universal-ast-mapper 1.28.0 → 2.0.1

package/dist/report.js

@@ -116,9 +116,12 @@ export async function buildReport(absDir, root) {
         },
     };
 }
-/* ─── Premium HTML dashboard ───────────────────────────────────────────────── */
+/* ─── HTML dashboard ────────────────────────────────────────────────────────── */
 const GRADE_COLOR = {
-    A: "#1d9e75", B: "#1d9e75", C: "#ba7517", D: "#d85a30", F: "#e24b4a",
+    A: "#1d9e75", B: "#22c55e", C: "#ba7517", D: "#d85a30", F: "#e24b4a",
+};
+const GRADE_BG = {
+    A: "#dcfce7", B: "#dcfce7", C: "#fef9c3", D: "#ffedd5", F: "#fee2e2",
 };
 function esc(s) {
     return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
@@ -129,104 +132,310 @@ function ratingColor(r) {
 function instColor(i) {
     return i >= 0.8 ? "#e24b4a" : i <= 0.2 ? "#1d9e75" : "#ba7517";
 }
-function statCard(label, value, accent) {
-    return `<div class="stat"><div class="sv"${accent ? ` style="color:${accent}"` : ""}>${value}</div><div class="sl">${label}</div></div>`;
+function scoreRing(score, grade) {
+    const gc = GRADE_COLOR[grade] ?? "#888";
+    const r = 42, circ = 2 * Math.PI * r;
+    const dash = (score / 100) * circ;
+    return `<div class="score-ring-wrap">
+    <svg width="110" height="110" viewBox="0 0 110 110">
+      <circle cx="55" cy="55" r="${r}" fill="none" stroke="currentColor" stroke-width="9" opacity=".1"/>
+      <circle cx="55" cy="55" r="${r}" fill="none" stroke="${gc}" stroke-width="9"
+        stroke-dasharray="${dash.toFixed(1)} ${circ.toFixed(1)}"
+        stroke-linecap="round" transform="rotate(-90 55 55)"
+        style="transition:stroke-dasharray 1s ease"/>
+      <text x="55" y="50" text-anchor="middle" font-size="28" font-weight="700" fill="${gc}" font-family="system-ui,sans-serif">${grade}</text>
+      <text x="55" y="66" text-anchor="middle" font-size="12" fill="currentColor" opacity=".6" font-family="system-ui,sans-serif">${score}/100</text>
+    </svg>
+  </div>`;
+}
+function statCard(label, value, accent, sub) {
+    const accent_attr = accent ? ` style="color:${accent}"` : "";
+    const sub_html = sub ? `<div class="sl-sub">${sub}</div>` : "";
+    return `<div class="stat"><div class="sv"${accent_attr}>${value}</div><div class="sl">${label}</div>${sub_html}</div>`;
 }
-function bar(label, value, max, color, right) {
+function bar(label, value, max, color, right, title) {
     const pct = max > 0 ? Math.round((value / max) * 100) : 0;
-    return `<div class="row"><div class="rl">${esc(label)}</div><div class="track"><div class="fill" style="width:${pct}%;background:${color}"></div></div><div class="rr">${right}</div></div>`;
+    const titleAttr = title ? ` title="${esc(title)}"` : "";
+    return `<div class="row"${titleAttr}><div class="rl">${esc(label)}</div><div class="track"><div class="fill" style="width:${pct}%;background:${color}"></div></div><div class="rr">${right}</div></div>`;
+}
+function collapsibleCard(id, title, content, icon, open = true) {
+    return `<div class="card" id="card-${id}">
+    <div class="card-header" onclick="toggleCard('${id}')">
+      <span class="card-icon">${icon}</span>
+      <h2>${title}</h2>
+      <span class="card-arrow" id="arr-${id}">${open ? "▾" : "▸"}</span>
+    </div>
+    <div class="card-body" id="body-${id}" style="${open ? "" : "display:none"}">
+      ${content}
+    </div>
+  </div>`;
 }
-export function buildReportHtml(d) {
+export function buildReportHtml(d, history = []) {
     const gc = GRADE_COLOR[d.grade] ?? "#888";
+    const prev = history.length >= 2 ? history[history.length - 2] : null;
+    const scoreDelta = prev ? d.score - prev.score : null;
+    const deltaBadge = scoreDelta === null ? ""
+        : scoreDelta > 0 ? `<span class="delta up">↑ +${scoreDelta}</span>`
+            : scoreDelta < 0 ? `<span class="delta dn">↓ ${scoreDelta}</span>`
+                : `<span class="delta neu">→ 0</span>`;
     const maxLang = d.languages[0]?.files ?? 1;
     const langs = d.languages.map((l) => bar(l.lang, l.files, maxLang, "#534ab7", `${l.files}`)).join("");
     const maxCx = d.complexity.hotspots[0]?.complexity ?? 1;
     const hotspots = d.complexity.hotspots.length
-        ? d.complexity.hotspots.map((h) => bar(`${h.name}  ·  ${h.file}`, h.complexity, maxCx, ratingColor(h.rating), `<b>${h.complexity}</b>`)).join("")
+        ? d.complexity.hotspots.map((h) => bar(`${h.name}  ·  ${h.file}`, h.complexity, maxCx, ratingColor(h.rating), `<b>${h.complexity}</b>`, `${h.name} in ${h.file} — complexity ${h.complexity}`)).join("")
         : `<div class="empty">No functions found.</div>`;
     const god = d.godNodes.length
-        ? d.godNodes.map((g) => `<div class="li"><span class="mono">${esc(g.symbol)}</span><span class="dim">${esc(g.file)}</span><span class="pill">${g.importCount} importers</span></div>`).join("")
-        : `<div class="empty">None.</div>`;
+        ? d.godNodes.map((g) => `<div class="li">
+        <span class="kbadge">god</span>
+        <span class="mono">${esc(g.symbol)}</span>
+        <span class="dim">${esc(g.file)}</span>
+        <span class="pill pill-warn">${g.importCount} importers</span>
+      </div>`).join("")
+        : `<div class="ok">✓ No dominant god nodes</div>`;
     const dead = d.dead.count
-        ? d.dead.items.map((x) => `<div class="li"><span class="kbadge">${esc(x.kind)}</span><span class="mono">${esc(x.symbol)}</span><span class="dim">${esc(x.file)}</span></div>`).join("")
+        ? d.dead.items.map((x) => `<div class="li">
+        <span class="kbadge">${esc(x.kind)}</span>
+        <span class="mono">${esc(x.symbol)}</span>
+        <span class="dim">${esc(x.file)}</span>
+      </div>`).join("")
             + (d.dead.count > d.dead.items.length ? `<div class="more">+${d.dead.count - d.dead.items.length} more…</div>` : "")
         : `<div class="ok">✓ No high-confidence dead exports</div>`;
     const cycles = d.cycles.count
-        ? d.cycles.items.map((c) => `<div class="li"><span class="mono">${esc(c.join("  →  "))}</span></div>`).join("")
+        ? d.cycles.items.map((c) => `<div class="li cycle-li">
+        <span class="cycle-arrow">↻</span>
+        <span class="mono cycle-chain">${esc(c.join(" → "))}</span>
+      </div>`).join("")
         : `<div class="ok">✓ No circular dependencies</div>`;
     const modules = d.modules.length
         ? d.modules.map((m) => bar(`${m.module}  ·  ${m.files} file(s)`, m.instability, 1, instColor(m.instability), `Ca ${m.afferent} · Ce ${m.efferent} · <b>I ${m.instability.toFixed(2)}</b>`)).join("")
         : `<div class="empty">No cross-module imports.</div>`;
     const covPct = Math.round(d.testCoverage.coverageRatio * 100);
     const covC = d.testCoverage.coverageRatio >= 0.7 ? "#1d9e75" : d.testCoverage.coverageRatio >= 0.4 ? "#ba7517" : "#e24b4a";
-    const covHead = d.testCoverage.testFiles > 0
-        ? bar(`${d.testCoverage.testedSources}/${d.testCoverage.sourceFiles} sources tested · ${d.testCoverage.testFiles} test file(s)${d.testCoverage.rootFallback ? " (from project root)" : ""}`, covPct, 100, covC, `<b>${covPct}%</b>`)
-        : "";
+    const covRing = d.testCoverage.testFiles > 0 ? (() => {
+        const r = 28, circ = 2 * Math.PI * r;
+        const dash = (covPct / 100) * circ;
+        return `<div class="cov-ring-wrap">
+      <svg width="72" height="72" viewBox="0 0 72 72">
+        <circle cx="36" cy="36" r="${r}" fill="none" stroke="currentColor" stroke-width="7" opacity=".12"/>
+        <circle cx="36" cy="36" r="${r}" fill="none" stroke="${covC}" stroke-width="7"
+          stroke-dasharray="${dash.toFixed(1)} ${circ.toFixed(1)}"
+          stroke-linecap="round" transform="rotate(-90 36 36)"/>
+        <text x="36" y="40" text-anchor="middle" font-size="14" font-weight="700" fill="${covC}" font-family="system-ui,sans-serif">${covPct}%</text>
+      </svg>
+    </div>`;
+    })() : "";
+    const covSummary = d.testCoverage.testFiles > 0
+        ? `<div class="cov-summary">
+        ${covRing}
+        <div class="cov-text">
+          <div class="cov-pct" style="color:${covC}">${covPct}% covered</div>
+          <div class="cov-detail">${d.testCoverage.testedSources}/${d.testCoverage.sourceFiles} source files tested &middot; ${d.testCoverage.testFiles} test file(s)${d.testCoverage.rootFallback ? " (from project root)" : ""}</div>
+        </div>
+      </div>` : "";
     const covList = d.testCoverage.testFiles === 0
         ? `<div class="empty">No test files found in the scanned directory or project root.</div>`
         : d.testCoverage.untested.length === 0
             ? `<div class="ok">✓ Every source file has at least one test</div>`
-            : d.testCoverage.untested.map((u) => `<div class="li"><span class="mono">${esc(u.file)}</span><span class="dim">${u.symbols} symbol(s)</span><span class="pill">Ca ${u.afferent}</span></div>`).join("")
-                + (d.testCoverage.untestedCount > d.testCoverage.untested.length ? `<div class="more">+${d.testCoverage.untestedCount - d.testCoverage.untested.length} more…</div>` : "");
+            : `<div class="untested-header">Untested files (by risk)</div>`
+                + d.testCoverage.untested.map((u) => `<div class="li"><span class="mono">${esc(u.file)}</span><span class="dim">${u.symbols} symbol(s)</span><span class="pill">Ca ${u.afferent}</span></div>`).join("")
+                + (d.testCoverage.untestedCount > d.testCoverage.untested.length
+                    ? `<div class="more">+${d.testCoverage.untestedCount - d.testCoverage.untested.length} more untested…</div>` : "");
     const sdp = d.layerViolations.count
-        ? d.layerViolations.items.map((v) => `<div class="li"><span class="mono">${esc(v.from)}</span><span class="dim">→ ${esc(v.to)}</span><span class="pill" style="color:${instColor(0.9)}">+${v.severity.toFixed(2)}</span></div>`).join("")
-            + (d.layerViolations.count > d.layerViolations.items.length ? `<div class="more">+${d.layerViolations.count - d.layerViolations.items.length} more…</div>` : "")
+        ? d.layerViolations.items.map((v) => `<div class="li">
+        <span class="mono">${esc(v.from)}</span>
+        <span class="dim">→ ${esc(v.to)}</span>
+        <span class="pill pill-err">+${v.severity.toFixed(2)}</span>
+      </div>`).join("")
+            + (d.layerViolations.count > d.layerViolations.items.length
+                ? `<div class="more">+${d.layerViolations.count - d.layerViolations.items.length} more…</div>` : "")
         : `<div class="ok">✓ No stability inversions (SDP)</div>`;
-    return `<!doctype html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>${esc(d.project)} — code health</title><style>
-:root{--bg:#fafaf8;--card:#fff;--bd:#e7e5df;--tx:#2b2b28;--dim:#8a8880;--soft:#f1efe9}
-@media(prefers-color-scheme:dark){:root{--bg:#161613;--card:#1e1e1b;--bd:#33332e;--tx:#e6e4dd;--dim:#9a988f;--soft:#26261f}}
-*{box-sizing:border-box}body{margin:0;background:var(--bg);color:var(--tx);font-family:system-ui,-apple-system,sans-serif;line-height:1.5}
-.wrap{max-width:980px;margin:0 auto;padding:32px 24px 60px}
-.hero{display:flex;align-items:center;gap:24px;margin-bottom:28px}
-.badge{width:104px;height:104px;border-radius:24px;display:flex;flex-direction:column;align-items:center;justify-content:center;color:#fff;flex:0 0 auto}
-.badge .g{font-size:46px;font-weight:700;line-height:1}.badge .s{font-size:12px;opacity:.9}
-.h1{font-size:26px;font-weight:650;margin:0}.sub{color:var(--dim);font-size:13px;margin-top:4px}
-.grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(110px,1fr));gap:12px;margin-bottom:30px}
-.stat{background:var(--card);border:1px solid var(--bd);border-radius:14px;padding:14px 16px}
-.sv{font-size:24px;font-weight:650}.sl{font-size:12px;color:var(--dim);margin-top:2px}
-.card{background:var(--card);border:1px solid var(--bd);border-radius:16px;padding:18px 20px;margin-bottom:18px}
-.card h2{font-size:14px;font-weight:600;margin:0 0 14px;letter-spacing:.02em;text-transform:uppercase;color:var(--dim)}
-.row{display:flex;align-items:center;gap:12px;margin:7px 0;font-size:13px}
-.rl{flex:0 0 46%;white-space:nowrap;overflow:hidden;text-overflow:ellipsis}
-.track{flex:1;height:8px;background:var(--soft);border-radius:5px;overflow:hidden}.fill{height:100%;border-radius:5px}
-.rr{flex:0 0 auto;color:var(--dim);min-width:32px;text-align:right}
-.li{display:flex;align-items:center;gap:10px;padding:5px 0;font-size:13px;border-top:1px solid var(--bd)}.li:first-child{border-top:none}
-.mono{font-family:ui-monospace,monospace;font-weight:550}.dim{color:var(--dim);font-size:12px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
-.pill{margin-left:auto;background:var(--soft);border-radius:20px;padding:2px 10px;font-size:11px;color:var(--dim);flex:0 0 auto}
-.kbadge{font-size:11px;color:var(--dim);background:var(--soft);border-radius:5px;padding:1px 7px;flex:0 0 auto}
-.ok{color:#1d9e75;font-size:13px}.empty{color:var(--dim);font-size:13px}.more{color:var(--dim);font-size:12px;padding-top:6px}
-.two{display:grid;grid-template-columns:1fr 1fr;gap:18px}@media(max-width:720px){.two{grid-template-columns:1fr}.rl{flex-basis:42%}}
-.foot{color:var(--dim);font-size:11px;text-align:center;margin-top:24px}
-</style></head><body><div class="wrap">
-<div class="hero">
-  <div class="badge" style="background:${gc}"><div class="g">${d.grade}</div><div class="s">${d.score}/100</div></div>
-  <div><h1 class="h1">${esc(d.project)} — code health</h1>
-  <div class="sub">${d.fileCount} files · ${d.symbolCount} symbols · ${d.languages.length} language(s) · ${esc(d.generatedAt.slice(0, 10))}</div></div>
-</div>
-<div class="grid">
-  ${statCard("Files", d.fileCount)}
-  ${statCard("Symbols", d.symbolCount)}
-  ${statCard("Import edges", d.edgeCount)}
-  ${statCard("Avg complexity", d.complexity.average)}
-  ${statCard("Max complexity", d.complexity.max, ratingColor(d.complexity.max > 20 ? "very-high" : d.complexity.max > 10 ? "high" : "low"))}
-  ${statCard("Dead exports", d.dead.count, d.dead.count ? "#d85a30" : "#1d9e75")}
-  ${statCard("Cycles", d.cycles.count, d.cycles.count ? "#e24b4a" : "#1d9e75")}
-  ${statCard("SDP violations", d.layerViolations.count, d.layerViolations.count ? "#d85a30" : "#1d9e75")}
-  ${statCard("Test coverage", covPct + "%", covC)}
-</div>
-<div class="card"><h2>Language breakdown</h2>${langs}</div>
-<div class="card"><h2>Complexity hotspots</h2>${hotspots}</div>
-<div class="two">
-  <div class="card"><h2>God nodes (most imported)</h2>${god}</div>
-  <div class="card"><h2>Circular dependencies</h2>${cycles}</div>
-</div>
-<div class="two">
-  <div class="card"><h2>Module coupling (instability)</h2>${modules}</div>
-  <div class="card"><h2>Layer violations (stable → volatile)</h2>${sdp}</div>
-</div>
-<div class="card"><h2>Test coverage (untested by risk)</h2>${covHead}${covList}</div>
-<div class="card"><h2>Dead exports (high confidence)</h2>${dead}</div>
-<div class="foot">Generated by AST-MCP · universal-ast-mapper</div>
-</div></body></html>`;
+    const issues = [
+        d.cycles.count > 0 ? `<div class="issue-row issue-err">🔴 ${d.cycles.count} circular ${d.cycles.count === 1 ? "dependency" : "dependencies"} detected</div>` : "",
+        d.dead.count > 5 ? `<div class="issue-row issue-warn">🟠 ${d.dead.count} dead exports (potential dead code)</div>` : "",
+        d.complexity.max > 20 ? `<div class="issue-row issue-warn">🟠 Max complexity ${d.complexity.max} — consider refactoring</div>` : "",
+        d.testCoverage.testFiles === 0 ? `<div class="issue-row issue-warn">🟡 No test files found</div>` :
+            covPct < 40 ? `<div class="issue-row issue-warn">🟡 Low test coverage (${covPct}%)</div>` : "",
+        d.layerViolations.count > 5 ? `<div class="issue-row issue-info">🔵 ${d.layerViolations.count} layer violations (SDP)</div>` : "",
+    ].filter(Boolean).join("");
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${esc(d.project)} — Code Health</title>
+<style>
+:root{
+  --bg:#f6f8fa;--card:#fff;--bd:#e2e8f0;--tx:#0f172a;--dim:#64748b;
+  --soft:#f1f5f9;--accent:#6366f1;
+  --shadow:0 1px 3px rgba(0,0,0,.06),0 1px 2px rgba(0,0,0,.04);
+}
+@media(prefers-color-scheme:dark){
+  :root{--bg:#0d1117;--card:#161b22;--bd:#21262d;--tx:#e6edf3;--dim:#7d8590;--soft:#1c2128;}
+}
+*{box-sizing:border-box;margin:0;padding:0;}
+body{background:var(--bg);color:var(--tx);font-family:system-ui,-apple-system,"Segoe UI",sans-serif;line-height:1.5;font-size:13px;}
+.wrap{max-width:1000px;margin:0 auto;padding:28px 20px 60px;}
+
+/* ── Topbar ── */
+.topbar{background:var(--card);border-bottom:1px solid var(--bd);padding:0 20px;height:50px;display:flex;align-items:center;gap:10px;position:sticky;top:0;z-index:10;box-shadow:var(--shadow);}
+.topbar-title{font-weight:700;font-size:13px;color:var(--accent);}
+.topbar-sep{width:1px;height:18px;background:var(--bd);}
+.topbar-meta{font-size:12px;color:var(--dim);flex:1;}
+.topbar-grade{font-weight:700;font-size:13px;padding:3px 10px;border-radius:999px;}
+.btn{font:12px system-ui,sans-serif;cursor:pointer;border:1px solid var(--bd);background:transparent;color:inherit;border-radius:7px;padding:4px 11px;transition:background .12s;}
+.btn:hover{background:var(--soft);}
+
+/* ── Hero ── */
+.hero{display:flex;align-items:center;gap:20px;margin:24px 0 22px;background:var(--card);border:1px solid var(--bd);border-radius:16px;padding:20px 24px;box-shadow:var(--shadow);}
+.hero-right{flex:1;min-width:0;}
+.score-ring-wrap svg{display:block;}
+.h1{font-size:22px;font-weight:700;margin-bottom:4px;}
+.sub{color:var(--dim);font-size:12px;}
+.issues{margin-top:12px;display:flex;flex-direction:column;gap:4px;}
+.issue-row{font-size:12px;padding:5px 10px;border-radius:8px;}
+.issue-err{background:#fee2e2;color:#991b1b;}
+.issue-warn{background:#fef9c3;color:#854d0e;}
+.issue-info{background:#dbeafe;color:#1e40af;}
+@media(prefers-color-scheme:dark){
+  .issue-err{background:#450a0a;color:#fca5a5;}
+  .issue-warn{background:#422006;color:#fde68a;}
+  .issue-info{background:#0c1e40;color:#93c5fd;}
+}
+
+/* ── Stat grid ── */
+.grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(100px,1fr));gap:10px;margin-bottom:20px;}
+.stat{background:var(--card);border:1px solid var(--bd);border-radius:12px;padding:13px 15px;box-shadow:var(--shadow);transition:transform .12s,box-shadow .12s;}
+.stat:hover{transform:translateY(-1px);box-shadow:0 4px 12px rgba(0,0,0,.1);}
+.sv{font-size:22px;font-weight:700;line-height:1.2;}
+.sl{font-size:11px;color:var(--dim);margin-top:3px;}
+.sl-sub{font-size:10px;color:var(--dim);margin-top:2px;opacity:.7;}
+
+/* ── Cards ── */
+.card{background:var(--card);border:1px solid var(--bd);border-radius:14px;margin-bottom:14px;box-shadow:var(--shadow);overflow:hidden;}
+.card-header{display:flex;align-items:center;gap:8px;padding:14px 18px;cursor:pointer;user-select:none;transition:background .1s;}
+.card-header:hover{background:var(--soft);}
+.card-icon{font-size:15px;flex-shrink:0;}
+.card-header h2{font-size:13px;font-weight:600;letter-spacing:.02em;text-transform:uppercase;color:var(--dim);flex:1;margin:0;}
+.card-arrow{color:var(--dim);font-size:12px;transition:transform .15s;}
+.card-body{padding:6px 18px 16px;border-top:1px solid var(--bd);}
+
+/* ── Bars ── */
+.row{display:flex;align-items:center;gap:10px;margin:7px 0;font-size:12px;}
+.rl{flex:0 0 42%;white-space:nowrap;overflow:hidden;text-overflow:ellipsis;color:var(--tx);}
+.track{flex:1;height:7px;background:var(--soft);border-radius:4px;overflow:hidden;}
+.fill{height:100%;border-radius:4px;transition:width .5s ease;}
+.rr{flex:0 0 auto;color:var(--dim);min-width:40px;text-align:right;font-size:11px;}
+
+/* ── List items ── */
+.li{display:flex;align-items:center;gap:8px;padding:6px 0;font-size:12px;border-top:1px solid var(--bd);}
+.li:first-child{border-top:none;}
+.mono{font-family:ui-monospace,monospace;font-weight:600;font-size:11px;}
+.dim{color:var(--dim);font-size:11px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;}
+.pill{margin-left:auto;background:var(--soft);border-radius:20px;padding:2px 9px;font-size:10px;color:var(--dim);flex-shrink:0;white-space:nowrap;}
+.pill-warn{background:#fef9c3;color:#854d0e;}
+.pill-err{background:#fee2e2;color:#991b1b;}
+@media(prefers-color-scheme:dark){.pill-warn{background:#422006;color:#fde68a;}.pill-err{background:#450a0a;color:#fca5a5;}}
+.kbadge{font-size:10px;color:var(--dim);background:var(--soft);border-radius:5px;padding:1px 6px;flex-shrink:0;}
+.ok{color:#16a34a;font-size:12px;padding:4px 0;}
+.empty{color:var(--dim);font-size:12px;padding:4px 0;}
+.more{color:var(--dim);font-size:11px;padding-top:4px;}
+.tag{font-size:10px;background:var(--soft);border-radius:5px;padding:1px 6px;color:var(--dim);}
+
+/* ── Two col ── */
+.two{display:grid;grid-template-columns:1fr 1fr;gap:14px;}
+@media(max-width:740px){.two{grid-template-columns:1fr;}.rl{flex-basis:38%;}}
+
+/* ── Coverage ── */
+.cov-summary{display:flex;align-items:center;gap:14px;margin-bottom:12px;padding-bottom:10px;border-bottom:1px solid var(--bd);}
+.cov-ring-wrap svg{display:block;}
+.cov-pct{font-size:18px;font-weight:700;}
+.cov-detail{font-size:11px;color:var(--dim);margin-top:3px;}
+.untested-header{font-size:11px;font-weight:600;text-transform:uppercase;letter-spacing:.04em;color:var(--dim);margin-bottom:4px;}
+
+/* ── Cycles ── */
+.cycle-li{align-items:flex-start;}
+.cycle-arrow{color:#e24b4a;font-size:16px;flex-shrink:0;line-height:1.4;}
+.cycle-chain{font-size:11px;word-break:break-all;flex:1;}
+
+.delta{font-size:13px;font-weight:600;padding:3px 10px;border-radius:999px;margin-left:8px;}
+.delta.up{background:#dcfce7;color:#16a34a;}.delta.dn{background:#fee2e2;color:#dc2626;}.delta.neu{background:var(--soft);color:var(--dim);}
+@media(prefers-color-scheme:dark){.delta.up{background:#14532d;color:#4ade80;}.delta.dn{background:#7f1d1d;color:#f87171;}}
+.sparkline{display:flex;align-items:flex-end;gap:2px;height:28px;margin-top:8px;}
+.spark-bar{width:8px;border-radius:2px 2px 0 0;min-height:2px;transition:opacity .2s;}
+.spark-bar:hover{opacity:.75;}
+
+/* ── Footer ── */
+.foot{color:var(--dim);font-size:11px;text-align:center;margin-top:20px;padding-top:14px;border-top:1px solid var(--bd);}
+.foot a{color:var(--dim);}
+</style>
+</head>
+<body>
+<div class="topbar">
+  <span class="topbar-title">AST Map</span>
+  <div class="topbar-sep"></div>
+  <span class="topbar-meta">${esc(d.project)} · Code Health Report · ${esc(d.generatedAt.slice(0, 10))}</span>
+  <span class="topbar-grade" style="background:${gc}22;color:${gc};border:1px solid ${gc}44">${d.grade} · ${d.score}/100</span>
+  <button class="btn" onclick="window.print()">Print</button>
+</div>
+<div class="wrap">
+<div class="hero">
+  ${scoreRing(d.score, d.grade)}
+  <div class="hero-right">
+    <h1 class="h1">${esc(d.project)}</h1>
+    <div class="sub">${d.fileCount} files · ${d.symbolCount} symbols · ${d.languages.length} language(s) · generated ${esc(d.generatedAt.slice(0, 10))}${deltaBadge}</div>
+    ${issues ? `<div class="issues">${issues}</div>` : `<div class="issues"><div class="issue-row issue-info">✅ No critical issues detected</div></div>`}
+    ${history.length > 1 ? (() => {
+        const max = Math.max(...history.map(h => h.score), 1);
+        const bars = history.map(h => {
+            const pct = Math.round((h.score / max) * 100);
+            const gc2 = GRADE_COLOR[h.grade] ?? "#888";
+            return `<div class="spark-bar" style="height:${pct}%;background:${gc2}" title="${h.date.slice(0, 10)}: ${h.score}/100 (${h.grade})"></div>`;
+        }).join("");
+        return `<div class="sparkline" title="Score history (last ${history.length} runs)">${bars}</div>`;
+    })() : ""}
+  </div>
+</div>
+
+<div class="grid">
+  ${statCard("Files", d.fileCount)}
+  ${statCard("Symbols", d.symbolCount)}
+  ${statCard("Import edges", d.edgeCount)}
+  ${statCard("Avg complexity", d.complexity.average)}
+  ${statCard("Max complexity", d.complexity.max, ratingColor(d.complexity.max > 20 ? "very-high" : d.complexity.max > 10 ? "high" : "low"))}
+  ${statCard("Dead exports", d.dead.count, d.dead.count > 5 ? "#d85a30" : d.dead.count > 0 ? "#ba7517" : "#1d9e75")}
+  ${statCard("Cycles", d.cycles.count, d.cycles.count ? "#e24b4a" : "#1d9e75")}
+  ${statCard("SDP violations", d.layerViolations.count, d.layerViolations.count > 5 ? "#d85a30" : d.layerViolations.count > 0 ? "#ba7517" : "#1d9e75")}
+  ${statCard("Test coverage", covPct + "%", covC)}
+</div>
+
+${collapsibleCard("langs", "Language breakdown", langs || `<div class="empty">No data.</div>`, "🌐")}
+${collapsibleCard("cx", "Complexity hotspots", hotspots, "🔥")}
+
+<div class="two">
+  ${collapsibleCard("god", "God nodes (most imported)", god, "👑")}
+  ${collapsibleCard("cycles", "Circular dependencies", cycles, "🔄")}
+</div>
+
+<div class="two">
+  ${collapsibleCard("modules", "Module coupling (instability)", modules, "📦")}
+  ${collapsibleCard("sdp", "Layer violations (SDP)", sdp, "🏗️")}
+</div>
+
+${collapsibleCard("cov", "Test coverage", covSummary + covList, "🧪")}
+${collapsibleCard("dead", "Dead exports (high confidence)", dead, "💀", false)}
+
+<div class="foot">Generated by <strong>AST-MCP</strong> · universal-ast-mapper · <a href="https://github.com/6ixthxense/ast-mcp">github</a></div>
+</div>
+<script>
+function toggleCard(id){
+  const body=document.getElementById('body-'+id);
+  const arr=document.getElementById('arr-'+id);
+  if(!body||!arr)return;
+  const open=body.style.display!=='none';
+  body.style.display=open?'none':'';
+  arr.textContent=open?'▸':'▾';
+}
+</script>
+</body>
+</html>`;
 }

package/dist/security.js

@@ -0,0 +1,178 @@
+// ─── Static security scanner ──────────────────────────────────────────────────
+// Line-by-line regex scanning — no AST needed. Finds dangerous patterns
+// in source code across JavaScript, TypeScript, Python, etc.
+// ─── Rule definitions ─────────────────────────────────────────────────────────
+export const SECURITY_RULES = [
+    {
+        id: "eval",
+        severity: "critical",
+        message: "Use of eval() allows arbitrary code execution",
+        // matches eval( but not eval.toString( or eval.call(
+        pattern: /\beval\s*\(/,
+        exclude: /\beval\s*\.\s*\w+/,
+    },
+    {
+        id: "inner-html",
+        severity: "high",
+        message: "Direct assignment to innerHTML can lead to XSS",
+        // .innerHTML = but not .innerHTML +=
+        pattern: /\.innerHTML\s*=[^=+]/,
+    },
+    {
+        id: "document-write",
+        severity: "high",
+        message: "document.write() can overwrite the page and lead to XSS",
+        pattern: /\bdocument\s*\.\s*write\s*\(/,
+    },
+    {
+        id: "dangerously-set-inner-html",
+        severity: "high",
+        message: "dangerouslySetInnerHTML bypasses React's XSS protection",
+        pattern: /dangerouslySetInnerHTML/,
+    },
+    {
+        id: "child-process",
+        severity: "medium",
+        message: "Use of child_process module can lead to command injection if inputs are not sanitized",
+        pattern: /require\s*\(\s*['"]child_process['"]\s*\)|import\s+.*\bchild_process\b/,
+    },
+    {
+        id: "shell-exec",
+        severity: "high",
+        message: "exec/execSync with a non-literal argument is vulnerable to command injection",
+        // Only flag when the argument looks like a variable/template (contains $ or an identifier before ))
+        pattern: /\b(?:exec|execSync)\s*\(\s*(?:[`$]|\w+\s*[+,)])/,
+    },
+    {
+        id: "weak-crypto",
+        severity: "medium",
+        message: "MD5 and SHA-1 are cryptographically weak and should not be used for security purposes",
+        pattern: /createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i,
+    },
+    {
+        id: "hardcoded-secret",
+        severity: "high",
+        message: "Hardcoded secret/credential detected",
+        // variable named password/secret/api_key/apiKey/token/passwd assigned a string literal of 8+ chars
+        pattern: /(?:password|secret|api_key|apiKey|token|passwd)\s*[=:]\s*['"][^'"]{8,}['"]/i,
+        // filter out common placeholders
+        exclude: /(?:your[-_]?key|xxx+|changeme|placeholder|example|test|dummy|sample|fake|mock|<|>|\*)/i,
+    },
+    {
+        id: "sql-injection",
+        severity: "high",
+        message: "SQL query built with string concatenation may be vulnerable to injection",
+        // query( or execute( followed by string concatenation on same line or a nearby + sign
+        pattern: /\b(?:query|execute)\s*\(\s*[`"']?[^)]*\+/,
+    },
+    {
+        id: "http-url",
+        severity: "low",
+        message: "Hardcoded HTTP (non-HTTPS) URL detected",
+        pattern: /['"`]http:\/\/(?!(?:localhost|127\.0\.0\.1|0\.0\.0\.0|example\.com|schema\.org))/,
+    },
+    {
+        id: "no-rate-limit",
+        severity: "medium",
+        message: "Express route handler without apparent rate limiting",
+        // Express route .get( or .post( etc.
+        pattern: /\.\s*(?:get|post|put|patch|delete|all)\s*\(\s*['"`]/,
+        // only applies to JS/TS files
+        fileFilter: /\.[jt]sx?$/,
+    },
+    {
+        id: "prototype-pollution",
+        severity: "high",
+        message: "Potential prototype pollution via __proto__, constructor.prototype, or unsafe Object.assign",
+        pattern: /(?:__proto__|constructor\s*\.\s*prototype|Object\.assign\s*\(\s*\{\s*\}[^)]*(?:req|params|body|input|data|user))/,
+    },
+];
+// ─── Comment-line detection ───────────────────────────────────────────────────
+/**
+ * Returns true when the (trimmed) line is a comment and should be skipped
+ * for most security rules. Covers //, #, * (JSDoc / block comment lines).
+ */
+function isCommentLine(trimmed) {
+    return (trimmed.startsWith("//") ||
+        trimmed.startsWith("#") ||
+        trimmed.startsWith("*") ||
+        trimmed.startsWith("/*"));
+}
+// Rules that should also scan comment lines (none by default — keep list empty
+// but the structure allows future exceptions).
+const SCAN_COMMENTS_FOR = new Set([]);
+// ─── Core scanner ─────────────────────────────────────────────────────────────
+/**
+ * Scan a single file's source text for security issues.
+ *
+ * @param source   - Full file contents.
+ * @param relPath  - Relative file path (used for fileFilter matching and issue reporting).
+ * @param rules    - Rule set to apply (defaults to SECURITY_RULES).
+ */
+export function scanFileForSecurityIssues(source, relPath, rules = SECURITY_RULES) {
+    const issues = [];
+    const lines = source.split("\n");
+    // Pre-filter rules by fileFilter so we don't re-test every line.
+    const applicableRules = rules.filter((r) => r.fileFilter === undefined || r.fileFilter.test(relPath));
+    // Build a lookup of line indices that need rate-limit context checks.
+    // (We collect matches first, then do the window search in one pass.)
+    const rateLimitMatches = [];
+    for (let i = 0; i < lines.length; i++) {
+        const raw = lines[i];
+        const trimmed = raw.trim();
+        const lineNo = i + 1; // 1-based
+        for (const rule of applicableRules) {
+            // Skip comment lines unless the rule explicitly needs them.
+            if (isCommentLine(trimmed) && !SCAN_COMMENTS_FOR.has(rule.id))
+                continue;
+            if (!rule.pattern.test(raw))
+                continue;
+            if (rule.exclude && rule.exclude.test(raw))
+                continue;
+            // Special handling for no-rate-limit: defer until we have all line indices.
+            if (rule.id === "no-rate-limit") {
+                rateLimitMatches.push(i);
+                continue;
+            }
+            issues.push({
+                file: relPath,
+                rule: rule.id,
+                severity: rule.severity,
+                message: rule.message,
+                line: lineNo,
+                snippet: trimmed.slice(0, 120),
+            });
+        }
+    }
+    // ── no-rate-limit: window check ──────────────────────────────────────────
+    // For each matched route line, look 5 lines before and 5 lines after for
+    // rate-limit keywords. Only emit an issue when none are found nearby.
+    const rateLimitRule = applicableRules.find((r) => r.id === "no-rate-limit");
+    if (rateLimitRule && rateLimitMatches.length > 0) {
+        const WINDOW = 5;
+        const rateLimitKeyword = /rateLimit|throttle|limiter/i;
+        for (const idx of rateLimitMatches) {
+            const windowStart = Math.max(0, idx - WINDOW);
+            const windowEnd = Math.min(lines.length - 1, idx + WINDOW);
+            let hasRateLimit = false;
+            for (let w = windowStart; w <= windowEnd; w++) {
+                if (rateLimitKeyword.test(lines[w])) {
+                    hasRateLimit = true;
+                    break;
+                }
+            }
+            if (!hasRateLimit) {
+                const trimmed = lines[idx].trim();
+                issues.push({
+                    file: relPath,
+                    rule: "no-rate-limit",
+                    severity: rateLimitRule.severity,
+                    message: rateLimitRule.message,
+                    line: idx + 1,
+                    snippet: trimmed.slice(0, 120),
+                });
+            }
+        }
+    }
+    return issues;
+}