circle-ir 3.25.0 → 3.28.0

package/dist/browser/circle-ir.js

@@ -3997,6 +3997,7 @@ var parserInitialized = false;
 var parserInitializing = null;
 var loadedLanguages = /* @__PURE__ */ new Map();
 var loadingLanguages = /* @__PURE__ */ new Map();
+var cachedParsers = /* @__PURE__ */ new Map();
 var configuredLanguagePaths = {};
 var configuredLanguageModules = {};
 async function initParser(options = {}) {
@@ -4066,9 +4067,14 @@ async function loadLanguage(language, wasmPath) {
   return loadPromise;
 }
 async function createParser(language) {
+  const cached = cachedParsers.get(language);
+  if (cached) {
+    return cached;
+  }
   const lang = await loadLanguage(language);
   const parser = new Parser();
   parser.setLanguage(lang);
+  cachedParsers.set(language, parser);
   return parser;
 }
 async function parse(code, language) {
@@ -4079,6 +4085,13 @@ async function parse(code, language) {
   }
   return tree;
 }
+function disposeTree(tree) {
+  if (!tree) return;
+  try {
+    tree.delete();
+  } catch {
+  }
+}
 function walkTree(node, visitor) {
   visitor(node);
   for (let i2 = 0; i2 < node.childCount; i2++) {
@@ -13302,6 +13315,9 @@ var AnalysisPipeline = class {
       },
       addFinding(finding) {
         findings.push(finding);
+      },
+      getFindings() {
+        return findings;
       }
     };
     for (const pass of this.passes) {
@@ -25013,6 +25029,271 @@ function detectHandler(graph, calls) {
   return false;
 }
 
+// src/analysis/passes/scan-secrets-pass.ts
+var TEST_PATH_RE3 = /(?:^|[\\/])(?:test|tests|spec|specs|__tests?__|__mocks?__|fixtures?|testdata)(?:[\\/]|$)/i;
+var TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Test\.java|Tests\.java)$/i;
+function isTestFile(file) {
+  return TEST_PATH_RE3.test(file) || TEST_FILENAME_RE.test(file);
+}
+var PROVIDER_PATTERNS = [
+  {
+    name: "AWS access key",
+    regex: /\bAKIA[0-9A-Z]{16}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Rotate the AWS access key immediately and move it to an environment variable or AWS Secrets Manager."
+  },
+  {
+    name: "GitHub personal access token",
+    regex: /\bghp_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the token at https://github.com/settings/tokens and store secrets in CI/CD secrets, not source."
+  },
+  {
+    name: "GitHub OAuth token",
+    regex: /\bgho_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the OAuth token and store secrets outside source control."
+  },
+  {
+    name: "GitHub user-to-server token",
+    regex: /\bghu_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub user-to-server token and store secrets outside source control."
+  },
+  {
+    name: "GitHub server-to-server token",
+    regex: /\bghs_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub server-to-server token and store secrets outside source control."
+  },
+  {
+    name: "GitHub refresh token",
+    regex: /\bghr_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the GitHub refresh token and store secrets outside source control."
+  },
+  {
+    name: "Stripe live secret key",
+    regex: /\bsk_live_[A-Za-z0-9]{24,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Rotate the Stripe secret key in the Stripe Dashboard and load it from a secrets manager."
+  },
+  {
+    name: "Stripe live publishable key",
+    regex: /\bpk_live_[A-Za-z0-9]{24,}\b/,
+    severity: "high",
+    level: "warning",
+    fix: "Publishable keys are not secret but should still not be checked in to back-end source files; verify front-end vs back-end context."
+  },
+  {
+    name: "OpenAI API key",
+    regex: /\bsk-[A-Za-z0-9]{48}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the OpenAI key at https://platform.openai.com/api-keys and load from environment."
+  },
+  {
+    name: "Anthropic API key",
+    regex: /\bsk-ant-[A-Za-z0-9_-]{90,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the Anthropic key in the Console and load from environment."
+  },
+  {
+    name: "Slack token",
+    regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the Slack token and load from environment."
+  },
+  {
+    name: "Google API key",
+    regex: /\bAIza[0-9A-Za-z_-]{35}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Restrict the Google API key by referrer / IP in the GCP console or revoke it."
+  },
+  {
+    name: "JSON Web Token",
+    regex: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "JWTs in source carry whatever scope they were minted with; rotate signing keys and remove the token."
+  },
+  {
+    name: "PEM private key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/,
+    severity: "critical",
+    level: "error",
+    fix: "Remove the private key from source control immediately, rotate the corresponding public key, and store keys outside the repository."
+  },
+  {
+    name: "npm access token",
+    regex: /\bnpm_[A-Za-z0-9]{36}\b/,
+    severity: "critical",
+    level: "error",
+    fix: "Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment."
+  }
+];
+var STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
+var BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
+var HEXISH_RE = /^[a-fA-F0-9]+$/;
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var PLACEHOLDER_RE = /(?:changeme|your[-_]?(?:key|secret|token|password)(?:[-_]?here)?|replace[-_]?me|example[-_]?(?:key|secret|token)?|placeholder|todo|fixme|test[-_]?(?:key|secret|token)|fake[-_]?(?:key|secret|token)|dummy|sample|insert[-_]?your)/i;
+function isBareHashShape(s) {
+  const n = s.length;
+  if (n !== 32 && n !== 40 && n !== 64) return false;
+  return HEXISH_RE.test(s);
+}
+function isAllSameChar(s) {
+  if (s.length < 2) return false;
+  const c = s.charAt(0);
+  for (let i2 = 1; i2 < s.length; i2++) if (s.charAt(i2) !== c) return false;
+  return true;
+}
+function tryBase64Decode(s) {
+  if (s.length % 4 !== 0 && !/=+$/.test(s)) return null;
+  try {
+    return globalThis.atob(s);
+  } catch {
+    return null;
+  }
+}
+function looksLikeBase64Json(s) {
+  const decoded = tryBase64Decode(s);
+  if (!decoded) return false;
+  const trimmed = decoded.trimStart();
+  return trimmed.startsWith("{") || trimmed.startsWith("[");
+}
+function shannonEntropy(s) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  const len = s.length;
+  let h = 0;
+  for (const n of freq.values()) {
+    const p = n / len;
+    h -= p * Math.log2(p);
+  }
+  return h;
+}
+var CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
+var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
+var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
+var ScanSecretsPass = class {
+  name = "scan-secrets";
+  category = "security";
+  run(ctx) {
+    const file = ctx.graph.ir.meta.file;
+    if (isTestFile(file)) {
+      return { providerFindings: 0, entropyFindings: 0 };
+    }
+    const lines = ctx.code.split("\n");
+    const prior = ctx.getFindings?.() ?? [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const f of prior) {
+      if (f.file !== file) continue;
+      if (f.rule_id === "hardcoded-credential" || f.rule_id === "hardcoded-credential-entropy") {
+        seen.add(`${f.line}:${f.rule_id}`);
+      }
+    }
+    let providerFindings = 0;
+    let entropyFindings = 0;
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      for (const pattern of PROVIDER_PATTERNS) {
+        const m = pattern.regex.exec(lineText);
+        if (!m) continue;
+        const key = `${lineNum}:hardcoded-credential`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        ctx.addFinding({
+          id: `hardcoded-credential-${file}-${lineNum}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "hardcoded-credential",
+          cwe: "CWE-798",
+          severity: pattern.severity,
+          level: pattern.level,
+          message: `Hardcoded credential: ${pattern.name} detected`,
+          file,
+          line: lineNum,
+          snippet: lineText.trim().substring(0, 120),
+          fix: pattern.fix,
+          evidence: { provider: pattern.name, match: m[0].substring(0, 40) }
+        });
+        providerFindings += 1;
+        break;
+      }
+    }
+    for (let i2 = 0; i2 < lines.length; i2++) {
+      const lineText = lines[i2];
+      const lineNum = i2 + 1;
+      if (TEST_CALL_RE.test(lineText)) continue;
+      if (COMMENT_EXAMPLE_RE.test(lineText)) continue;
+      STRING_LITERAL_RE.lastIndex = 0;
+      let match;
+      while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
+        const value = match[2];
+        if (!this.isCandidate(value)) continue;
+        if (!this.passesEntropyGate(value, lineText)) continue;
+        const key = `${lineNum}:hardcoded-credential-entropy`;
+        if (seen.has(key)) continue;
+        if (seen.has(`${lineNum}:hardcoded-credential`)) continue;
+        seen.add(key);
+        ctx.addFinding({
+          id: `hardcoded-credential-entropy-${file}-${lineNum}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: "hardcoded-credential-entropy",
+          cwe: "CWE-798",
+          severity: "high",
+          level: "warning",
+          message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
+          file,
+          line: lineNum,
+          snippet: lineText.trim().substring(0, 120),
+          fix: "If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: ['scan-secrets']`.",
+          evidence: { kind: "entropy", length: value.length }
+        });
+        entropyFindings += 1;
+      }
+    }
+    return { providerFindings, entropyFindings };
+  }
+  /** Length + shape + denylist filter before entropy is computed. */
+  isCandidate(s) {
+    if (s.length < 20 || s.length > 200) return false;
+    if (!BASE64ISH_RE.test(s) && !HEXISH_RE.test(s)) return false;
+    if (UUID_RE.test(s)) return false;
+    if (isBareHashShape(s)) return false;
+    if (isAllSameChar(s)) return false;
+    if (PLACEHOLDER_RE.test(s)) return false;
+    if (looksLikeBase64Json(s)) return false;
+    return true;
+  }
+  /**
+   * Shannon-entropy gate. Base64-shaped strings need higher entropy than
+   * hex-shaped (hex alphabet is 4 bits/char by construction). When the
+   * surrounding line contains a credential-shaped variable name, both
+   * thresholds drop by 0.2 bits/char.
+   */
+  passesEntropyGate(value, lineText) {
+    const isHex = HEXISH_RE.test(value);
+    const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
+    const threshold = isHex ? 3.5 - boost : 4.3 - boost;
+    const h = shannonEntropy(value);
+    return h >= threshold;
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -25826,160 +26107,169 @@ async function analyze(code, filePath, language, options = {}) {
   }
   logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
   const tree = await parse(code, language);
-  logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
-  const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
-  const meta = extractMeta(code, tree, filePath, language);
-  const types = extractTypes(tree, nodeCache, language);
-  const calls = extractCalls(tree, nodeCache, language);
-  const imports = extractImports(tree, language);
-  const exports = extractExports(types);
-  const cfg = buildCFG(tree, language);
-  const dfg = buildDFG(tree, nodeCache, language);
-  const graph = new CodeGraph({
-    meta,
-    types,
-    calls,
-    cfg,
-    dfg,
-    taint: { sources: [], sinks: [], sanitizers: [] },
-    imports,
-    exports,
-    unresolved: [],
-    enriched: {}
-  });
-  const config = options.taintConfig ?? getDefaultConfig();
-  const disabledPasses = new Set(options.disabledPasses ?? []);
-  const passOpts = options.passOptions ?? {};
-  const pipeline = new AnalysisPipeline();
-  pipeline.add(new TaintMatcherPass());
-  pipeline.add(new ConstantPropagationPass(tree));
-  pipeline.add(new LanguageSourcesPass());
-  pipeline.add(new SinkFilterPass());
-  pipeline.add(new TaintPropagationPass());
-  pipeline.add(new InterproceduralPass());
-  if (!disabledPasses.has("dead-code")) pipeline.add(new DeadCodePass());
-  if (!disabledPasses.has("missing-await")) pipeline.add(new MissingAwaitPass());
-  if (!disabledPasses.has("n-plus-one")) pipeline.add(new NPlusOnePass());
-  if (!disabledPasses.has("missing-public-doc")) pipeline.add(new MissingPublicDocPass());
-  if (!disabledPasses.has("todo-in-prod")) pipeline.add(new TodoInProdPass());
-  if (!disabledPasses.has("string-concat-loop")) pipeline.add(new StringConcatLoopPass());
-  if (!disabledPasses.has("sync-io-async")) pipeline.add(new SyncIoAsyncPass());
-  if (!disabledPasses.has("unchecked-return")) pipeline.add(new UncheckedReturnPass());
-  if (!disabledPasses.has("null-deref")) pipeline.add(new NullDerefPass());
-  if (!disabledPasses.has("resource-leak")) pipeline.add(new ResourceLeakPass());
-  if (!disabledPasses.has("variable-shadowing")) pipeline.add(new VariableShadowingPass());
-  if (!disabledPasses.has("leaked-global")) pipeline.add(new LeakedGlobalPass());
-  if (!disabledPasses.has("unused-variable")) pipeline.add(new UnusedVariablePass());
-  if (!disabledPasses.has("dependency-fan-out")) pipeline.add(new DependencyFanOutPass(passOpts.dependencyFanOut));
-  if (!disabledPasses.has("stale-doc-ref")) pipeline.add(new StaleDocRefPass());
-  if (!disabledPasses.has("infinite-loop")) pipeline.add(new InfiniteLoopPass());
-  if (!disabledPasses.has("deep-inheritance")) pipeline.add(new DeepInheritancePass());
-  if (!disabledPasses.has("redundant-loop-computation")) pipeline.add(new RedundantLoopPass());
-  if (!disabledPasses.has("unbounded-collection")) pipeline.add(new UnboundedCollectionPass(passOpts.unboundedCollection));
-  if (!disabledPasses.has("serial-await")) pipeline.add(new SerialAwaitPass());
-  if (!disabledPasses.has("react-inline-jsx")) pipeline.add(new ReactInlineJsxPass());
-  if (!disabledPasses.has("swallowed-exception")) pipeline.add(new SwallowedExceptionPass());
-  if (!disabledPasses.has("broad-catch")) pipeline.add(new BroadCatchPass());
-  if (!disabledPasses.has("unhandled-exception")) pipeline.add(new UnhandledExceptionPass());
-  if (!disabledPasses.has("double-close")) pipeline.add(new DoubleClosePass());
-  if (!disabledPasses.has("use-after-close")) pipeline.add(new UseAfterClosePass());
-  if (!disabledPasses.has("cleanup-verify")) pipeline.add(new CleanupVerifyPass());
-  if (!disabledPasses.has("missing-override")) pipeline.add(new MissingOverridePass());
-  if (!disabledPasses.has("unused-interface-method")) pipeline.add(new UnusedInterfaceMethodPass());
-  if (!disabledPasses.has("blocking-main-thread")) pipeline.add(new BlockingMainThreadPass());
-  if (!disabledPasses.has("excessive-allocation")) pipeline.add(new ExcessiveAllocationPass());
-  if (!disabledPasses.has("missing-stream")) pipeline.add(new MissingStreamPass());
-  if (!disabledPasses.has("god-class")) pipeline.add(new GodClassPass());
-  if (!disabledPasses.has("naming-convention")) pipeline.add(new NamingConventionPass(passOpts.namingConvention));
-  if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
-  const { results, findings } = pipeline.run(graph, code, language, config);
-  const sinkFilter = results.get("sink-filter");
-  const interProc = results.get("interprocedural");
-  const taint = {
-    sources: sinkFilter.sources,
-    sinks: [...sinkFilter.sinks, ...interProc.additionalSinks],
-    sanitizers: sinkFilter.sanitizers,
-    flows: interProc.additionalFlows,
-    interprocedural: interProc.interprocedural
-  };
-  const unresolved = detectUnresolved(calls, types, dfg);
-  const enriched = buildEnriched(types, calls, taint.sources, taint.sinks);
-  const metricValues = new MetricRunner().run(
-    { meta, types, calls, cfg, dfg, taint, imports, exports, unresolved, enriched },
-    code,
-    language
-  );
-  logger.debug("Analysis complete", {
-    filePath,
-    finalSources: taint.sources.length,
-    finalSinks: taint.sinks.length,
-    flows: taint.flows?.length ?? 0,
-    unresolvedItems: unresolved.length
-  });
-  return {
-    meta,
-    types,
-    calls,
-    cfg,
-    dfg,
-    taint,
-    imports,
-    exports,
-    unresolved,
-    enriched,
-    findings: findings.length > 0 ? findings : void 0,
-    metrics: { file: filePath, metrics: metricValues }
-  };
+  try {
+    logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
+    const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
+    const meta = extractMeta(code, tree, filePath, language);
+    const types = extractTypes(tree, nodeCache, language);
+    const calls = extractCalls(tree, nodeCache, language);
+    const imports = extractImports(tree, language);
+    const exports = extractExports(types);
+    const cfg = buildCFG(tree, language);
+    const dfg = buildDFG(tree, nodeCache, language);
+    const graph = new CodeGraph({
+      meta,
+      types,
+      calls,
+      cfg,
+      dfg,
+      taint: { sources: [], sinks: [], sanitizers: [] },
+      imports,
+      exports,
+      unresolved: [],
+      enriched: {}
+    });
+    const config = options.taintConfig ?? getDefaultConfig();
+    const disabledPasses = new Set(options.disabledPasses ?? []);
+    const passOpts = options.passOptions ?? {};
+    const pipeline = new AnalysisPipeline();
+    pipeline.add(new TaintMatcherPass());
+    pipeline.add(new ConstantPropagationPass(tree));
+    pipeline.add(new LanguageSourcesPass());
+    pipeline.add(new SinkFilterPass());
+    pipeline.add(new TaintPropagationPass());
+    pipeline.add(new InterproceduralPass());
+    if (!disabledPasses.has("scan-secrets")) pipeline.add(new ScanSecretsPass());
+    if (!disabledPasses.has("dead-code")) pipeline.add(new DeadCodePass());
+    if (!disabledPasses.has("missing-await")) pipeline.add(new MissingAwaitPass());
+    if (!disabledPasses.has("n-plus-one")) pipeline.add(new NPlusOnePass());
+    if (!disabledPasses.has("missing-public-doc")) pipeline.add(new MissingPublicDocPass());
+    if (!disabledPasses.has("todo-in-prod")) pipeline.add(new TodoInProdPass());
+    if (!disabledPasses.has("string-concat-loop")) pipeline.add(new StringConcatLoopPass());
+    if (!disabledPasses.has("sync-io-async")) pipeline.add(new SyncIoAsyncPass());
+    if (!disabledPasses.has("unchecked-return")) pipeline.add(new UncheckedReturnPass());
+    if (!disabledPasses.has("null-deref")) pipeline.add(new NullDerefPass());
+    if (!disabledPasses.has("resource-leak")) pipeline.add(new ResourceLeakPass());
+    if (!disabledPasses.has("variable-shadowing")) pipeline.add(new VariableShadowingPass());
+    if (!disabledPasses.has("leaked-global")) pipeline.add(new LeakedGlobalPass());
+    if (!disabledPasses.has("unused-variable")) pipeline.add(new UnusedVariablePass());
+    if (!disabledPasses.has("dependency-fan-out")) pipeline.add(new DependencyFanOutPass(passOpts.dependencyFanOut));
+    if (!disabledPasses.has("stale-doc-ref")) pipeline.add(new StaleDocRefPass());
+    if (!disabledPasses.has("infinite-loop")) pipeline.add(new InfiniteLoopPass());
+    if (!disabledPasses.has("deep-inheritance")) pipeline.add(new DeepInheritancePass());
+    if (!disabledPasses.has("redundant-loop-computation")) pipeline.add(new RedundantLoopPass());
+    if (!disabledPasses.has("unbounded-collection")) pipeline.add(new UnboundedCollectionPass(passOpts.unboundedCollection));
+    if (!disabledPasses.has("serial-await")) pipeline.add(new SerialAwaitPass());
+    if (!disabledPasses.has("react-inline-jsx")) pipeline.add(new ReactInlineJsxPass());
+    if (!disabledPasses.has("swallowed-exception")) pipeline.add(new SwallowedExceptionPass());
+    if (!disabledPasses.has("broad-catch")) pipeline.add(new BroadCatchPass());
+    if (!disabledPasses.has("unhandled-exception")) pipeline.add(new UnhandledExceptionPass());
+    if (!disabledPasses.has("double-close")) pipeline.add(new DoubleClosePass());
+    if (!disabledPasses.has("use-after-close")) pipeline.add(new UseAfterClosePass());
+    if (!disabledPasses.has("cleanup-verify")) pipeline.add(new CleanupVerifyPass());
+    if (!disabledPasses.has("missing-override")) pipeline.add(new MissingOverridePass());
+    if (!disabledPasses.has("unused-interface-method")) pipeline.add(new UnusedInterfaceMethodPass());
+    if (!disabledPasses.has("blocking-main-thread")) pipeline.add(new BlockingMainThreadPass());
+    if (!disabledPasses.has("excessive-allocation")) pipeline.add(new ExcessiveAllocationPass());
+    if (!disabledPasses.has("missing-stream")) pipeline.add(new MissingStreamPass());
+    if (!disabledPasses.has("god-class")) pipeline.add(new GodClassPass());
+    if (!disabledPasses.has("naming-convention")) pipeline.add(new NamingConventionPass(passOpts.namingConvention));
+    if (!disabledPasses.has("security-headers")) pipeline.add(new SecurityHeadersPass(passOpts.securityHeaders));
+    const { results, findings } = pipeline.run(graph, code, language, config);
+    const sinkFilter = results.get("sink-filter");
+    const interProc = results.get("interprocedural");
+    const taint = {
+      sources: sinkFilter.sources,
+      sinks: [...sinkFilter.sinks, ...interProc.additionalSinks],
+      sanitizers: sinkFilter.sanitizers,
+      flows: interProc.additionalFlows,
+      interprocedural: interProc.interprocedural
+    };
+    const unresolved = detectUnresolved(calls, types, dfg);
+    const enriched = buildEnriched(types, calls, taint.sources, taint.sinks);
+    const metricValues = new MetricRunner().run(
+      { meta, types, calls, cfg, dfg, taint, imports, exports, unresolved, enriched },
+      code,
+      language
+    );
+    logger.debug("Analysis complete", {
+      filePath,
+      finalSources: taint.sources.length,
+      finalSinks: taint.sinks.length,
+      flows: taint.flows?.length ?? 0,
+      unresolvedItems: unresolved.length
+    });
+    return {
+      meta,
+      types,
+      calls,
+      cfg,
+      dfg,
+      taint,
+      imports,
+      exports,
+      unresolved,
+      enriched,
+      findings: findings.length > 0 ? findings : void 0,
+      metrics: { file: filePath, metrics: metricValues }
+    };
+  } finally {
+    disposeTree(tree);
+  }
 }
 async function analyzeHtmlFile(code, filePath, options) {
   logger.debug("Analyzing HTML file", { filePath, codeLength: code.length });
   const tree = await parse(code, "html");
-  const meta = extractMeta(code, tree, filePath, "html");
-  const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
-  logger.debug("HTML extraction", {
-    filePath,
-    inlineScripts: scriptBlocks.filter((b) => b.kind === "inline").length,
-    externalScripts: scriptBlocks.filter((b) => b.kind === "external-src").length,
-    eventHandlers: eventHandlers.length
-  });
-  const scriptResults = [];
-  for (const block of scriptBlocks) {
-    if (block.kind !== "inline" || !block.code.trim()) continue;
-    const scriptLang = block.scriptType === "ts" || block.scriptType === "typescript" || block.scriptType === "text/typescript" ? "typescript" : "javascript";
-    try {
-      const ir = await analyze(block.code, filePath, scriptLang, options);
-      scriptResults.push({ ir, lineOffset: block.lineOffset });
-    } catch (e) {
-      logger.warn("Failed to analyze script block", {
-        filePath,
-        lineOffset: block.lineOffset,
-        error: e instanceof Error ? e.message : String(e)
-      });
+  try {
+    const meta = extractMeta(code, tree, filePath, "html");
+    const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
+    logger.debug("HTML extraction", {
+      filePath,
+      inlineScripts: scriptBlocks.filter((b) => b.kind === "inline").length,
+      externalScripts: scriptBlocks.filter((b) => b.kind === "external-src").length,
+      eventHandlers: eventHandlers.length
+    });
+    const scriptResults = [];
+    for (const block of scriptBlocks) {
+      if (block.kind !== "inline" || !block.code.trim()) continue;
+      const scriptLang = block.scriptType === "ts" || block.scriptType === "typescript" || block.scriptType === "text/typescript" ? "typescript" : "javascript";
+      try {
+        const ir = await analyze(block.code, filePath, scriptLang, options);
+        scriptResults.push({ ir, lineOffset: block.lineOffset });
+      } catch (e) {
+        logger.warn("Failed to analyze script block", {
+          filePath,
+          lineOffset: block.lineOffset,
+          error: e instanceof Error ? e.message : String(e)
+        });
+      }
     }
-  }
-  for (const handler of eventHandlers) {
-    const wrappedCode = `function __${handler.eventName}_handler() { ${handler.code} }`;
-    try {
-      const ir = await analyze(wrappedCode, filePath, "javascript", options);
-      scriptResults.push({ ir, lineOffset: handler.line });
-    } catch (e) {
-      logger.warn("Failed to analyze event handler", {
-        filePath,
-        eventName: handler.eventName,
-        line: handler.line,
-        error: e instanceof Error ? e.message : String(e)
-      });
+    for (const handler of eventHandlers) {
+      const wrappedCode = `function __${handler.eventName}_handler() { ${handler.code} }`;
+      try {
+        const ir = await analyze(wrappedCode, filePath, "javascript", options);
+        scriptResults.push({ ir, lineOffset: handler.line });
+      } catch (e) {
+        logger.warn("Failed to analyze event handler", {
+          filePath,
+          eventName: handler.eventName,
+          line: handler.line,
+          error: e instanceof Error ? e.message : String(e)
+        });
+      }
     }
+    const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
+    const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
+    logger.debug("HTML analysis complete", {
+      filePath,
+      scriptBlocks: scriptResults.length,
+      attributeFindings: attributeFindings.length,
+      totalFindings: result.findings?.length ?? 0
+    });
+    return result;
+  } finally {
+    disposeTree(tree);
   }
-  const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
-  const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
-  logger.debug("HTML analysis complete", {
-    filePath,
-    scriptBlocks: scriptResults.length,
-    attributeFindings: attributeFindings.length,
-    totalFindings: result.findings?.length ?? 0
-  });
-  return result;
 }
 async function analyzeForAPI(code, filePath, language, options = {}) {
   const startTime = performance.now();
@@ -25989,75 +26279,79 @@ async function analyzeForAPI(code, filePath, language, options = {}) {
   const parseStart = performance.now();
   const tree = await parse(code, language);
   const parseTime = performance.now() - parseStart;
-  const analysisStart = performance.now();
-  const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
-  const types = extractTypes(tree, nodeCache, language);
-  const calls = extractCalls(tree, nodeCache, language);
-  const constPropResult = analyzeConstantPropagation(tree, code);
-  const config = options.taintConfig ?? getDefaultConfig();
-  const taint = analyzeTaint(calls, types, config);
-  let filteredSinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
-  filteredSinks = filterCleanVariableSinks(
-    filteredSinks,
-    calls,
-    constPropResult.tainted,
-    constPropResult.symbols,
-    void 0,
-    constPropResult.sanitizedVars,
-    constPropResult.synchronizedLines
-  );
-  filteredSinks = filterSanitizedSinks(filteredSinks, taint.sanitizers ?? [], calls);
-  let pythonTaintedVars = /* @__PURE__ */ new Map();
-  if (language === "python") {
-    pythonTaintedVars = buildPythonTaintedVars(code);
-    const pythonSanitizedVars = buildPythonSanitizedVars(code, pythonTaintedVars);
-    const sourceLines = code.split("\n");
-    filteredSinks = filteredSinks.filter((sink) => {
-      if (sink.type !== "xpath_injection") return true;
-      const sinkLineText = sourceLines[sink.line - 1] ?? "";
-      const taintedVarOnLine = [...pythonTaintedVars.keys()].find(
-        (v) => new RegExp(`\\b${v}\\b`).test(sinkLineText)
-      );
-      if (!taintedVarOnLine) return false;
-      if (pythonSanitizedVars.has(taintedVarOnLine)) return false;
-      if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText)) return false;
-      return true;
-    });
-  }
-  const vulnerabilities = findVulnerabilities(taint.sources, filteredSinks, calls, constPropResult);
-  if (language === "python") {
-    const trustViolations = findPythonTrustBoundaryViolations(code, pythonTaintedVars);
-    for (const v of trustViolations) {
-      const alreadyReported = vulnerabilities.some(
-        (existing) => existing.sink.line === v.sinkLine && existing.type === "trust_boundary"
-      );
-      if (!alreadyReported) {
-        vulnerabilities.push({
-          type: "trust_boundary",
-          cwe: "CWE-501",
-          severity: "medium",
-          source: { line: v.sourceLine, type: "http_param" },
-          sink: { line: v.sinkLine, type: "trust_boundary" },
-          confidence: 0.85
-        });
+  try {
+    const analysisStart = performance.now();
+    const nodeCache = collectAllNodes(tree.rootNode, getNodeTypesForLanguage(language));
+    const types = extractTypes(tree, nodeCache, language);
+    const calls = extractCalls(tree, nodeCache, language);
+    const constPropResult = analyzeConstantPropagation(tree, code);
+    const config = options.taintConfig ?? getDefaultConfig();
+    const taint = analyzeTaint(calls, types, config);
+    let filteredSinks = taint.sinks.filter((sink) => !constPropResult.unreachableLines.has(sink.line));
+    filteredSinks = filterCleanVariableSinks(
+      filteredSinks,
+      calls,
+      constPropResult.tainted,
+      constPropResult.symbols,
+      void 0,
+      constPropResult.sanitizedVars,
+      constPropResult.synchronizedLines
+    );
+    filteredSinks = filterSanitizedSinks(filteredSinks, taint.sanitizers ?? [], calls);
+    let pythonTaintedVars = /* @__PURE__ */ new Map();
+    if (language === "python") {
+      pythonTaintedVars = buildPythonTaintedVars(code);
+      const pythonSanitizedVars = buildPythonSanitizedVars(code, pythonTaintedVars);
+      const sourceLines = code.split("\n");
+      filteredSinks = filteredSinks.filter((sink) => {
+        if (sink.type !== "xpath_injection") return true;
+        const sinkLineText = sourceLines[sink.line - 1] ?? "";
+        const taintedVarOnLine = [...pythonTaintedVars.keys()].find(
+          (v) => new RegExp(`\\b${v}\\b`).test(sinkLineText)
+        );
+        if (!taintedVarOnLine) return false;
+        if (pythonSanitizedVars.has(taintedVarOnLine)) return false;
+        if (new RegExp(`\\.xpath\\s*\\([^)]*\\b\\w+\\s*=\\s*\\b${taintedVarOnLine}\\b`).test(sinkLineText)) return false;
+        return true;
+      });
+    }
+    const vulnerabilities = findVulnerabilities(taint.sources, filteredSinks, calls, constPropResult);
+    if (language === "python") {
+      const trustViolations = findPythonTrustBoundaryViolations(code, pythonTaintedVars);
+      for (const v of trustViolations) {
+        const alreadyReported = vulnerabilities.some(
+          (existing) => existing.sink.line === v.sinkLine && existing.type === "trust_boundary"
+        );
+        if (!alreadyReported) {
+          vulnerabilities.push({
+            type: "trust_boundary",
+            cwe: "CWE-501",
+            severity: "medium",
+            source: { line: v.sourceLine, type: "http_param" },
+            sink: { line: v.sinkLine, type: "trust_boundary" },
+            confidence: 0.85
+          });
+        }
       }
     }
+    const analysisTime = performance.now() - analysisStart;
+    const totalTime = performance.now() - startTime;
+    return {
+      success: true,
+      analysis: {
+        sources: taint.sources,
+        sinks: filteredSinks,
+        vulnerabilities
+      },
+      meta: {
+        parseTimeMs: Math.round(parseTime),
+        analysisTimeMs: Math.round(analysisTime),
+        totalTimeMs: Math.round(totalTime)
+      }
+    };
+  } finally {
+    disposeTree(tree);
   }
-  const analysisTime = performance.now() - analysisStart;
-  const totalTime = performance.now() - startTime;
-  return {
-    success: true,
-    analysis: {
-      sources: taint.sources,
-      sinks: filteredSinks,
-      vulnerabilities
-    },
-    meta: {
-      parseTimeMs: Math.round(parseTime),
-      analysisTimeMs: Math.round(analysisTime),
-      totalTimeMs: Math.round(totalTime)
-    }
-  };
 }
 function findVulnerabilities(sources, sinks, calls, constPropResult) {
   const vulnerabilities = [];