tova 0.7.0 → 0.9.4

package/src/analyzer/analyzer.js

@@ -98,6 +98,11 @@ function levenshtein(a, b) {
 const _TOVA_RUNTIME = new Set([
   'Ok', 'Err', 'Some', 'None', 'Result', 'Option',
   'db', 'server', 'browser', 'client', 'shared',
+  // Router globals (injected by browser-codegen when routing is used)
+  'createRouter', 'navigate', 'getCurrentRoute', 'getParams', 'getPath',
+  'getQuery', 'getMeta', 'defineRoutes', 'onRouteChange',
+  'beforeNavigate', 'afterNavigate', 'getRouter', 'resetRouter',
+  'Router', 'Outlet', 'Link', 'Redirect', 'lazy',
 ]);
 
 // Pre-built static candidate set for Levenshtein suggestions (N1 optimization)
@@ -121,6 +126,7 @@ export class Analyzer {
     this.warnings = [];
     this.tolerant = options.tolerant || false;
     this.strict = options.strict || false;
+    this.strictSecurity = options.strictSecurity || false;
     this.globalScope = new Scope(null, 'module');
     this.currentScope = this.globalScope;
     this._allScopes = []; // Track all scopes for unused variable checking
@@ -173,6 +179,17 @@ export class Analyzer {
       'table_union', 'table_drop_duplicates', 'table_rename',
       // Table aggregation helpers
       'agg_sum', 'agg_count', 'agg_mean', 'agg_median', 'agg_min', 'agg_max',
+      // Table window functions
+      'table_window',
+      'win_row_number', 'win_rank', 'win_dense_rank', 'win_percent_rank', 'win_ntile',
+      'win_lag', 'win_lead', 'win_first_value', 'win_last_value',
+      'win_running_sum', 'win_running_count', 'win_running_avg', 'win_running_min', 'win_running_max',
+      'win_moving_avg',
+      // Window function short names (used inside window() calls, codegen adds win_ prefix)
+      'row_number', 'rank', 'dense_rank', 'percent_rank', 'ntile',
+      'lag', 'lead', 'first_value', 'last_value',
+      'running_sum', 'running_count', 'running_avg', 'running_min', 'running_max',
+      'moving_avg',
       // Data exploration
       'peek', 'describe', 'schema_of',
       // Data cleaning
@@ -184,7 +201,7 @@ export class Analyzer {
       // Table operation aliases (short names)
       'where', 'select', 'derive', 'agg', 'sort_by', 'limit',
       'pivot', 'unpivot', 'explode', 'union', 'drop_duplicates', 'rename',
-      'mean', 'median',
+      'mean', 'median', 'window',
       // Strings (new)
       'index_of', 'last_index_of', 'count_of', 'reverse_str', 'substr',
       'is_empty', 'kebab_case', 'center',
@@ -261,6 +278,7 @@ export class Analyzer {
     if (opts.code) w.code = opts.code;
     if (opts.length) w.length = opts.length;
     if (opts.fix) w.fix = opts.fix;
+    if (opts.category) w.category = opts.category;
     this.warnings.push(w);
   }
 
@@ -338,6 +356,15 @@ export class Analyzer {
       if (plugin.analyzer?.crossBlockValidate) plugin.analyzer.crossBlockValidate(this);
     }
 
+    // --strict-security: promote security warnings to errors
+    if (this.strictSecurity) {
+      const securityWarnings = this.warnings.filter(w => w.category === 'security');
+      this.warnings = this.warnings.filter(w => w.category !== 'security');
+      for (const w of securityWarnings) {
+        this.errors.push(w);
+      }
+    }
+
     // Check for unused variables/imports (#9)
     this._collectAllScopes(this.globalScope);
     this._checkUnusedSymbols();
@@ -353,7 +380,7 @@ export class Analyzer {
       throw err;
     }
 
-    return { warnings: this.warnings, scope: this.globalScope, typeRegistry: this.typeRegistry };
+    return { warnings: this.warnings, errors: this.errors, scope: this.globalScope, typeRegistry: this.typeRegistry };
   }
 
   _checkUnusedSymbols() {
@@ -759,7 +786,11 @@ export class Analyzer {
       case 'GuardStatement': return this.visitGuardStatement(node);
       case 'InterfaceDeclaration': return this.visitInterfaceDeclaration(node);
       case 'RefinementType': return;
-      case 'ComponentStyleBlock': return; // raw CSS — no analysis needed
+      case 'ComponentStyleBlock':
+        this._validateStyleTokens(node.css, node.loc);
+        this._validateResponsiveBreakpoints(node.css, node.loc);
+        this._validateVariantProps(node.css, this._currentComponentProps, node.loc);
+        return;
       case 'ImplDeclaration': return this.visitImplDeclaration(node);
       case 'TraitDeclaration': return this.visitTraitDeclaration(node);
       case 'TypeAlias': return this.visitTypeAlias(node);
@@ -818,6 +849,19 @@ export class Analyzer {
         this.visitExpression(node.collection);
         return;
       case 'CallExpression':
+        // W_DANGEROUS_API: detect setTimeout/setInterval with string args
+        if (node.callee.type === 'Identifier') {
+          const calleeName = node.callee.name;
+          if ((calleeName === 'setTimeout' || calleeName === 'setInterval') &&
+              node.arguments.length > 0 && node.arguments[0].type === 'StringLiteral') {
+            this.warn(
+              `Passing strings to ${calleeName}() executes code dynamically — use a function instead`,
+              node.loc,
+              'Replace the string argument with a function',
+              { code: 'W_DANGEROUS_API', category: 'security' }
+            );
+          }
+        }
         // Validate inter-server RPC calls: peerName.functionName()
         if (this._currentServerBlockName && node.callee.type === 'MemberExpression' &&
             node.callee.object.type === 'Identifier' && !node.callee.computed) {
@@ -832,9 +876,27 @@ export class Analyzer {
             }
           }
         }
+        // Validate named constructor args (before count/type checks)
+        this._checkNamedConstructorArgs(node);
         // Argument count and type validation for known functions
         this._checkCallArgCount(node);
         this._checkCallArgTypes(node);
+        // W_UNSAFE_INTERPOLATION: detect template literals in database calls
+        if (node.callee.type === 'MemberExpression' && !node.callee.computed) {
+          const prop = node.callee.property;
+          const dbMethods = new Set(['query', 'run', 'exec', 'execute', 'prepare']);
+          if (dbMethods.has(prop) && node.arguments.length > 0) {
+            const firstArg = node.arguments[0];
+            if (firstArg.type === 'TemplateLiteral' && firstArg.parts && firstArg.parts.some(p => p.type === 'expr')) {
+              this.warn(
+                'Template literal with expressions in database query — use parameterized queries (?) to prevent SQL injection',
+                node.loc,
+                'Replace interpolated expressions with ? and pass values as parameters',
+                { code: 'W_UNSAFE_INTERPOLATION', category: 'security' }
+              );
+            }
+          }
+        }
         this.visitExpression(node.callee);
         for (const arg of node.arguments) {
           if (arg.type === 'NamedArgument') {
@@ -900,6 +962,19 @@ export class Analyzer {
         }
         this.visitExpression(node.argument);
         return;
+      case 'SpawnExpression':
+        if (!this._concurrentDepth) {
+          this.warn("'spawn' should be used inside a 'concurrent' block", node.loc, null, {
+            code: 'W_SPAWN_OUTSIDE_CONCURRENT',
+          });
+        }
+        if (node.callee) this.visitExpression(node.callee);
+        if (node.arguments) {
+          for (const arg of node.arguments) {
+            this.visitExpression(arg);
+          }
+        }
+        return;
       case 'YieldExpression':
         if (node.argument) this.visitExpression(node.argument);
         return;
@@ -950,6 +1025,210 @@ export class Analyzer {
     }
   }
 
+  visitThemeBlock(node) {
+    const VALID_THEME_SECTIONS = new Set([
+      'colors', 'spacing', 'radius', 'shadow', 'font', 'breakpoints', 'transition'
+    ]);
+
+    // Check for multiple theme blocks
+    if (!this._themeBlockSeen) {
+      this._themeBlockSeen = true;
+    } else {
+      this.warnings.push({
+        message: 'Multiple theme blocks found — only one theme block is allowed per project',
+        loc: node.loc,
+        code: 'W_MULTIPLE_THEME_BLOCKS',
+      });
+    }
+
+    const CATEGORY_MAP = {
+      colors: 'color', spacing: 'spacing', radius: 'radius',
+      shadow: 'shadow', font: 'font', breakpoints: 'breakpoint', transition: 'transition'
+    };
+
+    // Store tokens for $token validation (used in Task 5)
+    if (!this._themeTokens) this._themeTokens = new Map();
+    this._hasThemeBlock = true;
+
+    const sectionNames = new Set();
+    for (const section of node.sections) {
+      if (!VALID_THEME_SECTIONS.has(section.name)) {
+        this.warnings.push({
+          message: `Unknown theme section '${section.name}' — valid sections are: ${[...VALID_THEME_SECTIONS].join(', ')}`,
+          loc: section.loc,
+          code: 'W_UNKNOWN_THEME_SECTION',
+        });
+      }
+
+      if (sectionNames.has(section.name)) {
+        this.warnings.push({
+          message: `Duplicate theme section '${section.name}'`,
+          loc: section.loc,
+          code: 'W_DUPLICATE_THEME_SECTION',
+        });
+      }
+      sectionNames.add(section.name);
+
+      // Store tokens for later $token validation
+      const category = CATEGORY_MAP[section.name] || section.name;
+      if (!this._themeTokens.has(category)) this._themeTokens.set(category, new Set());
+
+      const tokenNames = new Set();
+      for (const token of section.tokens) {
+        if (tokenNames.has(token.name)) {
+          this.warnings.push({
+            message: `Duplicate theme token '${token.name}' in section '${section.name}'`,
+            loc: token.loc,
+            code: 'W_DUPLICATE_THEME_TOKEN',
+          });
+        }
+        tokenNames.add(token.name);
+        this._themeTokens.get(category).add(token.name);
+      }
+    }
+
+    // Validate dark overrides
+    for (const override of node.darkOverrides) {
+      const dotIdx = override.name.indexOf('.');
+      if (dotIdx === -1) continue;
+      const sectionName = override.name.slice(0, dotIdx);
+      if (!sectionNames.has(sectionName)) {
+        this.warnings.push({
+          message: `Dark override '${override.name}' references unknown section '${sectionName}'`,
+          loc: override.loc,
+          code: 'W_DARK_OVERRIDE_UNKNOWN_SECTION',
+        });
+      }
+    }
+  }
+
+  _validateStyleTokens(css, loc) {
+    if (!this._hasThemeBlock) return;
+    const VALID_CATEGORIES = new Set(['color', 'spacing', 'radius', 'shadow', 'font', 'transition', 'breakpoint']);
+    const tokenRegex = /\$(\w+)\.([\w.]+)/g;
+    let m;
+    while ((m = tokenRegex.exec(css)) !== null) {
+      const category = m[1];
+      const name = m[2];
+      if (!VALID_CATEGORIES.has(category)) {
+        this.warnings.push({
+          message: `Unknown theme category '$${category}' — valid categories are: ${[...VALID_CATEGORIES].join(', ')}`,
+          loc,
+          code: 'W_UNKNOWN_THEME_CATEGORY',
+        });
+        continue;
+      }
+      const tokenSet = this._themeTokens ? this._themeTokens.get(category) : null;
+      if (!tokenSet || !tokenSet.has(name)) {
+        const available = tokenSet ? [...tokenSet] : [];
+        let suggestion = '';
+        if (available.length > 0) {
+          const closest = this._findClosestThemeMatch(name, available);
+          if (closest) suggestion = ` — did you mean '$${category}.${closest}'?`;
+        }
+        this.warnings.push({
+          message: `Unknown theme token '$${category}.${name}'${suggestion}`,
+          loc,
+          code: 'W_UNKNOWN_THEME_TOKEN',
+        });
+      }
+    }
+  }
+
+  _validateResponsiveBreakpoints(css, loc) {
+    // Find responsive { ... } in raw CSS
+    const responsiveMatch = css.match(/responsive\s*\{/);
+    if (!responsiveMatch) return;
+
+    // Get available breakpoints
+    let availableBreakpoints;
+    if (this._hasThemeBlock && this._themeTokens && this._themeTokens.has('breakpoint')) {
+      availableBreakpoints = this._themeTokens.get('breakpoint');
+    } else if (this._hasThemeBlock) {
+      // Theme exists but no breakpoints section — no defaults
+      availableBreakpoints = new Set();
+    } else {
+      // No theme block — use defaults, skip validation
+      return;
+    }
+
+    // Extract breakpoint names from responsive block
+    const startIdx = responsiveMatch.index + responsiveMatch[0].length;
+    let depth = 1;
+    let i = startIdx;
+    while (i < css.length && depth > 0) {
+      if (css[i] === '{') depth++;
+      else if (css[i] === '}') depth--;
+      i++;
+    }
+    const content = css.slice(startIdx, i - 1);
+
+    // Parse top-level identifiers (breakpoint names) before { at depth 0
+    const bpNames = [];
+    let pos = 0;
+    let bpDepth = 0;
+    while (pos < content.length) {
+      if (content[pos] === '{') {
+        bpDepth++;
+        pos++;
+      } else if (content[pos] === '}') {
+        bpDepth--;
+        pos++;
+      } else if (bpDepth === 0 && /[a-zA-Z_]/.test(content[pos])) {
+        let name = '';
+        while (pos < content.length && /\w/.test(content[pos])) {
+          name += content[pos];
+          pos++;
+        }
+        bpNames.push(name);
+      } else {
+        pos++;
+      }
+    }
+
+    for (const name of bpNames) {
+      if (!availableBreakpoints.has(name)) {
+        this.warnings.push({
+          message: `Unknown breakpoint '${name}' in responsive block — available breakpoints: ${[...availableBreakpoints].join(', ')}`,
+          loc,
+          code: 'W_UNKNOWN_BREAKPOINT',
+        });
+      }
+    }
+  }
+
+  _validateVariantProps(css, componentProps, loc) {
+    if (!componentProps || componentProps.length === 0) return;
+    const variantRegex = /variant\(([^)]+)\)/g;
+    let m;
+    while ((m = variantRegex.exec(css)) !== null) {
+      const rawProps = m[1];
+      // Split by + for compound variants
+      const propNames = rawProps.split('+').map(s => s.trim());
+      for (const propName of propNames) {
+        if (!propName) continue;
+        if (!componentProps.includes(propName)) {
+          this.warn(
+            `variant() references unknown prop '${propName}'. Component has props: [${componentProps.join(', ')}]`,
+            loc,
+            null,
+            { code: 'W_VARIANT_UNKNOWN_PROP' }
+          );
+        }
+      }
+    }
+  }
+
+  _findClosestThemeMatch(input, candidates) {
+    let best = null;
+    let bestDist = Infinity;
+    for (const c of candidates) {
+      const d = levenshtein(input, c);
+      if (d < bestDist && d <= 3) { bestDist = d; best = c; }
+    }
+    return best;
+  }
+
   visitSecurityBlock(node) {
     // Per-block: only check for duplicate role names within this block
     const localRoles = new Set();
@@ -960,6 +1239,7 @@ export class Analyzer {
             message: `Duplicate role definition: '${stmt.name}'`,
             loc: stmt.loc,
             code: 'W_DUPLICATE_ROLE',
+            category: 'security',
           });
         }
         localRoles.add(stmt.name);
@@ -1019,6 +1299,123 @@ export class Analyzer {
     }
   }
 
+  visitConcurrentBlock(node) {
+    // Validate mode
+    const validModes = new Set(['all', 'cancel_on_error', 'first', 'timeout']);
+    if (!validModes.has(node.mode)) {
+      this.warn(`Unknown concurrent block mode '${node.mode}'`, node.loc, null, {
+        code: 'W_UNKNOWN_CONCURRENT_MODE',
+      });
+    }
+
+    // Validate timeout
+    if (node.mode === 'timeout' && !node.timeout) {
+      this.warn("concurrent timeout mode requires a timeout value", node.loc, null, {
+        code: 'W_MISSING_TIMEOUT',
+      });
+    }
+
+    // Warn on empty block
+    if (node.body.length === 0) {
+      this.warn("Empty concurrent block", node.loc, null, {
+        code: 'W_EMPTY_CONCURRENT',
+      });
+    }
+
+    // Track concurrent depth for spawn validation
+    this._concurrentDepth = (this._concurrentDepth || 0) + 1;
+
+    // Visit body statements (concurrent block does NOT create a new scope —
+    // variables assigned inside should be visible after the block)
+    for (const stmt of node.body) {
+      this.visitNode(stmt);
+    }
+
+    // Check spawned functions for WASM compatibility — warn if mixed WASM/non-WASM
+    let hasWasm = false;
+    let hasNonWasm = false;
+    for (const stmt of node.body) {
+      const spawn = (stmt.type === 'Assignment' && stmt.values && stmt.values[0] && stmt.values[0].type === 'SpawnExpression')
+        ? stmt.values[0]
+        : (stmt.type === 'ExpressionStatement' && stmt.expression && stmt.expression.type === 'SpawnExpression')
+          ? stmt.expression
+          : null;
+      if (!spawn) continue;
+      const calleeName = spawn.callee && spawn.callee.type === 'Identifier' ? spawn.callee.name : null;
+      if (calleeName) {
+        const sym = this.currentScope.lookup(calleeName);
+        if (sym && sym.isWasm) {
+          hasWasm = true;
+        } else {
+          hasNonWasm = true;
+        }
+      } else {
+        // Lambda or complex expression — always non-WASM
+        hasNonWasm = true;
+      }
+    }
+    if (hasWasm && hasNonWasm) {
+      this.warn(
+        "concurrent block mixes @wasm and non-WASM tasks — non-WASM tasks will fall back to async JS execution",
+        node.loc, null, { code: 'W_SPAWN_WASM_FALLBACK' }
+      );
+    }
+
+    this._concurrentDepth--;
+  }
+
+  visitSelectStatement(node) {
+    if (node.cases.length === 0) {
+      this.warn("Empty select block", node.loc, null, {
+        code: 'W_EMPTY_SELECT',
+      });
+    }
+
+    let defaultCount = 0;
+    let timeoutCount = 0;
+    for (const c of node.cases) {
+      if (c.kind === 'default') defaultCount++;
+      if (c.kind === 'timeout') timeoutCount++;
+    }
+
+    if (defaultCount > 1) {
+      this.warn("select block has multiple default cases", node.loc, null, {
+        code: 'W_DUPLICATE_SELECT_DEFAULT',
+      });
+    }
+    if (timeoutCount > 1) {
+      this.warn("select block has multiple timeout cases", node.loc, null, {
+        code: 'W_DUPLICATE_SELECT_TIMEOUT',
+      });
+    }
+    if (defaultCount > 0 && timeoutCount > 0) {
+      this.warn("select block has both default and timeout — default makes timeout unreachable", node.loc, null, {
+        code: 'W_SELECT_DEFAULT_TIMEOUT',
+      });
+    }
+
+    // Visit each case's expressions and body
+    for (const c of node.cases) {
+      if (c.channel) this.visitNode(c.channel);
+      if (c.value) this.visitNode(c.value);
+
+      if (c.kind === 'receive' && c.binding) {
+        // Create scope for the binding variable
+        this.pushScope('select-case');
+        this.currentScope.define(c.binding,
+          new Symbol(c.binding, 'variable', null, false, c.loc));
+        for (const stmt of c.body) {
+          this.visitNode(stmt);
+        }
+        this.popScope();
+      } else {
+        for (const stmt of c.body) {
+          this.visitNode(stmt);
+        }
+      }
+    }
+  }
+
   _validateCliCrossBlock() {
     const cliBlocks = this.ast.body.filter(n => n.type === 'CliBlock');
     if (cliBlocks.length === 0) return;
@@ -1258,6 +1655,19 @@ export class Analyzer {
   }
 
   _validateSecurityCrossBlock() {
+    // W_NO_SECURITY_BLOCK: server/edge block without security block
+    const hasServerOrEdge = this.ast.body.some(n => n.type === 'ServerBlock' || n.type === 'EdgeBlock');
+    const hasSecurityBlock = this.ast.body.some(n => n.type === 'SecurityBlock');
+    if (hasServerOrEdge && !hasSecurityBlock) {
+      const block = this.ast.body.find(n => n.type === 'ServerBlock' || n.type === 'EdgeBlock');
+      this.warnings.push({
+        message: 'Server/edge block defined without a security block — consider adding security { ... } for auth, CORS, and CSRF protection',
+        loc: block.loc,
+        code: 'W_NO_SECURITY_BLOCK',
+        category: 'security',
+      });
+    }
+
     // Collect ALL security declarations across ALL security blocks in the AST
     const allRoles = new Set();
     const allProtects = [];
@@ -1308,6 +1718,7 @@ export class Analyzer {
             message: `Role '${decl.name}' is defined in multiple security blocks — later definition overwrites earlier one`,
             loc: decl.loc,
             code: 'W_DUPLICATE_ROLE',
+            category: 'security',
           });
         }
       }
@@ -1322,6 +1733,7 @@ export class Analyzer {
           message: `Unknown auth type '${authDecl.authType}' — supported types are: ${validAuthTypes.join(', ')}`,
           loc: authDecl.loc,
           code: 'W_UNKNOWN_AUTH_TYPE',
+          category: 'security',
         });
       }
     }
@@ -1334,6 +1746,7 @@ export class Analyzer {
           message: 'Auth secret is hardcoded as a string literal — use env("SECRET_NAME") instead',
           loc: authDecl.loc,
           code: 'W_HARDCODED_SECRET',
+          category: 'security',
         });
       }
     }
@@ -1348,6 +1761,7 @@ export class Analyzer {
               message: 'CORS origins contains wildcard "*" — consider restricting to specific origins',
               loc: corsDecl.loc,
               code: 'W_CORS_WILDCARD',
+              category: 'security',
             });
             break;
           }
@@ -1370,6 +1784,7 @@ export class Analyzer {
           message: `Rate limit max must be a positive number, got ${rlMaxVal}`,
           loc: rateLimitDecl.loc,
           code: 'W_INVALID_RATE_LIMIT',
+          category: 'security',
         });
       }
       if (rlWindowVal !== null && rlWindowVal <= 0) {
@@ -1377,6 +1792,7 @@ export class Analyzer {
           message: `Rate limit window must be a positive number, got ${rlWindowVal}`,
           loc: rateLimitDecl.loc,
           code: 'W_INVALID_RATE_LIMIT',
+          category: 'security',
         });
       }
     }
@@ -1390,6 +1806,7 @@ export class Analyzer {
           message: 'CSRF protection is explicitly disabled — this increases vulnerability to cross-site request forgery attacks',
           loc: csrfDecl.loc,
           code: 'W_CSRF_DISABLED',
+          category: 'security',
         });
       }
     }
@@ -1403,6 +1820,7 @@ export class Analyzer {
           message: 'Auth tokens stored in localStorage are vulnerable to XSS attacks — consider using storage: "cookie" for HttpOnly cookie storage',
           loc: authDecl.loc,
           code: 'W_LOCALSTORAGE_TOKEN',
+          category: 'security',
         });
       }
     }
@@ -1413,6 +1831,7 @@ export class Analyzer {
         message: 'Rate limiting uses in-memory storage — not shared across server instances. Consider an external store for production multi-instance deployments',
         loc: rateLimitDecl.loc,
         code: 'W_INMEMORY_RATELIMIT',
+        category: 'security',
       });
     }
 
@@ -1424,6 +1843,7 @@ export class Analyzer {
           message: 'Auth is configured without rate limiting — consider adding rate_limit to protect against brute-force attacks',
           loc: authDecl.loc,
           code: 'W_NO_AUTH_RATELIMIT',
+          category: 'security',
         });
       }
     }
@@ -1436,6 +1856,7 @@ export class Analyzer {
           message: `sensitive ${s.typeName}.${s.fieldName} declares hash: "${hashVal}" but hashing is not automatically enforced — use hash_password() in your write handlers`,
           loc: s.loc,
           code: 'W_HASH_NOT_ENFORCED',
+          category: 'security',
         });
       }
     }
@@ -1450,6 +1871,7 @@ export class Analyzer {
         message: 'Route protection rules exist but no auth is configured — all protected routes will be inaccessible',
         loc: allProtects[0].loc,
         code: 'W_PROTECT_WITHOUT_AUTH',
+        category: 'security',
       });
     }
 
@@ -1462,6 +1884,7 @@ export class Analyzer {
           message: `Protect rule for "${protect.pattern}" has no 'require' — route is unprotected`,
           loc: protect.loc,
           code: 'W_PROTECT_NO_REQUIRE',
+          category: 'security',
         });
         continue;
       }
@@ -1471,6 +1894,7 @@ export class Analyzer {
             message: `Protect rule references undefined role '${requireExpr.name}'`,
             loc: protect.loc,
             code: 'W_UNDEFINED_ROLE',
+            category: 'security',
           });
         }
       }
@@ -1487,6 +1911,7 @@ export class Analyzer {
                 message: `Sensitive field '${sensitive.typeName}.${sensitive.fieldName}' visible_to references undefined role '${elem.name}'`,
                 loc: sensitive.loc,
                 code: 'W_UNDEFINED_ROLE',
+                category: 'security',
               });
             }
           }
@@ -1532,6 +1957,15 @@ export class Analyzer {
       // Complex targets (e.g., arr[i] = val, obj.prop = val) — visit and skip declaration logic
       if (typeof target !== 'string') {
         this.visitExpression(target);
+        // W_DANGEROUS_API: detect innerHTML assignment
+        if (target.type === 'MemberExpression' && !target.computed && target.property === 'innerHTML') {
+          this.warn(
+            'Direct innerHTML assignment is an XSS risk — use textContent or escape_html()',
+            target.loc || node.loc,
+            'Use el.textContent for plain text, or escape_html(value) for safe HTML rendering',
+            { code: 'W_DANGEROUS_API', category: 'security' }
+          );
+        }
         continue;
       }
 
@@ -1614,9 +2048,10 @@ export class Analyzer {
     } else if (node.pattern.type === 'ArrayPattern' || node.pattern.type === 'TuplePattern') {
       for (const el of node.pattern.elements) {
         if (el) {
+          const varName = el.startsWith('...') ? el.slice(3) : el;
           try {
-            this.currentScope.define(el,
-              new Symbol(el, 'variable', null, false, node.loc));
+            this.currentScope.define(varName,
+              new Symbol(varName, 'variable', null, false, node.loc));
           } catch (e) {
             this.error(e.message);
           }
@@ -1634,6 +2069,7 @@ export class Analyzer {
       sym._paramTypes = node.params.map(p => p.typeAnnotation || null);
       sym._typeParams = node.typeParams || [];
       sym.isPublic = node.isPublic || false;
+      sym.isWasm = !!(node.decorators && node.decorators.some(d => d.name === 'wasm'));
       this.currentScope.define(node.name, sym);
     } catch (e) {
       this.error(e.message);
@@ -1785,6 +2221,19 @@ export class Analyzer {
       }
     }
 
+    // Register struct type metadata (non-variant types)
+    const hasVariants = node.variants.some(v => v.type === 'TypeVariant');
+    if (!hasVariants && node.variants.length > 0) {
+      const typeSym = this.currentScope.lookup(node.name);
+      if (typeSym) {
+        typeSym._params = node.variants.map(f => f.name);
+        typeSym._totalParamCount = node.variants.length;
+        typeSym._requiredParamCount = node.variants.length;
+        typeSym._paramTypes = node.variants.map(f => f.typeAnnotation || null);
+        typeSym._isStructConstructor = true;
+      }
+    }
+
     // Validate derive traits
     if (node.derive) {
       const builtinTraits = new Set(['Eq', 'Show', 'JSON']);
@@ -1878,7 +2327,7 @@ export class Analyzer {
       const sym = this.currentScope.lookup(narrowing.varName);
       if (sym) {
         // Store narrowed type info in the scope
-        const narrowedSym = new Symbol(narrowing.varName, sym.kind, null, false, sym.loc);
+        const narrowedSym = new Symbol(narrowing.varName, sym.kind, null, sym.mutable, sym.loc);
         narrowedSym.inferredType = narrowing.narrowedType;
         narrowedSym._narrowed = true;
         try { this.currentScope.define(narrowing.varName, narrowedSym); } catch (e) { /* already defined */ }
@@ -1903,7 +2352,7 @@ export class Analyzer {
         this.currentScope = this.currentScope.child('block');
         const sym = this.currentScope.lookup(narrowing.varName);
         if (sym) {
-          const narrowedSym = new Symbol(narrowing.varName, sym.kind, null, false, sym.loc);
+          const narrowedSym = new Symbol(narrowing.varName, sym.kind, null, sym.mutable, sym.loc);
           narrowedSym.inferredType = narrowing.inverseType;
           narrowedSym._narrowed = true;
           try { this.currentScope.define(narrowing.varName, narrowedSym); } catch (e) { /* already defined */ }
@@ -2683,7 +3132,19 @@ export class Analyzer {
       case 'BlockStatement':
         if (node.body.length === 0) return false;
         // Any statement that definitely returns makes the block definitely return
-        return node.body.some(stmt => this._definitelyReturns(stmt));
+        if (node.body.some(stmt => this._definitelyReturns(stmt))) return true;
+        // Last value-producing expression in a block is an implicit return (codegen adds `return`).
+        // Only treat simple value expressions as implicit returns — calls, match, and if
+        // require deeper analysis and are excluded to avoid false negatives.
+        const lastStmt = node.body[node.body.length - 1];
+        if (lastStmt && lastStmt.type === 'ExpressionStatement') {
+          const exprType = lastStmt.expression.type;
+          if (exprType !== 'CallExpression' && exprType !== 'MatchExpression' &&
+              exprType !== 'IfExpression' && exprType !== 'IfStatement') {
+            return true;
+          }
+        }
+        return false;
       case 'IfStatement':
         if (!node.elseBody) return false;
         const consequentReturns = this._definitelyReturns(node.consequent);
@@ -2731,11 +3192,16 @@ export class Analyzer {
     const hasSpread = node.arguments.some(a => a.type === 'SpreadExpression');
     if (hasSpread) return;
 
-    // Named arguments are collapsed into a single object at codegen
+    // Named arguments: for type constructors, each named arg = one field;
+    // for regular functions, named args are collapsed into a single object
     const hasNamedArgs = node.arguments.some(a => a.type === 'NamedArgument');
     if (hasNamedArgs) {
-      const positionalCount = node.arguments.filter(a => a.type !== 'NamedArgument').length;
-      var actualCount = positionalCount + 1; // named args become one object
+      if (fnSym._variantOf || fnSym._isStructConstructor) {
+        var actualCount = node.arguments.length; // each arg = one field
+      } else {
+        const positionalCount = node.arguments.filter(a => a.type !== 'NamedArgument').length;
+        var actualCount = positionalCount + 1; // named args become one object
+      }
     } else {
       var actualCount = node.arguments.length;
     }
@@ -2789,6 +3255,68 @@ export class Analyzer {
         this.error(`Type mismatch: '${paramName}' expects ${expectedType}, but got ${actualType}`, arg.loc || node.loc, this._conversionHint(expectedType, actualType));
       }
     }
+
+    // Type-check named args for type/variant constructors
+    if ((fnSym._variantOf || fnSym._isStructConstructor) && fnSym._params && fnSym._paramTypes) {
+      for (const arg of node.arguments) {
+        if (arg.type !== 'NamedArgument') continue;
+        const idx = fnSym._params.indexOf(arg.name);
+        if (idx === -1 || !fnSym._paramTypes[idx]) continue;
+        let expectedType = this._typeAnnotationToString(fnSym._paramTypes[idx]);
+        if (typeParamBindings.size > 0) {
+          expectedType = this._substituteTypeParams(expectedType, typeParamBindings);
+        }
+        if (fnSym._typeParams && fnSym._typeParams.includes(expectedType)) continue;
+        const actualType = this._inferType(arg.value);
+        if (!this._typesCompatible(expectedType, actualType)) {
+          this.error(`Type mismatch: '${arg.name}' expects ${expectedType}, but got ${actualType}`, arg.loc || node.loc, this._conversionHint(expectedType, actualType));
+        }
+      }
+    }
+  }
+
+  _checkNamedConstructorArgs(node) {
+    if (node.callee.type !== 'Identifier') return;
+    const hasNamedArgs = node.arguments.some(a => a.type === 'NamedArgument');
+    if (!hasNamedArgs) return;
+
+    const fnSym = this.currentScope.lookup(node.callee.name);
+    if (!fnSym) return;
+    if (!fnSym._variantOf && !fnSym._isStructConstructor) return;
+    if (!fnSym._params) return;
+
+    // Check for duplicate field names in the type definition (would make named args ambiguous)
+    const uniqueParams = new Set(fnSym._params);
+    if (uniqueParams.size !== fnSym._params.length) {
+      this.error(`Cannot use named arguments with ${node.callee.name}: duplicate field names`, node.loc);
+      return;
+    }
+
+    const positionalCount = node.arguments.filter(a => a.type !== 'NamedArgument').length;
+    const seenNames = new Set();
+
+    for (const arg of node.arguments) {
+      if (arg.type !== 'NamedArgument') continue;
+
+      // Unknown field
+      if (!fnSym._params.includes(arg.name)) {
+        this.error(`Unknown field '${arg.name}' in ${node.callee.name} constructor`, arg.loc || node.loc);
+        continue;
+      }
+
+      // Duplicate named arg
+      if (seenNames.has(arg.name)) {
+        this.error(`Duplicate named argument '${arg.name}'`, arg.loc || node.loc);
+        continue;
+      }
+      seenNames.add(arg.name);
+
+      // Overlaps with positional slot
+      const fieldIdx = fnSym._params.indexOf(arg.name);
+      if (fieldIdx < positionalCount) {
+        this.error(`Field '${arg.name}' already provided positionally`, arg.loc || node.loc);
+      }
+    }
   }
 
   /**