@opencodehub/ingestion 0.1.0

package/dist/pipeline/dep-parsers/python.js

@@ -0,0 +1,369 @@
+/**
+ * Python ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `pyproject.toml` — PEP 621 `[project.dependencies]` + PEP 508
+ *     requirement specifiers, plus the legacy `[tool.poetry.dependencies]`
+ *     table for older Poetry projects.
+ *   - `requirements.txt` — one requirement per line; tolerates `-e`
+ *     (editable installs), `--hash=` lines, `#` comments, blank lines,
+ *     and the `-r` / `-c` include directives (which we skip).
+ *   - `uv.lock` — TOML with a top-level `package = [[...]]` array; each
+ *     entry has `name` and `version`.
+ *
+ * Versions are captured verbatim from the source; v1.0 makes no attempt
+ * to resolve `>=1.0` style ranges into concrete versions (that would
+ * require a PyPI lookup which this phase forbids). Callers consuming
+ * Dependency nodes for SBOM emission can treat "UNKNOWN" as unresolved.
+ */
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import toml from "@iarna/toml";
+const PYPI_ECO = "pypi";
+export const parsePythonDeps = async (input) => {
+    const basename = path.basename(input.relPath);
+    try {
+        if (basename === "pyproject.toml") {
+            return await parsePyproject(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "requirements.txt" || /^requirements-.*\.txt$/.test(basename)) {
+            return await parseRequirements(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "uv.lock") {
+            return await parseUvLock(input.absPath, input.relPath, input.onWarn);
+        }
+    }
+    catch (err) {
+        input.onWarn(`python: failed to parse ${input.relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    return [];
+};
+async function parsePyproject(absPath, relPath, onWarn) {
+    const raw = await safeRead(absPath, relPath, onWarn, "python");
+    if (raw === undefined)
+        return [];
+    let parsed;
+    try {
+        parsed = toml.parse(raw);
+    }
+    catch (err) {
+        onWarn(`python: ${relPath} is not valid TOML: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(parsed))
+        return [];
+    const out = [];
+    // PEP 621 — [project].dependencies is an array of PEP 508 strings.
+    const project = parsed["project"];
+    if (isObject(project)) {
+        const deps = project["dependencies"];
+        if (Array.isArray(deps)) {
+            for (const spec of deps) {
+                if (typeof spec !== "string")
+                    continue;
+                const parsedSpec = parsePep508(spec);
+                if (!parsedSpec)
+                    continue;
+                out.push({
+                    ecosystem: PYPI_ECO,
+                    name: parsedSpec.name,
+                    version: parsedSpec.version,
+                    lockfileSource: relPath,
+                });
+            }
+        }
+        // PEP 621 optional-dependencies is a table of arrays.
+        const optional = project["optional-dependencies"];
+        if (isObject(optional)) {
+            for (const group of Object.values(optional)) {
+                if (!Array.isArray(group))
+                    continue;
+                for (const spec of group) {
+                    if (typeof spec !== "string")
+                        continue;
+                    const parsedSpec = parsePep508(spec);
+                    if (!parsedSpec)
+                        continue;
+                    out.push({
+                        ecosystem: PYPI_ECO,
+                        name: parsedSpec.name,
+                        version: parsedSpec.version,
+                        lockfileSource: relPath,
+                    });
+                }
+            }
+        }
+    }
+    // Legacy Poetry — [tool.poetry.dependencies] table of name => specifier/object.
+    const tool = parsed["tool"];
+    if (isObject(tool)) {
+        const poetry = tool["poetry"];
+        if (isObject(poetry)) {
+            for (const field of ["dependencies", "dev-dependencies"]) {
+                const bag = poetry[field];
+                if (!isObject(bag))
+                    continue;
+                for (const [name, spec] of Object.entries(bag)) {
+                    if (name === "python")
+                        continue; // poetry convention: version of python itself
+                    const version = normalizePoetrySpec(spec);
+                    out.push({
+                        ecosystem: PYPI_ECO,
+                        name,
+                        version,
+                        lockfileSource: relPath,
+                    });
+                }
+            }
+            // dependency-groups-style [tool.poetry.group.X.dependencies].
+            const groups = poetry["group"];
+            if (isObject(groups)) {
+                for (const group of Object.values(groups)) {
+                    if (!isObject(group))
+                        continue;
+                    const bag = group["dependencies"];
+                    if (!isObject(bag))
+                        continue;
+                    for (const [name, spec] of Object.entries(bag)) {
+                        if (name === "python")
+                            continue;
+                        const version = normalizePoetrySpec(spec);
+                        out.push({
+                            ecosystem: PYPI_ECO,
+                            name,
+                            version,
+                            lockfileSource: relPath,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return out;
+}
+async function parseRequirements(absPath, relPath, onWarn) {
+    const raw = await safeRead(absPath, relPath, onWarn, "python");
+    if (raw === undefined)
+        return [];
+    const out = [];
+    const lines = raw.split(/\r?\n/);
+    for (const rawLine of lines) {
+        // Full-line comment: drop it before touching anything else so that
+        // URLs carrying `#egg=...` fragments survive to the URL handler.
+        const trimmedLine = rawLine.trim();
+        if (trimmedLine.length === 0 || trimmedLine.startsWith("#"))
+            continue;
+        // Strip inline comments only for non-URL lines. URL style specs use
+        // `#` as a valid fragment indicator (`#egg=...`, `#subdirectory=`)
+        // and must not be truncated.
+        const stripped = looksLikeUrlSpec(trimmedLine)
+            ? trimmedLine
+            : stripInlineComment(trimmedLine).trim();
+        if (stripped.length === 0)
+            continue;
+        // Skip include directives and flags we don't interpret.
+        if (stripped.startsWith("-r") || stripped.startsWith("--requirement"))
+            continue;
+        if (stripped.startsWith("-c") || stripped.startsWith("--constraint"))
+            continue;
+        if (stripped.startsWith("--hash"))
+            continue;
+        if (stripped.startsWith("--index-url"))
+            continue;
+        if (stripped.startsWith("--extra-index-url"))
+            continue;
+        if (stripped.startsWith("--find-links") || stripped.startsWith("-f"))
+            continue;
+        if (stripped.startsWith("--no-index"))
+            continue;
+        if (stripped.startsWith("--trusted-host"))
+            continue;
+        // `-e` / `--editable` prefix: strip then parse whatever follows.
+        let spec = stripped;
+        if (spec.startsWith("-e "))
+            spec = spec.slice(3).trim();
+        else if (spec.startsWith("--editable "))
+            spec = spec.slice("--editable ".length).trim();
+        // Git/URL style refs — capture the egg fragment name if present.
+        if (/^(git\+|https?:|file:|ssh:)/.test(spec)) {
+            const egg = /[#&]egg=([A-Za-z0-9._-]+)/.exec(spec);
+            if (egg?.[1]) {
+                out.push({
+                    ecosystem: PYPI_ECO,
+                    name: egg[1],
+                    version: "UNKNOWN",
+                    lockfileSource: relPath,
+                });
+            }
+            continue;
+        }
+        const parsed = parsePep508(spec);
+        if (!parsed)
+            continue;
+        out.push({
+            ecosystem: PYPI_ECO,
+            name: parsed.name,
+            version: parsed.version,
+            lockfileSource: relPath,
+        });
+    }
+    return out;
+}
+async function parseUvLock(absPath, relPath, onWarn) {
+    const raw = await safeRead(absPath, relPath, onWarn, "python");
+    if (raw === undefined)
+        return [];
+    let parsed;
+    try {
+        parsed = toml.parse(raw);
+    }
+    catch (err) {
+        onWarn(`python: ${relPath} is not valid TOML: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(parsed))
+        return [];
+    const out = [];
+    const packages = parsed["package"];
+    if (Array.isArray(packages)) {
+        for (const pkg of packages) {
+            if (!isObject(pkg))
+                continue;
+            const name = pkg["name"];
+            const version = pkg["version"];
+            if (typeof name !== "string" || typeof version !== "string")
+                continue;
+            // uv.lock records the PyPI trove license when the package declares
+            // one. Best-effort — undefined when the package entry omits it.
+            const license = readPyLicense(pkg);
+            out.push({
+                ecosystem: PYPI_ECO,
+                name,
+                version,
+                lockfileSource: relPath,
+                ...(license !== undefined ? { license } : {}),
+            });
+        }
+    }
+    return out;
+}
+/**
+ * Read a PEP 621 / PEP 639 license declaration from a TOML object. Four
+ * shapes coexist in the wild:
+ *   - `license = "MIT"`                 (PEP 639 SPDX expression)
+ *   - `license = { text = "MIT" }`      (PEP 621 table)
+ *   - `license = { file = "LICENSE" }`  (PEP 621 — returns `"file:LICENSE"`)
+ *   - `license-expression = "MIT"`      (PEP 639 alternate key)
+ * Plus the trove-classifier fallback: `License :: OSI Approved :: MIT`.
+ */
+function readPyLicense(pkg) {
+    const direct = pkg["license"];
+    if (typeof direct === "string" && direct.length > 0)
+        return direct;
+    if (isObject(direct)) {
+        const text = direct["text"];
+        if (typeof text === "string" && text.length > 0)
+            return text;
+        const file = direct["file"];
+        if (typeof file === "string" && file.length > 0)
+            return `file:${file}`;
+    }
+    const expr = pkg["license-expression"];
+    if (typeof expr === "string" && expr.length > 0)
+        return expr;
+    const classifiers = pkg["classifiers"];
+    if (Array.isArray(classifiers)) {
+        for (const c of classifiers) {
+            if (typeof c !== "string")
+                continue;
+            const m = /^License\s*::\s*(?:OSI Approved\s*::\s*)?(.+)$/.exec(c.trim());
+            if (m !== null && m[1] !== undefined)
+                return m[1].trim();
+        }
+    }
+    return undefined;
+}
+/**
+ * Parse a PEP 508 requirement string into `{ name, version }`. The returned
+ * `version` is the right-hand-side of the specifier (e.g. "1.2.3" from
+ * "requests==1.2.3"; "UNKNOWN" when no specifier is present).
+ */
+function parsePep508(raw) {
+    let s = raw.trim();
+    if (s.length === 0)
+        return undefined;
+    // Strip environment markers ("; python_version < '3.10'")
+    const semi = s.indexOf(";");
+    if (semi !== -1)
+        s = s.slice(0, semi).trim();
+    // Strip optional extras specifier "pkg[extra1,extra2]"
+    s = s.replace(/\[[^\]]*\]/, "");
+    // PEP 440 URL-style "name @ https://..."
+    const atUrl = /^([A-Za-z0-9._-]+)\s*@\s*(\S+)/.exec(s);
+    if (atUrl) {
+        const name = atUrl[1];
+        const version = atUrl[2];
+        if (!name || !version)
+            return undefined;
+        return { name, version };
+    }
+    // Match `name<op><version>` allowing chained specifiers. We keep only
+    // the first specifier's pinned value; for "requests>=2,<3" the version
+    // becomes ">=2,<3" (stored verbatim) to preserve operator fidelity.
+    const m = /^([A-Za-z0-9._-]+)\s*(.*)$/.exec(s);
+    if (!m)
+        return undefined;
+    const name = m[1];
+    const rest = (m[2] ?? "").trim();
+    if (!name)
+        return undefined;
+    if (rest.length === 0)
+        return { name, version: "UNKNOWN" };
+    // Collapse internal whitespace so the stored version is stable.
+    return { name, version: rest.replace(/\s+/g, "") };
+}
+function normalizePoetrySpec(spec) {
+    if (typeof spec === "string")
+        return spec;
+    if (isObject(spec)) {
+        const v = spec["version"];
+        if (typeof v === "string")
+            return v;
+        const g = spec["git"];
+        if (typeof g === "string")
+            return `git:${g}`;
+        const p = spec["path"];
+        if (typeof p === "string")
+            return `path:${p}`;
+        const u = spec["url"];
+        if (typeof u === "string")
+            return `url:${u}`;
+    }
+    return "UNKNOWN";
+}
+function stripInlineComment(line) {
+    const idx = line.indexOf("#");
+    if (idx === -1)
+        return line;
+    return line.slice(0, idx);
+}
+function looksLikeUrlSpec(line) {
+    // `-e` / `--editable` preserve their URLs after the prefix; include
+    // those variants when sniffing for URL-bearing lines.
+    const stripped = line.replace(/^(?:-e|--editable)\s+/, "");
+    return /^(?:git\+|https?:|file:|ssh:)/.test(stripped);
+}
+async function safeRead(absPath, relPath, onWarn, tag) {
+    try {
+        return await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`${tag}: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return undefined;
+    }
+}
+function isObject(x) {
+    return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+//# sourceMappingURL=python.js.map

package/dist/pipeline/dep-parsers/python.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.js","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/python.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,aAAa,CAAC;AAG/B,MAAM,QAAQ,GAAG,MAAe,CAAC;AAEjC,MAAM,CAAC,MAAM,eAAe,GAAgB,KAAK,EAAE,KAAK,EAAE,EAAE;IAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;YAClC,OAAO,MAAM,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,QAAQ,KAAK,kBAAkB,IAAI,wBAAwB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/E,OAAO,MAAM,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC7E,CAAC;QACD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,MAAM,CACV,2BAA2B,KAAK,CAAC,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAChG,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC;AAEF,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/D,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,WAAW,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,GAAG,GAAuB,EAAE,CAAC;IAEnC,mEAAmE;IACnE,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,OAAO,IAAI,KAAK,QAAQ;oBAAE,SAAS;gBACvC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;gBACrC,IAAI,CAAC,UAAU;oBAAE,SAAS;gBAC1B,GAAG,CAAC,IAAI,CAAC;oBACP,SAAS,EAAE,QAAQ;oBACnB,IAAI,EAAE,UAAU,CAAC,IAAI;oBACrB,OAAO,EAAE,UAAU,CAAC,OAAO;oBAC3B,cAAc,EAAE,OAAO;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,sDAAsD;QACtD,MAAM,QAAQ,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,IAAI,OAAO,IAAI,KAAK,QAAQ;wBAAE,SAAS;oBACvC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBACrC,IAAI,CAAC,UAAU;wBAAE,SAAS;oBAC1B,GAAG,CAAC,IAAI,CAAC;wBACP,SAAS,EAAE,QAAQ;wBACnB,IAAI,EAAE,UAAU,CAAC,IAAI;wBACrB,OAAO,EAAE,UAAU,CAAC,OAAO;wBAC3B,cAAc,EAAE,OAAO;qBACxB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACrB,KAAK,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,kBAAkB,CAAU,EAAE,CAAC;gBAClE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC1B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,IAAI,IAAI,KAAK,QAAQ;wBAAE,SAAS,CAAC,8CAA8C;oBAC/E,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;oBAC1C,GAAG,CAAC,IAAI,CAAC;wBACP,SAAS,EAAE,QAAQ;wBACnB,IAAI;wBACJ,OAAO;wBACP,cAAc,EAAE,OAAO;qBACxB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,8DAA8D;YAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;YAC/B,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACrB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAAE,SAAS;oBAC/B,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;oBAClC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC/C,IAAI,IAAI,KAAK,QAAQ;4BAAE,SAAS;wBAChC,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;wBAC1C,GAAG,CAAC,IAAI,CAAC;4BACP,SAAS,EAAE,QAAQ;4BACnB,IAAI;4BACJ,OAAO;4BACP,cAAc,EAAE,OAAO;yBACxB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/D,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjC,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC5B,mEAAmE;QACnE,iEAAiE;QACjE,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QACtE,oEAAoE;QACpE,mEAAmE;QACnE,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,CAAC;YAC5C,CAAC,CAAC,WAAW;YACb,CAAC,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,wDAAwD;QACxD,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,SAAS;QAChF,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,cAAc,CAAC;YAAE,SAAS;QAC/E,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QAC5C,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;YAAE,SAAS;QACjD,IAAI,QAAQ,CAAC,UAAU,CAAC,mBAAmB,CAAC;YAAE,SAAS;QACvD,IAAI,QAAQ,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAC/E,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,SAAS;QAChD,IAAI,QAAQ,CAAC,UAAU,CAAC,gBAAgB,CAAC;YAAE,SAAS;QAEpD,iEAAiE;QACjE,IAAI,IAAI,GAAG,QAAQ,CAAC;QACpB,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACnD,IAAI,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;YAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAExF,iEAAiE;QACjE,IAAI,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC;oBACP,SAAS,EAAE,QAAQ;oBACnB,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;oBACZ,OAAO,EAAE,SAAS;oBAClB,cAAc,EAAE,OAAO;iBACxB,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,GAAG,CAAC,IAAI,CAAC;YACP,SAAS,EAAE,QAAQ;YACnB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,OAAO;SACxB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/D,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,WAAW,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC5F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;YACzB,MAAM,OAAO,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;gBAAE,SAAS;YACtE,mEAAmE;YACnE,gEAAgE;YAChE,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;YACnC,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,QAAQ;gBACnB,IAAI;gBACJ,OAAO;gBACP,cAAc,EAAE,OAAO;gBACvB,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CAAC,GAA4B;IACjD,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IACnE,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,QAAQ,IAAI,EAAE,CAAC;IACzE,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,oBAAoB,CAAC,CAAC;IACvC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,WAAW,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,SAAS;YACpC,MAAM,CAAC,GAAG,gDAAgD,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1E,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS;gBAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACnB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACrC,0DAA0D;IAC1D,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,IAAI,KAAK,CAAC,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7C,uDAAuD;IACvD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAEhC,yCAAyC;IACzC,MAAM,KAAK,GAAG,gCAAgC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,SAAS,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,sEAAsE;IACtE,uEAAuE;IACvE,oEAAoE;IACpE,MAAM,CAAC,GAAG,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAC3D,gEAAgE;IAChE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAa;IACxC,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1B,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC,EAAE,CAAC;QAC9C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC,EAAE,CAAC;IAC/C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,oEAAoE;IACpE,sDAAsD;IACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;IAC3D,OAAO,+BAA+B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,OAAe,EACf,OAAe,EACf,MAA2B,EAC3B,GAAW;IAEX,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,GAAG,iBAAiB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9F,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/pipeline/dep-parsers/rust.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Rust ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `Cargo.lock` — TOML document with a `[[package]]` array. Each entry
+ *     carries `name`, `version`, and optional `source` + `checksum`. We
+ *     emit one `ParsedDependency` per `[[package]]` entry, preserving the
+ *     full `(name, version)` tuple so multi-version fan-out (e.g. two
+ *     different majors of `syn`) yields two distinct Dependency nodes.
+ *   - `Cargo.toml` — direct `[dependencies]` / `[dev-dependencies]` /
+ *     `[build-dependencies]` tables. Falls back to this when there is no
+ *     sibling `Cargo.lock`.
+ *
+ * Versions captured verbatim; we never normalize semver ranges.
+ */
+import type { ParseDepsFn } from "./types.js";
+export declare const parseRustDeps: ParseDepsFn;
+//# sourceMappingURL=rust.d.ts.map

package/dist/pipeline/dep-parsers/rust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rust.d.ts","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/rust.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAoB,MAAM,YAAY,CAAC;AAIhE,eAAO,MAAM,aAAa,EAAE,WAgB3B,CAAC"}

package/dist/pipeline/dep-parsers/rust.js

@@ -0,0 +1,134 @@
+/**
+ * Rust ecosystem manifest parser.
+ *
+ * Supported inputs:
+ *   - `Cargo.lock` — TOML document with a `[[package]]` array. Each entry
+ *     carries `name`, `version`, and optional `source` + `checksum`. We
+ *     emit one `ParsedDependency` per `[[package]]` entry, preserving the
+ *     full `(name, version)` tuple so multi-version fan-out (e.g. two
+ *     different majors of `syn`) yields two distinct Dependency nodes.
+ *   - `Cargo.toml` — direct `[dependencies]` / `[dev-dependencies]` /
+ *     `[build-dependencies]` tables. Falls back to this when there is no
+ *     sibling `Cargo.lock`.
+ *
+ * Versions captured verbatim; we never normalize semver ranges.
+ */
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import toml from "@iarna/toml";
+const CARGO_ECO = "cargo";
+export const parseRustDeps = async (input) => {
+    const basename = path.basename(input.relPath);
+    try {
+        if (basename === "Cargo.lock") {
+            return await parseCargoLock(input.absPath, input.relPath, input.onWarn);
+        }
+        if (basename === "Cargo.toml") {
+            return await parseCargoToml(input.absPath, input.relPath, input.onWarn);
+        }
+    }
+    catch (err) {
+        input.onWarn(`rust: failed to parse ${input.relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    return [];
+};
+async function parseCargoLock(absPath, relPath, onWarn) {
+    const raw = await safeRead(absPath, relPath, onWarn);
+    if (raw === undefined)
+        return [];
+    let parsed;
+    try {
+        parsed = toml.parse(raw);
+    }
+    catch (err) {
+        onWarn(`rust: ${relPath} is not valid TOML: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(parsed))
+        return [];
+    const out = [];
+    const pkgs = parsed["package"];
+    if (Array.isArray(pkgs)) {
+        for (const pkg of pkgs) {
+            if (!isObject(pkg))
+                continue;
+            const name = pkg["name"];
+            const version = pkg["version"];
+            if (typeof name !== "string" || typeof version !== "string")
+                continue;
+            // Cargo.lock v3+ may include `license` when the crate publishes it.
+            // Standard v1/v2 lockfiles omit the field; best-effort readback.
+            const licenseRaw = pkg["license"];
+            const license = typeof licenseRaw === "string" && licenseRaw.length > 0 ? licenseRaw : undefined;
+            out.push({
+                ecosystem: CARGO_ECO,
+                name,
+                version,
+                lockfileSource: relPath,
+                ...(license !== undefined ? { license } : {}),
+            });
+        }
+    }
+    return out;
+}
+async function parseCargoToml(absPath, relPath, onWarn) {
+    const raw = await safeRead(absPath, relPath, onWarn);
+    if (raw === undefined)
+        return [];
+    let parsed;
+    try {
+        parsed = toml.parse(raw);
+    }
+    catch (err) {
+        onWarn(`rust: ${relPath} is not valid TOML: ${err instanceof Error ? err.message : String(err)}`);
+        return [];
+    }
+    if (!isObject(parsed))
+        return [];
+    const out = [];
+    for (const table of ["dependencies", "dev-dependencies", "build-dependencies"]) {
+        const bag = parsed[table];
+        if (!isObject(bag))
+            continue;
+        for (const [name, spec] of Object.entries(bag)) {
+            const version = normalizeCargoSpec(spec);
+            out.push({
+                ecosystem: CARGO_ECO,
+                name,
+                version,
+                lockfileSource: relPath,
+            });
+        }
+    }
+    return out;
+}
+function normalizeCargoSpec(spec) {
+    if (typeof spec === "string")
+        return spec;
+    if (isObject(spec)) {
+        const v = spec["version"];
+        if (typeof v === "string")
+            return v;
+        const g = spec["git"];
+        if (typeof g === "string")
+            return `git:${g}`;
+        const p = spec["path"];
+        if (typeof p === "string")
+            return `path:${p}`;
+    }
+    return "UNKNOWN";
+}
+async function safeRead(absPath, relPath, onWarn) {
+    try {
+        return await fs.readFile(absPath, "utf8");
+    }
+    catch (err) {
+        onWarn(`rust: cannot read ${relPath}: ${err instanceof Error ? err.message : String(err)}`);
+        return undefined;
+    }
+}
+function isObject(x) {
+    return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+//# sourceMappingURL=rust.js.map

package/dist/pipeline/dep-parsers/rust.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rust.js","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/rust.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,aAAa,CAAC;AAG/B,MAAM,SAAS,GAAG,OAAgB,CAAC;AAEnC,MAAM,CAAC,MAAM,aAAa,GAAgB,KAAK,EAAE,KAAK,EAAE,EAAE;IACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,OAAO,MAAM,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,OAAO,MAAM,cAAc,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,MAAM,CACV,yBAAyB,KAAK,CAAC,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC9F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC;AAEF,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACrD,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,SAAS,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC1F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;YACzB,MAAM,OAAO,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;gBAAE,SAAS;YACtE,oEAAoE;YACpE,iEAAiE;YACjE,MAAM,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;YAClC,MAAM,OAAO,GACX,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;YACnF,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,SAAS;gBACpB,IAAI;gBACJ,OAAO;gBACP,cAAc,EAAE,OAAO;gBACvB,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACrD,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CACJ,SAAS,OAAO,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC1F,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAEjC,MAAM,GAAG,GAAuB,EAAE,CAAC;IACnC,KAAK,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,kBAAkB,EAAE,oBAAoB,CAAU,EAAE,CAAC;QACxF,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzC,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,SAAS;gBACpB,IAAI;gBACJ,OAAO;gBACP,cAAc,EAAE,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAa;IACvC,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1B,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC,EAAE,CAAC;IAChD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,OAAe,EACf,OAAe,EACf,MAA2B;IAE3B,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,qBAAqB,OAAO,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5F,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/pipeline/dep-parsers/spdx-normalize.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Normalize informal license strings into SPDX-2.1 identifiers.
+ *
+ * Thin wrapper around `spdx-correct` (Apache-2.0): forwards non-empty
+ * input to the corrector and returns `undefined` for blank / explicitly
+ * unknown values so downstream dedup logic can prefer entries that
+ * carry a real license. When `spdx-correct` cannot recognise the input
+ * we pass the trimmed original through — MCP `license_audit` still
+ * classifies it (e.g. a non-SPDX custom identifier triggers the
+ * UNKNOWN/WARN branch if it doesn't match any copyleft / proprietary
+ * pattern).
+ */
+/** Normalized SPDX id, or `undefined` when no license was declared. */
+export declare function spdxNormalize(raw: string | undefined | null): string | undefined;
+//# sourceMappingURL=spdx-normalize.d.ts.map

package/dist/pipeline/dep-parsers/spdx-normalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spdx-normalize.d.ts","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/spdx-normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,uEAAuE;AACvE,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,GAAG,SAAS,CAYhF"}

package/dist/pipeline/dep-parsers/spdx-normalize.js

@@ -0,0 +1,31 @@
+/**
+ * Normalize informal license strings into SPDX-2.1 identifiers.
+ *
+ * Thin wrapper around `spdx-correct` (Apache-2.0): forwards non-empty
+ * input to the corrector and returns `undefined` for blank / explicitly
+ * unknown values so downstream dedup logic can prefer entries that
+ * carry a real license. When `spdx-correct` cannot recognise the input
+ * we pass the trimmed original through — MCP `license_audit` still
+ * classifies it (e.g. a non-SPDX custom identifier triggers the
+ * UNKNOWN/WARN branch if it doesn't match any copyleft / proprietary
+ * pattern).
+ */
+import correct from "spdx-correct";
+/** Normalized SPDX id, or `undefined` when no license was declared. */
+export function spdxNormalize(raw) {
+    if (raw === undefined || raw === null)
+        return undefined;
+    const trimmed = raw.trim();
+    if (trimmed.length === 0)
+        return undefined;
+    if (trimmed.toUpperCase() === "UNKNOWN")
+        return undefined;
+    // `spdx-correct` returns a normalized SPDX id for common aliases
+    // (`mit` -> `MIT`, `Apache 2` -> `Apache-2.0`), or `null` if the
+    // input is too far from any known id. We fall back to the trimmed
+    // original in that case to preserve whatever signal the manifest
+    // provided.
+    const normalized = correct(trimmed);
+    return normalized ?? trimmed;
+}
+//# sourceMappingURL=spdx-normalize.js.map

package/dist/pipeline/dep-parsers/spdx-normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spdx-normalize.js","sourceRoot":"","sources":["../../../src/pipeline/dep-parsers/spdx-normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,OAAO,MAAM,cAAc,CAAC;AAEnC,uEAAuE;AACvE,MAAM,UAAU,aAAa,CAAC,GAA8B;IAC1D,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IACxD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,OAAO,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1D,iEAAiE;IACjE,iEAAiE;IACjE,kEAAkE;IAClE,iEAAiE;IACjE,YAAY;IACZ,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,UAAU,IAAI,OAAO,CAAC;AAC/B,CAAC"}