npm - ghagga-core - Versions diffs - 2.6.0 → 2.8.0 - Mend

ghagga-core 2.6.0 → 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/dist/agents/consensus.d.ts +2 -0
package/dist/agents/consensus.d.ts.map +1 -1
package/dist/agents/consensus.js +1 -0
package/dist/agents/consensus.js.map +1 -1
package/dist/agents/diagnostic.d.ts +2 -0
package/dist/agents/diagnostic.d.ts.map +1 -1
package/dist/agents/diagnostic.js +1 -0
package/dist/agents/diagnostic.js.map +1 -1
package/dist/agents/fan-out-lenses.d.ts +92 -0
package/dist/agents/fan-out-lenses.d.ts.map +1 -0
package/dist/agents/fan-out-lenses.js +424 -0
package/dist/agents/fan-out-lenses.js.map +1 -0
package/dist/agents/simple.d.ts +2 -0
package/dist/agents/simple.d.ts.map +1 -1
package/dist/agents/simple.js +1 -0
package/dist/agents/simple.js.map +1 -1
package/dist/agents/workflow.d.ts +2 -0
package/dist/agents/workflow.d.ts.map +1 -1
package/dist/agents/workflow.js +2 -1
package/dist/agents/workflow.js.map +1 -1
package/dist/checklist/config.d.ts +22 -0
package/dist/checklist/config.d.ts.map +1 -0
package/dist/checklist/config.js +85 -0
package/dist/checklist/config.js.map +1 -0
package/dist/checklist/context.d.ts +22 -0
package/dist/checklist/context.d.ts.map +1 -0
package/dist/checklist/context.js +76 -0
package/dist/checklist/context.js.map +1 -0
package/dist/checklist/defaults.d.ts +12 -0
package/dist/checklist/defaults.d.ts.map +1 -0
package/dist/checklist/defaults.js +172 -0
package/dist/checklist/defaults.js.map +1 -0
package/dist/checklist/index.d.ts +14 -0
package/dist/checklist/index.d.ts.map +1 -0
package/dist/checklist/index.js +15 -0
package/dist/checklist/index.js.map +1 -0
package/dist/checklist/scorer.d.ts +58 -0
package/dist/checklist/scorer.d.ts.map +1 -0
package/dist/checklist/scorer.js +142 -0
package/dist/checklist/scorer.js.map +1 -0
package/dist/checklist/types.d.ts +39 -0
package/dist/checklist/types.d.ts.map +1 -0
package/dist/checklist/types.js +17 -0
package/dist/checklist/types.js.map +1 -0
package/dist/exploitability/analyzer.d.ts +75 -0
package/dist/exploitability/analyzer.d.ts.map +1 -0
package/dist/exploitability/analyzer.js +299 -0
package/dist/exploitability/analyzer.js.map +1 -0
package/dist/exploitability/index.d.ts +10 -0
package/dist/exploitability/index.d.ts.map +1 -0
package/dist/exploitability/index.js +10 -0
package/dist/exploitability/index.js.map +1 -0
package/dist/exploitability/types.d.ts +32 -0
package/dist/exploitability/types.d.ts.map +1 -0
package/dist/exploitability/types.js +9 -0
package/dist/exploitability/types.js.map +1 -0
package/dist/index.d.ts +15 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -2
package/dist/index.js.map +1 -1
package/dist/memory/context.d.ts +2 -0
package/dist/memory/context.d.ts.map +1 -1
package/dist/memory/context.js +2 -1
package/dist/memory/context.js.map +1 -1
package/dist/memory/contradiction.d.ts +46 -0
package/dist/memory/contradiction.d.ts.map +1 -0
package/dist/memory/contradiction.js +110 -0
package/dist/memory/contradiction.js.map +1 -0
package/dist/memory/decay.d.ts +25 -0
package/dist/memory/decay.d.ts.map +1 -0
package/dist/memory/decay.js +51 -0
package/dist/memory/decay.js.map +1 -0
package/dist/memory/search.d.ts.map +1 -1
package/dist/memory/search.js +1 -0
package/dist/memory/search.js.map +1 -1
package/dist/memory/sqlite.d.ts +21 -0
package/dist/memory/sqlite.d.ts.map +1 -1
package/dist/memory/sqlite.js +82 -7
package/dist/memory/sqlite.js.map +1 -1
package/dist/memory/versioning.d.ts +94 -0
package/dist/memory/versioning.d.ts.map +1 -0
package/dist/memory/versioning.js +350 -0
package/dist/memory/versioning.js.map +1 -0
package/dist/pipeline.d.ts.map +1 -1
package/dist/pipeline.js +117 -0
package/dist/pipeline.js.map +1 -1
package/dist/providers/index.d.ts.map +1 -1
package/dist/providers/index.js +7 -2
package/dist/providers/index.js.map +1 -1
package/dist/recursive/index.d.ts +45 -0
package/dist/recursive/index.d.ts.map +1 -0
package/dist/recursive/index.js +159 -0
package/dist/recursive/index.js.map +1 -0
package/dist/recursive/patch-extractor.d.ts +49 -0
package/dist/recursive/patch-extractor.d.ts.map +1 -0
package/dist/recursive/patch-extractor.js +133 -0
package/dist/recursive/patch-extractor.js.map +1 -0
package/dist/recursive/re-reviewer.d.ts +31 -0
package/dist/recursive/re-reviewer.d.ts.map +1 -0
package/dist/recursive/re-reviewer.js +66 -0
package/dist/recursive/re-reviewer.js.map +1 -0
package/dist/recursive/types.d.ts +62 -0
package/dist/recursive/types.d.ts.map +1 -0
package/dist/recursive/types.js +11 -0
package/dist/recursive/types.js.map +1 -0
package/dist/scope/context-builder.d.ts +37 -0
package/dist/scope/context-builder.d.ts.map +1 -0
package/dist/scope/context-builder.js +108 -0
package/dist/scope/context-builder.js.map +1 -0
package/dist/scope/diff-mapper.d.ts +29 -0
package/dist/scope/diff-mapper.d.ts.map +1 -0
package/dist/scope/diff-mapper.js +76 -0
package/dist/scope/diff-mapper.js.map +1 -0
package/dist/scope/extractor.d.ts +25 -0
package/dist/scope/extractor.d.ts.map +1 -0
package/dist/scope/extractor.js +264 -0
package/dist/scope/extractor.js.map +1 -0
package/dist/scope/index.d.ts +13 -0
package/dist/scope/index.d.ts.map +1 -0
package/dist/scope/index.js +16 -0
package/dist/scope/index.js.map +1 -0
package/dist/scope/parser.d.ts +47 -0
package/dist/scope/parser.d.ts.map +1 -0
package/dist/scope/parser.js +97 -0
package/dist/scope/parser.js.map +1 -0
package/dist/scope/queries.d.ts +23 -0
package/dist/scope/queries.d.ts.map +1 -0
package/dist/scope/queries.js +134 -0
package/dist/scope/queries.js.map +1 -0
package/dist/scope/types.d.ts +55 -0
package/dist/scope/types.d.ts.map +1 -0
package/dist/scope/types.js +8 -0
package/dist/scope/types.js.map +1 -0
package/dist/tools/execution.d.ts.map +1 -1
package/dist/tools/execution.js +2 -0
package/dist/tools/execution.js.map +1 -1
package/dist/tools/plugins/index.d.ts +1 -0
package/dist/tools/plugins/index.d.ts.map +1 -1
package/dist/tools/plugins/index.js +6 -5
package/dist/tools/plugins/index.js.map +1 -1
package/dist/tools/plugins/sonarqube.d.ts +54 -0
package/dist/tools/plugins/sonarqube.d.ts.map +1 -0
package/dist/tools/plugins/sonarqube.js +145 -0
package/dist/tools/plugins/sonarqube.js.map +1 -0
package/dist/tools/plugins/trivy.js +1 -1
package/dist/tools/plugins/trivy.js.map +1 -1
package/dist/tools/types.d.ts +7 -1
package/dist/tools/types.d.ts.map +1 -1
package/dist/types.d.ts +80 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js +9 -0
package/dist/types.js.map +1 -1
package/package.json +3 -1

package/dist/checklist/scorer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scorer.d.ts","sourceRoot":"","sources":["../../src/checklist/scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD,OAAO,KAAK,EAAkB,eAAe,EAAsB,MAAM,YAAY,CAAC;AAItF,2DAA2D;AAC3D,MAAM,WAAW,aAAa;IAC5B,iDAAiD;IACjD,YAAY,EAAE,MAAM,CAAC;IAErB,iDAAiD;IACjD,WAAW,EAAE,MAAM,CAAC;IAEpB,4FAA4F;IAC5F,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IAEvB,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAE3B,8DAA8D;IAC9D,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACnC,wDAAwD;IACxD,UAAU,EAAE,MAAM,CAAC;IAEnB,4EAA4E;IAC5E,QAAQ,EAAE,aAAa,EAAE,CAAC;IAE1B,mCAAmC;IACnC,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,4CAA4C;AAC5C,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACtB;AA+CD,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,SAAS,eAAe,EAAE,EACpC,MAAM,EAAE,eAAe,GACtB,oBAAoB,CAuDtB"}

package/dist/checklist/scorer.js ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * Checklist scoring engine — evaluates review findings against weighted checks.
+ *
+ * Maps each finding to the most relevant checklist dimension/check using
+ * keyword matching, then produces a weighted score sorted by severity.
+ */
+import { SEVERITY_MULTIPLIER } from './types.js';
+// ─── Keyword Maps ─────────────────────────────────────────────
+/**
+ * Keywords that map finding categories/messages to dimension IDs.
+ * Checked in order: first match wins.
+ */
+const DIMENSION_KEYWORDS = new Map([
+    ['solid', ['solid', 'single responsibility', 'srp', 'open closed', 'ocp', 'liskov', 'lsp', 'interface segregation', 'isp', 'dependency inversion', 'dip', 'coupling', 'cohesion', 'god class', 'fat interface']],
+    ['error-handling', ['error', 'exception', 'catch', 'throw', 'try', 'finally', 'unhandled', 'silent failure', 'swallow', 'propagat']],
+    ['boundary-conditions', ['boundary', 'null', 'undefined', 'empty', 'overflow', 'underflow', 'division by zero', 'nan', 'unicode', 'encoding', 'race condition', 'concurrent', 'off-by-one']],
+    ['security', ['security', 'injection', 'xss', 'csrf', 'auth', 'token', 'password', 'secret', 'credential', 'sensitive', 'sanitiz', 'validat', 'vulnerab', 'cve', 'exploit']],
+]);
+/**
+ * Keywords that map to specific check IDs within a dimension.
+ */
+const CHECK_KEYWORDS = new Map([
+    // SOLID
+    ['single-responsibility', ['single responsibility', 'srp', 'one reason to change', 'god class', 'too many responsibilities']],
+    ['open-closed', ['open closed', 'ocp', 'open for extension', 'closed for modification']],
+    ['liskov-substitution', ['liskov', 'lsp', 'substitut', 'subtype', 'base type']],
+    ['interface-segregation', ['interface segregation', 'isp', 'fat interface', 'too many methods']],
+    ['dependency-inversion', ['dependency inversion', 'dip', 'depend on abstraction', 'concrete dependency', 'coupling']],
+    // Error handling
+    ['error-propagation', ['error propagat', 'error context', 'wrap error', 'error chain']],
+    ['error-recovery', ['error recovery', 'graceful', 'fallback', 'retry', 'degrad']],
+    ['error-types', ['error type', 'specific error', 'generic error', 'custom error']],
+    ['silent-failures', ['silent', 'swallow', 'empty catch', 'ignore error']],
+    ['async-error-handling', ['async error', 'promise', 'unhandled rejection', 'await', '.catch']],
+    // Boundary conditions
+    ['null-undefined', ['null', 'undefined', 'nil', 'optional', 'nullable', 'nullish']],
+    ['empty-collections', ['empty array', 'empty list', 'empty map', 'empty string', 'length 0', 'size 0']],
+    ['numeric-limits', ['overflow', 'underflow', 'division by zero', 'nan', 'infinity', 'max safe integer']],
+    ['string-encoding', ['unicode', 'utf', 'encoding', 'multi-byte', 'special character']],
+    ['concurrency-bounds', ['race condition', 'concurrent', 'mutex', 'lock', 'deadlock', 'thread safe']],
+    // Security
+    ['input-validation', ['input validat', 'sanitiz', 'untrusted input', 'user input']],
+    ['auth-checks', ['auth', 'authentication', 'authorization', 'permission', 'access control']],
+    ['sensitive-data', ['sensitive data', 'password', 'token', 'secret', 'pii', 'credential', 'api key']],
+    ['injection-prevention', ['injection', 'xss', 'sql inject', 'command inject', 'path traversal']],
+    ['dependency-safety', ['dependency', 'vulnerab', 'cve', 'outdated', 'known vulnerab']],
+]);
+// ─── Scoring ──────────────────────────────────────────────────
+/**
+ * Score an array of findings against a resolved checklist configuration.
+ *
+ * Each finding is matched to the most relevant dimension and check
+ * using keyword analysis of its category and message fields.
+ * Unmatched findings are excluded from the score.
+ *
+ * @param findings - Array of findings to score
+ * @param config - Resolved checklist configuration (must be non-null and enabled)
+ * @returns Scored results sorted by weighted score descending
+ */
+export function scoreFindings(findings, config) {
+    const activeDimensions = config.dimensions.filter((d) => d.enabled);
+    if (activeDimensions.length === 0) {
+        return { totalScore: 0, findings: [], dimensionScores: [] };
+    }
+    const scored = [];
+    for (let i = 0; i < findings.length; i++) {
+        const finding = findings[i];
+        const match = matchFinding(finding, activeDimensions);
+        if (!match)
+            continue;
+        const severityMultiplier = SEVERITY_MULTIPLIER[finding.severity] ?? 1;
+        const score = match.weight * severityMultiplier;
+        scored.push({
+            findingIndex: i,
+            dimensionId: match.dimensionId,
+            checkId: match.checkId,
+            checkWeight: match.weight,
+            severityMultiplier,
+            score,
+        });
+    }
+    // Sort by score descending (highest severity first)
+    scored.sort((a, b) => b.score - a.score);
+    // Build dimension summaries
+    const dimMap = new Map();
+    for (const dim of activeDimensions) {
+        dimMap.set(dim.id, {
+            dimensionId: dim.id,
+            dimensionName: dim.name,
+            totalScore: 0,
+            findingCount: 0,
+        });
+    }
+    for (const sf of scored) {
+        const ds = dimMap.get(sf.dimensionId);
+        if (ds) {
+            ds.totalScore += sf.score;
+            ds.findingCount += 1;
+        }
+    }
+    const dimensionScores = Array.from(dimMap.values())
+        .filter((ds) => ds.findingCount > 0)
+        .sort((a, b) => b.totalScore - a.totalScore);
+    const totalScore = scored.reduce((sum, sf) => sum + sf.score, 0);
+    return { totalScore, findings: scored, dimensionScores };
+}
+const DEFAULT_DIMENSION_WEIGHT = 5;
+/**
+ * Match a finding to the best dimension and check using keyword analysis.
+ * Returns null if no dimension matches.
+ */
+function matchFinding(finding, dimensions) {
+    const text = `${finding.category} ${finding.message}`.toLowerCase();
+    // Try to match a specific check first (more precise)
+    for (const dim of dimensions) {
+        if (!dim.enabled)
+            continue;
+        const activeChecks = dim.checks.filter((c) => c.enabled);
+        for (const check of activeChecks) {
+            const keywords = CHECK_KEYWORDS.get(check.id);
+            if (keywords && keywords.some((kw) => text.includes(kw))) {
+                return { dimensionId: dim.id, checkId: check.id, weight: check.weight };
+            }
+        }
+    }
+    // Fallback: match at dimension level
+    for (const dim of dimensions) {
+        if (!dim.enabled)
+            continue;
+        const keywords = DIMENSION_KEYWORDS.get(dim.id);
+        if (keywords && keywords.some((kw) => text.includes(kw))) {
+            // Use average weight of active checks in this dimension
+            const activeChecks = dim.checks.filter((c) => c.enabled);
+            const avgWeight = activeChecks.length > 0
+                ? Math.round(activeChecks.reduce((s, c) => s + c.weight, 0) / activeChecks.length)
+                : DEFAULT_DIMENSION_WEIGHT;
+            return { dimensionId: dim.id, checkId: null, weight: avgWeight };
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=scorer.js.map

package/dist/checklist/scorer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scorer.js","sourceRoot":"","sources":["../../src/checklist/scorer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA8CjD,iEAAiE;AAEjE;;;GAGG;AACH,MAAM,kBAAkB,GAA2C,IAAI,GAAG,CAAC;IACzE,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE,sBAAsB,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAChN,CAAC,gBAAgB,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,gBAAgB,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACpI,CAAC,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,kBAAkB,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,gBAAgB,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;IAC5L,CAAC,UAAU,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;CAC7K,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,cAAc,GAA2C,IAAI,GAAG,CAAC;IACrE,QAAQ;IACR,CAAC,uBAAuB,EAAE,CAAC,uBAAuB,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,2BAA2B,CAAC,CAAC;IAC7H,CAAC,aAAa,EAAE,CAAC,aAAa,EAAE,KAAK,EAAE,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IACxF,CAAC,qBAAqB,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAC/E,CAAC,uBAAuB,EAAE,CAAC,uBAAuB,EAAE,KAAK,EAAE,eAAe,EAAE,kBAAkB,CAAC,CAAC;IAChG,CAAC,sBAAsB,EAAE,CAAC,sBAAsB,EAAE,KAAK,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,UAAU,CAAC,CAAC;IACrH,iBAAiB;IACjB,CAAC,mBAAmB,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;IACvF,CAAC,gBAAgB,EAAE,CAAC,gBAAgB,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjF,CAAC,aAAa,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IAClF,CAAC,iBAAiB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IACzE,CAAC,sBAAsB,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,qBAAqB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9F,sBAAsB;IACtB,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACnF,CAAC,mBAAmB,EAAE,CAAC,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACvG,CAAC,gBAAgB,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,kBAAkB,EAAE,KAAK,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;IACxG,CAAC,iBAAiB,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,mBAAmB,CAAC,CAAC;IACtF,CAAC,oBAAoB,EAAE,CAAC,gBAAgB,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IACpG,WAAW;IACX,CAAC,kBAAkB,EAAE,CAAC,eAAe,EAAE,SAAS,EAAE,iBAAiB,EAAE,YAAY,CAAC,CAAC;IACnF,CAAC,aAAa,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,eAAe,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAC5F,CAAC,gBAAgB,EAAE,CAAC,gBAAgB,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACrG,CAAC,sBAAsB,EAAE,CAAC,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;IAChG,CAAC,mBAAmB,EAAE,CAAC,YAAY,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;CACvF,CAAC,CAAC;AAWH,iEAAiE;AAEjE;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAoC,EACpC,MAAuB;IAEvB,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACpE,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAC9D,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAC;IAEnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACtD,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,kBAAkB,CAAC;QAEhD,MAAM,CAAC,IAAI,CAAC;YACV,YAAY,EAAE,CAAC;YACf,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,WAAW,EAAE,KAAK,CAAC,MAAM;YACzB,kBAAkB;YAClB,KAAK;SACN,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IACpD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,MAAM,MAAM,GAAG,IAAI,GAAG,EAA0B,CAAC;IACjD,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACnC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE;YACjB,WAAW,EAAE,GAAG,CAAC,EAAE;YACnB,aAAa,EAAE,GAAG,CAAC,IAAI;YACvB,UAAU,EAAE,CAAC;YACb,YAAY,EAAE,CAAC;SAChB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,EAAE,EAAE,CAAC;YACP,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,KAAK,CAAC;YAC1B,EAAE,CAAC,YAAY,IAAI,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;SAChD,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,YAAY,GAAG,CAAC,CAAC;SACnC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IAE/C,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAEjE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;AAC3D,CAAC;AAUD,MAAM,wBAAwB,GAAG,CAAC,CAAC;AAEnC;;;GAGG;AACH,SAAS,YAAY,CACnB,OAAwB,EACxB,UAAgC;IAEhC,MAAM,IAAI,GAAG,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IAEpE,qDAAqD;IACrD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,OAAO;YAAE,SAAS;QAC3B,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAEzD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAC9C,IAAI,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,OAAO;YAAE,SAAS;QAC3B,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChD,IAAI,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YACzD,wDAAwD;YACxD,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;YACzD,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC;gBACvC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC;gBAClF,CAAC,CAAC,wBAAwB,CAAC;YAC7B,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;QACnE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/checklist/types.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Checklist types — configurable review dimensions with weighted checks.
+ *
+ * Each dimension (e.g., SOLID, error handling) contains named checks
+ * that guide AI agents during code review. Checks have weights (1-10)
+ * used for severity scoring.
+ */
+/** A single review check within a dimension. */
+export interface ChecklistCheck {
+    /** Unique kebab-case identifier (e.g., "single-responsibility") */
+    id: string;
+    /** Human-readable question the AI should evaluate (e.g., "Does this class have one reason to change?") */
+    description: string;
+    /** Importance weight (1-10). Higher = more severe when violated. */
+    weight: number;
+    /** Whether this check is active. Default: true. */
+    enabled: boolean;
+}
+/** A review dimension grouping related checks. */
+export interface ChecklistDimension {
+    /** Unique kebab-case identifier (e.g., "solid", "error-handling") */
+    id: string;
+    /** Human-readable name (e.g., "SOLID Principles") */
+    name: string;
+    /** Whether this dimension is active. Default: true. */
+    enabled: boolean;
+    /** Ordered list of checks in this dimension. */
+    checks: ChecklistCheck[];
+}
+/** Top-level checklist configuration. */
+export interface ChecklistConfig {
+    /** Master switch. When false, checklist is skipped entirely. */
+    enabled: boolean;
+    /** Review dimensions with their checks. */
+    dimensions: ChecklistDimension[];
+}
+/** Multipliers for finding severity when computing weighted scores. */
+export declare const SEVERITY_MULTIPLIER: Record<string, number>;
+//# sourceMappingURL=types.d.ts.map

package/dist/checklist/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/checklist/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,gDAAgD;AAChD,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,EAAE,EAAE,MAAM,CAAC;IAEX,0GAA0G;IAC1G,WAAW,EAAE,MAAM,CAAC;IAEpB,oEAAoE;IACpE,MAAM,EAAE,MAAM,CAAC;IAEf,mDAAmD;IACnD,OAAO,EAAE,OAAO,CAAC;CAClB;AAID,kDAAkD;AAClD,MAAM,WAAW,kBAAkB;IACjC,qEAAqE;IACrE,EAAE,EAAE,MAAM,CAAC;IAEX,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;IAEb,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IAEjB,gDAAgD;IAChD,MAAM,EAAE,cAAc,EAAE,CAAC;CAC1B;AAID,yCAAyC;AACzC,MAAM,WAAW,eAAe;IAC9B,gEAAgE;IAChE,OAAO,EAAE,OAAO,CAAC;IAEjB,2CAA2C;IAC3C,UAAU,EAAE,kBAAkB,EAAE,CAAC;CAClC;AAID,uEAAuE;AACvE,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAMtD,CAAC"}

package/dist/checklist/types.js ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Checklist types — configurable review dimensions with weighted checks.
+ *
+ * Each dimension (e.g., SOLID, error handling) contains named checks
+ * that guide AI agents during code review. Checks have weights (1-10)
+ * used for severity scoring.
+ */
+// ─── Severity Multipliers ──────────────────────────────────────
+/** Multipliers for finding severity when computing weighted scores. */
+export const SEVERITY_MULTIPLIER = {
+    critical: 5,
+    high: 3,
+    medium: 2,
+    low: 1,
+    info: 0.5,
+};
+//# sourceMappingURL=types.js.map

package/dist/checklist/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/checklist/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA+CH,kEAAkE;AAElE,uEAAuE;AACvE,MAAM,CAAC,MAAM,mBAAmB,GAA2B;IACzD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,GAAG;CACV,CAAC"}

package/dist/exploitability/analyzer.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * Exploitability Analyzer
+ *
+ * Determines whether CVE findings from Trivy are actually exploitable
+ * by checking if the vulnerable package is imported and reachable
+ * from the project's entry points.
+ *
+ * Analysis flow:
+ *   1. Extract package names from Trivy CVE findings
+ *   2. Trace which project files import each vulnerable package
+ *   3. Find entry points (files with no importers)
+ *   4. BFS forward from entry points to check reachability
+ *   5. Label each finding based on reachability
+ */
+import type { DependencyGraph } from '../graph/schema.js';
+import type { ReviewFinding } from '../types.js';
+/**
+ * Extract unique vulnerable package names from Trivy CVE findings.
+ *
+ * Only processes findings with source === 'trivy' and
+ * category === 'dependency-vulnerability'.
+ *
+ * @param findings - All review findings
+ * @returns Map of package name → array of finding indices that reference it
+ */
+export declare function extractVulnPackages(findings: ReviewFinding[]): Map<string, number[]>;
+/**
+ * Find which project files import a given external package.
+ *
+ * Searches the DependencyGraph for nodes whose `imports` array
+ * contains the package name (non-relative imports that match).
+ *
+ * @param graph - The project's dependency graph
+ * @param packageName - External package name (e.g., "lodash", "@angular/core")
+ * @returns Array of file paths that import the package
+ */
+export declare function tracePackageImports(graph: DependencyGraph, packageName: string): string[];
+/**
+ * Find entry point files in the dependency graph.
+ *
+ * An entry point is a non-test file that is NOT imported by any other
+ * project file. These are the "roots" of the dependency tree.
+ *
+ * @param graph - The project's dependency graph
+ * @returns Array of file paths that are entry points
+ */
+export declare function findEntryPoints(graph: DependencyGraph): string[];
+/**
+ * Check if any of the import sites are reachable from entry points
+ * via forward BFS through the dependency graph.
+ *
+ * Forward traversal: follows import edges from entry points outward.
+ *
+ * @param graph - The project's dependency graph
+ * @param entryPoints - Root files (no importers)
+ * @param importSites - Files that import the vulnerable package
+ * @returns Map of import site → entry points that can reach it
+ */
+export declare function checkReachability(graph: DependencyGraph, entryPoints: string[], importSites: string[]): Map<string, string[]>;
+/**
+ * Analyze exploitability of CVE findings from Trivy.
+ *
+ * Enriches each Trivy vulnerability finding with an exploitability
+ * label and detail based on import reachability analysis.
+ *
+ * Degrades gracefully:
+ * - No graph → all CVEs labeled `potentially-exploitable`
+ * - No CVE findings → returns findings unchanged (no-op)
+ *
+ * @param findings - All review findings (will mutate Trivy CVE findings in place)
+ * @param graph - The project's dependency graph (null if unavailable)
+ * @returns The same findings array with exploitability fields added to CVE findings
+ */
+export declare function analyzeExploitability(findings: ReviewFinding[], graph: DependencyGraph | null): ReviewFinding[];
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/exploitability/analyzer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../src/exploitability/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBjD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAyBpF;AAID;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,EAAE,CAkBzF;AAID;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,eAAe,GAAG,MAAM,EAAE,CAsBhE;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,eAAe,EACtB,WAAW,EAAE,MAAM,EAAE,EACrB,WAAW,EAAE,MAAM,EAAE,GACpB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CA8CvB;AAoDD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,eAAe,GAAG,IAAI,GAC5B,aAAa,EAAE,CAqFjB"}

package/dist/exploitability/analyzer.js ADDED Viewed

@@ -0,0 +1,299 @@
+/**
+ * Exploitability Analyzer
+ *
+ * Determines whether CVE findings from Trivy are actually exploitable
+ * by checking if the vulnerable package is imported and reachable
+ * from the project's entry points.
+ *
+ * Analysis flow:
+ *   1. Extract package names from Trivy CVE findings
+ *   2. Trace which project files import each vulnerable package
+ *   3. Find entry points (files with no importers)
+ *   4. BFS forward from entry points to check reachability
+ *   5. Label each finding based on reachability
+ */
+// ─── Package Extraction ────────────────────────────────────────
+/**
+ * Regex to extract package name from a Trivy vulnerability finding message.
+ *
+ * Matches patterns like:
+ *   "CVE-2024-1234: lodash@4.17.20 - Known vulnerability (fix: upgrade to 4.17.21)"
+ *   "CVE-2024-5678: @angular/core@16.0.0 - XSS vulnerability (no fix available)"
+ *
+ * Captures: packageName (group 1)
+ */
+const TRIVY_VULN_PACKAGE_RE = /:\s+(@?[a-zA-Z0-9][\w./-]*)@/;
+/**
+ * Extract unique vulnerable package names from Trivy CVE findings.
+ *
+ * Only processes findings with source === 'trivy' and
+ * category === 'dependency-vulnerability'.
+ *
+ * @param findings - All review findings
+ * @returns Map of package name → array of finding indices that reference it
+ */
+export function extractVulnPackages(findings) {
+    const packages = new Map();
+    for (let i = 0; i < findings.length; i++) {
+        const finding = findings[i];
+        if (!finding)
+            continue;
+        if (finding.source !== 'trivy' || finding.category !== 'dependency-vulnerability') {
+            continue;
+        }
+        const match = TRIVY_VULN_PACKAGE_RE.exec(finding.message);
+        if (!match?.[1]) {
+            // Can't parse package name — will be labeled potentially-exploitable
+            const key = `__unparseable_${i}`;
+            packages.set(key, [i]);
+            continue;
+        }
+        const packageName = match[1];
+        const indices = packages.get(packageName) ?? [];
+        indices.push(i);
+        packages.set(packageName, indices);
+    }
+    return packages;
+}
+// ─── Import Tracing ────────────────────────────────────────────
+/**
+ * Find which project files import a given external package.
+ *
+ * Searches the DependencyGraph for nodes whose `imports` array
+ * contains the package name (non-relative imports that match).
+ *
+ * @param graph - The project's dependency graph
+ * @param packageName - External package name (e.g., "lodash", "@angular/core")
+ * @returns Array of file paths that import the package
+ */
+export function tracePackageImports(graph, packageName) {
+    const importSites = [];
+    for (const [filePath, node] of Object.entries(graph.nodes)) {
+        for (const imp of node.imports) {
+            // Non-relative imports: match package name exactly or as prefix for deep imports
+            // e.g., "lodash" matches "lodash", "lodash/get"
+            // e.g., "@angular/core" matches "@angular/core", "@angular/core/testing"
+            if (!imp.startsWith('.') && !imp.startsWith('/')) {
+                if (imp === packageName || imp.startsWith(`${packageName}/`)) {
+                    importSites.push(filePath);
+                    break; // One match per file is enough
+                }
+            }
+        }
+    }
+    return importSites;
+}
+// ─── Entry Point Detection ─────────────────────────────────────
+/**
+ * Find entry point files in the dependency graph.
+ *
+ * An entry point is a non-test file that is NOT imported by any other
+ * project file. These are the "roots" of the dependency tree.
+ *
+ * @param graph - The project's dependency graph
+ * @returns Array of file paths that are entry points
+ */
+export function findEntryPoints(graph) {
+    // Build set of all files that are imported by at least one other file
+    const imported = new Set();
+    for (const node of Object.values(graph.nodes)) {
+        for (const imp of node.imports) {
+            imported.add(imp);
+        }
+        for (const call of node.calls) {
+            imported.add(call.target);
+        }
+    }
+    // Entry points = non-test files not in the imported set
+    const entryPoints = [];
+    for (const [filePath, node] of Object.entries(graph.nodes)) {
+        if (!node.isTest && !imported.has(filePath)) {
+            entryPoints.push(filePath);
+        }
+    }
+    return entryPoints;
+}
+// ─── Reachability Analysis ─────────────────────────────────────
+/**
+ * Check if any of the import sites are reachable from entry points
+ * via forward BFS through the dependency graph.
+ *
+ * Forward traversal: follows import edges from entry points outward.
+ *
+ * @param graph - The project's dependency graph
+ * @param entryPoints - Root files (no importers)
+ * @param importSites - Files that import the vulnerable package
+ * @returns Map of import site → entry points that can reach it
+ */
+export function checkReachability(graph, entryPoints, importSites) {
+    const importSiteSet = new Set(importSites);
+    const result = new Map();
+    // Initialize result with empty arrays
+    for (const site of importSites) {
+        result.set(site, []);
+    }
+    // BFS forward from each entry point
+    for (const entry of entryPoints) {
+        const visited = new Set();
+        const queue = [entry];
+        visited.add(entry);
+        while (queue.length > 0) {
+            const current = queue.shift();
+            if (!current)
+                break;
+            // Check if we reached an import site
+            if (importSiteSet.has(current)) {
+                result.get(current)?.push(entry);
+            }
+            // Follow imports forward
+            const node = graph.nodes[current];
+            if (!node)
+                continue;
+            for (const imp of node.imports) {
+                if (!visited.has(imp) && graph.nodes[imp]) {
+                    visited.add(imp);
+                    queue.push(imp);
+                }
+            }
+            // Follow calls forward
+            for (const call of node.calls) {
+                if (!visited.has(call.target) && graph.nodes[call.target]) {
+                    visited.add(call.target);
+                    queue.push(call.target);
+                }
+            }
+        }
+    }
+    return result;
+}
+// ─── Labeling ──────────────────────────────────────────────────
+/**
+ * Determine the exploitability label based on import and reachability data.
+ */
+function classifyExploitability(importSites, reachabilityMap) {
+    if (importSites.length === 0) {
+        return {
+            label: 'not-exploitable',
+            reachableFrom: [],
+            reason: 'Vulnerable package is not imported by any project file',
+        };
+    }
+    if (!reachabilityMap) {
+        return {
+            label: 'potentially-exploitable',
+            reachableFrom: [],
+            reason: 'Package is imported but reachability could not be determined',
+        };
+    }
+    // Collect all entry points that can reach any import site
+    const allReachableFrom = new Set();
+    for (const entryPoints of reachabilityMap.values()) {
+        for (const ep of entryPoints) {
+            allReachableFrom.add(ep);
+        }
+    }
+    if (allReachableFrom.size > 0) {
+        return {
+            label: 'exploitable',
+            reachableFrom: [...allReachableFrom],
+            reason: `Vulnerable package is imported and reachable from ${allReachableFrom.size} entry point(s)`,
+        };
+    }
+    return {
+        label: 'potentially-exploitable',
+        reachableFrom: [],
+        reason: 'Package is imported but not reachable from detected entry points',
+    };
+}
+// ─── Main Entry Point ──────────────────────────────────────────
+/**
+ * Analyze exploitability of CVE findings from Trivy.
+ *
+ * Enriches each Trivy vulnerability finding with an exploitability
+ * label and detail based on import reachability analysis.
+ *
+ * Degrades gracefully:
+ * - No graph → all CVEs labeled `potentially-exploitable`
+ * - No CVE findings → returns findings unchanged (no-op)
+ *
+ * @param findings - All review findings (will mutate Trivy CVE findings in place)
+ * @param graph - The project's dependency graph (null if unavailable)
+ * @returns The same findings array with exploitability fields added to CVE findings
+ */
+export function analyzeExploitability(findings, graph) {
+    // Step 1: Extract vulnerable packages
+    const vulnPackages = extractVulnPackages(findings);
+    if (vulnPackages.size === 0) {
+        return findings;
+    }
+    // Step 2: If no graph, label everything as potentially-exploitable
+    if (!graph) {
+        for (const [packageName, indices] of vulnPackages) {
+            const cleanName = packageName.startsWith('__unparseable_') ? 'unknown' : packageName;
+            const detail = {
+                label: 'potentially-exploitable',
+                packageName: cleanName,
+                importSites: [],
+                reachableFrom: [],
+                reason: 'Dependency graph unavailable — cannot determine reachability',
+            };
+            for (const idx of indices) {
+                const finding = findings[idx];
+                if (finding) {
+                    finding.exploitability = 'potentially-exploitable';
+                    finding.exploitabilityDetail = detail;
+                }
+            }
+        }
+        return findings;
+    }
+    // Step 3: Find entry points (once for all packages)
+    const entryPoints = findEntryPoints(graph);
+    // Step 4: Analyze each vulnerable package
+    for (const [packageName, indices] of vulnPackages) {
+        // Skip unparseable packages
+        if (packageName.startsWith('__unparseable_')) {
+            const detail = {
+                label: 'potentially-exploitable',
+                packageName: 'unknown',
+                importSites: [],
+                reachableFrom: [],
+                reason: 'Could not parse package name from finding',
+            };
+            for (const idx of indices) {
+                const finding = findings[idx];
+                if (finding) {
+                    finding.exploitability = 'potentially-exploitable';
+                    finding.exploitabilityDetail = detail;
+                }
+            }
+            continue;
+        }
+        // Trace imports
+        const importSites = tracePackageImports(graph, packageName);
+        // Check reachability
+        let reachabilityMap = null;
+        if (importSites.length > 0 && entryPoints.length > 0) {
+            reachabilityMap = checkReachability(graph, entryPoints, importSites);
+        }
+        // Classify
+        const { label, reachableFrom, reason } = classifyExploitability(importSites, reachabilityMap);
+        const detail = {
+            label,
+            packageName,
+            importSites,
+            reachableFrom,
+            reason,
+        };
+        // Apply to all findings for this package
+        for (const idx of indices) {
+            const finding = findings[idx];
+            if (finding) {
+                finding.exploitability = label;
+                finding.exploitabilityDetail = detail;
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=analyzer.js.map

package/dist/exploitability/analyzer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../src/exploitability/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH,kEAAkE;AAElE;;;;;;;;GAQG;AACH,MAAM,qBAAqB,GAAG,8BAA8B,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAyB;IAC3D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,IAAI,OAAO,CAAC,QAAQ,KAAK,0BAA0B,EAAE,CAAC;YAClF,SAAS;QACX,CAAC;QAED,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC1D,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,qEAAqE;YACrE,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACvB,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,kEAAkE;AAElE;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAsB,EAAE,WAAmB;IAC7E,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3D,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC/B,iFAAiF;YACjF,gDAAgD;YAChD,yEAAyE;YACzE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,WAAW,GAAG,CAAC,EAAE,CAAC;oBAC7D,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBAC3B,MAAM,CAAC,+BAA+B;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,kEAAkE;AAElE;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,KAAsB;IACpD,sEAAsE;IACtE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC/B,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5C,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,kEAAkE;AAElE;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAsB,EACtB,WAAqB,EACrB,WAAqB;IAErB,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE3C,sCAAsC;IACtC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,oCAAoC;IACpC,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAClC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEnB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC,OAAO;gBAAE,MAAM;YAEpB,qCAAqC;YACrC,IAAI,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;YAED,yBAAyB;YACzB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAClC,IAAI,CAAC,IAAI;gBAAE,SAAS;YAEpB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBACjB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACzB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kEAAkE;AAElE;;GAEG;AACH,SAAS,sBAAsB,CAC7B,WAAqB,EACrB,eAA6C;IAE7C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,KAAK,EAAE,iBAAiB;YACxB,aAAa,EAAE,EAAE;YACjB,MAAM,EAAE,wDAAwD;SACjE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO;YACL,KAAK,EAAE,yBAAyB;YAChC,aAAa,EAAE,EAAE;YACjB,MAAM,EAAE,8DAA8D;SACvE,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,KAAK,MAAM,WAAW,IAAI,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC;QACnD,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;YAC7B,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,aAAa;YACpB,aAAa,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACpC,MAAM,EAAE,qDAAqD,gBAAgB,CAAC,IAAI,iBAAiB;SACpG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,yBAAyB;QAChC,aAAa,EAAE,EAAE;QACjB,MAAM,EAAE,kEAAkE;KAC3E,CAAC;AACJ,CAAC;AAED,kEAAkE;AAElE;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAyB,EACzB,KAA6B;IAE7B,sCAAsC;IACtC,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAEnD,IAAI,YAAY,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mEAAmE;IACnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,KAAK,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,YAAY,EAAE,CAAC;YAClD,MAAM,SAAS,GAAG,WAAW,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;YACrF,MAAM,MAAM,GAAyB;gBACnC,KAAK,EAAE,yBAAyB;gBAChC,WAAW,EAAE,SAAS;gBACtB,WAAW,EAAE,EAAE;gBACf,aAAa,EAAE,EAAE;gBACjB,MAAM,EAAE,8DAA8D;aACvE,CAAC;YACF,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,cAAc,GAAG,yBAAyB,CAAC;oBACnD,OAAO,CAAC,oBAAoB,GAAG,MAAM,CAAC;gBACxC,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,oDAAoD;IACpD,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAE3C,0CAA0C;IAC1C,KAAK,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,YAAY,EAAE,CAAC;QAClD,4BAA4B;QAC5B,IAAI,WAAW,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAyB;gBACnC,KAAK,EAAE,yBAAyB;gBAChC,WAAW,EAAE,SAAS;gBACtB,WAAW,EAAE,EAAE;gBACf,aAAa,EAAE,EAAE;gBACjB,MAAM,EAAE,2CAA2C;aACpD,CAAC;YACF,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,cAAc,GAAG,yBAAyB,CAAC;oBACnD,OAAO,CAAC,oBAAoB,GAAG,MAAM,CAAC;gBACxC,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QAED,gBAAgB;QAChB,MAAM,WAAW,GAAG,mBAAmB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAE5D,qBAAqB;QACrB,IAAI,eAAe,GAAiC,IAAI,CAAC;QACzD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,eAAe,GAAG,iBAAiB,CAAC,KAAK,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;QACvE,CAAC;QAED,WAAW;QACX,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,sBAAsB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAE9F,MAAM,MAAM,GAAyB;YACnC,KAAK;YACL,WAAW;YACX,WAAW;YACX,aAAa;YACb,MAAM;SACP,CAAC;QAEF,yCAAyC;QACzC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,cAAc,GAAG,KAAK,CAAC;gBAC/B,OAAO,CAAC,oBAAoB,GAAG,MAAM,CAAC;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/exploitability/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Exploitability module barrel export.
+ *
+ * CVE exploitability analysis based on import reachability.
+ * Enriches Trivy vulnerability findings with labels indicating
+ * whether the vulnerable code path is actually reachable.
+ */
+export type { ExploitabilityDetail, ExploitabilityLabel } from './types.js';
+export { analyzeExploitability, checkReachability, extractVulnPackages, findEntryPoints, tracePackageImports, } from './analyzer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/exploitability/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/exploitability/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAI5E,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,GACpB,MAAM,eAAe,CAAC"}

package/dist/exploitability/index.js ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Exploitability module barrel export.
+ *
+ * CVE exploitability analysis based on import reachability.
+ * Enriches Trivy vulnerability findings with labels indicating
+ * whether the vulnerable code path is actually reachable.
+ */
+// ─── Analyzer ──────────────────────────────────────────────────
+export { analyzeExploitability, checkReachability, extractVulnPackages, findEntryPoints, tracePackageImports, } from './analyzer.js';
+//# sourceMappingURL=index.js.map

package/dist/exploitability/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/exploitability/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,kEAAkE;AAElE,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,mBAAmB,GACpB,MAAM,eAAe,CAAC"}