depwire-cli 0.9.26 → 0.9.28

package/dist/{chunk-B2KGFBZL.js → chunk-VJLBOFCD.js}

@@ -16,7 +16,7 @@ import {
   parseTypeScriptFile,
   scanSecurity,
   searchSymbols
-} from "./chunk-YYY5TNG7.js";
+} from "./chunk-ITEGMPF7.js";
 
 // src/viz/data.ts
 import { basename } from "path";
@@ -45,12 +45,18 @@ function prepareVizData(graph, projectRoot) {
       if (!arc.edgeKinds.includes(edge.kind)) {
         arc.edgeKinds.push(edge.kind);
       }
+      if (edge.crossLanguage) {
+        arc.crossLanguage = true;
+        arc.edgeType = edge.edgeType || arc.edgeType;
+      }
     } else {
       arcMap.set(key, {
         sourceFile: edge.sourceFile,
         targetFile: edge.targetFile,
         edgeCount: 1,
-        edgeKinds: [edge.kind]
+        edgeKinds: [edge.kind],
+        crossLanguage: edge.crossLanguage || false,
+        edgeType: edge.edgeType
       });
     }
   }
@@ -171,14 +177,14 @@ async function findAvailablePort(startPort, maxAttempts = 10) {
   const net = await import("net");
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve2) => {
+    const isAvailable = await new Promise((resolve4) => {
       const server = net.createServer();
       server.once("error", () => {
-        resolve2(false);
+        resolve4(false);
       });
       server.once("listening", () => {
         server.close();
-        resolve2(true);
+        resolve4(true);
       });
       server.listen(testPort, "127.0.0.1");
     });
@@ -238,7 +244,7 @@ Depwire visualization running at ${url2}`);
       console.error(`File changed: ${filePath} \u2014 re-parsing project...`);
       try {
         const parsedFiles = await parseProject(projectRoot, options);
-        const newGraph = buildGraph(parsedFiles);
+        const newGraph = buildGraph(parsedFiles, projectRoot);
         graph.clear();
         newGraph.forEachNode((node, attrs) => {
           graph.addNode(node, attrs);
@@ -257,7 +263,7 @@ Depwire visualization running at ${url2}`);
       console.error(`File added: ${filePath} \u2014 re-parsing project...`);
       try {
         const parsedFiles = await parseProject(projectRoot, options);
-        const newGraph = buildGraph(parsedFiles);
+        const newGraph = buildGraph(parsedFiles, projectRoot);
         graph.clear();
         newGraph.forEachNode((node, attrs) => {
           graph.addNode(node, attrs);
@@ -276,7 +282,7 @@ Depwire visualization running at ${url2}`);
       console.error(`File deleted: ${filePath} \u2014 re-parsing project...`);
       try {
         const parsedFiles = await parseProject(projectRoot, options);
-        const newGraph = buildGraph(parsedFiles);
+        const newGraph = buildGraph(parsedFiles, projectRoot);
         graph.clear();
         newGraph.forEachNode((node, attrs) => {
           graph.addNode(node, attrs);
@@ -377,7 +383,7 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // src/mcp/tools.ts
-import { dirname as dirname2, join as join5 } from "path";
+import { dirname as dirname2, join as join5, resolve as resolve3 } from "path";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 
 // src/mcp/connect.ts
@@ -509,7 +515,7 @@ async function connectToRepo(source, subdirectory, state) {
         message: `No supported source files (.ts, .tsx, .js, .jsx, .py, .go) found in ${projectRoot}`
       };
     }
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     state.graph = graph;
     state.projectRoot = projectRoot;
     state.projectName = projectName;
@@ -626,8 +632,8 @@ async function getCurrentBranch(dir) {
   }
 }
 async function checkoutCommit(dir, hash) {
-  if (!/^[a-zA-Z0-9_.\-\/]+$/.test(hash)) {
-    throw new Error(`Invalid git ref: ${hash}`);
+  if (!/^[a-f0-9]+$/.test(hash)) {
+    throw new Error(`Invalid commit hash: ${hash}`);
   }
   try {
     execSync(`git checkout -q ${hash}`, { cwd: dir, stdio: "ignore" });
@@ -636,11 +642,12 @@ async function checkoutCommit(dir, hash) {
   }
 }
 async function restoreOriginal(dir, originalBranch) {
-  if (!/^[a-zA-Z0-9_.\-\/]+$/.test(originalBranch)) {
-    throw new Error(`Invalid git ref: ${originalBranch}`);
+  if (!/^[a-zA-Z0-9/_.\-]+$/.test(originalBranch)) {
+    throw new Error(`Invalid branch name: ${originalBranch}`);
   }
   try {
     execSync(`git checkout -q ${originalBranch}`, {
+      // depwire-security-reviewed: branch validated above
       cwd: dir,
       stdio: "ignore"
     });
@@ -788,19 +795,22 @@ function getWeekNumber(date) {
 
 // src/temporal/snapshots.ts
 import { writeFileSync, readFileSync, mkdirSync, existsSync as existsSync2, readdirSync } from "fs";
-import { join as join4 } from "path";
+import { resolve as resolve2 } from "path";
 function saveSnapshot(snapshot, outputDir) {
   if (!existsSync2(outputDir)) {
     mkdirSync(outputDir, { recursive: true });
   }
   const filename = `${snapshot.commitHash.substring(0, 8)}.json`;
-  const filepath = join4(outputDir, filename);
+  const filepath = resolve2(outputDir, filename);
+  if (!filepath.startsWith(resolve2(outputDir))) {
+    throw new Error(`Path traversal attempt blocked: ${filepath}`);
+  }
   writeFileSync(filepath, JSON.stringify(snapshot, null, 2), "utf-8");
 }
 function loadSnapshot(commitHash, outputDir) {
   const shortHash = commitHash.substring(0, 8);
-  const filepath = join4(outputDir, `${shortHash}.json`);
-  if (!existsSync2(filepath)) {
+  const filepath = resolve2(outputDir, `${shortHash}.json`);
+  if (!filepath.startsWith(resolve2(outputDir)) || !existsSync2(filepath)) {
     return null;
   }
   try {
@@ -935,7 +945,7 @@ function getToolsList() {
     },
     {
       name: "impact_analysis",
-      description: "Analyze what would break if a symbol is changed, renamed, or removed. Shows direct dependents, transitive dependents (chain reaction), and all affected files. Pass a symbol name (e.g., 'Router') or a fully qualified ID (e.g., 'src/router.ts::Router') for exact matching. If multiple symbols share the same name, returns all matches for disambiguation. Use this before making changes to understand the blast radius.",
+      description: "Analyze what would break if a symbol is changed, renamed, or removed. Shows direct dependents, transitive dependents (chain reaction), and all affected files. Cross-language edges included \u2014 a TypeScript fetch call to a Python route will show the Python file as affected. Pass a symbol name (e.g., 'Router') or a fully qualified ID (e.g., 'src/router.ts::Router') for exact matching. If multiple symbols share the same name, returns all matches for disambiguation. Use this before making changes to understand the blast radius.",
       inputSchema: {
         type: "object",
         properties: {
@@ -953,7 +963,7 @@ function getToolsList() {
     },
     {
       name: "get_file_context",
-      description: "Get complete context about a file \u2014 all symbols defined in it, all imports, all exports, and all files that import from it.",
+      description: "Get complete context about a file \u2014 all symbols defined in it, all imports, all exports, and all files that import from it. Includes cross-language connections (REST API calls, subprocess invocations).",
       inputSchema: {
         type: "object",
         properties: {
@@ -1090,7 +1100,7 @@ function getToolsList() {
     },
     {
       name: "simulate_change",
-      description: `Simulate an architectural change before touching any code. Returns health score delta, broken imports, and affected nodes. Zero file I/O \u2014 pure in-memory simulation.
+      description: `Simulate an architectural change before touching any code. Returns health score delta, broken imports, and affected nodes. Zero file I/O \u2014 pure in-memory simulation. Cross-language edges included \u2014 deleting a Python route file will show TypeScript callers as affected.
 
 Operations:
 - delete: Simulate deleting a file. Shows every file that would break and the full blast radius.
@@ -1737,6 +1747,10 @@ Available document types:
       continue;
     }
     const filePath = join5(docsDir, metadata.documents[doc].file);
+    if (!resolve3(filePath).startsWith(resolve3(docsDir))) {
+      missing.push(doc);
+      continue;
+    }
     if (!existsSync3(filePath)) {
       missing.push(doc);
       continue;
@@ -1769,7 +1783,7 @@ async function handleUpdateProjectDocs(docType, state) {
   const docsDir = join5(state.projectRoot, ".depwire");
   console.error("Regenerating project documentation...");
   const parsedFiles = await parseProject(state.projectRoot);
-  const graph = buildGraph(parsedFiles);
+  const graph = buildGraph(parsedFiles, state.projectRoot);
   const parseTime = (Date.now() - startTime) / 1e3;
   state.graph = graph;
   const packageJsonPath = join5(__dirname, "../../package.json");

package/dist/index.js

@@ -17,7 +17,7 @@ import {
   stashChanges,
   updateFileInGraph,
   watchProject
-} from "./chunk-B2KGFBZL.js";
+} from "./chunk-VJLBOFCD.js";
 import {
   SimulationEngine,
   analyzeDeadCode,
@@ -31,11 +31,11 @@ import {
   parseProject,
   scanSecurity,
   searchSymbols
-} from "./chunk-YYY5TNG7.js";
+} from "./chunk-ITEGMPF7.js";
 
 // src/index.ts
 import { Command } from "commander";
-import { resolve as resolve3, dirname as dirname4, join as join5 } from "path";
+import { resolve as resolve4, dirname as dirname4, join as join5 } from "path";
 import { writeFileSync, readFileSync as readFileSync3, existsSync } from "fs";
 import { fileURLToPath as fileURLToPath4 } from "url";
 
@@ -231,7 +231,7 @@ import { join as join2 } from "path";
 import express from "express";
 import { readFileSync } from "fs";
 import { fileURLToPath } from "url";
-import { dirname, join } from "path";
+import { dirname, resolve } from "path";
 import open from "open";
 
 // src/viz/temporal-data.ts
@@ -306,10 +306,10 @@ async function findAvailablePort(startPort) {
   const net = await import("net");
   for (let attempt = 0; attempt < 10; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve4) => {
-      const server = net.createServer().once("error", () => resolve4(false)).once("listening", () => {
+    const isAvailable = await new Promise((resolve5) => {
+      const server = net.createServer().once("error", () => resolve5(false)).once("listening", () => {
         server.close();
-        resolve4(true);
+        resolve5(true);
       }).listen(testPort, "127.0.0.1");
     });
     if (isAvailable) {
@@ -325,19 +325,22 @@ async function startTemporalServer(snapshots, projectRoot, preferredPort = 3334)
   app.get("/api/data", (_req, res) => {
     res.json(vizData);
   });
-  const publicDir = join(__dirname, "viz", "public");
+  const publicDir = resolve(__dirname, "viz", "public");
   app.get("/", (_req, res) => {
-    const htmlPath = join(publicDir, "temporal.html");
+    const htmlPath = resolve(publicDir, "temporal.html");
+    if (!htmlPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const html = readFileSync(htmlPath, "utf-8");
     res.send(html);
   });
   app.get("/temporal.js", (_req, res) => {
-    const jsPath = join(publicDir, "temporal.js");
+    const jsPath = resolve(publicDir, "temporal.js");
+    if (!jsPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const js = readFileSync(jsPath, "utf-8");
     res.type("application/javascript").send(js);
   });
   app.get("/temporal.css", (_req, res) => {
-    const cssPath = join(publicDir, "temporal.css");
+    const cssPath = resolve(publicDir, "temporal.css");
+    if (!cssPath.startsWith(publicDir)) return res.status(403).send("Forbidden");
     const css = readFileSync(cssPath, "utf-8");
     res.type("text/css").send(css);
   });
@@ -350,13 +353,13 @@ async function startTemporalServer(snapshots, projectRoot, preferredPort = 3334)
       console.log("  (Could not open browser automatically)");
     });
   });
-  await new Promise((resolve4, reject) => {
+  await new Promise((resolve5, reject) => {
     server.on("error", reject);
     process.on("SIGINT", () => {
       console.log("\n\nShutting down temporal server...");
       server.close(() => {
         console.log("Server stopped");
-        resolve4();
+        resolve5();
         process.exit(0);
       });
     });
@@ -407,7 +410,7 @@ async function runTemporalAnalysis(projectDir, options) {
       }
       await checkoutCommit(projectDir, commit.hash);
       const parsedFiles = await parseProject(projectDir);
-      const graph = buildGraph(parsedFiles);
+      const graph = buildGraph(parsedFiles, projectDir);
       const projectGraph = exportToJSON(graph, projectDir);
       const snapshot = createSnapshot(
         projectGraph,
@@ -501,7 +504,7 @@ async function trackCommand(command, version = "unknown") {
 }
 
 // src/commands/whatif.ts
-import { resolve } from "path";
+import { resolve as resolve2 } from "path";
 import chalk from "chalk";
 
 // src/viz/whatif-server.ts
@@ -690,14 +693,14 @@ async function findAvailablePort2(startPort, maxAttempts = 10) {
   const net = await import("net");
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
     const testPort = startPort + attempt;
-    const isAvailable = await new Promise((resolve4) => {
+    const isAvailable = await new Promise((resolve5) => {
       const server = net.createServer();
       server.once("error", () => {
-        resolve4(false);
+        resolve5(false);
       });
       server.once("listening", () => {
         server.close();
-        resolve4(true);
+        resolve5(true);
       });
       server.listen(testPort, "127.0.0.1");
     });
@@ -752,10 +755,10 @@ Opening What If UI at ${url}`);
 // src/commands/whatif.ts
 async function whatif(dir, options) {
   if (!options.simulate) {
-    const projectRoot2 = dir === "." ? findProjectRoot() : resolve(dir);
+    const projectRoot2 = dir === "." ? findProjectRoot() : resolve2(dir);
     console.error(`Parsing project: ${projectRoot2}`);
     const parsedFiles2 = await parseProject(projectRoot2);
-    const graph2 = buildGraph(parsedFiles2);
+    const graph2 = buildGraph(parsedFiles2, projectRoot2);
     console.error(`Built graph: ${graph2.order} symbols, ${graph2.size} edges`);
     const vizData = prepareVizData(graph2, projectRoot2);
     const emptyResult = {
@@ -778,10 +781,10 @@ async function whatif(dir, options) {
     process.exit(1);
   }
   const action = buildAction(options);
-  const projectRoot = dir === "." ? findProjectRoot() : resolve(dir);
+  const projectRoot = dir === "." ? findProjectRoot() : resolve2(dir);
   console.error(`Parsing project: ${projectRoot}`);
   const parsedFiles = await parseProject(projectRoot);
-  const graph = buildGraph(parsedFiles);
+  const graph = buildGraph(parsedFiles, projectRoot);
   console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
   console.error("");
   const engine = new SimulationEngine(graph);
@@ -889,7 +892,7 @@ function formatAction(action) {
 }
 
 // src/commands/security.ts
-import { resolve as resolve2, dirname as dirname3, join as join4 } from "path";
+import { resolve as resolve3, dirname as dirname3, join as join4 } from "path";
 import { readFileSync as readFileSync2 } from "fs";
 import { fileURLToPath as fileURLToPath3 } from "url";
 
@@ -1031,12 +1034,12 @@ function getVersion() {
 }
 var SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
 async function securityCommand(dir, options) {
-  const projectRoot = dir === "." ? findProjectRoot() : resolve2(dir);
+  const projectRoot = dir === "." ? findProjectRoot() : resolve3(dir);
   console.error(`Scanning: ${projectRoot}`);
   const startTime = Date.now();
   const parsedFiles = await parseProject(projectRoot);
   console.error(`Parsed ${parsedFiles.length} files`);
-  const graph = buildGraph(parsedFiles);
+  const graph = buildGraph(parsedFiles, projectRoot);
   console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
   const result = await scanSecurity(projectRoot, graph, {
     target: options.target,
@@ -1079,14 +1082,14 @@ program.command("parse").description("Parse a TypeScript project and build depen
   trackCommand("parse", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
       verbose: options.verbose
     });
     console.log(`Parsed ${parsedFiles.length} files`);
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     const projectGraph = exportToJSON(graph, projectRoot);
     const json = options.pretty ? JSON.stringify(projectGraph, null, 2) : JSON.stringify(projectGraph);
     writeFileSync(options.output, json, "utf-8");
@@ -1118,8 +1121,8 @@ Orphan Files (no cross-references): ${summary.orphanFiles.length}`);
 program.command("query").description("Query impact analysis for a symbol").argument("<directory>", "Project directory").argument("<symbol-name>", "Symbol name to query").action(async (directory, symbolName) => {
   trackCommand("query", packageJson.version);
   try {
-    const projectRoot = resolve3(directory);
-    const cacheFile = "depwire-output.json";
+    const projectRoot = resolve4(directory);
+    const cacheFile = resolve4("depwire-output.json");
     let graph;
     if (existsSync(cacheFile)) {
       console.log("Loading from cache...");
@@ -1128,7 +1131,7 @@ program.command("query").description("Query impact analysis for a symbol").argum
     } else {
       console.log("Parsing project...");
       const parsedFiles = await parseProject(projectRoot);
-      graph = buildGraph(parsedFiles);
+      graph = buildGraph(parsedFiles, projectRoot);
     }
     const matches = searchSymbols(graph, symbolName);
     if (matches.length === 0) {
@@ -1167,14 +1170,14 @@ Total Transitive Dependents: ${impact.transitiveDependents.length}`);
 program.command("viz").description("Launch interactive arc diagram visualization").argument("[directory]", "Project directory to visualize (defaults to current directory or auto-detected project root)").option("-p, --port <number>", "Server port", "3333").option("--no-open", "Don't auto-open browser").option("--exclude <patterns...>", 'Glob patterns to exclude (e.g., "**/*.test.*" "dist/**")').option("--verbose", "Show detailed parsing progress").action(async (directory, options) => {
   trackCommand("viz", packageJson.version);
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     console.log(`Parsing project: ${projectRoot}`);
     const parsedFiles = await parseProject(projectRoot, {
       exclude: options.exclude,
       verbose: options.verbose
     });
     console.log(`Parsed ${parsedFiles.length} files`);
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     const vizData = prepareVizData(graph, projectRoot);
     console.log(`Found ${vizData.stats.totalSymbols} symbols, ${vizData.stats.totalCrossFileEdges} cross-file edges`);
     const port = parseInt(options.port, 10);
@@ -1190,7 +1193,7 @@ program.command("viz").description("Launch interactive arc diagram visualization
 program.command("temporal").description("Visualize how the dependency graph evolved over git history").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--commits <number>", "Number of commits to sample", "20").option("--strategy <type>", "Sampling strategy: even, weekly, monthly", "even").option("-p, --port <number>", "Server port", "3334").option("--output <path>", "Save snapshots to custom path (default: .depwire/temporal/)").option("--verbose", "Show progress for each commit being parsed").option("--stats", "Show summary statistics at end").action(async (directory, options) => {
   trackCommand("temporal", packageJson.version);
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     await runTemporalAnalysis(projectRoot, {
       commits: parseInt(options.commits, 10),
       strategy: options.strategy,
@@ -1210,7 +1213,7 @@ program.command("mcp").description("Start MCP server for AI coding tools").argum
     const state = createEmptyState();
     let projectRootToConnect = null;
     if (directory) {
-      projectRootToConnect = resolve3(directory);
+      projectRootToConnect = resolve4(directory);
     } else {
       const detectedRoot = findProjectRoot();
       const cwd = process.cwd();
@@ -1222,7 +1225,7 @@ program.command("mcp").description("Start MCP server for AI coding tools").argum
       console.error(`Parsing project: ${projectRootToConnect}`);
       const parsedFiles = await parseProject(projectRootToConnect);
       console.error(`Parsed ${parsedFiles.length} files`);
-      const graph = buildGraph(parsedFiles);
+      const graph = buildGraph(parsedFiles, projectRootToConnect);
       console.error(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
       state.graph = graph;
       state.projectRoot = projectRootToConnect;
@@ -1271,8 +1274,8 @@ program.command("docs").description("Generate comprehensive codebase documentati
   trackCommand("docs", packageJson.version);
   const startTime = Date.now();
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
-    const outputDir = options.output ? resolve3(options.output) : join5(projectRoot, ".depwire");
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
+    const outputDir = options.output ? resolve4(options.output) : join5(projectRoot, ".depwire");
     const includeList = options.include.split(",").map((s) => s.trim());
     const onlyList = options.only ? options.only.split(",").map((s) => s.trim()) : void 0;
     if (options.gitignore === void 0 && !existsSyncNode(outputDir)) {
@@ -1289,7 +1292,7 @@ program.command("docs").description("Generate comprehensive codebase documentati
       verbose: options.verbose
     });
     console.log(`Parsed ${parsedFiles.length} files`);
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     const parseTime = (Date.now() - startTime) / 1e3;
     console.log(`Built graph: ${graph.order} symbols, ${graph.size} edges`);
     if (options.verbose) {
@@ -1334,11 +1337,11 @@ async function promptGitignore() {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     rl.question("Add .depwire/ to .gitignore? [Y/n] ", (answer) => {
       rl.close();
       const normalized = answer.trim().toLowerCase();
-      resolve4(normalized === "" || normalized === "y" || normalized === "yes");
+      resolve5(normalized === "" || normalized === "y" || normalized === "yes");
     });
   });
 }
@@ -1368,10 +1371,10 @@ ${pattern}
 program.command("health").description("Analyze dependency architecture health (0-100 score)").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--json", "Output as JSON").option("--verbose", "Show detailed breakdown").action(async (directory, options) => {
   trackCommand("health", packageJson.version);
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     const parseTime = Date.now() - startTime;
     const report = calculateHealthScore(graph, projectRoot);
     const trend = getHealthTrend(projectRoot, report.overall);
@@ -1392,10 +1395,10 @@ program.command("health").description("Analyze dependency architecture health (0
 program.command("dead-code").description("Identify dead code - symbols defined but never referenced").argument("[directory]", "Project directory to analyze (defaults to current directory or auto-detected project root)").option("--confidence <level>", "Minimum confidence level to show: high, medium, low (default: medium)", "medium").option("--json", "Output as JSON (for CI/automation)").option("--verbose", "Show detailed info for each dead symbol").option("--stats", "Show summary statistics").option("--include-tests", "Include test files in analysis").option("--include-low", "Shortcut for --confidence low").option("--debug", "Show debug information (exclusion stats)").action(async (directory, options) => {
   trackCommand("dead-code", packageJson.version);
   try {
-    const projectRoot = directory ? resolve3(directory) : findProjectRoot();
+    const projectRoot = directory ? resolve4(directory) : findProjectRoot();
     const startTime = Date.now();
     const parsedFiles = await parseProject(projectRoot);
-    const graph = buildGraph(parsedFiles);
+    const graph = buildGraph(parsedFiles, projectRoot);
     const confidence = options.includeLow ? "low" : options.confidence || "medium";
     const report = analyzeDeadCode(graph, projectRoot, {
       confidence,

package/dist/mcpb-entry.js

@@ -4,11 +4,11 @@ import {
   startMcpServer,
   updateFileInGraph,
   watchProject
-} from "./chunk-B2KGFBZL.js";
+} from "./chunk-VJLBOFCD.js";
 import {
   buildGraph,
   parseProject
-} from "./chunk-YYY5TNG7.js";
+} from "./chunk-ITEGMPF7.js";
 
 // src/mcpb-entry.ts
 import { resolve } from "path";
@@ -21,7 +21,7 @@ async function main() {
       console.error(`[MCPB] Parsing project: ${projectRoot}`);
       const parsedFiles = await parseProject(projectRoot);
       console.error(`[MCPB] Parsed ${parsedFiles.length} files`);
-      const graph = buildGraph(parsedFiles);
+      const graph = buildGraph(parsedFiles, projectRoot);
       console.error(`[MCPB] Built graph: ${graph.order} symbols, ${graph.size} edges`);
       state.graph = graph;
       state.projectRoot = projectRoot;

package/dist/sdk.d.ts

@@ -36,7 +36,7 @@ declare function parseProject(projectRoot: string, options?: {
     verbose?: boolean;
 }): Promise<ParsedFile[]>;
 
-declare function buildGraph(parsedFiles: ParsedFile[]): DirectedGraph;
+declare function buildGraph(parsedFiles: ParsedFile[], projectRoot?: string): DirectedGraph;
 
 /**
  * Health Score Type Definitions
@@ -270,6 +270,35 @@ interface SecurityScanOptions {
 
 declare function scanSecurity(projectRoot: string, graph: DirectedGraph, options?: SecurityScanOptions): Promise<SecurityScanResult>;
 
+type CrossLanguageEdgeType = 'rest-api' | 'subprocess';
+interface CrossLanguageEdge {
+    sourceFile: string;
+    targetFile: string;
+    edgeType: CrossLanguageEdgeType;
+    confidence: 'high' | 'medium' | 'low';
+    sourceLanguage: string;
+    targetLanguage: string;
+    sourceLine?: number;
+    targetLine?: number;
+    metadata: {
+        httpMethod?: string;
+        path?: string;
+        command?: string;
+        calledFile?: string;
+    };
+}
+interface CrossLanguageDetectionResult {
+    edges: CrossLanguageEdge[];
+    stats: {
+        restApiEdges: number;
+        subprocessEdges: number;
+        filesAnalyzed: number;
+        detectionTimeMs: number;
+    };
+}
+
+declare function detectCrossLanguageEdges(files: ParsedFile[], projectRoot: string, graph: DirectedGraph): CrossLanguageDetectionResult;
+
 /**
  * depwire-cli SDK — Public API Surface
  *
@@ -282,4 +311,4 @@ declare function scanSecurity(projectRoot: string, graph: DirectedGraph, options
 /** Current SDK version — matches depwire-cli npm version */
 declare const DepwireSDKVersion: string;
 
-export { type BrokenImport, DepwireSDKVersion, type GraphDiff, type HealthDelta, type SecurityFinding, type SecurityScanOptions, type SecurityScanResult, type Severity, type SimulationAction, SimulationEngine, type SimulationResult, type VulnerabilityClass, analyzeDeadCode, buildGraph, calculateHealthScore, generateDocs, getArchitectureSummary, getImpact, parseProject, scanSecurity, searchSymbols };
+export { type BrokenImport, type CrossLanguageDetectionResult, type CrossLanguageEdge, DepwireSDKVersion, type GraphDiff, type HealthDelta, type SecurityFinding, type SecurityScanOptions, type SecurityScanResult, type Severity, type SimulationAction, SimulationEngine, type SimulationResult, type VulnerabilityClass, analyzeDeadCode, buildGraph, calculateHealthScore, detectCrossLanguageEdges, generateDocs, getArchitectureSummary, getImpact, parseProject, scanSecurity, searchSymbols };

package/dist/sdk.js

@@ -3,13 +3,14 @@ import {
   analyzeDeadCode,
   buildGraph,
   calculateHealthScore,
+  detectCrossLanguageEdges,
   generateDocs,
   getArchitectureSummary,
   getImpact,
   parseProject,
   scanSecurity,
   searchSymbols
-} from "./chunk-YYY5TNG7.js";
+} from "./chunk-ITEGMPF7.js";
 
 // src/sdk.ts
 import { readFileSync } from "fs";
@@ -25,6 +26,7 @@ export {
   analyzeDeadCode,
   buildGraph,
   calculateHealthScore,
+  detectCrossLanguageEdges,
   generateDocs,
   getArchitectureSummary,
   getImpact,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "depwire-cli",
-  "version": "0.9.26",
-  "description": "Dependency graph + 16 MCP tools for AI coding assistants. Impact analysis, health scoring, visualization.",
+  "version": "0.9.28",
+  "description": "Dependency graph + 17 MCP tools for AI coding assistants. Impact analysis, health scoring, security scanner.",
   "type": "module",
   "bin": {
     "depwire": "dist/index.js"
@@ -63,16 +63,16 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.26.0",
-    "chalk": "^5.6.2",
+    "chalk": "5.6.2",
     "chokidar": "5.0.0",
     "commander": "14.0.3",
     "express": "5.2.1",
     "graphology": "0.26.0",
     "graphology-types": "0.24.8",
-    "minimatch": "^10.2.4",
+    "minimatch": "10.2.4",
     "open": "11.0.0",
-    "simple-git": "^3.35.2",
-    "web-tree-sitter": "^0.26.6",
+    "simple-git": "3.35.2",
+    "web-tree-sitter": "0.26.6",
     "ws": "8.19.0",
     "zod": "4.3.6"
   },