auditor-lambda 0.10.3 → 0.10.8

package/dist/extractors/graphManifestEdges/packageJson.js

@@ -0,0 +1,204 @@
+import { posix } from "node:path";
+import { graphEdge, normalizeGraphPath, resolveCandidate, isPackageManifestPath } from "../graphPathUtils.js";
+import { collectWorkspacePatternValues, normalizeWorkspacePattern, workspacePatternMatchesPackage, } from "./workspace.js";
+import { pnpmWorkspacePatterns } from "./pnpm.js";
+import { isPnpmWorkspaceManifestPath } from "../graphPathUtils.js";
+export const PACKAGE_ENTRYPOINT_EDGE_CONFIDENCE = 0.9;
+export const PACKAGE_SCRIPT_EDGE_CONFIDENCE = 0.88;
+export const WORKSPACE_PACKAGE_EDGE_CONFIDENCE = 0.86;
+export const PACKAGE_SCRIPT_REFERENCE_PATTERN = /(?:^|[\s"'`])((?:\.{1,2}\/)?(?:[\w.-]+\/)*[\w.-]+\.(?:cjs|cts|js|jsx|mjs|mts|ts|tsx))(?:$|[\s"'`])/gi;
+function collectPackageEntrypointValues(value, fieldPath, entries) {
+    if (typeof value === "string") {
+        if (value.trim().length > 0) {
+            entries.push({ field: fieldPath, specifier: value });
+        }
+        return;
+    }
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => collectPackageEntrypointValues(item, `${fieldPath}.${index}`, entries));
+        return;
+    }
+    if (value === null || typeof value !== "object") {
+        return;
+    }
+    for (const [key, item] of Object.entries(value)) {
+        collectPackageEntrypointValues(item, `${fieldPath}.${key}`, entries);
+    }
+}
+export function packageEntrypointCandidates(content) {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return [];
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return [];
+    }
+    const record = parsed;
+    const entries = [];
+    for (const field of ["main", "module", "types", "typings", "browser"]) {
+        collectPackageEntrypointValues(record[field], field, entries);
+    }
+    collectPackageEntrypointValues(record.bin, "bin", entries);
+    collectPackageEntrypointValues(record.exports, "exports", entries);
+    return entries;
+}
+export function resolvePackageEntrypoint(packagePath, specifier, pathLookup) {
+    const normalizedSpecifier = normalizeGraphPath(specifier);
+    if (normalizedSpecifier.length === 0 ||
+        normalizedSpecifier.startsWith("/") ||
+        /^[a-z][a-z0-9+.-]*:/i.test(normalizedSpecifier)) {
+        return undefined;
+    }
+    const packageDir = posix.dirname(normalizeGraphPath(packagePath));
+    const packageRelative = packageDir === "."
+        ? normalizedSpecifier
+        : posix.join(packageDir, normalizedSpecifier);
+    return resolveCandidate(packageRelative, pathLookup);
+}
+export function extractPackageEntrypointEdges(fromPath, content, pathLookup) {
+    if (!isPackageManifestPath(fromPath)) {
+        return [];
+    }
+    const edges = [];
+    for (const { field, specifier } of packageEntrypointCandidates(content)) {
+        const target = resolvePackageEntrypoint(fromPath, specifier, pathLookup);
+        if (!target) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "package-entrypoint-link",
+            confidence: PACKAGE_ENTRYPOINT_EDGE_CONFIDENCE,
+            reason: `Package manifest field '${field}' points to '${specifier}'.`,
+        }));
+    }
+    return edges;
+}
+export function packageScriptCandidates(content) {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return [];
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return [];
+    }
+    const scripts = parsed.scripts;
+    if (scripts === null ||
+        typeof scripts !== "object" ||
+        Array.isArray(scripts)) {
+        return [];
+    }
+    const entries = [];
+    for (const [script, command] of Object.entries(scripts)) {
+        if (typeof command !== "string") {
+            continue;
+        }
+        PACKAGE_SCRIPT_REFERENCE_PATTERN.lastIndex = 0;
+        for (const match of command.matchAll(PACKAGE_SCRIPT_REFERENCE_PATTERN)) {
+            const specifier = match[1]?.trim();
+            if (specifier) {
+                entries.push({ script, specifier });
+            }
+        }
+    }
+    return entries;
+}
+export function extractPackageScriptEdges(fromPath, content, pathLookup) {
+    if (!isPackageManifestPath(fromPath)) {
+        return [];
+    }
+    const edges = [];
+    for (const { script, specifier } of packageScriptCandidates(content)) {
+        const target = resolvePackageEntrypoint(fromPath, specifier, pathLookup);
+        if (!target) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "package-script-link",
+            confidence: PACKAGE_SCRIPT_EDGE_CONFIDENCE,
+            reason: `Package script '${script}' references '${specifier}'.`,
+        }));
+    }
+    return edges;
+}
+export function packageWorkspacePatterns(content) {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return [];
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return [];
+    }
+    const record = parsed;
+    const patterns = [];
+    collectWorkspacePatternValues(record.workspaces, patterns);
+    if (record.workspaces !== null &&
+        typeof record.workspaces === "object" &&
+        !Array.isArray(record.workspaces)) {
+        collectWorkspacePatternValues(record.workspaces.packages, patterns);
+    }
+    return patterns;
+}
+function workspacePatternsForFile(path, content) {
+    if (isPackageManifestPath(path)) {
+        return packageWorkspacePatterns(content);
+    }
+    if (isPnpmWorkspaceManifestPath(path)) {
+        return pnpmWorkspacePatterns(content);
+    }
+    return [];
+}
+export function extractWorkspacePackageEdges(fromPath, content, pathLookup) {
+    const rawPatterns = workspacePatternsForFile(fromPath, content);
+    if (rawPatterns.length === 0) {
+        return [];
+    }
+    const positivePatterns = [];
+    const negativePatterns = [];
+    for (const { pattern, negated } of rawPatterns) {
+        const normalized = normalizeWorkspacePattern(fromPath, pattern);
+        if (!normalized) {
+            continue;
+        }
+        if (negated) {
+            negativePatterns.push(normalized);
+        }
+        else {
+            positivePatterns.push(normalized);
+        }
+    }
+    const edges = [];
+    for (const pattern of positivePatterns) {
+        for (const target of pathLookup.values()) {
+            if (target === fromPath || !isPackageManifestPath(target)) {
+                continue;
+            }
+            if (!workspacePatternMatchesPackage(pattern, target)) {
+                continue;
+            }
+            if (negativePatterns.some((negativePattern) => workspacePatternMatchesPackage(negativePattern, target))) {
+                continue;
+            }
+            edges.push(graphEdge({
+                from: fromPath,
+                to: target,
+                kind: "workspace-package-link",
+                confidence: WORKSPACE_PACKAGE_EDGE_CONFIDENCE,
+                reason: `Workspace pattern '${pattern}' includes package manifest '${target}'.`,
+            }));
+        }
+    }
+    return edges;
+}

package/dist/extractors/graphManifestEdges/pnpm.d.ts

@@ -0,0 +1,2 @@
+import { WorkspacePattern } from "./workspace.js";
+export declare function pnpmWorkspacePatterns(content: string): WorkspacePattern[];

package/dist/extractors/graphManifestEdges/pnpm.js

@@ -0,0 +1,42 @@
+import { addWorkspacePattern } from "./workspace.js";
+import { stripYamlComment, unquoteYamlScalar, splitYamlInlineList } from "./yaml.js";
+export function pnpmWorkspacePatterns(content) {
+    const patterns = [];
+    const lines = content.split(/\r?\n/);
+    let inPackagesList = false;
+    let packagesIndent = 0;
+    for (const line of lines) {
+        const withoutComment = stripYamlComment(line);
+        if (withoutComment.trim().length === 0) {
+            continue;
+        }
+        const indent = withoutComment.match(/^\s*/)?.[0].length ?? 0;
+        const trimmed = withoutComment.trim();
+        if (inPackagesList) {
+            if (indent <= packagesIndent) {
+                inPackagesList = false;
+            }
+            else {
+                const itemMatch = /^-\s+(.+)$/.exec(trimmed);
+                if (itemMatch?.[1]) {
+                    addWorkspacePattern(patterns, unquoteYamlScalar(itemMatch[1]));
+                }
+                continue;
+            }
+        }
+        const packagesMatch = /^packages\s*:\s*(.*)$/.exec(trimmed);
+        if (!packagesMatch || indent !== 0) {
+            continue;
+        }
+        const inlineValue = packagesMatch[1]?.trim() ?? "";
+        if (inlineValue.length === 0) {
+            inPackagesList = true;
+            packagesIndent = indent;
+            continue;
+        }
+        for (const pattern of splitYamlInlineList(inlineValue)) {
+            addWorkspacePattern(patterns, pattern);
+        }
+    }
+    return patterns;
+}

package/dist/extractors/graphManifestEdges/pyproject.d.ts

@@ -0,0 +1,3 @@
+import type { GraphEdge } from "@audit-tools/shared";
+export declare const PYPROJECT_TESTPATHS_LINK_CONFIDENCE = 0.85;
+export declare function extractPyprojectTestpathLinks(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];

package/dist/extractors/graphManifestEdges/pyproject.js

@@ -0,0 +1,83 @@
+import { posix } from "node:path";
+import { graphEdge, normalizeGraphPath, isPyprojectPath } from "../graphPathUtils.js";
+import { stripTomlComment, tomlArrayIsClosed, tomlStringArrayValues } from "./toml.js";
+export const PYPROJECT_TESTPATHS_LINK_CONFIDENCE = 0.85;
+function pyprojectTestpaths(content) {
+    const values = [];
+    let currentSection = "";
+    let collectingKey;
+    let collectedValue = "";
+    const flush = () => {
+        if (!collectingKey)
+            return;
+        for (const v of tomlStringArrayValues(collectedValue)) {
+            values.push(v);
+        }
+        collectingKey = undefined;
+        collectedValue = "";
+    };
+    for (const rawLine of content.split(/\r?\n/)) {
+        const withoutComment = stripTomlComment(rawLine);
+        const trimmed = withoutComment.trim();
+        if (trimmed.length === 0)
+            continue;
+        const sectionMatch = /^\[([^\]]+)\]\s*$/.exec(trimmed);
+        if (sectionMatch?.[1]) {
+            flush();
+            currentSection = sectionMatch[1].trim();
+            continue;
+        }
+        if (collectingKey) {
+            collectedValue = `${collectedValue}\n${trimmed}`;
+            if (tomlArrayIsClosed(collectedValue)) {
+                flush();
+            }
+            continue;
+        }
+        if (currentSection !== "tool.pytest.ini_options")
+            continue;
+        const keyMatch = /^testpaths\s*=\s*(.+)$/.exec(trimmed);
+        if (!keyMatch?.[1])
+            continue;
+        const value = keyMatch[1].trim();
+        if (!value.startsWith("[")) {
+            const bare = value.replace(/^["']|["']$/g, "").trim();
+            if (bare.length > 0)
+                values.push(bare);
+            continue;
+        }
+        collectingKey = "testpaths";
+        collectedValue = value;
+        if (tomlArrayIsClosed(collectedValue)) {
+            flush();
+        }
+    }
+    flush();
+    return values;
+}
+export function extractPyprojectTestpathLinks(fromPath, content, pathLookup) {
+    if (!isPyprojectPath(fromPath)) {
+        return [];
+    }
+    const testpaths = pyprojectTestpaths(content);
+    if (testpaths.length === 0) {
+        return [];
+    }
+    const pyprojectDir = posix.dirname(normalizeGraphPath(fromPath));
+    const edges = [];
+    for (const testpath of testpaths) {
+        const resolvedTestpath = pyprojectDir === "." ? testpath : posix.join(pyprojectDir, testpath);
+        const conftestKey = posix.join(resolvedTestpath, "conftest.py").toLowerCase();
+        const conftestTarget = pathLookup.get(conftestKey);
+        if (!conftestTarget || conftestTarget === fromPath)
+            continue;
+        edges.push(graphEdge({
+            from: fromPath,
+            to: conftestTarget,
+            kind: "pyproject-testpaths-link",
+            confidence: PYPROJECT_TESTPATHS_LINK_CONFIDENCE,
+            reason: `pyproject.toml testpaths entry '${testpath}' resolves to '${conftestTarget}'.`,
+        }));
+    }
+    return edges;
+}

package/dist/extractors/graphManifestEdges/toml.d.ts

@@ -0,0 +1,4 @@
+export declare function stripTomlComment(line: string): string;
+export declare function tomlArrayIsClosed(value: string): boolean;
+export declare function unquoteTomlString(value: string, quote: '"' | "'"): string;
+export declare function tomlStringArrayValues(value: string): string[];

package/dist/extractors/graphManifestEdges/toml.js

@@ -0,0 +1,68 @@
+import { scanStringAware } from "@audit-tools/shared";
+const TOML_SCAN_OPTIONS = {
+    quoteChars: ['"', "'"],
+    // Only double-quoted strings honour backslash escapes in TOML.
+    escapedQuotes: ['"'],
+};
+export function stripTomlComment(line) {
+    let commentIndex;
+    scanStringAware(line, TOML_SCAN_OPTIONS, {
+        onUnquoted(char, i) {
+            if (char === "#") {
+                commentIndex = i;
+                return false;
+            }
+        },
+    });
+    return commentIndex !== undefined ? line.slice(0, commentIndex) : line;
+}
+export function tomlArrayIsClosed(value) {
+    let depth = 0;
+    let found = false;
+    scanStringAware(value, TOML_SCAN_OPTIONS, {
+        onUnquoted(char) {
+            if (char === "[") {
+                depth += 1;
+            }
+            else if (char === "]") {
+                depth -= 1;
+                if (depth <= 0) {
+                    found = true;
+                    return false;
+                }
+            }
+        },
+    });
+    return found;
+}
+export function unquoteTomlString(value, quote) {
+    if (quote === "'") {
+        return value.trim();
+    }
+    try {
+        const parsed = JSON.parse(`"${value}"`);
+        return typeof parsed === "string" ? parsed.trim() : value.trim();
+    }
+    catch {
+        return value.replace(/\\"/g, '"').trim();
+    }
+}
+export function tomlStringArrayValues(value) {
+    const values = [];
+    let openIndex = 0;
+    scanStringAware(value, TOML_SCAN_OPTIONS, {
+        onQuoteOpen(_quoteChar, i) {
+            openIndex = i + 1; // content starts after the opening quote
+        },
+        onQuoteClose(quoteChar, i) {
+            if (quoteChar === "`") {
+                return;
+            }
+            const item = unquoteTomlString(value.slice(openIndex, i), quoteChar);
+            if (item.length > 0) {
+                values.push(item);
+            }
+        },
+    });
+    return values;
+}

package/dist/extractors/graphManifestEdges/typescript.d.ts

@@ -0,0 +1,3 @@
+import type { GraphEdge } from "@audit-tools/shared";
+export declare const TYPESCRIPT_PROJECT_REFERENCE_EDGE_CONFIDENCE = 0.87;
+export declare function extractTypescriptProjectReferenceEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];

package/dist/extractors/graphManifestEdges/typescript.js

@@ -0,0 +1,56 @@
+import { posix } from "node:path";
+import { graphEdge, normalizeGraphPath, resolveCandidate, isTypescriptProjectConfigPath } from "../graphPathUtils.js";
+import { parseJsoncObject } from "./jsonc.js";
+export const TYPESCRIPT_PROJECT_REFERENCE_EDGE_CONFIDENCE = 0.87;
+function typescriptProjectReferenceSpecifiers(content) {
+    const parsed = parseJsoncObject(content);
+    if (!parsed || !Array.isArray(parsed.references)) {
+        return [];
+    }
+    return parsed.references
+        .map((item) => {
+        if (item === null || typeof item !== "object" || Array.isArray(item)) {
+            return undefined;
+        }
+        const referencePath = item.path;
+        return typeof referencePath === "string" ? referencePath.trim() : undefined;
+    })
+        .filter((specifier) => Boolean(specifier));
+}
+function resolveTypescriptProjectReference(fromPath, specifier, pathLookup) {
+    const normalizedSpecifier = normalizeGraphPath(specifier);
+    if (normalizedSpecifier.length === 0 ||
+        normalizedSpecifier.startsWith("/") ||
+        /^[a-z][a-z0-9+.-]*:/i.test(normalizedSpecifier)) {
+        return undefined;
+    }
+    const configDir = posix.dirname(normalizeGraphPath(fromPath));
+    const target = configDir === "."
+        ? normalizedSpecifier
+        : posix.join(configDir, normalizedSpecifier);
+    const direct = resolveCandidate(target, pathLookup);
+    if (direct && isTypescriptProjectConfigPath(direct)) {
+        return direct;
+    }
+    return pathLookup.get(posix.join(target, "tsconfig.json").toLowerCase());
+}
+export function extractTypescriptProjectReferenceEdges(fromPath, content, pathLookup) {
+    if (!isTypescriptProjectConfigPath(fromPath)) {
+        return [];
+    }
+    const edges = [];
+    for (const specifier of typescriptProjectReferenceSpecifiers(content)) {
+        const target = resolveTypescriptProjectReference(fromPath, specifier, pathLookup);
+        if (!target) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "typescript-project-reference-link",
+            confidence: TYPESCRIPT_PROJECT_REFERENCE_EDGE_CONFIDENCE,
+            reason: `TypeScript project reference '${specifier}' resolves to '${target}'.`,
+        }));
+    }
+    return edges;
+}

package/dist/extractors/graphManifestEdges/workspace.d.ts

@@ -0,0 +1,10 @@
+export interface WorkspacePattern {
+    pattern: string;
+    negated: boolean;
+}
+export declare function addWorkspacePattern(patterns: WorkspacePattern[], rawPattern: string): void;
+export declare function collectWorkspacePatternValues(value: unknown, patterns: WorkspacePattern[]): void;
+export declare function normalizeWorkspacePattern(workspacePath: string, pattern: string): string | undefined;
+export declare function globPatternToRegExp(pattern: string): RegExp;
+export declare function workspacePatternMatchesPackage(workspacePattern: string, packagePath: string): boolean;
+export declare function workspacePatternMatchesManifest(workspacePattern: string, manifestPath: string, manifestName: string): boolean;

package/dist/extractors/graphManifestEdges/workspace.js

@@ -0,0 +1,72 @@
+import { posix } from "node:path";
+import { normalizeGraphPath } from "../graphPathUtils.js";
+export function addWorkspacePattern(patterns, rawPattern) {
+    const trimmedPattern = rawPattern.trim();
+    if (trimmedPattern.length === 0) {
+        return;
+    }
+    const negated = trimmedPattern.startsWith("!");
+    const pattern = negated ? trimmedPattern.slice(1).trim() : trimmedPattern;
+    if (pattern.length > 0) {
+        patterns.push({ pattern, negated });
+    }
+}
+export function collectWorkspacePatternValues(value, patterns) {
+    if (!Array.isArray(value)) {
+        return;
+    }
+    for (const item of value) {
+        if (typeof item !== "string") {
+            continue;
+        }
+        addWorkspacePattern(patterns, item);
+    }
+}
+export function normalizeWorkspacePattern(workspacePath, pattern) {
+    const normalizedPattern = pattern
+        .replace(/\\/g, "/")
+        .replace(/^\.\//, "")
+        .replace(/\/+$/, "");
+    if (normalizedPattern.length === 0 ||
+        normalizedPattern.startsWith("/") ||
+        /^[a-z][a-z0-9+.-]*:/i.test(normalizedPattern)) {
+        return undefined;
+    }
+    const workspaceDir = posix.dirname(normalizeGraphPath(workspacePath));
+    return workspaceDir === "."
+        ? normalizedPattern
+        : posix.join(workspaceDir, normalizedPattern);
+}
+export function globPatternToRegExp(pattern) {
+    let source = "^";
+    for (let index = 0; index < pattern.length; index++) {
+        const char = pattern[index];
+        const next = pattern[index + 1];
+        if (char === "*" && next === "*") {
+            source += ".*";
+            index++;
+        }
+        else if (char === "*") {
+            source += "[^/]*";
+        }
+        else if (char === "?") {
+            source += "[^/]";
+        }
+        else {
+            source += char.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+        }
+    }
+    return new RegExp(`${source}$`, "i");
+}
+export function workspacePatternMatchesPackage(workspacePattern, packagePath) {
+    return workspacePatternMatchesManifest(workspacePattern, packagePath, "package.json");
+}
+export function workspacePatternMatchesManifest(workspacePattern, manifestPath, manifestName) {
+    const normalizedManifestPath = normalizeGraphPath(manifestPath);
+    const manifestDir = posix.dirname(normalizedManifestPath);
+    const lowerManifestPattern = `/${manifestName.toLowerCase()}`;
+    const patternTarget = workspacePattern.toLowerCase().endsWith(lowerManifestPattern)
+        ? normalizedManifestPath
+        : manifestDir;
+    return globPatternToRegExp(workspacePattern).test(patternTarget);
+}

package/dist/extractors/graphManifestEdges/yaml.d.ts

@@ -0,0 +1,3 @@
+export declare function stripYamlComment(line: string): string;
+export declare function unquoteYamlScalar(value: string): string;
+export declare function splitYamlInlineList(value: string): string[];

package/dist/extractors/graphManifestEdges/yaml.js

@@ -0,0 +1,59 @@
+export function stripYamlComment(line) {
+    let quote;
+    for (let index = 0; index < line.length; index++) {
+        const char = line[index];
+        if (quote) {
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            quote = char;
+            continue;
+        }
+        if (char === "#") {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}
+export function unquoteYamlScalar(value) {
+    const trimmed = value.trim();
+    if (trimmed.length < 2) {
+        return trimmed;
+    }
+    const quote = trimmed[0];
+    if ((quote === '"' || quote === "'") && trimmed.at(-1) === quote) {
+        return trimmed.slice(1, -1).trim();
+    }
+    return trimmed;
+}
+export function splitYamlInlineList(value) {
+    const trimmed = value.trim();
+    if (!trimmed.startsWith("[") || !trimmed.endsWith("]")) {
+        return [];
+    }
+    const values = [];
+    let quote;
+    let start = 1;
+    for (let index = 1; index < trimmed.length - 1; index++) {
+        const char = trimmed[index];
+        if (quote) {
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            quote = char;
+            continue;
+        }
+        if (char === ",") {
+            values.push(unquoteYamlScalar(trimmed.slice(start, index)));
+            start = index + 1;
+        }
+    }
+    values.push(unquoteYamlScalar(trimmed.slice(start, -1)));
+    return values.filter((item) => item.length > 0);
+}

package/dist/extractors/graphManifestEdges/yamlPaths.d.ts

@@ -0,0 +1,4 @@
+import type { GraphEdge } from "@audit-tools/shared";
+export declare const YAML_PATH_REFERENCE_LINK_CONFIDENCE = 0.8;
+export declare const YAML_CONFIG_EXTENSIONS: readonly [".yaml", ".yml", ".json", ".toml"];
+export declare function extractYamlPathReferenceEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];