feat(frameworks): wire stage-3 config-AST evidence into detection#264
Merged
Conversation
Stage 3 (config-AST: next.config.*, astro.config.*, vite.config.*, META-INF/spring.factories) shipped as a tested standalone module but reached no detection — the dispatcher input had no way to carry config text, so `inspectConfigAst` was never called in production and its evidence never landed on `frameworksDetected`. Wire it: `FrameworkDetectorInput` gains optional `configText`; the dispatcher runs `inspectConfigAst` once, groups findings by framework name, and merges them as stage-3 evidence into a detection that ALREADY hit on a manifest/layout signal — config text corroborates, it never creates a detection (a repo can carry a vendored config without using the framework). The `frameworks.ts` wrapper pre-reads CONFIG_AST_FILES alongside manifests/lockfiles and threads `configText` through both entrypoints, so the profile phase picks it up with no phase-ordering change. Legacy callers that omit `configText` are unaffected. Verified end-to-end: `analyze` on a Next.js repo now records the nextjs detection with evidence stages [1, 3, 4] — stage 3 contributing "next.config present" + "nextjs router: app-router" (previously only [1, 4]). Stage 5 (imports/SCIP) stays deferred: it consumes resolved IMPORTS edges, but the profile phase runs (deps: [scan]) before `crossFile` resolves them. Wiring it needs a phase-ordering change; documented in the package header as the remaining step. frameworks 92 + ingestion 638 tests green; full workspace 0 fail.
Merged
theagenticguy
added a commit
that referenced
this pull request
Jun 29, 2026
🤖 Automated release via release-please --- <details><summary>root: 0.10.3</summary> ## [0.10.3](root-v0.10.2...root-v0.10.3) (2026-06-29) ### Features * **frameworks:** wire stage-3 config-AST evidence into detection ([#264](#264)) ([18e08b2](18e08b2)) * **pack:** context-bom read-receipt (9th BOM item) + real production provenance ([#261](#261)) ([b936af2](b936af2)) ### Bug Fixes * wire four dropped injection seams (F1–F4 from the latent-bug sweep) ([#263](#263)) ([dde590e](dde590e)) </details> <details><summary>cli: 0.10.3</summary> ## [0.10.3](cli-v0.10.2...cli-v0.10.3) (2026-06-29) ### Features * **pack:** context-bom read-receipt (9th BOM item) + real production provenance ([#261](#261)) ([b936af2](b936af2)) ### Bug Fixes * wire four dropped injection seams (F1–F4 from the latent-bug sweep) ([#263](#263)) ([dde590e](dde590e)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Wires framework-detection stage 3 (config-AST) into the production path. This was the documented-deferred near-miss flagged by the latent-bug sweep:
inspectConfigAst(handlesnext.config.*,astro.config.*,vite.config.*,META-INF/spring.factories) shipped as a tested standalone module but had zero production callers — the dispatcher input couldn't carry config text, so its evidence never reachedframeworksDetected.What changed
FrameworkDetectorInputgains optionalconfigText. The dispatcher runsinspectConfigAstonce, groups findings by framework name, and merges them as stage-3 evidence into a detection that already hit on a manifest/layout signal.frameworks.tspre-readsCONFIG_AST_FILESalongside manifests/lockfiles and threadsconfigTextthrough both entrypoints, so the profile phase picks it up with no phase-ordering change. Legacy callers that omitconfigTextare unaffected (verified by a no-op test).Verification
analyzeon a Next.js repo now records the nextjs detection with evidence stages [1, 3, 4] — stage 3 contributingnext.config present+nextjs router: app-router(previously only [1, 4]).spring.factories, which is not a catalog file-marker); omittingconfigTextis a no-op.biome ciclean.Deferred: stage 5 (imports / SCIP)
Stage 5 consumes resolved
IMPORTSedges, but the profile phase runs (deps: [scan]) beforecrossFileresolves them. Wiring it needs a phase-ordering change (run framework detection aftercrossFile, or add a later detection pass). Documented in the package header as the remaining step — out of scope here to avoid a DAG change in this PR.🤖 Generated with Claude Code