fivosense 0.1.0

package/dist/cli/index.d.ts

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+/**
+ * FivoSense CLI
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;GAEG"}

package/dist/cli/index.js

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+/**
+ * FivoSense CLI
+ */
+import { auditFile, formatAuditResult } from '../index.js';
+const args = process.argv.slice(2);
+if (args.length === 0) {
+    console.log(`
+🛡️  FivoSense - Neuro-symbolic AI Security Scanner
+
+Usage:
+  npx fivosense <file>
+  npx fivosense audit <file>
+
+Example:
+  npx fivosense src/server.js
+  `);
+    process.exit(0);
+}
+const command = args[0];
+const filepath = args[1] || args[0];
+async function main() {
+    try {
+        console.log(`\n🔍 Auditing ${filepath}...\n`);
+        const result = await auditFile(filepath);
+        const output = formatAuditResult(result);
+        console.log(output);
+        // Exit with error code if critical/high findings
+        if (result.summary.critical > 0 || result.summary.high > 0) {
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`\n❌ Error: ${error.message}\n`);
+        process.exit(1);
+    }
+}
+main();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAE3D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;GASX,CAAC,CAAC;IACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC;AAEpC,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,iBAAiB,QAAQ,OAAO,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAEzC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,iDAAiD;QACjD,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,cAAc,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}

package/dist/editors/vscode.d.ts

@@ -0,0 +1,30 @@
+/**
+ * VS Code Extension Adapter
+ * Integrates FivoSense with VS Code
+ */
+export interface VSCodeDiagnostic {
+    file: string;
+    line: number;
+    column: number;
+    severity: 'error' | 'warning' | 'info';
+    message: string;
+    source: string;
+    code?: string;
+}
+/**
+ * Convert FivoSense results to VS Code diagnostics
+ */
+export declare function analyzeWorkspace(files: string[]): Promise<VSCodeDiagnostic[]>;
+/**
+ * Quick fix provider for VS Code
+ */
+export declare function provideCodeActions(diagnostic: VSCodeDiagnostic): any[];
+/**
+ * VS Code command handlers
+ */
+export declare const commands: {
+    'fivosense.scan': (uri: string) => Promise<string>;
+    'fivosense.fix': (file: string, line: number) => Promise<string>;
+    'fivosense.explain': (diagnostic: VSCodeDiagnostic) => Promise<string>;
+};
+//# sourceMappingURL=vscode.d.ts.map

package/dist/editors/vscode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vscode.d.ts","sourceRoot":"","sources":["../../src/editors/vscode.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAoDnF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,gBAAgB,GAAG,GAAG,EAAE,CA4BtE;AAED;;GAEG;AACH,eAAO,MAAM,QAAQ;4BACW,MAAM;4BAKN,MAAM,QAAQ,MAAM;sCAKV,gBAAgB;CAGzD,CAAC"}

package/dist/editors/vscode.js

@@ -0,0 +1,103 @@
+/**
+ * VS Code Extension Adapter
+ * Integrates FivoSense with VS Code
+ */
+import { auditFile, formatAuditResult } from '../index.js';
+/**
+ * Convert FivoSense results to VS Code diagnostics
+ */
+export async function analyzeWorkspace(files) {
+    const diagnostics = [];
+    for (const file of files) {
+        try {
+            const result = await auditFile(file);
+            // Convert vulnerabilities to diagnostics
+            result.vulnerabilities.forEach(vuln => {
+                diagnostics.push({
+                    file,
+                    line: vuln.location.line,
+                    column: vuln.location.column,
+                    severity: vuln.severity === 'critical' ? 'error' : 'warning',
+                    message: `${vuln.finding}: ${vuln.path}`,
+                    source: 'FivoSense',
+                    code: vuln.cwe,
+                });
+            });
+            // Convert secrets to diagnostics
+            result.secrets.forEach(secret => {
+                diagnostics.push({
+                    file,
+                    line: secret.line,
+                    column: 0,
+                    severity: 'error',
+                    message: `${secret.description}: ${secret.match}`,
+                    source: 'FivoSense',
+                    code: 'SECRET',
+                });
+            });
+            // Convert destructive commands to diagnostics
+            result.destructive.forEach(cmd => {
+                diagnostics.push({
+                    file,
+                    line: 0,
+                    column: 0,
+                    severity: 'error',
+                    message: `${cmd.description} (${cmd.category})`,
+                    source: 'FivoSense',
+                    code: 'DESTRUCTIVE',
+                });
+            });
+        }
+        catch (error) {
+            // Skip files that can't be analyzed
+            console.error(`Error analyzing ${file}:`, error);
+        }
+    }
+    return diagnostics;
+}
+/**
+ * Quick fix provider for VS Code
+ */
+export function provideCodeActions(diagnostic) {
+    const actions = [];
+    // Add quick fix action
+    actions.push({
+        title: 'Fix with FivoSense',
+        kind: 'quickfix',
+        diagnostics: [diagnostic],
+        command: {
+            command: 'fivosense.fix',
+            title: 'Apply Fix',
+            arguments: [diagnostic.file, diagnostic.line],
+        },
+    });
+    // Add explain action
+    actions.push({
+        title: 'Explain vulnerability',
+        kind: 'info',
+        diagnostics: [diagnostic],
+        command: {
+            command: 'fivosense.explain',
+            title: 'Show Details',
+            arguments: [diagnostic],
+        },
+    });
+    return actions;
+}
+/**
+ * VS Code command handlers
+ */
+export const commands = {
+    'fivosense.scan': async (uri) => {
+        const result = await auditFile(uri);
+        return formatAuditResult(result);
+    },
+    'fivosense.fix': async (file, line) => {
+        // TODO: Implement fix application
+        return 'Fix applied';
+    },
+    'fivosense.explain': async (diagnostic) => {
+        return `Security Issue: ${diagnostic.message}\n\nFile: ${diagnostic.file}:${diagnostic.line}`;
+    },
+};
+//# sourceMappingURL=vscode.js.map

package/dist/editors/vscode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vscode.js","sourceRoot":"","sources":["../../src/editors/vscode.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAY3D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAe;IACpD,MAAM,WAAW,GAAuB,EAAE,CAAC;IAE3C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;YAErC,yCAAyC;YACzC,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;gBACpC,WAAW,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;oBACxB,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;oBAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;oBAC5D,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,IAAI,EAAE;oBACxC,MAAM,EAAE,WAAW;oBACnB,IAAI,EAAE,IAAI,CAAC,GAAG;iBACf,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,iCAAiC;YACjC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;gBAC9B,WAAW,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,MAAM,EAAE,CAAC;oBACT,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,GAAG,MAAM,CAAC,WAAW,KAAK,MAAM,CAAC,KAAK,EAAE;oBACjD,MAAM,EAAE,WAAW;oBACnB,IAAI,EAAE,QAAQ;iBACf,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,8CAA8C;YAC9C,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;gBAC/B,WAAW,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,IAAI,EAAE,CAAC;oBACP,MAAM,EAAE,CAAC;oBACT,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,GAAG,GAAG,CAAC,WAAW,KAAK,GAAG,CAAC,QAAQ,GAAG;oBAC/C,MAAM,EAAE,WAAW;oBACnB,IAAI,EAAE,aAAa;iBACpB,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,oCAAoC;YACpC,OAAO,CAAC,KAAK,CAAC,mBAAmB,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAA4B;IAC7D,MAAM,OAAO,GAAG,EAAE,CAAC;IAEnB,uBAAuB;IACvB,OAAO,CAAC,IAAI,CAAC;QACX,KAAK,EAAE,oBAAoB;QAC3B,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,CAAC,UAAU,CAAC;QACzB,OAAO,EAAE;YACP,OAAO,EAAE,eAAe;YACxB,KAAK,EAAE,WAAW;YAClB,SAAS,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC;SAC9C;KACF,CAAC,CAAC;IAEH,qBAAqB;IACrB,OAAO,CAAC,IAAI,CAAC;QACX,KAAK,EAAE,uBAAuB;QAC9B,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,CAAC,UAAU,CAAC;QACzB,OAAO,EAAE;YACP,OAAO,EAAE,mBAAmB;YAC5B,KAAK,EAAE,cAAc;YACrB,SAAS,EAAE,CAAC,UAAU,CAAC;SACxB;KACF,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,gBAAgB,EAAE,KAAK,EAAE,GAAW,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;QACpC,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,eAAe,EAAE,KAAK,EAAE,IAAY,EAAE,IAAY,EAAE,EAAE;QACpD,kCAAkC;QAClC,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,mBAAmB,EAAE,KAAK,EAAE,UAA4B,EAAE,EAAE;QAC1D,OAAO,mBAAmB,UAAU,CAAC,OAAO,aAAa,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;IAChG,CAAC;CACF,CAAC"}

package/dist/engine/adversary.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Adversarial Verification - AI attacker proves exploitability
+ */
+import { TaintTrace } from './taint.js';
+export interface AdversarialResult {
+    exploitable: boolean;
+    confidence: number;
+    attackVector: string;
+    payload: string;
+    reasoning: string;
+}
+/**
+ * Generate adversarial attack prompt
+ */
+export declare function buildAdversarialPrompt(trace: TaintTrace, code: string): string;
+/**
+ * Parse adversarial response
+ */
+export declare function parseAdversarialResult(response: string): AdversarialResult | null;
+/**
+ * Placeholder for adversarial verification
+ */
+export declare function verifyWithAdversary(trace: TaintTrace, code: string): Promise<AdversarialResult>;
+//# sourceMappingURL=adversary.d.ts.map

package/dist/engine/adversary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adversary.d.ts","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAuC9E;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAiBjF;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,UAAU,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,iBAAiB,CAAC,CAa5B"}

package/dist/engine/adversary.js

@@ -0,0 +1,83 @@
+/**
+ * Adversarial Verification - AI attacker proves exploitability
+ */
+/**
+ * Generate adversarial attack prompt
+ */
+export function buildAdversarialPrompt(trace, code) {
+    return `You are a security researcher testing for vulnerabilities.
+
+**Vulnerability:** ${trace.finding}
+**Category:** ${trace.category}
+**CWE:** ${trace.cwe || 'N/A'}
+
+**Data Flow:**
+${trace.path}
+
+**Code:**
+\`\`\`javascript
+${code}
+\`\`\`
+
+**Your Task:**
+Try to exploit this vulnerability. If you can create a working exploit, respond with:
+
+\`\`\`json
+{
+  "exploitable": true,
+  "confidence": 0.0-1.0,
+  "attackVector": "description of attack",
+  "payload": "actual exploit payload",
+  "reasoning": "why this works"
+}
+\`\`\`
+
+If you CANNOT exploit it (properly sanitized), respond with:
+
+\`\`\`json
+{
+  "exploitable": false,
+  "confidence": 0.0-1.0,
+  "attackVector": "none",
+  "payload": "",
+  "reasoning": "why exploitation failed"
+}
+\`\`\``;
+}
+/**
+ * Parse adversarial response
+ */
+export function parseAdversarialResult(response) {
+    try {
+        const jsonMatch = response.match(/\{[\s\S]*\}/);
+        if (!jsonMatch)
+            return null;
+        const parsed = JSON.parse(jsonMatch[0]);
+        return {
+            exploitable: Boolean(parsed.exploitable),
+            confidence: Number(parsed.confidence) || 0.5,
+            attackVector: String(parsed.attackVector || ''),
+            payload: String(parsed.payload || ''),
+            reasoning: String(parsed.reasoning || ''),
+        };
+    }
+    catch (error) {
+        return null;
+    }
+}
+/**
+ * Placeholder for adversarial verification
+ */
+export async function verifyWithAdversary(trace, code) {
+    const prompt = buildAdversarialPrompt(trace, code);
+    // TODO: Phase 3 - integrate with host AI
+    console.warn('⚠️  Adversarial verification not yet integrated');
+    return {
+        exploitable: true,
+        confidence: 0.7,
+        attackVector: 'Adversarial verification not yet integrated',
+        payload: '',
+        reasoning: 'Marked as potentially exploitable until AI attacker confirms',
+    };
+}
+//# sourceMappingURL=adversary.js.map

package/dist/engine/adversary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adversary.js","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAiB,EAAE,IAAY;IACpE,OAAO;;qBAEY,KAAK,CAAC,OAAO;gBAClB,KAAK,CAAC,QAAQ;WACnB,KAAK,CAAC,GAAG,IAAI,KAAK;;;EAG3B,KAAK,CAAC,IAAI;;;;EAIV,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BC,CAAC;AACR,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAExC,OAAO;YACL,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;YACxC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG;YAC5C,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;YAC/C,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YACrC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;SAC1C,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAiB,EACjB,IAAY;IAEZ,MAAM,MAAM,GAAG,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAEnD,yCAAyC;IACzC,OAAO,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAEhE,OAAO;QACL,WAAW,EAAE,IAAI;QACjB,UAAU,EAAE,GAAG;QACf,YAAY,EAAE,6CAA6C;QAC3D,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,8DAA8D;KAC1E,CAAC;AACJ,CAAC"}

package/dist/engine/graph.d.ts

@@ -0,0 +1,38 @@
+/**
+ * FivoCore Graph Builder
+ */
+import * as t from '@babel/types';
+import { SourcePattern } from './sources.js';
+import { SinkPattern } from './sinks.js';
+export interface DataFlowNode {
+    id: string;
+    type: 'source' | 'sink' | 'variable' | 'function';
+    name: string;
+    value?: string;
+    loc?: t.SourceLocation | null;
+    sourcePattern?: SourcePattern;
+    sinkPattern?: SinkPattern;
+}
+export interface DataFlowEdge {
+    from: string;
+    to: string;
+    type: 'assignment' | 'call' | 'return' | 'parameter';
+    loc?: t.SourceLocation | null;
+}
+export interface TaintPath {
+    source: DataFlowNode;
+    sink: DataFlowNode;
+    path: DataFlowNode[];
+    sanitized: boolean;
+    confidence: number;
+}
+export interface DataFlowGraph {
+    nodes: Map<string, DataFlowNode>;
+    edges: DataFlowEdge[];
+    taintPaths: TaintPath[];
+}
+export declare function buildDataFlowGraph(code: string, filename?: string): DataFlowGraph;
+export declare function getVulnerablePaths(graph: DataFlowGraph): TaintPath[];
+export declare function getPathsBySeverity(graph: DataFlowGraph, severity: 'critical' | 'high' | 'medium'): TaintPath[];
+export declare function formatTaintPath(path: TaintPath): string;
+//# sourceMappingURL=graph.d.ts.map

package/dist/engine/graph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../src/engine/graph.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAClC,OAAO,EAAY,aAAa,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EAAU,WAAW,EAAE,MAAM,YAAY,CAAC;AAKjD,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,UAAU,GAAG,UAAU,CAAC;IAClD,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,CAAC,CAAC,cAAc,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,YAAY,GAAG,MAAM,GAAG,QAAQ,GAAG,WAAW,CAAC;IACrD,GAAG,CAAC,EAAE,CAAC,CAAC,cAAc,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,YAAY,CAAC;IACrB,IAAI,EAAE,YAAY,CAAC;IACnB,IAAI,EAAE,YAAY,EAAE,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACjC,KAAK,EAAE,YAAY,EAAE,CAAC;IACtB,UAAU,EAAE,SAAS,EAAE,CAAC;CACzB;AAOD,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,SAAa,GAAG,aAAa,CAuGrF;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,aAAa,GAAG,SAAS,EAAE,CAEpE;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,EAAE,CAE9G;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,CAIvD"}

package/dist/engine/graph.js

@@ -0,0 +1,131 @@
+/**
+ * FivoCore Graph Builder
+ */
+import { parse } from '@babel/parser';
+import * as traverseModule from '@babel/traverse';
+import * as t from '@babel/types';
+import { isSource } from './sources.js';
+import { isSink } from './sinks.js';
+// @ts-ignore - Handle CJS/ESM interop
+const traverse = traverseModule.default ?? traverseModule;
+const SANITIZERS = new Set([
+    'parseInt', 'parseFloat', 'Number', 'escape', 'escapeHtml', 'sanitize',
+    'validator.escape', 'validator.trim', 'encodeURIComponent', 'encodeURI',
+]);
+export function buildDataFlowGraph(code, filename = 'input.js') {
+    const ast = parse(code, {
+        sourceType: 'module',
+        plugins: ['jsx', 'typescript'],
+        errorRecovery: true,
+    });
+    const graph = { nodes: new Map(), edges: [], taintPaths: [] };
+    const taintedVars = new Map();
+    let nodeIdCounter = 0;
+    const getNodeId = () => `node_${nodeIdCounter++}`;
+    function addNode(node) {
+        graph.nodes.set(node.id, node);
+        return node;
+    }
+    function nodeToString(node) {
+        if (t.isMemberExpression(node)) {
+            const obj = nodeToString(node.object);
+            const prop = t.isIdentifier(node.property) ? node.property.name : '';
+            return `${obj}.${prop}`;
+        }
+        return t.isIdentifier(node) ? node.name : t.isStringLiteral(node) ? node.value : '';
+    }
+    function getCalleeName(node) {
+        if (t.isIdentifier(node))
+            return node.name;
+        if (t.isMemberExpression(node)) {
+            const obj = t.isIdentifier(node.object) ? node.object.name : '';
+            const prop = t.isIdentifier(node.property) ? node.property.name : '';
+            return `${obj}.${prop}`;
+        }
+        return '';
+    }
+    function findTaintedVars(node) {
+        const results = [];
+        if (t.isIdentifier(node)) {
+            const taint = taintedVars.get(node.name);
+            if (taint)
+                results.push({ varName: node.name, taint });
+        }
+        else if (t.isTemplateLiteral(node)) {
+            node.expressions.forEach(expr => results.push(...findTaintedVars(expr)));
+        }
+        else if (t.isBinaryExpression(node)) {
+            results.push(...findTaintedVars(node.left), ...findTaintedVars(node.right));
+        }
+        else if (t.isCallExpression(node)) {
+            node.arguments.forEach(arg => !t.isSpreadElement(arg) && results.push(...findTaintedVars(arg)));
+        }
+        return results;
+    }
+    traverse(ast, {
+        VariableDeclarator(path) {
+            const { id, init } = path.node;
+            if (t.isIdentifier(id) && init) {
+                const varName = id.name;
+                const sourcePattern = isSource(nodeToString(init));
+                if (sourcePattern) {
+                    const node = addNode({
+                        id: getNodeId(), type: 'source', name: varName, value: nodeToString(init),
+                        loc: path.node.loc, sourcePattern,
+                    });
+                    taintedVars.set(varName, { source: sourcePattern, sanitized: false, node });
+                }
+                else {
+                    const taintedSources = findTaintedVars(init);
+                    if (taintedSources.length > 0) {
+                        const firstTaint = taintedSources[0].taint;
+                        taintedVars.set(varName, { source: firstTaint.source, sanitized: firstTaint.sanitized, node: firstTaint.node });
+                    }
+                }
+            }
+        },
+        CallExpression(path) {
+            const { callee, arguments: args } = path.node;
+            if (SANITIZERS.has(getCalleeName(callee))) {
+                args.forEach((arg) => {
+                    if (t.isIdentifier(arg)) {
+                        const taint = taintedVars.get(arg.name);
+                        if (taint)
+                            taint.sanitized = true;
+                    }
+                });
+                return;
+            }
+            const sinkPattern = isSink(nodeToString(callee));
+            if (sinkPattern) {
+                const sinkNode = addNode({
+                    id: getNodeId(), type: 'sink', name: getCalleeName(callee),
+                    loc: path.node.loc, sinkPattern,
+                });
+                args.forEach((arg) => {
+                    if (t.isSpreadElement(arg))
+                        return;
+                    findTaintedVars(arg).forEach(({ taint }) => {
+                        graph.taintPaths.push({
+                            source: taint.node, sink: sinkNode, path: [taint.node, sinkNode],
+                            sanitized: taint.sanitized, confidence: taint.sanitized ? 0.3 : 0.9,
+                        });
+                    });
+                });
+            }
+        },
+    });
+    return graph;
+}
+export function getVulnerablePaths(graph) {
+    return graph.taintPaths.filter(p => !p.sanitized);
+}
+export function getPathsBySeverity(graph, severity) {
+    return graph.taintPaths.filter(p => p.sink.sinkPattern?.severity === severity);
+}
+export function formatTaintPath(path) {
+    const sourceStr = `${path.source.value} (${path.source.sourcePattern?.description})`;
+    const sinkStr = `${path.sink.name} (${path.sink.sinkPattern?.description})`;
+    return `${sourceStr} → ${sinkStr}`;
+}
+//# sourceMappingURL=graph.js.map

package/dist/engine/graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.js","sourceRoot":"","sources":["../../src/engine/graph.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,KAAK,cAAc,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAiB,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,MAAM,EAAe,MAAM,YAAY,CAAC;AAEjD,sCAAsC;AACtC,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC;AAiC1D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;IACtE,kBAAkB,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,WAAW;CACxE,CAAC,CAAC;AAEH,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,QAAQ,GAAG,UAAU;IACpE,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE;QACtB,UAAU,EAAE,QAAQ;QACpB,OAAO,EAAE,CAAC,KAAK,EAAE,YAAY,CAAC;QAC9B,aAAa,EAAE,IAAI;KACpB,CAAC,CAAC;IAEH,MAAM,KAAK,GAAkB,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC7E,MAAM,WAAW,GAAG,IAAI,GAAG,EAA6E,CAAC;IACzG,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC,QAAQ,aAAa,EAAE,EAAE,CAAC;IAElD,SAAS,OAAO,CAAC,IAAkB;QACjC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,YAAY,CAAC,IAAY;QAChC,IAAI,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,OAAO,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,CAAC;IAED,SAAS,aAAa,CAAC,IAAY;QACjC,IAAI,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC;QAC3C,IAAI,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,OAAO,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,SAAS,eAAe,CAAC,IAAY;QACnC,MAAM,OAAO,GAA2C,EAAE,CAAC;QAC3D,IAAI,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzC,IAAI,KAAK;gBAAE,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,CAAC;aAAM,IAAI,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3E,CAAC;aAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9E,CAAC;aAAM,IAAI,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClG,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEA,QAAgB,CAAC,GAAG,EAAE;QACrB,kBAAkB,CAAC,IAAS;YAC1B,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;YAC/B,IAAI,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC;gBAC/B,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,CAAC;gBACxB,MAAM,aAAa,GAAG,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;gBACnD,IAAI,aAAa,EAAE,CAAC;oBAClB,MAAM,IAAI,GAAG,OAAO,CAAC;wBACnB,EAAE,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,CAAC,IAAI,CAAC;wBACzE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa;qBAClC,CAAC,CAAC;oBACH,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC9E,CAAC;qBAAM,CAAC;oBACN,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;oBAC7C,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;wBAC3C,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;oBAClH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,cAAc,CAAC,IAAS;YACtB,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;YAC9C,IAAI,UAAU,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC1C,IAAI,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,EAAE;oBACxB,IAAI,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;wBACxB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;wBACxC,IAAI,KAAK;4BAAE,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC;oBACpC,CAAC;gBACH,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YACjD,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,QAAQ,GAAG,OAAO,CAAC;oBACvB,EAAE,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC;oBAC1D,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW;iBAChC,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,EAAE;oBACxB,IAAI,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC;wBAAE,OAAO;oBACnC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;wBACzC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;4BACpB,MAAM,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC;4BAChE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;yBACpE,CAAC,CAAC;oBACL,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;KACF,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAoB;IACrD,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAoB,EAAE,QAAwC;IAC/F,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAe;IAC7C,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,GAAG,CAAC;IACrF,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,CAAC;IAC5E,OAAO,GAAG,SAAS,MAAM,OAAO,EAAE,CAAC;AACrC,CAAC"}

package/dist/engine/reach.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Reachability Analysis - Filters code to only entry-point reachable paths
+ * This reduces analysis surface by ~97% (OpenAnt research)
+ */
+export interface ReachabilityResult {
+    reachableFunctions: Set<string>;
+    reachableLines: Set<number>;
+    entryPoints: string[];
+    totalFunctions: number;
+    reachableFunctionCount: number;
+    reductionPercent: number;
+}
+/**
+ * Analyze reachability from entry points
+ */
+export declare function analyzeReachability(code: string): ReachabilityResult;
+export declare function filterReachablePaths<T extends {
+    location: {
+        line: number;
+    };
+}>(paths: T[], reachability: ReachabilityResult): T[];
+//# sourceMappingURL=reach.d.ts.map

package/dist/engine/reach.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reach.d.ts","sourceRoot":"","sources":["../../src/engine/reach.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAeD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,CAiEpE;AA8BD,wBAAgB,oBAAoB,CAAC,CAAC,SAAS;IAAE,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,EAC3E,KAAK,EAAE,CAAC,EAAE,EACV,YAAY,EAAE,kBAAkB,GAC/B,CAAC,EAAE,CAKL"}

package/dist/engine/reach.js

@@ -0,0 +1,107 @@
+/**
+ * Reachability Analysis - Filters code to only entry-point reachable paths
+ * This reduces analysis surface by ~97% (OpenAnt research)
+ */
+import { parse } from '@babel/parser';
+import * as traverseModule from '@babel/traverse';
+import * as t from '@babel/types';
+// @ts-ignore
+const traverse = traverseModule.default ?? traverseModule;
+/**
+ * Common entry points in web applications
+ */
+const ENTRY_POINT_PATTERNS = [
+    /^app\.(get|post|put|delete|patch)/,
+    /^router\.(get|post|put|delete|patch)/,
+    /^exports\./,
+    /^module\.exports/,
+    /^export /,
+    /addEventListener/,
+    /^on[A-Z]/,
+];
+/**
+ * Analyze reachability from entry points
+ */
+export function analyzeReachability(code) {
+    const ast = parse(code, {
+        sourceType: 'module',
+        plugins: ['jsx', 'typescript'],
+        errorRecovery: true,
+    });
+    const entryPoints = [];
+    const allFunctions = new Set();
+    const reachableFunctions = new Set();
+    const reachableLines = new Set();
+    const functionCalls = new Map();
+    traverse(ast, {
+        FunctionDeclaration(path) {
+            const name = path.node.id?.name;
+            if (name) {
+                allFunctions.add(name);
+            }
+        },
+        CallExpression(path) {
+            const callee = getCalleeName(path.node.callee);
+            if (isEntryPoint(callee)) {
+                entryPoints.push(callee);
+                const callback = path.node.arguments[1] || path.node.arguments[0];
+                if (t.isFunctionExpression(callback) || t.isArrowFunctionExpression(callback)) {
+                    markReachable(callback, reachableFunctions, reachableLines);
+                }
+            }
+        },
+    });
+    const visited = new Set();
+    const queue = [...entryPoints];
+    while (queue.length > 0) {
+        const current = queue.shift();
+        if (visited.has(current))
+            continue;
+        visited.add(current);
+        reachableFunctions.add(current);
+        const callees = functionCalls.get(current) || new Set();
+        for (const callee of callees) {
+            if (!visited.has(callee)) {
+                queue.push(callee);
+            }
+        }
+    }
+    const totalFuncs = allFunctions.size || 1;
+    const reachableFuncs = reachableFunctions.size;
+    const reduction = ((totalFuncs - reachableFuncs) / totalFuncs) * 100;
+    return {
+        reachableFunctions,
+        reachableLines,
+        entryPoints,
+        totalFunctions: totalFuncs,
+        reachableFunctionCount: reachableFuncs,
+        reductionPercent: reduction,
+    };
+}
+function isEntryPoint(callee) {
+    return ENTRY_POINT_PATTERNS.some(pattern => pattern.test(callee));
+}
+function getCalleeName(node) {
+    if (t.isIdentifier(node))
+        return node.name;
+    if (t.isMemberExpression(node)) {
+        const obj = t.isIdentifier(node.object) ? node.object.name : '';
+        const prop = t.isIdentifier(node.property) ? node.property.name : '';
+        return `${obj}.${prop}`;
+    }
+    return '';
+}
+function markReachable(node, reachableFunctions, reachableLines) {
+    if (t.isFunctionExpression(node) || t.isArrowFunctionExpression(node)) {
+        if (node.loc) {
+            for (let i = node.loc.start.line; i <= node.loc.end.line; i++) {
+                reachableLines.add(i);
+            }
+        }
+    }
+}
+export function filterReachablePaths(paths, reachability) {
+    return paths.filter(path => reachability.reachableLines.size === 0 ||
+        reachability.reachableLines.has(path.location.line));
+}
+//# sourceMappingURL=reach.js.map

package/dist/engine/reach.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reach.js","sourceRoot":"","sources":["../../src/engine/reach.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,KAAK,cAAc,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAElC,aAAa;AACb,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC;AAW1D;;GAEG;AACH,MAAM,oBAAoB,GAAG;IAC3B,mCAAmC;IACnC,sCAAsC;IACtC,YAAY;IACZ,kBAAkB;IAClB,UAAU;IACV,kBAAkB;IAClB,UAAU;CACX,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE;QACtB,UAAU,EAAE,QAAQ;QACpB,OAAO,EAAE,CAAC,KAAK,EAAE,YAAY,CAAC;QAC9B,aAAa,EAAE,IAAI;KACpB,CAAC,CAAC;IAEH,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC7C,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACzC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEpD,QAAgB,CAAC,GAAG,EAAE;QACrB,mBAAmB,CAAC,IAAS;YAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC;YAChC,IAAI,IAAI,EAAE,CAAC;gBACT,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,cAAc,CAAC,IAAS;YACtB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAE/C,IAAI,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBAClE,IAAI,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9E,aAAa,CAAC,QAAQ,EAAE,kBAAkB,EAAE,cAAc,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,KAAK,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;IAE/B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QAC/B,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,SAAS;QACnC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAErB,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhC,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;QACxD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,IAAI,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC;IAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,UAAU,GAAG,cAAc,CAAC,GAAG,UAAU,CAAC,GAAG,GAAG,CAAC;IAErE,OAAO;QACL,kBAAkB;QAClB,cAAc;QACd,WAAW;QACX,cAAc,EAAE,UAAU;QAC1B,sBAAsB,EAAE,cAAc;QACtC,gBAAgB,EAAE,SAAS;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,IAAI,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC;IAC3C,IAAI,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,aAAa,CACpB,IAAY,EACZ,kBAA+B,EAC/B,cAA2B;IAE3B,IAAI,CAAC,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,yBAAyB,CAAC,IAAI,CAAC,EAAE,CAAC;QACtE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC9D,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAU,EACV,YAAgC;IAEhC,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CACzB,YAAY,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC;QACtC,YAAY,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CACpD,CAAC;AACJ,CAAC"}