archbyte 0.5.1 → 0.5.3

package/dist/agents/static/redactor.js

@@ -0,0 +1,206 @@
+// Redaction Mode — Hash sensitive identifiers in StaticContext
+// Preserves structure and public package names while hiding proprietary paths/names.
+import { createHash } from "crypto";
+/**
+ * Redact sensitive identifiers in a StaticContext.
+ * - File paths: hash each segment, preserve extensions and depth
+ * - Env var names: hash
+ * - Docker service names: hash
+ * - String literals in code samples: hash
+ * - Preserve: npm package names, language keywords, structural info
+ *
+ * Returns a deep copy — the original context is not modified.
+ */
+export function redactContext(ctx) {
+    return {
+        structure: redactStructure(ctx.structure),
+        docs: redactDocs(ctx.docs),
+        infra: redactInfra(ctx.infra),
+        events: redactEvents(ctx.events),
+        envs: redactEnvs(ctx.envs),
+        fileTree: redactFileTree(ctx.fileTree),
+        codeSamples: redactCodeSamples(ctx.codeSamples),
+    };
+}
+// --- Hashing ---
+const hashCache = new Map();
+function hashStr(value) {
+    const cached = hashCache.get(value);
+    if (cached)
+        return cached;
+    const hash = createHash("sha256").update(value).digest("hex").slice(0, 8);
+    const result = `redacted-${hash}`;
+    hashCache.set(value, result);
+    return result;
+}
+/**
+ * Hash each segment of a path, preserving the extension and directory depth.
+ * `src/auth/handler.ts` → `redacted-a1b2c3/redacted-d4e5f6/redacted-g7h8.ts`
+ */
+function redactPath(filePath) {
+    if (!filePath || filePath === ".")
+        return filePath;
+    const parts = filePath.split("/");
+    return parts
+        .map((part) => {
+        const dotIdx = part.lastIndexOf(".");
+        if (dotIdx > 0 && dotIdx < part.length - 1) {
+            const name = part.slice(0, dotIdx);
+            const ext = part.slice(dotIdx);
+            return `${hashStr(name)}${ext}`;
+        }
+        return hashStr(part);
+    })
+        .join("/");
+}
+// --- Structure ---
+function redactStructure(s) {
+    return {
+        ...s,
+        // Keep project name generic
+        projectName: hashStr(s.projectName),
+        // Keep language/framework/build info (public knowledge)
+        entryPoints: s.entryPoints.map(redactPath),
+        directories: Object.fromEntries(Object.entries(s.directories).map(([dir, isPresent]) => [hashStr(dir), isPresent])),
+    };
+}
+// --- Docs ---
+function redactDocs(d) {
+    return {
+        // Preserve project description (it's user-written public text)
+        projectDescription: d.projectDescription,
+        architectureNotes: d.architectureNotes,
+        apiEndpoints: d.apiEndpoints.map((ep) => ({
+            ...ep,
+            path: redactApiPath(ep.path),
+        })),
+        externalDependencies: d.externalDependencies, // Public package names — keep
+    };
+}
+function redactApiPath(apiPath) {
+    // Redact path parameters but keep HTTP structure
+    return apiPath.replace(/\/[a-zA-Z_]\w*/g, (segment) => {
+        // Keep common REST verbs/patterns
+        const common = ["/api", "/v1", "/v2", "/v3", "/health", "/status", "/auth"];
+        if (common.includes(segment))
+            return segment;
+        return `/${hashStr(segment.slice(1))}`;
+    });
+}
+// --- Infra ---
+function redactInfra(i) {
+    return {
+        docker: {
+            services: i.docker.services.map((svc) => ({
+                ...svc,
+                name: hashStr(svc.name),
+                buildContext: svc.buildContext ? redactPath(svc.buildContext) : undefined,
+                environment: svc.environment
+                    ? Object.fromEntries(Object.entries(svc.environment).map(([k, v]) => [hashStr(k), "***"]))
+                    : undefined,
+            })),
+            composeFile: i.docker.composeFile,
+            composeFilePath: i.docker.composeFilePath ? redactPath(i.docker.composeFilePath) : undefined,
+        },
+        kubernetes: {
+            resources: i.kubernetes.resources.map((r) => ({
+                ...r,
+                name: hashStr(r.name),
+                namespace: r.namespace ? hashStr(r.namespace) : undefined,
+            })),
+        },
+        cloud: i.cloud, // Provider names and service types are public
+        ci: i.ci, // CI platform names are public
+    };
+}
+// --- Events ---
+function redactEvents(e) {
+    return {
+        hasEDA: e.hasEDA,
+        patterns: e.patterns, // Technology names are public
+        events: e.events.map((ev) => ({
+            ...ev,
+            file: redactPath(ev.file),
+        })),
+    };
+}
+// --- Envs ---
+function redactEnvs(e) {
+    return {
+        environments: e.environments.map((env) => ({
+            name: env.name, // "production", "staging" etc — keep
+            variables: env.variables.map((v) => hashStr(v)),
+        })),
+        configPattern: e.configPattern,
+        hasSecrets: e.hasSecrets,
+    };
+}
+// --- File Tree ---
+function redactFileTree(ft) {
+    return {
+        tree: ft.tree.map(redactTreeEntry),
+        totalFiles: ft.totalFiles,
+        totalDirs: ft.totalDirs,
+    };
+}
+function redactTreeEntry(entry) {
+    return {
+        path: redactPath(entry.path),
+        type: entry.type,
+        children: entry.children?.map(redactTreeEntry),
+    };
+}
+// --- Code Samples ---
+function redactCodeSamples(cs) {
+    return {
+        samples: cs.samples.map((s) => ({
+            ...s,
+            path: redactPath(s.path),
+            excerpt: redactCodeExcerpt(s.excerpt),
+        })),
+        importMap: Object.fromEntries(Object.entries(cs.importMap).map(([file, imports]) => [
+            redactPath(file),
+            imports.map((imp) => {
+                // Keep npm package imports (don't start with . or /)
+                if (!imp.startsWith(".") && !imp.startsWith("/"))
+                    return imp;
+                return redactPath(imp);
+            }),
+        ])),
+        configFiles: cs.configFiles.map((cf) => ({
+            path: redactPath(cf.path),
+            content: redactConfigContent(cf.content),
+        })),
+    };
+}
+/**
+ * Redact string literals in code excerpts while preserving structure.
+ * Keeps language keywords, npm imports, and structural tokens.
+ */
+function redactCodeExcerpt(code) {
+    // Replace string literals (single/double quoted) with hashed versions
+    // But preserve common patterns like import paths to npm packages
+    return code.replace(/(["'])([^"']*)\1/g, (_match, quote, content) => {
+        // Keep npm package imports
+        if (!content.startsWith(".") && !content.startsWith("/") && !content.includes(" ")) {
+            return `${quote}${content}${quote}`;
+        }
+        // Keep short common strings
+        if (content.length <= 2)
+            return `${quote}${content}${quote}`;
+        // Redact everything else
+        return `${quote}${hashStr(content)}${quote}`;
+    });
+}
+function redactConfigContent(content) {
+    // Redact values in key=value and key: value patterns
+    return content
+        .replace(/^(\s*[\w.-]+\s*[:=]\s*)(.+)$/gm, (_match, prefix, value) => {
+        const trimmed = value.trim();
+        // Keep boolean, numeric, null values
+        if (/^(true|false|null|undefined|\d+(\.\d+)?)$/i.test(trimmed)) {
+            return `${prefix}${value}`;
+        }
+        return `${prefix}${hashStr(trimmed)}`;
+    });
+}

package/dist/agents/static/utils.d.ts

@@ -1,10 +1,12 @@
 import type { GrepResult, DirEntry } from "../runtime/types.js";
+import type { IgnoreFilter } from "./ignore.js";
 /**
  * Wraps LocalFSBackend with safe-read helpers for static scanners.
  */
 export declare class StaticToolkit {
     private fs;
-    constructor(projectRoot: string);
+    private ignore;
+    constructor(projectRoot: string, ignoreFilter?: IgnoreFilter);
     readFileSafe(path: string): Promise<string | null>;
     globFiles(pattern: string, cwd?: string): Promise<string[]>;
     grepFiles(pattern: string, searchPath?: string): Promise<GrepResult[]>;

package/dist/agents/static/utils.js

@@ -6,10 +6,14 @@ import { LocalFSBackend } from "../tools/local-fs.js";
  */
 export class StaticToolkit {
     fs;
-    constructor(projectRoot) {
+    ignore;
+    constructor(projectRoot, ignoreFilter) {
         this.fs = new LocalFSBackend(projectRoot);
+        this.ignore = ignoreFilter ?? null;
     }
     async readFileSafe(path) {
+        if (this.ignore?.isIgnored(path))
+            return null;
         try {
             return await this.fs.readFile(path);
         }
@@ -21,12 +25,19 @@ export class StaticToolkit {
         try {
             // Expand brace patterns like *.{yml,yaml} → [*.yml, *.yaml]
             const patterns = expandBraces(pattern);
+            let results;
             if (patterns.length === 1) {
-                return await this.fs.glob(patterns[0], cwd);
+                results = await this.fs.glob(patterns[0], cwd);
+            }
+            else {
+                const resultSets = await Promise.all(patterns.map((p) => this.fs.glob(p, cwd).catch(() => [])));
+                results = [...new Set(resultSets.flat())].sort();
+            }
+            // Apply ignore filter
+            if (this.ignore) {
+                results = results.filter((f) => !this.ignore.isIgnored(f));
             }
-            const resultSets = await Promise.all(patterns.map((p) => this.fs.glob(p, cwd).catch(() => [])));
-            // Deduplicate and sort
-            return [...new Set(resultSets.flat())].sort();
+            return results;
         }
         catch {
             return [];
@@ -36,11 +47,16 @@ export class StaticToolkit {
         try {
             // Work around LocalFSBackend.grep glob bug with cwd:
             // grep from root and filter by path prefix
-            const results = await this.fs.grep(pattern);
-            if (!searchPath)
-                return results;
-            const prefix = searchPath.endsWith("/") ? searchPath : `${searchPath}/`;
-            return results.filter((r) => r.file.startsWith(prefix));
+            let results = await this.fs.grep(pattern);
+            if (searchPath) {
+                const prefix = searchPath.endsWith("/") ? searchPath : `${searchPath}/`;
+                results = results.filter((r) => r.file.startsWith(prefix));
+            }
+            // Apply ignore filter
+            if (this.ignore) {
+                results = results.filter((r) => !this.ignore.isIgnored(r.file));
+            }
+            return results;
         }
         catch {
             return [];
@@ -48,7 +64,14 @@ export class StaticToolkit {
     }
     async listDir(dirPath) {
         try {
-            return await this.fs.listDir(dirPath);
+            const entries = await this.fs.listDir(dirPath);
+            if (this.ignore) {
+                return entries.filter((e) => {
+                    const fullPath = dirPath === "." ? e.name : `${dirPath}/${e.name}`;
+                    return !this.ignore.isIgnored(fullPath);
+                });
+            }
+            return entries;
         }
         catch {
             return [];

package/dist/cli/analyze.d.ts

@@ -9,6 +9,7 @@ interface AnalyzeOptions {
     dryRun?: boolean;
     force?: boolean;
     dir?: string;
+    debug?: boolean;
     /** When true, skip "archbyte serve" in the Next steps (e.g. called from `archbyte run`) */
     skipServeHint?: boolean;
 }

package/dist/cli/analyze.js

@@ -4,9 +4,10 @@ import { execSync } from "child_process";
 import chalk from "chalk";
 import { resolveConfig } from "./config.js";
 import { recordUsage } from "./license-gate.js";
-import { staticResultToSpec, writeSpec, writeMetadata, loadSpec, loadMetadata } from "./yaml-io.js";
+import { staticResultToSpec, writeSpec, writeMetadata, loadSpec, loadMetadata, resolvePrivacy } from "./yaml-io.js";
 import { getChangedFiles, mapFilesToComponents, shouldRunAgents, isGitAvailable, categorizeChanges, computeNeighbors, getCommitCount } from "./incremental.js";
 import { progressBar, confirm } from "./ui.js";
+import { buildCollectorReport, buildAgentReport, buildTransparencyReport, printTransparencyReport, saveTransparencyReport, } from "./transparency.js";
 export async function handleAnalyze(options) {
     const rootDir = options.dir ? path.resolve(options.dir) : process.cwd();
     const isStaticOnly = options.static || options.skipLlm;
@@ -50,10 +51,11 @@ export async function handleAnalyze(options) {
         progress.update(1, "Building analysis...");
         const freshAnalysis = buildAnalysisFromStatic(result, rootDir);
         const duration = Date.now() - startTime;
-        // Merge into existing analysis if it was produced by an agentic run,
+        // Merge into existing data if it was produced by an agentic run,
         // preserving LLM-generated components/connections while refreshing
         // static data (environments, metadata, project info).
         const existingAnalysis = loadExistingAnalysis(rootDir);
+        const existingSpec = loadSpec(rootDir);
         const wasAgentic = existingAnalysis && existingAnalysis.metadata?.mode !== "static";
         const analysis = wasAgentic ? mergeStaticIntoExisting(existingAnalysis, freshAnalysis) : freshAnalysis;
         // Stamp scan metadata on analysis.json (backward compat)
@@ -62,10 +64,19 @@ export async function handleAnalyze(options) {
         ameta.mode = wasAgentic ? "static-refresh" : "static";
         writeAnalysis(rootDir, analysis);
         // Dual-write: archbyte.yaml + metadata.json
-        const existingSpec = loadSpec(rootDir);
-        const spec = staticResultToSpec(result, rootDir, existingSpec?.rules);
-        writeSpec(rootDir, spec);
-        writeScanMetadata(rootDir, duration, "static");
+        // When prior data came from an agentic run, only refresh static fields
+        // (project info, environments) — never overwrite LLM components/connections.
+        if (wasAgentic && existingSpec) {
+            const freshSpec = staticResultToSpec(result, rootDir, existingSpec.rules);
+            existingSpec.project = freshSpec.project;
+            existingSpec.environments = freshSpec.environments;
+            writeSpec(rootDir, existingSpec);
+        }
+        else {
+            const spec = staticResultToSpec(result, rootDir, existingSpec?.rules);
+            writeSpec(rootDir, spec);
+        }
+        writeScanMetadata(rootDir, duration, wasAgentic ? "static-refresh" : "static");
         progress.update(2, "Generating diagram...");
         await autoGenerate(rootDir, options);
         progress.done("Analysis complete");
@@ -191,13 +202,17 @@ export async function handleAnalyze(options) {
             console.log(chalk.yellow(`File tree grew from ${priorCount} to ${currentFileCount} files — running full scan.`));
         }
     }
-    // 4. Run static context collection → LLM pipeline
+    // 4. Load privacy config
+    const privacySpec = loadSpec(rootDir);
+    const privacy = resolvePrivacy(privacySpec);
+    const agentReports = [];
+    // 5. Run static context collection → LLM pipeline
     const progress = progressBar(7);
     progress.update(0, "Collecting static context...");
     const { runStaticContextCollection } = await import("../agents/static/index.js");
     const ctx = await runStaticContextCollection(rootDir, (msg) => {
         progress.update(0, `Static context: ${msg}`);
-    });
+    }, privacy);
     // Save static context for debugging / re-runs
     const ctxPath = path.join(rootDir, ".archbyte", "static-context.json");
     if (!fs.existsSync(path.dirname(ctxPath))) {
@@ -209,6 +224,12 @@ export async function handleAnalyze(options) {
     const { runPipeline } = await import("../agents/pipeline/index.js");
     let result;
     let pipelineStep = 1;
+    // Debug callback — collect agent reports for transparency log
+    const onDebug = options.debug
+        ? (agentId, model, system, user) => {
+            agentReports.push(buildAgentReport(agentId, model, system, user));
+        }
+        : undefined;
     try {
         result = await runPipeline(ctx, provider, config, (msg) => {
             // Map pipeline progress messages to bar steps
@@ -239,7 +260,7 @@ export async function handleAnalyze(options) {
             else {
                 progress.update(pipelineStep, msg.trim());
             }
-        }, incrementalContext);
+        }, incrementalContext, onDebug);
     }
     catch (err) {
         const errorMsg = err instanceof Error ? err.message : String(err);
@@ -301,6 +322,22 @@ export async function handleAnalyze(options) {
     const spec = staticResultToSpec(result, rootDir, existingSpec?.rules);
     writeSpec(rootDir, spec);
     writeScanMetadata(rootDir, duration, "pipeline", ctx.fileTree.totalFiles, result.tokenUsage, incrementalContext ? true : undefined, result.skippedAgents);
+    // Transparency report (--debug)
+    if (options.debug) {
+        const collectors = buildCollectorReport(ctx);
+        const privacyControls = {
+            sendCodeSamples: privacy.sendCodeSamples,
+            sendImportMap: privacy.sendImportMap,
+            sendEnvNames: privacy.sendEnvNames,
+            sendDocs: privacy.sendDocs,
+            sendFileTree: privacy.sendFileTree,
+            sendInfra: privacy.sendInfra,
+        };
+        const ignoreFilter = (await import("../agents/static/ignore.js")).loadIgnoreFile(rootDir);
+        const report = buildTransparencyReport(collectors, agentReports, privacyControls, ignoreFilter.patternCount, privacy.redact);
+        printTransparencyReport(report);
+        saveTransparencyReport(rootDir, report);
+    }
     progress.update(6, "Generating diagram...");
     await autoGenerate(rootDir, options);
     progress.done("Analysis complete");

package/dist/cli/run.d.ts

@@ -7,6 +7,7 @@ interface RunOptions {
     verbose?: boolean;
     force?: boolean;
     dryRun?: boolean;
+    debug?: boolean;
     dir?: string;
 }
 export declare function handleRun(options: RunOptions): Promise<void>;

package/dist/cli/run.js

@@ -128,11 +128,12 @@ export async function handleRun(options) {
         apiKey: options.apiKey,
         force: options.force,
         dryRun: options.dryRun,
+        debug: options.debug,
         dir: options.dir,
         skipServeHint: true,
     });
     if (options.dryRun)
         return;
     // 2. Serve the UI
-    await handleServe({ port });
+    await handleServe({ port, debug: options.debug });
 }

package/dist/cli/serve.d.ts

@@ -1,6 +1,7 @@
 interface ServeOptions {
     port?: number;
     diagram?: string;
+    debug?: boolean;
 }
 /**
  * Start the ArchByte UI server

package/dist/cli/serve.js

@@ -84,6 +84,7 @@ export async function handleServe(options) {
                 diagramPath,
                 workspaceRoot: rootDir,
                 port,
+                debug: options.debug,
             });
             return;
         }

package/dist/cli/transparency.d.ts

@@ -0,0 +1,36 @@
+import type { StaticContext } from "../agents/static/types.js";
+export interface CollectorReport {
+    name: string;
+    itemCount: number;
+    filePaths: string[];
+    byteEstimate: number;
+}
+export interface AgentReport {
+    agentId: string;
+    model: string;
+    dataCategories: string[];
+    fileRefs: string[];
+    promptTokenEstimate: number;
+}
+export interface TransparencyReport {
+    timestamp: string;
+    collectors: CollectorReport[];
+    agents: AgentReport[];
+    privacyControls: Record<string, boolean>;
+    ignorePatterns: number;
+    redactionEnabled: boolean;
+    totals: {
+        collectorsRun: number;
+        agentsRun: number;
+        filesReferenced: number;
+        estimatedPromptBytes: number;
+    };
+}
+export declare function buildCollectorReport(ctx: StaticContext): CollectorReport[];
+export declare function buildAgentReport(agentId: string, model: string, systemPrompt: string, userPrompt: string): AgentReport;
+export declare function printTransparencyReport(report: TransparencyReport): void;
+export declare function saveTransparencyReport(rootDir: string, report: TransparencyReport): void;
+/**
+ * Build a complete TransparencyReport from collector reports and agent reports.
+ */
+export declare function buildTransparencyReport(collectors: CollectorReport[], agents: AgentReport[], privacy: Record<string, boolean>, ignorePatterns: number, redactionEnabled: boolean): TransparencyReport;