@massu/core 1.4.0 → 1.5.1

package/src/detect/adapters/spring.ts

@@ -0,0 +1,284 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Plan 3c — Phase 7: Spring (Spring Boot / Spring MVC) AST adapter.
+ *
+ * Sixth and final Phase 7 framework after go-chi + Flask + Rails + Phoenix
+ * + ASP.NET. First to consume the `java` Tree-sitter grammar entry from
+ * GRAMMAR_MANIFEST (commit fbb8aa9). All four queries verified against
+ * actual tree-sitter-java AST shape via probe (R-011) BEFORE writing the
+ * adapter — same discipline as phoenix + aspnet.
+ *
+ * Spring uses annotation-based routing per the Spring MVC reference
+ * (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller.html):
+ *   - `@RestController` / `@Controller` at the class level
+ *   - `@RequestMapping("/api/users")` at class level for path prefix
+ *   - `@GetMapping("/{id}")` / `@PostMapping` / etc. on methods for verb +
+ *     optional sub-path
+ *
+ * Extracts:
+ *   - route_method: most-common HTTP verb captured from
+ *     `@<Verb>Mapping` annotations. Normalized: `GetMapping` → `Get`,
+ *     `PostMapping` → `Post`, etc. Mirrors aspnet's MapGet/HttpGet
+ *     normalization for downstream consumer consistency.
+ *   - route_prefix_base: first segment of the first class-level
+ *     `@RequestMapping("/api/...")` template, normalized to a leading-
+ *     slash path. Mirrors aspnet route_prefix_base / phoenix
+ *     scope_prefix_base.
+ *   - controller_class: name of the first class annotated with
+ *     `@RestController` or `@Controller`. Mirrors aspnet controller_class
+ *     / phoenix router_module.
+ *
+ * Confidence rules (mirror phoenix / rails / aspnet):
+ *   - 'high'   if exactly ONE distinct route_method seen.
+ *   - 'low'    if multiple distinct route_methods seen.
+ *   - 'medium' if route_prefix_base or controller_class found but no
+ *              route_method.
+ *   - 'none'   if no Spring signals at all.
+ *
+ * Tree-sitter-java AST shape (verified via probe 2026-05-07):
+ *   - Annotations come in TWO node-type flavors:
+ *       - `(marker_annotation name: (identifier))` for parameterless
+ *         annotations like `@PostMapping`, `@RestController`.
+ *       - `(annotation name: (identifier) arguments: (annotation_argument_list
+ *         (string_literal) ...))` for parameterized annotations like
+ *         `@GetMapping("/{id}")`, `@RequestMapping("/api/users")`.
+ *     Adapter queries cover BOTH where applicable.
+ *   - Class declarations: `(class_declaration (modifiers (annotation ...) /
+ *     (marker_annotation ...)) name: (identifier) body: (class_body ...))`.
+ *   - String literals are `(string_literal (string_fragment))`; node.text
+ *     returns the quoted source verbatim.
+ *
+ * Does NOT use regex on file content — only Tree-sitter S-expression queries
+ * compiled via query-helpers.ts.
+ */
+
+import { Parser } from 'web-tree-sitter';
+import type { CodebaseAdapter, AdapterResult, DetectionSignals, Provenance, SourceFile } from './types.ts';
+import { runQuery, InvalidQueryError } from './query-helpers.ts';
+import { loadGrammar } from './tree-sitter-loader.ts';
+import { isParsableSource, MAX_AST_FILE_BYTES } from './parse-guard.ts';
+
+// ============================================================
+// Tree-sitter S-expression queries (Java grammar)
+// ============================================================
+
+/**
+ * Parameterized HTTP mapping annotations: `@GetMapping("/{id}")`,
+ * `@PostMapping("/login")`, etc. Captures both the verb (from the
+ * annotation name) AND the path string for prefix-base extraction.
+ *
+ * Per Spring docs:
+ * https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-requestmapping.html
+ */
+const HTTP_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$")
+  arguments: (annotation_argument_list
+    (string_literal) @route_path))
+`;
+
+/**
+ * Parameterless HTTP mapping annotations: `@PostMapping`, `@DeleteMapping`,
+ * etc. The tree-sitter-java grammar uses a separate `marker_annotation`
+ * node for annotations without an argument list — distinct from the
+ * parameterized `annotation` node above.
+ */
+const HTTP_MAPPING_NO_ARGS_QUERY = `
+(marker_annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$"))
+`;
+
+/**
+ * Class-level `@RequestMapping("/api/users")`. Captures the path template
+ * so we can extract its first segment.
+ */
+const REQUEST_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @_name (#eq? @_name "RequestMapping")
+  arguments: (annotation_argument_list
+    (string_literal) @route_template))
+`;
+
+/**
+ * Class declarations annotated with `@RestController` or `@Controller`.
+ * Both annotation flavors (marker + parameterized) are captured because
+ * Spring controllers usually use parameterless `@RestController` /
+ * `@Controller` but some use `@Controller(value = "name")`.
+ */
+const CONTROLLER_CLASS_QUERY = `
+(class_declaration
+  (modifiers
+    (marker_annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+
+(class_declaration
+  (modifiers
+    (annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+`;
+
+// ============================================================
+// Adapter
+// ============================================================
+
+export const springAdapter: CodebaseAdapter = {
+  id: 'spring',
+  languages: ['java'],
+
+  matches(signals: DetectionSignals): boolean {
+    // Cheap signal-only check. No file IO. The canonical Spring Boot
+    // declaration is the `spring-boot-starter-web` artifact (Maven) or
+    // dependency string (Gradle), per the Spring Boot reference:
+    // https://docs.spring.io/spring-boot/reference/using/build-systems.html
+    if (signals.pomXml && /\bspring-boot-starter[\w-]*\b/.test(signals.pomXml)) {
+      return true;
+    }
+    if (signals.gradleBuild && /\bspring-boot-starter[\w-]*\b/.test(signals.gradleBuild)) {
+      return true;
+    }
+    // Fallback: explicit `spring-webmvc` or `org.springframework` references
+    // catch projects that use Spring without Spring Boot (rare today but
+    // canonical Spring MVC pre-Boot apps).
+    if (signals.pomXml && /\borg\.springframework\b/.test(signals.pomXml)) {
+      return true;
+    }
+    if (signals.gradleBuild && /\borg\.springframework\b/.test(signals.gradleBuild)) {
+      return true;
+    }
+    return false;
+  },
+
+  async introspect(files: SourceFile[], _rootDir: string): Promise<AdapterResult> {
+    if (files.length === 0) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    let language;
+    try {
+      language = await loadGrammar('java');
+    } catch (e) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    const parser = new Parser();
+    parser.setLanguage(language);
+
+    const routeMethods = new Map<string, { line: number; file: string }>();
+    const prefixBases = new Map<string, { line: number; file: string }>();
+    const controllerClasses = new Map<string, { line: number; file: string }>();
+
+    try {
+      for (const file of files) {
+        const skip = isParsableSource(file.content, file.size);
+        if (skip) {
+          process.stderr.write(
+            `[massu/ast] WARN: spring skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)\n`,
+          );
+          continue;
+        }
+        try {
+          // Parameterized @<Verb>Mapping("/path")
+          for (const hit of runQuery(parser, file.content, HTTP_MAPPING_QUERY, 'spring-http-mapping', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/Mapping$/, ''); // GetMapping → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // Parameterless @<Verb>Mapping
+          for (const hit of runQuery(parser, file.content, HTTP_MAPPING_NO_ARGS_QUERY, 'spring-http-mapping-marker', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/Mapping$/, '');
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // @RequestMapping("/api/...")
+          for (const hit of runQuery(parser, file.content, REQUEST_MAPPING_QUERY, 'spring-request-mapping', file.path)) {
+            const tplRaw = hit.captures.route_template;
+            if (!tplRaw) continue;
+            const literal = tplRaw.replace(/^["']/, '').replace(/["']$/, '');
+            const base = extractPrefixBase(literal);
+            if (base && !prefixBases.has(base)) {
+              prefixBases.set(base, { line: hit.line, file: file.path });
+            }
+          }
+          // @RestController / @Controller class
+          for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY, 'spring-controller-class', file.path)) {
+            const name = hit.captures.class_name;
+            if (name && !controllerClasses.has(name)) {
+              controllerClasses.set(name, { line: hit.line, file: file.path });
+            }
+          }
+        } catch (e) {
+          if (e instanceof InvalidQueryError) {
+            throw e;
+          }
+          continue;
+        }
+      }
+    } finally {
+      try { parser.delete(); } catch { /* ignore */ }
+    }
+
+    const conventions: Record<string, unknown> = {};
+    const provenance: Provenance[] = [];
+
+    if (routeMethods.size === 1) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'spring-http-mapping' });
+    } else if (routeMethods.size >= 2) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'spring-http-mapping' });
+    }
+
+    if (prefixBases.size >= 1) {
+      const [base, { line, file }] = prefixBases.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_prefix_base = base;
+      provenance.push({ field: 'route_prefix_base', sourceFile: file, line, query: 'spring-request-mapping' });
+    }
+
+    if (controllerClasses.size >= 1) {
+      const [name, { line, file }] = controllerClasses.entries().next().value as [string, { line: number; file: string }];
+      conventions.controller_class = name;
+      provenance.push({ field: 'controller_class', sourceFile: file, line, query: 'spring-controller-class' });
+    }
+
+    let confidence: AdapterResult['confidence'];
+    if (Object.keys(conventions).length === 0) {
+      confidence = 'none';
+    } else if (routeMethods.size === 1) {
+      confidence = 'high';
+    } else if (routeMethods.size >= 2) {
+      confidence = 'low';
+    } else {
+      confidence = 'medium';
+    }
+
+    return { conventions, provenance, confidence };
+  },
+};
+
+// ============================================================
+// Helpers
+// ============================================================
+
+/**
+ * Extract the first path segment of a Spring `@RequestMapping` template.
+ * Mirrors aspnet/phoenix/rails/python-flask/go-chi extractors. Returns
+ * null if input is empty or `/`-only.
+ */
+function extractPrefixBase(prefix: string): string | null {
+  const stripped = prefix.replace(/^\/+/, '');
+  const firstSeg = stripped.split('/')[0];
+  if (!firstSeg) return null;
+  return '/' + firstSeg;
+}

package/src/detect/adapters/tree-sitter-loader.ts

@@ -161,6 +161,56 @@ export const GRAMMAR_MANIFEST: Partial<Record<TreeSitterLanguage, ManifestEntry>
     sha256: '41c4fdb2249a3aa6d87eed0d383081ff09725c2248b4977043a43825980ffcc7',
     version: '0.1.13',
   },
+  // ----------------------------------------------------------------
+  // Plan 3c Phase 7 expansion (2026-05-07):
+  //
+  // Six additional grammars to support the registry-verified framework
+  // adapters (go-chi, rails, aspnet, spring, ktor, phoenix) plus the
+  // bundled adapters in the same language families (gin/echo/fiber,
+  // sinatra, etc.). All entries use the SAME pinned tree-sitter-wasms
+  // version (0.1.13) as the v1 four to keep the dependency surface
+  // single-source.
+  //
+  // SHA-256s computed 2026-05-07 via:
+  //   curl -fsSL <url> | shasum -a 256
+  //
+  // The unpkg filename for C# uses an underscore (`c_sharp`) while the
+  // TreeSitterLanguage identifier uses no separator (`csharp`); the map
+  // key is the type identifier, the URL is the storage path — they do
+  // NOT need to match, the same as how `python` maps to `tree-sitter-
+  // python.wasm`. This is intentional and validated by the manifest
+  // shape test in tree-sitter-loader-manifest.test.ts.
+  // ----------------------------------------------------------------
+  go: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-go.wasm',
+    sha256: '9963ca89b616eaf04b08a43bc1fb0f07b85395bec313330851f1f1ead2f755b6',
+    version: '0.1.13',
+  },
+  ruby: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-ruby.wasm',
+    sha256: '93a5022855314cdb45458c7bb026a24a0ebc3a5ff6439e542e881f14dfa13a39',
+    version: '0.1.13',
+  },
+  csharp: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-c_sharp.wasm',
+    sha256: '6266a7e32d68a3459104d994dc848df15d5672b0ea8e86d327274b694f8e6991',
+    version: '0.1.13',
+  },
+  java: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-java.wasm',
+    sha256: '637aac4415fb39a211a4f4292d63c66b5ce9c32fa2cd35464af4f681d91b9a1f',
+    version: '0.1.13',
+  },
+  kotlin: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-kotlin.wasm',
+    sha256: 'b5cb00c8d06ed0f10f1dbe497205b437809d7e87db1f638721a8cfb30e044449',
+    version: '0.1.13',
+  },
+  elixir: {
+    url: 'https://unpkg.com/tree-sitter-wasms@0.1.13/out/tree-sitter-elixir.wasm',
+    sha256: '82e91b9759ddca30d8978ebbfa8e347b4451b64c931f9ae62112e6db9b8fac20',
+    version: '0.1.13',
+  },
 };
 
 // ============================================================

package/src/detect/adapters/types.ts

@@ -68,6 +68,24 @@ export interface DetectionSignals {
   cargoToml?: Record<string, unknown>;
   /** Raw `go.mod` text — undefined if absent. */
   goMod?: string;
+  /** Raw `mix.exs` text — undefined if absent. Elixir/Mix manifest. */
+  mixExs?: string;
+  /**
+   * Raw text of the FIRST `.csproj` file found at the project root —
+   * undefined if absent. .NET project file (XML). Adapters that need to
+   * inspect more than one csproj (multi-project solutions) can re-scan from
+   * `presentFiles`.
+   */
+  csproj?: string;
+  /** Raw `pom.xml` text — undefined if absent. Maven build manifest. */
+  pomXml?: string;
+  /**
+   * Raw text of `build.gradle` OR `build.gradle.kts` — whichever exists at
+   * the project root, with `.kts` (Kotlin DSL) preferred when both are
+   * present (Kotlin DSL is the modern default per Gradle 7+ docs).
+   * Undefined if neither exists.
+   */
+  gradleBuild?: string;
   /** Set of present directory names directly under the project root (one level). */
   presentDirs: Set<string>;
   /** Set of present file basenames directly under the project root (one level). */

package/src/detect/framework-detector.ts

@@ -138,6 +138,13 @@ export const DETECTION_RULES: DetectionRule[] = [
   { language: 'go', kind: 'framework', keyword: 'github.com/labstack/echo', value: 'echo', priority: 10 },
   { language: 'go', kind: 'framework', keyword: 'github.com/gofiber/fiber', value: 'fiber', priority: 10 },
   { language: 'go', kind: 'framework', keyword: 'github.com/go-chi/chi', value: 'chi', priority: 9 },
+  // chi versioned import paths (Go convention: github.com/<org>/<name>/v<N>).
+  // matchRule does exact case-insensitive set lookup, so the unversioned and
+  // each major-version path each need their own rule.
+  { language: 'go', kind: 'framework', keyword: 'github.com/go-chi/chi/v2', value: 'chi', priority: 9 },
+  { language: 'go', kind: 'framework', keyword: 'github.com/go-chi/chi/v3', value: 'chi', priority: 9 },
+  { language: 'go', kind: 'framework', keyword: 'github.com/go-chi/chi/v4', value: 'chi', priority: 9 },
+  { language: 'go', kind: 'framework', keyword: 'github.com/go-chi/chi/v5', value: 'chi', priority: 9 },
   { language: 'go', kind: 'test_framework', keyword: 'github.com/stretchr/testify', value: 'testify', priority: 8 },
   { language: 'go', kind: 'orm', keyword: 'gorm.io/gorm', value: 'gorm', priority: 10 },
 
@@ -157,6 +164,25 @@ export const DETECTION_RULES: DetectionRule[] = [
   { language: 'ruby', kind: 'framework', keyword: 'sinatra', value: 'sinatra', priority: 9 },
   { language: 'ruby', kind: 'test_framework', keyword: 'rspec', value: 'rspec', priority: 10 },
   { language: 'ruby', kind: 'orm', keyword: 'activerecord', value: 'activerecord', priority: 10 },
+  // Plan 1.5.1: elixir + csharp framework rules. Closes the CR-39 gap
+  // where Phoenix + ASP.NET projects produced `framework.languages.<lang>`
+  // entries WITHOUT a `framework:` value, which prevented variant
+  // templates from being looked up.
+  { language: 'elixir', kind: 'framework', keyword: 'phoenix', value: 'phoenix', priority: 10 },
+  { language: 'elixir', kind: 'test_framework', keyword: 'ex_unit', value: 'ex-unit', priority: 10 },
+  { language: 'elixir', kind: 'orm', keyword: 'ecto', value: 'ecto', priority: 10 },
+  // ASP.NET Core surfaces via several PackageReference names; the canonical
+  // ones in modern .NET projects are .App and .Mvc. matchRule does exact
+  // (case-insensitive) lookup against the deps set parseCsproj extracts.
+  { language: 'csharp', kind: 'framework', keyword: 'Microsoft.AspNetCore.App', value: 'aspnet-core', priority: 10 },
+  { language: 'csharp', kind: 'framework', keyword: 'Microsoft.AspNetCore.Mvc', value: 'aspnet-core', priority: 10 },
+  { language: 'csharp', kind: 'framework', keyword: 'Microsoft.AspNetCore', value: 'aspnet-core', priority: 9 },
+  // SDK-style projects: `<Project Sdk="Microsoft.NET.Sdk.Web">` is the
+  // canonical ASP.NET Core declaration in modern .NET. parseCsproj
+  // surfaces the Sdk attribute as a dep so this rule can match.
+  { language: 'csharp', kind: 'framework', keyword: 'Microsoft.NET.Sdk.Web', value: 'aspnet-core', priority: 10 },
+  { language: 'csharp', kind: 'test_framework', keyword: 'xunit', value: 'xunit', priority: 10 },
+  { language: 'csharp', kind: 'orm', keyword: 'EntityFrameworkCore', value: 'ef-core', priority: 10 },
 ];
 
 /**

package/src/detect/manifest-registry.ts

@@ -0,0 +1,261 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Canonical manifest registry — Plan 1.5.1 §3 deliverable.
+ *
+ * Single source-of-truth for "what manifest files we recognize and how we
+ * read them." Both `package-detector.ts` (init's framework-detection layer)
+ * and `adapters/runner.ts:buildDetectionSignals` (AST adapter signal layer)
+ * consume from THIS registry. Adding a new manifest type = ONE entry; both
+ * consumers automatically pick it up.
+ *
+ * Pre-registry state (1.5.0) had TWO parallel lists that drifted:
+ *   - `package-detector.ts:MANIFEST_FILES` — 11 entries (legacy)
+ *   - `runner.ts:buildDetectionSignals` — 9 manifest reads (extended Phase 7)
+ * Phoenix + ASP.NET were unreachable via `npx massu init` because their
+ * manifest files (mix.exs, *.csproj) were in the runner's list but missing
+ * from package-detector's list. CR-39 violation; closed by this registry.
+ *
+ * Per CR-46 Rule 0 self-attest #3 ("does this add an N+1th alias map?"):
+ * this REPLACES the duplicated lists with one canonical map. The drift-
+ * prevention test `manifest-registry-drift.test.ts` fails the build if a
+ * registry entry is consumed by only one of the two layers.
+ *
+ * Plan 1.5.1 reference:
+ * `~/massu-internal/docs/plans/2026-05-08-1.5.1-init-end-to-end.md`.
+ */
+
+import type { PackageManifest, DetectionWarning, SupportedLanguage } from './package-detector.ts';
+import type { DetectionSignals } from './adapters/types.ts';
+import * as parsers from './package-detector.ts';
+
+/**
+ * The pattern by which the registry recognizes a manifest file:
+ *   - exact filename: `'Gemfile'`, `'mix.exs'`, `'package.json'`
+ *   - extension-glob: `'*.csproj'` (matches any file ending in `.csproj`)
+ * Only these two shapes are supported; arbitrary glob patterns are
+ * intentionally rejected to keep matching cheap and predictable.
+ */
+export type ManifestPattern = string;
+
+/**
+ * Match a candidate filename against a registry pattern.
+ * Returns true if `name` matches `pattern`.
+ */
+export function matchManifestPattern(name: string, pattern: ManifestPattern): boolean {
+  if (pattern.startsWith('*')) {
+    const suffix = pattern.slice(1);
+    if (suffix.includes('*')) {
+      throw new Error(
+        `[manifest-registry] pattern "${pattern}" has more than one wildcard. ` +
+        `Only "*.<ext>" extension-globs are supported.`,
+      );
+    }
+    return name.endsWith(suffix);
+  }
+  return name === pattern;
+}
+
+/**
+ * Parser function signature — matches the existing parse* fns in
+ * package-detector.ts. Returns null on file-not-found or parse failure
+ * (with a warning pushed to `warnings`).
+ */
+export type ManifestParser = (
+  path: string,
+  directory: string,
+  root: string,
+  warnings: DetectionWarning[],
+) => PackageManifest | null;
+
+/**
+ * Single registry entry. One per manifest type.
+ */
+export interface ManifestEntry {
+  /** Recognition pattern (see `ManifestPattern`). */
+  pattern: ManifestPattern;
+  /** Canonical manifest-type tag (matches `PackageManifest.manifestType`). */
+  manifestType: PackageManifest['manifestType'];
+  /** Default language this manifest implies. */
+  language: SupportedLanguage;
+  /** Runtime family hint. */
+  runtime: string;
+  /** Function that reads + parses the file into a `PackageManifest`. */
+  parse: ManifestParser;
+  /**
+   * The DetectionSignals key the runner uses to expose this manifest's
+   * contents to AST adapters. `null` when this manifest doesn't surface
+   * to the AST tier (e.g., requirements.txt is captured via pyprojectToml
+   * sibling already; Package.swift has no AST adapter consumer yet).
+   */
+  signalKey: keyof DetectionSignals | null;
+  /**
+   * Shape the runner stores under `signalKey`. Drives whether the runner
+   * calls `tryReadString` (string) or `tryReadToml` (toml) or
+   * `tryReadJson` (json) when populating signals. Ignored when
+   * `signalKey === null`.
+   */
+  signalShape: 'string' | 'toml' | 'json';
+}
+
+/**
+ * The canonical registry — the SINGLE source-of-truth for "what manifests
+ * we recognize."
+ *
+ * Lazy initializer: package-detector.ts re-exports the parsers we
+ * reference here, so eager top-level evaluation would risk an ESM
+ * circular-import undefined-symbol. Resolution: build the registry on
+ * first call (after both modules' top-level evaluations have completed).
+ *
+ * Adding a new manifest type:
+ *   1. Author a new `parseXxx()` function in `package-detector.ts`.
+ *   2. Add an entry to MANIFEST_REGISTRY referencing it.
+ *   3. (If needed) extend `SupportedLanguage` and
+ *      `PackageManifest.manifestType` unions.
+ *   4. Add the new signal field to `DetectionSignals` if the AST adapter
+ *      pipeline needs to read it.
+ *   5. The drift-prevention test will fail until both consumers see the
+ *      new entry.
+ */
+let _registryCache: ManifestEntry[] | null = null;
+
+export function getManifestRegistry(): ManifestEntry[] {
+  if (_registryCache !== null) return _registryCache;
+  _registryCache = [
+    {
+      pattern: 'package.json',
+      manifestType: 'package.json',
+      language: 'typescript',
+      runtime: 'node',
+      parse: parsers.parsePackageJson,
+      signalKey: 'packageJson',
+      signalShape: 'json',
+    },
+    {
+      pattern: 'pyproject.toml',
+      manifestType: 'pyproject.toml',
+      language: 'python',
+      runtime: 'python3',
+      parse: parsers.parsePyproject,
+      signalKey: 'pyprojectToml',
+      signalShape: 'toml',
+    },
+    {
+      pattern: 'requirements.txt',
+      manifestType: 'requirements.txt',
+      language: 'python',
+      runtime: 'python3',
+      parse: parsers.parseRequirementsTxt,
+      // Captured via pyprojectToml sibling already; no separate signal.
+      signalKey: null,
+      signalShape: 'string',
+    },
+    {
+      pattern: 'Pipfile',
+      manifestType: 'Pipfile',
+      language: 'python',
+      runtime: 'python3',
+      parse: parsers.parsePipfile,
+      // Captured via pyprojectToml sibling already; no separate signal.
+      signalKey: null,
+      signalShape: 'string',
+    },
+    {
+      pattern: 'Cargo.toml',
+      manifestType: 'Cargo.toml',
+      language: 'rust',
+      runtime: 'cargo',
+      parse: parsers.parseCargoToml,
+      signalKey: 'cargoToml',
+      signalShape: 'toml',
+    },
+    {
+      pattern: 'Package.swift',
+      manifestType: 'Package.swift',
+      language: 'swift',
+      runtime: 'xcode',
+      parse: parsers.parsePackageSwift,
+      // No AST adapter consumer yet (swift-swiftui doesn't need it).
+      signalKey: null,
+      signalShape: 'string',
+    },
+    {
+      pattern: 'go.mod',
+      manifestType: 'go.mod',
+      language: 'go',
+      runtime: 'go',
+      parse: parsers.parseGoMod,
+      signalKey: 'goMod',
+      signalShape: 'string',
+    },
+    {
+      pattern: 'pom.xml',
+      manifestType: 'pom.xml',
+      language: 'java',
+      runtime: 'jvm',
+      parse: parsers.parsePomXml,
+      signalKey: 'pomXml',
+      signalShape: 'string',
+    },
+    {
+      pattern: 'build.gradle',
+      manifestType: 'build.gradle',
+      language: 'java',
+      runtime: 'jvm',
+      parse: parsers.parseBuildGradle,
+      signalKey: 'gradleBuild',
+      signalShape: 'string',
+    },
+    {
+      pattern: 'build.gradle.kts',
+      manifestType: 'build.gradle',
+      language: 'java',
+      runtime: 'jvm',
+      parse: parsers.parseBuildGradle,
+      signalKey: 'gradleBuild',
+      signalShape: 'string',
+    },
+    {
+      pattern: 'Gemfile',
+      manifestType: 'Gemfile',
+      language: 'ruby',
+      runtime: 'ruby',
+      parse: parsers.parseGemfile,
+      signalKey: 'gemfile',
+      signalShape: 'string',
+    },
+    // Plan 1.5.1 — closes CR-39 violation (1.5.0 init failed for Phoenix
+    // + ASP.NET fixtures). Both rely on AST adapters that already work
+    // in introspect; the gap was solely package-detector unaware of the
+    // manifest filenames.
+    {
+      pattern: 'mix.exs',
+      manifestType: 'mix.exs',
+      language: 'elixir',
+      runtime: 'beam',
+      parse: parsers.parseMixExs,
+      signalKey: 'mixExs',
+      signalShape: 'string',
+    },
+    {
+      pattern: '*.csproj',
+      manifestType: '*.csproj',
+      language: 'csharp',
+      runtime: 'dotnet',
+      parse: parsers.parseCsproj,
+      signalKey: 'csproj',
+      signalShape: 'string',
+    },
+  ];
+  return _registryCache;
+}
+
+/**
+ * Filename list for direct iteration callers (e.g., the existing
+ * package-detector.ts `MANIFEST_FILES` const). Derived from the registry
+ * so it stays in lockstep automatically.
+ */
+export function getManifestPatterns(): ManifestPattern[] {
+  return getManifestRegistry().map((e) => e.pattern);
+}

package/src/detect/monorepo-detector.ts

@@ -232,6 +232,7 @@ function detectPnpmWorkspaces(root: string): WorkspacePackage[] | null {
   const raw = safeReadText(join(root, 'pnpm-workspace.yaml'));
   if (!raw) return null;
   try {
+    // pattern-scanner-allow: yaml-parse — reason: Phase 1 auto-detection parses pnpm-workspace.yaml to discover workspace packages BEFORE any massu config exists. This runs PRE-getConfig in the init flow, so getConfig() is unavailable by definition.
     const parsed = parseYaml(raw) as { packages?: unknown } | null;
     const list = Array.isArray(parsed?.packages)
       ? (parsed!.packages as unknown[]).filter((x) => typeof x === 'string') as string[]