@archrad/deterministic 0.1.1 → 0.1.3

package/CHANGELOG.md

@@ -7,10 +7,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Added
+## [0.1.3] - 2026-04-04
+
+### Fixed
+
+- **CLI** (`validate`, `export`, `validate-drift`): a missing **`--ir`** file now reports **`archrad: --ir file not found: <path>`** instead of **`invalid JSON`**.
 
 ### Changed
 
+- **`IR-LINT-MISSING-AUTH-010`** — HTTP entry detection uses **`ParsedLintGraph.inDegree`** (same counts as `buildParsedLintGraph`) instead of a separate scan; reverse adjacency for auth-as-gateway only includes edges whose endpoints exist in **`nodeById`**.
+- **Docs:** README documents **OpenAPI security → IR → `IR-LINT-MISSING-AUTH-010`** for the spec-to-compliance workflow.
+- **`graphPredicates.ts`:** clarified comments for **`isHttpEndpointType`** vs **`isHttpLikeType`** (`graphql` vs `gateway` / `bff` / `grpc`).
+
+### Added
+
+- **Tests:** structural **`IR-STRUCT-HTTP_*`** coverage for **`graphql`** (validated) vs **`gateway`** (excluded); regression tests locking lint message substrings for **`IR-LINT-DEAD-NODE-011`**, **`IR-LINT-DIRECT-DB-ACCESS-002`**, **`IR-LINT-SYNC-CHAIN-001`** (terminal copy / Show HN).
+- **Fixture** **`fixtures/e2e-no-security-openapi.yaml`** (OpenAPI with **no** `security` / `securitySchemes`) + test asserting **`openApiStringToCanonicalIr` → `validateIrLint` → `IR-LINT-MISSING-AUTH-010`** — same pipeline as **`archrad ingest openapi`** + **`archrad validate`**.
+
+## [0.1.2] - 2026-03-28
+
+### Fixed
+
+- **`IR-STRUCT-HTTP_PATH` / `IR-STRUCT-HTTP_METHOD` false positives on `gateway`, `grpc`, `bff`** — structural validation previously used `isHttpLikeType` (correct for lint) for the url/method check. A `gateway` node with no `config.url` produced a spurious error; a `grpc` node with `config.method: "GetUser"` produced two. Introduced `isHttpEndpointType` (narrow: `http`, `https`, `rest`, `api`, `graphql`) for the structural check only. `isHttpLikeType` is unchanged for lint.
+- **`IR-STRUCT-CYCLE` path lost** — extracted `detectCycles(adj: Map<string, string[]>): string[] | null` from the inline `dfs` closure in `validateIrStructural`. Returns the full ordered cycle path; findings now read `Directed cycle detected: a → b → c → a`. Exported from package root.
+- **`IR-STRUCT-NODE_INVALID_CONFIG` (warning)** — `emptyRecord()` previously coerced `"config": ["wrong"]` or `"config": null` silently to `{}`. Structural validation now emits a warning when `config` is present but is not a plain object, including the actual type in the message.
+
+### Added
+
+- **`IR-LINT-MISSING-AUTH-010` (warning)** — fires on HTTP-like entry nodes (no incoming edges, including `gateway`, `bff`, `grpc`) with no auth coverage. A node is covered when: (1) an immediate outgoing neighbour is auth-like (`auth`, `middleware`, `oauth`, `jwt`, `saml`, `keycloak`, `okta`, `cognito`, `auth0`, `ldap`, `iam`, `sso`, etc.), (2) an auth-like node has a direct edge to the entry (auth-as-gateway pattern), or (3) `config` carries any of `auth`, `authRequired`, `authentication`, `authorization`, `security`. Explicit opt-out: `config.authRequired: false` for intentionally public endpoints (health, signup, public assets). Maps directly to PCI-DSS and HIPAA requirements.
+- **`IR-LINT-DEAD-NODE-011` (warning)** — fires on nodes with incoming edges but no outgoing edges that are not a recognised sink type (datastore-like, queue-like, or HTTP-like). HTTP nodes are excluded because they return responses to callers. Complements `IR-LINT-ISOLATED-NODE-005` which catches fully disconnected nodes.
+- **OpenAPI ingestion — security definitions** — `archrad ingest openapi` now extracts security scheme names into node config following OpenAPI 3.x precedence: global `doc.security` propagates to all operations as `config.security: ["SchemeName"]` (sorted); operation-level `security` overrides global; explicit `security: []` sets `config.authRequired: false`. Nodes with no security at either level produce no security config and are flagged by `IR-LINT-MISSING-AUTH-010` in CI.
+- **New predicate exports** — `isHttpEndpointType`, `isAuthLikeNodeType` added to `graphPredicates.ts` and exported from the package root alongside the existing predicates, for consumers building custom lint rules.
+- **`detectCycles` exported from package root** — useful for consumers building custom structural validators or tooling on top of the IR adjacency graph.
+
 ## [0.1.1] - 2026-03-28
 
 ### Added
@@ -59,6 +88,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Documented **codegen vs validation** for retry/timeout IR fields and **InkByte vs OSS** scope in README and structural/semantic doc.
 - README positioning: **deterministic compiler and linter for system architecture**; validation layers table (OSS vs Cloud); **`validate-drift`**, drift GIF / trust-loop recording docs, library **`runValidateDrift`** example.
 
-[Unreleased]: https://github.com/archradhq/arch-deterministic/compare/v0.1.1...HEAD
+[Unreleased]: https://github.com/archradhq/arch-deterministic/compare/v0.1.3...HEAD
+[0.1.3]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.3
+[0.1.2]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.2
 [0.1.1]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.1
 [0.1.0]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.0

package/README.md

@@ -105,6 +105,8 @@ archrad validate --ir ./graph.json
 archrad export --ir ./graph.json --target python --out ./out
 ```
 
+**OpenAPI security → IR → lint:** ingestion copies **global** and **per-operation** `security` requirement names onto each HTTP node as `config.security` (sorted, deterministic). An operation with explicit `security: []` becomes `config.authRequired: false` (intentionally public). If the spec declares **no** security at any level, nodes are left without those fields — then **`archrad validate`** can surface **`IR-LINT-MISSING-AUTH-010`** on HTTP-like entry nodes (compliance gap from the spec artifact alone).
+
 **YAML → JSON (lighter authoring):** edit **`fixtures/minimal-graph.yaml`** (or your own file) and compile to IR JSON, then validate or export:
 
 ```bash

package/dist/cli.js

@@ -21,6 +21,30 @@ async function writeTree(baseDir, files) {
         await writeFile(dest, content, 'utf8');
     }
 }
+/** Read and parse IR JSON; distinguish missing file from invalid JSON. */
+async function readIrJsonFromPath(irPath) {
+    let raw;
+    try {
+        raw = await readFile(irPath, 'utf8');
+    }
+    catch (e) {
+        const err = e;
+        if (err?.code === 'ENOENT') {
+            console.error(`archrad: --ir file not found: ${irPath}`);
+        }
+        else {
+            console.error(`archrad: could not read --ir file: ${irPath} (${err?.message ?? String(e)})`);
+        }
+        return null;
+    }
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        console.error('archrad: invalid JSON in --ir file');
+        return null;
+    }
+}
 function parseMaxWarnings(v) {
     if (v == null || v === '')
         return undefined;
@@ -48,12 +72,8 @@ program
     .option('--max-warnings <n>', 'Exit with error if warning count is greater than n (e.g. 0 allows no warnings)')
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
-    let ir;
-    try {
-        ir = JSON.parse(await readFile(irPath, 'utf8'));
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const ir = await readIrJsonFromPath(irPath);
+    if (ir == null) {
         process.exitCode = 1;
         return;
     }
@@ -182,16 +202,12 @@ program
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
     const outDir = resolve(cmdOpts.out);
-    const raw = await readFile(irPath, 'utf8');
-    let ir;
-    try {
-        ir = JSON.parse(raw);
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const parsed = await readIrJsonFromPath(irPath);
+    if (parsed == null) {
         process.exitCode = 1;
         return;
     }
+    const ir = parsed;
     const actualIR = ir.graph ? ir : { graph: ir };
     const hostPort = normalizeGoldenHostPort(cmdOpts.hostPort ?? process.env.ARCHRAD_HOST_PORT);
     if (!cmdOpts.skipHostPortCheck) {
@@ -266,15 +282,12 @@ program
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
     const outDir = resolve(cmdOpts.out);
-    let ir;
-    try {
-        ir = JSON.parse(await readFile(irPath, 'utf8'));
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const parsed = await readIrJsonFromPath(irPath);
+    if (parsed == null) {
         process.exitCode = 1;
         return;
     }
+    const ir = parsed;
     const actualIR = ir.graph ? ir : { graph: ir };
     const hostPort = normalizeGoldenHostPort(cmdOpts.hostPort ?? process.env.ARCHRAD_HOST_PORT);
     if (!cmdOpts.skipHostPortCheck) {

package/dist/graphPredicates.d.ts

@@ -1,10 +1,28 @@
 /**
  * Shared graph predicates for structural validation and architecture lint (no imports from lint-graph / ir-structural).
  */
-/** Node types treated as HTTP-like for path/method checks and lint (aligned structural + IR-LINT). */
+/**
+ * Narrow predicate: node types that carry a single HTTP endpoint (`config.url` + HTTP method).
+ * Used by **structural validation** for `IR-STRUCT-HTTP_PATH` / `IR-STRUCT-HTTP_METHOD` checks.
+ * **`http` / `https` / `rest` / `api` / `graphql`** share this contract in the IR (GraphQL is one route + method in the IR model).
+ * **`gateway`**, **`grpc`**, and **`bff`** are intentionally **excluded** — they use different config shapes
+ * (upstream routing, proto service/method, multi-route aggregation) and must not be required
+ * to supply a REST-style `url` + HTTP method; they remain **`isHttpLikeType`** for lint (entries, health, sync chain, etc.).
+ */
+export declare function isHttpEndpointType(t: string): boolean;
+/**
+ * Broad predicate: all HTTP-like node types for lint purposes (healthcheck detection,
+ * sync-chain analysis, missing-name checks, multiple-entry detection).
+ * Superset of `isHttpEndpointType`.
+ */
 export declare function isHttpLikeType(t: string): boolean;
 /** Datastore-like (unchanged semantics; kept adjacent for docs). */
 export declare function isDbLikeType(t: string): boolean;
+/**
+ * Auth-like node types: dedicated identity/auth/middleware nodes.
+ * Used by IR-LINT-MISSING-AUTH-010 to detect HTTP entry nodes with no auth coverage.
+ */
+export declare function isAuthLikeNodeType(t: string): boolean;
 /** Queue / topic / stream node types → treat incoming edges as async boundaries when edge metadata is absent. */
 export declare function isQueueLikeNodeType(t: string): boolean;
 //# sourceMappingURL=graphPredicates.d.ts.map

package/dist/graphPredicates.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphPredicates.d.ts","sourceRoot":"","sources":["../src/graphPredicates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,sGAAsG;AACtG,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAQjD;AAED,oEAAoE;AACpE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAM/C;AAED,iHAAiH;AACjH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAStD"}
+{"version":3,"file":"graphPredicates.d.ts","sourceRoot":"","sources":["../src/graphPredicates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAQjD;AAED,oEAAoE;AACpE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAM/C;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CASrD;AAED,iHAAiH;AACjH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAStD"}

package/dist/graphPredicates.js

@@ -1,16 +1,36 @@
 /**
  * Shared graph predicates for structural validation and architecture lint (no imports from lint-graph / ir-structural).
  */
-/** Node types treated as HTTP-like for path/method checks and lint (aligned structural + IR-LINT). */
+/**
+ * Narrow predicate: node types that carry a single HTTP endpoint (`config.url` + HTTP method).
+ * Used by **structural validation** for `IR-STRUCT-HTTP_PATH` / `IR-STRUCT-HTTP_METHOD` checks.
+ * **`http` / `https` / `rest` / `api` / `graphql`** share this contract in the IR (GraphQL is one route + method in the IR model).
+ * **`gateway`**, **`grpc`**, and **`bff`** are intentionally **excluded** — they use different config shapes
+ * (upstream routing, proto service/method, multi-route aggregation) and must not be required
+ * to supply a REST-style `url` + HTTP method; they remain **`isHttpLikeType`** for lint (entries, health, sync chain, etc.).
+ */
+export function isHttpEndpointType(t) {
+    const s = String(t ?? '')
+        .trim()
+        .toLowerCase();
+    if (!s)
+        return false;
+    return s === 'http' || s === 'https' || s === 'rest' || s === 'api' || s === 'graphql';
+}
+/**
+ * Broad predicate: all HTTP-like node types for lint purposes (healthcheck detection,
+ * sync-chain analysis, missing-name checks, multiple-entry detection).
+ * Superset of `isHttpEndpointType`.
+ */
 export function isHttpLikeType(t) {
     const s = String(t ?? '')
         .trim()
         .toLowerCase();
     if (!s)
         return false;
-    if (s === 'http' || s === 'https' || s === 'rest' || s === 'api')
+    if (isHttpEndpointType(s))
         return true;
-    if (s === 'gateway' || s === 'bff' || s === 'graphql' || s === 'grpc')
+    if (s === 'gateway' || s === 'bff' || s === 'grpc')
         return true;
     return /\b(api|gateway|bff|graphql|grpc)\b/.test(s);
 }
@@ -21,6 +41,19 @@ export function isDbLikeType(t) {
     return (/\b(db|database|datastore)\b/.test(t) ||
         /postgres|mongodb|mysql|sqlite|redis|cassandra|dynamo|sql|nosql|warehouse|s3/.test(t));
 }
+/**
+ * Auth-like node types: dedicated identity/auth/middleware nodes.
+ * Used by IR-LINT-MISSING-AUTH-010 to detect HTTP entry nodes with no auth coverage.
+ */
+export function isAuthLikeNodeType(t) {
+    const s = String(t ?? '')
+        .trim()
+        .toLowerCase();
+    if (!s)
+        return false;
+    return (/\b(auth|authentication|authorization|middleware|security|iam|idp|identity)\b/.test(s) ||
+        /oauth|jwt|saml|keycloak|okta|cognito|auth0|ldap|sso/.test(s));
+}
 /** Queue / topic / stream node types → treat incoming edges as async boundaries when edge metadata is absent. */
 export function isQueueLikeNodeType(t) {
     const s = String(t ?? '')

package/dist/index.d.ts

@@ -10,12 +10,12 @@ export { default as generatePythonFastAPIFiles } from './pythonFastAPI.js';
 export { default as generateNodeExpressFiles } from './nodeExpress.js';
 export { runDeterministicExport, type DeterministicExportResult } from './exportPipeline.js';
 export { diffExpectedExportAgainstFiles, diffExpectedExportAgainstDirectory, readDirectoryAsExportMap, runValidateDrift, runDriftCheckAgainstFiles, normalizeExportFileContent, type DriftFinding, type DriftCode, type ValidateDriftResult, type DriftCheckFilesResult, } from './validate-drift.js';
-export { normalizeIrGraph, validateIrStructural, hasIrStructuralErrors, type IrStructuralFinding, type IrStructuralSeverity, type IrFindingLayer, } from './ir-structural.js';
+export { normalizeIrGraph, validateIrStructural, hasIrStructuralErrors, detectCycles, type IrStructuralFinding, type IrStructuralSeverity, type IrFindingLayer, } from './ir-structural.js';
 export { materializeNormalizedGraph, normalizeNodeSlot, normalizeEdgeSlot, type NormalizedGraph, type NormalizedNode, type NormalizedEdge, type MaterializeResult, } from './ir-normalize.js';
 export { validateIrLint } from './ir-lint.js';
 export { runArchitectureLinting, LINT_RULE_REGISTRY } from './lint-rules.js';
 export { buildParsedLintGraph, isParsedLintGraph, type ParsedLintGraph, type BuildParsedLintGraphResult, } from './lint-graph.js';
-export { isHttpLikeType, isDbLikeType, isQueueLikeNodeType } from './graphPredicates.js';
+export { isHttpLikeType, isHttpEndpointType, isDbLikeType, isQueueLikeNodeType, isAuthLikeNodeType } from './graphPredicates.js';
 export { sortFindings, shouldFailFromFindings, type ValidationExitPolicy } from './cli-findings.js';
 export { parseYamlToCanonicalIr, canonicalIrToJsonString, YamlGraphParseError, } from './yamlToIr.js';
 export { openApiDocumentToHttpNodes, openApiDocumentToCanonicalIr, openApiStringToCanonicalIr, openApiUnknownToCanonicalIr, OpenApiIngestError, type OpenApiHttpNode, } from './openapi-to-ir.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,yBAAyB,EACzB,mBAAmB,EACnB,iCAAiC,GAClC,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,uBAAuB,EACvB,2BAA2B,EAC3B,mBAAmB,EACnB,yBAAyB,EACzB,uBAAuB,EACvB,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,cAAc,8BAA8B,CAAC;AAE7C,OAAO,EAAE,OAAO,IAAI,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC3E,OAAO,EAAE,OAAO,IAAI,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAEvE,OAAO,EAAE,sBAAsB,EAAE,KAAK,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAE7F,OAAO,EACL,8BAA8B,EAC9B,kCAAkC,EAClC,wBAAwB,EACxB,gBAAgB,EAChB,yBAAyB,EACzB,0BAA0B,EAC1B,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,cAAc,GACpB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC7E,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,0BAA0B,GAChC,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAEzF,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEpG,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,kBAAkB,EAClB,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,yBAAyB,EACzB,mBAAmB,EACnB,iCAAiC,GAClC,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,uBAAuB,EACvB,2BAA2B,EAC3B,mBAAmB,EACnB,yBAAyB,EACzB,uBAAuB,EACvB,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,cAAc,8BAA8B,CAAC;AAE7C,OAAO,EAAE,OAAO,IAAI,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAC3E,OAAO,EAAE,OAAO,IAAI,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAEvE,OAAO,EAAE,sBAAsB,EAAE,KAAK,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAE7F,OAAO,EACL,8BAA8B,EAC9B,kCAAkC,EAClC,wBAAwB,EACxB,gBAAgB,EAChB,yBAAyB,EACzB,0BAA0B,EAC1B,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,EACrB,YAAY,EACZ,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,cAAc,GACpB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC7E,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,0BAA0B,GAChC,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAEjI,OAAO,EAAE,YAAY,EAAE,sBAAsB,EAAE,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEpG,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,kBAAkB,EAClB,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC"}

package/dist/index.js

@@ -10,12 +10,12 @@ export { default as generatePythonFastAPIFiles } from './pythonFastAPI.js';
 export { default as generateNodeExpressFiles } from './nodeExpress.js';
 export { runDeterministicExport } from './exportPipeline.js';
 export { diffExpectedExportAgainstFiles, diffExpectedExportAgainstDirectory, readDirectoryAsExportMap, runValidateDrift, runDriftCheckAgainstFiles, normalizeExportFileContent, } from './validate-drift.js';
-export { normalizeIrGraph, validateIrStructural, hasIrStructuralErrors, } from './ir-structural.js';
+export { normalizeIrGraph, validateIrStructural, hasIrStructuralErrors, detectCycles, } from './ir-structural.js';
 export { materializeNormalizedGraph, normalizeNodeSlot, normalizeEdgeSlot, } from './ir-normalize.js';
 export { validateIrLint } from './ir-lint.js';
 export { runArchitectureLinting, LINT_RULE_REGISTRY } from './lint-rules.js';
 export { buildParsedLintGraph, isParsedLintGraph, } from './lint-graph.js';
-export { isHttpLikeType, isDbLikeType, isQueueLikeNodeType } from './graphPredicates.js';
+export { isHttpLikeType, isHttpEndpointType, isDbLikeType, isQueueLikeNodeType, isAuthLikeNodeType } from './graphPredicates.js';
 export { sortFindings, shouldFailFromFindings } from './cli-findings.js';
 export { parseYamlToCanonicalIr, canonicalIrToJsonString, YamlGraphParseError, } from './yamlToIr.js';
 export { openApiDocumentToHttpNodes, openApiDocumentToCanonicalIr, openApiStringToCanonicalIr, openApiUnknownToCanonicalIr, OpenApiIngestError, } from './openapi-to-ir.js';

package/dist/ir-structural.d.ts

@@ -31,6 +31,11 @@ export declare function normalizeIrGraph(ir: unknown): {
 } | {
     findings: IrStructuralFinding[];
 };
+/**
+ * DFS cycle detector. Returns the cycle as an ordered node-id array (the repeated node is first)
+ * or `null` if the graph is acyclic. Extracted for testability and to avoid closure over mutable state.
+ */
+export declare function detectCycles(adj: Map<string, string[]>): string[] | null;
 /**
  * Structural validation only: well-formed graph, edge references, directed cycles, HTTP node config.
  * Same input → same findings (deterministic).

package/dist/ir-structural.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ir-structural.d.ts","sourceRoot":"","sources":["../src/ir-structural.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;AAEhE,uFAAuF;AACvF,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,MAAM,CAAC;AAEnD,MAAM,MAAM,mBAAmB,GAAG;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qGAAqG;IACrG,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,+CAA+C;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAIF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,OAAO,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAAG;IAAE,QAAQ,EAAE,mBAAmB,EAAE,CAAA;CAAE,CA8BtH;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,OAAO,GAAG,mBAAmB,EAAE,CAgOvE;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAE9E"}
+{"version":3,"file":"ir-structural.d.ts","sourceRoot":"","sources":["../src/ir-structural.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;AAEhE,uFAAuF;AACvF,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,MAAM,CAAC;AAEnD,MAAM,MAAM,mBAAmB,GAAG;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qGAAqG;IACrG,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,+CAA+C;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAIF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,OAAO,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAAG;IAAE,QAAQ,EAAE,mBAAmB,EAAE,CAAA;CAAE,CA8BtH;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,GAAG,IAAI,CA2BxE;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,OAAO,GAAG,mBAAmB,EAAE,CAkNvE;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAE9E"}

package/dist/ir-structural.js

@@ -2,7 +2,7 @@
  * Deterministic structural validation of blueprint IR (graph JSON).
  * OSS boundary: shape, references, cycles — not security/compliance semantics (ArchRad Cloud).
  */
-import { isHttpLikeType } from './graphPredicates.js';
+import { isHttpEndpointType } from './graphPredicates.js';
 import { materializeNormalizedGraph } from './ir-normalize.js';
 const HTTP_METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']);
 /**
@@ -40,6 +40,40 @@ export function normalizeIrGraph(ir) {
         ],
     };
 }
+/**
+ * DFS cycle detector. Returns the cycle as an ordered node-id array (the repeated node is first)
+ * or `null` if the graph is acyclic. Extracted for testability and to avoid closure over mutable state.
+ */
+export function detectCycles(adj) {
+    const visiting = new Map(); // node → index in path when first entered
+    const path = [];
+    const done = new Set();
+    function dfs(u) {
+        if (visiting.has(u))
+            return path.slice(visiting.get(u));
+        if (done.has(u))
+            return null;
+        visiting.set(u, path.length);
+        path.push(u);
+        for (const v of adj.get(u) ?? []) {
+            const cycle = dfs(v);
+            if (cycle)
+                return cycle;
+        }
+        path.pop();
+        visiting.delete(u);
+        done.add(u);
+        return null;
+    }
+    for (const id of adj.keys()) {
+        if (!done.has(id)) {
+            const cycle = dfs(id);
+            if (cycle)
+                return cycle;
+        }
+    }
+    return null;
+}
 /**
  * Structural validation only: well-formed graph, edge references, directed cycles, HTTP node config.
  * Same input → same findings (deterministic).
@@ -118,7 +152,21 @@ export function validateIrStructural(ir) {
         else {
             seenIds.add(id);
         }
-        if (isHttpLikeType(nn.type)) {
+        const rawCfg = n.config;
+        if (rawCfg !== undefined) {
+            const cfgInvalid = rawCfg === null || Array.isArray(rawCfg) || typeof rawCfg !== 'object';
+            if (cfgInvalid) {
+                const got = rawCfg === null ? 'null' : Array.isArray(rawCfg) ? 'array' : typeof rawCfg;
+                findings.push({
+                    code: 'IR-STRUCT-NODE_INVALID_CONFIG',
+                    severity: 'warning',
+                    message: `Node "${id}" has a non-object \`config\` (got ${got}); treated as {}`,
+                    nodeId: id,
+                    fixHint: 'Set `config` to a plain object, e.g. { "url": "/foo", "method": "GET" }.',
+                });
+            }
+        }
+        if (isHttpEndpointType(nn.type)) {
             const cfg = nn.config;
             /** Generators accept `route` or `url`; structural checks align so OpenAPI merge + ingest both validate. */
             const url = String(cfg.url ?? cfg.route ?? '').trim();
@@ -128,7 +176,7 @@ export function validateIrStructural(ir) {
                 findings.push({
                     code: 'IR-STRUCT-HTTP_PATH',
                     severity: 'error',
-                    message: `HTTP-like node "${id}" has invalid path: config.url must be a non-empty string starting with /`,
+                    message: `HTTP endpoint node "${id}" has invalid path: config.url must be a non-empty string starting with /`,
                     nodeId: id,
                     fixHint: 'Set config.url (or config.route) to e.g. "/signup".',
                 });
@@ -138,7 +186,7 @@ export function validateIrStructural(ir) {
                 findings.push({
                     code: 'IR-STRUCT-HTTP_METHOD',
                     severity: 'error',
-                    message: `HTTP-like node "${id}" has unsupported method "${method}"`,
+                    message: `HTTP endpoint node "${id}" has unsupported method "${method}"`,
                     nodeId: id,
                     fixHint: 'Use GET, POST, PUT, PATCH, DELETE, HEAD, or OPTIONS.',
                 });
@@ -220,43 +268,15 @@ export function validateIrStructural(ir) {
             adj.set(from, []);
         adj.get(from).push(to);
     }
-    const visiting = new Set();
-    const done = new Set();
-    let cycleExampleNode;
-    function dfs(u) {
-        if (visiting.has(u)) {
-            cycleExampleNode = u;
-            return true;
-        }
-        if (done.has(u))
-            return false;
-        visiting.add(u);
-        for (const v of adj.get(u) || []) {
-            if (dfs(v))
-                return true;
-        }
-        visiting.delete(u);
-        done.add(u);
-        return false;
-    }
-    let hasCycle = false;
-    for (const id of seenIds) {
-        if (duplicateIds.has(id))
-            continue;
-        if (!done.has(id) && dfs(id)) {
-            hasCycle = true;
-            break;
-        }
-    }
-    if (hasCycle) {
-        const hint = cycleExampleNode != null
-            ? `Directed cycle detected (node "${cycleExampleNode}" was reached again while traversing dependencies).`
-            : 'Dependency graph contains a directed cycle';
+    const cyclePath = detectCycles(adj);
+    if (cyclePath !== null) {
+        const nodeId = cyclePath[0];
+        const pathStr = [...cyclePath, cyclePath[0]].join(' → ');
         findings.push({
             code: 'IR-STRUCT-CYCLE',
             severity: 'error',
-            message: hint,
-            nodeId: cycleExampleNode,
+            message: `Directed cycle detected: ${pathStr}`,
+            nodeId,
             fixHint: 'Remove or break cyclic edges unless your tooling explicitly allows execution loops.',
         });
     }

package/dist/lint-rules.d.ts

@@ -31,6 +31,28 @@ export declare function ruleHttpMissingName(g: ParsedLintGraph): IrStructuralFin
 export declare function ruleDatastoreNoIncoming(g: ParsedLintGraph): IrStructuralFinding[];
 /** IR-LINT-MULTIPLE-HTTP-ENTRIES-009 — more than one HTTP node with no incoming edges (multiple public entry surfaces). */
 export declare function ruleMultipleHttpEntries(g: ParsedLintGraph): IrStructuralFinding[];
+/**
+ * IR-LINT-MISSING-AUTH-010 — HTTP entry node (no incoming sync edges) with no auth coverage.
+ *
+ * A node is considered auth-covered when ANY of:
+ *   1. One of its immediate outgoing neighbours is an auth-like node type.
+ *   2. An auth-like node has a direct edge TO it (auth-as-gateway pattern).
+ *   3. Its own `config` carries an auth-signal key: `auth`, `authRequired`,
+ *      `authentication`, `authorization`, or `security`.
+ *
+ * Escape hatch: set `config.authRequired: false` (explicit opt-out) to silence the rule
+ * for intentionally public endpoints (health, public assets, etc.).
+ */
+export declare function ruleHttpMissingAuth(g: ParsedLintGraph): IrStructuralFinding[];
+/**
+ * IR-LINT-DEAD-NODE-011 — non-sink node with incoming edges but no outgoing edges.
+ *
+ * Datastore-like and queue-like nodes are valid sinks and are excluded.
+ * Nodes with no incident edges at all are already caught by IR-LINT-ISOLATED-NODE-005.
+ * This rule targets nodes that receive data but forward it nowhere — likely a missing
+ * edge, an incomplete integration step, or a stale component.
+ */
+export declare function ruleDeadNode(g: ParsedLintGraph): IrStructuralFinding[];
 /**
  * Ordered registry: add a new rule by implementing `(g) => findings` and appending here.
  */

package/dist/lint-rules.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lint-rules.d.ts","sourceRoot":"","sources":["../src/lint-rules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAavD,8HAA8H;AAC9H,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA6B5E;AAED,8BAA8B;AAC9B,wBAAgB,cAAc,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBxE;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAwDpF;AAED,iCAAiC;AACjC,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsB3E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoB1E;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA0B3E;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAmB7E;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED,2HAA2H;AAC3H,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,eAAe,KAAK,mBAAmB,EAAE,CAU3F,CAAC;AAEF,gGAAgG;AAChG,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAEhF"}
+{"version":3,"file":"lint-rules.d.ts","sourceRoot":"","sources":["../src/lint-rules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAcvD,8HAA8H;AAC9H,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA6B5E;AAED,8BAA8B;AAC9B,wBAAgB,cAAc,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBxE;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAwDpF;AAED,iCAAiC;AACjC,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsB3E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoB1E;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA0B3E;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAmB7E;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED,2HAA2H;AAC3H,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoD7E;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsBtE;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,eAAe,KAAK,mBAAmB,EAAE,CAY3F,CAAC;AAEF,gGAAgG;AAChG,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAEhF"}

package/dist/lint-rules.js

@@ -3,6 +3,7 @@
  * and returns IrStructuralFinding[] (layer: lint). Deterministic, no AI, no cloud.
  */
 import { edgeEndpoints, nodeType, isDbLikeType, isHttpLikeType, looksLikeHealthUrl, buildSyncAdjacencyForLint, edgeRepresentsAsyncBoundary, } from './lint-graph.js';
+import { isAuthLikeNodeType, isQueueLikeNodeType } from './graphPredicates.js';
 const LAYER = 'lint';
 /** IR-LINT-DIRECT-DB-ACCESS-002 — HTTP-like → datastore-like in one hop (broader than strict api/gateway + database enum). */
 export function ruleDirectDbAccess(g) {
@@ -270,6 +271,100 @@ export function ruleMultipleHttpEntries(g) {
         },
     ];
 }
+/**
+ * IR-LINT-MISSING-AUTH-010 — HTTP entry node (no incoming sync edges) with no auth coverage.
+ *
+ * A node is considered auth-covered when ANY of:
+ *   1. One of its immediate outgoing neighbours is an auth-like node type.
+ *   2. An auth-like node has a direct edge TO it (auth-as-gateway pattern).
+ *   3. Its own `config` carries an auth-signal key: `auth`, `authRequired`,
+ *      `authentication`, `authorization`, or `security`.
+ *
+ * Escape hatch: set `config.authRequired: false` (explicit opt-out) to silence the rule
+ * for intentionally public endpoints (health, public assets, etc.).
+ */
+export function ruleHttpMissingAuth(g) {
+    const { edges, nodeById, adj, inDegree } = g;
+    // Entry = no valid incoming edge (same counts as buildParsedLintGraph.inDegree)
+    // Build reverse adjacency: to → [from] for auth-coverage check #2 (valid endpoints only, same as adj)
+    const reverseAdj = new Map();
+    for (const e of edges) {
+        if (!e || typeof e !== 'object')
+            continue;
+        const { from, to } = edgeEndpoints(e);
+        if (!from || !to || !nodeById.has(from) || !nodeById.has(to))
+            continue;
+        if (!reverseAdj.has(to))
+            reverseAdj.set(to, []);
+        reverseAdj.get(to).push(from);
+    }
+    const findings = [];
+    for (const [id, n] of nodeById) {
+        if (!isHttpLikeType(nodeType(n)))
+            continue;
+        if ((inDegree.get(id) ?? 0) > 0)
+            continue; // not an entry node
+        const cfg = (n.config ?? {});
+        // Explicit opt-out: config.authRequired === false marks an intentionally public endpoint
+        if (cfg.authRequired === false)
+            continue;
+        // Coverage check 1: outgoing neighbour is auth-like
+        const outNeighbours = adj.get(id) ?? [];
+        if (outNeighbours.some((v) => isAuthLikeNodeType(nodeType(nodeById.get(v) ?? {}))))
+            continue;
+        // Coverage check 2: an auth-like node points directly to this entry node
+        const inNeighbours = reverseAdj.get(id) ?? [];
+        if (inNeighbours.some((v) => isAuthLikeNodeType(nodeType(nodeById.get(v) ?? {}))))
+            continue;
+        // Coverage check 3: node config carries an auth signal
+        const authConfigKeys = ['auth', 'authrequired', 'authentication', 'authorization', 'security'];
+        const cfgKeys = Object.keys(cfg).map((k) => k.toLowerCase());
+        if (authConfigKeys.some((k) => cfgKeys.includes(k)))
+            continue;
+        findings.push({
+            code: 'IR-LINT-MISSING-AUTH-010',
+            severity: 'warning',
+            layer: LAYER,
+            message: `HTTP entry node "${id}" has no auth node or auth config in its immediate graph neighbourhood`,
+            nodeId: id,
+            fixHint: 'Add an auth/middleware node with an edge to or from this entry, or set config.authRequired: false for intentionally public endpoints.',
+            suggestion: 'Connect an auth, oauth, jwt, or middleware node. For PCI-DSS / HIPAA systems, every HTTP entry must have a documented auth boundary.',
+            impact: 'Unauthenticated HTTP entry points are a compliance gap in regulated environments and a common attack surface.',
+        });
+    }
+    return findings;
+}
+/**
+ * IR-LINT-DEAD-NODE-011 — non-sink node with incoming edges but no outgoing edges.
+ *
+ * Datastore-like and queue-like nodes are valid sinks and are excluded.
+ * Nodes with no incident edges at all are already caught by IR-LINT-ISOLATED-NODE-005.
+ * This rule targets nodes that receive data but forward it nowhere — likely a missing
+ * edge, an incomplete integration step, or a stale component.
+ */
+export function ruleDeadNode(g) {
+    const findings = [];
+    for (const [id, n] of g.nodeById) {
+        const out = g.outDegree.get(id) ?? 0;
+        const inn = g.inDegree.get(id) ?? 0;
+        if (out > 0 || inn === 0)
+            continue; // has outgoing, or truly isolated (caught elsewhere)
+        const t = nodeType(n);
+        if (isDbLikeType(t) || isQueueLikeNodeType(t) || isHttpLikeType(t))
+            continue; // valid sinks
+        findings.push({
+            code: 'IR-LINT-DEAD-NODE-011',
+            severity: 'warning',
+            layer: LAYER,
+            message: `Node "${id}" (type: ${t || 'unknown'}) receives edges but has no outgoing edges — possible missing integration or dead component`,
+            nodeId: id,
+            fixHint: 'Add an outgoing edge to a downstream node, or remove this node if it is no longer active.',
+            suggestion: 'Dead-end non-sink nodes often represent incomplete migrations, dropped integrations, or copy-paste errors in the IR.',
+            impact: 'Data entering this node has no documented path forward, which misrepresents runtime behaviour.',
+        });
+    }
+    return findings;
+}
 /**
  * Ordered registry: add a new rule by implementing `(g) => findings` and appending here.
  */
@@ -283,6 +378,8 @@ export const LINT_RULE_REGISTRY = [
     ruleHttpMissingName,
     ruleDatastoreNoIncoming,
     ruleMultipleHttpEntries,
+    ruleHttpMissingAuth,
+    ruleDeadNode,
 ];
 /** Run all registered architecture lint visitors (same as legacy `validateIrLint` behavior). */
 export function runArchitectureLinting(g) {

package/dist/openapi-to-ir.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openapi-to-ir.d.ts","sourceRoot":"","sources":["../src/openapi-to-ir.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAuBD,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,EAAE,CAgD1F;AAaD;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgClG;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAMnF;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQnF"}
+{"version":3,"file":"openapi-to-ir.d.ts","sourceRoot":"","sources":["../src/openapi-to-ir.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAuBD,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,EAAE,CAqD1F;AAyDD;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgClG;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAMnF;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQnF"}

package/dist/openapi-to-ir.js

@@ -35,6 +35,7 @@ export function openApiDocumentToHttpNodes(doc) {
     if (!paths || typeof paths !== 'object' || Array.isArray(paths)) {
         return [];
     }
+    const globalSecurity = doc.security;
     const nodes = [];
     const usedIds = new Set();
     for (const [pathKey, pathItem] of Object.entries(paths)) {
@@ -45,17 +46,19 @@ export function openApiDocumentToHttpNodes(doc) {
             const op = pathItem[m];
             if (!op || typeof op !== 'object' || Array.isArray(op))
                 continue;
-            const summary = typeof op.summary === 'string'
-                ? String(op.summary)
-                : typeof op.operationId === 'string'
-                    ? String(op.operationId)
+            const opRec = op;
+            const summary = typeof opRec.summary === 'string'
+                ? String(opRec.summary)
+                : typeof opRec.operationId === 'string'
+                    ? String(opRec.operationId)
                     : '';
             let id = safeNodeId(url, m);
             while (usedIds.has(id)) {
                 id = `${id}_${Math.random().toString(36).slice(2, 7)}`;
             }
             usedIds.add(id);
-            const operationId = op.operationId;
+            const operationId = opRec.operationId;
+            const securityConfig = resolveOperationSecurity(opRec, globalSecurity);
             nodes.push({
                 id,
                 type: 'http',
@@ -67,12 +70,53 @@ export function openApiDocumentToHttpNodes(doc) {
                     method: m.toUpperCase(),
                     openApiIngest: true,
                     ...(typeof operationId === 'string' && operationId.trim() ? { operationId } : {}),
+                    ...securityConfig,
                 },
             });
         }
     }
     return nodes;
 }
+/**
+ * Extract unique scheme names from a security requirement array.
+ * Each entry is an object whose keys are scheme names, e.g. `[{ "BearerAuth": [] }]`.
+ * Returns sorted names for determinism.
+ */
+function extractSecuritySchemeNames(securityArray) {
+    if (!Array.isArray(securityArray))
+        return [];
+    const names = new Set();
+    for (const req of securityArray) {
+        if (req && typeof req === 'object' && !Array.isArray(req)) {
+            for (const name of Object.keys(req)) {
+                if (name.trim())
+                    names.add(name.trim());
+            }
+        }
+    }
+    return [...names].sort();
+}
+/**
+ * Resolve effective security for a single operation, respecting OpenAPI 3.x precedence:
+ * operation-level `security` overrides the global spec-level `security`.
+ * An explicit empty array `[]` means intentionally no auth (public endpoint).
+ *
+ * Returns:
+ *   - `{ authRequired: false }` when the effective security is explicitly empty `[]`
+ *   - `{ security: string[] }` when scheme names are present
+ *   - `{}` when no security is declared at either level
+ */
+function resolveOperationSecurity(op, globalSecurity) {
+    const hasOperationSecurity = 'security' in op;
+    const effective = hasOperationSecurity ? op.security : globalSecurity;
+    if (!Array.isArray(effective))
+        return {};
+    // Explicit empty array → intentionally public
+    if (effective.length === 0)
+        return { authRequired: false };
+    const names = extractSecuritySchemeNames(effective);
+    return names.length > 0 ? { security: names } : {};
+}
 function provenanceBlock(doc) {
     const ver = doc.openapi != null ? String(doc.openapi) : doc.swagger != null ? String(doc.swagger) : '';
     const info = (doc.info && typeof doc.info === 'object' ? doc.info : {});

package/fixtures/demo-direct-db-layered.json

@@ -9,7 +9,7 @@
         "id": "orders-api",
         "type": "http",
         "name": "Orders API",
-        "config": { "url": "/orders", "method": "GET" }
+        "config": { "url": "/orders", "method": "GET", "auth": "bearer" }
       },
       {
         "id": "health",

package/fixtures/e2e-no-security-openapi.yaml

@@ -0,0 +1,11 @@
+openapi: 3.0.0
+info:
+  title: Test API
+  version: 1.0.0
+paths:
+  /payments:
+    post:
+      operationId: createPayment
+      responses:
+        '200':
+          description: OK

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archrad/deterministic",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "A deterministic compiler and linter for system architecture. Validate your architecture before you write code. OSS: structural validation + basic architecture lint (rule-based); FastAPI/Express export; OpenAPI document-shape; golden Docker/Makefile — no LLM.",
   "keywords": [
     "archrad",