@feiyoug/skill-lab 0.0.0 → 0.0.2

package/esm/analyzer/steps/003-risks/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/mod.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAMpE,wBAAgB,WAAW,CAAC,KAAK,EAAE,aAAa,GAAG,cAAc,CAKhE"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/mod.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AASrE,wBAAsB,WAAW,CAC7B,KAAK,EAAE,aAAa,EACpB,OAAO,CAAC,EAAE,IAAI,CAAC,eAAe,EAAE,iBAAiB,GAAG,QAAQ,CAAC,GAC9D,OAAO,CAAC,mBAAmB,CAAC,CAuC9B"}

package/esm/analyzer/steps/003-risks/mod.js

@@ -1,11 +1,48 @@
-import { toAnalyzerResult } from "./output.js";
+import * as dntShim from "../../../_dnt.shims.js";
+import ProgressBar from "../../../deps/jsr.io/@deno-library/progress/1.5.1/mod.js";
+import { SkillAnalyzerResult } from "../../result.js";
+import { DEFAULT_ANALYZER_CONFIG, resolveConfig } from "../../config/mod.js";
+import { analyzeDependencyRisks } from "./dep-risks.js";
 import { analyzeRuleMappedRisks } from "./rule-mapped.js";
 const REMOTE_SCRIPT_WARNING = "Remote script content analysis is NOT_IMPLEMENTED";
-export function run003Risks(state) {
+const ANSI_SHOW_CURSOR = "\x1b[?25h";
+const ENCODER = new TextEncoder();
+export async function run003Risks(state, context) {
     let next = state;
-    next = analyzeRuleMappedRisks(next);
+    const resolvedConfig = context?.config ?? resolveConfig(DEFAULT_ANALYZER_CONFIG);
+    const shouldRenderProgress = (context?.showProgressBar ?? false) && dntShim.Deno.stderr.isTerminal();
+    const riskBar = shouldRenderProgress
+        ? new ProgressBar({
+            total: Math.max(1, next.findings.length),
+            clear: true,
+            output: dntShim.Deno.stderr,
+            display: "Finalizing [:bar] :completed/:total findings :percent",
+        })
+        : null;
+    let processed = 0;
+    try {
+        if (riskBar) {
+            await riskBar.render(processed);
+        }
+        const resolvedContext = { config: resolvedConfig };
+        next = analyzeDependencyRisks(next, resolvedContext);
+        next = analyzeRuleMappedRisks(next, resolvedContext, () => {
+            processed += 1;
+            if (riskBar) {
+                void riskBar.render(processed);
+            }
+        });
+    }
+    finally {
+        if (riskBar) {
+            await riskBar.end();
+        }
+        if (shouldRenderProgress && dntShim.Deno.stderr.isTerminal()) {
+            dntShim.Deno.stderr.writeSync(ENCODER.encode(ANSI_SHOW_CURSOR));
+        }
+    }
     next = addRemoteScriptWarningIfNeeded(next);
-    return toAnalyzerResult(dedupeRisks(next));
+    return new SkillAnalyzerResult(dedupeRisks(next), resolvedConfig);
 }
 function addRemoteScriptWarningIfNeeded(state) {
     const hasRemoteCodeExecution = state.risks.some((risk) => risk.type === "NETWORK:remote_code_execution");

package/esm/analyzer/steps/003-risks/policy.d.ts

@@ -0,0 +1,7 @@
+import type { TreesitterGrammar } from "../../treesitter/registry.js";
+import type { AnalyzerConfig } from "../../config/mod.js";
+export declare function isDenied(config: AnalyzerConfig, grammar: TreesitterGrammar, importName: string): boolean;
+export declare function isAllowed(config: AnalyzerConfig, grammar: TreesitterGrammar, importName: string): boolean;
+export declare function isNetworkDenied(config: AnalyzerConfig, host: string): boolean;
+export declare function isNetworkAllowed(config: AnalyzerConfig, host: string): boolean;
+//# sourceMappingURL=policy.d.ts.map

package/esm/analyzer/steps/003-risks/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAY1D,wBAAgB,QAAQ,CACpB,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,iBAAiB,EAC1B,UAAU,EAAE,MAAM,GACnB,OAAO,CAGT;AAED,wBAAgB,SAAS,CACrB,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,iBAAiB,EAC1B,UAAU,EAAE,MAAM,GACnB,OAAO,CAGT;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE9E"}

package/esm/analyzer/steps/003-risks/policy.js

@@ -0,0 +1,23 @@
+function normalizeEntry(value) {
+    return value.trim().toLowerCase();
+}
+function listHasValue(list, value) {
+    if (!value || !list || list.length === 0)
+        return false;
+    const normalized = normalizeEntry(value);
+    return list.some((entry) => normalizeEntry(entry) === normalized);
+}
+export function isDenied(config, grammar, importName) {
+    const imports = config.denylist?.languages?.[grammar]?.imports;
+    return listHasValue(imports, importName);
+}
+export function isAllowed(config, grammar, importName) {
+    const imports = config.allowlist?.languages?.[grammar]?.imports;
+    return listHasValue(imports, importName);
+}
+export function isNetworkDenied(config, host) {
+    return listHasValue(config.denylist?.network?.domains, host);
+}
+export function isNetworkAllowed(config, host) {
+    return listHasValue(config.allowlist?.network?.domains, host);
+}

package/esm/analyzer/steps/003-risks/rule-mapped.d.ts

@@ -1,3 +1,3 @@
-import type { AnalyzerState } from "../../types.js";
-export declare function analyzeRuleMappedRisks(state: AnalyzerState): AnalyzerState;
+import type { AnalyzerContext, AnalyzerState } from "../../types.js";
+export declare function analyzeRuleMappedRisks(state: AnalyzerState, context: Pick<AnalyzerContext, "config">, onFindingProcessed?: () => void): AnalyzerState;
 //# sourceMappingURL=rule-mapped.d.ts.map

package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rule-mapped.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/rule-mapped.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAUpD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,aAAa,GAAG,aAAa,CA0B1E"}
+{"version":3,"file":"rule-mapped.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/rule-mapped.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAarE,wBAAgB,sBAAsB,CAClC,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,EACxC,kBAAkB,CAAC,EAAE,MAAM,IAAI,GAChC,aAAa,CAsCf"}

package/esm/analyzer/steps/003-risks/rule-mapped.js

@@ -1,11 +1,13 @@
 import { evalRuleRiskMappings, RULES_BY_ID } from "../../rules/mod.js";
 import { addRisk } from "./helpers.js";
+import { isAllowed, isDenied, isNetworkAllowed, isNetworkDenied } from "./policy.js";
+import { GRAMMAR_SPECS } from "../../treesitter/registry.js";
 const PROMPT_CATEGORY = "PROMPT";
 const INJECTION_CATEGORY = "INJECTION";
 const NETWORK_CATEGORY = "NETWORK";
 const SECRETS_CATEGORY = "SECRETS";
 const DESTRUCTIVE_CATEGORIES = new Set(["DESTRUCTIVE", "PRIVILEGE", "PERSISTENCE"]);
-export function analyzeRuleMappedRisks(state) {
+export function analyzeRuleMappedRisks(state, context, onFindingProcessed) {
     let next = state;
     for (const finding of next.findings) {
         const rule = RULES_BY_ID.get(finding.ruleId);
@@ -14,21 +16,100 @@ export function analyzeRuleMappedRisks(state) {
         const matchedPermission = resolvePermissionForFinding(next, finding);
         const mapped = evalRuleRiskMappings(rule, { permission: matchedPermission, finding });
         for (const risk of mapped) {
+            const policy = resolvePolicyForRisk({
+                context,
+                rule,
+                finding,
+                permission: matchedPermission,
+                risk,
+            });
+            if (policy.skip)
+                continue;
             const permissionIds = selectPermissionIds(next, finding, risk.code, matchedPermission);
             if (permissionIds.length === 0)
                 continue;
             next = addRisk(next, {
                 type: risk.code,
+                groupKey: matchedPermission ? `${risk.code}:${matchedPermission.tool}` : risk.code,
                 severity: risk.severity,
                 message: risk.message,
                 permissionIds,
                 reference: finding.reference,
-                metadata: risk.metadata ?? finding.extracted,
+                metadata: policy.metadata,
             });
         }
+        onFindingProcessed?.();
     }
     return next;
 }
+function resolvePolicyForRisk(input) {
+    const { context, rule, finding, permission, risk } = input;
+    const baseMetadata = (risk.metadata ?? finding.extracted);
+    const policyMetadata = {};
+    if (risk.code.startsWith("NETWORK:")) {
+        const host = resolveHost(baseMetadata);
+        if (host) {
+            if (isNetworkDenied(context.config, host)) {
+                policyMetadata.network = { host, source: "denylist" };
+            }
+            else if (isNetworkAllowed(context.config, host)) {
+                return { skip: true };
+            }
+        }
+    }
+    const grammar = resolveRuleGrammar(rule);
+    const importName = resolveImportName(finding, permission);
+    if (grammar && importName) {
+        if (isDenied(context.config, grammar, importName)) {
+            policyMetadata.language = { grammar, importName, source: "denylist" };
+        }
+        else if (isAllowed(context.config, grammar, importName)) {
+            return { skip: true };
+        }
+    }
+    const metadata = Object.keys(policyMetadata).length
+        ? { ...(baseMetadata ?? {}), policy: policyMetadata }
+        : baseMetadata;
+    return { skip: false, metadata };
+}
+function resolveRuleGrammar(rule) {
+    if (!rule)
+        return null;
+    if ("grammar" in rule && typeof rule.grammar === "string") {
+        return rule.grammar in GRAMMAR_SPECS ? rule.grammar : null;
+    }
+    return null;
+}
+function resolveImportName(finding, permission) {
+    const extracted = finding.extracted;
+    const candidates = [
+        extracted?.import,
+        extracted?.module,
+        extracted?.package,
+        extracted?.dependency,
+    ];
+    for (const value of candidates) {
+        if (typeof value === "string" && value.trim())
+            return value.trim();
+    }
+    if (permission?.metadata) {
+        const meta = permission.metadata;
+        const metaCandidates = [meta.import, meta.module, meta.package, meta.dependency];
+        for (const value of metaCandidates) {
+            if (typeof value === "string" && value.trim())
+                return value.trim();
+        }
+    }
+    return undefined;
+}
+function resolveHost(metadata) {
+    if (!metadata)
+        return undefined;
+    const raw = metadata.host;
+    if (typeof raw === "string" && raw.trim())
+        return raw.trim();
+    return undefined;
+}
 function resolvePermissionForFinding(state, finding) {
     return state.permissions.find((permission) => overlaps(permission, finding));
 }

package/esm/analyzer/steps/003-risks/scoring.d.ts

@@ -1,7 +1,15 @@
+import type { AnalyzerConfig } from "../../config/mod.js";
 import type { AnalyzerState } from "../../types.js";
+type RiskLevel = "safe" | "caution" | "attention" | "risky" | "avoid";
 export declare function scoreState(state: AnalyzerState): {
     score: number;
-    riskLevel: "safe" | "caution" | "attention" | "risky" | "avoid";
+    riskLevel: RiskLevel;
     summary: string;
 };
+export declare function scoreState(state: AnalyzerState, config: AnalyzerConfig): {
+    score: number;
+    riskLevel: RiskLevel;
+    summary: string;
+};
+export {};
 //# sourceMappingURL=scoring.d.ts.map

package/esm/analyzer/steps/003-risks/scoring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/scoring.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpD,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,WAAW,GAAG,OAAO,GAAG,OAAO,CAAC;IAChE,OAAO,EAAE,MAAM,CAAC;CACnB,CA0CA"}
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../../../../src/analyzer/steps/003-risks/scoring.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpD,KAAK,SAAS,GAAG,MAAM,GAAG,SAAS,GAAG,WAAW,GAAG,OAAO,GAAG,OAAO,CAAC;AAGtE,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACnB,CAAC;AACF,wBAAgB,UAAU,CACtB,KAAK,EAAE,aAAa,EACpB,MAAM,EAAE,cAAc,GACvB;IACC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACnB,CAAC"}

package/esm/analyzer/steps/003-risks/scoring.js

@@ -1,58 +1,71 @@
-import { SCORING } from "../../config.js";
-export function scoreState(state) {
-    const severityScore = Math.max(0, ...state.risks.map((risk) => SCORING.severity[risk.severity]));
-    const permissionScore = Math.max(0, ...state.permissions.map((perm) => {
-        const base = SCORING.permissions[`${perm.scope}:${perm.permission}`] ?? 0;
-        const wildcard = perm.args?.includes("*") ? SCORING.scopeWildcard : 0;
-        return base + wildcard;
-    }));
-    let uplift = 0;
-    const hasExternalPost = state.risks.some((risk) => risk.type === "NETWORK:data_exfiltration" &&
-        ["POST", "PUT", "PATCH"].includes(String(risk.metadata?.method ?? "GET").toUpperCase()));
-    if (hasExternalPost)
-        uplift += SCORING.uplift.externalPost;
-    const hasPipeToShell = state.risks.some((risk) => risk.type === "NETWORK:remote_code_execution");
-    if (hasPipeToShell)
-        uplift += SCORING.uplift.pipeToShell;
-    const criticalCount = state.risks.filter((risk) => risk.severity === "critical").length;
-    if (criticalCount >= 3)
-        uplift += SCORING.uplift.multipleCritical;
-    const hasSecretTransfer = state.risks.some((risk) => risk.type === "NETWORK:credential_leak" ||
-        risk.type === "NETWORK:localhost_secret_exposure");
-    if (hasSecretTransfer)
-        uplift += SCORING.uplift.secretsInRequest;
-    const score = severityScore + permissionScore + uplift;
-    const riskLevel = toRiskLevel(score);
+import { DEFAULT_ANALYZER_CONFIG, resolveConfig } from "../../config/mod.js";
+const SEVERITY_ORDER = { critical: 0, warning: 1, info: 2 };
+export function scoreState(state, config) {
+    const resolvedConfig = resolveConfig(config ?? DEFAULT_ANALYZER_CONFIG);
+    const baseScore = {
+        info: 0,
+        warning: 1,
+        critical: 5,
+        ...(resolvedConfig.riskReport?.baseScore ?? {}),
+    };
+    const upliftConfig = resolvedConfig.riskReport?.uplift ?? {};
+    const thresholds = {
+        safe: 0,
+        caution: 1,
+        attention: 3,
+        risky: 5,
+        avoid: 7,
+        ...(resolvedConfig.riskReport?.thresholds ?? {}),
+    };
+    const groupedSeverity = new Map();
+    const ungroupedSeverity = [];
+    for (const risk of state.risks) {
+        const score = baseScore[risk.severity] ?? 0;
+        if (risk.groupKey) {
+            groupedSeverity.set(risk.groupKey, Math.max(groupedSeverity.get(risk.groupKey) ?? 0, score));
+            continue;
+        }
+        ungroupedSeverity.push(score);
+    }
+    const severityScore = Math.max(0, ...ungroupedSeverity, ...groupedSeverity.values());
+    const riskTypes = new Set(state.risks.map((risk) => risk.type));
+    const upliftScore = Array.from(riskTypes).reduce((sum, riskType) => sum + (upliftConfig[riskType] ?? 0), 0);
+    const score = severityScore + upliftScore;
+    const riskLevel = toRiskLevel(score, thresholds);
     const summary = buildSummary(state, riskLevel);
     return { score, riskLevel, summary };
 }
-function toRiskLevel(score) {
-    if (score <= 0)
-        return "safe";
-    if (score <= 2)
-        return "caution";
-    if (score <= 4)
-        return "attention";
-    if (score <= 6)
+function toRiskLevel(score, thresholds) {
+    if (score >= thresholds.avoid)
+        return "avoid";
+    if (score >= thresholds.risky)
         return "risky";
-    return "avoid";
+    if (score >= thresholds.attention)
+        return "attention";
+    if (score >= thresholds.caution)
+        return "caution";
+    return "safe";
 }
 function buildSummary(state, riskLevel) {
-    const topRisk = state.risks[0]?.type ?? "no major risks";
-    const topPermission = state.permissions[0]
-        ? `${state.permissions[0].scope}:${state.permissions[0].permission}`
-        : "no permissions";
+    if (state.risks.length === 0)
+        return "No significant risk signals detected.";
+    const sorted = [...state.risks].sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+    const topSeverity = sorted[0].severity;
+    const topTypes = [
+        ...new Set(sorted.filter((risk) => risk.severity === topSeverity).map((risk) => risk.type)),
+    ].slice(0, 3);
+    const typeList = topTypes.join(", ");
     if (riskLevel === "avoid") {
-        return `Critical risks detected (${topRisk}) with elevated capability (${topPermission}).`;
+        return `Severe risks detected: ${typeList}.`;
     }
     if (riskLevel === "risky") {
-        return `Elevated risk profile (${topRisk}) and broad access (${topPermission}).`;
+        return `Elevated risk: ${typeList}.`;
     }
     if (riskLevel === "attention") {
-        return `Moderate risk signal (${topRisk}) from detected capabilities.`;
+        return `Moderate risk: ${typeList}.`;
     }
     if (riskLevel === "caution") {
-        return `Low-risk profile with limited permissions (${topPermission}).`;
+        return `Low-risk signals: ${typeList}.`;
     }
     return "No significant risk signals detected.";
 }

package/esm/analyzer/treesitter/client.d.ts

@@ -0,0 +1,31 @@
+import { Parser, Query, Tree } from "web-tree-sitter";
+import type { TreesitterGrammar } from "./registry.js";
+import type { AnalyzerLogger } from "../types.js";
+export declare class TreesitterClient {
+    private readonly logger;
+    private readonly showProgressBar;
+    private PARSER_BY_GRAMMAR;
+    private LANG_BY_GRAMMAR;
+    private QUERY_CACHE;
+    private ROOT_NODE_CACHE_BY_CONTENT;
+    /** Parser.init() is idempotent but we avoid re-calling it. */
+    private parserInitialized;
+    constructor(logger?: AnalyzerLogger, showProgressBar?: boolean);
+    private ensureParserInit;
+    getParser(grammar: TreesitterGrammar): Promise<Parser>;
+    /**
+     * Creates (and caches) a tree-sitter Query for the given grammar and S-expression query string.
+     */
+    createQuery(grammar: TreesitterGrammar, queryString: string): Promise<Query>;
+    /**
+     * Parses content into a tree-sitter Tree with memoization.
+     *
+     * Cache key strategy:
+     * - first level: content length
+     * - second level: fast non-cryptographic hash of content
+     */
+    parse(grammar: TreesitterGrammar, content: string): Promise<Tree>;
+    private getTreeCache;
+    private hashContent;
+}
+//# sourceMappingURL=client.d.ts.map

package/esm/analyzer/treesitter/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/analyzer/treesitter/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,qBAAa,gBAAgB;IAYrB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,eAAe;IAZpC,OAAO,CAAC,iBAAiB,CAAkD;IAC3E,OAAO,CAAC,eAAe,CAAoD;IAC3E,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,0BAA0B,CAG3B;IACP,8DAA8D;IAC9D,OAAO,CAAC,iBAAiB,CAAkB;gBAGtB,MAAM,GAAE,cAA6B,EACrC,eAAe,GAAE,OAAe;YAGvC,gBAAgB;IAOjB,SAAS,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IAwBnE;;OAEG;IACU,WAAW,CAAC,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAazF;;;;;;OAMG;IACU,KAAK,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwB9E,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,WAAW;CAStB"}

package/esm/analyzer/{treesiter → treesitter}/client.js

@@ -1,10 +1,20 @@
-// export type TreesitterQuery = {
-//     matches: (
-//         node: unknown,
-//     ) => Array<{ captures: Array<{ name: string; node: unknown }> }>;
-// };
+import { Language, Parser, Query } from "web-tree-sitter";
+import { ensureGrammar } from "./registry.js";
+import { NO_OP_LOGGER } from "../logging.js";
 export class TreesitterClient {
-    constructor() {
+    constructor(logger = NO_OP_LOGGER, showProgressBar = false) {
+        Object.defineProperty(this, "logger", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: logger
+        });
+        Object.defineProperty(this, "showProgressBar", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: showProgressBar
+        });
         Object.defineProperty(this, "PARSER_BY_GRAMMAR", {
             enumerable: true,
             configurable: true,
@@ -23,50 +33,42 @@ export class TreesitterClient {
             writable: true,
             value: new Map()
         });
-        Object.defineProperty(this, "ROOT_NODE_CACHE_BY_GRAMMAR", {
+        Object.defineProperty(this, "ROOT_NODE_CACHE_BY_CONTENT", {
             enumerable: true,
             configurable: true,
             writable: true,
             value: {}
         });
-        Object.defineProperty(this, "GRAMMER_LIB_BY_LANGUAGE", {
+        /** Parser.init() is idempotent but we avoid re-calling it. */
+        Object.defineProperty(this, "parserInitialized", {
             enumerable: true,
             configurable: true,
             writable: true,
-            value: {
-                markdown: { lib: "@tree-sitter-grammars/tree-sitter-markdown" },
-                "markdown-inline": {
-                    lib: "@tree-sitter-grammars/tree-sitter-markdown",
-                    module: "inline",
-                },
-            }
+            value: false
         });
     }
+    async ensureParserInit() {
+        if (this.parserInitialized)
+            return;
+        await Parser.init();
+        this.parserInitialized = true;
+    }
     async getParser(grammar) {
         if (this.PARSER_BY_GRAMMAR[grammar]) {
             return this.PARSER_BY_GRAMMAR[grammar];
         }
-        const gramerLib = this.GRAMMER_LIB_BY_LANGUAGE[grammar];
-        if (!gramerLib) {
-            throw new Error(`Treesiter for ${grammar} is not configured`);
+        await this.ensureParserInit();
+        let lang = this.LANG_BY_GRAMMAR[grammar];
+        if (!lang) {
+            const wasmPath = await ensureGrammar(grammar, {
+                logger: this.logger,
+                showProgressBar: this.showProgressBar,
+            });
+            lang = await Language.load(wasmPath);
+            this.LANG_BY_GRAMMAR[grammar] = lang;
         }
-        const [{ default: Parser }, libModule] = await Promise.all([
-            import("tree-sitter"),
-            import(gramerLib.lib),
-        ]);
-        // The markdown npm package exposes sub-grammars via "module.exports":
-        // { default: ..., "module.exports": { name, language, inline, nodeTypeInfo } }
-        let grammarModule = libModule.default;
-        if (gramerLib.module) {
-            const moduleExports = libModule["module.exports"];
-            grammarModule = moduleExports?.[gramerLib.module];
-        }
-        if (!grammarModule) {
-            throw new Error(`Invalid tree-sitter grammar: "${gramerLib.module}" not found in ${gramerLib.lib}`);
-        }
-        this.LANG_BY_GRAMMAR[grammar] = grammarModule;
         const parser = new Parser();
-        parser.setLanguage(grammarModule);
+        parser.setLanguage(lang);
         this.PARSER_BY_GRAMMAR[grammar] = parser;
         return parser;
     }
@@ -79,9 +81,8 @@ export class TreesitterClient {
             return this.QUERY_CACHE.get(cacheKey);
         }
         await this.getParser(grammar); // ensures LANG_BY_GRAMMAR[grammar] is populated
-        const { default: Parser } = await import("tree-sitter");
         const lang = this.LANG_BY_GRAMMAR[grammar];
-        const query = new Parser.Query(lang, queryString);
+        const query = new Query(lang, queryString);
         this.QUERY_CACHE.set(cacheKey, query);
         return query;
     }
@@ -104,6 +105,9 @@ export class TreesitterClient {
         }
         const parser = await this.getParser(grammar);
         const tree = parser.parse(content);
+        if (!tree) {
+            throw new Error(`Failed to parse ${grammar} content`);
+        }
         const hash = this.hashContent(content);
         const bucket = treeCacheByLen.get(len) ?? new Map();
         bucket.set(hash, tree);
@@ -111,10 +115,10 @@ export class TreesitterClient {
         return tree;
     }
     getTreeCache(grammar) {
-        if (!this.ROOT_NODE_CACHE_BY_GRAMMAR[grammar]) {
-            this.ROOT_NODE_CACHE_BY_GRAMMAR[grammar] = new Map();
+        if (!this.ROOT_NODE_CACHE_BY_CONTENT[grammar]) {
+            this.ROOT_NODE_CACHE_BY_CONTENT[grammar] = new Map();
         }
-        return this.ROOT_NODE_CACHE_BY_GRAMMAR[grammar];
+        return this.ROOT_NODE_CACHE_BY_CONTENT[grammar];
     }
     hashContent(content) {
         // FNV-1a 32-bit (fast, non-cryptographic)

package/esm/analyzer/treesitter/registry.d.ts

@@ -0,0 +1,73 @@
+import type { AnalyzerLogger } from "../types.js";
+export type GrammarSpec = {
+    /** Local filename used in the cache directory. */
+    filename: string;
+    /** Exact, version-pinned URL to download the grammar .wasm from. */
+    url: string;
+};
+/**
+ * Grammar specifications. All URLs are exact version-pinned to ensure
+ * ABI compatibility with web-tree-sitter@0.25.4.
+ *
+ * Grammar .wasm files are compiled by the tree-sitter CLI against a specific
+ * WASM ABI. Mixing grammar versions with a different web-tree-sitter version
+ * causes silent parse failures, so both must be pinned together.
+ */
+export declare const GRAMMAR_SPECS: {
+    bash: {
+        filename: string;
+        url: string;
+    };
+    javascript: {
+        filename: string;
+        url: string;
+    };
+    python: {
+        filename: string;
+        url: string;
+    };
+    typescript: {
+        filename: string;
+        url: string;
+    };
+    tsx: {
+        filename: string;
+        url: string;
+    };
+    markdown: {
+        filename: string;
+        url: string;
+    };
+    "markdown-inline": {
+        filename: string;
+        url: string;
+    };
+};
+/** Available languages for tree-sitter grammars. */
+export type TreesitterGrammar = keyof typeof GRAMMAR_SPECS;
+/**
+ * Returns the skill-lab cache directory, following XDG conventions.
+ *
+ * Priority:
+ *   1. $SKILL_LAB_CACHE_DIR — explicit override
+ *   2. $XDG_CACHE_HOME/skill-lab — if XDG_CACHE_HOME is set
+ *   3. Platform default:
+ *        Linux/macOS: ~/.cache/skill-lab
+ *        Windows:     %LOCALAPPDATA%\skill-lab\Cache
+ */
+export declare function getCacheDir(): string;
+/**
+ * Ensures a grammar .wasm file is present in the local cache.
+ *
+ * On first call for a given language, downloads the file from the pinned URL
+ * in GRAMMAR_SPECS. Subsequent calls return immediately from cache.
+ *
+ * @param lang - Language key (e.g. "bash", "typescript", "markdown-inline")
+ * @param opts.logger - Optional logger for download events
+ * @returns Absolute path to the cached .wasm file
+ */
+export declare function ensureGrammar(lang: string, opts?: {
+    logger?: AnalyzerLogger;
+    showProgressBar?: boolean;
+}): Promise<string>;
+//# sourceMappingURL=registry.d.ts.map

package/esm/analyzer/treesitter/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/analyzer/treesitter/registry.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAOlD,MAAM,MAAM,WAAW,GAAG;IACtB,kDAAkD;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;CACf,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6Ba,CAAC;AAExC,oDAAoD;AACpD,MAAM,MAAM,iBAAiB,GAAG,MAAM,OAAO,aAAa,CAAC;AAE3D;;;;;;;;;GASG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAgBpC;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CAC/B,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE;IACH,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC7B,GACF,OAAO,CAAC,MAAM,CAAC,CAgFjB"}