tryassay 0.34.0 → 0.35.1

package/dist/lib/formal-verifier.js

@@ -175,7 +175,8 @@ function preprocessCode(code) {
 const KNOWN_BAD_APIS = {
     // JavaScript/TypeScript — non-existent array methods
     '.flatten(': { languages: ['js', 'ts', 'jsx', 'tsx', 'javascript', 'typescript'], correct: '.flat(' },
-    '.contains(': { languages: ['js', 'ts', 'jsx', 'tsx', 'javascript', 'typescript'], correct: '.includes(' },
+    // NOTE: .contains() is NOT a bad API — it exists on Node, DOMTokenList, DOMStringList,
+    // and Supabase query builders. Removed after real-world audit showed 100% false positive rate.
     // Non-existent Object methods
     'Object.fromPairs(': { languages: ['js', 'ts', 'jsx', 'tsx', 'javascript', 'typescript'], correct: 'Object.fromEntries(' },
     'Object.pairs(': { languages: ['js', 'ts', 'jsx', 'tsx', 'javascript', 'typescript'], correct: 'Object.entries(' },
@@ -223,7 +224,7 @@ const PY_BUILTINS = new Set([
     'functools', 'itertools', 'typing', 'pathlib', 'unittest', 'pytest',
 ]);
 // ── Claim Classification ─────────────────────────────────────
-function classifyClaim(claim) {
+export function classifyClaim(claim) {
     const text = `${claim.description} ${claim.assertion}`.toLowerCase();
     const originalText = `${claim.description} ${claim.assertion}`;
     const funcExistsMatch = originalText.match(/(?:function|method|class|constructor)\s+['"`]?(\w+)['"`]?\s+(?:exists?|is\s+defined|is\s+declared|should\s+exist)/i);
@@ -254,30 +255,43 @@ function classifyClaim(claim) {
     if (/(?:parameter|argument)\s+['"`]?(\w+)['"`]?\s+(?:is|of\s+type)/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'parameter_check' };
     }
-    if (claim.category === 'error-handling' &&
-        /(?:handles?\s+(?:errors?|exceptions?|failures?)|try[\s-]catch|error\s+handling|catches?\s+(?:errors?|exceptions?)|wraps?\s+in\s+try)/i.test(text)) {
+    if (/(?:handles?\s+(?:errors?|exceptions?|failures?)|try[\s-]catch|error\s+handling|catches?\s+(?:errors?|exceptions?)|wraps?\s+in\s+try)/i.test(text) ||
+        /(?:catch(?:es)?\s+rejected\s+promises?|network\s+failures?\s+(?:are\s+)?caught)/i.test(text) ||
+        /(?:graceful(?:ly)?\s+(?:handle|fail|degrade|recover))/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'error_handling' };
     }
     if (/(?:null|undefined|nil|none)\s+(?:check|guard|validation|handling|safety)/i.test(text) ||
         /(?:checks?\s+(?:for\s+)?(?:null|undefined|nil|none))|(?:handles?\s+(?:null|undefined|nil|none))/i.test(text) ||
-        /(?:validates?\s+(?:that\s+)?(?:input|parameter|argument)\s+(?:is\s+not\s+)?(?:null|undefined|nil|none))/i.test(text)) {
+        /(?:validates?\s+(?:that\s+)?(?:input|parameter|argument)\s+(?:is\s+not\s+)?(?:null|undefined|nil|none))/i.test(text) ||
+        /(?:undefined|null)\s+(?:\w+\s+){0,3}(?:handled|checked|guarded|safe)/i.test(text) ||
+        /returns?\s+null\b/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'null_check' };
     }
-    if (claim.category === 'type-safety' &&
-        /(?:type\s+annot|typed\s+(?:as|return)|return\s+type|type-safe|strongly\s+typed)/i.test(text)) {
+    if (/(?:type\s+annot|typed\s+(?:as|return)|return\s+type|type-safe|strongly\s+typed)/i.test(text) ||
+        /(?:typescript\s+type|have\s+(?:typescript\s+)?type\s+annotations?)/i.test(text) ||
+        /(?:return\s+types?\s+(?:are\s+)?(?:explicitly\s+)?declared)/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'type_annotation' };
     }
-    if (claim.category === 'security' &&
-        /(?:sql\s+injection|parameterized\s+quer|prepared\s+statement|sql\s+sanitiz|query\s+parameteriz)/i.test(text)) {
+    if (/(?:sql\s+injection|parameterized\s+quer|prepared\s+statement|sql\s+sanitiz|query\s+parameteriz)/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'sql_parameterized' };
     }
-    if (/(?:validates?\s+(?:user\s+)?input|input\s+validation|sanitizes?\s+input|validates?\s+(?:before|prior))/i.test(text)) {
+    if (/(?:validates?\s+(?:user\s+)?input|input\s+validation|sanitizes?\s+input|validates?\s+(?:before|prior))/i.test(text) ||
+        /(?:(?:email|phone|url|format|field|body|parameter)\s+(?:is\s+)?(?:validated?|sanitized?|checked))/i.test(text) ||
+        /(?:(?:validated?|sanitized?|checked)\s+(?:on\s+the\s+)?(?:server|backend|api))/i.test(text) ||
+        /(?:request\s+body\s+(?:fields?\s+)?(?:are\s+)?(?:validated?|sanitized?|checked))/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'input_validation' };
     }
+    // Undefined reference checks — must come before arithmetic to avoid "for calculations" matching arithmetic
+    if (/(?:references?|uses?|accesses?)\s+(?:variable|function|import|module|identifier)\s+['"`]?(\w+)['"`]?/i.test(text) ||
+        /(?:variable|function|import)\s+['"`]?(\w+)['"`]?\s+(?:is\s+)?(?:defined|declared|imported|available)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'undefined_reference' };
+    }
     // Arithmetic correctness checks
-    if (/(?:calculates?|computes?|evaluates?\s+to|sums?|totals?|multiplies?|divides?|averages?|rounds?)/i.test(text) ||
+    if (/(?:calculates?|calculation|computes?|computation|evaluates?\s+to|sums?|totals?|multiplies?|divides?|averages?|rounds?)/i.test(text) ||
         /(?:returns?\s+(?:the\s+)?(?:sum|product|average|total|difference|ratio|percentage|remainder|quotient))/i.test(text) ||
-        /(?:result\s+(?:is|equals?|should\s+be)\s+\d)/i.test(text)) {
+        /(?:result\s+(?:is|equals?|should\s+be)\s+\d)/i.test(text) ||
+        /(?:\d+\s*[+\-*/]\s*\d+\s*=\s*\d)/i.test(text) ||
+        /(?:percentage|percent|ratio)\s*:\s*\d/i.test(text)) {
         return { claim, formallyVerifiable: true, checkType: 'arithmetic_correctness' };
     }
     // API misuse checks
@@ -285,10 +299,100 @@ function classifyClaim(claim) {
         /(?:calls?\s+\w+\.\w+)|(?:uses?\s+\w+\.\w+\s*\()/i.test(originalText)) {
         return { claim, formallyVerifiable: true, checkType: 'api_misuse' };
     }
-    // Undefined reference checks
-    if (/(?:references?|uses?|accesses?)\s+(?:variable|function|import|module|identifier)\s+['"`]?(\w+)['"`]?/i.test(text) ||
-        /(?:variable|function|import)\s+['"`]?(\w+)['"`]?\s+(?:is\s+)?(?:defined|declared|imported|available)/i.test(text)) {
-        return { claim, formallyVerifiable: true, checkType: 'undefined_reference' };
+    // Capacity/limit checks — "supports up to N", "limit of N", "maximum N"
+    if (/(?:supports?\s+up\s+to|limit\s+(?:of\s+)?\d|maximum\s+(?:of\s+)?\d|up\s+to\s+\d|capacity\s+(?:of\s+)?\d)/i.test(text) ||
+        /(?:allows?\s+up\s+to|can\s+(?:hold|handle|store)\s+up\s+to)\s+\d/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'capacity_limit' };
+    }
+    // Security control checks — encryption, authentication, authorization
+    if (/(?:encrypt|decrypt|hashing|hash(?:ed|es|ing)?|ssl|tls|https|cipher)/i.test(text) ||
+        /(?:authenticat|two-factor|2fa|mfa|multi-factor|single\s+sign|sso|oauth|saml|jwt)/i.test(text) ||
+        /(?:authoriz|access\s+control|permission|role-based|rbac|acl)/i.test(text) ||
+        /(?:api\s+key|token|credential|secret|certificate)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'security_control' };
+    }
+    // Compliance checks — regulatory compliance references
+    if (/(?:compl(?:y|ies|iant|iance)\s+with|gdpr|ccpa|hipaa|soc\s*2|pci[\s-]dss|iso\s*2700|ferpa|coppa)/i.test(text) ||
+        /(?:data\s+(?:protection|privacy|retention|deletion)|right\s+to\s+(?:be\s+forgotten|erasure|delete))/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'compliance_check' };
+    }
+    // Connectivity checks — connections, integrations, webhooks
+    if (/(?:connects?\s+(?:to|via|using|with)|websocket|persistent\s+connection|real-time\s+(?:connection|communication))/i.test(text) ||
+        /(?:webhook|callback\s+(?:url|endpoint)|event[\s-]driven|pub[\s/]?sub|message\s+(?:queue|broker))/i.test(text) ||
+        /(?:integrat(?:es?|ion)\s+with|third[\s-]party\s+(?:api|service|integration))/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'connectivity_check' };
+    }
+    // Configuration checks — configurable, customizable, settings
+    if (/(?:configur(?:able|ation|ed)|customiz(?:able|ation|ed|e)|setting|preference|option(?:al|s)?)/i.test(text) ||
+        /(?:adjustable|tuneable|parameteriz|user[\s-]defined|admin[\s-]defined)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'configuration_check' };
+    }
+    // Data handling checks — stores, processes, handles, manages data
+    if (/(?:stores?|storage|persist(?:s|ed|ent|ence)?|saves?|cach(?:es?|ing|ed))/i.test(text) ||
+        /(?:process(?:es|ed|ing)?|transform(?:s|ed|ing)?|convert(?:s|ed|ing)?|pars(?:es?|ing|ed))/i.test(text) ||
+        /(?:handles?\s+(?:data|files?|upload|download|request|response|message|event))/i.test(text) ||
+        /(?:manages?\s+(?:data|files?|state|session|queue|pool|connection))/i.test(text) ||
+        /(?:back(?:up|ed\s+up)|replicate[sd]?|mirror(?:s|ed|ing)?|(?:daily|hourly|weekly)\s+(?:backup|snapshot))/i.test(text) ||
+        /(?:retain(?:ed|s)?|retention|ttl|expir(?:es?|ation|y)|purg(?:es?|ing|ed))/i.test(text) ||
+        /(?:export(?:able|ed|s)?|delet(?:able|ed?|ion|ing)|remov(?:able|ed?|al|ing))/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'data_handling' };
+    }
+    // Role/access checks — user roles, permissions, access levels
+    // Must come before pricing_billing to avoid "billing" in "excluding billing" matching pricing
+    if (/(?:(?:owner|admin|moderator|viewer|editor|manager|operator|developer)\s+role)/i.test(text) ||
+        /(?:role\s+(?:has|provides?|grants?|allows?|restricts?))/i.test(text) ||
+        /(?:full\s+access|read[\s-]?only\s+(?:access|dashboard)|restricted?\s+(?:to|access))/i.test(text) ||
+        /(?:permission|privilege|authorization|access\s+level|scoped?\s+to)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'role_access' };
+    }
+    // Pricing/billing checks — costs, prices, subscriptions, billing, refunds
+    if (/(?:costs?\s+\$|price[sd]?\s+(?:at|is|are)?\s*\$|\$\d|per\s+month|per\s+year|\/month|\/year|monthly|annually)/i.test(text) ||
+        /(?:billed?|billing|subscription|invoice|payment|refund|pro[\s-]rata|trial|free\s+trial)/i.test(text) ||
+        /(?:credit\s+card|debit\s+card|ach\s+transfer|usd|dollars?)/i.test(text) ||
+        /(?:cancel(?:lation)?|terminate|downgrade|upgrade)\s+(?:their\s+)?(?:subscription|plan|account)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'pricing_billing' };
+    }
+    // Media processing checks — image/video/photo processing, resizing, optimization
+    if (/(?:resiz(?:e[sd]?|ing)|optimiz(?:e[sd]?|ing|ation)|compress(?:ed|ion|ing)?|thumbnail)/i.test(text) ||
+        /(?:exif|gps\s+(?:data|coordinates?)|metadata|orientation|resolution|1080p|4k|hdr)/i.test(text) ||
+        /(?:(?:photo|image|video|media)\s+(?:process|analyz|transform|convert|generat|strip))/i.test(text) ||
+        /(?:ai\s+(?:moderation|analysis|detection|recognition)|content\s+(?:moderation|analysis|detection|filter))/i.test(text) ||
+        /(?:nudity|violence|hate\s+symbols?|inappropriate|offensive)\s+(?:detection|content|categor)/i.test(text) ||
+        /(?:confidence\s+score|false\s+positive|false\s+negative|sensitivity\s+threshold)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'media_processing' };
+    }
+    // Subjective quality checks — vague/subjective claims about code quality, UX
+    if (/(?:highly\s+(?:performant|available|reliable|scalable|secure))/i.test(text) ||
+        /(?:intuitive|user[\s-]?friendly|well[\s-]?(?:tested|documented|structured|designed))/i.test(text) ||
+        /(?:best\s+practices?|clean\s+code|maintainable|readable)/i.test(text) ||
+        /(?:correctly\s+handles?\s+all\s+(?:edge\s+)?cases?|reliable\s+(?:and|under))/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'subjective_quality' };
+    }
+    // Requirement/constraint checks — must, requires, limited to, within N days
+    if (/(?:must\s+(?:be|have|create|meet|complete|provide|verify|include|use))/i.test(text) ||
+        /(?:requires?\s+(?:a\s+)?(?:valid|proof|minimum|at\s+least))/i.test(text) ||
+        /(?:limited\s+to|restricted\s+to|capped\s+at|within\s+\d+\s+(?:days?|hours?|minutes?|seconds?|months?))/i.test(text) ||
+        /(?:(?:is|are)\s+not\s+(?:eligible|allowed|permitted|available))/i.test(text) ||
+        /(?:do\s+not\s+require|no\s+(?:credit\s+card|account|login|installation)\s+(?:is\s+)?required)/i.test(text) ||
+        /(?:requires?\s+no\s+(?:app|account|login|installation|registration|download))/i.test(text) ||
+        /(?:(?:is|are)\s+not\s+(?:sold|shared|distributed|disclosed|transferred))/i.test(text) ||
+        /(?:will\s+be\s+(?:disconnected|disabled|suspended|terminated|revoked|removed))/i.test(text) ||
+        /(?:after\s+(?:the\s+)?(?:grace|trial|billing)\s+period)/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'requirement_constraint' };
+    }
+    // Feature presence checks — broadest category, catch-all for "provides", "supports", "includes"
+    if (/(?:provides?|supports?|includes?|offers?|enables?|delivers?|features?)/i.test(text) ||
+        /(?:allows?\s+(?:users?|customers?|clients?|admins?|operators?)?\s*(?:to\s+)?)/i.test(text) ||
+        /(?:(?:users?|customers?|clients?|playlists?|devices?|events?|accounts?)\s+(?:\w+\s+){0,4}(?:may|can|are\s+able\s+to|have\s+the\s+ability|(?:may\s+)?be\s+(?:assigned|created|managed|configured|organized)))/i.test(text) ||
+        /(?:accessible|available|capable\s+of|equipped\s+with)/i.test(text) ||
+        /(?:receive[sd]?\s+(?:real[\s-]?time|push|email|sms|notification))/i.test(text) ||
+        /(?:display[sd]?\s+(?:content|data|information|photos?|images?|video))/i.test(text) ||
+        /(?:branded?\s+with|customiz(?:ed?|able)\s+with)/i.test(text) ||
+        /(?:have\s+(?:unique|dedicated|custom)\s+(?:\w+\s+)?(?:urls?|qr|codes?|links?|endpoints?))/i.test(text) ||
+        /(?:(?:is|are)\s+(?:a\s+)?(?:cloud|web|mobile|desktop|saas|platform))/i.test(text) ||
+        /(?:recurring|automatic(?:ally)?|real[\s-]?time|continuous)/i.test(text) ||
+        /(?:(?:may|can)\s+(?:submit|manage|restrict|access|control|create|modify|delete|view|export))/i.test(text)) {
+        return { claim, formallyVerifiable: true, checkType: 'feature_presence' };
     }
     return { claim, formallyVerifiable: false };
 }
@@ -355,9 +459,28 @@ function checkErrorHandling(code, language) {
             evidence = 'Error handling found: try/except block';
     }
     else if (['go', 'golang'].includes(language)) {
-        hasErrorHandling = /if\s+err\s*!=\s*nil/.test(clean);
-        if (hasErrorHandling)
-            evidence = 'Error handling found: if err != nil check';
+        const goPatterns = [
+            /if\s+err\s*!=\s*nil/.test(clean),
+            /errors\.(?:New|Wrap|Is|As|Unwrap)\s*\(/.test(clean),
+            /fmt\.Errorf\s*\(/.test(clean),
+            /panic\s*\(/.test(clean),
+            /recover\s*\(/.test(clean),
+        ];
+        hasErrorHandling = goPatterns.some(Boolean);
+        if (hasErrorHandling) {
+            const mechanisms = [];
+            if (goPatterns[0])
+                mechanisms.push('if err != nil');
+            if (goPatterns[1])
+                mechanisms.push('errors package');
+            if (goPatterns[2])
+                mechanisms.push('fmt.Errorf');
+            if (goPatterns[3])
+                mechanisms.push('panic');
+            if (goPatterns[4])
+                mechanisms.push('recover');
+            evidence = `Error handling found: ${mechanisms.join(', ')}`;
+        }
     }
     else if (['java', 'kotlin', 'scala'].includes(language)) {
         hasErrorHandling = /try\s*\{/.test(clean) && /catch\s*\(/.test(clean);
@@ -365,9 +488,34 @@ function checkErrorHandling(code, language) {
             evidence = 'Error handling found: try/catch block';
     }
     else if (['rust', 'rs'].includes(language)) {
-        hasErrorHandling = /\?\s*;/.test(clean) || /\.unwrap_or/.test(clean) || /match\s+.*\{[^}]*Err/.test(clean);
-        if (hasErrorHandling)
-            evidence = 'Error handling found: Result/? operator or match on Err';
+        const rustPatterns = [
+            /\?\s*[;,)]/.test(clean),
+            /\.unwrap_or(?:_else|_default)?\s*\(/.test(clean),
+            /match\s+.*\{[^}]*Err/.test(clean),
+            /\.map_err\s*\(/.test(clean),
+            /\.ok\(\)\s*\?/.test(clean),
+            /\.expect\s*\(/.test(clean),
+            /if\s+let\s+(?:Ok|Err|Some|None)\s*\(/.test(clean),
+        ];
+        hasErrorHandling = rustPatterns.some(Boolean);
+        if (hasErrorHandling) {
+            const mechanisms = [];
+            if (rustPatterns[0])
+                mechanisms.push('? operator');
+            if (rustPatterns[1])
+                mechanisms.push('.unwrap_or*()');
+            if (rustPatterns[2])
+                mechanisms.push('match on Err');
+            if (rustPatterns[3])
+                mechanisms.push('.map_err()');
+            if (rustPatterns[4])
+                mechanisms.push('.ok()?');
+            if (rustPatterns[5])
+                mechanisms.push('.expect()');
+            if (rustPatterns[6])
+                mechanisms.push('if let Ok/Err/Some/None');
+            evidence = `Error handling found: ${mechanisms.join(', ')}`;
+        }
     }
     else {
         hasErrorHandling = /try\s*[{:]/.test(clean) && /catch|except|rescue/.test(clean);
@@ -421,6 +569,36 @@ function checkNullHandling(code, language) {
         if (hasNullCheck)
             evidence = 'Null handling found: nil check';
     }
+    else if (['rust', 'rs'].includes(language)) {
+        const rustPatterns = [
+            /\.is_some\(\)/.test(clean),
+            /\.is_none\(\)/.test(clean),
+            /\.unwrap_or/.test(clean),
+            /if\s+let\s+Some\s*\(/.test(clean),
+            /match\s+.*\{[^}]*None/.test(clean),
+            /\.map\s*\(/.test(clean) && /Option/.test(clean),
+            /\.ok_or/.test(clean),
+        ];
+        hasNullCheck = rustPatterns.some(Boolean);
+        if (hasNullCheck) {
+            const mechanisms = [];
+            if (rustPatterns[0])
+                mechanisms.push('.is_some()');
+            if (rustPatterns[1])
+                mechanisms.push('.is_none()');
+            if (rustPatterns[2])
+                mechanisms.push('.unwrap_or*()');
+            if (rustPatterns[3])
+                mechanisms.push('if let Some');
+            if (rustPatterns[4])
+                mechanisms.push('match on None');
+            if (rustPatterns[5])
+                mechanisms.push('Option.map()');
+            if (rustPatterns[6])
+                mechanisms.push('.ok_or*()');
+            evidence = `Null handling found: ${mechanisms.join(', ')}`;
+        }
+    }
     else {
         hasNullCheck = /(?:null|nil|None|undefined|NULL)\s*[!=]/.test(clean) || /[!=]\s*(?:null|nil|None|undefined|NULL)/.test(clean);
         if (hasNullCheck)
@@ -467,6 +645,60 @@ function checkTypeAnnotations(code, language) {
             evidence = `Type safety found: ${details.join(', ')}`;
         }
     }
+    else if (['go', 'golang'].includes(language)) {
+        const funcTypes = /func\s+\w+\s*\([^)]*\w+\s+\w+/.test(clean);
+        const returnTypes = /\)\s*(?:\(.*\)|[\w*]+)\s*\{/.test(clean);
+        const structFields = /\w+\s+(?:string|int|float|bool|byte|error|interface|map|func|chan|\[\]|\*\w)/.test(clean);
+        hasTypes = funcTypes || returnTypes || structFields;
+        if (hasTypes) {
+            const details = [];
+            if (funcTypes)
+                details.push('typed function parameters');
+            if (returnTypes)
+                details.push('return type declarations');
+            if (structFields)
+                details.push('typed struct fields');
+            evidence = `Type safety found: ${details.join(', ')}`;
+        }
+    }
+    else if (['rust', 'rs'].includes(language)) {
+        const fnTypes = /fn\s+\w+\s*[(<].*->/.test(clean);
+        const letTypes = /let\s+(?:mut\s+)?\w+\s*:\s*\w+/.test(clean);
+        const structTypes = /struct\s+\w+/.test(clean);
+        const traitTypes = /(?:trait|impl)\s+\w+/.test(clean);
+        const genericTypes = /<\w+(?:\s*:\s*\w+)?>/.test(clean);
+        hasTypes = fnTypes || letTypes || structTypes || traitTypes || genericTypes;
+        if (hasTypes) {
+            const details = [];
+            if (fnTypes)
+                details.push('typed function signatures');
+            if (letTypes)
+                details.push('typed let bindings');
+            if (structTypes)
+                details.push('struct definitions');
+            if (traitTypes)
+                details.push('trait/impl definitions');
+            if (genericTypes)
+                details.push('generic types');
+            evidence = `Type safety found: ${details.join(', ')}`;
+        }
+    }
+    else if (['java', 'kotlin', 'scala'].includes(language)) {
+        const classTypes = /class\s+\w+/.test(clean);
+        const methodTypes = /(?:public|private|protected|static)\s+\w+\s+\w+\s*\(/.test(clean);
+        const varTypes = /(?:int|long|double|float|boolean|String|List|Map|Set|char|byte|void)\s+\w+/.test(clean);
+        hasTypes = classTypes || methodTypes || varTypes;
+        if (hasTypes) {
+            const details = [];
+            if (classTypes)
+                details.push('class definitions');
+            if (methodTypes)
+                details.push('typed method signatures');
+            if (varTypes)
+                details.push('typed variable declarations');
+            evidence = `Type safety found: ${details.join(', ')}`;
+        }
+    }
     else {
         hasTypes = /:\s*\w+/.test(clean) || /\w+\s+\w+\s*[=(]/.test(clean);
         evidence = hasTypes ? 'Type annotations detected' : 'No type annotations found';
@@ -553,8 +785,18 @@ function checkSQLParameterized(code, language) {
             confidence: 1,
         };
     }
+    // Tagged template SQL libraries (postgres.js, slonik, pglite, sql-template-strings/tag)
+    // use ${} as parameterization — not string concatenation. Suppress template literal checks.
+    const usesTaggedTemplateSql = /from\s+['"]postgres['"]/.test(codeForSQL) ||
+        /require\s*\(\s*['"]postgres['"]\s*\)/.test(codeForSQL) ||
+        /from\s+['"]slonik['"]/.test(codeForSQL) ||
+        /from\s+['"]@electric-sql\/pglite['"]/.test(codeForSQL) ||
+        /from\s+['"]sql-template-strings['"]/.test(codeForSQL) ||
+        /from\s+['"]sql-template-tag['"]/.test(codeForSQL) ||
+        /postgres\.Sql\b/.test(codeForSQL);
+    const templateLiteralConcat = /`[^`]*(?:SELECT|INSERT|UPDATE|DELETE)[^`]*\$\{(?![\d])/i.test(codeForSQL);
     const stringConcat = /(?:SELECT|INSERT|UPDATE|DELETE)[^'"]*\+\s*\w+/i.test(codeForSQL) ||
-        /`[^`]*(?:SELECT|INSERT|UPDATE|DELETE)[^`]*\$\{(?![\d])/i.test(codeForSQL) ||
+        (templateLiteralConcat && !usesTaggedTemplateSql) || // suppress if tagged template lib
         /(?:SELECT|INSERT|UPDATE|DELETE)[^'"]*%s/i.test(codeForSQL) ||
         /(?:SELECT|INSERT|UPDATE|DELETE)[^'"]*\.format\s*\(/i.test(codeForSQL) ||
         /f['"][^'"]*(?:SELECT|INSERT|UPDATE|DELETE)/i.test(codeForSQL);
@@ -564,7 +806,8 @@ function checkSQLParameterized(code, language) {
         /:\w+/.test(codeForSQL) ||
         /\.prepare\s*\(/.test(clean) ||
         /(?:prisma|drizzle|typeorm|sequelize)\./i.test(clean) ||
-        /\.query\s*\([^,]+,\s*\[/.test(clean);
+        /\.query\s*\([^,]+,\s*\[/.test(clean) ||
+        usesTaggedTemplateSql; // tagged template libs ARE parameterized
     const safe = parameterized && !stringConcat;
     return {
         claimId: '',
@@ -589,6 +832,8 @@ function checkInputValidation(code, language) {
         /if\s*\(\s*!?\s*\w+\s*\|\|\s*typeof/.test(clean),
         /throw\s+new\s+(?:Error|TypeError|ValidationError|BadRequest)/i.test(clean),
         /(?:required|minLength|maxLength|min|max|pattern|regex)\s*[:(=]/i.test(clean),
+        /\.test\s*\(\s*\w+\s*\)/.test(clean),
+        /\.match\s*\(\s*\//.test(clean),
     ];
     const hasValidation = patterns.some(Boolean);
     const mechanisms = [];
@@ -606,6 +851,10 @@ function checkInputValidation(code, language) {
         mechanisms.push('validation error throwing');
     if (patterns[7])
         mechanisms.push('constraint definitions');
+    if (patterns[8])
+        mechanisms.push('regex .test() validation');
+    if (patterns[9])
+        mechanisms.push('regex .match() validation');
     return {
         claimId: '',
         checkType: 'input_validation',
@@ -844,6 +1093,299 @@ function checkUndefinedReference(code, language, claim) {
         confidence: 1,
     };
 }
+// ── Behavioral Claim Verifiers ───────────────────────────────
+// These verify claims about system behavior by checking code for evidence
+// of the described functionality. They look for structural patterns that
+// indicate whether the claimed behavior is implemented.
+function checkFeaturePresence(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`.toLowerCase();
+    // Extract key nouns/features from the claim text
+    const featureWords = text
+        .replace(/(?:provides?|supports?|includes?|offers?|enables?|delivers?|features?|allows?|may|can|the|a|an|is|are|with|for|to|of|and|or|in|on|by|via|from|has|have|be|been|that|this|their|its|each|all|any|users?|customers?|clients?|service|system|application|platform|app)\b/gi, '')
+        .trim()
+        .split(/\s+/)
+        .filter(w => w.length > 3);
+    // Check if at least some of the feature-related words appear in the code
+    // Use substring match (not word boundary) to catch camelCase like getAnalytics
+    const matchCount = featureWords.filter(w => {
+        try {
+            return new RegExp(w.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&'), 'i').test(clean);
+        }
+        catch {
+            return false;
+        }
+    }).length;
+    const matchRatio = featureWords.length > 0 ? matchCount / featureWords.length : 0;
+    // If we find enough related terms in the code, the feature is likely present
+    const hasEvidence = matchRatio >= 0.3 || matchCount >= 2;
+    return {
+        claimId: claim.id,
+        checkType: 'feature_presence',
+        verdict: hasEvidence ? 'PASS' : 'FAIL',
+        evidence: hasEvidence
+            ? `Feature-related terms found in source (${matchCount}/${featureWords.length} terms match)`
+            : `Feature-related terms not found in source (${matchCount}/${featureWords.length} terms match)`,
+        confidence: 1,
+    };
+}
+function checkDataHandling(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`.toLowerCase();
+    const patterns = [
+        { test: /(?:fs\.|readFile|writeFile|createReadStream|createWriteStream)/i.test(clean), label: 'file I/O operations' },
+        { test: /(?:localStorage|sessionStorage|indexedDB|\.setItem|\.getItem)/i.test(clean), label: 'browser storage' },
+        { test: /(?:database|db\.|\.query|\.insert|\.update|\.delete|\.find|\.save|mongoose|prisma|drizzle|knex|sequelize)/i.test(clean), label: 'database operations' },
+        { test: /(?:cache|redis|memcache|lru|\.set\s*\(|\.get\s*\()/i.test(clean), label: 'caching layer' },
+        { test: /(?:upload|download|multer|formidable|busboy|multipart)/i.test(clean), label: 'file upload/download' },
+        { test: /(?:JSON\.parse|JSON\.stringify|serialize|deserialize|marshal|unmarshal)/i.test(clean), label: 'data serialization' },
+        { test: /(?:transform|convert|map|reduce|filter|pipe|stream)/i.test(clean), label: 'data transformation' },
+        { test: /(?:backup|snapshot|replicate|mirror|clone|copy)/i.test(clean), label: 'data backup/replication' },
+        { test: /(?:encrypt|decrypt|hash|hmac|cipher)/i.test(clean), label: 'data encryption' },
+        { test: /(?:queue|worker|job|task|bull|agenda|rabbitmq|kafka)/i.test(clean), label: 'message queue/worker' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasDataHandling = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'data_handling',
+        verdict: hasDataHandling ? 'PASS' : 'FAIL',
+        evidence: hasDataHandling
+            ? `Data handling found: ${found.map(f => f.label).join(', ')}`
+            : 'No data handling patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkConfiguration(code, language, claim) {
+    const clean = preprocessCode(code);
+    const patterns = [
+        { test: /(?:config|configuration|settings|preferences|options)\s*[=:{]/i.test(clean), label: 'configuration object' },
+        { test: /(?:\.env|process\.env|import\.meta\.env|os\.environ)/i.test(clean), label: 'environment variables' },
+        { test: /(?:default[A-Z]\w*|DEFAULT_|DEFAULTS)\s*[=:]/i.test(clean), label: 'default values' },
+        { test: /(?:\.config\.|\.settings\.|\.options\.|\.preferences\.)/i.test(clean), label: 'config accessors' },
+        { test: /(?:configurable|customizable|adjustable)/i.test(clean), label: 'configurability markers' },
+        { test: /(?:theme|color|font|style|layout|display)\s*[=:{]/i.test(clean), label: 'display configuration' },
+        { test: /(?:enable|disable|toggle|switch|flag)\s*[=:(]/i.test(clean), label: 'feature flags' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasConfig = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'configuration_check',
+        verdict: hasConfig ? 'PASS' : 'FAIL',
+        evidence: hasConfig
+            ? `Configuration patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No configuration patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkCapacityLimit(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`;
+    // Extract the numeric limit from the claim
+    const limitMatch = text.match(/(?:up\s+to|limit\s+(?:of\s+)?|maximum\s+(?:of\s+)?|capacity\s+(?:of\s+)?)(\d[\d,]*)/i);
+    const limitValue = limitMatch ? limitMatch[1].replace(/,/g, '') : null;
+    const patterns = [
+        { test: /(?:MAX_|LIMIT_|CAPACITY_|MAX[A-Z])\w*\s*[=:]/i.test(clean), label: 'limit constants' },
+        { test: /(?:\.length\s*[<>=]|\.size\s*[<>=]|\.count\s*[<>=])/i.test(clean), label: 'size comparisons' },
+        { test: /(?:quota|throttle|rate[\s_-]?limit|max[\s_-]?(?:size|count|items|users|connections))/i.test(clean), label: 'capacity controls' },
+        { test: limitValue !== null && new RegExp(`\\b${limitValue}\\b`).test(clean), label: `limit value ${limitValue} in code` },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasLimit = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'capacity_limit',
+        verdict: hasLimit ? 'PASS' : 'FAIL',
+        evidence: hasLimit
+            ? `Capacity/limit patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No capacity limit patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkSecurityControl(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`.toLowerCase();
+    const patterns = [
+        { test: /(?:crypto|bcrypt|argon2|scrypt|pbkdf2|sha256|sha512|hmac)/i.test(clean), label: 'cryptographic operations' },
+        { test: /(?:encrypt|decrypt|cipher|aes|rsa)/i.test(clean), label: 'encryption/decryption' },
+        { test: /(?:jwt|jsonwebtoken|passport|oauth|openid)/i.test(clean), label: 'authentication library' },
+        { test: /(?:authorize|permission|role|grant|deny|allow|forbid|access[\s_-]?control)/i.test(clean), label: 'authorization' },
+        { test: /(?:token|bearer|session|cookie|csrf|xsrf)/i.test(clean), label: 'session/token management' },
+        { test: /(?:ssl|tls|https|certificate|cert)/i.test(clean), label: 'TLS/SSL' },
+        { test: /(?:hash|salt|pepper|digest)/i.test(clean), label: 'hashing' },
+        { test: /(?:api[\s_-]?key|secret[\s_-]?key|credentials?)/i.test(clean), label: 'credential management' },
+        { test: /(?:mfa|two[\s_-]?factor|2fa|totp|hotp|otp)/i.test(clean), label: 'multi-factor auth' },
+        { test: /(?:cors|csp|helmet|content[\s_-]?security[\s_-]?policy)/i.test(clean), label: 'security headers' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasSecurityControl = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'security_control',
+        verdict: hasSecurityControl ? 'PASS' : 'FAIL',
+        evidence: hasSecurityControl
+            ? `Security controls found: ${found.map(f => f.label).join(', ')}`
+            : 'No security control patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkCompliance(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`.toLowerCase();
+    const patterns = [
+        { test: /(?:gdpr|data[\s_-]?protection|privacy[\s_-]?policy)/i.test(clean), label: 'GDPR/data protection' },
+        { test: /(?:consent|opt[\s_-]?(?:in|out)|cookie[\s_-]?(?:consent|banner|notice))/i.test(clean), label: 'consent management' },
+        { test: /(?:delete[\s_-]?(?:account|data|user)|erase|purge|anonymize|pseudonymize)/i.test(clean), label: 'data deletion/anonymization' },
+        { test: /(?:audit[\s_-]?(?:log|trail)|logging|tracking|compliance)/i.test(clean), label: 'audit logging' },
+        { test: /(?:retention|expir(?:y|ation)|ttl|data[\s_-]?lifecycle)/i.test(clean), label: 'data retention' },
+        { test: /(?:encrypt|hash|mask|redact|sensitive)/i.test(clean), label: 'data protection measures' },
+        { test: /(?:access[\s_-]?(?:log|control)|rbac|permission|role)/i.test(clean), label: 'access controls' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasCompliance = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'compliance_check',
+        verdict: hasCompliance ? 'PASS' : 'FAIL',
+        evidence: hasCompliance
+            ? `Compliance-related patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No compliance-related patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkConnectivity(code, language, claim) {
+    const clean = preprocessCode(code);
+    const patterns = [
+        { test: /(?:websocket|ws\.|wss:|socket\.io|\.on\s*\(\s*['"](?:connect|message|open|close))/i.test(clean), label: 'WebSocket' },
+        { test: /(?:webhook|callback[\s_-]?url|event[\s_-]?(?:handler|listener|emitter))/i.test(clean), label: 'webhook/event handling' },
+        { test: /(?:fetch|axios|got|superagent|request|http\.(?:get|post|put|delete)|XMLHttpRequest)/i.test(clean), label: 'HTTP client' },
+        { test: /(?:mqtt|amqp|rabbitmq|kafka|redis\.(?:pub|sub)|pubsub|nats)/i.test(clean), label: 'message broker' },
+        { test: /(?:grpc|protobuf|graphql|rest[\s_-]?api|api[\s_-]?endpoint)/i.test(clean), label: 'API protocol' },
+        { test: /(?:sse|server[\s_-]?sent|EventSource|text\/event-stream)/i.test(clean), label: 'server-sent events' },
+        { test: /(?:\.connect\s*\(|\.listen\s*\(|createServer|createConnection)/i.test(clean), label: 'connection management' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasConnectivity = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'connectivity_check',
+        verdict: hasConnectivity ? 'PASS' : 'FAIL',
+        evidence: hasConnectivity
+            ? `Connectivity patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No connectivity patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkPricingBilling(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`;
+    // Extract price from claim
+    const priceMatch = text.match(/\$\s*([\d,]+(?:\.\d{2})?)/);
+    const priceValue = priceMatch ? priceMatch[1].replace(/,/g, '') : null;
+    const patterns = [
+        { test: /(?:price|cost|amount|rate|fee|charge)\s*[=:]/i.test(clean), label: 'price definitions' },
+        { test: /(?:stripe|paypal|braintree|paddle|lemon[\s_-]?squeezy|billing)/i.test(clean), label: 'payment provider' },
+        { test: /(?:subscription|plan|tier|pricing)/i.test(clean), label: 'subscription logic' },
+        { test: /(?:invoice|receipt|charge|refund|credit)/i.test(clean), label: 'billing operations' },
+        { test: /(?:trial|free[\s_-]?tier|freemium)/i.test(clean), label: 'trial/free tier' },
+        { test: priceValue !== null && new RegExp(`\\b${priceValue}\\b`).test(clean), label: `price value $${priceValue} in code` },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasPricing = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'pricing_billing',
+        verdict: hasPricing ? 'PASS' : 'FAIL',
+        evidence: hasPricing
+            ? `Pricing/billing patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No pricing/billing patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkRoleAccess(code, language, claim) {
+    const clean = preprocessCode(code);
+    const patterns = [
+        { test: /(?:role|permission|privilege|access[\s_-]?level)/i.test(clean), label: 'role/permission definitions' },
+        { test: /(?:admin|moderator|viewer|editor|owner|manager|operator)/i.test(clean), label: 'role names' },
+        { test: /(?:can(?:Access|Edit|Delete|View|Manage)|has(?:Permission|Role|Access))/i.test(clean), label: 'permission checks' },
+        { test: /(?:authorize|isAuthorized|checkPermission|requireRole|guardRole)/i.test(clean), label: 'authorization logic' },
+        { test: /(?:rbac|acl|policy|grant|deny|allow|forbid)/i.test(clean), label: 'access control' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasRoleAccess = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'role_access',
+        verdict: hasRoleAccess ? 'PASS' : 'FAIL',
+        evidence: hasRoleAccess
+            ? `Role/access patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No role/access patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkMediaProcessing(code, language, claim) {
+    const clean = preprocessCode(code);
+    const patterns = [
+        { test: /(?:sharp|jimp|canvas|imagemagick|gm|pillow|opencv)/i.test(clean), label: 'image processing library' },
+        { test: /(?:resize|crop|rotate|flip|thumbnail|scale)/i.test(clean), label: 'image transformation' },
+        { test: /(?:exif|metadata|orientation|gps|geolocation)/i.test(clean), label: 'metadata handling' },
+        { test: /(?:rekognition|vision|detect|moderate|classify|label)/i.test(clean), label: 'AI/ML analysis' },
+        { test: /(?:confidence|score|threshold|probability)/i.test(clean), label: 'confidence scoring' },
+        { test: /(?:upload|download|stream|buffer|blob|file)/i.test(clean), label: 'file handling' },
+        { test: /(?:compress|optimize|quality|format|convert)/i.test(clean), label: 'media optimization' },
+        { test: /(?:ffmpeg|video|audio|transcode|encode|decode)/i.test(clean), label: 'video/audio processing' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasMediaProcessing = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'media_processing',
+        verdict: hasMediaProcessing ? 'PASS' : 'FAIL',
+        evidence: hasMediaProcessing
+            ? `Media processing patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No media processing patterns found in source code',
+        confidence: 1,
+    };
+}
+function checkSubjectiveQuality(code, language, claim) {
+    // Subjective claims cannot be formally verified with high confidence.
+    // We classify them to route them to formal checking, but always PASS
+    // with a note that they require human/LLM judgment.
+    return {
+        claimId: claim.id,
+        checkType: 'subjective_quality',
+        verdict: 'PASS',
+        evidence: 'Subjective quality claim — formal check defers to code review and testing',
+        confidence: 1,
+    };
+}
+function checkRequirementConstraint(code, language, claim) {
+    const clean = preprocessCode(code);
+    const text = `${claim.description} ${claim.assertion}`;
+    // Extract numeric constraints from the claim
+    const numericMatch = text.match(/(\d+)\s+(?:characters?|days?|hours?|minutes?|months?|items?|devices?|users?|members?)/i);
+    const numericValue = numericMatch ? numericMatch[1] : null;
+    const patterns = [
+        { test: /(?:require|mandatory|must|shall|enforce)/i.test(clean), label: 'requirement enforcement' },
+        { test: /(?:validate|check|verify|assert|guard)/i.test(clean), label: 'validation logic' },
+        { test: /(?:minimum|maximum|min\b|max\b|limit|constraint|threshold)/i.test(clean), label: 'constraint definitions' },
+        { test: /(?:if\s*\(|throw|reject|deny|forbid|prevent)/i.test(clean), label: 'constraint enforcement' },
+        { test: numericValue !== null && new RegExp(`\\b${numericValue}\\b`).test(clean), label: `constraint value ${numericValue} in code` },
+        { test: /(?:regex|pattern|match|test\s*\()/i.test(clean), label: 'pattern matching' },
+    ];
+    const found = patterns.filter(p => p.test);
+    const hasConstraint = found.length > 0;
+    return {
+        claimId: claim.id,
+        checkType: 'requirement_constraint',
+        verdict: hasConstraint ? 'PASS' : 'FAIL',
+        evidence: hasConstraint
+            ? `Requirement/constraint patterns found: ${found.map(f => f.label).join(', ')}`
+            : 'No requirement/constraint patterns found in source code',
+        confidence: 1,
+    };
+}
 // ── Main Entry Point ─────────────────────────────────────────
 export function runFormalVerification(code, language, claims, llmVerifications) {
     const classified = claims.map(c => classifyClaim(c));
@@ -885,6 +1427,42 @@ export function runFormalVerification(code, language, claims, llmVerifications)
             case 'undefined_reference':
                 result = checkUndefinedReference(code, language, c.claim);
                 break;
+            case 'feature_presence':
+                result = checkFeaturePresence(code, language, c.claim);
+                break;
+            case 'data_handling':
+                result = checkDataHandling(code, language, c.claim);
+                break;
+            case 'configuration_check':
+                result = checkConfiguration(code, language, c.claim);
+                break;
+            case 'capacity_limit':
+                result = checkCapacityLimit(code, language, c.claim);
+                break;
+            case 'security_control':
+                result = checkSecurityControl(code, language, c.claim);
+                break;
+            case 'compliance_check':
+                result = checkCompliance(code, language, c.claim);
+                break;
+            case 'connectivity_check':
+                result = checkConnectivity(code, language, c.claim);
+                break;
+            case 'pricing_billing':
+                result = checkPricingBilling(code, language, c.claim);
+                break;
+            case 'role_access':
+                result = checkRoleAccess(code, language, c.claim);
+                break;
+            case 'media_processing':
+                result = checkMediaProcessing(code, language, c.claim);
+                break;
+            case 'subjective_quality':
+                result = checkSubjectiveQuality(code, language, c.claim);
+                break;
+            case 'requirement_constraint':
+                result = checkRequirementConstraint(code, language, c.claim);
+                break;
             default:
                 continue;
         }
@@ -932,4 +1510,584 @@ export function runFormalVerification(code, language, claims, llmVerifications)
         },
     };
 }
+/**
+ * Find async function line ranges by tracking brace depth.
+ * Returns array of [startLine, endLine] (1-indexed).
+ */
+function findAsyncFunctionRanges(lines) {
+    const ranges = [];
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i];
+        // Match async function declarations or async arrow functions assigned to const/let/var
+        if (/\basync\s+function\b/.test(line) || /\basync\s*\(/.test(line) || /\basync\s+\w+\s*=>/.test(line)) {
+            // Find the opening brace on this line or the next few lines
+            let braceStart = -1;
+            let searchLine = i;
+            while (searchLine < Math.min(i + 5, lines.length)) {
+                if (lines[searchLine].includes('{')) {
+                    braceStart = searchLine;
+                    break;
+                }
+                searchLine++;
+            }
+            if (braceStart === -1) {
+                i++;
+                continue;
+            }
+            // Count braces to find the closing brace
+            let depth = 0;
+            let j = braceStart;
+            while (j < lines.length) {
+                for (const ch of lines[j]) {
+                    if (ch === '{')
+                        depth++;
+                    else if (ch === '}') {
+                        depth--;
+                        if (depth === 0) {
+                            ranges.push([i + 1, j + 1]); // 1-indexed
+                            break;
+                        }
+                    }
+                }
+                if (depth === 0)
+                    break;
+                j++;
+            }
+            i = j + 1;
+        }
+        else {
+            i++;
+        }
+    }
+    return ranges;
+}
+/**
+ * Scan code line-by-line for issues without requiring a claim object.
+ * Suitable for development-time hooks (pre-commit, editor integration).
+ */
+export function runClaimlessChecks(code, language) {
+    const findings = [];
+    const lines = code.split('\n');
+    const langLower = language.toLowerCase();
+    const isJsTs = ['js', 'ts', 'jsx', 'tsx', 'javascript', 'typescript'].includes(langLower);
+    // Preprocess code for pattern matching (strips comments/strings)
+    const clean = preprocessCode(code);
+    const cleanLines = clean.split('\n');
+    // ── 1. SQL Injection (string concatenation in SQL context) ───
+    if (isJsTs) {
+        // Look for string concatenation where the string STARTS with a SQL keyword.
+        // This avoids false positives on display strings like "Updated " + count + " records from..."
+        // We check the original line for a string literal starting with SELECT/INSERT/UPDATE/DELETE.
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // Must have string concatenation
+            if (/"__STR__"\s*\+\s*\w/.test(cl) ||
+                /\w\s*\+\s*"__STR__"/.test(cl) ||
+                /`__STR__`\s*\+\s*\w/.test(cl) ||
+                /\w\s*\+\s*`__STR__`/.test(cl)) {
+                // Check if the original line has a string that STARTS with a SQL command
+                // e.g., "SELECT * FROM users WHERE id = " + userId
+                const origLine = lines[i] ?? '';
+                if (/['"`]\s*(SELECT|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b/i.test(origLine)) {
+                    findings.push({
+                        checkType: 'sql_parameterized',
+                        line: i + 1,
+                        evidence: `SQL query built with string concatenation on line ${i + 1} — use parameterized queries instead`,
+                        severity: 'critical',
+                    });
+                }
+            }
+        }
+    }
+    // ── 2. API Misuse (KNOWN_BAD_APIS) ───────────────────────────
+    for (const [badApi, info] of Object.entries(KNOWN_BAD_APIS)) {
+        if (info.languages.length === 0)
+            continue;
+        if (!info.languages.includes(langLower))
+            continue;
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (cleanLines[i].includes(badApi)) {
+                findings.push({
+                    checkType: 'api_misuse',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses '${badApi.replace(/[()]/g, '')}' which does not exist in ${language}. Use '${info.correct}' instead.`,
+                    severity: 'critical',
+                });
+                break; // One finding per bad API pattern
+            }
+        }
+    }
+    // ── 3. Error Handling (async without try/catch) ──────────────
+    if (isJsTs) {
+        const asyncRanges = findAsyncFunctionRanges(lines);
+        for (const [startLine, endLine] of asyncRanges) {
+            // Extract the function body (1-indexed → 0-indexed slice)
+            const bodyLines = cleanLines.slice(startLine - 1, endLine);
+            const bodyText = bodyLines.join('\n');
+            const hasAwait = /\bawait\b/.test(bodyText);
+            const hasTryCatch = /\btry\s*\{/.test(bodyText) && /\}\s*catch\s*\(/.test(bodyText);
+            const hasDotCatch = /\.catch\s*\(/.test(bodyText);
+            if (hasAwait && !hasTryCatch && !hasDotCatch) {
+                findings.push({
+                    checkType: 'error_handling',
+                    line: startLine,
+                    evidence: `Async function starting at line ${startLine} uses 'await' without try/catch error handling`,
+                    severity: 'high',
+                });
+            }
+        }
+    }
+    // ── 4. Input Validation (unvalidated req.body/params/query) ──
+    if (isJsTs) {
+        // Detect direct property access from req.body / req.params / req.query
+        // without any validation (zod, joi, express-validator, manual checks)
+        const hasValidation = /(?:z\.|joi\.|Joi\.|validate\(|schema\.|\.parse\(|\.safeParse\(|\.check\(|\.validate\()/.test(clean);
+        if (!hasValidation) {
+            for (let i = 0; i < cleanLines.length; i++) {
+                const cl = cleanLines[i];
+                if (/\breq\.(body|params|query)\b/.test(cl)) {
+                    findings.push({
+                        checkType: 'input_validation',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} accesses req.body/params/query without apparent input validation (no zod/joi/validate pattern found)`,
+                        severity: 'high',
+                    });
+                    break; // One finding per file for this pattern
+                }
+            }
+        }
+    }
+    // ── 5. Null Safety (non-null assertions without guard) ───────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // TypeScript non-null assertion !. without a preceding null check
+            if (/\w+!\.\w+/.test(cl)) {
+                // Skip if line also has a null check
+                if (!/(?:\?\?|&&|\?\.)/.test(cl)) {
+                    findings.push({
+                        checkType: 'null_check',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} uses non-null assertion (!.) without a null guard — consider optional chaining (?.) instead`,
+                        severity: 'medium',
+                    });
+                }
+            }
+        }
+    }
+    // ── 6. Security Controls (eval, innerHTML assignment, hardcoded secrets) ──
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            const orig = lines[i] ?? '';
+            // eval() usage
+            if (/\beval\s*\(/.test(cl)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses eval() — arbitrary code execution risk`,
+                    severity: 'critical',
+                });
+                continue;
+            }
+            // innerHTML assignment (write, not read)
+            if (/\.innerHTML\s*=/.test(cl)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} assigns to innerHTML — XSS risk, use textContent or a sanitizer instead`,
+                    severity: 'critical',
+                });
+                continue;
+            }
+            // Hardcoded secrets — check original line (preprocessCode strips string contents)
+            // Pattern: assignment of a value starting with known secret prefixes, or key=value with secret keyword
+            if (/\bsk_live_[A-Za-z0-9]+/.test(orig) ||
+                /\bsk_test_[A-Za-z0-9]+/.test(orig) ||
+                /(?:api_key|password|secret)\s*[=:]\s*["'`][^"'`]{8,}/.test(orig)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} appears to contain a hardcoded secret or API key — use environment variables instead`,
+                    severity: 'critical',
+                });
+            }
+        }
+    }
+    // ── 7. Data Handling (JSON.parse without try/catch) ───────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\bJSON\.parse\s*\(/.test(cleanLines[i])) {
+                // Check up to 10 lines above for an enclosing try {
+                const windowStart = Math.max(0, i - 10);
+                const context = cleanLines.slice(windowStart, i + 1).join('\n');
+                if (!/\btry\s*\{/.test(context)) {
+                    findings.push({
+                        checkType: 'data_handling',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} calls JSON.parse() without a surrounding try/catch — throws on invalid JSON`,
+                        severity: 'high',
+                    });
+                }
+            }
+        }
+    }
+    // ── 8. Configuration Check (process.env without fallback) ─────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            if (/\bprocess\.env\.\w+/.test(cl)) {
+                // Passes if line has ?? or || or ternary (? ... :)
+                if (!/(?:\?\?|\|\||\?\s*[^?])/.test(cl)) {
+                    findings.push({
+                        checkType: 'configuration_check',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} reads process.env without a fallback value — may be undefined at runtime`,
+                        severity: 'high',
+                    });
+                }
+            }
+        }
+    }
+    // ── 9. Undefined References (deprecated package imports) ──────
+    if (isJsTs) {
+        const DEPRECATED_IMPORTS = ['request', 'request-promise', 'node-fetch@2'];
+        for (const pkg of DEPRECATED_IMPORTS) {
+            // Match exact package name in from 'pkg' or require('pkg') — not subpaths like 'request/...'
+            const escapedPkg = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const importPattern = new RegExp(`(?:from\\s+['"]${escapedPkg}['"]|require\\s*\\(\\s*['"]${escapedPkg}['"]\\s*\\))`);
+            for (let i = 0; i < lines.length; i++) {
+                if (importPattern.test(lines[i])) {
+                    findings.push({
+                        checkType: 'undefined_reference',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} imports deprecated package '${pkg}' — use a maintained alternative (e.g., node-fetch v3, got, or native fetch)`,
+                        severity: 'high',
+                    });
+                    break; // One finding per deprecated package
+                }
+            }
+        }
+    }
+    // ── 10. Type Annotations (exported functions missing return type) ─
+    // Skip .tsx files entirely — React components conventionally omit return types
+    if (langLower === 'typescript' || langLower === 'ts') {
+        for (let i = 0; i < lines.length; i++) {
+            const orig = lines[i];
+            // Match `export function name(` or `export async function name(`
+            // Skip `export default function` — common React/Next.js pattern that omits return type
+            // Skip Next.js route handlers (GET, POST, PUT, DELETE, PATCH) — conventionally untyped
+            if (/export\s+(?:async\s+)?function\s+\w+\s*\(/.test(orig) &&
+                !/export\s+default\s+(?:async\s+)?function/.test(orig) &&
+                !/export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s*\(/.test(orig)) {
+                // Extract the portion from the opening paren to end of line
+                // A return type annotation looks like `): SomeType` after the closing paren
+                // We check if the line (or up to 2 continuation lines) contains `): `
+                const snippet = lines.slice(i, Math.min(i + 3, lines.length)).join(' ');
+                if (!/\)\s*:\s*\w/.test(snippet)) {
+                    findings.push({
+                        checkType: 'type_annotation',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} exports a function without an explicit return type annotation`,
+                        severity: 'medium',
+                    });
+                }
+            }
+        }
+    }
+    // ── 11. Connectivity Check (fetch/axios without timeout) ──────
+    // Use original lines (not cleanLines) because preprocessCode mangles URLs with // in them
+    if (isJsTs) {
+        for (let i = 0; i < lines.length; i++) {
+            const orig = lines[i];
+            if (/\bfetch\s*\(/.test(orig) || /\baxios\b/.test(orig)) {
+                // Check this line plus the next 2 lines for AbortSignal / timeout / signal
+                const window = lines.slice(i, Math.min(i + 3, lines.length)).join('\n');
+                if (!/(?:AbortSignal|timeout|signal)/.test(window)) {
+                    findings.push({
+                        checkType: 'connectivity_check',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} makes a network request without a timeout or AbortSignal — may hang indefinitely`,
+                        severity: 'medium',
+                    });
+                }
+            }
+        }
+    }
+    // ── 12. Async forEach (silently drops promises) ──────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\.forEach\s*\(\s*async\b/.test(cleanLines[i])) {
+                findings.push({
+                    checkType: 'error_handling',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} passes async callback to forEach — promises are silently dropped. Use for...of with await instead`,
+                    severity: 'critical',
+                });
+            }
+        }
+    }
+    // ── 13. Console.log/debug in production code ───────────────
+    if (isJsTs) {
+        // Count total console.log/debug calls in the file
+        // If >5, the file is likely a CLI tool, logger, or test helper — skip entirely
+        const consoleLogCount = cleanLines.filter(l => /\bconsole\.(log|debug)\s*\(/.test(l)).length;
+        if (consoleLogCount <= 5) {
+            for (let i = 0; i < cleanLines.length; i++) {
+                if (/\bconsole\.(log|debug)\s*\(/.test(cleanLines[i])) {
+                    findings.push({
+                        checkType: 'debug_artifact',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} has console.log/debug statement — remove before production`,
+                        severity: 'medium',
+                    });
+                }
+            }
+        }
+    }
+    // ── 14. Loose equality (== null, != undefined) ─────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // Skip lines that are entirely comments (preprocessCode empties them)
+            if (/^\s*$/.test(cl))
+                continue;
+            // Use cleanLines to avoid matching inside comments/strings
+            if (/[^!=]==\s*(null|undefined)\b/.test(cl) && !/===\s*(null|undefined)\b/.test(cl)) {
+                findings.push({
+                    checkType: 'equality_check',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses loose equality (==) with null/undefined — use strict equality (===) instead`,
+                    severity: 'medium',
+                });
+            }
+            // Check for != (but not !==)
+            if (/(?<!=)!=\s*(null|undefined)\b/.test(cl) && !/!==\s*(null|undefined)\b/.test(cl)) {
+                findings.push({
+                    checkType: 'equality_check',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses loose inequality (!=) with null/undefined — use strict inequality (!==) instead`,
+                    severity: 'medium',
+                });
+            }
+        }
+    }
+    // ── 15. RegExp injection (user input to new RegExp) ────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // After preprocessCode, string literals become "__STR__"
+            // Flag: new RegExp(variable) where arg is NOT a string literal
+            if (/\bnew\s+RegExp\s*\(/.test(cl) && !/\bnew\s+RegExp\s*\(\s*"__STR__"/.test(cl)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} passes a variable to new RegExp() — user-controlled patterns can cause ReDoS. Escape input or use a literal regex`,
+                    severity: 'critical',
+                });
+            }
+        }
+    }
+    // ── 16. Promise.all without error handling ─────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\bPromise\.all\s*\(/.test(cleanLines[i])) {
+                const windowStart = Math.max(0, i - 5);
+                const windowEnd = Math.min(cleanLines.length, i + 6);
+                const context = cleanLines.slice(windowStart, windowEnd).join('\n');
+                const hasCatch = /\.catch\s*\(/.test(context);
+                const hasTryCatch = /\btry\s*\{/.test(context) && /\}\s*catch\s*\(/.test(context);
+                if (!hasCatch && !hasTryCatch) {
+                    findings.push({
+                        checkType: 'error_handling',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} uses Promise.all() without error handling — one rejection crashes all. Consider Promise.allSettled() or add .catch()`,
+                        severity: 'high',
+                    });
+                }
+            }
+        }
+    }
+    // ── 17. parseInt without radix ─────────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\bparseInt\s*\(\s*\w[^,)]*\)/.test(cleanLines[i])) {
+                findings.push({
+                    checkType: 'api_misuse',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} calls parseInt() without radix parameter — may produce unexpected results with leading zeros`,
+                    severity: 'medium',
+                });
+            }
+        }
+    }
+    // ── 18. Fetch body on GET/HEAD ─────────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < lines.length; i++) {
+            // Use original lines since preprocessCode strips string contents
+            if (/\bfetch\s*\(/.test(lines[i])) {
+                const windowEnd = Math.min(lines.length, i + 10);
+                const block = lines.slice(i, windowEnd).join('\n');
+                const hasGetOrHead = /method\s*:\s*['"](?:GET|HEAD)['"]/i.test(block);
+                const hasBody = /\bbody\s*:/.test(block);
+                if (hasGetOrHead && hasBody) {
+                    findings.push({
+                        checkType: 'api_misuse',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} sends a body with GET/HEAD request — body is ignored by most servers`,
+                        severity: 'high',
+                    });
+                }
+            }
+        }
+    }
+    // ── 19. addEventListener without cleanup in useEffect ──────
+    if (isJsTs) {
+        const codeText = cleanLines.join('\n');
+        if (/\buseEffect\b/.test(codeText) && /\baddEventListener\b/.test(codeText)) {
+            const addCount = (codeText.match(/\baddEventListener\b/g) || []).length;
+            const removeCount = (codeText.match(/\bremoveEventListener\b/g) || []).length;
+            if (addCount > removeCount) {
+                // Find the first addEventListener line for the line number
+                for (let i = 0; i < cleanLines.length; i++) {
+                    if (/\baddEventListener\b/.test(cleanLines[i])) {
+                        findings.push({
+                            checkType: 'resource_leak',
+                            line: i + 1,
+                            evidence: `Line ${i + 1} has addEventListener in useEffect without matching removeEventListener — memory leak`,
+                            severity: 'high',
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    // ── 20. Empty catch block ──────────────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // catch (e) {} or catch {} on same line
+            if (/\bcatch\s*(?:\(\s*\w*\s*\))?\s*\{\s*\}/.test(cl)) {
+                findings.push({
+                    checkType: 'error_handling',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} has empty catch block — swallows errors silently. At minimum log the error`,
+                    severity: 'high',
+                });
+                continue;
+            }
+            // catch block where { is at end of line and } is on the next line (with only whitespace)
+            if (/\bcatch\s*(?:\(\s*\w*\s*\))?\s*\{\s*$/.test(cl)) {
+                const nextLine = cleanLines[i + 1];
+                if (nextLine !== undefined && /^\s*\}\s*$/.test(nextLine)) {
+                    findings.push({
+                        checkType: 'error_handling',
+                        line: i + 1,
+                        evidence: `Line ${i + 1} has empty catch block — swallows errors silently. At minimum log the error`,
+                        severity: 'high',
+                    });
+                }
+            }
+        }
+    }
+    // ── 21. dangerouslySetInnerHTML ────────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\bdangerouslySetInnerHTML\b/.test(cleanLines[i])) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses dangerouslySetInnerHTML — bypasses React XSS protection. Ensure input is sanitized`,
+                    severity: 'critical',
+                });
+            }
+        }
+    }
+    // ── 22. Hardcoded http:// URLs (not localhost) ─────────────
+    if (isJsTs) {
+        for (let i = 0; i < lines.length; i++) {
+            const orig = lines[i];
+            if (/['"`]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)/.test(orig)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} has hardcoded http:// URL — use https:// to prevent mixed content and MITM attacks`,
+                    severity: 'medium',
+                });
+                break; // One per file
+            }
+        }
+    }
+    // ── 23. document.write() ───────────────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\bdocument\.write\s*\(/.test(cleanLines[i])) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} uses document.write() — overwrites page content if called after load. Consider DOM manipulation or iframe-based printing instead`,
+                    severity: 'medium',
+                });
+            }
+        }
+    }
+    // ── 24. setTimeout/setInterval with string argument ────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            // After preprocessCode, string literals become "__STR__"
+            if (/\b(?:setTimeout|setInterval)\s*\(\s*"__STR__"/.test(cl)) {
+                findings.push({
+                    checkType: 'security_control',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} passes a string to setTimeout/setInterval — acts as eval(). Use a function instead`,
+                    severity: 'critical',
+                });
+            }
+        }
+    }
+    // ── 25. Missing await on fetch() ───────────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            const cl = cleanLines[i];
+            if (/(?:const|let|var)\s+\w+\s*=\s*fetch\s*\(/.test(cl) && !/\bawait\b/.test(cl)) {
+                findings.push({
+                    checkType: 'error_handling',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} assigns fetch() without await — variable holds a Promise, not the Response`,
+                    severity: 'high',
+                });
+            }
+        }
+    }
+    // ── 26. Throw string instead of Error ──────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < lines.length; i++) {
+            if (/\bthrow\s+["'`]/.test(lines[i])) {
+                findings.push({
+                    checkType: 'error_handling',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} throws a string literal — stack trace will be lost. Use throw new Error(...) instead`,
+                    severity: 'medium',
+                });
+            }
+        }
+    }
+    // ── 27. Array.sort without comparator ──────────────────────
+    if (isJsTs) {
+        for (let i = 0; i < cleanLines.length; i++) {
+            if (/\.sort\s*\(\s*\)/.test(cleanLines[i])) {
+                findings.push({
+                    checkType: 'api_misuse',
+                    line: i + 1,
+                    evidence: `Line ${i + 1} calls .sort() without comparator — converts elements to strings. [10,2,1].sort() gives [1,10,2]`,
+                    severity: 'medium',
+                });
+            }
+        }
+    }
+    return findings;
+}
 //# sourceMappingURL=formal-verifier.js.map