npm - @vibecheckai/cli - Versions diffs - 3.5.0 → 3.5.2 - Mend

@vibecheckai/cli 3.5.0 → 3.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (224) hide show

package/bin/registry.js +214 -237
package/bin/runners/cli-utils.js +33 -2
package/bin/runners/context/analyzer.js +52 -1
package/bin/runners/context/generators/cursor.js +2 -49
package/bin/runners/context/git-context.js +3 -1
package/bin/runners/context/team-conventions.js +33 -7
package/bin/runners/lib/analysis-core.js +25 -5
package/bin/runners/lib/analyzers.js +431 -481
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/doctor/modules/security.js +3 -1
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +18 -218
package/bin/runners/lib/engines/api-consistency-engine.js +30 -335
package/bin/runners/lib/engines/cross-file-analysis-engine.js +27 -292
package/bin/runners/lib/engines/empty-catch-engine.js +17 -127
package/bin/runners/lib/engines/mock-data-engine.js +10 -53
package/bin/runners/lib/engines/performance-issues-engine.js +36 -176
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +54 -382
package/bin/runners/lib/engines/type-aware-engine.js +39 -263
package/bin/runners/lib/engines/vibecheck-engines/index.js +13 -122
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +73 -373
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/entitlements-v2.js +73 -97
package/bin/runners/lib/error-handler.js +44 -3
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +7 -1
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/html-proof-report.js +700 -350
package/bin/runners/lib/missions/plan.js +6 -46
package/bin/runners/lib/missions/templates.js +0 -232
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/route-detection.js +137 -68
package/bin/runners/lib/scan-output.js +91 -76
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/validator.js +27 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/ship-output-enterprise.js +23 -23
package/bin/runners/lib/ship-output.js +75 -31
package/bin/runners/lib/terminal-ui.js +6 -113
package/bin/runners/lib/truth.js +351 -10
package/bin/runners/lib/unified-cli-output.js +430 -603
package/bin/runners/lib/unified-output.js +13 -9
package/bin/runners/runAIAgent.js +10 -5
package/bin/runners/runAgent.js +0 -3
package/bin/runners/runAllowlist.js +389 -0
package/bin/runners/runApprove.js +0 -33
package/bin/runners/runAuth.js +73 -45
package/bin/runners/runCheckpoint.js +51 -11
package/bin/runners/runClassify.js +85 -21
package/bin/runners/runContext.js +0 -3
package/bin/runners/runDoctor.js +41 -28
package/bin/runners/runEvidencePack.js +362 -0
package/bin/runners/runFirewall.js +0 -3
package/bin/runners/runFirewallHook.js +0 -3
package/bin/runners/runFix.js +66 -76
package/bin/runners/runGuard.js +18 -411
package/bin/runners/runInit.js +113 -30
package/bin/runners/runLabs.js +424 -0
package/bin/runners/runMcp.js +19 -25
package/bin/runners/runPolish.js +64 -240
package/bin/runners/runPromptFirewall.js +12 -5
package/bin/runners/runProve.js +57 -22
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +59 -68
package/bin/runners/runReport.js +38 -33
package/bin/runners/runRuntime.js +8 -5
package/bin/runners/runScan.js +1413 -190
package/bin/runners/runShip.js +113 -719
package/bin/runners/runTruth.js +0 -3
package/bin/runners/runValidate.js +13 -9
package/bin/runners/runWatch.js +23 -14
package/bin/scan.js +6 -1
package/bin/vibecheck.js +204 -185
package/mcp-server/deprecation-middleware.js +282 -0
package/mcp-server/handlers/index.ts +15 -0
package/mcp-server/handlers/tool-handler.ts +554 -0
package/mcp-server/index-v1.js +698 -0
package/mcp-server/index.js +210 -238
package/mcp-server/lib/cache-wrapper.cjs +383 -0
package/mcp-server/lib/error-envelope.js +138 -0
package/mcp-server/lib/executor.ts +499 -0
package/mcp-server/lib/index.ts +19 -0
package/mcp-server/lib/rate-limiter.js +166 -0
package/mcp-server/lib/sandbox.test.ts +519 -0
package/mcp-server/lib/sandbox.ts +395 -0
package/mcp-server/lib/types.ts +267 -0
package/mcp-server/package.json +12 -3
package/mcp-server/registry/tool-registry.js +794 -0
package/mcp-server/registry/tools.json +605 -0
package/mcp-server/registry.test.ts +334 -0
package/mcp-server/tests/tier-gating.test.js +297 -0
package/mcp-server/tier-auth.js +378 -45
package/mcp-server/tools-v3.js +353 -442
package/mcp-server/tsconfig.json +37 -0
package/mcp-server/vibecheck-2.0-tools.js +14 -1
package/package.json +1 -1
package/bin/runners/lib/agent-firewall/learning/learning-engine.js +0 -849
package/bin/runners/lib/audit-logger.js +0 -532
package/bin/runners/lib/authority/authorities/architecture.js +0 -364
package/bin/runners/lib/authority/authorities/compliance.js +0 -341
package/bin/runners/lib/authority/authorities/human.js +0 -343
package/bin/runners/lib/authority/authorities/quality.js +0 -420
package/bin/runners/lib/authority/authorities/security.js +0 -228
package/bin/runners/lib/authority/index.js +0 -293
package/bin/runners/lib/bundle/bundle-intelligence.js +0 -846
package/bin/runners/lib/cli-charts.js +0 -368
package/bin/runners/lib/cli-config-display.js +0 -405
package/bin/runners/lib/cli-demo.js +0 -275
package/bin/runners/lib/cli-errors.js +0 -438
package/bin/runners/lib/cli-help-formatter.js +0 -439
package/bin/runners/lib/cli-interactive-menu.js +0 -509
package/bin/runners/lib/cli-prompts.js +0 -441
package/bin/runners/lib/cli-scan-cards.js +0 -362
package/bin/runners/lib/compliance-reporter.js +0 -710
package/bin/runners/lib/conductor/index.js +0 -671
package/bin/runners/lib/easy/README.md +0 -123
package/bin/runners/lib/easy/index.js +0 -140
package/bin/runners/lib/easy/interactive-wizard.js +0 -788
package/bin/runners/lib/easy/one-click-firewall.js +0 -564
package/bin/runners/lib/easy/zero-config-reality.js +0 -714
package/bin/runners/lib/engines/async-patterns-engine.js +0 -444
package/bin/runners/lib/engines/bundle-size-engine.js +0 -433
package/bin/runners/lib/engines/confidence-scoring.js +0 -276
package/bin/runners/lib/engines/context-detection.js +0 -264
package/bin/runners/lib/engines/database-patterns-engine.js +0 -429
package/bin/runners/lib/engines/duplicate-code-engine.js +0 -354
package/bin/runners/lib/engines/env-variables-engine.js +0 -458
package/bin/runners/lib/engines/error-handling-engine.js +0 -437
package/bin/runners/lib/engines/false-positive-prevention.js +0 -630
package/bin/runners/lib/engines/framework-adapters/index.js +0 -607
package/bin/runners/lib/engines/framework-detection.js +0 -508
package/bin/runners/lib/engines/import-order-engine.js +0 -429
package/bin/runners/lib/engines/naming-conventions-engine.js +0 -544
package/bin/runners/lib/engines/noise-reduction-engine.js +0 -452
package/bin/runners/lib/engines/orchestrator.js +0 -334
package/bin/runners/lib/engines/react-patterns-engine.js +0 -457
package/bin/runners/lib/engines/vibecheck-engines/lib/ai-hallucination-engine.js +0 -806
package/bin/runners/lib/engines/vibecheck-engines/lib/smart-fix-engine.js +0 -577
package/bin/runners/lib/engines/vibecheck-engines/lib/vibe-score-engine.js +0 -543
package/bin/runners/lib/engines/vibecheck-engines.js +0 -514
package/bin/runners/lib/enhanced-features/index.js +0 -305
package/bin/runners/lib/enhanced-output.js +0 -631
package/bin/runners/lib/enterprise.js +0 -300
package/bin/runners/lib/firewall/command-validator.js +0 -351
package/bin/runners/lib/firewall/config.js +0 -341
package/bin/runners/lib/firewall/content-validator.js +0 -519
package/bin/runners/lib/firewall/index.js +0 -101
package/bin/runners/lib/firewall/path-validator.js +0 -256
package/bin/runners/lib/intelligence/cross-repo-intelligence.js +0 -817
package/bin/runners/lib/mcp-utils.js +0 -425
package/bin/runners/lib/output/index.js +0 -1022
package/bin/runners/lib/policy-engine.js +0 -652
package/bin/runners/lib/polish/autofix/accessibility-fixes.js +0 -333
package/bin/runners/lib/polish/autofix/async-handlers.js +0 -273
package/bin/runners/lib/polish/autofix/dead-code.js +0 -280
package/bin/runners/lib/polish/autofix/imports-optimizer.js +0 -344
package/bin/runners/lib/polish/autofix/index.js +0 -200
package/bin/runners/lib/polish/autofix/remove-consoles.js +0 -209
package/bin/runners/lib/polish/autofix/strengthen-types.js +0 -245
package/bin/runners/lib/polish/backend-checks.js +0 -148
package/bin/runners/lib/polish/documentation-checks.js +0 -111
package/bin/runners/lib/polish/frontend-checks.js +0 -168
package/bin/runners/lib/polish/index.js +0 -71
package/bin/runners/lib/polish/infrastructure-checks.js +0 -131
package/bin/runners/lib/polish/library-detection.js +0 -175
package/bin/runners/lib/polish/performance-checks.js +0 -100
package/bin/runners/lib/polish/security-checks.js +0 -148
package/bin/runners/lib/polish/utils.js +0 -203
package/bin/runners/lib/prompt-builder.js +0 -540
package/bin/runners/lib/proof-certificate.js +0 -634
package/bin/runners/lib/reality/accessibility-audit.js +0 -946
package/bin/runners/lib/reality/api-contract-validator.js +0 -1012
package/bin/runners/lib/reality/chaos-engineering.js +0 -1084
package/bin/runners/lib/reality/performance-tracker.js +0 -1077
package/bin/runners/lib/reality/scenario-generator.js +0 -1404
package/bin/runners/lib/reality/visual-regression.js +0 -852
package/bin/runners/lib/reality-profiler.js +0 -717
package/bin/runners/lib/replay/flight-recorder-viewer.js +0 -1160
package/bin/runners/lib/review/ai-code-review.js +0 -832
package/bin/runners/lib/rules/custom-rule-engine.js +0 -985
package/bin/runners/lib/sbom-generator.js +0 -641
package/bin/runners/lib/scan-output-enhanced.js +0 -512
package/bin/runners/lib/security/owasp-scanner.js +0 -939
package/bin/runners/lib/validators/contract-validator.js +0 -283
package/bin/runners/lib/validators/dead-export-detector.js +0 -279
package/bin/runners/lib/validators/dep-audit.js +0 -245
package/bin/runners/lib/validators/env-validator.js +0 -319
package/bin/runners/lib/validators/index.js +0 -120
package/bin/runners/lib/validators/license-checker.js +0 -252
package/bin/runners/lib/validators/route-validator.js +0 -290
package/bin/runners/runAuthority.js +0 -528
package/bin/runners/runConductor.js +0 -772
package/bin/runners/runContainer.js +0 -366
package/bin/runners/runEasy.js +0 -410
package/bin/runners/runIaC.js +0 -372
package/bin/runners/runVibe.js +0 -791
package/mcp-server/tools.js +0 -495

package/bin/runners/lib/engine/enforcement-extractor.js ADDED Viewed

@@ -0,0 +1,100 @@
+// bin/runners/lib/engine/enforcement-extractor.js
+// Optimized enforcement extraction using RepoIndex
+const path = require("path");
+const fs = require("fs");
+const ENFORCE_HINTS = [
+  "enforceFeature",
+  "enforceLimit",
+  "getEntitlements",
+  "requirePlan",
+  "requireTier",
+  "requireSubscription",
+  "checkAccess",
+  "entitlements",
+  "plan",
+  "tier",
+  "subscription",
+  "stripe",
+  "credits"
+];
+function looksPaidSurface(routePath) {
+  const p = String(routePath || "");
+  return (
+    p.includes("/api/ship") ||
+    p.includes("/api/verdict") ||
+    p.includes("/api/fix") ||
+    p.includes("/api/autopilot") ||
+    p.includes("/api/missions") ||
+    p.includes("/api/pr") ||
+    p.includes("/api/credits") ||
+    p.includes("/api/billing") ||
+    p.includes("/api/stripe") ||
+    p.includes("/api/entitlements")
+  );
+}
+/**
+ * Check if handler has enforcement signal using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {string} handlerRel
+ * @returns {{ ok: boolean, hits: string[] }}
+ */
+function handlerHasEnforcementSignalV2(index, handlerRel) {
+  const fileAbs = path.join(index.repoRoot, handlerRel);
+  // Try to get content from index first (fast path)
+  let content = index.getContent(fileAbs);
+  // Fall back to direct read if not in index
+  if (!content) {
+    try {
+      content = fs.readFileSync(fileAbs, "utf8");
+    } catch {
+      return { ok: false, hits: [] };
+    }
+  }
+  const hits = ENFORCE_HINTS.filter(k => content.includes(k));
+  return { ok: hits.length > 0, hits };
+}
+/**
+ * Build enforcement truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Array} serverRoutes
+ * @returns {Object}
+ */
+function buildEnforcementTruthV2(index, serverRoutes) {
+  const checked = [];
+  const routeList = serverRoutes || [];
+  for (const r of routeList) {
+    if (!r.handler) continue;
+    if (!looksPaidSurface(r.path)) continue;
+    const res = handlerHasEnforcementSignalV2(index, r.handler);
+    checked.push({
+      method: r.method,
+      path: r.path,
+      handler: r.handler,
+      enforced: res.ok,
+      hits: res.hits
+    });
+  }
+  return {
+    checkedCount: checked.length,
+    enforcedCount: checked.filter(x => x.enforced).length,
+    missingCount: checked.filter(x => !x.enforced).length,
+    checks: checked
+  };
+}
+module.exports = {
+  buildEnforcementTruthV2,
+  ENFORCE_HINTS,
+  looksPaidSurface,
+};

package/bin/runners/lib/engine/env-extractor.js ADDED Viewed

@@ -0,0 +1,207 @@
+// bin/runners/lib/engine/env-extractor.js
+// Optimized env var extraction using RepoIndex
+const path = require("path");
+const fs = require("fs");
+const crypto = require("crypto");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { globalASTCache } = require("./ast-cache");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function isEnvName(s) {
+  return typeof s === "string" && /^[A-Z0-9_]+$/.test(s);
+}
+function extractEnvFromMemberExpr(node) {
+  if (!t.isMemberExpression(node)) return null;
+  // process.env.NAME
+  if (t.isMemberExpression(node.object) &&
+      t.isIdentifier(node.object.object, { name: "process" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isIdentifier(node.property)) {
+    return node.property.name;
+  }
+  // process.env["NAME"]
+  if (t.isMemberExpression(node.object) &&
+      t.isIdentifier(node.object.object, { name: "process" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isStringLiteral(node.property)) {
+    return node.property.value;
+  }
+  // import.meta.env.NAME
+  if (t.isMemberExpression(node.object) &&
+      t.isMemberExpression(node.object.object) &&
+      t.isIdentifier(node.object.object.object, { name: "import" }) &&
+      t.isIdentifier(node.object.object.property, { name: "meta" }) &&
+      t.isIdentifier(node.object.property, { name: "env" }) &&
+      t.isIdentifier(node.property)) {
+    return node.property.name;
+  }
+  return null;
+}
+function detectDefaultSignals(parentPath) {
+  const p = parentPath?.parentPath;
+  if (!p) return { hasDefault: false };
+  if (p.isLogicalExpression() && (p.node.operator === "||" || p.node.operator === "??")) {
+    return { hasDefault: true };
+  }
+  if (p.isConditionalExpression()) return { hasDefault: true };
+  if (p.isAssignmentExpression() && p.node.operator === "||=") return { hasDefault: true };
+  return { hasDefault: false };
+}
+function evidenceFromContent(content, fileRel, loc, reason) {
+  if (!loc || !content) return null;
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+function parseDotEnvLike(content) {
+  const out = new Set();
+  const lines = content.split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const l = line.startsWith("export ") ? line.slice(7).trim() : line;
+    const eq = l.indexOf("=");
+    if (eq <= 0) continue;
+    const key = l.slice(0, eq).trim();
+    if (isEnvName(key)) out.add(key);
+  }
+  return out;
+}
+/**
+ * Extract env var usage using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object} - Map of env var name to usage info
+ */
+function extractEnvUsage(index, stats) {
+  // Use token prefilter - only scan files that reference process.env or import.meta.env
+  const candidateAbs = index.getByAnyToken(["process.env", "import.meta.env"]);
+  // Filter to JS/TS files
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    return jsExtensions.has(ext);
+  });
+  const usageMap = {};
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+    const { ast, error } = globalASTCache.parse(content, fileAbs);
+    if (error || !ast) {
+      stats.parseErrors++;
+      continue;
+    }
+    try {
+      traverse(ast, {
+        MemberExpression(p) {
+          const name = extractEnvFromMemberExpr(p.node);
+          if (!name || !isEnvName(name)) return;
+          usageMap[name] = usageMap[name] || { name, references: [], signals: { hasDefault: false } };
+          const ev = evidenceFromContent(content, fileRel, p.node.loc, `Env usage: ${name}`);
+          if (ev) usageMap[name].references.push(ev);
+          const sig = detectDefaultSignals(p);
+          if (sig.hasDefault) usageMap[name].signals.hasDefault = true;
+        }
+      });
+    } catch {
+      stats.parseErrors++;
+    }
+  }
+  return usageMap;
+}
+/**
+ * Extract declared env vars from .env files
+ * @param {string} repoRoot
+ * @returns {{ declared: string[], sources: string[] }}
+ */
+function extractEnvDeclared(repoRoot) {
+  const candidates = [
+    ".env.example", ".env.template", ".env.sample",
+    ".env.local.example", ".env.development.example",
+    ".env"
+  ];
+  const declared = new Set();
+  const sources = [];
+  for (const rel of candidates) {
+    const abs = path.join(repoRoot, rel);
+    try {
+      if (!fs.existsSync(abs)) continue;
+      const content = fs.readFileSync(abs, "utf8");
+      const keys = parseDotEnvLike(content);
+      if (keys.size) {
+        for (const k of keys) declared.add(k);
+        sources.push(rel);
+      }
+    } catch {}
+  }
+  return { declared: Array.from(declared).sort(), sources };
+}
+/**
+ * Build env truth using RepoIndex (optimized)
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Object}
+ */
+function buildEnvTruthV2(index, stats) {
+  const usageMap = extractEnvUsage(index, stats);
+  const declared = extractEnvDeclared(index.repoRoot);
+  const used = Object.values(usageMap).sort((a, b) => a.name.localeCompare(b.name));
+  const vars = used.map(u => ({
+    name: u.name,
+    required: !u.signals?.hasDefault,
+    references: u.references || [],
+    notes: u.signals?.hasDefault ? "Has default/fallback usage signal" : ""
+  }));
+  return {
+    vars,
+    declared: declared.declared,
+    declaredSources: declared.sources
+  };
+}
+module.exports = {
+  extractEnvUsage,
+  extractEnvDeclared,
+  buildEnvTruthV2,
+};

package/bin/runners/lib/engine/express-extractor.js ADDED Viewed

@@ -0,0 +1,208 @@
+// bin/runners/lib/engine/express-extractor.js
+// Optimized Express route extraction using RepoIndex
+const path = require("path");
+const crypto = require("crypto");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { globalASTCache } = require("./ast-cache");
+function sha256(text) {
+  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+}
+function canonicalizeMethod(m) {
+  const u = String(m || "").toUpperCase();
+  if (u === "ALL" || u === "ANY" || u === "*") return "*";
+  return u;
+}
+function canonicalizePath(p) {
+  let s = String(p || "").trim();
+  if (!s.startsWith("/")) s = "/" + s;
+  s = s.replace(/\/+/g, "/");
+  s = s.replace(/\[\[\.{3}([^\]]+)\]\]/g, "*$1?");
+  s = s.replace(/\[\.{3}([^\]]+)\]/g, "*$1");
+  s = s.replace(/\[([^\]]+)\]/g, ":$1");
+  if (s.length > 1) s = s.replace(/\/$/, "");
+  return s;
+}
+function joinPaths(prefix, p) {
+  const a = canonicalizePath(prefix || "/");
+  const b = canonicalizePath(p || "/");
+  if (a === "/") return b;
+  if (b === "/") return a;
+  return canonicalizePath(a + "/" + b);
+}
+function evidenceFromContent(content, fileRel, loc, reason) {
+  if (!loc || !content) return null;
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(1, loc.start?.line || 1);
+  const end = Math.max(start, loc.end?.line || start);
+  const snippet = lines.slice(start - 1, end).join("\n");
+  return {
+    id: `ev_${crypto.randomBytes(4).toString("hex")}`,
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason
+  };
+}
+const EXPRESS_METHODS = new Set(["get", "post", "put", "patch", "delete", "options", "head", "all", "use"]);
+const EXPRESS_NAMES = new Set(["app", "router", "express", "server"]);
+function evalStaticString(node, constMap = new Map(), depth = 0) {
+  if (!node || depth > 5) return null;
+  if (t.isStringLiteral(node)) return node.value;
+  if (t.isTemplateLiteral(node) && node.expressions.length === 0) {
+    return node.quasis.map(q => q.value.cooked || "").join("");
+  }
+  if (t.isIdentifier(node) && constMap.has(node.name)) {
+    return evalStaticString(constMap.get(node.name), constMap, depth + 1);
+  }
+  if (t.isBinaryExpression(node, { operator: "+" })) {
+    const l = evalStaticString(node.left, constMap, depth + 1);
+    const r = evalStaticString(node.right, constMap, depth + 1);
+    if (typeof l === "string" && typeof r === "string") return l + r;
+  }
+  return null;
+}
+/**
+ * Extract Express routes using RepoIndex
+ * @param {import('./repo-index').RepoIndex} index
+ * @param {Object} stats
+ * @returns {Array}
+ */
+function extractExpressRoutes(index, stats) {
+  if (!index.hasFramework("express")) return [];
+  // Use token prefilter - only scan files that mention express/app/router
+  const candidateAbs = index.getByAnyToken(["express", "app.get", "app.post", "router.get", "router.post"]);
+  // Filter to JS/TS files, exclude tests
+  const jsExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+  const files = candidateAbs.filter(abs => {
+    const ext = path.extname(abs).toLowerCase();
+    if (!jsExtensions.has(ext)) return false;
+    const rel = index.relPath(abs);
+    if (rel.includes("/test/") || rel.includes("/tests/") || rel.includes("/__tests__/")) return false;
+    if (rel.includes(".test.") || rel.includes(".spec.")) return false;
+    if (rel.endsWith(".d.ts")) return false;
+    return true;
+  });
+  const routes = [];
+  for (const fileAbs of files) {
+    const fileRel = index.relPath(fileAbs);
+    const content = index.getContent(fileAbs);
+    if (!content) continue;
+    // Quick content check
+    if (!content.includes("express") && !content.includes("app.") && !content.includes("router.")) continue;
+    const { ast, error } = globalASTCache.parse(content, fileAbs);
+    if (error || !ast) {
+      stats.parseErrors++;
+      continue;
+    }
+    const constMap = new Map();
+    const routerPrefixes = new Map();
+    try {
+      // First pass: collect constants and router.use prefixes
+      traverse(ast, {
+        VariableDeclarator(p) {
+          if (t.isIdentifier(p.node.id) && p.node.init) {
+            const v = evalStaticString(p.node.init, constMap);
+            if (typeof v === "string") constMap.set(p.node.id.name, p.node.init);
+            // Detect express/router assignment
+            if (t.isCallExpression(p.node.init)) {
+              const callee = p.node.init.callee;
+              if (t.isIdentifier(callee, { name: "express" }) ||
+                  (t.isMemberExpression(callee) && t.isIdentifier(callee.property, { name: "Router" }))) {
+                EXPRESS_NAMES.add(p.node.id.name);
+              }
+            }
+          }
+        },
+        CallExpression(p) {
+          const callee = p.node.callee;
+          if (!t.isMemberExpression(callee)) return;
+          if (!t.isIdentifier(callee.object) || !t.isIdentifier(callee.property)) return;
+          const obj = callee.object.name;
+          const method = callee.property.name;
+          // app.use("/api", router) - track prefix
+          if (method === "use" && EXPRESS_NAMES.has(obj)) {
+            const args = p.node.arguments;
+            if (args.length >= 2) {
+              const prefixArg = args[0];
+              const routerArg = args[1];
+              const prefix = evalStaticString(prefixArg, constMap);
+              if (typeof prefix === "string" && t.isIdentifier(routerArg)) {
+                routerPrefixes.set(routerArg.name, prefix);
+              }
+            }
+          }
+        }
+      });
+      // Second pass: extract routes
+      traverse(ast, {
+        CallExpression(p) {
+          const callee = p.node.callee;
+          if (!t.isMemberExpression(callee)) return;
+          if (!t.isIdentifier(callee.object) || !t.isIdentifier(callee.property)) return;
+          const obj = callee.object.name;
+          const method = callee.property.name.toLowerCase();
+          if (!EXPRESS_NAMES.has(obj) && !routerPrefixes.has(obj)) return;
+          if (!EXPRESS_METHODS.has(method)) return;
+          // Get the path argument
+          const pathArg = p.node.arguments[0];
+          const routePath = evalStaticString(pathArg, constMap);
+          if (!routePath) return;
+          // Skip middleware-only patterns
+          if (method === "use" && !routePath.startsWith("/")) return;
+          // Get prefix for this router
+          const prefix = routerPrefixes.get(obj) || "/";
+          const fullPath = joinPaths(prefix, routePath);
+          const ev = evidenceFromContent(content, fileRel, p.node.loc, `Express ${method.toUpperCase()}("${routePath}")`);
+          routes.push({
+            method: method === "use" ? "*" : canonicalizeMethod(method),
+            path: fullPath,
+            handler: fileRel,
+            confidence: "med",
+            framework: "express",
+            evidence: ev ? [ev] : []
+          });
+        }
+      });
+    } catch {
+      stats.parseErrors++;
+    }
+  }
+  return routes;
+}
+module.exports = {
+  extractExpressRoutes,
+  canonicalizeMethod,
+  canonicalizePath,
+  joinPaths,
+};