ai-spec-dev 0.55.0 → 0.56.0

package/cli/pipeline/multi-repo.ts

@@ -662,6 +662,15 @@ export async function runMultiRepoPipeline(
           { scopedFiles: fe.generatedFiles }
         );
         printCrossStackReport(fe.repoName, report);
+        if (report.hasViolations) {
+          console.log(
+            chalk.yellow(
+              `  ⚠ [W5] ${fe.repoName} has cross-stack violations` +
+              ` (${report.phantom.length} phantom, ${report.methodMismatch.length} method mismatch).` +
+              ` Review the report above and fix generated frontend code.`
+            )
+          );
+        }
       } catch (err) {
         console.log(chalk.yellow(`  ⚠ Verification failed for ${fe.repoName}: ${(err as Error).message}`));
       }

package/core/cross-stack-verifier.ts

@@ -11,6 +11,9 @@ export interface FrontendApiCall {
   file: string;         // relative path from frontend root
   line: number;         // 1-indexed line number
   snippet: string;      // one-line source snippet
+  /** True when path was extracted from a string concatenation (e.g. '/api/' + id).
+   *  The path ends with /* to represent the unknown suffix — matching is approximate. */
+  isConcatPath?: boolean;
 }
 
 export interface CrossStackReport {
@@ -24,7 +27,12 @@ export interface CrossStackReport {
   methodMismatch: Array<{ call: FrontendApiCall; expectedMethod: string }>;
   /** Calls whose method+path both match the DSL */
   matched: Array<{ call: FrontendApiCall; endpointId: string }>;
+  /** Calls with UNKNOWN method (generic `request('/path')` helpers without a method arg).
+   *  These are counted as matched (permissive) but surfaced for visibility. */
+  unknownMethodCalls: FrontendApiCall[];
   totalScannedFiles: number;
+  /** True when there are phantom calls or method mismatches — use to fail CI / pipeline steps. */
+  hasViolations: boolean;
 }
 
 // ─── File scanning ────────────────────────────────────────────────────────────
@@ -92,8 +100,9 @@ export function extractApiCallsFromSource(
 
   // Pattern 1: .get('/path') / .post('/path') / .delete('/path') / .put('/path') / .patch('/path')
   // Matches things like: axios.get('/api/users'), api.post(`/api/users/${id}`)
+  // Negative lookahead (?!\s*\+) ensures we don't match string concatenation (handled by Pattern 5).
   const methodCallRegex =
-    /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2/gi;
+    /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2(?!\s*\+)/gi;
 
   // Pattern 2: fetch('/path', { method: 'POST' })
   // We detect fetch( + URL + optional method in the next ~100 chars
@@ -107,6 +116,15 @@ export function extractApiCallsFromSource(
   const genericRequestRegex =
     /\brequest\s*\(\s*(['"`])([^'"`]+)\1\s*(?:,\s*(['"`])(GET|POST|PUT|PATCH|DELETE)\3)?/gi;
 
+  // Pattern 5: axios.get('/api/prefix/' + variable)  — string concatenation with static prefix.
+  // We capture the static prefix and treat the unknown suffix as a wildcard segment.
+  // Only the method-call variant is handled here; fetch+concat is covered separately below.
+  const concatMethodRegex =
+    /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2\s*\+/gi;
+
+  // Pattern 6: fetch('/api/prefix/' + variable, ...) — concat inside fetch
+  const concatFetchRegex = /\bfetch\s*\(\s*(['"`])([^'"`]+)\1\s*\+([^)]*)\)/g;
+
   function getLineNumber(offset: number): number {
     // Count newlines up to offset
     let ln = 1;
@@ -131,6 +149,15 @@ export function extractApiCallsFromSource(
     return true;
   }
 
+  /** Build a wildcard-terminated path from a static concat prefix.
+   *  '/api/users/'  → '/api/users/*'
+   *  '/api/users'   → '/api/users/*'
+   */
+  function concatPath(prefix: string): string {
+    const stripped = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+    return stripped + "/*";
+  }
+
   let match: RegExpExecArray | null;
 
   while ((match = methodCallRegex.exec(source)) !== null) {
@@ -189,6 +216,39 @@ export function extractApiCallsFromSource(
     });
   }
 
+  // Pattern 5: axios.get('/api/prefix/' + variable)
+  // Pattern 1's negative lookahead excludes these cases, so no dedup needed.
+  while ((match = concatMethodRegex.exec(source)) !== null) {
+    const rawPrefix = match[3];
+    if (!isApiLike(rawPrefix)) continue;
+    const line = getLineNumber(match.index);
+    calls.push({
+      method: match[1].toUpperCase(),
+      path: concatPath(rawPrefix),
+      file: relFile,
+      line,
+      snippet: getSnippet(line),
+      isConcatPath: true,
+    });
+  }
+
+  // Pattern 6: fetch('/api/prefix/' + variable, ...)
+  while ((match = concatFetchRegex.exec(source)) !== null) {
+    const rawPrefix = match[2];
+    if (!isApiLike(rawPrefix)) continue;
+    const tail = match[3] ?? "";
+    const methodMatch = tail.match(/method\s*:\s*['"`](GET|POST|PUT|PATCH|DELETE)['"`]/i);
+    const line = getLineNumber(match.index);
+    calls.push({
+      method: methodMatch ? methodMatch[1].toUpperCase() : "GET",
+      path: concatPath(rawPrefix),
+      file: relFile,
+      line,
+      snippet: getSnippet(line),
+      isConcatPath: true,
+    });
+  }
+
   return calls;
 }
 
@@ -211,6 +271,7 @@ export function normalizePathSegments(p: string): string[] {
   const withoutQs = p.split("?")[0];
   const segments = withoutQs.split("/").filter(Boolean);
   return segments.map((seg) => {
+    if (seg === "*") return "*";                          // explicit wildcard (concat paths)
     if (seg.startsWith(":")) return "*";
     if (seg.includes("${") || seg.includes("{{")) return "*";
     if (/^\d+$/.test(seg)) return "*";
@@ -286,9 +347,13 @@ export async function verifyCrossStackContract(
   const phantom: FrontendApiCall[] = [];
   const methodMismatch: Array<{ call: FrontendApiCall; expectedMethod: string }> = [];
   const matched: Array<{ call: FrontendApiCall; endpointId: string }> = [];
+  const unknownMethodCalls: FrontendApiCall[] = [];
   const usedEndpointIds = new Set<string>();
 
   for (const call of allCalls) {
+    // Track UNKNOWN-method calls for visibility regardless of matching outcome.
+    if (call.method === "UNKNOWN") unknownMethodCalls.push(call);
+
     // Find all DSL endpoints whose path matches this call's path.
     const pathMatches = backendEndpoints.filter((ep) => pathsMatch(ep.path, call.path));
     if (pathMatches.length === 0) {
@@ -296,6 +361,7 @@ export async function verifyCrossStackContract(
       continue;
     }
     // Check if any path-match also matches the method.
+    // UNKNOWN is treated permissively — matched against the first path hit.
     const methodMatch = pathMatches.find(
       (ep) => call.method === "UNKNOWN" || ep.method === call.method
     );
@@ -319,7 +385,9 @@ export async function verifyCrossStackContract(
     unused,
     methodMismatch,
     matched,
+    unknownMethodCalls,
     totalScannedFiles: files.length,
+    hasViolations: phantom.length > 0 || methodMismatch.length > 0,
   };
 }
 
@@ -332,10 +400,12 @@ export function printCrossStackReport(repoName: string, report: CrossStackReport
   const mismatchCount = report.methodMismatch.length;
   const unusedCount = report.unused.length;
 
+  const concatCount = report.frontendCalls.filter((c) => c.isConcatPath).length;
+  const concatNote = concatCount > 0 ? ` (${concatCount} via string concat — approximate)` : "";
   console.log(chalk.cyan(`\n─── Cross-Stack Contract Verification [${repoName}] ─────────────`));
   console.log(
     chalk.gray(
-      `  Scanned ${report.totalScannedFiles} file(s), found ${report.frontendCalls.length} HTTP call(s)`
+      `  Scanned ${report.totalScannedFiles} file(s), found ${report.frontendCalls.length} HTTP call(s)${concatNote}`
     )
   );
   console.log(chalk.gray(`  Backend DSL endpoints: ${totalEp}`));
@@ -387,8 +457,25 @@ export function printCrossStackReport(repoName: string, report: CrossStackReport
     }
   }
 
+  // ── UNKNOWN method calls ─────────────────────────────────────────────────────
+  // Surface for visibility; they were matched permissively and may hide real mismatches.
+  if (report.unknownMethodCalls.length > 0) {
+    console.log(
+      chalk.gray(
+        `\n  · Unknown method (${report.unknownMethodCalls.length}): HTTP method could not be determined — matched permissively`
+      )
+    );
+    for (const call of report.unknownMethodCalls.slice(0, 5)) {
+      console.log(chalk.gray(`     UNKNWN ${call.path}`));
+      console.log(chalk.gray(`       ${call.file}:${call.line}`));
+    }
+    if (report.unknownMethodCalls.length > 5) {
+      console.log(chalk.gray(`     ... and ${report.unknownMethodCalls.length - 5} more`));
+    }
+  }
+
   // ── Summary ─────────────────────────────────────────────────────────────────
-  if (phantomCount === 0 && mismatchCount === 0 && unusedCount === 0 && matchedCount === totalEp && totalEp > 0) {
+  if (!report.hasViolations && unusedCount === 0 && matchedCount === totalEp && totalEp > 0) {
     console.log(chalk.green(`\n  ✔ Contract fully aligned — all ${totalEp} endpoints consumed correctly.`));
   }
   console.log(chalk.cyan("─".repeat(65)));

package/dist/cli/index.js

@@ -715,7 +715,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "ai-spec-dev",
-      version: "0.55.0",
+      version: "0.56.0",
       description: "AI-driven Development Orchestrator SDK & CLI",
       main: "dist/index.js",
       types: "dist/index.d.ts",
@@ -10321,10 +10321,12 @@ async function walkSource(root) {
 function extractApiCallsFromSource(source, relFile) {
   const calls = [];
   const lines = source.split("\n");
-  const methodCallRegex = /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2/gi;
+  const methodCallRegex = /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2(?!\s*\+)/gi;
   const fetchRegex = /\bfetch\s*\(\s*(['"`])([^'"`]+)\1([^)]*)\)/g;
   const useRequestRegex = /\buseRequest\s*\(\s*(['"`])([^'"`]+)\1([^)]*)\)/g;
   const genericRequestRegex = /\brequest\s*\(\s*(['"`])([^'"`]+)\1\s*(?:,\s*(['"`])(GET|POST|PUT|PATCH|DELETE)\3)?/gi;
+  const concatMethodRegex = /\.(get|post|put|patch|delete)\s*\(\s*(['"`])([^'"`]+)\2\s*\+/gi;
+  const concatFetchRegex = /\bfetch\s*\(\s*(['"`])([^'"`]+)\1\s*\+([^)]*)\)/g;
   function getLineNumber(offset) {
     let ln = 1;
     for (let i = 0; i < offset && i < source.length; i++) {
@@ -10341,6 +10343,10 @@ function extractApiCallsFromSource(source, relFile) {
     if (/\.(css|svg|png|jpe?g|gif|ico|woff2?|ttf|eot)$/i.test(p)) return false;
     return true;
   }
+  function concatPath(prefix) {
+    const stripped = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+    return stripped + "/*";
+  }
   let match;
   while ((match = methodCallRegex.exec(source)) !== null) {
     const rawPath = match[3];
@@ -10394,12 +10400,41 @@ function extractApiCallsFromSource(source, relFile) {
       snippet: getSnippet(line)
     });
   }
+  while ((match = concatMethodRegex.exec(source)) !== null) {
+    const rawPrefix = match[3];
+    if (!isApiLike(rawPrefix)) continue;
+    const line = getLineNumber(match.index);
+    calls.push({
+      method: match[1].toUpperCase(),
+      path: concatPath(rawPrefix),
+      file: relFile,
+      line,
+      snippet: getSnippet(line),
+      isConcatPath: true
+    });
+  }
+  while ((match = concatFetchRegex.exec(source)) !== null) {
+    const rawPrefix = match[2];
+    if (!isApiLike(rawPrefix)) continue;
+    const tail = match[3] ?? "";
+    const methodMatch = tail.match(/method\s*:\s*['"`](GET|POST|PUT|PATCH|DELETE)['"`]/i);
+    const line = getLineNumber(match.index);
+    calls.push({
+      method: methodMatch ? methodMatch[1].toUpperCase() : "GET",
+      path: concatPath(rawPrefix),
+      file: relFile,
+      line,
+      snippet: getSnippet(line),
+      isConcatPath: true
+    });
+  }
   return calls;
 }
 function normalizePathSegments(p) {
   const withoutQs = p.split("?")[0];
   const segments = withoutQs.split("/").filter(Boolean);
   return segments.map((seg) => {
+    if (seg === "*") return "*";
     if (seg.startsWith(":")) return "*";
     if (seg.includes("${") || seg.includes("{{")) return "*";
     if (/^\d+$/.test(seg)) return "*";
@@ -10451,8 +10486,10 @@ async function verifyCrossStackContract(backendDsl, frontendRoot, opts = {}) {
   const phantom = [];
   const methodMismatch = [];
   const matched = [];
+  const unknownMethodCalls = [];
   const usedEndpointIds = /* @__PURE__ */ new Set();
   for (const call of allCalls) {
+    if (call.method === "UNKNOWN") unknownMethodCalls.push(call);
     const pathMatches = backendEndpoints.filter((ep) => pathsMatch(ep.path, call.path));
     if (pathMatches.length === 0) {
       phantom.push(call);
@@ -10477,7 +10514,9 @@ async function verifyCrossStackContract(backendDsl, frontendRoot, opts = {}) {
     unused,
     methodMismatch,
     matched,
-    totalScannedFiles: files.length
+    unknownMethodCalls,
+    totalScannedFiles: files.length,
+    hasViolations: phantom.length > 0 || methodMismatch.length > 0
   };
 }
 function printCrossStackReport(repoName, report) {
@@ -10486,11 +10525,13 @@ function printCrossStackReport(repoName, report) {
   const phantomCount = report.phantom.length;
   const mismatchCount = report.methodMismatch.length;
   const unusedCount = report.unused.length;
+  const concatCount = report.frontendCalls.filter((c) => c.isConcatPath).length;
+  const concatNote = concatCount > 0 ? ` (${concatCount} via string concat \u2014 approximate)` : "";
   console.log(import_chalk19.default.cyan(`
 \u2500\u2500\u2500 Cross-Stack Contract Verification [${repoName}] \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`));
   console.log(
     import_chalk19.default.gray(
-      `  Scanned ${report.totalScannedFiles} file(s), found ${report.frontendCalls.length} HTTP call(s)`
+      `  Scanned ${report.totalScannedFiles} file(s), found ${report.frontendCalls.length} HTTP call(s)${concatNote}`
     )
   );
   console.log(import_chalk19.default.gray(`  Backend DSL endpoints: ${totalEp}`));
@@ -10532,7 +10573,22 @@ function printCrossStackReport(repoName, report) {
       console.log(import_chalk19.default.gray(`     ... and ${unusedCount - 8} more`));
     }
   }
-  if (phantomCount === 0 && mismatchCount === 0 && unusedCount === 0 && matchedCount === totalEp && totalEp > 0) {
+  if (report.unknownMethodCalls.length > 0) {
+    console.log(
+      import_chalk19.default.gray(
+        `
+  \xB7 Unknown method (${report.unknownMethodCalls.length}): HTTP method could not be determined \u2014 matched permissively`
+      )
+    );
+    for (const call of report.unknownMethodCalls.slice(0, 5)) {
+      console.log(import_chalk19.default.gray(`     UNKNWN ${call.path}`));
+      console.log(import_chalk19.default.gray(`       ${call.file}:${call.line}`));
+    }
+    if (report.unknownMethodCalls.length > 5) {
+      console.log(import_chalk19.default.gray(`     ... and ${report.unknownMethodCalls.length - 5} more`));
+    }
+  }
+  if (!report.hasViolations && unusedCount === 0 && matchedCount === totalEp && totalEp > 0) {
     console.log(import_chalk19.default.green(`
   \u2714 Contract fully aligned \u2014 all ${totalEp} endpoints consumed correctly.`));
   }
@@ -12012,6 +12068,13 @@ async function runMultiRepoPipeline(idea, workspace, opts, currentDir, config2)
           { scopedFiles: fe2.generatedFiles }
         );
         printCrossStackReport(fe2.repoName, report);
+        if (report.hasViolations) {
+          console.log(
+            import_chalk22.default.yellow(
+              `  \u26A0 [W5] ${fe2.repoName} has cross-stack violations (${report.phantom.length} phantom, ${report.methodMismatch.length} method mismatch). Review the report above and fix generated frontend code.`
+            )
+          );
+        }
       } catch (err) {
         console.log(import_chalk22.default.yellow(`  \u26A0 Verification failed for ${fe2.repoName}: ${err.message}`));
       }