verimu 0.0.17 → 0.0.19

package/dist/index.cjs

@@ -13057,9 +13057,9 @@ var require_traverse = __commonJS({
     Object.defineProperty(exports2, "__esModule", {
       value: true
     });
-    exports2.default = traverse2;
+    exports2.default = traverse;
     var _index = require_definitions();
-    function traverse2(node, handlers, state) {
+    function traverse(node, handlers, state) {
       if (typeof handlers === "function") {
         handlers = {
           enter: handlers
@@ -14374,8 +14374,8 @@ function sanitizeTagId(value) {
 }
 
 // src/scan.ts
-var import_promises15 = require("fs/promises");
-var import_path16 = require("path");
+var import_promises16 = require("fs/promises");
+var import_path17 = require("path");
 
 // src/scanners/npm/npm-scanner.ts
 var import_promises = require("fs/promises");
@@ -16997,6 +16997,15 @@ var ConsoleReporter = class {
       lines.push(
         `    Findings: direct_evidence=${directEvidence}, indirect_no_evidence=${indirectNoEvidence}, unsupported=${unsupported}, analysis_error=${analysisErrors}`
       );
+      if (result.usageContext.ecosystemStatus.length > 0) {
+        lines.push("    Analyzer status:");
+        for (const status of result.usageContext.ecosystemStatus) {
+          const note = status.note ? ` (${status.note})` : "";
+          lines.push(
+            `      ${status.ecosystem}: ${status.status} via ${status.analyzer}${note}`
+          );
+        }
+      }
       if (result.usageContext.artifactPath) {
         lines.push(`    Artifact: ${result.usageContext.artifactPath}`);
       }
@@ -17278,6 +17287,24 @@ var JsAstAnalyzer = class {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
+    const traverseFn = resolveTraverseFunction(import_traverse.default);
+    if (!traverseFn) {
+      return {
+        packages: context.packages.map((pkg) => ({
+          packageName: pkg.packageName,
+          ecosystem: pkg.ecosystem,
+          status: "analysis_error",
+          snippets: [],
+          notes: "Failed to resolve @babel/traverse runtime export"
+        })),
+        errors: [{
+          analyzer: this.name,
+          ecosystem: context.ecosystem,
+          error: "Failed to resolve @babel/traverse runtime export"
+        }],
+        snippetsProduced: 0
+      };
+    }
     const packageMap = this.buildPackageMaps(context.packages);
     const resultMap = /* @__PURE__ */ new Map();
     const snippetKeyMap = /* @__PURE__ */ new Map();
@@ -17341,13 +17368,13 @@ var JsAstAnalyzer = class {
       const matchCandidates = [];
       const matchSeen = /* @__PURE__ */ new Set();
       const symbolToPackage = /* @__PURE__ */ new Map();
-      const addMatch = (packageKey2, line, matchKind, calledSymbol, confidence = 0.8) => {
-        const candidateKey = `${packageKey2}:${line}:${matchKind}:${calledSymbol ?? ""}`;
+      const addMatch = (packageKey3, line, matchKind, calledSymbol, confidence = 0.8) => {
+        const candidateKey = `${packageKey3}:${line}:${matchKind}:${calledSymbol ?? ""}`;
         if (matchSeen.has(candidateKey)) return;
         matchSeen.add(candidateKey);
-        matchCandidates.push({ packageKey: packageKey2, line, matchKind, calledSymbol, confidence });
+        matchCandidates.push({ packageKey: packageKey3, line, matchKind, calledSymbol, confidence });
       };
-      (0, import_traverse.default)(ast, {
+      traverseFn(ast, {
         ImportDeclaration: (path14) => {
           const source = path14.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
@@ -17469,6 +17496,18 @@ var JsAstAnalyzer = class {
     return `${ecosystem}::${packageName}`;
   }
 };
+function resolveTraverseFunction(moduleValue) {
+  if (typeof moduleValue === "function") {
+    return moduleValue;
+  }
+  if (typeof moduleValue === "object" && moduleValue !== null && "default" in moduleValue) {
+    const candidate = moduleValue.default;
+    if (typeof candidate === "function") {
+      return candidate;
+    }
+  }
+  return null;
+}
 async function collectSourceFiles(rootPath) {
   const files = [];
   async function walk(dirPath) {
@@ -17564,9 +17603,9 @@ function collectIdentifiers(pattern) {
 function resolveCallMatch(callee, symbolToPackage) {
   const normalized = unwrapExpression(callee);
   if ((0, import_types.isIdentifier)(normalized)) {
-    const packageKey2 = symbolToPackage.get(normalized.name);
-    if (!packageKey2) return null;
-    return { packageKey: packageKey2, calledSymbol: normalized.name };
+    const packageKey3 = symbolToPackage.get(normalized.name);
+    if (!packageKey3) return null;
+    return { packageKey: packageKey3, calledSymbol: normalized.name };
   }
   if ((0, import_types.isMemberExpression)(normalized) || (0, import_types.isOptionalMemberExpression)(normalized)) {
     return resolveMemberCallMatch(normalized, symbolToPackage);
@@ -17583,13 +17622,13 @@ function unwrapExpression(expression) {
 function resolveMemberCallMatch(memberExpression, symbolToPackage) {
   const objectExpr = unwrapExpression(memberExpression.object);
   if (!(0, import_types.isIdentifier)(objectExpr)) return null;
-  const packageKey2 = symbolToPackage.get(objectExpr.name);
-  if (!packageKey2) return null;
+  const packageKey3 = symbolToPackage.get(objectExpr.name);
+  if (!packageKey3) return null;
   const propertyName = propertyNameOf(memberExpression);
   if (!propertyName) {
-    return { packageKey: packageKey2, calledSymbol: objectExpr.name };
+    return { packageKey: packageKey3, calledSymbol: objectExpr.name };
   }
-  return { packageKey: packageKey2, calledSymbol: `${objectExpr.name}.${propertyName}` };
+  return { packageKey: packageKey3, calledSymbol: `${objectExpr.name}.${propertyName}` };
 }
 function propertyNameOf(memberExpression) {
   if (memberExpression.computed) {
@@ -17606,34 +17645,1021 @@ function propertyNameOf(memberExpression) {
   return null;
 }
 
-// src/context/analyzers/unsupported-analyzer.ts
-var UnsupportedAnalyzer = class {
-  name;
-  ecosystems;
-  note;
-  constructor(name, ecosystems, note) {
-    this.name = name;
-    this.ecosystems = new Set(ecosystems);
-    this.note = note;
+// src/context/analyzers/shared.ts
+var import_promises15 = require("fs/promises");
+var import_path16 = require("path");
+var DEFAULT_IGNORED_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "node_modules",
+  "dist",
+  "build",
+  "coverage",
+  ".next",
+  ".nuxt",
+  ".turbo",
+  "vendor",
+  ".venv",
+  "venv",
+  "target",
+  "bin",
+  "obj"
+]);
+function packageKey(ecosystem, packageName) {
+  return `${ecosystem}::${packageName}`;
+}
+function initState(packages) {
+  const resultMap = /* @__PURE__ */ new Map();
+  const snippetKeyMap = /* @__PURE__ */ new Map();
+  for (const pkg of packages) {
+    const key = packageKey(pkg.ecosystem, pkg.packageName);
+    resultMap.set(key, {
+      packageName: pkg.packageName,
+      ecosystem: pkg.ecosystem,
+      status: "indirect_no_evidence",
+      snippets: []
+    });
+    snippetKeyMap.set(key, /* @__PURE__ */ new Set());
+  }
+  return {
+    resultMap,
+    snippetKeyMap,
+    errors: [],
+    snippetsProduced: 0
+  };
+}
+function errorResultFromMessage(context, analyzerName, message, notes) {
+  return {
+    packages: context.packages.map((pkg) => ({
+      packageName: pkg.packageName,
+      ecosystem: pkg.ecosystem,
+      status: "analysis_error",
+      snippets: [],
+      notes
+    })),
+    errors: [{ analyzer: analyzerName, ecosystem: context.ecosystem, error: message }],
+    snippetsProduced: 0
+  };
+}
+function toAnalyzerResult(state) {
+  for (const result of state.resultMap.values()) {
+    result.snippets = dedupeSnippets(result.snippets);
+    if (result.snippets.length > 0) {
+      result.status = "direct_evidence";
+    }
+  }
+  return {
+    packages: Array.from(state.resultMap.values()),
+    errors: state.errors,
+    snippetsProduced: state.snippetsProduced
+  };
+}
+async function collectSourceFiles2(rootPath, extensions, ignoredDirs = DEFAULT_IGNORED_DIRS) {
+  const files = [];
+  async function walk(dirPath) {
+    const entries = await (0, import_promises15.readdir)(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = (0, import_path16.join)(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        if (ignoredDirs.has(entry.name)) continue;
+        await walk(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      if (!extensions.has(extensionOf2(entry.name))) continue;
+      files.push(fullPath);
+    }
   }
+  await walk(rootPath);
+  return files;
+}
+async function readSourceFile(analyzerName, ecosystem, filePath, errors) {
+  try {
+    return await (0, import_promises15.readFile)(filePath, "utf-8");
+  } catch (err) {
+    errors.push({
+      analyzer: analyzerName,
+      ecosystem,
+      error: `Failed to read ${filePath}: ${err instanceof Error ? err.message : String(err)}`
+    });
+    return null;
+  }
+}
+function addCandidate(context, state, filePath, sourceText, candidate) {
+  if (state.snippetsProduced >= context.maxSnippetsTotal) return;
+  const packageResult = state.resultMap.get(candidate.packageKey);
+  if (!packageResult) return;
+  if (packageResult.snippets.length >= context.maxSnippetsPerPackage) return;
+  const snippet = buildSnippet({
+    projectPath: context.projectPath,
+    filePath,
+    sourceText,
+    line: candidate.line,
+    numContextLines: context.numContextLines,
+    matchKind: candidate.matchKind,
+    calledSymbol: candidate.calledSymbol,
+    confidence: candidate.confidence ?? 0.8
+  });
+  const dedupeKey = `${snippet.filePath}:${snippet.startLine}:${snippet.endLine}:${snippet.matchKind}:${snippet.calledSymbol ?? ""}`;
+  const packageSnippetKeys = state.snippetKeyMap.get(candidate.packageKey);
+  if (!packageSnippetKeys || packageSnippetKeys.has(dedupeKey)) return;
+  packageSnippetKeys.add(dedupeKey);
+  packageResult.snippets.push(snippet);
+  state.snippetsProduced += 1;
+}
+function extensionOf2(fileName) {
+  const index = fileName.lastIndexOf(".");
+  return index === -1 ? "" : fileName.slice(index).toLowerCase();
+}
+function basePackageName(name) {
+  const slash = name.includes("/") ? name.split("/").at(-1) ?? name : name;
+  const colon = slash.includes(":") ? slash.split(":").at(-1) ?? slash : slash;
+  return colon;
+}
+function toIdentifierToken(value) {
+  return value.replace(/[^A-Za-z0-9_]/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
+}
+function uniqueTokens(values) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const value of values) {
+    const trimmed = value.trim();
+    if (!trimmed) continue;
+    const key = trimmed.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    result.push(trimmed);
+  }
+  return result;
+}
+
+// src/context/analyzers/python-ast-analyzer.ts
+var PYTHON_EXTENSIONS = /* @__PURE__ */ new Set([".py"]);
+var PythonAstAnalyzer = class {
+  name = "python-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["pip", "poetry", "uv"]);
   supports(ecosystem) {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
-    const packages = context.packages.map((pkg) => ({
-      packageName: pkg.packageName,
-      ecosystem: pkg.ecosystem,
-      status: "unsupported",
-      snippets: [],
-      notes: this.note
-    }));
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PYTHON_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Python source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasToPackage = /* @__PURE__ */ new Map();
+      const lines = sourceText.split(/\r?\n/);
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = lines[idx];
+        const trimmed = stripInlineComment(line).trim();
+        const lineNumber = idx + 1;
+        if (!trimmed) continue;
+        const importMatch = trimmed.match(/^import\s+(.+)$/);
+        if (importMatch) {
+          const segments = importMatch[1].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const segment of segments) {
+            const parsed = segment.match(/^([A-Za-z_][A-Za-z0-9_\.]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const moduleName = parsed[1];
+            const alias = parsed[2] ?? moduleName.split(".").at(0) ?? moduleName;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        const fromMatch = trimmed.match(
+          /^from\s+([A-Za-z_][A-Za-z0-9_\.]*)\s+import\s+(.+)$/
+        );
+        if (fromMatch) {
+          const moduleName = fromMatch[1];
+          const imported = fromMatch[2].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const part of imported) {
+            const parsed = part.match(/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const name = parsed[1];
+            const alias = parsed[2] ?? name;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        for (const [alias, pkgKey] of aliasToPackage.entries()) {
+          const escapedAlias = escapeRegex(alias);
+          const directCall = new RegExp(`\\b${escapedAlias}\\s*\\(`);
+          if (directCall.test(trimmed)) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: alias,
+              confidence: 0.78
+            });
+          }
+          const memberCall = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+          const match = trimmed.match(memberCall);
+          if (match) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${match[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  addImportForModule(context, state, filePath, sourceText, packagePatterns, aliasToPackage, moduleName, alias, lineNumber) {
+    const normalizedModule = moduleName.toLowerCase();
+    for (const pkg of packagePatterns) {
+      const matched = pkg.modules.some(
+        (candidate) => normalizedModule === candidate || normalizedModule.startsWith(`${candidate}.`)
+      );
+      if (!matched) continue;
+      aliasToPackage.set(alias, pkg.key);
+      aliasToPackage.set(moduleName.split(".").at(0) ?? moduleName, pkg.key);
+      addCandidate(context, state, filePath, sourceText, {
+        packageKey: pkg.key,
+        line: lineNumber,
+        matchKind: "import",
+        confidence: 0.95
+      });
+    }
+  }
+  patternForPackage(packageName, ecosystem) {
+    const normalized = toIdentifierToken(packageName).replace(/_/g, "-");
+    const base = toIdentifierToken(basePackageName(packageName));
+    const packageModules = [
+      normalized.replace(/-/g, "_"),
+      base.replace(/-/g, "_"),
+      base.replace(/_/g, "")
+    ];
+    if (normalized === "pyyaml" || base === "pyyaml") {
+      packageModules.push("yaml");
+    }
     return {
-      packages,
-      errors: [],
-      snippetsProduced: 0
+      key: packageKey(ecosystem, packageName),
+      modules: uniqueTokens(packageModules.map((v) => v.toLowerCase()))
     };
   }
 };
+function stripInlineComment(line) {
+  const hashIndex = line.indexOf("#");
+  return hashIndex === -1 ? line : line.slice(0, hashIndex);
+}
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/java-ast-analyzer.ts
+var JAVA_EXTENSIONS = /* @__PURE__ */ new Set([".java"]);
+var JavaAstAnalyzer = class {
+  name = "java-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["maven"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, JAVA_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Java source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const importMatch = line.match(/^import\s+(?:static\s+)?([A-Za-z0-9_.*]+)\s*;/);
+        if (importMatch) {
+          const importPath = importMatch[1].replace(/\.\*$/, "");
+          const simpleName = importPath.split(".").at(-1) ?? importPath;
+          for (const pkg of packagePatterns) {
+            if (!pkg.candidates.some((candidate) => importPath.startsWith(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+            if (simpleName && /^[A-Za-z_][A-Za-z0-9_]*$/.test(simpleName)) {
+              symbolToPackage.set(simpleName, pkg.key);
+            }
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey2 = symbolToPackage.get(typeName);
+          if (pkgKey2) {
+            symbolToPackage.set(variableName, pkgKey2);
+          }
+        }
+        const callMatch = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (!callMatch) continue;
+        const lhs = callMatch[1];
+        const member = callMatch[2];
+        const pkgKey = symbolToPackage.get(lhs);
+        if (!pkgKey) continue;
+        addCandidate(context, state, filePath, sourceText, {
+          packageKey: pkgKey,
+          line: lineNumber,
+          matchKind: "call",
+          calledSymbol: `${lhs}.${member}`,
+          confidence: 0.8
+        });
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [groupIdRaw, artifactIdRaw] = packageName.split(":");
+    const groupId = (groupIdRaw ?? "").trim();
+    const artifactId = (artifactIdRaw ?? "").trim();
+    const candidates = uniqueTokens([
+      groupId,
+      groupId && artifactId ? `${groupId}.${artifactId.replace(/-/g, ".")}` : "",
+      artifactId ? artifactId.replace(/-/g, ".") : "",
+      artifactId ? toIdentifierToken(artifactId).replace(/_/g, ".") : ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      candidates
+    };
+  }
+};
+function stripLineComment(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/dotnet-ast-analyzer.ts
+var CSHARP_EXTENSIONS = /* @__PURE__ */ new Set([".cs"]);
+var DotnetAstAnalyzer = class {
+  name = "dotnet-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["nuget"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, CSHARP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate C# source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const aliasUsing = line.match(/^using\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([A-Za-z0-9_.]+)\s*;/);
+        if (aliasUsing) {
+          const alias = aliasUsing[1];
+          const targetNamespace = aliasUsing[2];
+          for (const pkg of packagePatterns) {
+            if (!pkg.namespaceCandidates.some((candidate) => targetNamespace.startsWith(candidate))) continue;
+            symbolToPackage.set(alias, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const usingMatch = line.match(/^using\s+([A-Za-z0-9_.]+)\s*;/);
+        if (usingMatch) {
+          const namespaceName = usingMatch[1];
+          const tailSymbol = namespaceName.split(".").at(-1) ?? namespaceName;
+          for (const pkg of packagePatterns) {
+            if (!pkg.namespaceCandidates.some((candidate) => namespaceName.startsWith(candidate))) continue;
+            symbolToPackage.set(tailSymbol, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_.]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1].split(".").at(-1) ?? varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey = symbolToPackage.get(typeName);
+          if (pkgKey) {
+            symbolToPackage.set(variableName, pkgKey);
+          }
+        }
+        const memberCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (memberCall) {
+          const lhs = memberCall[1];
+          const method = memberCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.79
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const dotted = packageName.replace(/-/g, ".");
+    const segments = dotted.split(".");
+    const symbolCandidates = uniqueTokens([
+      segments.at(-1) ?? "",
+      segments.at(-2) ?? "",
+      packageName.split(".").at(-1) ?? ""
+    ]);
+    const namespaceCandidates = uniqueTokens([
+      dotted,
+      segments.slice(0, -1).join("."),
+      segments.slice(0, Math.min(2, segments.length)).join(".")
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      namespaceCandidates,
+      symbolCandidates
+    };
+  }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    for (const pkg of packagePatterns) {
+      if (pkg.symbolCandidates.includes(symbol)) {
+        return pkg.key;
+      }
+    }
+    return null;
+  }
+};
+function stripLineComment2(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/rust-ast-analyzer.ts
+var RUST_EXTENSIONS = /* @__PURE__ */ new Set([".rs"]);
+var RustAstAnalyzer = class {
+  name = "rust-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["cargo"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUST_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Rust source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment3(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z_][A-Za-z0-9_:]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (useMatch) {
+          const pathExpr = useMatch[1];
+          const alias = useMatch[2] ?? pathExpr.split("::").at(0) ?? pathExpr;
+          const crate = pathExpr.split("::").at(0) ?? pathExpr;
+          for (const pkg of packagePatterns) {
+            if (!pkg.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg.key);
+            symbolToPackage.set(crate, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const externMatch = line.match(/^extern\s+crate\s+([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (externMatch) {
+          const crate = externMatch[1];
+          const alias = externMatch[2] ?? crate;
+          for (const pkg of packagePatterns) {
+            if (!pkg.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg.key);
+            symbolToPackage.set(crate, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const scopedCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (scopedCall) {
+          const lhs = scopedCall[1];
+          const func = scopedCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${func}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const methodCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (methodCall) {
+          const lhs = methodCall[1];
+          const method = methodCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const crateName = packageName.replace(/-/g, "_");
+    return {
+      key: packageKey(ecosystem, packageName),
+      crateNames: uniqueTokens([crateName, packageName])
+    };
+  }
+};
+function stripLineComment3(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/go-ast-analyzer.ts
+var GO_EXTENSIONS = /* @__PURE__ */ new Set([".go"]);
+var GoAstAnalyzer = class {
+  name = "go-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["go"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map((pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem));
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, GO_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Go source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasesByPackage = /* @__PURE__ */ new Map();
+      for (const pkg of packagePatterns) {
+        aliasesByPackage.set(pkg.key, new Set(pkg.aliases));
+      }
+      const lines = sourceText.split(/\r?\n/);
+      let inImportBlock = false;
+      for (let idx = 0; idx < lines.length; idx++) {
+        const lineNumber = idx + 1;
+        const line = lines[idx];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("import (")) {
+          inImportBlock = true;
+          continue;
+        }
+        if (inImportBlock && trimmed === ")") {
+          inImportBlock = false;
+          continue;
+        }
+        const match = this.extractImport(trimmed, inImportBlock);
+        if (match) {
+          for (const pkg of packagePatterns) {
+            if (match.importPath !== pkg.packageName) continue;
+            const alias = match.alias && match.alias !== "_" && match.alias !== "." ? toIdentifierToken(match.alias) : pkg.aliases[0];
+            if (alias) {
+              aliasesByPackage.get(pkg.key)?.add(alias);
+            }
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.95
+            });
+          }
+        }
+        for (const pkg of packagePatterns) {
+          const aliases = aliasesByPackage.get(pkg.key);
+          if (!aliases) continue;
+          for (const alias of aliases) {
+            if (!alias) continue;
+            const escapedAlias = escapeRegex2(alias);
+            const callRegex = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+            const callMatch = line.match(callRegex);
+            if (!callMatch) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${callMatch[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const baseName = basePackageName(packageName);
+    const identifierBase = toIdentifierToken(baseName.replace(/^v[0-9]+$/, ""));
+    const shortened = identifierBase.replace(/go$/i, "") || identifierBase;
+    return {
+      key: packageKey(ecosystem, packageName),
+      packageName,
+      aliases: uniqueTokens([identifierBase, shortened])
+    };
+  }
+  extractImport(trimmedLine, inImportBlock) {
+    if (!inImportBlock && !trimmedLine.startsWith("import ")) return null;
+    if (inImportBlock) {
+      const blockMatch = trimmedLine.match(/^(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+      if (!blockMatch) return null;
+      return {
+        alias: blockMatch[1] ?? null,
+        importPath: blockMatch[2]
+      };
+    }
+    const singleMatch = trimmedLine.match(/^import\s+(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+    if (!singleMatch) return null;
+    return {
+      alias: singleMatch[1] ?? null,
+      importPath: singleMatch[2]
+    };
+  }
+};
+function escapeRegex2(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/ruby-ast-analyzer.ts
+var RUBY_EXTENSIONS = /* @__PURE__ */ new Set([".rb"]);
+var RubyAstAnalyzer = class {
+  name = "ruby-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["ruby"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUBY_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Ruby source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripInlineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const requireMatch = line.match(/^require(?:_relative)?\s+['"]([^'"]+)['"]/);
+        if (requireMatch) {
+          const requiredPath = requireMatch[1];
+          for (const pkg of packagePatterns) {
+            if (!pkg.requireCandidates.some((candidate) => requiredPath.includes(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.93
+            });
+            for (const constant of pkg.constantCandidates) {
+              symbolToPackage.set(constant, pkg.key);
+            }
+          }
+          continue;
+        }
+        const includeMatch = line.match(/^include\s+([A-Za-z_][A-Za-z0-9_:]*)/);
+        if (includeMatch) {
+          const moduleName = includeMatch[1];
+          for (const pkg of packagePatterns) {
+            if (!pkg.constantCandidates.some((candidate) => moduleName.startsWith(candidate))) continue;
+            symbolToPackage.set(moduleName.split("::").at(0) ?? moduleName, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const namespacedCall = line.match(/\b([A-Z][A-Za-z0-9_:]*)\s*(?:\.|::)\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (namespacedCall) {
+          const lhs = namespacedCall[1].split("::").at(0) ?? namespacedCall[1];
+          const method = namespacedCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findConstantCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const base = basePackageName(packageName);
+    const normalized = base.toLowerCase();
+    const requireCandidates = uniqueTokens([
+      normalized,
+      normalized.replace(/-/g, "/"),
+      normalized.replace(/-/g, "_")
+    ]);
+    const constantParts = normalized.replace(/[^a-z0-9_/-]/g, "").split(/[\/_-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1));
+    const constant = constantParts.join("::");
+    const collapsedConstant = constantParts.join("");
+    return {
+      key: packageKey(ecosystem, packageName),
+      requireCandidates,
+      constantCandidates: uniqueTokens([constant, collapsedConstant, constantParts.at(0) ?? ""])
+    };
+  }
+  findConstantCandidatePackage(constant, packagePatterns) {
+    for (const pkg of packagePatterns) {
+      if (pkg.constantCandidates.includes(constant)) {
+        return pkg.key;
+      }
+    }
+    return null;
+  }
+};
+function stripInlineComment2(line) {
+  const idx = line.indexOf("#");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/php-ast-analyzer.ts
+var PHP_EXTENSIONS = /* @__PURE__ */ new Set([".php"]);
+var PhpAstAnalyzer = class {
+  name = "php-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["composer"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg) => this.patternForPackage(pkg.packageName, pkg.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PHP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate PHP source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment4(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z0-9_\\]+)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/i);
+        if (useMatch) {
+          const namespacePath = useMatch[1];
+          const alias = useMatch[2] ?? namespacePath.split("\\").at(-1) ?? namespacePath;
+          for (const pkg of packagePatterns) {
+            const normalizedNamespace = namespacePath.toLowerCase();
+            if (!pkg.namespaceCandidates.some((candidate) => normalizedNamespace.startsWith(candidate.toLowerCase()))) continue;
+            symbolToPackage.set(alias, pkg.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const requireMatch = line.match(/^require(?:_once)?\s*\(?\s*['"]([^'"]+)['"]\s*\)?\s*;/i);
+        if (requireMatch) {
+          const pathExpr = requireMatch[1].toLowerCase();
+          for (const pkg of packagePatterns) {
+            const hasVendor = pathExpr.includes(pkg.vendor.toLowerCase());
+            const hasPackage = pathExpr.includes(pkg.package.toLowerCase());
+            if (!hasVendor && !hasPackage) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const staticCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (staticCall) {
+          const lhs = staticCall[1];
+          const method = staticCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${method}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const constructorMatch = line.match(/new\s+([A-Za-z_][A-Za-z0-9_]*)\b/);
+        if (constructorMatch) {
+          const className = constructorMatch[1];
+          const pkgKey = symbolToPackage.get(className) ?? this.findSymbolCandidatePackage(className, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `new ${className}`,
+              confidence: 0.76
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [vendorRaw, packageRaw] = packageName.split("/");
+    const vendor = vendorRaw ?? packageName;
+    const packagePart = packageRaw ?? packageName;
+    const namespaceCandidates = uniqueTokens([
+      pascalize(vendor),
+      pascalize(packagePart),
+      `${pascalize(vendor)}\\${pascalize(packagePart)}`,
+      `${pascalize(vendor)}\\${pascalize(packagePart.replace(/-/g, "_"))}`
+    ]);
+    const symbolCandidates = uniqueTokens([
+      pascalize(packagePart),
+      pascalize(vendor),
+      pascalize(packagePart).split("\\").at(-1) ?? ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      vendor,
+      package: packagePart,
+      namespaceCandidates,
+      symbolCandidates
+    };
+  }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    const normalized = symbol.toLowerCase();
+    for (const pkg of packagePatterns) {
+      if (pkg.symbolCandidates.some((candidate) => candidate.toLowerCase() === normalized)) {
+        return pkg.key;
+      }
+    }
+    return null;
+  }
+};
+function pascalize(input) {
+  return input.split(/[\/_.-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1)).join("\\");
+}
+function stripLineComment4(line) {
+  const slashIdx = line.indexOf("//");
+  if (slashIdx !== -1) return line.slice(0, slashIdx);
+  const hashIdx = line.indexOf("#");
+  return hashIdx === -1 ? line : line.slice(0, hashIdx);
+}
 
 // src/context/usage-context-engine.ts
 var DEFAULT_MAX_SNIPPETS_PER_PACKAGE = 20;
@@ -17643,41 +18669,13 @@ var UsageContextEngine = class {
   constructor(analyzers) {
     this.analyzers = analyzers ?? [
       new JsAstAnalyzer(),
-      new UnsupportedAnalyzer(
-        "python-ast-analyzer",
-        ["pip", "poetry", "uv"],
-        "Python AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "java-ast-analyzer",
-        ["maven"],
-        "Java AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "dotnet-ast-analyzer",
-        ["nuget"],
-        "NuGet/C# AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "rust-ast-analyzer",
-        ["cargo"],
-        "Rust AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "go-ast-analyzer",
-        ["go"],
-        "Go AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "ruby-ast-analyzer",
-        ["ruby"],
-        "Ruby AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "php-ast-analyzer",
-        ["composer"],
-        "PHP AST analyzer is not yet implemented in this release"
-      )
+      new PythonAstAnalyzer(),
+      new JavaAstAnalyzer(),
+      new DotnetAstAnalyzer(),
+      new RustAstAnalyzer(),
+      new GoAstAnalyzer(),
+      new RubyAstAnalyzer(),
+      new PhpAstAnalyzer()
     ];
   }
   async analyze(input) {
@@ -17737,7 +18735,7 @@ var UsageContextEngine = class {
       try {
         const result = await analyzer.analyze(runContext);
         const resultByKey = new Map(
-          result.packages.map((pkg) => [packageKey(pkg.ecosystem, pkg.packageName), pkg])
+          result.packages.map((pkg) => [packageKey2(pkg.ecosystem, pkg.packageName), pkg])
         );
         errors.push(...result.errors);
         remainingSnippets = Math.max(0, remainingSnippets - result.snippetsProduced);
@@ -17745,7 +18743,7 @@ var UsageContextEngine = class {
         let unsupportedCount = 0;
         let analysisErrorCount = 0;
         for (const pkg of packages) {
-          const analyzed = resultByKey.get(packageKey(pkg.ecosystem, pkg.packageName)) ?? {
+          const analyzed = resultByKey.get(packageKey2(pkg.ecosystem, pkg.packageName)) ?? {
             packageName: pkg.packageName,
             ecosystem: pkg.ecosystem,
             status: "analysis_error",
@@ -17850,13 +18848,13 @@ var UsageContextEngine = class {
   buildVulnerablePackages(vulnerabilities, dependencies) {
     const directMap = /* @__PURE__ */ new Map();
     for (const dependency of dependencies) {
-      const key = packageKey(dependency.ecosystem, dependency.name);
+      const key = packageKey2(dependency.ecosystem, dependency.name);
       const existing = directMap.get(key) ?? false;
       directMap.set(key, existing || dependency.direct);
     }
     const grouped = /* @__PURE__ */ new Map();
     for (const vulnerability of vulnerabilities) {
-      const key = packageKey(vulnerability.ecosystem, vulnerability.packageName);
+      const key = packageKey2(vulnerability.ecosystem, vulnerability.packageName);
       const existing = grouped.get(key);
       if (existing) {
         existing.vulnerabilities.push(vulnerability);
@@ -17880,7 +18878,7 @@ var UsageContextEngine = class {
     return n > 0 ? n : fallback;
   }
 };
-function packageKey(ecosystem, packageName) {
+function packageKey2(ecosystem, packageName) {
   return `${ecosystem}::${packageName}`;
 }
 function groupByEcosystem(packages) {
@@ -17907,9 +18905,9 @@ async function scan(config) {
   const sbom = artifacts.cyclonedx;
   const outputPaths = deriveArtifactOutputPaths(sbomOutput);
   await Promise.all([
-    (0, import_promises15.writeFile)(outputPaths.cyclonedx, artifacts.cyclonedx.content, "utf-8"),
-    (0, import_promises15.writeFile)(outputPaths.spdx, artifacts.spdx.content, "utf-8"),
-    (0, import_promises15.writeFile)(outputPaths.swid, artifacts.swid.content, "utf-8")
+    (0, import_promises16.writeFile)(outputPaths.cyclonedx, artifacts.cyclonedx.content, "utf-8"),
+    (0, import_promises16.writeFile)(outputPaths.spdx, artifacts.spdx.content, "utf-8"),
+    (0, import_promises16.writeFile)(outputPaths.swid, artifacts.swid.content, "utf-8")
   ]);
   let cveCheck;
   if (skipCveCheck) {
@@ -17951,7 +18949,7 @@ async function scan(config) {
       };
     }
     usageContext.artifactPath = outputPaths.usageContext;
-    await (0, import_promises15.writeFile)(outputPaths.usageContext, JSON.stringify(usageContext, null, 2), "utf-8");
+    await (0, import_promises16.writeFile)(outputPaths.usageContext, JSON.stringify(usageContext, null, 2), "utf-8");
   }
   const summary = {
     totalDependencies: scanResult.dependencies.length,
@@ -17989,7 +18987,7 @@ async function uploadToVerimu(report, config) {
     throw new Error("API key required for upload");
   }
   const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
-  const projectName = (0, import_path16.basename)(config.projectPath);
+  const projectName = (0, import_path17.basename)(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
     ecosystem: report.project.ecosystem
@@ -18023,16 +19021,16 @@ function printReport(report) {
   console.log(reporter.report(report));
 }
 function deriveArtifactOutputPaths(cycloneDxOutput) {
-  const parsed = (0, import_path16.parse)(cycloneDxOutput);
+  const parsed = (0, import_path17.parse)(cycloneDxOutput);
   let baseName = parsed.name;
   if (parsed.ext === ".json" && baseName.endsWith(".cdx")) {
     baseName = baseName.slice(0, -4);
   }
   return {
     cyclonedx: cycloneDxOutput,
-    spdx: (0, import_path16.join)(parsed.dir, `${baseName}.spdx.json`),
-    swid: (0, import_path16.join)(parsed.dir, `${baseName}.swid.xml`),
-    usageContext: (0, import_path16.join)(parsed.dir, `${baseName}.usage-context.json`)
+    spdx: (0, import_path17.join)(parsed.dir, `${baseName}.spdx.json`),
+    swid: (0, import_path17.join)(parsed.dir, `${baseName}.swid.xml`),
+    usageContext: (0, import_path17.join)(parsed.dir, `${baseName}.usage-context.json`)
   };
 }
 function buildUploadPayload(report) {