@kernlang/review 3.1.9 → 3.3.4

package/dist/taint.js

@@ -14,7 +14,7 @@ export { analyzeTaintRegex, buildPaths, classifyParams, detectSanitizers, extrac
 // ── Finding Generation ──────────────────────────────────────────────────
 export { crossFileTaintToFindings, taintToFindings } from './taint-findings.js';
 // ── Cross-File Analysis ─────────────────────────────────────────────────
-export { analyzeTaintCrossFile, buildExportMap, buildImportMap } from './taint-crossfile.js';
+export { analyzeTaintCrossFile, buildExportMap, buildExportMapFromGraph, buildImportAliasMap, buildImportMap, buildImportMapFromGraph, } from './taint-crossfile.js';
 // ── Main Entry Point ────────────────────────────────────────────────────
 /**
  * Run taint analysis on all fn nodes in inferred results.

package/dist/taint.js.map

@@ -1 +1 @@
-{"version":3,"file":"taint.js","sourceRoot":"","sources":["../src/taint.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAiBrD,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,2EAA2E;AAE3E,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEvE,2EAA2E;AAE3E,OAAO,EACL,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,cAAc,EACd,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,2EAA2E;AAE3E,OAAO,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEhF,2EAA2E;AAE3E,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE7F,2EAA2E;AAE3E;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,QAAuB,EAAE,QAAgB,EAAE,UAAuB;IAC7F,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC"}
+{"version":3,"file":"taint.js","sourceRoot":"","sources":["../src/taint.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAiBrD,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,2EAA2E;AAE3E,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEvE,2EAA2E;AAE3E,OAAO,EACL,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,cAAc,EACd,sBAAsB,GACvB,MAAM,kBAAkB,CAAC;AAE1B,2EAA2E;AAE3E,OAAO,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEhF,2EAA2E;AAE3E,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAE9B,2EAA2E;AAE3E;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,QAAuB,EAAE,QAAgB,EAAE,UAAuB;IAC7F,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC"}

package/dist/types.d.ts

@@ -32,6 +32,24 @@ export interface FixAction {
     replacement: string;
     description: string;
 }
+/** Single hop in an evidence chain — where a finding came from */
+export interface ProvenanceStep {
+    /** What this step represents — source, sanitizer, boundary, sink, etc. */
+    kind: 'source' | 'sanitizer' | 'boundary' | 'sink' | 'import' | 'call';
+    /** File + location of this step */
+    location: SourceSpan;
+    /** Short human-readable label (e.g., "req.body", "fetch(url)", "use client") */
+    label: string;
+    /** Optional longer explanation rendered in the "why this fired" tooltip */
+    detail?: string;
+}
+/** Evidence chain: ordered steps from root cause to the reported sink */
+export interface ProvenanceChain {
+    /** Ordered steps from source → sink */
+    steps: ProvenanceStep[];
+    /** Optional one-line summary shown before expanding the chain */
+    summary?: string;
+}
 /** Unified finding from any review layer */
 export interface ReviewFinding {
     /** Which layer produced this finding */
@@ -62,6 +80,8 @@ export interface ReviewFinding {
     origin?: 'changed' | 'upstream';
     /** Distance from nearest entry file (0 = entry, 1 = direct import, etc.) */
     distance?: number;
+    /** Evidence chain explaining WHY the finding fired (taint path, boundary walk, etc.) */
+    provenance?: ProvenanceChain;
 }
 /** Confidence level for an inference match */
 export type Confidence = 'high' | 'medium' | 'low';
@@ -111,6 +131,42 @@ export interface TemplateMatch {
     /** Original TS tokens covered by this match */
     tsTokens?: number;
 }
+/**
+ * Which analysis subsystem an entry concerns. Kept stable — reporters and downstream
+ * consumers pattern-match on these strings.
+ */
+export type ReviewHealthSubsystem = 'eslint' | 'tsc' | 'call-graph' | 'fs-project' | 'rule-loader' | 'concept-extraction';
+/**
+ * What happened to a subsystem during the review.
+ *   skipped — subsystem was not available and was cleanly skipped (e.g. optional peer dep missing)
+ *   fallback — subsystem partially ran but had to degrade (e.g. fs project fell back to in-memory)
+ *   error — subsystem failed outright; its findings are missing from this report
+ */
+export type ReviewHealthKind = 'skipped' | 'fallback' | 'error';
+/** A single note about a subsystem that didn't run at full fidelity. */
+export interface ReviewHealthEntry {
+    subsystem: ReviewHealthSubsystem;
+    kind: ReviewHealthKind;
+    /** Human-readable note — rendered in the report header */
+    message: string;
+    /** Error detail; only populated when KERN_DEBUG is set or the caller opts in */
+    detail?: string;
+}
+/**
+ * Aggregate subsystem status for a review. Present only when something degraded analysis —
+ * a clean run leaves this undefined so consumers that check for its presence can treat
+ * "no health field" as "all subsystems ran clean." Does NOT affect CI exit codes: `status`
+ * is observability, not gatekeeping.
+ */
+export interface ReviewHealth {
+    /**
+     *   ok — all subsystems ran clean (this case is normally represented by omitting the field entirely)
+     *   degraded — one or more subsystems fell back or were skipped; findings are still trustworthy within scope
+     *   partial — one or more subsystems failed outright; findings may be incomplete
+     */
+    status: 'ok' | 'degraded' | 'partial';
+    entries: ReviewHealthEntry[];
+}
 /** Full review report for a single file */
 export interface ReviewReport {
     /** File path that was reviewed */
@@ -121,6 +177,8 @@ export interface ReviewReport {
     templateMatches: TemplateMatch[];
     /** All findings from every review layer (unified) */
     findings: ReviewFinding[];
+    /** Findings removed by inline/config suppression, preserved for SARIF and audit output */
+    suppressedFindings?: ReviewFinding[];
     /** Summary stats */
     stats: ReviewStats;
     /** Cross-file taint results (present when graph-aware review detects cross-module taint) */
@@ -133,6 +191,13 @@ export interface ReviewReport {
     obligations?: import('./obligations.js').ProofObligation[];
     /** Semantic changes between old and new versions (present in --diff mode) */
     semanticChanges?: import('./semantic-diff.js').SemanticChange[];
+    /** True when the reviewed file is codegen output (path matches /generated/ | /__generated__/ or has @generated header). */
+    generated?: boolean;
+    /**
+     * Subsystem status — present only when something degraded analysis. Does NOT count
+     * toward findings-based CI gates; reporters surface it as a banner. See ReviewHealth.
+     */
+    health?: ReviewHealth;
 }
 /** Summary statistics for a review */
 export interface ReviewStats {
@@ -187,6 +252,8 @@ export interface ReviewConfig {
     enforceTemplates?: boolean;
     /** Maximum cognitive complexity allowed (default: 15) */
     maxComplexity?: number;
+    /** Maximum handler-body line count before handler-size fires (default: 30) */
+    maxHandlerLines?: number;
     /** Maximum errors allowed in CI (default: 0) */
     maxErrors?: number;
     /** Maximum warnings allowed in CI (default: undefined - no limit) */
@@ -211,6 +278,19 @@ export interface ReviewConfig {
     noCache?: boolean;
     /** Pre-computed file context map from import graph (populated by reviewGraph) */
     fileContextMap?: Map<string, FileContext>;
+    /** Pre-computed file graph map from import graph (populated by reviewGraph) */
+    graphFileMap?: Map<string, GraphFile>;
+    /** Path to host project's tsconfig.json — loaded into the ts-morph Project so jsx/paths/lib/allowJs match the real build. */
+    tsConfigFilePath?: string;
+    /** Override what dead-export treats as intentional public API. */
+    publicApi?: {
+        /** Absolute or projectRoot-relative paths whose exports are all public. */
+        files?: string[];
+        /** Per-symbol overrides in `path#name` form. */
+        symbols?: string[];
+        /** Root for resolving relative `files`/`symbols`. Defaults to process.cwd(). */
+        projectRoot?: string;
+    };
 }
 /** Runtime boundary determined by position in the import tree */
 export type RuntimeBoundary = 'server' | 'client' | 'api' | 'middleware' | 'shared' | 'unknown';
@@ -249,12 +329,27 @@ export interface RuleContext {
 }
 /** A review rule function */
 export type ReviewRule = (ctx: RuleContext) => ReviewFinding[];
+export type GraphEdgeKind = 'side-effect-import' | 'default-import' | 'named-import' | 'namespace-import' | 'named-reexport' | 'export-all';
+export interface GraphEdge {
+    from: string;
+    to: string;
+    specifier: string;
+    kind: GraphEdgeKind;
+    /** Exported symbol name, when known. */
+    importedName?: string;
+    /** Local bound name in the importing file, when applicable. */
+    localName?: string;
+    /** How the module resolution succeeded. */
+    via: 'ts-morph' | 'extension-fallback';
+}
 /** A file node in the import graph */
 export interface GraphFile {
     path: string;
     distance: number;
     imports: string[];
     importedBy: string[];
+    importEdges: GraphEdge[];
+    incomingEdges: GraphEdge[];
 }
 /** Result of resolving the import graph */
 export interface GraphResult {
@@ -262,6 +357,9 @@ export interface GraphResult {
     entryFiles: string[];
     totalFiles: number;
     skipped: number;
+    /** ts-morph Project used to resolve the graph. Exposed so downstream
+     *  analyses (call graph, cross-file taint) can reuse it without re-parsing. */
+    project?: import('ts-morph').Project;
 }
 /** Options for resolveImportGraph */
 export interface GraphOptions {

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA8SH,4EAA4E;AAE5E;sEACsE;AACtE,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,SAAiB,EAAE,QAAgB;IACnF,OAAO,GAAG,MAAM,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;AAC9C,CAAC"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAsaH,4EAA4E;AAE5E;sEACsE;AACtE,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,SAAiB,EAAE,QAAgB;IACnF,OAAO,GAAG,MAAM,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;AAC9C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kernlang/review",
-  "version": "3.1.9",
+  "version": "3.3.4",
   "description": "Kern Review — scan TS, infer .kern IR, roundtrip diff, report",
   "type": "module",
   "main": "./dist/index.js",
@@ -25,8 +25,8 @@
   ],
   "license": "AGPL-3.0",
   "dependencies": {
-    "ts-morph": "^27.0.0",
-    "@kernlang/core": "3.1.9"
+    "ts-morph": "^28.0.0",
+    "@kernlang/core": "3.3.4"
   },
   "scripts": {
     "build": "tsc -b",