@trustify-da/trustify-da-javascript-client 0.3.0-ea.d71f957 → 0.3.0-ea.d9c1ae4

package/dist/src/providers/base_pyproject.js

@@ -0,0 +1,314 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { PackageURL } from 'packageurl-js';
+import { parse as parseToml } from 'smol-toml';
+import { getLicense } from '../license/license_utils.js';
+import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
+const ecosystem = 'pip';
+const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const DEFAULT_ROOT_NAME = 'default-pip-root';
+const DEFAULT_ROOT_VERSION = '0.0.0';
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName) {
+        return 'pyproject.toml' === manifestName;
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) != null;
+    }
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    _isWorkspaceRoot(dir) {
+        const pyprojectPath = path.join(dir, 'pyproject.toml');
+        if (!fs.existsSync(pyprojectPath)) {
+            return false;
+        }
+        try {
+            const content = parseToml(fs.readFileSync(pyprojectPath, 'utf-8'));
+            if (content.tool?.uv?.workspace) {
+                return true;
+            }
+        }
+        catch (_) {
+            // ignore parse errors
+        }
+        return false;
+    }
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let fromManifest = null;
+        try {
+            let content = fs.readFileSync(manifestPath, 'utf-8');
+            let parsed = parseToml(content);
+            fromManifest = parsed.project?.license;
+            if (typeof fromManifest === 'object' && fromManifest != null) {
+                fromManifest = fromManifest.text || null;
+            }
+            if (!fromManifest) {
+                fromManifest = parsed.tool?.poetry?.license || null;
+            }
+        }
+        catch (_) {
+            // leave fromManifest as null
+        }
+        return getLicense(fromManifest, manifestPath);
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideStack(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, true),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideComponent(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, false),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    // --- abstract methods (subclasses must override) ---
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _lockFileName() {
+        throw new TypeError('_lockFileName must be implemented');
+    }
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _cmdName() {
+        throw new TypeError('_cmdName must be implemented');
+    }
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
+        throw new TypeError('_getDependencyData must be implemented');
+    }
+    // --- shared helpers ---
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    _canonicalize(name) {
+        return name.toLowerCase().replace(/[-_.]+/g, '-');
+    }
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectName(parsed) {
+        return parsed.project?.name || parsed.tool?.poetry?.name || null;
+    }
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectVersion(parsed) {
+        return parsed.project?.version || parsed.tool?.poetry?.version || null;
+    }
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    _getIgnoredDeps(manifestPath) {
+        let ignored = new Set();
+        let content = fs.readFileSync(manifestPath, 'utf-8');
+        let lines = content.split(/\r?\n/);
+        for (let line of lines) {
+            if (!IGNORE_MARKERS.some(m => line.includes(m))) {
+                continue;
+            }
+            // PEP 621 style: "requests>=2.25" #exhortignore
+            let pep621Match = line.match(/^\s*"([^"]+)"/);
+            if (pep621Match) {
+                let reqStr = pep621Match[1];
+                let nameMatch = reqStr.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+                if (nameMatch) {
+                    ignored.add(this._canonicalize(nameMatch[1]));
+                }
+                continue;
+            }
+            // Poetry style: requests = "^2.25" #exhortignore
+            let poetryMatch = line.match(/^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*=/);
+            if (poetryMatch) {
+                ignored.add(this._canonicalize(poetryMatch[1]));
+            }
+        }
+        return ignored;
+    }
+    /**
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps
+     * @param {Set<string>} ignoredDeps
+     * @returns {Set<string>}
+     * @protected
+     */
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
+                continue;
+            }
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
+            }
+        }
+        return reachable;
+    }
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    _toPurl(name, version) {
+        return new PackageURL('pypi', undefined, name, version, undefined, undefined);
+    }
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    async _createSbom(manifest, opts, includeTransitive) {
+        let manifestDir = path.dirname(manifest);
+        let content = fs.readFileSync(manifest, 'utf-8');
+        let parsed = parseToml(content);
+        let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
+        let ignoredDeps = this._getIgnoredDeps(manifest);
+        let sbom = new Sbom();
+        let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
+        let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
+        let rootPurl = this._toPurl(rootName, rootVersion);
+        let license = this.readLicenseFromManifest(manifest);
+        sbom.addRoot(rootPurl, license);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                }
+            }
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+        }
+        return sbom.getAsJsonString(opts);
+    }
+}

package/dist/src/providers/javascript_npm.d.ts

@@ -1,4 +1,5 @@
 export default class Javascript_npm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_npm.js

@@ -12,4 +12,25 @@ export default class Javascript_npm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--package-lock-only'];
     }
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        // npm ls --json returns a single tree rooted at the workspace root.
+        // When analyzing a workspace member, its deps are nested under the
+        // root's dependencies keyed by the member name — extract that subtree
+        // so downstream analysis sees only the member's dependencies.
+        const tree = super._buildDependencyTree(includeTransitive, opts);
+        const memberName = this._getManifest().name;
+        if (tree.name === memberName) {
+            return tree;
+        }
+        const memberEntry = tree.dependencies?.[memberName];
+        if (memberEntry) {
+            return {
+                name: memberName,
+                version: memberEntry.version || this._getManifest().version,
+                dependencies: memberEntry.dependencies,
+                optionalDependencies: memberEntry.optionalDependencies,
+            };
+        }
+        return tree;
+    }
 }

package/dist/src/providers/javascript_pnpm.js

@@ -7,15 +7,19 @@ export default class Javascript_pnpm extends Base_javascript {
         return "pnpm";
     }
     _listCmdArgs(includeTransitive) {
-        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json'];
+        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json', '-r'];
     }
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
     _buildDependencyTree(includeTransitive, opts = {}) {
+        // pnpm ls --json returns an array with one entry per workspace package.
+        // When analyzing a workspace member, find its entry by name instead of
+        // blindly taking the first element (which is the workspace root).
         const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
-            return tree[0];
+            const memberName = this._getManifest().name;
+            return tree.find(pkg => pkg.name === memberName) || tree[0];
         }
         return {};
     }

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -15,7 +15,10 @@ export default class Yarn_berry_processor extends Yarn_processor {
      * @returns {string[]} Command arguments for listing dependencies
      */
     listCmdArgs(includeTransitive) {
-        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+        // --all is needed to include workspace members in the output
+        return includeTransitive
+            ? ['info', '--recursive', '--all', '--json']
+            : ['info', '--all', '--json'];
     }
     /**
      * Returns the command arguments for updating the lock file
@@ -68,7 +71,8 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!name) {
             return false;
         }
-        return name.endsWith("@workspace:.");
+        // Workspace members use paths like "member-a@workspace:packages/member-a", not just "@workspace:."
+        return name.startsWith(`${this._manifest.name}@workspace:`);
     }
     /**
    * Adds dependencies to the SBOM

package/dist/src/providers/python_controller.js

@@ -95,7 +95,7 @@ export default class Python_controller {
     }
     /**
      * Parse the requirements.txt file using tree-sitter and return structured requirement data.
-     * @return {Promise<{name: string, version: string|null}[]>}
+     * @return {Promise<{name: string, version: string|null, hasMarker: boolean}[]>}
      */
     async #parseRequirements() {
         const content = fs.readFileSync(this.pathToRequirements).toString();
@@ -107,7 +107,8 @@ export default class Python_controller {
             const version = versionMatches.length > 0
                 ? versionMatches[0].captures.find(c => c.name === 'version').node.text
                 : null;
-            return { name, version };
+            const hasMarker = reqNode.children.some(c => c.type === 'marker_spec');
+            return { name, version, hasMarker };
         }));
     }
     #decideIfWindowsOrLinuxPath(fileName) {
@@ -224,7 +225,10 @@ export default class Python_controller {
                 CachedEnvironmentDeps[packageName.replace("_", "-")] = pipDepTreeEntryForCache;
             });
         }
-        parsedRequirements.forEach(({ name: depName, version: manifestVersion }) => {
+        parsedRequirements.forEach(({ name: depName, version: manifestVersion, hasMarker }) => {
+            if (hasMarker && CachedEnvironmentDeps[depName.toLowerCase()] === undefined) {
+                return;
+            }
             if (matchManifestVersions === "true" && manifestVersion != null) {
                 let installedVersion;
                 if (CachedEnvironmentDeps[depName.toLowerCase()] !== undefined) {

package/dist/src/providers/python_pip_pyproject.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: {}): boolean;
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir: string, opts?: {}): string;
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson: string): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req: string): boolean;
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req: string): string | null;
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
+        directDeps: string[];
+        graph: Map<any, any>;
+    }>;
+    _findEggInfoDirs(dir: any): string[];
+    _cleanupEggInfo(dir: any, existing: any): void;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return '.pip-lock-nonexistent';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'pip';
+    }
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    // eslint-disable-next-line no-unused-vars
+    validateLockFile(manifestDir, opts = {}) {
+        return true;
+    }
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
+        }
+        let pipBin = getCustomPath('pip3', opts);
+        try {
+            invokeCommand(pipBin, ['--version']);
+        }
+        catch {
+            pipBin = getCustomPath('pip', opts);
+        }
+        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
+        let result = invokeCommand(pipBin, [
+            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
+        ], { cwd: manifestDir }).toString();
+        this._cleanupEggInfo(manifestDir, eggInfoDirs);
+        return result;
+    }
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson) {
+        let report = JSON.parse(reportJson);
+        let packages = report.install || [];
+        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
+        let rootRequires = rootEntry?.metadata?.requires_dist || [];
+        let directDepNames = new Set();
+        for (let req of rootRequires) {
+            if (this._hasExtraMarker(req)) {
+                continue;
+            }
+            let name = this._extractDepName(req);
+            if (name) {
+                directDepNames.add(this._canonicalize(name));
+            }
+        }
+        let graph = new Map();
+        let nonRootPackages = packages.filter(p => p !== rootEntry);
+        for (let pkg of nonRootPackages) {
+            let name = pkg.metadata.name;
+            let version = pkg.metadata.version;
+            let key = this._canonicalize(name);
+            graph.set(key, { name, version, children: [] });
+        }
+        for (let pkg of nonRootPackages) {
+            let key = this._canonicalize(pkg.metadata.name);
+            let entry = graph.get(key);
+            let requires = pkg.metadata.requires_dist || [];
+            for (let req of requires) {
+                let depName = this._extractDepName(req);
+                if (!depName) {
+                    continue;
+                }
+                let depKey = this._canonicalize(depName);
+                if (graph.has(depKey)) {
+                    entry.children.push(depKey);
+                }
+            }
+        }
+        let directDeps = [...directDepNames].filter(key => graph.has(key));
+        return { directDeps, graph };
+    }
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req) {
+        return /;\s*.*extra\s*==/.test(req);
+    }
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req) {
+        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+        return match ? match[1] : null;
+    }
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let reportOutput = this._getPipReportOutput(manifestDir, opts);
+        return this._parsePipReport(reportOutput);
+    }
+    _findEggInfoDirs(dir) {
+        try {
+            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
+        }
+        catch {
+            return [];
+        }
+    }
+    _cleanupEggInfo(dir, existing) {
+        for (let entry of this._findEggInfoDirs(dir)) {
+            if (!existing.includes(entry)) {
+                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
+            }
+        }
+    }
+}

package/dist/src/providers/python_poetry.d.ts

@@ -0,0 +1,43 @@
+export default class Python_poetry extends Base_pyproject {
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir: string, hasDevGroup: boolean, opts: any): string;
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output: string): Map<string, string>;
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
+     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput: string, versionMap: Map<string, string>): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+}
+import Base_pyproject from './base_pyproject.js';