api-tests-coverage 1.0.16 → 1.0.17

package/dist/src/pipeline/confidence.js

@@ -151,8 +151,13 @@ function hasPartialResolution(graph, pathNodeIds) {
 /**
  * Build a ConfidenceEvidence object from a coverage path in the graph.
  * Inspects the nodes and their source stages to determine what evidence exists.
+ *
+ * Optional `iastConfirmed` and `dastConfirmed` flags allow the caller to
+ * inject runtime confirmation state that may not be discoverable by walking
+ * `pathNodeIds` alone (e.g. when IAST/DAST nodes are not directly on the
+ * endpoint→test path in the graph).
  */
-function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode) {
+function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode, iastConfirmed, dastConfirmed) {
     var _a, _b;
     const sourceStages = new Set();
     let hasIastConfirmation = false;
@@ -187,8 +192,8 @@ function buildConfidenceEvidence(graph, pathNodeIds, isStaticOnlyMode) {
     }
     return {
         sourceStages: Array.from(sourceStages),
-        hasIastConfirmation,
-        hasDastConfirmation,
+        hasIastConfirmation: hasIastConfirmation || (iastConfirmed !== null && iastConfirmed !== void 0 ? iastConfirmed : false),
+        hasDastConfirmation: hasDastConfirmation || (dastConfirmed !== null && dastConfirmed !== void 0 ? dastConfirmed : false),
         hasAssertionConfirmation,
         hasMockBoundary,
         hasPartialResolution: hasPartial,

package/dist/src/pipeline/graph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../../src/pipeline/graph.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,qBAAa,sBAAsB;IACjC,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,KAAK,CAAqC;IAIlD,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,SAAS,EAAE;IAI9C,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,mDAAmD;IACnD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIzC,8CAA8C;IAC9C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIvC,sEAAsE;IACtE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE;IAQ9D,wCAAwC;IACxC,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE;IA4B5E;;;OAGG;IACH,iBAAiB,CACf,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,aAAa,GACtB,OAAO;IAiCV;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,sBAAsB,GAAG,YAAY,EAAE;IAwCpD,cAAc,IAAI;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE;IAO5D,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,sBAAsB;IAajG,KAAK,IAAI,IAAI;CAId"}
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../../src/pipeline/graph.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,SAAS,EACV,MAAM,SAAS,CAAC;AAEjB,qBAAa,sBAAsB;IACjC,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,KAAK,CAAqC;IAIlD,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAa/B,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,eAAe,CAAC,KAAK,EAAE,SAAS,GAAG,SAAS,EAAE;IAI9C,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAI1C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI5B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI/B,mDAAmD;IACnD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIzC,8CAA8C;IAC9C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE;IAIvC,sEAAsE;IACtE,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE;IAQ9D,wCAAwC;IACxC,cAAc,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,EAAE;IAIhD,WAAW,IAAI,SAAS,EAAE;IAI1B,IAAI,SAAS,IAAI,MAAM,CAEtB;IAID;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE;IA4B5E;;;OAGG;IACH,iBAAiB,CACf,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,aAAa,GACtB,OAAO;IAmCV;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,sBAAsB,GAAG,YAAY,EAAE;IAwCpD,cAAc,IAAI;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE;IAO5D,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE,GAAG,sBAAsB;IAajG,KAAK,IAAI,IAAI;CAId"}

package/dist/src/pipeline/graph.js

@@ -23,7 +23,16 @@ class CoverageKnowledgeGraph {
         return this.nodes.has(id);
     }
     removeNode(id) {
-        return this.nodes.delete(id);
+        const deleted = this.nodes.delete(id);
+        if (deleted) {
+            // Remove all edges that reference this node to avoid dangling edges
+            for (const [edgeId, edge] of this.edges) {
+                if (edge.sourceNodeId === id || edge.targetNodeId === id) {
+                    this.edges.delete(edgeId);
+                }
+            }
+        }
+        return deleted;
     }
     getNodesByType(type) {
         return Array.from(this.nodes.values()).filter((n) => n.type === type);
@@ -112,9 +121,11 @@ class CoverageKnowledgeGraph {
         while (queue.length > 0) {
             const path = queue.shift();
             const currentId = path[path.length - 1];
-            if (visited.has(currentId))
+            // Don't skip endId — we need to check every path that arrives at it
+            if (currentId !== endId && visited.has(currentId))
                 continue;
-            visited.add(currentId);
+            if (currentId !== endId)
+                visited.add(currentId);
             if (currentId === endId) {
                 // Check interior nodes (not start or end)
                 for (let i = 1; i < path.length - 1; i++) {
@@ -122,7 +133,8 @@ class CoverageKnowledgeGraph {
                     if ((node === null || node === void 0 ? void 0 : node.type) === nodeType)
                         return true;
                 }
-                return false;
+                // Don't return false here — other paths may still contain the node type
+                continue;
             }
             const outEdges = this.getEdgesFrom(currentId);
             for (const edge of outEdges) {

package/dist/src/pipeline/stages/ast/astStage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"astStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/astStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAmB9C,qBAAa,QAAS,YAAW,aAAa,CAAC,cAAc,CAAC;IAC5D,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAU;IAC/B,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAoLjE"}
+{"version":3,"file":"astStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/astStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AA2B9C,qBAAa,QAAS,YAAW,aAAa,CAAC,cAAc,CAAC;IAC5D,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAU;IAC/B,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CAoNjE"}

package/dist/src/pipeline/stages/ast/astStage.js

@@ -53,6 +53,14 @@ const graphBuilder_1 = require("./graphBuilder");
 const fileClassifier_1 = require("../../../discovery/fileClassifier");
 const projectDiscovery_1 = require("../../../discovery/projectDiscovery");
 const parserRegistry_1 = require("../../../ast/parserRegistry");
+const rulesEnforcer_1 = require("./rulesEnforcer");
+const optionalAuthUnifier_1 = require("./optionalAuthUnifier");
+const expressRouterResolver_1 = require("./resolvers/expressRouterResolver");
+const flaskBlueprintResolver_1 = require("./resolvers/flaskBlueprintResolver");
+const angularInjectionResolver_1 = require("./resolvers/angularInjectionResolver");
+const vuexActionResolver_1 = require("./resolvers/vuexActionResolver");
+const mybatisResolver_1 = require("./resolvers/mybatisResolver");
+const dddLayerResolver_1 = require("./resolvers/dddLayerResolver");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 class AstStage {
@@ -71,7 +79,8 @@ class AstStage {
         const scaOutput = context.stageOutputs.get('sca');
         // Build analysis context
         const analysisContext = (0, astAnalysisOrchestrator_1.buildAnalysisContext)(context.config.astConfig);
-        // Discover all files
+        // Discover all files — XML, GraphQL, and PHP files are included in serviceFiles
+        // via SERVICE_CODE_EXTS in fileClassifier.ts (RULE-SA05, SA06)
         const artifacts = (0, projectDiscovery_1.discoverProject)({ rootDir: context.projectRoot });
         const allSourceFiles = [
             ...artifacts.testFiles,
@@ -131,8 +140,33 @@ class AstStage {
         }
         // Phase 2: Build cross-file symbol table
         const crossFileTable = (0, crossFileResolver_1.buildCrossFileSymbolTable)(models, context.projectRoot);
-        // Phase 2b: Run cross-file resolution pass (Feature 27)
+        // Phase 2b: Register and run cross-file resolvers (Feature 27)
+        // Clear any stale registrations from prior runs, then register all 6 resolvers
+        (0, crossFileResolutionPass_1.clearCrossFileResolvers)();
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new expressRouterResolver_1.ExpressRouterResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new flaskBlueprintResolver_1.FlaskBlueprintResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new angularInjectionResolver_1.AngularInjectionResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new vuexActionResolver_1.VuexActionResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new mybatisResolver_1.MyBatisResolver());
+        (0, crossFileResolutionPass_1.registerCrossFileResolver)(new dddLayerResolver_1.DddLayerResolver());
         const crossFileResolutionResult = (0, crossFileResolutionPass_1.runCrossFileResolution)(crossFileTable, context.projectRoot, artifacts.apiFrameworks, allSourceFiles);
+        // Phase 2c: Detect auth coverage gaps (Feature 27)
+        // Collect all endpoints with their security classifications for gap analysis
+        const endpointsForAuthGaps = [];
+        for (const [filePath, model] of crossFileTable.models) {
+            if (!model.routeRegistrations)
+                continue;
+            for (const reg of model.routeRegistrations) {
+                endpointsForAuthGaps.push({
+                    path: reg.path,
+                    security: reg.security,
+                    sourceFile: filePath,
+                });
+            }
+        }
+        const authCoverageGaps = (0, optionalAuthUnifier_1.detectAuthCoverageGaps)(endpointsForAuthGaps, new Set());
+        // Phase 2d: Enforce structure-agnostic rules (Feature 27)
+        const rulesResult = (0, rulesEnforcer_1.enforceStructureAgnosticRules)(crossFileTable, context.projectRoot);
         // Phase 3: Run abstract layer traversal for test files
         const traversalResults = new Map();
         const depthCap = context.config.traversalDepthCap;
@@ -204,6 +238,10 @@ class AstStage {
                 graphEdgesAdded: edges.length,
                 crossFileResolversRun: crossFileResolutionResult.resolverResults.length,
                 crossFileEntriesAdded: crossFileResolutionResult.totalEntriesAdded,
+                rulesChecked: rulesResult.rulesChecked,
+                rulesPassed: rulesResult.rulesPassed,
+                ruleViolations: rulesResult.violations.length,
+                authCoverageGaps: authCoverageGaps.length,
             },
         };
         context.diagnostics.set('ast', diagnostics);
@@ -238,7 +276,13 @@ function detectLanguage(filePath, scaOutput) {
         '.kts': 'kotlin',
         '.py': 'python',
         '.rb': 'ruby',
+        '.php': 'php',
         '.feature': 'cucumber',
     };
+    // Handle GraphQL schema files and XML as special-case languages
+    if (ext === '.graphqls' || ext === '.graphql')
+        return 'graphql';
+    if (ext === '.xml')
+        return 'xml';
     return extensionMap[ext];
 }

package/dist/src/pipeline/stages/ast/baseUrlComposer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"baseUrlComposer.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/baseUrlComposer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,MAAM,CAStE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAkBlD;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQxD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE;IACL,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,MAAM,CAUR"}
+{"version":3,"file":"baseUrlComposer.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/baseUrlComposer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,QAAQ,EAAE,CAAC,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,MAAM,CAyBtE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAkBlD;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQxD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE;IACL,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,MAAM,CAUR"}

package/dist/src/pipeline/stages/ast/baseUrlComposer.js

@@ -24,10 +24,24 @@ exports.composeFrameworkUrl = composeFrameworkUrl;
  */
 function composeUrl(...segments) {
     const parts = segments
-        .filter((s) => typeof s === 'string' && s.length > 0)
-        .map((s) => s.replace(/^\/+|\/+$/g, ''));
-    const joined = parts.join('/');
-    const normalized = '/' + joined.replace(/\/+/g, '/');
+        .filter((s) => typeof s === 'string' && s.length > 0);
+    if (parts.length === 0)
+        return '/';
+    // Detect protocol in the first segment (e.g. http://, https://)
+    const protocolMatch = parts[0].match(/^(\w+:\/\/)/);
+    let protocol = '';
+    if (protocolMatch) {
+        protocol = protocolMatch[1];
+        parts[0] = parts[0].slice(protocol.length);
+    }
+    const stripped = parts.map((s) => s.replace(/^\/+|\/+$/g, ''));
+    const joined = stripped.join('/');
+    const deduped = joined.replace(/\/+/g, '/');
+    if (protocol) {
+        const normalized = protocol + deduped;
+        return normalized.replace(/\/+$/, '') || protocol;
+    }
+    const normalized = '/' + deduped;
     return normalized === '/' ? '/' : normalized.replace(/\/+$/, '');
 }
 /**

package/dist/src/pipeline/stages/ast/crossFileResolver.js

@@ -107,12 +107,31 @@ function resolveSymbolCrossFile(symbolName, fromFile, table) {
     }
     return undefined;
 }
+/** Built-in objects that should never be treated as import module names */
+const BUILTIN_OBJECTS = new Set([
+    'console', 'math', 'json', 'object', 'array', 'promise', 'date',
+    'string', 'number', 'boolean', 'symbol', 'regexp', 'error', 'map',
+    'set', 'weakmap', 'weakset', 'proxy', 'reflect', 'intl',
+    'arraybuffer', 'sharedarraybuffer', 'atomics', 'dataview',
+    'this', 'self', 'super', 'window', 'document', 'process',
+    'global', 'globalthis', 'module', 'exports', 'require',
+    '__dirname', '__filename',
+]);
 /**
  * Extract import declarations from a semantic model.
  * This is a heuristic extraction — real import extraction would come from the AST.
  */
 function extractImportsFromModel(filePath, model, projectRoot) {
     const imports = [];
+    // Build a set of known identifiers from the model (constants and local variables)
+    // These are the names that could plausibly be import aliases
+    const knownIdentifiers = new Set();
+    for (const [name] of model.constants) {
+        knownIdentifiers.add(name);
+    }
+    for (const [name] of model.localVariables) {
+        knownIdentifiers.add(name);
+    }
     // Use functions' calledFunctions to infer cross-file references
     for (const [, func] of model.functions) {
         for (const calledName of func.calledFunctions) {
@@ -120,6 +139,16 @@ function extractImportsFromModel(filePath, model, projectRoot) {
             const dotIndex = calledName.indexOf('.');
             if (dotIndex > 0) {
                 const modulePart = calledName.substring(0, dotIndex);
+                // Skip common built-in objects that are never import sources
+                if (BUILTIN_OBJECTS.has(modulePart.toLowerCase())) {
+                    continue;
+                }
+                // Only treat as an import if the prefix matches a known identifier
+                // (constant or local variable) in this file, which is how import
+                // aliases typically appear in the semantic model
+                if (!knownIdentifiers.has(modulePart)) {
+                    continue;
+                }
                 const resolvedPath = (0, importResolver_1.resolveImportPath)(`./${modulePart}`, filePath, projectRoot, model.language);
                 if (resolvedPath) {
                     imports.push({

package/dist/src/pipeline/stages/ast/graphBuilder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/graphBuilder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAoB,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AACtG,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAIrE;;GAEG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,cAAc,EAAE,oBAAoB,EACpC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,EAC9C,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,GACnD;IAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAAC,KAAK,EAAE,SAAS,EAAE,CAAA;CAAE,CAsN5C"}
+{"version":3,"file":"graphBuilder.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/graphBuilder.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAoB,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AACtG,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAiB,MAAM,aAAa,CAAC;AACvE,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAIrE;;GAEG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,EAClC,cAAc,EAAE,oBAAoB,EACpC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,EAC9C,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,GACnD;IAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAAC,KAAK,EAAE,SAAS,EAAE,CAAA;CAAE,CA4S5C"}

package/dist/src/pipeline/stages/ast/graphBuilder.js

@@ -60,6 +60,28 @@ function buildAstGraph(models, crossFileTable, traversalResults, interactions) {
         addedEdgeIds.add(edge.id);
         edges.push(edge);
     }
+    /**
+     * Ensure a node exists in the graph. If the node ID is not yet present,
+     * create a stub node flagged as cross-file-unresolved (spec §2.3).
+     * Confidence on stub nodes is capped at 'low'.
+     */
+    function ensureNodeExists(nodeId, missingFilePath, nodeType) {
+        if (addedNodeIds.has(nodeId))
+            return nodeId;
+        addNode({
+            id: nodeId,
+            type: nodeType,
+            label: `[unresolved] ${path.basename(missingFilePath)}`,
+            sourceStage: 'ast',
+            filePath: missingFilePath,
+            metadata: {
+                resolution: 'cross-file-unresolved',
+                confidence: 'low',
+                diagnostic: `Cross-file resolution failed: file "${missingFilePath}" was not found in parsed models`,
+            },
+        });
+        return nodeId;
+    }
     // 1. Create file nodes for every parsed file
     for (const [filePath, model] of models) {
         const basename = path.basename(filePath);
@@ -241,6 +263,65 @@ function buildAstGraph(models, crossFileTable, traversalResults, interactions) {
             });
         }
     }
+    // 7. Feature 27: Create router mount edges
+    for (const [filePath, mounts] of crossFileTable.routerMounts) {
+        const sourceId = `file:${filePath}`;
+        if (!addedNodeIds.has(sourceId))
+            continue;
+        for (const mount of mounts) {
+            const targetId = `file:${mount.targetModulePath}`;
+            // Create edge even if target not parsed (creates stub node for missing files)
+            addEdge({
+                id: `${sourceId}->mounts->${mount.prefix}:${mount.targetModulePath}`,
+                type: 'router-mount',
+                sourceNodeId: sourceId,
+                targetNodeId: ensureNodeExists(targetId, mount.targetModulePath, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    prefix: mount.prefix,
+                    targetModule: mount.targetModulePath,
+                    middlewareCount: mount.middleware.length,
+                },
+            });
+        }
+    }
+    // 8. Feature 27: Create injection chain edges
+    for (const [consumerFile, chains] of crossFileTable.injectionChains) {
+        for (const chain of chains) {
+            const consumerNodeId = `file:${chain.consumerFile}`;
+            const serviceNodeId = `file:${chain.serviceFile}`;
+            addEdge({
+                id: `${consumerNodeId}->injects->${chain.serviceClass}:${chain.serviceFile}`,
+                type: 'injects',
+                sourceNodeId: ensureNodeExists(consumerNodeId, chain.consumerFile, 'file'),
+                targetNodeId: ensureNodeExists(serviceNodeId, chain.serviceFile, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    consumerClass: chain.consumerClass,
+                    serviceClass: chain.serviceClass,
+                    injectionStyle: chain.injectionStyle,
+                },
+            });
+        }
+    }
+    // 9. Feature 27: Create interface implementation edges
+    for (const [ifaceFile, impls] of crossFileTable.interfaceImplementations) {
+        for (const impl of impls) {
+            const ifaceNodeId = `file:${impl.interfaceFile}`;
+            const implNodeId = `file:${impl.implFile}`;
+            addEdge({
+                id: `${implNodeId}->implements->${impl.interfaceName}:${impl.interfaceFile}`,
+                type: 'implements',
+                sourceNodeId: ensureNodeExists(implNodeId, impl.implFile, 'file'),
+                targetNodeId: ensureNodeExists(ifaceNodeId, impl.interfaceFile, 'file'),
+                sourceStage: 'ast',
+                metadata: {
+                    interfaceName: impl.interfaceName,
+                    implName: impl.implName,
+                },
+            });
+        }
+    }
     return { nodes, edges };
 }
 /**

package/dist/src/pipeline/stages/ast/optionalAuthUnifier.d.ts

@@ -7,7 +7,9 @@
  *   Express auth.optional / credentialsRequired: false → { optional: true }
  *   HapiJS auth: { mode: 'try' } → { optional: true }
  *   Spring @PreAuthorize → { required: true }
- *   Angular route guard → depends on guard type
+ *   Slim PHP optionalAuth → { optional: true }, jwt/auth → { required: true }
+ *   Angular canActivate:none → { optional: true } (interceptor-based)
+ *   NestJS @UseGuards → { required: true }
  */
 import type { SecurityClassification } from '../../../ast/astTypes';
 export interface AuthClassificationEntry {

package/dist/src/pipeline/stages/ast/optionalAuthUnifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"optionalAuthUnifier.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/optionalAuthUnifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAEpE,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,sBAAsB,CAAC;CACxC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,sBAAsB,GAAG,SAAS,CAwCpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,kBAAkB,GAAG,4BAA4B,CAAC;IACxD,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,sBAAsB,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,EACzF,kBAAkB,EAAE,GAAG,CAAC,MAAM,CAAC,GAC9B,eAAe,EAAE,CA0BnB"}
+{"version":3,"file":"optionalAuthUnifier.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/ast/optionalAuthUnifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAEpE,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,sBAAsB,CAAC;CACxC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,sBAAsB,GAAG,SAAS,CA6DpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,kBAAkB,GAAG,4BAA4B,CAAC;IACxD,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,sBAAsB,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,EACzF,kBAAkB,EAAE,GAAG,CAAC,MAAM,CAAC,GAC9B,eAAe,EAAE,CA0BnB"}

package/dist/src/pipeline/stages/ast/optionalAuthUnifier.js

@@ -8,7 +8,9 @@
  *   Express auth.optional / credentialsRequired: false → { optional: true }
  *   HapiJS auth: { mode: 'try' } → { optional: true }
  *   Spring @PreAuthorize → { required: true }
- *   Angular route guard → depends on guard type
+ *   Slim PHP optionalAuth → { optional: true }, jwt/auth → { required: true }
+ *   Angular canActivate:none → { optional: true } (interceptor-based)
+ *   NestJS @UseGuards → { required: true }
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.unifyAuthClassification = unifyAuthClassification;
@@ -18,36 +20,54 @@ exports.detectAuthCoverageGaps = detectAuthCoverageGaps;
  */
 function unifyAuthClassification(framework, pattern) {
     const key = `${framework}:${pattern}`.toLowerCase();
-    // Flask patterns
-    if (key.includes('flask:@jwt_required') || key.includes('flask:jwt_required')) {
+    // Flask patterns — use word-boundary regex to avoid matching e.g. "@jwt_required_custom"
+    if (/^flask:@?jwt_required\b/.test(key)) {
         return { type: 'jwt', required: true, optional: false, sourcePattern: pattern };
     }
-    if (key.includes('flask:@jwt_optional') || key.includes('flask:jwt_optional')) {
+    if (/^flask:@?jwt_optional\b/.test(key)) {
         return { type: 'jwt', required: false, optional: true, sourcePattern: pattern };
     }
-    if (key.includes('flask:@login_required') || key.includes('flask:login_required')) {
+    if (/^flask:@?login_required\b/.test(key)) {
         return { type: 'session', required: true, optional: false, sourcePattern: pattern };
     }
-    // Express patterns
-    if (key.includes('express:auth.required') || key.includes('express:credentialsrequired: true')) {
+    // Express patterns — use word-boundary regex for precise matching
+    if (/^express:auth\.required\b/.test(key) || /^express:credentialsrequired:\s*true\b/.test(key)) {
         return { type: 'jwt', required: true, optional: false, sourcePattern: pattern };
     }
-    if (key.includes('express:auth.optional') || key.includes('express:credentialsrequired: false')) {
+    if (/^express:auth\.optional\b/.test(key) || /^express:credentialsrequired:\s*false\b/.test(key)) {
         return { type: 'jwt', required: false, optional: true, sourcePattern: pattern };
     }
-    if (key.includes('express:passport.authenticate')) {
+    if (/^express:passport\.authenticate\b/.test(key)) {
         return { type: 'jwt', required: true, optional: false, sourcePattern: pattern };
     }
     // HapiJS patterns (framework may be 'hapi' or 'hapijs')
-    const isHapi = key.startsWith('hapi:') || key.startsWith('hapijs:');
-    if (isHapi && key.includes('auth') && key.includes('mode') && (key.includes('try') || key.includes('optional'))) {
+    const isHapi = /^hapi(?:js)?:/.test(key);
+    if (isHapi && /\bauth\b/.test(key) && /\bmode\b/.test(key) && (/\btry\b/.test(key) || /\boptional\b/.test(key))) {
         return { type: 'jwt', required: false, optional: true, sourcePattern: pattern };
     }
-    if (isHapi && key.includes('auth') && !key.includes('false') && !key.includes('try') && !key.includes('optional')) {
+    if (isHapi && /\bauth\b/.test(key) && !/\bfalse\b/.test(key) && !/\btry\b/.test(key) && !/\boptional\b/.test(key)) {
         return { type: 'jwt', required: true, optional: false, sourcePattern: pattern };
     }
-    // Spring patterns
-    if (key.includes('spring:@preauthorize') || key.includes('spring:@secured')) {
+    // Spring patterns — include @RolesAllowed and @WithMockUser
+    if (/^spring:@?preauthorize\b/.test(key) || /^spring:@?secured\b/.test(key) || /^spring:@?rolesallowed\b/.test(key)) {
+        return { type: 'custom', required: true, optional: false, sourcePattern: pattern };
+    }
+    if (/^spring:@?withmockuser\b/.test(key)) {
+        return { type: 'custom', required: true, optional: false, sourcePattern: pattern };
+    }
+    // Slim PHP patterns — slim:optionalAuth is optional, slim:jwt or slim:auth is required
+    if (/^slim:optionalauth\b/.test(key)) {
+        return { type: 'jwt', required: false, optional: true, sourcePattern: pattern };
+    }
+    if (/^slim:(?:jwt|auth)\b/.test(key)) {
+        return { type: 'jwt', required: true, optional: false, sourcePattern: pattern };
+    }
+    // Angular patterns — canActivate:none (no guard) with interceptor tokens is optional
+    if (/^angular:canactivate:none\b/.test(key)) {
+        return { type: 'custom', required: false, optional: true, sourcePattern: pattern };
+    }
+    // NestJS patterns — @UseGuards is required auth
+    if (/^nestjs:@?useguards\b/.test(key)) {
         return { type: 'custom', required: true, optional: false, sourcePattern: pattern };
     }
     return undefined;

package/dist/src/pipeline/stages/ast/resolvers/angularInjectionResolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"angularInjectionResolver.d.ts","sourceRoot":"","sources":["../../../../../../src/pipeline/stages/ast/resolvers/angularInjectionResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,0BAA0B,EAC1B,yBAAyB,EAC1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yCAAyC,CAAC;AAEpF,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE,QAAQ,CAAC,IAAI,uBAAuB;IAEpC,SAAS,CAAC,UAAU,EAAE,oBAAoB,EAAE,GAAG,OAAO;IAItD,OAAO,CAAC,GAAG,EAAE,0BAA0B,GAAG,yBAAyB;CA0CpE"}
+{"version":3,"file":"angularInjectionResolver.d.ts","sourceRoot":"","sources":["../../../../../../src/pipeline/stages/ast/resolvers/angularInjectionResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,0BAA0B,EAC1B,yBAAyB,EAC1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yCAAyC,CAAC;AAEpF,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE,QAAQ,CAAC,IAAI,uBAAuB;IAEpC,SAAS,CAAC,UAAU,EAAE,oBAAoB,EAAE,GAAG,OAAO;IAItD,OAAO,CAAC,GAAG,EAAE,0BAA0B,GAAG,yBAAyB;CAyCpE"}

package/dist/src/pipeline/stages/ast/resolvers/angularInjectionResolver.js

@@ -24,9 +24,7 @@ class AngularInjectionResolver {
         const unresolvedRefs = [];
         // Build injection chains from class registry
         for (const [className, classInfo] of ctx.symbolTable.classes) {
-            // If class implements interfaces, it may be a service
-            if (!classInfo.implementsInterfaces)
-                continue;
+            // Check any class that has a model — Angular services typically don't implement interfaces
             // Look for classes that have methods making HTTP calls
             const model = ctx.symbolTable.models.get(classInfo.filePath);
             if (!model)
@@ -73,5 +71,26 @@ function findConsumers(serviceName, ctx) {
             }
         }
     }
+    // Fallback: search class registry for classes that might inject this service
+    // (constructor injection detected by parameter name matching)
+    for (const [className, classInfo] of ctx.symbolTable.classes) {
+        // Skip if already found as a consumer
+        if (consumers.some((c) => c.className === className && c.file === classInfo.filePath))
+            continue;
+        // Check if this class's model has the service name in its calledFunctions
+        const model = ctx.symbolTable.models.get(classInfo.filePath);
+        if (!model)
+            continue;
+        for (const [, func] of model.functions) {
+            if (func.calledFunctions.some((f) => f.includes(serviceName))) {
+                consumers.push({
+                    className,
+                    file: classInfo.filePath,
+                    style: 'constructor',
+                });
+                break;
+            }
+        }
+    }
     return consumers;
 }

package/dist/src/pipeline/stages/ast/resolvers/dddLayerResolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dddLayerResolver.d.ts","sourceRoot":"","sources":["../../../../../../src/pipeline/stages/ast/resolvers/dddLayerResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,0BAA0B,EAC1B,yBAAyB,EAC1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yCAAyC,CAAC;AAEpF,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;IAC3C,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,gBAAiB,YAAW,iBAAiB;IACxD,QAAQ,CAAC,IAAI,eAAe;IAE5B,SAAS,CAAC,UAAU,EAAE,oBAAoB,EAAE,GAAG,OAAO;IAMtD,OAAO,CAAC,GAAG,EAAE,0BAA0B,GAAG,yBAAyB;CAqEpE;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,EAAE,CAgFrG;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CAiCrF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAcjG"}
+{"version":3,"file":"dddLayerResolver.d.ts","sourceRoot":"","sources":["../../../../../../src/pipeline/stages/ast/resolvers/dddLayerResolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,0BAA0B,EAC1B,yBAAyB,EAC1B,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yCAAyC,CAAC;AAEpF,MAAM,WAAW,sBAAsB;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;IAC3C,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,gBAAiB,YAAW,iBAAiB;IACxD,QAAQ,CAAC,IAAI,eAAe;IAE5B,SAAS,CAAC,UAAU,EAAE,oBAAoB,EAAE,GAAG,OAAO;IAMtD,OAAO,CAAC,GAAG,EAAE,0BAA0B,GAAG,yBAAyB;CA+JpE;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,EAAE,CAgFrG;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CAiCrF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAcjG"}