Release v0.30.0 (#1338)

* Release v0.30.0

* fix(scripts): satisfy ameba lint, formatter, and typos check

- Use max_of / compact_map per ameba SimilarSyntax rule
- Apply crystal tool format alignment to constants
- Rephrase changelog entry to avoid LEAFS spelling trigger

* feat(ai): add latest provider models and bump doc recommendations

Token limits:
- OpenAI: gpt-5.4, gpt-5.5 (and -mini / -codex-max variants)
- Anthropic: claude-sonnet-4-6, claude-opus-4-6, claude-opus-4-7
- xAI: grok-4.20, grok-4.20-fast
- Azure: gpt-5.4 / gpt-5.5 mirrored
- Google: gemini-2.5-flash, gemini-3-pro, gemini-3-flash
- Ollama: qwen3, qwen3-coder, deepseek-v3, deepseek-r1

Docs / examples now recommend gpt-5.5 (was gpt-5.4) and
claude-opus-4-7 in OpenRouter examples.

* feat(ai): add deepseek-v4 to ollama token limits

* feat(ai): add grok-4.30 to xai token limits and bump xai docs

* fix(ai): correct model IDs verified against provider docs

OpenAI (developers.openai.com):
- Drop fabricated gpt-5.4-codex-max, gpt-5.5-mini, gpt-5.5-codex-max
- Add gpt-5-pro, gpt-5-nano, gpt-5-codex, gpt-5.4-pro, gpt-5.4-nano,
  gpt-5.5-pro, gpt-5.1-codex, gpt-5.1-codex-mini, gpt-5.2-codex, gpt-5.3-codex

xAI (docs.x.ai):
- Drop grok-4.30 (real model is grok-4.3) and unsubstantiated *-fast variants
- Add grok-4.3 and grok-4.1-fast (the documented fast variant)
- Bump xai docs from grok-4.30 to grok-4.3

Google (ai.google.dev):
- gemini-3-pro-preview is deprecated; alias to gemini-3.1-pro-preview
- Use documented -preview suffix for gemini-3-flash-preview
- Add gemini-3.1-flash-lite-preview and gemini-2.5-flash-lite

Ollama (ollama.com/library):
- deepseek-v4 ships as deepseek-v4-pro and deepseek-v4-flash (1M ctx)
- Add deepseek-v3.1, deepseek-v3.2 variants

* feat(banner): refresh ASCII banner with NOIR wordmark and side info

Replace the small block-letter banner with a wider NOIR wordmark and
move the version + tagline to the right of the art.

Drop the duplicate tagline from base_help so --help no longer prints
"Hunt every Endpoint..." twice in a row.

Author: hahwul

CHANGELOG.md

@@ -2,6 +2,58 @@
 
 All notable changes to [Noir](https://github.com/owasp-noir/noir) will be documented in this file.
 
+## v0.30.0
+
+### Added
+- Tree-sitter foundation: vendored grammars for Java, Kotlin, JavaScript, and Python
+- Tree-sitter Query API for declarative detectors
+- ImportGraph module: unified Java/Kotlin cross-file resolution, relative-import support, Python half
+- 30+ new framework analyzers:
+  - Java/Kotlin: JAX-RS, Quarkus, Dropwizard, Micronaut, Javalin, Spark Java, http4k, Kotlin Gateway
+  - Node.js/JS/TS: Next.js, Hapi, Astro, SvelteKit, Remix, Fresh, Elysia, AdonisJS
+  - Python: Bottle, Falcon, Starlette, aiohttp, Pyramid, Litestar
+  - Ruby: Roda, Grape
+  - PHP: Slim, Yii2, CodeIgniter
+  - Go: Iris, Hertz
+  - Rust: Poem
+  - C++: Crow, Drogon
+  - Dart: Dart Frog
+- MCP endpoint tagger
+- `--exclude-path` flag to filter files by glob
+- Crystal 1.20 support
+- RPM, DEB, APK, and AUR package release workflows
+- Shared engine base classes for PHP, Ruby, Rust, Elixir, Swift, Crystal, Scala, JavaScript, Python, and Go analyzers
+- Analyzer architecture documentation
+
+### Changed
+- Migrated Spring, Armeria, Ktor, and Flask analyzers to tree-sitter; retired legacy Java/Kotlin miniparser/minilexer
+- Migrated Python and Go route extraction to tree-sitter
+- Switched builder to official `crystallang/crystal` (Alpine) image
+- Consolidated duplicate `Endpoint` initializers
+- AI provider docs and Ollama model token map updates (gemma3/4, llama4, phi4)
+
+### Performance
+- Cached file contents in `CodeLocator` for analyzer reuse
+- Parse-once Spring/Kotlin extractors with shared DTO sibling cache
+- Skip already-matched detectors in the per-file detect loop
+- Pruned ignored directories at walk time and deduped media stats
+- Passive scan early-out per matcher
+- Migrated unified_ai, example, fasthttp, phoenix, and Python analyzers to `file_map`
+- Skip non-`.rb` files in Sinatra analyzer
+
+### Fixed
+- Bounded recursion depth in tree-walker extractors (security)
+- Added boundary check to `ImportGraph.resolve_relative_import` (security)
+- Express config-array mount pattern resolution
+- JS miniparser: reject bare-identifier routes from `Promise.all`, accept wildcard/bare param routes
+- Go miniparser: accept grouped routes without leading slash, guarantee separator on single-match group prefix
+- OAS2 analyzer: merged duplicate form/formData branches and corrected `form` → `json` param-type mapping
+- Non-deterministic endpoint dedup in Nitro and Nuxt.js analyzers
+- Elevated regex compile failures from debug to warn in passive scan
+- GraphQL analyzer now uses `Log.debug` instead of `STDERR.puts`
+- Warn when falling back to default `max_tokens` for unknown models
+- Corrected `SKIPPED_LEAVES` constant spelling in Fresh analyzer
+
 ## v0.29.1
 
 ### Added

Dockerfile

@@ -11,7 +11,7 @@ RUN apk add --no-cache yaml-dev zstd-dev && \
 ##= RUNNER =##
 FROM debian:13-slim
 LABEL org.opencontainers.image.title="OWASP Noir"
-LABEL org.opencontainers.image.version="0.29.1"
+LABEL org.opencontainers.image.version="0.30.0"
 LABEL org.opencontainers.image.description="Hunt every Endpoint in your code, expose Shadow APIs, map the Attack Surface."
 LABEL org.opencontainers.image.authors="Noir Team (@hahwul, @ksg97031)"
 LABEL org.opencontainers.image.source=https://github.com/owasp-noir/noir

aur/PKGBUILD

@@ -1,6 +1,6 @@
 # Maintainer: HAHWUL <hahwul@gmail.com>
 pkgname=noir
-pkgver=0.29.1
+pkgver=0.30.0
 pkgrel=1
 pkgdesc="Attack surface detector that identifies endpoints by static analysis."
 arch=('x86_64')

docs/content/_index.ko.md

@@ -7,7 +7,7 @@ template = "landing"
   <div class="hero-split">
     <div class="hero-text">
       <div class="hero-eyebrow">
-        <span class="hero-badge">v0.29.1</span>
+        <span class="hero-badge">v0.30.0</span>
         <span class="hero-badge hero-badge-owasp">OWASP Project</span>
       </div>
       <h1 class="hero-title">

docs/content/_index.md

@@ -7,7 +7,7 @@ template = "landing"
   <div class="hero-split">
     <div class="hero-text">
       <div class="hero-eyebrow">
-        <span class="hero-badge">v0.29.1</span>
+        <span class="hero-badge">v0.30.0</span>
         <span class="hero-badge hero-badge-owasp">OWASP Project</span>
       </div>
       <h1 class="hero-title">

docs/content/development/how_to_release/index.ko.md

@@ -45,7 +45,7 @@ sort_by = "weight"
 
     ```bash
     brew bump-formula-pr --strict --version <VERSION> noir
-    # 예: brew bump-formula-pr --strict --version 0.29.1 noir
+    # 예: brew bump-formula-pr --strict --version 0.30.0 noir
     ```
 
 3.  **스타일 확인** (선택사항):

docs/content/development/how_to_release/index.md

@@ -45,7 +45,7 @@ Submit a PR to `homebrew-core`:
 
     ```bash
     brew bump-formula-pr --strict --version <VERSION> noir
-    # Example: brew bump-formula-pr --strict --version 0.29.1 noir
+    # Example: brew bump-formula-pr --strict --version 0.30.0 noir
     ```
 
 3.  **Style Check** (Optional):

docs/content/get_started/ai_power/index.ko.md

@@ -15,7 +15,7 @@ Noir를 대규모 언어 모델(LLM, 클라우드/로컬/ACP 에이전트)에 
 OpenAI로 스캔:
 
 ```bash
-noir -b . --ai-provider openai --ai-model gpt-5.4 --ai-key $OPENAI_API_KEY
+noir -b . --ai-provider openai --ai-model gpt-5.5 --ai-key $OPENAI_API_KEY
 ```
 
 로컬 Ollama로 스캔 (API 키 불필요):
@@ -49,7 +49,7 @@ noir -b . --ai-provider acp:codex
 | 플래그 | 설명 |
 |---|---|
 | `--ai-provider` | 제공업체 접두사 (예: `openai`, `ollama`, `acp:codex`) 또는 사용자 정의 API URL |
-| `--ai-model` | 모델 이름 (예: `gpt-5.4`), `acp:*`에서는 선택 사항 |
+| `--ai-model` | 모델 이름 (예: `gpt-5.5`), `acp:*`에서는 선택 사항 |
 | `--ai-key` | API 키 (`NOIR_AI_KEY` 환경 변수로도 설정 가능) |
 | `--ai-agent` | 에이전트 기반 AI 워크플로우 활성화 (반복적 도구 호출 루프) |
 | `--ai-agent-max-steps` | AI 에이전트 루프 최대 단계 수 (기본값: `20`) |

docs/content/get_started/ai_power/index.md

@@ -15,7 +15,7 @@ Connect Noir to Large Language Models (cloud-based, local, or ACP agent-based) f
 Scan with OpenAI:
 
 ```bash
-noir -b . --ai-provider openai --ai-model gpt-5.4 --ai-key $OPENAI_API_KEY
+noir -b . --ai-provider openai --ai-model gpt-5.5 --ai-key $OPENAI_API_KEY
 ```
 
 Scan with local Ollama (no API key needed):
@@ -49,7 +49,7 @@ noir -b . --ai-provider acp:codex
 | Flag | Description |
 |---|---|
 | `--ai-provider` | Provider prefix (e.g., `openai`, `ollama`, `acp:codex`) or custom API URL |
-| `--ai-model` | Model name (e.g., `gpt-5.4`), optional for `acp:*` |
+| `--ai-model` | Model name (e.g., `gpt-5.5`), optional for `acp:*` |
 | `--ai-key` | API key (or use `NOIR_AI_KEY` env var) |
 | `--ai-agent` | Enable agentic AI workflow (iterative tool-calling loop) |
 | `--ai-agent-max-steps` | Max steps for AI agent loop (default: `20`) |

docs/content/usage/ai_providers/github_marketplace/index.ko.md

@@ -20,7 +20,7 @@ sort_by = "weight"
 ```bash
 noir -b ./spec/functional_test/fixtures/hahwul \
      --ai-provider=github \
-     --ai-model=gpt-5.4 \
+     --ai-model=gpt-5.5 \
      --ai-key=github_pat_...
 ```
 
@@ -29,6 +29,6 @@ noir -b ./spec/functional_test/fixtures/hahwul \
 ```bash
 noir -b ./spec/functional_test/fixtures/hahwul \
      --ai-provider=azure \
-     --ai-model=gpt-5.4 \
+     --ai-model=gpt-5.5 \
      --ai-key=github_pat_...
 ```