codeslick-cli 1.0.0

package/dist/src/lib/analyzers/python-analyzer.js

@@ -0,0 +1,1600 @@
+"use strict";
+/**
+ * ⚠️ SHARED MODULE: Python Security Analyzer
+ *
+ * CRITICAL: This module is used by BOTH WebTool and GitHub App
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file analysis (<3s target)
+ * - Real-time vulnerability detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis (10-30s OK)
+ * - Automated security checks for professional teams
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all 96 analyzer tests: npm test analyzers
+ * 2. Test WebTool: Paste Python code at /analyze → Verify results
+ * 3. Test GitHub: Open PR with Python → Verify webhook comment
+ * 4. Verify performance: Analysis must complete in <2s per file
+ * 5. Check detection rate: All 19 Python checks must still detect
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by both systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks BOTH WebTool and GitHub UI parsing
+ *
+ * See: docs/technical/WEBTOOL_GITHUB_SEPARATION.md
+ *
+ * Last modified: 2025-11-18
+ * Last verified (both systems): 2025-11-18
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PythonAnalyzer = void 0;
+const references_1 = require("../standards/references");
+const severity_scoring_1 = require("../security/severity-scoring");
+const compliance_mapping_1 = require("../security/compliance-mapping");
+const code_cleaner_1 = require("../utils/code-cleaner");
+const PythonAsyncSecurity = __importStar(require("./security-checks/python-async-security"));
+const injection_attacks_1 = require("./python/security-checks/injection-attacks");
+const credentials_crypto_1 = require("./python/security-checks/credentials-crypto");
+const deserialization_1 = require("./python/security-checks/deserialization");
+const web_security_1 = require("./python/security-checks/web-security");
+const code_quality_1 = require("./python/security-checks/code-quality");
+const django_security_1 = require("./python/security-checks/django-security");
+const flask_security_1 = require("./python/security-checks/flask-security");
+const security_misconfiguration_1 = require("./python/security-checks/security-misconfiguration");
+const exception_handling_1 = require("./python/security-checks/exception-handling");
+const enhanced_supply_chain_1 = require("./python/security-checks/enhanced-supply-chain");
+const access_control_1 = require("./python/security-checks/access-control");
+const crypto_failures_1 = require("./python/security-checks/crypto-failures");
+const insecure_design_1 = require("./python/security-checks/insecure-design");
+const logging_failures_1 = require("./python/security-checks/logging-failures");
+const data_integrity_1 = require("./python/security-checks/data-integrity");
+const nosql_injection_1 = require("./python/security-checks/nosql-injection");
+const ssrf_detection_1 = require("./python/security-checks/ssrf-detection");
+const authentication_flaws_1 = require("./python/security-checks/authentication-flaws");
+const secrets_analyzer_1 = require("./secrets/secrets-analyzer");
+const ai_generated_code_1 = require("./python/security-checks/ai-generated-code");
+class PythonAnalyzer {
+    constructor() {
+        this.language = 'python';
+    }
+    async analyze(input) {
+        const result = {
+            syntax: { valid: true, errors: [], lineErrors: [] },
+            quality: { score: 100, issues: [] },
+            performance: { score: 100, suggestions: [] },
+            security: { vulnerabilities: [] },
+            metrics: { complexity: 1, maintainability: 100, lines: 0, functions: 0 }
+        };
+        try {
+            this.analyzeSyntax(input.code, result);
+            this.analyzeQuality(input.code, result);
+            this.analyzePerformance(input.code, result);
+            this.analyzeSecurity(input.code, result);
+            this.calculateMetrics(input.code, result);
+            // AI-Generated Code Detection (Phase 1.5, Week 5-7)
+            const lines = input.code.split('\n');
+            result.security.vulnerabilities.push(...(0, ai_generated_code_1.checkAIGeneratedCode)(lines, input.filename));
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            result.syntax.valid = false;
+            result.syntax.errors.push(`Python analysis error: ${errorMessage}`);
+        }
+        return result;
+    }
+    async validateSyntax(code) {
+        // Basic Python syntax checks
+        const lines = code.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line || line.startsWith('#'))
+                continue;
+            // Verificar estruturas que devem terminar com :
+            if (line.match(/^(if|for|while|def|class|try|except|finally|with|elif)\s/) && !line.endsWith(':')) {
+                return false;
+            }
+            // Verificar comentários JavaScript em código Python
+            if (line.includes('//')) {
+                return false;
+            }
+        }
+        return true;
+    }
+    getLanguageInfo() {
+        return {
+            name: 'Python',
+            extensions: ['.py', '.pyw', '.pyc', '.pyo', '.pyd'],
+            description: 'Language for data science, web, and automation'
+        };
+    }
+    analyzeSyntax(code, result) {
+        const errors = [];
+        const lineErrors = [];
+        const processedLines = new Set(); // Track lines that already have errors
+        const lines = code.split('\n');
+        let inMultilineString = false; // Track if we're inside a triple-quoted string
+        // First pass: Priority syntax errors (critical issues first)
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // CRITICAL: Track Python triple-quote strings (""" ... """ or ''' ... ''')
+            const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+            if (hasTripleQuote) {
+                if (!inMultilineString) {
+                    // Start of multi-line string
+                    inMultilineString = true;
+                    // Check if it closes on the same line (single-line docstring)
+                    const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                    if (tripleQuoteCount >= 2) {
+                        // Opens and closes on same line, reset flag
+                        inMultilineString = false;
+                    }
+                    return; // Skip this line
+                }
+                else {
+                    // End of multi-line string
+                    inMultilineString = false;
+                    return; // Skip this line
+                }
+            }
+            // Skip lines inside multi-line strings, empty lines, and comments
+            if (inMultilineString || !trimmed || trimmed.startsWith('#'))
+                return;
+            // Priority 1: Check for unclosed strings (general detection)
+            // CRITICAL FIX: Remove comments to prevent false positives
+            // Example: message = "Hello World  # Missing closing quote
+            const lineWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(line, 'python');
+            // Detect unclosed strings: count unescaped quotes
+            const checkUnclosedString = (text, quoteChar) => {
+                let count = 0;
+                let escaped = false;
+                for (let i = 0; i < text.length; i++) {
+                    if (escaped) {
+                        escaped = false;
+                        continue;
+                    }
+                    if (text[i] === '\\') {
+                        escaped = true;
+                        continue;
+                    }
+                    if (text[i] === quoteChar) {
+                        count++;
+                    }
+                }
+                // Odd count means unclosed string
+                return count % 2 !== 0;
+            };
+            // Check for unclosed double quotes
+            if (checkUnclosedString(lineWithoutComments, '"')) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Unclosed string - missing closing double quote (")',
+                    suggestion: 'Add " to close the string',
+                    severity: 'error'
+                });
+                // Don't return - continue checking for other errors
+            }
+            // Check for unclosed single quotes
+            if (checkUnclosedString(lineWithoutComments, "'")) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: "Unclosed string - missing closing single quote (')",
+                    suggestion: "Add ' to close the string",
+                    severity: 'error'
+                });
+                // Don't return - continue checking for other errors
+            }
+            // Priority 2: Check for unclosed f-strings (improved pattern)
+            const fStringMatches = lineWithoutComments.match(/f["'][^"']*\{[^}]*$/);
+            if (fStringMatches) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'f-string with unclosed brace',
+                    suggestion: 'Add } to close the expression in the f-string',
+                    severity: 'error'
+                });
+                // Don't return - continue checking for other errors
+            }
+            // Priority 3: Check for format string argument mismatch (improved logic)
+            // Use cleaned line to avoid false positives from comments
+            const formatMatch = lineWithoutComments.match(/\"([^\"]*)\"\s*\.format\s*\(([^)]*)\)/);
+            if (formatMatch) {
+                const formatStr = formatMatch[1];
+                const argsStr = formatMatch[2];
+                // Count placeholders in the format string
+                const placeholders = (formatStr.match(/\{\}/g) || []).length;
+                // Count arguments more accurately
+                let argsCount = 0;
+                if (argsStr.trim()) {
+                    // Split by comma, but be careful with nested structures
+                    const args = argsStr.split(',').map(arg => arg.trim()).filter(arg => arg.length > 0);
+                    argsCount = args.length;
+                }
+                if (argsCount > placeholders) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Extra arguments in .format()',
+                        suggestion: `Has ${argsCount} arguments but only ${placeholders} placeholder(s) {}`,
+                        severity: 'error'
+                    });
+                    // Continue checking for other errors
+                }
+            }
+            // Priority 4: JavaScript-style comments in Python
+            // CRITICAL FIX: Check in original line (before comment removal) BUT avoid strings
+            // We want to detect: const x = 5; // JavaScript comment
+            // But not detect: url = "https://example.com"
+            if (line.includes('//') && !line.match(/["'].*\/\/.*["']/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Python uses # for comments, not //',
+                    suggestion: 'Change // to # at the beginning of the comment',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 5: Missing colons in control structures
+            // CRITICAL FIX: Check lineWithoutComments (not trimmed) to avoid false positives from comments
+            // Example: def foo():  # comment <- This should NOT trigger error!
+            if ((trimmed.startsWith('if ') ||
+                trimmed.startsWith('for ') ||
+                trimmed.startsWith('while ') ||
+                trimmed.startsWith('def ') ||
+                trimmed.startsWith('class ') ||
+                trimmed.startsWith('try') ||
+                trimmed.startsWith('except') ||
+                trimmed.startsWith('finally') ||
+                trimmed.startsWith('with ') ||
+                trimmed.startsWith('elif ')) &&
+                !lineWithoutComments.trimEnd().endsWith(':')) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Missing colon at the end of statement',
+                    suggestion: `Add : at the end: ${lineWithoutComments.trimEnd()}:`,
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 6: Assignment in conditional (if x = 10: instead of if x == 10:)
+            // CRITICAL: Detect single = in if/while/elif but allow := (walrus operator)
+            // Use cleaned line to avoid false positives from comments
+            if ((trimmed.startsWith('if ') || trimmed.startsWith('elif ') || trimmed.startsWith('while ')) &&
+                lineWithoutComments.match(/\s+\w+\s*=\s*[^=]/) &&
+                !lineWithoutComments.includes(':=')) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Assignment (=) in conditional statement - should use comparison (==)',
+                    suggestion: 'Change = to == for comparison, or use := for assignment (walrus operator)',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 6: Python 3 print syntax
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/\bprint\s+[^(]/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'print in Python 3 requires parentheses',
+                    suggestion: 'Use print("message") instead of print "message"',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 7: Invalid escape sequences in strings
+            // Python only recognizes specific escape sequences: \n, \t, \r, \\, \', \", etc.
+            // Common error: "C:\new\folder" has invalid \n and \f (should be raw string or escaped)
+            // Use cleaned line to avoid false positives from comments
+            // Check for invalid escape sequences in double-quoted strings
+            const doubleQuotedMatches = lineWithoutComments.matchAll(/"([^"]*)"/g);
+            for (const match of doubleQuotedMatches) {
+                const stringContent = match[1];
+                // Check for invalid escape sequences (backslash followed by character that's not a valid escape)
+                // Valid escapes: \n, \t, \r, \\, \', \", \a, \b, \f, \v, \0, \x, \u, \N, and octal
+                const invalidEscapes = stringContent.match(/\\([^ntr\\'\"abfv0xuN0-7])/g);
+                if (invalidEscapes) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Invalid escape sequence(s): ${invalidEscapes.join(', ')}`,
+                        suggestion: 'Use raw string (r"...") for paths or escape the backslash (\\\\)',
+                        severity: 'error'
+                    });
+                    break; // Only report once per line
+                }
+            }
+            // Check for invalid escape sequences in single-quoted strings
+            const singleQuotedMatches = lineWithoutComments.matchAll(/'([^']*)'/g);
+            for (const match of singleQuotedMatches) {
+                const stringContent = match[1];
+                const invalidEscapes = stringContent.match(/\\([^ntr\\'\"abfv0xuN0-7])/g);
+                if (invalidEscapes) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Invalid escape sequence(s): ${invalidEscapes.join(', ')}`,
+                        suggestion: 'Use raw string (r"...") for paths or escape the backslash (\\\\)',
+                        severity: 'error'
+                    });
+                    break; // Only report once per line
+                }
+            }
+            // Priority 8: Malformed f-strings (missing opening quote)
+            // Pattern: print(f{...} or similar where f is followed by { without quotes
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/\bf\s*\{[^}]*\}/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Malformed f-string - missing quotes',
+                    suggestion: 'f-strings must start with quotes: f"{...}" or f\'{...}\'',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 9: Missing parentheses on method calls
+            // Pattern: .date > or .date < or .date = (should be .date())
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/\.\w+\s*[><=!]/)) {
+                const match = lineWithoutComments.match(/\.(\w+)\s*([><=!])/);
+                if (match) {
+                    const methodName = match[1];
+                    // Common Python methods that require parentheses
+                    const methodsRequiringParens = ['date', 'time', 'now', 'today', 'strip', 'lower', 'upper', 'count', 'copy'];
+                    if (methodsRequiringParens.includes(methodName)) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Method .${methodName} requires parentheses`,
+                            suggestion: `Add parentheses: .${methodName}()`,
+                            severity: 'error'
+                        });
+                    }
+                }
+                // Continue checking
+            }
+            // Priority 10: Trailing comma in assignments (not in lists/tuples)
+            // Pattern: self.var = value, at end of line
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/=\s*[^,\[\{]+,\s*$/) && !lineWithoutComments.includes('[') && !lineWithoutComments.includes('{')) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Extra comma at the end of assignment',
+                    suggestion: 'Remove the trailing comma (or were you trying to create a tuple?)',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 11: Incomplete ternary operator (missing value after else)
+            // Pattern: var = "value" if condition else (missing value)
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/=.*\bif\b.*\belse\s*$/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Incomplete ternary operator - missing value after "else"',
+                    suggestion: 'Complete: variable = value_if_true if condition else value_if_false',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 12: AI Hallucination - .push() instead of .append()
+            // JavaScript method being used in Python
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/\.\s*push\s*\(/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Method .push() does not exist in Python - use .append()',
+                    suggestion: 'In Python, lists use .append() instead of .push()',
+                    severity: 'error'
+                });
+                // Continue checking
+            }
+            // Priority 13: Empty parentheses in class definition (not inheriting)
+            // Pattern: class ClassName(): (should be class ClassName:)
+            // Use cleaned line to avoid false positives from comments
+            if (lineWithoutComments.match(/^\s*class\s+\w+\s*\(\s*\)\s*:/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Unnecessary empty parentheses in class definition',
+                    suggestion: 'Remove empty parentheses: class ClassName: (or add base class if inheriting)',
+                    severity: 'warning'
+                });
+                // Continue checking
+            }
+            // Priority 14: Check for missing commas in dictionaries
+            // Pattern: key: value followed by a new key (without comma)
+            // Example: 'age': int(record.get('age', 0))
+            //          'active': ... <- missing comma before 'active'
+            if (trimmed.match(/['"].*['"]\s*:\s*/) && !trimmed.includes('#')) {
+                // This line starts a dict key
+                const nextLineIndex = index + 1;
+                if (nextLineIndex < lines.length) {
+                    const nextLine = lines[nextLineIndex].trim();
+                    // Check if next line also has a dict key and current line doesn't end with comma or opening brace
+                    if (nextLine.match(/^['"].*['"]\s*:/) &&
+                        !trimmed.endsWith(',') &&
+                        !trimmed.endsWith('{') &&
+                        !nextLine.startsWith('}')) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: 'Missing comma in dictionary',
+                            suggestion: 'Add comma at the end of this line before the next key',
+                            severity: 'error'
+                        });
+                        // Continue checking
+                    }
+                }
+            }
+            // Priority 15: Check for trailing commas before comments
+            // Example: float(record['amount'],  # comment
+            // CRITICAL FIX: Exclude list/tuple items (trailing commas are valid in Python)
+            // Valid: "item",  # comment  (in a list)
+            // Invalid: float(x,  # missing closing paren
+            if (trimmed.match(/,\s*#/)) {
+                const beforeComment = trimmed.split('#')[0].trim();
+                // Check if this is a valid list/tuple/dict item with trailing comma
+                const isListItem = beforeComment.match(/^["'][^"']*["']\s*,\s*$/) || // String with trailing comma
+                    beforeComment.match(/^[^=()]+,\s*$/); // Expression with trailing comma
+                // Check if line has unmatched opening bracket (likely a function call issue)
+                const hasOpenParen = trimmed.includes('(') && !trimmed.includes(')');
+                // Only flag if it's likely a function call with missing argument, not a list item
+                if (beforeComment.endsWith(',') && hasOpenParen && !isListItem) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: 'Extra comma before comment',
+                        suggestion: 'Remove the extra comma or add another argument',
+                        severity: 'error'
+                    });
+                    // Continue checking
+                }
+            }
+        });
+        // NEW: Check for missing imports (scan whole code)
+        this.checkMissingImports(code, lineErrors);
+        // NEW: Check for unclosed function/method calls across multiple lines
+        this.checkUnbalancedParentheses(code, lineErrors);
+        // Advanced detections (similar to JavaScript analyzer)
+        this.detectAIHallucinations(code, lineErrors);
+        this.detectIndentationErrors(code, lineErrors);
+        this.detectTypeErrors(code, lineErrors);
+        this.detectNameErrors(code, lineErrors);
+        this.detectAttributeErrors(code, lineErrors);
+        this.detectIndexErrors(code, lineErrors);
+        this.detectKeyErrors(code, lineErrors);
+        this.detectMutableDefaults(code, lineErrors);
+        this.detectLoopModification(code, lineErrors);
+        this.detectScopeIssues(code, lineErrors);
+        // Second pass: Bracket/parentheses checking (only if no critical errors found)
+        if (lineErrors.filter(e => e.severity === 'error').length === 0) {
+            this.checkBracketBalance(code, errors, lineErrors);
+        }
+        // Third pass: Indentation warnings (ALWAYS run - helps identify root cause of syntax errors)
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Only check indentation for non-empty, non-comment lines that are indented
+            if (trimmed && !trimmed.startsWith('#') && line.startsWith(' ') && lineNumber > 1) {
+                const indentation = line.search(/\S/);
+                // Skip indentation check for definition lines
+                const isDefinitionLine = trimmed.startsWith('def ') || trimmed.startsWith('class ') ||
+                    trimmed.startsWith('if ') || trimmed.startsWith('for ') ||
+                    trimmed.startsWith('while ') || trimmed.startsWith('try:') ||
+                    trimmed.startsWith('except') || trimmed.startsWith('finally');
+                if (!isDefinitionLine && indentation % 4 !== 0) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Incorrect indentation (${indentation} spaces)`,
+                        suggestion: 'Use multiples of 4 spaces for indentation in Python',
+                        severity: 'warning'
+                    });
+                }
+            }
+        });
+        result.syntax.errors = errors;
+        result.syntax.lineErrors = lineErrors;
+        result.syntax.valid = errors.length === 0 && lineErrors.filter(e => e.severity === 'error').length === 0;
+        if (!result.syntax.valid || lineErrors.length > 0) {
+            result.quality.score -= lineErrors.length * 15;
+        }
+    }
+    checkBracketBalance(code, errors, lineErrors) {
+        let parenBalance = 0;
+        let braceBalance = 0;
+        let bracketBalance = 0;
+        let inLineComment = false;
+        let inString = false;
+        let inMultilineString = false;
+        let stringChar = '';
+        let currentLine = 1;
+        // Track opening positions for better error reporting
+        const openBraces = [];
+        for (let i = 0; i < code.length; i++) {
+            const char = code[i];
+            const nextChar = code[i + 1];
+            const nextNextChar = code[i + 2];
+            // Track line numbers
+            if (char === '\n') {
+                currentLine++;
+                inLineComment = false; // End line comment
+            }
+            // Handle line comments
+            if (!inString && !inMultilineString && char === '#') {
+                inLineComment = true;
+                continue;
+            }
+            // Skip if in comment
+            if (inLineComment)
+                continue;
+            // Handle multiline strings (triple quotes)
+            if (!inString && (char === '"' || char === "'")) {
+                if (nextChar === char && nextNextChar === char) {
+                    if (!inMultilineString) {
+                        inMultilineString = true;
+                        stringChar = char;
+                    }
+                    else if (char === stringChar) {
+                        inMultilineString = false;
+                        stringChar = '';
+                    }
+                    i += 2; // Skip next two chars
+                    continue;
+                }
+            }
+            // Handle single line strings
+            if (!inMultilineString && (char === '"' || char === "'")) {
+                if (!inString) {
+                    inString = true;
+                    stringChar = char;
+                }
+                else if (char === stringChar && code[i - 1] !== '\\') {
+                    inString = false;
+                    stringChar = '';
+                }
+                continue;
+            }
+            // Only count brackets outside comments and strings
+            if (!inLineComment && !inString && !inMultilineString) {
+                if (char === '(') {
+                    parenBalance++;
+                    openBraces.push({ line: currentLine, char: '(' });
+                }
+                else if (char === ')') {
+                    parenBalance--;
+                    // Find matching opening parenthesis
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '(') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+                else if (char === '{') {
+                    braceBalance++;
+                    openBraces.push({ line: currentLine, char: '{' });
+                }
+                else if (char === '}') {
+                    braceBalance--;
+                    // Find matching opening brace
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '{') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+                else if (char === '[') {
+                    bracketBalance++;
+                    openBraces.push({ line: currentLine, char: '[' });
+                }
+                else if (char === ']') {
+                    bracketBalance--;
+                    // Find matching opening bracket
+                    for (let j = openBraces.length - 1; j >= 0; j--) {
+                        if (openBraces[j].char === '[') {
+                            openBraces.splice(j, 1);
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        // Create line-specific errors for unmatched brackets
+        openBraces.forEach(brace => {
+            const closingChar = brace.char === '{' ? '}' : brace.char === '(' ? ')' : ']';
+            const typeName = brace.char === '{' ? 'brace' : brace.char === '(' ? 'parenthesis' : 'bracket';
+            lineErrors.push({
+                line: brace.line,
+                error: `${typeName.charAt(0).toUpperCase() + typeName.slice(1)} "${brace.char}" was not closed`,
+                suggestion: `Add "${closingChar}" to close the ${typeName} opened on line ${brace.line}`,
+                severity: 'error'
+            });
+        });
+        // DON'T add general balance errors - the code above already adds specific line errors
+        // with proper line numbers, enabling Auto-Fix functionality
+    }
+    analyzeQuality(code, result) {
+        const issues = [];
+        // Check for snake_case variable names
+        const camelCaseVars = code.match(/\b[a-z]+[A-Z][a-zA-Z]*\s*=/g);
+        if (camelCaseVars) {
+            issues.push({
+                type: 'warning',
+                message: 'Use snake_case for variable names in Python',
+                severity: 'medium'
+            });
+            result.quality.score -= 5;
+        }
+        // Check for unused imports
+        const imports = code.match(/import\s+(\w+)/g);
+        if (imports) {
+            imports.forEach(imp => {
+                const moduleName = imp.split(' ')[1];
+                if (!code.includes(moduleName + '.') && !code.includes(moduleName + '(')) {
+                    issues.push({
+                        type: 'warning',
+                        message: `Import '${moduleName}' is unused`,
+                        severity: 'low'
+                    });
+                    result.quality.score -= 3;
+                }
+            });
+        }
+        // Check for lines that are too long (PEP 8)
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            if (line.length > 79) {
+                issues.push({
+                    type: 'info',
+                    message: `Line ${index + 1} exceeds 79 characters (PEP 8)`,
+                    line: index + 1,
+                    severity: 'low'
+                });
+                result.quality.score -= 1;
+            }
+        });
+        // Check for multiple statements on one line
+        const multipleStatements = code.match(/;[^#\n]*\w/g);
+        if (multipleStatements) {
+            issues.push({
+                type: 'warning',
+                message: 'Avoid multiple statements on one line (PEP 8)',
+                severity: 'medium'
+            });
+            result.quality.score -= 5;
+        }
+        result.quality.issues = issues;
+        result.quality.score = Math.max(0, result.quality.score);
+    }
+    analyzePerformance(code, result) {
+        const suggestions = [];
+        // Check for loops with range(len())
+        if (code.includes('range(len(')) {
+            suggestions.push('Use enumerate() instead of range(len())');
+            result.performance.score -= 8;
+        }
+        // Check for string concatenation in loops
+        if (code.match(/for.*:[\s\S]*?\+\s*=.*str/)) {
+            suggestions.push('Use join() instead of concatenation in loops');
+            result.performance.score -= 12;
+        }
+        // Check for append usage in loops to create lists
+        if (code.match(/for.*:[\s\S]*?\.append\(/)) {
+            suggestions.push('Consider using list comprehension for better performance');
+            result.performance.score -= 5;
+        }
+        // Check for global usage
+        if (code.includes('global ')) {
+            suggestions.push('Avoid excessive use of global variables');
+            result.performance.score -= 8;
+        }
+        result.performance.suggestions = suggestions;
+        result.performance.score = Math.max(0, result.performance.score);
+    }
+    createSecurityVulnerability(vulnerabilityType, message, suggestion, lineNumber, attackDescription, exploitExample, realWorldImpact, remediationBefore, remediationAfter, remediationExplanation) {
+        const scoring = (0, severity_scoring_1.calculateSeverityScore)(vulnerabilityType);
+        const compliance = (0, compliance_mapping_1.getComplianceMapping)(vulnerabilityType);
+        return {
+            severity: scoring.severity,
+            message,
+            suggestion,
+            line: lineNumber,
+            cvssScore: scoring.cvssScore,
+            exploitLikelihood: scoring.exploitLikelihood,
+            impact: scoring.impact,
+            owasp: compliance.owasp,
+            cwe: compliance.cwe,
+            pciDss: compliance.pciDss,
+            attackVector: {
+                description: attackDescription,
+                exploitExample,
+                realWorldImpact
+            },
+            remediation: {
+                before: remediationBefore,
+                after: remediationAfter,
+                explanation: remediationExplanation
+            }
+        };
+    }
+    analyzeSecurity(code, result) {
+        const vulnerabilities = [];
+        const lines = code.split('\n');
+        // PHASE 6 ENHANCEMENT (2025-11-21): Data flow analysis for SQL injection
+        // Track variables assigned with unsafe SQL string formatting
+        const unsafeSqlVariables = new Map(); // variable name -> line number
+        // PHASE 6 FIX (2025-11-22): Data flow analysis for Markup() XSS
+        // Track variables assigned from user input (request.args, request.form, etc.)
+        const userInputVariables = new Map(); // variable name -> line number
+        // Async/await context tracking
+        let inAsyncContext = false;
+        let asyncFunctionIndent = 0;
+        // =============================================================================
+        // ASYNC/AWAIT CHECKS (Using Modular Security Checks)
+        // =============================================================================
+        // Helper functions extracted to: ./security-checks/python-async-security.ts
+        // This improves maintainability and follows the same pattern as JavaScript analyzer
+        // First pass: Identify unsafe SQL query construction and user input variables
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Skip comments and empty lines
+            if (!trimmed || trimmed.startsWith('#'))
+                return;
+            // Track user input variables: variable = request.args.get(...) or similar
+            // Patterns:
+            // - request.args.get('key'), request.form.get('field')
+            // - request.json(), request.get_json()
+            // - request.args['key'], request.form['field']
+            const userInputMatch = trimmed.match(/^(\w+)\s*=\s*request\.(args|form|data|json|values|params|get_json|cookies)(?:\.get\([^)]*\)|\[[^\]]+\]|\(\))?/);
+            if (userInputMatch) {
+                const variableName = userInputMatch[1];
+                userInputVariables.set(variableName, lineNumber);
+            }
+            // Detect SQL string formatting: variable = "SQL..." with formatting
+            // Patterns: %, .format(), f-strings, string concatenation with +
+            const hasSqlKeywords = /\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|UNION)\b/i.test(trimmed);
+            const hasStringFormatting = trimmed.includes('%') || // % formatting
+                trimmed.includes('.format(') || // .format() method
+                /f["']/.test(trimmed) || // f-strings
+                /["'][^"']*\+/.test(trimmed); // string concatenation with +
+            // Check for variable assignment: variable_name = "SQL query"
+            const assignmentMatch = trimmed.match(/^(\w+)\s*=\s*["'f]/);
+            if (assignmentMatch && hasSqlKeywords && hasStringFormatting) {
+                const variableName = assignmentMatch[1];
+                unsafeSqlVariables.set(variableName, lineNumber);
+            }
+        });
+        // =============================================================================
+        // MODULAR SECURITY CHECKS (Refactored 2025-12-01)
+        // =============================================================================
+        // Checks #1-31: Extracted to dedicated modules for better maintainability
+        // 2,547 lines →  8 focused modules (~200-300 lines each)
+        // Injection Attacks (Checks #1-6): eval, exec, compile, SQL injection, command injection
+        vulnerabilities.push(...(0, injection_attacks_1.checkInjectionAttacks)(lines, unsafeSqlVariables));
+        // Credentials & Crypto (Checks #7-8): Hardcoded credentials, weak crypto, random module
+        vulnerabilities.push(...(0, credentials_crypto_1.checkCredentialsAndCrypto)(lines));
+        // Deserialization (Checks #9-10): pickle.load(), yaml.load() without SafeLoader
+        vulnerabilities.push(...(0, deserialization_1.checkDeserialization)(lines));
+        // Web Security (Checks #11-12): Path traversal, XSS
+        vulnerabilities.push(...(0, web_security_1.checkWebSecurity)(lines, userInputVariables));
+        // Code Quality (Checks #13-21): assert, input(), ReDoS, tempfile.mktemp, imports
+        vulnerabilities.push(...(0, code_quality_1.checkCodeQuality)(lines));
+        // Django Framework (Checks #22-27): CSRF, DEBUG, mark_safe, ORM, login_required, SECRET_KEY
+        vulnerabilities.push(...(0, django_security_1.checkDjangoSecurity)(lines, unsafeSqlVariables));
+        // Flask Framework (Checks #28-31): Debug mode, CSRF, SSTI, Markup, SECRET_KEY
+        vulnerabilities.push(...(0, flask_security_1.checkFlaskSecurity)(lines, userInputVariables));
+        // OWASP A02:2025 - Security Misconfiguration (NEW - Phase 7B) 
+        // Security Misconfiguration (Checks #32-39): Django/Flask debug, AWS credentials, database config
+        vulnerabilities.push(...(0, security_misconfiguration_1.checkSecurityMisconfiguration)(lines));
+        // OWASP A10:2025 - Mishandling of Exceptional Conditions (NEW - Phase 7B)
+        // Exception Handling (Checks #40-44): Bare except, exposed details, silent suppression, resource cleanup
+        vulnerabilities.push(...(0, exception_handling_1.checkExceptionHandling)(lines));
+        // OWASP A03:2025 - Software Supply Chain Failures (Enhanced - Phase 7B)
+        // Enhanced Supply Chain (Checks #45-49): Dynamic imports, runtime installation, typosquatting, untrusted sources
+        vulnerabilities.push(...(0, enhanced_supply_chain_1.checkEnhancedSupplyChain)(lines));
+        // OWASP A01:2025 - Broken Access Control (NEW - Phase 7B Day 3)
+        // Access Control (Checks #50-51): Missing authentication decorators, IDOR
+        vulnerabilities.push(...(0, access_control_1.checkAccessControl)(lines));
+        // OWASP A04:2025 - Cryptographic Failures (NEW - Phase 7B Day 3)
+        // Crypto Failures (Checks #52-53): Weak algorithms (MD5/SHA1/DES), insecure random
+        vulnerabilities.push(...(0, crypto_failures_1.checkCryptoFailures)(lines));
+        // OWASP A06:2025 - Insecure Design (NEW - Phase 7B Day 4)
+        // Insecure Design (Checks #54-55): Missing rate limiting, mass assignment
+        vulnerabilities.push(...(0, insecure_design_1.checkInsecureDesign)(lines));
+        // OWASP A09:2025 - Logging Failures (NEW - Phase 7B Day 4)
+        // Logging Failures (Checks #56-57): Missing security logging, sensitive data logging
+        vulnerabilities.push(...(0, logging_failures_1.checkLoggingFailures)(lines));
+        // OWASP A08:2025 - Software and Data Integrity Failures (NEW - Phase 7B Day 5)
+        // Data Integrity (Check #58): Insecure deserialization (pickle)
+        vulnerabilities.push(...(0, data_integrity_1.checkDataIntegrity)(lines));
+        // OWASP A03:2021 - Injection (NoSQL) - Phase 0 Priority 0 (CRITICAL)
+        // NoSQL Injection (Checks #35-39): MongoDB, Cassandra, Redis, $where JavaScript injection
+        vulnerabilities.push(...(0, nosql_injection_1.checkNoSQLInjection)(lines, userInputVariables));
+        // OWASP A10:2021 - Server-Side Request Forgery - Phase 0 Priority 0 (CRITICAL)
+        // SSRF (Checks #40-44): requests, urllib, httplib, URL validation, internal IPs
+        vulnerabilities.push(...(0, ssrf_detection_1.checkSSRF)(lines, userInputVariables));
+        // OWASP A07:2021 - Identification and Authentication Failures - Phase 0 Priority 0 (CRITICAL)
+        // Authentication Logic Flaws (Checks #45-48): Plaintext passwords, weak tokens, master password backdoors, fail-open authorization
+        vulnerabilities.push(...(0, authentication_flaws_1.checkAuthenticationFlaws)(lines));
+        // =============================================================================
+        // ASYNC/AWAIT CHECKS (Modular - Using PythonAsyncSecurity helpers)
+        // =============================================================================
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Skip comments and empty lines
+            if (!trimmed || trimmed.startsWith('#')) {
+                return;
+            }
+            // =============================================================================
+            // NOTE: Legacy inline checks #1-31 were REMOVED on Dec 7, 2025
+            // All security checks are now handled by modular functions (lines 848-878)
+            // This eliminated 1107 lines of duplicate code
+            // =============================================================================
+            // =============================================================================
+            // ASYNC/AWAIT CHECKS (Using Modular Helpers)
+            // =============================================================================
+            // Track async function context
+            if (PythonAsyncSecurity.isAsyncFunctionStart(line)) {
+                inAsyncContext = true;
+                // CRITICAL FIX: Track indent of FUNCTION BODY (not the def line)
+                // Function body is typically +4 spaces from def line
+                asyncFunctionIndent = (line.length - line.trimStart().length) + 4;
+            }
+            // Check for async/await issues
+            const missingAwaitVuln = PythonAsyncSecurity.detectMissingAwait(line, lineNumber, inAsyncContext, this.createSecurityVulnerability.bind(this));
+            if (missingAwaitVuln) {
+                vulnerabilities.push(missingAwaitVuln);
+            }
+            const asyncioRunVuln = PythonAsyncSecurity.detectAsyncioRunMisuse(line, lineNumber, inAsyncContext, this.createSecurityVulnerability.bind(this));
+            if (asyncioRunVuln) {
+                vulnerabilities.push(asyncioRunVuln);
+            }
+            // End async context when dedenting back to module level
+            if (inAsyncContext && PythonAsyncSecurity.isAsyncFunctionEnd(line, asyncFunctionIndent)) {
+                inAsyncContext = false;
+            }
+            // =============================================================================
+            // END ASYNC/AWAIT CHECKS
+            // =============================================================================
+        });
+        // Secrets Detection (Phase 1.5, Week 1)
+        const secretsAnalyzer = (0, secrets_analyzer_1.createSecretsAnalyzer)();
+        vulnerabilities.push(...secretsAnalyzer.analyzeCode(code, 'unknown.py', 'python'));
+        // =============================================================================
+        // DEDUPLICATION: Remove duplicate vulnerabilities on same line
+        // =============================================================================
+        // Fix for Beta Testing Issue: Line 48 reported twice (hardcoded credentials)
+        // Multiple checks can flag the same line (e.g., credentials-crypto.ts + security-misconfiguration.ts)
+        // Solution: Keep only the vulnerability with highest CVSS score per line
+        result.security.vulnerabilities = this.deduplicateVulnerabilities(vulnerabilities);
+    }
+    /**
+     * Deduplicate vulnerabilities by line number
+     * When multiple checks flag the same line, keep only the one with highest CVSS score
+     *
+     * Common duplicates:
+     * - Hardcoded credentials detected by both credentials-crypto.ts and security-misconfiguration.ts
+     * - Flask debug mode detected by both flask-security.ts and security-misconfiguration.ts
+     * - Random module detected by credentials-crypto.ts, crypto-failures.ts, and authentication-flaws.ts
+     * - Pickle detected by deserialization.ts and data-integrity.ts
+     * - MD5 detected by crypto-failures.ts and credentials-crypto.ts
+     */
+    deduplicateVulnerabilities(vulnerabilities) {
+        // Define groups of related vulnerability types that should be deduplicated
+        // When multiple vulnerabilities from the same group appear on the same line, keep only the highest CVSS
+        const similarityGroups = [
+            // Weak random/crypto randomness (all detect random.random(), random.randint(), etc.)
+            ['weak-random', 'insecure-random', 'insecure-random-number-generator', 'weak-token-generation'],
+            // Pickle deserialization (both detect pickle.load/loads)
+            ['unsafe-pickle', 'insecure-pickle', 'pickle-deserialization', 'insecure-deserialization'],
+            // Weak hashing (MD5, SHA1)
+            ['weak-crypto', 'weak-crypto-algorithm', 'weak-hash-md5', 'weak-hash-sha1', 'md5-sha1-password-hashing', 'weak-cryptographic-hash'],
+            // Hardcoded credentials
+            ['hardcoded-credentials', 'flask-weak-secret-key', 'django-weak-secret-key'],
+            // Debug mode
+            ['flask-debug-mode', 'django-debug-mode'],
+        ];
+        const lineMap = new Map();
+        // Group vulnerabilities by line number
+        vulnerabilities.forEach(vuln => {
+            if (!vuln.line)
+                return;
+            const existing = lineMap.get(vuln.line) || [];
+            existing.push(vuln);
+            lineMap.set(vuln.line, existing);
+        });
+        const deduplicated = [];
+        // For each line, check if there are duplicates
+        lineMap.forEach((vulns, line) => {
+            if (vulns.length === 1) {
+                // No duplicates, keep as-is
+                deduplicated.push(vulns[0]);
+                return;
+            }
+            // Multiple vulnerabilities on same line - group by similarity
+            const processed = new Set();
+            vulns.forEach(vuln => {
+                if (processed.has(vuln))
+                    return;
+                const category = vuln.category || vuln.message || 'unknown';
+                // Find which similarity group this vulnerability belongs to
+                const similarityGroup = similarityGroups.find(group => group.some(cat => category.toLowerCase().includes(cat.toLowerCase())));
+                if (similarityGroup) {
+                    // Find all vulnerabilities in this line that belong to the same similarity group
+                    const relatedVulns = vulns.filter(v => {
+                        const vCat = v.category || v.message || 'unknown';
+                        return similarityGroup.some(cat => vCat.toLowerCase().includes(cat.toLowerCase()));
+                    });
+                    if (relatedVulns.length > 1) {
+                        // Multiple related vulnerabilities - keep only the highest CVSS
+                        const highest = relatedVulns.reduce((prev, current) => (current.cvssScore || 0) > (prev.cvssScore || 0) ? current : prev);
+                        deduplicated.push(highest);
+                        relatedVulns.forEach(v => processed.add(v));
+                    }
+                    else {
+                        // Only one vulnerability in this group
+                        deduplicated.push(vuln);
+                        processed.add(vuln);
+                    }
+                }
+                else {
+                    // Not in any similarity group - keep as unique vulnerability
+                    deduplicated.push(vuln);
+                    processed.add(vuln);
+                }
+            });
+            return; // Skip the old message-based deduplication logic below
+            // OLD LOGIC (now skipped by return above):
+            // Group by similarity
+            const credentialVulns = vulns.filter(v => v.message?.toLowerCase().includes('credential') ||
+                v.message?.toLowerCase().includes('password') ||
+                v.message?.toLowerCase().includes('secret') ||
+                v.message?.toLowerCase().includes('api') && v.message?.toLowerCase().includes('key'));
+            const debugVulns = vulns.filter(v => v.message?.toLowerCase().includes('debug') ||
+                v.message?.toLowerCase().includes('flask') && v.message?.toLowerCase().includes('debug'));
+            // Deduplicate credential-related vulnerabilities (keep highest CVSS)
+            if (credentialVulns.length > 1) {
+                const highest = credentialVulns.reduce((prev, current) => (current.cvssScore || 0) > (prev.cvssScore || 0) ? current : prev);
+                deduplicated.push(highest);
+                // Add any non-credential vulnerabilities from this line
+                vulns.forEach(v => {
+                    if (!credentialVulns.includes(v)) {
+                        deduplicated.push(v);
+                    }
+                });
+            }
+            // Deduplicate debug-related vulnerabilities (keep highest CVSS)
+            else if (debugVulns.length > 1) {
+                const highest = debugVulns.reduce((prev, current) => (current.cvssScore || 0) > (prev.cvssScore || 0) ? current : prev);
+                deduplicated.push(highest);
+                // Add any non-debug vulnerabilities from this line
+                vulns.forEach(v => {
+                    if (!debugVulns.includes(v)) {
+                        deduplicated.push(v);
+                    }
+                });
+            }
+            // No similar duplicates, keep all
+            else {
+                deduplicated.push(...vulns);
+            }
+        });
+        return deduplicated;
+    }
+    calculateMetrics(code, result) {
+        const lines = code.split('\n');
+        result.metrics.lines = lines.length;
+        const functions = (code.match(/def\s+\w+/g) || []).length;
+        result.metrics.functions = functions;
+        // Calcular complexidade ciclomática - Python
+        let complexity = 1;
+        const pythonKeywords = ['if', 'elif', 'for', 'while', 'except', 'and', 'or'];
+        pythonKeywords.forEach(keyword => {
+            const matches = code.match(new RegExp(`\\b${keyword}\\b`, 'g'));
+            if (matches)
+                complexity += matches.length;
+        });
+        result.metrics.complexity = complexity;
+        result.metrics.maintainability = Math.max(0, 100 - complexity * 3);
+    }
+    /**
+     * Check for missing imports - detects usage of common modules without imports
+     */
+    checkMissingImports(code, lineErrors) {
+        const lines = code.split('\n');
+        const imports = new Set();
+        const usages = new Map();
+        // Common Python modules/functions that require imports
+        const requiresImport = {
+            'defaultdict': 'from collections import defaultdict',
+            'Counter': 'from collections import Counter',
+            'OrderedDict': 'from collections import OrderedDict',
+            'datetime': 'from datetime import datetime',
+            'timedelta': 'from datetime import timedelta',
+            'json': 'import json',
+            'os': 'import os',
+            're': 'import re',
+            'sys': 'import sys',
+            'math': 'import math',
+            'random': 'import random',
+            'pandas': 'import pandas as pd',
+            'numpy': 'import numpy as np'
+        };
+        // First pass: collect all imports
+        lines.forEach((line) => {
+            const trimmed = line.trim();
+            if (trimmed.startsWith('import ') || trimmed.startsWith('from ')) {
+                // Extract module names from imports
+                Object.keys(requiresImport).forEach(moduleName => {
+                    if (trimmed.includes(moduleName)) {
+                        imports.add(moduleName);
+                    }
+                });
+            }
+        });
+        // Second pass: find usages
+        lines.forEach((line, index) => {
+            const trimmed = line.trim();
+            if (trimmed.startsWith('#') || trimmed.startsWith('import ') || trimmed.startsWith('from ')) {
+                return;
+            }
+            Object.keys(requiresImport).forEach(moduleName => {
+                // Check for usage (function call, class instantiation, or attribute access)
+                const usagePattern = new RegExp(`\\b${moduleName}\\s*[\\(\\.]`);
+                if (usagePattern.test(line) && !imports.has(moduleName)) {
+                    if (!usages.has(moduleName)) {
+                        usages.set(moduleName, []);
+                    }
+                    usages.get(moduleName)?.push(index + 1);
+                }
+            });
+        });
+        // Report missing imports
+        usages.forEach((lineNumbers, moduleName) => {
+            if (!imports.has(moduleName)) {
+                lineErrors.push({
+                    line: lineNumbers[0],
+                    error: `'${moduleName}' used without import`,
+                    suggestion: `Add: ${requiresImport[moduleName]}`,
+                    severity: 'error'
+                });
+            }
+        });
+    }
+    /**
+     * Check for unbalanced parentheses in function/method calls
+     */
+    checkUnbalancedParentheses(code, lineErrors) {
+        const lines = code.split('\n');
+        let parenBalance = 0;
+        const unclosedLines = [];
+        let inString = false;
+        let stringChar = '';
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Skip comments and empty lines
+            if (!trimmed || trimmed.startsWith('#'))
+                return;
+            let lineOpenCount = 0;
+            let lineCloseCount = 0;
+            // Simple string detection (not perfect but catches most cases)
+            for (let i = 0; i < line.length; i++) {
+                const char = line[i];
+                // Toggle string state
+                if ((char === '"' || char === "'") && (i === 0 || line[i - 1] !== '\\')) {
+                    if (!inString) {
+                        inString = true;
+                        stringChar = char;
+                    }
+                    else if (char === stringChar) {
+                        inString = false;
+                        stringChar = '';
+                    }
+                }
+                // Count parentheses outside of strings
+                if (!inString) {
+                    if (char === '(') {
+                        lineOpenCount++;
+                        parenBalance++;
+                    }
+                    else if (char === ')') {
+                        lineCloseCount++;
+                        parenBalance--;
+                    }
+                }
+            }
+            // Track lines that open parentheses without closing them
+            if (lineOpenCount > lineCloseCount) {
+                unclosedLines.push(lineNumber);
+            }
+        });
+        // Report unclosed parentheses
+        if (parenBalance > 0 && unclosedLines.length > 0) {
+            // Report the last line that opened parentheses
+            const lastUnclosedLine = unclosedLines[unclosedLines.length - 1];
+            lineErrors.push({
+                line: lastUnclosedLine,
+                error: `Unclosed parenthesis (${parenBalance} open parenthesis/parentheses)`,
+                suggestion: 'Add ) to close the open parenthesis/parentheses',
+                severity: 'error'
+            });
+        }
+        else if (parenBalance < 0) {
+            lineErrors.push({
+                line: lines.length,
+                error: `Extra closing parenthesis (${Math.abs(parenBalance)} too many)`,
+                suggestion: 'Remove extra ) or add opening (',
+                severity: 'error'
+            });
+        }
+    }
+    /**
+     * Detect AI Hallucinations - Common method name errors
+     * Similar to JavaScript analyzer but for Python-specific methods
+     */
+    detectAIHallucinations(code, lineErrors) {
+        const lines = code.split('\n');
+        // Python AI hallucination patterns
+        const hallucinationMap = new Map([
+            // String method hallucinations
+            ['toUpper', { description: 'Non-existent method in Python', correct: '.upper()' }],
+            ['toLower', { description: 'Non-existent method in Python', correct: '.lower()' }],
+            ['toUpperCase', { description: 'Non-existent method (JavaScript influence)', correct: '.upper()' }],
+            ['toLowerCase', { description: 'Non-existent method (JavaScript influence)', correct: '.lower()' }],
+            ['substring', { description: 'Non-existent method (use slicing)', correct: '[start:end]' }],
+            ['charAt', { description: 'Non-existent method (use indexing)', correct: '[index]' }],
+            ['indexOf', { description: 'Non-existent method', correct: '.find() or .index()' }],
+            // List method hallucinations
+            ['push', { description: 'Non-existent method (JavaScript influence)', correct: '.append()' }],
+            ['pop_front', { description: 'Non-existent method', correct: '.pop(0)' }],
+            ['add', { description: 'Use .append() for lists', correct: '.append()' }],
+            ['remove_at', { description: 'Non-existent method', correct: '.pop(index) or del list[index]' }],
+            ['size', { description: 'Non-existent method', correct: 'len()' }],
+            ['length', { description: 'Non-existent property', correct: 'len()' }],
+            // Dict method hallucinations
+            ['hasKey', { description: 'Non-existent method', correct: 'key in dict' }],
+            ['contains', { description: 'Non-existent method', correct: 'in operator' }],
+            ['containsKey', { description: 'Non-existent method', correct: 'key in dict' }],
+        ]);
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (line.trim().startsWith('#'))
+                return;
+            // CRITICAL FIX: Remove comments before pattern matching to prevent false positives
+            // Example: list.append(x)  # ERROR: Don't use .push() here
+            //                                              ^^^^^ This would trigger false positive!
+            const lineWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(line, 'python');
+            // Detect method hallucinations with pattern: .method(
+            const methodMatches = lineWithoutComments.matchAll(/\.(\w+)\s*\(/g);
+            for (const match of methodMatches) {
+                const method = match[1];
+                const details = hallucinationMap.get(method);
+                if (details) {
+                    let references = references_1.pythonStandards['ai-hallucination'] || [];
+                    // Add specific references based on method type
+                    if (method.includes('Upper') || method.includes('Lower')) {
+                        references = [
+                            {
+                                title: 'Python String Methods',
+                                url: 'https://docs.python.org/3/library/stdtypes.html#string-methods',
+                                description: 'String case conversion: use .upper() and .lower()'
+                            },
+                            {
+                                title: 'Python str.upper()',
+                                url: 'https://docs.python.org/3/library/stdtypes.html#str.upper',
+                                description: 'Convert string to uppercase'
+                            }
+                        ];
+                    }
+                    else if (method === 'push' || method === 'add') {
+                        references = [
+                            {
+                                title: 'Python List Methods',
+                                url: 'https://docs.python.org/3/tutorial/datastructures.html#more-on-lists',
+                                description: 'Use .append() to add elements to a list'
+                            },
+                            {
+                                title: 'Python list.append()',
+                                url: 'https://docs.python.org/3/tutorial/datastructures.html',
+                                description: 'Add an item to the end of the list'
+                            }
+                        ];
+                    }
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: ` AI Hallucination: ${details.description}`,
+                        suggestion: `Replace with: ${details.correct}`,
+                        severity: 'error',
+                        references
+                    });
+                }
+            }
+        });
+    }
+    /**
+     * Detect indentation errors (IndentationError, TabError)
+     */
+    detectIndentationErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        let hasTabs = false;
+        let hasSpaces = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (!line.trim() || line.trim().startsWith('#'))
+                return;
+            // Check for tab/space mixing
+            if (line.startsWith('\t'))
+                hasTabs = true;
+            if (line.startsWith(' '))
+                hasSpaces = true;
+            // Detect TabError - mixing tabs and spaces
+            if (hasTabs && hasSpaces) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'TabError: Inconsistent use of tabs and spaces',
+                    suggestion: 'Use only spaces (4 spaces per indentation level - PEP 8)',
+                    severity: 'error',
+                    references: references_1.pythonStandards['indentation'] || []
+                });
+            }
+        });
+    }
+    /**
+     * Detect TypeError patterns
+     */
+    detectTypeErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (line.trim().startsWith('#'))
+                return;
+            // Detect string concatenation with non-strings
+            if (line.match(/["'].*["']\s*\+\s*\d+/) || line.match(/\d+\s*\+\s*["'].*["']/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Potential TypeError: String concatenation with number',
+                    suggestion: 'Use str() to convert number to string or use f-string: f"{number}"',
+                    severity: 'warning',
+                    references: references_1.pythonStandards['type-errors'] || []
+                });
+            }
+            // Detect calling non-callable objects
+            if (line.match(/\b(str|int|list|dict)\s*=\s*/) && line.match(/\(\)/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Potential TypeError: Attempting to call non-callable object',
+                    suggestion: 'Don\'t override built-in types (str, int, list, dict)',
+                    severity: 'error',
+                    references: references_1.pythonStandards['type-errors'] || []
+                });
+            }
+        });
+    }
+    /**
+     * Detect NameError - undefined variables
+     */
+    detectNameErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        const definedVars = new Set();
+        const imports = new Set();
+        const conditionalVars = new Map();
+        // Helper to get indentation level
+        const getIndent = (line) => {
+            const match = line.match(/^(\s*)/);
+            return match ? match[1].length : 0;
+        };
+        // Track function-level base indentation
+        let functionBaseIndent = 0;
+        let inFunction = false;
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            if (trimmed.startsWith('#'))
+                return;
+            const indent = getIndent(line);
+            // Track function definitions
+            const funcMatch = trimmed.match(/^def\s+(\w+)/);
+            if (funcMatch) {
+                definedVars.add(funcMatch[1]);
+                functionBaseIndent = indent;
+                inFunction = true;
+                return;
+            }
+            // Track imports
+            if (trimmed.startsWith('import ') || trimmed.startsWith('from ')) {
+                const importMatch = trimmed.match(/(?:import|from)\s+(\w+)/);
+                if (importMatch)
+                    imports.add(importMatch[1]);
+                return;
+            }
+            // Track variable assignments
+            const assignMatch = trimmed.match(/^(\w+)\s*=/);
+            if (assignMatch && inFunction) {
+                const varName = assignMatch[1];
+                // Check if this assignment is inside a conditional block (higher indentation than function base)
+                if (indent > functionBaseIndent + 4) {
+                    // Variable assigned inside conditional block (if/for/while/try)
+                    conditionalVars.set(varName, { line: lineNumber, indent });
+                }
+                else {
+                    // Variable assigned at function level (safe)
+                    definedVars.add(varName);
+                    conditionalVars.delete(varName); // Remove from conditional tracking
+                }
+            }
+            // Check for variable usage (return statements, expressions)
+            if (trimmed.startsWith('return ') && inFunction) {
+                // Match variable name in return statement (handle various patterns)
+                const returnMatch = trimmed.match(/^return\s+(\w+)/);
+                if (returnMatch) {
+                    const varName = returnMatch[1];
+                    // Check if variable is only defined conditionally
+                    if (conditionalVars.has(varName) && !definedVars.has(varName) && !imports.has(varName)) {
+                        const defInfo = conditionalVars.get(varName);
+                        // Flag if return is at lower indentation than where var was defined (outside the conditional block)
+                        // Example: var defined at indent 8 (inside if), return at indent 4 (outside if)
+                        if (indent < defInfo.indent) {
+                            lineErrors.push({
+                                line: lineNumber,
+                                error: `NameError: '${varName}' might not be defined`,
+                                suggestion: `Variable '${varName}' was assigned inside a conditional block (line ${defInfo.line}) but used outside it. Initialize '${varName}' before the block or ensure it's always defined.`,
+                                severity: 'error',
+                                references: references_1.pythonStandards['name-errors'] || []
+                            });
+                        }
+                    }
+                }
+            }
+            // Check for common undefined variable patterns
+            const commonUndefined = ['undefined', 'NULL', 'nil', 'null'];
+            commonUndefined.forEach(undef => {
+                if (line.includes(undef) && !line.includes('#') && !line.includes('"') && !line.includes("'")) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `NameError: '${undef}' does not exist in Python`,
+                        suggestion: undef === 'undefined' || undef === 'null' ? 'Use None in Python' : 'Use None',
+                        severity: 'error',
+                        references: references_1.pythonStandards['name-errors'] || []
+                    });
+                }
+            });
+        });
+    }
+    /**
+     * Detect AttributeError - accessing non-existent attributes
+     */
+    detectAttributeErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (line.trim().startsWith('#'))
+                return;
+            // Detect common attribute errors with string methods
+            const stringAttrErrors = [
+                { pattern: /\.toUpperCase\(\)/, correct: '.upper()', wrong: 'toUpperCase' },
+                { pattern: /\.toLowerCase\(\)/, correct: '.lower()', wrong: 'toLowerCase' },
+                { pattern: /\.trim\(\)/, correct: '.strip()', wrong: 'trim' },
+                { pattern: /\.substring\(/, correct: '[start:end]', wrong: 'substring' },
+            ];
+            stringAttrErrors.forEach(({ pattern, correct, wrong }) => {
+                if (pattern.test(line)) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `AttributeError: Strings don't have method '${wrong}'`,
+                        suggestion: `Use ${correct}`,
+                        severity: 'error',
+                        references: references_1.pythonStandards['attribute-errors'] || []
+                    });
+                }
+            });
+            // Detect common list attribute errors
+            if (line.match(/\.push\(/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'AttributeError: Lists don\'t have method push',
+                    suggestion: 'Use .append() to add elements',
+                    severity: 'error',
+                    references: references_1.pythonStandards['attribute-errors'] || []
+                });
+            }
+        });
+    }
+    /**
+     * Detect IndexError - list index out of range
+     */
+    detectIndexErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (line.trim().startsWith('#'))
+                return;
+            // Detect potential IndexError: accessing list[len(list)]
+            if (line.match(/\[\s*len\([^)]+\)\s*\]/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Potential IndexError: index len(list) is out of range',
+                    suggestion: 'Use len(list)-1 for the last element or list[-1]',
+                    severity: 'warning',
+                    references: references_1.pythonStandards['index-errors'] || []
+                });
+            }
+            // Detect hardcoded index access without length check
+            const indexMatch = line.match(/(\w+)\[(\d+)\]/);
+            if (indexMatch) {
+                const [, varName, indexStr] = indexMatch;
+                const indexNum = parseInt(indexStr);
+                if (indexNum > 10) { // Flag suspiciously high indices
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Potential IndexError: index ${indexNum} may be out of range`,
+                        suggestion: `Check if the index is within bounds before accessing ${varName}[${indexNum}]`,
+                        severity: 'info',
+                        references: references_1.pythonStandards['index-errors'] || []
+                    });
+                }
+            }
+        });
+    }
+    /**
+     * Detect KeyError - dictionary key access without checking
+     */
+    detectKeyErrors(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (line.trim().startsWith('#'))
+                return;
+            // Detect dict[key] access pattern (potentially unsafe)
+            const dictAccessMatch = line.match(/(\w+)\[['"](\w+)['"]\]/);
+            if (dictAccessMatch && !line.includes('.get(')) {
+                const [, dictName, key] = dictAccessMatch;
+                // Check if there's a prior 'if key in dict' check
+                const checkExists = lines.slice(Math.max(0, index - 3), index).some(prevLine => prevLine.includes(`${key}`) && prevLine.includes('in') && prevLine.includes(dictName));
+                if (!checkExists) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Potential KeyError: key '${key}' may not exist in ${dictName}`,
+                        suggestion: `Use ${dictName}.get('${key}', default) or check with 'if '${key}' in ${dictName}'`,
+                        severity: 'warning',
+                        references: references_1.pythonStandards['key-errors'] || []
+                    });
+                }
+            }
+        });
+    }
+    /**
+     * Detect mutable default arguments
+     */
+    detectMutableDefaults(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            if (!line.trim().startsWith('def '))
+                return;
+            // Detect mutable default arguments: def func(arg=[]) or def func(arg={})
+            if (line.match(/def\s+\w+\s*\([^)]*=\s*[\[{]/)) {
+                lineErrors.push({
+                    line: lineNumber,
+                    error: 'Mutable default argument detected (list or dictionary)',
+                    suggestion: 'Use None as default and initialize inside function: if arg is None: arg = []',
+                    severity: 'warning',
+                    references: references_1.pythonStandards['mutable-defaults'] || []
+                });
+            }
+        });
+    }
+    /**
+     * Detect loop modification - modifying list/dict while iterating
+     */
+    detectLoopModification(code, lineErrors) {
+        const lines = code.split('\n');
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            // Check if we're in a for loop
+            const forMatch = trimmed.match(/for\s+\w+\s+in\s+(\w+)/);
+            if (forMatch) {
+                const iterVar = forMatch[1];
+                // Check next few lines for modifications to the iterated variable
+                const nextLines = lines.slice(index + 1, Math.min(index + 5, lines.length));
+                nextLines.forEach((nextLine) => {
+                    // Detect append, remove, pop, del on the same variable
+                    if (nextLine.includes(`${iterVar}.append`) ||
+                        nextLine.includes(`${iterVar}.remove`) ||
+                        nextLine.includes(`${iterVar}.pop`) ||
+                        nextLine.includes(`del ${iterVar}`)) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Modification of '${iterVar}' during iteration`,
+                            suggestion: `Create a copy of the list before iterating: for item in ${iterVar}.copy():`,
+                            severity: 'error',
+                            references: references_1.pythonStandards['loop-modification'] || []
+                        });
+                    }
+                });
+            }
+        });
+    }
+    /**
+     * Detect scope issues - global/nonlocal misuse
+     */
+    detectScopeIssues(code, lineErrors) {
+        const lines = code.split('\n');
+        const globalVars = new Set();
+        lines.forEach((line, index) => {
+            const lineNumber = index + 1;
+            const trimmed = line.trim();
+            if (trimmed.startsWith('#'))
+                return;
+            // Track global declarations
+            const globalMatch = trimmed.match(/global\s+(\w+)/);
+            if (globalMatch) {
+                const varName = globalMatch[1];
+                // Warn about excessive global usage
+                if (globalVars.has(varName)) {
+                    lineErrors.push({
+                        line: lineNumber,
+                        error: `Excessive use of 'global ${varName}'`,
+                        suggestion: 'Consider using classes or passing variables as parameters',
+                        severity: 'warning',
+                        references: references_1.pythonStandards['scope-issues'] || []
+                    });
+                }
+                globalVars.add(varName);
+            }
+            // Detect assignment to variable that might need global/nonlocal
+            const funcMatch = lines.slice(Math.max(0, index - 10), index).some(l => l.trim().startsWith('def '));
+            if (funcMatch) {
+                const assignMatch = trimmed.match(/^(\w+)\s*=/);
+                if (assignMatch && globalVars.has(assignMatch[1])) {
+                    // Check if global declaration exists
+                    const hasGlobal = lines.slice(Math.max(0, index - 5), index).some(l => l.includes(`global ${assignMatch[1]}`));
+                    if (!hasGlobal) {
+                        lineErrors.push({
+                            line: lineNumber,
+                            error: `Possible scope error: assignment to '${assignMatch[1]}' without 'global'`,
+                            suggestion: `Add 'global ${assignMatch[1]}' or use function parameter`,
+                            severity: 'info',
+                            references: references_1.pythonStandards['scope-issues'] || []
+                        });
+                    }
+                }
+            }
+        });
+    }
+}
+exports.PythonAnalyzer = PythonAnalyzer;
+//# sourceMappingURL=python-analyzer.js.map