@getmikk/core 1.8.2 → 1.9.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@getmikk/core",
-    "version": "1.8.2",
+    "version": "1.9.0",
     "license": "Apache-2.0",
     "repository": {
         "type": "git",
@@ -24,6 +24,8 @@
         "@types/better-sqlite3": "^7.6.13",
         "better-sqlite3": "^12.6.2",
         "fast-glob": "^3.3.0",
+        "oxc-parser": "^0.121.0",
+        "oxc-resolver": "^11.19.1",
         "tree-sitter-wasms": "^0.1.13",
         "web-tree-sitter": "0.20.8",
         "zod": "^3.22.0"

package/src/constants.ts

@@ -0,0 +1,285 @@
+/**
+ * Centralized constants for the Mikk codebase
+ * 
+ * This file contains all magic numbers, thresholds, and configuration values
+ * that were previously scattered throughout the codebase.
+ */
+
+// ─── Memory Management ───────────────────────────────────────────────────────
+
+export const MEMORY_LIMITS = {
+    WARNING: 100 * 1024 * 1024,    // 100MB
+    CRITICAL: 200 * 1024 * 1024,   // 200MB
+    EMERGENCY: 400 * 1024 * 1024,  // 400MB
+} as const
+
+export const MEMORY_CONFIG = {
+    MAX_AGE: 30 * 60 * 1000,        // 30 minutes
+    MAX_NODES: 10000,               // Maximum nodes to keep in memory
+    GC_INTERVAL: 60 * 1000,         // GC check interval (1 minute)
+    LARGE_GRAPH_THRESHOLD: 5000,    // Nodes count to trigger memory monitoring
+    MEMORY_CHECK_INTERVAL: 1000,    // Check memory every N nodes processed
+    MEMORY_INCREASE_THRESHOLD: 100 * 1024 * 1024, // 100MB increase triggers GC
+} as const
+
+// ─── Token Budgeting ───────────────────────────────────────────────────────
+
+export const TOKEN_BUDGETS = {
+    DEFAULT_CLAUDE_MD: 12000,
+    DEFAULT_CONTEXT_QUERY: 6000,
+    MIN_TOKEN_BUDGET: 1000,
+    MAX_TOKEN_BUDGET: 50000,
+} as const
+
+export const TOKEN_ESTIMATION = {
+    CHARS_PER_TOKEN: 3.8,          // Average for GPT-4 tokenizer
+    MIN_CHARS_PER_TOKEN: 2.0,      // For dense code
+    MAX_CHARS_PER_TOKEN: 6.0,      // For sparse text
+    OVERFLOW_ALLOWANCE: 0.1,       // 10% buffer
+} as const
+
+// ─── Graph Traversal ─────────────────────────────────────────────────────────
+
+export const GRAPH_LIMITS = {
+    DEFAULT_MAX_HOPS: 4,
+    MAX_HOPS_HARD_LIMIT: 10,
+    MIN_HOPS: 1,
+    BREADTH_FIRST_QUEUE_SIZE: 1000,
+} as const
+
+export const RISK_SCORING = {
+    CRITICAL_THRESHOLD: 80,
+    HIGH_THRESHOLD: 60,
+    MEDIUM_THRESHOLD: 40,
+    MODULE_BOUNDARY_BOOST: 80,     // Risk boost for crossing module boundaries
+} as const
+
+export const CONFIDENCE_SCORING = {
+    DEFAULT_CONFIDENCE: 1.0,
+    MIN_CONFIDENCE: 0.0,
+    MAX_CONFIDENCE: 1.0,
+    DECIMAL_PLACES: 3,
+} as const
+
+// ─── File Processing ───────────────────────────────────────────────────────
+
+export const FILE_LIMITS = {
+    MAX_FILE_SIZE: 5 * 1024 * 1024,  // 5MB
+    MAX_FILE_SIZE_FOR_PROCESSING: 10 * 1024 * 1024, // 10MB
+    MAX_FILES_PER_DIRECTORY: 1000,
+} as const
+
+export const FILE_PATTERNS = {
+    IGNORED_DIRECTORIES: [
+        'node_modules',
+        '.git',
+        '.vscode',
+        '.idea',
+        'dist',
+        'build',
+        'coverage',
+        '.next',
+        '.nuxt',
+        '.cache',
+        'tmp',
+        'temp',
+    ],
+    SOURCE_EXTENSIONS: [
+        'ts', 'tsx', 'js', 'jsx', 'mjs', 'cjs',
+        'py', 'go', 'rs', 'java', 'kt', 'cs', 'swift',
+        'php', 'rb', 'dart', 'ex', 'exs',
+    ],
+    CONFIG_EXTENSIONS: [
+        'json', 'yaml', 'yml', 'toml', 'xml',
+        'md', 'txt', 'env', 'config',
+    ],
+} as const
+
+// ─── Benchmark Configuration ─────────────────────────────────────────────────
+
+export const BENCHMARK_CONFIG = {
+    DEFAULT_TIMEOUT: 10000,         // 10 seconds
+    COMMAND_TIMEOUT: 15000,         // 15 seconds for external commands
+    MAX_TEST_CASES: 100,
+    SCORING_PRECISION: 2,           // Decimal places for scores
+} as const
+
+export const BENCHMARK_THRESHOLDS = {
+    MIN_ACCURACY: 0,                // 0%
+    MAX_ACCURACY: 100,              // 100%
+    TOKEN_EFFICIENCY_MIN: 0.1,     // 10% efficiency
+    TOKEN_EFFICIENCY_MAX: 10.0,    // 1000% efficiency
+} as const
+
+// ─── Dead Code Detection ─────────────────────────────────────────────────────
+
+export const DEAD_CODE_PATTERNS = {
+    ENTRY_POINT_PATTERNS: [
+        /^(main|bootstrap|start|init|setup|configure|register|mount)$/i,
+        /^(app|server|index|mod|program)$/i,
+        /Handler$/i,
+        /Middleware$/i,
+        /Controller$/i,
+        /^use[A-Z]/,       // React hooks
+        /^handle[A-Z]/,    // Event handlers
+        /^on[A-Z]/,        // Event listeners
+    ],
+    TEST_PATTERNS: [
+        /^(it|describe|test|beforeAll|afterAll|beforeEach|afterEach)$/,
+        /\.test\./,
+        /\.spec\./,
+        /__test__/,
+    ],
+    DYNAMIC_USAGE_PATTERNS: [
+        /^addEventListener$/i,
+        /^removeEventListener$/i,
+        /^on[A-Z]/,
+        /(invoke|dispatch|emit|call|apply)/i,
+        /^ngOnInit$/i,
+        /^componentDidMount$/i,
+        /^componentWillUnmount$/i,
+    ],
+} as const
+
+export const DEAD_CODE_CONFIDENCE = {
+    HIGH_CONFIDENCE_RULES: 3,       // Number of rules to pass for high confidence
+    MEDIUM_CONFIDENCE_RULES: 2,     // Number of rules to pass for medium confidence
+} as const
+
+// ─── Error Handling ─────────────────────────────────────────────────────────
+
+export const ERROR_CODES = {
+    // File system errors
+    FILE_NOT_FOUND: 'FILE_NOT_FOUND',
+    FILE_TOO_LARGE: 'FILE_TOO_LARGE',
+    PERMISSION_DENIED: 'PERMISSION_DENIED',
+    DIRECTORY_NOT_FOUND: 'DIRECTORY_NOT_FOUND',
+    
+    // Module loading errors
+    MODULE_NOT_FOUND: 'MODULE_NOT_FOUND',
+    MODULE_LOAD_FAILED: 'MODULE_LOAD_FAILED',
+    
+    // Graph errors
+    GRAPH_BUILD_FAILED: 'GRAPH_BUILD_FAILED',
+    NODE_NOT_FOUND: 'NODE_NOT_FOUND',
+    CIRCULAR_DEPENDENCY: 'CIRCULAR_DEPENDENCY',
+    
+    // Token/budget errors
+    TOKEN_BUDGET_EXCEEDED: 'TOKEN_BUDGET_EXCEEDED',
+    INVALID_TOKEN_COUNT: 'INVALID_TOKEN_COUNT',
+    
+    // General errors
+    INVALID_INPUT: 'INVALID_INPUT',
+    OPERATION_TIMEOUT: 'OPERATION_TIMEOUT',
+    UNKNOWN_ERROR: 'UNKNOWN_ERROR',
+} as const
+
+export const ERROR_MESSAGES = {
+    [ERROR_CODES.FILE_NOT_FOUND]: 'Required file not found: {file}. Run \'mikk init\' first.',
+    [ERROR_CODES.FILE_TOO_LARGE]: 'File too large for processing: {file} ({size} bytes, limit: {limit} bytes)',
+    [ERROR_CODES.PERMISSION_DENIED]: 'Permission denied accessing: {path}',
+    [ERROR_CODES.DIRECTORY_NOT_FOUND]: 'Directory not found: {path}',
+    
+    [ERROR_CODES.MODULE_NOT_FOUND]: 'Required module not found: {module}',
+    [ERROR_CODES.MODULE_LOAD_FAILED]: 'Failed to load module: {module}. Ensure \'bun run build\' has been executed.',
+    
+    [ERROR_CODES.GRAPH_BUILD_FAILED]: 'Failed to build dependency graph: {reason}',
+    [ERROR_CODES.NODE_NOT_FOUND]: 'Node not found in graph: {nodeId}',
+    [ERROR_CODES.CIRCULAR_DEPENDENCY]: 'Circular dependency detected: {path}',
+    
+    [ERROR_CODES.TOKEN_BUDGET_EXCEEDED]: 'Token budget exceeded: {used} > {budget}',
+    [ERROR_CODES.INVALID_TOKEN_COUNT]: 'Invalid token count: {count}',
+    
+    [ERROR_CODES.INVALID_INPUT]: 'Invalid input: {reason}',
+    [ERROR_CODES.OPERATION_TIMEOUT]: 'Operation timed out after {timeout}ms',
+    [ERROR_CODES.UNKNOWN_ERROR]: 'Unexpected error: {message}',
+} as const
+
+// ─── Performance Tuning ─────────────────────────────────────────────────────
+
+export const PERFORMANCE_CONFIG = {
+    CACHE_SIZE_LIMIT: 10000,        // Maximum cache entries
+    CACHE_TTL: 30 * 60 * 1000,      // 30 minutes
+    BATCH_SIZE: 100,               // Operations per batch
+    CONCURRENT_LIMIT: 10,          // Maximum concurrent operations
+} as const
+
+// ─── Logging & Debugging ────────────────────────────────────────────────────
+
+export const LOG_LEVELS = {
+    ERROR: 0,
+    WARN: 1,
+    INFO: 2,
+    DEBUG: 3,
+    TRACE: 4,
+} as const
+
+export const DEBUG_CONFIG = {
+    ENABLE_MEMORY_LOGGING: false,
+    ENABLE_PERFORMANCE_LOGGING: false,
+    ENABLE_GRAPH_LOGGING: false,
+    LOG_SAMPLE_RATE: 0.1,          // Log 10% of operations
+} as const
+
+// ─── Validation Rules ───────────────────────────────────────────────────────
+
+export const VALIDATION_RULES = {
+    MIN_PROJECT_NAME_LENGTH: 1,
+    MAX_PROJECT_NAME_LENGTH: 100,
+    MIN_MODULE_NAME_LENGTH: 1,
+    MAX_MODULE_NAME_LENGTH: 50,
+    MIN_FUNCTION_NAME_LENGTH: 1,
+    MAX_FUNCTION_NAME_LENGTH: 100,
+    MAX_DESCRIPTION_LENGTH: 1000,
+} as const
+
+// ─── API Configuration ───────────────────────────────────────────────────────
+
+export const API_CONFIG = {
+    DEFAULT_PAGE_SIZE: 20,
+    MAX_PAGE_SIZE: 100,
+    MIN_PAGE_SIZE: 1,
+    RATE_LIMIT_WINDOW: 60 * 1000,  // 1 minute
+    RATE_LIMIT_MAX_REQUESTS: 1000,
+} as const
+
+// ─── Utility Functions ─────────────────────────────────────────────────────
+
+/**
+ * Format bytes to human readable string
+ */
+export function formatBytes(bytes: number): string {
+    const units = ['B', 'KB', 'MB', 'GB']
+    let size = bytes
+    let unitIndex = 0
+    
+    while (size >= 1024 && unitIndex < units.length - 1) {
+        size /= 1024
+        unitIndex++
+    }
+    
+    return `${size.toFixed(1)}${units[unitIndex]}`
+}
+
+/**
+ * Format milliseconds to human readable string
+ */
+export function formatDuration(ms: number): string {
+    if (ms < 1000) return `${ms}ms`
+    if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`
+    return `${(ms / 60000).toFixed(1)}m`
+}
+
+/**
+ * Check if a value is within a range
+ */
+export function inRange(value: number, min: number, max: number): boolean {
+    return value >= min && value <= max
+}
+
+/**
+ * Clamp a value to a range
+ */
+export function clamp(value: number, min: number, max: number): number {
+    return Math.max(min, Math.min(max, value))
+}

package/src/contract/contract-generator.ts

@@ -76,6 +76,13 @@ export class ContractGenerator {
                 mode: 'never',
                 requireConfirmation: true,
             },
+            policies: {
+                maxRiskScore: 70,
+                maxImpactNodes: 10,
+                protectedModules: ['auth', 'security', 'billing'],
+                enforceStrictBoundaries: true,
+                requireReasoningForCritical: true,
+            },
         }
     }
 

package/src/contract/index.ts

@@ -1,8 +1,8 @@
 export {
     MikkContractSchema, MikkLockSchema,
-    MikkModuleSchema, MikkDecisionSchema, MikkOverwriteSchema,
+    MikkModuleSchema, MikkDecisionSchema, MikkOverwriteSchema, MikkPolicySchema,
     MikkLockFunctionSchema, MikkLockModuleSchema, MikkLockFileSchema,
-    type MikkContract, type MikkLock, type MikkModule, type MikkDecision,
+    type MikkContract, type MikkLock, type MikkModule, type MikkDecision, type MikkPolicy,
     type MikkLockFunction, type MikkLockModule, type MikkLockFile,
 } from './schema.js'
 export { LockCompiler } from './lock-compiler.js'
@@ -11,4 +11,3 @@ export { ContractReader } from './contract-reader.js'
 export { LockReader } from './lock-reader.js'
 export { ContractGenerator } from './contract-generator.js'
 export { AdrManager } from './adr-manager.js'
-

package/src/contract/lock-compiler.ts

@@ -4,6 +4,7 @@ import type { MikkContract, MikkLock } from './schema.js'
 import type { DependencyGraph } from '../graph/types.js'
 import type { ParsedFile } from '../parser/types.js'
 import type { ContextFile } from '../utils/fs.js'
+import * as nodePath from 'node:path'
 import { hashContent } from '../hash/file-hasher.js'
 import { computeModuleHash, computeRootHash } from '../hash/tree-hasher.js'
 import { minimatch } from '../utils/minimatch.js'
@@ -42,6 +43,17 @@ const GETTER_PREFIXES = ['get', 'fetch', 'load', 'find', 'query', 'retrieve', 'r
 const SETTER_PREFIXES = ['set', 'update', 'save', 'write', 'put', 'patch', 'create', 'delete', 'remove']
 const CHECKER_PREFIXES = ['is', 'has', 'can', 'should', 'check', 'validate']
 
+function getModuleMatchPath(filePath: string, projectRootPath: string | null): string {
+    const normalized = filePath.replace(/\\/g, '/')
+    if (!projectRootPath) return normalized
+    const relative = nodePath.relative(projectRootPath, filePath)
+    if (relative === '') return normalized
+    if (!relative.startsWith('..')) {
+        return relative.replace(/\\/g, '/')
+    }
+    return normalized
+}
+
 /** Infer a short purpose string from function metadata when JSDoc is missing */
 function inferPurpose(
     name: string,
@@ -111,6 +123,7 @@ function capitalise(s: string): string {
  * and compiles the complete mikk.lock.json.
  */
 export class LockCompiler {
+    private projectRootPath: string | null = null
     /** Main entry -- compile full lock from graph + contract + parsed files */
     compile(
         graph: DependencyGraph,
@@ -119,6 +132,7 @@ export class LockCompiler {
         contextFiles?: ContextFile[],
         projectRoot?: string
     ): MikkLock {
+        this.projectRootPath = projectRoot ? nodePath.resolve(projectRoot) : null
         const functions = this.compileFunctions(graph, contract)
         const classes = this.compileClasses(graph, contract)
         const generics = this.compileGenerics(graph, contract)
@@ -132,7 +146,7 @@ export class LockCompiler {
         }
 
         const lockData: MikkLock = {
-            version: '1.7.0',
+            version: '2.0.0',
             generatedAt: new Date().toISOString(),
             generatorVersion: VERSION,
             projectRoot: projectRoot ?? contract.project.name,
@@ -181,33 +195,35 @@ export class LockCompiler {
             if (node.type !== 'function') continue
 
             const moduleId = this.findModule(node.file, contract.declared.modules)
+            const displayName = node.name ?? ''
+            const metadata = node.metadata ?? {}
             const inEdges = graph.inEdges.get(id) || []
             const outEdges = graph.outEdges.get(id) || []
 
             result[id] = {
                 id,
-                name: node.label,
+                name: displayName,
                 file: node.file,
-                startLine: node.metadata.startLine ?? 0,
-                endLine: node.metadata.endLine ?? 0,
-                hash: node.metadata.hash ?? '',
-                calls: outEdges.filter(e => e.type === 'calls').map(e => e.target),
-                calledBy: inEdges.filter(e => e.type === 'calls').map(e => e.source),
+                startLine: metadata.startLine ?? 0,
+                endLine: metadata.endLine ?? 0,
+                hash: metadata.hash ?? '',
+                calls: outEdges.filter(e => e.type === 'calls').map(e => e.to),
+                calledBy: inEdges.filter(e => e.type === 'calls').map(e => e.from),
                 moduleId: moduleId || 'unknown',
-                ...(node.metadata.params && node.metadata.params.length > 0
-                    ? { params: node.metadata.params }
+                ...(metadata.params && metadata.params.length > 0
+                    ? { params: metadata.params }
                     : {}),
-                ...(node.metadata.returnType ? { returnType: node.metadata.returnType } : {}),
-                ...(node.metadata.isAsync ? { isAsync: true } : {}),
-                ...(node.metadata.isExported ? { isExported: true } : {}),
-                purpose: node.metadata.purpose || inferPurpose(
-                    node.label,
-                    node.metadata.params,
-                    node.metadata.returnType,
-                    node.metadata.isAsync,
+                ...(metadata.returnType ? { returnType: metadata.returnType } : {}),
+                ...(metadata.isAsync ? { isAsync: true } : {}),
+                ...(metadata.isExported ? { isExported: true } : {}),
+                purpose: metadata.purpose || inferPurpose(
+                    displayName,
+                    metadata.params,
+                    metadata.returnType,
+                    metadata.isAsync,
                 ),
-                edgeCasesHandled: node.metadata.edgeCasesHandled,
-                errorHandling: node.metadata.errorHandling,
+                edgeCasesHandled: metadata.edgeCasesHandled,
+                errorHandling: metadata.errorHandling,
             }
         }
 
@@ -222,17 +238,19 @@ export class LockCompiler {
         for (const [id, node] of graph.nodes) {
             if (node.type !== 'class') continue
             const moduleId = this.findModule(node.file, contract.declared.modules)
+            const className = node.name ?? ''
+            const metadata = node.metadata ?? {}
             result[id] = {
                 id,
-                name: node.label,
+                name: className,
                 file: node.file,
-                startLine: node.metadata.startLine ?? 0,
-                endLine: node.metadata.endLine ?? 0,
+                startLine: metadata.startLine ?? 0,
+                endLine: metadata.endLine ?? 0,
                 moduleId: moduleId || 'unknown',
-                isExported: node.metadata.isExported ?? false,
-                purpose: node.metadata.purpose || inferPurpose(node.label),
-                edgeCasesHandled: node.metadata.edgeCasesHandled,
-                errorHandling: node.metadata.errorHandling,
+                isExported: metadata.isExported ?? false,
+                purpose: metadata.purpose || inferPurpose(className),
+                edgeCasesHandled: metadata.edgeCasesHandled,
+                errorHandling: metadata.errorHandling,
             }
         }
         return result
@@ -247,18 +265,20 @@ export class LockCompiler {
             if (node.type !== 'generic') continue
             // Only include exported generics  non-exported types/interfaces are
             // internal implementation details that add noise without value.
-            if (!node.metadata.isExported) continue
+            if (!(node.metadata?.isExported)) continue
             const moduleId = this.findModule(node.file, contract.declared.modules)
+            const genericName = node.name ?? ''
+            const metadata = node.metadata ?? {}
             raw[id] = {
                 id,
-                name: node.label,
-                type: node.metadata.hash ?? 'generic', // we stored type name in hash
+                name: genericName,
+                type: metadata.hash ?? 'generic', // we stored type name in hash
                 file: node.file,
-                startLine: node.metadata.startLine ?? 0,
-                endLine: node.metadata.endLine ?? 0,
+                startLine: metadata.startLine ?? 0,
+                endLine: metadata.endLine ?? 0,
                 moduleId: moduleId || 'unknown',
-                isExported: node.metadata.isExported ?? false,
-                purpose: node.metadata.purpose || inferPurpose(node.label),
+                isExported: metadata.isExported ?? false,
+                purpose: metadata.purpose || inferPurpose(genericName),
             }
         }
 
@@ -325,18 +345,19 @@ export class LockCompiler {
         for (const file of parsedFiles) {
             const moduleId = this.findModule(file.path, contract.declared.modules)
 
-            // Collect file-level imports from the graph's import edges
-            const outEdges = graph.outEdges.get(file.path) || []
-            const importedFiles = outEdges
-                .filter(e => e.type === 'imports')
-                .map(e => e.target)
-
+            // Collect file-level imports from the parsed file info directly
+            // to include both source and resolvedPath for unresolved analysis.
+            const imports = file.imports.map(imp => ({
+                source: imp.source,
+                resolvedPath: imp.resolvedPath || undefined,
+            }))
+ 
             result[file.path] = {
                 path: file.path,
                 hash: file.hash,
                 moduleId: moduleId || 'unknown',
                 lastModified: new Date(file.parsedAt).toISOString(),
-                ...(importedFiles.length > 0 ? { imports: importedFiles } : {}),
+                ...(imports.length > 0 ? { imports } : {}),
             }
         }
 
@@ -378,9 +399,20 @@ export class LockCompiler {
 
     /** Check if a file path matches any of the module's path patterns */
     private fileMatchesModule(filePath: string, patterns: string[]): boolean {
-        const normalized = filePath.replace(/\\/g, '/')
+        const relativePath = getModuleMatchPath(filePath, this.projectRootPath)
+        const normalizedRelative = relativePath.replace(/\\/g, '/').toLowerCase()
+        const normalizedAbsolute = filePath.replace(/\\/g, '/').toLowerCase()
+        const normalizedProjectRoot = this.projectRootPath
+            ? this.projectRootPath.replace(/\\/g, '/').toLowerCase()
+            : null
+
         for (const pattern of patterns) {
-            if (minimatch(normalized, pattern)) {
+            const normalizedPattern = pattern.replace(/\\/g, '/').toLowerCase()
+            const relativePattern = normalizedProjectRoot && normalizedPattern.startsWith(`${normalizedProjectRoot}/`)
+                ? normalizedPattern.slice(normalizedProjectRoot.length + 1)
+                : normalizedPattern
+            if (minimatch(normalizedRelative, relativePattern) ||
+                minimatch(normalizedAbsolute, normalizedPattern)) {
                 return true
             }
         }

package/src/contract/lock-reader.ts

@@ -137,7 +137,9 @@ function compactifyLock(lock: MikkLock): any {
             lastModified: file.lastModified,
         }
         if (file.moduleId && file.moduleId !== 'unknown') c.moduleId = file.moduleId
-        if (file.imports && file.imports.length > 0) c.imports = file.imports
+        if (file.imports && file.imports.length > 0) {
+            c.imports = file.imports.map(normalizeImportEntry)
+        }
         out.files[key] = c
     }
 
@@ -180,7 +182,10 @@ function hydrateLock(raw: any): any {
     // P6: build file->moduleId map before function loop
     const fileModuleMap: Record<string, string> = {}
     for (const [key, c] of Object.entries(raw.files || {}) as [string, any][]) {
-        fileModuleMap[key] = c.moduleId || 'unknown'
+        const moduleId = c.moduleId || 'unknown'
+        const normalizedKey = normalizeFilePath(key)
+        fileModuleMap[key] = moduleId
+        fileModuleMap[normalizedKey] = moduleId
     }
 
     // Hydrate functions
@@ -194,6 +199,7 @@ function hydrateLock(raw: any): any {
         const calls = (c.calls || []).map((v: any) => typeof v === 'number' ? (fnIndex[v] ?? null) : v).filter(Boolean)
         const calledBy = (c.calledBy || []).map((v: any) => typeof v === 'number' ? (fnIndex[v] ?? null) : v).filter(Boolean)
 
+        const normalizedFile = normalizeFilePath(file)
         out.functions[fullId] = {
             id: fullId,
             name,
@@ -203,7 +209,7 @@ function hydrateLock(raw: any): any {
             hash: c.hash || '',  // P4: empty string when not stored
             calls,
             calledBy,
-            moduleId: fileModuleMap[file] || c.moduleId || 'unknown',  // P6: derive from file
+            moduleId: fileModuleMap[normalizedFile] || fileModuleMap[file] || c.moduleId || 'unknown',  // P6: derive from file
             ...(c.params ? { params: c.params } : {}),
             ...(c.returnType ? { returnType: c.returnType } : {}),
             ...(c.isAsync ? { isAsync: true } : {}),
@@ -276,7 +282,7 @@ function hydrateLock(raw: any): any {
             hash: c.hash || '',
             moduleId: c.moduleId || 'unknown',
             lastModified: c.lastModified || '',
-            ...(c.imports && c.imports.length > 0 ? { imports: c.imports } : {}),
+            ...(c.imports && c.imports.length > 0 ? { imports: c.imports.map(normalizeImportEntry) } : {}),
         }
     }
 
@@ -315,3 +321,17 @@ function parseEntityKeyFull(key: string): { prefix: string; file: string; name:
         name: rest.slice(lastColon + 1),
     }
 }
+
+function normalizeImportEntry(entry: any): { source: string; resolvedPath?: string; names?: string[] } {
+    if (!entry) return { source: '' }
+    if (typeof entry === 'string') return { source: entry }
+    return {
+        source: entry.source,
+        resolvedPath: entry.resolvedPath || undefined,
+        names: entry.names?.length ? entry.names : undefined,
+    }
+}
+
+function normalizeFilePath(p: string): string {
+    return (p || '').replace(/\\/g, '/').toLowerCase()
+}

package/src/contract/schema.ts

@@ -26,6 +26,20 @@ export const MikkOverwriteSchema = z.object({
     lastOverwrittenAt: z.string().optional(),
 }).default({ mode: 'never', requireConfirmation: true })
 
+export const MikkPolicySchema = z.object({
+    maxRiskScore: z.number().default(70),
+    maxImpactNodes: z.number().default(10),
+    protectedModules: z.array(z.string()).default(['auth', 'security', 'billing']),
+    enforceStrictBoundaries: z.boolean().default(true),
+    requireReasoningForCritical: z.boolean().default(true),
+}).default({
+    maxRiskScore: 70,
+    maxImpactNodes: 10,
+    protectedModules: ['auth', 'security', 'billing'],
+    enforceStrictBoundaries: true,
+    requireReasoningForCritical: true,
+})
+
 export const MikkContractSchema = z.object({
     version: z.string(),
     project: z.object({
@@ -41,11 +55,13 @@ export const MikkContractSchema = z.object({
         decisions: z.array(MikkDecisionSchema).default([]),
     }),
     overwrite: MikkOverwriteSchema,
+    policies: MikkPolicySchema,
 })
 
 export type MikkContract = z.infer<typeof MikkContractSchema>
 export type MikkModule = z.infer<typeof MikkModuleSchema>
 export type MikkDecision = z.infer<typeof MikkDecisionSchema>
+export type MikkPolicy = z.infer<typeof MikkPolicySchema>
 
 // ─── mikk.lock.json schema ──────────────────────────────
 
@@ -74,6 +90,8 @@ export const MikkLockFunctionSchema = z.object({
         type: z.enum(['try-catch', 'throw']),
         detail: z.string(),
     })).optional(),
+    confidence: z.number().optional(),
+    riskScore: z.number().optional(),
 })
 
 export const MikkLockModuleSchema = z.object({
@@ -83,12 +101,18 @@ export const MikkLockModuleSchema = z.object({
     fragmentPath: z.string(),
 })
 
+export const MikkLockImportSchema = z.object({
+    source: z.string(),
+    resolvedPath: z.string().optional(),
+    names: z.array(z.string()).optional(),
+})
+
 export const MikkLockFileSchema = z.object({
     path: z.string(),
     hash: z.string(),
     moduleId: z.string(),
     lastModified: z.string(),
-    imports: z.array(z.string()).optional(),
+    imports: z.array(MikkLockImportSchema).optional(),
 })
 
 export const MikkLockClassSchema = z.object({
@@ -106,6 +130,8 @@ export const MikkLockClassSchema = z.object({
         type: z.enum(['try-catch', 'throw']),
         detail: z.string(),
     })).optional(),
+    confidence: z.number().optional(),
+    riskScore: z.number().optional(),
 })
 
 export const MikkLockGenericSchema = z.object({