verimu 0.0.18 → 0.0.19

package/dist/cli.mjs

@@ -13052,9 +13052,9 @@ var require_traverse = __commonJS({
     Object.defineProperty(exports, "__esModule", {
       value: true
     });
-    exports.default = traverse2;
+    exports.default = traverse;
     var _index = require_definitions();
-    function traverse2(node, handlers, state) {
+    function traverse(node, handlers, state) {
       if (typeof handlers === "function") {
         handlers = {
           enter: handlers
@@ -14096,7 +14096,7 @@ import { createRequire } from "module";
 
 // src/scan.ts
 import { writeFile } from "fs/promises";
-import { basename, join as join2, parse as parse2 } from "path";
+import { basename, join as join3, parse as parse2 } from "path";
 
 // src/scanners/npm/npm-scanner.ts
 import { readFile } from "fs/promises";
@@ -16750,6 +16750,15 @@ var ConsoleReporter = class {
       lines.push(
         `    Findings: direct_evidence=${directEvidence}, indirect_no_evidence=${indirectNoEvidence}, unsupported=${unsupported}, analysis_error=${analysisErrors}`
       );
+      if (result.usageContext.ecosystemStatus.length > 0) {
+        lines.push("    Analyzer status:");
+        for (const status of result.usageContext.ecosystemStatus) {
+          const note = status.note ? ` (${status.note})` : "";
+          lines.push(
+            `      ${status.ecosystem}: ${status.status} via ${status.analyzer}${note}`
+          );
+        }
+      }
       if (result.usageContext.artifactPath) {
         lines.push(`    Artifact: ${result.usageContext.artifactPath}`);
       }
@@ -17001,7 +17010,7 @@ var import_types = __toESM(require_lib3(), 1);
 import { readdir, readFile as readFile14 } from "fs/promises";
 import { join } from "path";
 import { parse } from "@babel/parser";
-import traverse from "@babel/traverse";
+import traverseModule from "@babel/traverse";
 var JS_EXTENSIONS = /* @__PURE__ */ new Set([
   ".js",
   ".jsx",
@@ -17031,6 +17040,24 @@ var JsAstAnalyzer = class {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
+    const traverseFn = resolveTraverseFunction(traverseModule);
+    if (!traverseFn) {
+      return {
+        packages: context.packages.map((pkg2) => ({
+          packageName: pkg2.packageName,
+          ecosystem: pkg2.ecosystem,
+          status: "analysis_error",
+          snippets: [],
+          notes: "Failed to resolve @babel/traverse runtime export"
+        })),
+        errors: [{
+          analyzer: this.name,
+          ecosystem: context.ecosystem,
+          error: "Failed to resolve @babel/traverse runtime export"
+        }],
+        snippetsProduced: 0
+      };
+    }
     const packageMap = this.buildPackageMaps(context.packages);
     const resultMap = /* @__PURE__ */ new Map();
     const snippetKeyMap = /* @__PURE__ */ new Map();
@@ -17094,13 +17121,13 @@ var JsAstAnalyzer = class {
       const matchCandidates = [];
       const matchSeen = /* @__PURE__ */ new Set();
       const symbolToPackage = /* @__PURE__ */ new Map();
-      const addMatch = (packageKey2, line, matchKind, calledSymbol, confidence = 0.8) => {
-        const candidateKey = `${packageKey2}:${line}:${matchKind}:${calledSymbol ?? ""}`;
+      const addMatch = (packageKey3, line, matchKind, calledSymbol, confidence = 0.8) => {
+        const candidateKey = `${packageKey3}:${line}:${matchKind}:${calledSymbol ?? ""}`;
         if (matchSeen.has(candidateKey)) return;
         matchSeen.add(candidateKey);
-        matchCandidates.push({ packageKey: packageKey2, line, matchKind, calledSymbol, confidence });
+        matchCandidates.push({ packageKey: packageKey3, line, matchKind, calledSymbol, confidence });
       };
-      traverse(ast, {
+      traverseFn(ast, {
         ImportDeclaration: (path14) => {
           const source = path14.node.source;
           if (!(0, import_types.isStringLiteral)(source)) return;
@@ -17222,6 +17249,18 @@ var JsAstAnalyzer = class {
     return `${ecosystem}::${packageName}`;
   }
 };
+function resolveTraverseFunction(moduleValue) {
+  if (typeof moduleValue === "function") {
+    return moduleValue;
+  }
+  if (typeof moduleValue === "object" && moduleValue !== null && "default" in moduleValue) {
+    const candidate = moduleValue.default;
+    if (typeof candidate === "function") {
+      return candidate;
+    }
+  }
+  return null;
+}
 async function collectSourceFiles(rootPath) {
   const files = [];
   async function walk(dirPath) {
@@ -17317,9 +17356,9 @@ function collectIdentifiers(pattern) {
 function resolveCallMatch(callee, symbolToPackage) {
   const normalized = unwrapExpression(callee);
   if ((0, import_types.isIdentifier)(normalized)) {
-    const packageKey2 = symbolToPackage.get(normalized.name);
-    if (!packageKey2) return null;
-    return { packageKey: packageKey2, calledSymbol: normalized.name };
+    const packageKey3 = symbolToPackage.get(normalized.name);
+    if (!packageKey3) return null;
+    return { packageKey: packageKey3, calledSymbol: normalized.name };
   }
   if ((0, import_types.isMemberExpression)(normalized) || (0, import_types.isOptionalMemberExpression)(normalized)) {
     return resolveMemberCallMatch(normalized, symbolToPackage);
@@ -17336,13 +17375,13 @@ function unwrapExpression(expression) {
 function resolveMemberCallMatch(memberExpression, symbolToPackage) {
   const objectExpr = unwrapExpression(memberExpression.object);
   if (!(0, import_types.isIdentifier)(objectExpr)) return null;
-  const packageKey2 = symbolToPackage.get(objectExpr.name);
-  if (!packageKey2) return null;
+  const packageKey3 = symbolToPackage.get(objectExpr.name);
+  if (!packageKey3) return null;
   const propertyName = propertyNameOf(memberExpression);
   if (!propertyName) {
-    return { packageKey: packageKey2, calledSymbol: objectExpr.name };
+    return { packageKey: packageKey3, calledSymbol: objectExpr.name };
   }
-  return { packageKey: packageKey2, calledSymbol: `${objectExpr.name}.${propertyName}` };
+  return { packageKey: packageKey3, calledSymbol: `${objectExpr.name}.${propertyName}` };
 }
 function propertyNameOf(memberExpression) {
   if (memberExpression.computed) {
@@ -17359,34 +17398,1021 @@ function propertyNameOf(memberExpression) {
   return null;
 }
 
-// src/context/analyzers/unsupported-analyzer.ts
-var UnsupportedAnalyzer = class {
-  name;
-  ecosystems;
-  note;
-  constructor(name, ecosystems, note) {
-    this.name = name;
-    this.ecosystems = new Set(ecosystems);
-    this.note = note;
+// src/context/analyzers/shared.ts
+import { readdir as readdir2, readFile as readFile15 } from "fs/promises";
+import { join as join2 } from "path";
+var DEFAULT_IGNORED_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "node_modules",
+  "dist",
+  "build",
+  "coverage",
+  ".next",
+  ".nuxt",
+  ".turbo",
+  "vendor",
+  ".venv",
+  "venv",
+  "target",
+  "bin",
+  "obj"
+]);
+function packageKey(ecosystem, packageName) {
+  return `${ecosystem}::${packageName}`;
+}
+function initState(packages) {
+  const resultMap = /* @__PURE__ */ new Map();
+  const snippetKeyMap = /* @__PURE__ */ new Map();
+  for (const pkg2 of packages) {
+    const key = packageKey(pkg2.ecosystem, pkg2.packageName);
+    resultMap.set(key, {
+      packageName: pkg2.packageName,
+      ecosystem: pkg2.ecosystem,
+      status: "indirect_no_evidence",
+      snippets: []
+    });
+    snippetKeyMap.set(key, /* @__PURE__ */ new Set());
+  }
+  return {
+    resultMap,
+    snippetKeyMap,
+    errors: [],
+    snippetsProduced: 0
+  };
+}
+function errorResultFromMessage(context, analyzerName, message, notes) {
+  return {
+    packages: context.packages.map((pkg2) => ({
+      packageName: pkg2.packageName,
+      ecosystem: pkg2.ecosystem,
+      status: "analysis_error",
+      snippets: [],
+      notes
+    })),
+    errors: [{ analyzer: analyzerName, ecosystem: context.ecosystem, error: message }],
+    snippetsProduced: 0
+  };
+}
+function toAnalyzerResult(state) {
+  for (const result of state.resultMap.values()) {
+    result.snippets = dedupeSnippets(result.snippets);
+    if (result.snippets.length > 0) {
+      result.status = "direct_evidence";
+    }
   }
+  return {
+    packages: Array.from(state.resultMap.values()),
+    errors: state.errors,
+    snippetsProduced: state.snippetsProduced
+  };
+}
+async function collectSourceFiles2(rootPath, extensions, ignoredDirs = DEFAULT_IGNORED_DIRS) {
+  const files = [];
+  async function walk(dirPath) {
+    const entries = await readdir2(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join2(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        if (ignoredDirs.has(entry.name)) continue;
+        await walk(fullPath);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      if (!extensions.has(extensionOf2(entry.name))) continue;
+      files.push(fullPath);
+    }
+  }
+  await walk(rootPath);
+  return files;
+}
+async function readSourceFile(analyzerName, ecosystem, filePath, errors) {
+  try {
+    return await readFile15(filePath, "utf-8");
+  } catch (err) {
+    errors.push({
+      analyzer: analyzerName,
+      ecosystem,
+      error: `Failed to read ${filePath}: ${err instanceof Error ? err.message : String(err)}`
+    });
+    return null;
+  }
+}
+function addCandidate(context, state, filePath, sourceText, candidate) {
+  if (state.snippetsProduced >= context.maxSnippetsTotal) return;
+  const packageResult = state.resultMap.get(candidate.packageKey);
+  if (!packageResult) return;
+  if (packageResult.snippets.length >= context.maxSnippetsPerPackage) return;
+  const snippet = buildSnippet({
+    projectPath: context.projectPath,
+    filePath,
+    sourceText,
+    line: candidate.line,
+    numContextLines: context.numContextLines,
+    matchKind: candidate.matchKind,
+    calledSymbol: candidate.calledSymbol,
+    confidence: candidate.confidence ?? 0.8
+  });
+  const dedupeKey = `${snippet.filePath}:${snippet.startLine}:${snippet.endLine}:${snippet.matchKind}:${snippet.calledSymbol ?? ""}`;
+  const packageSnippetKeys = state.snippetKeyMap.get(candidate.packageKey);
+  if (!packageSnippetKeys || packageSnippetKeys.has(dedupeKey)) return;
+  packageSnippetKeys.add(dedupeKey);
+  packageResult.snippets.push(snippet);
+  state.snippetsProduced += 1;
+}
+function extensionOf2(fileName) {
+  const index = fileName.lastIndexOf(".");
+  return index === -1 ? "" : fileName.slice(index).toLowerCase();
+}
+function basePackageName(name) {
+  const slash = name.includes("/") ? name.split("/").at(-1) ?? name : name;
+  const colon = slash.includes(":") ? slash.split(":").at(-1) ?? slash : slash;
+  return colon;
+}
+function toIdentifierToken(value) {
+  return value.replace(/[^A-Za-z0-9_]/g, "_").replace(/_+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
+}
+function uniqueTokens(values) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const value of values) {
+    const trimmed = value.trim();
+    if (!trimmed) continue;
+    const key = trimmed.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    result.push(trimmed);
+  }
+  return result;
+}
+
+// src/context/analyzers/python-ast-analyzer.ts
+var PYTHON_EXTENSIONS = /* @__PURE__ */ new Set([".py"]);
+var PythonAstAnalyzer = class {
+  name = "python-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["pip", "poetry", "uv"]);
   supports(ecosystem) {
     return this.ecosystems.has(ecosystem);
   }
   async analyze(context) {
-    const packages = context.packages.map((pkg2) => ({
-      packageName: pkg2.packageName,
-      ecosystem: pkg2.ecosystem,
-      status: "unsupported",
-      snippets: [],
-      notes: this.note
-    }));
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PYTHON_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Python source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasToPackage = /* @__PURE__ */ new Map();
+      const lines = sourceText.split(/\r?\n/);
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = lines[idx];
+        const trimmed = stripInlineComment(line).trim();
+        const lineNumber = idx + 1;
+        if (!trimmed) continue;
+        const importMatch = trimmed.match(/^import\s+(.+)$/);
+        if (importMatch) {
+          const segments = importMatch[1].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const segment of segments) {
+            const parsed = segment.match(/^([A-Za-z_][A-Za-z0-9_\.]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const moduleName = parsed[1];
+            const alias = parsed[2] ?? moduleName.split(".").at(0) ?? moduleName;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        const fromMatch = trimmed.match(
+          /^from\s+([A-Za-z_][A-Za-z0-9_\.]*)\s+import\s+(.+)$/
+        );
+        if (fromMatch) {
+          const moduleName = fromMatch[1];
+          const imported = fromMatch[2].split(",").map((part) => part.trim()).filter(Boolean);
+          for (const part of imported) {
+            const parsed = part.match(/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?$/);
+            if (!parsed) continue;
+            const name = parsed[1];
+            const alias = parsed[2] ?? name;
+            this.addImportForModule(
+              context,
+              state,
+              filePath,
+              sourceText,
+              packagePatterns,
+              aliasToPackage,
+              moduleName,
+              alias,
+              lineNumber
+            );
+          }
+          continue;
+        }
+        for (const [alias, pkgKey] of aliasToPackage.entries()) {
+          const escapedAlias = escapeRegex(alias);
+          const directCall = new RegExp(`\\b${escapedAlias}\\s*\\(`);
+          if (directCall.test(trimmed)) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: alias,
+              confidence: 0.78
+            });
+          }
+          const memberCall = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+          const match = trimmed.match(memberCall);
+          if (match) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${match[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  addImportForModule(context, state, filePath, sourceText, packagePatterns, aliasToPackage, moduleName, alias, lineNumber) {
+    const normalizedModule = moduleName.toLowerCase();
+    for (const pkg2 of packagePatterns) {
+      const matched = pkg2.modules.some(
+        (candidate) => normalizedModule === candidate || normalizedModule.startsWith(`${candidate}.`)
+      );
+      if (!matched) continue;
+      aliasToPackage.set(alias, pkg2.key);
+      aliasToPackage.set(moduleName.split(".").at(0) ?? moduleName, pkg2.key);
+      addCandidate(context, state, filePath, sourceText, {
+        packageKey: pkg2.key,
+        line: lineNumber,
+        matchKind: "import",
+        confidence: 0.95
+      });
+    }
+  }
+  patternForPackage(packageName, ecosystem) {
+    const normalized = toIdentifierToken(packageName).replace(/_/g, "-");
+    const base = toIdentifierToken(basePackageName(packageName));
+    const packageModules = [
+      normalized.replace(/-/g, "_"),
+      base.replace(/-/g, "_"),
+      base.replace(/_/g, "")
+    ];
+    if (normalized === "pyyaml" || base === "pyyaml") {
+      packageModules.push("yaml");
+    }
     return {
-      packages,
-      errors: [],
-      snippetsProduced: 0
+      key: packageKey(ecosystem, packageName),
+      modules: uniqueTokens(packageModules.map((v) => v.toLowerCase()))
     };
   }
 };
+function stripInlineComment(line) {
+  const hashIndex = line.indexOf("#");
+  return hashIndex === -1 ? line : line.slice(0, hashIndex);
+}
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/java-ast-analyzer.ts
+var JAVA_EXTENSIONS = /* @__PURE__ */ new Set([".java"]);
+var JavaAstAnalyzer = class {
+  name = "java-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["maven"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, JAVA_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Java source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const importMatch = line.match(/^import\s+(?:static\s+)?([A-Za-z0-9_.*]+)\s*;/);
+        if (importMatch) {
+          const importPath = importMatch[1].replace(/\.\*$/, "");
+          const simpleName = importPath.split(".").at(-1) ?? importPath;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.candidates.some((candidate) => importPath.startsWith(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+            if (simpleName && /^[A-Za-z_][A-Za-z0-9_]*$/.test(simpleName)) {
+              symbolToPackage.set(simpleName, pkg2.key);
+            }
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey2 = symbolToPackage.get(typeName);
+          if (pkgKey2) {
+            symbolToPackage.set(variableName, pkgKey2);
+          }
+        }
+        const callMatch = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (!callMatch) continue;
+        const lhs = callMatch[1];
+        const member = callMatch[2];
+        const pkgKey = symbolToPackage.get(lhs);
+        if (!pkgKey) continue;
+        addCandidate(context, state, filePath, sourceText, {
+          packageKey: pkgKey,
+          line: lineNumber,
+          matchKind: "call",
+          calledSymbol: `${lhs}.${member}`,
+          confidence: 0.8
+        });
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [groupIdRaw, artifactIdRaw] = packageName.split(":");
+    const groupId = (groupIdRaw ?? "").trim();
+    const artifactId = (artifactIdRaw ?? "").trim();
+    const candidates = uniqueTokens([
+      groupId,
+      groupId && artifactId ? `${groupId}.${artifactId.replace(/-/g, ".")}` : "",
+      artifactId ? artifactId.replace(/-/g, ".") : "",
+      artifactId ? toIdentifierToken(artifactId).replace(/_/g, ".") : ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      candidates
+    };
+  }
+};
+function stripLineComment(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/dotnet-ast-analyzer.ts
+var CSHARP_EXTENSIONS = /* @__PURE__ */ new Set([".cs"]);
+var DotnetAstAnalyzer = class {
+  name = "dotnet-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["nuget"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, CSHARP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate C# source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const aliasUsing = line.match(/^using\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([A-Za-z0-9_.]+)\s*;/);
+        if (aliasUsing) {
+          const alias = aliasUsing[1];
+          const targetNamespace = aliasUsing[2];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.namespaceCandidates.some((candidate) => targetNamespace.startsWith(candidate))) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const usingMatch = line.match(/^using\s+([A-Za-z0-9_.]+)\s*;/);
+        if (usingMatch) {
+          const namespaceName = usingMatch[1];
+          const tailSymbol = namespaceName.split(".").at(-1) ?? namespaceName;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.namespaceCandidates.some((candidate) => namespaceName.startsWith(candidate))) continue;
+            symbolToPackage.set(tailSymbol, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.93
+            });
+          }
+          continue;
+        }
+        const varDecl = line.match(/^([A-Za-z_][A-Za-z0-9_.]*)\s+([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|;)/);
+        if (varDecl) {
+          const typeName = varDecl[1].split(".").at(-1) ?? varDecl[1];
+          const variableName = varDecl[2];
+          const pkgKey = symbolToPackage.get(typeName);
+          if (pkgKey) {
+            symbolToPackage.set(variableName, pkgKey);
+          }
+        }
+        const memberCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (memberCall) {
+          const lhs = memberCall[1];
+          const method = memberCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.79
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const dotted = packageName.replace(/-/g, ".");
+    const segments = dotted.split(".");
+    const symbolCandidates = uniqueTokens([
+      segments.at(-1) ?? "",
+      segments.at(-2) ?? "",
+      packageName.split(".").at(-1) ?? ""
+    ]);
+    const namespaceCandidates = uniqueTokens([
+      dotted,
+      segments.slice(0, -1).join("."),
+      segments.slice(0, Math.min(2, segments.length)).join(".")
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      namespaceCandidates,
+      symbolCandidates
+    };
+  }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.symbolCandidates.includes(symbol)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
+};
+function stripLineComment2(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/rust-ast-analyzer.ts
+var RUST_EXTENSIONS = /* @__PURE__ */ new Set([".rs"]);
+var RustAstAnalyzer = class {
+  name = "rust-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["cargo"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUST_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Rust source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment3(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z_][A-Za-z0-9_:]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (useMatch) {
+          const pathExpr = useMatch[1];
+          const alias = useMatch[2] ?? pathExpr.split("::").at(0) ?? pathExpr;
+          const crate = pathExpr.split("::").at(0) ?? pathExpr;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            symbolToPackage.set(crate, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const externMatch = line.match(/^extern\s+crate\s+([A-Za-z_][A-Za-z0-9_]*)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/);
+        if (externMatch) {
+          const crate = externMatch[1];
+          const alias = externMatch[2] ?? crate;
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.crateNames.includes(crate)) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            symbolToPackage.set(crate, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const scopedCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (scopedCall) {
+          const lhs = scopedCall[1];
+          const func = scopedCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${func}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const methodCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (methodCall) {
+          const lhs = methodCall[1];
+          const method = methodCall[2];
+          const pkgKey = symbolToPackage.get(lhs);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const crateName = packageName.replace(/-/g, "_");
+    return {
+      key: packageKey(ecosystem, packageName),
+      crateNames: uniqueTokens([crateName, packageName])
+    };
+  }
+};
+function stripLineComment3(line) {
+  const idx = line.indexOf("//");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/go-ast-analyzer.ts
+var GO_EXTENSIONS = /* @__PURE__ */ new Set([".go"]);
+var GoAstAnalyzer = class {
+  name = "go-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["go"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map((pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem));
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, GO_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Go source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const aliasesByPackage = /* @__PURE__ */ new Map();
+      for (const pkg2 of packagePatterns) {
+        aliasesByPackage.set(pkg2.key, new Set(pkg2.aliases));
+      }
+      const lines = sourceText.split(/\r?\n/);
+      let inImportBlock = false;
+      for (let idx = 0; idx < lines.length; idx++) {
+        const lineNumber = idx + 1;
+        const line = lines[idx];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("import (")) {
+          inImportBlock = true;
+          continue;
+        }
+        if (inImportBlock && trimmed === ")") {
+          inImportBlock = false;
+          continue;
+        }
+        const match = this.extractImport(trimmed, inImportBlock);
+        if (match) {
+          for (const pkg2 of packagePatterns) {
+            if (match.importPath !== pkg2.packageName) continue;
+            const alias = match.alias && match.alias !== "_" && match.alias !== "." ? toIdentifierToken(match.alias) : pkg2.aliases[0];
+            if (alias) {
+              aliasesByPackage.get(pkg2.key)?.add(alias);
+            }
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.95
+            });
+          }
+        }
+        for (const pkg2 of packagePatterns) {
+          const aliases = aliasesByPackage.get(pkg2.key);
+          if (!aliases) continue;
+          for (const alias of aliases) {
+            if (!alias) continue;
+            const escapedAlias = escapeRegex2(alias);
+            const callRegex = new RegExp(`\\b${escapedAlias}\\s*\\.\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*\\(`);
+            const callMatch = line.match(callRegex);
+            if (!callMatch) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${alias}.${callMatch[1]}`,
+              confidence: 0.8
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const baseName = basePackageName(packageName);
+    const identifierBase = toIdentifierToken(baseName.replace(/^v[0-9]+$/, ""));
+    const shortened = identifierBase.replace(/go$/i, "") || identifierBase;
+    return {
+      key: packageKey(ecosystem, packageName),
+      packageName,
+      aliases: uniqueTokens([identifierBase, shortened])
+    };
+  }
+  extractImport(trimmedLine, inImportBlock) {
+    if (!inImportBlock && !trimmedLine.startsWith("import ")) return null;
+    if (inImportBlock) {
+      const blockMatch = trimmedLine.match(/^(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+      if (!blockMatch) return null;
+      return {
+        alias: blockMatch[1] ?? null,
+        importPath: blockMatch[2]
+      };
+    }
+    const singleMatch = trimmedLine.match(/^import\s+(?:(\.|_|[A-Za-z_][A-Za-z0-9_]*)\s+)?\"([^\"]+)\"/);
+    if (!singleMatch) return null;
+    return {
+      alias: singleMatch[1] ?? null,
+      importPath: singleMatch[2]
+    };
+  }
+};
+function escapeRegex2(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/context/analyzers/ruby-ast-analyzer.ts
+var RUBY_EXTENSIONS = /* @__PURE__ */ new Set([".rb"]);
+var RubyAstAnalyzer = class {
+  name = "ruby-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["ruby"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, RUBY_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate Ruby source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripInlineComment2(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const requireMatch = line.match(/^require(?:_relative)?\s+['"]([^'"]+)['"]/);
+        if (requireMatch) {
+          const requiredPath = requireMatch[1];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.requireCandidates.some((candidate) => requiredPath.includes(candidate))) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.93
+            });
+            for (const constant of pkg2.constantCandidates) {
+              symbolToPackage.set(constant, pkg2.key);
+            }
+          }
+          continue;
+        }
+        const includeMatch = line.match(/^include\s+([A-Za-z_][A-Za-z0-9_:]*)/);
+        if (includeMatch) {
+          const moduleName = includeMatch[1];
+          for (const pkg2 of packagePatterns) {
+            if (!pkg2.constantCandidates.some((candidate) => moduleName.startsWith(candidate))) continue;
+            symbolToPackage.set(moduleName.split("::").at(0) ?? moduleName, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const namespacedCall = line.match(/\b([A-Z][A-Za-z0-9_:]*)\s*(?:\.|::)\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (namespacedCall) {
+          const lhs = namespacedCall[1].split("::").at(0) ?? namespacedCall[1];
+          const method = namespacedCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findConstantCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}.${method}`,
+              confidence: 0.78
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const base = basePackageName(packageName);
+    const normalized = base.toLowerCase();
+    const requireCandidates = uniqueTokens([
+      normalized,
+      normalized.replace(/-/g, "/"),
+      normalized.replace(/-/g, "_")
+    ]);
+    const constantParts = normalized.replace(/[^a-z0-9_/-]/g, "").split(/[\/_-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1));
+    const constant = constantParts.join("::");
+    const collapsedConstant = constantParts.join("");
+    return {
+      key: packageKey(ecosystem, packageName),
+      requireCandidates,
+      constantCandidates: uniqueTokens([constant, collapsedConstant, constantParts.at(0) ?? ""])
+    };
+  }
+  findConstantCandidatePackage(constant, packagePatterns) {
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.constantCandidates.includes(constant)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
+};
+function stripInlineComment2(line) {
+  const idx = line.indexOf("#");
+  return idx === -1 ? line : line.slice(0, idx);
+}
+
+// src/context/analyzers/php-ast-analyzer.ts
+var PHP_EXTENSIONS = /* @__PURE__ */ new Set([".php"]);
+var PhpAstAnalyzer = class {
+  name = "php-ast-analyzer";
+  ecosystems = /* @__PURE__ */ new Set(["composer"]);
+  supports(ecosystem) {
+    return this.ecosystems.has(ecosystem);
+  }
+  async analyze(context) {
+    const state = initState(context.packages);
+    const packagePatterns = context.packages.map(
+      (pkg2) => this.patternForPackage(pkg2.packageName, pkg2.ecosystem)
+    );
+    let files;
+    try {
+      files = await collectSourceFiles2(context.projectPath, PHP_EXTENSIONS);
+    } catch (err) {
+      return errorResultFromMessage(
+        context,
+        this.name,
+        err instanceof Error ? err.message : String(err),
+        "Failed to enumerate PHP source files"
+      );
+    }
+    for (const filePath of files) {
+      if (state.snippetsProduced >= context.maxSnippetsTotal) break;
+      const sourceText = await readSourceFile(this.name, context.ecosystem, filePath, state.errors);
+      if (sourceText === null) continue;
+      const lines = sourceText.split(/\r?\n/);
+      const symbolToPackage = /* @__PURE__ */ new Map();
+      for (let idx = 0; idx < lines.length; idx++) {
+        const line = stripLineComment4(lines[idx]).trim();
+        const lineNumber = idx + 1;
+        if (!line) continue;
+        const useMatch = line.match(/^use\s+([A-Za-z0-9_\\]+)(?:\s+as\s+([A-Za-z_][A-Za-z0-9_]*))?\s*;/i);
+        if (useMatch) {
+          const namespacePath = useMatch[1];
+          const alias = useMatch[2] ?? namespacePath.split("\\").at(-1) ?? namespacePath;
+          for (const pkg2 of packagePatterns) {
+            const normalizedNamespace = namespacePath.toLowerCase();
+            if (!pkg2.namespaceCandidates.some((candidate) => normalizedNamespace.startsWith(candidate.toLowerCase()))) continue;
+            symbolToPackage.set(alias, pkg2.key);
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "import",
+              confidence: 0.94
+            });
+          }
+          continue;
+        }
+        const requireMatch = line.match(/^require(?:_once)?\s*\(?\s*['"]([^'"]+)['"]\s*\)?\s*;/i);
+        if (requireMatch) {
+          const pathExpr = requireMatch[1].toLowerCase();
+          for (const pkg2 of packagePatterns) {
+            const hasVendor = pathExpr.includes(pkg2.vendor.toLowerCase());
+            const hasPackage = pathExpr.includes(pkg2.package.toLowerCase());
+            if (!hasVendor && !hasPackage) continue;
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkg2.key,
+              line: lineNumber,
+              matchKind: "require",
+              confidence: 0.9
+            });
+          }
+          continue;
+        }
+        const staticCall = line.match(/\b([A-Za-z_][A-Za-z0-9_]*)::([A-Za-z_][A-Za-z0-9_]*)\s*\(/);
+        if (staticCall) {
+          const lhs = staticCall[1];
+          const method = staticCall[2];
+          const pkgKey = symbolToPackage.get(lhs) ?? this.findSymbolCandidatePackage(lhs, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `${lhs}::${method}`,
+              confidence: 0.8
+            });
+          }
+        }
+        const constructorMatch = line.match(/new\s+([A-Za-z_][A-Za-z0-9_]*)\b/);
+        if (constructorMatch) {
+          const className = constructorMatch[1];
+          const pkgKey = symbolToPackage.get(className) ?? this.findSymbolCandidatePackage(className, packagePatterns);
+          if (pkgKey) {
+            addCandidate(context, state, filePath, sourceText, {
+              packageKey: pkgKey,
+              line: lineNumber,
+              matchKind: "call",
+              calledSymbol: `new ${className}`,
+              confidence: 0.76
+            });
+          }
+        }
+      }
+    }
+    return toAnalyzerResult(state);
+  }
+  patternForPackage(packageName, ecosystem) {
+    const [vendorRaw, packageRaw] = packageName.split("/");
+    const vendor = vendorRaw ?? packageName;
+    const packagePart = packageRaw ?? packageName;
+    const namespaceCandidates = uniqueTokens([
+      pascalize(vendor),
+      pascalize(packagePart),
+      `${pascalize(vendor)}\\${pascalize(packagePart)}`,
+      `${pascalize(vendor)}\\${pascalize(packagePart.replace(/-/g, "_"))}`
+    ]);
+    const symbolCandidates = uniqueTokens([
+      pascalize(packagePart),
+      pascalize(vendor),
+      pascalize(packagePart).split("\\").at(-1) ?? ""
+    ]);
+    return {
+      key: packageKey(ecosystem, packageName),
+      vendor,
+      package: packagePart,
+      namespaceCandidates,
+      symbolCandidates
+    };
+  }
+  findSymbolCandidatePackage(symbol, packagePatterns) {
+    const normalized = symbol.toLowerCase();
+    for (const pkg2 of packagePatterns) {
+      if (pkg2.symbolCandidates.some((candidate) => candidate.toLowerCase() === normalized)) {
+        return pkg2.key;
+      }
+    }
+    return null;
+  }
+};
+function pascalize(input) {
+  return input.split(/[\/_.-]+/).filter(Boolean).map((part) => part[0]?.toUpperCase() + part.slice(1)).join("\\");
+}
+function stripLineComment4(line) {
+  const slashIdx = line.indexOf("//");
+  if (slashIdx !== -1) return line.slice(0, slashIdx);
+  const hashIdx = line.indexOf("#");
+  return hashIdx === -1 ? line : line.slice(0, hashIdx);
+}
 
 // src/context/usage-context-engine.ts
 var DEFAULT_MAX_SNIPPETS_PER_PACKAGE = 20;
@@ -17396,41 +18422,13 @@ var UsageContextEngine = class {
   constructor(analyzers) {
     this.analyzers = analyzers ?? [
       new JsAstAnalyzer(),
-      new UnsupportedAnalyzer(
-        "python-ast-analyzer",
-        ["pip", "poetry", "uv"],
-        "Python AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "java-ast-analyzer",
-        ["maven"],
-        "Java AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "dotnet-ast-analyzer",
-        ["nuget"],
-        "NuGet/C# AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "rust-ast-analyzer",
-        ["cargo"],
-        "Rust AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "go-ast-analyzer",
-        ["go"],
-        "Go AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "ruby-ast-analyzer",
-        ["ruby"],
-        "Ruby AST analyzer is not yet implemented in this release"
-      ),
-      new UnsupportedAnalyzer(
-        "php-ast-analyzer",
-        ["composer"],
-        "PHP AST analyzer is not yet implemented in this release"
-      )
+      new PythonAstAnalyzer(),
+      new JavaAstAnalyzer(),
+      new DotnetAstAnalyzer(),
+      new RustAstAnalyzer(),
+      new GoAstAnalyzer(),
+      new RubyAstAnalyzer(),
+      new PhpAstAnalyzer()
     ];
   }
   async analyze(input) {
@@ -17490,7 +18488,7 @@ var UsageContextEngine = class {
       try {
         const result = await analyzer.analyze(runContext);
         const resultByKey = new Map(
-          result.packages.map((pkg2) => [packageKey(pkg2.ecosystem, pkg2.packageName), pkg2])
+          result.packages.map((pkg2) => [packageKey2(pkg2.ecosystem, pkg2.packageName), pkg2])
         );
         errors.push(...result.errors);
         remainingSnippets = Math.max(0, remainingSnippets - result.snippetsProduced);
@@ -17498,7 +18496,7 @@ var UsageContextEngine = class {
         let unsupportedCount = 0;
         let analysisErrorCount = 0;
         for (const pkg2 of packages) {
-          const analyzed = resultByKey.get(packageKey(pkg2.ecosystem, pkg2.packageName)) ?? {
+          const analyzed = resultByKey.get(packageKey2(pkg2.ecosystem, pkg2.packageName)) ?? {
             packageName: pkg2.packageName,
             ecosystem: pkg2.ecosystem,
             status: "analysis_error",
@@ -17603,13 +18601,13 @@ var UsageContextEngine = class {
   buildVulnerablePackages(vulnerabilities, dependencies) {
     const directMap = /* @__PURE__ */ new Map();
     for (const dependency of dependencies) {
-      const key = packageKey(dependency.ecosystem, dependency.name);
+      const key = packageKey2(dependency.ecosystem, dependency.name);
       const existing = directMap.get(key) ?? false;
       directMap.set(key, existing || dependency.direct);
     }
     const grouped = /* @__PURE__ */ new Map();
     for (const vulnerability of vulnerabilities) {
-      const key = packageKey(vulnerability.ecosystem, vulnerability.packageName);
+      const key = packageKey2(vulnerability.ecosystem, vulnerability.packageName);
       const existing = grouped.get(key);
       if (existing) {
         existing.vulnerabilities.push(vulnerability);
@@ -17633,7 +18631,7 @@ var UsageContextEngine = class {
     return n > 0 ? n : fallback;
   }
 };
-function packageKey(ecosystem, packageName) {
+function packageKey2(ecosystem, packageName) {
   return `${ecosystem}::${packageName}`;
 }
 function groupByEcosystem(packages) {
@@ -17779,9 +18777,9 @@ function deriveArtifactOutputPaths(cycloneDxOutput) {
   }
   return {
     cyclonedx: cycloneDxOutput,
-    spdx: join2(parsed.dir, `${baseName}.spdx.json`),
-    swid: join2(parsed.dir, `${baseName}.swid.xml`),
-    usageContext: join2(parsed.dir, `${baseName}.usage-context.json`)
+    spdx: join3(parsed.dir, `${baseName}.spdx.json`),
+    swid: join3(parsed.dir, `${baseName}.swid.xml`),
+    usageContext: join3(parsed.dir, `${baseName}.usage-context.json`)
   };
 }
 function buildUploadPayload(report) {
@@ -17840,16 +18838,27 @@ function renderPlatformScan(projectPath, result) {
   return lines.join("\n");
 }
 function collectVulnerabilities(result) {
-  return (result.scanResponse.scan_results ?? []).flatMap(
-    (scanResult) => (scanResult.vulnerabilities ?? []).map((vuln) => ({
-      dependencyName: scanResult.dependency_name,
-      version: scanResult.version,
-      cveId: vuln.cve_id,
-      severity: normalizeSeverity(vuln.severity ?? "UNKNOWN"),
-      summary: pickSummary(vuln),
-      fixedVersion: pickFixedVersion(vuln)
-    }))
-  );
+  const deduped = /* @__PURE__ */ new Map();
+  for (const scanResult of result.scanResponse.scan_results ?? []) {
+    for (const vuln of scanResult.vulnerabilities ?? []) {
+      const next = {
+        dependencyName: scanResult.dependency_name,
+        version: scanResult.version,
+        cveId: vuln.cve_id,
+        severity: normalizeSeverity(vuln.severity ?? "UNKNOWN"),
+        summary: pickSummary(vuln),
+        fixedVersion: pickFixedVersion(vuln)
+      };
+      const key = `${next.dependencyName}::${next.version}::${next.cveId}`;
+      const existing = deduped.get(key);
+      if (!existing) {
+        deduped.set(key, next);
+        continue;
+      }
+      deduped.set(key, mergeVulnerability(existing, next));
+    }
+  }
+  return Array.from(deduped.values());
 }
 function pickSummary(vuln) {
   const value = vuln.summary ?? vuln.description;
@@ -17882,6 +18891,26 @@ function normalizeSeverity(severity) {
       return "UNKNOWN";
   }
 }
+function mergeVulnerability(current, incoming) {
+  const severity = severityOrder2(incoming.severity) < severityOrder2(current.severity) ? incoming.severity : current.severity;
+  const summary = pickPreferredSummary(current.summary, incoming.summary);
+  const fixedVersion = current.fixedVersion ?? incoming.fixedVersion ?? null;
+  return {
+    ...current,
+    severity,
+    summary,
+    fixedVersion
+  };
+}
+function pickPreferredSummary(a, b) {
+  const normalizedA = (a ?? "").trim();
+  const normalizedB = (b ?? "").trim();
+  if (!normalizedA) return normalizedB || "No description available";
+  if (!normalizedB) return normalizedA;
+  if (normalizedA === "No description available") return normalizedB;
+  if (normalizedB === "No description available") return normalizedA;
+  return normalizedB.length > normalizedA.length ? normalizedB : normalizedA;
+}
 function summarizeBySeverity(severities) {
   const summary = {
     CRITICAL: 0,