docguard-cli 0.9.11 → 0.11.0

package/cli/scanners/routes.mjs

@@ -8,6 +8,7 @@
 
 import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
 import { resolve, join, relative, basename, extname, dirname } from 'node:path';
+import { resolveSourceRoots } from '../shared-source.mjs';
 
 const IGNORE_DIRS = new Set([
   'node_modules', '.git', '.next', 'dist', 'build', 'coverage',
@@ -19,9 +20,10 @@ const IGNORE_DIRS = new Set([
  * @param {string} dir - Project root
  * @param {object} stack - Detected tech stack
  * @param {object} docTools - Detected doc tools (may include OpenAPI)
+ * @param {object} [opts] - { config } — config enables monorepo-aware source roots
  * @returns {Array} Array of route objects { method, path, handler, file, auth, description }
  */
-export function scanRoutesDeep(dir, stack, docTools) {
+export function scanRoutesDeep(dir, stack, docTools, opts = {}) {
   // Priority 1: Use OpenAPI spec if available (most accurate)
   if (docTools?.openapi?.found && docTools.openapi.endpoints?.length > 0) {
     return docTools.openapi.endpoints.map(ep => ({
@@ -31,30 +33,49 @@ export function scanRoutesDeep(dir, stack, docTools) {
     }));
   }
 
-  // Priority 2: Framework-specific code scanning
+  // Priority 2: Framework-specific code scanning.
+  // Monorepo-aware: when a config is supplied, scan the resolved source roots
+  // (honors config.sourceRoot + workspaces) instead of only root-relative dirs.
   const framework = stack?.framework || '';
   const routes = [];
+  const roots = opts.config ? resolveSourceRoots(dir, opts.config) : null;
 
   if (framework.includes('Next.js') || framework.includes('Next')) {
     routes.push(...scanNextJsRoutes(dir));
   }
 
   if (framework.includes('Express') || !framework) {
-    routes.push(...scanExpressRoutes(dir));
+    routes.push(...scanExpressRoutes(dir, roots));
   }
 
   if (framework.includes('Fastify')) {
-    routes.push(...scanFastifyRoutes(dir));
+    routes.push(...scanFastifyRoutes(dir, roots));
   }
 
   if (framework.includes('Hono')) {
-    routes.push(...scanHonoRoutes(dir));
+    routes.push(...scanHonoRoutes(dir, roots));
   }
 
   if (framework.includes('Django')) {
     routes.push(...scanDjangoRoutes(dir));
   }
 
+  if (framework.includes('Spring') || framework.includes('Java')) {
+    routes.push(...scanSpringBootRoutes(dir));
+  }
+
+  if (framework.includes('Rails') || framework.includes('Ruby')) {
+    routes.push(...scanRailsRoutes(dir));
+  }
+
+  if (framework.includes('Gin') || framework.includes('Echo') || framework.includes('Chi') || framework.includes('Fiber') || framework.includes('Go')) {
+    routes.push(...scanGoWebRoutes(dir));
+  }
+
+  if (framework.includes('Axum') || framework.includes('Actix') || framework.includes('Rocket') || framework.includes('Warp') || framework.includes('Rust')) {
+    routes.push(...scanRustWebRoutes(dir));
+  }
+
   if (framework.includes('FastAPI') || framework.includes('Flask')) {
     routes.push(...scanFastAPIRoutes(dir));
   }
@@ -167,13 +188,16 @@ function scanNextJsRoutes(dir) {
 
 // ── Express / Generic Node.js ───────────────────────────────────────────────
 
-function scanExpressRoutes(dir) {
+function scanExpressRoutes(dir, roots = null) {
   const routes = [];
   const routePattern = /(?:app|router|server)\s*\.\s*(get|post|put|delete|patch|head|options)\s*\(\s*['"`]([^'"`]+)['"`]/gi;
 
-  const searchDirs = ['src', 'routes', 'api', 'server', 'lib'];
-  for (const searchDir of searchDirs) {
-    const fullDir = resolve(dir, searchDir);
+  // Monorepo-aware: walk resolved absolute source roots when provided,
+  // otherwise fall back to conventional root-relative directories.
+  const searchTargets = roots && roots.length
+    ? roots
+    : ['src', 'routes', 'api', 'server', 'lib'].map(d => resolve(dir, d));
+  for (const fullDir of searchTargets) {
     if (!existsSync(fullDir)) continue;
 
     walkRouteDirs(fullDir, (filePath) => {
@@ -224,42 +248,47 @@ function scanExpressRoutes(dir) {
 
 // ── Fastify ─────────────────────────────────────────────────────────────────
 
-function scanFastifyRoutes(dir) {
+function scanFastifyRoutes(dir, roots = null) {
   const routes = [];
   const pattern = /(?:fastify|server|app)\s*\.\s*(get|post|put|delete|patch)\s*\(\s*['"`]([^'"`]+)['"`]/gi;
 
-  walkRouteDirs(resolve(dir, 'src'), (filePath) => {
-    if (!isJSFile(filePath)) return;
-    const content = readFileSafe(filePath);
-    if (!content) return;
+  const searchTargets = roots && roots.length ? roots : [resolve(dir, 'src')];
+  for (const fullDir of searchTargets) {
+    if (!existsSync(fullDir)) continue;
+    walkRouteDirs(fullDir, (filePath) => {
+      if (!isJSFile(filePath)) return;
+      const content = readFileSafe(filePath);
+      if (!content) return;
 
-    let match;
-    const regex = new RegExp(pattern.source, 'gi');
-    while ((match = regex.exec(content)) !== null) {
-      routes.push({
-        method: match[1].toUpperCase(),
-        path: match[2],
-        handler: extractHandlerName(content, match.index),
-        file: relative(dir, filePath),
-        source: 'fastify',
-        auth: hasAuthCheck(content),
-        description: extractNearbyComment(content, match.index),
-      });
-    }
-  });
+      let match;
+      const regex = new RegExp(pattern.source, 'gi');
+      while ((match = regex.exec(content)) !== null) {
+        routes.push({
+          method: match[1].toUpperCase(),
+          path: match[2],
+          handler: extractHandlerName(content, match.index),
+          file: relative(dir, filePath),
+          source: 'fastify',
+          auth: hasAuthCheck(content),
+          description: extractNearbyComment(content, match.index),
+        });
+      }
+    });
+  }
 
   return routes;
 }
 
 // ── Hono ────────────────────────────────────────────────────────────────────
 
-function scanHonoRoutes(dir) {
+function scanHonoRoutes(dir, roots = null) {
   const routes = [];
   const pattern = /(?:app|router)\s*\.\s*(get|post|put|delete|patch)\s*\(\s*['"`]([^'"`]+)['"`]/gi;
 
-  const searchDirs = ['src', '.'];
-  for (const searchDir of searchDirs) {
-    const fullDir = resolve(dir, searchDir);
+  const searchTargets = roots && roots.length
+    ? roots
+    : ['src', '.'].map(d => resolve(dir, d));
+  for (const fullDir of searchTargets) {
     if (!existsSync(fullDir)) continue;
 
     walkRouteDirs(fullDir, (filePath) => {
@@ -344,6 +373,139 @@ function scanFastAPIRoutes(dir) {
   return routes;
 }
 
+// ── Spring Boot (Java/Kotlin) ────────────────────────────────────────────────
+
+function scanSpringBootRoutes(dir) {
+  const routes = [];
+  // Method-level verb annotations (NOT @RequestMapping — that's class-level base).
+  // Optional path; bare `@PostMapping` means "base path only".
+  const verbMap = /@(Get|Post|Put|Delete|Patch)Mapping(?:\s*\(\s*(?:value\s*=\s*)?["']([^"']*)["'])?/g;
+  const classBase = /@RequestMapping\s*\(\s*(?:value\s*=\s*)?["']([^"']+)["'][^)]*\)\s*[\r\n][\s\S]*?(?:public\s+)?class\s+\w+/;
+
+  const javaFiles = findFiles(dir, /\.(java|kt)$/);
+  for (const filePath of javaFiles) {
+    const content = readFileSafe(filePath);
+    if (!content || !content.includes('Mapping')) continue;
+
+    // Class-level base path, if any.
+    const cb = classBase.exec(content);
+    const basePath = cb ? cb[1] : '';
+    const authPresent = /@PreAuthorize|@Secured|SecurityContext/.test(content);
+
+    let match;
+    const re = new RegExp(verbMap.source, 'g');
+    while ((match = re.exec(content)) !== null) {
+      const method = match[1].toUpperCase();
+      const sub = match[2] || '';
+      const path = (basePath + sub).replace(/\/+/g, '/') || '/';
+      routes.push({
+        method, path,
+        handler: '', file: relative(dir, filePath), source: 'spring-boot',
+        auth: authPresent, description: '',
+      });
+    }
+  }
+  return routes;
+}
+
+// ── Rails (Ruby) — config/routes.rb ──────────────────────────────────────────
+
+function scanRailsRoutes(dir) {
+  const routes = [];
+  const routesFile = resolve(dir, 'config/routes.rb');
+  if (!existsSync(routesFile)) return routes;
+  const content = readFileSafe(routesFile);
+  if (!content) return routes;
+
+  // Verb DSL: get '/x', post '/x', etc.  AND  resources :things (RESTful 7 actions)
+  const verbDsl = /^\s*(get|post|put|patch|delete)\s+['"]([^'"]+)['"]/gm;
+  let m;
+  while ((m = verbDsl.exec(content)) !== null) {
+    routes.push({
+      method: m[1].toUpperCase(),
+      path: m[2].startsWith('/') ? m[2] : '/' + m[2],
+      handler: '', file: 'config/routes.rb', source: 'rails', auth: false, description: '',
+    });
+  }
+  // resources :users → 7 standard RESTful routes.
+  const resourcesRe = /^\s*resources\s+:([a-z_]+)/gm;
+  while ((m = resourcesRe.exec(content)) !== null) {
+    const r = m[1];
+    const base = `/${r}`;
+    const seven = [
+      ['GET', base], ['GET', `${base}/new`], ['POST', base],
+      ['GET', `${base}/:id`], ['GET', `${base}/:id/edit`],
+      ['PATCH', `${base}/:id`], ['DELETE', `${base}/:id`],
+    ];
+    for (const [method, path] of seven) {
+      routes.push({ method, path, handler: '', file: 'config/routes.rb', source: 'rails', auth: false, description: '' });
+    }
+  }
+  return routes;
+}
+
+// ── Go web frameworks (Gin / Echo / Chi / Fiber / std mux) ───────────────────
+
+function scanGoWebRoutes(dir) {
+  const routes = [];
+  // Generic: <recv>.<METHOD>("/path", handler)  for Gin/Echo/Chi/Fiber/mux.Router
+  const pattern = /\.(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|HandleFunc|Handle)\s*\(\s*["']([^"']+)["']/g;
+  const goFiles = findFiles(dir, /\.go$/);
+  for (const filePath of goFiles) {
+    const content = readFileSafe(filePath);
+    if (!content) continue;
+    let m;
+    const re = new RegExp(pattern.source, 'g');
+    while ((m = re.exec(content)) !== null) {
+      const verb = m[1];
+      // HandleFunc / Handle are method-agnostic.
+      const method = ['HandleFunc', 'Handle'].includes(verb) ? 'ANY' : verb;
+      const path = m[2];
+      if (!path.startsWith('/')) continue;
+      routes.push({
+        method, path,
+        handler: '', file: relative(dir, filePath), source: 'go-web',
+        auth: /Authorization|jwt\.|middleware\.Auth/.test(content),
+        description: '',
+      });
+    }
+  }
+  return routes;
+}
+
+// ── Rust web frameworks (Axum / Actix / Rocket / Warp) ───────────────────────
+
+function scanRustWebRoutes(dir) {
+  const routes = [];
+  const rsFiles = findFiles(dir, /\.rs$/);
+  for (const filePath of rsFiles) {
+    const content = readFileSafe(filePath);
+    if (!content) continue;
+
+    // Axum: .route("/x", get(handler)) / .route("/x", post(handler).get(handler))
+    const axum = /\.route\s*\(\s*"([^"]+)"\s*,\s*([a-z]+)\s*\(/g;
+    let m;
+    while ((m = axum.exec(content)) !== null) {
+      const method = m[2].toUpperCase();
+      if (!['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS'].includes(method)) continue;
+      routes.push({ method, path: m[1], handler: '', file: relative(dir, filePath), source: 'axum', auth: false, description: '' });
+    }
+
+    // Actix-web: .route("/x", web::get().to(handler))
+    const actix = /\.route\s*\(\s*"([^"]+)"\s*,\s*web::(get|post|put|delete|patch)\(\)/g;
+    while ((m = actix.exec(content)) !== null) {
+      routes.push({ method: m[2].toUpperCase(), path: m[1], handler: '', file: relative(dir, filePath), source: 'actix', auth: false, description: '' });
+    }
+
+    // Rocket: #[get("/x")] etc.
+    const rocket = /#\[(get|post|put|delete|patch)\(\s*"([^"]+)"/g;
+    while ((m = rocket.exec(content)) !== null) {
+      routes.push({ method: m[1].toUpperCase(), path: m[2], handler: '', file: relative(dir, filePath), source: 'rocket', auth: false, description: '' });
+    }
+  }
+  return routes;
+}
+
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
 function readFileSafe(path) {

package/cli/scanners/schemas.mjs

@@ -69,6 +69,15 @@ export function scanSchemasDeep(dir, stack, docTools) {
     relationships.push(...mongooseResult.relationships);
   }
 
+  // ── Multi-language model scanners (additive; supports polyglot repos) ──
+  for (const scanner of [scanPythonModels, scanRustModels, scanGoModels, scanJpaModels, scanRailsModels]) {
+    const result = scanner(dir);
+    if (result.entities.length > 0) {
+      entities.push(...result.entities);
+      relationships.push(...(result.relationships || []));
+    }
+  }
+
   return {
     entities,
     relationships,
@@ -490,6 +499,170 @@ function mapMongooseType(type) {
   return map[type] || type;
 }
 
+// ── Python: SQLAlchemy + Pydantic ────────────────────────────────────────────
+
+function scanPythonModels(dir) {
+  const entities = [];
+  const relationships = [];
+  walkDir(dir, (filePath) => {
+    if (!filePath.endsWith('.py')) return;
+    const content = readFileSafe(filePath);
+    if (!content) return;
+    if (!/class\s+\w+\s*\([^)]*(Base|BaseModel|db\.Model|Model|SQLModel)/.test(content)) return;
+
+    // SQLAlchemy ORM: class X(Base): __tablename__ = "x"; id = Column(...)
+    const ormRe = /class\s+(\w+)\s*\([^)]*(?:Base|db\.Model|SQLModel)[^)]*\):([\s\S]*?)(?=\nclass\s+\w+|\n*$)/g;
+    let m;
+    while ((m = ormRe.exec(content)) !== null) {
+      const name = m[1];
+      const body = m[2];
+      const fields = [];
+      const colRe = /^\s*(\w+)\s*=\s*(?:mapped_column|Column)\s*\(\s*([A-Za-z_]+)(?:\([^)]*\))?([^)]*)\)/gm;
+      let cm;
+      while ((cm = colRe.exec(body)) !== null) {
+        const required = !/nullable\s*=\s*True/.test(cm[3]);
+        fields.push({ name: cm[1], type: cm[2], required, description: '' });
+      }
+      const relRe = /(\w+)\s*[:=]\s*(?:Mapped\[[^\]]*?["'](\w+)["']|relationship\s*\(\s*["'](\w+)["'])/g;
+      let rm;
+      while ((rm = relRe.exec(body)) !== null) {
+        relationships.push({ from: name, to: rm[2] || rm[3], type: 'related' });
+      }
+      if (fields.length > 0) entities.push({ name, fields, file: filePath, source: 'sqlalchemy' });
+    }
+
+    // Pydantic / SQLModel: class X(BaseModel): name: str
+    const pydRe = /class\s+(\w+)\s*\([^)]*(?:BaseModel|SQLModel)[^)]*\):([\s\S]*?)(?=\nclass\s+\w+|\n*$)/g;
+    while ((m = pydRe.exec(content)) !== null) {
+      const name = m[1];
+      if (entities.some(e => e.name === name)) continue;
+      const body = m[2];
+      const fields = [];
+      const fieldRe = /^\s{2,}(\w+)\s*:\s*([\w\[\],\s|]+?)(?:\s*=\s*([^\n]+))?$/gm;
+      let fm;
+      while ((fm = fieldRe.exec(body)) !== null) {
+        const fname = fm[1];
+        if (/^[A-Z_]+$/.test(fname)) continue;
+        const type = fm[2].trim();
+        const required = !/Optional|None|None\s*$/.test(type + (fm[3] || ''));
+        fields.push({ name: fname, type, required, description: '' });
+      }
+      if (fields.length > 0) entities.push({ name, fields, file: filePath, source: 'pydantic' });
+    }
+  });
+  return { entities, relationships };
+}
+
+// ── Rust: Diesel `table! { ... }` ─────────────────────────────────────────────
+
+function scanRustModels(dir) {
+  const entities = [];
+  walkDir(dir, (filePath) => {
+    if (!filePath.endsWith('.rs')) return;
+    const content = readFileSafe(filePath);
+    if (!content || !content.includes('table!')) return;
+    const tableRe = /table!\s*\{\s*(\w+)\s*\([^)]*\)\s*\{([\s\S]*?)\}\s*\}/g;
+    let m;
+    while ((m = tableRe.exec(content)) !== null) {
+      const name = m[1];
+      const body = m[2];
+      const fields = [];
+      const colRe = /(\w+)\s*->\s*(\w+)/g;
+      let cm;
+      while ((cm = colRe.exec(body)) !== null) {
+        fields.push({ name: cm[1], type: cm[2], required: !/Nullable/.test(cm[2]), description: '' });
+      }
+      if (fields.length > 0) entities.push({ name, fields, file: filePath, source: 'diesel' });
+    }
+  });
+  return { entities, relationships: [] };
+}
+
+// ── Go: structs with json/gorm/db tags ───────────────────────────────────────
+
+function scanGoModels(dir) {
+  const entities = [];
+  walkDir(dir, (filePath) => {
+    if (!filePath.endsWith('.go')) return;
+    const content = readFileSafe(filePath);
+    if (!content || !/`[^`]*\b(json|gorm|db|bson):/.test(content)) return;
+    const structRe = /type\s+(\w+)\s+struct\s*\{([\s\S]*?)\}/g;
+    let m;
+    while ((m = structRe.exec(content)) !== null) {
+      const name = m[1];
+      const body = m[2];
+      const fields = [];
+      const fieldRe = /^\s*(\w+)\s+([\w*.\[\]]+)\s+`([^`]+)`/gm;
+      let fm;
+      while ((fm = fieldRe.exec(body)) !== null) {
+        const fname = fm[1];
+        const ftype = fm[2];
+        const tag = fm[3];
+        if (!/\b(json|gorm|db|bson):/.test(tag)) continue;
+        const required = !tag.includes('omitempty');
+        fields.push({ name: fname, type: ftype, required, description: '' });
+      }
+      if (fields.length > 0) entities.push({ name, fields, file: filePath, source: 'go-struct' });
+    }
+  });
+  return { entities, relationships: [] };
+}
+
+// ── Java/Kotlin: JPA @Entity ─────────────────────────────────────────────────
+
+function scanJpaModels(dir) {
+  const entities = [];
+  walkDir(dir, (filePath) => {
+    if (!/\.(java|kt)$/.test(filePath)) return;
+    const content = readFileSafe(filePath);
+    if (!content || !content.includes('@Entity')) return;
+    const classRe = /@Entity[\s\S]*?class\s+(\w+)\s*(?:\([^)]*\))?\s*\{([\s\S]*?)^\}/gm;
+    let m;
+    while ((m = classRe.exec(content)) !== null) {
+      const name = m[1];
+      const body = m[2];
+      const fields = [];
+      const fieldRe = /(?:private|public|protected|val|var)\s+([\w<>]+)\s+(\w+)\s*[;=]/g;
+      let fm;
+      while ((fm = fieldRe.exec(body)) !== null) {
+        const ftype = fm[1];
+        const fname = fm[2];
+        if (/^(boolean|int|long|short|byte|float|double|char)$/.test(ftype) || /^[A-Z]/.test(ftype)) {
+          fields.push({ name: fname, type: ftype, required: true, description: '' });
+        }
+      }
+      if (fields.length > 0) entities.push({ name, fields, file: filePath, source: 'jpa' });
+    }
+  });
+  return { entities, relationships: [] };
+}
+
+// ── Rails: ActiveRecord migrations + schema.rb ───────────────────────────────
+
+function scanRailsModels(dir) {
+  const entities = [];
+  walkDir(dir, (filePath) => {
+    if (!/db\/(migrate|schema\.rb)/.test(filePath) || !filePath.endsWith('.rb')) return;
+    const content = readFileSafe(filePath);
+    if (!content || !content.includes('create_table')) return;
+    const tableRe = /create_table\s+:(\w+)\s+do\s+\|t\|([\s\S]*?)end/g;
+    let m;
+    while ((m = tableRe.exec(content)) !== null) {
+      const name = m[1];
+      const body = m[2];
+      const fields = [{ name: 'id', type: 'integer', required: true, description: '' }];
+      const colRe = /t\.(string|text|integer|float|decimal|datetime|date|time|boolean|json|binary|references)\s+:(\w+)(?:\s*,\s*([^,\n]+))?/g;
+      let cm;
+      while ((cm = colRe.exec(body)) !== null) {
+        const required = !!cm[3] && /null:\s*false/.test(cm[3]);
+        fields.push({ name: cm[2], type: cm[1], required, description: '' });
+      }
+      entities.push({ name, fields, file: filePath, source: 'rails-migration' });
+    }
+  });
+  return { entities, relationships: [] };
+}
+
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
 function extractOpenAPIRelationships(schemas) {
@@ -526,7 +699,7 @@ function walkDir(dir, callback) {
       const fullPath = join(dir, entry.name);
       if (entry.isDirectory()) {
         walkDir(fullPath, callback);
-      } else if (entry.isFile() && /\.(js|mjs|cjs|ts|tsx|jsx|py)$/.test(entry.name)) {
+      } else if (entry.isFile() && /\.(js|mjs|cjs|ts|tsx|jsx|py|rs|go|java|kt|rb)$/.test(entry.name)) {
         callback(fullPath);
       }
     }