save checkpoint

docs/features/unimplemented/scanner/bun-language-analyzer.md

@@ -0,0 +1,58 @@
+# Bun Language Analyzer
+
+## Module
+Scanner
+
+## Status
+PARTIALLY_IMPLEMENTED
+
+## Description
+Full language analyzer for the Bun JavaScript runtime including bun.lockb binary lockfile parser, installed package collector, workspace/monorepo support, scope classification (dev/prod/peer), symlink safety checks, CLI verbs, and WebService endpoints for Worker integration.
+
+## Implementation Details
+- **Analyzer Plugin**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunAnalyzerPlugin.cs` - Plugin entry point for Bun analyzer
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunLanguageAnalyzer.cs` - Main language analyzer implementation
+- **Lockfile Parsing**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockParser.cs` - Parses `bun.lockb` binary lockfiles
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockData.cs` - Parsed lock data model
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockEntry.cs` - Individual lock entry model
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockInventory.cs` - Inventory built from lockfile
+- **Package Collection**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInstalledCollector.cs` - Collects installed packages from filesystem
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunDeclaredDependencyCollector.cs` - Collects declared dependencies from package.json
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackage.cs` - Package model
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackageNormalizer.cs` - Package normalization
+- **Scope & Classification**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockScopeClassifier.cs` - Classifies dependencies as dev/prod/peer
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInputClassification.cs` - Input file classification
+- **Workspace/Monorepo**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunWorkspaceHelper.cs` - Workspace and monorepo support
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunProjectDiscoverer.cs` - Discovers Bun projects in filesystem
+- **Input & Config**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInputNormalizer.cs` - Normalizes input for determinism
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunConfigHelper.cs` - Configuration helpers
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunVersionSpec.cs` - Version specification parsing
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunEvidenceHasher.cs` - Evidence hashing for determinism
+- **Worker Integration**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/BunPackageInventoryBuilder.cs` - Builds package inventory during scan
+- **Storage**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/BunPackageInventoryStore.cs` - Package inventory store
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/BunPackageInventoryRepository.cs` - Repository
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Catalog/BunPackageInventoryDocument.cs` - Document model
+- **WebService**: `src/Scanner/StellaOps.Scanner.WebService/Contracts/BunContracts.cs` - API contracts for Bun scan results
+
+## E2E Test Plan
+- [ ] Scan a container image containing a Bun project with `bun.lockb` and verify all packages are parsed correctly
+- [ ] Verify scope classification distinguishes dev, prod, and peer dependencies
+- [ ] Scan a Bun workspace/monorepo and verify all workspace packages are discovered and analyzed
+- [ ] Verify installed package collection from node_modules matches lockfile data
+- [ ] Verify the scan results include PURL identifiers for all Bun packages
+- [ ] Verify symlink safety checks flag potentially unsafe symlinks in node_modules
+- [ ] Verify Bun scan results are available via the WebService API contracts
+
+## Verification Findings
+- `run-001` Tier 0 confirmed listed Bun analyzer, worker, storage, and WebService contract files are present.
+- Tier 1 builds succeeded for analyzer/worker/storage/webservice/Bun test projects, but Bun deterministic suite failed (`98/115` passed) with 17 golden hash mismatches.
+- Code review found feature-contract mismatch: runtime classifies `bun.lockb` as unsupported remediation-only input instead of parsing binary lockfile package inventory.
+- Tier 2 targeted behavioral checks captured both paths: remediation on `bun.lockb` passes, while standard deterministic Bun analysis remains failing; feature terminalized as `not_implemented`.