dravix-agent 0.1.0

package/dist/engines/eslint.js

@@ -0,0 +1,245 @@
+/**
+ * ESLint adapter — uses ESLint as a library (no subprocess), pinned to a small
+ * "high-signal for AI-generated code" ruleset.
+ *
+ * Specifically targets the async-foot-gun bugs that LLMs produce constantly:
+ *   - no-floating-promises (Promise.then without return/await)
+ *   - no-misused-promises (Promise in conditions)
+ *   - require-await
+ *   - no-unsafe-assignment (TS)
+ *   - no-unused-vars (catches half-written code)
+ *
+ * Loads `@typescript-eslint/parser` so it works on .ts/.tsx too.
+ */
+import { basename } from "node:path";
+import { makeFindingId } from "../findings.js";
+import { getLogger } from "../util/logger.js";
+const log = getLogger("aegis.engine.eslint");
+const SUPPORTED = ["javascript", "typescript", "jsx", "tsx"];
+const RULES = {
+    // built-in
+    "no-unused-vars": "warn",
+    "no-undef": "error",
+    eqeqeq: "warn",
+    "no-eval": "error",
+    "no-implied-eval": "error",
+    "no-throw-literal": "warn",
+    "no-self-compare": "warn",
+    "no-constant-condition": "warn",
+    "no-unreachable": "warn",
+    "no-fallthrough": "warn",
+};
+// TS rules that work WITHOUT type information. The four highest-signal async
+// rules (no-floating-promises, no-misused-promises, no-unsafe-assignment,
+// no-unsafe-call) are type-aware and need a real tsconfig + parserOptions
+// {project: ...}; Phase 1 adds project context and we re-enable them there.
+const TS_RULES = {
+    "@typescript-eslint/no-unused-vars": "warn",
+};
+/**
+ * Common globals available in Node + browser + worker + es2024 environments.
+ * Without this, `no-undef` floods on every `process`, `setTimeout`, `console`,
+ * `Buffer`, etc. — total noise on real Node code.
+ *
+ * Kept minimal-and-hard-coded to avoid pulling in the 'globals' npm package
+ * (which would add another runtime dep for ~20 names).
+ */
+const GLOBALS = {
+    // Node + JS runtime
+    process: "readonly",
+    Buffer: "readonly",
+    __dirname: "readonly",
+    __filename: "readonly",
+    global: "readonly",
+    globalThis: "readonly",
+    require: "readonly",
+    module: "readonly",
+    exports: "writable",
+    console: "readonly",
+    setTimeout: "readonly",
+    clearTimeout: "readonly",
+    setInterval: "readonly",
+    clearInterval: "readonly",
+    setImmediate: "readonly",
+    clearImmediate: "readonly",
+    queueMicrotask: "readonly",
+    URL: "readonly",
+    URLSearchParams: "readonly",
+    TextEncoder: "readonly",
+    TextDecoder: "readonly",
+    AbortController: "readonly",
+    AbortSignal: "readonly",
+    fetch: "readonly",
+    Headers: "readonly",
+    Request: "readonly",
+    Response: "readonly",
+    performance: "readonly",
+    structuredClone: "readonly",
+    // Browser (common — included so we don't false-positive on isomorphic code)
+    window: "readonly",
+    document: "readonly",
+    localStorage: "readonly",
+    sessionStorage: "readonly",
+    navigator: "readonly",
+    // Worker
+    self: "readonly",
+};
+function langToParser(lang) {
+    return lang === "typescript" || lang === "tsx"
+        ? "@typescript-eslint/parser"
+        : "espree";
+}
+function sevMap(s) {
+    return s === 2 ? "high" : "medium";
+}
+function confFor(s) {
+    return s === 2 ? 0.85 : 0.7;
+}
+let _Linter = null;
+let _tsParser = null;
+let _tsPlugin = null;
+let _attempted = false;
+/**
+ * The TS-eslint packages publish a CJS index that, when imported as ESM,
+ * wraps the real exports under `.default`. Pick the right shape so flat
+ * config sees a real ``plugin.rules`` / parser.parseForESLint``.
+ */
+function unwrapDefault(mod) {
+    if (mod &&
+        typeof mod === "object" &&
+        "default" in mod) {
+        return mod.default;
+    }
+    return mod;
+}
+async function tryLoad() {
+    if (_attempted) {
+        if (_Linter)
+            return { Linter: _Linter, tsParser: _tsParser, tsPlugin: _tsPlugin };
+        return null;
+    }
+    _attempted = true;
+    try {
+        const { Linter } = await import("eslint");
+        _Linter = Linter;
+    }
+    catch (err) {
+        log.warn("eslint not installed", { err: String(err) });
+        return null;
+    }
+    try {
+        const mod = await import("@typescript-eslint/parser");
+        _tsParser = unwrapDefault(mod);
+    }
+    catch {
+        _tsParser = null;
+    }
+    try {
+        const mod = await import("@typescript-eslint/eslint-plugin");
+        _tsPlugin = unwrapDefault(mod);
+    }
+    catch {
+        _tsPlugin = null;
+    }
+    return { Linter: _Linter, tsParser: _tsParser, tsPlugin: _tsPlugin };
+}
+export class ESLintEngine {
+    name = "eslint";
+    languages = SUPPORTED;
+    async available() {
+        const loaded = await tryLoad();
+        return loaded !== null;
+    }
+    async run(input) {
+        const t0 = Date.now();
+        const loaded = await tryLoad();
+        if (!loaded) {
+            return {
+                engine: this.name,
+                findings: [],
+                unavailable: true,
+                durationMs: Date.now() - t0,
+                reason: "eslint_not_installed",
+            };
+        }
+        const { Linter, tsParser, tsPlugin } = loaded;
+        const isTs = input.lang === "typescript" || input.lang === "tsx";
+        const parser = langToParser(input.lang);
+        // The new flat-config style: pass `config` to `verify` directly.
+        const rules = { ...RULES };
+        if (isTs && tsPlugin) {
+            Object.assign(rules, TS_RULES);
+        }
+        const linter = new Linter({ configType: "flat" });
+        // files glob is REQUIRED for ESLint 9 flat config when the filename is an
+        // absolute path outside cwd — without it, verify() returns
+        // "No matching configuration found for <path>".
+        const config = [
+            {
+                files: ["**/*.{js,jsx,mjs,cjs,ts,tsx}"],
+                languageOptions: {
+                    ecmaVersion: "latest",
+                    sourceType: "module",
+                    globals: GLOBALS,
+                    ...(isTs && tsParser ? { parser: tsParser } : {}),
+                    ...(input.lang === "jsx" || input.lang === "tsx"
+                        ? { parserOptions: { ecmaFeatures: { jsx: true } } }
+                        : {}),
+                },
+                ...(isTs && tsPlugin
+                    ? { plugins: { "@typescript-eslint": tsPlugin } }
+                    : {}),
+                rules,
+            },
+        ];
+        let messages = [];
+        try {
+            // Pass just the basename — ESLint flat-config glob matching is relative
+            // to cwd, so an absolute path outside cwd never matches `**/*.js` and
+            // returns "No matching configuration found".
+            const filenameForVerify = basename(input.filePath);
+            messages = linter.verify(input.content, config, {
+                filename: filenameForVerify,
+            });
+        }
+        catch (err) {
+            log.debug("verify threw", { err: String(err) });
+            return {
+                engine: this.name,
+                findings: [],
+                unavailable: true,
+                durationMs: Date.now() - t0,
+                reason: `verify_threw: ${String(err).slice(0, 100)}`,
+            };
+        }
+        const findings = [];
+        for (const m of messages) {
+            const rule = m.ruleId ?? "syntax_error";
+            const sev = sevMap(m.severity);
+            findings.push({
+                id: makeFindingId({
+                    engine: this.name,
+                    file: input.filePath,
+                    line: m.line,
+                    rule_id: rule,
+                }),
+                engine: "eslint",
+                file: input.filePath,
+                line: m.line,
+                col: m.column,
+                rule_id: rule,
+                severity: sev,
+                message: m.message.slice(0, 1900),
+                confidence: confFor(m.severity),
+                source: "lint",
+            });
+        }
+        return {
+            engine: this.name,
+            findings,
+            unavailable: false,
+            durationMs: Date.now() - t0,
+        };
+    }
+}
+//# sourceMappingURL=eslint.js.map

package/dist/engines/eslint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eslint.js","sourceRoot":"","sources":["../../src/engines/eslint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAGrC,OAAO,EAAW,aAAa,EAAY,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C,MAAM,GAAG,GAAG,SAAS,CAAC,qBAAqB,CAAC,CAAC;AAE7C,MAAM,SAAS,GAAwB,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AAElF,MAAM,KAAK,GAAqC;IAC9C,WAAW;IACX,gBAAgB,EAAE,MAAM;IACxB,UAAU,EAAE,OAAO;IACnB,MAAM,EAAE,MAAM;IACd,SAAS,EAAE,OAAO;IAClB,iBAAiB,EAAE,OAAO;IAC1B,kBAAkB,EAAE,MAAM;IAC1B,iBAAiB,EAAE,MAAM;IACzB,uBAAuB,EAAE,MAAM;IAC/B,gBAAgB,EAAE,MAAM;IACxB,gBAAgB,EAAE,MAAM;CACzB,CAAC;AAEF,6EAA6E;AAC7E,0EAA0E;AAC1E,0EAA0E;AAC1E,4EAA4E;AAC5E,MAAM,QAAQ,GAAqC;IACjD,mCAAmC,EAAE,MAAM;CAC5C,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,OAAO,GAA4C;IACvD,oBAAoB;IACpB,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,UAAU;IAClB,SAAS,EAAE,UAAU;IACrB,UAAU,EAAE,UAAU;IACtB,MAAM,EAAE,UAAU;IAClB,UAAU,EAAE,UAAU;IACtB,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,UAAU;IACnB,OAAO,EAAE,UAAU;IACnB,UAAU,EAAE,UAAU;IACtB,YAAY,EAAE,UAAU;IACxB,WAAW,EAAE,UAAU;IACvB,aAAa,EAAE,UAAU;IACzB,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,UAAU;IAC1B,cAAc,EAAE,UAAU;IAC1B,GAAG,EAAE,UAAU;IACf,eAAe,EAAE,UAAU;IAC3B,WAAW,EAAE,UAAU;IACvB,WAAW,EAAE,UAAU;IACvB,eAAe,EAAE,UAAU;IAC3B,WAAW,EAAE,UAAU;IACvB,KAAK,EAAE,UAAU;IACjB,OAAO,EAAE,UAAU;IACnB,OAAO,EAAE,UAAU;IACnB,QAAQ,EAAE,UAAU;IACpB,WAAW,EAAE,UAAU;IACvB,eAAe,EAAE,UAAU;IAC3B,4EAA4E;IAC5E,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,UAAU;IACxB,cAAc,EAAE,UAAU;IAC1B,SAAS,EAAE,UAAU;IACrB,SAAS;IACT,IAAI,EAAE,UAAU;CACjB,CAAC;AAYF,SAAS,YAAY,CAAC,IAAU;IAC9B,OAAO,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,KAAK;QAC5C,CAAC,CAAC,2BAA2B;QAC7B,CAAC,CAAC,QAAQ,CAAC;AACf,CAAC;AAED,SAAS,MAAM,CAAC,CAAQ;IACtB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;AACrC,CAAC;AAED,SAAS,OAAO,CAAC,CAAQ;IACvB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9B,CAAC;AAED,IAAI,OAAO,GAAmB,IAAI,CAAC;AACnC,IAAI,SAAS,GAAmB,IAAI,CAAC;AACrC,IAAI,SAAS,GAAmB,IAAI,CAAC;AACrC,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB;;;;GAIG;AACH,SAAS,aAAa,CAAc,GAAY;IAC9C,IACE,GAAG;QACH,OAAO,GAAG,KAAK,QAAQ;QACvB,SAAS,IAAK,GAA+B,EAC7C,CAAC;QACD,OAAQ,GAA+B,CAAC,OAAY,CAAC;IACvD,CAAC;IACD,OAAO,GAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,OAAO;IAKpB,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,OAAO;YAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;QAClF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,UAAU,GAAG,IAAI,CAAC;IAClB,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC1C,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACtD,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,IAAI,CAAC;IACnB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;QAC7D,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,IAAI,CAAC;IACnB,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACvE,CAAC;AAED,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,QAAQ,CAAC;IAChB,SAAS,GAAG,SAAS,CAAC;IAE/B,KAAK,CAAC,SAAS;QACb,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC;QAC/B,OAAO,MAAM,KAAK,IAAI,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAqB;QAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,EAAE;gBACZ,WAAW,EAAE,IAAI;gBACjB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBAC3B,MAAM,EAAE,sBAAsB;aAC/B,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,KAAK,YAAY,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC;QACjE,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAExC,iEAAiE;QACjE,MAAM,KAAK,GAAqC,EAAE,GAAG,KAAK,EAAE,CAAC;QAC7D,IAAI,IAAI,IAAI,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACjC,CAAC;QAaD,MAAM,MAAM,GAAG,IAAK,MAAqB,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,0EAA0E;QAC1E,2DAA2D;QAC3D,gDAAgD;QAChD,MAAM,MAAM,GAAmC;YAC7C;gBACE,KAAK,EAAE,CAAC,8BAA8B,CAAC;gBACvC,eAAe,EAAE;oBACf,WAAW,EAAE,QAAQ;oBACrB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,OAAO;oBAChB,GAAG,CAAC,IAAI,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;wBAC9C,CAAC,CAAC,EAAE,aAAa,EAAE,EAAE,YAAY,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;wBACpD,CAAC,CAAC,EAAE,CAAC;iBACR;gBACD,GAAG,CAAC,IAAI,IAAI,QAAQ;oBAClB,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,oBAAoB,EAAE,QAAQ,EAAE,EAAE;oBACjD,CAAC,CAAC,EAAE,CAAC;gBACP,KAAK;aACN;SACF,CAAC;QACF,IAAI,QAAQ,GAAiC,EAAE,CAAC;QAChD,IAAI,CAAC;YACH,wEAAwE;YACxE,sEAAsE;YACtE,6CAA6C;YAC7C,MAAM,iBAAiB,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACnD,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE;gBAC9C,QAAQ,EAAE,iBAAiB;aAC5B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChD,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,EAAE;gBACZ,WAAW,EAAE,IAAI;gBACjB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBAC3B,MAAM,EAAE,iBAAiB,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,IAAI,cAAc,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa,CAAC;oBAChB,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,IAAI,EAAE,KAAK,CAAC,QAAQ;oBACpB,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,OAAO,EAAE,IAAI;iBACd,CAAC;gBACF,MAAM,EAAE,QAAQ;gBAChB,IAAI,EAAE,KAAK,CAAC,QAAQ;gBACpB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,GAAG,EAAE,CAAC,CAAC,MAAM;gBACb,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,GAAG;gBACb,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;gBACjC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;gBAC/B,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QACD,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,IAAI;YACjB,QAAQ;YACR,WAAW,EAAE,KAAK;YAClB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;SAC5B,CAAC;IACJ,CAAC;CACF"}

package/dist/engines/joern.d.ts

@@ -0,0 +1,3 @@
+import type { Engine } from "./types.js";
+export declare const joernEngine: Engine;
+//# sourceMappingURL=joern.d.ts.map

package/dist/engines/joern.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"joern.d.ts","sourceRoot":"","sources":["../../src/engines/joern.ts"],"names":[],"mappings":"AAqBA,OAAO,KAAK,EAAE,MAAM,EAAmC,MAAM,YAAY,CAAC;AAgG1E,eAAO,MAAM,WAAW,EAAE,MAA0B,CAAC"}

package/dist/engines/joern.js

@@ -0,0 +1,98 @@
+/**
+ * Joern CPG engine adapter — reads pre-computed findings from cache.
+ *
+ * The actual CPG build + CPGQL query is in ``src/index/joern.ts``. This
+ * module is the realtime fast path: it reads the per-project
+ * ``findings.jsonl`` (written by ``aegis index --joern``), filters to the
+ * file currently under review, and returns a ``Finding[]``.
+ *
+ * If the cache is missing the engine reports ``unavailable: true`` with a
+ * reason that tells the user how to build it.
+ */
+import { existsSync, statSync } from "node:fs";
+import { findJoernDir, findJoernJdk, joernFindingsPath, joernInfoPath, readJoernFindings, } from "../index/joern.js";
+import { getLogger } from "../util/logger.js";
+const log = getLogger("aegis.engine.joern");
+/** Stale-cache warning threshold: if the cached findings.jsonl is older
+ * than this, we log a warn so users know to re-run ``aegis index --joern``.
+ * Doesn't change correctness — they still get the cached findings. */
+const STALE_WARN_AGE_MS = 24 * 60 * 60 * 1000; // 24 h
+class JoernEngine {
+    name = "joern";
+    languages = "all";
+    availabilityCache = null;
+    static AVAILABILITY_TTL_MS = 60_000;
+    async available() {
+        const now = Date.now();
+        if (this.availabilityCache &&
+            now - this.availabilityCache.checkedAt < JoernEngine.AVAILABILITY_TTL_MS) {
+            return this.availabilityCache.value;
+        }
+        // Engine is "available" iff joern + JDK 11..21 are installed. Absence
+        // of a cache for the current project is NOT unavailability — it just
+        // means run() will report "no cache, please run `aegis index --joern`".
+        const ok = findJoernDir() !== null && findJoernJdk() !== null;
+        this.availabilityCache = { value: ok, checkedAt: now };
+        return ok;
+    }
+    async run(input) {
+        const t0 = Date.now();
+        if (!input.projectRoot) {
+            return {
+                engine: this.name,
+                findings: [],
+                unavailable: false,
+                durationMs: Date.now() - t0,
+                reason: "no_project_root",
+            };
+        }
+        const findingsPath = joernFindingsPath(input.projectRoot);
+        const infoPath = joernInfoPath(input.projectRoot);
+        if (!existsSync(findingsPath) || !existsSync(infoPath)) {
+            return {
+                engine: this.name,
+                findings: [],
+                unavailable: false,
+                durationMs: Date.now() - t0,
+                reason: "no_cpg_cache — run `aegis index --joern` to build",
+            };
+        }
+        // Optional stale check — warn but still serve.
+        try {
+            const age = Date.now() - statSync(findingsPath).mtimeMs;
+            if (age > STALE_WARN_AGE_MS) {
+                log.debug("joern findings cache is stale", { age_ms: age, path: findingsPath });
+            }
+        }
+        catch {
+            // ignore
+        }
+        const all = readJoernFindings(input.projectRoot);
+        // Findings carry POSIX-relative paths. Compare against the file's relative
+        // path (relative to projectRoot). On Windows the input.filePath may use
+        // backslashes; normalize before compare.
+        const relPath = toRelPosix(input.filePath, input.projectRoot);
+        // Also match by basename — sometimes Joern emits a path that differs from
+        // ours by leading drive-letter or symlink resolution. Basename match is a
+        // safe fallback that won't cross-contaminate (same basename in two dirs
+        // is rare in real projects).
+        const baseName = relPath.split("/").pop() ?? relPath;
+        const fileFindings = all.filter((f) => f.file === relPath || f.file === baseName || f.file.endsWith("/" + baseName));
+        return {
+            engine: this.name,
+            findings: fileFindings,
+            unavailable: false,
+            durationMs: Date.now() - t0,
+        };
+    }
+}
+function toRelPosix(filePath, projectRoot) {
+    const fp = filePath.replace(/\\/g, "/");
+    const root = projectRoot.replace(/\\/g, "/").replace(/\/+$/, "");
+    if (fp.toLowerCase().startsWith(root.toLowerCase() + "/")) {
+        return fp.slice(root.length + 1);
+    }
+    return fp;
+}
+export const joernEngine = new JoernEngine();
+//# sourceMappingURL=joern.js.map

package/dist/engines/joern.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"joern.js","sourceRoot":"","sources":["../../src/engines/joern.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,UAAU,EAAgB,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE7D,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,aAAa,EACb,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAG9C,MAAM,GAAG,GAAG,SAAS,CAAC,oBAAoB,CAAC,CAAC;AAE5C;;sEAEsE;AACtE,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO;AAEtD,MAAM,WAAW;IACN,IAAI,GAAG,OAAgB,CAAC;IACxB,SAAS,GAAG,KAAc,CAAC;IAE5B,iBAAiB,GAAiD,IAAI,CAAC;IACvE,MAAM,CAAU,mBAAmB,GAAG,MAAM,CAAC;IAErD,KAAK,CAAC,SAAS;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IACE,IAAI,CAAC,iBAAiB;YACtB,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,GAAG,WAAW,CAAC,mBAAmB,EACxE,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QACtC,CAAC;QACD,sEAAsE;QACtE,qEAAqE;QACrE,wEAAwE;QACxE,MAAM,EAAE,GAAG,YAAY,EAAE,KAAK,IAAI,IAAI,YAAY,EAAE,KAAK,IAAI,CAAC;QAC9D,IAAI,CAAC,iBAAiB,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;QACvD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAqB;QAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,EAAE;gBACZ,WAAW,EAAE,KAAK;gBAClB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBAC3B,MAAM,EAAE,iBAAiB;aAC1B,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,iBAAiB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvD,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,EAAE;gBACZ,WAAW,EAAE,KAAK;gBAClB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBAC3B,MAAM,EAAE,mDAAmD;aAC5D,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC;YACxD,IAAI,GAAG,GAAG,iBAAiB,EAAE,CAAC;gBAC5B,GAAG,CAAC,KAAK,CAAC,+BAA+B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;YAClF,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,iBAAiB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACjD,2EAA2E;QAC3E,wEAAwE;QACxE,yCAAyC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC9D,0EAA0E;QAC1E,0EAA0E;QAC1E,wEAAwE;QACxE,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACrD,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC;QAErH,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,IAAI;YACjB,QAAQ,EAAE,YAAY;YACtB,WAAW,EAAE,KAAK;YAClB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;SAC5B,CAAC;IACJ,CAAC;;AAGH,SAAS,UAAU,CAAC,QAAgB,EAAE,WAAmB;IACvD,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACjE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAW,IAAI,WAAW,EAAE,CAAC"}

package/dist/engines/js-sinks.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Deterministic JavaScript / TypeScript dangerous-sinks scanner — no external binary.
+ *
+ * Covers the textbook patterns every JS/Node security linter flags:
+ *
+ *   Code execution / RCE (CWE-95)
+ *     - eval(<non-literal>)
+ *     - new Function(<...>)
+ *     - setTimeout/setInterval(<string>, ...)
+ *   XSS (CWE-79)
+ *     - element.innerHTML / outerHTML = <non-literal>
+ *     - document.write / writeln(<non-literal>)
+ *     - React dangerouslySetInnerHTML
+ *   Command injection (CWE-78)
+ *     - child_process.exec / execSync(<non-literal>)
+ *     - child_process.spawn / spawnSync({ shell: true })
+ *   Path traversal (CWE-22)
+ *     - fs.{read,write,unlink}File(req.params.x)
+ *   SSRF (CWE-918)
+ *     - axios/fetch/got/http.get(req.params.x)
+ *   Weak crypto (CWE-327 / CWE-338)
+ *     - crypto.createHash("md5"|"sha1")
+ *     - Math.random() in security-keyword context
+ *   JWT misuse (CWE-347 / CWE-798)
+ *     - jwt.verify(token, secret, { algorithms: ["none"] })
+ *     - jwt.sign(payload, "<short-hardcoded-secret>")
+ *     - jwt.verify without algorithms allowlist
+ *   Open redirect (CWE-601)
+ *     - res.redirect(req.query.x | req.body.x)
+ *   CORS misconfig (CWE-942)
+ *     - Access-Control-Allow-Origin: * AND Access-Control-Allow-Credentials: true
+ *   Prototype pollution (CWE-1321)
+ *     - lodash _.merge/set/setWith/defaultsDeep with req.body
+ *     - Object.assign(prototype, ...)
+ *
+ * Same architecture as python-sinks: per-rule regex + isDangerous predicate
+ * + optional fileGate; severity HIGH or CRITICAL, confidence 0.75; routes
+ * the LLM critic for refinement.
+ */
+import { Engine, EngineRunInput, EngineRunResult } from "./types.js";
+import { Lang } from "../lang.js";
+interface SinkRule {
+    id: string;
+    cwe: string;
+    severity: "high" | "critical";
+    what: string;
+    pattern: RegExp;
+    isDangerous: (firstArg: string, allArgs: string, fullContent?: string) => boolean;
+    fileGate?: (fullContent: string) => boolean;
+    remediation: string;
+}
+/** A JS arg "looks tainted" if it is NOT a pure string/number literal. */
+declare function looksTainted(arg: string): boolean;
+/** First positional arg from a parenthesized call body. */
+declare function firstPositionalArg(body: string): string;
+declare function containsTaintSource(s: string): boolean;
+export declare class JsSinksEngine implements Engine {
+    readonly name: "js-sinks";
+    readonly languages: ReadonlyArray<Lang>;
+    available(): Promise<boolean>;
+    run(input: EngineRunInput): Promise<EngineRunResult>;
+}
+export declare const _testing: {
+    RULES: readonly SinkRule[];
+    looksTainted: typeof looksTainted;
+    firstPositionalArg: typeof firstPositionalArg;
+    containsTaintSource: typeof containsTaintSource;
+};
+export {};
+//# sourceMappingURL=js-sinks.d.ts.map

package/dist/engines/js-sinks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"js-sinks.d.ts","sourceRoot":"","sources":["../../src/engines/js-sinks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAErE,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAGlC,UAAU,QAAQ;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,GAAG,UAAU,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IAClF,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,OAAO,CAAC;IAC5C,WAAW,EAAE,MAAM,CAAC;CACrB;AAID,0EAA0E;AAC1E,iBAAS,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAgB1C;AAED,2DAA2D;AAC3D,iBAAS,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAkBhD;AAOD,iBAAS,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAE/C;AA0RD,qBAAa,aAAc,YAAW,MAAM;IAC1C,QAAQ,CAAC,IAAI,EAAG,UAAU,CAAU;IACpC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,CAAgC;IAEjE,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAI7B,GAAG,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;CA6D3D;AAED,eAAO,MAAM,QAAQ;;;;;CAKpB,CAAC"}