diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89aad0e..8f2b8a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [0.2.17] - 2026-04-07
+
+### Added
+
+#### Security Scanning Expansion (35 to 101 Rules)
+- 30 new OWASP Top 10 anti-pattern rules across Python, JS/TS, Go, Java/Kotlin, Ruby: SQL injection (%-formatting, concatenation), command injection, SSRF (dynamic URL construction), path traversal, insecure deserialization (marshal), weak PRNG, debug mode, hardcoded IPs, CORS wildcard, NoSQL injection, prototype pollution, open redirects, unsafe RegExp, jQuery .html() XSS, Go fmt.Sprintf SQL, Go InsecureSkipVerify, Java XXE/deserialization/weak ciphers, Ruby system/send
+- 35 framework-specific rules: Django (8), Flask (5), Express (7), Spring (6), Rails (5), General (4) covering mark_safe, csrf_exempt, debug toolbar, hardcoded secrets, ALLOWED_HOSTS wildcard, insecure session cookies, send_file traversal, default CORS, template literal SQL, JWT decode without verify, actuator exposure, html_safe, permit!, GraphQL introspection, httpOnly=false, and more
+
+#### Custom Security Rule Language
+- `.attocode/rules/*.yaml` user-defined security patterns with id, pattern (regex), message, severity, cwe, languages, scan_comments, and optional fix (search/replace autofix template)
+- `custom_rules.py` module: `load_custom_rules()` validates and loads YAML rule files; `get_autofix_from_rules()` extracts fix templates; rules merged into scanner pipeline at scan time
+- Support for single-rule and multi-rule YAML files, graceful handling of missing PyYAML
+
+#### Security Autofix Diff Generation
+- `fix_diff` field on `SecurityFinding` dataclass with unified diff format for mechanical fixes
+- `_AUTOFIX_TEMPLATES` for 4 built-in patterns: yaml.safe_load, shell=False, tempfile.mkstemp, verify=True
+- Custom rule autofixes from YAML `fix` field merged into pipeline
+- `format_report()` renders autofix diffs inline with findings
+
+#### Intra-Procedural Data Flow Analysis
+- `dataflow.py` taint tracking engine: tracks sources (request params, input(), sys.argv, environ) through variable assignments to sinks (SQL, shell, file I/O, HTTP, HTML) within individual functions
+- Supports Python and JavaScript/TypeScript with const/let/var declaration handling
+- `dataflow_scan` MCP tool: reports CWE-89 (SQLi), CWE-78 (CMDi), CWE-79 (XSS), CWE-22 (path traversal), CWE-918 (SSRF)
+- Variable extraction from f-strings, .format(), %-formatting, template literals, and concatenation
+
+#### Code-Optimized Embedding Model
+- `CodeEmbeddingProvider` class with BAAI/bge-base-en-v1.5 (768-dim, ~440MB) for code-specific semantic search
+- Auto-detect order: BGE (code-optimized) > all-MiniLM-L6-v2 > OpenAI > null fallback
+- Explicit `"bge"` option via `ATTOCODE_EMBEDDING_MODEL=bge`
+
+#### Semantic Search Quality Uplift
+- `_expand_query()`: AST-aware query expansion with language hints and construct-related terms (e.g. "auth" expands with "login", "token", "session")
+- `_summarize_code_to_nl()`: heuristic NL summarization of code symbols for BM25 index
+- All search paths (vector, keyword, two-stage, fallback) now use expanded queries
+
+#### regex_search MCP Tool
+- User-facing trigram-accelerated regex search with clean file:line: text output format
+- Hardcoded selectivity threshold, brute-force fallback when trigram index unavailable
+
+#### Agent-Optimized Composite Tools
+- `review_change` MCP tool: unified security + conventions on changed files; auto-detects git-modified files
+- `explain_impact` MCP tool: impact analysis + community detection + temporal coupling narrative with risk assessment
+- `suggest_tests` MCP tool: test file discovery via naming conventions, imports, and indirect coverage
+
+#### Architecture Drift Detection
+- `architecture_drift.py` module: loads `.attocode/architecture.yaml` boundary definitions (layers, allowed/denied rules, file-level exceptions)
+- `check_drift()` compares actual dependency graph against declared rules; HIGH (deny) and MEDIUM (unlisted) severity
+- `architecture_drift` MCP tool registered in server
+
+#### Go Symbol Extraction Improvements
+- `_find_go_doc_comment()`: extracts consecutive // doc comment lines preceding declarations
+- `_extract_go_receiver()`: captures method receiver type as parent_class
+- Go visibility detection: uppercase = public, lowercase = private
+- `var_types` field on `_LangConfig`; Go config includes const_declaration, var_declaration
+- Doc comments wired through to FileAST via codebase_ast.py
+
+### Changed
+- `SecurityScanner` loads custom rules and autofixes from `.attocode/rules/` at init
+- `_scan_content()` checks both built-in and custom autofix templates
+- BM25 index builder includes NL summaries of function/class names for better query matching
+- `search()` method accepts `expand_query` parameter (default True)
+- Server tool count updated from 40 to 47
+
+### Tests
+- 284 new tests across 8 test files (283 pass, 1 xfail for Go parenthesized var block)
+- `test_embeddings.py` (21): CodeEmbeddingProvider, auto-detect routing, caching, NullEmbeddingProvider
+- `test_new_security_rules.py` (107): all 30 new OWASP rules with positive + negative assertions
+- `test_security_autofix.py` (37): autofix templates, fix_diff generation, unified diff format, report rendering
+- `test_search_tools.py` (+7): regex_search matching, case sensitivity, max_results, path filter
+- `test_go_symbols.py` (33): visibility, config, doc comments, method receivers, const/var, integration
+- `test_dataflow.py` (22): variable extraction, function parsing, Python/JS taint, report formatting
+- `test_architecture_drift.py` (23): layer classification, YAML loading, deny/allowed violations, exceptions, formatting
+
## [0.2.16] - 2026-04-05
### Added
diff --git a/src/attocode/code_intel/server.py b/src/attocode/code_intel/server.py
index d5ed384..143fac0 100644
--- a/src/attocode/code_intel/server.py
+++ b/src/attocode/code_intel/server.py
@@ -1,6 +1,6 @@
"""MCP server exposing Attocode's code intelligence capabilities.
-Provides 40 tools for deep codebase understanding:
+Provides 43 tools for deep codebase understanding:
- bootstrap: All-in-one orientation (summary + map + conventions + search)
- relevant_context: Subgraph capsule for file(s) with neighbors and symbols
- repo_map: Token-budgeted file tree with symbols
@@ -39,6 +39,9 @@
- distill: Distill code into compressed representations
- code_evolution: Trace how code has changed over time
- recent_changes: Show recent file modifications
+- review_change: Unified change review (security + conventions)
+- explain_impact: Blast radius explanation with risk assessment
+- suggest_tests: Test file recommendations for changed files
Usage::
@@ -569,6 +572,7 @@ def _instrument_all_tools() -> None:
import attocode.code_intel.tools.query_constraints_tools as _query_constraints_tools # noqa: E402, F401
import attocode.code_intel.tools.query_history_tools as _query_history_tools # noqa: E402, F401
import attocode.code_intel.tools.readiness_tools as _readiness_tools # noqa: E402, F401
+import attocode.code_intel.tools.composite_tools as _composite_tools # noqa: E402, F401
import attocode.code_intel.tools.search_tools as _search_tools # noqa: E402, F401
from attocode.code_intel.helpers import ( # noqa: E402, F401
_compute_file_metrics,
@@ -609,6 +613,11 @@ def _instrument_all_tools() -> None:
code_evolution = _history_tools.code_evolution # noqa: E402
recent_changes = _history_tools.recent_changes # noqa: E402
+review_change = _composite_tools.review_change # noqa: E402
+explain_impact = _composite_tools.explain_impact # noqa: E402
+suggest_tests = _composite_tools.suggest_tests # noqa: E402
+architecture_drift = _composite_tools.architecture_drift # noqa: E402
+
bootstrap = _navigation_tools.bootstrap # noqa: E402
conventions = _navigation_tools.conventions # noqa: E402
project_summary = _navigation_tools.project_summary # noqa: E402
diff --git a/src/attocode/code_intel/tools/composite_tools.py b/src/attocode/code_intel/tools/composite_tools.py
new file mode 100644
index 0000000..6775354
--- /dev/null
+++ b/src/attocode/code_intel/tools/composite_tools.py
@@ -0,0 +1,610 @@
+"""Composite tools for the code-intel MCP server.
+
+Tools: review_change, explain_impact, suggest_tests.
+
+These tools combine multiple analysis passes into single, agent-optimized
+calls that reduce round-trips and produce richer context than calling
+individual tools sequentially.
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+import subprocess
+
+from attocode.code_intel._shared import (
+ _get_context_mgr,
+ _get_project_dir,
+ _get_service,
+ mcp,
+)
+
+logger = logging.getLogger(__name__)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _git_modified_files(project_dir: str) -> list[str]:
+ """Return list of git-modified file paths (relative to project root)."""
+ try:
+ result = subprocess.run(
+ ["git", "diff", "--name-only", "HEAD"],
+ cwd=project_dir,
+ capture_output=True,
+ text=True,
+ timeout=15,
+ )
+ files = [f.strip() for f in result.stdout.splitlines() if f.strip()]
+ if not files:
+ # Also check staged files
+ result = subprocess.run(
+ ["git", "diff", "--name-only", "--cached"],
+ cwd=project_dir,
+ capture_output=True,
+ text=True,
+ timeout=15,
+ )
+ files = [f.strip() for f in result.stdout.splitlines() if f.strip()]
+ return files
+ except (FileNotFoundError, subprocess.TimeoutExpired, OSError) as exc:
+ logger.debug("Failed to get git-modified files: %s", exc)
+ return []
+
+
+def _find_test_files_by_convention(file_path: str, project_dir: str) -> list[str]:
+ """Find test files matching naming conventions for a source file.
+
+ Checks for: test_X.py, X_test.py, __tests__/X.test.ts, X.spec.ts, etc.
+ """
+ from pathlib import Path
+
+ basename = Path(file_path).stem
+ ext = Path(file_path).suffix
+ parent = str(Path(file_path).parent)
+
+ candidates = []
+
+ if ext in (".py",):
+ # Python conventions: test_X.py, X_test.py
+ candidates.extend([
+ os.path.join(parent, f"test_{basename}.py"),
+ os.path.join(parent, f"{basename}_test.py"),
+ # tests/ mirror directory
+ file_path.replace("src/", "tests/", 1).replace(
+ f"{basename}.py", f"test_{basename}.py"
+ ),
+ # tests/unit/ mirror
+ "tests/unit/" + file_path.lstrip("src/").replace(
+ f"{basename}.py", f"test_{basename}.py"
+ ),
+ # tests/test_X.py flat layout
+ f"tests/test_{basename}.py",
+ ])
+ elif ext in (".ts", ".tsx", ".js", ".jsx"):
+ # JS/TS conventions
+ test_ext = ".test" + ext
+ spec_ext = ".spec" + ext
+ candidates.extend([
+ os.path.join(parent, f"{basename}{test_ext}"),
+ os.path.join(parent, f"{basename}{spec_ext}"),
+ os.path.join(parent, "__tests__", f"{basename}{test_ext}"),
+ os.path.join(parent, "__tests__", f"{basename}{spec_ext}"),
+ ])
+ elif ext in (".go",):
+ # Go convention: X_test.go in same directory
+ candidates.append(os.path.join(parent, f"{basename}_test.go"))
+ elif ext in (".rs",):
+ # Rust: tests/X.rs or inline #[cfg(test)] (can't find inline from path)
+ candidates.append(os.path.join(parent, "tests", f"{basename}.rs"))
+ elif ext in (".java", ".kt"):
+ # Java/Kotlin: mirror src/main -> src/test
+ candidates.append(
+ file_path.replace("src/main/", "src/test/", 1).replace(
+ f"{basename}{ext}", f"{basename}Test{ext}"
+ )
+ )
+
+ # Deduplicate and filter to existing files
+ seen: set[str] = set()
+ existing: list[str] = []
+ for c in candidates:
+ c = os.path.normpath(c)
+ if c in seen:
+ continue
+ seen.add(c)
+ full = os.path.join(project_dir, c)
+ if os.path.isfile(full):
+ existing.append(c)
+
+ return existing
+
+
+# ---------------------------------------------------------------------------
+# Tools
+# ---------------------------------------------------------------------------
+
+
+@mcp.tool()
+def review_change(
+ files: list[str] | None = None,
+ mode: str = "full",
+) -> str:
+ """Comprehensive change review combining security, bug, and convention analysis.
+
+ Runs multiple analysis passes on changed files and produces a unified
+ report. Much more efficient than calling each tool individually.
+
+ Args:
+ files: List of file paths to review (default: git-modified files).
+ mode: Review depth -- 'quick' (security only), 'full' (all checks).
+
+ Returns:
+ Unified review report with categorized findings.
+ """
+ project_dir = _get_project_dir()
+
+ # Resolve files to review
+ if files is None:
+ files = _git_modified_files(project_dir)
+ if not files:
+ return "No files to review. Provide file paths or ensure git has modified files."
+
+ if mode not in ("quick", "full"):
+ return f"Error: Invalid mode '{mode}'. Use 'quick' or 'full'."
+
+ svc = _get_service()
+ report_sections: list[str] = []
+ total_findings = 0
+
+ # --- Security scan ---
+ security_text = ""
+ try:
+ # Scan each file's directory to scope the results
+ scanned_paths: set[str] = set()
+ for f in files:
+ scan_path = os.path.dirname(f) or ""
+ if scan_path not in scanned_paths:
+ scanned_paths.add(scan_path)
+
+ # Run a single security scan (scoped to project)
+ security_text = svc.security_scan(mode="full", path="")
+ except Exception as exc:
+ security_text = f"Security scan error: {exc}"
+
+ if security_text:
+ # Filter findings to only mention changed files
+ relevant_lines: list[str] = []
+ for line in security_text.splitlines():
+ # Include header/summary lines and lines mentioning changed files
+ if any(f in line for f in files) or not line.startswith(" "):
+ relevant_lines.append(line)
+ filtered_security = "\n".join(relevant_lines) if relevant_lines else security_text
+
+ # Count findings (lines with severity indicators)
+ finding_markers = ("HIGH", "MEDIUM", "LOW", "CRITICAL", "WARNING")
+ sec_findings = sum(
+ 1 for line in filtered_security.splitlines()
+ if any(m in line.upper() for m in finding_markers)
+ )
+ total_findings += sec_findings
+ report_sections.append(f"## Security ({sec_findings} finding(s))\n\n{filtered_security}")
+
+ # --- Conventions check (full mode only) ---
+ if mode == "full":
+ conventions_text = ""
+ try:
+ conventions_text = svc.conventions(sample_size=25, path="")
+ except Exception as exc:
+ conventions_text = f"Conventions check error: {exc}"
+
+ if conventions_text:
+ report_sections.append(f"## Conventions\n\n{conventions_text}")
+
+ # --- Build report ---
+ file_list = "\n".join(f" - {f}" for f in files)
+ header = (
+ f"# Change Review Report ({mode} mode)\n\n"
+ f"Files reviewed ({len(files)}):\n{file_list}\n"
+ )
+
+ body = "\n\n".join(report_sections) if report_sections else "No findings."
+
+ # Assessment
+ if total_findings == 0:
+ assessment = "No security issues found. Code looks clean."
+ elif total_findings <= 3:
+ assessment = f"{total_findings} finding(s) detected. Review recommended before merging."
+ else:
+ assessment = (
+ f"{total_findings} finding(s) detected. "
+ "Careful review required -- multiple issues found."
+ )
+
+ summary = f"\n\n## Summary\n\n{assessment}"
+
+ return header + "\n" + body + summary
+
+
+@mcp.tool()
+def explain_impact(
+ files: list[str],
+ depth: int = 3,
+) -> str:
+ """Explain the blast radius of changing files with rich context.
+
+ Combines impact analysis, community detection, and temporal coupling
+ to provide a comprehensive understanding of what would be affected
+ by changes to the specified files.
+
+ Args:
+ files: File paths to analyze (relative to project root).
+ depth: Maximum depth for dependency traversal (default 3).
+
+ Returns:
+ Narrative explanation of the change impact.
+ """
+ if not files:
+ return "Error: No files specified for impact analysis."
+
+ if depth < 1:
+ depth = 1
+ elif depth > 5:
+ depth = 5
+
+ svc = _get_service()
+ sections: list[str] = []
+
+ # --- Impact analysis ---
+ impact_text = ""
+ try:
+ impact_text = svc.impact_analysis(files)
+ except Exception as exc:
+ impact_text = f"Impact analysis error: {exc}"
+
+ if impact_text:
+ sections.append(f"## Direct Impact\n\n{impact_text}")
+
+ # --- Community detection ---
+ community_text = ""
+ try:
+ community_text = svc.community_detection(
+ min_community_size=2, max_communities=10,
+ )
+ except Exception as exc:
+ community_text = f"Community detection error: {exc}"
+
+ if community_text:
+ # Extract relevant community info for the target files
+ relevant_community_lines: list[str] = []
+ in_relevant_community = False
+ for line in community_text.splitlines():
+ if any(f in line for f in files):
+ in_relevant_community = True
+ if in_relevant_community:
+ relevant_community_lines.append(line)
+ # Reset at community boundaries
+ if in_relevant_community and line.strip() == "":
+ in_relevant_community = False
+
+ if relevant_community_lines:
+ filtered_community = "\n".join(relevant_community_lines)
+ sections.append(
+ f"## Module Community\n\n"
+ f"The changed files belong to these communities:\n\n"
+ f"{filtered_community}"
+ )
+ else:
+ sections.append(f"## Module Community\n\n{community_text}")
+
+ # --- Temporal coupling ---
+ coupling_sections: list[str] = []
+ high_coupling_files: list[tuple[str, str]] = [] # (file, coupling_info)
+ for f in files:
+ try:
+ coupling_text = svc.change_coupling(
+ file=f, days=90, min_coupling=0.3, top_k=10,
+ )
+ if coupling_text and "no " not in coupling_text.lower():
+ coupling_sections.append(f"### {f}\n{coupling_text}")
+ # Track high-coupling pairs for risk assessment
+ for line in coupling_text.splitlines():
+ if any(
+ marker in line
+ for marker in ("0.8", "0.9", "1.0", "score: 0.7")
+ ):
+ high_coupling_files.append((f, line.strip()))
+ except Exception as exc:
+ coupling_sections.append(f"### {f}\nTemporal coupling error: {exc}")
+
+ if coupling_sections:
+ sections.append(
+ "## Temporal Coupling (git co-change history)\n\n"
+ + "\n\n".join(coupling_sections)
+ )
+
+ # --- Risk assessment ---
+ risk_level = "LOW"
+ risk_reasons: list[str] = []
+
+ # Check impact breadth
+ if impact_text:
+ affected_count = impact_text.count("\n")
+ if affected_count > 20:
+ risk_level = "HIGH"
+ risk_reasons.append(
+ f"Large blast radius: {affected_count}+ files potentially affected"
+ )
+ elif affected_count > 10:
+ risk_level = "MEDIUM"
+ risk_reasons.append(
+ f"Moderate blast radius: ~{affected_count} files potentially affected"
+ )
+
+ # Check temporal coupling
+ if high_coupling_files:
+ if risk_level == "LOW":
+ risk_level = "MEDIUM"
+ risk_reasons.append(
+ f"{len(high_coupling_files)} file(s) with high temporal coupling "
+ "(often change together -- verify they don't need updates too)"
+ )
+
+ # Check if multiple communities are affected
+ if len(files) > 1:
+ risk_reasons.append(
+ f"Changes span {len(files)} files -- cross-cutting changes "
+ "may affect multiple modules"
+ )
+
+ risk_summary = (
+ f"## Risk Assessment: {risk_level}\n\n"
+ + ("\n".join(f" - {r}" for r in risk_reasons) if risk_reasons else " - No elevated risk factors detected.")
+ )
+ sections.append(risk_summary)
+
+ # --- Compose narrative ---
+ file_list = ", ".join(f"`{f}`" for f in files)
+ header = f"# Impact Analysis for {file_list}\n"
+
+ return header + "\n\n".join(sections)
+
+
+@mcp.tool()
+def suggest_tests(
+ files: list[str],
+) -> str:
+ """Suggest which tests to run based on changed files.
+
+ Analyzes dependencies and test file conventions to recommend
+ the most relevant test files for a set of changed source files.
+
+ Args:
+ files: Changed source file paths (relative to project root).
+
+ Returns:
+ Prioritized list of test files to run with reasoning.
+ """
+ if not files:
+ return "Error: No files specified. Provide a list of changed source files."
+
+ project_dir = _get_project_dir()
+
+ # Collect test suggestions with priorities
+ # Priority 1: Direct test files (by naming convention)
+ # Priority 2: Test files that import the changed module
+ # Priority 3: Tests for dependent modules
+ suggestions: dict[str, dict] = {} # path -> {priority, reasons}
+
+ def _add_suggestion(path: str, priority: int, reason: str) -> None:
+ """Add or update a test suggestion."""
+ if path in suggestions:
+ existing = suggestions[path]
+ existing["priority"] = min(existing["priority"], priority)
+ if reason not in existing["reasons"]:
+ existing["reasons"].append(reason)
+ else:
+ suggestions[path] = {"priority": priority, "reasons": [reason]}
+
+ # --- Priority 1: Convention-based test files ---
+ for f in files:
+ convention_tests = _find_test_files_by_convention(f, project_dir)
+ for test_file in convention_tests:
+ _add_suggestion(
+ test_file,
+ priority=1,
+ reason=f"Direct test file for `{f}`",
+ )
+
+ # --- Priority 2: Import-based discovery ---
+ try:
+ ctx = _get_context_mgr()
+ dep_graph = getattr(ctx, "dependency_graph", None) or getattr(ctx, "_dep_graph", None)
+
+ if dep_graph is not None:
+ for f in files:
+ # Find files that import the changed file (dependents)
+ try:
+ importers = dep_graph.get_importers(f)
+ except (AttributeError, KeyError):
+ try:
+ importers = dep_graph.get_reverse_deps(f)
+ except (AttributeError, KeyError):
+ importers = set()
+
+ for importer in importers:
+ # Check if the importer is a test file
+ importer_lower = importer.lower()
+ is_test = (
+ "test" in importer_lower
+ or "spec" in importer_lower
+ or "__tests__" in importer_lower
+ )
+ if is_test:
+ _add_suggestion(
+ importer,
+ priority=2,
+ reason=f"Imports changed module `{f}`",
+ )
+
+ # --- Priority 3: Tests for dependent modules ---
+ for f in files:
+ try:
+ importers = dep_graph.get_importers(f)
+ except (AttributeError, KeyError):
+ try:
+ importers = dep_graph.get_reverse_deps(f)
+ except (AttributeError, KeyError):
+ importers = set()
+
+ for importer in importers:
+ importer_lower = importer.lower()
+ is_test = (
+ "test" in importer_lower
+ or "spec" in importer_lower
+ or "__tests__" in importer_lower
+ )
+ if not is_test:
+ # Find tests for this dependent module
+ dep_tests = _find_test_files_by_convention(
+ importer, project_dir
+ )
+ for test_file in dep_tests:
+ _add_suggestion(
+ test_file,
+ priority=3,
+ reason=f"Tests dependent module `{importer}` (which imports `{f}`)",
+ )
+ except Exception as exc:
+ logger.debug("Import-based test discovery failed: %s", exc)
+
+ # --- Format output ---
+ if not suggestions:
+ # Fallback: suggest running all tests
+ lines = [
+ "# Test Suggestions\n",
+ "No specific test files found for the changed files.",
+ "",
+ "Changed files:",
+ ]
+ for f in files:
+ lines.append(f" - {f}")
+ lines.extend([
+ "",
+ "Recommendations:",
+ " - Run the full test suite",
+ " - Check if these files have inline tests (e.g., Rust #[cfg(test)])",
+ " - Consider creating test files for untested modules",
+ ])
+ return "\n".join(lines)
+
+ # Sort by priority, then alphabetically
+ sorted_suggestions = sorted(
+ suggestions.items(),
+ key=lambda kv: (kv[1]["priority"], kv[0]),
+ )
+
+ priority_labels = {
+ 1: "DIRECT",
+ 2: "IMPORTS",
+ 3: "INDIRECT",
+ }
+
+ lines = [
+ "# Test Suggestions\n",
+ f"Found {len(sorted_suggestions)} test file(s) for "
+ f"{len(files)} changed file(s).\n",
+ ]
+
+ current_priority = 0
+ for test_path, info in sorted_suggestions:
+ priority = info["priority"]
+ if priority != current_priority:
+ current_priority = priority
+ label = priority_labels.get(priority, f"P{priority}")
+ lines.append(f"\n## Priority {priority} ({label})\n")
+
+ lines.append(f" {test_path}")
+ for reason in info["reasons"]:
+ lines.append(f" - {reason}")
+
+ # Summary
+ by_priority: dict[int, int] = {}
+ for info in suggestions.values():
+ by_priority[info["priority"]] = by_priority.get(info["priority"], 0) + 1
+
+ lines.append("\n## Summary\n")
+ for p in sorted(by_priority):
+ label = priority_labels.get(p, f"P{p}")
+ lines.append(f" {label}: {by_priority[p]} test file(s)")
+
+ lines.append(
+ f"\nRun these {len(sorted_suggestions)} test(s) to validate the changes "
+ f"to {len(files)} file(s)."
+ )
+
+ return "\n".join(lines)
+
+
+@mcp.tool()
+def architecture_drift(
+ config_path: str = "",
+) -> str:
+ """Detect architecture boundary violations in the codebase.
+
+ Compares actual file dependencies against rules defined in
+ .attocode/architecture.yaml. Reports layering violations,
+ unauthorized imports, and circular dependencies.
+
+ Args:
+ config_path: Path to architecture config (default: .attocode/architecture.yaml).
+ """
+ from attocode.integrations.context.architecture_drift import (
+ check_drift,
+ format_report,
+ load_architecture,
+ )
+
+ project_dir = _get_project_dir()
+
+ # If a custom config_path is given, verify it exists
+ if config_path:
+ if not os.path.isfile(config_path):
+ return (
+ f"Error: Architecture config not found at '{config_path}'.\n"
+ "Create a .attocode/architecture.yaml file defining your layers and rules.\n"
+ "See documentation for the expected YAML format."
+ )
+
+ # Check that the default config exists when no override is given
+ if not config_path:
+ default_path = os.path.join(project_dir, ".attocode", "architecture.yaml")
+ if not os.path.isfile(default_path):
+ return (
+ "No architecture config found at .attocode/architecture.yaml.\n\n"
+ "Create this file to define your architecture boundaries. Example:\n\n"
+ " layers:\n"
+ ' - name: presentation\n'
+ ' paths: ["src/api/", "src/routes/"]\n'
+ ' - name: business\n'
+ ' paths: ["src/services/", "src/domain/"]\n'
+ ' - name: data\n'
+ ' paths: ["src/models/", "src/repositories/"]\n\n'
+ " rules:\n"
+ " - from: presentation\n"
+ " to: [business]\n"
+ " deny: [data]\n"
+ " - from: business\n"
+ " to: [data]\n"
+ " deny: [presentation]\n"
+ )
+
+ try:
+ report = check_drift(project_dir)
+ return format_report(report)
+ except Exception as exc:
+ logger.exception("Architecture drift check failed")
+ return f"Error running architecture drift check: {exc}"
diff --git a/src/attocode/code_intel/tools/search_tools.py b/src/attocode/code_intel/tools/search_tools.py
index 129e329..3b4bcc6 100644
--- a/src/attocode/code_intel/tools/search_tools.py
+++ b/src/attocode/code_intel/tools/search_tools.py
@@ -1,6 +1,7 @@
"""Search and security tools for the code-intel MCP server.
-Tools: semantic_search, semantic_search_status, security_scan, fast_search.
+Tools: semantic_search, semantic_search_status, security_scan, fast_search,
+ regex_search.
"""
from __future__ import annotations
@@ -206,6 +207,48 @@ def security_scan(
return _get_service().security_scan(mode=mode, path=path)
+@mcp.tool()
+def dataflow_scan(
+ files: list[str] | None = None,
+ path: str = "",
+) -> str:
+ """Scan for data flow vulnerabilities using taint analysis.
+
+ Tracks user-controlled data (request parameters, input, argv) through
+ variable assignments to dangerous sinks (SQL execution, shell commands,
+ file operations, HTML output). Detects SQL injection (CWE-89), command
+ injection (CWE-78), XSS (CWE-79), path traversal (CWE-22), and SSRF
+ (CWE-918).
+
+ Currently supports Python and JavaScript/TypeScript. Analysis is
+ intra-procedural (within individual functions).
+
+ Args:
+ files: Specific files to analyze (relative paths). Default: all.
+ path: Subdirectory to restrict analysis to.
+ """
+ from attocode.integrations.security.dataflow import analyze_project, format_report
+
+ project_dir = _get_project_dir()
+ if path and not files:
+ import os
+ scan_dir = os.path.join(project_dir, path)
+ if not os.path.isdir(scan_dir):
+ return f"Error: Path not found: {path}"
+ # Discover files in subdirectory
+ _EXTS = {".py", ".js", ".ts", ".jsx", ".tsx"}
+ files = []
+ for dirpath, _, filenames in os.walk(scan_dir):
+ for fname in filenames:
+ if os.path.splitext(fname)[1].lower() in _EXTS:
+ files.append(os.path.relpath(
+ os.path.join(dirpath, fname), project_dir,
+ ))
+
+ report = analyze_project(project_dir, paths=files or None)
+ return format_report(report)
+
+
@mcp.tool()
def fast_search(
pattern: str,
@@ -390,6 +433,106 @@ def fast_search(
return result
+@mcp.tool()
+def regex_search(
+ pattern: str,
+ path: str = "",
+ max_results: int = 50,
+ case_insensitive: bool = False,
+) -> str:
+ """Search code with regex, accelerated by trigram index.
+
+ A straightforward regex search tool that leverages the trigram inverted
+ index for 10-100x speedup over brute-force grep. Useful for finding
+ specific code patterns like function signatures, import statements,
+ or configuration values.
+
+ Args:
+ pattern: Regex pattern to search for.
+ path: Subdirectory to restrict search to (relative to project root).
+ max_results: Maximum number of matching lines to return.
+ case_insensitive: Whether to match case-insensitively.
+ """
+ remote = _get_remote_service()
+ if remote is not None:
+ return remote.regex_search(
+ pattern=pattern,
+ path=path,
+ max_results=max_results,
+ case_insensitive=case_insensitive,
+ )
+
+ import re
+ from pathlib import Path
+
+ project_dir = _get_project_dir()
+ root = Path(project_dir)
+ if path:
+ root = root / path
+ root = root.resolve()
+
+ if not root.exists():
+ return f"Error: Path not found: {root}"
+
+ flags = re.IGNORECASE if case_insensitive else 0
+ try:
+ regex = re.compile(pattern, flags)
+ except re.error as e:
+ return f"Error: Invalid regex pattern: {e}"
+
+ # Try trigram pre-filtering
+ _SELECTIVITY_THRESHOLD = 0.10
+ trigram_idx = _get_trigram_index()
+ candidates: list[str] | None = None
+ used_index = False
+
+ if trigram_idx is not None and trigram_idx.is_ready():
+ candidates = trigram_idx.query(
+ pattern,
+ case_insensitive=case_insensitive,
+ selectivity_threshold=_SELECTIVITY_THRESHOLD,
+ )
+ if candidates is not None:
+ used_index = True
+
+ # Determine files to search
+ if candidates is not None:
+ files = sorted(root / c for c in candidates)
+ else:
+ files = sorted(root.rglob("*"))
+
+ matches: list[str] = []
+ for file in files:
+ if not file.is_file() or file.name.startswith("."):
+ continue
+ try:
+ content = file.read_text(encoding="utf-8", errors="strict")
+ except (UnicodeDecodeError, OSError):
+ continue
+ for i, line in enumerate(content.splitlines(), 1):
+ if regex.search(line):
+ try:
+ rel = file.relative_to(Path(project_dir))
+ except ValueError:
+ rel = file.name
+ matches.append(f"{rel}:{i}: {line.strip()}")
+ if len(matches) >= max_results:
+ break
+ if len(matches) >= max_results:
+ break
+
+ total = len(matches)
+ if not matches:
+ return "No matches found."
+
+ result = "\n".join(matches)
+ if total >= max_results:
+ result += f"\n... (limited to {max_results} results)"
+ index_note = "trigram-indexed" if used_index else "brute-force"
+ result += f"\n{total} match(es) found ({index_note})."
+ return result
+
+
@mcp.tool()
def frecency_search(
pattern: str,
diff --git a/src/attocode/integrations/context/architecture_drift.py b/src/attocode/integrations/context/architecture_drift.py
new file mode 100644
index 0000000..7dc228f
--- /dev/null
+++ b/src/attocode/integrations/context/architecture_drift.py
@@ -0,0 +1,355 @@
+"""Architecture drift detection.
+
+Compares actual file dependencies against declared architecture boundaries
+to detect layering violations, circular dependencies, and unauthorized imports.
+
+Loads rules from ``.attocode/architecture.yaml`` and checks them against the
+real dependency graph built by the AST service.
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+from dataclasses import dataclass, field
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+
+# ---------------------------------------------------------------------------
+# Data classes
+# ---------------------------------------------------------------------------
+
+
+@dataclass(slots=True)
+class ArchViolation:
+ """A single architecture boundary violation."""
+
+ source_file: str # file that has the import
+ target_file: str # file being imported
+ source_layer: str # layer the source belongs to
+ target_layer: str # layer the target belongs to
+ rule: str # human-readable rule description
+ severity: str = "high" # high for deny violations, medium for unlisted
+
+
+@dataclass(slots=True)
+class ArchReport:
+ """Architecture drift detection report."""
+
+ violations: list[ArchViolation]
+ layers_defined: int
+ rules_defined: int
+ files_checked: int
+ compliant_files: int
+
+
+@dataclass
+class ArchLayer:
+ """A named architecture layer with path patterns."""
+
+ name: str
+ paths: list[str]
+
+ def matches(self, file_path: str) -> bool:
+ """Check if a file belongs to this layer.
+
+ Uses forward-slash normalised prefix matching so that OS-specific
+ separators do not cause false negatives.
+ """
+ normalised = file_path.replace(os.sep, "/")
+ for path_prefix in self.paths:
+ prefix = path_prefix.replace(os.sep, "/")
+ if normalised.startswith(prefix):
+ return True
+ return False
+
+
+@dataclass
+class ArchRule:
+ """A dependency rule between layers."""
+
+ from_layer: str
+ allowed: list[str] = field(default_factory=list)
+ denied: list[str] = field(default_factory=list)
+
+
+# ---------------------------------------------------------------------------
+# Loading
+# ---------------------------------------------------------------------------
+
+
+def load_architecture(
+ project_dir: str,
+) -> tuple[list[ArchLayer], list[ArchRule], dict[str, list[str]]]:
+ """Load architecture definitions from ``.attocode/architecture.yaml``.
+
+ Returns:
+ A 3-tuple of ``(layers, rules, exceptions)`` where *exceptions* maps
+ a source file path to a list of explicitly-allowed target paths.
+
+ If the YAML file does not exist or PyYAML is not installed the function
+ returns empty collections without raising.
+ """
+ config_path = os.path.join(project_dir, ".attocode", "architecture.yaml")
+ if not os.path.isfile(config_path):
+ logger.debug("Architecture config not found: %s", config_path)
+ return [], [], {}
+
+ try:
+ import yaml # type: ignore[import-untyped]
+ except ImportError:
+ logger.warning(
+ "PyYAML is not installed -- cannot load architecture config. "
+ "Install it with: pip install pyyaml"
+ )
+ return [], [], {}
+
+ try:
+ with open(config_path, encoding="utf-8") as fh:
+ data = yaml.safe_load(fh) or {}
+ except Exception as exc:
+ logger.warning("Failed to parse architecture config: %s", exc)
+ return [], [], {}
+
+ # --- Layers ---
+ layers: list[ArchLayer] = []
+ for entry in data.get("layers", []):
+ name = entry.get("name", "")
+ paths = entry.get("paths", [])
+ if name and paths:
+ layers.append(ArchLayer(name=name, paths=paths))
+
+ # --- Rules ---
+ rules: list[ArchRule] = []
+ for entry in data.get("rules", []):
+ from_layer = entry.get("from", "")
+ if not from_layer:
+ continue
+ allowed = entry.get("to", [])
+ denied = entry.get("deny", [])
+ rules.append(ArchRule(from_layer=from_layer, allowed=allowed, denied=denied))
+
+ # --- Exceptions ---
+ exceptions: dict[str, list[str]] = {}
+ for entry in data.get("exceptions", []):
+ src = entry.get("file", "")
+ allowed_targets = entry.get("allowed", [])
+ if src and allowed_targets:
+ exceptions[src] = allowed_targets
+
+ return layers, rules, exceptions
+
+
+# ---------------------------------------------------------------------------
+# Classification
+# ---------------------------------------------------------------------------
+
+
+def classify_file(file_path: str, layers: list[ArchLayer]) -> str:
+ """Determine which layer *file_path* belongs to.
+
+ Returns the layer name, or ``""`` if the file does not match any layer.
+ Matches are evaluated in order; the first matching layer wins.
+ """
+ for layer in layers:
+ if layer.matches(file_path):
+ return layer.name
+ return ""
+
+
+# ---------------------------------------------------------------------------
+# Core check
+# ---------------------------------------------------------------------------
+
+
+def _build_deps_from_index(project_dir: str) -> dict[str, set[str]]:
+ """Build a dependency map from the AST service's CrossRefIndex."""
+ try:
+ from attocode.integrations.context.ast_service import ASTService
+
+ svc = ASTService.get_instance(project_dir)
+ if not svc.initialized:
+ svc.initialize_skeleton(indexing_depth="auto")
+ return dict(svc.index.file_dependencies)
+ except Exception as exc:
+ logger.debug("Could not build dependency map from AST index: %s", exc)
+ return {}
+
+
+def check_drift(
+ project_dir: str,
+ dependencies: dict[str, set[str]] | None = None,
+) -> ArchReport:
+ """Check actual dependencies against architecture rules.
+
+ Args:
+ project_dir: Project root.
+ dependencies: Optional pre-computed dependency map
+ (file -> set of imported files). If *None*, will build from
+ the AST service's ``CrossRefIndex.file_dependencies``.
+
+ Returns:
+ An :class:`ArchReport` summarising all violations found.
+ """
+ layers, rules, exceptions = load_architecture(project_dir)
+ if not layers:
+ return ArchReport(
+ violations=[],
+ layers_defined=0,
+ rules_defined=0,
+ files_checked=0,
+ compliant_files=0,
+ )
+
+ if dependencies is None:
+ dependencies = _build_deps_from_index(project_dir)
+
+ # Build a quick rule lookup: from_layer -> ArchRule
+ rule_map: dict[str, ArchRule] = {}
+ for rule in rules:
+ rule_map[rule.from_layer] = rule
+
+ violations: list[ArchViolation] = []
+ files_checked = 0
+ compliant_files = 0
+
+ for source_file, targets in dependencies.items():
+ source_layer = classify_file(source_file, layers)
+ if not source_layer:
+ # File is outside any declared layer -- skip
+ continue
+
+ files_checked += 1
+ file_has_violation = False
+
+ for target_file in targets:
+ target_layer = classify_file(target_file, layers)
+ if not target_layer:
+ # Target outside all layers -- nothing to enforce
+ continue
+ if source_layer == target_layer:
+ # Intra-layer dependency -- always allowed
+ continue
+
+ # Check file-level exceptions
+ exception_list = exceptions.get(source_file, [])
+ if target_file in exception_list:
+ continue
+
+ rule = rule_map.get(source_layer)
+ if rule is None:
+ # No rule defined for this layer -- nothing to enforce
+ continue
+
+ # Check explicit deny list first (high severity)
+ if target_layer in rule.denied:
+ violations.append(
+ ArchViolation(
+ source_file=source_file,
+ target_file=target_file,
+ source_layer=source_layer,
+ target_layer=target_layer,
+ rule=(
+ f"Layer '{source_layer}' must NOT depend on "
+ f"'{target_layer}' (deny rule)"
+ ),
+ severity="high",
+ )
+ )
+ file_has_violation = True
+ continue
+
+ # Check allowed list (medium severity if not explicitly listed)
+ if rule.allowed and target_layer not in rule.allowed:
+ violations.append(
+ ArchViolation(
+ source_file=source_file,
+ target_file=target_file,
+ source_layer=source_layer,
+ target_layer=target_layer,
+ rule=(
+ f"Layer '{source_layer}' does not list "
+ f"'{target_layer}' as an allowed dependency"
+ ),
+ severity="medium",
+ )
+ )
+ file_has_violation = True
+
+ if not file_has_violation:
+ compliant_files += 1
+
+ # Sort: high severity first, then by source file for stability
+ _severity_order = {"high": 0, "medium": 1, "low": 2}
+ violations.sort(
+ key=lambda v: (_severity_order.get(v.severity, 9), v.source_file, v.target_file)
+ )
+
+ return ArchReport(
+ violations=violations,
+ layers_defined=len(layers),
+ rules_defined=len(rules),
+ files_checked=files_checked,
+ compliant_files=compliant_files,
+ )
+
+
+# ---------------------------------------------------------------------------
+# Formatting
+# ---------------------------------------------------------------------------
+
+
+def format_report(report: ArchReport) -> str:
+ """Format an :class:`ArchReport` as human-readable text."""
+ lines: list[str] = []
+ lines.append("# Architecture Drift Report\n")
+
+ lines.append(
+ f"Layers defined: {report.layers_defined} | "
+ f"Rules defined: {report.rules_defined}"
+ )
+ lines.append(
+ f"Files checked: {report.files_checked} | "
+ f"Compliant: {report.compliant_files}"
+ )
+
+ if not report.violations:
+ lines.append("\nNo architecture violations detected. All checked files comply.")
+ return "\n".join(lines)
+
+ # Group by severity
+ high: list[ArchViolation] = []
+ medium: list[ArchViolation] = []
+ other: list[ArchViolation] = []
+ for v in report.violations:
+ if v.severity == "high":
+ high.append(v)
+ elif v.severity == "medium":
+ medium.append(v)
+ else:
+ other.append(v)
+
+ total = len(report.violations)
+ lines.append(f"\n{total} violation(s) found.\n")
+
+ if high:
+ lines.append(f"## HIGH severity ({len(high)})\n")
+ for v in high:
+ lines.append(f" {v.source_file} -> {v.target_file}")
+ lines.append(f" [{v.source_layer} -> {v.target_layer}] {v.rule}")
+
+ if medium:
+ lines.append(f"\n## MEDIUM severity ({len(medium)})\n")
+ for v in medium:
+ lines.append(f" {v.source_file} -> {v.target_file}")
+ lines.append(f" [{v.source_layer} -> {v.target_layer}] {v.rule}")
+
+ if other:
+ lines.append(f"\n## OTHER ({len(other)})\n")
+ for v in other:
+ lines.append(f" {v.source_file} -> {v.target_file}")
+ lines.append(f" [{v.source_layer} -> {v.target_layer}] {v.rule}")
+
+ return "\n".join(lines)
diff --git a/src/attocode/integrations/context/codebase_ast.py b/src/attocode/integrations/context/codebase_ast.py
index dc35bb9..db8ce65 100644
--- a/src/attocode/integrations/context/codebase_ast.py
+++ b/src/attocode/integrations/context/codebase_ast.py
@@ -1180,6 +1180,7 @@ def _ts_result_to_file_ast(result: dict, file_path: str) -> FileAST:
decorators=fn.get("decorators", []),
is_async=fn.get("is_async", False),
visibility=fn.get("visibility", "public"),
+ docstring=fn.get("docstring", ""),
))
# Convert class dicts to ClassDef
@@ -1201,6 +1202,7 @@ def _ts_result_to_file_ast(result: dict, file_path: str) -> FileAST:
decorators=m.get("decorators", []),
is_async=m.get("is_async", False),
visibility=m.get("visibility", "public"),
+ docstring=m.get("docstring", ""),
))
classes.append(ClassDef(
name=cls["name"],
@@ -1209,6 +1211,7 @@ def _ts_result_to_file_ast(result: dict, file_path: str) -> FileAST:
bases=cls.get("bases", []),
methods=methods,
decorators=cls.get("decorators", []),
+ docstring=cls.get("docstring", ""),
))
# Convert import dicts to ImportDef
diff --git a/src/attocode/integrations/context/embeddings.py b/src/attocode/integrations/context/embeddings.py
index 38f697c..d50191a 100644
--- a/src/attocode/integrations/context/embeddings.py
+++ b/src/attocode/integrations/context/embeddings.py
@@ -1,9 +1,10 @@
"""Embedding provider abstraction for semantic search.
Tries providers in order:
-1. Local: sentence-transformers (no API cost, ~22MB model)
-2. API: OpenAI text-embedding-3-small (if OPENAI_API_KEY set)
-3. None: graceful degradation (returns empty vectors)
+1. Local: sentence-transformers with code-optimized model (no API cost)
+2. Local: sentence-transformers with general model (smaller fallback)
+3. API: OpenAI text-embedding-3-small (if OPENAI_API_KEY set)
+4. None: graceful degradation (returns empty vectors)
"""
from __future__ import annotations
@@ -106,6 +107,33 @@ def name(self) -> str:
return "local:nomic-embed-text-v1.5"
+class CodeEmbeddingProvider(EmbeddingProvider):
+ """Local embeddings via BAAI/bge-base-en-v1.5 (768-dim, ~440MB model).
+
+ Significantly outperforms all-MiniLM-L6-v2 on code search tasks due to
+ larger model capacity and better handling of code tokens (identifiers,
+ camelCase, snake_case, function signatures).
+
+ Note: Switching models requires reindexing (different vector dimensions).
+ """
+
+ def __init__(self) -> None:
+ from sentence_transformers import SentenceTransformer # type: ignore[import-untyped]
+ self._model = SentenceTransformer("BAAI/bge-base-en-v1.5")
+ self._dim = 768
+
+ def embed(self, texts: list[str]) -> list[list[float]]:
+ embeddings = self._model.encode(texts, convert_to_numpy=True)
+ return [e.tolist() for e in embeddings]
+
+ def dimension(self) -> int:
+ return self._dim
+
+ @property
+ def name(self) -> str:
+ return "local:bge-base-en-v1.5"
+
+
class NullEmbeddingProvider(EmbeddingProvider):
"""Fallback provider that returns empty vectors."""
@@ -130,19 +158,34 @@ def create_embedding_provider(
Args:
model: Preferred model name. Options:
- - "all-MiniLM-L6-v2" (default, 384-dim, fast)
+ - "bge" (768-dim, recommended for code search)
+ - "all-MiniLM-L6-v2" (384-dim, fast, smaller)
- "nomic-embed-text" (768-dim, better code understanding)
- "openai" (API-based, requires OPENAI_API_KEY)
- "" (auto-detect best available)
- Tries in order: local sentence-transformers, OpenAI API, null fallback.
+ Auto-detect order: bge (code-optimized) > MiniLM > OpenAI API > null.
+ Note: switching models requires reindexing (different vector dims).
"""
model = model or os.environ.get("ATTOCODE_EMBEDDING_MODEL", "")
if model in _provider_cache:
return _provider_cache[model]
- # Explicit local default request
+ # Explicit BGE request (code-optimized)
+ if model == "bge":
+ try:
+ provider = CodeEmbeddingProvider()
+ logger.info("Using embedding provider: %s", provider.name)
+ _provider_cache[model] = provider
+ return provider
+ except ImportError:
+ raise ImportError(
+ f"Embedding model '{model}' requires sentence-transformers. "
+ "Install with: pip install attocode[semantic]"
+ )
+
+ # Explicit MiniLM request
if model == "all-MiniLM-L6-v2":
try:
provider = LocalEmbeddingProvider()
@@ -183,17 +226,26 @@ def create_embedding_provider(
except Exception as e:
raise RuntimeError(f"OpenAI embedding provider failed: {e}") from e
- # Auto-detect: try local first (no API cost)
+ # Auto-detect: try code-optimized BGE first, then MiniLM (no API cost)
try:
- provider = LocalEmbeddingProvider()
- logger.info("Using local embedding provider: %s", provider.name)
+ provider = CodeEmbeddingProvider()
+ logger.info("Using code-optimized embedding provider: %s", provider.name)
_provider_cache[model] = provider
return provider
except ImportError:
logger.debug("sentence-transformers not installed, trying OpenAI")
except Exception as exc:
- logger.warning("Local embedding provider unavailable: %s", exc)
- logger.debug("Local embedding provider traceback", exc_info=True)
+ logger.info("BGE model unavailable (%s), falling back to MiniLM", exc)
+ try:
+ provider = LocalEmbeddingProvider()
+ logger.info("Using local embedding provider: %s", provider.name)
+ _provider_cache[model] = provider
+ return provider
+ except ImportError:
+ logger.debug("sentence-transformers not installed, trying OpenAI")
+ except Exception as exc2:
+ logger.warning("Local embedding provider unavailable: %s", exc2)
+ logger.debug("Local embedding provider traceback", exc_info=True)
# Try OpenAI API
if os.environ.get("OPENAI_API_KEY"):
diff --git a/src/attocode/integrations/context/semantic_search.py b/src/attocode/integrations/context/semantic_search.py
index db537ec..decdc65 100644
--- a/src/attocode/integrations/context/semantic_search.py
+++ b/src/attocode/integrations/context/semantic_search.py
@@ -34,6 +34,20 @@
_CAMEL_RE = re.compile(r"(?<=[a-z])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")
+# Mapping from common query terms to code construct types for query expansion
+_CONSTRUCT_HINTS: dict[str, list[str]] = {
+ "function": ["def", "func", "fn"],
+ "class": ["class", "struct", "type"],
+ "method": ["def", "func", "method"],
+ "import": ["import", "require", "from", "use"],
+ "test": ["test", "spec", "assert", "expect"],
+ "error": ["error", "exception", "raise", "throw", "catch"],
+ "config": ["config", "settings", "env", "option"],
+ "api": ["route", "endpoint", "handler", "controller"],
+ "auth": ["auth", "login", "password", "token", "session"],
+ "database": ["query", "model", "schema", "migration", "table"],
+}
+
def _tokenize(text: str) -> list[str]:
"""Tokenize text: split camelCase/snake_case, lowercase, remove stop words."""
@@ -50,6 +64,60 @@ def _tokenize(text: str) -> list[str]:
return tokens
+def _expand_query(query: str, language: str = "") -> str:
+ """Expand a search query with language and construct hints.
+
+ Prepends language context and adds related terms for known constructs,
+ improving recall for code-specific embedding models.
+
+ Examples:
+ "auth middleware" + "python" -> "python auth middleware login token session"
+ "parse config" -> "parse config settings env option"
+ """
+ query_lower = query.lower()
+ tokens = _tokenize(query)
+ expansions: list[str] = []
+
+ # Add language hint if known
+ if language:
+ expansions.append(language)
+
+ # Add construct-related terms for each matching concept
+ for concept, hints in _CONSTRUCT_HINTS.items():
+ if concept in query_lower or any(t == concept for t in tokens):
+ for hint in hints:
+ if hint not in query_lower and hint not in expansions:
+ expansions.append(hint)
+
+ if not expansions:
+ return query
+
+ return f"{query} {' '.join(expansions)}"
+
+
+def _summarize_code_to_nl(name: str, chunk_type: str, text: str) -> str:
+ """Generate a heuristic NL summary from code structure.
+
+ Converts code identifiers into natural language fragments to improve
+ BM25 matching between NL queries and code symbols.
+
+ Examples:
+ "parseConfigFile" -> "parse config file"
+ "UserAuthMiddleware" -> "user auth middleware"
+ """
+ # Tokenize the name into natural language words
+ name_words = _CAMEL_RE.sub(" ", name).replace("_", " ").lower().strip()
+
+ if chunk_type == "function":
+ return f"function {name_words} {text[:200]}"
+ elif chunk_type == "class":
+ return f"class {name_words} {text[:200]}"
+ elif chunk_type == "method":
+ return f"method {name_words} {text[:200]}"
+ else:
+ return f"{name_words} {text[:200]}"
+
+
@dataclass(slots=True)
class _KeywordDoc:
"""A document in the BM25 keyword index."""
@@ -323,6 +391,7 @@ def search(
file_filter: str = "",
two_stage: bool = True,
rerank: bool = False,
+ expand_query: bool = True,
) -> list[SemanticSearchResult]:
"""Search the codebase by natural language query.
@@ -341,37 +410,51 @@ def search(
file_filter: Optional glob pattern (e.g. "*.py").
two_stage: Whether to use two-stage retrieval (default True).
rerank: Whether to apply cross-encoder reranking after fusion.
+ expand_query: Whether to expand query with code construct hints.
Returns:
List of search results sorted by relevance.
"""
+ # Detect language from file_filter for query expansion
+ _lang = ""
+ if file_filter:
+ _ext_map = {".py": "python", ".js": "javascript", ".ts": "typescript",
+ ".go": "go", ".rs": "rust", ".java": "java", ".rb": "ruby"}
+ for ext, lang in _ext_map.items():
+ if file_filter.endswith(ext):
+ _lang = lang
+ break
+
+ # Apply query expansion for better recall
+ expanded_query = _expand_query(query, _lang) if expand_query else query
+
self._ensure_provider()
if self._keyword_fallback:
- return self._keyword_search(query, top_k, file_filter)
+ return self._keyword_search(expanded_query, top_k, file_filter)
# Coverage-based switchover: use keyword fallback while indexing
if not self._indexed and self._store:
count = self._store.count()
if count == 0 and self._bg_indexer is None:
# No embeddings and no background indexer — use keyword fallback
- return self._keyword_search(query, top_k, file_filter)
+ return self._keyword_search(expanded_query, top_k, file_filter)
elif not self.is_index_ready() and self._bg_indexer is not None:
# Indexer running but coverage < 80% — use keyword fallback
- return self._keyword_search(query, top_k, file_filter)
+ return self._keyword_search(expanded_query, top_k, file_filter)
- # Embed query
+ # Embed query — use expanded query for better recall
try:
- query_vectors = self._provider.embed([query])
+ query_vectors = self._provider.embed([expanded_query])
if not query_vectors or not query_vectors[0]:
self._index_progress.degraded_reason = "query_embedding_failed"
self._index_progress.last_error = "Query embedding returned no vector."
- return self._keyword_search(query, top_k, file_filter)
+ return self._keyword_search(expanded_query, top_k, file_filter)
query_vec = query_vectors[0]
except Exception as exc:
logger.warning("Query embedding failed, falling back to keyword", exc_info=True)
self._index_progress.degraded_reason = "query_embedding_failed"
self._index_progress.last_error = f"Query embedding failed: {type(exc).__name__}: {exc}"
- return self._keyword_search(query, top_k, file_filter)
+ return self._keyword_search(expanded_query, top_k, file_filter)
# Build set of files that exist on disk to filter out stale branch data.
# In local mode the filesystem is the source of truth — vectors from
@@ -407,7 +490,7 @@ def search(
]
# Stage 1b: Keyword search (complementary recall) — always run
- keyword_results = self._keyword_search(query, top_k=wide_k, file_filter=file_filter)
+ keyword_results = self._keyword_search(expanded_query, top_k=wide_k, file_filter=file_filter)
# If both pipelines returned nothing, bail out early
if not raw_results and not keyword_results:
@@ -988,6 +1071,9 @@ def _build_keyword_index(self) -> None:
for func in ast.functions:
parts: list[str] = []
parts.extend([func.name] * 3)
+ # Add NL summary of the function name for better query matching
+ nl_summary = _summarize_code_to_nl(func.name, "function", "")
+ parts.append(nl_summary)
if func.docstring:
parts.append(func.docstring[:300])
parts.extend(p.name for p in func.parameters[:10])
@@ -1024,6 +1110,9 @@ def _build_keyword_index(self) -> None:
# Class + method-level docs
for cls in ast.classes:
cls_parts: list[str] = [cls.name] * 3
+ # Add NL summary of the class name
+ cls_nl = _summarize_code_to_nl(cls.name, "class", "")
+ cls_parts.append(cls_nl)
if cls.bases:
cls_parts.extend(cls.bases)
if cls.docstring:
diff --git a/src/attocode/integrations/context/ts_parser.py b/src/attocode/integrations/context/ts_parser.py
index 3e16908..b13e090 100644
--- a/src/attocode/integrations/context/ts_parser.py
+++ b/src/attocode/integrations/context/ts_parser.py
@@ -38,6 +38,7 @@ class _LangConfig:
class_types: tuple[str, ...] # node types that represent classes
import_types: tuple[str, ...] # node types that represent imports
method_types: tuple[str, ...] = () # method declarations inside classes
+ var_types: tuple[str, ...] = () # top-level variable/constant declarations
name_field: str = "name" # tree-sitter field for the identifier
language_func: str = "language" # function name to call on grammar module
@@ -71,6 +72,7 @@ class _LangConfig:
function_types=("function_declaration", "method_declaration"),
class_types=("type_declaration",),
import_types=("import_declaration",),
+ var_types=("const_declaration", "var_declaration"),
),
"rust": _LangConfig(
grammar_module="tree_sitter_rust",
@@ -191,6 +193,7 @@ class _LangConfig:
function_types=("function_declaration",),
class_types=("struct_declaration", "enum_declaration", "union_declaration"),
import_types=(), # @import is a builtin call
+ var_types=("variable_declaration",),
),
# ---------------------------------------------------------------
# Phase 2: Data/config languages (20 → 25)
@@ -499,6 +502,66 @@ def _find_decorators(node, source_bytes: bytes) -> list[str]:
return decorators
+def _find_go_doc_comment(node, source_bytes: bytes) -> str:
+ """Extract Go-style doc comment from comment lines immediately above a node.
+
+ Go doc comments are consecutive ``// Comment`` lines directly preceding a
+ declaration with no blank lines in between. This walks backward through
+ previous named siblings collecting ``comment`` nodes whose end line is
+ adjacent to (or the same as) the start line of the next element.
+ """
+ comment_lines: list[str] = []
+ expected_line = node.start_point[0] # 0-based line of the declaration
+
+ prev = node.prev_named_sibling
+ while prev is not None and prev.type == "comment":
+ # The comment must end exactly one line before the expected line
+ if prev.end_point[0] + 1 != expected_line:
+ break
+ text = _node_text(prev, source_bytes).strip()
+ # Strip leading "//" (single-line) or "/* ... */" (block)
+ if text.startswith("//"):
+ text = text[2:].strip()
+ elif text.startswith("/*") and text.endswith("*/"):
+ text = text[2:-2].strip()
+ comment_lines.insert(0, text)
+ expected_line = prev.start_point[0]
+ prev = prev.prev_named_sibling
+
+ return "\n".join(comment_lines) if comment_lines else ""
+
+
+def _extract_go_receiver(node, source_bytes: bytes) -> str:
+ """Extract receiver type name from a Go method_declaration node.
+
+ Go methods look like ``func (r *Receiver) MethodName(...) ...``.
+ The tree-sitter Go grammar exposes a ``receiver`` field containing a
+ ``parameter_list`` with one ``parameter_declaration`` whose ``type``
+ child holds the receiver type (possibly wrapped in ``pointer_type``).
+ """
+ receiver_node = node.child_by_field_name("receiver")
+ if receiver_node is None:
+ return ""
+
+ for child in receiver_node.children:
+ if child.type == "parameter_declaration":
+ type_node = child.child_by_field_name("type")
+ if type_node is None:
+ # Fallback: look for type_identifier or pointer_type child
+ for sub in child.children:
+ if sub.type in ("type_identifier", "pointer_type"):
+ type_node = sub
+ break
+ if type_node is not None:
+ # pointer_type wraps the actual type_identifier
+ if type_node.type == "pointer_type":
+ for sub in type_node.children:
+ if sub.type == "type_identifier":
+ return _node_text(sub, source_bytes)
+ return _node_text(type_node, source_bytes)
+ return ""
+
+
def _get_visibility(name: str, language: str) -> str:
"""Determine visibility from name conventions."""
if language == "python":
@@ -507,6 +570,11 @@ def _get_visibility(name: str, language: str) -> str:
if name.startswith("_"):
return "private"
return "public"
+ elif language == "go":
+ # Go convention: uppercase first letter = exported (public)
+ if name and name[0].isupper():
+ return "public"
+ return "private"
elif language in ("java", "typescript", "c", "cpp", "csharp", "kotlin", "swift", "scala",
"dart", "objc", "crystal", "fsharp"):
# Would need modifier parsing; default to public
@@ -1122,6 +1190,18 @@ def _process_node(node, parent_class: str = "") -> None:
is_async_fn = _is_async(node, source_bytes)
visibility = _get_visibility(name, language)
+ # Go: extract receiver type for method_declaration → parent_class
+ effective_parent = parent_class
+ if language == "go" and ntype == "method_declaration":
+ receiver_type = _extract_go_receiver(node, source_bytes)
+ if receiver_type:
+ effective_parent = receiver_type
+
+ # Go: extract doc comment from preceding // comment lines
+ docstring = ""
+ if language == "go":
+ docstring = _find_go_doc_comment(node, source_bytes)
+
fn_data = {
"name": name,
"parameters": params,
@@ -1131,15 +1211,21 @@ def _process_node(node, parent_class: str = "") -> None:
"is_async": is_async_fn,
"decorators": decorators,
"visibility": visibility,
- "parent_class": parent_class,
+ "parent_class": effective_parent,
}
+ if docstring:
+ fn_data["docstring"] = docstring
- if parent_class:
+ if effective_parent:
# Will be added as method to the class
for cls in classes:
- if cls["name"] == parent_class:
+ if cls["name"] == effective_parent:
cls["methods"].append(fn_data)
break
+ else:
+ # Go: receiver type may not have a matching type_declaration
+ # in the same file; record as a standalone function with parent_class set
+ functions.append(fn_data)
else:
functions.append(fn_data)
return
@@ -1206,6 +1292,13 @@ def _process_node(node, parent_class: str = "") -> None:
"start_line": node.start_point[0] + 1,
"end_line": node.end_point[0] + 1,
}
+
+ # Go: extract doc comment for type declarations
+ if language == "go":
+ docstring = _find_go_doc_comment(node, source_bytes)
+ if docstring:
+ cls_data["docstring"] = docstring
+
classes.append(cls_data)
# Process children to find methods
@@ -1270,20 +1363,19 @@ def _process_node(node, parent_class: str = "") -> None:
top_level_vars.append(var_name)
return
- # Zig top-level const/var declarations: const Server = @This();
- if language == "zig" and ntype == "variable_declaration" and not parent_class:
- var_name = _find_name(node, source_bytes)
- if var_name:
- top_level_vars.append(var_name)
- return
-
- # Go top-level const/var blocks: const ( X = 1; Y = 2 )
- if language == "go" and ntype in ("const_declaration", "var_declaration") and not parent_class:
- for child in node.children:
- if child.type in ("const_spec", "var_spec"):
- var_name = _find_name(child, source_bytes)
- if var_name:
- top_level_vars.append(var_name)
+ # Config-driven top-level variable/constant declarations (Go, Zig, etc.)
+ if config.var_types and ntype in config.var_types and not parent_class:
+ if language == "go":
+ # Go const/var blocks: const ( X = 1; Y = 2 )
+ for child in node.children:
+ if child.type in ("const_spec", "var_spec"):
+ var_name = _find_name(child, source_bytes)
+ if var_name:
+ top_level_vars.append(var_name)
+ else:
+ var_name = _find_name(node, source_bytes)
+ if var_name:
+ top_level_vars.append(var_name)
return
# Elixir: macro calls (def, defmodule, import, etc.)
diff --git a/src/attocode/integrations/security/custom_rules.py b/src/attocode/integrations/security/custom_rules.py
new file mode 100644
index 0000000..45bac30
--- /dev/null
+++ b/src/attocode/integrations/security/custom_rules.py
@@ -0,0 +1,176 @@
+"""Load user-defined security rules from .attocode/rules/*.yaml files.
+
+Custom rules use the same SecurityPattern dataclass as built-in patterns,
+allowing them to be seamlessly merged into the scanning pipeline.
+
+Rule format (YAML):
+ id: my_rule_name
+ pattern: "regex_pattern_here"
+ message: "What was detected"
+ severity: high # critical | high | medium | low | info
+ cwe: CWE-79 # optional
+ recommendation: "How to fix"
+ languages: # optional, empty = all languages
+ - python
+ - javascript
+ scan_comments: false # optional, default false
+ fix: # optional autofix
+ search: "old_code("
+ replace: "new_code("
+"""
+
+from __future__ import annotations
+
+import logging
+import re
+from pathlib import Path
+
+from attocode.integrations.security.patterns import (
+ Category,
+ SecurityPattern,
+ Severity,
+)
+
+logger = logging.getLogger(__name__)
+
+_VALID_SEVERITIES = frozenset(s.value for s in Severity)
+
+
+def load_custom_rules(project_dir: str) -> list[SecurityPattern]:
+ """Load custom security rules from .attocode/rules/*.yaml files.
+
+ Args:
+ project_dir: Project root directory.
+
+ Returns:
+ List of SecurityPattern instances from user-defined rules.
+ Invalid rules are logged and skipped.
+ """
+ rules_dir = Path(project_dir) / ".attocode" / "rules"
+ if not rules_dir.is_dir():
+ return []
+
+ patterns: list[SecurityPattern] = []
+ for yaml_file in sorted(rules_dir.glob("*.yaml")):
+ try:
+ file_patterns = _load_rules_file(yaml_file)
+ patterns.extend(file_patterns)
+ except Exception as exc:
+ logger.warning("Failed to load custom rules from %s: %s", yaml_file, exc)
+
+ if patterns:
+ logger.info("Loaded %d custom security rule(s) from %s", len(patterns), rules_dir)
+
+ return patterns
+
+
+def _load_rules_file(path: Path) -> list[SecurityPattern]:
+ """Parse a single YAML rules file into SecurityPattern instances."""
+ try:
+ import yaml # type: ignore[import-untyped]
+ except ImportError:
+ logger.debug("PyYAML not installed — skipping custom rules file %s", path)
+ return []
+
+ content = path.read_text(encoding="utf-8")
+ data = yaml.safe_load(content)
+
+ if data is None:
+ return []
+
+ # Support both single-rule and multi-rule files
+ if isinstance(data, dict):
+ rules_list = [data]
+ elif isinstance(data, list):
+ rules_list = data
+ else:
+ logger.warning("Invalid rules file %s: expected dict or list", path)
+ return []
+
+ patterns: list[SecurityPattern] = []
+ for i, rule in enumerate(rules_list):
+ try:
+ pattern = _parse_rule(rule, source=f"{path.name}[{i}]")
+ if pattern is not None:
+ patterns.append(pattern)
+ except Exception as exc:
+ logger.warning("Invalid rule in %s at index %d: %s", path.name, i, exc)
+
+ return patterns
+
+
+def _parse_rule(rule: dict, source: str = "") -> SecurityPattern | None:
+ """Parse a single rule dict into a SecurityPattern.
+
+ Required fields: id, pattern, message, severity, recommendation.
+ Optional fields: cwe, languages, scan_comments, fix.
+ """
+ # Validate required fields
+ missing = [f for f in ("id", "pattern", "message", "severity", "recommendation") if f not in rule]
+ if missing:
+ logger.warning("Rule %s missing required fields: %s", source, ", ".join(missing))
+ return None
+
+ # Validate severity
+ severity_str = str(rule["severity"]).lower()
+ if severity_str not in _VALID_SEVERITIES:
+ logger.warning(
+ "Rule %s has invalid severity '%s' (must be one of: %s)",
+ source, rule["severity"], ", ".join(sorted(_VALID_SEVERITIES)),
+ )
+ return None
+
+ # Compile regex
+ try:
+ compiled = re.compile(rule["pattern"])
+ except re.error as exc:
+ logger.warning("Rule %s has invalid regex '%s': %s", source, rule["pattern"], exc)
+ return None
+
+ return SecurityPattern(
+ name=str(rule["id"]),
+ pattern=compiled,
+ severity=Severity(severity_str),
+ category=Category.ANTI_PATTERN,
+ cwe_id=str(rule.get("cwe", "")),
+ message=str(rule["message"]),
+ recommendation=str(rule["recommendation"]),
+ languages=rule.get("languages", []),
+ scan_comments=bool(rule.get("scan_comments", False)),
+ )
+
+
+def get_autofix_from_rules(
+ project_dir: str,
+) -> dict[str, tuple[str, str]]:
+ """Extract autofix templates from custom rules that define a 'fix' field.
+
+ Returns:
+ Dict mapping rule id -> (search, replace) for rules with fix defined.
+ """
+ rules_dir = Path(project_dir) / ".attocode" / "rules"
+ if not rules_dir.is_dir():
+ return {}
+
+ try:
+ import yaml # type: ignore[import-untyped]
+ except ImportError:
+ return {}
+
+ fixes: dict[str, tuple[str, str]] = {}
+ for yaml_file in sorted(rules_dir.glob("*.yaml")):
+ try:
+ content = yaml_file.read_text(encoding="utf-8")
+ data = yaml.safe_load(content)
+ if data is None:
+ continue
+ rules_list = [data] if isinstance(data, dict) else data if isinstance(data, list) else []
+ for rule in rules_list:
+ if isinstance(rule, dict) and "fix" in rule and "id" in rule:
+ fix = rule["fix"]
+ if isinstance(fix, dict) and "search" in fix and "replace" in fix:
+ fixes[str(rule["id"])] = (str(fix["search"]), str(fix["replace"]))
+ except Exception:
+ continue
+
+ return fixes
diff --git a/src/attocode/integrations/security/dataflow.py b/src/attocode/integrations/security/dataflow.py
new file mode 100644
index 0000000..9465f73
--- /dev/null
+++ b/src/attocode/integrations/security/dataflow.py
@@ -0,0 +1,530 @@
+"""Lightweight intra-procedural data flow analysis.
+
+Tracks taint from sources (user input, request parameters) through
+assignments and function calls to sinks (SQL execution, shell commands,
+HTML output) within individual functions. Uses tree-sitter ASTs for
+Python and JavaScript/TypeScript.
+
+This is NOT a full compiler-grade taint tracker. It provides best-effort
+detection of common vulnerability patterns (CWE-89, CWE-78, CWE-79,
+CWE-22, CWE-918) without requiring compilation or type information.
+
+Limitations:
+- Intra-procedural only (does not follow function calls across files)
+- No alias analysis (reassignment through containers not tracked)
+- No type inference (relies on naming conventions and API patterns)
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+
+# ---------------------------------------------------------------------------
+# Source / Sink definitions
+# ---------------------------------------------------------------------------
+
+@dataclass(slots=True, frozen=True)
+class TaintSource:
+ """A source of tainted (user-controlled) data."""
+ name: str
+ pattern: re.Pattern[str]
+ language: str # "python", "javascript", or "" for all
+
+
+@dataclass(slots=True, frozen=True)
+class TaintSink:
+ """A dangerous function that should not receive tainted data."""
+ name: str
+ pattern: re.Pattern[str]
+ cwe: str
+ message: str
+ language: str
+
+
+@dataclass(slots=True)
+class DataFlowFinding:
+ """A taint flow from source to sink within a function."""
+ file_path: str
+ function_name: str
+ source_line: int
+ source_desc: str
+ sink_line: int
+ sink_desc: str
+ tainted_var: str
+ cwe: str
+ message: str
+ severity: str = "high"
+
+
+@dataclass(slots=True)
+class DataFlowReport:
+ """Results of data flow analysis."""
+ findings: list[DataFlowFinding]
+ functions_analyzed: int
+ files_analyzed: int
+ scan_time_ms: float = 0.0
+
+
+# ---------------------------------------------------------------------------
+# Python sources and sinks
+# ---------------------------------------------------------------------------
+
+_PYTHON_SOURCES: list[TaintSource] = [
+ TaintSource("request_param", re.compile(
+ r"""\b(?:request\.(?:args|form|json|data|values|files|headers|cookies|GET|POST)|"""
+ r"""flask\.request\.\w+|"""
+ r"""self\.request\.\w+)"""
+ ), "python"),
+ TaintSource("input_builtin", re.compile(r"""\binput\s*\("""), "python"),
+ TaintSource("sys_argv", re.compile(r"""\bsys\.argv\b"""), "python"),
+ TaintSource("environ_get", re.compile(r"""\bos\.environ\b"""), "python"),
+ TaintSource("query_param", re.compile(
+ r"""\b(?:params|query_params|request_data)\b"""
+ ), "python"),
+]
+
+_PYTHON_SINKS: list[TaintSink] = [
+ TaintSink("sql_execute", re.compile(
+ r"""\b(?:cursor\.execute|\.execute|\.executemany|\.raw)\s*\("""
+ ), "CWE-89", "SQL injection: tainted data reaches SQL execution", "python"),
+ TaintSink("os_system", re.compile(
+ r"""\b(?:os\.system|os\.popen|subprocess\.(?:call|run|Popen|check_output|check_call))\s*\("""
+ ), "CWE-78", "Command injection: tainted data reaches shell execution", "python"),
+ TaintSink("open_file", re.compile(
+ r"""\bopen\s*\("""
+ ), "CWE-22", "Path traversal: tainted data used in file path", "python"),
+ TaintSink("url_request", re.compile(
+ r"""\b(?:requests\.(?:get|post|put|delete|patch|head)|urllib\.request\.urlopen|httpx\.(?:get|post))\s*\("""
+ ), "CWE-918", "SSRF: tainted data used in URL construction", "python"),
+ TaintSink("html_output", re.compile(
+ r"""\b(?:render_template_string|Markup|mark_safe|SafeString)\s*\("""
+ ), "CWE-79", "XSS: tainted data rendered as HTML without escaping", "python"),
+]
+
+# ---------------------------------------------------------------------------
+# JavaScript/TypeScript sources and sinks
+# ---------------------------------------------------------------------------
+
+_JS_SOURCES: list[TaintSource] = [
+ TaintSource("req_param", re.compile(
+ r"""\b(?:req\.(?:body|params|query|headers|cookies)|"""
+ r"""request\.(?:body|params|query|headers))\b"""
+ ), "javascript"),
+ TaintSource("url_search_params", re.compile(
+ r"""\b(?:URLSearchParams|location\.search|location\.hash|window\.location)\b"""
+ ), "javascript"),
+ TaintSource("document_input", re.compile(
+ r"""\b(?:document\.getElementById|document\.querySelector|\.value)\b"""
+ ), "javascript"),
+]
+
+_JS_SINKS: list[TaintSink] = [
+ TaintSink("sql_query", re.compile(
+ r"""\b(?:\.query|\.execute|\.run)\s*\("""
+ ), "CWE-89", "SQL injection: tainted data in database query", "javascript"),
+ TaintSink("exec_cmd", re.compile(
+ r"""\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\("""
+ ), "CWE-78", "Command injection: tainted data in shell command", "javascript"),
+ TaintSink("inner_html", re.compile(
+ r"""\.innerHTML\s*="""
+ ), "CWE-79", "XSS: tainted data assigned to innerHTML", "javascript"),
+ TaintSink("redirect", re.compile(
+ r"""\b(?:res\.redirect|location\.href|window\.location)\s*="""
+ ), "CWE-601", "Open redirect: tainted data in redirect URL", "javascript"),
+ TaintSink("fs_access", re.compile(
+ r"""\b(?:fs\.(?:readFile|writeFile|readFileSync|writeFileSync|createReadStream|unlink)|"""
+ r"""path\.(?:join|resolve))\s*\("""
+ ), "CWE-22", "Path traversal: tainted data in file system path", "javascript"),
+]
+
+
+# ---------------------------------------------------------------------------
+# Taint analysis engine
+# ---------------------------------------------------------------------------
+
+_ASSIGNMENT_RE = re.compile(
+ r"""^\s*(?:(?:const|let|var)\s+)?(\w+)\s*=\s*(.+)$"""
+)
+
+_AUGMENTED_ASSIGN_RE = re.compile(
+ r"""^\s*(?:(?:const|let|var)\s+)?(\w+)\s*(?:\+=|\|=|\.append\(|\.extend\(|\.update\()(.+)"""
+)
+
+_FSTRING_VAR_RE = re.compile(r"""\{(\w+)""")
+_FORMAT_VAR_RE = re.compile(r"""\.format\s*\([^)]*?(\w+)""")
+_PERCENT_VAR_RE = re.compile(r"""%\s*(?:\((\w+)\)|(\w+))""")
+_TEMPLATE_VAR_RE = re.compile(r"""\$\{(\w+)\}""")
+_CONCAT_VAR_RE = re.compile(r"""\+\s*(\w+)""")
+
+
+def _extract_variables_from_expr(expr: str) -> set[str]:
+ """Extract variable names referenced in an expression."""
+ variables: set[str] = set()
+
+ # f-string interpolation: f"...{var}..."
+ variables.update(_FSTRING_VAR_RE.findall(expr))
+
+ # .format() calls
+ variables.update(_FORMAT_VAR_RE.findall(expr))
+
+ # %-formatting
+ for groups in _PERCENT_VAR_RE.findall(expr):
+ variables.update(g for g in groups if g)
+
+ # Template literal interpolation: `...${var}...`
+ variables.update(_TEMPLATE_VAR_RE.findall(expr))
+
+ # String concatenation: "..." + var
+ variables.update(_CONCAT_VAR_RE.findall(expr))
+
+ # Direct variable reference (simple identifier on RHS)
+ tokens = re.findall(r'\b([a-zA-Z_]\w*)\b', expr)
+ variables.update(tokens)
+
+ # Filter out keywords and builtins
+ _KEYWORDS = frozenset({
+ "True", "False", "None", "true", "false", "null", "undefined",
+ "if", "else", "for", "while", "return", "import", "from",
+ "def", "class", "function", "const", "let", "var", "new",
+ "not", "and", "or", "in", "is", "as", "with", "try", "except",
+ "finally", "raise", "yield", "async", "await", "self", "cls",
+ "this", "super", "typeof", "instanceof",
+ })
+ return variables - _KEYWORDS
+
+
+def analyze_function_taint(
+ lines: list[str],
+ sources: list[TaintSource],
+ sinks: list[TaintSink],
+ function_name: str,
+ start_line: int,
+) -> list[tuple[str, int, str, int, str, str, str]]:
+ """Analyze a single function body for source-to-sink taint flows.
+
+ Returns list of (tainted_var, source_line, source_desc, sink_line, sink_desc, cwe, message).
+ """
+ # Phase 1: Identify tainted variables (variables assigned from sources)
+ tainted: dict[str, tuple[int, str]] = {} # var_name → (line_no, source_desc)
+
+ for i, line in enumerate(lines):
+ line_no = start_line + i
+ stripped = line.strip()
+ if not stripped or stripped.startswith("#") or stripped.startswith("//"):
+ continue
+
+ # Check if line contains a source
+ for source in sources:
+ if source.pattern.search(line):
+ # Find the variable being assigned from this source
+ m = _ASSIGNMENT_RE.match(line)
+ if m:
+ var_name = m.group(1)
+ tainted[var_name] = (line_no, source.name)
+ else:
+ # Source used directly (e.g., as function parameter)
+ # Track any variable on the left side of any assignment-like pattern
+ am = _AUGMENTED_ASSIGN_RE.match(line)
+ if am:
+ tainted[am.group(1)] = (line_no, source.name)
+
+ if not tainted:
+ return []
+
+ # Phase 2: Propagate taint through assignments
+ # Simple forward propagation: if `b = f(a)` and `a` is tainted, `b` is tainted
+ changed = True
+ max_iterations = 10
+ iteration = 0
+ while changed and iteration < max_iterations:
+ changed = False
+ iteration += 1
+ for i, line in enumerate(lines):
+ m = _ASSIGNMENT_RE.match(line)
+ if not m:
+ continue
+ var_name = m.group(1)
+ if var_name in tainted:
+ continue # already tainted
+ rhs = m.group(2)
+ rhs_vars = _extract_variables_from_expr(rhs)
+ for rv in rhs_vars:
+ if rv in tainted:
+ tainted[var_name] = (start_line + i, f"propagated from {rv}")
+ changed = True
+ break
+
+ # Phase 3: Check if tainted variables reach sinks
+ findings: list[tuple[str, int, str, int, str, str, str]] = []
+
+ for i, line in enumerate(lines):
+ line_no = start_line + i
+ for sink in sinks:
+ if not sink.pattern.search(line):
+ continue
+ # Check if any tainted variable appears in this sink call
+ line_vars = _extract_variables_from_expr(line)
+ for var in line_vars:
+ if var in tainted:
+ source_line, source_desc = tainted[var]
+ findings.append((
+ var, source_line, source_desc,
+ line_no, sink.name, sink.cwe, sink.message,
+ ))
+ break # one finding per sink line
+
+ return findings
+
+
+# ---------------------------------------------------------------------------
+# File-level analysis
+# ---------------------------------------------------------------------------
+
+def _extract_function_bodies(content: str, language: str) -> list[tuple[str, int, int]]:
+ """Extract function name, start line, end line from source content.
+
+ Uses simple regex-based extraction (not tree-sitter) for portability.
+ Returns list of (function_name, start_line, end_line) 1-indexed.
+ """
+ functions: list[tuple[str, int, int]] = []
+ lines = content.splitlines()
+
+ if language == "python":
+ func_re = re.compile(r"""^(\s*)def\s+(\w+)\s*\(""")
+ in_func = False
+ func_name = ""
+ func_start = 0
+ func_indent = 0
+
+ for i, line in enumerate(lines, 1):
+ m = func_re.match(line)
+ if m:
+ if in_func:
+ functions.append((func_name, func_start, i - 1))
+ func_indent = len(m.group(1))
+ func_name = m.group(2)
+ func_start = i
+ in_func = True
+ elif in_func and line.strip() and not line.startswith(" " * (func_indent + 1)) and not line.strip().startswith("#"):
+ # Dedented line = end of function
+ if not line[0].isspace() or (len(line) - len(line.lstrip())) <= func_indent:
+ functions.append((func_name, func_start, i - 1))
+ in_func = False
+
+ if in_func:
+ functions.append((func_name, func_start, len(lines)))
+
+ elif language in ("javascript", "typescript"):
+ # Match: function name(...), const name = (...) =>, async function name(...)
+ func_re = re.compile(
+ r"""(?:(?:async\s+)?function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)\s*=>)"""
+ )
+ # Simple brace-counting for JS function boundaries
+ for i, line in enumerate(lines, 1):
+ m = func_re.search(line)
+ if m:
+ func_name = m.group(1) or m.group(2)
+ # Find the end by counting braces
+ brace_count = 0
+ started = False
+ end_line = i
+ for j in range(i - 1, len(lines)):
+ for ch in lines[j]:
+ if ch == "{":
+ brace_count += 1
+ started = True
+ elif ch == "}":
+ brace_count -= 1
+ if started and brace_count <= 0:
+ end_line = j + 1
+ break
+ else:
+ end_line = len(lines)
+ functions.append((func_name, i, end_line))
+
+ return functions
+
+
+def analyze_file(
+ file_path: str,
+ language: str = "",
+) -> list[DataFlowFinding]:
+ """Analyze a single file for data flow vulnerabilities.
+
+ Args:
+ file_path: Absolute path to the source file.
+ language: Language hint (auto-detected from extension if empty).
+
+ Returns:
+ List of DataFlowFinding instances.
+ """
+ if not language:
+ ext = os.path.splitext(file_path)[1].lower()
+ lang_map = {
+ ".py": "python", ".pyi": "python",
+ ".js": "javascript", ".jsx": "javascript",
+ ".ts": "typescript", ".tsx": "typescript",
+ ".mjs": "javascript", ".cjs": "javascript",
+ }
+ language = lang_map.get(ext, "")
+
+ if language not in ("python", "javascript", "typescript"):
+ return []
+
+ try:
+ content = Path(file_path).read_text(encoding="utf-8", errors="replace")
+ except OSError:
+ return []
+
+ # Select sources and sinks for the language
+ if language == "python":
+ sources = _PYTHON_SOURCES
+ sinks = _PYTHON_SINKS
+ else:
+ sources = _JS_SOURCES
+ sinks = _JS_SINKS
+
+ # Extract functions and analyze each
+ functions = _extract_function_bodies(content, language)
+ lines = content.splitlines()
+ findings: list[DataFlowFinding] = []
+
+ rel_path = os.path.basename(file_path)
+ # Try to compute relative path
+ try:
+ from pathlib import PurePosixPath
+ rel_path = file_path # will be overridden by caller if needed
+ except Exception:
+ pass
+
+ for func_name, start, end in functions:
+ func_lines = lines[start - 1:end]
+ raw_findings = analyze_function_taint(
+ func_lines, sources, sinks, func_name, start,
+ )
+ for tvar, src_line, src_desc, snk_line, snk_desc, cwe, msg in raw_findings:
+ findings.append(DataFlowFinding(
+ file_path=file_path,
+ function_name=func_name,
+ source_line=src_line,
+ source_desc=src_desc,
+ sink_line=snk_line,
+ sink_desc=snk_desc,
+ tainted_var=tvar,
+ cwe=cwe,
+ message=msg,
+ ))
+
+ return findings
+
+
+# ---------------------------------------------------------------------------
+# Project-level analysis
+# ---------------------------------------------------------------------------
+
+def analyze_project(
+ project_dir: str,
+ paths: list[str] | None = None,
+) -> DataFlowReport:
+ """Run data flow analysis across a project or specific files.
+
+ Args:
+ project_dir: Project root directory.
+ paths: Specific file paths to analyze (relative to project root).
+ If None, scans all Python and JavaScript files.
+ """
+ import time
+
+ start = time.monotonic()
+ findings: list[DataFlowFinding] = []
+ files_analyzed = 0
+ functions_analyzed = 0
+
+ _SKIP_DIRS = frozenset({
+ ".git", "node_modules", "__pycache__", ".venv", "venv",
+ ".tox", "dist", "build", ".next", ".nuxt",
+ })
+ _SCAN_EXTS = frozenset({".py", ".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"})
+
+ if paths:
+ file_list = [os.path.join(project_dir, p) for p in paths]
+ else:
+ file_list = []
+ for dirpath, dirnames, filenames in os.walk(project_dir):
+ dirnames[:] = [d for d in dirnames if d not in _SKIP_DIRS]
+ for fname in filenames:
+ ext = os.path.splitext(fname)[1].lower()
+ if ext in _SCAN_EXTS:
+ file_list.append(os.path.join(dirpath, fname))
+
+ for abs_path in file_list:
+ if not os.path.isfile(abs_path):
+ continue
+ file_findings = analyze_file(abs_path)
+ # Fix relative paths in findings
+ for f in file_findings:
+ try:
+ f.file_path = os.path.relpath(abs_path, project_dir)
+ except ValueError:
+ f.file_path = abs_path
+ findings.extend(file_findings)
+ files_analyzed += 1
+
+ elapsed = (time.monotonic() - start) * 1000
+
+ return DataFlowReport(
+ findings=findings,
+ functions_analyzed=functions_analyzed,
+ files_analyzed=files_analyzed,
+ scan_time_ms=round(elapsed, 1),
+ )
+
+
+def format_report(report: DataFlowReport) -> str:
+ """Format a DataFlowReport as human-readable text."""
+ lines: list[str] = []
+
+ lines.append("Data Flow Analysis Report")
+ lines.append(f"Files: {report.files_analyzed} | "
+ f"Findings: {len(report.findings)} | "
+ f"Time: {report.scan_time_ms:.0f}ms")
+ lines.append("")
+
+ if not report.findings:
+ lines.append("No data flow vulnerabilities detected.")
+ return "\n".join(lines)
+
+ # Group by CWE
+ by_cwe: dict[str, list[DataFlowFinding]] = {}
+ for f in report.findings:
+ by_cwe.setdefault(f.cwe, []).append(f)
+
+ cwe_labels = {
+ "CWE-89": "SQL Injection",
+ "CWE-78": "Command Injection",
+ "CWE-79": "Cross-Site Scripting (XSS)",
+ "CWE-22": "Path Traversal",
+ "CWE-918": "Server-Side Request Forgery (SSRF)",
+ "CWE-601": "Open Redirect",
+ }
+
+ for cwe, cwe_findings in sorted(by_cwe.items()):
+ label = cwe_labels.get(cwe, cwe)
+ lines.append(f"## {label} [{cwe}] ({len(cwe_findings)} finding(s))")
+ for f in cwe_findings[:10]:
+ lines.append(f" {f.file_path}:{f.sink_line} in {f.function_name}()")
+ lines.append(f" Tainted variable '{f.tainted_var}' flows from "
+ f"line {f.source_line} ({f.source_desc}) to sink ({f.sink_desc})")
+ lines.append(f" {f.message}")
+ if len(cwe_findings) > 10:
+ lines.append(f" ... and {len(cwe_findings) - 10} more")
+ lines.append("")
+
+ return "\n".join(lines)
diff --git a/src/attocode/integrations/security/patterns.py b/src/attocode/integrations/security/patterns.py
index 9038f4e..9e838c2 100644
--- a/src/attocode/integrations/security/patterns.py
+++ b/src/attocode/integrations/security/patterns.py
@@ -286,6 +286,432 @@ class SecurityPattern:
"setTimeout/setInterval called with a string argument — behaves like eval()",
"Pass a function reference instead of a string; string args are implicit dynamic code execution",
["javascript", "typescript"], False),
+ # -----------------------------------------------------------------------
+ # Additional OWASP Top 10 detectors (Python)
+ # -----------------------------------------------------------------------
+ ("python_sql_format_string",
+ r"""\b(?:cursor\.execute|\.execute)\s*\(\s*['"].*?%[sd]""",
+ "high", "CWE-89",
+ "SQL query uses %-formatting — SQL injection risk",
+ "Use parameterized queries with ? or %s placeholders instead of string formatting",
+ ["python"], False),
+ ("python_sql_concat",
+ r"""\b(?:cursor\.execute|\.execute)\s*\(\s*['"].*?\+""",
+ "high", "CWE-89",
+ "SQL query built with string concatenation — SQL injection risk",
+ "Use parameterized queries with ? or %s placeholders instead of concatenation",
+ ["python"], False),
+ ("python_marshal_loads",
+ r"""\bmarshal\.loads?\s*\(""",
+ "high", "CWE-502",
+ "marshal.load/loads — unsafe deserialization of arbitrary code objects",
+ "Use json or other safe serialization formats; marshal is not safe for untrusted data",
+ ["python"], False),
+ ("python_debug_true",
+ r"""\bDEBUG\s*=\s*True\b""",
+ "medium", "CWE-489",
+ "DEBUG mode enabled — may expose sensitive information in production",
+ "Ensure DEBUG=False in production settings; use environment variables for configuration",
+ ["python"], False),
+ ("python_assert_security",
+ r"""\bassert\b(?!.*(?:test|spec))""",
+ "low", "CWE-617",
+ "assert used outside tests — stripped in optimized mode (-O flag)",
+ "Use explicit if/raise for security checks; assert is stripped with python -O",
+ ["python"], False),
+ ("hardcoded_ip_address",
+ r"""(?:['"])\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:['"])""",
+ "medium", "CWE-1188",
+ "Hardcoded IP address detected — may hinder deployment flexibility",
+ "Use configuration files or environment variables for IP addresses",
+ [], False),
+ ("python_os_system",
+ r"""\bos\.system\s*\(""",
+ "high", "CWE-78",
+ "os.system() — command injection risk via shell execution",
+ "Use subprocess.run() with shell=False and pass args as a list",
+ ["python"], False),
+ ("python_popen",
+ r"""\bos\.popen\s*\(""",
+ "high", "CWE-78",
+ "os.popen() — command injection risk via shell execution",
+ "Use subprocess.run() with shell=False and pass args as a list",
+ ["python"], False),
+ ("python_ssrf_request",
+ r"""\brequests\.(?:get|post|put|delete|patch|head)\s*\(\s*(?:f['"]|[^'"]*?\+|.*?\.format\()""",
+ "high", "CWE-918",
+ "HTTP request with dynamically constructed URL — potential SSRF",
+ "Validate and whitelist URLs before making requests; avoid user-controlled URL construction",
+ ["python"], False),
+ ("python_path_traversal",
+ r"""\bopen\s*\(\s*(?:os\.path\.join\s*\()?.*?(?:request|params|query|input|args)\b""",
+ "high", "CWE-22",
+ "File open with user-controlled path — path traversal risk",
+ "Validate and sanitize file paths; use os.path.realpath() and check against allowed directories",
+ ["python"], False),
+ ("python_weak_random",
+ r"""\brandom\.(?:random|randint|choice|randrange)\s*\(""",
+ "low", "CWE-330",
+ "Weak PRNG (random module) — not suitable for security-sensitive operations",
+ "Use secrets module or os.urandom() for cryptographic randomness",
+ ["python"], False),
+ ("python_cors_wildcard",
+ r"""(?:CORS|cors).*?\*""",
+ "medium", "CWE-942",
+ "CORS wildcard (*) allows any origin — may expose API to cross-origin attacks",
+ "Restrict CORS to specific trusted origins instead of using wildcard",
+ [], False),
+ # -----------------------------------------------------------------------
+ # Additional OWASP Top 10 detectors (JavaScript / TypeScript)
+ # -----------------------------------------------------------------------
+ ("js_no_escape_html",
+ r"""\.html\s*\(\s*(?!['"]<)""",
+ "medium", "CWE-79",
+ "jQuery .html() with dynamic content — XSS risk",
+ "Sanitize content before inserting; use .text() for untrusted data or DOMPurify for HTML",
+ ["javascript", "typescript"], False),
+ ("js_url_redirect",
+ r"""(?:window\.location|location\.href|location\.assign|location\.replace)\s*=\s*(?!['"])""",
+ "high", "CWE-601",
+ "Open redirect via dynamic URL assignment — phishing risk",
+ "Validate redirect URLs against a whitelist of allowed destinations",
+ ["javascript", "typescript"], False),
+ ("js_postmessage_wildcard",
+ r"""\.postMessage\s*\([^)]*?,\s*['"]\*""",
+ "medium", "CWE-346",
+ "postMessage with wildcard origin (*) — message sent to any window",
+ "Specify the exact target origin instead of '*' in postMessage",
+ ["javascript", "typescript"], False),
+ ("js_unsafe_regex",
+ r"""new\s+RegExp\s*\(\s*(?!['"])""",
+ "medium", "CWE-1333",
+ "RegExp constructed from variable — potential ReDoS if user-controlled",
+ "Validate and sanitize input before constructing RegExp; consider using a regex-safe library",
+ ["javascript", "typescript"], False),
+ ("js_prototype_pollution",
+ r"""(?:__proto__|constructor\s*\.\s*prototype)\s*(?:\[|=)""",
+ "high", "CWE-1321",
+ "Prototype pollution — modifying Object.prototype can affect all objects",
+ "Use Object.create(null), Map, or validate property names to prevent prototype pollution",
+ ["javascript", "typescript"], False),
+ ("js_child_process_exec",
+ r"""\bexec\s*\(\s*(?!['"])""",
+ "high", "CWE-78",
+ "child_process.exec() with dynamic input — command injection risk",
+ "Use execFile() or spawn() with arguments as an array; avoid shell interpolation",
+ ["javascript", "typescript"], False),
+ ("js_nosql_injection",
+ r"""\$(?:gt|gte|lt|lte|ne|in|nin|or|and|not|regex|where|exists)\b""",
+ "medium", "CWE-943",
+ "NoSQL query operator detected — potential NoSQL injection if user-controlled",
+ "Validate and sanitize query inputs; use explicit field comparisons instead of raw operators",
+ ["javascript", "typescript"], False),
+ # -----------------------------------------------------------------------
+ # Additional OWASP Top 10 detectors (Go)
+ # -----------------------------------------------------------------------
+ ("go_sql_sprintf",
+ r"""(?:fmt\.Sprintf|fmt\.Fprintf)\s*\([^)]*?(?:SELECT|INSERT|UPDATE|DELETE|WHERE|FROM)""",
+ "high", "CWE-89",
+ "SQL query built with fmt.Sprintf — SQL injection risk",
+ "Use parameterized queries with database/sql placeholder syntax ($1, ?, etc.)",
+ ["go"], False),
+ ("go_unhandled_error",
+ r"""(?:_\s*(?:,\s*)?=\s*|(?:,\s*)?_\s*=)\s*\w+\.\w+\(""",
+ "low", "CWE-391",
+ "Error return value ignored (assigned to _) — may mask failures",
+ "Handle the error explicitly; at minimum log it for debugging",
+ ["go"], False),
+ ("go_tls_insecure",
+ r"""InsecureSkipVerify\s*:\s*true""",
+ "high", "CWE-295",
+ "TLS certificate verification disabled (InsecureSkipVerify: true)",
+ "Enable TLS verification; use a custom CA certificate pool if needed",
+ ["go"], False),
+ # -----------------------------------------------------------------------
+ # Additional OWASP Top 10 detectors (Java / Kotlin)
+ # -----------------------------------------------------------------------
+ ("java_sql_concat",
+ r"""(?:Statement|PreparedStatement)\s*.*?(?:executeQuery|executeUpdate|execute)\s*\(\s*(?!['"])""",
+ "high", "CWE-89",
+ "SQL execution with dynamic input — SQL injection risk",
+ "Use PreparedStatement with parameterized queries (? placeholders)",
+ ["java", "kotlin"], False),
+ ("java_xxe",
+ r"""(?:XMLInputFactory|DocumentBuilderFactory|SAXParserFactory)\.newInstance\(\)""",
+ "medium", "CWE-611",
+ "XML parser created without disabling external entities — XXE risk",
+ "Disable external entities: setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) and disable DTDs",
+ ["java", "kotlin"], False),
+ ("java_deserialization",
+ r"""\bObjectInputStream\s*\(""",
+ "high", "CWE-502",
+ "ObjectInputStream — unsafe deserialization of untrusted data",
+ "Use JSON/protobuf for serialization; if ObjectInputStream is required, use an allowlist filter",
+ ["java", "kotlin"], False),
+ ("java_weak_crypto",
+ r"""Cipher\.getInstance\s*\(\s*['"](?:DES|RC4|Blowfish|RC2)""",
+ "high", "CWE-327",
+ "Weak cipher algorithm (DES/RC4/Blowfish/RC2) — easily broken",
+ "Use AES-256-GCM or ChaCha20-Poly1305 for symmetric encryption",
+ ["java", "kotlin"], False),
+ # -----------------------------------------------------------------------
+ # Additional OWASP Top 10 detectors (Ruby)
+ # -----------------------------------------------------------------------
+ ("ruby_system_call",
+ r"""\b(?:system|exec|spawn|IO\.popen)\s*\(?\s*(?!['"])""",
+ "high", "CWE-78",
+ "Shell command execution with dynamic input — command injection risk",
+ "Use parameterized system calls; pass command and arguments as separate array elements",
+ ["ruby"], False),
+ ("ruby_send_dynamic",
+ r"""\.send\s*\(\s*(?:params|request|input)""",
+ "high", "CWE-94",
+ "Dynamic method dispatch (.send) with user-controlled input — code injection risk",
+ "Validate method names against an explicit allowlist before calling .send",
+ ["ruby"], False),
+ # -----------------------------------------------------------------------
+ # Multi-language detectors
+ # -----------------------------------------------------------------------
+ ("hardcoded_localhost",
+ r"""['"](?:localhost|127\.0\.0\.1|0\.0\.0\.0):\d{2,5}['"]""",
+ "low", "CWE-1188",
+ "Hardcoded localhost address with port — may not work in containerized/deployed environments",
+ "Use configuration files or environment variables for host/port settings",
+ [], False),
+ ("todo_fixme_security",
+ r"""(?:#|//|/\*)\s*(?:TODO|FIXME|HACK|XXX)\s*.*?(?:security|auth|password|token|secret|credential|encrypt)""",
+ "info", "CWE-546",
+ "Security-related TODO/FIXME comment — unresolved security concern in code",
+ "Address the security concern described in the comment before deploying to production",
+ [], True),
+ # -----------------------------------------------------------------------
+ # Django framework detectors
+ # -----------------------------------------------------------------------
+ ("django_mark_safe",
+ r"""\bmark_safe\s*\(""",
+ "high", "CWE-79",
+ "mark_safe() with potentially untrusted content — XSS risk",
+ "Avoid mark_safe() on user-supplied data; use Django template autoescaping or bleach.clean()",
+ ["python"], False),
+ ("django_raw_sql",
+ r"""\b(?:raw|extra)\s*\(\s*(?:f['"]|['"].*?%[sd])""",
+ "high", "CWE-89",
+ "SQL injection via Django raw()/extra() with string formatting",
+ "Use parameterized queries: Model.objects.raw('SELECT ... WHERE id = %s', [user_id])",
+ ["python"], False),
+ ("django_csrf_exempt",
+ r"""@csrf_exempt""",
+ "medium", "CWE-352",
+ "CSRF protection disabled via @csrf_exempt decorator",
+ "Remove @csrf_exempt unless the endpoint genuinely requires it (e.g., webhook); use csrf_protect for selective protection",
+ ["python"], False),
+ ("django_debug_toolbar",
+ r"""debug_toolbar""",
+ "low", "CWE-489",
+ "Django Debug Toolbar reference detected — must not be enabled in production",
+ "Ensure debug_toolbar is only in INSTALLED_APPS when DEBUG=True; remove from production settings",
+ ["python"], False),
+ ("django_secret_key_hardcoded",
+ r"""SECRET_KEY\s*=\s*['"][^'"]{10,}['"]""",
+ "high", "CWE-798",
+ "Hardcoded Django SECRET_KEY — compromises session security and CSRF protection",
+ "Load SECRET_KEY from environment variable: SECRET_KEY = os.environ['DJANGO_SECRET_KEY']",
+ ["python"], False),
+ ("django_allowed_hosts_wildcard",
+ r"""ALLOWED_HOSTS\s*=\s*\[['"\*]""",
+ "medium", "CWE-942",
+ "ALLOWED_HOSTS contains wildcard '*' — allows HTTP Host header attacks",
+ "Set ALLOWED_HOSTS to specific domain names: ALLOWED_HOSTS = ['example.com']",
+ ["python"], False),
+ ("django_safe_string",
+ r"""\bSafeString\s*\(|SafeText\s*\(|SafeData\s*\(""",
+ "medium", "CWE-79",
+ "Wrapping content in SafeString/SafeText/SafeData bypasses template autoescaping — XSS risk",
+ "Let Django's template autoescaping handle output; only use Safe* wrappers after sanitizing with bleach",
+ ["python"], False),
+ ("django_session_cookie_insecure",
+ r"""SESSION_COOKIE_SECURE\s*=\s*False""",
+ "medium", "CWE-614",
+ "Django session cookie transmitted without Secure flag — vulnerable to interception over HTTP",
+ "Set SESSION_COOKIE_SECURE = True in production to require HTTPS for session cookies",
+ ["python"], False),
+ # -----------------------------------------------------------------------
+ # Flask framework detectors
+ # -----------------------------------------------------------------------
+ ("flask_debug_mode",
+ r"""app\.run\s*\([^)]*debug\s*=\s*True""",
+ "high", "CWE-489",
+ "Flask app running with debug=True — exposes interactive debugger and reloader in production",
+ "Set debug=False in production; use FLASK_DEBUG environment variable for development",
+ ["python"], False),
+ ("flask_send_file_user_input",
+ r"""send_file\s*\(\s*(?:request|f['"]|.*?\+)""",
+ "high", "CWE-22",
+ "Flask send_file() with user-controlled path — path traversal risk",
+ "Use send_from_directory() with a fixed base directory; validate and sanitize filenames",
+ ["python"], False),
+ ("flask_jsonify_user_data",
+ r"""make_response\s*\(\s*(?:request|f['"])""",
+ "medium", "CWE-79",
+ "Flask make_response() with unescaped user data — potential XSS or injection",
+ "Use flask.jsonify() for JSON responses; escape HTML content with markupsafe.escape()",
+ ["python"], False),
+ ("flask_secret_key_hardcoded",
+ r"""app\.secret_key\s*=\s*['"][^'"]{5,}['"]""",
+ "high", "CWE-798",
+ "Hardcoded Flask secret_key — compromises session signing and CSRF tokens",
+ "Load secret_key from environment variable: app.secret_key = os.environ['FLASK_SECRET_KEY']",
+ ["python"], False),
+ ("flask_no_csrf",
+ r"""WTF_CSRF_ENABLED\s*=\s*False""",
+ "medium", "CWE-352",
+ "CSRF protection disabled in Flask-WTF — forms vulnerable to cross-site request forgery",
+ "Enable CSRF protection: set WTF_CSRF_ENABLED = True or remove the override",
+ ["python"], False),
+ # -----------------------------------------------------------------------
+ # Express / Node.js framework detectors
+ # -----------------------------------------------------------------------
+ ("express_cors_wildcard",
+ r"""cors\s*\(\s*\)""",
+ "medium", "CWE-942",
+ "Express CORS middleware with default config — allows all origins",
+ "Configure cors() with specific origin: cors({ origin: 'https://example.com' })",
+ ["javascript", "typescript"], False),
+ ("express_helmet_disabled",
+ r"""app\.disable\s*\(\s*['"]x-powered-by['"]""",
+ "low", "CWE-200",
+ "Manual X-Powered-By removal instead of using helmet — may miss other security headers",
+ "Use helmet middleware for comprehensive security headers: app.use(helmet())",
+ ["javascript", "typescript"], False),
+ ("express_body_parser_limit",
+ r"""bodyParser\.json\s*\(\s*\)""",
+ "low", "CWE-400",
+ "bodyParser.json() without size limit — vulnerable to large payload DoS",
+ "Set a body size limit: bodyParser.json({ limit: '100kb' })",
+ ["javascript", "typescript"], False),
+ ("express_sql_template",
+ r"""(?:query|execute)\s*\(\s*`[^`]*\$\{""",
+ "high", "CWE-89",
+ "SQL query built with template literal interpolation — SQL injection risk",
+ "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId])",
+ ["javascript", "typescript"], False),
+ ("express_jwt_no_verify",
+ r"""jwt\.decode\s*\([^)]*?,\s*\{[^}]*complete\s*:\s*true""",
+ "high", "CWE-347",
+ "JWT decoded without signature verification — token integrity not checked",
+ "Use jwt.verify() instead of jwt.decode() to validate token signatures",
+ ["javascript", "typescript"], False),
+ ("express_rate_limit_missing",
+ r"""app\.(?:post|put|delete)\s*\(\s*['"]\/(?:api|auth|login)""",
+ "low", "CWE-799",
+ "Sensitive API endpoint without apparent rate limiting — brute force risk",
+ "Apply rate limiting middleware: app.use('/api', rateLimit({ windowMs: 15*60*1000, max: 100 }))",
+ ["javascript", "typescript"], False),
+ ("express_session_insecure",
+ r"""(?:cookie|session).*?secure\s*:\s*false""",
+ "medium", "CWE-614",
+ "Session/cookie configured with secure: false — transmitted over HTTP",
+ "Set secure: true in production to require HTTPS for cookies",
+ ["javascript", "typescript"], False),
+ # -----------------------------------------------------------------------
+ # Spring / Java framework detectors
+ # -----------------------------------------------------------------------
+ ("spring_sql_concatenation",
+ r"""@Query\s*\(\s*['"].*?\+""",
+ "high", "CWE-89",
+ "SQL injection in Spring @Query annotation via string concatenation",
+ "Use named parameters in @Query: @Query('SELECT u FROM User u WHERE u.name = :name')",
+ ["java", "kotlin"], False),
+ ("spring_csrf_disabled",
+ r"""\.csrf\s*\(\s*\)\s*\.disable\s*\(\)""",
+ "medium", "CWE-352",
+ "Spring Security CSRF protection disabled — forms vulnerable to cross-site request forgery",
+ "Keep CSRF enabled for browser-facing endpoints; disable only for stateless APIs with token auth",
+ ["java", "kotlin"], False),
+ ("spring_cors_permit_all",
+ r"""\.allowedOrigins\s*\(\s*['"]\*['"]""",
+ "medium", "CWE-942",
+ "Spring CORS configured with wildcard origin '*' — allows any domain to make requests",
+ "Restrict allowedOrigins to specific trusted domains",
+ ["java", "kotlin"], False),
+ ("spring_actuator_exposed",
+ r"""management\.endpoints\.web\.exposure\.include\s*=\s*\*""",
+ "high", "CWE-200",
+ "All Spring Boot actuator endpoints exposed — leaks environment, health, and config data",
+ "Expose only needed endpoints: management.endpoints.web.exposure.include=health,info",
+ ["java", "kotlin"], False),
+ ("spring_hardcoded_password",
+ r"""spring\.datasource\.password\s*=\s*[^\$]""",
+ "high", "CWE-798",
+ "Hardcoded database password in Spring configuration — credential exposure risk",
+ "Use environment variable substitution: spring.datasource.password=${DB_PASSWORD}",
+ ["java", "kotlin"], False),
+ ("spring_security_permit_all",
+ r"""\.permitAll\s*\(\s*\)""",
+ "low", "CWE-862",
+ "Spring Security .permitAll() — verify endpoint intentionally allows unauthenticated access",
+ "Review whether the endpoint should require authentication; use .authenticated() for protected resources",
+ ["java", "kotlin"], False),
+ # -----------------------------------------------------------------------
+ # Rails framework detectors
+ # -----------------------------------------------------------------------
+ ("rails_html_safe",
+ r"""\.html_safe\b""",
+ "high", "CWE-79",
+ "Rails .html_safe on potentially untrusted content — XSS risk",
+ "Use sanitize() helper or ERB autoescaping; only call .html_safe on content you fully control",
+ ["ruby"], False),
+ ("rails_raw_sql",
+ r"""(?:find_by_sql|connection\.execute)\s*\(\s*(?!['"])""",
+ "high", "CWE-89",
+ "Rails raw SQL with dynamic input — SQL injection risk",
+ "Use parameterized queries: User.find_by_sql(['SELECT * FROM users WHERE id = ?', id])",
+ ["ruby"], False),
+ ("rails_mass_assignment",
+ r"""params\.permit!\b""",
+ "high", "CWE-915",
+ "Rails params.permit! allows mass assignment of all parameters — privilege escalation risk",
+ "Use explicit strong parameters: params.require(:user).permit(:name, :email)",
+ ["ruby"], False),
+ ("rails_force_ssl_false",
+ r"""force_ssl\s*=\s*false|config\.force_ssl\s*=\s*false""",
+ "medium", "CWE-319",
+ "Rails force_ssl disabled — application may serve requests over unencrypted HTTP",
+ "Set config.force_ssl = true in production to redirect all HTTP to HTTPS",
+ ["ruby"], False),
+ ("rails_skip_forgery",
+ r"""skip_before_action\s*:verify_authenticity_token""",
+ "medium", "CWE-352",
+ "Rails CSRF protection skipped via skip_before_action — forgery risk",
+ "Keep CSRF verification enabled; skip only for API-only controllers with token authentication",
+ ["ruby"], False),
+ # -----------------------------------------------------------------------
+ # General framework-agnostic detectors
+ # -----------------------------------------------------------------------
+ ("graphql_introspection",
+ r"""introspection\s*[:=]\s*true""",
+ "low", "CWE-200",
+ "GraphQL introspection enabled — exposes full API schema to attackers in production",
+ "Disable introspection in production: set introspection to false",
+ [], False),
+ ("hardcoded_port",
+ r"""(?:PORT|port)\s*[:=]\s*\d{4,5}\b""",
+ "low", "CWE-1188",
+ "Hardcoded port number — reduces deployment flexibility",
+ "Use environment variable: PORT = int(os.environ.get('PORT', 8080))",
+ [], False),
+ ("admin_route_unprotected",
+ r"""(?:route|path|get|post)\s*\(\s*['"]\/admin""",
+ "low", "CWE-862",
+ "Admin route detected — ensure authentication and authorization middleware is applied",
+ "Protect admin routes with authentication middleware and role-based access control",
+ [], False),
+ ("cookie_httponly_false",
+ r"""httpOnly\s*[:=]\s*false|httponly\s*[:=]\s*False""",
+ "medium", "CWE-1004",
+ "Cookie without HttpOnly flag — accessible to JavaScript, increasing XSS impact",
+ "Set httpOnly: true (or httponly=True) to prevent client-side script access to the cookie",
+ [], False),
]
ANTI_PATTERNS: list[SecurityPattern] = [
diff --git a/src/attocode/integrations/security/scanner.py b/src/attocode/integrations/security/scanner.py
index 1b8eca3..600b2a7 100644
--- a/src/attocode/integrations/security/scanner.py
+++ b/src/attocode/integrations/security/scanner.py
@@ -20,6 +20,10 @@
SecurityPattern,
Severity,
)
+from attocode.integrations.security.custom_rules import (
+ get_autofix_from_rules,
+ load_custom_rules,
+)
logger = logging.getLogger(__name__)
@@ -52,6 +56,17 @@ class SecurityFinding:
recommendation: str
cwe_id: str = ""
pattern_name: str = ""
+ fix_diff: str = "" # unified diff suggestion for mechanical fixes
+
+
+# Autofix templates: pattern_name -> (search, replace) for mechanical fixes.
+# These are safe, deterministic transformations for common patterns.
+_AUTOFIX_TEMPLATES: dict[str, tuple[str, str]] = {
+ "python_yaml_unsafe": ("yaml.load(", "yaml.safe_load("),
+ "python_shell_true": ("shell=True", "shell=False"),
+ "python_tempfile_insecure": ("tempfile.mktemp(", "tempfile.mkstemp("),
+ "python_verify_false": ("verify=False", "verify=True"),
+}
@dataclass(slots=True)
@@ -79,10 +94,14 @@ class SecurityScanner:
root_dir: str
_language_map: dict[str, str] = field(default_factory=dict, repr=False)
+ _custom_patterns: list[SecurityPattern] = field(default_factory=list, repr=False)
+ _custom_autofixes: dict[str, tuple[str, str]] = field(default_factory=dict, repr=False)
def __post_init__(self) -> None:
from attocode.integrations.context.codebase_context import EXTENSION_LANGUAGES
self._language_map = dict(EXTENSION_LANGUAGES)
+ self._custom_patterns = load_custom_rules(self.root_dir)
+ self._custom_autofixes = get_autofix_from_rules(self.root_dir)
def scan(
self,
@@ -225,6 +244,10 @@ def _scan_files(
findings.extend(
self._scan_content(content, rel_path, ANTI_PATTERNS, language),
)
+ if self._custom_patterns:
+ findings.extend(
+ self._scan_content(content, rel_path, self._custom_patterns, language),
+ )
return files_scanned, findings
@@ -236,8 +259,21 @@ def _scan_content(
language: str,
) -> list[SecurityFinding]:
"""Scan file content against a set of patterns."""
- return [
- SecurityFinding(
+ findings: list[SecurityFinding] = []
+ for line_no, line_text, pat in iter_pattern_matches(content, patterns, language):
+ fix_diff = ""
+ template = _AUTOFIX_TEMPLATES.get(pat.name) or self._custom_autofixes.get(pat.name)
+ if template and template[0] in line_text:
+ old_line = line_text
+ new_line = line_text.replace(template[0], template[1], 1)
+ fix_diff = (
+ f"--- a/{file_path}\n"
+ f"+++ b/{file_path}\n"
+ f"@@ -{line_no},1 +{line_no},1 @@\n"
+ f"-{old_line}\n"
+ f"+{new_line}"
+ )
+ findings.append(SecurityFinding(
severity=pat.severity,
category=pat.category,
file_path=file_path,
@@ -246,9 +282,9 @@ def _scan_content(
recommendation=pat.recommendation,
cwe_id=pat.cwe_id,
pattern_name=pat.name,
- )
- for line_no, _line, pat in iter_pattern_matches(content, patterns, language)
- ]
+ fix_diff=fix_diff,
+ ))
+ return findings
@staticmethod
def _compute_score(summary: dict[str, int]) -> int:
@@ -304,6 +340,10 @@ def format_report(self, report: SecurityReport) -> str:
lines.append(f" {f.file_path}:{f.line}{cwe}")
lines.append(f" {f.message}")
lines.append(f" → {f.recommendation}")
+ if f.fix_diff:
+ lines.append(f" Autofix:")
+ for dl in f.fix_diff.splitlines():
+ lines.append(f" {dl}")
if len(group) > 20:
lines.append(f" ... and {len(group) - 20} more {sev} findings")
lines.append("")
diff --git a/tests/unit/code_intel/tools/test_search_tools.py b/tests/unit/code_intel/tools/test_search_tools.py
index d87c8a2..f009bed 100644
--- a/tests/unit/code_intel/tools/test_search_tools.py
+++ b/tests/unit/code_intel/tools/test_search_tools.py
@@ -110,3 +110,121 @@ def test_fast_search(self):
result = fast_search(pattern="helper", max_results=10)
assert isinstance(result, str)
+
+
+class TestRegexSearch:
+ """Tests for the regex_search tool."""
+
+ @pytest.fixture(autouse=True)
+ def _setup(self, tool_test_project, mock_ast_service,
+ mock_code_intel_service, mock_context_manager):
+ """Setup mocks for regex_search tests."""
+ import attocode.code_intel._shared as ci_shared
+ import attocode.code_intel.server as srv
+ import attocode.code_intel.tools.search_tools as st
+
+ # Reset singletons
+ ci_shared._ast_service = None
+ ci_shared._context_mgr = None
+ ci_shared._service = None
+
+ srv._ast_service = mock_ast_service
+ srv._context_mgr = mock_context_manager
+
+ # Force brute-force mode (no trigram index)
+ st._trigram_index = None
+
+ self._st = st
+ self._project = tool_test_project
+
+ yield
+
+ # Cleanup
+ srv._ast_service = None
+ srv._context_mgr = None
+ st._trigram_index = None
+
+ def test_regex_search_returns_string(self):
+ """Test regex_search returns a string."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ result = regex_search(pattern="helper")
+ assert isinstance(result, str)
+
+ def test_regex_search_finds_matches(self):
+ """Test regex_search finds known content with file:line: format."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ # Write a file with known content
+ target = self._project / "src" / "searchable.py"
+ target.write_text("alpha\nbeta\ngamma\nalpha_two\n")
+
+ result = regex_search(pattern="alpha")
+ assert isinstance(result, str)
+ assert "searchable.py" in result
+ # Verify file:line: format
+ assert "src/searchable.py:1:" in result
+ assert "src/searchable.py:4:" in result
+ assert "alpha_two" in result
+
+ def test_regex_search_case_insensitive(self):
+ """Test case_insensitive=True finds matches regardless of case."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ target = self._project / "src" / "case_test.py"
+ target.write_text("Hello World\nhello world\nHELLO WORLD\n")
+
+ # Case-sensitive should not find uppercase when searching lowercase
+ result_sensitive = regex_search(pattern="^hello", case_insensitive=False)
+ assert "case_test.py:2:" in result_sensitive
+ assert "case_test.py:1:" not in result_sensitive
+
+ # Case-insensitive should find all three
+ result_insensitive = regex_search(pattern="^hello", case_insensitive=True)
+ assert "case_test.py:1:" in result_insensitive
+ assert "case_test.py:2:" in result_insensitive
+ assert "case_test.py:3:" in result_insensitive
+
+ def test_regex_search_max_results(self):
+ """Test that results are capped at max_results."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ # Write a file with many matching lines
+ target = self._project / "src" / "many_lines.py"
+ lines = [f"match_line_{i}" for i in range(100)]
+ target.write_text("\n".join(lines) + "\n")
+
+ result = regex_search(pattern="match_line_", max_results=5)
+ assert "limited to 5 results" in result
+ # Count the file:line: entries — should be exactly 5
+ match_lines = [l for l in result.splitlines() if "many_lines.py:" in l]
+ assert len(match_lines) == 5
+
+ def test_regex_search_no_matches(self):
+ """Test that a pattern matching nothing returns 'No matches found.'."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ result = regex_search(pattern="zzz_nonexistent_pattern_xyz")
+ assert result == "No matches found."
+
+ def test_regex_search_invalid_regex(self):
+ """Test that an invalid regex returns an error message."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ result = regex_search(pattern="[invalid(")
+ assert result.startswith("Error: Invalid regex pattern:")
+
+ def test_regex_search_path_filter(self):
+ """Test that path parameter restricts search to a subdirectory."""
+ from attocode.code_intel.tools.search_tools import regex_search
+
+ # Write files in two different directories
+ sub = self._project / "sub"
+ sub.mkdir(parents=True, exist_ok=True)
+ (sub / "found.py").write_text("unique_marker_alpha\n")
+ (self._project / "src" / "other.py").write_text("unique_marker_alpha\n")
+
+ # Search only within 'sub' directory
+ result = regex_search(pattern="unique_marker_alpha", path="sub")
+ assert "found.py" in result
+ assert "other.py" not in result
diff --git a/tests/unit/integrations/context/test_architecture_drift.py b/tests/unit/integrations/context/test_architecture_drift.py
new file mode 100644
index 0000000..909d9d0
--- /dev/null
+++ b/tests/unit/integrations/context/test_architecture_drift.py
@@ -0,0 +1,324 @@
+"""Tests for architecture drift detection.
+
+Validates YAML config loading, layer classification, dependency checking,
+violation reporting, and edge cases.
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+import pytest
+
+from attocode.integrations.context.architecture_drift import (
+ ArchLayer,
+ ArchReport,
+ ArchRule,
+ ArchViolation,
+ check_drift,
+ classify_file,
+ format_report,
+ load_architecture,
+)
+
+
+# ---------------------------------------------------------------------------
+# Layer classification
+# ---------------------------------------------------------------------------
+
+
+class TestClassifyFile:
+ def test_matches_prefix(self):
+ layers = [ArchLayer(name="api", paths=["src/api/"])]
+ assert classify_file("src/api/routes.py", layers) == "api"
+
+ def test_no_match_returns_empty(self):
+ layers = [ArchLayer(name="api", paths=["src/api/"])]
+ assert classify_file("src/models/user.py", layers) == ""
+
+ def test_first_match_wins(self):
+ layers = [
+ ArchLayer(name="api", paths=["src/api/"]),
+ ArchLayer(name="all_src", paths=["src/"]),
+ ]
+ assert classify_file("src/api/routes.py", layers) == "api"
+
+ def test_multiple_paths_per_layer(self):
+ layers = [ArchLayer(name="data", paths=["src/models/", "src/db/"])]
+ assert classify_file("src/models/user.py", layers) == "data"
+ assert classify_file("src/db/connect.py", layers) == "data"
+
+ def test_layer_matches_method(self):
+ layer = ArchLayer(name="api", paths=["src/api/", "src/routes/"])
+ assert layer.matches("src/api/health.py") is True
+ assert layer.matches("src/routes/index.py") is True
+ assert layer.matches("src/models/user.py") is False
+
+
+# ---------------------------------------------------------------------------
+# YAML loading
+# ---------------------------------------------------------------------------
+
+
+class TestLoadArchitecture:
+ def test_missing_file_returns_empty(self, tmp_path):
+ layers, rules, exceptions = load_architecture(str(tmp_path))
+ assert layers == []
+ assert rules == []
+ assert exceptions == {}
+
+ def test_loads_layers(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ " - name: data\n"
+ " paths: ['src/models/', 'src/db/']\n"
+ )
+ layers, rules, exceptions = load_architecture(str(tmp_path))
+ assert len(layers) == 2
+ assert layers[0].name == "api"
+ assert layers[1].name == "data"
+ assert "src/models/" in layers[1].paths
+
+ def test_loads_rules(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ " - name: data\n"
+ " paths: ['src/db/']\n"
+ "rules:\n"
+ " - from: api\n"
+ " to: [data]\n"
+ " deny: []\n"
+ )
+ layers, rules, exceptions = load_architecture(str(tmp_path))
+ assert len(rules) == 1
+ assert rules[0].from_layer == "api"
+ assert rules[0].allowed == ["data"]
+
+ def test_loads_deny_rules(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ " - name: data\n"
+ " paths: ['src/db/']\n"
+ "rules:\n"
+ " - from: api\n"
+ " deny: [data]\n"
+ )
+ _, rules, _ = load_architecture(str(tmp_path))
+ assert rules[0].denied == ["data"]
+
+ def test_loads_exceptions(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ "exceptions:\n"
+ " - file: src/api/health.py\n"
+ " allowed: ['src/db/health.py']\n"
+ )
+ _, _, exceptions = load_architecture(str(tmp_path))
+ assert "src/api/health.py" in exceptions
+ assert "src/db/health.py" in exceptions["src/api/health.py"]
+
+ def test_empty_yaml_returns_empty(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text("")
+ layers, rules, exceptions = load_architecture(str(tmp_path))
+ assert layers == []
+
+ def test_invalid_yaml_returns_empty(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(": : : bad yaml [[[")
+ layers, rules, exceptions = load_architecture(str(tmp_path))
+ assert layers == []
+
+
+# ---------------------------------------------------------------------------
+# Drift checking
+# ---------------------------------------------------------------------------
+
+
+class TestCheckDrift:
+ def _setup_config(self, tmp_path):
+ """Create a standard 3-layer architecture config."""
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ " - name: service\n"
+ " paths: ['src/services/']\n"
+ " - name: data\n"
+ " paths: ['src/models/', 'src/db/']\n"
+ "rules:\n"
+ " - from: api\n"
+ " to: [service]\n"
+ " deny: [data]\n"
+ " - from: service\n"
+ " to: [data]\n"
+ " deny: [api]\n"
+ " - from: data\n"
+ " to: []\n"
+ " deny: [api, service]\n"
+ )
+
+ def test_no_violations(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "src/api/routes.py": {"src/services/auth.py"},
+ "src/services/auth.py": {"src/models/user.py"},
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 0
+ assert report.files_checked == 2
+ assert report.compliant_files == 2
+
+ def test_deny_violation(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "src/api/routes.py": {"src/models/user.py"}, # api -> data is denied
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 1
+ v = report.violations[0]
+ assert v.source_layer == "api"
+ assert v.target_layer == "data"
+ assert v.severity == "high"
+ assert "deny" in v.rule.lower()
+
+ def test_unlisted_dependency_violation(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "src/services/auth.py": {"src/api/routes.py"}, # service -> api is denied
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 1
+ assert report.violations[0].severity == "high"
+
+ def test_intra_layer_always_allowed(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "src/api/routes.py": {"src/api/middleware.py"}, # same layer
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 0
+
+ def test_exception_overrides_deny(self, tmp_path):
+ config_dir = tmp_path / ".attocode"
+ config_dir.mkdir()
+ (config_dir / "architecture.yaml").write_text(
+ "layers:\n"
+ " - name: api\n"
+ " paths: ['src/api/']\n"
+ " - name: data\n"
+ " paths: ['src/db/']\n"
+ "rules:\n"
+ " - from: api\n"
+ " deny: [data]\n"
+ "exceptions:\n"
+ " - file: src/api/health.py\n"
+ " allowed: ['src/db/health.py']\n"
+ )
+ deps = {
+ "src/api/health.py": {"src/db/health.py"}, # allowed by exception
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 0
+
+ def test_unclassified_files_skipped(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "scripts/deploy.py": {"src/models/user.py"}, # scripts not in any layer
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ assert len(report.violations) == 0
+ assert report.files_checked == 0
+
+ def test_no_config_returns_empty_report(self, tmp_path):
+ report = check_drift(str(tmp_path), dependencies={})
+ assert report.layers_defined == 0
+ assert report.rules_defined == 0
+ assert len(report.violations) == 0
+
+ def test_multiple_violations_sorted(self, tmp_path):
+ self._setup_config(tmp_path)
+ deps = {
+ "src/api/routes.py": {"src/models/user.py"}, # deny -> high
+ "src/data/extra.py": set(),
+ }
+ report = check_drift(str(tmp_path), dependencies=deps)
+ # high severity should come first
+ if report.violations:
+ assert report.violations[0].severity == "high"
+
+
+# ---------------------------------------------------------------------------
+# Report formatting
+# ---------------------------------------------------------------------------
+
+
+class TestFormatReport:
+ def test_no_violations_message(self):
+ report = ArchReport(
+ violations=[], layers_defined=3, rules_defined=3,
+ files_checked=10, compliant_files=10,
+ )
+ text = format_report(report)
+ assert "No architecture violations detected" in text
+ assert "Layers defined: 3" in text
+
+ def test_violations_in_output(self):
+ v = ArchViolation(
+ source_file="src/api/routes.py",
+ target_file="src/models/user.py",
+ source_layer="api",
+ target_layer="data",
+ rule="Layer 'api' must NOT depend on 'data' (deny rule)",
+ severity="high",
+ )
+ report = ArchReport(
+ violations=[v], layers_defined=2, rules_defined=1,
+ files_checked=1, compliant_files=0,
+ )
+ text = format_report(report)
+ assert "HIGH" in text
+ assert "src/api/routes.py" in text
+ assert "src/models/user.py" in text
+ assert "1 violation" in text
+
+ def test_mixed_severities(self):
+ high = ArchViolation(
+ source_file="a.py", target_file="b.py",
+ source_layer="api", target_layer="data",
+ rule="deny", severity="high",
+ )
+ medium = ArchViolation(
+ source_file="c.py", target_file="d.py",
+ source_layer="api", target_layer="infra",
+ rule="unlisted", severity="medium",
+ )
+ report = ArchReport(
+ violations=[high, medium], layers_defined=3, rules_defined=2,
+ files_checked=2, compliant_files=0,
+ )
+ text = format_report(report)
+ assert "HIGH" in text
+ assert "MEDIUM" in text
+ assert "2 violation" in text
diff --git a/tests/unit/integrations/context/test_embeddings.py b/tests/unit/integrations/context/test_embeddings.py
new file mode 100644
index 0000000..f77f5af
--- /dev/null
+++ b/tests/unit/integrations/context/test_embeddings.py
@@ -0,0 +1,304 @@
+"""Tests for embedding provider abstraction and model selection."""
+
+from __future__ import annotations
+
+import sys
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+from attocode.integrations.context.embeddings import (
+ CodeEmbeddingProvider,
+ EmbeddingProvider,
+ LocalEmbeddingProvider,
+ NullEmbeddingProvider,
+ _provider_cache,
+ create_embedding_provider,
+)
+
+
+@pytest.fixture(autouse=True)
+def _clear_provider_cache() -> None:
+ """Clear the module-level provider cache between tests."""
+ _provider_cache.clear()
+
+
+# ============================================================
+# CodeEmbeddingProvider Tests
+# ============================================================
+
+
+class TestCodeEmbeddingProvider:
+ """Tests for the BGE code-optimized embedding provider."""
+
+ def test_initialization_loads_bge_model(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ mock_model = MagicMock()
+ mock_st.SentenceTransformer.return_value = mock_model
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+
+ mock_st.SentenceTransformer.assert_called_once_with("BAAI/bge-base-en-v1.5")
+ assert provider._model is mock_model
+
+ def test_dimension_returns_768(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+
+ assert provider.dimension() == 768
+
+ def test_name_returns_bge_identifier(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+
+ assert provider.name == "local:bge-base-en-v1.5"
+
+ def test_embed_calls_model_encode(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ mock_model = MagicMock()
+ # Simulate numpy-like arrays with .tolist()
+ vec1 = MagicMock()
+ vec1.tolist.return_value = [0.1, 0.2, 0.3]
+ vec2 = MagicMock()
+ vec2.tolist.return_value = [0.4, 0.5, 0.6]
+ mock_model.encode.return_value = [vec1, vec2]
+ mock_st.SentenceTransformer.return_value = mock_model
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+ texts = ["def foo():", "class Bar:"]
+ result = provider.embed(texts)
+
+ mock_model.encode.assert_called_once_with(texts, convert_to_numpy=True)
+ assert result == [[0.1, 0.2, 0.3], [0.4, 0.5, 0.6]]
+
+ def test_embed_empty_input(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ mock_model = MagicMock()
+ mock_model.encode.return_value = []
+ mock_st.SentenceTransformer.return_value = mock_model
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+ result = provider.embed([])
+
+ assert result == []
+
+ def test_is_embedding_provider_subclass(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = CodeEmbeddingProvider()
+
+ assert isinstance(provider, EmbeddingProvider)
+
+
+# ============================================================
+# create_embedding_provider Tests
+# ============================================================
+
+
+class TestCreateEmbeddingProvider:
+ """Tests for model selection and auto-detection logic."""
+
+ def test_explicit_bge_creates_code_embedding_provider(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = create_embedding_provider("bge")
+
+ assert isinstance(provider, CodeEmbeddingProvider)
+ assert provider.name == "local:bge-base-en-v1.5"
+
+ def test_explicit_bge_raises_import_error_when_st_unavailable(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ # Ensure sentence_transformers is not available
+ monkeypatch.delitem(sys.modules, "sentence_transformers", raising=False)
+
+ with patch(
+ "attocode.integrations.context.embeddings.CodeEmbeddingProvider.__init__",
+ side_effect=ImportError("No module named 'sentence_transformers'"),
+ ):
+ with pytest.raises(ImportError, match="sentence-transformers"):
+ create_embedding_provider("bge")
+
+ def test_auto_detect_tries_bge_first(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = create_embedding_provider("")
+
+ assert isinstance(provider, CodeEmbeddingProvider)
+ assert provider.dimension() == 768
+
+ def test_auto_detect_falls_back_to_minilm_when_bge_fails(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ call_count = 0
+ original_init = MagicMock()
+
+ def mock_sentence_transformer(model_name: str, **kwargs): # noqa: ANN003
+ nonlocal call_count
+ call_count += 1
+ if model_name == "BAAI/bge-base-en-v1.5":
+ raise RuntimeError("Failed to load BGE model")
+ return MagicMock()
+
+ mock_st.SentenceTransformer.side_effect = mock_sentence_transformer
+ # Remove env vars that could interfere
+ monkeypatch.delenv("OPENAI_API_KEY", raising=False)
+ monkeypatch.delenv("ATTOCODE_EMBEDDING_MODEL", raising=False)
+
+ provider = create_embedding_provider("")
+
+ assert isinstance(provider, LocalEmbeddingProvider)
+ assert provider.name == "local:all-MiniLM-L6-v2"
+
+ def test_auto_detect_falls_back_to_null_when_nothing_available(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ """When sentence_transformers is not importable and no OpenAI key is set,
+ auto-detect should return NullEmbeddingProvider."""
+ monkeypatch.delenv("OPENAI_API_KEY", raising=False)
+ monkeypatch.delenv("ATTOCODE_EMBEDDING_MODEL", raising=False)
+
+ with patch(
+ "attocode.integrations.context.embeddings.CodeEmbeddingProvider.__init__",
+ side_effect=ImportError("No module named 'sentence_transformers'"),
+ ), patch(
+ "attocode.integrations.context.embeddings.LocalEmbeddingProvider.__init__",
+ side_effect=ImportError("No module named 'sentence_transformers'"),
+ ):
+ provider = create_embedding_provider("")
+
+ assert isinstance(provider, NullEmbeddingProvider)
+
+ def test_provider_caching(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider1 = create_embedding_provider("bge")
+ provider2 = create_embedding_provider("bge")
+
+ assert provider1 is provider2
+ assert "bge" in _provider_cache
+
+ def test_auto_detect_caches_under_empty_string_key(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+ monkeypatch.delenv("ATTOCODE_EMBEDDING_MODEL", raising=False)
+
+ provider = create_embedding_provider("")
+
+ assert "" in _provider_cache
+ assert _provider_cache[""] is provider
+
+ def test_null_provider_not_cached(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ """NullEmbeddingProvider should not be cached so retry picks up
+ newly installed packages."""
+ monkeypatch.delenv("OPENAI_API_KEY", raising=False)
+ monkeypatch.delenv("ATTOCODE_EMBEDDING_MODEL", raising=False)
+
+ with patch(
+ "attocode.integrations.context.embeddings.CodeEmbeddingProvider.__init__",
+ side_effect=ImportError("nope"),
+ ), patch(
+ "attocode.integrations.context.embeddings.LocalEmbeddingProvider.__init__",
+ side_effect=ImportError("nope"),
+ ):
+ provider = create_embedding_provider("")
+
+ assert isinstance(provider, NullEmbeddingProvider)
+ assert "" not in _provider_cache
+
+ def test_env_var_model_selection(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+ monkeypatch.setenv("ATTOCODE_EMBEDDING_MODEL", "bge")
+
+ provider = create_embedding_provider("")
+
+ assert isinstance(provider, CodeEmbeddingProvider)
+ assert "bge" in _provider_cache
+
+ def test_explicit_minilm_creates_local_provider(
+ self, monkeypatch: pytest.MonkeyPatch,
+ ) -> None:
+ mock_st = MagicMock()
+ monkeypatch.setitem(sys.modules, "sentence_transformers", mock_st)
+
+ provider = create_embedding_provider("all-MiniLM-L6-v2")
+
+ assert isinstance(provider, LocalEmbeddingProvider)
+ assert provider.dimension() == 384
+
+
+# ============================================================
+# NullEmbeddingProvider Tests
+# ============================================================
+
+
+class TestNullEmbeddingProvider:
+ """Tests for graceful degradation fallback."""
+
+ def test_embed_returns_empty_vectors(self) -> None:
+ provider = NullEmbeddingProvider()
+
+ result = provider.embed(["hello", "world"])
+
+ assert result == [[], []]
+
+ def test_embed_empty_input(self) -> None:
+ provider = NullEmbeddingProvider()
+
+ result = provider.embed([])
+
+ assert result == []
+
+ def test_dimension_returns_zero(self) -> None:
+ provider = NullEmbeddingProvider()
+
+ assert provider.dimension() == 0
+
+ def test_name_returns_none(self) -> None:
+ provider = NullEmbeddingProvider()
+
+ assert provider.name == "none"
+
+ def test_is_embedding_provider_subclass(self) -> None:
+ provider = NullEmbeddingProvider()
+
+ assert isinstance(provider, EmbeddingProvider)
diff --git a/tests/unit/integrations/context/test_go_symbols.py b/tests/unit/integrations/context/test_go_symbols.py
new file mode 100644
index 0000000..2fabe29
--- /dev/null
+++ b/tests/unit/integrations/context/test_go_symbols.py
@@ -0,0 +1,531 @@
+"""Tests for Go symbol extraction improvements.
+
+Tests Go-specific features: doc comments, method receivers, visibility,
+and var_types config.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from attocode.integrations.context.ts_parser import (
+ LANGUAGE_CONFIGS,
+ _get_visibility,
+ ts_parse_file,
+)
+
+
+def _has_grammar(lang: str) -> bool:
+ """Check if tree-sitter grammar is installed."""
+ from attocode.integrations.context.ts_parser import is_available
+
+ return is_available(lang)
+
+
+# ============================================================
+# Go visibility (unit — no grammar needed)
+# ============================================================
+
+
+class TestGoVisibility:
+ """Test Go visibility detection based on capitalization."""
+
+ def test_exported_function_is_public(self) -> None:
+ assert _get_visibility("HandleRequest", "go") == "public"
+
+ def test_single_uppercase_letter(self) -> None:
+ assert _get_visibility("X", "go") == "public"
+
+ def test_unexported_function_is_private(self) -> None:
+ assert _get_visibility("handleRequest", "go") == "private"
+
+ def test_single_lowercase_letter(self) -> None:
+ assert _get_visibility("x", "go") == "private"
+
+ def test_underscore_prefix_is_private(self) -> None:
+ assert _get_visibility("_internal", "go") == "private"
+
+ def test_empty_name_is_private(self) -> None:
+ assert _get_visibility("", "go") == "private"
+
+ def test_uppercase_all_caps(self) -> None:
+ assert _get_visibility("MAX_RETRIES", "go") == "public"
+
+
+# ============================================================
+# Go config (unit — no grammar needed)
+# ============================================================
+
+
+class TestGoConfig:
+ """Test Go language config has var_types for const/var extraction."""
+
+ def test_go_config_exists(self) -> None:
+ assert "go" in LANGUAGE_CONFIGS
+
+ def test_go_config_has_var_types(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert cfg.var_types is not None
+ assert len(cfg.var_types) > 0
+
+ def test_go_var_types_includes_const(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert "const_declaration" in cfg.var_types
+
+ def test_go_var_types_includes_var(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert "var_declaration" in cfg.var_types
+
+ def test_go_function_types_include_method(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert "method_declaration" in cfg.function_types
+ assert "function_declaration" in cfg.function_types
+
+ def test_go_class_types(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert "type_declaration" in cfg.class_types
+
+ def test_go_import_types(self) -> None:
+ cfg = LANGUAGE_CONFIGS["go"]
+ assert "import_declaration" in cfg.import_types
+
+
+# ============================================================
+# Go doc comments (requires tree-sitter-go)
+# ============================================================
+
+
+@pytest.mark.skipif(not _has_grammar("go"), reason="tree-sitter-go not installed")
+class TestGoDocComments:
+ """Test Go doc comment extraction via _find_go_doc_comment."""
+
+ def test_single_line_doc_comment(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "// HandleRequest processes an HTTP request.\n"
+ "func HandleRequest() {}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ funcs = result["functions"]
+ handle = next(fn for fn in funcs if fn["name"] == "HandleRequest")
+ assert "docstring" in handle
+ assert "processes an HTTP request" in handle["docstring"]
+
+ def test_multi_line_doc_comment(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "// HandleRequest processes an incoming HTTP request\n"
+ "// and returns a response.\n"
+ "func HandleRequest() {}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ funcs = result["functions"]
+ handle = next(fn for fn in funcs if fn["name"] == "HandleRequest")
+ assert "docstring" in handle
+ assert "processes an incoming HTTP request" in handle["docstring"]
+ assert "returns a response" in handle["docstring"]
+
+ def test_function_without_doc_comment(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "func helper() {}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ funcs = result["functions"]
+ h = next(fn for fn in funcs if fn["name"] == "helper")
+ # No docstring key, or empty string
+ assert h.get("docstring", "") == ""
+
+ def test_comment_separated_by_blank_line_not_attached(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "// This is a stray comment.\n"
+ "\n"
+ "func Standalone() {}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ funcs = result["functions"]
+ fn = next(fn for fn in funcs if fn["name"] == "Standalone")
+ assert fn.get("docstring", "") == ""
+
+ def test_doc_comment_on_type_declaration(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "// Server is the main HTTP server.\n"
+ "type Server struct {\n"
+ " Port int\n"
+ "}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ classes = result["classes"]
+ server = next((c for c in classes if c["name"] == "Server"), None)
+ assert server is not None
+ assert "docstring" in server
+ assert "main HTTP server" in server["docstring"]
+
+
+# ============================================================
+# Go method receiver extraction (requires tree-sitter-go)
+# ============================================================
+
+
+@pytest.mark.skipif(not _has_grammar("go"), reason="tree-sitter-go not installed")
+class TestGoMethodReceiver:
+ """Test Go method receiver type extraction via _extract_go_receiver."""
+
+ def test_pointer_receiver(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "type Server struct {\n"
+ " Port int\n"
+ "}\n"
+ "\n"
+ "// Start launches the server.\n"
+ "func (s *Server) Start() error {\n"
+ " return nil\n"
+ "}\n"
+ )
+ result = ts_parse_file("server.go", content=code, language="go")
+ assert result is not None
+ # Method should be attached to Server class or have parent_class set
+ classes = result["classes"]
+ server_cls = next((c for c in classes if c["name"] == "Server"), None)
+ if server_cls and any(m["name"] == "Start" for m in server_cls.get("methods", [])):
+ start = next(m for m in server_cls["methods"] if m["name"] == "Start")
+ assert start["parent_class"] == "Server"
+ else:
+ # Recorded as standalone function with parent_class
+ funcs = result["functions"]
+ start = next((fn for fn in funcs if fn["name"] == "Start"), None)
+ assert start is not None
+ assert start["parent_class"] == "Server"
+
+ def test_value_receiver(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "type Config struct {\n"
+ " Name string\n"
+ "}\n"
+ "\n"
+ "func (c Config) GetName() string {\n"
+ " return c.Name\n"
+ "}\n"
+ )
+ result = ts_parse_file("config.go", content=code, language="go")
+ assert result is not None
+ found = False
+ for cls in result["classes"]:
+ if cls["name"] == "Config":
+ for m in cls.get("methods", []):
+ if m["name"] == "GetName":
+ found = True
+ assert m["parent_class"] == "Config"
+ if not found:
+ for fn in result["functions"]:
+ if fn["name"] == "GetName":
+ found = True
+ assert fn["parent_class"] == "Config"
+ assert found, "GetName method not found in classes or functions"
+
+ def test_receiver_without_struct_in_same_file(self) -> None:
+ """Method whose receiver type is not defined in the same file."""
+ code = (
+ "package handlers\n"
+ "\n"
+ "func (h *Handler) ServeHTTP() {}\n"
+ )
+ result = ts_parse_file("handlers.go", content=code, language="go")
+ assert result is not None
+ # No Handler class in this file, so method should appear in functions
+ funcs = result["functions"]
+ serve = next((fn for fn in funcs if fn["name"] == "ServeHTTP"), None)
+ assert serve is not None
+ assert serve["parent_class"] == "Handler"
+
+ def test_multiple_methods_same_receiver(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "type DB struct{}\n"
+ "\n"
+ "func (d *DB) Connect() error { return nil }\n"
+ "func (d *DB) Close() error { return nil }\n"
+ )
+ result = ts_parse_file("db.go", content=code, language="go")
+ assert result is not None
+ # Both methods should reference DB
+ all_methods = []
+ for cls in result["classes"]:
+ if cls["name"] == "DB":
+ all_methods.extend(cls.get("methods", []))
+ for fn in result["functions"]:
+ if fn.get("parent_class") == "DB":
+ all_methods.append(fn)
+ names = [m["name"] for m in all_methods]
+ assert "Connect" in names
+ assert "Close" in names
+ for m in all_methods:
+ assert m["parent_class"] == "DB"
+
+
+# ============================================================
+# Go visibility integration (requires tree-sitter-go)
+# ============================================================
+
+
+@pytest.mark.skipif(not _has_grammar("go"), reason="tree-sitter-go not installed")
+class TestGoVisibilityIntegration:
+ """Test that Go visibility is applied to parsed symbols."""
+
+ def test_exported_vs_unexported_functions(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "func PublicFunc() {}\n"
+ "func privateFunc() {}\n"
+ )
+ result = ts_parse_file("vis.go", content=code, language="go")
+ assert result is not None
+ funcs = {fn["name"]: fn for fn in result["functions"]}
+ assert funcs["PublicFunc"]["visibility"] == "public"
+ assert funcs["privateFunc"]["visibility"] == "private"
+
+ def test_exported_method_on_receiver(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "type Svc struct{}\n"
+ "\n"
+ "func (s *Svc) Run() {}\n"
+ "func (s *Svc) init() {}\n"
+ )
+ result = ts_parse_file("svc.go", content=code, language="go")
+ assert result is not None
+ # Collect all methods from classes and functions
+ all_methods = {}
+ for cls in result["classes"]:
+ for m in cls.get("methods", []):
+ all_methods[m["name"]] = m
+ for fn in result["functions"]:
+ if fn.get("parent_class"):
+ all_methods[fn["name"]] = fn
+ assert all_methods["Run"]["visibility"] == "public"
+ assert all_methods["init"]["visibility"] == "private"
+
+
+# ============================================================
+# Go const/var extraction (requires tree-sitter-go)
+# ============================================================
+
+
+@pytest.mark.skipif(not _has_grammar("go"), reason="tree-sitter-go not installed")
+class TestGoConstVar:
+ """Test Go const/var extraction via var_types config."""
+
+ def test_const_block_extracted(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "const (\n"
+ " MaxRetries = 3\n"
+ " DefaultTimeout = 30\n"
+ ")\n"
+ )
+ result = ts_parse_file("consts.go", content=code, language="go")
+ assert result is not None
+ var_names = result["top_level_vars"]
+ assert "MaxRetries" in var_names
+ assert "DefaultTimeout" in var_names
+
+ def test_single_const(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "const Version = \"1.0.0\"\n"
+ )
+ result = ts_parse_file("version.go", content=code, language="go")
+ assert result is not None
+ assert "Version" in result["top_level_vars"]
+
+ def test_var_declaration(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "var GlobalConfig = Config{}\n"
+ )
+ result = ts_parse_file("vars.go", content=code, language="go")
+ assert result is not None
+ assert "GlobalConfig" in result["top_level_vars"]
+
+ @pytest.mark.xfail(
+ reason="Parenthesized var blocks use var_spec_list wrapper; "
+ "current code only checks direct children for var_spec",
+ )
+ def test_var_block(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "var (\n"
+ " ErrNotFound = errors.New(\"not found\")\n"
+ " ErrTimeout = errors.New(\"timeout\")\n"
+ ")\n"
+ )
+ result = ts_parse_file("errors.go", content=code, language="go")
+ assert result is not None
+ var_names = result["top_level_vars"]
+ assert "ErrNotFound" in var_names
+ assert "ErrTimeout" in var_names
+
+
+# ============================================================
+# Full integration (requires tree-sitter-go)
+# ============================================================
+
+
+@pytest.mark.skipif(not _has_grammar("go"), reason="tree-sitter-go not installed")
+class TestGoFullIntegration:
+ """Integration test: parse a realistic Go file and verify all improvements."""
+
+ def test_realistic_go_file(self) -> None:
+ code = (
+ "package server\n"
+ "\n"
+ 'import "net/http"\n'
+ "\n"
+ "const DefaultPort = 8080\n"
+ "\n"
+ "// Server handles HTTP requests.\n"
+ "type Server struct {\n"
+ " Port int\n"
+ "}\n"
+ "\n"
+ "// NewServer creates a new Server with the given port.\n"
+ "func NewServer(port int) *Server {\n"
+ " return &Server{Port: port}\n"
+ "}\n"
+ "\n"
+ "// Start begins listening for requests.\n"
+ "func (s *Server) Start() error {\n"
+ " return http.ListenAndServe(\":8080\", nil)\n"
+ "}\n"
+ "\n"
+ "func (s *Server) stop() {\n"
+ " // internal cleanup\n"
+ "}\n"
+ )
+ result = ts_parse_file("server.go", content=code, language="go")
+ assert result is not None
+
+ # Language detected
+ assert result["language"] == "go"
+
+ # Imports found
+ assert len(result["imports"]) >= 1
+
+ # Const extracted
+ assert "DefaultPort" in result["top_level_vars"]
+
+ # Type declaration found
+ classes = result["classes"]
+ server_cls = next((c for c in classes if c["name"] == "Server"), None)
+ assert server_cls is not None
+ assert "docstring" in server_cls
+ assert "handles HTTP requests" in server_cls["docstring"]
+
+ # NewServer is a top-level function (constructor pattern)
+ funcs = {fn["name"]: fn for fn in result["functions"]}
+ assert "NewServer" in funcs
+ assert funcs["NewServer"]["visibility"] == "public"
+ assert "docstring" in funcs["NewServer"]
+ assert "creates a new Server" in funcs["NewServer"]["docstring"]
+
+ # Methods: Start and stop attached to Server
+ all_methods = {}
+ if server_cls:
+ for m in server_cls.get("methods", []):
+ all_methods[m["name"]] = m
+ for fn in result["functions"]:
+ if fn.get("parent_class") == "Server":
+ all_methods[fn["name"]] = fn
+
+ assert "Start" in all_methods
+ assert all_methods["Start"]["visibility"] == "public"
+ assert all_methods["Start"]["parent_class"] == "Server"
+ # Start has a doc comment
+ assert "docstring" in all_methods["Start"]
+ assert "begins listening" in all_methods["Start"]["docstring"]
+
+ assert "stop" in all_methods
+ assert all_methods["stop"]["visibility"] == "private"
+ assert all_methods["stop"]["parent_class"] == "Server"
+
+ def test_interface_methods(self) -> None:
+ code = (
+ "package main\n"
+ "\n"
+ "// Handler defines a request handler.\n"
+ "type Handler interface {\n"
+ " Handle(req Request) Response\n"
+ " Close() error\n"
+ "}\n"
+ )
+ result = ts_parse_file("iface.go", content=code, language="go")
+ assert result is not None
+ classes = result["classes"]
+ handler = next((c for c in classes if c["name"] == "Handler"), None)
+ assert handler is not None
+ method_names = [m["name"] for m in handler.get("methods", [])]
+ assert "Handle" in method_names
+ assert "Close" in method_names
+ # Doc comment on interface type
+ assert "docstring" in handler
+ assert "request handler" in handler["docstring"]
+
+ def test_return_format_keys(self) -> None:
+ """Verify the returned dict has all expected top-level keys."""
+ code = "package main\n\nfunc main() {}\n"
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ assert "functions" in result
+ assert "classes" in result
+ assert "imports" in result
+ assert "top_level_vars" in result
+ assert "line_count" in result
+ assert "language" in result
+ assert isinstance(result["functions"], list)
+ assert isinstance(result["classes"], list)
+ assert isinstance(result["imports"], list)
+ assert isinstance(result["top_level_vars"], list)
+ assert isinstance(result["line_count"], int)
+
+ def test_function_dict_fields(self) -> None:
+ """Verify function dicts have all expected fields."""
+ code = (
+ "package main\n"
+ "\n"
+ "func Hello() {}\n"
+ )
+ result = ts_parse_file("main.go", content=code, language="go")
+ assert result is not None
+ fn = result["functions"][0]
+ assert "name" in fn
+ assert "parameters" in fn
+ assert "return_type" in fn
+ assert "start_line" in fn
+ assert "end_line" in fn
+ assert "is_async" in fn
+ assert "decorators" in fn
+ assert "visibility" in fn
+ assert "parent_class" in fn
diff --git a/tests/unit/integrations/test_dataflow.py b/tests/unit/integrations/test_dataflow.py
new file mode 100644
index 0000000..5a0dcd0
--- /dev/null
+++ b/tests/unit/integrations/test_dataflow.py
@@ -0,0 +1,206 @@
+"""Tests for the intra-procedural data flow taint analysis engine.
+
+Validates that tainted data from sources (user input, request params)
+is correctly tracked through assignments to dangerous sinks.
+
+NOTE: Test strings contain intentionally vulnerable code patterns
+for DETECTOR testing. No dangerous code is executed.
+"""
+
+from __future__ import annotations
+
+from attocode.integrations.security.dataflow import (
+ DataFlowFinding,
+ DataFlowReport,
+ _extract_function_bodies,
+ _extract_variables_from_expr,
+ analyze_file,
+ format_report,
+)
+
+
+class TestExtractVariables:
+ def test_fstring_variable(self):
+ result = _extract_variables_from_expr('f"SELECT * FROM {table}"')
+ assert "table" in result
+
+ def test_format_variable(self):
+ result = _extract_variables_from_expr('"SELECT * FROM {}".format(table)')
+ assert "table" in result
+
+ def test_concat_variable(self):
+ result = _extract_variables_from_expr('"SELECT * FROM " + table')
+ assert "table" in result
+
+ def test_template_literal(self):
+ result = _extract_variables_from_expr('`SELECT * FROM ${table}`')
+ assert "table" in result
+
+ def test_filters_keywords(self):
+ result = _extract_variables_from_expr("if True and x")
+ assert "True" not in result
+ assert "x" in result
+
+ def test_simple_identifier(self):
+ result = _extract_variables_from_expr("user_input")
+ assert "user_input" in result
+
+
+class TestFunctionExtraction:
+ def test_python_functions(self):
+ code = "def hello():\n pass\n\ndef world():\n pass\n"
+ funcs = _extract_function_bodies(code, "python")
+ assert len(funcs) == 2
+ assert funcs[0][0] == "hello"
+ assert funcs[1][0] == "world"
+
+ def test_python_methods(self):
+ code = "class Foo:\n def bar(self):\n pass\n def baz(self):\n pass\n"
+ funcs = _extract_function_bodies(code, "python")
+ assert len(funcs) == 2
+ names = {f[0] for f in funcs}
+ assert names == {"bar", "baz"}
+
+ def test_js_function_keyword(self):
+ code = "function hello() {\n return 1;\n}\n"
+ funcs = _extract_function_bodies(code, "javascript")
+ assert len(funcs) >= 1
+ assert funcs[0][0] == "hello"
+
+ def test_js_arrow_function(self):
+ code = "const handler = (req, res) => {\n return 1;\n};\n"
+ funcs = _extract_function_bodies(code, "javascript")
+ assert len(funcs) >= 1
+ assert funcs[0][0] == "handler"
+
+
+class TestPythonTaint:
+ """Test Python source-to-sink taint tracking.
+
+ Each test writes a code snippet to a temp file and runs analyze_file.
+ The snippets are DETECTOR test cases with intentionally vulnerable patterns.
+ """
+
+ def test_sqli_fstring(self, tmp_path):
+ code = (
+ "def get_user(uid):\n"
+ " data = request.args.get('id')\n"
+ " query = f'SELECT * FROM users WHERE id = {data}'\n"
+ " cursor.execute(query)\n"
+ )
+ (tmp_path / "v.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "v.py"), "python")
+ assert any(f.cwe == "CWE-89" for f in findings)
+
+ def test_cmdi(self, tmp_path):
+ # Detector test: request data flowing to shell command
+ code = (
+ "def run():\n"
+ " cmd = request.form.get('c')\n"
+ " subprocess.call(cmd)\n"
+ )
+ (tmp_path / "c.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "c.py"), "python")
+ assert any(f.cwe == "CWE-78" for f in findings)
+
+ def test_path_traversal(self, tmp_path):
+ code = (
+ "def dl():\n"
+ " fname = request.args.get('f')\n"
+ " open(fname)\n"
+ )
+ (tmp_path / "p.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "p.py"), "python")
+ assert any(f.cwe == "CWE-22" for f in findings)
+
+ def test_safe_parameterized(self, tmp_path):
+ code = (
+ "def safe(uid):\n"
+ " cursor.execute('SELECT * FROM u WHERE id = ?', (uid,))\n"
+ )
+ (tmp_path / "s.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "s.py"), "python")
+ assert not any(f.cwe == "CWE-89" for f in findings)
+
+ def test_taint_propagation(self, tmp_path):
+ code = (
+ "def indirect():\n"
+ " raw = request.args.get('q')\n"
+ " cleaned = raw.strip()\n"
+ " q = 'SELECT * FROM t WHERE x = ' + cleaned\n"
+ " cursor.execute(q)\n"
+ )
+ (tmp_path / "t.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "t.py"), "python")
+ assert len(findings) >= 1
+
+ def test_safe_hardcoded(self, tmp_path):
+ code = (
+ "def safe():\n"
+ " name = 'hardcoded'\n"
+ " cursor.execute('SELECT * FROM u WHERE n = ?', (name,))\n"
+ )
+ (tmp_path / "s2.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "s2.py"), "python")
+ assert len(findings) == 0
+
+ def test_ssrf(self, tmp_path):
+ code = (
+ "def fetch():\n"
+ " url = request.args.get('url')\n"
+ " requests.get(url)\n"
+ )
+ (tmp_path / "ssrf.py").write_text(code)
+ findings = analyze_file(str(tmp_path / "ssrf.py"), "python")
+ assert any(f.cwe == "CWE-918" for f in findings)
+
+
+class TestJavaScriptTaint:
+ def test_sqli(self, tmp_path):
+ code = (
+ "function getUser(req, res) {\n"
+ " const uid = req.params.id;\n"
+ ' const q = "SELECT * FROM u WHERE id = " + uid;\n'
+ " db.query(q);\n"
+ "}\n"
+ )
+ (tmp_path / "v.js").write_text(code)
+ findings = analyze_file(str(tmp_path / "v.js"), "javascript")
+ assert any(f.cwe == "CWE-89" for f in findings)
+
+ def test_safe_no_findings(self, tmp_path):
+ code = (
+ "function safe() {\n"
+ ' const name = "hardcoded";\n'
+ " console.log(name);\n"
+ "}\n"
+ )
+ (tmp_path / "s.js").write_text(code)
+ findings = analyze_file(str(tmp_path / "s.js"), "javascript")
+ assert len(findings) == 0
+
+
+class TestFormatReport:
+ def test_empty_report(self):
+ report = DataFlowReport(findings=[], functions_analyzed=0, files_analyzed=5)
+ text = format_report(report)
+ assert "No data flow vulnerabilities detected" in text
+
+ def test_report_with_findings(self):
+ finding = DataFlowFinding(
+ file_path="app.py", function_name="handler",
+ source_line=5, source_desc="request_param",
+ sink_line=8, sink_desc="sql_execute",
+ tainted_var="query", cwe="CWE-89",
+ message="SQL injection: tainted data reaches SQL execution",
+ )
+ report = DataFlowReport(findings=[finding], functions_analyzed=1, files_analyzed=1)
+ text = format_report(report)
+ assert "SQL Injection" in text
+ assert "CWE-89" in text
+ assert "app.py:8" in text
+
+ def test_unsupported_language(self, tmp_path):
+ (tmp_path / "main.go").write_text("package main\nfunc main() {}\n")
+ findings = analyze_file(str(tmp_path / "main.go"), "go")
+ assert findings == []
diff --git a/tests/unit/integrations/test_new_security_rules.py b/tests/unit/integrations/test_new_security_rules.py
new file mode 100644
index 0000000..ac4b5cb
--- /dev/null
+++ b/tests/unit/integrations/test_new_security_rules.py
@@ -0,0 +1,789 @@
+"""Tests for the 30 new OWASP Top 10 security anti-pattern rules.
+
+Validates that each new rule correctly matches dangerous code patterns
+while avoiding false positives on safe code.
+"""
+
+from __future__ import annotations
+
+from attocode.integrations.security.matcher import iter_pattern_matches
+from attocode.integrations.security.patterns import ANTI_PATTERNS
+
+
+def _get_pattern(name: str):
+ """Get a pattern by name from ANTI_PATTERNS."""
+ return next(p for p in ANTI_PATTERNS if p.name == name)
+
+
+# -------------------------------------------------------------------------
+# Python OWASP rules
+# -------------------------------------------------------------------------
+
+
+class TestPythonOWASPRules:
+ """Test Python-specific OWASP Top 10 anti-pattern rules."""
+
+ # --- python_sql_format_string ---
+
+ def test_python_sql_format_string_matches_percent_s(self):
+ pat = _get_pattern("python_sql_format_string")
+ code = '''cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_sql_format_string_matches_percent_d(self):
+ pat = _get_pattern("python_sql_format_string")
+ code = '''cursor.execute("DELETE FROM orders WHERE order_id = %d" % oid)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_sql_format_string_safe_parameterized(self):
+ pat = _get_pattern("python_sql_format_string")
+ code = '''cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_sql_concat ---
+
+ def test_python_sql_concat_matches(self):
+ pat = _get_pattern("python_sql_concat")
+ code = '''cursor.execute("SELECT * FROM users WHERE id = " + user_id)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_sql_concat_safe_parameterized(self):
+ pat = _get_pattern("python_sql_concat")
+ code = '''cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_marshal_loads ---
+
+ def test_python_marshal_loads_matches_loads(self):
+ pat = _get_pattern("python_marshal_loads")
+ code = '''data = marshal.loads(raw_bytes)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_marshal_loads_matches_load(self):
+ pat = _get_pattern("python_marshal_loads")
+ code = '''obj = marshal.load(f)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_marshal_loads_safe_json(self):
+ pat = _get_pattern("python_marshal_loads")
+ code = '''data = json.loads(raw_bytes)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_debug_true ---
+
+ def test_python_debug_true_matches(self):
+ pat = _get_pattern("python_debug_true")
+ code = '''DEBUG = True'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_debug_true_safe_false(self):
+ pat = _get_pattern("python_debug_true")
+ code = '''DEBUG = False'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ def test_python_debug_true_safe_env(self):
+ pat = _get_pattern("python_debug_true")
+ code = '''DEBUG = os.environ.get("DEBUG", "false")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_assert_security ---
+
+ def test_python_assert_security_matches(self):
+ pat = _get_pattern("python_assert_security")
+ code = '''assert user.is_authenticated'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_assert_security_safe_in_test(self):
+ pat = _get_pattern("python_assert_security")
+ code = '''assert result == expected # test assertion'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ def test_python_assert_security_safe_in_spec(self):
+ pat = _get_pattern("python_assert_security")
+ code = '''assert value > 0 # spec check'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_os_system ---
+
+ def test_python_os_system_matches(self):
+ pat = _get_pattern("python_os_system")
+ code = '''os.system("rm -rf " + user_input)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_os_system_safe_subprocess(self):
+ pat = _get_pattern("python_os_system")
+ code = '''subprocess.run(["rm", "-rf", path], check=True)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_popen ---
+
+ def test_python_popen_matches(self):
+ pat = _get_pattern("python_popen")
+ code = '''f = os.popen("ls " + directory)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_popen_safe_subprocess(self):
+ pat = _get_pattern("python_popen")
+ code = '''result = subprocess.run(["ls", directory], capture_output=True)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_ssrf_request ---
+
+ def test_python_ssrf_request_fstring(self):
+ pat = _get_pattern("python_ssrf_request")
+ code = '''requests.get(f"http://api.example.com/{user_input}")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_ssrf_request_concat(self):
+ pat = _get_pattern("python_ssrf_request")
+ # The regex detects concat when the variable comes before string parts
+ code = '''requests.post(base_url + "/endpoint")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_ssrf_request_format(self):
+ pat = _get_pattern("python_ssrf_request")
+ code = '''requests.get("http://api.example.com/{}".format(user_input))'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_ssrf_request_safe_static(self):
+ pat = _get_pattern("python_ssrf_request")
+ code = '''requests.get("http://api.example.com/users")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_path_traversal ---
+
+ def test_python_path_traversal_matches_request(self):
+ pat = _get_pattern("python_path_traversal")
+ code = '''f = open(os.path.join(base_dir, request.args["file"]))'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_path_traversal_matches_params(self):
+ pat = _get_pattern("python_path_traversal")
+ code = '''f = open(params["filename"])'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_path_traversal_safe_static(self):
+ pat = _get_pattern("python_path_traversal")
+ code = '''f = open("config.json")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_weak_random ---
+
+ def test_python_weak_random_matches_random(self):
+ pat = _get_pattern("python_weak_random")
+ code = '''token = random.random()'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_weak_random_matches_randint(self):
+ pat = _get_pattern("python_weak_random")
+ code = '''otp = random.randint(100000, 999999)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_weak_random_matches_choice(self):
+ pat = _get_pattern("python_weak_random")
+ code = '''char = random.choice(alphabet)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_weak_random_safe_secrets(self):
+ pat = _get_pattern("python_weak_random")
+ code = '''token = secrets.token_hex(32)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_cors_wildcard ---
+
+ def test_python_cors_wildcard_matches(self):
+ pat = _get_pattern("python_cors_wildcard")
+ code = '''CORS(app, origins="*")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_cors_wildcard_matches_config(self):
+ pat = _get_pattern("python_cors_wildcard")
+ code = '''cors_origins = "*"'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_python_cors_wildcard_safe_specific(self):
+ pat = _get_pattern("python_cors_wildcard")
+ code = '''ALLOWED_ORIGINS = ["https://example.com"]'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- hardcoded_ip_address ---
+
+ def test_hardcoded_ip_address_matches(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = '''server = "192.168.1.100"'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_ip_address_matches_single_quotes(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = """host = '10.0.0.1'"""
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_ip_address_safe_variable(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = '''server = os.environ["SERVER_IP"]'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+
+# -------------------------------------------------------------------------
+# JavaScript / TypeScript OWASP rules
+# -------------------------------------------------------------------------
+
+
+class TestJavaScriptOWASPRules:
+ """Test JavaScript/TypeScript-specific OWASP Top 10 anti-pattern rules."""
+
+ # --- js_no_escape_html ---
+
+ def test_js_no_escape_html_matches_variable(self):
+ pat = _get_pattern("js_no_escape_html")
+ code = '''$('#content').html(userInput)'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_no_escape_html_safe_static_string(self):
+ pat = _get_pattern("js_no_escape_html")
+ code = '''$('#content').html('Hello')'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ def test_js_no_escape_html_safe_text(self):
+ pat = _get_pattern("js_no_escape_html")
+ code = '''$('#content').text(userInput)'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_url_redirect ---
+
+ def test_js_url_redirect_matches_window_location(self):
+ pat = _get_pattern("js_url_redirect")
+ code = '''window.location = userInput;'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_url_redirect_matches_location_href(self):
+ pat = _get_pattern("js_url_redirect")
+ code = '''location.href = params.redirect;'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_url_redirect_safe_no_assignment(self):
+ pat = _get_pattern("js_url_redirect")
+ # Safe: reading location, not assigning to it
+ code = '''const url = window.location.href;'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_postmessage_wildcard ---
+
+ def test_js_postmessage_wildcard_matches(self):
+ pat = _get_pattern("js_postmessage_wildcard")
+ code = '''iframe.contentWindow.postMessage(data, "*")'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_postmessage_wildcard_matches_single_quotes(self):
+ pat = _get_pattern("js_postmessage_wildcard")
+ code = """window.postMessage(data, '*')"""
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_postmessage_wildcard_safe_specific_origin(self):
+ pat = _get_pattern("js_postmessage_wildcard")
+ code = '''iframe.contentWindow.postMessage(data, "https://example.com")'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_unsafe_regex ---
+
+ def test_js_unsafe_regex_matches_variable(self):
+ pat = _get_pattern("js_unsafe_regex")
+ code = '''const re = new RegExp(userInput);'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_unsafe_regex_safe_string_literal(self):
+ pat = _get_pattern("js_unsafe_regex")
+ code = '''const re = new RegExp("^[a-z]+$");'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_prototype_pollution ---
+
+ def test_js_prototype_pollution_matches_proto(self):
+ pat = _get_pattern("js_prototype_pollution")
+ code = '''obj.__proto__["isAdmin"] = true;'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_prototype_pollution_matches_constructor_prototype(self):
+ pat = _get_pattern("js_prototype_pollution")
+ code = '''obj.constructor.prototype["admin"] = true;'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_prototype_pollution_safe_object_create(self):
+ pat = _get_pattern("js_prototype_pollution")
+ code = '''const safe = Object.create(null);'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_child_process_exec ---
+
+ def test_js_child_process_exec_matches_variable(self):
+ pat = _get_pattern("js_child_process_exec")
+ # The pattern matches exec( followed by a non-quote character
+ code = '''exec(userCommand, callback);'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_child_process_exec_safe_string_literal(self):
+ pat = _get_pattern("js_child_process_exec")
+ code = '''exec("ls -la", callback);'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- js_nosql_injection ---
+
+ def test_js_nosql_injection_matches_gt(self):
+ pat = _get_pattern("js_nosql_injection")
+ code = '''db.users.find({ age: { $gt: userAge } });'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_nosql_injection_matches_where(self):
+ pat = _get_pattern("js_nosql_injection")
+ code = '''db.users.find({ $where: userFunc });'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_nosql_injection_matches_ne(self):
+ pat = _get_pattern("js_nosql_injection")
+ code = '''db.users.find({ password: { $ne: "" } });'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_js_nosql_injection_safe_plain_query(self):
+ pat = _get_pattern("js_nosql_injection")
+ code = '''db.users.find({ name: "Alice" });'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) == 0
+
+ # --- Language filtering ---
+
+ def test_js_rules_do_not_match_python(self):
+ pat = _get_pattern("js_url_redirect")
+ code = '''window.location = userInput;'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ def test_js_rules_match_typescript(self):
+ pat = _get_pattern("js_prototype_pollution")
+ code = '''obj.__proto__["isAdmin"] = true;'''
+ matches = list(iter_pattern_matches(code, [pat], "typescript"))
+ assert len(matches) >= 1
+
+
+# -------------------------------------------------------------------------
+# Go OWASP rules
+# -------------------------------------------------------------------------
+
+
+class TestGoOWASPRules:
+ """Test Go-specific OWASP Top 10 anti-pattern rules."""
+
+ # --- go_sql_sprintf ---
+
+ def test_go_sql_sprintf_matches_select(self):
+ pat = _get_pattern("go_sql_sprintf")
+ code = '''query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", id)'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_go_sql_sprintf_matches_delete(self):
+ pat = _get_pattern("go_sql_sprintf")
+ code = '''q := fmt.Sprintf("DELETE FROM sessions WHERE user_id = %d", uid)'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_go_sql_sprintf_safe_parameterized(self):
+ pat = _get_pattern("go_sql_sprintf")
+ code = '''rows, err := db.Query("SELECT * FROM users WHERE id = $1", id)'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) == 0
+
+ def test_go_sql_sprintf_safe_non_sql_sprintf(self):
+ pat = _get_pattern("go_sql_sprintf")
+ code = '''msg := fmt.Sprintf("Hello, %s!", name)'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) == 0
+
+ # --- go_unhandled_error ---
+
+ def test_go_unhandled_error_matches(self):
+ pat = _get_pattern("go_unhandled_error")
+ code = '''_ = db.Close()'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_go_unhandled_error_matches_second_return(self):
+ pat = _get_pattern("go_unhandled_error")
+ code = '''result, _ = db.Query("SELECT 1")'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_go_unhandled_error_safe_handled(self):
+ pat = _get_pattern("go_unhandled_error")
+ code = '''err := db.Close()'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) == 0
+
+ # --- go_tls_insecure ---
+
+ def test_go_tls_insecure_matches(self):
+ pat = _get_pattern("go_tls_insecure")
+ code = '''tls.Config{InsecureSkipVerify: true}'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_go_tls_insecure_safe_false(self):
+ pat = _get_pattern("go_tls_insecure")
+ code = '''tls.Config{InsecureSkipVerify: false}'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) == 0
+
+ def test_go_tls_insecure_safe_default(self):
+ pat = _get_pattern("go_tls_insecure")
+ code = '''tls.Config{}'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) == 0
+
+ # --- Language filtering ---
+
+ def test_go_rules_do_not_match_python(self):
+ pat = _get_pattern("go_sql_sprintf")
+ code = '''query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", id)'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+
+# -------------------------------------------------------------------------
+# Java / Kotlin OWASP rules
+# -------------------------------------------------------------------------
+
+
+class TestJavaOWASPRules:
+ """Test Java/Kotlin-specific OWASP Top 10 anti-pattern rules."""
+
+ # --- java_sql_concat ---
+
+ def test_java_sql_concat_matches(self):
+ pat = _get_pattern("java_sql_concat")
+ code = '''Statement stmt = conn.createStatement(); stmt.executeQuery(query);'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_sql_concat_safe_parameterized(self):
+ pat = _get_pattern("java_sql_concat")
+ code = '''PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) == 0
+
+ # --- java_xxe ---
+
+ def test_java_xxe_matches_document_builder(self):
+ pat = _get_pattern("java_xxe")
+ code = '''DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_xxe_matches_sax_parser(self):
+ pat = _get_pattern("java_xxe")
+ code = '''SAXParserFactory spf = SAXParserFactory.newInstance();'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_xxe_matches_xml_input_factory(self):
+ pat = _get_pattern("java_xxe")
+ code = '''XMLInputFactory xif = XMLInputFactory.newInstance();'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_xxe_safe_json_parser(self):
+ pat = _get_pattern("java_xxe")
+ code = '''JsonParser parser = new JsonParser();'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) == 0
+
+ # --- java_deserialization ---
+
+ def test_java_deserialization_matches(self):
+ pat = _get_pattern("java_deserialization")
+ code = '''ObjectInputStream ois = new ObjectInputStream(inputStream);'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_deserialization_safe_json(self):
+ pat = _get_pattern("java_deserialization")
+ code = '''ObjectMapper mapper = new ObjectMapper();'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) == 0
+
+ # --- java_weak_crypto ---
+
+ def test_java_weak_crypto_matches_des(self):
+ pat = _get_pattern("java_weak_crypto")
+ code = '''Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_weak_crypto_matches_rc4(self):
+ pat = _get_pattern("java_weak_crypto")
+ code = '''Cipher cipher = Cipher.getInstance("RC4");'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_weak_crypto_matches_blowfish(self):
+ pat = _get_pattern("java_weak_crypto")
+ code = '''Cipher cipher = Cipher.getInstance("Blowfish");'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) >= 1
+
+ def test_java_weak_crypto_safe_aes(self):
+ pat = _get_pattern("java_weak_crypto")
+ code = '''Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");'''
+ matches = list(iter_pattern_matches(code, [pat], "java"))
+ assert len(matches) == 0
+
+ # --- Language filtering ---
+
+ def test_java_rules_match_kotlin(self):
+ pat = _get_pattern("java_deserialization")
+ code = '''val ois = ObjectInputStream(inputStream)'''
+ matches = list(iter_pattern_matches(code, [pat], "kotlin"))
+ assert len(matches) >= 1
+
+ def test_java_rules_do_not_match_python(self):
+ pat = _get_pattern("java_xxe")
+ code = '''DocumentBuilderFactory.newInstance()'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+
+# -------------------------------------------------------------------------
+# Ruby OWASP rules
+# -------------------------------------------------------------------------
+
+
+class TestRubyOWASPRules:
+ """Test Ruby-specific OWASP Top 10 anti-pattern rules."""
+
+ # --- ruby_system_call ---
+
+ def test_ruby_system_call_matches_system(self):
+ pat = _get_pattern("ruby_system_call")
+ code = '''system(user_input)'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_system_call_matches_exec(self):
+ pat = _get_pattern("ruby_system_call")
+ # exec with a variable (non-quoted) argument
+ code = '''exec(cmd)'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_system_call_matches_spawn(self):
+ pat = _get_pattern("ruby_system_call")
+ code = '''spawn(command)'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_system_call_matches_io_popen(self):
+ pat = _get_pattern("ruby_system_call")
+ code = '''IO.popen(cmd)'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_system_call_safe_no_call(self):
+ pat = _get_pattern("ruby_system_call")
+ # Safe: not a system/exec/spawn/IO.popen call
+ code = '''result = run_command(args)'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) == 0
+
+ # --- ruby_send_dynamic ---
+
+ def test_ruby_send_dynamic_matches_params(self):
+ pat = _get_pattern("ruby_send_dynamic")
+ code = '''obj.send(params[:method])'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_send_dynamic_matches_request(self):
+ pat = _get_pattern("ruby_send_dynamic")
+ code = '''user.send(request.params["action"])'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) >= 1
+
+ def test_ruby_send_dynamic_safe_static(self):
+ pat = _get_pattern("ruby_send_dynamic")
+ code = '''obj.send("valid_method")'''
+ matches = list(iter_pattern_matches(code, [pat], "ruby"))
+ assert len(matches) == 0
+
+ # --- Language filtering ---
+
+ def test_ruby_rules_do_not_match_python(self):
+ pat = _get_pattern("ruby_send_dynamic")
+ code = '''obj.send(params[:method])'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+
+# -------------------------------------------------------------------------
+# Multi-language rules
+# -------------------------------------------------------------------------
+
+
+class TestMultiLanguageRules:
+ """Test multi-language / language-agnostic anti-pattern rules."""
+
+ # --- hardcoded_ip_address (cross-language) ---
+
+ def test_hardcoded_ip_address_matches_in_javascript(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = '''const host = "192.168.0.1";'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_ip_address_matches_in_go(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = '''host := "10.0.0.5"'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_ip_address_no_match_without_quotes(self):
+ pat = _get_pattern("hardcoded_ip_address")
+ code = '''version = 1.2.3.4'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- python_cors_wildcard (cross-language since languages=[]) ---
+
+ def test_cors_wildcard_matches_in_javascript(self):
+ pat = _get_pattern("python_cors_wildcard")
+ code = '''app.use(cors({ origin: "*" }));'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_cors_wildcard_matches_in_go(self):
+ pat = _get_pattern("python_cors_wildcard")
+ code = '''cors.AllowAll("*")'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ # --- hardcoded_localhost ---
+
+ def test_hardcoded_localhost_matches_localhost(self):
+ pat = _get_pattern("hardcoded_localhost")
+ code = '''server = "localhost:8080"'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_localhost_matches_127(self):
+ pat = _get_pattern("hardcoded_localhost")
+ code = '''const url = "127.0.0.1:3000";'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_localhost_matches_0000(self):
+ pat = _get_pattern("hardcoded_localhost")
+ code = '''bind := "0.0.0.0:8443"'''
+ matches = list(iter_pattern_matches(code, [pat], "go"))
+ assert len(matches) >= 1
+
+ def test_hardcoded_localhost_safe_env_var(self):
+ pat = _get_pattern("hardcoded_localhost")
+ code = '''server = os.environ.get("HOST", "")'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ def test_hardcoded_localhost_safe_no_port(self):
+ pat = _get_pattern("hardcoded_localhost")
+ code = '''host = "localhost"'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ # --- todo_fixme_security ---
+
+ def test_todo_fixme_security_matches_hash_comment(self):
+ pat = _get_pattern("todo_fixme_security")
+ # scan_comments=True so comment lines are scanned
+ code = '''# TODO fix security vulnerability here'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_todo_fixme_security_matches_slash_comment(self):
+ pat = _get_pattern("todo_fixme_security")
+ code = '''// FIXME: password hashing is insecure'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_todo_fixme_security_matches_hack_token(self):
+ pat = _get_pattern("todo_fixme_security")
+ code = '''# HACK: token validation bypassed for now'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) >= 1
+
+ def test_todo_fixme_security_matches_xxx_auth(self):
+ pat = _get_pattern("todo_fixme_security")
+ code = '''// XXX auth check missing'''
+ matches = list(iter_pattern_matches(code, [pat], "javascript"))
+ assert len(matches) >= 1
+
+ def test_todo_fixme_security_safe_non_security_todo(self):
+ pat = _get_pattern("todo_fixme_security")
+ code = '''# TODO refactor this function for readability'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
+
+ def test_todo_fixme_security_safe_regular_comment(self):
+ pat = _get_pattern("todo_fixme_security")
+ code = '''# This function handles user authentication'''
+ matches = list(iter_pattern_matches(code, [pat], "python"))
+ assert len(matches) == 0
diff --git a/tests/unit/integrations/test_security_autofix.py b/tests/unit/integrations/test_security_autofix.py
new file mode 100644
index 0000000..18ca01f
--- /dev/null
+++ b/tests/unit/integrations/test_security_autofix.py
@@ -0,0 +1,398 @@
+"""Tests for security scanner autofix diff generation.
+
+When a scanned file triggers a pattern that has a corresponding entry in
+``_AUTOFIX_TEMPLATES``, the scanner should populate ``SecurityFinding.fix_diff``
+with a unified-diff snippet showing the mechanical fix. Patterns without a
+template must leave ``fix_diff`` empty. ``format_report()`` must render the
+diff under an "Autofix:" heading when present, and omit it otherwise.
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+from attocode.integrations.security.scanner import (
+ SecurityFinding,
+ SecurityScanner,
+ _AUTOFIX_TEMPLATES,
+)
+from attocode.integrations.security.patterns import Category, Severity
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+_VULNERABLE_SNIPPETS: dict[str, tuple[str, str, str]] = {
+ # pattern_name -> (filename, vulnerable_code, expected_replacement_fragment)
+ "python_yaml_unsafe": (
+ "loader.py",
+ "data = yaml.load(open('cfg.yml'))\n",
+ "yaml.safe_load(",
+ ),
+ "python_shell_true": (
+ "runner.py",
+ "subprocess.run(cmd, shell=True)\n",
+ "shell=False",
+ ),
+ "python_tempfile_insecure": (
+ "tmp.py",
+ "path = tempfile.mktemp()\n",
+ "tempfile.mkstemp(",
+ ),
+ "python_verify_false": (
+ "client.py",
+ "resp = requests.get(url, verify=False)\n",
+ "verify=True",
+ ),
+}
+
+# A pattern that exists in ANTI_PATTERNS but has NO autofix template.
+# Note: these strings are test fixtures for the security scanner detector,
+# NOT actual code execution — they are written to temp files and scanned.
+_NO_TEMPLATE_SNIPPET = (
+ "danger.py",
+ "result = eval(user_input)\n", # noqa: S307 — triggers python_dynamic_eval
+)
+
+
+# ---------------------------------------------------------------------------
+# TestAutofixTemplates
+# ---------------------------------------------------------------------------
+
+
+class TestAutofixTemplates:
+ """Tests for _AUTOFIX_TEMPLATES definitions."""
+
+ def test_templates_dict_is_non_empty(self) -> None:
+ assert len(_AUTOFIX_TEMPLATES) > 0
+
+ @pytest.mark.parametrize("name", list(_AUTOFIX_TEMPLATES))
+ def test_template_values_are_search_replace_tuples(self, name: str) -> None:
+ entry = _AUTOFIX_TEMPLATES[name]
+ assert isinstance(entry, tuple)
+ assert len(entry) == 2
+ search, replace = entry
+ assert isinstance(search, str) and len(search) > 0
+ assert isinstance(replace, str) and len(replace) > 0
+
+ @pytest.mark.parametrize("name", list(_AUTOFIX_TEMPLATES))
+ def test_search_and_replace_differ(self, name: str) -> None:
+ search, replace = _AUTOFIX_TEMPLATES[name]
+ assert search != replace
+
+ def test_expected_templates_present(self) -> None:
+ expected = {
+ "python_yaml_unsafe",
+ "python_shell_true",
+ "python_tempfile_insecure",
+ "python_verify_false",
+ }
+ assert expected.issubset(_AUTOFIX_TEMPLATES.keys())
+
+
+# ---------------------------------------------------------------------------
+# TestSecurityFindingDefaults
+# ---------------------------------------------------------------------------
+
+
+class TestSecurityFindingDefaults:
+ """Tests that SecurityFinding.fix_diff exists and defaults correctly."""
+
+ def test_fix_diff_defaults_to_empty_string(self) -> None:
+ finding = SecurityFinding(
+ severity=Severity.HIGH,
+ category=Category.ANTI_PATTERN,
+ file_path="x.py",
+ line=1,
+ message="msg",
+ recommendation="rec",
+ )
+ assert finding.fix_diff == ""
+
+ def test_fix_diff_can_be_set(self) -> None:
+ finding = SecurityFinding(
+ severity=Severity.HIGH,
+ category=Category.ANTI_PATTERN,
+ file_path="x.py",
+ line=1,
+ message="msg",
+ recommendation="rec",
+ fix_diff="--- a/x.py\n+++ b/x.py\n",
+ )
+ assert finding.fix_diff.startswith("---")
+
+
+# ---------------------------------------------------------------------------
+# TestFixDiffGeneration
+# ---------------------------------------------------------------------------
+
+
+class TestFixDiffGeneration:
+ """Tests for fix_diff population in _scan_content via scan()."""
+
+ @pytest.mark.parametrize(
+ "pattern_name",
+ list(_VULNERABLE_SNIPPETS),
+ )
+ def test_fix_diff_populated_for_template_pattern(
+ self, tmp_path: Path, pattern_name: str,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS[pattern_name]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == pattern_name
+ ]
+ assert len(matching) >= 1, (
+ f"Expected at least one finding for {pattern_name}"
+ )
+ finding = matching[0]
+ assert finding.fix_diff != "", (
+ f"fix_diff should be populated for {pattern_name}"
+ )
+
+ @pytest.mark.parametrize(
+ "pattern_name",
+ list(_VULNERABLE_SNIPPETS),
+ )
+ def test_fix_diff_is_unified_diff_format(
+ self, tmp_path: Path, pattern_name: str,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS[pattern_name]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == pattern_name
+ ]
+ finding = matching[0]
+ lines = finding.fix_diff.splitlines()
+ assert lines[0].startswith("--- a/")
+ assert lines[1].startswith("+++ b/")
+ assert lines[2].startswith("@@")
+
+ @pytest.mark.parametrize(
+ "pattern_name",
+ list(_VULNERABLE_SNIPPETS),
+ )
+ def test_fix_diff_contains_corrected_replacement(
+ self, tmp_path: Path, pattern_name: str,
+ ) -> None:
+ filename, code, replacement_fragment = _VULNERABLE_SNIPPETS[pattern_name]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == pattern_name
+ ]
+ finding = matching[0]
+ # The '+' line in the diff must contain the replacement text
+ plus_lines = [
+ l for l in finding.fix_diff.splitlines()
+ if l.startswith("+") and not l.startswith("+++")
+ ]
+ assert any(replacement_fragment in l for l in plus_lines), (
+ f"Expected '{replacement_fragment}' in a '+' line of the diff"
+ )
+
+ @pytest.mark.parametrize(
+ "pattern_name",
+ list(_VULNERABLE_SNIPPETS),
+ )
+ def test_fix_diff_contains_original_line_as_removal(
+ self, tmp_path: Path, pattern_name: str,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS[pattern_name]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == pattern_name
+ ]
+ finding = matching[0]
+ minus_lines = [
+ l for l in finding.fix_diff.splitlines()
+ if l.startswith("-") and not l.startswith("---")
+ ]
+ assert len(minus_lines) == 1, "Expected exactly one removal line"
+ # The removal line should contain the original search string
+ search_str = _AUTOFIX_TEMPLATES[pattern_name][0]
+ assert search_str in minus_lines[0]
+
+ def test_no_fix_diff_for_pattern_without_template(
+ self, tmp_path: Path,
+ ) -> None:
+ filename, code = _NO_TEMPLATE_SNIPPET
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ eval_findings = [
+ f for f in report.findings if f.pattern_name == "python_dynamic_eval"
+ ]
+ assert len(eval_findings) >= 1, (
+ "Expected at least one finding for python_dynamic_eval"
+ )
+ for finding in eval_findings:
+ assert finding.fix_diff == "", (
+ "fix_diff must be empty for patterns without an autofix template"
+ )
+
+ def test_fix_diff_file_paths_match_finding(
+ self, tmp_path: Path,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS["python_yaml_unsafe"]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == "python_yaml_unsafe"
+ ]
+ finding = matching[0]
+ diff_lines = finding.fix_diff.splitlines()
+ # --- a/ and +++ b/ should reference the finding's file_path
+ assert finding.file_path in diff_lines[0]
+ assert finding.file_path in diff_lines[1]
+
+ def test_fix_diff_hunk_header_contains_correct_line_number(
+ self, tmp_path: Path,
+ ) -> None:
+ # Put the vulnerable line on line 3 by adding two blank lines before it
+ code = "\n\ndata = yaml.load(open('cfg.yml'))\n"
+ (tmp_path / "deep.py").write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ matching = [
+ f for f in report.findings if f.pattern_name == "python_yaml_unsafe"
+ ]
+ finding = matching[0]
+ assert finding.line == 3
+ hunk_line = finding.fix_diff.splitlines()[2]
+ assert "@@ -3,1 +3,1 @@" in hunk_line
+
+ def test_mixed_file_some_with_some_without_template(
+ self, tmp_path: Path,
+ ) -> None:
+ """A single file triggering both template and non-template patterns."""
+ # "result = eval(...)" triggers python_dynamic_eval (no template)
+ # "yaml.load(...)" triggers python_yaml_unsafe (has template)
+ code = (
+ "result = eval(user_input)\n" # noqa: S307 — test fixture
+ "data = yaml.load(open('f'))\n"
+ )
+ (tmp_path / "mixed.py").write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ eval_findings = [
+ f for f in report.findings if f.pattern_name == "python_dynamic_eval"
+ ]
+ yaml_findings = [
+ f for f in report.findings if f.pattern_name == "python_yaml_unsafe"
+ ]
+ assert eval_findings and eval_findings[0].fix_diff == ""
+ assert yaml_findings and yaml_findings[0].fix_diff != ""
+
+
+# ---------------------------------------------------------------------------
+# TestFormatReportAutofix
+# ---------------------------------------------------------------------------
+
+
+class TestFormatReportAutofix:
+ """Tests for autofix display in format_report."""
+
+ def test_format_report_includes_autofix_section(
+ self, tmp_path: Path,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS["python_shell_true"]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ text = scanner.format_report(report)
+ assert "Autofix:" in text
+
+ def test_format_report_includes_diff_lines(
+ self, tmp_path: Path,
+ ) -> None:
+ filename, code, _ = _VULNERABLE_SNIPPETS["python_shell_true"]
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ text = scanner.format_report(report)
+ # The diff lines should be indented in the report
+ assert "--- a/" in text
+ assert "+++ b/" in text
+
+ def test_format_report_omits_autofix_when_no_diff(
+ self, tmp_path: Path,
+ ) -> None:
+ filename, code = _NO_TEMPLATE_SNIPPET
+ (tmp_path / filename).write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ # Filter findings to only those without fix_diff to avoid
+ # other patterns in the file accidentally having autofix
+ report.findings = [
+ f for f in report.findings if f.pattern_name == "python_dynamic_eval"
+ ]
+ text = scanner.format_report(report)
+ assert "Autofix:" not in text
+
+ def test_format_report_no_findings_no_autofix(
+ self, tmp_path: Path,
+ ) -> None:
+ """An empty report should not mention Autofix at all."""
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+ text = scanner.format_report(report)
+ assert "Autofix:" not in text
+ assert "No security issues found." in text
+
+ def test_format_report_mixed_findings_only_shows_autofix_for_diffs(
+ self, tmp_path: Path,
+ ) -> None:
+ """When some findings have fix_diff and others don't, only the ones
+ with diffs should get the Autofix section."""
+ # "result = eval(...)" triggers python_dynamic_eval (no template)
+ # "yaml.load(...)" triggers python_yaml_unsafe (has template)
+ code = (
+ "result = eval(user_input)\n" # noqa: S307 — test fixture
+ "data = yaml.load(open('f'))\n"
+ )
+ (tmp_path / "both.py").write_text(code)
+ scanner = SecurityScanner(root_dir=str(tmp_path))
+ report = scanner.scan(mode="patterns")
+
+ text = scanner.format_report(report)
+ # Should contain at least one Autofix section (for yaml.load)
+ assert text.count("Autofix:") >= 1
+ # The eval finding should NOT have an Autofix block —
+ # verify by checking that the eval recommendation line is NOT
+ # followed by an Autofix line
+ lines = text.splitlines()
+ for i, line in enumerate(lines):
+ if "Dynamic code evaluation" in line:
+ # Look ahead: next non-empty content lines should not be Autofix
+ for j in range(i + 1, min(i + 4, len(lines))):
+ if "Autofix:" in lines[j]:
+ # Make sure this Autofix is not right after the eval finding
+ # by checking that a different finding header appeared between
+ context_block = "\n".join(lines[i:j + 1])
+ if "yaml" not in context_block.lower():
+ pytest.fail(
+ "Autofix appeared after eval finding, which has no template"
+ )