@trust-assurance-protocol/owaspscan 1.0.0

package/dist/config/loader.js

@@ -0,0 +1,81 @@
+// ============================================================
+// Config Loader — finds and merges owaspscan.config.json
+// Search order: --config <path> → ./owaspscan.config.json → ./.owaspscanrc → defaults
+// CLI flags passed as overrides always win
+// ============================================================
+import fs from 'fs';
+import path from 'path';
+import { DEFAULT_CONFIG } from './schema.js';
+const CONFIG_FILENAMES = ['owaspscan.config.json', '.owaspscanrc'];
+function tryReadJson(filePath) {
+    try {
+        const raw = fs.readFileSync(filePath, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Find the config file, starting from the given directory and walking up to the filesystem root.
+ */
+function findConfigFile(startDir) {
+    let dir = startDir;
+    const root = path.parse(dir).root;
+    while (true) {
+        for (const name of CONFIG_FILENAMES) {
+            const candidate = path.join(dir, name);
+            if (fs.existsSync(candidate))
+                return candidate;
+        }
+        if (dir === root)
+            break;
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Load the effective config by merging: defaults < config file < CLI overrides.
+ *
+ * @param cliOverrides Partial config from CLI flags (undefined fields are ignored)
+ * @param explicitConfigPath Path from --config flag (overrides auto-discovery)
+ * @param searchDir Directory to start config file search from (default: cwd)
+ */
+export function loadConfig(cliOverrides = {}, explicitConfigPath, searchDir = process.cwd()) {
+    let fileConfig = {};
+    if (explicitConfigPath) {
+        const parsed = tryReadJson(path.resolve(explicitConfigPath));
+        if (!parsed) {
+            process.stderr.write(`Warning: Could not read config file at ${explicitConfigPath}\n`);
+        }
+        else {
+            fileConfig = parsed;
+        }
+    }
+    else {
+        const found = findConfigFile(searchDir);
+        if (found) {
+            const parsed = tryReadJson(found);
+            if (parsed) {
+                fileConfig = parsed;
+            }
+        }
+    }
+    // Merge: defaults < file config < CLI overrides (only defined keys from CLI win)
+    const merged = { ...DEFAULT_CONFIG };
+    for (const key of Object.keys(fileConfig)) {
+        if (fileConfig[key] !== undefined) {
+            merged[key] = fileConfig[key];
+        }
+    }
+    for (const key of Object.keys(cliOverrides)) {
+        if (cliOverrides[key] !== undefined) {
+            merged[key] = cliOverrides[key];
+        }
+    }
+    return merged;
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,yDAAyD;AACzD,sFAAsF;AACtF,2CAA2C;AAC3C,+DAA+D;AAE/D,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,gBAAgB,GAAG,CAAC,uBAAuB,EAAE,cAAc,CAAC,CAAC;AAEnE,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;IAElC,OAAO,IAAI,EAAE,CAAC;QACZ,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;YACpC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACvC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;gBAAE,OAAO,SAAS,CAAC;QACjD,CAAC;QACD,IAAI,GAAG,KAAK,IAAI;YAAE,MAAM;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CACxB,eAAyC,EAAE,EAC3C,kBAA2B,EAC3B,YAAoB,OAAO,CAAC,GAAG,EAAE;IAEjC,IAAI,UAAU,GAAoB,EAAE,CAAC;IAErC,IAAI,kBAAkB,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,kBAAkB,IAAI,CAAC,CAAC;QACzF,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,MAAM,CAAC;QACtB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YAClC,IAAI,MAAM,EAAE,CAAC;gBACX,UAAU,GAAG,MAAM,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,MAAM,MAAM,GAA8B,EAAE,GAAG,cAAc,EAAE,CAAC;IAEhE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAA8B,EAAE,CAAC;QACvE,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YACjC,MAAkC,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAA8B,EAAE,CAAC;QACzE,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,MAAkC,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/config/schema.d.ts

@@ -0,0 +1,23 @@
+import type { Confidence, FailOnLevel, OutputFormat } from '../types/index.js';
+export interface OWASPScanConfig {
+    /** OWASP category prefixes to scan (e.g. ["A01", "A03", "LLM01"]). Default: all */
+    rules?: string[];
+    /** Glob patterns to exclude from scanning */
+    exclude?: string[];
+    /** Exit code 1 if any finding at this severity or above */
+    failOn?: FailOnLevel;
+    /** Only report findings at this confidence level or higher */
+    minConfidence?: Confidence;
+    /** Output format */
+    format?: OutputFormat;
+    /** Show fix suggestions and references */
+    verbose?: boolean;
+    /** Run SCA dependency scanning against OSV database */
+    sca?: boolean;
+    /** Use Claude AI to verify low-confidence findings (requires ANTHROPIC_API_KEY) */
+    aiVerify?: boolean;
+    /** Max number of LLM API calls per scan run */
+    aiVerifyLimit?: number;
+}
+export declare const DEFAULT_CONFIG: Required<OWASPScanConfig>;
+//# sourceMappingURL=schema.d.ts.map

package/dist/config/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE/E,MAAM,WAAW,eAAe;IAC9B,mFAAmF;IACnF,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,8DAA8D;IAC9D,aAAa,CAAC,EAAE,UAAU,CAAC;IAC3B,oBAAoB;IACpB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,mFAAmF;IACnF,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,eAAO,MAAM,cAAc,EAAE,QAAQ,CAAC,eAAe,CAUpD,CAAC"}

package/dist/config/schema.js

@@ -0,0 +1,17 @@
+// ============================================================
+// OWASPScan Configuration Schema
+// Supports owaspscan.config.json or .owaspscanrc in project root
+// CLI flags always override config file values
+// ============================================================
+export const DEFAULT_CONFIG = {
+    rules: [],
+    exclude: [],
+    failOn: 'never',
+    minConfidence: 'LOW',
+    format: 'console',
+    verbose: false,
+    sca: false,
+    aiVerify: false,
+    aiVerifyLimit: 50,
+};
+//# sourceMappingURL=schema.js.map

package/dist/config/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,iCAAiC;AACjC,iEAAiE;AACjE,+CAA+C;AAC/C,+DAA+D;AAyB/D,MAAM,CAAC,MAAM,cAAc,GAA8B;IACvD,KAAK,EAAE,EAAE;IACT,OAAO,EAAE,EAAE;IACX,MAAM,EAAE,OAAO;IACf,aAAa,EAAE,KAAK;IACpB,MAAM,EAAE,SAAS;IACjB,OAAO,EAAE,KAAK;IACd,GAAG,EAAE,KAAK;IACV,QAAQ,EAAE,KAAK;IACf,aAAa,EAAE,EAAE;CAClB,CAAC"}

package/dist/mcp/server.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=server.d.ts.map

package/dist/mcp/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":""}

package/dist/mcp/server.js

@@ -0,0 +1,250 @@
+// ============================================================
+// OWASPScan MCP Server
+// Exposes security scanning as MCP tools for AI agents
+// Compatible with Claude Desktop, Cursor, Cline, and any MCP client
+// ============================================================
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { z } from 'zod';
+import path from 'path';
+import { scanDirectory, scanCode } from '../scanner/engine.js';
+import { scanFile as scanSingleFile } from '../scanner/engine.js';
+import { registry } from '../rules/registry.js';
+import { reportLlm } from '../reporter/llm.js';
+import { reportJson } from '../reporter/json.js';
+const SUPPORTED_LANGUAGES = [
+    'javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp', 'rust',
+];
+const server = new McpServer({
+    name: 'owaspscan',
+    version: '1.0.0',
+});
+// ─── Tool: scan_file ───────────────────────────────────────────────────────
+server.tool('scan_file', 'Scan a single source code file for OWASP Top 10 + LLM Top 10 security vulnerabilities. ' +
+    'Returns findings with severity, OWASP category, CWE, line numbers, code snippets, and fix guidance.', {
+    path: z.string().describe('Absolute or relative path to the file to scan'),
+    rules: z
+        .array(z.string())
+        .optional()
+        .describe('Filter to specific OWASP categories e.g. ["A01", "A03", "LLM01"]. Omit for all rules.'),
+    format: z
+        .enum(['llm', 'json'])
+        .default('llm')
+        .describe('Output format: "llm" (compact, token-efficient) or "json" (full structured data)'),
+}, async ({ path: filePath, rules, format }) => {
+    const resolvedPath = path.resolve(filePath);
+    const allRules = rules && rules.length > 0
+        ? registry.filterByCategories(rules)
+        : registry.getAll();
+    const fileResult = await scanSingleFile(resolvedPath, allRules);
+    // Wrap into ScanResult format
+    const { buildScanResult } = await import('../utils/scoring.js');
+    const result = buildScanResult(resolvedPath, [fileResult], fileResult.scanDurationMs, 'never');
+    const output = format === 'json' ? reportJson(result) : reportLlm(result);
+    return {
+        content: [{ type: 'text', text: output }],
+    };
+});
+// ─── Tool: scan_directory ─────────────────────────────────────────────────
+server.tool('scan_directory', 'Recursively scan a project directory for OWASP Top 10 + LLM Top 10 security vulnerabilities across all supported languages. ' +
+    'Supports JS/TS, Python, Java, Go, PHP, Ruby, C#, Rust.', {
+    path: z.string().describe('Path to the directory to scan'),
+    recursive: z
+        .boolean()
+        .default(true)
+        .describe('Whether to scan subdirectories recursively'),
+    rules: z
+        .array(z.string())
+        .optional()
+        .describe('Filter to specific OWASP categories. Omit for all 35+ rules.'),
+    exclude: z
+        .array(z.string())
+        .optional()
+        .describe('Glob patterns to exclude (e.g. ["**/*.test.ts", "migrations/**"])'),
+    format: z
+        .enum(['llm', 'json'])
+        .default('llm')
+        .describe('Output format'),
+    fail_on: z
+        .enum(['critical', 'high', 'medium', 'low', 'never'])
+        .default('never')
+        .describe('Severity threshold — result.passed will be false if findings at or above this level exist'),
+}, async ({ path: dirPath, recursive, rules, exclude, format, fail_on }) => {
+    const resolvedPath = path.resolve(dirPath);
+    const result = await scanDirectory(resolvedPath, {
+        rules,
+        exclude,
+        recursive,
+        failOn: fail_on,
+        verbose: false,
+    });
+    const output = format === 'json' ? reportJson(result) : reportLlm(result);
+    return {
+        content: [{ type: 'text', text: output }],
+    };
+});
+// ─── Tool: scan_code ──────────────────────────────────────────────────────
+server.tool('scan_code', 'Scan a code snippet (string) for security vulnerabilities without needing a file. ' +
+    'Perfect for scanning code that was just generated or modified by an AI assistant before committing.', {
+    code: z.string().describe('The source code to scan'),
+    language: z
+        .enum(SUPPORTED_LANGUAGES)
+        .describe('Programming language of the code snippet'),
+    filename: z
+        .string()
+        .optional()
+        .default('<inline>')
+        .describe('Optional filename for context in findings output'),
+    rules: z
+        .array(z.string())
+        .optional()
+        .describe('Filter to specific OWASP categories. Omit for all rules.'),
+    format: z.enum(['llm', 'json']).default('llm'),
+}, async ({ code, language, filename, rules, format }) => {
+    const result = await scanCode(code, language, filename ?? '<inline>', rules);
+    const output = format === 'json' ? reportJson(result) : reportLlm(result);
+    return {
+        content: [{ type: 'text', text: output }],
+    };
+});
+// ─── Tool: get_rules ─────────────────────────────────────────────────────
+server.tool('get_rules', 'List all available security rules with their IDs, names, OWASP categories, severity, and CWE numbers.', {
+    owasp_category: z
+        .string()
+        .optional()
+        .describe('Filter by OWASP category prefix e.g. "A01", "LLM01", "EXTRA"'),
+    language: z
+        .enum(SUPPORTED_LANGUAGES)
+        .optional()
+        .describe('Filter rules applicable to a specific language'),
+    severity: z
+        .enum(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'])
+        .optional()
+        .describe('Filter by minimum severity'),
+}, async ({ owasp_category, language, severity }) => {
+    let rules = registry.getAll();
+    if (owasp_category) {
+        rules = rules.filter((r) => r.owasp.startsWith(owasp_category.toUpperCase()));
+    }
+    if (language) {
+        rules = rules.filter((r) => r.languages.includes('all') || r.languages.includes(language));
+    }
+    if (severity) {
+        const sevOrder = { CRITICAL: 5, HIGH: 4, MEDIUM: 3, LOW: 2, INFO: 1 };
+        const minSev = sevOrder[severity];
+        rules = rules.filter((r) => sevOrder[r.severity] >= minSev);
+    }
+    const output = rules
+        .map((r) => `[${r.id}] ${r.name}\n` +
+        `  OWASP: ${r.owasp} | CWE: ${r.cwe} | Severity: ${r.severity}\n` +
+        `  Languages: ${r.languages.join(', ')}\n` +
+        `  Tags: ${r.tags.join(', ')}\n`)
+        .join('\n');
+    return {
+        content: [
+            {
+                type: 'text',
+                text: `OWASPScan Rules (${rules.length} total):\n\n${output}`,
+            },
+        ],
+    };
+});
+// ─── Tool: explain_finding ───────────────────────────────────────────────
+server.tool('explain_finding', 'Get detailed explanation, example vulnerable code, and secure code fix for a specific rule ID.', {
+    rule_id: z
+        .string()
+        .describe('Rule ID to explain, e.g. "OWASP-A03-001" or "LLM-01-001"'),
+}, async ({ rule_id }) => {
+    const rule = registry.getById(rule_id);
+    if (!rule) {
+        return {
+            content: [
+                {
+                    type: 'text',
+                    text: `Rule "${rule_id}" not found. Use get_rules to see available rule IDs.`,
+                },
+            ],
+            isError: true,
+        };
+    }
+    const output = [
+        `## ${rule.name}`,
+        `**ID:** ${rule.id}`,
+        `**OWASP Category:** ${rule.owasp}`,
+        `**CWE:** ${rule.cwe}`,
+        `**Severity:** ${rule.severity}`,
+        `**Applicable Languages:** ${rule.languages.join(', ')}`,
+        '',
+        '### Description',
+        rule.description,
+        '',
+        '### Remediation',
+        '```',
+        rule.fix,
+        '```',
+        '',
+        '### References',
+        ...rule.references.map((r) => `- ${r}`),
+        '',
+        '### Tags',
+        rule.tags.map((t) => `\`${t}\``).join(', '),
+    ].join('\n');
+    return {
+        content: [{ type: 'text', text: output }],
+    };
+});
+// ─── Tool: get_owasp_category ─────────────────────────────────────────────
+server.tool('get_owasp_category', 'Get a description of an OWASP Top 10 or LLM Top 10 category with all related rules.', {
+    category: z
+        .string()
+        .describe('OWASP category e.g. "A03:2021", "LLM01:2025", or just "A03" or "LLM01"'),
+}, async ({ category }) => {
+    const prefix = category.toUpperCase().replace(/:.*/, '');
+    const rules = registry.filterByCategories([prefix]);
+    const CATEGORY_DESCRIPTIONS = {
+        'A01:2021': 'Broken Access Control — Users can act outside their intended permissions.',
+        'A02:2021': 'Cryptographic Failures — Weak encryption, hardcoded secrets, insecure randomness.',
+        'A03:2021': 'Injection — SQL, command, NoSQL, LDAP, template, XSS injection.',
+        'A04:2021': 'Insecure Design — Missing rate limiting, mass assignment, flawed security design.',
+        'A05:2021': 'Security Misconfiguration — Debug mode, wildcard CORS, default credentials.',
+        'A06:2021': 'Vulnerable and Outdated Components — Known CVEs, deprecated APIs.',
+        'A07:2021': 'Identification and Authentication Failures — JWT, password storage, session bugs.',
+        'A08:2021': 'Software and Data Integrity Failures — eval(), unsafe deserialization.',
+        'A09:2021': 'Security Logging and Monitoring Failures — Sensitive data in logs, silent errors.',
+        'A10:2021': 'Server-Side Request Forgery (SSRF) — Unvalidated URLs in server requests.',
+        'LLM01:2025': 'Prompt Injection — User input injected into LLM prompts.',
+        'LLM02:2025': 'Sensitive Information Disclosure — PII/secrets sent to LLMs or leaked.',
+        'LLM05:2025': 'Improper Output Handling — LLM output used unsafely in code.',
+        'LLM06:2025': 'Excessive Agency — LLM agents with too many permissions and no human oversight.',
+        'LLM07:2025': 'System Prompt Leakage — System prompt contents exposed to users.',
+        'LLM10:2025': 'Unbounded Consumption — No token limits or rate limits on LLM API calls.',
+    };
+    const matchedKey = Object.keys(CATEGORY_DESCRIPTIONS).find((k) => k.toUpperCase().startsWith(prefix));
+    const description = matchedKey
+        ? CATEGORY_DESCRIPTIONS[matchedKey]
+        : `No description available for category: ${category}`;
+    const rulesText = rules
+        .map((r) => `  [${r.severity}] ${r.id} — ${r.name}`)
+        .join('\n');
+    const output = [
+        `## OWASP ${category}`,
+        description ?? '',
+        '',
+        `### Rules in OWASPScan for this category (${rules.length}):`,
+        rulesText || '  No rules found for this category.',
+    ].join('\n');
+    return {
+        content: [{ type: 'text', text: output }],
+    };
+});
+// ─── Start server ─────────────────────────────────────────────────────────
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    process.stderr.write('OWASPScan MCP Server running on stdio\n');
+}
+main().catch((err) => {
+    process.stderr.write(`Fatal error: ${String(err)}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=server.js.map

package/dist/mcp/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,uBAAuB;AACvB,uDAAuD;AACvD,oEAAoE;AACpE,+DAA+D;AAE/D,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD,MAAM,mBAAmB,GAAwB;IAC/C,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;CACpF,CAAC;AAEF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,8EAA8E;AAC9E,MAAM,CAAC,IAAI,CACT,WAAW,EACX,yFAAyF;IACzF,qGAAqG,EACrG;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,+CAA+C,CAAC;IAC1E,KAAK,EAAE,CAAC;SACL,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CAAC,uFAAuF,CAAC;IACpG,MAAM,EAAE,CAAC;SACN,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;SACrB,OAAO,CAAC,KAAK,CAAC;SACd,QAAQ,CAAC,kFAAkF,CAAC;CAChG,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;IAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QACxC,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,KAAK,CAAC;QACpC,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;IAEtB,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAEhE,8BAA8B;IAC9B,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAChE,MAAM,MAAM,GAAG,eAAe,CAAC,YAAY,EAAE,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IAE/F,MAAM,MAAM,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAE1E,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,8HAA8H;IAC9H,wDAAwD,EACxD;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,+BAA+B,CAAC;IAC1D,SAAS,EAAE,CAAC;SACT,OAAO,EAAE;SACT,OAAO,CAAC,IAAI,CAAC;SACb,QAAQ,CAAC,4CAA4C,CAAC;IACzD,KAAK,EAAE,CAAC;SACL,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CAAC,8DAA8D,CAAC;IAC3E,OAAO,EAAE,CAAC;SACP,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CAAC,mEAAmE,CAAC;IAChF,MAAM,EAAE,CAAC;SACN,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;SACrB,OAAO,CAAC,KAAK,CAAC;SACd,QAAQ,CAAC,eAAe,CAAC;IAC5B,OAAO,EAAE,CAAC;SACP,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;SACpD,OAAO,CAAC,OAAO,CAAC;SAChB,QAAQ,CAAC,2FAA2F,CAAC;CACzG,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE;IACtE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE;QAC/C,KAAK;QACL,OAAO;QACP,SAAS;QACT,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAE1E,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,CAAC,IAAI,CACT,WAAW,EACX,oFAAoF;IACpF,qGAAqG,EACrG;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IACpD,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,mBAAkE,CAAC;SACxE,QAAQ,CAAC,0CAA0C,CAAC;IACvD,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,OAAO,CAAC,UAAU,CAAC;SACnB,QAAQ,CAAC,kDAAkD,CAAC;IAC/D,KAAK,EAAE,CAAC;SACL,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CAAC,0DAA0D,CAAC;IACvE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;CAC/C,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;IACpD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,IAAI,UAAU,EAAE,KAAK,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAE1E,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,4EAA4E;AAC5E,MAAM,CAAC,IAAI,CACT,WAAW,EACX,uGAAuG,EACvG;IACE,cAAc,EAAE,CAAC;SACd,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,8DAA8D,CAAC;IAC3E,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,mBAAkE,CAAC;SACxE,QAAQ,EAAE;SACV,QAAQ,CAAC,gDAAgD,CAAC;IAC7D,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;SACnD,QAAQ,EAAE;SACV,QAAQ,CAAC,4BAA4B,CAAC;CAC1C,EACD,KAAK,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC/C,IAAI,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;IAE9B,IAAI,cAAc,EAAE,CAAC;QACnB,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,GAAG,KAAK,CAAC,MAAM,CAClB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACrE,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAClC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,MAAM,GAAG,KAAK;SACjB,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,IAAI;QACvB,YAAY,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,GAAG,gBAAgB,CAAC,CAAC,QAAQ,IAAI;QACjE,gBAAgB,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;QAC1C,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACnC;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,KAAK,CAAC,MAAM,eAAe,MAAM,EAAE;aAC9D;SACF;KACF,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,4EAA4E;AAC5E,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,gGAAgG,EAChG;IACE,OAAO,EAAE,CAAC;SACP,MAAM,EAAE;SACR,QAAQ,CAAC,0DAA0D,CAAC;CACxE,EACD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;IACpB,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,SAAS,OAAO,uDAAuD;iBAC9E;aACF;YACD,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG;QACb,MAAM,IAAI,CAAC,IAAI,EAAE;QACjB,WAAW,IAAI,CAAC,EAAE,EAAE;QACpB,uBAAuB,IAAI,CAAC,KAAK,EAAE;QACnC,YAAY,IAAI,CAAC,GAAG,EAAE;QACtB,iBAAiB,IAAI,CAAC,QAAQ,EAAE;QAChC,6BAA6B,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACxD,EAAE;QACF,iBAAiB;QACjB,IAAI,CAAC,WAAW;QAChB,EAAE;QACF,iBAAiB;QACjB,KAAK;QACL,IAAI,CAAC,GAAG;QACR,KAAK;QACL,EAAE;QACF,gBAAgB;QAChB,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QACvC,EAAE;QACF,UAAU;QACV,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;KAC5C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,CAAC,IAAI,CACT,oBAAoB,EACpB,qFAAqF,EACrF;IACE,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,CAAC,wEAAwE,CAAC;CACtF,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrB,MAAM,MAAM,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,QAAQ,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAEpD,MAAM,qBAAqB,GAA2C;QACpE,UAAU,EAAE,2EAA2E;QACvF,UAAU,EAAE,mFAAmF;QAC/F,UAAU,EAAE,iEAAiE;QAC7E,UAAU,EAAE,mFAAmF;QAC/F,UAAU,EAAE,6EAA6E;QACzF,UAAU,EAAE,mEAAmE;QAC/E,UAAU,EAAE,mFAAmF;QAC/F,UAAU,EAAE,wEAAwE;QACpF,UAAU,EAAE,mFAAmF;QAC/F,UAAU,EAAE,2EAA2E;QACvF,YAAY,EAAE,0DAA0D;QACxE,YAAY,EAAE,wEAAwE;QACtF,YAAY,EAAE,8DAA8D;QAC5E,YAAY,EAAE,iFAAiF;QAC/F,YAAY,EAAE,kEAAkE;QAChF,YAAY,EAAE,0EAA0E;KACzF,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/D,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CACN,CAAC;IAE/B,MAAM,WAAW,GAAG,UAAU;QAC5B,CAAC,CAAC,qBAAqB,CAAC,UAAU,CAAC;QACnC,CAAC,CAAC,0CAA0C,QAAQ,EAAE,CAAC;IAEzD,MAAM,SAAS,GAAG,KAAK;SACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;SACnD,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,MAAM,GAAG;QACb,YAAY,QAAQ,EAAE;QACtB,WAAW,IAAI,EAAE;QACjB,EAAE;QACF,6CAA6C,KAAK,CAAC,MAAM,IAAI;QAC7D,SAAS,IAAI,qCAAqC;KACnD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,6EAA6E;AAC7E,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;AAClE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/parsers/ast-parser.d.ts

@@ -0,0 +1,38 @@
+export interface TSNode {
+    type: string;
+    text: string;
+    startPosition: {
+        row: number;
+        column: number;
+    };
+    endPosition: {
+        row: number;
+        column: number;
+    };
+    childCount: number;
+    namedChildCount: number;
+    children: TSNode[];
+    namedChildren: TSNode[];
+    parent: TSNode | null;
+    firstChild: TSNode | null;
+    firstNamedChild: TSNode | null;
+    nextSibling: TSNode | null;
+    nextNamedSibling: TSNode | null;
+    child(index: number): TSNode | null;
+    namedChild(index: number): TSNode | null;
+    childForFieldName(fieldName: string): TSNode | null;
+}
+export interface TSTree {
+    rootNode: TSNode;
+}
+export type ParseLanguage = 'javascript' | 'typescript' | 'python';
+/**
+ * Parse source code into an AST.
+ * Returns null if tree-sitter is unavailable or parsing fails.
+ */
+export declare function parseCode(code: string, language: ParseLanguage): TSTree | null;
+/** Recursively walk every node in the tree, calling visitor for each. */
+export declare function walkTree(node: TSNode, visitor: (n: TSNode) => void): void;
+/** Collect all nodes of a specific type. */
+export declare function findAllNodes(root: TSNode, type: string): TSNode[];
+//# sourceMappingURL=ast-parser.d.ts.map

package/dist/parsers/ast-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-parser.d.ts","sourceRoot":"","sources":["../../src/parsers/ast-parser.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/C,WAAW,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACzC,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CACrD;AAED,MAAM,WAAW,MAAM;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC;AAoDnE;;;GAGG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,GAAG,MAAM,GAAG,IAAI,CAQ9E;AAED,yEAAyE;AACzE,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAKzE;AAED,4CAA4C;AAC5C,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAMjE"}

package/dist/parsers/ast-parser.js

@@ -0,0 +1,88 @@
+// ============================================================
+// AST Parser — tree-sitter wrapper with lazy-loading and caching
+//
+// tree-sitter is a native CJS module; use createRequire in ESM context.
+// Parser instances are cached per language for performance.
+// All errors return null — callers fall back to regex/taint on failure.
+// ============================================================
+import { createRequire } from 'module';
+const _require = createRequire(import.meta.url);
+// ---- Internal state ----
+let _ParserClass = null;
+let _jsLang = null;
+let _pyLang = null;
+function loadParser() {
+    if (!_ParserClass) {
+        _ParserClass = _require('tree-sitter');
+    }
+    return _ParserClass;
+}
+function loadLanguage(language) {
+    if (language === 'javascript' || language === 'typescript') {
+        if (!_jsLang) {
+            _jsLang = _require('tree-sitter-javascript');
+        }
+        return _jsLang;
+    }
+    if (language === 'python') {
+        if (!_pyLang) {
+            _pyLang = _require('tree-sitter-python');
+        }
+        return _pyLang;
+    }
+    return null;
+}
+// Cached parser instances (one per language)
+const _parsers = new Map();
+function getParser(language) {
+    if (_parsers.has(language)) {
+        return _parsers.get(language);
+    }
+    try {
+        const ParserClass = loadParser();
+        if (!ParserClass)
+            return null;
+        const lang = loadLanguage(language);
+        if (!lang)
+            return null;
+        const parser = new ParserClass();
+        parser.setLanguage(lang);
+        _parsers.set(language, parser);
+        return parser;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Parse source code into an AST.
+ * Returns null if tree-sitter is unavailable or parsing fails.
+ */
+export function parseCode(code, language) {
+    try {
+        const parser = getParser(language);
+        if (!parser)
+            return null;
+        return parser.parse(code);
+    }
+    catch {
+        return null;
+    }
+}
+/** Recursively walk every node in the tree, calling visitor for each. */
+export function walkTree(node, visitor) {
+    visitor(node);
+    for (const child of node.children) {
+        walkTree(child, visitor);
+    }
+}
+/** Collect all nodes of a specific type. */
+export function findAllNodes(root, type) {
+    const results = [];
+    walkTree(root, (n) => {
+        if (n.type === type)
+            results.push(n);
+    });
+    return results;
+}
+//# sourceMappingURL=ast-parser.js.map

package/dist/parsers/ast-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-parser.js","sourceRoot":"","sources":["../../src/parsers/ast-parser.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,iEAAiE;AACjE,EAAE;AACF,wEAAwE;AACxE,4DAA4D;AAC5D,wEAAwE;AACxE,+DAA+D;AAE/D,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAEvC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AA6BhD,2BAA2B;AAE3B,IAAI,YAAY,GAAmF,IAAI,CAAC;AACxG,IAAI,OAAO,GAAY,IAAI,CAAC;AAC5B,IAAI,OAAO,GAAY,IAAI,CAAC;AAE5B,SAAS,UAAU;IACjB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,QAAQ,CAAC,aAAa,CAAwB,CAAC;IAChE,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,YAAY,CAAC,QAAuB;IAC3C,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,QAAQ,CAAC,wBAAwB,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,QAAQ,CAAC,oBAAoB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6CAA6C;AAC7C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAuE,CAAC;AAEhG,SAAS,SAAS,CAAC,QAAuB;IACxC,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;IACjC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,UAAU,EAAE,CAAC;QACjC,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAC9B,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QACjC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACzB,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,QAAuB;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,OAA4B;IACjE,OAAO,CAAC,IAAI,CAAC,CAAC;IACd,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,IAAY;IACrD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE;QACnB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/parsers/ast-queries.d.ts

@@ -0,0 +1,63 @@
+import type { TSNode } from './ast-parser.js';
+import type { OWASPCategory, Severity } from '../types/index.js';
+export type TaintMap = Map<string, string>;
+/**
+ * Scan a single file's AST and collect the names of exported functions/variables
+ * whose bodies contain direct user-input sources.
+ *
+ * Used for cross-file taint tracking: if file A exports `getUserId(req)` which
+ * reads `req.query.id`, and file B calls `getUserId(req)`, the return value in
+ * file B should be treated as tainted.
+ */
+export declare function collectExportedTaintSources(rootNode: TSNode, language: 'javascript' | 'typescript'): TaintMap;
+/**
+ * Walk all variable declarations and assignments in the AST.
+ * When the right-hand side is/contains a user input source, mark the
+ * left-hand variable name(s) as tainted.
+ *
+ * crossFileSources: optional map of function names from other files that return
+ * tainted data (built by collectExportedTaintSources in the pre-pass).
+ *
+ * Returns the initial (un-propagated) taint map.
+ */
+export declare function buildInitialTaintMap(rootNode: TSNode, language: 'javascript' | 'typescript' | 'python', crossFileSources?: TaintMap): TaintMap;
+/**
+ * Fixed-point propagation: if the RHS of an assignment contains a tainted
+ * identifier, the LHS variable becomes tainted too.
+ *
+ * Mutates `tainted` in place. Runs until no new taints are added (max 10 passes).
+ */
+export declare function propagateTaint(rootNode: TSNode, tainted: TaintMap, language: 'javascript' | 'typescript' | 'python'): void;
+/**
+ * Build the full taint map: initial sources + propagated chains.
+ * crossFileSources: optional function names from other files that return tainted data.
+ */
+export declare function buildTaintMap(rootNode: TSNode, language: 'javascript' | 'typescript' | 'python', crossFileSources?: TaintMap): TaintMap;
+export interface ASTFinding {
+    ruleId: string;
+    owasp: OWASPCategory;
+    severity: Severity;
+    description: string;
+    line: number;
+    column: number;
+    snippet: string;
+    argText: string;
+    sinkName: string;
+    taintPath?: string[];
+    suppressedByMiddleware?: boolean;
+}
+/**
+ * Scan a parsed AST for vulnerabilities.
+ * Combines two detection modes:
+ *   1. Direct: user input appears directly in a sink argument
+ *   2. Taint: user input was assigned to a variable that reaches the sink
+ *
+ * The taint map is built via AST node traversal (not regex), so it is
+ * precise — handles destructuring, reassignment, template literals.
+ * Middleware-aware: handlers guarded by validate/auth middleware get LOW confidence.
+ *
+ * crossFileSources: optional map of function names from other scanned files that
+ * return tainted data (populated by the two-pass scanDirectory pre-pass).
+ */
+export declare function findVulnerableCalls(rootNode: TSNode, language: 'javascript' | 'typescript' | 'python', sourceLines: string[], crossFileSources?: TaintMap): ASTFinding[];
+//# sourceMappingURL=ast-queries.d.ts.map

package/dist/parsers/ast-queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-queries.d.ts","sourceRoot":"","sources":["../../src/parsers/ast-queries.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAejE,MAAM,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAI3C;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,YAAY,GACpC,QAAQ,CA+CV;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,EAChD,gBAAgB,CAAC,EAAE,QAAQ,GAC1B,QAAQ,CAsGV;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,QAAQ,EACjB,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAC/C,IAAI,CA+DN;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,EAChD,gBAAgB,CAAC,EAAE,QAAQ,GAC1B,QAAQ,CAMV;AA0GD,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAkND;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,EAChD,WAAW,EAAE,MAAM,EAAE,EACrB,gBAAgB,CAAC,EAAE,QAAQ,GAC1B,UAAU,EAAE,CAqCd"}