auditor-lambda 0.2.6 → 0.2.9

package/dist/extractors/disposition.js

@@ -1,6 +1,6 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isDocPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
-    const normalized = path.toLowerCase();
+    const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
         return { path, status: "excluded", reason: "node_modules or .git excluded by convention." };
     }
@@ -17,6 +17,15 @@ function inferDisposition(path) {
             reason: "Non-source binary-like artifact.",
         };
     }
+    if (isLogPath(normalized)) {
+        return { path, status: "generated", reason: "Runtime log artifact." };
+    }
+    if (isLicensePath(normalized)) {
+        return { path, status: "doc_only", reason: "License file is not auditable code." };
+    }
+    if (isLockfilePath(normalized)) {
+        return { path, status: "generated", reason: "Lockfile excluded from code audit scope." };
+    }
     if (isDocPath(normalized)) {
         return { path, status: "doc_only", reason: "Documentation artifact." };
     }
@@ -26,6 +35,10 @@ function inferDisposition(path) {
         reason: "Default included source or config artifact.",
     };
 }
+/**
+ * Applies shared path heuristics to mark files that should be excluded or
+ * down-scoped before audit planning begins.
+ */
 export function buildFileDisposition(repoManifest) {
     return {
         files: repoManifest.files.map((file) => inferDisposition(file.path)),

package/dist/extractors/fileInventory.js

@@ -1,32 +1,28 @@
+import { normalizeExtractorPath } from "./pathPatterns.js";
+const LANGUAGE_BY_EXTENSION = {
+    ts: "typescript",
+    tsx: "typescript",
+    mts: "typescript",
+    cts: "typescript",
+    js: "javascript",
+    jsx: "javascript",
+    mjs: "javascript",
+    cjs: "javascript",
+    py: "python",
+    go: "go",
+    rs: "rust",
+    java: "java",
+    cs: "csharp",
+    json: "json",
+    yml: "yaml",
+    yaml: "yaml",
+    md: "markdown",
+};
 function inferLanguage(path) {
-    const ext = path.split(".").pop()?.toLowerCase();
-    switch (ext) {
-        case "ts":
-        case "tsx":
-            return "typescript";
-        case "js":
-        case "jsx":
-            return "javascript";
-        case "py":
-            return "python";
-        case "go":
-            return "go";
-        case "rs":
-            return "rust";
-        case "java":
-            return "java";
-        case "cs":
-            return "csharp";
-        case "json":
-            return "json";
-        case "yml":
-        case "yaml":
-            return "yaml";
-        case "md":
-            return "markdown";
-        default:
-            return "unknown";
-    }
+    const normalized = normalizeExtractorPath(path);
+    const base = normalized.split("/").pop() ?? normalized;
+    const extension = base.includes(".") ? base.split(".").pop() ?? "" : "";
+    return LANGUAGE_BY_EXTENSION[extension] ?? "unknown";
 }
 export function buildRepoManifest(repositoryName, files) {
     return {

package/dist/extractors/flows.d.ts

@@ -2,4 +2,9 @@ import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
 import type { CriticalFlowManifest } from "../types/flows.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
+/**
+ * Builds coarse critical-flow coverage from shared path heuristics. These
+ * bootstrap flows are intentionally conservative and should be reviewed when a
+ * repo uses unconventional naming or layout conventions.
+ */
 export declare function buildCriticalFlowManifest(repoManifest: RepoManifest, surfaceManifest: SurfaceManifest, disposition?: FileDisposition): CriticalFlowManifest;

package/dist/extractors/flows.js

@@ -1,14 +1,12 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
     for (const path of paths) {
-        const normalized = path.toLowerCase();
+        const normalized = normalizeExtractorPath(path);
         if (isSecuritySensitivePath(normalized))
             concerns.add("security");
-        if (isDataLayerPath(normalized) ||
-            normalized.includes("invoice") ||
-            normalized.includes("payment"))
+        if (isDataLayerPath(normalized) || isBillingPath(normalized))
             concerns.add("data_integrity");
         if (isConcurrencyPath(normalized))
             concerns.add("reliability");
@@ -18,47 +16,26 @@ function inferConcerns(paths) {
     return concerns.size > 0 ? [...concerns] : ["correctness"];
 }
 function relatedPaths(entry, availablePaths) {
-    const normalized = entry.toLowerCase();
+    const normalized = normalizeExtractorPath(entry);
     const linked = new Set([entry]);
     for (const path of availablePaths) {
-        const lower = path.toLowerCase();
+        const lower = normalizeExtractorPath(path);
         if (path === entry)
             continue;
         // Auth / session flows: link sibling auth, session, token, user paths
-        if (isSecuritySensitivePath(normalized) &&
-            (lower.includes("auth") ||
-                lower.includes("session") ||
-                lower.includes("token") ||
-                lower.includes("user"))) {
+        if (isSecuritySensitivePath(normalized) && isIdentityPath(lower)) {
             linked.add(path);
         }
         // Billing / payment flows: link ledger and subscription paths
-        if ((normalized.includes("billing") ||
-            normalized.includes("invoice") ||
-            normalized.includes("payment")) &&
-            (lower.includes("billing") ||
-                lower.includes("invoice") ||
-                lower.includes("payment") ||
-                lower.includes("ledger") ||
-                lower.includes("subscription"))) {
+        if (isBillingPath(normalized) && isBillingPath(lower)) {
             linked.add(path);
         }
         // Async / queue flows: link worker, job, retry, and task paths
-        if (isConcurrencyPath(normalized) &&
-            (lower.includes("queue") ||
-                lower.includes("retry") ||
-                lower.includes("worker") ||
-                lower.includes("job") ||
-                lower.includes("task"))) {
+        if (isConcurrencyPath(normalized) && isAsyncTaskPath(lower)) {
             linked.add(path);
         }
         // Deployment / infra flows: link docker, k8s, terraform, workflow paths
-        if (isDeploymentConfigPath(normalized) &&
-            (lower.includes("deploy") ||
-                lower.includes("docker") ||
-                lower.includes("workflow") ||
-                lower.includes("k8s") ||
-                lower.includes("terraform"))) {
+        if (isDeploymentConfigPath(normalized) && isDeploymentConfigPath(lower)) {
             linked.add(path);
         }
     }
@@ -76,6 +53,11 @@ function dedupeFlows(flows) {
     }
     return deduped;
 }
+/**
+ * Builds coarse critical-flow coverage from shared path heuristics. These
+ * bootstrap flows are intentionally conservative and should be reviewed when a
+ * repo uses unconventional naming or layout conventions.
+ */
 export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposition) {
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
     const availablePaths = repoManifest.files
@@ -94,23 +76,27 @@ export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposi
             entrypoints: [entry],
             paths,
             concerns: inferConcerns(paths),
-            notes: [
-                "Heuristic critical-flow inference from detected surfaces and related paths.",
-            ],
+            confidence: paths.length > 1 ? "high" : "low",
+            notes: [EXTRACTOR_HEURISTIC_NOTE],
         });
     }
     for (const path of availablePaths) {
-        const lower = path.toLowerCase();
-        if (isDataLayerPath(lower) || lower.includes("seed")) {
+        const normalized = normalizeExtractorPath(path);
+        if (isDataLayerPath(normalized)) {
             flows.push({
                 id: `flow:data:${path.replace(/[^a-zA-Z0-9:_-]/g, "-")}`,
                 name: `data evolution flow for ${path}`,
                 entrypoints: [path],
                 paths: relatedPaths(path, availablePaths),
                 concerns: ["data_integrity", "reliability"],
-                notes: ["Heuristic data-evolution flow."],
+                confidence: "high",
+                notes: [EXTRACTOR_HEURISTIC_NOTE],
             });
         }
     }
-    return { flows: dedupeFlows(flows) };
+    const deduped = dedupeFlows(flows);
+    return {
+        flows: deduped,
+        fallback_required: deduped.length === 0 || deduped.some((flow) => flow.confidence === "low"),
+    };
 }

package/dist/extractors/pathPatterns.d.ts

@@ -1,12 +1,17 @@
 /**
- * Centralised path-pattern predicates shared across disposition, bucketing,
- * surfaces, and flows extractors.  Every function operates on the
- * already-lower-cased form of the path.
+ * Shared bootstrap heuristics for the extractor layer. These rules run before
+ * richer graph/unit analysis exists, so they intentionally favor recall over
+ * precision and always normalize case plus path separators first.
  */
+export declare const EXTRACTOR_HEURISTIC_NOTE = "Heuristic path classification normalizes case and path separators, then matches conservative keyword groups; confirm unusual repo layouts manually.";
+export declare function normalizeExtractorPath(path: string): string;
 export declare function isNodeModulesOrGit(normalized: string): boolean;
 export declare function isBuildOutput(normalized: string): boolean;
 export declare function isVendorPath(normalized: string): boolean;
 export declare function isBinaryArtifact(normalized: string): boolean;
+export declare function isLogPath(normalized: string): boolean;
+export declare function isLicensePath(normalized: string): boolean;
+export declare function isLockfilePath(normalized: string): boolean;
 export declare function isDocPath(normalized: string): boolean;
 export declare function isTestPath(normalized: string): boolean;
 export declare function isInterfacePath(normalized: string): boolean;
@@ -17,3 +22,8 @@ export declare function isScriptPath(normalized: string): boolean;
 export declare function isDeploymentConfigPath(normalized: string): boolean;
 export declare function isGeneratedPath(normalized: string): boolean;
 export declare function isSurfacePath(normalized: string): boolean;
+export declare function isBackgroundSurfacePath(normalized: string): boolean;
+export declare function isNetworkSurfacePath(normalized: string): boolean;
+export declare function isBillingPath(normalized: string): boolean;
+export declare function isIdentityPath(normalized: string): boolean;
+export declare function isAsyncTaskPath(normalized: string): boolean;

package/dist/extractors/pathPatterns.js

@@ -1,85 +1,148 @@
 /**
- * Centralised path-pattern predicates shared across disposition, bucketing,
- * surfaces, and flows extractors.  Every function operates on the
- * already-lower-cased form of the path.
+ * Shared bootstrap heuristics for the extractor layer. These rules run before
+ * richer graph/unit analysis exists, so they intentionally favor recall over
+ * precision and always normalize case plus path separators first.
  */
+export const EXTRACTOR_HEURISTIC_NOTE = "Heuristic path classification normalizes case and path separators, then matches conservative keyword groups; confirm unusual repo layouts manually.";
+const BINARY_EXTENSIONS = [
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".pdf",
+    ".zip",
+];
+const LOCKFILE_NAMES = [
+    "package-lock.json",
+    "pnpm-lock.yaml",
+    "yarn.lock",
+    "cargo.lock",
+    "composer.lock",
+    "go.sum",
+];
+const TEST_KEYWORDS = ["test", "spec", "__tests__"];
+const INTERFACE_KEYWORDS = ["route", "controller", "handler"];
+const DATA_LAYER_KEYWORDS = ["model", "schema", "migration", "seed"];
+const SECURITY_KEYWORDS = [
+    "auth",
+    "secret",
+    "token",
+    "permission",
+    "session",
+];
+const CONCURRENCY_KEYWORDS = [
+    "queue",
+    "worker",
+    "job",
+    "cache",
+    "retry",
+    "lock",
+];
+const SCRIPT_KEYWORDS = ["script"];
+const DEPLOYMENT_KEYWORDS = [
+    "docker",
+    "terraform",
+    "deploy",
+    "workflow",
+    "k8s",
+];
+const SURFACE_KEYWORDS = ["route", "controller", "worker", "job", "command"];
+const BILLING_KEYWORDS = [
+    "billing",
+    "invoice",
+    "payment",
+    "ledger",
+    "subscription",
+];
+const IDENTITY_KEYWORDS = ["user"];
+const ASYNC_TASK_KEYWORDS = ["task"];
+export function normalizeExtractorPath(path) {
+    return path.replace(/\\/g, "/").toLowerCase();
+}
+function splitSegments(normalized) {
+    return normalized.split("/").filter(Boolean);
+}
+function hasSegment(normalized, segment) {
+    return splitSegments(normalized).includes(segment);
+}
+function includesAny(normalized, values) {
+    return values.some((value) => normalized.includes(value));
+}
+function endsWithAny(normalized, suffixes) {
+    return suffixes.some((suffix) => normalized.endsWith(suffix));
+}
+function baseName(normalized) {
+    const segments = splitSegments(normalized);
+    return segments.at(-1) ?? normalized;
+}
 export function isNodeModulesOrGit(normalized) {
-    const segments = normalized.split(/[/\\]/);
-    return segments.includes("node_modules") || segments.includes(".git");
+    return hasSegment(normalized, "node_modules") || hasSegment(normalized, ".git");
 }
 export function isBuildOutput(normalized) {
-    return normalized.startsWith("dist/") || normalized.startsWith("build/");
+    return hasSegment(normalized, "dist") || hasSegment(normalized, "build");
 }
 export function isVendorPath(normalized) {
     return normalized.includes("vendor") || normalized.includes("third_party");
 }
 export function isBinaryArtifact(normalized) {
-    return (normalized.endsWith(".png") ||
-        normalized.endsWith(".jpg") ||
-        normalized.endsWith(".jpeg") ||
-        normalized.endsWith(".gif") ||
-        normalized.endsWith(".pdf") ||
-        normalized.endsWith(".zip"));
+    return endsWithAny(normalized, BINARY_EXTENSIONS);
+}
+export function isLogPath(normalized) {
+    return normalized.endsWith(".log") || includesAny(normalized, ["stdout.log", "stderr.log"]);
+}
+export function isLicensePath(normalized) {
+    const base = baseName(normalized);
+    return base === "license" || base.startsWith("license.");
+}
+export function isLockfilePath(normalized) {
+    return endsWithAny(normalized, LOCKFILE_NAMES);
 }
 export function isDocPath(normalized) {
-    return normalized.endsWith(".md") || normalized.startsWith("docs/");
+    return normalized.endsWith(".md") || hasSegment(normalized, "docs");
 }
 export function isTestPath(normalized) {
-    return (normalized.includes("test") ||
-        normalized.includes("spec") ||
-        normalized.includes("__tests__"));
+    return includesAny(normalized, TEST_KEYWORDS);
 }
 export function isInterfacePath(normalized) {
-    return (normalized.includes("route") ||
-        normalized.includes("controller") ||
-        normalized.includes("handler") ||
-        normalized.includes("api/"));
+    return includesAny(normalized, INTERFACE_KEYWORDS) || hasSegment(normalized, "api");
 }
 export function isDataLayerPath(normalized) {
-    return (normalized.includes("model") ||
-        normalized.includes("schema") ||
-        normalized.includes("migration") ||
-        normalized.includes("seed") ||
-        normalized.includes("db/"));
+    return includesAny(normalized, DATA_LAYER_KEYWORDS) || hasSegment(normalized, "db");
 }
 export function isSecuritySensitivePath(normalized) {
-    return (normalized.includes("auth") ||
-        normalized.includes("secret") ||
-        normalized.includes("token") ||
-        normalized.includes("permission") ||
-        normalized.includes("session"));
+    return includesAny(normalized, SECURITY_KEYWORDS);
 }
 export function isConcurrencyPath(normalized) {
-    return (normalized.includes("queue") ||
-        normalized.includes("worker") ||
-        normalized.includes("job") ||
-        normalized.includes("cache") ||
-        normalized.includes("retry") ||
-        normalized.includes("lock"));
+    return includesAny(normalized, CONCURRENCY_KEYWORDS);
 }
 export function isScriptPath(normalized) {
-    return (normalized.includes("script") ||
-        normalized.startsWith("scripts/") ||
-        normalized.startsWith("bin/"));
+    return (includesAny(normalized, SCRIPT_KEYWORDS) ||
+        hasSegment(normalized, "scripts") ||
+        hasSegment(normalized, "bin"));
 }
 export function isDeploymentConfigPath(normalized) {
-    return (normalized.includes("docker") ||
-        normalized.includes("terraform") ||
-        normalized.includes("deploy") ||
-        normalized.includes("workflow") ||
-        normalized.includes("k8s") ||
-        normalized.endsWith(".yml") ||
-        normalized.endsWith(".yaml"));
+    return includesAny(normalized, DEPLOYMENT_KEYWORDS) || endsWithAny(normalized, [".yml", ".yaml"]);
 }
 export function isGeneratedPath(normalized) {
     return normalized.includes("vendor") || normalized.includes("generated");
 }
 export function isSurfacePath(normalized) {
-    return (normalized.includes("api/") ||
-        normalized.includes("route") ||
-        normalized.includes("controller") ||
-        normalized.includes("worker") ||
-        normalized.includes("job") ||
-        normalized.includes("command") ||
-        normalized.includes("cli"));
+    return (hasSegment(normalized, "api") ||
+        includesAny(normalized, SURFACE_KEYWORDS) ||
+        hasSegment(normalized, "cli"));
+}
+export function isBackgroundSurfacePath(normalized) {
+    return includesAny(normalized, ["worker", "job"]);
+}
+export function isNetworkSurfacePath(normalized) {
+    return hasSegment(normalized, "api") || includesAny(normalized, ["route", "controller"]);
+}
+export function isBillingPath(normalized) {
+    return includesAny(normalized, BILLING_KEYWORDS);
+}
+export function isIdentityPath(normalized) {
+    return isSecuritySensitivePath(normalized) || includesAny(normalized, IDENTITY_KEYWORDS);
+}
+export function isAsyncTaskPath(normalized) {
+    return isConcurrencyPath(normalized) || includesAny(normalized, ASYNC_TASK_KEYWORDS);
 }

package/dist/extractors/risk.js

@@ -19,6 +19,9 @@ export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerR
             signals.push("writes_or_persistence");
         if (unit.required_lenses.includes("config_deployment"))
             signals.push("operational_surface");
+        if (unit.files.some((path) => /(write|save|persist|lock|cache|retry|open|sync|refresh)/i.test(path))) {
+            signals.push("path_level_stateful_behavior");
+        }
         const flowHits = unit.files.reduce((sum, path) => sum + (flowMap.get(path) ?? 0), 0);
         if (flowHits > 0) {
             signals.push("critical_flow_member");
@@ -29,7 +32,10 @@ export function buildRiskRegister(unitManifest, criticalFlows, externalAnalyzerR
         }
         return {
             unit_id: unit.unit_id,
-            risk_score: (unit.risk_score ?? 0) + flowHits + externalHits,
+            risk_score: (unit.risk_score ?? 0) +
+                flowHits +
+                externalHits +
+                (signals.includes("path_level_stateful_behavior") ? 1 : 0),
             signals,
             notes: [
                 "Initial heuristic risk scoring.",

package/dist/extractors/surfaces.d.ts

@@ -1,4 +1,8 @@
 import type { RepoManifest } from "../types.js";
 import type { FileDisposition } from "../types/disposition.js";
 import type { SurfaceManifest } from "../types/surfaces.js";
+/**
+ * Detects likely execution surfaces from file paths using the shared extractor
+ * heuristics, primarily to seed later audit planning.
+ */
 export declare function buildSurfaceManifest(repoManifest: RepoManifest, disposition?: FileDisposition): SurfaceManifest;

package/dist/extractors/surfaces.js

@@ -1,12 +1,16 @@
 import { isAuditExcludedStatus } from "./disposition.js";
-import { isSurfacePath } from "./pathPatterns.js";
+import { EXTRACTOR_HEURISTIC_NOTE, isBackgroundSurfacePath, isNetworkSurfacePath, isSurfacePath, normalizeExtractorPath, } from "./pathPatterns.js";
 function methodsForPath(path) {
-    const normalized = path.toLowerCase();
-    if (normalized.includes("api") || normalized.includes("route")) {
+    const normalized = normalizeExtractorPath(path);
+    if (isNetworkSurfacePath(normalized)) {
         return ["GET", "POST"];
     }
     return undefined;
 }
+/**
+ * Detects likely execution surfaces from file paths using the shared extractor
+ * heuristics, primarily to seed later audit planning.
+ */
 export function buildSurfaceManifest(repoManifest, disposition) {
     const surfaces = [];
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
@@ -15,19 +19,15 @@ export function buildSurfaceManifest(repoManifest, disposition) {
         if (status && isAuditExcludedStatus(status)) {
             continue;
         }
-        const normalized = file.path.toLowerCase();
+        const normalized = normalizeExtractorPath(file.path);
         if (isSurfacePath(normalized)) {
             surfaces.push({
                 id: `surface:${file.path}`,
-                kind: normalized.includes("worker") || normalized.includes("job")
-                    ? "background"
-                    : "interface",
+                kind: isBackgroundSurfacePath(normalized) ? "background" : "interface",
                 entrypoint: file.path,
-                exposure: normalized.includes("api") || normalized.includes("route")
-                    ? "network"
-                    : "local",
+                exposure: isNetworkSurfacePath(normalized) ? "network" : "local",
                 methods: methodsForPath(file.path),
-                notes: ["Heuristic surface detection."],
+                notes: [EXTRACTOR_HEURISTIC_NOTE],
             });
         }
     }

package/dist/index.d.ts

@@ -1 +1 @@
-import "./cli.js";
+export {};

package/dist/index.js

@@ -1 +1,2 @@
-import "./cli.js";
+import { runCli } from "./cli.js";
+await runCli(process.argv);