projscan 2.9.0 → 3.0.1

package/dist/mcp/tools/dataflow.js

@@ -0,0 +1,69 @@
+import { scanRepository } from '../../core/repositoryScanner.js';
+import { buildCodeGraph } from '../../core/codeGraph.js';
+import { computeDataflow } from '../../core/dataflow.js';
+import { loadConfig } from '../../utils/config.js';
+export const dataflowTool = {
+    name: 'projscan_dataflow',
+    description: 'Return v3 dataflow risks over the function graph. Includes legacy direct/propagated taint projections plus bridge-helper risks where a wrapper calls both a source reader and a dangerous sink.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            sources: {
+                type: 'array',
+                items: { type: 'string' },
+                description: 'Additional source names to merge with defaults and .projscanrc taint.sources.',
+            },
+            sinks: {
+                type: 'array',
+                items: { type: 'string' },
+                description: 'Additional sink names to merge with defaults and .projscanrc taint.sinks.',
+            },
+            max_risks: {
+                type: 'number',
+                description: 'Maximum risks to return. Default 50, max 500.',
+            },
+            include_tests: {
+                type: 'boolean',
+                description: 'Include dataflow risks that touch test files. Default false.',
+            },
+            include_broad_file_io: {
+                type: 'boolean',
+                description: 'Include broad readFile/writeFile-style default risks. Default false.',
+            },
+            max_tokens: {
+                type: 'number',
+                description: 'Cap the response to roughly this many tokens.',
+            },
+        },
+    },
+    handler: async (args, rootPath) => {
+        const scan = await scanRepository(rootPath);
+        const graph = await buildCodeGraph(rootPath, scan.files);
+        const { config } = await loadConfig(rootPath);
+        const sources = [
+            ...(config.taint?.sources ?? []),
+            ...(Array.isArray(args.sources)
+                ? args.sources.filter((value) => typeof value === 'string')
+                : []),
+        ];
+        const sinks = [
+            ...(config.taint?.sinks ?? []),
+            ...(Array.isArray(args.sinks)
+                ? args.sinks.filter((value) => typeof value === 'string')
+                : []),
+        ];
+        const maxRisks = typeof args.max_risks === 'number' && Number.isFinite(args.max_risks)
+            ? Math.max(1, Math.min(500, Math.floor(args.max_risks)))
+            : 50;
+        const report = computeDataflow(graph, { sources, sinks }, {
+            includeTests: args.include_tests === true,
+            includeBroadFileIo: args.include_broad_file_io === true,
+        });
+        return {
+            ...report,
+            risks: report.risks.slice(0, maxRisks),
+            truncated: report.risks.length > maxRisks || report.truncated,
+        };
+    },
+};
+//# sourceMappingURL=dataflow.js.map

package/dist/mcp/tools/dataflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflow.js","sourceRoot":"","sources":["../../../src/mcp/tools/dataflow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,MAAM,CAAC,MAAM,YAAY,GAAY;IACnC,IAAI,EAAE,mBAAmB;IACzB,WAAW,EACT,iMAAiM;IACnM,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBACzB,WAAW,EAAE,+EAA+E;aAC7F;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gBACzB,WAAW,EAAE,2EAA2E;aACzF;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;YACD,aAAa,EAAE;gBACb,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE,8DAA8D;aAC5E;YACD,qBAAqB,EAAE;gBACrB,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE,sEAAsE;aACpF;YACD,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QAChC,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG;YACd,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC;YAChC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC7B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;gBAC5E,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QACF,MAAM,KAAK,GAAG;YACZ,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC;YAC9B,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;gBAC3B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;gBAC1E,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;QACF,MAAM,QAAQ,GACZ,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YACnE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;YACxD,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;YACxD,YAAY,EAAE,IAAI,CAAC,aAAa,KAAK,IAAI;YACzC,kBAAkB,EAAE,IAAI,CAAC,qBAAqB,KAAK,IAAI;SACxD,CAAC,CAAC;QACH,OAAO;YACL,GAAG,MAAM;YACT,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC;YACtC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,QAAQ,IAAI,MAAM,CAAC,SAAS;SAC9D,CAAC;IACJ,CAAC;CACF,CAAC"}

package/dist/mcp/tools/semanticGraph.d.ts

@@ -0,0 +1,2 @@
+import type { McpTool } from './_shared.js';
+export declare const semanticGraphTool: McpTool;

package/dist/mcp/tools/semanticGraph.js

@@ -0,0 +1,40 @@
+import { scanRepository } from '../../core/repositoryScanner.js';
+import { buildCodeGraph } from '../../core/codeGraph.js';
+import { buildSemanticGraph } from '../../core/semanticGraph.js';
+import { loadCachedGraph, saveCachedGraph } from '../../core/indexCache.js';
+export const semanticGraphTool = {
+    name: 'projscan_semantic_graph',
+    description: 'Return the stable v3 semantic graph: file/function/package/symbol nodes plus imports, exports, defines, and calls edges. Use when an agent needs one normalized graph contract instead of several targeted graph queries.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            max_nodes: {
+                type: 'number',
+                description: 'Maximum graph nodes to return. Default 10000.',
+            },
+            max_edges: {
+                type: 'number',
+                description: 'Maximum graph edges to return. Default 25000.',
+            },
+            max_tokens: {
+                type: 'number',
+                description: 'Cap the response to roughly this many tokens.',
+            },
+        },
+    },
+    handler: async (args, rootPath) => {
+        const scan = await scanRepository(rootPath);
+        const cached = await loadCachedGraph(rootPath);
+        const graph = await buildCodeGraph(rootPath, scan.files, cached);
+        await saveCachedGraph(rootPath, graph);
+        return buildSemanticGraph(graph, {
+            maxNodes: typeof args.max_nodes === 'number' && Number.isFinite(args.max_nodes)
+                ? args.max_nodes
+                : undefined,
+            maxEdges: typeof args.max_edges === 'number' && Number.isFinite(args.max_edges)
+                ? args.max_edges
+                : undefined,
+        });
+    },
+};
+//# sourceMappingURL=semanticGraph.js.map

package/dist/mcp/tools/semanticGraph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semanticGraph.js","sourceRoot":"","sources":["../../../src/mcp/tools/semanticGraph.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAG5E,MAAM,CAAC,MAAM,iBAAiB,GAAY;IACxC,IAAI,EAAE,yBAAyB;IAC/B,WAAW,EACT,2NAA2N;IAC7N,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;YACD,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QAChC,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACjE,MAAM,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACvC,OAAO,kBAAkB,CAAC,KAAK,EAAE;YAC/B,QAAQ,EACN,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACnE,CAAC,CAAC,IAAI,CAAC,SAAS;gBAChB,CAAC,CAAC,SAAS;YACf,QAAQ,EACN,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;gBACnE,CAAC,CAAC,IAAI,CAAC,SAAS;gBAChB,CAAC,CAAC,SAAS;SAChB,CAAC,CAAC;IACL,CAAC;CACF,CAAC"}

package/dist/mcp/tools.js

@@ -20,6 +20,7 @@ import { auditTool } from './tools/audit.js';
 import { upgradeTool } from './tools/upgrade.js';
 import { coverageTool } from './tools/coverage.js';
 import { graphTool } from './tools/graph.js';
+import { semanticGraphTool } from './tools/semanticGraph.js';
 import { couplingTool } from './tools/coupling.js';
 import { workspacesTool } from './tools/workspaces.js';
 import { prDiffTool } from './tools/prDiff.js';
@@ -33,6 +34,7 @@ import { memoryTool } from './tools/memory.js';
 import { workspaceGraphTool } from './tools/workspaceGraph.js';
 import { applyFixTool } from './tools/applyFix.js';
 import { taintTool } from './tools/taint.js';
+import { dataflowTool } from './tools/dataflow.js';
 import { costSummaryTool } from './tools/costSummary.js';
 import { reviewWatchTool } from './tools/reviewWatch.js';
 import { pluginTool } from './tools/plugin.js';
@@ -58,6 +60,7 @@ const tools = [
     upgradeTool,
     coverageTool,
     graphTool,
+    semanticGraphTool,
     couplingTool,
     workspacesTool,
     prDiffTool,
@@ -71,6 +74,7 @@ const tools = [
     workspaceGraphTool,
     applyFixTool,
     taintTool,
+    dataflowTool,
     costSummaryTool,
     reviewWatchTool,
     pluginTool,

package/dist/mcp/tools.js.map

@@ -1 +1 @@
-{"version":3,"file":"tools.js","sourceRoot":"","sources":["../../src/mcp/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAMnD,MAAM,KAAK,GAAc;IACvB,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;IACX,QAAQ;IACR,aAAa;IACb,gBAAgB;IAChB,YAAY;IACZ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,cAAc;IACd,UAAU;IACV,UAAU;IACV,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,UAAU;IACV,WAAW;IACX,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,SAAS;IACT,eAAe;IACf,eAAe;IACf,UAAU;IACV,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,WAAW;IACX,gBAAgB;IAChB,kBAAkB;IAClB,cAAc;IACd,oBAAoB;IACpB,YAAY;CACb,CAAC;AAEF,MAAM,UAAU,kBAAkB;IAChC,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;AACjG,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,OAAO,CAAC;AACrD,CAAC"}
+{"version":3,"file":"tools.js","sourceRoot":"","sources":["../../src/mcp/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAMnD,MAAM,KAAK,GAAc;IACvB,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;IACX,QAAQ;IACR,aAAa;IACb,gBAAgB;IAChB,YAAY;IACZ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,SAAS;IACT,iBAAiB;IACjB,YAAY;IACZ,cAAc;IACd,UAAU;IACV,UAAU;IACV,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,UAAU;IACV,WAAW;IACX,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,eAAe;IACf,eAAe;IACf,UAAU;IACV,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,WAAW;IACX,gBAAgB;IAChB,kBAAkB;IAClB,cAAc;IACd,oBAAoB;IACpB,YAAY;CACb,CAAC;AAEF,MAAM,UAAU,kBAAkB;IAChC,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;AACjG,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,OAAO,CAAC;AACrD,CAAC"}

package/dist/projscan-sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:b12746dd-8a61-4284-98be-050dd759568d",
+  "serialNumber": "urn:uuid:43e993dc-55dd-4723-a95a-ad09b6117db4",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-23T13:07:23.569Z",
+    "timestamp": "2026-05-26T20:40:36.688Z",
     "tools": [
       {
         "vendor": "projscan",
         "name": "projscan-sbom-generator",
-        "version": "2.9.0"
+        "version": "3.0.1"
       }
     ],
     "component": {
       "type": "application",
-      "bom-ref": "pkg:npm/projscan@2.9.0",
+      "bom-ref": "pkg:npm/projscan@3.0.1",
       "name": "projscan",
-      "version": "2.9.0",
-      "purl": "pkg:npm/projscan@2.9.0"
+      "version": "3.0.1",
+      "purl": "pkg:npm/projscan@3.0.1"
     }
   },
   "components": [

package/dist/tool-manifest.json

@@ -1,9 +1,9 @@
 {
   "name": "projscan",
-  "version": "2.9.0",
+  "version": "3.0.1",
   "mcpProtocolVersion": "2025-03-26",
-  "generatedAt": "2026-05-23T13:07:28.575Z",
-  "toolCount": 37,
+  "generatedAt": "2026-05-26T20:40:40.856Z",
+  "toolCount": 39,
   "tools": [
     {
       "name": "projscan_analyze",
@@ -264,6 +264,27 @@
         ]
       }
     },
+    {
+      "name": "projscan_semantic_graph",
+      "description": "Return the stable v3 semantic graph: file/function/package/symbol nodes plus imports, exports, defines, and calls edges. Use when an agent needs one normalized graph contract instead of several targeted graph queries.",
+      "inputSchema": {
+        "type": "object",
+        "properties": {
+          "max_nodes": {
+            "type": "number",
+            "description": "Maximum graph nodes to return. Default 10000."
+          },
+          "max_edges": {
+            "type": "number",
+            "description": "Maximum graph edges to return. Default 25000."
+          },
+          "max_tokens": {
+            "type": "number",
+            "description": "Cap the response to roughly this many tokens."
+          }
+        }
+      }
+    },
     {
       "name": "projscan_coupling",
       "description": "Per-file coupling metrics (fan-in, fan-out, instability) and circular-import cycles, derived from the AST code graph. Use `direction` to focus the result: \"all\" returns every file sorted by fan-in; \"high_fan_in\" / \"high_fan_out\" sort accordingly; \"cycles_only\" returns just the files participating in import cycles. Cycles are reported separately as strongly-connected components of size >= 2.",
@@ -647,6 +668,45 @@
         }
       }
     },
+    {
+      "name": "projscan_dataflow",
+      "description": "Return v3 dataflow risks over the function graph. Includes legacy direct/propagated taint projections plus bridge-helper risks where a wrapper calls both a source reader and a dangerous sink.",
+      "inputSchema": {
+        "type": "object",
+        "properties": {
+          "sources": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "Additional source names to merge with defaults and .projscanrc taint.sources."
+          },
+          "sinks": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "Additional sink names to merge with defaults and .projscanrc taint.sinks."
+          },
+          "max_risks": {
+            "type": "number",
+            "description": "Maximum risks to return. Default 50, max 500."
+          },
+          "include_tests": {
+            "type": "boolean",
+            "description": "Include dataflow risks that touch test files. Default false."
+          },
+          "include_broad_file_io": {
+            "type": "boolean",
+            "description": "Include broad readFile/writeFile-style default risks. Default false."
+          },
+          "max_tokens": {
+            "type": "number",
+            "description": "Cap the response to roughly this many tokens."
+          }
+        }
+      }
+    },
     {
       "name": "projscan_cost_summary",
       "description": "Aggregate token-cost analytics from the current session's tool-call history. action:\"snapshot\" (default) returns total tokens spent, top spenders, per-tool typical/p95 estimates, and a static expected-cost catalog so the agent can budget pre-call. 1.10+: action:\"start_stream\" / \"stop_stream\" / \"list_streams\" turns this into a live cost dashboard — the server polls the session log on an interval and emits notifications/projscan/cost_delta whenever new tool calls have accrued, with the per-tool deltas and the new cumulative totals inline. Pairs with the `_cost` sidecar attached to every tool result. Read-only. Note: the session event log is bounded at 500 entries — for long-running sessions, older calls are dropped from the snapshot.",

package/dist/types.d.ts

@@ -212,7 +212,7 @@ export interface HealthScore {
 }
 export type PreflightMode = 'before_edit' | 'before_commit' | 'before_merge';
 export type PreflightVerdict = 'proceed' | 'caution' | 'block';
-export type PreflightReasonSource = 'doctor' | 'review' | 'taint' | 'session' | 'plugin' | 'supply-chain' | 'memory' | 'changed-files' | 'hotspots' | 'git' | 'format';
+export type PreflightReasonSource = 'doctor' | 'review' | 'taint' | 'session' | 'plugin' | 'supply-chain' | 'memory' | 'changed-files' | 'hotspots' | 'git' | 'format' | 'release';
 export interface PreflightReason {
     severity: IssueSeverity;
     source: PreflightReasonSource;
@@ -232,6 +232,15 @@ export interface PreflightSuggestedAction {
     tool?: string;
     args?: Record<string, unknown>;
 }
+export interface PreflightReleaseScaleEvidence {
+    detected: boolean;
+    changedFiles: number;
+    threshold: number;
+    reviewVerdict?: ReviewReport['verdict'];
+    reviewSummary?: string;
+    concreteBlockers: string[];
+    explanation: string;
+}
 export interface PreflightEvidence {
     health?: {
         score: number;
@@ -274,6 +283,7 @@ export interface PreflightEvidence {
         errorIssues: number;
         warningIssues: number;
     };
+    releaseScale?: PreflightReleaseScaleEvidence;
 }
 export interface PreflightReport {
     schemaVersion: 1;
@@ -290,7 +300,7 @@ export interface PreflightReport {
 export type WorkplanMode = PreflightMode | 'refactor' | 'release' | 'bug_hunt' | 'hardening';
 export type WorkplanPriority = 'p0' | 'p1' | 'p2';
 export interface WorkplanEvidence {
-    source: PreflightReasonSource | 'coordination' | 'release' | 'verification';
+    source: PreflightReasonSource | 'coordination' | 'release' | 'verification' | 'graph';
     message: string;
     severity?: IssueSeverity;
     file?: string;
@@ -477,6 +487,16 @@ export interface AgentBriefGuardrail {
     reason: string;
     command: string;
 }
+export interface GraphEvidenceSummary {
+    schemaVersion: 1;
+    changedFiles?: number;
+    changedFunctions?: number;
+    totalFunctions: number;
+    totalPackages: number;
+    totalCallEdges: number;
+    dataflowRisks: number;
+    topPackages: string[];
+}
 export interface AgentBriefReport {
     schemaVersion: 1;
     intent: AgentBriefIntent;
@@ -491,12 +511,29 @@ export interface AgentBriefReport {
         }>;
         touchedFiles: string[];
         conflicts: number;
+        graph?: GraphEvidenceSummary;
     };
     focus: AgentBriefItem[];
     guardrails: AgentBriefGuardrail[];
     suggestedNextActions: PreflightSuggestedAction[];
     truncated?: boolean;
 }
+export interface GraphCorpusFixtureMetrics {
+    name: string;
+    fixture: string;
+    files: number;
+    functions: number;
+    packages: number;
+    symbols: number;
+    importEdges: number;
+    callEdges: number;
+    dataflowRisks: number;
+}
+export interface GraphCorpusReport {
+    schemaVersion: 1;
+    fixtures: GraphCorpusFixtureMetrics[];
+    totals: Omit<GraphCorpusFixtureMetrics, 'name' | 'fixture'>;
+}
 export type QualityScorecardVerdict = 'excellent' | 'healthy' | 'needs_attention' | 'blocked';
 export type QualityScorecardStatus = 'pass' | 'watch' | 'fail';
 export interface QualityScorecardDimension {
@@ -906,6 +943,76 @@ export interface PrDiffReport {
     filesModified: FileAstDiff[];
     totalFilesChanged: number;
 }
+export type SemanticGraphNodeKind = 'file' | 'function' | 'package' | 'symbol';
+export interface SemanticGraphNode {
+    id: string;
+    kind: SemanticGraphNodeKind;
+    label: string;
+    file?: string;
+    line?: number;
+    endLine?: number;
+    adapterId?: string;
+    metrics?: {
+        lineCount?: number;
+        cyclomaticComplexity?: number;
+        fanIn?: number;
+        fanOut?: number;
+    };
+}
+export type SemanticGraphEdgeKind = 'defines' | 'imports' | 'imports_package' | 'exports' | 'calls';
+export interface SemanticGraphEdge {
+    from: string;
+    to: string;
+    kind: SemanticGraphEdgeKind;
+    label?: string;
+}
+export interface SemanticGraphReport {
+    schemaVersion: 3;
+    nodes: SemanticGraphNode[];
+    edges: SemanticGraphEdge[];
+    metrics: {
+        totalFiles: number;
+        totalFunctions: number;
+        totalPackages: number;
+        totalSymbols: number;
+        totalEdges: number;
+    };
+    truncated: boolean;
+    limits: {
+        maxNodes: number;
+        maxEdges: number;
+    };
+}
+export type DataflowRiskKind = 'direct' | 'propagated' | 'bridge';
+export type DataflowRiskSeverity = 'warning' | 'error';
+export type DataflowRiskConfidence = 'low' | 'medium' | 'high';
+export interface DataflowRisk {
+    key: string;
+    kind: DataflowRiskKind;
+    severity: DataflowRiskSeverity;
+    confidence: DataflowRiskConfidence;
+    sourceFn: string;
+    sinkFn: string;
+    bridgeFn?: string;
+    source: string;
+    sink: string;
+    path: string[];
+    sourcePath?: string[];
+    sinkPath?: string[];
+    pathLength: number;
+    files: string[];
+}
+export interface DataflowReport {
+    available: boolean;
+    reason?: string;
+    riskCount: number;
+    risks: DataflowRisk[];
+    effectiveSources: string[];
+    effectiveSinks: string[];
+    truncated?: boolean;
+    truncatedSources?: string[];
+    maxDepth?: number;
+}
 /**
  * One changed file enriched with risk signals. The agent calling
  * projscan_review uses these to decide which files need careful review.
@@ -981,6 +1088,24 @@ export interface ReviewTaintFlow {
     /** 1.9+ — set when `projscan_review` was called with an `intent` arg. Absent otherwise. */
     intentAlignment?: 'expected' | 'unexpected' | 'out-of-scope' | 'unknown';
 }
+/**
+ * 3.0+ — Review-time dataflow risks that are not represented by legacy
+ * taint reachability, especially bridge helpers that call both a source
+ * wrapper and a sink wrapper.
+ */
+export interface ReviewDataflowRisk {
+    kind: DataflowRiskKind;
+    sourceFn: string;
+    sinkFn: string;
+    bridgeFn?: string;
+    source: string;
+    sink: string;
+    pathLength: number;
+    files: string[];
+    severity: DataflowRiskSeverity;
+    confidence: DataflowRiskConfidence;
+    intentAlignment?: 'expected' | 'unexpected' | 'out-of-scope' | 'unknown';
+}
 /** Workspace-package-scoped dependency change. Aggregates root + workspaces. */
 export interface ReviewDependencyChange {
     /** Workspace name; '' for the root manifest. */
@@ -1046,6 +1171,13 @@ export interface ReviewReport {
      * (no per-function callSites at either side).
      */
     newTaintFlows: ReviewTaintFlow[];
+    /**
+     * 3.0+ — NEW dataflow risks introduced by this PR that are outside the
+     * legacy source-to-sink taint flow list. Empty when unavailable or clean.
+     */
+    newDataflowRisks: ReviewDataflowRisk[];
+    /** 3.5+ — compact graph/dataflow evidence for review consumers. */
+    graphEvidence?: GraphEvidenceSummary;
     /** 'ok' = ship it; 'review' = needs careful look; 'block' = strongly suggests rework. */
     verdict: 'ok' | 'review' | 'block';
     /** One-line bullets explaining the verdict. */
@@ -1074,7 +1206,7 @@ export interface ReviewReport {
     intentAnalysis?: {
         totals: Record<'expected' | 'unexpected' | 'out-of-scope' | 'unknown', number>;
         notable: Array<{
-            kind: 'file' | 'function' | 'cycle' | 'taint' | 'dependency';
+            kind: 'file' | 'function' | 'cycle' | 'taint' | 'dataflow' | 'dependency';
             label: string;
             alignment: 'expected' | 'unexpected' | 'out-of-scope' | 'unknown';
             reason: string;
@@ -1096,6 +1228,13 @@ export interface ImpactNode {
      */
     repo?: string;
 }
+export interface ImpactBoundarySummary {
+    repo: string;
+    packageName: string;
+    owner: string;
+    files: string[];
+    reachableFiles: number;
+}
 export interface ImpactReport {
     available: boolean;
     reason?: string;
@@ -1126,6 +1265,8 @@ export interface ImpactReport {
      * was false or the workspace had no siblings.
      */
     totalReachableByRepo?: Record<string, number>;
+    /** 3.5+ — cross-repo package/ownership boundaries that mention the target. */
+    boundarySummary?: ImpactBoundarySummary[];
     /**
      * True when traversal hit `maxDistance` before exhausting the graph.
      * Items beyond the limit are omitted from `reachable`.

package/dist/utils/formatSupport.d.ts

@@ -11,6 +11,7 @@ export declare const COMMAND_FORMAT_SUPPORT: {
     readonly coupling: readonly ["console", "json", "markdown", "html"];
     readonly coverage: readonly ["console", "json", "markdown", "html"];
     readonly dependencies: readonly ["console", "json", "markdown"];
+    readonly dataflow: readonly ["console", "json"];
     readonly diagram: readonly ["console", "json", "markdown"];
     readonly diff: readonly ["console", "json", "markdown"];
     readonly doctor: readonly ["console", "json", "markdown", "sarif", "html"];
@@ -46,6 +47,7 @@ export declare const COMMAND_FORMAT_SUPPORT: {
     readonly recipes: readonly ["console", "json"];
     readonly review: readonly ["console", "json", "markdown", "html"];
     readonly search: readonly ["console", "json", "markdown"];
+    readonly 'semantic-graph': readonly ["console", "json"];
     readonly session: readonly ["console", "json"];
     readonly 'session touched': readonly ["console", "json"];
     readonly 'session events': readonly ["console", "json"];

package/dist/utils/formatSupport.js

@@ -10,6 +10,7 @@ export const COMMAND_FORMAT_SUPPORT = {
     coupling: ['console', 'json', 'markdown', 'html'],
     coverage: ['console', 'json', 'markdown', 'html'],
     dependencies: ['console', 'json', 'markdown'],
+    dataflow: ['console', 'json'],
     diagram: ['console', 'json', 'markdown'],
     diff: ['console', 'json', 'markdown'],
     doctor: ['console', 'json', 'markdown', 'sarif', 'html'],
@@ -45,6 +46,7 @@ export const COMMAND_FORMAT_SUPPORT = {
     recipes: ['console', 'json'],
     review: ['console', 'json', 'markdown', 'html'],
     search: ['console', 'json', 'markdown'],
+    'semantic-graph': ['console', 'json'],
     session: ['console', 'json'],
     'session touched': ['console', 'json'],
     'session events': ['console', 'json'],

package/dist/utils/formatSupport.js.map

@@ -1 +1 @@
-{"version":3,"file":"formatSupport.js","sourceRoot":"","sources":["../../src/utils/formatSupport.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAA4C,CAAC;AAE1H,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACzD,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC/C,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC5C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC7C,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACxD,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC9C,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,CAAC,SAAS,CAAC;IAC3B,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAClD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAClD,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACvC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC1C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,kBAAkB,EAAE,CAAC,SAAS,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC3C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;CAC6B,CAAC;AAI7D,MAAM,UAAU,UAAU,CAAC,UAAmC,cAAc;IAC1E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,OAAQ,sBAAkE,CAAC,WAAW,CAAC,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,EAAE,OAA4B;QACrC,OAAO;KACR,CAAC,CAAC,CAAC;AACN,CAAC"}
+{"version":3,"file":"formatSupport.js","sourceRoot":"","sources":["../../src/utils/formatSupport.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAA4C,CAAC;AAE1H,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACzD,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC/C,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,EAAE,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAC5C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,YAAY,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC7C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC7B,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC;IACxD,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAChD,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACrC,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAChC,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC9C,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IACjD,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,IAAI,EAAE,CAAC,SAAS,CAAC;IACjB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,CAAC,SAAS,CAAC;IAC3B,GAAG,EAAE,CAAC,SAAS,CAAC;IAChB,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;IAClD,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAClC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC9B,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAClD,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACxC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACvC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACtC,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACpC,SAAS,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC1C,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IAC1B,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IACxC,KAAK,EAAE,CAAC,SAAS,CAAC;IAClB,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;IACrC,eAAe,EAAE,CAAC,SAAS,CAAC;IAC5B,kBAAkB,EAAE,CAAC,SAAS,CAAC;IAC/B,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;IAC3C,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;CAC6B,CAAC;AAI7D,MAAM,UAAU,UAAU,CAAC,UAAmC,cAAc;IAC1E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,OAAQ,sBAAkE,CAAC,WAAW,CAAC,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,EAAE,OAA4B;QACrC,OAAO;KACR,CAAC,CAAC,CAAC;AACN,CAAC"}

package/docs/PLUGIN-AUTHORING.md

@@ -65,7 +65,7 @@ The machine-readable manifest schema lives at
 [`docs/examples/plugins/`](examples/plugins/) are tested in CI.
 
 For packaged examples you can copy into a repo, see the
-[Plugin Gallery](PLUGIN-GALLERY.md). It includes policy, team health, security,
+[Plugin Gallery](PLUGIN-GALLERY.md). It includes policy, graph-context, team health, security,
 and release-readiness examples.
 
 ## Scaffold
@@ -84,8 +84,8 @@ It refuses to overwrite existing files.
 
 ## Analyzer Module
 
-The module must export a `check(rootPath, files)` function, either as the
-default export or a named export.
+The module must export a `check(rootPath, files, context?)` function, either as the
+default export or a named export. The optional third argument exposes lazy read-only graph helpers for analyzers that need deeper context.
 
 ```js
 export default {
@@ -117,6 +117,14 @@ Required issue fields:
 
 Malformed issues are dropped so one bad plugin cannot poison the issue stream.
 
+The analyzer `context` argument currently exposes:
+
+- `getCodeGraph()`: the underlying code graph used by core analysis.
+- `getSemanticGraph()`: the stable v3 semantic graph payload.
+- `getDataflow()`: the focused dataflow report.
+
+The packaged `graph-context` example under `docs/examples/plugins/` demonstrates the pattern without requiring a manifest schema bump.
+
 ## Reporter Module
 
 Reporter plugins are CLI-only. The module must export a

package/docs/PLUGIN-GALLERY.md

@@ -32,6 +32,14 @@ Files:
 - `docs/examples/plugins/security-radar.projscan-plugin.json`
 - `docs/examples/plugins/security-radar.mjs`
 
+### `graph-context`
+
+Demonstrates analyzer access to the optional graph/dataflow context. It reads the semantic graph and dataflow report through `context.getSemanticGraph()` and `context.getDataflow()` and emits a compact architecture summary issue.
+
+Files:
+- `docs/examples/plugins/graph-context.projscan-plugin.json`
+- `docs/examples/plugins/graph-context.mjs`
+
 ## Reporter Plugins
 
 ### `team-radar`

package/docs/examples/plugins/graph-context.mjs

@@ -0,0 +1,27 @@
+export default {
+  check: async (_rootPath, files, context) => {
+    if (!context) return [];
+
+    const [semanticGraph, dataflow] = await Promise.all([
+      context.getSemanticGraph(),
+      context.getDataflow(),
+    ]);
+
+    const severity = dataflow.riskCount > 0 ? 'warning' : 'info';
+    const fileCount = files.length;
+    const functionCount = semanticGraph.metrics.totalFunctions;
+    const callEdges = semanticGraph.metrics.totalEdges;
+
+    return [
+      {
+        id: 'graph-context-summary',
+        title: 'Graph context available',
+        description:
+          `Plugin received ${fileCount} file(s), ${functionCount} function(s), ${callEdges} semantic edge(s), and ${dataflow.riskCount} dataflow risk(s).`,
+        severity,
+        category: 'architecture',
+        fixAvailable: false,
+      },
+    ];
+  },
+};