You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* fix(csharp): attribute declarations under file-scoped namespaces correctly
The C# grammar represents a file-scoped namespace (namespace X;) as
file_scoped_namespace_declaration, a distinct node type from
namespace_declaration with no body field: every top-level declaration
after it belongs to that namespace. _visit_top_level only matched
namespace_declaration, so types under a file-scoped namespace were
silently attributed to the module instead - no NAMESPACE CodeUnit, no
CONTAINS edge from the namespace.
Track the active file-scoped namespace while walking the top level in
_visit_module and route subsequent declarations through _visit_ns_child,
mirroring what _extract_namespace does with a braced body. Factor the
shared CodeUnit/CONTAINS-edge creation into _create_namespace_unit. If
the namespace node has no extractable name, later declarations keep
falling back to module attribution.
* build(deps): bump the all group across 1 directory with 6 updates
Bumps the all group with 6 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` |
| [astral-sh/ruff-action](https://github.com/astral-sh/ruff-action) | `4.0.0` | `4.1.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.2.0` | `8.3.1` |
| [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `4.1.0` | `4.1.1` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.6` | `0.5.7` |
Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)
Updates `astral-sh/ruff-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/astral-sh/ruff-action/releases)
- [Commits](astral-sh/ruff-action@0ce1b0b...278981a)
Updates `astral-sh/setup-uv` from 8.2.0 to 8.3.1
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@fac544c...f98e069)
Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a309ff8...ece7cb0)
Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@a2bbfa2...0f67c3f)
Updates `zizmorcore/zizmor-action` from 0.5.6 to 0.5.7
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: all
- dependency-name: astral-sh/ruff-action
dependency-version: 4.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: astral-sh/setup-uv
dependency-version: 8.3.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: actions/setup-python
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: actions/attest-build-provenance
dependency-version: 4.1.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: zizmorcore/zizmor-action
dependency-version: 0.5.7
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
* feat: prepare v0.5.0 release features
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Alexander Heinrich <hallo@alexanderheinrich.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@@ -117,7 +118,7 @@ The `QueryEngine` provides a high-level API over the indexed graph:
117
118
|`paths_between(src, dst)`| All simple call paths between two nodes |
118
119
|`connect_subgraphs(source, target)`| Paths connecting two named subgraphs |
119
120
|`entrypoint_paths_to(name)`| Paths from any detected entrypoint to the target |
120
-
|`attack_surface()`| Entrypoints tagged with trust level and asset value |
121
+
|`attack_surface()`| Entrypoints tagged with trust level, asset value, and parser attributes when present|
121
122
|`complexity_hotspots(n)`| Functions with cyclomatic complexity ≥ n |
122
123
|`functions_that_raise(exc)`| Functions whose parser-detected exception list includes `exc`|
123
124
|`generic_parameters(name)`| Generic type parameters declared by a node |
@@ -261,6 +262,14 @@ uv sync --all-groups
261
262
262
263
Requires Python ≥ 3.12.
263
264
265
+
Trailmark uses `tree-sitter-language-pack` for most grammars. Current releases
266
+
use the platform certificate store for grammar downloads. In TLS-inspected or
267
+
offline environments, pre-populate the package cache with
268
+
`python -c "import tree_sitter_language_pack as p; p.download_all()"` on a
269
+
matching platform, then copy the resulting `tree-sitter-language-pack` cache
270
+
directory to the target machine. `HTTPS_PROXY` is also honored. The SQL grammar
271
+
ships as the `tree-sitter-sql` wheel dependency and does not use that cache.
272
+
264
273
## Usage
265
274
266
275
```bash
@@ -392,6 +401,52 @@ Later entries override earlier ones when two rules tag the same node, so place b
392
401
393
402
See [docs/entrypoint-patterns.md](docs/entrypoint-patterns.md) for the full reference, including frameworks not yet implemented (Express / Koa / Fastify, Laravel, Cobra, axum, warp, clap, and others) with grep-ready patterns contributors can use to add new detectors.
394
403
404
+
Solidity detection uses parser metadata rather than signature regexes. Interface
405
+
declarations are excluded and a derived override suppresses the matching base
406
+
implementation. Concrete `public` and `external` functions remain entrypoints,
407
+
including `view` and `pure` functions; their `solidity_visibility` and
408
+
`solidity_mutability` attributes are returned by `attack_surface()` so callers
409
+
can distinguish read-only exposure. `attack_surface()` includes parser-specific
410
+
entrypoint attributes when they are attached to the underlying graph node.
411
+
412
+
### Cross-language and external links
413
+
414
+
Polyglot parsing merges language graphs, but many RPC, FFI, subprocess, and
415
+
host/contract relationships are not visible in source syntax. Declare these
416
+
deterministically in `.trailmark/links.toml`:
417
+
418
+
```toml
419
+
[[link]]
420
+
source = "backend:submit"
421
+
target = "contract:Verifier.verify"
422
+
kind = "calls"# defaults to calls
423
+
confidence = "certain"# defaults to inferred
424
+
description = "JSON-RPC eth_call"
425
+
426
+
[[link]]
427
+
source = "backend:notify"
428
+
target = "payments-webhook"
429
+
external = true# required when either endpoint is unresolved
430
+
```
431
+
432
+
References may be exact node IDs or unique names/suffixes. Ambiguous references,
433
+
unknown internal endpoints, invalid enum values, and malformed TOML raise
0 commit comments