@kernlang/review 3.3.5 → 3.3.6

package/dist/concept-rules/auth-drift.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Rule: auth-drift
+ *
+ * Cross-stack rule — fires when a frontend network call targets a server
+ * route file that declares an auth guard (FastAPI `Depends(get_current_user)`,
+ * Flask `@login_required`, early-return `if (!req.user)` Express patterns),
+ * but the client call sends no Authorization header.
+ *
+ * Real-bug classes:
+ *   - Protected endpoint called from a public page or before login finished.
+ *   - Frontend forgot to add the Bearer token after a refactor that moved
+ *     auth out of a wrapper.
+ *   - Endpoint was auth-gated late in the PR but the client still fires
+ *     unauthenticated.
+ *
+ * v1 scope:
+ *   - Only fires on raw `fetch(...)`. Wrapped clients typically inject auth
+ *     inside the wrapper; the TS mapper already reports
+ *     `hasAuthHeader: undefined` for them.
+ *   - Auth guard is "present" when any guard concept of subtype 'auth' lives
+ *     in the same file as a matching server route. File granularity is
+ *     coarse on purpose — FastAPI's idiomatic `APIRouter(dependencies=[...])`
+ *     puts the guard on the router, not each handler.
+ *
+ * Confidence: `CROSS_STACK_EXACT_CONFIDENCE` (0.9). Graph mode only.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function authDrift(ctx: ConceptRuleContext): ReviewFinding[];

package/dist/concept-rules/auth-drift.js

@@ -0,0 +1,127 @@
+/**
+ * Rule: auth-drift
+ *
+ * Cross-stack rule — fires when a frontend network call targets a server
+ * route file that declares an auth guard (FastAPI `Depends(get_current_user)`,
+ * Flask `@login_required`, early-return `if (!req.user)` Express patterns),
+ * but the client call sends no Authorization header.
+ *
+ * Real-bug classes:
+ *   - Protected endpoint called from a public page or before login finished.
+ *   - Frontend forgot to add the Bearer token after a refactor that moved
+ *     auth out of a wrapper.
+ *   - Endpoint was auth-gated late in the PR but the client still fires
+ *     unauthenticated.
+ *
+ * v1 scope:
+ *   - Only fires on raw `fetch(...)`. Wrapped clients typically inject auth
+ *     inside the wrapper; the TS mapper already reports
+ *     `hasAuthHeader: undefined` for them.
+ *   - Auth guard is "present" when any guard concept of subtype 'auth' lives
+ *     in the same file as a matching server route. File granularity is
+ *     coarse on purpose — FastAPI's idiomatic `APIRouter(dependencies=[...])`
+ *     puts the guard on the router, not each handler.
+ *
+ * Confidence: `CROSS_STACK_EXACT_CONFIDENCE` (0.9). Graph mode only.
+ */
+import { createFingerprint } from '../types.js';
+import { API_PATH_RE, CROSS_STACK_EXACT_CONFIDENCE, collectRoutesAcrossGraph, findMatchingRoute, normalizeClientUrl, } from './cross-stack-utils.js';
+export function authDrift(ctx) {
+    if (!ctx.allConcepts || ctx.allConcepts.size === 0)
+        return [];
+    const serverRoutes = collectRoutesAcrossGraph(ctx.allConcepts);
+    if (serverRoutes.length === 0)
+        return [];
+    // Map each file to the set of containerIds that have an auth guard AND
+    // record which files have BOTH guarded and unguarded routes ("mixed").
+    // Codex review flagged that file-level presence was too coarse: a file
+    // with `/api/me` (guarded) + `/api/public` (not) would false-positive on
+    // the public endpoint. The fix: only fire when we can prove the SPECIFIC
+    // route is guarded (matching containerId), OR when every route in the
+    // file shares the file's guard scope. Mixed files stay silent.
+    const authGuardContainers = collectAuthGuardContainers(ctx.allConcepts);
+    if (authGuardContainers.size === 0)
+        return [];
+    const findings = [];
+    for (const [, conceptMap] of ctx.allConcepts) {
+        for (const node of conceptMap.nodes) {
+            if (node.kind !== 'effect' || node.payload.kind !== 'effect' || node.payload.subtype !== 'network')
+                continue;
+            if (node.primarySpan.file !== ctx.filePath)
+                continue;
+            // Must be explicitly `false`. `undefined` = mapper couldn't tell; stay silent.
+            if (node.payload.hasAuthHeader !== false)
+                continue;
+            const target = node.payload.target;
+            if (typeof target !== 'string')
+                continue;
+            const normalized = normalizeClientUrl(target);
+            if (!normalized || !API_PATH_RE.test(normalized))
+                continue;
+            const route = findMatchingRoute(normalized, serverRoutes);
+            if (!route?.node)
+                continue;
+            const serverFile = route.node.primarySpan.file;
+            const fileGuards = authGuardContainers.get(serverFile);
+            if (!fileGuards)
+                continue;
+            // Proof that this specific route is guarded:
+            //  (a) the route's containerId matches an auth-guard containerId
+            //      (FastAPI pattern: `@router.get` + `Depends(...)` share the
+            //      function body), OR
+            //  (b) the file contains exactly one route (Express pattern: guard
+            //      is inside the handler callback, not the app.get call, so
+            //      containers differ but there's no ambiguity about which route
+            //      the guard protects).
+            // Mixed multi-route files with no container match fall through to
+            // silent — Codex review called out this false-positive class.
+            const routeContainer = route.node.containerId;
+            const routeIsGuardedByContainer = routeContainer !== undefined && fileGuards.routeContainers.has(routeContainer);
+            const routeIsGuardedBySingleRouteFile = fileGuards.totalRoutesInFile === 1;
+            if (!routeIsGuardedByContainer && !routeIsGuardedBySingleRouteFile)
+                continue;
+            findings.push({
+                source: 'kern',
+                ruleId: 'auth-drift',
+                severity: 'warning',
+                category: 'bug',
+                message: `Frontend calls \`${target}\` without an Authorization header, but the server route requires authentication (guard declared in ${shortPath(serverFile)}). Add the Authorization header or change the server guard.`,
+                primarySpan: node.primarySpan,
+                fingerprint: createFingerprint('auth-drift', node.primarySpan.startLine, node.primarySpan.startCol),
+                confidence: node.confidence * CROSS_STACK_EXACT_CONFIDENCE,
+            });
+        }
+    }
+    return findings;
+}
+function collectAuthGuardContainers(allConcepts) {
+    const result = new Map();
+    for (const [filePath, map] of allConcepts) {
+        const routeContainers = new Set();
+        let routeCount = 0;
+        for (const node of map.nodes) {
+            if (node.kind === 'entrypoint' && node.payload.kind === 'entrypoint' && node.payload.subtype === 'route') {
+                routeCount++;
+                continue;
+            }
+            if (node.kind !== 'guard' || node.payload.kind !== 'guard')
+                continue;
+            if (node.payload.subtype !== 'auth')
+                continue;
+            // The guard's containerId is the scope that enforces auth. Routes
+            // sharing that containerId (same function body) are considered
+            // guarded.
+            if (node.containerId !== undefined)
+                routeContainers.add(node.containerId);
+        }
+        if (routeContainers.size > 0) {
+            result.set(filePath, { routeContainers, totalRoutesInFile: routeCount });
+        }
+    }
+    return result;
+}
+function shortPath(filePath) {
+    const parts = filePath.split('/');
+    return parts.slice(-2).join('/');
+}
+//# sourceMappingURL=auth-drift.js.map

package/dist/concept-rules/auth-drift.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-drift.js","sourceRoot":"","sources":["../../src/concept-rules/auth-drift.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,WAAW,EACX,4BAA4B,EAC5B,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAGhC,MAAM,UAAU,SAAS,CAAC,GAAuB;IAC/C,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,uEAAuE;IACvE,uEAAuE;IACvE,uEAAuE;IACvE,yEAAyE;IACzE,yEAAyE;IACzE,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACxE,IAAI,mBAAmB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9C,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC7G,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ;gBAAE,SAAS;YACrD,+EAA+E;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,KAAK,KAAK;gBAAE,SAAS;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAAE,SAAS;YAE3D,MAAM,KAAK,GAAG,iBAAiB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;YAC1D,IAAI,CAAC,KAAK,EAAE,IAAI;gBAAE,SAAS;YAE3B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;YAC/C,MAAM,UAAU,GAAG,mBAAmB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,6CAA6C;YAC7C,iEAAiE;YACjE,kEAAkE;YAClE,0BAA0B;YAC1B,mEAAmE;YACnE,gEAAgE;YAChE,oEAAoE;YACpE,4BAA4B;YAC5B,kEAAkE;YAClE,8DAA8D;YAC9D,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;YAC9C,MAAM,yBAAyB,GAAG,cAAc,KAAK,SAAS,IAAI,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YACjH,MAAM,+BAA+B,GAAG,UAAU,CAAC,iBAAiB,KAAK,CAAC,CAAC;YAC3E,IAAI,CAAC,yBAAyB,IAAI,CAAC,+BAA+B;gBAAE,SAAS;YAE7E,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,oBAAoB,MAAM,uGAAuG,SAAS,CAAC,UAAU,CAAC,6DAA6D;gBAC5N,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,WAAW,EAAE,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;gBACnG,UAAU,EAAE,IAAI,CAAC,UAAU,GAAG,4BAA4B;aAC3D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AASD,SAAS,0BAA0B,CAAC,WAA4C;IAC9E,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC/C,KAAK,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC1C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBACzG,UAAU,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACrE,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,MAAM;gBAAE,SAAS;YAC9C,kEAAkE;YAClE,+DAA+D;YAC/D,WAAW;YACX,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;gBAAE,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB;IACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC"}

package/dist/concept-rules/contract-drift.js

@@ -17,15 +17,14 @@
  * review silently returns no findings (can't correlate from one file).
  */
 import { createFingerprint } from '../types.js';
-import { API_PATH_RE, CROSS_STACK_HEURISTIC_CONFIDENCE, collectRoutes, hasMatchingRoute, normalizeClientUrl, } from './cross-stack-utils.js';
+import { API_PATH_RE, CROSS_STACK_HEURISTIC_CONFIDENCE, collectRoutesAcrossGraph, hasMatchingRoute, normalizeClientUrl, } from './cross-stack-utils.js';
 export function contractDrift(ctx) {
     // Graph mode only — URL correlation is useless within a single file.
     if (!ctx.allConcepts || ctx.allConcepts.size === 0)
         return [];
-    const serverRoutes = [];
+    const serverRoutes = collectRoutesAcrossGraph(ctx.allConcepts);
     const clientCalls = [];
     for (const [, conceptMap] of ctx.allConcepts) {
-        collectRoutes(conceptMap, serverRoutes);
         for (const node of conceptMap.nodes) {
             if (node.kind !== 'effect' || node.payload.kind !== 'effect' || node.payload.subtype !== 'network')
                 continue;

package/dist/concept-rules/contract-drift.js.map

@@ -1 +1 @@
-{"version":3,"file":"contract-drift.js","sourceRoot":"","sources":["../../src/concept-rules/contract-drift.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,WAAW,EACX,gCAAgC,EAChC,aAAa,EACb,gBAAgB,EAChB,kBAAkB,GAEnB,MAAM,wBAAwB,CAAC;AAShC,MAAM,UAAU,aAAa,CAAC,GAAuB;IACnD,qEAAqE;IACrE,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,aAAa,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC7G,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAAE,SAAS;YAC3D,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,0EAA0E;IAC1E,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,wEAAwE;QACxE,4CAA4C;QAC5C,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ;YAAE,SAAS;QAC1D,IAAI,gBAAgB,CAAC,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC;YAAE,SAAS;QAElE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,oBAAoB,IAAI,CAAC,MAAM,2KAA2K;YACnN,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,WAAW,EAAE,iBAAiB,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YACjH,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,gCAAgC;SACpE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"contract-drift.js","sourceRoot":"","sources":["../../src/concept-rules/contract-drift.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,WAAW,EACX,gCAAgC,EAChC,wBAAwB,EACxB,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAShC,MAAM,UAAU,aAAa,CAAC,GAAuB;IACnD,qEAAqE;IACrE,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC7G,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAAE,SAAS;YAC3D,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,0EAA0E;IAC1E,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,wEAAwE;QACxE,4CAA4C;QAC5C,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ;YAAE,SAAS;QAC1D,IAAI,gBAAgB,CAAC,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC;YAAE,SAAS;QAElE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,oBAAoB,IAAI,CAAC,MAAM,2KAA2K;YACnN,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,WAAW,EAAE,iBAAiB,CAAC,gBAAgB,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YACjH,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,gCAAgC;SACpE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/concept-rules/contract-method-drift.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Rule: contract-method-drift
+ *
+ * Cross-stack rule — fires when a frontend network call targets an API path
+ * the server DOES define, but only for different HTTP methods. Sibling to
+ * `contract-drift`:
+ *   - contract-drift        : "no server route exists at this path"
+ *   - contract-method-drift : "server routes exist at this path, just not
+ *                             for your verb"
+ *
+ * Keeping them separate matters: the messages and fixes differ (rename the
+ * client URL vs. change the verb), the fingerprints can't collide on the
+ * same line, and the existing contract-drift `continue` gate stays intact.
+ *
+ * Confidence multiplier: `CROSS_STACK_EXACT_CONFIDENCE` (0.9) — once the path
+ * matches, a method mismatch is unambiguous.
+ *
+ * Requires graph mode; silent in single-file review.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function contractMethodDrift(ctx: ConceptRuleContext): ReviewFinding[];

package/dist/concept-rules/contract-method-drift.js

@@ -0,0 +1,105 @@
+/**
+ * Rule: contract-method-drift
+ *
+ * Cross-stack rule — fires when a frontend network call targets an API path
+ * the server DOES define, but only for different HTTP methods. Sibling to
+ * `contract-drift`:
+ *   - contract-drift        : "no server route exists at this path"
+ *   - contract-method-drift : "server routes exist at this path, just not
+ *                             for your verb"
+ *
+ * Keeping them separate matters: the messages and fixes differ (rename the
+ * client URL vs. change the verb), the fingerprints can't collide on the
+ * same line, and the existing contract-drift `continue` gate stays intact.
+ *
+ * Confidence multiplier: `CROSS_STACK_EXACT_CONFIDENCE` (0.9) — once the path
+ * matches, a method mismatch is unambiguous.
+ *
+ * Requires graph mode; silent in single-file review.
+ */
+import { createFingerprint } from '../types.js';
+import { API_PATH_RE, CROSS_STACK_EXACT_CONFIDENCE, collectRoutesAcrossGraph, findRoutesAtPath, normalizeClientUrl, } from './cross-stack-utils.js';
+// Verbs the TS/Python mappers emit for handlers that intentionally accept any
+// method (Express `app.all()` emits `ALL`; `app.use()` emits `undefined`).
+const WILDCARD_METHODS = new Set(['ALL', 'ANY']);
+export function contractMethodDrift(ctx) {
+    if (!ctx.allConcepts || ctx.allConcepts.size === 0)
+        return [];
+    const serverRoutes = collectRoutesAcrossGraph(ctx.allConcepts);
+    if (serverRoutes.length === 0)
+        return [];
+    const clientCalls = [];
+    for (const [, conceptMap] of ctx.allConcepts) {
+        for (const node of conceptMap.nodes) {
+            if (node.kind !== 'effect' || node.payload.kind !== 'effect' || node.payload.subtype !== 'network')
+                continue;
+            const target = node.payload.target;
+            const method = node.payload.method;
+            if (typeof target !== 'string' || typeof method !== 'string')
+                continue;
+            const normalized = normalizeClientUrl(target);
+            if (!normalized || !API_PATH_RE.test(normalized))
+                continue;
+            clientCalls.push({ target, normalizedPath: normalized, method, node });
+        }
+    }
+    if (clientCalls.length === 0)
+        return [];
+    const findings = [];
+    for (const call of clientCalls) {
+        if (call.node.primarySpan.file !== ctx.filePath)
+            continue;
+        const routesAtPath = findRoutesAtPath(call.normalizedPath, serverRoutes);
+        if (routesAtPath.length === 0)
+            continue;
+        const hasMethodMatch = routesAtPath.some((r) => methodMatches(r.method, call.method));
+        if (hasMethodMatch)
+            continue;
+        const serverMethods = collectKnownMethods(routesAtPath);
+        if (serverMethods.length === 0)
+            continue;
+        const methodList = serverMethods.join(', ');
+        const hint = serverMethods.length === 1 ? ` Did you mean \`${serverMethods[0]} ${call.target}\`?` : '';
+        findings.push({
+            source: 'kern',
+            ruleId: 'contract-method-drift',
+            severity: 'warning',
+            category: 'bug',
+            message: `Frontend calls \`${call.method} ${call.target}\` but the server only defines [${methodList}] for this path.${hint}`,
+            primarySpan: call.node.primarySpan,
+            fingerprint: createFingerprint('contract-method-drift', call.node.primarySpan.startLine, call.node.primarySpan.startCol),
+            confidence: call.node.confidence * CROSS_STACK_EXACT_CONFIDENCE,
+        });
+    }
+    return findings;
+}
+function methodMatches(routeMethod, clientMethod) {
+    if (!routeMethod)
+        return true;
+    const r = routeMethod.toUpperCase();
+    if (WILDCARD_METHODS.has(r))
+        return true;
+    const c = clientMethod.toUpperCase();
+    if (r === c)
+        return true;
+    // Express and Starlette/FastAPI both auto-respond to HEAD on GET routes
+    // (returning headers, no body). Firing method-drift on `HEAD /api/x`
+    // against `app.get('/api/x')` is a false positive — the server DOES
+    // satisfy the request. Codex review called this out.
+    if (c === 'HEAD' && r === 'GET')
+        return true;
+    return false;
+}
+function collectKnownMethods(routes) {
+    const set = new Set();
+    for (const r of routes) {
+        if (!r.method)
+            continue;
+        const m = r.method.toUpperCase();
+        if (WILDCARD_METHODS.has(m))
+            continue;
+        set.add(m);
+    }
+    return Array.from(set).sort();
+}
+//# sourceMappingURL=contract-method-drift.js.map

package/dist/concept-rules/contract-method-drift.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contract-method-drift.js","sourceRoot":"","sources":["../../src/concept-rules/contract-method-drift.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,WAAW,EACX,4BAA4B,EAC5B,wBAAwB,EACxB,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAUhC,8EAA8E;AAC9E,2EAA2E;AAC3E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEjD,MAAM,UAAU,mBAAmB,CAAC,GAAuB;IACzD,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC7G,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACvE,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAAE,SAAS;YAC3D,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ;YAAE,SAAS;QAC1D,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QACzE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACxC,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACtF,IAAI,cAAc;YAAE,SAAS;QAE7B,MAAM,aAAa,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEzC,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,mBAAmB,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACvG,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,uBAAuB;YAC/B,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,oBAAoB,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,mCAAmC,UAAU,mBAAmB,IAAI,EAAE;YAC7H,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,WAAW,EAAE,iBAAiB,CAC5B,uBAAuB,EACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,EAC/B,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAC/B;YACD,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,4BAA4B;SAChE,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,aAAa,CAAC,WAA+B,EAAE,YAAoB;IAC1E,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,CAAC,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,CAAC,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,wEAAwE;IACxE,qEAAqE;IACrE,oEAAoE;IACpE,qDAAqD;IACrD,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAiD;IAC5E,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,SAAS;QACxB,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACjC,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QACtC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AAChC,CAAC"}

package/dist/concept-rules/cross-stack-utils.d.ts

@@ -17,6 +17,14 @@ import type { ConceptMap, ConceptNode } from '@kernlang/core';
  * untyped-api-response can bump its own multiplier).
  */
 export declare const CROSS_STACK_HEURISTIC_CONFIDENCE = 0.7;
+/**
+ * Multiplier for rules where the correlation is unambiguous: the path matches
+ * exactly AND a second dimension (HTTP method, auth header, …) disagrees.
+ * `contract-method-drift`, `duplicate-route`, and `auth-drift` use this —
+ * once the path matches, a verb mismatch, duplicate declaration, or missing
+ * Authorization header is a real bug, not a heuristic.
+ */
+export declare const CROSS_STACK_EXACT_CONFIDENCE = 0.9;
 /** Client URLs we consider "internal" to the reviewed project. */
 export declare const API_PATH_RE: RegExp;
 export interface ServerRoute {
@@ -25,11 +33,41 @@ export interface ServerRoute {
     /** Present when the caller needs to cite the server route in a finding. */
     node?: ConceptNode;
 }
+export declare function hasFastApiEvidence(map: ConceptMap): boolean;
+export declare function isFastApiRouteMissingResponseModel(node: ConceptNode, map?: ConceptMap): boolean;
 /**
  * Pull every server-side route out of a concept map. Callers typically fold
  * this across `ctx.allConcepts` to collect routes for the whole project.
+ *
+ * Per-file use (legacy signature): just emits the decorator path as-is.
+ *
+ * Cross-project use (preferred): call `collectRoutesAcrossGraph` instead,
+ * which joins route-mount concepts (FastAPI `app.include_router(prefix=…)`)
+ * with the per-file route decorators so `@router.get("/current")` mounted
+ * under `prefix="/api/nutrition-goals"` surfaces as `/api/nutrition-goals/current`.
+ * Without that join the wedge rules silently find nothing on every FastAPI
+ * app that follows the standard APIRouter pattern.
  */
 export declare function collectRoutes(map: ConceptMap, routes: ServerRoute[]): void;
+/**
+ * Graph-wide route collection with FastAPI router-prefix expansion.
+ *
+ * Walks every concept map twice:
+ *   1. Collect `route-mount` concepts (FastAPI `app.include_router(<router>,
+ *      prefix=…)` calls). Each mount carries `prefix`, `routerName`, and —
+ *      when the router was imported from another module — `sourceModule`
+ *      like `app.api.nutrition_goals`.
+ *   2. For each per-file `route` concept, look up a matching mount by
+ *      `sourceModule` ↔ file path suffix (Python `app.api.nutrition_goals`
+ *      resolves to any file path ending in `app/api/nutrition_goals.py`),
+ *      falling back to a project-wide `routerName` match when the mount
+ *      is in the same file as the routes.
+ *
+ * Per-file routes with no mount are still emitted with their declared path
+ * — Flask / Express routes and FastAPI apps that decorate directly on
+ * `@app.get(...)` already carry the full path.
+ */
+export declare function collectRoutesAcrossGraph(allConcepts: ReadonlyMap<string, ConceptMap>): ServerRoute[];
 /**
  * Strip scheme/host, query string, and fragment from a client URL so it can
  * match against a server route template. Returns undefined when the input
@@ -48,3 +86,11 @@ export declare function normalizeClientUrl(raw: string): string | undefined;
 export declare function findMatchingRoute(clientPath: string, routes: readonly ServerRoute[]): ServerRoute | undefined;
 /** Boolean-returning thin wrapper preserved for callers that just need a yes/no. */
 export declare function hasMatchingRoute(clientPath: string, routes: readonly ServerRoute[]): boolean;
+/**
+ * Return every server route whose path template matches the client path,
+ * regardless of HTTP method. Used by `contract-method-drift` and
+ * `orphan-route` to distinguish "no server exists here" (contract-drift
+ * territory) from "server exists but only responds to a different verb /
+ * no one calls it" (method-drift / orphan-route territory).
+ */
+export declare function findRoutesAtPath(clientPath: string, routes: readonly ServerRoute[]): ServerRoute[];

package/dist/concept-rules/cross-stack-utils.js

@@ -16,11 +16,48 @@
  * untyped-api-response can bump its own multiplier).
  */
 export const CROSS_STACK_HEURISTIC_CONFIDENCE = 0.7;
+/**
+ * Multiplier for rules where the correlation is unambiguous: the path matches
+ * exactly AND a second dimension (HTTP method, auth header, …) disagrees.
+ * `contract-method-drift`, `duplicate-route`, and `auth-drift` use this —
+ * once the path matches, a verb mismatch, duplicate declaration, or missing
+ * Authorization header is a real bug, not a heuristic.
+ */
+export const CROSS_STACK_EXACT_CONFIDENCE = 0.9;
 /** Client URLs we consider "internal" to the reviewed project. */
 export const API_PATH_RE = /^\/api\//;
+export function hasFastApiEvidence(map) {
+    if (map.language !== 'py')
+        return false;
+    return map.edges.some((edge) => {
+        if (edge.kind !== 'dependency' || edge.payload.kind !== 'dependency')
+            return false;
+        return edge.payload.specifier === 'fastapi' || edge.payload.specifier.startsWith('fastapi.');
+    });
+}
+export function isFastApiRouteMissingResponseModel(node, map) {
+    if (node.language !== 'py')
+        return false;
+    if (node.kind !== 'entrypoint' || node.payload.kind !== 'entrypoint')
+        return false;
+    if (node.payload.subtype !== 'route')
+        return false;
+    if (node.payload.responseModel)
+        return false;
+    return map ? hasFastApiEvidence(map) : false;
+}
 /**
  * Pull every server-side route out of a concept map. Callers typically fold
  * this across `ctx.allConcepts` to collect routes for the whole project.
+ *
+ * Per-file use (legacy signature): just emits the decorator path as-is.
+ *
+ * Cross-project use (preferred): call `collectRoutesAcrossGraph` instead,
+ * which joins route-mount concepts (FastAPI `app.include_router(prefix=…)`)
+ * with the per-file route decorators so `@router.get("/current")` mounted
+ * under `prefix="/api/nutrition-goals"` surfaces as `/api/nutrition-goals/current`.
+ * Without that join the wedge rules silently find nothing on every FastAPI
+ * app that follows the standard APIRouter pattern.
  */
 export function collectRoutes(map, routes) {
     for (const node of map.nodes) {
@@ -32,6 +69,100 @@ export function collectRoutes(map, routes) {
         routes.push({ path, method: node.payload.httpMethod, node });
     }
 }
+/**
+ * Graph-wide route collection with FastAPI router-prefix expansion.
+ *
+ * Walks every concept map twice:
+ *   1. Collect `route-mount` concepts (FastAPI `app.include_router(<router>,
+ *      prefix=…)` calls). Each mount carries `prefix`, `routerName`, and —
+ *      when the router was imported from another module — `sourceModule`
+ *      like `app.api.nutrition_goals`.
+ *   2. For each per-file `route` concept, look up a matching mount by
+ *      `sourceModule` ↔ file path suffix (Python `app.api.nutrition_goals`
+ *      resolves to any file path ending in `app/api/nutrition_goals.py`),
+ *      falling back to a project-wide `routerName` match when the mount
+ *      is in the same file as the routes.
+ *
+ * Per-file routes with no mount are still emitted with their declared path
+ * — Flask / Express routes and FastAPI apps that decorate directly on
+ * `@app.get(...)` already carry the full path.
+ */
+export function collectRoutesAcrossGraph(allConcepts) {
+    const routes = [];
+    // Build the mount index first so each route can look up its prefix.
+    const mountsByModule = new Map();
+    const mountsByRouter = new Map();
+    for (const [mountFile, map] of allConcepts) {
+        for (const node of map.nodes) {
+            if (node.kind !== 'entrypoint' || node.payload.kind !== 'entrypoint')
+                continue;
+            if (node.payload.subtype !== 'route-mount')
+                continue;
+            const prefix = node.payload.name;
+            const routerName = node.payload.routerName;
+            const sourceModule = node.payload.sourceModule;
+            if (sourceModule) {
+                const list = mountsByModule.get(sourceModule) ?? [];
+                list.push(prefix);
+                mountsByModule.set(sourceModule, list);
+            }
+            if (routerName) {
+                const list = mountsByRouter.get(routerName) ?? [];
+                list.push({ prefix, mountFile });
+                mountsByRouter.set(routerName, list);
+            }
+        }
+    }
+    for (const [routeFile, map] of allConcepts) {
+        for (const node of map.nodes) {
+            if (node.kind !== 'entrypoint' || node.payload.kind !== 'entrypoint')
+                continue;
+            if (node.payload.subtype !== 'route')
+                continue;
+            const path = node.payload.name;
+            if (typeof path !== 'string' || !path.startsWith('/'))
+                continue;
+            const prefix = resolveMountPrefix(routeFile, node.payload.routerName, mountsByModule, mountsByRouter);
+            const fullPath = prefix ? joinPaths(prefix, path) : path;
+            routes.push({ path: fullPath, method: node.payload.httpMethod, node });
+        }
+    }
+    return routes;
+}
+function resolveMountPrefix(routeFile, routerName, mountsByModule, mountsByRouter) {
+    // Module-based match. TS mounts emit a `sourceModule` that already carries a
+    // code extension (e.g. `routes/review.ts`) — use it as a path suffix directly.
+    // Python mounts emit a dotted module name (`app.api.nutrition_goals`) — translate
+    // to `app/api/nutrition_goals.py` first. The leading-slash boundary check in
+    // both branches prevents `blog/api.py` from false-matching module `api`.
+    for (const [sourceModule, prefixes] of mountsByModule) {
+        if (prefixes.length === 0)
+            continue;
+        const relTail = /\.(ts|tsx|js|jsx|mjs|cjs)$/i.test(sourceModule)
+            ? sourceModule
+            : `${sourceModule.replace(/\./g, '/')}.py`;
+        if (routeFile === relTail || routeFile.endsWith(`/${relTail}`))
+            return prefixes[0];
+    }
+    // Same-file match: `router = APIRouter(); app.include_router(router, prefix=…)`.
+    // The mount has no `sourceModule` but shares the file with the routes.
+    if (routerName) {
+        const entries = mountsByRouter.get(routerName);
+        if (entries) {
+            const sameFile = entries.find((e) => e.mountFile === routeFile);
+            if (sameFile)
+                return sameFile.prefix;
+        }
+    }
+    return undefined;
+}
+function joinPaths(prefix, path) {
+    const trimmedPrefix = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
+    const trimmedPath = path.startsWith('/') ? path : `/${path}`;
+    if (trimmedPath === '/')
+        return trimmedPrefix || '/';
+    return `${trimmedPrefix}${trimmedPath}`;
+}
 /**
  * Strip scheme/host, query string, and fragment from a client URL so it can
  * match against a server route template. Returns undefined when the input
@@ -89,6 +220,36 @@ export function findMatchingRoute(clientPath, routes) {
 export function hasMatchingRoute(clientPath, routes) {
     return findMatchingRoute(clientPath, routes) !== undefined;
 }
+/**
+ * Return every server route whose path template matches the client path,
+ * regardless of HTTP method. Used by `contract-method-drift` and
+ * `orphan-route` to distinguish "no server exists here" (contract-drift
+ * territory) from "server exists but only responds to a different verb /
+ * no one calls it" (method-drift / orphan-route territory).
+ */
+export function findRoutesAtPath(clientPath, routes) {
+    const clientSegments = trimTrailing(clientPath).split('/');
+    const matches = [];
+    for (const route of routes) {
+        const routeSegments = trimTrailing(route.path).split('/');
+        if (routeSegments.length !== clientSegments.length)
+            continue;
+        let matched = true;
+        for (let i = 0; i < routeSegments.length; i++) {
+            const rs = routeSegments[i];
+            const cs = clientSegments[i];
+            if (isParamSegment(rs))
+                continue;
+            if (rs !== cs) {
+                matched = false;
+                break;
+            }
+        }
+        if (matched)
+            matches.push(route);
+    }
+    return matches;
+}
 function trimTrailing(path) {
     return path.length > 1 && path.endsWith('/') ? path.slice(0, -1) : path;
 }

package/dist/concept-rules/cross-stack-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"cross-stack-utils.js","sourceRoot":"","sources":["../../src/concept-rules/cross-stack-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,GAAG,CAAC;AAEpD,kEAAkE;AAClE,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAStC;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAE,MAAqB;IAClE,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;YAAE,SAAS;QACnH,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAChE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACnE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAChC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,GAAG,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAkB,EAAE,MAA8B;IAClF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,SAAS;QAC7D,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;gBAAE,SAAS;YACjC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACd,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC;IAC5B,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,OAAO,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,SAAS,CAAC;AAC7D,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,CAAC"}
+{"version":3,"file":"cross-stack-utils.js","sourceRoot":"","sources":["../../src/concept-rules/cross-stack-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,GAAG,CAAC;AAEpD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,GAAG,CAAC;AAEhD,kEAAkE;AAClE,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAStC,MAAM,UAAU,kBAAkB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QACnF,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,IAAiB,EAAE,GAAgB;IACpF,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IACnF,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAE,MAAqB;IAClE,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;YAAE,SAAS;QACnH,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAChE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAA4C;IACnF,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,GAAG,EAAoB,CAAC;IACnD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAwD,CAAC;IACvF,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,aAAa;gBAAE,SAAS;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YACjC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;YAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAClB,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBAClD,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBACjC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;gBAAE,SAAS;YAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEhE,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;YACtG,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACzD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,UAA8B,EAC9B,cAA6C,EAC7C,cAAiF;IAEjF,6EAA6E;IAC7E,+EAA+E;IAC/E,kFAAkF;IAClF,6EAA6E;IAC7E,yEAAyE;IACzE,KAAK,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,cAAc,EAAE,CAAC;QACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,MAAM,OAAO,GAAG,6BAA6B,CAAC,IAAI,CAAC,YAAY,CAAC;YAC9D,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC;QAC7C,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC;YAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrF,CAAC;IACD,iFAAiF;IACjF,uEAAuE;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;YAChE,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC,MAAM,CAAC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,IAAY;IAC7C,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7D,IAAI,WAAW,KAAK,GAAG;QAAE,OAAO,aAAa,IAAI,GAAG,CAAC;IACrD,OAAO,GAAG,aAAa,GAAG,WAAW,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACnE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAChC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,GAAG,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAkB,EAAE,MAA8B;IAClF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,SAAS;QAC7D,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;gBAAE,SAAS;YACjC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACd,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC;IAC5B,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,OAAO,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,SAAS,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,SAAS;QAC7D,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;gBAAE,SAAS;YACjC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACd,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,CAAC"}

package/dist/concept-rules/duplicate-route.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Rule: duplicate-route
+ *
+ * Server-side rule — fires when two or more route decorators declare the
+ * same `{path, method}` combination in the reviewed project. Real-bug
+ * classes:
+ *   - Someone renamed a handler but forgot to delete the old one; both fire,
+ *     order-dependent, one silently shadows the other.
+ *   - A copy-paste left an `@router.get("/users")` pair intact.
+ *   - A FastAPI router was mounted twice under the same prefix by accident.
+ *
+ * Fires on the SECOND and later occurrences (the first is the canonical
+ * declaration; duplicates are the bug). No-verb routes (`app.use`) key
+ * under `ANY` so two `use('/x')` calls still surface as duplicates.
+ *
+ * Path-only scope: does not cross-correlate client calls. Graph mode only.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function duplicateRoute(ctx: ConceptRuleContext): ReviewFinding[];