trailmark

# Trailmark Parses source code into a directed graph of functions, classes, calls, and semantic metadata for security analysis. Supports 16 languages. ## When to Use - Mapping call paths from user input to sensitive functions - Finding complexity hotspots for audit prioritization - Identifying attack surface and entrypoints - Understanding call relationships in unfamiliar codebases - Security review or audit preparation across polyglot projects - Adding LLM-inferred annotations (assumptions, preconditions) to code units - Pre-analysis before mutation testing (genotoxic skill) or diagramming ## When NOT to Use - Single-file scripts where call graph adds no value (read the file directly) - Architecture diagrams not derived from code (use the `diagramming-code` skill or draw by hand) - Mutation testing triage (use the genotoxic skill, which calls trailmark internally) - Runtime behavior analysis (trailmark is static, not dynamic) ## Rationalizations to Reject | Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "I'll just read the source files manually" | Manual reading misses call paths, blast radius, and taint data | Install trailmark and use the API | | "Pre-analysis isn't needed for a quick query" | Blast radius, taint, and privilege data are only available after `preanalysis()` | Always run `engine.preanalysis()` before handing off to other skills | | "The graph is too large, I'll sample" | Sampling misses cr...