auditor-lambda 0.3.41 → 0.6.0

package/dist/extractors/analyzers/treeSitter.js

@@ -0,0 +1,111 @@
+import { createRequire } from "node:module";
+import { dirname, join } from "node:path";
+import { pathToFileURL } from "node:url";
+const requireFromHere = createRequire(import.meta.url);
+let modulePromise;
+let initPromise;
+const languageCache = new Map();
+async function importParserModule(dependencyPath) {
+    const specifiers = [];
+    if (dependencyPath) {
+        try {
+            const manifest = requireFromHere(join(dependencyPath, "package.json"));
+            const entry = manifest.module ?? manifest.main ?? "index.js";
+            specifiers.push(pathToFileURL(join(dependencyPath, entry)).href);
+        }
+        catch {
+            // Fall through to the bare specifier.
+        }
+    }
+    specifiers.push("web-tree-sitter");
+    for (const specifier of specifiers) {
+        try {
+            const mod = (await import(specifier));
+            const resolved = (mod.Parser ? mod : mod.default);
+            if (resolved?.Parser && resolved.Language) {
+                return resolved;
+            }
+        }
+        catch {
+            // Try the next specifier.
+        }
+    }
+    return undefined;
+}
+async function getModule(dependencyPath) {
+    if (!modulePromise) {
+        modulePromise = importParserModule(dependencyPath);
+    }
+    return modulePromise;
+}
+async function ensureInit(parserModule) {
+    if (!initPromise) {
+        initPromise = parserModule.Parser.init()
+            .then(() => true)
+            .catch(() => false);
+    }
+    return initPromise;
+}
+function resolveGrammarPath(grammar) {
+    // tree-sitter-wasms ships prebuilt grammars under out/tree-sitter-<lang>.wasm.
+    try {
+        return requireFromHere.resolve(`tree-sitter-wasms/out/tree-sitter-${grammar}.wasm`);
+    }
+    catch {
+        // Fall back to locating the package root, then the file under out/.
+    }
+    try {
+        const pkg = requireFromHere.resolve("tree-sitter-wasms/package.json");
+        return join(dirname(pkg), "out", `tree-sitter-${grammar}.wasm`);
+    }
+    catch {
+        return undefined;
+    }
+}
+async function loadLanguage(parserModule, grammar) {
+    if (languageCache.has(grammar)) {
+        return languageCache.get(grammar) ?? undefined;
+    }
+    const grammarPath = resolveGrammarPath(grammar);
+    if (!grammarPath) {
+        languageCache.set(grammar, null);
+        return undefined;
+    }
+    try {
+        const language = await parserModule.Language.load(grammarPath);
+        languageCache.set(grammar, language);
+        return language;
+    }
+    catch {
+        languageCache.set(grammar, null);
+        return undefined;
+    }
+}
+/**
+ * Obtain a parser bound to `grammar` (e.g. "python", "html", "css"), or
+ * `undefined` if web-tree-sitter or the grammar wasm cannot be loaded.
+ */
+export async function getTreeSitterParser(grammar, dependencyPath) {
+    const parserModule = await getModule(dependencyPath);
+    if (!parserModule)
+        return undefined;
+    if (!(await ensureInit(parserModule)))
+        return undefined;
+    const language = await loadLanguage(parserModule, grammar);
+    if (!language)
+        return undefined;
+    try {
+        const parser = new parserModule.Parser();
+        parser.setLanguage(language);
+        return parser;
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Test seam: reset the memoised runtime/grammar caches. */
+export function __resetTreeSitterForTests() {
+    modulePromise = undefined;
+    initPromise = undefined;
+    languageCache.clear();
+}

package/dist/extractors/analyzers/types.d.ts

@@ -0,0 +1,53 @@
+import type { GraphEdge, RouteEdge, AnalyzerSetting } from "@audit-tools/shared";
+import type { FileDisposition } from "@audit-tools/shared";
+import type { RepoManifest } from "../../types.js";
+/**
+ * The compiler/parser graph seam (Phase 5.0). A `LanguageAnalyzer` enriches the
+ * deterministic regex floor with edges derived from a real parser/compiler. Each
+ * analyzer is optional: its dependency resolves from the audited repo's
+ * node_modules, a shared version-keyed cache, or not at all — and when it cannot
+ * resolve, the orchestrator simply keeps the regex floor.
+ */
+export interface AnalyzerOutput {
+    edges: GraphEdge[];
+    routes?: RouteEdge[];
+}
+export interface AnalyzerContext {
+    /** Absolute repository root. */
+    root: string;
+    repoManifest: RepoManifest;
+    disposition?: FileDisposition;
+    /** Repo-relative, audit-included file paths (the analyzer's working set). */
+    includedFiles: string[];
+    /** graphLookupKey(path) → repo-relative path, for resolving targets. */
+    pathLookup: Map<string, string>;
+    /** Resolved npm package directory for this analyzer's dependency, if any. */
+    dependencyPath?: string;
+}
+export interface LanguageAnalyzer {
+    /** Stable id; also the `analyzers.<id>` session-config key. */
+    id: string;
+    /** Optional npm dependency spec ("name" or "name@range") this analyzer needs. */
+    dependency?: string;
+    /** Whether this analyzer can contribute edges for the given repo-relative file. */
+    supports(file: string): boolean;
+    /** Analyze the supported subset of `files` and return enrichment edges/routes. */
+    analyze(files: string[], context: AnalyzerContext): Promise<AnalyzerOutput> | AnalyzerOutput;
+}
+/** How an analyzer's dependency resolved (or why it will not run). */
+export type AnalyzerResolution = "repo" | "cache" | "installed" | "absent" | "skip" | "not_applicable";
+/**
+ * Deterministic pre-install resolution for one analyzer. Computed without
+ * mutating anything (no install), so the conversation-first CLI can decide
+ * whether to propose an install before the executor runs.
+ */
+export interface AnalyzerPlanEntry {
+    id: string;
+    dependency?: string;
+    setting: AnalyzerSetting;
+    resolution: AnalyzerResolution;
+    /** Resolved package directory when resolution is repo/cache. */
+    path?: string;
+    /** Count of in-scope files the analyzer supports. */
+    supportedCount: number;
+}

package/dist/extractors/analyzers/types.js

@@ -0,0 +1 @@
+export {};

package/dist/extractors/analyzers/typescript.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageAnalyzer } from "./types.js";
+export declare const typescriptAnalyzer: LanguageAnalyzer;

package/dist/extractors/analyzers/typescript.js

@@ -0,0 +1,257 @@
+import { readFileSync } from "node:fs";
+import { dirname, isAbsolute, join, relative, resolve } from "node:path";
+import { pathToFileURL } from "node:url";
+import { graphEdge, normalizeGraphPath, resolveCandidate } from "../graphPathUtils.js";
+import { TS_CALL_EDGE_CONFIDENCE, TS_EXTENDS_EDGE_CONFIDENCE, TS_IMPLEMENTS_EDGE_CONFIDENCE, TS_IMPORT_EDGE_CONFIDENCE, TS_REEXPORT_EDGE_CONFIDENCE, } from "./merge.js";
+const SUPPORTED_EXTENSIONS = [
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+];
+function supports(file) {
+    const lower = normalizeGraphPath(file).toLowerCase();
+    if (lower.endsWith(".d.ts"))
+        return false;
+    return SUPPORTED_EXTENSIONS.some((extension) => lower.endsWith(extension));
+}
+/**
+ * Load the TypeScript compiler module. Prefers the dependency resolved from the
+ * audited repo / shared cache (so its tsconfig + version semantics match);
+ * falls back to the bundled `typescript` so the analyzer still works when the
+ * caller did not pin a path.
+ */
+async function loadTypescript(dependencyPath) {
+    if (dependencyPath) {
+        try {
+            const manifest = JSON.parse(readFileSync(join(dependencyPath, "package.json"), "utf8"));
+            const mainPath = resolve(dependencyPath, manifest.main ?? "index.js");
+            const mod = (await import(pathToFileURL(mainPath).href));
+            return (mod.default ?? mod);
+        }
+        catch {
+            // Fall through to the bundled compiler.
+        }
+    }
+    const mod = (await import("typescript"));
+    return (mod.default ?? mod);
+}
+function loadCompilerOptions(ts, root) {
+    let options = {};
+    try {
+        const configPath = ts.findConfigFile(root, (path) => ts.sys.fileExists(path), "tsconfig.json");
+        if (configPath) {
+            const read = ts.readConfigFile(configPath, (path) => ts.sys.readFile(path));
+            const parsed = ts.parseJsonConfigFileContent(read.config ?? {}, ts.sys, dirname(configPath));
+            options = parsed.options;
+        }
+    }
+    catch {
+        options = {};
+    }
+    // Force a lenient, emit-free, JS-aware program: we only want resolution + the
+    // checker, never diagnostics or output.
+    return {
+        ...options,
+        allowJs: true,
+        checkJs: false,
+        noEmit: true,
+        skipLibCheck: true,
+        skipDefaultLibCheck: true,
+        declaration: false,
+        composite: false,
+        incremental: false,
+    };
+}
+/** Map an absolute file path back to its canonical audit-included repo path. */
+function mapToIncluded(state, absolutePath) {
+    const normalizedAbsolute = isAbsolute(absolutePath)
+        ? absolutePath
+        : resolve(state.root, absolutePath);
+    const relativePath = normalizeGraphPath(relative(state.root, normalizedAbsolute));
+    if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+        return undefined;
+    }
+    return resolveCandidate(relativePath, state.context.pathLookup);
+}
+function resolveSpecifierTarget(state, specifier, containingFile) {
+    const resolved = state.ts.resolveModuleName(specifier, containingFile, state.options, state.ts.sys);
+    const target = resolved.resolvedModule;
+    if (!target ||
+        target.isExternalLibraryImport ||
+        target.resolvedFileName.endsWith(".d.ts")) {
+        return undefined;
+    }
+    return mapToIncluded(state, target.resolvedFileName);
+}
+/** Follow import aliases to the symbol's real declaration source file. */
+function resolveSymbolToIncluded(state, symbol) {
+    if (!symbol)
+        return undefined;
+    let resolved = symbol;
+    if (resolved.flags & state.ts.SymbolFlags.Alias) {
+        try {
+            resolved = state.checker.getAliasedSymbol(resolved);
+        }
+        catch {
+            // Keep the un-aliased symbol on failure.
+        }
+    }
+    for (const declaration of resolved.declarations ?? []) {
+        const fileName = declaration.getSourceFile().fileName;
+        if (fileName.endsWith(".d.ts"))
+            continue;
+        const included = mapToIncluded(state, fileName);
+        if (included)
+            return included;
+    }
+    return undefined;
+}
+function collectFileEdges(state, sourceFile, fromPath, imports, references, calls) {
+    const ts = state.ts;
+    const callTargets = new Set();
+    const recordCall = (target) => {
+        if (!target || target === fromPath || callTargets.has(target))
+            return;
+        callTargets.add(target);
+        calls.push(graphEdge({
+            from: fromPath,
+            to: target,
+            kind: "ts-call",
+            confidence: TS_CALL_EDGE_CONFIDENCE,
+            reason: `TypeScript checker resolved a cross-file call into '${target}'.`,
+        }));
+    };
+    const visitHeritage = (node) => {
+        for (const clause of node.heritageClauses ?? []) {
+            const isExtends = clause.token === ts.SyntaxKind.ExtendsKeyword;
+            for (const typeNode of clause.types) {
+                const target = resolveSymbolToIncluded(state, state.checker.getSymbolAtLocation(typeNode.expression));
+                if (!target || target === fromPath)
+                    continue;
+                references.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: isExtends ? "ts-extends" : "ts-implements",
+                    confidence: isExtends
+                        ? TS_EXTENDS_EDGE_CONFIDENCE
+                        : TS_IMPLEMENTS_EDGE_CONFIDENCE,
+                    reason: `TypeScript ${isExtends ? "extends" : "implements"} heritage resolves to '${target}'.`,
+                }));
+            }
+        }
+    };
+    const visit = (node) => {
+        if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+            const target = resolveSpecifierTarget(state, node.moduleSpecifier.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-import",
+                    confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved import '${node.moduleSpecifier.text}' to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isExportDeclaration(node) &&
+            node.moduleSpecifier &&
+            ts.isStringLiteral(node.moduleSpecifier)) {
+            const target = resolveSpecifierTarget(state, node.moduleSpecifier.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-reexport",
+                    confidence: TS_REEXPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved re-export '${node.moduleSpecifier.text}' to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isImportEqualsDeclaration(node) &&
+            ts.isExternalModuleReference(node.moduleReference) &&
+            ts.isStringLiteral(node.moduleReference.expression)) {
+            const target = resolveSpecifierTarget(state, node.moduleReference.expression.text, sourceFile.fileName);
+            if (target && target !== fromPath) {
+                imports.push(graphEdge({
+                    from: fromPath,
+                    to: target,
+                    kind: "ts-import",
+                    confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                    reason: `TypeScript resolved import-equals to '${target}'.`,
+                }));
+            }
+        }
+        else if (ts.isCallExpression(node)) {
+            if (node.expression.kind === ts.SyntaxKind.ImportKeyword &&
+                node.arguments[0] &&
+                ts.isStringLiteral(node.arguments[0])) {
+                const target = resolveSpecifierTarget(state, node.arguments[0].text, sourceFile.fileName);
+                if (target && target !== fromPath) {
+                    imports.push(graphEdge({
+                        from: fromPath,
+                        to: target,
+                        kind: "ts-import",
+                        confidence: TS_IMPORT_EDGE_CONFIDENCE,
+                        reason: `TypeScript resolved dynamic import to '${target}'.`,
+                    }));
+                }
+            }
+            else {
+                recordCall(resolveSymbolToIncluded(state, state.checker.getSymbolAtLocation(node.expression)));
+            }
+        }
+        else if (ts.isClassDeclaration(node) ||
+            ts.isClassExpression(node) ||
+            ts.isInterfaceDeclaration(node)) {
+            visitHeritage(node);
+        }
+        ts.forEachChild(node, visit);
+    };
+    ts.forEachChild(sourceFile, visit);
+}
+async function analyze(files, context) {
+    if (files.length === 0)
+        return { edges: [] };
+    let ts;
+    try {
+        ts = await loadTypescript(context.dependencyPath);
+    }
+    catch {
+        return { edges: [] };
+    }
+    try {
+        const root = resolve(context.root);
+        const options = loadCompilerOptions(ts, root);
+        const rootNames = files.map((file) => resolve(root, file));
+        const program = ts.createProgram({ rootNames, options });
+        const checker = program.getTypeChecker();
+        const state = { ts, options, checker, context, root };
+        const imports = [];
+        const references = [];
+        const calls = [];
+        for (const sourceFile of program.getSourceFiles()) {
+            if (sourceFile.isDeclarationFile)
+                continue;
+            const fromPath = mapToIncluded(state, sourceFile.fileName);
+            if (!fromPath)
+                continue;
+            collectFileEdges(state, sourceFile, fromPath, imports, references, calls);
+        }
+        return { edges: [...imports, ...references, ...calls] };
+    }
+    catch {
+        // Any compiler failure degrades cleanly to the regex floor.
+        return { edges: [] };
+    }
+}
+export const typescriptAnalyzer = {
+    id: "typescript",
+    dependency: "typescript@5",
+    supports,
+    analyze,
+};

package/dist/extractors/disposition.js

@@ -1,9 +1,16 @@
-import { isNodeModulesOrGit, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
+import { isNodeModulesOrGit, isTmpPath, isBuildOutput, isVendorPath, isBinaryArtifact, isLicensePath, isLockfilePath, isLogPath, isDocPath, isGeneratedPath, isAuditArtifactPath, isGeneratedTestArtifactPath, isGeneratedInstallArtifactPath, isExamplesOrFixturesPath, normalizeExtractorPath, } from "./pathPatterns.js";
 function inferDisposition(path) {
     const normalized = normalizeExtractorPath(path);
     if (isNodeModulesOrGit(normalized)) {
         return { path, status: "excluded", reason: "node_modules or .git excluded by convention." };
     }
+    if (isTmpPath(normalized)) {
+        return {
+            path,
+            status: "excluded",
+            reason: "Temporary/bundled artifact directory (.tmp) excluded by convention.",
+        };
+    }
     if (isBuildOutput(normalized)) {
         return { path, status: "generated", reason: "Build output path." };
     }

package/dist/extractors/graph.d.ts

@@ -5,5 +5,6 @@ export interface BuildGraphBundleOptions {
     fileContents?: Record<string, string>;
     externalAnalyzerResults?: ExternalAnalyzerResults;
 }
+export declare function buildPathLookup(repoManifest: RepoManifest, dispositionMap: Map<string, FileDisposition["files"][number]["status"]>): Map<string, string>;
 export declare function buildGraphBundleFromFs(repoManifest: RepoManifest, root: string, disposition?: FileDisposition, options?: Pick<BuildGraphBundleOptions, "externalAnalyzerResults">): Promise<GraphBundle>;
 export declare function buildGraphBundle(repoManifest: RepoManifest, disposition?: FileDisposition, options?: BuildGraphBundleOptions): GraphBundle;

package/dist/extractors/graph.js

@@ -134,7 +134,7 @@ function shouldReadForGraph(file) {
             isMavenPomPath(normalized) ||
             isPyprojectPath(normalized)));
 }
-function buildPathLookup(repoManifest, dispositionMap) {
+export function buildPathLookup(repoManifest, dispositionMap) {
     return new Map(repoManifest.files
         .filter((file) => {
         const status = dispositionMap.get(file.path);
@@ -783,6 +783,169 @@ function extractConventionalRouteEvidence(fromPath, content) {
     }
     return routes.length > 0 ? routes : [{ path: routePath, handler: fromPath }];
 }
+// ---- Phase 4A: decorator / framework route detection ----
+// Deterministic route patterns for NestJS, FastAPI, Flask, and Angular. These
+// emit only the existing RouteEdge / route-handler-link shapes — no new
+// planning-topology edge kinds. Each branch is gated on a framework marker so
+// the patterns do not fire on unrelated decorators or object literals. An
+// AST-based version can later move behind the analyzer seam; this is the
+// regex floor for these frameworks.
+const NEST_CONTROLLER_PATTERN = /@Controller\s*\(([\s\S]{0,200}?)\)/g;
+const NEST_METHOD_DECORATOR_PATTERN = /@(Get|Post|Put|Patch|Delete|Options|Head|All)\s*\(\s*(?:["'`]([^"'`]*)["'`])?/g;
+const PY_DECORATOR_METHOD_PATTERN = /@\s*[A-Za-z_]\w*\s*\.\s*(get|post|put|patch|delete|options|head|trace|websocket)\s*\(\s*["']([^"']+)["']/g;
+const PY_ROUTE_DECORATOR_PATTERN = /@\s*[A-Za-z_]\w*\s*\.\s*(api_route|route)\s*\(\s*["']([^"']+)["']([\s\S]{0,200}?)\)/g;
+const PY_METHODS_LIST_PATTERN = /methods\s*=\s*\[([^\]]*)\]/;
+const PY_METHOD_LITERAL_PATTERN = /["']([A-Za-z]+)["']/g;
+const ANGULAR_FILE_MARKER_PATTERN = /\b(?:RouterModule|provideRouter|loadChildren|loadComponent)\b|:\s*Routes\b/;
+const ANGULAR_ROUTE_OBJECT_PATTERN = /\{[^{}]*?\bpath\s*:\s*["'`]([^"'`]*)["'`][^{}]*?\}/g;
+const ANGULAR_ROUTE_KEY_PATTERN = /\b(?:component|loadChildren|loadComponent|redirectTo)\s*:/;
+const ANGULAR_COMPONENT_PATTERN = /\b(?:component|loadComponent)\s*:\s*([A-Za-z_$][\w$]*)/;
+const ANGULAR_LAZY_IMPORT_PATTERN = /\b(?:loadChildren|loadComponent)\s*:[\s\S]*?import\s*\(\s*["']([^"']+)["']\s*\)/;
+const TS_LIKE_EXTENSION_PATTERN = /\.(?:ts|tsx|mts|cts|js|jsx|mjs|cjs)$/;
+/** Join route segments (controller prefix + method path) into one clean path. */
+function joinRouteSegments(...segments) {
+    return segments
+        .map((segment) => segment.trim().replace(/^\/+|\/+$/g, ""))
+        .filter((segment) => segment.length > 0)
+        .join("/");
+}
+/** Controller prefixes in document order, so each method can take the nearest. */
+function nestControllerPrefixes(content) {
+    const prefixes = [];
+    NEST_CONTROLLER_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(NEST_CONTROLLER_PATTERN)) {
+        const arg = match[1] ?? "";
+        const pathProp = arg.match(/\bpath\s*:\s*["'`]([^"'`]*)["'`]/);
+        const firstString = arg.match(/["'`]([^"'`]*)["'`]/);
+        const prefix = pathProp?.[1] ?? firstString?.[1] ?? "";
+        prefixes.push({ index: match.index ?? 0, prefix });
+    }
+    return prefixes;
+}
+function collectNestRoutes(fromPath, content, routes) {
+    if (!content.includes("@Controller")) {
+        return;
+    }
+    const controllers = nestControllerPrefixes(content);
+    if (controllers.length === 0) {
+        return;
+    }
+    NEST_METHOD_DECORATOR_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(NEST_METHOD_DECORATOR_PATTERN)) {
+        const method = match[1];
+        if (!method)
+            continue;
+        const subPath = match[2] ?? "";
+        const at = match.index ?? 0;
+        let prefix = "";
+        for (const controller of controllers) {
+            if (controller.index <= at)
+                prefix = controller.prefix;
+            else
+                break;
+        }
+        routes.push({
+            path: normalizeRoutePath(joinRouteSegments(prefix, subPath)),
+            handler: fromPath,
+            method: method.toUpperCase(),
+        });
+    }
+}
+function pythonRouteMethods(args) {
+    const listMatch = args.match(PY_METHODS_LIST_PATTERN);
+    if (!listMatch?.[1])
+        return [];
+    PY_METHOD_LITERAL_PATTERN.lastIndex = 0;
+    return [...listMatch[1].matchAll(PY_METHOD_LITERAL_PATTERN)].map((method) => method[1].toUpperCase());
+}
+function collectPythonFrameworkRoutes(fromPath, content, routes) {
+    // FastAPI / Starlette: @app.get("/x"), @router.post("/y"), @router.websocket("/ws")
+    PY_DECORATOR_METHOD_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(PY_DECORATOR_METHOD_PATTERN)) {
+        const verb = match[1];
+        const routePath = match[2];
+        if (!verb || !routePath)
+            continue;
+        const method = verb.toUpperCase();
+        routes.push({
+            path: normalizeRoutePath(routePath),
+            handler: fromPath,
+            method: method === "WEBSOCKET" ? "WS" : method,
+        });
+    }
+    // FastAPI api_route + Flask route: @app.route("/x", methods=["GET","POST"])
+    PY_ROUTE_DECORATOR_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(PY_ROUTE_DECORATOR_PATTERN)) {
+        const routePath = match[2];
+        if (!routePath)
+            continue;
+        const methods = pythonRouteMethods(match[3] ?? "");
+        const path = normalizeRoutePath(routePath);
+        if (methods.length === 0) {
+            routes.push({ path, handler: fromPath, method: "GET" });
+            continue;
+        }
+        for (const method of methods) {
+            routes.push({ path, handler: fromPath, method });
+        }
+    }
+}
+function collectAngularRoutes(fromPath, content, pathLookup, calls, routes) {
+    if (!ANGULAR_FILE_MARKER_PATTERN.test(content)) {
+        return;
+    }
+    const bindings = extractImportBindings(fromPath, content, pathLookup);
+    ANGULAR_ROUTE_OBJECT_PATTERN.lastIndex = 0;
+    for (const match of content.matchAll(ANGULAR_ROUTE_OBJECT_PATTERN)) {
+        const body = match[0];
+        if (!ANGULAR_ROUTE_KEY_PATTERN.test(body)) {
+            continue;
+        }
+        const routePath = normalizeRoutePath(match[1] ?? "");
+        let handlerPath = fromPath;
+        let handlerExpression;
+        const lazyImport = body.match(ANGULAR_LAZY_IMPORT_PATTERN);
+        const component = body.match(ANGULAR_COMPONENT_PATTERN);
+        if (lazyImport?.[1]) {
+            const target = resolveSpecifier(fromPath, lazyImport[1], pathLookup) ??
+                resolveReferenceLiteral(fromPath, lazyImport[1], pathLookup);
+            if (target) {
+                handlerPath = target;
+                handlerExpression = lazyImport[1];
+            }
+        }
+        else if (component?.[1]) {
+            const binding = bindings.get(component[1]);
+            if (binding) {
+                handlerPath = binding.target;
+                handlerExpression = component[1];
+            }
+        }
+        routes.push({ path: routePath, handler: handlerPath });
+        if (handlerPath !== fromPath) {
+            calls.push(graphEdge({
+                from: fromPath,
+                to: handlerPath,
+                kind: "route-handler-link",
+                confidence: ROUTE_HANDLER_EDGE_CONFIDENCE,
+                reason: `Angular route '${routePath}' maps to '${handlerExpression ?? handlerPath}'.`,
+            }));
+        }
+    }
+}
+function extractFrameworkRouteEvidence(fromPath, content, pathLookup) {
+    const normalized = normalizeGraphPath(fromPath).toLowerCase();
+    const calls = [];
+    const routes = [];
+    if (normalized.endsWith(".py")) {
+        collectPythonFrameworkRoutes(fromPath, content, routes);
+    }
+    else if (TS_LIKE_EXTENSION_PATTERN.test(normalized)) {
+        collectNestRoutes(fromPath, content, routes);
+        collectAngularRoutes(fromPath, content, pathLookup, calls, routes);
+    }
+    return { calls, routes };
+}
 function fallbackRouteEdge(filePath) {
     const normalized = filePath.toLowerCase();
     if (normalized.includes("api/") || normalized.includes("route")) {
@@ -1005,6 +1168,9 @@ export function buildGraphBundle(repoManifest, disposition, options = {}) {
             const registeredRoutes = extractRegisteredRouteEvidence(file.path, content, pathLookup);
             calls.push(...registeredRoutes.calls);
             fileRoutes.push(...registeredRoutes.routes);
+            const frameworkRoutes = extractFrameworkRouteEvidence(file.path, content, pathLookup);
+            calls.push(...frameworkRoutes.calls);
+            fileRoutes.push(...frameworkRoutes.routes);
         }
         fileRoutes.push(...extractConventionalRouteEvidence(file.path, content));
         if (fileRoutes.length === 0) {

package/dist/extractors/graphPythonImports.d.ts

@@ -1,3 +1,18 @@
 import type { GraphEdge } from "@audit-tools/shared";
 export declare function isPythonSourcePath(path: string): boolean;
+/**
+ * Resolve a single `import <spec>` module specifier to a repo file, or
+ * undefined. Shared with the tree-sitter Python analyzer so AST-extracted
+ * imports resolve to exactly the same targets as the regex floor.
+ */
+export declare function resolvePythonImportTarget(fromPath: string, specifier: string, pathLookup: Map<string, string>): string | undefined;
+/**
+ * Resolve a `from <module> import <names>` statement to repo files. Mirrors the
+ * floor: prefer submodule files (`module.name`), else the module itself. Shared
+ * with the tree-sitter Python analyzer.
+ */
+export declare function resolvePythonFromImportTargets(fromPath: string, moduleSpecifier: string, importedNames: string[], pathLookup: Map<string, string>): Array<{
+    specifier: string;
+    target: string;
+}>;
 export declare function extractPythonImportEdges(fromPath: string, content: string, pathLookup: Map<string, string>): GraphEdge[];