IronAdamant
diff --git a/CHANGELOG.md b/CHANGELOG.md
Lines changed: 25 additions & 0 deletions
diff --git a/CLAUDE.md b/CLAUDE.md
Lines changed: 3 additions & 2 deletions
diff --git a/chisel/engine.py b/chisel/engine.py
Lines changed: 22 additions & 0 deletions
diff --git a/chisel/impact.py b/chisel/impact.py
Lines changed: 62 additions & 10 deletions
diff --git a/chisel/risk_meta.py b/chisel/risk_meta.py
Lines changed: 4 additions & 3 deletions
diff --git a/chisel/storage.py b/chisel/storage.py
Lines changed: 14 additions & 0 deletions
@@ -5,6 +5,31 @@ All notable changes to Chisel are documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 This project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2026-03-31
+
+### Added
+
+- **Variable taint tracking for JS/TS**: Regex-based tracking of `const/let/var X = './path'` assignments resolves `require(variable)` calls. Known variables upgrade to `tainted_import` (confidence=1.0); unknown variables remain `dynamic_import` (confidence=0.3). `test_mapper.py`: `_JS_VAR_ASSIGN_RE`, `_JS_SIMPLE_ASSIGN_RE`, updated `_extract_js_deps()`.
+- **`shadow_graph` in `stats`**: `tool_stats()` now returns a `shadow_graph` dict with `total_edges`, `call_edges`, `import_edges`, `dynamic_import_edges`, `eval_import_edges`, `tainted_import_edges`, and `unknown_shadow_ratio`. `storage.py`: `get_edge_type_counts()`.
+- **Per-file dynamic risk fields in `risk_map`**: Each entry now includes `shadow_edge_count`, `dynamic_edge_count`, `unknown_require_count` (via `new Function()` pattern scan in JS/TS files), and `hidden_risk_factor`. `impact.py`: updated `compute_risk_score()` and `get_risk_map()`.
+- **`coverage_depth` in risk formula**: New 6th component — `min(distinct_covering_tests/5, 1.0)` — with weight 0.10. `test_instability` weight reduced from 0.10 to 0.05. Risk formula: `0.35*churn + 0.25*coupling + 0.15*coverage_gap + 0.10*coverage_depth + 0.10*author_concentration + 0.05*test_instability + hidden_risk_factor`.
+- **`hidden_risk_factor`**: Additive uplift (0–0.15) from dynamic/eval import edge density: `min(dynamic_edge_count/20, 1.0) * 0.15`. Computed separately from the 6-component reweighting system.
+- **Confidence-weighted edges**: Edge weights now blend `proximity * sqrt(confidence)` so low-confidence dynamic requires contribute proportionally less to impact scores. `test_mapper.py`: `build_test_edges()`.
+- **`unknown_require_count`**: Count of `new Function(` patterns in JS/TS source files, indicating potential `eval`-based module loading. Surface-level heuristic for risk assessment.
+- **3 new glossary entries**: "Dynamic require() detection", "Shadow graph", "Require confidence score" (`wiki-local/glossary.md`).
+
+### Changed
+
+- **`_BASE_RISK_WEIGHTS`** (`risk_meta.py`): Updated to 6-component weights reflecting new formula.
+- **`docs/CUSTOM_EXTRACTORS.md`**: Completely rewritten with comprehensive JS/TS tree-sitter extractor showing scope-aware variable tracking and `tainted_import` resolution.
+- **`docs/LLM_CONTRACT.md`**: Dynamic require table now includes `tainted_import`; added `risk_map dynamic-risk fields` section documenting `hidden_risk_factor`, `shadow_edge_count`, `dynamic_edge_count`.
+- **`wiki-local/spec-project.md`**: Updated risk formula, test edge weighting section now mentions variable taint tracking and shadow graph.
+- **`CLAUDE.md`**: Updated risk formula bullet with correct weights, `coverage_depth`, and `hidden_risk_factor`.
+
+### Fixed
+
+- **`risk_map` reweighting**: Now correctly handles 6 components (was 5) when 3+ are uniform across files.
+
 ## [0.6.5] - 2026-03-27
 
 ### Added
 
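Review note: the changelog states the new risk formula only as prose. The sketch below evaluates it literally as written, to make the arithmetic concrete. The function name `sketch_risk` and its argument layout are hypothetical and are not Chisel's API; only the weights, `coverage_depth`, and `hidden_risk_factor` expressions come from the entry above.

```python
# Weights copied from the 0.8.0 changelog entry.
WEIGHTS = {
    "churn": 0.35,
    "coupling": 0.25,
    "coverage_gap": 0.15,
    "coverage_depth": 0.10,
    "author_concentration": 0.10,
    "test_instability": 0.05,
}


def sketch_risk(components, distinct_covering_tests, dynamic_edge_count):
    """Hypothetical helper: apply the changelog formula to pre-normalized inputs.

    `components` is assumed to hold the five already-normalized values
    (churn, coupling, coverage_gap, author_concentration, test_instability).
    """
    coverage_depth = min(distinct_covering_tests / 5, 1.0)
    hidden_risk_factor = min(dynamic_edge_count / 20, 1.0) * 0.15
    values = dict(components, coverage_depth=coverage_depth)
    weighted = sum(WEIGHTS[name] * values[name] for name in WEIGHTS)
    # hidden_risk_factor is added on top of the six weighted components.
    return round(weighted + hidden_risk_factor, 4), round(hidden_risk_factor, 4)


example = {
    "churn": 0.5,
    "coupling": 0.4,
    "coverage_gap": 0.5,
    "author_concentration": 1.0,
    "test_instability": 0.0,
}
risk, hidden = sketch_risk(example, distinct_covering_tests=2, dynamic_edge_count=10)
```

With these inputs, `coverage_depth` is 0.4 and `hidden_risk_factor` is half of its 0.15 cap, because 10 of the 20 saturating dynamic edges are present.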
@@ -38,7 +38,7 @@ chisel/
 - **Zero deps**: stdlib only. `ast` for Python, regex for JS/TS/Go/Rust. `subprocess.run(["git", ...])` for git. Requires Python >= 3.11.
 - **FK enforcement disabled** in SQLite: stale test detection relies on orphaned edge refs; re-analysis deletes/recreates code_units freely.
 - **Churn formula**: `sum(1 / (1 + days_since_commit))` — recent changes weigh heavily.
-- **Risk formula**: `0.35*churn + 0.25*coupling + 0.2*coverage_gap + 0.1*author_concentration + 0.1*test_instability`. Coupling uses `max(git co-change, static import-graph)` breadth. `coverage_gap` is graduated (quantized to 0.25 steps: 0.0/0.25/0.5/0.75/1.0). `get_risk_map` may reweight the composite when 3+ components are uniform across files. `proximity_adjustment` optionally reduces `coverage_gap` by import distance to tested code.
+- **Risk formula**: `0.35*churn + 0.25*coupling + 0.15*coverage_gap + 0.10*coverage_depth + 0.10*author_concentration + 0.05*test_instability + hidden_risk_factor`. `get_risk_map` may reweight the first 6 components when 3+ of them are uniform across files. `hidden_risk_factor` (0–0.15) is derived from dynamic/eval import edge density and added on top, outside that reweighting. Coupling uses `max(git co-change, static import-graph)` breadth. `coverage_gap` is graduated (quantized to 0.25 steps: 0.0/0.25/0.5/0.75/1.0). `coverage_depth = min(distinct_covering_tests/5, 1.0)`. `proximity_adjustment` optionally reduces `coverage_gap` by import distance to tested code.
 - **Co-change ingest**: `compute_co_changes` uses adaptive `min_count` from `coupling_threshold()`; queries use `meta.co_change_query_min` so stored pairs are visible. Branch-only pairs stored in `branch_co_changes` from `merge-base..HEAD`. Commits touching >50 files are skipped (bulk operations).
 - **Blame caching**: Cached by file content hash, invalidated on change.
 - **Incremental updates**: File content hashes tracked in `file_hashes` table.
@@ -48,9 +48,10 @@ chisel/
 - **Ownership vs Reviewers**: `ownership` = blame-based (`role: "original_author"`). `who_reviews` = commit-activity-based (`role: "suggested_reviewer"`). Both are **git-derived signals** for agents (lineage, hot spots); they are not substitutes for team assignment in a solo workflow.
 - **Shared constants**: `_SKIP_DIRS` and `_EXTENSION_MAP` live in `ast_utils.py`. `_CODE_EXTENSIONS` in `engine.py` is derived from `_EXTENSION_MAP`. `_SKIP_DIRS` includes `coverage`, `.next`, `.nuxt` to exclude build/test output artifacts.
 - **Shared dispatch**: `dispatch_tool()` in `mcp_server.py` is used by both HTTP and stdio servers. Tool schemas and dispatch tables live in `schemas.py`.
-- **Edge weighting**: Test edges carry a weight (0.4-1.0) based on file proximity. `_compute_proximity_weight()` in `test_mapper.py`.
+- **Edge weighting**: Test edges carry a weight (0.4-1.0) based on file proximity, blended with `sqrt(confidence)` for dynamic requires: `weight = proximity * sqrt(confidence)`. `_compute_proximity_weight()` in `test_mapper.py`.
 - **Three-tier edge matching** in `build_test_edges()`: (1) Python import-path matching (`from myapp.utils import foo` → `myapp/utils.py:foo`, requires both path and name match), (2) JS/TS path-based matching (`require('../../src/services/searchService')` → resolves relative path, matches ALL code units in the resolved file), (3) name-only matching (universal fallback). Priority chain ensures precise matching where possible with file-level fallback for JS.
 - **JS/TS import binding extraction**: `_extract_js_deps()` extracts binding names from `const X = require('...')` (`_JS_CJS_DEFAULT_RE`), destructured requires `const { X, Y } = require('...')` (`_JS_CJS_DESTRUCTURED_RE`), and ESM defaults `import X from '...'` (`_JS_ESM_DEFAULT_RE`). All include `module_path` for path-based matching. Combined with `_JS_IMPORT_RE` (file-stem name) and `_JS_NAMED_IMPORT_RE` (ESM named imports), this covers CommonJS and ESM patterns.
+- **Dynamic require() detection (DynamicRequireChainTracer)**: Chisel detects `require()` patterns invisible to naive static analysis: variable refs (`require(variable)`), template literals, string concatenation, conditionals, and eval-based loading. Variable taint tracking (`const MODULE = './foo'; require(MODULE)`) resolves known variables and upgrades them to `tainted_import` (confidence=1.0). Unknown variables produce `dynamic_import` (confidence=0.3). Confidence is blended into edge weights via `proximity * sqrt(confidence)`. Files with `dynamic_import`/`eval_import` edges accumulate `hidden_risk_factor` in risk scoring: `min(dynamic_edge_count/20, 1.0) * 0.15` added to the 6-component risk formula. `shadow_edge_count` and `dynamic_edge_count` are exposed in `risk_map` output.
 - **JS path resolution**: `_resolve_js_module_path(test_file, module_path)` resolves relative imports against the test file's directory. `_matches_js_import_path(code_file, resolved)` strips JS/TS extensions and handles `index.js` barrel imports. `_strip_js_ext()` shared helper. `_JS_EXTENSIONS` frozenset in `test_mapper.py`.
 - **AST regex improvements**: C#/Java support nested generics `<A<B>>` and annotations/attributes `@Override`/`[Test]`. Kotlin supports extension functions `fun String.foo()`. C++ supports template functions and destructors `~Foo()`. Swift supports `@objc`-style attributes. Dart supports factory constructors and getters/setters.
 - **Jest/Mocha/Vitest test block extraction**: `_JS_JEST_BLOCK_RE` in `ast_utils.py` matches `describe('name', ...)`, `it('name', ...)`, `test('name', ...)` (plus `.only`/`.skip`/`.todo` modifiers) as code units with `unit_type` "test_suite" or "test_case". `_TEST_UNIT_TYPES` in `test_mapper.py` ensures these are recognized as test units regardless of `_is_test_name()`. This enables test edge building for JS/TS projects — the `require()`/`import` dep extraction already worked but was unreachable without test units.
 
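Review note: `test_mapper.py` is not part of this diff, so the taint-tracking behaviour described in the bullets above cannot be checked against code here. The following is a minimal sketch of the idea under stated assumptions: both regexes and the names `classify_requires` and `edge_weight` are hypothetical stand-ins, and Chisel's own `_JS_VAR_ASSIGN_RE` and `build_test_edges()` may differ. Only the edge types, the confidence values (1.0 and 0.3), and the `proximity * sqrt(confidence)` blend are taken from the text.

```python
import math
import re

# Hypothetical patterns for illustration only.
VAR_ASSIGN_RE = re.compile(
    r"""\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])([^'"]+)\2"""
)
REQUIRE_VAR_RE = re.compile(r"\brequire\(\s*([A-Za-z_$][\w$]*)\s*\)")


def classify_requires(source):
    """Resolve require(variable) calls against string-literal assignments."""
    known = {m.group(1): m.group(3) for m in VAR_ASSIGN_RE.finditer(source)}
    deps = []
    for m in REQUIRE_VAR_RE.finditer(source):
        name = m.group(1)
        if name in known:
            # Variable was assigned a literal path: treat as resolved.
            deps.append({"edge_type": "tainted_import",
                         "module_path": known[name], "confidence": 1.0})
        else:
            # Variable of unknown origin: keep the edge, but with low confidence.
            deps.append({"edge_type": "dynamic_import",
                         "module_path": None, "confidence": 0.3})
    return deps


def edge_weight(proximity, confidence):
    """Blend described in the docs: proximity * sqrt(confidence)."""
    return proximity * math.sqrt(confidence)


js_source = """
const MODULE = './foo';
const a = require(MODULE);
const b = require(other);
"""
deps = classify_requires(js_source)
```

A flat regex pass like this ignores scoping and reassignment, so it is best read as an illustration of the classification rule rather than of the extraction logic itself.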
@@ -725,6 +725,28 @@ def tool_stats(self):
                             stats["branch_coupling_commits"] = int(bc)
                         except ValueError:
                             pass
+                    # Shadow graph summary: edge type breakdown for dynamic require visibility
+                    edge_counts = self.storage.get_edge_type_counts()
+                    if edge_counts:
+                        stats["shadow_graph"] = {
+                            "total_edges": sum(edge_counts.values()),
+                            "call_edges": edge_counts.get("call", 0),
+                            "import_edges": edge_counts.get("import", 0),
+                            "dynamic_import_edges": (
+                                edge_counts.get("dynamic_import", 0)
+                                + edge_counts.get("eval_import", 0)
+                            ),
+                            "eval_import_edges": edge_counts.get("eval_import", 0),
+                            "tainted_import_edges": edge_counts.get("tainted_import", 0),
+                            "unknown_shadow_ratio": round(
+                                (
+                                    edge_counts.get("dynamic_import", 0)
+                                    + edge_counts.get("eval_import", 0)
+                                )
+                                / max(sum(edge_counts.values()), 1),
+                                4,
+                            ),
+                        }
                 return stats
 
     # ------------------------------------------------------------------ #
 
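Review note: the `shadow_graph` block in the hunk above can be exercised in isolation as a pure function, which makes its semantics easier to see. `summarize_shadow_graph` is a hypothetical name used only for this sketch; the keys and arithmetic mirror the hunk.

```python
def summarize_shadow_graph(edge_counts):
    """Build the shadow_graph summary from a {edge_type: count} mapping."""
    total = sum(edge_counts.values())
    eval_edges = edge_counts.get("eval_import", 0)
    # As in the hunk, the "dynamic" figure includes eval_import edges.
    dynamic_edges = edge_counts.get("dynamic_import", 0) + eval_edges
    return {
        "total_edges": total,
        "call_edges": edge_counts.get("call", 0),
        "import_edges": edge_counts.get("import", 0),
        "dynamic_import_edges": dynamic_edges,
        "eval_import_edges": eval_edges,
        "tainted_import_edges": edge_counts.get("tainted_import", 0),
        # max(total, 1) guards against division by zero on an empty graph.
        "unknown_shadow_ratio": round(dynamic_edges / max(total, 1), 4),
    }


summary = summarize_shadow_graph(
    {"call": 6, "import": 2, "dynamic_import": 1, "eval_import": 1}
)
```

Because `dynamic_import_edges` already contains the `eval_import` count, adding `dynamic_import_edges` and `eval_import_edges` together would double-count eval edges. Consumers of `stats` may want to keep that in mind.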
@@ -1,12 +1,16 @@
 """Impact analysis, risk scoring, stale test detection, and reviewer suggestions."""
 
+import os
 import re
 from collections import defaultdict, deque
 from datetime import datetime, timezone
 
 from chisel.metrics import _parse_iso_date, compute_ownership
 from chisel.static_test_imports import StaticImportIndex
 
+# Regex to detect `new Function(...)` patterns in source files (eval-style loading; bare `eval(` is not matched)
+_JS_EVAL_RE = re.compile(r"new\s+Function\s*\(")
+
 # Co-change coupling: breadth of partners (normalized by this count).
 _COCHANGE_COUPLING_CAP = 10
 # Static import-graph coupling: distinct neighbor files (either direction).
@@ -326,8 +330,12 @@ def compute_risk_score(self, file_path, unit_name=None, failure_rates=None,
                            coverage_mode="unit"):
         """Compute a risk score for a file or function.
 
-        Formula: 0.35*churn + 0.25*coupling + 0.2*coverage_gap
-                 + 0.1*author_concentration + 0.1*test_instability
+        Formula: 0.35*churn + 0.25*coupling + 0.15*coverage_gap
+                 + 0.10*coverage_depth + 0.10*author_concentration
+                 + 0.05*test_instability + hidden_risk_factor
+        where coverage_depth = min(distinct_covering_tests/5, 1.0)
+        and hidden_risk_factor = min(dynamic_edge_count/20, 1.0) * 0.15
+        from dynamic_import/eval_import edge counts.
 
         Args:
             failure_rates: Optional pre-fetched dict of {test_id: rate}.
@@ -383,7 +391,7 @@ def compute_risk_score(self, file_path, unit_name=None, failure_rates=None,
         tested_lines = 0
         total_lines = 0
         covering_test_ids = set()
-        edge_type_counts = {"call": 0, "import": 0}
+        edge_type_counts = {"call": 0, "import": 0, "dynamic_import": 0, "eval_import": 0, "tainted_import": 0}
         for cu in code_units:
             unit_lines = cu["line_end"] - cu["line_start"] + 1
             total_lines += unit_lines
@@ -422,17 +430,30 @@ def compute_risk_score(self, file_path, unit_name=None, failure_rates=None,
             covering_test_ids, failure_rates, duration_cv,
         )
 
+        # Hidden risk from dynamic/eval imports (shadow graph)
+        dynamic_edge_count = (
+            edge_type_counts.get("dynamic_import", 0)
+            + edge_type_counts.get("eval_import", 0)
+        )
+        shadow_edge_count = total_edges - edge_type_counts.get("call", 0)
+        hidden_risk_factor = min(dynamic_edge_count / 20.0, 1.0) * 0.15
         risk = (
             0.35 * churn_norm
             + 0.25 * coupling_norm
-            + 0.2 * coverage_gap
-            + 0.1 * author_conc
-            + 0.1 * instability
+            + 0.15 * coverage_gap
+            + 0.10 * coverage_depth
+            + 0.10 * author_conc
+            + 0.05 * instability
+            + hidden_risk_factor
         )
         return {
             "file_path": file_path,
             "unit_name": unit_name,
             "risk_score": round(risk, 4),
+            "shadow_edge_count": shadow_edge_count,
+            "dynamic_edge_count": dynamic_edge_count,
+            "unknown_require_count": edge_type_counts.get("eval_import", 0),
+            "hidden_risk_factor": round(hidden_risk_factor, 4),
             "breakdown": {
                 "churn": round(churn_norm, 4),
                 "coupling": round(coupling_norm, 4),
@@ -446,6 +467,7 @@ def compute_risk_score(self, file_path, unit_name=None, failure_rates=None,
                 "edge_type_quality": edge_type_quality,
                 "author_concentration": round(author_conc, 4),
                 "test_instability": round(instability, 4),
+                "hidden_risk": round(hidden_risk_factor, 4),
             },
         }
 
@@ -750,7 +772,7 @@ def get_risk_map(self, directory=None, exclude_tests=True,
             tested_lines = 0
             total_lines = 0
             covering_test_ids = set()
-            edge_type_counts = {"call": 0, "import": 0}
+            edge_type_counts = {"call": 0, "import": 0, "dynamic_import": 0, "eval_import": 0, "tainted_import": 0}
             for cu in code_units:
                 unit_lines = cu["line_end"] - cu["line_start"] + 1
                 total_lines += unit_lines
@@ -787,17 +809,46 @@ def get_risk_map(self, directory=None, exclude_tests=True,
                 covering_test_ids, failure_rates, duration_cv_by_test,
             )
 
+            # Hidden risk from dynamic/eval imports (shadow graph)
+            # Files with many dynamic_import/eval_import edges have unknown deps
+            dynamic_edge_count = (
+                edge_type_counts.get("dynamic_import", 0)
+                + edge_type_counts.get("eval_import", 0)
+            )
+            shadow_edge_count = total_edges - edge_type_counts.get("call", 0)
+            hidden_risk_factor = min(dynamic_edge_count / 20.0, 1.0) * 0.15
+
+            # unknown_require_count: eval/new Function patterns in source file.
+            # Only applies to JS/TS files where eval patterns are relevant.
+            # These deps produce zero edges (confidence=0) and are invisible to
+            # impact analysis — count them directly from source to surface hidden risk.
+            eval_pattern_count = 0
+            if fp.endswith((".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs")):
+                try:
+                    abs_path = os.path.join(self.project_dir, fp)
+                    with open(abs_path, encoding="utf-8", errors="replace") as fh:
+                        content = fh.read()
+                    eval_pattern_count = len(_JS_EVAL_RE.findall(content))
+                except OSError:
+                    pass
             risk = (
                 0.35 * churn_norm
                 + 0.25 * coupling_norm
-                + 0.2 * coverage_gap
-                + 0.1 * author_conc
-                + 0.1 * instability
+                + 0.15 * coverage_gap
+                + 0.10 * coverage_depth
+                + 0.10 * author_conc
+                + 0.05 * instability
+                + hidden_risk_factor
             )
+
             risk_map.append({
                 "file_path": fp,
                 "unit_name": None,
                 "risk_score": round(risk, 4),
+                "shadow_edge_count": shadow_edge_count,
+                "dynamic_edge_count": dynamic_edge_count,
+                "unknown_require_count": eval_pattern_count,
+                "hidden_risk_factor": round(hidden_risk_factor, 4),
                 "coupling_partners": coupling_partners,
                 "import_partners": import_partners,
                 "breakdown": {
@@ -813,6 +864,7 @@ def get_risk_map(self, directory=None, exclude_tests=True,
                     "edge_type_quality": edge_type_quality,
                     "author_concentration": round(author_conc, 4),
                     "test_instability": round(instability, 4),
+                    "hidden_risk": round(hidden_risk_factor, 4),
                 },
             })
 
 
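Review note: the source scan that `get_risk_map` uses for `unknown_require_count` can be sketched as a standalone function. The regex and the extension tuple are copied from the hunks above; `count_eval_patterns` is a hypothetical name, and it takes the file content as an argument so the sketch does not need a project directory.

```python
import re

# Same pattern as _JS_EVAL_RE in the diff: matches `new Function(` only.
_JS_EVAL_RE = re.compile(r"new\s+Function\s*\(")
_JS_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs")


def count_eval_patterns(file_path, content):
    """Count `new Function(` occurrences, but only for JS/TS files."""
    if not file_path.endswith(_JS_SUFFIXES):
        return 0
    return len(_JS_EVAL_RE.findall(content))


sample = "const f = new Function('return 1'); eval('x'); new  Function (\"a\");"
js_count = count_eval_patterns("src/loader.js", sample)
py_count = count_eval_patterns("src/loader.py", sample)
```

Two things stand out when reading the hunks side by side. The pattern does not count bare `eval(` calls, and `compute_risk_score` fills the same `unknown_require_count` key from `edge_type_counts.get("eval_import", 0)` rather than from this scan, so the two entry points may report different values for one file.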
@@ -5,9 +5,10 @@
 _BASE_RISK_WEIGHTS = {
     "churn": 0.35,
     "coupling": 0.25,
-    "coverage_gap": 0.2,
-    "author_concentration": 0.1,
-    "test_instability": 0.1,
+    "coverage_gap": 0.15,
+    "coverage_depth": 0.10,
+    "author_concentration": 0.10,
+    "test_instability": 0.05,
 }
 
 _COMPONENTS = tuple(_BASE_RISK_WEIGHTS.keys())
 
@@ -604,6 +604,20 @@ def get_stale_test_edges(self):
                WHERE cu.id IS NULL""",
         )
 
+    def get_edge_type_counts(self):
+        """Count test edges grouped by edge_type.
+
+        Returns:
+            Dict mapping edge_type string to count.
+            Keys include: call, import, dynamic_import, eval_import, tainted_import.
+        """
+        rows = self._fetchall(
+            """SELECT edge_type, COUNT(*) AS cnt
+               FROM test_edges
+               GROUP BY edge_type""",
+        )
+        return {r["edge_type"]: r["cnt"] for r in rows}
+
     def get_direct_impacted_tests(self, file_path, changed_functions=None):
         """Find tests with edges to code units in a file, via a single JOIN."""
         base_sql = """SELECT tu.id AS test_id, tu.file_path,