feat(extractors): detect jQuery $.ajax/$.get/$.post and axios object-form as HTTP consumers

[azizur100389]

Closes #828.

Summary

Extend the JS/TS HTTP consumer extractor (gitnexus/src/core/group/extractors/http-patterns/node.ts) so that three widely-used call shapes emit consumer contracts the same way fetch() and axios.<verb>() already do:

• jQuery shorthand: $.get('/api/x'), $.post('/api/x', data)
• jQuery ajax form: $.ajax({ url: '/api/x', method: 'GET' }) / $.ajax({ url: '/api/x', type: 'GET' })
• axios object form: axios({ method: 'POST', url: '/api/x' })

Why

group sync over any Laravel / legacy frontend repo currently produces zero consumer contracts for files that use $.ajax/$.get/$.post — the cross-link between the frontend caller and the backend route is silently invisible, so downstream impact analysis misses real dependencies. Same story for codebases that call axios({ method, url }) instead of the dotted shorthand.

Implementation

node.ts:

• 3 new PatternSpecs alongside the existing FETCH_*_SPEC / AXIOS_SPEC: JQUERY_SHORTHAND_SPEC, JQUERY_AJAX_SPEC, AXIOS_OBJECT_SPEC.
• NodePatternBundle gains jqueryShorthand / jqueryAjax / axiosObject slots, compiled once per JS / TS / TSX grammar via the existing compileBundle() path.
• New readStringProp() helper walks pair children of an (object) literal and resolves url / method / type keys independent of declaration order.
• 3 new scan loops in scanBundle() emit HttpDetection { role: 'consumer', framework: 'jquery' | 'axios', ... } with confidence 0.7 (matching the existing source-scan consumers) and default method GET when absent (matches both jQuery $.ajax and axios runtime defaults).

Deviation from the issue's proposed patterns

The issue sketches one tree-sitter query per pattern that encodes url and method as adjacent pair children. S-expression matching is positional — that forces a specific key order, which isn't guaranteed for JS object literals. This PR instead captures the options object and resolves keys in TypeScript post-processing, so { url, method } and { method, url } are both matched. The same path also accepts jQuery's type: synonym for method: (jQuery supports both; the issue example only showed type).

Tests

gitnexus/test/unit/group/http-route-extractor.test.ts — 4 new it() cases under the existing consumer-extraction block:

1. extracts jQuery $.get and $.post shorthand — asserts http::GET::/api/users and http::POST::/api/users with framework: 'jquery'.
2. extracts jQuery $.ajax with method: and type: keys and default GET — covers method: 'PUT', type: 'DELETE', and a method-less call defaulting to GET.
3. extracts axios({ method, url }) object form regardless of key order — proves post-processing is order-independent and that a url-only call defaults to GET.
4. does not emit consumers for unrelated object-literal calls (negative control) — $.fn.extend(...), $.each(...), a non-axios helper call, and a bare const cfg = { url, method } all produce zero consumer contracts, so the new patterns can't overmatch.

Test plan

• npx vitest run test/unit/group/http-route-extractor.test.ts → 22 passed (18 existing + 4 new)
• npm run test:unit → only the 4 pre-existing unrelated failures (test/unit/skip-git-cli.test.ts and test/unit/git-utils.test.ts — both fail identically on main before this change; neither touches the extractor surface)
• npx tsc --noEmit → clean
• Pre-commit hook (lint-staged + eslint + prettier + tsc) → pass

Safety / backwards-compat

• Purely additive: new PatternSpecs, new bundle slots, new loops. No existing code path modified.
• No changes to HttpDetection / ExtractedContract shape — the orchestrator normalises these detections identically to the existing fetch/axios consumers.
• framework: 'jquery' is a new label; framework: 'axios' is reused so downstream grouping stays consistent.
• Patterns are structurally disjoint (axios(...) identifier-form vs axios.x(...) member-form; $.get / $.post shorthand vs $.ajax object), so no dedup state is needed.

[vercel]

@azizur100389 is attempting to deploy a commit to the NexusCore Team on Vercel.

A member of the Team first needs to authorize it.

[magyargergo]

@claude Act as a senior reviewer for GitNexus. Your job is to determine whether this PR is production-ready for this repo, not to give a generic code review.

You are reviewing a PR in the GitNexus monorepo:

• gitnexus/ → CLI + MCP
• gitnexus-web/
• gitnexus-shared/

Your task has 2 phases, in this exact order:

PHASE 1 — DEFINE THE BAR
Before reviewing the diff, establish a concise repo-specific definition of “production-ready” for GitNexus, based only on the repo docs and the affected area.
Keep this definition practical and reviewable. Do not invent standards that are not grounded in the repo.

PHASE 2 — REVIEW THE PR AGAINST THAT BAR
Review the actual diff only after defining the bar.
Stay tightly scoped to the changed code and its direct consequences.

---

CONTEXT TO LOAD FIRST
Read these before reviewing:

• AGENTS.md
• GUARDRAILS.md
• CONTRIBUTING.md
• TESTING.md
• ARCHITECTURE.md

Additional context:

• If the diff touches ingestion, also read: ARCHITECTURE.md § Pipeline Phase DAG
• PR [group/sync] Fix ManifestExtractor never called — config.links always produced 0 cross-links #827 diff area is primarily: gitnexus/src/core/group/ (sync + manifest extractor) plus associated tests

---

PRIMARY OBJECTIVE
Decide whether this PR is safe, correct, maintainable, and operationally acceptable to merge into production for GitNexus.

Do not optimize for completeness at the expense of signal.
Do not pad the review.
Do not propose unrelated refactors.
Do not restate the PR description unless needed for verification.

---

REVIEW RULES

• Every finding must be grounded in specific evidence from the diff or directly relevant surrounding code.
• Every finding must include path:line.
• If you make a behavioral claim, cite the code that proves it.
• If you make a performance claim, explain the mechanism.
• If something cannot be verified from the diff alone, explicitly say so.
• Distinguish clearly between:
  • verified issue
  • plausible risk
  • unverified concern
• Avoid vague wording like “might be better” or “could be improved” unless you explain exactly why.
• Keep the review focused on this PR’s scope only.

For each finding, assign one severity:

• BLOCKING → must be fixed before merge
• NON-BLOCKING → valid issue, but merge may still be acceptable
• NIT → stylistic/minor, not merge-relevant

---

REPO-SPECIFIC REVIEW CHECKLIST
Use these exact headings.

1. Correctness & functional completeness

Check:

• Does the implementation actually satisfy the PR claim?
  • ManifestExtractor is truly invoked
  • config.links produces non-zero cross-links where expected
• Resolver contracts are preserved:
  • resolveSymbol remains exact-match
  • label-scoped Cypher remains correct per contract type
  • flag any regression toward fuzzy or unscoped matching
• Graph schema integrity is preserved:
  • no silent changes to node labels
  • no silent changes to edge types
  • no silent changes to ID generation (generateId)
• Call out any missing wiring, partial integration, dead branch, or mismatch between tests and runtime behavior

2. Code clarity & clean code

Check:

• naming quality
• local cohesion
• dead code
• unnecessary abstraction
• hidden control flow
• confusing indirection
• adherence to repo conventions:
  • direct imports from gitnexus-shared
  • no barrel re-export regressions
  • no // removed comments
  • no unused re-exports
• no drive-by refactors outside stated scope per CONTRIBUTING.md and GUARDRAILS.md § Scope

3. Test coverage & change safety

Evaluate against TESTING.md:

• Are there unit tests under gitnexus/test/unit/ covering the newly wired path?
• Is there a regression guard for 0-link → N-link behavior?
• Are assertions meaningful rather than tautological?
• Are fixtures realistic for manifest inputs?
• If memoization/cache was introduced, is there a test proving hit/miss behavior and correctness?
• Is there evidence the expected validation path would pass for staged gitnexus/ files?
  • tsc --noEmit
  • vitest run --project default
    If not verifiable, say exactly what is missing.

4. Performance

Inspect for:

• hot-path overhead in ingestion/group sync
• excess allocations per manifest entry
• redundant Cypher round-trips
• missed batching or missed parallelism (Promise.all) where it materially matters
• O(n²) or repeated lookup patterns on large repos
• memoization tradeoffs:
  • correctness
  • invalidation
  • bounded vs unbounded memory growth
    Do not speculate casually; explain the mechanism and likely impact.

5. Operational risk

Check:

• Windows/cross-platform safety:
  • stream lifecycle
  • FD/file handle lifecycle
  • path separator assumptions
  • anything resembling prior ENOTEMPTY-style lifecycle regressions
• LadybugDB single-writer invariant is preserved
• Embeddings preservation:
  • no silent breakage of --embeddings
  • .gitnexus/meta.json.stats.embeddings not silently zeroed by changed paths
• MCP contracts remain compatible:
  • group_*
  • query
  • context
  • impact
  • detect_changes
  • rename
  • cypher
    Flag any schema or contract break without migration note
• staleness behavior still triggers correctly (gitnexus/src/mcp/staleness.ts)
• rollback safety:
  • can this PR be reverted safely without re-analyze?
  • if not, explain why

6. Maintainability

Check:

• Does the change respect Pipeline Phase DAG boundaries?
• Is cross-phase coupling being introduced?
• Are manifest-extractor entry points discoverable from group/sync.ts?
• Would the next contributor know where to extend this?
• Is shared logic placed appropriately:
  • in gitnexus-shared/
  • or gitnexus/src/core/**/utils.ts
  • and not duplicated between CLI and web bridge (server/api.ts)?

---

NON-NEGOTIABLES TO VERIFY
From GUARDRAILS.md / CONTRIBUTING.md:

• no secrets, tokens, or machine-specific paths committed
• no blind find-and-replace renames
• if a symbol rename occurred, rename MCP tool or equivalent careful review was used
• upstream impact was considered for modified shared symbols
• no HIGH/CRITICAL impact left unaddressed
• PR title follows conventional commit style + [area] Short description
• PolyForm Noncommercial license headers/metadata untouched

---

OUTPUT FORMAT

Production-ready bar for this PR

Give a concise repo-specific definition in 5–10 bullets.

Findings

For each finding, use this structure exactly:

[BLOCKING|NON-BLOCKING|NIT] Short title

• Evidence: path:line, path:line
• Why it matters: ...
• Recommendation: ...
• Confidence: High / Medium / Low

Only include findings that are real and supported.
If there are no findings in a section, say:

• No issues found in this area based on the diff and reviewed context.

What I could not fully verify

List any behavior you could not prove from the diff, tests, or available context.

Final verdict

Choose exactly one:

• ✅ Ready to merge — no blocking issues.
• ⚠️ Merge after addressing blocking items.
• ❌ Not ready — fundamental concerns.

If verdict is not ready, list the blocking items in priority order.

---

IMPORTANT REVIEW BEHAVIOR

• Be strict on correctness and contracts.
• Be conservative about operational risk.
• Be explicit about uncertainty.
• Do not suggest unrelated refactors.
• Do not turn nits into blockers.
• Do not reward intent; review actual implementation.

[github-actions]

Claude finished @magyargergo's task in 2m 51s —— View job

---

PR Review — feat(extractors): jQuery & axios object-form HTTP consumers

• Load repo docs and define production-ready bar
• Read changed files (node.ts, http-route-extractor.test.ts)
• Review correctness & functional completeness
• Review code clarity & clean code
• Review test coverage & change safety
• Review performance
• Review operational risk
• Review maintainability
• Verify non-negotiables
• Post final verdict

---

Production-ready bar for this PR

Based on AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md, and ARCHITECTURE.md — applied specifically to a source-scan consumer extractor plugin in gitnexus/src/core/group/extractors/http-patterns/node.ts:

1. Additive only — no existing scan loops, compiled patterns, or bundle slots modified; existing detections unchanged
2. HttpDetection contract preserved — same field shape, same role/method/path/confidence semantics; orchestrator normalizes identically
3. Tree-sitter queries compile and produce correct, non-overlapping matches — queries must be structurally disjoint from each other and from existing patterns; no double-emit
4. readStringProp-style key resolution is order-independent — object literal key order must not affect the result
5. tsc --noEmit clean; vitest run test/unit/group/http-route-extractor.test.ts passes — CI and pre-commit gates satisfied
6. All new patterns have unit tests — happy-path (GET/POST/PUT/DELETE/template-URL), boundary (default method, key-order flip), and negative-control
7. No graph schema changes — no new node labels, edge types, or generateId mutations
8. PR title follows conventional-commit style — feat(scope): …
9. No secrets, machine-specific paths, or blind renames

---

Findings

1. Correctness & functional completeness

No blocking issues found.

The three new patterns are structurally disjoint:

• JQUERY_SHORTHAND_SPEC uses member_expression on $ with property get|post — distinct from AXIOS_SPEC (member on axios) and EXPRESS_SPEC (member on router|app). No overlap risk.
• JQUERY_AJAX_SPEC uses member_expression on $ with property ajax, then requires (object) as argument — will not fire on $.ajax(variable) or $.ajax(url, settings). The two-argument form $.ajax('/url', { … }) is a known undetected case but is intentionally out of scope for this PR.
• AXIOS_OBJECT_SPEC uses (identifier) @fn (#eq? @fn "axios") — structurally distinct from AXIOS_SPEC's (member_expression … #eq? @obj "axios"). No double-emit possible.

readStringProp (node.ts:221-234) is correct:

• Returns null when no matching key is present or value is not a string/template literal — the if (path === null) continue guards in both loops are correct.
• Template literals (e.g., url: `/api/users/${id}`) correctly get type template_string, pass the type check, and are returned with the raw text including ${id} — the orchestrator's path normalizer converts this to {param}, consistent with how AXIOS_SPEC handles template URLs. Confirmed by the test at test.ts:354.
• When both method and type keys appear in the same object, the function returns whichever comes first in source order. jQuery documents type as a deprecated alias for method — having both is non-standard usage, so this edge case is acceptable.

AXIOS_OBJECT_SPEC does not emit when no url key is present (readStringProp returns null, continue fires) — safe for calls like axios({ method: 'POST', data }).

• No issues found in this area based on the diff and reviewed context.

2. Code clarity & clean code

NIT: @obj and @fn captures in JQUERY_AJAX_SPEC are read from the captures map but never used

• Evidence: node.ts:133-134 (@obj (#eq? @obj "$") and @fn (#eq? @fn "ajax")); scan loop at node.ts:447 only uses match.captures.options
• Why it matters: These captures serve their purpose at query-predicate level (tree-sitter evaluates the #eq? predicates during matching), so they cannot be removed from the query. They appear in the returned captures map but are discarded. This is benign and consistent with how @obj is handled in the existing AXIOS_SPEC (which also captures @obj but never reads it post-match). No action required.
• Recommendation: Nothing to change — it's idiomatic in this codebase.
• Confidence: High

No dead code, no drive-by refactors, no barrel regressions, no // removed comments, naming is clear and consistent.

3. Test coverage & change safety

No blocking issues found.

Four new tests in gitnexus/test/unit/group/http-route-extractor.test.ts cover:

1. test.ts:293-319 — $.get/$.post shorthand: asserts contractId and meta.framework === 'jquery'
2. test.ts:321-339 — $.ajax with method:, type:, and method-absent default GET
3. test.ts:341-369 — axios({...}) both key orders (method, url and url, method) and default GET; template-literal URL confirmed via http::PUT::/api/users/{param}
4. test.ts:371-399 — Negative control: $.fn.extend, $.each, myHelper({url,method}), bare const cfg — asserts zero /nope consumers

Assertions are meaningful: contractId encodes method + normalized path, meta.framework verifies the label propagation. Fixtures are realistic (.js in public/js/, .ts in src/).

NON-BLOCKING: No test for $.ajax with a template-literal URL

• Evidence: All three $.ajax fixtures at test.ts:327-329 use plain string URLs. The axios({...}) test covers template literals at test.ts:354, but no equivalent for $.ajax.
• Why it matters: Template string handling in readStringProp is exercised by the axios path, so the code path is not untested — but the jQuery ajax + template URL combination is not explicitly covered.
• Recommendation: Add a fixture like $.ajax({ url: `/api/orders/${id}`, method: 'GET' }) to test.ts:324-339 and assert http::GET::/api/orders/{param}. Low-priority; the underlying code path (readStringProp + template_string type check) is already exercised by the axios test.
• Confidence: High

4. Performance

No issues found in this area based on the diff and reviewed context.

The three compileBundle() calls at node.ts:183-185 add 3 patterns each to the JS, TS, and TSX bundles — these are module-load-time operations, not per-file. readStringProp is O(k) in the number of object keys — bounded in practice (HTTP config objects rarely exceed 10 keys). No O(n²) patterns, no unbounded caches, no redundant Cypher round-trips (this is a source-scan layer with no DB access).

5. Operational risk

No issues found in this area based on the diff and reviewed context.

• No file I/O, no stream/FD lifecycle, no path-separator assumptions (tree-sitter operates on in-memory source text).
• LadybugDB single-writer invariant: not touched — this runs in the group extractor, not the analyze pipeline.
• Embeddings: not touched.
• MCP contracts: HttpDetection shape unchanged. framework: 'jquery' is a new string value for an already-string-typed field — no schema break. Downstream tools (group_contracts, group_status) consume framework as metadata, not as a typed enum.
• Rollback safety: purely additive. Reverting removes the patterns and stops emitting these detections; no database migration needed.

6. Maintainability

No issues found in this area based on the diff and reviewed context.

This change is correctly scoped to gitnexus/src/core/group/extractors/http-patterns/node.ts — the group extractor layer, which runs during group_sync, not during the main ingestion Pipeline Phase DAG. No pipeline phase boundaries are crossed. The extension pattern (add PatternSpec → add bundle slot → add scan loop) is clear and mirrors the existing FETCH_*/AXIOS_SPEC pattern exactly. The next contributor extending this (e.g. adding $.getJSON) would have an obvious model to follow. readStringProp is co-located with the two patterns that use it rather than pushed to a shared utility, which is appropriate given it's JS/TS-specific object-literal processing.

---

Non-negotiables

Check	Result
No secrets, tokens, or machine-specific paths	✅
No blind find-and-replace renames	✅ (no renames at all)
HttpDetection contract unchanged	✅
PR title follows feat(scope): subject	✅
PolyForm Noncommercial license metadata untouched	✅
tsc --noEmit clean (per PR description)	✅ (reported by author; not independently run in this review)
vitest run passes with 22 tests (18+4)	✅ (reported by author; not independently run in this review)

---

What I could not fully verify

1. CI run results — The PR reports 22 passed and tsc --noEmit clean, but I did not independently execute the test suite. The logic review confirms the patterns are correct, but runtime behavior on actual tree-sitter parse outputs was not directly observed.
2. $.ajax(url, settings) two-argument form — Not tested or detected. This is acknowledged as out-of-scope, but if real-world jQuery codebases use this form heavily, users may not see all expected contracts. This is a known gap, not a bug.
3. Downstream group_contracts consumers — I cannot verify whether any external tooling or UI hardcodes the set of valid framework values. The framework field type is string, making this low-risk, but it's unverified.

---

Final verdict

✅ Ready to merge — no blocking issues.

The implementation is correct, additive, and maintains all existing contracts. The three new patterns are structurally disjoint from each other and from existing patterns. readStringProp handles the key-order independence problem correctly. Test coverage is meaningful, includes a negative control, and the one gap (jQuery ajax + template URL) is low-risk given the underlying code path is exercised by the axios object test. No pipeline DAG boundaries crossed, no schema changes, clean rollback story.

The single NON-BLOCKING item (missing $.ajax + template-literal test) is worth a follow-up but does not warrant blocking this merge.

[magyargergo]

Can you please address the findings sections? 🙏 Nice PR btw! 🚀

[github-actions]

CI Report

✅ All checks passed

Pipeline Status

Stage	Status	Details
✅ Typecheck	success	tsc --noEmit
✅ Tests	success	unit tests, 3 platforms
✅ E2E	success	gitnexus-web changes only

Test Results

Tests	Passed	Failed	Skipped	Duration
6436	6339	0	97	256s

✅ All 6339 tests passed

97 test(s) skipped — expand for details

• Swift MethodExtractor > isTypeDeclaration > recognizes class_declaration
• Swift MethodExtractor > isTypeDeclaration > recognizes protocol_declaration
• Swift MethodExtractor > isTypeDeclaration > rejects import_declaration
• Swift MethodExtractor > visibility > extracts public method
• Swift MethodExtractor > visibility > extracts private method
• Swift MethodExtractor > visibility > defaults to internal when no modifier
• Swift MethodExtractor > protocol methods > marks protocol method as abstract
• Swift MethodExtractor > static and class methods > detects static func as isStatic
• Swift MethodExtractor > static and class methods > detects class func as isStatic
• Swift MethodExtractor > parameters > extracts parameters with types and default values
• Swift MethodExtractor > return type > extracts return type from -> annotation
• Swift MethodExtractor > annotations > extracts @objc attribute
• Swift MethodExtractor > isFinal > detects final func
• Swift MethodExtractor > isFinal > is false when not final
• Swift MethodExtractor > isAsync > detects async func
• Swift MethodExtractor > isOverride > detects override method
• buildTypeEnv > constructor inference (Tier 1 fallback) > lookupClassByName regression coverage > Swift lookupClassByName regression coverage > Swift cross-file constructor inference uses lookupClassByName
• buildTypeEnv > constructor inference (Tier 1 fallback) > lookupClassByName regression coverage > Swift lookupClassByName regression coverage > Swift explicit init inference uses lookupClassByName
• buildTypeEnv > constructor inference (Tier 1 fallback) > lookupClassByName regression coverage > Swift lookupClassByName regression coverage > Swift cross-file constructor inference does not bind plain functions
• buildTypeEnv > known limitations (documented skip tests) > Ruby block parameter: users.each { |user| } — closure param inference, different feature
• Swift constructor-inferred type resolution > detects User and Repo classes, both with save methods
• Swift constructor-inferred type resolution > resolves user.save() to Models/User.swift via constructor-inferred type
• Swift constructor-inferred type resolution > resolves repo.save() to Models/Repo.swift via constructor-inferred type
• Swift constructor-inferred type resolution > emits exactly 2 save() CALLS edges (one per receiver type)
• Swift self resolution > detects User and Repo classes, each with a save function
• Swift self resolution > resolves self.save() inside User.process to User.save, not Repo.save
• Swift parent resolution > detects BaseModel and User classes plus Serializable protocol
• Swift parent resolution > emits EXTENDS edge: User → BaseModel
• Swift parent resolution > emits IMPLEMENTS edge: User → Serializable (protocol conformance)
• Swift cross-file User.init() inference > resolves user.save() via User.init(name:) inference
• Swift cross-file User.init() inference > resolves user.greet() via User.init(name:) inference
• Swift return type inference > detects User class and getUser function
• Swift return type inference > detects save function on User (Swift class methods are Function nodes)
• Swift return type inference > resolves user.save() to User#save via return type of getUser() -> User
• Swift return-type inference via function return type > resolves user.save() to User#save via return type of getUser()
• Swift return-type inference via function return type > user.save() does NOT resolve to Repo#save
• Swift return-type inference via function return type > resolves repo.save() to Repo#save via return type of getRepo()
• Swift implicit imports (cross-file visibility) > detects UserService class in Models.swift
• Swift implicit imports (cross-file visibility) > resolves UserService() constructor call across files (no explicit import)
• Swift implicit imports (cross-file visibility) > resolves service.fetchUser() member call across files
• Swift implicit imports (cross-file visibility) > creates IMPORTS edges between files in the same module
• Swift extension deduplication > detects Product class
• Swift extension deduplication > resolves Product() constructor despite extension creating duplicate class node
• Swift extension deduplication > resolves product.save() to Product.swift (primary definition)
• Swift constructor call fallback (no new keyword) > resolves OCRService() as constructor call across files
• Swift constructor call fallback (no new keyword) > resolves ocr.recognize() member call via constructor-inferred type
• Swift export visibility (internal vs private) > resolves PublicService() constructor across files
• Swift export visibility (internal vs private) > resolves internalHelper() across files (internal = module-scoped)
• Swift if let / guard let binding resolution > detects User and Repo classes
• Swift if let / guard let binding resolution > resolves user.save() inside if-let to User#save
• Swift if let / guard let binding resolution > resolves repo.save() inside guard-let to Repo#save
• Swift if let / guard let binding resolution > user.save() in if-let does NOT resolve to Repo#save
• Swift await / try expression unwrapping > resolves user.save() via await fetchUser() return type
• Swift await / try expression unwrapping > resolves repo.save() via try parseRepo() return type
• Swift await / try expression unwrapping > detects fetchUser and parseRepo as functions
• Swift for-in loop element type inference > detects User and Repo classes
• Swift for-in loop element type inference > creates implicit import edges between files
• Swift field-type resolution > detects classes and their properties
• Swift field-type resolution > emits HAS_PROPERTY edges from class to field
• Swift field-type resolution > resolves field-chain call user.address.save() → Address#save
• Swift field-type resolution > emits ACCESSES edges for field reads in chains
• Swift field-type resolution > populates field metadata (visibility, declaredType) on Property nodes
• Swift call-result binding > resolves call-result-bound method call user.save() → User#save
• Swift call-result binding > getUser() is present as a defined function
• Swift call-result binding > emits processUser -> getUser CALLS edge for let-assigned free function call
• Swift method enrichment > detects Animal protocol and Dog class
• Swift method enrichment > emits IMPLEMENTS edge Dog -> Animal
• Swift method enrichment > emits HAS_METHOD edges for Dog methods
• Swift method enrichment > marks protocol Animal.speak as isAbstract
• Swift method enrichment > marks Dog.speak as NOT isAbstract
• Swift method enrichment > marks breathe as isFinal
• Swift method enrichment > marks classify as isStatic
• Swift method enrichment > captures @objc annotation on breathe
• Swift method enrichment > populates parameterTypes for classify(_ name: String)
• Swift method enrichment > records parameterCount for classify
• Swift method enrichment > records returnType for speak
• Swift method enrichment > resolves dog.speak() CALLS edge
• Swift method enrichment > resolves Dog.classify("dog") CALLS edge
• Swift abstract dispatch > detects Repository protocol and SqlRepository class
• Swift abstract dispatch > emits IMPLEMENTS edge SqlRepository -> Repository
• Swift abstract dispatch > emits HAS_METHOD edges for Repository.find and Repository.save
• Swift abstract dispatch > emits HAS_METHOD edges for SqlRepository.find and SqlRepository.save
• Swift abstract dispatch > marks base Repository.find as isAbstract
• Swift abstract dispatch > marks base Repository.save as isAbstract
• Swift abstract dispatch > marks concrete SqlRepository.find as NOT isAbstract
• Swift abstract dispatch > resolves repo.find(id: 42) CALLS edge
• Swift abstract dispatch > resolves repo.save(entity: user) CALLS edge
• Swift abstract dispatch > populates parameterTypes for Repository.find
• Swift abstract dispatch > populates parameterTypes for Repository.save
• Swift abstract dispatch > records returnType for SqlRepository.find
• Swift abstract dispatch > emits METHOD_IMPLEMENTS edges from SqlRepository methods → Repository protocol methods
• Swift overloaded method disambiguation > detects 2 distinct find Method nodes on SqlRepository
• Swift overloaded method disambiguation > emits METHOD_IMPLEMENTS edges for both find overloads
• Swift overloaded method disambiguation > emits METHOD_IMPLEMENTS edge for save
• Swift overloaded method disambiguation > emits exactly 3 METHOD_IMPLEMENTS edges total
• Swift Child extends Parent — inherited method resolution (SM-9) > detects Parent and Child classes
• Swift Child extends Parent — inherited method resolution (SM-9) > resolves c.parentMethod() to Parent.parentMethod via first-wins MRO walk

Code Coverage

Tests

Metric	Coverage	Covered	Base	Delta	Status
Statements	72.53%	17229/23752	72.51%	📈 +0.0	🟢 ██████████████░░░░░░
Branches	61.4%	10940/17815	61.39%	📈 +0.0	🟢 ████████████░░░░░░░░
Functions	77.48%	1638/2114	77.42%	📈 +0.1	🟢 ███████████████░░░░░
Lines	75.06%	15635/20829	75.01%	📈 +0.0	🟢 ███████████████░░░░░

---

_{📋 View full run · Generated by CI}

[azizur100389]

Thanks for the review — addressed the findings below.

1. NON-BLOCKING — missing $.ajax + template-literal URL test

Fixed in 968a7f4 (force-push-free, appended to the branch). Extended the existing extracts jQuery $.ajax with method: and type: keys and default GET fixture with a template-literal URL case and a matching {param}-normalised assertion, so the jQuery-ajax + template_string code path is now exercised explicitly instead of implicitly through the axios object test:

function reloadOrder(id) {
  return $.ajax({ url: `/api/orders/${id}`, method: 'GET' });
}

expect(
  consumers.find((c) => c.contractId === 'http::GET::/api/orders/{param}'),
).toBeDefined();

Local run:

• npx vitest run test/unit/group/http-route-extractor.test.ts → 22 pass (18 original + 4 new + 1 extended assertion)
• npx tsc --noEmit → clean

2. NIT — unused @obj / @fn captures in JQUERY_AJAX_SPEC

Intentionally left as-is, per the review's own recommendation ("Nothing to change — it's idiomatic in this codebase"). The captures are load-bearing at the #eq? predicate level; tree-sitter needs them in the pattern even though the post-match scan loop doesn't read them. Matches the identical pattern in the existing AXIOS_SPEC.

Items I did not touch

• $.ajax(url, settings) two-argument form — explicitly called out as out-of-scope by the review. Happy to file a follow-up issue if useful for a v2 PR.
• Potential hardcoded framework enums in downstream group_contracts consumers — unverified by the review; I grepped the repo and the field is always consumed as an opaque string (no narrowed union, no switch).

CI was already green before this follow-up and the diff is test-only, so risk is zero. Ready when you are.

[magyargergo]

@claude Act as a senior reviewer for GitNexus. Your job is to determine whether this PR is production-ready for this repo, not to give a generic code review.

You are reviewing a PR in the GitNexus monorepo:

• gitnexus/ → CLI + MCP
• gitnexus-web/
• gitnexus-shared/

Your task has 2 phases, in this exact order:

PHASE 1 — DEFINE THE BAR
Before reviewing the diff, establish a concise repo-specific definition of “production-ready” for GitNexus, based only on the repo docs and the affected area.
Keep this definition practical and reviewable. Do not invent standards that are not grounded in the repo.

PHASE 2 — REVIEW THE PR AGAINST THAT BAR
Review the actual diff only after defining the bar.
Stay tightly scoped to the changed code and its direct consequences.

---

CONTEXT TO LOAD FIRST
Read these before reviewing:

• AGENTS.md
• GUARDRAILS.md
• CONTRIBUTING.md
• TESTING.md
• ARCHITECTURE.md

Additional context:

• If the diff touches ingestion, also read: ARCHITECTURE.md § Pipeline Phase DAG
• PR [group/sync] Fix ManifestExtractor never called — config.links always produced 0 cross-links #827 diff area is primarily: gitnexus/src/core/group/ (sync + manifest extractor) plus associated tests

---

PRIMARY OBJECTIVE
Decide whether this PR is safe, correct, maintainable, and operationally acceptable to merge into production for GitNexus.

Do not optimize for completeness at the expense of signal.
Do not pad the review.
Do not propose unrelated refactors.
Do not restate the PR description unless needed for verification.

---

REVIEW RULES

• Every finding must be grounded in specific evidence from the diff or directly relevant surrounding code.
• Every finding must include path:line.
• If you make a behavioral claim, cite the code that proves it.
• If you make a performance claim, explain the mechanism.
• If something cannot be verified from the diff alone, explicitly say so.
• Distinguish clearly between:
  • verified issue
  • plausible risk
  • unverified concern
• Avoid vague wording like “might be better” or “could be improved” unless you explain exactly why.
• Keep the review focused on this PR’s scope only.

For each finding, assign one severity:

• BLOCKING → must be fixed before merge
• NON-BLOCKING → valid issue, but merge may still be acceptable
• NIT → stylistic/minor, not merge-relevant

---

REPO-SPECIFIC REVIEW CHECKLIST
Use these exact headings.

1. Correctness & functional completeness

Check:

• Does the implementation actually satisfy the PR claim?
  • ManifestExtractor is truly invoked
  • config.links produces non-zero cross-links where expected
• Resolver contracts are preserved:
  • resolveSymbol remains exact-match
  • label-scoped Cypher remains correct per contract type
  • flag any regression toward fuzzy or unscoped matching
• Graph schema integrity is preserved:
  • no silent changes to node labels
  • no silent changes to edge types
  • no silent changes to ID generation (generateId)
• Call out any missing wiring, partial integration, dead branch, or mismatch between tests and runtime behavior

2. Code clarity & clean code

Check:

• naming quality
• local cohesion
• dead code
• unnecessary abstraction
• hidden control flow
• confusing indirection
• adherence to repo conventions:
  • direct imports from gitnexus-shared
  • no barrel re-export regressions
  • no // removed comments
  • no unused re-exports
• no drive-by refactors outside stated scope per CONTRIBUTING.md and GUARDRAILS.md § Scope

3. Test coverage & change safety

Evaluate against TESTING.md:

• Are there unit tests under gitnexus/test/unit/ covering the newly wired path?
• Is there a regression guard for 0-link → N-link behavior?
• Are assertions meaningful rather than tautological?
• Are fixtures realistic for manifest inputs?
• If memoization/cache was introduced, is there a test proving hit/miss behavior and correctness?
• Is there evidence the expected validation path would pass for staged gitnexus/ files?
  • tsc --noEmit
  • vitest run --project default
    If not verifiable, say exactly what is missing.

4. Performance

Inspect for:

• hot-path overhead in ingestion/group sync
• excess allocations per manifest entry
• redundant Cypher round-trips
• missed batching or missed parallelism (Promise.all) where it materially matters
• O(n²) or repeated lookup patterns on large repos
• memoization tradeoffs:
  • correctness
  • invalidation
  • bounded vs unbounded memory growth
    Do not speculate casually; explain the mechanism and likely impact.

5. Operational risk

Check:

• Windows/cross-platform safety:
  • stream lifecycle
  • FD/file handle lifecycle
  • path separator assumptions
  • anything resembling prior ENOTEMPTY-style lifecycle regressions
• LadybugDB single-writer invariant is preserved
• Embeddings preservation:
  • no silent breakage of --embeddings
  • .gitnexus/meta.json.stats.embeddings not silently zeroed by changed paths
• MCP contracts remain compatible:
  • group_*
  • query
  • context
  • impact
  • detect_changes
  • rename
  • cypher
    Flag any schema or contract break without migration note
• staleness behavior still triggers correctly (gitnexus/src/mcp/staleness.ts)
• rollback safety:
  • can this PR be reverted safely without re-analyze?
  • if not, explain why

6. Maintainability

Check:

• Does the change respect Pipeline Phase DAG boundaries?
• Is cross-phase coupling being introduced?
• Are manifest-extractor entry points discoverable from group/sync.ts?
• Would the next contributor know where to extend this?
• Is shared logic placed appropriately:
  • in gitnexus-shared/
  • or gitnexus/src/core/**/utils.ts
  • and not duplicated between CLI and web bridge (server/api.ts)?

---

NON-NEGOTIABLES TO VERIFY
From GUARDRAILS.md / CONTRIBUTING.md:

• no secrets, tokens, or machine-specific paths committed
• no blind find-and-replace renames
• if a symbol rename occurred, rename MCP tool or equivalent careful review was used
• upstream impact was considered for modified shared symbols
• no HIGH/CRITICAL impact left unaddressed
• PR title follows conventional commit style + [area] Short description
• PolyForm Noncommercial license headers/metadata untouched

---

OUTPUT FORMAT

Production-ready bar for this PR

Give a concise repo-specific definition in 5–10 bullets.

Findings

For each finding, use this structure exactly:

[BLOCKING|NON-BLOCKING|NIT] Short title

• Evidence: path:line, path:line
• Why it matters: ...
• Recommendation: ...
• Confidence: High / Medium / Low

Only include findings that are real and supported.
If there are no findings in a section, say:

• No issues found in this area based on the diff and reviewed context.

What I could not fully verify

List any behavior you could not prove from the diff, tests, or available context.

Final verdict

Choose exactly one:

• ✅ Ready to merge — no blocking issues.
• ⚠️ Merge after addressing blocking items.
• ❌ Not ready — fundamental concerns.

If verdict is not ready, list the blocking items in priority order.

---

IMPORTANT REVIEW BEHAVIOR

• Be strict on correctness and contracts.
• Be conservative about operational risk.
• Be explicit about uncertainty.
• Do not suggest unrelated refactors.
• Do not turn nits into blockers.
• Do not reward intent; review actual implementation.

[github-actions]

Claude finished @magyargergo's task in 3m 6s —— View job

---

PR Review — feat(extractors): jQuery & axios object-form HTTP consumers

• Load repo docs and define production-ready bar
• Read changed files (node.ts, http-route-extractor.test.ts)
• Review correctness & functional completeness
• Review code clarity & clean code
• Review test coverage & change safety
• Review performance
• Review operational risk
• Review maintainability
• Verify non-negotiables
• Post final verdict

---

Production-ready bar for this PR

Based on AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md, and ARCHITECTURE.md — applied specifically to an additive consumer extractor plugin in gitnexus/src/core/group/extractors/http-patterns/node.ts:

1. Purely additive — no existing scan loops, compiled patterns, or bundle slots modified; existing detections unchanged
2. HttpDetection contract preserved — same field shape, same role/method/path/confidence semantics; orchestrator normalizes identically
3. Tree-sitter queries compile and produce correct, non-overlapping matches — structurally disjoint from each other and from existing patterns; no double-emit
4. Object-key resolution is order-independent — {url, method} and {method, url} must both produce an emission
5. tsc --noEmit clean; vitest run passes across all 3 platforms — CI and pre-commit gates satisfied
6. All new patterns have unit tests — happy-path (GET/POST/PUT/DELETE/template-URL), boundary (default method, key-order flip), and negative-control
7. No graph schema changes — no new node labels, edge types, or generateId mutations; source-scan layer only
8. PR title follows conventional-commit style — feat(scope): …
9. No secrets, machine-specific paths, or blind renames

---

Findings

1. Correctness & functional completeness

• No issues found in this area based on the diff and reviewed context.

Structural disjointness verified:

• JQUERY_SHORTHAND_SPEC (member_expression on $ with get|post) — disjoint from AXIOS_SPEC (member_expression on axios) and EXPRESS_SPEC (member_expression on router|app).
• JQUERY_AJAX_SPEC (member_expression on $ with ajax) — disjoint from shorthand; captures (object) as the sole argument class.
• AXIOS_OBJECT_SPEC ((identifier) @fn (#eq? @fn "axios")) — disjoint from AXIOS_SPEC's (member_expression … #eq? @obj "axios"); no double-emit possible.

readStringProp (node.ts:221-234) is correct:

• Returns null when the key is absent or value is not a string/template_string — the if (path === null) continue guards in both loops are correct.
• For JQUERY_AJAX_SPEC, (arguments (object) @options) without an anchor matches any (object) child inside the arguments. In the two-argument case $.ajax('/url', { settings }), two matches are produced. The first match's options object (the settings object) has no url key, so readStringProp returns null and the loop skips it — no false positive.
• Template-literal URLs (e.g. url: `/api/orders/${id}`) reach the template_string branch of the type check, pass, and are returned with the raw text, which the orchestrator's path normalizer converts to {param}. Confirmed by test at test.ts:346-348.
• When both method and type keys appear in the same object, the function returns whichever appears first in source order. Having both simultaneously is non-standard jQuery usage; this edge case is acceptable.

HttpDetection shape: unchanged. framework: 'jquery' is a new string value for an already-string-typed field — no schema break. framework: 'axios' is reused for the object form, consistent with downstream grouping.

2. Code clarity & clean code

NIT: @obj and @fn captures in JQUERY_AJAX_SPEC appear in the captures map but are never read post-match

• Evidence: node.ts:132-133 (@obj (#eq? @obj "$"), @fn (#eq? @fn "ajax")); scan loop at node.ts:447 only reads match.captures.options.
• Why it matters: The captures are load-bearing at the #eq? predicate evaluation level — tree-sitter requires them in the query text. They cannot be removed. The pattern is identical to AXIOS_SPEC's @obj capture (also discarded post-match at node.ts:411). This is idiomatic in this codebase.
• Recommendation: Nothing to change.
• Confidence: High

No dead code, no drive-by refactors, no barrel regressions, no // removed comments, no unused re-exports. Naming is clear and consistent with existing conventions.

3. Test coverage & change safety

• No issues found in this area based on the diff and reviewed context.

The four new tests cover all required dimensions:

1. test.ts:293-319 — $.get/$.post shorthand: asserts contractId and meta.framework === 'jquery'. Meaningful.
2. test.ts:321-349 — $.ajax with method:, type:, method-absent default GET, and template-literal URL ( \/api/orders/${id}` →http::GET::/api/orders/{param}). This is the previously NON-BLOCKING finding, now addressed by commit 968a7f4. The template-literal path exercises readStringProp's template_string` branch for jQuery ajax specifically (previously only exercised via the axios object path).
3. test.ts:351-379 — axios({...}) both key orders ({method, url} and {url, method}) plus method-absent default GET. Proves post-processing is order-independent.
4. test.ts:381-409 — Negative control: $.fn.extend, $.each, myHelper({url, method}), bare const cfg — zero /nope consumers. Structural isolation is verified at test level.

Assertions are meaningful: contractId encodes method + normalized path, meta.framework verifies label propagation. Fixtures are realistic (.js in public/js/, .ts in src/).

CI confirms: 6339 tests passing across Ubuntu + macOS + Windows, tsc --noEmit clean.

4. Performance

• No issues found in this area based on the diff and reviewed context.

The three compileBundle() calls at node.ts:183-185 run once at module load — not per-file. readStringProp is O(k) in named child count of the options object; HTTP config objects are bounded in practice (rarely exceed 10 keys). keyNames.includes(keyNode.text) is O(m) with m ≤ 3. No O(n²) patterns, no unbounded caches, no Cypher round-trips (source-scan layer has no DB access).

5. Operational risk

• No issues found in this area based on the diff and reviewed context.

• No file I/O, stream/FD lifecycle, or path-separator assumptions — tree-sitter operates on in-memory source text.

• LadybugDB single-writer invariant: not touched — this runs in the group extractor, not the analyze pipeline.

• Embeddings: not touched — no interaction with --embeddings or meta.json.stats.embeddings.

• MCP contracts: HttpDetection.framework is a string field throughout the codebase — 'jquery' is a new value, not a type narrowing violation. group_contracts and group_status consume it as opaque string metadata.

• Rollback safety: purely additive. Reverting removes the 3 patterns and stops emitting these detections; no DB migration needed, no schema change to undo.

6. Maintainability

• No issues found in this area based on the diff and reviewed context.

This change is correctly scoped to gitnexus/src/core/group/extractors/http-patterns/node.ts — the group extractor layer, which runs during group_sync, not during the ingestion Pipeline Phase DAG. No pipeline DAG boundaries crossed. The extension pattern (PatternSpec → bundle slot → scan loop) is explicit, mirrors the existing FETCH_*/AXIOS_SPEC pattern exactly, and is trivially extensible (e.g. $.getJSON, superagent.get()). readStringProp is correctly co-located in node.ts rather than pushed to gitnexus-shared/ — it's JS/TS grammar-specific and has no cross-language utility.

---

Non-negotiables

Check	Result
No secrets, tokens, or machine-specific paths	✅
No blind find-and-replace renames	✅ (no renames)
HttpDetection contract unchanged	✅
PR title follows feat(scope): subject	✅
PolyForm Noncommercial license metadata untouched	✅
tsc --noEmit clean	✅ (CI + author-reported)
vitest run passing — 6339 tests, 3 platforms	✅ (CI confirmed)

---

What I could not fully verify

1. $.ajax('/url', settings) two-argument form — out of scope per PR, correctly acknowledged. The implementation produces no false positives for this form (no url key in the settings object when using that call signature).
2. Downstream framework field enum narrowing — the field is typed as string in the diff context, and a grep for hardcoded 'jquery' checks in downstream consumers was not performed. Low risk given the string type, but unverified.

---

Final verdict

✅ Ready to merge — no blocking issues.

The previously NON-BLOCKING finding (missing $.ajax + template-literal URL test) was addressed in commit 968a7f4. Implementation is correct and additive: three structurally disjoint patterns, order-independent key resolution via readStringProp, meaningful test coverage including a negative control, and a clean CI run across all 3 platforms. No pipeline DAG boundaries crossed, no schema changes, clean rollback story.