@massu/core 1.4.0 → 1.5.1

package/src/commands/config-check-drift.ts

@@ -69,6 +69,7 @@ export async function runConfigCheckDrift(
   let config: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 drift detector. Raw YAML compare needed at arbitrary cwd before getConfig() cache populates; the drift detector intentionally bypasses the cached parse to inspect on-disk state.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/config-refresh.ts

@@ -272,6 +272,7 @@ export async function runConfigRefresh(opts: ConfigRefreshOptions = {}): Promise
   let existing: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 config lifecycle command. getConfig() Zod-rejects pre-migration v1 configs (which is exactly what `massu config refresh` is meant to read + migrate). Raw parse is required to inspect a pre-upgrade YAML structure.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/config-upgrade.ts

@@ -74,6 +74,7 @@ export async function runConfigUpgrade(opts: ConfigUpgradeOptions = {}): Promise
   let existing: AnyConfig;
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: v1.1.0 config lifecycle command. Same pre-migration constraint as config-refresh: `massu config upgrade` operates on v1 configs that getConfig() Zod-rejects, so raw parse is required.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       throw new Error('config is not a YAML object');

package/src/commands/doctor.ts

@@ -67,6 +67,7 @@ function checkConfig(projectRoot: string): CheckResult {
 
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: `massu doctor` config-integrity diagnostic; runs BEFORE getConfig() to verify the file is well-formed YAML so the user sees a parse error here, not a Zod-validation surprise downstream.
     const parsed = parseYaml(content);
     if (!parsed || typeof parsed !== 'object') {
       return { name: 'Configuration', status: 'fail', detail: 'massu.config.yaml is empty or invalid YAML' };
@@ -449,6 +450,7 @@ export async function runValidateConfig(): Promise<void> {
 
   try {
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: `massu doctor` deep-validation pass; same diagnostic-mode reasoning as the upper checkConfig() — surfaces YAML errors with operator-friendly stderr before any getConfig() call.
     const parsed = parseYaml(content);
 
     if (!parsed || typeof parsed !== 'object') {

package/src/commands/init.ts

@@ -543,6 +543,145 @@ export function buildConfigFromDetection(
   return config;
 }
 
+/**
+ * Plan 1.5.1 §3 — variant template merge.
+ *
+ * Map from detected `framework.languages.<lang>.framework` value → variant
+ * template directory under `packages/core/templates/`. Most detected
+ * frameworks map 1:1 to a template dir of the same name, but a few have
+ * naming divergence (e.g., detection emits `spring-boot` but the template
+ * dir is `spring`; detection emits `chi` but the template dir is `go-chi`).
+ *
+ * The mapping is intentionally tight — only frameworks with an actual
+ * variant template under `templates/` are listed. Adding a new framework
+ * = one entry here + one templates/<id>/massu.config.yaml file. The
+ * `manifest-registry-drift.test.ts` already gates the manifest side; the
+ * `init-end-to-end.test.ts` gates this map.
+ */
+const FRAMEWORK_TO_TEMPLATE_ID: Record<string, string> = {
+  rails: 'rails',
+  phoenix: 'phoenix',
+  'aspnet-core': 'aspnet',
+  'spring-boot': 'spring',
+  chi: 'go-chi',
+  flask: 'python-flask',
+};
+
+/**
+ * After `buildConfigFromDetection` produces a baseline config, look up the
+ * variant template for the detected framework (if any) and selectively
+ * merge fields. The variant wins on a small allowlist:
+ *   - `framework.router`
+ *   - `framework.orm`
+ *   - `framework.ui`
+ *   - `paths.source`
+ *   - `verification.<lang>.{lint,syntax,test,type,build}` — variant lint
+ *     is the canonical project-style command (rubocop, credo, etc.) and
+ *     should not be overridden by the generic detection default.
+ *
+ * The variant template's `framework.type`, `framework.languages`,
+ * `project.name`, `domains`, and `rules` are NOT merged — those come from
+ * detection and reflect the actual repo state. Allowlist keeps the merge
+ * precise; future fields require an explicit decision.
+ */
+export function applyVariantTemplate(
+  config: Record<string, unknown>,
+  templatesDir: string | null,
+): Record<string, unknown> {
+  if (!templatesDir) return config;
+  const fw = config.framework as Record<string, unknown> | undefined;
+  if (!fw) return config;
+  const langs = fw.languages as Record<string, unknown> | undefined;
+  if (!langs || typeof langs !== 'object') return config;
+
+  // Find the first language that has a `framework` value with a known
+  // variant template. Most projects have ONE primary language; in
+  // monorepos the detection-driven primary is what we honor.
+  let templateId: string | null = null;
+  for (const langEntry of Object.values(langs)) {
+    if (langEntry && typeof langEntry === 'object') {
+      const fwName = (langEntry as Record<string, unknown>).framework;
+      if (typeof fwName === 'string' && FRAMEWORK_TO_TEMPLATE_ID[fwName]) {
+        templateId = FRAMEWORK_TO_TEMPLATE_ID[fwName];
+        break;
+      }
+    }
+  }
+  if (templateId === null) return config;
+
+  const templatePath = resolve(templatesDir, templateId, 'massu.config.yaml');
+  if (!existsSync(templatePath)) return config;
+
+  let template: Record<string, unknown>;
+  try {
+    // pattern-scanner-allow: yaml-parse — reason: this loads a per-framework
+    // variant config-template shipped inside @massu/core. getConfig() reads
+    // the project's massu.config.yaml from cwd; this is a SEPARATE file
+    // (the template) that doesn't pass through that cache and isn't a Zod-
+    // validated config — it's a partial override map.
+    template = yamlParse(readFileSync(templatePath, 'utf-8')) as Record<string, unknown>;
+  } catch {
+    return config;
+  }
+
+  const out = { ...config };
+  const tplFw = template.framework as Record<string, unknown> | undefined;
+  const outFw = (out.framework as Record<string, unknown>) ?? {};
+  if (tplFw) {
+    if (typeof tplFw.router === 'string' && (!outFw.router || outFw.router === 'none')) {
+      outFw.router = tplFw.router;
+    }
+    if (typeof tplFw.orm === 'string' && (!outFw.orm || outFw.orm === 'none')) {
+      outFw.orm = tplFw.orm;
+    }
+    if (typeof tplFw.ui === 'string' && (!outFw.ui || outFw.ui === 'none')) {
+      outFw.ui = tplFw.ui;
+    }
+  }
+  out.framework = outFw;
+
+  const tplPaths = template.paths as Record<string, unknown> | undefined;
+  const outPaths = (out.paths as Record<string, unknown>) ?? {};
+  if (tplPaths && typeof tplPaths.source === 'string' && tplPaths.source) {
+    outPaths.source = tplPaths.source;
+  }
+  out.paths = outPaths;
+
+  const tplVerify = template.verification as Record<string, Record<string, unknown>> | undefined;
+  const outVerify = (out.verification as Record<string, Record<string, unknown>>) ?? {};
+  if (tplVerify) {
+    for (const [lang, tplLangVerify] of Object.entries(tplVerify)) {
+      if (!tplLangVerify || typeof tplLangVerify !== 'object') continue;
+      const outLangVerify = outVerify[lang] ?? {};
+      // Variant wins on lint + syntax (canonical project commands like
+      // rubocop, credo, golangci-lint that the generic detection layer
+      // doesn't know to suggest). For test/type/build, prefer detection-
+      // derived values when present (e.g., monorepo `cd packages/foo`
+      // prefixing) and fall back to variant template otherwise.
+      for (const key of ['lint', 'syntax']) {
+        if (typeof tplLangVerify[key] === 'string' && tplLangVerify[key]) {
+          outLangVerify[key] = tplLangVerify[key];
+        }
+      }
+      for (const key of ['test', 'type', 'build']) {
+        if (
+          typeof tplLangVerify[key] === 'string' &&
+          tplLangVerify[key] &&
+          !outLangVerify[key]
+        ) {
+          outLangVerify[key] = tplLangVerify[key];
+        }
+      }
+      outVerify[lang] = outLangVerify;
+    }
+  }
+  if (Object.keys(outVerify).length > 0) {
+    out.verification = outVerify;
+  }
+
+  return out;
+}
+
 /**
  * Serialize a built config object into YAML with a header comment.
  * Safe for `writeConfigAtomic` and for `fs.writeFileSync` directly.
@@ -616,6 +755,7 @@ export function writeConfigAtomic(
     }
 
     // Validate YAML parses.
+    // pattern-scanner-allow: yaml-parse — reason: atomic-write post-validator. We just generated `content` and wrote it to a tmp path; before atomic rename to the final config path we re-parse to verify the bytes we serialized are valid YAML. Calling getConfig() here would re-read from cwd and miss the tmp file.
     const parsed = yamlParse(content);
     if (parsed === null || typeof parsed !== 'object') {
       throw new Error('Generated config is not a valid YAML object');
@@ -661,6 +801,7 @@ export function validateWrittenConfig(
     // getConfig caches against process.cwd() and we may be validating a config
     // outside the current working tree (tests, etc.).
     const content = readFileSync(configPath, 'utf-8');
+    // pattern-scanner-allow: yaml-parse — reason: see preceding comment block; getConfig() caches against process.cwd() and would either return a stale entry or fail to read a config at an arbitrary projectRoot.
     const parsed = yamlParse(content);
     if (parsed === null || typeof parsed !== 'object') {
       return 'Config is not a valid YAML object';
@@ -1226,8 +1367,16 @@ export async function runInit(argv?: string[], overrides?: InitOptions): Promise
     }
   }
 
-  // Build config + write atomically.
-  const config = buildConfigFromDetection({ projectRoot, detection });
+  // Build config + apply variant template + write atomically. Plan 1.5.1
+  // §3: the framework-specific variant template under
+  // packages/core/templates/<id>/massu.config.yaml supplies router,
+  // paths.source, and verification.<lang>.lint that the generic
+  // detection-derived baseline doesn't know to set. Pre-1.5.1 init
+  // emitted configs with `router: none` even for clear-Rails / clear-
+  // Phoenix / clear-Spring projects (CR-39 violation per the Plan 1.5.1
+  // 5-fixture verification).
+  const baseConfig = buildConfigFromDetection({ projectRoot, detection });
+  const config = applyVariantTemplate(baseConfig, resolveTemplatesDir());
   const content = renderConfigYaml(config);
   const writeRes = writeConfigAtomic(configPath, content);
   if (!writeRes.validated) {

package/src/config.ts

@@ -372,6 +372,59 @@ const WatchConfigSchema = z.object({
 }).passthrough().optional();
 export type WatchConfig = z.infer<typeof WatchConfigSchema>;
 
+// --- Adapters Config (Plan 3c — third-party adapter registry) ---
+// Tunable knobs for the third-party adapter loading subsystem.
+// `enabled` is the kill switch (default false for first 2 minor releases per
+// Plan 3c gap-1 + audit-iteration-1 deliverable). When false, only the 35
+// CORE-BUNDLED adapters in @massu/core itself load; @massu/adapter-* npm
+// packages and adapters.local entries are ignored.
+// `local` is the explicit per-path opt-in for project-local TS/JS adapters.
+//
+// Note: `allow_unsigned` was REMOVED 2026-05-07 (CR-9 audit C2 fix). The
+// field had been parsed by the schema but never consulted at any callsite,
+// creating a tripwire — a future contributor wiring it would silently
+// disable signature verification. Per Rule 0 / drift-prevention, dead
+// fields are removed, not documented. No v1 use case exists for unsigned
+// adapter loading; if a future v2 adds one, it ships with documented
+// callsite enforcement and a different field name to avoid the tripwire
+// pattern.
+//
+// Path validation (gap-58): adapters.local entries are normalized to POSIX form
+// for cross-platform fingerprint stability. Absolute paths and `..` traversal
+// are rejected at schema validation (attack-surface defense — a malicious
+// postinstall could add "/etc/passwd" or "../../../home/user/.ssh/" entries
+// that bypass the project tree).
+export const AdapterLocalPathSchema = z.string()
+  .refine((s) => !/^([A-Za-z]:[\\/]|[\\/])/.test(s), {
+    message: 'absolute paths are rejected; adapters.local entries must be relative to the massu.config.yaml directory',
+  })
+  .refine((s) => !s.split(/[\\/]/).includes('..'), {
+    message: 'parent-directory traversal (`..`) is rejected; adapters.local entries must stay inside the project tree',
+  })
+  // Normalize to POSIX form for stable cross-platform sha256 fingerprinting.
+  // Windows backslash inputs are converted to forward slashes; consecutive
+  // separators are collapsed; trailing `./` segments are removed.
+  .transform((s) => s.split(/[\\/]/).filter((part) => part !== '' && part !== '.').join('/'));
+
+const AdaptersConfigSchema = z.object({
+  enabled: z.boolean().default(false),
+  local: z.array(AdapterLocalPathSchema).default([]),
+}).passthrough().optional();
+export type AdaptersConfig = z.infer<typeof AdaptersConfigSchema>;
+
+// --- Telemetry Config (Plan 3c — adapter-discovery telemetry) ---
+// Optional anonymous telemetry on adapter-discovery counts (NOT file paths,
+// NOT symbol names, NOT source content). Strictly off by default; never
+// enabled silently. When `adapters: true`, the telemetry writer at
+// packages/core/src/security/telemetry.ts emits one JSONL line per discovery
+// event matching AdapterDiscoveryPayloadSchema (defined inline in that
+// module). PII guardrail: schema is `.strict()` so unknown keys are
+// rejected at write time AND at replay time.
+const TelemetryConfigSchema = z.object({
+  adapters: z.boolean().default(false),
+}).passthrough().optional();
+export type TelemetryConfig = z.infer<typeof TelemetryConfigSchema>;
+
 // --- LSP Config (Plan 3b — Phase 4: LSP integration) ---
 // Top-level optional `lsp:` block configuring optional LSP enrichment of AST
 // adapter results. Per VR-LSP-AUTODETECT-OFF-BY-DEFAULT (audit-iter-1 fix G4):
@@ -440,6 +493,10 @@ const RawConfigSchema = z.object({
   detected: DetectedConfigSchema,
   // Plan 3a: file-watcher daemon tunables
   watch: WatchConfigSchema,
+  // Plan 3c: third-party adapter registry kill-switch + signing override + local-path opt-in.
+  adapters: AdaptersConfigSchema,
+  // Plan 3c: anonymous adapter-discovery telemetry opt-in (default off).
+  telemetry: TelemetryConfigSchema,
   // Plan 3b Phase 4: optional LSP enrichment of AST adapter results.
   lsp: LSPConfigSchema.optional(),
 }).passthrough();
@@ -484,6 +541,10 @@ export interface Config {
   detected?: DetectedConfig;
   // Plan 3a: file-watcher daemon tunables
   watch?: WatchConfig;
+  // Plan 3c: third-party adapter registry config block.
+  adapters?: AdaptersConfig;
+  // Plan 3c: telemetry opt-in block.
+  telemetry?: TelemetryConfig;
   // Plan 3b Phase 4: optional LSP enrichment block (default disabled).
   lsp?: LSPConfig;
 }
@@ -635,6 +696,8 @@ export function getConfig(): Config {
     detection: parsed.detection,
     detected: parsed.detected,
     watch: parsed.watch,
+    adapters: parsed.adapters,
+    telemetry: parsed.telemetry,
     lsp: parsed.lsp,
   };
 

package/src/detect/adapters/aspnet.ts

@@ -0,0 +1,293 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Plan 3c — Phase 7: ASP.NET Core AST adapter.
+ *
+ * Fifth Phase 7 framework after go-chi + Flask + Rails + Phoenix. First to
+ * consume the `csharp` Tree-sitter grammar entry from GRAMMAR_MANIFEST
+ * (commit fbb8aa9). All queries verified against actual tree-sitter-c-sharp
+ * AST shape via probe (R-011) BEFORE writing the adapter.
+ *
+ * ASP.NET Core supports two routing styles, both first-class per the
+ * official routing guide (https://learn.microsoft.com/aspnet/core/fundamentals/routing):
+ *   1. **Minimal API** (recommended for new projects since .NET 6):
+ *      `app.MapGet("/path", handler)`, `app.MapPost(...)`, etc. in
+ *      Program.cs.
+ *   2. **Attribute routing** (MVC controllers): `[HttpGet("{id}")]`,
+ *      `[HttpPost]`, `[Route("api/[controller]")]` on controller classes
+ *      and methods.
+ *
+ * The adapter handles BOTH styles uniformly — extracted route_method
+ * normalizes `MapGet`/`HttpGet` → `Get`, `MapPost`/`HttpPost` → `Post`,
+ * etc. so downstream consumers don't need to know which style produced
+ * the signal.
+ *
+ * Extracts:
+ *   - route_method: most-common HTTP verb captured from EITHER `app.Map<Verb>`
+ *     invocations (minimal API) OR `[Http<Verb>]` attributes (MVC).
+ *   - route_prefix_base: first path segment from EITHER the first `MapGet`
+ *     string-literal path arg OR the first class-level `[Route("template")]`
+ *     attribute. Mirrors phoenix scope_prefix_base / rails api_namespace.
+ *   - controller_class: name of the first class ending in `Controller`
+ *     (attribute-routing style only — minimal API has no controllers).
+ *     Mirrors python-flask app_factory / phoenix router_module.
+ *
+ * Confidence rules (mirror phoenix / rails / go-chi):
+ *   - 'high'   if exactly ONE distinct route_method seen.
+ *   - 'low'    if multiple distinct route_methods seen.
+ *   - 'medium' if route_prefix_base or controller_class found but no
+ *              route_method.
+ *   - 'none'   if no ASP.NET signals at all (regex fallback takes over).
+ *
+ * Tree-sitter-c-sharp AST shape (verified via probe 2026-05-07):
+ *   - Method calls: `(invocation_expression function: (member_access_expression
+ *     name: (identifier)) arguments: (argument_list (argument
+ *     (string_literal)) ...))`.
+ *   - Attributes: `(attribute name: (identifier) (attribute_argument_list
+ *     (attribute_argument (string_literal))?))` — argument list is optional
+ *     because attributes like `[HttpPost]` have no args.
+ *   - Class declarations: `(class_declaration name: (identifier)
+ *     bases: (base_list (identifier)?))` — bases optional.
+ *
+ * Does NOT use regex on file content — only Tree-sitter S-expression queries
+ * compiled via query-helpers.ts.
+ */
+
+import { Parser } from 'web-tree-sitter';
+import type { CodebaseAdapter, AdapterResult, DetectionSignals, Provenance, SourceFile } from './types.ts';
+import { runQuery, InvalidQueryError } from './query-helpers.ts';
+import { loadGrammar } from './tree-sitter-loader.ts';
+import { isParsableSource, MAX_AST_FILE_BYTES } from './parse-guard.ts';
+
+// ============================================================
+// Tree-sitter S-expression queries (C# grammar)
+// ============================================================
+
+/**
+ * Minimal-API verb mapping: `app.MapGet("/path", handler)`,
+ * `app.MapPost(...)`, etc. Anchored on the first argument being a
+ * string_literal so we capture the route path together with the verb.
+ *
+ * The captured @method is the full method name like `MapGet` — the
+ * adapter strips the `Map` prefix in post-processing.
+ *
+ * Per ASP.NET Core minimal API docs:
+ * https://learn.microsoft.com/aspnet/core/fundamentals/minimal-apis
+ */
+const MAP_VERB_QUERY = `
+(invocation_expression
+  function: (member_access_expression
+    name: (identifier) @method (#match? @method "^Map(Get|Post|Put|Patch|Delete|Head|Options)$"))
+  arguments: (argument_list
+    .
+    (argument (string_literal) @route_path)))
+`;
+
+/**
+ * Attribute-routing HTTP verb attributes: `[HttpGet]`, `[HttpGet("{id}")]`,
+ * `[HttpPost]`, etc. Captures BOTH the parameterless and parameterized
+ * forms — the route path may or may not be present.
+ *
+ * The captured @attr_name is `HttpGet` etc. — the adapter strips the
+ * `Http` prefix in post-processing.
+ *
+ * Per ASP.NET Core attribute routing docs:
+ * https://learn.microsoft.com/aspnet/core/mvc/controllers/routing
+ */
+const HTTP_ATTR_QUERY = `
+(attribute
+  name: (identifier) @attr_name (#match? @attr_name "^Http(Get|Post|Put|Patch|Delete|Head|Options)$"))
+`;
+
+/**
+ * Class-level `[Route("api/[controller]")]` attribute. Captures the
+ * route template string so we can extract its first path segment.
+ * Tokens like `[controller]` inside the template are kept verbatim —
+ * the prefix-base extractor splits on `/` so `api/[controller]` → `/api`.
+ */
+const ROUTE_ATTR_QUERY = `
+(attribute
+  name: (identifier) @_attr_name (#eq? @_attr_name "Route")
+  (attribute_argument_list
+    (attribute_argument (string_literal) @route_template)))
+`;
+
+/**
+ * Controller class declaration: `class FooController : ControllerBase`.
+ * We restrict to class names ending in `Controller` to avoid every class
+ * in the project (canonical ASP.NET MVC naming convention).
+ */
+const CONTROLLER_CLASS_QUERY = `
+(class_declaration
+  name: (identifier) @class_name (#match? @class_name "Controller$"))
+`;
+
+// ============================================================
+// Adapter
+// ============================================================
+
+export const aspnetAdapter: CodebaseAdapter = {
+  id: 'aspnet',
+  languages: ['csharp'],
+
+  matches(signals: DetectionSignals): boolean {
+    // Cheap signal-only check. No file IO. The canonical ASP.NET Core
+    // declaration is `<Project Sdk="Microsoft.NET.Sdk.Web">` in the .csproj
+    // file (per https://learn.microsoft.com/aspnet/core/fundamentals/target-aspnetcore).
+    // Fallback: presence of `Microsoft.AspNetCore.App` framework reference,
+    // which appears in older .csproj formats.
+    if (!signals.csproj) return false;
+    if (/Sdk\s*=\s*["']Microsoft\.NET\.Sdk\.Web["']/i.test(signals.csproj)) return true;
+    if (/Microsoft\.AspNetCore\.App/i.test(signals.csproj)) return true;
+    return false;
+  },
+
+  async introspect(files: SourceFile[], _rootDir: string): Promise<AdapterResult> {
+    if (files.length === 0) {
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    let language;
+    try {
+      language = await loadGrammar('csharp');
+    } catch (e) {
+      // Grammar unavailable → adapter returns 'none' so regex fallback takes over.
+      return { conventions: {}, provenance: [], confidence: 'none' };
+    }
+
+    const parser = new Parser();
+    parser.setLanguage(language);
+
+    const routeMethods = new Map<string, { line: number; file: string }>();
+    const prefixBases = new Map<string, { line: number; file: string }>();
+    const controllerClasses = new Map<string, { line: number; file: string }>();
+
+    try {
+      for (const file of files) {
+        const skip = isParsableSource(file.content, file.size);
+        if (skip) {
+          process.stderr.write(
+            `[massu/ast] WARN: aspnet skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)\n`,
+          );
+          continue;
+        }
+        try {
+          // Minimal API: app.MapGet("/path", ...)
+          for (const hit of runQuery(parser, file.content, MAP_VERB_QUERY, 'aspnet-map-verb', file.path)) {
+            const methodRaw = hit.captures.method;
+            if (!methodRaw) continue;
+            const verb = methodRaw.replace(/^Map/, ''); // MapGet → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+            // Also capture the route path for prefix base
+            const pathRaw = hit.captures.route_path;
+            if (pathRaw) {
+              const literal = pathRaw.replace(/^["']/, '').replace(/["']$/, '');
+              const base = extractPrefixBase(literal);
+              if (base && !prefixBases.has(base)) {
+                prefixBases.set(base, { line: hit.line, file: file.path });
+              }
+            }
+          }
+          // Attribute routing: [HttpGet], [HttpPost], etc.
+          for (const hit of runQuery(parser, file.content, HTTP_ATTR_QUERY, 'aspnet-http-attr', file.path)) {
+            const attrRaw = hit.captures.attr_name;
+            if (!attrRaw) continue;
+            const verb = attrRaw.replace(/^Http/, ''); // HttpGet → Get
+            if (!routeMethods.has(verb)) {
+              routeMethods.set(verb, { line: hit.line, file: file.path });
+            }
+          }
+          // Class-level [Route("api/[controller]")]
+          for (const hit of runQuery(parser, file.content, ROUTE_ATTR_QUERY, 'aspnet-route-attr', file.path)) {
+            const tplRaw = hit.captures.route_template;
+            if (!tplRaw) continue;
+            const literal = tplRaw.replace(/^["']/, '').replace(/["']$/, '');
+            const base = extractPrefixBase(literal);
+            if (base && !prefixBases.has(base)) {
+              prefixBases.set(base, { line: hit.line, file: file.path });
+            }
+          }
+          // Controller class: class FooController : ControllerBase
+          for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY, 'aspnet-controller-class', file.path)) {
+            const name = hit.captures.class_name;
+            if (name && !controllerClasses.has(name)) {
+              controllerClasses.set(name, { line: hit.line, file: file.path });
+            }
+          }
+        } catch (e) {
+          if (e instanceof InvalidQueryError) {
+            throw e;
+          }
+          continue;
+        }
+      }
+    } finally {
+      try { parser.delete(); } catch { /* ignore */ }
+    }
+
+    const conventions: Record<string, unknown> = {};
+    const provenance: Provenance[] = [];
+
+    if (routeMethods.size === 1) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'aspnet-map-verb' });
+    } else if (routeMethods.size >= 2) {
+      const [name, { line, file }] = routeMethods.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_method = name;
+      provenance.push({ field: 'route_method', sourceFile: file, line, query: 'aspnet-map-verb' });
+    }
+
+    if (prefixBases.size >= 1) {
+      const [base, { line, file }] = prefixBases.entries().next().value as [string, { line: number; file: string }];
+      conventions.route_prefix_base = base;
+      provenance.push({ field: 'route_prefix_base', sourceFile: file, line, query: 'aspnet-route-prefix' });
+    }
+
+    if (controllerClasses.size >= 1) {
+      const [name, { line, file }] = controllerClasses.entries().next().value as [string, { line: number; file: string }];
+      conventions.controller_class = name;
+      provenance.push({ field: 'controller_class', sourceFile: file, line, query: 'aspnet-controller-class' });
+    }
+
+    let confidence: AdapterResult['confidence'];
+    if (Object.keys(conventions).length === 0) {
+      confidence = 'none';
+    } else if (routeMethods.size === 1) {
+      confidence = 'high';
+    } else if (routeMethods.size >= 2) {
+      confidence = 'low';
+    } else {
+      confidence = 'medium';
+    }
+
+    return { conventions, provenance, confidence };
+  },
+};
+
+// ============================================================
+// Helpers
+// ============================================================
+
+/**
+ * Extract the first path segment of an ASP.NET route template. Mirrors
+ * phoenix/rails/python-flask/go-chi prefix-base extractors. Returns null
+ * if input is empty or `/`-only.
+ *
+ * Examples (verified against test fixtures):
+ *   "/health"             → "/health"
+ *   "api/[controller]"    → "/api"
+ *   "/api/v1/users"       → "/api"
+ *   "/"                   → null
+ *   ""                    → null
+ */
+function extractPrefixBase(prefix: string): string | null {
+  // ASP.NET route templates may or may not begin with `/`. Normalize.
+  const stripped = prefix.replace(/^\/+/, '');
+  const firstSeg = stripped.split('/')[0];
+  if (!firstSeg) return null;
+  return '/' + firstSeg;
+}