circle-ir 3.8.4 → 3.9.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (178) hide show
  1. package/README.md +82 -5
  2. package/dist/analysis/dfg-verifier.d.ts +3 -14
  3. package/dist/analysis/dfg-verifier.js +43 -74
  4. package/dist/analysis/dfg-verifier.js.map +1 -1
  5. package/dist/analysis/interprocedural.d.ts +5 -1
  6. package/dist/analysis/interprocedural.js +62 -60
  7. package/dist/analysis/interprocedural.js.map +1 -1
  8. package/dist/analysis/metrics/index.d.ts +2 -0
  9. package/dist/analysis/metrics/index.js +2 -0
  10. package/dist/analysis/metrics/index.js.map +1 -0
  11. package/dist/analysis/metrics/metric-pass.d.ts +27 -0
  12. package/dist/analysis/metrics/metric-pass.js +2 -0
  13. package/dist/analysis/metrics/metric-pass.js.map +1 -0
  14. package/dist/analysis/metrics/metric-runner.d.ts +21 -0
  15. package/dist/analysis/metrics/metric-runner.js +47 -0
  16. package/dist/analysis/metrics/metric-runner.js.map +1 -0
  17. package/dist/analysis/metrics/passes/cohesion-metrics-pass.d.ts +21 -0
  18. package/dist/analysis/metrics/passes/cohesion-metrics-pass.js +100 -0
  19. package/dist/analysis/metrics/passes/cohesion-metrics-pass.js.map +1 -0
  20. package/dist/analysis/metrics/passes/complexity-metrics-pass.d.ts +15 -0
  21. package/dist/analysis/metrics/passes/complexity-metrics-pass.js +76 -0
  22. package/dist/analysis/metrics/passes/complexity-metrics-pass.js.map +1 -0
  23. package/dist/analysis/metrics/passes/composite-metrics-pass.d.ts +17 -0
  24. package/dist/analysis/metrics/passes/composite-metrics-pass.js +77 -0
  25. package/dist/analysis/metrics/passes/composite-metrics-pass.js.map +1 -0
  26. package/dist/analysis/metrics/passes/coupling-metrics-pass.d.ts +19 -0
  27. package/dist/analysis/metrics/passes/coupling-metrics-pass.js +94 -0
  28. package/dist/analysis/metrics/passes/coupling-metrics-pass.js.map +1 -0
  29. package/dist/analysis/metrics/passes/data-flow-metrics-pass.d.ts +14 -0
  30. package/dist/analysis/metrics/passes/data-flow-metrics-pass.js +25 -0
  31. package/dist/analysis/metrics/passes/data-flow-metrics-pass.js.map +1 -0
  32. package/dist/analysis/metrics/passes/documentation-metrics-pass.d.ts +15 -0
  33. package/dist/analysis/metrics/passes/documentation-metrics-pass.js +64 -0
  34. package/dist/analysis/metrics/passes/documentation-metrics-pass.js.map +1 -0
  35. package/dist/analysis/metrics/passes/halstead-metrics-pass.d.ts +16 -0
  36. package/dist/analysis/metrics/passes/halstead-metrics-pass.js +95 -0
  37. package/dist/analysis/metrics/passes/halstead-metrics-pass.js.map +1 -0
  38. package/dist/analysis/metrics/passes/inheritance-metrics-pass.d.ts +18 -0
  39. package/dist/analysis/metrics/passes/inheritance-metrics-pass.js +73 -0
  40. package/dist/analysis/metrics/passes/inheritance-metrics-pass.js.map +1 -0
  41. package/dist/analysis/metrics/passes/size-metrics-pass.d.ts +11 -0
  42. package/dist/analysis/metrics/passes/size-metrics-pass.js +64 -0
  43. package/dist/analysis/metrics/passes/size-metrics-pass.js.map +1 -0
  44. package/dist/analysis/passes/circular-dependency-pass.d.ts +18 -0
  45. package/dist/analysis/passes/circular-dependency-pass.js +39 -0
  46. package/dist/analysis/passes/circular-dependency-pass.js.map +1 -0
  47. package/dist/analysis/passes/constant-propagation-pass.d.ts +22 -0
  48. package/dist/analysis/passes/constant-propagation-pass.js +44 -0
  49. package/dist/analysis/passes/constant-propagation-pass.js.map +1 -0
  50. package/dist/analysis/passes/cross-file-pass.d.ts +27 -0
  51. package/dist/analysis/passes/cross-file-pass.js +102 -0
  52. package/dist/analysis/passes/cross-file-pass.js.map +1 -0
  53. package/dist/analysis/passes/dead-code-pass.d.ts +25 -0
  54. package/dist/analysis/passes/dead-code-pass.js +117 -0
  55. package/dist/analysis/passes/dead-code-pass.js.map +1 -0
  56. package/dist/analysis/passes/deep-inheritance-pass.d.ts +30 -0
  57. package/dist/analysis/passes/deep-inheritance-pass.js +82 -0
  58. package/dist/analysis/passes/deep-inheritance-pass.js.map +1 -0
  59. package/dist/analysis/passes/dependency-fan-out-pass.d.ts +19 -0
  60. package/dist/analysis/passes/dependency-fan-out-pass.js +35 -0
  61. package/dist/analysis/passes/dependency-fan-out-pass.js.map +1 -0
  62. package/dist/analysis/passes/infinite-loop-pass.d.ts +31 -0
  63. package/dist/analysis/passes/infinite-loop-pass.js +126 -0
  64. package/dist/analysis/passes/infinite-loop-pass.js.map +1 -0
  65. package/dist/analysis/passes/interprocedural-pass.d.ts +29 -0
  66. package/dist/analysis/passes/interprocedural-pass.js +169 -0
  67. package/dist/analysis/passes/interprocedural-pass.js.map +1 -0
  68. package/dist/analysis/passes/language-sources-pass.d.ts +76 -0
  69. package/dist/analysis/passes/language-sources-pass.js +491 -0
  70. package/dist/analysis/passes/language-sources-pass.js.map +1 -0
  71. package/dist/analysis/passes/leaked-global-pass.d.ts +34 -0
  72. package/dist/analysis/passes/leaked-global-pass.js +108 -0
  73. package/dist/analysis/passes/leaked-global-pass.js.map +1 -0
  74. package/dist/analysis/passes/missing-await-pass.d.ts +29 -0
  75. package/dist/analysis/passes/missing-await-pass.js +90 -0
  76. package/dist/analysis/passes/missing-await-pass.js.map +1 -0
  77. package/dist/analysis/passes/missing-public-doc-pass.d.ts +35 -0
  78. package/dist/analysis/passes/missing-public-doc-pass.js +148 -0
  79. package/dist/analysis/passes/missing-public-doc-pass.js.map +1 -0
  80. package/dist/analysis/passes/n-plus-one-pass.d.ts +29 -0
  81. package/dist/analysis/passes/n-plus-one-pass.js +100 -0
  82. package/dist/analysis/passes/n-plus-one-pass.js.map +1 -0
  83. package/dist/analysis/passes/null-deref-pass.d.ts +32 -0
  84. package/dist/analysis/passes/null-deref-pass.js +130 -0
  85. package/dist/analysis/passes/null-deref-pass.js.map +1 -0
  86. package/dist/analysis/passes/orphan-module-pass.d.ts +21 -0
  87. package/dist/analysis/passes/orphan-module-pass.js +38 -0
  88. package/dist/analysis/passes/orphan-module-pass.js.map +1 -0
  89. package/dist/analysis/passes/react-inline-jsx-pass.d.ts +36 -0
  90. package/dist/analysis/passes/react-inline-jsx-pass.js +140 -0
  91. package/dist/analysis/passes/react-inline-jsx-pass.js.map +1 -0
  92. package/dist/analysis/passes/redundant-loop-pass.d.ts +30 -0
  93. package/dist/analysis/passes/redundant-loop-pass.js +146 -0
  94. package/dist/analysis/passes/redundant-loop-pass.js.map +1 -0
  95. package/dist/analysis/passes/resource-leak-pass.d.ts +43 -0
  96. package/dist/analysis/passes/resource-leak-pass.js +156 -0
  97. package/dist/analysis/passes/resource-leak-pass.js.map +1 -0
  98. package/dist/analysis/passes/serial-await-pass.d.ts +36 -0
  99. package/dist/analysis/passes/serial-await-pass.js +132 -0
  100. package/dist/analysis/passes/serial-await-pass.js.map +1 -0
  101. package/dist/analysis/passes/sink-filter-pass.d.ts +39 -0
  102. package/dist/analysis/passes/sink-filter-pass.js +231 -0
  103. package/dist/analysis/passes/sink-filter-pass.js.map +1 -0
  104. package/dist/analysis/passes/stale-doc-ref-pass.d.ts +21 -0
  105. package/dist/analysis/passes/stale-doc-ref-pass.js +96 -0
  106. package/dist/analysis/passes/stale-doc-ref-pass.js.map +1 -0
  107. package/dist/analysis/passes/string-concat-loop-pass.d.ts +26 -0
  108. package/dist/analysis/passes/string-concat-loop-pass.js +87 -0
  109. package/dist/analysis/passes/string-concat-loop-pass.js.map +1 -0
  110. package/dist/analysis/passes/sync-io-async-pass.d.ts +28 -0
  111. package/dist/analysis/passes/sync-io-async-pass.js +80 -0
  112. package/dist/analysis/passes/sync-io-async-pass.js.map +1 -0
  113. package/dist/analysis/passes/taint-matcher-pass.d.ts +24 -0
  114. package/dist/analysis/passes/taint-matcher-pass.js +71 -0
  115. package/dist/analysis/passes/taint-matcher-pass.js.map +1 -0
  116. package/dist/analysis/passes/taint-propagation-pass.d.ts +22 -0
  117. package/dist/analysis/passes/taint-propagation-pass.js +266 -0
  118. package/dist/analysis/passes/taint-propagation-pass.js.map +1 -0
  119. package/dist/analysis/passes/todo-in-prod-pass.d.ts +28 -0
  120. package/dist/analysis/passes/todo-in-prod-pass.js +71 -0
  121. package/dist/analysis/passes/todo-in-prod-pass.js.map +1 -0
  122. package/dist/analysis/passes/unbounded-collection-pass.d.ts +32 -0
  123. package/dist/analysis/passes/unbounded-collection-pass.js +128 -0
  124. package/dist/analysis/passes/unbounded-collection-pass.js.map +1 -0
  125. package/dist/analysis/passes/unchecked-return-pass.d.ts +34 -0
  126. package/dist/analysis/passes/unchecked-return-pass.js +106 -0
  127. package/dist/analysis/passes/unchecked-return-pass.js.map +1 -0
  128. package/dist/analysis/passes/unused-variable-pass.d.ts +36 -0
  129. package/dist/analysis/passes/unused-variable-pass.js +150 -0
  130. package/dist/analysis/passes/unused-variable-pass.js.map +1 -0
  131. package/dist/analysis/passes/variable-shadowing-pass.d.ts +41 -0
  132. package/dist/analysis/passes/variable-shadowing-pass.js +211 -0
  133. package/dist/analysis/passes/variable-shadowing-pass.js.map +1 -0
  134. package/dist/analysis/path-finder.d.ts +3 -13
  135. package/dist/analysis/path-finder.js +48 -63
  136. package/dist/analysis/path-finder.js.map +1 -1
  137. package/dist/analysis/taint-matcher.js +8 -1
  138. package/dist/analysis/taint-matcher.js.map +1 -1
  139. package/dist/analysis/taint-propagation.d.ts +5 -1
  140. package/dist/analysis/taint-propagation.js +44 -41
  141. package/dist/analysis/taint-propagation.js.map +1 -1
  142. package/dist/analyzer.d.ts +48 -1
  143. package/dist/analyzer.js +252 -1476
  144. package/dist/analyzer.js.map +1 -1
  145. package/dist/browser/circle-ir.js +3952 -1270
  146. package/dist/core/circle-ir-core.cjs +360 -106
  147. package/dist/core/circle-ir-core.js +360 -106
  148. package/dist/core/extractors/imports.js +18 -0
  149. package/dist/core/extractors/imports.js.map +1 -1
  150. package/dist/graph/analysis-pass.d.ts +68 -0
  151. package/dist/graph/analysis-pass.js +51 -0
  152. package/dist/graph/analysis-pass.js.map +1 -0
  153. package/dist/graph/code-graph.d.ts +92 -0
  154. package/dist/graph/code-graph.js +262 -0
  155. package/dist/graph/code-graph.js.map +1 -0
  156. package/dist/graph/dominator-graph.d.ts +53 -0
  157. package/dist/graph/dominator-graph.js +256 -0
  158. package/dist/graph/dominator-graph.js.map +1 -0
  159. package/dist/graph/import-graph.d.ts +33 -0
  160. package/dist/graph/import-graph.js +170 -0
  161. package/dist/graph/import-graph.js.map +1 -0
  162. package/dist/graph/index.d.ts +5 -0
  163. package/dist/graph/index.js +6 -0
  164. package/dist/graph/index.js.map +1 -0
  165. package/dist/graph/project-graph.d.ts +43 -0
  166. package/dist/graph/project-graph.js +80 -0
  167. package/dist/graph/project-graph.js.map +1 -0
  168. package/dist/graph/scope-graph.d.ts +63 -0
  169. package/dist/graph/scope-graph.js +89 -0
  170. package/dist/graph/scope-graph.js.map +1 -0
  171. package/dist/index.d.ts +3 -2
  172. package/dist/index.js +3 -1
  173. package/dist/index.js.map +1 -1
  174. package/dist/resolution/cross-file.js +52 -19
  175. package/dist/resolution/cross-file.js.map +1 -1
  176. package/dist/types/index.d.ts +151 -0
  177. package/docs/SPEC.md +10 -6
  178. package/package.json +1 -1
package/dist/analyzer.d.ts CHANGED
@@ -3,10 +3,40 @@
3
3
  *
4
4
  * Main entry point for analyzing source code and producing Circle-IR output.
5
5
  * This is the core static analyzer. LLM-based verification and discovery are out of scope for this library.
6
+ *
7
+ * The analysis pipeline runs twenty-seven sequential passes over a shared CodeGraph:
8
+ * 1. TaintMatcherPass — config-based source/sink extraction
9
+ * 2. ConstantPropagationPass — dead-code detection, symbol table, field taint
10
+ * 3. LanguageSourcesPass — language-specific sources/sinks (JS, Python, getters)
11
+ * 4. SinkFilterPass — four-stage false-positive elimination
12
+ * 5. TaintPropagationPass — DFG-based flow verification
13
+ * 6. InterproceduralPass — cross-method taint propagation
14
+ * 7. DeadCodePass — CFG blocks unreachable from entry (CWE-561)
15
+ * 8. MissingAwaitPass — unawaited async calls in JS/TS (CWE-252)
16
+ * 9. NPlusOnePass — DB/HTTP calls inside loop bodies (CWE-1049)
17
+ * 10. MissingPublicDocPass — public methods/types without doc comments
18
+ * 11. TodoInProdPass — TODO/FIXME/HACK markers in production code
19
+ * 12. StringConcatLoopPass — string += inside loops, O(n²) allocations (CWE-1046)
20
+ * 13. SyncIoAsyncPass — blocking *Sync calls inside async functions (CWE-1050)
21
+ * 14. UncheckedReturnPass — ignored boolean return from File.delete etc. (CWE-252)
22
+ * 15. NullDerefPass — null-assigned var dereferenced without guard (CWE-476)
23
+ * 16. ResourceLeakPass — stream/connection opened but never closed (CWE-772)
24
+ * 17. VariableShadowingPass — inner scope re-declares outer name (CWE-1109)
25
+ * 18. LeakedGlobalPass — assignment without declaration in JS/TS (CWE-1109)
26
+ * 19. UnusedVariablePass — local variable declared but value never read (CWE-561)
27
+ * 20. DependencyFanOutPass — module imports 20+ other modules (architecture smell)
28
+ * 21. StaleDocRefPass — doc comment references unknown symbol (CWE: none)
29
+ * 22. InfiniteLoopPass — loops with no reachable exit edge (CWE-835)
30
+ * 23. DeepInheritancePass — class inheritance depth > 5 (CWE-1086)
31
+ * 24. RedundantLoopPass — loop-invariant .length/.size()/Math.* (CWE-1050)
32
+ * 25. UnboundedCollectionPass — collection grows in loop with no size limit (CWE-770)
33
+ * 26. SerialAwaitPass — independent sequential awaits in JS/TS (performance)
34
+ * 27. ReactInlineJsxPass — inline objects/functions in JSX props (performance)
6
35
  */
7
- import type { CircleIR, AnalysisResponse } from './types/index.js';
36
+ import type { CircleIR, AnalysisResponse, ProjectAnalysis } from './types/index.js';
8
37
  import type { TaintConfig } from './types/config.js';
9
38
  import { type SupportedLanguage } from './core/index.js';
39
+ import { isFalsePositive } from './analysis/index.js';
10
40
  export interface AnalyzerOptions {
11
41
  /**
12
42
  * Path to tree-sitter.wasm for parser initialization.
@@ -51,3 +81,20 @@ export declare function isAnalyzerInitialized(): boolean;
51
81
  * Reset the analyzer (mainly for testing).
52
82
  */
53
83
  export declare function resetAnalyzer(): void;
84
+ /**
85
+ * Analyze a set of files as a project, finding cross-file taint flows.
86
+ *
87
+ * Runs single-file `analyze()` on each file in order, then uses
88
+ * `ProjectGraph` + `CrossFileResolver` to surface flows that cross file
89
+ * boundaries. The per-file `CircleIR` outputs are preserved unchanged in
90
+ * `ProjectAnalysis.files`.
91
+ *
92
+ * `findings` is always empty — it requires LLM enrichment which is out of
93
+ * scope for this library (see CLAUDE.md and SPEC.md section 11).
94
+ */
95
+ export declare function analyzeProject(files: Array<{
96
+ code: string;
97
+ filePath: string;
98
+ language: SupportedLanguage;
99
+ }>, options?: AnalyzerOptions): Promise<ProjectAnalysis>;
100
+ export { isFalsePositive };