@shipsafe/cli 0.1.0

package/dist/src/config/manager.js

@@ -0,0 +1,131 @@
+import * as fs from 'node:fs/promises';
+import { readFileSync, existsSync } from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { GLOBAL_DIR_NAME, CONFIG_FILE, DEFAULT_CONFIG, DEFAULT_API_URL } from '../constants.js';
+/**
+ * Deep merge two objects. Source values override target values.
+ * Arrays are replaced, not concatenated.
+ */
+function deepMerge(target, source) {
+    const result = { ...target };
+    for (const key of Object.keys(source)) {
+        const sourceVal = source[key];
+        const targetVal = result[key];
+        if (sourceVal !== null &&
+            sourceVal !== undefined &&
+            typeof sourceVal === 'object' &&
+            !Array.isArray(sourceVal) &&
+            targetVal !== null &&
+            targetVal !== undefined &&
+            typeof targetVal === 'object' &&
+            !Array.isArray(targetVal)) {
+            result[key] = deepMerge(targetVal, sourceVal);
+        }
+        else {
+            result[key] = sourceVal;
+        }
+    }
+    return result;
+}
+/**
+ * Returns the path to the global ShipSafe config directory (~/.shipsafe).
+ */
+export function getGlobalConfigDir() {
+    return path.join(os.homedir(), GLOBAL_DIR_NAME);
+}
+/**
+ * Reads a JSON config file and returns the parsed contents, or an empty
+ * object if the file does not exist or cannot be parsed.
+ */
+async function readConfigFile(filePath) {
+    try {
+        const raw = await fs.readFile(filePath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Reads the global config from ~/.shipsafe/config.json.
+ * Returns defaults if the file is missing.
+ */
+export async function loadGlobalConfig() {
+    const configPath = path.join(getGlobalConfigDir(), 'config.json');
+    const raw = await readConfigFile(configPath);
+    return deepMerge({ ...DEFAULT_CONFIG }, raw);
+}
+/**
+ * Reads the project config from <projectDir>/shipsafe.config.json.
+ * Returns defaults if the file is missing.
+ */
+export async function loadProjectConfig(projectDir) {
+    const dir = projectDir ?? process.cwd();
+    const configPath = path.join(dir, CONFIG_FILE);
+    const raw = await readConfigFile(configPath);
+    return deepMerge({ ...DEFAULT_CONFIG }, raw);
+}
+/**
+ * Merges global and project configs. Project config overrides global config.
+ * Merge order: defaults < global < project.
+ */
+export async function loadConfig(projectDir) {
+    const globalConfigPath = path.join(getGlobalConfigDir(), 'config.json');
+    const dir = projectDir ?? process.cwd();
+    const projectConfigPath = path.join(dir, CONFIG_FILE);
+    const globalRaw = await readConfigFile(globalConfigPath);
+    const projectRaw = await readConfigFile(projectConfigPath);
+    // Three-way merge: defaults < global raw < project raw
+    const withGlobal = deepMerge({ ...DEFAULT_CONFIG }, globalRaw);
+    return deepMerge(withGlobal, projectRaw);
+}
+/**
+ * Returns the API endpoint. Priority: SHIPSAFE_API_URL env var > config value > default.
+ */
+export function getApiEndpoint(config) {
+    const envUrl = process.env.SHIPSAFE_API_URL?.trim();
+    if (envUrl)
+        return envUrl;
+    if (config?.apiEndpoint)
+        return config.apiEndpoint;
+    return DEFAULT_API_URL;
+}
+/**
+ * Writes config to ~/.shipsafe/config.json, creating the directory if needed.
+ */
+export async function saveGlobalConfig(config) {
+    const dir = getGlobalConfigDir();
+    await fs.mkdir(dir, { recursive: true });
+    const configPath = path.join(dir, 'config.json');
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+}
+/**
+ * Writes config to <projectDir>/shipsafe.config.json.
+ */
+export async function saveProjectConfig(config, projectDir) {
+    const dir = projectDir ?? process.cwd();
+    const configPath = path.join(dir, CONFIG_FILE);
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+}
+/**
+ * Derives project name from package.json name field or falls back to directory name.
+ */
+export function getProjectName(projectDir) {
+    const dir = projectDir ?? process.cwd();
+    const pkgPath = path.join(dir, 'package.json');
+    try {
+        if (existsSync(pkgPath)) {
+            const raw = readFileSync(pkgPath, 'utf-8');
+            const pkg = JSON.parse(raw);
+            if (pkg.name) {
+                return pkg.name;
+            }
+        }
+    }
+    catch {
+        // fall through to directory name
+    }
+    return path.basename(dir);
+}
+//# sourceMappingURL=manager.js.map

package/dist/src/config/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../../src/config/manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEhG;;;GAGG;AACH,SAAS,SAAS,CAChB,MAA+B,EAC/B,MAA+B;IAE/B,MAAM,MAAM,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;IAEtD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAE9B,IACE,SAAS,KAAK,IAAI;YAClB,SAAS,KAAK,SAAS;YACvB,OAAO,SAAS,KAAK,QAAQ;YAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YACzB,SAAS,KAAK,IAAI;YAClB,SAAS,KAAK,SAAS;YACvB,OAAO,SAAS,KAAK,QAAQ;YAC7B,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EACzB,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CACrB,SAAoC,EACpC,SAAoC,CACrC,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAAC,QAAgB;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,aAAa,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAC7C,OAAO,SAAS,CACd,EAAE,GAAG,cAAc,EAA6B,EAChD,GAA8B,CACb,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAmB;IACzD,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IAC7C,OAAO,SAAS,CACd,EAAE,GAAG,cAAc,EAA6B,EAChD,GAA8B,CACb,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,UAAmB;IAClD,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,aAAa,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAEtD,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;IAE3D,uDAAuD;IACvD,MAAM,UAAU,GAAG,SAAS,CAC1B,EAAE,GAAG,cAAc,EAA6B,EAChD,SAAoC,CACrC,CAAC;IACF,OAAO,SAAS,CACd,UAAU,EACV,UAAqC,CACpB,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAA4C;IACzE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,EAAE,CAAC;IACpD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,MAAM,EAAE,WAAW;QAAE,OAAO,MAAM,CAAC,WAAW,CAAC;IACnD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAA+B;IACpE,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IACjC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAClF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAA+B,EAC/B,UAAmB;IAEnB,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAClF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,UAAmB;IAChD,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAE/C,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;YACjD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,IAAI,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC"}

package/dist/src/constants.d.ts

@@ -0,0 +1,28 @@
+export declare const SHIPSAFE_DIR = ".shipsafe";
+export declare const CONFIG_FILE = "shipsafe.config.json";
+export declare const GLOBAL_DIR_NAME = ".shipsafe";
+export declare const CLAUDE_MD_START = "<!-- shipsafe:start -->";
+export declare const CLAUDE_MD_END = "<!-- shipsafe:end -->";
+export declare const VERSION = "0.1.0";
+export declare const HOOK_MARKER = "# SHIPSAFE_HOOK";
+export declare const DEFAULT_API_URL = "http://localhost:3747";
+export declare const EXIT_CODES: {
+    readonly SUCCESS: 0;
+    readonly SCAN_FAIL: 1;
+    readonly TOOL_MISSING: 2;
+    readonly CONFIG_ERROR: 3;
+};
+export declare const SEVERITY_ORDER: Record<string, number>;
+export declare const DEFAULT_CONFIG: {
+    monitoring: {
+        enabled: boolean;
+        error_sample_rate: number;
+        performance_sample_rate: number;
+    };
+    scan: {
+        ignore_paths: string[];
+        ignore_rules: string[];
+        severity_threshold: string;
+    };
+};
+//# sourceMappingURL=constants.d.ts.map

package/dist/src/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,YAAY,cAAc,CAAC;AACxC,eAAO,MAAM,WAAW,yBAAyB,CAAC;AAClD,eAAO,MAAM,eAAe,cAAc,CAAC;AAC3C,eAAO,MAAM,eAAe,4BAA4B,CAAC;AACzD,eAAO,MAAM,aAAa,0BAA0B,CAAC;AACrD,eAAO,MAAM,OAAO,UAAU,CAAC;AAC/B,eAAO,MAAM,WAAW,oBAAoB,CAAC;AAC7C,eAAO,MAAM,eAAe,0BAA0B,CAAC;AAEvD,eAAO,MAAM,UAAU;;;;;CAKb,CAAC;AAEX,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAMjD,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE;IAC3B,UAAU,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAC;QAAC,uBAAuB,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7F,IAAI,EAAE;QAAE,YAAY,EAAE,MAAM,EAAE,CAAC;QAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAAC,kBAAkB,EAAE,MAAM,CAAA;KAAE,CAAC;CAYtF,CAAC"}

package/dist/src/constants.js

@@ -0,0 +1,34 @@
+export const SHIPSAFE_DIR = '.shipsafe';
+export const CONFIG_FILE = 'shipsafe.config.json';
+export const GLOBAL_DIR_NAME = '.shipsafe';
+export const CLAUDE_MD_START = '<!-- shipsafe:start -->';
+export const CLAUDE_MD_END = '<!-- shipsafe:end -->';
+export const VERSION = '0.1.0';
+export const HOOK_MARKER = '# SHIPSAFE_HOOK';
+export const DEFAULT_API_URL = 'http://localhost:3747';
+export const EXIT_CODES = {
+    SUCCESS: 0,
+    SCAN_FAIL: 1,
+    TOOL_MISSING: 2,
+    CONFIG_ERROR: 3,
+};
+export const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+};
+export const DEFAULT_CONFIG = {
+    monitoring: {
+        enabled: true,
+        error_sample_rate: 1.0,
+        performance_sample_rate: 1.0,
+    },
+    scan: {
+        ignore_paths: ['node_modules', 'dist', '.git', 'coverage'],
+        ignore_rules: [],
+        severity_threshold: 'high',
+    },
+};
+//# sourceMappingURL=constants.js.map

package/dist/src/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,YAAY,GAAG,WAAW,CAAC;AACxC,MAAM,CAAC,MAAM,WAAW,GAAG,sBAAsB,CAAC;AAClD,MAAM,CAAC,MAAM,eAAe,GAAG,WAAW,CAAC;AAC3C,MAAM,CAAC,MAAM,eAAe,GAAG,yBAAyB,CAAC;AACzD,MAAM,CAAC,MAAM,aAAa,GAAG,uBAAuB,CAAC;AACrD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAC/B,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAG,uBAAuB,CAAC;AAEvD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,OAAO,EAAE,CAAC;IACV,SAAS,EAAE,CAAC;IACZ,YAAY,EAAE,CAAC;IACf,YAAY,EAAE,CAAC;CACP,CAAC;AAEX,MAAM,CAAC,MAAM,cAAc,GAA2B;IACpD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAGvB;IACF,UAAU,EAAE;QACV,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE,GAAG;QACtB,uBAAuB,EAAE,GAAG;KAC7B;IACD,IAAI,EAAE;QACJ,YAAY,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC;QAC1D,YAAY,EAAE,EAAE;QAChB,kBAAkB,EAAE,MAAM;KAC3B;CACF,CAAC"}

package/dist/src/engines/graph/data-flow.d.ts

@@ -0,0 +1,36 @@
+import type { GraphStore } from './store.js';
+export interface DataFlowResult {
+    source: {
+        name: string;
+        filePath: string;
+        line: number;
+        type: string;
+    };
+    sink: {
+        name: string;
+        filePath: string;
+        line: number;
+        type: string;
+    };
+    path: string[];
+    hasSanitization: boolean;
+}
+/** Classify a function name as a taint source type, or null if not a source. */
+export declare function classifySource(name: string): string | null;
+/** Classify a function name as a taint sink type, or null if not a sink. */
+export declare function classifySink(name: string): string | null;
+/**
+ * Trace tainted data from source functions (user input, request params) through
+ * call chains to dangerous sinks (SQL, filesystem, shell) using BFS on the knowledge graph.
+ *
+ * Algorithm:
+ * 1. Find all functions in the graph.
+ * 2. Identify source functions (by name pattern).
+ * 3. For each source, find all callers (functions that call the source).
+ *    These callers handle tainted data.
+ * 4. BFS from each tainted caller, following callees up to depth MAX_DEPTH.
+ * 5. If BFS reaches a sink, record a DataFlowResult.
+ * 6. Mark as hasSanitization=true if any function in the path is a sanitizer.
+ */
+export declare function findDataFlows(store: GraphStore): Promise<DataFlowResult[]>;
+//# sourceMappingURL=data-flow.d.ts.map

package/dist/src/engines/graph/data-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-flow.d.ts","sourceRoot":"","sources":["../../../../src/engines/graph/data-flow.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAiB,MAAM,YAAY,CAAC;AA6B5D,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,eAAe,EAAE,OAAO,CAAC;CAC1B;AAID,gFAAgF;AAChF,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ1D;AAED,4EAA4E;AAC5E,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BxD;AASD;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAuIhF"}

package/dist/src/engines/graph/data-flow.js

@@ -0,0 +1,189 @@
+// ── Constants ──
+const SOURCE_PATTERNS = [
+    'request',
+    'req',
+    'body',
+    'params',
+    'query',
+    'getrequestbody',
+    'readline',
+    'input',
+    'formdata',
+];
+const SINK_PATTERNS = {
+    database: ['query', 'execute', 'exec', 'find', 'insert', 'update', 'delete', 'raw'],
+    filesystem: ['writefile', 'spawn'],
+    shell: ['exec', 'spawn'],
+    eval: ['eval', 'function'],
+};
+const SANITIZER_PATTERNS = ['valid', 'sanitiz', 'escape', 'clean', 'encode', 'parameteriz', 'prepare'];
+const MAX_DEPTH = 8;
+// ── Exported classifier functions ──
+/** Classify a function name as a taint source type, or null if not a source. */
+export function classifySource(name) {
+    const nameLower = name.toLowerCase();
+    for (const pattern of SOURCE_PATTERNS) {
+        if (nameLower.includes(pattern)) {
+            return 'user_input';
+        }
+    }
+    return null;
+}
+/** Classify a function name as a taint sink type, or null if not a sink. */
+export function classifySink(name) {
+    const nameLower = name.toLowerCase();
+    // Prioritize more specific types: eval > shell > filesystem > database
+    // Check eval first
+    if (nameLower === 'eval' || nameLower === 'function') {
+        return 'eval';
+    }
+    // shell: spawn, exec (but not execute/execSync — those go to database/shell)
+    // exec is both shell and database — shell takes priority
+    if (nameLower === 'exec' || nameLower === 'execsync' || nameLower === 'spawn' || nameLower === 'execfile') {
+        return 'shell';
+    }
+    // filesystem
+    if (nameLower === 'writefile') {
+        return 'filesystem';
+    }
+    // database
+    for (const pattern of SINK_PATTERNS['database']) {
+        if (nameLower === pattern.toLowerCase()) {
+            return 'database';
+        }
+    }
+    return null;
+}
+function isSanitizer(name) {
+    const nameLower = name.toLowerCase();
+    return SANITIZER_PATTERNS.some((p) => nameLower.includes(p));
+}
+// ── findDataFlows ──
+/**
+ * Trace tainted data from source functions (user input, request params) through
+ * call chains to dangerous sinks (SQL, filesystem, shell) using BFS on the knowledge graph.
+ *
+ * Algorithm:
+ * 1. Find all functions in the graph.
+ * 2. Identify source functions (by name pattern).
+ * 3. For each source, find all callers (functions that call the source).
+ *    These callers handle tainted data.
+ * 4. BFS from each tainted caller, following callees up to depth MAX_DEPTH.
+ * 5. If BFS reaches a sink, record a DataFlowResult.
+ * 6. Mark as hasSanitization=true if any function in the path is a sanitizer.
+ */
+export async function findDataFlows(store) {
+    // Step 1: Get all functions
+    const allFunctionsRaw = (await store.query('MATCH (fn:Function) RETURN fn.name AS name, fn.filePath AS filePath, fn.startLine AS line'));
+    if (allFunctionsRaw.length === 0) {
+        return [];
+    }
+    // Step 2: Identify source functions
+    const sourceFunctions = allFunctionsRaw.filter((fn) => {
+        const name = fn['name'];
+        return classifySource(name) !== null;
+    });
+    const results = [];
+    // Track source+sink pairs to avoid duplicates
+    const seen = new Set();
+    // Step 3 & 4: For each source, find callers and BFS their callees to find sinks
+    for (const sourceFn of sourceFunctions) {
+        const sourceName = sourceFn['name'];
+        const sourceType = classifySource(sourceName);
+        // Find all functions that call this source (i.e., functions that handle tainted data)
+        const callers = (await store.getCallers(sourceName, 1));
+        for (const caller of callers) {
+            // Pre-compute whether any function reachable from caller (within MAX_DEPTH)
+            // is a sanitizer. This captures sibling calls like:
+            //   safeHandler -> sanitizeInput (sanitizer)
+            //   safeHandler -> exec (sink)
+            // Even though sanitizeInput is not on the path to exec, it shows sanitization intent.
+            const allCalleesOfCaller = (await store.getCallees(caller.name, MAX_DEPTH));
+            const callerHasSanitizerInScope = isSanitizer(caller.name) ||
+                allCalleesOfCaller.some((fn) => isSanitizer(fn.name));
+            const queue = [
+                {
+                    fn: caller,
+                    path: [sourceName, caller.name],
+                    depth: 1,
+                },
+            ];
+            const visited = new Set();
+            visited.add(sourceName);
+            visited.add(caller.name);
+            while (queue.length > 0) {
+                const node = queue.shift();
+                const { fn, path, depth } = node;
+                // Check if current function is itself a sink
+                const sinkType = classifySink(fn.name);
+                if (sinkType !== null) {
+                    const key = `${sourceName}:${fn.name}`;
+                    if (!seen.has(key)) {
+                        seen.add(key);
+                        results.push({
+                            source: {
+                                name: sourceName,
+                                filePath: sourceFn['filePath'],
+                                line: sourceFn['line'],
+                                type: sourceType,
+                            },
+                            sink: {
+                                name: fn.name,
+                                filePath: fn.filePath,
+                                line: fn.startLine,
+                                type: sinkType,
+                            },
+                            path,
+                            hasSanitization: callerHasSanitizerInScope,
+                        });
+                    }
+                    // Don't continue BFS past a sink
+                    continue;
+                }
+                if (depth >= MAX_DEPTH)
+                    continue;
+                // Get direct callees of current function
+                const callees = (await store.getCallees(fn.name, 1));
+                for (const callee of callees) {
+                    if (visited.has(callee.name))
+                        continue;
+                    visited.add(callee.name);
+                    const calleeSinkType = classifySink(callee.name);
+                    const newPath = [...path, callee.name];
+                    if (calleeSinkType !== null) {
+                        // Found a sink!
+                        const key = `${sourceName}:${callee.name}`;
+                        if (!seen.has(key)) {
+                            seen.add(key);
+                            results.push({
+                                source: {
+                                    name: sourceName,
+                                    filePath: sourceFn['filePath'],
+                                    line: sourceFn['line'],
+                                    type: sourceType,
+                                },
+                                sink: {
+                                    name: callee.name,
+                                    filePath: callee.filePath,
+                                    line: callee.startLine,
+                                    type: calleeSinkType,
+                                },
+                                path: newPath,
+                                hasSanitization: callerHasSanitizerInScope,
+                            });
+                        }
+                    }
+                    else {
+                        queue.push({
+                            fn: callee,
+                            path: newPath,
+                            depth: depth + 1,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=data-flow.js.map

package/dist/src/engines/graph/data-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-flow.js","sourceRoot":"","sources":["../../../../src/engines/graph/data-flow.ts"],"names":[],"mappings":"AAEA,kBAAkB;AAElB,MAAM,eAAe,GAAG;IACtB,SAAS;IACT,KAAK;IACL,MAAM;IACN,QAAQ;IACR,OAAO;IACP,gBAAgB;IAChB,UAAU;IACV,OAAO;IACP,UAAU;CACX,CAAC;AAEF,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC;IACnF,UAAU,EAAE,CAAC,WAAW,EAAE,OAAO,CAAC;IAClC,KAAK,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IACxB,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;CAC3B,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;AAEvG,MAAM,SAAS,GAAG,CAAC,CAAC;AAqBpB,sCAAsC;AAEtC,gFAAgF;AAChF,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAErC,uEAAuE;IACvE,mBAAmB;IACnB,IAAI,SAAS,KAAK,MAAM,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAC7E,yDAAyD;IACzD,IAAI,SAAS,KAAK,MAAM,IAAI,SAAS,KAAK,UAAU,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC1G,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,aAAa;IACb,IAAI,SAAS,KAAK,WAAW,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,WAAW;IACX,KAAK,MAAM,OAAO,IAAI,aAAa,CAAC,UAAU,CAAE,EAAE,CAAC;QACjD,IAAI,SAAS,KAAK,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;YACxC,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,sBAAsB;AAEtB;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAiB;IACnD,4BAA4B;IAC5B,MAAM,eAAe,GAAG,CAAC,MAAM,KAAK,CAAC,KAAK,CACxC,2FAA2F,CAC5F,CAAmC,CAAC;IAErC,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,oCAAoC;IACpC,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,EAAE,CAAC,MAAM,CAAW,CAAC;QAClC,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAqB,EAAE,CAAC;IACrC,8CAA8C;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,gFAAgF;IAChF,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAW,CAAC;QAC9C,MAAM,UAAU,GAAG,cAAc,CAAC,UAAU,CAAE,CAAC;QAE/C,sFAAsF;QACtF,MAAM,OAAO,GAAG,CAAC,MAAM,KAAK,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC,CAAoB,CAAC;QAE3E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,4EAA4E;YAC5E,oDAAoD;YACpD,6CAA6C;YAC7C,+BAA+B;YAC/B,sFAAsF;YACtF,MAAM,kBAAkB,GAAG,CAAC,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,CAAoB,CAAC;YAC/F,MAAM,yBAAyB,GAC7B,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC;gBACxB,kBAAkB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;YASxD,MAAM,KAAK,GAAc;gBACvB;oBACE,EAAE,EAAE,MAAM;oBACV,IAAI,EAAE,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC;oBAC/B,KAAK,EAAE,CAAC;iBACT;aACF,CAAC;YAEF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAEzB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;gBAC5B,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;gBAEjC,6CAA6C;gBAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;gBACvC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;oBACvC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;wBACd,OAAO,CAAC,IAAI,CAAC;4BACX,MAAM,EAAE;gCACN,IAAI,EAAE,UAAU;gCAChB,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAW;gCACxC,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAW;gCAChC,IAAI,EAAE,UAAU;6BACjB;4BACD,IAAI,EAAE;gCACJ,IAAI,EAAE,EAAE,CAAC,IAAI;gCACb,QAAQ,EAAE,EAAE,CAAC,QAAQ;gCACrB,IAAI,EAAE,EAAE,CAAC,SAAS;gCAClB,IAAI,EAAE,QAAQ;6BACf;4BACD,IAAI;4BACJ,eAAe,EAAE,yBAAyB;yBAC3C,CAAC,CAAC;oBACL,CAAC;oBACD,iCAAiC;oBACjC,SAAS;gBACX,CAAC;gBAED,IAAI,KAAK,IAAI,SAAS;oBAAE,SAAS;gBAEjC,yCAAyC;gBACzC,MAAM,OAAO,GAAG,CAAC,MAAM,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAoB,CAAC;gBACxE,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;oBAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;wBAAE,SAAS;oBACvC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;oBAEzB,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;oBAEvC,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;wBAC5B,gBAAgB;wBAChB,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;wBAC3C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;4BACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;4BACd,OAAO,CAAC,IAAI,CAAC;gCACX,MAAM,EAAE;oCACN,IAAI,EAAE,UAAU;oCAChB,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAW;oCACxC,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAW;oCAChC,IAAI,EAAE,UAAU;iCACjB;gCACD,IAAI,EAAE;oCACJ,IAAI,EAAE,MAAM,CAAC,IAAI;oCACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oCACzB,IAAI,EAAE,MAAM,CAAC,SAAS;oCACtB,IAAI,EAAE,cAAc;iCACrB;gCACD,IAAI,EAAE,OAAO;gCACb,eAAe,EAAE,yBAAyB;6BAC3C,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,KAAK,CAAC,IAAI,CAAC;4BACT,EAAE,EAAE,MAAM;4BACV,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,KAAK,GAAG,CAAC;yBACjB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/src/engines/graph/index.d.ts

@@ -0,0 +1,20 @@
+import type { Finding, ScanScope } from '../../types.js';
+export interface GraphEngineResult {
+    findings: Finding[];
+    stats: {
+        filesScanned: number;
+        functionsFound: number;
+        classesFound: number;
+        callEdges: number;
+        attackPathsFound: number;
+    };
+    duration_ms: number;
+}
+/** Check if graph engine dependencies are available (tree-sitter, etc.) */
+export declare function isGraphEngineAvailable(): boolean;
+/** Run the full Knowledge Graph analysis on a project. */
+export declare function runGraphEngine(options: {
+    targetPath: string;
+    scope: ScanScope;
+}): Promise<GraphEngineResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/engines/graph/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/engines/graph/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAazD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,KAAK,EAAE;QACL,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,2EAA2E;AAC3E,wBAAgB,sBAAsB,IAAI,OAAO,CAOhD;AAED,0DAA0D;AAC1D,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;CAClB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAyF7B"}

package/dist/src/engines/graph/index.js

@@ -0,0 +1,100 @@
+import os from 'node:os';
+import path from 'node:path';
+import { rm, mkdir } from 'node:fs/promises';
+import { randomUUID } from 'node:crypto';
+import { initParser, parseProject } from './parser.js';
+import { createGraphStore } from './store.js';
+import { findAttackPaths, findBlastRadius, findMissingAuth, queryResultsToFindings, } from './queries.js';
+import { findDataFlows } from './data-flow.js';
+// ── Public API ──
+/** Check if graph engine dependencies are available (tree-sitter, etc.) */
+export function isGraphEngineAvailable() {
+    try {
+        // web-tree-sitter is a bundled dependency, so if we got here it's available
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Run the full Knowledge Graph analysis on a project. */
+export async function runGraphEngine(options) {
+    const startTime = Date.now();
+    const { targetPath } = options;
+    // 1. Initialize the parser
+    await initParser();
+    // 2. Parse project files
+    const parsedFiles = await parseProject(targetPath);
+    // 3. Create a temporary graph store
+    const tmpDir = path.join(os.tmpdir(), `shipsafe-graph-${randomUUID()}`);
+    await mkdir(tmpDir, { recursive: true });
+    const store = await createGraphStore(tmpDir);
+    try {
+        // 4. Build the graph from parsed files
+        await store.buildGraph(parsedFiles);
+        // 5. Compute stats
+        const totalFunctions = parsedFiles.reduce((sum, f) => sum + f.functions.length, 0);
+        const totalClasses = parsedFiles.reduce((sum, f) => sum + f.classes.length, 0);
+        const totalCallEdges = parsedFiles.reduce((sum, f) => sum + f.callSites.length, 0);
+        // 6. Run all security queries
+        const attackPaths = await findAttackPaths(store);
+        // Find blast radius for any known-vulnerable functions (sinks)
+        const sinkNames = new Set();
+        for (const ap of attackPaths) {
+            if (!ap.hasValidation) {
+                sinkNames.add(ap.sink.name);
+            }
+        }
+        const blastRadiusResults = [];
+        for (const sinkName of sinkNames) {
+            const br = await findBlastRadius(store, sinkName);
+            blastRadiusResults.push(br);
+        }
+        const missingAuth = await findMissingAuth(store);
+        // 7. Convert query results to findings
+        const findings = queryResultsToFindings(attackPaths, blastRadiusResults, missingAuth);
+        // 8. Run data flow taint analysis and add tainted_data_flow findings
+        const dataFlows = await findDataFlows(store);
+        let dfIdCounter = 0;
+        for (const flow of dataFlows) {
+            if (flow.hasSanitization)
+                continue; // sanitized flows are not findings
+            dfIdCounter++;
+            const severity = flow.sink.type === 'shell' || flow.sink.type === 'eval' ? 'critical' : 'high';
+            findings.push({
+                id: `kg-tainted-flow-${dfIdCounter}`,
+                engine: 'knowledge_graph',
+                severity,
+                type: 'tainted_data_flow',
+                file: flow.source.filePath,
+                line: flow.source.line,
+                description: `Tainted data flows from ${flow.source.name} (${flow.source.type}) to ${flow.sink.name} (${flow.sink.type} sink): ${flow.path.join(' -> ')}`,
+                fix_suggestion: `Add input sanitization or parameterization between ${flow.source.name} and ${flow.sink.name}`,
+                auto_fixable: false,
+            });
+        }
+        // 9. Return findings with stats and timing
+        return {
+            findings,
+            stats: {
+                filesScanned: parsedFiles.length,
+                functionsFound: totalFunctions,
+                classesFound: totalClasses,
+                callEdges: totalCallEdges,
+                attackPathsFound: attackPaths.length,
+            },
+            duration_ms: Date.now() - startTime,
+        };
+    }
+    finally {
+        // 10. Clean up (close graph store and remove temp directory)
+        await store.close();
+        try {
+            await rm(tmpDir, { recursive: true, force: true });
+        }
+        catch {
+            // Best-effort cleanup
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/src/engines/graph/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/engines/graph/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,eAAe,EACf,eAAe,EACf,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAgB/C,mBAAmB;AAEnB,2EAA2E;AAC3E,MAAM,UAAU,sBAAsB;IACpC,IAAI,CAAC;QACH,4EAA4E;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAGpC;IACC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAE/B,2BAA2B;IAC3B,MAAM,UAAU,EAAE,CAAC;IAEnB,yBAAyB;IACzB,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,UAAU,CAAC,CAAC;IAEnD,oCAAoC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,UAAU,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,uCAAuC;QACvC,MAAM,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAEpC,mBAAmB;QACnB,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACnF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC/E,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAEnF,8BAA8B;QAC9B,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;QAEjD,+DAA+D;QAC/D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;QACpC,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;YAC7B,IAAI,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC;gBACtB,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QACD,MAAM,kBAAkB,GAAG,EAAE,CAAC;QAC9B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAClD,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;QAEjD,uCAAuC;QACvC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,WAAW,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;QAEtF,qEAAqE;QACrE,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,eAAe;gBAAE,SAAS,CAAC,mCAAmC;YAEvE,WAAW,EAAE,CAAC;YACd,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;YAEhF,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,mBAAmB,WAAW,EAAE;gBACpC,MAAM,EAAE,iBAAiB;gBACzB,QAAQ;gBACR,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC1B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;gBACtB,WAAW,EAAE,2BAA2B,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;gBACzJ,cAAc,EAAE,sDAAsD,IAAI,CAAC,MAAM,CAAC,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAC9G,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;QAED,2CAA2C;QAC3C,OAAO;YACL,QAAQ;YACR,KAAK,EAAE;gBACL,YAAY,EAAE,WAAW,CAAC,MAAM;gBAChC,cAAc,EAAE,cAAc;gBAC9B,YAAY,EAAE,YAAY;gBAC1B,SAAS,EAAE,cAAc;gBACzB,gBAAgB,EAAE,WAAW,CAAC,MAAM;aACrC;YACD,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACpC,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,6DAA6D;QAC7D,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/src/engines/graph/parser.d.ts

@@ -0,0 +1,13 @@
+import type { SupportedLanguage, ParsedFile } from '../../types.js';
+/** Initialize tree-sitter. Must be called once before parsing. */
+export declare function initParser(): Promise<void>;
+/** Detect language from file extension. Returns null for unsupported files. */
+export declare function detectLanguage(filePath: string): SupportedLanguage | null;
+/** Parse a single file and extract structural nodes. */
+export declare function parseFile(filePath: string, content: string): Promise<ParsedFile>;
+/** Parse all supported files in a directory. */
+export declare function parseProject(projectDir: string, options?: {
+    include?: string[];
+    exclude?: string[];
+}): Promise<ParsedFile[]>;
+//# sourceMappingURL=parser.d.ts.map

package/dist/src/engines/graph/parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../../../src/engines/graph/parser.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,iBAAiB,EACjB,UAAU,EAMX,MAAM,gBAAgB,CAAC;AAWxB,kEAAkE;AAClE,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAGhD;AAED,+EAA+E;AAC/E,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAgBzE;AAED,wDAAwD;AACxD,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAiCtF;AAED,gDAAgD;AAChD,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GACnD,OAAO,CAAC,UAAU,EAAE,CAAC,CA0BvB"}