@schemyx/mcp 0.1.0 → 0.1.1

package/dist/codebase-scanner/backend.js

@@ -0,0 +1,814 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractBackendEndpointContracts = extractBackendEndpointContracts;
+exports.extractBackendOperations = extractBackendOperations;
+exports.extractBackendSideEffects = extractBackendSideEffects;
+exports.extractBackendErrors = extractBackendErrors;
+exports.extractBackendLogging = extractBackendLogging;
+exports.detectBackendFramework = detectBackendFramework;
+exports.backendReceiverToClassName = backendReceiverToClassName;
+const extractors_1 = require("./extractors");
+const utils_1 = require("./utils");
+const httpMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD'];
+const mutatingMethods = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function extractBackendEndpointContracts(relPath, content) {
+    return uniqueEndpointContracts([
+        ...extractNestEndpointContracts(relPath, content),
+        ...extractNextEndpointContracts(relPath, content),
+        ...extractRouterEndpointContracts(relPath, content),
+        ...extractLaravelEndpointContracts(relPath, content),
+        ...extractDjangoEndpointContracts(relPath, content),
+    ]);
+}
+function extractBackendOperations(relPath, content, owners) {
+    if (!owners.controllers.length && !owners.services.length && !owners.modules.length) {
+        return [];
+    }
+    const framework = detectBackendFramework(relPath, content);
+    const operations = [];
+    const ownerNames = (0, utils_1.unique)([...owners.controllers, ...owners.services, ...owners.modules]);
+    for (const owner of ownerNames) {
+        const ownerKind = owners.controllers.includes(owner)
+            ? 'controller'
+            : owners.services.includes(owner)
+                ? 'service'
+                : owners.modules.includes(owner)
+                    ? 'module'
+                    : 'unknown';
+        const classBlock = readClassBody(content, owner);
+        if (!classBlock) {
+            continue;
+        }
+        for (const method of readClassMethods(classBlock.body, classBlock.offset)) {
+            if (method.name === 'constructor') {
+                continue;
+            }
+            const serviceCalls = extractBackendServiceCalls(method.body, content, method.index);
+            const sideEffects = extractBackendSideEffects(method.body, content, method.index);
+            const errors = extractBackendErrors(method.body, content, method.index);
+            const logging = extractBackendLogging(method.body, content, method.index);
+            operations.push({
+                framework,
+                owner,
+                ownerKind,
+                name: method.name,
+                signature: `${method.name}(${compactWhitespace(method.params)})`,
+                line: (0, utils_1.lineNumberAt)(content, method.index),
+                params: parseBackendParams(method.params),
+                returnType: cleanType(method.returnType),
+                serviceCalls,
+                repositoryCalls: serviceCalls.filter((call) => call.kind === 'repository'),
+                sideEffects,
+                errors,
+                logging,
+                risk: backendRiskLabels({
+                    method: ownerKind === 'controller' ? undefined : undefined,
+                    auth: undefined,
+                    sideEffects,
+                    errors,
+                }),
+            });
+        }
+    }
+    return operations.slice(0, 120);
+}
+function extractBackendSideEffects(content, fullContent = content, offset = 0) {
+    const effects = [];
+    addSideEffects(effects, content, fullContent, offset, /\bthis\.([A-Za-z_$][\w$]*(?:Repository|Repo|Store))\.(create|update|upsert|delete|remove|save|insert)[A-Za-z_$\w]*/g, 'database-write', 'high');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:prisma|db|knex|sequelize|mongoose)\.[A-Za-z_$][\w$]*\.(create|update|upsert|delete|deleteMany|insert|save)\b/g, 'database-write', 'high');
+    addSideEffects(effects, content, fullContent, offset, /\bthis\.([A-Za-z_$][\w$]*(?:Email|Mailer|Mail|Notification)[A-Za-z_$\w]*)\.(send|notify|deliver)[A-Za-z_$\w]*/g, 'email', 'high');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:queue|dispatch|enqueue|schedule)\((['"`]?)([A-Za-z0-9_.:-]+)?\1/g, 'queue', 'medium');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:emit|publish|broadcast|subscribe)\(\s*['"`]([^'"`]+)['"`]/g, 'event', 'medium');
+    addSideEffects(effects, content, fullContent, offset, /\bresponse\.(cookie|clearCookie)\(/g, 'cookie', 'high');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:response|res)\.(?:set|setHeader|header)\(/g, 'header', 'medium');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:fetch|axios\.(?:get|post|put|patch|delete)|httpService\.(?:get|post|put|patch|delete))\(/g, 'external-api', 'medium');
+    addSideEffects(effects, content, fullContent, offset, /\b(?:cache|redis)\.(?:set|del|delete|expire|incr|decr)\(/g, 'cache', 'medium');
+    return uniqueSideEffects(effects).slice(0, 80);
+}
+function extractBackendErrors(content, fullContent = content, offset = 0) {
+    const errors = [];
+    for (const match of content.matchAll(/\bthrow\s+new\s+([A-Za-z_$][\w$]*)(?:\(\s*(['"`])([^'"`]*)\2)?/g)) {
+        errors.push({
+            kind: match[1],
+            ...(match[3] ? { message: match[3].slice(0, 180) } : {}),
+            statusCode: exceptionStatusCode(match[1]),
+            line: (0, utils_1.lineNumberAt)(fullContent, offset + match.index),
+        });
+    }
+    return errors.slice(0, 80);
+}
+function extractBackendLogging(content, fullContent = content, offset = 0) {
+    const logs = [];
+    for (const match of content.matchAll(/\b(?:this\.)?logger\.(log|warn|error|debug|verbose)\(\s*(?:`([^`]*)`|['"]([^'"]*)['"])?/g)) {
+        logs.push({
+            level: match[1],
+            message: (match[2] ?? match[3])?.replace(/\s+/g, ' ').trim().slice(0, 180),
+            line: (0, utils_1.lineNumberAt)(fullContent, offset + match.index),
+        });
+    }
+    return logs.slice(0, 80);
+}
+function detectBackendFramework(relPath, content) {
+    if (/@Controller\(|@Injectable\(|@Module\(/.test(content) || /@nestjs\//.test(content)) {
+        return 'nestjs';
+    }
+    if ((0, extractors_1.isNextRouteFile)(relPath)) {
+        return 'nextjs-route-handler';
+    }
+    if (/\b(?:router|app|server)\.(?:get|post|put|patch|delete)\(/i.test(content)) {
+        return 'node-router';
+    }
+    if (/Route::(?:get|post|put|patch|delete|options|any)\(/i.test(content)) {
+        return 'laravel';
+    }
+    if (/\bpath\(\s*['"]|url\(r?['"]/.test(content)) {
+        return 'django';
+    }
+    if (/Rails\.application\.routes|^\s*(?:get|post|patch|put|delete)\s+['"]/m.test(content)) {
+        return 'rails';
+    }
+    return 'generic-backend';
+}
+function extractNestEndpointContracts(relPath, content) {
+    const contracts = [];
+    const controller = readNestController(content);
+    if (!controller) {
+        return contracts;
+    }
+    const methodPattern = /((?:\s*@[A-Za-z_$][\w$]*(?:\([^)]*\))?\s*)+)\s*(?:public\s+|private\s+|protected\s+)?(?:async\s+)?([A-Za-z_$][\w$]*)\s*\(([\s\S]*?)\)\s*(?::\s*([^{]+))?\s*\{/g;
+    for (const match of content.matchAll(methodPattern)) {
+        const decorators = readDecorators(match[1]);
+        const routeDecorators = decorators.filter((decorator) => /^@(Get|Post|Put|Patch|Delete|Options|Head)\b/.test(decorator));
+        if (!routeDecorators.length) {
+            continue;
+        }
+        const openIndex = match.index + match[0].lastIndexOf('{');
+        const body = (0, extractors_1.readBalancedBlock)(content, openIndex) ?? '';
+        const bodyContexts = [
+            { body, offset: openIndex },
+            ...readLocalHelperMethodBodies(content, controller.name, body),
+        ];
+        const params = parseBackendParams(match[3]);
+        const auth = authPolicyFromDecorators(decorators, body);
+        const serviceCalls = extractBackendServiceCalls(body, content, openIndex);
+        const sideEffects = bodyContexts.flatMap((context) => extractBackendSideEffects(context.body, content, context.offset));
+        const errors = bodyContexts.flatMap((context) => extractBackendErrors(context.body, content, context.offset));
+        const logging = bodyContexts.flatMap((context) => extractBackendLogging(context.body, content, context.offset));
+        for (const decorator of routeDecorators) {
+            const route = readNestRouteDecorator(decorator);
+            const method = route.method;
+            const fullPath = joinRoutePaths(controller.basePath, route.path);
+            contracts.push({
+                framework: 'nestjs',
+                method,
+                path: route.path,
+                fullPath,
+                handler: `${method} ${(0, extractors_1.normalizeRoutePath)(fullPath)}`,
+                handlerName: match[2],
+                controller: controller.name,
+                line: (0, utils_1.lineNumberAt)(content, match.index),
+                decorators,
+                params,
+                request: requestContractFromParams(params),
+                response: {
+                    type: cleanType(match[4]),
+                    statusCodes: statusCodesFromDecorators(decorators, method),
+                    returns: extractReturnShapes(body),
+                },
+                auth,
+                validation: validationContractFromParams(params, decorators),
+                serviceCalls,
+                repositoryCalls: serviceCalls.filter((call) => call.kind === 'repository'),
+                sideEffects,
+                errors,
+                logging,
+                risk: backendRiskLabels({ method, auth, sideEffects, errors }),
+            });
+        }
+    }
+    return contracts;
+}
+function extractNextEndpointContracts(relPath, content) {
+    if (!(0, extractors_1.isNextRouteFile)(relPath)) {
+        return [];
+    }
+    const routePath = (0, extractors_1.toNextRoutePath)(relPath);
+    const contracts = [];
+    for (const method of httpMethods) {
+        const pattern = new RegExp(`export\\s+(?:async\\s+)?(?:function\\s+${method}\\s*\\(([^)]*)\\)\\s*(?::\\s*([^\\{]+))?\\{|const\\s+${method}\\s*=\\s*(?:async\\s*)?\\(([^)]*)\\)\\s*(?::\\s*([^=]+))?=>\\s*\\{)`, 'g');
+        for (const match of content.matchAll(pattern)) {
+            const openIndex = match.index + match[0].lastIndexOf('{');
+            const body = (0, extractors_1.readBalancedBlock)(content, openIndex) ?? '';
+            const params = parseBackendParams(match[1] ?? match[3] ?? '');
+            const serviceCalls = extractBackendServiceCalls(body, content, openIndex);
+            const sideEffects = extractBackendSideEffects(body, content, openIndex);
+            const errors = extractBackendErrors(body, content, openIndex);
+            const logging = extractBackendLogging(body, content, openIndex);
+            const auth = authPolicyFromDecorators([], body);
+            contracts.push({
+                framework: 'nextjs-route-handler',
+                method,
+                path: routePath,
+                fullPath: routePath,
+                handler: `${method} ${routePath}`,
+                handlerName: method,
+                line: (0, utils_1.lineNumberAt)(content, match.index),
+                decorators: [],
+                params,
+                request: requestContractFromParams(params),
+                response: {
+                    type: cleanType(match[2] ?? match[4]),
+                    statusCodes: statusCodesFromBody(body, method),
+                    returns: extractReturnShapes(body),
+                },
+                auth,
+                validation: validationContractFromParams(params, []),
+                serviceCalls,
+                repositoryCalls: serviceCalls.filter((call) => call.kind === 'repository'),
+                sideEffects,
+                errors,
+                logging,
+                risk: backendRiskLabels({ method, auth, sideEffects, errors }),
+            });
+        }
+    }
+    return contracts;
+}
+function extractRouterEndpointContracts(relPath, content) {
+    const contracts = [];
+    const pattern = /\b(?:router|app|server|route)\.(get|post|put|patch|delete|options|head)\(\s*['"`]([^'"`]+)['"`]([\s\S]*?)\);/gi;
+    for (const match of content.matchAll(pattern)) {
+        const method = match[1].toUpperCase();
+        const routePath = (0, extractors_1.normalizeRoutePath)(match[2]);
+        const callBody = match[3] ?? '';
+        const params = parseBackendParams(callBody.match(/\(([^)]*)\)\s*=>/)?.[1] ?? 'req, res');
+        const serviceCalls = extractBackendServiceCalls(callBody, content, match.index);
+        const sideEffects = extractBackendSideEffects(callBody, content, match.index);
+        const errors = extractBackendErrors(callBody, content, match.index);
+        const logging = extractBackendLogging(callBody, content, match.index);
+        const auth = authPolicyFromMiddleware(callBody);
+        contracts.push({
+            framework: detectBackendFramework(relPath, content),
+            method,
+            path: routePath,
+            fullPath: routePath,
+            handler: `${method} ${routePath}`,
+            line: (0, utils_1.lineNumberAt)(content, match.index),
+            decorators: [],
+            params,
+            request: requestContractFromParams(params),
+            response: {
+                statusCodes: statusCodesFromBody(callBody, method),
+                returns: extractReturnShapes(callBody),
+            },
+            auth,
+            validation: validationContractFromParams(params, []),
+            serviceCalls,
+            repositoryCalls: serviceCalls.filter((call) => call.kind === 'repository'),
+            sideEffects,
+            errors,
+            logging,
+            risk: backendRiskLabels({ method, auth, sideEffects, errors }),
+        });
+    }
+    return contracts;
+}
+function extractLaravelEndpointContracts(relPath, content) {
+    const contracts = [];
+    for (const match of content.matchAll(/Route::(get|post|put|patch|delete|options|any)\(\s*['"`]([^'"`]+)['"`]([\s\S]*?)\);/gi)) {
+        const method = match[1].toLowerCase() === 'any' ? 'ANY' : match[1].toUpperCase();
+        const routePath = (0, extractors_1.normalizeRoutePath)(match[2]);
+        const callBody = match[3] ?? '';
+        const auth = authPolicyFromMiddleware(callBody);
+        contracts.push({
+            framework: 'laravel',
+            method,
+            path: routePath,
+            fullPath: routePath,
+            handler: `${method} ${routePath}`,
+            line: (0, utils_1.lineNumberAt)(content, match.index),
+            decorators: [],
+            params: [],
+            request: { pathParams: [], usesRequest: /\$request/.test(callBody), usesResponse: false },
+            response: {
+                statusCodes: statusCodesFromBody(callBody, method),
+                returns: extractReturnShapes(callBody),
+            },
+            auth,
+            validation: {
+                pathParams: [],
+                decorators: [],
+                confidence: /\bvalidate\(/.test(callBody) ? 'medium' : 'low',
+            },
+            serviceCalls: extractBackendServiceCalls(callBody, content, match.index),
+            repositoryCalls: extractBackendServiceCalls(callBody, content, match.index).filter((call) => call.kind === 'repository'),
+            sideEffects: extractBackendSideEffects(callBody, content, match.index),
+            errors: extractBackendErrors(callBody, content, match.index),
+            logging: extractBackendLogging(callBody, content, match.index),
+            risk: backendRiskLabels({ method, auth, sideEffects: [], errors: [] }),
+        });
+    }
+    return contracts;
+}
+function extractDjangoEndpointContracts(relPath, content) {
+    const contracts = [];
+    for (const match of content.matchAll(/\bpath\(\s*['"]([^'"]+)['"]\s*,\s*([A-Za-z_][\w.]*)/g)) {
+        const routePath = (0, extractors_1.normalizeRoutePath)(match[1]);
+        const auth = authPolicyFromMiddleware(content);
+        contracts.push({
+            framework: 'django',
+            method: 'ANY',
+            path: routePath,
+            fullPath: routePath,
+            handler: `ANY ${routePath}`,
+            handlerName: match[2],
+            line: (0, utils_1.lineNumberAt)(content, match.index),
+            decorators: [],
+            params: [],
+            request: { pathParams: [], usesRequest: true, usesResponse: false },
+            response: { statusCodes: [], returns: [] },
+            auth,
+            validation: { pathParams: [], decorators: [], confidence: 'low' },
+            serviceCalls: [],
+            repositoryCalls: [],
+            sideEffects: [],
+            errors: [],
+            logging: [],
+            risk: backendRiskLabels({ method: 'ANY', auth, sideEffects: [], errors: [] }),
+        });
+    }
+    return contracts;
+}
+function extractBackendServiceCalls(content, fullContent = content, offset = 0) {
+    const calls = [];
+    for (const match of content.matchAll(/\b(await\s+)?this\.([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\(/g)) {
+        if (shouldSkipBackendCallReceiver(match[2])) {
+            continue;
+        }
+        calls.push({
+            receiver: match[2],
+            method: match[3],
+            await: Boolean(match[1]),
+            line: (0, utils_1.lineNumberAt)(fullContent, offset + match.index),
+            kind: classifyCallReceiver(match[2]),
+        });
+    }
+    for (const match of content.matchAll(/\b(await\s+)?([A-Za-z_$][\w$]*(?:Service|Repository|Client|Provider))\.([A-Za-z_$][\w$]*)\(/g)) {
+        if (content[match.index - 1] === '.' || shouldSkipBackendCallReceiver(match[2])) {
+            continue;
+        }
+        calls.push({
+            receiver: match[2],
+            method: match[3],
+            await: Boolean(match[1]),
+            line: (0, utils_1.lineNumberAt)(fullContent, offset + match.index),
+            kind: classifyCallReceiver(match[2]),
+        });
+    }
+    return uniqueServiceCalls(calls).slice(0, 80);
+}
+function readNestController(content) {
+    const decorator = content.match(/@Controller\(\s*(?:['"`]([^'"`]*)['"`])?/);
+    const classMatch = content.match(/(?:export\s+)?class\s+([A-Za-z_$][\w$]*)/);
+    if (!decorator || !classMatch) {
+        return undefined;
+    }
+    return {
+        name: classMatch[1],
+        basePath: decorator[1] ? (0, extractors_1.normalizeRoutePath)(decorator[1]) : '/',
+    };
+}
+function readNestRouteDecorator(decorator) {
+    const match = decorator.match(/^@(Get|Post|Put|Patch|Delete|Options|Head)\(([^)]*)\)/);
+    const method = match?.[1]?.toUpperCase() ?? 'ANY';
+    const routeValue = match?.[2]?.match(/['"`]([^'"`]*)['"`]/)?.[1] ?? '';
+    return { method, path: (0, extractors_1.normalizeRoutePath)(routeValue) };
+}
+function readDecorators(block) {
+    return (0, utils_1.unique)(Array.from(block.matchAll(/@[A-Za-z_$][\w$]*(?:\([^)]*\))?/g)).map((match) => compactWhitespace(match[0])));
+}
+function parseBackendParams(paramsSource) {
+    const params = [];
+    for (const rawParam of splitTopLevelParams(paramsSource)) {
+        const source = backendParamSource(rawParam);
+        const decorator = rawParam.match(/@([A-Za-z_$][\w$]*)/)?.[1];
+        const decoratorName = rawParam.match(/@\w+\(\s*['"`]([^'"`]*)['"`]/)?.[1];
+        const withoutDecorators = rawParam.replace(/@[A-Za-z_$][\w$]*(?:\([^)]*\))?\s*/g, '').trim();
+        const name = withoutDecorators.match(/([A-Za-z_$][\w$]*)\??\s*(?::|=|$)/)?.[1];
+        const type = withoutDecorators.match(/:\s*([^=,]+)/)?.[1]?.trim();
+        if (!name && !decoratorName) {
+            continue;
+        }
+        params.push({
+            name: decoratorName || name || 'param',
+            source,
+            ...(type ? { type: cleanType(type) } : {}),
+            required: !/\?:/.test(withoutDecorators),
+            ...(decorator ? { decorator } : {}),
+        });
+    }
+    return params;
+}
+function splitTopLevelParams(source) {
+    const params = [];
+    let start = 0;
+    let depth = 0;
+    let quote;
+    for (let index = 0; index < source.length; index += 1) {
+        const char = source[index];
+        if (quote) {
+            if (char === quote && source[index - 1] !== '\\') {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === '"' || char === "'" || char === '`') {
+            quote = char;
+            continue;
+        }
+        if (char === '(' || char === '[' || char === '{' || char === '<') {
+            depth += 1;
+        }
+        else if (char === ')' || char === ']' || char === '}' || char === '>') {
+            depth = Math.max(0, depth - 1);
+        }
+        else if (char === ',' && depth === 0) {
+            params.push(source.slice(start, index).trim());
+            start = index + 1;
+        }
+    }
+    const tail = source.slice(start).trim();
+    if (tail) {
+        params.push(tail);
+    }
+    return params.filter(Boolean);
+}
+function backendParamSource(rawParam) {
+    if (/@Body\b/.test(rawParam) || /\bbody\b/i.test(rawParam)) {
+        return 'body';
+    }
+    if (/@Query\b/.test(rawParam) || /\bquery\b/i.test(rawParam)) {
+        return 'query';
+    }
+    if (/@Param\b/.test(rawParam) || /\bparams?\b/i.test(rawParam)) {
+        return 'path';
+    }
+    if (/@Req\b|Request\b|\breq\b/.test(rawParam)) {
+        return 'request';
+    }
+    if (/@Res\b|Response\b|\bres\b/.test(rawParam)) {
+        return 'response';
+    }
+    if (/@CurrentUser\b|AuthenticatedUser\b|\buser\b/.test(rawParam)) {
+        return 'current-user';
+    }
+    return 'unknown';
+}
+function requestContractFromParams(params) {
+    return {
+        bodyType: params.find((param) => param.source === 'body')?.type,
+        queryType: params.find((param) => param.source === 'query')?.type,
+        pathParams: params.filter((param) => param.source === 'path'),
+        usesRequest: params.some((param) => param.source === 'request'),
+        usesResponse: params.some((param) => param.source === 'response'),
+    };
+}
+function validationContractFromParams(params, decorators) {
+    const bodyType = params.find((param) => param.source === 'body')?.type;
+    const queryType = params.find((param) => param.source === 'query')?.type;
+    const validationDecorators = decorators.filter((decorator) => /^@(UsePipes|Body|Query|Param)\b/.test(decorator));
+    return {
+        ...(bodyType ? { bodyType } : {}),
+        ...(queryType ? { queryType } : {}),
+        pathParams: params.filter((param) => param.source === 'path'),
+        decorators: validationDecorators,
+        confidence: bodyType || queryType || validationDecorators.length ? 'high' : 'medium',
+    };
+}
+function authPolicyFromDecorators(decorators, body) {
+    const joined = `${decorators.join(' ')} ${body}`;
+    const guards = (0, utils_1.unique)(Array.from(joined.matchAll(/\b([A-Za-z_$][\w$]*(?:Guard|Auth|Policy|Middleware))\b/g)).map((match) => match[1]));
+    const roles = (0, utils_1.unique)(Array.from(joined.matchAll(/Roles?\(([^)]*)\)/g))
+        .flatMap((match) => Array.from(match[1].matchAll(/['"`]([^'"`]+)['"`]/g)).map((item) => item[1]))
+        .filter(Boolean));
+    const permissions = (0, utils_1.unique)(Array.from(joined.matchAll(/Permissions?\(([^)]*)\)/g))
+        .flatMap((match) => Array.from(match[1].matchAll(/['"`]([^'"`]+)['"`]/g)).map((item) => item[1]))
+        .filter(Boolean));
+    const publicEndpoint = decorators.some((decorator) => /^@(Public|AllowAnonymous)\b/.test(decorator));
+    return {
+        required: !publicEndpoint && guards.length > 0,
+        public: publicEndpoint || guards.length === 0,
+        guards,
+        roles,
+        permissions,
+        hints: authHintsFromText(joined),
+        confidence: guards.length || roles.length || permissions.length ? 'high' : 'medium',
+    };
+}
+function authPolicyFromMiddleware(source) {
+    const guards = (0, utils_1.unique)(Array.from(source.matchAll(/\b([A-Za-z_$][\w$]*(?:Auth|Guard|Policy|Middleware|Permission)[A-Za-z_$\w]*)\b/g)).map((match) => match[1]));
+    return {
+        required: guards.length > 0,
+        public: guards.length === 0,
+        guards,
+        roles: [],
+        permissions: [],
+        hints: authHintsFromText(source),
+        confidence: guards.length ? 'medium' : 'low',
+    };
+}
+function authHintsFromText(source) {
+    return [
+        'auth',
+        'authenticated',
+        'authorize',
+        'permission',
+        'role',
+        'guard',
+        'session',
+        'csrf',
+        'jwt',
+        'token',
+    ].filter((hint) => new RegExp(`\\b${hint}\\b`, 'i').test(source));
+}
+function statusCodesFromDecorators(decorators, method) {
+    const codes = decorators
+        .map((decorator) => Number(decorator.match(/@HttpCode\(\s*(\d+)/)?.[1]))
+        .filter((code) => Number.isInteger(code));
+    if (codes.length) {
+        return (0, utils_1.unique)(codes);
+    }
+    if (method === 'POST') {
+        return [201];
+    }
+    if (method === 'DELETE') {
+        return [200, 204];
+    }
+    return [200];
+}
+function statusCodesFromBody(body, method) {
+    const codes = Array.from(body.matchAll(/\bstatus\(\s*(\d{3})\s*\)|status\s*:\s*(\d{3})/g))
+        .map((match) => Number(match[1] ?? match[2]))
+        .filter((code) => Number.isInteger(code));
+    return codes.length ? (0, utils_1.unique)(codes) : statusCodesFromDecorators([], method);
+}
+function extractReturnShapes(body) {
+    const returns = new Set();
+    for (const match of body.matchAll(/\breturn\s+([^;\n]+)/g)) {
+        returns.add(compactWhitespace(match[1]).slice(0, 180));
+    }
+    return Array.from(returns).slice(0, 20);
+}
+function classifyCallReceiver(receiver) {
+    if (/(Repository|Repo|Store)$/i.test(receiver)) {
+        return 'repository';
+    }
+    if (/Service$/i.test(receiver)) {
+        return 'service';
+    }
+    if (/(Client|Http|Api)$/i.test(receiver)) {
+        return 'client';
+    }
+    if (/(Provider|Gateway|Manager)$/i.test(receiver)) {
+        return 'provider';
+    }
+    return /repository|repo|store/i.test(receiver)
+        ? 'repository'
+        : /service/i.test(receiver)
+            ? 'service'
+            : /client|http|api/i.test(receiver)
+                ? 'client'
+                : 'unknown';
+}
+function shouldSkipBackendCallReceiver(receiver) {
+    return /^(logger|console)$/i.test(receiver);
+}
+function addSideEffects(effects, content, fullContent, offset, pattern, kind, confidence) {
+    for (const match of content.matchAll(pattern)) {
+        effects.push({
+            kind,
+            target: match[1] &&
+                !/^(create|update|upsert|delete|remove|save|insert|send|notify|deliver|cookie|clearCookie)$/i.test(match[1])
+                ? match[1]
+                : undefined,
+            operation: match[2] ?? match[1],
+            line: (0, utils_1.lineNumberAt)(fullContent, offset + match.index),
+            confidence,
+        });
+    }
+}
+function backendRiskLabels(input) {
+    const labels = new Set();
+    if (input.method && mutatingMethods.has(input.method)) {
+        labels.add('mutation');
+    }
+    if (input.method === 'DELETE') {
+        labels.add('destructive');
+    }
+    if (input.auth?.required) {
+        labels.add('auth-protected');
+    }
+    else if (input.auth?.public) {
+        labels.add('public');
+    }
+    for (const effect of input.sideEffects) {
+        labels.add(effect.kind);
+    }
+    if (input.errors.length) {
+        labels.add('throws');
+    }
+    return Array.from(labels).sort();
+}
+function readClassBody(content, className) {
+    const classMatch = new RegExp(`class\\s+${className}\\b[^{]*\\{`).exec(content);
+    if (!classMatch) {
+        return undefined;
+    }
+    const openIndex = classMatch.index + classMatch[0].lastIndexOf('{');
+    const block = (0, extractors_1.readBalancedBlock)(content, openIndex);
+    if (!block) {
+        return undefined;
+    }
+    return {
+        body: block.slice(1, -1),
+        offset: openIndex + 1,
+    };
+}
+function readClassMethods(classBody, offset) {
+    const methods = [];
+    const pattern = /(?:^|\n)\s*(?:public\s+|private\s+|protected\s+)?(?:async\s+)?([A-Za-z_$][\w$]*)\s*\(([\s\S]*?)\)\s*/g;
+    let match;
+    while ((match = pattern.exec(classBody))) {
+        if (/(if|for|while|switch|catch|function)$/.test(match[1])) {
+            continue;
+        }
+        const methodBody = findMethodBodyOpen(classBody, pattern.lastIndex);
+        if (!methodBody) {
+            continue;
+        }
+        const openIndex = methodBody.openIndex;
+        const body = (0, extractors_1.readBalancedBlock)(classBody, openIndex);
+        if (!body) {
+            continue;
+        }
+        methods.push({
+            name: match[1],
+            params: match[2],
+            returnType: methodBody.returnType,
+            body,
+            index: offset + match.index,
+        });
+        pattern.lastIndex = openIndex + body.length;
+    }
+    return methods;
+}
+function findMethodBodyOpen(source, startIndex) {
+    let index = startIndex;
+    while (/\s/.test(source[index] ?? '')) {
+        index += 1;
+    }
+    if (source[index] !== ':') {
+        const openIndex = source.indexOf('{', index);
+        return openIndex >= 0 ? { openIndex } : undefined;
+    }
+    const typeStart = index + 1;
+    index = typeStart;
+    let quote;
+    let angleDepth = 0;
+    let braceDepth = 0;
+    let parenDepth = 0;
+    let bracketDepth = 0;
+    for (; index < source.length; index += 1) {
+        const char = source[index];
+        if (quote) {
+            if (char === quote && source[index - 1] !== '\\') {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === '"' || char === "'" || char === '`') {
+            quote = char;
+            continue;
+        }
+        if (char === '<') {
+            angleDepth += 1;
+            continue;
+        }
+        if (char === '>') {
+            angleDepth = Math.max(0, angleDepth - 1);
+            continue;
+        }
+        if (char === '(') {
+            parenDepth += 1;
+            continue;
+        }
+        if (char === ')') {
+            parenDepth = Math.max(0, parenDepth - 1);
+            continue;
+        }
+        if (char === '[') {
+            bracketDepth += 1;
+            continue;
+        }
+        if (char === ']') {
+            bracketDepth = Math.max(0, bracketDepth - 1);
+            continue;
+        }
+        if (char === '{') {
+            if (angleDepth === 0 && braceDepth === 0 && parenDepth === 0 && bracketDepth === 0) {
+                const previous = previousNonWhitespace(source, index - 1);
+                if (previous !== ':' && previous !== '=' && previous !== '|') {
+                    return {
+                        openIndex: index,
+                        returnType: cleanType(source.slice(typeStart, index)),
+                    };
+                }
+            }
+            braceDepth += 1;
+            continue;
+        }
+        if (char === '}') {
+            braceDepth = Math.max(0, braceDepth - 1);
+        }
+    }
+    return undefined;
+}
+function previousNonWhitespace(source, startIndex) {
+    for (let index = startIndex; index >= 0; index -= 1) {
+        if (!/\s/.test(source[index])) {
+            return source[index];
+        }
+    }
+    return undefined;
+}
+function readLocalHelperMethodBodies(content, className, callerBody) {
+    const classBlock = readClassBody(content, className);
+    if (!classBlock) {
+        return [];
+    }
+    const methods = readClassMethods(classBlock.body, classBlock.offset);
+    const helpers = (0, utils_1.unique)(Array.from(callerBody.matchAll(/\bthis\.([A-Za-z_$][\w$]*)\(/g)).map((match) => match[1]));
+    return methods
+        .filter((method) => helpers.includes(method.name))
+        .map((method) => ({ body: method.body, offset: method.index }));
+}
+function cleanType(value) {
+    return value?.replace(/\s+/g, ' ').replace(/\{$/, '').trim() || undefined;
+}
+function compactWhitespace(value) {
+    return value.replace(/\s+/g, ' ').trim();
+}
+function joinRoutePaths(basePath, routePath) {
+    return (0, extractors_1.normalizeRoutePath)(`${(0, extractors_1.normalizeRoutePath)(basePath)}/${routePath.replace(/^\/+/, '')}`);
+}
+function uniqueEndpointContracts(contracts) {
+    const seen = new Set();
+    return contracts.filter((contract) => {
+        const key = `${contract.method} ${contract.fullPath ?? contract.path} ${contract.handlerName ?? ''}`;
+        if (seen.has(key)) {
+            return false;
+        }
+        seen.add(key);
+        return true;
+    });
+}
+function uniqueServiceCalls(calls) {
+    const seen = new Set();
+    return calls.filter((call) => {
+        const key = `${call.receiver}.${call.method}.${call.line}`;
+        if (seen.has(key)) {
+            return false;
+        }
+        seen.add(key);
+        return true;
+    });
+}
+function uniqueSideEffects(effects) {
+    const seen = new Set();
+    return effects.filter((effect) => {
+        const key = `${effect.kind}.${effect.target ?? ''}.${effect.operation ?? ''}.${effect.line}`;
+        if (seen.has(key)) {
+            return false;
+        }
+        seen.add(key);
+        return true;
+    });
+}
+function exceptionStatusCode(name) {
+    const statusByException = {
+        BadRequestException: 400,
+        UnauthorizedException: 401,
+        ForbiddenException: 403,
+        NotFoundException: 404,
+        ConflictException: 409,
+        GoneException: 410,
+        UnprocessableEntityException: 422,
+        TooManyRequestsException: 429,
+        InternalServerErrorException: 500,
+    };
+    return statusByException[name];
+}
+function backendReceiverToClassName(receiver) {
+    return (0, utils_1.toPascalCase)(receiver);
+}
+//# sourceMappingURL=backend.js.map