npm - guardlink - Versions diffs - 1.4.1 → 1.4.3 - Mend

guardlink 1.4.1 → 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/CHANGELOG.md +111 -7
package/README.md +53 -5
package/dist/agents/config.d.ts +7 -0
package/dist/agents/config.d.ts.map +1 -1
package/dist/agents/config.js.map +1 -1
package/dist/agents/index.d.ts +9 -1
package/dist/agents/index.d.ts.map +1 -1
package/dist/agents/index.js +36 -1
package/dist/agents/index.js.map +1 -1
package/dist/agents/launcher.d.ts.map +1 -1
package/dist/agents/launcher.js +5 -0
package/dist/agents/launcher.js.map +1 -1
package/dist/agents/prompts.d.ts +16 -1
package/dist/agents/prompts.d.ts.map +1 -1
package/dist/agents/prompts.js +511 -16
package/dist/agents/prompts.js.map +1 -1
package/dist/analyze/format.d.ts +72 -0
package/dist/analyze/format.d.ts.map +1 -0
package/dist/analyze/format.js +176 -0
package/dist/analyze/format.js.map +1 -0
package/dist/analyze/index.d.ts +76 -0
package/dist/analyze/index.d.ts.map +1 -1
package/dist/analyze/index.js +165 -2
package/dist/analyze/index.js.map +1 -1
package/dist/analyze/prompts.d.ts +3 -2
package/dist/analyze/prompts.d.ts.map +1 -1
package/dist/analyze/prompts.js +17 -3
package/dist/analyze/prompts.js.map +1 -1
package/dist/analyzer/sarif.d.ts +3 -2
package/dist/analyzer/sarif.d.ts.map +1 -1
package/dist/analyzer/sarif.js +29 -3
package/dist/analyzer/sarif.js.map +1 -1
package/dist/cli/index.d.ts +2 -0
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +408 -37
package/dist/cli/index.js.map +1 -1
package/dist/dashboard/data.d.ts +11 -0
package/dist/dashboard/data.d.ts.map +1 -1
package/dist/dashboard/data.js +12 -0
package/dist/dashboard/data.js.map +1 -1
package/dist/dashboard/diagrams.d.ts +81 -12
package/dist/dashboard/diagrams.d.ts.map +1 -1
package/dist/dashboard/diagrams.js +750 -362
package/dist/dashboard/diagrams.js.map +1 -1
package/dist/dashboard/generate.d.ts +5 -2
package/dist/dashboard/generate.d.ts.map +1 -1
package/dist/dashboard/generate.js +2516 -244
package/dist/dashboard/generate.js.map +1 -1
package/dist/diff/engine.d.ts +2 -1
package/dist/diff/engine.d.ts.map +1 -1
package/dist/diff/engine.js +3 -2
package/dist/diff/engine.js.map +1 -1
package/dist/diff/git.js +3 -3
package/dist/diff/git.js.map +1 -1
package/dist/init/index.d.ts +7 -0
package/dist/init/index.d.ts.map +1 -1
package/dist/init/index.js +82 -27
package/dist/init/index.js.map +1 -1
package/dist/init/migrate.d.ts +39 -0
package/dist/init/migrate.d.ts.map +1 -0
package/dist/init/migrate.js +45 -0
package/dist/init/migrate.js.map +1 -0
package/dist/init/templates.d.ts +8 -0
package/dist/init/templates.d.ts.map +1 -1
package/dist/init/templates.js +68 -6
package/dist/init/templates.js.map +1 -1
package/dist/mcp/lookup.d.ts +1 -0
package/dist/mcp/lookup.d.ts.map +1 -1
package/dist/mcp/lookup.js +138 -10
package/dist/mcp/lookup.js.map +1 -1
package/dist/mcp/server.d.ts +2 -1
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +32 -15
package/dist/mcp/server.js.map +1 -1
package/dist/parser/clear.d.ts +2 -1
package/dist/parser/clear.d.ts.map +1 -1
package/dist/parser/clear.js +19 -29
package/dist/parser/clear.js.map +1 -1
package/dist/parser/comment-strip.d.ts +5 -0
package/dist/parser/comment-strip.d.ts.map +1 -1
package/dist/parser/comment-strip.js +8 -0
package/dist/parser/comment-strip.js.map +1 -1
package/dist/parser/feature-filter.d.ts +42 -0
package/dist/parser/feature-filter.d.ts.map +1 -0
package/dist/parser/feature-filter.js +109 -0
package/dist/parser/feature-filter.js.map +1 -0
package/dist/parser/format.d.ts +24 -0
package/dist/parser/format.d.ts.map +1 -0
package/dist/parser/format.js +29 -0
package/dist/parser/format.js.map +1 -0
package/dist/parser/index.d.ts +2 -0
package/dist/parser/index.d.ts.map +1 -1
package/dist/parser/index.js +1 -0
package/dist/parser/index.js.map +1 -1
package/dist/parser/parse-file.d.ts +1 -0
package/dist/parser/parse-file.d.ts.map +1 -1
package/dist/parser/parse-file.js +34 -9
package/dist/parser/parse-file.js.map +1 -1
package/dist/parser/parse-line.d.ts +9 -0
package/dist/parser/parse-line.d.ts.map +1 -1
package/dist/parser/parse-line.js +100 -26
package/dist/parser/parse-line.js.map +1 -1
package/dist/parser/parse-project.d.ts +1 -0
package/dist/parser/parse-project.d.ts.map +1 -1
package/dist/parser/parse-project.js +36 -2
package/dist/parser/parse-project.js.map +1 -1
package/dist/parser/validate.d.ts +3 -0
package/dist/parser/validate.d.ts.map +1 -1
package/dist/parser/validate.js +7 -0
package/dist/parser/validate.js.map +1 -1
package/dist/report/index.d.ts +1 -0
package/dist/report/index.d.ts.map +1 -1
package/dist/report/index.js +1 -0
package/dist/report/index.js.map +1 -1
package/dist/report/report.d.ts.map +1 -1
package/dist/report/report.js +924 -24
package/dist/report/report.js.map +1 -1
package/dist/report/sequence.d.ts +11 -0
package/dist/report/sequence.d.ts.map +1 -0
package/dist/report/sequence.js +140 -0
package/dist/report/sequence.js.map +1 -0
package/dist/review/index.d.ts +3 -1
package/dist/review/index.d.ts.map +1 -1
package/dist/review/index.js +77 -35
package/dist/review/index.js.map +1 -1
package/dist/tui/commands.d.ts +1 -0
package/dist/tui/commands.d.ts.map +1 -1
package/dist/tui/commands.js +98 -12
package/dist/tui/commands.js.map +1 -1
package/dist/tui/index.d.ts.map +1 -1
package/dist/tui/index.js +7 -2
package/dist/tui/index.js.map +1 -1
package/dist/types/index.d.ts +59 -3
package/dist/types/index.d.ts.map +1 -1
package/dist/workspace/merge.d.ts.map +1 -1
package/dist/workspace/merge.js +6 -2
package/dist/workspace/merge.js.map +1 -1
package/package.json +1 -1

package/dist/parser/feature-filter.js ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * GuardLink — Feature-based filtering.
+ *
+ * Filters a ThreatModel to only include annotations that belong to
+ * specific features. Feature association is determined by file-level
+ * proximity: if a file contains @feature "X", all annotations in
+ * that file are considered part of feature "X".
+ *
+ * @comment -- "Pure filtering utility; no I/O"
+ */
+/**
+ * Unique feature names found in the model, sorted alphabetically.
+ */
+export function listFeatures(model) {
+    const names = new Set();
+    for (const f of model.features) {
+        names.add(f.feature);
+    }
+    return [...names].sort();
+}
+/**
+ * Build a map of file → Set<feature name> from feature annotations.
+ */
+function buildFileFeatureMap(model) {
+    const map = new Map();
+    for (const f of model.features) {
+        const file = f.location.file;
+        if (!map.has(file))
+            map.set(file, new Set());
+        map.get(file).add(f.feature);
+    }
+    return map;
+}
+/**
+ * Filter a ThreatModel to only annotations in files tagged with
+ * one or more of the given feature names.
+ *
+ * Returns a new ThreatModel with only matching annotations.
+ * Feature matching is case-insensitive.
+ */
+export function filterByFeature(model, featureNames) {
+    const wantedLower = new Set(featureNames.map(n => n.toLowerCase()));
+    const fileFeatureMap = buildFileFeatureMap(model);
+    // Determine which files match any of the requested features
+    const matchingFiles = new Set();
+    for (const [file, features] of fileFeatureMap) {
+        for (const f of features) {
+            if (wantedLower.has(f.toLowerCase())) {
+                matchingFiles.add(file);
+                break;
+            }
+        }
+    }
+    // Filter helper
+    const inFeature = (arr) => arr.filter(item => matchingFiles.has(item.location.file));
+    return {
+        ...model,
+        // Preserve metadata
+        annotations_parsed: model.annotations_parsed,
+        source_files: model.source_files,
+        annotated_files: model.annotated_files.filter(f => matchingFiles.has(f)),
+        unannotated_files: model.unannotated_files,
+        // Filter each category
+        assets: inFeature(model.assets),
+        threats: inFeature(model.threats),
+        controls: inFeature(model.controls),
+        mitigations: inFeature(model.mitigations),
+        exposures: inFeature(model.exposures),
+        confirmed: inFeature(model.confirmed),
+        acceptances: inFeature(model.acceptances),
+        transfers: inFeature(model.transfers),
+        flows: inFeature(model.flows),
+        boundaries: inFeature(model.boundaries),
+        validations: inFeature(model.validations),
+        audits: inFeature(model.audits),
+        ownership: inFeature(model.ownership),
+        data_handling: inFeature(model.data_handling),
+        assumptions: inFeature(model.assumptions),
+        shields: inFeature(model.shields),
+        features: inFeature(model.features),
+        comments: inFeature(model.comments),
+    };
+}
+/**
+ * Get summary stats for each feature in the model.
+ */
+export function getFeatureSummaries(model) {
+    const featureNames = listFeatures(model);
+    return featureNames.map(name => {
+        const filtered = filterByFeature(model, [name]);
+        return {
+            name,
+            files: [...new Set(model.features.filter(f => f.feature.toLowerCase() === name.toLowerCase()).map(f => f.location.file))],
+            annotations: filtered.assets.length + filtered.threats.length + filtered.controls.length +
+                filtered.mitigations.length + filtered.exposures.length + filtered.confirmed.length +
+                filtered.acceptances.length + filtered.transfers.length + filtered.flows.length +
+                filtered.boundaries.length + filtered.validations.length + filtered.audits.length +
+                filtered.ownership.length + filtered.data_handling.length + filtered.assumptions.length +
+                filtered.features.length + filtered.comments.length + filtered.shields.length,
+            exposures: filtered.exposures.length,
+            mitigations: filtered.mitigations.length,
+            assets: filtered.assets.length,
+            threats: filtered.threats.length,
+            flows: filtered.flows.length,
+            confirmed: filtered.confirmed.length,
+        };
+    });
+}
+//# sourceMappingURL=feature-filter.js.map

package/dist/parser/feature-filter.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"feature-filter.js","sourceRoot":"","sources":["../../src/parser/feature-filter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAkB;IAC7C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC/B,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,KAAkB;IAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAC7C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAE,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,KAAkB,EAAE,YAAsB;IACxE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACpE,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAElD,4DAA4D;IAC5D,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,cAAc,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACrC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACxB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,MAAM,SAAS,GAAG,CAA2C,GAAQ,EAAO,EAAE,CAC5E,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAE5D,OAAO;QACL,GAAG,KAAK;QACR,oBAAoB;QACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,eAAe,EAAE,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACxE,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAE1C,uBAAuB;QACvB,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC;QAC/B,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC;QACjC,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC;QACnC,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC;QACzC,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;QACrC,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;QACrC,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC;QACzC,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;QACrC,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC;QAC7B,UAAU,EAAE,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC;QACvC,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC;QACzC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC;QAC/B,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC;QACrC,aAAa,EAAE,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC;QAC7C,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC;QACzC,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC;QACjC,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC;QACnC,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC;KACpC,CAAC;AACJ,CAAC;AAiBD;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAkB;IACpD,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACzC,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QAC7B,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;QAChD,OAAO;YACL,IAAI;YACJ,KAAK,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YACzH,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM;gBACtF,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM;gBACnF,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM;gBAC/E,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM;gBACjF,QAAQ,CAAC,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM;gBACvF,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM;YAC/E,SAAS,EAAE,QAAQ,CAAC,SAAS,CAAC,MAAM;YACpC,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,MAAM;YACxC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM;YAC9B,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM;YAChC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;YAC5B,SAAS,EAAE,QAAQ,CAAC,SAAS,CAAC,MAAM;SACrC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/parser/format.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * GuardLink parser — Diagnostic formatting helpers.
+ *
+ * Tiny pure helpers shared by the CLI's `printDiagnostics` and the TUI's
+ * status-command printer so the level-to-icon mapping lives in one place.
+ * If a future iteration adds a new diagnostic tier, only this file needs
+ * to change for the visual treatment to stay consistent across surfaces.
+ */
+import type { ParseDiagnostic } from '../types/index.js';
+/**
+ * Returns the icon character for a diagnostic level. No color, no padding,
+ * no extra whitespace — callers that want those (e.g. the TUI's
+ * `C.error('  ' + diagnosticIcon(...))`) wrap the return value themselves.
+ *
+ * - `'warning'` → `⚠`  (informational, never blocks)
+ * - `'error'`   → `✗`  (annotation skipped, model continues)
+ * - `'fatal'`   → `✗✗` (model is unsafe to render; consumer must abort)
+ *
+ * The switch is exhaustive over `ParseDiagnostic['level']` — TypeScript
+ * will flag this function if a new level is added to the union without a
+ * matching case here.
+ */
+export declare function diagnosticIcon(level: ParseDiagnostic['level']): string;
+//# sourceMappingURL=format.d.ts.map

package/dist/parser/format.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"format.d.ts","sourceRoot":"","sources":["../../src/parser/format.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,eAAe,CAAC,OAAO,CAAC,GAAG,MAAM,CAMtE"}

package/dist/parser/format.js ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * GuardLink parser — Diagnostic formatting helpers.
+ *
+ * Tiny pure helpers shared by the CLI's `printDiagnostics` and the TUI's
+ * status-command printer so the level-to-icon mapping lives in one place.
+ * If a future iteration adds a new diagnostic tier, only this file needs
+ * to change for the visual treatment to stay consistent across surfaces.
+ */
+/**
+ * Returns the icon character for a diagnostic level. No color, no padding,
+ * no extra whitespace — callers that want those (e.g. the TUI's
+ * `C.error('  ' + diagnosticIcon(...))`) wrap the return value themselves.
+ *
+ * - `'warning'` → `⚠`  (informational, never blocks)
+ * - `'error'`   → `✗`  (annotation skipped, model continues)
+ * - `'fatal'`   → `✗✗` (model is unsafe to render; consumer must abort)
+ *
+ * The switch is exhaustive over `ParseDiagnostic['level']` — TypeScript
+ * will flag this function if a new level is added to the union without a
+ * matching case here.
+ */
+export function diagnosticIcon(level) {
+    switch (level) {
+        case 'fatal': return '✗✗';
+        case 'error': return '✗';
+        case 'warning': return '⚠';
+    }
+}
+//# sourceMappingURL=format.js.map

package/dist/parser/format.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"format.js","sourceRoot":"","sources":["../../src/parser/format.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,cAAc,CAAC,KAA+B;IAC5D,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,OAAO,CAAC,CAAG,OAAO,IAAI,CAAC;QAC5B,KAAK,OAAO,CAAC,CAAG,OAAO,GAAG,CAAC;QAC3B,KAAK,SAAS,CAAC,CAAC,OAAO,GAAG,CAAC;IAC7B,CAAC;AACH,CAAC"}

package/dist/parser/index.d.ts CHANGED Viewed

@@ -10,4 +10,6 @@ export { stripCommentPrefix, commentStyleForExt } from './comment-strip.js';
 export { findDanglingRefs, findUnmitigatedExposures, findAcceptedWithoutAudit, findAcceptedExposures } from './validate.js';
 export { clearAnnotations } from './clear.js';
 export type { ClearAnnotationsOptions, ClearAnnotationsResult } from './clear.js';
+export { listFeatures, filterByFeature, getFeatureSummaries } from './feature-filter.js';
+export type { FeatureSummary } from './feature-filter.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/parser/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/parser/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5H,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/parser/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5H,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAC9C,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AACzF,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/parser/index.js CHANGED Viewed

@@ -8,4 +8,5 @@ export { normalizeName, resolveSeverity, unescapeDescription } from './normalize
 export { stripCommentPrefix, commentStyleForExt } from './comment-strip.js';
 export { findDanglingRefs, findUnmitigatedExposures, findAcceptedWithoutAudit, findAcceptedExposures } from './validate.js';
 export { clearAnnotations } from './clear.js';
+export { listFeatures, filterByFeature, getFeatureSummaries } from './feature-filter.js';
 //# sourceMappingURL=index.js.map

package/dist/parser/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/parser/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5H,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/parser/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC5H,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/parser/parse-file.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 /**
  * GuardLink — File-level parser.
  * Reads source files and extracts all GuardLink annotations.
+ * Standalone .gal files are treated as raw annotation text.
  *
  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"
  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"

package/dist/parser/parse-file.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parse-file.d.ts","sourceRoot":"","sources":["../../src/parser/parse-file.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;GASG~~;~~AAIH~~,OAAO,KAAK,EAA+B,WAAW,~~EAAE~~,MAAM,mBAAmB,CAAC;~~AAKlF~~;;GAEG;AACH,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,WAAW,~~CAuEtF~~"}
1	+ {"version":3,"file":"parse-file.d.ts","sourceRoot":"","sources":["../../src/parser/parse-file.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAA+B,WAAW,EAAkB,MAAM,mBAAmB,CAAC;AAKlG;;GAEG;AACH,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,WAAW,CA+FtF"}

package/dist/parser/parse-file.js CHANGED Viewed

@@ -1,6 +1,7 @@
 /**
  * GuardLink — File-level parser.
  * Reads source files and extracts all GuardLink annotations.
+ * Standalone .gal files are treated as raw annotation text.
  *
  * @exposes #parser to #path-traversal [high] cwe:CWE-22 -- "File path from caller read via readFile; no validation here"
  * @exposes #parser to #dos [medium] cwe:CWE-400 -- "Large files loaded entirely into memory"
@@ -9,7 +10,7 @@
  * @flows #parser -> Annotations via parseString -- "Parsed annotation output"
  */
 import { readFile } from 'node:fs/promises';
-import { stripCommentPrefix } from './comment-strip.js';
+import { isStandaloneAnnotationFile, stripCommentPrefix } from './comment-strip.js';
 import { parseLine } from './parse-line.js';
 import { unescapeDescription } from './normalize.js';
 /**
@@ -29,20 +30,24 @@ export function parseString(content, filePath = '<input>') {
     const diagnostics = [];
     let lastAnnotation = null;
     let inShield = false;
+    const allowRawAnnotationLines = isStandaloneAnnotationFile(filePath);
+    let currentSource = null;
     for (let i = 0; i < lines.length; i++) {
         const lineNum = i + 1; // 1-indexed
         const rawLine = lines[i];
-        // Strip comment prefix
-        const inner = stripCommentPrefix(rawLine);
+        // Strip comment prefix unless this is a standalone .gal file, where
+        // annotations are stored as raw lines instead of host-language comments.
+        const inner = allowRawAnnotationLines ? rawLine : stripCommentPrefix(rawLine);
         if (inner === null) {
             lastAnnotation = null;
             continue;
         }
+        const text = inner.trimStart();
         // Check for shield block boundaries — always parse these even inside shields
-        const trimmed = inner.trim();
+        const trimmed = text.trim();
         if (trimmed.startsWith('@shield:end')) {
             const location = { file: filePath, line: lineNum };
-            const result = parseLine(inner, location);
+            const result = parseLine(text, location);
             if (result.annotation)
                 annotations.push(result.annotation);
             inShield = false;
@@ -51,7 +56,7 @@ export function parseString(content, filePath = '<input>') {
         }
         if (trimmed.startsWith('@shield:begin')) {
             const location = { file: filePath, line: lineNum };
-            const result = parseLine(inner, location);
+            const result = parseLine(text, location);
             if (result.annotation)
                 annotations.push(result.annotation);
             inShield = true;
@@ -62,7 +67,7 @@ export function parseString(content, filePath = '<input>') {
         if (inShield)
             continue;
         // Check for continuation line: -- "..."
-        const contMatch = inner.match(/^--\s*"((?:[^"\\]|\\.)*)"/);
+        const contMatch = text.match(/^--\s*"((?:[^"\\]|\\.)*)"/);
         if (contMatch && lastAnnotation) {
             // Append to last annotation's description
             const contDesc = unescapeDescription(contMatch[1]);
@@ -76,10 +81,30 @@ export function parseString(content, filePath = '<input>') {
         }
         // Try to parse as annotation
         const location = { file: filePath, line: lineNum };
-        const result = parseLine(inner, location);
+        const result = parseLine(text, location);
+        if (result.sourceDirective) {
+            currentSource = {
+                file: result.sourceDirective.file,
+                line: result.sourceDirective.line,
+                parent_symbol: result.sourceDirective.symbol ?? null,
+            };
+            lastAnnotation = null;
+            continue;
+        }
         if (result.annotation) {
+            if (allowRawAnnotationLines && currentSource) {
+                result.annotation.location = {
+                    file: currentSource.file,
+                    line: currentSource.line,
+                    parent_symbol: currentSource.parent_symbol ?? null,
+                    origin_file: filePath,
+                    origin_line: lineNum,
+                };
+            }
             annotations.push(result.annotation);
-            lastAnnotation = result.annotation;
+            if (result.extraAnnotations)
+                annotations.push(...result.extraAnnotations);
+            lastAnnotation = annotations[annotations.length - 1];
         }
         else {
             if (result.diagnostic) {

package/dist/parser/parse-file.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parse-file.js","sourceRoot":"","sources":["../../src/parser/parse-file.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;GASG~~;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;~~AAG5C~~,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;~~AACxD~~,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB;IAC9C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,WAAmB,SAAS;IACvE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,IAAI,cAAc,GAAsB,IAAI,CAAC;IAC7C,IAAI,QAAQ,GAAG,KAAK,CAAC;~~IAErB~~,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAE,YAAY;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEzB,~~uBAAuB~~;~~QACvB~~,MAAM,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;~~QAC1C~~,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;~~QAED~~,6EAA6E;QAC7E,MAAM,OAAO,GAAG,~~KAAK~~,CAAC,IAAI,EAAE,CAAC;~~QAC7B~~,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,SAAS,CAAC,~~KAAK~~,EAAE,QAAQ,CAAC,CAAC;~~YAC1C~~,IAAI,MAAM,CAAC,UAAU;gBAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,QAAQ,GAAG,KAAK,CAAC;YACjB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,SAAS,CAAC,~~KAAK~~,EAAE,QAAQ,CAAC,CAAC;~~YAC1C~~,IAAI,MAAM,CAAC,UAAU;gBAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,QAAQ,GAAG,IAAI,CAAC;YAChB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QAED,4EAA4E;QAC5E,IAAI,QAAQ;YAAE,SAAS;QAEvB,wCAAwC;QACxC,MAAM,SAAS,GAAG,~~KAAK~~,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;~~QAC3D~~,IAAI,SAAS,IAAI,cAAc,EAAE,CAAC;YAChC,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YACnD,IAAI,cAAc,CAAC,WAAW,EAAE,CAAC;gBAC/B,cAAc,CAAC,WAAW,IAAI,GAAG,GAAG,QAAQ,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,WAAW,GAAG,QAAQ,CAAC;YACxC,CAAC;YACD,SAAS;QACX,CAAC;QAED,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,~~KAAK~~,EAAE,QAAQ,CAAC,CAAC;~~QAE1C~~,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACpC,cAAc,GAAG,MAAM,CAAC,~~UAAU~~,CAAC;~~QACrC~~,CAAC;aAAM,CAAC;YACN,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AACvD,CAAC"}
1	+ {"version":3,"file":"parse-file.js","sourceRoot":"","sources":["../../src/parser/parse-file.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACpF,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB;IAC9C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,WAAmB,SAAS;IACvE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,IAAI,cAAc,GAAsB,IAAI,CAAC;IAC7C,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,MAAM,uBAAuB,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;IACrE,IAAI,aAAa,GAA0B,IAAI,CAAC;IAEhD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAE,YAAY;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEzB,oEAAoE;QACpE,yEAAyE;QACzE,MAAM,KAAK,GAAG,uBAAuB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QACD,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;QAE/B,6EAA6E;QAC7E,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,MAAM,CAAC,UAAU;gBAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,QAAQ,GAAG,KAAK,CAAC;YACjB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;YACnD,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,MAAM,CAAC,UAAU;gBAAE,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,QAAQ,GAAG,IAAI,CAAC;YAChB,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QAED,4EAA4E;QAC5E,IAAI,QAAQ;YAAE,SAAS;QAEvB,wCAAwC;QACxC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC1D,IAAI,SAAS,IAAI,cAAc,EAAE,CAAC;YAChC,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YACnD,IAAI,cAAc,CAAC,WAAW,EAAE,CAAC;gBAC/B,cAAc,CAAC,WAAW,IAAI,GAAG,GAAG,QAAQ,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,WAAW,GAAG,QAAQ,CAAC;YACxC,CAAC;YACD,SAAS;QACX,CAAC;QAED,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEzC,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC3B,aAAa,GAAG;gBACd,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,IAAI;gBACjC,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,IAAI;gBACjC,aAAa,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM,IAAI,IAAI;aACrD,CAAC;YACF,cAAc,GAAG,IAAI,CAAC;YACtB,SAAS;QACX,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,uBAAuB,IAAI,aAAa,EAAE,CAAC;gBAC7C,MAAM,CAAC,UAAU,CAAC,QAAQ,GAAG;oBAC3B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,aAAa,EAAE,aAAa,CAAC,aAAa,IAAI,IAAI;oBAClD,WAAW,EAAE,QAAQ;oBACrB,WAAW,EAAE,OAAO;iBACrB,CAAC;YACJ,CAAC;YACD,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACpC,IAAI,MAAM,CAAC,gBAAgB;gBAAE,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC1E,cAAc,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACtC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AACvD,CAAC"}

package/dist/parser/parse-line.d.ts CHANGED Viewed

@@ -7,10 +7,19 @@
  * @comment -- "Regex patterns designed with bounded quantifiers and explicit structure"
  */
 import type { Annotation, ParseDiagnostic, SourceLocation } from '../types/index.js';
+export interface SourceDirective {
+    file: string;
+    line: number;
+    symbol?: string;
+}
 export interface ParseLineResult {
     annotation: Annotation | null;
+    /** Additional annotations from the same line. Used by multi-hop @flows
+     *  chains (`A -> B -> C`) to emit one pairwise flow per arrow. */
+    extraAnnotations?: Annotation[];
     diagnostic: ParseDiagnostic | null;
     isContinuation: boolean;
+    sourceDirective?: SourceDirective | null;
 }
 /**
  * Parse a single annotation line (after comment prefix has been stripped).

package/dist/parser/parse-line.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parse-line.d.ts","sourceRoot":"","sources":["../../src/parser/parse-line.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,UAAU,EACV,eAAe,EAAE,cAAc,EAChC,MAAM,mBAAmB,CAAC;~~AAsE3B~~,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,eAAe,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,OAAO,CAAC;~~CACzB~~;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,cAAc,GACvB,eAAe,~~CA8KjB~~"}
1	+ {"version":3,"file":"parse-line.d.ts","sourceRoot":"","sources":["../../src/parser/parse-line.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,UAAU,EACV,eAAe,EAAE,cAAc,EAChC,MAAM,mBAAmB,CAAC;AA0F3B,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9B;sEACkE;IAClE,gBAAgB,CAAC,EAAE,UAAU,EAAE,CAAC;IAChC,UAAU,EAAE,eAAe,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,CAAC,EAAE,eAAe,GAAG,IAAI,CAAC;CAC1C;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CACvB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,cAAc,GACvB,eAAe,CA0NjB"}

package/dist/parser/parse-line.js CHANGED Viewed

@@ -9,14 +9,20 @@
 import { normalizeName, resolveSeverity, unescapeDescription } from './normalize.js';
 // ─── Shared regex fragments ──────────────────────────────────────────
 const COMPONENT = String.raw `[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*`;
-const ASSET_REF = String.raw `(?:#[a-zA-Z0-9_-]+|[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)`; // #id or Dotted.Path
+// Quoted ref: any non-newline content between double quotes, with `\"` and
+// `\\` escape support. Mirrors the DESC fragment's character class.
+const QUOTED_REF = String.raw `"(?:[^"\\\n]|\\.)*"`;
+const ASSET_REF = String.raw `(?:#[a-zA-Z0-9_-]+|${QUOTED_REF}|[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)`; // #id, "quoted", or Dotted.Path
 const NAME = String.raw `[A-Za-z]\w*(?:[_\- ][A-Za-z]\w*)*`;
 const ID_DEF = String.raw `\(#([a-zA-Z0-9_-]+)\)`;
 const ID_REF = String.raw `#([a-zA-Z0-9_-]+)`;
-const THREAT_REF = String.raw `(?:#[a-zA-Z0-9_-]+|[A-Za-z]\w*(?:[_\- ][A-Za-z]\w*)*)`;
+const THREAT_REF = String.raw `(?:#[a-zA-Z0-9_-]+|${QUOTED_REF}|[A-Za-z]\w*(?:[_\- ][A-Za-z]\w*)*)`;
 const SEVERITY = String.raw `\[(P[0-3]|critical|high|medium|low)\]`;
 const EXT_REF = String.raw `([a-zA-Z]+:[A-Za-z0-9_:.\-]+)`;
 const DESC = String.raw `--\s*"((?:[^"\\]|\\.)*)"`;
+const SOURCE_FILE = String.raw `\S+`;
+const SOURCE_LINE = String.raw `[1-9]\d*`;
+const SOURCE_SYMBOL = String.raw `\S+`;
 // Capture external refs (0 or more, space-separated)
 const EXT_REFS_OPT = String.raw `((?:\s+[a-zA-Z]+:[A-Za-z0-9_:.\-]+)*)`;
 // ─── Verb-specific patterns ──────────────────────────────────────────
@@ -29,10 +35,11 @@ const PATTERNS = {
     mitigates: new RegExp(String.raw `^@mitigates\s+(${ASSET_REF})\s+against\s+(${THREAT_REF})(?:\s+using\s+(${THREAT_REF}))?(?:\s+${DESC})?$`),
     mitigates_v1: new RegExp(String.raw `^@mitigates\s+(${ASSET_REF})\s+against\s+(${THREAT_REF})(?:\s+with\s+(${THREAT_REF}))?(?:\s+${DESC})?$`),
     exposes: new RegExp(String.raw `^@exposes\s+(${ASSET_REF})\s+to\s+(${THREAT_REF})(?:\s+${SEVERITY})?${EXT_REFS_OPT}(?:\s+${DESC})?$`),
+    confirmed: new RegExp(String.raw `^@confirmed\s+(${THREAT_REF})\s+on\s+(${ASSET_REF})(?:\s+${SEVERITY})?${EXT_REFS_OPT}(?:\s+${DESC})?$`),
     accepts: new RegExp(String.raw `^@accepts\s+(${THREAT_REF})\s+on\s+(${ASSET_REF})(?:\s+${DESC})?$`),
     accepts_v1: new RegExp(String.raw `^@accepts\s+(${THREAT_REF})\s+to\s+(${ASSET_REF})(?:\s+${DESC})?$`),
     transfers: new RegExp(String.raw `^@transfers\s+(${THREAT_REF})\s+from\s+(${ASSET_REF})\s+to\s+(${ASSET_REF})(?:\s+${DESC})?$`),
-    flows: new RegExp(String.raw `^@flows\s+(${ASSET_REF})\s+->\s+(${ASSET_REF})(?:\s+via\s+((?:(?!\s+--\s*").)+?))?(?:\s+${DESC})?$`),
+    flows: new RegExp(String.raw `^@flows\s+(${ASSET_REF}(?:\s+->\s+${ASSET_REF})+)(?:\s+via\s+((?:(?!\s+--\s*").)+?))?(?:\s+${DESC})?$`),
     boundary: new RegExp(String.raw `^@boundary\s+(?:between\s+)?(${ASSET_REF})\s+and\s+(${ASSET_REF})(?:\s+${ID_DEF})?(?:\s+${DESC})?$`),
     boundary_pipe: new RegExp(String.raw `^@boundary\s+(${ASSET_REF})\s*\|\s*(${ASSET_REF})(?:\s+${ID_DEF})?(?:\s+${DESC})?$`),
     connects_v1: new RegExp(String.raw `^@connects\s+(${ASSET_REF})\s+to\s+(${ASSET_REF})(?:\s+${DESC})?$`),
@@ -43,8 +50,12 @@ const PATTERNS = {
     owns: new RegExp(String.raw `^@owns\s+([a-zA-Z0-9_-]+)\s+for\s+(${ASSET_REF})(?:\s+${DESC})?$`),
     handles: new RegExp(String.raw `^@handles\s+(pii|phi|financial|secrets|internal|public)\s+on\s+(${ASSET_REF})(?:\s+${DESC})?$`, 'i'),
     assumes: new RegExp(String.raw `^@assumes\s+(${ASSET_REF})(?:\s+${DESC})?$`),
+    // Metadata — feature tagging
+    feature: new RegExp(String.raw `^@feature\s+"((?:[^"\\]|\\.)*)"(?:\s+${DESC})?$`),
     // Comment — developer note, description only
     comment: new RegExp(String.raw `^@comment(?:\s+${DESC})?$`),
+    // Standalone .gal directive — sets logical source location for following annotations
+    source: new RegExp(String.raw `^@source\s+file:(${SOURCE_FILE})\s+line:(${SOURCE_LINE})(?:\s+symbol:(${SOURCE_SYMBOL}))?$`),
     // Special
     shield: new RegExp(String.raw `^@shield(?!:)(?:\s+${DESC})?$`),
     shield_begin: new RegExp(String.raw `^@shield:begin(?:\s+${DESC})?$`),
@@ -56,8 +67,15 @@ function extractExternalRefs(raw) {
         return [];
     return raw.trim().split(/\s+/).filter(r => /^[a-zA-Z]+:[A-Za-z0-9_:.\-]+$/.test(r));
 }
-// ─── Ref resolver: #id or Name → string ──────────────────────────────
+// ─── Ref resolver: #id, "quoted", or Dotted.Path → canonical string ───
+/** Normalize a captured ASSET_REF or THREAT_REF for storage in the model.
+ *  Strips surrounding double quotes and processes escape sequences (\", \\)
+ *  when the user wrote a quoted ref like `"User Browser"` or `"/api/login"`.
+ *  Pass-through for `#id` and `Dotted.Path` forms. */
 function resolveRef(ref) {
+    if (ref.length >= 2 && ref.charCodeAt(0) === 0x22 /* " */ && ref.charCodeAt(ref.length - 1) === 0x22) {
+        return unescapeDescription(ref.slice(1, -1));
+    }
     return ref;
 }
 /**
@@ -72,9 +90,9 @@ export function parseLine(text, location) {
         // Check for continuation line (-- "...")
         const contMatch = trimmed.match(new RegExp(String.raw `^${DESC}$`));
         if (contMatch) {
-            return { annotation: null, diagnostic: null, isContinuation: true };
+            return { annotation: null, diagnostic: null, isContinuation: true, sourceDirective: null };
         }
-        return { annotation: null, diagnostic: null, isContinuation: false };
+        return { annotation: null, diagnostic: null, isContinuation: false, sourceDirective: null };
     }
     const base = { location, raw: trimmed };
     let m;
@@ -102,7 +120,7 @@ export function parseLine(text, location) {
     // ── @mitigates ──
     if ((m = trimmed.match(PATTERNS.mitigates)) || (m = trimmed.match(PATTERNS.mitigates_v1))) {
         return ok({
-            ...base, verb: 'mitigates', asset: m[1],
+            ...base, verb: 'mitigates', asset: resolveRef(m[1]),
             threat: resolveRef(m[2]), control: m[3] ? resolveRef(m[3]) : undefined,
             description: desc(m[4]),
         });
@@ -110,77 +128,118 @@ export function parseLine(text, location) {
     // ── @exposes ──
     if ((m = trimmed.match(PATTERNS.exposes))) {
         return ok({
-            ...base, verb: 'exposes', asset: m[1], threat: resolveRef(m[2]),
+            ...base, verb: 'exposes', asset: resolveRef(m[1]), threat: resolveRef(m[2]),
+            severity: m[3] ? resolveSeverity(m[3]) : undefined,
+            external_refs: extractExternalRefs(m[4]), description: desc(m[5]),
+        });
+    }
+    // ── @confirmed ──
+    if ((m = trimmed.match(PATTERNS.confirmed))) {
+        return ok({
+            ...base, verb: 'confirmed', threat: resolveRef(m[1]), asset: resolveRef(m[2]),
             severity: m[3] ? resolveSeverity(m[3]) : undefined,
             external_refs: extractExternalRefs(m[4]), description: desc(m[5]),
         });
     }
     // ── @accepts ──
     if ((m = trimmed.match(PATTERNS.accepts)) || (m = trimmed.match(PATTERNS.accepts_v1))) {
-        return ok({ ...base, verb: 'accepts', threat: resolveRef(m[1]), asset: m[2], description: desc(m[3]) });
+        return ok({ ...base, verb: 'accepts', threat: resolveRef(m[1]), asset: resolveRef(m[2]), description: desc(m[3]) });
     }
     // ── @transfers ──
     if ((m = trimmed.match(PATTERNS.transfers))) {
         return ok({
             ...base, verb: 'transfers', threat: resolveRef(m[1]),
-            source: m[2], target: m[3], description: desc(m[4]),
+            source: resolveRef(m[2]), target: resolveRef(m[3]), description: desc(m[4]),
         });
     }
     // ── @flows ──
+    // Single-hop `A -> B` is a chain of length 2 producing one flow.
+    // Multi-hop `A -> B -> C -> D` is treated as syntactic sugar for N-1
+    // pairwise flows — each emitted flow shares the mechanism, description,
+    // and source location with every other hop in the chain.
     if ((m = trimmed.match(PATTERNS.flows))) {
-        return ok({
-            ...base, verb: 'flows', source: m[1], target: m[2],
-            mechanism: m[3]?.trim(), description: desc(m[4]),
-        });
+        // Use matchAll instead of split so quoted refs containing literal
+        // `->` sequences (e.g. `"step1 -> step2"`) aren't shredded by the
+        // arrow separator. The outer regex has already validated chain shape.
+        const participants = [...m[1].matchAll(new RegExp(ASSET_REF, 'g'))]
+            .map(mm => resolveRef(mm[0]));
+        const mechanism = m[2]?.trim();
+        const description = desc(m[3]);
+        const flows = [];
+        for (let i = 0; i < participants.length - 1; i++) {
+            flows.push({
+                ...base, verb: 'flows',
+                source: participants[i], target: participants[i + 1],
+                mechanism, description,
+            });
+        }
+        return okMulti(flows);
     }
     // ── @boundary ──
     if ((m = trimmed.match(PATTERNS.boundary))) {
         return ok({
-            ...base, verb: 'boundary', asset_a: m[1], asset_b: m[2],
+            ...base, verb: 'boundary', asset_a: resolveRef(m[1]), asset_b: resolveRef(m[2]),
             id: m[3], description: desc(m[4]),
         });
     }
     // ── @boundary pipe shorthand: @boundary A | B ──
     if ((m = trimmed.match(PATTERNS.boundary_pipe))) {
         return ok({
-            ...base, verb: 'boundary', asset_a: m[1], asset_b: m[2],
+            ...base, verb: 'boundary', asset_a: resolveRef(m[1]), asset_b: resolveRef(m[2]),
             id: m[3], description: desc(m[4]),
         });
     }
     // ── @connects (v1 → flows) ──
     if ((m = trimmed.match(PATTERNS.connects_v1))) {
         return ok({
-            ...base, verb: 'flows', source: m[1], target: m[2], description: desc(m[3]),
+            ...base, verb: 'flows', source: resolveRef(m[1]), target: resolveRef(m[2]), description: desc(m[3]),
         });
     }
     // ── @validates ──
     if ((m = trimmed.match(PATTERNS.validates))) {
-        return ok({ ...base, verb: 'validates', control: resolveRef(m[1]), asset: m[2], description: desc(m[3]) });
+        return ok({ ...base, verb: 'validates', control: resolveRef(m[1]), asset: resolveRef(m[2]), description: desc(m[3]) });
     }
     // ── @audit / @review (v1) ──
     if ((m = trimmed.match(PATTERNS.audit)) || (m = trimmed.match(PATTERNS.review_v1))) {
-        return ok({ ...base, verb: 'audit', asset: m[1], description: desc(m[2]) });
+        return ok({ ...base, verb: 'audit', asset: resolveRef(m[1]), description: desc(m[2]) });
     }
     // ── @owns ──
     if ((m = trimmed.match(PATTERNS.owns))) {
-        return ok({ ...base, verb: 'owns', owner: m[1], asset: m[2], description: desc(m[3]) });
+        return ok({ ...base, verb: 'owns', owner: m[1], asset: resolveRef(m[2]), description: desc(m[3]) });
     }
     // ── @handles ──
     if ((m = trimmed.match(PATTERNS.handles))) {
         return ok({
             ...base, verb: 'handles',
             classification: m[1].toLowerCase(),
-            asset: m[2], description: desc(m[3]),
+            asset: resolveRef(m[2]), description: desc(m[3]),
         });
     }
     // ── @assumes ──
     if ((m = trimmed.match(PATTERNS.assumes))) {
-        return ok({ ...base, verb: 'assumes', asset: m[1], description: desc(m[2]) });
+        return ok({ ...base, verb: 'assumes', asset: resolveRef(m[1]), description: desc(m[2]) });
+    }
+    // ── @feature ──
+    if ((m = trimmed.match(PATTERNS.feature))) {
+        return ok({ ...base, verb: 'feature', feature: unescapeDescription(m[1]), description: desc(m[2]) });
     }
     // ── @comment ──
     if ((m = trimmed.match(PATTERNS.comment))) {
         return ok({ ...base, verb: 'comment', description: desc(m[1]) });
     }
+    // ── @source ──
+    if ((m = trimmed.match(PATTERNS.source))) {
+        return {
+            annotation: null,
+            diagnostic: null,
+            isContinuation: false,
+            sourceDirective: {
+                file: m[1],
+                line: Number(m[2]),
+                symbol: m[3] || undefined,
+            },
+        };
+    }
     // ── @shield ──
     if ((m = trimmed.match(PATTERNS.shield_begin))) {
         return ok({ ...base, verb: 'shield:begin', description: desc(m[1]) });
@@ -195,9 +254,9 @@ export function parseLine(text, location) {
     const verbMatch = trimmed.match(/^@(\S+)/);
     if (verbMatch) {
         const knownVerbs = new Set([
-            'asset', 'threat', 'control', 'mitigates', 'exposes', 'accepts',
+            'asset', 'threat', 'control', 'mitigates', 'exposes', 'confirmed', 'accepts',
             'transfers', 'flows', 'boundary', 'validates', 'audit', 'owns',
-            'handles', 'assumes', 'comment', 'shield', 'shield:begin', 'shield:end',
+            'handles', 'assumes', 'feature', 'source', 'comment', 'shield', 'shield:begin', 'shield:end',
             // v1 compat
             'review', 'connects',
         ]);
@@ -216,11 +275,26 @@ export function parseLine(text, location) {
         }
     }
     // Not a GuardLink annotation (could be @param, @returns, etc.)
-    return { annotation: null, diagnostic: null, isContinuation: false };
+    return { annotation: null, diagnostic: null, isContinuation: false, sourceDirective: null };
 }
 // ─── Helpers ─────────────────────────────────────────────────────────
 function ok(annotation) {
-    return { annotation, diagnostic: null, isContinuation: false };
+    return { annotation, diagnostic: null, isContinuation: false, sourceDirective: null };
+}
+/** Like ok(), but for parser branches that emit multiple annotations from
+ *  one line (currently only multi-hop @flows chains). The first annotation
+ *  becomes the primary `annotation`; the remainder go in `extraAnnotations`
+ *  so the call site can push them all and update lastAnnotation correctly. */
+function okMulti(annotations) {
+    if (annotations.length === 0) {
+        return { annotation: null, diagnostic: null, isContinuation: false };
+    }
+    return {
+        annotation: annotations[0],
+        extraAnnotations: annotations.length > 1 ? annotations.slice(1) : undefined,
+        diagnostic: null,
+        isContinuation: false,
+    };
 }
 function desc(raw) {
     if (!raw)