Module security 

Security engine — a deterministic candidate producer (bandit-style). It emits syntactic candidates; it never decides exploitability (the candidate/verifier split — RESEARCH.md §2.11). Maps parser SecurityHits to findings with per-rule confidence.

Functions

analyze

analyze_parsed

Security findings for a single parsed module (also used by the live LSP path).