circle-ir 3.9.7 → 3.9.10

package/dist/browser/circle-ir.js

@@ -10483,7 +10483,8 @@ function findSinks(calls, patterns) {
             cwe: pattern.cwe,
             location,
             line: call.location.line,
-            confidence
+            confidence,
+            method: call.method_name
           });
         }
       }
@@ -11278,6 +11279,71 @@ var CodeGraph = class {
   }
 };
 
+// src/graph/exception-flow-graph.ts
+var ExceptionFlowGraph = class {
+  /** All try/catch pairs found in the CFG. */
+  pairs;
+  /** Block IDs that are catch-handler entry blocks. */
+  catchEntryIds;
+  /** Block IDs that are try-body entry blocks. */
+  tryEntryIds;
+  tryCatchMap;
+  // tryEntryId → [catchEntryId, …]
+  catchTryMap;
+  // catchEntryId → tryEntryId
+  constructor(cfg, blockById) {
+    this.pairs = [];
+    this.catchEntryIds = /* @__PURE__ */ new Set();
+    this.tryEntryIds = /* @__PURE__ */ new Set();
+    this.tryCatchMap = /* @__PURE__ */ new Map();
+    this.catchTryMap = /* @__PURE__ */ new Map();
+    for (const edge of cfg.edges) {
+      if (edge.type !== "exception") continue;
+      const tryBlock = blockById.get(edge.from);
+      const catchBlock = blockById.get(edge.to);
+      if (!tryBlock || !catchBlock) continue;
+      this.tryEntryIds.add(edge.from);
+      this.catchEntryIds.add(edge.to);
+      const catches = this.tryCatchMap.get(edge.from) ?? [];
+      catches.push(edge.to);
+      this.tryCatchMap.set(edge.from, catches);
+      this.catchTryMap.set(edge.to, edge.from);
+      this.pairs.push({
+        tryEntryId: edge.from,
+        catchEntryId: edge.to,
+        tryBlock,
+        catchBlock
+      });
+    }
+  }
+  /** True if at least one try/catch pair was found. */
+  get hasTryCatch() {
+    return this.pairs.length > 0;
+  }
+  /** True if the given block ID is a catch-handler entry block. */
+  isCatchEntry(blockId) {
+    return this.catchEntryIds.has(blockId);
+  }
+  /** True if the given block ID is a try-body entry block. */
+  isTryEntry(blockId) {
+    return this.tryEntryIds.has(blockId);
+  }
+  /**
+   * Returns the catch-entry block IDs for the given try-entry block.
+   * Multiple values mean multiple catch clauses for the same try.
+   */
+  catchBlocksFor(tryEntryId) {
+    return this.tryCatchMap.get(tryEntryId) ?? [];
+  }
+  /**
+   * Returns the try-entry block ID corresponding to a catch-entry block,
+   * or `undefined` if the block is not a catch entry.
+   */
+  tryBlockFor(catchEntryId) {
+    return this.catchTryMap.get(catchEntryId);
+  }
+};
+
 // src/graph/analysis-pass.ts
 var AnalysisPipeline = class {
   passes = [];
@@ -17422,7 +17488,8 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
   return sinks.filter((sink) => {
     const callsAtSink = callsByLine.get(sink.line) ?? [];
     const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
-    for (const call of callsAtSink) {
+    const relevantCalls = sink.method ? callsAtSink.filter((c) => c.method_name === sink.method) : callsAtSink;
+    for (const call of relevantCalls) {
       let allArgsAreClean = true;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
@@ -19150,6 +19217,971 @@ var StaleDocRefPass = class {
   }
 };
 
+// src/analysis/passes/infinite-loop-pass.ts
+var EXIT_KEYWORDS = /\b(return|throw|raise|break|System\.exit|process\.exit|os\._exit|exit!\()\b/;
+var InfiniteLoopPass = class {
+  name = "infinite-loop";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "bash") {
+      return { potentialInfiniteLoops: [] };
+    }
+    const { blocks, edges } = graph.ir.cfg;
+    if (blocks.length === 0) return { potentialInfiniteLoops: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const outgoing = /* @__PURE__ */ new Map();
+    for (const edge of edges) {
+      const list = outgoing.get(edge.from) ?? [];
+      list.push({ to: edge.to, type: edge.type });
+      outgoing.set(edge.from, list);
+    }
+    const backEdges = edges.filter((e) => e.type === "back");
+    const potentialInfiniteLoops = [];
+    const reportedHeaders = /* @__PURE__ */ new Set();
+    for (const backEdge of backEdges) {
+      const headerId = backEdge.to;
+      const tailId = backEdge.from;
+      const header = graph.blockById.get(headerId);
+      const tail = graph.blockById.get(tailId);
+      if (!header || !tail) continue;
+      if (reportedHeaders.has(headerId)) continue;
+      const bodyIds = /* @__PURE__ */ new Set();
+      const queue = [headerId];
+      bodyIds.add(headerId);
+      while (queue.length > 0) {
+        const cur = queue.shift();
+        for (const { to, type } of outgoing.get(cur) ?? []) {
+          if (type === "back") continue;
+          if (!bodyIds.has(to)) {
+            bodyIds.add(to);
+            queue.push(to);
+          }
+        }
+        if (cur === tailId) break;
+      }
+      let hasExit = false;
+      for (const bodyId of bodyIds) {
+        for (const { to, type } of outgoing.get(bodyId) ?? []) {
+          if (type === "back") continue;
+          if (!bodyIds.has(to)) {
+            hasExit = true;
+            break;
+          }
+        }
+        if (hasExit) break;
+      }
+      if (hasExit) continue;
+      const bodyStart = header.start_line;
+      const bodyEnd = tail.end_line;
+      let hasKeywordExit = false;
+      for (let ln = bodyStart; ln <= bodyEnd && ln <= codeLines.length; ln++) {
+        if (EXIT_KEYWORDS.test(codeLines[ln - 1] ?? "")) {
+          hasKeywordExit = true;
+          break;
+        }
+      }
+      if (hasKeywordExit) continue;
+      reportedHeaders.add(headerId);
+      potentialInfiniteLoops.push({ headerLine: header.start_line, bodyEndLine: bodyEnd });
+      const loc = bodyStart === bodyEnd ? `line ${bodyStart}` : `lines ${bodyStart}\u2013${bodyEnd}`;
+      ctx.addFinding({
+        id: `infinite-loop-${file}-${header.start_line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-835",
+        severity: "medium",
+        level: "warning",
+        message: `Potential infinite loop: no reachable break, return, or throw found in loop body (${loc})`,
+        file,
+        line: header.start_line,
+        end_line: bodyEnd > header.start_line ? bodyEnd : void 0,
+        fix: "Ensure the loop has a reachable exit condition (break, return, or throw) on all paths"
+      });
+    }
+    return { potentialInfiniteLoops };
+  }
+};
+
+// src/analysis/passes/deep-inheritance-pass.ts
+var DEPTH_THRESHOLD = 5;
+var CYCLE_GUARD = 20;
+var DeepInheritancePass = class {
+  name = "deep-inheritance";
+  category = "architecture";
+  run(ctx) {
+    const { graph, language } = ctx;
+    if (language === "rust" || language === "bash") {
+      return { deepClasses: [] };
+    }
+    const file = graph.ir.meta.file;
+    const types = graph.ir.types;
+    if (types.length === 0) return { deepClasses: [] };
+    const parentMap = /* @__PURE__ */ new Map();
+    for (const typeInfo of types) {
+      if (typeInfo.extends) {
+        const parentName = typeInfo.extends.replace(/<.*>/, "").trim();
+        if (parentName) {
+          parentMap.set(typeInfo.name, parentName);
+        }
+      }
+    }
+    const deepClasses = [];
+    for (const typeInfo of types) {
+      if (typeInfo.kind !== "class") continue;
+      if (typeInfo.start_line <= 0) continue;
+      let depth = 0;
+      let current = parentMap.get(typeInfo.name);
+      const visited = /* @__PURE__ */ new Set([typeInfo.name]);
+      while (current !== void 0 && depth < CYCLE_GUARD) {
+        depth++;
+        if (visited.has(current)) break;
+        visited.add(current);
+        current = parentMap.get(current);
+      }
+      if (depth > DEPTH_THRESHOLD) {
+        deepClasses.push({ className: typeInfo.name, depth, line: typeInfo.start_line });
+        ctx.addFinding({
+          id: `deep-inheritance-${file}-${typeInfo.start_line}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-1086",
+          severity: "low",
+          level: "warning",
+          message: `Deep inheritance: class \`${typeInfo.name}\` has inheritance depth ${depth} (threshold: ${DEPTH_THRESHOLD})`,
+          file,
+          line: typeInfo.start_line,
+          fix: `Refactor to prefer composition over inheritance. Consider extracting shared behaviour into interfaces or mixins.`,
+          evidence: { depth, threshold: DEPTH_THRESHOLD }
+        });
+      }
+    }
+    return { deepClasses };
+  }
+};
+
+// src/analysis/passes/redundant-loop-pass.ts
+var LENGTH_PATTERN = /\b([A-Za-z_$][A-Za-z0-9_$]*)\s*\.\s*(?:length|size\(\)|count\(\))/g;
+var OBJECT_STATIC_PATTERN = /\bObject\s*\.\s*(?:keys|values|entries)\s*\(\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*\)/g;
+var MATH_PATTERN = /\bMath\s*\.\s*(?:sqrt|pow|abs|floor|ceil|round|log|log2|log10)\s*\(\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*[,)]/g;
+var RedundantLoopPass = class {
+  name = "redundant-loop-computation";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "bash") {
+      return { invariants: [] };
+    }
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const loops = graph.loopBodies();
+    if (loops.length === 0) return { invariants: [] };
+    const invariants = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const loop of loops) {
+      const { start_line, end_line } = loop;
+      const modifiedVars = /* @__PURE__ */ new Set();
+      for (const def of graph.ir.dfg.defs) {
+        if (def.line >= start_line && def.line <= end_line) {
+          modifiedVars.add(def.variable);
+        }
+      }
+      for (let ln = start_line; ln <= end_line && ln <= codeLines.length; ln++) {
+        const lineText = codeLines[ln - 1] ?? "";
+        if (lineText.trim() === "") continue;
+        LENGTH_PATTERN.lastIndex = 0;
+        let m;
+        while ((m = LENGTH_PATTERN.exec(lineText)) !== null) {
+          const varName = m[1];
+          if (modifiedVars.has(varName)) continue;
+          const expr = m[0];
+          const key = `${ln}-${expr}`;
+          if (reported.has(key)) continue;
+          reported.add(key);
+          invariants.push({ line: ln, expression: expr, variable: varName });
+          ctx.addFinding({
+            id: `redundant-loop-computation-${file}-${ln}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-1050",
+            severity: "low",
+            level: "note",
+            message: `Loop-invariant computation: \`${expr}\` is recomputed on every iteration; hoist outside loop`,
+            file,
+            line: ln,
+            snippet: lineText.trim(),
+            fix: `Compute \`${expr}\` once before the loop and use the cached value inside.`,
+            evidence: { variable: varName, loop_start: start_line, loop_end: end_line }
+          });
+        }
+        OBJECT_STATIC_PATTERN.lastIndex = 0;
+        while ((m = OBJECT_STATIC_PATTERN.exec(lineText)) !== null) {
+          const varName = m[1];
+          if (modifiedVars.has(varName)) continue;
+          const expr = m[0];
+          const key = `${ln}-${expr}`;
+          if (reported.has(key)) continue;
+          reported.add(key);
+          invariants.push({ line: ln, expression: expr, variable: varName });
+          ctx.addFinding({
+            id: `redundant-loop-computation-${file}-${ln}-obj`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-1050",
+            severity: "low",
+            level: "note",
+            message: `Loop-invariant computation: \`${expr}\` allocates a new array on every iteration; hoist outside loop`,
+            file,
+            line: ln,
+            snippet: lineText.trim(),
+            fix: `Compute \`${expr}\` once before the loop.`,
+            evidence: { variable: varName, loop_start: start_line, loop_end: end_line }
+          });
+        }
+        MATH_PATTERN.lastIndex = 0;
+        while ((m = MATH_PATTERN.exec(lineText)) !== null) {
+          const varName = m[1];
+          if (modifiedVars.has(varName)) continue;
+          const expr = m[0].replace(/[,)]?\s*$/, ")");
+          const key = `${ln}-${expr}`;
+          if (reported.has(key)) continue;
+          reported.add(key);
+          invariants.push({ line: ln, expression: expr, variable: varName });
+          ctx.addFinding({
+            id: `redundant-loop-computation-${file}-${ln}-math`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: "CWE-1050",
+            severity: "low",
+            level: "note",
+            message: `Loop-invariant computation: \`${expr}\` is recomputed on every iteration; hoist outside loop`,
+            file,
+            line: ln,
+            snippet: lineText.trim(),
+            fix: `Compute \`${expr}\` once before the loop.`,
+            evidence: { variable: varName, loop_start: start_line, loop_end: end_line }
+          });
+        }
+      }
+    }
+    return { invariants };
+  }
+};
+
+// src/analysis/passes/unbounded-collection-pass.ts
+var GROW_METHODS = {
+  java: /* @__PURE__ */ new Set(["add", "put", "offer", "push", "addAll", "addFirst", "addLast", "enqueue", "insert"]),
+  javascript: /* @__PURE__ */ new Set(["push", "set", "add", "unshift", "append", "prepend"]),
+  typescript: /* @__PURE__ */ new Set(["push", "set", "add", "unshift", "append", "prepend"]),
+  python: /* @__PURE__ */ new Set(["append", "extend", "update", "add", "insert"]),
+  rust: /* @__PURE__ */ new Set(["push", "insert", "push_back", "push_front"])
+};
+var SHRINK_METHODS = /* @__PURE__ */ new Set([
+  "clear",
+  "remove",
+  "delete",
+  "shift",
+  "pop",
+  "removeFirst",
+  "removeLast",
+  "poll",
+  "pollFirst",
+  "pollLast",
+  "dequeue",
+  "discard",
+  "drain"
+]);
+var SIZE_LIMIT_RE = /\b(?:size|length|count|len)\s*\(\)?\s*[<>]=?\s*\d|\b(?:MAX|LIMIT|CAPACITY|MAX_SIZE)\b/i;
+var UnboundedCollectionPass = class {
+  name = "unbounded-collection";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "bash") {
+      return { unboundedCollections: [] };
+    }
+    const growMethods = GROW_METHODS[language] ?? GROW_METHODS["javascript"];
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const loops = graph.loopBodies();
+    if (loops.length === 0) return { unboundedCollections: [] };
+    const unboundedCollections = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const loop of loops) {
+      const { start_line, end_line } = loop;
+      const loopSource = codeLines.slice(start_line - 1, end_line).join("\n");
+      const growCalls = [];
+      for (const call of graph.ir.calls) {
+        const ln = call.location.line;
+        if (ln < start_line || ln > end_line) continue;
+        if (!growMethods.has(call.method_name)) continue;
+        if (!call.receiver) continue;
+        if (call.receiver === "this" || call.receiver === "self") continue;
+        growCalls.push({ receiver: call.receiver, line: ln });
+      }
+      if (growCalls.length === 0) continue;
+      const receiverLines = /* @__PURE__ */ new Map();
+      for (const { receiver, line } of growCalls) {
+        if (!receiverLines.has(receiver)) {
+          receiverLines.set(receiver, line);
+        }
+      }
+      for (const [receiver, firstGrowLine] of receiverLines.entries()) {
+        let hasShrink = false;
+        for (const call of graph.ir.calls) {
+          const ln = call.location.line;
+          if (ln < start_line || ln > end_line) continue;
+          if (call.receiver !== receiver) continue;
+          if (SHRINK_METHODS.has(call.method_name)) {
+            hasShrink = true;
+            break;
+          }
+        }
+        if (hasShrink) continue;
+        if (SIZE_LIMIT_RE.test(loopSource)) continue;
+        const key = `${receiver}-${start_line}`;
+        if (reported.has(key)) continue;
+        reported.add(key);
+        unboundedCollections.push({
+          receiver,
+          line: firstGrowLine,
+          loopStart: start_line,
+          loopEnd: end_line
+        });
+        ctx.addFinding({
+          id: `unbounded-collection-${file}-${firstGrowLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-770",
+          severity: "medium",
+          level: "warning",
+          message: `Unbounded collection: \`${receiver}\` grows inside a loop (lines ${start_line}\u2013${end_line}) with no size limit or clear`,
+          file,
+          line: firstGrowLine,
+          fix: `Add a size limit check (e.g., \`if (${receiver}.size() >= MAX) break;\`) or periodically clear/drain \`${receiver}\`.`,
+          evidence: { receiver, loop_start: start_line, loop_end: end_line }
+        });
+      }
+    }
+    return { unboundedCollections };
+  }
+};
+
+// src/analysis/passes/serial-await-pass.ts
+var AWAIT_ASSIGN_RE = /(?:const|let|var)?\s*(\w+)\s*=\s*await\s/;
+var AWAIT_RE = /\bawait\s/;
+var SerialAwaitPass = class {
+  name = "serial-await";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "javascript" && language !== "typescript") {
+      return { serialAwaits: [] };
+    }
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const totalLines = codeLines.length;
+    const serialAwaits = [];
+    const reportedFunctions = /* @__PURE__ */ new Set();
+    const awaitLines = [];
+    for (let i2 = 0; i2 < totalLines; i2++) {
+      const lineText = codeLines[i2];
+      if (!AWAIT_RE.test(lineText)) continue;
+      const m = AWAIT_ASSIGN_RE.exec(lineText);
+      const boundVar = m ? m[1] : null;
+      awaitLines.push({ line: i2 + 1, boundVar });
+    }
+    if (awaitLines.length < 2) return { serialAwaits: [] };
+    for (let i2 = 0; i2 + 1 < awaitLines.length; i2++) {
+      const a1 = awaitLines[i2];
+      const a2 = awaitLines[i2 + 1];
+      const method1 = graph.methodAtLine(a1.line);
+      const method2 = graph.methodAtLine(a2.line);
+      const methodKey1 = method1 ? `${method1.type.name}.${method1.method.name}.${method1.method.start_line}` : `top.${a1.line}`;
+      const methodKey2 = method2 ? `${method2.type.name}.${method2.method.name}.${method2.method.start_line}` : `top.${a2.line}`;
+      if (methodKey1 !== methodKey2) continue;
+      if (a2.line - a1.line > 4) continue;
+      const line2Text = codeLines[a2.line - 1] ?? "";
+      const line1Text = codeLines[a1.line - 1] ?? "";
+      let dependent = false;
+      if (a1.boundVar && new RegExp(`\\b${a1.boundVar}\\b`).test(line2Text)) {
+        dependent = true;
+      }
+      if (!dependent && a2.boundVar && new RegExp(`\\b${a2.boundVar}\\b`).test(line1Text)) {
+        dependent = true;
+      }
+      if (!dependent) {
+        const defs1 = graph.defsAtLine(a1.line);
+        const defs2 = graph.defsAtLine(a2.line);
+        for (const d1 of defs1) {
+          for (const d2 of defs2) {
+            if (d1.variable === d2.variable) {
+              dependent = true;
+              break;
+            }
+          }
+          if (dependent) break;
+        }
+      }
+      if (dependent) continue;
+      if (reportedFunctions.has(methodKey1)) continue;
+      reportedFunctions.add(methodKey1);
+      const funcLine = method1?.method.start_line ?? a1.line;
+      serialAwaits.push({ functionLine: funcLine, firstAwaitLine: a1.line, secondAwaitLine: a2.line });
+      const expr1 = line1Text.trim().replace(/^(?:const|let|var)\s+/, "");
+      const expr2 = line2Text.trim().replace(/^(?:const|let|var)\s+/, "");
+      ctx.addFinding({
+        id: `serial-await-${file}-${a1.line}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: void 0,
+        severity: "low",
+        level: "note",
+        message: `Serial awaits: \`${expr1}\` (line ${a1.line}) and \`${expr2}\` (line ${a2.line}) have no data dependency; consider using Promise.all()`,
+        file,
+        line: a1.line,
+        end_line: a2.line,
+        fix: `const [result1, result2] = await Promise.all([operation1, operation2]);`,
+        evidence: {
+          first_await_line: a1.line,
+          second_await_line: a2.line,
+          function_line: funcLine
+        }
+      });
+    }
+    return { serialAwaits };
+  }
+};
+
+// src/analysis/passes/react-inline-jsx-pass.ts
+var JSX_COMPONENT_RE = /<[A-Z][A-Za-z0-9]*/;
+var INLINE_OBJECT_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{\{/g;
+var INLINE_ARROW_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{(?:\(|[A-Za-z_$]).*?=>/g;
+var INLINE_FUNCTION_RE = /\s([A-Za-z][A-Za-z0-9_]*)=\{function\s*\(/g;
+var SKIP_PROPS = /* @__PURE__ */ new Set(["style", "key", "ref", "className", "id"]);
+var ReactInlineJsxPass = class {
+  name = "react-inline-jsx";
+  category = "performance";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "javascript" && language !== "typescript") {
+      return { inlineProps: [] };
+    }
+    if (!JSX_COMPONENT_RE.test(code)) {
+      return { inlineProps: [] };
+    }
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const inlineProps = [];
+    for (let i2 = 0; i2 < codeLines.length; i2++) {
+      const lineText = codeLines[i2];
+      const ln = i2 + 1;
+      const trimmed = lineText.trimStart();
+      if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) {
+        continue;
+      }
+      INLINE_OBJECT_RE.lastIndex = 0;
+      let m;
+      while ((m = INLINE_OBJECT_RE.exec(lineText)) !== null) {
+        const propName = m[1];
+        if (SKIP_PROPS.has(propName)) continue;
+        if (propName.startsWith("data-")) continue;
+        inlineProps.push({ line: ln, propName, kind: "object" });
+        ctx.addFinding({
+          id: `react-inline-jsx-obj-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: void 0,
+          severity: "low",
+          level: "note",
+          message: `Inline object in JSX prop \`${propName}\` creates a new reference on every render, defeating memoization`,
+          file,
+          line: ln,
+          snippet: lineText.trim(),
+          fix: `Extract the object literal into a \`useMemo\` hook or a module-level constant, then pass the reference: \`${propName}={myConstObject}\`.`
+        });
+      }
+      INLINE_ARROW_RE.lastIndex = 0;
+      while ((m = INLINE_ARROW_RE.exec(lineText)) !== null) {
+        const propName = m[1];
+        if (SKIP_PROPS.has(propName)) continue;
+        if (propName.startsWith("data")) continue;
+        inlineProps.push({ line: ln, propName, kind: "arrow" });
+        ctx.addFinding({
+          id: `react-inline-jsx-arrow-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: void 0,
+          severity: "low",
+          level: "note",
+          message: `Inline arrow function in JSX prop \`${propName}\` creates a new function reference on every render, defeating memoization`,
+          file,
+          line: ln,
+          snippet: lineText.trim(),
+          fix: `Wrap the handler with \`useCallback\` or define it outside the component: \`const handle${propName.charAt(0).toUpperCase()}${propName.slice(1)} = useCallback(...)\`.`
+        });
+      }
+      INLINE_FUNCTION_RE.lastIndex = 0;
+      while ((m = INLINE_FUNCTION_RE.exec(lineText)) !== null) {
+        const propName = m[1];
+        if (SKIP_PROPS.has(propName)) continue;
+        if (propName.startsWith("data")) continue;
+        inlineProps.push({ line: ln, propName, kind: "function" });
+        ctx.addFinding({
+          id: `react-inline-jsx-fn-${file}-${ln}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: void 0,
+          severity: "low",
+          level: "note",
+          message: `Inline function expression in JSX prop \`${propName}\` creates a new function reference on every render, defeating memoization`,
+          file,
+          line: ln,
+          snippet: lineText.trim(),
+          fix: `Wrap the handler with \`useCallback\` or define it outside the component: \`const handle${propName.charAt(0).toUpperCase()}${propName.slice(1)} = useCallback(...)\`.`
+        });
+      }
+    }
+    return { inlineProps };
+  }
+};
+
+// src/analysis/passes/swallowed-exception-pass.ts
+var MEANINGFUL_ACTION_RE = /\b(throw|raise|log|logger|console\.(error|warn|log|debug|info)|System\.(out|err)\.|print(?:ln|f)?|warn|error|debug|info|fatal|LOGGER|LOG|logging\.(warning|error|debug|info|critical))\b|\breturn\s+\S/;
+var SwallowedExceptionPass = class {
+  name = "swallowed-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "rust" || language === "bash") {
+      return { swallowed: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { swallowed: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { swallowed: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const swallowed = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const methodInfo = graph.methodAtLine(catchLine);
+      const scanEnd = methodInfo ? methodInfo.method.end_line : codeLines.length;
+      const catchBodyEnd = this.findCatchBodyEnd(codeLines, catchLine, scanEnd);
+      let hasAction = false;
+      for (let ln = catchLine; ln <= catchBodyEnd && ln <= codeLines.length; ln++) {
+        if (MEANINGFUL_ACTION_RE.test(codeLines[ln - 1] ?? "")) {
+          hasAction = true;
+          break;
+        }
+      }
+      if (!hasAction) {
+        reported.add(catchLine);
+        swallowed.push({ line: catchLine });
+        const snippet = (codeLines[catchLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `swallowed-exception-${file}-${catchLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-390",
+          severity: "medium",
+          level: "warning",
+          message: `Swallowed exception: catch block at line ${catchLine} has no throw, log, or return \u2014 the exception is silently discarded`,
+          file,
+          line: catchLine,
+          snippet,
+          fix: "At minimum log the exception, or re-throw it; never silently discard exceptions"
+        });
+      }
+    }
+    return { swallowed };
+  }
+  /**
+   * Walks source lines starting at `startLine` counting brace depth.
+   * Returns the line where the brace depth first returns to zero after
+   * the opening brace (i.e., the closing brace of the catch block).
+   * Capped at `maxLine`.
+   */
+  findCatchBodyEnd(lines, startLine, maxLine) {
+    let depth = 0;
+    let started = false;
+    for (let ln = startLine; ln <= maxLine && ln <= lines.length; ln++) {
+      const text = lines[ln - 1] ?? "";
+      for (const ch of text) {
+        if (ch === "{") {
+          depth++;
+          started = true;
+        } else if (ch === "}" && started) {
+          depth--;
+        }
+      }
+      if (started && depth <= 0) return ln;
+    }
+    return maxLine;
+  }
+};
+
+// src/analysis/passes/broad-catch-pass.ts
+var JAVA_BROAD_RE = /catch\s*\(\s*(Exception|Throwable|RuntimeException|Error)\s/;
+var PYTHON_BROAD_RE = /^\s*except\s*:|except\s+(Exception|BaseException)\b/;
+var BroadCatchPass = class {
+  name = "broad-catch";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "java" && language !== "python") {
+      return { broadCatches: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { broadCatches: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { broadCatches: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const broadCatches = [];
+    const reported = /* @__PURE__ */ new Set();
+    const pattern = language === "java" ? JAVA_BROAD_RE : PYTHON_BROAD_RE;
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const lineText = codeLines[catchLine - 1] ?? "";
+      const match = pattern.exec(lineText);
+      if (!match) continue;
+      const caughtType = match[1] ?? "Exception";
+      reported.add(catchLine);
+      broadCatches.push({ line: catchLine, type: caughtType });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `broad-catch-${file}-${catchLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-396",
+        severity: "low",
+        level: "warning",
+        message: `Broad catch: catching \`${caughtType}\` at line ${catchLine} suppresses unexpected errors and hides bugs`,
+        file,
+        line: catchLine,
+        snippet,
+        fix: language === "java" ? `Catch the specific exception types your code can handle (e.g., \`IOException\`, \`SQLException\`)` : `Catch the specific exception types your code can handle (e.g., \`ValueError\`, \`KeyError\`)`,
+        evidence: { caughtType }
+      });
+    }
+    return { broadCatches };
+  }
+};
+
+// src/analysis/passes/unhandled-exception-pass.ts
+var JS_THROW_RE = /^\s*throw\s+/;
+var PYTHON_RAISE_RE = /^\s*raise\b/;
+var UnhandledExceptionPass = class {
+  name = "unhandled-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "javascript" && language !== "typescript" && language !== "python") {
+      return { unhandled: [] };
+    }
+    const { cfg } = graph.ir;
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    const coveredRanges = [];
+    for (const pair of exGraph.pairs) {
+      if (pair.catchBlock.start_line > pair.tryBlock.start_line) {
+        coveredRanges.push({
+          start: pair.tryBlock.start_line,
+          end: pair.catchBlock.start_line - 1
+        });
+      }
+    }
+    const catchStarts = new Set(
+      exGraph.pairs.map((p) => p.catchBlock.start_line)
+    );
+    const throwRe = language === "python" ? PYTHON_RAISE_RE : JS_THROW_RE;
+    const unhandled = [];
+    const reportedMethods = /* @__PURE__ */ new Set();
+    for (let ln = 1; ln <= codeLines.length; ln++) {
+      const lineText = codeLines[ln - 1] ?? "";
+      if (!throwRe.test(lineText)) continue;
+      let inCatch = false;
+      for (const cs of catchStarts) {
+        if (ln >= cs) {
+          inCatch = true;
+          break;
+        }
+      }
+      inCatch = false;
+      for (const pair of exGraph.pairs) {
+        if (ln >= pair.catchBlock.start_line) {
+          const mThrow = graph.methodAtLine(ln);
+          const mCatch = graph.methodAtLine(pair.catchBlock.start_line);
+          if (mThrow && mCatch && mThrow.method.start_line === mCatch.method.start_line) {
+            inCatch = true;
+            break;
+          }
+        }
+      }
+      if (inCatch) continue;
+      const isCovered = coveredRanges.some((r) => ln >= r.start && ln <= r.end);
+      if (isCovered) continue;
+      const methodInfo = graph.methodAtLine(ln);
+      const methodKey = methodInfo ? `${methodInfo.method.start_line}-${methodInfo.method.end_line}` : `global-${ln}`;
+      if (reportedMethods.has(methodKey)) continue;
+      reportedMethods.add(methodKey);
+      const methodName = methodInfo?.method.name ?? "<anonymous>";
+      unhandled.push({ line: ln, method: methodName });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `unhandled-exception-${file}-${ln}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-390",
+        severity: "medium",
+        level: "warning",
+        message: `Unhandled exception: \`throw\` at line ${ln} in \`${methodName}\` is not inside a try/catch \u2014 callers receive an unexpected exception`,
+        file,
+        line: ln,
+        snippet,
+        fix: "Wrap throwing code in a try/catch, or document the exception in the function signature",
+        evidence: { method: methodName }
+      });
+    }
+    return { unhandled };
+  }
+};
+
+// src/analysis/passes/double-close-pass.ts
+var RESOURCE_CTORS2 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS2 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS2 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var DoubleClosePass = class {
+  name = "double-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { doubleCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const doubleCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS2.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS2.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const { start_line: methodStart, end_line: methodEnd } = methodInfo.method;
+      const closeCalls = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS2.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      );
+      if (closeCalls.length < 2) continue;
+      const closeLines = closeCalls.map((c) => c.location.line);
+      const allInFinally = closeLines.every(
+        (cl) => this.isInFinallyBlock(codeLines, cl, methodStart, methodEnd)
+      );
+      if (allInFinally) continue;
+      doubleCloses.push({ openLine, closeLines, variable: resourceVar });
+      const snippet = (codeLines[openLine - 1] ?? "").trim();
+      const linesStr = closeLines.join(" and ");
+      ctx.addFinding({
+        id: `double-close-${file}-${openLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-675",
+        severity: "medium",
+        level: "warning",
+        message: `Double close: \`${resourceVar}\` is closed at lines ${linesStr} \u2014 closing an already-closed resource may throw`,
+        file,
+        line: openLine,
+        snippet,
+        fix: `Close the resource exactly once in a finally block; add a null/isClosed guard before the second close if closing on multiple paths`,
+        evidence: { variable: resourceVar, close_lines: closeLines }
+      });
+    }
+    return { doubleCloses };
+  }
+  /** True if the given line is inside a `finally` block in the method. */
+  isInFinallyBlock(lines, targetLine, methodStart, methodEnd) {
+    for (let ln = methodStart; ln <= targetLine && ln <= methodEnd && ln <= lines.length; ln++) {
+      if (/\bfinally\b/.test(lines[ln - 1] ?? "")) return true;
+    }
+    return false;
+  }
+};
+
+// src/analysis/passes/use-after-close-pass.ts
+var RESOURCE_CTORS3 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS3 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS3 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var UseAfterClosePass = class {
+  name = "use-after-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { useAfterCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const useAfterCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS3.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS3.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const methodEnd = methodInfo.method.end_line;
+      const firstClose = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS3.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      ).sort((a, b) => a.location.line - b.location.line)[0];
+      if (!firstClose) continue;
+      const closeLine = firstClose.location.line;
+      const usesAfterClose = graph.ir.calls.filter(
+        (c) => c.receiver === resourceVar && c.location.line > closeLine && c.location.line <= methodEnd && !CLOSE_METHODS3.has(c.method_name)
+      );
+      for (const use of usesAfterClose) {
+        const useLine = use.location.line;
+        useAfterCloses.push({ openLine, closeLine, useLine, variable: resourceVar });
+        const snippet = (codeLines[useLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `use-after-close-${file}-${useLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-672",
+          severity: "high",
+          level: "error",
+          message: `Use after close: \`${resourceVar}.${use.method_name}()\` at line ${useLine} is called after \`${resourceVar}.close()\` at line ${closeLine}`,
+          file,
+          line: useLine,
+          snippet,
+          fix: `Do not use a resource after closing it; keep \`${resourceVar}\` open until all uses are complete`,
+          evidence: { variable: resourceVar, close_line: closeLine, open_line: openLine }
+        });
+      }
+    }
+    return { useAfterCloses };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -19949,7 +20981,7 @@ async function analyze(code, filePath, language, options = {}) {
     enriched: {}
   });
   const config = options.taintConfig ?? getDefaultConfig();
-  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).run(graph, code, language, config);
+  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");
   const taint = {