@zhuma4/cli 4.0.0-alpha.1

package/dist/engine/incremental/engine.js

@@ -0,0 +1,337 @@
+/**
+ * 逐码 ZhuMa V4.1 — 增量扫描引擎
+ *
+ * 核心流程:
+ *   1. 读取 .zhuma-cache/incremental-state.json
+ *   2. Git diff 获取变更文件列表
+ *   3. 对变更文件调用 Semgrep (传具体文件路径)
+ *   4. 未变更文件复用 findingsCache 缓存
+ *   5. 合并结果 + 写入新缓存
+ *   6. 返回 ScanResult + 增量元信息
+ *
+ * 回退策略: 缓存损坏/不存在/Git 不可用 → 自动回退全量扫描
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+import { spawn } from 'node:child_process';
+import { readFile, writeFile, mkdir, access, } from 'node:fs/promises';
+import { resolve as resolvePath, join } from 'node:path';
+import { existsSync } from 'node:fs';
+import { getGitDiff } from './git-diff.js';
+import { semgrepNotFound, targetNotFound, semgrepCrashed, sarifParsedFailed, } from '../errors.js';
+const CACHE_DIR = '.zhuma-cache';
+const CACHE_FILE = 'incremental-state.json';
+const CACHE_VERSION = 1;
+const SEMGREP_BIN = 'semgrep';
+const DEFAULT_TIMEOUT = 15 * 60_000;
+// ── 辅助函数 ────────────────────────────────────────────────
+function semgrepEnv() {
+    const env = {};
+    if (process.platform === 'win32') {
+        const pyScripts = join(process.env.APPDATA ?? join(process.env.USERPROFILE ?? 'C:\\Users', 'AppData', 'Roaming'), 'Python', 'Python311', 'Scripts');
+        if (existsSync(join(pyScripts, 'semgrep.exe'))) {
+            env.PATH = pyScripts + ';' + (process.env.PATH ?? '');
+        }
+    }
+    return env;
+}
+function defaultRulesDir() {
+    return resolvePath(join(import.meta.dirname ?? '.', '..', '..', '..', '..', 'rules', 'common'));
+}
+function cachePath(targetPath) {
+    return join(targetPath, CACHE_DIR, CACHE_FILE);
+}
+// ── 缓存读写 ────────────────────────────────────────────────
+async function readCache(targetPath) {
+    const filePath = cachePath(targetPath);
+    try {
+        await access(filePath);
+        const raw = await readFile(filePath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        // 校验缓存版本
+        if (!parsed.cacheVersion || parsed.cacheVersion !== CACHE_VERSION) {
+            console.warn('⚠️  缓存格式版本不匹配，将执行全量扫描');
+            return null;
+        }
+        // 校验核心字段
+        if (!parsed.lastCommit || !parsed.findingsCache) {
+            console.warn('⚠️  缓存数据不完整，将执行全量扫描');
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+async function writeCache(targetPath, state) {
+    const dir = join(targetPath, CACHE_DIR);
+    await mkdir(dir, { recursive: true });
+    const filePath = join(dir, CACHE_FILE);
+    await writeFile(filePath, JSON.stringify(state, null, 2), 'utf-8');
+}
+// ── Semgrep 针对特定文件的扫描 ───────────────────────────────
+async function semgrepScanFiles(targetPath, rulesDir, files, severity) {
+    if (files.length === 0) {
+        return { runs: [{ results: [] }] };
+    }
+    // Semgrep 接受 file list 在 positional args 的最后
+    const args = [
+        'scan',
+        '--config', rulesDir,
+        '--sarif',
+        '--quiet',
+        '--no-git-ignore',
+        '--scan-unknown-extensions',
+    ];
+    if (severity) {
+        args.push('--severity', severity);
+    }
+    // 添加具体文件路径
+    for (const file of files) {
+        args.push(join(targetPath, file));
+    }
+    return new Promise((resolve, reject) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const child = spawn(SEMGREP_BIN, args, {
+            stdio: ['ignore', 'pipe', 'pipe'],
+            timeout: DEFAULT_TIMEOUT,
+            env: {
+                ...process.env,
+                ...semgrepEnv(),
+                PYTHONUTF8: '1',
+                PYTHONIOENCODING: 'utf-8',
+            },
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout.on('data', (d) => { stdout += d.toString(); });
+        child.stderr.on('data', (d) => { stderr += d.toString(); });
+        child.on('close', (code) => {
+            if (code !== 0 && code !== 1) {
+                reject(semgrepCrashed(code, stderr));
+                return;
+            }
+            try {
+                resolve(JSON.parse(stdout));
+            }
+            catch {
+                reject(sarifParsedFailed(`stdout=${stdout.slice(0, 300)} stderr=${stderr.slice(0, 300)}`));
+            }
+        });
+        child.on('error', (err) => {
+            reject(err.code === 'ENOENT'
+                ? semgrepNotFound(err)
+                : new Error(`Semgrep 启动失败: ${err.message}`));
+        });
+    });
+}
+// ── 合并与报告 ─────────────────────────────────────────────
+function mergeFindings(newFindings, cachedFindings) {
+    // 新发现可能和缓存发现有重叠（同文件扫描两次），去重策略：
+    // 以同文件新扫描结果为准，丢弃该文件的缓存结果
+    const scannedFileSet = new Set();
+    for (const f of newFindings) {
+        scannedFileSet.add(f.file);
+    }
+    const merged = [...newFindings];
+    for (const f of cachedFindings) {
+        if (!scannedFileSet.has(f.file)) {
+            merged.push(f);
+        }
+    }
+    return merged;
+}
+/**
+ * 从缓存中提取未变更文件的发现
+ */
+function getCachedFindings(diff, cache) {
+    const changedSet = new Set(diff.changedFiles);
+    const findings = [];
+    for (const [file, cachedFinds] of Object.entries(cache.findingsCache)) {
+        if (!changedSet.has(file)) {
+            findings.push(...cachedFinds);
+        }
+    }
+    return findings;
+}
+// ── 主入口 ──────────────────────────────────────────────────
+/**
+ * 运行增量扫描
+ *
+ * @param targetPath - 项目根目录
+ * @param options - 扫描配置
+ * @returns ScanResult 含增量元信息
+ */
+export async function runIncrementalScan(targetPath, options) {
+    const startTime = Date.now();
+    const resolvedTarget = resolvePath(targetPath);
+    if (!existsSync(resolvedTarget)) {
+        throw targetNotFound(targetPath);
+    }
+    const { rules, only, quick } = options;
+    const rulesDir = rules ? resolvePath(rules) : defaultRulesDir();
+    // severity 过滤
+    let severity;
+    if (only) {
+        const levelMap = {
+            critical: 'ERROR', high: 'WARNING',
+            medium: 'INFO', low: 'NOTE',
+        };
+        severity = levelMap[only.toLowerCase()];
+    }
+    if (quick && !severity)
+        severity = 'WARNING';
+    // 1. 读取缓存
+    const cache = await readCache(resolvedTarget);
+    const lastCommit = cache?.lastCommit;
+    // 2. Git diff
+    const diff = await getGitDiff(resolvedTarget, lastCommit);
+    let allFindings;
+    let filesScanned = 0;
+    let filesReused = 0;
+    let filesTotal = 0;
+    if (diff.isInitial || diff.currentHash === '' || !cache) {
+        // ── 首次扫描 / 回退全量 ──
+        if (cache) {
+            console.log('ℹ️  缓存不可用，执行全量扫描');
+        }
+        else {
+            console.log('ℹ️  首次扫描，建立增量缓存基线...');
+        }
+        // 全量扫描 → 复用现有 runScan 逻辑
+        // 但是我们需要自己有文件列表和扫描能力
+        // 直接调用 Semgrep 扫描整个目录
+        const sarif = await semgrepScanFiles(resolvedTarget, rulesDir, ['.'], // 扫描整个目录 — semgrep 会递归
+        severity);
+        const { parseSarif } = await import('../sarif.js');
+        allFindings = parseSarif(sarif, { severityFilter: only });
+        const { filterFindings } = await import('../filter.js');
+        allFindings = filterFindings(allFindings);
+        // 构建缓存
+        const newCache = {
+            lastCommit: diff.currentHash,
+            lastScannedAt: new Date().toISOString(),
+            scannedFiles: {},
+            findingsCache: {},
+            cacheVersion: CACHE_VERSION,
+        };
+        // 按文件分组 findings 存入缓存
+        for (const f of allFindings) {
+            if (!newCache.findingsCache[f.file]) {
+                newCache.findingsCache[f.file] = [];
+            }
+            newCache.findingsCache[f.file].push(f);
+        }
+        // 记录已扫描的文件 (从 findings 中推导)
+        const scannedFileSet = new Set(allFindings.map((f) => f.file));
+        newCache.scannedFiles = {};
+        for (const file of scannedFileSet) {
+            newCache.scannedFiles[file] = '';
+        }
+        await writeCache(resolvedTarget, newCache);
+        filesTotal = scannedFileSet.size;
+        filesScanned = scannedFileSet.size;
+        filesReused = 0;
+    }
+    else {
+        // ── 增量扫描 ──
+        filesTotal = Object.keys(cache.findingsCache).length;
+        filesScanned = diff.changedFiles.length;
+        // 3. 扫描变更文件
+        let newFindings;
+        try {
+            const sarif = await semgrepScanFiles(resolvedTarget, rulesDir, diff.changedFiles, severity);
+            const { parseSarif } = await import('../sarif.js');
+            newFindings = parseSarif(sarif, { severityFilter: only });
+            const { filterFindings } = await import('../filter.js');
+            newFindings = filterFindings(newFindings);
+        }
+        catch (err) {
+            // Semgrep 扫描失败 → 回退全量
+            console.warn(`⚠️  增量扫描失败，回退全量: ${err.message}`);
+            const sarif = await semgrepScanFiles(resolvedTarget, rulesDir, ['.'], severity);
+            const { parseSarif } = await import('../sarif.js');
+            newFindings = parseSarif(sarif, { severityFilter: only });
+            const { filterFindings } = await import('../filter.js');
+            newFindings = filterFindings(newFindings);
+            // 全量扫描重置一切
+            const newCache = {
+                lastCommit: diff.currentHash,
+                lastScannedAt: new Date().toISOString(),
+                scannedFiles: {},
+                findingsCache: {},
+                cacheVersion: CACHE_VERSION,
+            };
+            for (const f of newFindings) {
+                if (!newCache.findingsCache[f.file]) {
+                    newCache.findingsCache[f.file] = [];
+                }
+                newCache.findingsCache[f.file].push(f);
+            }
+            await writeCache(resolvedTarget, newCache);
+            allFindings = newFindings;
+            filesScanned = Object.keys(newCache.findingsCache).length;
+            filesReused = 0;
+            filesTotal = filesScanned;
+            return buildResult(resolvedTarget, allFindings, options, startTime, {
+                filesChanged: filesScanned,
+                filesTotal,
+                filesReused,
+            });
+        }
+        // 4. 从缓存中获取未变更文件的发现
+        const cachedFindings = getCachedFindings(diff, cache);
+        filesReused = Object.keys(cache.findingsCache).length - filesScanned;
+        // 5. 合并结果
+        allFindings = mergeFindings(newFindings, cachedFindings);
+        // 6. 更新缓存
+        const updatedCache = {
+            lastCommit: diff.currentHash,
+            lastScannedAt: new Date().toISOString(),
+            scannedFiles: cache.scannedFiles,
+            findingsCache: { ...cache.findingsCache },
+            cacheVersion: CACHE_VERSION,
+        };
+        // 移除被删除文件的缓存条目
+        for (const [file] of Object.entries(updatedCache.findingsCache)) {
+            if (diff.changedFiles.includes(file)) {
+                delete updatedCache.findingsCache[file];
+            }
+        }
+        // 添加新扫描文件的发现
+        for (const f of newFindings) {
+            if (!updatedCache.findingsCache[f.file]) {
+                updatedCache.findingsCache[f.file] = [];
+            }
+            updatedCache.findingsCache[f.file].push(f);
+        }
+        filesTotal = Object.keys(updatedCache.findingsCache).length;
+        await writeCache(resolvedTarget, updatedCache);
+    }
+    return buildResult(resolvedTarget, allFindings, options, startTime, {
+        filesChanged: diff.changedFiles.length,
+        filesTotal,
+        filesReused,
+    });
+}
+// ── 构建最终结果 ──────────────────────────────────────────
+async function buildResult(target, findings, options, startTime, incremental) {
+    const durationMs = Date.now() - startTime;
+    // 生成报告 (复用现有 renderer)
+    const { renderReport } = await import('../../report/render.js');
+    const result = await renderReport(findings, {
+        target,
+        output: options.output || 'html',
+    });
+    return {
+        ...result,
+        durationMs,
+        incremental: {
+            filesChanged: incremental.filesChanged,
+            filesTotal: incremental.filesTotal,
+            filesReused: incremental.filesReused,
+        },
+    };
+}
+//# sourceMappingURL=engine.js.map

package/dist/engine/incremental/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/engine/incremental/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EACL,QAAQ,EACR,SAAS,EACT,KAAK,EACL,MAAM,GACP,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAIrC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,cAAc,CAAC;AAEtB,MAAM,SAAS,GAAG,cAAc,CAAC;AACjC,MAAM,UAAU,GAAG,wBAAwB,CAAC;AAC5C,MAAM,aAAa,GAAG,CAAC,CAAC;AACxB,MAAM,WAAW,GAAG,SAAS,CAAC;AAC9B,MAAM,eAAe,GAAG,EAAE,GAAG,MAAM,CAAC;AAEpC,2DAA2D;AAE3D,SAAS,UAAU;IACjB,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CACpB,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,EACzF,QAAQ,EAAE,WAAW,EAAE,SAAS,CACjC,CAAC;QACF,IAAI,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,IAAI,GAAG,SAAS,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAClG,CAAC;AAED,SAAS,SAAS,CAAC,UAAkB;IACnC,OAAO,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACjD,CAAC;AAED,2DAA2D;AAE3D,KAAK,UAAU,SAAS,CAAC,UAAkB;IACzC,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QAEnD,SAAS;QACT,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,KAAK,aAAa,EAAE,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,SAAS;QACT,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,UAAkB,EAClB,KAAuB;IAEvB,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IACxC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACvC,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACrE,CAAC;AAED,uDAAuD;AAEvD,KAAK,UAAU,gBAAgB,CAC7B,UAAkB,EAClB,QAAgB,EAChB,KAAe,EACf,QAAiB;IAEjB,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;IACrC,CAAC;IAED,6CAA6C;IAC7C,MAAM,IAAI,GAAG;QACX,MAAM;QACN,UAAU,EAAE,QAAQ;QACpB,SAAS;QACT,SAAS;QACT,iBAAiB;QACjB,2BAA2B;KAC5B,CAAC;IACF,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IACpC,CAAC;IACD,WAAW;IACX,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,8DAA8D;QAC9D,MAAM,KAAK,GAAQ,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE;YAC1C,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,OAAO,EAAE,eAAe;YACxB,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,GAAG,UAAU,EAAE;gBACf,UAAU,EAAE,GAAG;gBACf,gBAAgB,EAAE,OAAO;aAC1B;SACF,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;YACxC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBAC7B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;gBACrC,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,iBAAiB,CACtB,UAAU,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,WAAW,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CACH,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBAC9C,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC;gBACtB,CAAC,CAAC,IAAI,KAAK,CAAC,iBAAiB,GAAG,CAAC,OAAO,EAAE,CAAC,CAC9C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AAEzD,SAAS,aAAa,CACpB,WAAsB,EACtB,cAAyB;IAEzB,+BAA+B;IAC/B,yBAAyB;IACzB,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,MAAM,GAAc,CAAC,GAAG,WAAW,CAAC,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;QAC/B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,IAAmB,EACnB,KAAuB;IAEvB,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACtE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4DAA4D;AAE5D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAkB,EAClB,OAAoB;IAEpB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,cAAc,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAChC,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IACvC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;IAEhE,cAAc;IACd,IAAI,QAA4B,CAAC;IACjC,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,QAAQ,GAA2B;YACvC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;YAClC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;SAC5B,CAAC;QACF,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,KAAK,IAAI,CAAC,QAAQ;QAAE,QAAQ,GAAG,SAAS,CAAC;IAE7C,UAAU;IACV,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,KAAK,EAAE,UAAU,CAAC;IAErC,cAAc;IACd,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IAE1D,IAAI,WAAsB,CAAC;IAC3B,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,WAAW,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QACxD,oBAAoB;QACpB,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtC,CAAC;QAED,yBAAyB;QACzB,qBAAqB;QACrB,sBAAsB;QACtB,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,cAAc,EACd,QAAQ,EACR,CAAC,GAAG,CAAC,EAAE,uBAAuB;QAC9B,QAAQ,CACT,CAAC;QAEF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACnD,WAAW,GAAG,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;QACxD,WAAW,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;QAE1C,OAAO;QACP,MAAM,QAAQ,GAAqB;YACjC,UAAU,EAAE,IAAI,CAAC,WAAW;YAC5B,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACvC,YAAY,EAAE,EAAE;YAChB,aAAa,EAAE,EAAE;YACjB,YAAY,EAAE,aAAa;SAC5B,CAAC;QAEF,sBAAsB;QACtB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACtC,CAAC;YACD,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QAED,4BAA4B;QAC5B,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAC/D,QAAQ,CAAC,YAAY,GAAG,EAAE,CAAC;QAC3B,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;YAClC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,CAAC;QAED,MAAM,UAAU,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;QAE3C,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC;QACjC,YAAY,GAAG,cAAc,CAAC,IAAI,CAAC;QACnC,WAAW,GAAG,CAAC,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,aAAa;QACb,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QACrD,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC;QAExC,YAAY;QACZ,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,cAAc,EACd,QAAQ,EACR,IAAI,CAAC,YAAY,EACjB,QAAQ,CACT,CAAC;YAEF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACnD,WAAW,GAAG,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;YAE1D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;YACxD,WAAW,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sBAAsB;YACtB,OAAO,CAAC,IAAI,CAAC,oBAAqB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3D,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,cAAc,EACd,QAAQ,EACR,CAAC,GAAG,CAAC,EACL,QAAQ,CACT,CAAC;YAEF,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACnD,WAAW,GAAG,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;YAE1D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;YACxD,WAAW,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;YAE1C,WAAW;YACX,MAAM,QAAQ,GAAqB;gBACjC,UAAU,EAAE,IAAI,CAAC,WAAW;gBAC5B,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACvC,YAAY,EAAE,EAAE;gBAChB,aAAa,EAAE,EAAE;gBACjB,YAAY,EAAE,aAAa;aAC5B,CAAC;YACF,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC5B,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACtC,CAAC;gBACD,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,UAAU,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;YAE3C,WAAW,GAAG,WAAW,CAAC;YAC1B,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;YAC1D,WAAW,GAAG,CAAC,CAAC;YAChB,UAAU,GAAG,YAAY,CAAC;YAE1B,OAAO,WAAW,CAAC,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE;gBAClE,YAAY,EAAE,YAAY;gBAC1B,UAAU;gBACV,WAAW;aACZ,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACtD,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,YAAY,CAAC;QAErE,UAAU;QACV,WAAW,GAAG,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAEzD,UAAU;QACV,MAAM,YAAY,GAAqB;YACrC,UAAU,EAAE,IAAI,CAAC,WAAW;YAC5B,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACvC,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,aAAa,EAAE,EAAE,GAAG,KAAK,CAAC,aAAa,EAAE;YACzC,YAAY,EAAE,aAAa;SAC5B,CAAC;QAEF,eAAe;QACf,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,aAAa,CAAC,EAAE,CAAC;YAChE,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAED,aAAa;QACb,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YAC1C,CAAC;YACD,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;QAE5D,MAAM,UAAU,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,WAAW,CAAC,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE;QAClE,YAAY,EAAE,IAAI,CAAC,YAAY,CAAC,MAAM;QACtC,UAAU;QACV,WAAW;KACZ,CAAC,CAAC;AACL,CAAC;AAED,uDAAuD;AAEvD,KAAK,UAAU,WAAW,CACxB,MAAc,EACd,QAAmB,EACnB,OAAoB,EACpB,SAAiB,EACjB,WAA8E;IAE9E,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAE1C,uBAAuB;IACvB,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IAChE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE;QAC1C,MAAM;QACN,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,MAAM;KACjC,CAAC,CAAC;IAEH,OAAO;QACL,GAAG,MAAM;QACT,UAAU;QACV,WAAW,EAAE;YACX,YAAY,EAAE,WAAW,CAAC,YAAY;YACtC,UAAU,EAAE,WAAW,CAAC,UAAU;YAClC,WAAW,EAAE,WAAW,CAAC,WAAW;SACrC;KACF,CAAC;AACJ,CAAC"}

package/dist/engine/incremental/git-diff.d.ts

@@ -0,0 +1,19 @@
+/**
+ * 逐码 ZhuMa V4.1 — Git Diff 解析器
+ *
+ * 从 Git 仓库获取 HEAD vs lastScannedCommit 的变更文件列表。
+ * 首次扫描 (无 lastCommit) 返回全量文件列表。
+ * Git 不可用时自动回退全量扫描并打印警告。
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+import type { GitDiffResult } from './types.js';
+/**
+ * 解析 Git diff 获取变更文件列表。
+ *
+ * @param targetPath - 项目根目录 (必须是 git 仓库)
+ * @param lastCommit - 上次扫描的 commit SHA (首次扫描传 undefined)
+ * @returns GitDiffResult
+ */
+export declare function getGitDiff(targetPath: string, lastCommit?: string): Promise<GitDiffResult>;
+//# sourceMappingURL=git-diff.d.ts.map

package/dist/engine/incremental/git-diff.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-diff.d.ts","sourceRoot":"","sources":["../../../src/engine/incremental/git-diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAmFhD;;;;;;GAMG;AACH,wBAAsB,UAAU,CAC9B,UAAU,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAoFxB"}

package/dist/engine/incremental/git-diff.js

@@ -0,0 +1,175 @@
+/**
+ * 逐码 ZhuMa V4.1 — Git Diff 解析器
+ *
+ * 从 Git 仓库获取 HEAD vs lastScannedCommit 的变更文件列表。
+ * 首次扫描 (无 lastCommit) 返回全量文件列表。
+ * Git 不可用时自动回退全量扫描并打印警告。
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+import { spawn } from 'node:child_process';
+import { resolve as resolvePath } from 'node:path';
+/** 支持的代码文件扩展名 */
+const CODE_EXTENSIONS = new Set([
+    '.java', '.kt', '.kts',
+    '.js', '.mjs', '.cjs', '.jsx',
+    '.ts', '.tsx',
+    '.py', '.pyi', '.pyx',
+    '.yaml', '.yml',
+    '.xml', '.xml',
+    '.json',
+    '.go',
+    '.rs',
+    '.rb',
+    '.php',
+    '.cs',
+    '.swift',
+    '.scala',
+    '.groovy',
+    '.dart',
+    '.c', '.h', '.cpp', '.hpp', '.cc', '.hh',
+]);
+/** 过滤保留代码文件 */
+function isCodeFile(path) {
+    const lower = path.toLowerCase();
+    for (const ext of CODE_EXTENSIONS) {
+        if (lower.endsWith(ext))
+            return true;
+    }
+    return false;
+}
+/** 执行 git 命令，返回 stdout 字符串 (strip trailing newline) */
+function git(cwd, args) {
+    return new Promise((resolve, reject) => {
+        const child = spawn('git', args, {
+            cwd,
+            stdio: ['ignore', 'pipe', 'pipe'],
+            timeout: 30_000,
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout.on('data', (d) => { stdout += d.toString(); });
+        child.stderr.on('data', (d) => { stderr += d.toString(); });
+        child.on('close', (code) => {
+            if (code !== 0) {
+                reject(new Error(`git ${args[0]} 失败 (exit ${code}): ${stderr.slice(0, 500)}`));
+                return;
+            }
+            resolve(stdout.trim());
+        });
+        child.on('error', (err) => {
+            reject(new Error(`无法启动 git: ${err.message}`));
+        });
+    });
+}
+/** 检查目录是否为有效的 git 仓库 */
+async function isGitRepo(cwd) {
+    try {
+        await git(cwd, ['rev-parse', '--git-dir']);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** 使用 git 获取所有被跟踪的代码文件列表 */
+async function getAllTrackedFiles(cwd) {
+    const output = await git(cwd, ['ls-files']);
+    return output
+        .split('\n')
+        .map((l) => l.trim())
+        .filter((l) => l.length > 0)
+        .filter(isCodeFile);
+}
+/**
+ * 解析 Git diff 获取变更文件列表。
+ *
+ * @param targetPath - 项目根目录 (必须是 git 仓库)
+ * @param lastCommit - 上次扫描的 commit SHA (首次扫描传 undefined)
+ * @returns GitDiffResult
+ */
+export async function getGitDiff(targetPath, lastCommit) {
+    const cwd = resolvePath(targetPath);
+    // 获取当前 HEAD hash
+    let currentHash;
+    try {
+        currentHash = await git(cwd, ['rev-parse', 'HEAD']);
+    }
+    catch {
+        // Git 不可用 → 回退全量
+        console.warn('⚠️  Git 不可用，回退全量扫描');
+        return {
+            changedFiles: [],
+            currentHash: '',
+            isInitial: true,
+        };
+    }
+    // 检查是否为有效 git 仓库
+    if (!(await isGitRepo(cwd))) {
+        console.warn('⚠️  目标目录不是 Git 仓库，回退全量扫描');
+        return {
+            changedFiles: [],
+            currentHash: currentHash,
+            isInitial: true,
+        };
+    }
+    // 首次扫描 (无历史 commit) → 返回全量文件
+    if (!lastCommit) {
+        try {
+            const allFiles = await getAllTrackedFiles(cwd);
+            return {
+                changedFiles: allFiles,
+                currentHash,
+                isInitial: true,
+            };
+        }
+        catch (err) {
+            console.warn('⚠️  无法列出 Git 文件，回退全量扫描:', err.message);
+            return {
+                changedFiles: [],
+                currentHash,
+                isInitial: true,
+            };
+        }
+    }
+    // 增量扫描: HEAD vs lastCommit
+    try {
+        // 先验证 lastCommit 在历史中是否存在
+        await git(cwd, ['cat-file', '-e', lastCommit]);
+    }
+    catch {
+        console.warn(`⚠️  Commit ${lastCommit.slice(0, 8)} 不在当前仓库历史中，回退全量扫描`);
+        try {
+            const allFiles = await getAllTrackedFiles(cwd);
+            return { changedFiles: allFiles, currentHash, isInitial: true };
+        }
+        catch {
+            return { changedFiles: [], currentHash, isInitial: true };
+        }
+    }
+    // 获取变更文件列表
+    try {
+        const output = await git(cwd, ['diff', '--name-only', lastCommit, 'HEAD']);
+        const files = output
+            .split('\n')
+            .map((l) => l.trim())
+            .filter((l) => l.length > 0);
+        const codeFiles = files.filter(isCodeFile);
+        return {
+            changedFiles: codeFiles,
+            currentHash,
+            isInitial: false,
+        };
+    }
+    catch (err) {
+        console.warn('⚠️  Git diff 失败，回退全量扫描:', err.message);
+        try {
+            const allFiles = await getAllTrackedFiles(cwd);
+            return { changedFiles: allFiles, currentHash, isInitial: true };
+        }
+        catch {
+            return { changedFiles: [], currentHash, isInitial: true };
+        }
+    }
+}
+//# sourceMappingURL=git-diff.js.map

package/dist/engine/incremental/git-diff.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-diff.js","sourceRoot":"","sources":["../../../src/engine/incremental/git-diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AAGnD,iBAAiB;AACjB,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,OAAO,EAAE,KAAK,EAAE,MAAM;IACtB,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC7B,KAAK,EAAE,MAAM;IACb,KAAK,EAAE,MAAM,EAAE,MAAM;IACrB,OAAO,EAAE,MAAM;IACf,MAAM,EAAE,MAAM;IACd,OAAO;IACP,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,KAAK;IACL,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,OAAO;IACP,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CACzC,CAAC,CAAC;AAEH,eAAe;AACf,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACvC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uDAAuD;AACvD,SAAS,GAAG,CACV,GAAW,EACX,IAAc;IAEd,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE;YAC/B,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,aAAa,IAAI,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC/E,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,wBAAwB;AACxB,KAAK,UAAU,SAAS,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,4BAA4B;AAC5B,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAC3C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;IAC5C,OAAO,MAAM;SACV,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;SAC3B,MAAM,CAAC,UAAU,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,UAAmB;IAEnB,MAAM,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEpC,iBAAiB;IACjB,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;QACjB,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACnC,OAAO;YACL,YAAY,EAAE,EAAE;YAChB,WAAW,EAAE,EAAE;YACf,SAAS,EAAE,IAAI;SAChB,CAAC;IACJ,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC,CAAC,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzC,OAAO;YACL,YAAY,EAAE,EAAE;YAChB,WAAW,EAAE,WAAW;YACxB,SAAS,EAAE,IAAI;SAChB,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO;gBACL,YAAY,EAAE,QAAQ;gBACtB,WAAW;gBACX,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YAChE,OAAO;gBACL,YAAY,EAAE,EAAE;gBAChB,WAAW;gBACX,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC;QACH,0BAA0B;QAC1B,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,IAAI,CAAC,cAAc,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,mBAAmB,CAAC,CAAC;QACtE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,WAAW;IACX,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,EAAE,CAAC,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;QAC3E,MAAM,KAAK,GAAG,MAAM;aACjB,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE/B,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAE3C,OAAO;YACL,YAAY,EAAE,SAAS;YACvB,WAAW;YACX,SAAS,EAAE,KAAK;SACjB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;QAChE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/engine/incremental/types.d.ts

@@ -0,0 +1,33 @@
+/**
+ * 逐码 ZhuMa V4.1 — 增量扫描引擎 局部类型定义
+ *
+ * SDK 中已有 IncrementalState / IncrementalDiff 基线类型（frozen），
+ * 但增量引擎需要 path→hash 映射和 findings 缓存索引，
+ * 因此在 CLI 内部扩展定义，不修改 packages/sdk/src/index.ts
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+import type { Finding } from '@zhuma4/sdk';
+/** 增量扫描缓存状态 — 持久化到 .zhuma-cache/incremental-state.json */
+export interface IncrementalState {
+    /** 最近一次扫描的 commit SHA */
+    lastCommit: string;
+    /** 上次扫描完成时间 (ISO-8601) */
+    lastScannedAt: string;
+    /** 文件路径(相对项目根) → 文件内容 SHA-256 */
+    scannedFiles: Record<string, string>;
+    /** 文件路径 → 该文件所有发现 */
+    findingsCache: Record<string, Finding[]>;
+    /** 缓存格式版本 (用于检测不兼容变更) */
+    cacheVersion: number;
+}
+/** Git diff 解析结果 */
+export interface GitDiffResult {
+    /** 变更的代码文件列表 (相对项目根路径) */
+    changedFiles: string[];
+    /** 当前 HEAD commit SHA */
+    currentHash: string;
+    /** 是否为首次扫描 (无历史缓存) */
+    isInitial: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/engine/incremental/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/engine/incremental/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3C,0DAA0D;AAC1D,MAAM,WAAW,gBAAgB;IAC/B,yBAAyB;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IACzC,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,oBAAoB;AACpB,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,yBAAyB;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,SAAS,EAAE,OAAO,CAAC;CACpB"}

package/dist/engine/incremental/types.js

@@ -0,0 +1,11 @@
+/**
+ * 逐码 ZhuMa V4.1 — 增量扫描引擎 局部类型定义
+ *
+ * SDK 中已有 IncrementalState / IncrementalDiff 基线类型（frozen），
+ * 但增量引擎需要 path→hash 映射和 findings 缓存索引，
+ * 因此在 CLI 内部扩展定义，不修改 packages/sdk/src/index.ts
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/engine/incremental/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/engine/incremental/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/engine/manifest_scanner.d.ts

@@ -0,0 +1,48 @@
+/**
+ * AndroidManifest.xml 安全扫描引擎 — ZhuMa V4
+ *
+ * 解析 jadx 解码后的 AndroidManifest.xml 并执行 12 项安全检测：
+ *   1. debuggable 标志    6. 导出 Service
+ *   2. allowBackup 标志   7. 低 targetSdkVersion
+ *   3. 导出组件无权限      8. cleartext 流量
+ *   4. 导出 ContentProvider 9. 缺失网络安全配置
+ *   5. 导出 BroadcastReceiver 10. 危险权限
+ *   11. 自定义权限保护级别  12. taskAffinity 劫持
+ *
+ * 设计原则: regex-first parsing → 优先可用性，而非 XML 解析优雅性
+ *   jadx 输出的 AndroidManifest.xml 格式可预测且有规律，
+ *   regex 提取属性比引入 DOM 解析器更稳定，特别是有命名空间歧义时。
+ */
+/** ManifestFinding — 独立于 SDK Finding，字段适配 Mobile Security Testing Guide 体系 */
+export interface ManifestFinding {
+    id: string;
+    severity: 'CRITICAL' | 'HIGH' | 'WARNING' | 'MEDIUM';
+    title: string;
+    description: string;
+    cwe: string;
+    owasp_mobile: string;
+    masvs: string;
+    location: {
+        file: string;
+        element: string;
+    };
+    evidence: string;
+    remediation: string;
+}
+/**
+ * 扫描 jadx 输出的 AndroidManifest.xml
+ *
+ * @param manifestPath - jadx 解码后的 AndroidManifest.xml 路径
+ * @returns ManifestFinding[] — 安全发现列表
+ * @throws 文件不存在或解析失败时抛出 Error
+ */
+export declare function scanManifest(manifestPath: string): ManifestFinding[];
+/**
+ * 按严重程度统计发现数量
+ */
+export declare function countBySeverity(findings: ManifestFinding[]): Record<string, number>;
+/**
+ * 按严重程度过滤发现
+ */
+export declare function filterBySeverity(findings: ManifestFinding[], minSeverity: ManifestFinding['severity']): ManifestFinding[];
+//# sourceMappingURL=manifest_scanner.d.ts.map