Improve alias-like import reachability from agent repo lab

[EgemennSahin]

Problem

The latest agent-repo lab shows that unresolved import counts are now split into useful buckets, but alias-like imports still block some project-local reachability evidence in real JS/TS agent repos.

This is not a security finding and not a claim that any external repository is unsafe. The issue is only about agentdiff understanding repo-local alias imports well enough to explain agent-to-tool reachability.

Evidence from the lab

Latest secondary lab summary:

• 20/20 public JS/TS agent repos scanned
• 0 crashes
• 55 useful findings
• 2 noisy findings
• 3/3 useful synthetic PR tests

Alias-like unresolved samples that look agent/tool-relevant:

• vercel/ai: 147 alias-like unresolved imports
  • @/tool/weather-tool from examples/ai-e2e-next/agent/anthropic/tools-agent.ts
  • @/tool/sandbox-shell-tool from examples/ai-e2e-next/agent/openai/sandbox-agent.ts
  • @/agent/anthropic/advisor-20260301-agent from examples/ai-e2e-next/app/api/chat/anthropic-advisor-20260301/route.ts
• i-am-bee/beeai-framework: 117 alias-like unresolved imports
  • @/agents/base.js from typescript/src/adapters/a2a/agents/agent.ts
  • @/memory/base.js from typescript/src/adapters/a2a/agents/agent.ts
  • @/backend/message.js from typescript/src/adapters/a2a/agents/agent.ts
• VoltAgent/voltagent: 56 alias-like unresolved imports
  • @/voltagent from examples/next-js-chatbot-starter-template/app/api/chat/route.ts
  • @/lib/ai/config from examples/next-js-chatbot-starter-template/app/api/chat/route.ts

These samples suggest the remaining blind spot is high-confidence project-local alias reachability, not external packages like zod, provider SDKs, or framework dependencies.

Proposed fix

Add narrow alias-like import reachability handling for project-local imports when there is strong evidence, for example:

• @/ or ~/ conventions that can be mapped to a nearby app/package src, app root, or configured root without leaving the scan root.
• Alias resolution only when the target is an obvious local file using existing extension and index fallback logic.
• Explanations that record resolved_via, the alias convention, importing file, and target file.

Keep the existing unresolved bucket reporting so unsupported imports remain visible.

Acceptance criteria

• npm test passes.
• Secondary agent-repo lab remains 20/20 scanned with 0 crashes.
• At least one cited alias-like sample resolves or is explicitly documented as intentionally unsupported.
• External dependency-like imports are still not treated as product blind spots by default.
• Reports continue to cap samples so map/report output does not explode.

Non-goals

• Do not build a full TypeScript compiler resolver.
• Do not install dependencies in external repos.
• Do not shell out to tsc.
• Do not run live model calls.
• Do not classify external repos as vulnerable or unsafe.

[EgemennSahin]

Implemented in 388c570 and now available through the moving v0 action channel.

What changed:

• Added high-confidence @/ and ~/ project-local alias resolution.
• Resolution only succeeds when an existing file is found under a nearby project root or src root, using the existing extension/index fallback logic.
• Added project_alias import-graph edge evidence so inferred aliases stay distinct from tsconfig_paths and workspace_package resolution.
• Preserved unresolved alias samples when no local file can be resolved.
• Added focused tests for @/tools/sendEmail, @/voltagent, unresolved @/missing, unsafe @/../outside, and docs/test downranking.

Verification:

• npm test passed.
• npm run stranger passed.
• AGENTDIFF_LAB_INCLUDE_SECONDARY=1 AGENTDIFF_LAB_MAX_REPOS=20 npm run lab passed with 0 crashes.
• CD passed and moved v0 to 388c570.

Lab before/after for cited alias-like blockers:

• vercel/ai: alias-like unresolved imports 147 -> 1; cited @/tool/* samples now resolve.
• i-am-bee/beeai-framework: 117 -> 0; cited @/agents/*, @/memory/*, and @/backend/* samples now resolve.
• VoltAgent/voltagent: 56 -> 9; cited @/voltagent and @/lib/ai/config samples now resolve. Remaining samples are #/ aliases and can be inspected separately if needed.

Latest lab headline: 25 seeds, 20 scanned, 5 skipped by archive/size guardrails, 0 crashes, 48 useful findings, 4 noisy findings, 3/3 useful synthetic PR tests.

Closing because the specific alias blockers in this issue were meaningfully reduced without adding a full TypeScript resolver.

[EgemennSahin]

Closing after 388c570 shipped through @v0 and reduced the cited alias-like blockers.