Hookwarden

Patch Changes

• 0a0ff4c: Bundle the Python tree-sitter grammar (WASM) into the CLI's published tarball; remove tree-sitter-python as a runtime dependency.

  The tree-sitter-python npm package ships both a native binding and a WASM grammar artifact. hookwarden only uses the WASM path (via web-tree-sitter), but the native binding ran node-gyp-build at install time — failing on platforms without prebuilds (Alpine/musl, locked-down corporate environments) and adding install-time latency for everyone.

  Fix: packages/cli/scripts/sync-wasm.mjs copies tree-sitter-python.wasm into packages/cli/wasm/ at install + pack time. The CLI loader reads from the bundled location instead of resolving the npm package at runtime. tree-sitter-python moves from dependencies → devDependencies on both @hookwarden/engine and hookwarden (CLI).

  Net effect for end users:

  • npm i hookwarden no longer triggers a native compile step. Works cleanly on Alpine, locked-down CI, and any environment without a C++ toolchain.
  • Tarball grows from 55 kB → 123 kB (gzipped) — the price of bundled portability.
  • Runtime behavior unchanged. Same WASM, same parser, same tests passing.

• 1fadc62: Fix stripe/raw-body-misuse false positive on the canonical Stripe happy-path pattern.

  The engine's body_as_bytes_or_buffer evidence signal previously searched the handler's arrow function body for raw-body indicators. But express.raw({ type: 'application/json' }) is registered as an inline per-route middleware argument — outside the arrow body — so the search missed it, even though the middleware was correctly resolved into middleware_chain.

  Result: stripe/raw-body-misuse fired as a critical finding on every codebase that uses Stripe correctly with the path-scoped express.raw pattern. The PI-3 integration test had been written around this — expect(stdout).toContain("verified") masked the fact that exit code was 1 and a critical FP was being emitted alongside the verified badge.

  Fix: Added collectRawBodyMiddlewareEvidence overlay in packages/engine/src/model/build.ts that follows the same pattern as the sdkVerifyEvidence overlay. When middleware_chain contains express.raw (qualified call) or raw (named import) AND the import source is express or body-parser, an evidence entry of kind body_as_bytes_or_buffer is appended. The import_source guard prevents false-negative matches from unrelated raw middleware on other routers.

  Test: PI-3 strengthened — now asserts exit 0, stripe/library-verified present, stripe/raw-body-misuse absent, and counts.active.critical == 0 on the happy-path fixture. Full suite: 234/234 pass.

  Net effect for users: scanning a correct Stripe webhook handler that uses express.raw as a per-route middleware no longer emits a critical false positive. The stripe/library-verified (info, verified) finding still fires correctly to confirm the handler is verified.