ var AnalysisPipeline = class {
       },
       addFinding(finding) {
         findings.push(finding);
+      },
+      getFindings() {
+        return findings;
       }
     };
     for (const pass of this.passes) {
@@ -24991,6 +25016,271 @@ function detectHandler(graph, calls) {
   return false;
 }
 
+// src/analysis/passes/scan-secrets-pass.ts
+var TEST_PATH_RE3 = /(?:^|[\\/])(?:test|tests|spec|specs|__tests?__|__mocks?__|fixtures?|testdata)(?:[\\/]|$)/i;
+var TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Test\.java|Tests\.java)$/i;
+function isTestFile(file) {
+  return TEST_PATH_RE3.test(file) || TEST_FILENAME_RE.test(file);
+}
+var PROVIDER_PATTERNS = [
+  {
+    name: "AWS access key",
+    regex: /\bAKIA[0-9A-Z]{16}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Rotate the AWS access key immediately and move it to an environment variable or AWS Secrets Manager."
+  },
+  {
+    name: "GitHub personal access token",
+    regex: /\bghp_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the token at https://github.com/settings/tokens and store secrets in CI/CD secrets, not source."
+  },
+  {
+    name: "GitHub OAuth token",
+    regex: /\bgho_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the OAuth token and store secrets outside source control."
+  },
+  {
+    name: "GitHub user-to-server token",
+    regex: /\bghu_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub user-to-server token and store secrets outside source control."
+  },
+  {
+    name: "GitHub server-to-server token",
+    regex: /\bghs_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub server-to-server token and store secrets outside source control."
+  },
+  {
+    name: "GitHub refresh token",
+    regex: /\bghr_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub refresh token and store secrets outside source control."
+  },
+  {
+    name: "Stripe live secret key",
+    regex: /\bsk_live_[A-Za-z0-9]{24,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Rotate the Stripe secret key in the Stripe Dashboard and load it from a secrets manager."
+  },
+  {
+    name: "Stripe live publishable key",
+    regex: /\bpk_live_[A-Za-z0-9]{24,}\b/,
+    severity: "high",
+    level: "warning",
+    fix: "Publishable keys are not secret but should still not be checked in to back-end source files; verify front-end vs back-end context."
+  },
+  {
+    name: "OpenAI API key",
+    regex: /\bsk-[A-Za-z0-9]{48}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the OpenAI key at https://platform.openai.com/api-keys and load from environment."
+  },
+  {
+    name: "Anthropic API key",
+    regex: /\bsk-ant-[A-Za-z0-9_-]{90,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the Anthropic key in the Console and load from environment."
+  },
+  {
+    name: "Slack token",
+    regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the Slack token and load from environment."
+  },
+  {
+    name: "Google API key",
+    regex: /\bAIza[0-9A-Za-z_-]{35}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Restrict the Google API key by referrer / IP in the GCP console or revoke it."
+  },
+  {
+    name: "JSON Web Token",
+    regex: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "JWTs in source carry whatever scope they were minted with; rotate signing keys and remove the token."
+  },
+  {
+    name: "PEM private key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/,
+    severity: "critical",
+    level: "error",
+    fix: "Remove the private key from source control immediately, rotate the corresponding public key, and store keys outside the repository."
+  },
+  {
+    name: "npm access token",
+    regex: /\bnpm_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
+  }
+];
+var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
+var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
+var HEXISH_RE = /^[a-fA-F0-9]+$/;
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var PLACEHOLDER_RE = /(?:changeme|your[-_]?(?:key|secret|token|password)(?:[-_]?here)?|replace[-_]?me|example[-_]?(?:key|secret|token)?|placeholder|todo|fixme|test[-_]?(?:key|secret|token)|fake[-_]?(?:key|secret|token)|dummy|sample|insert[-_]?your)/i;
+function isBareHashShape(s) {
+  const n = s.length;
+  if (n !== 32 && n !== 40 && n !== 64) return false;
+  return HEXISH_RE.test(s);
+}
+function isAllSameChar(s) {
+  if (s.length < 2) return false;
+  const c = s.charAt(0);
+  for (let i2 = 1; i2 < s.length; i2++) if (s.charAt(i2) !== c) return false;
+  return true;
+}
+function tryBase64Decode(s) {
+  if (s.length % 4 !== 0 && !/=+$/.test(s)) return null;
+  try {
+    return globalThis.atob(s);
+  } catch {
+    return null;
+  }
+}
+function looksLikeBase64Json(s) {
+  const decoded = tryBase64Decode(s);
+  if (!decoded) return false;
+  const trimmed = decoded.trimStart();
+  return trimmed.startsWith("{") || trimmed.startsWith("[");
+}
+function shannonEntropy(s) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  const len = s.length;
+  let h = 0;
+  for (const n of freq.values()) {
+    const p = n / len;
+    h -= p * Math.log2(p);
+  }
+  return h;
+}
+var CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
+var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
+var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
+var ScanSecretsPass = class {
+  name = "scan-secrets";
+  category = "security";
+  run(ctx) {
+    const file = ctx.graph.ir.meta.file;
+    if (isTestFile(file)) {
+      return { providerFindings: 0, entropyFindings: 0 };
+    }
+    const lines = ctx.code.split("\n");
+    const prior = ctx.getFindings?.() ?? [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const f of prior) {
+      if (f.file !== file) continue;
+      if (f.rule_id === "hardcoded-credential" || f.rule_id === "hardcoded-credential-entropy") {
+        seen.add(`${f.line}:${f.rule_id}`);
+      }
+    }
+    let providerFindings = 0;
+    let entropyFindings = 0;
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      for (const pattern of PROVIDER_PATTERNS) {
+        const m = pattern.regex.exec(lineText);
+        if (!m) continue;
+        const key = `${lineNum}:hardcoded-credential`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        ctx.addFinding({
+          id: `hardcoded-credential-${file}-${lineNum}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "hardcoded-credential",
+          cwe: "CWE-798",
+          severity: pattern.severity,
+          level: pattern.level,
+          message: `Hardcoded credential: ${pattern.name} detected`,
+          file,
+          line: lineNum,
+          snippet: lineText.trim().substring(0, 120),
+          fix: pattern.fix,
+          evidence: { provider: pattern.name, match: m[0].substring(0, 40) }
+        });
+        providerFindings += 1;
+        break;
+      }
+    }
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      if (TEST_CALL_RE.test(lineText)) continue;
+      if (COMMENT_EXAMPLE_RE.test(lineText)) continue;
+      STRING_LITERAL_RE.lastIndex = 0;
+      let match;
+      while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
+        const value = match[2];
+        if (!this.isCandidate(value)) continue;
+        if (!this.passesEntropyGate(value, lineText)) continue;
+        const key = `${lineNum}:hardcoded-credential-entropy`;
+        if (seen.has(key)) continue;
+        if (seen.has(`${lineNum}:hardcoded-credential`)) continue;
+        seen.add(key);
+        ctx.addFinding({
+          id: `hardcoded-credential-entropy-${file}-${lineNum}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "hardcoded-credential-entropy",
+          cwe: "CWE-798",
+          severity: "high",
+          level: "warning",
+          message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
+          file,
+          line: lineNum,
+          snippet: lineText.trim().substring(0, 120),
+          fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
+          evidence: { kind: "entropy", length: value.length }
+        });
+        entropyFindings += 1;
+      }
+    }
+    return { providerFindings, entropyFindings };
+  }
+  /** Length + shape + denylist filter before entropy is computed. */
+  isCandidate(s) {
+    if (s.length < 20 || s.length > 200) return false;
+    if (!BASE64ISH_RE.test(s) && !HEXISH_RE.test(s)) return false;
+    if (UUID_RE.test(s)) return false;
+    if (isBareHashShape(s)) return false;
+    if (isAllSameChar(s)) return false;
+    if (PLACEHOLDER_RE.test(s)) return false;
+    if (looksLikeBase64Json(s)) return false;
+    return true;
+  }
+  /**
+   * Shannon-entropy gate. Base64-shaped strings need higher entropy than
+   * hex-shaped (hex alphabet is 4 bits/char by construction). When the
+   * surrounding line contains a credential-shaped variable name, both
+   * thresholds drop by 0.2 bits/char.
+   */
+  passesEntropyGate(value, lineText) {
+    const isHex = HEXISH_RE.test(value);
+    const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
+    const threshold = isHex ? 3.5 - boost : 4.3 - boost;
+    const h = shannonEntropy(value);
+    return h >= threshold;
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -25835,6 +26125,7 @@ async function analyze(code, filePath, language, options = {}) {
   pipeline.add(new SinkFilterPass());
   pipeline.add(new TaintPropagationPass());
   pipeline.add(new InterproceduralPass());
+  if (!disabledPasses.has("scan-secrets")) pipeline.add(new ScanSecretsPass());
   if (!disabledPasses.has("dead-code")) pipeline.add(new DeadCodePass());
   if (!disabledPasses.has("missing-await")) pipeline.add(new MissingAwaitPass());
   if (!disabledPasses.has("n-plus-one")) pipeline.add(new NPlusOnePass());

package/dist/core/circle-ir-core.cjs

@@ -4110,8 +4110,7 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
-  const grammarName = language === "typescript" ? "javascript" : language;
-  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  const wasmModule = configuredLanguageModules[language];
   if (wasmModule) {
     const loadPromise2 = (async () => {
       const lang = await Language.load(wasmModule);
@@ -4210,20 +4209,19 @@ async function getDefaultWasmPath() {
   return "node_modules/web-tree-sitter/web-tree-sitter.wasm";
 }
 async function getDefaultLanguagePath(language) {
-  const grammarName = language === "typescript" ? "javascript" : language;
   const mods = await getNodeModules();
   if (mods && moduleDir) {
     const packageRoot = mods.join(moduleDir, "..", "..");
-    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${grammarName}.wasm`);
+    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(distWasmPath)) {
       return distWasmPath;
     }
-    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${grammarName}.wasm`);
+    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(packageWasmPath)) {
       return packageWasmPath;
     }
   }
-  return `wasm/tree-sitter-${grammarName}.wasm`;
+  return `wasm/tree-sitter-${language}.wasm`;
 }
 function isInitialized() {
   return parserInitialized;
@@ -4932,6 +4930,30 @@ function extractJSParameters(params) {
         annotations: [],
         line: child.startPosition.row + 1
       });
+    } else if (child.type === "required_parameter" || child.type === "optional_parameter") {
+      const patternNode = child.childForFieldName("pattern");
+      if (!patternNode) continue;
+      let paramName;
+      if (patternNode.type === "identifier") {
+        paramName = getNodeText(patternNode);
+      } else if (patternNode.type === "rest_pattern" || patternNode.type === "rest_element") {
+        const inner = patternNode.namedChildCount > 0 ? patternNode.namedChild(0) : null;
+        if (!inner) continue;
+        paramName = "..." + getNodeText(inner);
+      } else {
+        paramName = getNodeText(patternNode);
+      }
+      const typeNode = child.childForFieldName("type");
+      let paramType = null;
+      if (typeNode) {
+        paramType = getNodeText(typeNode).replace(/^:\s*/, "");
+      }
+      parameters.push({
+        name: paramName,
+        type: paramType,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
     }
   }
   return parameters;

package/dist/core/circle-ir-core.js

@@ -4045,8 +4045,7 @@ async function loadLanguage(language, wasmPath) {
   if (loading) {
     return loading;
   }
-  const grammarName = language === "typescript" ? "javascript" : language;
-  const wasmModule = configuredLanguageModules[language] ?? configuredLanguageModules[grammarName];
+  const wasmModule = configuredLanguageModules[language];
   if (wasmModule) {
     const loadPromise2 = (async () => {
       const lang = await Language.load(wasmModule);
@@ -4145,20 +4144,19 @@ async function getDefaultWasmPath() {
   return "node_modules/web-tree-sitter/web-tree-sitter.wasm";
 }
 async function getDefaultLanguagePath(language) {
-  const grammarName = language === "typescript" ? "javascript" : language;
   const mods = await getNodeModules();
   if (mods && moduleDir) {
     const packageRoot = mods.join(moduleDir, "..", "..");
-    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${grammarName}.wasm`);
+    const distWasmPath = mods.join(packageRoot, "dist", "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(distWasmPath)) {
       return distWasmPath;
     }
-    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${grammarName}.wasm`);
+    const packageWasmPath = mods.join(packageRoot, "wasm", `tree-sitter-${language}.wasm`);
     if (mods.existsSync(packageWasmPath)) {
       return packageWasmPath;
     }
   }
-  return `wasm/tree-sitter-${grammarName}.wasm`;
+  return `wasm/tree-sitter-${language}.wasm`;
 }
 function isInitialized() {
   return parserInitialized;
@@ -4867,6 +4865,30 @@ function extractJSParameters(params) {
         annotations: [],
         line: child.startPosition.row + 1
       });
+    } else if (child.type === "required_parameter" || child.type === "optional_parameter") {
+      const patternNode = child.childForFieldName("pattern");
+      if (!patternNode) continue;
+      let paramName;
+      if (patternNode.type === "identifier") {
+        paramName = getNodeText(patternNode);
+      } else if (patternNode.type === "rest_pattern" || patternNode.type === "rest_element") {
+        const inner = patternNode.namedChildCount > 0 ? patternNode.namedChild(0) : null;
+        if (!inner) continue;
+        paramName = "..." + getNodeText(inner);
+      } else {
+        paramName = getNodeText(patternNode);
+      }
+      const typeNode = child.childForFieldName("type");
+      let paramType = null;
+      if (typeNode) {
+        paramType = getNodeText(typeNode).replace(/^:\s*/, "");
+      }
+      parameters.push({
+        name: paramName,
+        type: paramType,
+        annotations: [],
+        line: child.startPosition.row + 1
+      });
     }
   }
   return parameters;

package/dist/core/extractors/types.js

@@ -751,6 +751,38 @@ function extractJSParameters(params) {
                 line: child.startPosition.row + 1,
             });
         }
+        else if (child.type === 'required_parameter' || child.type === 'optional_parameter') {
+            // TypeScript-grammar parameter: pattern (identifier or destructuring) + optional type_annotation
+            const patternNode = child.childForFieldName('pattern');
+            if (!patternNode)
+                continue;
+            let paramName;
+            if (patternNode.type === 'identifier') {
+                paramName = getNodeText(patternNode);
+            }
+            else if (patternNode.type === 'rest_pattern' || patternNode.type === 'rest_element') {
+                const inner = patternNode.namedChildCount > 0 ? patternNode.namedChild(0) : null;
+                if (!inner)
+                    continue;
+                paramName = '...' + getNodeText(inner);
+            }
+            else {
+                // object_pattern, array_pattern, or assignment_pattern with default
+                paramName = getNodeText(patternNode);
+            }
+            const typeNode = child.childForFieldName('type');
+            let paramType = null;
+            if (typeNode) {
+                // type_annotation includes the leading ':'; strip it for storage parity with other languages
+                paramType = getNodeText(typeNode).replace(/^:\s*/, '');
+            }
+            parameters.push({
+                name: paramName,
+                type: paramType,
+                annotations: [],
+                line: child.startPosition.row + 1,
+            });
+        }
     }
     return parameters;
 }