@hookwarden/engine 0.0.1 → 0.1.0

package/dist/model/build.js

@@ -0,0 +1,154 @@
+// buildProjectModel: orchestrates parsers' output into a ProjectModel that the evaluator (Plan 08)
+// consumes. Async (D-02 — handler ids are WebCrypto sha256). Pure (D-01 — no fs/http).
+//
+// Wires together:
+//   - Plan 06a's detectCatalogHandlers + computeEvidence (6 of 7 D-32 signals)
+//   - Plan 07's bespoke adapters (Next.js / Django / FastAPI) via the bespokeAdapters hook
+//   - This plan's computeReachableSymbols (D-34 cross-file traversal) + extractMiddlewareChain (D-36)
+//   - The sdk_verify_call evidence overlay — completes D-32's 7th signal.
+import { computeHandlerId } from "../findings/fingerprint.js";
+import { extractBabelLiterals } from "../parsers/literals.js";
+import { extractPythonLiterals } from "../parsers/python-literals.js";
+import { redactSnippet } from "../redaction/structural.js";
+import { detectCatalogHandlers } from "./catalog.js";
+import { computeEvidence } from "./evidence.js";
+import { extractMiddlewareChain } from "./middleware.js";
+import { computeReachableSymbols } from "./reachability.js";
+export async function buildProjectModel(input) {
+    // 1. Aggregate every file's imports → import_graph (engine-internal cross-file index).
+    const importGraph = [];
+    for (const file of input.parsedFiles) {
+        for (const edge of file.imports)
+            importGraph.push(edge);
+    }
+    // 2. Detect candidate handlers per file (catalog + bespoke). Skip parse-error files (D-27).
+    const candidates = [];
+    const adapters = input.bespokeAdapters ?? [];
+    for (const file of input.parsedFiles) {
+        if (file.parse_error !== null)
+            continue;
+        for (const cand of detectCatalogHandlers(file))
+            candidates.push({ cand, file });
+        for (const adapter of adapters) {
+            for (const cand of adapter(file, input.parsedFiles))
+                candidates.push({ cand, file });
+        }
+    }
+    // 3. For each candidate, compute id + evidence (with sdk_verify_call overlay) + reachability +
+    //    middleware_chain + redacted snippet.
+    const handlers = [];
+    for (const { cand, file } of candidates) {
+        handlers.push(await assembleHandler(cand, file, input));
+    }
+    // 4. Aggregate middleware registrations at the project level (engine-internal index — Phase 8
+    //    rule authors who need cross-handler middleware ordering can query this).
+    const middlewareRegistrations = [];
+    return {
+        parsed_files: input.parsedFiles,
+        handlers,
+        middleware_registrations: middlewareRegistrations,
+        import_graph: importGraph,
+    };
+}
+async function assembleHandler(cand, file, input) {
+    const id = await computeHandlerId({
+        file_path: cand.file_path,
+        route_pattern: cand.route_pattern,
+        http_methods: cand.http_methods,
+        handler_function_name: cand.handler_function_name,
+    });
+    const baseEvidence = computeEvidence({
+        handler: cand,
+        parsedFile: file,
+        providerCatalog: input.ruleSet.providers,
+        imports: file.imports,
+    });
+    const reachableSymbols = computeReachableSymbols({
+        handler_body_node: cand.handler_body_node,
+        handler_file: file,
+        all_files: input.parsedFiles,
+        imports: file.imports,
+        maxDepth: input.config.reachability_max_depth,
+    });
+    const middlewareChain = extractMiddlewareChain({
+        handler: cand,
+        parsedFile: file,
+        imports: file.imports,
+    });
+    // sdk_verify_call evidence overlay (issue #7 fix) — completes D-32's 7th signal.
+    const sdkVerifyEvidence = collectSdkVerifyCallEvidence(cand, reachableSymbols, input.ruleSet);
+    const evidence = [...baseEvidence.evidence, ...sdkVerifyEvidence];
+    // Recompute provider attribution since sdk_verify_call evidence may shift the count.
+    const provider = recomputeProvider(evidence, baseEvidence.provider);
+    const redactedSnippet = renderHandlerSnippet(file, cand);
+    return {
+        id,
+        framework: cand.framework,
+        framework_version: cand.framework_version,
+        route_pattern: cand.route_pattern,
+        http_methods: cand.http_methods,
+        file_path: cand.file_path,
+        location: cand.location,
+        handler_function_name: cand.handler_function_name,
+        provider,
+        verification_state: "manual-review", // PITFALLS #3 default; Plan 08 evaluator promotes
+        evidence,
+        middleware_chain: middlewareChain,
+        reachable_symbols: reachableSymbols,
+        findings_ref: [], // back-populated by Plan 08 evaluator
+        redacted_snippet: redactedSnippet,
+    };
+}
+function collectSdkVerifyCallEvidence(cand, reachableSymbols, ruleSet) {
+    const out = [];
+    for (const [providerName, entry] of Object.entries(ruleSet.providers)) {
+        for (const verifyCall of entry.sdk_verify_calls) {
+            const matched = reachableSymbols.some((s) => s.qualified_name === verifyCall || s.qualified_name.endsWith(`.${verifyCall}`));
+            if (matched) {
+                out.push({
+                    kind: "sdk_verify_call",
+                    provider: providerName,
+                    location: cand.location,
+                    detail: verifyCall,
+                });
+            }
+        }
+    }
+    return out;
+}
+function recomputeProvider(evidence, fallback) {
+    const counts = new Map();
+    for (const e of evidence) {
+        if (e.provider === "unknown")
+            continue;
+        counts.set(e.provider, (counts.get(e.provider) ?? 0) + 1);
+    }
+    let topProvider = "unknown";
+    let topCount = 0;
+    let tied = false;
+    for (const [p, c] of counts) {
+        if (c > topCount) {
+            topProvider = p;
+            topCount = c;
+            tied = false;
+        }
+        else if (c === topCount && c > 0) {
+            tied = true;
+        }
+    }
+    if (topProvider === "unknown")
+        return fallback;
+    return tied ? "multiple" : topProvider;
+}
+function renderHandlerSnippet(file, cand) {
+    const slice = file.source_text.slice(cand.handler_source_start, cand.handler_source_end);
+    const offset = cand.handler_source_start;
+    const allLiterals = file.dialect === "babel"
+        ? extractBabelLiterals(file.raw_ast)
+        : extractPythonLiterals(file.raw_ast);
+    const sliceLiterals = allLiterals
+        .filter((l) => l.start >= cand.handler_source_start && l.end <= cand.handler_source_end)
+        .map((l) => ({ ...l, start: l.start - offset, end: l.end - offset }));
+    return redactSnippet({ source_text: slice, literals: sliceLiterals });
+}
+//# sourceMappingURL=build.js.map

package/dist/model/build.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/model/build.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,uFAAuF;AACvF,EAAE;AACF,kBAAkB;AAClB,+EAA+E;AAC/E,2FAA2F;AAC3F,sGAAsG;AACtG,0EAA0E;AAE1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAe3D,OAAO,EAAyB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAY5D,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAA6B;IACnE,uFAAuF;IACvF,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO;YAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC;IAED,4FAA4F;IAC5F,MAAM,UAAU,GAA0E,EAAE,CAAC;IAC7F,MAAM,QAAQ,GAAG,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC;IAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI;YAAE,SAAS;QACxC,KAAK,MAAM,IAAI,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,WAAW,CAAC;gBAAE,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,+FAA+F;IAC/F,0CAA0C;IAC1C,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,UAAU,EAAE,CAAC;QACxC,QAAQ,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,8FAA8F;IAC9F,8EAA8E;IAC9E,MAAM,uBAAuB,GAA0C,EAAE,CAAC;IAE1E,OAAO;QACL,YAAY,EAAE,KAAK,CAAC,WAAW;QAC/B,QAAQ;QACR,wBAAwB,EAAE,uBAAuB;QACjD,YAAY,EAAE,WAAW;KAC1B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAsB,EACtB,IAAgB,EAChB,KAA6B;IAE7B,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;KAClD,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,eAAe,CAAC;QACnC,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,IAAI;QAChB,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS;QACxC,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;QAC/C,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,YAAY,EAAE,IAAI;QAClB,SAAS,EAAE,KAAK,CAAC,WAAW;QAC5B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,sBAAsB;KAC9C,CAAC,CAAC;IACH,MAAM,eAAe,GAAsC,sBAAsB,CAAC;QAChF,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,iFAAiF;IACjF,MAAM,iBAAiB,GAAG,4BAA4B,CAAC,IAAI,EAAE,gBAAgB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9F,MAAM,QAAQ,GAAmC,CAAC,GAAG,YAAY,CAAC,QAAQ,EAAE,GAAG,iBAAiB,CAAC,CAAC;IAClG,qFAAqF;IACrF,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpE,MAAM,eAAe,GAAG,oBAAoB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO;QACL,EAAE;QACF,SAAS,EAAE,IAAI,CAAC,SAAsB;QACtC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;QACjD,QAAQ;QACR,kBAAkB,EAAE,eAAe,EAAE,kDAAkD;QACvF,QAAQ;QACR,gBAAgB,EAAE,eAAe;QACjC,iBAAiB,EAAE,gBAAgB;QACnC,YAAY,EAAE,EAAE,EAAE,sCAAsC;QACxD,gBAAgB,EAAE,eAAe;KAClC,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CACnC,IAAsB,EACtB,gBAGE,EACF,OAAgB;IAEhB,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACtE,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,UAAU,IAAI,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,UAAU,EAAE,CAAC,CACtF,CAAC;YACF,IAAI,OAAO,EAAE,CAAC;gBACZ,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAwC,EAAE,QAAgB;IACnF,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS;YAAE,SAAS;QACvC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC;YACjB,WAAW,GAAG,CAAC,CAAC;YAChB,QAAQ,GAAG,CAAC,CAAC;YACb,IAAI,GAAG,KAAK,CAAC;QACf,CAAC;aAAM,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,IAAI,GAAG,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,IAAI,WAAW,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IAC/C,OAAO,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;AACzC,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAgB,EAAE,IAAsB;IACpE,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACzF,MAAM,MAAM,GAAG,IAAI,CAAC,oBAAoB,CAAC;IACzC,MAAM,WAAW,GACf,IAAI,CAAC,OAAO,KAAK,OAAO;QACtB,CAAC,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAqD,CAAC;QAClF,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAsD,CAAC,CAAC;IACzF,MAAM,aAAa,GAAG,WAAW;SAC9B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,oBAAoB,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,kBAAkB,CAAC;SACvF,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,GAAG,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;IACxE,OAAO,aAAa,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC;AACxE,CAAC"}

package/dist/model/catalog.d.ts

@@ -0,0 +1,17 @@
+import type { SourceLocation } from "../types/finding.js";
+import type { Framework } from "../types/handler.js";
+import type { ParsedFile } from "../types/project-model.js";
+export interface CandidateHandler {
+    readonly framework: Framework;
+    readonly framework_version: string | null;
+    readonly route_pattern: string;
+    readonly http_methods: ReadonlyArray<string>;
+    readonly file_path: string;
+    readonly location: SourceLocation;
+    readonly handler_function_name: string | null;
+    readonly handler_body_node: unknown;
+    readonly handler_source_start: number;
+    readonly handler_source_end: number;
+}
+export declare function detectCatalogHandlers(parsedFile: ParsedFile): ReadonlyArray<CandidateHandler>;
+//# sourceMappingURL=catalog.d.ts.map

package/dist/model/catalog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.d.ts","sourceRoot":"","sources":["../../src/model/catalog.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAC;IAE9C,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IAEpC,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;CACrC;AA6BD,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,UAAU,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAK7F"}

package/dist/model/catalog.js

@@ -0,0 +1,303 @@
+// Catalog-driven framework detection (D-31). Covers the four frameworks the catalog data
+// can express uniformly. Next.js / Django / FastAPI need bespoke adapters in Plan 07.
+//
+// This module produces "candidate handlers" — partial WebhookHandler shapes — that Plan 06b's
+// build.ts enriches with cross-file data (reachable_symbols, middleware_chain) and evidence.
+import { walkBabelAst } from "../parsers/walk.js";
+const BODY_METHODS = new Set(["post", "put", "patch", "delete", "all"]);
+const ALL_METHODS = new Set([
+    "get",
+    "post",
+    "put",
+    "patch",
+    "delete",
+    "head",
+    "options",
+    "all",
+]);
+export function detectCatalogHandlers(parsedFile) {
+    if (parsedFile.parse_error !== null || parsedFile.raw_ast === null)
+        return [];
+    if (parsedFile.dialect === "babel")
+        return detectJsTsCatalog(parsedFile);
+    if (parsedFile.dialect === "tree-sitter-python")
+        return detectPythonCatalog(parsedFile);
+    return [];
+}
+// ---- JS/TS: Express, Hono, Fastify ----
+function detectJsTsCatalog(parsedFile) {
+    const ast = parsedFile.raw_ast;
+    const out = [];
+    const imports = parsedFile.imports;
+    const hasHono = imports.some((i) => i.to_module === "hono" || i.to_module.startsWith("hono/"));
+    const hasFastify = imports.some((i) => i.to_module === "fastify");
+    walkBabelAst(ast, (node) => {
+        const handler = matchAppMethodCall(node, parsedFile.file_path, hasHono, hasFastify);
+        if (handler !== null)
+            out.push(handler);
+        if (hasFastify) {
+            const fastifyRoute = matchFastifyRouteCall(node, parsedFile.file_path);
+            if (fastifyRoute !== null)
+                out.push(fastifyRoute);
+        }
+    });
+    return out;
+}
+// Matches `app.METHOD(path, ...handlers)` for body-bearing methods (POST/PUT/PATCH/DELETE/ALL).
+// Returns null when the node shape does not match — keeps the walker visitor side-effect-free.
+function matchAppMethodCall(node, filePath, hasHono, hasFastify) {
+    if (node.type !== "ExpressionStatement")
+        return null;
+    const expr = node.expression;
+    if (expr.type !== "CallExpression")
+        return null;
+    const callee = expr.callee;
+    if (callee.type !== "MemberExpression")
+        return null;
+    const property = callee.property;
+    if (property.type !== "Identifier")
+        return null;
+    const methodName = property.name.toLowerCase();
+    if (!ALL_METHODS.has(methodName) || !BODY_METHODS.has(methodName))
+        return null;
+    const args = expr.arguments;
+    const pathArg = args[0];
+    if (!pathArg)
+        return null;
+    const path = extractStringPath(pathArg);
+    if (path === null || !isWebhookishPath(path))
+        return null;
+    const fnNode = args[args.length - 1];
+    if (!fnNode || fnNode.type === "SpreadElement" || fnNode.type === "ArgumentPlaceholder") {
+        return null;
+    }
+    const framework = hasHono ? "hono" : hasFastify ? "fastify" : "express";
+    const fnSpan = spanOf(fnNode);
+    return {
+        framework,
+        framework_version: null, // D-01 — never inferred in Phase 2 (issue #5).
+        route_pattern: path,
+        http_methods: [methodName.toUpperCase()],
+        file_path: filePath,
+        location: locationOf(node),
+        handler_function_name: extractFunctionName(fnNode),
+        handler_body_node: fnNode,
+        handler_source_start: fnSpan.start,
+        handler_source_end: fnSpan.end,
+    };
+}
+// Matches `fastify.route({ method, url, handler })` shape.
+function matchFastifyRouteCall(node, filePath) {
+    if (node.type !== "ExpressionStatement")
+        return null;
+    const expr = node.expression;
+    if (expr.type !== "CallExpression")
+        return null;
+    const callee = expr.callee;
+    if (callee.type !== "MemberExpression")
+        return null;
+    const property = callee.property;
+    if (property.type !== "Identifier" || property.name !== "route")
+        return null;
+    const opts = expr.arguments[0];
+    if (!opts || opts.type !== "ObjectExpression")
+        return null;
+    const route = readRouteOptions(opts);
+    const method = readMethodField(route.method);
+    const url = route.url;
+    if (!method || !url || !isWebhookishPath(url))
+        return null;
+    if (!route.handler)
+        return null;
+    const fnSpan = spanOf(route.handler);
+    return {
+        framework: "fastify",
+        framework_version: null, // issue #5
+        route_pattern: url,
+        http_methods: method,
+        file_path: filePath,
+        location: locationOf(node),
+        handler_function_name: extractFunctionName(route.handler),
+        handler_body_node: route.handler,
+        handler_source_start: fnSpan.start,
+        handler_source_end: fnSpan.end,
+    };
+}
+function readRouteOptions(node) {
+    let method = null;
+    let url = null;
+    let handler = null;
+    for (const prop of node.properties) {
+        if (prop.type !== "ObjectProperty")
+            continue;
+        const keyName = propertyKeyName(prop.key);
+        if (keyName === null)
+            continue;
+        const value = prop.value;
+        if (keyName === "method") {
+            if (value.type === "StringLiteral") {
+                method = value.value;
+            }
+            else if (value.type === "ArrayExpression") {
+                method = value.elements
+                    .filter((e) => e !== null && e.type === "StringLiteral")
+                    .map((e) => e.value);
+            }
+        }
+        else if (keyName === "url") {
+            if (value.type === "StringLiteral")
+                url = value.value;
+        }
+        else if (keyName === "handler") {
+            // Skip Pattern (destructuring assignment LHS) — only Expression-shaped values can be a handler.
+            if (value.type !== "RestElement" &&
+                value.type !== "AssignmentPattern" &&
+                value.type !== "ArrayPattern" &&
+                value.type !== "ObjectPattern") {
+                handler = value;
+            }
+        }
+    }
+    return { method, url, handler };
+}
+function propertyKeyName(key) {
+    if (key.type === "Identifier")
+        return key.name;
+    if (key.type === "StringLiteral")
+        return key.value;
+    return null;
+}
+function extractStringPath(node) {
+    if (node.type === "StringLiteral")
+        return node.value;
+    if (node.type === "TemplateLiteral" &&
+        node.expressions.length === 0 &&
+        node.quasis.length === 1) {
+        return node.quasis[0]?.value.cooked ?? null;
+    }
+    return null;
+}
+function isWebhookishPath(path) {
+    // Pre-filter: catch obvious webhook paths and conventional provider paths.
+    // The catalog's `conventional_paths` is also used for evidence; the prefilter is just to keep
+    // noise low so we don't enumerate every route in the project.
+    const lower = path.toLowerCase();
+    return lower.includes("webhook") || lower.includes("/hook") || lower.includes("/hooks");
+}
+function extractFunctionName(node) {
+    if (node.type === "FunctionExpression" || node.type === "FunctionDeclaration") {
+        return node.id?.name ?? null;
+    }
+    if (node.type === "Identifier")
+        return node.name;
+    return null; // arrow function or anonymous
+}
+function locationOf(node) {
+    const loc = node.loc;
+    return {
+        line: loc?.start.line ?? 1,
+        col: (loc?.start.column ?? 0) + 1,
+        end_line: loc?.end.line ?? 1,
+        end_col: (loc?.end.column ?? 0) + 1,
+    };
+}
+function spanOf(node) {
+    return { start: node.start ?? 0, end: node.end ?? 0 };
+}
+function readMethodField(value) {
+    if (value === null)
+        return null;
+    if (typeof value === "string") {
+        return BODY_METHODS.has(value.toLowerCase()) ? [value.toUpperCase()] : null;
+    }
+    const upper = value.map((v) => v.toUpperCase());
+    return upper.some((m) => BODY_METHODS.has(m.toLowerCase())) ? upper : null;
+}
+// ---- Python: Flask ----
+function detectPythonCatalog(parsedFile) {
+    const tree = parsedFile.raw_ast;
+    const out = [];
+    // Detect `@app.route('/x', methods=['POST'])\ndef fn(...)` — Flask convention.
+    const decorated = tree.rootNode.descendantsOfType(["decorated_definition"]);
+    for (const node of decorated) {
+        const handler = matchFlaskDecorator(node, parsedFile.file_path);
+        if (handler !== null)
+            out.push(handler);
+    }
+    return out;
+}
+function matchFlaskDecorator(node, filePath) {
+    const fnDef = node.namedChildren.find((c) => c.type === "function_definition");
+    if (!fnDef)
+        return null;
+    for (const dec of node.descendantsOfType(["decorator"])) {
+        const route = matchRouteDecorator(dec);
+        if (!route)
+            continue;
+        if (!isWebhookishPath(route.path))
+            continue;
+        if (!route.methods.some((m) => BODY_METHODS.has(m.toLowerCase())))
+            continue;
+        return {
+            framework: "flask",
+            framework_version: null, // issue #5
+            route_pattern: route.path,
+            http_methods: route.methods,
+            file_path: filePath,
+            location: {
+                line: node.startPosition.row + 1,
+                col: node.startPosition.column + 1,
+                end_line: node.endPosition.row + 1,
+                end_col: node.endPosition.column + 1,
+            },
+            handler_function_name: fnDef.childForFieldName("name")?.text ?? null,
+            handler_body_node: fnDef,
+            handler_source_start: fnDef.startIndex,
+            handler_source_end: fnDef.endIndex,
+        };
+    }
+    return null;
+}
+function matchRouteDecorator(dec) {
+    const call = dec.descendantsOfType(["call"])[0];
+    if (!call)
+        return null;
+    if (!(call.childForFieldName("function")?.text ?? "").endsWith(".route"))
+        return null;
+    const args = call.childForFieldName("arguments");
+    if (!args)
+        return null;
+    const pathArg = args.namedChildren.find((c) => c.type === "string");
+    if (!pathArg)
+        return null;
+    const path = stripPyString(pathArg.text);
+    const methods = [];
+    for (const kw of args.namedChildren) {
+        if (kw.type !== "keyword_argument")
+            continue;
+        if (kw.childForFieldName("name")?.text !== "methods")
+            continue;
+        const list = kw.childForFieldName("value");
+        if (!list)
+            continue;
+        for (const elem of list.namedChildren) {
+            if (elem.type === "string")
+                methods.push(stripPyString(elem.text).toUpperCase());
+        }
+    }
+    return { path, methods: methods.length > 0 ? methods : ["GET"] };
+}
+function stripPyString(raw) {
+    let i = 0;
+    while (i < raw.length && /[bBrRuUfF]/.test(raw[i] ?? ""))
+        i++;
+    const quoted = raw.slice(i);
+    if (quoted.startsWith('"""') || quoted.startsWith("'''")) {
+        return quoted.slice(3, quoted.length - 3);
+    }
+    if (quoted.startsWith('"') || quoted.startsWith("'")) {
+        return quoted.slice(1, quoted.length - 1);
+    }
+    return quoted;
+}
+//# sourceMappingURL=catalog.js.map

package/dist/model/catalog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.js","sourceRoot":"","sources":["../../src/model/catalog.ts"],"names":[],"mappings":"AAAA,yFAAyF;AACzF,sFAAsF;AACtF,EAAE;AACF,8FAA8F;AAC9F,6FAA6F;AAG7F,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAmClD,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;AAC7F,MAAM,WAAW,GAAwB,IAAI,GAAG,CAAC;IAC/C,KAAK;IACL,MAAM;IACN,KAAK;IACL,OAAO;IACP,QAAQ;IACR,MAAM;IACN,SAAS;IACT,KAAK;CACN,CAAC,CAAC;AAEH,MAAM,UAAU,qBAAqB,CAAC,UAAsB;IAC1D,IAAI,UAAU,CAAC,WAAW,KAAK,IAAI,IAAI,UAAU,CAAC,OAAO,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAC9E,IAAI,UAAU,CAAC,OAAO,KAAK,OAAO;QAAE,OAAO,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACzE,IAAI,UAAU,CAAC,OAAO,KAAK,oBAAoB;QAAE,OAAO,mBAAmB,CAAC,UAAU,CAAC,CAAC;IACxF,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,0CAA0C;AAE1C,SAAS,iBAAiB,CAAC,UAAsB;IAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,OAAe,CAAC;IACvC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC;IACnC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,IAAI,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/F,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IAElE,YAAY,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACpF,IAAI,OAAO,KAAK,IAAI;YAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAExC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,qBAAqB,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;YACvE,IAAI,YAAY,KAAK,IAAI;gBAAE,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,gGAAgG;AAChG,+FAA+F;AAC/F,SAAS,kBAAkB,CACzB,IAAU,EACV,QAAgB,EAChB,OAAgB,EAChB,UAAmB;IAEnB,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;QAAE,OAAO,IAAI,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACjC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAC/C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACxC,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,eAAe,IAAI,MAAM,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACxF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,SAAS,GAAc,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IACnF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9B,OAAO;QACL,SAAS;QACT,iBAAiB,EAAE,IAAI,EAAE,+CAA+C;QACxE,aAAa,EAAE,IAAI;QACnB,YAAY,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QACxC,SAAS,EAAE,QAAQ;QACnB,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC;QAC1B,qBAAqB,EAAE,mBAAmB,CAAC,MAAM,CAAC;QAClD,iBAAiB,EAAE,MAAM;QACzB,oBAAoB,EAAE,MAAM,CAAC,KAAK;QAClC,kBAAkB,EAAE,MAAM,CAAC,GAAG;KAC/B,CAAC;AACJ,CAAC;AAED,2DAA2D;AAC3D,SAAS,qBAAqB,CAAC,IAAU,EAAE,QAAgB;IACzD,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;QAAE,OAAO,IAAI,CAAC;IACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACjC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAE7E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAE3D,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACtB,IAAI,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3D,IAAI,CAAC,KAAK,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAEhC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO;QACL,SAAS,EAAE,SAAS;QACpB,iBAAiB,EAAE,IAAI,EAAE,WAAW;QACpC,aAAa,EAAE,GAAG;QAClB,YAAY,EAAE,MAAM;QACpB,SAAS,EAAE,QAAQ;QACnB,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC;QAC1B,qBAAqB,EAAE,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC;QACzD,iBAAiB,EAAE,KAAK,CAAC,OAAO;QAChC,oBAAoB,EAAE,MAAM,CAAC,KAAK;QAClC,kBAAkB,EAAE,MAAM,CAAC,GAAG;KAC/B,CAAC;AACJ,CAAC;AAUD,SAAS,gBAAgB,CAAC,IAAsB;IAC9C,IAAI,MAAM,GAA0C,IAAI,CAAC;IACzD,IAAI,GAAG,GAAkB,IAAI,CAAC;IAC9B,IAAI,OAAO,GAAsB,IAAI,CAAC;IACtC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;YAAE,SAAS;QAC7C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,OAAO,KAAK,IAAI;YAAE,SAAS;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;YACzB,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;gBACnC,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;YACvB,CAAC;iBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBAC5C,MAAM,GAAG,KAAK,CAAC,QAAQ;qBACpB,MAAM,CACL,CAAC,CAAC,EAAkE,EAAE,CACpE,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,eAAe,CAC3C;qBACA,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe;gBAAE,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC;QACxD,CAAC;aAAM,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YACjC,gGAAgG;YAChG,IACE,KAAK,CAAC,IAAI,KAAK,aAAa;gBAC5B,KAAK,CAAC,IAAI,KAAK,mBAAmB;gBAClC,KAAK,CAAC,IAAI,KAAK,cAAc;gBAC7B,KAAK,CAAC,IAAI,KAAK,eAAe,EAC9B,CAAC;gBACD,OAAO,GAAG,KAAmB,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CACtB,GAA2E;IAE3E,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,GAAG,CAAC,IAAI,CAAC;IAC/C,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC;IACnD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAU;IACnC,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC;IACrD,IACE,IAAI,CAAC,IAAI,KAAK,iBAAiB;QAC/B,IAAI,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EACxB,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC;IAC9C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,2EAA2E;IAC3E,8FAA8F;IAC9F,8DAA8D;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC1F,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAU;IACrC,IAAI,IAAI,CAAC,IAAI,KAAK,oBAAoB,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC,EAAE,EAAE,IAAI,IAAI,IAAI,CAAC;IAC/B,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IACjD,OAAO,IAAI,CAAC,CAAC,8BAA8B;AAC7C,CAAC;AAED,SAAS,UAAU,CAAC,IAAU;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,OAAO;QACL,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;QAC1B,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;QACjC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC;QAC5B,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,IAAU;IACxB,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,eAAe,CACtB,KAA4C;IAE5C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAChD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7E,CAAC;AAED,0BAA0B;AAE1B,SAAS,mBAAmB,CAAC,UAAsB;IACjD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAqC,CAAC;IAC9D,MAAM,GAAG,GAAuB,EAAE,CAAC;IAEnC,+EAA+E;IAC/E,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC;IAC5E,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;QAChE,IAAI,OAAO,KAAK,IAAI;YAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAkB,EAAE,QAAgB;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC;IAC/E,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,iBAAiB,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACxD,MAAM,KAAK,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,SAAS;QAE5E,OAAO;YACL,SAAS,EAAE,OAAO;YAClB,iBAAiB,EAAE,IAAI,EAAE,WAAW;YACpC,aAAa,EAAE,KAAK,CAAC,IAAI;YACzB,YAAY,EAAE,KAAK,CAAC,OAAO;YAC3B,SAAS,EAAE,QAAQ;YACnB,QAAQ,EAAE;gBACR,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;gBAChC,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;gBAClC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,GAAG,CAAC;gBAClC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;aACrC;YACD,qBAAqB,EAAE,KAAK,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,IAAI;YACpE,iBAAiB,EAAE,KAAK;YACxB,oBAAoB,EAAE,KAAK,CAAC,UAAU;YACtC,kBAAkB,EAAE,KAAK,CAAC,QAAQ;SACnC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAOD,SAAS,mBAAmB,CAAC,GAAiB;IAC5C,MAAM,IAAI,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACtF,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACpC,IAAI,EAAE,CAAC,IAAI,KAAK,kBAAkB;YAAE,SAAS;QAC7C,IAAI,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,KAAK,SAAS;YAAE,SAAS;QAC/D,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,CAAC,EAAE,CAAC;IAC9D,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/model/evidence.d.ts

@@ -0,0 +1,18 @@
+import type { SourceLocation } from "../types/finding.js";
+import type { WebhookEvidence } from "../types/handler.js";
+import type { ImportEdge, ParsedFile } from "../types/project-model.js";
+import type { ProviderCatalog } from "../types/rule-set.js";
+import type { CandidateHandler } from "./catalog.js";
+export interface ComputeEvidenceInput {
+    readonly handler: CandidateHandler;
+    readonly parsedFile: ParsedFile;
+    readonly providerCatalog: ProviderCatalog;
+    readonly imports: ReadonlyArray<ImportEdge>;
+}
+export interface ComputeEvidenceOutput {
+    readonly evidence: ReadonlyArray<WebhookEvidence>;
+    readonly provider: string;
+}
+export declare function computeEvidence(input: ComputeEvidenceInput): ComputeEvidenceOutput;
+export declare function locationFromCandidate(handler: CandidateHandler): SourceLocation;
+//# sourceMappingURL=evidence.d.ts.map

package/dist/model/evidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.d.ts","sourceRoot":"","sources":["../../src/model/evidence.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACnC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;CAC7C;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,qBAAqB,CAoHlF;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,gBAAgB,GAAG,cAAc,CAE/E"}

package/dist/model/evidence.js

@@ -0,0 +1,114 @@
+// D-32: every candidate handler is enriched with WebhookEvidence[] derived from the provider
+// catalog. Engine computes evidence; rules query thresholds. Engine never decides "is webhook?" —
+// that's rule-side. Engine assigns provider attribution heuristically (worst case "unknown").
+//
+// Phase 2 split: this function emits 6 of the 7 D-32 signals. The seventh —
+// `sdk_verify_call` — is appended in Plan 06b's build.ts after reachable_symbols is computed.
+export function computeEvidence(input) {
+    const out = [];
+    const handlerLoc = input.handler.location;
+    const handlerText = input.parsedFile.source_text.slice(input.handler.handler_source_start, input.handler.handler_source_end);
+    // Signal A — path_pattern_match (catalog conventional_paths).
+    for (const [providerName, entry] of Object.entries(input.providerCatalog)) {
+        for (const conv of entry.conventional_paths) {
+            if (input.handler.route_pattern.toLowerCase().includes(conv.toLowerCase())) {
+                out.push({
+                    kind: "path_pattern_match",
+                    provider: providerName,
+                    location: handlerLoc,
+                    detail: conv,
+                });
+            }
+        }
+    }
+    // Signal B — sdk_import (catalog sdk_packages).
+    for (const [providerName, entry] of Object.entries(input.providerCatalog)) {
+        for (const pkg of entry.sdk_packages) {
+            if (input.imports.some((i) => i.to_module === pkg)) {
+                out.push({
+                    kind: "sdk_import",
+                    provider: providerName,
+                    location: handlerLoc,
+                    detail: pkg,
+                });
+            }
+        }
+    }
+    // Signal C — secret_env_var_reference (catalog secret_env_prefix). Substring match within the
+    // handler's source range so we count only references in/near this handler.
+    for (const [providerName, entry] of Object.entries(input.providerCatalog)) {
+        for (const env of entry.secret_env_prefix) {
+            if (handlerText.includes(env)) {
+                out.push({
+                    kind: "secret_env_var_reference",
+                    provider: providerName,
+                    location: handlerLoc,
+                    detail: env,
+                });
+            }
+        }
+    }
+    // Signal D — secret_literal_match (catalog secret_literal_prefix). Restricted to handler text.
+    for (const [providerName, entry] of Object.entries(input.providerCatalog)) {
+        for (const prefix of entry.secret_literal_prefix) {
+            if (handlerText.includes(prefix)) {
+                out.push({
+                    kind: "secret_literal_match",
+                    provider: providerName,
+                    location: handlerLoc,
+                    detail: prefix,
+                });
+            }
+        }
+    }
+    // Signal E — signature_header_read (catalog signature_header). Substring match on handler text.
+    for (const [providerName, entry] of Object.entries(input.providerCatalog)) {
+        for (const header of entry.signature_header) {
+            if (handlerText.toLowerCase().includes(header.toLowerCase())) {
+                out.push({
+                    kind: "signature_header_read",
+                    provider: providerName,
+                    location: handlerLoc,
+                    detail: header,
+                });
+            }
+        }
+    }
+    // Signal F — body_as_bytes_or_buffer. Heuristic token search inside the handler.
+    if (/(Buffer|Uint8Array|\braw\b|\bbytes\b|c\.req\.raw|request\.get_data\(\)|request\.body)/i.test(handlerText)) {
+        out.push({
+            kind: "body_as_bytes_or_buffer",
+            provider: "unknown",
+            location: handlerLoc,
+            detail: "heuristic",
+        });
+    }
+    // Signal G — sdk_verify_call: NOT EMITTED HERE. Plan 06b's build.ts appends it after computing
+    // reachable_symbols, by cross-checking against catalog.providers[*].sdk_verify_calls.
+    // Provider attribution — most-cited provider wins; ties → "multiple"; zero → "unknown".
+    const counts = new Map();
+    for (const e of out) {
+        if (e.provider === "unknown")
+            continue;
+        counts.set(e.provider, (counts.get(e.provider) ?? 0) + 1);
+    }
+    let topProvider = "unknown";
+    let topCount = 0;
+    let tied = false;
+    for (const [p, c] of counts) {
+        if (c > topCount) {
+            topProvider = p;
+            topCount = c;
+            tied = false;
+        }
+        else if (c === topCount && c > 0) {
+            tied = true;
+        }
+    }
+    const provider = tied ? "multiple" : topProvider;
+    return { evidence: out, provider };
+}
+export function locationFromCandidate(handler) {
+    return handler.location;
+}
+//# sourceMappingURL=evidence.js.map

package/dist/model/evidence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.js","sourceRoot":"","sources":["../../src/model/evidence.ts"],"names":[],"mappings":"AAAA,6FAA6F;AAC7F,kGAAkG;AAClG,8FAA8F;AAC9F,EAAE;AACF,4EAA4E;AAC5E,8FAA8F;AAoB9F,MAAM,UAAU,eAAe,CAAC,KAA2B;IACzD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC1C,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,KAAK,CACpD,KAAK,CAAC,OAAO,CAAC,oBAAoB,EAClC,KAAK,CAAC,OAAO,CAAC,kBAAkB,CACjC,CAAC;IAEF,8DAA8D;IAC9D,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1E,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,kBAAkB,EAAE,CAAC;YAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC3E,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,IAAI;iBACb,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1E,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACrC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC,EAAE,CAAC;gBACnD,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,8FAA8F;IAC9F,2EAA2E;IAC3E,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1E,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC1C,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,0BAA0B;oBAChC,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,+FAA+F;IAC/F,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1E,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;YACjD,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gGAAgG;IAChG,KAAK,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1E,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;YAC5C,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC7D,GAAG,CAAC,IAAI,CAAC;oBACP,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IACE,wFAAwF,CAAC,IAAI,CAC3F,WAAW,CACZ,EACD,CAAC;QACD,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,yBAAyB;YAC/B,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;IACL,CAAC;IAED,+FAA+F;IAC/F,sFAAsF;IAEtF,wFAAwF;IACxF,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;QACpB,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS;YAAE,SAAS;QACvC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,QAAQ,EAAE,CAAC;YACjB,WAAW,GAAG,CAAC,CAAC;YAChB,QAAQ,GAAG,CAAC,CAAC;YACb,IAAI,GAAG,KAAK,CAAC;QACf,CAAC;aAAM,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,IAAI,GAAG,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;IACjD,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAyB;IAC7D,OAAO,OAAO,CAAC,QAAQ,CAAC;AAC1B,CAAC"}