pkg-scaffold 3.3.4 → 3.3.6

package/README.md

@@ -2,7 +2,7 @@
 
 ![Logo](./logo.png)
 
-> **The Ultimate Enterprise Codebase Janitor.** Faster than Knip with OXC integration, type-aware analysis, and self-healing capabilities. Fully standalone - solving what Knip cannot.
+> **The Ultimate Enterprise Codebase Janitor.** Faster than Knip with OXC integration, type-aware analysis, and automated structural healing. Fully standalone - solving what Knip cannot.
 
 ![Version](https://img.shields.io/npm/v/pkg-scaffold) ![License](https://img.shields.io/badge/license-Apache--2.0-green.svg) ![Performance](https://img.shields.io/badge/performance-OXC--Inside-blueviolet.svg)
 
@@ -14,9 +14,9 @@
 *   **🔌 Massive Plugin Ecosystem:** Over 20+ built-in plugins (Next.js, Nuxt, SvelteKit, Tailwind, Jest, Vitest, Playwright, GitHub Actions, Webpack, Babel, Rollup, ESLint, Prettier, Husky, and many more).
 *   **💀 True Dead Code Detection:** Advanced graph-based reachability analysis to find truly dead files and unused exports, even deep within your codebase.
 *   **🔄 Circular Dependency Detection:** High-performance Tarjan-based algorithm to detect and report circular dependencies.
+*   **🔐 Secrets Scanning:** Automatically detects hardcoded API keys, tokens, and credentials (v3.3.6+).
 *   **🛡️ Supply Chain Guard:** Detects typosquatting and verifies integrity lockfile hashes.
-*   **🔐 Secret Detection:** Scans for hardcoded secrets (API keys, tokens) using AST and Regex.
-*   **🛠️ Self-Healing:** Not just reporting, but automatically fixing structural issues (removing dead files, pruning unused dependencies).
+*   **🛠️ Automated Structural Healing:** Not just reporting, but automatically fixing structural issues (removing dead files, pruning unused dependencies) with git-based rollback protection.
 *   **⚙️ Flexible Configuration:** Supports `pkg-scaffold.json`, `pkg-scaffold.ts`, `scaffold.config.js`, and more.
 
 ## 📦 Installation
@@ -26,7 +26,7 @@ npm install -D pkg-scaffold
 # or
 pnpm add -D pkg-scaffold
 # or
-yarn add -D pkg-scaffold
+pnpm add -D pkg-scaffold
 ```
 
 ## 🚀 Usage
@@ -34,9 +34,11 @@ yarn add -D pkg-scaffold
 Run the CLI at the root of your project:
 
 ```bash
-npx pkg-scaffold --run
+npx pkg-scaffold -r
 ```
 
+> **Note**: Always use the `-r` flag to start the analysis loop. v3.3.6+ also features **Auto-Detection for Monorepos**.
+
 ### CLI Options
 
 *   `-c, --cwd <path>`: Specify the execution context root directory.

package/bin/cli.js

@@ -28,7 +28,7 @@ async function bootstrap() {
     program
       .name('pkg-scaffold')
       .description(ansis.cyan('Enterprise-Grade AST Syntax Refactoring & Self-Healing Engine'))
-      .version(packageJsonContent.version || '3.3.2');
+      .version(packageJsonContent.version || '3.3.5');
 
     program
       .option('-c, --cwd <path>', 'Specify the execution context root directory', process.cwd())
@@ -64,7 +64,7 @@ async function bootstrap() {
         const answer = await rl.question(ansis.bold.yellow('❓ No "pkg-scaffold:run" script found in package.json. Install it? (y/n): '));
         if (answer.toLowerCase() === 'y') {
           pkgJson.scripts = pkgJson.scripts || {};
-          pkgJson.scripts['pkg-scaffold:run'] = 'pkg-scaffold --fix';
+          pkgJson.scripts['pkg-scaffold:run'] = 'npx pkg-scaffold --fix';
           await fs.writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2));
           console.log(ansis.green('✅ "pkg-scaffold:run" script added to package.json.'));
         }
@@ -95,7 +95,7 @@ async function bootstrap() {
 
       if (pkgJson?.scripts?.['pkg-scaffold:run'] || configInstalled) {
         console.log(ansis.bold.cyan('\n🚀 Setup complete! To start the engine, run:'));
-        console.log(ansis.white(`   - pkg-scaffold -r`));
+        console.log(ansis.white(`   - npx pkg-scaffold -r`));
         console.log(ansis.white(`   - npm run pkg-scaffold:run\n`));
       }
     }
@@ -130,7 +130,7 @@ async function bootstrap() {
     }, timeoutMs);
     timeoutTimer.unref(); // Allow process to exit if work finishes
 
-    console.log(ansis.bold.green(`\n📦 pkg-scaffold v${packageJsonContent.version || '3.3.2'} Engine Activation`));
+    console.log(ansis.bold.green(`\n📦 pkg-scaffold v${packageJsonContent.version || '3.3.5'} Engine Activation`));
     console.log(ansis.dim('------------------------------------------------------------'));
     console.log(`${ansis.bold('Target Workspace Root :')} ${ansis.blue(targetCwd)}`);
     console.log(`${ansis.bold('Refactoring Mode     :')} ${options.fix ? ansis.yellow('Active Fixing & Self-Healing Enabled') : ansis.gray('Dry-Run Reporting Only')}`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pkg-scaffold",
-  "version": "3.3.4",
-  "description": "The Ultimate Enterprise Codebase Janitor. Faster than Knip with OXC integration, type-aware analysis, and self-healing capabilities. Fully standalone - solving what Knip cannot.",
+  "version": "3.3.6",
+  "description": "The Ultimate Enterprise Codebase Janitor. Faster than Knip with OXC integration, type-aware analysis, and automated structural healing. Fully standalone - solving what Knip cannot.",
   "type": "module",
   "main": "index.js",
   "bin": {
@@ -9,7 +9,7 @@
   },
   "scripts": {
     "start": "node bin/cli.js",
-    "pkg-scaffold:run": "node bin/cli.js",
+    "pkg-scaffold:run": "npx pkg-scaffold --fix",
     "test": "echo \"Error: no test specified\" && exit 0",
     "test:stability": "npm run test",
     "docs:dev": "vitepress dev docs",
@@ -48,7 +48,13 @@
     "package.json",
     "packages",
     "scan",
-    "self-healing",
+    "security",
+    "secret-scanner",
+    "secrets",
+    "hardcoded-secrets",
+    "credentials",
+    "audit",
+    "structural-healing",
     "setup",
     "type",
     "types",

package/src/EngineContext.js

@@ -1,6 +1,6 @@
 /**
  * ============================================================================
- * 📦 pkg-scaffold v3.3.0: Enterprise In-Memory Codebase State Manifest
+ * 📦 pkg-scaffold v3.3.6: Enterprise In-Memory Codebase State Manifest
  * ============================================================================
  * Implements a high-density, centralized graph database context for tracking
  * software engineering debt, dependencies, types, and vulnerabilities.
@@ -8,6 +8,7 @@
 
 import path from 'path';
 import fs from 'fs/promises';
+import { DependencyProfiler } from './resolution/DependencyProfiler.js';
 
 /**
  * High-Fidelity Graph Element Node representing a single file asset boundary.
@@ -42,14 +43,15 @@ export class GraphNode {
     this.incomingEdges = new Set(); // Set of absolute filePaths depending on this component
     this.outgoingEdges = new Set(); // Set of absolute internal filePaths this component calls
     
-    // Security & Compliance Anomaly Matrices
-    this.securityThreats = [];
+    // Structural Syntax Boundaries
     this.calculatedDynamicImports = [];
     this.localSuppressedRules = new Set();
     this.externalPackageUsage = new Set(); // Tracked third-party package names
     
     // Detailed AST Location Diagnostics (Symbol -> Structural Location Mapping)
     this.symbolSourceLocations = new Map(); // Symbol -> { line: number, column: number, length: number }
+    // Security threat findings for this file
+    this.securityThreats = [];
   }
 
   /**
@@ -64,17 +66,25 @@ export class GraphNode {
       if (!parentNode) continue;
 
       // Check if the symbol is explicitly imported by the parent
-      const importKey = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/')}:${symbolName}`;
-      const importKeyAlt = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/').replace(/\.(js|ts|tsx|jsx)$/, '')}:${symbolName}`;
+      // Strategy 1: Check absolute path based tokens (more reliable)
+      const absoluteImportKey = `${this.filePath}:${symbolName}`;
+      const absoluteStarKey = `${this.filePath}:*`;
       
-      if (parentNode.importedSymbols.has(importKey) || parentNode.importedSymbols.has(importKeyAlt)) {
+      if (parentNode.importedSymbols.has(absoluteImportKey) || parentNode.importedSymbols.has(absoluteStarKey)) {
         return true;
       }
 
-      // Check for star imports or namespace imports
-      const starKey = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/')}:*`;
-      const starKeyAlt = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/').replace(/\.(js|ts|tsx|jsx)$/, '')}:*`;
-      if (parentNode.importedSymbols.has(starKey) || parentNode.importedSymbols.has(starKeyAlt)) {
+      // Strategy 2: Check relative path based tokens (legacy/compatibility)
+      const relativePath = path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/');
+      const relativePathNoExt = relativePath.replace(/\.(js|ts|tsx|jsx)$/, '');
+      
+      const importKey = `${relativePath}:${symbolName}`;
+      const importKeyAlt = `${relativePathNoExt}:${symbolName}`;
+      const starKey = `${relativePath}:*`;
+      const starKeyAlt = `${relativePathNoExt}:*`;
+      
+      if (parentNode.importedSymbols.has(importKey) || parentNode.importedSymbols.has(importKeyAlt) ||
+          parentNode.importedSymbols.has(starKey) || parentNode.importedSymbols.has(starKeyAlt)) {
         return true;
       }
 
@@ -117,7 +127,7 @@ export class GraphNode {
       incomingDependenciesCount: this.incomingEdges.size,
       outgoingDependenciesCount: this.outgoingEdges.size,
       isDanglingOrphan: this.incomingEdges.size === 0 && !this.isLibraryEntry,
-      trackedThreatsCount: this.securityThreats.length
+      trackedThreatsCount: (this.securityThreats || []).length
     };
   }
 }
@@ -160,6 +170,10 @@ export class EngineContext {
     };
     this.usedExternalPackages = new Set(); // Global set of used npm packages
     this.manifestDependencies = new Map(); // Package.json path -> { dependencies, devDependencies, peerDependencies, optionalDependencies }
+    this.allSecretFindings = []; // Aggregated hardcoded secret findings across all scanned files
+
+    // DependencyProfiler instance for implicit invocation tracing
+    this._depProfiler = new DependencyProfiler(this);
   }
 
   /**
@@ -237,7 +251,7 @@ export class EngineContext {
    * Processes the entire active dependency map to compile structural issue indices.
    * Evaluates orphaned components, dead exports, and supply-chain threats.
    */
-  generateSummaryReport() {
+  async generateSummaryReport() {
     this.metrics.endTime = Date.now();
     const durationSeconds = ((this.metrics.endTime - this.metrics.startTime) / 1000).toFixed(2);
     
@@ -254,7 +268,6 @@ export class EngineContext {
       structuralIssuesDetected: {
         deadFiles: [],
         deadExports: [],
-        securityThreats: [],
         unusedDependencies: []
       },
       modificationsExecuted: {
@@ -266,6 +279,11 @@ export class EngineContext {
     for (const [filePath, node] of this.graph.entries()) {
       // Skip package control files from standard structural dead-code checks
       if (filePath.endsWith('package.json')) continue;
+      
+      // Fix: Always track external package usage from all files, even if they are orphaned,
+      // to prevent false-positive unused dependency reports.
+      node.externalPackageUsage.forEach(pkg => this.usedExternalPackages.add(pkg));
+
       if (this.isPathIgnored(filePath)) continue;
 
       const relativePath = path.relative(this.cwd, filePath);
@@ -299,28 +317,34 @@ export class EngineContext {
         }
       }
 
-      // Category C: Security Vulnerabilities
-      if (node.securityThreats && node.securityThreats.length > 0) {
-        node.securityThreats.forEach(threat => {
-          summary.structuralIssuesDetected.securityThreats.push({
-            file: relativePath,
-            identifier: threat.variableKey,
-            riskCode: threat.riskCode || 'HIGH_RISK_SECRET_LEAK',
-            entropy: threat.entropyValue,
-            line: threat.line || 1
-          });
-        });
-      }
     }
 
     // Category D: Unused Dependencies Audit (Enhanced Classification)
     for (const [manifestPath, manifestData] of this.manifestDependencies.entries()) {
       const relativeManifest = path.relative(this.cwd, manifestPath);
-      
+      const packageRoot = path.dirname(manifestPath);
+
+      // Collect packages that are implicitly used via scripts / config files
+      const implicitlyUsed = await this._depProfiler.traceImplicitInvocations(packageRoot);
+
+      // Resolve peer dependencies of all used packages so they are not flagged
+      const allUsedForPeerResolution = new Set([...this.usedExternalPackages, ...implicitlyUsed]);
+      const peerDepsOfUsed = await this._depProfiler.resolvePeerDependencies(allUsedForPeerResolution, packageRoot);
+
       const checkDeps = (deps, type) => {
         if (!deps) return;
         for (const dep of deps) {
-          if (!this.usedExternalPackages.has(dep)) {
+          // Skip peer and optional dependencies – they are never "unused" in the
+          // traditional sense because they are not required to be imported directly.
+          if (this._depProfiler.shouldExcludeFromUnusedCheck(dep, type)) {
+            continue;
+          }
+
+          const isUsedInCode = this.usedExternalPackages.has(dep);
+          const isUsedImplicitly = implicitlyUsed.has(dep);
+          const isRequiredAsPeer = peerDepsOfUsed.has(dep);
+
+          if (!isUsedInCode && !isUsedImplicitly && !isRequiredAsPeer) {
             summary.structuralIssuesDetected.unusedDependencies.push({
               manifest: relativeManifest,
               package: dep,
@@ -333,6 +357,7 @@ export class EngineContext {
 
       checkDeps(manifestData.dependencies, 'dependency');
       checkDeps(manifestData.devDependencies, 'devDependency');
+      // peerDependencies and optionalDependencies are excluded via shouldExcludeFromUnusedCheck
       checkDeps(manifestData.peerDependencies, 'peerDependency');
       checkDeps(manifestData.optionalDependencies, 'optionalDependency');
     }

package/src/ast/ASTAnalyzer.js

@@ -6,6 +6,16 @@ export class ASTAnalyzer {
     this.scopeStack = [];
   }
 
+  /**
+   * Returns the TypeScript ScriptKind for a given file path.
+   * Exposed as a public method so WorkerTaskRunner can call it directly.
+   */
+  getScriptKind(filePath) {
+    if (filePath.endsWith('.tsx') || filePath.endsWith('.jsx')) return ts.ScriptKind.TSX;
+    if (filePath.endsWith('.js') || filePath.endsWith('.mjs') || filePath.endsWith('.cjs')) return ts.ScriptKind.JS;
+    return ts.ScriptKind.TS;
+  }
+
   parseFile(filePath, content, fileNode) {
     if (this.context.verbose) {
       console.log(`[AST] Parsing: ${filePath}`);
@@ -16,7 +26,7 @@ export class ASTAnalyzer {
       content,
       ts.ScriptTarget.Latest,
       true,
-      filePath.endsWith('.tsx') || filePath.endsWith('.jsx') ? ts.ScriptKind.TSX : ts.ScriptKind.TS
+      this.getScriptKind(filePath)
     );
 
     this.currentScope = { symbols: new Map(), parent: null };
@@ -29,6 +39,13 @@ export class ASTAnalyzer {
     this.currentScope = null;
   }
 
+  /**
+   * Alias for walkAST used by WorkerTaskRunner (legacy API compatibility).
+   */
+  walkNode(node, sourceFile, fileNode) {
+    return this.walkAST(node, fileNode, sourceFile);
+  }
+
   pushScope() {
     const newScope = { symbols: new Map(), parent: this.currentScope };
     this.scopeStack.push(newScope);
@@ -87,6 +104,16 @@ export class ASTAnalyzer {
       case ts.SyntaxKind.ModuleDeclaration:
         this.handleNamedDeclaration(node, fileNode, sourceFile);
         break;
+      case ts.SyntaxKind.Identifier:
+        fileNode.instantiatedIdentifiers.add(node.text);
+        break;
+      case ts.SyntaxKind.StringLiteral:
+      case ts.SyntaxKind.NoSubstitutionTemplateLiteral:
+        fileNode.rawStringReferences.add(node.text);
+        break;
+      case ts.SyntaxKind.PropertyAccessExpression:
+        fileNode.propertyAccessChains.add(node.getText(sourceFile));
+        break;
       case ts.SyntaxKind.CallExpression:
         this.handleCallExpression(node, fileNode, sourceFile);
         break;
@@ -97,13 +124,6 @@ export class ASTAnalyzer {
       case ts.SyntaxKind.Decorator:
         this.handleDecorator(node, fileNode, sourceFile);
         break;
-      case ts.SyntaxKind.Identifier:
-        // Track usage of identifiers
-        const symbol = this.resolveSymbol(node.text);
-        if (symbol) {
-          // fileNode.usedSymbols.add(`${symbol.node.parent.kind}:${node.text}`); // More granular tracking needed
-        }
-        break;
     }
 
     ts.forEachChild(node, child => this.walkAST(child, fileNode, sourceFile));
@@ -117,88 +137,67 @@ export class ASTAnalyzer {
     if (node.moduleSpecifier && ts.isStringLiteral(node.moduleSpecifier)) {
       const specifier = node.moduleSpecifier.text;
       fileNode.explicitImports.add(specifier);
+      
+      // Track external package usage for dependency analysis
+      if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+        fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+      }
 
       if (node.importClause) {
+        if (node.importClause.name) {
+          fileNode.importedSymbols.add(`${specifier}:default`);
+        }
         if (node.importClause.namedBindings) {
-          if (ts.isNamedImports(node.importClause.namedBindings)) {
+          if (ts.isNamespaceImport(node.importClause.namedBindings)) {
+            fileNode.importedSymbols.add(`${specifier}:*`);
+          } else if (ts.isNamedImports(node.importClause.namedBindings)) {
             node.importClause.namedBindings.elements.forEach(element => {
-              const importedName = element.name.text;
-              const propertyName = element.propertyName ? element.propertyName.text : importedName;
-              fileNode.importedSymbols.add(`${specifier}:${propertyName}`);
-              this.addDeclaredSymbol(element.name.text, element, sourceFile); // Add local import name to scope
+              const importedName = element.propertyName ? element.propertyName.text : element.name.text;
+              fileNode.importedSymbols.add(`${specifier}:${importedName}`);
             });
-          } else if (ts.isNamespaceImport(node.importClause.namedBindings)) {
-            fileNode.importedSymbols.add(`${specifier}:*`);
-            this.addDeclaredSymbol(node.importClause.namedBindings.name.text, node.importClause.namedBindings, sourceFile); // Add namespace import to scope
           }
         }
-        if (node.importClause.name) {
-          fileNode.importedSymbols.add(`${specifier}:default`);
-          this.addDeclaredSymbol(node.importClause.name.text, node.importClause.name, sourceFile); // Add default import to scope
-        }
       }
     }
   }
 
   handleExportDeclaration(node, fileNode, sourceFile) {
-    if (node.moduleSpecifier && ts.isStringLiteral(node.moduleSpecifier)) {
-      const specifier = node.moduleSpecifier.text;
-      if (node.exportClause && ts.isNamedExports(node.exportClause)) {
-        node.exportClause.elements.forEach(element => {
-          const name = element.name.text;
-          const propertyName = element.propertyName ? element.propertyName.text : name;
-          fileNode.internalExports.set(name, { 
-            type: 're-export', 
-            source: specifier,
-            originalName: propertyName,
-            start: node.getStart(sourceFile), 
-            end: node.getEnd() 
-          });
-        });
-      } else if (node.exportClause && ts.isNamespaceExport(node.exportClause)) {
-        // export * as name from 'module'
+    const specifier = node.moduleSpecifier && ts.isStringLiteral(node.moduleSpecifier) ? node.moduleSpecifier.text : null;
+    
+    if (specifier) {
+      // Re-export from source: export * from './module' or export { x } from './module'
+      fileNode.explicitImports.add(specifier);
+      
+      // Track external package usage from re-exports
+      if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+        fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+      }
+
+      if (!node.exportClause) {
+        // export * from './module'
+        fileNode.internalExports.set('*', { type: 're-export-all', source: specifier });
+        fileNode.importedSymbols.add(`${specifier}:*`);
+      } else if (ts.isNamespaceExport(node.exportClause)) {
+        // export * as name from './module'
         const name = node.exportClause.name.text;
         fileNode.internalExports.set(name, { type: 're-export-namespace', source: specifier, originalName: '*', start: node.getStart(sourceFile), end: node.getEnd() });
-      } else {
-        // export * from 'module'
-        fileNode.internalExports.set('*', { type: 're-export-all', source: specifier });
-      }
-    } else if (node.exportClause && ts.isNamedExports(node.exportClause)) {
+        fileNode.importedSymbols.add(`${specifier}:*`);
+      } else if (ts.isNamedExports(node.exportClause)) {
+        // export { x, y as z } from './module'
         node.exportClause.elements.forEach(element => {
-          const name = element.name.text;
-          const propertyName = element.propertyName ? element.propertyName.text : name;
-          fileNode.internalExports.set(name, { 
-            type: 'export', 
-            originalName: propertyName,
-            start: node.getStart(sourceFile), 
-            end: node.getEnd() 
-          });
+          const originalName = element.propertyName ? element.propertyName.text : element.name.text;
+          const exportedName = element.name.text;
+          fileNode.internalExports.set(exportedName, { type: 're-export', source: specifier, originalName, start: element.getStart(sourceFile), end: element.getEnd() });
+          fileNode.importedSymbols.add(`${specifier}:${originalName}`);
         });
-    } else if (node.declaration) {
-      // Direct export of a declaration (e.g., export const x = 1;)
-      if (ts.isVariableStatement(node.declaration)) {
-        node.declaration.declarationList.declarations.forEach(decl => {
-          if (decl.name && ts.isIdentifier(decl.name)) {
-            const name = decl.name.text;
-            fileNode.internalExports.set(name, { 
-              type: 'variable', 
-              start: decl.getStart(sourceFile), 
-              end: decl.getEnd() 
-            });
-            this.addDeclaredSymbol(name, decl, sourceFile);
-          }
-        });
-      } else if (ts.isFunctionDeclaration(node.declaration) || ts.isClassDeclaration(node.declaration)) {
-        const name = node.declaration.name?.text;
-        if (name) {
-          fileNode.internalExports.set(name, { 
-            type: ts.SyntaxKind[node.declaration.kind].toLowerCase().replace('declaration', ''), 
-            start: node.declaration.getStart(sourceFile), 
-            end: node.declaration.getEnd() 
-          });
-          this.addDeclaredSymbol(name, node.declaration, sourceFile);
-        }
       }
+    } else if (node.exportClause && ts.isNamedExports(node.exportClause)) {
+      // Local named exports: export { x, y as z }
+      node.exportClause.elements.forEach(element => {
+        const localName = element.propertyName ? element.propertyName.text : element.name.text;
+        const exportedName = element.name.text;
+        fileNode.internalExports.set(exportedName, { type: 'export', originalName: localName, start: element.getStart(sourceFile), end: element.getEnd() });
+      });
     }
   }
 
@@ -275,6 +274,8 @@ export class ASTAnalyzer {
             start: decl.getStart(sourceFile), 
             end: decl.getEnd() 
           });
+          const loc = sourceFile.getLineAndCharacterOfPosition(decl.getStart(sourceFile));
+          fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
           this.addDeclaredSymbol(name, decl, sourceFile);
         } else if (decl.name && ts.isObjectBindingPattern(decl.name)) {
            decl.name.elements.forEach(element => {
@@ -285,6 +286,8 @@ export class ASTAnalyzer {
                        start: element.getStart(sourceFile),
                        end: element.getEnd()
                    });
+                   const loc = sourceFile.getLineAndCharacterOfPosition(element.getStart(sourceFile));
+                   fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
                    this.addDeclaredSymbol(name, element, sourceFile);
                }
            });
@@ -297,6 +300,8 @@ export class ASTAnalyzer {
                        start: element.getStart(sourceFile),
                        end: element.getEnd()
                    });
+                   const loc = sourceFile.getLineAndCharacterOfPosition(element.getStart(sourceFile));
+                   fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
                    this.addDeclaredSymbol(name, element, sourceFile);
                }
            });
@@ -325,16 +330,32 @@ export class ASTAnalyzer {
   }
 
   handleCallExpression(node, fileNode, sourceFile) {
+    // Dynamic import(): import('./module').then(...)
     if (node.expression.kind === ts.SyntaxKind.ImportKeyword) {
       const arg = node.arguments[0];
-      if (arg && ts.isStringLiteral(arg)) {
-        fileNode.explicitImports.add(arg.text);
-        fileNode.dynamicImports.add(arg.text);
+      if (arg) {
+        if (ts.isStringLiteral(arg)) {
+          fileNode.explicitImports.add(arg.text);
+          fileNode.dynamicImports.add(arg.text);
+          // Track external package usage from dynamic imports
+          if (!arg.text.startsWith('.') && !arg.text.startsWith('/')) {
+            fileNode.externalPackageUsage.add(this._extractPackageName(arg.text));
+          }
+        } else {
+          // Dynamic import with a non-literal expression (e.g., variable or template literal).
+          if (fileNode.calculatedDynamicImports) {
+            fileNode.calculatedDynamicImports.push({ kind: ts.SyntaxKind[arg.kind], start: arg.getStart(sourceFile) });
+          }
+        }
       }
     } else if (ts.isIdentifier(node.expression) && node.expression.text === 'require') {
       const arg = node.arguments[0];
       if (arg && ts.isStringLiteral(arg)) {
         fileNode.explicitImports.add(arg.text);
+        // Track external package usage from require() calls
+        if (!arg.text.startsWith('.') && !arg.text.startsWith('/')) {
+          fileNode.externalPackageUsage.add(this._extractPackageName(arg.text));
+        }
       }
     }
   }
@@ -371,7 +392,6 @@ export class ASTAnalyzer {
     if (ts.isCallExpression(node.expression)) {
       node.expression.arguments.forEach(arg => {
         // Further analysis of arguments can be done here if needed
-        // e.g., if (ts.isStringLiteral(arg)) fileNode.decoratorArgs.add(`${decoratorName}:${arg.text}`);
       });
     }
   }
@@ -391,4 +411,18 @@ export class ASTAnalyzer {
       }
     }
   }
+
+  /**
+   * Extracts the root npm package name from an import specifier.
+   * Handles scoped packages (@scope/pkg) and subpath imports (pkg/utils, @scope/pkg/utils).
+   */
+  _extractPackageName(specifier) {
+    if (specifier.startsWith('@')) {
+      // Scoped package: @scope/name or @scope/name/subpath
+      const parts = specifier.split('/');
+      return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : specifier;
+    }
+    // Regular package: name or name/subpath
+    return specifier.split('/')[0];
+  }
 }

package/src/ast/BarrelParser.js

@@ -178,19 +178,39 @@ export class BarrelParser {
     }
 
     // Rule D: Sweep through anonymous star re-exports vectors (export * from 'module')
+    //
+    // Algorithm:
+    // 1. For each `export * from './child'`, recursively resolve the symbol in the child.
+    // 2. A non-barrel child immediately returns `{ originFile: childPath }` regardless of
+    //    whether it actually declares the symbol.  We therefore must verify that the
+    //    returned origin file actually contains the symbol in its declaredLocalExports
+    //    before accepting the result.
+    // 3. If the child is itself a barrel, the recursive call already performs the full
+    //    chain walk, so we only need to verify the final origin.
     for (const relativePath of spec.wildcardExports) {
       const fullyResolvedPath = this.resolver.resolveModulePath(contextFilePath, relativePath);
       
       if (fullyResolvedPath) {
-        // Look inside the graph metadata map configuration to verify child target availability
         const continuousResolutionTrace = await this.determineSymbolDeclarationOrigin(
           fullyResolvedPath,
           targetSymbolName,
           activeProjectGraph,
-          protectionStack
+          new Set(protectionStack) // Use a copy so sibling branches don't block each other
         );
-        // If a resolution was found in a child barrel, return it
-        if (continuousResolutionTrace && continuousResolutionTrace.originFile !== fullyResolvedPath) {
+
+        if (!continuousResolutionTrace) continue;
+        if (continuousResolutionTrace.originFile === contextFilePath) continue;
+
+        // Verify that the resolved origin actually declares the symbol.
+        // This prevents a non-barrel sibling (e.g. constants.ts) from being
+        // incorrectly returned for a symbol it does not export (e.g. formatData).
+        const originSpec = await this.parseBarrelSpecification(continuousResolutionTrace.originFile);
+        if (originSpec.declaredLocalExports.has(continuousResolutionTrace.originSymbol)) {
+          return continuousResolutionTrace;
+        }
+        // The origin spec is itself a barrel (isBarrelInstance = true) and the
+        // recursive call already resolved through it – accept the result.
+        if (originSpec.isBarrelInstance) {
           return continuousResolutionTrace;
         }
       }