repotoire 0.8.2

//! Cleartext Credentials Detector
//!
//! Detects credentials passed to logging APIs in cleartext.
//! CWE-312: Cleartext Storage of Sensitive Information.
//!
//! # Architecture
//!
//! Two scan paths, picked by file language (mirrors `secrets.rs`):
//!
//! 1. **AST path** (Python, JS/TS, Rust, Go, Java, C#, C, C++): walks the
//!    tree-sitter parse tree looking for **call expressions** whose CALLEE
//!    matches a logging-API name (`logger.info`, `console.log`,
//!    `fmt.Println`, `println!`, `System.out.println`, ...). For each
//!    matched call, every ARGUMENT is examined:
//!
//!      - **Identifier or member access** (`apiKey`, `user.password`,
//!        `self._secret`): the rightmost name is matched against the
//!        credential keyword set; a hit fires.
//!      - **Keyword argument** (Python `password=user.pwd`): the keyword
//!        name is matched directly.
//!      - **Interpolation-bearing literal** (Python f-string,
//!        JS template_string): the inner expressions are walked for
//!        credential identifiers; matches fire.
//!      - **Plain string literal**: the literal text is *data*, not a
//!        variable; it never fires by itself. (This is the
//!        "credentials only in static message" FP that the line-based
//!        scanner needed `credential_only_in_string_literal` to handle
//!        with 90 LOC of byte-level string-literal-vs-interpolation
//!        tracking.)
//!      - **Concatenation** (`"prefix " + apiKey`): the non-literal
//!        operands are recursively examined.
//!
//!    Name-side FP filters (e.g. `password_hash`, `password_field`,
//!    `tokenizer`, `_path`, `_file`, `password_reset`) are applied
//!    against the extracted credential identifier, not against
//!    surrounding line text.
//!
//! 2. **Line path** (Ruby, PHP, Kotlin, Swift, ...): for languages
//!    without a tree-sitter grammar in our dispatch list, the legacy
//!    `LOG_PATTERN` regex + `is_false_positive_line` filter remains.
//!    Those formats have no AST, so reverse-engineering line shape is
//!    the only option.
//!
//! This is the structural counterpart of the SecretDetector AST
//! migration (commit 4381002a / fe2626c6): the previous detector
//! ran a single mega-regex against raw lines and then needed 144 LOC
//! of byte-level string-literal-vs-interpolation tracking to suppress
//! "credential keyword inside a static log message" FPs. With the AST,
//! "is this a literal or an expression" is a free piece of information
//! and the 144-LOC heuristic disappears.

use crate::detectors::ast_fingerprint::parse_root_ext;
use crate::detectors::ast_walk::AstWalkCtx;
use crate::detectors::base::{Detector, DetectorConfig};
use crate::detectors::security::ast_helpers::{
    collect_named_args, node_text, receiver_chain_label as receiver_chain_label_shared,
};
use crate::detectors::security::scan_inputs::{ScanAstInputs, ScanInputs};
use crate::graph::GraphQueryExt;
use crate::models::{Finding, Severity};
use crate::parsers::lightweight::Language;
use anyhow::Result;
use regex::Regex;
use std::path::{Path, PathBuf};
use std::sync::LazyLock;
use tracing::info;

// ---------------------------------------------------------------------------
// Credential keyword vocabulary
// ---------------------------------------------------------------------------

/// Identifier-name regex for "this variable holds a credential".
///
/// Applied to the rightmost identifier of any AST argument expression:
///
///   - `apiKey`              -> `apikey`            -> match
///   - `user.password`       -> `password`          -> match
///   - `auth_token_value`    -> `auth_token_value`  -> match (token boundary)
///   - `password_hash`       -> rejected by `is_credential_name_fp`
///   - `password_field`      -> rejected by `is_credential_name_fp`
///   - `username`            -> no match
///
/// The match is case-insensitive and word-boundary aware so that
/// `passwords` (plural) does NOT match — a list of passwords is a data
/// structure, not the secret itself.
static CRED_NAME_REGEX: LazyLock<Regex> = LazyLock::new(|| {
    Regex::new(r"(?i)(^|_)(password|passwd|pwd|secret|api[_-]?key|apikey|auth[_-]?token|access[_-]?token|private[_-]?key|credential)($|_)")
        .expect("valid regex")
});

/// Substrings that, when present in the credential identifier name,
/// indicate it is NOT a real credential value.
///
/// These map to the line-text skip list the legacy `is_false_positive`
/// used (`_path`, `_file`, `password_hash`, `password_reset`, ...).
/// Operating on the identifier text rather than the line is more
/// precise: `logger.info("Password reset email sent")` is rejected
/// by the literal-only rule below; `logger.info(password_hash)` is
/// rejected here because the variable name itself is a hash field.
const NAME_FP_SUBSTRINGS: &[&str] = &[
    "_path",
    "_file",
    "_dir",
    "tokenizer",
    "token_path",
    "password_field",
    "password_input",
    "password_hash",
    "password_reset",
    "no_password",
    "without_password",
    "hide_password",
    "mask_password",
];

fn is_credential_name(name: &str) -> bool {
    let lower = name.to_lowercase();
    if is_credential_name_fp(&lower) {
        return false;
    }
    CRED_NAME_REGEX.is_match(&lower)
}

fn is_credential_name_fp(name_lower: &str) -> bool {
    NAME_FP_SUBSTRINGS.iter().any(|s| name_lower.contains(s))
}

/// Categorize a credential variable name. Operates on the EXTRACTED
/// identifier (e.g. `apiKey`, `user.password`), not on the surrounding
/// line — much less ambiguous than the legacy whole-line categorize.
fn categorize_credential_name(name_lower: &str) -> (&'static str, &'static str) {
    if name_lower.contains("api_key")
        || name_lower.contains("apikey")
        || name_lower.contains("api-key")
    {
        return ("API Key", "🔑");
    }
    if name_lower.contains("auth_token")
        || name_lower.contains("access_token")
        || name_lower.contains("authtoken")
        || name_lower.contains("accesstoken")
    {
        return ("Auth Token", "🎫");
    }
    if name_lower.contains("private_key") || name_lower.contains("privatekey") {
        return ("Private Key", "🔐");
    }
    if name_lower.contains("password")
        || name_lower.contains("passwd")
        || name_lower.contains("pwd")
    {
        return ("Password", "🔒");
    }
    if name_lower.contains("secret") {
        return ("Secret", "🤫");
    }
    if name_lower.contains("credential") {
        return ("Credentials", "👤");
    }
    if name_lower.contains("token") {
        return ("Auth Token", "🎫");
    }
    ("Sensitive Data", "⚠️")
}

// ---------------------------------------------------------------------------
// Legacy line scanner (non-AST languages: Ruby, PHP, Kotlin, Swift, ...)
// ---------------------------------------------------------------------------

/// Whole-line regex used by the legacy line scanner.
///
/// **Not used on AST-eligible languages** (Python, JS/TS, Rust, Go,
/// Java, C#, C, C++) — those go through `scan_file_ast`. The line
/// scanner remains for grammars we don't have a tree-sitter parser
/// for; for those formats reverse-engineering line shape is the only
/// option.
static LOG_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
    Regex::new(
        r"(?i)\b(console\.(log|warn|error|info|debug)|print[fl]?n?|logger\.(log|warn|error|info|debug|trace)|logging\.(log|warn|error|info|debug)|log\.(debug|info|warn|error|trace)|System\.out\.print|fmt\.Print|puts|p\s)\s*[\.(]\s*[^;\n]*\b(password|passwd|secret|api_key|apikey|auth_token|access_token|private_key|credentials?)\b"
    ).expect("valid regex")
});

/// Line-based FP filter for the legacy line scanner.
///
/// **Path used by**: `.rb`, `.php`, `.kt`, `.swift`, `.scala`, and any
/// other extension that does NOT have a tree-sitter grammar in our
/// dispatch list (see `scan_file_ast` for the AST path which
/// covers Python, JS/TS, Rust, Go, Java, C#, C, C++).
///
/// AST-eligible languages do **not** flow through this function; for
/// them the parse tree natively distinguishes literal-vs-interpolation,
/// so the heuristic isn't needed.
///
/// Rejects when the credential keyword on the line is part of a benign
/// substring (`password_hash`, `_path`, ...) OR appears purely inside a
/// static string literal with no interpolation. This is the intentional
/// concession to languages we don't parse.
///
/// (Mirrors fe2626c6's `try_match_line` doc-comment style — call out
/// what languages, what the heuristic does, why it's concession.)
fn is_false_positive_line(line: &str) -> bool {
    let lower = line.to_lowercase();
    if NAME_FP_SUBSTRINGS.iter().any(|s| lower.contains(s)) {
        return true;
    }
    credential_only_in_string_literal(line)
}

/// Check if ALL credential keywords on this line appear only inside
/// string literals (and not inside f-string / template-literal
/// interpolation braces).
///
/// This is the byte-level string-literal-vs-interpolation tracker the
/// legacy line path needs. It is **not** invoked on AST-eligible
/// languages — see `scan_file_ast` for the AST-native equivalent.
fn credential_only_in_string_literal(line: &str) -> bool {
    static CRED_KEYWORDS: &[&str] = &[
        "password",
        "passwd",
        "secret",
        "api_key",
        "apikey",
        "auth_token",
        "access_token",
        "private_key",
        "credential",
    ];

    let lower = line.to_lowercase();

    let mut cred_positions: Vec<(usize, usize)> = Vec::new();
    for keyword in CRED_KEYWORDS {
        let mut start = 0;
        while let Some(pos) = lower[start..].find(keyword) {
            let abs_pos = start + pos;
            cred_positions.push((abs_pos, abs_pos + keyword.len()));
            start = abs_pos + keyword.len();
        }
    }

    if cred_positions.is_empty() {
        return false;
    }

    let bytes = line.as_bytes();
    let mut in_string = vec![false; bytes.len()];
    let mut i = 0;
    while i < bytes.len() {
        let ch = bytes[i];
        if ch == b'"' || ch == b'\'' || ch == b'`' {
            let is_fstring = {
                let prev1 = if i >= 1 { bytes[i - 1] } else { 0 };
                let prev2 = if i >= 2 { bytes[i - 2] } else { 0 };
                prev1 == b'f' || prev1 == b'F' || prev2 == b'f' || prev2 == b'F'
            };
            let is_template_literal = ch == b'`';
            let quote = ch;
            i += 1;
            let mut brace_depth: u32 = 0;
            while i < bytes.len() {
                if bytes[i] == b'\\' {
                    i += 2;
                    continue;
                }
                if bytes[i] == quote && brace_depth == 0 {
                    break;
                }
                if (is_fstring || is_template_literal) && bytes[i] == b'{' {
                    // Audit B3: original code asked `bytes[i] == b'$'`
                    // INSIDE a branch that already proved `bytes[i] == b'{'`,
                    // making the `${...}` detection unreachable. Compare
                    // the PRECEDING byte to detect template-literal
                    // interpolation instead.
                    if is_template_literal && i >= 1 && bytes[i - 1] == b'$' {
                        brace_depth += 1;
                        i += 1;
                        continue;
                    }
                    if is_fstring {
                        brace_depth += 1;
                        i += 1;
                        continue;
                    }
                }
                if (is_fstring || is_template_literal) && bytes[i] == b'}' && brace_depth > 0 {
                    brace_depth -= 1;
                    i += 1;
                    continue;
                }
                if brace_depth == 0 {
                    in_string[i] = true;
                }
                i += 1;
            }
        }
        i += 1;
    }

    cred_positions
        .iter()
        .all(|&(start, end)| (start..end).all(|pos| pos < in_string.len() && in_string[pos]))
}

// ---------------------------------------------------------------------------
// Detector
// ---------------------------------------------------------------------------

/// Single source of truth for the file extensions this detector
/// processes. Used by both `file_extensions()` and `detect()` to avoid
/// the drift that the audit (Tier 3 nit #8) flagged: previously the
/// trait method advertised one set and the iteration used another.
///
/// AST-eligible extensions (Python, JS/TS, Rust, Go, Java, C#, C, C++)
/// flow through `scan_file_ast`; the rest fall through to the legacy
/// line scanner.
const SUPPORTED_EXTS: &[&str] = &[
    // AST path
    "py", "js", "ts", "jsx", "tsx", "java", "go", "cs", "rs", "c", "cpp", "h", "hpp", "cc", "cxx",
    "hh", // Line path
    "rb", "php", "kt", "swift", "scala",
];

pub struct CleartextCredentialsDetector {
    #[allow(dead_code)] // Part of detector pattern
    config: DetectorConfig,
    #[allow(dead_code)] // Part of detector pattern, used for file scanning
    repository_path: PathBuf,
    max_findings: usize,
}

impl CleartextCredentialsDetector {
    pub fn new(repository_path: impl Into<PathBuf>) -> Self {
        Self {
            config: DetectorConfig::default(),
            repository_path: repository_path.into(),
            max_findings: 50,
        }
    }

    /// Find containing function and get context.
    fn find_function_context(
        graph: &dyn crate::graph::GraphQuery,
        file_path: &str,
        line: u32,
    ) -> Option<(String, usize, bool)> {
        let i = graph.interner();
        graph.find_function_at(file_path, line).map(|f| {
            let callers = graph.get_callers(f.qn(i));
            let name_lower = f.node_name(i).to_lowercase();
            let is_auth_related = name_lower.contains("auth")
                || name_lower.contains("login")
                || name_lower.contains("signin")
                || name_lower.contains("register")
                || name_lower.contains("password")
                || name_lower.contains("credential")
                || name_lower.contains("token")
                || name_lower.contains("session");
            (f.node_name(i).to_string(), callers.len(), is_auth_related)
        })
    }

    /// True if a logging callee name represents a production-level log
    /// (error / warn). Used to boost severity to Critical.
    fn is_production_log_method(method_name: &str) -> bool {
        let lower = method_name.to_lowercase();
        lower == "error" || lower == "warn" || lower == "warning"
    }

    /// Legacy line scanner for non-AST languages.
    fn scan_file_line(&self, inputs: &ScanInputs<'_>) -> Vec<Finding> {
        let path = inputs.path;
        let content = inputs.content;
        let ext = inputs.ext;
        let mut findings = vec![];
        let lines: Vec<&str> = content.lines().collect();
        for (i, line) in lines.iter().enumerate() {
            if findings.len() >= self.max_findings {
                break;
            }
            let prev_line = if i > 0 { Some(lines[i - 1]) } else { None };
            if crate::detectors::is_line_suppressed(line, prev_line) {
                continue;
            }
            if LOG_PATTERN.is_match(line) && !is_false_positive_line(line) {
                let line_num = (i + 1) as u32;
                let (cred_type, emoji) = categorize_credential_line(line);
                let is_prod_log = {
                    let lower = line.to_lowercase();
                    lower.contains(".error")
                        || lower.contains(".warn")
                        || lower.contains(".warning")
                };
                findings.push(self.build_finding(
                    path,
                    line_num,
                    cred_type,
                    emoji,
                    is_prod_log,
                    ext,
                ));
            }
        }
        findings
    }

    /// AST-first scanner.
    ///
    /// Walks the tree once. For every call expression whose callee is a
    /// known logging API, examines each argument using the rules in the
    /// module-level docs. Returns at most one finding per call-site.
    fn scan_file_ast(&self, inputs: &ScanAstInputs<'_>) -> Vec<Finding> {
        let path = inputs.path();
        let content = inputs.content();
        let ext = inputs.ext();
        let lang = inputs.lang;
        let cached_tree = inputs.cached_tree;
        let mut findings = vec![];

        if content.contains('\0') {
            return findings;
        }

        let owned;
        let root = match cached_tree {
            Some(tree) => tree.root_node(),
            None => match parse_root_ext(content, lang, ext) {
                Some(t) => {
                    owned = t;
                    owned.root_node()
                }
                None => return findings,
            },
        };

        let bytes = content.as_bytes();
        let lines: Vec<&str> = content.lines().collect();
        let mut log_calls: Vec<LogCall> = Vec::new();
        let ctx = AstWalkCtx {
            lang,
            source: bytes,
        };
        collect_log_calls(&ctx, root, &mut log_calls);

        for call in log_calls {
            if findings.len() >= self.max_findings {
                break;
            }
            // Per-line suppression markers still apply on the AST path.
            let line_idx = call.call_node.start_position().row;
            if let Some(line) = lines.get(line_idx) {
                let prev = if line_idx > 0 {
                    Some(lines[line_idx - 1])
                } else {
                    None
                };
                if crate::detectors::is_line_suppressed(line, prev) {
                    continue;
                }
            }

            // Find a credential argument.
            let mut hit: Option<CredentialHit> = None;
            for arg in &call.args {
                if let Some(h) = examine_argument(*arg, bytes) {
                    hit = Some(h);
                    break;
                }
            }
            let hit = match hit {
                Some(h) => h,
                None => continue,
            };

            let (cred_type, emoji) = categorize_credential_name(&hit.name_lower);
            let line_num = (line_idx + 1) as u32;
            let is_prod_log = Self::is_production_log_method(&call.method_name);

            findings.push(self.build_finding(path, line_num, cred_type, emoji, is_prod_log, ext));
        }

        findings
    }

    fn build_finding(
        &self,
        path: &Path,
        line_num: u32,
        cred_type: &str,
        emoji: &str,
        is_prod_log: bool,
        ext: &str,
    ) -> Finding {
        // Severity defaults to High; production log methods boost to
        // Critical. Auth-context boost is applied at enrichment time
        // because we don't have the graph here.
        let mut severity = Severity::High;
        if is_prod_log {
            severity = Severity::Critical;
        }

        let mut notes = Vec::new();
        notes.push(format!("{} Credential type: {}", emoji, cred_type));
        if is_prod_log {
            notes.push("🚨 Production log level (error/warn)".to_string());
        }
        let context_notes = format!("\n\n**Analysis:**\n{}", notes.join("\n"));

        let suggestion = match ext {
            "py" => "Mask or remove credentials from logs:\n\
                 ```python\n\
                 # Instead of:\n\
                 logger.info(f\"Login attempt with password: {password}\")\n\
                 \n\
                 # Use:\n\
                 logger.info(f\"Login attempt for user: {username}\")\n\
                 # Or mask:\n\
                 logger.debug(f\"Password length: {len(password)}\")\n\
                 ```"
            .to_string(),
            "js" | "ts" | "jsx" | "tsx" => "Mask or remove credentials from logs:\n\
                 ```javascript\n\
                 // Instead of:\n\
                 console.log('API Key:', apiKey);\n\
                 \n\
                 // Use:\n\
                 console.log('API Key set:', !!apiKey);\n\
                 // Or redact:\n\
                 console.log('API Key:', apiKey.slice(0, 4) + '****');\n\
                 ```"
            .to_string(),
            _ => "Remove sensitive data from logs or use masking.".to_string(),
        };

        Finding {
            id: String::new(),
            detector: "CleartextCredentialsDetector".to_string(),
            severity,
            title: format!("{} may be logged in cleartext", cred_type),
            description: format!(
                "Sensitive data ({}) appears in logging statement.{}",
                cred_type, context_notes
            ),
            affected_files: vec![path.to_path_buf()],
            line_start: Some(line_num),
            line_end: Some(line_num),
            suggested_fix: Some(suggestion),
            estimated_effort: Some("10 minutes".to_string()),
            category: Some("security".to_string()),
            cwe_id: Some("CWE-312".to_string()),
            why_it_matters: Some(
                "Credentials logged in cleartext can be:\n\
                 • Exposed in log files accessible to attackers\n\
                 • Sent to centralized logging systems\n\
                 • Visible in monitoring dashboards\n\
                 • Captured in crash reports"
                    .to_string(),
            ),
            ..Default::default()
        }
    }
}

/// Whole-line categorization for the legacy line scanner.
///
/// Audit B11: previously this was an independent keyword-table lookup
/// that diverged from `categorize_credential_name` (it didn't check
/// `pwd`, ordered `apikey` before `auth_token`, etc.). The line path
/// now scans the line for the FIRST credential keyword from a unified
/// table and delegates classification to `categorize_credential_name`,
/// so AST and line paths share a single source of truth.
fn categorize_credential_line(line: &str) -> (&'static str, &'static str) {
    static LINE_KEYWORDS: &[&str] = &[
        "private_key",
        "privatekey",
        "auth_token",
        "access_token",
        "authtoken",
        "accesstoken",
        "api_key",
        "apikey",
        "api-key",
        "credential",
        "password",
        "passwd",
        "pwd",
        "secret",
        "token",
    ];
    let lower = line.to_lowercase();
    if let Some(kw) = LINE_KEYWORDS.iter().find(|k| lower.contains(*k)) {
        return categorize_credential_name(kw);
    }
    ("Sensitive Data", "⚠️")
}

// ---------------------------------------------------------------------------
// AST walking
// ---------------------------------------------------------------------------

/// One log-call site we want to examine.
struct LogCall<'a> {
    /// The call/macro_invocation node — used for line lookup.
    call_node: tree_sitter::Node<'a>,
    /// Lowercased method/macro name (`info`, `error`, `println`, ...).
    /// Used for production-log severity boost.
    method_name: String,
    /// Argument expressions to scan (already drilled past `argument_list`
    /// / `arguments` / `token_tree`).
    args: Vec<tree_sitter::Node<'a>>,
}

/// What we found inside an argument that makes the call worth flagging.
struct CredentialHit {
    /// Lowercased credential variable name (e.g. `password`, `apikey`).
    name_lower: String,
}

/// Walk the tree and emit a `LogCall` for every call expression whose
/// callee matches a known logging API for the given language.
fn collect_log_calls<'a>(
    ctx: &AstWalkCtx<'a>,
    node: tree_sitter::Node<'a>,
    out: &mut Vec<LogCall<'a>>,
) {
    if let Some(call) = match_log_call(node, ctx.source, ctx.lang) {
        out.push(call);
        // Keep recursing — nested log calls (rare) should still be picked up,
        // and arguments may contain non-log expressions worth ignoring.
    }
    let mut cursor = node.walk();
    for child in node.children(&mut cursor) {
        collect_log_calls(ctx, child, out);
    }
}

/// If `node` is a call/macro that names a logging API, return a `LogCall`
/// describing it. Returns `None` otherwise.
fn match_log_call<'a>(
    node: tree_sitter::Node<'a>,
    source: &'a [u8],
    lang: Language,
) -> Option<LogCall<'a>> {
    match node.kind() {
        // Python: `logger.info(...)`, `print(...)`.
        // tree-sitter-python uses `call` with `function` field.
        "call" => {
            let func = node.child_by_field_name("function")?;
            let (object, method) = decompose_callee(func, source);
            if !is_log_callee(object.as_deref(), &method, lang) {
                return None;
            }
            let arg_list = node.child_by_field_name("arguments")?;
            let args = collect_named_args(arg_list);
            Some(LogCall {
                call_node: node,
                method_name: method,
                args,
            })
        }
        // JS/TS: `call_expression` with `function` field.
        // Go: same node kind in tree-sitter-go.
        // C/C++: tree-sitter-c emits `call_expression` with `function`
        //   + `arguments` fields, so this same arm covers `printf(...)`,
        //   `fprintf(...)`, `syslog(...)`, `printk(...)`. (Audit Tier 2:
        //   wires C/C++ logging detection that was deferred from
        //   commit 4c656b2f's migration.)
        "call_expression" => {
            let func = node.child_by_field_name("function")?;
            let (object, method) = decompose_callee(func, source);
            if !is_log_callee(object.as_deref(), &method, lang) {
                return None;
            }
            let arg_list = node.child_by_field_name("arguments")?;
            let args = collect_named_args(arg_list);
            Some(LogCall {
                call_node: node,
                method_name: method,
                args,
            })
        }
        // Java: `method_invocation` with `object` + `name` fields.
        "method_invocation" => {
            let name_node = node.child_by_field_name("name")?;
            let method = node_text(name_node, source)?.to_lowercase();
            let object = node
                .child_by_field_name("object")
                .map(|o| receiver_chain_label(o, source))
                .or_else(|| {
                    node.child_by_field_name("object")
                        .and_then(|o| node_text(o, source))
                        .map(|s| s.to_lowercase())
                });
            if !is_log_callee(object.as_deref(), &method, lang) {
                return None;
            }
            let arg_list = node.child_by_field_name("arguments")?;
            let args = collect_named_args(arg_list);
            Some(LogCall {
                call_node: node,
                method_name: method,
                args,
            })
        }
        // C#: tree-sitter-c-sharp uses `invocation_expression` with
        // `function` + `arguments` fields. Callee is a
        // `member_access_expression` whose fields are `expression` +
        // `name` (note: `name`, not `attribute`/`property`/`field`).
        // Arguments are wrapped in an `argument_list` of `argument`
        // nodes. Audit B1: this entire shape was missing — every C# log
        // call was silently dropped.
        "invocation_expression" => {
            let func = node.child_by_field_name("function")?;
            let (object, method) = decompose_callee(func, source);
            if !is_log_callee(object.as_deref(), &method, lang) {
                return None;
            }
            let arg_list = node.child_by_field_name("arguments")?;
            let args = collect_named_args(arg_list);
            Some(LogCall {
                call_node: node,
                method_name: method,
                args,
            })
        }
        // Rust: `macro_invocation { macro: identifier, !, token_tree }`.
        // Common log macros: `println!`, `eprintln!`, `info!`, `warn!`,
        // `error!`, `debug!`, `trace!`, plus `log::info!` style scoped paths.
        "macro_invocation" => {
            let macro_node = node.child_by_field_name("macro")?;
            let macro_name = node_text(macro_node, source)?.to_lowercase();
            // Scoped paths come through as `scoped_identifier`; take the
            // last segment.
            let last_segment = macro_name.rsplit("::").next().unwrap_or(&macro_name);
            if !is_log_callee(None, last_segment, lang) {
                return None;
            }
            let token_tree = match node.child_by_field_name("arguments") {
                Some(t) => t,
                None => {
                    // Some grammar versions don't tag the field — fall
                    // back to looking for the token_tree child.
                    let mut cursor = node.walk();
                    let found = node
                        .children(&mut cursor)
                        .find(|c| c.kind() == "token_tree");
                    found?
                }
            };
            let args = collect_named_args(token_tree);
            Some(LogCall {
                call_node: node,
                method_name: last_segment.to_string(),
                args,
            })
        }
        _ => None,
    }
}

/// Pull `(object_name_lowercased, method_name_lowercased)` out of a callee
/// expression. Returns `(None, "name")` for bare identifier callees
/// (`print(...)`, `puts(...)`, `printf(...)`).
///
/// For member-of-member receivers (`this.logger`, `self._logger`,
/// `obj.foo.logger`), the object slot is the LAST segment of the
/// receiver chain (here: `logger`, `_logger`, `logger`) — see
/// `receiver_chain_label`. This handles audit B2 (`this.logger.info`
/// and `self.logger.info` were silently missed because the original
/// code lower-cased the entire receiver text).
fn decompose_callee(node: tree_sitter::Node, source: &[u8]) -> (Option<String>, String) {
    match node.kind() {
        // Python `attribute`, JS `member_expression`.
        "attribute" | "member_expression" => {
            let object = node
                .child_by_field_name("object")
                .map(|o| receiver_chain_label(o, source));
            let attr = node
                .child_by_field_name("attribute")
                .or_else(|| node.child_by_field_name("property"))
                .and_then(|a| node_text(a, source))
                .unwrap_or("")
                .to_lowercase();
            (object, attr)
        }
        "selector_expression" => {
            // Go: operand + field
            let operand = node
                .child_by_field_name("operand")
                .map(|o| receiver_chain_label(o, source));
            let field = node
                .child_by_field_name("field")
                .and_then(|a| node_text(a, source))
                .unwrap_or("")
                .to_lowercase();
            (operand, field)
        }
        // C#: member_access_expression { expression: ..., name: ... }
        "member_access_expression" => {
            let object = node
                .child_by_field_name("expression")
                .map(|o| receiver_chain_label(o, source));
            let name = node
                .child_by_field_name("name")
                .and_then(|a| node_text(a, source))
                .unwrap_or("")
                .to_lowercase();
            (object, name)
        }
        // Bare identifier callee: `print(...)`, `puts(...)`, `p(...)`,
        // `printf(...)`, `fprintf(...)`, `syslog(...)`.
        "identifier" => (None, node_text(node, source).unwrap_or("").to_lowercase()),
        _ => {
            // Catch-all: take the trailing identifier text.
            let txt = node_text(node, source).unwrap_or("").to_lowercase();
            (None, txt)
        }
    }
}

/// Return a single lowercased "object label" for a receiver expression.
///
/// For bare identifiers (`logger`), returns `"logger"`. For member-of-
/// member chains (`this.logger`, `self._logger`, `obj.foo.logger`,
/// `os.Stdout`), returns the LAST segment lowercased (`"logger"`,
/// `"_logger"`, `"logger"`, `"stdout"`).
///
/// This is the audit B2 fix: callees of the shape `this.logger.info`
/// and `self.logger.info` are common in JS classes and Python classes
/// respectively. The previous decomposer flattened the entire receiver
/// text to lowercase (`this.logger` / `self.logger`) and looked it up
/// in a flat object set, so the call was rejected.
///
/// Implementation: delegate to the shared
/// [`receiver_chain_label`](crate::detectors::security::ast_helpers::receiver_chain_label).
/// `cleartext_credentials` does not use the call-expression module
/// resolver (no `require('logger').info`-style check), so we pass `None`.
fn receiver_chain_label(node: tree_sitter::Node, source: &[u8]) -> String {
    receiver_chain_label_shared(node, source, None)
}

/// True if `(object, method)` names a logging API call we care about.
///
/// The object check is intentionally permissive: `console.log`,
/// `logger.info`, `log.warn`, `logging.info`, `slog.Info`, `fmt.Println`
/// and friends all share the well-known method names — accepting the
/// well-known method names alone catches dozens of logger libraries in
/// each language without enumerating them.
///
/// `object` is already the LAST segment of the receiver chain
/// (see `receiver_chain_label`), so `this.logger.info` arrives here
/// as `("logger", "info")`.
fn is_log_callee(object: Option<&str>, method: &str, lang: Language) -> bool {
    let method = method.trim();

    // Per-language well-known free-function callees (no object).
    if object.is_none() {
        match lang {
            Language::Python => {
                if matches!(method, "print" | "pprint") {
                    return true;
                }
            }
            Language::JavaScript | Language::TypeScript => {
                // No widely-used object-less console function in JS, but
                // some codebases alias `const log = console.log`. We keep
                // this conservative — only a small set of names.
                if matches!(method, "log" | "info" | "warn" | "error" | "debug") {
                    // Only fire for object-less if name is unambiguous.
                    return false;
                }
            }
            Language::Go => {
                // Free functions: `fmt.Println` etc. always have an object.
                // No bare logging functions worth flagging.
            }
            Language::Rust => {
                // Macros: `println!`, `eprintln!`, `info!`, `warn!`,
                // `error!`, `debug!`, `trace!`. Also `print!`/`eprint!`,
                // and `dbg!` (audit Tier 2 coverage gap).
                if matches!(
                    method,
                    "println"
                        | "eprintln"
                        | "print"
                        | "eprint"
                        | "info"
                        | "warn"
                        | "error"
                        | "debug"
                        | "trace"
                        | "log"
                        | "dbg"
                ) {
                    return true;
                }
            }
            Language::Java | Language::CSharp => {
                // No bare logging functions of interest in Java/C#.
            }
            Language::C | Language::Cpp => {
                // C/C++ free functions — audit Tier 2: this entire
                // wiring was deferred from commit 4c656b2f. The C
                // logging vocabulary is `printf`, `fprintf`, `syslog`,
                // `printk` (Linux kernel), `vprintf`, `vfprintf`,
                // `perror`, `puts`. Inspect from the second positional
                // argument onward (first is the format string for
                // printf-family, stream/priority for fprintf/syslog),
                // but `examine_argument` will reject string literals on
                // its own so passing all args is safe.
                if matches!(
                    method,
                    "printf"
                        | "fprintf"
                        | "sprintf"
                        | "snprintf"
                        | "vprintf"
                        | "vfprintf"
                        | "syslog"
                        | "vsyslog"
                        | "printk"
                        | "perror"
                        | "puts"
                ) {
                    return true;
                }
            }
            _ => {}
        }
        return false;
    }

    let object = object.expect("checked is_some on the line above");

    // Object-and-method patterns common across languages. We accept the
    // well-known method names from any object whose name suggests a
    // logger (`log`, `logger`, `logging`, `console`, `fmt`, `slog`,
    // `system.out`, `system.err`).
    //
    // Audit B2: `object` is already the trailing receiver segment, so
    // `this.logger.info(...)` arrives here as `("logger", "info")`.
    // Audit Tier 2 (Go): also accept any object that ENDS in `logger`
    // (e.g. `myLogger`, `appLogger`, `_logger`) — the standard
    // user-defined logger naming convention.
    let is_log_object = matches!(
        object,
        "console"
            | "log"
            | "logger"
            | "_logger"
            | "ilogger"
            | "logging"
            | "fmt"
            | "slog"
            | "klog"
            | "zap"
            | "logrus"
            | "winston"
            | "pino"
            | "bunyan"
            | "out"   // System.out (last segment)
            | "err"   // System.err (last segment)
            | "tracing"
    ) || object.ends_with("logger")
        || object.ends_with("_log");

    if !is_log_object {
        return false;
    }

    // Accepted method names. Keep this set deliberately small — these
    // are the canonical logging method names in every language we
    // support.
    //
    // Audit B1 / Tier 2: include the C# `Microsoft.Extensions.Logging`
    // extension methods: `LogTrace`, `LogDebug`, `LogInformation`,
    // `LogWarning`, `LogError`, `LogCritical`. Also `Errorf`
    // (Go `fmt.Errorf` / `log.Errorf` / `slog.Errorf`).
    matches!(
        method,
        "log"
            | "info"
            | "warn"
            | "warning"
            | "error"
            | "errorf"
            | "debug"
            | "trace"
            | "fatal"
            | "println"
            | "printf"
            | "print"
            | "printline"
            | "write"
            | "writeline"
            | "logtrace"
            | "logdebug"
            | "loginformation"
            | "logwarning"
            | "logerror"
            | "logcritical"
    )
}

// `collect_named_args` (formerly local `collect_call_args` here, name
// changed during the `ast_helpers` consolidation since the two were
// functionally identical) lives in `ast_helpers`; imported above.

/// Inspect one argument and return a `CredentialHit` if it represents
/// (or contains, transitively) a credential variable being passed to
/// the log call. Otherwise `None`.
///
/// Argument shapes handled:
///
///   - Identifier: `apiKey` -> hit if `is_credential_name("apiKey")`.
///   - Member access (`user.password`, `self._secret`): take rightmost.
///   - Keyword argument (`password=user.pwd`): the keyword NAME is
///     itself a credential keyword -> hit.
///   - Interpolation-bearing literal (Python f-string,
///     JS template_string, C# `interpolated_string_expression`): walk
///     the interpolated expressions.
///   - Concatenation (`"k:" + apiKey`): recurse into the operands.
///   - Plain string literal: never a hit by itself, EXCEPT for Rust
///     where format-string capture syntax `println!("{password}")` is
///     handled by `walk_rust_format_captures` because tree-sitter-rust
///     0.24 does not parse capture syntax (the entire string content is
///     a single `string_content` chunk).
///   - C# `argument` wrapper: drill into the inner expression.
fn examine_argument(node: tree_sitter::Node, source: &[u8]) -> Option<CredentialHit> {
    match node.kind() {
        "identifier" | "property_identifier" | "field_identifier" => {
            check_identifier_name(node_text(node, source)?)
        }
        "attribute"
        | "member_expression"
        | "field_expression"
        | "selector_expression"
        | "member_access_expression" => {
            let last = rightmost_name(node, source)?;
            check_identifier_name(&last)
        }
        // Python keyword argument: `password=user.pwd`. The keyword name
        // itself is the credential signal.
        "keyword_argument" => {
            let name_node = node.child_by_field_name("name")?;
            let name = node_text(name_node, source)?;
            if let Some(hit) = check_identifier_name(name) {
                return Some(hit);
            }
            // Audit B8: skip Python `print` kwargs whose VALUE side
            // recursion would mis-fire on benign callee-control args
            // (`file=`, `sep=`, `end=`, `flush=`). The keyword name is
            // not credential-shaped so we'd otherwise fall through to
            // recursing into the value. For these specific keys the
            // value is plumbing, not a logged credential.
            if matches!(name, "file" | "sep" | "end" | "flush" | "stream") {
                return None;
            }
            // Fall through to value if the name itself wasn't a
            // credential keyword — the value might still be one.
            let value = node.child_by_field_name("value")?;
            examine_argument(value, source)
        }
        // C# `argument` is a wrapper around the actual expression. Audit
        // B1: `examine_argument` had no `argument` arm, so even with the
        // C# AST shape wired everything would have returned None.
        "argument" => {
            for i in 0..node.named_child_count() {
                if let Some(c) = node.named_child(i) {
                    if let Some(h) = examine_argument(c, source) {
                        return Some(h);
                    }
                }
            }
            None
        }
        // Python f-string / JS template / Rust string literal.
        // For Rust strings we additionally parse format-string capture
        // syntax (`{var}`) because the grammar doesn't.
        "string" | "interpreted_string_literal" | "interpreted_string_literal_content" => {
            walk_interpolations(node, source)
        }
        "string_literal" | "raw_string_literal" => {
            if let Some(h) = walk_interpolations(node, source) {
                return Some(h);
            }
            // Audit B5: Rust capture-syntax (`println!("{password}")`).
            // tree-sitter-rust 0.24 does not parse `{var}` capture
            // syntax — the entire content is one `string_content`
            // chunk. Fall back to a regex-based harvest.
            walk_rust_format_captures(node, source)
        }
        // C# interpolated string: `$"login {password}"`.
        "interpolated_string_expression" | "interpolated_verbatim_string_expression" => {
            walk_interpolations(node, source)
        }
        // JS template literal: `template_string` -> `template_substitution` -> expression.
        "template_string" => walk_interpolations(node, source),
        // Concatenation / binary expression: walk operands.
        "binary_expression" | "binary_operator" => {
            let left = node.child_by_field_name("left");
            let right = node.child_by_field_name("right");
            if let Some(l) = left {
                if let Some(h) = examine_argument(l, source) {
                    return Some(h);
                }
            }
            if let Some(r) = right {
                if let Some(h) = examine_argument(r, source) {
                    return Some(h);
                }
            }
            None
        }
        // Parenthesized / grouping wrappers — drill in.
        "parenthesized_expression" | "expression" | "primary_expression" => {
            for i in 0..node.named_child_count() {
                if let Some(c) = node.named_child(i) {
                    if let Some(h) = examine_argument(c, source) {
                        return Some(h);
                    }
                }
            }
            None
        }
        // Function call as argument: `getPassword()`. The CALLEE name
        // could match a credential keyword, but that's a function, not
        // a value of the credential — current behavior is to NOT flag.
        // This is the audit fix for the "function call returning
        // credential not distinguished from variable" case.
        "call" | "call_expression" | "method_invocation" | "invocation_expression" => None,
        _ => None,
    }
}

/// Walk all interpolation / template_substitution descendants of a
/// string node, looking inside each interpolation expression for a
/// credential identifier.
fn walk_interpolations(node: tree_sitter::Node, source: &[u8]) -> Option<CredentialHit> {
    let mut cursor = node.walk();
    for child in node.children(&mut cursor) {
        match child.kind() {
            // Python f-string interpolation, C# `interpolation` node
            // inside `interpolated_string_expression`.
            "interpolation" => {
                // The interpolated expression: try the `expression`
                // field first (Python), fall back to the first NAMED
                // child that is not the syntactic brace (C#:
                // `interpolation_brace` / `{` / `}` are the wrappers).
                let expr = child.child_by_field_name("expression").or_else(|| {
                    // Fall back to the first NAMED child that is not a
                    // syntactic brace (C#: `interpolation_brace` /
                    // `interpolation_format_clause` /
                    // `interpolation_alignment_clause`).
                    (0..child.named_child_count())
                        .filter_map(|i| child.named_child(i))
                        .find(|n| {
                            !matches!(
                                n.kind(),
                                "interpolation_brace"
                                    | "interpolation_format_clause"
                                    | "interpolation_alignment_clause"
                            )
                        })
                });
                if let Some(e) = expr {
                    if let Some(h) = examine_argument(e, source) {
                        return Some(h);
                    }
                }
            }
            // JS/TS template literal substitution.
            "template_substitution" => {
                if let Some(e) = child.named_child(0) {
                    if let Some(h) = examine_argument(e, source) {
                        return Some(h);
                    }
                }
            }
            _ => {}
        }
    }
    None
}

/// Harvest Rust format-string capture identifiers (`{var}`,
/// `{var:?}`, `{var:#?}`) from a `string_literal` and check each against
/// `is_credential_name`.
///
/// Audit B5: tree-sitter-rust 0.24 does not parse Rust format-string
/// capture syntax — the entire content of `"login {password}"` is a
/// single `string_content` chunk with no `interpolation` /
/// `template_substitution` nodes to walk. The migration noted this as
/// out-of-scope; we now harvest via regex over the literal text.
///
/// Pattern: `\{([A-Za-z_][A-Za-z0-9_]*)([:}])` — a capture name
/// terminated by `:` (format spec) or `}`. Skips escaped `{{`.
fn walk_rust_format_captures(node: tree_sitter::Node, source: &[u8]) -> Option<CredentialHit> {
    static CAPTURE_REGEX: LazyLock<Regex> =
        LazyLock::new(|| Regex::new(r"\{([A-Za-z_][A-Za-z0-9_]*)[:}]").expect("valid regex"));
    let text = node_text(node, source)?;
    // Strip escaped `{{` / `}}` to avoid false matches like `{{var}}`.
    let cleaned = text.replace("{{", "  ").replace("}}", "  ");
    for cap in CAPTURE_REGEX.captures_iter(&cleaned) {
        if let Some(m) = cap.get(1) {
            if let Some(hit) = check_identifier_name(m.as_str()) {
                return Some(hit);
            }
        }
    }
    None
}

/// Return the rightmost identifier name from a member-access / attribute
/// chain (`a.b.c.d` -> `d`).
fn rightmost_name(node: tree_sitter::Node, source: &[u8]) -> Option<String> {
    let count = node.named_child_count();
    if count == 0 {
        return node_text(node, source).map(|s| s.to_string());
    }
    let last = node.named_child(count - 1)?;
    match last.kind() {
        "identifier" | "property_identifier" | "field_identifier" => {
            node_text(last, source).map(|s| s.to_string())
        }
        // Recurse into nested member chains.
        _ => rightmost_name(last, source),
    }
}

fn check_identifier_name(name: &str) -> Option<CredentialHit> {
    if !is_credential_name(name) {
        return None;
    }
    Some(CredentialHit {
        name_lower: name.to_lowercase(),
    })
}

// `node_text` lives in `ast_helpers`; imported above.

// ---------------------------------------------------------------------------
// Detector trait impl
// ---------------------------------------------------------------------------

impl Detector for CleartextCredentialsDetector {
    fn name(&self) -> &'static str {
        "cleartext-credentials"
    }
    fn description(&self) -> &'static str {
        "Detects credentials in logs"
    }

    fn bypass_postprocessor(&self) -> bool {
        true
    }

    fn file_extensions(&self) -> &'static [&'static str] {
        // Audit Tier 3 nit #8: must match the extension list iterated in
        // `detect()`. Both lists derive from the single `SUPPORTED_EXTS`
        // table below.
        SUPPORTED_EXTS
    }

    fn content_requirements(&self) -> crate::detectors::detector_context::ContentFlags {
        crate::detectors::detector_context::ContentFlags::HAS_SECRET_PATTERN
    }

    fn detect(
        &self,
        ctx: &crate::detectors::analysis_context::AnalysisContext,
    ) -> Result<Vec<Finding>> {
        let graph = ctx.graph;
        let files = &ctx.as_file_provider();
        let mut findings = vec![];

        for path in files.files_with_extensions(SUPPORTED_EXTS) {
            if findings.len() >= self.max_findings {
                break;
            }

            let path_str = path.to_string_lossy().to_string();

            if crate::detectors::base::is_test_path(&path_str) || path_str.contains("spec") {
                continue;
            }

            let ext = path.extension().and_then(|e| e.to_str()).unwrap_or("");
            let content = match files.content(path) {
                Some(c) => c,
                None => continue,
            };

            let lang = Language::from_path(path);
            let has_ast_grammar = matches!(
                lang,
                Language::Python
                    | Language::JavaScript
                    | Language::TypeScript
                    | Language::Rust
                    | Language::Go
                    | Language::Java
                    | Language::CSharp
                    | Language::C
                    | Language::Cpp
            );

            let scan = ScanInputs::new(path, &content, ext);
            let new_findings = if has_ast_grammar {
                let cached = files.tree(path);
                let ast_inputs = ScanAstInputs::new(scan, lang, cached.as_deref());
                self.scan_file_ast(&ast_inputs)
            } else {
                self.scan_file_line(&scan)
            };
            findings.extend(new_findings);
        }

        // Graph enrichment: severity boost when in auth-related code.
        for finding in &mut findings {
            if let (Some(file_path), Some(line)) =
                (finding.affected_files.first(), finding.line_start)
            {
                let path_str = file_path.to_string_lossy().to_string();
                if let Some((func_name, callers, is_auth)) =
                    Self::find_function_context(graph, &path_str, line)
                {
                    let mut extra_notes = Vec::new();
                    extra_notes.push(format!(
                        "📦 In function: `{}` ({} callers)",
                        func_name, callers
                    ));
                    if is_auth {
                        extra_notes.push("🔐 In authentication-related code".to_string());
                        if finding.severity != Severity::Critical {
                            finding.severity = Severity::Critical;
                        }
                    }
                    finding.description =
                        format!("{}\n{}", finding.description, extra_notes.join("\n"));
                }
            }
        }

        info!(
            "CleartextCredentialsDetector found {} findings (graph-aware)",
            findings.len()
        );
        Ok(findings)
    }
}

impl crate::detectors::RegisteredDetector for CleartextCredentialsDetector {
    fn create(init: &crate::detectors::DetectorInit) -> std::sync::Arc<dyn Detector> {
        std::sync::Arc::new(Self::new(init.repo_path))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::graph::builder::GraphBuilder;

    #[test]
    fn test_detects_password_in_log() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(&store, vec![
            ("app.py", "def login(user, password):\n    logger.info(f\"Authenticating with password: {password}\")\n    return authenticate(user, password)\n"),
        ]);
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Should detect password logged in cleartext"
        );
        assert!(
            findings.iter().any(|f| f.title.contains("Password")),
            "Finding should mention Password. Titles: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    #[test]
    fn test_no_finding_for_safe_code() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(&store, vec![
            ("app.py", "def login(user, password):\n    result = authenticate(user, password)\n    logger.info(f\"User {user} logged in successfully\")\n    return result\n"),
        ]);
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            findings.is_empty(),
            "Should not detect anything in safe code. Found: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    // -----------------------------------------------------------------
    // Audit / regression tests for the AST-first migration.
    //
    // Tests prefixed `test_audit_repro_` were originally `#[ignore]`
    // with `audit-pending:` reasons because the line-based scanner
    // could not handle them. The AST migration unblocked them; they
    // now run as part of the standard suite.
    // -----------------------------------------------------------------

    /// Multi-line Python `logger.info(...)` call. The line scanner
    /// could not see across the line break; the AST treats the call
    /// as a single node regardless of whitespace.
    #[test]
    fn test_audit_repro_multiline_python_log() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def login(user, password):\n    logger.info(\n        f\"Login attempt with password: {password}\"\n    )\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Should detect the multi-line logger.info call referencing `password`"
        );
    }

    #[test]
    fn test_detects_python_password_in_logger_info() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def login(user, password):\n    logger.info(f\"pwd: {password}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Expected a finding for f-string log of `password`"
        );
    }

    #[test]
    fn test_skips_string_literal_only_message() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def boot():\n    logger.error(\"Using credentials from ~/.config/app\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            findings.is_empty(),
            "Static descriptive message should not trigger; got: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    #[test]
    fn test_skips_password_reset_keyword() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def notify(user):\n    logger.info(\"Password reset email sent\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            findings.is_empty(),
            "`password reset` skip-word should suppress; got: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    /// JS template literal with interpolated `apiKey`. The line scanner
    /// could not distinguish the interpolation from the surrounding
    /// literal text; the AST inspects each `template_substitution`
    /// expression directly.
    #[test]
    fn test_detects_js_template_literal_with_interpolated_secret() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.js",
                "function debug(apiKey) {\n    console.log(`API key is ${apiKey}`);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Interpolated apiKey in template literal should fire"
        );
    }

    #[test]
    fn test_categorize_correctly_when_multiple_credential_words() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.js",
                "function fail(apiKey) {\n    console.error(\"auth_token failure for api_key:\", apiKey);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Expected at least one finding for multi-keyword log"
        );
        let title_blob = findings
            .iter()
            .map(|f| f.title.to_lowercase())
            .collect::<Vec<_>>()
            .join(" | ");
        assert!(
            title_blob.contains("token")
                || title_blob.contains("key")
                || title_blob.contains("password")
                || title_blob.contains("secret")
                || title_blob.contains("credential"),
            "Title should reference some credential word; got: {}",
            title_blob
        );
    }

    /// `logger.info(getPassword())`: `getPassword` is a function call,
    /// not a variable. The AST distinguishes them; the line scanner
    /// could not.
    #[test]
    fn test_skips_when_credential_word_is_a_function_name() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.js",
                "function start() {\n    logger.info(getPassword());\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            findings.is_empty(),
            "Bare getPassword() call should not be treated as a credential log; got: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    #[test]
    fn test_severity_critical_in_auth_function() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def login(user, password):\n    logger.info(f\"login with {password}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(!findings.is_empty(), "Expected a finding inside login()");
        let max_sev = findings
            .iter()
            .map(|f| f.severity)
            .max_by_key(|s| match s {
                Severity::Critical => 4,
                Severity::High => 3,
                Severity::Medium => 2,
                Severity::Low => 1,
                _ => 0,
            })
            .expect("at least one finding");
        assert!(
            matches!(max_sev, Severity::Critical | Severity::High),
            "Severity should be Critical (auth context) or at least High; got {:?}",
            max_sev
        );
    }

    #[test]
    fn test_does_not_double_count_password_kwargs() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def go(user):\n    logger.info(\"login\", password=user.password)\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert_eq!(
            findings.len(),
            1,
            "Expected exactly 1 finding for kwarg-form credential log; got {}: {:?}",
            findings.len(),
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    #[test]
    fn test_audit_repro_password_in_unrelated_string() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.js",
                "function save() {\n    console.log(\"Saved to /etc/password.conf\");\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            findings.is_empty(),
            "Path-like literal containing `password` should not fire; got: {:?}",
            findings.iter().map(|f| &f.title).collect::<Vec<_>>()
        );
    }

    // -----------------------------------------------------------------
    // Audit fix regression tests.
    //
    // Each test below pins down one finding from the
    // CleartextCredentialsDetector self-audit. Test names map directly
    // to the audit finding identifiers (B1-B12) plus the Tier 2
    // coverage gaps. See `/tmp/cleartext_audit_report.md` for context.
    // -----------------------------------------------------------------

    /// **Audit B1**: tree-sitter-c-sharp uses `invocation_expression`,
    /// `member_access_expression { expression, name }`, and an
    /// `argument` wrapper — none of which were wired in commit 4c656b2f.
    /// Every C# log call was silently dropped.
    #[test]
    fn test_csharp_ilogger_extension_method_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.cs",
                "class C { void M(string password) { _logger.LogInformation($\"login with password: {password}\"); } }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C# `_logger.LogInformation` with interpolated password should fire"
        );
    }

    #[test]
    fn test_csharp_logerror_with_identifier_arg() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.cs",
                "class C { void M(string password) { _logger.LogError(password); } }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C# `_logger.LogError(password)` should fire"
        );
    }

    /// **Audit B2 (Python)**: `self.logger.info(...)` — receiver chain
    /// `self.logger` was previously lower-cased to `"self.logger"` and
    /// looked up in a flat object set. Fix: use the LAST segment of the
    /// receiver chain. See `receiver_chain_label`.
    #[test]
    fn test_python_self_logger_member_chain_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "class C:\n    def m(self, password):\n        self.logger.info(f\"login {password}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Python `self.logger.info(...)` member chain should fire"
        );
    }

    /// **Audit B2 (JS)**: `this.logger.info(...)` — same root cause.
    #[test]
    fn test_js_this_logger_member_chain_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.js",
                "class C { m(password){ this.logger.info(`login ${password}`); } }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "JS `this.logger.info(...)` member chain should fire"
        );
    }

    /// Underscore-prefixed `_logger` (ASP.NET / ESLint convention).
    #[test]
    fn test_python_self_underscore_logger_member_chain_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "class C:\n    def m(self, password):\n        self._logger.info(f\"login {password}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Python `self._logger.info(...)` should fire (underscore-prefixed)"
        );
    }

    /// **Audit B3**: legacy line-path template-literal tracker had a
    /// tautological condition (`bytes[i] == b'$'` inside a branch that
    /// already proved `bytes[i] == b'{'`), so `${...}` interpolation
    /// detection was unreachable. Kotlin/Swift template-string `${pw}`
    /// would be (incorrectly) treated as inside a static literal and
    /// the finding suppressed.
    ///
    /// `.kt` is line-path (no AST grammar in our dispatch list). The
    /// Kotlin call here uses `${password}` interpolation; the AST path
    /// would never reach this, but the line path's `is_false_positive`
    /// SHOULD now correctly recognise the interpolation and let the
    /// finding through.
    #[test]
    fn test_line_path_kotlin_template_literal_dollar_brace_does_not_suppress() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.kt",
                "fun login(password: String) { logger.error(\"login with password: ${password}\") }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Kotlin template-string `${{password}}` should NOT be suppressed by `credential_only_in_string_literal`"
        );
    }

    /// **Audit B4**: pre-filter `HAS_SECRET_PATTERN` previously did not
    /// include `passwd`/`pwd`/`apikey`/`credential`, so files whose only
    /// credential reference used those forms would be gated out before
    /// the AST scan ran. The fix is in `detector_context.rs`. Here we
    /// directly verify the AST scan succeeds on a file containing only
    /// `pwd` — whether the gate is short-circuited depends on the test
    /// harness; the detector should fire when `detect()` is reached.
    #[test]
    fn test_pre_filter_admits_pwd_only_file() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def f(pwd):\n    logger.info(f\"login: {pwd}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Pre-filter must admit files containing only `pwd`; AST should fire"
        );
    }

    #[test]
    fn test_pre_filter_admits_apikey_only_file() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def f(apikey):\n    logger.info(f\"key: {apikey}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Pre-filter must admit files containing only `apikey` (no underscore)"
        );
    }

    #[test]
    fn test_pre_filter_admits_credential_only_file() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "def f(credential):\n    logger.info(f\"creds: {credential}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Pre-filter must admit files containing only `credential`"
        );
    }

    /// Direct content-flag verification: a file containing ONLY
    /// `passwd`/`pwd`/`apikey`/`credential` and no `password`/`secret`/
    /// `api_key`/`token`/`private_key` must set HAS_SECRET_PATTERN.
    #[test]
    fn test_content_flags_has_secret_pattern_for_audit_b4_keywords() {
        use crate::detectors::detector_context::{compute_content_flags, ContentFlags};
        for kw in ["passwd", "pwd", "apikey", "credential"] {
            let flags = compute_content_flags(&format!("let {} = 1;", kw));
            assert!(
                flags.has(ContentFlags::HAS_SECRET_PATTERN),
                "ContentFlags should set HAS_SECRET_PATTERN for keyword `{}`",
                kw
            );
        }
    }

    /// **Audit B5 (positional)**: `println!("{}", password)` — the
    /// password is a separate positional argument. This already worked
    /// (token_tree contains the identifier as a named child) but was
    /// not asserted as a regression test.
    #[test]
    fn test_rust_println_positional_password_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.rs",
                "fn f(password: &str){ println!(\"login: {}\", password); }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Rust positional `println!(\"{{}}\", password)` should fire"
        );
    }

    /// **Audit B5 (capture)**: `println!("{password}")` — the password
    /// is captured INSIDE the format string. tree-sitter-rust 0.24 does
    /// not parse capture syntax; the format-string regex fallback in
    /// `walk_rust_format_captures` handles it.
    #[test]
    fn test_rust_println_captured_identifier_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.rs",
                "fn f(password: &str){ println!(\"login: {password}\"); }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Rust captured-identifier `println!(\"{{password}}\")` should fire"
        );
    }

    // -----------------------------------------------------------------
    // Tier 2 coverage gap regression tests.
    // -----------------------------------------------------------------

    /// **Tier 2 (Python)**: `loguru.logger.info(...)` — member-of-member.
    #[test]
    fn test_python_loguru_logger_member_chain_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.py",
                "from loguru import logger\ndef f(password):\n    loguru.logger.info(f\"login {password}\")\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Python `loguru.logger.info(...)` should fire"
        );
    }

    /// **Tier 2 (Rust)**: `dbg!(password)`.
    #[test]
    fn test_rust_dbg_macro_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![("app.rs", "fn f(password: &str){ dbg!(password); }\n")],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(!findings.is_empty(), "Rust `dbg!(password)` should fire");
    }

    /// **Tier 2 (Go)**: `fmt.Errorf` family.
    #[test]
    fn test_go_fmt_errorf_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.go",
                "package main\nfunc f(password string){ fmt.Errorf(\"auth failed: %v\", password) }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Go `fmt.Errorf(\"...\", password)` should fire"
        );
    }

    /// **Tier 2 (Go)**: user-defined logger receivers ending in `Logger`.
    #[test]
    fn test_go_user_defined_logger_receiver_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.go",
                "package main\nfunc f(password string){ myLogger.Info(password) }\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "Go `myLogger.Info(password)` (user-defined receiver) should fire"
        );
    }

    /// **Tier 2 (C#)**: every standard `Microsoft.Extensions.Logging`
    /// extension method.
    #[test]
    fn test_csharp_all_log_extension_methods_detected() {
        for method in [
            "LogTrace",
            "LogDebug",
            "LogInformation",
            "LogWarning",
            "LogError",
            "LogCritical",
        ] {
            let store = GraphBuilder::new().freeze();
            let detector = CleartextCredentialsDetector::new("/mock/repo");
            let src = format!(
                "class C {{ void M(string password) {{ _logger.{}(password); }} }}\n",
                method
            );
            let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
                &store,
                vec![("app.cs", src.as_str())],
            );
            let findings = detector.detect(&ctx).expect("detection should succeed");
            assert!(
                !findings.is_empty(),
                "C# `_logger.{}(password)` should fire",
                method
            );
        }
    }

    /// **Tier 2 (C)**: `printf(fmt, password)` — variadic. Audit Tier 2
    /// wires C/C++ logging detection that was deferred from
    /// commit 4c656b2f.
    #[test]
    fn test_c_printf_password_argument_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.c",
                "#include <stdio.h>\nvoid f(const char* password) {\n    printf(\"login: %s\\n\", password);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C `printf(\"%s\", password)` should fire"
        );
    }

    /// **Tier 2 (C)**: `fprintf(stream, fmt, password)` — second arg
    /// onward is variadic.
    #[test]
    fn test_c_fprintf_password_argument_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.c",
                "#include <stdio.h>\nvoid f(const char* password) {\n    fprintf(stderr, \"x%s\", password);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C `fprintf(stderr, \"%s\", password)` should fire"
        );
    }

    /// **Tier 2 (C)**: `syslog(priority, fmt, password)`.
    #[test]
    fn test_c_syslog_password_argument_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.c",
                "#include <syslog.h>\nvoid f(const char* password) {\n    syslog(0, \"x%s\", password);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C `syslog(LOG_INFO, \"%s\", password)` should fire"
        );
    }

    /// **Tier 2 (C++)**: same `call_expression` shape as C.
    #[test]
    fn test_cpp_printf_password_argument_detected() {
        let store = GraphBuilder::new().freeze();
        let detector = CleartextCredentialsDetector::new("/mock/repo");
        let ctx = crate::detectors::analysis_context::AnalysisContext::test_with_mock_files(
            &store,
            vec![(
                "app.cpp",
                "#include <cstdio>\nvoid f(const char* password) {\n    printf(\"login: %s\\n\", password);\n}\n",
            )],
        );
        let findings = detector.detect(&ctx).expect("detection should succeed");
        assert!(
            !findings.is_empty(),
            "C++ `printf(\"%s\", password)` should fire"
        );
    }

    /// **Audit B11**: `categorize_credential_line` and
    /// `categorize_credential_name` were duplicate state with subtle
    /// divergences. The line path now extracts the matched keyword via
    /// `CRED_NAME_REGEX` and delegates to `categorize_credential_name`,
    /// so a `pwd` reference on the line path categorises as Password
    /// (previously: "Sensitive Data" because the line-path table
    /// didn't include `pwd`).
    #[test]
    fn test_line_path_categorize_pwd_returns_password() {
        let (cat, _) = super::categorize_credential_line("logger.info(pwd)");
        assert_eq!(
            cat, "Password",
            "Line-path categorise of `pwd` should match AST-path category"
        );
    }
}