auditor-lambda 0.3.40 → 0.5.0

package/dist/extractors/analyzers/treeSitter.js

@@ -0,0 +1,111 @@
+import { createRequire } from "node:module";
+import { dirname, join } from "node:path";
+import { pathToFileURL } from "node:url";
+const requireFromHere = createRequire(import.meta.url);
+let modulePromise;
+let initPromise;
+const languageCache = new Map();
+async function importParserModule(dependencyPath) {
+    const specifiers = [];
+    if (dependencyPath) {
+        try {
+            const manifest = requireFromHere(join(dependencyPath, "package.json"));
+            const entry = manifest.module ?? manifest.main ?? "index.js";
+            specifiers.push(pathToFileURL(join(dependencyPath, entry)).href);
+        }
+        catch {
+            // Fall through to the bare specifier.
+        }
+    }
+    specifiers.push("web-tree-sitter");
+    for (const specifier of specifiers) {
+        try {
+            const mod = (await import(specifier));
+            const resolved = (mod.Parser ? mod : mod.default);
+            if (resolved?.Parser && resolved.Language) {
+                return resolved;
+            }
+        }
+        catch {
+            // Try the next specifier.
+        }
+    }
+    return undefined;
+}
+async function getModule(dependencyPath) {
+    if (!modulePromise) {
+        modulePromise = importParserModule(dependencyPath);
+    }
+    return modulePromise;
+}
+async function ensureInit(parserModule) {
+    if (!initPromise) {
+        initPromise = parserModule.Parser.init()
+            .then(() => true)
+            .catch(() => false);
+    }
+    return initPromise;
+}
+function resolveGrammarPath(grammar) {
+    // tree-sitter-wasms ships prebuilt grammars under out/tree-sitter-<lang>.wasm.
+    try {
+        return requireFromHere.resolve(`tree-sitter-wasms/out/tree-sitter-${grammar}.wasm`);
+    }
+    catch {
+        // Fall back to locating the package root, then the file under out/.
+    }
+    try {
+        const pkg = requireFromHere.resolve("tree-sitter-wasms/package.json");
+        return join(dirname(pkg), "out", `tree-sitter-${grammar}.wasm`);
+    }
+    catch {
+        return undefined;
+    }
+}
+async function loadLanguage(parserModule, grammar) {
+    if (languageCache.has(grammar)) {
+        return languageCache.get(grammar) ?? undefined;
+    }
+    const grammarPath = resolveGrammarPath(grammar);
+    if (!grammarPath) {
+        languageCache.set(grammar, null);
+        return undefined;
+    }
+    try {
+        const language = await parserModule.Language.load(grammarPath);
+        languageCache.set(grammar, language);
+        return language;
+    }
+    catch {
+        languageCache.set(grammar, null);
+        return undefined;
+    }
+}
+/**
+ * Obtain a parser bound to `grammar` (e.g. "python", "html", "css"), or
+ * `undefined` if web-tree-sitter or the grammar wasm cannot be loaded.
+ */
+export async function getTreeSitterParser(grammar, dependencyPath) {
+    const parserModule = await getModule(dependencyPath);
+    if (!parserModule)
+        return undefined;
+    if (!(await ensureInit(parserModule)))
+        return undefined;
+    const language = await loadLanguage(parserModule, grammar);
+    if (!language)
+        return undefined;
+    try {
+        const parser = new parserModule.Parser();
+        parser.setLanguage(language);
+        return parser;
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Test seam: reset the memoised runtime/grammar caches. */
+export function __resetTreeSitterForTests() {
+    modulePromise = undefined;
+    initPromise = undefined;
+    languageCache.clear();
+}

package/dist/extractors/analyzers/types.d.ts

@@ -0,0 +1,53 @@
+import type { GraphEdge, RouteEdge, AnalyzerSetting } from "@audit-tools/shared";
+import type { FileDisposition } from "@audit-tools/shared";
+import type { RepoManifest } from "../../types.js";
+/**
+ * The compiler/parser graph seam (Phase 5.0). A `LanguageAnalyzer` enriches the
+ * deterministic regex floor with edges derived from a real parser/compiler. Each
+ * analyzer is optional: its dependency resolves from the audited repo's
+ * node_modules, a shared version-keyed cache, or not at all — and when it cannot
+ * resolve, the orchestrator simply keeps the regex floor.
+ */
+export interface AnalyzerOutput {
+    edges: GraphEdge[];
+    routes?: RouteEdge[];
+}
+export interface AnalyzerContext {
+    /** Absolute repository root. */
+    root: string;
+    repoManifest: RepoManifest;
+    disposition?: FileDisposition;
+    /** Repo-relative, audit-included file paths (the analyzer's working set). */
+    includedFiles: string[];
+    /** graphLookupKey(path) → repo-relative path, for resolving targets. */
+    pathLookup: Map<string, string>;
+    /** Resolved npm package directory for this analyzer's dependency, if any. */
+    dependencyPath?: string;
+}
+export interface LanguageAnalyzer {
+    /** Stable id; also the `analyzers.<id>` session-config key. */
+    id: string;
+    /** Optional npm dependency spec ("name" or "name@range") this analyzer needs. */
+    dependency?: string;
+    /** Whether this analyzer can contribute edges for the given repo-relative file. */
+    supports(file: string): boolean;
+    /** Analyze the supported subset of `files` and return enrichment edges/routes. */
+    analyze(files: string[], context: AnalyzerContext): Promise<AnalyzerOutput> | AnalyzerOutput;
+}
+/** How an analyzer's dependency resolved (or why it will not run). */
+export type AnalyzerResolution = "repo" | "cache" | "installed" | "absent" | "skip" | "not_applicable";
+/**
+ * Deterministic pre-install resolution for one analyzer. Computed without
+ * mutating anything (no install), so the conversation-first CLI can decide
+ * whether to propose an install before the executor runs.
+ */
+export interface AnalyzerPlanEntry {
+    id: string;
+    dependency?: string;
+    setting: AnalyzerSetting;
+    resolution: AnalyzerResolution;
+    /** Resolved package directory when resolution is repo/cache. */
+    path?: string;
+    /** Count of in-scope files the analyzer supports. */
+    supportedCount: number;
+}

package/dist/extractors/analyzers/typescript.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageAnalyzer } from "./types.js";
+export declare const typescriptAnalyzer: LanguageAnalyzer;

package/dist/extractors/analyzers/typescript.js

@@ -0,0 +1,257 @@
+import { readFileSync } from "node:fs";
+import { dirname, isAbsolute, join, relative, resolve } from "node:path";
+import { pathToFileURL } from "node:url";
+import { graphEdge, normalizeGraphPath, resolveCandidate } from "../graphPathUtils.js";
+import { TS_CALL_EDGE_CONFIDENCE, TS_EXTENDS_EDGE_CONFIDENCE, TS_IMPLEMENTS_EDGE_CONFIDENCE, TS_IMPORT_EDGE_CONFIDENCE, TS_REEXPORT_EDGE_CONFIDENCE, } from "./merge.js";
+const SUPPORTED_EXTENSIONS = [
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+];
+function supports(file) {
+    const lower = normalizeGraphPath(file).toLowerCase();
+    if (lower.endsWith(".d.ts"))
+        return false;
+    return SUPPORTED_EXTENSIONS.some((extension) => lower.endsWith(extension));
+}
+/**
+ * Load the TypeScript compiler module. Prefers the dependency resolved from the
+ * audited repo / shared cache (so its tsconfig + version semantics match);
+ * falls back to the bundled `typescript` so the analyzer still works when the
+ * caller did not pin a path.
+ */
+async function loadTypescript(dependencyPath) {
+    if (dependencyPath) {
+        try {
+            const manifest = JSON.parse(readFileSync(join(dependencyPath, "package.json"), "utf8"));
+            const mainPath = resolve(dependencyPath, manifest.main ?? "index.js");
+            const mod = (await import(pathToFileURL(mainPath).href));
+            return (mod.default ?? mod);
+        }
+        catch {
+            // Fall through to the bundled compiler.
+        }
+    }
+    const mod = (await import("typescript"));
+    return (mod.default ?? mod);
+}
+function loadCompilerOptions(ts, root) {
+    let options = {};
+    try {
+        const configPath = ts.findConfigFile(root, (path) => ts.sys.fileExists(path), "tsconfig.json");
+        if (configPath) {
+            const read = ts.readConfigFile(configPath, (path) => ts.sys.readFile(path));
+            const parsed = ts.parseJsonConfigFileContent(read.config ?? {}, ts.sys, dirname(configPath));
+            options = parsed.options;
+        }
+    }
+    catch {
+        options = {};
+    }
+    // Force a lenient, emit-free, JS-aware program: we only want resolution + the
+    // checker, never diagnostics or output.
+    return {
+        ...options,
+        allowJs: true,
+        checkJs: false,
+        noEmit: true,
+        skipLibCheck: true,
+        skipDefaultLibCheck: true,
+        declaration: false,
+        composite: false,
+        incremental: false,
+    };
+}
+/** Map an absolute file path back to its canonical audit-included repo path. */
+function mapToIncluded(state, absolutePath) {
+    const normalizedAbsolute = isAbsolute(absolutePath)
+        ? absolutePath
+        : resolve(state.root, absolutePath);
+    const relativePath = normalizeGraphPath(relative(state.root, normalizedAbsolute));
+    if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+        return undefined;
+    }
+    return resolveCandidate(relativePath, state.context.pathLookup);
+}
+function resolveSpecifierTarget(state, specifier, containingFile) {
+    const resolved = state.ts.resolveModuleName(specifier, containingFile, state.options, state.ts.sys);
+    const target = resolved.resolvedModule;
+    if (!target ||
+        target.isExternalLibraryImport ||
+        target.resolvedFileName.endsWith(".d.ts")) {
+        return undefined;
+    }
+    return mapToIncluded(state, target.resolvedFileName);
+}
+/** Follow import aliases to the symbol's real declaration source file. */
+function resolveSymbolToIncluded(state, symbol) {
+    if (!symbol)
+        return undefined;
+    let resolved = symbol;
+    if (resolved.flags & state.ts.SymbolFlags.Alias) {
+        try {
+            resolved = state.checker.getAliasedSymbol(resolved);
+        }
+        catch {
+            // Keep the un-aliased symbol on failure.
+        }
+    }
+    for (const declaration of resolved.declarations ?? []) {
+        const fileName = declaration.getSourceFile().fileName;
+        if (fileName.endsWith(".d.ts"))
+            continue;
+        const included = mapToIncluded(state, fileName);
+        if (included)
+            return included;
+    }
+    return undefined;
+}
+function collectFileEdges(state, sourceFile, fromPath, imports, references, calls) {
+    const ts = state.ts;
+    const callTargets = new Set();
+    const recordCall = (target) => {
+        if (!target || target === fromPath || callTargets.has(target))
+            return;
+        callTargets.add(target);
+        calls.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "ts-call",
+            confidence: TS_CALL_EDGE_CONFIDENCE,
+            reason: `TypeScript checker resolved a cross-file call into '${target}'.`,
+        }));
+    };
+    const visitHeritage = (node) => {
+        for (const clause of node.heritageClauses ?? []) {
+            const isExtends = clause.token === ts.SyntaxKind.ExtendsKeyword;
+            for (const typeNode of clause.types) {
+                const target = resolveSymbolToIncluded(state, state.checker.getSymbolAtLocation(typeNode.expression));
+                if (!target || target === fromPath)
+                    continue;
+                references.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: isExtends ? "ts-extends" : "ts-implements",
+                    confidence: isExtends
+                        ? TS_EXTENDS_EDGE_CONFIDENCE
+                        : TS_IMPLEMENTS_EDGE_CONFIDENCE,
+                    reason: `TypeScript ${isExtends ? "extends" : "implements"} heritage resolves to '${target}'.`,
+                }));
+            }
+        }
+    };
+    const visit = (node) => {
+        if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+            const target = resolveSpecifierTarget(state, node.moduleSpecifier.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-import",
+                    confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved import '${node.moduleSpecifier.text}' to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isExportDeclaration(node) &&
+            node.moduleSpecifier &&
+            ts.isStringLiteral(node.moduleSpecifier)) {
+            const target = resolveSpecifierTarget(state, node.moduleSpecifier.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-reexport",
+                    confidence: TS_REEXPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved re-export '${node.moduleSpecifier.text}' to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isImportEqualsDeclaration(node) &&
+            ts.isExternalModuleReference(node.moduleReference) &&
+            ts.isStringLiteral(node.moduleReference.expression)) {
+            const target = resolveSpecifierTarget(state, node.moduleReference.expression.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-import",
+                    confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved import-equals to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isCallExpression(node)) {
+            if (node.expression.kind === ts.SyntaxKind.ImportKeyword &&
+                node.arguments[0] &&
+                ts.isStringLiteral(node.arguments[0])) {
+                const target = resolveSpecifierTarget(state, node.arguments[0].text, sourceFile.fileName);
+                if (target && target !== fromPath) {
+                    imports.push(graphEdge({
+                        from: fromPath,
+                        to: target,
+                        kind: "ts-import",
+                        confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                        reason: `TypeScript resolved dynamic import to '${target}'.`,
+                    }));
+                }
+            }
+            else {
+                recordCall(resolveSymbolToIncluded(state, state.checker.getSymbolAtLocation(node.expression)));
+            }
+        }
+        else if (ts.isClassDeclaration(node) ||
+            ts.isClassExpression(node) ||
+            ts.isInterfaceDeclaration(node)) {
+            visitHeritage(node);
+        }
+        ts.forEachChild(node, visit);
+    };
+    ts.forEachChild(sourceFile, visit);
+}
+async function analyze(files, context) {
+    if (files.length === 0)
+        return { edges: [] };
+    let ts;
+    try {
+        ts = await loadTypescript(context.dependencyPath);
+    }
+    catch {
+        return { edges: [] };
+    }
+    try {
+        const root = resolve(context.root);
+        const options = loadCompilerOptions(ts, root);
+        const rootNames = files.map((file) => resolve(root, file));
+        const program = ts.createProgram({ rootNames, options });
+        const checker = program.getTypeChecker();
+        const state = { ts, options, checker, context, root };
+        const imports = [];
+        const references = [];
+        const calls = [];
+        for (const sourceFile of program.getSourceFiles()) {
+            if (sourceFile.isDeclarationFile)
+                continue;
+            const fromPath = mapToIncluded(state, sourceFile.fileName);
+            if (!fromPath)
+                continue;
+            collectFileEdges(state, sourceFile, fromPath, imports, references, calls);
+        }
+        return { edges: [...imports, ...references, ...calls] };
+    }
+    catch {
+        // Any compiler failure degrades cleanly to the regex floor.
+        return { edges: [] };
+    }
+}
+export const typescriptAnalyzer = {
+    id: "typescript",
+    dependency: "typescript@5",
+    supports,
+    analyze,
+};

package/dist/extractors/browserExtension.d.ts

@@ -1,7 +1,5 @@
 import type { Lens, RepoManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
-import type { GraphBundle, GraphEdge } from "../types/graph.js";
-import type { SurfaceRecord } from "../types/surfaces.js";
+import type { FileDisposition, GraphBundle, GraphEdge, SurfaceRecord } from "@audit-tools/shared";
 export declare const BROWSER_EXTENSION_HEURISTIC_NOTE = "Chrome extension manifest and HTML asset references were resolved deterministically from local paths; verify unusual dynamic registration manually.";
 export declare function isBrowserExtensionManifestPath(path: string): boolean;
 export declare function extractChromeExtensionManifestEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];

package/dist/extractors/browserExtension.js

@@ -1,5 +1,5 @@
 import { posix } from "node:path";
-import { isAuditExcludedStatus } from "./disposition.js";
+import { buildDispositionMap, isAuditExcludedStatus } from "./disposition.js";
 import { graphEdge, normalizeGraphPath, resolveCandidate, } from "./graphPathUtils.js";
 export const BROWSER_EXTENSION_HEURISTIC_NOTE = "Chrome extension manifest and HTML asset references were resolved deterministically from local paths; verify unusual dynamic registration manually.";
 const CHROME_EXTENSION_BACKGROUND_EDGE = "chrome-extension-background-link";
@@ -334,7 +334,7 @@ export function buildBrowserExtensionSurfacesFromGraph(graphBundle, disposition)
     const references = Array.isArray(graphBundle?.graphs.references)
         ? graphBundle.graphs.references
         : [];
-    const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    const dispositionMap = buildDispositionMap(disposition);
     const surfaces = [];
     const seen = new Set();
     for (const edge of references) {

package/dist/extractors/designAssessment.d.ts

@@ -1,8 +1,6 @@
 import type { UnitManifest } from "../types.js";
+import type { GraphBundle, CriticalFlowManifest, RiskRegister } from "@audit-tools/shared";
 import type { DesignAssessment } from "../types/designAssessment.js";
-import type { GraphBundle } from "../types/graph.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
-import type { RiskRegister } from "../types/risk.js";
 export declare function buildDesignAssessment(params: {
     unitManifest: UnitManifest;
     graphBundle: GraphBundle;

package/dist/extractors/disposition.d.ts

@@ -1,8 +1,9 @@
 import type { RepoManifest } from "../types.js";
-import type { FileDisposition, FileDispositionStatus } from "../types/disposition.js";
+import type { FileDisposition, FileDispositionStatus } from "@audit-tools/shared";
 /**
  * Applies shared path heuristics to mark files that should be excluded or
  * down-scoped before audit planning begins.
  */
 export declare function buildFileDisposition(repoManifest: RepoManifest): FileDisposition;
+export declare function buildDispositionMap(disposition?: FileDisposition): Map<string, FileDispositionStatus>;
 export declare function isAuditExcludedStatus(status: FileDispositionStatus): boolean;

package/dist/extractors/disposition.js

@@ -1,9 +1,16 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isTmpPath, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
         return { path, status: "excluded", reason: "node_modules or .git excluded by convention." };
     }
+    if (isTmpPath(normalized)) {
+        return {
+            path,
+            status: "excluded",
+            reason: "Temporary/bundled artifact directory (.tmp) excluded by convention.",
+        };
+    }
     if (isBuildOutput(normalized)) {
         return { path, status: "generated", reason: "Build output path." };
     }
@@ -75,6 +82,9 @@ export function buildFileDisposition(repoManifest) {
         files: repoManifest.files.map((file) => inferDisposition(file.path)),
     };
 }
+export function buildDispositionMap(disposition) {
+    return new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+}
 export function isAuditExcludedStatus(status) {
     return (status === "excluded" ||
         status === "generated" ||

package/dist/extractors/flows.d.ts

@@ -1,7 +1,5 @@
 import type { RepoManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
-import type { CriticalFlowManifest } from "../types/flows.js";
-import type { SurfaceManifest } from "../types/surfaces.js";
+import type { FileDisposition, CriticalFlowManifest, SurfaceManifest } from "@audit-tools/shared";
 /**
  * Builds coarse critical-flow coverage from shared path heuristics. These
  * bootstrap flows are intentionally conservative and should be reviewed when a

package/dist/extractors/flows.js

@@ -1,4 +1,4 @@
-import { isAuditExcludedStatus } from "./disposition.js";
+import { buildDispositionMap, isAuditExcludedStatus } from "./disposition.js";
 import { EXTRACTOR_HEURISTIC_NOTE, isAsyncTaskPath, isBillingPath, isIdentityPath, isSecuritySensitivePath, isTestPath, isDataLayerPath, isConcurrencyPath, isInterfacePath, isDeploymentConfigPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferConcerns(paths) {
     const concerns = new Set();
@@ -65,7 +65,7 @@ function dedupeFlows(flows) {
  * repo uses unconventional naming or layout conventions.
  */
 export function buildCriticalFlowManifest(repoManifest, surfaceManifest, disposition) {
-    const dispositionMap = new Map(disposition?.files.map((item) => [item.path, item.status]) ?? []);
+    const dispositionMap = buildDispositionMap(disposition);
     const availablePaths = repoManifest.files
         .map((file) => file.path)
         .filter((path) => {

package/dist/extractors/graph.d.ts

@@ -1,10 +1,10 @@
 import type { RepoManifest } from "../types.js";
-import type { FileDisposition } from "../types/disposition.js";
+import type { FileDisposition, GraphBundle } from "@audit-tools/shared";
 import type { ExternalAnalyzerResults } from "../types/externalAnalyzer.js";
-import type { GraphBundle } from "../types/graph.js";
 export interface BuildGraphBundleOptions {
     fileContents?: Record<string, string>;
     externalAnalyzerResults?: ExternalAnalyzerResults;
 }
+export declare function buildPathLookup(repoManifest: RepoManifest, dispositionMap: Map<string, FileDisposition["files"][number]["status"]>): Map<string, string>;
 export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition, options?: Pick<BuildGraphBundleOptions, "externalAnalyzerResults">): Promise<GraphBundle>;
 export declare function buildGraphBundle(repoManifest: RepoManifest, disposition?: FileDisposition, options?: BuildGraphBundleOptions): GraphBundle;