auditor-lambda 0.3.12 → 0.3.14

package/dist/extractors/graph.js

@@ -2,30 +2,10 @@ import { readFile } from "node:fs/promises";
 import { isAbsolute, relative, resolve } from "node:path";
 import { posix } from "node:path";
 import { isAuditExcludedStatus } from "./disposition.js";
+import { extractCargoWorkspaceMemberEdges, extractGoWorkspaceModuleEdges, extractMavenModuleEdges, extractPackageEntrypointEdges, extractPackageScriptEdges, extractPyprojectTestpathLinks, extractTypescriptProjectReferenceEdges, extractWorkspacePackageEdges, extractYamlPathReferenceEdges, isCargoManifestPath, isGoWorkspaceManifestPath, isMavenPomPath, isPyprojectPath, } from "./graphManifestEdges.js";
+import { graphEdge, graphLookupKey, normalizeGraphPath, resolveCandidate, } from "./graphPathUtils.js";
+import { isTestPath, normalizeExtractorPath } from "./pathPatterns.js";
 const MAX_GRAPH_SOURCE_BYTES = 512 * 1024;
-const RESOLVABLE_EXTENSIONS = [
-    "",
-    ".ts",
-    ".tsx",
-    ".mts",
-    ".cts",
-    ".js",
-    ".jsx",
-    ".mjs",
-    ".cjs",
-    ".json",
-];
-const INDEX_EXTENSIONS = [
-    "index.ts",
-    "index.tsx",
-    "index.mts",
-    "index.cts",
-    "index.js",
-    "index.jsx",
-    "index.mjs",
-    "index.cjs",
-    "index.json",
-];
 const SOURCE_LANGUAGES = new Set([
     "typescript",
     "javascript",
@@ -50,11 +30,30 @@ const SOURCE_EXTENSIONS = [
     ".yml",
     ".yaml",
     ".py",
+    ".pyi",
     ".go",
     ".rs",
     ".java",
     ".cs",
 ];
+const PYTHON_SOURCE_EXTENSIONS = [".py", ".pyi"];
+const PYTHON_PACKAGE_INDEX_FILES = ["__init__.py", "__init__.pyi"];
+const TYPESCRIPT_TYPE_CONTRACT_EXTENSIONS = [
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+];
+const PACKAGE_SCRIPT_SUITE_EXTENSIONS = [
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+];
 const IMPORT_PATTERNS = [
     {
         pattern: /\bimport\s+(?:type\s+)?(?:[^"'()]*?\s+from\s+)?["']([^"']+)["']/g,
@@ -74,19 +73,63 @@ const IMPORT_PATTERNS = [
     },
 ];
 const STRING_LITERAL_PATTERN = /["'`]([^"'`\r\n]{1,260})["'`]/g;
-function normalizeGraphPath(path) {
-    return posix
-        .normalize(path.replace(/\\/g, "/"))
-        .replace(/^\.\//, "");
-}
-function graphLookupKey(path) {
-    return normalizeGraphPath(path).toLowerCase();
-}
+const IMPORT_EDGE_CONFIDENCE = 0.95;
+const REFERENCE_EDGE_CONFIDENCE = 0.72;
+const RELATIVE_REFERENCE_EDGE_CONFIDENCE = 0.82;
+const TEST_SOURCE_EDGE_CONFIDENCE = 0.88;
+const CONFTEST_LINK_CONFIDENCE = 0.85;
+const ANALYZER_OWNERSHIP_EDGE_CONFIDENCE = 0.84;
+const JSON_SCHEMA_REF_EDGE_CONFIDENCE = 0.93;
+const SCHEMA_CONTRACT_TEST_EDGE_CONFIDENCE = 0.86;
+const SCHEMA_SUITE_EDGE_CONFIDENCE = 0.78;
+const GITHUB_WORKFLOW_SUITE_EDGE_CONFIDENCE = 0.78;
+const PACKAGE_SCRIPT_SUITE_EDGE_CONFIDENCE = 0.78;
+const TYPESCRIPT_TYPE_SUITE_EDGE_CONFIDENCE = 0.78;
+const PYTHON_TEST_UTIL_SUITE_EDGE_CONFIDENCE = 0.72;
+const PYTHON_TEST_UTIL_SEGMENT_NAMES = new Set(["utils", "helpers", "support"]);
+const ROUTE_HANDLER_EDGE_CONFIDENCE = 0.92;
+const CONTAINER_EDGE_CONFIDENCE = 0.25;
+const AUTH_SESSION_EDGE_CONFIDENCE = 0.55;
+const MAX_BOUNDED_SUITE_EDGE_FILES = 12;
+const MAX_BOUNDED_TYPE_SUITE_EDGE_FILES = 16;
+const MAX_TYPE_CONTRACT_SOURCE_BYTES = 64 * 1024;
+const TOP_LEVEL_TEST_SEGMENTS = new Set(["test", "tests", "spec", "specs"]);
+const COLOCATED_TEST_SEGMENTS = new Set([
+    "__test__",
+    "__tests__",
+    "__spec__",
+    "__specs__",
+    "test",
+    "tests",
+    "spec",
+    "specs",
+]);
+const ROUTE_REGISTRATION_PATTERN = /\b(?:app|router|server|fastify)\s*\.\s*(get|post|put|patch|delete|del|options|head|all)\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?)/gi;
+const ROUTE_OBJECT_PATTERN = /\b(?:app|router|server|fastify)\s*\.\s*route\s*\(\s*\{([\s\S]{0,1200}?)\}\s*\)/gi;
+const ROUTE_METHOD_EXPORT_PATTERN = /\bexport\s+(?:async\s+)?(?:function|const)\s+(GET|POST|PUT|PATCH|DELETE|OPTIONS|HEAD)\b/g;
+const ROUTE_METHODS = new Set([
+    "GET",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "OPTIONS",
+    "HEAD",
+    "ALL",
+]);
+const IMPORT_BINDING_PATTERN = /\bimport\s+(?:type\s+)?([^;"'](?:[^;]*?))\s+from\s+["']([^"']+)["']/g;
+const REQUIRE_BINDING_PATTERN = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\s*\(\s*["']([^"']+)["']\s*\)/g;
+const REQUIRE_DESTRUCTURING_PATTERN = /\b(?:const|let|var)\s*\{([^}]+)\}\s*=\s*require\s*\(\s*["']([^"']+)["']\s*\)/g;
+const IDENTIFIER_PATTERN = /^[A-Za-z_$][\w$]*$/;
 function shouldReadForGraph(file) {
     const normalized = normalizeGraphPath(file.path);
     return (file.size_bytes <= MAX_GRAPH_SOURCE_BYTES &&
         (SOURCE_LANGUAGES.has(file.language) ||
-            SOURCE_EXTENSIONS.some((extension) => normalized.endsWith(extension))));
+            SOURCE_EXTENSIONS.some((extension) => normalized.endsWith(extension)) ||
+            isGoWorkspaceManifestPath(normalized) ||
+            isCargoManifestPath(normalized) ||
+            isMavenPomPath(normalized) ||
+            isPyprojectPath(normalized)));
 }
 function buildPathLookup(repoManifest, dispositionMap) {
     return new Map(repoManifest.files
@@ -96,24 +139,6 @@ function buildPathLookup(repoManifest, dispositionMap) {
     })
         .map((file) => [graphLookupKey(file.path), file.path]));
 }
-function resolveCandidate(candidate, pathLookup) {
-    const normalized = normalizeGraphPath(candidate);
-    const direct = pathLookup.get(normalized.toLowerCase());
-    if (direct)
-        return direct;
-    for (const extension of RESOLVABLE_EXTENSIONS) {
-        const withExtension = `${normalized}${extension}`;
-        const match = pathLookup.get(withExtension.toLowerCase());
-        if (match)
-            return match;
-    }
-    for (const indexFile of INDEX_EXTENSIONS) {
-        const match = pathLookup.get(posix.join(normalized, indexFile).toLowerCase());
-        if (match)
-            return match;
-    }
-    return undefined;
-}
 function resolveSpecifier(fromPath, specifier, pathLookup) {
     if (!specifier.startsWith(".")) {
         return undefined;
@@ -134,6 +159,11 @@ function resolveReferenceLiteral(fromPath, literal, pathLookup) {
 function edgeSignature(edge) {
     return `${edge.from}\0${edge.to}\0${edge.kind ?? ""}`;
 }
+function clampConfidence(value, fallback) {
+    return typeof value === "number" && Number.isFinite(value)
+        ? Math.min(1, Math.max(0, value))
+        : fallback;
+}
 function uniqueSortedEdges(edges) {
     const deduped = new Map();
     for (const edge of edges) {
@@ -145,6 +175,487 @@ function uniqueSortedEdges(edges) {
         a.to.localeCompare(b.to) ||
         (a.kind ?? "").localeCompare(b.kind ?? ""));
 }
+function normalizeOwnershipRoot(root) {
+    const normalized = normalizeGraphPath(root.trim()).replace(/\/+$/, "");
+    if (normalized.length === 0 ||
+        normalized === "." ||
+        normalized === ".." ||
+        normalized.startsWith("../") ||
+        normalized.startsWith("/") ||
+        isAbsolute(normalized)) {
+        return undefined;
+    }
+    return normalized;
+}
+function extractAnalyzerOwnershipEdges(externalAnalyzerResults, pathLookup) {
+    const roots = Array.isArray(externalAnalyzerResults?.ownership_roots)
+        ? externalAnalyzerResults.ownership_roots
+        : [];
+    const edges = [];
+    for (const rootHint of roots) {
+        if (!rootHint ||
+            typeof rootHint.root !== "string" ||
+            !Array.isArray(rootHint.paths)) {
+            continue;
+        }
+        const root = normalizeOwnershipRoot(rootHint.root);
+        if (!root) {
+            continue;
+        }
+        const normalizedRoot = root.toLowerCase();
+        const confidence = clampConfidence(rootHint.confidence, ANALYZER_OWNERSHIP_EDGE_CONFIDENCE);
+        const ownershipKind = typeof rootHint.kind === "string" && rootHint.kind.trim().length > 0
+            ? rootHint.kind.trim()
+            : undefined;
+        const providedReason = typeof rootHint.reason === "string" && rootHint.reason.trim().length > 0
+            ? rootHint.reason.trim()
+            : undefined;
+        for (const rawPath of rootHint.paths) {
+            if (typeof rawPath !== "string" || rawPath.trim().length === 0) {
+                continue;
+            }
+            const target = resolveCandidate(rawPath, pathLookup);
+            if (!target) {
+                continue;
+            }
+            const normalizedTarget = normalizeGraphPath(target).toLowerCase();
+            if (normalizedTarget !== normalizedRoot &&
+                !normalizedTarget.startsWith(`${normalizedRoot}/`)) {
+                continue;
+            }
+            edges.push(graphEdge({
+                from: root,
+                to: target,
+                kind: "analyzer-ownership-root-link",
+                direction: "undirected",
+                confidence,
+                reason: providedReason ??
+                    (ownershipKind
+                        ? `${externalAnalyzerResults?.tool ?? "analyzer"} reports ${ownershipKind} ownership root '${root}' contains '${target}'.`
+                        : `${externalAnalyzerResults?.tool ?? "analyzer"} reports ownership root '${root}' contains '${target}'.`),
+            }));
+        }
+    }
+    return edges;
+}
+function routeSignature(route) {
+    return `${route.method ?? ""}\0${route.path}\0${route.handler}`;
+}
+function uniqueSortedRoutes(routes) {
+    const deduped = new Map();
+    for (const route of routes) {
+        deduped.set(routeSignature(route), route);
+    }
+    return [...deduped.values()].sort((a, b) => a.path.localeCompare(b.path) ||
+        a.handler.localeCompare(b.handler) ||
+        (a.method ?? "").localeCompare(b.method ?? ""));
+}
+function normalizeRoutePath(routePath) {
+    const trimmed = routePath.trim();
+    if (trimmed === "*" || trimmed === "/*") {
+        return trimmed;
+    }
+    const prefixed = trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+    return prefixed.replace(/\/{2,}/g, "/");
+}
+function normalizeHttpMethod(method) {
+    const upper = method.toUpperCase();
+    return upper === "DEL" ? "DELETE" : upper;
+}
+function isIdentifier(value) {
+    return typeof value === "string" && IDENTIFIER_PATTERN.test(value);
+}
+function addImportBinding(bindings, localName, binding) {
+    if (isIdentifier(localName)) {
+        bindings.set(localName, binding);
+    }
+}
+function parseNamedImportLocal(rawName) {
+    const normalized = rawName.trim().replace(/^type\s+/i, "").trim();
+    if (!normalized) {
+        return undefined;
+    }
+    const [, aliasedName] = normalized.split(/\s+as\s+/i);
+    const localName = (aliasedName ?? normalized.split(/\s*:\s*/).at(-1) ?? "")
+        .trim()
+        .replace(/=.*$/, "")
+        .trim();
+    return isIdentifier(localName) ? localName : undefined;
+}
+function addNamedImportBindings(bindings, rawBindings, binding) {
+    for (const rawName of rawBindings.split(",")) {
+        addImportBinding(bindings, parseNamedImportLocal(rawName), binding);
+    }
+}
+function extractImportBindings(fromPath, content, pathLookup) {
+    const bindings = new Map();
+    IMPORT_BINDING_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(IMPORT_BINDING_PATTERN)) {
+        const clause = match[1]?.trim();
+        const specifier = match[2];
+        if (!clause || !specifier)
+            continue;
+        const target = resolveSpecifier(fromPath, specifier, pathLookup);
+        if (!target)
+            continue;
+        const binding = { target, specifier };
+        const namespaceMatch = clause.match(/\*\s+as\s+([A-Za-z_$][\w$]*)/);
+        addImportBinding(bindings, namespaceMatch?.[1], binding);
+        const namedMatch = clause.match(/\{([^}]*)\}/);
+        if (namedMatch?.[1]) {
+            addNamedImportBindings(bindings, namedMatch[1], binding);
+        }
+        const defaultCandidate = clause
+            .split(/[,{]/, 1)[0]
+            ?.trim()
+            .replace(/^type\s+/i, "");
+        addImportBinding(bindings, defaultCandidate, binding);
+    }
+    REQUIRE_BINDING_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(REQUIRE_BINDING_PATTERN)) {
+        const localName = match[1];
+        const specifier = match[2];
+        if (!localName || !specifier)
+            continue;
+        const target = resolveSpecifier(fromPath, specifier, pathLookup);
+        if (target) {
+            addImportBinding(bindings, localName, { target, specifier });
+        }
+    }
+    REQUIRE_DESTRUCTURING_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(REQUIRE_DESTRUCTURING_PATTERN)) {
+        const rawBindings = match[1];
+        const specifier = match[2];
+        if (!rawBindings || !specifier)
+            continue;
+        const target = resolveSpecifier(fromPath, specifier, pathLookup);
+        if (target) {
+            addNamedImportBindings(bindings, rawBindings, { target, specifier });
+        }
+    }
+    return bindings;
+}
+function isPythonSourcePath(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    return PYTHON_SOURCE_EXTENSIONS.some((extension) => normalized.endsWith(extension));
+}
+function stripPythonLineComment(line) {
+    let quote;
+    let escaped = false;
+    for (let index = 0; index < line.length; index++) {
+        const char = line[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            if (char === "\\") {
+                escaped = true;
+                continue;
+            }
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            continue;
+        }
+        if (char === "#") {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}
+function pythonParenDelta(line) {
+    let quote;
+    let escaped = false;
+    let delta = 0;
+    for (const char of line) {
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            if (char === "\\") {
+                escaped = true;
+                continue;
+            }
+            if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            quote = char;
+            continue;
+        }
+        if (char === "(") {
+            delta += 1;
+        }
+        else if (char === ")") {
+            delta -= 1;
+        }
+    }
+    return delta;
+}
+function pythonLogicalLines(content) {
+    const logicalLines = [];
+    let pending = "";
+    let parenDepth = 0;
+    for (const rawLine of content.split(/\r?\n/)) {
+        const stripped = stripPythonLineComment(rawLine).trim();
+        if (stripped.length === 0) {
+            continue;
+        }
+        if (pending.length === 0 && !/^(?:import|from)\s+/i.test(stripped)) {
+            continue;
+        }
+        const continued = stripped.endsWith("\\");
+        const line = continued ? stripped.slice(0, -1).trimEnd() : stripped;
+        pending = pending.length > 0 ? `${pending} ${line}` : line;
+        parenDepth += pythonParenDelta(line);
+        if (!continued && parenDepth <= 0) {
+            logicalLines.push(pending.replace(/\s+/g, " ").trim());
+            pending = "";
+            parenDepth = 0;
+        }
+    }
+    if (pending.length > 0) {
+        logicalLines.push(pending.replace(/\s+/g, " ").trim());
+    }
+    return logicalLines;
+}
+function unwrapPythonImportList(value) {
+    let trimmed = value.trim();
+    if (trimmed.startsWith("(") && trimmed.endsWith(")")) {
+        trimmed = trimmed.slice(1, -1).trim();
+    }
+    return trimmed;
+}
+function splitPythonImportList(value) {
+    const items = [];
+    let current = "";
+    let quote;
+    let escaped = false;
+    let parenDepth = 0;
+    for (const char of unwrapPythonImportList(value)) {
+        if (escaped) {
+            current += char;
+            escaped = false;
+            continue;
+        }
+        if (quote) {
+            current += char;
+            if (char === "\\") {
+                escaped = true;
+            }
+            else if (char === quote) {
+                quote = undefined;
+            }
+            continue;
+        }
+        if (char === "'" || char === '"') {
+            current += char;
+            quote = char;
+            continue;
+        }
+        if (char === "(") {
+            parenDepth += 1;
+            current += char;
+            continue;
+        }
+        if (char === ")") {
+            parenDepth -= 1;
+            current += char;
+            continue;
+        }
+        if (char === "," && parenDepth === 0) {
+            const item = current.trim();
+            if (item.length > 0) {
+                items.push(item);
+            }
+            current = "";
+            continue;
+        }
+        current += char;
+    }
+    const item = current.trim();
+    if (item.length > 0) {
+        items.push(item);
+    }
+    return items;
+}
+function stripPythonAlias(value) {
+    return value.replace(/\s+as\s+[A-Za-z_]\w*$/i, "").trim();
+}
+function isPythonIdentifier(value) {
+    return /^[A-Za-z_]\w*$/.test(value);
+}
+function isPythonAbsoluteModuleSpecifier(value) {
+    return /^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*$/.test(value);
+}
+function isPythonRelativeModuleSpecifier(value) {
+    return /^\.+(?:[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)?$/.test(value);
+}
+function isPythonModuleSpecifier(value) {
+    return (isPythonAbsoluteModuleSpecifier(value) ||
+        isPythonRelativeModuleSpecifier(value));
+}
+function pythonModulePath(specifier) {
+    return specifier.split(".").filter(Boolean).join("/");
+}
+function resolvePythonPathCandidate(candidate, pathLookup) {
+    const normalized = normalizeGraphPath(candidate).replace(/\/+$/, "");
+    if (normalized.length === 0 || normalized === "." || normalized === "..") {
+        return undefined;
+    }
+    return resolveCandidate(normalized, pathLookup);
+}
+function pythonPathMatchesModule(path, modulePath) {
+    const normalizedPath = normalizeGraphPath(path).toLowerCase();
+    const normalizedModulePath = normalizeGraphPath(modulePath).toLowerCase();
+    return (PYTHON_SOURCE_EXTENSIONS.some((extension) => {
+        const moduleFile = `${normalizedModulePath}${extension}`;
+        return (normalizedPath === moduleFile ||
+            normalizedPath.endsWith(`/${moduleFile}`));
+    }) ||
+        PYTHON_PACKAGE_INDEX_FILES.some((indexFile) => {
+            const packageFile = posix.join(normalizedModulePath, indexFile);
+            return (normalizedPath === packageFile ||
+                normalizedPath.endsWith(`/${packageFile}`));
+        }));
+}
+function commonDirectoryPrefixLength(left, right) {
+    const leftParts = normalizeGraphPath(left).split("/").filter(Boolean);
+    const rightParts = normalizeGraphPath(right).split("/").filter(Boolean);
+    let count = 0;
+    while (count < leftParts.length &&
+        count < rightParts.length &&
+        leftParts[count].toLowerCase() === rightParts[count].toLowerCase()) {
+        count += 1;
+    }
+    return count;
+}
+function resolvePythonAbsoluteModuleSpecifier(fromPath, specifier, pathLookup) {
+    const modulePath = pythonModulePath(specifier);
+    const direct = resolvePythonPathCandidate(modulePath, pathLookup);
+    if (direct) {
+        return direct;
+    }
+    const matches = [...new Set(pathLookup.values())].filter((path) => isPythonSourcePath(path) && pythonPathMatchesModule(path, modulePath));
+    if (matches.length === 1) {
+        return matches[0];
+    }
+    if (matches.length === 0) {
+        return undefined;
+    }
+    const fromDir = posix.dirname(normalizeGraphPath(fromPath));
+    const scored = matches
+        .map((target) => ({
+        target,
+        score: commonDirectoryPrefixLength(fromDir, posix.dirname(normalizeGraphPath(target))),
+    }))
+        .sort((a, b) => b.score - a.score || a.target.localeCompare(b.target));
+    const bestScore = scored[0]?.score ?? 0;
+    const bestMatches = scored.filter((item) => item.score === bestScore);
+    if (bestScore > 0 && bestMatches.length === 1) {
+        return bestMatches[0].target;
+    }
+    const srcMatches = matches.filter((target) => normalizeGraphPath(target).toLowerCase().startsWith("src/"));
+    return srcMatches.length === 1 ? srcMatches[0] : undefined;
+}
+function resolvePythonRelativeModuleSpecifier(fromPath, specifier, pathLookup) {
+    const match = /^(\.+)(.*)$/.exec(specifier);
+    if (!match) {
+        return undefined;
+    }
+    const level = match[1].length;
+    const remainder = match[2] ?? "";
+    let baseDir = posix.dirname(normalizeGraphPath(fromPath));
+    for (let index = 1; index < level; index++) {
+        const next = posix.dirname(baseDir);
+        if (next === baseDir) {
+            return undefined;
+        }
+        baseDir = next;
+    }
+    const modulePath = pythonModulePath(remainder);
+    const candidate = modulePath.length > 0 ? posix.join(baseDir, modulePath) : baseDir;
+    return resolvePythonPathCandidate(candidate, pathLookup);
+}
+function resolvePythonModuleSpecifier(fromPath, specifier, pathLookup) {
+    if (isPythonRelativeModuleSpecifier(specifier)) {
+        return resolvePythonRelativeModuleSpecifier(fromPath, specifier, pathLookup);
+    }
+    if (isPythonAbsoluteModuleSpecifier(specifier)) {
+        return resolvePythonAbsoluteModuleSpecifier(fromPath, specifier, pathLookup);
+    }
+    return undefined;
+}
+function appendPythonImportedSpecifier(moduleSpecifier, importedName) {
+    return moduleSpecifier.endsWith(".")
+        ? `${moduleSpecifier}${importedName}`
+        : `${moduleSpecifier}.${importedName}`;
+}
+function addPythonImportEdge(edges, fromPath, target, kind, specifier) {
+    if (!target || target === fromPath) {
+        return;
+    }
+    edges.push(graphEdge({
+        from: fromPath,
+        to: target,
+        kind,
+        confidence: IMPORT_EDGE_CONFIDENCE,
+        reason: `Resolved Python import specifier '${specifier}'.`,
+    }));
+}
+function extractPythonImportEdges(fromPath, content, pathLookup) {
+    if (!isPythonSourcePath(fromPath)) {
+        return [];
+    }
+    const edges = [];
+    for (const line of pythonLogicalLines(content)) {
+        const importMatch = /^import\s+(.+)$/i.exec(line);
+        if (importMatch) {
+            for (const rawSpecifier of splitPythonImportList(importMatch[1] ?? "")) {
+                const specifier = stripPythonAlias(rawSpecifier);
+                if (!isPythonAbsoluteModuleSpecifier(specifier)) {
+                    continue;
+                }
+                addPythonImportEdge(edges, fromPath, resolvePythonModuleSpecifier(fromPath, specifier, pathLookup), "python-import", specifier);
+            }
+            continue;
+        }
+        const fromImportMatch = /^from\s+([.\w]+)\s+import\s+(.+)$/i.exec(line);
+        if (!fromImportMatch) {
+            continue;
+        }
+        const moduleSpecifier = fromImportMatch[1] ?? "";
+        if (!isPythonModuleSpecifier(moduleSpecifier)) {
+            continue;
+        }
+        const importedNames = splitPythonImportList(fromImportMatch[2] ?? "")
+            .map(stripPythonAlias)
+            .filter((name) => name !== "*" && isPythonIdentifier(name));
+        const submoduleTargets = importedNames
+            .map((name) => appendPythonImportedSpecifier(moduleSpecifier, name))
+            .map((specifier) => ({
+            specifier,
+            target: resolvePythonModuleSpecifier(fromPath, specifier, pathLookup),
+        }))
+            .filter((item) => item.target);
+        if (submoduleTargets.length > 0) {
+            for (const { specifier, target } of submoduleTargets) {
+                addPythonImportEdge(edges, fromPath, target, "python-from-import", specifier);
+            }
+            continue;
+        }
+        addPythonImportEdge(edges, fromPath, resolvePythonModuleSpecifier(fromPath, moduleSpecifier, pathLookup), "python-from-import", moduleSpecifier);
+    }
+    return edges;
+}
 function extractImportEdges(fromPath, content, pathLookup) {
     const edges = [];
     for (const { pattern, kind } of IMPORT_PATTERNS) {
@@ -155,33 +666,574 @@ function extractImportEdges(fromPath, content, pathLookup) {
                 continue;
             const target = resolveSpecifier(fromPath, specifier, pathLookup);
             if (target) {
-                edges.push({ from: fromPath, to: target, kind });
+                edges.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind,
+                    confidence: IMPORT_EDGE_CONFIDENCE,
+                    reason: `Resolved ${kind} specifier '${specifier}'.`,
+                }));
             }
         }
     }
     return edges;
 }
+function importSpecifierRanges(content) {
+    const ranges = [];
+    for (const { pattern } of IMPORT_PATTERNS) {
+        pattern.lastIndex = 0;
+        for (const match of content.matchAll(pattern)) {
+            const specifier = match[1];
+            if (!specifier)
+                continue;
+            const fullMatch = match[0];
+            const doubleQuotedOffset = fullMatch.lastIndexOf(`"${specifier}"`);
+            const singleQuotedOffset = fullMatch.lastIndexOf(`'${specifier}'`);
+            const quotedOffset = doubleQuotedOffset >= 0 ? doubleQuotedOffset : singleQuotedOffset;
+            if (quotedOffset < 0)
+                continue;
+            const start = (match.index ?? 0) + quotedOffset + 1;
+            ranges.push({ start, end: start + specifier.length });
+        }
+    }
+    return ranges;
+}
+function isImportSpecifierRange(start, end, ranges) {
+    return ranges.some((range) => range.start === start && range.end === end);
+}
 function extractReferenceEdges(fromPath, content, pathLookup) {
     const edges = [];
+    const importRanges = importSpecifierRanges(content);
     STRING_LITERAL_PATTERN.lastIndex = 0;
     for (const match of content.matchAll(STRING_LITERAL_PATTERN)) {
         const literal = match[1];
         if (!literal)
             continue;
+        const literalStart = (match.index ?? 0) + 1;
+        if (isImportSpecifierRange(literalStart, literalStart + literal.length, importRanges)) {
+            continue;
+        }
         const target = resolveReferenceLiteral(fromPath, literal, pathLookup);
         if (target) {
+            const relativeReference = literal.startsWith(".");
             edges.push({
                 from: fromPath,
                 to: target,
-                kind: literal.startsWith(".")
+                kind: relativeReference
                     ? "relative-string-reference"
                     : "repo-path-reference",
+                direction: "directed",
+                confidence: relativeReference
+                    ? RELATIVE_REFERENCE_EDGE_CONFIDENCE
+                    : REFERENCE_EDGE_CONFIDENCE,
+                reason: relativeReference
+                    ? `Resolved relative string literal '${literal}'.`
+                    : `Resolved repository path string literal '${literal}'.`,
             });
         }
     }
     return edges;
 }
-export async function buildGraphBundleFromFs(repoManifest, root, disposition) {
+function isJsonSchemaPath(path) {
+    return posix
+        .basename(normalizeGraphPath(path))
+        .toLowerCase()
+        .endsWith(".schema.json");
+}
+function collectJsonSchemaRefs(value, refs) {
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            collectJsonSchemaRefs(item, refs);
+        }
+        return;
+    }
+    if (value === null || typeof value !== "object") {
+        return;
+    }
+    for (const [key, item] of Object.entries(value)) {
+        if (key === "$ref" && typeof item === "string" && item.trim().length > 0) {
+            refs.add(item.trim());
+            continue;
+        }
+        collectJsonSchemaRefs(item, refs);
+    }
+}
+function resolveJsonSchemaRef(fromPath, ref, pathLookup) {
+    const targetSpecifier = (ref.split("#", 1)[0] ?? "").trim();
+    if (targetSpecifier.length === 0) {
+        return undefined;
+    }
+    const normalizedSpecifier = normalizeGraphPath(targetSpecifier);
+    if (normalizedSpecifier.startsWith("/") ||
+        /^[a-z][a-z0-9+.-]*:/i.test(normalizedSpecifier)) {
+        return undefined;
+    }
+    const baseDir = posix.dirname(normalizeGraphPath(fromPath));
+    const candidate = targetSpecifier.startsWith(".") || !normalizedSpecifier.includes("/")
+        ? posix.join(baseDir, normalizedSpecifier)
+        : normalizedSpecifier;
+    return resolveCandidate(candidate, pathLookup);
+}
+function extractJsonSchemaReferenceEdges(fromPath, content, pathLookup) {
+    if (!isJsonSchemaPath(fromPath)) {
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch {
+        return [];
+    }
+    const refs = new Set();
+    collectJsonSchemaRefs(parsed, refs);
+    const edges = [];
+    for (const ref of refs) {
+        const target = resolveJsonSchemaRef(fromPath, ref, pathLookup);
+        if (!target || target === fromPath) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "json-schema-ref",
+            confidence: JSON_SCHEMA_REF_EDGE_CONFIDENCE,
+            reason: `JSON Schema $ref '${ref}' resolves to '${target}'.`,
+        }));
+    }
+    return edges;
+}
+function extractSchemaContractTestEdges(fromPath, content, pathLookup) {
+    if (!isTestPath(normalizeExtractorPath(fromPath)) ||
+        !/schema/i.test(fromPath) ||
+        !/\.schema\.json/i.test(content)) {
+        return [];
+    }
+    const literalBasenames = new Set();
+    STRING_LITERAL_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(STRING_LITERAL_PATTERN)) {
+        const literal = match[1];
+        if (!literal || !literal.toLowerCase().endsWith(".schema.json")) {
+            continue;
+        }
+        literalBasenames.add(posix.basename(normalizeGraphPath(literal)).toLowerCase());
+    }
+    if (literalBasenames.size === 0 ||
+        literalBasenames.size > MAX_BOUNDED_SUITE_EDGE_FILES) {
+        return [];
+    }
+    const targets = [...new Set(pathLookup.values())]
+        .filter((path) => {
+        const normalized = normalizeGraphPath(path);
+        return (isJsonSchemaPath(normalized) &&
+            literalBasenames.has(posix.basename(normalized).toLowerCase()));
+    })
+        .sort((a, b) => a.localeCompare(b));
+    if (targets.length > MAX_BOUNDED_SUITE_EDGE_FILES) {
+        return [];
+    }
+    return targets.map((target) => graphEdge({
+        from: fromPath,
+        to: target,
+        kind: "schema-contract-test-link",
+        confidence: SCHEMA_CONTRACT_TEST_EDGE_CONFIDENCE,
+        reason: `Schema contract test references '${posix.basename(target)}'.`,
+    }));
+}
+function isGithubWorkflowPath(path) {
+    const normalized = normalizeGraphPath(path).toLowerCase();
+    return (normalized.startsWith(".github/workflows/") &&
+        (normalized.endsWith(".yml") || normalized.endsWith(".yaml")));
+}
+function isTypescriptTypeContractPath(path, fileContents) {
+    const normalized = normalizeGraphPath(path);
+    const segments = normalized.split("/").filter(Boolean);
+    if (!segments.includes("types") ||
+        isTestPath(normalizeExtractorPath(normalized)) ||
+        !TYPESCRIPT_TYPE_CONTRACT_EXTENSIONS.some((extension) => normalized.endsWith(extension))) {
+        return false;
+    }
+    const content = fileContents[path];
+    if (!content || content.length > MAX_TYPE_CONTRACT_SOURCE_BYTES) {
+        return false;
+    }
+    return /\bexport\s+(?:declare\s+)?(?:interface|type|enum|const)\b/.test(content);
+}
+function packageScriptSuiteDirectories(graphEdges) {
+    const directories = new Set();
+    for (const edge of graphEdges) {
+        if (edge.kind !== "package-script-link") {
+            continue;
+        }
+        const directory = posix.dirname(normalizeGraphPath(edge.to));
+        const basename = posix.basename(directory);
+        if (basename === "scripts" || basename === "bin") {
+            directories.add(directory);
+        }
+    }
+    return directories;
+}
+function isPackageScriptSuitePath(path, suiteDirectories) {
+    const normalized = normalizeGraphPath(path);
+    return (suiteDirectories.has(posix.dirname(normalized)) &&
+        PACKAGE_SCRIPT_SUITE_EXTENSIONS.some((extension) => normalized.endsWith(extension)));
+}
+function isPythonTestUtilSuitePath(path) {
+    const normalized = normalizeGraphPath(path);
+    if (!normalized.endsWith(".py"))
+        return false;
+    if (isPytestConftestPath(normalized))
+        return false;
+    const dir = posix.dirname(normalized);
+    if (!PYTHON_TEST_UTIL_SEGMENT_NAMES.has(posix.basename(dir).toLowerCase()))
+        return false;
+    return isTestPath(normalizeExtractorPath(dir));
+}
+function extractBoundedSuiteEdges(pathLookup, fileContents, graphEdges) {
+    const files = [...new Set(pathLookup.values())].sort((a, b) => a.localeCompare(b));
+    const edges = [];
+    const scriptSuiteDirectories = packageScriptSuiteDirectories(graphEdges);
+    const addSuiteEdges = (params) => {
+        const groups = new Map();
+        for (const file of files) {
+            if (!params.predicate(file)) {
+                continue;
+            }
+            const directory = posix.dirname(normalizeGraphPath(file));
+            const group = groups.get(directory) ?? [];
+            group.push(file);
+            groups.set(directory, group);
+        }
+        for (const [directory, group] of groups) {
+            const maxFiles = params.maxFiles ?? MAX_BOUNDED_SUITE_EDGE_FILES;
+            if (group.length < 2 ||
+                group.length > maxFiles) {
+                continue;
+            }
+            const suiteName = directory === "." ? "repository root" : directory;
+            for (let index = 1; index < group.length; index++) {
+                edges.push(graphEdge({
+                    from: group[index - 1],
+                    to: group[index],
+                    kind: params.kind,
+                    direction: "undirected",
+                    confidence: params.confidence,
+                    reason: `${params.label} suite '${suiteName}' groups ${group.length} related file(s).`,
+                }));
+            }
+        }
+    };
+    addSuiteEdges({
+        predicate: isJsonSchemaPath,
+        kind: "schema-suite-link",
+        confidence: SCHEMA_SUITE_EDGE_CONFIDENCE,
+        label: "JSON Schema",
+    });
+    addSuiteEdges({
+        predicate: isGithubWorkflowPath,
+        kind: "github-workflow-suite-link",
+        confidence: GITHUB_WORKFLOW_SUITE_EDGE_CONFIDENCE,
+        label: "GitHub Actions workflow",
+    });
+    addSuiteEdges({
+        predicate: (path) => isPackageScriptSuitePath(path, scriptSuiteDirectories),
+        kind: "package-script-suite-link",
+        confidence: PACKAGE_SCRIPT_SUITE_EDGE_CONFIDENCE,
+        label: "Package script",
+    });
+    addSuiteEdges({
+        predicate: (path) => isTypescriptTypeContractPath(path, fileContents),
+        kind: "typescript-type-suite-link",
+        confidence: TYPESCRIPT_TYPE_SUITE_EDGE_CONFIDENCE,
+        label: "TypeScript type contract",
+        maxFiles: MAX_BOUNDED_TYPE_SUITE_EDGE_FILES,
+    });
+    addSuiteEdges({
+        predicate: isPythonTestUtilSuitePath,
+        kind: "python-test-util-suite-link",
+        confidence: PYTHON_TEST_UTIL_SUITE_EDGE_CONFIDENCE,
+        label: "Python test utility",
+    });
+    return edges;
+}
+function importedHandlerBinding(handlerExpression, bindings) {
+    const rootIdentifier = handlerExpression.split(".")[0];
+    return rootIdentifier ? bindings.get(rootIdentifier) : undefined;
+}
+function addRouteEvidence(params) {
+    const method = params.method ? normalizeHttpMethod(params.method) : undefined;
+    if (method && !ROUTE_METHODS.has(method)) {
+        return;
+    }
+    const handlerBinding = params.handlerExpression
+        ? importedHandlerBinding(params.handlerExpression, params.bindings)
+        : undefined;
+    const handlerPath = handlerBinding?.target ?? params.fromPath;
+    const route = {
+        path: normalizeRoutePath(params.routePath),
+        handler: handlerPath,
+    };
+    if (method) {
+        route.method = method;
+    }
+    params.routes.push(route);
+    if (handlerBinding && handlerPath !== params.fromPath) {
+        params.calls.push(graphEdge({
+            from: params.fromPath,
+            to: handlerPath,
+            kind: "route-handler-link",
+            confidence: ROUTE_HANDLER_EDGE_CONFIDENCE,
+            reason: `Route ${method ?? "handler"} '${route.path}' passes handler '${params.handlerExpression}' from '${handlerBinding.specifier}'.`,
+        }));
+    }
+}
+function extractRegisteredRouteEvidence(fromPath, content, pathLookup) {
+    const bindings = extractImportBindings(fromPath, content, pathLookup);
+    const calls = [];
+    const routes = [];
+    ROUTE_REGISTRATION_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(ROUTE_REGISTRATION_PATTERN)) {
+        const method = match[1];
+        const routePath = match[2];
+        const handlerExpression = match[3];
+        if (!method || !routePath)
+            continue;
+        addRouteEvidence({
+            fromPath,
+            routes,
+            calls,
+            method,
+            routePath,
+            handlerExpression,
+            bindings,
+        });
+    }
+    ROUTE_OBJECT_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(ROUTE_OBJECT_PATTERN)) {
+        const body = match[1];
+        if (!body)
+            continue;
+        const method = body.match(/\bmethod\s*:\s*["'`]([A-Za-z]+)["'`]/i)?.[1];
+        const routePath = body.match(/\b(?:url|path)\s*:\s*["'`]([^"'`]+)["'`]/i)?.[1];
+        const handlerExpression = body.match(/\bhandler\s*:\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?)/)?.[1];
+        if (!routePath)
+            continue;
+        addRouteEvidence({
+            fromPath,
+            routes,
+            calls,
+            method,
+            routePath,
+            handlerExpression,
+            bindings,
+        });
+    }
+    return { calls, routes };
+}
+function stripSourceExtension(path) {
+    const lowerPath = path.toLowerCase();
+    const extension = SOURCE_EXTENSIONS.find((item) => lowerPath.endsWith(item));
+    return extension ? path.slice(0, -extension.length) : path;
+}
+function nextRouteSegment(segment) {
+    if (!segment || (segment.startsWith("(") && segment.endsWith(")"))) {
+        return undefined;
+    }
+    const catchAll = segment.match(/^\[\.\.\.(.+)\]$/);
+    if (catchAll?.[1]) {
+        return `:${catchAll[1]}*`;
+    }
+    const dynamic = segment.match(/^\[(.+)\]$/);
+    if (dynamic?.[1]) {
+        return `:${dynamic[1]}`;
+    }
+    return segment;
+}
+function routePathFromSegments(segments) {
+    const routeSegments = segments
+        .map(nextRouteSegment)
+        .filter((segment) => segment !== undefined);
+    if (routeSegments.length === 0) {
+        return undefined;
+    }
+    return normalizeRoutePath(routeSegments.join("/"));
+}
+function conventionalRoutePath(filePath) {
+    const normalized = normalizeGraphPath(filePath);
+    const parts = normalized.split("/").filter(Boolean);
+    const lowerParts = parts.map((part) => part.toLowerCase());
+    const fileName = lowerParts.at(-1);
+    if (!fileName) {
+        return undefined;
+    }
+    const appIndex = lowerParts.lastIndexOf("app");
+    if (appIndex >= 0 && fileName.startsWith("route.")) {
+        return routePathFromSegments(parts.slice(appIndex + 1, -1));
+    }
+    const pagesIndex = lowerParts.lastIndexOf("pages");
+    const apiIndex = pagesIndex >= 0
+        ? lowerParts.indexOf("api", pagesIndex + 1)
+        : lowerParts.indexOf("api");
+    if (apiIndex >= 0 && apiIndex < parts.length - 1) {
+        const withoutExtension = stripSourceExtension(parts.at(-1) ?? "");
+        return routePathFromSegments([...parts.slice(apiIndex, -1), withoutExtension]);
+    }
+    return undefined;
+}
+function extractConventionalRouteEvidence(fromPath, content) {
+    const routePath = conventionalRoutePath(fromPath);
+    if (!routePath) {
+        return [];
+    }
+    const routes = [];
+    if (content) {
+        ROUTE_METHOD_EXPORT_PATTERN.lastIndex = 0;
+        for (const match of content.matchAll(ROUTE_METHOD_EXPORT_PATTERN)) {
+            const method = match[1];
+            if (method) {
+                routes.push({
+                    path: routePath,
+                    handler: fromPath,
+                    method,
+                });
+            }
+        }
+    }
+    return routes.length > 0 ? routes : [{ path: routePath, handler: fromPath }];
+}
+function fallbackRouteEdge(filePath) {
+    const normalized = filePath.toLowerCase();
+    if (normalized.includes("api/") || normalized.includes("route")) {
+        return {
+            path: `/${filePath.replaceAll("/", "_")}`,
+            handler: filePath,
+            method: "GET",
+        };
+    }
+    return undefined;
+}
+function stripKnownSourceExtension(path) {
+    const lowerPath = path.toLowerCase();
+    const extension = SOURCE_EXTENSIONS.find((item) => lowerPath.endsWith(item));
+    if (!extension) {
+        return undefined;
+    }
+    return path.slice(0, -extension.length);
+}
+function stripTestSuffix(pathWithoutExtension) {
+    const stripped = pathWithoutExtension.replace(/[._-](?:test|spec)$/i, "");
+    return stripped === pathWithoutExtension ? undefined : stripped;
+}
+function stripPythonTestPrefix(pathWithoutExtension) {
+    const basename = posix.basename(pathWithoutExtension);
+    const match = /^test[._-](.+)$/i.exec(basename);
+    if (!match?.[1]) {
+        return undefined;
+    }
+    const directory = posix.dirname(pathWithoutExtension);
+    return directory === "." ? match[1] : posix.join(directory, match[1]);
+}
+function addTestSourceCandidatesForBase(basePath, candidates) {
+    candidates.add(basePath);
+    const parts = basePath.split("/").filter(Boolean);
+    const topLevelSegment = parts[0]?.toLowerCase();
+    if (topLevelSegment && TOP_LEVEL_TEST_SEGMENTS.has(topLevelSegment)) {
+        const mirroredParts = parts.slice(1);
+        if (mirroredParts.length > 0) {
+            candidates.add(posix.join("src", ...mirroredParts));
+        }
+    }
+    for (let index = 1; index < parts.length; index++) {
+        if (COLOCATED_TEST_SEGMENTS.has(parts[index].toLowerCase())) {
+            const colocatedParts = [
+                ...parts.slice(0, index),
+                ...parts.slice(index + 1),
+            ];
+            if (colocatedParts.length > 0) {
+                candidates.add(posix.join(...colocatedParts));
+            }
+        }
+    }
+}
+function testSourceCandidates(testPath) {
+    const normalizedPath = normalizeGraphPath(testPath);
+    const withoutExtension = stripKnownSourceExtension(normalizedPath);
+    if (!withoutExtension) {
+        return [];
+    }
+    const baseCandidates = new Set();
+    const withoutTestSuffix = stripTestSuffix(withoutExtension);
+    if (withoutTestSuffix) {
+        baseCandidates.add(withoutTestSuffix);
+    }
+    if (isPythonSourcePath(normalizedPath)) {
+        const withoutPythonPrefix = stripPythonTestPrefix(withoutExtension);
+        if (withoutPythonPrefix) {
+            baseCandidates.add(withoutPythonPrefix);
+        }
+    }
+    const candidates = new Set();
+    for (const basePath of baseCandidates) {
+        addTestSourceCandidatesForBase(basePath, candidates);
+    }
+    return [...candidates];
+}
+function extractTestSourceEdges(fromPath, pathLookup) {
+    if (!isTestPath(normalizeExtractorPath(fromPath))) {
+        return [];
+    }
+    const edges = [];
+    for (const candidate of testSourceCandidates(fromPath)) {
+        const target = resolveCandidate(candidate, pathLookup);
+        if (!target || isTestPath(normalizeExtractorPath(target))) {
+            continue;
+        }
+        edges.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "test-source-link",
+            confidence: TEST_SOURCE_EDGE_CONFIDENCE,
+            reason: `Test path naming maps to source path '${target}'.`,
+        }));
+    }
+    return edges;
+}
+function isPytestConftestPath(path) {
+    return posix.basename(normalizeGraphPath(path)).toLowerCase() === "conftest.py";
+}
+function extractPytestConftestLinks(pathLookup) {
+    const allPaths = [...new Set(pathLookup.values())];
+    const conftestPaths = allPaths.filter((p) => isPytestConftestPath(p));
+    if (conftestPaths.length === 0)
+        return [];
+    const edges = [];
+    for (const conftestPath of conftestPaths) {
+        const conftestDir = posix.dirname(normalizeGraphPath(conftestPath));
+        if (!isTestPath(normalizeExtractorPath(conftestDir)))
+            continue;
+        const scopePrefix = `${conftestDir}/`;
+        for (const targetPath of allPaths) {
+            if (targetPath === conftestPath)
+                continue;
+            const normalizedTarget = normalizeGraphPath(targetPath);
+            if (!normalizedTarget.startsWith(scopePrefix))
+                continue;
+            if (!normalizedTarget.endsWith(".py"))
+                continue;
+            if (isPytestConftestPath(normalizedTarget))
+                continue;
+            edges.push(graphEdge({
+                from: conftestPath,
+                to: targetPath,
+                kind: "conftest-link",
+                confidence: CONFTEST_LINK_CONFIDENCE,
+                reason: `Pytest conftest '${conftestPath}' applies to all Python files in its scope directory.`,
+            }));
+        }
+    }
+    return edges;
+}
+export async function buildGraphBundleFromFs(repoManifest, root, disposition, options = {}) {
     const rootPath = resolve(root);
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
     const fileContents = {};
@@ -204,10 +1256,11 @@ export async function buildGraphBundleFromFs(repoManifest, root, disposition) {
             // Best-effort graph extraction should not block structure planning.
         }
     }));
-    return buildGraphBundle(repoManifest, disposition, { fileContents });
+    return buildGraphBundle(repoManifest, disposition, { ...options, fileContents });
 }
 export function buildGraphBundle(repoManifest, disposition, options = {}) {
     const imports = [];
+    const calls = [];
     const references = [];
     const routes = [];
     const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
@@ -217,22 +1270,18 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
         if (file.excluded || (status && isAuditExcludedStatus(status))) {
             continue;
         }
-        const normalized = file.path.toLowerCase();
-        if (normalized.includes("api/") || normalized.includes("route")) {
-            routes.push({
-                path: `/${file.path.replaceAll("/", "_")}`,
-                handler: file.path,
-                method: "GET",
-            });
-        }
         const parts = file.path.split("/");
         if (parts.length > 2) {
-            imports.push({
+            imports.push(graphEdge({
                 from: file.path,
                 to: `${parts[0]}/${parts[1]}`,
                 kind: "heuristic-container-edge",
-            });
+                direction: "undirected",
+                confidence: CONTAINER_EDGE_CONFIDENCE,
+                reason: "Path hierarchy suggests shared module ownership.",
+            }));
         }
+        const normalized = file.path.toLowerCase();
         if (normalized.includes("auth") &&
             normalized.includes("session") === false) {
             for (const other of repoManifest.files) {
@@ -242,25 +1291,56 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
                 if (otherStatus && isAuditExcludedStatus(otherStatus))
                     continue;
                 if (other.path.toLowerCase().includes("session")) {
-                    imports.push({
+                    imports.push(graphEdge({
                         from: file.path,
                         to: other.path,
                         kind: "heuristic-auth-session-link",
-                    });
+                        confidence: AUTH_SESSION_EDGE_CONFIDENCE,
+                        reason: "Security-sensitive auth path appears coupled to a session path by naming convention.",
+                    }));
                 }
             }
         }
         const content = options.fileContents?.[file.path];
+        const fileRoutes = [];
         if (content) {
             imports.push(...extractImportEdges(file.path, content, pathLookup));
+            imports.push(...extractPythonImportEdges(file.path, content, pathLookup));
             references.push(...extractReferenceEdges(file.path, content, pathLookup));
+            references.push(...extractJsonSchemaReferenceEdges(file.path, content, pathLookup));
+            references.push(...extractPackageEntrypointEdges(file.path, content, pathLookup));
+            references.push(...extractPackageScriptEdges(file.path, content, pathLookup));
+            references.push(...extractWorkspacePackageEdges(file.path, content, pathLookup));
+            references.push(...extractTypescriptProjectReferenceEdges(file.path, content, pathLookup));
+            references.push(...extractGoWorkspaceModuleEdges(file.path, content, pathLookup));
+            references.push(...extractCargoWorkspaceMemberEdges(file.path, content, pathLookup));
+            references.push(...extractMavenModuleEdges(file.path, content, pathLookup));
+            references.push(...extractPyprojectTestpathLinks(file.path, content, pathLookup));
+            references.push(...extractYamlPathReferenceEdges(file.path, content, pathLookup));
+            references.push(...extractSchemaContractTestEdges(file.path, content, pathLookup));
+            const registeredRoutes = extractRegisteredRouteEvidence(file.path, content, pathLookup);
+            calls.push(...registeredRoutes.calls);
+            fileRoutes.push(...registeredRoutes.routes);
         }
+        fileRoutes.push(...extractConventionalRouteEvidence(file.path, content));
+        if (fileRoutes.length === 0) {
+            const fallbackRoute = fallbackRouteEdge(file.path);
+            if (fallbackRoute) {
+                fileRoutes.push(fallbackRoute);
+            }
+        }
+        routes.push(...fileRoutes);
+        references.push(...extractTestSourceEdges(file.path, pathLookup));
     }
+    references.push(...extractAnalyzerOwnershipEdges(options.externalAnalyzerResults, pathLookup));
+    references.push(...extractPytestConftestLinks(pathLookup));
+    references.push(...extractBoundedSuiteEdges(pathLookup, options.fileContents ?? {}, references));
     return {
         graphs: {
             imports: uniqueSortedEdges(imports),
+            calls: uniqueSortedEdges(calls),
             references: uniqueSortedEdges(references),
-            routes,
+            routes: uniqueSortedRoutes(routes),
         },
     };
 }