feat: wire dead-code to /v1/analysis/dead-code endpoint (#23)

* feat: wire dead-code command to /v1/analysis/dead-code endpoint

Replace naive graph-edge counting with the API's dedicated dead code
analysis endpoint which provides multi-phase reachability, transitive
propagation, confidence levels, line numbers, and reasons.

New flags: --min-confidence (high/medium/low), --limit
Removed: --include-exports (handled by API)

Closes #22

* test: add unit tests for dead-code output formatting and JSON

* feat: add --ignore flag and SUPERMODEL_API_KEY env var support

- dead-code: --ignore <glob> filters candidates client-side (repeatable,
  supports ** across segments). Implemented without new dependencies.
- config: SUPERMODEL_API_KEY and SUPERMODEL_API_BASE env vars override
  config file values, enabling CI/CD usage without a config file.
- dead-code summary line now reflects post-filter candidate count.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Grey Newell <greyshipscode@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

cmd/deadcode.go

@@ -13,13 +13,13 @@ func init() {
 	c := &cobra.Command{
 		Use:     "dead-code [path]",
 		Aliases: []string{"dc"},
-		Short:   "Find functions with no callers",
-		Long: `Analyses the call graph and reports functions that are never called
-from anywhere in the repository.
+		Short:   "Find unreachable functions using static analysis",
+		Long: `Uploads the repository to the Supermodel API and runs multi-phase dead
+code analysis including call graph reachability, entry point detection,
+and transitive propagation.
 
-Exported functions, entry points (main, init), and test functions are
-excluded by default because they are reachable by external callers.
-Pass --include-exports to include them.`,
+Results include confidence levels (high/medium/low), line numbers, and
+explanations for why each function was flagged.`,
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cfg, err := config.Load()
@@ -38,7 +38,9 @@ Pass --include-exports to include them.`,
 	}
 
 	c.Flags().BoolVar(&opts.Force, "force", false, "re-analyze even if a cached result exists")
-	c.Flags().BoolVar(&opts.IncludeExports, "include-exports", false, "include exported functions in results")
+	c.Flags().StringVar(&opts.MinConfidence, "min-confidence", "", "minimum confidence: high, medium, or low")
+	c.Flags().IntVar(&opts.Limit, "limit", 0, "maximum number of candidates to return")
+	c.Flags().StringArrayVar(&opts.Ignore, "ignore", nil, "glob pattern to exclude from results (repeatable, supports **)")
 	c.Flags().StringVarP(&opts.Output, "output", "o", "", "output format: human|json")
 
 	rootCmd.AddCommand(c)

internal/api/client.go

@@ -110,6 +110,63 @@ func (c *Client) pollUntilComplete(ctx context.Context, zipPath, idempotencyKey
 // postZip sends the repository ZIP to the analyze endpoint and returns the
 // raw job response (which may be pending, processing, or completed).
 func (c *Client) postZip(ctx context.Context, zipPath, idempotencyKey string) (*JobResponse, error) {
+	return c.postZipTo(ctx, zipPath, idempotencyKey, analyzeEndpoint)
+}
+
+// deadCodeEndpoint is the API path for dead code analysis.
+const deadCodeEndpoint = "/v1/analysis/dead-code"
+
+// DeadCode uploads a repository ZIP and runs dead code analysis,
+// polling until the async job completes and returning the result.
+func (c *Client) DeadCode(ctx context.Context, zipPath, idempotencyKey string, minConfidence string, limit int) (*DeadCodeResult, error) {
+	endpoint := deadCodeEndpoint
+	sep := "?"
+	if minConfidence != "" {
+		endpoint += sep + "min_confidence=" + minConfidence
+		sep = "&"
+	}
+	if limit > 0 {
+		endpoint += sep + fmt.Sprintf("limit=%d", limit)
+	}
+
+	job, err := c.postZipTo(ctx, zipPath, idempotencyKey, endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	for job.Status == "pending" || job.Status == "processing" {
+		wait := time.Duration(job.RetryAfter) * time.Second
+		if wait <= 0 {
+			wait = 5 * time.Second
+		}
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(wait):
+		}
+
+		job, err = c.postZipTo(ctx, zipPath, idempotencyKey, endpoint)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if job.Error != nil {
+		return nil, fmt.Errorf("dead code analysis failed: %s", *job.Error)
+	}
+	if job.Status != "completed" {
+		return nil, fmt.Errorf("unexpected job status: %s", job.Status)
+	}
+
+	var result DeadCodeResult
+	if err := json.Unmarshal(job.Result, &result); err != nil {
+		return nil, fmt.Errorf("decode dead code result: %w", err)
+	}
+	return &result, nil
+}
+
+// postZipTo sends a repository ZIP to the given endpoint and returns the job response.
+func (c *Client) postZipTo(ctx context.Context, zipPath, idempotencyKey, endpoint string) (*JobResponse, error) {
 	f, err := os.Open(zipPath)
 	if err != nil {
 		return nil, err
@@ -128,7 +185,7 @@ func (c *Client) postZip(ctx context.Context, zipPath, idempotencyKey string) (*
 	mw.Close()
 
 	var job JobResponse
-	if err := c.request(ctx, http.MethodPost, analyzeEndpoint, mw.FormDataContentType(), &buf, idempotencyKey, &job); err != nil {
+	if err := c.request(ctx, http.MethodPost, endpoint, mw.FormDataContentType(), &buf, idempotencyKey, &job); err != nil {
 		return nil, err
 	}
 	return &job, nil

internal/api/types.go

@@ -158,6 +158,48 @@ type jobResult struct {
 	Graph Graph `json:"graph"`
 }
 
+// DeadCodeResult is the result from /v1/analysis/dead-code.
+type DeadCodeResult struct {
+	Metadata           DeadCodeMetadata    `json:"metadata"`
+	DeadCodeCandidates []DeadCodeCandidate `json:"deadCodeCandidates"`
+	AliveCode          []AliveCode         `json:"aliveCode"`
+	EntryPoints        []EntryPoint        `json:"entryPoints"`
+}
+
+// DeadCodeMetadata holds summary stats for a dead code analysis.
+type DeadCodeMetadata struct {
+	TotalDeclarations  int    `json:"totalDeclarations"`
+	DeadCodeCandidates int    `json:"deadCodeCandidates"`
+	AliveCode          int    `json:"aliveCode"`
+	AnalysisMethod     string `json:"analysisMethod"`
+	AnalysisStartTime  string `json:"analysisStartTime"`
+	AnalysisEndTime    string `json:"analysisEndTime"`
+}
+
+// DeadCodeCandidate is a function flagged as unreachable.
+type DeadCodeCandidate struct {
+	File       string `json:"file"`
+	Name       string `json:"name"`
+	Line       int    `json:"line"`
+	Type       string `json:"type"`
+	Confidence string `json:"confidence"`
+	Reason     string `json:"reason"`
+}
+
+// AliveCode is a function confirmed as reachable.
+type AliveCode struct {
+	File        string `json:"file"`
+	Name        string `json:"name"`
+	Line        int    `json:"line"`
+	Type        string `json:"type"`
+	CallerCount int    `json:"callerCount"`
+}
+
+// EntryPoint is a detected entry point that should not be flagged as dead.
+type EntryPoint struct {
+	File string `json:"file"`
+}
+
 // Error represents a non-2xx response from the API.
 type Error struct {
 	StatusCode int    `json:"-"`

internal/config/config.go

@@ -32,10 +32,15 @@ func Path() string {
 }
 
 // Load reads the config file. Returns defaults when the file does not exist.
+// Environment variables override file values:
+//   - SUPERMODEL_API_KEY overrides api_key
+//   - SUPERMODEL_API_BASE overrides api_base
 func Load() (*Config, error) {
 	data, err := os.ReadFile(Path())
 	if os.IsNotExist(err) {
-		return defaults(), nil
+		cfg := defaults()
+		cfg.applyEnv()
+		return cfg, nil
 	}
 	if err != nil {
 		return nil, fmt.Errorf("read config: %w", err)
@@ -45,6 +50,7 @@ func Load() (*Config, error) {
 		return nil, fmt.Errorf("parse config: %w", err)
 	}
 	cfg.applyDefaults()
+	cfg.applyEnv()
 	return &cfg, nil
 }
 
@@ -84,3 +90,12 @@ func (c *Config) applyDefaults() {
 		c.Output = defaultOutput
 	}
 }
+
+func (c *Config) applyEnv() {
+	if key := os.Getenv("SUPERMODEL_API_KEY"); key != "" {
+		c.APIKey = key
+	}
+	if base := os.Getenv("SUPERMODEL_API_BASE"); base != "" {
+		c.APIBase = base
+	}
+}

internal/config/config_test.go

@@ -9,6 +9,8 @@ import (
 
 func TestLoadDefaults(t *testing.T) {
 	t.Setenv("HOME", t.TempDir())
+	t.Setenv("SUPERMODEL_API_KEY", "")
+	t.Setenv("SUPERMODEL_API_BASE", "")
 	cfg, err := Load()
 	if err != nil {
 		t.Fatal(err)
@@ -23,6 +25,8 @@ func TestLoadDefaults(t *testing.T) {
 
 func TestSaveAndLoad(t *testing.T) {
 	t.Setenv("HOME", t.TempDir())
+	t.Setenv("SUPERMODEL_API_KEY", "")
+	t.Setenv("SUPERMODEL_API_BASE", "")
 	cfg := &Config{APIKey: "test-key", APIBase: DefaultAPIBase, Output: "json"}
 	if err := cfg.Save(); err != nil {
 		t.Fatal(err)

internal/deadcode/glob.go

@@ -0,0 +1,53 @@
+package deadcode
+
+import (
+	"path/filepath"
+	"strings"
+)
+
+// matchGlob reports whether filePath matches the glob pattern.
+// Supports *, ?, [...] within a single path segment (via filepath.Match)
+// and ** to match zero or more path segments.
+//
+// Examples:
+//
+//	matchGlob("dist/**", "dist/index.js")         → true
+//	matchGlob("**/generated/**", "src/generated/api.go") → true
+//	matchGlob("**/*.test.ts", "src/foo.test.ts")  → true
+func matchGlob(pattern, filePath string) bool {
+	pattern = filepath.ToSlash(pattern)
+	filePath = filepath.ToSlash(filePath)
+	return matchSegments(strings.Split(pattern, "/"), strings.Split(filePath, "/"))
+}
+
+func matchSegments(pat, path []string) bool {
+	for len(pat) > 0 {
+		seg := pat[0]
+		pat = pat[1:]
+
+		if seg == "**" {
+			// ** at the end matches one or more remaining segments (mirrors minimatch behaviour).
+			if len(pat) == 0 {
+				return len(path) > 0
+			}
+			// Try consuming 0, 1, 2, … path segments before resuming.
+			for i := 0; i <= len(path); i++ {
+				if matchSegments(pat, path[i:]) {
+					return true
+				}
+			}
+			return false
+		}
+
+		if len(path) == 0 {
+			return false
+		}
+
+		ok, err := filepath.Match(seg, path[0])
+		if err != nil || !ok {
+			return false
+		}
+		path = path[1:]
+	}
+	return len(path) == 0
+}