npm - projscan - Versions diffs - 4.5.0 → 4.6.0 - Mend

projscan 4.5.0 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (591) hide show

package/README.md +14 -13
package/dist/analyzers/pythonDependencyRiskCheck.js +1 -1
package/dist/analyzers/pythonDependencyRiskCheck.js.map +1 -1
package/dist/cli/_shared.d.ts +4 -5
package/dist/cli/_shared.js +41 -188
package/dist/cli/_shared.js.map +1 -1
package/dist/cli/architectureLayers.d.ts +2 -0
package/dist/cli/architectureLayers.js +112 -0
package/dist/cli/architectureLayers.js.map +1 -0
package/dist/cli/bannerDisplay.d.ts +9 -0
package/dist/cli/bannerDisplay.js +18 -0
package/dist/cli/bannerDisplay.js.map +1 -0
package/dist/cli/changedIssueFilter.d.ts +10 -0
package/dist/cli/changedIssueFilter.js +24 -0
package/dist/cli/changedIssueFilter.js.map +1 -0
package/dist/cli/commandPath.d.ts +2 -0
package/dist/cli/commandPath.js +12 -0
package/dist/cli/commandPath.js.map +1 -0
package/dist/cli/commands/agentBrief.js +11 -0
package/dist/cli/commands/agentBrief.js.map +1 -1
package/dist/cli/commands/analyze.js +6 -5
package/dist/cli/commands/analyze.js.map +1 -1
package/dist/cli/commands/ci.js +5 -4
package/dist/cli/commands/ci.js.map +1 -1
package/dist/cli/commands/coordinate.js +27 -0
package/dist/cli/commands/coordinate.js.map +1 -1
package/dist/cli/commands/doctor.js +6 -5
package/dist/cli/commands/doctor.js.map +1 -1
package/dist/cli/pluginReporter.d.ts +14 -0
package/dist/cli/pluginReporter.js +46 -0
package/dist/cli/pluginReporter.js.map +1 -0
package/dist/cli/projectConfig.d.ts +12 -0
package/dist/cli/projectConfig.js +41 -0
package/dist/cli/projectConfig.js.map +1 -0
package/dist/cli/treeSlice.d.ts +3 -0
package/dist/cli/treeSlice.js +12 -0
package/dist/cli/treeSlice.js.map +1 -0
package/dist/core/ast.d.ts +4 -81
package/dist/core/ast.js +11 -637
package/dist/core/ast.js.map +1 -1
package/dist/core/astBodySignals.d.ts +17 -0
package/dist/core/astBodySignals.js +107 -0
package/dist/core/astBodySignals.js.map +1 -0
package/dist/core/astFunctionCollector.d.ts +11 -0
package/dist/core/astFunctionCollector.js +140 -0
package/dist/core/astFunctionCollector.js.map +1 -0
package/dist/core/astFunctionNames.d.ts +2 -0
package/dist/core/astFunctionNames.js +53 -0
package/dist/core/astFunctionNames.js.map +1 -0
package/dist/core/astFunctionNodes.d.ts +2 -0
package/dist/core/astFunctionNodes.js +12 -0
package/dist/core/astFunctionNodes.js.map +1 -0
package/dist/core/astMembers.d.ts +13 -0
package/dist/core/astMembers.js +116 -0
package/dist/core/astMembers.js.map +1 -0
package/dist/core/astModuleSignals.d.ts +3 -0
package/dist/core/astModuleSignals.js +140 -0
package/dist/core/astModuleSignals.js.map +1 -0
package/dist/core/astParser.d.ts +11 -0
package/dist/core/astParser.js +38 -0
package/dist/core/astParser.js.map +1 -0
package/dist/core/astProgramSignals.d.ts +11 -0
package/dist/core/astProgramSignals.js +97 -0
package/dist/core/astProgramSignals.js.map +1 -0
package/dist/core/astTypes.d.ts +78 -0
package/dist/core/astTypes.js +2 -0
package/dist/core/astTypes.js.map +1 -0
package/dist/core/codeGraph.d.ts +3 -28
package/dist/core/codeGraph.js +3 -231
package/dist/core/codeGraph.js.map +1 -1
package/dist/core/codeGraphFanMetrics.d.ts +17 -0
package/dist/core/codeGraphFanMetrics.js +89 -0
package/dist/core/codeGraphFanMetrics.js.map +1 -0
package/dist/core/codeGraphIndexes.d.ts +23 -0
package/dist/core/codeGraphIndexes.js +57 -0
package/dist/core/codeGraphIndexes.js.map +1 -0
package/dist/core/codeGraphParsing.d.ts +20 -0
package/dist/core/codeGraphParsing.js +104 -0
package/dist/core/codeGraphParsing.js.map +1 -0
package/dist/core/codeGraphTypes.d.ts +28 -0
package/dist/core/codeGraphTypes.js +2 -0
package/dist/core/codeGraphTypes.js.map +1 -0
package/dist/core/collisionDetector.d.ts +2 -0
package/dist/core/collisionDetector.js +17 -12
package/dist/core/collisionDetector.js.map +1 -1
package/dist/core/coordination.d.ts +4 -2
package/dist/core/coordination.js +40 -4
package/dist/core/coordination.js.map +1 -1
package/dist/core/coordinationEvidence.d.ts +32 -0
package/dist/core/coordinationEvidence.js +101 -0
package/dist/core/coordinationEvidence.js.map +1 -0
package/dist/core/fileAccess.d.ts +16 -0
package/dist/core/fileAccess.js +78 -0
package/dist/core/fileAccess.js.map +1 -0
package/dist/core/fileExportTypes.d.ts +2 -0
package/dist/core/fileExportTypes.js +16 -0
package/dist/core/fileExportTypes.js.map +1 -0
package/dist/core/fileGraphMetrics.d.ts +4 -0
package/dist/core/fileGraphMetrics.js +34 -0
package/dist/core/fileGraphMetrics.js.map +1 -0
package/dist/core/fileInspectionEvidence.d.ts +13 -0
package/dist/core/fileInspectionEvidence.js +14 -0
package/dist/core/fileInspectionEvidence.js.map +1 -0
package/dist/core/fileInspectionGraph.d.ts +5 -0
package/dist/core/fileInspectionGraph.js +29 -0
package/dist/core/fileInspectionGraph.js.map +1 -0
package/dist/core/fileInspector.d.ts +4 -4
package/dist/core/fileInspector.js +28 -215
package/dist/core/fileInspector.js.map +1 -1
package/dist/core/fileIssues.d.ts +1 -0
package/dist/core/fileIssues.js +18 -0
package/dist/core/fileIssues.js.map +1 -0
package/dist/core/filePurpose.d.ts +2 -0
package/dist/core/filePurpose.js +61 -0
package/dist/core/filePurpose.js.map +1 -0
package/dist/core/frameworkExpressSources.d.ts +4 -0
package/dist/core/frameworkExpressSources.js +95 -0
package/dist/core/frameworkExpressSources.js.map +1 -0
package/dist/core/frameworkFastifySources.d.ts +4 -0
package/dist/core/frameworkFastifySources.js +74 -0
package/dist/core/frameworkFastifySources.js.map +1 -0
package/dist/core/frameworkHonoSources.d.ts +4 -0
package/dist/core/frameworkHonoSources.js +73 -0
package/dist/core/frameworkHonoSources.js.map +1 -0
package/dist/core/frameworkKoaSources.d.ts +4 -0
package/dist/core/frameworkKoaSources.js +81 -0
package/dist/core/frameworkKoaSources.js.map +1 -0
package/dist/core/frameworkNextRouteSources.d.ts +2 -0
package/dist/core/frameworkNextRouteSources.js +55 -0
package/dist/core/frameworkNextRouteSources.js.map +1 -0
package/dist/core/frameworkSources.js +15 -214
package/dist/core/frameworkSources.js.map +1 -1
package/dist/core/hotspotAnalyzer.d.ts +2 -18
package/dist/core/hotspotAnalyzer.js +15 -477
package/dist/core/hotspotAnalyzer.js.map +1 -1
package/dist/core/hotspotBuilder.d.ts +14 -0
package/dist/core/hotspotBuilder.js +70 -0
package/dist/core/hotspotBuilder.js.map +1 -0
package/dist/core/hotspotCandidates.d.ts +9 -0
package/dist/core/hotspotCandidates.js +63 -0
package/dist/core/hotspotCandidates.js.map +1 -0
package/dist/core/hotspotGit.d.ts +10 -0
package/dist/core/hotspotGit.js +152 -0
package/dist/core/hotspotGit.js.map +1 -0
package/dist/core/hotspotIssues.d.ts +2 -0
package/dist/core/hotspotIssues.js +83 -0
package/dist/core/hotspotIssues.js.map +1 -0
package/dist/core/hotspotLines.d.ts +2 -0
package/dist/core/hotspotLines.js +24 -0
package/dist/core/hotspotLines.js.map +1 -0
package/dist/core/hotspotMemory.d.ts +2 -0
package/dist/core/hotspotMemory.js +21 -0
package/dist/core/hotspotMemory.js.map +1 -0
package/dist/core/hotspotRanking.d.ts +13 -0
package/dist/core/hotspotRanking.js +44 -0
package/dist/core/hotspotRanking.js.map +1 -0
package/dist/core/hotspotScoring.d.ts +23 -0
package/dist/core/hotspotScoring.js +128 -0
package/dist/core/hotspotScoring.js.map +1 -0
package/dist/core/indexCache.js +3 -1
package/dist/core/indexCache.js.map +1 -1
package/dist/core/intentRouter.d.ts +3 -16
package/dist/core/intentRouter.js +5 -7348
package/dist/core/intentRouter.js.map +1 -1
package/dist/core/intentRouterCatalog.d.ts +16 -0
package/dist/core/intentRouterCatalog.js +1692 -0
package/dist/core/intentRouterCatalog.js.map +1 -0
package/dist/core/intentRouterCoordinationSignals.d.ts +12 -0
package/dist/core/intentRouterCoordinationSignals.js +111 -0
package/dist/core/intentRouterCoordinationSignals.js.map +1 -0
package/dist/core/intentRouterDependencySignals.d.ts +9 -0
package/dist/core/intentRouterDependencySignals.js +226 -0
package/dist/core/intentRouterDependencySignals.js.map +1 -0
package/dist/core/intentRouterKeywordContext.d.ts +14 -0
package/dist/core/intentRouterKeywordContext.js +2 -0
package/dist/core/intentRouterKeywordContext.js.map +1 -0
package/dist/core/intentRouterKeywordEarlyGuards.d.ts +2 -0
package/dist/core/intentRouterKeywordEarlyGuards.js +127 -0
package/dist/core/intentRouterKeywordEarlyGuards.js.map +1 -0
package/dist/core/intentRouterKeywordMatches.d.ts +3 -0
package/dist/core/intentRouterKeywordMatches.js +31 -0
package/dist/core/intentRouterKeywordMatches.js.map +1 -0
package/dist/core/intentRouterKeywordSearchGuards.d.ts +2 -0
package/dist/core/intentRouterKeywordSearchGuards.js +239 -0
package/dist/core/intentRouterKeywordSearchGuards.js.map +1 -0
package/dist/core/intentRouterKeywordTargetGuards.d.ts +2 -0
package/dist/core/intentRouterKeywordTargetGuards.js +191 -0
package/dist/core/intentRouterKeywordTargetGuards.js.map +1 -0
package/dist/core/intentRouterKeywordToolGuards.d.ts +2 -0
package/dist/core/intentRouterKeywordToolGuards.js +133 -0
package/dist/core/intentRouterKeywordToolGuards.js.map +1 -0
package/dist/core/intentRouterKeywordWeights.d.ts +4 -0
package/dist/core/intentRouterKeywordWeights.js +1184 -0
package/dist/core/intentRouterKeywordWeights.js.map +1 -0
package/dist/core/intentRouterPlanningSignals.d.ts +7 -0
package/dist/core/intentRouterPlanningSignals.js +268 -0
package/dist/core/intentRouterPlanningSignals.js.map +1 -0
package/dist/core/intentRouterPrDiffSignals.d.ts +1 -0
package/dist/core/intentRouterPrDiffSignals.js +41 -0
package/dist/core/intentRouterPrDiffSignals.js.map +1 -0
package/dist/core/intentRouterPreflightSignals.d.ts +3 -0
package/dist/core/intentRouterPreflightSignals.js +54 -0
package/dist/core/intentRouterPreflightSignals.js.map +1 -0
package/dist/core/intentRouterRegressionKeywordMatches.d.ts +1 -0
package/dist/core/intentRouterRegressionKeywordMatches.js +176 -0
package/dist/core/intentRouterRegressionKeywordMatches.js.map +1 -0
package/dist/core/intentRouterRegressionSignals.d.ts +10 -0
package/dist/core/intentRouterRegressionSignals.js +207 -0
package/dist/core/intentRouterRegressionSignals.js.map +1 -0
package/dist/core/intentRouterReleaseSignals.d.ts +8 -0
package/dist/core/intentRouterReleaseSignals.js +59 -0
package/dist/core/intentRouterReleaseSignals.js.map +1 -0
package/dist/core/intentRouterRepoSignals.d.ts +8 -0
package/dist/core/intentRouterRepoSignals.js +226 -0
package/dist/core/intentRouterRepoSignals.js.map +1 -0
package/dist/core/intentRouterReviewSignals.d.ts +2 -0
package/dist/core/intentRouterReviewSignals.js +109 -0
package/dist/core/intentRouterReviewSignals.js.map +1 -0
package/dist/core/intentRouterRiskSignals.d.ts +12 -0
package/dist/core/intentRouterRiskSignals.js +242 -0
package/dist/core/intentRouterRiskSignals.js.map +1 -0
package/dist/core/intentRouterScoring.d.ts +9 -0
package/dist/core/intentRouterScoring.js +40 -0
package/dist/core/intentRouterScoring.js.map +1 -0
package/dist/core/intentRouterSearchApiSignals.d.ts +1 -0
package/dist/core/intentRouterSearchApiSignals.js +62 -0
package/dist/core/intentRouterSearchApiSignals.js.map +1 -0
package/dist/core/intentRouterSearchBackgroundSignals.d.ts +1 -0
package/dist/core/intentRouterSearchBackgroundSignals.js +55 -0
package/dist/core/intentRouterSearchBackgroundSignals.js.map +1 -0
package/dist/core/intentRouterSearchCommunicationSignals.d.ts +1 -0
package/dist/core/intentRouterSearchCommunicationSignals.js +74 -0
package/dist/core/intentRouterSearchCommunicationSignals.js.map +1 -0
package/dist/core/intentRouterSearchDataSignals.d.ts +2 -0
package/dist/core/intentRouterSearchDataSignals.js +98 -0
package/dist/core/intentRouterSearchDataSignals.js.map +1 -0
package/dist/core/intentRouterSearchDomainSignals.d.ts +1 -0
package/dist/core/intentRouterSearchDomainSignals.js +71 -0
package/dist/core/intentRouterSearchDomainSignals.js.map +1 -0
package/dist/core/intentRouterSearchInfraSignals.d.ts +1 -0
package/dist/core/intentRouterSearchInfraSignals.js +79 -0
package/dist/core/intentRouterSearchInfraSignals.js.map +1 -0
package/dist/core/intentRouterSearchIntegrationSignals.d.ts +1 -0
package/dist/core/intentRouterSearchIntegrationSignals.js +117 -0
package/dist/core/intentRouterSearchIntegrationSignals.js.map +1 -0
package/dist/core/intentRouterSearchLookupSignals.d.ts +10 -0
package/dist/core/intentRouterSearchLookupSignals.js +310 -0
package/dist/core/intentRouterSearchLookupSignals.js.map +1 -0
package/dist/core/intentRouterSearchNavigationSignals.d.ts +1 -0
package/dist/core/intentRouterSearchNavigationSignals.js +62 -0
package/dist/core/intentRouterSearchNavigationSignals.js.map +1 -0
package/dist/core/intentRouterSearchOwnershipSignals.d.ts +1 -0
package/dist/core/intentRouterSearchOwnershipSignals.js +15 -0
package/dist/core/intentRouterSearchOwnershipSignals.js.map +1 -0
package/dist/core/intentRouterSearchPageSignals.d.ts +1 -0
package/dist/core/intentRouterSearchPageSignals.js +84 -0
package/dist/core/intentRouterSearchPageSignals.js.map +1 -0
package/dist/core/intentRouterSearchReliabilitySignals.d.ts +1 -0
package/dist/core/intentRouterSearchReliabilitySignals.js +94 -0
package/dist/core/intentRouterSearchReliabilitySignals.js.map +1 -0
package/dist/core/intentRouterSearchStateSignals.d.ts +1 -0
package/dist/core/intentRouterSearchStateSignals.js +107 -0
package/dist/core/intentRouterSearchStateSignals.js.map +1 -0
package/dist/core/intentRouterSearchStyleSignals.d.ts +1 -0
package/dist/core/intentRouterSearchStyleSignals.js +99 -0
package/dist/core/intentRouterSearchStyleSignals.js.map +1 -0
package/dist/core/intentRouterSearchTestSignals.d.ts +1 -0
package/dist/core/intentRouterSearchTestSignals.js +34 -0
package/dist/core/intentRouterSearchTestSignals.js.map +1 -0
package/dist/core/intentRouterSearchToolingSignals.d.ts +1 -0
package/dist/core/intentRouterSearchToolingSignals.js +106 -0
package/dist/core/intentRouterSearchToolingSignals.js.map +1 -0
package/dist/core/intentRouterSearchUiSignals.d.ts +1 -0
package/dist/core/intentRouterSearchUiSignals.js +77 -0
package/dist/core/intentRouterSearchUiSignals.js.map +1 -0
package/dist/core/intentRouterSecuritySignals.d.ts +4 -0
package/dist/core/intentRouterSecuritySignals.js +235 -0
package/dist/core/intentRouterSecuritySignals.js.map +1 -0
package/dist/core/intentRouterTargetSignals.d.ts +5 -0
package/dist/core/intentRouterTargetSignals.js +76 -0
package/dist/core/intentRouterTargetSignals.js.map +1 -0
package/dist/core/intentRouterTokens.d.ts +1 -0
package/dist/core/intentRouterTokens.js +36 -0
package/dist/core/intentRouterTokens.js.map +1 -0
package/dist/core/intentRouterUnderstandSignals.d.ts +1 -0
package/dist/core/intentRouterUnderstandSignals.js +171 -0
package/dist/core/intentRouterUnderstandSignals.js.map +1 -0
package/dist/core/intentRouterVerificationSignals.d.ts +8 -0
package/dist/core/intentRouterVerificationSignals.js +119 -0
package/dist/core/intentRouterVerificationSignals.js.map +1 -0
package/dist/core/intentRouterWorkSignals.d.ts +4 -0
package/dist/core/intentRouterWorkSignals.js +157 -0
package/dist/core/intentRouterWorkSignals.js.map +1 -0
package/dist/core/languages/pythonLockfiles.d.ts +11 -0
package/dist/core/languages/pythonLockfiles.js +206 -0
package/dist/core/languages/pythonLockfiles.js.map +1 -0
package/dist/core/languages/pythonManifestText.d.ts +7 -0
package/dist/core/languages/pythonManifestText.js +25 -0
package/dist/core/languages/pythonManifestText.js.map +1 -0
package/dist/core/languages/pythonManifests.d.ts +6 -38
package/dist/core/languages/pythonManifests.js +27 -316
package/dist/core/languages/pythonManifests.js.map +1 -1
package/dist/core/languages/pythonPep508.d.ts +4 -0
package/dist/core/languages/pythonPep508.js +14 -0
package/dist/core/languages/pythonPep508.js.map +1 -0
package/dist/core/languages/pythonProjectEvidence.d.ts +2 -0
package/dist/core/languages/pythonProjectEvidence.js +29 -0
package/dist/core/languages/pythonProjectEvidence.js.map +1 -0
package/dist/core/languages/pythonProjectTypes.d.ts +31 -0
package/dist/core/languages/pythonProjectTypes.js +2 -0
package/dist/core/languages/pythonProjectTypes.js.map +1 -0
package/dist/core/languages/pythonPyproject.d.ts +2 -0
package/dist/core/languages/pythonPyproject.js +160 -0
package/dist/core/languages/pythonPyproject.js.map +1 -0
package/dist/core/languages/pythonRequirements.d.ts +9 -0
package/dist/core/languages/pythonRequirements.js +86 -0
package/dist/core/languages/pythonRequirements.js.map +1 -0
package/dist/core/languages/pythonRoots.d.ts +3 -0
package/dist/core/languages/pythonRoots.js +83 -0
package/dist/core/languages/pythonRoots.js.map +1 -0
package/dist/core/languages/pythonSetuptools.d.ts +6 -0
package/dist/core/languages/pythonSetuptools.js +58 -0
package/dist/core/languages/pythonSetuptools.js.map +1 -0
package/dist/core/prDiff.js +12 -0
package/dist/core/prDiff.js.map +1 -1
package/dist/core/preflight.d.ts +3 -3
package/dist/core/preflight.js +28 -542
package/dist/core/preflight.js.map +1 -1
package/dist/core/preflightChangedFileReasons.d.ts +14 -0
package/dist/core/preflightChangedFileReasons.js +75 -0
package/dist/core/preflightChangedFileReasons.js.map +1 -0
package/dist/core/preflightChangedFiles.d.ts +9 -0
package/dist/core/preflightChangedFiles.js +34 -0
package/dist/core/preflightChangedFiles.js.map +1 -0
package/dist/core/preflightContextReasons.d.ts +17 -0
package/dist/core/preflightContextReasons.js +73 -0
package/dist/core/preflightContextReasons.js.map +1 -0
package/dist/core/preflightEvidence.d.ts +34 -0
package/dist/core/preflightEvidence.js +119 -0
package/dist/core/preflightEvidence.js.map +1 -0
package/dist/core/preflightInputs.d.ts +15 -0
package/dist/core/preflightInputs.js +31 -0
package/dist/core/preflightInputs.js.map +1 -0
package/dist/core/preflightIssueReasons.d.ts +2 -0
package/dist/core/preflightIssueReasons.js +39 -0
package/dist/core/preflightIssueReasons.js.map +1 -0
package/dist/core/preflightLocalEvidence.d.ts +12 -0
package/dist/core/preflightLocalEvidence.js +36 -0
package/dist/core/preflightLocalEvidence.js.map +1 -0
package/dist/core/preflightReleaseScale.d.ts +28 -0
package/dist/core/preflightReleaseScale.js +95 -0
package/dist/core/preflightReleaseScale.js.map +1 -0
package/dist/core/preflightRequiredChecks.d.ts +26 -0
package/dist/core/preflightRequiredChecks.js +96 -0
package/dist/core/preflightRequiredChecks.js.map +1 -0
package/dist/core/preflightReviewEvidence.d.ts +16 -0
package/dist/core/preflightReviewEvidence.js +31 -0
package/dist/core/preflightReviewEvidence.js.map +1 -0
package/dist/core/preflightReviewReasons.d.ts +15 -0
package/dist/core/preflightReviewReasons.js +76 -0
package/dist/core/preflightReviewReasons.js.map +1 -0
package/dist/core/preflightSuggestedActions.d.ts +15 -0
package/dist/core/preflightSuggestedActions.js +84 -0
package/dist/core/preflightSuggestedActions.js.map +1 -0
package/dist/core/preflightTruncation.d.ts +6 -0
package/dist/core/preflightTruncation.js +7 -0
package/dist/core/preflightTruncation.js.map +1 -0
package/dist/core/preflightVerdict.d.ts +3 -0
package/dist/core/preflightVerdict.js +17 -0
package/dist/core/preflightVerdict.js.map +1 -0
package/dist/core/releaseEvidence.d.ts +4 -3
package/dist/core/releaseEvidence.js +12 -263
package/dist/core/releaseEvidence.js.map +1 -1
package/dist/core/releaseEvidenceBaseline.d.ts +2 -0
package/dist/core/releaseEvidenceBaseline.js +28 -0
package/dist/core/releaseEvidenceBaseline.js.map +1 -0
package/dist/core/releaseEvidencePrSummary.d.ts +13 -0
package/dist/core/releaseEvidencePrSummary.js +240 -0
package/dist/core/releaseEvidencePrSummary.js.map +1 -0
package/dist/core/releaseTrain.js +3 -317
package/dist/core/releaseTrain.js.map +1 -1
package/dist/core/releaseTrainFallbacks.d.ts +3 -0
package/dist/core/releaseTrainFallbacks.js +318 -0
package/dist/core/releaseTrainFallbacks.js.map +1 -0
package/dist/core/reportScope.d.ts +7 -0
package/dist/core/reportScope.js +97 -6
package/dist/core/reportScope.js.map +1 -1
package/dist/core/review.d.ts +2 -25
package/dist/core/review.js +34 -1034
package/dist/core/review.js.map +1 -1
package/dist/core/reviewBaseSnapshot.d.ts +14 -0
package/dist/core/reviewBaseSnapshot.js +41 -0
package/dist/core/reviewBaseSnapshot.js.map +1 -0
package/dist/core/reviewChangedFiles.d.ts +8 -0
package/dist/core/reviewChangedFiles.js +63 -0
package/dist/core/reviewChangedFiles.js.map +1 -0
package/dist/core/reviewContractChanges.d.ts +5 -0
package/dist/core/reviewContractChanges.js +114 -0
package/dist/core/reviewContractChanges.js.map +1 -0
package/dist/core/reviewCycles.d.ts +7 -0
package/dist/core/reviewCycles.js +53 -0
package/dist/core/reviewCycles.js.map +1 -0
package/dist/core/reviewFindings.d.ts +17 -0
package/dist/core/reviewFindings.js +49 -0
package/dist/core/reviewFindings.js.map +1 -0
package/dist/core/reviewFlowDiffs.d.ts +4 -0
package/dist/core/reviewFlowDiffs.js +99 -0
package/dist/core/reviewFlowDiffs.js.map +1 -0
package/dist/core/reviewGit.d.ts +7 -0
package/dist/core/reviewGit.js +45 -0
package/dist/core/reviewGit.js.map +1 -0
package/dist/core/reviewGraphEvidence.d.ts +3 -0
package/dist/core/reviewGraphEvidence.js +55 -0
package/dist/core/reviewGraphEvidence.js.map +1 -0
package/dist/core/reviewHeadSnapshot.d.ts +8 -0
package/dist/core/reviewHeadSnapshot.js +15 -0
package/dist/core/reviewHeadSnapshot.js.map +1 -0
package/dist/core/reviewIntent.d.ts +2 -0
package/dist/core/reviewIntent.js +18 -0
package/dist/core/reviewIntent.js.map +1 -0
package/dist/core/reviewManifests.d.ts +12 -0
package/dist/core/reviewManifests.js +124 -0
package/dist/core/reviewManifests.js.map +1 -0
package/dist/core/reviewNoChanges.d.ts +9 -0
package/dist/core/reviewNoChanges.js +26 -0
package/dist/core/reviewNoChanges.js.map +1 -0
package/dist/core/reviewPackageScope.d.ts +4 -0
package/dist/core/reviewPackageScope.js +24 -0
package/dist/core/reviewPackageScope.js.map +1 -0
package/dist/core/reviewRefs.d.ts +4 -0
package/dist/core/reviewRefs.js +65 -0
package/dist/core/reviewRefs.js.map +1 -0
package/dist/core/reviewRiskyFunctions.d.ts +8 -0
package/dist/core/reviewRiskyFunctions.js +83 -0
package/dist/core/reviewRiskyFunctions.js.map +1 -0
package/dist/core/reviewState.d.ts +21 -0
package/dist/core/reviewState.js +96 -0
package/dist/core/reviewState.js.map +1 -0
package/dist/core/reviewTier.d.ts +18 -0
package/dist/core/reviewTier.js +99 -0
package/dist/core/reviewTier.js.map +1 -0
package/dist/core/reviewVerdict.d.ts +9 -0
package/dist/core/reviewVerdict.js +121 -0
package/dist/core/reviewVerdict.js.map +1 -0
package/dist/core/start.d.ts +1 -1
package/dist/core/start.js +17 -49
package/dist/core/start.js.map +1 -1
package/dist/core/startAdoptionGaps.d.ts +3 -0
package/dist/core/startAdoptionGaps.js +12 -0
package/dist/core/startAdoptionGaps.js.map +1 -0
package/dist/core/startInputs.d.ts +31 -0
package/dist/core/startInputs.js +27 -0
package/dist/core/startInputs.js.map +1 -0
package/dist/core/startMode.js +7 -1
package/dist/core/startMode.js.map +1 -1
package/dist/core/startReportBuilder.d.ts +25 -0
package/dist/core/startReportBuilder.js +44 -0
package/dist/core/startReportBuilder.js.map +1 -0
package/dist/core/taint.js +4 -116
package/dist/core/taint.js.map +1 -1
package/dist/core/taintMatching.d.ts +11 -0
package/dist/core/taintMatching.js +126 -0
package/dist/core/taintMatching.js.map +1 -0
package/dist/core/upgradePreview.d.ts +1 -12
package/dist/core/upgradePreview.js +9 -229
package/dist/core/upgradePreview.js.map +1 -1
package/dist/core/upgradePreviewNpmEvidence.d.ts +19 -0
package/dist/core/upgradePreviewNpmEvidence.js +164 -0
package/dist/core/upgradePreviewNpmEvidence.js.map +1 -0
package/dist/core/upgradePreviewPython.d.ts +2 -0
package/dist/core/upgradePreviewPython.js +71 -0
package/dist/core/upgradePreviewPython.js.map +1 -0
package/dist/index.d.ts +6 -12
package/dist/index.js +2 -3
package/dist/index.js.map +1 -1
package/dist/mcp/server.d.ts +3 -24
package/dist/mcp/server.js +32 -414
package/dist/mcp/server.js.map +1 -1
package/dist/mcp/serverContext.d.ts +6 -0
package/dist/mcp/serverContext.js +55 -0
package/dist/mcp/serverContext.js.map +1 -0
package/dist/mcp/serverDispatch.d.ts +39 -0
package/dist/mcp/serverDispatch.js +74 -0
package/dist/mcp/serverDispatch.js.map +1 -0
package/dist/mcp/serverHandlers.d.ts +15 -0
package/dist/mcp/serverHandlers.js +94 -0
package/dist/mcp/serverHandlers.js.map +1 -0
package/dist/mcp/serverLifecycle.d.ts +14 -0
package/dist/mcp/serverLifecycle.js +65 -0
package/dist/mcp/serverLifecycle.js.map +1 -0
package/dist/mcp/serverMessage.d.ts +11 -0
package/dist/mcp/serverMessage.js +37 -0
package/dist/mcp/serverMessage.js.map +1 -0
package/dist/mcp/serverSession.d.ts +6 -0
package/dist/mcp/serverSession.js +77 -0
package/dist/mcp/serverSession.js.map +1 -0
package/dist/mcp/serverStdio.d.ts +7 -0
package/dist/mcp/serverStdio.js +34 -0
package/dist/mcp/serverStdio.js.map +1 -0
package/dist/mcp/serverTypes.d.ts +18 -0
package/dist/mcp/serverTypes.js +2 -0
package/dist/mcp/serverTypes.js.map +1 -0
package/dist/mcp/serverVersion.d.ts +1 -0
package/dist/mcp/serverVersion.js +17 -0
package/dist/mcp/serverVersion.js.map +1 -0
package/dist/mcp/toolCatalog.d.ts +2 -0
package/dist/mcp/toolCatalog.js +93 -0
package/dist/mcp/toolCatalog.js.map +1 -0
package/dist/mcp/tools.d.ts +2 -3
package/dist/mcp/tools.js +5 -97
package/dist/mcp/tools.js.map +1 -1
package/dist/projscan-sbom.cdx.json +6 -6
package/dist/reporters/htmlReporter.d.ts +3 -2
package/dist/reporters/htmlReporter.js +14 -2
package/dist/reporters/htmlReporter.js.map +1 -1
package/dist/reporters/jsonReporter.d.ts +4 -3
package/dist/reporters/jsonReporter.js +9 -4
package/dist/reporters/jsonReporter.js.map +1 -1
package/dist/reporters/markdownAnalysisReporter.d.ts +2 -1
package/dist/reporters/markdownAnalysisReporter.js +8 -1
package/dist/reporters/markdownAnalysisReporter.js.map +1 -1
package/dist/reporters/markdownArchitectureReporter.d.ts +3 -0
package/dist/reporters/markdownArchitectureReporter.js +33 -0
package/dist/reporters/markdownArchitectureReporter.js.map +1 -0
package/dist/reporters/markdownCouplingReporter.d.ts +2 -0
package/dist/reporters/markdownCouplingReporter.js +43 -0
package/dist/reporters/markdownCouplingReporter.js.map +1 -0
package/dist/reporters/markdownCoverageReporter.d.ts +2 -0
package/dist/reporters/markdownCoverageReporter.js +40 -0
package/dist/reporters/markdownCoverageReporter.js.map +1 -0
package/dist/reporters/markdownExplanationReporter.d.ts +2 -0
package/dist/reporters/markdownExplanationReporter.js +37 -0
package/dist/reporters/markdownExplanationReporter.js.map +1 -0
package/dist/reporters/markdownHealthReporter.d.ts +4 -0
package/dist/reporters/markdownHealthReporter.js +66 -0
package/dist/reporters/markdownHealthReporter.js.map +1 -0
package/dist/reporters/markdownHotspotReporter.d.ts +2 -0
package/dist/reporters/markdownHotspotReporter.js +36 -0
package/dist/reporters/markdownHotspotReporter.js.map +1 -0
package/dist/reporters/markdownOutdatedReporter.d.ts +2 -0
package/dist/reporters/markdownOutdatedReporter.js +31 -0
package/dist/reporters/markdownOutdatedReporter.js.map +1 -0
package/dist/reporters/markdownPrDiffReporter.d.ts +2 -0
package/dist/reporters/markdownPrDiffReporter.js +63 -0
package/dist/reporters/markdownPrDiffReporter.js.map +1 -0
package/dist/reporters/markdownReporter.d.ts +9 -12
package/dist/reporters/markdownReporter.js +9 -288
package/dist/reporters/markdownReporter.js.map +1 -1
package/dist/reporters/markdownWorkspaceReporter.d.ts +2 -0
package/dist/reporters/markdownWorkspaceReporter.js +25 -0
package/dist/reporters/markdownWorkspaceReporter.js.map +1 -0
package/dist/reporters/sarifReporter.d.ts +6 -4
package/dist/reporters/sarifReporter.js +8 -7
package/dist/reporters/sarifReporter.js.map +1 -1
package/dist/tool-manifest.json +3 -3
package/dist/types.d.ts +34 -34
package/dist/utils/config.d.ts +2 -8
package/dist/utils/config.js +13 -211
package/dist/utils/config.js.map +1 -1
package/dist/utils/configBasics.d.ts +5 -0
package/dist/utils/configBasics.js +21 -0
package/dist/utils/configBasics.js.map +1 -0
package/dist/utils/configHotspots.d.ts +2 -0
package/dist/utils/configHotspots.js +15 -0
package/dist/utils/configHotspots.js.map +1 -0
package/dist/utils/configIssueRules.d.ts +8 -0
package/dist/utils/configIssueRules.js +24 -0
package/dist/utils/configIssueRules.js.map +1 -0
package/dist/utils/configMonorepo.d.ts +2 -0
package/dist/utils/configMonorepo.js +38 -0
package/dist/utils/configMonorepo.js.map +1 -0
package/dist/utils/configReportPolicies.d.ts +2 -0
package/dist/utils/configReportPolicies.js +32 -0
package/dist/utils/configReportPolicies.js.map +1 -0
package/dist/utils/configScan.d.ts +2 -0
package/dist/utils/configScan.js +15 -0
package/dist/utils/configScan.js.map +1 -0
package/dist/utils/configSeverity.d.ts +2 -0
package/dist/utils/configSeverity.js +15 -0
package/dist/utils/configSeverity.js.map +1 -0
package/dist/utils/configSources.d.ts +5 -0
package/dist/utils/configSources.js +55 -0
package/dist/utils/configSources.js.map +1 -0
package/dist/utils/configTaint.d.ts +2 -0
package/dist/utils/configTaint.js +15 -0
package/dist/utils/configTaint.js.map +1 -0
package/docs/GUIDE.md +21 -10
package/docs/ROADMAP.md +2 -2
package/docs/examples/adoption-workflows.md +2 -2
package/docs/examples/swarm-coordination.md +11 -0
package/package.json +1 -1

package/dist/utils/configReportPolicies.js ADDED Viewed

@@ -0,0 +1,32 @@
+export function applyReportPolicies(obj, out) {
+    if (!obj.reportPolicies ||
+        typeof obj.reportPolicies !== 'object' ||
+        Array.isArray(obj.reportPolicies)) {
+        return;
+    }
+    const raw = obj.reportPolicies;
+    const policies = {};
+    for (const [rawName, rawPolicy] of Object.entries(raw)) {
+        const name = rawName.trim();
+        const policy = name ? normalizeReportPolicy(rawPolicy) : null;
+        if (policy)
+            policies[name] = policy;
+    }
+    if (Object.keys(policies).length > 0)
+        out.reportPolicies = policies;
+}
+function normalizeReportPolicy(rawPolicy) {
+    if (!rawPolicy || typeof rawPolicy !== 'object' || Array.isArray(rawPolicy))
+        return null;
+    const entry = rawPolicy;
+    const policy = {};
+    if (Array.isArray(entry.reportScope)) {
+        const scopes = entry.reportScope.filter((v) => typeof v === 'string' && v.length > 0);
+        if (scopes.length > 0)
+            policy.reportScope = scopes;
+    }
+    if (typeof entry.redactPaths === 'boolean')
+        policy.redactPaths = entry.redactPaths;
+    return Object.keys(policy).length > 0 ? policy : null;
+}
+//# sourceMappingURL=configReportPolicies.js.map

package/dist/utils/configReportPolicies.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configReportPolicies.js","sourceRoot":"","sources":["../../src/utils/configReportPolicies.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,mBAAmB,CAAC,GAA4B,EAAE,GAAmB;IACnF,IACE,CAAC,GAAG,CAAC,cAAc;QACnB,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ;QACtC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EACjC,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,GAAG,CAAC,cAAyC,CAAC;IAC1D,MAAM,QAAQ,GAAuC,EAAE,CAAC;IAExD,KAAK,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,IAAI,MAAM;YAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC;IACtC,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,GAAG,CAAC,cAAc,GAAG,QAAQ,CAAC;AACtE,CAAC;AAED,SAAS,qBAAqB,CAAC,SAAkB;IAC/C,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACzF,MAAM,KAAK,GAAG,SAAoC,CAAC;IACnD,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,MAAM,CACrC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAC1D,CAAC;QACF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC;IACrD,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,WAAW,KAAK,SAAS;QAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACnF,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACxD,CAAC"}

package/dist/utils/configScan.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { ProjscanConfig } from '../types/config.js';
2	+ export declare function applyScan(obj: Record<string, unknown>, out: ProjscanConfig): void;

package/dist/utils/configScan.js ADDED Viewed

@@ -0,0 +1,15 @@
+export function applyScan(obj, out) {
+    if (!obj.scan || typeof obj.scan !== 'object')
+        return;
+    const raw = obj.scan;
+    const scan = {};
+    if (typeof raw.includeIgnored === 'boolean')
+        scan.includeIgnored = raw.includeIgnored;
+    if (typeof raw.scanEnvValues === 'boolean')
+        scan.scanEnvValues = raw.scanEnvValues;
+    if (typeof raw.offline === 'boolean')
+        scan.offline = raw.offline;
+    if (Object.keys(scan).length)
+        out.scan = scan;
+}
+//# sourceMappingURL=configScan.js.map

package/dist/utils/configScan.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configScan.js","sourceRoot":"","sources":["../../src/utils/configScan.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,SAAS,CAAC,GAA4B,EAAE,GAAmB;IACzE,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO;IACtD,MAAM,GAAG,GAAG,GAAG,CAAC,IAA+B,CAAC;IAChD,MAAM,IAAI,GAAwC,EAAE,CAAC;IACrD,IAAI,OAAO,GAAG,CAAC,cAAc,KAAK,SAAS;QAAE,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC,cAAc,CAAC;IACtF,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,GAAG,CAAC,aAAa,CAAC;IACnF,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IACjE,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM;QAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;AAChD,CAAC"}

package/dist/utils/configSeverity.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { ProjscanConfig } from '../types/config.js';
2	+ export declare function applySeverityOverrides(obj: Record<string, unknown>, out: ProjscanConfig): void;

package/dist/utils/configSeverity.js ADDED Viewed

@@ -0,0 +1,15 @@
+const VALID_SEVERITIES = ['info', 'warning', 'error'];
+export function applySeverityOverrides(obj, out) {
+    if (!obj.severityOverrides || typeof obj.severityOverrides !== 'object')
+        return;
+    const raw = obj.severityOverrides;
+    const overrides = {};
+    for (const [key, val] of Object.entries(raw)) {
+        if (typeof val === 'string' && VALID_SEVERITIES.includes(val)) {
+            overrides[key] = val;
+        }
+    }
+    if (Object.keys(overrides).length)
+        out.severityOverrides = overrides;
+}
+//# sourceMappingURL=configSeverity.js.map

package/dist/utils/configSeverity.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configSeverity.js","sourceRoot":"","sources":["../../src/utils/configSeverity.ts"],"names":[],"mappings":"AAGA,MAAM,gBAAgB,GAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAEvE,MAAM,UAAU,sBAAsB,CACpC,GAA4B,EAC5B,GAAmB;IAEnB,IAAI,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,GAAG,CAAC,iBAAiB,KAAK,QAAQ;QAAE,OAAO;IAChF,MAAM,GAAG,GAAG,GAAG,CAAC,iBAA4C,CAAC;IAC7D,MAAM,SAAS,GAAkC,EAAE,CAAC;IACpD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAK,gBAA6B,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5E,SAAS,CAAC,GAAG,CAAC,GAAG,GAAoB,CAAC;QACxC,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM;QAAE,GAAG,CAAC,iBAAiB,GAAG,SAAS,CAAC;AACvE,CAAC"}

package/dist/utils/configSources.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export interface ConfigSource {
+    value: unknown;
+    source: string;
+}
+export declare function loadConfigSource(rootPath: string, explicitPath?: string): Promise<ConfigSource | null>;

package/dist/utils/configSources.js ADDED Viewed

@@ -0,0 +1,55 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+const CONFIG_CANDIDATES = ['.projscanrc.json', '.projscanrc'];
+const PKG_KEY = 'projscan';
+export async function loadConfigSource(rootPath, explicitPath) {
+    if (explicitPath)
+        return await loadExplicitConfigSource(rootPath, explicitPath);
+    const candidateSource = await loadCandidateConfigSource(rootPath);
+    if (candidateSource)
+        return candidateSource;
+    return await loadPackageConfigSource(rootPath);
+}
+async function loadExplicitConfigSource(rootPath, explicitPath) {
+    const resolved = path.isAbsolute(explicitPath) ? explicitPath : path.join(rootPath, explicitPath);
+    return { value: safeParse(await fs.readFile(resolved, 'utf-8'), resolved), source: resolved };
+}
+async function loadCandidateConfigSource(rootPath) {
+    for (const name of CONFIG_CANDIDATES) {
+        const candidate = path.join(rootPath, name);
+        let raw;
+        try {
+            raw = await fs.readFile(candidate, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        return { value: safeParse(raw, candidate), source: candidate };
+    }
+    return null;
+}
+async function loadPackageConfigSource(rootPath) {
+    const pkgPath = path.join(rootPath, 'package.json');
+    try {
+        const raw = await fs.readFile(pkgPath, 'utf-8');
+        const pkg = JSON.parse(raw);
+        const embedded = pkg[PKG_KEY];
+        if (embedded && typeof embedded === 'object') {
+            return { value: embedded, source: `${pkgPath}#${PKG_KEY}` };
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}
+function safeParse(raw, filePath) {
+    try {
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Invalid JSON in ${filePath}: ${msg}`, { cause: err });
+    }
+}
+//# sourceMappingURL=configSources.js.map

package/dist/utils/configSources.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configSources.js","sourceRoot":"","sources":["../../src/utils/configSources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,iBAAiB,GAAG,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;AAC9D,MAAM,OAAO,GAAG,UAAU,CAAC;AAO3B,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,YAAqB;IAErB,IAAI,YAAY;QAAE,OAAO,MAAM,wBAAwB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAEhF,MAAM,eAAe,GAAG,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;IAClE,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAE5C,OAAO,MAAM,uBAAuB,CAAC,QAAQ,CAAC,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,QAAgB,EAChB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAClG,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAChG,CAAC;AAED,KAAK,UAAU,yBAAyB,CAAC,QAAgB;IACvD,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACjE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,QAAgB;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QACvD,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;QAC9B,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,IAAI,OAAO,EAAE,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,QAAgB;IAC9C,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,KAAK,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IACzE,CAAC;AACH,CAAC"}

package/dist/utils/configTaint.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { ProjscanConfig } from '../types/config.js';
2	+ export declare function applyTaint(obj: Record<string, unknown>, out: ProjscanConfig): void;

package/dist/utils/configTaint.js ADDED Viewed

@@ -0,0 +1,15 @@
+export function applyTaint(obj, out) {
+    if (!obj.taint || typeof obj.taint !== 'object')
+        return;
+    const t = obj.taint;
+    const taint = {};
+    if (Array.isArray(t.sources)) {
+        taint.sources = t.sources.filter((v) => typeof v === 'string' && v.length > 0);
+    }
+    if (Array.isArray(t.sinks)) {
+        taint.sinks = t.sinks.filter((v) => typeof v === 'string' && v.length > 0);
+    }
+    if (Object.keys(taint).length)
+        out.taint = taint;
+}
+//# sourceMappingURL=configTaint.js.map

package/dist/utils/configTaint.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"configTaint.js","sourceRoot":"","sources":["../../src/utils/configTaint.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,UAAU,CAAC,GAA4B,EAAE,GAAmB;IAC1E,IAAI,CAAC,GAAG,CAAC,KAAK,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO;IACxD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAgC,CAAC;IAC/C,MAAM,KAAK,GAAyC,EAAE,CAAC;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM;QAAE,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;AACnD,CAAC"}

package/docs/GUIDE.md CHANGED Viewed

@@ -187,7 +187,7 @@ When the agent first opens a repo, or before starting a refactor, the question i
   For branch-diff, PR-size, and commit-message questions, such as `projscan start --intent "what did I change since main?"`, `projscan start --intent "is this PR too large?"`, `projscan start --intent "how big is this change?"`, `projscan start --intent "write a commit message for these changes"`, or `projscan start --intent "summarize my changes for a commit"`, it routes to `projscan_pr_diff` so changed exports, imports, call sites, complexity, and fan-in are reviewed before full review.
   For branch freshness and comparison questions, such as `projscan start --intent "is my branch stale?"` or `projscan start --intent "compare my branch with main"`, it also routes to `projscan_pr_diff` so the developer checks the structural diff before rebasing or asking for review. For rebase and merge-conflict recovery, such as `projscan start --intent "rebase went wrong"` or `projscan start --intent "resolve merge conflicts"`, it routes to `projscan_preflight --mode before_merge`; post-conflict test-plan wording such as `projscan start --intent "what should I test after resolving conflicts?"` stays on `projscan_regression_plan`.
   For resume questions, such as `projscan start --intent "where did I leave off?"`, `projscan start --intent "what changed while I was away?"`, `projscan start --intent "what changed while I was offline?"`, `projscan start --intent "what changed while I was asleep?"`, `projscan start --intent "what did the last agent touch?"`, or `projscan start --intent "what did the last agent do?"`, it routes to `projscan_session { action: "touched" }` so remembered touched files are reviewed before live preflight evidence gates the next edit.
-  For parallel-agent coordination questions, such as `projscan start --intent "show coordination status for parallel agents"`, `projscan start --intent "who else is working on this?"`, `projscan start --intent "am I going to collide with another agent?"`, or `projscan start --intent "what worktrees are active?"`, it routes to `projscan_coordinate` so collisions, claims, and merge order are reviewed through one readiness verdict before editing continues. For merge-order wording, such as `projscan start --intent "what should merge first?"`, it routes to `projscan_merge_risk`; for overlap wording, such as `projscan start --intent "show me overlapping changes"`, it routes to `projscan_collision`.
+  For parallel-agent coordination questions, such as `projscan start --intent "show coordination status for parallel agents"`, `projscan start --intent "who else is working on this?"`, `projscan start --intent "am I going to collide with another agent?"`, or `projscan start --intent "what worktrees are active?"`, it routes to `projscan_coordinate` so collisions, claims, merge order, and the current-worktree-versus-remembered-session evidence boundary are reviewed through one readiness verdict before editing continues. For merge-order wording, such as `projscan start --intent "what should merge first?"`, it routes to `projscan_merge_risk`; for overlap wording, such as `projscan start --intent "show me overlapping changes"`, it routes to `projscan_collision`.
   For active-claim questions, such as `projscan start --intent "show active claims"`, it routes to `projscan_claim { action: "list" }` so owners, leases, and contention warnings are reviewed before parallel work continues.
   For file-claim requests, such as `projscan start --intent "claim src/core/start.ts for me"`, it routes to `projscan_claim`, lists active claims first, then adds the requested target only after a real agent name replaces `Needs Input`.
   For architecture-coupling questions, such as `projscan start --intent "show circular dependencies"` or `projscan start --intent "find dependency cycles"`, it routes to `projscan_coupling` with `direction: "cycles_only"` / `projscan coupling --cycles-only --format json`; broader wording such as `projscan start --intent "what modules are tightly coupled"` routes to the full fan-in, fan-out, instability, cross-package-edge, and cycle report.
@@ -204,7 +204,7 @@ When the agent first opens a repo, or before starting a refactor, the question i
 - **`projscan_preflight` / `projscan preflight`** — agent safety gate. Returns `proceed`, `caution`, or `block` with health, changed-file, review, remembered session, hotspot, plugin-policy, supply-chain, and release-scale evidence. `evidence.riskSources.currentWorktree` is current Git/worktree evidence; `evidence.riskSources.sessionMemory` is remembered handoff context. Use `--mode before_edit` at the start of work and `--mode before_commit` / `--mode before_merge` before handing off or merging; scale-only commit blocks are cautions, while merge gates still require manual release sign-off.
 - **`projscan_hotspots` / `projscan hotspots`** — files ranked by `git churn × AST cyclomatic complexity × open issues × ownership × coverage`. Pass `view: "functions"` for top-N risky individual functions across the repo (0.13+).
 - **`projscan_semantic_graph` / `projscan semantic-graph`** — stable v3 graph contract with file, function, package, and symbol nodes plus imports, exports, definitions, and calls edges. Use it when an agent needs one normalized graph shape instead of several targeted queries.
-- **`projscan_dataflow` / `projscan dataflow`** — direct, propagated, and bridge source-to-sink dataflow risks. Use it for a focused safety pass before touching command execution, raw SQL, filesystem writes, or DOM sinks.
+- **`projscan_dataflow` / `projscan dataflow`** — direct, propagated, and bridge source-to-sink dataflow risks, including framework-aware Next.js route request body and URL sources. Use it for a focused safety pass before touching command execution, raw SQL, filesystem writes, or DOM sinks.
 - **`projscan_coupling` / `projscan coupling`** — per-file fan-in / fan-out / instability plus circular-import cycles (Tarjan SCC). Use `direction: cycles_only` or `projscan coupling --cycles-only` to surface architectural debt directly.
 - **`projscan_analyze` / `projscan analyze`** — the everything report; useful at session start but verbose.
@@ -435,7 +435,11 @@ and a sink wrapper is surfaced even when legacy taint reachability cannot see a
 downstream call path from source to sink. By default, dataflow suppresses test-file paths,
 broad readFile/writeFile-style noise, and JavaScript RegExp.exec false positives.
 Framework request-source detection covers narrow tested patterns for Next.js, Hono,
-Express, Fastify, and Koa handlers while keeping lookalike helpers quiet.
+Express, Fastify, and Koa handlers, including Hono validator output,
+Express/Fastify/Koa request IP metadata, Fastify host/hostname and raw
+URL/header evidence, and Express/Koa header accessors plus Express
+`req.param(...)` and `req.originalUrl`, while
+keeping lookalike helpers quiet.
 For release hardening, `npm run check:graph-corpus` compares bundled fixture metrics against `docs/graph-corpus-baseline.json`. The gate fails only when graph coverage drops below the baseline or dataflow risks rise above it.
@@ -698,8 +702,8 @@ Preview the impact of upgrading a package. The default path is fully offline; pa
 - Breaking-change markers found in the CHANGELOG: scans for `BREAKING CHANGE`, `deprecated`, `removed support`, `no longer supported`, and section headers containing "breaking"
 - CHANGELOG excerpt sliced to the relevant version range (read from `node_modules/<pkg>/CHANGELOG.md`)
 - Importer list - every file in your source tree that imports the package (direct or sub-path)
-- Python manifest evidence for packages declared in `pyproject.toml`, `setup.cfg`, `setup.py`, or root `requirements*.txt`
-- Python current-version evidence from `poetry.lock` package blocks or pinned root `requirements*.txt` entries
+- Python manifest evidence for packages declared in `pyproject.toml` (including PEP 735 `dependency-groups`, Poetry dependency groups, and legacy `tool.poetry.dev-dependencies`), `setup.cfg`, `setup.py`, or root `requirements*.txt`. Root Python manifests are sufficient local evidence even before `.py` files exist.
+- Python current-version evidence from `poetry.lock` / `uv.lock` / `pdm.lock` package blocks, `conda-lock.yml` / `conda-lock.yaml` package entries, `Pipfile.lock` exact versions, pinned root `requirements*.txt`, or pinned root `constraints*.txt` entries
 **Example:**
@@ -721,7 +725,7 @@ $ projscan upgrade react --format markdown
 - Reads the CHANGELOG that npm already placed in `node_modules/`. If the package author doesn't ship one, you'll see "No local CHANGELOG found."
 - Without `--check-registry`, works with what's **installed** and reports `latestSource: "installed"`. With `--check-registry`, npm registry lookup is attempted and failures fall back to the installed version with `registryError`.
-- Python previews stay offline. They do not query PyPI; current-version evidence comes from supported local lockfiles or pinned root requirements.
+- Python previews stay offline. They do not query PyPI; current-version evidence comes from supported local lockfiles, pinned root requirements, or pinned root constraints.
 ### coverage
@@ -909,6 +913,10 @@ projscan doctor --format html > HEALTH.html
 ```
 Supported on `analyze`, `doctor`, `hotspots`, `coupling`, `pr-diff`, `review`, `impact`, and `coverage`.
+For `analyze` and `doctor`, scoped/redacted report controls also appear as a
+path-safe controls card when active.
+Path redaction keeps HTTP(S) documentation links readable while redacting
+standalone file-like path tokens from issue text.
 ### SARIF
@@ -929,9 +937,11 @@ Supported on `analyze`, `audit`, `ci`, `doctor`, and `outdated`. Each issue is e
 For shareable evidence artifacts, `analyze`, `doctor`, and `ci` accept
 `--report-policy <name>`, `--report-scope <paths>`, and `--redact-paths`. Scope
 is comma-separated and repo-relative. Redaction replaces file paths with stable
-labels while preserving correlation across issues and files in the same report.
-Direct `--report-scope` and `--redact-paths` flags override the selected preset
-for a single run.
+labels while preserving correlation across issues and files in the same report,
+including file-like path tokens in issue text that has no location anchor.
+JSON/SARIF include path-safe `reportControls` metadata, and Markdown/HTML print
+path-safe controls banners. Direct `--report-scope` and `--redact-paths` flags
+override the selected preset for a single run.
 - `properties.fixAvailable` - whether `projscan fix` can remediate it
 When uploaded to GitHub Code Scanning, findings appear in the **Security → Code scanning** tab and (for PRs) as inline annotations on changed lines.
@@ -1622,7 +1632,8 @@ src/
 │   ├── markdownReporter.ts      # Markdown output
 │   └── sarifReporter.ts         # SARIF 2.1.0 output
 ├── mcp/
-│   ├── server.ts                # JSON-RPC 2.0 dispatcher, stdio transport, negotiation
+│   ├── server.ts                # MCP server factory and JSON-RPC request orchestration
+│   ├── serverStdio.ts           # stdio transport loop for the CLI entry point
 │   ├── tools.ts                 # 41 MCP tools (barrel; per-tool files under tools/)
 │   ├── tokenBudget.ts           # Record-aware response truncator
 │   ├── pagination.ts            # Cursor-based pagination (opaque base64 + checksum)

package/docs/ROADMAP.md CHANGED Viewed

@@ -79,8 +79,8 @@ Success signals: teams copy the adoption examples into real reviews, scoped/reda
 - Roadmap and release-train planning now default to the current post-4.4 product lines instead of stale shipped work.
 - Adoption examples cover agent orchestration, package ownership, custom policy plugins, swarm coordination, and scoped evidence exports.
 - `analyze`, `doctor`, and `ci` can scope and redact shareable evidence with direct flags or named `reportPolicies` presets.
-- `projscan upgrade` and MCP `projscan_upgrade` support offline Python previews from manifests, Poetry lockfiles, pinned requirements, and Python importers.
-- Dataflow detects narrow Fastify and Koa request-source patterns while suppressing lookalike helpers and Koa response-body writes.
+- `projscan upgrade` and MCP `projscan_upgrade` support offline Python previews from manifests, Poetry/Pipfile/uv/PDM/Conda lockfiles, pinned requirements/constraints, and Python importers.
+- Dataflow detects narrow Fastify and Koa request-source patterns, including Fastify raw URL/header and Koa IP evidence, while suppressing lookalike helpers and Koa response-body writes.
 - Start next-action assembly and taint function identity were tightened during release readiness cleanup.
 ### Recently Completed — 4.4.0 (2026)

package/docs/examples/adoption-workflows.md CHANGED Viewed

@@ -50,8 +50,8 @@ projscan agent-brief --intent "handoff package ownership for fastapi" --format j
 For Node packages, `upgrade` reads local `package.json`, `node_modules`, local
 CHANGELOG files, and importer evidence. For Python packages, it reads
 `pyproject.toml`, `setup.cfg`, `setup.py`, root `requirements*.txt` files,
-Poetry lockfiles, and pinned root requirements, then returns declared scope,
-current-version source, drift, and Python importers.
+Poetry/Pipfile/uv/PDM/Conda lockfiles, and pinned root requirements/constraints, then
+returns declared scope, current-version source, drift, and Python importers.
 Decision loop:

package/docs/examples/swarm-coordination.md CHANGED Viewed

@@ -51,6 +51,17 @@ Read the outputs this way:
 | `coordinate` | Is the current swarm clear, cautious, or conflicted? | Use this as the one-line status in handoffs. |
 | `agent-brief` | What should the next agent know? | Include coordination hints in the next-agent packet. |
+The JSON reports for `collisions` and `coordinate` include an `evidence` block
+with the active command path, current worktree state, local-only source signals,
+the validation workflow above, and a reminder that session memory is separate
+from current Git/worktree evidence. The default `coordinate` console view prints
+the same session-boundary reminder inside its `Evidence` section.
+When multiple worktrees are present, `agent-brief` also carries a
+`context.coordinationHints` entry even for a clear swarm, so the next agent knows
+to validate locally with `projscan coordinate --format json`,
+`projscan coordinate --watch --interval 5 --format json`, and
+`projscan agent-brief --format json` before continuing parallel edits.
 For MCP clients that support long-running notifications, use the watch tool:
 ```text

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "4.5.0",
+  "version": "4.6.0",
   "description": "Agent-first code intelligence. MCP server (2025-03-26) with 11 AST adapters covering 12 named languages: JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; repo understanding maps (projscan_understand), stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), first-60-seconds workflow orientation (projscan_start), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
   "type": "module",
   "main": "./dist/index.js",