circle-ir 3.9.7 → 3.9.10

package/dist/analysis/passes/broad-catch-pass.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Pass #29: broad-catch (CWE-396, category: reliability)
+ *
+ * Detects catch clauses that catch a base exception type (Exception,
+ * Throwable, BaseException) rather than the specific subtypes the code
+ * can handle.  Broad catches suppress unexpected errors, make bugs harder
+ * to find, and can inadvertently catch serious errors (OutOfMemoryError,
+ * StackOverflowError) that should not be swallowed.
+ *
+ * Detection strategy:
+ *   1. Build an ExceptionFlowGraph to locate catch handler entry lines.
+ *   2. Check the source text of each catch line for broad-catch patterns.
+ *
+ * Languages: Java, Python only.
+ *   - JS/TS: no typed catch clauses; not applicable.
+ *   - Rust/Bash: no traditional exceptions; skip.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface BroadCatchResult {
+    broadCatches: Array<{
+        line: number;
+        type: string;
+    }>;
+}
+export declare class BroadCatchPass implements AnalysisPass<BroadCatchResult> {
+    readonly name = "broad-catch";
+    readonly category: "reliability";
+    run(ctx: PassContext): BroadCatchResult;
+}

package/dist/analysis/passes/broad-catch-pass.js

@@ -0,0 +1,79 @@
+/**
+ * Pass #29: broad-catch (CWE-396, category: reliability)
+ *
+ * Detects catch clauses that catch a base exception type (Exception,
+ * Throwable, BaseException) rather than the specific subtypes the code
+ * can handle.  Broad catches suppress unexpected errors, make bugs harder
+ * to find, and can inadvertently catch serious errors (OutOfMemoryError,
+ * StackOverflowError) that should not be swallowed.
+ *
+ * Detection strategy:
+ *   1. Build an ExceptionFlowGraph to locate catch handler entry lines.
+ *   2. Check the source text of each catch line for broad-catch patterns.
+ *
+ * Languages: Java, Python only.
+ *   - JS/TS: no typed catch clauses; not applicable.
+ *   - Rust/Bash: no traditional exceptions; skip.
+ */
+import { ExceptionFlowGraph } from '../../graph/exception-flow-graph.js';
+/** Java: catch(Exception|Throwable|RuntimeException|Error ...) */
+const JAVA_BROAD_RE = /catch\s*\(\s*(Exception|Throwable|RuntimeException|Error)\s/;
+/**
+ * Python: bare `except:` or `except Exception[/BaseException][:]`
+ * Also matches `except (Exception, ...):` patterns.
+ */
+const PYTHON_BROAD_RE = /^\s*except\s*:|except\s+(Exception|BaseException)\b/;
+export class BroadCatchPass {
+    name = 'broad-catch';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language !== 'java' && language !== 'python') {
+            return { broadCatches: [] };
+        }
+        const { cfg } = graph.ir;
+        if (cfg.blocks.length === 0)
+            return { broadCatches: [] };
+        const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+        if (!exGraph.hasTryCatch)
+            return { broadCatches: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const broadCatches = [];
+        const reported = new Set();
+        const pattern = language === 'java' ? JAVA_BROAD_RE : PYTHON_BROAD_RE;
+        for (const pair of exGraph.pairs) {
+            const catchLine = pair.catchBlock.start_line;
+            if (reported.has(catchLine))
+                continue;
+            const lineText = codeLines[catchLine - 1] ?? '';
+            const match = pattern.exec(lineText);
+            if (!match)
+                continue;
+            const caughtType = match[1] ?? 'Exception';
+            reported.add(catchLine);
+            broadCatches.push({ line: catchLine, type: caughtType });
+            const snippet = lineText.trim();
+            ctx.addFinding({
+                id: `broad-catch-${file}-${catchLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-396',
+                severity: 'low',
+                level: 'warning',
+                message: `Broad catch: catching \`${caughtType}\` at line ${catchLine} suppresses ` +
+                    `unexpected errors and hides bugs`,
+                file,
+                line: catchLine,
+                snippet,
+                fix: language === 'java'
+                    ? `Catch the specific exception types your code can handle (e.g., \`IOException\`, \`SQLException\`)`
+                    : `Catch the specific exception types your code can handle (e.g., \`ValueError\`, \`KeyError\`)`,
+                evidence: { caughtType },
+            });
+        }
+        return { broadCatches };
+    }
+}
+//# sourceMappingURL=broad-catch-pass.js.map

package/dist/analysis/passes/broad-catch-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"broad-catch-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/broad-catch-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAEzE,kEAAkE;AAClE,MAAM,aAAa,GAAG,6DAA6D,CAAC;AAEpF;;;GAGG;AACH,MAAM,eAAe,GAAG,qDAAqD,CAAC;AAM9E,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,aAAa,CAAC;IACrB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjD,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAC9B,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEzD,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,WAAW;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEtD,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,YAAY,GAAqC,EAAE,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,MAAM,OAAO,GAAG,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,eAAe,CAAC;QAEtE,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAC7C,IAAI,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAEtC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC;YAC3C,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxB,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;YAEzD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;YAChC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,eAAe,IAAI,IAAI,SAAS,EAAE;gBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,2BAA2B,UAAU,cAAc,SAAS,cAAc;oBAC1E,kCAAkC;gBACpC,IAAI;gBACJ,IAAI,EAAE,SAAS;gBACf,OAAO;gBACP,GAAG,EACD,QAAQ,KAAK,MAAM;oBACjB,CAAC,CAAC,mGAAmG;oBACrG,CAAC,CAAC,8FAA8F;gBACpG,QAAQ,EAAE,EAAE,UAAU,EAAE;aACzB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;CACF"}

package/dist/analysis/passes/deep-inheritance-pass.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Pass #29: deep-inheritance (CWE-1086, category: architecture)
+ *
+ * Detects class inheritance chains deeper than the configured threshold
+ * (default: 5). Deep inheritance hierarchies increase coupling, make code
+ * harder to understand, and indicate a design smell (violation of composition
+ * over inheritance).
+ *
+ * Detection strategy:
+ *   1. Build a parentMap: className → parentName from `ir.types[*].extends`.
+ *   2. For each class with a known `start_line`, walk up the parentMap
+ *      counting depth. Stop at depth 20 to defend against cycles.
+ *   3. If depth > THRESHOLD, emit a finding at the class `start_line`.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python. Rust/Bash do not have
+ * class inheritance — skipped.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DeepInheritanceResult {
+    deepClasses: Array<{
+        className: string;
+        depth: number;
+        line: number;
+    }>;
+}
+export declare class DeepInheritancePass implements AnalysisPass<DeepInheritanceResult> {
+    readonly name = "deep-inheritance";
+    readonly category: "architecture";
+    run(ctx: PassContext): DeepInheritanceResult;
+}

package/dist/analysis/passes/deep-inheritance-pass.js

@@ -0,0 +1,82 @@
+/**
+ * Pass #29: deep-inheritance (CWE-1086, category: architecture)
+ *
+ * Detects class inheritance chains deeper than the configured threshold
+ * (default: 5). Deep inheritance hierarchies increase coupling, make code
+ * harder to understand, and indicate a design smell (violation of composition
+ * over inheritance).
+ *
+ * Detection strategy:
+ *   1. Build a parentMap: className → parentName from `ir.types[*].extends`.
+ *   2. For each class with a known `start_line`, walk up the parentMap
+ *      counting depth. Stop at depth 20 to defend against cycles.
+ *   3. If depth > THRESHOLD, emit a finding at the class `start_line`.
+ *
+ * Languages: Java, JavaScript/TypeScript, Python. Rust/Bash do not have
+ * class inheritance — skipped.
+ */
+const DEPTH_THRESHOLD = 5;
+const CYCLE_GUARD = 20;
+export class DeepInheritancePass {
+    name = 'deep-inheritance';
+    category = 'architecture';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language === 'rust' || language === 'bash') {
+            return { deepClasses: [] };
+        }
+        const file = graph.ir.meta.file;
+        const types = graph.ir.types;
+        if (types.length === 0)
+            return { deepClasses: [] };
+        // Build parentMap: class name → parent class name
+        const parentMap = new Map();
+        for (const typeInfo of types) {
+            if (typeInfo.extends) {
+                // Strip generic parameters (e.g., "BaseRepo<User>" → "BaseRepo")
+                const parentName = typeInfo.extends.replace(/<.*>/, '').trim();
+                if (parentName) {
+                    parentMap.set(typeInfo.name, parentName);
+                }
+            }
+        }
+        const deepClasses = [];
+        for (const typeInfo of types) {
+            if (typeInfo.kind !== 'class')
+                continue;
+            if (typeInfo.start_line <= 0)
+                continue;
+            // Walk up the inheritance chain
+            let depth = 0;
+            let current = parentMap.get(typeInfo.name);
+            const visited = new Set([typeInfo.name]);
+            while (current !== undefined && depth < CYCLE_GUARD) {
+                depth++;
+                if (visited.has(current))
+                    break; // cycle guard
+                visited.add(current);
+                current = parentMap.get(current);
+            }
+            if (depth > DEPTH_THRESHOLD) {
+                deepClasses.push({ className: typeInfo.name, depth, line: typeInfo.start_line });
+                ctx.addFinding({
+                    id: `deep-inheritance-${file}-${typeInfo.start_line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: this.name,
+                    cwe: 'CWE-1086',
+                    severity: 'low',
+                    level: 'warning',
+                    message: `Deep inheritance: class \`${typeInfo.name}\` has inheritance depth ${depth} (threshold: ${DEPTH_THRESHOLD})`,
+                    file,
+                    line: typeInfo.start_line,
+                    fix: `Refactor to prefer composition over inheritance. ` +
+                        `Consider extracting shared behaviour into interfaces or mixins.`,
+                    evidence: { depth, threshold: DEPTH_THRESHOLD },
+                });
+            }
+        }
+        return { deepClasses };
+    }
+}
+//# sourceMappingURL=deep-inheritance-pass.js.map

package/dist/analysis/passes/deep-inheritance-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deep-inheritance-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/deep-inheritance-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,MAAM,WAAW,GAAG,EAAE,CAAC;AAMvB,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,kBAAkB,CAAC;IAC1B,QAAQ,GAAG,cAAuB,CAAC;IAE5C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,KAAK,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC;QAE7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAEnD,kDAAkD;QAClD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC5C,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC7B,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,iEAAiE;gBACjE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/D,IAAI,UAAU,EAAE,CAAC;oBACf,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAyC,EAAE,CAAC;QAE7D,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC7B,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACxC,IAAI,QAAQ,CAAC,UAAU,IAAI,CAAC;gBAAE,SAAS;YAEvC,gCAAgC;YAChC,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,OAAO,GAAuB,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAEjD,OAAO,OAAO,KAAK,SAAS,IAAI,KAAK,GAAG,WAAW,EAAE,CAAC;gBACpD,KAAK,EAAE,CAAC;gBACR,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;oBAAE,MAAM,CAAC,cAAc;gBAC/C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACnC,CAAC;YAED,IAAI,KAAK,GAAG,eAAe,EAAE,CAAC;gBAC5B,WAAW,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;gBAEjF,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,oBAAoB,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,GAAG,EAAE,UAAU;oBACf,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,6BAA6B,QAAQ,CAAC,IAAI,4BAA4B,KAAK,gBAAgB,eAAe,GAAG;oBAC/G,IAAI;oBACJ,IAAI,EAAE,QAAQ,CAAC,UAAU;oBACzB,GAAG,EACD,mDAAmD;wBACnD,iEAAiE;oBACnE,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE;iBAChD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,CAAC;IACzB,CAAC;CACF"}

package/dist/analysis/passes/double-close-pass.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Pass #31: double-close (CWE-675, category: reliability)
+ *
+ * Detects I/O resources that are closed more than once within the same
+ * method.  Calling close() on an already-closed stream (e.g., Java's
+ * FileInputStream, Node.js streams) typically throws an exception and
+ * indicates a resource-management bug.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Collect the bound variable from DFG defs at the open line.
+ *   3. Find ALL close() calls on that variable within the enclosing method.
+ *   4. If two or more close calls exist:
+ *      a. Skip if both are inside a finally block (benign idiomatic pattern).
+ *      b. Otherwise emit a finding.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface DoubleCloseResult {
+    doubleCloses: Array<{
+        openLine: number;
+        closeLines: number[];
+        variable: string;
+    }>;
+}
+export declare class DoubleClosePass implements AnalysisPass<DoubleCloseResult> {
+    readonly name = "double-close";
+    readonly category: "reliability";
+    run(ctx: PassContext): DoubleCloseResult;
+    /** True if the given line is inside a `finally` block in the method. */
+    private isInFinallyBlock;
+}

package/dist/analysis/passes/double-close-pass.js

@@ -0,0 +1,109 @@
+/**
+ * Pass #31: double-close (CWE-675, category: reliability)
+ *
+ * Detects I/O resources that are closed more than once within the same
+ * method.  Calling close() on an already-closed stream (e.g., Java's
+ * FileInputStream, Node.js streams) typically throws an exception and
+ * indicates a resource-management bug.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same patterns as resource-leak-pass).
+ *   2. Collect the bound variable from DFG defs at the open line.
+ *   3. Find ALL close() calls on that variable within the enclosing method.
+ *   4. If two or more close calls exist:
+ *      a. Skip if both are inside a finally block (benign idiomatic pattern).
+ *      b. Otherwise emit a finding.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust (skip Bash).
+ */
+/** Constructors that produce closeable resources. */
+const RESOURCE_CTORS = new Set([
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    'FileChannel', 'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+/** Factory / open methods that return closeable resources. */
+const RESOURCE_FACTORY_METHODS = new Set([
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    'open', 'createReadStream', 'createWriteStream', 'createConnection',
+]);
+/** Methods that release a resource. */
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+export class DoubleClosePass {
+    name = 'double-close';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code } = ctx;
+        if (ctx.language === 'bash')
+            return { doubleCloses: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        const doubleCloses = [];
+        for (const call of graph.ir.calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const { start_line: methodStart, end_line: methodEnd } = methodInfo.method;
+            // Collect all close calls on resourceVar within the method
+            const closeCalls = graph.ir.calls.filter(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd);
+            if (closeCalls.length < 2)
+                continue;
+            const closeLines = closeCalls.map(c => c.location.line);
+            // Benign check: skip if all closes are guarded by finally
+            // (common idiom: try { ... } finally { res.close(); } + catch { res.close(); })
+            const allInFinally = closeLines.every(cl => this.isInFinallyBlock(codeLines, cl, methodStart, methodEnd));
+            if (allInFinally)
+                continue;
+            doubleCloses.push({ openLine, closeLines, variable: resourceVar });
+            const snippet = (codeLines[openLine - 1] ?? '').trim();
+            const linesStr = closeLines.join(' and ');
+            ctx.addFinding({
+                id: `double-close-${file}-${openLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-675',
+                severity: 'medium',
+                level: 'warning',
+                message: `Double close: \`${resourceVar}\` is closed at lines ${linesStr} — ` +
+                    `closing an already-closed resource may throw`,
+                file,
+                line: openLine,
+                snippet,
+                fix: `Close the resource exactly once in a finally block; ` +
+                    `add a null/isClosed guard before the second close if closing on multiple paths`,
+                evidence: { variable: resourceVar, close_lines: closeLines },
+            });
+        }
+        return { doubleCloses };
+    }
+    /** True if the given line is inside a `finally` block in the method. */
+    isInFinallyBlock(lines, targetLine, methodStart, methodEnd) {
+        for (let ln = methodStart; ln <= targetLine && ln <= methodEnd && ln <= lines.length; ln++) {
+            if (/\bfinally\b/.test(lines[ln - 1] ?? ''))
+                return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=double-close-pass.js.map

package/dist/analysis/passes/double-close-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"double-close-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/double-close-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,qDAAqD;AACrD,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC1D,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CACpE,CAAC,CAAC;AAEH,uCAAuC;AACvC,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAMH,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QAE5B,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAEzD,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,YAAY,GAAsC,EAAE,CAAC;QAE3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACpC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAE3E,2DAA2D;YAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B,CAAC;YAEF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YAEpC,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAExD,0DAA0D;YAC1D,gFAAgF;YAChF,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CACzC,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,CAC7D,CAAC;YACF,IAAI,YAAY;gBAAE,SAAS;YAE3B,YAAY,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAC;YAEnE,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACvD,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1C,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,gBAAgB,IAAI,IAAI,QAAQ,EAAE;gBACtC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,mBAAmB,WAAW,yBAAyB,QAAQ,KAAK;oBACpE,8CAA8C;gBAChD,IAAI;gBACJ,IAAI,EAAE,QAAQ;gBACd,OAAO;gBACP,GAAG,EACD,sDAAsD;oBACtD,gFAAgF;gBAClF,QAAQ,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE;aAC7D,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED,wEAAwE;IAChE,gBAAgB,CACtB,KAAe,EACf,UAAkB,EAClB,WAAmB,EACnB,SAAiB;QAEjB,KAAK,IAAI,EAAE,GAAG,WAAW,EAAE,EAAE,IAAI,UAAU,IAAI,EAAE,IAAI,SAAS,IAAI,EAAE,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YAC3F,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC3D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/analysis/passes/infinite-loop-pass.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Pass #28: infinite-loop (CWE-835, category: reliability)
+ *
+ * Detects loops with no reachable exit edge — i.e., loops that can run
+ * forever because every execution path through the loop body leads back to
+ * the loop header without a break, return, throw, or continue-to-outer.
+ *
+ * Detection strategy:
+ *   1. Identify loop headers: back-edge targets in the CFG (`edge.type === 'back'`).
+ *   2. For each loop, collect the loop body blocks via BFS from the header,
+ *      stopping at back-edge sources (the "tail" blocks).
+ *   3. Check whether any block in the body has an outgoing edge that exits
+ *      the loop (target not in body set and not back to header).
+ *   4. As a text-level fallback, scan source lines in the loop body for
+ *      `return`, `throw`/`raise`, `break`, `System.exit` keywords.
+ *   5. Emit a finding at the loop header's start_line if no exit is found.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust. Skip Bash.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface InfiniteLoopResult {
+    potentialInfiniteLoops: Array<{
+        headerLine: number;
+        bodyEndLine: number;
+    }>;
+}
+export declare class InfiniteLoopPass implements AnalysisPass<InfiniteLoopResult> {
+    readonly name = "infinite-loop";
+    readonly category: "reliability";
+    run(ctx: PassContext): InfiniteLoopResult;
+}

package/dist/analysis/passes/infinite-loop-pass.js

@@ -0,0 +1,126 @@
+/**
+ * Pass #28: infinite-loop (CWE-835, category: reliability)
+ *
+ * Detects loops with no reachable exit edge — i.e., loops that can run
+ * forever because every execution path through the loop body leads back to
+ * the loop header without a break, return, throw, or continue-to-outer.
+ *
+ * Detection strategy:
+ *   1. Identify loop headers: back-edge targets in the CFG (`edge.type === 'back'`).
+ *   2. For each loop, collect the loop body blocks via BFS from the header,
+ *      stopping at back-edge sources (the "tail" blocks).
+ *   3. Check whether any block in the body has an outgoing edge that exits
+ *      the loop (target not in body set and not back to header).
+ *   4. As a text-level fallback, scan source lines in the loop body for
+ *      `return`, `throw`/`raise`, `break`, `System.exit` keywords.
+ *   5. Emit a finding at the loop header's start_line if no exit is found.
+ *
+ * Languages: Java, JavaScript, TypeScript, Python, Rust. Skip Bash.
+ */
+/** Exit keywords to scan for as a text-level fallback. */
+const EXIT_KEYWORDS = /\b(return|throw|raise|break|System\.exit|process\.exit|os\._exit|exit!\()\b/;
+export class InfiniteLoopPass {
+    name = 'infinite-loop';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, code, language } = ctx;
+        if (language === 'bash') {
+            return { potentialInfiniteLoops: [] };
+        }
+        const { blocks, edges } = graph.ir.cfg;
+        if (blocks.length === 0)
+            return { potentialInfiniteLoops: [] };
+        const file = graph.ir.meta.file;
+        const codeLines = code.split('\n');
+        // Build adjacency maps
+        const outgoing = new Map();
+        for (const edge of edges) {
+            const list = outgoing.get(edge.from) ?? [];
+            list.push({ to: edge.to, type: edge.type });
+            outgoing.set(edge.from, list);
+        }
+        // Find back-edges: each back-edge defines a loop
+        const backEdges = edges.filter(e => e.type === 'back');
+        const potentialInfiniteLoops = [];
+        const reportedHeaders = new Set();
+        for (const backEdge of backEdges) {
+            const headerId = backEdge.to;
+            const tailId = backEdge.from;
+            const header = graph.blockById.get(headerId);
+            const tail = graph.blockById.get(tailId);
+            if (!header || !tail)
+                continue;
+            // Deduplicate: one finding per header
+            if (reportedHeaders.has(headerId))
+                continue;
+            // Collect loop body blocks via BFS from header, stopping at tail
+            const bodyIds = new Set();
+            const queue = [headerId];
+            bodyIds.add(headerId);
+            while (queue.length > 0) {
+                const cur = queue.shift();
+                for (const { to, type } of outgoing.get(cur) ?? []) {
+                    // Don't follow back edges (stay inside the loop)
+                    if (type === 'back')
+                        continue;
+                    if (!bodyIds.has(to)) {
+                        bodyIds.add(to);
+                        queue.push(to);
+                    }
+                }
+                // Stop expanding from tail (the back-edge source)
+                if (cur === tailId)
+                    break;
+            }
+            // Check for any exit edge: an edge from a body block to a non-body block
+            let hasExit = false;
+            for (const bodyId of bodyIds) {
+                for (const { to, type } of outgoing.get(bodyId) ?? []) {
+                    if (type === 'back')
+                        continue;
+                    if (!bodyIds.has(to)) {
+                        hasExit = true;
+                        break;
+                    }
+                }
+                if (hasExit)
+                    break;
+            }
+            if (hasExit)
+                continue;
+            // Text-level fallback: scan source lines for exit keywords
+            const bodyStart = header.start_line;
+            const bodyEnd = tail.end_line;
+            let hasKeywordExit = false;
+            for (let ln = bodyStart; ln <= bodyEnd && ln <= codeLines.length; ln++) {
+                if (EXIT_KEYWORDS.test(codeLines[ln - 1] ?? '')) {
+                    hasKeywordExit = true;
+                    break;
+                }
+            }
+            if (hasKeywordExit)
+                continue;
+            reportedHeaders.add(headerId);
+            potentialInfiniteLoops.push({ headerLine: header.start_line, bodyEndLine: bodyEnd });
+            const loc = bodyStart === bodyEnd
+                ? `line ${bodyStart}`
+                : `lines ${bodyStart}–${bodyEnd}`;
+            ctx.addFinding({
+                id: `infinite-loop-${file}-${header.start_line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-835',
+                severity: 'medium',
+                level: 'warning',
+                message: `Potential infinite loop: no reachable break, return, or throw found in loop body (${loc})`,
+                file,
+                line: header.start_line,
+                end_line: bodyEnd > header.start_line ? bodyEnd : undefined,
+                fix: 'Ensure the loop has a reachable exit condition (break, return, or throw) on all paths',
+            });
+        }
+        return { potentialInfiniteLoops };
+    }
+}
+//# sourceMappingURL=infinite-loop-pass.js.map

package/dist/analysis/passes/infinite-loop-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"infinite-loop-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/infinite-loop-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,0DAA0D;AAC1D,MAAM,aAAa,GAAG,6EAA6E,CAAC;AAMpG,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,eAAe,CAAC;IACvB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEtC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,OAAO,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC;QACxC,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC;QACvC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,sBAAsB,EAAE,EAAE,EAAE,CAAC;QAE/D,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEnC,uBAAuB;QACvB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA+C,CAAC;QACxE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QAED,iDAAiD;QACjD,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;QAEvD,MAAM,sBAAsB,GAAiD,EAAE,CAAC;QAChF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAE1C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC;YAE7B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE/B,sCAAsC;YACtC,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAE5C,iEAAiE;YACjE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEtB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;gBAC3B,KAAK,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;oBACnD,iDAAiD;oBACjD,IAAI,IAAI,KAAK,MAAM;wBAAE,SAAS;oBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;wBACrB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;wBAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACjB,CAAC;gBACH,CAAC;gBACD,kDAAkD;gBAClD,IAAI,GAAG,KAAK,MAAM;oBAAE,MAAM;YAC5B,CAAC;YAED,yEAAyE;YACzE,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,KAAK,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;oBACtD,IAAI,IAAI,KAAK,MAAM;wBAAE,SAAS;oBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;wBACrB,OAAO,GAAG,IAAI,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,OAAO;oBAAE,MAAM;YACrB,CAAC;YAED,IAAI,OAAO;gBAAE,SAAS;YAEtB,2DAA2D;YAC3D,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC9B,IAAI,cAAc,GAAG,KAAK,CAAC;YAC3B,KAAK,IAAI,EAAE,GAAG,SAAS,EAAE,EAAE,IAAI,OAAO,IAAI,EAAE,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;gBACvE,IAAI,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;oBAChD,cAAc,GAAG,IAAI,CAAC;oBACtB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,cAAc;gBAAE,SAAS;YAE7B,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC9B,sBAAsB,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YAErF,MAAM,GAAG,GAAG,SAAS,KAAK,OAAO;gBAC/B,CAAC,CAAC,QAAQ,SAAS,EAAE;gBACrB,CAAC,CAAC,SAAS,SAAS,IAAI,OAAO,EAAE,CAAC;YAEpC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,iBAAiB,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE;gBAChD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,qFAAqF,GAAG,GAAG;gBAC7F,IAAI;gBACJ,IAAI,EAAE,MAAM,CAAC,UAAU;gBACvB,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAC3D,GAAG,EAAE,uFAAuF;aAC7F,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,sBAAsB,EAAE,CAAC;IACpC,CAAC;CACF"}

package/dist/analysis/passes/react-inline-jsx-pass.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Pass #33: react-inline-jsx (category: performance)
+ *
+ * Detects inline object literals or arrow functions passed as JSX props.
+ * These create a new reference on every render, defeating React.memo /
+ * shouldComponentUpdate optimisations and causing unnecessary re-renders.
+ *
+ * Detection strategy:
+ *   1. Only runs on JavaScript/TypeScript files that appear to contain JSX
+ *      (quick check: source contains a `<UpperCase` JSX component pattern).
+ *   2. Scans each source line for:
+ *      a. Inline object prop:  propName={{   (double-brace)
+ *      b. Inline arrow prop:   propName={(...) =>   or   propName={identifier =>
+ *      c. Inline function prop: propName={function(
+ *   3. Skips:
+ *      - `style={{` — idiomatic and near-impossible to hoist statically
+ *      - `key=` — must be inline
+ *      - `data-*` attribute names
+ *      - Lines that are comments
+ *   4. Emits one finding per matched line.
+ *
+ * Languages: JavaScript and TypeScript only.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface ReactInlineJsxResult {
+    inlineProps: Array<{
+        line: number;
+        propName: string;
+        kind: 'object' | 'arrow' | 'function';
+    }>;
+}
+export declare class ReactInlineJsxPass implements AnalysisPass<ReactInlineJsxResult> {
+    readonly name = "react-inline-jsx";
+    readonly category: "performance";
+    run(ctx: PassContext): ReactInlineJsxResult;
+}