@massu/core 1.5.4 → 1.5.5

package/dist/cli.js

@@ -15717,6 +15717,924 @@ var init_swift_swiftui = __esm({
   }
 });
 
+// src/detect/adapters/python-flask.ts
+function extractPrefixBase3(prefix3) {
+  if (!prefix3.startsWith("/")) return null;
+  const stripped = prefix3.replace(/^\/+/, "");
+  const firstSeg = stripped.split("/")[0];
+  if (!firstSeg) return null;
+  return "/" + firstSeg;
+}
+var AUTH_DECORATOR_QUERY, BLUEPRINT_URL_PREFIX_QUERY, APP_FACTORY_QUERY, pythonFlaskAdapter;
+var init_python_flask = __esm({
+  "src/detect/adapters/python-flask.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    AUTH_DECORATOR_QUERY = `
+(decorator
+  (identifier) @auth_decorator (#match? @auth_decorator "_required$"))
+`;
+    BLUEPRINT_URL_PREFIX_QUERY = `
+(call
+  function: (identifier) @_callee (#eq? @_callee "Blueprint")
+  arguments: (argument_list
+    (keyword_argument
+      name: (identifier) @_kw (#eq? @_kw "url_prefix")
+      value: (string) @url_prefix)))
+`;
+    APP_FACTORY_QUERY = `
+(function_definition
+  name: (identifier) @factory_name (#match? @factory_name "^create_")
+  body: (block
+    (expression_statement
+      (assignment
+        right: (call
+          function: (identifier) @_flask_call (#eq? @_flask_call "Flask"))))))
+`;
+    pythonFlaskAdapter = {
+      id: "python-flask",
+      languages: ["python"],
+      matches(signals) {
+        const pyToml = signals.pyprojectToml;
+        if (pyToml?.__raw && /\bflask\b/i.test(pyToml.__raw)) return true;
+        if (signals.presentDirs.has("app") && signals.presentFiles.has("app.py")) return true;
+        if (signals.presentDirs.has("app") && signals.presentFiles.has("wsgi.py")) return true;
+        return false;
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("python");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const authDecorators = /* @__PURE__ */ new Map();
+        const urlPrefixes = /* @__PURE__ */ new Map();
+        const appFactories = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: python-flask skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, AUTH_DECORATOR_QUERY, "flask-auth-decorator", file.path)) {
+                const name2 = hit.captures.auth_decorator;
+                if (name2 && !authDecorators.has(name2)) {
+                  authDecorators.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, BLUEPRINT_URL_PREFIX_QUERY, "flask-blueprint-url-prefix", file.path)) {
+                const raw = hit.captures.url_prefix;
+                if (!raw) continue;
+                const literal = raw.replace(/^['"]/, "").replace(/['"]$/, "");
+                const base = extractPrefixBase3(literal);
+                if (base && !urlPrefixes.has(base)) {
+                  urlPrefixes.set(base, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, APP_FACTORY_QUERY, "flask-app-factory", file.path)) {
+                const name2 = hit.captures.factory_name;
+                if (name2 && !appFactories.has(name2)) {
+                  appFactories.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (authDecorators.size === 1) {
+          const [name2, { line, file }] = authDecorators.entries().next().value;
+          conventions.auth_decorator = name2;
+          provenance.push({ field: "auth_decorator", sourceFile: file, line, query: "flask-auth-decorator" });
+        } else if (authDecorators.size >= 2) {
+          const [name2, { line, file }] = authDecorators.entries().next().value;
+          conventions.auth_decorator = name2;
+          provenance.push({ field: "auth_decorator", sourceFile: file, line, query: "flask-auth-decorator" });
+        }
+        if (urlPrefixes.size >= 1) {
+          const [base, { line, file }] = urlPrefixes.entries().next().value;
+          conventions.blueprint_url_prefix = base;
+          provenance.push({ field: "blueprint_url_prefix", sourceFile: file, line, query: "flask-blueprint-url-prefix" });
+        }
+        if (appFactories.size >= 1) {
+          const [name2, { line, file }] = appFactories.entries().next().value;
+          conventions.app_factory = name2;
+          provenance.push({ field: "app_factory", sourceFile: file, line, query: "flask-app-factory" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (authDecorators.size === 1) {
+          confidence = "high";
+        } else if (authDecorators.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
+// src/detect/adapters/go-chi.ts
+function extractPrefixBase4(prefix3) {
+  if (!prefix3.startsWith("/")) return null;
+  const stripped = prefix3.replace(/^\/+/, "");
+  const firstSeg = stripped.split("/")[0];
+  if (!firstSeg) return null;
+  return "/" + firstSeg;
+}
+var ROUTE_METHOD_QUERY, MOUNT_PREFIX_QUERY, MIDDLEWARE_USE_QUERY, goChiAdapter;
+var init_go_chi = __esm({
+  "src/detect/adapters/go-chi.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    ROUTE_METHOD_QUERY = `
+(call_expression
+  function: (selector_expression
+    field: (field_identifier) @method (#match? @method "^(Get|Post|Put|Delete|Patch|Head|Options|Connect|Trace)$"))
+  arguments: (argument_list
+    .
+    (interpreted_string_literal) @route_path))
+`;
+    MOUNT_PREFIX_QUERY = `
+(call_expression
+  function: (selector_expression
+    field: (field_identifier) @_field (#eq? @_field "Mount"))
+  arguments: (argument_list
+    .
+    (interpreted_string_literal) @mount_path))
+`;
+    MIDDLEWARE_USE_QUERY = `
+(call_expression
+  function: (selector_expression
+    field: (field_identifier) @_use (#eq? @_use "Use"))
+  arguments: (argument_list
+    .
+    (selector_expression
+      operand: (identifier) @_pkg (#eq? @_pkg "middleware")
+      field: (field_identifier) @middleware_name)))
+`;
+    goChiAdapter = {
+      id: "go-chi",
+      languages: ["go"],
+      matches(signals) {
+        if (!signals.goMod) return false;
+        if (/github\.com\/go-chi\/chi/i.test(signals.goMod)) return true;
+        return false;
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("go");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const routeMethods = /* @__PURE__ */ new Map();
+        const mountBases = /* @__PURE__ */ new Map();
+        const middlewareNames = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: go-chi skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, ROUTE_METHOD_QUERY, "chi-route-method", file.path)) {
+                const method = hit.captures.method;
+                if (method && !routeMethods.has(method)) {
+                  routeMethods.set(method, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, MOUNT_PREFIX_QUERY, "chi-mount-prefix", file.path)) {
+                const raw = hit.captures.mount_path;
+                if (!raw) continue;
+                const literal = raw.replace(/^["`]/, "").replace(/["`]$/, "");
+                const base = extractPrefixBase4(literal);
+                if (base && !mountBases.has(base)) {
+                  mountBases.set(base, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, MIDDLEWARE_USE_QUERY, "chi-middleware-use", file.path)) {
+                const name2 = hit.captures.middleware_name;
+                if (name2 && !middlewareNames.has(name2)) {
+                  middlewareNames.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (routeMethods.size === 1) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "chi-route-method" });
+        } else if (routeMethods.size >= 2) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "chi-route-method" });
+        }
+        if (mountBases.size >= 1) {
+          const [base, { line, file }] = mountBases.entries().next().value;
+          conventions.mount_prefix_base = base;
+          provenance.push({ field: "mount_prefix_base", sourceFile: file, line, query: "chi-mount-prefix" });
+        }
+        if (middlewareNames.size >= 1) {
+          const [name2, { line, file }] = middlewareNames.entries().next().value;
+          conventions.middleware_name = name2;
+          provenance.push({ field: "middleware_name", sourceFile: file, line, query: "chi-middleware-use" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (routeMethods.size === 1) {
+          confidence = "high";
+        } else if (routeMethods.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
+// src/detect/adapters/rails.ts
+function extractRootController(target) {
+  const idx = target.indexOf("#");
+  if (idx <= 0) return null;
+  const controller = target.slice(0, idx).trim();
+  return controller || null;
+}
+var ROUTE_METHOD_QUERY2, NAMESPACE_QUERY, ROOT_ROUTE_QUERY, railsAdapter;
+var init_rails = __esm({
+  "src/detect/adapters/rails.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    ROUTE_METHOD_QUERY2 = `
+(call
+  method: (identifier) @method (#match? @method "^(get|post|put|patch|delete|options|head)$")
+  arguments: (argument_list
+    .
+    (string) @route_path))
+`;
+    NAMESPACE_QUERY = `
+(call
+  method: (identifier) @_method (#eq? @_method "namespace")
+  arguments: (argument_list
+    .
+    [
+      (simple_symbol) @namespace_symbol
+      (string) @namespace_string
+    ]))
+`;
+    ROOT_ROUTE_QUERY = `
+(call
+  method: (identifier) @_method (#eq? @_method "root")
+  arguments: (argument_list
+    .
+    (string) @root_target))
+
+(call
+  method: (identifier) @_method (#eq? @_method "root")
+  arguments: (argument_list
+    (pair
+      key: (hash_key_symbol) @_key (#eq? @_key "to")
+      value: (string) @root_target)))
+`;
+    railsAdapter = {
+      id: "rails",
+      languages: ["ruby"],
+      matches(signals) {
+        if (!signals.gemfile) return false;
+        return /^\s*gem\s+['"]rails['"]/im.test(signals.gemfile);
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("ruby");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const routeMethods = /* @__PURE__ */ new Map();
+        const namespaces = /* @__PURE__ */ new Map();
+        const rootControllers = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: rails skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, ROUTE_METHOD_QUERY2, "rails-route-method", file.path)) {
+                const method = hit.captures.method;
+                if (method && !routeMethods.has(method)) {
+                  routeMethods.set(method, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, NAMESPACE_QUERY, "rails-namespace", file.path)) {
+                const symbolRaw = hit.captures.namespace_symbol;
+                const stringRaw = hit.captures.namespace_string;
+                const name2 = symbolRaw ? symbolRaw.replace(/^:/, "") : stringRaw ? stringRaw.replace(/^['"]/, "").replace(/['"]$/, "") : null;
+                if (!name2) continue;
+                const path = "/" + name2;
+                if (!namespaces.has(path)) {
+                  namespaces.set(path, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, ROOT_ROUTE_QUERY, "rails-root", file.path)) {
+                const raw = hit.captures.root_target;
+                if (!raw) continue;
+                const literal = raw.replace(/^['"]/, "").replace(/['"]$/, "");
+                const controller = extractRootController(literal);
+                if (controller && !rootControllers.has(controller)) {
+                  rootControllers.set(controller, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (routeMethods.size === 1) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "rails-route-method" });
+        } else if (routeMethods.size >= 2) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "rails-route-method" });
+        }
+        if (namespaces.size >= 1) {
+          const [path, { line, file }] = namespaces.entries().next().value;
+          conventions.api_namespace = path;
+          provenance.push({ field: "api_namespace", sourceFile: file, line, query: "rails-namespace" });
+        }
+        if (rootControllers.size >= 1) {
+          const [name2, { line, file }] = rootControllers.entries().next().value;
+          conventions.root_controller = name2;
+          provenance.push({ field: "root_controller", sourceFile: file, line, query: "rails-root" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (routeMethods.size === 1) {
+          confidence = "high";
+        } else if (routeMethods.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
+// src/detect/adapters/phoenix.ts
+function extractPrefixBase5(prefix3) {
+  if (!prefix3.startsWith("/")) return null;
+  const stripped = prefix3.replace(/^\/+/, "");
+  const firstSeg = stripped.split("/")[0];
+  if (!firstSeg) return null;
+  return "/" + firstSeg;
+}
+var ROUTE_METHOD_QUERY3, SCOPE_PATH_QUERY, ROUTER_MODULE_QUERY, phoenixAdapter;
+var init_phoenix = __esm({
+  "src/detect/adapters/phoenix.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    ROUTE_METHOD_QUERY3 = `
+(call
+  (identifier) @method (#match? @method "^(get|post|put|patch|delete|options|head)$")
+  (arguments
+    .
+    (string) @route_path))
+`;
+    SCOPE_PATH_QUERY = `
+(call
+  (identifier) @_method (#eq? @_method "scope")
+  (arguments
+    .
+    (string) @scope_path)
+  (do_block))
+`;
+    ROUTER_MODULE_QUERY = `
+(call
+  (identifier) @_method (#eq? @_method "defmodule")
+  (arguments
+    .
+    (alias) @module_name (#match? @module_name "Router$"))
+  (do_block))
+`;
+    phoenixAdapter = {
+      id: "phoenix",
+      languages: ["elixir"],
+      matches(signals) {
+        if (!signals.mixExs) return false;
+        return /\{\s*:phoenix\b(?!_)/.test(signals.mixExs);
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("elixir");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const routeMethods = /* @__PURE__ */ new Map();
+        const scopePaths = /* @__PURE__ */ new Map();
+        const routerModules = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: phoenix skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, ROUTE_METHOD_QUERY3, "phoenix-route-method", file.path)) {
+                const method = hit.captures.method;
+                if (method && !routeMethods.has(method)) {
+                  routeMethods.set(method, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, SCOPE_PATH_QUERY, "phoenix-scope-path", file.path)) {
+                const raw = hit.captures.scope_path;
+                if (!raw) continue;
+                const literal = raw.replace(/^["']/, "").replace(/["']$/, "");
+                const base = extractPrefixBase5(literal);
+                if (base && !scopePaths.has(base)) {
+                  scopePaths.set(base, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, ROUTER_MODULE_QUERY, "phoenix-router-module", file.path)) {
+                const name2 = hit.captures.module_name;
+                if (name2 && !routerModules.has(name2)) {
+                  routerModules.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (routeMethods.size === 1) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "phoenix-route-method" });
+        } else if (routeMethods.size >= 2) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "phoenix-route-method" });
+        }
+        if (scopePaths.size >= 1) {
+          const [base, { line, file }] = scopePaths.entries().next().value;
+          conventions.scope_prefix_base = base;
+          provenance.push({ field: "scope_prefix_base", sourceFile: file, line, query: "phoenix-scope-path" });
+        }
+        if (routerModules.size >= 1) {
+          const [name2, { line, file }] = routerModules.entries().next().value;
+          conventions.router_module = name2;
+          provenance.push({ field: "router_module", sourceFile: file, line, query: "phoenix-router-module" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (routeMethods.size === 1) {
+          confidence = "high";
+        } else if (routeMethods.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
+// src/detect/adapters/aspnet.ts
+function extractPrefixBase6(prefix3) {
+  const stripped = prefix3.replace(/^\/+/, "");
+  const firstSeg = stripped.split("/")[0];
+  if (!firstSeg) return null;
+  return "/" + firstSeg;
+}
+var MAP_VERB_QUERY, HTTP_ATTR_QUERY, ROUTE_ATTR_QUERY, CONTROLLER_CLASS_QUERY, aspnetAdapter;
+var init_aspnet = __esm({
+  "src/detect/adapters/aspnet.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    MAP_VERB_QUERY = `
+(invocation_expression
+  function: (member_access_expression
+    name: (identifier) @method (#match? @method "^Map(Get|Post|Put|Patch|Delete|Head|Options)$"))
+  arguments: (argument_list
+    .
+    (argument (string_literal) @route_path)))
+`;
+    HTTP_ATTR_QUERY = `
+(attribute
+  name: (identifier) @attr_name (#match? @attr_name "^Http(Get|Post|Put|Patch|Delete|Head|Options)$"))
+`;
+    ROUTE_ATTR_QUERY = `
+(attribute
+  name: (identifier) @_attr_name (#eq? @_attr_name "Route")
+  (attribute_argument_list
+    (attribute_argument (string_literal) @route_template)))
+`;
+    CONTROLLER_CLASS_QUERY = `
+(class_declaration
+  name: (identifier) @class_name (#match? @class_name "Controller$"))
+`;
+    aspnetAdapter = {
+      id: "aspnet",
+      languages: ["csharp"],
+      matches(signals) {
+        if (!signals.csproj) return false;
+        if (/Sdk\s*=\s*["']Microsoft\.NET\.Sdk\.Web["']/i.test(signals.csproj)) return true;
+        if (/Microsoft\.AspNetCore\.App/i.test(signals.csproj)) return true;
+        return false;
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("csharp");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const routeMethods = /* @__PURE__ */ new Map();
+        const prefixBases = /* @__PURE__ */ new Map();
+        const controllerClasses = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: aspnet skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, MAP_VERB_QUERY, "aspnet-map-verb", file.path)) {
+                const methodRaw = hit.captures.method;
+                if (!methodRaw) continue;
+                const verb = methodRaw.replace(/^Map/, "");
+                if (!routeMethods.has(verb)) {
+                  routeMethods.set(verb, { line: hit.line, file: file.path });
+                }
+                const pathRaw = hit.captures.route_path;
+                if (pathRaw) {
+                  const literal = pathRaw.replace(/^["']/, "").replace(/["']$/, "");
+                  const base = extractPrefixBase6(literal);
+                  if (base && !prefixBases.has(base)) {
+                    prefixBases.set(base, { line: hit.line, file: file.path });
+                  }
+                }
+              }
+              for (const hit of runQuery(parser, file.content, HTTP_ATTR_QUERY, "aspnet-http-attr", file.path)) {
+                const attrRaw = hit.captures.attr_name;
+                if (!attrRaw) continue;
+                const verb = attrRaw.replace(/^Http/, "");
+                if (!routeMethods.has(verb)) {
+                  routeMethods.set(verb, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, ROUTE_ATTR_QUERY, "aspnet-route-attr", file.path)) {
+                const tplRaw = hit.captures.route_template;
+                if (!tplRaw) continue;
+                const literal = tplRaw.replace(/^["']/, "").replace(/["']$/, "");
+                const base = extractPrefixBase6(literal);
+                if (base && !prefixBases.has(base)) {
+                  prefixBases.set(base, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY, "aspnet-controller-class", file.path)) {
+                const name2 = hit.captures.class_name;
+                if (name2 && !controllerClasses.has(name2)) {
+                  controllerClasses.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (routeMethods.size === 1) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "aspnet-map-verb" });
+        } else if (routeMethods.size >= 2) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "aspnet-map-verb" });
+        }
+        if (prefixBases.size >= 1) {
+          const [base, { line, file }] = prefixBases.entries().next().value;
+          conventions.route_prefix_base = base;
+          provenance.push({ field: "route_prefix_base", sourceFile: file, line, query: "aspnet-route-prefix" });
+        }
+        if (controllerClasses.size >= 1) {
+          const [name2, { line, file }] = controllerClasses.entries().next().value;
+          conventions.controller_class = name2;
+          provenance.push({ field: "controller_class", sourceFile: file, line, query: "aspnet-controller-class" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (routeMethods.size === 1) {
+          confidence = "high";
+        } else if (routeMethods.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
+// src/detect/adapters/spring.ts
+function extractPrefixBase7(prefix3) {
+  const stripped = prefix3.replace(/^\/+/, "");
+  const firstSeg = stripped.split("/")[0];
+  if (!firstSeg) return null;
+  return "/" + firstSeg;
+}
+var HTTP_MAPPING_QUERY, HTTP_MAPPING_NO_ARGS_QUERY, REQUEST_MAPPING_QUERY, CONTROLLER_CLASS_QUERY2, springAdapter;
+var init_spring = __esm({
+  "src/detect/adapters/spring.ts"() {
+    "use strict";
+    init_tree_sitter();
+    init_query_helpers();
+    init_tree_sitter_loader();
+    init_parse_guard();
+    HTTP_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$")
+  arguments: (annotation_argument_list
+    (string_literal) @route_path))
+`;
+    HTTP_MAPPING_NO_ARGS_QUERY = `
+(marker_annotation
+  name: (identifier) @method (#match? @method "^(Get|Post|Put|Patch|Delete|Head|Options)Mapping$"))
+`;
+    REQUEST_MAPPING_QUERY = `
+(annotation
+  name: (identifier) @_name (#eq? @_name "RequestMapping")
+  arguments: (annotation_argument_list
+    (string_literal) @route_template))
+`;
+    CONTROLLER_CLASS_QUERY2 = `
+(class_declaration
+  (modifiers
+    (marker_annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+
+(class_declaration
+  (modifiers
+    (annotation
+      name: (identifier) @_anno (#match? @_anno "^(RestController|Controller)$")))
+  name: (identifier) @class_name)
+`;
+    springAdapter = {
+      id: "spring",
+      languages: ["java"],
+      matches(signals) {
+        if (signals.pomXml && /\bspring-boot-starter[\w-]*\b/.test(signals.pomXml)) {
+          return true;
+        }
+        if (signals.gradleBuild && /\bspring-boot-starter[\w-]*\b/.test(signals.gradleBuild)) {
+          return true;
+        }
+        if (signals.pomXml && /\borg\.springframework\b/.test(signals.pomXml)) {
+          return true;
+        }
+        if (signals.gradleBuild && /\borg\.springframework\b/.test(signals.gradleBuild)) {
+          return true;
+        }
+        return false;
+      },
+      async introspect(files, _rootDir) {
+        if (files.length === 0) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        let language;
+        try {
+          language = await loadGrammar("java");
+        } catch (e2) {
+          return { conventions: {}, provenance: [], confidence: "none" };
+        }
+        const parser = new Parser();
+        parser.setLanguage(language);
+        const routeMethods = /* @__PURE__ */ new Map();
+        const prefixBases = /* @__PURE__ */ new Map();
+        const controllerClasses = /* @__PURE__ */ new Map();
+        try {
+          for (const file of files) {
+            const skip = isParsableSource(file.content, file.size);
+            if (skip) {
+              process.stderr.write(
+                `[massu/ast] WARN: spring skipping ${file.path}: ${skip.reason} (${skip.detail}). Cap=${MAX_AST_FILE_BYTES}. (Phase 3.5 mitigation)
+`
+              );
+              continue;
+            }
+            try {
+              for (const hit of runQuery(parser, file.content, HTTP_MAPPING_QUERY, "spring-http-mapping", file.path)) {
+                const methodRaw = hit.captures.method;
+                if (!methodRaw) continue;
+                const verb = methodRaw.replace(/Mapping$/, "");
+                if (!routeMethods.has(verb)) {
+                  routeMethods.set(verb, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, HTTP_MAPPING_NO_ARGS_QUERY, "spring-http-mapping-marker", file.path)) {
+                const methodRaw = hit.captures.method;
+                if (!methodRaw) continue;
+                const verb = methodRaw.replace(/Mapping$/, "");
+                if (!routeMethods.has(verb)) {
+                  routeMethods.set(verb, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, REQUEST_MAPPING_QUERY, "spring-request-mapping", file.path)) {
+                const tplRaw = hit.captures.route_template;
+                if (!tplRaw) continue;
+                const literal = tplRaw.replace(/^["']/, "").replace(/["']$/, "");
+                const base = extractPrefixBase7(literal);
+                if (base && !prefixBases.has(base)) {
+                  prefixBases.set(base, { line: hit.line, file: file.path });
+                }
+              }
+              for (const hit of runQuery(parser, file.content, CONTROLLER_CLASS_QUERY2, "spring-controller-class", file.path)) {
+                const name2 = hit.captures.class_name;
+                if (name2 && !controllerClasses.has(name2)) {
+                  controllerClasses.set(name2, { line: hit.line, file: file.path });
+                }
+              }
+            } catch (e2) {
+              if (e2 instanceof InvalidQueryError) {
+                throw e2;
+              }
+              continue;
+            }
+          }
+        } finally {
+          try {
+            parser.delete();
+          } catch {
+          }
+        }
+        const conventions = {};
+        const provenance = [];
+        if (routeMethods.size === 1) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "spring-http-mapping" });
+        } else if (routeMethods.size >= 2) {
+          const [name2, { line, file }] = routeMethods.entries().next().value;
+          conventions.route_method = name2;
+          provenance.push({ field: "route_method", sourceFile: file, line, query: "spring-http-mapping" });
+        }
+        if (prefixBases.size >= 1) {
+          const [base, { line, file }] = prefixBases.entries().next().value;
+          conventions.route_prefix_base = base;
+          provenance.push({ field: "route_prefix_base", sourceFile: file, line, query: "spring-request-mapping" });
+        }
+        if (controllerClasses.size >= 1) {
+          const [name2, { line, file }] = controllerClasses.entries().next().value;
+          conventions.controller_class = name2;
+          provenance.push({ field: "controller_class", sourceFile: file, line, query: "spring-controller-class" });
+        }
+        let confidence;
+        if (Object.keys(conventions).length === 0) {
+          confidence = "none";
+        } else if (routeMethods.size === 1) {
+          confidence = "high";
+        } else if (routeMethods.size >= 2) {
+          confidence = "low";
+        } else {
+          confidence = "medium";
+        }
+        return { conventions, provenance, confidence };
+      }
+    };
+  }
+});
+
 // src/detect/adapters/file-sampler.ts
 var file_sampler_exports = {};
 __export(file_sampler_exports, {
@@ -15940,11 +16858,23 @@ var init_codebase_introspector = __esm({
     init_python_django();
     init_nextjs_trpc();
     init_swift_swiftui();
+    init_python_flask();
+    init_go_chi();
+    init_rails();
+    init_phoenix();
+    init_aspnet();
+    init_spring();
     FIRST_PARTY_ADAPTERS = [
       pythonFastApiAdapter,
       pythonDjangoAdapter,
+      pythonFlaskAdapter,
       nextjsTrpcAdapter,
-      swiftSwiftUiAdapter
+      swiftSwiftUiAdapter,
+      goChiAdapter,
+      railsAdapter,
+      phoenixAdapter,
+      aspnetAdapter,
+      springAdapter
     ];
   }
 });

package/dist/hooks/session-start.js

@@ -13309,6 +13309,24 @@ init_parse_guard();
 // src/detect/adapters/swift-swiftui.ts
 init_parse_guard();
 
+// src/detect/adapters/python-flask.ts
+init_parse_guard();
+
+// src/detect/adapters/go-chi.ts
+init_parse_guard();
+
+// src/detect/adapters/rails.ts
+init_parse_guard();
+
+// src/detect/adapters/phoenix.ts
+init_parse_guard();
+
+// src/detect/adapters/aspnet.ts
+init_parse_guard();
+
+// src/detect/adapters/spring.ts
+init_parse_guard();
+
 // src/detect/codebase-introspector.ts
 function introspect(detection, projectRoot) {
   const out2 = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",

package/src/detect/codebase-introspector.ts

@@ -48,6 +48,19 @@ import { pythonFastApiAdapter } from './adapters/python-fastapi.ts';
 import { pythonDjangoAdapter } from './adapters/python-django.ts';
 import { nextjsTrpcAdapter } from './adapters/nextjs-trpc.ts';
 import { swiftSwiftUiAdapter } from './adapters/swift-swiftui.ts';
+// Plan 1.5.4 R-011 discovery: Phase 7 adapters were committed but never
+// added to FIRST_PARTY_ADAPTERS. The omission was masked pre-1.5.4 by
+// sampleFiles=[] (every adapter returned 'none' anyway). Now that the
+// sampler works, these 6 adapters MUST be in the dispatch list or
+// `npx massu init` against a Phase 7 project produces no detected.<id>:
+// block (verified via debug instrumentation 2026-05-08 against the
+// 1.5.4 published bundle).
+import { pythonFlaskAdapter } from './adapters/python-flask.ts';
+import { goChiAdapter } from './adapters/go-chi.ts';
+import { railsAdapter } from './adapters/rails.ts';
+import { phoenixAdapter } from './adapters/phoenix.ts';
+import { aspnetAdapter } from './adapters/aspnet.ts';
+import { springAdapter } from './adapters/spring.ts';
 import type { CodebaseAdapter, AdapterResolved } from './adapters/types.ts';
 
 // ============================================================
@@ -75,8 +88,14 @@ export interface DetectedConventions {
 const FIRST_PARTY_ADAPTERS: CodebaseAdapter[] = [
   pythonFastApiAdapter,
   pythonDjangoAdapter,
+  pythonFlaskAdapter,
   nextjsTrpcAdapter,
   swiftSwiftUiAdapter,
+  goChiAdapter,
+  railsAdapter,
+  phoenixAdapter,
+  aspnetAdapter,
+  springAdapter,
 ];
 
 // ============================================================

package/src/security/registry-pubkey.generated.ts

@@ -1,4 +1,4 @@
-// AUTO-GENERATED by scripts/bundle-pubkey.mjs at 2026-05-08T20:46:40.928Z.
+// AUTO-GENERATED by scripts/bundle-pubkey.mjs at 2026-05-08T20:50:59.749Z.
 // Source pem: packages/core/security/registry-pubkey.pem
 // RAW-bytes sha256: 3b6226d036c472e533110d11a7d0cd2773ce1d7d4f1003517d5bd69c5418ed4c
 // DO NOT EDIT — regenerate via `node scripts/bundle-pubkey.mjs` or