musubix 1.7.0 → 1.8.5

package/AGENTS.md

@@ -8,13 +8,13 @@
 
 | 項目 | 詳細 |
 |------|------|
-| **バージョン** | 1.7.0 (YATA Platform Enhancements) |
+| **バージョン** | 1.8.0 (Security Analysis Edition) |
 | **言語** | TypeScript |
 | **ランタイム** | Node.js >= 20.0.0 |
 | **パッケージマネージャ** | npm >= 10.0.0 |
 | **ビルドシステム** | モノレポ（npm workspaces） |
 | **テストフレームワーク** | Vitest |
-| **テスト数** | 1386 (全合格) |
+| **テスト数** | 1586 (全合格) |
 | **コンポーネント数** | 249 (62ドメイン対応) |
 | **Agent Skills** | 12 (Claude Code対応) |
 
@@ -28,10 +28,12 @@
 packages/
 ├── core/           # @nahisaho/musubix-core
 ├── mcp-server/     # @nahisaho/musubix-mcp-server  
+├── security/       # @nahisaho/musubix-security (NEW!)
+├── formal-verify/  # @nahisaho/musubix-formal-verify
 ├── yata-client/    # @nahisaho/musubix-yata-client
 ├── yata-local/     # @nahisaho/yata-local
 ├── yata-global/    # @nahisaho/yata-global
-├── yata-ui/        # @nahisaho/yata-ui (NEW!)
+├── yata-ui/        # @nahisaho/yata-ui
 ├── pattern-mcp/    # @nahisaho/musubix-pattern-mcp
 ├── ontology-mcp/   # @nahisaho/musubix-ontology-mcp
 ├── wake-sleep/     # @nahisaho/musubix-wake-sleep
@@ -42,10 +44,12 @@ packages/
 |-----------|-----|------|
 | `packages/core/` | `@nahisaho/musubix-core` | コアライブラリ - CLI、EARS検証、コード生成、設計パターン |
 | `packages/mcp-server/` | `@nahisaho/musubix-mcp-server` | MCPサーバー - 19ツール、3プロンプト |
+| `packages/security/` | `@nahisaho/musubix-security` | **セキュリティ分析** - 脆弱性検出、シークレット検出、テイント解析 (NEW!) |
+| `packages/formal-verify/` | `@nahisaho/musubix-formal-verify` | 形式検証 - Z3統合、Hoare検証、EARS→SMT変換 |
 | `packages/yata-client/` | `@nahisaho/musubix-yata-client` | YATAクライアント - 知識グラフ連携 |
 | `packages/yata-local/` | `@nahisaho/yata-local` | **YATA Local** - SQLiteベースローカル知識グラフ |
 | `packages/yata-global/` | `@nahisaho/yata-global` | **YATA Global** - 分散型知識グラフプラットフォーム |
-| `packages/yata-ui/` | `@nahisaho/yata-ui` | **YATA UI** - Web可視化・管理インターフェース (NEW!) |
+| `packages/yata-ui/` | `@nahisaho/yata-ui` | **YATA UI** - Web可視化・管理インターフェース |
 | `packages/pattern-mcp/` | `@nahisaho/musubix-pattern-mcp` | パターン学習 - 抽出・圧縮・ライブラリ |
 | `packages/ontology-mcp/` | `@nahisaho/musubix-ontology-mcp` | オントロジー - N3Store・推論エンジン |
 | `packages/wake-sleep/` | `@nahisaho/musubix-wake-sleep` | Wake-Sleep学習サイクル |

package/README.ja.md

@@ -6,11 +6,12 @@
 [![Node.js Version](https://img.shields.io/badge/node-%3E%3D20.0.0-brightgreen)](https://nodejs.org/)
 [![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.3-blue)](https://www.typescriptlang.org/)
-[![Tests](https://img.shields.io/badge/tests-1429%20passing-brightgreen)](https://github.com/nahisaho/MUSUBIX)
+[![Tests](https://img.shields.io/badge/tests-1586%20passing-brightgreen)](https://github.com/nahisaho/MUSUBIX)
+[![npm security](https://img.shields.io/npm/v/@nahisaho/musubix-security.svg?label=@nahisaho/musubix-security)](https://www.npmjs.com/package/@nahisaho/musubix-security)
 
 > MUSUBI × YATA 統合による次世代AIコーディングシステム
 >
-> **v1.7.0** - YATAプラットフォーム拡張
+> **v1.8.0** - セキュリティ分析エディション
 
 ## 概要
 
@@ -36,6 +37,8 @@ MUSUBIXは、**ニューラル（LLM）** と **シンボリック（知識グ
 - 🌐 **YATA Global** - オフライン同期対応分散型知識プラットフォーム *(v1.6.3)*
 - 📤 **KGPR** - 安全な知識共有のためのKnowledge Graph Pull Request *(v1.6.4)*
 - 🚀 **YATAプラットフォーム拡張** - インデックス最適化、拡張エクスポート、グローバル同期、コード生成、Web UI *(v1.7.0)*
+- 🔬 **形式検証** - Z3 SMTソルバー統合、Hoareトリプル検証、EARS→SMT変換 *(v1.7.5)*
+- 🛡️ **セキュリティ分析** - 脆弱性スキャン、シークレット検出、テイント解析、依存関係監査 *(v1.8.0)*
 
 ## アーキテクチャ
 
@@ -85,6 +88,8 @@ flowchart TB
 | `packages/ontology-mcp/` | **オントロジーエンジン（NEW!）** |
 | `packages/wake-sleep/` | **Wake-Sleep学習（NEW!）** |
 | `packages/sdd-ontology/` | **SDDオントロジー（NEW!）** |
+| `packages/security/` | **セキュリティ分析（NEW!）** |
+| `packages/formal-verify/` | **形式検証** |
 | `steering/` | プロジェクトメモリ |
 | `storage/` | 仕様書・成果物 |
 | `templates/` | テンプレート |
@@ -120,6 +125,8 @@ npx musubix-mcp --transport stdio
 npm install @nahisaho/musubix-core
 npm install @nahisaho/musubix-mcp-server
 npm install @nahisaho/musubix-yata-client
+npm install @nahisaho/musubix-security
+npm install @nahisaho/musubix-formal-verify
 ```
 
 ### ソースからビルド
@@ -291,5 +298,5 @@ nahisaho
 ---
 
 **文書ID**: README  
-**バージョン**: 1.4.5  
-**最終更新**: 2026-01-05
+**バージョン**: 1.8.0  
+**最終更新**: 2026-01-06

package/README.md

@@ -7,11 +7,15 @@
 [![Node.js Version](https://img.shields.io/badge/node-%3E%3D20.0.0-brightgreen)](https://nodejs.org/)
 [![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.3-blue)](https://www.typescriptlang.org/)
-[![Tests](https://img.shields.io/badge/tests-1429%20passing-brightgreen)](https://github.com/nahisaho/MUSUBIX)
+[![Tests](https://img.shields.io/badge/tests-1824%20passing-brightgreen)](https://github.com/nahisaho/MUSUBIX)
+[![npm security](https://img.shields.io/npm/v/@nahisaho/musubix-security.svg?label=@nahisaho/musubix-security)](https://www.npmjs.com/package/@nahisaho/musubix-security)
+[![npm dfg](https://img.shields.io/npm/v/@nahisaho/musubix-dfg.svg?label=@nahisaho/musubix-dfg)](https://www.npmjs.com/package/@nahisaho/musubix-dfg)
+[![npm lean](https://img.shields.io/npm/v/@nahisaho/musubix-lean.svg?label=@nahisaho/musubix-lean)](https://www.npmjs.com/package/@nahisaho/musubix-lean)
+[![npm yata-scale](https://img.shields.io/npm/v/@nahisaho/yata-scale.svg?label=@nahisaho/yata-scale)](https://www.npmjs.com/package/@nahisaho/yata-scale)
 
 > Next-generation AI Coding System powered by MUSUBI × YATA Integration
 >
-> **v1.7.0** - YATA Platform Enhancements
+> **v1.8.5** - Deep Symbolic Integration Edition
 
 **[日本語版 README](README.ja.md)**
 
@@ -39,6 +43,11 @@ MUSUBIX is an innovative AI coding system that integrates **Neural (LLM)** and *
 - 🌐 **YATA Global** - Distributed knowledge platform with offline sync *(v1.6.3)*
 - 📤 **KGPR** - Knowledge Graph Pull Request for safe knowledge sharing *(v1.6.4)*
 - 🚀 **YATA Platform Enhancements** - Index optimization, enhanced export, global sync, code generation, web UI *(v1.7.0)*
+- 🔬 **Formal Verification** - Z3 SMT solver integration, Hoare triple verification, EARS-to-SMT conversion *(v1.7.5)*
+- 🛡️ **Security Analysis** - Vulnerability scanning, secret detection, taint analysis, dependency auditing *(v1.8.0)*
+- 📊 **DFG/CFG Extraction** - Data flow graph and control flow graph analysis for TypeScript/JavaScript *(v2.0.0-alpha.1)*
+- 🧮 **Lean 4 Integration** - Theorem proving with EARS-to-Lean conversion and ReProver proof search *(v2.0.0-alpha.1)*
+- 📈 **YATA Scale** - Distributed knowledge graph with sharding, multi-tier caching, and vector clock sync *(v2.0.0-alpha.1)*
 
 ## Architecture
 
@@ -90,6 +99,11 @@ flowchart TB
 | `packages/sdd-ontology/` | **SDD Ontology (NEW!)** |
 | `packages/yata-local/` | **YATA Local - SQLite Knowledge Graph (NEW!)** |
 | `packages/yata-global/` | **YATA Global - Distributed Knowledge Platform (NEW!)** |
+| `packages/security/` | **Security Analysis (NEW!)** |
+| `packages/formal-verify/` | **Formal Verification** |
+| `packages/dfg/` | **DFG/CFG Extraction - Data Flow Analysis (v2.0.0)** |
+| `packages/lean/` | **Lean 4 Integration - Theorem Proving (v2.0.0)** |
+| `packages/yata-scale/` | **YATA Scale - Distributed KG (v2.0.0)** |
 | `steering/` | Project Memory |
 | `storage/` | Specifications & Artifacts |
 | `templates/` | Templates |
@@ -125,6 +139,11 @@ npx musubix-mcp --transport stdio
 npm install @nahisaho/musubix-core
 npm install @nahisaho/musubix-mcp-server
 npm install @nahisaho/musubix-yata-client
+npm install @nahisaho/musubix-security
+npm install @nahisaho/musubix-formal-verify
+npm install @nahisaho/musubix-dfg
+npm install @nahisaho/musubix-lean
+npm install @nahisaho/yata-scale
 ```
 
 ### Build from Source
@@ -296,5 +315,5 @@ See [CHANGELOG.md](CHANGELOG.md)
 ---
 
 **Document ID**: README  
-**Version**: 1.4.5  
-**Last Updated**: 2026-01-05
+**Version**: 1.8.0  
+**Last Updated**: 2026-01-06

package/docs/API-REFERENCE.md

@@ -18,6 +18,7 @@
   - [YATA Global](#yata-global) *(v1.6.3)*
   - [KGPR](#kgpr) *(v1.6.4)*
   - [YATA Platform](#yata-platform) *(v1.7.0)*
+  - [Formal Verification](#formal-verification) *(v1.7.5)*
   - [Validation](#validation)
   - [Utils](#utils)
 - [MCP Server](#mcp-server)
@@ -885,6 +886,243 @@ await server.start();
 
 ---
 
+### Formal Verification (v1.7.5)
+
+The formal verification module provides Z3 SMT solver integration for verifying code correctness.
+
+#### Z3Adapter
+
+Unified interface for Z3 backends (WASM or Process).
+
+```typescript
+import { Z3Adapter } from '@nahisaho/musubix-formal-verify';
+
+// Create adapter (auto-selects best backend)
+const z3 = await Z3Adapter.create();
+
+// Check satisfiability
+const result = await z3.checkSat('(declare-const x Int) (assert (> x 0))');
+console.log(result); // 'sat' | 'unsat' | 'unknown'
+```
+
+**Methods:**
+
+| Method | Parameters | Returns | Description |
+|--------|------------|---------|-------------|
+| `create()` | - | `Promise<Z3Adapter>` | Create adapter instance |
+| `checkSat(smtLib2)` | `smtLib2: string` | `Promise<string>` | Check satisfiability |
+| `dispose()` | - | `Promise<void>` | Cleanup resources |
+
+---
+
+#### PreconditionVerifier
+
+Verifies preconditions for functions and methods.
+
+```typescript
+import { PreconditionVerifier } from '@nahisaho/musubix-formal-verify';
+
+const verifier = new PreconditionVerifier(z3Adapter);
+
+const result = await verifier.verify({
+  condition: { expression: 'amount > 0 && balance >= amount', format: 'javascript' },
+  variables: [
+    { name: 'amount', type: 'Int' },
+    { name: 'balance', type: 'Int' }
+  ]
+});
+
+console.log(result.status); // 'valid' | 'invalid' | 'unknown' | 'error'
+```
+
+**Methods:**
+
+| Method | Parameters | Returns | Description |
+|--------|------------|---------|-------------|
+| `verify(spec)` | `PreconditionSpec` | `Promise<VerificationResult>` | Verify precondition |
+
+**PreconditionSpec:**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| `condition` | `Condition` | The precondition to verify |
+| `variables` | `Variable[]` | Variables with types |
+
+**VerificationResult:**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| `status` | `'valid' \| 'invalid' \| 'unknown' \| 'error'` | Verification status |
+| `counterexample?` | `Record<string, any>` | Counterexample if invalid |
+| `message?` | `string` | Additional message |
+
+---
+
+#### PostconditionVerifier
+
+Verifies Hoare triples {P} C {Q}.
+
+```typescript
+import { PostconditionVerifier } from '@nahisaho/musubix-formal-verify';
+
+const verifier = new PostconditionVerifier(z3Adapter);
+
+const result = await verifier.verify({
+  precondition: { expression: 'balance >= amount', format: 'javascript' },
+  postcondition: { expression: 'balance_new == balance - amount', format: 'javascript' },
+  preVariables: [
+    { name: 'balance', type: 'Int' },
+    { name: 'amount', type: 'Int' }
+  ],
+  postVariables: [
+    { name: 'balance_new', type: 'Int' }
+  ],
+  transition: 'balance_new == balance - amount'
+});
+```
+
+**PostconditionSpec:**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| `precondition` | `Condition` | Pre-state condition |
+| `postcondition` | `Condition` | Post-state condition |
+| `preVariables` | `Variable[]` | Pre-state variables |
+| `postVariables` | `Variable[]` | Post-state variables |
+| `transition` | `string` | State transition expression |
+
+---
+
+#### EarsToSmtConverter
+
+Converts EARS requirements to SMT-LIB2 formulas.
+
+```typescript
+import { EarsToSmtConverter } from '@nahisaho/musubix-formal-verify';
+
+const converter = new EarsToSmtConverter();
+
+// Single conversion
+const result = converter.convert('THE system SHALL validate inputs');
+
+// Multiple conversions
+const results = converter.convertMultiple([
+  'THE system SHALL validate inputs',           // ubiquitous
+  'WHEN error, THE system SHALL notify user',   // event-driven
+  'WHILE busy, THE system SHALL queue requests', // state-driven
+  'THE system SHALL NOT expose secrets',        // unwanted
+  'IF admin, THEN THE system SHALL allow edit'  // optional
+]);
+```
+
+**Methods:**
+
+| Method | Parameters | Returns | Description |
+|--------|------------|---------|-------------|
+| `convert(ears)` | `ears: string` | `ConversionResult` | Convert single requirement |
+| `convertMultiple(ears[])` | `ears: string[]` | `ConversionResult[]` | Convert multiple requirements |
+
+**EARS Patterns:**
+
+| Pattern | Syntax | SMT Encoding |
+|---------|--------|--------------|
+| Ubiquitous | `THE system SHALL [action]` | `(assert action)` |
+| Event-driven | `WHEN [event], THE system SHALL [response]` | `(assert (=> event response))` |
+| State-driven | `WHILE [state], THE system SHALL [response]` | `(assert (=> state response))` |
+| Unwanted | `THE system SHALL NOT [behavior]` | `(assert (not behavior))` |
+| Optional | `IF [condition], THEN THE system SHALL [response]` | `(assert (=> condition response))` |
+
+---
+
+#### TraceabilityDB
+
+SQLite-based traceability database.
+
+```typescript
+import { TraceabilityDB } from '@nahisaho/musubix-formal-verify';
+
+const db = new TraceabilityDB('./trace.db');
+
+// Add nodes
+await db.addNode({ id: 'REQ-001', type: 'requirement', title: 'User Auth' });
+await db.addNode({ id: 'DES-001', type: 'design', title: 'AuthService' });
+await db.addNode({ id: 'CODE-001', type: 'code', title: 'auth.ts' });
+
+// Add links
+await db.addLink({ source: 'DES-001', target: 'REQ-001', type: 'satisfies' });
+await db.addLink({ source: 'CODE-001', target: 'DES-001', type: 'implements' });
+
+// Query
+const node = await db.getNode('REQ-001');
+const stats = await db.getStatistics();
+```
+
+**Methods:**
+
+| Method | Parameters | Returns | Description |
+|--------|------------|---------|-------------|
+| `addNode(node)` | `TraceNode` | `Promise<void>` | Add traceability node |
+| `getNode(id)` | `id: string` | `Promise<TraceNode \| undefined>` | Get node by ID |
+| `addLink(link)` | `TraceLink` | `Promise<void>` | Add traceability link |
+| `getStatistics()` | - | `Promise<TraceStats>` | Get database statistics |
+| `query(nodeId, options?)` | `nodeId: string, QueryOptions` | `Promise<QueryResult>` | Query related nodes |
+| `close()` | - | `void` | Close database |
+
+**Node Types:**
+
+| Type | Description |
+|------|-------------|
+| `requirement` | Requirements (REQ-*) |
+| `design` | Design artifacts (DES-*) |
+| `code` | Code files |
+| `test` | Test cases |
+
+**Link Types:**
+
+| Type | Description |
+|------|-------------|
+| `satisfies` | Design satisfies requirement |
+| `implements` | Code implements design |
+| `verifies` | Test verifies requirement |
+| `traces-to` | Generic traceability |
+
+---
+
+#### ImpactAnalyzer
+
+Analyzes change impact across traceability graph.
+
+```typescript
+import { ImpactAnalyzer } from '@nahisaho/musubix-formal-verify';
+
+const analyzer = new ImpactAnalyzer(traceabilityDB);
+
+// Analyze impact of changing REQ-001
+const impact = await analyzer.analyze('REQ-001');
+
+console.log(`Total impacted: ${impact.totalImpacted}`);
+console.log(`Direct: ${impact.directImpact.length}`);
+console.log(`Indirect: ${impact.indirectImpact.length}`);
+```
+
+**Methods:**
+
+| Method | Parameters | Returns | Description |
+|--------|------------|---------|-------------|
+| `analyze(nodeId)` | `nodeId: string` | `Promise<ImpactResult>` | Analyze change impact |
+
+**ImpactResult:**
+
+| Property | Type | Description |
+|----------|------|-------------|
+| `sourceId` | `string` | Source node ID |
+| `directImpact` | `ImpactedNode[]` | Directly impacted nodes |
+| `indirectImpact` | `ImpactedNode[]` | Transitively impacted nodes |
+| `totalImpacted` | `number` | Total number of impacted nodes |
+| `maxDepth` | `number` | Maximum impact depth |
+
+---
+
 ### Utils
 
 #### I18nManager

package/docs/INSTALL-GUIDE.ja.md

@@ -1,8 +1,8 @@
 # MUSUBIX インストールガイド
 
 **文書ID**: INSTALL-GUIDE  
-**バージョン**: 1.7.0  
-**最終更新**: 2026-01-06
+**バージョン**: 1.7.5  
+**最終更新**: 2026-01-07
 
 ---
 

package/docs/INSTALL-GUIDE.md

@@ -1,8 +1,8 @@
 # MUSUBIX Installation Guide
 
 **Document ID**: INSTALL-GUIDE  
-**Version**: 1.7.0  
-**Last Updated**: 2026-01-06
+**Version**: 1.7.5  
+**Last Updated**: 2026-01-07
 
 ---