@fanalis/repo
v0.1.0
Published
Repo inspection — framework detection, route enumeration, source-walk, package analysis.
Maintainers
Readme
@fanalis/repo
source-pass modules. read the user's filesystem; analyse without rendering.
what's here
13 deterministic scanners, all bounded + sandboxed (no reads outside repoRoot):
framework.ts— detect next/vite/astro/sveltekit/remix/nuxt + package manager + lockfile + dev portroutes.ts— enumerate page + api routes per frameworkdeps.ts— unused deps, runtime-vs-dev mislisting, missing depssecrets.ts— 21 patterns: github tokens, openai keys, aws keys, .env leaksnpm-audit.ts— shells out to user's pm (pnpm/npm/yarn) for vulnsbundle.ts— chunk-size analysis from.next/distast.ts— 99 regex+guard rules over .ts/.tsx/.js/.jsx; brace-balanced scanner for useEffect/await-in-loopts-strictness.ts— JSONC parser for tsconfig; flags missing noUncheckedIndexedAccess etcunused-exports.ts— collects exports + import sites across the tree, surfaces dead exportsimages.ts—public/,static/,assets/: oversized/wrong-formatcss.ts—!importantdensity, vendor-prefix overuse, tailwind dynamic-class JIT breaksdep-graph.ts— Tarjan SCC over the import graph (with tsconfig path alias resolution); cycles + hot files + god filesdesign-system.ts— tailwind theme.extend coverage vs arbitrary-value hotspots; CSS-var inventorysupply-chain.ts— package.json policy + lockfile sanity (~35% of Socket-style coverage)package-inspect.ts— walksnode_modules/<pkg>/, runs Amalfi 2022 triad detection (install + env + network); flags eval/dyn-require/obfuscation/native binaries/trivial-with-power (~12 of Socket's 70 alerts)
perf
source pass on the fanalis repo itself: ~280 ms cold, ~110 ms warm (mtime cache on ast + dep-graph). pkg-inspect is the heaviest at ~200 ms.
caveats
safeRead()refuses to resolve outsiderepoRoot. counted in the file-read audit surfaced by the CLI.ast.tsanddep-graph.tssharescan-cache.ts— invalidated by mtime + rule-hash. delete~/.cache/fanalis/scan-cache/to force cold scan.analysePackageInspectrequiresnode_modules/to exist. if the user hasn't installed, returns an empty result silently.analyseSupplyChainis reframed honest: "package.json policy + lockfile sanity check", NOT full supply-chain detection. typosquat heuristic uses trigram-jaccard ≥ 0.55 against a 3,491-name corpus from npm's search api; misses distant-position swaps likelodahs→lodash. SOTA is Socket.dev / Phylum.
not in scope
- tarball inspection (would need to fetch from registry)
- registry cross-ref (online-only signals: recently-published, unstable-ownership, new-author)
- behavioural diff between published versions
post-v1.
