@archrad/deterministic 0.1.3 → 0.1.5

package/dist/mcp-server.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * archrad-mcp — Model Context Protocol server (stdio) for deterministic IR validation,
+ * architecture lint, policy packs, and drift checks. Uses the same engine as `archrad` CLI.
+ */
+export {};
+//# sourceMappingURL=mcp-server.d.ts.map

package/dist/mcp-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.d.ts","sourceRoot":"","sources":["../src/mcp-server.ts"],"names":[],"mappings":";AACA;;;GAGG"}

package/dist/mcp-server.js

@@ -0,0 +1,236 @@
+#!/usr/bin/env node
+/**
+ * archrad-mcp — Model Context Protocol server (stdio) for deterministic IR validation,
+ * architecture lint, policy packs, and drift checks. Uses the same engine as `archrad` CLI.
+ */
+import { readFile, stat } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { normalizeIrGraph, validateIrStructural, validateIrLint, runValidateDrift, sortFindings, loadPolicyPacksFromDirectory, loadPolicyPacksFromFiles, } from './index.js';
+import { getStaticRuleGuidance, listStaticRuleCodes } from './static-rule-guidance.js';
+const VERSION = '0.1.5';
+/** Hard cap for `irPath` reads (see docs/MCP.md). */
+const MAX_IR_FILE_BYTES = 25 * 1024 * 1024;
+const irSourceSchema = {
+    ir: z.unknown().optional(),
+    irPath: z.string().optional(),
+};
+function jsonResult(payload) {
+    return {
+        content: [{ type: 'text', text: JSON.stringify(payload, null, 2) }],
+    };
+}
+async function loadIrFromArgs(args) {
+    const hasInline = args.ir !== undefined;
+    const hasPath = args.irPath != null && String(args.irPath).trim() !== '';
+    if (hasInline && hasPath) {
+        return { ok: false, error: 'Provide only one of `ir` or `irPath`.' };
+    }
+    if (hasPath) {
+        const p = resolve(args.irPath);
+        let st;
+        try {
+            st = await stat(p);
+        }
+        catch (e) {
+            return { ok: false, error: `irPath not readable: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        if (!st.isFile()) {
+            return { ok: false, error: `irPath is not a file: ${p}` };
+        }
+        if (st.size > MAX_IR_FILE_BYTES) {
+            return {
+                ok: false,
+                error: `IR file is ${st.size} bytes (max ${MAX_IR_FILE_BYTES}). Split the graph, trim fixtures, or validate smaller subgraphs.`,
+            };
+        }
+        const raw = await readFile(p, 'utf8');
+        try {
+            return { ok: true, ir: JSON.parse(raw) };
+        }
+        catch (e) {
+            return { ok: false, error: `Invalid JSON in irPath: ${e instanceof Error ? e.message : String(e)}` };
+        }
+    }
+    if (hasInline) {
+        return { ok: true, ir: args.ir };
+    }
+    return { ok: false, error: 'Provide `ir` (inline JSON) or `irPath` (path to IR JSON file).' };
+}
+async function main() {
+    const server = new McpServer({
+        name: 'archrad-deterministic',
+        version: VERSION,
+    });
+    server.registerTool('archrad_suggest_fix', {
+        title: 'Static remediation for a finding code',
+        description: 'Deterministic title, remediation text, and canonical docs URL for a built-in IR-STRUCT / IR-LINT / DRIFT code. Does not generate patches or IR edits.',
+        inputSchema: {
+            findingCode: z.string().min(1),
+        },
+    }, async (args) => {
+        const g = getStaticRuleGuidance(args.findingCode);
+        if (!g) {
+            return jsonResult({
+                ok: false,
+                findingCode: args.findingCode,
+                error: 'Unknown built-in code. PolicyPack and org rules use custom rule ids in YAML — see your pack. Use archrad_list_rule_codes for built-in codes.',
+            });
+        }
+        return jsonResult({ ok: true, ...g });
+    });
+    server.registerTool('archrad_list_rule_codes', {
+        title: 'List built-in rule codes',
+        description: 'Sorted list of IR-STRUCT-*, IR-LINT-*, and DRIFT-* codes that have static guidance via archrad_suggest_fix.',
+        inputSchema: {},
+    }, async () => jsonResult({ codes: listStaticRuleCodes() }));
+    server.registerTool('archrad_validate_ir', {
+        title: 'Validate IR (structural + IR-LINT)',
+        description: 'Run deterministic structural validation (IR-STRUCT-*) and architecture lint (IR-LINT-*). Pass `ir` inline or `irPath` to a JSON file (recommended for large graphs). Optional local PolicyPack directory.',
+        inputSchema: {
+            ...irSourceSchema,
+            policiesDirectory: z.string().optional(),
+        },
+    }, async (args) => {
+        const loaded = await loadIrFromArgs(args);
+        if (!loaded.ok)
+            return jsonResult({ ok: false, phase: 'input', error: loaded.error });
+        const irRaw = loaded.ir;
+        const norm = normalizeIrGraph(irRaw);
+        if ('findings' in norm) {
+            return jsonResult({ ok: false, phase: 'normalize', findings: norm.findings });
+        }
+        const structural = validateIrStructural(irRaw);
+        let policyRuleVisitors;
+        if (args.policiesDirectory) {
+            const dir = resolve(args.policiesDirectory);
+            const packLoaded = await loadPolicyPacksFromDirectory(dir);
+            if (!packLoaded.ok) {
+                return jsonResult({ ok: false, phase: 'policy_packs', errors: packLoaded.errors });
+            }
+            policyRuleVisitors = packLoaded.visitors;
+        }
+        const irLintFindings = validateIrLint(irRaw, { policyRuleVisitors });
+        const combined = sortFindings([...structural, ...irLintFindings]);
+        return jsonResult({
+            ok: combined.every((f) => f.severity !== 'error'),
+            irStructuralFindings: structural,
+            irLintFindings,
+            combined,
+        });
+    });
+    server.registerTool('archrad_lint_summary', {
+        title: 'Lint summary',
+        description: 'Short text summary of IR structural + lint findings. Use `ir` or `irPath` (see archrad_validate_ir).',
+        inputSchema: {
+            ...irSourceSchema,
+            policiesDirectory: z.string().optional(),
+        },
+    }, async (args) => {
+        const loaded = await loadIrFromArgs(args);
+        if (!loaded.ok)
+            return jsonResult({ summary: loaded.error });
+        const irRaw = loaded.ir;
+        const norm = normalizeIrGraph(irRaw);
+        if ('findings' in norm) {
+            return jsonResult({ summary: `Normalize failed: ${norm.findings.map((f) => f.message).join('; ')}` });
+        }
+        const structural = validateIrStructural(irRaw);
+        let policyRuleVisitors;
+        if (args.policiesDirectory) {
+            const packLoaded = await loadPolicyPacksFromDirectory(resolve(args.policiesDirectory));
+            if (!packLoaded.ok) {
+                return jsonResult({ summary: `Policy packs failed: ${packLoaded.errors.join('; ')}` });
+            }
+            policyRuleVisitors = packLoaded.visitors;
+        }
+        const irLintFindings = validateIrLint(irRaw, { policyRuleVisitors });
+        const combined = sortFindings([...structural, ...irLintFindings]);
+        const errors = combined.filter((f) => f.severity === 'error');
+        const warnings = combined.filter((f) => f.severity === 'warning');
+        const lines = [
+            `Findings: ${combined.length} (${errors.length} errors, ${warnings.length} warnings).`,
+            ...combined.slice(0, 20).map((f) => `- [${f.code}] ${f.message}`),
+        ];
+        if (combined.length > 20)
+            lines.push(`… and ${combined.length - 20} more.`);
+        return jsonResult({ summary: lines.join('\n'), counts: { total: combined.length, errors: errors.length, warnings: warnings.length } });
+    });
+    server.registerTool('archrad_validate_drift', {
+        title: 'Validate drift',
+        description: 'Compare on-disk export to a fresh deterministic export. Pass `ir` or `irPath` (JSON file).',
+        inputSchema: {
+            ...irSourceSchema,
+            target: z.enum(['python', 'node', 'nodejs']),
+            exportDir: z.string(),
+            policiesDirectory: z.string().optional(),
+            skipIrLint: z.boolean().optional(),
+        },
+    }, async (args) => {
+        const loaded = await loadIrFromArgs(args);
+        if (!loaded.ok)
+            return jsonResult({ ok: false, phase: 'input', error: loaded.error });
+        const irRaw = loaded.ir;
+        const norm = normalizeIrGraph(irRaw);
+        if ('findings' in norm) {
+            return jsonResult({ ok: false, phase: 'normalize', findings: norm.findings });
+        }
+        const actualIR = irRaw && typeof irRaw === 'object' && irRaw !== null && 'graph' in irRaw
+            ? irRaw
+            : { graph: norm.graph };
+        let policyRuleVisitors;
+        if (args.policiesDirectory) {
+            const packLoaded = await loadPolicyPacksFromDirectory(resolve(args.policiesDirectory));
+            if (!packLoaded.ok) {
+                return jsonResult({ ok: false, phase: 'policy_packs', errors: packLoaded.errors });
+            }
+            policyRuleVisitors = packLoaded.visitors;
+        }
+        const outDir = resolve(args.exportDir);
+        const result = await runValidateDrift(actualIR, args.target, outDir, {
+            skipIrLint: args.skipIrLint ?? false,
+            policyRuleVisitors,
+        });
+        return jsonResult({
+            ok: result.ok,
+            driftFindings: result.driftFindings,
+            extraBlocking: result.extraBlocking,
+            irStructuralFindings: result.exportResult.irStructuralFindings,
+            irLintFindings: result.exportResult.irLintFindings,
+        });
+    });
+    server.registerTool('archrad_policy_packs_load', {
+        title: 'Load policy packs',
+        description: 'Compile PolicyPack YAML/JSON from a directory or from in-memory file list.',
+        inputSchema: {
+            directory: z.string().optional(),
+            files: z
+                .array(z.object({ name: z.string(), content: z.string() }))
+                .optional(),
+        },
+    }, async (args) => {
+        if (args.files && args.files.length > 0) {
+            const loaded = loadPolicyPacksFromFiles(args.files.map((f) => ({ name: f.name, content: f.content })));
+            if (!loaded.ok) {
+                return jsonResult({ ok: false, errors: loaded.errors });
+            }
+            return jsonResult({ ok: true, ruleCount: loaded.ruleCount });
+        }
+        if (args.directory) {
+            const loaded = await loadPolicyPacksFromDirectory(resolve(args.directory));
+            if (!loaded.ok) {
+                return jsonResult({ ok: false, errors: loaded.errors });
+            }
+            return jsonResult({ ok: true, ruleCount: loaded.ruleCount });
+        }
+        return jsonResult({ ok: false, error: 'Provide `directory` or `files`.' });
+    });
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((err) => {
+    console.error('archrad-mcp:', err);
+    process.exitCode = 1;
+});

package/dist/nodeExpress.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nodeExpress.d.ts","sourceRoot":"","sources":["../src/nodeExpress.ts"],"names":[],"mappings":"AAIA,wBAA8B,wBAAwB,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAC,MAAM,CAAC,CAAC,CAuapH"}
+{"version":3,"file":"nodeExpress.d.ts","sourceRoot":"","sources":["../src/nodeExpress.ts"],"names":[],"mappings":"AAKA,wBAA8B,wBAAwB,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAC,MAAM,CAAC,CAAC,CA0apH"}

package/dist/nodeExpress.js

@@ -1,6 +1,7 @@
 // Deterministic Node Express exporter (skeleton)
 // Exports a map of filename -> content for a generated Express app.
 import { getEdgeConfig, generateRetryCode, generateCircuitBreakerCode } from './edgeConfigCodeGenerator.js';
+import { MAX_UNTRUSTED_STRING_LEN, stripLeadingTrailingHyphens } from './stringEdgeStrip.js';
 export default async function generateNodeExpressFiles(actualIR, opts = {}) {
     const files = {};
     const graph = (actualIR && actualIR.graph) ? actualIR.graph : (actualIR || {});
@@ -12,7 +13,10 @@ export default async function generateNodeExpressFiles(actualIR, opts = {}) {
     const nonHttpNodes = [];
     // Track edge config utilities (retry, circuit breaker) to include once
     const edgeUtilityCode = new Set();
-    function safeId(id) { return String(id || '').replace(/[^A-Za-z0-9_\-]/g, '-').replace(/^-+|-+$/g, '').toLowerCase() || 'node'; }
+    function safeId(id) {
+        const raw = String(id || '').slice(0, MAX_UNTRUSTED_STRING_LEN);
+        return stripLeadingTrailingHyphens(raw.replace(/[^A-Za-z0-9_\-]/g, '-')).toLowerCase() || 'node';
+    }
     function handlerName(n) { return `handler_${safeId(n && (n.id || n.name))}`.replace(/-/g, '_'); }
     /**
      * Generate code for inner nodes (support nodes) that are embedded within a key node

package/dist/openapi-to-ir.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openapi-to-ir.d.ts","sourceRoot":"","sources":["../src/openapi-to-ir.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAuBD,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,EAAE,CAqD1F;AAyDD;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgClG;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAMnF;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQnF"}
+{"version":3,"file":"openapi-to-ir.d.ts","sourceRoot":"","sources":["../src/openapi-to-ir.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AA0BD,MAAM,MAAM,eAAe,GAAG;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,CAAC;AAEF;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,EAAE,CAqD1F;AAyDD;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgClG;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAMnF;AAED,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQnF"}

package/dist/openapi-to-ir.js

@@ -4,6 +4,7 @@
  * This is not semantic architecture truth — only operations under `paths` become `http` nodes.
  */
 import { parseOpenApiString, validateOpenApiStructural } from './openapi-structural.js';
+import { MAX_UNTRUSTED_STRING_LEN, stripLeadingTrailingHyphens, stripLeadingTrailingUnderscores } from './stringEdgeStrip.js';
 export class OpenApiIngestError extends Error {
     constructor(message) {
         super(message);
@@ -16,15 +17,16 @@ function normalizeOpenApiPath(pathKey) {
     return s.startsWith('/') ? s : `/${s}`;
 }
 function safeServiceName(title) {
-    const t = String(title || 'openapi-service')
+    const t = stripLeadingTrailingHyphens(String(title || 'openapi-service')
         .trim()
-        .replace(/[^a-zA-Z0-9_-]+/g, '-')
-        .replace(/^-+|-+$/g, '')
+        .slice(0, 256)
+        .replace(/[^a-zA-Z0-9_-]+/g, '-'))
         .toLowerCase();
     return t.slice(0, 63) || 'openapi-service';
 }
 function safeNodeId(path, method) {
-    const slug = `${method}_${path}`.replace(/[^a-zA-Z0-9]+/g, '_').replace(/^_|_$/g, '').toLowerCase();
+    const combined = `${method}_${path}`.slice(0, MAX_UNTRUSTED_STRING_LEN);
+    const slug = stripLeadingTrailingUnderscores(combined.replace(/[^a-zA-Z0-9]+/g, '_')).toLowerCase();
     return `openapi_${slug || 'route'}`.slice(0, 80);
 }
 /**

package/dist/policy-pack.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Declarative org policy packs (YAML/JSON) — deterministic graph matchers on ParsedLintGraph.
+ * Codes should use a stable prefix (e.g. ORG-*, ACME-*) to avoid colliding with IR-LINT-* / IR-STRUCT-*.
+ */
+import type { ParsedLintGraph } from './lint-graph.js';
+import type { IrStructuralFinding } from './ir-structural.js';
+export type PolicySeverity = 'error' | 'warning' | 'info';
+/** Single-node selector: all provided predicates must match (AND). */
+export type PolicyNodeSelectorV1 = {
+    id?: string;
+    type?: string | string[];
+    /** All listed tags must appear on `node.metadata.tags` (array of strings). */
+    tags?: string[];
+};
+export type PolicyEdgeMatchV1 = {
+    from: PolicyNodeSelectorV1;
+    to: PolicyNodeSelectorV1;
+};
+export type PolicyRuleV1 = {
+    id: string;
+    severity: PolicySeverity;
+    message: string;
+    fixHint?: string;
+    match: {
+        node?: PolicyNodeSelectorV1;
+        edge?: PolicyEdgeMatchV1;
+    };
+};
+export type PolicyPackMetadataV1 = {
+    name?: string;
+    org?: string;
+};
+export type PolicyPackDocumentV1 = {
+    apiVersion: 'archrad/v1';
+    kind: 'PolicyPack';
+    metadata?: PolicyPackMetadataV1;
+    rules: PolicyRuleV1[];
+};
+export type LoadPolicyPacksResult = {
+    ok: true;
+    visitors: ReadonlyArray<(g: ParsedLintGraph) => IrStructuralFinding[]>;
+    ruleCount: number;
+} | {
+    ok: false;
+    errors: string[];
+};
+export type PolicyPackFileSource = {
+    /** Virtual filename (must end with .yaml, .yml, or .json for parse rules). */
+    name: string;
+    content: string;
+};
+/**
+ * Load policy packs from in-memory file sources (same semantics as {@link loadPolicyPacksFromDirectory}).
+ * Use for ArchRad Cloud, tests, and API bodies — no filesystem required.
+ */
+export declare function loadPolicyPacksFromFiles(sources: ReadonlyArray<PolicyPackFileSource>): LoadPolicyPacksResult;
+/**
+ * Load and compile all policy YAML/JSON files in a directory into lint visitors.
+ * Filenames: `*.yaml`, `*.yml`, `*.json` (other files ignored).
+ */
+export declare function loadPolicyPacksFromDirectory(dir: string): Promise<LoadPolicyPacksResult>;
+//# sourceMappingURL=policy-pack.d.ts.map

package/dist/policy-pack.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-pack.d.ts","sourceRoot":"","sources":["../src/policy-pack.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEvD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;AAE1D,sEAAsE;AACtE,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACzB,8EAA8E;IAC9E,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,IAAI,EAAE,oBAAoB,CAAC;IAC3B,EAAE,EAAE,oBAAoB,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE;QACL,IAAI,CAAC,EAAE,oBAAoB,CAAC;QAC5B,IAAI,CAAC,EAAE,iBAAiB,CAAC;KAC1B,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,UAAU,EAAE,YAAY,CAAC;IACzB,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,KAAK,EAAE,YAAY,EAAE,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,eAAe,KAAK,mBAAmB,EAAE,CAAC,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACvG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAgHpC,MAAM,MAAM,oBAAoB,GAAG;IACjC,8EAA8E;IAC9E,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,aAAa,CAAC,oBAAoB,CAAC,GAAG,qBAAqB,CAkC5G;AA4BD;;;GAGG;AACH,wBAAsB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAmC9F"}

package/dist/policy-pack.js

@@ -0,0 +1,220 @@
+/**
+ * Declarative org policy packs (YAML/JSON) — deterministic graph matchers on ParsedLintGraph.
+ * Codes should use a stable prefix (e.g. ORG-*, ACME-*) to avoid colliding with IR-LINT-* / IR-STRUCT-*.
+ */
+import { readFile, readdir } from 'node:fs/promises';
+import { join, resolve } from 'node:path';
+import yaml from 'js-yaml';
+import { edgeEndpoints, nodeType } from './lint-graph.js';
+function isNonEmptyRecord(x) {
+    return x != null && typeof x === 'object' && !Array.isArray(x);
+}
+function normalizeTypes(t) {
+    if (t == null)
+        return null;
+    const arr = Array.isArray(t) ? t : [t];
+    return arr.map((s) => String(s).trim().toLowerCase()).filter(Boolean);
+}
+/** True if selector has at least one predicate (empty match-all forbidden for v1). */
+function selectorHasPredicate(sel) {
+    if (sel.id != null && String(sel.id).trim() !== '')
+        return true;
+    if (sel.type != null) {
+        const n = normalizeTypes(sel.type);
+        if (n && n.length > 0)
+            return true;
+    }
+    if (sel.tags != null && Array.isArray(sel.tags) && sel.tags.length > 0)
+        return true;
+    return false;
+}
+function nodeMatchesSelector(n, sel) {
+    if (sel.id != null && String(n.id ?? '') !== String(sel.id))
+        return false;
+    const types = normalizeTypes(sel.type);
+    if (types && types.length > 0) {
+        const nt = nodeType(n);
+        if (!types.includes(nt))
+            return false;
+    }
+    if (sel.tags != null && sel.tags.length > 0) {
+        const meta = n.metadata ?? {};
+        const raw = meta.tags;
+        if (!Array.isArray(raw))
+            return false;
+        const have = new Set(raw.map((x) => String(x).toLowerCase()));
+        for (const t of sel.tags) {
+            if (!have.has(String(t).toLowerCase()))
+                return false;
+        }
+    }
+    return true;
+}
+function compileRule(rule, source) {
+    if (!rule.id || typeof rule.id !== 'string' || !/^[A-Za-z0-9_.-]+$/.test(rule.id)) {
+        throw new Error(`[${source}] invalid rule.id`);
+    }
+    if (!['error', 'warning', 'info'].includes(rule.severity)) {
+        throw new Error(`[${source}] rule "${rule.id}": severity must be error | warning | info`);
+    }
+    if (!rule.message || typeof rule.message !== 'string') {
+        throw new Error(`[${source}] rule "${rule.id}": message is required`);
+    }
+    const hasNode = rule.match?.node != null;
+    const hasEdge = rule.match?.edge != null;
+    if (hasNode === hasEdge) {
+        throw new Error(`[${source}] rule "${rule.id}": specify exactly one of match.node or match.edge`);
+    }
+    if (hasNode) {
+        const sel = rule.match.node;
+        if (!selectorHasPredicate(sel)) {
+            throw new Error(`[${source}] rule "${rule.id}": match.node must include id, type, and/or tags`);
+        }
+        return (g) => {
+            const findings = [];
+            for (const [id, n] of g.nodeById) {
+                if (nodeMatchesSelector(n, sel)) {
+                    findings.push({
+                        code: rule.id,
+                        severity: rule.severity,
+                        message: rule.message,
+                        nodeId: id,
+                        layer: 'lint',
+                        fixHint: rule.fixHint,
+                    });
+                }
+            }
+            return findings;
+        };
+    }
+    const edge = rule.match.edge;
+    if (!selectorHasPredicate(edge.from) || !selectorHasPredicate(edge.to)) {
+        throw new Error(`[${source}] rule "${rule.id}": match.edge.from and match.edge.to must each include id, type, and/or tags`);
+    }
+    return (g) => {
+        const findings = [];
+        for (let edgeIndex = 0; edgeIndex < g.edges.length; edgeIndex++) {
+            const e = g.edges[edgeIndex];
+            if (!e || typeof e !== 'object')
+                continue;
+            const { from, to } = edgeEndpoints(e);
+            if (!from || !to)
+                continue;
+            const a = g.nodeById.get(from);
+            const b = g.nodeById.get(to);
+            if (!a || !b)
+                continue;
+            if (nodeMatchesSelector(a, edge.from) && nodeMatchesSelector(b, edge.to)) {
+                findings.push({
+                    code: rule.id,
+                    severity: rule.severity,
+                    message: rule.message,
+                    nodeId: to,
+                    edgeIndex,
+                    layer: 'lint',
+                    fixHint: rule.fixHint,
+                });
+            }
+        }
+        return findings;
+    };
+}
+/**
+ * Load policy packs from in-memory file sources (same semantics as {@link loadPolicyPacksFromDirectory}).
+ * Use for ArchRad Cloud, tests, and API bodies — no filesystem required.
+ */
+export function loadPolicyPacksFromFiles(sources) {
+    const errors = [];
+    const visitors = [];
+    const seenIds = new Set();
+    let ruleCount = 0;
+    const sorted = [...sources].sort((a, b) => a.name.localeCompare(b.name));
+    if (sorted.length === 0) {
+        return { ok: false, errors: ['no policy sources provided'] };
+    }
+    for (const src of sorted) {
+        const name = src.name?.trim() || 'unnamed';
+        try {
+            const doc = parseDocument(src.content, name);
+            for (const rule of doc.rules) {
+                if (seenIds.has(rule.id)) {
+                    errors.push(`duplicate rule id "${rule.id}" (file ${name})`);
+                    continue;
+                }
+                seenIds.add(rule.id);
+                visitors.push(compileRule(rule, name));
+                ruleCount += 1;
+            }
+        }
+        catch (e) {
+            errors.push(`${name}: ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
+    if (errors.length > 0) {
+        return { ok: false, errors };
+    }
+    return { ok: true, visitors, ruleCount };
+}
+function parseDocument(text, filename) {
+    const ext = filename.toLowerCase();
+    let data;
+    if (ext.endsWith('.json')) {
+        data = JSON.parse(text);
+    }
+    else if (ext.endsWith('.yaml') || ext.endsWith('.yml')) {
+        data = yaml.load(text);
+    }
+    else {
+        throw new Error(`unsupported policy file extension: ${filename}`);
+    }
+    if (!isNonEmptyRecord(data)) {
+        throw new Error('policy document must be a JSON object');
+    }
+    const doc = data;
+    if (doc.apiVersion !== 'archrad/v1') {
+        throw new Error(`apiVersion must be "archrad/v1" (got ${String(doc.apiVersion)})`);
+    }
+    if (doc.kind !== 'PolicyPack') {
+        throw new Error(`kind must be PolicyPack (got ${String(doc.kind)})`);
+    }
+    if (!Array.isArray(doc.rules) || doc.rules.length === 0) {
+        throw new Error('rules must be a non-empty array');
+    }
+    return doc;
+}
+/**
+ * Load and compile all policy YAML/JSON files in a directory into lint visitors.
+ * Filenames: `*.yaml`, `*.yml`, `*.json` (other files ignored).
+ */
+export async function loadPolicyPacksFromDirectory(dir) {
+    const root = resolve(dir);
+    const errors = [];
+    let names;
+    try {
+        names = await readdir(root);
+    }
+    catch (e) {
+        const err = e;
+        return { ok: false, errors: [`cannot read policies directory ${root}: ${err.message}`] };
+    }
+    const policyFiles = names.filter((n) => /\.(yaml|yml|json)$/i.test(n)).sort();
+    if (policyFiles.length === 0) {
+        return { ok: false, errors: [`no policy files (*.yaml, *.yml, *.json) in ${root}`] };
+    }
+    const sources = [];
+    for (const name of policyFiles) {
+        const full = join(root, name);
+        try {
+            const text = await readFile(full, 'utf8');
+            sources.push({ name, content: text });
+        }
+        catch (e) {
+            const err = e;
+            errors.push(`${full}: ${err.message}`);
+        }
+    }
+    if (errors.length > 0) {
+        return { ok: false, errors };
+    }
+    return loadPolicyPacksFromFiles(sources);
+}

package/dist/pythonFastAPI.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pythonFastAPI.d.ts","sourceRoot":"","sources":["../src/pythonFastAPI.ts"],"names":[],"mappings":"AA4OA,wBAA8B,0BAA0B,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAC,MAAM,CAAC,CAAC,CA2ctH"}
+{"version":3,"file":"pythonFastAPI.d.ts","sourceRoot":"","sources":["../src/pythonFastAPI.ts"],"names":[],"mappings":"AA8OA,wBAA8B,0BAA0B,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAC,MAAM,CAAC,CAAC,CA2ctH"}

package/dist/pythonFastAPI.js

@@ -1,8 +1,10 @@
 // Deterministic Python FastAPI exporter
 // Produces a map of filename -> content given an IR (plan graph) and options.
 import { getEdgeConfig, generateRetryCode, generateCircuitBreakerCode } from './edgeConfigCodeGenerator.js';
+import { MAX_UNTRUSTED_STRING_LEN, stripLeadingTrailingHyphens } from './stringEdgeStrip.js';
 function safeId(id) {
-    return String(id || '').replace(/[^A-Za-z0-9_\-]/g, '-').replace(/^-+|-+$/g, '').toLowerCase() || 'node';
+    const raw = String(id || '').slice(0, MAX_UNTRUSTED_STRING_LEN);
+    return stripLeadingTrailingHyphens(raw.replace(/[^A-Za-z0-9_\-]/g, '-')).toLowerCase() || 'node';
 }
 function handlerNameFor(n) {
     if (n && n.config && n.config.name)

package/dist/static-rule-guidance.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Static, deterministic remediation text for built-in finding codes (IR-STRUCT-*, IR-LINT-*, DRIFT-*).
+ * Used by MCP `archrad_suggest_fix` — not generated architecture; same hints the engine documents in findings.
+ */
+export type StaticRuleGuidance = {
+    findingCode: string;
+    title: string;
+    remediation: string;
+    /** Canonical docs path (no analytics/query params). */
+    docsUrl: string;
+};
+/** Public OSS repo (subtree); `docs/` is at repo root in arch-deterministic. */
+export declare const RULE_CODES_DOC_BASE = "https://github.com/archradhq/arch-deterministic/blob/main/docs/RULE_CODES.md";
+/** GitHub heading anchor (must match markdown `## CODE` in docs/RULE_CODES.md). */
+export declare function githubRuleCodeAnchor(code: string): string;
+export declare function docsUrlForFindingCode(code: string): string;
+export declare function listStaticRuleCodes(): string[];
+export declare function getStaticRuleGuidance(findingCode: string): StaticRuleGuidance | null;
+//# sourceMappingURL=static-rule-guidance.d.ts.map

package/dist/static-rule-guidance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-rule-guidance.d.ts","sourceRoot":"","sources":["../src/static-rule-guidance.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,mBAAmB,iFACgD,CAAC;AAEjF,mFAAmF;AACnF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKzD;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE1D;AA2KD,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAE9C;AAED,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CASpF"}