codeguardian-mcp 1.0.0

package/dist/analyzers/findingVerifier.js

@@ -0,0 +1,1169 @@
+/**
+ * Automated Finding Verifier - Batched & Concurrent
+ *
+ * This module automatically verifies validation findings to eliminate false positives
+ * without requiring human intervention. Uses batching and concurrency for performance.
+ *
+ * Verification Strategies:
+ * 1. Usage Pattern Analysis - Check for dynamic/indirect usage
+ * 2. Git History Analysis - Check if code is actually used in recent commits
+ * 3. Framework Pattern Detection - Recognize framework-specific patterns (callbacks, handlers)
+ * 4. Cross-File Reference Check - Look for references in other files
+ * 5. Test Coverage Analysis - Check if "dead" code is actually tested
+ *
+ * Performance Optimizations:
+ * - File-based batching: Groups findings by file to minimize I/O
+ * - Concurrent processing: Verifies multiple files in parallel with limits
+ * - Intelligent caching: File contents and git status cached per batch
+ * - Batched git operations: Single git status call for all files
+ *
+ * @format
+ */
+import { logger } from "../utils/logger.js";
+import { exec } from "child_process";
+import { promisify } from "util";
+const execAsync = promisify(exec);
+import * as fs from "fs/promises";
+import * as path from "path";
+import { extractSymbolsAST } from "../tools/validation/extractors/index.js";
+import { checkPackageRegistry } from "../tools/validation/registry.js";
+import { impactAnalyzer } from "./impactAnalyzer.js";
+/**
+ * Lightweight wrapper around the same semantic tracing that powers
+ * [`get_dependency_graph`](src/tools/getDependencyGraph.ts:61).
+ *
+ * Used during automated verification to eliminate "unused export" false positives
+ * without requiring the LLM to call a separate tool.
+ */
+function getDependencyEvidenceForSymbol(symbolName, ctx, depth = 2, definedInFile) {
+    const graph = ctx.projectContext.symbolGraph;
+    if (!graph)
+        return null;
+    // Safety: only use dependency evidence when the symbol is actually defined in the
+    // file associated with the finding. This reduces false negatives from name collisions
+    // (e.g., multiple "getById" methods across different files).
+    if (definedInFile) {
+        const definingFiles = graph.symbolToFiles.get(symbolName);
+        if (!definingFiles || !definingFiles.has(definedInFile)) {
+            return null;
+        }
+    }
+    const blast = impactAnalyzer.traceBlastRadius(symbolName, graph, Math.min(depth, 5));
+    const isUsed = blast.affectedFiles.length > 0 || blast.impactedSymbols.length > 0;
+    return { blast, isUsed };
+}
+/**
+ * Detect file language from extension. Used when ctx.language is "all"
+ * in full-stack projects to ensure the correct parser is used per file.
+ */
+function detectFileLanguage(filePath, fallback) {
+    const ext = path.extname(filePath).toLowerCase();
+    switch (ext) {
+        case ".py": return "python";
+        case ".ts":
+        case ".tsx": return "typescript";
+        case ".js":
+        case ".jsx":
+        case ".mjs":
+        case ".cjs": return "javascript";
+        default: return fallback === "all" ? "typescript" : fallback;
+    }
+}
+// ============================================================================
+// Configuration
+// ============================================================================
+/** Maximum concurrent file verifications */
+const MAX_CONCURRENCY = 8;
+/** Batch size for findings within a file */
+const FILE_BATCH_SIZE = 50;
+// ============================================================================
+// Main Entry Point - Batched & Concurrent
+// ============================================================================
+/**
+ * Automatically verify all findings using batched concurrent processing.
+ * Groups findings by file, caches file data, and processes files in parallel.
+ */
+export async function verifyFindingsAutomatically(hallucinations, deadCode, projectContext, projectPath, language, onProgress) {
+    const allFindings = [...hallucinations, ...deadCode];
+    logger.info(`Starting batched verification of ${allFindings.length} findings ` +
+        `(${hallucinations.length} hallucinations, ${deadCode.length} dead code)...`);
+    const ctx = {
+        projectPath,
+        projectContext,
+        language,
+        gitAvailable: await checkGitAvailable(projectPath),
+        fileContentCache: new Map(),
+    };
+    // Group findings by file for efficient batch processing
+    const fileBatches = groupFindingsByFile(allFindings);
+    logger.info(`Grouped into ${fileBatches.length} file batches for concurrent processing`);
+    // Pre-batch git status for ALL files in a single git call (instead of per-file)
+    if (ctx.gitAvailable) {
+        ctx.gitStatusBatch = await batchGitStatus(ctx.projectPath);
+        ctx.featureBranchCached = await checkFeatureBranch(ctx);
+    }
+    const progress = {
+        totalFiles: fileBatches.length,
+        processedFiles: 0,
+        totalFindings: allFindings.length,
+        processedFindings: 0,
+    };
+    // Process file batches concurrently with limit
+    const verifiedResults = [];
+    for (let i = 0; i < fileBatches.length; i += MAX_CONCURRENCY) {
+        const batch = fileBatches.slice(i, i + MAX_CONCURRENCY);
+        // Process this concurrent batch
+        const batchResults = await Promise.all(batch.map(async (fileBatch) => {
+            // Create file cache for this file
+            const fileCache = {};
+            // Pre-load file data (git status, content if needed)
+            await preloadFileCache(fileBatch.filePath, ctx, fileCache);
+            // Verify all findings for this file
+            const results = [];
+            for (const finding of fileBatch.findings) {
+                const verified = await verifyFindingWithCache(finding, ctx, fileCache);
+                results.push(verified);
+            }
+            // Update progress
+            progress.processedFiles++;
+            progress.processedFindings += fileBatch.findings.length;
+            onProgress?.(progress);
+            return results;
+        }));
+        // Flatten results
+        for (const results of batchResults) {
+            verifiedResults.push(...results);
+        }
+        // Yield to event loop between batches
+        await new Promise((resolve) => setImmediate(resolve));
+    }
+    // Categorize results
+    const confirmed = verifiedResults.filter((v) => v.status === "confirmed");
+    const falsePositives = verifiedResults.filter((v) => v.status === "false_positive");
+    const uncertain = verifiedResults.filter((v) => v.status === "uncertain");
+    logger.info(`Verification complete: ${confirmed.length} confirmed, ` +
+        `${falsePositives.length} false positives, ${uncertain.length} uncertain ` +
+        `(${fileBatches.length} files processed)`);
+    return {
+        confirmed,
+        falsePositives,
+        uncertain,
+        stats: {
+            totalAnalyzed: allFindings.length,
+            confirmedCount: confirmed.length,
+            falsePositiveCount: falsePositives.length,
+            uncertainCount: uncertain.length,
+        },
+    };
+}
+// ============================================================================
+// Batching & Caching
+// ============================================================================
+function groupFindingsByFile(findings) {
+    const fileMap = new Map();
+    for (const finding of findings) {
+        // Use a virtual key for findings without a file path (inline newCode validation)
+        const filePath = finding.file || "(inline)";
+        if (!fileMap.has(filePath)) {
+            fileMap.set(filePath, []);
+        }
+        fileMap.get(filePath).push(finding);
+    }
+    return Array.from(fileMap.entries()).map(([filePath, findings]) => ({
+        filePath,
+        findings,
+    }));
+}
+async function preloadFileCache(filePath, ctx, cache) {
+    // Use pre-batched git status (single git call for all files)
+    if (ctx.gitAvailable && ctx.gitStatusBatch) {
+        cache.gitStatus = ctx.gitStatusBatch.get(filePath) ?? { isNew: false, isModified: false };
+    }
+    // Feature branch is already cached on context during init
+    if (ctx.gitAvailable) {
+        cache.featureBranch = ctx.featureBranchCached;
+    }
+}
+async function verifyFindingWithCache(finding, ctx, cache) {
+    // Route to appropriate verifier based on finding type
+    if ("type" in finding && isValidationIssue(finding)) {
+        return await verifyHallucinationWithCache(finding, ctx, cache);
+    }
+    else {
+        return await verifyDeadCodeWithCache(finding, ctx, cache);
+    }
+}
+function isValidationIssue(finding) {
+    return "code" in finding && typeof finding.line === "number";
+}
+// ============================================================================
+// Hallucination Verification with Caching
+// ============================================================================
+async function verifyHallucinationWithCache(issue, ctx, cache) {
+    const reasons = [];
+    let confidence = 0;
+    let status = "uncertain";
+    let method = "";
+    switch (issue.type) {
+        case "nonExistentFunction":
+        case "nonExistentClass":
+        case "undefinedVariable": {
+            // Extra guard: if the symbol is defined locally in the same file
+            // (e.g., function parameter, destructured param, local const/let), this is a false positive.
+            if (issue.type === "undefinedVariable") {
+                const localDef = await checkSymbolDefinedLocally(issue, ctx, cache);
+                if (localDef.isDefined) {
+                    status = "false_positive";
+                    confidence = 95;
+                    method = "local_scope";
+                    reasons.push(`Symbol is defined locally in the file (${localDef.hint})`);
+                    reasons.push("Not a hallucination - this is valid local scope");
+                    break;
+                }
+            }
+            // Check if symbol exists in any form (maybe just not imported)
+            const existsInProject = checkSymbolExistsInProject(issue, ctx);
+            if (existsInProject.exists) {
+                status = "false_positive";
+                confidence = 90;
+                method = "cross_reference";
+                reasons.push(`Symbol exists in project at ${existsInProject.location}`);
+                reasons.push("This is a missing import, not a hallucination");
+            }
+            else {
+                // Use cached future feature detection
+                const futureFeatureCheck = await detectFutureFeatureWithCache(issue, ctx, cache);
+                if (futureFeatureCheck.isFutureFeature) {
+                    status = "false_positive";
+                    confidence = futureFeatureCheck.confidence;
+                    method = "future_feature_detection";
+                    reasons.push("This appears to be part of an incomplete/new feature:");
+                    reasons.push(...futureFeatureCheck.reasons);
+                    reasons.push("Not a hallucination - code is for planned functionality");
+                }
+                else {
+                    // Quick git check using cached status
+                    if (cache.gitStatus?.isNew || cache.gitStatus?.isModified) {
+                        status = "false_positive";
+                        confidence = 85;
+                        method = "git_history";
+                        reasons.push("Symbol found in recent git changes");
+                        reasons.push("This may be part of an incomplete feature");
+                    }
+                    else {
+                        status = "confirmed";
+                        confidence = 95;
+                        method = "static_analysis";
+                        reasons.push("Symbol not found anywhere in project");
+                        reasons.push("No indicators of planned/incomplete feature");
+                        reasons.push("This is a true hallucination");
+                    }
+                }
+            }
+            break;
+        }
+        case "nonExistentImport": {
+            const moduleCheck = await checkModuleExports(issue, ctx);
+            if (moduleCheck.moduleExists && !moduleCheck.exportExists) {
+                status = "confirmed";
+                confidence = 98;
+                method = "module_resolution";
+                reasons.push("Module exists but export does not");
+                reasons.push("This is a true hallucination");
+            }
+            else if (!moduleCheck.moduleExists) {
+                status = "confirmed";
+                confidence = 99;
+                method = "module_resolution";
+                reasons.push("Module does not exist in project");
+                reasons.push("This is a true hallucination");
+            }
+            else {
+                status = "false_positive";
+                confidence = 80;
+                method = "module_resolution";
+                reasons.push("Module and export both exist");
+                reasons.push("May be a resolution path issue");
+            }
+            break;
+        }
+        case "dependencyHallucination": {
+            const pkgName = extractPackageName(issue.message);
+            const fileLang = issue.file ? detectFileLanguage(issue.file, ctx.language) : ctx.language;
+            const existsOnNpm = await checkPackageExistsOnRegistry(pkgName, fileLang);
+            if (!existsOnNpm) {
+                status = "confirmed";
+                confidence = 99;
+                method = "registry_check";
+                reasons.push("Package does not exist on npm registry");
+                reasons.push("This is definitely a hallucination");
+            }
+            else {
+                status = "false_positive";
+                confidence = 85;
+                method = "registry_check";
+                reasons.push("Package exists on npm registry");
+                reasons.push("This is a missing dependency, not a hallucination");
+            }
+            break;
+        }
+        case "missingDependency": {
+            // Check if the package exists in a nearby package.json (subdirectory).
+            // The manifest loader may have already been fixed, but this is a safety net.
+            const missingPkgName = extractPackageName(issue.message);
+            if (missingPkgName) {
+                const foundInSubdir = await checkPackageInSubdirectoryManifest(missingPkgName, ctx.projectPath);
+                if (foundInSubdir) {
+                    status = "false_positive";
+                    confidence = 98;
+                    method = "subdirectory_manifest_check";
+                    reasons.push(`Package '${missingPkgName}' found in a subdirectory package.json`);
+                    reasons.push("This is not missing — the manifest loader missed it");
+                    break;
+                }
+            }
+            // If not found in subdirectory, it's a genuine missing dependency (but low severity)
+            status = "confirmed";
+            confidence = 70;
+            method = "manifest_check";
+            reasons.push("Package not found in any project manifest");
+            reasons.push("This is a missing dependency (not a hallucination — it exists on the registry)");
+            break;
+        }
+        case "wrongParamCount": {
+            const paramCheck = await verifyParameterCount(issue, ctx);
+            if (paramCheck.isMismatch) {
+                status = "confirmed";
+                confidence = 92;
+                method = "signature_analysis";
+                reasons.push("Parameter count mismatch confirmed");
+                reasons.push(`Expected ${paramCheck.expected}, got ${paramCheck.actual}`);
+            }
+            else {
+                status = "false_positive";
+                confidence = 88;
+                method = "signature_analysis";
+                reasons.push("Parameter count appears correct on re-check");
+                reasons.push("May be variadic or have optional parameters");
+            }
+            break;
+        }
+        case "unusedImport": {
+            // Special case: async validation injects per-file "unused local" findings into the
+            // ValidationIssue stream using type=unusedImport.
+            // These findings look like:
+            //   "Variable 'getRecipeDetails' is defined but never used in this file"
+            // For exported/service methods, this is frequently a false positive.
+            // Use dependency tracing (same engine as get_dependency_graph) to confirm.
+            if (issue.message.includes("defined but never used in this file") &&
+                typeof issue.file === "string" &&
+                issue.file.length > 0) {
+                const symbolName = extractSymbolName(issue);
+                if (symbolName) {
+                    const dep = getDependencyEvidenceForSymbol(symbolName, ctx, 2, issue.file);
+                    if (dep?.isUsed) {
+                        status = "false_positive";
+                        confidence = 98;
+                        method = "dependency_graph";
+                        reasons.push(`Dependency graph shows '${symbolName}' is referenced by ${dep.blast.affectedFiles.length} file(s).`);
+                        const sampleFiles = dep.blast.affectedFiles
+                            .slice(0, 4)
+                            .map((f) => f)
+                            .join(", ");
+                        if (sampleFiles) {
+                            reasons.push(`Example consumers: ${sampleFiles}${dep.blast.affectedFiles.length > 4 ? ", …" : ""}`);
+                        }
+                        reasons.push("Not an unused local — this symbol is reachable via cross-file consumers");
+                        break;
+                    }
+                }
+            }
+            const usageCheck = await checkImportUsage(issue, ctx);
+            if (usageCheck.isUsed) {
+                status = "false_positive";
+                confidence = 90;
+                method = "usage_analysis";
+                reasons.push("Import is actually used");
+                if (usageCheck.usageType) {
+                    reasons.push(`Usage type: ${usageCheck.usageType}`);
+                }
+            }
+            else {
+                status = "confirmed";
+                confidence = 95;
+                method = "usage_analysis";
+                reasons.push("Import is truly unused");
+                reasons.push("No references found in file");
+            }
+            break;
+        }
+        case "nonExistentMethod": {
+            // First check: does the method exist in the project at all?
+            const methodNameMatch = issue.message.match(/Method '([^']+)'/);
+            const objectNameMatch = issue.message.match(/on '([^']+)'/);
+            const methodName = methodNameMatch?.[1];
+            const objectName = objectNameMatch?.[1];
+            if (methodName) {
+                // Check if method exists with matching scope
+                const methodExists = checkMethodExistsInProject(methodName, objectName, ctx);
+                if (methodExists.exists) {
+                    status = "false_positive";
+                    confidence = 90;
+                    method = "symbol_lookup";
+                    reasons.push(`Method '${methodName}' exists in project at ${methodExists.location}`);
+                    if (methodExists.scope) {
+                        reasons.push(`Method is defined on object: ${methodExists.scope}`);
+                    }
+                    reasons.push("This is not a hallucination - the method exists");
+                    break;
+                }
+            }
+            // Fallback: check inheritance chain (for class-based methods)
+            const inheritanceCheck = await checkInheritanceChain(issue, ctx);
+            if (inheritanceCheck.foundInParent) {
+                status = "false_positive";
+                confidence = 85;
+                method = "inheritance_analysis";
+                reasons.push("Method found in parent class or interface");
+                reasons.push("This is not a hallucination");
+            }
+            else {
+                status = "confirmed";
+                confidence = 80;
+                method = "inheritance_analysis";
+                reasons.push("Method not found in class hierarchy");
+                reasons.push("May be a dynamic method (not verifiable)");
+            }
+            break;
+        }
+        default: {
+            status = issue.confidence && issue.confidence > 90 ? "confirmed" : "uncertain";
+            confidence = issue.confidence || 50;
+            method = "fallback";
+            reasons.push("Using original confidence score");
+            reasons.push("No specific verification available for this issue type");
+        }
+    }
+    return {
+        original: issue,
+        status,
+        confidence,
+        reasons,
+        verificationMethod: method,
+    };
+}
+// ============================================================================
+// Dead Code Verification with Caching
+// ============================================================================
+async function verifyDeadCodeWithCache(issue, ctx, cache) {
+    const reasons = [];
+    let confidence = 0;
+    let status = "uncertain";
+    let method = "";
+    switch (issue.type) {
+        case "unusedExport": {
+            // Highest-signal guard: if the symbol graph shows *any* downstream usage,
+            // this is not dead code. This prevents the exact class of false positives
+            // where the dead-code scan misses a semantic consumer, but the dependency
+            // tracer can prove a call chain exists.
+            const dep = getDependencyEvidenceForSymbol(issue.name, ctx, 2);
+            if (dep?.isUsed) {
+                status = "false_positive";
+                confidence = 98;
+                method = "dependency_graph";
+                const sampleFiles = dep.blast.affectedFiles
+                    .slice(0, 4)
+                    .map((f) => f)
+                    .join(", ");
+                reasons.push(`Dependency graph shows '${issue.name}' is used by ${dep.blast.affectedFiles.length} file(s).`);
+                if (sampleFiles) {
+                    reasons.push(`Example consumers: ${sampleFiles}${dep.blast.affectedFiles.length > 4 ? ", …" : ""}`);
+                }
+                reasons.push("Not dead code — keep this export or refactor with care");
+                break;
+            }
+            // Use cached future feature detection
+            const futureFeatureCheck = await detectFutureFeatureWithCache(issue, ctx, cache);
+            if (futureFeatureCheck.isFutureFeature) {
+                status = "false_positive";
+                confidence = futureFeatureCheck.confidence;
+                method = "future_feature_detection";
+                reasons.push("This export appears to be part of an incomplete/new feature:");
+                reasons.push(...futureFeatureCheck.reasons);
+                reasons.push("Not dead code - will likely be used when feature is complete");
+                break;
+            }
+            const isPublicApi = await checkIfPublicApi(issue, ctx);
+            const isTestFile = issue.file.includes('.test.') || issue.file.includes('.spec.') || issue.file.includes('/test/');
+            if (isPublicApi) {
+                status = "false_positive";
+                confidence = 88;
+                method = "api_analysis";
+                reasons.push("This appears to be a public API export");
+                reasons.push("External consumers may use this");
+            }
+            else if (isTestFile) {
+                status = "false_positive";
+                confidence = 75;
+                method = "test_file_analysis";
+                reasons.push("This is a test file - exports may be used by test runners");
+            }
+            else {
+                status = "confirmed";
+                confidence = 92;
+                method = "dead_code_detector_trust";
+                reasons.push("Dead code detector performed thorough cross-file analysis");
+                reasons.push("No imports, type references, or runtime usages found");
+                reasons.push("No indicators of planned/incomplete feature");
+                reasons.push("This is confirmed dead code");
+            }
+            break;
+        }
+        case "unusedFunction": {
+            const indirectCheck = await checkIndirectUsage(issue, ctx);
+            if (indirectCheck.isUsed) {
+                status = "false_positive";
+                confidence = 85;
+                method = "indirect_usage_analysis";
+                reasons.push("Function has indirect usage");
+                reasons.push(`Usage pattern: ${indirectCheck.pattern}`);
+            }
+            else {
+                status = "confirmed";
+                confidence = 88;
+                method = "static_analysis";
+                reasons.push("No direct or indirect usages found");
+                reasons.push("This is likely dead code");
+            }
+            break;
+        }
+        case "orphanedFile": {
+            const importCheck = await checkFileImports(issue, ctx);
+            if (importCheck.isImported) {
+                status = "false_positive";
+                confidence = 95;
+                method = "import_analysis";
+                reasons.push(`File is imported by ${importCheck.importers.length} file(s)`);
+                reasons.push("This is not an orphaned file");
+            }
+            else {
+                const isEntryPoint = await checkIfEntryPoint(issue, ctx);
+                if (isEntryPoint) {
+                    status = "false_positive";
+                    confidence = 90;
+                    method = "entry_point_analysis";
+                    reasons.push("This appears to be an entry point or config file");
+                    reasons.push("Not expected to be imported");
+                }
+                else {
+                    status = "confirmed";
+                    confidence = 85;
+                    method = "import_analysis";
+                    reasons.push("No imports found");
+                    reasons.push("Not a recognized entry point");
+                    reasons.push("This may be an orphaned file");
+                }
+            }
+            break;
+        }
+        default: {
+            status = "uncertain";
+            confidence = 50;
+            method = "fallback";
+            reasons.push("Unknown dead code type");
+        }
+    }
+    return {
+        original: issue,
+        status,
+        confidence,
+        reasons,
+        verificationMethod: method,
+    };
+}
+async function detectFutureFeatureWithCache(issue, ctx, cache) {
+    const reasons = [];
+    let signalCount = 0;
+    const signals = [];
+    // Signal 1: Check git status (cached)
+    if (cache.gitStatus?.isNew || cache.gitStatus?.isModified) {
+        signalCount++;
+        signals.push("uncommitted changes");
+        reasons.push(`File has uncommitted ${cache.gitStatus.isNew ? "changes (new file)" : "modifications"}`);
+    }
+    // Signal 2: Check for TODO/FIXME comments (lazy load & cache)
+    if (cache.hasTodoComments === undefined) {
+        cache.hasTodoComments = await checkForTodoComments(issue.file, ctx, cache);
+    }
+    if (cache.hasTodoComments) {
+        signalCount++;
+        signals.push("todo comments");
+        reasons.push("File contains TODO/FIXME comments indicating planned work");
+    }
+    // Signal 3: Check if this is a stub implementation (lazy load & cache)
+    if (cache.isStub === undefined) {
+        cache.isStub = await checkIfStubImplementation(issue.file, issue, ctx, cache);
+    }
+    if (cache.isStub) {
+        signalCount++;
+        signals.push("stub implementation");
+        reasons.push("Code appears to be a stub/placeholder for future implementation");
+    }
+    // Signal 4: Check feature branch naming (cached)
+    if (cache.featureBranch) {
+        signalCount++;
+        signals.push("feature branch");
+        reasons.push("Working on a feature branch (not main/master)");
+    }
+    // Signal 5: Check if the referenced symbol looks like a planned feature
+    const symbolName = extractSymbolName(issue);
+    if (symbolName && looksLikePlannedFeature(symbolName)) {
+        signalCount += 0.5;
+        signals.push("planned naming");
+        reasons.push(`Symbol name "${symbolName}" suggests planned functionality`);
+    }
+    // Determine result based on signal strength
+    const isFutureFeature = signalCount >= 2 || (signalCount >= 1 && signals.includes("todo comments"));
+    const confidence = Math.min(95, 60 + signalCount * 15);
+    return {
+        isFutureFeature,
+        confidence,
+        reasons,
+    };
+}
+// ============================================================================
+// Git Operations (Optimized)
+// ============================================================================
+async function checkGitAvailable(projectPath) {
+    try {
+        await execAsync("git rev-parse --git-dir", { cwd: projectPath });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Batch git status for ALL files in a single git call.
+ * Replaces per-file `git status --porcelain <file>` which spawned 100+ processes.
+ */
+async function batchGitStatus(projectPath) {
+    const statusMap = new Map();
+    try {
+        const { stdout } = await execAsync("git status --porcelain", { cwd: projectPath, maxBuffer: 10 * 1024 * 1024 });
+        for (const line of stdout.split("\n")) {
+            if (!line || line.length < 4)
+                continue;
+            const statusCode = line.substring(0, 2);
+            const filePart = line.substring(3).trim();
+            if (!filePart)
+                continue;
+            const absPath = path.isAbsolute(filePart) ? filePart : path.join(projectPath, filePart);
+            statusMap.set(absPath, {
+                isNew: statusCode === "??" || statusCode.startsWith("A"),
+                isModified: statusCode.includes("M"),
+            });
+        }
+    }
+    catch {
+        // git not available or error — return empty map
+    }
+    return statusMap;
+}
+async function checkFeatureBranch(ctx) {
+    if (!ctx.gitAvailable)
+        return false;
+    try {
+        const { stdout } = await execAsync("git branch --show-current", { cwd: ctx.projectPath });
+        const branchName = stdout.trim();
+        const featurePatterns = [
+            /^feature\//i,
+            /^feat\//i,
+            /^wip\//i,
+            /^wip-/i,
+            /-wip$/i,
+            /^new\//i,
+            /^implement/i,
+            /^add-/i,
+        ];
+        return featurePatterns.some((pattern) => pattern.test(branchName));
+    }
+    catch {
+        return false;
+    }
+}
+// ============================================================================
+// File Content Checks
+// ============================================================================
+async function checkForTodoComments(filePath, ctx, cache) {
+    if (!filePath)
+        return false;
+    try {
+        // Use cached content if available, otherwise load and cache
+        if (cache && !cache.content) {
+            cache.content = await fs.readFile(filePath, "utf-8");
+        }
+        const content = cache?.content ?? await fs.readFile(filePath, "utf-8");
+        const todoPatterns = [
+            /\/\/\s*TODO/i,
+            /\/\/\s*FIXME/i,
+            /\/\/\s*XXX/i,
+            /\/\*\s*TODO/i,
+            /\/\*\s*FIXME/i,
+            /#\s*TODO/i,
+            /#\s*FIXME/i,
+            /\{\s*\/\*\s*TODO/i,
+        ];
+        return todoPatterns.some((pattern) => pattern.test(content));
+    }
+    catch {
+        return false;
+    }
+}
+async function checkIfStubImplementation(filePath, issue, ctx, cache) {
+    if (!filePath)
+        return false;
+    try {
+        // Use cached content if available, otherwise load and cache
+        if (cache && !cache.content) {
+            cache.content = await fs.readFile(filePath, "utf-8");
+        }
+        const content = cache?.content ?? await fs.readFile(filePath, "utf-8");
+        const stubPatterns = [
+            /throw\s+new\s+Error\s*\(\s*["']\s*not\s+implemented/i,
+            /throw\s+new\s+Error\s*\(\s*["']\s*TODO/i,
+            /\/\/\s*TODO.*implement/i,
+            /return\s+null\s*;\s*\/\/\s*TODO/i,
+            /\/\/\s*placeholder/i,
+            /\/\/\s*stub/i,
+        ];
+        return stubPatterns.some((pattern) => pattern.test(content));
+    }
+    catch {
+        return false;
+    }
+}
+function extractSymbolName(issue) {
+    if ("message" in issue) {
+        const match = issue.message.match(/'([^']+)'/);
+        return match?.[1] || null;
+    }
+    return null;
+}
+function looksLikePlannedFeature(symbolName) {
+    const plannedPatterns = [
+        /new/i,
+        /upcoming/i,
+        /planned/i,
+        /future/i,
+        /next/i,
+        /v\d+/i,
+        /version\d+/i,
+    ];
+    return plannedPatterns.some((pattern) => pattern.test(symbolName));
+}
+// ============================================================================
+// Local Scope Checks (prevent verifier from confirming local vars as hallucinations)
+// ============================================================================
+async function checkSymbolDefinedLocally(issue, ctx, cache) {
+    const symbolName = extractSymbolName(issue);
+    if (!symbolName || !issue.file)
+        return { isDefined: false };
+    try {
+        // Load file content once (cache)
+        if (!cache.content) {
+            cache.content = await fs.readFile(issue.file, "utf-8");
+        }
+        // Parse local symbols from the file itself (includes params when enabled)
+        const fileLang = detectFileLanguage(issue.file, ctx.language);
+        const symbols = extractSymbolsAST(cache.content, issue.file, fileLang, {
+            includeParameterSymbols: true,
+        });
+        const found = symbols.some((s) => s.name === symbolName);
+        return found ? { isDefined: true, hint: "local symbol table" } : { isDefined: false };
+    }
+    catch {
+        return { isDefined: false };
+    }
+}
+// ============================================================================
+// Symbol & Module Checks
+// ============================================================================
+function checkSymbolExistsInProject(issue, ctx) {
+    const symbolName = issue.message.match(/'([^']+)'/)?.[1];
+    if (!symbolName)
+        return { exists: false };
+    for (const [name, definitions] of ctx.projectContext.symbolIndex) {
+        if (name === symbolName || name.toLowerCase() === symbolName.toLowerCase()) {
+            return {
+                exists: true,
+                location: definitions[0]?.file || "unknown",
+            };
+        }
+    }
+    return { exists: false };
+}
+/**
+ * Check if a method exists in the project, optionally with a specific scope (object name).
+ * This handles object literal methods like: const api = { method: () => {} }
+ */
+function checkMethodExistsInProject(methodName, objectName, ctx) {
+    // Search through all symbols in the project context
+    for (const [name, definitions] of ctx.projectContext.symbolIndex) {
+        if (name === methodName) {
+            // Check all definitions for this method name
+            for (const def of definitions) {
+                // Check if it's a method type
+                if (def.symbol.kind === "method") {
+                    // If object name is provided, check scope matches
+                    if (!objectName || !def.symbol.scope || def.symbol.scope === objectName) {
+                        return {
+                            exists: true,
+                            location: def.file || "unknown",
+                            scope: def.symbol.scope,
+                        };
+                    }
+                }
+            }
+        }
+    }
+    return { exists: false };
+}
+async function checkModuleExports(issue, ctx) {
+    const moduleMatch = issue.message.match(/module ['"]([^'"]+)['"]/);
+    const exportMatch = issue.message.match(/export ['"]([^'"]+)['"]/);
+    const moduleName = moduleMatch?.[1];
+    const exportName = exportMatch?.[1];
+    if (!moduleName) {
+        return { moduleExists: false, exportExists: false };
+    }
+    // Convert Python dotted module paths to file paths (e.g., app.api.cli_tokens -> app/api/cli_tokens)
+    const moduleAsPath = moduleName.replace(/\./g, "/");
+    const possiblePaths = [
+        path.join(ctx.projectPath, moduleName),
+        path.join(ctx.projectPath, `${moduleName}.ts`),
+        path.join(ctx.projectPath, `${moduleName}.tsx`),
+        path.join(ctx.projectPath, `${moduleName}.js`),
+        path.join(ctx.projectPath, `${moduleName}/index.ts`),
+        path.join(ctx.projectPath, `${moduleName}/index.js`),
+        // Python module paths (dotted notation)
+        path.join(ctx.projectPath, `${moduleAsPath}.py`),
+        path.join(ctx.projectPath, moduleAsPath, "__init__.py"),
+    ];
+    let moduleExists = false;
+    let modulePath = "";
+    for (const p of possiblePaths) {
+        try {
+            await fs.access(p);
+            moduleExists = true;
+            modulePath = p;
+            break;
+        }
+        catch {
+            // Continue checking
+        }
+    }
+    if (!moduleExists || !exportName) {
+        return { moduleExists, exportExists: false };
+    }
+    try {
+        const content = await fs.readFile(modulePath, "utf-8");
+        const isPython = modulePath.endsWith(".py");
+        const exportPatterns = [
+            new RegExp(`export\\s+(?:const|let|var|function|class|interface|type)\\s+${exportName}\\b`),
+            new RegExp(`export\\s*\\{[^}]*\\b${exportName}\\b`),
+            new RegExp(`export\\s+default\\s+(?:class|function)?\\s*\\b${exportName}\\b`),
+        ];
+        if (isPython) {
+            // Python: check for class/def/variable definitions
+            exportPatterns.push(new RegExp(`^class\\s+${exportName}\\b`, "m"), new RegExp(`^def\\s+${exportName}\\b`, "m"), new RegExp(`^${exportName}\\s*=`, "m"));
+            // Python: check for module-level imports (re-imports are valid namespace members)
+            exportPatterns.push(new RegExp(`^from\\s+\\S+\\s+import\\s+.*\\b${exportName}\\b`, "m"), new RegExp(`^import\\s+.*\\b${exportName}\\b`, "m"));
+        }
+        const exportExists = exportPatterns.some((pattern) => pattern.test(content));
+        return { moduleExists: true, exportExists };
+    }
+    catch {
+        return { moduleExists: true, exportExists: false };
+    }
+}
+async function checkPackageExistsOnRegistry(pkgName, language) {
+    if (!pkgName)
+        return false;
+    const commonPackages = new Set([
+        "react", "react-dom", "vue", "angular", "svelte",
+        "lodash", "underscore", "ramda",
+        "axios", "fetch", "node-fetch",
+        "express", "koa", "fastify", "hapi",
+        "jest", "mocha", "jasmine", "vitest", "playwright",
+        "typescript", "ts-node", "tsx",
+        "webpack", "vite", "rollup", "esbuild", "parcel",
+        "eslint", "prettier", "babel",
+        "mongoose", "sequelize", "prisma", "typeorm",
+        "mongodb", "redis", "pg", "mysql",
+        "jsonwebtoken", "bcrypt", "passport",
+        "winston", "pino", "morgan",
+        "dotenv", "cross-env", "rimraf",
+        "fs-extra", "glob", "minimatch",
+        "chalk", "commander", "inquirer",
+        "dayjs", "date-fns", "moment",
+        "uuid", "nanoid", "cuid",
+        "zod", "yup", "joi", "class-validator",
+        "tailwindcss", "styled-components", "emotion",
+        "@testing-library/react", "@testing-library/jest-dom",
+        "@types/node", "@types/react", "@types/express",
+        "next", "nuxt", "gatsby",
+    ]);
+    if (commonPackages.has(pkgName.toLowerCase()))
+        return true;
+    if (pkgName.startsWith("@")) {
+        const scope = pkgName.split("/")[0];
+        const name = pkgName.split("/")[1];
+        if (!name)
+            return false;
+        const commonScopes = ["@types", "@babel", "@rollup", "@vitejs", "@nestjs", "@angular", "@mui"];
+        if (commonScopes.includes(scope))
+            return true;
+    }
+    // Fall back to real registry check (cached + fail-open on network errors)
+    return checkPackageRegistry(pkgName, language);
+}
+function extractPackageName(message) {
+    const match = message.match(/Package ['"]([^'"]+)['"]/);
+    return match?.[1] || "";
+}
+/**
+ * Check if a package exists in any subdirectory's package.json.
+ * This catches cases where the main manifest loader missed subdirectory manifests
+ * (e.g., monorepo-style projects with frontend/package.json + backend/package.json).
+ */
+async function checkPackageInSubdirectoryManifest(pkgName, projectPath) {
+    const COMMON_SUBDIRS = ["frontend", "backend", "client", "server", "app", "web", "api"];
+    for (const subdir of COMMON_SUBDIRS) {
+        const pkgJsonPath = path.join(projectPath, subdir, "package.json");
+        try {
+            const content = await fs.readFile(pkgJsonPath, "utf-8");
+            const pkg = JSON.parse(content);
+            const allDeps = {
+                ...pkg.dependencies,
+                ...pkg.devDependencies,
+                ...pkg.peerDependencies,
+            };
+            if (pkgName in allDeps) {
+                return true;
+            }
+            // Also check @types/ mapping
+            if (`@types/${pkgName}` in (pkg.devDependencies || {})) {
+                return true;
+            }
+        }
+        catch {
+            // File doesn't exist or can't be parsed
+        }
+    }
+    return false;
+}
+async function verifyParameterCount(issue, ctx) {
+    const match = issue.message.match(/expects (\d+) args, got (\d+)/);
+    if (!match) {
+        return { isMismatch: true };
+    }
+    const expected = parseInt(match[1], 10);
+    const actual = parseInt(match[2], 10);
+    const symbolName = issue.message.match(/Function ['"]([^'"]+)['"]/)?.[1];
+    if (symbolName) {
+        const definitions = ctx.projectContext.symbolIndex.get(symbolName);
+        if (definitions && definitions.length > 0) {
+            const def = definitions[0];
+            if (def.symbol.params?.some((p) => p.name.startsWith("..."))) {
+                return { isMismatch: false, expected, actual };
+            }
+        }
+    }
+    return { isMismatch: true, expected, actual };
+}
+async function checkImportUsage(issue, ctx) {
+    const importName = issue.message.match(/'([^']+)'/)?.[1];
+    if (!importName || !issue.file)
+        return { isUsed: false };
+    try {
+        let rawContent = ctx.fileContentCache.get(issue.file);
+        if (!rawContent) {
+            rawContent = await fs.readFile(issue.file, "utf-8");
+            ctx.fileContentCache.set(issue.file, rawContent);
+        }
+        // Strip import lines, comment-only lines, and the definition line so they
+        // don't count as "usage".
+        // Previously, `import { ChefHat } from 'lucide-react'; // ChefHat is unused`
+        // produced 2 regex matches (import + comment) and was falsely marked as "used".
+        //
+        // For local dead code findings (e.g., `const GHOST_REGISTRY_ID = ...` or
+        // `function deprecatedAuditLog()`), the definition line itself contains the
+        // symbol name. Without excluding it, checkImportUsage falsely returns
+        // isUsed=true because the regex matches the definition.
+        const escapedName = importName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const issueLine = issue.line; // 1-indexed line number of the finding
+        const content = rawContent
+            .split("\n")
+            .filter((line, index) => {
+            // Exclude the definition/declaration line itself (prevents local dead code
+            // findings like GHOST_REGISTRY_ID from matching their own definition)
+            if (issueLine && index + 1 === issueLine)
+                return false;
+            const trimmed = line.trim();
+            // Exclude import lines
+            if (trimmed.startsWith("import ") || trimmed.startsWith("import{"))
+                return false;
+            // Exclude from...import lines (Python)
+            if (trimmed.startsWith("from "))
+                return false;
+            // Exclude comment-only lines (JS/TS/Python)
+            if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("/*") || trimmed.startsWith("*"))
+                return false;
+            return true;
+        })
+            .join("\n");
+        const patterns = [
+            { regex: new RegExp(`\\b${escapedName}\\s*\\(`, "g"), type: "function call" },
+            { regex: new RegExp(`\\b${escapedName}\\.`, "g"), type: "property access" },
+            { regex: new RegExp(`<${escapedName}[\\s/>]`, "g"), type: "JSX component" },
+            { regex: new RegExp(`\\b${escapedName}\\b`, "g"), type: "reference" },
+            { regex: new RegExp(`type\\s+\\w+.*\\b${escapedName}\\b`, "g"), type: "type usage" },
+            { regex: new RegExp(`as\\s+${escapedName}\\b`, "g"), type: "type assertion" },
+        ];
+        for (const { regex, type } of patterns) {
+            const matches = content.match(regex);
+            if (matches && matches.length >= 1) {
+                return { isUsed: true, usageType: type };
+            }
+        }
+        return { isUsed: false };
+    }
+    catch {
+        return { isUsed: false };
+    }
+}
+async function checkInheritanceChain(issue, ctx) {
+    return { foundInParent: false };
+}
+async function checkIfPublicApi(issue, ctx) {
+    const publicPatterns = [
+        /index\.ts$/,
+        /index\.js$/,
+        /\bapi\b/,
+        /\bpublic\b/,
+        /\bexports\b/,
+        /\blib\b/,
+    ];
+    return publicPatterns.some((pattern) => pattern.test(issue.file));
+}
+async function checkIndirectUsage(issue, ctx) {
+    const functionName = issue.name;
+    const filePath = issue.file;
+    try {
+        const content = await fs.readFile(filePath, "utf-8");
+        const patterns = [
+            { regex: new RegExp(`\\b${functionName}\\b\\s*[,})\\]]`, "g"), pattern: "callback/collection" },
+            { regex: new RegExp(`['"]\\b${functionName}\\b['"]`, "g"), pattern: "string reference" },
+            { regex: new RegExp(`\\.\\b${functionName}\\b`, "g"), pattern: "method assignment" },
+        ];
+        for (const { regex, pattern } of patterns) {
+            if (regex.test(content)) {
+                return { isUsed: true, pattern };
+            }
+        }
+        return { isUsed: false };
+    }
+    catch {
+        return { isUsed: false };
+    }
+}
+async function checkFileImports(issue, ctx) {
+    // Use in-memory project context instead of reading every file from disk.
+    // The reverseImportGraph + raw import data is already available and up-to-date.
+    const importers = [];
+    const fileName = issue.name || issue.file;
+    // 1. Check reverseImportGraph (resolved imports)
+    const reverseImportGraph = ctx.projectContext.reverseImportGraph;
+    if (reverseImportGraph && typeof reverseImportGraph[Symbol.iterator] === "function") {
+        for (const [absPath, reverseList] of reverseImportGraph) {
+            // Match by absolute path or by basename
+            if (absPath === fileName ||
+                absPath.endsWith(`/${fileName}`) ||
+                path.basename(absPath).replace(/\.[^.]+$/, "") ===
+                    path.basename(fileName).replace(/\.[^.]+$/, "")) {
+                importers.push(...reverseList);
+            }
+        }
+    }
+    if (importers.length > 0) {
+        return { isImported: true, importers: [...new Set(importers)] };
+    }
+    // 2. Fallback: check raw import sources in context (catches unresolved imports)
+    const baseName = path.basename(fileName).replace(/\.[^.]+$/, "");
+    const files = ctx.projectContext.files;
+    if (!files || typeof files[Symbol.iterator] !== "function") {
+        return { isImported: false, importers: [] };
+    }
+    for (const [filePath, fileInfo] of files) {
+        if (filePath === issue.file)
+            continue;
+        for (const imp of fileInfo.imports) {
+            if (imp.source.includes(baseName)) {
+                importers.push(filePath);
+                break;
+            }
+        }
+    }
+    return { isImported: importers.length > 0, importers: [...new Set(importers)] };
+}
+async function checkIfEntryPoint(issue, ctx) {
+    const entryPatterns = [
+        /main\.(ts|js)$/,
+        /index\.(ts|js)$/,
+        /app\.(ts|js)$/,
+        /server\.(ts|js)$/,
+        /cli\.(ts|js)$/,
+        /vite\.config\./,
+        /webpack\.config\./,
+        /next\.config\./,
+        /tsup\.config\./,
+        /rollup\.config\./,
+        /jest\.config\./,
+        /vitest\.config\./,
+        /playwright\.config\./,
+        /cypress\.config\./,
+        /tailwind\.config\./,
+        /postcss\.config\./,
+        /eslint\.config\./,
+        /prettier\.config\./,
+    ];
+    return entryPatterns.some((pattern) => pattern.test(issue.file));
+}
+// ============================================================================
+// Result Filtering Helpers
+// ============================================================================
+export function getConfirmedFindings(result) {
+    // Include confirmed findings
+    const confirmedHallucinations = result.confirmed
+        .filter((f) => isValidationIssue(f.original))
+        .map((f) => f.original);
+    const confirmedDeadCode = result.confirmed
+        .filter((f) => !isValidationIssue(f.original))
+        .map((f) => f.original);
+    // Also include high-confidence uncertain findings (confidence >= 85)
+    // These are likely real issues that we couldn't fully verify
+    const highConfidenceUncertainHallucinations = result.uncertain
+        .filter((f) => f.confidence >= 85 && isValidationIssue(f.original))
+        .map((f) => f.original);
+    const highConfidenceUncertainDeadCode = result.uncertain
+        .filter((f) => f.confidence >= 85 && !isValidationIssue(f.original))
+        .map((f) => f.original);
+    return {
+        hallucinations: [...confirmedHallucinations, ...highConfidenceUncertainHallucinations],
+        deadCode: [...confirmedDeadCode, ...highConfidenceUncertainDeadCode],
+    };
+}
+// Keep backward compatibility - alias for the main function
+export { verifyFindingsAutomatically as verifyFindings };
+//# sourceMappingURL=findingVerifier.js.map