swynx-lite 1.0.0

package/src/shared/scanner/scan-dead-code.mjs

@@ -0,0 +1,316 @@
+// src/scanner/scan-dead-code.mjs
+// Standalone dead code scanning function — the unified entry point for dead code analysis.
+// Replaces both scanner-legacy/index.mjs and the inline scanDeadCodeOnly() in scan-repo-worker.mjs.
+
+import { availableParallelism } from 'os';
+import { Worker } from 'worker_threads';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { readFileSync } from 'fs';
+import { discoverFiles, categoriseFiles } from './discovery.mjs';
+import { parseJavaScript } from './parsers/javascript.mjs';
+import { parseFile } from './parsers/registry.mjs';
+import { analyseImports } from './analysers/imports.mjs';
+import { findDeadCode } from './analysers/deadcode.mjs';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const WORKER_PATH = join(__dirname, 'parse-worker.mjs');
+const DEFAULT_WORKER_COUNT = parseInt(process.env.SWYNX_WORKERS || '0') || Math.min(availableParallelism(), 8);
+
+const CHUNK_THRESHOLD = 10000;  // B3: chunk parsing when file count exceeds this
+const CHUNK_SIZE = 5000;        // B3: files per parse chunk
+
+function parallelParse(files, parserType) {
+  const maxWorkers = DEFAULT_WORKER_COUNT;
+  const workerCount = Math.min(maxWorkers, Math.ceil(files.length / 50));
+  if (workerCount <= 1 || files.length < 100) return null;
+
+  return new Promise((resolve) => {
+    const chunkSize = Math.ceil(files.length / workerCount);
+    let completed = 0;
+    const allResults = [];
+    let activeWorkers = 0;
+
+    for (let i = 0; i < workerCount; i++) {
+      const chunk = files.slice(i * chunkSize, (i + 1) * chunkSize);
+      if (chunk.length === 0) continue;
+      activeWorkers++;
+
+      const worker = new Worker(WORKER_PATH, {
+        workerData: { files: chunk, parserType }
+      });
+
+      worker.on('message', (msg) => {
+        if (msg.type === 'batch') {
+          // B1: Handle batch messages from worker (intermediate results)
+          allResults.push(...msg.results);
+        } else if (msg.type === 'done') {
+          allResults.push(...msg.results);
+          completed++;
+          if (completed === activeWorkers) resolve(allResults);
+        } else if (msg.type === 'error') {
+          completed++;
+          if (completed === activeWorkers) resolve(allResults);
+        }
+      });
+
+      worker.on('error', () => {
+        completed++;
+        if (completed === activeWorkers) resolve(allResults);
+      });
+    }
+  });
+}
+
+/**
+ * B3: Chunked parse pipeline — processes files in chunks to cap peak memory.
+ * Each chunk goes through parallelParse, results accumulated (without content),
+ * then next chunk starts. Previous chunk's worker memory is freed.
+ */
+async function chunkedParse(files, parserType, onProgress) {
+  const allResults = [];
+  const totalChunks = Math.ceil(files.length / CHUNK_SIZE);
+
+  for (let c = 0; c < totalChunks; c++) {
+    const start = c * CHUNK_SIZE;
+    const chunk = files.slice(start, start + CHUNK_SIZE);
+    onProgress({ phase: 'parse', message: `Parsing chunk ${c + 1}/${totalChunks} (${chunk.length} files)...` });
+
+    const chunkResults = parallelParse(chunk, parserType);
+    if (chunkResults) {
+      allResults.push(...await chunkResults);
+    } else {
+      // Fallback to sequential for small chunks
+      const parseFn = parserType === 'javascript' ? parseJavaScript : parseFile;
+      for (const file of chunk) {
+        try {
+          const result = await parseFn(file);
+          if (result) {
+            // Strip content like workers do (B2)
+            result.content = null;
+            allResults.push(result);
+          }
+        } catch { /* skip */ }
+      }
+    }
+  }
+  return allResults;
+}
+
+/**
+ * Detect language from file extension (for legacy-compatible summary)
+ */
+function detectLanguage(filePath) {
+  if (/\.[mc]?[jt]sx?$/.test(filePath)) return 'javascript';
+  if (/\.py$/.test(filePath)) return 'python';
+  if (/\.go$/.test(filePath)) return 'go';
+  if (/\.(java|kt)$/.test(filePath)) return 'java';
+  if (/\.php$/.test(filePath)) return 'php';
+  if (/\.rb$/.test(filePath)) return 'ruby';
+  if (/\.rs$/.test(filePath)) return 'rust';
+  if (/\.cs$/.test(filePath)) return 'csharp';
+  if (/\.dart$/.test(filePath)) return 'dart';
+  if (/\.swift$/.test(filePath)) return 'swift';
+  if (/\.scala$/.test(filePath)) return 'scala';
+  if (/\.ex$|\.exs$/.test(filePath)) return 'elixir';
+  return 'other';
+}
+
+const DEFAULT_EXCLUDE = [
+  '**/node_modules/**', '**/bower_components/**', '**/.git/**', '**/dist/**', '**/build/**',
+  '**/.swynx-quarantine/**', '**/coverage/**', '**/*.min.js', '**/*.min.css',
+  '**/logs/**', '**/log/**', '**/*.log',
+  '**/tmp/**', '**/temp/**', '**/.cache/**', '**/cache/**',
+  '**/__pycache__/**', '**/*.pyc', '**/*.pyo',
+  '**/.pytest_cache/**', '**/.mypy_cache/**',
+  '**/*.sql', '**/*.sqlite', '**/*.sqlite3', '**/*.db',
+  '**/tests/baselines/**', '**/test/baselines/**',
+  '**/__snapshots__/**', '**/snapshots/**',
+  '**/test-fixtures/**', '**/test_fixtures/**', '**/__fixtures__/**',
+  '**/fixtures/**', '**/fixture/**',
+  '**/testdata/**', '**/test-data/**',
+  '**/vendor/**',
+  '**/__mockdata__/**', '**/__mock__/**', '**/__for-testing__/**',
+  '**/pkg-tests-fixtures/**', '**/pkg-tests-specs/**',
+  '**/type-tests/**', '**/type-test/**',
+  // Test fixture / baseline directories (huge in compiler repos)
+  '**/TestData/**', '**/testData/**',
+  '**/test-cases/**', '**/test_cases/**',
+  '**/conformance/**',
+  '**/testcases/**',
+  // Compiler test input directories
+  '**/cases/**/*.ts',
+  '**/test/cases/**',
+  // IDE/editor test fixtures
+  '**/test-fixture/**',
+  // C# intermediate / compiled output
+  '**/obj/**',
+  '**/bin/Debug/**', '**/bin/Release/**',
+  // C# scaffolding baselines (test-generated output)
+  '**/Scaffolding/Baselines/**',
+  // Rust compiler test inputs (standalone files compiled by test harness, not source code)
+  '**/tests/ui/**', '**/tests/derive_ui/**', '**/tests/compile-fail/**',
+  '**/tests/run-pass/**', '**/tests/run-fail/**', '**/tests/ui-fulldeps/**',
+  '**/tests/pretty/**', '**/tests/mir-opt/**', '**/tests/assembly/**',
+  '**/tests/codegen/**', '**/tests/debuginfo/**', '**/tests/incremental/**',
+  '**/tests/codegen-llvm/**', '**/tests/rustdoc-html/**', '**/tests/crashes/**',
+  '**/tests/assembly-llvm/**', '**/tests/rustdoc-ui/**', '**/tests/rustdoc-js/**',
+  '**/tests/rustdoc-json/**', '**/tests/codegen-units/**', '**/tests/coverage-run-rustdoc/**',
+  // Cypress/E2E system test fixture projects (standalone apps used as test targets)
+  '**/system-tests/projects/**', '**/system-tests/project-fixtures/**',
+  // RustPython test snippet inputs
+  '**/extra_tests/snippets/**',
+  // Python stdlib copies (RustPython, cpython)
+  '**/Lib/encodings/**',
+  // Python vendored third-party code
+  '**/_vendor/**', '**/_distutils/**',
+  // Compiled/bundled static assets (Phoenix/Elixir)
+  '**/static/assets/**',
+  // Generated protobuf/gRPC output directories
+  '**/gen/proto/**',
+];
+
+/**
+ * Standalone dead code scan.
+ *
+ * @param {string} projectPath - Absolute path to the project root
+ * @param {Object} [options]
+ * @param {string[]} [options.exclude] - Glob patterns to exclude
+ * @param {number}  [options.workers] - Max parallel parse workers
+ * @param {Function} [options.onProgress] - Progress callback ({ phase, message })
+ * @returns {Promise<Object>} Result with both legacy-compatible and full-scanner fields
+ */
+export async function scanDeadCode(projectPath, options = {}) {
+  const { exclude = DEFAULT_EXCLUDE, onProgress = () => {} } = options;
+  const t0 = Date.now();
+
+  // Phase 1: Discover files
+  onProgress({ phase: 'discovery', message: 'Discovering files...' });
+  const files = await discoverFiles(projectPath, { exclude });
+  const categorised = categoriseFiles(files);
+  const totalFiles = files.length;
+  onProgress({ phase: 'discovery', message: `${totalFiles} files discovered` });
+
+  // Phase 2: Parse JS/TS — use chunked pipeline for large repos
+  onProgress({ phase: 'parse', message: `Parsing ${categorised.javascript.length} JS/TS files...` });
+  const jsFiles = categorised.javascript;
+  let jsAnalysis;
+  if (jsFiles.length > CHUNK_THRESHOLD) {
+    // B3: Chunked parse for truly massive repos
+    jsAnalysis = await chunkedParse(jsFiles, 'javascript', onProgress);
+  } else {
+    const jsParallel = parallelParse(jsFiles, 'javascript');
+    if (jsParallel) {
+      jsAnalysis = await jsParallel;
+    } else {
+      jsAnalysis = [];
+      for (const file of jsFiles) {
+        jsAnalysis.push(await parseJavaScript(file));
+      }
+    }
+  }
+  onProgress({ phase: 'parse', message: `Parsed ${jsAnalysis.length} JS/TS files` });
+
+  // Phase 3: Parse other languages
+  const otherLangFiles = [
+    ...categorised.python || [],
+    ...categorised.java || [],
+    ...categorised.kotlin || [],
+    ...categorised.csharp || [],
+    ...categorised.go || [],
+    ...categorised.rust || []
+  ];
+  const otherLangAnalysis = [];
+  if (otherLangFiles.length > 0) {
+    onProgress({ phase: 'parse', message: `Parsing ${otherLangFiles.length} other-language files...` });
+    if (otherLangFiles.length > CHUNK_THRESHOLD) {
+      // B3: Chunked parse for large non-JS repos
+      otherLangAnalysis.push(...await chunkedParse(otherLangFiles, 'other', onProgress));
+    } else {
+      const otherParallel = parallelParse(otherLangFiles, 'other');
+      if (otherParallel) {
+        otherLangAnalysis.push(...await otherParallel);
+      } else {
+        for (const file of otherLangFiles) {
+          try {
+            const parsed = await parseFile(file);
+            if (parsed) otherLangAnalysis.push(parsed);
+          } catch { /* skip */ }
+        }
+      }
+    }
+    onProgress({ phase: 'parse', message: `Parsed ${otherLangAnalysis.length} other-language files` });
+  }
+
+  // Phase 4: Build import graph
+  onProgress({ phase: 'graph', message: 'Building import graph...' });
+  const importGraph = await analyseImports(jsAnalysis);
+
+  // Phase 5: Find dead code
+  onProgress({ phase: 'detection', message: 'Detecting dead code...' });
+  let packageJson = {};
+  try {
+    packageJson = JSON.parse(readFileSync(join(projectPath, 'package.json'), 'utf-8'));
+  } catch { /* no package.json */ }
+
+  const allCodeAnalysis = [...jsAnalysis, ...otherLangAnalysis];
+  const deadCode = await findDeadCode(allCodeAnalysis, importGraph, projectPath, packageJson, {});
+
+  const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
+  onProgress({ phase: 'done', message: `Done in ${elapsed}s` });
+
+  // Build legacy-compatible deadFiles array from fullyDeadFiles + partiallyDeadFiles
+  const deadFiles = [
+    ...(deadCode.fullyDeadFiles || []),
+    ...(deadCode.partiallyDeadFiles || [])
+  ].map(f => ({
+    file: f.file,
+    size: f.sizeBytes || f.size || 0,
+    lines: f.lineCount || f.lines || 0,
+    language: f.language || detectLanguage(f.file),
+    exports: (f.exports || []).map(e => typeof e === 'string' ? { name: e, type: 'unknown' } : e)
+  }));
+
+  // Sort by size descending
+  deadFiles.sort((a, b) => b.size - a.size);
+
+  // Build language counts from all discovered files
+  const languages = {};
+  for (const file of files) {
+    const rel = typeof file === 'string' ? file : file.relativePath || file;
+    const lang = detectLanguage(rel);
+    if (lang !== 'other') {
+      languages[lang] = (languages[lang] || 0) + 1;
+    }
+  }
+
+  const deadCount = deadFiles.length;
+  const deadRate = totalFiles > 0 ? ((deadCount / totalFiles) * 100).toFixed(2) : '0.00';
+  const totalDeadBytes = deadFiles.reduce((sum, f) => sum + f.size, 0);
+
+  return {
+    // Legacy-compatible fields (used by toReporterShape in cli.mjs and scan-all-repos.mjs)
+    deadFiles,
+    entryPoints: deadCode.entryPoints || [],
+    summary: {
+      totalFiles,
+      entryPoints: (deadCode.entryPoints || []).length,
+      reachableFiles: totalFiles - deadCount - (deadCode.entryPoints || []).length,
+      deadFiles: deadCount,
+      deadRate: `${deadRate}%`,
+      totalDeadBytes,
+      languages
+    },
+
+    // Full scanner fields (richer detail)
+    fullyDeadFiles: deadCode.fullyDeadFiles || [],
+    partiallyDeadFiles: deadCode.partiallyDeadFiles || [],
+    skippedDynamic: deadCode.skippedDynamic || [],
+    excludedGenerated: deadCode.excludedGenerated || [],
+
+    // Metadata
+    elapsed,
+    totalFiles
+  };
+}

package/src/shared/security/patterns.mjs

@@ -0,0 +1,349 @@
+// src/security/patterns.mjs
+// CWE pattern definitions for security analysis across all code
+
+/**
+ * CWE patterns for detecting dangerous code patterns.
+ * Each pattern has: id, cwe, cweName, severity, pattern (RegExp), description, risk, languages (empty = all)
+ */
+export const CWE_PATTERNS = [
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-78: OS Command Injection
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-78-exec',
+    cwe: 'CWE-78',
+    cweName: 'OS Command Injection',
+    severity: 'CRITICAL',
+    pattern: /child_process\.(exec|execSync)\s*\(/,
+    description: 'child_process.exec() with potential command injection',
+    risk: 'Dead code with command execution could be revived without security review',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-78-spawn-shell',
+    cwe: 'CWE-78',
+    cweName: 'OS Command Injection',
+    severity: 'CRITICAL',
+    pattern: /child_process\.spawn\s*\([^)]*shell\s*:\s*true/,
+    description: 'child_process.spawn() with shell: true',
+    risk: 'Shell mode spawn in dead code enables injection if revived',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-78-os-system',
+    cwe: 'CWE-78',
+    cweName: 'OS Command Injection',
+    severity: 'CRITICAL',
+    pattern: /os\.system\s*\(|subprocess\.(Popen|call|run)\s*\(/,
+    description: 'Python OS command execution',
+    risk: 'Dead code with system calls could be revived without security review',
+    languages: ['py']
+  },
+  {
+    id: 'CWE-78-go-exec',
+    cwe: 'CWE-78',
+    cweName: 'OS Command Injection',
+    severity: 'CRITICAL',
+    pattern: /exec\.Command\s*\(/,
+    description: 'Go exec.Command() call',
+    risk: 'Dead code with command execution could be revived without security review',
+    languages: ['go']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-94: Code Injection
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-94-eval',
+    cwe: 'CWE-94',
+    cweName: 'Code Injection',
+    severity: 'CRITICAL',
+    pattern: /\beval\s*\(/,
+    description: 'eval() with dynamic code execution',
+    risk: 'Dead eval() could be exploited if code is revived or imported',
+    languages: ['js', 'ts', 'py']
+  },
+  {
+    id: 'CWE-94-new-function',
+    cwe: 'CWE-94',
+    cweName: 'Code Injection',
+    severity: 'CRITICAL',
+    pattern: /new\s+Function\s*\(/,
+    description: 'new Function() constructor for dynamic code',
+    risk: 'Dynamic function creation in dead code increases attack surface',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-94-vm-run',
+    cwe: 'CWE-94',
+    cweName: 'Code Injection',
+    severity: 'CRITICAL',
+    pattern: /vm\.(runInNewContext|runInThisContext|runInContext|compileFunction)\s*\(/,
+    description: 'Node.js vm module execution',
+    risk: 'VM context execution in dead code is a sandbox escape risk',
+    languages: ['js', 'ts']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-798: Hardcoded Credentials
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-798-password',
+    cwe: 'CWE-798',
+    cweName: 'Hardcoded Credentials',
+    severity: 'CRITICAL',
+    pattern: /(password|passwd|secret|api_key|apikey|api_secret)\s*[:=]\s*["'][^"']{4,}/i,
+    description: 'Hardcoded password or secret',
+    risk: 'Credentials in dead code are often forgotten and exposed in version control',
+    languages: []
+  },
+  {
+    id: 'CWE-798-aws-key',
+    cwe: 'CWE-798',
+    cweName: 'Hardcoded Credentials',
+    severity: 'CRITICAL',
+    pattern: /AKIA[0-9A-Z]{16}/,
+    description: 'AWS Access Key ID',
+    risk: 'AWS credentials in dead code may still be active',
+    languages: []
+  },
+  {
+    id: 'CWE-798-private-key',
+    cwe: 'CWE-798',
+    cweName: 'Hardcoded Credentials',
+    severity: 'CRITICAL',
+    pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/,
+    description: 'Embedded private key',
+    risk: 'Private keys in dead code are often overlooked during rotation',
+    languages: []
+  },
+  {
+    id: 'CWE-798-openai-key',
+    cwe: 'CWE-798',
+    cweName: 'Hardcoded Credentials',
+    severity: 'HIGH',
+    pattern: /sk-[a-zA-Z0-9]{20,}/,
+    description: 'Potential API key (sk-... pattern)',
+    risk: 'API keys in dead code may remain active and billable',
+    languages: []
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-22: Path Traversal
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-22-path-join-params',
+    cwe: 'CWE-22',
+    cweName: 'Path Traversal',
+    severity: 'HIGH',
+    pattern: /path\.join\s*\([^)]*req\.(params|query|body)/,
+    description: 'path.join with user input from request',
+    risk: 'Path traversal in dead code could be revived as a file access vulnerability',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-22-readfile-params',
+    cwe: 'CWE-22',
+    cweName: 'Path Traversal',
+    severity: 'HIGH',
+    pattern: /(readFile|readFileSync|createReadStream)\s*\([^)]*req\.(params|query|body)/,
+    description: 'File read with user-controlled path',
+    risk: 'Unvalidated file read in dead code is a path traversal risk if revived',
+    languages: ['js', 'ts']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-502: Unsafe Deserialization
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-502-pickle',
+    cwe: 'CWE-502',
+    cweName: 'Unsafe Deserialization',
+    severity: 'HIGH',
+    pattern: /pickle\.(load|loads)\s*\(/,
+    description: 'Python pickle deserialization',
+    risk: 'pickle.load() in dead code can execute arbitrary code if revived',
+    languages: ['py']
+  },
+  {
+    id: 'CWE-502-yaml-load',
+    cwe: 'CWE-502',
+    cweName: 'Unsafe Deserialization',
+    severity: 'HIGH',
+    pattern: /yaml\.load\s*\([^)]*(?!Loader\s*=\s*yaml\.SafeLoader)/,
+    description: 'yaml.load() without SafeLoader',
+    risk: 'Unsafe YAML loading in dead code can execute arbitrary code',
+    languages: ['py']
+  },
+  {
+    id: 'CWE-502-unserialize',
+    cwe: 'CWE-502',
+    cweName: 'Unsafe Deserialization',
+    severity: 'HIGH',
+    pattern: /\bunserialize\s*\(/,
+    description: 'PHP unserialize() call',
+    risk: 'Unsafe deserialization in dead code enables object injection if revived',
+    languages: ['php']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-79: Cross-Site Scripting (XSS)
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-79-innerhtml',
+    cwe: 'CWE-79',
+    cweName: 'Cross-Site Scripting',
+    severity: 'HIGH',
+    pattern: /\.innerHTML\s*=/,
+    description: 'Direct innerHTML assignment',
+    risk: 'innerHTML in dead code could introduce XSS if component is re-enabled',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-79-dangerously',
+    cwe: 'CWE-79',
+    cweName: 'Cross-Site Scripting',
+    severity: 'HIGH',
+    pattern: /dangerouslySetInnerHTML/,
+    description: 'React dangerouslySetInnerHTML',
+    risk: 'Dangerous React prop in dead component could introduce XSS if revived',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-79-document-write',
+    cwe: 'CWE-79',
+    cweName: 'Cross-Site Scripting',
+    severity: 'HIGH',
+    pattern: /document\.write\s*\(/,
+    description: 'document.write() call',
+    risk: 'document.write in dead code bypasses CSP if revived',
+    languages: ['js', 'ts']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-327: Broken Cryptography
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-327-md5',
+    cwe: 'CWE-327',
+    cweName: 'Broken Cryptography',
+    severity: 'MEDIUM',
+    pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/,
+    description: 'MD5 hash usage',
+    risk: 'Weak hash in dead code may be copied to new code without upgrading',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-327-sha1',
+    cwe: 'CWE-327',
+    cweName: 'Broken Cryptography',
+    severity: 'MEDIUM',
+    pattern: /hashlib\.(md5|sha1)\s*\(/,
+    description: 'Python weak hash algorithm',
+    risk: 'Weak hash in dead code may be copied to new code without upgrading',
+    languages: ['py']
+  },
+  {
+    id: 'CWE-327-des-rc4',
+    cwe: 'CWE-327',
+    cweName: 'Broken Cryptography',
+    severity: 'MEDIUM',
+    pattern: /createCipher(iv)?\s*\(\s*['"](des|rc4|des-ede|des-ede3)['"]/i,
+    description: 'Weak cipher algorithm (DES/RC4)',
+    risk: 'Broken cipher in dead code sets bad precedent if used as reference',
+    languages: ['js', 'ts']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-918: Server-Side Request Forgery (SSRF)
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-918-fetch-params',
+    cwe: 'CWE-918',
+    cweName: 'Server-Side Request Forgery',
+    severity: 'HIGH',
+    pattern: /fetch\s*\(\s*req\.(params|query|body)/,
+    description: 'fetch() with user-controlled URL',
+    risk: 'SSRF in dead code could be revived to access internal services',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-918-requests-dynamic',
+    cwe: 'CWE-918',
+    cweName: 'Server-Side Request Forgery',
+    severity: 'MEDIUM',
+    pattern: /requests\.(get|post|put|delete)\s*\(\s*f?["']/,
+    description: 'Python requests with potentially dynamic URL',
+    risk: 'Outbound requests in dead code may target internal services if revived',
+    languages: ['py']
+  },
+
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CWE-200: Information Exposure
+  // ═══════════════════════════════════════════════════════════════════════════
+  {
+    id: 'CWE-200-console-sensitive',
+    cwe: 'CWE-200',
+    cweName: 'Information Exposure',
+    severity: 'LOW',
+    pattern: /console\.(log|debug|info)\s*\([^)]*\b(password|secret|token|key|credential)/i,
+    description: 'Logging potentially sensitive data',
+    risk: 'Sensitive data logging in dead code may leak if code is re-enabled',
+    languages: ['js', 'ts']
+  },
+  {
+    id: 'CWE-200-stack-trace',
+    cwe: 'CWE-200',
+    cweName: 'Information Exposure',
+    severity: 'LOW',
+    pattern: /res\.(send|json)\s*\(\s*(err|error)\.(stack|message)/,
+    description: 'Stack trace exposure in response',
+    risk: 'Error detail exposure in dead endpoint leaks info if route is re-enabled',
+    languages: ['js', 'ts']
+  }
+];
+
+/**
+ * Extension to language mapping
+ */
+const EXT_TO_LANG = {
+  '.js': 'js',
+  '.mjs': 'js',
+  '.cjs': 'js',
+  '.jsx': 'js',
+  '.ts': 'ts',
+  '.tsx': 'ts',
+  '.mts': 'ts',
+  '.cts': 'ts',
+  '.py': 'py',
+  '.go': 'go',
+  '.php': 'php',
+  '.rb': 'rb',
+  '.java': 'java',
+  '.kt': 'kt',
+  '.kts': 'kt',
+  '.cs': 'cs',
+  '.rs': 'rs',
+  '.c': 'c',
+  '.cpp': 'cpp',
+  '.h': 'c',
+  '.hpp': 'cpp'
+};
+
+/**
+ * Get CWE patterns applicable to a file extension.
+ * Returns all language-agnostic patterns plus language-specific ones.
+ */
+export function getPatternsForLanguage(ext) {
+  const lang = EXT_TO_LANG[ext];
+
+  return CWE_PATTERNS.filter(p => {
+    // Language-agnostic patterns apply to all files
+    if (p.languages.length === 0) return true;
+    // No mapping for this extension — only return language-agnostic
+    if (!lang) return false;
+    // JS and TS share patterns
+    if ((lang === 'js' || lang === 'ts') && (p.languages.includes('js') || p.languages.includes('ts'))) return true;
+    return p.languages.includes(lang);
+  });
+}