@vibecheckai/cli 3.2.5 → 3.3.0

package/bin/runners/lib/graph/static-extractor.js

@@ -1,518 +1,518 @@
-/**
- * Static Edge Extractor
- * Extracts causal edges from AST analysis:
- * - UI actions → client functions
- * - Client functions → network calls
- * - Network calls → server routes
- * - Server routes → handlers
- * - Handlers → DB/external calls
- */
-
-"use strict";
-
-const fg = require("fast-glob");
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-const parser = require("@babel/parser");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-
-function sha256(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
-}
-
-function nodeId(type, file, line) {
-  return `${type}_${sha256(file + ":" + line)}`;
-}
-
-function parseFile(code) {
-  return parser.parse(code, {
-    sourceType: "unambiguous",
-    plugins: ["typescript", "jsx", "decorators-legacy"]
-  });
-}
-
-function safeRead(fileAbs) {
-  return fs.readFileSync(fileAbs, "utf8");
-}
-
-function getSnippet(code, loc) {
-  if (!loc) return "";
-  const lines = code.split(/\r?\n/);
-  const start = Math.max(0, (loc.start?.line || 1) - 1);
-  const end = Math.min(lines.length, (loc.end?.line || start + 1));
-  return lines.slice(start, end).join("\n").slice(0, 200);
-}
-
-/**
- * Extract UI action nodes (onClick, onSubmit, etc.)
- */
-async function extractUIActions(repoRoot) {
-  const files = await fg(["**/*.{tsx,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
-  });
-
-  const nodes = [];
-  const edges = [];
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = safeRead(fileAbs);
-
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    traverse(ast, {
-      JSXAttribute(p) {
-        const name = p.node.name?.name;
-        if (!name || !["onClick", "onSubmit", "onPress", "onChange"].includes(name)) return;
-
-        const line = p.node.loc?.start?.line || 0;
-        const snippet = getSnippet(code, p.node.loc);
-        const id = nodeId("ui_action", fileRel, line);
-
-        nodes.push({
-          id,
-          type: "ui_action",
-          file: fileRel,
-          line,
-          snippet,
-          snippetHash: sha256(snippet),
-          actionType: name
-        });
-
-        // Try to find what function this calls
-        const value = p.node.value;
-        if (t.isJSXExpressionContainer(value)) {
-          const expr = value.expression;
-          
-          // Direct function reference: onClick={handleClick}
-          if (t.isIdentifier(expr)) {
-            edges.push({
-              id: `edge_${sha256(id + "_" + expr.name)}`,
-              from: id,
-              toRef: expr.name,
-              type: "calls",
-              confidence: "high",
-              file: fileRel
-            });
-          }
-          
-          // Arrow function with call: onClick={() => handleClick()}
-          if (t.isArrowFunctionExpression(expr) || t.isFunctionExpression(expr)) {
-            traverse(expr.body, {
-              CallExpression(cp) {
-                if (t.isIdentifier(cp.node.callee)) {
-                  edges.push({
-                    id: `edge_${sha256(id + "_" + cp.node.callee.name)}`,
-                    from: id,
-                    toRef: cp.node.callee.name,
-                    type: "calls",
-                    confidence: "med",
-                    file: fileRel
-                  });
-                }
-              }
-            }, p.scope, p);
-          }
-        }
-      }
-    });
-  }
-
-  return { nodes, edges };
-}
-
-/**
- * Extract client function nodes that make network calls
- */
-async function extractClientFunctions(repoRoot) {
-  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/server/**", "**/api/**"]
-  });
-
-  const nodes = [];
-  const edges = [];
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = safeRead(fileAbs);
-
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    // Track function declarations that contain fetch/axios
-    const funcMap = new Map();
-
-    traverse(ast, {
-      "FunctionDeclaration|ArrowFunctionExpression|FunctionExpression"(p) {
-        const funcName = p.node.id?.name || 
-          (t.isVariableDeclarator(p.parent) && t.isIdentifier(p.parent.id) ? p.parent.id.name : null);
-        
-        if (!funcName) return;
-
-        const line = p.node.loc?.start?.line || 0;
-        const snippet = getSnippet(code, p.node.loc);
-        const id = nodeId("client_function", fileRel, line);
-
-        funcMap.set(funcName, { id, line, snippet });
-      }
-    });
-
-    traverse(ast, {
-      CallExpression(p) {
-        const callee = p.node.callee;
-        let fetchUrl = null;
-        let method = "*";
-        let callType = null;
-
-        // fetch("/api/x")
-        if (t.isIdentifier(callee) && callee.name === "fetch") {
-          const arg0 = p.node.arguments[0];
-          if (t.isStringLiteral(arg0)) {
-            fetchUrl = arg0.value;
-            callType = "fetch";
-          }
-          // Check method in options
-          const arg1 = p.node.arguments[1];
-          if (t.isObjectExpression(arg1)) {
-            for (const prop of arg1.properties) {
-              if (t.isObjectProperty(prop) && 
-                  ((t.isIdentifier(prop.key) && prop.key.name === "method") ||
-                   (t.isStringLiteral(prop.key) && prop.key.value === "method")) &&
-                  t.isStringLiteral(prop.value)) {
-                method = prop.value.value.toUpperCase();
-              }
-            }
-          }
-        }
-
-        // axios.get("/api/x")
-        if (t.isMemberExpression(callee) && 
-            t.isIdentifier(callee.object) && callee.object.name === "axios" &&
-            t.isIdentifier(callee.property)) {
-          const verb = callee.property.name;
-          if (["get", "post", "put", "patch", "delete"].includes(verb)) {
-            const arg0 = p.node.arguments[0];
-            if (t.isStringLiteral(arg0)) {
-              fetchUrl = arg0.value;
-              method = verb.toUpperCase();
-              callType = "axios";
-            }
-          }
-        }
-
-        if (fetchUrl && fetchUrl.startsWith("/")) {
-          const line = p.node.loc?.start?.line || 0;
-          const snippet = getSnippet(code, p.node.loc);
-          const networkId = nodeId("network_call", fileRel, line);
-
-          nodes.push({
-            id: networkId,
-            type: "network_call",
-            file: fileRel,
-            line,
-            snippet,
-            snippetHash: sha256(snippet),
-            url: fetchUrl,
-            method,
-            callType
-          });
-
-          // Find enclosing function
-          let funcScope = p.scope;
-          while (funcScope) {
-            const funcNode = funcScope.block;
-            if (t.isFunction(funcNode)) {
-              const funcName = funcNode.id?.name ||
-                (t.isVariableDeclarator(funcScope.parentBlock) ? funcScope.parentBlock.id?.name : null);
-              
-              if (funcName && funcMap.has(funcName)) {
-                const funcData = funcMap.get(funcName);
-                
-                // Add function node if not already added
-                if (!nodes.find(n => n.id === funcData.id)) {
-                  nodes.push({
-                    id: funcData.id,
-                    type: "client_function",
-                    file: fileRel,
-                    line: funcData.line,
-                    snippet: funcData.snippet,
-                    snippetHash: sha256(funcData.snippet),
-                    name: funcName
-                  });
-                }
-
-                edges.push({
-                  id: `edge_${sha256(funcData.id + "_" + networkId)}`,
-                  from: funcData.id,
-                  to: networkId,
-                  type: "fetches",
-                  confidence: "high"
-                });
-              }
-              break;
-            }
-            funcScope = funcScope.parent;
-          }
-
-          // Create edge to server route (to be resolved later)
-          edges.push({
-            id: `edge_${sha256(networkId + "_route_" + fetchUrl)}`,
-            from: networkId,
-            toRoute: { method, path: fetchUrl },
-            type: "calls_route",
-            confidence: "high"
-          });
-        }
-      }
-    });
-  }
-
-  return { nodes, edges };
-}
-
-/**
- * Extract server route nodes from truthpack
- */
-function extractServerRoutes(truthpack) {
-  const nodes = [];
-  const serverRoutes = truthpack?.routes?.server || [];
-
-  for (const route of serverRoutes) {
-    const id = nodeId("server_route", route.handler || "unknown", route.path.length);
-    
-    nodes.push({
-      id,
-      type: "server_route",
-      file: route.handler || "unknown",
-      line: 0,
-      snippet: `${route.method} ${route.path}`,
-      snippetHash: sha256(`${route.method} ${route.path}`),
-      method: route.method,
-      path: route.path,
-      confidence: route.confidence
-    });
-  }
-
-  return { nodes, edges: [] };
-}
-
-/**
- * Extract handler → DB/external call edges
- */
-async function extractHandlerCalls(repoRoot) {
-  const files = await fg(["**/api/**/*.{ts,js}", "**/routes/**/*.{ts,js}", "**/server/**/*.{ts,js}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
-  });
-
-  const nodes = [];
-  const edges = [];
-
-  for (const fileAbs of files) {
-    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-    const code = safeRead(fileAbs);
-
-    let ast;
-    try { ast = parseFile(code); } catch { continue; }
-
-    traverse(ast, {
-      CallExpression(p) {
-        const callee = p.node.callee;
-        let callType = null;
-        let target = null;
-
-        // Prisma: prisma.user.findMany(), prisma.$transaction()
-        if (t.isMemberExpression(callee)) {
-          const obj = callee.object;
-          if (t.isIdentifier(obj) && obj.name === "prisma") {
-            callType = "db_call";
-            target = "prisma";
-          } else if (t.isMemberExpression(obj) && 
-                     t.isIdentifier(obj.object) && obj.object.name === "prisma") {
-            callType = "db_call";
-            target = `prisma.${obj.property?.name || "unknown"}`;
-          }
-        }
-
-        // External: stripe.customers.create()
-        if (t.isMemberExpression(callee)) {
-          const rootObj = getRootObject(callee);
-          if (rootObj && ["stripe", "github", "sendgrid", "twilio", "aws"].includes(rootObj.toLowerCase())) {
-            callType = "external_call";
-            target = rootObj;
-          }
-        }
-
-        if (callType) {
-          const line = p.node.loc?.start?.line || 0;
-          const snippet = getSnippet(code, p.node.loc);
-          const id = nodeId(callType, fileRel, line);
-
-          nodes.push({
-            id,
-            type: callType,
-            file: fileRel,
-            line,
-            snippet,
-            snippetHash: sha256(snippet),
-            target
-          });
-        }
-      }
-    });
-  }
-
-  return { nodes, edges };
-}
-
-function getRootObject(node) {
-  if (t.isIdentifier(node)) return node.name;
-  if (t.isMemberExpression(node)) return getRootObject(node.object);
-  return null;
-}
-
-/**
- * Build complete static graph
- */
-async function extractStaticGraph(repoRoot, truthpack) {
-  const uiActions = await extractUIActions(repoRoot);
-  const clientFuncs = await extractClientFunctions(repoRoot);
-  const serverRoutes = extractServerRoutes(truthpack);
-  const handlerCalls = await extractHandlerCalls(repoRoot);
-
-  const allNodes = [
-    ...uiActions.nodes,
-    ...clientFuncs.nodes,
-    ...serverRoutes.nodes,
-    ...handlerCalls.nodes
-  ];
-
-  const allEdges = [
-    ...uiActions.edges,
-    ...clientFuncs.edges,
-    ...serverRoutes.edges,
-    ...handlerCalls.edges
-  ];
-
-  // Resolve function reference edges
-  const resolvedEdges = resolveEdges(allNodes, allEdges, truthpack);
-
-  return {
-    nodes: dedupeNodes(allNodes),
-    edges: resolvedEdges
-  };
-}
-
-function dedupeNodes(nodes) {
-  const seen = new Map();
-  for (const n of nodes) {
-    if (!seen.has(n.id)) seen.set(n.id, n);
-  }
-  return Array.from(seen.values());
-}
-
-function resolveEdges(nodes, edges, truthpack) {
-  const resolved = [];
-  const nodeById = new Map(nodes.map(n => [n.id, n]));
-  const funcByName = new Map();
-  const routeNodes = nodes.filter(n => n.type === "server_route");
-
-  // Build function name → node map
-  for (const n of nodes) {
-    if (n.type === "client_function" && n.name) {
-      funcByName.set(n.name, n);
-    }
-  }
-
-  for (const edge of edges) {
-    // Resolve toRef (function name) → actual node
-    if (edge.toRef) {
-      const target = funcByName.get(edge.toRef);
-      if (target) {
-        resolved.push({
-          ...edge,
-          to: target.id,
-          toRef: undefined
-        });
-      } else {
-        // Unresolved function call - might be external
-        resolved.push({
-          ...edge,
-          to: `unresolved_${edge.toRef}`,
-          confidence: "low"
-        });
-      }
-      continue;
-    }
-
-    // Resolve toRoute → server route node
-    if (edge.toRoute) {
-      const route = findMatchingRoute(routeNodes, edge.toRoute.method, edge.toRoute.path);
-      if (route) {
-        resolved.push({
-          ...edge,
-          to: route.id,
-          toRoute: undefined
-        });
-      } else {
-        // No matching route - this is a broken edge
-        resolved.push({
-          ...edge,
-          to: `missing_route_${edge.toRoute.method}_${edge.toRoute.path}`,
-          toRoute: edge.toRoute,
-          broken: true,
-          brokenReason: `Route ${edge.toRoute.method} ${edge.toRoute.path} not found on server`
-        });
-      }
-      continue;
-    }
-
-    resolved.push(edge);
-  }
-
-  return resolved;
-}
-
-function findMatchingRoute(routeNodes, method, path) {
-  // Normalize path
-  const normPath = path.replace(/\/$/, "") || "/";
-  
-  for (const r of routeNodes) {
-    if (r.method === "*" || r.method === method || method === "*") {
-      if (r.path === normPath) return r;
-      // Check parameterized match
-      if (matchesParameterized(r.path, normPath)) return r;
-    }
-  }
-  return null;
-}
-
-function matchesParameterized(pattern, actual) {
-  const patternParts = pattern.split("/").filter(Boolean);
-  const actualParts = actual.split("/").filter(Boolean);
-  
-  if (patternParts.length !== actualParts.length) return false;
-  
-  for (let i = 0; i < patternParts.length; i++) {
-    const p = patternParts[i];
-    if (p.startsWith(":") || p.startsWith("*")) continue;
-    if (p !== actualParts[i]) return false;
-  }
-  return true;
-}
-
-module.exports = {
-  extractStaticGraph,
-  extractUIActions,
-  extractClientFunctions,
-  extractServerRoutes,
-  extractHandlerCalls
-};
+/**
+ * Static Edge Extractor
+ * Extracts causal edges from AST analysis:
+ * - UI actions → client functions
+ * - Client functions → network calls
+ * - Network calls → server routes
+ * - Server routes → handlers
+ * - Handlers → DB/external calls
+ */
+
+"use strict";
+
+const fg = require("fast-glob");
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+function sha256(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+
+function nodeId(type, file, line) {
+  return `${type}_${sha256(file + ":" + line)}`;
+}
+
+function parseFile(code) {
+  return parser.parse(code, {
+    sourceType: "unambiguous",
+    plugins: ["typescript", "jsx", "decorators-legacy"]
+  });
+}
+
+function safeRead(fileAbs) {
+  return fs.readFileSync(fileAbs, "utf8");
+}
+
+function getSnippet(code, loc) {
+  if (!loc) return "";
+  const lines = code.split(/\r?\n/);
+  const start = Math.max(0, (loc.start?.line || 1) - 1);
+  const end = Math.min(lines.length, (loc.end?.line || start + 1));
+  return lines.slice(start, end).join("\n").slice(0, 200);
+}
+
+/**
+ * Extract UI action nodes (onClick, onSubmit, etc.)
+ */
+async function extractUIActions(repoRoot) {
+  const files = await fg(["**/*.{tsx,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+  });
+
+  const nodes = [];
+  const edges = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    traverse(ast, {
+      JSXAttribute(p) {
+        const name = p.node.name?.name;
+        if (!name || !["onClick", "onSubmit", "onPress", "onChange"].includes(name)) return;
+
+        const line = p.node.loc?.start?.line || 0;
+        const snippet = getSnippet(code, p.node.loc);
+        const id = nodeId("ui_action", fileRel, line);
+
+        nodes.push({
+          id,
+          type: "ui_action",
+          file: fileRel,
+          line,
+          snippet,
+          snippetHash: sha256(snippet),
+          actionType: name
+        });
+
+        // Try to find what function this calls
+        const value = p.node.value;
+        if (t.isJSXExpressionContainer(value)) {
+          const expr = value.expression;
+          
+          // Direct function reference: onClick={handleClick}
+          if (t.isIdentifier(expr)) {
+            edges.push({
+              id: `edge_${sha256(id + "_" + expr.name)}`,
+              from: id,
+              toRef: expr.name,
+              type: "calls",
+              confidence: "high",
+              file: fileRel
+            });
+          }
+          
+          // Arrow function with call: onClick={() => handleClick()}
+          if (t.isArrowFunctionExpression(expr) || t.isFunctionExpression(expr)) {
+            traverse(expr.body, {
+              CallExpression(cp) {
+                if (t.isIdentifier(cp.node.callee)) {
+                  edges.push({
+                    id: `edge_${sha256(id + "_" + cp.node.callee.name)}`,
+                    from: id,
+                    toRef: cp.node.callee.name,
+                    type: "calls",
+                    confidence: "med",
+                    file: fileRel
+                  });
+                }
+              }
+            }, p.scope, p);
+          }
+        }
+      }
+    });
+  }
+
+  return { nodes, edges };
+}
+
+/**
+ * Extract client function nodes that make network calls
+ */
+async function extractClientFunctions(repoRoot) {
+  const files = await fg(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/server/**", "**/api/**"]
+  });
+
+  const nodes = [];
+  const edges = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    // Track function declarations that contain fetch/axios
+    const funcMap = new Map();
+
+    traverse(ast, {
+      "FunctionDeclaration|ArrowFunctionExpression|FunctionExpression"(p) {
+        const funcName = p.node.id?.name || 
+          (t.isVariableDeclarator(p.parent) && t.isIdentifier(p.parent.id) ? p.parent.id.name : null);
+        
+        if (!funcName) return;
+
+        const line = p.node.loc?.start?.line || 0;
+        const snippet = getSnippet(code, p.node.loc);
+        const id = nodeId("client_function", fileRel, line);
+
+        funcMap.set(funcName, { id, line, snippet });
+      }
+    });
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+        let fetchUrl = null;
+        let method = "*";
+        let callType = null;
+
+        // fetch("/api/x")
+        if (t.isIdentifier(callee) && callee.name === "fetch") {
+          const arg0 = p.node.arguments[0];
+          if (t.isStringLiteral(arg0)) {
+            fetchUrl = arg0.value;
+            callType = "fetch";
+          }
+          // Check method in options
+          const arg1 = p.node.arguments[1];
+          if (t.isObjectExpression(arg1)) {
+            for (const prop of arg1.properties) {
+              if (t.isObjectProperty(prop) && 
+                  ((t.isIdentifier(prop.key) && prop.key.name === "method") ||
+                   (t.isStringLiteral(prop.key) && prop.key.value === "method")) &&
+                  t.isStringLiteral(prop.value)) {
+                method = prop.value.value.toUpperCase();
+              }
+            }
+          }
+        }
+
+        // axios.get("/api/x")
+        if (t.isMemberExpression(callee) && 
+            t.isIdentifier(callee.object) && callee.object.name === "axios" &&
+            t.isIdentifier(callee.property)) {
+          const verb = callee.property.name;
+          if (["get", "post", "put", "patch", "delete"].includes(verb)) {
+            const arg0 = p.node.arguments[0];
+            if (t.isStringLiteral(arg0)) {
+              fetchUrl = arg0.value;
+              method = verb.toUpperCase();
+              callType = "axios";
+            }
+          }
+        }
+
+        if (fetchUrl && fetchUrl.startsWith("/")) {
+          const line = p.node.loc?.start?.line || 0;
+          const snippet = getSnippet(code, p.node.loc);
+          const networkId = nodeId("network_call", fileRel, line);
+
+          nodes.push({
+            id: networkId,
+            type: "network_call",
+            file: fileRel,
+            line,
+            snippet,
+            snippetHash: sha256(snippet),
+            url: fetchUrl,
+            method,
+            callType
+          });
+
+          // Find enclosing function
+          let funcScope = p.scope;
+          while (funcScope) {
+            const funcNode = funcScope.block;
+            if (t.isFunction(funcNode)) {
+              const funcName = funcNode.id?.name ||
+                (t.isVariableDeclarator(funcScope.parentBlock) ? funcScope.parentBlock.id?.name : null);
+              
+              if (funcName && funcMap.has(funcName)) {
+                const funcData = funcMap.get(funcName);
+                
+                // Add function node if not already added
+                if (!nodes.find(n => n.id === funcData.id)) {
+                  nodes.push({
+                    id: funcData.id,
+                    type: "client_function",
+                    file: fileRel,
+                    line: funcData.line,
+                    snippet: funcData.snippet,
+                    snippetHash: sha256(funcData.snippet),
+                    name: funcName
+                  });
+                }
+
+                edges.push({
+                  id: `edge_${sha256(funcData.id + "_" + networkId)}`,
+                  from: funcData.id,
+                  to: networkId,
+                  type: "fetches",
+                  confidence: "high"
+                });
+              }
+              break;
+            }
+            funcScope = funcScope.parent;
+          }
+
+          // Create edge to server route (to be resolved later)
+          edges.push({
+            id: `edge_${sha256(networkId + "_route_" + fetchUrl)}`,
+            from: networkId,
+            toRoute: { method, path: fetchUrl },
+            type: "calls_route",
+            confidence: "high"
+          });
+        }
+      }
+    });
+  }
+
+  return { nodes, edges };
+}
+
+/**
+ * Extract server route nodes from truthpack
+ */
+function extractServerRoutes(truthpack) {
+  const nodes = [];
+  const serverRoutes = truthpack?.routes?.server || [];
+
+  for (const route of serverRoutes) {
+    const id = nodeId("server_route", route.handler || "unknown", route.path.length);
+    
+    nodes.push({
+      id,
+      type: "server_route",
+      file: route.handler || "unknown",
+      line: 0,
+      snippet: `${route.method} ${route.path}`,
+      snippetHash: sha256(`${route.method} ${route.path}`),
+      method: route.method,
+      path: route.path,
+      confidence: route.confidence
+    });
+  }
+
+  return { nodes, edges: [] };
+}
+
+/**
+ * Extract handler → DB/external call edges
+ */
+async function extractHandlerCalls(repoRoot) {
+  const files = await fg(["**/api/**/*.{ts,js}", "**/routes/**/*.{ts,js}", "**/server/**/*.{ts,js}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+  });
+
+  const nodes = [];
+  const edges = [];
+
+  for (const fileAbs of files) {
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    const code = safeRead(fileAbs);
+
+    let ast;
+    try { ast = parseFile(code); } catch { continue; }
+
+    traverse(ast, {
+      CallExpression(p) {
+        const callee = p.node.callee;
+        let callType = null;
+        let target = null;
+
+        // Prisma: prisma.user.findMany(), prisma.$transaction()
+        if (t.isMemberExpression(callee)) {
+          const obj = callee.object;
+          if (t.isIdentifier(obj) && obj.name === "prisma") {
+            callType = "db_call";
+            target = "prisma";
+          } else if (t.isMemberExpression(obj) && 
+                     t.isIdentifier(obj.object) && obj.object.name === "prisma") {
+            callType = "db_call";
+            target = `prisma.${obj.property?.name || "unknown"}`;
+          }
+        }
+
+        // External: stripe.customers.create()
+        if (t.isMemberExpression(callee)) {
+          const rootObj = getRootObject(callee);
+          if (rootObj && ["stripe", "github", "sendgrid", "twilio", "aws"].includes(rootObj.toLowerCase())) {
+            callType = "external_call";
+            target = rootObj;
+          }
+        }
+
+        if (callType) {
+          const line = p.node.loc?.start?.line || 0;
+          const snippet = getSnippet(code, p.node.loc);
+          const id = nodeId(callType, fileRel, line);
+
+          nodes.push({
+            id,
+            type: callType,
+            file: fileRel,
+            line,
+            snippet,
+            snippetHash: sha256(snippet),
+            target
+          });
+        }
+      }
+    });
+  }
+
+  return { nodes, edges };
+}
+
+function getRootObject(node) {
+  if (t.isIdentifier(node)) return node.name;
+  if (t.isMemberExpression(node)) return getRootObject(node.object);
+  return null;
+}
+
+/**
+ * Build complete static graph
+ */
+async function extractStaticGraph(repoRoot, truthpack) {
+  const uiActions = await extractUIActions(repoRoot);
+  const clientFuncs = await extractClientFunctions(repoRoot);
+  const serverRoutes = extractServerRoutes(truthpack);
+  const handlerCalls = await extractHandlerCalls(repoRoot);
+
+  const allNodes = [
+    ...uiActions.nodes,
+    ...clientFuncs.nodes,
+    ...serverRoutes.nodes,
+    ...handlerCalls.nodes
+  ];
+
+  const allEdges = [
+    ...uiActions.edges,
+    ...clientFuncs.edges,
+    ...serverRoutes.edges,
+    ...handlerCalls.edges
+  ];
+
+  // Resolve function reference edges
+  const resolvedEdges = resolveEdges(allNodes, allEdges, truthpack);
+
+  return {
+    nodes: dedupeNodes(allNodes),
+    edges: resolvedEdges
+  };
+}
+
+function dedupeNodes(nodes) {
+  const seen = new Map();
+  for (const n of nodes) {
+    if (!seen.has(n.id)) seen.set(n.id, n);
+  }
+  return Array.from(seen.values());
+}
+
+function resolveEdges(nodes, edges, truthpack) {
+  const resolved = [];
+  const nodeById = new Map(nodes.map(n => [n.id, n]));
+  const funcByName = new Map();
+  const routeNodes = nodes.filter(n => n.type === "server_route");
+
+  // Build function name → node map
+  for (const n of nodes) {
+    if (n.type === "client_function" && n.name) {
+      funcByName.set(n.name, n);
+    }
+  }
+
+  for (const edge of edges) {
+    // Resolve toRef (function name) → actual node
+    if (edge.toRef) {
+      const target = funcByName.get(edge.toRef);
+      if (target) {
+        resolved.push({
+          ...edge,
+          to: target.id,
+          toRef: undefined
+        });
+      } else {
+        // Unresolved function call - might be external
+        resolved.push({
+          ...edge,
+          to: `unresolved_${edge.toRef}`,
+          confidence: "low"
+        });
+      }
+      continue;
+    }
+
+    // Resolve toRoute → server route node
+    if (edge.toRoute) {
+      const route = findMatchingRoute(routeNodes, edge.toRoute.method, edge.toRoute.path);
+      if (route) {
+        resolved.push({
+          ...edge,
+          to: route.id,
+          toRoute: undefined
+        });
+      } else {
+        // No matching route - this is a broken edge
+        resolved.push({
+          ...edge,
+          to: `missing_route_${edge.toRoute.method}_${edge.toRoute.path}`,
+          toRoute: edge.toRoute,
+          broken: true,
+          brokenReason: `Route ${edge.toRoute.method} ${edge.toRoute.path} not found on server`
+        });
+      }
+      continue;
+    }
+
+    resolved.push(edge);
+  }
+
+  return resolved;
+}
+
+function findMatchingRoute(routeNodes, method, path) {
+  // Normalize path
+  const normPath = path.replace(/\/$/, "") || "/";
+  
+  for (const r of routeNodes) {
+    if (r.method === "*" || r.method === method || method === "*") {
+      if (r.path === normPath) return r;
+      // Check parameterized match
+      if (matchesParameterized(r.path, normPath)) return r;
+    }
+  }
+  return null;
+}
+
+function matchesParameterized(pattern, actual) {
+  const patternParts = pattern.split("/").filter(Boolean);
+  const actualParts = actual.split("/").filter(Boolean);
+  
+  if (patternParts.length !== actualParts.length) return false;
+  
+  for (let i = 0; i < patternParts.length; i++) {
+    const p = patternParts[i];
+    if (p.startsWith(":") || p.startsWith("*")) continue;
+    if (p !== actualParts[i]) return false;
+  }
+  return true;
+}
+
+module.exports = {
+  extractStaticGraph,
+  extractUIActions,
+  extractClientFunctions,
+  extractServerRoutes,
+  extractHandlerCalls
+};