projscan 3.0.0 → 3.0.2

package/dist/types.d.ts

@@ -212,7 +212,7 @@ export interface HealthScore {
 }
 export type PreflightMode = 'before_edit' | 'before_commit' | 'before_merge';
 export type PreflightVerdict = 'proceed' | 'caution' | 'block';
-export type PreflightReasonSource = 'doctor' | 'review' | 'taint' | 'session' | 'plugin' | 'supply-chain' | 'memory' | 'changed-files' | 'hotspots' | 'git' | 'format';
+export type PreflightReasonSource = 'doctor' | 'review' | 'taint' | 'session' | 'plugin' | 'supply-chain' | 'memory' | 'changed-files' | 'hotspots' | 'git' | 'format' | 'release';
 export interface PreflightReason {
     severity: IssueSeverity;
     source: PreflightReasonSource;
@@ -232,6 +232,15 @@ export interface PreflightSuggestedAction {
     tool?: string;
     args?: Record<string, unknown>;
 }
+export interface PreflightReleaseScaleEvidence {
+    detected: boolean;
+    changedFiles: number;
+    threshold: number;
+    reviewVerdict?: ReviewReport['verdict'];
+    reviewSummary?: string;
+    concreteBlockers: string[];
+    explanation: string;
+}
 export interface PreflightEvidence {
     health?: {
         score: number;
@@ -274,6 +283,7 @@ export interface PreflightEvidence {
         errorIssues: number;
         warningIssues: number;
     };
+    releaseScale?: PreflightReleaseScaleEvidence;
 }
 export interface PreflightReport {
     schemaVersion: 1;
@@ -290,7 +300,7 @@ export interface PreflightReport {
 export type WorkplanMode = PreflightMode | 'refactor' | 'release' | 'bug_hunt' | 'hardening';
 export type WorkplanPriority = 'p0' | 'p1' | 'p2';
 export interface WorkplanEvidence {
-    source: PreflightReasonSource | 'coordination' | 'release' | 'verification';
+    source: PreflightReasonSource | 'coordination' | 'release' | 'verification' | 'graph';
     message: string;
     severity?: IssueSeverity;
     file?: string;
@@ -477,6 +487,16 @@ export interface AgentBriefGuardrail {
     reason: string;
     command: string;
 }
+export interface GraphEvidenceSummary {
+    schemaVersion: 1;
+    changedFiles?: number;
+    changedFunctions?: number;
+    totalFunctions: number;
+    totalPackages: number;
+    totalCallEdges: number;
+    dataflowRisks: number;
+    topPackages: string[];
+}
 export interface AgentBriefReport {
     schemaVersion: 1;
     intent: AgentBriefIntent;
@@ -491,12 +511,29 @@ export interface AgentBriefReport {
         }>;
         touchedFiles: string[];
         conflicts: number;
+        graph?: GraphEvidenceSummary;
     };
     focus: AgentBriefItem[];
     guardrails: AgentBriefGuardrail[];
     suggestedNextActions: PreflightSuggestedAction[];
     truncated?: boolean;
 }
+export interface GraphCorpusFixtureMetrics {
+    name: string;
+    fixture: string;
+    files: number;
+    functions: number;
+    packages: number;
+    symbols: number;
+    importEdges: number;
+    callEdges: number;
+    dataflowRisks: number;
+}
+export interface GraphCorpusReport {
+    schemaVersion: 1;
+    fixtures: GraphCorpusFixtureMetrics[];
+    totals: Omit<GraphCorpusFixtureMetrics, 'name' | 'fixture'>;
+}
 export type QualityScorecardVerdict = 'excellent' | 'healthy' | 'needs_attention' | 'blocked';
 export type QualityScorecardStatus = 'pass' | 'watch' | 'fail';
 export interface QualityScorecardDimension {
@@ -1139,6 +1176,8 @@ export interface ReviewReport {
      * legacy source-to-sink taint flow list. Empty when unavailable or clean.
      */
     newDataflowRisks: ReviewDataflowRisk[];
+    /** 3.5+ — compact graph/dataflow evidence for review consumers. */
+    graphEvidence?: GraphEvidenceSummary;
     /** 'ok' = ship it; 'review' = needs careful look; 'block' = strongly suggests rework. */
     verdict: 'ok' | 'review' | 'block';
     /** One-line bullets explaining the verdict. */
@@ -1189,6 +1228,13 @@ export interface ImpactNode {
      */
     repo?: string;
 }
+export interface ImpactBoundarySummary {
+    repo: string;
+    packageName: string;
+    owner: string;
+    files: string[];
+    reachableFiles: number;
+}
 export interface ImpactReport {
     available: boolean;
     reason?: string;
@@ -1219,6 +1265,8 @@ export interface ImpactReport {
      * was false or the workspace had no siblings.
      */
     totalReachableByRepo?: Record<string, number>;
+    /** 3.5+ — cross-repo package/ownership boundaries that mention the target. */
+    boundarySummary?: ImpactBoundarySummary[];
     /**
      * True when traversal hit `maxDistance` before exhausting the graph.
      * Items beyond the limit are omitted from `reachable`.

package/docs/PLUGIN-AUTHORING.md

@@ -65,7 +65,7 @@ The machine-readable manifest schema lives at
 [`docs/examples/plugins/`](examples/plugins/) are tested in CI.
 
 For packaged examples you can copy into a repo, see the
-[Plugin Gallery](PLUGIN-GALLERY.md). It includes policy, team health, security,
+[Plugin Gallery](PLUGIN-GALLERY.md). It includes policy, graph-context, team health, security,
 and release-readiness examples.
 
 ## Scaffold
@@ -84,8 +84,8 @@ It refuses to overwrite existing files.
 
 ## Analyzer Module
 
-The module must export a `check(rootPath, files)` function, either as the
-default export or a named export.
+The module must export a `check(rootPath, files, context?)` function, either as the
+default export or a named export. The optional third argument exposes lazy read-only graph helpers for analyzers that need deeper context.
 
 ```js
 export default {
@@ -117,6 +117,14 @@ Required issue fields:
 
 Malformed issues are dropped so one bad plugin cannot poison the issue stream.
 
+The analyzer `context` argument currently exposes:
+
+- `getCodeGraph()`: the underlying code graph used by core analysis.
+- `getSemanticGraph()`: the stable v3 semantic graph payload.
+- `getDataflow()`: the focused dataflow report.
+
+The packaged `graph-context` example under `docs/examples/plugins/` demonstrates the pattern without requiring a manifest schema bump.
+
 ## Reporter Module
 
 Reporter plugins are CLI-only. The module must export a

package/docs/PLUGIN-GALLERY.md

@@ -32,6 +32,14 @@ Files:
 - `docs/examples/plugins/security-radar.projscan-plugin.json`
 - `docs/examples/plugins/security-radar.mjs`
 
+### `graph-context`
+
+Demonstrates analyzer access to the optional graph/dataflow context. It reads the semantic graph and dataflow report through `context.getSemanticGraph()` and `context.getDataflow()` and emits a compact architecture summary issue.
+
+Files:
+- `docs/examples/plugins/graph-context.projscan-plugin.json`
+- `docs/examples/plugins/graph-context.mjs`
+
 ## Reporter Plugins
 
 ### `team-radar`

package/docs/examples/plugins/graph-context.mjs

@@ -0,0 +1,27 @@
+export default {
+  check: async (_rootPath, files, context) => {
+    if (!context) return [];
+
+    const [semanticGraph, dataflow] = await Promise.all([
+      context.getSemanticGraph(),
+      context.getDataflow(),
+    ]);
+
+    const severity = dataflow.riskCount > 0 ? 'warning' : 'info';
+    const fileCount = files.length;
+    const functionCount = semanticGraph.metrics.totalFunctions;
+    const callEdges = semanticGraph.metrics.totalEdges;
+
+    return [
+      {
+        id: 'graph-context-summary',
+        title: 'Graph context available',
+        description:
+          `Plugin received ${fileCount} file(s), ${functionCount} function(s), ${callEdges} semantic edge(s), and ${dataflow.riskCount} dataflow risk(s).`,
+        severity,
+        category: 'architecture',
+        fixAvailable: false,
+      },
+    ];
+  },
+};

package/docs/examples/plugins/graph-context.projscan-plugin.json

@@ -0,0 +1,8 @@
+{
+  "schemaVersion": 1,
+  "name": "graph-context",
+  "kind": "analyzer",
+  "module": "./graph-context.mjs",
+  "category": "architecture",
+  "description": "Demonstrates analyzer access to semantic graph and dataflow context"
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "Agent-first code intelligence. MCP server (2025-03-26) with AST parsing for JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
   "type": "module",
   "main": "./dist/index.js",
@@ -32,7 +32,8 @@
     "release:check": "node scripts/release-check.mjs",
     "security:release-gate": "node scripts/release-gate.mjs",
     "sbom:generate": "node scripts/generate-sbom.mjs",
-    "prepare": "npm run build"
+    "prepare": "npm run build",
+    "check:graph-corpus": "node scripts/check-graph-corpus.mjs"
   },
   "keywords": [
     "cli",