trailofbits
diff --git a/‎.github/dependabot.yml‎
Lines changed: 21 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 70 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎.github/workflows/mutation.yml‎
Lines changed: 38 additions & 0 deletions b/‎.github/workflows/mutation.yml‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.github/workflows/semgrep.yml‎
Lines changed: 41 additions & 0 deletions b/‎.github/workflows/semgrep.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/workflows/zizmor.yml‎
Lines changed: 33 additions & 0 deletions b/‎.github/workflows/zizmor.yml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 16 additions & 0 deletions b/‎.gitignore‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 90 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 80 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      all:
+        patterns: ["*"]
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      all:
+        patterns: ["*"]
@@ -0,0 +1,70 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6  # v3.6.1
+        with:
+          args: check src/ tests/
+
+      - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6  # v3.6.1
+        with:
+          args: format --check src/ tests/
+
+  type-check:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b  # v7.3.0
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - run: uv sync --all-groups
+
+      - run: uv tool install ty && ty check
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.13"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b  # v7.3.0
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - run: uv sync --all-groups
+
+      - run: uv run pytest -q tests/
@@ -0,0 +1,38 @@
+name: Mutation Testing
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  mutmut:
+    name: Mutation Testing
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b  # v7.3.0
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - run: uv sync --all-groups
+
+      - name: Run mutation testing
+        run: uv run mutmut run
+
+      - name: Show results
+        if: always()
+        run: uv run mutmut results
@@ -0,0 +1,41 @@
+name: Semgrep
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep:
+    name: Semgrep Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Install Semgrep
+        run: pip install semgrep
+
+      - name: Run Semgrep
+        run: >
+          semgrep scan
+          --metrics=off
+          --error
+          --config p/python
+          --config p/security-audit
+          --config p/secrets
+          --include="*.py"
+          .
@@ -0,0 +1,33 @@
+name: Zizmor
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - ".github/workflows/**"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  zizmor:
+    name: Workflow Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d  # v0.5.0
+        with:
+          version: latest
+          advanced-security: false
@@ -0,0 +1,16 @@
+.coverage
+.hypothesis
+.idea
+.pytest_cache
+.ruff_cache
+.serena
+.supply-chain-risk-auditor
+/src/trailmark/__pycache__
+/src/trailmark/*/__pycache__
+/src/trailmark/*/*/__pycache__
+/tests/__pycache__
+*.pyc
+uv.lock
+mutants/
+src/trailmark/tree_sitter_custom/**/*.so
+src/trailmark/tree_sitter_custom/**/*.pyd
@@ -0,0 +1,90 @@
+# Agents
+
+Development context for AI agents working on this codebase.
+
+## Project Overview
+
+Trailmark parses source code into directed graphs of functions, classes,
+calls, and semantic metadata for security analysis. It supports 16
+languages via tree-sitter (plus a bundled Circom grammar) and uses
+rustworkx for graph traversal.
+
+## Architecture
+
+```
+CodeGraph (data) -> GraphStore (indexed storage) -> QueryEngine (facade)
+```
+
+- **CodeGraph** holds raw nodes, edges, annotations, entrypoints. Mutable.
+- **GraphStore** wraps CodeGraph in a rustworkx PyDiGraph. Validates
+  node existence. Returns model objects.
+- **QueryEngine** resolves names to node IDs, delegates to GraphStore,
+  returns plain dicts for JSON serialization.
+
+## Key Conventions
+
+- All public methods return `False` or `[]` for missing nodes. Never raise.
+- QueryEngine returns dicts; GraphStore returns model objects.
+- Node IDs follow `module:function`, `module:Class`, `module:Class.method`.
+- Edge confidence: `certain`, `inferred`, `uncertain`.
+- Annotation sources: `"llm"`, `"docstring"`, `"manual"`.
+- Frozen dataclasses for immutable data. `CodeGraph` is mutable.
+- No relative (`..`) imports. Use `from trailmark.*`.
+
+## File Layout
+
+```
+src/trailmark/
+  models/          # Data classes: CodeUnit, CodeEdge, Annotation, CodeGraph
+    graph.py       # CodeGraph with add_annotation, clear_annotations, merge
+    nodes.py       # CodeUnit, Parameter, TypeRef, BranchInfo
+    edges.py       # CodeEdge, EdgeKind, EdgeConfidence
+    annotations.py # Annotation, AnnotationKind, EntrypointTag
+  parsers/         # Language-specific tree-sitter parsers
+    base.py        # BaseParser protocol
+    _common.py     # Shared parser utilities
+    python/        # One subpackage per language
+    javascript/
+    ...
+  storage/
+    graph_store.py # GraphStore: rustworkx-backed indexed storage
+  query/
+    api.py         # QueryEngine: high-level facade
+  cli.py           # CLI entry point
+tests/             # pytest test suite
+```
+
+## Running Checks
+
+```bash
+uv run ruff check --fix src/ tests/
+uv run ruff format src/ tests/
+uv run ty check
+pytest -q
+```
+
+## Mutation Testing
+
+```bash
+uv run mutmut run
+uv run mutmut results
+```
+
+### macOS Fork Safety
+
+mutmut uses `fork()` which segfaults with rustworkx on macOS. Set:
+
+```bash
+export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+```
+
+This is not needed on Linux/CI (Ubuntu).
+
+## Adding Features
+
+- Follow the three-layer pattern: add to CodeGraph first, then GraphStore
+  (with validation), then QueryEngine (with name resolution and dict
+  conversion).
+- Add tests at each layer: `test_models.py`, `test_storage.py`,
+  `test_query.py`.
+- Update `README.md` if adding user-facing API.
@@ -0,0 +1,80 @@
+# Contributing to Trailmark
+
+## Setup
+
+Requires Python >= 3.13 and [uv](https://docs.astral.sh/uv/).
+
+```bash
+uv sync --all-groups
+```
+
+## Running Checks
+
+Run all three before submitting changes:
+
+```bash
+# Lint and format
+uv run ruff check --fix src/ tests/
+uv run ruff format src/ tests/
+
+# Type check
+uv run ty check
+
+# Tests
+pytest -q
+```
+
+## Mutation Testing
+
+Trailmark uses [mutmut](https://mutmut.readthedocs.io/) to verify test
+suite quality. Mutmut generates source code mutations and confirms that
+tests catch each one.
+
+```bash
+uv run mutmut run
+uv run mutmut results
+```
+
+### macOS: Fork Safety
+
+mutmut uses `fork()` to isolate mutation runs. On macOS, this conflicts
+with the Objective-C runtime and with native extensions like rustworkx
+(a Rust/C extension). You **must** set this environment variable:
+
+```bash
+export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+```
+
+Without it, mutmut will segfault on every mutant. This is not needed on
+Linux (CI runs on Ubuntu without issue).
+
+## Architecture
+
+Trailmark has a three-layer architecture:
+
+1. **CodeGraph** (`src/trailmark/models/graph.py`) -- mutable data
+   container holding nodes, edges, annotations, and entrypoints.
+2. **GraphStore** (`src/trailmark/storage/graph_store.py`) -- wraps
+   CodeGraph in a rustworkx `PyDiGraph` with bidirectional ID/index
+   mappings. Validates node existence before mutations.
+3. **QueryEngine** (`src/trailmark/query/api.py`) -- high-level facade
+   that resolves names, delegates to GraphStore, and returns plain dicts.
+
+### Conventions
+
+- **No exceptions for missing nodes.** All methods return `False` or `[]`
+  when a node is not found.
+- **QueryEngine returns dicts**, GraphStore returns model objects.
+- **Helper functions** like `_unit_to_dict()`, `_edge_to_dict()`,
+  `_annotation_to_dict()` live at module level alongside their class.
+- **Frozen dataclasses** for immutable data (`CodeUnit`, `CodeEdge`,
+  `Annotation`). `CodeGraph` is mutable (not frozen).
+- **No relative imports.** Use absolute imports from `trailmark.*`.
+
+## Adding a New Language Parser
+
+1. Create `src/trailmark/parsers/<lang>/parser.py` implementing the
+   `BaseParser` protocol from `src/trailmark/parsers/base.py`.
+2. Register the language in `src/trailmark/parsers/__init__.py`.
+3. Add tests in `tests/test_<lang>_parser.py`.
+4. Update the language table in `README.md`.