@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/commands/waivers.js

@@ -1,249 +0,0 @@
-import path from "node:path";
-import { readFileSync, fileExists, resolvePath, writeFileSync, ensureDir, } from "../utils/file-utils.js";
-import { createEmptyWaiversFile, createWaiver, addWaiver, removeWaiver, WaiversFileSchema, } from "@vibecheck/policy";
-const DEFAULT_WAIVERS_FILE = "vibecheck-waivers.json";
-/**
- * Load waivers file from path
- */
-function loadWaiversFile(filepath) {
-    const absolutePath = resolvePath(filepath);
-    if (!fileExists(absolutePath)) {
-        throw new Error(`Waivers file not found: ${filepath}`);
-    }
-    const content = readFileSync(absolutePath);
-    if (!content) {
-        throw new Error(`Failed to read waivers file: ${filepath}`);
-    }
-    const data = JSON.parse(content);
-    const result = WaiversFileSchema.safeParse(data);
-    if (!result.success) {
-        throw new Error(`Invalid waivers file: ${result.error.message}`);
-    }
-    return result.data;
-}
-/**
- * Save waivers file to path
- */
-function saveWaiversFile(filepath, file) {
-    const absolutePath = resolvePath(filepath);
-    ensureDir(path.dirname(absolutePath));
-    writeFileSync(absolutePath, JSON.stringify(file, null, 2));
-}
-/**
- * Initialize a new waivers file
- */
-export function executeWaiversInit(filepath, force) {
-    const absolutePath = resolvePath(filepath);
-    if (fileExists(absolutePath) && !force) {
-        console.error(`\x1b[31mError: Waivers file already exists: ${absolutePath}\x1b[0m`);
-        console.error("Use --force to overwrite");
-        return 1;
-    }
-    const emptyFile = createEmptyWaiversFile();
-    saveWaiversFile(filepath, emptyFile);
-    console.log(`Created waivers file: ${absolutePath}`);
-    return 0;
-}
-/**
- * Add a waiver to the file
- */
-export function executeWaiversAdd(filepath, options) {
-    // Validate options
-    if (!options.fingerprint && !options.ruleId) {
-        console.error("\x1b[31mError: Must specify either --fingerprint or --ruleId\x1b[0m");
-        return 1;
-    }
-    if (options.fingerprint && options.ruleId) {
-        console.error("\x1b[31mError: Cannot specify both --fingerprint and --ruleId\x1b[0m");
-        return 1;
-    }
-    // Validate expiry date if provided
-    if (options.expiresAt) {
-        const date = new Date(options.expiresAt);
-        if (isNaN(date.getTime())) {
-            console.error(`\x1b[31mError: Invalid expiry date: ${options.expiresAt}\x1b[0m`);
-            return 1;
-        }
-        if (date <= new Date()) {
-            console.error("\x1b[31mError: Expiry date must be in the future\x1b[0m");
-            return 1;
-        }
-    }
-    // Load or create waivers file
-    let file;
-    const absolutePath = resolvePath(filepath);
-    if (fileExists(absolutePath)) {
-        file = loadWaiversFile(filepath);
-    }
-    else {
-        console.log("Creating new waivers file...");
-        file = createEmptyWaiversFile();
-    }
-    // Create waiver
-    const waiver = createWaiver({
-        fingerprint: options.fingerprint,
-        ruleId: options.ruleId,
-        pathPattern: options.pathPattern,
-        reason: options.reason,
-        createdBy: options.createdBy,
-        expiresAt: options.expiresAt ? new Date(options.expiresAt).toISOString() : undefined,
-        ticketRef: options.ticketRef,
-    });
-    // Add to file
-    const updated = addWaiver(file, waiver);
-    saveWaiversFile(filepath, updated);
-    console.log(`Added waiver: ${waiver.id}`);
-    if (options.fingerprint) {
-        console.log(`  Fingerprint: ${options.fingerprint}`);
-    }
-    else {
-        console.log(`  Rule ID: ${options.ruleId}`);
-        if (options.pathPattern) {
-            console.log(`  Path pattern: ${options.pathPattern}`);
-        }
-    }
-    console.log(`  Reason: ${options.reason}`);
-    console.log(`  Created by: ${options.createdBy}`);
-    if (options.expiresAt) {
-        console.log(`  Expires: ${options.expiresAt}`);
-    }
-    if (options.ticketRef) {
-        console.log(`  Ticket: ${options.ticketRef}`);
-    }
-    return 0;
-}
-/**
- * List waivers in the file
- */
-export function executeWaiversList(filepath, verbose) {
-    const file = loadWaiversFile(filepath);
-    if (file.waivers.length === 0) {
-        console.log("No waivers in file");
-        return 0;
-    }
-    console.log(`Found ${file.waivers.length} waiver(s):\n`);
-    for (const waiver of file.waivers) {
-        const isExpired = waiver.expiresAt && new Date(waiver.expiresAt) < new Date();
-        const expiredNote = isExpired ? " \x1b[31m[EXPIRED]\x1b[0m" : "";
-        console.log(`ID: ${waiver.id}${expiredNote}`);
-        if (waiver.match.fingerprint) {
-            console.log(`  Match: fingerprint = ${waiver.match.fingerprint}`);
-        }
-        else {
-            console.log(`  Match: ruleId = ${waiver.match.ruleId}`);
-            if (waiver.match.pathPattern) {
-                console.log(`         pathPattern = ${waiver.match.pathPattern}`);
-            }
-        }
-        console.log(`  Reason: ${waiver.reason}`);
-        if (verbose) {
-            console.log(`  Created by: ${waiver.createdBy}`);
-            console.log(`  Created at: ${waiver.createdAt}`);
-            if (waiver.expiresAt) {
-                console.log(`  Expires at: ${waiver.expiresAt}`);
-            }
-            if (waiver.ticketRef) {
-                console.log(`  Ticket: ${waiver.ticketRef}`);
-            }
-        }
-        console.log("");
-    }
-    return 0;
-}
-/**
- * Remove a waiver from the file
- */
-export function executeWaiversRemove(filepath, waiverId) {
-    const file = loadWaiversFile(filepath);
-    // Check if waiver exists
-    const exists = file.waivers.some((w) => w.id === waiverId);
-    if (!exists) {
-        console.error(`\x1b[31mError: Waiver not found: ${waiverId}\x1b[0m`);
-        return 1;
-    }
-    const updated = removeWaiver(file, waiverId);
-    saveWaiversFile(filepath, updated);
-    console.log(`Removed waiver: ${waiverId}`);
-    return 0;
-}
-/**
- * Register waivers command with subcommands
- */
-export function registerWaiversCommand(program) {
-    const waiversCmd = program
-        .command("waivers")
-        .description("Manage policy waivers");
-    // waivers init
-    waiversCmd
-        .command("init [path]")
-        .description("Initialize a new waivers file")
-        .option("-f, --force", "Overwrite existing file")
-        .action((pathArg, cmdOptions) => {
-        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
-        const exitCode = executeWaiversInit(filepath, Boolean(cmdOptions.force));
-        process.exit(exitCode);
-    });
-    // waivers add
-    waiversCmd
-        .command("add [path]")
-        .description("Add a waiver to the file")
-        .option("--fingerprint <sha256>", "Match by finding fingerprint")
-        .option("--rule-id <id>", "Match by rule ID (supports wildcards like VC-AUTH-*)")
-        .option("--path-pattern <glob>", "Additional path pattern for rule ID match")
-        .requiredOption("-r, --reason <text>", "Justification for the waiver")
-        .requiredOption("--created-by <email>", "Who is creating this waiver")
-        .option("--expires <date>", "Expiration date (ISO format)")
-        .option("--ticket <ref>", "Reference to ticket/issue")
-        .addHelpText("after", `
-Examples:
-  $ vibecheck waivers add --fingerprint sha256:abc123 -r "False positive" --created-by dev@example.com
-  $ vibecheck waivers add --rule-id VC-AUTH-001 -r "Accepted risk" --created-by dev@example.com
-  $ vibecheck waivers add --rule-id "VC-VAL-*" --path-pattern "src/legacy/**" -r "Legacy code" --created-by dev@example.com
-  $ vibecheck waivers add --fingerprint sha256:xyz --expires 2025-12-31 -r "Temporary" --created-by dev@example.com
-  $ vibecheck waivers add ./custom-waivers.json --fingerprint sha256:abc -r "Custom file" --created-by dev@example.com
-`)
-        .action((pathArg, cmdOptions) => {
-        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
-        const exitCode = executeWaiversAdd(filepath, {
-            fingerprint: cmdOptions.fingerprint,
-            ruleId: cmdOptions.ruleId,
-            pathPattern: cmdOptions.pathPattern,
-            reason: cmdOptions.reason,
-            createdBy: cmdOptions.createdBy,
-            expiresAt: cmdOptions.expires,
-            ticketRef: cmdOptions.ticket,
-        });
-        process.exit(exitCode);
-    });
-    // waivers list
-    waiversCmd
-        .command("list [path]")
-        .description("List waivers in the file")
-        .option("-v, --verbose", "Show all waiver details")
-        .action((pathArg, cmdOptions) => {
-        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
-        try {
-            const exitCode = executeWaiversList(filepath, Boolean(cmdOptions.verbose));
-            process.exit(exitCode);
-        }
-        catch (error) {
-            console.error(`\x1b[31mError: ${error instanceof Error ? error.message : String(error)}\x1b[0m`);
-            process.exit(1);
-        }
-    });
-    // waivers remove
-    waiversCmd
-        .command("remove <waiverId> [path]")
-        .description("Remove a waiver from the file")
-        .action((waiverId, pathArg) => {
-        const filepath = pathArg ?? DEFAULT_WAIVERS_FILE;
-        try {
-            const exitCode = executeWaiversRemove(filepath, waiverId);
-            process.exit(exitCode);
-        }
-        catch (error) {
-            console.error(`\x1b[31mError: ${error instanceof Error ? error.message : String(error)}\x1b[0m`);
-            process.exit(1);
-        }
-    });
-}

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/phase3/index.d.ts

@@ -1,11 +0,0 @@
-/**
- * Phase 3: Hallucination Detection Engine
- *
- * Cross-file proof traces, intent claim mining, and hallucination detection.
- * All deterministic, local-only.
- */
-export { generateRouteId, filePathToRoutePath, buildRouteMap, buildMiddlewareMap, isRouteCoveredByMiddleware, buildProofTrace, buildAllProofTraces, calculateCoverage, } from "./proof-trace-builder.js";
-export { generateIntentId, mineIntentClaims, mineAllIntentClaims, findClaimsForRoute, findUnprovenClaims, } from "./intent-miner.js";
-export { phase3Scanners, hallucinationsPack, authPackPhase3, scanCommentClaimUnproven, scanMiddlewareAssumedNotMatching, scanValidationClaimedMissing, scanAuthByUiServerGap, } from "./scanners/index.js";
-export type { RouteInfo, MiddlewareInfo, IntentClaim, IntentClaimType, IntentClaimSource, IntentClaimScope, IntentClaimStrength, ProofTrace, ProofTraceStep, CoverageMetrics, Phase3Context, } from "../scanners/types.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/phase3/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/phase3/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,kBAAkB,EAClB,0BAA0B,EAC1B,eAAe,EACf,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,wBAAwB,EACxB,gCAAgC,EAChC,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,qBAAqB,CAAC;AAG7B,YAAY,EACV,SAAS,EACT,cAAc,EACd,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,UAAU,EACV,cAAc,EACd,eAAe,EACf,aAAa,GACd,MAAM,sBAAsB,CAAC"}

package/dist/phase3/index.js

@@ -1,12 +0,0 @@
-/**
- * Phase 3: Hallucination Detection Engine
- *
- * Cross-file proof traces, intent claim mining, and hallucination detection.
- * All deterministic, local-only.
- */
-// Proof trace builder
-export { generateRouteId, filePathToRoutePath, buildRouteMap, buildMiddlewareMap, isRouteCoveredByMiddleware, buildProofTrace, buildAllProofTraces, calculateCoverage, } from "./proof-trace-builder.js";
-// Intent claim miner
-export { generateIntentId, mineIntentClaims, mineAllIntentClaims, findClaimsForRoute, findUnprovenClaims, } from "./intent-miner.js";
-// Scanners
-export { phase3Scanners, hallucinationsPack, authPackPhase3, scanCommentClaimUnproven, scanMiddlewareAssumedNotMatching, scanValidationClaimedMissing, scanAuthByUiServerGap, } from "./scanners/index.js";

package/dist/phase3/intent-miner.d.ts

@@ -1,32 +0,0 @@
-/**
- * Phase 3: Intent Claim Miner
- *
- * Parses comments, identifiers, imports, and config for security claims.
- * Deterministic, local-only.
- */
-import { type SourceFile } from "ts-morph";
-import type { ScanContext, IntentClaim, IntentClaimType, RouteInfo } from "../scanners/types.js";
-/**
- * Generate a stable intent ID
- */
-export declare function generateIntentId(type: IntentClaimType, file: string, line: number, evidence: string): string;
-/**
- * Mine intent claims from a source file
- */
-export declare function mineIntentClaims(ctx: ScanContext, sourceFile: SourceFile, routes: RouteInfo[]): IntentClaim[];
-/**
- * Mine all intent claims from scan context
- */
-export declare function mineAllIntentClaims(ctx: ScanContext, routes: RouteInfo[]): IntentClaim[];
-/**
- * Find claims that target a specific route
- */
-export declare function findClaimsForRoute(claims: IntentClaim[], routeId: string): IntentClaim[];
-/**
- * Find unproven claims (claims without corresponding proof)
- */
-export declare function findUnprovenClaims(claims: IntentClaim[], proofTraces: Map<string, {
-    authProven: boolean;
-    validationProven: boolean;
-}>): IntentClaim[];
-//# sourceMappingURL=intent-miner.d.ts.map

package/dist/phase3/intent-miner.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"intent-miner.d.ts","sourceRoot":"","sources":["../../src/phase3/intent-miner.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAc,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AACvD,OAAO,KAAK,EACV,WAAW,EACX,WAAW,EACX,eAAe,EAIf,SAAS,EACV,MAAM,sBAAsB,CAAC;AAkD9B;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,eAAe,EACrB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,GACf,MAAM,CAGR;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,WAAW,EAChB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,SAAS,EAAE,GAClB,WAAW,EAAE,CAef;AA6PD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,SAAS,EAAE,GAClB,WAAW,EAAE,CAuBf;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,WAAW,EAAE,EACrB,OAAO,EAAE,MAAM,GACd,WAAW,EAAE,CAIf;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,WAAW,EAAE,EACrB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,OAAO,CAAA;CAAE,CAAC,GAC3E,WAAW,EAAE,CAqBf"}

package/dist/phase3/intent-miner.js

@@ -1,323 +0,0 @@
-/**
- * Phase 3: Intent Claim Miner
- *
- * Parses comments, identifiers, imports, and config for security claims.
- * Deterministic, local-only.
- */
-import crypto from "node:crypto";
-import path from "node:path";
-import { SyntaxKind } from "ts-morph";
-/**
- * Patterns for detecting security intent claims
- */
-const INTENT_PATTERNS = [
-    // Auth patterns
-    { pattern: /\b(auth|authenticate|authorized|protected|secured)\b/i, type: "AUTH_ENFORCED", strength: "strong" },
-    { pattern: /\brequires?\s*(auth|login|session)\b/i, type: "AUTH_ENFORCED", strength: "strong" },
-    { pattern: /\b(getServerSession|useSession|withAuth|requireAuth)\b/, type: "AUTH_ENFORCED", strength: "medium" },
-    // Validation patterns
-    { pattern: /\b(validat(e|ed|ion|or)|sanitiz(e|ed))\b/i, type: "INPUT_VALIDATED", strength: "strong" },
-    { pattern: /\b(schema|zod|yup|joi)\b/i, type: "INPUT_VALIDATED", strength: "medium" },
-    { pattern: /\.parse\(|\.validate\(|\.safeParse\(/, type: "INPUT_VALIDATED", strength: "medium" },
-    // CSRF patterns
-    { pattern: /\b(csrf|xsrf|cross.?site)\b/i, type: "CSRF_ENABLED", strength: "strong" },
-    // Rate limiting patterns
-    { pattern: /\b(rate.?limit|throttl|limit.?rate)\b/i, type: "RATE_LIMITED", strength: "strong" },
-    // Encryption patterns
-    { pattern: /\b(encrypt|cipher|aes|rsa)\b/i, type: "ENCRYPTED_AT_REST", strength: "medium" },
-    // Middleware patterns
-    { pattern: /\b(middleware|intercept|guard)\b/i, type: "MIDDLEWARE_PROTECTED", strength: "medium" },
-];
-/**
- * Security-related import patterns
- */
-const SECURITY_IMPORTS = [
-    { module: /^next-auth/, type: "AUTH_ENFORCED" },
-    { module: /^@auth\//, type: "AUTH_ENFORCED" },
-    { module: /^passport/, type: "AUTH_ENFORCED" },
-    { module: /^zod$/, type: "INPUT_VALIDATED" },
-    { module: /^yup$/, type: "INPUT_VALIDATED" },
-    { module: /^joi$/, type: "INPUT_VALIDATED" },
-    { module: /^csurf$/, type: "CSRF_ENABLED" },
-    { module: /^express-rate-limit$/, type: "RATE_LIMITED" },
-    { module: /^rate-limiter-flexible$/, type: "RATE_LIMITED" },
-    { module: /^helmet$/, type: "MIDDLEWARE_PROTECTED" },
-];
-/**
- * Generate a stable intent ID
- */
-export function generateIntentId(type, file, line, evidence) {
-    const normalized = `${type}:${file}:${line}:${evidence.slice(0, 50)}`.toLowerCase();
-    return crypto.createHash("sha256").update(normalized).digest("hex").slice(0, 12);
-}
-/**
- * Mine intent claims from a source file
- */
-export function mineIntentClaims(ctx, sourceFile, routes) {
-    const claims = [];
-    const filePath = sourceFile.getFilePath();
-    const relPath = path.relative(ctx.repoRoot, filePath).replace(/\\/g, "/");
-    // Mine from comments
-    claims.push(...mineFromComments(sourceFile, relPath, routes));
-    // Mine from imports
-    claims.push(...mineFromImports(sourceFile, relPath));
-    // Mine from identifiers (function names, variable names)
-    claims.push(...mineFromIdentifiers(sourceFile, relPath, routes));
-    return claims;
-}
-/**
- * Mine claims from code comments
- */
-function mineFromComments(sourceFile, relPath, routes) {
-    const claims = [];
-    // Get all comments in the file
-    const leadingComments = [];
-    sourceFile.forEachDescendant((node) => {
-        const nodeComments = node.getLeadingCommentRanges();
-        for (const comment of nodeComments) {
-            leadingComments.push({
-                text: comment.getText(),
-                line: sourceFile.getLineAndColumnAtPos(comment.getPos()).line,
-            });
-        }
-    });
-    // Also get file-level comments
-    const fullText = sourceFile.getFullText();
-    const commentMatches = fullText.matchAll(/\/\*\*?[\s\S]*?\*\/|\/\/[^\n]*/g);
-    for (const match of commentMatches) {
-        const line = sourceFile.getLineAndColumnAtPos(match.index || 0).line;
-        // Avoid duplicates
-        if (!leadingComments.some((c) => c.line === line)) {
-            leadingComments.push({ text: match[0], line });
-        }
-    }
-    for (const { text, line } of leadingComments) {
-        for (const { pattern, type, strength } of INTENT_PATTERNS) {
-            if (pattern.test(text)) {
-                // Determine scope based on comment context
-                const scope = determineCommentScope(text, relPath);
-                // Try to find associated route
-                const targetRouteId = findAssociatedRoute(relPath, line, routes);
-                claims.push({
-                    intentId: generateIntentId(type, relPath, line, text),
-                    type,
-                    scope,
-                    targetRouteId,
-                    source: "comment",
-                    location: {
-                        file: relPath,
-                        startLine: line,
-                        endLine: line,
-                    },
-                    strength,
-                    textEvidence: truncateEvidence(text),
-                });
-                break; // One claim per comment
-            }
-        }
-    }
-    return claims;
-}
-/**
- * Mine claims from import statements
- */
-function mineFromImports(sourceFile, relPath) {
-    const claims = [];
-    for (const importDecl of sourceFile.getImportDeclarations()) {
-        const moduleSpecifier = importDecl.getModuleSpecifierValue();
-        const line = importDecl.getStartLineNumber();
-        for (const { module, type } of SECURITY_IMPORTS) {
-            if (module.test(moduleSpecifier)) {
-                claims.push({
-                    intentId: generateIntentId(type, relPath, line, moduleSpecifier),
-                    type,
-                    scope: "module",
-                    source: "import",
-                    location: {
-                        file: relPath,
-                        startLine: line,
-                        endLine: line,
-                    },
-                    strength: "medium",
-                    textEvidence: `import from "${moduleSpecifier}"`,
-                });
-                break;
-            }
-        }
-    }
-    return claims;
-}
-/**
- * Mine claims from function and variable identifiers
- */
-function mineFromIdentifiers(sourceFile, relPath, routes) {
-    const claims = [];
-    // Function declarations
-    for (const func of sourceFile.getFunctions()) {
-        const name = func.getName() || "";
-        const line = func.getStartLineNumber();
-        for (const { pattern, type, strength } of INTENT_PATTERNS) {
-            if (pattern.test(name)) {
-                const targetRouteId = findAssociatedRoute(relPath, line, routes);
-                claims.push({
-                    intentId: generateIntentId(type, relPath, line, name),
-                    type,
-                    scope: "route",
-                    targetRouteId,
-                    source: "identifier",
-                    location: {
-                        file: relPath,
-                        startLine: line,
-                        endLine: func.getEndLineNumber(),
-                    },
-                    strength,
-                    textEvidence: `function ${name}`,
-                });
-                break;
-            }
-        }
-    }
-    // Variable declarations with security-related names
-    sourceFile.forEachDescendant((node) => {
-        if (node.getKind() === SyntaxKind.VariableDeclaration) {
-            const text = node.getText();
-            const name = text.split("=")[0].trim();
-            const line = node.getStartLineNumber();
-            for (const { pattern, type, strength } of INTENT_PATTERNS) {
-                if (pattern.test(name)) {
-                    claims.push({
-                        intentId: generateIntentId(type, relPath, line, name),
-                        type,
-                        scope: "route",
-                        source: "identifier",
-                        location: {
-                            file: relPath,
-                            startLine: line,
-                            endLine: line,
-                        },
-                        strength,
-                        textEvidence: `variable: ${truncateEvidence(name)}`,
-                    });
-                    break;
-                }
-            }
-        }
-    });
-    return claims;
-}
-/**
- * Determine the scope of a comment-based claim
- */
-function determineCommentScope(text, filePath) {
-    const lowerText = text.toLowerCase();
-    // Module-level indicators (file or function scope maps to module)
-    if (lowerText.includes("@file") ||
-        lowerText.includes("this file") ||
-        lowerText.includes("this module")) {
-        return "module";
-    }
-    // Route-level indicators
-    if (lowerText.includes("this route") ||
-        lowerText.includes("this endpoint") ||
-        lowerText.includes("this handler")) {
-        return "route";
-    }
-    // Global indicators
-    if (lowerText.includes("all routes") ||
-        lowerText.includes("every request") ||
-        lowerText.includes("globally")) {
-        return "global";
-    }
-    // Default to route scope for comments near handlers
-    return "route";
-}
-/**
- * Find an associated route for a given file and line
- */
-function findAssociatedRoute(filePath, line, routes) {
-    // Find routes in the same file
-    const fileRoutes = routes.filter((r) => r.file === filePath);
-    if (fileRoutes.length === 0) {
-        return undefined;
-    }
-    // If only one route, associate with it
-    if (fileRoutes.length === 1) {
-        return fileRoutes[0].routeId;
-    }
-    // Find the closest route that starts after or contains this line
-    for (const route of fileRoutes) {
-        if (line >= route.startLine && line <= route.endLine) {
-            return route.routeId;
-        }
-    }
-    // Find the closest route that starts after this line
-    const afterRoutes = fileRoutes.filter((r) => r.startLine > line);
-    if (afterRoutes.length > 0) {
-        return afterRoutes.sort((a, b) => a.startLine - b.startLine)[0].routeId;
-    }
-    return undefined;
-}
-/**
- * Truncate evidence text
- */
-function truncateEvidence(text) {
-    const cleaned = text.replace(/\s+/g, " ").trim();
-    if (cleaned.length <= 100) {
-        return cleaned;
-    }
-    return cleaned.slice(0, 97) + "...";
-}
-/**
- * Mine all intent claims from scan context
- */
-export function mineAllIntentClaims(ctx, routes) {
-    const allClaims = [];
-    // Mine from all source files
-    for (const file of ctx.fileIndex.allSourceFiles) {
-        // allSourceFiles are relative paths, resolve to absolute for parseFile
-        const absolutePath = path.join(ctx.repoRoot, file);
-        const sourceFile = ctx.helpers.parseFile(absolutePath);
-        if (!sourceFile)
-            continue;
-        const claims = mineIntentClaims(ctx, sourceFile, routes);
-        allClaims.push(...claims);
-    }
-    // Deduplicate by intentId
-    const seen = new Set();
-    return allClaims.filter((claim) => {
-        if (seen.has(claim.intentId)) {
-            return false;
-        }
-        seen.add(claim.intentId);
-        return true;
-    });
-}
-/**
- * Find claims that target a specific route
- */
-export function findClaimsForRoute(claims, routeId) {
-    return claims.filter((c) => c.targetRouteId === routeId || c.scope === "global" || c.scope === "module");
-}
-/**
- * Find unproven claims (claims without corresponding proof)
- */
-export function findUnprovenClaims(claims, proofTraces) {
-    const unproven = [];
-    for (const claim of claims) {
-        if (!claim.targetRouteId)
-            continue;
-        const proof = proofTraces.get(claim.targetRouteId);
-        if (!proof) {
-            unproven.push(claim);
-            continue;
-        }
-        // Check if the claim type matches the proof
-        if (claim.type === "AUTH_ENFORCED" && !proof.authProven) {
-            unproven.push(claim);
-        }
-        else if (claim.type === "INPUT_VALIDATED" && !proof.validationProven) {
-            unproven.push(claim);
-        }
-    }
-    return unproven;
-}

package/dist/phase3/proof-trace-builder.d.ts

@@ -1,42 +0,0 @@
-/**
- * Phase 3: Cross-file Proof Trace Builder
- *
- * Lightweight call-graph tracing for Next.js App Router.
- * Traces auth/validation through local imports (max depth 2).
- * Deterministic, local-only.
- */
-import type { ScanContext, RouteInfo, MiddlewareInfo, ProofTrace, CoverageMetrics } from "../scanners/types.js";
-/**
- * Generate a stable route ID from path, method, and file
- */
-export declare function generateRouteId(routePath: string, method: string, file: string): string;
-/**
- * Convert file path to URL path for Next.js App Router
- * e.g., "app/api/users/[id]/route.ts" -> "/api/users/[id]"
- */
-export declare function filePathToRoutePath(filePath: string): string;
-/**
- * Build route map from scan context
- */
-export declare function buildRouteMap(ctx: ScanContext): RouteInfo[];
-/**
- * Build middleware map from scan context
- */
-export declare function buildMiddlewareMap(ctx: ScanContext): MiddlewareInfo[];
-/**
- * Check if a route path is covered by middleware matchers
- */
-export declare function isRouteCoveredByMiddleware(routePath: string, matchers: string[]): boolean;
-/**
- * Trace auth/validation through a handler and its imports
- */
-export declare function buildProofTrace(ctx: ScanContext, route: RouteInfo): ProofTrace;
-/**
- * Calculate coverage metrics from routes and proof traces
- */
-export declare function calculateCoverage(routes: RouteInfo[], proofTraces: Map<string, ProofTrace>, middlewareMap: MiddlewareInfo[]): CoverageMetrics;
-/**
- * Build all proof traces for a scan context
- */
-export declare function buildAllProofTraces(ctx: ScanContext, routes: RouteInfo[]): Map<string, ProofTrace>;
-//# sourceMappingURL=proof-trace-builder.d.ts.map