@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/extractors/client-calls.js

@@ -1,990 +1,990 @@
-/**
- * Client Call Extractor v2
- * 
- * Extracts client-side API calls: fetch, axios, tRPC, GraphQL, Server Actions, SDK calls.
- * Links them to the Reality Proof Graph for dead UI detection.
- * 
- * Output: ClientCall records with evidence, confidence, and canonical paths.
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const fg = require("fast-glob");
-const crypto = require("crypto");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-
-// =============================================================================
-// TYPES AND CONSTANTS
-// =============================================================================
-
-const HTTP_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"];
-
-const CALL_KINDS = {
-  HTTP: "http",
-  TRPC: "trpc",
-  GRAPHQL: "graphql",
-  SERVER_ACTION: "server_action",
-  SDK: "sdk",
-};
-
-const RUNTIMES = {
-  CLIENT: "client",
-  SERVER: "server",
-  SHARED: "shared",
-  UNKNOWN: "unknown",
-};
-
-// =============================================================================
-// MAIN EXTRACTION
-// =============================================================================
-
-/**
- * Extract all client calls from a project
- */
-function extractClientCalls(projectRoot, options = {}) {
-  const { include = [], exclude = [] } = options;
-
-  // Find source files
-  const defaultInclude = ["**/*.{ts,tsx,js,jsx,mts,cts}"];
-  const defaultExclude = [
-    "**/node_modules/**",
-    "**/.next/**",
-    "**/dist/**",
-    "**/build/**",
-    "**/coverage/**",
-    "**/*.min.js",
-    "**/*.d.ts",
-  ];
-
-  const patterns = include.length > 0 ? include : defaultInclude;
-  const ignorePatterns = [...defaultExclude, ...exclude];
-
-  const files = fg.sync(patterns, {
-    cwd: projectRoot,
-    absolute: true,
-    ignore: ignorePatterns,
-    onlyFiles: true,
-  });
-
-  const calls = [];
-  const wrappers = [];
-  const uiBindings = [];
-  const errors = [];
-
-  // Pass 1: Extract wrappers (axios instances, custom request helpers)
-  for (const file of files) {
-    try {
-      const content = fs.readFileSync(file, "utf8");
-      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
-      const fileWrappers = extractWrappers(content, relPath, projectRoot);
-      wrappers.push(...fileWrappers);
-    } catch (err) {
-      errors.push({ file, phase: "wrappers", error: err.message });
-    }
-  }
-
-  // Build wrapper lookup
-  const wrapperMap = new Map();
-  for (const w of wrappers) {
-    wrapperMap.set(w.name, w);
-  }
-
-  // Pass 2: Extract calls
-  for (const file of files) {
-    try {
-      const content = fs.readFileSync(file, "utf8");
-      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
-      const runtime = inferRuntime(content, relPath);
-
-      const fileCalls = extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot);
-      calls.push(...fileCalls);
-
-      const bindings = extractUIBindings(content, relPath, fileCalls);
-      uiBindings.push(...bindings);
-    } catch (err) {
-      errors.push({ file, phase: "calls", error: err.message });
-    }
-  }
-
-  return {
-    calls,
-    wrappers,
-    uiBindings,
-    errors,
-    stats: {
-      filesScanned: files.length,
-      callsFound: calls.length,
-      wrappersFound: wrappers.length,
-      bindingsFound: uiBindings.length,
-    },
-  };
-}
-
-/**
- * Extract calls from a single file
- */
-function extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot) {
-  const calls = [];
-
-  let ast;
-  try {
-    ast = parser.parse(content, {
-      sourceType: "module",
-      plugins: ["typescript", "jsx", "decorators-legacy"],
-      errorRecovery: true,
-    });
-  } catch {
-    return calls;
-  }
-
-  traverse(ast, {
-    CallExpression(path) {
-      // fetch() calls
-      const fetchCall = extractFetchCall(path, content, relPath, runtime);
-      if (fetchCall) {
-        calls.push(fetchCall);
-        return;
-      }
-
-      // axios calls
-      const axiosCall = extractAxiosCall(path, content, relPath, runtime, wrapperMap);
-      if (axiosCall) {
-        calls.push(axiosCall);
-        return;
-      }
-
-      // tRPC calls
-      const trpcCall = extractTRPCCall(path, content, relPath, runtime);
-      if (trpcCall) {
-        calls.push(trpcCall);
-        return;
-      }
-
-      // GraphQL calls
-      const gqlCall = extractGraphQLCall(path, content, relPath, runtime);
-      if (gqlCall) {
-        calls.push(gqlCall);
-        return;
-      }
-
-      // Wrapper calls
-      const wrapperCall = extractWrapperCall(path, content, relPath, runtime, wrapperMap);
-      if (wrapperCall) {
-        calls.push(wrapperCall);
-        return;
-      }
-    },
-
-    // Server Actions (form action={...})
-    JSXAttribute(path) {
-      if (path.node.name.name === "action" && t.isJSXExpressionContainer(path.node.value)) {
-        const actionCall = extractServerAction(path, content, relPath);
-        if (actionCall) {
-          calls.push(actionCall);
-        }
-      }
-    },
-  });
-
-  return calls;
-}
-
-// =============================================================================
-// FETCH EXTRACTION
-// =============================================================================
-
-/**
- * Extract fetch() call
- */
-function extractFetchCall(path, content, relPath, runtime) {
-  const { node } = path;
-
-  // Check if callee is 'fetch'
-  if (!t.isIdentifier(node.callee, { name: "fetch" })) {
-    // Also check for fetch(new Request(...))
-    if (t.isNewExpression(node.callee) && t.isIdentifier(node.callee.callee, { name: "Request" })) {
-      return extractRequestCall(path, content, relPath, runtime);
-    }
-    return null;
-  }
-
-  const urlArg = node.arguments[0];
-  const initArg = node.arguments[1];
-
-  if (!urlArg) return null;
-
-  // Extract URL
-  const urlInfo = extractUrlFromNode(urlArg, content);
-  if (!urlInfo.value) return null;
-
-  // Extract method
-  const method = extractMethodFromInit(initArg) || "GET";
-
-  // Extract other info
-  const expectsJson = extractExpectsJson(initArg, path);
-  const authHint = extractAuthHint(initArg);
-
-  const lineNum = node.loc?.start?.line || 1;
-
-  return createClientCall({
-    kind: CALL_KINDS.HTTP,
-    runtime,
-    method,
-    urlTemplate: urlInfo.value,
-    canonicalPath: canonicalizeUrl(urlInfo.value),
-    expectsJson,
-    authHint,
-    confidence: urlInfo.confidence,
-    file: relPath,
-    lines: `${lineNum}-${lineNum + 5}`,
-    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
-    reason: `fetch('${urlInfo.value.slice(0, 50)}') call`,
-  });
-}
-
-/**
- * Extract new Request() call inside fetch
- */
-function extractRequestCall(path, content, relPath, runtime) {
-  const { node } = path;
-  const requestNode = node.callee;
-
-  if (!t.isNewExpression(requestNode)) return null;
-
-  const urlArg = requestNode.arguments[0];
-  const initArg = requestNode.arguments[1];
-
-  if (!urlArg) return null;
-
-  const urlInfo = extractUrlFromNode(urlArg, content);
-  if (!urlInfo.value) return null;
-
-  const method = extractMethodFromInit(initArg) || "GET";
-  const lineNum = node.loc?.start?.line || 1;
-
-  return createClientCall({
-    kind: CALL_KINDS.HTTP,
-    runtime,
-    method,
-    urlTemplate: urlInfo.value,
-    canonicalPath: canonicalizeUrl(urlInfo.value),
-    expectsJson: false,
-    authHint: "unknown",
-    confidence: urlInfo.confidence,
-    file: relPath,
-    lines: `${lineNum}-${lineNum + 3}`,
-    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
-    reason: `fetch(new Request('${urlInfo.value.slice(0, 50)}')) call`,
-  });
-}
-
-// =============================================================================
-// AXIOS EXTRACTION
-// =============================================================================
-
-/**
- * Extract axios call
- */
-function extractAxiosCall(path, content, relPath, runtime, wrapperMap) {
-  const { node } = path;
-
-  // Pattern A: axios.get/post/etc(url)
-  if (t.isMemberExpression(node.callee)) {
-    const obj = node.callee.object;
-    const prop = node.callee.property;
-
-    if (t.isIdentifier(obj, { name: "axios" }) && t.isIdentifier(prop)) {
-      const methodName = prop.name.toUpperCase();
-      if (HTTP_METHODS.includes(methodName) || methodName === "REQUEST") {
-        const urlArg = node.arguments[0];
-        if (!urlArg) return null;
-
-        const urlInfo = extractUrlFromNode(urlArg, content);
-        if (!urlInfo.value) return null;
-
-        const lineNum = node.loc?.start?.line || 1;
-
-        return createClientCall({
-          kind: CALL_KINDS.HTTP,
-          runtime,
-          method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
-          urlTemplate: urlInfo.value,
-          canonicalPath: canonicalizeUrl(urlInfo.value),
-          expectsJson: true,
-          authHint: "unknown",
-          confidence: urlInfo.confidence,
-          file: relPath,
-          lines: `${lineNum}-${lineNum + 3}`,
-          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
-          reason: `axios.${prop.name}('${urlInfo.value.slice(0, 50)}') call`,
-        });
-      }
-    }
-  }
-
-  // Pattern B: axios({ method, url })
-  if (t.isIdentifier(node.callee, { name: "axios" })) {
-    const configArg = node.arguments[0];
-    if (t.isObjectExpression(configArg)) {
-      const config = extractObjectLiteralProps(configArg);
-      if (config.url) {
-        const lineNum = node.loc?.start?.line || 1;
-
-        return createClientCall({
-          kind: CALL_KINDS.HTTP,
-          runtime,
-          method: (config.method || "GET").toUpperCase(),
-          urlTemplate: config.url,
-          canonicalPath: canonicalizeUrl(combineBaseUrl(config.baseURL, config.url)),
-          expectsJson: true,
-          authHint: "unknown",
-          confidence: "medium",
-          file: relPath,
-          lines: `${lineNum}-${lineNum + 5}`,
-          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
-          reason: `axios({ url: '${config.url.slice(0, 50)}' }) call`,
-        });
-      }
-    }
-  }
-
-  return null;
-}
-
-// =============================================================================
-// TRPC EXTRACTION
-// =============================================================================
-
-/**
- * Extract tRPC call
- */
-function extractTRPCCall(path, content, relPath, runtime) {
-  const { node } = path;
-
-  // Pattern: trpc.user.get.useQuery() or trpc.billing.portal.useMutation()
-  if (t.isMemberExpression(node.callee)) {
-    const calleeCode = extractMemberChain(node.callee);
-
-    // Check for tRPC patterns
-    const trpcMatch = calleeCode.match(/^(?:trpc|api)\.(.+?)\.(useQuery|useMutation|query|mutate)$/);
-    if (trpcMatch) {
-      const procedure = trpcMatch[1];
-      const operationType = trpcMatch[2].includes("Mutation") || trpcMatch[2] === "mutate" ? "mutation" : "query";
-      const lineNum = node.loc?.start?.line || 1;
-
-      return createClientCall({
-        kind: CALL_KINDS.TRPC,
-        runtime,
-        method: "POST",
-        urlTemplate: `/api/trpc/${procedure}`,
-        canonicalPath: `/api/trpc/${procedure}`,
-        expectsJson: true,
-        authHint: "unknown",
-        confidence: "medium",
-        file: relPath,
-        lines: `${lineNum}-${lineNum + 3}`,
-        snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
-        reason: `tRPC ${operationType}: ${procedure}`,
-        meta: {
-          procedure,
-          operationType,
-        },
-      });
-    }
-  }
-
-  return null;
-}
-
-// =============================================================================
-// GRAPHQL EXTRACTION
-// =============================================================================
-
-/**
- * Extract GraphQL call
- */
-function extractGraphQLCall(path, content, relPath, runtime) {
-  const { node } = path;
-
-  // Pattern: useQuery(gql`...`) or useMutation(gql`...`)
-  if (t.isIdentifier(node.callee)) {
-    const calleeName = node.callee.name;
-
-    if (calleeName === "useQuery" || calleeName === "useMutation" || calleeName === "request") {
-      const queryArg = node.arguments[0];
-      let operationName = null;
-
-      // Try to extract operation name from gql template
-      if (t.isTaggedTemplateExpression(queryArg)) {
-        const template = queryArg.quasi.quasis.map(q => q.value.raw).join("");
-        const opMatch = template.match(/(?:query|mutation|subscription)\s+(\w+)/);
-        if (opMatch) {
-          operationName = opMatch[1];
-        }
-      }
-
-      const lineNum = node.loc?.start?.line || 1;
-
-      return createClientCall({
-        kind: CALL_KINDS.GRAPHQL,
-        runtime,
-        method: "POST",
-        urlTemplate: "/graphql",
-        canonicalPath: "/graphql",
-        expectsJson: true,
-        authHint: "unknown",
-        confidence: operationName ? "medium" : "low",
-        file: relPath,
-        lines: `${lineNum}-${lineNum + 5}`,
-        snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
-        reason: `GraphQL ${calleeName}${operationName ? `: ${operationName}` : ""}`,
-        meta: {
-          operationName,
-          operationType: calleeName.includes("Mutation") ? "mutation" : "query",
-        },
-      });
-    }
-  }
-
-  return null;
-}
-
-// =============================================================================
-// SERVER ACTIONS EXTRACTION
-// =============================================================================
-
-/**
- * Extract Next.js Server Action
- */
-function extractServerAction(path, content, relPath) {
-  const jsxAttr = path.node;
-  const container = jsxAttr.value;
-
-  if (!t.isJSXExpressionContainer(container)) return null;
-
-  const expr = container.expression;
-  let actionName = null;
-
-  if (t.isIdentifier(expr)) {
-    actionName = expr.name;
-  } else if (t.isMemberExpression(expr)) {
-    actionName = extractMemberChain(expr);
-  }
-
-  if (!actionName) return null;
-
-  const lineNum = jsxAttr.loc?.start?.line || 1;
-
-  return createClientCall({
-    kind: CALL_KINDS.SERVER_ACTION,
-    runtime: RUNTIMES.SERVER,
-    method: "POST",
-    urlTemplate: `action://${relPath}#${actionName}`,
-    canonicalPath: `action://${relPath}#${actionName}`,
-    expectsJson: false,
-    authHint: "unknown",
-    confidence: "high",
-    file: relPath,
-    lines: `${lineNum}-${lineNum + 1}`,
-    snippet: `action={${actionName}}`,
-    reason: `Server Action: ${actionName}`,
-    meta: {
-      actionExport: actionName,
-      module: relPath,
-    },
-  });
-}
-
-// =============================================================================
-// WRAPPER EXTRACTION
-// =============================================================================
-
-/**
- * Extract wrapper definitions (axios instances, custom fetch wrappers)
- */
-function extractWrappers(content, relPath, projectRoot) {
-  const wrappers = [];
-
-  let ast;
-  try {
-    ast = parser.parse(content, {
-      sourceType: "module",
-      plugins: ["typescript", "jsx", "decorators-legacy"],
-      errorRecovery: true,
-    });
-  } catch {
-    return wrappers;
-  }
-
-  traverse(ast, {
-    // axios.create()
-    CallExpression(path) {
-      const { node } = path;
-
-      if (
-        t.isMemberExpression(node.callee) &&
-        t.isIdentifier(node.callee.object, { name: "axios" }) &&
-        t.isIdentifier(node.callee.property, { name: "create" })
-      ) {
-        const configArg = node.arguments[0];
-        const config = t.isObjectExpression(configArg) ? extractObjectLiteralProps(configArg) : {};
-
-        // Find variable name
-        let name = "axiosInstance";
-        if (t.isVariableDeclarator(path.parent)) {
-          if (t.isIdentifier(path.parent.id)) {
-            name = path.parent.id.name;
-          }
-        }
-
-        wrappers.push({
-          id: `W_AXIOS_${hashShort(relPath + name)}`,
-          name,
-          kind: "axios",
-          baseURL: config.baseURL || "",
-          defaultHeaders: config.headers ? Object.keys(config.headers) : [],
-          file: relPath,
-          lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
-        });
-      }
-    },
-
-    // Custom fetch wrappers: export const api = { get: ..., post: ... }
-    VariableDeclarator(path) {
-      const { node } = path;
-
-      if (t.isIdentifier(node.id) && t.isObjectExpression(node.init)) {
-        const props = node.init.properties;
-        const methodProps = props.filter(
-          p => t.isIdentifier(p.key) && HTTP_METHODS.map(m => m.toLowerCase()).includes(p.key.name)
-        );
-
-        if (methodProps.length >= 2) {
-          // Looks like an API client object
-          wrappers.push({
-            id: `W_CUSTOM_${hashShort(relPath + node.id.name)}`,
-            name: node.id.name,
-            kind: "custom",
-            baseURL: "",
-            methods: methodProps.map(p => p.key.name),
-            file: relPath,
-            lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
-          });
-        }
-      }
-    },
-  });
-
-  return wrappers;
-}
-
-/**
- * Extract wrapper call (api.get(), apiClient.post(), etc.)
- */
-function extractWrapperCall(path, content, relPath, runtime, wrapperMap) {
-  const { node } = path;
-
-  if (!t.isMemberExpression(node.callee)) return null;
-
-  const obj = node.callee.object;
-  const prop = node.callee.property;
-
-  if (!t.isIdentifier(obj) || !t.isIdentifier(prop)) return null;
-
-  const wrapper = wrapperMap.get(obj.name);
-  if (!wrapper) return null;
-
-  const methodName = prop.name.toUpperCase();
-  if (!HTTP_METHODS.includes(methodName) && methodName !== "REQUEST") return null;
-
-  const urlArg = node.arguments[0];
-  if (!urlArg) return null;
-
-  const urlInfo = extractUrlFromNode(urlArg, content);
-  if (!urlInfo.value) return null;
-
-  // Combine with wrapper baseURL
-  const fullUrl = combineBaseUrl(wrapper.baseURL, urlInfo.value);
-  const lineNum = node.loc?.start?.line || 1;
-
-  return createClientCall({
-    kind: CALL_KINDS.HTTP,
-    runtime,
-    method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
-    urlTemplate: urlInfo.value,
-    canonicalPath: canonicalizeUrl(fullUrl),
-    expectsJson: true,
-    authHint: "unknown",
-    confidence: urlInfo.confidence,
-    file: relPath,
-    lines: `${lineNum}-${lineNum + 3}`,
-    snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
-    reason: `${obj.name}.${prop.name}('${urlInfo.value.slice(0, 50)}') via wrapper`,
-    meta: {
-      wrapperId: wrapper.id,
-    },
-  });
-}
-
-// =============================================================================
-// UI BINDING EXTRACTION
-// =============================================================================
-
-/**
- * Extract UI bindings (onClick, onSubmit that call API)
- */
-function extractUIBindings(content, relPath, calls) {
-  const bindings = [];
-  const callIds = new Set(calls.map(c => c.id));
-
-  let ast;
-  try {
-    ast = parser.parse(content, {
-      sourceType: "module",
-      plugins: ["typescript", "jsx", "decorators-legacy"],
-      errorRecovery: true,
-    });
-  } catch {
-    return bindings;
-  }
-
-  traverse(ast, {
-    JSXAttribute(path) {
-      const { node } = path;
-      const attrName = node.name?.name;
-
-      if (!["onClick", "onSubmit", "onBlur", "onChange", "action"].includes(attrName)) return;
-
-      if (!t.isJSXExpressionContainer(node.value)) return;
-
-      const expr = node.value.expression;
-      const lineNum = node.loc?.start?.line || 1;
-
-      // Find associated calls in this handler
-      const handlerCalls = calls.filter(c => {
-        const callLine = parseInt(c.evidence?.[0]?.lines?.split("-")[0] || "0");
-        return Math.abs(callLine - lineNum) < 20; // Within 20 lines
-      });
-
-      if (handlerCalls.length > 0) {
-        // Try to find label hint
-        const labelHint = findLabelHint(path);
-
-        bindings.push({
-          bindingId: `UIB_${hashShort(relPath + lineNum)}`,
-          file: relPath,
-          lines: `${lineNum}-${lineNum + 5}`,
-          event: attrName,
-          labelHint,
-          calls: handlerCalls.map(c => c.id),
-        });
-      }
-    },
-  });
-
-  return bindings;
-}
-
-/**
- * Find label hint from JSX context
- */
-function findLabelHint(path) {
-  // Look for button text, aria-label, etc.
-  const parent = path.parentPath;
-  if (!parent) return null;
-
-  // Check for aria-label
-  if (t.isJSXOpeningElement(parent.node)) {
-    const ariaLabel = parent.node.attributes.find(
-      a => t.isJSXAttribute(a) && a.name?.name === "aria-label"
-    );
-    if (ariaLabel && t.isStringLiteral(ariaLabel.value)) {
-      return ariaLabel.value.value;
-    }
-  }
-
-  // Check for children text
-  const jsxElement = parent.parentPath;
-  if (t.isJSXElement(jsxElement?.node)) {
-    const textChild = jsxElement.node.children.find(
-      c => t.isJSXText(c) && c.value.trim()
-    );
-    if (textChild) {
-      return textChild.value.trim();
-    }
-  }
-
-  return null;
-}
-
-// =============================================================================
-// HELPERS
-// =============================================================================
-
-/**
- * Extract URL value and confidence from AST node
- */
-function extractUrlFromNode(node, content) {
-  // String literal: HIGH confidence
-  if (t.isStringLiteral(node)) {
-    return { value: node.value, confidence: "high" };
-  }
-
-  // Template literal
-  if (t.isTemplateLiteral(node)) {
-    if (node.expressions.length === 0) {
-      // No expressions: HIGH
-      return { value: node.quasis[0].value.raw, confidence: "high" };
-    }
-    // Has expressions: MEDIUM
-    const template = node.quasis.map((q, i) => {
-      const expr = node.expressions[i];
-      return q.value.raw + (expr ? `{${i}}` : "");
-    }).join("");
-    return { value: template, confidence: "medium" };
-  }
-
-  // Binary expression (concatenation)
-  if (t.isBinaryExpression(node, { operator: "+" })) {
-    const left = extractUrlFromNode(node.left, content);
-    const right = extractUrlFromNode(node.right, content);
-    if (left.value && right.value) {
-      return {
-        value: left.value + right.value,
-        confidence: "medium",
-      };
-    }
-  }
-
-  // Variable: LOW confidence
-  if (t.isIdentifier(node)) {
-    return { value: `\${${node.name}}`, confidence: "low" };
-  }
-
-  return { value: null, confidence: "low" };
-}
-
-/**
- * Extract method from fetch init argument
- */
-function extractMethodFromInit(initNode) {
-  if (!initNode || !t.isObjectExpression(initNode)) return null;
-
-  const methodProp = initNode.properties.find(
-    p => t.isObjectProperty(p) && t.isIdentifier(p.key, { name: "method" })
-  );
-
-  if (methodProp && t.isStringLiteral(methodProp.value)) {
-    return methodProp.value.value.toUpperCase();
-  }
-
-  return null;
-}
-
-/**
- * Extract expectsJson from init
- */
-function extractExpectsJson(initNode, path) {
-  if (!initNode) return false;
-
-  if (t.isObjectExpression(initNode)) {
-    const props = extractObjectLiteralProps(initNode);
-    if (props.headers?.["content-type"]?.includes("application/json")) return true;
-    if (props.body && typeof props.body === "string" && props.body.includes("JSON.stringify")) return true;
-  }
-
-  // Check if .json() is called on response
-  // This would require more complex flow analysis
-  return false;
-}
-
-/**
- * Extract auth hint from init
- */
-function extractAuthHint(initNode) {
-  if (!initNode || !t.isObjectExpression(initNode)) return "unknown";
-
-  const props = extractObjectLiteralProps(initNode);
-
-  if (props.credentials === "include") return "cookie";
-  if (props.headers?.authorization?.toLowerCase().startsWith("bearer")) return "bearer";
-  if (props.headers?.Authorization?.toLowerCase().startsWith("bearer")) return "bearer";
-
-  return "unknown";
-}
-
-/**
- * Extract object literal properties as plain object
- */
-function extractObjectLiteralProps(node) {
-  const props = {};
-
-  for (const prop of node.properties) {
-    if (t.isObjectProperty(prop) && t.isIdentifier(prop.key)) {
-      const key = prop.key.name;
-
-      if (t.isStringLiteral(prop.value)) {
-        props[key] = prop.value.value;
-      } else if (t.isObjectExpression(prop.value)) {
-        props[key] = extractObjectLiteralProps(prop.value);
-      } else if (t.isIdentifier(prop.value)) {
-        props[key] = `$${prop.value.name}`;
-      }
-    }
-  }
-
-  return props;
-}
-
-/**
- * Extract member expression chain as string
- */
-function extractMemberChain(node) {
-  const parts = [];
-
-  let current = node;
-  while (t.isMemberExpression(current)) {
-    if (t.isIdentifier(current.property)) {
-      parts.unshift(current.property.name);
-    }
-    current = current.object;
-  }
-
-  if (t.isIdentifier(current)) {
-    parts.unshift(current.name);
-  }
-
-  return parts.join(".");
-}
-
-/**
- * Infer runtime from file content
- */
-function inferRuntime(content, relPath) {
-  if (content.includes('"use client"') || content.includes("'use client'")) {
-    return RUNTIMES.CLIENT;
-  }
-  if (content.includes('"use server"') || content.includes("'use server'")) {
-    return RUNTIMES.SERVER;
-  }
-  if (relPath.includes("/api/") || relPath.includes("server")) {
-    return RUNTIMES.SERVER;
-  }
-  if (relPath.includes("/lib/") || relPath.includes("/utils/")) {
-    return RUNTIMES.SHARED;
-  }
-  return RUNTIMES.UNKNOWN;
-}
-
-/**
- * Canonicalize URL path
- */
-function canonicalizeUrl(url) {
-  if (!url) return null;
-
-  let canonical = url;
-
-  // Strip protocol and host
-  canonical = canonical.replace(/^https?:\/\/[^/]+/, "");
-
-  // Strip query string
-  canonical = canonical.split("?")[0];
-
-  // Strip hash
-  canonical = canonical.split("#")[0];
-
-  // Replace template expressions with params
-  canonical = canonical.replace(/\$\{[^}]+\}/g, "{param}");
-  canonical = canonical.replace(/\{[0-9]+\}/g, "{param}");
-
-  // Normalize slashes
-  canonical = canonical.replace(/\/+/g, "/");
-
-  // Ensure leading slash
-  if (!canonical.startsWith("/") && !canonical.startsWith("action://")) {
-    canonical = "/" + canonical;
-  }
-
-  // Remove trailing slash (except root)
-  if (canonical.length > 1) {
-    canonical = canonical.replace(/\/$/, "");
-  }
-
-  return canonical;
-}
-
-/**
- * Combine base URL with path
- */
-function combineBaseUrl(base, path) {
-  if (!base) return path;
-  if (!path) return base;
-
-  const baseTrimmed = base.replace(/\/$/, "");
-  const pathTrimmed = path.startsWith("/") ? path : "/" + path;
-
-  return baseTrimmed + pathTrimmed;
-}
-
-/**
- * Create a ClientCall record
- */
-function createClientCall(opts) {
-  const id = `C_CALL_${hashShort(opts.file + opts.urlTemplate + opts.method)}`;
-
-  return {
-    id,
-    kind: opts.kind,
-    runtime: opts.runtime,
-    method: opts.method,
-    urlTemplate: opts.urlTemplate,
-    canonicalPath: opts.canonicalPath,
-    expectsJson: opts.expectsJson,
-    authHint: opts.authHint,
-    confidence: opts.confidence,
-    evidence: [{
-      id: `E_${hashShort(opts.file + opts.lines)}`,
-      kind: "file",
-      file: opts.file,
-      lines: opts.lines,
-      snippetHash: hashSnippet(opts.snippet || ""),
-      reason: opts.reason,
-    }],
-    meta: opts.meta || {},
-  };
-}
-
-function hashShort(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 12).toUpperCase();
-}
-
-function hashSnippet(text) {
-  return `sha256:${crypto.createHash("sha256").update(text).digest("hex")}`;
-}
-
-// =============================================================================
-// EXPORTS
-// =============================================================================
-
-module.exports = {
-  extractClientCalls,
-  extractCallsFromFile,
-  extractFetchCall,
-  extractAxiosCall,
-  extractTRPCCall,
-  extractGraphQLCall,
-  extractServerAction,
-  extractWrappers,
-  extractWrapperCall,
-  extractUIBindings,
-  canonicalizeUrl,
-  combineBaseUrl,
-  inferRuntime,
-  CALL_KINDS,
-  RUNTIMES,
-  HTTP_METHODS,
-};
+/**
+ * Client Call Extractor v2
+ * 
+ * Extracts client-side API calls: fetch, axios, tRPC, GraphQL, Server Actions, SDK calls.
+ * Links them to the Reality Proof Graph for dead UI detection.
+ * 
+ * Output: ClientCall records with evidence, confidence, and canonical paths.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+// =============================================================================
+// TYPES AND CONSTANTS
+// =============================================================================
+
+const HTTP_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"];
+
+const CALL_KINDS = {
+  HTTP: "http",
+  TRPC: "trpc",
+  GRAPHQL: "graphql",
+  SERVER_ACTION: "server_action",
+  SDK: "sdk",
+};
+
+const RUNTIMES = {
+  CLIENT: "client",
+  SERVER: "server",
+  SHARED: "shared",
+  UNKNOWN: "unknown",
+};
+
+// =============================================================================
+// MAIN EXTRACTION
+// =============================================================================
+
+/**
+ * Extract all client calls from a project
+ */
+function extractClientCalls(projectRoot, options = {}) {
+  const { include = [], exclude = [] } = options;
+
+  // Find source files
+  const defaultInclude = ["**/*.{ts,tsx,js,jsx,mts,cts}"];
+  const defaultExclude = [
+    "**/node_modules/**",
+    "**/.next/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/coverage/**",
+    "**/*.min.js",
+    "**/*.d.ts",
+  ];
+
+  const patterns = include.length > 0 ? include : defaultInclude;
+  const ignorePatterns = [...defaultExclude, ...exclude];
+
+  const files = fg.sync(patterns, {
+    cwd: projectRoot,
+    absolute: true,
+    ignore: ignorePatterns,
+    onlyFiles: true,
+  });
+
+  const calls = [];
+  const wrappers = [];
+  const uiBindings = [];
+  const errors = [];
+
+  // Pass 1: Extract wrappers (axios instances, custom request helpers)
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf8");
+      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
+      const fileWrappers = extractWrappers(content, relPath, projectRoot);
+      wrappers.push(...fileWrappers);
+    } catch (err) {
+      errors.push({ file, phase: "wrappers", error: err.message });
+    }
+  }
+
+  // Build wrapper lookup
+  const wrapperMap = new Map();
+  for (const w of wrappers) {
+    wrapperMap.set(w.name, w);
+  }
+
+  // Pass 2: Extract calls
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf8");
+      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
+      const runtime = inferRuntime(content, relPath);
+
+      const fileCalls = extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot);
+      calls.push(...fileCalls);
+
+      const bindings = extractUIBindings(content, relPath, fileCalls);
+      uiBindings.push(...bindings);
+    } catch (err) {
+      errors.push({ file, phase: "calls", error: err.message });
+    }
+  }
+
+  return {
+    calls,
+    wrappers,
+    uiBindings,
+    errors,
+    stats: {
+      filesScanned: files.length,
+      callsFound: calls.length,
+      wrappersFound: wrappers.length,
+      bindingsFound: uiBindings.length,
+    },
+  };
+}
+
+/**
+ * Extract calls from a single file
+ */
+function extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot) {
+  const calls = [];
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return calls;
+  }
+
+  traverse(ast, {
+    CallExpression(path) {
+      // fetch() calls
+      const fetchCall = extractFetchCall(path, content, relPath, runtime);
+      if (fetchCall) {
+        calls.push(fetchCall);
+        return;
+      }
+
+      // axios calls
+      const axiosCall = extractAxiosCall(path, content, relPath, runtime, wrapperMap);
+      if (axiosCall) {
+        calls.push(axiosCall);
+        return;
+      }
+
+      // tRPC calls
+      const trpcCall = extractTRPCCall(path, content, relPath, runtime);
+      if (trpcCall) {
+        calls.push(trpcCall);
+        return;
+      }
+
+      // GraphQL calls
+      const gqlCall = extractGraphQLCall(path, content, relPath, runtime);
+      if (gqlCall) {
+        calls.push(gqlCall);
+        return;
+      }
+
+      // Wrapper calls
+      const wrapperCall = extractWrapperCall(path, content, relPath, runtime, wrapperMap);
+      if (wrapperCall) {
+        calls.push(wrapperCall);
+        return;
+      }
+    },
+
+    // Server Actions (form action={...})
+    JSXAttribute(path) {
+      if (path.node.name.name === "action" && t.isJSXExpressionContainer(path.node.value)) {
+        const actionCall = extractServerAction(path, content, relPath);
+        if (actionCall) {
+          calls.push(actionCall);
+        }
+      }
+    },
+  });
+
+  return calls;
+}
+
+// =============================================================================
+// FETCH EXTRACTION
+// =============================================================================
+
+/**
+ * Extract fetch() call
+ */
+function extractFetchCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Check if callee is 'fetch'
+  if (!t.isIdentifier(node.callee, { name: "fetch" })) {
+    // Also check for fetch(new Request(...))
+    if (t.isNewExpression(node.callee) && t.isIdentifier(node.callee.callee, { name: "Request" })) {
+      return extractRequestCall(path, content, relPath, runtime);
+    }
+    return null;
+  }
+
+  const urlArg = node.arguments[0];
+  const initArg = node.arguments[1];
+
+  if (!urlArg) return null;
+
+  // Extract URL
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  // Extract method
+  const method = extractMethodFromInit(initArg) || "GET";
+
+  // Extract other info
+  const expectsJson = extractExpectsJson(initArg, path);
+  const authHint = extractAuthHint(initArg);
+
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(urlInfo.value),
+    expectsJson,
+    authHint,
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 5}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+    reason: `fetch('${urlInfo.value.slice(0, 50)}') call`,
+  });
+}
+
+/**
+ * Extract new Request() call inside fetch
+ */
+function extractRequestCall(path, content, relPath, runtime) {
+  const { node } = path;
+  const requestNode = node.callee;
+
+  if (!t.isNewExpression(requestNode)) return null;
+
+  const urlArg = requestNode.arguments[0];
+  const initArg = requestNode.arguments[1];
+
+  if (!urlArg) return null;
+
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  const method = extractMethodFromInit(initArg) || "GET";
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(urlInfo.value),
+    expectsJson: false,
+    authHint: "unknown",
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 3}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+    reason: `fetch(new Request('${urlInfo.value.slice(0, 50)}')) call`,
+  });
+}
+
+// =============================================================================
+// AXIOS EXTRACTION
+// =============================================================================
+
+/**
+ * Extract axios call
+ */
+function extractAxiosCall(path, content, relPath, runtime, wrapperMap) {
+  const { node } = path;
+
+  // Pattern A: axios.get/post/etc(url)
+  if (t.isMemberExpression(node.callee)) {
+    const obj = node.callee.object;
+    const prop = node.callee.property;
+
+    if (t.isIdentifier(obj, { name: "axios" }) && t.isIdentifier(prop)) {
+      const methodName = prop.name.toUpperCase();
+      if (HTTP_METHODS.includes(methodName) || methodName === "REQUEST") {
+        const urlArg = node.arguments[0];
+        if (!urlArg) return null;
+
+        const urlInfo = extractUrlFromNode(urlArg, content);
+        if (!urlInfo.value) return null;
+
+        const lineNum = node.loc?.start?.line || 1;
+
+        return createClientCall({
+          kind: CALL_KINDS.HTTP,
+          runtime,
+          method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
+          urlTemplate: urlInfo.value,
+          canonicalPath: canonicalizeUrl(urlInfo.value),
+          expectsJson: true,
+          authHint: "unknown",
+          confidence: urlInfo.confidence,
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 3}`,
+          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+          reason: `axios.${prop.name}('${urlInfo.value.slice(0, 50)}') call`,
+        });
+      }
+    }
+  }
+
+  // Pattern B: axios({ method, url })
+  if (t.isIdentifier(node.callee, { name: "axios" })) {
+    const configArg = node.arguments[0];
+    if (t.isObjectExpression(configArg)) {
+      const config = extractObjectLiteralProps(configArg);
+      if (config.url) {
+        const lineNum = node.loc?.start?.line || 1;
+
+        return createClientCall({
+          kind: CALL_KINDS.HTTP,
+          runtime,
+          method: (config.method || "GET").toUpperCase(),
+          urlTemplate: config.url,
+          canonicalPath: canonicalizeUrl(combineBaseUrl(config.baseURL, config.url)),
+          expectsJson: true,
+          authHint: "unknown",
+          confidence: "medium",
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 5}`,
+          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+          reason: `axios({ url: '${config.url.slice(0, 50)}' }) call`,
+        });
+      }
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// TRPC EXTRACTION
+// =============================================================================
+
+/**
+ * Extract tRPC call
+ */
+function extractTRPCCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Pattern: trpc.user.get.useQuery() or trpc.billing.portal.useMutation()
+  if (t.isMemberExpression(node.callee)) {
+    const calleeCode = extractMemberChain(node.callee);
+
+    // Check for tRPC patterns
+    const trpcMatch = calleeCode.match(/^(?:trpc|api)\.(.+?)\.(useQuery|useMutation|query|mutate)$/);
+    if (trpcMatch) {
+      const procedure = trpcMatch[1];
+      const operationType = trpcMatch[2].includes("Mutation") || trpcMatch[2] === "mutate" ? "mutation" : "query";
+      const lineNum = node.loc?.start?.line || 1;
+
+      return createClientCall({
+        kind: CALL_KINDS.TRPC,
+        runtime,
+        method: "POST",
+        urlTemplate: `/api/trpc/${procedure}`,
+        canonicalPath: `/api/trpc/${procedure}`,
+        expectsJson: true,
+        authHint: "unknown",
+        confidence: "medium",
+        file: relPath,
+        lines: `${lineNum}-${lineNum + 3}`,
+        snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
+        reason: `tRPC ${operationType}: ${procedure}`,
+        meta: {
+          procedure,
+          operationType,
+        },
+      });
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// GRAPHQL EXTRACTION
+// =============================================================================
+
+/**
+ * Extract GraphQL call
+ */
+function extractGraphQLCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Pattern: useQuery(gql`...`) or useMutation(gql`...`)
+  if (t.isIdentifier(node.callee)) {
+    const calleeName = node.callee.name;
+
+    if (calleeName === "useQuery" || calleeName === "useMutation" || calleeName === "request") {
+      const queryArg = node.arguments[0];
+      let operationName = null;
+
+      // Try to extract operation name from gql template
+      if (t.isTaggedTemplateExpression(queryArg)) {
+        const template = queryArg.quasi.quasis.map(q => q.value.raw).join("");
+        const opMatch = template.match(/(?:query|mutation|subscription)\s+(\w+)/);
+        if (opMatch) {
+          operationName = opMatch[1];
+        }
+      }
+
+      const lineNum = node.loc?.start?.line || 1;
+
+      return createClientCall({
+        kind: CALL_KINDS.GRAPHQL,
+        runtime,
+        method: "POST",
+        urlTemplate: "/graphql",
+        canonicalPath: "/graphql",
+        expectsJson: true,
+        authHint: "unknown",
+        confidence: operationName ? "medium" : "low",
+        file: relPath,
+        lines: `${lineNum}-${lineNum + 5}`,
+        snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+        reason: `GraphQL ${calleeName}${operationName ? `: ${operationName}` : ""}`,
+        meta: {
+          operationName,
+          operationType: calleeName.includes("Mutation") ? "mutation" : "query",
+        },
+      });
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// SERVER ACTIONS EXTRACTION
+// =============================================================================
+
+/**
+ * Extract Next.js Server Action
+ */
+function extractServerAction(path, content, relPath) {
+  const jsxAttr = path.node;
+  const container = jsxAttr.value;
+
+  if (!t.isJSXExpressionContainer(container)) return null;
+
+  const expr = container.expression;
+  let actionName = null;
+
+  if (t.isIdentifier(expr)) {
+    actionName = expr.name;
+  } else if (t.isMemberExpression(expr)) {
+    actionName = extractMemberChain(expr);
+  }
+
+  if (!actionName) return null;
+
+  const lineNum = jsxAttr.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.SERVER_ACTION,
+    runtime: RUNTIMES.SERVER,
+    method: "POST",
+    urlTemplate: `action://${relPath}#${actionName}`,
+    canonicalPath: `action://${relPath}#${actionName}`,
+    expectsJson: false,
+    authHint: "unknown",
+    confidence: "high",
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 1}`,
+    snippet: `action={${actionName}}`,
+    reason: `Server Action: ${actionName}`,
+    meta: {
+      actionExport: actionName,
+      module: relPath,
+    },
+  });
+}
+
+// =============================================================================
+// WRAPPER EXTRACTION
+// =============================================================================
+
+/**
+ * Extract wrapper definitions (axios instances, custom fetch wrappers)
+ */
+function extractWrappers(content, relPath, projectRoot) {
+  const wrappers = [];
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return wrappers;
+  }
+
+  traverse(ast, {
+    // axios.create()
+    CallExpression(path) {
+      const { node } = path;
+
+      if (
+        t.isMemberExpression(node.callee) &&
+        t.isIdentifier(node.callee.object, { name: "axios" }) &&
+        t.isIdentifier(node.callee.property, { name: "create" })
+      ) {
+        const configArg = node.arguments[0];
+        const config = t.isObjectExpression(configArg) ? extractObjectLiteralProps(configArg) : {};
+
+        // Find variable name
+        let name = "axiosInstance";
+        if (t.isVariableDeclarator(path.parent)) {
+          if (t.isIdentifier(path.parent.id)) {
+            name = path.parent.id.name;
+          }
+        }
+
+        wrappers.push({
+          id: `W_AXIOS_${hashShort(relPath + name)}`,
+          name,
+          kind: "axios",
+          baseURL: config.baseURL || "",
+          defaultHeaders: config.headers ? Object.keys(config.headers) : [],
+          file: relPath,
+          lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
+        });
+      }
+    },
+
+    // Custom fetch wrappers: export const api = { get: ..., post: ... }
+    VariableDeclarator(path) {
+      const { node } = path;
+
+      if (t.isIdentifier(node.id) && t.isObjectExpression(node.init)) {
+        const props = node.init.properties;
+        const methodProps = props.filter(
+          p => t.isIdentifier(p.key) && HTTP_METHODS.map(m => m.toLowerCase()).includes(p.key.name)
+        );
+
+        if (methodProps.length >= 2) {
+          // Looks like an API client object
+          wrappers.push({
+            id: `W_CUSTOM_${hashShort(relPath + node.id.name)}`,
+            name: node.id.name,
+            kind: "custom",
+            baseURL: "",
+            methods: methodProps.map(p => p.key.name),
+            file: relPath,
+            lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
+          });
+        }
+      }
+    },
+  });
+
+  return wrappers;
+}
+
+/**
+ * Extract wrapper call (api.get(), apiClient.post(), etc.)
+ */
+function extractWrapperCall(path, content, relPath, runtime, wrapperMap) {
+  const { node } = path;
+
+  if (!t.isMemberExpression(node.callee)) return null;
+
+  const obj = node.callee.object;
+  const prop = node.callee.property;
+
+  if (!t.isIdentifier(obj) || !t.isIdentifier(prop)) return null;
+
+  const wrapper = wrapperMap.get(obj.name);
+  if (!wrapper) return null;
+
+  const methodName = prop.name.toUpperCase();
+  if (!HTTP_METHODS.includes(methodName) && methodName !== "REQUEST") return null;
+
+  const urlArg = node.arguments[0];
+  if (!urlArg) return null;
+
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  // Combine with wrapper baseURL
+  const fullUrl = combineBaseUrl(wrapper.baseURL, urlInfo.value);
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(fullUrl),
+    expectsJson: true,
+    authHint: "unknown",
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 3}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
+    reason: `${obj.name}.${prop.name}('${urlInfo.value.slice(0, 50)}') via wrapper`,
+    meta: {
+      wrapperId: wrapper.id,
+    },
+  });
+}
+
+// =============================================================================
+// UI BINDING EXTRACTION
+// =============================================================================
+
+/**
+ * Extract UI bindings (onClick, onSubmit that call API)
+ */
+function extractUIBindings(content, relPath, calls) {
+  const bindings = [];
+  const callIds = new Set(calls.map(c => c.id));
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return bindings;
+  }
+
+  traverse(ast, {
+    JSXAttribute(path) {
+      const { node } = path;
+      const attrName = node.name?.name;
+
+      if (!["onClick", "onSubmit", "onBlur", "onChange", "action"].includes(attrName)) return;
+
+      if (!t.isJSXExpressionContainer(node.value)) return;
+
+      const expr = node.value.expression;
+      const lineNum = node.loc?.start?.line || 1;
+
+      // Find associated calls in this handler
+      const handlerCalls = calls.filter(c => {
+        const callLine = parseInt(c.evidence?.[0]?.lines?.split("-")[0] || "0");
+        return Math.abs(callLine - lineNum) < 20; // Within 20 lines
+      });
+
+      if (handlerCalls.length > 0) {
+        // Try to find label hint
+        const labelHint = findLabelHint(path);
+
+        bindings.push({
+          bindingId: `UIB_${hashShort(relPath + lineNum)}`,
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 5}`,
+          event: attrName,
+          labelHint,
+          calls: handlerCalls.map(c => c.id),
+        });
+      }
+    },
+  });
+
+  return bindings;
+}
+
+/**
+ * Find label hint from JSX context
+ */
+function findLabelHint(path) {
+  // Look for button text, aria-label, etc.
+  const parent = path.parentPath;
+  if (!parent) return null;
+
+  // Check for aria-label
+  if (t.isJSXOpeningElement(parent.node)) {
+    const ariaLabel = parent.node.attributes.find(
+      a => t.isJSXAttribute(a) && a.name?.name === "aria-label"
+    );
+    if (ariaLabel && t.isStringLiteral(ariaLabel.value)) {
+      return ariaLabel.value.value;
+    }
+  }
+
+  // Check for children text
+  const jsxElement = parent.parentPath;
+  if (t.isJSXElement(jsxElement?.node)) {
+    const textChild = jsxElement.node.children.find(
+      c => t.isJSXText(c) && c.value.trim()
+    );
+    if (textChild) {
+      return textChild.value.trim();
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+/**
+ * Extract URL value and confidence from AST node
+ */
+function extractUrlFromNode(node, content) {
+  // String literal: HIGH confidence
+  if (t.isStringLiteral(node)) {
+    return { value: node.value, confidence: "high" };
+  }
+
+  // Template literal
+  if (t.isTemplateLiteral(node)) {
+    if (node.expressions.length === 0) {
+      // No expressions: HIGH
+      return { value: node.quasis[0].value.raw, confidence: "high" };
+    }
+    // Has expressions: MEDIUM
+    const template = node.quasis.map((q, i) => {
+      const expr = node.expressions[i];
+      return q.value.raw + (expr ? `{${i}}` : "");
+    }).join("");
+    return { value: template, confidence: "medium" };
+  }
+
+  // Binary expression (concatenation)
+  if (t.isBinaryExpression(node, { operator: "+" })) {
+    const left = extractUrlFromNode(node.left, content);
+    const right = extractUrlFromNode(node.right, content);
+    if (left.value && right.value) {
+      return {
+        value: left.value + right.value,
+        confidence: "medium",
+      };
+    }
+  }
+
+  // Variable: LOW confidence
+  if (t.isIdentifier(node)) {
+    return { value: `\${${node.name}}`, confidence: "low" };
+  }
+
+  return { value: null, confidence: "low" };
+}
+
+/**
+ * Extract method from fetch init argument
+ */
+function extractMethodFromInit(initNode) {
+  if (!initNode || !t.isObjectExpression(initNode)) return null;
+
+  const methodProp = initNode.properties.find(
+    p => t.isObjectProperty(p) && t.isIdentifier(p.key, { name: "method" })
+  );
+
+  if (methodProp && t.isStringLiteral(methodProp.value)) {
+    return methodProp.value.value.toUpperCase();
+  }
+
+  return null;
+}
+
+/**
+ * Extract expectsJson from init
+ */
+function extractExpectsJson(initNode, path) {
+  if (!initNode) return false;
+
+  if (t.isObjectExpression(initNode)) {
+    const props = extractObjectLiteralProps(initNode);
+    if (props.headers?.["content-type"]?.includes("application/json")) return true;
+    if (props.body && typeof props.body === "string" && props.body.includes("JSON.stringify")) return true;
+  }
+
+  // Check if .json() is called on response
+  // This would require more complex flow analysis
+  return false;
+}
+
+/**
+ * Extract auth hint from init
+ */
+function extractAuthHint(initNode) {
+  if (!initNode || !t.isObjectExpression(initNode)) return "unknown";
+
+  const props = extractObjectLiteralProps(initNode);
+
+  if (props.credentials === "include") return "cookie";
+  if (props.headers?.authorization?.toLowerCase().startsWith("bearer")) return "bearer";
+  if (props.headers?.Authorization?.toLowerCase().startsWith("bearer")) return "bearer";
+
+  return "unknown";
+}
+
+/**
+ * Extract object literal properties as plain object
+ */
+function extractObjectLiteralProps(node) {
+  const props = {};
+
+  for (const prop of node.properties) {
+    if (t.isObjectProperty(prop) && t.isIdentifier(prop.key)) {
+      const key = prop.key.name;
+
+      if (t.isStringLiteral(prop.value)) {
+        props[key] = prop.value.value;
+      } else if (t.isObjectExpression(prop.value)) {
+        props[key] = extractObjectLiteralProps(prop.value);
+      } else if (t.isIdentifier(prop.value)) {
+        props[key] = `$${prop.value.name}`;
+      }
+    }
+  }
+
+  return props;
+}
+
+/**
+ * Extract member expression chain as string
+ */
+function extractMemberChain(node) {
+  const parts = [];
+
+  let current = node;
+  while (t.isMemberExpression(current)) {
+    if (t.isIdentifier(current.property)) {
+      parts.unshift(current.property.name);
+    }
+    current = current.object;
+  }
+
+  if (t.isIdentifier(current)) {
+    parts.unshift(current.name);
+  }
+
+  return parts.join(".");
+}
+
+/**
+ * Infer runtime from file content
+ */
+function inferRuntime(content, relPath) {
+  if (content.includes('"use client"') || content.includes("'use client'")) {
+    return RUNTIMES.CLIENT;
+  }
+  if (content.includes('"use server"') || content.includes("'use server'")) {
+    return RUNTIMES.SERVER;
+  }
+  if (relPath.includes("/api/") || relPath.includes("server")) {
+    return RUNTIMES.SERVER;
+  }
+  if (relPath.includes("/lib/") || relPath.includes("/utils/")) {
+    return RUNTIMES.SHARED;
+  }
+  return RUNTIMES.UNKNOWN;
+}
+
+/**
+ * Canonicalize URL path
+ */
+function canonicalizeUrl(url) {
+  if (!url) return null;
+
+  let canonical = url;
+
+  // Strip protocol and host
+  canonical = canonical.replace(/^https?:\/\/[^/]+/, "");
+
+  // Strip query string
+  canonical = canonical.split("?")[0];
+
+  // Strip hash
+  canonical = canonical.split("#")[0];
+
+  // Replace template expressions with params
+  canonical = canonical.replace(/\$\{[^}]+\}/g, "{param}");
+  canonical = canonical.replace(/\{[0-9]+\}/g, "{param}");
+
+  // Normalize slashes
+  canonical = canonical.replace(/\/+/g, "/");
+
+  // Ensure leading slash
+  if (!canonical.startsWith("/") && !canonical.startsWith("action://")) {
+    canonical = "/" + canonical;
+  }
+
+  // Remove trailing slash (except root)
+  if (canonical.length > 1) {
+    canonical = canonical.replace(/\/$/, "");
+  }
+
+  return canonical;
+}
+
+/**
+ * Combine base URL with path
+ */
+function combineBaseUrl(base, path) {
+  if (!base) return path;
+  if (!path) return base;
+
+  const baseTrimmed = base.replace(/\/$/, "");
+  const pathTrimmed = path.startsWith("/") ? path : "/" + path;
+
+  return baseTrimmed + pathTrimmed;
+}
+
+/**
+ * Create a ClientCall record
+ */
+function createClientCall(opts) {
+  const id = `C_CALL_${hashShort(opts.file + opts.urlTemplate + opts.method)}`;
+
+  return {
+    id,
+    kind: opts.kind,
+    runtime: opts.runtime,
+    method: opts.method,
+    urlTemplate: opts.urlTemplate,
+    canonicalPath: opts.canonicalPath,
+    expectsJson: opts.expectsJson,
+    authHint: opts.authHint,
+    confidence: opts.confidence,
+    evidence: [{
+      id: `E_${hashShort(opts.file + opts.lines)}`,
+      kind: "file",
+      file: opts.file,
+      lines: opts.lines,
+      snippetHash: hashSnippet(opts.snippet || ""),
+      reason: opts.reason,
+    }],
+    meta: opts.meta || {},
+  };
+}
+
+function hashShort(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 12).toUpperCase();
+}
+
+function hashSnippet(text) {
+  return `sha256:${crypto.createHash("sha256").update(text).digest("hex")}`;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  extractClientCalls,
+  extractCallsFromFile,
+  extractFetchCall,
+  extractAxiosCall,
+  extractTRPCCall,
+  extractGraphQLCall,
+  extractServerAction,
+  extractWrappers,
+  extractWrapperCall,
+  extractUIBindings,
+  canonicalizeUrl,
+  combineBaseUrl,
+  inferRuntime,
+  CALL_KINDS,
+  RUNTIMES,
+  HTTP_METHODS,
+};