depwire-cli 1.0.7 → 1.0.8

package/dist/{chunk-SLGC72RW.js → chunk-WLKW7X7G.js}

@@ -36,8 +36,9 @@ function scanDirectory(rootDir, baseDir = rootDir) {
         const isCSharp = entry.endsWith(".cs") || entry.endsWith(".csx") || entry.endsWith(".csproj");
         const isJava = entry.endsWith(".java") || entry === "pom.xml" || entry === "build.gradle" || entry === "build.gradle.kts";
         const isKotlin = entry.endsWith(".kt") || entry.endsWith(".kts") || entry === "settings.gradle.kts" || entry === "settings.gradle";
+        const isPhp = entry.endsWith(".php");
         const isCppBuild = entry === "CMakeLists.txt" || entry === "conanfile.txt" || entry === "vcpkg.json";
-        if (isTypeScript || isJavaScript || isPython || isGo || isRust || isC || isCpp || isCSharp || isJava || isKotlin || isCppBuild) {
+        if (isTypeScript || isJavaScript || isPython || isGo || isRust || isC || isCpp || isCSharp || isJava || isKotlin || isPhp || isCppBuild) {
           files.push(relative(rootDir, fullPath));
         }
       }
@@ -81,6 +82,8 @@ function findProjectRoot(startDir = process.cwd()) {
     // Java (Gradle)
     "build.gradle.kts",
     // Kotlin (Gradle KTS)
+    "composer.json",
+    // PHP
     ".git"
     // Any git repo
   ];
@@ -114,11 +117,11 @@ function findProjectRoot(startDir = process.cwd()) {
 }
 
 // src/parser/index.ts
-import { readFileSync as readFileSync9, statSync as statSync6 } from "fs";
-import { join as join12, resolve as resolve6 } from "path";
+import { readFileSync as readFileSync10, statSync as statSync7 } from "fs";
+import { join as join13, resolve as resolve7 } from "path";
 
 // src/parser/detect.ts
-import { extname as extname7, basename as basename5 } from "path";
+import { extname as extname8, basename as basename6 } from "path";
 
 // src/parser/wasm-init.ts
 import { Parser, Language } from "web-tree-sitter";
@@ -149,7 +152,8 @@ async function initParser() {
     "c_sharp": "tree-sitter-c_sharp.wasm",
     "java": "tree-sitter-java.wasm",
     "cpp": "tree-sitter-cpp.wasm",
-    "kotlin": "tree-sitter-kotlin.wasm"
+    "kotlin": "tree-sitter-kotlin.wasm",
+    "php": "tree-sitter-php.wasm"
   };
   for (const [name, file] of Object.entries(grammarFiles)) {
     const wasmPath = path.join(grammarsDir, file);
@@ -5549,7 +5553,611 @@ function resolveKotlinImport(importPath, currentFile, projectRoot) {
   }
   return null;
 }
-function resolveSymbol9(name, context) {
+function resolveSymbol9(name, context) {
+  if (context.imports.has(name)) {
+    return context.imports.get(name) || null;
+  }
+  const currentFileId = `${context.filePath}::${name}`;
+  if (context.symbols.find((s) => s.id === currentFileId)) {
+    return currentFileId;
+  }
+  if (context.currentClass) {
+    const classMethodId = `${context.filePath}::${context.currentClass}.${name}`;
+    if (context.symbols.find((s) => s.id === classMethodId)) {
+      return classMethodId;
+    }
+  }
+  return null;
+}
+function getModifiers(node, context) {
+  const modifiers = [];
+  const modList = findChildByType10(node, "modifiers");
+  if (modList) {
+    for (let i = 0; i < modList.childCount; i++) {
+      const child = modList.child(i);
+      if (child) {
+        const text = nodeText9(child, context).trim();
+        if (text) modifiers.push(text);
+      }
+    }
+  }
+  return modifiers;
+}
+function extractTypeName5(node, context) {
+  const text = nodeText9(node, context).trim();
+  if (!text || text === "," || text === ":") return null;
+  let name = text;
+  const angleBracketIdx = name.indexOf("<");
+  if (angleBracketIdx > 0) name = name.substring(0, angleBracketIdx);
+  const parenIdx = name.indexOf("(");
+  if (parenIdx > 0) name = name.substring(0, parenIdx);
+  const dotIdx = name.lastIndexOf(".");
+  name = dotIdx >= 0 ? name.substring(dotIdx + 1) : name;
+  return name.trim() || null;
+}
+function findChildByType10(node, type) {
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (child && child.type === type) return child;
+  }
+  return null;
+}
+function findChildrenByType4(node, type) {
+  const results = [];
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (child && child.type === type) results.push(child);
+  }
+  return results;
+}
+function findDescendantByTypes2(node, types) {
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (!child) continue;
+    if (types.includes(child.type)) return child;
+    const found = findDescendantByTypes2(child, types);
+    if (found) return found;
+  }
+  return null;
+}
+function nodeText9(node, context) {
+  return context.sourceCode.substring(node.startIndex, node.endIndex);
+}
+function getCurrentSymbolId10(context) {
+  if (context.currentScope.length === 0) return null;
+  return `${context.filePath}::${context.currentScope[context.currentScope.length - 1]}`;
+}
+var kotlinParser = {
+  name: "kotlin",
+  extensions: [".kt", ".kts", "build.gradle.kts", "settings.gradle.kts", "settings.gradle"],
+  parseFile: parseKotlinFile
+};
+
+// src/parser/php.ts
+import { dirname as dirname11, join as join12 } from "path";
+import { existsSync as existsSync12 } from "fs";
+function parsePhpFile(filePath, sourceCode, projectRoot) {
+  const parser = getParser("php");
+  const tree = parser.parse(sourceCode, null, { bufferSize: 1024 * 1024 });
+  const context = {
+    filePath,
+    projectRoot,
+    sourceCode,
+    symbols: [],
+    edges: [],
+    currentScope: [],
+    currentClass: null,
+    currentNamespace: null,
+    imports: /* @__PURE__ */ new Map()
+  };
+  walkNode11(tree.rootNode, context);
+  return {
+    filePath,
+    symbols: context.symbols,
+    edges: context.edges
+  };
+}
+var SCOPE_TYPES = /* @__PURE__ */ new Set([
+  "class_declaration",
+  "interface_declaration",
+  "trait_declaration",
+  "enum_declaration",
+  "function_definition",
+  "method_declaration"
+]);
+function walkNode11(node, context) {
+  processNode11(node, context);
+  if (SCOPE_TYPES.has(node.type)) return;
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (child) {
+      walkNode11(child, context);
+    }
+  }
+}
+function processNode11(node, context) {
+  switch (node.type) {
+    case "namespace_definition":
+      processNamespaceDefinition2(node, context);
+      break;
+    case "namespace_use_declaration":
+      processUseDeclaration2(node, context);
+      break;
+    case "class_declaration":
+      processClassDeclaration6(node, context);
+      break;
+    case "interface_declaration":
+      processInterfaceDeclaration4(node, context);
+      break;
+    case "trait_declaration":
+      processTraitDeclaration(node, context);
+      break;
+    case "enum_declaration":
+      processEnumDeclaration4(node, context);
+      break;
+    case "function_definition":
+      processFunctionDefinition4(node, context);
+      break;
+    case "method_declaration":
+      processMethodDeclaration4(node, context);
+      break;
+    case "property_declaration":
+      processPropertyDeclaration3(node, context);
+      break;
+    case "const_declaration":
+      processConstDeclaration2(node, context);
+      break;
+    case "function_call_expression":
+      processCallExpression11(node, context);
+      break;
+    case "member_call_expression":
+      processMemberCallExpression(node, context);
+      break;
+    case "scoped_call_expression":
+      processScopedCallExpression(node, context);
+      break;
+    case "include_expression":
+    case "include_once_expression":
+    case "require_expression":
+    case "require_once_expression":
+      processIncludeRequire(node, context);
+      break;
+  }
+}
+function processNamespaceDefinition2(node, context) {
+  const nameNode = findChildByType11(node, "namespace_name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const symbolId = `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "module",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true
+  });
+  context.currentNamespace = name;
+}
+function processUseDeclaration2(node, context) {
+  const clauses = findChildrenByType5(node, "namespace_use_clause");
+  for (const clause of clauses) {
+    const nameNode = findChildByType11(clause, "namespace_name") || findChildByType11(clause, "qualified_name");
+    if (!nameNode) continue;
+    const importPath = nodeText10(nameNode, context);
+    const aliasNode = findChildByType11(clause, "namespace_aliasing_clause");
+    const alias = aliasNode ? nodeText10(findChildByType11(aliasNode, "name") || aliasNode, context).trim() : null;
+    const parts = importPath.split("\\");
+    const simpleName = alias || parts[parts.length - 1];
+    const resolvedPath = resolvePhpImport(importPath, context.filePath, context.projectRoot);
+    if (resolvedPath) {
+      const sourceId = `${context.filePath}::__file__`;
+      const targetId = `${resolvedPath}::__file__`;
+      context.edges.push({
+        source: sourceId,
+        target: targetId,
+        kind: "imports",
+        filePath: context.filePath,
+        line: node.startPosition.row + 1
+      });
+      context.imports.set(simpleName, `${resolvedPath}::${parts[parts.length - 1]}`);
+    }
+    const symbolId = `${context.filePath}::import:${importPath}`;
+    context.symbols.push({
+      id: symbolId,
+      name: importPath,
+      kind: "import",
+      filePath: context.filePath,
+      startLine: node.startPosition.row + 1,
+      endLine: node.endPosition.row + 1,
+      exported: false
+    });
+  }
+}
+function processClassDeclaration6(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const symbolId = `${context.filePath}::${name}`;
+  const text = nodeText10(node, context);
+  const isAbstract = text.trimStart().startsWith("abstract");
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "class",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true,
+    scope: context.currentClass || void 0
+  });
+  const baseClause = findChildByType11(node, "base_clause");
+  if (baseClause) {
+    const baseName = extractQualifiedName(baseClause, context);
+    if (baseName) {
+      const baseId = resolveSymbol10(baseName, context);
+      if (baseId) {
+        context.edges.push({
+          source: symbolId,
+          target: baseId,
+          kind: "inherits",
+          filePath: context.filePath,
+          line: node.startPosition.row + 1
+        });
+      }
+    }
+  }
+  const interfaceClause = findChildByType11(node, "class_interface_clause");
+  if (interfaceClause) {
+    const names = findChildrenByType5(interfaceClause, "name");
+    const qualifiedNames = findChildrenByType5(interfaceClause, "qualified_name");
+    for (const n of [...names, ...qualifiedNames]) {
+      const ifaceName = nodeText10(n, context).trim();
+      if (ifaceName && ifaceName !== ",") {
+        const ifaceId = resolveSymbol10(ifaceName, context);
+        if (ifaceId) {
+          context.edges.push({
+            source: symbolId,
+            target: ifaceId,
+            kind: "implements",
+            filePath: context.filePath,
+            line: node.startPosition.row + 1
+          });
+        }
+      }
+    }
+  }
+  const oldClass = context.currentClass;
+  context.currentClass = name;
+  context.currentScope.push(name);
+  const body = findChildByType11(node, "declaration_list");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+  context.currentClass = oldClass;
+}
+function processInterfaceDeclaration4(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const symbolId = `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "interface",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true,
+    scope: context.currentClass || void 0
+  });
+  const oldClass = context.currentClass;
+  context.currentClass = name;
+  context.currentScope.push(name);
+  const body = findChildByType11(node, "declaration_list");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+  context.currentClass = oldClass;
+}
+function processTraitDeclaration(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const symbolId = `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "class",
+    // Traits map to class kind
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true,
+    scope: context.currentClass || void 0
+  });
+  const oldClass = context.currentClass;
+  context.currentClass = name;
+  context.currentScope.push(name);
+  const body = findChildByType11(node, "declaration_list");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+  context.currentClass = oldClass;
+}
+function processEnumDeclaration4(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const symbolId = `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "enum",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true
+  });
+  const oldClass = context.currentClass;
+  context.currentClass = name;
+  context.currentScope.push(name);
+  const body = findChildByType11(node, "declaration_list");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+  context.currentClass = oldClass;
+}
+function processFunctionDefinition4(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const scope = context.currentClass || void 0;
+  const symbolId = scope ? `${context.filePath}::${scope}.${name}` : `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "function",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported: true,
+    scope
+  });
+  const scopeName = scope ? `${scope}.${name}` : name;
+  context.currentScope.push(scopeName);
+  const body = findChildByType11(node, "compound_statement");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+}
+function processMethodDeclaration4(node, context) {
+  const nameNode = findChildByType11(node, "name");
+  if (!nameNode) return;
+  const name = nodeText10(nameNode, context);
+  const modifiers = getModifiers2(node, context);
+  const exported = !modifiers.includes("private");
+  const scope = context.currentClass || void 0;
+  const symbolId = scope ? `${context.filePath}::${scope}.${name}` : `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "method",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported,
+    scope
+  });
+  const scopeName = scope ? `${scope}.${name}` : name;
+  context.currentScope.push(scopeName);
+  const body = findChildByType11(node, "compound_statement");
+  if (body) {
+    walkNode11(body, context);
+  }
+  context.currentScope.pop();
+}
+function processPropertyDeclaration3(node, context) {
+  const varNode = findDescendantByTypes3(node, ["variable_name"]);
+  if (!varNode) return;
+  const name = nodeText10(varNode, context).replace(/^\$/, "");
+  const modifiers = getModifiers2(node, context);
+  const exported = !modifiers.includes("private");
+  const scope = context.currentClass || void 0;
+  const symbolId = scope ? `${context.filePath}::${scope}.${name}` : `${context.filePath}::${name}`;
+  context.symbols.push({
+    id: symbolId,
+    name,
+    kind: "property",
+    filePath: context.filePath,
+    startLine: node.startPosition.row + 1,
+    endLine: node.endPosition.row + 1,
+    exported,
+    scope
+  });
+}
+function processConstDeclaration2(node, context) {
+  const elements = findChildrenByType5(node, "const_element");
+  for (const elem of elements) {
+    const nameNode = findChildByType11(elem, "name");
+    if (!nameNode) continue;
+    const name = nodeText10(nameNode, context);
+    const scope = context.currentClass || void 0;
+    const symbolId = scope ? `${context.filePath}::${scope}.${name}` : `${context.filePath}::${name}`;
+    context.symbols.push({
+      id: symbolId,
+      name,
+      kind: "constant",
+      filePath: context.filePath,
+      startLine: elem.startPosition.row + 1,
+      endLine: elem.endPosition.row + 1,
+      exported: true,
+      scope
+    });
+  }
+}
+function processCallExpression11(node, context) {
+  if (context.currentScope.length === 0) return;
+  const firstChild = node.child(0);
+  if (!firstChild) return;
+  let calleeName = null;
+  if (firstChild.type === "name") {
+    calleeName = nodeText10(firstChild, context);
+  } else if (firstChild.type === "qualified_name") {
+    const parts = nodeText10(firstChild, context).split("\\");
+    calleeName = parts[parts.length - 1];
+  }
+  if (!calleeName) return;
+  const builtins = /* @__PURE__ */ new Set([
+    "echo",
+    "print",
+    "var_dump",
+    "print_r",
+    "isset",
+    "unset",
+    "empty",
+    "array",
+    "list",
+    "count",
+    "strlen",
+    "strpos",
+    "substr",
+    "explode",
+    "implode",
+    "array_map",
+    "array_filter",
+    "array_merge",
+    "array_push",
+    "array_pop",
+    "array_shift",
+    "array_unshift",
+    "array_keys",
+    "array_values",
+    "in_array",
+    "json_encode",
+    "json_decode",
+    "sprintf",
+    "printf",
+    "is_array",
+    "is_string",
+    "is_int",
+    "is_null",
+    "is_bool",
+    "intval",
+    "floatval",
+    "strval",
+    "boolval",
+    "trim",
+    "ltrim",
+    "rtrim",
+    "strtolower",
+    "strtoupper",
+    "str_replace",
+    "preg_match",
+    "preg_replace",
+    "file_exists",
+    "is_file",
+    "is_dir",
+    "dirname",
+    "basename",
+    "date",
+    "time",
+    "strtotime",
+    "compact",
+    "extract",
+    "defined",
+    "define",
+    "class_exists",
+    "function_exists",
+    "throw",
+    "die",
+    "exit"
+  ]);
+  if (builtins.has(calleeName)) return;
+  const callerId = getCurrentSymbolId11(context);
+  if (!callerId) return;
+  const calleeId = resolveSymbol10(calleeName, context);
+  if (calleeId) {
+    context.edges.push({
+      source: callerId,
+      target: calleeId,
+      kind: "calls",
+      filePath: context.filePath,
+      line: node.startPosition.row + 1
+    });
+  }
+}
+function processMemberCallExpression(node, context) {
+}
+function processScopedCallExpression(node, context) {
+}
+function processIncludeRequire(node, context) {
+  const text = nodeText10(node, context);
+  const pathMatch = text.match(/['"]([^'"]+)['"]/);
+  if (!pathMatch) return;
+  const includePath = pathMatch[1];
+  const resolvedPath = resolvePhpInclude(includePath, context.filePath, context.projectRoot);
+  if (resolvedPath) {
+    const sourceId = `${context.filePath}::__file__`;
+    const targetId = `${resolvedPath}::__file__`;
+    context.edges.push({
+      source: sourceId,
+      target: targetId,
+      kind: "imports",
+      filePath: context.filePath,
+      line: node.startPosition.row + 1
+    });
+  }
+}
+function resolvePhpImport(importPath, currentFile, projectRoot) {
+  const parts = importPath.split("\\");
+  const filePath = parts.join("/") + ".php";
+  const sourceRoots = [
+    "",
+    "src",
+    "app",
+    "lib",
+    "includes",
+    "wp-content/plugins",
+    "wp-content/themes"
+  ];
+  for (const root of sourceRoots) {
+    const candidate = root ? join12(root, filePath) : filePath;
+    const fullPath = join12(projectRoot, candidate);
+    if (existsSync12(fullPath)) {
+      return candidate;
+    }
+    const loweredParts = [...parts];
+    loweredParts[0] = loweredParts[0].toLowerCase();
+    const loweredFilePath = loweredParts.join("/") + ".php";
+    const loweredCandidate = root ? join12(root, loweredFilePath) : loweredFilePath;
+    const loweredFullPath = join12(projectRoot, loweredCandidate);
+    if (existsSync12(loweredFullPath)) {
+      return loweredCandidate;
+    }
+  }
+  return null;
+}
+function resolvePhpInclude(includePath, currentFile, projectRoot) {
+  const currentDir = dirname11(join12(projectRoot, currentFile));
+  const relativePath = join12(currentDir, includePath);
+  const relativeToRoot = relativePath.replace(projectRoot + "/", "");
+  if (existsSync12(relativePath)) {
+    return relativeToRoot;
+  }
+  const fromRoot = join12(projectRoot, includePath);
+  if (existsSync12(fromRoot)) {
+    return includePath;
+  }
+  return null;
+}
+function resolveSymbol10(name, context) {
   if (context.imports.has(name)) {
     return context.imports.get(name) || null;
   }
@@ -5565,40 +6173,34 @@ function resolveSymbol9(name, context) {
   }
   return null;
 }
-function getModifiers(node, context) {
+function getModifiers2(node, context) {
   const modifiers = [];
-  const modList = findChildByType10(node, "modifiers");
-  if (modList) {
-    for (let i = 0; i < modList.childCount; i++) {
-      const child = modList.child(i);
-      if (child) {
-        const text = nodeText9(child, context).trim();
-        if (text) modifiers.push(text);
-      }
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (!child) continue;
+    const type = child.type;
+    if (type === "visibility_modifier" || type === "static_modifier" || type === "abstract_modifier" || type === "final_modifier" || type === "readonly_modifier") {
+      modifiers.push(nodeText10(child, context).trim());
     }
   }
   return modifiers;
 }
-function extractTypeName5(node, context) {
-  const text = nodeText9(node, context).trim();
-  if (!text || text === "," || text === ":") return null;
-  let name = text;
-  const angleBracketIdx = name.indexOf("<");
-  if (angleBracketIdx > 0) name = name.substring(0, angleBracketIdx);
-  const parenIdx = name.indexOf("(");
-  if (parenIdx > 0) name = name.substring(0, parenIdx);
-  const dotIdx = name.lastIndexOf(".");
-  name = dotIdx >= 0 ? name.substring(dotIdx + 1) : name;
-  return name.trim() || null;
+function extractQualifiedName(node, context) {
+  const nameNode = findDescendantByTypes3(node, ["name", "qualified_name", "namespace_name"]);
+  if (!nameNode) return null;
+  const text = nodeText10(nameNode, context).trim();
+  if (!text) return null;
+  const parts = text.split("\\");
+  return parts[parts.length - 1];
 }
-function findChildByType10(node, type) {
+function findChildByType11(node, type) {
   for (let i = 0; i < node.childCount; i++) {
     const child = node.child(i);
     if (child && child.type === type) return child;
   }
   return null;
 }
-function findChildrenByType4(node, type) {
+function findChildrenByType5(node, type) {
   const results = [];
   for (let i = 0; i < node.childCount; i++) {
     const child = node.child(i);
@@ -5606,27 +6208,27 @@ function findChildrenByType4(node, type) {
   }
   return results;
 }
-function findDescendantByTypes2(node, types) {
+function findDescendantByTypes3(node, types) {
   for (let i = 0; i < node.childCount; i++) {
     const child = node.child(i);
     if (!child) continue;
     if (types.includes(child.type)) return child;
-    const found = findDescendantByTypes2(child, types);
+    const found = findDescendantByTypes3(child, types);
     if (found) return found;
   }
   return null;
 }
-function nodeText9(node, context) {
+function nodeText10(node, context) {
   return context.sourceCode.substring(node.startIndex, node.endIndex);
 }
-function getCurrentSymbolId10(context) {
+function getCurrentSymbolId11(context) {
   if (context.currentScope.length === 0) return null;
   return `${context.filePath}::${context.currentScope[context.currentScope.length - 1]}`;
 }
-var kotlinParser = {
-  name: "kotlin",
-  extensions: [".kt", ".kts", "build.gradle.kts", "settings.gradle.kts", "settings.gradle"],
-  parseFile: parseKotlinFile
+var phpParser = {
+  name: "php",
+  extensions: [".php"],
+  parseFile: parsePhpFile
 };
 
 // src/parser/detect.ts
@@ -5640,12 +6242,13 @@ var parsers = [
   csharpParser,
   javaParser,
   cppParser,
-  kotlinParser
+  kotlinParser,
+  phpParser
 ];
 var CPP_KEYWORDS = /\b(?:class|namespace|template|public:|private:|protected:|virtual|nullptr|constexpr|auto\s+\w+\s*=|using\s+\w+\s*=|static_cast|dynamic_cast|reinterpret_cast|const_cast|noexcept|override|final|decltype|concept|requires|co_await|co_yield|co_return|std::)\b/;
 function getParserForFile(filePath, content) {
-  const ext = extname7(filePath).toLowerCase();
-  const fileName = basename5(filePath);
+  const ext = extname8(filePath).toLowerCase();
+  const fileName = basename6(filePath);
   if (ext === ".h" && content) {
     if (CPP_KEYWORDS.test(content)) {
       return cppParser;
@@ -5663,7 +6266,7 @@ import { minimatch } from "minimatch";
 var MAX_FILE_SIZE = 1e6;
 function shouldParseFile(fullPath) {
   try {
-    const stats = statSync6(fullPath);
+    const stats = statSync7(fullPath);
     if (stats.size > MAX_FILE_SIZE) {
       console.error(`[Parser] Skipping ${fullPath} \u2014 file too large (${(stats.size / 1024).toFixed(0)}KB)`);
       return false;
@@ -5681,8 +6284,8 @@ async function parseProject(projectRoot, options) {
   let errorFiles = 0;
   for (const file of files) {
     try {
-      const fullPath = join12(projectRoot, file);
-      if (!resolve6(fullPath).startsWith(resolve6(projectRoot))) {
+      const fullPath = join13(projectRoot, file);
+      if (!resolve7(fullPath).startsWith(resolve7(projectRoot))) {
         skippedFiles++;
         continue;
       }
@@ -5705,7 +6308,7 @@ async function parseProject(projectRoot, options) {
       if (options?.verbose) {
         console.error(`[Parser] Parsing: ${file}`);
       }
-      const sourceCode = readFileSync9(fullPath, "utf-8");
+      const sourceCode = readFileSync10(fullPath, "utf-8");
       const parser = getParserForFile(file, sourceCode);
       if (!parser) {
         console.error(`No parser found for file: ${file}`);
@@ -5734,8 +6337,8 @@ async function parseProject(projectRoot, options) {
 }
 
 // src/cross-language/detectors/rest-api.ts
-import { readFileSync as readFileSync10 } from "fs";
-import { join as join13, resolve as resolve7 } from "path";
+import { readFileSync as readFileSync11 } from "fs";
+import { join as join14, resolve as resolve8 } from "path";
 function getLanguage(filePath) {
   if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
   if (filePath.endsWith(".js") || filePath.endsWith(".jsx") || filePath.endsWith(".mjs") || filePath.endsWith(".cjs")) return "javascript";
@@ -5744,6 +6347,7 @@ function getLanguage(filePath) {
   if (filePath.endsWith(".cs") || filePath.endsWith(".csx")) return "csharp";
   if (filePath.endsWith(".java")) return "java";
   if (filePath.endsWith(".kt") || filePath.endsWith(".kts")) return "kotlin";
+  if (filePath.endsWith(".php")) return "php";
   if (filePath.endsWith(".cpp") || filePath.endsWith(".cc") || filePath.endsWith(".cxx") || filePath.endsWith(".c++") || filePath.endsWith(".hpp") || filePath.endsWith(".hh") || filePath.endsWith(".hxx") || filePath.endsWith(".h++") || filePath.endsWith(".h") || filePath.endsWith(".inl") || filePath.endsWith(".ipp")) return "cpp";
   return "unknown";
 }
@@ -6102,6 +6706,67 @@ function extractRouteDefinitions(source, filePath) {
         if (!path6.startsWith("/")) path6 = "/" + path6;
       }
     }
+    if (lang === "php") {
+      const laravelRouteMatch = line.match(/Route\s*::\s*(get|post|put|delete|patch)\s*\(\s*['"]([^'"]+)['"]/i);
+      if (laravelRouteMatch) {
+        const path6 = laravelRouteMatch[2];
+        if (path6.startsWith("/")) {
+          routes.push({
+            method: laravelRouteMatch[1].toUpperCase(),
+            path: path6,
+            normalizedPath: normalizePath(path6),
+            file: filePath,
+            line: i + 1
+          });
+        }
+      }
+      const symfonyRouteMatch = line.match(/#\[Route\s*\(\s*['"]([^'"]+)['"]/);
+      if (symfonyRouteMatch) {
+        const path6 = symfonyRouteMatch[1];
+        if (path6.startsWith("/")) {
+          const methodsMatch = line.match(/methods\s*:\s*\[([^\]]+)\]/);
+          const methods = methodsMatch ? methodsMatch[1].match(/['"](\w+)['"]/g)?.map((m) => m.replace(/['"]/g, "").toUpperCase()) || ["ANY"] : ["ANY"];
+          for (const method of methods) {
+            routes.push({
+              method,
+              path: path6,
+              normalizedPath: normalizePath(path6),
+              file: filePath,
+              line: i + 1
+            });
+          }
+        }
+      }
+      const slimMatch = line.match(/\$(?:app|group)\s*->\s*(get|post|put|delete|patch)\s*\(\s*['"]([^'"]+)['"]/i);
+      if (slimMatch) {
+        const path6 = slimMatch[2];
+        if (path6.startsWith("/")) {
+          routes.push({
+            method: slimMatch[1].toUpperCase(),
+            path: path6,
+            normalizedPath: normalizePath(path6),
+            file: filePath,
+            line: i + 1
+          });
+        }
+      }
+      const wpRestMatch = line.match(/register_rest_route\s*\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]/);
+      if (wpRestMatch) {
+        const namespace = wpRestMatch[1];
+        let path6 = wpRestMatch[2];
+        if (!path6.startsWith("/")) path6 = "/" + path6;
+        const fullPath = `/wp-json/${namespace}${path6}`;
+        const methodMatch = line.match(/methods\s*['"=>\s]+['"](\w+)['"]/i);
+        const method = methodMatch ? methodMatch[1].toUpperCase() : "ANY";
+        routes.push({
+          method,
+          path: fullPath,
+          normalizedPath: normalizePath(fullPath),
+          file: filePath,
+          line: i + 1
+        });
+      }
+    }
     if (lang === "cpp") {
       const crowMatch = line.match(/CROW_ROUTE\s*\(\s*\w+\s*,\s*"([^"]+)"/);
       if (crowMatch) {
@@ -6216,11 +6881,11 @@ function detectRestApiEdges(files, projectRoot) {
   const allCalls = [];
   const allRoutes = [];
   for (const file of files) {
-    const fullPath = join13(projectRoot, file.filePath);
-    if (!resolve7(fullPath).startsWith(resolve7(projectRoot))) continue;
+    const fullPath = join14(projectRoot, file.filePath);
+    if (!resolve8(fullPath).startsWith(resolve8(projectRoot))) continue;
     let source;
     try {
-      source = readFileSync10(fullPath, "utf-8");
+      source = readFileSync11(fullPath, "utf-8");
     } catch {
       continue;
     }
@@ -6240,6 +6905,34 @@ function detectRestApiEdges(files, projectRoot) {
         }
       }
     }
+    if (lang === "php") {
+      const phpLines = source.split("\n");
+      for (let i = 0; i < phpLines.length; i++) {
+        const line = phpLines[i];
+        const guzzleMatch = line.match(/\$\w+\s*->\s*(get|post|put|delete|patch|request)\s*\(\s*['"]([^'"]+)['"]/i);
+        if (guzzleMatch) {
+          let method = guzzleMatch[1].toUpperCase();
+          let path6 = guzzleMatch[2];
+          if (method === "REQUEST") {
+            const reqMethodMatch = line.match(/request\s*\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]+)['"]/i);
+            if (reqMethodMatch) {
+              method = reqMethodMatch[1].toUpperCase();
+              path6 = reqMethodMatch[2];
+            }
+          }
+          if (isLocalApiPath(path6)) {
+            allCalls.push({ method, path: cleanPath(path6), file: file.filePath, line: i + 1 });
+          }
+        }
+        const fgcMatch = line.match(/file_get_contents\s*\(\s*['"]([^'"]+)['"]/);
+        if (fgcMatch) {
+          const path6 = fgcMatch[1];
+          if (isLocalApiPath(path6)) {
+            allCalls.push({ method: "GET", path: cleanPath(path6), file: file.filePath, line: i + 1 });
+          }
+        }
+      }
+    }
     allRoutes.push(...extractRouteDefinitions(source, file.filePath));
   }
   for (const call of allCalls) {
@@ -6268,8 +6961,8 @@ function detectRestApiEdges(files, projectRoot) {
 }
 
 // src/cross-language/detectors/subprocess.ts
-import { readFileSync as readFileSync11 } from "fs";
-import { join as join14, resolve as resolve8, basename as basename6 } from "path";
+import { readFileSync as readFileSync12 } from "fs";
+import { join as join15, resolve as resolve9, basename as basename7 } from "path";
 var SCRIPT_EXTENSIONS = [".py", ".js", ".ts", ".go", ".rs"];
 function getLanguage2(filePath) {
   if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
@@ -6368,16 +7061,16 @@ function detectSubprocessEdges(files, projectRoot) {
   const knownFiles = new Set(files.map((f) => f.filePath));
   const basenameMap = /* @__PURE__ */ new Map();
   for (const f of files) {
-    const base = basename6(f.filePath);
+    const base = basename7(f.filePath);
     if (!basenameMap.has(base)) basenameMap.set(base, []);
     basenameMap.get(base).push(f.filePath);
   }
   for (const file of files) {
-    const fullPath = join14(projectRoot, file.filePath);
-    if (!resolve8(fullPath).startsWith(resolve8(projectRoot))) continue;
+    const fullPath = join15(projectRoot, file.filePath);
+    if (!resolve9(fullPath).startsWith(resolve9(projectRoot))) continue;
     let source;
     try {
-      source = readFileSync11(fullPath, "utf-8");
+      source = readFileSync12(fullPath, "utf-8");
     } catch {
       continue;
     }
@@ -6389,7 +7082,7 @@ function detectSubprocessEdges(files, projectRoot) {
         targetFile = call.calledFile;
         confidence = "high";
       } else {
-        const base = basename6(call.calledFile);
+        const base = basename7(call.calledFile);
         const candidates = basenameMap.get(base);
         if (candidates && candidates.length > 0) {
           const exactCandidate = candidates.find((c) => c.endsWith(call.calledFile));
@@ -6768,7 +7461,7 @@ function getArchitectureSummary(graph) {
 }
 
 // src/health/metrics.ts
-import { dirname as dirname11 } from "path";
+import { dirname as dirname12 } from "path";
 function scoreToGrade(score) {
   if (score >= 90) return "A";
   if (score >= 80) return "B";
@@ -6801,8 +7494,8 @@ function calculateCouplingScore(graph) {
       totalEdges++;
       fileConnections.set(sourceAttrs.filePath, (fileConnections.get(sourceAttrs.filePath) || 0) + 1);
       fileConnections.set(targetAttrs.filePath, (fileConnections.get(targetAttrs.filePath) || 0) + 1);
-      const sourceDir = dirname11(sourceAttrs.filePath).split("/")[0];
-      const targetDir = dirname11(targetAttrs.filePath).split("/")[0];
+      const sourceDir = dirname12(sourceAttrs.filePath).split("/")[0];
+      const targetDir = dirname12(targetAttrs.filePath).split("/")[0];
       if (sourceDir !== targetDir) {
         crossDirEdges++;
       }
@@ -6849,8 +7542,8 @@ function calculateCohesionScore(graph) {
     const sourceAttrs = graph.getNodeAttributes(source);
     const targetAttrs = graph.getNodeAttributes(target);
     if (sourceAttrs.filePath !== targetAttrs.filePath) {
-      const sourceDir = dirname11(sourceAttrs.filePath);
-      const targetDir = dirname11(targetAttrs.filePath);
+      const sourceDir = dirname12(sourceAttrs.filePath);
+      const targetDir = dirname12(targetAttrs.filePath);
       if (!dirEdges.has(sourceDir)) {
         dirEdges.set(sourceDir, { internal: 0, total: 0 });
       }
@@ -7132,8 +7825,8 @@ function calculateDepthScore(graph) {
 }
 
 // src/health/index.ts
-import { readFileSync as readFileSync12, writeFileSync, existsSync as existsSync12, mkdirSync } from "fs";
-import { dirname as dirname12, resolve as resolve9 } from "path";
+import { readFileSync as readFileSync13, writeFileSync, existsSync as existsSync13, mkdirSync } from "fs";
+import { dirname as dirname13, resolve as resolve10 } from "path";
 function calculateHealthScore(graph, projectRoot) {
   const coupling = calculateCouplingScore(graph);
   const cohesion = calculateCohesionScore(graph);
@@ -7232,8 +7925,8 @@ function getHealthTrend(projectRoot, currentScore) {
   }
 }
 function saveHealthHistory(projectRoot, report) {
-  const resolvedRoot = resolve9(projectRoot);
-  const historyFile = resolve9(resolvedRoot, ".depwire", "health-history.json");
+  const resolvedRoot = resolve10(projectRoot);
+  const historyFile = resolve10(resolvedRoot, ".depwire", "health-history.json");
   if (!historyFile.startsWith(resolvedRoot)) {
     return;
   }
@@ -7248,10 +7941,10 @@ function saveHealthHistory(projectRoot, report) {
     }))
   };
   let history = [];
-  if (existsSync12(historyFile)) {
+  if (existsSync13(historyFile)) {
     try {
       if (!historyFile.startsWith(resolvedRoot)) return;
-      const content = readFileSync12(historyFile, "utf-8");
+      const content = readFileSync13(historyFile, "utf-8");
       history = JSON.parse(content);
     } catch {
     }
@@ -7260,19 +7953,19 @@ function saveHealthHistory(projectRoot, report) {
   if (history.length > 50) {
     history = history.slice(-50);
   }
-  mkdirSync(dirname12(historyFile), { recursive: true });
+  mkdirSync(dirname13(historyFile), { recursive: true });
   if (!historyFile.startsWith(resolvedRoot)) return;
   writeFileSync(historyFile, JSON.stringify(history, null, 2), "utf-8");
 }
 function loadHealthHistory(projectRoot) {
-  const resolvedRoot = resolve9(projectRoot);
-  const historyFile = resolve9(resolvedRoot, ".depwire", "health-history.json");
-  if (!historyFile.startsWith(resolvedRoot) || !existsSync12(historyFile)) {
+  const resolvedRoot = resolve10(projectRoot);
+  const historyFile = resolve10(resolvedRoot, ".depwire", "health-history.json");
+  if (!historyFile.startsWith(resolvedRoot) || !existsSync13(historyFile)) {
     return [];
   }
   try {
     if (!historyFile.startsWith(resolvedRoot)) return [];
-    const content = readFileSync12(historyFile, "utf-8");
+    const content = readFileSync13(historyFile, "utf-8");
     return JSON.parse(content);
   } catch {
     return [];
@@ -7281,7 +7974,7 @@ function loadHealthHistory(projectRoot) {
 
 // src/dead-code/detector.ts
 import path2 from "path";
-import { readFileSync as readFileSync13, existsSync as existsSync13 } from "fs";
+import { readFileSync as readFileSync14, existsSync as existsSync14 } from "fs";
 function findDeadSymbols(graph, projectRoot, includeTests = false, debug = false) {
   const deadSymbols = [];
   const context = { graph, projectRoot };
@@ -7414,11 +8107,11 @@ function getPackageEntryPoints(projectRoot) {
   const entryPoints = /* @__PURE__ */ new Set();
   const resolvedRoot = path2.resolve(projectRoot);
   const packageJsonPath = path2.resolve(resolvedRoot, "package.json");
-  if (!packageJsonPath.startsWith(resolvedRoot) || !existsSync13(packageJsonPath)) {
+  if (!packageJsonPath.startsWith(resolvedRoot) || !existsSync14(packageJsonPath)) {
     return entryPoints;
   }
   try {
-    const packageJson = JSON.parse(readFileSync13(packageJsonPath, "utf-8"));
+    const packageJson = JSON.parse(readFileSync14(packageJsonPath, "utf-8"));
     if (packageJson.main) {
       entryPoints.add(path2.resolve(projectRoot, packageJson.main));
     }
@@ -7475,6 +8168,9 @@ function shouldExclude(attrs, context, includeTests, packageEntryPoints) {
   if (isKotlinExcluded(attrs)) {
     return "framework";
   }
+  if (isPhpExcluded(attrs)) {
+    return "framework";
+  }
   return null;
 }
 function isRealPackageEntryPoint(filePath, packageEntryPoints) {
@@ -7540,6 +8236,71 @@ function isKotlinExcluded(attrs) {
   if (name.startsWith("operator")) return true;
   return false;
 }
+function isPhpExcluded(attrs) {
+  const filePath = attrs.file || attrs.filePath || "";
+  const name = attrs.name || "";
+  if (!filePath.endsWith(".php")) return false;
+  const magicMethods = [
+    "__construct",
+    "__destruct",
+    "__call",
+    "__callStatic",
+    "__get",
+    "__set",
+    "__isset",
+    "__unset",
+    "__sleep",
+    "__wakeup",
+    "__serialize",
+    "__unserialize",
+    "__toString",
+    "__invoke",
+    "__set_state",
+    "__clone",
+    "__debugInfo"
+  ];
+  if (magicMethods.includes(name)) return true;
+  const wpHooks = [
+    "init",
+    "admin_init",
+    "wp_enqueue_scripts",
+    "admin_enqueue_scripts",
+    "widgets_init",
+    "register_activation_hook",
+    "register_deactivation_hook",
+    "add_action",
+    "add_filter",
+    "activate",
+    "deactivate"
+  ];
+  if (wpHooks.includes(name)) return true;
+  const laravelMethods = [
+    "register",
+    "boot",
+    "handle",
+    "authorize",
+    "rules",
+    "messages",
+    "prepareForValidation",
+    "failed",
+    "broadcastOn",
+    "broadcastAs",
+    "broadcastWith"
+  ];
+  if (laravelMethods.includes(name)) return true;
+  const symfonyMethods = [
+    "__invoke",
+    "getSubscribedEvents",
+    "getSubscribedServices",
+    "configureOptions",
+    "buildForm",
+    "load",
+    "getConfigTreeBuilder"
+  ];
+  if (symfonyMethods.includes(name)) return true;
+  if (name.startsWith("test") || name === "setUp" || name === "tearDown" || name === "setUpBeforeClass" || name === "tearDownAfterClass") return true;
+  return false;
+}
 
 // src/dead-code/classifier.ts
 import path3 from "path";
@@ -7606,8 +8367,8 @@ function generateReason(symbol, confidence) {
   return "Potentially unused";
 }
 function isBarrelFile(filePath) {
-  const basename10 = path3.basename(filePath);
-  return basename10 === "index.ts" || basename10 === "index.js";
+  const basename11 = path3.basename(filePath);
+  return basename11 === "index.ts" || basename11 === "index.js";
 }
 function isTestFile2(filePath) {
   return filePath.includes("__tests__/") || filePath.includes(".test.") || filePath.includes(".spec.") || filePath.includes("/test/") || filePath.includes("/tests/");
@@ -7786,11 +8547,11 @@ function filterByConfidence(symbols, minConfidence) {
 }
 
 // src/docs/generator.ts
-import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync16 } from "fs";
-import { join as join18 } from "path";
+import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync17 } from "fs";
+import { join as join19 } from "path";
 
 // src/docs/architecture.ts
-import { dirname as dirname13 } from "path";
+import { dirname as dirname14 } from "path";
 
 // src/docs/templates.ts
 function header(text, level = 1) {
@@ -7941,7 +8702,7 @@ function generateModuleStructure(graph) {
 function getDirectoryStats(graph) {
   const dirMap = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname13(attrs.filePath);
+    const dir = dirname14(attrs.filePath);
     if (dir === ".") return;
     if (!dirMap.has(dir)) {
       dirMap.set(dir, {
@@ -7966,7 +8727,7 @@ function getDirectoryStats(graph) {
   });
   const filesPerDir = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname13(attrs.filePath);
+    const dir = dirname14(attrs.filePath);
     if (!filesPerDir.has(dir)) {
       filesPerDir.set(dir, /* @__PURE__ */ new Set());
     }
@@ -7981,8 +8742,8 @@ function getDirectoryStats(graph) {
   graph.forEachEdge((edge, attrs, source, target) => {
     const sourceAttrs = graph.getNodeAttributes(source);
     const targetAttrs = graph.getNodeAttributes(target);
-    const sourceDir = dirname13(sourceAttrs.filePath);
-    const targetDir = dirname13(targetAttrs.filePath);
+    const sourceDir = dirname14(sourceAttrs.filePath);
+    const targetDir = dirname14(targetAttrs.filePath);
     if (sourceDir !== targetDir) {
       if (!dirEdges.has(sourceDir)) {
         dirEdges.set(sourceDir, { in: 0, out: 0 });
@@ -8189,7 +8950,7 @@ function detectCycles(graph) {
 }
 
 // src/docs/conventions.ts
-import { basename as basename7, extname as extname8 } from "path";
+import { basename as basename8, extname as extname9 } from "path";
 function generateConventions(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -8227,7 +8988,7 @@ function generateFileOrganization(graph) {
   graph.forEachNode((node, attrs) => {
     if (!files.has(attrs.filePath)) {
       files.add(attrs.filePath);
-      const fileName = basename7(attrs.filePath);
+      const fileName = basename8(attrs.filePath);
       if (fileName === "index.ts" || fileName === "index.js" || fileName === "index.tsx" || fileName === "index.jsx") {
         barrelFileCount++;
       }
@@ -8286,7 +9047,7 @@ function generateNamingPatterns(graph) {
   graph.forEachNode((node, attrs) => {
     if (!files.has(attrs.filePath)) {
       files.add(attrs.filePath);
-      const fileName = basename7(attrs.filePath, extname8(attrs.filePath));
+      const fileName = basename8(attrs.filePath, extname9(attrs.filePath));
       if (isCamelCase(fileName)) patterns.files.camelCase++;
       else if (isPascalCase(fileName)) patterns.files.PascalCase++;
       else if (isKebabCase(fileName)) patterns.files.kebabCase++;
@@ -8963,7 +9724,7 @@ function detectCyclesDetailed(graph) {
 }
 
 // src/docs/onboarding.ts
-import { dirname as dirname14 } from "path";
+import { dirname as dirname15 } from "path";
 function generateOnboarding(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -9022,7 +9783,7 @@ function generateQuickOrientation(graph) {
   const primaryLang = Object.entries(languages2).sort((a, b) => b[1] - a[1])[0];
   const dirs = /* @__PURE__ */ new Set();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname14(attrs.filePath);
+    const dir = dirname15(attrs.filePath);
     if (dir !== ".") {
       const topLevel = dir.split("/")[0];
       dirs.add(topLevel);
@@ -9126,7 +9887,7 @@ function generateModuleMap(graph) {
 function getDirectoryStats2(graph) {
   const dirMap = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname14(attrs.filePath);
+    const dir = dirname15(attrs.filePath);
     if (dir === ".") return;
     if (!dirMap.has(dir)) {
       dirMap.set(dir, {
@@ -9141,7 +9902,7 @@ function getDirectoryStats2(graph) {
   });
   const filesPerDir = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname14(attrs.filePath);
+    const dir = dirname15(attrs.filePath);
     if (!filesPerDir.has(dir)) {
       filesPerDir.set(dir, /* @__PURE__ */ new Set());
     }
@@ -9156,8 +9917,8 @@ function getDirectoryStats2(graph) {
   graph.forEachEdge((edge, attrs, source, target) => {
     const sourceAttrs = graph.getNodeAttributes(source);
     const targetAttrs = graph.getNodeAttributes(target);
-    const sourceDir = dirname14(sourceAttrs.filePath);
-    const targetDir = dirname14(targetAttrs.filePath);
+    const sourceDir = dirname15(sourceAttrs.filePath);
+    const targetDir = dirname15(targetAttrs.filePath);
     if (sourceDir !== targetDir) {
       if (!dirEdges.has(sourceDir)) {
         dirEdges.set(sourceDir, { in: 0, out: 0 });
@@ -9238,7 +9999,7 @@ function detectClusters(graph) {
   const dirFiles = /* @__PURE__ */ new Map();
   const fileEdges = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname14(attrs.filePath);
+    const dir = dirname15(attrs.filePath);
     if (!dirFiles.has(dir)) {
       dirFiles.set(dir, /* @__PURE__ */ new Set());
     }
@@ -9292,8 +10053,8 @@ function inferClusterName(files) {
   if (sortedWords.length > 0 && sortedWords[0][1] > 1) {
     return capitalizeFirst2(sortedWords[0][0]);
   }
-  const commonDir = dirname14(files[0]);
-  if (files.every((f) => dirname14(f) === commonDir)) {
+  const commonDir = dirname15(files[0]);
+  if (files.every((f) => dirname15(f) === commonDir)) {
     return capitalizeFirst2(commonDir.split("/").pop() || "Core");
   }
   return "Core";
@@ -9351,7 +10112,7 @@ function generateDepwireUsage(projectRoot) {
 }
 
 // src/docs/files.ts
-import { dirname as dirname15, basename as basename8 } from "path";
+import { dirname as dirname16, basename as basename9 } from "path";
 function generateFiles(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -9455,7 +10216,7 @@ function generateDirectoryBreakdown(graph) {
   const fileStats = getFileStats2(graph);
   const dirMap = /* @__PURE__ */ new Map();
   for (const file of fileStats) {
-    const dir = dirname15(file.filePath);
+    const dir = dirname16(file.filePath);
     const topDir = dir === "." ? "." : dir.split("/")[0];
     if (!dirMap.has(topDir)) {
       dirMap.set(topDir, {
@@ -9470,7 +10231,7 @@ function generateDirectoryBreakdown(graph) {
     dirStats.symbolCount += file.symbolCount;
     if (file.totalConnections > dirStats.maxConnections) {
       dirStats.maxConnections = file.totalConnections;
-      dirStats.mostConnectedFile = basename8(file.filePath);
+      dirStats.mostConnectedFile = basename9(file.filePath);
     }
   }
   if (dirMap.size === 0) {
@@ -10098,7 +10859,7 @@ function generateRecommendations(graph) {
 }
 
 // src/docs/tests.ts
-import { basename as basename9, dirname as dirname16 } from "path";
+import { basename as basename10, dirname as dirname17 } from "path";
 function generateTests(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -10126,8 +10887,8 @@ function getFileCount8(graph) {
   return files.size;
 }
 function isTestFile3(filePath) {
-  const fileName = basename9(filePath).toLowerCase();
-  const dirPath = dirname16(filePath).toLowerCase();
+  const fileName = basename10(filePath).toLowerCase();
+  const dirPath = dirname17(filePath).toLowerCase();
   if (dirPath.includes("test") || dirPath.includes("spec") || dirPath.includes("__tests__")) {
     return true;
   }
@@ -10185,13 +10946,13 @@ function generateTestFileInventory(graph) {
   return output;
 }
 function matchTestToSource(testFile) {
-  const testFileName = basename9(testFile);
-  const testDir = dirname16(testFile);
+  const testFileName = basename10(testFile);
+  const testDir = dirname17(testFile);
   let sourceFileName = testFileName.replace(/\.test\./g, ".").replace(/\.spec\./g, ".").replace(/_test\./g, ".").replace(/_spec\./g, ".");
   const possiblePaths = [];
   possiblePaths.push(testDir + "/" + sourceFileName);
   if (testDir.endsWith("/test") || testDir.endsWith("/tests") || testDir.endsWith("/__tests__")) {
-    const parentDir = dirname16(testDir);
+    const parentDir = dirname17(testDir);
     possiblePaths.push(parentDir + "/" + sourceFileName);
   }
   if (testDir.includes("test")) {
@@ -10347,7 +11108,7 @@ function generateTestCoverageMap(graph) {
   const rows = mappings.slice(0, 30).map((m) => [
     `\`${m.sourceFile}\``,
     m.hasTest ? "\u2705" : "\u274C",
-    m.testFile ? `\`${basename9(m.testFile)}\`` : "-",
+    m.testFile ? `\`${basename10(m.testFile)}\`` : "-",
     formatNumber(m.symbolCount)
   ]);
   let output = table(headers, rows);
@@ -10388,7 +11149,7 @@ function generateTestStatistics(graph) {
 `;
   const dirTestCoverage = /* @__PURE__ */ new Map();
   for (const sourceFile of sourceFiles) {
-    const dir = dirname16(sourceFile).split("/")[0];
+    const dir = dirname17(sourceFile).split("/")[0];
     if (!dirTestCoverage.has(dir)) {
       dirTestCoverage.set(dir, { total: 0, tested: 0 });
     }
@@ -10411,7 +11172,7 @@ function generateTestStatistics(graph) {
 }
 
 // src/docs/history.ts
-import { dirname as dirname17 } from "path";
+import { dirname as dirname18 } from "path";
 import { execSync } from "child_process";
 function generateHistory(graph, projectRoot, version) {
   let output = "";
@@ -10692,7 +11453,7 @@ function generateFeatureClusters(graph) {
   const dirFiles = /* @__PURE__ */ new Map();
   const fileEdges = /* @__PURE__ */ new Map();
   graph.forEachNode((node, attrs) => {
-    const dir = dirname17(attrs.filePath);
+    const dir = dirname18(attrs.filePath);
     if (!dirFiles.has(dir)) {
       dirFiles.set(dir, /* @__PURE__ */ new Set());
     }
@@ -10774,7 +11535,7 @@ function capitalizeFirst3(str) {
 }
 
 // src/docs/current.ts
-import { dirname as dirname18 } from "path";
+import { dirname as dirname19 } from "path";
 function generateCurrent(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -10912,7 +11673,7 @@ function generateCompleteFileIndex(graph) {
   fileInfos.sort((a, b) => a.filePath.localeCompare(b.filePath));
   const dirGroups = /* @__PURE__ */ new Map();
   for (const info of fileInfos) {
-    const dir = dirname18(info.filePath);
+    const dir = dirname19(info.filePath);
     const topDir = dir === "." ? "root" : dir.split("/")[0];
     if (!dirGroups.has(topDir)) {
       dirGroups.set(topDir, []);
@@ -11123,8 +11884,8 @@ function getTopLevelDir2(filePath) {
 }
 
 // src/docs/status.ts
-import { readFileSync as readFileSync14, existsSync as existsSync14 } from "fs";
-import { resolve as resolve10 } from "path";
+import { readFileSync as readFileSync15, existsSync as existsSync15 } from "fs";
+import { resolve as resolve11 } from "path";
 function generateStatus(graph, projectRoot, version) {
   let output = "";
   const now = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -11157,16 +11918,16 @@ function getFileCount11(graph) {
 }
 function extractComments(projectRoot, filePath) {
   const comments = [];
-  const resolvedRoot = resolve10(projectRoot);
-  const fullPath = resolve10(resolvedRoot, filePath);
+  const resolvedRoot = resolve11(projectRoot);
+  const fullPath = resolve11(resolvedRoot, filePath);
   if (!fullPath.startsWith(resolvedRoot)) {
     return comments;
   }
-  if (!existsSync14(fullPath)) {
+  if (!existsSync15(fullPath)) {
     return comments;
   }
   try {
-    const content = readFileSync14(fullPath, "utf-8");
+    const content = readFileSync15(fullPath, "utf-8");
     const lines = content.split("\n");
     const patterns = [
       { type: "TODO", regex: /(?:\/\/|#|\/\*)\s*TODO:?\s*(.+)/i },
@@ -11745,16 +12506,16 @@ function generateConfidenceSection(title, description, symbols, projectRoot) {
 }
 
 // src/docs/metadata.ts
-import { existsSync as existsSync15, readFileSync as readFileSync15, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve11 } from "path";
+import { existsSync as existsSync16, readFileSync as readFileSync16, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve12 } from "path";
 function loadMetadata(outputDir) {
-  const resolvedDir = resolve11(outputDir);
-  const metadataPath = resolve11(resolvedDir, "metadata.json");
-  if (!metadataPath.startsWith(resolvedDir) || !existsSync15(metadataPath)) {
+  const resolvedDir = resolve12(outputDir);
+  const metadataPath = resolve12(resolvedDir, "metadata.json");
+  if (!metadataPath.startsWith(resolvedDir) || !existsSync16(metadataPath)) {
     return null;
   }
   try {
-    const content = readFileSync15(metadataPath, "utf-8");
+    const content = readFileSync16(metadataPath, "utf-8");
     return JSON.parse(content);
   } catch (err) {
     console.error("Failed to load metadata:", err);
@@ -11762,8 +12523,8 @@ function loadMetadata(outputDir) {
   }
 }
 function saveMetadata(outputDir, metadata) {
-  const resolvedDir = resolve11(outputDir);
-  const metadataPath = resolve11(resolvedDir, "metadata.json");
+  const resolvedDir = resolve12(outputDir);
+  const metadataPath = resolve12(resolvedDir, "metadata.json");
   if (!metadataPath.startsWith(resolvedDir)) {
     throw new Error(`Path traversal attempt blocked: ${metadataPath}`);
   }
@@ -11809,7 +12570,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
   const generated = [];
   const errors = [];
   try {
-    if (!existsSync16(options.outputDir)) {
+    if (!existsSync17(options.outputDir)) {
       mkdirSync2(options.outputDir, { recursive: true });
       if (options.verbose) {
         console.log(`Created output directory: ${options.outputDir}`);
@@ -11848,7 +12609,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ARCHITECTURE.md...");
           const content = generateArchitecture(graph, projectRoot, version, parseTime);
-          const filePath = join18(options.outputDir, "ARCHITECTURE.md");
+          const filePath = join19(options.outputDir, "ARCHITECTURE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ARCHITECTURE.md");
         } catch (err) {
@@ -11859,7 +12620,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating CONVENTIONS.md...");
           const content = generateConventions(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "CONVENTIONS.md");
+          const filePath = join19(options.outputDir, "CONVENTIONS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("CONVENTIONS.md");
         } catch (err) {
@@ -11870,7 +12631,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating DEPENDENCIES.md...");
           const content = generateDependencies(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "DEPENDENCIES.md");
+          const filePath = join19(options.outputDir, "DEPENDENCIES.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("DEPENDENCIES.md");
         } catch (err) {
@@ -11881,7 +12642,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ONBOARDING.md...");
           const content = generateOnboarding(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "ONBOARDING.md");
+          const filePath = join19(options.outputDir, "ONBOARDING.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ONBOARDING.md");
         } catch (err) {
@@ -11892,7 +12653,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating FILES.md...");
           const content = generateFiles(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "FILES.md");
+          const filePath = join19(options.outputDir, "FILES.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("FILES.md");
         } catch (err) {
@@ -11903,7 +12664,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating API_SURFACE.md...");
           const content = generateApiSurface(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "API_SURFACE.md");
+          const filePath = join19(options.outputDir, "API_SURFACE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("API_SURFACE.md");
         } catch (err) {
@@ -11914,7 +12675,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating ERRORS.md...");
           const content = generateErrors(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "ERRORS.md");
+          const filePath = join19(options.outputDir, "ERRORS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("ERRORS.md");
         } catch (err) {
@@ -11925,7 +12686,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating TESTS.md...");
           const content = generateTests(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "TESTS.md");
+          const filePath = join19(options.outputDir, "TESTS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("TESTS.md");
         } catch (err) {
@@ -11936,7 +12697,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating HISTORY.md...");
           const content = generateHistory(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "HISTORY.md");
+          const filePath = join19(options.outputDir, "HISTORY.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("HISTORY.md");
         } catch (err) {
@@ -11947,7 +12708,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating CURRENT.md...");
           const content = generateCurrent(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "CURRENT.md");
+          const filePath = join19(options.outputDir, "CURRENT.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("CURRENT.md");
         } catch (err) {
@@ -11958,7 +12719,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating STATUS.md...");
           const content = generateStatus(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "STATUS.md");
+          const filePath = join19(options.outputDir, "STATUS.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("STATUS.md");
         } catch (err) {
@@ -11969,7 +12730,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating HEALTH.md...");
           const content = generateHealth(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "HEALTH.md");
+          const filePath = join19(options.outputDir, "HEALTH.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("HEALTH.md");
         } catch (err) {
@@ -11980,7 +12741,7 @@ async function generateDocs(graph, projectRoot, version, parseTime, options) {
         try {
           if (options.verbose) console.log("Generating DEAD_CODE.md...");
           const content = generateDeadCode(graph, projectRoot, version);
-          const filePath = join18(options.outputDir, "DEAD_CODE.md");
+          const filePath = join19(options.outputDir, "DEAD_CODE.md");
           writeFileSync3(filePath, content, "utf-8");
           generated.push("DEAD_CODE.md");
         } catch (err) {
@@ -12024,7 +12785,7 @@ function getFileCount13(graph) {
 }
 
 // src/simulation/engine.ts
-import { dirname as dirname19, join as join19 } from "path";
+import { dirname as dirname20, join as join20 } from "path";
 function normalizePath2(p) {
   return p.replace(/^\.\//, "").replace(/\/+$/, "");
 }
@@ -12156,7 +12917,7 @@ var SimulationEngine = class {
     }
   }
   applyRename(clone, target, newName, brokenImports) {
-    const destination = join19(dirname19(target), newName);
+    const destination = join20(dirname20(target), newName);
     this.applyMove(clone, target, destination, brokenImports);
   }
   applySplit(clone, target, newFile, symbols, brokenImports) {
@@ -12356,13 +13117,13 @@ var SimulationEngine = class {
 };
 
 // src/security/scanner.ts
-import { existsSync as existsSync18 } from "fs";
-import { join as join29 } from "path";
+import { existsSync as existsSync19 } from "fs";
+import { join as join30 } from "path";
 
 // src/security/checks/dependencies.ts
 import { execSync as execSync2 } from "child_process";
-import { existsSync as existsSync17, readFileSync as readFileSync16, readdirSync as readdirSync9 } from "fs";
-import { join as join20 } from "path";
+import { existsSync as existsSync18, readFileSync as readFileSync17, readdirSync as readdirSync10 } from "fs";
+import { join as join21 } from "path";
 function cvssToSeverity(score) {
   if (score >= 9) return "critical";
   if (score >= 7) return "high";
@@ -12372,18 +13133,18 @@ function cvssToSeverity(score) {
 async function checkDependencies(_files, projectRoot) {
   const findings = [];
   try {
-    if (existsSync17(join20(projectRoot, "package.json"))) {
+    if (existsSync18(join21(projectRoot, "package.json"))) {
       findings.push(...checkNpmAudit(projectRoot));
       findings.push(...checkPackageJsonPatterns(projectRoot));
       findings.push(...checkPostinstallScripts(projectRoot));
     }
-    if (existsSync17(join20(projectRoot, "requirements.txt")) || existsSync17(join20(projectRoot, "pyproject.toml"))) {
+    if (existsSync18(join21(projectRoot, "requirements.txt")) || existsSync18(join21(projectRoot, "pyproject.toml"))) {
       findings.push(...checkPipAudit(projectRoot));
     }
-    if (existsSync17(join20(projectRoot, "Cargo.toml"))) {
+    if (existsSync18(join21(projectRoot, "Cargo.toml"))) {
       findings.push(...checkCargoAudit(projectRoot));
     }
-    if (existsSync17(join20(projectRoot, "go.mod"))) {
+    if (existsSync18(join21(projectRoot, "go.mod"))) {
       findings.push(...checkGoVerify(projectRoot));
     }
   } catch (err) {
@@ -12472,8 +13233,8 @@ function checkNpmAudit(projectRoot) {
 function checkPackageJsonPatterns(projectRoot) {
   const findings = [];
   try {
-    const pkgPath = join20(projectRoot, "package.json");
-    const pkg = JSON.parse(readFileSync16(pkgPath, "utf-8"));
+    const pkgPath = join21(projectRoot, "package.json");
+    const pkg = JSON.parse(readFileSync17(pkgPath, "utf-8"));
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     for (const [name, version] of Object.entries(allDeps)) {
       if (version.startsWith("^") || version.startsWith("~")) {
@@ -12495,15 +13256,15 @@ function checkPackageJsonPatterns(projectRoot) {
 }
 function checkPostinstallScripts(projectRoot) {
   const findings = [];
-  const nodeModules = join20(projectRoot, "node_modules");
-  if (!existsSync17(nodeModules)) return findings;
+  const nodeModules = join21(projectRoot, "node_modules");
+  if (!existsSync18(nodeModules)) return findings;
   try {
-    const topLevelDeps = readdirSync9(nodeModules).filter((d) => !d.startsWith("."));
+    const topLevelDeps = readdirSync10(nodeModules).filter((d) => !d.startsWith("."));
     for (const dep of topLevelDeps) {
-      const depPkgPath = join20(nodeModules, dep, "package.json");
-      if (!existsSync17(depPkgPath)) continue;
+      const depPkgPath = join21(nodeModules, dep, "package.json");
+      if (!existsSync18(depPkgPath)) continue;
       try {
-        const depPkg = JSON.parse(readFileSync16(depPkgPath, "utf-8"));
+        const depPkg = JSON.parse(readFileSync17(depPkgPath, "utf-8"));
         const scripts = depPkg.scripts || {};
         if (scripts.postinstall || scripts.preinstall || scripts.install) {
           const scriptName = scripts.postinstall ? "postinstall" : scripts.preinstall ? "preinstall" : "install";
@@ -12541,7 +13302,7 @@ function checkPipAudit(projectRoot) {
         id: "",
         severity: cvssToSeverity(vuln.cvss?.score || 5),
         vulnerabilityClass: "dependency-cve",
-        file: existsSync17(join20(projectRoot, "requirements.txt")) ? "requirements.txt" : "pyproject.toml",
+        file: existsSync18(join21(projectRoot, "requirements.txt")) ? "requirements.txt" : "pyproject.toml",
         title: `Vulnerable Python dependency: ${vuln.name}`,
         description: `${vuln.name}@${vuln.version} \u2014 ${vuln.id}: ${vuln.description || "Known vulnerability"}`,
         attackScenario: `An attacker could exploit the vulnerability in ${vuln.name}.`,
@@ -12638,8 +13399,8 @@ function checkGoVerify(projectRoot) {
 }
 
 // src/security/checks/injection.ts
-import { readFileSync as readFileSync17 } from "fs";
-import { join as join21 } from "path";
+import { readFileSync as readFileSync18 } from "fs";
+import { join as join22 } from "path";
 var SKIP_DIRS = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var TEST_PATTERNS = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__"];
 var USER_INPUT_NAMES = /(?:input|user|name|path|query|branch|hash|cmd|command|req\.|params|body|args|url|dir|file|subdirectory)/i;
@@ -12871,6 +13632,61 @@ var PATTERNS = [
     description: "permitAll() applied to a path that appears security-sensitive.",
     attackScenario: "An attacker could access administrative or destructive endpoints without authentication.",
     suggestedFix: 'Use .hasRole("ADMIN") or .authenticated() for sensitive endpoints.'
+  },
+  // PHP injection patterns
+  {
+    regex: /\$wpdb\s*->\s*query\s*\(\s*["'][^"']*\$|.*\$wpdb\s*->\s*query\s*\(\s*[^"']*\.\s*\$/,
+    title: "PHP SQL injection via $wpdb->query with string concatenation",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "WordPress $wpdb->query() called with direct variable interpolation \u2014 vulnerable to SQL injection.",
+    attackScenario: "An attacker could inject SQL through unescaped user input to read, modify, or delete database data.",
+    suggestedFix: 'Use $wpdb->prepare() with placeholders: $wpdb->query($wpdb->prepare("SELECT * FROM table WHERE id = %d", $id))'
+  },
+  {
+    regex: /\beval\s*\(\s*\$/,
+    title: "PHP eval() with variable input",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "eval() executes arbitrary PHP code from a variable \u2014 potential RCE.",
+    attackScenario: "An attacker could inject malicious PHP code if user input reaches eval().",
+    suggestedFix: "Remove eval() entirely. Use safe alternatives like json_decode() for data or specific parsers."
+  },
+  {
+    regex: /\b(?:system|exec|shell_exec|passthru)\s*\(\s*\$/,
+    title: "PHP command injection via system/exec/shell_exec/passthru",
+    vulnClass: "shell-injection",
+    baseSeverity: "high",
+    description: "Shell command execution with a variable argument \u2014 potential command injection.",
+    attackScenario: "An attacker could inject shell metacharacters to execute arbitrary commands on the server.",
+    suggestedFix: "Use escapeshellarg() and escapeshellcmd() to sanitize input, or avoid shell commands entirely."
+  },
+  {
+    regex: /preg_replace\s*\(\s*['"]\/[^'"]*\/e['"]/,
+    title: "PHP preg_replace with /e modifier (code execution)",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "preg_replace() with the /e modifier evaluates the replacement as PHP code \u2014 deprecated and dangerous.",
+    attackScenario: "An attacker could inject PHP code through the matched string to achieve remote code execution.",
+    suggestedFix: "Use preg_replace_callback() instead of the /e modifier."
+  },
+  {
+    regex: /\bunserialize\s*\(\s*\$(?:_GET|_POST|_REQUEST|_COOKIE)/,
+    title: "PHP insecure deserialization of user input",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "unserialize() called on user-controlled superglobal input \u2014 potential RCE via PHP object injection.",
+    attackScenario: "An attacker could craft a malicious serialized PHP object to achieve remote code execution.",
+    suggestedFix: "Use json_decode() instead of unserialize() for user input. If unserialize is necessary, use the allowed_classes option."
+  },
+  {
+    regex: /\bextract\s*\(\s*\$(?:_GET|_POST|_REQUEST)/,
+    title: "PHP extract() on superglobal input",
+    vulnClass: "code-injection",
+    baseSeverity: "high",
+    description: "extract() on $_GET/$_POST/$_REQUEST overwrites local variables \u2014 can bypass security checks.",
+    attackScenario: "An attacker could set arbitrary variables by crafting request parameters, potentially overwriting auth flags or config values.",
+    suggestedFix: "Avoid extract() on user input. Access superglobals directly or use a whitelist of expected keys."
   }
 ];
 function shouldSkip(filePath) {
@@ -12887,7 +13703,7 @@ async function checkInjection(files, projectRoot) {
       if (shouldSkip(file.filePath) || isTestFile4(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync17(join21(projectRoot, file.filePath), "utf-8");
+        content = readFileSync18(join22(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -12925,8 +13741,8 @@ async function checkInjection(files, projectRoot) {
 }
 
 // src/security/checks/secrets.ts
-import { readFileSync as readFileSync18 } from "fs";
-import { join as join22 } from "path";
+import { readFileSync as readFileSync19 } from "fs";
+import { join as join23 } from "path";
 var SKIP_DIRS2 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var TEST_PATTERNS2 = ["test", "spec", "fixture", "mock", "__tests__", "__mocks__", ".example", ".sample"];
 var SECRET_PATTERNS = [
@@ -12959,7 +13775,7 @@ async function checkSecrets(files, projectRoot) {
       if (shouldSkip2(file.filePath) || isTestFile5(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync18(join22(projectRoot, file.filePath), "utf-8");
+        content = readFileSync19(join23(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -12992,8 +13808,8 @@ async function checkSecrets(files, projectRoot) {
 }
 
 // src/security/checks/path-traversal.ts
-import { readFileSync as readFileSync19 } from "fs";
-import { join as join23 } from "path";
+import { readFileSync as readFileSync20 } from "fs";
+import { join as join24 } from "path";
 var SKIP_DIRS3 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var USER_INPUT_VARS = /(?:req\.|params|query|body|input|path|dir|subdirectory|file|userInput|fileName|filePath)/i;
 var PATTERNS2 = [
@@ -13040,7 +13856,7 @@ async function checkPathTraversal(files, projectRoot) {
       if (shouldSkip3(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync19(join23(projectRoot, file.filePath), "utf-8");
+        content = readFileSync20(join24(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -13082,8 +13898,8 @@ async function checkPathTraversal(files, projectRoot) {
 }
 
 // src/security/checks/auth.ts
-import { readFileSync as readFileSync20 } from "fs";
-import { join as join24 } from "path";
+import { readFileSync as readFileSync21 } from "fs";
+import { join as join25 } from "path";
 var SKIP_DIRS4 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip4(filePath) {
   return SKIP_DIRS4.some((d) => filePath.includes(d));
@@ -13099,7 +13915,7 @@ async function checkAuth(files, projectRoot) {
       if (shouldSkip4(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync20(join24(projectRoot, file.filePath), "utf-8");
+        content = readFileSync21(join25(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -13190,8 +14006,8 @@ async function checkAuth(files, projectRoot) {
 }
 
 // src/security/checks/input-validation.ts
-import { readFileSync as readFileSync21 } from "fs";
-import { join as join25 } from "path";
+import { readFileSync as readFileSync22 } from "fs";
+import { join as join26 } from "path";
 var SKIP_DIRS5 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip5(filePath) {
   return SKIP_DIRS5.some((d) => filePath.includes(d));
@@ -13203,7 +14019,7 @@ async function checkInputValidation(files, projectRoot) {
       if (shouldSkip5(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync21(join25(projectRoot, file.filePath), "utf-8");
+        content = readFileSync22(join26(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -13280,8 +14096,8 @@ async function checkInputValidation(files, projectRoot) {
 }
 
 // src/security/checks/information-disclosure.ts
-import { readFileSync as readFileSync22 } from "fs";
-import { join as join26 } from "path";
+import { readFileSync as readFileSync23 } from "fs";
+import { join as join27 } from "path";
 var SKIP_DIRS6 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip6(filePath) {
   return SKIP_DIRS6.some((d) => filePath.includes(d));
@@ -13293,7 +14109,7 @@ async function checkInformationDisclosure(files, projectRoot) {
       if (shouldSkip6(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync22(join26(projectRoot, file.filePath), "utf-8");
+        content = readFileSync23(join27(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -13363,8 +14179,8 @@ async function checkInformationDisclosure(files, projectRoot) {
 }
 
 // src/security/checks/cryptography.ts
-import { readFileSync as readFileSync23 } from "fs";
-import { join as join27 } from "path";
+import { readFileSync as readFileSync24 } from "fs";
+import { join as join28 } from "path";
 var SKIP_DIRS7 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 var USER_INPUT_NAMES2 = /(?:input|user|name|path|query|param|request|body|args|url)/i;
 function shouldSkip7(filePath) {
@@ -13381,7 +14197,7 @@ async function checkCryptography(files, projectRoot) {
       if (shouldSkip7(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync23(join27(projectRoot, file.filePath), "utf-8");
+        content = readFileSync24(join28(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -13561,6 +14377,84 @@ async function checkCryptography(files, projectRoot) {
             suggestedFix: "Use HTTPS for all external URLs to ensure data confidentiality and integrity."
           });
         }
+        if (/\bmd5\s*\(/.test(line) && /password|passwd|pass|pwd/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "PHP md5() used for password hashing",
+            description: "md5() is cryptographically broken and should never be used for password hashing.",
+            attackScenario: "An attacker could crack MD5 password hashes in seconds using rainbow tables or GPU brute force.",
+            suggestedFix: "Use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID."
+          });
+        }
+        if (/\bsha1\s*\(/.test(line) && /password|passwd|pass|pwd/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "PHP sha1() used for password hashing",
+            description: "SHA-1 has known collision attacks and should not be used for password hashing.",
+            attackScenario: "An attacker could crack SHA-1 password hashes using precomputed tables.",
+            suggestedFix: "Use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID."
+          });
+        }
+        if (/\bcrypt\s*\(\s*[^,]+,\s*['"][\$]?[12a-zA-Z]{0,3}['"]/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "PHP crypt() with potentially weak salt",
+            description: "crypt() with a short or weak salt may use DES or MD5 algorithm.",
+            attackScenario: "An attacker could crack weakly-salted crypt() hashes using brute force.",
+            suggestedFix: "Use password_hash() instead of crypt(). It automatically uses a strong algorithm and salt."
+          });
+        }
+        if (/\bmcrypt_/.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "PHP deprecated mcrypt_* function",
+            description: "mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2. It has known vulnerabilities.",
+            attackScenario: "An attacker could exploit known weaknesses in mcrypt implementations.",
+            suggestedFix: "Use openssl_encrypt()/openssl_decrypt() or the sodium extension (sodium_crypto_*)."
+          });
+        }
+        if (/\b(?:rand|mt_rand)\s*\(/.test(line) && isCryptoFile) {
+          findings.push({
+            id: "",
+            severity: "medium",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "PHP rand()/mt_rand() in security context",
+            description: "rand() and mt_rand() are not cryptographically secure \u2014 their output can be predicted.",
+            attackScenario: "An attacker could predict random values to forge tokens or bypass security checks.",
+            suggestedFix: "Use random_bytes() or random_int() for cryptographic purposes."
+          });
+        }
+        if (/\$(?:password|secret|api_?key|token)\s*=\s*['"][^'"]{4,}['"]/i.test(line)) {
+          findings.push({
+            id: "",
+            severity: "high",
+            vulnerabilityClass: "cryptography",
+            file: file.filePath,
+            line: i + 1,
+            title: "Hardcoded credentials in PHP source",
+            description: "A password, secret, or API key is hardcoded as a string literal.",
+            attackScenario: "An attacker with access to the source could extract the credential.",
+            suggestedFix: "Load credentials from environment variables using getenv() or $_ENV."
+          });
+        }
       }
     }
   } catch {
@@ -13569,8 +14463,8 @@ async function checkCryptography(files, projectRoot) {
 }
 
 // src/security/checks/frontend.ts
-import { readFileSync as readFileSync24 } from "fs";
-import { join as join28 } from "path";
+import { readFileSync as readFileSync25 } from "fs";
+import { join as join29 } from "path";
 var SKIP_DIRS8 = ["node_modules/", "dist/", ".git/", ".wrangler/", "src/security/checks/"];
 function shouldSkip8(filePath) {
   return SKIP_DIRS8.some((d) => filePath.includes(d));
@@ -13586,7 +14480,7 @@ async function checkFrontend(files, projectRoot) {
       if (!isFrontendFile(file.filePath)) continue;
       let content;
       try {
-        content = readFileSync24(join28(projectRoot, file.filePath), "utf-8");
+        content = readFileSync25(join29(projectRoot, file.filePath), "utf-8");
       } catch {
         continue;
       }
@@ -14046,13 +14940,13 @@ async function scanSecurity(projectRoot, graph, options = {}) {
   };
 }
 function detectPackageManager(projectRoot) {
-  if (existsSync18(join29(projectRoot, "package.json"))) return "npm";
-  if (existsSync18(join29(projectRoot, "requirements.txt"))) return "pip";
-  if (existsSync18(join29(projectRoot, "pyproject.toml"))) return "pip";
-  if (existsSync18(join29(projectRoot, "Cargo.toml"))) return "cargo";
-  if (existsSync18(join29(projectRoot, "go.mod"))) return "go";
-  if (existsSync18(join29(projectRoot, "pom.xml"))) return "maven";
-  if (existsSync18(join29(projectRoot, "build.gradle")) || existsSync18(join29(projectRoot, "build.gradle.kts"))) return "gradle";
+  if (existsSync19(join30(projectRoot, "package.json"))) return "npm";
+  if (existsSync19(join30(projectRoot, "requirements.txt"))) return "pip";
+  if (existsSync19(join30(projectRoot, "pyproject.toml"))) return "pip";
+  if (existsSync19(join30(projectRoot, "Cargo.toml"))) return "cargo";
+  if (existsSync19(join30(projectRoot, "go.mod"))) return "go";
+  if (existsSync19(join30(projectRoot, "pom.xml"))) return "maven";
+  if (existsSync19(join30(projectRoot, "build.gradle")) || existsSync19(join30(projectRoot, "build.gradle.kts"))) return "gradle";
   return "unknown";
 }