api-tests-coverage 1.0.15 → 1.0.17

package/dist/src/pipeline/stages/ast/astStage.js

@@ -47,11 +47,20 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AstStage = void 0;
 const astAnalysisOrchestrator_1 = require("../../../ast/astAnalysisOrchestrator");
 const crossFileResolver_1 = require("./crossFileResolver");
+const crossFileResolutionPass_1 = require("./crossFileResolutionPass");
 const abstractLayerTraversal_1 = require("./abstractLayerTraversal");
 const graphBuilder_1 = require("./graphBuilder");
 const fileClassifier_1 = require("../../../discovery/fileClassifier");
 const projectDiscovery_1 = require("../../../discovery/projectDiscovery");
 const parserRegistry_1 = require("../../../ast/parserRegistry");
+const rulesEnforcer_1 = require("./rulesEnforcer");
+const optionalAuthUnifier_1 = require("./optionalAuthUnifier");
+const expressRouterResolver_1 = require("./resolvers/expressRouterResolver");
+const flaskBlueprintResolver_1 = require("./resolvers/flaskBlueprintResolver");
+const angularInjectionResolver_1 = require("./resolvers/angularInjectionResolver");
+const vuexActionResolver_1 = require("./resolvers/vuexActionResolver");
+const mybatisResolver_1 = require("./resolvers/mybatisResolver");
+const dddLayerResolver_1 = require("./resolvers/dddLayerResolver");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 class AstStage {
@@ -70,7 +79,8 @@ class AstStage {
         const scaOutput = context.stageOutputs.get('sca');
         // Build analysis context
         const analysisContext = (0, astAnalysisOrchestrator_1.buildAnalysisContext)(context.config.astConfig);
-        // Discover all files
+        // Discover all files — XML, GraphQL, and PHP files are included in serviceFiles
+        // via SERVICE_CODE_EXTS in fileClassifier.ts (RULE-SA05, SA06)
         const artifacts = (0, projectDiscovery_1.discoverProject)({ rootDir: context.projectRoot });
         const allSourceFiles = [
             ...artifacts.testFiles,
@@ -130,6 +140,33 @@ class AstStage {
         }
         // Phase 2: Build cross-file symbol table
         const crossFileTable = (0, crossFileResolver_1.buildCrossFileSymbolTable)(models, context.projectRoot);
+        // Phase 2b: Register and run cross-file resolvers (Feature 27)
+        // Clear any stale registrations from prior runs, then register all 6 resolvers
+        (0, crossFileResolutionPass_1.clearCrossFileResolvers)();
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new expressRouterResolver_1.ExpressRouterResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new flaskBlueprintResolver_1.FlaskBlueprintResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new angularInjectionResolver_1.AngularInjectionResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new vuexActionResolver_1.VuexActionResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new mybatisResolver_1.MyBatisResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new dddLayerResolver_1.DddLayerResolver());
+        const crossFileResolutionResult = (0, crossFileResolutionPass_1.runCrossFileResolution)(crossFileTable, context.projectRoot, artifacts.apiFrameworks, allSourceFiles);
+        // Phase 2c: Detect auth coverage gaps (Feature 27)
+        // Collect all endpoints with their security classifications for gap analysis
+        const endpointsForAuthGaps = [];
+        for (const [filePath, model] of crossFileTable.models) {
+            if (!model.routeRegistrations)
+                continue;
+            for (const reg of model.routeRegistrations) {
+                endpointsForAuthGaps.push({
+                    path: reg.path,
+                    security: reg.security,
+                    sourceFile: filePath,
+                });
+            }
+        }
+        const authCoverageGaps = (0, optionalAuthUnifier_1.detectAuthCoverageGaps)(endpointsForAuthGaps, new Set());
+        // Phase 2d: Enforce structure-agnostic rules (Feature 27)
+        const rulesResult = (0, rulesEnforcer_1.enforceStructureAgnosticRules)(crossFileTable, context.projectRoot);
         // Phase 3: Run abstract layer traversal for test files
         const traversalResults = new Map();
         const depthCap = context.config.traversalDepthCap;
@@ -199,6 +236,12 @@ class AstStage {
                 traversalResultCount: traversalResults.size,
                 graphNodesAdded: nodes.length,
                 graphEdgesAdded: edges.length,
+                crossFileResolversRun: crossFileResolutionResult.resolverResults.length,
+                crossFileEntriesAdded: crossFileResolutionResult.totalEntriesAdded,
+                rulesChecked: rulesResult.rulesChecked,
+                rulesPassed: rulesResult.rulesPassed,
+                ruleViolations: rulesResult.violations.length,
+                authCoverageGaps: authCoverageGaps.length,
             },
         };
         context.diagnostics.set('ast', diagnostics);
@@ -209,6 +252,7 @@ class AstStage {
             traversalResults,
             analyzedFiles: filesScanned,
             skippedFiles: filesSkipped,
+            crossFileResolutionDiagnostics: crossFileResolutionResult.resolverResults,
         };
         context.stageOutputs.set('ast', output);
         return output;
@@ -232,7 +276,13 @@ function detectLanguage(filePath, scaOutput) {
         '.kts': 'kotlin',
         '.py': 'python',
         '.rb': 'ruby',
+        '.php': 'php',
         '.feature': 'cucumber',
     };
+    // Handle GraphQL schema files and XML as special-case languages
+    if (ext === '.graphqls' || ext === '.graphql')
+        return 'graphql';
+    if (ext === '.xml')
+        return 'xml';
     return extensionMap[ext];
 }

package/dist/src/pipeline/stages/ast/baseUrlComposer.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Base URL composer (Feature 27, Sub-PR 9)
+ *
+ * Unified URL composition across all frameworks:
+ * - Flask: Blueprint url_prefix + route path
+ * - Express: app.use mount prefix + router path + route path
+ * - Spring: @RequestMapping class-level + method-level
+ * - Angular: environment.apiUrl from environments/environment.ts
+ * - Vue: axios.defaults.baseURL
+ * - Slim PHP: $app->group prefix + route path
+ * - HapiJS: explicit path (no composition needed)
+ *
+ * Normalizes: remove double slashes, ensure single leading slash.
+ */
+/**
+ * Compose a full URL from multiple path segments.
+ * Handles: double slashes, missing leading slashes, trailing slashes.
+ */
+export declare function composeUrl(...segments: (string | undefined)[]): string;
+/**
+ * Normalize a path template: ensure leading slash, remove double slashes,
+ * standardize parameter syntax.
+ */
+export declare function normalizePath(path: string): string;
+/**
+ * Convert framework-specific parameter syntax to OpenAPI-style {param}.
+ *
+ * Flask: <param>, <int:param> → {param}
+ * Express: :param → {param}
+ * Slim PHP: {param} (already correct)
+ * HapiJS: {param} (already correct)
+ * Spring: {param} (already correct)
+ */
+export declare function normalizePathParams(path: string): string;
+/**
+ * Compose full URL for a specific framework's route.
+ */
+export declare function composeFrameworkUrl(framework: string, parts: {
+    baseUrl?: string;
+    classPrefix?: string;
+    mountPrefix?: string;
+    routePath: string;
+}): string;
+//# sourceMappingURL=baseUrlComposer.d.ts.map

package/dist/src/pipeline/stages/ast/baseUrlComposer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseUrlComposer.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/baseUrlComposer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,MAAM,CAyBtE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAkBlD;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQxD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE;IACL,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,MAAM,CAUR"}

package/dist/src/pipeline/stages/ast/baseUrlComposer.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * Base URL composer (Feature 27, Sub-PR 9)
+ *
+ * Unified URL composition across all frameworks:
+ * - Flask: Blueprint url_prefix + route path
+ * - Express: app.use mount prefix + router path + route path
+ * - Spring: @RequestMapping class-level + method-level
+ * - Angular: environment.apiUrl from environments/environment.ts
+ * - Vue: axios.defaults.baseURL
+ * - Slim PHP: $app->group prefix + route path
+ * - HapiJS: explicit path (no composition needed)
+ *
+ * Normalizes: remove double slashes, ensure single leading slash.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.composeUrl = composeUrl;
+exports.normalizePath = normalizePath;
+exports.normalizePathParams = normalizePathParams;
+exports.composeFrameworkUrl = composeFrameworkUrl;
+/**
+ * Compose a full URL from multiple path segments.
+ * Handles: double slashes, missing leading slashes, trailing slashes.
+ */
+function composeUrl(...segments) {
+    const parts = segments
+        .filter((s) => typeof s === 'string' && s.length > 0);
+    if (parts.length === 0)
+        return '/';
+    // Detect protocol in the first segment (e.g. http://, https://)
+    const protocolMatch = parts[0].match(/^(\w+:\/\/)/);
+    let protocol = '';
+    if (protocolMatch) {
+        protocol = protocolMatch[1];
+        parts[0] = parts[0].slice(protocol.length);
+    }
+    const stripped = parts.map((s) => s.replace(/^\/+|\/+$/g, ''));
+    const joined = stripped.join('/');
+    const deduped = joined.replace(/\/+/g, '/');
+    if (protocol) {
+        const normalized = protocol + deduped;
+        return normalized.replace(/\/+$/, '') || protocol;
+    }
+    const normalized = '/' + deduped;
+    return normalized === '/' ? '/' : normalized.replace(/\/+$/, '');
+}
+/**
+ * Normalize a path template: ensure leading slash, remove double slashes,
+ * standardize parameter syntax.
+ */
+function normalizePath(path) {
+    if (!path)
+        return '/';
+    // Ensure leading slash
+    let normalized = path.startsWith('/') ? path : '/' + path;
+    // Remove double slashes (but not from protocol like http://)
+    // First handle leading double slashes
+    normalized = normalized.replace(/^\/\/+/, '/');
+    // Then handle double slashes in the middle
+    normalized = normalized.replace(/([^:])\/\/+/g, '$1/');
+    // Remove trailing slash (unless it's just "/")
+    if (normalized.length > 1) {
+        normalized = normalized.replace(/\/+$/, '');
+    }
+    return normalized;
+}
+/**
+ * Convert framework-specific parameter syntax to OpenAPI-style {param}.
+ *
+ * Flask: <param>, <int:param> → {param}
+ * Express: :param → {param}
+ * Slim PHP: {param} (already correct)
+ * HapiJS: {param} (already correct)
+ * Spring: {param} (already correct)
+ */
+function normalizePathParams(path) {
+    // Flask/Python: <param> or <type:param>
+    let normalized = path.replace(/<(?:\w+:)?(\w+)>/g, '{$1}');
+    // Express: :param (but not :// from URLs)
+    normalized = normalized.replace(/(?<=\/):([\w]+)/g, '{$1}');
+    return normalized;
+}
+/**
+ * Compose full URL for a specific framework's route.
+ */
+function composeFrameworkUrl(framework, parts) {
+    const segments = [];
+    if (parts.baseUrl)
+        segments.push(parts.baseUrl);
+    if (parts.classPrefix)
+        segments.push(parts.classPrefix);
+    if (parts.mountPrefix)
+        segments.push(parts.mountPrefix);
+    segments.push(parts.routePath);
+    const raw = composeUrl(...segments);
+    return normalizePathParams(raw);
+}

package/dist/src/pipeline/stages/ast/crossFileResolutionPass.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Cross-file resolution pass (Feature 27)
+ *
+ * Orchestrates all registered cross-file resolvers after the initial AST
+ * parsing pass. Each resolver enriches the CrossFileSymbolTable with
+ * framework-specific resolution data (Blueprint prefixes, Angular injection
+ * chains, DDD interface mappings, etc.).
+ *
+ * Resolvers are registered via `registerCrossFileResolver()` and discovered
+ * via `getCrossFileResolvers()`. Each resolver implements the `CrossFileResolver`
+ * interface and self-declares which API frameworks it applies to.
+ */
+import type { CrossFileResolver, CrossFileSymbolTable } from './types';
+import type { DetectedApiFramework } from '../../../discovery/frameworkDetector';
+/**
+ * Register a cross-file resolver. Resolvers are run in registration order.
+ */
+export declare function registerCrossFileResolver(resolver: CrossFileResolver): void;
+/**
+ * Return all registered cross-file resolvers.
+ */
+export declare function getCrossFileResolvers(): readonly CrossFileResolver[];
+/**
+ * Clear all registered resolvers (for testing).
+ */
+export declare function clearCrossFileResolvers(): void;
+export interface CrossFileResolutionPassResult {
+    /** Per-resolver diagnostics */
+    resolverResults: Array<{
+        resolverName: string;
+        entriesAdded: number;
+        diagnostics: string[];
+        unresolvedRefs: Array<{
+            ref: string;
+            reason: string;
+        }>;
+    }>;
+    /** Total entries added across all resolvers */
+    totalEntriesAdded: number;
+}
+/**
+ * Run all applicable cross-file resolvers against the symbol table.
+ *
+ * Each resolver mutates the symbol table in place, adding router mounts,
+ * injection chains, interface implementations, and middleware inheritance data.
+ *
+ * @param symbolTable - The cross-file symbol table to enrich
+ * @param projectRoot - Project root directory
+ * @param apiFrameworks - Detected API frameworks
+ * @param allSourceFiles - All source file paths
+ * @returns Aggregated diagnostics from all resolvers
+ */
+export declare function runCrossFileResolution(symbolTable: CrossFileSymbolTable, projectRoot: string, apiFrameworks: DetectedApiFramework[], allSourceFiles: string[]): CrossFileResolutionPassResult;
+//# sourceMappingURL=crossFileResolutionPass.d.ts.map

package/dist/src/pipeline/stages/ast/crossFileResolutionPass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crossFileResolutionPass.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/crossFileResolutionPass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,iBAAiB,EAGjB,oBAAoB,EACrB,MAAM,SAAS,CAAC;AACjB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAMjF;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,IAAI,CAK3E;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,SAAS,iBAAiB,EAAE,CAEpE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AAID,MAAM,WAAW,6BAA6B;IAC5C,+BAA+B;IAC/B,eAAe,EAAE,KAAK,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,cAAc,EAAE,KAAK,CAAC;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KACxD,CAAC,CAAC;IACH,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,oBAAoB,EACjC,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,oBAAoB,EAAE,EACrC,cAAc,EAAE,MAAM,EAAE,GACvB,6BAA6B,CAoC/B"}

package/dist/src/pipeline/stages/ast/crossFileResolutionPass.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * Cross-file resolution pass (Feature 27)
+ *
+ * Orchestrates all registered cross-file resolvers after the initial AST
+ * parsing pass. Each resolver enriches the CrossFileSymbolTable with
+ * framework-specific resolution data (Blueprint prefixes, Angular injection
+ * chains, DDD interface mappings, etc.).
+ *
+ * Resolvers are registered via `registerCrossFileResolver()` and discovered
+ * via `getCrossFileResolvers()`. Each resolver implements the `CrossFileResolver`
+ * interface and self-declares which API frameworks it applies to.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCrossFileResolver = registerCrossFileResolver;
+exports.getCrossFileResolvers = getCrossFileResolvers;
+exports.clearCrossFileResolvers = clearCrossFileResolvers;
+exports.runCrossFileResolution = runCrossFileResolution;
+// ─── Resolver registry ────────────────────────────────────────────────────────
+const resolverRegistry = [];
+/**
+ * Register a cross-file resolver. Resolvers are run in registration order.
+ */
+function registerCrossFileResolver(resolver) {
+    // Avoid duplicate registrations
+    if (!resolverRegistry.some((r) => r.name === resolver.name)) {
+        resolverRegistry.push(resolver);
+    }
+}
+/**
+ * Return all registered cross-file resolvers.
+ */
+function getCrossFileResolvers() {
+    return resolverRegistry;
+}
+/**
+ * Clear all registered resolvers (for testing).
+ */
+function clearCrossFileResolvers() {
+    resolverRegistry.length = 0;
+}
+/**
+ * Run all applicable cross-file resolvers against the symbol table.
+ *
+ * Each resolver mutates the symbol table in place, adding router mounts,
+ * injection chains, interface implementations, and middleware inheritance data.
+ *
+ * @param symbolTable - The cross-file symbol table to enrich
+ * @param projectRoot - Project root directory
+ * @param apiFrameworks - Detected API frameworks
+ * @param allSourceFiles - All source file paths
+ * @returns Aggregated diagnostics from all resolvers
+ */
+function runCrossFileResolution(symbolTable, projectRoot, apiFrameworks, allSourceFiles) {
+    const ctx = {
+        symbolTable,
+        projectRoot,
+        apiFrameworks,
+        allSourceFiles,
+    };
+    const resolverResults = [];
+    let totalEntriesAdded = 0;
+    for (const resolver of resolverRegistry) {
+        // Only run resolvers that apply to the detected frameworks
+        if (!resolver.appliesTo(apiFrameworks))
+            continue;
+        try {
+            const result = resolver.resolve(ctx);
+            resolverResults.push({
+                resolverName: resolver.name,
+                entriesAdded: result.entriesAdded,
+                diagnostics: result.diagnostics,
+                unresolvedRefs: result.unresolvedRefs,
+            });
+            totalEntriesAdded += result.entriesAdded;
+        }
+        catch (err) {
+            // Never let a resolver crash the pipeline
+            resolverResults.push({
+                resolverName: resolver.name,
+                entriesAdded: 0,
+                diagnostics: [`resolver-error: ${err instanceof Error ? err.message : String(err)}`],
+                unresolvedRefs: [],
+            });
+        }
+    }
+    return { resolverResults, totalEntriesAdded };
+}

package/dist/src/pipeline/stages/ast/crossFileResolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crossFileResolver.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/crossFileResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAuC,MAAM,uBAAuB,CAAC;AAChG,OAAO,KAAK,EAAE,oBAAoB,EAAuC,MAAM,SAAS,CAAC;AAGzF;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,WAAW,EAAE,MAAM,GAClB,oBAAoB,CAuDtB;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,oBAAoB,GAC1B,MAAM,GAAG,SAAS,CA4BpB"}
+{"version":3,"file":"crossFileResolver.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/crossFileResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAuC,MAAM,uBAAuB,CAAC;AAChG,OAAO,KAAK,EAAE,oBAAoB,EAAuC,MAAM,SAAS,CAAC;AAGzF;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,WAAW,EAAE,MAAM,GAClB,oBAAoB,CAgEtB;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,oBAAoB,GAC1B,MAAM,GAAG,SAAS,CA4BpB"}

package/dist/src/pipeline/stages/ast/crossFileResolver.js

@@ -63,7 +63,16 @@ function buildCrossFileSymbolTable(models, projectRoot) {
         }
         importGraph.set(filePath, resolvedPaths);
     }
-    return { models, exportedSymbols, classes, importGraph };
+    return {
+        models,
+        exportedSymbols,
+        classes,
+        importGraph,
+        routerMounts: new Map(),
+        injectionChains: new Map(),
+        interfaceImplementations: new Map(),
+        middlewareInheritance: new Map(),
+    };
 }
 /**
  * Resolve a symbol name using the cross-file symbol table.
@@ -98,12 +107,31 @@ function resolveSymbolCrossFile(symbolName, fromFile, table) {
     }
     return undefined;
 }
+/** Built-in objects that should never be treated as import module names */
+const BUILTIN_OBJECTS = new Set([
+    'console', 'math', 'json', 'object', 'array', 'promise', 'date',
+    'string', 'number', 'boolean', 'symbol', 'regexp', 'error', 'map',
+    'set', 'weakmap', 'weakset', 'proxy', 'reflect', 'intl',
+    'arraybuffer', 'sharedarraybuffer', 'atomics', 'dataview',
+    'this', 'self', 'super', 'window', 'document', 'process',
+    'global', 'globalthis', 'module', 'exports', 'require',
+    '__dirname', '__filename',
+]);
 /**
  * Extract import declarations from a semantic model.
  * This is a heuristic extraction — real import extraction would come from the AST.
  */
 function extractImportsFromModel(filePath, model, projectRoot) {
     const imports = [];
+    // Build a set of known identifiers from the model (constants and local variables)
+    // These are the names that could plausibly be import aliases
+    const knownIdentifiers = new Set();
+    for (const [name] of model.constants) {
+        knownIdentifiers.add(name);
+    }
+    for (const [name] of model.localVariables) {
+        knownIdentifiers.add(name);
+    }
     // Use functions' calledFunctions to infer cross-file references
     for (const [, func] of model.functions) {
         for (const calledName of func.calledFunctions) {
@@ -111,6 +139,16 @@ function extractImportsFromModel(filePath, model, projectRoot) {
             const dotIndex = calledName.indexOf('.');
             if (dotIndex > 0) {
                 const modulePart = calledName.substring(0, dotIndex);
+                // Skip common built-in objects that are never import sources
+                if (BUILTIN_OBJECTS.has(modulePart.toLowerCase())) {
+                    continue;
+                }
+                // Only treat as an import if the prefix matches a known identifier
+                // (constant or local variable) in this file, which is how import
+                // aliases typically appear in the semantic model
+                if (!knownIdentifiers.has(modulePart)) {
+                    continue;
+                }
                 const resolvedPath = (0, importResolver_1.resolveImportPath)(`./${modulePart}`, filePath, projectRoot, model.language);
                 if (resolvedPath) {
                     imports.push({

package/dist/src/pipeline/stages/ast/graphBuilder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/graphBuilder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAoB,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AACtG,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAIrE;;GAEG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,cAAc,EAAE,oBAAoB,EACpC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,EAC9C,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,GACnD;IAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAAC,KAAK,EAAE,SAAS,EAAE,CAAA;CAAE,CAsN5C"}
+{"version":3,"file":"graphBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/graphBuilder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAoB,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AACtG,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAiB,MAAM,aAAa,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAIrE;;GAEG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,cAAc,EAAE,oBAAoB,EACpC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,EAC9C,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,GACnD;IAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAAC,KAAK,EAAE,SAAS,EAAE,CAAA;CAAE,CA4S5C"}

package/dist/src/pipeline/stages/ast/graphBuilder.js

@@ -60,6 +60,28 @@ function buildAstGraph(models, crossFileTable, traversalResults, interactions) {
         addedEdgeIds.add(edge.id);
         edges.push(edge);
     }
+    /**
+     * Ensure a node exists in the graph. If the node ID is not yet present,
+     * create a stub node flagged as cross-file-unresolved (spec §2.3).
+     * Confidence on stub nodes is capped at 'low'.
+     */
+    function ensureNodeExists(nodeId, missingFilePath, nodeType) {
+        if (addedNodeIds.has(nodeId))
+            return nodeId;
+        addNode({
+            id: nodeId,
+            type: nodeType,
+            label: `[unresolved] ${path.basename(missingFilePath)}`,
+            sourceStage: 'ast',
+            filePath: missingFilePath,
+            metadata: {
+                resolution: 'cross-file-unresolved',
+                confidence: 'low',
+                diagnostic: `Cross-file resolution failed: file "${missingFilePath}" was not found in parsed models`,
+            },
+        });
+        return nodeId;
+    }
     // 1. Create file nodes for every parsed file
     for (const [filePath, model] of models) {
         const basename = path.basename(filePath);
@@ -241,6 +263,65 @@ function buildAstGraph(models, crossFileTable, traversalResults, interactions) {
             });
         }
     }
+    // 7. Feature 27: Create router mount edges
+    for (const [filePath, mounts] of crossFileTable.routerMounts) {
+        const sourceId = `file:${filePath}`;
+        if (!addedNodeIds.has(sourceId))
+            continue;
+        for (const mount of mounts) {
+            const targetId = `file:${mount.targetModulePath}`;
+            // Create edge even if target not parsed (creates stub node for missing files)
+            addEdge({
+                id: `${sourceId}->mounts->${mount.prefix}:${mount.targetModulePath}`,
+                type: 'router-mount',
+                sourceNodeId: sourceId,
+                targetNodeId: ensureNodeExists(targetId, mount.targetModulePath, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    prefix: mount.prefix,
+                    targetModule: mount.targetModulePath,
+                    middlewareCount: mount.middleware.length,
+                },
+            });
+        }
+    }
+    // 8. Feature 27: Create injection chain edges
+    for (const [consumerFile, chains] of crossFileTable.injectionChains) {
+        for (const chain of chains) {
+            const consumerNodeId = `file:${chain.consumerFile}`;
+            const serviceNodeId = `file:${chain.serviceFile}`;
+            addEdge({
+                id: `${consumerNodeId}->injects->${chain.serviceClass}:${chain.serviceFile}`,
+                type: 'injects',
+                sourceNodeId: ensureNodeExists(consumerNodeId, chain.consumerFile, 'file'),
+                targetNodeId: ensureNodeExists(serviceNodeId, chain.serviceFile, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    consumerClass: chain.consumerClass,
+                    serviceClass: chain.serviceClass,
+                    injectionStyle: chain.injectionStyle,
+                },
+            });
+        }
+    }
+    // 9. Feature 27: Create interface implementation edges
+    for (const [ifaceFile, impls] of crossFileTable.interfaceImplementations) {
+        for (const impl of impls) {
+            const ifaceNodeId = `file:${impl.interfaceFile}`;
+            const implNodeId = `file:${impl.implFile}`;
+            addEdge({
+                id: `${implNodeId}->implements->${impl.interfaceName}:${impl.interfaceFile}`,
+                type: 'implements',
+                sourceNodeId: ensureNodeExists(implNodeId, impl.implFile, 'file'),
+                targetNodeId: ensureNodeExists(ifaceNodeId, impl.interfaceFile, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    interfaceName: impl.interfaceName,
+                    implName: impl.implName,
+                },
+            });
+        }
+    }
     return { nodes, edges };
 }
 /**

package/dist/src/pipeline/stages/ast/optionalAuthUnifier.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Optional auth unifier (Feature 27, Sub-PR 9)
+ *
+ * Normalizes all framework-specific auth classifications to a unified SecurityClassification.
+ * Maps framework-specific patterns:
+ *   Flask @jwt_optional → { optional: true }
+ *   Express auth.optional / credentialsRequired: false → { optional: true }
+ *   HapiJS auth: { mode: 'try' } → { optional: true }
+ *   Spring @PreAuthorize → { required: true }
+ *   Slim PHP optionalAuth → { optional: true }, jwt/auth → { required: true }
+ *   Angular canActivate:none → { optional: true } (interceptor-based)
+ *   NestJS @UseGuards → { required: true }
+ */
+import type { SecurityClassification } from '../../../ast/astTypes';
+export interface AuthClassificationEntry {
+    framework: string;
+    sourcePattern: string;
+    classification: SecurityClassification;
+}
+/**
+ * Framework-specific auth pattern → unified SecurityClassification.
+ */
+export declare function unifyAuthClassification(framework: string, pattern: string): SecurityClassification | undefined;
+/**
+ * Detect auth coverage gaps.
+ */
+export interface AuthCoverageGap {
+    type: 'missing-401-test' | 'missing-optional-dual-path';
+    endpointPath: string;
+    security: SecurityClassification;
+    sourceFile: string;
+}
+/**
+ * Analyze auth coverage gaps in endpoints vs tests.
+ */
+export declare function detectAuthCoverageGaps(endpoints: Array<{
+    path: string;
+    security?: SecurityClassification;
+    sourceFile: string;
+}>, testAssertionPaths: Set<string>): AuthCoverageGap[];
+//# sourceMappingURL=optionalAuthUnifier.d.ts.map

package/dist/src/pipeline/stages/ast/optionalAuthUnifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"optionalAuthUnifier.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/optionalAuthUnifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAEpE,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,sBAAsB,CAAC;CACxC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,sBAAsB,GAAG,SAAS,CA6DpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,kBAAkB,GAAG,4BAA4B,CAAC;IACxD,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,sBAAsB,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,EACzF,kBAAkB,EAAE,GAAG,CAAC,MAAM,CAAC,GAC9B,eAAe,EAAE,CA0BnB"}