@massu/core 1.4.0-soak.0 → 1.5.0

package/src/detect/adapters/spring.ts

@@ -0,0 +1,284 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Plan 3c — Phase 7: Spring (Spring Boot / Spring MVC) AST adapter.
+ *
+ * Sixth and final Phase 7 framework after go-chi + Flask + Rails + Phoenix
+ * + ASP.NET. First to consume the `java` Tree-sitter grammar entry from
+ * GRAMMAR_MANIFEST (commit fbb8aa9). All four queries verified against
+ * actual tree-sitter-java AST shape via probe (R-011) BEFORE writing the
+ * adapter — same discipline as phoenix + aspnet.
+ *
+ * Spring uses annotation-based routing per the Spring MVC reference
+ * (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller.html):
+ *   - `@RestController` / `@Controller` at the class level
+ *   - `@RequestMapping("/api/users")` at class level for path prefix
+ *   - `@GetMapping("/{id}")` / `@PostMapping` / etc. on methods for verb +
+ *     optional sub-path
+ *
+ * Extracts:
+ *   - route_method: most-common HTTP verb captured from
+ *     `@<Verb>Mapping` annotations. Normalized: `GetMapping` → `Get`,
+ *     `PostMapping` → `Post`, etc. Mirrors aspnet's MapGet/HttpGet
+ *     normalization for downstream consumer consistency.
+ *   - route_prefix_base: first segment of the first class-level
+ *     `@RequestMapping("/api/...")` template, normalized to a leading-
+ *     slash path. Mirrors aspnet route_prefix_base / phoenix
+ *     scope_prefix_base.
+ *   - controller_class: name of the first class annotated with
+ *     `@RestController` or `@Controller`. Mirrors aspnet controller_class
+ *     / phoenix router_module.
+ *
+ * Confidence rules (mirror phoenix / rails / aspnet):
+ *   - 'high'   if exactly ONE distinct route_method seen.
+ *   - 'low'    if multiple distinct route_methods seen.
+ *   - 'medium' if route_prefix_base or controller_class found but no
+ *              route_method.
+ *   - 'none'   if no Spring signals at all.
+ *
+ * Tree-sitter-java AST shape (verified via probe 2026-05-07):
+ *   - Annotations come in TWO node-type flavors:
+ *       - `(marker_annotation name: (identifier))` for parameterless
+ *         annotations like `@PostMapping`, `@RestController`.
+ *       - `(annotation name: (identifier) arguments: (annotation_argument_list
+ *         (string_literal) ...))` for parameterized annotations like
+ *         `@GetMapping("/{id}")`, `@RequestMapping("/api/users")`.
+ *     Adapter queries cover BOTH where applicable.
+ *   - Class declarations: `(class_declaration (modifiers (annotation ...) /
+ *     (marker_annotation ...)) name: (identifier) body: (class_body ...))`.
+ *   - String literals are `(string_literal (string_fragment))`; node.text
+ *     returns the quoted source verbatim.
+ *
+ * Does NOT use regex on file content — only Tree-sitter S-expression queries
+ * compiled via query-helpers.ts.
+ */
+
+import { Parser } from 'web-tree-sitter';
+import type { CodebaseAdapter, AdapterResult, DetectionSignals, Provenance, SourceFile } from './types.ts';
+import { runQuery, InvalidQueryError } from './query-helpers.ts';
+import { loadGrammar } from './tree-sitter-loader.ts';
+import { isParsableSource, MAX_AST_FILE_BYTES } from './parse-guard.ts';
+
+// ============================================================
+// Tree-sitter S-expression queries (Java grammar)
+// ============================================================
+
+/**
+ * Parameterized HTTP mapping annotations: `@GetMapping("/{id}")`,
+ * `@PostMapping("/login")`, etc. Captures both the verb (from the
+ * annotation name) AND the path string for prefix-base extraction.
+ *
+ * Per Spring docs:
+ * https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-requestmapping.html
+ */
+const HTTP_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$")
+  arguments: (annotation_argument_list
+    (string_literal) @route_path))
+`;
+
+/**
+ * Parameterless HTTP mapping annotations: `@PostMapping`, `@DeleteMapping`,
+ * etc. The tree-sitter-java grammar uses a separate `marker_annotation`
+ * node for annotations without an argument list — distinct from the
+ * parameterized `annotation` node above.
+ */
+const HTTP_MAPPING_NO_ARGS_QUERY = `
+(marker_annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$"))
+`;
+
+/**
+ * Class-level `@RequestMapping("/api/users")`. Captures the path template
+ * so we can extract its first segment.
+ */
+const REQUEST_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @_name (#eq? @_name "RequestMapping")
+  arguments: (annotation_argument_list
+    (string_literal) @route_template))
+`;
+
+/**
+ * Class declarations annotated with `@RestController` or `@Controller`.
+ * Both annotation flavors (marker + parameterized) are captured because
+ * Spring controllers usually use parameterless `@RestController` /
+ * `@Controller` but some use `@Controller(value = "name")`.
+ */
+const CONTROLLER_CLASS_QUERY = `
+(class_declaration
+  (modifiers
+    (marker_annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+
+(class_declaration
+  (modifiers
+    (annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+`;
+
+// ============================================================
+// Adapter
+// ============================================================
+
+export const springAdapter: CodebaseAdapter = {
+  id: 'spring',
+  languages: ['java'],
+
+  matches(signals: DetectionSignals): boolean {
+    // Cheap signal-only check. No file IO. The canonical Spring Boot
+    // declaration is the `spring-boot-starter-web` artifact (Maven) or
+    // dependency string (Gradle), per the Spring Boot reference:
+    // https://docs.spring.io/spring-boot/reference/using/build-systems.html
+    if (signals.pomXml && /\bspring-boot-starter[\w-]*\b/.test(signals.pomXml)) {
+      return true;
+    }
+    if (signals.gradleBuild && /\bspring-boot-starter[\w-]*\b/.test(signals.gradleBuild)) {
+      return true;
+    }
+    // Fallback: explicit `spring-webmvc` or `org.springframework` references
+    // catch projects that use Spring without Spring Boot (rare today but
+    // canonical Spring MVC pre-Boot apps).
+    if (signals.pomXml && /\borg\.springframework\b/.test(signals.pomXml)) {
+      return true;
+    }
+    if (signals.gradleBuild && /\borg\.springframework\b/.test(signals.gradleBuild)) {
+      return true;
+    }
+    return false;
+  },
+
+  async introspect(files: SourceFile[], _rootDir: string): Promise<AdapterResult> {
+    if (files.length === 0) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    let language;
+    try {
+      language = await loadGrammar('java');
+    } catch (e) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    const parser = new Parser();
+    parser.setLanguage(language);
+
+    const routeMethods = new Map<string, { line: number; file: string }>();
+    const prefixBases = new Map<string, { line: number; file: string }>();
+    const controllerClasses = new Map<string, { line: number; file: string }>();
+
+    try {
+      for (const file of files) {
+        const skip = isParsableSource(file.content, file.size);
+        if (skip) {
+          process.stderr.write(
+            `[massu/ast] WARN: spring skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)\n`,
+          );
+          continue;
+        }
+        try {
+          // Parameterized @<Verb>Mapping("/path")
+          for (const hit of runQuery(parser, file.content, HTTP_MAPPING_QUERY, 'spring-http-mapping', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/Mapping$/, ''); // GetMapping → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // Parameterless @<Verb>Mapping
+          for (const hit of runQuery(parser, file.content, HTTP_MAPPING_NO_ARGS_QUERY, 'spring-http-mapping-marker', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/Mapping$/, '');
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // @RequestMapping("/api/...")
+          for (const hit of runQuery(parser, file.content, REQUEST_MAPPING_QUERY, 'spring-request-mapping', file.path)) {
+            const tplRaw = hit.captures.route_template;
+            if (!tplRaw) continue;
+            const literal = tplRaw.replace(/^["']/, '').replace(/["']$/, '');
+            const base = extractPrefixBase(literal);
+            if (base && !prefixBases.has(base)) {
+              prefixBases.set(base, { line: hit.line, file: file.path });
+            }
+          }
+          // @RestController / @Controller class
+          for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY, 'spring-controller-class', file.path)) {
+            const name = hit.captures.class_name;
+            if (name && !controllerClasses.has(name)) {
+              controllerClasses.set(name, { line: hit.line, file: file.path });
+            }
+          }
+        } catch (e) {
+          if (e instanceof InvalidQueryError) {
+            throw e;
+          }
+          continue;
+        }
+      }
+    } finally {
+      try { parser.delete(); } catch { /* ignore */ }
+    }
+
+    const conventions: Record<string, unknown> = {};
+    const provenance: Provenance[] = [];
+
+    if (routeMethods.size === 1) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'spring-http-mapping' });
+    } else if (routeMethods.size >= 2) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'spring-http-mapping' });
+    }
+
+    if (prefixBases.size >= 1) {
+      const [base, { line, file }] = prefixBases.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_prefix_base = base;
+      provenance.push({ field: 'route_prefix_base', sourceFile: file, line, query: 'spring-request-mapping' });
+    }
+
+    if (controllerClasses.size >= 1) {
+      const [name, { line, file }] = controllerClasses.entries().next().value as [string, { line: number; file: string }];
+      conventions.controller_class = name;
+      provenance.push({ field: 'controller_class', sourceFile: file, line, query: 'spring-controller-class' });
+    }
+
+    let confidence: AdapterResult['confidence'];
+    if (Object.keys(conventions).length === 0) {
+      confidence = 'none';
+    } else if (routeMethods.size === 1) {
+      confidence = 'high';
+    } else if (routeMethods.size >= 2) {
+      confidence = 'low';
+    } else {
+      confidence = 'medium';
+    }
+
+    return { conventions, provenance, confidence };
+  },
+};
+
+// ============================================================
+// Helpers
+// ============================================================
+
+/**
+ * Extract the first path segment of a Spring `@RequestMapping` template.
+ * Mirrors aspnet/phoenix/rails/python-flask/go-chi extractors. Returns
+ * null if input is empty or `/`-only.
+ */
+function extractPrefixBase(prefix: string): string | null {
+  const stripped = prefix.replace(/^\/+/, '');
+  const firstSeg = stripped.split('/')[0];
+  if (!firstSeg) return null;
+  return '/' + firstSeg;
+}

package/src/detect/adapters/tree-sitter-loader.ts

@@ -4,8 +4,7 @@
 /**
  * Plan 3b — Phase 1: Tree-sitter WASM grammar loader (Strategy A).
  *
- * Strategy A — locked at Phase 0 (`docs/internal/2026-04-26-ast-lsp-spec.md`
- * §1, §8): grammars are NOT bundled in the npm tarball. The loader downloads
+ * Strategy A: grammars are NOT bundled in the npm tarball. The loader downloads
  * each requested grammar at first use from a pinned URL, verifies SHA-256
  * against a hardcoded manifest, caches under `~/.massu/wasm-cache/`.
  *
@@ -25,12 +24,14 @@
 import { createHash } from 'crypto';
 import {
   mkdirSync,
+  readdirSync,
   readFileSync,
   writeFileSync,
   renameSync,
   unlinkSync,
   lstatSync,
   chmodSync,
+  utimesSync,
 } from 'fs';
 import { homedir } from 'os';
 import { dirname, join } from 'path';
@@ -160,6 +161,56 @@ export const GRAMMAR_MANIFEST: Partial<Record<TreeSitterLanguage, ManifestEntry>
     sha256: '41c4fdb2249a3aa6d87eed0d383081ff09725c2248b4977043a43825980ffcc7',
     version: '0.1.13',
   },
+  // ----------------------------------------------------------------
+  // Plan 3c Phase 7 expansion (2026-05-07):
+  //
+  // Six additional grammars to support the registry-verified framework
+  // adapters (go-chi, rails, aspnet, spring, ktor, phoenix) plus the
+  // bundled adapters in the same language families (gin/echo/fiber,
+  // sinatra, etc.). All entries use the SAME pinned tree-sitter-wasms
+  // version (0.1.13) as the v1 four to keep the dependency surface
+  // single-source.
+  //
+  // SHA-256s computed 2026-05-07 via:
+  //   curl -fsSL <url> | shasum -a 256
+  //
+  // The unpkg filename for C# uses an underscore (`c_sharp`) while the
+  // TreeSitterLanguage identifier uses no separator (`csharp`); the map
+  // key is the type identifier, the URL is the storage path — they do
+  // NOT need to match, the same as how `python` maps to `tree-sitter-
+  // python.wasm`. This is intentional and validated by the manifest
+  // shape test in tree-sitter-loader-manifest.test.ts.
+  // ----------------------------------------------------------------
+  go: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-go.wasm',
+    sha256: '9963ca89b616eaf04b08a43bc1fb0f07b85395bec313330851f1f1ead2f755b6',
+    version: '0.1.13',
+  },
+  ruby: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-ruby.wasm',
+    sha256: '93a5022855314cdb45458c7bb026a24a0ebc3a5ff6439e542e881f14dfa13a39',
+    version: '0.1.13',
+  },
+  csharp: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-c_sharp.wasm',
+    sha256: '6266a7e32d68a3459104d994dc848df15d5672b0ea8e86d327274b694f8e6991',
+    version: '0.1.13',
+  },
+  java: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-java.wasm',
+    sha256: '637aac4415fb39a211a4f4292d63c66b5ce9c32fa2cd35464af4f681d91b9a1f',
+    version: '0.1.13',
+  },
+  kotlin: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-kotlin.wasm',
+    sha256: 'b5cb00c8d06ed0f10f1dbe497205b437809d7e87db1f638721a8cfb30e044449',
+    version: '0.1.13',
+  },
+  elixir: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-elixir.wasm',
+    sha256: '82e91b9759ddca30d8978ebbfa8e347b4451b64c931f9ae62112e6db9b8fac20',
+    version: '0.1.13',
+  },
 };
 
 // ============================================================
@@ -174,6 +225,118 @@ function getCachedPath(language: TreeSitterLanguage, sha: string): string {
   return join(getCacheDir(), `${language}-${sha}.wasm`);
 }
 
+// ============================================================
+// LRU cache eviction (Phase 3.5 audit F-011 — closed 2026-05-06)
+// ============================================================
+//
+// F-011 was deferred at v1 ("at ~3MB per grammar, full cache footprint is
+// <100MB — not an attack vector"). The 2026-05-06 audit-leak retrospective
+// elevated it: now that the cache path + naming convention are publicly
+// known (the security audit doc was visible for 9 days), opportunistic
+// disk-fill attacks become slightly less hypothetical, AND the cost of
+// retrofitting LRU once Plan 3c expands the supported grammar set is
+// strictly higher than doing it now while only 4 grammars exist.
+//
+// Eviction rule: keep the N most-recently-USED entries (mtime, updated by
+// the cache-hit path on every read). Default cap = 16 — leaves headroom
+// for Plan 3c's 31-grammar expansion plus dev-time version churn, while
+// bounding total cache to ~50MB at 3MB/grammar.
+
+const DEFAULT_CACHE_RETAIN_COUNT = 16;
+
+function getCacheRetainCount(): number {
+  const env = process.env.MASSU_WASM_CACHE_RETAIN;
+  if (env) {
+    const n = Number(env);
+    if (Number.isFinite(n) && n >= 1 && n <= 1024) return Math.floor(n);
+  }
+  return DEFAULT_CACHE_RETAIN_COUNT;
+}
+
+/**
+ * Touch a cache file's mtime to mark "most recently used." Called on every
+ * cache-hit. Best-effort: any failure is silently swallowed — touching is
+ * an optimization signal for eviction, not load-bearing.
+ *
+ * Uses utimes via writeFileSync round-trip would be expensive; instead we
+ * use the same filesystem touch trick as `touch -a`: open + close. On
+ * macOS/Linux Node, `chmodSync` to the same mode does NOT update mtime,
+ * so we do a no-op write of empty content via a tmp marker file. Cheaper
+ * approach: just rely on atime if filesystem records it. Most modern
+ * filesystems are mounted with `relatime` so atime updates only when
+ * older than mtime — which means after our first eviction-relevant
+ * read, atime IS the right signal.
+ *
+ * Decision: use mtime via `utimesSync` — explicit and portable.
+ */
+function touchCacheFile(path: string): void {
+  try {
+    const now = new Date();
+    utimesSync(path, now, now);
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Evict cache entries beyond the retain count, keeping the N most recently
+ * used (by mtime). Called after every successful cache write. Best-effort:
+ * eviction failure never blocks a load.
+ *
+ * Rejects symlinks and non-regular files via lstat — the same defense as
+ * the cache-hit path (F-008 fix). A symlink in the cache dir is logged
+ * as a security warning but not deleted (don't act on attacker-controlled
+ * paths automatically).
+ */
+function evictBeyondRetainCount(retain: number = getCacheRetainCount()): void {
+  const dir = getCacheDir();
+  let entries: string[];
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return; // Dir doesn't exist yet; nothing to evict.
+  }
+
+  const candidates: { path: string; mtimeMs: number }[] = [];
+  for (const name of entries) {
+    if (!name.endsWith('.wasm')) continue; // Don't touch non-grammar files.
+    const path = join(dir, name);
+    let stat;
+    try {
+      stat = lstatSync(path);
+    } catch {
+      continue;
+    }
+    if (stat.isSymbolicLink() || !stat.isFile()) {
+      // Skip — never automatically delete what could be an attacker-placed
+      // symlink. Surface via stderr; user's cache dir is suspect.
+      console.error(
+        `[tree-sitter-loader] cache eviction skipped non-regular file: ${path} ` +
+          `(possible symlink attack — see Phase 3.5 finding F-008).`,
+      );
+      continue;
+    }
+    candidates.push({ path, mtimeMs: stat.mtimeMs });
+  }
+
+  if (candidates.length <= retain) return;
+
+  // Sort newest-first; everything beyond `retain` is evictable.
+  candidates.sort((a, b) => b.mtimeMs - a.mtimeMs);
+  for (const victim of candidates.slice(retain)) {
+    try {
+      unlinkSync(victim.path);
+    } catch {
+      // best-effort
+    }
+  }
+}
+
+/** Test-injection hook: lets tests force eviction without writing a new grammar. */
+export function _evictCacheForTest(retain?: number): void {
+  evictBeyondRetainCount(retain);
+}
+
 function sha256(bytes: Uint8Array): string {
   return createHash('sha256').update(bytes).digest('hex');
 }
@@ -271,6 +434,9 @@ export async function loadGrammar(
       }
       const lang = await Language.load(bytes);
       loadedGrammars.set(language, lang);
+      // F-011 LRU: mark this entry as most-recently-used so it survives
+      // future evictions.
+      touchCacheFile(cachePath);
       return lang;
     }
   }
@@ -326,6 +492,9 @@ export async function loadGrammar(
       }
       throw e;
     }
+    // F-011 LRU: prune cache to retain count after every successful write.
+    // Best-effort — eviction failure never blocks a load.
+    evictBeyondRetainCount();
   } catch (e) {
     // Cache write failure is non-fatal — we still have `body` in memory and
     // can load directly. Log to stderr per VR-USER-ERROR-MESSAGES style.

package/src/detect/adapters/types.ts

@@ -4,8 +4,7 @@
 /**
  * Plan 3b — Phase 1: AST Adapter contract types.
  *
- * Lives at `packages/core/src/detect/adapters/types.ts` per the spec doc
- * (`docs/internal/2026-04-26-ast-lsp-spec.md` §2). All types are local —
+ * Lives at `packages/core/src/detect/adapters/types.ts`. All types are local —
  * NONE re-exported from `web-tree-sitter`.
  *
  * Adapter authors import from this module only; the runner (`runner.ts`)
@@ -69,6 +68,24 @@ export interface DetectionSignals {
   cargoToml?: Record<string, unknown>;
   /** Raw `go.mod` text — undefined if absent. */
   goMod?: string;
+  /** Raw `mix.exs` text — undefined if absent. Elixir/Mix manifest. */
+  mixExs?: string;
+  /**
+   * Raw text of the FIRST `.csproj` file found at the project root —
+   * undefined if absent. .NET project file (XML). Adapters that need to
+   * inspect more than one csproj (multi-project solutions) can re-scan from
+   * `presentFiles`.
+   */
+  csproj?: string;
+  /** Raw `pom.xml` text — undefined if absent. Maven build manifest. */
+  pomXml?: string;
+  /**
+   * Raw text of `build.gradle` OR `build.gradle.kts` — whichever exists at
+   * the project root, with `.kts` (Kotlin DSL) preferred when both are
+   * present (Kotlin DSL is the modern default per Gradle 7+ docs).
+   * Undefined if neither exists.
+   */
+  gradleBuild?: string;
   /** Set of present directory names directly under the project root (one level). */
   presentDirs: Set<string>;
   /** Set of present file basenames directly under the project root (one level). */

package/src/detect/migrate.ts

@@ -192,7 +192,7 @@ export function migrateV1ToV2(
     framework.languages = languageEntries;
   }
   // P1-004: preserve any v1Framework subkey the explicit rebuild didn't emit
-  // (e.g., hedge's `framework.{python, rust, swift, typescript}` language sub-blocks).
+  // (e.g., a multi-runtime monorepo's `framework.{python, rust, swift, typescript}` language sub-blocks).
   preserveNestedSubkeys(v1Framework, framework);
 
   // Paths: preserve user-set fields; fill `source` from detection if user had 'src' default.
@@ -234,13 +234,13 @@ export function migrateV1ToV2(
     if (typeof v1Paths[k] === 'string') paths[k] = v1Paths[k];
   }
   // P1-005: preserve any v1Paths subkey the explicit rebuild didn't emit
-  // (e.g., hedge's 19 custom `paths.*` entries like adr, plans, monorepo_root).
+  // (e.g., a downstream consumer's 19 custom `paths.*` entries like adr, plans, monorepo_root).
   preserveNestedSubkeys(v1Paths, paths);
 
   const verification = buildVerificationBlock(detection, v1Verification);
 
   // P1-006: build project block with nested passthrough so custom subkeys
-  // (e.g., hedge's `project.description`) survive the migration.
+  // (e.g., a downstream consumer's `project.description`) survive the migration.
   const project: Record<string, unknown> = {
     name: typeof v1Project.name === 'string' ? v1Project.name : 'my-project',
     root: typeof v1Project.root === 'string' ? v1Project.root : 'auto',
@@ -265,7 +265,7 @@ export function migrateV1ToV2(
 
   // P1-001: preserve any v1 top-level key not already handled by the explicit
   // migrator. This is the generalization of PRESERVED_FIELDS — custom sections
-  // like `services`, `workflow`, `north_stars` (hedge) now pass through.
+  // like `services`, `workflow`, `north_stars` now pass through.
   //
   // `detection` is intentionally NOT in handledTopLevel: when a v2 config is
   // fed back in (idempotence check at migrate.ts:16), the existing `detection`

package/src/detect/monorepo-detector.ts

@@ -232,6 +232,7 @@ function detectPnpmWorkspaces(root: string): WorkspacePackage[] | null {
   const raw = safeReadText(join(root, 'pnpm-workspace.yaml'));
   if (!raw) return null;
   try {
+    // pattern-scanner-allow: yaml-parse — reason: Phase 1 auto-detection parses pnpm-workspace.yaml to discover workspace packages BEFORE any massu config exists. This runs PRE-getConfig in the init flow, so getConfig() is unavailable by definition.
     const parsed = parseYaml(raw) as { packages?: unknown } | null;
     const list = Array.isArray(parsed?.packages)
       ? (parsed!.packages as unknown[]).filter((x) => typeof x === 'string') as string[]

package/src/hooks/post-tool-use.ts

@@ -245,6 +245,7 @@ function readConventions(cwd?: string): {
     const configPath = join(projectRoot, 'massu.config.yaml');
     if (!existsSync(configPath)) return defaults;
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: compiled standalone hook (esbuild bundle). Per P2-023a, hooks cannot import getConfig() — they run in the Claude Code subprocess context with no module resolution path back to packages/core. Direct YAML parse is the only available access pattern.
     const parsed = parseYaml(content) as Record<string, unknown> | null;
     if (!parsed || typeof parsed !== 'object') return defaults;
     const conventions = parsed.conventions as Record<string, unknown> | undefined;

package/src/hooks/session-start.ts

@@ -279,6 +279,7 @@ async function buildDriftBanner(): Promise<string> {
     const configPath = resolve(process.cwd(), 'massu.config.yaml');
     if (!existsSync(configPath)) return '';
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: compiled standalone hook (esbuild bundle). Per P2-023a, hooks cannot import getConfig() — they run in the Claude Code subprocess context with no module resolution path back to packages/core. Direct YAML parse is the only available access pattern.
     const parsed = parseYaml(content) as Record<string, unknown> | null;
     if (!parsed || typeof parsed !== 'object') return '';
     const det = parsed.detection as Record<string, unknown> | undefined;