feat(ts-io): emit unresolved-call edges for imported names + browser catalog (WI-banaf)

jgstern-agent · jgstern-agent · commit 275e15a61e58 · 2026-04-14T09:54:43.000-04:00
UAT BUG-09a observed 0 io-boundaries on TypeScript repos. Two structural
gaps were responsible:

1. The JS/TS analyzer never emitted call edges to imported function
   names that didn't resolve to an intra-repo symbol. Calls like
   `import { existsSync } from 'node:fs'; existsSync(p)` produced no
   edge at all, so the io-boundaries layer had nothing to match against.
   Added an unresolved-edge fallback in the bare-name call path: when
   `func_name in named_imports` and no callee resolves, emit
   `&lt;lang&gt;:&lt;module_hint&gt;:0-0:&lt;name&gt;:unresolved` with the import path
   normalised (strip `node:` prefix, strip `./` `../` leaders) so the
   colon-delimited symbol ID stays parseable.

2. The JavaScript catalog was Node-only. Added browser/web-API entries:
   WebSocket / EventSource / BroadcastChannel (net), XMLHttpRequest /
   navigator.sendBeacon / window.fetch (net_send), localStorage /
   sessionStorage / indexedDB / caches (fs_read &amp; fs_write), console.*
   (logging), navigator / window / document env reads, plus the common
   third-party HTTP clients ky / got / superagent / undici.

Verified on nextjs/packages/create-next-app: total_io_edges 0 → 27
(fs_read 17 chains, fs_write 4, subprocess 6). apollo-server: 0 → 7
(logging+net_recv via console.log + http.createServer).

Member calls on namespace and default imports (`fs.readFileSync` after
`import * as fs`, `axios.get` after `import axios`) are not yet covered;
filed as follow-up WI-vurop.

Signed-off-by: jgstern-agent &lt;josh-agent@iterabloom.com&gt;
diff --git a/.ci/affected-tests.txt b/.ci/affected-tests.txt
@@ -1,16 +1,17 @@
 # Test selection manifest
-# Generated by smart-test at 2026-04-14T05:14:04-04:00
+# Generated by smart-test at 2026-04-14T09:54:37-04:00
 # Mode: targeted
 # Baseline: 3a502998615fa04cbe60be62b61dd38520b9750b
-# Changed files: 11
-# Changed source files: 4
-# Selected tests: 269
+# Changed files: 15
+# Changed source files: 5
+# Selected tests: 270
 #
 # === CHANGED_SOURCE_FILES ===
 packages/hypergumbo-core/src/hypergumbo_core/cli.py
 packages/hypergumbo-core/src/hypergumbo_core/discovery.py
 packages/hypergumbo-core/src/hypergumbo_core/gitleaks.py
 packages/hypergumbo-core/src/hypergumbo_core/sketch.py
+packages/hypergumbo-lang-mainstream/src/hypergumbo_lang_mainstream/js_ts.py
 # === SELECTED_TESTS ===
 packages/hypergumbo-core/tests/BRANCHES_test_database_query.py
 packages/hypergumbo-core/tests/BRANCHES_test_graphql.py
@@ -279,5 +280,6 @@ packages/hypergumbo-lang-mainstream/tests/test_scala.py
 packages/hypergumbo-lang-mainstream/tests/test_sql_analyzer.py
 packages/hypergumbo-lang-mainstream/tests/test_swift.py
 packages/hypergumbo-lang-mainstream/tests/test_toml_analyzer.py
+packages/hypergumbo-lang-mainstream/tests/test_ts_decorator_edges.py
 packages/hypergumbo-lang-mainstream/tests/test_xml_analyzer.py
 packages/hypergumbo-lang-mainstream/tests/test_yaml_ansible.py
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,10 @@ This changelog tracks the **tool version** (package releases). The **schema vers
 
 - **Cached secret-scan results across warm sketch runs** (WI-julir / UAT BUG-20): `scan_content_cached` keys gitleaks output by sha256 of the sketch content and stores up to 8 entries in the per-state results cache directory. A warm `hypergumbo sketch` now completes in roughly the `--no-secret-scan` time (~7s on alertmanager) instead of paying the ~8s gitleaks cost on every invocation. The cache invalidates automatically when the repo state hash changes (the cache lives inside the per-state directory).
 
+### Added
+
+- **TypeScript/JavaScript I/O boundary tracing** (WI-banaf / UAT BUG-09a): the JS/TS analyzer now emits unresolved-call edges for bare-name calls to named imports (e.g. `import { existsSync } from 'node:fs'; existsSync()`), so the io-boundaries pipeline can match them against the catalog. Browser-API entries added to the JavaScript catalog: WebSocket, EventSource, BroadcastChannel, XMLHttpRequest, navigator.sendBeacon, localStorage / sessionStorage / indexedDB / caches, console logging, navigator/window/document env reads, and HTTP-client modules ky/got/superagent/undici. Verified on `nextjs/packages/create-next-app`: total_io_edges 0 → 27 (fs_read/fs_write/subprocess populated). Member calls on namespace and default imports remain a follow-up (WI-vurop).
+
 ## [2.6.0] - 2026-04-12
 
 ### Changed
diff --git a/packages/hypergumbo-core/src/hypergumbo_core/io_primitives/javascript.yaml b/packages/hypergumbo-core/src/hypergumbo_core/io_primitives/javascript.yaml
@@ -58,6 +58,20 @@ fs_read:
     notes: "Deno runtime file read operations"
   - module: Deno
     methods: [readFile, readTextFile, readDir, stat, lstat]
+  # Browser persistent storage (WI-banaf): treated as fs_read because they
+  # are persistent reads from a host-managed store.
+  - module: localStorage
+    methods: [getItem, key, length]
+    notes: "Browser localStorage read"
+  - module: sessionStorage
+    methods: [getItem, key, length]
+    notes: "Browser sessionStorage read"
+  - module: indexedDB
+    functions: [open, databases]
+    notes: "Browser IndexedDB read"
+  - module: caches
+    functions: [open, match, has, keys]
+    notes: "Browser CacheStorage read (Service Workers)"
 
 fs_write:
   - module: fs
@@ -70,6 +84,13 @@ fs_write:
   - module: Deno
     functions: [writeFile, writeTextFile, mkdir, remove, rename, chmod, chown, truncate, create]
     notes: "Deno runtime file write operations"
+  # Browser persistent storage writes (WI-banaf)
+  - module: localStorage
+    methods: [setItem, removeItem, clear]
+    notes: "Browser localStorage write"
+  - module: sessionStorage
+    methods: [setItem, removeItem, clear]
+    notes: "Browser sessionStorage write"
 
 net_send:
   - module: http
@@ -99,6 +120,32 @@ net_send:
   - module: Deno
     functions: [connect, connectTls]
     notes: "Deno runtime network client operations"
+  # Browser network sinks (WI-banaf)
+  - module: WebSocket
+    methods: [send]
+    notes: "Browser WebSocket client send"
+  - module: window
+    functions: [fetch]
+    notes: "Browser window.fetch (same as global fetch)"
+  - module: navigator
+    methods: [sendBeacon]
+    notes: "Browser navigator.sendBeacon for analytics/telemetry"
+  - module: XMLHttpRequest
+    methods: [send, open, setRequestHeader]
+    notes: "Browser XHR"
+  # Common browser HTTP client libraries (resolved via named imports)
+  - module: ky
+    functions: [get, post, put, delete, patch, head, create]
+    notes: "ky HTTP client (browser/Deno)"
+  - module: superagent
+    functions: [get, post, put, delete, patch, head]
+    notes: "superagent HTTP client"
+  - module: got
+    functions: [get, post, put, delete, patch, head, request]
+    notes: "got HTTP client (Node)"
+  - module: undici
+    functions: [request, fetch, stream]
+    notes: "undici HTTP client (Node)"
 
 net_recv:
   - module: http
@@ -125,6 +172,16 @@ net_recv:
   - module: koa.Application
     methods: [listen]
     notes: "Koa server listen"
+  # Browser network sources (WI-banaf)
+  - module: EventSource
+    methods: [addEventListener, onmessage, onerror]
+    notes: "Browser Server-Sent Events client"
+  - module: WebSocket
+    methods: [addEventListener, onmessage, onopen, onclose, onerror]
+    notes: "Browser WebSocket client receive"
+  - module: BroadcastChannel
+    methods: [postMessage, addEventListener]
+    notes: "Browser cross-tab messaging"
 
 subprocess:
   - module: child_process
@@ -135,6 +192,16 @@ env_read:
     attributes: [env, argv, platform, arch, version, cwd]
   - module: os
     functions: [hostname, platform, arch, release, type, cpus, totalmem, freemem, homedir, tmpdir, userInfo]
+  # Browser environment introspection (WI-banaf)
+  - module: navigator
+    attributes: [userAgent, language, languages, platform, geolocation, cookieEnabled, onLine]
+    notes: "Browser environment / capability detection"
+  - module: window
+    attributes: [location, navigator, screen, document]
+    notes: "Browser window globals"
+  - module: document
+    attributes: [cookie, location, referrer]
+    notes: "Browser document globals (cookie/referrer leak fingerprintable data)"
 
 ipc_send:
   - module: process
@@ -149,3 +216,9 @@ ipc_recv:
   - module: process
     methods: [on]
     notes: "process.on('message', ...) for IPC from parent"
+
+logging:
+  # Browser + Node share console.* (WI-banaf)
+  - module: console
+    methods: [log, info, warn, error, debug, trace, dir, table, group, groupEnd, time, timeEnd]
+    notes: "Universal console logging (browser + Node)"
diff --git a/packages/hypergumbo-lang-mainstream/src/hypergumbo_lang_mainstream/js_ts.py b/packages/hypergumbo-lang-mainstream/src/hypergumbo_lang_mainstream/js_ts.py
@@ -308,6 +308,30 @@ def _get_parser_for_file(file_path: Path) -> Optional["tree_sitter.Parser"]:
         return parser
 
 
+def _normalize_import_module_hint(module: str) -> str:
+    """Normalise an import path to a module hint usable in symbol IDs.
+
+    Symbol IDs are colon-delimited (``lang:module:span:name:kind``) so a
+    raw ``node:fs`` import path would corrupt the parse downstream.  We
+    strip the ``node:`` prefix (Node 16+ canonical form for built-ins)
+    and the relative-path leaders (``./``, ``../``) so the module hint
+    becomes the bare module name expected by the I/O catalog
+    (``fs``, ``child_process``, ``axios``).
+
+    Examples:
+        node:fs           -> fs
+        node:child_process -> child_process
+        ./utils           -> utils
+        ../helpers/git    -> helpers/git
+        @scope/pkg        -> @scope/pkg (unchanged)
+    """
+    if module.startswith("node:"):
+        return module[5:]
+    while module.startswith("./") or module.startswith("../"):
+        module = module[2:] if module.startswith("./") else module[3:]
+    return module
+
+
 def _extract_namespace_imports(
     tree: "tree_sitter.Tree",
     source: bytes,
@@ -3670,7 +3694,32 @@ def _extract_edges(
                                 confidence=edge_confidence,
                             )
                             edges.append(edge)
+                        elif (named_imports or {}).get(func_name):
+                            # WI-banaf: when a named-imported function is
+                            # called but doesn't resolve to an intra-repo
+                            # symbol (the common case for Node/browser
+                            # built-ins like ``existsSync`` from ``node:fs``),
+                            # emit an unresolved-call edge with the import
+                            # path as the module hint. The io-boundaries
+                            # layer matches the callee name against the
+                            # JavaScript catalog and tags the edge.
+                            module_hint = _normalize_import_module_hint(
+                                named_imports[func_name]
+                            )
+                            dst_id = f"{lang}:{module_hint}:0-0:{func_name}:unresolved"
+                            edge = Edge.create(
+                                src=current_function.id,
+                                dst=dst_id,
+                                edge_type="calls",
+                                line=node.start_point[0] + 1 + line_offset,
+                                origin=PASS_ID,
+                                origin_run_id=run.execution_id,
+                                evidence_type="ast_call_unresolved_import",
+                                confidence=0.70,
+                            )
+                            edges.append(edge)
 
+                        if callee is not None:
                             # Return type inference: if function has a return
                             # type annotation, track the variable's type
                             if callee.kind in ("function", "method"):
diff --git a/packages/hypergumbo-lang-mainstream/tests/test_js_ts.py b/packages/hypergumbo-lang-mainstream/tests/test_js_ts.py
@@ -266,6 +266,85 @@ def test_extracts_function_calls(self, tmp_path: Path) -> None:
         # main calls helper
         assert any("helper" in e.dst for e in call_edges)
 
+    def test_unresolved_call_to_named_import_emits_edge(self, tmp_path: Path) -> None:
+        """Bare-name calls to named imports emit unresolved call edges (WI-banaf).
+
+        Without these edges io-boundaries cannot match Node/browser I/O
+        primitives in TypeScript projects (UAT 2026-04-13 BUG-09a). The
+        destination ID encodes the import path as the module hint so the
+        catalog lookup can disambiguate (``fs`` vs ``crypto`` etc.).
+        """
+        pytest.importorskip("tree_sitter_typescript")
+        from hypergumbo_lang_mainstream.js_ts import analyze_javascript
+
+        code = """
+import { existsSync, readFileSync } from 'node:fs';
+
+export function loadConfig(path: string) {
+  if (!existsSync(path)) return null;
+  return readFileSync(path, 'utf8');
+}
+"""
+        (tmp_path / "app.ts").write_text(code)
+        result = analyze_javascript(tmp_path)
+
+        unresolved = [
+            e for e in result.edges
+            if e.edge_type == "calls" and ":unresolved" in e.dst
+        ]
+        callees = {e.dst for e in unresolved}
+        assert any("existsSync" in c for c in callees), callees
+        assert any("readFileSync" in c for c in callees), callees
+        # Module hint encoded in dst (second colon-separated segment).
+        for c in callees:
+            if "existsSync" in c or "readFileSync" in c:
+                # typescript:<module>:0-0:<name>:unresolved
+                segs = c.split(":")
+                # 'node:fs' contains a colon, so we expect either 'fs' or 'node'.
+                # The module hint normalisation strips the 'node:' prefix.
+                module = segs[1]
+                assert module in ("fs", "node"), c
+
+    def test_resolved_call_does_not_emit_unresolved_edge(self, tmp_path: Path) -> None:
+        """When a callee resolves intra-repo we do NOT also emit an unresolved edge."""
+        from hypergumbo_lang_mainstream.js_ts import analyze_javascript
+
+        code = """
+function helper() { return 1; }
+function main() { helper(); }
+"""
+        (tmp_path / "app.js").write_text(code)
+        result = analyze_javascript(tmp_path)
+
+        unresolved = [
+            e for e in result.edges
+            if e.edge_type == "calls" and ":unresolved" in e.dst
+        ]
+        assert all("helper" not in e.dst for e in unresolved)
+
+    def test_unresolved_skips_unimported_names(self, tmp_path: Path) -> None:
+        """Calls to unknown bare names without an import do not produce noise.
+
+        Only names that appear in the file's named-import map become
+        unresolved edges. This bounds the noise to legitimate import sites
+        and keeps the catalog match precise.
+        """
+        from hypergumbo_lang_mainstream.js_ts import analyze_javascript
+
+        code = """
+function main() {
+  somethingNobodyImported();
+}
+"""
+        (tmp_path / "app.js").write_text(code)
+        result = analyze_javascript(tmp_path)
+
+        unresolved = [
+            e for e in result.edges
+            if e.edge_type == "calls" and ":unresolved" in e.dst
+        ]
+        assert all("somethingNobodyImported" not in e.dst for e in unresolved)
+
     def test_typescript_with_types(self, tmp_path: Path) -> None:
         """Handles TypeScript files with type annotations."""
         pytest.importorskip("tree_sitter_typescript")
