truecourse 0.5.7 → 0.5.8-windows.2

package/cli.mjs

@@ -3976,7 +3976,7 @@ var init_paths = __esm({
   "packages/core/dist/config/paths.js"() {
     "use strict";
     TRUECOURSE_DIR = ".truecourse";
-    GITIGNORE_CONTENTS = "analyses/\nLATEST.json\nhistory.json\ndiff.json\nui-state.json\nlogs/\n.analyze.lock\n";
+    GITIGNORE_CONTENTS = "analyses/\nhistory.json\ndiff.json\nui-state.json\nlogs/\n.analyze.lock\n";
   }
 });
 
@@ -4077,15 +4077,17 @@ __export(helpers_exports, {
   requireRegisteredRepo: () => requireRegisteredRepo,
   severityColor: () => severityColor,
   severityIcon: () => severityIcon,
+  syncShippedSkills: () => syncShippedSkills,
   writeConfig: () => writeConfig
 });
 import { exec as exec2 } from "node:child_process";
-import { cpSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { cpSync, existsSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import fs3 from "node:fs";
 import os2 from "node:os";
 import path3 from "node:path";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { createHash } from "node:crypto";
 function getConfigPath() {
   return path3.join(os2.homedir(), ".truecourse", "config.json");
 }
@@ -4352,6 +4354,31 @@ function computeMissingSkills(repoPath) {
 function hasInstalledSkills(repoPath) {
   return computeMissingSkills(repoPath).length === 0;
 }
+function skillFilePath(parent, name) {
+  return resolve(parent, name, "SKILL.md");
+}
+function sha256OfFile(filePath) {
+  if (!existsSync(filePath)) return null;
+  return createHash("sha256").update(readFileSync(filePath)).digest("hex");
+}
+function skillsLockPath(repoPath) {
+  return resolve(skillsParentDir(repoPath), SKILLS_LOCKFILE_NAME);
+}
+function readSkillsLock(repoPath) {
+  const lockPath2 = skillsLockPath(repoPath);
+  if (!existsSync(lockPath2)) return {};
+  try {
+    const parsed = JSON.parse(readFileSync(lockPath2, "utf-8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function writeSkillsLock(repoPath, lock) {
+  const lockPath2 = skillsLockPath(repoPath);
+  mkdirSync(dirname(lockPath2), { recursive: true });
+  writeFileSync(lockPath2, JSON.stringify(lock, null, 2) + "\n");
+}
 function copySkills(repoPath, skillNames) {
   const src = resolveSkillsSrcDir();
   if (!src) {
@@ -4360,25 +4387,97 @@ function copySkills(repoPath, skillNames) {
   }
   const parent = skillsParentDir(repoPath);
   mkdirSync(parent, { recursive: true });
+  const lock = readSkillsLock(repoPath);
   for (const name of skillNames) {
     const skillSrc = resolve(src, name);
     const skillDest = resolve(parent, name);
     if (existsSync(skillDest)) continue;
     cpSync(skillSrc, skillDest, { recursive: true });
+    const sha = sha256OfFile(skillFilePath(parent, name));
+    if (sha) lock[name] = sha;
   }
+  writeSkillsLock(repoPath, lock);
   O2.success(
     `Installed ${skillNames.length} Claude Code skill${skillNames.length === 1 ? "" : "s"}:`
   );
   for (const name of skillNames) O2.message(`  - ${name}`);
 }
+function syncShippedSkills(repoPath, srcDirOverride) {
+  const src = srcDirOverride ?? resolveSkillsSrcDir();
+  if (!src) return;
+  const parent = skillsParentDir(repoPath);
+  if (!existsSync(parent)) return;
+  const shipped = listSkillDirs(src);
+  const lock = readSkillsLock(repoPath);
+  const updated = [];
+  const migrated = [];
+  const customized = [];
+  let lockChanged = false;
+  const overwriteWithShipped = (name, shippedSha) => {
+    const skillSrc = resolve(src, name);
+    const skillDest = resolve(parent, name);
+    rmSync(skillDest, { recursive: true, force: true });
+    cpSync(skillSrc, skillDest, { recursive: true });
+    lock[name] = shippedSha;
+    lockChanged = true;
+  };
+  for (const name of shipped) {
+    const skillSrcFile = skillFilePath(src, name);
+    const skillDestFile = skillFilePath(parent, name);
+    if (!existsSync(skillDestFile)) continue;
+    const shippedSha = sha256OfFile(skillSrcFile);
+    const installedSha = sha256OfFile(skillDestFile);
+    if (!shippedSha || !installedSha) continue;
+    if (shippedSha === installedSha) {
+      if (lock[name] !== shippedSha) {
+        lock[name] = shippedSha;
+        lockChanged = true;
+      }
+      continue;
+    }
+    const recordedSha = lock[name];
+    if (!recordedSha) {
+      overwriteWithShipped(name, shippedSha);
+      migrated.push(name);
+      continue;
+    }
+    if (installedSha === recordedSha) {
+      overwriteWithShipped(name, shippedSha);
+      updated.push(name);
+    } else {
+      customized.push(name);
+    }
+  }
+  if (lockChanged) writeSkillsLock(repoPath, lock);
+  if (updated.length > 0) {
+    O2.info(
+      `Updated ${updated.length} Claude Code skill${updated.length === 1 ? "" : "s"} to the current version: ${updated.join(", ")}`
+    );
+  }
+  if (migrated.length > 0) {
+    const word = migrated.length === 1 ? "skill" : "skills";
+    O2.info(
+      `Migrated ${migrated.length} pre-existing Claude Code ${word} to the current shipped version: ${migrated.join(", ")}.
+If you had local edits, they're recoverable from git history. Future upgrades will preserve customizations automatically.`
+    );
+  }
+  if (customized.length > 0) {
+    const word = customized.length === 1 ? "skill has" : "skills have";
+    O2.warn(
+      `Claude Code ${word} local edits and a newer version is available \u2014 keeping yours: ${customized.join(", ")}.
+To take the new version, delete the skill folder under .claude/skills/ and re-run truecourse.`
+    );
+  }
+}
 async function promptInstallSkills(repoPath, { install } = {}) {
+  if (install === false) return;
+  syncShippedSkills(repoPath);
   const missing = computeMissingSkills(repoPath);
   if (missing.length === 0) return;
   if (install === true) {
     copySkills(repoPath, missing);
     return;
   }
-  if (install === false) return;
   if (!isInteractive()) return;
   const src = resolveSkillsSrcDir();
   const shipped = src ? listSkillDirs(src) : [];
@@ -4389,7 +4488,7 @@ async function promptInstallSkills(repoPath, { install } = {}) {
   if (q(answer) || !answer) return;
   copySkills(repoPath, missing);
 }
-var DEFAULT_PORT, DEFAULT_CONFIG;
+var DEFAULT_PORT, DEFAULT_CONFIG, SKILLS_LOCKFILE_NAME;
 var init_helpers = __esm({
   "tools/cli/src/commands/helpers.ts"() {
     "use strict";
@@ -4398,6 +4497,7 @@ var init_helpers = __esm({
     init_registry();
     DEFAULT_PORT = 3001;
     DEFAULT_CONFIG = { runMode: "console" };
+    SKILLS_LOCKFILE_NAME = ".truecourse-skills.json";
   }
 });
 
@@ -10542,7 +10642,12 @@ var init_language_config = __esm({
       classQuery: `
     (class_declaration) @class
     (class) @class
-  `
+  `,
+      // Skip pre-built/minified bundles. They have no analytical value (build
+      // artifacts of source already in the repo or vendored libs) and a single
+      // ~1MB minified line can blow past V8's max string length when the LLM
+      // context router extracts thousands of arrow_function bodies from it.
+      ignorePatterns: ["**/*.min.js", "**/*.min.cjs", "**/*.min.mjs"]
     };
     PYTHON_CONFIG = {
       name: "python",
@@ -10585,9 +10690,55 @@ var init_language_config = __esm({
 });
 
 // packages/analyzer/dist/file-discovery.js
-import { existsSync as existsSync2, readFileSync, readdirSync as readdirSync2, statSync } from "fs";
+import { existsSync as existsSync2, openSync, readFileSync as readFileSync2, readSync, readdirSync as readdirSync2, statSync, closeSync } from "fs";
 import { execFileSync } from "child_process";
 import { join, relative, resolve as resolve2 } from "path";
+function looksLikeBuildArtifact(absPath) {
+  const slash = absPath.lastIndexOf("/");
+  const basename2 = slash >= 0 ? absPath.slice(slash + 1) : absPath;
+  return /\.(bundle|production|development)\.(js|cjs|mjs|jsx|ts|tsx|mts|cts)$/i.test(basename2);
+}
+function looksMinified(absPath) {
+  const dotIdx = absPath.lastIndexOf(".");
+  if (dotIdx < 0)
+    return false;
+  const ext2 = absPath.slice(dotIdx);
+  if (!SNIFFED_EXTS.has(ext2))
+    return false;
+  if (looksLikeBuildArtifact(absPath))
+    return true;
+  let size;
+  try {
+    size = statSync(absPath).size;
+  } catch {
+    return false;
+  }
+  if (size < MIN_SIZE_FOR_SNIFF)
+    return false;
+  let fd = null;
+  try {
+    fd = openSync(absPath, "r");
+    const buf = Buffer.alloc(SNIFF_BYTES);
+    const read = readSync(fd, buf, 0, SNIFF_BYTES, 0);
+    let newlines = 0;
+    for (let i = 0; i < read; i++) {
+      if (buf[i] === 10)
+        newlines++;
+      if (newlines >= MIN_NEWLINES)
+        return false;
+    }
+    return true;
+  } catch {
+    return false;
+  } finally {
+    if (fd !== null) {
+      try {
+        closeSync(fd);
+      } catch {
+      }
+    }
+  }
+}
 function isInsideGitWorkTree(dir) {
   try {
     const out = execFileSync("git", ["-C", dir, "rev-parse", "--is-inside-work-tree"], {
@@ -10602,7 +10753,7 @@ function buildPostGitFilter(dir) {
   const ig = (0, import_ignore.default)();
   const tcPath = join(dir, ".truecourseignore");
   if (existsSync2(tcPath))
-    ig.add(readFileSync(tcPath, "utf8"));
+    ig.add(readFileSync2(tcPath, "utf8"));
   ig.add(".git");
   for (const p2 of getAllTestPatterns())
     ig.add(p2);
@@ -10635,8 +10786,11 @@ function discoverFilesViaGit(dir) {
     }
     if (!isFile)
       continue;
-    if (detectLanguage(abs))
-      out.push(abs);
+    if (!detectLanguage(abs))
+      continue;
+    if (looksMinified(abs))
+      continue;
+    out.push(abs);
   }
   return out;
 }
@@ -10694,11 +10848,11 @@ function loadIgnorePatterns(baseDir) {
   const gitignores = findAllGitignores(baseDir);
   const rootDir = gitignores.length > 0 && gitignores[0] ? gitignores[0].dir : baseDir;
   for (const { path: gitignorePath } of gitignores) {
-    ig.add(readFileSync(gitignorePath, "utf8"));
+    ig.add(readFileSync2(gitignorePath, "utf8"));
   }
   const truecourseignorePath = join(baseDir, ".truecourseignore");
   if (existsSync2(truecourseignorePath)) {
-    const content = readFileSync(truecourseignorePath, "utf8");
+    const content = readFileSync2(truecourseignorePath, "utf8");
     const prefix = relative(rootDir, baseDir).replace(/\\/g, "/");
     ig.add(reanchorTruecourseignore(content, prefix));
   }
@@ -10725,8 +10879,11 @@ function discoverFilesViaWalker(dir) {
         if (stat.isDirectory()) {
           traverse(fullPath);
         } else if (stat.isFile()) {
-          if (detectLanguage(fullPath))
-            files.push(fullPath);
+          if (!detectLanguage(fullPath))
+            continue;
+          if (looksMinified(fullPath))
+            continue;
+          files.push(fullPath);
         }
       }
     } catch {
@@ -10741,12 +10898,16 @@ function discoverFiles(dir) {
     return viaGit;
   return discoverFilesViaWalker(dir);
 }
-var import_ignore;
+var import_ignore, SNIFFED_EXTS, MIN_SIZE_FOR_SNIFF, SNIFF_BYTES, MIN_NEWLINES;
 var init_file_discovery = __esm({
   "packages/analyzer/dist/file-discovery.js"() {
     "use strict";
     import_ignore = __toESM(require_ignore(), 1);
     init_language_config();
+    SNIFFED_EXTS = /* @__PURE__ */ new Set([".js", ".jsx", ".cjs", ".mjs", ".ts", ".tsx", ".mts", ".cts"]);
+    MIN_SIZE_FOR_SNIFF = 15 * 1024;
+    SNIFF_BYTES = 8 * 1024;
+    MIN_NEWLINES = 4;
   }
 });
 
@@ -12516,6 +12677,15 @@ var init_typescript = __esm({
 
 // packages/analyzer/dist/extractors/languages/javascript.js
 import { Query as Query3 } from "web-tree-sitter";
+function isNestedInFunction2(node) {
+  let current = node.parent;
+  while (current) {
+    if (FUNCTION_NODE_TYPES2.has(current.type))
+      return true;
+    current = current.parent;
+  }
+  return false;
+}
 function extractFunctionName2(node) {
   const nameNode = node.childForFieldName("name");
   if (nameNode?.text)
@@ -12523,6 +12693,8 @@ function extractFunctionName2(node) {
   const parent = node.parent;
   if (!parent)
     return "anonymous";
+  if (isNestedInFunction2(node))
+    return "anonymous";
   if (parent.type === "variable_declarator") {
     const varName = parent.childForFieldName("name");
     if (varName?.text)
@@ -12541,25 +12713,15 @@ function extractFunctionName2(node) {
         return prop.text;
     }
   }
-  if (parent.type === "arguments") {
-    const callNode = parent.parent;
-    if (callNode?.type === "call_expression") {
-      const callee = callNode.childForFieldName("function");
-      if (callee?.type === "member_expression") {
-        const method = callee.childForFieldName("property");
-        if (method?.text)
-          return `${method.text}_handler`;
-      }
-    }
-  }
   return "anonymous";
 }
 function isExported2(node) {
   let current = node.parent;
   while (current) {
-    if (current.type === "export_statement") {
+    if (current.type === "export_statement")
       return true;
-    }
+    if (FUNCTION_NODE_TYPES2.has(current.type))
+      return false;
     current = current.parent;
   }
   return false;
@@ -12904,12 +13066,22 @@ function extractJavaScriptExports(tree, _filePath) {
   }
   return exports;
 }
+var FUNCTION_NODE_TYPES2;
 var init_javascript = __esm({
   "packages/analyzer/dist/extractors/languages/javascript.js"() {
     "use strict";
     init_language_config();
     init_parser();
     init_common();
+    FUNCTION_NODE_TYPES2 = /* @__PURE__ */ new Set([
+      "function_declaration",
+      "function",
+      "function_expression",
+      "arrow_function",
+      "generator_function_declaration",
+      "generator_function",
+      "method_definition"
+    ]);
   }
 });
 
@@ -12942,7 +13114,7 @@ function computePythonFunctionMetrics(node) {
   walkNesting(bodyNode, 0);
   return { lineCount, statementCount, maxNestingDepth: maxNestingDepth2 };
 }
-function isNestedInFunction2(node) {
+function isNestedInFunction3(node) {
   let current = node.parent;
   while (current) {
     if (current.type === "function_definition")
@@ -13009,7 +13181,7 @@ function extractPythonFunctions(tree, filePath) {
       const name = node.childForFieldName("name")?.text;
       if (!name)
         return;
-      if (isNestedInFunction2(node))
+      if (isNestedInFunction3(node))
         return;
       const paramsNode = node.childForFieldName("parameters");
       const params = extractPythonParameters(paramsNode);
@@ -13645,7 +13817,7 @@ var init_registry2 = __esm({
 
 // packages/analyzer/dist/dependency-graph.js
 import { resolve as resolve4, dirname as dirname4, join as join3 } from "path";
-import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync as readdirSync4, realpathSync, statSync as statSync3 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3, readdirSync as readdirSync4, realpathSync, statSync as statSync3 } from "fs";
 function resolveRelativeFallback(importSource, containingFile, analyzedFiles, extensions, indexFiles) {
   const fromDir = dirname4(containingFile);
   const basePath = resolve4(fromDir, importSource);
@@ -13679,7 +13851,7 @@ function buildWorkspacePackageMap(rootPath) {
         if (!existsSync4(pkgJsonPath))
           continue;
         try {
-          const pkg = JSON.parse(readFileSync2(pkgJsonPath, "utf-8"));
+          const pkg = JSON.parse(readFileSync3(pkgJsonPath, "utf-8"));
           if (pkg.name)
             packageMap.set(pkg.name, pkgDir);
         } catch {
@@ -13710,7 +13882,7 @@ function resolveWorkspaceFallback(importSource, workspacePackages, analyzedFiles
   const pkgJsonPath = join3(pkgDir, "package.json");
   if (existsSync4(pkgJsonPath)) {
     try {
-      const pkg = JSON.parse(readFileSync2(pkgJsonPath, "utf-8"));
+      const pkg = JSON.parse(readFileSync3(pkgJsonPath, "utf-8"));
       const mainField = pkg.main || pkg.module;
       if (mainField) {
         const mainPath = resolve4(pkgDir, mainField);
@@ -16247,7 +16419,7 @@ var init_layer_detector = __esm({
 });
 
 // packages/analyzer/dist/service-detectors/javascript.js
-import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
 import { join as join4 } from "path";
 var jsServiceDetector;
 var init_javascript2 = __esm({
@@ -16259,7 +16431,7 @@ var init_javascript2 = __esm({
         if (!existsSync5(packageJsonPath))
           return [];
         try {
-          const pkg = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
+          const pkg = JSON.parse(readFileSync4(packageJsonPath, "utf-8"));
           return Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
         } catch {
           return [];
@@ -16270,7 +16442,7 @@ var init_javascript2 = __esm({
         if (!existsSync5(packageJsonPath))
           return false;
         try {
-          const pkg = JSON.parse(readFileSync3(packageJsonPath, "utf-8"));
+          const pkg = JSON.parse(readFileSync4(packageJsonPath, "utf-8"));
           const libraryIndicators = ["main", "module", "exports", "types", "typings"];
           return libraryIndicators.some((indicator) => pkg[indicator]);
         } catch {
@@ -16282,7 +16454,7 @@ var init_javascript2 = __esm({
 });
 
 // packages/analyzer/dist/service-detectors/python.js
-import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync5 } from "fs";
 import { join as join5 } from "path";
 var pythonServiceDetector;
 var init_python4 = __esm({
@@ -16294,7 +16466,7 @@ var init_python4 = __esm({
         const reqPath = join5(servicePath, "requirements.txt");
         if (existsSync6(reqPath)) {
           try {
-            const content = readFileSync4(reqPath, "utf-8");
+            const content = readFileSync5(reqPath, "utf-8");
             for (const line of content.split("\n")) {
               const trimmed2 = line.trim();
               if (!trimmed2 || trimmed2.startsWith("#") || trimmed2.startsWith("-"))
@@ -16309,7 +16481,7 @@ var init_python4 = __esm({
         const pyprojectPath = join5(servicePath, "pyproject.toml");
         if (existsSync6(pyprojectPath)) {
           try {
-            const content = readFileSync4(pyprojectPath, "utf-8");
+            const content = readFileSync5(pyprojectPath, "utf-8");
             const depsMatch = content.match(/dependencies\s*=\s*\[([\s\S]*?)\]/m);
             if (depsMatch) {
               const depMatches = depsMatch[1].matchAll(/"([^"]+)"|'([^']+)'/g);
@@ -16361,7 +16533,7 @@ var init_registry3 = __esm({
 });
 
 // packages/analyzer/dist/service-detector.js
-import { existsSync as existsSync7, readFileSync as readFileSync5, readdirSync as readdirSync5, statSync as statSync4 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync6, readdirSync as readdirSync5, statSync as statSync4 } from "fs";
 import { join as join6, basename, dirname as dirname5 } from "path";
 function detectServices(rootPath, allFiles) {
   const monorepoServices = detectMonorepoServices(rootPath, allFiles);
@@ -16495,7 +16667,7 @@ function detectDockerComposeServices(rootPath, allFiles) {
     return [];
   }
   try {
-    const content = readFileSync5(composePath2, "utf-8");
+    const content = readFileSync6(composePath2, "utf-8");
     const services = [];
     const lines = content.split("\n");
     let inServices = false;
@@ -16533,7 +16705,7 @@ function detectServiceType(servicePath, files) {
   const hasPackageJson = existsSync7(join6(servicePath, "package.json"));
   if (hasPackageJson) {
     try {
-      const pkg = JSON.parse(readFileSync5(join6(servicePath, "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync6(join6(servicePath, "package.json"), "utf-8"));
       const deps = { ...pkg.dependencies, ...pkg.devDependencies };
       const isFrontend = patterns.frontend.frameworks.some((fw) => deps[fw]);
       if (isFrontend) {
@@ -16562,7 +16734,7 @@ function detectFramework(servicePath) {
   const packageJsonPath = join6(servicePath, "package.json");
   if (existsSync7(packageJsonPath)) {
     try {
-      const pkg = JSON.parse(readFileSync5(packageJsonPath, "utf-8"));
+      const pkg = JSON.parse(readFileSync6(packageJsonPath, "utf-8"));
       const deps2 = { ...pkg.dependencies, ...pkg.devDependencies };
       for (const fw of patterns.metaFrameworks) {
         if (deps2[fw]) {
@@ -16600,7 +16772,7 @@ function getServiceName(servicePath) {
   const packageJsonPath = join6(servicePath, "package.json");
   if (existsSync7(packageJsonPath)) {
     try {
-      const pkg = JSON.parse(readFileSync5(packageJsonPath, "utf-8"));
+      const pkg = JSON.parse(readFileSync6(packageJsonPath, "utf-8"));
       if (pkg.name) {
         return pkg.name;
       }
@@ -17162,7 +17334,7 @@ var init_registry4 = __esm({
 });
 
 // packages/analyzer/dist/database-detector.js
-import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync6 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync7, readdirSync as readdirSync6 } from "fs";
 import { join as join7, resolve as resolve5 } from "path";
 function detectDatabases(rootPath, analyses, services) {
   const detections = [];
@@ -17199,7 +17371,7 @@ function detectDatabases(rootPath, analyses, services) {
   const schemaResults = /* @__PURE__ */ new Map();
   const prismaFiles = findFiles(rootPath, "schema.prisma", ["node_modules", ".git", "dist"]);
   for (const prismaFile of prismaFiles) {
-    const content = readFileSync6(prismaFile, "utf-8");
+    const content = readFileSync7(prismaFile, "utf-8");
     const result = parsePrismaSchema(content);
     let dbType = "postgres";
     const providerMatch = content.match(/provider\s*=\s*"(\w+)"/);
@@ -17237,7 +17409,7 @@ function detectDatabases(rootPath, analyses, services) {
       if (!parser4.matchesImport(analysis))
         continue;
       try {
-        const content = readFileSync6(resolve5(analysis.filePath), "utf-8");
+        const content = readFileSync7(resolve5(analysis.filePath), "utf-8");
         if (parser4.validateContent && !parser4.validateContent(content))
           continue;
         const result = parser4.parse(content);
@@ -17287,7 +17459,7 @@ function parseDockerCompose(rootPath) {
   for (const file of composeFiles) {
     const filePath = join7(rootPath, file);
     if (existsSync8(filePath)) {
-      composeContent = readFileSync6(filePath, "utf-8");
+      composeContent = readFileSync7(filePath, "utf-8");
       break;
     }
   }
@@ -18548,7 +18720,7 @@ var init_entities = __esm({
 
 // packages/analyzer/dist/lsp-client.js
 import { spawn as spawn2 } from "child_process";
-import { readFileSync as readFileSync7 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 import { resolve as resolve6 } from "path";
 import { pathToFileURL, fileURLToPath as fileURLToPath3 } from "url";
 function encodeMessage(msg) {
@@ -18663,7 +18835,7 @@ var init_lsp_client = __esm({
       // -------------------------------------------------------------------------
       openFile(filePath) {
         const absPath = resolve6(this.rootPath, filePath);
-        const content = readFileSync7(absPath, "utf-8");
+        const content = readFileSync8(absPath, "utf-8");
         this.sendNotification("textDocument/didOpen", {
           textDocument: {
             uri: pathToFileURL(absPath).href,
@@ -18775,7 +18947,7 @@ var init_lsp_client = __esm({
         const moduleMap = /* @__PURE__ */ new Map();
         for (const fa of fileAnalyses) {
           const absPath = resolve6(this.rootPath, fa.filePath);
-          const fileContent = readFileSync7(absPath, "utf-8");
+          const fileContent = readFileSync8(absPath, "utf-8");
           const lines = fileContent.split("\n");
           const fileResolutions = /* @__PURE__ */ new Map();
           for (const imp of fa.imports) {
@@ -32874,6 +33046,19 @@ function isPropertyAccess(node) {
   }
   if (parent.type === "keyword_argument" && parent.childForFieldName("name")?.id === node.id)
     return true;
+  if (parent.type === "jsx_attribute" && parent.namedChild(0)?.id === node.id)
+    return true;
+  if (parent.type === "jsx_opening_element" || parent.type === "jsx_closing_element" || parent.type === "jsx_self_closing_element") {
+    const tagName = parent.childForFieldName("name");
+    if (tagName?.id === node.id) {
+      const text = node.text;
+      if (text.length > 0) {
+        const first2 = text[0];
+        if (first2 === first2.toLowerCase() || text.includes("-"))
+          return true;
+      }
+    }
+  }
   return false;
 }
 function isJsDeclarationPosition(node) {
@@ -32907,6 +33092,10 @@ function isJsDeclarationPosition(node) {
   }
   if (parent.type === "catch_clause")
     return true;
+  if (parent.type === "for_in_statement" && parent.childForFieldName("left")?.id === node.id)
+    return true;
+  if (parent.type === "arrow_function" && parent.childForFieldName("parameter")?.id === node.id)
+    return true;
   return false;
 }
 function isPyDeclarationPosition(node) {
@@ -33046,9 +33235,9 @@ function buildScopeTree(rootNode, language) {
       return;
     }
     if ((parent.type === "function_declaration" || parent.type === "generator_function_declaration") && parent.childForFieldName("name")?.id === node.id) {
-      const targetScope = findFunctionScope(scope);
-      if (!targetScope.variables.has(node.text)) {
-        createVariable(node.text, "function", node, targetScope, false);
+      const enclosing = scope.parent ? findFunctionScope(scope.parent) : scope;
+      if (!enclosing.variables.has(node.text)) {
+        createVariable(node.text, "function", node, enclosing, false);
       }
       return;
     }
@@ -33068,6 +33257,13 @@ function buildScopeTree(rootNode, language) {
       }
       return;
     }
+    if (parent.type === "arrow_function" && parent.childForFieldName("parameter")?.id === node.id) {
+      const funcScope = nodeToScope.get(parent.id);
+      if (funcScope && !funcScope.variables.has(node.text)) {
+        createVariable(node.text, "parameter", node, funcScope, false);
+      }
+      return;
+    }
     if (parent.type === "rest_pattern" || parent.type === "rest_element") {
       const funcNode = findFunctionAncestor(node);
       if (funcNode) {
@@ -33090,6 +33286,68 @@ function buildScopeTree(rootNode, language) {
         return;
       }
     }
+    if (parent.type === "array_pattern" || parent.type === "object_pattern") {
+      if (isInFormalParameters(node)) {
+        const funcNode = findFunctionAncestor(node);
+        if (funcNode) {
+          const funcScope = nodeToScope.get(funcNode.id);
+          if (funcScope && !funcScope.variables.has(node.text)) {
+            createVariable(node.text, "parameter", node, funcScope, false);
+          }
+        }
+        return;
+      }
+      let ancestor = parent.parent;
+      let declarator = null;
+      let forIn = null;
+      while (ancestor) {
+        if (ancestor.type === "variable_declarator") {
+          declarator = ancestor;
+          break;
+        }
+        if (ancestor.type === "for_in_statement" && ancestor.childForFieldName("left")?.id === parent.id) {
+          forIn = ancestor;
+          break;
+        }
+        if (ancestor.type === "function_declaration" || ancestor.type === "function_expression" || ancestor.type === "arrow_function" || ancestor.type === "method_definition" || ancestor.type === "program")
+          break;
+        ancestor = ancestor.parent;
+      }
+      if (declarator) {
+        const grandparent = declarator.parent;
+        if (grandparent?.type === "variable_declaration") {
+          const targetScope = findFunctionScope(scope);
+          if (!targetScope.variables.has(node.text)) {
+            createVariable(node.text, "var", node, targetScope, false);
+          }
+        } else if (grandparent?.type === "lexical_declaration") {
+          const keyword = grandparent.child(0)?.text;
+          const kind = keyword === "const" ? "const" : "let";
+          if (!scope.variables.has(node.text)) {
+            createVariable(node.text, kind, node, scope, false);
+          }
+        }
+        return;
+      }
+      if (forIn) {
+        const kindText = forIn.childForFieldName("kind")?.text;
+        const kind = kindText === "var" ? "var" : kindText === "const" ? "const" : kindText === "let" ? "let" : "for-variable";
+        const targetScope = kind === "var" ? findFunctionScope(scope) : scope;
+        if (!targetScope.variables.has(node.text)) {
+          createVariable(node.text, kind, node, targetScope, false);
+        }
+        return;
+      }
+    }
+    if (parent.type === "for_in_statement" && parent.childForFieldName("left")?.id === node.id) {
+      const kindText = parent.childForFieldName("kind")?.text;
+      const kind = kindText === "var" ? "var" : kindText === "const" ? "const" : kindText === "let" ? "let" : "for-variable";
+      const targetScope = kind === "var" ? findFunctionScope(scope) : scope;
+      if (!targetScope.variables.has(node.text)) {
+        createVariable(node.text, kind, node, targetScope, false);
+      }
+      return;
+    }
     if (parent.type === "shorthand_property_identifier_pattern") {
       if (isInFormalParameters(node)) {
         const funcNode = findFunctionAncestor(node);
@@ -33430,16 +33688,27 @@ function buildScopeTree(rootNode, language) {
     if (isJs && node.type === "shorthand_property_identifier_pattern") {
       let ancestor = node.parent;
       let declarator = null;
+      let isParam = false;
+      let funcNode = null;
       while (ancestor) {
         if (ancestor.type === "variable_declarator") {
           declarator = ancestor;
           break;
         }
-        if (ancestor.type === "formal_parameters" || ancestor.type === "function_declaration" || ancestor.type === "arrow_function" || ancestor.type === "method_definition") {
+        if (ancestor.type === "formal_parameters" || ancestor.type === "function_declaration" || ancestor.type === "function_expression" || ancestor.type === "arrow_function" || ancestor.type === "method_definition" || ancestor.type === "generator_function_declaration" || ancestor.type === "generator_function") {
+          isParam = true;
+          funcNode = ancestor.type === "formal_parameters" ? ancestor.parent : ancestor;
           break;
         }
         ancestor = ancestor.parent;
       }
+      if (isParam && funcNode) {
+        const funcScope = nodeToScope.get(funcNode.id);
+        const name = node.text;
+        if (funcScope && !funcScope.variables.has(name)) {
+          createVariable(name, "parameter", node, funcScope, false);
+        }
+      }
       if (declarator) {
         const grandparent = declarator.parent;
         const name = node.text;
@@ -33509,7 +33778,7 @@ var init_known_globals = __esm({
   "packages/analyzer/dist/data-flow/known-globals.js"() {
     "use strict";
     JS_GLOBALS = /* @__PURE__ */ new Set([
-      // Browser
+      // Browser — global namespaces
       "window",
       "document",
       "navigator",
@@ -33517,19 +33786,109 @@ var init_known_globals = __esm({
       "history",
       "localStorage",
       "sessionStorage",
+      "screen",
+      "performance",
+      "crypto",
+      "caches",
+      "indexedDB",
+      "matchMedia",
+      // Browser — networking / fetch
       "fetch",
       "XMLHttpRequest",
       "WebSocket",
+      "EventSource",
       "URL",
       "URLSearchParams",
+      "Headers",
+      "Request",
+      "Response",
+      "FormData",
+      "Blob",
+      "File",
+      "FileReader",
+      "FileList",
+      "AbortController",
+      "AbortSignal",
+      "ReadableStream",
+      "WritableStream",
+      "TransformStream",
+      // Browser — events
+      "Event",
+      "CustomEvent",
+      "EventTarget",
+      "MessageEvent",
+      "ErrorEvent",
+      "CloseEvent",
+      "ProgressEvent",
+      "PointerEvent",
+      "KeyboardEvent",
+      "MouseEvent",
+      "TouchEvent",
+      "DragEvent",
+      "WheelEvent",
+      "FocusEvent",
+      "InputEvent",
+      "StorageEvent",
+      "PopStateEvent",
+      "HashChangeEvent",
+      "BeforeUnloadEvent",
+      // Browser — DOM
+      "Node",
+      "Element",
+      "HTMLElement",
+      "HTMLInputElement",
+      "HTMLButtonElement",
+      "HTMLFormElement",
+      "HTMLSelectElement",
+      "HTMLTextAreaElement",
+      "HTMLAnchorElement",
+      "HTMLImageElement",
+      "HTMLCanvasElement",
+      "HTMLVideoElement",
+      "HTMLAudioElement",
+      "HTMLDivElement",
+      "HTMLSpanElement",
+      "HTMLScriptElement",
+      "HTMLStyleElement",
+      "HTMLTemplateElement",
+      "HTMLIFrameElement",
+      "HTMLDialogElement",
+      "DocumentFragment",
+      "ShadowRoot",
+      "Text",
+      "Comment",
+      "Range",
+      "Selection",
+      "MutationObserver",
+      "IntersectionObserver",
+      "ResizeObserver",
+      "PerformanceObserver",
+      "NodeList",
+      "HTMLCollection",
+      "DOMTokenList",
+      "CanvasRenderingContext2D",
+      "OffscreenCanvas",
+      // Browser — timers / scheduling
       "setTimeout",
       "setInterval",
       "clearTimeout",
       "clearInterval",
       "requestAnimationFrame",
+      "cancelAnimationFrame",
+      "requestIdleCallback",
+      "cancelIdleCallback",
+      // Browser — dialogs
       "alert",
       "confirm",
       "prompt",
+      // Browser — workers / messaging
+      "Worker",
+      "SharedWorker",
+      "ServiceWorker",
+      "BroadcastChannel",
+      "MessageChannel",
+      "MessagePort",
+      "postMessage",
       // Node.js
       "process",
       "global",
@@ -33903,8 +34262,13 @@ function buildDataFlowContext(rootNode, language) {
         continue;
       if (v.useSites.length === 0)
         continue;
+      if (v.declarationNode.parent?.type === "named_expression")
+        continue;
+      const directUseSites = v.useSites.filter((u2) => !isInNestedFunctionScope(u2.scope, v.scope));
+      if (directUseSites.length === 0)
+        continue;
       const declPos = v.declarationNode.startIndex;
-      const earliestUse = Math.min(...v.useSites.map((u2) => u2.node.startIndex));
+      const earliestUse = Math.min(...directUseSites.map((u2) => u2.node.startIndex));
       if (earliestUse < declPos) {
         result.push(v);
       }
@@ -33912,6 +34276,17 @@ function buildDataFlowContext(rootNode, language) {
     cachedUsedBeforeDefined = result;
     return result;
   }
+  function isInNestedFunctionScope(useScope, declScope) {
+    if (useScope === declScope)
+      return false;
+    let cursor = useScope;
+    while (cursor && cursor !== declScope) {
+      if (cursor.kind === "function")
+        return true;
+      cursor = cursor.parent;
+    }
+    return false;
+  }
   function unusedVariables() {
     if (cachedUnused)
       return cachedUnused;
@@ -34495,7 +34870,72 @@ var init_insecure_cookie = __esm({
 });
 
 // packages/analyzer/dist/rules/security/visitors/javascript/disabled-auto-escaping.js
-var disabledAutoEscapingVisitor;
+function isStaticStringLiteral(node) {
+  if (node.type === "string")
+    return true;
+  if (node.type === "template_string") {
+    for (let i = 0; i < node.namedChildCount; i++) {
+      const child = node.namedChild(i);
+      if (child?.type === "template_substitution")
+        return false;
+    }
+    return true;
+  }
+  return false;
+}
+function isEscapeCall(node) {
+  if (node.type !== "call_expression")
+    return false;
+  const fn = node.childForFieldName("function");
+  if (!fn)
+    return false;
+  if (fn.type === "identifier")
+    return ESCAPE_HELPER_NAMES.has(fn.text);
+  if (fn.type === "member_expression") {
+    const prop = fn.childForFieldName("property");
+    if (prop && ESCAPE_HELPER_NAMES.has(prop.text))
+      return true;
+    const obj = fn.childForFieldName("object");
+    if (obj?.type === "identifier" && /purify/i.test(obj.text))
+      return true;
+  }
+  return false;
+}
+function isFullyEscapedRhs(node) {
+  if (node.type === "string")
+    return true;
+  if (node.type === "number")
+    return true;
+  if (node.type === "true" || node.type === "false" || node.type === "null" || node.type === "undefined")
+    return true;
+  if (isEscapeCall(node))
+    return true;
+  if (node.type === "template_string") {
+    for (let i = 0; i < node.namedChildCount; i++) {
+      const child = node.namedChild(i);
+      if (!child)
+        continue;
+      if (child.type === "template_substitution") {
+        const inner = child.namedChild(0);
+        if (!inner || !isFullyEscapedRhs(inner))
+          return false;
+      }
+    }
+    return true;
+  }
+  if (node.type === "binary_expression") {
+    const op = node.children.find((c2) => c2.text === "+");
+    if (!op)
+      return false;
+    const lhs = node.childForFieldName("left");
+    const rhs = node.childForFieldName("right");
+    if (!lhs || !rhs)
+      return false;
+    return isFullyEscapedRhs(lhs) && isFullyEscapedRhs(rhs);
+  }
+  return false;
+}
+var disabledAutoEscapingVisitor, ESCAPE_HELPER_NAMES;
 var init_disabled_auto_escaping = __esm({
   "packages/analyzer/dist/rules/security/visitors/javascript/disabled-auto-escaping.js"() {
     "use strict";
@@ -34516,6 +34956,11 @@ var init_disabled_auto_escaping = __esm({
           if (left?.type === "member_expression") {
             const prop = left.childForFieldName("property");
             if (prop?.text === "innerHTML") {
+              const right = node.childForFieldName("right");
+              if (right && isStaticStringLiteral(right))
+                return null;
+              if (right && isFullyEscapedRhs(right))
+                return null;
               return makeViolation(this.ruleKey, node, filePath, "high", "Disabled auto-escaping", "Direct innerHTML assignment can lead to XSS vulnerabilities.", sourceCode, "Use textContent instead of innerHTML, or sanitize input with DOMPurify.");
             }
           }
@@ -34523,6 +34968,19 @@ var init_disabled_auto_escaping = __esm({
         return null;
       }
     };
+    ESCAPE_HELPER_NAMES = /* @__PURE__ */ new Set([
+      "esc",
+      "escape",
+      "escapeHtml",
+      "escapeHTML",
+      "escapeHtmlEntities",
+      "htmlEscape",
+      "htmlEntities",
+      "sanitize",
+      "sanitizeHtml",
+      "sanitizeHTML",
+      "purify"
+    ]);
   }
 });
 
@@ -38137,6 +38595,18 @@ var init_javascript3 = __esm({
 });
 
 // packages/analyzer/dist/rules/security/visitors/python/sql-injection.js
+function hasStringOperand(binNode) {
+  for (let i = 0; i < binNode.namedChildCount; i++) {
+    const child = binNode.namedChild(i);
+    if (!child)
+      continue;
+    if (child.type === "string")
+      return true;
+    if (child.type === "binary_operator" && hasStringOperand(child))
+      return true;
+  }
+  return false;
+}
 var PYTHON_QUERY_METHODS, pythonSqlInjectionVisitor;
 var init_sql_injection2 = __esm({
   "packages/analyzer/dist/rules/security/visitors/python/sql-injection.js"() {
@@ -38190,7 +38660,9 @@ var init_sql_injection2 = __esm({
         if (firstArg.type === "binary_operator") {
           const op = firstArg.children.find((c2) => c2.text === "+");
           if (op) {
-            return makeViolation(this.ruleKey, node, filePath, "high", "Potential SQL injection", `String concatenation passed to ${methodName}(). Use parameterized queries instead.`, sourceCode, "Use parameterized queries (e.g., %s or :param) instead of string concatenation in SQL.");
+            if (hasStringOperand(firstArg)) {
+              return makeViolation(this.ruleKey, node, filePath, "high", "Potential SQL injection", `String concatenation passed to ${methodName}(). Use parameterized queries instead.`, sourceCode, "Use parameterized queries (e.g., %s or :param) instead of string concatenation in SQL.");
+            }
           }
         }
         return null;
@@ -40142,6 +40614,40 @@ var init_paramiko_call = __esm({
 });
 
 // packages/analyzer/dist/rules/security/visitors/python/suspicious-url-open.js
+function isConfigSourcedVar(node, varName) {
+  let func = node.parent;
+  while (func) {
+    if (func.type === "function_definition")
+      break;
+    func = func.parent;
+  }
+  let scope = func ? func.childForFieldName("body") : node.tree.rootNode;
+  if (!scope)
+    return false;
+  let found = false;
+  function walk(n) {
+    if (found)
+      return;
+    if (n.type === "assignment") {
+      const lhs = n.childForFieldName("left");
+      const rhs = n.childForFieldName("right");
+      if (lhs?.type === "identifier" && lhs.text === varName && rhs) {
+        const text = rhs.text;
+        if (/\bos\.getenv\b|\bos\.environ\b|\bconfig\.|\bsettings\.|\bSettings\(\)|\bConfig\(\)/.test(text)) {
+          found = true;
+          return;
+        }
+      }
+    }
+    for (let i = 0; i < n.childCount; i++) {
+      const ch = n.child(i);
+      if (ch)
+        walk(ch);
+    }
+  }
+  walk(scope);
+  return found;
+}
 var pythonSuspiciousUrlOpenVisitor;
 var init_suspicious_url_open = __esm({
   "packages/analyzer/dist/rules/security/visitors/python/suspicious-url-open.js"() {
@@ -40175,10 +40681,11 @@ var init_suspicious_url_open = __esm({
         const firstArg = args.namedChildren[0];
         if (!firstArg)
           return null;
-        if (firstArg.type !== "string" || firstArg.text.startsWith("f")) {
-          return makeViolation(this.ruleKey, node, filePath, "high", "urlopen with user-controlled URL", `${objectName ? objectName + "." : ""}urlopen() called with a non-literal URL. User-controlled URLs enable SSRF.`, sourceCode, "Validate and allowlist URLs before passing them to urlopen().");
-        }
-        return null;
+        if (firstArg.type === "string" && !firstArg.text.startsWith("f"))
+          return null;
+        if (firstArg.type === "identifier" && isConfigSourcedVar(node, firstArg.text))
+          return null;
+        return makeViolation(this.ruleKey, node, filePath, "high", "urlopen with user-controlled URL", `${objectName ? objectName + "." : ""}urlopen() called with a non-literal URL. User-controlled URLs enable SSRF.`, sourceCode, "Validate and allowlist URLs before passing them to urlopen().");
       }
     };
   }
@@ -42636,8 +43143,15 @@ var init_exclusions = __esm({
       // All asterisks (masked values)
       /^x+$/i,
       // All x's (placeholder)
-      /^\.{3,}$/
+      /^\.{3,}$/,
       // Ellipsis placeholders
+      // Filenames with a recognized document / media / archive / data
+      // extension. Composed object keys like `<hash>__<date>__<batch>.pdf`
+      // look like high-entropy tokens to pattern detectors, but the
+      // trailing extension makes them clearly filenames. The optional
+      // trailing slash matches S3 path prefixes that act as directories
+      // (`processed/.../<file>.pdf/source_pdfs/...`).
+      /\.(pdf|csv|tsv|json|jsonl|ndjson|parquet|xml|html?|md|rst|txt|log|zip|tar|gz|tgz|bz2|7z|rar|png|jpe?g|gif|webp|svg|ico|bmp|tiff?|mp[34]|wav|flac|ogg|webm|avi|mov|mkv|docx?|xlsx?|pptx?|odt|ods|odp|rtf|epub|yaml|yml|toml|ini|cfg|conf|sql)\/?$/i
     ];
   }
 });
@@ -44442,7 +44956,7 @@ var init_secret_scanner = __esm({
 function stripCommentMarkers(text) {
   return text.replace(/^\/\/\s?/, "").replace(/^\/\*\s?/, "").replace(/\s?\*\/$/, "").replace(/^\s*\*\s?/gm, "").replace(/^#\s?/gm, "").trim();
 }
-var hardcodedSecretVisitor, IPV4_REGEX, EXCLUDED_IPS, hardcodedIpVisitor, CLEARTEXT_PROTOCOLS, LOCALHOST_PREFIXES, clearTextProtocolVisitor, BIP39_COMMON_WORDS, hardcodedBlockchainMnemonicVisitor, DB_CONNECTION_PATTERNS, hardcodedDatabasePasswordVisitor, ldapUnauthenticatedVisitor, passwordStoredPlaintextVisitor, HASH_FUNCTIONS_NEEDING_SALT, unpredictableSaltMissingVisitor, sensitiveFileVisitor, hardcodedSecretInCommentVisitor, SECURITY_UNIVERSAL_VISITORS;
+var hardcodedSecretVisitor, IPV4_REGEX, EXCLUDED_IPS, hardcodedIpVisitor, CLEARTEXT_PROTOCOLS, LOCALHOST_PREFIXES, clearTextProtocolVisitor, BIP39_COMMON_WORDS, hardcodedBlockchainMnemonicVisitor, DB_URL_PATTERN, DB_PASSWORD_KV_PATTERNS, NON_LITERAL_PASSWORD_SEGMENT, hardcodedDatabasePasswordVisitor, ldapUnauthenticatedVisitor, passwordStoredPlaintextVisitor, HASH_FUNCTIONS_NEEDING_SALT, unpredictableSaltMissingVisitor, sensitiveFileVisitor, hardcodedSecretInCommentVisitor, SECURITY_UNIVERSAL_VISITORS;
 var init_universal = __esm({
   "packages/analyzer/dist/rules/security/visitors/universal.js"() {
     "use strict";
@@ -44460,6 +44974,15 @@ var init_universal = __esm({
         if (parent?.type === "pair" && parent.childForFieldName("key")?.id === node.id) {
           return null;
         }
+        if (parent?.type === "expression_statement") {
+          const grandParent = parent.parent;
+          if (grandParent && (grandParent.type === "module" || grandParent.type === "block")) {
+            const firstChild = grandParent.namedChild(0);
+            if (firstChild && firstChild.id === parent.id) {
+              return null;
+            }
+          }
+        }
         const match2 = scanForSecrets(stripped);
         if (match2) {
           return makeViolation(this.ruleKey, node, filePath, "critical", `Hardcoded secret detected (${match2.patternId})`, `This string matches a known secret pattern: ${match2.description}. Use environment variables instead.`, sourceCode, "Move this secret to an environment variable.");
@@ -44474,7 +44997,11 @@ var init_universal = __esm({
             const secretNames = ["password", "passwd", "secret", "apikey", "api_key", "token", "auth_token", "access_token", "private_key"];
             const isNonSecretName = /(?:uri|url|endpoint|type|scope|name|header|grant|method)/.test(name);
             const isNonSecretValue = /https?:\/\//.test(stripped) || /^(true|false|null|undefined|localhost|None|True|False|Bearer)$/i.test(stripped) || /[[\]<>{}()#.=\s]/.test(stripped);
-            if (secretNames.some((s) => name.includes(s)) && stripped.length >= 8 && !isNonSecretName && !isNonSecretValue) {
+            const nameClean = name.replace(/^['"`]+|['"`]+$/g, "");
+            const valueClean = stripped.toLowerCase();
+            const isPlainAlphaSnake = /^[a-z_]+$/.test(valueClean);
+            const isVocabularyTag = isPlainAlphaSnake && nameClean.length >= 4 && (valueClean === nameClean || valueClean.includes(nameClean));
+            if (secretNames.some((s) => name.includes(s)) && stripped.length >= 8 && !isNonSecretName && !isNonSecretValue && !isVocabularyTag) {
               return makeViolation(this.ruleKey, node, filePath, "critical", "Hardcoded secret detected", `Variable "${nameNode.text}" contains what appears to be a hardcoded secret. Use environment variables instead.`, sourceCode, "Move this secret to an environment variable.");
             }
           }
@@ -45488,21 +46015,28 @@ var init_universal = __esm({
         return null;
       }
     };
-    DB_CONNECTION_PATTERNS = [
-      /(?:mysql|postgresql|postgres|mongodb|sqlite|mssql|oracle):\/\/[^:]+:([^@]+)@/i,
+    DB_URL_PATTERN = /(?:mysql|postgresql|postgres|mongodb|sqlite|mssql|oracle):\/\/[^:]+:([^@]+)@/i;
+    DB_PASSWORD_KV_PATTERNS = [
       /password\s*=\s*['"][^'"]{4,}['"]/i,
       /pwd\s*=\s*['"][^'"]{4,}['"]/i
     ];
+    NON_LITERAL_PASSWORD_SEGMENT = /^\{[^{}]*\}$|^\$\{[^}]*\}$|^%s$|^%\([^)]+\)s$|^<[^>]+>$|^\$\([^)]*\)$|^\$[A-Z_][A-Z0-9_]*$|process\.env/i;
     hardcodedDatabasePasswordVisitor = {
       ruleKey: "security/deterministic/hardcoded-database-password",
       nodeTypes: ["string", "template_string"],
       visit(node, filePath, sourceCode) {
         const text = node.text;
         const stripped = text.replace(/^[fFbBrRuU]*['"`]{1,3}|['"`]{1,3}$/g, "");
-        for (const pattern of DB_CONNECTION_PATTERNS) {
+        if (/\$\{|%s|<password>|\$\(|process\.env/i.test(stripped))
+          return null;
+        const urlMatch = DB_URL_PATTERN.exec(stripped);
+        if (urlMatch) {
+          if (NON_LITERAL_PASSWORD_SEGMENT.test(urlMatch[1]))
+            return null;
+          return makeViolation(this.ruleKey, node, filePath, "critical", "Hardcoded database password", "Database connection string contains a hardcoded password.", sourceCode, "Load database credentials from environment variables.");
+        }
+        for (const pattern of DB_PASSWORD_KV_PATTERNS) {
           if (pattern.test(stripped)) {
-            if (/\$\{|%s|<password>|\$\(|process\.env/i.test(stripped))
-              return null;
             return makeViolation(this.ruleKey, node, filePath, "critical", "Hardcoded database password", "Database connection string contains a hardcoded password.", sourceCode, "Load database credentials from environment variables.");
           }
         }
@@ -47478,6 +48012,78 @@ function isKeyFromControlledIteration(assignmentNode, keyName) {
   }
   return false;
 }
+function isKeyFromForOfLoopVarMember(assignmentNode, keyName) {
+  let scope = assignmentNode.parent;
+  while (scope) {
+    if (scope.type === "function_declaration" || scope.type === "function_expression" || scope.type === "arrow_function" || scope.type === "method_definition" || scope.type === "program")
+      break;
+    scope = scope.parent;
+  }
+  if (!scope)
+    return false;
+  const forVarNames = /* @__PURE__ */ new Set();
+  function collectForVars(n) {
+    if (n.type === "for_in_statement") {
+      const left = n.childForFieldName("left");
+      if (left?.type === "identifier")
+        forVarNames.add(left.text);
+    }
+    if (n !== scope && (n.type === "function_declaration" || n.type === "function_expression" || n.type === "arrow_function" || n.type === "method_definition"))
+      return;
+    for (let i = 0; i < n.childCount; i++) {
+      const ch = n.child(i);
+      if (ch)
+        collectForVars(ch);
+    }
+  }
+  collectForVars(scope);
+  if (forVarNames.size === 0)
+    return false;
+  let found = false;
+  function findAssignment(n) {
+    if (found)
+      return;
+    if (n.type === "variable_declarator") {
+      const name = n.childForFieldName("name");
+      const value = n.childForFieldName("value");
+      if (name?.type === "identifier" && name.text === keyName && value?.type === "member_expression") {
+        const obj = value.childForFieldName("object");
+        if (obj?.type === "identifier" && forVarNames.has(obj.text)) {
+          found = true;
+          return;
+        }
+      }
+    }
+    if (n !== scope && (n.type === "function_declaration" || n.type === "function_expression" || n.type === "arrow_function" || n.type === "method_definition"))
+      return;
+    for (let i = 0; i < n.childCount; i++) {
+      const ch = n.child(i);
+      if (ch)
+        findAssignment(ch);
+    }
+  }
+  findAssignment(scope);
+  return found;
+}
+function isAssignmentGuardedByKeyInObject(assignmentNode, keyName, objText) {
+  let cursor = assignmentNode.parent;
+  while (cursor) {
+    if (cursor.type === "if_statement") {
+      const cond = cursor.childForFieldName("condition");
+      if (cond) {
+        const condText = cond.text;
+        const pattern = new RegExp(`\\b${escapeRegExp(keyName)}\\s+in\\s+${escapeRegExp(objText)}\\b`);
+        if (pattern.test(condText))
+          return true;
+      }
+    }
+    cursor = cursor.parent;
+  }
+  return false;
+}
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 function isObjectEntriesOrKeys(node) {
   if (node.type === "call_expression") {
     const fn = node.childForFieldName("function");
@@ -47491,6 +48097,77 @@ function isObjectEntriesOrKeys(node) {
   }
   return false;
 }
+function isKeyDestructuredParam(assignmentNode, keyName) {
+  let scope = assignmentNode.parent;
+  while (scope) {
+    if (scope.type === "function_declaration" || scope.type === "function_expression" || scope.type === "arrow_function" || scope.type === "method_definition") {
+      const params = scope.childForFieldName("parameters") ?? scope.childForFieldName("parameter");
+      if (params && containsDestructuredName(params, keyName))
+        return true;
+    }
+    if (scope.type === "program")
+      break;
+    scope = scope.parent;
+  }
+  return false;
+}
+function containsDestructuredName(params, keyName) {
+  let found = false;
+  function walk(n) {
+    if (found)
+      return;
+    if (n.type === "identifier" && n.text === keyName) {
+      const parent = n.parent;
+      if (parent?.type === "array_pattern" || parent?.type === "object_pattern") {
+        found = true;
+        return;
+      }
+      if (parent?.type === "shorthand_property_identifier_pattern" && n.text === keyName) {
+        found = true;
+        return;
+      }
+    }
+    for (let i = 0; i < n.childCount; i++) {
+      const child = n.child(i);
+      if (child)
+        walk(child);
+    }
+  }
+  walk(params);
+  return found;
+}
+function isKeyAssignedFromLocalCall(assignmentNode, keyName) {
+  let scope = assignmentNode.parent;
+  while (scope) {
+    if (scope.type === "function_declaration" || scope.type === "function_expression" || scope.type === "arrow_function" || scope.type === "method_definition" || scope.type === "program")
+      break;
+    scope = scope.parent;
+  }
+  if (!scope)
+    return false;
+  let found = false;
+  function walk(n) {
+    if (found)
+      return;
+    if (n.type === "variable_declarator") {
+      const name = n.childForFieldName("name");
+      const value = n.childForFieldName("value");
+      if (name?.type === "identifier" && name.text === keyName && value?.type === "call_expression") {
+        found = true;
+        return;
+      }
+    }
+    if (n !== scope && (n.type === "function_declaration" || n.type === "function_expression" || n.type === "arrow_function" || n.type === "method_definition"))
+      return;
+    for (let i = 0; i < n.childCount; i++) {
+      const child = n.child(i);
+      if (child)
+        walk(child);
+    }
+  }
+  walk(scope);
+  return found;
+}
 var prototypePollutionVisitor;
 var init_prototype_pollution = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/javascript/prototype-pollution.js"() {
@@ -47521,6 +48198,14 @@ var init_prototype_pollution = __esm({
         const keyName = index.text;
         if (isKeyFromControlledIteration(node, keyName))
           return null;
+        if (isKeyAssignedFromLocalCall(node, keyName))
+          return null;
+        if (isKeyDestructuredParam(node, keyName))
+          return null;
+        if (isKeyFromForOfLoopVarMember(node, keyName))
+          return null;
+        if (isAssignmentGuardedByKeyInObject(node, keyName, obj.text))
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "high", "Prototype pollution", `\`${left.text}\` uses a dynamic key for property assignment \u2014 if \`${index.text}\` is \`"__proto__"\` or \`"constructor"\`, this enables prototype pollution.`, sourceCode, `Validate that \`${index.text}\` is not "__proto__", "constructor", or "prototype" before assignment, or use Map instead.`);
       }
     };
@@ -51444,8 +52129,10 @@ var init_useeffect_missing_deps = __esm({
         }
         const suspiciousIds = [...usedIds].filter((id) => /^[a-z]/.test(id) && !id.startsWith("set") && id.length > 1 && !EXCLUDED_IDENTIFIERS.has(id) && !refAccessedIds.has(id) && !stableFunctions.has(id) && !componentBodyFunctions.has(id));
         const nodeStartLine = node.startPosition.row;
-        const linesAbove = sourceCode.split("\n").slice(Math.max(0, nodeStartLine - 2), nodeStartLine + 1);
-        if (linesAbove.some((line) => line.includes("eslint-disable")))
+        const nodeEndLine = node.endPosition.row;
+        const sourceLines = sourceCode.split("\n");
+        const windowLines = sourceLines.slice(Math.max(0, nodeStartLine - 2), nodeEndLine + 2);
+        if (windowLines.some((line) => line.includes("eslint-disable")))
           return null;
         if (suspiciousIds.length > 0) {
           return makeViolation(this.ruleKey, depsArg, filePath, "high", "useEffect with empty deps may have stale closure", `\`useEffect\` has an empty dependency array but references \`${suspiciousIds.slice(0, 3).join("`, `")}\` \u2014 these will be stale closures if they change.`, sourceCode, `Add the referenced variables to the dependency array: \`[${suspiciousIds.slice(0, 3).join(", ")}]\`.`);
@@ -52909,7 +53596,7 @@ var init_empty_catch2 = __esm({
         if (!body)
           return null;
         const statements = body.namedChildren.filter((c2) => c2.type !== "comment");
-        if (statements.length === 0 || statements.length === 1 && statements[0].type === "pass_statement") {
+        if (statements.length === 0) {
           return makeViolation(this.ruleKey, node, filePath, "medium", "Empty except block", "This except block swallows errors silently. Add error handling or at least log the error.", sourceCode, "Add error logging or re-raise the exception in this except block.");
         }
         return null;
@@ -52951,6 +53638,15 @@ var init_bare_except = __esm({
 });
 
 // packages/analyzer/dist/rules/bugs/visitors/python/_helpers.js
+function isFStringWithInterpolation(node) {
+  if (node.type !== "string")
+    return false;
+  for (const child of node.namedChildren) {
+    if (child && child.type === "interpolation")
+      return true;
+  }
+  return false;
+}
 var MUTABLE_DEFAULTS, PY_TERMINAL_TYPES, SAFE_DEFAULT_CALLS, VALID_OPEN_MODES, DUNDER_PARAM_COUNTS, CANCELLATION_EXCEPTIONS, BROAD_EXCEPTIONS, MUTATING_METHODS, SPECIAL_METHOD_RETURN_CONSTRAINTS, PYTHON_BUILTIN_NON_EXCEPTIONS, BIDI_CHARS, VALID_FORMAT_CHARS, FORMAT_SPEC_RE;
 var init_helpers3 = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/python/_helpers.js"() {
@@ -53753,17 +54449,25 @@ var init_loop_variable_overrides_iterator = __esm({
         if (loopVar.type !== "identifier")
           return null;
         const varName = loopVar.text;
-        function containsIdentifier(n, name) {
-          if (n.type === "identifier" && n.text === name)
+        function hasFreeUse(n, name) {
+          if (n.type === "identifier" && n.text === name) {
+            const parent = n.parent;
+            if (parent?.type === "attribute" && parent.childForFieldName("attribute")?.id === n.id) {
+              return false;
+            }
+            if (parent?.type === "keyword_argument" && parent.childForFieldName("name")?.id === n.id) {
+              return false;
+            }
             return true;
+          }
           for (let i = 0; i < n.childCount; i++) {
             const child = n.child(i);
-            if (child && containsIdentifier(child, name))
+            if (child && hasFreeUse(child, name))
               return true;
           }
           return false;
         }
-        if (containsIdentifier(iterExpr, varName)) {
+        if (hasFreeUse(iterExpr, varName)) {
           return makeViolation(this.ruleKey, loopVar, filePath, "high", "Loop variable overrides iterator", `Loop variable \`${varName}\` has the same name as the iterable \`${iterExpr.text}\` \u2014 after the first iteration \`${varName}\` no longer references the original iterable.`, sourceCode, `Rename the loop variable to something different from \`${iterExpr.text}\`.`);
         }
         return null;
@@ -55353,6 +56057,7 @@ var init_static_key_dict_comprehension = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/python/static-key-dict-comprehension.js"() {
     "use strict";
     init_types();
+    init_helpers3();
     pythonStaticKeyDictComprehensionVisitor = {
       ruleKey: "bugs/deterministic/static-key-dict-comprehension",
       languages: ["python"],
@@ -55365,7 +56070,7 @@ var init_static_key_dict_comprehension = __esm({
         if (!keyNode)
           return null;
         const LITERAL_TYPES5 = /* @__PURE__ */ new Set(["string", "integer", "float", "true", "false", "none"]);
-        if (LITERAL_TYPES5.has(keyNode.type)) {
+        if (LITERAL_TYPES5.has(keyNode.type) && !isFStringWithInterpolation(keyNode)) {
           return makeViolation(this.ruleKey, keyNode, filePath, "high", "Static key in dict comprehension", `Dict comprehension with constant key \`${keyNode.text}\` \u2014 every iteration overwrites the same key, leaving only the last value.`, sourceCode, "Use a variable as the key, or use a list comprehension if you only need the values.");
         }
         return null;
@@ -56570,6 +57275,7 @@ var init_duplicate_dict_key = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/python/duplicate-dict-key.js"() {
     "use strict";
     init_types();
+    init_helpers3();
     pythonDuplicateDictKeyVisitor = {
       ruleKey: "bugs/deterministic/duplicate-dict-key",
       languages: ["python"],
@@ -56585,7 +57291,8 @@ var init_duplicate_dict_key = __esm({
         const leftNode = forInClause?.childForFieldName("left");
         const loopVarNames = leftNode ? collectLoopVarNames(leftNode) : /* @__PURE__ */ new Set();
         const LITERAL_TYPES5 = /* @__PURE__ */ new Set(["string", "integer", "float", "true", "false", "none"]);
-        const isConstantKey = LITERAL_TYPES5.has(keyNode.type) || keyNode.type === "identifier" && loopVarNames.size > 0 && !loopVarNames.has(keyNode.text);
+        const isStaticLiteral = LITERAL_TYPES5.has(keyNode.type) && !isFStringWithInterpolation(keyNode);
+        const isConstantKey = isStaticLiteral || keyNode.type === "identifier" && loopVarNames.size > 0 && !loopVarNames.has(keyNode.text);
         if (isConstantKey) {
           return makeViolation(this.ruleKey, keyNode, filePath, "high", "Constant key in dict comprehension", `Dict comprehension with constant key \`${keyNode.text}\` \u2014 each iteration overwrites the same key, leaving only the last value.`, sourceCode, "Use a key expression that depends on the loop variable, or use a list comprehension instead.");
         }
@@ -56992,9 +57699,8 @@ var init_warnings_no_stacklevel = __esm({
         const funcText = func.text;
         if (funcText !== "warnings.warn" && funcText !== "warn")
           return null;
-        if (funcText === "warn") {
+        if (funcText === "warn")
           return null;
-        }
         const args = node.childForFieldName("arguments");
         if (!args)
           return null;
@@ -58213,6 +58919,27 @@ function isMutableInit2(node) {
 function isConstantName(name) {
   return name === name.toUpperCase();
 }
+function moduleHasLockGuard(moduleNode) {
+  for (let i = 0; i < moduleNode.namedChildCount; i++) {
+    const stmt = moduleNode.namedChild(i);
+    if (!stmt)
+      continue;
+    const inner = stmt.type === "expression_statement" ? stmt.namedChild(0) : stmt;
+    if (inner?.type !== "assignment")
+      continue;
+    const rhs = inner.childForFieldName("right");
+    if (rhs?.type !== "call")
+      continue;
+    const fn = rhs.childForFieldName("function");
+    if (!fn)
+      continue;
+    const text = fn.text;
+    if (text === "threading.Lock" || text === "threading.RLock" || text === "threading.Semaphore" || text === "threading.BoundedSemaphore" || text === "asyncio.Lock" || text === "multiprocessing.Lock" || text === "multiprocessing.RLock" || text === "Lock" || text === "RLock") {
+      return true;
+    }
+  }
+  return false;
+}
 var pythonSharedMutableModuleStateVisitor;
 var init_shared_mutable_module_state2 = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/python/shared-mutable-module-state.js"() {
@@ -58236,6 +58963,11 @@ var init_shared_mutable_module_state2 = __esm({
           return null;
         if (varName === "__all__")
           return null;
+        let moduleNode = node.parent;
+        while (moduleNode && moduleNode.type !== "module")
+          moduleNode = moduleNode.parent;
+        if (moduleNode && moduleHasLockGuard(moduleNode))
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "high", "Shared mutable state in module scope", `\`${varName}\` is a mutable ${right.type} at module level \u2014 in server environments this state is shared across all requests, causing race conditions and data leaks.`, sourceCode, "Move mutable state inside request handlers or use immutable data structures.");
       }
     };
@@ -59653,9 +60385,31 @@ function extractStringContent(node) {
   }
   return null;
 }
+function pythonRegexToJs(pattern) {
+  let flags = "";
+  const collectFlag = (f) => {
+    if ("imsu".includes(f) && !flags.includes(f))
+      flags += f;
+  };
+  const prefix = pattern.match(/^\(\?([aiLmsux]+)\)/);
+  if (prefix) {
+    for (const f of prefix[1])
+      collectFlag(f);
+    pattern = pattern.slice(prefix[0].length);
+  }
+  pattern = pattern.replace(/\(\?([aiLmsux]+):/g, (_, flagSet) => {
+    for (const f of flagSet)
+      collectFlag(f);
+    return "(?:";
+  });
+  pattern = pattern.replace(/\(\?P</g, "(?<");
+  pattern = pattern.replace(/\(\?P=([^)]+)\)/g, "\\k<$1>");
+  return { pattern, flags };
+}
 function isValidRegex(pattern) {
   try {
-    new RegExp(pattern);
+    const normalized = pythonRegexToJs(pattern);
+    new RegExp(normalized.pattern, normalized.flags);
     return true;
   } catch {
     return false;
@@ -61398,6 +62152,25 @@ var init_confusing_implicit_concat = __esm({
             }
             if (hasFormatString)
               continue;
+            const isMultiLine = child.startPosition.row !== child.endPosition.row;
+            if (isMultiLine) {
+              const parts = child.namedChildren;
+              let allButLastEndWithSpace = parts.length > 1;
+              for (let i = 0; i < parts.length - 1; i++) {
+                const t2 = parts[i].text;
+                const stripped = t2.replace(/['"]+$/, "");
+                const lastChar = stripped.charAt(stripped.length - 1);
+                if (lastChar !== " " && lastChar !== "\\" && lastChar !== "	") {
+                  allButLastEndWithSpace = false;
+                  break;
+                }
+              }
+              if (allButLastEndWithSpace)
+                continue;
+              const totalLen = parts.reduce((sum, p2) => sum + p2.text.length, 0);
+              if (totalLen > 60)
+                continue;
+            }
             return makeViolation(this.ruleKey, child, filePath, "medium", "Confusing implicit string concatenation", `Implicit string concatenation \`${child.text.slice(0, 50)}${child.text.length > 50 ? "..." : ""}\` inside a ${node.type.replace(/_/g, " ")} \u2014 adjacent string literals are joined at compile time. If two separate strings were intended, add a comma between them.`, sourceCode, "If you meant two separate strings, add a comma. If intentional concatenation, use explicit `+` or join into a single string.");
           }
         }
@@ -61881,6 +62654,7 @@ var init_static_key_dict_comprehension_ruff = __esm({
   "packages/analyzer/dist/rules/bugs/visitors/python/static-key-dict-comprehension-ruff.js"() {
     "use strict";
     init_types();
+    init_helpers3();
     LITERAL_TYPES2 = /* @__PURE__ */ new Set(["string", "integer", "float", "true", "false", "none"]);
     pythonStaticKeyDictComprehensionRuffVisitor = {
       ruleKey: "bugs/deterministic/static-key-dict-comprehension-ruff",
@@ -61893,7 +62667,7 @@ var init_static_key_dict_comprehension_ruff = __esm({
         const keyNode = pairNode.childForFieldName("key");
         if (!keyNode)
           return null;
-        if (LITERAL_TYPES2.has(keyNode.type)) {
+        if (LITERAL_TYPES2.has(keyNode.type) && !isFStringWithInterpolation(keyNode)) {
           return makeViolation(this.ruleKey, keyNode, filePath, "high", "Static key in dict comprehension", `Dict comprehension with constant key \`${keyNode.text}\` \u2014 every iteration overwrites the same key, resulting in a single-entry dict with only the last value.`, sourceCode, "Use a variable expression as the key. If you only need values, use a list comprehension instead.");
         }
         return null;
@@ -63496,7 +64270,16 @@ function findFunctionDefs(root) {
             hasVarArgs = true;
             continue;
           }
-          if (p2.type === "identifier" || p2.type === "typed_parameter") {
+          if (p2.type === "typed_parameter") {
+            const inner = p2.namedChild(0);
+            if (inner && (inner.type === "list_splat_pattern" || inner.type === "dictionary_splat_pattern")) {
+              hasVarArgs = true;
+              continue;
+            }
+            required++;
+            continue;
+          }
+          if (p2.type === "identifier") {
             required++;
           } else if (p2.type === "default_parameter" || p2.type === "typed_default_parameter") {
             optional++;
@@ -65482,14 +66265,25 @@ var init_expression_complexity = __esm({
           return null;
         let operatorCount = 0;
         const BINARY_TYPES = /* @__PURE__ */ new Set(["binary_expression", "logical_expression"]);
+        const FUNCTION_BOUNDARY_TYPES = /* @__PURE__ */ new Set([
+          "function_declaration",
+          "function_expression",
+          "arrow_function",
+          "method_definition",
+          "generator_function_declaration",
+          "generator_function"
+        ]);
         function countOps(n) {
           if (BINARY_TYPES.has(n.type)) {
             operatorCount++;
           }
           for (let i = 0; i < n.childCount; i++) {
             const child = n.child(i);
-            if (child)
-              countOps(child);
+            if (!child)
+              continue;
+            if (FUNCTION_BOUNDARY_TYPES.has(child.type))
+              continue;
+            countOps(child);
           }
         }
         countOps(expr);
@@ -75716,26 +76510,6 @@ var init_and_or_ternary = __esm({
   }
 });
 
-// packages/analyzer/dist/rules/code-quality/visitors/python/any-type-hint.js
-var pythonAnyTypeHintVisitor;
-var init_any_type_hint = __esm({
-  "packages/analyzer/dist/rules/code-quality/visitors/python/any-type-hint.js"() {
-    "use strict";
-    init_types();
-    pythonAnyTypeHintVisitor = {
-      ruleKey: "code-quality/deterministic/any-type-hint",
-      languages: ["python"],
-      nodeTypes: ["type"],
-      visit(node, filePath, sourceCode) {
-        const text = node.text.trim();
-        if (text !== "Any")
-          return null;
-        return makeViolation(this.ruleKey, node, filePath, "medium", "Any used as type hint", "Using `Any` as a type hint defeats type checking \u2014 use a more specific type.", sourceCode, "Replace `Any` with a specific type annotation, or use `object` if truly any type is acceptable.");
-      }
-    };
-  }
-});
-
 // packages/analyzer/dist/rules/code-quality/visitors/python/assert-in-production.js
 var pythonAssertInProductionVisitor;
 var init_assert_in_production = __esm({
@@ -78272,6 +79046,24 @@ var init_implicit_string_concatenation = __esm({
         const grandparent = parent.parent;
         if (!isCollection(parent) && !isCollection(grandparent ?? { type: "" }))
           return null;
+        if (node.startPosition.row !== node.endPosition.row) {
+          const parts = node.namedChildren;
+          let allButLastEndWithSpace = parts.length > 1;
+          for (let i = 0; i < parts.length - 1; i++) {
+            const t2 = parts[i].text;
+            const inner = t2.replace(/['"]+$/, "");
+            const lastChar = inner.charAt(inner.length - 1);
+            if (lastChar !== " " && lastChar !== "\\" && lastChar !== "	") {
+              allButLastEndWithSpace = false;
+              break;
+            }
+          }
+          if (allButLastEndWithSpace)
+            return null;
+          const totalLen = parts.reduce((sum, p2) => sum + p2.text.length, 0);
+          if (totalLen > 60)
+            return null;
+        }
         return makeViolation(this.ruleKey, node, filePath, "high", "Implicit string concatenation in collection", "Adjacent string literals in a collection are implicitly concatenated \u2014 this may be a missing comma.", sourceCode, "Add a comma between the strings, or use explicit `+` concatenation if intentional.");
       }
     };
@@ -82015,6 +82807,14 @@ var init_try_except_continue = __esm({
           return null;
         if (stmts[0].type !== "continue_statement")
           return null;
+        const exprChildren = node.namedChildren.filter((c2) => c2.type !== "block" && c2.type !== "comment");
+        if (exprChildren.length > 0) {
+          const exceptionType = exprChildren[0];
+          const typeText = exceptionType.type === "as_pattern" ? exceptionType.namedChildren[0]?.text : exceptionType.text;
+          if (typeText && typeText !== "Exception" && typeText !== "BaseException") {
+            return null;
+          }
+        }
         return makeViolation(this.ruleKey, node, filePath, "medium", "Silent exception with continue", "`except` block with only `continue` silently ignores errors in loops.", sourceCode, "Add logging or error handling before `continue`, or use `contextlib.suppress()` for intentional suppression.");
       }
     };
@@ -84386,34 +85186,56 @@ var init_ambiguous_unicode_character = __esm({
     "use strict";
     init_types();
     CONFUSABLE_MAP = {
-      "\xB4": "'",
-      // acute accent → apostrophe
-      "\u2018": "'",
-      // left single quote → apostrophe
-      "\u2019": "'",
-      // right single quote → apostrophe
-      "\u201C": '"',
-      // left double quote → double quote
-      "\u201D": '"',
-      // right double quote → double quote
-      "\u2013": "-",
-      // en dash → hyphen
-      "\u2014": "--",
-      // em dash → double hyphen
-      "\xAD": "-",
-      // soft hyphen
-      "\u2212": "-",
-      // minus sign
-      "\xD7": "x",
-      // multiplication sign
       "\u03BF": "o",
       // Greek small letter omicron
       "\u0430": "a",
       // Cyrillic small a
       "\u0435": "e",
       // Cyrillic small e
-      "\u043E": "o"
+      "\u043E": "o",
       // Cyrillic small o
+      "\u0440": "p",
+      // Cyrillic small er
+      "\u0441": "c",
+      // Cyrillic small es
+      "\u0445": "x",
+      // Cyrillic small ha
+      "\u0455": "s",
+      // Cyrillic small dze
+      "\u0456": "i",
+      // Cyrillic small Byelorussian-Ukrainian I
+      "\u0501": "d",
+      // Cyrillic small komi de
+      "\u051B": "q",
+      // Cyrillic small qa
+      "\u051D": "w",
+      // Cyrillic small we
+      "\u0399": "I",
+      // Greek capital iota
+      "\u0396": "Z",
+      // Greek capital zeta
+      "\u039F": "O",
+      // Greek capital omicron
+      "\u0410": "A",
+      // Cyrillic capital A
+      "\u0415": "E",
+      // Cyrillic capital E
+      "\u041A": "K",
+      // Cyrillic capital Ka
+      "\u041C": "M",
+      // Cyrillic capital Em
+      "\u041D": "H",
+      // Cyrillic capital En (renders as H)
+      "\u041E": "O",
+      // Cyrillic capital O
+      "\u0420": "P",
+      // Cyrillic capital er
+      "\u0421": "C",
+      // Cyrillic capital es
+      "\u0422": "T",
+      // Cyrillic capital te
+      "\u0425": "X"
+      // Cyrillic capital ha
     };
     pythonAmbiguousUnicodeCharacterVisitor = {
       ruleKey: "code-quality/deterministic/ambiguous-unicode-character",
@@ -84661,6 +85483,8 @@ var init_regex_char_class_preferred = __esm({
         if (!isReCall4)
           return null;
         const pattern = node.text.slice(1, -1);
+        if (/\(\?[aiLmux]*s[aiLmux]*[):]/.test(pattern))
+          return null;
         if (/\..+?\?/.test(pattern) || /\.\*\?/.test(pattern)) {
           return makeViolation(this.ruleKey, node, filePath, "low", "Reluctant quantifier where character class preferred", "Using `.+?` or `.*?` \u2014 a character class like `[^x]*` is more explicit and efficient than a reluctant quantifier.", sourceCode, "Replace the reluctant quantifier with an explicit character class.");
         }
@@ -85388,6 +86212,62 @@ var init_lambda_reserved_env_var = __esm({
 });
 
 // packages/analyzer/dist/rules/code-quality/visitors/python/boto3-client-error.js
+function findAwsClientVarNames(root) {
+  const names = /* @__PURE__ */ new Set();
+  function walk(n) {
+    if (n.type === "assignment") {
+      const lhs = n.childForFieldName("left");
+      const rhs = n.childForFieldName("right");
+      if (lhs?.type === "identifier" && rhs?.type === "call") {
+        const fn = rhs.childForFieldName("function");
+        if (fn?.type === "attribute") {
+          const obj = fn.childForFieldName("object");
+          const attr = fn.childForFieldName("attribute");
+          if ((obj?.text === "boto3" || obj?.text === "aiobotocore") && (attr?.text === "client" || attr?.text === "resource")) {
+            names.add(lhs.text);
+          }
+        }
+      }
+    }
+    for (let i = 0; i < n.childCount; i++) {
+      const child = n.child(i);
+      if (child)
+        walk(child);
+    }
+  }
+  walk(root);
+  return names;
+}
+function bodyHasAwsCall(body, awsVarNames) {
+  let found = false;
+  function walk(n) {
+    if (found)
+      return;
+    if (n.type === "call") {
+      const fn = n.childForFieldName("function");
+      if (fn?.type === "attribute") {
+        let receiver = fn.childForFieldName("object");
+        while (receiver?.type === "attribute") {
+          receiver = receiver.childForFieldName("object");
+        }
+        if (receiver?.type === "identifier") {
+          const id = receiver.text;
+          if (id === "boto3" || id === "botocore" || id === "aiobotocore" || awsVarNames.has(id)) {
+            found = true;
+            return;
+          }
+        }
+      }
+    }
+    for (let i = 0; i < n.childCount; i++) {
+      const child = n.child(i);
+      if (child)
+        walk(child);
+    }
+  }
+  walk(body);
+  return found;
+}
 var pythonBoto3ClientErrorVisitor;
 var init_boto3_client_error = __esm({
   "packages/analyzer/dist/rules/code-quality/visitors/python/boto3-client-error.js"() {
@@ -85425,6 +86305,9 @@ var init_boto3_client_error = __esm({
         });
         if (!hasBareOrGeneric)
           return null;
+        const awsVarNames = findAwsClientVarNames(node.tree.rootNode);
+        if (!bodyHasAwsCall(body, awsVarNames))
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "medium", "Uncaught botocore ClientError", "boto3/botocore calls inside try block but `ClientError` is not explicitly caught \u2014 generic `except` hides AWS API errors.", sourceCode, "Add explicit `except botocore.exceptions.ClientError as e:` to handle AWS API errors.");
       }
     };
@@ -86289,7 +87172,6 @@ var init_python7 = __esm({
     init_commented_out_code2();
     init_abstract_class_without_abstract_method();
     init_and_or_ternary();
-    init_any_type_hint();
     init_assert_in_production();
     init_async_long_sleep();
     init_async_unused_async();
@@ -86544,7 +87426,6 @@ var init_python7 = __esm({
       pythonCommentedOutCodeVisitor,
       pythonAbstractClassWithoutAbstractMethodVisitor,
       pythonAndOrTernaryVisitor,
-      pythonAnyTypeHintVisitor,
       pythonAssertInProductionVisitor,
       pythonAsyncLongSleepVisitor,
       pythonAsyncUnusedAsyncVisitor,
@@ -88925,6 +89806,22 @@ var init_incorrect_dict_iterator = __esm({
 });
 
 // packages/analyzer/dist/rules/performance/visitors/python/try-except-in-loop.js
+function isTypedSkipOnlyHandler(exceptClause) {
+  const block = exceptClause.namedChildren.find((c2) => c2.type === "block");
+  if (!block)
+    return false;
+  const stmts = block.namedChildren.filter((c2) => c2.type !== "comment");
+  if (stmts.length !== 1)
+    return false;
+  if (stmts[0].type !== "continue_statement" && stmts[0].type !== "pass_statement")
+    return false;
+  const exprChildren = exceptClause.namedChildren.filter((c2) => c2.type !== "block" && c2.type !== "comment");
+  if (exprChildren.length === 0)
+    return false;
+  const exceptionType = exprChildren[0];
+  const typeText = exceptionType.type === "as_pattern" ? exceptionType.namedChildren[0]?.text : exceptionType.text;
+  return typeText !== void 0 && typeText !== "Exception" && typeText !== "BaseException";
+}
 var tryExceptInLoopVisitor;
 var init_try_except_in_loop = __esm({
   "packages/analyzer/dist/rules/performance/visitors/python/try-except-in-loop.js"() {
@@ -88938,6 +89835,10 @@ var init_try_except_in_loop = __esm({
       visit(node, filePath, sourceCode) {
         if (!isInsidePythonLoop(node))
           return null;
+        const exceptClauses = node.namedChildren.filter((c2) => c2.type === "except_clause");
+        if (exceptClauses.length > 0 && exceptClauses.every(isTypedSkipOnlyHandler)) {
+          return null;
+        }
         return makeViolation(this.ruleKey, node, filePath, "low", "try/except inside loop", "try/except inside a loop adds overhead per iteration. Move the try/except outside the loop if possible.", sourceCode, "Wrap the entire loop in a try/except, or use a conditional check instead of exception handling.");
       }
     };
@@ -89311,6 +90212,9 @@ var init_catch_without_error_type = __esm({
         const hasTypeAnnotation = node.childForFieldName("type") !== null;
         if (hasTypeAnnotation)
           return null;
+        const stmts = body.namedChildren.filter((c2) => c2.type !== "comment");
+        if (stmts.length <= 1)
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "medium", "Catch without error type discrimination", "Catch block does not check or narrow the error type. Different error types may need different handling.", sourceCode, "Use instanceof checks or type guards in the catch block to handle specific error types.");
       }
     };
@@ -89378,6 +90282,28 @@ function isInsidePromiseConstructor(node) {
   }
   return false;
 }
+function looksLikeAwsLambda(sourceCode) {
+  if (/\baws-lambda\b/.test(sourceCode))
+    return true;
+  if (/\bAPIGatewayProxy(Event|Result|Handler)/.test(sourceCode))
+    return true;
+  if (/\bLambda(Event|Result|Context|Handler)\b/.test(sourceCode))
+    return true;
+  if (/export\s+const\s+handler\s*[:=]\s*async\s*\(/.test(sourceCode))
+    return true;
+  return false;
+}
+function looksLikeAwsCdkScript(sourceCode) {
+  if (/\baws-cdk-lib\b/.test(sourceCode))
+    return true;
+  if (/@aws-cdk\//.test(sourceCode))
+    return true;
+  if (/\bnew\s+cdk\.(App|Stack)\b/.test(sourceCode))
+    return true;
+  if (/\bapp\.synth\(\)/.test(sourceCode))
+    return true;
+  return false;
+}
 var init_helpers7 = __esm({
   "packages/analyzer/dist/rules/reliability/visitors/javascript/_helpers.js"() {
     "use strict";
@@ -89664,7 +90590,11 @@ var init_unchecked_array_access = __esm({
     init_helpers7();
     uncheckedArrayAccessVisitor = {
       ruleKey: "reliability/deterministic/unchecked-array-access",
-      languages: ["typescript", "tsx", "javascript"],
+      // TS/TSX only. The rule is meaningful when the project opts into
+      // `noUncheckedIndexedAccess`, which only exists in TypeScript. Plain
+      // JS / JSX has no static type system to opt into - every index access
+      // is implicitly `T | undefined` and flagging it is pure noise.
+      languages: ["typescript", "tsx"],
       nodeTypes: ["subscript_expression"],
       visit(node, filePath, sourceCode) {
         const object = node.childForFieldName("object");
@@ -89960,6 +90890,7 @@ var init_uncaught_exception_no_handler = __esm({
   "packages/analyzer/dist/rules/reliability/visitors/javascript/uncaught-exception-no-handler.js"() {
     "use strict";
     init_types();
+    init_helpers7();
     uncaughtExceptionNoHandlerVisitor = {
       ruleKey: "reliability/deterministic/uncaught-exception-no-handler",
       languages: ["typescript", "tsx", "javascript"],
@@ -89972,6 +90903,10 @@ var init_uncaught_exception_no_handler = __esm({
         if (!lowerPath.includes("index.") && !lowerPath.includes("main.") && !lowerPath.includes("server.") && !lowerPath.includes("app.") && !lowerPath.endsWith("/worker.ts") && !lowerPath.endsWith("/worker.js") && !lowerPath.includes("bin/")) {
           return null;
         }
+        if (looksLikeAwsLambda(sourceCode))
+          return null;
+        if (looksLikeAwsCdkScript(sourceCode))
+          return null;
         const text = sourceCode.replace(/\/\/.*$/gm, "");
         if (text.includes("'uncaughtException'") || text.includes('"uncaughtException"') || text.includes("`uncaughtException`")) {
           return null;
@@ -90024,6 +90959,7 @@ var init_unhandled_rejection_no_handler = __esm({
   "packages/analyzer/dist/rules/reliability/visitors/javascript/unhandled-rejection-no-handler.js"() {
     "use strict";
     init_types();
+    init_helpers7();
     unhandledRejectionNoHandlerVisitor = {
       ruleKey: "reliability/deterministic/unhandled-rejection-no-handler",
       languages: ["typescript", "tsx", "javascript"],
@@ -90036,6 +90972,10 @@ var init_unhandled_rejection_no_handler = __esm({
         if (!lowerPath.includes("index.") && !lowerPath.includes("main.") && !lowerPath.includes("server.") && !lowerPath.includes("app.") && !lowerPath.endsWith("/worker.ts") && !lowerPath.endsWith("/worker.js") && !lowerPath.includes("bin/")) {
           return null;
         }
+        if (looksLikeAwsLambda(sourceCode))
+          return null;
+        if (looksLikeAwsCdkScript(sourceCode))
+          return null;
         const text = sourceCode.replace(/\/\/.*$/gm, "");
         if (text.includes("'unhandledRejection'") || text.includes('"unhandledRejection"') || text.includes("`unhandledRejection`")) {
           return null;
@@ -91352,6 +92292,21 @@ var init_duplicate_import4 = __esm({
 });
 
 // packages/analyzer/dist/rules/architecture/visitors/python/declarations-in-global-scope.js
+function isTypingConstruct(node) {
+  if (node.type !== "subscript")
+    return false;
+  const value = node.childForFieldName("value");
+  if (!value)
+    return false;
+  if (value.type === "identifier")
+    return TYPING_NAMES.has(value.text);
+  if (value.type === "attribute") {
+    const attr = value.childForFieldName("attribute");
+    if (attr && TYPING_NAMES.has(attr.text))
+      return true;
+  }
+  return false;
+}
 function rootIsCall(node) {
   if (node.type === "call")
     return true;
@@ -91367,11 +92322,46 @@ function rootIsCall(node) {
   }
   return false;
 }
-var pythonDeclarationsInGlobalScopeVisitor;
+var TYPING_NAMES, pythonDeclarationsInGlobalScopeVisitor;
 var init_declarations_in_global_scope2 = __esm({
   "packages/analyzer/dist/rules/architecture/visitors/python/declarations-in-global-scope.js"() {
     "use strict";
     init_types();
+    TYPING_NAMES = /* @__PURE__ */ new Set([
+      "Callable",
+      "Optional",
+      "Union",
+      "Literal",
+      "Annotated",
+      "Final",
+      "List",
+      "Tuple",
+      "Dict",
+      "Set",
+      "FrozenSet",
+      "Type",
+      "ClassVar",
+      "Sequence",
+      "Mapping",
+      "MutableMapping",
+      "Iterable",
+      "Iterator",
+      "Generator",
+      "Coroutine",
+      "Awaitable",
+      "AsyncIterable",
+      "AsyncIterator",
+      "Protocol",
+      "TypedDict",
+      "NamedTuple",
+      // Built-in generics (PEP 585)
+      "list",
+      "tuple",
+      "dict",
+      "set",
+      "frozenset",
+      "type"
+    ]);
     pythonDeclarationsInGlobalScopeVisitor = {
       ruleKey: "architecture/deterministic/declarations-in-global-scope",
       languages: ["python"],
@@ -91433,6 +92423,8 @@ var init_declarations_in_global_scope2 = __esm({
           return null;
         if (right?.type === "attribute" && rootIsCall(right))
           return null;
+        if (right?.type === "subscript" && isTypingConstruct(right))
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "medium", "Mutable variable in global scope", `Module-level mutable variable '${name}' creates shared state that is hard to test.`, sourceCode, "Move into a function, class, or use UPPER_CASE for intended constants.");
       }
     };
@@ -91897,13 +92889,47 @@ var init_missing_transaction = __esm({
 });
 
 // packages/analyzer/dist/rules/database/visitors/javascript/unvalidated-external-data.js
-var unvalidatedExternalDataVisitor;
+function hasOrmLikeReceiver(node) {
+  const fn = node.childForFieldName("function");
+  if (fn?.type !== "member_expression")
+    return false;
+  let receiver = fn.childForFieldName("object");
+  while (receiver?.type === "member_expression") {
+    receiver = receiver.childForFieldName("object");
+  }
+  if (receiver?.type !== "identifier")
+    return false;
+  const name = receiver.text.toLowerCase();
+  return ORM_RECEIVER_NAMES2.has(name);
+}
+var AMBIGUOUS_ORM_METHODS, ORM_RECEIVER_NAMES2, unvalidatedExternalDataVisitor;
 var init_unvalidated_external_data = __esm({
   "packages/analyzer/dist/rules/database/visitors/javascript/unvalidated-external-data.js"() {
     "use strict";
     init_types();
     init_helpers9();
     init_javascript_helpers();
+    AMBIGUOUS_ORM_METHODS = /* @__PURE__ */ new Set(["add", "delete"]);
+    ORM_RECEIVER_NAMES2 = /* @__PURE__ */ new Set([
+      "session",
+      "db",
+      "conn",
+      "connection",
+      "cursor",
+      "engine",
+      "database",
+      "manager",
+      "repo",
+      "repository",
+      "orm",
+      "em",
+      "tx",
+      "trx",
+      "knex",
+      "prisma",
+      "sequelize",
+      "mongoose"
+    ]);
     unvalidatedExternalDataVisitor = {
       ruleKey: "database/deterministic/unvalidated-external-data",
       languages: ["typescript", "tsx", "javascript"],
@@ -91913,6 +92939,8 @@ var init_unvalidated_external_data = __esm({
         const methodName = getMethodName(node);
         if (!ORM_WRITE_METHODS2.has(methodName) && !SQL_WRITE_METHODS.has(methodName))
           return null;
+        if (AMBIGUOUS_ORM_METHODS.has(methodName) && !hasOrmLikeReceiver(node))
+          return null;
         const args = node.childForFieldName("arguments");
         if (!args)
           return null;
@@ -92298,6 +93326,9 @@ var init_missing_migration2 = __esm({
         if (!/alter\s+table|create\s+table|drop\s+table|create\s+index|drop\s+index/.test(sqlText)) {
           return null;
         }
+        if (/if\s+(not\s+)?exists/.test(sqlText)) {
+          return null;
+        }
         return makeViolation(this.ruleKey, node, filePath, "high", "Schema change outside migration file", `DDL statement found outside a migration file. Schema changes should be tracked in migrations.`, sourceCode, "Move this schema change into a versioned migration file.");
       }
     };
@@ -92305,6 +93336,122 @@ var init_missing_migration2 = __esm({
 });
 
 // packages/analyzer/dist/rules/database/visitors/python/connection-not-released.js
+function escapeRegExp2(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function isFactoryReturn(node) {
+  let current = node.parent;
+  while (current) {
+    if (current.type === "return_statement")
+      return true;
+    if (current.type === "expression_statement")
+      return false;
+    if (current.type === "function_definition")
+      return false;
+    current = current.parent;
+  }
+  return false;
+}
+function isModuleLevelCache(node) {
+  let assign = node.parent;
+  while (assign) {
+    if (assign.type === "assignment")
+      break;
+    if (assign.type === "expression_statement")
+      return false;
+    if (assign.type === "function_definition")
+      return false;
+    if (assign.type === "class_definition")
+      return false;
+    assign = assign.parent;
+  }
+  if (!assign)
+    return false;
+  const stmt = assign.parent;
+  if (!(stmt?.type === "expression_statement" && stmt.parent?.type === "module"))
+    return false;
+  const lhs = assign.childForFieldName("left");
+  const nameNode = lhs?.type === "identifier" ? lhs : null;
+  if (!nameNode)
+    return false;
+  const name = nameNode.text;
+  return /^[A-Z_][A-Z0-9_]*$/.test(name) || name.startsWith("_");
+}
+function isInstanceAttributeAssignmentInPrivateClass(node) {
+  let assign = node.parent;
+  while (assign) {
+    if (assign.type === "assignment")
+      break;
+    if (assign.type === "expression_statement")
+      return false;
+    if (assign.type === "function_definition")
+      return false;
+    assign = assign.parent;
+  }
+  if (!assign)
+    return false;
+  const lhs = assign.childForFieldName("left");
+  if (lhs?.type !== "attribute")
+    return false;
+  const obj = lhs.childForFieldName("object");
+  if (!(obj?.type === "identifier" && (obj.text === "self" || obj.text === "cls")))
+    return false;
+  let cls = assign.parent;
+  while (cls) {
+    if (cls.type === "class_definition") {
+      const name = cls.childForFieldName("name");
+      return name?.type === "identifier" && name.text.startsWith("_");
+    }
+    cls = cls.parent;
+  }
+  return false;
+}
+function isClosedInFinally(node) {
+  let assignmentParent = node.parent;
+  while (assignmentParent) {
+    if (assignmentParent.type === "assignment")
+      break;
+    if (assignmentParent.type === "expression_statement")
+      return false;
+    if (assignmentParent.type === "function_definition")
+      return false;
+    assignmentParent = assignmentParent.parent;
+  }
+  if (!assignmentParent)
+    return false;
+  const lhs = assignmentParent.childForFieldName("left");
+  if (!lhs || lhs.type !== "identifier")
+    return false;
+  const varName = lhs.text;
+  let func = assignmentParent.parent;
+  while (func) {
+    if (func.type === "function_definition")
+      break;
+    func = func.parent;
+  }
+  if (!func)
+    return false;
+  const body = func.childForFieldName("body");
+  if (!body)
+    return false;
+  const closePattern2 = new RegExp(`\\b${escapeRegExp2(varName)}\\.(?:close|dispose|release)\\s*\\(`);
+  let found = false;
+  function walk(n) {
+    if (found)
+      return;
+    if (n.type === "finally_clause" && closePattern2.test(n.text)) {
+      found = true;
+      return;
+    }
+    for (let i = 0; i < n.childCount; i++) {
+      const ch = n.child(i);
+      if (ch)
+        walk(ch);
+    }
+  }
+  walk(body);
+  return found;
+}
 var pythonConnectionNotReleasedVisitor;
 var init_connection_not_released2 = __esm({
   "packages/analyzer/dist/rules/database/visitors/python/connection-not-released.js"() {
@@ -92352,6 +93499,14 @@ var init_connection_not_released2 = __esm({
             break;
           current = current.parent;
         }
+        if (isFactoryReturn(node))
+          return null;
+        if (isClosedInFinally(node))
+          return null;
+        if (isModuleLevelCache(node))
+          return null;
+        if (isInstanceAttributeAssignmentInPrivateClass(node))
+          return null;
         return makeViolation(this.ruleKey, node, filePath, "high", "Database connection not released", `${methodName}() acquires a connection but it may not be released on error. Use a context manager (with statement) or try/finally to guarantee the connection is released.`, sourceCode, "Use `with connection:` or a try/finally block to ensure the connection is always released.");
       }
     };
@@ -92435,6 +93590,23 @@ var init_orm_lazy_load_in_loop2 = __esm({
 });
 
 // packages/analyzer/dist/rules/database/visitors/python/missing-transaction.js
+function hasCursorLikeParam(params) {
+  for (let i = 0; i < params.namedChildCount; i++) {
+    const p2 = params.namedChild(i);
+    if (!p2)
+      continue;
+    let nameNode = null;
+    if (p2.type === "identifier") {
+      nameNode = p2;
+    } else if (p2.type === "typed_parameter" || p2.type === "default_parameter" || p2.type === "typed_default_parameter") {
+      nameNode = p2.childForFieldName("name") ?? p2.namedChild(0);
+    }
+    if (nameNode && nameNode.type === "identifier" && CURSOR_PARAM_NAMES.has(nameNode.text)) {
+      return true;
+    }
+  }
+  return false;
+}
 function isOrmWriteCall(n) {
   const name = getPythonMethodName(n);
   if (name === "execute" || name === "executemany") {
@@ -92442,7 +93614,7 @@ function isOrmWriteCall(n) {
     const firstArg = args?.namedChildren[0];
     if (firstArg?.type === "string") {
       const sql = firstArg.text.toLowerCase();
-      if (/insert|update|delete|alter|create|drop/.test(sql))
+      if (/\b(insert|update|delete|alter|create|drop)\b/.test(sql))
         return true;
     }
     return false;
@@ -92455,26 +93627,26 @@ function isOrmWriteCall(n) {
   if (fn?.type === "attribute") {
     const receiver = fn.childForFieldName("object");
     if (receiver?.type === "identifier") {
-      return ORM_RECEIVER_NAMES2.has(receiver.text);
+      return ORM_RECEIVER_NAMES3.has(receiver.text);
     }
     if (receiver?.type === "attribute") {
       const attrText = receiver.childForFieldName("attribute")?.text;
-      if (attrText && ORM_RECEIVER_NAMES2.has(attrText))
+      if (attrText && ORM_RECEIVER_NAMES3.has(attrText))
         return true;
       const rootObj = receiver.childForFieldName("object");
-      if (rootObj?.type === "identifier" && ORM_RECEIVER_NAMES2.has(rootObj.text))
+      if (rootObj?.type === "identifier" && ORM_RECEIVER_NAMES3.has(rootObj.text))
         return true;
     }
   }
   return false;
 }
-var ORM_RECEIVER_NAMES2, UNAMBIGUOUS_DB_WRITES, pythonMissingTransactionVisitor;
+var ORM_RECEIVER_NAMES3, UNAMBIGUOUS_DB_WRITES, CURSOR_PARAM_NAMES, pythonMissingTransactionVisitor;
 var init_missing_transaction2 = __esm({
   "packages/analyzer/dist/rules/database/visitors/python/missing-transaction.js"() {
     "use strict";
     init_types();
     init_helpers10();
-    ORM_RECEIVER_NAMES2 = /* @__PURE__ */ new Set([
+    ORM_RECEIVER_NAMES3 = /* @__PURE__ */ new Set([
       "session",
       "db",
       "conn",
@@ -92494,6 +93666,17 @@ var init_missing_transaction2 = __esm({
       "bulk_update",
       "executemany"
     ]);
+    CURSOR_PARAM_NAMES = /* @__PURE__ */ new Set([
+      "cur",
+      "cursor",
+      "conn",
+      "connection",
+      "session",
+      "db",
+      "tx",
+      "trans",
+      "transaction"
+    ]);
     pythonMissingTransactionVisitor = {
       ruleKey: "database/deterministic/missing-transaction",
       languages: ["python"],
@@ -92505,8 +93688,18 @@ var init_missing_transaction2 = __esm({
         if (!body)
           return null;
         const bodyText = body.text.toLowerCase();
-        if (/transaction|atomic|begin\b/.test(bodyText))
+        if (/transaction|atomic|begin\b|autocommit\s*=\s*false/.test(bodyText))
           return null;
+        if (/\bwith\s+[^:]*\bas\s+(conn|connection|cursor|cur|session|engine|tx|trans)\b[^:]*:/.test(bodyText))
+          return null;
+        const funcDef = body.parent;
+        if (funcDef?.type === "function_definition") {
+          const nameNode = funcDef.childForFieldName("name");
+          const params = funcDef.childForFieldName("parameters");
+          if (nameNode?.text.startsWith("_") && params && hasCursorLikeParam(params)) {
+            return null;
+          }
+        }
         let writeCount = 0;
         let seenSelf = false;
         let isSecondOccurrence = false;
@@ -99283,6 +100476,503 @@ var init_rules_service = __esm({
   }
 });
 
+// node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/windows.js
+var require_windows = __commonJS({
+  "node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/windows.js"(exports, module) {
+    module.exports = isexe;
+    isexe.sync = sync;
+    var fs17 = __require("fs");
+    function checkPathExt(path22, options) {
+      var pathext = options.pathExt !== void 0 ? options.pathExt : process.env.PATHEXT;
+      if (!pathext) {
+        return true;
+      }
+      pathext = pathext.split(";");
+      if (pathext.indexOf("") !== -1) {
+        return true;
+      }
+      for (var i = 0; i < pathext.length; i++) {
+        var p2 = pathext[i].toLowerCase();
+        if (p2 && path22.substr(-p2.length).toLowerCase() === p2) {
+          return true;
+        }
+      }
+      return false;
+    }
+    function checkStat(stat, path22, options) {
+      if (!stat.isSymbolicLink() && !stat.isFile()) {
+        return false;
+      }
+      return checkPathExt(path22, options);
+    }
+    function isexe(path22, options, cb) {
+      fs17.stat(path22, function(er, stat) {
+        cb(er, er ? false : checkStat(stat, path22, options));
+      });
+    }
+    function sync(path22, options) {
+      return checkStat(fs17.statSync(path22), path22, options);
+    }
+  }
+});
+
+// node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/mode.js
+var require_mode = __commonJS({
+  "node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/mode.js"(exports, module) {
+    module.exports = isexe;
+    isexe.sync = sync;
+    var fs17 = __require("fs");
+    function isexe(path22, options, cb) {
+      fs17.stat(path22, function(er, stat) {
+        cb(er, er ? false : checkStat(stat, options));
+      });
+    }
+    function sync(path22, options) {
+      return checkStat(fs17.statSync(path22), options);
+    }
+    function checkStat(stat, options) {
+      return stat.isFile() && checkMode(stat, options);
+    }
+    function checkMode(stat, options) {
+      var mod = stat.mode;
+      var uid = stat.uid;
+      var gid = stat.gid;
+      var myUid = options.uid !== void 0 ? options.uid : process.getuid && process.getuid();
+      var myGid = options.gid !== void 0 ? options.gid : process.getgid && process.getgid();
+      var u2 = parseInt("100", 8);
+      var g = parseInt("010", 8);
+      var o = parseInt("001", 8);
+      var ug = u2 | g;
+      var ret = mod & o || mod & g && gid === myGid || mod & u2 && uid === myUid || mod & ug && myUid === 0;
+      return ret;
+    }
+  }
+});
+
+// node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/index.js
+var require_isexe = __commonJS({
+  "node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/index.js"(exports, module) {
+    var fs17 = __require("fs");
+    var core2;
+    if (process.platform === "win32" || global.TESTING_WINDOWS) {
+      core2 = require_windows();
+    } else {
+      core2 = require_mode();
+    }
+    module.exports = isexe;
+    isexe.sync = sync;
+    function isexe(path22, options, cb) {
+      if (typeof options === "function") {
+        cb = options;
+        options = {};
+      }
+      if (!cb) {
+        if (typeof Promise !== "function") {
+          throw new TypeError("callback not provided");
+        }
+        return new Promise(function(resolve8, reject) {
+          isexe(path22, options || {}, function(er, is) {
+            if (er) {
+              reject(er);
+            } else {
+              resolve8(is);
+            }
+          });
+        });
+      }
+      core2(path22, options || {}, function(er, is) {
+        if (er) {
+          if (er.code === "EACCES" || options && options.ignoreErrors) {
+            er = null;
+            is = false;
+          }
+        }
+        cb(er, is);
+      });
+    }
+    function sync(path22, options) {
+      try {
+        return core2.sync(path22, options || {});
+      } catch (er) {
+        if (options && options.ignoreErrors || er.code === "EACCES") {
+          return false;
+        } else {
+          throw er;
+        }
+      }
+    }
+  }
+});
+
+// node_modules/.pnpm/which@2.0.2/node_modules/which/which.js
+var require_which = __commonJS({
+  "node_modules/.pnpm/which@2.0.2/node_modules/which/which.js"(exports, module) {
+    var isWindows = process.platform === "win32" || process.env.OSTYPE === "cygwin" || process.env.OSTYPE === "msys";
+    var path22 = __require("path");
+    var COLON = isWindows ? ";" : ":";
+    var isexe = require_isexe();
+    var getNotFoundError = (cmd) => Object.assign(new Error(`not found: ${cmd}`), { code: "ENOENT" });
+    var getPathInfo = (cmd, opt) => {
+      const colon = opt.colon || COLON;
+      const pathEnv = cmd.match(/\//) || isWindows && cmd.match(/\\/) ? [""] : [
+        // windows always checks the cwd first
+        ...isWindows ? [process.cwd()] : [],
+        ...(opt.path || process.env.PATH || /* istanbul ignore next: very unusual */
+        "").split(colon)
+      ];
+      const pathExtExe = isWindows ? opt.pathExt || process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM" : "";
+      const pathExt = isWindows ? pathExtExe.split(colon) : [""];
+      if (isWindows) {
+        if (cmd.indexOf(".") !== -1 && pathExt[0] !== "")
+          pathExt.unshift("");
+      }
+      return {
+        pathEnv,
+        pathExt,
+        pathExtExe
+      };
+    };
+    var which = (cmd, opt, cb) => {
+      if (typeof opt === "function") {
+        cb = opt;
+        opt = {};
+      }
+      if (!opt)
+        opt = {};
+      const { pathEnv, pathExt, pathExtExe } = getPathInfo(cmd, opt);
+      const found = [];
+      const step = (i) => new Promise((resolve8, reject) => {
+        if (i === pathEnv.length)
+          return opt.all && found.length ? resolve8(found) : reject(getNotFoundError(cmd));
+        const ppRaw = pathEnv[i];
+        const pathPart = /^".*"$/.test(ppRaw) ? ppRaw.slice(1, -1) : ppRaw;
+        const pCmd = path22.join(pathPart, cmd);
+        const p2 = !pathPart && /^\.[\\\/]/.test(cmd) ? cmd.slice(0, 2) + pCmd : pCmd;
+        resolve8(subStep(p2, i, 0));
+      });
+      const subStep = (p2, i, ii) => new Promise((resolve8, reject) => {
+        if (ii === pathExt.length)
+          return resolve8(step(i + 1));
+        const ext2 = pathExt[ii];
+        isexe(p2 + ext2, { pathExt: pathExtExe }, (er, is) => {
+          if (!er && is) {
+            if (opt.all)
+              found.push(p2 + ext2);
+            else
+              return resolve8(p2 + ext2);
+          }
+          return resolve8(subStep(p2, i, ii + 1));
+        });
+      });
+      return cb ? step(0).then((res) => cb(null, res), cb) : step(0);
+    };
+    var whichSync = (cmd, opt) => {
+      opt = opt || {};
+      const { pathEnv, pathExt, pathExtExe } = getPathInfo(cmd, opt);
+      const found = [];
+      for (let i = 0; i < pathEnv.length; i++) {
+        const ppRaw = pathEnv[i];
+        const pathPart = /^".*"$/.test(ppRaw) ? ppRaw.slice(1, -1) : ppRaw;
+        const pCmd = path22.join(pathPart, cmd);
+        const p2 = !pathPart && /^\.[\\\/]/.test(cmd) ? cmd.slice(0, 2) + pCmd : pCmd;
+        for (let j2 = 0; j2 < pathExt.length; j2++) {
+          const cur = p2 + pathExt[j2];
+          try {
+            const is = isexe.sync(cur, { pathExt: pathExtExe });
+            if (is) {
+              if (opt.all)
+                found.push(cur);
+              else
+                return cur;
+            }
+          } catch (ex) {
+          }
+        }
+      }
+      if (opt.all && found.length)
+        return found;
+      if (opt.nothrow)
+        return null;
+      throw getNotFoundError(cmd);
+    };
+    module.exports = which;
+    which.sync = whichSync;
+  }
+});
+
+// node_modules/.pnpm/path-key@3.1.1/node_modules/path-key/index.js
+var require_path_key = __commonJS({
+  "node_modules/.pnpm/path-key@3.1.1/node_modules/path-key/index.js"(exports, module) {
+    "use strict";
+    var pathKey = (options = {}) => {
+      const environment = options.env || process.env;
+      const platform = options.platform || process.platform;
+      if (platform !== "win32") {
+        return "PATH";
+      }
+      return Object.keys(environment).reverse().find((key) => key.toUpperCase() === "PATH") || "Path";
+    };
+    module.exports = pathKey;
+    module.exports.default = pathKey;
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/resolveCommand.js
+var require_resolveCommand = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/resolveCommand.js"(exports, module) {
+    "use strict";
+    var path22 = __require("path");
+    var which = require_which();
+    var getPathKey = require_path_key();
+    function resolveCommandAttempt(parsed, withoutPathExt) {
+      const env = parsed.options.env || process.env;
+      const cwd = process.cwd();
+      const hasCustomCwd = parsed.options.cwd != null;
+      const shouldSwitchCwd = hasCustomCwd && process.chdir !== void 0 && !process.chdir.disabled;
+      if (shouldSwitchCwd) {
+        try {
+          process.chdir(parsed.options.cwd);
+        } catch (err) {
+        }
+      }
+      let resolved;
+      try {
+        resolved = which.sync(parsed.command, {
+          path: env[getPathKey({ env })],
+          pathExt: withoutPathExt ? path22.delimiter : void 0
+        });
+      } catch (e) {
+      } finally {
+        if (shouldSwitchCwd) {
+          process.chdir(cwd);
+        }
+      }
+      if (resolved) {
+        resolved = path22.resolve(hasCustomCwd ? parsed.options.cwd : "", resolved);
+      }
+      return resolved;
+    }
+    function resolveCommand(parsed) {
+      return resolveCommandAttempt(parsed) || resolveCommandAttempt(parsed, true);
+    }
+    module.exports = resolveCommand;
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/escape.js
+var require_escape = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/escape.js"(exports, module) {
+    "use strict";
+    var metaCharsRegExp = /([()\][%!^"`<>&|;, *?])/g;
+    function escapeCommand(arg) {
+      arg = arg.replace(metaCharsRegExp, "^$1");
+      return arg;
+    }
+    function escapeArgument(arg, doubleEscapeMetaChars) {
+      arg = `${arg}`;
+      arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
+      arg = arg.replace(/(?=(\\+?)?)\1$/, "$1$1");
+      arg = `"${arg}"`;
+      arg = arg.replace(metaCharsRegExp, "^$1");
+      if (doubleEscapeMetaChars) {
+        arg = arg.replace(metaCharsRegExp, "^$1");
+      }
+      return arg;
+    }
+    module.exports.command = escapeCommand;
+    module.exports.argument = escapeArgument;
+  }
+});
+
+// node_modules/.pnpm/shebang-regex@3.0.0/node_modules/shebang-regex/index.js
+var require_shebang_regex = __commonJS({
+  "node_modules/.pnpm/shebang-regex@3.0.0/node_modules/shebang-regex/index.js"(exports, module) {
+    "use strict";
+    module.exports = /^#!(.*)/;
+  }
+});
+
+// node_modules/.pnpm/shebang-command@2.0.0/node_modules/shebang-command/index.js
+var require_shebang_command = __commonJS({
+  "node_modules/.pnpm/shebang-command@2.0.0/node_modules/shebang-command/index.js"(exports, module) {
+    "use strict";
+    var shebangRegex = require_shebang_regex();
+    module.exports = (string = "") => {
+      const match2 = string.match(shebangRegex);
+      if (!match2) {
+        return null;
+      }
+      const [path22, argument] = match2[0].replace(/#! ?/, "").split(" ");
+      const binary2 = path22.split("/").pop();
+      if (binary2 === "env") {
+        return argument;
+      }
+      return argument ? `${binary2} ${argument}` : binary2;
+    };
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/readShebang.js
+var require_readShebang = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/readShebang.js"(exports, module) {
+    "use strict";
+    var fs17 = __require("fs");
+    var shebangCommand = require_shebang_command();
+    function readShebang(command) {
+      const size = 150;
+      const buffer = Buffer.alloc(size);
+      let fd;
+      try {
+        fd = fs17.openSync(command, "r");
+        fs17.readSync(fd, buffer, 0, size, 0);
+        fs17.closeSync(fd);
+      } catch (e) {
+      }
+      return shebangCommand(buffer.toString());
+    }
+    module.exports = readShebang;
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/parse.js
+var require_parse = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/parse.js"(exports, module) {
+    "use strict";
+    var path22 = __require("path");
+    var resolveCommand = require_resolveCommand();
+    var escape2 = require_escape();
+    var readShebang = require_readShebang();
+    var isWin = process.platform === "win32";
+    var isExecutableRegExp = /\.(?:com|exe)$/i;
+    var isCmdShimRegExp = /node_modules[\\/].bin[\\/][^\\/]+\.cmd$/i;
+    function detectShebang(parsed) {
+      parsed.file = resolveCommand(parsed);
+      const shebang = parsed.file && readShebang(parsed.file);
+      if (shebang) {
+        parsed.args.unshift(parsed.file);
+        parsed.command = shebang;
+        return resolveCommand(parsed);
+      }
+      return parsed.file;
+    }
+    function parseNonShell(parsed) {
+      if (!isWin) {
+        return parsed;
+      }
+      const commandFile = detectShebang(parsed);
+      const needsShell = !isExecutableRegExp.test(commandFile);
+      if (parsed.options.forceShell || needsShell) {
+        const needsDoubleEscapeMetaChars = isCmdShimRegExp.test(commandFile);
+        parsed.command = path22.normalize(parsed.command);
+        parsed.command = escape2.command(parsed.command);
+        parsed.args = parsed.args.map((arg) => escape2.argument(arg, needsDoubleEscapeMetaChars));
+        const shellCommand = [parsed.command].concat(parsed.args).join(" ");
+        parsed.args = ["/d", "/s", "/c", `"${shellCommand}"`];
+        parsed.command = process.env.comspec || "cmd.exe";
+        parsed.options.windowsVerbatimArguments = true;
+      }
+      return parsed;
+    }
+    function parse2(command, args, options) {
+      if (args && !Array.isArray(args)) {
+        options = args;
+        args = null;
+      }
+      args = args ? args.slice(0) : [];
+      options = Object.assign({}, options);
+      const parsed = {
+        command,
+        args,
+        options,
+        file: void 0,
+        original: {
+          command,
+          args
+        }
+      };
+      return options.shell ? parsed : parseNonShell(parsed);
+    }
+    module.exports = parse2;
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/enoent.js
+var require_enoent = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/enoent.js"(exports, module) {
+    "use strict";
+    var isWin = process.platform === "win32";
+    function notFoundError(original, syscall) {
+      return Object.assign(new Error(`${syscall} ${original.command} ENOENT`), {
+        code: "ENOENT",
+        errno: "ENOENT",
+        syscall: `${syscall} ${original.command}`,
+        path: original.command,
+        spawnargs: original.args
+      });
+    }
+    function hookChildProcess(cp, parsed) {
+      if (!isWin) {
+        return;
+      }
+      const originalEmit = cp.emit;
+      cp.emit = function(name, arg1) {
+        if (name === "exit") {
+          const err = verifyENOENT(arg1, parsed);
+          if (err) {
+            return originalEmit.call(cp, "error", err);
+          }
+        }
+        return originalEmit.apply(cp, arguments);
+      };
+    }
+    function verifyENOENT(status, parsed) {
+      if (isWin && status === 1 && !parsed.file) {
+        return notFoundError(parsed.original, "spawn");
+      }
+      return null;
+    }
+    function verifyENOENTSync(status, parsed) {
+      if (isWin && status === 1 && !parsed.file) {
+        return notFoundError(parsed.original, "spawnSync");
+      }
+      return null;
+    }
+    module.exports = {
+      hookChildProcess,
+      verifyENOENT,
+      verifyENOENTSync,
+      notFoundError
+    };
+  }
+});
+
+// node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/index.js
+var require_cross_spawn = __commonJS({
+  "node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/index.js"(exports, module) {
+    "use strict";
+    var cp = __require("child_process");
+    var parse2 = require_parse();
+    var enoent = require_enoent();
+    function spawn6(command, args, options) {
+      const parsed = parse2(command, args, options);
+      const spawned = cp.spawn(parsed.command, parsed.args, parsed.options);
+      enoent.hookChildProcess(spawned, parsed);
+      return spawned;
+    }
+    function spawnSync2(command, args, options) {
+      const parsed = parse2(command, args, options);
+      const result = cp.spawnSync(parsed.command, parsed.args, parsed.options);
+      result.error = result.error || enoent.verifyENOENTSync(result.status, parsed);
+      return result;
+    }
+    module.exports = spawn6;
+    module.exports.spawn = spawn6;
+    module.exports.sync = spawnSync2;
+    module.exports._parse = parse2;
+    module.exports._enoent = enoent;
+  }
+});
+
 // node_modules/.pnpm/yocto-queue@1.2.2/node_modules/yocto-queue/index.js
 var Node, Queue;
 var init_yocto_queue = __esm({
@@ -102102,15 +103792,15 @@ var init_schemas2 = __esm({
 });
 
 // packages/core/dist/services/llm/cli-provider.js
-import { spawn as spawn3 } from "node:child_process";
-import { mkdirSync as mkdirSync2, writeFileSync } from "node:fs";
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "node:fs";
 import { join as join8 } from "node:path";
 import { tmpdir } from "node:os";
 import { randomUUID as randomUUID3 } from "node:crypto";
-var BaseCLIProvider, ClaudeCodeProvider;
+var import_cross_spawn, BaseCLIProvider, ClaudeCodeProvider;
 var init_cli_provider = __esm({
   "packages/core/dist/services/llm/cli-provider.js"() {
     "use strict";
+    import_cross_spawn = __toESM(require_cross_spawn(), 1);
     init_logger();
     init_p_limit();
     init_analysis_registry();
@@ -102178,10 +103868,10 @@ var init_cli_provider = __esm({
           return;
         const n = String(++this.callCounter).padStart(2, "0");
         const prefix = join8(this.debugDir, `${n}-${label}`);
-        writeFileSync(`${prefix}-input.txt`, prompt, "utf-8");
-        writeFileSync(`${prefix}-output.json`, rawOutput, "utf-8");
+        writeFileSync2(`${prefix}-input.txt`, prompt, "utf-8");
+        writeFileSync2(`${prefix}-output.json`, rawOutput, "utf-8");
         if (jsonSchema)
-          writeFileSync(`${prefix}-schema.json`, jsonSchema, "utf-8");
+          writeFileSync2(`${prefix}-schema.json`, jsonSchema, "utf-8");
       }
       /** Strip nesting guard env vars so subprocess doesn't detect parent Claude Code. */
       getCleanEnv() {
@@ -102213,7 +103903,7 @@ var init_cli_provider = __esm({
           ...opts?.extraArgs ?? []
         ];
         return new Promise((resolve8, reject) => {
-          const child = spawn3(this.binaryName, args, {
+          const child = (0, import_cross_spawn.default)(this.binaryName, args, {
             env: this.getCleanEnv(),
             stdio: ["pipe", "pipe", "pipe"],
             ...this._repoPath ? { cwd: this._repoPath } : {}
@@ -103120,7 +104810,38 @@ function splitIntoBatches(tier, rules, content, fileCount, functionCount, filePa
   }
   return batches;
 }
+function translateContextRangeError(err, fileContents) {
+  if (!(err instanceof RangeError) || !err.message.includes("Invalid string length")) {
+    throw err;
+  }
+  const sized = [...fileContents.entries()].map(([filePath, fc]) => ({
+    filePath,
+    sizeKb: Math.round(fc.content.length / 1024),
+    lineCount: fc.lineCount,
+    // long single lines are a strong minified-bundle signal
+    maxLineLength: fc.lineCount > 0 ? Math.round(fc.content.length / fc.lineCount) : 0
+  })).sort((a, b) => b.sizeKb - a.sizeKb).slice(0, 5);
+  const list = sized.map((f) => {
+    const minHint = f.maxLineLength > 5e3 ? " [likely minified]" : "";
+    return `  - ${f.filePath} (${f.sizeKb} KB, ${f.lineCount} lines)${minHint}`;
+  }).join("\n");
+  const suggestions = sized.slice(0, 3).map((f) => `  ${f.filePath}`).join("\n");
+  throw new Error(`LLM context exceeded V8's max string length (~512 MB) while preparing rule batches. This is almost always caused by minified bundles, vendored libraries, or generated files.
+
+Largest files in scope:
+${list}
+
+Add the offending paths to \`.truecourseignore\` at the repo root, e.g.:
+${suggestions}`);
+}
 function estimateContext(rules, fileAnalyses, fileContents, options) {
+  try {
+    return estimateContextInner(rules, fileAnalyses, fileContents, options);
+  } catch (err) {
+    translateContextRangeError(err, fileContents);
+  }
+}
+function estimateContextInner(rules, fileAnalyses, fileContents, options) {
   const grouped = groupRulesByContext(rules);
   const tiers = [];
   const useFilePaths = options?.useFilePaths ?? false;
@@ -103179,6 +104900,13 @@ function estimateContext(rules, fileAnalyses, fileContents, options) {
   };
 }
 function routeContext(rules, fileAnalyses, fileContents) {
+  try {
+    return routeContextInner(rules, fileAnalyses, fileContents);
+  } catch (err) {
+    translateContextRangeError(err, fileContents);
+  }
+}
+function routeContextInner(rules, fileAnalyses, fileContents) {
   const grouped = groupRulesByContext(rules);
   const batches = [];
   const faByPath = /* @__PURE__ */ new Map();
@@ -103794,24 +105522,39 @@ async function runViolationPipeline(input) {
     tracker?.start(stepKey);
     if (domain === "architecture") {
       tracker?.detail(stepKey, "Service checks...");
+      await new Promise((r) => setImmediate(r));
+      throwIfAborted(signal);
       serviceViolationResults.push(...runDeterministicServiceChecks(result, domainRules));
       tracker?.detail(stepKey, "Module checks...");
+      await new Promise((r) => setImmediate(r));
+      throwIfAborted(signal);
       moduleViolationResults.push(...runDeterministicModuleChecks(result, domainRules));
       tracker?.detail(stepKey, "Method checks...");
+      await new Promise((r) => setImmediate(r));
+      throwIfAborted(signal);
       methodViolationResults.push(...runDeterministicMethodChecks(result, domainRules));
       tracker?.detail(stepKey, "Deterministic checks done");
     }
   }
   const allCodeViolations = [];
   if (enabledCodeRules.length > 0 && filesToScan.length > 0) {
+    const activeCodeDomains = [];
     for (const domain of DOMAIN_ORDER) {
       if (domain === "architecture")
         continue;
       const domainRules = enabledDeterministic.filter((r) => (r.domain ?? "").startsWith(domain));
-      if (domainRules.length > 0)
+      if (domainRules.length > 0) {
         tracker?.start(`${domain}`);
+        activeCodeDomains.push(domain);
+      }
     }
     await new Promise((r) => setImmediate(r));
+    const totalFiles = filesToScan.length;
+    let processed = 0;
+    const SPINNER_YIELD_MS = 25;
+    const DETAIL_UPDATE_MS = 100;
+    let lastYieldMs = Date.now();
+    let lastDetailMs = lastYieldMs;
     for (const { filePath, resolve: resolve8 } of filesToScan) {
       try {
         const lang = detectLanguage(filePath);
@@ -103827,6 +105570,23 @@ async function runViolationPipeline(input) {
         allCodeViolations.push(...codeRuleViolations);
       } catch {
       }
+      processed++;
+      if (signal?.aborted)
+        throw new DOMException("Analysis cancelled", "AbortError");
+      const now2 = Date.now();
+      const isLast = processed === totalFiles;
+      if (isLast || now2 - lastDetailMs >= DETAIL_UPDATE_MS) {
+        const detail = `${processed}/${totalFiles} files`;
+        for (const domain of activeCodeDomains)
+          tracker?.detail(domain, detail);
+        lastDetailMs = now2;
+      }
+      if (isLast || now2 - lastYieldMs >= SPINNER_YIELD_MS) {
+        await new Promise((r) => setImmediate(r));
+        lastYieldMs = Date.now();
+        if (signal?.aborted)
+          throw new DOMException("Analysis cancelled", "AbortError");
+      }
     }
   }
   log.info(`[Pipeline] Code scan: ${allCodeViolations.length} violations from ${filesToScan.length} files (${enabledCodeRules.length} det rules, ${enabledLlmCodeRules.length} LLM rules)`);
@@ -105212,7 +106972,6 @@ async function runAdd(options = {}) {
 
 // tools/cli/src/commands/analyze.ts
 init_dist4();
-import { execSync } from "node:child_process";
 import path16 from "node:path";
 
 // packages/core/dist/commands/analyze-in-process.js
@@ -105235,6 +106994,19 @@ init_registry();
 init_project_config();
 init_git();
 init_logger();
+
+// packages/core/dist/lib/cli-binary.js
+var import_cross_spawn2 = __toESM(require_cross_spawn(), 1);
+function isCliBinaryAvailable(binary2) {
+  const result = (0, import_cross_spawn2.sync)(binary2, ["--version"], {
+    stdio: "ignore",
+    timeout: 5e3
+  });
+  return result.status === 0;
+}
+
+// tools/cli/src/commands/analyze.ts
+init_config2();
 init_helpers();
 
 // tools/cli/src/commands/llm-prompt.ts
@@ -105322,14 +107094,13 @@ function showFirstRunNotice() {
 
 // tools/cli/src/commands/analyze.ts
 function ensureClaudeCli() {
-  try {
-    execSync("which claude", { stdio: "ignore" });
-  } catch {
-    O2.error(
-      "Claude Code CLI not found on PATH. TrueCourse requires the `claude` binary to run analysis.\nInstall it from https://docs.anthropic.com/en/docs/claude-code and try again."
-    );
-    process.exit(1);
-  }
+  const binary2 = config.claudeCodeBinary;
+  if (isCliBinaryAvailable(binary2)) return;
+  O2.error(
+    `Claude Code CLI not found (tried \`${binary2}\`). TrueCourse requires the Claude Code binary to run analysis.
+Install it from https://docs.anthropic.com/en/docs/claude-code, or set CLAUDE_CODE_BINARY to its name or absolute path if it's installed elsewhere.`
+  );
+  process.exit(1);
 }
 function resolveOrInitProject() {
   const repoDir = resolveRepoDir(process.cwd()) ?? process.cwd();
@@ -105479,7 +107250,16 @@ async function runAnalyze(options = {}) {
     if (payload.steps) renderSteps(payload.steps);
   }, stepDefs);
   const abortController = new AbortController();
-  const onSigint = () => abortController.abort();
+  let sigintRequested = false;
+  const onSigint = () => {
+    if (sigintRequested) {
+      process.stderr.write("\nForce quit.\n");
+      process.exit(130);
+    }
+    sigintRequested = true;
+    abortController.abort();
+    process.stderr.write("\nCancelling\u2026 (press Ctrl+C again to force quit)\n");
+  };
   process.on("SIGINT", onSigint);
   try {
     const result = await analyzeInProcess(project, {
@@ -105536,7 +107316,16 @@ async function runAnalyzeDiff(options = {}) {
     if (payload.steps) renderSteps(payload.steps);
   }, stepDefs);
   const abortController = new AbortController();
-  const onSigint = () => abortController.abort();
+  let sigintRequested = false;
+  const onSigint = () => {
+    if (sigintRequested) {
+      process.stderr.write("\nForce quit.\n");
+      process.exit(130);
+    }
+    sigintRequested = true;
+    abortController.abort();
+    process.stderr.write("\nCancelling\u2026 (press Ctrl+C again to force quit)\n");
+  };
   process.on("SIGINT", onSigint);
   try {
     const { diff } = await diffInProcess2(project, {
@@ -105591,7 +107380,7 @@ import { fileURLToPath as fileURLToPath5 } from "node:url";
 import fs12 from "node:fs";
 import path17 from "node:path";
 import os5 from "node:os";
-import { execSync as execSync2 } from "node:child_process";
+import { execSync } from "node:child_process";
 
 // tools/cli/src/commands/service/env.ts
 import fs11 from "node:fs";
@@ -105672,11 +107461,11 @@ var MacOSService = class {
     fs12.mkdirSync(path17.dirname(logPath), { recursive: true });
     const plist = buildPlist(serverPath, logPath, envVars);
     fs12.writeFileSync(PLIST_PATH, plist, "utf-8");
-    execSync2(`launchctl load -w "${PLIST_PATH}"`, { stdio: "pipe" });
+    execSync(`launchctl load -w "${PLIST_PATH}"`, { stdio: "pipe" });
   }
   async uninstall() {
     try {
-      execSync2(`launchctl unload "${PLIST_PATH}"`, { stdio: "pipe" });
+      execSync(`launchctl unload "${PLIST_PATH}"`, { stdio: "pipe" });
     } catch {
     }
     if (fs12.existsSync(PLIST_PATH)) {
@@ -105687,17 +107476,17 @@ var MacOSService = class {
     if (!fs12.existsSync(PLIST_PATH)) {
       throw new Error("Service is not installed. Run 'truecourse service install' first.");
     }
-    execSync2(`launchctl load -w "${PLIST_PATH}"`, { stdio: "pipe" });
+    execSync(`launchctl load -w "${PLIST_PATH}"`, { stdio: "pipe" });
   }
   async stop() {
     try {
-      execSync2(`launchctl unload "${PLIST_PATH}"`, { stdio: "pipe" });
+      execSync(`launchctl unload "${PLIST_PATH}"`, { stdio: "pipe" });
     } catch {
     }
   }
   async status() {
     try {
-      const output = execSync2(`launchctl list ${SERVICE_LABEL}`, {
+      const output = execSync(`launchctl list ${SERVICE_LABEL}`, {
         stdio: ["pipe", "pipe", "pipe"],
         encoding: "utf-8"
       });
@@ -105722,7 +107511,7 @@ var MacOSService = class {
 import fs13 from "node:fs";
 import path18 from "node:path";
 import os6 from "node:os";
-import { execSync as execSync3 } from "node:child_process";
+import { execSync as execSync2 } from "node:child_process";
 var SERVICE_NAME = "truecourse";
 var UNIT_DIR = path18.join(os6.homedir(), ".config", "systemd", "user");
 var UNIT_PATH = path18.join(UNIT_DIR, `${SERVICE_NAME}.service`);
@@ -105752,35 +107541,35 @@ var LinuxService = class {
     fs13.mkdirSync(path18.dirname(logPath), { recursive: true });
     const unit = buildUnitFile(serverPath, logPath);
     fs13.writeFileSync(UNIT_PATH, unit, "utf-8");
-    execSync3("systemctl --user daemon-reload", { stdio: "pipe" });
-    execSync3(`systemctl --user enable ${SERVICE_NAME}`, { stdio: "pipe" });
+    execSync2("systemctl --user daemon-reload", { stdio: "pipe" });
+    execSync2(`systemctl --user enable ${SERVICE_NAME}`, { stdio: "pipe" });
   }
   async uninstall() {
     try {
-      execSync3(`systemctl --user stop ${SERVICE_NAME}`, { stdio: "pipe" });
+      execSync2(`systemctl --user stop ${SERVICE_NAME}`, { stdio: "pipe" });
     } catch {
     }
     try {
-      execSync3(`systemctl --user disable ${SERVICE_NAME}`, { stdio: "pipe" });
+      execSync2(`systemctl --user disable ${SERVICE_NAME}`, { stdio: "pipe" });
     } catch {
     }
     if (fs13.existsSync(UNIT_PATH)) {
       fs13.unlinkSync(UNIT_PATH);
     }
     try {
-      execSync3("systemctl --user daemon-reload", { stdio: "pipe" });
+      execSync2("systemctl --user daemon-reload", { stdio: "pipe" });
     } catch {
     }
   }
   async start() {
-    execSync3(`systemctl --user start ${SERVICE_NAME}`, { stdio: "pipe" });
+    execSync2(`systemctl --user start ${SERVICE_NAME}`, { stdio: "pipe" });
   }
   async stop() {
-    execSync3(`systemctl --user stop ${SERVICE_NAME}`, { stdio: "pipe" });
+    execSync2(`systemctl --user stop ${SERVICE_NAME}`, { stdio: "pipe" });
   }
   async status() {
     try {
-      const output = execSync3(
+      const output = execSync2(
         `systemctl --user show ${SERVICE_NAME} --property=ActiveState,MainPID`,
         { stdio: ["pipe", "pipe", "pipe"], encoding: "utf-8" }
       );
@@ -105799,7 +107588,7 @@ var LinuxService = class {
 };
 
 // tools/cli/src/commands/service/windows.ts
-import { execSync as execSync4 } from "node:child_process";
+import { execSync as execSync3 } from "node:child_process";
 var SERVICE_NAME2 = "TrueCourse";
 var WindowsService = class {
   svc;
@@ -105849,14 +107638,14 @@ var WindowsService = class {
     });
   }
   async start() {
-    execSync4(`sc.exe start ${SERVICE_NAME2}`, { stdio: "pipe" });
+    execSync3(`sc.exe start ${SERVICE_NAME2}`, { stdio: "pipe" });
   }
   async stop() {
-    execSync4(`sc.exe stop ${SERVICE_NAME2}`, { stdio: "pipe" });
+    execSync3(`sc.exe stop ${SERVICE_NAME2}`, { stdio: "pipe" });
   }
   async status() {
     try {
-      const output = execSync4(`sc.exe query ${SERVICE_NAME2}`, {
+      const output = execSync3(`sc.exe query ${SERVICE_NAME2}`, {
         stdio: ["pipe", "pipe", "pipe"],
         encoding: "utf-8"
       });
@@ -105872,7 +107661,7 @@ var WindowsService = class {
   }
   async isInstalled() {
     try {
-      execSync4(`sc.exe query ${SERVICE_NAME2}`, { stdio: "pipe" });
+      execSync3(`sc.exe query ${SERVICE_NAME2}`, { stdio: "pipe" });
       return true;
     } catch {
       return false;
@@ -106462,7 +108251,7 @@ async function runRulesLlm(options) {
 }
 
 // tools/cli/src/commands/hooks.ts
-import { execSync as execSync5 } from "node:child_process";
+import { execSync as execSync4 } from "node:child_process";
 import fs16 from "node:fs";
 import path21 from "node:path";
 
@@ -109290,7 +111079,7 @@ async function runHooksRun() {
   }
   let hasStaged = false;
   try {
-    const output = execSync5("git diff --cached --name-only --diff-filter=ACM", {
+    const output = execSync4("git diff --cached --name-only --diff-filter=ACM", {
       encoding: "utf-8",
       cwd: projectRoot
     }).trim();
@@ -109367,7 +111156,7 @@ async function runHooksRun() {
 
 // tools/cli/src/index.ts
 var program2 = new Command();
-program2.name("truecourse").version("0.5.7").description("TrueCourse CLI \u2014 analyze your repository and open the dashboard");
+program2.name("truecourse").version("0.5.8-windows.2").description("TrueCourse CLI \u2014 analyze your repository and open the dashboard");
 var dashboardCmd = program2.command("dashboard").description("Start the TrueCourse dashboard and open it in your browser").option("--reconfigure", "Re-prompt for console vs background service mode").option("--service", "Run as a background service (skips mode prompt)").option("--console", "Run in this terminal (skips mode prompt)").action(async (options) => {
   if (options.service && options.console) {
     console.error("error: --service and --console are mutually exclusive");