depwire-cli 0.9.26 → 0.9.28

package/dist/{chunk-YYY5TNG7.js → chunk-ITEGMPF7.js}

@@ -106,7 +106,7 @@ function findProjectRoot(startDir = process.cwd()) {
 
 // src/parser/index.ts
 import { readFileSync as readFileSync5, statSync as statSync2 } from "fs";
-import { join as join8 } from "path";
+import { join as join8, resolve as resolve3 } from "path";
 
 // src/parser/detect.ts
 import { extname as extname3 } from "path";
@@ -1578,7 +1578,7 @@ var javascriptParser = {
 
 // src/parser/go.ts
 import { existsSync as existsSync5, readFileSync as readFileSync2, readdirSync as readdirSync2 } from "fs";
-import { join as join5, dirname as dirname4 } from "path";
+import { join as join5, dirname as dirname4, resolve as resolve2 } from "path";
 function parseGoFile(filePath, sourceCode, projectRoot) {
   const parser = getParser("go");
   const tree = parser.parse(sourceCode, null, { bufferSize: 1024 * 1024 });
@@ -1860,7 +1860,7 @@ function processCallExpression4(node, context) {
 function readGoModuleName(projectRoot) {
   let currentDir = projectRoot;
   for (let i = 0; i < 5; i++) {
-    const goModPath = join5(currentDir, "go.mod");
+    const goModPath = resolve2(currentDir, "go.mod");
     if (existsSync5(goModPath)) {
       try {
         const content = readFileSync2(goModPath, "utf-8");
@@ -2822,6 +2822,10 @@ async function parseProject(projectRoot, options) {
   for (const file of files) {
     try {
       const fullPath = join8(projectRoot, file);
+      if (!resolve3(fullPath).startsWith(resolve3(projectRoot))) {
+        skippedFiles++;
+        continue;
+      }
       if (options?.exclude) {
         const shouldExclude2 = options.exclude.some(
           (pattern) => minimatch(file, pattern, { matchBase: true })
@@ -2869,9 +2873,449 @@ async function parseProject(projectRoot, options) {
   return parsedFiles;
 }
 
+// src/cross-language/detectors/rest-api.ts
+import { readFileSync as readFileSync6 } from "fs";
+import { join as join9, resolve as resolve4 } from "path";
+function getLanguage(filePath) {
+  if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
+  if (filePath.endsWith(".js") || filePath.endsWith(".jsx") || filePath.endsWith(".mjs") || filePath.endsWith(".cjs")) return "javascript";
+  if (filePath.endsWith(".py")) return "python";
+  if (filePath.endsWith(".go")) return "go";
+  return "unknown";
+}
+function normalizePath(routePath) {
+  return routePath.replace(/:[a-zA-Z_][a-zA-Z0-9_]*/g, "__PARAM__").replace(/\{[a-zA-Z_][a-zA-Z0-9_]*\}/g, "__PARAM__");
+}
+function stripTrailingSlash(p) {
+  return p.length > 1 && p.endsWith("/") ? p.slice(0, -1) : p;
+}
+function extractHttpCalls(source, filePath) {
+  const calls = [];
+  const lines = source.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const fetchMatch = line.match(/fetch\s*\(\s*(['"`])([^'"`]+)\1/);
+    if (fetchMatch) {
+      const path6 = fetchMatch[2];
+      if (isLocalApiPath(path6)) {
+        const methodMatch = line.match(/method\s*:\s*['"](\w+)['"]/);
+        const method = methodMatch ? methodMatch[1].toUpperCase() : "GET";
+        calls.push({ method, path: cleanPath(path6), file: filePath, line: i + 1 });
+      }
+    }
+    if (!fetchMatch) {
+      const fetchTemplateMatch = line.match(/fetch\s*\(\s*`([^`]+)`/);
+      if (fetchTemplateMatch) {
+        const path6 = fetchTemplateMatch[1];
+        if (isLocalApiPath(path6)) {
+          const methodMatch = line.match(/method\s*:\s*['"](\w+)['"]/);
+          const method = methodMatch ? methodMatch[1].toUpperCase() : "GET";
+          calls.push({ method, path: cleanPath(path6), file: filePath, line: i + 1 });
+        }
+      }
+    }
+    const axiosMatch = line.match(/axios\s*\.\s*(get|post|put|delete|patch)\s*\(\s*(['"`])([^'"`]+)\2/i);
+    if (axiosMatch) {
+      const path6 = axiosMatch[3];
+      if (isLocalApiPath(path6)) {
+        calls.push({ method: axiosMatch[1].toUpperCase(), path: cleanPath(path6), file: filePath, line: i + 1 });
+      }
+    }
+    if (!axiosMatch) {
+      const axiosTemplateMatch = line.match(/axios\s*\.\s*(get|post|put|delete|patch)\s*\(\s*`([^`]+)`/i);
+      if (axiosTemplateMatch) {
+        const path6 = axiosTemplateMatch[2];
+        if (isLocalApiPath(path6)) {
+          calls.push({ method: axiosTemplateMatch[1].toUpperCase(), path: cleanPath(path6), file: filePath, line: i + 1 });
+        }
+      }
+    }
+    const genericMatch = line.match(/\w+\s*\.\s*(get|post|put|delete|patch)\s*\(\s*(['"`])([^'"`]+)\2/i);
+    if (genericMatch && !line.match(/axios/) && !line.match(/app\s*\./) && !line.match(/router\s*\./) && !line.match(/r\s*\./)) {
+      const path6 = genericMatch[3];
+      if (isLocalApiPath(path6)) {
+        calls.push({ method: genericMatch[1].toUpperCase(), path: cleanPath(path6), file: filePath, line: i + 1 });
+      }
+    }
+  }
+  return calls;
+}
+function isLocalApiPath(path6) {
+  if (path6.startsWith("http://") || path6.startsWith("https://")) return false;
+  return path6.startsWith("/") || path6.includes("/api/");
+}
+function cleanPath(path6) {
+  let cleaned = path6.replace(/\$\{[^}]*\}/g, "");
+  cleaned = stripTrailingSlash(cleaned);
+  return cleaned;
+}
+function extractRouteDefinitions(source, filePath) {
+  const routes = [];
+  const lines = source.split("\n");
+  const lang = getLanguage(filePath);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (lang === "typescript" || lang === "javascript") {
+      const expressMatch = line.match(/(?:app|router)\s*\.\s*(get|post|put|delete|patch)\s*\(\s*(['"`])([^'"`]+)\2/i);
+      if (expressMatch) {
+        const path6 = expressMatch[3];
+        if (path6.startsWith("/")) {
+          routes.push({
+            method: expressMatch[1].toUpperCase(),
+            path: path6,
+            normalizedPath: normalizePath(path6),
+            file: filePath,
+            line: i + 1
+          });
+        }
+      }
+    }
+    if (lang === "python") {
+      const pythonMatch = line.match(/@(?:app|router)\s*\.\s*(get|post|put|delete|patch)\s*\(\s*(['"])([^'"]+)\2/i);
+      if (pythonMatch) {
+        const path6 = pythonMatch[3];
+        if (path6.startsWith("/")) {
+          routes.push({
+            method: pythonMatch[1].toUpperCase(),
+            path: path6,
+            normalizedPath: normalizePath(path6),
+            file: filePath,
+            line: i + 1
+          });
+        }
+      }
+      const flaskMatch = line.match(/@(?:app|blueprint|router)\s*\.\s*route\s*\(\s*(['"])([^'"]+)\1/);
+      if (flaskMatch) {
+        const path6 = flaskMatch[2];
+        if (path6.startsWith("/")) {
+          const methodsMatch = line.match(/methods\s*=\s*\[([^\]]+)\]/);
+          const methods = methodsMatch ? methodsMatch[1].match(/['"](\w+)['"]/g)?.map((m) => m.replace(/['"]/g, "").toUpperCase()) || ["GET"] : ["GET"];
+          for (const method of methods) {
+            routes.push({
+              method,
+              path: path6,
+              normalizedPath: normalizePath(path6),
+              file: filePath,
+              line: i + 1
+            });
+          }
+        }
+      }
+    }
+    if (lang === "go") {
+      const goMatch = line.match(/(?:r|router|group)\s*\.\s*(GET|POST|PUT|DELETE|PATCH)\s*\(\s*"([^"]+)"/);
+      if (goMatch) {
+        const path6 = goMatch[2];
+        if (path6.startsWith("/")) {
+          routes.push({
+            method: goMatch[1].toUpperCase(),
+            path: path6,
+            normalizedPath: normalizePath(path6),
+            file: filePath,
+            line: i + 1
+          });
+        }
+      }
+    }
+  }
+  return routes;
+}
+function matchPaths(callPath, routeNormalized) {
+  const normalizedCall = normalizePath(stripTrailingSlash(callPath));
+  const normalizedRoute = stripTrailingSlash(routeNormalized);
+  if (normalizedCall === normalizedRoute) return true;
+  if (normalizedRoute.startsWith(normalizedCall) && normalizedRoute[normalizedCall.length] === "/") return true;
+  const callParts = normalizedCall.split("/");
+  const routeParts = normalizedRoute.split("/");
+  if (callParts.length <= routeParts.length) {
+    let match = true;
+    for (let i = 0; i < callParts.length; i++) {
+      if (routeParts[i] === "__PARAM__") continue;
+      if (callParts[i] !== routeParts[i]) {
+        match = false;
+        break;
+      }
+    }
+    if (match) return true;
+  }
+  return false;
+}
+function getConfidence(callPath, callMethod, routePath, routeMethod) {
+  const normalizedCall = normalizePath(stripTrailingSlash(callPath));
+  const normalizedRoute = normalizePath(stripTrailingSlash(routePath));
+  const exactPath = normalizedCall === normalizedRoute;
+  const methodMatch = callMethod === routeMethod;
+  if (exactPath && methodMatch) return "high";
+  if (exactPath) return "medium";
+  if (methodMatch) return "medium";
+  return "low";
+}
+function detectRestApiEdges(files, projectRoot) {
+  const edges = [];
+  const allCalls = [];
+  const allRoutes = [];
+  for (const file of files) {
+    const fullPath = join9(projectRoot, file.filePath);
+    if (!resolve4(fullPath).startsWith(resolve4(projectRoot))) continue;
+    let source;
+    try {
+      source = readFileSync6(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    const lang = getLanguage(file.filePath);
+    if (lang === "typescript" || lang === "javascript") {
+      allCalls.push(...extractHttpCalls(source, file.filePath));
+    }
+    allRoutes.push(...extractRouteDefinitions(source, file.filePath));
+  }
+  for (const call of allCalls) {
+    for (const route of allRoutes) {
+      if (call.file === route.file) continue;
+      if (matchPaths(call.path, route.normalizedPath)) {
+        const confidence = getConfidence(call.path, call.method, route.path, route.method);
+        edges.push({
+          sourceFile: call.file,
+          targetFile: route.file,
+          edgeType: "rest-api",
+          confidence,
+          sourceLanguage: getLanguage(call.file),
+          targetLanguage: getLanguage(route.file),
+          sourceLine: call.line,
+          targetLine: route.line,
+          metadata: {
+            httpMethod: call.method,
+            path: call.path
+          }
+        });
+      }
+    }
+  }
+  return edges;
+}
+
+// src/cross-language/detectors/subprocess.ts
+import { readFileSync as readFileSync7 } from "fs";
+import { join as join10, resolve as resolve5, basename } from "path";
+var SCRIPT_EXTENSIONS = [".py", ".js", ".ts", ".go", ".rs"];
+function getLanguage2(filePath) {
+  if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
+  if (filePath.endsWith(".js") || filePath.endsWith(".jsx") || filePath.endsWith(".mjs") || filePath.endsWith(".cjs")) return "javascript";
+  if (filePath.endsWith(".py")) return "python";
+  if (filePath.endsWith(".go")) return "go";
+  if (filePath.endsWith(".rs")) return "rust";
+  return "unknown";
+}
+function extractFilenameFromArgs(args) {
+  const tokens = args.split(/[\s,'"[\]]+/).filter(Boolean);
+  for (const token of tokens) {
+    for (const ext of SCRIPT_EXTENSIONS) {
+      if (token.endsWith(ext)) {
+        return token;
+      }
+    }
+  }
+  return null;
+}
+function extractSubprocessCalls(source, filePath) {
+  const calls = [];
+  const lines = source.split("\n");
+  const lang = getLanguage2(filePath);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (lang === "typescript" || lang === "javascript") {
+      const execMatch = line.match(/(?:execSync|exec)\s*\(\s*(['"`])([^'"`]+)\1/);
+      if (execMatch) {
+        const command = execMatch[2];
+        const calledFile = extractFilenameFromArgs(command);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+      if (!execMatch) {
+        const execTemplateMatch = line.match(/(?:execSync|exec)\s*\(\s*`([^`]+)`/);
+        if (execTemplateMatch) {
+          const command = execTemplateMatch[1].replace(/\$\{[^}]*\}/g, "");
+          const calledFile = extractFilenameFromArgs(command);
+          if (calledFile) {
+            calls.push({ file: filePath, line: i + 1, command: execTemplateMatch[1], calledFile });
+          }
+        }
+      }
+      const spawnMatch = line.match(/(?:spawn|spawnSync)\s*\(\s*['"](\w+)['"]\s*,\s*\[([^\]]*)\]/);
+      if (spawnMatch) {
+        const command = `${spawnMatch[1]} ${spawnMatch[2]}`;
+        const calledFile = extractFilenameFromArgs(spawnMatch[2]);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+    }
+    if (lang === "python") {
+      const subprocessMatch = line.match(/subprocess\s*\.\s*(?:run|call|Popen|check_output|check_call)\s*\(\s*\[([^\]]*)\]/);
+      if (subprocessMatch) {
+        const command = subprocessMatch[1];
+        const calledFile = extractFilenameFromArgs(command);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+      const osMatch = line.match(/os\s*\.\s*system\s*\(\s*['"]([^'"]+)['"]/);
+      if (osMatch) {
+        const command = osMatch[1];
+        const calledFile = extractFilenameFromArgs(command);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+      const subprocessStrMatch = line.match(/subprocess\s*\.\s*(?:run|call|Popen|check_output|check_call)\s*\(\s*['"]([^'"]+)['"]/);
+      if (subprocessStrMatch) {
+        const command = subprocessStrMatch[1];
+        const calledFile = extractFilenameFromArgs(command);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+    }
+    if (lang === "go") {
+      const goMatch = line.match(/exec\s*\.\s*Command\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"/);
+      if (goMatch) {
+        const command = `${goMatch[1]} ${goMatch[2]}`;
+        const calledFile = extractFilenameFromArgs(command);
+        if (calledFile) {
+          calls.push({ file: filePath, line: i + 1, command, calledFile });
+        }
+      }
+    }
+  }
+  return calls;
+}
+function detectSubprocessEdges(files, projectRoot) {
+  const edges = [];
+  const knownFiles = new Set(files.map((f) => f.filePath));
+  const basenameMap = /* @__PURE__ */ new Map();
+  for (const f of files) {
+    const base = basename(f.filePath);
+    if (!basenameMap.has(base)) basenameMap.set(base, []);
+    basenameMap.get(base).push(f.filePath);
+  }
+  for (const file of files) {
+    const fullPath = join10(projectRoot, file.filePath);
+    if (!resolve5(fullPath).startsWith(resolve5(projectRoot))) continue;
+    let source;
+    try {
+      source = readFileSync7(fullPath, "utf-8");
+    } catch {
+      continue;
+    }
+    const calls = extractSubprocessCalls(source, file.filePath);
+    for (const call of calls) {
+      let targetFile = null;
+      let confidence = "high";
+      if (knownFiles.has(call.calledFile)) {
+        targetFile = call.calledFile;
+        confidence = "high";
+      } else {
+        const base = basename(call.calledFile);
+        const candidates = basenameMap.get(base);
+        if (candidates && candidates.length > 0) {
+          const exactCandidate = candidates.find((c) => c.endsWith(call.calledFile));
+          if (exactCandidate) {
+            targetFile = exactCandidate;
+            confidence = "high";
+          } else {
+            targetFile = candidates[0];
+            confidence = "medium";
+          }
+        }
+      }
+      if (!targetFile) continue;
+      if (targetFile === call.file) continue;
+      edges.push({
+        sourceFile: call.file,
+        targetFile,
+        edgeType: "subprocess",
+        confidence,
+        sourceLanguage: getLanguage2(call.file),
+        targetLanguage: getLanguage2(targetFile),
+        sourceLine: call.line,
+        metadata: {
+          command: call.command,
+          calledFile: call.calledFile
+        }
+      });
+    }
+  }
+  return edges;
+}
+
+// src/cross-language/index.ts
+function detectCrossLanguageEdges(files, projectRoot, graph) {
+  const startTime = Date.now();
+  const restApiEdges = detectRestApiEdges(files, projectRoot);
+  const subprocessEdges = detectSubprocessEdges(files, projectRoot);
+  const allEdges = [...restApiEdges, ...subprocessEdges];
+  for (const edge of allEdges) {
+    const sourceNodeId = `${edge.sourceFile}::__file__`;
+    const targetNodeId = `${edge.targetFile}::__file__`;
+    if (!graph.hasNode(sourceNodeId)) {
+      let hasSourceFile = false;
+      graph.forEachNode((_nodeId, attrs) => {
+        if (attrs.filePath === edge.sourceFile) hasSourceFile = true;
+      });
+      if (!hasSourceFile) continue;
+      graph.addNode(sourceNodeId, {
+        name: "__file__",
+        kind: "import",
+        filePath: edge.sourceFile,
+        startLine: 1,
+        endLine: 1,
+        exported: false
+      });
+    }
+    if (!graph.hasNode(targetNodeId)) {
+      let hasTargetFile = false;
+      graph.forEachNode((_nodeId, attrs) => {
+        if (attrs.filePath === edge.targetFile) hasTargetFile = true;
+      });
+      if (!hasTargetFile) continue;
+      graph.addNode(targetNodeId, {
+        name: "__file__",
+        kind: "import",
+        filePath: edge.targetFile,
+        startLine: 1,
+        endLine: 1,
+        exported: false
+      });
+    }
+    graph.mergeEdge(sourceNodeId, targetNodeId, {
+      kind: edge.edgeType,
+      filePath: edge.sourceFile,
+      line: edge.sourceLine || 1,
+      crossLanguage: true,
+      confidence: edge.confidence,
+      edgeType: edge.edgeType,
+      httpMethod: edge.metadata.httpMethod,
+      path: edge.metadata.path,
+      command: edge.metadata.command,
+      calledFile: edge.metadata.calledFile
+    });
+  }
+  const detectionTimeMs = Date.now() - startTime;
+  return {
+    edges: allEdges,
+    stats: {
+      restApiEdges: restApiEdges.length,
+      subprocessEdges: subprocessEdges.length,
+      filesAnalyzed: files.length,
+      detectionTimeMs
+    }
+  };
+}
+
 // src/graph/index.ts
 import { DirectedGraph } from "graphology";
-function buildGraph(parsedFiles) {
+function buildGraph(parsedFiles, projectRoot) {
   const graph = new DirectedGraph();
   for (const file of parsedFiles) {
     for (const symbol of file.symbols) {
@@ -2928,6 +3372,12 @@ function buildGraph(parsedFiles) {
       }
     }
   }
+  if (projectRoot) {
+    const result = detectCrossLanguageEdges(parsedFiles, projectRoot, graph);
+    if (result.stats.restApiEdges > 0 || result.stats.subprocessEdges > 0) {
+      console.error(`Cross-language edges: ${result.stats.restApiEdges} rest-api, ${result.stats.subprocessEdges} subprocess detected`);
+    }
+  }
   return graph;
 }
 
@@ -3059,7 +3509,9 @@ function getCrossFileEdges(graph) {
         target,
         sourceFile: sourceAttrs.filePath,
         targetFile: targetAttrs.filePath,
-        kind: attrs.kind
+        kind: attrs.kind,
+        crossLanguage: attrs.crossLanguage || false,
+        edgeType: attrs.edgeType
       });
     }
   });
@@ -3507,8 +3959,8 @@ function calculateDepthScore(graph) {
 }
 
 // src/health/index.ts
-import { readFileSync as readFileSync6, writeFileSync, existsSync as existsSync8, mkdirSync } from "fs";
-import { join as join9, dirname as dirname8 } from "path";
+import { readFileSync as readFileSync8, writeFileSync, existsSync as existsSync8, mkdirSync } from "fs";
+import { dirname as dirname8, resolve as resolve6 } from "path";
 function calculateHealthScore(graph, projectRoot) {
   const coupling = calculateCouplingScore(graph);
   const cohesion = calculateCohesionScore(graph);
@@ -3607,7 +4059,11 @@ function getHealthTrend(projectRoot, currentScore) {
   }
 }
 function saveHealthHistory(projectRoot, report) {
-  const historyFile = join9(projectRoot, ".depwire", "health-history.json");
+  const resolvedRoot = resolve6(projectRoot);
+  const historyFile = resolve6(resolvedRoot, ".depwire", "health-history.json");
+  if (!historyFile.startsWith(resolvedRoot)) {
+    return;
+  }
   const entry = {
     timestamp: report.timestamp,
     score: report.overall,
@@ -3621,7 +4077,8 @@ function saveHealthHistory(projectRoot, report) {
   let history = [];
   if (existsSync8(historyFile)) {
     try {
-      const content = readFileSync6(historyFile, "utf-8");
+      if (!historyFile.startsWith(resolvedRoot)) return;
+      const content = readFileSync8(historyFile, "utf-8");
       history = JSON.parse(content);
     } catch {
     }
@@ -3631,15 +4088,18 @@ function saveHealthHistory(projectRoot, report) {
     history = history.slice(-50);
   }
   mkdirSync(dirname8(historyFile), { recursive: true });
+  if (!historyFile.startsWith(resolvedRoot)) return;
   writeFileSync(historyFile, JSON.stringify(history, null, 2), "utf-8");
 }
 function loadHealthHistory(projectRoot) {
-  const historyFile = join9(projectRoot, ".depwire", "health-history.json");
-  if (!existsSync8(historyFile)) {
+  const resolvedRoot = resolve6(projectRoot);
+  const historyFile = resolve6(resolvedRoot, ".depwire", "health-history.json");
+  if (!historyFile.startsWith(resolvedRoot) || !existsSync8(historyFile)) {
     return [];
   }
   try {
-    const content = readFileSync6(historyFile, "utf-8");
+    if (!historyFile.startsWith(resolvedRoot)) return [];
+    const content = readFileSync8(historyFile, "utf-8");
     return JSON.parse(content);
   } catch {
     return [];
@@ -3648,7 +4108,7 @@ function loadHealthHistory(projectRoot) {
 
 // src/dead-code/detector.ts
 import path2 from "path";
-import { readFileSync as readFileSync7, existsSync as existsSync9 } from "fs";
+import { readFileSync as readFileSync9, existsSync as existsSync9 } from "fs";
 function findDeadSymbols(graph, projectRoot, includeTests = false, debug = false) {
   const deadSymbols = [];
   const context = { graph, projectRoot };
@@ -3777,12 +4237,13 @@ function isRelevantForDeadCodeDetection(attrs) {
 }
 function getPackageEntryPoints(projectRoot) {
   const entryPoints = /* @__PURE__ */ new Set();
-  const packageJsonPath = path2.join(projectRoot, "package.json");
-  if (!existsSync9(packageJsonPath)) {
+  const resolvedRoot = path2.resolve(projectRoot);
+  const packageJsonPath = path2.resolve(resolvedRoot, "package.json");
+  if (!packageJsonPath.startsWith(resolvedRoot) || !existsSync9(packageJsonPath)) {
     return entryPoints;
   }
   try {
-    const packageJson = JSON.parse(readFileSync7(packageJsonPath, "utf-8"));
+    const packageJson = JSON.parse(readFileSync9(packageJsonPath, "utf-8"));
     if (packageJson.main) {
       entryPoints.add(path2.resolve(projectRoot, packageJson.main));
     }
@@ -3923,8 +4384,8 @@ function generateReason(symbol, confidence) {
   return "Potentially unused";
 }
 function isBarrelFile(filePath) {
-  const basename4 = path3.basename(filePath);
-  return basename4 === "index.ts" || basename4 === "index.js";
+  const basename5 = path3.basename(filePath);
+  return basename5 === "index.ts" || basename5 === "index.js";
 }
 function isTestFile2(filePath) {
   return filePath.includes("__tests__/") || filePath.includes(".test.") || filePath.includes(".spec.") || filePath.includes("/test/") || filePath.includes("/tests/");
@@ -4104,7 +4565,7 @@ function filterByConfidence(symbols, minConfidence) {
 
 // src/docs/generator.ts
 import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync12 } from "fs";
-import { join as join12 } from "path";
+import { join as join14 } from "path";
 
 // src/docs/architecture.ts
 import { dirname as dirname9 } from "path";
@@ -4506,7 +4967,7 @@ function detectCycles(graph) {
 }
 
 // src/docs/conventions.ts
-import { basename, extname as extname4 } from "path";
+import { basename as basename2, extname as extname4 } from "path";
 function generateConventions(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -4544,7 +5005,7 @@ function generateFileOrganization(graph) {
   graph.forEachNode((node, attrs) => {
     if (!files.has(attrs.filePath)) {
       files.add(attrs.filePath);
-      const fileName = basename(attrs.filePath);
+      const fileName = basename2(attrs.filePath);
       if (fileName === "index.ts" || fileName === "index.js" || fileName === "index.tsx" || fileName === "index.jsx") {
         barrelFileCount++;
       }
@@ -4603,7 +5064,7 @@ function generateNamingPatterns(graph) {
   graph.forEachNode((node, attrs) => {
     if (!files.has(attrs.filePath)) {
       files.add(attrs.filePath);
-      const fileName = basename(attrs.filePath, extname4(attrs.filePath));
+      const fileName = basename2(attrs.filePath, extname4(attrs.filePath));
       if (isCamelCase(fileName)) patterns.files.camelCase++;
       else if (isPascalCase(fileName)) patterns.files.PascalCase++;
       else if (isKebabCase(fileName)) patterns.files.kebabCase++;
@@ -5668,7 +6129,7 @@ function generateDepwireUsage(projectRoot) {
 }
 
 // src/docs/files.ts
-import { dirname as dirname11, basename as basename2 } from "path";
+import { dirname as dirname11, basename as basename3 } from "path";
 function generateFiles(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -5787,7 +6248,7 @@ function generateDirectoryBreakdown(graph) {
     dirStats.symbolCount += file.symbolCount;
     if (file.totalConnections > dirStats.maxConnections) {
       dirStats.maxConnections = file.totalConnections;
-      dirStats.mostConnectedFile = basename2(file.filePath);
+      dirStats.mostConnectedFile = basename3(file.filePath);
     }
   }
   if (dirMap.size === 0) {
@@ -6415,7 +6876,7 @@ function generateRecommendations(graph) {
 }
 
 // src/docs/tests.ts
-import { basename as basename3, dirname as dirname12 } from "path";
+import { basename as basename4, dirname as dirname12 } from "path";
 function generateTests(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -6443,7 +6904,7 @@ function getFileCount8(graph) {
   return files.size;
 }
 function isTestFile3(filePath) {
-  const fileName = basename3(filePath).toLowerCase();
+  const fileName = basename4(filePath).toLowerCase();
   const dirPath = dirname12(filePath).toLowerCase();
   if (dirPath.includes("test") || dirPath.includes("spec") || dirPath.includes("__tests__")) {
     return true;
@@ -6502,7 +6963,7 @@ function generateTestFileInventory(graph) {
   return output;
 }
 function matchTestToSource(testFile) {
-  const testFileName = basename3(testFile);
+  const testFileName = basename4(testFile);
   const testDir = dirname12(testFile);
   let sourceFileName = testFileName.replace(/\.test\./g, ".").replace(/\.spec\./g, ".").replace(/_test\./g, ".").replace(/_spec\./g, ".");
   const possiblePaths = [];
@@ -6664,7 +7125,7 @@ function generateTestCoverageMap(graph) {
   const rows = mappings.slice(0, 30).map((m) => [
     `\`${m.sourceFile}\``,
     m.hasTest ? "\u2705" : "\u274C",
-    m.testFile ? `\`${basename3(m.testFile)}\`` : "-",
+    m.testFile ? `\`${basename4(m.testFile)}\`` : "-",
     formatNumber(m.symbolCount)
   ]);
   let output = table(headers, rows);
@@ -7440,8 +7901,8 @@ function getTopLevelDir2(filePath) {
 }
 
 // src/docs/status.ts
-import { readFileSync as readFileSync8, existsSync as existsSync10 } from "fs";
-import { join as join10 } from "path";
+import { readFileSync as readFileSync10, existsSync as existsSync10 } from "fs";
+import { resolve as resolve7 } from "path";
 function generateStatus(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -7474,12 +7935,16 @@ function getFileCount11(graph) {
 }
 function extractComments(projectRoot, filePath) {
   const comments = [];
-  const fullPath = join10(projectRoot, filePath);
+  const resolvedRoot = resolve7(projectRoot);
+  const fullPath = resolve7(resolvedRoot, filePath);
+  if (!fullPath.startsWith(resolvedRoot)) {
+    return comments;
+  }
   if (!existsSync10(fullPath)) {
     return comments;
   }
   try {
-    const content = readFileSync8(fullPath, "utf-8");
+    const content = readFileSync10(fullPath, "utf-8");
     const lines = content.split("\n");
     const patterns = [
       { type: "TODO", regex: /(?:\/\/|#|\/\*)\s*TODO:?\s*(.+)/i },
@@ -8058,15 +8523,16 @@ function generateConfidenceSection(title, description, symbols, projectRoot) {
 }
 
 // src/docs/metadata.ts
-import { existsSync as existsSync11, readFileSync as readFileSync9, writeFileSync as writeFileSync2 } from "fs";
-import { join as join11 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync11, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve8 } from "path";
 function loadMetadata(outputDir) {
-  const metadataPath = join11(outputDir, "metadata.json");
-  if (!existsSync11(metadataPath)) {
+  const resolvedDir = resolve8(outputDir);
+  const metadataPath = resolve8(resolvedDir, "metadata.json");
+  if (!metadataPath.startsWith(resolvedDir) || !existsSync11(metadataPath)) {
     return null;
   }
   try {
-    const content = readFileSync9(metadataPath, "utf-8");
+    const content = readFileSync11(metadataPath, "utf-8");
     return JSON.parse(content);
   } catch (err) {
     console.error("Failed to load metadata:", err);
@@ -8074,7 +8540,11 @@ function loadMetadata(outputDir) {
   }
 }
 function saveMetadata(outputDir, metadata) {
-  const metadataPath = join11(outputDir, "metadata.json");
+  const resolvedDir = resolve8(outputDir);
+  const metadataPath = resolve8(resolvedDir, "metadata.json");
+  if (!metadataPath.startsWith(resolvedDir)) {
+    throw new Error(`Path traversal attempt blocked: ${metadataPath}`);
+  }
   writeFileSync2(metadataPath, JSON.stringify(metadata, null, 2), "utf-8");
 }
 function createMetadata(version, projectPath, fileCount, symbolCount, edgeCount, docTypes) {
@@ -8156,7 +8626,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ARCHITECTURE.md...");
           const content = generateArchitecture(graph, projectRoot, version, parseTime);
-          const filePath = join12(options.outputDir, "ARCHITECTURE.md");
+          const filePath = join14(options.outputDir, "ARCHITECTURE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ARCHITECTURE.md");
         } catch (err) {
@@ -8167,7 +8637,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating CONVENTIONS.md...");
           const content = generateConventions(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "CONVENTIONS.md");
+          const filePath = join14(options.outputDir, "CONVENTIONS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("CONVENTIONS.md");
         } catch (err) {
@@ -8178,7 +8648,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating DEPENDENCIES.md...");
           const content = generateDependencies(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "DEPENDENCIES.md");
+          const filePath = join14(options.outputDir, "DEPENDENCIES.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("DEPENDENCIES.md");
         } catch (err) {
@@ -8189,7 +8659,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ONBOARDING.md...");
           const content = generateOnboarding(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "ONBOARDING.md");
+          const filePath = join14(options.outputDir, "ONBOARDING.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ONBOARDING.md");
         } catch (err) {
@@ -8200,7 +8670,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating FILES.md...");
           const content = generateFiles(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "FILES.md");
+          const filePath = join14(options.outputDir, "FILES.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("FILES.md");
         } catch (err) {
@@ -8211,7 +8681,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating API_SURFACE.md...");
           const content = generateApiSurface(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "API_SURFACE.md");
+          const filePath = join14(options.outputDir, "API_SURFACE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("API_SURFACE.md");
         } catch (err) {
@@ -8222,7 +8692,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ERRORS.md...");
           const content = generateErrors(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "ERRORS.md");
+          const filePath = join14(options.outputDir, "ERRORS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ERRORS.md");
         } catch (err) {
@@ -8233,7 +8703,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating TESTS.md...");
           const content = generateTests(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "TESTS.md");
+          const filePath = join14(options.outputDir, "TESTS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("TESTS.md");
         } catch (err) {
@@ -8244,7 +8714,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating HISTORY.md...");
           const content = generateHistory(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "HISTORY.md");
+          const filePath = join14(options.outputDir, "HISTORY.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("HISTORY.md");
         } catch (err) {
@@ -8255,7 +8725,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating CURRENT.md...");
           const content = generateCurrent(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "CURRENT.md");
+          const filePath = join14(options.outputDir, "CURRENT.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("CURRENT.md");
         } catch (err) {
@@ -8266,7 +8736,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating STATUS.md...");
           const content = generateStatus(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "STATUS.md");
+          const filePath = join14(options.outputDir, "STATUS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("STATUS.md");
         } catch (err) {
@@ -8277,7 +8747,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating HEALTH.md...");
           const content = generateHealth(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "HEALTH.md");
+          const filePath = join14(options.outputDir, "HEALTH.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("HEALTH.md");
         } catch (err) {
@@ -8288,7 +8758,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating DEAD_CODE.md...");
           const content = generateDeadCode(graph, projectRoot, version);
-          const filePath = join12(options.outputDir, "DEAD_CODE.md");
+          const filePath = join14(options.outputDir, "DEAD_CODE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("DEAD_CODE.md");
         } catch (err) {
@@ -8332,13 +8802,13 @@ function getFileCount13(graph) {
 }
 
 // src/simulation/engine.ts
-import { dirname as dirname15, join as join13 } from "path";
-function normalizePath(p) {
+import { dirname as dirname15, join as join15 } from "path";
+function normalizePath2(p) {
   return p.replace(/^\.\//, "").replace(/\/+$/, "");
 }
 function fileMatch(nodeFilePath, target) {
-  const a = normalizePath(nodeFilePath);
-  const b = normalizePath(target);
+  const a = normalizePath2(nodeFilePath);
+  const b = normalizePath2(target);
   return a === b || a.endsWith("/" + b) || b.endsWith("/" + a);
 }
 var SimulationEngine = class {
@@ -8403,8 +8873,8 @@ var SimulationEngine = class {
   }
   // ── Action implementations ─────────────────────────────────────
   applyMove(clone, target, destination, brokenImports) {
-    const normalizedTarget = normalizePath(target);
-    const normalizedDest = normalizePath(destination);
+    const normalizedTarget = normalizePath2(target);
+    const normalizedDest = normalizePath2(destination);
     const nodesToMove = clone.filterNodes(
       (_node, attrs) => fileMatch(attrs.filePath, target)
     );
@@ -8463,11 +8933,11 @@ var SimulationEngine = class {
     }
   }
   applyRename(clone, target, newName, brokenImports) {
-    const destination = join13(dirname15(target), newName);
+    const destination = join15(dirname15(target), newName);
     this.applyMove(clone, target, destination, brokenImports);
   }
   applySplit(clone, target, newFile, symbols, brokenImports) {
-    const normalizedNewFile = normalizePath(newFile);
+    const normalizedNewFile = normalizePath2(newFile);
     const nodesToSplit = clone.filterNodes((_node, attrs) => {
       return fileMatch(attrs.filePath, target) && symbols.includes(attrs.name);
     });
@@ -8503,7 +8973,7 @@ var SimulationEngine = class {
     }
   }
   applyMerge(clone, target, source, brokenImports) {
-    const normalizedTarget = normalizePath(target);
+    const normalizedTarget = normalizePath2(target);
     const sourceNodes = clone.filterNodes(
       (_node, attrs) => fileMatch(attrs.filePath, source)
     );
@@ -8664,12 +9134,12 @@ var SimulationEngine = class {
 
 // src/security/scanner.ts
 import { existsSync as existsSync14 } from "fs";
-import { join as join23 } from "path";
+import { join as join25 } from "path";
 
 // src/security/checks/dependencies.ts
 import { execSync as execSync2 } from "child_process";
-import { existsSync as existsSync13, readFileSync as readFileSync10, readdirSync as readdirSync5 } from "fs";
-import { join as join14 } from "path";
+import { existsSync as existsSync13, readFileSync as readFileSync12, readdirSync as readdirSync5 } from "fs";
+import { join as join16 } from "path";
 function cvssToSeverity(score) {
   if (score >= 9) return "critical";
   if (score >= 7) return "high";
@@ -8679,18 +9149,18 @@ function cvssToSeverity(score) {
 async function checkDependencies(_files, projectRoot) {
   const findings = [];
   try {
-    if (existsSync13(join14(projectRoot, "package.json"))) {
+    if (existsSync13(join16(projectRoot, "package.json"))) {
       findings.push(...checkNpmAudit(projectRoot));
       findings.push(...checkPackageJsonPatterns(projectRoot));
       findings.push(...checkPostinstallScripts(projectRoot));
     }
-    if (existsSync13(join14(projectRoot, "requirements.txt")) || existsSync13(join14(projectRoot, "pyproject.toml"))) {
+    if (existsSync13(join16(projectRoot, "requirements.txt")) || existsSync13(join16(projectRoot, "pyproject.toml"))) {
       findings.push(...checkPipAudit(projectRoot));
     }
-    if (existsSync13(join14(projectRoot, "Cargo.toml"))) {
+    if (existsSync13(join16(projectRoot, "Cargo.toml"))) {
       findings.push(...checkCargoAudit(projectRoot));
     }
-    if (existsSync13(join14(projectRoot, "go.mod"))) {
+    if (existsSync13(join16(projectRoot, "go.mod"))) {
       findings.push(...checkGoVerify(projectRoot));
     }
   } catch (err) {
@@ -8779,8 +9249,8 @@ function checkNpmAudit(projectRoot) {
 function checkPackageJsonPatterns(projectRoot) {
   const findings = [];
   try {
-    const pkgPath = join14(projectRoot, "package.json");
-    const pkg = JSON.parse(readFileSync10(pkgPath, "utf-8"));
+    const pkgPath = join16(projectRoot, "package.json");
+    const pkg = JSON.parse(readFileSync12(pkgPath, "utf-8"));
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     for (const [name, version] of Object.entries(allDeps)) {
       if (version.startsWith("^") || version.startsWith("~")) {
@@ -8802,15 +9272,15 @@ function checkPackageJsonPatterns(projectRoot) {
 }
 function checkPostinstallScripts(projectRoot) {
   const findings = [];
-  const nodeModules = join14(projectRoot, "node_modules");
+  const nodeModules = join16(projectRoot, "node_modules");
   if (!existsSync13(nodeModules)) return findings;
   try {
     const topLevelDeps = readdirSync5(nodeModules).filter((d) => !d.startsWith("."));
     for (const dep of topLevelDeps) {
-      const depPkgPath = join14(nodeModules, dep, "package.json");
+      const depPkgPath = join16(nodeModules, dep, "package.json");
       if (!existsSync13(depPkgPath)) continue;
       try {
-        const depPkg = JSON.parse(readFileSync10(depPkgPath, "utf-8"));
+        const depPkg = JSON.parse(readFileSync12(depPkgPath, "utf-8"));
         const scripts = depPkg.scripts || {};
         if (scripts.postinstall || scripts.preinstall || scripts.install) {
           const scriptName = scripts.postinstall ? "postinstall" : scripts.preinstall ? "preinstall" : "install";
@@ -8848,7 +9318,7 @@ function checkPipAudit(projectRoot) {
         id: "",
         severity: cvssToSeverity(vuln.cvss?.score || 5),
         vulnerabilityClass: "dependency-cve",
-        file: existsSync13(join14(projectRoot, "requirements.txt")) ? "requirements.txt" : "pyproject.toml",
+        file: existsSync13(join16(projectRoot, "requirements.txt")) ? "requirements.txt" : "pyproject.toml",
         title: `Vulnerable Python dependency: ${vuln.name}`,
         description: `${vuln.name}@${vuln.version} \u2014 ${vuln.id}: ${vuln.description || "Known vulnerability"}`,
         attackScenario: `An attacker could exploit the vulnerability in ${vuln.name}.`,
@@ -8945,8 +9415,8 @@ function checkGoVerify(projectRoot) {
 }
 
 // src/security/checks/injection.ts
-import { readFileSync as readFileSync11 } from "fs";
-import { join as join15 } from "path";
+import { readFileSync as readFileSync13 } from "fs";
+import { join as join17 } from "path";
 var SKIP_DIRS = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var TEST_PATTERNS = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__"];
 var USER_INPUT_NAMES = /(?:input|user|name|path|query|branch|hash|cmd|command|req\.|params|body|args|url|dir|file|subdirectory)/i;
@@ -9047,7 +9517,7 @@ async function checkInjection(files, projectRoot) {
       if (shouldSkip(file.filePath) || isTestFile4(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync11(join15(projectRoot, file.filePath), "utf-8");
+        content = readFileSync13(join17(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9057,6 +9527,7 @@ async function checkInjection(files, projectRoot) {
         if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#") || line.trimStart().startsWith("*")) {
           continue;
         }
+        if (line.includes("depwire-security-reviewed")) continue;
         for (const pattern of PATTERNS) {
           if (pattern.regex.test(line)) {
             let severity = pattern.baseSeverity;
@@ -9084,8 +9555,8 @@ async function checkInjection(files, projectRoot) {
 }
 
 // src/security/checks/secrets.ts
-import { readFileSync as readFileSync12 } from "fs";
-import { join as join16 } from "path";
+import { readFileSync as readFileSync14 } from "fs";
+import { join as join18 } from "path";
 var SKIP_DIRS2 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var TEST_PATTERNS2 = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__", ".example", ".sample"];
 var SECRET_PATTERNS = [
@@ -9118,7 +9589,7 @@ async function checkSecrets(files, projectRoot) {
       if (shouldSkip2(file.filePath) || isTestFile5(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync12(join16(projectRoot, file.filePath), "utf-8");
+        content = readFileSync14(join18(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9151,8 +9622,8 @@ async function checkSecrets(files, projectRoot) {
 }
 
 // src/security/checks/path-traversal.ts
-import { readFileSync as readFileSync13 } from "fs";
-import { join as join17 } from "path";
+import { readFileSync as readFileSync15 } from "fs";
+import { join as join19 } from "path";
 var SKIP_DIRS3 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var USER_INPUT_VARS = /(?:req\.|params|query|body|input|path|dir|subdirectory|file|userInput|fileName|filePath)/i;
 var PATTERNS2 = [
@@ -9199,7 +9670,7 @@ async function checkPathTraversal(files, projectRoot) {
       if (shouldSkip3(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync13(join17(projectRoot, file.filePath), "utf-8");
+        content = readFileSync15(join19(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9217,8 +9688,8 @@ async function checkPathTraversal(files, projectRoot) {
               if (SAFE_OUTPUT_PATTERNS.test(context)) continue;
             }
             if (/__dirname/.test(line) && SAFE_DIRNAME_ARGS.test(line)) continue;
-            const nearbyLines = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 4)).join("\n");
-            if (nearbyLines.includes("startsWith") && nearbyLines.includes("resolve")) continue;
+            const nearbyLines = lines.slice(Math.max(0, i - 15), Math.min(lines.length, i + 4)).join("\n");
+            if (nearbyLines.includes("startsWith") && /resolve/.test(nearbyLines)) continue;
             const severity = inRouteOrTool ? "high" : "medium";
             findings.push({
               id: "",
@@ -9241,8 +9712,8 @@ async function checkPathTraversal(files, projectRoot) {
 }
 
 // src/security/checks/auth.ts
-import { readFileSync as readFileSync14 } from "fs";
-import { join as join18 } from "path";
+import { readFileSync as readFileSync16 } from "fs";
+import { join as join20 } from "path";
 var SKIP_DIRS4 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip4(filePath) {
   return SKIP_DIRS4.some((d) => filePath.includes(d));
@@ -9258,7 +9729,7 @@ async function checkAuth(files, projectRoot) {
       if (shouldSkip4(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync14(join18(projectRoot, file.filePath), "utf-8");
+        content = readFileSync16(join20(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9349,8 +9820,8 @@ async function checkAuth(files, projectRoot) {
 }
 
 // src/security/checks/input-validation.ts
-import { readFileSync as readFileSync15 } from "fs";
-import { join as join19 } from "path";
+import { readFileSync as readFileSync17 } from "fs";
+import { join as join21 } from "path";
 var SKIP_DIRS5 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip5(filePath) {
   return SKIP_DIRS5.some((d) => filePath.includes(d));
@@ -9362,7 +9833,7 @@ async function checkInputValidation(files, projectRoot) {
       if (shouldSkip5(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync15(join19(projectRoot, file.filePath), "utf-8");
+        content = readFileSync17(join21(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9439,8 +9910,8 @@ async function checkInputValidation(files, projectRoot) {
 }
 
 // src/security/checks/information-disclosure.ts
-import { readFileSync as readFileSync16 } from "fs";
-import { join as join20 } from "path";
+import { readFileSync as readFileSync18 } from "fs";
+import { join as join22 } from "path";
 var SKIP_DIRS6 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip6(filePath) {
   return SKIP_DIRS6.some((d) => filePath.includes(d));
@@ -9452,7 +9923,7 @@ async function checkInformationDisclosure(files, projectRoot) {
       if (shouldSkip6(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync16(join20(projectRoot, file.filePath), "utf-8");
+        content = readFileSync18(join22(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9522,8 +9993,8 @@ async function checkInformationDisclosure(files, projectRoot) {
 }
 
 // src/security/checks/cryptography.ts
-import { readFileSync as readFileSync17 } from "fs";
-import { join as join21 } from "path";
+import { readFileSync as readFileSync19 } from "fs";
+import { join as join23 } from "path";
 var SKIP_DIRS7 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip7(filePath) {
   return SKIP_DIRS7.some((d) => filePath.includes(d));
@@ -9539,7 +10010,7 @@ async function checkCryptography(files, projectRoot) {
       if (shouldSkip7(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync17(join21(projectRoot, file.filePath), "utf-8");
+        content = readFileSync19(join23(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -9621,8 +10092,8 @@ async function checkCryptography(files, projectRoot) {
 }
 
 // src/security/checks/frontend.ts
-import { readFileSync as readFileSync18 } from "fs";
-import { join as join22 } from "path";
+import { readFileSync as readFileSync20 } from "fs";
+import { join as join24 } from "path";
 var SKIP_DIRS8 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip8(filePath) {
   return SKIP_DIRS8.some((d) => filePath.includes(d));
@@ -9638,7 +10109,7 @@ async function checkFrontend(files, projectRoot) {
       if (!isFrontendFile(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync18(join22(projectRoot, file.filePath), "utf-8");
+        content = readFileSync20(join24(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -10098,11 +10569,11 @@ async function scanSecurity(projectRoot, graph, options = {}) {
   };
 }
 function detectPackageManager(projectRoot) {
-  if (existsSync14(join23(projectRoot, "package.json"))) return "npm";
-  if (existsSync14(join23(projectRoot, "requirements.txt"))) return "pip";
-  if (existsSync14(join23(projectRoot, "pyproject.toml"))) return "pip";
-  if (existsSync14(join23(projectRoot, "Cargo.toml"))) return "cargo";
-  if (existsSync14(join23(projectRoot, "go.mod"))) return "go";
+  if (existsSync14(join25(projectRoot, "package.json"))) return "npm";
+  if (existsSync14(join25(projectRoot, "requirements.txt"))) return "pip";
+  if (existsSync14(join25(projectRoot, "pyproject.toml"))) return "pip";
+  if (existsSync14(join25(projectRoot, "Cargo.toml"))) return "cargo";
+  if (existsSync14(join25(projectRoot, "go.mod"))) return "go";
   return "unknown";
 }
 
@@ -10110,6 +10581,7 @@ export {
   findProjectRoot,
   parseTypeScriptFile,
   parseProject,
+  detectCrossLanguageEdges,
   buildGraph,
   findSymbols,
   getDependencies,