@lbroth/rothunter 1.0.0-rc.1

package/dist/detectors/dead-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-api.d.ts","sourceRoot":"","sources":["../../src/detectors/dead-api.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAG7D,MAAM,WAAW,oBAAoB;IACnC,4EAA4E;IAC5E,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACrC,gGAAgG;IAChG,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;CACtC;AAKD,wBAAgB,cAAc,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,EAAE,CAmGrE"}

package/dist/detectors/dead-api.js

@@ -0,0 +1,115 @@
+import { stableHash } from '../utils/hash.js';
+// Cross-workspace dead-API: exported symbol with no consumer in any
+// OTHER workspace. Intra-workspace use intentionally ignored (dead-export
+// covers that). Severity low — external dependents are invisible.
+export function detectDeadApis(input) {
+    // Per-target consumed name sets across workspace boundaries.
+    const crossConsumed = new Map();
+    const crossNamespace = new Set(); // target file: a namespace consumer exists from another workspace
+    const crossDefault = new Set();
+    const addCross = (target, name) => {
+        const s = crossConsumed.get(target) ?? new Set();
+        s.add(name);
+        crossConsumed.set(target, s);
+    };
+    for (const imp of input.imports) {
+        if (!imp.target)
+            continue;
+        if (imp.targetWorkspace && imp.sourceWorkspace && imp.targetWorkspace !== imp.sourceWorkspace) {
+            if (imp.namespaceAlias)
+                crossNamespace.add(imp.target);
+            if (imp.isStarReExport)
+                crossNamespace.add(imp.target);
+            if (imp.defaultImport)
+                crossDefault.add(imp.target);
+            for (const name of imp.namedImports)
+                addCross(imp.target, name);
+        }
+    }
+    // Re-export propagation. If `pkg/src/index.ts` does
+    // `export { getUser } from './api/users'` and a cross-workspace consumer
+    // imports `getUser` from `pkg`, the consumption was recorded against
+    // `pkg/src/index.ts` (the resolved target). We need to forward that
+    // consumption to `pkg/src/api/users.ts`, where the actual symbol lives.
+    // Fixpoint iteration handles re-export chains (A re-exports from B
+    // which re-exports from C).
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const imp of input.imports) {
+            if (!imp.isReExport)
+                continue;
+            if (!imp.target)
+                continue;
+            const sourceConsumed = crossConsumed.get(imp.source);
+            const sourceIsNamespaceConsumed = crossNamespace.has(imp.source);
+            if (imp.isStarReExport) {
+                // `export * from './x'` — every cross-consumed name on the re-exporting
+                // file must propagate to the target.
+                if (sourceConsumed) {
+                    for (const name of sourceConsumed) {
+                        const targetSet = crossConsumed.get(imp.target) ?? new Set();
+                        if (!targetSet.has(name)) {
+                            targetSet.add(name);
+                            crossConsumed.set(imp.target, targetSet);
+                            changed = true;
+                        }
+                    }
+                }
+                if (sourceIsNamespaceConsumed && !crossNamespace.has(imp.target)) {
+                    crossNamespace.add(imp.target);
+                    changed = true;
+                }
+                continue;
+            }
+            for (const name of imp.reExportNames ?? imp.namedImports) {
+                const consumedHere = sourceConsumed?.has(name) || sourceIsNamespaceConsumed;
+                if (!consumedHere)
+                    continue;
+                const targetSet = crossConsumed.get(imp.target) ?? new Set();
+                if (!targetSet.has(name)) {
+                    targetSet.add(name);
+                    crossConsumed.set(imp.target, targetSet);
+                    changed = true;
+                }
+            }
+        }
+    }
+    const findings = [];
+    const exportedSymbols = input.symbols.filter((s) => s.exported);
+    for (const sym of exportedSymbols) {
+        if (!sym.workspace)
+            continue; // single-workspace scan — skip
+        // `sym.file` is already workspace-prefixed by the multi-workspace scanner.
+        if (crossNamespace.has(sym.file))
+            continue;
+        if (crossDefault.has(sym.file))
+            continue;
+        const consumed = crossConsumed.get(sym.file);
+        if (consumed && consumed.has(sym.name))
+            continue;
+        findings.push({
+            detectorId: 'dead-api',
+            severity: 'low',
+            confidence: 0.7,
+            layer: 1,
+            title: `Unused public API: ${sym.name} (${sym.workspace}/${stripWorkspace(sym.file, sym.workspace)})`,
+            description: `\`${sym.name}\` is exported from \`${sym.file}\` but no file in any sibling workspace imports it.\nLocations:\n- ${sym.file}:${sym.range.startLine} (${sym.kind} ${sym.name})`,
+            evidence: [
+                {
+                    file: sym.file,
+                    range: sym.range,
+                    snippet: sym.source,
+                },
+            ],
+            suggestion: 'If this is an internal helper accidentally exported, remove the `export` keyword. If it is meant for external consumers outside the linked group, mark this finding as a false positive.',
+            fingerprint: `dead-api:${stableHash(`${sym.workspace}::${sym.file}::${sym.name}`)}`,
+        });
+    }
+    return findings;
+}
+function stripWorkspace(file, workspace) {
+    const prefix = `${workspace}/`;
+    return file.startsWith(prefix) ? file.slice(prefix.length) : file;
+}
+//# sourceMappingURL=dead-api.js.map

package/dist/detectors/dead-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-api.js","sourceRoot":"","sources":["../../src/detectors/dead-api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAS9C,oEAAoE;AACpE,0EAA0E;AAC1E,kEAAkE;AAClE,MAAM,UAAU,cAAc,CAAC,KAA2B;IACxD,6DAA6D;IAC7D,MAAM,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IACrD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,kEAAkE;IAC5G,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAE,IAAY,EAAQ,EAAE;QACtD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QACzD,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACZ,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC/B,CAAC,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,SAAS;QAC1B,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,eAAe,KAAK,GAAG,CAAC,eAAe,EAAE,CAAC;YAC9F,IAAI,GAAG,CAAC,cAAc;gBAAE,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvD,IAAI,GAAG,CAAC,cAAc;gBAAE,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvD,IAAI,GAAG,CAAC,aAAa;gBAAE,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACpD,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,YAAY;gBAAE,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,yEAAyE;IACzE,qEAAqE;IACrE,oEAAoE;IACpE,wEAAwE;IACxE,mEAAmE;IACnE,4BAA4B;IAC5B,IAAI,OAAO,GAAG,IAAI,CAAC;IACnB,OAAO,OAAO,EAAE,CAAC;QACf,OAAO,GAAG,KAAK,CAAC;QAChB,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC,GAAG,CAAC,UAAU;gBAAE,SAAS;YAC9B,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,SAAS;YAC1B,MAAM,cAAc,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACrD,MAAM,yBAAyB,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACjE,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;gBACvB,wEAAwE;gBACxE,qCAAqC;gBACrC,IAAI,cAAc,EAAE,CAAC;oBACnB,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;wBAClC,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;wBACrE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;4BACzB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;4BACpB,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;4BACzC,OAAO,GAAG,IAAI,CAAC;wBACjB,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,IAAI,yBAAyB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBACjE,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC/B,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;gBACD,SAAS;YACX,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;gBACzD,MAAM,YAAY,GAAG,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,yBAAyB,CAAC;gBAC5E,IAAI,CAAC,YAAY;oBAAE,SAAS;gBAC5B,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;gBACrE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBACpB,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;oBACzC,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAChE,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,SAAS,CAAC,+BAA+B;QAC7D,2EAA2E;QAC3E,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAC3C,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACzC,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,QAAQ,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEjD,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,UAAU;YACtB,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,sBAAsB,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,SAAS,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,GAAG;YACrG,WAAW,EAAE,KAAK,GAAG,CAAC,IAAI,yBAAyB,GAAG,CAAC,IAAI,sEAAsE,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,GAAG;YAC5L,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,OAAO,EAAE,GAAG,CAAC,MAAM;iBACpB;aACF;YACD,UAAU,EACR,0LAA0L;YAC5L,WAAW,EAAE,YAAY,UAAU,CAAC,GAAG,GAAG,CAAC,SAAS,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE;SACpF,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,SAAiB;IACrD,MAAM,MAAM,GAAG,GAAG,SAAS,GAAG,CAAC;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACpE,CAAC"}

package/dist/detectors/dead-export.d.ts

@@ -0,0 +1,12 @@
+import type { Finding, SymbolRecord } from '../types.js';
+import type { ImportRecord } from '../graph/import-graph.js';
+export interface DeadExportDetectorInput {
+    /** Symbols parsed from the workspace, with `exported: boolean` set by the parser. */
+    symbols: ReadonlyArray<SymbolRecord>;
+    /** Import + re-export records produced by the parser. */
+    imports: ReadonlyArray<ImportRecord>;
+    /** Entry-point files (workspace-relative) — their exports are externally consumed. */
+    entryPoints: ReadonlySet<string>;
+}
+export declare function detectDeadExports(input: DeadExportDetectorInput): Finding[];
+//# sourceMappingURL=dead-export.d.ts.map

package/dist/detectors/dead-export.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-export.d.ts","sourceRoot":"","sources":["../../src/detectors/dead-export.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAG7D,MAAM,WAAW,uBAAuB;IACtC,qFAAqF;IACrF,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACrC,yDAAyD;IACzD,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACrC,sFAAsF;IACtF,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAClC;AAMD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,EAAE,CA0E3E"}

package/dist/detectors/dead-export.js

@@ -0,0 +1,140 @@
+import * as path from 'node:path';
+import { stableHash } from '../utils/hash.js';
+// Flag exports nothing imports. Consumed = named import, `* as ns`, `export *`,
+// re-export, OR default import IFF the symbol is the file's `isDefault`.
+// Dynamic / string-eval'd imports invisible. Severity low, confidence 0.65 —
+// mark as FP from the dashboard for framework conventions.
+export function detectDeadExports(input) {
+    const consumedNames = new Map();
+    const namespaceConsumedFiles = new Set();
+    const defaultConsumedFiles = new Set();
+    const addConsumed = (file, name) => {
+        const s = consumedNames.get(file) ?? new Set();
+        s.add(name);
+        consumedNames.set(file, s);
+    };
+    for (const imp of input.imports) {
+        if (!imp.target)
+            continue;
+        if (imp.namespaceAlias)
+            namespaceConsumedFiles.add(imp.target);
+        if (imp.isStarReExport)
+            namespaceConsumedFiles.add(imp.target);
+        if (imp.defaultImport)
+            defaultConsumedFiles.add(imp.target);
+        for (const name of imp.namedImports)
+            addConsumed(imp.target, name);
+    }
+    // Per-file map of EVERY symbol (exported AND internal) → its source.
+    // Used for the same-file reachability pass: an exported helper /
+    // type / class referenced from any sibling — exported or not —
+    // counts as used. Restricting to siblings-also-exported missed the
+    // common case where an exported utility (`sha256File`) is called
+    // only from a non-exported helper (`checksumMatchesSidecar`) within
+    // the same file.
+    const symbolsByFile = new Map();
+    for (const sym of input.symbols) {
+        const arr = symbolsByFile.get(sym.file) ?? [];
+        arr.push(sym);
+        symbolsByFile.set(sym.file, arr);
+    }
+    const findings = [];
+    for (const sym of input.symbols) {
+        if (!sym.exported)
+            continue;
+        if (input.entryPoints.has(sym.file))
+            continue;
+        if (shouldSkipFile(sym.file))
+            continue;
+        if (namespaceConsumedFiles.has(sym.file))
+            continue;
+        const consumed = consumedNames.get(sym.file);
+        if (consumed && consumed.has(sym.name))
+            continue;
+        // Default-import gate: only protect the symbol that IS the file's
+        // default. Other named exports in the same file remain subject to
+        // dead-export. The parser tags `isDefault` on the symbol; absent
+        // that tag the symbol is NOT the default, so leave the rest of the
+        // file's named exports open to the check.
+        if (defaultConsumedFiles.has(sym.file) && sym.isDefault)
+            continue;
+        // Type-surface reachability: an exported type / interface used in
+        // another exported symbol's source is reachable through that
+        // symbol's signature, even if no module imports it by name. Only
+        // applies to types — runtime symbols (function / class / enum)
+        // would show up via named import anyway.
+        if (isTypeSurface(sym, symbolsByFile))
+            continue;
+        findings.push({
+            detectorId: 'dead-export',
+            severity: 'low',
+            confidence: 0.65,
+            layer: 1,
+            title: `Unused export: ${sym.name} in ${sym.file}`,
+            description: `\`${sym.name}\` is exported from \`${sym.file}\` but no other workspace file imports it.\nLocations:\n- ${sym.file}:${sym.range.startLine} (${sym.kind} ${sym.name})`,
+            evidence: [
+                {
+                    file: sym.file,
+                    range: sym.range,
+                    snippet: sym.source,
+                },
+            ],
+            suggestion: 'If this export is consumed via dynamic import, framework convention, or an external package, mark this finding as a false positive. Otherwise drop the `export` keyword (or delete the symbol).',
+            fingerprint: `dead-export:${stableHash(`${sym.file}::${sym.name}`)}`,
+        });
+    }
+    return findings;
+}
+const SKIP_FILE_PATTERNS = [
+    /\.d\.ts$/,
+    /(^|\/)__fixtures__\//,
+    /(^|\/)__mocks__\//,
+    /\.story\.tsx?$/,
+    /\.stories\.tsx?$/,
+];
+function shouldSkipFile(file) {
+    const posix = file.split(path.sep).join('/');
+    return SKIP_FILE_PATTERNS.some((re) => re.test(posix));
+}
+/**
+ * Decide whether `sym` is exposed transitively through the signature
+ * of any OTHER exported symbol in the same file. A `\bName\b` hit in a
+ * sibling's source is treated as a structural reference — return type,
+ * parameter, generic constraint, extends clause.
+ *
+ * Restricted to `interface` / `type-alias` kinds: those are the ones
+ * regularly exported purely to name a shape passed across the module
+ * boundary. A runtime symbol (function / class / enum) imported only
+ * through a sibling is rare; relying on the named-import path keeps
+ * the FP risk low.
+ */
+function isTypeSurface(sym, symbolsByFile) {
+    // Restricted to symbols whose surface is naturally referenced from a
+    // sibling — types from signatures, helpers from another function's
+    // body. Enum / class also count: extending or referencing the type
+    // inside another symbol of the same module is enough proof the
+    // symbol is consumed transitively. Variables / constants are
+    // intentionally excluded because their name regularly collides with
+    // local variables and would over-mask.
+    if (sym.kind !== 'interface' &&
+        sym.kind !== 'type-alias' &&
+        sym.kind !== 'function' &&
+        sym.kind !== 'class' &&
+        sym.kind !== 'enum')
+        return false;
+    const siblings = symbolsByFile.get(sym.file);
+    if (!siblings)
+        return false;
+    const nameRe = new RegExp(`\\b${escapeRegex(sym.name)}\\b`);
+    for (const other of siblings) {
+        if (other === sym)
+            continue;
+        if (nameRe.test(other.source))
+            return true;
+    }
+    return false;
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=dead-export.js.map

package/dist/detectors/dead-export.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-export.js","sourceRoot":"","sources":["../../src/detectors/dead-export.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAW9C,gFAAgF;AAChF,yEAAyE;AACzE,6EAA6E;AAC7E,2DAA2D;AAC3D,MAAM,UAAU,iBAAiB,CAAC,KAA8B;IAC9D,MAAM,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IACrD,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAU,CAAC;IACjD,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/C,MAAM,WAAW,GAAG,CAAC,IAAY,EAAE,IAAY,EAAQ,EAAE;QACvD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QACvD,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACZ,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,SAAS;QAC1B,IAAI,GAAG,CAAC,cAAc;YAAE,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/D,IAAI,GAAG,CAAC,cAAc;YAAE,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/D,IAAI,GAAG,CAAC,aAAa;YAAE,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,YAAY;YAAE,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACrE,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,+DAA+D;IAC/D,mEAAmE;IACnE,iEAAiE;IACjE,oEAAoE;IACpE,iBAAiB;IACjB,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAC;IACxD,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9C,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACd,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,QAAQ;YAAE,SAAS;QAC5B,IAAI,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9C,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACvC,IAAI,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACnD,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,QAAQ,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACjD,kEAAkE;QAClE,kEAAkE;QAClE,iEAAiE;QACjE,mEAAmE;QACnE,0CAA0C;QAC1C,IAAI,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS;YAAE,SAAS;QAClE,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,+DAA+D;QAC/D,yCAAyC;QACzC,IAAI,aAAa,CAAC,GAAG,EAAE,aAAa,CAAC;YAAE,SAAS;QAEhD,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,aAAa;YACzB,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,kBAAkB,GAAG,CAAC,IAAI,OAAO,GAAG,CAAC,IAAI,EAAE;YAClD,WAAW,EAAE,KAAK,GAAG,CAAC,IAAI,yBAAyB,GAAG,CAAC,IAAI,6DAA6D,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,KAAK,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,GAAG;YACnL,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,OAAO,EAAE,GAAG,CAAC,MAAM;iBACpB;aACF;YACD,UAAU,EACR,iMAAiM;YACnM,WAAW,EAAE,eAAe,UAAU,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE;SACrE,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,kBAAkB,GAAa;IACnC,UAAU;IACV,sBAAsB;IACtB,mBAAmB;IACnB,gBAAgB;IAChB,kBAAkB;CACnB,CAAC;AAEF,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CACpB,GAAiB,EACjB,aAA0C;IAE1C,qEAAqE;IACrE,mEAAmE;IACnE,mEAAmE;IACnE,+DAA+D;IAC/D,6DAA6D;IAC7D,oEAAoE;IACpE,uCAAuC;IACvC,IACE,GAAG,CAAC,IAAI,KAAK,WAAW;QACxB,GAAG,CAAC,IAAI,KAAK,YAAY;QACzB,GAAG,CAAC,IAAI,KAAK,UAAU;QACvB,GAAG,CAAC,IAAI,KAAK,OAAO;QACpB,GAAG,CAAC,IAAI,KAAK,MAAM;QAEnB,OAAO,KAAK,CAAC;IACf,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5D,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,KAAK,KAAK,GAAG;YAAE,SAAS;QAC5B,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC"}

package/dist/detectors/dead-handler.d.ts

@@ -0,0 +1,12 @@
+import type { Finding } from '../types.js';
+import type { ImportRecord } from '../graph/import-graph.js';
+export interface DeadHandlerDetectorInput {
+    /** All workspace-relative files parsed in this run. */
+    files: ReadonlyArray<string>;
+    /** Files referenced by an IaC construct's `entry`/`handler`/routes config. */
+    iacEntries: ReadonlySet<string>;
+    /** Import records — used to know if a file is statically/dynamically imported. */
+    imports: ReadonlyArray<ImportRecord>;
+}
+export declare function detectDeadHandlers(input: DeadHandlerDetectorInput): Finding[];
+//# sourceMappingURL=dead-handler.d.ts.map

package/dist/detectors/dead-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-handler.d.ts","sourceRoot":"","sources":["../../src/detectors/dead-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAI7D,MAAM,WAAW,wBAAwB;IACvC,uDAAuD;IACvD,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7B,8EAA8E;IAC9E,UAAU,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAChC,kFAAkF;IAClF,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;CACtC;AAKD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,EAAE,CA+B7E"}

package/dist/detectors/dead-handler.js

@@ -0,0 +1,40 @@
+import { isHandlerConventionFile } from '../graph/handler-conventions.js';
+import { stableHash } from '../utils/hash.js';
+// Files in handler-convention dirs (src/handlers, src/lambdas, …) that are
+// neither IaC-referenced nor imported anywhere. Confidence 0.65 (runtime
+// config-file wiring is invisible to ts-morph).
+export function detectDeadHandlers(input) {
+    const importedTargets = new Set();
+    for (const imp of input.imports) {
+        if (imp.target)
+            importedTargets.add(imp.target);
+    }
+    const findings = [];
+    for (const file of input.files) {
+        if (!isHandlerConventionFile(file))
+            continue;
+        if (input.iacEntries.has(file))
+            continue;
+        if (importedTargets.has(file))
+            continue;
+        findings.push({
+            detectorId: 'dead-handler',
+            severity: 'low',
+            confidence: 0.65,
+            layer: 1,
+            title: `Handler with no IaC wiring: ${file}`,
+            description: `\`${file}\` lives in a handler-convention directory but no CDK / SST / Serverless-framework construct references its path, and no other file imports it.\nLocations:\n- ${file} (entire file)`,
+            evidence: [
+                {
+                    file,
+                    range: { startLine: 1, endLine: 1 },
+                    snippet: `// (no IaC reference and no inbound import for ${file})`,
+                },
+            ],
+            suggestion: 'If this handler is wired by a non-TypeScript config (`serverless.yml`, `sam.template.yaml`, runtime path string), mark this finding as a false positive. Otherwise it is dead infrastructure — wire it or remove the file.',
+            fingerprint: `dead-handler:${stableHash(file)}`,
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=dead-handler.js.map

package/dist/detectors/dead-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-handler.js","sourceRoot":"","sources":["../../src/detectors/dead-handler.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAW9C,2EAA2E;AAC3E,yEAAyE;AACzE,gDAAgD;AAChD,MAAM,UAAU,kBAAkB,CAAC,KAA+B;IAChE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM;YAAE,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YAAE,SAAS;QAC7C,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACzC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACxC,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,cAAc;YAC1B,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,+BAA+B,IAAI,EAAE;YAC5C,WAAW,EAAE,KAAK,IAAI,kKAAkK,IAAI,gBAAgB;YAC5M,QAAQ,EAAE;gBACR;oBACE,IAAI;oBACJ,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;oBACnC,OAAO,EAAE,kDAAkD,IAAI,GAAG;iBACnE;aACF;YACD,UAAU,EACR,4NAA4N;YAC9N,WAAW,EAAE,gBAAgB,UAAU,CAAC,IAAI,CAAC,EAAE;SAChD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/detectors/dead-module.d.ts

@@ -0,0 +1,14 @@
+import type { Finding } from '../types.js';
+import type { ImportGraph } from '../graph/import-graph.js';
+export interface DeadModuleDetectorInput {
+    /** All workspace-relative files parsed in this run. */
+    files: ReadonlyArray<string>;
+    /** Import graph built from those files. */
+    graph: ImportGraph;
+    /** Set of entry-point files (workspace-relative). */
+    entryPoints: ReadonlySet<string>;
+    /** Files reachable from entry points via BFS. */
+    reachable: ReadonlySet<string>;
+}
+export declare function detectDeadModules(input: DeadModuleDetectorInput): Finding[];
+//# sourceMappingURL=dead-module.d.ts.map

package/dist/detectors/dead-module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-module.d.ts","sourceRoot":"","sources":["../../src/detectors/dead-module.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAG5D,MAAM,WAAW,uBAAuB;IACtC,uDAAuD;IACvD,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC7B,2CAA2C;IAC3C,KAAK,EAAE,WAAW,CAAC;IACnB,qDAAqD;IACrD,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACjC,iDAAiD;IACjD,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAChC;AAID,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,EAAE,CA+B3E"}

package/dist/detectors/dead-module.js

@@ -0,0 +1,50 @@
+import * as path from 'node:path';
+import { stableHash } from '../utils/hash.js';
+// Files not reachable from any entry point + not themselves entry points
+// + not .d.ts/ambient. LOW — framework conventions create FPs; mark as FP.
+export function detectDeadModules(input) {
+    const findings = [];
+    for (const file of input.files) {
+        if (input.entryPoints.has(file))
+            continue;
+        if (input.reachable.has(file))
+            continue;
+        if (shouldExcludeFromDeadCheck(file))
+            continue;
+        findings.push({
+            detectorId: 'dead-module',
+            severity: 'low',
+            // 0.7 is the post-LLM-confirmation default; deterministic-only this would
+            // be higher (1.0 — the file is genuinely unimported) but the LLM is
+            // expected to drop borderline framework-handler files below the report
+            // threshold. We start in the middle so a no-LLM run still reports.
+            confidence: 0.7,
+            layer: 1,
+            title: `Unused module: ${file}`,
+            description: `\`${file}\` is not imported by any other workspace file and is not a known entry point.\nLocations:\n- ${file} (entire file)`,
+            evidence: [
+                {
+                    file,
+                    range: { startLine: 1, endLine: 1 },
+                    snippet: `// (entire file ${file} appears to have no inbound imports)`,
+                },
+            ],
+            suggestion: 'If this file is intentionally loaded by convention (framework route, dynamic import, build step), add an entry-point hint or mark this finding as a false positive. Otherwise delete it.',
+            fingerprint: `dead-module:${stableHash(file)}`,
+        });
+    }
+    return findings;
+}
+const ALWAYS_SKIP_PATTERNS = [
+    /\.d\.ts$/, // ambient declarations — consumed via tsconfig, no import edge
+    /(^|\/)global\.d\.ts$/,
+    /(^|\/)vite-env\.d\.ts$/,
+    /(^|\/)next-env\.d\.ts$/,
+    /\.story\.tsx?$/,
+    /\.stories\.tsx?$/,
+];
+function shouldExcludeFromDeadCheck(file) {
+    const posix = file.split(path.sep).join('/');
+    return ALWAYS_SKIP_PATTERNS.some((re) => re.test(posix));
+}
+//# sourceMappingURL=dead-module.js.map

package/dist/detectors/dead-module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dead-module.js","sourceRoot":"","sources":["../../src/detectors/dead-module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAa9C,yEAAyE;AACzE,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB,CAAC,KAA8B;IAC9D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAC1C,IAAI,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACxC,IAAI,0BAA0B,CAAC,IAAI,CAAC;YAAE,SAAS;QAE/C,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,aAAa;YACzB,QAAQ,EAAE,KAAK;YACf,0EAA0E;YAC1E,oEAAoE;YACpE,uEAAuE;YACvE,mEAAmE;YACnE,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,kBAAkB,IAAI,EAAE;YAC/B,WAAW,EAAE,KAAK,IAAI,iGAAiG,IAAI,gBAAgB;YAC3I,QAAQ,EAAE;gBACR;oBACE,IAAI;oBACJ,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;oBACnC,OAAO,EAAE,mBAAmB,IAAI,sCAAsC;iBACvE;aACF;YACD,UAAU,EACR,0LAA0L;YAC5L,WAAW,EAAE,eAAe,UAAU,CAAC,IAAI,CAAC,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,oBAAoB,GAAa;IACrC,UAAU,EAAE,+DAA+D;IAC3E,sBAAsB;IACtB,wBAAwB;IACxB,wBAAwB;IACxB,gBAAgB;IAChB,kBAAkB;CACnB,CAAC;AAEF,SAAS,0BAA0B,CAAC,IAAY;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/detectors/deep-nesting.d.ts

@@ -0,0 +1,12 @@
+import type { Finding, SymbolRecord } from '../types.js';
+export interface DeepNestingDetectorInput {
+    symbols: ReadonlyArray<SymbolRecord>;
+    /** Nesting depth that triggers LOW. Default 4. */
+    lowThreshold?: number;
+    /** Nesting depth that triggers MED. Default 5. */
+    medThreshold?: number;
+    /** Nesting depth that triggers HIGH. Default 6. */
+    highThreshold?: number;
+}
+export declare function detectDeepNesting(input: DeepNestingDetectorInput): Finding[];
+//# sourceMappingURL=deep-nesting.d.ts.map

package/dist/detectors/deep-nesting.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deep-nesting.d.ts","sourceRoot":"","sources":["../../src/detectors/deep-nesting.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGzD,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACrC,kDAAkD;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAID,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,GAAG,OAAO,EAAE,CA+B5E"}

package/dist/detectors/deep-nesting.js

@@ -0,0 +1,133 @@
+import { stableHash } from '../utils/hash.js';
+// Max if/for/while/try/switch depth per function via regex single-pass.
+// LOW ≥4, MED ≥5, HIGH ≥6.
+export function detectDeepNesting(input) {
+    const low = input.lowThreshold ?? 4;
+    const med = input.medThreshold ?? 5;
+    const high = input.highThreshold ?? 6;
+    const findings = [];
+    for (const sym of input.symbols) {
+        if (sym.kind !== 'function')
+            continue;
+        const depth = maxNestingDepth(sym.source);
+        if (depth < low)
+            continue;
+        const severity = depth >= high ? 'high' : depth >= med ? 'medium' : 'low';
+        findings.push({
+            detectorId: 'deep-nesting',
+            severity,
+            confidence: 0.85,
+            layer: 1,
+            title: `Deeply nested function: \`${sym.name}\` (depth ${depth}) in ${sym.file}`,
+            description: `\`${sym.name}\` reaches ${depth} levels of nested control flow. Past depth 4 the reader has to track too many active conditions at once.`,
+            evidence: [
+                {
+                    file: sym.file,
+                    range: { startLine: sym.range.startLine, endLine: sym.range.endLine },
+                    snippet: sym.source.split('\n').slice(0, 4).join('\n'),
+                },
+            ],
+            suggestion: 'Invert the deepest condition with an early return ("guard clause"). Replace nested if/else trees with a discriminated dispatch table. Extract inner loops into named helpers.',
+            fingerprint: `deep-nesting:${stableHash(`${sym.file}:${sym.name}:${sym.range.startLine}`)}`,
+        });
+    }
+    return findings;
+}
+/**
+ * Counts the maximum depth of control-flow nesting in a function body.
+ * Walks the source once, ignoring strings/comments, and tracks the
+ * brace stack alongside the most recent keyword introducing each block.
+ *
+ * Only `if`/`for`/`while`/`switch`/`try`/`catch` keyword-introduced
+ * braces count toward depth — plain object literals and function-bodies
+ * don't inflate the metric.
+ */
+function maxNestingDepth(source) {
+    const masked = maskStringsAndComments(source);
+    let depth = 0;
+    let max = 0;
+    const stack = [];
+    // Use a sliding 16-char lookbehind for the most recent keyword.
+    for (let i = 0; i < masked.length; i++) {
+        const c = masked[i];
+        if (c === '{') {
+            const before = masked.slice(Math.max(0, i - 20), i);
+            const isControl = /\b(?:if|else|for|while|switch|try|catch|finally|do)\b\s*(?:\([^)]*\)\s*)?$/.test(before);
+            stack.push(isControl ? 'control' : 'other');
+            if (isControl) {
+                depth++;
+                if (depth > max)
+                    max = depth;
+            }
+        }
+        else if (c === '}') {
+            const popped = stack.pop();
+            if (popped === 'control' && depth > 0)
+                depth--;
+        }
+    }
+    return max;
+}
+function maskStringsAndComments(raw) {
+    let out = '';
+    let inString = null;
+    let inLineComment = false;
+    let inBlockComment = false;
+    for (let i = 0; i < raw.length; i++) {
+        const c = raw[i];
+        const next = raw[i + 1];
+        if (inLineComment) {
+            if (c === '\n') {
+                inLineComment = false;
+                out += '\n';
+            }
+            else
+                out += ' ';
+            continue;
+        }
+        if (inBlockComment) {
+            if (c === '*' && next === '/') {
+                inBlockComment = false;
+                out += '  ';
+                i++;
+            }
+            else
+                out += c === '\n' ? '\n' : ' ';
+            continue;
+        }
+        if (inString) {
+            if (c === '\\') {
+                out += '  ';
+                i++;
+                continue;
+            }
+            if (c === inString) {
+                inString = null;
+                out += c;
+                continue;
+            }
+            out += c === '\n' ? '\n' : ' ';
+            continue;
+        }
+        if (c === '/' && next === '/') {
+            inLineComment = true;
+            out += '  ';
+            i++;
+            continue;
+        }
+        if (c === '/' && next === '*') {
+            inBlockComment = true;
+            out += '  ';
+            i++;
+            continue;
+        }
+        if (c === '"' || c === "'" || c === '`') {
+            inString = c;
+            out += c;
+            continue;
+        }
+        out += c;
+    }
+    return out;
+}
+//# sourceMappingURL=deep-nesting.js.map

package/dist/detectors/deep-nesting.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deep-nesting.js","sourceRoot":"","sources":["../../src/detectors/deep-nesting.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAY9C,wEAAwE;AACxE,2BAA2B;AAC3B,MAAM,UAAU,iBAAiB,CAAC,KAA+B;IAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,YAAY,IAAI,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,KAAK,CAAC,YAAY,IAAI,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,IAAI,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU;YAAE,SAAS;QACtC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,KAAK,GAAG,GAAG;YAAE,SAAS;QAC1B,MAAM,QAAQ,GAA8B,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;QACrG,QAAQ,CAAC,IAAI,CAAC;YACZ,UAAU,EAAE,cAAc;YAC1B,QAAQ;YACR,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,6BAA6B,GAAG,CAAC,IAAI,aAAa,KAAK,QAAQ,GAAG,CAAC,IAAI,EAAE;YAChF,WAAW,EACT,KAAK,GAAG,CAAC,IAAI,cAAc,KAAK,0GAA0G;YAC5I,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,EAAE,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE;oBACrE,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;iBACvD;aACF;YACD,UAAU,EACR,+KAA+K;YACjL,WAAW,EAAE,gBAAgB,UAAU,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE;SAC5F,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,MAAM,MAAM,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,MAAM,KAAK,GAA+B,EAAE,CAAC;IAC7C,gEAAgE;IAChE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;YACpD,MAAM,SAAS,GAAG,4EAA4E,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5G,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;YAC5C,IAAI,SAAS,EAAE,CAAC;gBACd,KAAK,EAAE,CAAC;gBACR,IAAI,KAAK,GAAG,GAAG;oBAAE,GAAG,GAAG,KAAK,CAAC;YAC/B,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;YAC3B,IAAI,MAAM,KAAK,SAAS,IAAI,KAAK,GAAG,CAAC;gBAAE,KAAK,EAAE,CAAC;QACjD,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,QAAQ,GAA2B,IAAI,CAAC;IAC5C,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,cAAc,GAAG,KAAK,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxB,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBACf,aAAa,GAAG,KAAK,CAAC;gBACtB,GAAG,IAAI,IAAI,CAAC;YACd,CAAC;;gBAAM,GAAG,IAAI,GAAG,CAAC;YAClB,SAAS;QACX,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBAC9B,cAAc,GAAG,KAAK,CAAC;gBACvB,GAAG,IAAI,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;YACN,CAAC;;gBAAM,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YACtC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBACf,GAAG,IAAI,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACnB,QAAQ,GAAG,IAAI,CAAC;gBAChB,GAAG,IAAI,CAAC,CAAC;gBACT,SAAS;YACX,CAAC;YACD,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YAC/B,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC9B,aAAa,GAAG,IAAI,CAAC;YACrB,GAAG,IAAI,IAAI,CAAC;YACZ,CAAC,EAAE,CAAC;YACJ,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC9B,cAAc,GAAG,IAAI,CAAC;YACtB,GAAG,IAAI,IAAI,CAAC;YACZ,CAAC,EAAE,CAAC;YACJ,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACxC,QAAQ,GAAG,CAAC,CAAC;YACb,GAAG,IAAI,CAAC,CAAC;YACT,SAAS;QACX,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;IACX,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/detectors/duplicate-function.d.ts

@@ -0,0 +1,9 @@
+import type { Detector, Finding, SymbolRecord } from '../types.js';
+export declare class DuplicateFunctionDetector implements Detector {
+    id: string;
+    name: string;
+    run(symbols: SymbolRecord[]): Promise<Finding[]>;
+    private toFinding;
+    private buildDescription;
+}
+//# sourceMappingURL=duplicate-function.d.ts.map

package/dist/detectors/duplicate-function.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"duplicate-function.d.ts","sourceRoot":"","sources":["../../src/detectors/duplicate-function.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAqB,YAAY,EAAE,MAAM,aAAa,CAAC;AAwBtF,qBAAa,yBAA0B,YAAW,QAAQ;IACxD,EAAE,SAAwB;IAC1B,IAAI,SAAiC;IAE/B,GAAG,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAoHtD,OAAO,CAAC,SAAS;IAmCjB,OAAO,CAAC,gBAAgB;CAgBzB"}