@massu/core 1.4.0-soak.0 → 1.5.0

package/src/commands/config-check-drift.ts

@@ -69,6 +69,7 @@ export async function runConfigCheckDrift(
   let config: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 drift detector. Raw YAML compare needed at arbitrary cwd before getConfig() cache populates; the drift detector intentionally bypasses the cached parse to inspect on-disk state.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/config-refresh.ts

@@ -179,7 +179,7 @@ export function mergeRefresh(existing: AnyConfig, refreshed: AnyConfig): AnyConf
   // paths.aliases is a 2-level-nested user block. Detector always writes
   // { '@': <source-dir> }; user-authored alias map must survive. Spread user
   // over detector so user keys win for any overlap AND user-only keys survive.
-  // (P5-002 discovery — hedge's paths.aliases['@'] was being overwritten.)
+  // (P5-002 discovery — a downstream consumer's paths.aliases['@'] was being overwritten.)
   const existingPaths = existing.paths;
   const outPaths = out.paths;
   if (
@@ -203,9 +203,9 @@ export function mergeRefresh(existing: AnyConfig, refreshed: AnyConfig): AnyConf
 
   // verification is the other 2-level-nested detector-owned block. Semantics
   // mirror migrate.ts:132-138 buildVerificationBlock: user's custom language
-  // sections (e.g., hedge's `gateway`, `ios`, `runtime`, `web`) survive
+  // sections (e.g., a multi-runtime monorepo's `gateway`, `ios`, `runtime`, `web`) survive
   // wholesale; user's command overrides on shared languages (e.g., `python`)
-  // win over detector defaults. (P5-002 discovery — hedge was losing 15
+  // win over detector defaults. (P5-002 discovery — a downstream consumer was losing 15
   // verification command entries across 4 custom language sections plus
   // having 4 python commands overwritten with detector defaults.)
   const existingVer = existing.verification;
@@ -272,6 +272,7 @@ export async function runConfigRefresh(opts: ConfigRefreshOptions = {}): Promise
   let existing: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 config lifecycle command. getConfig() Zod-rejects pre-migration v1 configs (which is exactly what `massu config refresh` is meant to read + migrate). Raw parse is required to inspect a pre-upgrade YAML structure.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/config-upgrade.ts

@@ -74,6 +74,7 @@ export async function runConfigUpgrade(opts: ConfigUpgradeOptions = {}): Promise
   let existing: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 config lifecycle command. Same pre-migration constraint as config-refresh: `massu config upgrade` operates on v1 configs that getConfig() Zod-rejects, so raw parse is required.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/doctor.ts

@@ -67,6 +67,7 @@ function checkConfig(projectRoot: string): CheckResult {
 
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: `massu doctor` config-integrity diagnostic; runs BEFORE getConfig() to verify the file is well-formed YAML so the user sees a parse error here, not a Zod-validation surprise downstream.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       return { name: 'Configuration', status: 'fail', detail: 'massu.config.yaml is empty or invalid YAML' };
@@ -449,6 +450,7 @@ export async function runValidateConfig(): Promise<void> {
 
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: `massu doctor` deep-validation pass; same diagnostic-mode reasoning as the upper checkConfig() — surfaces YAML errors with operator-friendly stderr before any getConfig() call.
     const parsed = parseYaml(content);
 
     if (!parsed || typeof parsed !== 'object') {

package/src/commands/init.ts

@@ -5,7 +5,7 @@
  * `massu init` — One-command, detection-driven project setup.
  *
  * Phase 3 rewrite (2026-04-19): replaces the JS/TS template copier (old
- * detectFramework/generateConfig path, root cause of Hedge-style stale configs)
+ * detectFramework/generateConfig path, root cause of multi-runtime stale-config drift)
  * with a flow that runs the Phase 1 detection engine (`runDetection`) and
  * generates a v2 schema_version=2 `massu.config.yaml` that reflects the
  * actual repo layout (languages, source_dirs, verification commands, domains).
@@ -616,6 +616,7 @@ export function writeConfigAtomic(
     }
 
     // Validate YAML parses.
+    // pattern-scanner-allow: yaml-parse — reason: atomic-write post-validator. We just generated `content` and wrote it to a tmp path; before atomic rename to the final config path we re-parse to verify the bytes we serialized are valid YAML. Calling getConfig() here would re-read from cwd and miss the tmp file.
     const parsed = yamlParse(content);
     if (parsed === null || typeof parsed !== 'object') {
       throw new Error('Generated config is not a valid YAML object');
@@ -661,6 +662,7 @@ export function validateWrittenConfig(
     // getConfig caches against process.cwd() and we may be validating a config
     // outside the current working tree (tests, etc.).
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: see preceding comment block; getConfig() caches against process.cwd() and would either return a stale entry or fail to read a config at an arbitrary projectRoot.
     const parsed = yamlParse(content);
     if (parsed === null || typeof parsed !== 'object') {
       return 'Config is not a valid YAML object';

package/src/commands/template-engine.ts

@@ -4,8 +4,6 @@
 /**
  * Massu codebase-aware templating engine — string substitution only.
  *
- * Spec: docs/internal/2026-04-26-codebase-aware-templates-spec.md
- *
  * Grammar (the entire surface):
  *   {{path.to.var}}                       Look up + render
  *   {{path.to.var | default("fallback")}} Look up; use literal on miss

package/src/commands/watch.ts

@@ -72,7 +72,7 @@ function parseFlags(args: string[]): ParsedFlags {
 }
 
 function findClaudeBg(): string | null {
-  // Prefer the well-known Hedge-author install path; fall back to PATH.
+  // Prefer the conventional ~/.claude/bin install path; fall back to PATH.
   const home = process.env.HOME ?? '';
   const fixed = home ? resolve(home, '.claude', 'bin', 'claude-bg') : null;
   if (fixed && existsSync(fixed)) return fixed;

package/src/config.ts

@@ -372,6 +372,59 @@ const WatchConfigSchema = z.object({
 }).passthrough().optional();
 export type WatchConfig = z.infer<typeof WatchConfigSchema>;
 
+// --- Adapters Config (Plan 3c — third-party adapter registry) ---
+// Tunable knobs for the third-party adapter loading subsystem.
+// `enabled` is the kill switch (default false for first 2 minor releases per
+// Plan 3c gap-1 + audit-iteration-1 deliverable). When false, only the 35
+// CORE-BUNDLED adapters in @massu/core itself load; @massu/adapter-* npm
+// packages and adapters.local entries are ignored.
+// `local` is the explicit per-path opt-in for project-local TS/JS adapters.
+//
+// Note: `allow_unsigned` was REMOVED 2026-05-07 (CR-9 audit C2 fix). The
+// field had been parsed by the schema but never consulted at any callsite,
+// creating a tripwire — a future contributor wiring it would silently
+// disable signature verification. Per Rule 0 / drift-prevention, dead
+// fields are removed, not documented. No v1 use case exists for unsigned
+// adapter loading; if a future v2 adds one, it ships with documented
+// callsite enforcement and a different field name to avoid the tripwire
+// pattern.
+//
+// Path validation (gap-58): adapters.local entries are normalized to POSIX form
+// for cross-platform fingerprint stability. Absolute paths and `..` traversal
+// are rejected at schema validation (attack-surface defense — a malicious
+// postinstall could add "/etc/passwd" or "../../../home/user/.ssh/" entries
+// that bypass the project tree).
+export const AdapterLocalPathSchema = z.string()
+  .refine((s) => !/^([A-Za-z]:[\\/]|[\\/])/.test(s), {
+    message: 'absolute paths are rejected; adapters.local entries must be relative to the massu.config.yaml directory',
+  })
+  .refine((s) => !s.split(/[\\/]/).includes('..'), {
+    message: 'parent-directory traversal (`..`) is rejected; adapters.local entries must stay inside the project tree',
+  })
+  // Normalize to POSIX form for stable cross-platform sha256 fingerprinting.
+  // Windows backslash inputs are converted to forward slashes; consecutive
+  // separators are collapsed; trailing `./` segments are removed.
+  .transform((s) => s.split(/[\\/]/).filter((part) => part !== '' && part !== '.').join('/'));
+
+const AdaptersConfigSchema = z.object({
+  enabled: z.boolean().default(false),
+  local: z.array(AdapterLocalPathSchema).default([]),
+}).passthrough().optional();
+export type AdaptersConfig = z.infer<typeof AdaptersConfigSchema>;
+
+// --- Telemetry Config (Plan 3c — adapter-discovery telemetry) ---
+// Optional anonymous telemetry on adapter-discovery counts (NOT file paths,
+// NOT symbol names, NOT source content). Strictly off by default; never
+// enabled silently. When `adapters: true`, the telemetry writer at
+// packages/core/src/security/telemetry.ts emits one JSONL line per discovery
+// event matching AdapterDiscoveryPayloadSchema (defined inline in that
+// module). PII guardrail: schema is `.strict()` so unknown keys are
+// rejected at write time AND at replay time.
+const TelemetryConfigSchema = z.object({
+  adapters: z.boolean().default(false),
+}).passthrough().optional();
+export type TelemetryConfig = z.infer<typeof TelemetryConfigSchema>;
+
 // --- LSP Config (Plan 3b — Phase 4: LSP integration) ---
 // Top-level optional `lsp:` block configuring optional LSP enrichment of AST
 // adapter results. Per VR-LSP-AUTODETECT-OFF-BY-DEFAULT (audit-iter-1 fix G4):
@@ -383,6 +436,14 @@ export const LSPConfigSchema = z.object({
   servers: z.array(z.object({
     language: z.string(),
     command: z.string(),
+    // F-014 (closed 2026-05-06): explicit opt-in to spawn SUID/SGID
+    // binaries. Default false — argv[0] with the SUID bit is rejected
+    // unless this is true. Decision is auditable in the YAML.
+    allow_setuid: z.boolean().default(false),
+    // F-015 (closed 2026-05-06): per-server RSS budget (MB). Watchdog
+    // SIGKILLs the server after sustained breach. Default 1024 MB.
+    // Set to 0 to disable the watchdog for this server.
+    max_rss_mb: z.number().int().nonnegative().default(1024),
   })).default([]),
   autoDetect: z.object({
     viaPortScan: z.boolean().default(false),
@@ -432,6 +493,10 @@ const RawConfigSchema = z.object({
   detected: DetectedConfigSchema,
   // Plan 3a: file-watcher daemon tunables
   watch: WatchConfigSchema,
+  // Plan 3c: third-party adapter registry kill-switch + signing override + local-path opt-in.
+  adapters: AdaptersConfigSchema,
+  // Plan 3c: anonymous adapter-discovery telemetry opt-in (default off).
+  telemetry: TelemetryConfigSchema,
   // Plan 3b Phase 4: optional LSP enrichment of AST adapter results.
   lsp: LSPConfigSchema.optional(),
 }).passthrough();
@@ -476,6 +541,10 @@ export interface Config {
   detected?: DetectedConfig;
   // Plan 3a: file-watcher daemon tunables
   watch?: WatchConfig;
+  // Plan 3c: third-party adapter registry config block.
+  adapters?: AdaptersConfig;
+  // Plan 3c: telemetry opt-in block.
+  telemetry?: TelemetryConfig;
   // Plan 3b Phase 4: optional LSP enrichment block (default disabled).
   lsp?: LSPConfig;
 }
@@ -627,6 +696,8 @@ export function getConfig(): Config {
     detection: parsed.detection,
     detected: parsed.detected,
     watch: parsed.watch,
+    adapters: parsed.adapters,
+    telemetry: parsed.telemetry,
     lsp: parsed.lsp,
   };
 

package/src/detect/adapters/aspnet.ts

@@ -0,0 +1,293 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Plan 3c — Phase 7: ASP.NET Core AST adapter.
+ *
+ * Fifth Phase 7 framework after go-chi + Flask + Rails + Phoenix. First to
+ * consume the `csharp` Tree-sitter grammar entry from GRAMMAR_MANIFEST
+ * (commit fbb8aa9). All queries verified against actual tree-sitter-c-sharp
+ * AST shape via probe (R-011) BEFORE writing the adapter.
+ *
+ * ASP.NET Core supports two routing styles, both first-class per the
+ * official routing guide (https://learn.microsoft.com/aspnet/core/fundamentals/routing):
+ *   1. **Minimal API** (recommended for new projects since .NET 6):
+ *      `app.MapGet("/path", handler)`, `app.MapPost(...)`, etc. in
+ *      Program.cs.
+ *   2. **Attribute routing** (MVC controllers): `[HttpGet("{id}")]`,
+ *      `[HttpPost]`, `[Route("api/[controller]")]` on controller classes
+ *      and methods.
+ *
+ * The adapter handles BOTH styles uniformly — extracted route_method
+ * normalizes `MapGet`/`HttpGet` → `Get`, `MapPost`/`HttpPost` → `Post`,
+ * etc. so downstream consumers don't need to know which style produced
+ * the signal.
+ *
+ * Extracts:
+ *   - route_method: most-common HTTP verb captured from EITHER `app.Map<Verb>`
+ *     invocations (minimal API) OR `[Http<Verb>]` attributes (MVC).
+ *   - route_prefix_base: first path segment from EITHER the first `MapGet`
+ *     string-literal path arg OR the first class-level `[Route("template")]`
+ *     attribute. Mirrors phoenix scope_prefix_base / rails api_namespace.
+ *   - controller_class: name of the first class ending in `Controller`
+ *     (attribute-routing style only — minimal API has no controllers).
+ *     Mirrors python-flask app_factory / phoenix router_module.
+ *
+ * Confidence rules (mirror phoenix / rails / go-chi):
+ *   - 'high'   if exactly ONE distinct route_method seen.
+ *   - 'low'    if multiple distinct route_methods seen.
+ *   - 'medium' if route_prefix_base or controller_class found but no
+ *              route_method.
+ *   - 'none'   if no ASP.NET signals at all (regex fallback takes over).
+ *
+ * Tree-sitter-c-sharp AST shape (verified via probe 2026-05-07):
+ *   - Method calls: `(invocation_expression function: (member_access_expression
+ *     name: (identifier)) arguments: (argument_list (argument
+ *     (string_literal)) ...))`.
+ *   - Attributes: `(attribute name: (identifier) (attribute_argument_list
+ *     (attribute_argument (string_literal))?))` — argument list is optional
+ *     because attributes like `[HttpPost]` have no args.
+ *   - Class declarations: `(class_declaration name: (identifier)
+ *     bases: (base_list (identifier)?))` — bases optional.
+ *
+ * Does NOT use regex on file content — only Tree-sitter S-expression queries
+ * compiled via query-helpers.ts.
+ */
+
+import { Parser } from 'web-tree-sitter';
+import type { CodebaseAdapter, AdapterResult, DetectionSignals, Provenance, SourceFile } from './types.ts';
+import { runQuery, InvalidQueryError } from './query-helpers.ts';
+import { loadGrammar } from './tree-sitter-loader.ts';
+import { isParsableSource, MAX_AST_FILE_BYTES } from './parse-guard.ts';
+
+// ============================================================
+// Tree-sitter S-expression queries (C# grammar)
+// ============================================================
+
+/**
+ * Minimal-API verb mapping: `app.MapGet("/path", handler)`,
+ * `app.MapPost(...)`, etc. Anchored on the first argument being a
+ * string_literal so we capture the route path together with the verb.
+ *
+ * The captured @method is the full method name like `MapGet` — the
+ * adapter strips the `Map` prefix in post-processing.
+ *
+ * Per ASP.NET Core minimal API docs:
+ * https://learn.microsoft.com/aspnet/core/fundamentals/minimal-apis
+ */
+const MAP_VERB_QUERY = `
+(invocation_expression
+  function: (member_access_expression
+    name: (identifier) @method (#match? @method "^Map(Get|Post|Put|Patch|Delete|Head|Options)$"))
+  arguments: (argument_list
+    .
+    (argument (string_literal) @route_path)))
+`;
+
+/**
+ * Attribute-routing HTTP verb attributes: `[HttpGet]`, `[HttpGet("{id}")]`,
+ * `[HttpPost]`, etc. Captures BOTH the parameterless and parameterized
+ * forms — the route path may or may not be present.
+ *
+ * The captured @attr_name is `HttpGet` etc. — the adapter strips the
+ * `Http` prefix in post-processing.
+ *
+ * Per ASP.NET Core attribute routing docs:
+ * https://learn.microsoft.com/aspnet/core/mvc/controllers/routing
+ */
+const HTTP_ATTR_QUERY = `
+(attribute
+  name: (identifier) @attr_name (#match? @attr_name "^Http(Get|Post|Put|Patch|Delete|Head|Options)$"))
+`;
+
+/**
+ * Class-level `[Route("api/[controller]")]` attribute. Captures the
+ * route template string so we can extract its first path segment.
+ * Tokens like `[controller]` inside the template are kept verbatim —
+ * the prefix-base extractor splits on `/` so `api/[controller]` → `/api`.
+ */
+const ROUTE_ATTR_QUERY = `
+(attribute
+  name: (identifier) @_attr_name (#eq? @_attr_name "Route")
+  (attribute_argument_list
+    (attribute_argument (string_literal) @route_template)))
+`;
+
+/**
+ * Controller class declaration: `class FooController : ControllerBase`.
+ * We restrict to class names ending in `Controller` to avoid every class
+ * in the project (canonical ASP.NET MVC naming convention).
+ */
+const CONTROLLER_CLASS_QUERY = `
+(class_declaration
+  name: (identifier) @class_name (#match? @class_name "Controller$"))
+`;
+
+// ============================================================
+// Adapter
+// ============================================================
+
+export const aspnetAdapter: CodebaseAdapter = {
+  id: 'aspnet',
+  languages: ['csharp'],
+
+  matches(signals: DetectionSignals): boolean {
+    // Cheap signal-only check. No file IO. The canonical ASP.NET Core
+    // declaration is `<Project Sdk="Microsoft.NET.Sdk.Web">` in the .csproj
+    // file (per https://learn.microsoft.com/aspnet/core/fundamentals/target-aspnetcore).
+    // Fallback: presence of `Microsoft.AspNetCore.App` framework reference,
+    // which appears in older .csproj formats.
+    if (!signals.csproj) return false;
+    if (/Sdk\s*=\s*["']Microsoft\.NET\.Sdk\.Web["']/i.test(signals.csproj)) return true;
+    if (/Microsoft\.AspNetCore\.App/i.test(signals.csproj)) return true;
+    return false;
+  },
+
+  async introspect(files: SourceFile[], _rootDir: string): Promise<AdapterResult> {
+    if (files.length === 0) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    let language;
+    try {
+      language = await loadGrammar('csharp');
+    } catch (e) {
+      // Grammar unavailable → adapter returns 'none' so regex fallback takes over.
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    const parser = new Parser();
+    parser.setLanguage(language);
+
+    const routeMethods = new Map<string, { line: number; file: string }>();
+    const prefixBases = new Map<string, { line: number; file: string }>();
+    const controllerClasses = new Map<string, { line: number; file: string }>();
+
+    try {
+      for (const file of files) {
+        const skip = isParsableSource(file.content, file.size);
+        if (skip) {
+          process.stderr.write(
+            `[massu/ast] WARN: aspnet skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)\n`,
+          );
+          continue;
+        }
+        try {
+          // Minimal API: app.MapGet("/path", ...)
+          for (const hit of runQuery(parser, file.content, MAP_VERB_QUERY, 'aspnet-map-verb', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/^Map/, ''); // MapGet → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+            // Also capture the route path for prefix base
+            const pathRaw = hit.captures.route_path;
+            if (pathRaw) {
+              const literal = pathRaw.replace(/^["']/, '').replace(/["']$/, '');
+              const base = extractPrefixBase(literal);
+              if (base && !prefixBases.has(base)) {
+                prefixBases.set(base, { line: hit.line, file: file.path });
+              }
+            }
+          }
+          // Attribute routing: [HttpGet], [HttpPost], etc.
+          for (const hit of runQuery(parser, file.content, HTTP_ATTR_QUERY, 'aspnet-http-attr', file.path)) {
+            const attrRaw = hit.captures.attr_name;
+            if (!attrRaw) continue;
+            const verb = attrRaw.replace(/^Http/, ''); // HttpGet → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // Class-level [Route("api/[controller]")]
+          for (const hit of runQuery(parser, file.content, ROUTE_ATTR_QUERY, 'aspnet-route-attr', file.path)) {
+            const tplRaw = hit.captures.route_template;
+            if (!tplRaw) continue;
+            const literal = tplRaw.replace(/^["']/, '').replace(/["']$/, '');
+            const base = extractPrefixBase(literal);
+            if (base && !prefixBases.has(base)) {
+              prefixBases.set(base, { line: hit.line, file: file.path });
+            }
+          }
+          // Controller class: class FooController : ControllerBase
+          for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY, 'aspnet-controller-class', file.path)) {
+            const name = hit.captures.class_name;
+            if (name && !controllerClasses.has(name)) {
+              controllerClasses.set(name, { line: hit.line, file: file.path });
+            }
+          }
+        } catch (e) {
+          if (e instanceof InvalidQueryError) {
+            throw e;
+          }
+          continue;
+        }
+      }
+    } finally {
+      try { parser.delete(); } catch { /* ignore */ }
+    }
+
+    const conventions: Record<string, unknown> = {};
+    const provenance: Provenance[] = [];
+
+    if (routeMethods.size === 1) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'aspnet-map-verb' });
+    } else if (routeMethods.size >= 2) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'aspnet-map-verb' });
+    }
+
+    if (prefixBases.size >= 1) {
+      const [base, { line, file }] = prefixBases.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_prefix_base = base;
+      provenance.push({ field: 'route_prefix_base', sourceFile: file, line, query: 'aspnet-route-prefix' });
+    }
+
+    if (controllerClasses.size >= 1) {
+      const [name, { line, file }] = controllerClasses.entries().next().value as [string, { line: number; file: string }];
+      conventions.controller_class = name;
+      provenance.push({ field: 'controller_class', sourceFile: file, line, query: 'aspnet-controller-class' });
+    }
+
+    let confidence: AdapterResult['confidence'];
+    if (Object.keys(conventions).length === 0) {
+      confidence = 'none';
+    } else if (routeMethods.size === 1) {
+      confidence = 'high';
+    } else if (routeMethods.size >= 2) {
+      confidence = 'low';
+    } else {
+      confidence = 'medium';
+    }
+
+    return { conventions, provenance, confidence };
+  },
+};
+
+// ============================================================
+// Helpers
+// ============================================================
+
+/**
+ * Extract the first path segment of an ASP.NET route template. Mirrors
+ * phoenix/rails/python-flask/go-chi prefix-base extractors. Returns null
+ * if input is empty or `/`-only.
+ *
+ * Examples (verified against test fixtures):
+ *   "/health"             → "/health"
+ *   "api/[controller]"    → "/api"
+ *   "/api/v1/users"       → "/api"
+ *   "/"                   → null
+ *   ""                    → null
+ */
+function extractPrefixBase(prefix: string): string | null {
+  // ASP.NET route templates may or may not begin with `/`. Normalize.
+  const stripped = prefix.replace(/^\/+/, '');
+  const firstSeg = stripped.split('/')[0];
+  if (!firstSeg) return null;
+  return '/' + firstSeg;
+}