@oscharko-dev/keiko-workspace 0.2.0

package/dist/fs.js

@@ -0,0 +1,69 @@
+// The single filesystem boundary for the workspace layer (ADR-0005 D1). Every other module
+// depends on the `WorkspaceFs` port, never on `node:fs` directly, so discovery/detection are
+// testable with an in-memory fake and all real IO is auditable in one place. Synchronous, to
+// mirror the existing `loadConfigFromFile`/`readFileSync` usage in the gateway.
+import { lstatSync, readdirSync, readFileSync, realpathSync, statSync } from "node:fs";
+import { open } from "node:fs/promises";
+function isSymlink(absolutePath) {
+    return lstatSync(absolutePath, { throwIfNoEntry: false })?.isSymbolicLink() ?? false;
+}
+export const nodeWorkspaceFs = {
+    readFileUtf8: (absolutePath) => readFileSync(absolutePath, "utf8"),
+    stat: (absolutePath) => {
+        const stats = statSync(absolutePath, { throwIfNoEntry: true });
+        return {
+            size: stats.size,
+            isFile: stats.isFile(),
+            isDirectory: stats.isDirectory(),
+            isSymbolicLink: isSymlink(absolutePath),
+            hardLinkCount: stats.nlink,
+            mtimeMs: stats.mtimeMs,
+        };
+    },
+    readDir: (absolutePath) => readdirSync(absolutePath, { withFileTypes: true }).map((entry) => ({
+        name: entry.name,
+        isDirectory: entry.isDirectory(),
+        isFile: entry.isFile(),
+        isSymbolicLink: entry.isSymbolicLink(),
+    })),
+    realPath: (absolutePath) => realpathSync(absolutePath),
+    exists: (absolutePath) => {
+        try {
+            return statSync(absolutePath, { throwIfNoEntry: false }) !== undefined;
+        }
+        catch {
+            return false;
+        }
+    },
+    readFileBytes: async (absolutePath, maxBytes) => {
+        const handle = await open(absolutePath, "r");
+        try {
+            const cap = Math.max(0, Math.floor(maxBytes));
+            const buffer = new Uint8Array(cap);
+            if (cap === 0) {
+                return buffer;
+            }
+            const { bytesRead } = await handle.read(buffer, 0, cap, 0);
+            return buffer.subarray(0, bytesRead);
+        }
+        finally {
+            await handle.close();
+        }
+    },
+    readFileRange: async (absolutePath, startByte, length) => {
+        const handle = await open(absolutePath, "r");
+        try {
+            const offset = Math.max(0, Math.floor(startByte));
+            const cap = Math.max(0, Math.floor(length));
+            const buffer = new Uint8Array(cap);
+            if (cap === 0) {
+                return buffer;
+            }
+            const { bytesRead } = await handle.read(buffer, 0, cap, offset);
+            return buffer.subarray(0, bytesRead);
+        }
+        finally {
+            await handle.close();
+        }
+    },
+};

package/dist/gitHistory.d.ts

@@ -0,0 +1,3 @@
+import type { StructuralAdapter } from "./structuralAdapters.js";
+export declare const gitHistoryAdapter: StructuralAdapter;
+//# sourceMappingURL=gitHistory.d.ts.map

package/dist/gitHistory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitHistory.d.ts","sourceRoot":"","sources":["../src/gitHistory.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,iBAAiB,EAAyB,MAAM,yBAAyB,CAAC;AA2SxF,eAAO,MAAM,iBAAiB,EAAE,iBAsD/B,CAAC"}

package/dist/gitHistory.js

@@ -0,0 +1,317 @@
+// Git-history adapter (Epic #177, Issue #180). Reads `.git/HEAD` and `.git/logs/HEAD` directly
+// via the WorkspaceFs port — never spawns `git` and never imports `child_process`. The shared
+// always-on deny list refuses `.git`; this adapter is the SOLE legitimate consumer of those
+// paths and therefore goes through the lower-level `fs.readFileUtf8` after `assertContainedRealPath`,
+// applies an explicit stat-based size cap, and redacts the contents. v1 surfaces the presence
+// of a reflog as a single EvidenceAtom referencing `.git/HEAD`; per-file granularity deferred.
+// Stays within ADR-0019 rule 3b: imports only @oscharko-dev/keiko-contracts, sibling workspace
+// modules, and Node stdlib (node:crypto). Limitation: unavailable when scope.relativePaths is
+// non-empty because git-history is a repo-level signal that cannot meaningfully scope to a
+// sub-folder.
+import { createHash } from "node:crypto";
+import { isAbsolute, normalize } from "node:path";
+import { redact } from "@oscharko-dev/keiko-security";
+import { resolveWithinWorkspace } from "./paths.js";
+import { assertContainedRealPath } from "./realpath.js";
+import { buildAtom } from "./repoSearchScan.js";
+function queryFingerprint(query) {
+    const canonical = JSON.stringify({ kind: query.kind, text: query.text });
+    return createHash("sha256").update(canonical).digest("hex").slice(0, 16);
+}
+const GIT_DIR_PREFIX = "gitdir:";
+const HEAD_MAX_BYTES = 256;
+const GIT_POINTER_MAX_BYTES = 4096;
+const REFLOG_MAX_BYTES = 1_048_576;
+const REFLOG_MAX_LINES = 10_000;
+function isAllowedExternalGitdir(candidate) {
+    return candidate.replace(/\\/g, "/").includes("/.git/worktrees/");
+}
+function containsParentTraversal(candidate) {
+    return candidate.split(/[\\/]+/).includes("..");
+}
+async function readGuardedAbsolute(fs, base, absolutePath, label, maxBytes) {
+    try {
+        assertContainedRealPath(fs, base, absolutePath, label);
+    }
+    catch {
+        return undefined;
+    }
+    if (!fs.exists(absolutePath)) {
+        return undefined;
+    }
+    const stat = fs.stat(absolutePath);
+    if (!stat.isFile) {
+        return undefined;
+    }
+    if (stat.hardLinkCount !== undefined && stat.hardLinkCount > 1) {
+        return undefined;
+    }
+    // Enforce the size cap BEFORE reading to avoid loading multi-megabyte files into memory
+    // (matches the probeBinary pattern from repoSearchScan.ts).
+    if (stat.size > maxBytes) {
+        if (fs.readFileBytes !== undefined) {
+            let bytes;
+            try {
+                bytes = await fs.readFileBytes(absolutePath, maxBytes);
+            }
+            catch {
+                return undefined;
+            }
+            return redact(new TextDecoder("utf-8", { fatal: false }).decode(bytes));
+        }
+        return undefined;
+    }
+    let raw;
+    try {
+        raw = fs.readFileUtf8(absolutePath);
+    }
+    catch {
+        return undefined;
+    }
+    return redact(raw);
+}
+function statOrUndefined(fs, abs) {
+    try {
+        const stat = fs.stat(abs);
+        return {
+            size: stat.size,
+            isFile: stat.isFile,
+            isDirectory: stat.isDirectory,
+            hardLinkCount: stat.hardLinkCount,
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+async function readSmallUtf8File(fs, abs, maxBytes) {
+    const stat = statOrUndefined(fs, abs);
+    if (!stat?.isFile) {
+        return undefined;
+    }
+    if (stat.hardLinkCount !== undefined && stat.hardLinkCount > 1) {
+        return undefined;
+    }
+    if (stat.size > maxBytes) {
+        return undefined;
+    }
+    if (fs.readFileBytes !== undefined) {
+        try {
+            const bytes = await fs.readFileBytes(abs, maxBytes);
+            return new TextDecoder("utf-8", { fatal: false }).decode(bytes);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    try {
+        return fs.readFileUtf8(abs);
+    }
+    catch {
+        return undefined;
+    }
+}
+async function readWorktreePointerTarget(fs, dotGit) {
+    const raw = await readSmallUtf8File(fs, dotGit, GIT_POINTER_MAX_BYTES);
+    if (raw === undefined) {
+        return undefined;
+    }
+    const trimmed = raw.trim();
+    if (!trimmed.startsWith(GIT_DIR_PREFIX)) {
+        return undefined;
+    }
+    const target = trimmed.slice(GIT_DIR_PREFIX.length).trim();
+    if (target.length === 0 || target.includes("\n")) {
+        return undefined;
+    }
+    return target;
+}
+function containedPathIfPresent(fs, base, abs, label) {
+    try {
+        const contained = assertContainedRealPath(fs, base, abs, label);
+        if (!fs.exists(contained)) {
+            return undefined;
+        }
+        return contained;
+    }
+    catch {
+        return undefined;
+    }
+}
+function isContainedAndPresent(fs, base, abs, label) {
+    return containedPathIfPresent(fs, base, abs, label) !== undefined;
+}
+function resolvePointedGitdir(fs, root, target, candidate) {
+    if (!isAbsolute(target)) {
+        try {
+            return assertContainedRealPath(fs, root, candidate, ".git pointer");
+        }
+        catch {
+            return undefined;
+        }
+    }
+    if (containsParentTraversal(target)) {
+        return undefined;
+    }
+    const contained = containedPathIfPresent(fs, root, candidate, ".git pointer");
+    if (contained !== undefined) {
+        return contained;
+    }
+    let canonical;
+    try {
+        canonical = fs.realPath(candidate);
+    }
+    catch {
+        return undefined;
+    }
+    return isAllowedExternalGitdir(canonical) ? canonical : undefined;
+}
+// Find the first 10-digit run that is not preceded by '<'. Avoids regex backtracking.
+function firstUnixTimestamp(line) {
+    let i = 0;
+    const len = line.length;
+    while (i < len) {
+        const code = line.charCodeAt(i);
+        if (code >= 48 && code <= 57) {
+            let j = i;
+            while (j < len && line.charCodeAt(j) >= 48 && line.charCodeAt(j) <= 57) {
+                j += 1;
+            }
+            if (j - i === 10) {
+                const prev = i === 0 ? "" : line.charAt(i - 1);
+                if (prev !== "<") {
+                    return Number.parseInt(line.slice(i, j), 10);
+                }
+            }
+            i = j;
+        }
+        else {
+            i += 1;
+        }
+    }
+    return undefined;
+}
+function extractTimestamps(reflog) {
+    const out = [];
+    let lineCount = 0;
+    for (const line of reflog.split("\n")) {
+        if (lineCount >= REFLOG_MAX_LINES) {
+            break;
+        }
+        lineCount += 1;
+        if (line.length === 0) {
+            continue;
+        }
+        const ts = firstUnixTimestamp(line);
+        if (ts !== undefined) {
+            out.push(ts);
+        }
+    }
+    return out;
+}
+function gitHeadAtom(scope, fingerprint, nowMs) {
+    return buildAtom({
+        scopeId: scope.scopeId,
+        scopePath: ".git/HEAD",
+        lineRange: undefined,
+        provenanceKind: "git-history",
+        tool: "git-reflog",
+        queryFingerprint: fingerprint,
+        score: 1.0,
+        emittedAtMs: nowMs,
+    });
+}
+// Resolve the gitdir root: for a plain repo it is `workspace.root/.git/`; for a worktree
+// it is the path pointed at by the `.git` pointer file. Returns undefined when unavailable.
+// Strategy: check whether HEAD lives directly at `.git/HEAD` first (covers the normal case AND
+// the memFs directory simulation where only child keys are recorded); fall back to treating
+// `.git` as a worktree-pointer file only when that leaf check fails.
+async function resolveGitdir(fs, root) {
+    const dotGit = resolveWithinWorkspace(root, ".git");
+    const headDirect = `${dotGit}/HEAD`;
+    // Fast path: HEAD exists directly under .git — this is the standard directory layout.
+    // We do NOT require .git itself to appear as a stat entry (some WorkspaceFs impls, notably
+    // the test memFs, only record leaf file paths, not implicit parent directories).
+    if (isContainedAndPresent(fs, root, headDirect, ".git/HEAD")) {
+        return dotGit;
+    }
+    // Slow path: .git must be a regular file (worktree pointer). It must exist AND be readable.
+    if (!isContainedAndPresent(fs, root, dotGit, ".git")) {
+        return undefined;
+    }
+    const s = statOrUndefined(fs, dotGit);
+    if (!s?.isFile) {
+        return undefined;
+    }
+    // Worktree-pointer: read the `gitdir: <path>` value, validate containment once.
+    const target = await readWorktreePointerTarget(fs, dotGit);
+    if (target === undefined) {
+        return undefined;
+    }
+    const candidate = isAbsolute(target) ? normalize(target) : resolveWithinWorkspace(root, target);
+    // Real git worktrees usually point outside the checkout root to `.git/worktrees/<name>`.
+    // Allow that one narrow shape, but still constrain the actual reads to files whose realpaths
+    // stay inside the resolved gitdir itself.
+    const gitdir = resolvePointedGitdir(fs, root, target, candidate);
+    if (gitdir === undefined) {
+        return undefined;
+    }
+    const pointedHead = `${gitdir}/HEAD`;
+    if (!isContainedAndPresent(fs, gitdir, pointedHead, ".git-pointer/HEAD")) {
+        return undefined;
+    }
+    return gitdir;
+}
+async function isAvailableForScope(scope, fs) {
+    // Finding 8: git-history is a repo-level signal; sub-folder scoping is meaningless and
+    // would require reading outside the user-selected boundary.
+    if (scope.relativePaths.length > 0) {
+        return false;
+    }
+    const root = scope.workspace.root;
+    const gitdir = await resolveGitdir(fs, root);
+    if (gitdir === undefined) {
+        return false;
+    }
+    // HEAD must exist inside the resolved gitdir.
+    const headAbs = `${gitdir}/HEAD`;
+    return isContainedAndPresent(fs, gitdir, headAbs, ".git/HEAD");
+}
+export const gitHistoryAdapter = {
+    name: "git-history",
+    isAvailable: async (scope, fs) => {
+        try {
+            return await isAvailableForScope(scope, fs);
+        }
+        catch {
+            return false;
+        }
+    },
+    lookup: async (scope, query, limits, fs, deps) => {
+        void limits;
+        const nowMs = deps?.nowMs ?? Date.now;
+        // Finding 8: early-out when scope has sub-paths (matches isAvailable contract).
+        if (scope.relativePaths.length > 0) {
+            return [];
+        }
+        const root = scope.workspace.root;
+        // Finding 7: resolve the real gitdir so worktree-pointer layouts work end-to-end.
+        const gitdir = await resolveGitdir(fs, root);
+        if (gitdir === undefined) {
+            return [];
+        }
+        const head = await readGuardedAbsolute(fs, gitdir, `${gitdir}/HEAD`, ".git/HEAD", HEAD_MAX_BYTES);
+        if (head === undefined) {
+            return [];
+        }
+        const reflog = await readGuardedAbsolute(fs, gitdir, `${gitdir}/logs/HEAD`, ".git/logs/HEAD", REFLOG_MAX_BYTES);
+        if (reflog === undefined || reflog.length === 0) {
+            return [];
+        }
+        const timestamps = extractTimestamps(reflog);
+        if (timestamps.length === 0) {
+            return [];
+        }
+        return [gitHeadAtom(scope, queryFingerprint(query), nowMs())];
+    },
+};

package/dist/ignore.d.ts

@@ -0,0 +1,15 @@
+export declare const DEFAULT_DENY_PATTERNS: readonly string[];
+export declare function isDenied(relPath: string): boolean;
+interface IgnoreRule {
+    readonly regex: RegExp;
+    readonly dirEntryRegex: RegExp | null;
+    readonly negated: boolean;
+    readonly dirOnly: boolean;
+}
+export interface IgnoreMatcher {
+    readonly rules: readonly IgnoreRule[];
+}
+export declare function compileIgnore(lines: readonly string[]): IgnoreMatcher;
+export declare function isIgnored(matcher: IgnoreMatcher, relPath: string, isDir: boolean): boolean;
+export {};
+//# sourceMappingURL=ignore.d.ts.map

package/dist/ignore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ignore.d.ts","sourceRoot":"","sources":["../src/ignore.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,qBAAqB,EAAE,SAAS,MAAM,EAmGjD,CAAC;AA+BH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAajD;AAMD,UAAU,UAAU;IAClB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAGvB,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,SAAS,UAAU,EAAE,CAAC;CACvC;AAkFD,wBAAgB,aAAa,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,aAAa,CASrE;AAED,wBAAgB,SAAS,CAAC,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAS1F"}

package/dist/ignore.js

@@ -0,0 +1,248 @@
+// PURE filtering. Two tiers (ADR-0005 D3):
+//   1. isDenied()  — ALWAYS-ON security deny list. Enforced before every read regardless
+//      of .gitignore. Secret/dep/build/cache/vcs/log/os files are never discovered or read.
+//   2. compileIgnore()/isIgnored() — best-effort noise reduction over a DOCUMENTED, bounded
+//      .gitignore subset. Never relaxes the deny list.
+// Glob translation produces only linear regex pieces (`[^/]*`, `.*`) so there is no
+// catastrophic backtracking (no ReDoS).
+export const DEFAULT_DENY_PATTERNS = Object.freeze([
+    // secrets
+    ".env",
+    ".env.*",
+    "*.pem",
+    "*.key",
+    "id_rsa",
+    "id_ed25519",
+    "id_ecdsa",
+    "id_dsa",
+    "*.p12",
+    "*.pfx",
+    ".npmrc",
+    // credential directories & stores — Epic #532 makes any folder on the machine connectable, so
+    // the deny gate must keep well-known secret locations out of every tree listing, excerpt, and
+    // grounded answer even when the user points a Files window at their home directory.
+    ".ssh",
+    ".aws",
+    ".gnupg",
+    ".kube",
+    ".azure",
+    ".docker",
+    ".netrc",
+    ".pgpass",
+    ".git-credentials",
+    "Keychains",
+    "*.keychain",
+    "*.keychain-db",
+    "*.keystore",
+    "*.jks",
+    // Epic #532 security audit (H1/M1): additional well-known credential stores reachable when a
+    // user connects their home directory. `.config` is the XDG base whose subdirectories (gcloud
+    // ADC, many per-app tokens) consistently hold secrets; the rest are exact credential locations.
+    ".config",
+    ".terraform",
+    ".terraform.d",
+    ".vault-token",
+    ".cargo",
+    ".pypirc",
+    ".m2",
+    ".password-store",
+    "id_ecdsa_sk",
+    "id_ed25519_sk",
+    // Epic #532 security audit (H1): full-machine browse makes pure-credential FILES reachable in
+    // otherwise-allowed locations (not just credential dirs). These filenames hold secrets or secret
+    // state by convention, so they are denied outright — never listed, previewed, or grounded. Secrets
+    // that are merely content-shaped elsewhere are caught by the redaction layer instead.
+    "*.tfstate",
+    "*.tfstate.backup",
+    "kubeconfig",
+    ".rclone.conf",
+    "wp-config.php",
+    ".htpasswd",
+    ".bash_history",
+    ".zsh_history",
+    ".sh_history",
+    ".mysql_history",
+    ".psql_history",
+    ".python_history",
+    ".node_repl_history",
+    ".irb_history",
+    "service-account*.json",
+    // Epic #177 post-closure audit: additional pure-credential FILES denied outright. These filenames
+    // hold secrets by convention (cloud storage keys, OAuth tokens, VCS/registry/shell credentials,
+    // IaC variables); secret-shaped content in otherwise-allowed files is still scrubbed by the
+    // redaction layer as defence-in-depth.
+    ".s3cfg",
+    ".boto",
+    ".dockercfg",
+    ".gitconfig",
+    ".envrc",
+    "*.tfvars",
+    "*.tfvars.json",
+    ".terraformrc",
+    // deps
+    "node_modules",
+    // Keiko runtime/evidence state. These files are internal product artifacts, not repository
+    // source, and must never be discoverable through connected repository grounding.
+    ".keiko",
+    "keiko.config.json",
+    // Local tool and IDE runtime state. These directories can contain prompts, transcripts,
+    // worktrees, extension caches, shelves, and machine-local metadata; they are not source context.
+    ".codex",
+    ".claude",
+    ".playwright-mcp",
+    ".idea",
+    // build
+    "dist",
+    "build",
+    "out",
+    "coverage",
+    // caches
+    ".cache",
+    ".next",
+    ".turbo",
+    // vcs
+    ".git",
+    // os
+    ".DS_Store",
+]);
+// Note: `*.log` is intentionally NOT denied — connected-context search must cover every text
+// format, including log files. Secret-shaped strings inside any matched content are still scrubbed
+// by the redaction layer before they reach an answer or the evidence ledger.
+// Iterates from the end rather than using /\/+$/ to avoid quadratic ReDoS on
+// inputs with many consecutive trailing slashes (CodeQL js/polynomial-redos).
+function stripTrailingSlashes(value) {
+    let end = value.length;
+    while (end > 0 && value.charCodeAt(end - 1) === 47 /* "/" */) {
+        end -= 1;
+    }
+    return value.slice(0, end);
+}
+function normalize(relPath) {
+    return stripTrailingSlashes(relPath.replace(/\\/g, "/").replace(/^\.\//, ""));
+}
+function segments(relPath) {
+    return normalize(relPath)
+        .split("/")
+        .filter((part) => part.length > 0);
+}
+const EXAMPLE_ENV = ".env.example";
+// Always-on security check. Denied if ANY path segment matches a deny pattern (a denied
+// directory denies everything under it). `.env.example` is the single documented exception.
+// Matching is CASE-INSENSITIVE: on case-insensitive filesystems (macOS, Windows) `.ENV` and
+// `.env` name the same file, so a case-only variant must not bypass the deny list.
+export function isDenied(relPath) {
+    for (const part of segments(relPath)) {
+        const lower = part.toLowerCase();
+        if (lower === EXAMPLE_ENV) {
+            continue;
+        }
+        for (const matcher of PRECOMPILED_DENY_MATCHERS) {
+            if (matcher.regex.test(lower)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+function globBody(glob) {
+    let body = "";
+    let i = 0;
+    while (i < glob.length) {
+        // charAt returns "" past the end; the loop bound guarantees a real char here, so there is
+        // no dead nullish fallback. charAt(i + 1)/(i + 2) safely return "" at the boundary.
+        const char = glob.charAt(i);
+        if (char === "*" && glob.charAt(i + 1) === "*") {
+            body += ".*";
+            i += glob.charAt(i + 2) === "/" ? 3 : 2;
+            continue;
+        }
+        if (char === "*") {
+            body += "[^/]*";
+        }
+        else if (char === "?") {
+            body += "[^/]";
+        }
+        else {
+            body += escapeLiteral(char);
+        }
+        i += 1;
+    }
+    return body;
+}
+function globToRegExp(glob, anchored) {
+    const prefix = anchored ? "^" : "^(?:.*/)?";
+    return new RegExp(`${prefix}${globBody(glob)}(?:/.*)?$`);
+}
+const PRECOMPILED_DENY_MATCHERS = DEFAULT_DENY_PATTERNS.map((pattern) => ({
+    regex: globToRegExp(pattern.toLowerCase(), false),
+}));
+// Matches the path that names the directory itself (no nested suffix), used so a `dir/` rule
+// can distinguish a real subdirectory from a same-named file at another depth.
+function globToDirEntryRegExp(glob, anchored) {
+    const prefix = anchored ? "^" : "^(?:.*/)?";
+    return new RegExp(`${prefix}${globBody(glob)}$`);
+}
+function escapeLiteral(char) {
+    return /[.*+?^${}()|[\]\\]/.test(char) ? `\\${char}` : char;
+}
+function stripAnchors(value, anchored, dirOnly) {
+    let core = value;
+    if (anchored) {
+        core = core.slice(1);
+    }
+    if (dirOnly) {
+        core = core.slice(0, -1);
+    }
+    return core;
+}
+function buildRule(rawLine) {
+    const line = rawLine.trim();
+    if (line.length === 0 || line.startsWith("#")) {
+        return null;
+    }
+    const negated = line.startsWith("!");
+    const afterBang = negated ? line.slice(1) : line;
+    const anchored = afterBang.startsWith("/");
+    const dirOnly = afterBang.endsWith("/");
+    const core = stripAnchors(afterBang, anchored, dirOnly);
+    if (core.length === 0) {
+        return null;
+    }
+    return {
+        regex: globToRegExp(core, anchored),
+        dirEntryRegex: dirOnly ? globToDirEntryRegExp(core, anchored) : null,
+        negated,
+        dirOnly,
+    };
+}
+export function compileIgnore(lines) {
+    const rules = [];
+    for (const line of lines) {
+        const rule = buildRule(line);
+        if (rule !== null) {
+            rules.push(rule);
+        }
+    }
+    return { rules };
+}
+export function isIgnored(matcher, relPath, isDir) {
+    const target = normalize(relPath);
+    let ignored = false;
+    for (const rule of matcher.rules) {
+        if (ruleMatches(rule, target, isDir)) {
+            ignored = !rule.negated;
+        }
+    }
+    return ignored;
+}
+// A `dir/` rule ignores either the matching directory entry itself (only when it IS a
+// directory), or any path genuinely nested under it. A same-named FILE is not ignored.
+function ruleMatches(rule, target, isDir) {
+    if (!rule.dirOnly) {
+        return rule.regex.test(target);
+    }
+    if (rule.dirEntryRegex?.test(target) === true) {
+        return isDir;
+    }
+    return rule.regex.test(target);
+}

package/dist/importGraph.d.ts

@@ -0,0 +1,3 @@
+import type { StructuralAdapter } from "./structuralAdapters.js";
+export declare const importGraphAdapter: StructuralAdapter;
+//# sourceMappingURL=importGraph.d.ts.map

package/dist/importGraph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"importGraph.d.ts","sourceRoot":"","sources":["../src/importGraph.ts"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,iBAAiB,EAAyB,MAAM,yBAAyB,CAAC;AA+HxF,eAAO,MAAM,kBAAkB,EAAE,iBAkChC,CAAC"}