@hookwarden/engine 0.0.1 → 0.1.0

package/dist/evaluator/matchers.js

@@ -0,0 +1,124 @@
+// D-28: declarative matcher implementations. Each returns Verdict | null.
+// null = matcher does not apply to this handler (engine emits no Finding for that rule).
+// Pure: WebhookHandler + ProjectModel + ProviderCatalog inputs only. No I/O.
+//
+// Issue #6 fix: argumentEquals is fully implemented. It walks the handler's source-file AST
+// for a CallExpression whose callee matches the rule's `call`, then compares args[arg_index]'s
+// literal value to `equals`.
+import { walkBabelAst } from "../parsers/walk.js";
+export function applyMatcher(input) {
+    const { matcher, handler, emits_state } = input;
+    const args = matcher.args;
+    switch (matcher.name) {
+        case "importMissing": {
+            const module = String(args["module"] ?? "");
+            const file = input.model.parsed_files.find((f) => f.file_path === handler.file_path);
+            const present = file?.imports.some((i) => i.to_module === module) ?? false;
+            return present ? null : emits_state;
+        }
+        case "callMatches": {
+            const qn = String(args["qualified_name"] ?? "");
+            const present = handler.reachable_symbols.some((s) => s.qualified_name === qn || s.qualified_name.endsWith(`.${qn}`));
+            return present ? emits_state : null;
+        }
+        case "secretLiteralPrefix": {
+            const prefix = String(args["prefix"] ?? "");
+            const present = handler.evidence.some((e) => e.kind === "secret_literal_match" && e.detail === prefix);
+            return present ? emits_state : null;
+        }
+        case "signatureHeaderRead": {
+            const header = String(args["header"] ?? "").toLowerCase();
+            const present = handler.evidence.some((e) => e.kind === "signature_header_read" && e.detail.toLowerCase() === header);
+            return present ? emits_state : null;
+        }
+        case "middlewareOrder": {
+            const before = String(args["before"] ?? "");
+            const after = String(args["after"] ?? "");
+            const chain = handler.middleware_chain;
+            const idxBefore = chain.findIndex((m) => m.name === before);
+            const idxAfter = chain.findIndex((m) => m.name === after);
+            if (idxBefore < 0 || idxAfter < 0)
+                return null;
+            return idxBefore < idxAfter ? emits_state : null;
+        }
+        case "argumentEquals": {
+            // Issue #6 fix — IMPLEMENTED. Walk the handler's source file AST for a CallExpression whose
+            // callee matches `call`; compare args[arg_index]'s literal value to `equals`.
+            const callName = String(args["call"] ?? "");
+            const argIndex = typeof args["arg_index"] === "number" ? args["arg_index"] : 0;
+            const equals = args["equals"];
+            // Quick reachability gate — if the call isn't even reachable, the matcher cannot apply.
+            const reachable = handler.reachable_symbols.some((s) => s.qualified_name === callName || s.qualified_name.endsWith(`.${callName}`));
+            if (!reachable)
+                return null;
+            const file = input.model.parsed_files.find((f) => f.file_path === handler.file_path);
+            if (!file || file.parse_error !== null || file.raw_ast === null)
+                return null;
+            if (file.dialect !== "babel") {
+                // Python AST argument inspection has a different tree-sitter shape. v1 supports Babel;
+                // Python rules that need argumentEquals can use a TS predicate (D-28 escape hatch).
+                return null;
+            }
+            const matched = findCallArgEquals(file.raw_ast, callName, argIndex, equals);
+            if (matched === null)
+                return null;
+            return matched ? emits_state : null;
+        }
+        default: {
+            // Exhaustiveness check — TS will error here if a new MatcherName is added without a case.
+            const exhaustiveCheck = matcher.name;
+            throw new Error(`unsupported matcher name: ${String(exhaustiveCheck)}`);
+        }
+    }
+}
+// Babel AST walker: returns true if any CallExpression with matching callee qname has its
+// argN literal === equals; false if a matching call exists but the arg differs; null if no
+// matching call exists at all (matcher does not apply).
+function findCallArgEquals(ast, callName, argIndex, equals) {
+    let foundAnyCall = false;
+    let foundMatch = false;
+    walkBabelAst(ast, (node) => {
+        if (node.type !== "CallExpression")
+            return;
+        const qn = qnameBabel(node.callee);
+        if (qn === null)
+            return;
+        if (qn !== callName && !qn.endsWith(`.${callName}`))
+            return;
+        foundAnyCall = true;
+        const arg = node.arguments[argIndex];
+        if (!arg)
+            return;
+        if (arg.type === "StringLiteral" && typeof equals === "string" && arg.value === equals) {
+            foundMatch = true;
+        }
+        else if (arg.type === "NumericLiteral" &&
+            typeof equals === "number" &&
+            arg.value === equals) {
+            foundMatch = true;
+        }
+        else if (typeof equals === "string" && equals === "") {
+            // Rule emits "" to mean "no value" — match against null/undefined args.
+            if (arg.type === "NullLiteral")
+                foundMatch = true;
+            else if (arg.type === "Identifier" && arg.name === "undefined")
+                foundMatch = true;
+        }
+    });
+    if (!foundAnyCall)
+        return null;
+    return foundMatch;
+}
+function qnameBabel(node) {
+    if (node.type === "Identifier")
+        return node.name;
+    if (node.type === "MemberExpression") {
+        const obj = qnameBabel(node.object);
+        if (!obj)
+            return null;
+        if (node.property.type === "Identifier")
+            return `${obj}.${node.property.name}`;
+    }
+    return null;
+}
+//# sourceMappingURL=matchers.js.map

package/dist/evaluator/matchers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"matchers.js","sourceRoot":"","sources":["../../src/evaluator/matchers.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,yFAAyF;AACzF,6EAA6E;AAC7E,EAAE;AACF,4FAA4F;AAC5F,+FAA+F;AAC/F,6BAA6B;AAG7B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAclD,MAAM,UAAU,YAAY,CAAC,KAAwB;IACnD,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,IAA+B,CAAC;IACrD,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;YACrF,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC;YAC3E,OAAO,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC;QACtC,CAAC;QACD,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,EAAE,IAAI,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CACtE,CAAC;YACF,OAAO,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,CAAC;QACD,KAAK,qBAAqB,CAAC,CAAC,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAChE,CAAC;YACF,OAAO,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,CAAC;QACD,KAAK,qBAAqB,CAAC,CAAC,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,uBAAuB,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,CAC/E,CAAC;YACF,OAAO,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,CAAC;QACD,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;YACvC,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;YAC5D,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC;YAC1D,IAAI,SAAS,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC/C,OAAO,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QACnD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,4FAA4F;YAC5F,8EAA8E;YAC9E,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9B,wFAAwF;YACxF,MAAM,SAAS,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,QAAQ,IAAI,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC,CAClF,CAAC;YACF,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;YACrF,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAC7E,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAC7B,uFAAuF;gBACvF,oFAAoF;gBACpF,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,OAAO,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAClC,OAAO,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,0FAA0F;YAC1F,MAAM,eAAe,GAAU,OAAO,CAAC,IAAI,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;AACH,CAAC;AAED,0FAA0F;AAC1F,2FAA2F;AAC3F,wDAAwD;AACxD,SAAS,iBAAiB,CACxB,GAAS,EACT,QAAgB,EAChB,QAAgB,EAChB,MAAe;IAEf,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,YAAY,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;YAAE,OAAO;QAC3C,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO;QACxB,IAAI,EAAE,KAAK,QAAQ,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC;YAAE,OAAO;QAC5D,YAAY,GAAG,IAAI,CAAC;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO;QACjB,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;YACvF,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;aAAM,IACL,GAAG,CAAC,IAAI,KAAK,gBAAgB;YAC7B,OAAO,MAAM,KAAK,QAAQ;YAC1B,GAAG,CAAC,KAAK,KAAK,MAAM,EACpB,CAAC;YACD,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;aAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;YACvD,wEAAwE;YACxE,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa;gBAAE,UAAU,GAAG,IAAI,CAAC;iBAC7C,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;gBAAE,UAAU,GAAG,IAAI,CAAC;QACpF,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,UAAU,CAAC,IAAuB;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,GAAG,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACjF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/evaluator/parse-error.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from "../types/finding.js";
+import type { ParsedFile } from "../types/project-model.js";
+export declare function buildParseErrorFinding(file: ParsedFile): Promise<Finding>;
+//# sourceMappingURL=parse-error.d.ts.map

package/dist/evaluator/parse-error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-error.d.ts","sourceRoot":"","sources":["../../src/evaluator/parse-error.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D,wBAAsB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAuC/E"}

package/dist/evaluator/parse-error.js

@@ -0,0 +1,46 @@
+// D-27 + ENGINE-07: every file with parse_error produces exactly ONE Finding.
+// rule_id is engine-internal: "engine/parse-error". Severity high (locked). State manual-review
+// (the engine cannot say verified/not-verified about a file it can't parse).
+import { computeFindingId, computePrimaryLocationLineHash } from "../findings/fingerprint.js";
+import { redactSnippet } from "../redaction/structural.js";
+export async function buildParseErrorFinding(file) {
+    if (file.parse_error === null) {
+        throw new Error("buildParseErrorFinding called on a file without parse_error");
+    }
+    const { line, col } = file.parse_error.location;
+    // Snippet: the source line where the parse failed, with literals redacted (D-39).
+    // We can't extract literals without a parse, so we redact the whole line as a single placeholder.
+    const lines = file.source_text.split(/\r?\n/);
+    const lineText = lines[Math.max(0, line - 1)] ?? "";
+    const snippet = redactSnippet({
+        source_text: lineText,
+        literals: [{ kind: "string", start: 0, end: lineText.length, value: lineText }],
+    });
+    const primaryLocationLineHash = await computePrimaryLocationLineHash({
+        rule_id: "engine/parse-error",
+        file_path: file.file_path,
+        node_kind: "ParseError",
+        line_text: lineText,
+    });
+    const id = await computeFindingId({
+        rule_id: "engine/parse-error",
+        handler_id: null,
+        file_path: file.file_path,
+        primary_location_line_hash: primaryLocationLineHash,
+    });
+    return {
+        id,
+        rule_id: "engine/parse-error",
+        provider: "unknown",
+        severity: "high",
+        state: "manual-review",
+        file_path: file.file_path,
+        location: { line, col, end_line: line, end_col: col + 1 },
+        snippet,
+        handler_id: null,
+        primary_location_line_hash: primaryLocationLineHash,
+        message: file.parse_error.message,
+        metadata: { source: file.parse_error.source },
+    };
+}
+//# sourceMappingURL=parse-error.js.map

package/dist/evaluator/parse-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-error.js","sourceRoot":"","sources":["../../src/evaluator/parse-error.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,gGAAgG;AAChG,6EAA6E;AAE7E,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,MAAM,4BAA4B,CAAC;AAC9F,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAI3D,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,IAAgB;IAC3D,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;IAChD,kFAAkF;IAClF,kGAAkG;IAClG,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,WAAW,EAAE,QAAQ;QACrB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;KAChF,CAAC,CAAC;IACH,MAAM,uBAAuB,GAAG,MAAM,8BAA8B,CAAC;QACnE,OAAO,EAAE,oBAAoB;QAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,YAAY;QACvB,SAAS,EAAE,QAAQ;KACpB,CAAC,CAAC;IACH,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC;QAChC,OAAO,EAAE,oBAAoB;QAC7B,UAAU,EAAE,IAAI;QAChB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,0BAA0B,EAAE,uBAAuB;KACpD,CAAC,CAAC;IACH,OAAO;QACL,EAAE;QACF,OAAO,EAAE,oBAAoB;QAC7B,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,eAAe;QACtB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,EAAE;QACzD,OAAO;QACP,UAAU,EAAE,IAAI;QAChB,0BAA0B,EAAE,uBAAuB;QACnD,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;QACjC,QAAQ,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE;KAC9C,CAAC;AACJ,CAAC"}

package/dist/evaluator/path-severity-overrides.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from "../types/finding.js";
+import type { RuleDefinition } from "../types/rule-set.js";
+export declare function applyPathSeverityOverrides(finding: Finding, rule: RuleDefinition): Finding;
+//# sourceMappingURL=path-severity-overrides.d.ts.map

package/dist/evaluator/path-severity-overrides.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-severity-overrides.d.ts","sourceRoot":"","sources":["../../src/evaluator/path-severity-overrides.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAa1F"}

package/dist/evaluator/path-severity-overrides.js

@@ -0,0 +1,29 @@
+// D-57 RULES-05: post-emit severity rewriter. Pure: no fs / http / network / process / node:*.
+// Engine purity guard at .dependency-cruiser.cjs lines 4–38 forbids those imports here.
+//
+// Matches finding.file_path against each override's glob patterns (picomatch). On the FIRST
+// matching override, replaces Finding.severity. Returns the finding unchanged when:
+//   - rule.path_severity_overrides is null
+//   - no override has a matching pattern
+//
+// Verification state (Finding.state, D-29) is NEVER touched — a hardcoded test secret is still
+// `not-verified`, just at `info` severity.
+import picomatch from "picomatch";
+export function applyPathSeverityOverrides(finding, rule) {
+    const overrides = rule.path_severity_overrides;
+    if (overrides === null || overrides.length === 0)
+        return finding;
+    for (const override of overrides) {
+        if (override.patterns.length === 0)
+            continue;
+        const isMatch = picomatch(override.patterns, { dot: true });
+        if (isMatch(finding.file_path)) {
+            // Identity: do not produce a new object when severity is already the override target.
+            if (finding.severity === override.severity)
+                return finding;
+            return { ...finding, severity: override.severity };
+        }
+    }
+    return finding;
+}
+//# sourceMappingURL=path-severity-overrides.js.map

package/dist/evaluator/path-severity-overrides.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-severity-overrides.js","sourceRoot":"","sources":["../../src/evaluator/path-severity-overrides.ts"],"names":[],"mappings":"AAAA,+FAA+F;AAC/F,wFAAwF;AACxF,EAAE;AACF,4FAA4F;AAC5F,oFAAoF;AACpF,2CAA2C;AAC3C,yCAAyC;AACzC,EAAE;AACF,+FAA+F;AAC/F,2CAA2C;AAE3C,OAAO,SAAS,MAAM,WAAW,CAAC;AAIlC,MAAM,UAAU,0BAA0B,CAAC,OAAgB,EAAE,IAAoB;IAC/E,MAAM,SAAS,GAAG,IAAI,CAAC,uBAAuB,CAAC;IAC/C,IAAI,SAAS,KAAK,IAAI,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IACjE,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAC7C,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAoB,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC/B,sFAAsF;YACtF,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ;gBAAE,OAAO,OAAO,CAAC;YAC3D,OAAO,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/evaluator/visit.d.ts

@@ -0,0 +1,16 @@
+import type { Finding, FindingId, Verdict } from "../types/finding.js";
+import type { WebhookHandler } from "../types/handler.js";
+import type { ProjectModel } from "../types/project-model.js";
+import type { RuleSet } from "../types/rule-set.js";
+export interface EvaluateForHandlerInput {
+    readonly handler: WebhookHandler;
+    readonly ruleSet: RuleSet;
+    readonly model: ProjectModel;
+}
+export interface EvaluateForHandlerOutput {
+    readonly findings: ReadonlyArray<Finding>;
+    readonly findings_ref: ReadonlyArray<FindingId>;
+    readonly worst_state: Verdict;
+}
+export declare function evaluateRulesForHandler(input: EvaluateForHandlerInput): Promise<EvaluateForHandlerOutput>;
+//# sourceMappingURL=visit.d.ts.map

package/dist/evaluator/visit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"visit.d.ts","sourceRoot":"","sources":["../../src/evaluator/visit.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAkB,OAAO,EAAE,MAAM,sBAAsB,CAAC;AASpE,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;CAC9B;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAChD,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;CAC/B;AAED,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,wBAAwB,CAAC,CAenC"}

package/dist/evaluator/visit.js

@@ -0,0 +1,96 @@
+// Per-handler rule visitor. Walks ruleSet.rules, applies matcher OR predicate per D-28,
+// emits one Finding per (rule, handler) match per D-30 (engine never dedups; renderer rollups).
+import { computeFindingId, computePrimaryLocationLineHash } from "../findings/fingerprint.js";
+import { applyMatcher } from "./matchers.js";
+const VERDICT_RANK = {
+    verified: 0,
+    "manual-review": 1,
+    "not-verified": 2,
+};
+export async function evaluateRulesForHandler(input) {
+    const { handler, ruleSet, model } = input;
+    const findings = [];
+    const findingsRef = [];
+    let worst = "verified"; // optimistic baseline; rules promote toward not-verified
+    for (const rule of ruleSet.rules) {
+        if (!ruleAppliesToFramework(rule, handler.framework))
+            continue;
+        const verdict = await runRule(rule, handler, model, ruleSet);
+        if (verdict === null)
+            continue; // rule does not apply
+        const finding = await buildFinding(rule, handler, verdict);
+        findings.push(finding);
+        findingsRef.push(finding.id);
+        if (VERDICT_RANK[verdict] > VERDICT_RANK[worst])
+            worst = verdict;
+    }
+    return { findings, findings_ref: findingsRef, worst_state: worst };
+}
+function ruleAppliesToFramework(rule, framework) {
+    if (rule.applies_to === "all")
+        return true;
+    return rule.applies_to.includes(framework);
+}
+async function runRule(rule, handler, model, ruleSet) {
+    // D-28: a rule may have a matcher, a predicate, or both. If both are present, BOTH must agree
+    // (return same verdict) for the rule to fire — conservative. If only one is present, its
+    // verdict is the rule's verdict. Unmatched rule → null.
+    let matcherVerdict = null;
+    if (rule.matcher !== null) {
+        matcherVerdict = applyMatcher({
+            matcher: rule.matcher,
+            handler,
+            model,
+            providers: ruleSet.providers,
+            emits_state: rule.emits_state,
+        });
+    }
+    let predicateVerdict = null;
+    if (rule.predicate_name !== null) {
+        const fn = ruleSet.predicates[rule.predicate_name];
+        if (fn)
+            predicateVerdict = await fn(handler, model);
+    }
+    if (rule.matcher !== null && rule.predicate_name !== null) {
+        if (matcherVerdict === null || predicateVerdict === null)
+            return null;
+        return matcherVerdict === predicateVerdict ? matcherVerdict : null;
+    }
+    return matcherVerdict ?? predicateVerdict;
+}
+async function buildFinding(rule, handler, verdict) {
+    const lineText = extractLineFromHandler(handler);
+    const primaryLocationLineHash = await computePrimaryLocationLineHash({
+        rule_id: rule.rule_id,
+        file_path: handler.file_path,
+        node_kind: "WebhookHandler",
+        line_text: lineText,
+    });
+    const id = await computeFindingId({
+        rule_id: rule.rule_id,
+        handler_id: handler.id,
+        file_path: handler.file_path,
+        primary_location_line_hash: primaryLocationLineHash,
+    });
+    return {
+        id,
+        rule_id: rule.rule_id,
+        provider: rule.provider,
+        severity: rule.severity,
+        state: verdict,
+        file_path: handler.file_path,
+        location: handler.location,
+        snippet: handler.redacted_snippet,
+        handler_id: handler.id,
+        primary_location_line_hash: primaryLocationLineHash,
+        message: rule.message,
+        metadata: { framework: handler.framework, route_pattern: handler.route_pattern },
+    };
+}
+function extractLineFromHandler(handler) {
+    // First line of the handler's redacted snippet — sufficient for the SARIF-style fingerprint
+    // (Plan 02's computePrimaryLocationLineHash normalizes whitespace before hashing).
+    const firstNl = handler.redacted_snippet.indexOf("\n");
+    return firstNl < 0 ? handler.redacted_snippet : handler.redacted_snippet.slice(0, firstNl);
+}
+//# sourceMappingURL=visit.js.map

package/dist/evaluator/visit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"visit.js","sourceRoot":"","sources":["../../src/evaluator/visit.ts"],"names":[],"mappings":"AAAA,wFAAwF;AACxF,gGAAgG;AAEhG,OAAO,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,MAAM,4BAA4B,CAAC;AAK9F,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,YAAY,GAA4B;IAC5C,QAAQ,EAAE,CAAC;IACX,eAAe,EAAE,CAAC;IAClB,cAAc,EAAE,CAAC;CAClB,CAAC;AAcF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAA8B;IAE9B,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;IAC1C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAgB,EAAE,CAAC;IACpC,IAAI,KAAK,GAAY,UAAU,CAAC,CAAC,yDAAyD;IAC1F,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC;YAAE,SAAS;QAC/D,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAC7D,IAAI,OAAO,KAAK,IAAI;YAAE,SAAS,CAAC,sBAAsB;QACtD,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC7B,IAAI,YAAY,CAAC,OAAO,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC;YAAE,KAAK,GAAG,OAAO,CAAC;IACnE,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;AACrE,CAAC;AAED,SAAS,sBAAsB,CAC7B,IAAoB,EACpB,SAAsC;IAEtC,IAAI,IAAI,CAAC,UAAU,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,IAAoB,EACpB,OAAuB,EACvB,KAAmB,EACnB,OAAgB;IAEhB,8FAA8F;IAC9F,yFAAyF;IACzF,wDAAwD;IACxD,IAAI,cAAc,GAAmB,IAAI,CAAC;IAC1C,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC1B,cAAc,GAAG,YAAY,CAAC;YAC5B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO;YACP,KAAK;YACL,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC,CAAC;IACL,CAAC;IACD,IAAI,gBAAgB,GAAmB,IAAI,CAAC;IAC5C,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;QACjC,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnD,IAAI,EAAE;YAAE,gBAAgB,GAAG,MAAM,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;QAC1D,IAAI,cAAc,KAAK,IAAI,IAAI,gBAAgB,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QACtE,OAAO,cAAc,KAAK,gBAAgB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC;IACrE,CAAC;IACD,OAAO,cAAc,IAAI,gBAAgB,CAAC;AAC5C,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,IAAoB,EACpB,OAAuB,EACvB,OAAgB;IAEhB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,uBAAuB,GAAG,MAAM,8BAA8B,CAAC;QACnE,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,SAAS,EAAE,gBAAgB;QAC3B,SAAS,EAAE,QAAQ;KACpB,CAAC,CAAC;IACH,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC;QAChC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU,EAAE,OAAO,CAAC,EAAE;QACtB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,0BAA0B,EAAE,uBAAuB;KACpD,CAAC,CAAC;IACH,OAAO;QACL,EAAE;QACF,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK,EAAE,OAAO;QACd,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO,EAAE,OAAO,CAAC,gBAAgB;QACjC,UAAU,EAAE,OAAO,CAAC,EAAE;QACtB,0BAA0B,EAAE,uBAAuB;QACnD,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,CAAC,aAAa,EAAE;KACjF,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAuB;IACrD,4FAA4F;IAC5F,mFAAmF;IACnF,MAAM,OAAO,GAAG,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,OAAO,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC7F,CAAC"}

package/dist/findings/fingerprint.d.ts

@@ -0,0 +1,22 @@
+export interface PrimaryLocationLineHashInput {
+    readonly rule_id: string;
+    readonly file_path: string;
+    readonly node_kind: string;
+    readonly line_text: string;
+}
+export declare function computePrimaryLocationLineHash(input: PrimaryLocationLineHashInput): Promise<string>;
+export interface HandlerIdInput {
+    readonly file_path: string;
+    readonly route_pattern: string;
+    readonly http_methods: ReadonlyArray<string>;
+    readonly handler_function_name: string | null;
+}
+export declare function computeHandlerId(input: HandlerIdInput): Promise<string>;
+export interface FindingIdInput {
+    readonly rule_id: string;
+    readonly handler_id: string | null;
+    readonly file_path: string;
+    readonly primary_location_line_hash: string;
+}
+export declare function computeFindingId(input: FindingIdInput): Promise<string>;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/findings/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../src/findings/fingerprint.ts"],"names":[],"mappings":"AAaA,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,wBAAsB,8BAA8B,CAClD,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC,MAAM,CAAC,CAQjB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ7E;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,0BAA0B,EAAE,MAAM,CAAC;CAC7C;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAQ7E"}

package/dist/findings/fingerprint.js

@@ -0,0 +1,39 @@
+import { sha256Hex } from "./webcrypto.js";
+// SARIF 2.1.0 partialFingerprints.primaryLocationLineHash semantic:
+// - stable across unrelated line shifts in the same file
+// - input includes the rule id, file path, AST node kind, and a normalized version of the line text
+// - hex-encoded sha256 is GitHub Code Scanning's accepted format
+//
+// We normalize the line text by collapsing runs of whitespace to single spaces and trimming.
+// This means cosmetic reformatting does not change identity, but a real edit does.
+function normalizeLine(text) {
+    return text.replace(/[ \t]+/g, " ").trim();
+}
+export async function computePrimaryLocationLineHash(input) {
+    const canonical = [
+        input.rule_id,
+        input.file_path,
+        input.node_kind,
+        normalizeLine(input.line_text),
+    ].join("|");
+    return sha256Hex(canonical);
+}
+export async function computeHandlerId(input) {
+    const methodsSorted = [...input.http_methods]
+        .map((m) => m.toUpperCase())
+        .sort()
+        .join(",");
+    const fnName = input.handler_function_name ?? "<anonymous>";
+    const canonical = `${input.file_path}|${input.route_pattern}|${methodsSorted}|${fnName}`;
+    return sha256Hex(canonical);
+}
+export async function computeFindingId(input) {
+    const canonical = [
+        input.rule_id,
+        input.handler_id ?? "<no-handler>",
+        input.file_path,
+        input.primary_location_line_hash,
+    ].join("|");
+    return sha256Hex(canonical);
+}
+//# sourceMappingURL=fingerprint.js.map

package/dist/findings/fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../src/findings/fingerprint.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,oEAAoE;AACpE,yDAAyD;AACzD,oGAAoG;AACpG,iEAAiE;AACjE,EAAE;AACF,6FAA6F;AAC7F,mFAAmF;AACnF,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,KAAmC;IAEnC,MAAM,SAAS,GAAG;QAChB,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,SAAS;QACf,KAAK,CAAC,SAAS;QACf,aAAa,CAAC,KAAK,CAAC,SAAS,CAAC;KAC/B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,OAAO,SAAS,CAAC,SAAS,CAAC,CAAC;AAC9B,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAqB;IAC1D,MAAM,aAAa,GAAG,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC;SAC1C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;SAC3B,IAAI,EAAE;SACN,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,MAAM,MAAM,GAAG,KAAK,CAAC,qBAAqB,IAAI,aAAa,CAAC;IAC5D,MAAM,SAAS,GAAG,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,aAAa,IAAI,aAAa,IAAI,MAAM,EAAE,CAAC;IACzF,OAAO,SAAS,CAAC,SAAS,CAAC,CAAC;AAC9B,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAqB;IAC1D,MAAM,SAAS,GAAG;QAChB,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,UAAU,IAAI,cAAc;QAClC,KAAK,CAAC,SAAS;QACf,KAAK,CAAC,0BAA0B;KACjC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,OAAO,SAAS,CAAC,SAAS,CAAC,CAAC;AAC9B,CAAC"}

package/dist/findings/index.d.ts

@@ -0,0 +1,3 @@
+export type { FindingIdInput, HandlerIdInput, PrimaryLocationLineHashInput, } from "./fingerprint.js";
+export { computeFindingId, computeHandlerId, computePrimaryLocationLineHash, } from "./fingerprint.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/findings/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/findings/index.ts"],"names":[],"mappings":"AAGA,YAAY,EACV,cAAc,EACd,cAAc,EACd,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,8BAA8B,GAC/B,MAAM,kBAAkB,CAAC"}

package/dist/findings/index.js

@@ -0,0 +1,4 @@
+// findings/ barrel — internal-use only. The engine package's public surface re-exports nothing
+// from here; downstream rules query the public `Finding` type from src/types/.
+export { computeFindingId, computeHandlerId, computePrimaryLocationLineHash, } from "./fingerprint.js";
+//# sourceMappingURL=index.js.map

package/dist/findings/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/findings/index.ts"],"names":[],"mappings":"AAAA,+FAA+F;AAC/F,+EAA+E;AAO/E,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,8BAA8B,GAC/B,MAAM,kBAAkB,CAAC"}

package/dist/findings/webcrypto.d.ts

@@ -0,0 +1,2 @@
+export declare function sha256Hex(input: string): Promise<string>;
+//# sourceMappingURL=webcrypto.d.ts.map

package/dist/findings/webcrypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webcrypto.d.ts","sourceRoot":"","sources":["../../src/findings/webcrypto.ts"],"names":[],"mappings":"AAIA,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAU9D"}

package/dist/findings/webcrypto.js

@@ -0,0 +1,15 @@
+// Engine-internal helper. Wraps WebCrypto's verbose `subtle.digest` API.
+// D-02: engine uses globalThis.crypto.subtle for hashing — no Node `crypto` import.
+// Browser-safe: works wherever the Web Crypto API is present (Node 22+, modern browsers).
+export async function sha256Hex(input) {
+    const bytes = new TextEncoder().encode(input);
+    const buffer = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+    const view = new Uint8Array(buffer);
+    let out = "";
+    for (let i = 0; i < view.length; i++) {
+        const byte = view[i] ?? 0;
+        out += byte.toString(16).padStart(2, "0");
+    }
+    return out;
+}
+//# sourceMappingURL=webcrypto.js.map

package/dist/findings/webcrypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webcrypto.js","sourceRoot":"","sources":["../../src/findings/webcrypto.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,oFAAoF;AACpF,0FAA0F;AAE1F,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IAC3C,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACvE,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1B,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/index.d.ts

@@ -1,9 +1,9 @@
-export type Finding = {
-    ruleId: string;
-    severity: "critical" | "high" | "medium" | "low" | "info";
-};
-export type ProjectModel = Record<string, never>;
-export type RuleSet = Record<string, never>;
-export type Config = Record<string, never>;
-export declare function evaluate(_model: ProjectModel, _rules: RuleSet, _config: Config): Promise<Finding[]>;
+export { ALL_ADAPTERS, type FrameworkAdapter } from "./adapters/index.js";
+export { evaluate } from "./evaluate.js";
+export { type BuildProjectModelInput, buildProjectModel } from "./model/index.js";
+export { type ParseJsTsInput, parseJsTs } from "./parsers/babel.js";
+export { type ParsePythonInput, parsePython } from "./parsers/python.js";
+export { type InitPythonRuntimeInput, initPythonRuntime, type PythonRuntime, } from "./parsers/python-loader.js";
+export type { Config, DeclarativeMatcher, Finding, FindingId, Framework, ImportEdge, MatcherName, MiddlewareRegistration, ParsedFile, ParseErrorRecord, ProjectModel, ProviderCatalog, ProviderCatalogEntry, ReachableSymbol, ResolvedMiddleware, RuleDefinition, RulePredicate, RuleSet, ScanMetadata, ScanResult, Severity, SourceLocation, SuppressedPayload, SuppressionSource, Verdict, WebhookEvidence, WebhookEvidenceKind, WebhookHandler, } from "./types/index.js";
+export { ENGINE_VERSION } from "./version.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,OAAO,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAA;CAAE,CAAC;AACpG,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACjD,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC5C,MAAM,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAE3C,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,YAAY,EACpB,MAAM,EAAE,OAAO,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,EAAE,CAAC,CAEpB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAAE,KAAK,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,KAAK,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAClF,OAAO,EAAE,KAAK,cAAc,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACzE,OAAO,EACL,KAAK,sBAAsB,EAC3B,iBAAiB,EACjB,KAAK,aAAa,GACnB,MAAM,4BAA4B,CAAC;AAEpC,YAAY,EACV,MAAM,EACN,kBAAkB,EAClB,OAAO,EACP,SAAS,EACT,SAAS,EACT,UAAU,EACV,WAAW,EACX,sBAAsB,EACtB,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,aAAa,EACb,OAAO,EACP,YAAY,EACZ,UAAU,EACV,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,OAAO,EACP,eAAe,EACf,mBAAmB,EACnB,cAAc,GACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -2,8 +2,13 @@
 // Decision D-01: no Node built-ins, no network libs.
 // Decision D-02: evaluate() is async (uses globalThis.crypto.subtle).
 // Decision D-03: RuleSet is pre-parsed by the caller; engine never reads files.
-// Phase 2 implements the real evaluate() function. This is a placeholder.
-export async function evaluate(_model, _rules, _config) {
-    return [];
-}
+// Decision D-23: engine source lives only in the public OSS repo.
+// Public function surface.
+export { ALL_ADAPTERS } from "./adapters/index.js";
+export { evaluate } from "./evaluate.js";
+export { buildProjectModel } from "./model/index.js";
+export { parseJsTs } from "./parsers/babel.js";
+export { parsePython } from "./parsers/python.js";
+export { initPythonRuntime, } from "./parsers/python-loader.js";
+export { ENGINE_VERSION } from "./version.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,qDAAqD;AACrD,sEAAsE;AACtE,gFAAgF;AAChF,0EAA0E;AAO1E,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,MAAoB,EACpB,MAAe,EACf,OAAe;IAEf,OAAO,EAAE,CAAC;AACZ,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,qDAAqD;AACrD,sEAAsE;AACtE,gFAAgF;AAChF,kEAAkE;AAElE,2BAA2B;AAC3B,OAAO,EAAE,YAAY,EAAyB,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAA+B,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAClF,OAAO,EAAuB,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAyB,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACzE,OAAO,EAEL,iBAAiB,GAElB,MAAM,4BAA4B,CAAC;AAgCpC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/model/build.d.ts

@@ -0,0 +1,12 @@
+import type { Config } from "../types/config.js";
+import type { ParsedFile, ProjectModel } from "../types/project-model.js";
+import type { RuleSet } from "../types/rule-set.js";
+import { type CandidateHandler } from "./catalog.js";
+export interface BuildProjectModelInput {
+    readonly parsedFiles: ReadonlyArray<ParsedFile>;
+    readonly ruleSet: RuleSet;
+    readonly config: Config;
+    readonly bespokeAdapters?: ReadonlyArray<(file: ParsedFile, allFiles: ReadonlyArray<ParsedFile>) => ReadonlyArray<CandidateHandler>>;
+}
+export declare function buildProjectModel(input: BuildProjectModelInput): Promise<ProjectModel>;
+//# sourceMappingURL=build.d.ts.map

package/dist/model/build.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAOjD,OAAO,KAAK,EAGV,UAAU,EACV,YAAY,EACb,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,KAAK,gBAAgB,EAAyB,MAAM,cAAc,CAAC;AAK5E,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,QAAQ,CAAC,eAAe,CAAC,EAAE,aAAa,CACtC,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,UAAU,CAAC,KAAK,aAAa,CAAC,gBAAgB,CAAC,CAC3F,CAAC;CACH;AAED,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,sBAAsB,GAAG,OAAO,CAAC,YAAY,CAAC,CAmC5F"}