circle-ir 3.69.0 → 3.71.0

package/dist/analysis/passes/cache-no-vary-pass.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Pass: cache-no-vary (CWE-524, category: security)
+ *
+ * Pattern pass — flags HTTP handlers that set a *shared-cacheable*
+ * `Cache-Control` directive (`public` or implicit-public + positive `max-age`)
+ * **AND** read authenticated or user-scoped state (cookies / Authorization
+ * header / session), **AND** do not set `Vary: Cookie` / `Vary: Authorization`.
+ *
+ * In that configuration a shared cache (CDN, reverse proxy, ISP cache) keys
+ * the response by URL only and is free to serve user A's body to user B —
+ * the canonical CWE-524 leak.
+ *
+ * Languages: JavaScript / TypeScript (Express-style `res.setHeader` etc.),
+ * Python (Flask / Django / FastAPI), Go (`net/http`, gin), Java (Servlet /
+ * Spring).
+ *
+ * Trigger mode: strict + auth-qualifier. Skips:
+ *   - `Cache-Control: private` / `no-store` / `no-cache`
+ *   - `max-age=0` (effectively non-cacheable)
+ *   - Handlers with no auth/session/cookie read
+ *   - Handlers that set `Vary: Cookie|Authorization|*`
+ *   - Test files (`*.test.*`, `*.spec.*`, `__tests__/`, `tests/`)
+ *
+ * Closes: cognium-dev #96 L91.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface CacheNoVaryResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        handler: string | null;
+        cacheValue: string;
+    }>;
+}
+export declare class CacheNoVaryPass implements AnalysisPass<CacheNoVaryResult> {
+    readonly name = "cache-no-vary";
+    readonly category: "security";
+    run(ctx: PassContext): CacheNoVaryResult;
+}
+//# sourceMappingURL=cache-no-vary-pass.d.ts.map

package/dist/analysis/passes/cache-no-vary-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-no-vary-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/cache-no-vary-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmD9E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ;AA2ND,qBAAa,eAAgB,YAAW,YAAY,CAAC,iBAAiB,CAAC;IACrE,QAAQ,CAAC,IAAI,mBAAmB;IAChC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,iBAAiB;CAkHzC"}

package/dist/analysis/passes/cache-no-vary-pass.js

@@ -0,0 +1,347 @@
+/**
+ * Pass: cache-no-vary (CWE-524, category: security)
+ *
+ * Pattern pass — flags HTTP handlers that set a *shared-cacheable*
+ * `Cache-Control` directive (`public` or implicit-public + positive `max-age`)
+ * **AND** read authenticated or user-scoped state (cookies / Authorization
+ * header / session), **AND** do not set `Vary: Cookie` / `Vary: Authorization`.
+ *
+ * In that configuration a shared cache (CDN, reverse proxy, ISP cache) keys
+ * the response by URL only and is free to serve user A's body to user B —
+ * the canonical CWE-524 leak.
+ *
+ * Languages: JavaScript / TypeScript (Express-style `res.setHeader` etc.),
+ * Python (Flask / Django / FastAPI), Go (`net/http`, gin), Java (Servlet /
+ * Spring).
+ *
+ * Trigger mode: strict + auth-qualifier. Skips:
+ *   - `Cache-Control: private` / `no-store` / `no-cache`
+ *   - `max-age=0` (effectively non-cacheable)
+ *   - Handlers with no auth/session/cookie read
+ *   - Handlers that set `Vary: Cookie|Authorization|*`
+ *   - Test files (`*.test.*`, `*.spec.*`, `__tests__/`, `tests/`)
+ *
+ * Closes: cognium-dev #96 L91.
+ */
+// Header value parsing -------------------------------------------------------
+function isSharedCacheable(value) {
+    const v = value.toLowerCase();
+    if (/\b(private|no-store|no-cache)\b/.test(v))
+        return false;
+    const pub = /\bpublic\b/.test(v);
+    const maxMatch = /\b(?:s-maxage|max-age)\s*=\s*(\d+)/.exec(v);
+    const positiveMax = maxMatch ? Number(maxMatch[1]) > 0 : false;
+    return pub || positiveMax;
+}
+function isVaryCovering(value) {
+    const v = value.toLowerCase();
+    return /\b(cookie|authorization|\*)\b/.test(v);
+}
+// Source-text auth-signal regexes (per-language) -----------------------------
+const JS_AUTH_SIGNAL_RE = /\b(?:req|request)\s*\.\s*(?:cookies|session|user(?:Id|Name)?)\b|\b(?:req|request)\s*\.\s*headers\s*\.\s*(?:cookie|authorization)\b|\bres(?:ponse)?\s*\.\s*cookie\s*\(/i;
+const PY_AUTH_SIGNAL_RE = /\brequest\s*\.\s*cookies\b|\brequest\s*\.\s*headers\s*\.\s*get\s*\(\s*['"]Authorization['"]|\brequest\s*\.\s*authorization\b|\bsession\s*\[|\b(?:g\.user|current_user)\b|\bset_cookie\s*\(/i;
+const GO_AUTH_SIGNAL_RE = /\br\s*\.\s*Cookie\s*\(|\br\s*\.\s*Header\s*(?:\(\)|\.)\s*\.?\s*Get\s*\(\s*"(?:Cookie|Authorization)"|\br\s*\.\s*BasicAuth\s*\(|\bhttp\s*\.\s*SetCookie\s*\(|\bc\s*\.\s*(?:GetHeader|Cookie|SetCookie)\s*\(/;
+const JAVA_AUTH_SIGNAL_RE = /@CookieValue\b|@RequestHeader\s*\(\s*"(?:Cookie|Authorization)"|\brequest\s*\.\s*getCookies\s*\(|\brequest\s*\.\s*getHeader\s*\(\s*"(?:Cookie|Authorization)"|\bresponse\s*\.\s*addCookie\s*\(|\bSecurityContextHolder\b|\bPrincipal\s+\w+|\bAuthentication\s+\w+/;
+// Source-text cache/vary patterns (for shapes that are not extracted as IR
+// calls — Python subscript assignments + decorators).
+const PY_CACHE_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Cache-Control['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+const PY_VARY_HEADER_ASSIGN_RE = /\w+(?:\s*\.\s*\w+)*\s*\.\s*headers\s*\[\s*['"]Vary['"]\s*\]\s*=\s*(['"])([^'"]*)\1/i;
+const PY_VARY_DECORATOR_RE = /^\s*@\s*(?:vary_on_cookie|vary_on_headers)\b/;
+const PY_CACHE_CONTROL_DECORATOR_RE = /^\s*@\s*cache_control\s*\(([^)]*)\)/;
+// Per-language header-setting method tables ----------------------------------
+const JS_HEADER_METHODS = new Set(['setHeader', 'set', 'header']);
+const GO_HEADER_METHODS = new Set(['Set', 'Add']);
+const JAVA_HEADER_METHODS = new Set(['setHeader', 'addHeader']);
+// JS receivers we treat as response objects.
+const JS_RES_RECEIVERS = new Set(['res', 'response', 'ctx']);
+function classifyCall(call, language) {
+    const method = call.method_name;
+    const receiver = (call.receiver ?? '').trim();
+    const arg0 = call.arguments[0]?.literal ?? null;
+    const arg1 = call.arguments[1]?.literal ?? null;
+    if (language === 'javascript' || language === 'typescript') {
+        if (JS_RES_RECEIVERS.has(receiver) && JS_HEADER_METHODS.has(method)) {
+            const header = (arg0 ?? '').toLowerCase();
+            if (header === 'cache-control' && arg1 && isSharedCacheable(arg1)) {
+                return { kind: 'cache-public', value: arg1 };
+            }
+            if (header === 'vary' && arg1 && isVaryCovering(arg1)) {
+                return { kind: 'vary' };
+            }
+        }
+        if (JS_RES_RECEIVERS.has(receiver) && method === 'vary') {
+            const v = arg0 ?? '';
+            if (isVaryCovering(v) || v === '')
+                return { kind: 'vary' };
+        }
+        if (JS_RES_RECEIVERS.has(receiver) && method === 'cookie') {
+            // Set-Cookie — auth-bearing response.
+            return { kind: 'auth' };
+        }
+        return null;
+    }
+    if (language === 'python') {
+        // Auth signals via call.
+        if (receiver === 'request.cookies' || receiver === 'request.session') {
+            return { kind: 'auth' };
+        }
+        if (receiver === 'request.headers' && method === 'get') {
+            const v = (arg0 ?? '').toLowerCase();
+            if (v === 'authorization' || v === 'cookie')
+                return { kind: 'auth' };
+        }
+        if ((receiver === 'response' || receiver === 'resp') &&
+            method === 'set_cookie') {
+            return { kind: 'auth' };
+        }
+        // Vary / cache via call.
+        if (method === 'patch_vary_headers')
+            return { kind: 'vary' };
+        if (method === 'patch_cache_control') {
+            const argTxt = call.arguments.map((a) => a.expression ?? '').join(',');
+            if (/\bpublic\s*=\s*True\b/.test(argTxt)) {
+                return { kind: 'cache-public', value: argTxt };
+            }
+        }
+        return null;
+    }
+    if (language === 'go') {
+        // Cache / Vary header via w.Header().Set/Add or c.Header (gin).
+        if ((receiver === 'w.Header()' || receiver === 'rw.Header()') &&
+            GO_HEADER_METHODS.has(method)) {
+            const header = (arg0 ?? '').toLowerCase();
+            if (header === 'cache-control' && arg1 && isSharedCacheable(arg1)) {
+                return { kind: 'cache-public', value: arg1 };
+            }
+            if (header === 'vary' && arg1 && isVaryCovering(arg1)) {
+                return { kind: 'vary' };
+            }
+        }
+        if (receiver === 'c' && method === 'Header') {
+            const header = (arg0 ?? '').toLowerCase();
+            if (header === 'cache-control' && arg1 && isSharedCacheable(arg1)) {
+                return { kind: 'cache-public', value: arg1 };
+            }
+            if (header === 'vary' && arg1 && isVaryCovering(arg1)) {
+                return { kind: 'vary' };
+            }
+        }
+        // Auth signals.
+        if (receiver === 'r' && (method === 'Cookie' || method === 'BasicAuth')) {
+            return { kind: 'auth' };
+        }
+        if ((receiver === 'r.Header' || receiver === 'r.Header()') &&
+            method === 'Get') {
+            const v = (arg0 ?? '').toLowerCase();
+            if (v === 'cookie' || v === 'authorization')
+                return { kind: 'auth' };
+        }
+        if (receiver === 'http' && method === 'SetCookie')
+            return { kind: 'auth' };
+        if (receiver === 'c' &&
+            (method === 'Cookie' || method === 'GetHeader' || method === 'SetCookie')) {
+            return { kind: 'auth' };
+        }
+        return null;
+    }
+    if (language === 'java') {
+        if ((receiver === 'response' || receiver === 'resp') &&
+            JAVA_HEADER_METHODS.has(method)) {
+            const header = (arg0 ?? '').toLowerCase();
+            if (header === 'cache-control' && arg1 && isSharedCacheable(arg1)) {
+                return { kind: 'cache-public', value: arg1 };
+            }
+            if (header === 'vary' && arg1 && isVaryCovering(arg1)) {
+                return { kind: 'vary' };
+            }
+        }
+        if ((receiver === 'headers' || receiver === 'httpHeaders') &&
+            method === 'setCacheControl') {
+            return { kind: 'cache-public', value: 'HttpHeaders.setCacheControl(...)' };
+        }
+        if ((receiver === 'headers' || receiver === 'httpHeaders') &&
+            method === 'setVary') {
+            return { kind: 'vary' };
+        }
+        // Auth signals.
+        if (receiver === 'request' && method === 'getCookies') {
+            return { kind: 'auth' };
+        }
+        if (receiver === 'request' && method === 'getHeader') {
+            const v = (arg0 ?? '').toLowerCase();
+            if (v === 'cookie' || v === 'authorization')
+                return { kind: 'auth' };
+        }
+        if ((receiver === 'response' || receiver === 'resp') &&
+            method === 'addCookie') {
+            return { kind: 'auth' };
+        }
+        return null;
+    }
+    return null;
+}
+function authSignalRegex(language) {
+    switch (language) {
+        case 'javascript':
+        case 'typescript':
+            return JS_AUTH_SIGNAL_RE;
+        case 'python':
+            return PY_AUTH_SIGNAL_RE;
+        case 'go':
+            return GO_AUTH_SIGNAL_RE;
+        case 'java':
+            return JAVA_AUTH_SIGNAL_RE;
+        default:
+            return null;
+    }
+}
+function scanWindow(code, language, startLine, endLine) {
+    const lines = code.split('\n');
+    const lo = Math.max(0, startLine - 1);
+    const hi = Math.min(lines.length, endLine);
+    const out = { vary: false, auth: false };
+    const authRe = authSignalRegex(language);
+    for (let i = lo; i < hi; i++) {
+        const ln = lines[i];
+        if (authRe && authRe.test(ln))
+            out.auth = true;
+        if (language === 'python') {
+            if (!out.cachePublic) {
+                const mc = PY_CACHE_HEADER_ASSIGN_RE.exec(ln);
+                if (mc && isSharedCacheable(mc[2])) {
+                    out.cachePublic = { line: i + 1, value: mc[2] };
+                }
+            }
+            if (!out.cachePublic) {
+                const md = PY_CACHE_CONTROL_DECORATOR_RE.exec(ln);
+                if (md) {
+                    const argTxt = md[1];
+                    if (/\bpublic\s*=\s*True\b/.test(argTxt) &&
+                        (/\bmax_age\s*=\s*[1-9]\d*\b/.test(argTxt) || !/max_age/.test(argTxt))) {
+                        out.cachePublic = { line: i + 1, value: argTxt };
+                    }
+                }
+            }
+            if (!out.vary) {
+                const mv = PY_VARY_HEADER_ASSIGN_RE.exec(ln);
+                if (mv && isVaryCovering(mv[2]))
+                    out.vary = true;
+                if (PY_VARY_DECORATOR_RE.test(ln))
+                    out.vary = true;
+            }
+        }
+    }
+    return out;
+}
+export class CacheNoVaryPass {
+    name = 'cache-no-vary';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        const isSupported = language === 'javascript' ||
+            language === 'typescript' ||
+            language === 'python' ||
+            language === 'go' ||
+            language === 'java';
+        if (!isSupported)
+            return { findings };
+        // Skip test / spec files — low-FP guardrail.
+        if (/(?:\.test|\.spec)\.[jt]sx?$/i.test(file) ||
+            /__tests__\/|\/tests?\//i.test(file)) {
+            return { findings };
+        }
+        // Group calls by handler.
+        const callsByHandler = new Map();
+        for (const call of graph.ir.calls) {
+            const key = call.in_method ?? '<top>';
+            let arr = callsByHandler.get(key);
+            if (!arr) {
+                arr = [];
+                callsByHandler.set(key, arr);
+            }
+            arr.push(call);
+        }
+        const emit = (line, handler, cacheValue) => {
+            if (findings.some((f) => f.line === line && f.handler === handler))
+                return;
+            findings.push({ line, language, handler, cacheValue });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-524',
+                severity: 'medium',
+                level: 'warning',
+                message: `Response sets a shared-cacheable Cache-Control ('${cacheValue}') in ` +
+                    `a handler that reads authenticated or user-scoped state, but does ` +
+                    `not set 'Vary: Cookie' or 'Vary: Authorization'. A shared cache ` +
+                    `(CDN, reverse proxy, ISP cache) keys the response by URL only and ` +
+                    `may serve one user's body to another. (CWE-524)`,
+                file,
+                line,
+                fix: `Either add 'Vary: Cookie' (or 'Vary: Authorization') so caches key ` +
+                    `on the user identity, or change the directive to 'private' / ` +
+                    `'no-store' so the response is never shared-cached.`,
+                evidence: {
+                    language,
+                    handler: handler ?? '<top>',
+                    cacheValue,
+                },
+            });
+        };
+        for (const [handlerKey, calls] of callsByHandler) {
+            const handler = handlerKey === '<top>' ? null : handlerKey;
+            const cachePublicHits = [];
+            let varyFromCalls = false;
+            let authFromCalls = false;
+            for (const call of calls) {
+                const cls = classifyCall(call, language);
+                if (!cls)
+                    continue;
+                if (cls.kind === 'cache-public') {
+                    cachePublicHits.push({
+                        line: call.location.line,
+                        value: cls.value ?? '',
+                    });
+                }
+                else if (cls.kind === 'vary') {
+                    varyFromCalls = true;
+                }
+                else if (cls.kind === 'auth') {
+                    authFromCalls = true;
+                }
+            }
+            // Compute a widened source-text window around this handler's calls.
+            let minLine = Infinity;
+            let maxLine = -Infinity;
+            for (const c of calls) {
+                if (c.location?.line) {
+                    minLine = Math.min(minLine, c.location.line);
+                    maxLine = Math.max(maxLine, c.location.line);
+                }
+            }
+            if (minLine === Infinity)
+                continue;
+            const winStart = Math.max(1, minLine - 5);
+            const winEnd = maxLine + 5;
+            const winScan = scanWindow(code, language, winStart, winEnd);
+            if (winScan.cachePublic)
+                cachePublicHits.push(winScan.cachePublic);
+            const vary = varyFromCalls || winScan.vary;
+            const auth = authFromCalls || winScan.auth;
+            if (cachePublicHits.length === 0)
+                continue;
+            if (vary)
+                continue;
+            if (!auth)
+                continue;
+            // Emit one finding per handler (use first cache-public location).
+            emit(cachePublicHits[0].line, handler, cachePublicHits[0].value);
+        }
+        return { findings };
+    }
+}
+//# sourceMappingURL=cache-no-vary-pass.js.map

package/dist/analysis/passes/cache-no-vary-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-no-vary-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/cache-no-vary-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,+EAA+E;AAE/E,SAAS,iBAAiB,CAAC,KAAa;IACtC,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAC9B,IAAI,iCAAiC,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5D,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,oCAAoC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAC/D,OAAO,GAAG,IAAI,WAAW,CAAC;AAC5B,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAC9B,OAAO,+BAA+B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,+EAA+E;AAE/E,MAAM,iBAAiB,GACrB,wKAAwK,CAAC;AAC3K,MAAM,iBAAiB,GACrB,6LAA6L,CAAC;AAChM,MAAM,iBAAiB,GACrB,4MAA4M,CAAC;AAC/M,MAAM,mBAAmB,GACvB,mQAAmQ,CAAC;AAEtQ,2EAA2E;AAC3E,sDAAsD;AAEtD,MAAM,yBAAyB,GAC7B,8FAA8F,CAAC;AACjG,MAAM,wBAAwB,GAC5B,qFAAqF,CAAC;AACxF,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAC5E,MAAM,6BAA6B,GAAG,qCAAqC,CAAC;AAE5E,+EAA+E;AAE/E,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;AAClE,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAClD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC;AAEhE,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;AAoB7D,SAAS,YAAY,CACnB,IAAc,EACd,QAAgB;IAEhB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;IAChC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IAEhD,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACpE,MAAM,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,KAAK,eAAe,IAAI,IAAI,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,CAAC;YACD,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACxD,MAAM,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE;gBAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC7D,CAAC;QACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1D,sCAAsC;YACtC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,yBAAyB;QACzB,IAAI,QAAQ,KAAK,iBAAiB,IAAI,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,IAAI,QAAQ,KAAK,iBAAiB,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACvD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,eAAe,IAAI,CAAC,KAAK,QAAQ;gBAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACvE,CAAC;QACD,IACE,CAAC,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM,CAAC;YAChD,MAAM,KAAK,YAAY,EACvB,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,yBAAyB;QACzB,IAAI,MAAM,KAAK,oBAAoB;YAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC7D,IAAI,MAAM,KAAK,qBAAqB,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACvE,IAAI,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzC,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;YACjD,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,gEAAgE;QAChE,IACE,CAAC,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,aAAa,CAAC;YACzD,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAC7B,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,KAAK,eAAe,IAAI,IAAI,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,CAAC;YACD,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,KAAK,GAAG,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,KAAK,eAAe,IAAI,IAAI,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,CAAC;YACD,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,gBAAgB;QAChB,IAAI,QAAQ,KAAK,GAAG,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,WAAW,CAAC,EAAE,CAAC;YACxE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,IACE,CAAC,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,YAAY,CAAC;YACtD,MAAM,KAAK,KAAK,EAChB,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,eAAe;gBAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACvE,CAAC;QACD,IAAI,QAAQ,KAAK,MAAM,IAAI,MAAM,KAAK,WAAW;YAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC3E,IACE,QAAQ,KAAK,GAAG;YAChB,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,WAAW,CAAC,EACzE,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IACE,CAAC,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM,CAAC;YAChD,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAC/B,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,IAAI,MAAM,KAAK,eAAe,IAAI,IAAI,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,CAAC;YACD,IAAI,MAAM,KAAK,MAAM,IAAI,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,IACE,CAAC,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,aAAa,CAAC;YACtD,MAAM,KAAK,iBAAiB,EAC5B,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC;QAC7E,CAAC;QACD,IACE,CAAC,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,aAAa,CAAC;YACtD,MAAM,KAAK,SAAS,EACpB,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,gBAAgB;QAChB,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YACtD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YACrD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,eAAe;gBAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACvE,CAAC;QACD,IACE,CAAC,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM,CAAC;YAChD,MAAM,KAAK,WAAW,EACtB,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,iBAAiB,CAAC;QAC3B,KAAK,QAAQ;YACX,OAAO,iBAAiB,CAAC;QAC3B,KAAK,IAAI;YACP,OAAO,iBAAiB,CAAC;QAC3B,KAAK,MAAM;YACT,OAAO,mBAAmB,CAAC;QAC7B;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAQD,SAAS,UAAU,CACjB,IAAY,EACZ,QAAgB,EAChB,SAAiB,EACjB,OAAe;IAEf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAe,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACrD,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAC/C,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,yBAAyB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC9C,IAAI,EAAE,IAAI,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnC,GAAG,CAAC,WAAW,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClD,CAAC;YACH,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,MAAM,EAAE,GAAG,6BAA6B,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAClD,IAAI,EAAE,EAAE,CAAC;oBACP,MAAM,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;oBACrB,IACE,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC;wBACpC,CAAC,4BAA4B,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EACtE,CAAC;wBACD,GAAG,CAAC,WAAW,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBACd,MAAM,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC7C,IAAI,EAAE,IAAI,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;oBAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;gBACjD,IAAI,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;YACrD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAAkC,EAAE,CAAC;QAEnD,MAAM,WAAW,GACf,QAAQ,KAAK,YAAY;YACzB,QAAQ,KAAK,YAAY;YACzB,QAAQ,KAAK,QAAQ;YACrB,QAAQ,KAAK,IAAI;YACjB,QAAQ,KAAK,MAAM,CAAC;QACtB,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAEtC,6CAA6C;QAC7C,IACE,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;YACzC,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EACpC,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,CAAC;QAED,0BAA0B;QAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAsB,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;YACtC,IAAI,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,GAAG,GAAG,EAAE,CAAC;gBACT,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC/B,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,IAAY,EAAE,OAAsB,EAAE,UAAkB,EAAE,EAAE;YACxE,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC;gBAAE,OAAO;YAC3E,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;YACvD,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,oDAAoD,UAAU,QAAQ;oBACtE,oEAAoE;oBACpE,kEAAkE;oBAClE,oEAAoE;oBACpE,iDAAiD;gBACnD,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,qEAAqE;oBACrE,+DAA+D;oBAC/D,oDAAoD;gBACtD,QAAQ,EAAE;oBACR,QAAQ;oBACR,OAAO,EAAE,OAAO,IAAI,OAAO;oBAC3B,UAAU;iBACX;aACF,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,cAAc,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC;YAE3D,MAAM,eAAe,GAA2C,EAAE,CAAC;YACnE,IAAI,aAAa,GAAG,KAAK,CAAC;YAC1B,IAAI,aAAa,GAAG,KAAK,CAAC;YAE1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;gBACzC,IAAI,CAAC,GAAG;oBAAE,SAAS;gBACnB,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;oBAChC,eAAe,CAAC,IAAI,CAAC;wBACnB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;wBACxB,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,EAAE;qBACvB,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC/B,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;qBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC/B,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;YACH,CAAC;YAED,oEAAoE;YACpE,IAAI,OAAO,GAAG,QAAQ,CAAC;YACvB,IAAI,OAAO,GAAG,CAAC,QAAQ,CAAC;YACxB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,IAAI,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC;oBACrB,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBAC7C,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;YACD,IAAI,OAAO,KAAK,QAAQ;gBAAE,SAAS;YACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,CAAC;YAE3B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC7D,IAAI,OAAO,CAAC,WAAW;gBAAE,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACnE,MAAM,IAAI,GAAG,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;YAC3C,MAAM,IAAI,GAAG,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;YAE3C,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAC3C,IAAI,IAAI;gBAAE,SAAS;YACnB,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,kEAAkE;YAClE,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;CACF"}

package/dist/analysis/passes/language-sources-pass.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AA4BF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;CAoG7C;AAkgBD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAkG9E;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAwC5G;AAED,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,KAAK,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjD;AA6DD,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBpG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCrB;AAmKD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA0GvF"}
+{"version":3,"file":"language-sources-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/language-sources-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAwB,WAAW,EAAO,MAAM,sBAAsB,CAAC;AAC3H,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqB9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0C/B,CAAC;AA4BF,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACjC,eAAe,EAAE,SAAS,EAAE,CAAC;IAC7B;;;;OAIG;IACH,oBAAoB,EAAE,cAAc,EAAE,CAAC;IACvC;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC;;;OAGG;IACH,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAMD,qBAAa,mBAAoB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IAC7E,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;CAoG7C;AA8hBD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAkG9E;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAwC5G;AAED,wBAAgB,iCAAiC,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,KAAK,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjD;AA6DD,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBpG;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCrB;AAmKD,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,WAAW,EAAE,CA0GvF"}

package/dist/analysis/passes/language-sources-pass.js

@@ -359,6 +359,26 @@ function findOopFieldReadSources(types, sourceCode, language) {
             // both single-line Java getters (`public String getName() { return this.name; }`)
             // and multi-line getters / @property bodies.
             const returnRe = new RegExp(`\\breturn\\s+${SELF}\\.([A-Za-z_]\\w*)\\s*[;}]?`);
+            // cognium-dev #105 (Sprint 21 B.1) — recognise allowlist-style
+            // guards inside the getter body. When the getter contains an
+            // `if <ref> (not in|in) <UPPER_CONST>:` membership check followed
+            // within ≤2 lines by `raise` / `abort` / `return None` / `return ""`,
+            // treat the getter as a sanitizer rather than a taint source: the
+            // unmatched-host branch raises, so the value that flows past the
+            // guard is constrained to the allowlist. Conventional UPPER_SNAKE
+            // constant naming distinguishes a true allowlist from an incidental
+            // cache lookup (e.g. `if x in self.CACHE: return self.url` — the
+            // GUARD.1-noisy fixture).
+            // Python:  `if [self.]url not in self.ALLOWED:` + `raise`/`abort`/`return None`
+            // Java/JS: `if (!ALLOWED.contains(x))` / `!ALLOWED.includes(x)`/`!ALLOWED.has(x)`
+            //          + `throw`/`return null`
+            const guardRePy = /\bif\s+[\w.]+\s+(?:not\s+)?in\s+(?:self\.)?[A-Z_][A-Z0-9_]*\s*:/;
+            const guardThrowRePy = /^\s*(?:raise\b|abort\b|return\s+(?:None\b|''|""|\)?$))/;
+            const guardReJv = /\bif\s*\(\s*!\s*(?:this\.)?[A-Z_][A-Z0-9_]*\s*\.\s*(?:contains|includes|has|matches)\s*\(/;
+            const guardThrowReJv = /^\s*(?:throw\b|return\s+null\b)/;
+            const guardRe = isPython ? guardRePy : guardReJv;
+            const guardThrowRe = isPython ? guardThrowRePy : guardThrowReJv;
+            let hasAllowlistGuard = false;
             for (let i = mStart - 1; i < Math.min(mEnd, lines.length); i++) {
                 const raw = lines[i] ?? '';
                 const trimmed = raw.trim();
@@ -376,8 +396,18 @@ function findOopFieldReadSources(types, sourceCode, language) {
                     returnStatementCount = 99;
                     break;
                 }
+                // Allowlist guard detection — look ahead ≤2 lines for the throw/raise.
+                if (guardRe.test(trimmed)) {
+                    for (let j = i + 1; j < Math.min(i + 4, mEnd, lines.length); j++) {
+                        const next = (lines[j] ?? '');
+                        if (guardThrowRe.test(next)) {
+                            hasAllowlistGuard = true;
+                            break;
+                        }
+                    }
+                }
             }
-            if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField)) {
+            if (returnStatementCount === 1 && returnedField && fieldTaint.has(returnedField) && !hasAllowlistGuard) {
                 const fieldInfo = fieldTaint.get(returnedField);
                 // Java: caller writes `getName()` / `this.getName()` / `obj.getName()`.
                 //   → match `\bgetName\b`.