Expand description
Module extraction types: exports, imports, re-exports, and member info. Module extraction types.
Structs§
- Class
Heritage Info - Additional heritage metadata for an exported class.
- Complexity
Contribution - A single complexity increment, located at its source line/column.
- Dynamic
Import Info - A dynamic
import()call. - Dynamic
Import Pattern - A dynamic import with a partially resolved pattern.
- Export
Info - An export declaration.
- FlagUse
- A feature flag use site.
- Function
Complexity - Complexity metrics for a single function/method/arrow.
- Import
Info - An import declaration.
- Local
Type Declaration - A module-scope declaration that can be used as a TypeScript type.
- Member
Access - A static member access expression (e.g.,
Status.Active,MyClass.create()). - Member
Info - A member of an enum, class, or namespace.
- Module
Info - Extracted module information from a single file.
- Namespace
Object Alias - One alias entry tying an exported object’s dotted property path to a namespace import.
- Parse
Result - Result of parsing all files, including incremental cache statistics.
- Public
Signature Type Reference - A reference from an exported symbol’s public signature to a type name.
- ReExport
Info - A re-export declaration.
- Require
Call Info - A
require()call. - Sanitized
Sink Arg - A captured sink argument that is itself a recognized sanitizer call.
- Security
Control Site - A known defensive control call site.
- Sink
Object Property - Static object-literal property metadata attached to a captured sink argument. Nested object paths are flattened with dot-separated keys.
- Sink
Site - A captured sink site. The visitor records every existing non-literal call / member-assign / member-call / tagged-template / jsx-attr sink site, and a small allowlist of literal-aware sites where the literal value is the signal. It knows nothing about CWE categories.
- Tainted
Binding - A local binding tied to the flattened member-access path it was initialized
from. The analyze layer matches
source_pathagainst the data-driven source catalogue; when it matches,localis treated as carrying untrusted input.
Enums§
- Complexity
Contribution Kind - The syntactic construct that produced a single complexity increment.
- Complexity
Metric - Which complexity metric a
ComplexityContributionadds to. - Export
Name - Export identifier.
- Flag
UseKind - The kind of feature flag pattern detected.
- Imported
Name - How a symbol is imported.
- Member
Kind - The kind of member.
- Sanitizer
Scope - Sanitizer output domain. Kept intentionally narrow so a sanitizer for one domain cannot suppress a different sink family.
- Security
Control Kind - Defensive control family detected on a source to sink path.
- Sink
ArgKind - The shape of the argument captured at a sink site. Category-blind like
SinkShape, but finer-grained: it lets the catalogue matcher require or exclude specific argument shapes. The discriminator is what distinguishes an unsafe SQL string concatenation or template-into-.execute()from a safely-parameterizedsql`${x}`tagged template, an object-literal.execute({ sql, args })argument, or a literal-aware sink argument. - Sink
Literal Value - Literal values attached to literal-aware security sink captures.
- Sink
Shape - The syntactic shape of a captured security sink site. Category-blind: the
extractor records the shape and the dotted/bare callee path; the analyze
layer matches it against the data-driven catalogue. See
crates/core/data/security_matchers.toml. - Visibility
Tag - Visibility tag from JSDoc/TSDoc comments that suppresses unused-export detection.
Constants§
- PUBLIC_
ENV_ EXACT - Exact env var names that are public by convention (no prefix).
- PUBLIC_
ENV_ PREFIXES - Env var-name prefixes that frameworks inline into the client bundle by
convention. A read of one of these is normal and safe, so it does NOT count
as a secret source (issue #890). Shared by the extract layer (so public env
vars never become source signals) and the bespoke
client-server-leakrule.
Functions§
- byte_
offset_ to_ line_ col - Convert a byte offset to a 1-based line number and 0-based byte column.
- compute_
line_ offsets - Compute a table of line-start byte offsets from source text.
- is_
public_ env_ path - Whether a flattened member path is a PUBLIC env-secret read
(
process.env.NEXT_PUBLIC_X,import.meta.env.VITE_Y), which must not be recorded as a secret source. Non-env paths (req.query.id) are never public. - is_
public_ env_ var - Whether an env var name is public-by-convention (build-inlined into the client bundle), and therefore not a secret.