@graphpilot-oss/graphpilot 0.0.1

package/tests/provenance.test.ts

@@ -0,0 +1,132 @@
+import { describe, it, expect } from 'vitest';
+import {
+  symbolProvenance,
+  edgeProvenance,
+  formatProvenance,
+  formatEvidenceTag,
+} from '../src/provenance.js';
+import type { SymbolRecord } from '../src/symbols.js';
+import type { CallEdge } from '../src/edges.js';
+
+const SAMPLE_SYMBOL: SymbolRecord = {
+  id: 'src/auth.ts#parseToken@42',
+  name: 'parseToken',
+  kind: 'function',
+  file: 'src/auth.ts',
+  line: 42,
+  column: 1,
+  endLine: 58,
+  signature: 'function parseToken(token: string): Claims {',
+  exported: true,
+};
+
+const SAMPLE_EDGE: CallEdge = {
+  fromId: 'src/api.ts#handleLogin@10',
+  toId: 'src/auth.ts#parseToken@42',
+  toName: 'parseToken',
+  file: 'src/api.ts',
+  line: 17,
+  column: 12,
+};
+
+describe('symbolProvenance', () => {
+  it('captures the symbol location + signature excerpt + sha', () => {
+    const p = symbolProvenance(SAMPLE_SYMBOL, 'abc1234');
+    expect(p).toMatchObject({
+      file: 'src/auth.ts',
+      line: 42,
+      column: 1,
+      endLine: 58,
+      sha: 'abc1234',
+    });
+    expect(p.excerpt).toMatch(/parseToken/);
+  });
+
+  it('sets sha to null when no git sha is available', () => {
+    const p = symbolProvenance(SAMPLE_SYMBOL, null);
+    expect(p.sha).toBeNull();
+  });
+
+  it('clips a long excerpt with an ellipsis', () => {
+    const long = 'function ' + 'x'.repeat(500);
+    const p = symbolProvenance({ ...SAMPLE_SYMBOL, signature: long }, null);
+    expect(p.excerpt!.length).toBeLessThanOrEqual(200);
+    expect(p.excerpt!.endsWith('…')).toBe(true);
+  });
+
+  it('drops the excerpt when the signature is empty', () => {
+    const p = symbolProvenance({ ...SAMPLE_SYMBOL, signature: '' }, null);
+    expect(p.excerpt).toBeUndefined();
+  });
+});
+
+describe('edgeProvenance', () => {
+  it('captures the call-site location + sha (no excerpt — v0.1)', () => {
+    const p = edgeProvenance(SAMPLE_EDGE, 'def5678');
+    expect(p).toMatchObject({
+      file: 'src/api.ts',
+      line: 17,
+      column: 12,
+      sha: 'def5678',
+    });
+    expect(p.excerpt).toBeUndefined();
+  });
+
+  it('sets sha to null when not in a git repo', () => {
+    const p = edgeProvenance(SAMPLE_EDGE, null);
+    expect(p.sha).toBeNull();
+  });
+});
+
+describe('formatProvenance', () => {
+  it('formats a minimal provenance as file:line', () => {
+    expect(
+      formatProvenance({
+        file: 'src/auth.ts',
+        line: 42,
+      }),
+    ).toBe('src/auth.ts:42');
+  });
+
+  it('includes column when present', () => {
+    expect(
+      formatProvenance({
+        file: 'src/auth.ts',
+        line: 42,
+        column: 5,
+      }),
+    ).toBe('src/auth.ts:42:5');
+  });
+
+  it('appends sha when present', () => {
+    expect(
+      formatProvenance({
+        file: 'src/auth.ts',
+        line: 42,
+        sha: 'abc1234',
+      }),
+    ).toBe('src/auth.ts:42 @ abc1234');
+  });
+
+  it('omits sha when null or undefined', () => {
+    expect(
+      formatProvenance({
+        file: 'src/auth.ts',
+        line: 42,
+        sha: null,
+      }),
+    ).toBe('src/auth.ts:42');
+  });
+});
+
+describe('formatEvidenceTag', () => {
+  it('wraps the provenance in [evidence: ...]', () => {
+    expect(
+      formatEvidenceTag({
+        file: 'src/auth.ts',
+        line: 42,
+        sha: 'abc1234',
+      }),
+    ).toBe('[evidence: src/auth.ts:42 @ abc1234]');
+  });
+});

package/tests/query.test.ts

@@ -0,0 +1,160 @@
+import { describe, it, expect } from 'vitest';
+import { GraphIndex } from '../src/query.js';
+import type { Graph } from '../src/storage.js';
+import type { SymbolRecord } from '../src/symbols.js';
+import type { CallEdge } from '../src/edges.js';
+
+// Tiny hand-built fixture so we exercise the index without parsing real code.
+function sym(id: string, name: string, file: string, line: number): SymbolRecord {
+  return {
+    id,
+    name,
+    kind: 'function',
+    file,
+    line,
+    column: 1,
+    endLine: line + 2,
+    signature: `function ${name}() {}`,
+    exported: false,
+  };
+}
+
+function edge(fromId: string, toName: string, toId: string | null, file: string): CallEdge {
+  return { fromId, toName, toId, file, line: 1, column: 1 };
+}
+
+function buildGraph(): Graph {
+  const symbols: SymbolRecord[] = [
+    sym('a.ts#parseToken@1', 'parseToken', 'a.ts', 1),
+    sym('a.ts#validateJwt@10', 'validateJwt', 'a.ts', 10),
+    sym('b.ts#authenticate@5', 'authenticate', 'b.ts', 5),
+    sym('b.ts#parseToken@20', 'parseToken', 'b.ts', 20),
+    sym('c.ts#ParseTokenAsync@1', 'ParseTokenAsync', 'c.ts', 1),
+  ];
+  const edges: CallEdge[] = [
+    edge('b.ts#authenticate@5', 'parseToken', 'a.ts#parseToken@1', 'b.ts'),
+    edge('b.ts#authenticate@5', 'validateJwt', 'a.ts#validateJwt@10', 'b.ts'),
+    edge('b.ts#authenticate@5', 'unknownExternal', null, 'b.ts'),
+    edge('a.ts#parseToken@1', 'trim', null, 'a.ts'),
+  ];
+  return {
+    version: 1,
+    repoId: 'test',
+    rootPath: '/fake',
+    indexedAt: new Date().toISOString(),
+    filesIndexed: 3,
+    symbolCount: symbols.length,
+    edgeCount: edges.length,
+    symbols,
+    edges,
+  };
+}
+
+describe('GraphIndex.findByName', () => {
+  const idx = new GraphIndex(buildGraph());
+
+  it('exact match is case-insensitive by default', () => {
+    const r = idx.findByName('parsetoken');
+    expect(r.map((s) => s.id)).toEqual(['a.ts#parseToken@1', 'b.ts#parseToken@20']);
+  });
+
+  it('exact-case match ranks above case-folded matches', () => {
+    const r = idx.findByName('parseToken');
+    // Both `parseToken` (exact case) entries should come before any case-folded
+    // hits. Here both candidates are exact-case so order is just insertion.
+    expect(r.map((s) => s.name)).toEqual(['parseToken', 'parseToken']);
+  });
+
+  it('substring mode finds partial matches', () => {
+    const r = idx.findByName('parse', { substring: true });
+    const names = r.map((s) => s.name);
+    expect(names).toContain('parseToken');
+    expect(names).toContain('ParseTokenAsync');
+  });
+
+  it('respects limit', () => {
+    const r = idx.findByName('parse', { substring: true, limit: 1 });
+    expect(r.length).toBe(1);
+  });
+
+  it('caps limit at the hard ceiling', () => {
+    const r = idx.findByName('parse', { substring: true, limit: 10_000 });
+    // We only have 3 substring matches anyway, but verify no throw.
+    expect(r.length).toBeLessThanOrEqual(100);
+  });
+
+  it('returns [] for empty query', () => {
+    expect(idx.findByName('')).toEqual([]);
+  });
+
+  it('returns [] when nothing matches', () => {
+    expect(idx.findByName('definitelyNotHere')).toEqual([]);
+  });
+});
+
+describe('GraphIndex.findById / resolveSymbol', () => {
+  const idx = new GraphIndex(buildGraph());
+
+  it('findById returns the exact symbol', () => {
+    expect(idx.findById('a.ts#parseToken@1')?.name).toBe('parseToken');
+  });
+
+  it('findById returns null for unknown id', () => {
+    expect(idx.findById('nope')).toBeNull();
+  });
+
+  it('resolveSymbol accepts a full id', () => {
+    expect(idx.resolveSymbol('b.ts#authenticate@5')?.name).toBe('authenticate');
+  });
+
+  it('resolveSymbol accepts a bare name', () => {
+    expect(idx.resolveSymbol('authenticate')?.id).toBe('b.ts#authenticate@5');
+  });
+
+  it('resolveSymbol returns first match for ambiguous names', () => {
+    const s = idx.resolveSymbol('parseToken');
+    expect(s).not.toBeNull();
+    expect(s!.name).toBe('parseToken');
+  });
+});
+
+describe('GraphIndex.callers', () => {
+  const idx = new GraphIndex(buildGraph());
+
+  it('returns callers of a symbol', () => {
+    const c = idx.callers('a.ts#parseToken@1');
+    expect(c.length).toBe(1);
+    expect(c[0].fromId).toBe('b.ts#authenticate@5');
+  });
+
+  it('returns [] when nothing calls the symbol', () => {
+    expect(idx.callers('c.ts#ParseTokenAsync@1')).toEqual([]);
+  });
+
+  it('returns [] for unknown id', () => {
+    expect(idx.callers('not-a-real-id')).toEqual([]);
+  });
+});
+
+describe('GraphIndex.callees', () => {
+  const idx = new GraphIndex(buildGraph());
+
+  it('returns everything a symbol calls', () => {
+    const c = idx.callees('b.ts#authenticate@5');
+    const names = c.map((e) => e.toName).sort();
+    expect(names).toEqual(['parseToken', 'unknownExternal', 'validateJwt']);
+  });
+
+  it('can hide unresolved edges', () => {
+    const c = idx.callees('b.ts#authenticate@5', { includeUnresolved: false });
+    const names = c.map((e) => e.toName).sort();
+    expect(names).toEqual(['parseToken', 'validateJwt']);
+  });
+});
+
+describe('GraphIndex.stats', () => {
+  it('reports counts including resolved-edges total', () => {
+    const idx = new GraphIndex(buildGraph());
+    expect(idx.stats).toEqual({ symbols: 5, edges: 4, resolvedEdges: 2 });
+  });
+});

package/tests/redact.test.ts

@@ -0,0 +1,167 @@
+import { describe, it, expect } from 'vitest';
+import { redactSecrets, detectSecrets } from '../src/redact.js';
+import { parseFile } from '../src/parser.js';
+import { extractSymbols } from '../src/symbols.js';
+import { writeFileSync, mkdtempSync, rmSync, existsSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Unit tests — direct redactor
+// ---------------------------------------------------------------------------
+
+describe('redactSecrets — known patterns', () => {
+  it('redacts OpenAI / Anthropic sk- keys', () => {
+    const out = redactSecrets('const API_KEY = "sk-abcdefghij1234567890ABCDEF";');
+    expect(out).toContain('sk-***REDACTED***');
+    expect(out).not.toContain('abcdefghij1234567890');
+  });
+
+  it('redacts sk-ant- prefix variant', () => {
+    const out = redactSecrets('const k = "sk-ant-api03-abc123XYZ_thisIsAFakeKey-1234567890";');
+    expect(out).toContain('sk-***REDACTED***');
+    expect(out).not.toContain('api03-abc123');
+  });
+
+  it('redacts GitHub PATs', () => {
+    const out = redactSecrets('TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";');
+    expect(out).toContain('ghp_***REDACTED***');
+  });
+
+  it('redacts AWS access key IDs (AKIA)', () => {
+    const out = redactSecrets('const aws = "AKIAIOSFODNN7EXAMPLE";');
+    expect(out).toContain('AKIA***REDACTED***');
+    expect(out).not.toContain('IOSFODNN7');
+  });
+
+  it('redacts JWT tokens (three base64url segments)', () => {
+    const jwt =
+      'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' +
+      '.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ' +
+      '.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
+    const out = redactSecrets(`const auth = "${jwt}";`);
+    expect(out).toContain('***JWT-REDACTED***');
+    expect(out).not.toContain(jwt);
+  });
+
+  it('redacts PEM private-key headers', () => {
+    const out = redactSecrets('"-----BEGIN RSA PRIVATE KEY-----\\n..."');
+    expect(out).toContain('***REDACTED***');
+    expect(out).toContain('PRIVATE KEY');
+  });
+
+  it('redacts Slack bot tokens (xoxb-...)', () => {
+    const out = redactSecrets('"xoxb-12345-67890-abcdefghij"');
+    expect(out).toContain('xox*-***REDACTED***');
+  });
+
+  it('redacts Stripe sk_live keys', () => {
+    const out = redactSecrets('"sk_live_abcdefghijklmnopqrstuv1234"');
+    expect(out).toContain('sk_live_***REDACTED***');
+  });
+
+  it('redacts a generic long high-entropy token inside quotes', () => {
+    const out = redactSecrets('const s = "X9aZ8bC7dE6fG5hI4jK3lM2nO1pQ0rS9tU8vW7xY6zA";');
+    expect(out).toContain('***REDACTED-LONG-TOKEN***');
+    expect(out).not.toContain('X9aZ8bC7dE6fG5hI4jK3lM2nO1pQ0rS9tU8vW7xY6zA');
+  });
+});
+
+describe('redactSecrets — preserves non-secret content', () => {
+  it('leaves function signatures untouched', () => {
+    const sig = 'function parseToken(token: string): Claims {';
+    expect(redactSecrets(sig)).toBe(sig);
+  });
+
+  it('leaves short identifiers untouched (no false positive on short alphanumerics)', () => {
+    const sig = 'const apiKey = config.apiKey;';
+    expect(redactSecrets(sig)).toBe(sig);
+  });
+
+  it('leaves a normal-length string literal untouched', () => {
+    const sig = 'const greeting = "hello, world";';
+    expect(redactSecrets(sig)).toBe(sig);
+  });
+
+  it('returns the input unchanged for empty / null-ish strings', () => {
+    expect(redactSecrets('')).toBe('');
+    // @ts-expect-error: function tolerates non-strings defensively
+    expect(redactSecrets(undefined)).toBe(undefined);
+  });
+});
+
+describe('detectSecrets — diagnostics', () => {
+  it('returns matching labels', () => {
+    const labels = detectSecrets('"sk-abcdefghij1234567890ABCDEF"');
+    expect(labels).toContain('sk-token');
+  });
+
+  it('returns empty list for clean input', () => {
+    expect(detectSecrets('function foo(x) { return x + 1; }')).toEqual([]);
+  });
+
+  it('does not mutate state between calls (regex .lastIndex hygiene)', () => {
+    const sample = '"AKIAIOSFODNN7EXAMPLE"';
+    // Run twice — should give same result.
+    expect(detectSecrets(sample)).toEqual(detectSecrets(sample));
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Integration — secrets in real source code DO NOT leak into the index
+// ---------------------------------------------------------------------------
+
+describe('integration: secrets in signatures get redacted at extraction', () => {
+  let workDir: string;
+
+  beforeEach(() => {
+    workDir = mkdtempSync(join(tmpdir(), 'graphpilot-redact-'));
+  });
+
+  afterEach(() => {
+    if (existsSync(workDir)) rmSync(workDir, { recursive: true, force: true });
+  });
+
+  it('redacts secrets in arrow-const initializers', () => {
+    const filePath = join(workDir, 'secrets.ts');
+    writeFileSync(
+      filePath,
+      `export const API_KEY = "sk-abcdefghij1234567890ABCDEFGHIJ";\n` +
+        `export const TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";\n`,
+    );
+    const parsed = parseFile(filePath)!;
+    const syms = extractSymbols(parsed);
+    const apiKeySym = syms.find((s) => s.name === 'API_KEY');
+    const tokenSym = syms.find((s) => s.name === 'TOKEN');
+    // These are variable initializers, not function expressions — they are
+    // NOT extracted as SymbolRecords in v1 (we only emit function-like
+    // const initializers). So this test mainly proves the integration plumbing
+    // doesn't crash on secret-y source.
+    // What we CAN check: parseFile + extractSymbols don't throw on a file
+    // that contains a real-looking secret literal.
+    expect(syms).toBeDefined();
+    // If we ever broaden extractor to emit non-function consts, the redaction
+    // path is wired and these would already be safe.
+    if (apiKeySym) expect(apiKeySym.signature).not.toContain('abcdefghij1234567890');
+    if (tokenSym) expect(tokenSym.signature).not.toContain('aaaaaaaaaaaaaaaa');
+  });
+
+  it('redacts secrets in arrow-function defaults / bodies (signature first line)', () => {
+    const filePath = join(workDir, 'arrowfn.ts');
+    writeFileSync(
+      filePath,
+      `export const buildAuth = (token = "sk-abcdefghij1234567890ABCDEFGHIJ") => {\n` +
+        `  return token;\n` +
+        `};\n`,
+    );
+    const parsed = parseFile(filePath)!;
+    const syms = extractSymbols(parsed);
+    const sym = syms.find((s) => s.name === 'buildAuth');
+    expect(sym).toBeDefined();
+    expect(sym!.signature).toContain('sk-***REDACTED***');
+    expect(sym!.signature).not.toContain('abcdefghij1234567890');
+  });
+});
+
+// Imports for beforeEach/afterEach used in the integration block
+import { beforeEach, afterEach } from 'vitest';

package/tests/security.test.ts

@@ -0,0 +1,144 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import {
+  writeFileSync,
+  mkdtempSync,
+  mkdirSync,
+  symlinkSync,
+  rmSync,
+  statSync,
+  existsSync,
+} from 'node:fs';
+import { tmpdir, homedir } from 'node:os';
+import { join } from 'node:path';
+import { parseFile } from '../src/parser.js';
+import { indexDirectory } from '../src/indexer.js';
+import { saveGraph, type Graph } from '../src/storage.js';
+import { validateRootPath, MAX_FILE_BYTES, MAX_FILES_PER_INDEX } from '../src/validation.js';
+
+const isWindows = process.platform === 'win32';
+
+let workDir: string;
+
+beforeEach(() => {
+  workDir = mkdtempSync(join(tmpdir(), 'graphpilot-sec-'));
+});
+
+afterEach(() => {
+  if (existsSync(workDir)) rmSync(workDir, { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// T1 — file size cap
+// ---------------------------------------------------------------------------
+
+describe('T1: file size cap', () => {
+  it('skips files larger than MAX_FILE_BYTES', () => {
+    const bigFile = join(workDir, 'huge.ts');
+    // Write MAX_FILE_BYTES + 1KB of harmless TypeScript.
+    const oversize = 'export const x = 1;\n'.repeat(Math.ceil(MAX_FILE_BYTES / 20)) + '\n';
+    writeFileSync(bigFile, oversize);
+    expect(statSync(bigFile).size).toBeGreaterThan(MAX_FILE_BYTES);
+
+    const result = parseFile(bigFile);
+    expect(result).toBeNull();
+  });
+
+  it('parses files just under MAX_FILE_BYTES', () => {
+    const smallFile = join(workDir, 'small.ts');
+    writeFileSync(smallFile, 'export function ok() { return 1; }');
+    const result = parseFile(smallFile);
+    expect(result).not.toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// T2 — symlink escape
+// ---------------------------------------------------------------------------
+
+describe.skipIf(isWindows)('T2: symlink escape protection', () => {
+  it('does not follow a symlink that escapes the indexed root', async () => {
+    // Layout:
+    //   workDir/
+    //     project/
+    //       good.ts            <- legit file inside the project
+    //     outside/
+    //       secret.ts          <- a file the attacker wants to leak
+    //     project/escape -> ../outside  <- malicious symlink inside project
+    const project = join(workDir, 'project');
+    const outside = join(workDir, 'outside');
+    mkdirSync(project);
+    mkdirSync(outside);
+    writeFileSync(join(project, 'good.ts'), 'export function good() {}');
+    writeFileSync(join(outside, 'secret.ts'), 'export function leakedSecret() {}');
+    symlinkSync(outside, join(project, 'escape'));
+
+    const result = await indexDirectory(project);
+
+    const names = result.symbols.map((s) => s.name);
+    expect(names).toContain('good');
+    expect(names).not.toContain('leakedSecret');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// T7 — index file permissions
+// ---------------------------------------------------------------------------
+
+describe.skipIf(isWindows)('T7: restrictive permissions on saved graph', () => {
+  it('writes graph.json with mode 0600 and parent dir 0700', () => {
+    const fakeRoot = join(workDir, 'pretend-repo');
+    mkdirSync(fakeRoot);
+    const graph: Graph = {
+      version: 1,
+      repoId: 'testrepo000000',
+      rootPath: fakeRoot,
+      indexedAt: new Date().toISOString(),
+      filesIndexed: 0,
+      symbolCount: 0,
+      symbols: [],
+    };
+    const savedPath = saveGraph(graph);
+    expect(existsSync(savedPath)).toBe(true);
+
+    const fileMode = statSync(savedPath).mode & 0o777;
+    expect(fileMode).toBe(0o600);
+
+    const dirMode = statSync(savedPath.replace(/\/graph\.json$/, '')).mode & 0o777;
+    expect(dirMode).toBe(0o700);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// T10 — refuse dangerous paths + max-files cap
+// ---------------------------------------------------------------------------
+
+describe('T10: dangerous path rejection', () => {
+  it('refuses to index / (root)', () => {
+    expect(validateRootPath('/')).toMatch(/system path/i);
+  });
+
+  it.skipIf(isWindows)('refuses to index /etc', () => {
+    expect(validateRootPath('/etc')).toMatch(/system path/i);
+  });
+
+  it('refuses to index the home directory directly', () => {
+    expect(validateRootPath(homedir())).toMatch(/home directory/i);
+  });
+
+  it('allows a normal project path', () => {
+    expect(validateRootPath(workDir)).toBeNull();
+  });
+
+  it('returns an error for a path that does not exist', () => {
+    expect(validateRootPath(join(workDir, 'definitely-not-here'))).toMatch(
+      /does not exist|not accessible/i,
+    );
+  });
+});
+
+describe('T10: max-files cap is set sanely', () => {
+  it('MAX_FILES_PER_INDEX is a reasonable ceiling', () => {
+    expect(MAX_FILES_PER_INDEX).toBeGreaterThanOrEqual(10_000);
+    expect(MAX_FILES_PER_INDEX).toBeLessThanOrEqual(1_000_000);
+  });
+});

package/tests/symbols.test.ts

@@ -0,0 +1,78 @@
+import { describe, it, expect } from 'vitest';
+import { parseFile } from '../src/parser.js';
+import { extractSymbols, type SymbolRecord } from '../src/symbols.js';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const fixture = (name: string) => join(here, 'fixtures', name);
+
+function symbolsOf(filename: string): SymbolRecord[] {
+  const parsed = parseFile(fixture(filename));
+  if (!parsed) throw new Error('parse failed');
+  return extractSymbols(parsed);
+}
+
+function findOne(syms: SymbolRecord[], name: string, kind?: string) {
+  const matches = syms.filter((s) => s.name === name && (!kind || s.kind === kind));
+  if (matches.length !== 1) {
+    throw new Error(`expected 1 match for ${name}/${kind ?? '*'}, got ${matches.length}`);
+  }
+  return matches[0];
+}
+
+describe('extractSymbols', () => {
+  const syms = symbolsOf('sample.ts');
+
+  it('finds top-level functions', () => {
+    const s = findOne(syms, 'parseToken', 'function');
+    expect(s.exported).toBe(true);
+    expect(s.line).toBe(1);
+    expect(s.signature).toContain('parseToken');
+  });
+
+  it('finds arrow-function consts as variables', () => {
+    const s = findOne(syms, 'validateJwt', 'variable');
+    expect(s.exported).toBe(true);
+    expect(s.signature).toContain('validateJwt');
+  });
+
+  it('finds non-exported function expressions', () => {
+    const s = findOne(syms, 'internalHelper', 'variable');
+    expect(s.exported).toBe(false);
+  });
+
+  it('finds classes', () => {
+    const s = findOne(syms, 'AuthService', 'class');
+    expect(s.exported).toBe(true);
+  });
+
+  it('finds class methods with parent set', () => {
+    const auth = findOne(syms, 'authenticate', 'method');
+    expect(auth.parent).toBe('AuthService');
+    const fetch = findOne(syms, 'fetchUser', 'method');
+    expect(fetch.parent).toBe('AuthService');
+  });
+
+  it('finds interfaces', () => {
+    const s = findOne(syms, 'Repository', 'interface');
+    expect(s.exported).toBe(true);
+  });
+
+  it('finds type aliases', () => {
+    const s = findOne(syms, 'UserId', 'type');
+    expect(s.exported).toBe(true);
+  });
+
+  it('finds enums (non-exported)', () => {
+    const s = findOne(syms, 'Role', 'enum');
+    expect(s.exported).toBe(false);
+  });
+
+  it('assigns stable ids', () => {
+    const s = findOne(syms, 'parseToken', 'function');
+    expect(s.id).toBe(`${s.file}#parseToken@1`);
+    const m = findOne(syms, 'authenticate', 'method');
+    expect(m.id).toBe(`${m.file}#AuthService.authenticate@${m.line}`);
+  });
+});