sadrazam 0.1.0-alpha.6

package/CHANGELOG.md

@@ -0,0 +1,62 @@
+# CHANGELOG
+
+## Unreleased
+
+### Added
+- Repository contribution and release rules in `AGENTS.md`
+
+## v0.1.0-alpha.6
+
+### Changed
+- Switched the npm package name from `vezir` to `sadrazam` for publish testing
+
+## v0.1.0-alpha.5
+
+### Changed
+- Switched the npm package name from `mizan` to `vezir` for publish testing
+
+## v0.1.0-alpha.4
+
+### Changed
+- Switched the npm package name from `kantar` to `mizan` for publish testing
+
+## v0.1.0-alpha.3
+
+### Changed
+- Switched the npm package name from `sarraf` to `kantar` for publish testing
+
+## v0.1.0-alpha.2
+
+### Added
+- GitHub Actions workflows for docs validation and tagged npm publishing
+- Vitest-based test runner setup
+- MIT license file and package publish metadata cleanup
+
+### Changed
+- Limited published package contents to production artifacts and top-level docs
+- Strengthened alpha release preparation flow for automated npm publishing
+
+### Fixed
+- Removed accidental token-like content from the publish workflow before release
+
+## v0.1.0-alpha.1
+
+### Added
+- Workspace-aware scanning and workspace filtering
+- Text and JSON reporters
+- Script parser support for `package.json` scripts
+- Dependency trace output
+- Source mapping from build output back to source files
+- Config loading from `sarraf.json` and `package.json#sarraf`
+- Ignore and allowlist controls for findings
+- AI-powered dependency summaries for OpenAI, Anthropic, and Gemini
+- Fixture tests and smoke test scenarios
+
+### Changed
+- Improved CLI help output and quick-start documentation
+- Hardened CommonJS and hybrid import parsing
+- Added debug visibility for config source and active rule filters
+
+### Fixed
+- AI failures no longer break the main dependency scan report
+- Script-based package usage now reduces false positives for unused tooling packages

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Bora Kilicoglu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,343 @@
+<p align="center">
+  <img src="./assets/logo.svg" alt="Sarraf logo" width="200" />
+</p>
+
+Sarraf is a dependency analysis CLI for JavaScript and TypeScript projects with optional AI-powered insights.
+
+Sarraf scans your dependencies like a jeweler inspects gold. It finds unused packages, flags dependency hygiene issues, and, when you provide an AI token, can explain findings and suggest cleanup actions directly in the CLI.
+
+Current status:
+
+- unused `dependencies` and `devDependencies`
+- script-aware dependency detection
+- workspace and monorepo-aware scanning
+- text and JSON reporters
+- package usage tracing
+- source mapping from build output back to source files
+- production and strict scan modes
+- config file support via `sarraf.json` or `package.json#sarraf`
+- ignore and allowlist controls for findings
+- AI summaries via `openai`, `anthropic`, or `gemini`
+
+## Why Sarraf?
+
+JavaScript projects accumulate packages over time. Some stop being used. Some belong in `devDependencies` but end up in `dependencies`. Some become outdated, deprecated, or risky.
+
+Sarraf exists to answer a simple question:
+
+Which packages in this project are actually needed, and which ones are adding weight or risk?
+
+Sarraf's direction is:
+
+- cover the core dependency analysis workflow teams expect from a modern dependency scanner
+- add an optional AI layer for interpretation, prioritization, and remediation suggestions
+- keep the base scanner useful even when no token is provided
+
+## What Sarraf Does
+
+Sarraf analyzes a project by reading its manifest and source files, then comparing declared dependencies with actual usage.
+
+Without AI:
+
+- scans the project
+- resolves imported packages
+- reports unused or suspicious dependencies
+
+With AI token provided:
+
+- explains why a dependency looks unused or risky
+- suggests whether it should be removed, moved, or reviewed
+- helps turn raw analysis into actionable cleanup decisions
+
+Current focus:
+
+- read `package.json`
+- scan `js`, `ts`, `jsx`, `tsx`, `mjs`, `cjs`, `mts`, `cts` files
+- extract package usage from `import`, `export ... from`, `import = require`, `require`, and `require.resolve`
+- include package usage referenced from `package.json` scripts
+- report unused and suspicious dependency declarations
+
+## MVP Scope
+
+The first version is intentionally narrow.
+
+Included in v1:
+
+- package manifest analysis
+- source scan for dependency usage
+- unused `dependencies` detection
+- unused `devDependencies` detection
+- script parser support
+- workspace-aware scanning
+- trace output for package usage
+- source mapping for build output
+- reporter support for `text` and `json`
+- `production` and `strict` scan modes
+- config support
+- ignore and allowlist support
+- optional AI summaries in the CLI when a valid token is configured
+
+Planned after MVP:
+
+- deeper wrong dependency placement detection
+- deprecated package checks
+- basic dependency risk score
+- CI-friendly output and exit codes
+- richer AI remediation suggestions
+
+## Install
+
+Local development:
+
+```bash
+npm install
+```
+
+When published as an npm package:
+
+```bash
+npm install -g sarraf
+```
+
+or run it without a global install:
+
+```bash
+npx sarraf .
+```
+
+## Quick Start
+
+```bash
+npx sarraf .
+npx sarraf . --reporter json
+npx sarraf . --trace typescript
+AI_PROVIDER=openai AI_TOKEN=your_token npx sarraf . --ai
+```
+
+## Usage
+
+Common scenarios:
+
+- scan a single package
+- scan one workspace inside a monorepo
+- export findings as JSON
+- trace why a package is treated as used
+- run in production or strict mode
+- enrich the report with AI summaries
+
+Scan the current project:
+
+```bash
+npx sarraf .
+```
+
+Scan a specific directory:
+
+```bash
+npx sarraf ./packages/web
+```
+
+Scan a single workspace in a monorepo:
+
+```bash
+npx sarraf . --workspace packages/web
+```
+
+Get JSON output:
+
+```bash
+npx sarraf . --reporter json
+```
+
+Trace why a package is considered used:
+
+```bash
+npx sarraf . --trace typescript
+```
+
+Production-only scan:
+
+```bash
+npx sarraf . --production
+```
+
+Strict mode:
+
+```bash
+npx sarraf . --strict
+```
+
+Ignore or allow specific findings from the CLI:
+
+```bash
+npx sarraf . --ignore-packages react
+npx sarraf . --allow-unused-dev-dependencies typescript
+```
+
+For local development in this repository:
+
+```bash
+npm run dev
+npm run build
+npm run typecheck
+node dist/index.js .
+```
+
+Useful local examples:
+
+```bash
+node dist/index.js . --debug
+node dist/index.js . --exclude unused-devDependencies
+node dist/index.js . --reporter json --trace commander
+node dist/index.js . --ignore-packages react --allow-unused-dev-dependencies typescript
+```
+
+## Config
+
+Sarraf can load config from either:
+
+- `sarraf.json`
+- `package.json` under the `sarraf` key
+
+Example `sarraf.json`:
+
+```json
+{
+  "reporter": "json",
+  "production": false,
+  "strict": false,
+  "exclude": ["missing"],
+  "ignorePackages": ["react"],
+  "allowUnusedDependencies": [],
+  "allowUnusedDevDependencies": ["typescript"],
+  "allowMissingPackages": [],
+  "allowMisplacedDevDependencies": [],
+  "workspace": ["packages/web"],
+  "ai": {
+    "provider": "openai",
+    "model": "gpt-4.1"
+  }
+}
+```
+
+CLI flags take precedence over config values.
+
+## Exit Codes
+
+Sarraf uses these exit codes:
+
+- `0`: scan completed and no findings were reported
+- `1`: execution error, invalid configuration, or unrecoverable runtime failure
+- `2`: scan completed and findings were reported
+
+## Ignore And Allowlist
+
+Use these when a finding is intentionally acceptable:
+
+- `ignorePackages`
+- `allowUnusedDependencies`
+- `allowUnusedDevDependencies`
+- `allowMissingPackages`
+- `allowMisplacedDevDependencies`
+
+## AI Mode
+
+Sarraf works in two modes:
+
+- standard analysis mode with no token required
+- AI-assisted mode when the user provides an API token
+
+The base CLI remains useful without AI. AI is an upgrade layer, not a requirement.
+
+Environment variables:
+
+```bash
+AI_PROVIDER=openai
+AI_TOKEN=your_token
+AI_MODEL=gpt-4.1
+```
+
+Current provider values:
+
+- `openai`
+- `anthropic`
+- `gemini`
+
+Examples:
+
+```bash
+AI_PROVIDER=openai AI_TOKEN=your_token npx sarraf . --ai
+AI_PROVIDER=anthropic AI_TOKEN=your_token npx sarraf . --ai
+AI_PROVIDER=gemini AI_TOKEN=your_token npx sarraf . --ai
+```
+
+CLI overrides:
+
+```bash
+npx sarraf . --ai --provider openai --model gpt-4.1
+```
+
+What AI currently does:
+
+- summarizes findings
+- prioritizes the most important cleanup actions
+- turns raw scan output into a short remediation note
+
+What AI does not yet do:
+
+- automatic fixes
+- package reputation or security scoring
+- multi-step remediation planning
+- guaranteed deterministic recommendations across providers
+
+## Testing
+
+Local verification includes fixture-based tests for:
+
+- config loading
+- ignore and allowlist behavior
+- AI response parsing
+- AI auth error handling
+
+Run:
+
+```bash
+npm test
+```
+
+Smoke scenarios:
+
+```bash
+npm run smoke
+```
+
+This runs repeatable checks for:
+
+- single-package config-driven repo
+- CommonJS repo
+- monorepo with multiple workspaces
+
+## Known Limitations
+
+- AI summaries depend on third-party provider behavior and network availability
+- source mapping uses source maps first and path heuristics second
+- misplaced dependency detection is intentionally conservative
+- dependency analysis is strongest for standard JS/TS project layouts
+
+## Product Vision
+
+Sarraf aims to become a practical dependency audit tool for everyday JavaScript teams.
+
+Not a full software composition analysis platform.
+Not a vulnerability database replacement.
+
+The goal is simpler and more useful in daily work:
+
+- show what is unused
+- reveal what looks suspicious
+- explain findings in plain language when AI is enabled
+- make dependency decisions easier during development and in CI
+
+## One-Line Pitch
+
+Sarraf is a CLI that finds unnecessary and risky npm packages, then goes further with optional AI-powered explanations and cleanup guidance.

package/dist/aiClient.d.ts

@@ -0,0 +1,4 @@
+import type { AiConfig } from "./aiConfig.js";
+import type { ReportWorkspace } from "./reporters.js";
+export declare function generateAiSummary(config: AiConfig, workspaces: ReportWorkspace[]): Promise<string>;
+//# sourceMappingURL=aiClient.d.ts.map

package/dist/aiClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aiClient.d.ts","sourceRoot":"","sources":["../src/aiClient.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEtD,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,QAAQ,EAChB,UAAU,EAAE,eAAe,EAAE,GAC5B,OAAO,CAAC,MAAM,CAAC,CAYjB"}

package/dist/aiClient.js

@@ -0,0 +1,152 @@
+export async function generateAiSummary(config, workspaces) {
+    const prompt = buildPrompt(workspaces);
+    if (config.provider === "openai") {
+        return callOpenAI(config, prompt);
+    }
+    if (config.provider === "anthropic") {
+        return callAnthropic(config, prompt);
+    }
+    return callGemini(config, prompt);
+}
+function buildPrompt(workspaces) {
+    const payload = {
+        workspaces: workspaces.map(({ workspace, findings, result }) => ({
+            workspace: workspace.name,
+            relativeDir: workspace.relativeDir,
+            findings: findings.map((finding) => ({
+                type: finding.type,
+                items: finding.items,
+            })),
+            externalImports: result.externalImports,
+            traces: result.packageTraces,
+        })),
+    };
+    return [
+        "You are Sarraf AI, a dependency analysis assistant.",
+        "Summarize the most important dependency hygiene issues.",
+        "Keep the answer short, actionable, and grouped by priority.",
+        "If there are no findings, say that clearly.",
+        JSON.stringify(payload),
+    ].join("\n\n");
+}
+async function callOpenAI(config, prompt) {
+    const response = await requestJson("openai", "https://api.openai.com/v1/responses", {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${config.token}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            model: config.model ?? "gpt-4.1",
+            input: prompt,
+        }),
+    });
+    return parseOpenAIResponse(await parseJsonResponse(response));
+}
+async function callAnthropic(config, prompt) {
+    const response = await requestJson("anthropic", "https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: {
+            "x-api-key": config.token,
+            "anthropic-version": "2023-06-01",
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            model: config.model ?? "claude-sonnet-4-5",
+            max_tokens: 700,
+            messages: [
+                {
+                    role: "user",
+                    content: prompt,
+                },
+            ],
+        }),
+    });
+    return parseAnthropicResponse(await parseJsonResponse(response));
+}
+async function callGemini(config, prompt) {
+    const model = config.model ?? "gemini-2.5-flash";
+    const response = await requestJson("gemini", `https://generativelanguage.googleapis.com/v1beta/models/${encodeURIComponent(model)}:generateContent`, {
+        method: "POST",
+        headers: {
+            "x-goog-api-key": config.token,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            contents: [
+                {
+                    parts: [{ text: prompt }],
+                },
+            ],
+        }),
+    });
+    return parseGeminiResponse(await parseJsonResponse(response));
+}
+async function parseJsonResponse(response) {
+    const payload = await response.json().catch(() => null);
+    if (!response.ok) {
+        throw new Error(describeHttpFailure(response.status, payload));
+    }
+    return payload;
+}
+async function requestJson(provider, url, init) {
+    try {
+        return await fetch(url, init);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`AI request to ${provider} failed before a response was received: ${message}`);
+    }
+}
+function parseOpenAIResponse(payload) {
+    const data = payload;
+    if (data.output_text?.trim()) {
+        return data.output_text.trim();
+    }
+    const fallback = data.output
+        ?.flatMap((item) => item.content ?? [])
+        .map((item) => item.text ?? "")
+        .join("\n")
+        .trim();
+    if (!fallback) {
+        throw new Error("OpenAI response did not contain text output.");
+    }
+    return fallback;
+}
+function parseAnthropicResponse(payload) {
+    const data = payload;
+    const text = data.content
+        ?.filter((item) => item.type === "text")
+        .map((item) => item.text ?? "")
+        .join("\n")
+        .trim();
+    if (!text) {
+        throw new Error("Anthropic response did not contain text output.");
+    }
+    return text;
+}
+function parseGeminiResponse(payload) {
+    const data = payload;
+    const text = data.candidates
+        ?.flatMap((candidate) => candidate.content?.parts ?? [])
+        .map((part) => part.text ?? "")
+        .join("\n")
+        .trim();
+    if (!text) {
+        throw new Error("Gemini response did not contain text output.");
+    }
+    return text;
+}
+function describeHttpFailure(status, payload) {
+    if (status === 401 || status === 403) {
+        return `AI authentication failed (${status}). Check AI_TOKEN and provider configuration.`;
+    }
+    if (status === 429) {
+        return `AI rate limit exceeded (${status}). Try again later or reduce request frequency.`;
+    }
+    if (status >= 500) {
+        return `AI provider error (${status}). Try again later.`;
+    }
+    return `AI request failed (${status}): ${JSON.stringify(payload)}`;
+}
+//# sourceMappingURL=aiClient.js.map

package/dist/aiClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aiClient.js","sourceRoot":"","sources":["../src/aiClient.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAgB,EAChB,UAA6B;IAE7B,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEvC,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,OAAO,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,UAA6B;IAChD,MAAM,OAAO,GAAG;QACd,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;YAC/D,SAAS,EAAE,SAAS,CAAC,IAAI;YACzB,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACnC,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,KAAK,EAAE,OAAO,CAAC,KAAK;aACrB,CAAC,CAAC;YACH,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,MAAM,EAAE,MAAM,CAAC,aAAa;SAC7B,CAAC,CAAC;KACJ,CAAC;IAEF,OAAO;QACL,qDAAqD;QACrD,yDAAyD;QACzD,6DAA6D;QAC7D,6CAA6C;QAC7C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KACxB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,MAAgB,EAAE,MAAc;IACxD,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,qCAAqC,EAAE;QAClF,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,MAAM,CAAC,KAAK,EAAE;YACvC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;YAChC,KAAK,EAAE,MAAM;SACd,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,mBAAmB,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAgB,EAAE,MAAc;IAC3D,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,uCAAuC,EAAE;QACvF,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,WAAW,EAAE,MAAM,CAAC,KAAK;YACzB,mBAAmB,EAAE,YAAY;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,mBAAmB;YAC1C,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,MAAM;iBAChB;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,OAAO,sBAAsB,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,MAAgB,EAAE,MAAc;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,kBAAkB,CAAC;IACjD,MAAM,QAAQ,GAAG,MAAM,WAAW,CAChC,QAAQ,EACR,2DAA2D,kBAAkB,CAAC,KAAK,CAAC,kBAAkB,EACtG;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,gBAAgB,EAAE,MAAM,CAAC,KAAK;YAC9B,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE;gBACR;oBACE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;iBAC1B;aACF;SACF,CAAC;KACH,CACF,CAAC;IAEF,OAAO,mBAAmB,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAkB;IACjD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAExD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,QAAgB,EAChB,GAAW,EACX,IAAiB;IAEjB,IAAI,CAAC;QACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,IAAI,KAAK,CAAC,iBAAiB,QAAQ,2CAA2C,OAAO,EAAE,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,MAAM,IAAI,GAAG,OAKZ,CAAC;IAEF,IAAI,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM;QAC1B,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACtC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;SAC9B,IAAI,CAAC,IAAI,CAAC;SACV,IAAI,EAAE,CAAC;IAEV,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAgB;IAC9C,MAAM,IAAI,GAAG,OAEZ,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO;QACvB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC;SACvC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;SAC9B,IAAI,CAAC,IAAI,CAAC;SACV,IAAI,EAAE,CAAC;IAEV,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,MAAM,IAAI,GAAG,OAMZ,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU;QAC1B,EAAE,OAAO,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC;SACvD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;SAC9B,IAAI,CAAC,IAAI,CAAC;SACV,IAAI,EAAE,CAAC;IAEV,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc,EAAE,OAAgB;IAC3D,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACrC,OAAO,6BAA6B,MAAM,+CAA+C,CAAC;IAC5F,CAAC;IAED,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,2BAA2B,MAAM,iDAAiD,CAAC;IAC5F,CAAC;IAED,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,sBAAsB,MAAM,qBAAqB,CAAC;IAC3D,CAAC;IAED,OAAO,sBAAsB,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;AACrE,CAAC"}

package/dist/aiConfig.d.ts

@@ -0,0 +1,19 @@
+export declare const SUPPORTED_AI_PROVIDERS: readonly ["openai", "anthropic", "gemini"];
+export type AiProvider = (typeof SUPPORTED_AI_PROVIDERS)[number];
+export interface AiConfig {
+    enabled: boolean;
+    provider: AiProvider;
+    token: string;
+    model?: string;
+}
+export interface AiOptionsInput {
+    ai?: boolean | undefined;
+    provider?: string | undefined;
+    model?: string | undefined;
+    configAi?: {
+        provider?: string;
+        model?: string;
+    } | undefined;
+}
+export declare function resolveAiConfig(options: AiOptionsInput): AiConfig | null;
+//# sourceMappingURL=aiConfig.d.ts.map

package/dist/aiConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aiConfig.d.ts","sourceRoot":"","sources":["../src/aiConfig.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,4CAA6C,CAAC;AAEjF,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,sBAAsB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEjE,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,UAAU,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,SAAS,CAAC;CACf;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,cAAc,GAAG,QAAQ,GAAG,IAAI,CAgCxE"}

package/dist/aiConfig.js

@@ -0,0 +1,28 @@
+export const SUPPORTED_AI_PROVIDERS = ["openai", "anthropic", "gemini"];
+export function resolveAiConfig(options) {
+    if (!options.ai) {
+        return null;
+    }
+    const provider = (options.provider ??
+        options.configAi?.provider ??
+        process.env.AI_PROVIDER ??
+        "openai").trim();
+    const token = (process.env.AI_TOKEN ?? "").trim();
+    const model = (options.model ?? options.configAi?.model ?? process.env.AI_MODEL ?? "").trim();
+    if (!isAiProvider(provider)) {
+        throw new Error(`Unsupported AI provider "${provider}". Supported providers: ${SUPPORTED_AI_PROVIDERS.join(", ")}`);
+    }
+    if (!token) {
+        throw new Error("AI mode requires AI_TOKEN. Set AI_PROVIDER/AI_TOKEN in your environment or use --provider.");
+    }
+    return {
+        enabled: true,
+        provider,
+        token,
+        ...(model ? { model } : {}),
+    };
+}
+function isAiProvider(value) {
+    return SUPPORTED_AI_PROVIDERS.includes(value);
+}
+//# sourceMappingURL=aiConfig.js.map

package/dist/aiConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aiConfig.js","sourceRoot":"","sources":["../src/aiConfig.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAU,CAAC;AAqBjF,MAAM,UAAU,eAAe,CAAC,OAAuB;IACrD,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,CACf,OAAO,CAAC,QAAQ;QAChB,OAAO,CAAC,QAAQ,EAAE,QAAQ;QAC1B,OAAO,CAAC,GAAG,CAAC,WAAW;QACvB,QAAQ,CACT,CAAC,IAAI,EAAE,CAAC;IACT,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,QAAQ,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAE9F,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,4BAA4B,QAAQ,2BAA2B,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,4FAA4F,CAC7F,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,QAAQ;QACR,KAAK;QACL,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,sBAAsB,CAAC,QAAQ,CAAC,KAAmB,CAAC,CAAC;AAC9D,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,26 @@
+import type { FindingType, ReporterType } from "./reporters.js";
+export interface SarrafConfig {
+    reporter?: ReporterType;
+    include?: FindingType[];
+    exclude?: FindingType[];
+    workspace?: string[];
+    production?: boolean;
+    strict?: boolean;
+    debug?: boolean;
+    trace?: string;
+    ignorePackages?: string[];
+    allowUnusedDependencies?: string[];
+    allowUnusedDevDependencies?: string[];
+    allowMissingPackages?: string[];
+    allowMisplacedDevDependencies?: string[];
+    ai?: {
+        provider?: string;
+        model?: string;
+    };
+}
+export interface LoadedSarrafConfig {
+    config: SarrafConfig;
+    source: string;
+}
+export declare function loadSarrafConfig(startDir: string): Promise<LoadedSarrafConfig>;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGhE,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;IACzC,EAAE,CAAC,EAAE;QACH,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB;AAQD,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAoBpF"}