vibecheck-ai 2.0.2 → 5.0.1

package/bin/runners/lib/extractors/client-calls.js

@@ -0,0 +1,990 @@
+/**
+ * Client Call Extractor v2
+ * 
+ * Extracts client-side API calls: fetch, axios, tRPC, GraphQL, Server Actions, SDK calls.
+ * Links them to the Reality Proof Graph for dead UI detection.
+ * 
+ * Output: ClientCall records with evidence, confidence, and canonical paths.
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const fg = require("fast-glob");
+const crypto = require("crypto");
+const parser = require("@babel/parser");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+
+// =============================================================================
+// TYPES AND CONSTANTS
+// =============================================================================
+
+const HTTP_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"];
+
+const CALL_KINDS = {
+  HTTP: "http",
+  TRPC: "trpc",
+  GRAPHQL: "graphql",
+  SERVER_ACTION: "server_action",
+  SDK: "sdk",
+};
+
+const RUNTIMES = {
+  CLIENT: "client",
+  SERVER: "server",
+  SHARED: "shared",
+  UNKNOWN: "unknown",
+};
+
+// =============================================================================
+// MAIN EXTRACTION
+// =============================================================================
+
+/**
+ * Extract all client calls from a project
+ */
+function extractClientCalls(projectRoot, options = {}) {
+  const { include = [], exclude = [] } = options;
+
+  // Find source files
+  const defaultInclude = ["**/*.{ts,tsx,js,jsx,mts,cts}"];
+  const defaultExclude = [
+    "**/node_modules/**",
+    "**/.next/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/coverage/**",
+    "**/*.min.js",
+    "**/*.d.ts",
+  ];
+
+  const patterns = include.length > 0 ? include : defaultInclude;
+  const ignorePatterns = [...defaultExclude, ...exclude];
+
+  const files = fg.sync(patterns, {
+    cwd: projectRoot,
+    absolute: true,
+    ignore: ignorePatterns,
+    onlyFiles: true,
+  });
+
+  const calls = [];
+  const wrappers = [];
+  const uiBindings = [];
+  const errors = [];
+
+  // Pass 1: Extract wrappers (axios instances, custom request helpers)
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf8");
+      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
+      const fileWrappers = extractWrappers(content, relPath, projectRoot);
+      wrappers.push(...fileWrappers);
+    } catch (err) {
+      errors.push({ file, phase: "wrappers", error: err.message });
+    }
+  }
+
+  // Build wrapper lookup
+  const wrapperMap = new Map();
+  for (const w of wrappers) {
+    wrapperMap.set(w.name, w);
+  }
+
+  // Pass 2: Extract calls
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf8");
+      const relPath = path.relative(projectRoot, file).replace(/\\/g, "/");
+      const runtime = inferRuntime(content, relPath);
+
+      const fileCalls = extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot);
+      calls.push(...fileCalls);
+
+      const bindings = extractUIBindings(content, relPath, fileCalls);
+      uiBindings.push(...bindings);
+    } catch (err) {
+      errors.push({ file, phase: "calls", error: err.message });
+    }
+  }
+
+  return {
+    calls,
+    wrappers,
+    uiBindings,
+    errors,
+    stats: {
+      filesScanned: files.length,
+      callsFound: calls.length,
+      wrappersFound: wrappers.length,
+      bindingsFound: uiBindings.length,
+    },
+  };
+}
+
+/**
+ * Extract calls from a single file
+ */
+function extractCallsFromFile(content, relPath, runtime, wrapperMap, projectRoot) {
+  const calls = [];
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return calls;
+  }
+
+  traverse(ast, {
+    CallExpression(path) {
+      // fetch() calls
+      const fetchCall = extractFetchCall(path, content, relPath, runtime);
+      if (fetchCall) {
+        calls.push(fetchCall);
+        return;
+      }
+
+      // axios calls
+      const axiosCall = extractAxiosCall(path, content, relPath, runtime, wrapperMap);
+      if (axiosCall) {
+        calls.push(axiosCall);
+        return;
+      }
+
+      // tRPC calls
+      const trpcCall = extractTRPCCall(path, content, relPath, runtime);
+      if (trpcCall) {
+        calls.push(trpcCall);
+        return;
+      }
+
+      // GraphQL calls
+      const gqlCall = extractGraphQLCall(path, content, relPath, runtime);
+      if (gqlCall) {
+        calls.push(gqlCall);
+        return;
+      }
+
+      // Wrapper calls
+      const wrapperCall = extractWrapperCall(path, content, relPath, runtime, wrapperMap);
+      if (wrapperCall) {
+        calls.push(wrapperCall);
+        return;
+      }
+    },
+
+    // Server Actions (form action={...})
+    JSXAttribute(path) {
+      if (path.node.name.name === "action" && t.isJSXExpressionContainer(path.node.value)) {
+        const actionCall = extractServerAction(path, content, relPath);
+        if (actionCall) {
+          calls.push(actionCall);
+        }
+      }
+    },
+  });
+
+  return calls;
+}
+
+// =============================================================================
+// FETCH EXTRACTION
+// =============================================================================
+
+/**
+ * Extract fetch() call
+ */
+function extractFetchCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Check if callee is 'fetch'
+  if (!t.isIdentifier(node.callee, { name: "fetch" })) {
+    // Also check for fetch(new Request(...))
+    if (t.isNewExpression(node.callee) && t.isIdentifier(node.callee.callee, { name: "Request" })) {
+      return extractRequestCall(path, content, relPath, runtime);
+    }
+    return null;
+  }
+
+  const urlArg = node.arguments[0];
+  const initArg = node.arguments[1];
+
+  if (!urlArg) return null;
+
+  // Extract URL
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  // Extract method
+  const method = extractMethodFromInit(initArg) || "GET";
+
+  // Extract other info
+  const expectsJson = extractExpectsJson(initArg, path);
+  const authHint = extractAuthHint(initArg);
+
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(urlInfo.value),
+    expectsJson,
+    authHint,
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 5}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+    reason: `fetch('${urlInfo.value.slice(0, 50)}') call`,
+  });
+}
+
+/**
+ * Extract new Request() call inside fetch
+ */
+function extractRequestCall(path, content, relPath, runtime) {
+  const { node } = path;
+  const requestNode = node.callee;
+
+  if (!t.isNewExpression(requestNode)) return null;
+
+  const urlArg = requestNode.arguments[0];
+  const initArg = requestNode.arguments[1];
+
+  if (!urlArg) return null;
+
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  const method = extractMethodFromInit(initArg) || "GET";
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(urlInfo.value),
+    expectsJson: false,
+    authHint: "unknown",
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 3}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+    reason: `fetch(new Request('${urlInfo.value.slice(0, 50)}')) call`,
+  });
+}
+
+// =============================================================================
+// AXIOS EXTRACTION
+// =============================================================================
+
+/**
+ * Extract axios call
+ */
+function extractAxiosCall(path, content, relPath, runtime, wrapperMap) {
+  const { node } = path;
+
+  // Pattern A: axios.get/post/etc(url)
+  if (t.isMemberExpression(node.callee)) {
+    const obj = node.callee.object;
+    const prop = node.callee.property;
+
+    if (t.isIdentifier(obj, { name: "axios" }) && t.isIdentifier(prop)) {
+      const methodName = prop.name.toUpperCase();
+      if (HTTP_METHODS.includes(methodName) || methodName === "REQUEST") {
+        const urlArg = node.arguments[0];
+        if (!urlArg) return null;
+
+        const urlInfo = extractUrlFromNode(urlArg, content);
+        if (!urlInfo.value) return null;
+
+        const lineNum = node.loc?.start?.line || 1;
+
+        return createClientCall({
+          kind: CALL_KINDS.HTTP,
+          runtime,
+          method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
+          urlTemplate: urlInfo.value,
+          canonicalPath: canonicalizeUrl(urlInfo.value),
+          expectsJson: true,
+          authHint: "unknown",
+          confidence: urlInfo.confidence,
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 3}`,
+          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+          reason: `axios.${prop.name}('${urlInfo.value.slice(0, 50)}') call`,
+        });
+      }
+    }
+  }
+
+  // Pattern B: axios({ method, url })
+  if (t.isIdentifier(node.callee, { name: "axios" })) {
+    const configArg = node.arguments[0];
+    if (t.isObjectExpression(configArg)) {
+      const config = extractObjectLiteralProps(configArg);
+      if (config.url) {
+        const lineNum = node.loc?.start?.line || 1;
+
+        return createClientCall({
+          kind: CALL_KINDS.HTTP,
+          runtime,
+          method: (config.method || "GET").toUpperCase(),
+          urlTemplate: config.url,
+          canonicalPath: canonicalizeUrl(combineBaseUrl(config.baseURL, config.url)),
+          expectsJson: true,
+          authHint: "unknown",
+          confidence: "medium",
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 5}`,
+          snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+          reason: `axios({ url: '${config.url.slice(0, 50)}' }) call`,
+        });
+      }
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// TRPC EXTRACTION
+// =============================================================================
+
+/**
+ * Extract tRPC call
+ */
+function extractTRPCCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Pattern: trpc.user.get.useQuery() or trpc.billing.portal.useMutation()
+  if (t.isMemberExpression(node.callee)) {
+    const calleeCode = extractMemberChain(node.callee);
+
+    // Check for tRPC patterns
+    const trpcMatch = calleeCode.match(/^(?:trpc|api)\.(.+?)\.(useQuery|useMutation|query|mutate)$/);
+    if (trpcMatch) {
+      const procedure = trpcMatch[1];
+      const operationType = trpcMatch[2].includes("Mutation") || trpcMatch[2] === "mutate" ? "mutation" : "query";
+      const lineNum = node.loc?.start?.line || 1;
+
+      return createClientCall({
+        kind: CALL_KINDS.TRPC,
+        runtime,
+        method: "POST",
+        urlTemplate: `/api/trpc/${procedure}`,
+        canonicalPath: `/api/trpc/${procedure}`,
+        expectsJson: true,
+        authHint: "unknown",
+        confidence: "medium",
+        file: relPath,
+        lines: `${lineNum}-${lineNum + 3}`,
+        snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
+        reason: `tRPC ${operationType}: ${procedure}`,
+        meta: {
+          procedure,
+          operationType,
+        },
+      });
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// GRAPHQL EXTRACTION
+// =============================================================================
+
+/**
+ * Extract GraphQL call
+ */
+function extractGraphQLCall(path, content, relPath, runtime) {
+  const { node } = path;
+
+  // Pattern: useQuery(gql`...`) or useMutation(gql`...`)
+  if (t.isIdentifier(node.callee)) {
+    const calleeName = node.callee.name;
+
+    if (calleeName === "useQuery" || calleeName === "useMutation" || calleeName === "request") {
+      const queryArg = node.arguments[0];
+      let operationName = null;
+
+      // Try to extract operation name from gql template
+      if (t.isTaggedTemplateExpression(queryArg)) {
+        const template = queryArg.quasi.quasis.map(q => q.value.raw).join("");
+        const opMatch = template.match(/(?:query|mutation|subscription)\s+(\w+)/);
+        if (opMatch) {
+          operationName = opMatch[1];
+        }
+      }
+
+      const lineNum = node.loc?.start?.line || 1;
+
+      return createClientCall({
+        kind: CALL_KINDS.GRAPHQL,
+        runtime,
+        method: "POST",
+        urlTemplate: "/graphql",
+        canonicalPath: "/graphql",
+        expectsJson: true,
+        authHint: "unknown",
+        confidence: operationName ? "medium" : "low",
+        file: relPath,
+        lines: `${lineNum}-${lineNum + 5}`,
+        snippet: content.substring(node.start, Math.min(node.end, node.start + 200)),
+        reason: `GraphQL ${calleeName}${operationName ? `: ${operationName}` : ""}`,
+        meta: {
+          operationName,
+          operationType: calleeName.includes("Mutation") ? "mutation" : "query",
+        },
+      });
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// SERVER ACTIONS EXTRACTION
+// =============================================================================
+
+/**
+ * Extract Next.js Server Action
+ */
+function extractServerAction(path, content, relPath) {
+  const jsxAttr = path.node;
+  const container = jsxAttr.value;
+
+  if (!t.isJSXExpressionContainer(container)) return null;
+
+  const expr = container.expression;
+  let actionName = null;
+
+  if (t.isIdentifier(expr)) {
+    actionName = expr.name;
+  } else if (t.isMemberExpression(expr)) {
+    actionName = extractMemberChain(expr);
+  }
+
+  if (!actionName) return null;
+
+  const lineNum = jsxAttr.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.SERVER_ACTION,
+    runtime: RUNTIMES.SERVER,
+    method: "POST",
+    urlTemplate: `action://${relPath}#${actionName}`,
+    canonicalPath: `action://${relPath}#${actionName}`,
+    expectsJson: false,
+    authHint: "unknown",
+    confidence: "high",
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 1}`,
+    snippet: `action={${actionName}}`,
+    reason: `Server Action: ${actionName}`,
+    meta: {
+      actionExport: actionName,
+      module: relPath,
+    },
+  });
+}
+
+// =============================================================================
+// WRAPPER EXTRACTION
+// =============================================================================
+
+/**
+ * Extract wrapper definitions (axios instances, custom fetch wrappers)
+ */
+function extractWrappers(content, relPath, projectRoot) {
+  const wrappers = [];
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return wrappers;
+  }
+
+  traverse(ast, {
+    // axios.create()
+    CallExpression(path) {
+      const { node } = path;
+
+      if (
+        t.isMemberExpression(node.callee) &&
+        t.isIdentifier(node.callee.object, { name: "axios" }) &&
+        t.isIdentifier(node.callee.property, { name: "create" })
+      ) {
+        const configArg = node.arguments[0];
+        const config = t.isObjectExpression(configArg) ? extractObjectLiteralProps(configArg) : {};
+
+        // Find variable name
+        let name = "axiosInstance";
+        if (t.isVariableDeclarator(path.parent)) {
+          if (t.isIdentifier(path.parent.id)) {
+            name = path.parent.id.name;
+          }
+        }
+
+        wrappers.push({
+          id: `W_AXIOS_${hashShort(relPath + name)}`,
+          name,
+          kind: "axios",
+          baseURL: config.baseURL || "",
+          defaultHeaders: config.headers ? Object.keys(config.headers) : [],
+          file: relPath,
+          lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
+        });
+      }
+    },
+
+    // Custom fetch wrappers: export const api = { get: ..., post: ... }
+    VariableDeclarator(path) {
+      const { node } = path;
+
+      if (t.isIdentifier(node.id) && t.isObjectExpression(node.init)) {
+        const props = node.init.properties;
+        const methodProps = props.filter(
+          p => t.isIdentifier(p.key) && HTTP_METHODS.map(m => m.toLowerCase()).includes(p.key.name)
+        );
+
+        if (methodProps.length >= 2) {
+          // Looks like an API client object
+          wrappers.push({
+            id: `W_CUSTOM_${hashShort(relPath + node.id.name)}`,
+            name: node.id.name,
+            kind: "custom",
+            baseURL: "",
+            methods: methodProps.map(p => p.key.name),
+            file: relPath,
+            lines: `${node.loc?.start?.line || 1}-${node.loc?.end?.line || 1}`,
+          });
+        }
+      }
+    },
+  });
+
+  return wrappers;
+}
+
+/**
+ * Extract wrapper call (api.get(), apiClient.post(), etc.)
+ */
+function extractWrapperCall(path, content, relPath, runtime, wrapperMap) {
+  const { node } = path;
+
+  if (!t.isMemberExpression(node.callee)) return null;
+
+  const obj = node.callee.object;
+  const prop = node.callee.property;
+
+  if (!t.isIdentifier(obj) || !t.isIdentifier(prop)) return null;
+
+  const wrapper = wrapperMap.get(obj.name);
+  if (!wrapper) return null;
+
+  const methodName = prop.name.toUpperCase();
+  if (!HTTP_METHODS.includes(methodName) && methodName !== "REQUEST") return null;
+
+  const urlArg = node.arguments[0];
+  if (!urlArg) return null;
+
+  const urlInfo = extractUrlFromNode(urlArg, content);
+  if (!urlInfo.value) return null;
+
+  // Combine with wrapper baseURL
+  const fullUrl = combineBaseUrl(wrapper.baseURL, urlInfo.value);
+  const lineNum = node.loc?.start?.line || 1;
+
+  return createClientCall({
+    kind: CALL_KINDS.HTTP,
+    runtime,
+    method: methodName === "REQUEST" ? "UNKNOWN" : methodName,
+    urlTemplate: urlInfo.value,
+    canonicalPath: canonicalizeUrl(fullUrl),
+    expectsJson: true,
+    authHint: "unknown",
+    confidence: urlInfo.confidence,
+    file: relPath,
+    lines: `${lineNum}-${lineNum + 3}`,
+    snippet: content.substring(node.start, Math.min(node.end, node.start + 150)),
+    reason: `${obj.name}.${prop.name}('${urlInfo.value.slice(0, 50)}') via wrapper`,
+    meta: {
+      wrapperId: wrapper.id,
+    },
+  });
+}
+
+// =============================================================================
+// UI BINDING EXTRACTION
+// =============================================================================
+
+/**
+ * Extract UI bindings (onClick, onSubmit that call API)
+ */
+function extractUIBindings(content, relPath, calls) {
+  const bindings = [];
+  const callIds = new Set(calls.map(c => c.id));
+
+  let ast;
+  try {
+    ast = parser.parse(content, {
+      sourceType: "module",
+      plugins: ["typescript", "jsx", "decorators-legacy"],
+      errorRecovery: true,
+    });
+  } catch {
+    return bindings;
+  }
+
+  traverse(ast, {
+    JSXAttribute(path) {
+      const { node } = path;
+      const attrName = node.name?.name;
+
+      if (!["onClick", "onSubmit", "onBlur", "onChange", "action"].includes(attrName)) return;
+
+      if (!t.isJSXExpressionContainer(node.value)) return;
+
+      const expr = node.value.expression;
+      const lineNum = node.loc?.start?.line || 1;
+
+      // Find associated calls in this handler
+      const handlerCalls = calls.filter(c => {
+        const callLine = parseInt(c.evidence?.[0]?.lines?.split("-")[0] || "0");
+        return Math.abs(callLine - lineNum) < 20; // Within 20 lines
+      });
+
+      if (handlerCalls.length > 0) {
+        // Try to find label hint
+        const labelHint = findLabelHint(path);
+
+        bindings.push({
+          bindingId: `UIB_${hashShort(relPath + lineNum)}`,
+          file: relPath,
+          lines: `${lineNum}-${lineNum + 5}`,
+          event: attrName,
+          labelHint,
+          calls: handlerCalls.map(c => c.id),
+        });
+      }
+    },
+  });
+
+  return bindings;
+}
+
+/**
+ * Find label hint from JSX context
+ */
+function findLabelHint(path) {
+  // Look for button text, aria-label, etc.
+  const parent = path.parentPath;
+  if (!parent) return null;
+
+  // Check for aria-label
+  if (t.isJSXOpeningElement(parent.node)) {
+    const ariaLabel = parent.node.attributes.find(
+      a => t.isJSXAttribute(a) && a.name?.name === "aria-label"
+    );
+    if (ariaLabel && t.isStringLiteral(ariaLabel.value)) {
+      return ariaLabel.value.value;
+    }
+  }
+
+  // Check for children text
+  const jsxElement = parent.parentPath;
+  if (t.isJSXElement(jsxElement?.node)) {
+    const textChild = jsxElement.node.children.find(
+      c => t.isJSXText(c) && c.value.trim()
+    );
+    if (textChild) {
+      return textChild.value.trim();
+    }
+  }
+
+  return null;
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+/**
+ * Extract URL value and confidence from AST node
+ */
+function extractUrlFromNode(node, content) {
+  // String literal: HIGH confidence
+  if (t.isStringLiteral(node)) {
+    return { value: node.value, confidence: "high" };
+  }
+
+  // Template literal
+  if (t.isTemplateLiteral(node)) {
+    if (node.expressions.length === 0) {
+      // No expressions: HIGH
+      return { value: node.quasis[0].value.raw, confidence: "high" };
+    }
+    // Has expressions: MEDIUM
+    const template = node.quasis.map((q, i) => {
+      const expr = node.expressions[i];
+      return q.value.raw + (expr ? `{${i}}` : "");
+    }).join("");
+    return { value: template, confidence: "medium" };
+  }
+
+  // Binary expression (concatenation)
+  if (t.isBinaryExpression(node, { operator: "+" })) {
+    const left = extractUrlFromNode(node.left, content);
+    const right = extractUrlFromNode(node.right, content);
+    if (left.value && right.value) {
+      return {
+        value: left.value + right.value,
+        confidence: "medium",
+      };
+    }
+  }
+
+  // Variable: LOW confidence
+  if (t.isIdentifier(node)) {
+    return { value: `\${${node.name}}`, confidence: "low" };
+  }
+
+  return { value: null, confidence: "low" };
+}
+
+/**
+ * Extract method from fetch init argument
+ */
+function extractMethodFromInit(initNode) {
+  if (!initNode || !t.isObjectExpression(initNode)) return null;
+
+  const methodProp = initNode.properties.find(
+    p => t.isObjectProperty(p) && t.isIdentifier(p.key, { name: "method" })
+  );
+
+  if (methodProp && t.isStringLiteral(methodProp.value)) {
+    return methodProp.value.value.toUpperCase();
+  }
+
+  return null;
+}
+
+/**
+ * Extract expectsJson from init
+ */
+function extractExpectsJson(initNode, path) {
+  if (!initNode) return false;
+
+  if (t.isObjectExpression(initNode)) {
+    const props = extractObjectLiteralProps(initNode);
+    if (props.headers?.["content-type"]?.includes("application/json")) return true;
+    if (props.body && typeof props.body === "string" && props.body.includes("JSON.stringify")) return true;
+  }
+
+  // Check if .json() is called on response
+  // This would require more complex flow analysis
+  return false;
+}
+
+/**
+ * Extract auth hint from init
+ */
+function extractAuthHint(initNode) {
+  if (!initNode || !t.isObjectExpression(initNode)) return "unknown";
+
+  const props = extractObjectLiteralProps(initNode);
+
+  if (props.credentials === "include") return "cookie";
+  if (props.headers?.authorization?.toLowerCase().startsWith("bearer")) return "bearer";
+  if (props.headers?.Authorization?.toLowerCase().startsWith("bearer")) return "bearer";
+
+  return "unknown";
+}
+
+/**
+ * Extract object literal properties as plain object
+ */
+function extractObjectLiteralProps(node) {
+  const props = {};
+
+  for (const prop of node.properties) {
+    if (t.isObjectProperty(prop) && t.isIdentifier(prop.key)) {
+      const key = prop.key.name;
+
+      if (t.isStringLiteral(prop.value)) {
+        props[key] = prop.value.value;
+      } else if (t.isObjectExpression(prop.value)) {
+        props[key] = extractObjectLiteralProps(prop.value);
+      } else if (t.isIdentifier(prop.value)) {
+        props[key] = `$${prop.value.name}`;
+      }
+    }
+  }
+
+  return props;
+}
+
+/**
+ * Extract member expression chain as string
+ */
+function extractMemberChain(node) {
+  const parts = [];
+
+  let current = node;
+  while (t.isMemberExpression(current)) {
+    if (t.isIdentifier(current.property)) {
+      parts.unshift(current.property.name);
+    }
+    current = current.object;
+  }
+
+  if (t.isIdentifier(current)) {
+    parts.unshift(current.name);
+  }
+
+  return parts.join(".");
+}
+
+/**
+ * Infer runtime from file content
+ */
+function inferRuntime(content, relPath) {
+  if (content.includes('"use client"') || content.includes("'use client'")) {
+    return RUNTIMES.CLIENT;
+  }
+  if (content.includes('"use server"') || content.includes("'use server'")) {
+    return RUNTIMES.SERVER;
+  }
+  if (relPath.includes("/api/") || relPath.includes("server")) {
+    return RUNTIMES.SERVER;
+  }
+  if (relPath.includes("/lib/") || relPath.includes("/utils/")) {
+    return RUNTIMES.SHARED;
+  }
+  return RUNTIMES.UNKNOWN;
+}
+
+/**
+ * Canonicalize URL path
+ */
+function canonicalizeUrl(url) {
+  if (!url) return null;
+
+  let canonical = url;
+
+  // Strip protocol and host
+  canonical = canonical.replace(/^https?:\/\/[^/]+/, "");
+
+  // Strip query string
+  canonical = canonical.split("?")[0];
+
+  // Strip hash
+  canonical = canonical.split("#")[0];
+
+  // Replace template expressions with params
+  canonical = canonical.replace(/\$\{[^}]+\}/g, "{param}");
+  canonical = canonical.replace(/\{[0-9]+\}/g, "{param}");
+
+  // Normalize slashes
+  canonical = canonical.replace(/\/+/g, "/");
+
+  // Ensure leading slash
+  if (!canonical.startsWith("/") && !canonical.startsWith("action://")) {
+    canonical = "/" + canonical;
+  }
+
+  // Remove trailing slash (except root)
+  if (canonical.length > 1) {
+    canonical = canonical.replace(/\/$/, "");
+  }
+
+  return canonical;
+}
+
+/**
+ * Combine base URL with path
+ */
+function combineBaseUrl(base, path) {
+  if (!base) return path;
+  if (!path) return base;
+
+  const baseTrimmed = base.replace(/\/$/, "");
+  const pathTrimmed = path.startsWith("/") ? path : "/" + path;
+
+  return baseTrimmed + pathTrimmed;
+}
+
+/**
+ * Create a ClientCall record
+ */
+function createClientCall(opts) {
+  const id = `C_CALL_${hashShort(opts.file + opts.urlTemplate + opts.method)}`;
+
+  return {
+    id,
+    kind: opts.kind,
+    runtime: opts.runtime,
+    method: opts.method,
+    urlTemplate: opts.urlTemplate,
+    canonicalPath: opts.canonicalPath,
+    expectsJson: opts.expectsJson,
+    authHint: opts.authHint,
+    confidence: opts.confidence,
+    evidence: [{
+      id: `E_${hashShort(opts.file + opts.lines)}`,
+      kind: "file",
+      file: opts.file,
+      lines: opts.lines,
+      snippetHash: hashSnippet(opts.snippet || ""),
+      reason: opts.reason,
+    }],
+    meta: opts.meta || {},
+  };
+}
+
+function hashShort(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 12).toUpperCase();
+}
+
+function hashSnippet(text) {
+  return `sha256:${crypto.createHash("sha256").update(text).digest("hex")}`;
+}
+
+// =============================================================================
+// EXPORTS
+// =============================================================================
+
+module.exports = {
+  extractClientCalls,
+  extractCallsFromFile,
+  extractFetchCall,
+  extractAxiosCall,
+  extractTRPCCall,
+  extractGraphQLCall,
+  extractServerAction,
+  extractWrappers,
+  extractWrapperCall,
+  extractUIBindings,
+  canonicalizeUrl,
+  combineBaseUrl,
+  inferRuntime,
+  CALL_KINDS,
+  RUNTIMES,
+  HTTP_METHODS,
+};