codeslick-cli 1.0.0

package/dist/src/lib/analyzers/javascript-analyzer.js

@@ -0,0 +1,2141 @@
+"use strict";
+/**
+ * ⚠️ SHARED MODULE: JavaScript Security Analyzer
+ *
+ * CRITICAL: This module is used by BOTH WebTool and GitHub App
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file analysis (<3s target)
+ * - Real-time vulnerability detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis (10-30s OK)
+ * - Automated security checks for professional teams
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all 96 analyzer tests: npm test analyzers
+ * 2. Test WebTool: Paste code at /analyze → Verify results appear
+ * 3. Test GitHub: Open PR → Verify webhook comment appears
+ * 4. Verify performance: Analysis must complete in <2s per file
+ * 5. Check detection rate: All test cases must still be detected
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by both systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks BOTH WebTool and GitHub UI parsing
+ *
+ * PROVEN INTERFERENCE:
+ * - Version 20251117.14:30: Phase 7 GitHub work broke WebTool
+ * - Root cause: Shared module modified without cross-system testing
+ *
+ * See: docs/technical/WEBTOOL_GITHUB_SEPARATION.md
+ *
+ * Last modified: 2025-11-18
+ * Last verified (both systems): 2025-11-18
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JavaScriptAnalyzer = void 0;
+const acorn = __importStar(require("acorn"));
+const references_1 = require("../standards/references");
+const severity_scoring_1 = require("../security/severity-scoring");
+const compliance_mapping_1 = require("../security/compliance-mapping");
+const code_cleaner_1 = require("../utils/code-cleaner");
+const jsx_helpers_1 = require("./helpers/jsx-helpers");
+const variable_tracker_1 = require("./helpers/variable-tracker");
+const react_security_1 = require("./security-checks/react-security");
+const es6_security_1 = require("./security-checks/es6-security");
+const security_misconfiguration_1 = require("./javascript/security-checks/security-misconfiguration");
+const exception_handling_1 = require("./javascript/security-checks/exception-handling");
+const enhanced_supply_chain_1 = require("./javascript/security-checks/enhanced-supply-chain");
+const access_control_1 = require("./javascript/security-checks/access-control");
+const authentication_failures_1 = require("./javascript/security-checks/authentication-failures");
+const insecure_design_1 = require("./javascript/security-checks/insecure-design");
+const software_integrity_1 = require("./javascript/security-checks/software-integrity");
+const ai_generated_code_1 = require("./javascript/security-checks/ai-generated-code");
+// Modular JavaScript Analyzer - Extracted modules (Week 2)
+// Syntax helpers
+const syntax_helpers_1 = require("./javascript/syntax/syntax-helpers");
+const typescript_syntax_1 = require("./javascript/syntax/typescript-syntax");
+// Quality checks
+const ai_hallucinations_1 = require("./javascript/quality-checks/ai-hallucinations");
+const reference_errors_1 = require("./javascript/quality-checks/reference-errors");
+const comparison_issues_1 = require("./javascript/quality-checks/comparison-issues");
+const async_patterns_1 = require("./javascript/quality-checks/async-patterns");
+const code_patterns_1 = require("./javascript/quality-checks/code-patterns");
+// Security checks
+const injection_attacks_1 = require("./javascript/security-checks/injection-attacks");
+const xss_dom_security_1 = require("./javascript/security-checks/xss-dom-security");
+const credential_crypto_1 = require("./javascript/security-checks/credential-crypto");
+const storage_security_1 = require("./javascript/security-checks/storage-security");
+const secrets_analyzer_1 = require("./secrets/secrets-analyzer");
+// Utils
+const metrics_calculator_1 = require("./javascript/utils/metrics-calculator");
+const performance_analyzer_1 = require("./javascript/utils/performance-analyzer");
+const createVulnerability_1 = require("./javascript/utils/createVulnerability");
+class JavaScriptAnalyzer {
+    constructor() {
+        this.language = 'javascript';
+    }
+    async analyze(input) {
+        const result = {
+            syntax: { valid: true, errors: [], lineErrors: [] },
+            quality: { score: 100, issues: [] },
+            performance: { score: 100, suggestions: [] },
+            security: { vulnerabilities: [] },
+            metrics: { complexity: 1, maintainability: 100, lines: 0, functions: 0 }
+        };
+        try {
+            await this.analyzeSyntax(input.code, result);
+            // Quality-check modules (extracted)
+            result.syntax.lineErrors.push(...(0, ai_hallucinations_1.detectAIHallucinations)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, reference_errors_1.detectReferenceErrors)(input.code, syntax_helpers_1.removeStringLiterals, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, comparison_issues_1.detectComparisonIssues)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, async_patterns_1.detectUnhandledPromises)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, async_patterns_1.detectThisContextIssues)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, async_patterns_1.detectCallbackHell)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, code_patterns_1.detectArrayMutations)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, code_patterns_1.detectDOMNullChecks)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            result.syntax.lineErrors.push(...(0, code_patterns_1.detectBlockingOperations)(input.code, syntax_helpers_1.isInsideTemplateLiteral));
+            this.analyzeQuality(input.code, result);
+            // Performance module (extracted)
+            const performanceAnalysis = (0, performance_analyzer_1.analyzePerformance)(input.code);
+            result.performance.score = performanceAnalysis.score;
+            result.performance.suggestions = performanceAnalysis.suggestions;
+            // Security-check modules (extracted)
+            result.security.vulnerabilities.push(...(0, injection_attacks_1.checkInjectionAttacks)(input.code, createVulnerability_1.createJavaScriptSecurityVulnerability));
+            result.security.vulnerabilities.push(...(0, xss_dom_security_1.checkXSSDOMSecurity)(input.code, createVulnerability_1.createJavaScriptSecurityVulnerability));
+            result.security.vulnerabilities.push(...(0, credential_crypto_1.checkCredentialCrypto)(input.code, createVulnerability_1.createJavaScriptSecurityVulnerability));
+            result.security.vulnerabilities.push(...(0, storage_security_1.checkStorageSecurity)(input.code, createVulnerability_1.createJavaScriptSecurityVulnerability));
+            // Secrets Detection (Phase 1.5, Week 1)
+            const secretsAnalyzer = (0, secrets_analyzer_1.createSecretsAnalyzer)();
+            result.security.vulnerabilities.push(...secretsAnalyzer.analyzeCode(input.code, input.filename || 'unknown.js', 'javascript'));
+            // AI-Generated Code Detection (Phase 1.5, Week 5-7)
+            result.security.vulnerabilities.push(...(0, ai_generated_code_1.checkAIGeneratedCode)(input.code.split('\n'), input.filename));
+            // Additional security checks (React, ES6, Node.js, OWASP 2025)
+            this.analyzeSecurity(input.code, result);
+            // Metrics module (extracted)
+            const metrics = (0, metrics_calculator_1.calculateMetrics)(input.code, typescript_syntax_1.isTypeScriptCode);
+            result.metrics.lines = metrics.lines;
+            result.metrics.functions = metrics.functions;
+            result.metrics.complexity = metrics.complexity;
+            result.metrics.maintainability = metrics.maintainability;
+            // Re-validate syntax.valid after all error detections (Phase 1 adds errors after initial validation)
+            const errorCount = result.syntax.lineErrors?.filter(e => e.severity === 'error').length || 0;
+            if (errorCount > 0 || result.syntax.errors.length > 0) {
+                result.syntax.valid = false;
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown Error';
+            result.syntax.valid = false;
+            result.syntax.errors.push(`Analysis error: ${errorMessage}`);
+        }
+        return result;
+    }
+    async validateSyntax(code) {
+        try {
+            acorn.parse(code, {
+                ecmaVersion: 2022,
+                sourceType: 'module',
+                allowReturnOutsideFunction: true
+            });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    getLanguageInfo() {
+        return {
+            name: 'JavaScript',
+            extensions: ['.js', '.jsx', '.ts', '.tsx', '.mjs'],
+            description: 'Language for web development and Node.js'
+        };
+    }
+    isTypeScriptCode(code) {
+        // Detect common TypeScript syntax
+        const typeScriptPatterns = [
+            /interface\s+\w+/, // Interface declarations
+            /type\s+\w+\s*=/, // type aliases
+            /:\s*\w+(\[\])?/, // type annotations
+            /export\s+interface/, // exported interfaces
+            /export\s+type/, // exported types
+            /<.*>/, // generic types
+            /as\s+\w+/, // type assertions
+            /enum\s+\w+/, // enum declarations
+            /namespace\s+\w+/, // namespace declarations
+            /declare\s+/, // declare statements
+            /readonly\s+/, // readonly modifier
+            /public\s+|private\s+|protected\s+/, // access modifiers
+        ];
+        return typeScriptPatterns.some(pattern => pattern.test(code));
+    }
+    checkBasicTypeScriptSyntax(code, errors, lineErrors) {
+        const lines = code.split('\n');
+        // Track template literal state across lines
+        // Template literals can span multiple lines: const str = `line1
+        //                                                          line2`;
+        let insideTemplateLiteral = false;
+        // First pass: basic line-by-line checks
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Count backticks on this line to track template literal state
+            const backtickCount = (line.match(/`/g) || []).length;
+            // Toggle state for each backtick found
+            if (backtickCount > 0) {
+                for (let i = 0; i < backtickCount; i++) {
+                    insideTemplateLiteral = !insideTemplateLiteral;
+                }
+            }
+            // Skip ALL checks if we're inside a template literal
+            // Template literals contain arbitrary text (Python, SQL, HTML, etc.)
+            // This line is BETWEEN opening and closing backticks = it's a string!
+            if (insideTemplateLiteral && backtickCount === 0) {
+                return;
+            }
+            // Skip empty lines and comments completely
+            if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) {
+                return;
+            }
+            // AI Hallucination: Check for .push() on strings (Python/list confusion)
+            // Strings in JS are immutable, use += or array methods
+            // IMPORTANT: This is a SEMANTIC error (runtime TypeError), not syntax error
+            // The code IS valid JavaScript - it will parse successfully but fail at runtime
+            if (trimmed.match(/(['"`].*['"`]|String\(|\.toString\(\)|\.toLowerCase\(\)|\.toUpperCase\(\)).*\.push\(/) ||
+                trimmed.match(/\w+\.push\(/) && (trimmed.includes("''") || trimmed.includes('""') || trimmed.includes('``') ||
+                    trimmed.match(/=\s*['"`]/))) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Strings don\'t have .push() method (common AI hallucination)',
+                    suggestion: 'Strings are immutable in JS. Use: str += value, str = str + value, or convert to array first',
+                    severity: 'warning' // Changed from 'error' - this is semantic, not syntax
+                });
+            }
+            // Check for missing semicolons in property definitions
+            if ((0, typescript_syntax_1.shouldHaveSemicolon)(trimmed)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Missing semicolon',
+                    suggestion: `Add ; at the end: ${trimmed};`,
+                    severity: 'error'
+                });
+            }
+            // Check for unclosed strings
+            if ((0, typescript_syntax_1.hasUnclosedString)(trimmed)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Unclosed string',
+                    suggestion: 'Check the quotes on this line',
+                    severity: 'error'
+                });
+            }
+        });
+        // Second pass: structural validation
+        this.validateTypeScriptStructure(code, errors, lineErrors);
+    }
+    validateTypeScriptStructure(code, errors, lineErrors) {
+        const lines = code.split('\n');
+        // Track Interface blocks
+        let insideInterface = false;
+        let interfaceStartLine = 0;
+        let braceCount = 0;
+        let expectedProperties = [];
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Skip comments and empty lines
+            if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('/*')) {
+                return;
+            }
+            // Detect Interface start
+            if (trimmed.startsWith('export Interface') || trimmed.startsWith('Interface')) {
+                insideInterface = true;
+                interfaceStartLine = lineNumber;
+                braceCount = 0;
+            }
+            if (insideInterface) {
+                // Count braces
+                braceCount += (line.match(/\{/g) || []).length;
+                braceCount -= (line.match(/\}/g) || []).length;
+                // Check for malformed property definitions
+                if (trimmed.includes(':') && !trimmed.startsWith('export') && !trimmed.startsWith('Interface')) {
+                    // This should be a property definition
+                    if (!(0, typescript_syntax_1.isValidPropertyDefinition)(trimmed)) {
+                        const propertyName = trimmed.split(':')[0].trim();
+                        const typePart = trimmed.split(':')[1]?.trim() || '';
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Property "${propertyName}" has incorrect syntax`,
+                            suggestion: `Fix to: ${propertyName}: correctType;`,
+                            severity: 'error'
+                        });
+                    }
+                }
+                // Check for orphaned closing braces
+                if (trimmed === '}' && braceCount === 0) {
+                    insideInterface = false;
+                }
+                // Detect incomplete property lines
+                if ((0, typescript_syntax_1.isIncompleteProperty)(trimmed)) {
+                    const propertyName = trimmed.includes(':') ? trimmed.split(':')[0].trim() : 'Property';
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Property "${propertyName}" is incomplete`,
+                        suggestion: `Complete the definition: ${propertyName}: string; (for example)`,
+                        severity: 'error'
+                    });
+                }
+            }
+        });
+        // Check for unclosed interfaces
+        if (insideInterface && braceCount > 0) {
+            errors.push(`Interface started on line ${interfaceStartLine} was not closed`);
+        }
+    }
+    isValidPropertyDefinition(line) {
+        const trimmed = line.trim();
+        // Simple check: if it has a colon and doesn't start with comment, it should be a valid property
+        if (!trimmed.includes(':')) {
+            return true; // Not a property line
+        }
+        // Skip Interface declarations and other non-property lines
+        if (trimmed.startsWith('Interface') || trimmed.startsWith('export') ||
+            trimmed.includes('{') || trimmed.includes('}')) {
+            return true;
+        }
+        // Skip valid TypeScript patterns
+        if (trimmed.includes('[') && trimmed.includes(']')) {
+            // Index signatures like [key: string]: string; are always valid
+            return true;
+        }
+        if (trimmed.includes('(') && trimmed.includes(')')) {
+            // Function signatures like method(): void; are always valid
+            return true;
+        }
+        // For commented properties, they are invalid if they would have been properties
+        if (trimmed.startsWith('//')) {
+            return false; // Commented property is invalid
+        }
+        // Very basic pattern: word : something
+        const basicPattern = /^\s*(readonly\s+)?\w+\s*\??\s*:\s*.+$/;
+        return basicPattern.test(trimmed);
+    }
+    isIncompleteProperty(line) {
+        const trimmed = line.trim();
+        // Check for commented properties that should be active
+        if (trimmed.startsWith('//') && trimmed.includes(':')) {
+            // This is a commented property - flag as issue
+            return true;
+        }
+        // Check for incomplete property syntax
+        if (trimmed.includes(':')) {
+            // Skip Interface/export lines
+            if (trimmed.startsWith('Interface') || trimmed.startsWith('export') ||
+                trimmed.includes('{') || trimmed.includes('}')) {
+                return false;
+            }
+            // Skip valid TypeScript patterns
+            if (trimmed.includes('[') && trimmed.includes(']')) {
+                // Index signatures like [key: string]: string; are always valid
+                return false;
+            }
+            if (trimmed.includes('(') && trimmed.includes(')')) {
+                // Function signatures like method(): void; are always valid
+                return false;
+            }
+            // Check if it's missing type or has wrong syntax
+            const hasValidType = /:\s*.+/.test(trimmed);
+            if (!hasValidType) {
+                return true;
+            }
+        }
+        return false;
+    }
+    shouldHaveSemicolon(line) {
+        // Lines that should end with semicolon in TypeScript
+        const trimmed = line.trim();
+        // CRITICAL FIX: Strip comments before checking line endings
+        // This prevents false positives like: return x;  // comment ending with )
+        const commentIndex = trimmed.indexOf('//');
+        const codeOnly = commentIndex > 0
+            ? trimmed.substring(0, commentIndex).trimEnd()
+            : trimmed;
+        // Skip if already has semicolon, or ends with special characters
+        if (codeOnly.endsWith(';') || codeOnly.endsWith('{') || codeOnly.endsWith('}') ||
+            codeOnly.endsWith(',') || codeOnly.endsWith('(') || codeOnly.endsWith(')')) {
+            return false;
+        }
+        // Skip Interface/type property definitions (they use different syntax)
+        if (codeOnly.includes(':') && !codeOnly.includes('=') && !codeOnly.includes('(')) {
+            return false;
+        }
+        // Skip control structures, declarations, etc.
+        if (codeOnly.startsWith('if') || codeOnly.startsWith('for') || codeOnly.startsWith('while') ||
+            codeOnly.startsWith('Interface') || codeOnly.startsWith('type') || codeOnly.startsWith('export') ||
+            codeOnly.startsWith('import') || codeOnly.startsWith('class') || codeOnly.startsWith('function') ||
+            codeOnly.startsWith('const') || codeOnly.startsWith('let') || codeOnly.startsWith('var')) {
+            return false;
+        }
+        // Lines that likely need semicolons (check code only, not comments)
+        return codeOnly.includes('=') || codeOnly.includes('return') || codeOnly.includes('throw') ||
+            codeOnly.includes('break') || codeOnly.includes('continue') ||
+            /\w+\(.*\)$/.test(codeOnly); // function calls
+    }
+    hasUnclosedString(line) {
+        // CRITICAL FIX: Remove comments before checking quotes
+        // Problem: Quotes in comments were triggering false positives
+        // Example: str.push(char);  // ERROR: Strings don't have .push() method'
+        //                                                                      ^ This quote was counted!
+        const lineWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(line, 'javascript');
+        const singleQuotes = (lineWithoutComments.match(/'/g) || []).length;
+        const doubleQuotes = (lineWithoutComments.match(/"/g) || []).length;
+        // CRITICAL FIX (2025-11-18): Do NOT check backticks line-by-line
+        // Template literals (backticks) are DESIGNED to span multiple lines in JavaScript
+        // Example: const str = `line 1
+        //                       line 2`;  <- This is VALID JavaScript!
+        //
+        // Checking backticks % 2 on individual lines creates FALSE POSITIVES
+        // User bug report: const pythonTestCode = `def process_data(data):
+        //                  ^ One backtick is VALID here (template literal continues below)
+        //
+        // ONLY check single and double quotes (they don't span multiple lines normally)
+        return (singleQuotes % 2 !== 0) || (doubleQuotes % 2 !== 0);
+    }
+    hasTypeScriptTypeError(line) {
+        const trimmed = line.trim();
+        // Skip non-property lines
+        if (!trimmed.includes(':') || trimmed.startsWith('Interface') || trimmed.startsWith('export') ||
+            trimmed.includes('{') || trimmed.includes('}')) {
+            return false;
+        }
+        // Skip valid TypeScript patterns
+        if (trimmed.includes('[') && trimmed.includes(']')) {
+            // Index signatures like [key: string]: string;
+            return false;
+        }
+        // Check for function signatures - but ONLY skip if it's a method signature (no 'function' keyword)
+        // We want to check function declarations like: function foo(): boolen {
+        if (trimmed.includes('(') && trimmed.includes(')') && !trimmed.startsWith('function')) {
+            // Method signatures like method(): void; (inside interfaces)
+            return false;
+        }
+        // Extract the type part after the colon
+        // For function declarations, we want the return type (after closing paren)
+        // For properties, we want the type after the property name
+        let colonIndex = trimmed.indexOf(':');
+        if (colonIndex === -1)
+            return false;
+        // If this is a function declaration, find the colon AFTER the closing paren
+        if (trimmed.startsWith('function') && trimmed.includes(')')) {
+            const closingParenIndex = trimmed.lastIndexOf(')');
+            const colonAfterParen = trimmed.indexOf(':', closingParenIndex);
+            if (colonAfterParen !== -1) {
+                colonIndex = colonAfterParen;
+            }
+        }
+        const typePart = trimmed.substring(colonIndex + 1).trim();
+        // Remove semicolon, comments, opening brace, and any trailing characters
+        const typeWithoutSemicolon = typePart
+            .split(';')[0] // Remove semicolon and everything after
+            .split('//')[0] // Remove line comments
+            .split('/*')[0] // Remove block comments
+            .split('{')[0] // Remove opening brace (for function bodies)
+            .trim();
+        // Common TypeScript type typos
+        const commonTypos = {
+            'strng': 'string',
+            'strig': 'string',
+            'stirng': 'string',
+            'numbr': 'number',
+            'numebr': 'number',
+            'bolean': 'boolean',
+            'boolea': 'boolean',
+            'boolen': 'boolean',
+            'undefind': 'undefined',
+            'nul': 'null',
+            'voic': 'void',
+            'aray': 'array',
+            'Array': 'Array', // This one is correct but often confused
+            'dat': 'Date',
+            'Dat': 'Date',
+            'objec': 'object',
+            'Object': 'Object'
+        };
+        // Check if the type matches any known typos
+        for (const typo in commonTypos) {
+            if (typeWithoutSemicolon === typo) {
+                return true;
+            }
+        }
+        // Check for other common patterns that suggest typos
+        if (typeWithoutSemicolon.length > 2 && typeWithoutSemicolon.length < 8) {
+            // Basic heuristics for detecting potential type typos
+            const validPrimitiveTypes = ['string', 'number', 'boolean', 'undefined', 'null', 'void', 'any', 'unknown', 'never'];
+            const validComplexTypes = ['Date', 'Array', 'Object', 'Function', 'Promise'];
+            // If it looks like it could be a primitive type but isn't exact match
+            if (!validPrimitiveTypes.includes(typeWithoutSemicolon) &&
+                !validComplexTypes.includes(typeWithoutSemicolon) &&
+                !/^[A-Z]/.test(typeWithoutSemicolon) && // Not starting with capital (custom type)
+                !typeWithoutSemicolon.includes('[]') && // Not array type
+                !typeWithoutSemicolon.includes('|') && // Not union type
+                !typeWithoutSemicolon.includes('&') && // Not intersection type
+                !typeWithoutSemicolon.includes('<') && // Not generic type
+                !/^\w+$/.test(typeWithoutSemicolon)) { // Not a simple word
+                return true;
+            }
+        }
+        return false;
+    }
+    suggestTypeCorrection(line) {
+        const trimmed = line.trim();
+        let colonIndex = trimmed.indexOf(':');
+        // If this is a function declaration, find the colon AFTER the closing paren
+        if (trimmed.startsWith('function') && trimmed.includes(')')) {
+            const closingParenIndex = trimmed.lastIndexOf(')');
+            const colonAfterParen = trimmed.indexOf(':', closingParenIndex);
+            if (colonAfterParen !== -1) {
+                colonIndex = colonAfterParen;
+            }
+        }
+        const typePart = trimmed.substring(colonIndex + 1).trim();
+        // Remove semicolon, comments, opening brace, and any trailing characters
+        const typeWithoutSemicolon = typePart
+            .split(';')[0] // Remove semicolon and everything after
+            .split('//')[0] // Remove line comments
+            .split('/*')[0] // Remove block comments
+            .split('{')[0] // Remove opening brace (for function bodies)
+            .trim();
+        const commonTypos = {
+            'strng': 'string',
+            'strig': 'string',
+            'stirng': 'string',
+            'numbr': 'number',
+            'numebr': 'number',
+            'bolean': 'boolean',
+            'boolea': 'boolean',
+            'boolen': 'boolean',
+            'undefind': 'undefined',
+            'nul': 'null',
+            'voic': 'void',
+            'aray': 'array',
+            'dat': 'Date',
+            'Dat': 'Date',
+            'objec': 'object'
+        };
+        if (commonTypos[typeWithoutSemicolon]) {
+            const correctedType = commonTypos[typeWithoutSemicolon];
+            const correctedLine = trimmed.replace(typeWithoutSemicolon, correctedType);
+            return `Possible typo. Suggestion: ${correctedLine}`;
+        }
+        return `Check type "${typeWithoutSemicolon}". Common types: string, number, boolean, Date`;
+    }
+    isMissingComma(currentLine, nextLine) {
+        // Skip empty lines, comments, and structural characters
+        if (!currentLine || !nextLine)
+            return false;
+        if (currentLine.startsWith('//') || nextLine.startsWith('//'))
+            return false;
+        if (currentLine.startsWith('/*') || nextLine.startsWith('/*'))
+            return false;
+        // Skip if current line already ends with comma, semicolon, opening/closing braces
+        const lastChar = currentLine.trimEnd().slice(-1);
+        if ([',', ';', '{', '}', '[', ']'].includes(lastChar))
+            return false;
+        // Skip if next line is a closing brace or bracket
+        if (['}', ']', ')'].includes(nextLine[0]))
+            return false;
+        // Check if current line looks like an object property: "key: value"
+        const hasColon = currentLine.includes(':');
+        if (!hasColon)
+            return false;
+        // Check if next line looks like another property (has colon and is not a URL)
+        const nextHasColon = nextLine.includes(':');
+        if (!nextHasColon)
+            return false;
+        // Exclude URLs and other false positives
+        if (currentLine.includes('://') || nextLine.includes('://'))
+            return false;
+        if (currentLine.includes('?') && currentLine.includes(':'))
+            return false; // Ternary operator
+        // Check if lines look like property definitions
+        const propertyPattern = /^\s*[\w$]+\s*:\s*.+/;
+        if (!propertyPattern.test(currentLine))
+            return false;
+        if (!propertyPattern.test(nextLine))
+            return false;
+        return true;
+    }
+    async analyzeSyntax(code, result) {
+        const errors = [];
+        const lineErrors = [];
+        // Line by line analysis
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            // BUG FIX (2025-11-18): Remove string content before syntax checks
+            // Previous bug: 'Language...' (ellipsis in string) flagged as "double dots" error
+            // CRITICAL FIX (2025-11-21): Also remove comments before syntax checks
+            // Previous bug: Comments with ".." in attack examples flagged as syntax errors
+            const lineWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(line, 'javascript');
+            const lineWithoutStrings = (0, syntax_helpers_1.removeStringLiterals)(lineWithoutComments);
+            // Check for double dots (but not triple dots which is spread operator)
+            // FIXED: Now checks cleaned line without string content AND comments
+            if (lineWithoutStrings.includes('..') && !lineWithoutStrings.includes('...')) {
+                const position = lineWithoutStrings.indexOf('..');
+                lineErrors.push({
+                    line: lineNumber,
+                    error: `Double dots found at position ${position + 1}`,
+                    suggestion: 'Remove the extra dot. Example: console.log() instead of console.log..()',
+                    severity: 'error'
+                });
+            }
+            // Check for dot before parentheses (console.log.() etc)
+            // FIXED: Now checks cleaned line without string content
+            const dotParenMatch = lineWithoutStrings.match(/(\w+)\.(\w+)\.(\()/);
+            if (dotParenMatch) {
+                const [fullMatch, object, method] = dotParenMatch;
+                lineErrors.push({
+                    line: lineNumber,
+                    error: `Syntax error: extra dot before parentheses in "${object}.${method}.("`,
+                    suggestion: `Fix: ${object}.${method}(`,
+                    severity: 'error'
+                });
+            }
+            // Check for use of var
+            // FIXED: Use cleaned line to avoid flagging "var" inside strings
+            if (lineWithoutStrings.match(/\bvar\s+/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Use of var detected',
+                    suggestion: 'Use const for constant values or let for variables that change',
+                    severity: 'warning'
+                });
+            }
+            // Note: .length caching moved to performance suggestions section
+            // Not flagged as a line error to avoid cluttering the editor
+            // Check for unclosed quotes (must use raw line to detect quote issues)
+            // BUG FIX (2025-11-18): Use CodeCleaner.removeLineComments() instead of split('//')
+            // Previous bug: split('//') also splits URLs like http://localhost
+            // Example: 'http://localhost:3000' → 'http:' (loses everything after //)
+            const codeWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(line, 'javascript');
+            const singleQuotes = (codeWithoutComments.match(/'/g) || []).length;
+            const doubleQuotes = (codeWithoutComments.match(/"/g) || []).length;
+            if (singleQuotes % 2 !== 0) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Unclosed single quotes',
+                    suggestion: 'Check that all \' quotes are closed correctly',
+                    severity: 'error'
+                });
+            }
+            if (doubleQuotes % 2 !== 0) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Unclosed double quotes',
+                    suggestion: 'Check that all " quotes are closed correctly',
+                    severity: 'error'
+                });
+            }
+            // Check for common semantic errors: .push() on strings (Python/Java confusion)
+            // FIXED: Use cleaned line to avoid flagging .push() inside string literals
+            if (lineWithoutStrings.match(/\b(str|string|text|name|msg|message|word|title)\s*\.\s*push\s*\(/i)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Strings don\'t have .push() method',
+                    suggestion: 'Use string concatenation (+=) or convert to array with .split("") first',
+                    severity: 'error'
+                });
+            }
+        });
+        // Check balanced parentheses (ignore comments) - version with line tracking
+        let parenBalance = 0;
+        let braceBalance = 0;
+        let bracketBalance = 0;
+        let inLineComment = false;
+        let inBlockComment = false;
+        let inString = false;
+        let stringChar = '';
+        let currentLine = 1;
+        // Track opening positions for better error reporting
+        const openBraces = [];
+        const missingClosures = [];
+        for (let i = 0; i < code.length; i++) {
+            const char = code[i];
+            const nextChar = code[i + 1];
+            // Track line numbers
+            if (char === '\n') {
+                currentLine++;
+            }
+            // Handle line comments
+            if (!inBlockComment && !inString && char === '/' && nextChar === '/') {
+                inLineComment = true;
+                i++; // Skip next char
+                continue;
+            }
+            // End line comment
+            if (inLineComment && char === '\n') {
+                inLineComment = false;
+                continue;
+            }
+            // Handle block comments
+            if (!inLineComment && !inString && char === '/' && nextChar === '*') {
+                inBlockComment = true;
+                i++; // Skip next char
+                continue;
+            }
+            if (inBlockComment && char === '*' && nextChar === '/') {
+                inBlockComment = false;
+                i++; // Skip next char
+                continue;
+            }
+            // Handle strings
+            if (!inLineComment && !inBlockComment && (char === '"' || char === "'")) {
+                if (!inString) {
+                    inString = true;
+                    stringChar = char;
+                }
+                else if (char === stringChar && code[i - 1] !== '\\') {
+                    inString = false;
+                    stringChar = '';
+                }
+                continue;
+            }
+            // Only count braces outside comments and strings
+            if (!inLineComment && !inBlockComment && !inString) {
+                if (char === '(') {
+                    parenBalance++;
+                    openBraces.push({ line: currentLine, char: '(' });
+                }
+                else if (char === ')') {
+                    parenBalance--;
+                    // Find matching opening parenthesis
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '(') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+                else if (char === '{') {
+                    braceBalance++;
+                    openBraces.push({ line: currentLine, char: '{' });
+                }
+                else if (char === '}') {
+                    braceBalance--;
+                    // Find matching opening brace
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '{') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+                else if (char === '[') {
+                    bracketBalance++;
+                    openBraces.push({ line: currentLine, char: '[' });
+                }
+                else if (char === ']') {
+                    bracketBalance--;
+                    // Find matching opening bracket
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '[') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        // Create line-specific errors for unmatched braces
+        const hasParenErrors = openBraces.some(b => b.char === '(');
+        const hasBraceErrors = openBraces.some(b => b.char === '{');
+        const hasBracketErrors = openBraces.some(b => b.char === '[');
+        openBraces.forEach(brace => {
+            const closingChar = brace.char === '{' ? '}' : brace.char === '(' ? ')' : ']';
+            const typeName = brace.char === '{' ? 'brace' : brace.char === '(' ? 'parenthesis' : 'bracket';
+            lineErrors.push({
+                line: brace.line,
+                error: `${typeName.charAt(0).toUpperCase() + typeName.slice(1)} "${brace.char}" was not closed`,
+                suggestion: `Add "${closingChar}" to close the ${typeName} opened on line ${brace.line}`,
+                severity: 'error'
+            });
+        });
+        // DON'T add general balance errors - we now have specific line errors above
+        // This prevents "phantom" errors without line numbers that can't use Auto-Fix
+        // Check basic syntax (for all files)
+        const isTypeScript = (0, typescript_syntax_1.isTypeScriptCode)(code);
+        if (!isTypeScript) {
+            // Pure JavaScript - use acorn parser
+            try {
+                acorn.parse(code, {
+                    ecmaVersion: 2022,
+                    sourceType: 'module',
+                    allowReturnOutsideFunction: true,
+                    locations: true // Enable line/column tracking
+                });
+            }
+            catch (error) {
+                const errorMessage = error.message || 'Syntax error';
+                // Extract line number from Acorn error
+                const lineNumber = error.loc?.line || (0, syntax_helpers_1.findErrorLine)(code, error.pos);
+                if (lineNumber) {
+                    // Create specific line error
+                    const suggestion = (0, syntax_helpers_1.getSuggestionForSyntaxError)(errorMessage);
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: errorMessage,
+                        suggestion: suggestion,
+                        severity: 'error'
+                    });
+                }
+                else {
+                    // Fallback to general error
+                    errors.push(`Syntax error: ${errorMessage}`);
+                }
+            }
+        }
+        else {
+            // TypeScript - do basic checks without full parser
+            this.checkBasicTypeScriptSyntax(code, errors, lineErrors);
+        }
+        result.syntax.errors = errors;
+        result.syntax.lineErrors = lineErrors;
+        result.syntax.valid = errors.length === 0 && lineErrors.filter(e => e.severity === 'error').length === 0;
+        // Penalize score based on severity
+        const errorCount = lineErrors.filter(e => e.severity === 'error').length;
+        const warningCount = lineErrors.filter(e => e.severity === 'warning').length;
+        if (errorCount > 0) {
+            result.quality.score -= errorCount * 20;
+        }
+        if (warningCount > 0) {
+            result.quality.score -= warningCount * 10;
+        }
+    }
+    // Helper to find line number from character position
+    findErrorLine(code, pos) {
+        if (!pos)
+            return null;
+        const lines = code.substring(0, pos).split('\n');
+        return lines.length;
+    }
+    // Helper to provide suggestions for common syntax errors
+    getSuggestionForSyntaxError(errorMessage) {
+        if (errorMessage.includes('Unexpected token')) {
+            if (errorMessage.includes('}')) {
+                return 'Check if there is a missing closing parenthesis or brace before this line';
+            }
+            if (errorMessage.includes(')')) {
+                return 'Add the missing closing parenthesis \")\"';
+            }
+            return 'Check the code syntax and fix the identified errors';
+        }
+        if (errorMessage.includes('Unterminated string')) {
+            return 'Close the string with matching quotes';
+        }
+        if (errorMessage.includes('Missing comma')) {
+            return 'Add a comma between object properties';
+        }
+        return 'Fix the identified syntax error';
+    }
+    // Option B: Detect AI hallucinations (non-existent methods, typos)
+    detectAIHallucinations(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        // Common AI hallucinations: method names that don't exist
+        // Optimized: Combine all patterns into a single regex for better performance
+        const hallucinationMap = new Map([
+            ['append', { correct: '.push(', description: 'Arrays do not have .append() method in JavaScript, use .push()' }],
+            ['remove', { correct: '.splice() or .filter()', description: 'Arrays do not have .remove() method in JavaScript' }],
+            ['toUppercase', { correct: '.toUpperCase(', description: 'Correct method is .toUpperCase() (with capital C)' }],
+            ['toLowercase', { correct: '.toLowerCase(', description: 'Correct method is .toLowerCase() (with capital C)' }],
+            ['contains', { correct: '.includes(', description: 'Arrays/Strings use .includes() in JavaScript, not .contains()' }],
+            ['length()', { correct: '.length', description: '.length is a property, not a method (no parentheses)' }],
+            ['size', { correct: '.length or .size', description: 'Arrays use .length; Map/Set use .size (no parentheses)' }],
+        ]);
+        // Combined regex pattern for all hallucinations (single pass)
+        const combinedPattern = /\.(append|remove|toUppercase|toLowercase|contains|length\(\)|size)\(/g;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments and empty lines
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Single regex test for all patterns - much faster
+            const matches = line.matchAll(combinedPattern);
+            for (const match of matches) {
+                const method = match[1];
+                const details = hallucinationMap.get(method);
+                if (details) {
+                    // Get references for method-specific issues
+                    let references = references_1.javascriptStandards['syntax-errors'] || [];
+                    // Add specific references for string/array methods (without category field)
+                    if (method === 'toUppercase' || method === 'toLowercase') {
+                        references = [
+                            {
+                                title: 'MDN: String.prototype.toUpperCase()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/toUpperCase',
+                                description: 'Correct method name and usage for converting strings to uppercase'
+                            },
+                            {
+                                title: 'MDN: String.prototype.toLowerCase()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/toLowerCase',
+                                description: 'Correct method name and usage for converting strings to lowercase'
+                            }
+                        ];
+                    }
+                    else if (method === 'append' || method === 'remove') {
+                        references = [
+                            {
+                                title: 'MDN: Array.prototype.push()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/push',
+                                description: 'Add elements to the end of an array'
+                            },
+                            {
+                                title: 'MDN: Array.prototype.splice()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/splice',
+                                description: 'Remove or replace elements from an array'
+                            }
+                        ];
+                    }
+                    else if (method === 'contains') {
+                        references = [
+                            {
+                                title: 'MDN: Array.prototype.includes()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/includes',
+                                description: 'Check if an array includes a certain value'
+                            },
+                            {
+                                title: 'MDN: String.prototype.includes()',
+                                url: 'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/includes',
+                                description: 'Check if a string contains a substring'
+                            }
+                        ];
+                    }
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `AI Hallucination: ${details.description}`,
+                        suggestion: `Replace with: ${details.correct}`,
+                        severity: 'error',
+                        references
+                    });
+                }
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 1.1: Detect ReferenceError - Undeclared variables (Optimized single-pass)
+    detectReferenceErrors(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        // Get built-in globals and skip patterns
+        const builtIns = (0, variable_tracker_1.getBuiltIns)();
+        const skipPatterns = (0, variable_tracker_1.getSkipPatterns)();
+        // Find all variable declarations
+        const declaredVars = (0, variable_tracker_1.findDeclarations)(lines, code, syntax_helpers_1.isInsideTemplateLiteral);
+        // Find all variable usages
+        const usages = (0, variable_tracker_1.findUsages)(lines, code, builtIns, skipPatterns, syntax_helpers_1.removeStringLiterals, syntax_helpers_1.isInsideTemplateLiteral);
+        // Detect JSX in code to filter out JSX element false positives
+        const hasJSX = (0, jsx_helpers_1.detectJSX)(code);
+        // Check for undeclared variables and add to line errors
+        const undeclaredErrors = (0, variable_tracker_1.checkUndeclaredVariables)(usages, declaredVars, lines, hasJSX);
+        lineErrors.push(...undeclaredErrors);
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 1.2: Detect == vs === comparison issues
+    detectComparisonIssues(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Detect == (but not ===)
+            const looseEqualityMatch = line.match(/[^=!<>]==(=?)[^=]/);
+            if (looseEqualityMatch && !looseEqualityMatch[1]) { // Not ===
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Non-strict comparison (==) detected',
+                    suggestion: 'Use === for strict comparison (avoids type coercion)',
+                    severity: 'warning'
+                });
+            }
+            // Detect != (but not !==)
+            const looseInequalityMatch = line.match(/!=(=?)[^=]/);
+            if (looseInequalityMatch && !looseInequalityMatch[1]) { // Not !==
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Non-strict comparison (!=) detected',
+                    suggestion: 'Use !== for strict comparison (avoids type coercion)',
+                    severity: 'warning'
+                });
+            }
+            // FIX (2025-11-18): Detect assignment in condition (= instead of == or ===)
+            // Pattern: if (variable = value) or while (variable = value)
+            // This is a critical bug where = (assignment) is used instead of === (comparison)
+            const assignmentInCondition = line.match(/\b(if|while|for)\s*\([^)]*[^=!<>]=[^=][^)]*\)/);
+            if (assignmentInCondition) {
+                // Verify it's not part of an arrow function or initialization (for loops)
+                const isForLoopInit = assignmentInCondition[1] === 'for' && (line.includes('let ') || line.includes('var ') || line.includes('const '));
+                const isArrowFunction = line.includes('=>');
+                if (!isForLoopInit && !isArrowFunction) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Assignment in condition - did you mean === or == ?',
+                        suggestion: 'Use === for comparison. If assignment is intentional, wrap in parentheses: if ((x = getValue()))',
+                        severity: 'error'
+                    });
+                }
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 1.3: Detect unhandled Promises
+    detectUnhandledPromises(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        // Track Promise chains to find missing .catch()
+        let inPromiseChain = false;
+        let promiseChainStartLine = 0;
+        let hasCatch = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Detect start of Promise chain (fetch, new Promise, or return promise)
+            if (!inPromiseChain && (trimmed.includes('.then(') || trimmed.match(/\b(fetch|axios|Promise\.)\(/))) {
+                inPromiseChain = true;
+                promiseChainStartLine = lineNumber;
+                hasCatch = false;
+            }
+            // Detect .catch( in the chain
+            if (inPromiseChain && trimmed.includes('.catch(')) {
+                hasCatch = true;
+            }
+            // End of Promise chain (line ends with ; and doesn't start with .)
+            if (inPromiseChain && trimmed.endsWith(';') && !trimmed.startsWith('.')) {
+                if (!hasCatch) {
+                    lineErrors.push({
+                        line: promiseChainStartLine,
+                        error: 'Promise without error handling (.catch)',
+                        suggestion: 'Add .catch(err => console.error(err)) at the end of the Promise chain',
+                        severity: 'warning'
+                    });
+                }
+                inPromiseChain = false;
+                hasCatch = false;
+            }
+            // Continue chain if line starts with . (method chaining)
+            if (inPromiseChain && trimmed.startsWith('.') && !trimmed.endsWith(';')) {
+                // Chain continues, don't reset
+            }
+        });
+        // Check async functions without try/catch
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            if (trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Detect async function without try/catch in the vicinity
+            if (trimmed.includes('async ') && trimmed.includes('await ')) {
+                // Check if there's a try block nearby (simple heuristic)
+                const nextLines = lines.slice(index, Math.min(index + 5, lines.length)).join(' ');
+                if (!nextLines.includes('try') && !nextLines.includes('.catch(')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'async/await without error handling',
+                        suggestion: 'Wrap the code in try/catch or add .catch() to the Promise',
+                        severity: 'warning'
+                    });
+                }
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 1.4: Detect 'this' context issues
+    detectThisContextIssues(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Detect regular function inside callback that uses 'this'
+            // Pattern: .then(function() { ... this. ... })
+            const callbackWithThisMatch = line.match(/\.(then|forEach|map|filter|reduce|some|every|find)\s*\(\s*function\s*\([^)]*\)\s*\{[^}]*this\./);
+            if (callbackWithThisMatch) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Use of "this" in regular function may cause context error',
+                    suggestion: 'Use arrow function (() => {}) to preserve "this" context',
+                    severity: 'warning'
+                });
+            }
+            // Detect 'this' in regular function passed to array methods
+            if (trimmed.includes('function(') && trimmed.match(/\.(map|filter|forEach|reduce|some|every|find)\(/)) {
+                // Look ahead to see if 'this' is used in following lines
+                const nextLines = lines.slice(index, Math.min(index + 3, lines.length));
+                const hasThis = nextLines.some(l => l.includes('this.'));
+                if (hasThis) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Function callback with "this" may lose context',
+                        suggestion: 'Use arrow function or .bind(this) to maintain context',
+                        severity: 'warning'
+                    });
+                }
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 2.1: Detect callback hell (excessive nesting)
+    detectCallbackHell(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        let currentNesting = 0;
+        let maxNesting = 0;
+        let nestingStartLine = 0;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Count opening braces in callbacks
+            if (trimmed.includes('function(') || trimmed.includes('function (') ||
+                trimmed.includes('=>') && trimmed.includes('{')) {
+                if (currentNesting === 0) {
+                    nestingStartLine = lineNumber;
+                }
+                currentNesting++;
+                if (currentNesting > maxNesting) {
+                    maxNesting = currentNesting;
+                }
+                // Warn if nesting exceeds 3 levels
+                if (currentNesting > 3) {
+                    lineErrors.push({
+                        line: nestingStartLine,
+                        error: `Callback Hell: ${currentNesting} levels of nested callbacks`,
+                        suggestion: 'Refactor using Promises, async/await, or extract named functions',
+                        severity: 'warning'
+                    });
+                }
+            }
+            // Count closing braces
+            const openBraces = (trimmed.match(/\{/g) || []).length;
+            const closeBraces = (trimmed.match(/\}/g) || []).length;
+            currentNesting += openBraces - closeBraces;
+            // Reset if we're back to level 0
+            if (currentNesting <= 0) {
+                currentNesting = 0;
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 2.2: Detect unintentional array mutations
+    detectArrayMutations(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        const mutatingMethods = [
+            { method: '.sort(', message: '.sort() modifies the original array', suggestion: 'Use [...array].sort() or array.toSorted()' },
+            { method: '.reverse(', message: '.reverse() modifies the original array', suggestion: 'Use [...array].reverse() or array.toReversed()' },
+            { method: '.splice(', message: '.splice() modifies the original array', suggestion: 'Use .slice() or .toSpliced() if you do not want to mutate' },
+            { method: '.fill(', message: '.fill() modifies the original array', suggestion: 'Create a copy first: [...array].fill()' }
+        ];
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            mutatingMethods.forEach(({ method, message, suggestion }) => {
+                if (line.includes(method)) {
+                    // Check if result is being used (assigned or chained)
+                    const beforeMethod = line.substring(0, line.indexOf(method));
+                    const afterMethod = line.substring(line.indexOf(method) + method.length);
+                    // If method is not assigned and not chained with dot, likely unintentional mutation
+                    const isAssigned = beforeMethod.includes('=') || beforeMethod.includes('const ') ||
+                        beforeMethod.includes('let ') || beforeMethod.includes('var ');
+                    const isChained = afterMethod.trim().startsWith('.');
+                    if (!isAssigned && !isChained) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Unintentional mutation: ${message}`,
+                            suggestion,
+                            severity: 'warning'
+                        });
+                    }
+                }
+            });
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    // Phase 2.3: Detect DOM queries without null checks
+    detectDOMNullChecks(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        const domMethods = [
+            'getElementById(',
+            'querySelector(',
+            'getElementsByClassName(',
+            'getElementsByTagName(',
+            'getElementsByName('
+        ];
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            domMethods.forEach(method => {
+                if (line.includes(method)) {
+                    // Check if there's a null check in the next few lines
+                    const nextLines = lines.slice(index, Math.min(index + 3, lines.length));
+                    const hasNullCheck = nextLines.some(l => l.includes('if (') && (l.includes('!== null') || l.includes('!= null') || l.includes('&&') || l.includes('?.')));
+                    if (!hasNullCheck) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `DOM query without null check: ${method}`,
+                            suggestion: 'Add check: if (element !== null) { ... } or use optional chaining (?.))',
+                            severity: 'warning'
+                        });
+                    }
+                }
+            });
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    /**
+     * Option B: Detect blocking operations that can impact performance
+     * - JSON.parse() in loops
+     * - Heavy synchronous operations in loops
+     * - Large string operations in loops
+     * - Regex operations in loops
+     * - DOM manipulation in loops
+     */
+    detectBlockingOperations(code, result) {
+        const lines = code.split('\n');
+        const lineErrors = result.syntax.lineErrors || [];
+        let inMultiLineComment = false;
+        let loopNesting = 0;
+        let loopStartLines = [];
+        let braceDepth = 0;
+        const loopBraceDepths = [];
+        lines.forEach((line, index) => {
+            const trimmed = line.trim();
+            const lineNumber = index + 1;
+            // Track multi-line comments
+            if (trimmed.includes('/*'))
+                inMultiLineComment = true;
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return;
+            }
+            // Skip comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // Skip lines inside template literals (they contain arbitrary text, not JavaScript)
+            if ((0, syntax_helpers_1.isInsideTemplateLiteral)(code, lineNumber)) {
+                return;
+            }
+            // Track brace depth for all code
+            const openBraces = (line.match(/\{/g) || []).length;
+            const closeBraces = (line.match(/\}/g) || []).length;
+            braceDepth += openBraces - closeBraces;
+            // Detect loop start
+            const isForLoop = /\b(for|while)\s*\(/.test(trimmed);
+            const isArrayMethod = /\.(forEach|map|filter|reduce|some|every|find)\s*\(/.test(trimmed);
+            if (isForLoop || isArrayMethod) {
+                loopNesting++;
+                loopStartLines.push(lineNumber);
+                loopBraceDepths.push(braceDepth);
+            }
+            // Check for blocking operations inside loops
+            if (loopNesting > 0) {
+                // 1. JSON.parse() in loops
+                if (trimmed.includes('JSON.parse(') && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: JSON.parse() inside loop',
+                        suggestion: 'Move JSON.parse() outside the loop or process the data before iteration',
+                        severity: 'warning'
+                    });
+                }
+                // 2. JSON.stringify() in loops
+                if (trimmed.includes('JSON.stringify(') && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: JSON.stringify() inside loop',
+                        suggestion: 'Move JSON.stringify() outside the loop to avoid repeated serialization',
+                        severity: 'warning'
+                    });
+                }
+                // 3. Complex regex operations in loops (only inline regex literals, not variables)
+                // Match: /pattern/.test() or new RegExp() but NOT: variable.test()
+                // Remove comments to avoid false positives from comments containing /
+                const withoutComments = trimmed.split('//')[0];
+                const hasNewRegExp = /new\s+RegExp\(/.test(withoutComments);
+                // Only flag if .test( is immediately preceded by a regex literal ending (/ or flag)
+                // This checks the character RIGHT before .test( is / or g,i,m,u,y
+                const testIndex = withoutComments.indexOf('.test(');
+                let hasInlineRegexLiteral = false;
+                if (testIndex > 0) {
+                    const charBeforeTest = withoutComments.charAt(testIndex - 1);
+                    // Check if it's a regex literal ending: / or a flag (g, i, m, u, y)
+                    hasInlineRegexLiteral = charBeforeTest === '/' || /[gimuy]/.test(charBeforeTest);
+                }
+                if (hasInlineRegexLiteral || hasNewRegExp) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: Complex regex inside loop',
+                        suggestion: 'Define the regex outside the loop: const regex = /pattern/; before the loop',
+                        severity: 'warning'
+                    });
+                }
+                // 4. DOM manipulation in loops
+                const domMethods = [
+                    'getElementById', 'getElementsByClassName', 'getElementsByTagName',
+                    'querySelector', 'querySelectorAll', 'createElement',
+                    'appendChild', 'removeChild', 'insertBefore'
+                ];
+                const hasDOMManipulation = domMethods.some(method => trimmed.includes(method + '(') || trimmed.includes('.' + method + '('));
+                if (hasDOMManipulation && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: DOM manipulation inside loop',
+                        suggestion: 'Accumulate changes and manipulate DOM once after the loop (Document Fragment)',
+                        severity: 'warning'
+                    });
+                }
+                // 5. Large string concatenation in loops
+                if (/\+=\s*['"`]/.test(trimmed) && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: String concatenation with += inside loop',
+                        suggestion: 'Use array.push() inside the loop and array.join() at the end',
+                        severity: 'warning'
+                    });
+                }
+                // 6. Synchronous file operations (Node.js)
+                if (/fs\.(readFileSync|writeFileSync|existsSync)/.test(trimmed) && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: Synchronous file operation inside loop',
+                        suggestion: 'Use async versions (readFile, writeFile) or move outside the loop',
+                        severity: 'warning'
+                    });
+                }
+                // 7. localStorage/sessionStorage access in loops
+                if (/(localStorage|sessionStorage)\.(getItem|setItem|removeItem)/.test(trimmed) && !trimmed.includes('//')) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Blocking operation: Storage access inside loop',
+                        suggestion: 'Accumulate the data and perform a single storage operation after the loop',
+                        severity: 'warning'
+                    });
+                }
+                // 8. Nested loops (performance warning)
+                if (loopNesting > 2) {
+                    if (isForLoop || isArrayMethod) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Performance: ${loopNesting} levels of nested loops`,
+                            suggestion: 'Consider refactoring with optimized data structures (Map, Set) or more efficient algorithms',
+                            severity: 'warning'
+                        });
+                    }
+                }
+            }
+            // Detect loop end by tracking brace depth
+            if (loopNesting > 0 && loopBraceDepths.length > 0) {
+                if (braceDepth < loopBraceDepths[loopBraceDepths.length - 1]) {
+                    loopNesting--;
+                    loopStartLines.pop();
+                    loopBraceDepths.pop();
+                }
+            }
+        });
+        result.syntax.lineErrors = lineErrors;
+    }
+    analyzeQuality(code, result) {
+        const issues = [];
+        // Check for use of var
+        const varUsage = code.match(/\bvar\s+/g);
+        if (varUsage) {
+            issues.push({
+                type: 'warning',
+                message: `Use const/let instead of var (${varUsage.length} occurrences)`,
+                severity: 'medium'
+            });
+            result.quality.score -= varUsage.length * 5;
+        }
+        // Check for anonymous functions that could be arrow functions
+        const anonymousFunctions = code.match(/function\s*\(/g);
+        if (anonymousFunctions) {
+            issues.push({
+                type: 'info',
+                message: 'Consider using arrow functions for anonymous functions',
+                severity: 'low'
+            });
+            result.quality.score -= 3;
+        }
+        // Check for console.log in production
+        const consoleLogs = code.match(/console\.log/g);
+        if (consoleLogs && consoleLogs.length > 2) {
+            issues.push({
+                type: 'warning',
+                message: `Too many console.log found (${consoleLogs.length}) - remove in production`,
+                severity: 'medium'
+            });
+            result.quality.score -= 5;
+        }
+        // Check for single-letter variable names
+        const singleLetterVars = code.match(/\b[a-z]\s*=/g);
+        if (singleLetterVars) {
+            issues.push({
+                type: 'info',
+                message: 'Use more descriptive variable names',
+                severity: 'low'
+            });
+            result.quality.score -= 3;
+        }
+        result.quality.issues = issues;
+        result.quality.score = Math.max(0, result.quality.score);
+    }
+    analyzePerformance(code, result) {
+        const suggestions = [];
+        // Check for loops with uncached .length
+        if (code.includes('.length') && code.includes('for')) {
+            if (!code.includes('len =') && !code.includes('length =')) {
+                suggestions.push('Cache array .length in loops for better performance');
+                result.performance.score -= 8;
+            }
+        }
+        // Check for string concatenation in loops
+        if (code.match(/for.*\{[\s\S]*?\+\s*=.*string|string.*\+\s*=/)) {
+            suggestions.push('Avoid string concatenation in loops - use array.join()');
+            result.performance.score -= 15;
+        }
+        // Check for repeated DOM queries
+        const domQueries = (code.match(/document\.(getElementById|querySelector)/g) || []).length;
+        if (domQueries > 2) {
+            suggestions.push('Cache DOM references to avoid repeated queries');
+            result.performance.score -= 10;
+        }
+        // Check for setTimeout(0)
+        if (code.includes('setTimeout') && code.includes('0')) {
+            suggestions.push('Use requestAnimationFrame instead of setTimeout(0)');
+            result.performance.score -= 5;
+        }
+        result.performance.suggestions = suggestions;
+        result.performance.score = Math.max(0, result.performance.score);
+    }
+    createSecurityVulnerability(vulnerabilityType, message, suggestion, lineNumber, attackDescription, exploitExample, realWorldImpact, remediationBefore, remediationAfter, remediationExplanation) {
+        const scoring = (0, severity_scoring_1.calculateSeverityScore)(vulnerabilityType);
+        const compliance = (0, compliance_mapping_1.getComplianceMapping)(vulnerabilityType);
+        return {
+            severity: scoring.severity,
+            message,
+            suggestion,
+            line: lineNumber,
+            category: vulnerabilityType, // PHASE 6 (2025-11-21): Added category for test compatibility
+            cvssScore: scoring.cvssScore,
+            exploitLikelihood: scoring.exploitLikelihood,
+            impact: scoring.impact,
+            owasp: compliance.owasp,
+            cwe: compliance.cwe,
+            pciDss: compliance.pciDss,
+            attackVector: {
+                description: attackDescription,
+                exploitExample,
+                realWorldImpact
+            },
+            remediation: {
+                before: remediationBefore,
+                after: remediationAfter,
+                explanation: remediationExplanation
+            }
+        };
+    }
+    analyzeSecurity(code, result) {
+        const vulnerabilities = [];
+        const lines = code.split('\n');
+        let inMultiLineComment = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // CRITICAL: Track multi-line comment blocks (/* ... */)
+            // FIX (Dec 6, 2025): Added proper multi-line comment tracking like Java analyzer
+            if (trimmed.includes('/*')) {
+                inMultiLineComment = true;
+            }
+            if (trimmed.includes('*/')) {
+                inMultiLineComment = false;
+                return; // Skip the line with */
+            }
+            // Skip all lines inside multi-line comments and single-line comments
+            if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+                return;
+            }
+            // OWASP A03:2021 - Injection
+            // 1. eval() - CRITICAL
+            // FIX (Dec 9, 2025): Skip eval() inside string literals (e.g., "This uses eval()")
+            const lineWithoutStrings = (0, syntax_helpers_1.removeStringLiterals)(trimmed);
+            if (lineWithoutStrings.includes('eval(')) {
+                vulnerabilities.push(this.createSecurityVulnerability('eval-usage', 'eval() allows arbitrary code execution', 'Use JSON.parse() for data or refactor code to avoid dynamic execution', lineNumber, 'An attacker can inject malicious code through any input that reaches eval(), enabling complete control over the application\'s execution context.', 'eval(userInput) where userInput = "require(\'child_process\').exec(\'rm -rf /\')"', [
+                    'Remote Code Execution (RCE)',
+                    'Complete system compromise',
+                    'Data theft and exfiltration',
+                    'Malware installation'
+                ], 'const result = eval(userInput);', 'const result = JSON.parse(userInput); // For data only', 'Replace eval() with JSON.parse() for data parsing, or refactor code to avoid dynamic execution entirely'));
+            }
+            // 2. Function constructor - HIGH
+            if (trimmed.match(/new\s+Function\s*\(/)) {
+                vulnerabilities.push(this.createSecurityVulnerability('function-constructor', 'Function constructor allows code injection similar to eval()', 'Avoid creating functions dynamically from strings', lineNumber, 'The Function constructor creates functions from strings at runtime, allowing arbitrary code execution if the input is attacker-controlled.', 'new Function(userInput)() where userInput = "return process.env"', [
+                    'Code injection',
+                    'Access to sensitive data',
+                    'Bypass of security restrictions',
+                    'Remote code execution in certain contexts'
+                ], 'const fn = new Function(userCode); fn();', '// Refactor to avoid dynamic code generation\n// Use predefined functions or safer alternatives', 'Eliminate dynamic function creation. Use predefined functions, configuration objects, or refactor the architecture'));
+            }
+            // 3. setTimeout/setInterval with strings or variables - MEDIUM
+            // Detects: setTimeout("code", 1000) OR setTimeout(code, 1000) where code is a variable
+            if (trimmed.match(/set(Timeout|Interval)\s*\(\s*['"]/) ||
+                trimmed.match(/set(Timeout|Interval)\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,/)) {
+                vulnerabilities.push(this.createSecurityVulnerability('settimeout-string', 'setTimeout/setInterval with string or code variable executes code like eval()', 'Use function reference or arrow function instead', lineNumber, 'Passing a string or variable containing code to setTimeout/setInterval causes it to be evaluated as code, similar to eval().', 'setTimeout("alert(userInput)", 1000) or setTimeout(code, 1000) where code/userInput is attacker-controlled', [
+                    'Code injection via timing functions',
+                    'XSS attacks',
+                    'Bypass of CSP (Content Security Policy)'
+                ], 'setTimeout("doSomething()", 1000); // or setTimeout(code, 1000);', 'setTimeout(() => doSomething(), 1000);', 'Always pass a function reference or arrow function to setTimeout/setInterval, never a string or variable containing code'));
+            }
+            // OWASP A03:2021 - XSS (Cross-Site Scripting)
+            // 4. innerHTML with variables - HIGH
+            if (trimmed.match(/\.innerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
+                vulnerabilities.push(this.createSecurityVulnerability('xss', 'XSS: innerHTML with unsanitized user content', 'Use textContent, DOMPurify.sanitize(), or createElement()', lineNumber, 'An attacker can inject malicious JavaScript code through user input, stealing session cookies, credentials, or performing actions on behalf of the user.', 'element.innerHTML = "<div>" + userInput + "</div>" where userInput = "<img src=x onerror=alert(document.cookie)>"', [
+                    'Session hijacking (cookie theft)',
+                    'Credential theft (keylogging)',
+                    'Phishing attacks',
+                    'Malware distribution',
+                    'Defacement'
+                ], 'element.innerHTML = "<div>" + userContent + "</div>";', 'element.textContent = userContent; // Safe for plain text\n// Or: element.innerHTML = DOMPurify.sanitize(userContent);', 'Use textContent for plain text, or sanitize HTML with DOMPurify before setting innerHTML'));
+            }
+            // 5. outerHTML - HIGH
+            if (trimmed.match(/\.outerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
+                vulnerabilities.push(this.createSecurityVulnerability('xss', 'XSS: outerHTML with unsanitized variables', 'Use safe DOM methods or DOMPurify.sanitize()', lineNumber, 'Setting outerHTML with user content allows XSS attacks by replacing the entire element with malicious HTML.', 'element.outerHTML = userHTML where userHTML contains <img src=x onerror=alert(1)>', [
+                    'Cross-site scripting (XSS)',
+                    'Session hijacking',
+                    'Credential theft',
+                    'Malware distribution'
+                ], 'element.outerHTML = "<div>" + userContent + "</div>";', 'const div = document.createElement("div");\ndiv.textContent = userContent;\nelement.replaceWith(div);', 'Create elements using createElement() and set content with textContent, or sanitize HTML with DOMPurify'));
+            }
+            // 6. document.write - MEDIUM
+            if (trimmed.includes('document.write')) {
+                vulnerabilities.push(this.createSecurityVulnerability('document-write', 'document.write is deprecated and can cause XSS', 'Use createElement() and appendChild() instead', lineNumber, 'document.write() is synchronous, deprecated, and can be exploited for XSS if used with untrusted data.', 'document.write("<div>" + userInput + "</div>")', [
+                    'XSS vulnerability',
+                    'Performance issues (parser-blocking)',
+                    'Overwrites page content if called after page load'
+                ], 'document.write("<h1>" + title + "</h1>");', 'const h1 = document.createElement("h1");\nh1.textContent = title;\ndocument.body.appendChild(h1);', 'Use modern DOM APIs: createElement(), textContent, and appendChild()'));
+            }
+            // 7. dangerouslySetInnerHTML (React) - HIGH
+            const dangerousHTML = (0, react_security_1.detectDangerouslySetInnerHTML)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (dangerousHTML)
+                vulnerabilities.push(dangerousHTML);
+            // 8. Missing key prop in React lists - MEDIUM
+            const missingKey = (0, react_security_1.detectMissingKeyProp)(trimmed, lineNumber, lines, index, this.createSecurityVulnerability.bind(this));
+            if (missingKey)
+                vulnerabilities.push(missingKey);
+            // 9. Unsafe href with user input (React XSS) - HIGH
+            const unsafeHref = (0, react_security_1.detectUnsafeHref)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (unsafeHref)
+                vulnerabilities.push(unsafeHref);
+            // 10. Direct state mutation in React - MEDIUM
+            const stateMutation = (0, react_security_1.detectStateMutation)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (stateMutation)
+                vulnerabilities.push(stateMutation);
+            // ES6+ Security Patterns
+            // 11. Object.assign() prototype pollution - HIGH
+            const prototypePollution = (0, es6_security_1.detectPrototypePollution)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (prototypePollution)
+                vulnerabilities.push(prototypePollution);
+            // 12. Unsafe URL() constructor with user input - MEDIUM
+            const urlInjection = (0, es6_security_1.detectURLInjection)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (urlInjection)
+                vulnerabilities.push(urlInjection);
+            // 13. Template literal injection - HIGH
+            const templateInjection = (0, es6_security_1.detectTemplateLiteralInjection)(trimmed, lineNumber, this.createSecurityVulnerability.bind(this));
+            if (templateInjection)
+                vulnerabilities.push(templateInjection);
+            // NOTE: OWASP 2025 checks (A02, A10, A03) moved outside forEach loop for efficiency
+            // They are now called once with all lines after line-by-line analysis completes
+            // See lines after forEach loop closes
+            // OWASP A07:2021 - Authentication & Identification Failures
+            // 8. Hardcoded credentials - CRITICAL
+            // Enhanced to support TypeScript type annotations: const API_SECRET: string = 'value'
+            // Matches: variable names containing secret/password/token/key followed by = and a string
+            if (trimmed.match(/(password|passwd|pwd|secret|token|api[-_]?key|private[-_]?key|auth|encryption[-_]?key)/i) &&
+                trimmed.match(/[:=]\s*['"`]/) &&
+                !trimmed.includes('process.env') &&
+                !trimmed.includes('config.') &&
+                !trimmed.startsWith('//')) {
+                vulnerabilities.push(this.createSecurityVulnerability('hardcoded-credentials', 'Hardcoded credentials exposed in source code', 'Use environment variables (process.env) or secret management services', lineNumber, 'Hardcoded credentials in source code are visible to anyone with access to the repository, including attackers who gain access to the codebase.', 'const password = "MySecretPass123" // Visible in Git history forever', [
+                    'Unauthorized access to systems',
+                    'Account takeover',
+                    'Data breach',
+                    'Lateral movement in infrastructure',
+                    'Cannot be rotated without code changes'
+                ], 'const apiKey = "sk-1234567890abcdef";', 'const apiKey = process.env.API_KEY; // Store in .env file (add to .gitignore)', 'Store secrets in environment variables or secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)'));
+            }
+            // OWASP A02:2021 - Cryptographic Failures
+            // 9. Math.random() for security - MEDIUM
+            if (trimmed.match(/Math\.random\(\)/)) {
+                vulnerabilities.push(this.createSecurityVulnerability('weak-random', 'Math.random() is cryptographically weak and predictable', 'Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (Browser)', lineNumber, 'Math.random() uses a pseudorandom number generator that is predictable and unsuitable for security purposes like token generation.', 'const token = Math.random().toString(36) // Predictable, can be brute-forced', [
+                    'Predictable tokens/session IDs',
+                    'Session hijacking',
+                    'Authentication bypass',
+                    'Weak cryptographic keys'
+                ], 'const token = Math.random().toString(36).substr(2);', '// Node.js:\nconst token = require("crypto").randomBytes(32).toString("hex");\n// Browser:\nconst token = crypto.getRandomValues(new Uint8Array(32));', 'Use cryptographically secure random number generators for all security-sensitive operations'));
+            }
+            // 9b. Weak cryptographic algorithms (MD5, SHA1) - HIGH
+            // FIX (Dec 9, 2025): Added detection for weak hash algorithms vulnerable to collision attacks
+            if (trimmed.match(/createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i) ||
+                trimmed.match(/crypto\.(?:md5|sha1)/i) ||
+                trimmed.match(/\.(?:md5|sha1)\s*\(/i)) {
+                vulnerabilities.push(this.createSecurityVulnerability('weak-cryptographic-algorithm', 'Weak cryptographic algorithm (MD5/SHA1) vulnerable to collision attacks', 'Use SHA-256 or stronger (SHA-384, SHA-512, SHA-3)', lineNumber, 'MD5 and SHA-1 are cryptographically broken and vulnerable to collision attacks. Attackers can generate different inputs that produce the same hash, compromising data integrity and digital signatures.', 'crypto.createHash("md5").update(password).digest("hex") // Attacker can generate collisions', [
+                    'Hash collision attacks',
+                    'Password cracking (rainbow tables)',
+                    'Digital signature forgery',
+                    'Data integrity compromise',
+                    'Compliance violations (PCI-DSS, FIPS)'
+                ], 'const hash = crypto.createHash("md5").update(data).digest("hex");', 'const hash = crypto.createHash("sha256").update(data).digest("hex"); // Use SHA-256 or stronger', 'Replace MD5/SHA-1 with SHA-256, SHA-384, SHA-512, or SHA-3. For password hashing, use bcrypt, scrypt, or Argon2'));
+            }
+            // 10. localStorage for sensitive data - MEDIUM
+            if (trimmed.match(/localStorage\.(setItem|set)\([^)]*(?:token|password|key|secret)/i)) {
+                vulnerabilities.push(this.createSecurityVulnerability('insecure-storage', 'localStorage is not secure for sensitive data', 'Use httpOnly cookies or server-side sessions', lineNumber, 'localStorage is accessible to any JavaScript on the page, making it vulnerable to XSS attacks. Stored data persists indefinitely.', 'localStorage.setItem("authToken", token) // Accessible to any script, vulnerable to XSS', [
+                    'Token theft via XSS',
+                    'Credential exposure',
+                    'No protection from malicious scripts',
+                    'Data persists across sessions (privacy issue)'
+                ], 'localStorage.setItem("authToken", jwtToken);', '// Server-side: Set httpOnly cookie (not accessible to JavaScript)\nres.cookie("authToken", jwtToken, { httpOnly: true, secure: true, sameSite: "strict" });', 'Store sensitive data server-side or in httpOnly cookies. Use sessionStorage for temporary data, but never for sensitive information'));
+            }
+            // 10b. Insecure cookie configuration - HIGH
+            // FIX (Dec 9, 2025): Added detection for cookies without security flags (httpOnly, secure, sameSite)
+            if (trimmed.match(/\.cookie\s*\([^)]*\)/) && trimmed.match(/res\.|response\./)) {
+                // Check if security flags are missing
+                const hasHttpOnly = trimmed.match(/httpOnly\s*:\s*true/i);
+                const hasSecure = trimmed.match(/secure\s*:\s*true/i);
+                const hasSameSite = trimmed.match(/sameSite/i);
+                if (!hasHttpOnly || !hasSecure || !hasSameSite) {
+                    vulnerabilities.push(this.createSecurityVulnerability('insecure-cookie', 'Cookie set without security flags (httpOnly, secure, sameSite)', 'Add httpOnly: true, secure: true, sameSite: "strict" to cookie options', lineNumber, 'Cookies without security flags are vulnerable to XSS attacks (JavaScript access), man-in-the-middle attacks (transmitted over HTTP), and CSRF attacks (cross-site request forgery).', 'res.cookie("sessionId", token) // No httpOnly = XSS can steal, no secure = transmitted over HTTP', [
+                        'Session hijacking via XSS (cookie theft)',
+                        'Man-in-the-middle attacks (HTTP transmission)',
+                        'CSRF attacks (cross-site requests)',
+                        'Session fixation attacks'
+                    ], 'res.cookie("sessionId", sessionId);', 'res.cookie("sessionId", sessionId, {\n  httpOnly: true,  // Not accessible to JavaScript\n  secure: true,    // Only sent over HTTPS\n  sameSite: "strict" // Prevents CSRF attacks\n});', 'Always set httpOnly (prevents XSS), secure (HTTPS only), and sameSite (prevents CSRF) flags on session cookies'));
+                }
+            }
+            // OWASP A01:2021 - Broken Access Control
+            // 10c. Open redirect vulnerability - MEDIUM
+            // FIX (Dec 9, 2025): Added detection for unvalidated URL redirects
+            if (trimmed.match(/\.redirect\s*\(/) || trimmed.match(/location\.href\s*=/) || trimmed.match(/window\.location\s*=/)) {
+                // Check if user input is used in redirect (query params, user data)
+                const hasUserInput = trimmed.match(/req\.query|req\.body|req\.params|params\.|query\.|body\./) ||
+                    trimmed.match(/\$\{.*\}/) || // Template literals
+                    trimmed.match(/\+\s*[\w.]+/); // Concatenation with variables
+                if (hasUserInput) {
+                    vulnerabilities.push(this.createSecurityVulnerability('open-redirect', 'Open redirect vulnerability - unvalidated URL redirect', 'Validate redirect URLs against a whitelist of allowed domains', lineNumber, 'Unvalidated redirects allow attackers to redirect users to phishing sites or malicious domains. Users trust the legitimate domain in the URL bar, making phishing attacks more effective.', 'res.redirect(req.query.returnUrl) where returnUrl = "http://evil.com/phishing" // User redirected to attacker site', [
+                        'Phishing attacks (credential theft)',
+                        'Malware distribution',
+                        'OAuth token theft',
+                        'User trust exploitation',
+                        'SEO poisoning'
+                    ], 'res.redirect(req.query.returnUrl);', 'const allowedDomains = ["example.com", "app.example.com"];\nconst url = new URL(req.query.returnUrl);\nif (allowedDomains.includes(url.hostname)) {\n  res.redirect(req.query.returnUrl);\n} else {\n  res.redirect("/"); // Safe default\n}', 'Always validate redirect URLs against a whitelist of allowed domains. Never redirect to arbitrary user-supplied URLs'));
+                }
+            }
+            // OWASP A08:2021 - Software and Data Integrity Failures
+            // 11. Prototype pollution - HIGH
+            // Detects: Literal __proto__ OR generic bracket notation assignment with variables (common in object merging)
+            const hasLiteralProto = trimmed.match(/__proto__|constructor\[.*\]|prototype\[/);
+            const hasBracketAssignment = trimmed.match(/\[[a-zA-Z_$][a-zA-Z0-9_$]*\]\s*=/) && // obj[variable] =
+                !trimmed.match(/\[['"`]/) && // NOT obj["literal"]
+                !trimmed.match(/\[\d+\]/) && // NOT obj[0]
+                !trimmed.includes('Object.create') && // Skip safe patterns
+                !trimmed.includes('Map') && // Skip Map usage
+                !trimmed.includes('Set'); // Skip Set usage
+            // Check if current or previous lines have filtering for __proto__/constructor/prototype (safe pattern)
+            const hasKeyFiltering = (trimmed.includes('__proto__') && trimmed.includes('!==')) || // Current line
+                (index > 0 && lines[index - 1].includes('__proto__') && lines[index - 1].includes('!==')) ||
+                (index > 1 && lines[index - 2].includes('__proto__') && lines[index - 2].includes('!==')) ||
+                (index > 2 && lines[index - 3].includes('__proto__') && lines[index - 3].includes('!=='));
+            if ((hasLiteralProto || hasBracketAssignment) && !hasKeyFiltering) {
+                vulnerabilities.push(this.createSecurityVulnerability('prototype-pollution', 'Prototype pollution vulnerability detected', 'Validate object keys before assignment, use Object.create(null), or use Map instead', lineNumber, 'Prototype pollution allows attackers to inject properties into Object.prototype, affecting all objects and potentially leading to privilege escalation or code execution.', 'obj[key] = value where key = "__proto__" injects properties into all objects', [
+                    'Privilege escalation',
+                    'Authentication bypass',
+                    'Denial of Service',
+                    'Remote code execution (in specific contexts)',
+                    'Bypass of security checks'
+                ], 'const obj = {}; obj[userKey] = userValue; // If userKey = "__proto__", pollutes all objects', 'const obj = Object.create(null); // No prototype\n// Or validate keys:\nif (!["__proto__", "constructor", "prototype"].includes(userKey)) {\n  obj[userKey] = userValue;\n}', 'Always validate object keys before assignment. Use Object.create(null) for objects without prototype, or use Map instead'));
+            }
+            // 12. SQL Injection patterns - CRITICAL
+            // Fixed: Exclude safe parameterized query placeholders ($1, $2, etc.)
+            if ((trimmed.match(/SELECT.*FROM.*WHERE.*[+`]/i) || trimmed.match(/SELECT.*FROM.*WHERE.*\$\{/i)) ||
+                trimmed.match(/query\s*=\s*[`'"].*\+/) ||
+                trimmed.match(/execute\(.*\+/)) {
+                vulnerabilities.push(this.createSecurityVulnerability('sql-injection', 'SQL Injection vulnerability detected', 'Use parameterized queries or prepared statements', lineNumber, 'An attacker can inject malicious SQL code through user input, bypassing authentication and accessing/modifying the entire database.', 'username = "admin\' OR \'1\'=\'1" results in: SELECT * FROM users WHERE username = \'admin\' OR \'1\'=\'1\'', [
+                    'Full database access (read/write/delete)',
+                    'Authentication bypass',
+                    'Data exfiltration (passwords, credit cards, PII)',
+                    'Data destruction (DROP TABLE attacks)',
+                    'Privilege escalation'
+                ], 'const query = "SELECT * FROM users WHERE id = " + userId;', 'const query = "SELECT * FROM users WHERE id = ?";   \ndb.query(query, [userId]);', 'Use parameterized queries where inputs are passed as separate parameters, never concatenated into the SQL string'));
+            }
+            // 13. Command Injection - CRITICAL
+            if (trimmed.match(/exec\(|spawn\(|execFile\(/) && (trimmed.includes('+') || trimmed.includes('${'))) {
+                vulnerabilities.push(this.createSecurityVulnerability('command-injection', 'Command Injection vulnerability detected', 'Use execFile() with array arguments, validate/sanitize all inputs', lineNumber, 'Concatenating user input into shell commands allows attackers to execute arbitrary system commands with the application\'s privileges.', 'exec("ls " + userInput) where userInput = "; rm -rf /" executes malicious command', [
+                    'Remote Code Execution (RCE)',
+                    'Complete system compromise',
+                    'Data deletion',
+                    'Privilege escalation',
+                    'Backdoor installation'
+                ], 'const { exec } = require("child_process");\nexec("ls " + userDir);', 'const { execFile } = require("child_process");\nexecFile("ls", [userDir]); // Arguments passed safely as array', 'Use execFile() with array of arguments, never concatenate strings. Validate all inputs against whitelist'));
+            }
+            // 14. Path Traversal - HIGH
+            // FIX (Dec 9, 2025): Improved detection to catch direct user input in file operations
+            if (trimmed.match(/readFile|writeFile|unlink|rmdir|createReadStream|createWriteStream/)) {
+                // Check for traversal patterns OR user input
+                const hasTraversalPattern = trimmed.match(/\.\.\/|\.\.\\|\+.*path/);
+                const hasUserInput = trimmed.match(/req\.query|req\.body|req\.params|params\.|query\.|body\./);
+                if (hasTraversalPattern || hasUserInput) {
+                    vulnerabilities.push(this.createSecurityVulnerability('path-traversal', 'Path Traversal vulnerability - unrestricted file access', 'Use path.resolve(), validate against whitelist, restrict to safe directories', lineNumber, 'Path traversal allows attackers to access files outside intended directories using "../" sequences or by directly passing malicious paths, potentially reading sensitive files like /etc/passwd, configuration files, or source code.', 'fs.readFile(req.query.filePath) where filePath = "../../../etc/passwd" // Attacker can read any file', [
+                        'Unauthorized file access',
+                        'Sensitive data exposure (passwords, keys, source code)',
+                        'Configuration file theft',
+                        'Potential for code execution if writable files accessed'
+                    ], 'const content = fs.readFileSync(req.query.filePath);', 'const path = require("path");\nconst baseDir = "/safe/upload/directory";\nconst safePath = path.resolve(baseDir, req.query.filePath);\nif (!safePath.startsWith(baseDir)) {\n  throw new Error("Invalid path - traversal detected");\n}\nconst content = fs.readFileSync(safePath);', 'Always resolve and validate paths using path.resolve(). Verify the resolved path starts with your allowed base directory. Never trust user input directly in file operations'));
+                }
+            }
+            // 15. Regex DoS (ReDoS) - MEDIUM
+            // FIX (Dec 12, 2025): Enhanced to detect more ReDoS patterns
+            // Pattern 1: (something)+ or (something)* where 'something' contains quantifiers
+            // Pattern 2: ([...])+ or ([...])* - redundant quantifier on character class
+            // Pattern 3: (nested(group)+)+ - nested groups with quantifiers
+            if (trimmed.match(/new\s+RegExp|\/.*\(.*\)/)) {
+                // Check for dangerous nested quantifier patterns:
+                // 1. (...+...)+ or (...*...)+ - quantifier inside group, quantifier outside
+                const nestedQuantInside = trimmed.match(/\([^)]*[+*][^)]*\)[+*]/);
+                // 2. ([...])+ or ([...])* - redundant quantifier on character class (inefficient pattern)
+                const redundantQuantifier = trimmed.match(/\(\[[^\]]+\]\)[+*]/);
+                // 3. (...)+ where ... is complex (multiple chars/groups)
+                const complexGroupQuant = trimmed.match(/\([^)]{3,}\)[+*]/);
+                if (nestedQuantInside || redundantQuantifier || (complexGroupQuant && nestedQuantInside)) {
+                    vulnerabilities.push(this.createSecurityVulnerability('regex-dos', 'Regular expression with nested/redundant quantifiers can cause ReDoS', 'Simplify regex pattern: use [a-z]+ instead of ([a-z])+, or use timeout/safe-regex libraries', lineNumber, 'Regular expressions with nested quantifiers can have exponential time complexity, allowing attackers to cause Denial of Service with carefully crafted input. Patterns like ([a-z])+ are redundant and should be simplified to [a-z]+.', 'const regex = /^([a-z0-9_])+@/; // Redundant - testing "aaa...aX" causes backtracking', [
+                        'Denial of Service (DoS)',
+                        'Application freeze/timeout',
+                        'CPU exhaustion',
+                        'Service unavailability'
+                    ], 'const regex = /^([a-zA-Z0-9_\\.-])+@/; // Nested quantifiers', 'const regex = /^[a-zA-Z0-9_\\.-]+@/; // Simplified - remove outer parentheses and quantifier\n// Or use timeout:\nconst { match } = require("regex-with-timeout");\nmatch(input, pattern, { timeout: 100 });', 'Avoid nested quantifiers in regex. Simplify ([...])+ to [...]+ for character classes. Use tools like safe-regex to detect vulnerable patterns, or implement timeouts'));
+                }
+            }
+            // 16. Missing error handling - LOW
+            if ((trimmed.includes('fetch(') || trimmed.includes('await ')) &&
+                !code.includes('try') && !code.includes('.catch')) {
+                vulnerabilities.push(this.createSecurityVulnerability('missing-error-handling', 'Async operation without error handling', 'Add try/catch block or .catch() handler', lineNumber, 'Unhandled promise rejections can crash Node.js applications or leak sensitive error details to users.', 'await fetch(url); // If fails, crashes application or exposes stack trace', [
+                    'Application crashes',
+                    'Stack trace information disclosure',
+                    'Poor user experience',
+                    'Potential security information leakage'
+                ], 'const data = await fetch(url).then(r => r.json());', 'try {\n  const data = await fetch(url).then(r => r.json());\n} catch (error) {\n  console.error("Fetch failed:", error.message);\n  // Handle error appropriately\n}', 'Always wrap async operations in try/catch or use .catch(). Never expose error details to users in production'));
+            }
+            // 17. console.log in production - LOW
+            // RESTORED (Dec 6, 2025): This check is needed for JavaScript files
+            // TypeScript analyzer handles .ts files, JavaScript analyzer handles .js files
+            // The duplicate detection issue was for .ts files analyzed by BOTH analyzers
+            // This check should run for pure JavaScript files only
+            if (trimmed.includes('console.log')) {
+                vulnerabilities.push(this.createSecurityVulnerability('console-log-production', 'console.log found - remove in production code', 'Use a proper logging library (winston, pino) with appropriate log levels', lineNumber, 'console.log statements can expose sensitive data in production logs and impact performance.', 'console.log("User password:", password); // Exposes secrets in logs', [
+                    'Sensitive data exposure in logs',
+                    'Performance impact (synchronous I/O)',
+                    'No log level control',
+                    'Difficult to filter in production'
+                ], 'console.log("Debug:", sensitiveData);', 'logger.debug("Processing request"); // Use proper logging library', 'Replace console.log with a logging library that supports log levels and can be disabled in production'));
+            }
+            // 18. Insecure cookie - MEDIUM
+            // Detects: document.cookie = ... without httpOnly, secure, and sameSite flags
+            if (trimmed.includes('document.cookie') && trimmed.includes('=') &&
+                !trimmed.includes('httpOnly') && !trimmed.includes('secure') &&
+                !trimmed.startsWith('//')) {
+                vulnerabilities.push(this.createSecurityVulnerability('insecure-cookie', 'Cookie set without security flags (httpOnly, secure, sameSite)', 'Set cookies server-side with httpOnly, secure, and sameSite flags', lineNumber, 'Cookies set via document.cookie are vulnerable to XSS attacks and can be stolen by malicious scripts. They lack security flags and persist insecurely.', 'document.cookie = "token=" + authToken; // Accessible to JavaScript, vulnerable to XSS theft', [
+                    'Cookie theft via XSS',
+                    'Session hijacking',
+                    'CSRF attacks (without sameSite)',
+                    'Man-in-the-middle attacks (without secure flag)',
+                    'No HttpOnly protection'
+                ], 'document.cookie = `token=${token}; path=/`;', '// Server-side (Node.js/Express):\nres.cookie("token", token, {\n  httpOnly: true,  // Not accessible to JavaScript\n  secure: true,    // Only sent over HTTPS\n  sameSite: "strict" // CSRF protection\n});', 'Always set sensitive cookies server-side with httpOnly, secure, and sameSite flags. Never use document.cookie for authentication tokens'));
+            }
+            // PHASE 6 WEEK 1 DAY 2: Node.js-Specific Security Checks
+            // 1. Code Injection via require() - CRITICAL
+            // PHASE 6 FIX (2025-11-21): Enhanced detection for string concatenation and property access
+            // Detects: require(variable), require('path' + variable), require(req.params.x)
+            const hasRequireWithVariable = trimmed.match(/require\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*[\),]/) &&
+                !trimmed.match(/require\s*\(\s*['"`]/);
+            const hasRequireWithConcatenation = trimmed.match(/require\s*\(/) &&
+                (trimmed.match(/['"`][^'"]*['"]\s*\+/) ||
+                    trimmed.match(/\+\s*['"`]/) ||
+                    trimmed.match(/\$\{[^}]*\}/)); // Template literals
+            // req.params.x or obj.prop - but NOT string literals like "socket.io"
+            const hasRequireWithPropertyAccess = trimmed.match(/require\s*\([^)]*\.[^)]+\)/) &&
+                !trimmed.match(/require\s*\(\s*['"`]/); // Exclude string literals
+            if (hasRequireWithVariable || hasRequireWithConcatenation || hasRequireWithPropertyAccess) {
+                vulnerabilities.push(this.createSecurityVulnerability('nodejs-require-injection', 'Node.js: Dynamic require() with user input allows arbitrary code execution', 'Use a whitelist of allowed modules or avoid dynamic require() entirely', lineNumber, 'An attacker can load arbitrary modules by controlling the require() argument, leading to remote code execution and complete server compromise.', 'require(req.query.module) where query.module = "child_process" allows executing system commands', [
+                    'Remote Code Execution (RCE)',
+                    'Complete server compromise',
+                    'Data exfiltration',
+                    'Malware installation',
+                    'Denial of Service'
+                ], 'const module = require(userInput);', 'const ALLOWED_MODULES = { "fs": "fs", "path": "path" };\nconst moduleName = ALLOWED_MODULES[userInput];\nif (!moduleName) throw new Error("Invalid module");\nconst module = require(moduleName);', 'Never use user input directly in require(). Use a whitelist of allowed modules or refactor to avoid dynamic loading'));
+            }
+            // 2. Path Traversal in require() - HIGH
+            if (trimmed.match(/require\s*\(\s*['"`]\.\.\//) ||
+                (trimmed.match(/require\s*\(/) && trimmed.match(/[+\$\{]/) && trimmed.includes('../'))) {
+                vulnerabilities.push(this.createSecurityVulnerability('nodejs-path-traversal', 'Node.js: Path traversal in require() allows loading arbitrary files', 'Validate and sanitize file paths, use path.resolve() and check if result is within allowed directory', lineNumber, 'An attacker can traverse directories and load sensitive files or execute unauthorized code by manipulating the file path.', 'require("../controllers/" + req.params.file) where params.file = "../../../../etc/passwd" (if cached by require)', [
+                    'Unauthorized file access',
+                    'Sensitive data exposure',
+                    'Code execution via loading malicious files',
+                    'Directory traversal attacks'
+                ], 'const file = require("../controllers/" + filename);', 'const path = require("path");\nconst basePath = path.resolve(__dirname, "../controllers");\nconst fullPath = path.resolve(basePath, filename);\nif (!fullPath.startsWith(basePath)) throw new Error("Invalid path");\nconst file = require(fullPath);', 'Always validate file paths, use path.resolve() to normalize, and verify the result is within the allowed directory'));
+            }
+            // 3. Missing Security Headers (helmet) - MEDIUM
+            // RESTORED (Dec 6, 2025): Detects Express apps without helmet() middleware
+            // Now checks for: 1) Express app exists, 2) helmet is NOT actually used
+            // FIX: Check for actual helmet usage patterns, not just the word in comments
+            // Patterns that indicate helmet IS being used:
+            // - require('helmet') or require("helmet") - helmet is imported
+            // - app.use(helmet - helmet middleware is applied
+            // FIX (Dec 6, 2025): Strip comments before checking for helmet import/usage
+            // This prevents false negatives when comments mention helmet
+            const codeWithoutComments = code.replace(/\/\/.*$/gm, '').replace(/\/\*[\s\S]*?\*\//g, '');
+            const hasHelmetImport = codeWithoutComments.includes("require('helmet')") || codeWithoutComments.includes('require("helmet")') ||
+                codeWithoutComments.includes("from 'helmet'") || codeWithoutComments.includes('from "helmet"');
+            const hasHelmetUsage = codeWithoutComments.match(/app\.use\s*\(\s*helmet/);
+            const isExpressApp = trimmed.includes('express()') || trimmed.match(/=\s*express\s*\(/);
+            if (isExpressApp && !hasHelmetImport && !hasHelmetUsage) {
+                vulnerabilities.push(this.createSecurityVulnerability('nodejs-missing-helmet', 'Express app without helmet() security headers middleware', 'Add app.use(helmet()) to set secure HTTP headers (CSP, HSTS, X-Frame-Options)', lineNumber, 'Express applications without helmet() are vulnerable to common web attacks. Helmet sets security headers that protect against XSS, clickjacking, and other attacks.', 'Express app serves responses without Content-Security-Policy, X-Frame-Options, or HSTS headers', [
+                    'Cross-Site Scripting (XSS)',
+                    'Clickjacking attacks',
+                    'MIME type sniffing attacks',
+                    'Missing HTTPS enforcement (HSTS)',
+                    'Information disclosure via headers'
+                ], 'const app = express();\napp.get("/", (req, res) => res.send("Hello"));', 'const helmet = require("helmet");\nconst app = express();\napp.use(helmet()); // Secure headers\napp.get("/", (req, res) => res.send("Hello"));', 'Install and use helmet: npm install helmet, then add app.use(helmet()) before route definitions'));
+            }
+            // 4. Unsafe Request Handling (req.query/req.params/req.body without validation) - HIGH
+            // PHASE 6 FIX (2025-11-21): Added detection for whole-object assignment
+            // Detects: req.body.prop, req.body["prop"], AND const x = req.body;
+            if ((trimmed.match(/req\.(query|params|body)\[['"]\w+['"]\]/) ||
+                trimmed.match(/req\.(query|params|body)\.\w+/) ||
+                trimmed.match(/=\s*req\.(query|params|body)\s*[;,\)]/) // NEW: whole-object assignment
+            ) &&
+                !trimmed.includes('validate') && !trimmed.includes('sanitize') &&
+                !trimmed.includes('parseInt') && !trimmed.includes('Number(')) {
+                vulnerabilities.push(this.createSecurityVulnerability('nodejs-unsafe-request-params', 'Node.js: Unvalidated req.query/req.params/req.body used in sensitive operations', 'Validate and sanitize all user input before use, especially in database queries or system commands', lineNumber, 'User input from req.query, req.params, or req.body is used directly without validation, enabling SQL injection, command injection, or other attacks.', 'db.query(`SELECT * FROM users WHERE id = ${req.query.id}`) where query.id = "1 OR 1=1" (SQL injection)', [
+                    'SQL Injection',
+                    'NoSQL Injection',
+                    'Command Injection',
+                    'Path Traversal',
+                    'XSS via reflected input'
+                ], 'const userId = req.query.id;\ndb.query(`SELECT * FROM users WHERE id = ${userId}`);', 'const userId = parseInt(req.query.id, 10);\nif (!userId || userId < 1) throw new Error("Invalid ID");\ndb.query("SELECT * FROM users WHERE id = ?\", [userId]);', 'Always validate and sanitize user input. Use parameterized queries for databases, whitelists for file paths, and type checking for numbers'));
+            }
+            // 5. Command Injection (child_process.exec) - CRITICAL
+            if (trimmed.match(/exec\s*\(/) &&
+                (trimmed.match(/[+\$\{`]/) ||
+                    trimmed.match(/exec\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*[\),]/))) {
+                vulnerabilities.push(this.createSecurityVulnerability('nodejs-command-injection', 'Node.js: Command injection via child_process.exec() with unsanitized user input', 'Use child_process.execFile() with argument array, or validate/sanitize input with strict whitelist', lineNumber, 'An attacker can execute arbitrary system commands by injecting shell metacharacters (;, |, &, $(), etc.) into user input passed to exec().', 'exec("ping " + req.body.host) where body.host = "google.com; rm -rf /" executes both commands', [
+                    'Remote Code Execution (RCE)',
+                    'Complete server compromise',
+                    'Data deletion (rm -rf)',
+                    'Backdoor installation',
+                    'Lateral movement in network'
+                ], 'exec("ping " + userInput);', 'const { execFile } = require("child_process");\nexecFile("ping", ["-c", "4", userInput], (err, stdout) => {\n  // execFile doesn\'t use shell, preventing injection\n});', 'Never use exec() with user input. Use execFile() with argument array to prevent shell injection, or use strict whitelist validation'));
+            }
+        });
+        // OWASP 2025 Checks (Phase 7B) - Called once with all lines for efficiency
+        // These modules handle line-by-line iteration internally and return properly formatted vulnerabilities
+        // OWASP A02:2025 - Security Misconfiguration (8 checks)
+        // Debug mode, error exposure, CORS, headers, sessions, default creds, admin interfaces, HTTP methods
+        vulnerabilities.push(...(0, security_misconfiguration_1.checkSecurityMisconfiguration)(lines));
+        // OWASP A10:2025 - Mishandling of Exceptional Conditions (5 checks)
+        // Empty catch, promise rejections, missing error logging, swallowed errors, missing finally
+        vulnerabilities.push(...(0, exception_handling_1.checkExceptionHandling)(lines));
+        // OWASP A03:2025 - Software Supply Chain Failures (5 checks)
+        // Package integrity, dependency verification, update mechanisms, vendored deps, build chain
+        vulnerabilities.push(...(0, enhanced_supply_chain_1.checkEnhancedSupplyChain)(lines));
+        // OWASP A01:2025 - Broken Access Control (2 checks) - Phase 7B Day 11
+        // Missing authentication middleware, client-side only authorization
+        vulnerabilities.push(...(0, access_control_1.checkAccessControl)(lines));
+        // OWASP A07:2025 - Authentication Failures (2 checks) - Phase 7B Day 11
+        // Missing MFA/2FA, no rate limiting on login
+        vulnerabilities.push(...(0, authentication_failures_1.checkAuthenticationFailures)(lines));
+        // OWASP A04:2025 - Insecure Design (4 checks) - NEW Dec 30, 2025
+        // Client-controlled pricing, quantity limits, race conditions, idempotency
+        vulnerabilities.push(...(0, insecure_design_1.checkInsecureDesign)(lines));
+        // OWASP A08:2025 - Software and Data Integrity Failures (6 checks) - NEW Dec 30, 2025
+        // Dynamic script loading, SRI, code download verification, HTTPS, package integrity
+        vulnerabilities.push(...(0, software_integrity_1.checkSoftwareIntegrity)(lines));
+        // =============================================================================
+        // DEDUPLICATION: Remove duplicate vulnerabilities on same line
+        // =============================================================================
+        // Fix for Beta Testing Issue: Command injection reported twice, Callback hell reported 7 times
+        // MERGE with vulnerabilities from extracted modules (added before this method was called)
+        const allVulnerabilities = [...result.security.vulnerabilities, ...vulnerabilities];
+        result.security.vulnerabilities = this.deduplicateVulnerabilities(allVulnerabilities);
+    }
+    calculateMetrics(code, result) {
+        const lines = code.split('\n');
+        result.metrics.lines = lines.length;
+        // Count functions
+        const functions = (code.match(/function\s+\w+|const\s+\w+\s*=.*=>/g) || []).length;
+        result.metrics.functions = functions;
+        // Calculate cyclomatic complexity
+        let complexity = 1;
+        const safeKeywords = ['if', 'else', 'for', 'while', 'switch', 'case', 'catch'];
+        safeKeywords.forEach(keyword => {
+            const matches = code.match(new RegExp(`\\b${keyword}\\b`, 'g'));
+            if (matches)
+                complexity += matches.length;
+        });
+        // Logical operators (exclude TypeScript syntax)
+        const isTypeScript = (0, typescript_syntax_1.isTypeScriptCode)(code);
+        if (!isTypeScript) {
+            // Only in pure JavaScript, count logical operators
+            const andOperators = code.match(/&&/g);
+            const orOperators = code.match(/\|\|/g);
+            const ternaryOperators = code.match(/\?[^:]*:/g);
+            if (andOperators)
+                complexity += andOperators.length;
+            if (orOperators)
+                complexity += orOperators.length;
+            if (ternaryOperators)
+                complexity += ternaryOperators.length;
+        }
+        else {
+            // In TypeScript, be more conservative with complexity
+            // Only count logical operators in code context, not types
+            const logicalAnd = code.match(/\s&&\s/g); // With spaces = probably logic
+            const logicalOr = code.match(/\s\|\|\s/g); // With spaces = probably logic
+            if (logicalAnd)
+                complexity += logicalAnd.length;
+            if (logicalOr)
+                complexity += logicalOr.length;
+        }
+        result.metrics.complexity = complexity;
+        result.metrics.maintainability = Math.max(0, 100 - complexity * 3);
+    }
+    /**
+     * Deduplicate vulnerabilities on the same line
+     *
+     * P1-5: Generic deduplication for ALL vulnerability types (Dec 30, 2025)
+     * Previous: Only handled command injection and callback hell
+     * Now: Handles all duplicates (hardcoded credentials, XSS, SQL injection, etc.)
+     *
+     * Strategy: Use line + category as unique key, keep highest CVSS score
+     *
+     * @param vulnerabilities - Array of vulnerabilities to deduplicate
+     * @returns Deduplicated array with one vulnerability per line+category
+     */
+    deduplicateVulnerabilities(vulnerabilities) {
+        // P1-5: Generic deduplication using line + category as unique key
+        // Extract category from message (first significant keyword)
+        const getCategory = (message) => {
+            const lower = message.toLowerCase();
+            // Extract main vulnerability type from message
+            if (lower.includes('hardcoded credential'))
+                return 'hardcoded-credential';
+            if (lower.includes('command injection'))
+                return 'command-injection';
+            if (lower.includes('callback hell'))
+                return 'callback-hell';
+            if (lower.includes('sql injection'))
+                return 'sql-injection';
+            if (lower.includes('nosql injection'))
+                return 'nosql-injection';
+            if (lower.includes('xss') || lower.includes('cross-site scripting'))
+                return 'xss';
+            if (lower.includes('ssrf'))
+                return 'ssrf';
+            if (lower.includes('xxe'))
+                return 'xxe';
+            if (lower.includes('insecure random'))
+                return 'insecure-random';
+            if (lower.includes('weak hash'))
+                return 'weak-hash';
+            if (lower.includes('missing helmet'))
+                return 'missing-helmet';
+            if (lower.includes('missing csrf'))
+                return 'missing-csrf';
+            if (lower.includes('eval'))
+                return 'eval';
+            if (lower.includes('prototype pollution'))
+                return 'prototype-pollution';
+            if (lower.includes('deserialization'))
+                return 'deserialization';
+            if (lower.includes('path traversal'))
+                return 'path-traversal';
+            if (lower.includes('open redirect'))
+                return 'open-redirect';
+            // Fallback: use first 30 chars of message as category
+            return message.substring(0, 30);
+        };
+        const uniqueMap = new Map();
+        vulnerabilities.forEach(vuln => {
+            const line = vuln.line || 0;
+            const category = getCategory(vuln.message || '');
+            const key = `${line}:${category}`;
+            const existing = uniqueMap.get(key);
+            if (!existing) {
+                // First occurrence of this line + category
+                uniqueMap.set(key, vuln);
+            }
+            else {
+                // Duplicate detected - keep higher CVSS score
+                const existingScore = existing.cvssScore || 0;
+                const currentScore = vuln.cvssScore || 0;
+                if (currentScore > existingScore) {
+                    uniqueMap.set(key, vuln);
+                }
+            }
+        });
+        return Array.from(uniqueMap.values());
+    }
+}
+exports.JavaScriptAnalyzer = JavaScriptAnalyzer;
+//# sourceMappingURL=javascript-analyzer.js.map